You can use the URL Rewrite feature to accomplish tasks such as directing users to the full StoreFront path if they do not specify it internally. You could also rewrite HTTP requests to HTTPS or rewrite headers in a TCP packet.
For example:
- User enters https://storefront.citrixpro.co.uk into the address bar.
- NetScaler rewrites the URL to append /Citrix/StoreWeb/ to the URL which directs users to Receiver for Web.
This is just one way you can use URL Rewrite.
To see how to set Receiver for Web as the default web page in IIS see this post.
Using Responder, we can also direct users to different websites on the fly, or respond with a maintenance page for example. One of the main differences between Rewrite and Responder is that Rewrite can apply to both requests and responses whilst Responder can only apply to requests reaching the NetScaler.
Rewrite:
Enable the URL Rewrite feature by navigating to Configuration -> System -> Settings -> Configure Basic Features.
Note: Rewrite and Responder come with Standard, Enterprise and Platinum editions of NetScaler.
Tick Rewrite and click OK.
CLI command = enable ns feature rewrite.
To create a rewrite action navigate to AppExpert -> Rewrite -> Actions -> Add.
- Enter a name.
- Type = REPLACE
- Expression to choose target location = HTTP.REQ.URL
- Expression to Replace with = "/ReceiverforWeb/Address"
- Click Create.
Note: If you wanted to rewrite the value of the User-Agent header for example, you could configure your Rewrite action as below. You would then create a Rewrite policy which matches on the User-Agent header value that you would like to replace with the User-Agent header value below.
Navigate to AppExpert -> Rewrite -> Policies -> Add.
- Enter a name.
- Action = Action you created.
- Expression = HTTP.REQ.URL.EQ("/")
- Click Create.
Navigate to Traffic Management -> Load Balancing -> Virtual Servers and edit your existing Load Balanced StoreFront vServer.
Under Policies click Add.
- Choose Policy = Rewrite.
- Choose Type = Request.
- Continue.
Click "Click to select" under Select Policy.
Select the Rewrite Policy and click Bind.
Click Done to finish editing the vServer.
Now when a user types https://storefront.citrixpro.co.uk into a web browser the /Citrix/CitrixProWeb/ portion is automatically added and users are redirected to Receiver for Web.
Back viewing your Rewrite Policy you can see the Hits counter has gone up.
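The GUI steps above map onto the following CLI commands. This is an added example, not taken from the original post: the object names (rw_act_sf_default, rw_pol_sf_default, lb_vs_storefront) are placeholders, and the store path is the /Citrix/StoreWeb/ value from the example at the top of the page, so substitute your own Receiver for Web path.

```netscaler
# Added example. Object names are placeholders, not from the original post.
enable ns feature REWRITE

# Action: replace the whole request URL with the Receiver for Web path.
# The inner escaped quotes make the replacement a string literal.
add rewrite action rw_act_sf_default replace HTTP.REQ.URL "\"/Citrix/StoreWeb/\""

# Policy: fire only when the request URL is exactly "/".
# Requests that already carry a path are left untouched.
add rewrite policy rw_pol_sf_default "HTTP.REQ.URL.EQ(\"/\")" rw_act_sf_default

# Bind the policy to the existing StoreFront load balancing vServer,
# on the request side, and stop evaluating further policies after it.
bind lb vserver lb_vs_storefront -policyName rw_pol_sf_default -priority 100 -gotoPriorityExpression END -type REQUEST

# Check the binding, then watch the policy hit counter after a test request.
show lb vserver lb_vs_storefront
show rewrite policy rw_pol_sf_default
```

If the hit counter stays at zero after a test request, check that the policy is bound to the vServer the request actually reaches and that the bind type is REQUEST.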
Responder:
You can use Responder to accomplish tasks such as transferring users from one URL to another.
In this example, I have a web site load balanced through NetScaler on protocol HTTP (port 80). The URL to access the site is http://mywebapp.citrixpro.co.uk/. I want to use a Responder policy to direct users to a new version of the web site which is available on URL http://mywebappnew.citrixpro.co.uk/. These web servers are just basic default IIS installs showing the main IIS splash screen.
http://mywebapp.citrixpro.co.uk/ and http://mywebappnew.citrixpro.co.uk/ run on two different virtual machines.
To enable Responder navigate to Configuration -> System -> Settings -> Configure Advanced Features.
Tick Responder -> OK.
CLI command = enable ns feature responder.
To create a Responder action navigate to AppExpert -> Responder -> Actions -> Add.
- Enter a name.
- Type = Redirect.
- Expression = "http://mywebappnew.citrixpro.co.uk"
- Click Create.
Navigate to AppExpert -> Responder -> Policies -> Add.
- Enter a name.
- Action = Responder action you just created.
- Expression = HTTP.REQ.HOSTNAME.EQ("mywebapp.citrixpro.co.uk")
- Click Create.
Now let me show you what happens when I browse to http://mywebapp.citrixpro.co.uk/. I hit the Load Balanced vServer VIP and am then directed to a server which is actually one of my StoreFront servers.
Back on the NetScaler, navigate to Traffic Management -> Load Balancing -> Virtual Servers and edit the web server vServer.
Click on Add under Policies.
- Choose Policy = Responder.
- Choose Type = Request.
- Click Continue.
Click "Click to select" under Select Policy.
Select the Responder policy. Click Bind.
Click Done.
Now upon navigating to http://mywebapp.citrixpro.co.uk/ you will be redirected to the new web address.
If you view the Responder policy you can see it has been hit a couple of times.
Here is an example Wireshark trace (taken from a different redirect) showing the 302 Found: Moved Temporarily packet including the new location that NetScaler is directing the client to.
Responder to redirect HTTP to HTTPS (NetScaler Gateway):
Let me show you how to direct HTTP requests to HTTPS when users are connecting to NetScaler Gateway. We can use both Content Switching and Load Balanced vServers with the Responder policy attached.
Create a Responder action:
Type = Redirect
Expression: "https://netscalergatewayurl.domain.com"
By default this will perform a standard 302 redirect, meaning the page has moved temporarily. This ensures the browser does not cache the page. You can change the redirect code to 301 for example to tell web browsers that this is a permanent move.
Create a Responder policy:
Action = Action we have just created.
Expression = HTTP.REQ.HOSTNAME.CONTAINS("netscalergatewayurl.domain.com")
Now create a Content Switching Virtual Server:
Protocol = HTTP
IP Address = IP address of the NetScaler Gateway vServer (VIP)
Port = 80
Click to add a policy.
Choose Responder under Choose Policy and Request under Choose Type.
Click on "Click to select".
Click the radio button beside the Responder Policy you have just created and click Select.
Click Bind. Now when users type http://netscalergatewayurl.domain.com they will be directed to the HTTPS URL.
To achieve the same result this time with a Load Balanced vServer instead of a Content Switching vServer, navigate to Traffic Management -> Virtual Servers -> Add.
Protocol = HTTP.
IP Address = Same IP as NetScaler Gateway VIP.
Port = 80.
Click OK.
Click to add a service.
Click on "Click to select".
Click Add.
IP = A dummy IP that doesn’t represent any backend server.
Protocol = HTTP.
Port = 80.
Untick Health Monitoring so that this service is marked as up.
Click OK.
Click Done.
Click Select.
Click Bind.
Click Continue.
Click Done.
As you can see now, the Virtual Server is up. This is a requirement since clients are going to need to connect to something on port 80 originally before being redirected.
The last step is to bind the Responder policy to the Load Balanced vServer.
Once done, clients will be redirected to HTTPS and the Responder policy hits counter will increase.
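The Load Balanced vServer variant of the HTTP to HTTPS redirect, written as CLI commands. This is an added example, not taken from the original post: the object names are placeholders, and 192.0.2.10 and 192.0.2.254 stand in for the NetScaler Gateway VIP and the dummy service IP.

```netscaler
# Added example. Object names and IP addresses are placeholders.
enable ns feature RESPONDER

# Redirect action with a fixed HTTPS target, so the destination never
# depends on anything the client sends. The default status code is 302.
add responder action rs_act_gw_https redirect "\"https://netscalergatewayurl.domain.com\""

# Alternative to the line above for a permanent (301) redirect:
# add responder action rs_act_gw_https redirect "\"https://netscalergatewayurl.domain.com\"" -responseStatusCode 301

# Policy: match HTTP requests sent to the Gateway hostname.
add responder policy rs_pol_gw_https "HTTP.REQ.HOSTNAME.CONTAINS(\"netscalergatewayurl.domain.com\")" rs_act_gw_https

# Dummy service with health monitoring off, so it is always marked UP
# and the port 80 vServer can accept the initial connection.
add service svc_dummy_http 192.0.2.254 HTTP 80 -healthMonitor NO

# HTTP vServer on the same IP as the NetScaler Gateway VIP.
add lb vserver lb_vs_gw_http80 HTTP 192.0.2.10 80
bind lb vserver lb_vs_gw_http80 svc_dummy_http

# Bind the Responder policy on the request side.
bind lb vserver lb_vs_gw_http80 -policyName rs_pol_gw_https -priority 100 -gotoPriorityExpression END -type REQUEST

# Confirm the vServer is UP and watch the policy hit counter.
show lb vserver lb_vs_gw_http80
show responder policy rs_pol_gw_https
```

Because the policy answers every matching request itself, no traffic is ever forwarded to the dummy service.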
Jackie
June 16, 2016
Hi,
I am facing the issue. I created the rewrite actions and policies. It is showing active but I don’t see any hits on it. Also it is not resolving to new webpage (where I want to redirect). Please give your suggestions for the possible cause.
George Spiers
June 18, 2016
If you created the Rewrite action, policy and then bound that policy to your StoreFront LB vServer it should work.
Please feel free to email me screenshots of the Rewrite configuration and I will try and help.
george@jgspiers.com
Andrew Niteesh
August 1, 2016
Hi,
We are trying to do a rewrite for SMB which is a file sharing protocol. Is it possible to do, if so can you please help me out with that.
Thanks in advance.
– Andrew
George Spiers
August 2, 2016
Hi Andrew
I’m not 100% sure. You could have a look here https://www.citrix.com/blogs/2011/08/05/how-to-make-tcp-apps-end-client-aware/?_ga=1.73853466.906435471.1460582171 for guidance.
Regards
Raja
August 10, 2016
Hi George,
Thanks for the article. I followed it but was getting a “Placeholder” message accessing the site. However it worked after making the below two corrections –
1. The Expression in Policy rule should be HTTP.REQ.URL.EQ("/").
In the article it is mentioned as HTTP.REQ.URL.EQ(/)
2. Under Action, the Expression to Replace with should be = "/ReceiverforWeb/Address" instead of "/ReceiverforWeb/Address/"
George Spiers
August 10, 2016
Hi Raja
Yes you are right, only one picture shows HTTP.REQ.URL.EQ(/), the others rightly show ("/") so not sure how that happened :). I have updated the incorrect picture to indeed show ("/"). Thanks for spotting that.
DJ
August 24, 2016
Great article George. I have a scenario where after logging out of StoreFront (coming through NetScaler gateway) I must close my browser and open a new session in order to log back in. If I just close my browser tab, I get a smart card login error. This makes for a bad user experience b/c you have to close all tabs/browsers (whether IE/Chrome) depending upon which browser you use and log back in. I have looked into a session cookie invalidation using a rewrite policy. I’ve also looked at a responder policy to kill/drop the session as well as a traffic policy and can’t seem to find a working policy as I am using smart card authentication in my production lab but not in my other lab environments. Just to add in my production lab I am using ADFS/SAML and smart card auth. I am also able to successfully invalidate the NSC_AAAC session cookie but from what I can tell cannot seem to invalidate the CtxsSmartcardAuthenticated session cookie which is what I think is hanging me up. Any ideas or thoughts you have would be greatly appreciated!
George Spiers
August 24, 2016
Hi DJ. If you do not close the browser and try to log on what is the exact error message you are getting? Is StoreFront load balanced through NetScaler or is the NetScaler Gateway sending direct to backend StoreFront servers?
Vincent Gedye
March 16, 2017
Good post!
SK
July 12, 2017
Hi George,
Great article! We are trying to define rewrite/responder policies to include Client IP in the syslogs.
We were successful testing this in our Lab environment. We are concerned what would be the effect if we bind the responder/rewrite policy to all the Virtual servers that are configured on the netscaler.
Can you please shed some light on the impact, We have around 100-200 Virtual servers on the Netscaler and we do have considerably more traffic going through the netscaler.
Thanks,
SK
George Spiers
July 13, 2017
Hi SK. It isn’t easy to predict because every customer NetScaler will be different in terms of how many requests are sent to the NetScaler each second. The positive is that such a Rewrite is not complex and therefore it is more a case of how many NetScaler will have to perform. I can only advise you test this yourself by enabling on a handful of Virtual Servers, monitoring the NetScaler resource consumption before/afterwards and repeating the process for additional Virtual Servers. Also keep in mind that NetScaler has an “Insert Client IP Address” option which inserts the Client IP into a new header. This only works for HTTP/S traffic and can be enabled globally or at a service level. I would recommend this option if it suits before using Rewrite.
Vikas Dewan
September 20, 2017
Hi George,
I have a scenario, where I need to rewrite the url based upon the web service response.
If response is true then redirect to old system otherwise new system. Can we configure the same in netscaler ? Can netscaler make decision based upon the service call ?
Thanks,
Vikas
George Spiers
September 20, 2017
Yes that sounds do-able. So you create a Rewrite policy for Response which analyses the response from the backend web server, and an action is associated with the policy which rewrites the URL and sends to client.
Parag
March 16, 2022
Hi George,
Thank you for this article..
I have one scenario where We are trying one of our URL (example; https://myurl.com)
Can we redirect or rewrite this URL to ( https://myurl.com/home/my page) when client originally tries for (https://myurl.com)
Can you help me what’s should I use – responder/rewrite/url transform
Do you any used case or syntax that can help me
Brenton Crosby
October 16, 2017
Hi George, thanks for your post. I’m attempting to redirect from one HTTPS to another HTTPS. However in the responder policy, it’s saying Expression syntax error [^HTTPS.REQ., Offset 0]
when I attempt to set the expression as HTTPS.REQ.HOSTNAME.EQ("myoldwebapp.mysite.com.au")
in the Responder policy. Do you know how I would go about redirecting a HTTPS site to another HTTPS site?
It’s currently listed as a VIrtual Server, however I’ll be updating it to just redirect and would like to achieve this through the Netscaler.
George Spiers
October 16, 2017
The expression should be: HTTP.REQ.HOSTNAME.EQ("myoldwebapp.mysite.com.au")
Could also be: HTTP.REQ.URL.EQ("https://myoldwebapp.mysite.com.au")
Alternatively:
On the old HTTPS Virtual Server, under Protection -> Redirect URL -> enter the new URL you want users to be redirected to. Then, mark the Virtual Server as disabled. All requests to HTTPS URL old will be redirected to HTTPS URL new.
roger
August 6, 2018
Excellent post
I have a question though.
I have a rewrite policy that works by looking at specific text in the browser tab and changes it from NetScaler AAA to a new name. This doesn’t happen straight away and is therefore a security risk by advertising the NetScaler AAA. Is there any way of configuring so that it does not show the AAA and references the new name straight away.
Expression to choose target location
HTTP.RES.BODY(120000)
Expression is
new name
Text search is
NetScaler AAA
Ray
December 5, 2018
Is there not a way to do this with a Vserver? So it appears that you have a Vserver “UP” in order for the URL redirect to work. Which then means you have to make sure the backend is always up as well. Which in my opinion defeats the redirect. Is there another way to get around this?
George Spiers
December 6, 2018
You can have a vServer that is down, for example no services are bound to it. You can then use the Protection features of that vServer, in particular the “Redirect URL” or “Backup Virtual Server” options.
Ray
December 5, 2018
Without a Vserver being up I meant.
Clinton
January 16, 2019
Hiya, is it possible to use Netscaler to do a 301 redirect from my .co.uk web interface to the .com address both sites use certificates. Users currently use the .co.uk address internally and externally. I’ve enabled MFA on my .com address. I would like to redirect all external users from the .co.uk to the .com address.
George Spiers
January 23, 2019
Yes you could use a Responder policy for that.
ric
February 2, 2019
Hi George,
We are trying to do two things.
1) Is it possible to remove Network Access choice from SSL VPN choice page with rewrite policy?
What we are trying to do, we just want users to see only Client Less option.
2) If above scenario is not possible then can we do something so user will default to Client less choice only.
Ric
George Spiers
February 3, 2019
Hello – Within your Session Profile uncheck “Client Choices” and set Clientless Access to ON.
Shekhar
March 14, 2019
Hi George,
Is it possible to redirect a NS Gateway URL for a specific subnet of users
we have a requirement to have a set of users to launch a different gateway and all other users hitting in the existing URL should not be affected
George Spiers
March 15, 2019
If the requirement is to have completely separate Gateway vServers, you would need to have an extra URL for specific users which points to the VIP of a second Gateway.
If users can go to the same Gateway but need to be directed to different StoreFront for example, that is easy to achieve by split Session Policies.
GSLB is another option but is likely overkill for what you want to achieve.
Sami
July 17, 2019
Need help for webdispatcher sap..
Loki
May 6, 2020
How do I write a rewrite policy for CSP for one specific url?
Stephan Hardtmann
June 23, 2020
Great Article. Good job!
I’ve got a challenge which I can’t get solved.
I try to create a responder policy like you but:
Old URL:
https://oldurl.com/subpath /additionally dynamic paths
replace with new URL:
https://newurl.com /additionally dynamic paths
do you have any idea?
Thanks a lot.
Andrea Gennari
December 28, 2021
Hi, I found this article very interesting. I have a similar problem.
I would like to replace the url "https://mysite.com/something" with "https://mysite.com:444".
Is it possible? Following the steps on the article it doesn’t work. Is there another way?