Bypass Client Choices on NetScaler Unified Gateway

It’s been a while since I posted something new.  Lately I been primarily working with Cisco and Nutanix related techs, but now getting back to my good old Citrix roots (Forgot how fun it actually is).

Been working on a new deployment of the Citrix NetScaler Unified Gateway, which c’mon that is just a marketing name, technically it is nothing more than some pretty good Content Switching policies and actions, but lets not get into that 🙂

By the way I am actually in the middle of creating a post on how to deploy Unified Gateway, and integrating it with OWA, StoreFront 3.8 including customization code, ShareFile with on-prem storage, and a good old intranet/internal sites so we see how SSO works as part of the deployment.  So look for that in the coming weeks.

Now before we get started.  Watch out for the NetScaler build you are running!  I ran into a bug which actually made the primary NetScaler crash (not a fun event to have to explain to management)

This darn bug in technical terms, crashed at a content switch bind (cs_state_bind) which our friends at Citrix confirmed they have seen this in earlier builds while binding a CS action to VPN vServer (ZeroIP).  Meaning, that I was binding a Responder policy/action to a NetScaler Gateway with a ZeroIP, which is exactly what a content switch Netscaler Gateway actually is.  Thought it was pretty amusing.


This bug is has been fixed from 11.0 Build 64.x and later, and 11.1.  In my case I was running NS11.0

Ok.  Lets get started.

  • Create your Unified Gateway config (blog post coming soon)
  • Once you verify things are working, go ahead and connect to the new portal01_auth_screen
  • By default after you authenticate, you get prompted with the Client Choices options page, this will confuse the hell out of your users.  So lets get rid of this!02_user_choices.png
  • My goal was to select all client traffic to automatically get routed to the “Clientless Access” option without anyone clicking on it.03_ug_portal.png
  • To accomplish this you simply need to create the following Responder action, and policy, then finally bind it to the NetScaler Gateway Content Switch the Unified Gateway config creates.
  • Here it goes:
    • Create a Responder action based on the URL your users will be connecting to
    • add responder action ug_redirect_ac redirect “\”\”” -responseStatusCode 302

    • Create a Responder policy, notice it is looking for that choices.html page
    • add responder policy ug_redirect_pol “HTTP.REQ.HOSTNAME.EQ(\”\”) && HTTP.REQ.URL.CONTAINS(\”vpns/choices.html\”)” ug_redirect_ac

    • Bind the Responder policy to the NetScaler Gateway the UG config creates.  In my case it is called UG_VPN_ug_gtw_dmz
    • bind vpn vserver UG_VPN_ug_gtw_dmz -policy ug_redirect_pol -priority 100 -gotoPriorityExpression END -type REQUEST

Once the policy is binded, users will simply be redirected to the “Clientless Access” portion of the site without being prompted to select VPN, Clientless Access, or good old StoreFront/Web Interface

That is it! Hope this helps!  Cheers :)


I do not accept any responsibility or liability for the accuracy, content, completeness, legality, or reliability of the information contained on this website







About CyberRuiz
Highly motivated with over 12 years experience on Citrix/VMWare/Microsoft/technologies. Exceptional communication skills and team player. CCIA – Citrix Certified Integration Architect. CCEA – Citrix Certified Enterprise Administrator. VCP – VMWare Certified Professional in ESX 2.x, VI3, VI4 MCSE – Microsoft Certified Systems Engineer

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: