Customize AGEE logon page for NetScaler 10.1 via Rewrite policies

While migrating to Access Gateway on NetScaler 10.1, I noticed the rewrite policies I implemented on 9.3 did not work.

While this can be done with some HTML customization, etc, and/or creating your own NetScaler theme, I just wanted to change the logon page by NetScaler Rewrite Policies.

Below are the policies that will allow you to do this.


  • MPX 8200 NetScaler 10.1: Build
  • Web Interface 5.3 (Can’t deploy StoreFront here due to custom code we use)


When two-factor authentication is configured on Access Gateway Enterprise Edition, the user is prompted for User name, Password 1, and Password 2.


The issue seems to be due to a change in the ‘ns_showpwd’ function in login.js under /var/netscaler/gui/vpn/, which has been updated since 9.3.

ns_showpwd function

ns_showpwd on Login.js




1. Create the following actions under “Rewrite/Actions” with PuTTY (no need to go into shell mode).

Rewrite Actions:

add rewrite action AD_agee_delete_rewrite_action delete_all "http.RES.BODY(120000).SET_TEXT_MODE(ignorecase)" -pattern "document.write(\' 1\');" -bypassSafetyCheck YES

add rewrite action AD_agee_replace_rewrite_action replace_all "http.RES.BODY(120000).SET_TEXT_MODE(ignorecase)" "\"AD Password\'\"" -pattern "\"Password\"" -bypassSafetyCheck YES -refineSearch q/extend(50,50).REGEX_SELECT(re![ ]*\'[ ]*\+[ ]*_\(\"Password\"\)[ ]*!)/

add rewrite action RSA_agee_replace_rewrite_action replace_all "http.RES.BODY(120000).SET_TEXT_MODE(ignorecase)" "\"RSA Code:\'\"" -pattern "\"Password2\"" -bypassSafetyCheck YES -refineSearch q/extend(50,50).REGEX_SELECT(re![ ]*\'[ ]*\+[ ]*_\(\"Password2\"\)[ ]*!)/

Rewrite Policies:

add rewrite policy AD_agee_rewrite_pol "http.req.url.path.endswith(\"vpn/login.js\")" AD_agee_replace_rewrite_action

add rewrite policy RSA_agee_rewrite_pol "http.req.url.path.endswith(\"vpn/login.js\")" RSA_agee_replace_rewrite_action

add rewrite policy AD_agee_delete_pol "http.req.url.path.endswith(\"vpn/login.js\")" AD_agee_delete_rewrite_action

Bind the policies:

bind rewrite global AD_agee_rewrite_pol 100 NEXT -type RES_OVERRIDE

bind rewrite global RSA_agee_rewrite_pol 110 NEXT -type RES_OVERRIDE

bind rewrite global AD_agee_delete_pol 120 NEXT -type RES_OVERRIDE
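
Commands copied from a web page can arrive with typographic quotes, dashes or non-breaking spaces in place of the ASCII characters the NetScaler CLI expects. The following pre-paste check is an added example, not part of the original post; the function names are hypothetical and the sample line is one of the policy commands with curly quotes substituted, constructed for illustration.

```python
import re

# Typographic characters that web pages commonly substitute for ASCII ones.
SMART = {
    "\u201c": '"', "\u201d": '"', "\u201e": '"',   # curly double quotes
    "\u2018": "'", "\u2019": "'", "\u201a": "'",   # curly single quotes
    "\u2013": "-", "\u2014": "-",                  # en/em dash in front of flags
    "\u00a0": " ",                                 # non-breaking space
}

def normalize(line):
    """Return the line with typographic quotes, dashes and NBSP made ASCII."""
    return "".join(SMART.get(ch, ch) for ch in line)

def check(line):
    """Return a list of problems in one CLI line (empty list means clean)."""
    problems = []
    bad = sorted({ch for ch in line if ord(ch) > 127})
    if bad:
        problems.append("non-ASCII: " + " ".join("U+%04X" % ord(c) for c in bad))
    # Double quotes that are not backslash-escaped delimit strings and must pair up.
    if len(re.findall(r'(?<!\\)"', line)) % 2:
        problems.append("unbalanced double quotes")
    return problems

def prepare(text):
    """Normalize every non-empty line; return (clean_lines, {line_no: problems})."""
    clean, report = [], {}
    for no, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        fixed = normalize(raw.strip())
        left = check(fixed)
        if left:
            report[no] = left      # still broken after normalization: fix by hand
        clean.append(fixed)
    return clean, report

# Constructed sample: a policy command as a browser might paste it.
PASTED = ("add rewrite policy AD_agee_rewrite_pol "
          "\u201chttp.req.url.path.endswith(\\\u201dvpn/login.js\\\u201d)\u201d "
          "AD_agee_replace_rewrite_action")

if __name__ == "__main__":
    print("before:", check(PASTED))
    lines, report = prepare(PASTED)
    print("after: ", report or "clean")
    print(lines[0])
```

Anything still listed in the report after normalization needs to be retyped by hand before it goes into the PuTTY session.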


Responder Policy AGEE 10.1


About CyberRuiz
Highly motivated with over 12 years experience on Citrix/VMWare/Microsoft/technologies. Exceptional communication skills and team player. CCIA – Citrix Certified Integration Architect. CCEA – Citrix Certified Enterprise Administrator. VCP – VMWare Certified Professional in ESX 2.x, VI3, VI4 MCSE – Microsoft Certified Systems Engineer

7 Responses to Customize AGEE logon page for NetScaler 10.1 via Rewrite policies

  1. Javier Citrix Guru says:

    This honestly just saved my @$$

    Thank you Daniel!!!

  2. Karl says:

    I’m getting a syntax error for the expression in the -refineSearch parameter. I dropped this part, and added the rewrite action via putty. Then I went into the GUI and pasted:

    q/extend(50,50).REGEX_SELECT(re!e![ ]*\'[ ]*\+[ ]*_\(\”Password\”\)[ ]*!)/

    Get a syntax error in the GUI as well. Any help?

    Thanks for this post. It is exactly what I need to do.

    • CyberRuiz says:

      Thanks for visiting my blog.
      I assume you are referring to the “AD_agee_replace_rewrite_action”?
      If so, if you create it manually, type the following under “Refine Search”:

      extend(50,50).REGEX_SELECT(re![ ]*\'[ ]*\+[ ]*_\(\"Password\"\)[ ]*!)

  3. Shane says:

    Great write up. Seeing my policy hits increase but the wording on the screen hasn’t changed. Running if that makes a difference. The one thing that I had a problem with in your site was copying the code, it was pasting in special character formatting. So I just typed it all. But still, I’ve gone through and it all matches.
