URL Rewrite and Responder with Citrix NetScaler

You can use the URL Rewrite feature to accomplish tasks such as directing users to the full StoreFront path if they do not specify it internally. You could also rewrite HTTP requests to HTTPS or rewrite headers in a TCP packet.

For example:

  1. User enters https://storefront.citrixpro.co.uk into the address bar.
  2. NetScaler rewrites the URL to append /Citrix/StoreWeb/ to the URL which directs users to Receiver for Web.

This is just one way you can use URL Rewrite.

To see how to set Receiver for Web as the default web page in IIS see this post.

Using Responder, we can also direct users to different websites on the fly, or respond with a maintenance page for example. One of the main differences between Rewrite and Responder is that Rewrite can apply to both requests and responses whilst Responder can only apply to requests reaching the NetScaler.

Rewrite:

Enable the URL Rewrite feature by navigating to Configuration -> System -> Settings -> Configure Basic Features.

Note: Rewrite and Responder come with Standard, Enterprise and Platinum editions of NetScaler.

Tick Rewrite and click OK.

CLI command = enable ns feature rewrite.

To create a rewrite action navigate to AppExpert -> Rewrite -> Actions -> Add.

  • Enter a name.
  • Type = REPLACE
  • Expression to choose target location = HTTP.REQ.URL
  • Expression to Replace with = "/ReceiverforWeb/Address"
  • Click Create.

Note: If you wanted to rewrite the value of the User-Agent header for example, you could configure your Rewrite action as below. You would then create a Rewrite policy which matches on the User-Agent header value that you would like to replace with the User-Agent header value below.

Navigate to AppExpert -> Rewrite -> Policies -> Add.

  • Enter a name.
  • Action = Action you created.
  • Expression = HTTP.REQ.URL.EQ("/")
  • Click Create.

Navigate to Traffic Management -> Load Balancing -> Virtual Servers and edit your existing Load Balanced StoreFront vServer.

Under Policies click Add.

  • Choose Policy = Rewrite.
  • Choose Type = Request.
  • Continue.

Click Click to select under Select Policy.

Select the Rewrite Policy and click Bind.

Click Done to finish editing the vServer.

Now when a user types https://storefront.citrixpro.co.uk into a web browser the /Citrix/CitrixProWeb/ portion is automatically added and users are redirected to Receiver for Web.

Back viewing your Rewrite Policy you can see the Hits counter has gone up.
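
The same Rewrite configuration from the command line, as an added example that is not part of the original post. The object names (rw_act_storefront, rw_pol_storefront, lb_vs_storefront) are placeholders, and the path is the /Citrix/StoreWeb/ value from the example at the top of the page; substitute your own Receiver for Web path.

```netscaler
# Added example: CLI equivalent of the GUI steps above.
# Object names are placeholders, not taken from the post.

# 1. Enable the feature.
enable ns feature rewrite

# 2. Action: replace the request URL with the Receiver for Web path.
#    The inner quotes are escaped because the replacement is a string expression.
add rewrite action rw_act_storefront replace HTTP.REQ.URL "\"/Citrix/StoreWeb/\""

# 3. Policy: fire only when the client asked for the bare root path.
add rewrite policy rw_pol_storefront "HTTP.REQ.URL.EQ(\"/\")" rw_act_storefront

# 4. Bind to the existing StoreFront load balancing vServer as a request-time policy.
bind lb vserver lb_vs_storefront -policyName rw_pol_storefront -priority 100 -gotoPriorityExpression END -type REQUEST

# 5. Confirm the binding and watch the hit counter.
show lb vserver lb_vs_storefront
show rewrite policy rw_pol_storefront
```

The policy matches "/" exactly, so requests for any other path reach StoreFront unmodified.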

Responder:

You can use Responder to accomplish tasks such as transferring users from one URL to another.

In this example, I have a web site load balanced through NetScaler on protocol HTTP (port 80). The URL to access the site is http://mywebapp.citrixpro.co.uk/. I want to use a Responder policy to direct users to a new version of the web site which is available on URL http://mywebappnew.citrixpro.co.uk/. These web servers are just basic default IIS installs showing the main IIS splash screen.

http://mywebapp.citrixpro.co.uk/ and http://mywebappnew.citrixpro.co.uk/ run on two different virtual machines.

To enable Responder navigate to Configuration -> System -> Settings -> Configure Advanced Features.

Tick Responder -> OK.

CLI command = enable ns feature responder.

To create a Responder action navigate to AppExpert -> Responder -> Actions -> Add.

  • Enter a name.
  • Type = Redirect.
  • Expression = "http://mywebappnew.citrixpro.co.uk"
  • Click Create.

Navigate to AppExpert -> Responder -> Policies -> Add.

  • Enter a name.
  • Action = Responder action you just created.
  • Expression = HTTP.REQ.HOSTNAME.EQ("mywebapp.citrixpro.co.uk")
  • Click Create.

Now let me show you what happens when I browse to http://mywebapp.citrixpro.co.uk/. I hit the Load Balanced vServer VIP and am then directed to a server which is actually one of my StoreFront servers.

Back on the NetScaler, navigate to Traffic Management -> Load Balancing -> Virtual Servers and edit the web server vServer.

Click on Add under Policies.

  • Choose Policy = Responder.
  • Choose Type = Request.
  • Click Continue.

Click Click to select under Select Policy.

Select the Responder policy. Click Bind.

Click Done.

Now upon navigating to http://mywebapp.citrixpro.co.uk/ you will be redirected to the new web address.

If you view the Responder policy you can see it has been hit a couple of times.

Here is an example Wireshark trace (taken from a different redirect) showing the 302 Found: Moved Temporarily packet including the new location that NetScaler is directing the client to.

Responder to redirect HTTP to HTTPS (NetScaler Gateway):

Let me show you how to direct HTTP requests to HTTPS when users are connecting to NetScaler Gateway. We can use both Content Switching and Load Balanced vServers with the Responder policy attached.

Create a Responder action:

Type = Redirect

Expression: "https://netscalergatewayurl.domain.com"

By default this will perform a standard 302 redirect, meaning the page has moved temporarily. This ensures the browser does not cache the page. You can change the redirect code to 301 for example to tell web browsers that this is a permanent move.

Create a Responder policy:

Action = Action we have just created.

Expression = HTTP.REQ.HOSTNAME.CONTAINS("netscalergatewayurl.domain.com")

Now create a Content Switching Virtual Server:

Protocol = HTTP

IP Address = IP address of the NetScaler Gateway vServer (VIP)

Port = 80

Click to add a policy.

Choose Responder under Choose Policy and Request under Choose Type.

Click on Click to select.

Click the radio button beside the Responder Policy you have just created and click Select.

Click Bind. Now when users type http://netscalergatewayurl.domain.com they will be directed to the HTTPS URL.

To achieve the same result this time with a Load Balanced vServer instead of a Content Switching vServer, navigate to Traffic Management -> Virtual Servers -> Add.

Protocol = HTTP.

IP Address = Same IP as NetScaler Gateway VIP.

Port = 80.

Click OK.

Click to add a service.

Click on Click to select.

Click Add.

IP = A dummy IP that doesn’t represent any backend server.

Protocol = HTTP.

Port = 80.

Untick Health Monitoring so that this service is marked as up.

Click OK.

Click Done.

Click Select.

Click Bind.

Click Continue.

Click Done.

As you can see now, the Virtual Server is up. This is a requirement since clients are going to need to connect to something on port 80 originally before being redirected.

The last step is to bind the Responder policy to the Load Balanced vServer.

Once done, clients will be redirected to HTTPS and the Responder policy hits counter will increase.
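
The two Responder procedures above (the old-site to new-site redirect, and the HTTP to HTTPS redirect using a Load Balanced vServer with a dummy service) expressed as CLI commands. This is an added example, not part of the original post; the object names and the 192.0.2.x addresses are placeholders for your own vServer names, Gateway VIP and dummy service IP.

```netscaler
# Added example: CLI equivalent of the Responder steps above.
# Object names and 192.0.2.x addresses are placeholders.

enable ns feature responder

# Part 1: redirect the old site to the new site, bound to the existing web vServer.
add responder action rs_act_newsite redirect "\"http://mywebappnew.citrixpro.co.uk\""
add responder policy rs_pol_newsite "HTTP.REQ.HOSTNAME.EQ(\"mywebapp.citrixpro.co.uk\")" rs_act_newsite
bind lb vserver lb_vs_mywebapp -policyName rs_pol_newsite -priority 100 -gotoPriorityExpression END -type REQUEST

# Part 2: HTTP to HTTPS for NetScaler Gateway.
# Fixed redirect target; 302 is the default, set 301 for a permanent move.
add responder action rs_act_gw_https redirect "\"https://netscalergatewayurl.domain.com\"" -responseStatusCode 302
add responder policy rs_pol_gw_https "HTTP.REQ.HOSTNAME.CONTAINS(\"netscalergatewayurl.domain.com\")" rs_act_gw_https

# Dummy service with health monitoring off so the port 80 vServer is marked UP.
add service svc_always_up 192.0.2.99 HTTP 80 -healthMonitor NO

# Port 80 listener on the Gateway VIP (192.0.2.10 stands in for it).
add lb vserver lb_vs_gw_http HTTP 192.0.2.10 80
bind lb vserver lb_vs_gw_http svc_always_up
bind lb vserver lb_vs_gw_http -policyName rs_pol_gw_https -priority 100 -gotoPriorityExpression END -type REQUEST

# Check vServer state and the policy hit counter.
show lb vserver lb_vs_gw_http
show responder policy rs_pol_gw_https
```

Because the redirect target is a fixed string, the Location header sent to the client never contains anything taken from the request.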


31 Comments

  • Jackie

    June 16, 2016

    Hi,

    I am facing the issue. I created the rewrite actions and policies. It is showing active but I don’t see any hits on it. Also it is not resolving to new webpage (where I want to redirect). Please give your suggestions for the possible cause.
    • George Spiers

      June 18, 2016

      If you created the Rewrite action, policy and then bound that policy to your StoreFront LB vServer it should work.

      Please feel free to email me screenshots of the Rewrite configuration and I will try and help.
      george@jgspiers.com

  • Andrew Niteesh

    August 1, 2016

    Hi,

    We are trying to do a rewrite for SMB which is a file sharing protocol. Is it possible to do, if so can you please help me out with that.
    Thanks in advance.

    – Andrew
  • Raja

    August 10, 2016

    Hi George,

    Thanks for the article. I followed it but was getting a “Placeholder” message accessing the site. However it worked after making the below two corrections –
    1. The Expression in Policy rule should be HTTP.REQ.URL.EQ(“/”).
    In the article it is mentioned as HTTP.REQ.URL.EQ(/)
    2. Under Action, the Expression to Replace with should be = “/ReceiverforWeb/Address” instead of “/ReceiverforWeb/Address/”

    • George Spiers

      August 10, 2016

      Hi Raja

      Yes you are right, only one picture shows HTTP.REQ.URL.EQ(/), the others rightly show (“/”) so not sure how that happened :). I have updated the incorrect picture to indeed show (“/”). Thanks for spotting that.

  • DJ

    August 24, 2016

    Great article George. I have a scenario where after logging out of StoreFront (coming through NetScaler gateway) I must close my browser and open a new session in order to log back in. If I just close my browser tab, I get a smart card login error. This makes for a bad user experience b/c you have to close all tabs/browsers (whether IE/Chrome) depending upon which browser you use and log back in. I have looked into a session cookie invalidation using a rewrite policy. I’ve also looked at a responder policy to kill/drop the session as well as a traffic policy and can’t seem to find a working policy as I am using smart card authentication in my production lab but not in my other lab environments. Just to add in my production lab I am using ADFS/SAML and smart card auth. I am also able to successfully invalidate the NSC_AAAC session cookie but from what I can tell cannot seem to invalidate the CtxsSmartcardAuthenticated session cookie which is what I think is hanging me up. Any ideas or thoughts you have would be greatly appreciated!
    • George Spiers

      August 24, 2016

      Hi DJ. If you do not close the browser and try to log on what is the exact error message you are getting? Is StoreFront load balanced through NetScaler or is the NetScaler Gateway sending direct to backend StoreFront servers?
  • Vincent Gedye

    March 16, 2017

    Good post!

  • SK

    July 12, 2017

    Hi George,

    Great article! We are trying to define rewrite/responder policies to include Client IP in the syslogs.
    We were successful testing this in our Lab environment. We are concerned what would be the effect if we bind the responder/rewrite policy to all the Virtual servers that are configured on the netscaler.

    Can you please shed some light on the impact, We have around 100-200 Virtual servers on the Netscaler and we do have considerably more traffic going through the netscaler.

    Thanks,
    SK

    • George Spiers

      July 13, 2017

      Hi SK. It isn’t easy to predict because every customer NetScaler will be different in terms of how many requests are sent to the NetScaler each second. The positive is that such a Rewrite is not complex and therefore it is more a case of how many NetScaler will have to perform. I can only advise you test this yourself by enabling on a handful of Virtual Servers, monitoring the NetScaler resource consumption before/afterwards and repeating the process for additional Virtual Servers. Also keep in mind that NetScaler has an “Insert Client IP Address” option which inserts the Client IP into a new header. This only works for HTTP/S traffic and can be enabled globally or at a service level. I would recommend this option if it suits before using Rewrite.
  • Vikas Dewan

    September 20, 2017

    Hi George,

    I have a scenario, where I need to rewrite the url based upon the web service response.
    If response is true then redirect to old system otherwise new system. Can we configure the same in netscaler ? Can netscaler make decision based upon the service call ?

    Thanks,
    Vikas

    • George Spiers

      September 20, 2017

      Yes that sounds do-able. So you create a Rewrite policy for Response which analyses the response from the backend web server, and an action is associated with the policy which rewrites the URL and sends to client.

      • Parag

        March 16, 2022

        Hi George,
        Thank you for this article.

        I have one scenario where we are trying one of our URLs (example: https://myurl.com)

        Can we redirect or rewrite this URL to ( https://myurl.com/home/my page) when client originally tries for (https://myurl.com)

        Can you help me with what I should use – responder/rewrite/url transform

        Do you have any use case or syntax that can help me
  • Brenton Crosby

    October 16, 2017

    Hi George, thanks for your post. I’m attempting to redirect from one HTTPS to another HTTPS. However in the responder policy, it’s saying Expression syntax error [^HTTPS.REQ., Offset 0]
    when I attempt to set the expression as HTTPS.REQ.HOSTNAME.EQ(“myoldwebapp.mysite.com.au”)
    in the Responder policy. Do you know how I would go about redirecting a HTTPS site to another HTTPS site?
    It’s currently listed as a Virtual Server, however I’ll be updating it to just redirect and would like to achieve this through the Netscaler.
    • George Spiers

      October 16, 2017

      The expression should be: HTTP.REQ.HOSTNAME.EQ(“myoldwebapp.mysite.com.au”)
      Could also be: HTTP.REQ.URL.EQ(“https://myoldwebapp.mysite.com.au”)

      Alternatively:
      On the old HTTPS Virtual Server, under Protection -> Redirect URL -> enter the new URL you want users to be redirected to. Then, mark the Virtual Server as disabled. All requests to HTTPS URL old will be redirected to HTTPS URL new.


  • roger

    August 6, 2018

    Excellent post
    I have a question though.
    I have a rewrite policy that works by looking at specific text in the browser tab and changes it from NetScaler AAA to a new name. This doesn’t happen straight away and is therefore a security risk by advertising the NetScaler AAA. Is there any way of configuring so that it does not show the AAA and references the new name straight away.

    Expression to choose target location
    HTTP.RES.BODY(120000)
    Expression is
    new name
    Text search is
    NetScaler AAA

  • Ray

    December 5, 2018

    Is there not a way to do this with a Vserver? So it appears that you have a Vserver “UP” in order for the URL redirect to work. Which then means you have to make sure the backend is always up as well. Which in my opinion defeats the redirect. Is there another way to get around this?
    • George Spiers

      December 6, 2018

      You can have a vServer that is down, for example no services are bound to it. You can then use the Protection features of that vServer, in particular the “Redirect URL” or “Backup Virtual Server” options.

  • Ray

    December 5, 2018

    Without a Vserver being up I meant.

  • Clinton

    January 16, 2019

    Hiya, is it possible to use Netscaler to do a 301 redirect from my .co.uk web interface to the .com address both sites use certificates. Users currently use the .co.uk address internally and externally. I’ve enabled MFA on my .com address. I would like to redirect all external users from the .co.uk to the .com address.

    • George Spiers

      January 23, 2019

      Yes you could use a Responder policy for that.

  • ric

    February 2, 2019

    Hi George,
    We are trying to do two things.
    1) Is it possible to remove Network Access choice from SSL VPN choice page with rewrite policy?
    What we are trying to do, we just want users to see only Client Less option.
    2) If above scenario is not possible then can we do something so user will default to Client less choice only.

    Ric
    • George Spiers

      February 3, 2019

      Hello – Within your Session Profile uncheck “Client Choices” and set Clientless Access to ON.

  • Shekhar

    March 14, 2019

    Hi George,

    Is it possible to redirect a NS Gateway URL for a specific subnet of users
    we have a requirement to have a set of users to launch a different gateway and all other users hitting in the existing URL should not be affected

    • George Spiers

      March 15, 2019

      If the requirement is to have completely separate Gateway vServers, you would need to have an extra URL for specific users which points to the VIP of a second Gateway.
      If users can go to the same Gateway but need to be directed to different StoreFront for example, that is easy to achieve by split Session Policies.
      GSLB is another option but is likely overkill for what you want to achieve.

  • Sami

    July 17, 2019

    Need help for webdispatcher sap..

  • Loki

    May 6, 2020

    How do I write a rewrite policy for CSP for one specific url?

  • Stephan Hardtmann

    June 23, 2020

    Great Article. Good job!
    I’ve got a challenge which I can’t get solved.

    I try to create a responder policy like you but:

    Old URL:
    https://oldurl.com/subpath /additionally dynamic paths

    replace with new URL:
    https://newurl.com /additionally dynamic paths

    do you have any idea?
    Thanks a lot.

  • Andrea Gennari

    December 28, 2021

    Hi, I found this article very interesting. I have a similar problem.
    I would like to replace the url “https://mysite.com/something” with “https://mysite.com:444”.
    Is it possible? Following the steps on the article it doesn’t work. Is there another way?
