Category Archives: NetScaler VPX

Updating password field names with multiple NetScaler Gateway virtual servers

Imagine a situation where you want to change your NetScaler Gateway’s logon page to include alternative prompts for the Username, Password 1 and Password 2 fields and need to update the language specific .XML files. This has been documented before, and isn’t too hard to figure out once you’ve found a couple of ‘How to’ guides on the Internet. However I have since come across a limitation in trying to apply the NetScaler’s new ‘Custom’ design template to several different NetScaler Gateway virtual servers at the same time, because essentially whilst you can define your own custom design it is automatically applied to all instances of the virtual server residing on the NetScaler – so if you define custom fields then you’ve defined them for all. This may not be a problem for some people, but what if the secondary authentication mechanism is an RSA token for one site, and a VASCO token for another? How do you go about configuring alternative sets of custom logon fields?

Most of the answers are already out there in one form or another, but I lacked one simple beginning to end description of the solution (I tried several alternate options including rewrite policies which didn’t quite work before I opted for this approach):

Background (NetScaler 10.5.x build)

The Citrix NetScaler VPN default logon page has already been modified in order to ask for ‘AD password’ and ‘VASCO token’ values instead of Password 1: and Password 2:, as detailed in http://support.citrix.com/article/CTX126206

This was achieved by editing index.html and login.js files in /var/netscaler/gui/vpn of the NS as per the Citrix article above. In addition, the resources path which holds the language based .XML files in /var/netscaler/gui/vpn/resources has been backed up into /var/customisations so that the /nsconfig/rc.netscaler file can copy them back into the correct location if they get overwritten or lost following reboot.

Contents of rc.netscaler file

cp /var/customisations/login.js.mod /netscaler/ns_gui/vpn/login.js
cp /var/customisations/en.xml.mod /netscaler/ns_gui/vpn/resources/en.xml
cp /var/customisations/de.xml.mod /netscaler/ns_gui/vpn/resources/de.xml
cp /var/customisations/es.xml.mod /netscaler/ns_gui/vpn/resources/es.xml
cp /var/customisations/fr.xml.mod /netscaler/ns_gui/vpn/resources/fr.xml

However, because these values apply globally there is an issue if a second NetScaler virtual server does not use a VASCO token as a secondary authentication mechanism. This causes the normal ‘Password’ entry box to be displayed as ‘VASCO token’. The only suitable workaround for this is to create a parallel set of logon files for each additional NS gateway virtual server and use a responder policy on the NS to redirect incoming requests for the index.html page of the VPN to a different file. In the following examples, I have created a second configuration for a ‘Training NetScaler’, abbreviated to TrainingNS throughout.

In summary,

Create separate login.js and index.html files for the alternate parameters, create a new /resources folder specifically for those and edit references within those before defining a responder action & policy in NS:

1. Copy existing login.js to loginTrainingNS.js
2. Copy existing index.html to indexTrainingNS.html
3. Create a new folder called /netscaler/ns_gui/vpn/resourcesTrainingNS and give it the same owner/group permissions as the /netscaler/ns_gui/vpn/resources folder (use WinSCP to define the permissions, right click Properties on the file)
4. Copy all of the .XML files from /netscaler/ns_gui/vpn/resources into the new folder
5. Edit the indexTraining.html file and make the following change to reflect the new location of the resource files

var Resources = new ResourceManager("resourcesTrainingNS/{lang}", "logon");

6. Edit the indexTrainingNS.html file and make the modifications described in CTX126206

7. Edit the individual .XML files in the new folder as per the explanation in CTX126206

AD Password:
TwoFactorAuth Password:

(this second option will not be used if only a primary authentication mechanism is defined)

8. When all of the file changes are complete, using https://support.citrix.com/article/CTX123736 as a guide, define the responder action and policy on the NS:

Create a responder action using the URL: “https://trainingns.lstraining.ads/vpn/indexTrainingNS.html”
Create a responder policy using the expression: HTTP.REQ.HOSTNAME.EQ(“trainingns.lstraining.ads”) && HTTP.REQ.URL.CONTAINS(“index.html”)
Bind the policy to the global defaults

8. Now when you launch the URL for the Training NetScaler it will redirect to the custom index.html file and load a separate logon.js and .xml resource files so that the logon box will be name differently.

In addition, the following article hints at an alternative resolution if the Responder feature cannot be licensed: http://www.carlstalhood.com/netscaler-gateway-virtual-server/#customize

NetScaler VPX virtual interfaces

I only just found out whilst playing with the NetScaler VPX that one of the two virtual interfaces that come in the template can be deleted in order to change the configuration. If you prefer to operate a single arm deployment (i.e. the same interface handles both public and private traffic) you can delete the virtual interface in VMware whilst the appliance is switched off, and then on starting the FreeBSD OS will configure itself with only one interface.

Another tip, if you have a flat network, don’t connect both virtual interfaces to the same virtual or physical network. You will end up with a bridging loop! IP addresses on the NetScaler do not bind to individual cards, they appear to float upon the network infrastructure. The system then builds up knowledge of the different subnets that sit behind each interface.