Did you know that you can configure NetScaler so users don’t have to type in the https:// when going to StoreFront or the NetScaler Gateway URLs?
More often than not, this is accomplished with a crude method: a port 80 HTTP Virtual Server is configured on the same IP as the HTTPS site, and the Redirect URL field in the Protection section of the Virtual Server is set. While this works just fine, it unfortunately also leaves a permanently Down Virtual Server in the Load Balancing screen.
Good news though, there is a better way to configure the redirection that renders all of the Virtual Servers as Up by using Responder Policies.
If you own a NetScaler VPX10 or above (MPX and SDX included), regardless of edition, you have a license for Responder Policies.
First, here are 4-5 Responder Policy Actions that should always be used when deploying XenApp/XenDesktop 7.X that involves Citrix StoreFront, Director and the NetScaler Gateway. In the steps below, I’ll cover the Actions for each.
StoreFront non-secure to secure redirection and StoreFront secure to secure redirection with the site path defined will use the same Action. The Action is:
"https://"+HTTP.REQ.HOSTNAME+"/Citrix/StoreWeb/"
Make sure to change the word Store with your StoreName as defined when you configured StoreFront.
For NetScaler Gateway non-secure to secure redirection, the Action is:
"https://"+HTTP.REQ.HOSTNAME+"/vpn/index.html"
If you are using a different page than the default index.html, you will need to adjust the Action accordingly.
For Citrix Director non-secure to secure redirection (only if Director is running as secured) and Citrix Director secure to secure redirection or Director non-secure to non-secure with the site path defined, the Action is:
"https://"+HTTP.REQ.HOSTNAME+"/Director/"
Note: If you are not securing Citrix Director, remove the “s” from “https”.
For StoreFront non-secure to secure redirection, the expression is:
CLIENT.TCP.DSTPORT.EQ(80) && HTTP.REQ.HOSTNAME.CONTAINS("storefront.domain.com")
Make sure you change storefront.domain.com to the StoreFront URL in your configuration to bind it to the StoreFront Responder Action.
For StoreFront secure to secure redirection with the site path defined, the expression is:
HTTP.REQ.URL.EQ("/") && HTTP.REQ.HOSTNAME.CONTAINS("storefront.domain.com")
Make sure you change storefront.domain.com to the StoreFront URL in your configuration to bind it to the StoreFront Responder Action.
A. Click the plus sign to the right of Policies. In the drop down, click Responder.
B. Choose the Responder Policy that we created in Step 2, and bind it at any priority.
A. Create a Server for load balancing, give it an appropriate name, and for the IP address I recommend something that does not cause an IP conflict, for instance 169.254.1.100.
B. Now we bind that to a service. Since we only want redirection, uncheck the health monitoring.
C. Bind the service to the virtual server you created above and test.
You can follow the steps above for all other services you want to redirect from http to https as well.
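The StoreFront case from the steps above, written as NetScaler CLI commands. This is an added example, not from the original post: the object names, the VIP 192.0.2.10, and the existing HTTPS Virtual Server vs_sf_https are placeholders. The last two commands are an added stricter variant. Because HTTP.REQ.HOSTNAME is taken from the client-supplied Host header and CONTAINS matches any value that includes the string, the variant uses an exact match and a fixed hostname in the redirect.

```text
# Added example; object names and the VIP 192.0.2.10 are placeholders.

# Steps A-C: placeholder server and service with health monitoring off,
# so the port 80 Virtual Server shows Up instead of Down.
add server srv_always_up 169.254.1.100
add service svc_always_up srv_always_up HTTP 80 -healthMonitor NO
add lb vserver vs_sf_http HTTP 192.0.2.10 80
bind lb vserver vs_sf_http svc_always_up

# The StoreFront Action from this page, shared by both StoreFront policies.
add responder action act_sf_https redirect "\"https://\"+HTTP.REQ.HOSTNAME+\"/Citrix/StoreWeb/\""

# The two StoreFront expressions from this page.
add responder policy pol_sf_http_to_https "CLIENT.TCP.DSTPORT.EQ(80) && HTTP.REQ.HOSTNAME.CONTAINS(\"storefront.domain.com\")" act_sf_https
add responder policy pol_sf_root_to_store "HTTP.REQ.URL.EQ(\"/\") && HTTP.REQ.HOSTNAME.CONTAINS(\"storefront.domain.com\")" act_sf_https

# Bind each policy to its Virtual Server (vs_sf_https is assumed to be the
# existing StoreFront HTTPS load balancing Virtual Server).
bind lb vserver vs_sf_http -policyName pol_sf_http_to_https -priority 100 -gotoPriorityExpression END -type REQUEST
bind lb vserver vs_sf_https -policyName pol_sf_root_to_store -priority 100 -gotoPriorityExpression END -type REQUEST

# Stricter variant (an addition to the page): exact hostname match, and a
# fixed hostname in the Location header instead of the request's Host value.
add responder action act_sf_https_fixed redirect "\"https://storefront.domain.com/Citrix/StoreWeb/\""
add responder policy pol_sf_http_strict "CLIENT.TCP.DSTPORT.EQ(80) && HTTP.REQ.HOSTNAME.EQ(\"storefront.domain.com\")" act_sf_https_fixed
```

If you use the stricter variant, bind pol_sf_http_strict to the port 80 Virtual Server in place of pol_sf_http_to_https.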
Here are the additional Responder Policies and Actions for StoreFront, Director and NetScaler Gateway that will need to be bound to their respective virtual servers. For StoreFront and Director, the multiple Responder policies are bound to the same action.
StoreFront
Responder Policy for https to https with Store Path:
HTTP.REQ.URL.EQ("/") && HTTP.REQ.HOSTNAME.CONTAINS("storefront.domain.com")
NetScaler Gateway
Responder Policy for http to https redirection:
CLIENT.TCP.DSTPORT.EQ(80) && HTTP.REQ.HOSTNAME.CONTAINS("netscalergateway.domain.com")
Responder Action:
"https://"+HTTP.REQ.HOSTNAME+"/vpn/index.html"
Citrix Director
Responder Policy for http to https:
CLIENT.TCP.DSTPORT.EQ(80) && HTTP.REQ.HOSTNAME.CONTAINS("director.domain.com")
Responder Policy for https to https with Director path:
HTTP.REQ.URL.EQ("/") && HTTP.REQ.HOSTNAME.CONTAINS("director.domain.com")
Responder Action:
"https://"+HTTP.REQ.HOSTNAME+"/director"