This will go over how to setup a single Access Gateway Vserver connecting to Multiple Domains using a single Pair of web interface servers. This might sound confusing at first but in reality its pretty strait forward. This article assumes that you already have some basic knowledge of how to setup netscaler and xenapp with WI in a single domain.
Environment (LB is not required)
- Pair of Netscalers v10.1 in LB config.
- Pair of Web Interface 5.4 Servers with LB Vserver.
- Two AD Forests/Domains.
- A few STA servers (Doesn’t matter what domain they are on)
- A couple XA farms in Different domains (We are using XA6.5 and XA6)
Configure the AD Polices on the NS. There are many articles out there on how to do this. The Top two in this list are my first domain and the 3rd one is the second domain.
Build your Vservers for WI and XML for each Domain. It helps to have the xml servers for each farm on different ports to save IP address’s. In this case I have three different farms specified. The one on port 8888 and 8080 are on the same domain and the xml server setup on port 80 is the second domain. I had to create a separate IP for the second domain as my WI vserver is also using port 80. Again if you need help on how to build these their is plenty of articles out there on how to do it.
Configure the AG Vserver to hit multple domains. The NS will step through these in order of priority until it finds a matching username/password match. If you have the same username/password combination on both domains it will always grab the one that has the lowest priority. In this case the Top two Policies hit the first domain and the 3rd one hits the second domain.
Under the Published Applications Tab for the AG Vserver you need to configure some STA’s. In my case I used the first domain/farm servers for STA’s. I would make sure that all the STA’s belong to the same domain/farm. You do not need to have a STA for each domain here.
On the WebInterface Servers configure a Xenapp site for Each Domain making sure to point to the XML Vserver’s created in Step2. Make Sure you have each Site pointing back to the respective Vserver XML LB IP/port and configure it to point to your AG Vserver. In this case the top Site is pointing to the Second Domain and the Second Site is pointing to the First domain. For this it really doesn’t matter what domain
For the Sta Config on the WI Servers I am using STA servers on the First domain even though the users are coming into the second domain. All sites/domains should be setup with the same STA servers and they should match what your AG Vserver has configured for STA servers in Step 2.
Configure the AAA Policies and Profiles to hit the AG Vserver. For this to work the AAA group name must match the AD group that the user is a member of. In this Case the Second one down ASP_Access is my first Domain, and the one A_Access is the Second Domain.
Inside each AAA Group you have your Session policies that point to the specific URL/Domain. Each Domain/AAA group should point back to a different Session policy
Next we need to make sure the Session profile is pointed back to our WI Server site for that domain. Make sure you have the corresponding domain specified and the override global check boxes checked. You will have to create one of these for each domain so that users from that domain hit the appropriate site.
Step 6. Profit!!!
Once again if you have users that have the same username and password in multiple domains they will always get the lower priority domain. If you have any questions feel free to jump on the channel and ask Splatone.