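# Commands for setting up SAML auth on a Unified Gateway and a StorageZone LB
#
# The script assumes an existing Unified Gateway with the following parameters:
#   CS vServer:  cs-vsrv-UGW.domain.pit with IP 192.168.200.10
#   NSG vServer: nsg-vsrv-access.domain.pit without IP (0.0.0.0) --> FQDN: https://access.domain.pit
#   Wildcard:    wildcard.domain.pit
#
# "SicheresPasswort" and "IhreSubdomain" are placeholders; replace them before running
# and keep the filled-in copy out of shared repositories (it then contains a bind password).

# --- Load-balanced LDAPS for SAML (mail attribute as the user name) ---
add server pitad01 192.168.100.61
add server pitad02 192.168.100.62
add service svc-ldaps-pitad01 pitad01 SSL_TCP 636
add service svc-ldaps-pitad02 pitad02 SSL_TCP 636
add lb vserver lb-vsrv-ldaps SSL_TCP 192.168.100.60 636 -persistenceType NONE
# Cert key name aligned with the header and the other ssl binds below.
# NOTE(review): the source bound "wildcard10.domain.pit" here, a key no other
# command defines - revert if a separate cert key is really intended.
bind ssl vserver lb-vsrv-ldaps -certkeyName wildcard.domain.pit
bind lb vserver lb-vsrv-ldaps svc-ldaps-pitad01
bind lb vserver lb-vsrv-ldaps svc-ldaps-pitad02
# -serverIP is the LDAPS LB vserver above (not a single DC); the bind DN is a
# dedicated service account, login is matched on the mail attribute.
add authentication ldapAction ldap-srv-ldaps.domain.pit -serverIP 192.168.100.60 -serverPort 636 -ldapBase "dc=domain,dc=pit" -ldapBindDn svcldap@domain.pit -ldapBindDnPassword SicheresPasswort -ldapLoginName mail -groupAttrName memberOf -subAttributeName cn -secType SSL -ssoNameAttribute UserPrincipalName -passwdChange ENABLED -Attribute1 mail
add authentication ldapPolicy ldap-pol-ldaps.domain.pit ns_true ldap-srv-ldaps.domain.pit
bind vpn vserver nsg-vsrv-access.domain.pit -policy ldap-pol-ldaps.domain.pit -priority 100

# --- SAML IdP ---
# IdP signing cert and the ShareFile SP cert (both can also be imported via the GUI)
add ssl certKey sharefilesaml.domain.pit # easiest via GUI
add ssl certKey SharefileSAML-SP -cert sharefilesaml-SP.cer # or via GUI
# NOTE(review): no -nameIDFormat/-nameIDExpr is set, so the profile default applies;
# confirm against the ShareFile SAML settings which NameID it expects.
add authentication samlIdPProfile SAML-Prof-Sharefile -samlSPCertName SharefileSAML-SP -samlIdPCertName sharefilesaml.domain.pit -assertionConsumerServiceURL "https://IhreSubdomain.sharefile.eu/saml/acs" -samlIssuerName "https://access.domain.pit" -audience "https://IhreSubdomain.sharefile.eu"
add authentication samlIdPPolicy SAML-Pol-Sharefile -rule "HTTP.REQ.URL.CONTAINS(\"saml\")" -action SAML-Prof-Sharefile
bind vpn vserver nsg-vsrv-access.domain.pit -policy SAML-Pol-Sharefile -priority 150 -gotoPriorityExpression END -type REQUEST

# --- StorageZone ---
# The basics can also be done with the GUI wizard, but it does not assume a Unified Gateway.

# Load-balanced StorageZone (Data and Connectors) incl. auth
add server pitsz01 192.168.100.80
add service svc-https-pitsz01-Sharefile pitsz01 SSL 443
# Both LB vservers are non-addressable (0.0.0.0) and reached only through the CS vserver.
# Data: token-based LB on the uploadid query value. Connectors: 401-based auth delegated to the Gateway vserver.
add lb vserver lb-vsrv-Sharefile-Data SSL 0.0.0.0 0 -persistenceType SSLSESSION -lbMethod TOKEN -rule "http.REQ.URL.QUERY.VALUE(\"uploadid\")"
add lb vserver lb-vsrv-Sharefile-Connectors SSL 0.0.0.0 0 -persistenceType COOKIEINSERT -timeout 240 -authn401 ON -authnVsName nsg-vsrv-access.domain.pit
bind lb vserver lb-vsrv-Sharefile-Data svc-https-pitsz01-Sharefile
bind lb vserver lb-vsrv-Sharefile-Connectors svc-https-pitsz01-Sharefile
bind ssl vserver lb-vsrv-Sharefile-Data -certkeyName wildcard.domain.pit
bind ssl vserver lb-vsrv-Sharefile-Connectors -certkeyName wildcard.domain.pit
add lb monitor mon-SZC-Heartbeat HTTP-ECV -send "GET /heartbeat.aspx" -recv "***ONLINE***" -LRTM DISABLED -secure YES
bind service svc-https-pitsz01-Sharefile -monitorName mon-SZC-Heartbeat

# --- HTTP callouts: let the StorageZone validate the request signature (validate.ashx) ---
# _SF_VAL_LB_CALLOUT handles URLs that carry an &h= hash, _SF_VAL_LB_CALLOUT_y URLs without one.
# -resultExpr is TRUE when the zone does NOT answer 200, i.e. TRUE means "reject" (see responder policy).
# Both callouts are fully defined by the add commands; a follow-up "set" with identical parameters is not needed.
# NOTE(review): -scheme http is used against an SSL vserver; confirm the callout completes on your build.
add policy httpCallout _SF_VAL_LB_CALLOUT -vServer lb-vsrv-Sharefile-Data -returnType BOOL -hostExpr "\"ShareFile\"" -urlStemExpr "\"/validate.ashx?RequestURI=\" + HTTP.REQ.URL.BEFORE_STR(\"&h\").HTTP_URL_SAFE.B64ENCODE + \"&h=\"+ HTTP.REQ.URL.QUERY.VALUE(\"h\")" -scheme http -resultExpr "HTTP.RES.STATUS.EQ(200).NOT"
add policy httpCallout _SF_VAL_LB_CALLOUT_y -vServer lb-vsrv-Sharefile-Data -returnType BOOL -hostExpr "\"ShareFile\"" -urlStemExpr "\"/validate.ashx?RequestURI=\" + HTTP.REQ.URL.HTTP_URL_SAFE.B64ENCODE + \"&h=\"" -scheme http -resultExpr "HTTP.RES.STATUS.EQ(200).NOT"
# DROP every request the zone does not validate. Parentheses make the two branches explicit
# (&& already binds tighter than ||, so the evaluation is unchanged). crossdomain.xml and the
# validate.ashx endpoint itself are exempt.
add responder policy rs-pol-Sharefile "(HTTP.REQ.URL.CONTAINS(\"&h=\") && HTTP.REQ.URL.CONTAINS(\"/crossdomain.xml\").NOT && HTTP.REQ.URL.CONTAINS(\"/validate.ashx?requri\").NOT && SYS.HTTP_CALLOUT(_SF_VAL_LB_CALLOUT)) || (HTTP.REQ.URL.CONTAINS(\"&h=\").NOT && HTTP.REQ.URL.CONTAINS(\"/crossdomain.xml\").NOT && HTTP.REQ.URL.CONTAINS(\"/validate.ashx?requri\").NOT && SYS.HTTP_CALLOUT(_SF_VAL_LB_CALLOUT_y))" DROP
bind lb vserver lb-vsrv-Sharefile-Data -policyName rs-pol-Sharefile -priority 100 -gotoPriorityExpression END -type REQUEST

# --- CS vserver of the Unified Gateway ---
add policy expression host_sharefile "HTTP.REQ.HOSTNAME.SET_TEXT_MODE(ignorecase).STARTSWITH(\"sharefile\")"
add cs action cs-act-Sharefile-Data -targetLBVserver lb-vsrv-Sharefile-Data
add cs action cs-act-Sharefile-Connectors -targetLBVserver lb-vsrv-Sharefile-Connectors
add cs policy cs-pol-Sharefile-Data -rule "(host_sharefile && HTTP.REQ.URL.CONTAINS(\"/cifs/\").NOT && HTTP.REQ.URL.CONTAINS(\"/sp/\").NOT)" -action cs-act-Sharefile-Data
# The host check must apply to both paths: && binds tighter than ||, so without the inner
# parentheses any host whose URL contains /sp/ would be sent to the Connectors vserver.
add cs policy cs-pol-Sharefile-Connectors -rule "(host_sharefile && (HTTP.REQ.URL.CONTAINS(\"/cifs/\") || HTTP.REQ.URL.CONTAINS(\"/sp/\")))" -action cs-act-Sharefile-Connectors
# Data (110) is evaluated before Connectors (120); its rule already excludes /cifs/ and /sp/.
bind cs vserver cs-vsrv-UGW.domain.pit -policyName cs-pol-Sharefile-Data -priority 110
bind cs vserver cs-vsrv-UGW.domain.pit -policyName cs-pol-Sharefile-Connectors -priority 120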