Did you know that you can configure NetScaler so users don’t have to type in the https:// when going to StoreFront or the NetScaler Gateway URLs?
More often than not, this is accomplished using a crude method in which a port 80 HTTP Virtual Server is configured on the same IP as the HTTPS site and the Redirect URL field in the Protection section of the Virtual Server is set. While this works just fine, it unfortunately also leaves a permanently Down Virtual Server in the Load Balancing screen.
Good news though, there is a better way to configure the redirection that renders all of the Virtual Servers as Up by using Responder Policies.
If you own a NetScaler VPX10 and above (MPX and SDX included), regardless of which edition, you have a license for Responder Policies.
First, here are 4-5 Responder Policy Actions that should always be used when deploying XenApp/XenDesktop 7.X that involves Citrix StoreFront, Director and the NetScaler Gateway. In the steps below, I’ll cover the Actions for each.
- StoreFront non-secure to secure redirection.
- StoreFront secure to secure redirection with the site path defined.
- NetScaler Gateway non-secure to secure redirection.
- Citrix Director non-secure to secure redirection (only if Director is running as secured).
- Citrix Director secure to secure redirection or non-secure to non-secure with the site path defined.
Prerequisites:
- Enable the Responder section under App Expert.
- Know the IP addresses of your NetScaler Gateway, StoreFront and Director virtual servers.
- If doing this for both Director and StoreFront, there will need to be separate IP addresses even though they may both be installed on the same server.
Steps:
- First, create Responder Actions, as these need to be bound to the Responder Policies. (The number of Responder Actions will be less than the number of Responder Policies, as we can reuse ones for the same purpose.)
StoreFront non-secure to secure redirection and StoreFront secure to secure redirection with the site path defined will use the same Action. The Action is:
"https://"+HTTP.REQ.HOSTNAME+"/Citrix/StoreWeb/"
Make sure to replace the word Store with your StoreName as defined when you configured StoreFront.
For NetScaler Gateway non-secure to secure redirection, the Action is:
"https://"+HTTP.REQ.HOSTNAME+"/vpn/index.html"
If you are using a different page than the default index.html, you will need to adjust the Action accordingly.
For Citrix Director non-secure to secure redirection (only if Director is running as secured) and Citrix Director secure to secure redirection or Director non-secure to non-secure with the site path defined, the Action is:
"https://"+HTTP.REQ.HOSTNAME+"/Director/"
Note: If you are not securing Citrix Director, remove the “s” from “https”.
- After setting up the Responder Actions, we need to set up Responder Policies and bind them to the Responder Actions.
For StoreFront non-secure to secure redirection, the expression is:
CLIENT.TCP.DSTPORT.EQ(80) && HTTP.REQ.HOSTNAME.CONTAINS("storefront.domain.com")
Make sure you change storefront.domain.com to the StoreFront URL in your configuration, and bind the policy to the StoreFront Responder Action.
For StoreFront secure to secure redirection with the site path defined, the expression is:
HTTP.REQ.URL.EQ("/") && HTTP.REQ.HOSTNAME.CONTAINS("storefront.domain.com")
Make sure you change storefront.domain.com to the StoreFront URL in your configuration, and bind the policy to the StoreFront Responder Action.
- Next we will edit/create the virtual server for StoreFront load balancing on port 80 using HTTP as the protocol:
A. Click the plus sign to the right of Policies. In the drop down, click Responder.
B. Choose the Responder Policy that we created in Step 2, and bind it at any priority.
- In order for the Responder Policy to work, the virtual server needs to be up. Since we don’t want users reaching the web page over http, we can just blindly redirect them using services that are not health checked.
A. Create a Server for load balancing, give it an appropriate name, and for the IP address I recommend something that does not cause an IP conflict, for instance 169.254.1.100.
B. Now we bind that to a service. Since we only want redirection, uncheck the health monitoring.
C. Bind the service to the virtual server you created above and test.
You can follow the steps above for all other services you want to redirect from http to https as well.
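The StoreFront steps above expressed as NetScaler CLI commands, as an added example that is not from the original article. All object names, the existing SSL virtual server vs_sf_https and the 192.0.2.10 VIP are placeholders. The commented-out policy is a stricter variant using an exact host match, since CONTAINS is a substring test and the Action copies the request's Host value into the redirect.

```netscaler
# Added example. Object names and the VIP 192.0.2.10 are placeholders
# (assumptions), not values from the article.
enable ns feature RESPONDER

# One Responder Action, reused by both StoreFront policies.
# Replace "Store" with your own store name.
add responder action act_sf_store redirect "\"https://\"+HTTP.REQ.HOSTNAME+\"/Citrix/StoreWeb/\""

# Policies with the expressions exactly as given in the article.
add responder policy pol_sf_http_to_https "CLIENT.TCP.DSTPORT.EQ(80) && HTTP.REQ.HOSTNAME.CONTAINS(\"storefront.domain.com\")" act_sf_store
add responder policy pol_sf_root_to_store "HTTP.REQ.URL.EQ(\"/\") && HTTP.REQ.HOSTNAME.CONTAINS(\"storefront.domain.com\")" act_sf_store

# Stricter variant (assumption, not from the article): EQ matches the whole
# host name, so a Host value that merely contains the expected name is not
# redirected. Use it in place of the first policy above.
# add responder policy pol_sf_http_to_https "CLIENT.TCP.DSTPORT.EQ(80) && HTTP.REQ.HOSTNAME.EQ(\"storefront.domain.com\")" act_sf_store

# Placeholder backend that is never health checked, so the port 80
# virtual server always shows as Up.
add server srv_redirect_only 169.254.1.100
add service svc_redirect_only srv_redirect_only HTTP 80 -healthMonitor NO

# Port 80 virtual server on the same IP as the HTTPS StoreFront site.
add lb vserver vs_sf_http HTTP 192.0.2.10 80
bind lb vserver vs_sf_http svc_redirect_only
bind lb vserver vs_sf_http -policyName pol_sf_http_to_https -priority 100 -gotoPriorityExpression END -type REQUEST

# Root-path redirect on the existing HTTPS virtual server (name assumed).
bind lb vserver vs_sf_https -policyName pol_sf_root_to_store -priority 100 -gotoPriorityExpression END -type REQUEST
```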
Here are the additional Responder Policies and Actions for StoreFront, Director and NetScaler Gateway that will need to be bound to their respective virtual servers. For StoreFront and Director, the multiple Responder Policies are bound to the same Action.
StoreFront
Responder Policy for https to https with Store Path:
HTTP.REQ.URL.EQ("/") && HTTP.REQ.HOSTNAME.CONTAINS("storefront.domain.com")
NetScaler Gateway
Responder Policy for http to https redirection:
CLIENT.TCP.DSTPORT.EQ(80) && HTTP.REQ.HOSTNAME.CONTAINS("netscalergateway.domain.com")
Responder Action:
"https://"+HTTP.REQ.HOSTNAME+"/vpn/index.html"
Citrix Director
Responder Policy for http to https:
CLIENT.TCP.DSTPORT.EQ(80) && HTTP.REQ.HOSTNAME.CONTAINS("director.domain.com")
Responder Policy for https to https with Director path:
HTTP.REQ.URL.EQ("/") && HTTP.REQ.HOSTNAME.CONTAINS("director.domain.com")
Responder Action:
"https://"+HTTP.REQ.HOSTNAME+"/director"