The OTP feature, available since NetScaler 12.0 Build 51.24, is a great way to reduce your operating costs or to implement two-factor authentication for the first time, because your company/customer wanted to save some money instead of investing in secure remote access 🙂
If you have already configured the AAA server, the login schemas and the authentication policies, you should be able to reach the OTP management web GUI by appending “/manageotp” to your NetScaler Gateway URL. If this is not the case, please follow Carl Stalhood's detailed configuration steps.
While setting this up in my lab I could already imagine the first users complaining to the Helpdesk because the URL is too “difficult” to remember. To make our/their life easier we will create a DNS A record for the desired URL and implement a responder policy that redirects it to the management page.
Step 1 – DNS Record
Create an A record with the FQDN the users should use to manage their token. This record points to the VIP of your NetScaler Gateway. Please make sure the SSL certificate bound to the Gateway also matches this FQDN, otherwise the browser shows a certificate warning before the redirect happens.
Example: token.flashmob-saulgau.de
Step 2 – NetScaler Configuration
Create a responder action and a responder policy for the “manageotp” redirect.
add responder action resp_act_manageotp redirect "\"https://gateway.corp.com/manageotp\"" -responseStatusCode 302
add responder policy resp_pol_manageotp "HTTP.REQ.HOSTNAME.CONTAINS(\"token.flashmob-saulgau.de\")" resp_act_manageotp
Bind the responder policy to your NetScaler Gateway.
bind vpn vserver gateway.corp.com -policy resp_pol_manageotp -priority 100 -gotoPriorityExpression END -type REQUEST
Now you can browse to “token.flashmob-saulgau.de” and you will be redirected to the login form, where the users can manage their tokens.
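To confirm the redirect and the certificate before handing the new URL to the Helpdesk, here is an added verification script (not part of the original post). It assumes the friendly FQDN, the Gateway VIP and the expected redirect target are passed as arguments; the sample response embedded in it is constructed only for an offline self-check.

```shell
#!/bin/sh
# Added verification script (not from the original post): checks that the
# friendly OTP hostname answers with an HTTP 302 to the /manageotp URL and
# that the Gateway certificate is valid for that hostname.

# Return 0 if the captured response headers show a 302 whose Location is
# the expected URL, 1 otherwise.
# $1 = raw response headers (CRLF or LF separated), $2 = expected Location
check_redirect_headers() {
    headers=$(printf '%s' "$1" | tr -d '\r')
    status=$(printf '%s\n' "$headers" | sed -n '1s/^HTTP\/[0-9.]* \([0-9]*\).*/\1/p')
    location=$(printf '%s\n' "$headers" | sed -n 's/^[Ll]ocation: *//p' | head -n 1)
    [ "$status" = "302" ] && [ "$location" = "$2" ]
}

# Query the Gateway VIP directly (via --resolve, so this works before the
# public DNS record exists) and validate the redirect. curl verifies the TLS
# certificate by default, so a certificate that does not cover the friendly
# FQDN fails this check as well.
# $1 = friendly FQDN, $2 = Gateway VIP, $3 = expected redirect target
check_otp_redirect() {
    fqdn=$1; vip=$2; expected=$3
    headers=$(curl -sS -o /dev/null -D - \
        --resolve "$fqdn:443:$vip" "https://$fqdn/") || return 1
    check_redirect_headers "$headers" "$expected"
}

# Constructed sample response, as the NetScaler answers once the responder
# policy is bound; used only for the offline self-test.
SAMPLE_HEADERS='HTTP/1.1 302 Object Moved
Location: https://gateway.corp.com/manageotp
Connection: close
'

# Usage: ./check_otp.sh token.flashmob-saulgau.de <VIP> https://gateway.corp.com/manageotp
if [ "$#" -eq 3 ]; then
    if check_otp_redirect "$1" "$2" "$3"; then
        echo "redirect OK"
    else
        echo "redirect check FAILED"
        exit 1
    fi
fi
```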