NetScaler Unified Gateway / SSO with Citrix StoreFront 3.9 and Client Access Mode

Been working on deploying the NetScaler Unified Gateway for the last few weeks. Our goal is to simply create a unified page to access internal resources such as Outlook Web Access, Intranet, ShareFile, as well as XenApp/XenDesktop resources running on the new version of Citrix StoreFront 3.9.  As a side note, I will be posting my customization code on StoreFront 3.9 in the coming weeks.

First let me discuss (again) about an issue I noticed with version of NetScaler NS11.0 running when working with Content Switches and ZeroIP NetScaler Gateways.

I ran into a bug that crashed at a content switch bind (cs_state_bind) which our friends at Citrix confirmed they have seen this in earlier builds while binding a CS action to VPN vServer (ZeroIP).  Meaning, that I was binding a profile policy/action to a NetScaler Gateway with a ZeroIP, which is exactly what a content switch Netscaler Gateway actually is.

This bug is has been fixed from 11.0 Build 64.x and later, and 11.1.  In my case I upgraded to the now latest version of 11.0 70.12nc.

Lets get started:

On your StoreFront server, make sure that the Enable Remote Access setting for the store is set to No VPN or Full VPN tunnel


In the web.config file, located in drive:/inetpub/wwwroot/citrix/storeweb, make sure to set X-Frame-Options to allow and Content-Security-Policy to frame-ancestors ‘self‘. You will see 3 entries for this.  Make sure you change them all.  This will allow the page to come up with all browsers including IE.  Once the changes are made, simply reset IIS or reboot your SF server(s)


On the NetScaler Session Profile the following settings are required:


  • On the Client Experience tab:
    Clientless Access = ON
    Single Sign-on to Web Applications = Checked
    Credentials Index = Primary

    On the Security tab:
    Default Authorization Action = Allow

    On the Published Applications tab:
    ICA Proxy = OFF
    Web Interface Address = https://serverFQDN/Citrix/StoreWeb (StoreWeb is the actual store name).
    Single Sign-on Domain = Configured


Make sure you use the FQDN link to your storefront server.  You can run into an issue within Clientless Access mode not displaying the Storefront Server page if you configure to an IP.


Once changed to FQDN the page displayed successfully (Ex:


This is a sample of the session profile I manually created and binded to the session policy the UG Wizard created.

add vpn sessionAction UG_VPN_SAct_dmz -defaultAuthorizationAction ALLOW -SSO ON -windowsAutoLogon ON -wihome “” -wiPortalMode COMPACT -ClientChoices ON -ntDomain name_of_domain -clientlessVpnMode ON -emailHome “”

Optionally, you can bypass the Client Choices option on NetScaler Unified Gateway with a Responder policy.  This way users wont have to click on the Client Access option, but instead be redirected to it after user log on.


To do this:

Create a Responder action based on the URL your users will be connecting to

add responder action ug_redirect_ac redirect “\”\”” -responseStatusCode 302

Create a Responder policy, notice it is looking for that choices.html page


add responder policy ug_redirect_pol “HTTP.REQ.HOSTNAME.EQ(\”\”) && HTTP.REQ.URL.CONTAINS(\”vpns/choices.html\”)” ug_redirect_ac

Bind the Responder policy to the NetScaler Gateway the UG config creates.  In my case it is called UG_VPN_ug_gtw_dmz


bind vpn vserver UG_VPN_ug_gtw_dmz -policy ug_redirect_pol -priority 100 -gotoPriorityExpression END -type REQUEST

Once the policy is binded, users will simply be redirected to the “Clientless Access” portion of the site without being prompted to select VPN, Clientless Access, or good old StoreFront/Web Interface

That is it! Hope this helps!  Cheers :)


I do not accept any responsibility or liability for the accuracy, content, completeness, legality, or reliability of the information contained on this website.


NetScaler Gateway 11 footer customization

Ran into difficulties customizing a new NetScaler 11 Gateway.  Although I was happy to finally be able to apply themes per NetScaler Gateway vServer, I quickly saw that this new option presents new challenges if you are looking to customize beyond what the themes allow.

Our goal was to add footer information on the front page in order to provide Help Desk contact info, a Citrix Receiver download link and the RSA Self Service portal.   With NS 11, the problem is that the index.html file is no longer constructed the same as it was with 10.x.

Lets understand this a bit more.

With NetScaler Gateway 11, the logon form and pretty much the entire index.html body, is generated by 2 javascript files (gateway_login_view.js and gateway_login_form_view.js).

  1. gateway_login_view.js – creates the body and tables for the actual form
  2. gateway_login_form_view.js – creates the form itself, username and password fields, domain dropdown box, etc.

This naturally creates a headache if you are use to working with the 10.x firmware.  As with 10.x you can accomplish most of the customization by directly modifying the index.html file, and creating a custom global policy user interface.  On the other hand, this presented a challenge if you had to run multiple Gateway vServers  with a custom UI, and you had to get pretty creative on how to overcome  it.

For NS 11, I read a post where someone was struggling with a similar situation, luckily it pointed me in the right direction.  The post suggested to modify or create a new gateway_login_view.js  and/or gateway_login_form_view.js (you can read the post here).  

Rather than modifying existing code or creating new files then having to deal with responder policies, etc.  I figure I try to do this via the NetScaler Rewrite Policies and Actions to make it look something like the picture below.



  • Citrix NetsScaler 11.0Build
  • StoreFront 3.0
  • RSA 8.1

Let’s get started.

  1. Add links at the bottom of the authentication page, unfortunately rewrite actions have a 255 character limit which you can easily bypass by adding “+” to the expression. Click here to view/download the syntax as WordPress messes with it.

2. Enable the EULA box by default:

add rewrite action ns_gtw_eula_checked_action replace_all “http.RES.BODY(120000).SET_TEXT_MODE(ignorecase)” “\”type=\’checkbox\’ checked\”” -pattern “type=\’checkbox\'”
add rewrite policy ns_gtw_eula_checked_pol “HTTP.REQ.URL.CONTAINS(\”gateway_login_form_view.js\”)” ns_gtw_eula_checked_action
bind vpn vserver portal_netscaler -policy ns_gtw_eula_checked_pol -priority 110 -gotoPriorityExpression NEXT -type RESPONSE

3. Enable the Logon Button by default:

add rewrite action ns_gtw_LogonAutoEnable_rw_act replace_all “http.RES.BODY(120000).SET_TEXT_MODE(ignorecase)” “\”\’disabled\’:\’\’\”” -pattern “\’disabled\’:\’disabled\'”
add rewrite policy ns_gtw_LogonAutoEnable_rw_pol “HTTP.REQ.URL.CONTAINS(\”gateway_login_form_view.js\”)” ns_gtw_LogonAutoEnable_rw_act
bind vpn vserver portal_netscaler -policy ns_gtw_LogonAutoEnable_rw_pol -priority 120 -gotoPriorityExpression END -type RESPONSE

Hope this helps 🙂


I do not accept any responsibility or liability for the accuracy, content, completeness, legality, or reliability of the information contained on this website.

Customizing Citrix NetScaler Gateway 10.5 logon page with Dual Factor Authentication

Following up on my instructions on how to Customize the new version of Citrix StoreFront 2.6.  Below is how you can create your own Citrix NetScaler Gateway customization package , and ensure your changes are not lost when the appliance is rebooted.


  • Windows 2008 R2
  • Citrix XenApp 6.5 Hotfix Rollup Pack 2
  • PVS 6.1.16
  • StoreFront 2.6
  • Citrix NetsScaler 10.5: Build
  • RSA for dual factor

Now in my case, we are utilizing RADIUS for secondary authentication.  After creating the AGEE site, make sure the site is set to “Green Bubble” under “NetScaler” “Global Settings” Change Global Settings” , then head over to the “Client Experience” Tab, and select “Green Bubble” under the “UI Theme”

Once complete, your site will look something similar to the picture below.



Now lets customize the following

  • Logo
  • First Authentication box
  • Second Authentication box
  • Fix Compatibility issues with Internet Explorer 11

Solution: (Connect to your NetScaler via WinSCP)

1. Copy the vpn folder from /var/netscaler/gui/ to your local desktop

2.  Edit “login.js” under /var/netscaler/gui/vpn to fix the “Password 1” entry

Around line 93


if ( pwc == 2 ) { document.write(‘ 1’); }


if ( pwc == 2 ) { document.write(‘ ’); }

3. Upload your company logo under under /var/netscaler/gui/vpn/media

4. Update “ctxs.authentication.css” under /var/netscaler/gui/vpn/css to update your logo and height and width where the logo will be placed

In my case, our company logo was bigger than the logo provided by Citrix. So I needed to modify the height and the width.

Around line 210

background-image: url(“../media/company_logo.png”);
border: 0 none;
float: right;
height: 48px;
position: absolute;
right: 71%;
top: 80px;
width: 273px;

5. Update “en.xml” under /var/netscaler/gui/vpn/resources  to change “Password 2:” for the secondary authentication box

Around line 83:


<String id=”Password2″>Password 2:</String>


<String id=”Password2″>RSA Code:</String>

6. Fix the Internet Explorer 11 compatibility issue, the quick fix is to tell IE11 to use  compatibility mode, however you can force the NetScaler page to emulate IE v.9, you can read more about this under


Edit index.html under /var/netscaler/gui/vpn

Under line 4 place

<META http-equiv=”X-UA-Compatible” content=”IE=EmulateIE9″ />


7. Upload your modified files and logo


8. Head over to your site and make any corrections.  once you are happy with the results, create your custom package

Open Putty and log in as nsroot, then type (Note the name of the compressed file, this needs to match “customtheme.tar.gz“)

  • shell
  • mkdir /var/ns_gui_custom
  • cd /netscaler
  • tar -cvzf /var/ns_gui_custom/customtheme.tar.gz ns_gui/*

9. Now apply the package to your AGEE sites

  • In the configuration utility, under the Configuration tab, expand “NetScaler Gateway” and then click “Global Settings“.
  • In the details pane, under Settings, click Change global settings.
  • In Global NetScaler Gateway Settings, click the Client Experience tab.
  • Next to UI theme, click Custom and then click OK.



10. Reboot the NetScaler and you will notice your changes are intact.



Customize AGEE logon page for NetScaler 10.1 via Rewrite policies

While migrating to Access Gateway on the NetScaler 10.1.  I noticed the rewrite policies I implemented on 9.3 did not work.

While this can be done with some HTML customization, etc, and/or creating your own NetScaler theme, I just wanted to change the logon page by NetScaler Rewrite Policies.

Below are the policies that will allow you to do this.


  • MPX 8200 NetScaler 10.1: Build
  • Web Interface 5.3 (Can’t deploy StoreFront here due to custom code we use)


When two factor authentication is configured on Access Gateway Enterprise Edition, the user is prompted for User name, Password 1, and Password 2


The issue  seems to be due to change in the ‘ns_showpwd’ function on login.js under /var/netscaler/gui/vpn/ as it has been updated from 9.3

ns_showpwd function

ns_showpwd on Login.js




1. Create the following actions under “Rewrite/Actions” with putty (no need to go under shell mode)

Rewrite Actions:

add rewrite action AD_agee_delete_rewrite_action delete_all “http.RES.BODY(120000).SET_TEXT_MODE(ignorecase)” -pattern “document.write(\’&nbsp;1\’);” -bypassSafetyCheck YES

add rewrite action AD_agee_replace_rewrite_action replace_all “http.RES.BODY(120000).SET_TEXT_MODE(ignorecase)” “\”AD Password\’\”” -pattern “\”Password\”” -bypassSafetyCheck YES -refineSearch q/extend(50,50).REGEX_SELECT(re!e![ ]*\'[ ]*\+[ ]*_\(\”Password\”\)[ ]*!)/

add rewrite action RSA_agee_replace_rewrite_action replace_all “http.RES.BODY(120000).SET_TEXT_MODE(ignorecase)” “\”RSA Code:\’\”” -pattern “\”Password2\”” -bypassSafetyCheck YES -refineSearch q/extend(50,50).REGEX_SELECT(re![ ]*\'[ ]*\+[ ]*_\(\”Password2\”\)[ ]*!)/

Rewrite Policies:

add rewrite policy AD_agee_rewrite_pol “http.req.url.path.endswith(\”vpn/login.js\”)” AD_agee_replace_rewrite_action

add rewrite policy RSA_agee_rewrite_pol “http.req.url.path.endswith(\”vpn/login.js\”)” RSA_agee_replace_rewrite_action

add rewrite policy AD_agee_delete_pol “http.req.url.path.endswith(\”vpn/login.js\”)” AD_agee_delete_rewrite_action

Bind the policies:

bind rewrite global AD_agee_rewrite_pol 100 NEXT -type RES_OVERRIDE

bind rewrite global RSA_agee_rewrite_pol 110 NEXT -type RES_OVERRIDE

bind rewrite global AD_agee_delete_pol 120 NEXT -type RES_OVERRIDE


Responder Policy AGEE 10.1

Responder Policy AGEE 10.1

Licensing your NetScaler AGEE nCore


  • MPX 7500 NetScaler 9.3 52.3nc
  • AGEE


Apply a new AGEE license on your NetScaler without the need to modify your NetScaler’s host name.


First lets understand the AGEE licensing feature and assume that you downloaded the Access Gateway platform license from your portal.

AGEE can run under two modes “Basic Mode” and “SmartAccess Mode”

Basic Mode:

Several Access Gateway features, such as full VPN functionality, EPA, Clientless Access, and SmartAccess, are unavailable, which means you can use this configuration if you are only utilizing a Citrix Web Interface once you authenticate to your AGEE portal, meaning your AGEE Authentication and Session Policies must point to a Citrix Web Interface server, pretty much making AGEE act as your good old Citrix Secure Gateway.

If you go this route and don’t need any of the advanced features, you will need to make sure your AG Platform license contains the entries below, you can read more about it on this article which will show you how to configure an Access Gateway Enterprise Edition Appliance with Unlimited ICA Connections

INCREMENT CAG_ICA_CCU CITRIX 2012.0922 permanent 10000 \

INCREMENT CAG_BASE_SERVER CITRIX 2012.0922 permanent 1 \

SmartAccess Mode:

This gives you features such as VPN functionality, EPA, Clientless Access, and SmartAccess control.

For example, in the environment I am working on now, I created two session policies, were I can filter specific AD groups and assign them to specific Session policies.

AD-GroupVPN which contains VPN SSL users, see both the Network Access icon for VPN SSL sessions, as well as the Citrix XenApp icon which redirects users to a Citrix Web Interface.  In addition I set up another group, lets call it AD-GroupWI which only redirects users to a Citrix Web Interface page once they authenticate.


Below is a screenshot where the modes are configured under your AGEE virtual server

License installation:

Lets license AGEE with a license file that contains a name other than the host name of the NetScaler

The traditional set up would look like this… you set your host and the license file to be the same

  • Connect to the Access Gateway Enterprise Edition appliance by using the serial cable or a Secure Shell (SSH) utility.
  • Log in to the appliance by using the nsroot credentials.
  • Run the following commands to set the Fully Qualified Domain Name (FQDN) for the appliance:
  • set ns hostName
  • save config
  • shell
  • echo hostname=\”\” > /nsconfig/rc.conf
  • Restart the appliance.

Now lets assume your license file is similar to the one below, and the hostname of your NetScaler is called NS

License File:

SERVER this_host HOSTNAME=anotherhost

INCREMENT CAG_ICA_CCU CITRIX 2012.0922 permanent 10000 \

INCREMENT CAG_BASE_SERVER CITRIX 2012.0922 permanent 1 \

When you access the GUI or CLI (sh license) you will notice that the total number of Access Gateway Users Allowed has the default value of 5, meaning you can have no more than 5 SSL connections to your AGEE site, user number six will get an SSL Error 38 when launching applications.



Edit the rc.conf file located under the /nsconfig/nsconf 

  • shell
  • echo hostname=\”anotherhost\” > /nsconfig/rc.conf

This will overwrite the rc.conf file with the hostname you have embedded in your license file

You can also do this with a program like FileZilla and edit the file directly over port 22



Once you are done, reboot the appliance… now if you are running nCore, you can do a Warm reboot vs a standard reboot

This new option, “-warm,” has been introduced for the “reboot” command. This option can be used only on NetScaler nCore appliances. When the “-warm” option is specified, the NetScaler restarts NetScaler specific functionality without restarting the appliance, reducing the time required to implement changes that would otherwise require a complete reboot of the NetScaler appliance.