Delegating NetScaler Administration to Active Directory Group
I often get the request to delegate the administration of NetScalers to an Active Directory group, particularly in very large organizations.
This is a very simple procedure, but you should be very careful when granting permissions on such devices, since a small mistake may lead to serious problems.
Let's get started then...
The first thing you have to do is create an LDAP server. This is the server that authentication requests are directed to. As a best practice you should add more than one server. I always create an LDAP (and sometimes an LDAPS) vServer that load balances all the AD Domain Controllers and use that one.
So, to create the LDAP server, navigate to System - Authentication - LDAP, click "Servers" and then "Add". Fill in the friendly name, the IP address and port of the server (the AD server or the LDAP vServer) and the details about the domain, then create the server.
Next, you have to create the authentication policy: click on the "Policy" tab and then "Add". Fill in the friendly name of the policy, select the server you created in the previous step and add "ns_true" as the expression. Then create the policy.
That's not all: you will have to bind the newly created policy at the global level. To do so, select the "Global Binding" option in the "Actions" menu from within the policy tab. If you have successfully bound the policy at the global level, you'll see a tick under the "Globally Bound" column of the policy list.
Finally, you have to create the group of users that you want to grant permissions to, both in Active Directory and on the NetScaler. Create the group in AD and note the group name. Then navigate to System - User Administration - Groups and hit "Add" to create a group. The "Group Name" field has to be identical to the name of the group in AD. Select the permission level you want the users to have and click "Close". Don't forget to save the NetScaler configuration!
You should then be able to log in to the NetScaler with your Active Directory account.
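The same procedure typed at the NetScaler CLI over SSH, as an added example that is not part of the original post. Hostnames, IP addresses, the base DN, the bind account and the group name are placeholders I chose; the search filter and the LDAPS port are my additions so that only members of the admin group can authenticate at all.

```nscli
# Constructed example: the GUI steps above as NetScaler CLI commands.
# All names, IPs and DNs are placeholders; adapt them to your environment.

# 1. Optional: front the Domain Controllers with an LDAPS load-balancing vServer
add server dc01 10.0.0.11
add server dc02 10.0.0.12
add serviceGroup sg_ldaps TCP
bind serviceGroup sg_ldaps dc01 636
bind serviceGroup sg_ldaps dc02 636
add lb vserver vs_ldaps TCP 10.0.0.100 636
bind lb vserver vs_ldaps sg_ldaps

# 2. The LDAP server (action): use LDAPS, a read-only bind account, and
#    group extraction (memberOf / cn) so the AD group name reaches the NetScaler.
#    The searchFilter restricts who may authenticate to members of the admin group.
add authentication ldapAction ldap_act_ad -serverIP 10.0.0.100 -serverPort 636 -secType SSL -ldapBase "dc=example,dc=local" -ldapBindDn "cn=svc_ns_ldap,ou=service accounts,dc=example,dc=local" -ldapBindDnPassword "<bind-account-password>" -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn -searchFilter "memberOf=cn=NetScaler-Admins,ou=groups,dc=example,dc=local"

# 3. The policy with the ns_true expression, bound at the global level
add authentication ldapPolicy ldap_pol_ad ns_true ldap_act_ad
bind system global ldap_pol_ad -priority 100

# 4. The system group, named exactly like the AD group, with its command policy
#    (superuser here; use a narrower built-in or custom command policy where possible)
add system group NetScaler-Admins -timeout 900
bind system group NetScaler-Admins -policyName superuser -priority 100

# 5. Verify the bindings before saving, then save
show authentication ldapAction ldap_act_ad
show system global
show system group NetScaler-Admins
save ns config
```

After saving, test with an account that is in the AD group and one that is not; the second should be rejected at login, and "show system session" on the NetScaler shows which group the first one was mapped to.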