Web proxy support for outbound calls to IdP or third party endpoints
NetScaler authentication can route outbound calls to third-party identity providers (IdPs) through an explicitly configured HTTP or HTTPS forward (web) proxy. This feature includes an optional basic Proxy-Authorization and a customizable bypass list for selected domains or IP addresses.
Many enterprises restrict direct internet access from the NetScaler data plane. Instead, they require outbound traffic to traverse a corporate web proxy to ensure security, auditing, and Data Loss Prevention (DLP) compliance. Modern federated authentication and third-party integrations, such as OAuth, SAML, and Google reCAPTCHA, require connectivity to external third-party endpoints during authentication. NetScaler previously lacked a native mechanism to route these outbound authentication calls through an explicit proxy.
A new global parameter, aaa proxyparam, allows administrators to configure a single explicit forward proxy (IPv4:port) for all authentication, authorization, and auditing outbound HTTP or HTTPS traffic.
Notes:
- Only IPv4 proxy addresses are supported in the initial release.
- The OAuth flow is supported.
Some of the benefits of using a single explicit forward proxy are:
- Corporate egress compliance: Aligns with corporate security policies that mandate proxy traversal for outbound web traffic.
- Expanded IdP integration: Enables OAuth based authentication, such as Microsoft Entra ID, Okta, Duo Universal Prompt, Google, and Intune device compliance checks in proxy-only networks.
- Simplified administration: A single global configuration applies across OAuth outbound endpoints without affecting the end-user experience.
- Granular controls: Using an integrated pattern set (ns_aaa_proxy_bypasslist), administrators can exclude specific IdP host names, domain suffixes, or IP prefixes from proxy routing.
This feature applies to the NetScaler authentication and authorization module (NetScaler Gateway and AAA-TM authentication virtual servers). It also applies to OAuth RP outbound calls, including token, introspect, and user info dynamic endpoints.
Notes:
- Global scope impact: The proxy configuration is enforced at AAA global scope and applies to OAuth outbound calls system-wide. Plan your rollout strategies accordingly.
- Bypass list matching logic: The integrated bypass list uses suffix matching for domain entries. For example, idp.aaa.local matches itself and sub.idp.aaa.local. IP entries use prefix matching. For example, 192.168.1 matches 192.168.1.0 through 192.168.1.255.
- SSL offload targeting: When using HTTPS-to-proxy with load balancing offload, the proxy address configured in set aaa proxyparam must point to the load balancing virtual server IP address:port, not to the backend proxy directly.
Prerequisites
Ensure that the following prerequisites are met:
- NetScaler version 14.1-72.x or later.
- Outbound DNS resolution for IdP host names must work either on the appliance or on the forward proxy, based on your network architecture.
- Reachability from NetScaler SNIP to the explicit proxy IP address:port.
- If Proxy-Authorization is required, the proxy username/password credentials (Basic).
- If HTTPS-to-proxy is required, a load balancing virtual server with an SSL_TCP service bound to the proxy IP address:port.
- NetScaler superuser or AAA-configuration permissions to run set aaa proxyparam and bind policy patset ns_aaa_proxy_bypasslist.
Configure an outbound proxy by using the CLI
- Configure an HTTP forward proxy at the global level:
    set aaa proxyparam -proxy <ip:port> -proxyAuthorization ( disabled | basic ) -proxyUsername <string> {-proxyPassword}
  Example without proxy authentication:
    set aaa proxyparam -proxy [REDACTED]
  Example with basic Proxy-Authorization:
    set aaa proxyparam -proxy [REDACTED] -proxyAuthorization basic -proxyUsername proxyuser -proxyPassword <secret>
- Verify the configuration:
    show aaa parameter
- To manage the bypass list (default patset ns_aaa_proxy_bypasslist):
  - Show the current bypass list:
      show patset ns_aaa_proxy_bypasslist
  - Bind a policy to the patset, for example, for a domain:
      bind policy patset ns_aaa_proxy_bypasslist idp.aaa.local
  - Bind a policy to the patset, for example, for an IP prefix:
      bind policy patset ns_aaa_proxy_bypasslist 192.168.1
  - Unbind a policy from the patset, for example, for a domain:
      unbind policy patset ns_aaa_proxy_bypasslist idp.aaa.local
- To configure secure HTTPS-to-proxy mode by using load balancing offload:
  - Add a service for the OAuth IdP:
      add service oauth_idp_service_ssl [REDACTED] SSL_TCP 3128
  - Add a load balancing virtual server for OAuth:
      add lb vserver oauth_lb_vserver_ssl TCP [REDACTED] 3128
  - Bind the service to the load balancing virtual server:
      bind lb vserver oauth_lb_vserver_ssl oauth_idp_service_ssl
  - Set the AAA proxy parameter to the load balancing virtual server IP and port:
      set aaa proxyparam -proxy [REDACTED]
Configure an outbound proxy by using the GUI
- Navigate to Security > AAA - Application Traffic > Authentication > Settings > Change AAA proxy parameter.
- Configure Proxy (IP:port), Proxy Authorization (disabled or basic), and the optional username and password.
- Manage bypass list under Security > AAA > Patsets > ns_aaa_proxy_bypasslist.
Use cases
You can use this feature to address the following use cases:
Use case 1: OAuth authorization code flow with Duo universal prompt
- The appliance acts as an OAuth Relying Party (RP) and contacts Duo, a cloud IdP, to obtain tokens, introspect tokens, and retrieve user information.
- All outbound HTTPS requests for this flow tunnel through the corporate web proxy by using HTTP CONNECT.
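The bypass-list decision described in the notes above and the HTTP CONNECT tunnel used in this flow, as an added Python example (not NetScaler code): it applies the documented suffix and prefix rules to decide whether an IdP host is sent via the proxy, and builds the CONNECT request with a Basic Proxy-Authorization header when credentials are configured. The label and octet boundary checks, the sample patset entries and the placeholder proxy address are assumptions.

```python
import base64

# Constructed sample patset modelled on ns_aaa_proxy_bypasslist; not a real configuration.
BYPASS_LIST = ["idp.aaa.local", "192.168.1"]


def _is_ip_prefix(entry: str) -> bool:
    # Entries made only of dotted digits are treated as IPv4 prefixes.
    return all(part.isdigit() for part in entry.split("."))


def bypasses_proxy(host: str, bypass_list=BYPASS_LIST) -> bool:
    """True when host goes direct (bypass), False when it is sent via the proxy."""
    host = host.lower().rstrip(".")
    for entry in bypass_list:
        entry = entry.lower()
        if _is_ip_prefix(entry):
            # Prefix match, assumed to be on an octet boundary so that
            # "192.168.1" matches 192.168.1.0-192.168.1.255 but not 192.168.10.5.
            if host == entry or host.startswith(entry + "."):
                return True
        elif host == entry or host.endswith("." + entry):
            # Suffix match, assumed to be on a label boundary so that
            # "idp.aaa.local" matches sub.idp.aaa.local but not notidp.aaa.local.
            return True
    return False


def build_connect_request(host: str, port: int, user=None, password=None) -> bytes:
    """HTTP CONNECT request sent to an explicit forward proxy to tunnel TLS to host:port,
    with a Basic Proxy-Authorization header when credentials are configured."""
    lines = [f"CONNECT {host}:{port} HTTP/1.1", f"Host: {host}:{port}"]
    if user is not None:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        lines.append(f"Proxy-Authorization: Basic {token}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def plan_outbound(host: str, port: int = 443,
                  proxy=("192.0.2.10", 3128), creds=None) -> dict:
    """Route decision for one outbound IdP call: direct if bypassed, else CONNECT via proxy.
    The proxy address is a placeholder standing in for the aaa proxyparam value."""
    if bypasses_proxy(host):
        return {"route": "direct", "target": (host, port)}
    user, password = creds if creds else (None, None)
    return {"route": "proxy", "target": proxy,
            "connect": build_connect_request(host, port, user, password)}
```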
Use case 2: NetScaler Gateway and Microsoft Intune integration
- NetScaler Gateway verifies device compliance with Microsoft Intune before granting access to back-end applications such as corporate email.
- Route the outbound HTTPS compliance query to Intune through your explicit web or forward proxy.