Advertisements

Customize AGEE logon page for NetScaler 10.1 via Rewrite policies

While migrating to Access Gateway on the NetScaler 10.1.  I noticed the rewrite policies I implemented on 9.3 did not work.

While this can be done with some HTML customization, etc, and/or creating your own NetScaler theme, I just wanted to change the logon page by NetScaler Rewrite Policies.

Below are the policies that will allow you to do this.

Environment

  • MPX 8200 NetScaler 10.1: Build 122.17.nc
  • Web Interface 5.3 (Can’t deploy StoreFront here due to custom code we use)

Issue:

When two factor authentication is configured on Access Gateway Enterprise Edition, the user is prompted for User name, Password 1, and Password 2

agee_no_active_pol

The issue  seems to be due to change in the ‘ns_showpwd’ function on login.js under /var/netscaler/gui/vpn/ as it has been updated from 9.3

ns_showpwd function

ns_showpwd on Login.js

 

 

Solution:

1. Create the following actions under “Rewrite/Actions” with putty (no need to go under shell mode)

Rewrite Actions:

add rewrite action AD_agee_delete_rewrite_action delete_all “http.RES.BODY(120000).SET_TEXT_MODE(ignorecase)” -pattern “document.write(\’ 1\’);” -bypassSafetyCheck YES

add rewrite action AD_agee_replace_rewrite_action replace_all “http.RES.BODY(120000).SET_TEXT_MODE(ignorecase)” “\”AD Password\’\”” -pattern “\”Password\”” -bypassSafetyCheck YES -refineSearch q/extend(50,50).REGEX_SELECT(re!e![ ]*\'[ ]*\+[ ]*_\(\”Password\”\)[ ]*!)/

add rewrite action RSA_agee_replace_rewrite_action replace_all “http.RES.BODY(120000).SET_TEXT_MODE(ignorecase)” “\”RSA Code:\’\”” -pattern “\”Password2\”” -bypassSafetyCheck YES -refineSearch q/extend(50,50).REGEX_SELECT(re![ ]*\'[ ]*\+[ ]*_\(\”Password2\”\)[ ]*!)/

Rewrite Policies:

add rewrite policy AD_agee_rewrite_pol “http.req.url.path.endswith(\”vpn/login.js\”)” AD_agee_replace_rewrite_action

add rewrite policy RSA_agee_rewrite_pol “http.req.url.path.endswith(\”vpn/login.js\”)” RSA_agee_replace_rewrite_action

add rewrite policy AD_agee_delete_pol “http.req.url.path.endswith(\”vpn/login.js\”)” AD_agee_delete_rewrite_action

Bind the policies:

bind rewrite global AD_agee_rewrite_pol 100 NEXT -type RES_OVERRIDE

bind rewrite global RSA_agee_rewrite_pol 110 NEXT -type RES_OVERRIDE

bind rewrite global AD_agee_delete_pol 120 NEXT -type RES_OVERRIDE

Result:

Responder Policy AGEE 10.1

Responder Policy AGEE 10.1

Advertisements