Carl Stalhood

Filling gaps in EUC vendor documentation

NetScaler Gateway 11.1 Virtual Server

Last Modified: May 4, 2017 @ 2:20 pm

 17 Comments

Navigation

NetScaler Gateway Universal Licenses

Create NetScaler Gateway Virtual Server

Verify SSL Settings

Gateway Portal Theme

Custom Theme

SSL Redirect

DNS SRV Records for Email-based discovery

Block Citrix VPN for iOS

View ICA sessions

Customize Logon Page

Logon Page Labels

Disclaimer / EULA

Theme File Customization

Logon Page Links

Other Customizations

UDP Audio Through Gateway

StoreFront – Rewrite X-Citrix-Via

💡 = Recently Updated

NetScaler Gateway Universal Licenses

For basic ICA Proxy connectivity to XenApp/XenDesktop, you don’t need to install any NetScaler
Gateway Universal licenses on the NetScaler appliance.

However, if you need SmartAccess features (e.g. EPA scans), or VPN, then you must install Net-
Scaler Gateway Universal licenses. These licenses are included with the Platinum editions of Xe-
nApp / XenDesktop, Advanced or Enterprise editions of XenMobile, and the Platinum edition of
NetScaler.

NetScaler 11.1 build 49 and later come with built-in Gateway Universal licenses: NetScaler
Standard Edition = 500 licenses, NetScaler Enterprise Edition = 1000 licenses, and NetScaler
Platinum Edition = unlimited licenses.

When you create a NetScaler Gateway Virtual Server, the ICA Only setting determines if you
need NetScaler Gateway Universal licenses or not. If the Virtual Server is set to ICA Only, then
you don’t need licenses. But if ICA Only is set to false then you need a NetScaler Gateway Uni-
versal license for every user that connects to this NetScaler Gateway Virtual Server. Enabling
ICA Only disables all non-ICA Proxy features, including: SmartAccess, SmartControl, and VPN.

If you don’t need any non-ICA Proxy features, then you don’t need any Gateway Universal li-
censes, and you can skip to the next section.

If you are running NetScaler Platinum Edition 11.1 build 49 or later, then you already have un-
limited licenses and can skip to the next section.

For other NetScaler editions and older builds, you can install more Gateway Universal licens-
es. The Gateway Universal licenses are allocated to the case sensitive hostname of each appli-
ance. If you have an HA pair, and if each node has a different hostname, allocate the Gateway
Universal licenses to the first hostname, and then reallocate the same licenses to the other
hostname.

To see the hostname, click your username on the top right.

To change the hostname:

1. Click the gear icon on the top right.

2. Then click the third section.

To upload the allocated Gateway Universal licenses to the appliance, go to System > Licenses. A
reboot is required.
After NetScaler Gateway Universal licenses are installed on the appliance, they won’t necessari-
ly be available for usage until you make a configuration change as detailed below:

1. On the left, expand System, and click Licenses.

2. On the right, in the Maximum NetScaler Gateway Users Allowed field is the number of
licensed users for NetScaler Gateway Virtual Servers that are not set to ICA Only.

3. On the left, under NetScaler Gateway, click Global Settings.

4. In the right column of the right pane, click Change authentication AAA settings.

5. Change the Maximum Number of Users to your licensed limit. In NetScaler 11.1 build 49
and newer, this value should already match the number of licensed users. In older builds,
you must manually configure this setting, and if not configured, then it defaults to only 5
concurrent connections.

6. If desired, check the box for Enable Enhanced Authentication Feedback. Click OK.

set aaa parameter -enableEnhancedAuthFeedback YES -maxAAAUsers 200

Create Gateway Virtual Server

1. Create a certificate for the NetScaler Gateway Virtual Server. The certificate must match the
name users will use to access the Gateway.
2. For email discovery in Citrix Receiver, the certificate must have subject alternative names
(SAN) for discoverReceiver.email.suffix (use your email suffix domain name). If you have
multiple email domains then you’ll need a SAN for each one.

3. On the left, right-click NetScaler Gateway and click Enable Feature.

4. On the left, expand NetScaler Gateway and click Virtual Servers.

5. On the right, click Add.

6. Name it gateway.corp.com or similar.

7. Enter a new VIP that will be exposed to the Internet. Note: you can also set it to Non Ad-
dressable, which means you can place the Gateway behind a Content Switching Virtual
 Server.
8. Click More.

9. Check the box next to ICA Only. This option disables SmartAccess and VPN features
but does not require any additional licenses.
10. Check the box next to DTLS, and click OK.
11. DTLS enables EDT protocol, UDP Audio, and Framehawk. 💡
12. EDT requires UDP 443 on client side, and UDP 1494/2598 on server side.
13. DTLS (including EDT), will not work if Mac Based Forwarding is enabled. 💡

14. In the Certificates section, click where it says No Server Certificate.

15. Click the arrow next to Click to select.

16. Select a previously created certificate that matches the NetScaler Gateway DNS name and
click Select.

17. Click Bind.

18. If you see a warning about No usable ciphers, click OK.

19. Click Continue.

20. In the Basic Authentication section, click the plus icon in the top right.
21. Note: it’s also possible to disable authentication on Gateway and make StoreFront do it in-
stead as described in Citrix CTX200066 How to Log On to StoreFront When Authentication
is Disabled on NetScaler Gateway VIP. However, it’s more secure to require Gateway to au-
thenticate the users before the user can communicate with StoreFront.

22. Select LDAP, select Primary and click Continue.

23. If you used the authentication dashboard to create the LDAP server then you probably
 haven’t created the corresponding policy yet. Click the plus icon to create a new policy.

24. Use the Server drop-down to select the previously created LDAP server.
25. Give the policy a name. The policy name can match the Server name.
26. In the Expression box, enter ns_true, or select it from the Saved Policy Expressions drop-
down. Click Create.

27. Click Bind.

28. Or for two-factor authentication, you will need to bind two policies to Primary and two po-
lices to Secondary:

Primary = LDAP for Browsers (User-Agent does not contain CitrixReceiver)

Primary = RADIUS for Receiver Self-Service (User-Agent contains CitrixReceiver)

Secondary = RADIUS for Browsers (User-Agent does not contain CitrixReceiver)

Secondary = LDAP for Receiver Self-Service (User-Agent contains CitrixReceiver)

29. Click Continue.

30. Scroll down to the Profiles section and click the pencil icon.

31. In the TCP Profile drop-down select nstcp_default_XA_XD_profile and click OK.

32. In the Policies section, click the plus icon near the top right.
33. Select Session, select Request and click Continue.

34. Click the arrow next to Click to select.

35. Select one of the Receiver session policies and click Select. It doesn’t matter in which order
you bind them.

36. There’s no need to change the priority number. Click Bind.

37. Repeat these steps to bind the second policy. In the Policies section, click the plus icon near
the top right.

38. Select Session, select Request and click Continue.

39. Click Add Binding.

40. Click the arrow next to Click to select.

41. Select the other Receiver session policy and click Select.
42. There’s no need to change the priority number. Click Bind.

43. The two policies are mutually exclusive so there’s no need to adjust priority. Click Close.
44. On the right, in the Advanced Settings section, click Published Applications.

45. Click where it says No STA Server.

46. Add a Delivery Controller in the https://<Controller_FQDN> or http://<Controller_FQDN>
format, depending on if SSL is enabled on the Delivery Controller or not. This must be a
FQDN or IP address. Short names don’t work.
47. Click Bind.

48. To bind another Secure Ticket Authority server, on the left, in the Published Applications
section, click where it says 1 STA Server.

49. Click Add Binding.

50. Enter the URL for the second Controller and click Bind.

51. This view shows if the STAs are reachable or not. To refresh the view, close the STA Bind-
ings list and reopen it.

add vpn vserver gateway.corp.com SSL 10.2.2.200 443 -icaOnly ON -dtls ON -

tcpProfileName nstcp_default_XA_XD_profile

bind vpn vserver gateway.corp.com -policy "Receiver Self-Service" -priority 100

bind vpn vserver gateway.corp.com -policy "Receiver for Web" -priority 110
 bind vpn vserver gateway.corp.com -policy Corp-Gateway -priority 100

bind vpn vserver gateway.corp.com -staServer "http://xdc01.corp.local"

bind vpn vserver gateway.corp.com -staServer "http://xdc02.corp.local"

bind vpn vserver gateway.corp.com -portaltheme RfWebUI

52. If you haven’t enabled the Default SSL Profile, then perform other normal SSL configura-
tion including: disable SSLv3, bind a Modern Cipher Group, and enable Strict Transport
Security.

bind ssl vserver MyvServer -certkeyName MyCert

set ssl vserver MyvServer -ssl3 DISABLED -tls11 ENABLED -tls12 ENABLED

unbind ssl vserver MyvServer -cipherName ALL

bind ssl vserver MyvServer -cipherName Modern

bind ssl vserver MyvServer -eccCurveName ALL

bind vpn vserver MyvServer -policy insert_STS_header -priority 100 -

gotoPriorityExpression END -type RESPONSE

Verify SSL Settings

After you’ve created the Gateway Virtual Server, run the following tests:

1. Citrix CTX200890 – Error: “1110” When Launching Desktop and “SSL Error” While Launch-
ing an Application Through NetScaler Gateway: You can use OpenSSL to verify the certifi-
cate. Run the command: openssl s_client -connect gateway.corp.com:443. Replace the
FQDN with your FQDN. OpenSSL is installed on the NetScaler or you can download and in-
stall it on any machine.
2. Go to https://www.ssllabs.com/ssltest/ and check the security settings of the website. Citrix
Blogs – Scoring an A+ at SSLlabs.com with Citrix NetScaler – 2016 update.
Gateway Portal Theme

Citrix Blog Post Branding your Deployment Part 2: Matching NetScaler to StoreFront explains
NetScaler Gateway Portal Themes, how to edit the Portal Theme CSS, and warns about GUI
changes overwriting CSS file changes.

If you want the logon page for NetScaler Gateway to look more like StoreFront 3.0 and newer,
enable the built-in RfWebUI or X1 theme. RfWebUI is optimized for Unified Gateway (Clientless
VPN) since it provides the exact same appearance and user experience as StoreFront 3.x. The
Unified Gateway RfWebUI theme can display RDP Links and Web Links (bookmarks) along with
the familiar StoreFront apps and desktops. Note: RfWebUI requires StoreFront 3.6 or newer.

1. Go to NetScaler Gateway > Virtual Servers and edit an existing Virtual Server.
2. On the right, in the Advanced Settings section, click Portal Themes.
3. On the left, Change the Portal Theme drop-down to RfWebUI. Click OK.

4. Click Done.

bind vpn vserver gateway.corp.com -portaltheme RfWebUI

5. When you access the NetScaler Gateway login page you’ll see the theme.
Custom Theme

You can also your own theme by starting from one of the built-in themes:

1. Go to NetScaler Gateway > Portal Themes.

2. On the right, click Add.

3. Give the theme a name, and select RfWebUI as the Template Theme. Click OK.

4. In the Look and Feel section, there are two sub-sections: one for Home Page and one for
Common Attributes.

5. The Home Page is for Unified Gateway (aka VPN Clientless Access). Notice that the Web-
sites Sections can be disabled.
6. The Help Legend link shows you what the other fields modify.

7. If you want to modify the logon page, use the Common Attributes sub-section.
 8. The Help Legend link shows you what the fields modify.

9. Make changes as desired and click OK.

10. After you click OK, the Language section appears.
11. In the Language section, select a language and click OK.
12. On the right, in the Advanced Settings section, click Login Page.

13. Make changes as desired (e.g. Password Field Titles) and click OK.

14. At the top of the screen, click the link to Click to Bind and View Configured Theme.

15. Select a Gateway Virtual Server and click Bind and Preview.
16. The logon page is displayed.

17. You could go to /var/netscaler/logon/themes/MyTheme/css and make more changes to

custom.css, but this file gets overwritten any time you make a change in the Portal Themes
section of the NetScaler GUI.

18. Citrix CTX209526 NetScaler; How to Copy a Portal Theme from the Device running version
11.0 to another Device running 11.0.
SSL Redirect

Use one of the following procedures to configure a redirect from http to https. Responder
method is preferred.

Responder method

Down vServer method

Public DNS SRV Records

For email-based discovery, add a SRV record to each public email suffix DNS zone. Here are
sample instructions for a Windows DNS server:

1. In Server Manager, click Tools > DNS Manager

2. In the left pane of DNS Manager, select your DNS domain in the forward or reverse lookup
zones. Right-click the domain and select Other New Records.

3. In the Resource Record Type dialog box, select Service Location (SRV) and then click Cre-
ate Record.
 4. In the New Resource Record dialog box, click in the Service box and enter the host value
_citrixreceiver.
5. Click in the Protocol box and enter the value _tcp.
6. In the Port number box, enter 443.
7. In the Host offering this service box, specify the fully qualified domain name (FQDN) for
your NetScaler Gateway Virtual Server in the form servername.domain (e.g. gateway.com-
pany.com)

Block Citrix VPN for iOS

Andrew Morgan Blocking the new Citrix VPN iOS connection to Netscaler gateway and Cit-
rix CTX201129 Configuration for Controlled Access to Different VPN Plugin Through NetScaler
Gateway for XenMobile Deployments: do one or both of the following:

Create an AppExpert > Responder > Policy with Action = DROP and Expression =
HTTP.REQ.HEADER("User-Agent").CONTAINS("CitrixReceiver/NSGiOSplugin"). Either bind the
Responder Policy Globally, or bind it to the Gateway vServers.

In your Gateway Session Policies, on the Client Experience tab, set the Plug-in Type to
Java. If any of them are set to Windows/MAC OS X, then VPN for iOS is allowed.

View ICA Sessions

To view active ICA sessions, click the NetScaler Gateway node on the left, and then click ICA
Connections on the right.
 show vpn icaconnection

Customize Logon Page

Logon Page Labels

When two factor authentication is configured on NetScaler Gateway, the user is prompted for
User name, Password, and Password 2.
The Password field labels can be changed to something more descriptive, such as Active Directo-
ry or RSA:

To change the labels, edit a Portal Theme:

1. Go to NetScaler Gateway > Portal Themes and edit an existing theme. You can’t edit the
built-in themes so you’ll have to create one if you haven’t already.
2. On the right, in the Advanced Settings column, click Login Page.

3. In the Login Page section, change the two Password fields to your desired text. Click OK.
4. If using the RfWebUI theme, the default text size for the form field labels is 17px. However,
the Portal Themes editor defaults to 12px. You can change it back to 16px or 18px by edit-
ing Form Font Size in the Look and Feel > Common Attributes section.

5. In the Portal Theme section at the top of the page, you can Click to bind and View Config-
ured Theme to Preview your changes.

6. On Platinum Edition appliances, you might have to invalidate the loginstaticobjects Con-
tent Group (Optimization > Integrated Caching > Content Groups) before the changes ap-
pear. This seems to be true even if Integrated Caching is disabled.
Logon Security Message (Disclaimer, EULA)

You can force users to agree to a EULA before they are allowed to login.
Clicking the Terms & Conditions link allows the user to view the EULA text that you have
entered.

Do the following to configure the EULA:

1. Go to NetScaler Gateway > Resources > EULA.

2. On the right, click Add.

3. Give the EULA a name and enter some text. You can even enter HTML code. See the exam-
ple posted by Chris Doran at Citrix Discussions.
4. Click Create.

5. Edit a Gateway Virtual Server.

6. On the right, in the Advanced Settings column, click EULA.

 7. Click where it says No EULA.

8. Click the arrow next to Click to select.

9. Select the EULA and click Select.

10. Click Bind.

11. Mike Roselli at Automatic EULA Acceptance by Cookie Rewrite Guide at Citrix Discussions
details Rewrite policies that change the behavior so that users only have to accept the EULA
once. It records acceptance in a cookie.
12. Sam Jacobs Adding an EULA for AAA Login at CUGC explains how to enable the EULA on
the AAA logon page. 💡

Theme File Customization

The original themes (Default, Green Bubble, and X1) use files from /netscaler/ns_gui/vpn/js
and /var/netscaler/logon/themes. A commonly edited file
is /netscaler/ns_gui/vpn/js/gateway_login_form_view.js since this file is responsible for render-
ing the logon form.

The new RfWebUI theme is different than the original themes, because it pulls files
from /var/netscaler/logon/LogonPoint/receiver. This means the customizations for NetScaler
11.0 won’t work with the new RfWebUI theme. When reviewing customization guides for Net-
Scaler 11, be aware that most of them won’t work for the RfWebUI theme.

Logon Page Links

Citrix CTX202444 How to Customize NetScaler Gateway 11 logon Page with Links shows how to
add links to the NetScaler Gateway 11 logon page. This only works in the Default, Green Bubble,
and X1 themes (no RfWebUI theme).

Other Customizations

CTP Sam Jacobs at Adding Text, Links and Other Elements to the NetScaler Logon Page – Part
2 at CUGC explains how to add text to the RfWebUI theme logon page. The process for RfWebUI
is quite different than the older themes:

Text is stored in /var/netscaler/logon/themes/<theme>/strings.<language code>.json

Custom CSS is stored in /var/netscaler/logon/themes/<theme>/css/theme.css

Sample Logon Page:

CTP Sam Jacobs at Adding Text, Links and Other Elements to the NetScaler Logon Page – Part 1
at CUGC explains how to modify custom.css and en.xml to add text below the logon box on the
Logon Page. No Rewrite policies or source code modifications needed.
Citrix CTX215817 NetScaler : How to Customize Footer of NetScaler Gateway Login Page. This ar-
ticle does not work with the RfWebUI theme, but it works with the X1 theme.

Mike Roselli at Netscaler 11 Theme Customization – How to Add Links and Verbiage at discus-
sions.citrix.com has sample rewrite policies to customize the NetScaler Gateway logon page
with additional HTML.

Craig Tolley Customising the NetScaler 11 User Interface – Adding Extra Content: add new sec-
tions to login page. These sections pull content from local HTML files.
Daniel Ruiz Set up a maintenance page on NetScaler Gateway: configure a Responder policy (see
the blog post for sample HTML code). During maintenance, manually bind the Responder policy
to the Gateway. Manually remove the policy after maintenance is complete.

UDP Audio Through Gateway

From John Crawford at Citrix Discussions and Marius Sandbu Enabling Citrix Receiver audio
over Netscaler Gateway with DTLS

Note: Enabling DTLS on the Gateway also enables Framehawk and EDT. See Citrix Policy Settings
for Framehawk configuration.

Requirements for UDP Audio:

Citrix Receiver 4.2 or newer

NetScaler Gateway 10.5.e (enhancement build) or NetScaler 11 or newer

UDP 443 allowed to NetScaler Gateway Virtual Server

UDP 16500-16509 allowed from NetScaler SNIP to VDAs

To enable UDP Audio through Gateway, make changes on both the NetScaler Gateway Virtual
Server and in Receiver:

1. Edit the NetScaler Gateway Virtual Server. In the Basic Settings section click the edit (pen-
cil) icon.

2. Click More.
3. Enable the DTLS option, and click OK.

4. After enabling DTLS, it probably won’t work until you unbind the Gateway certificate and
rebind it.
Client-side configuration

There are two methods of enabling RTP on the client side:

Edit default.ica on the StoreFront server

Use GPO to modify the client-side config

To edit the default.ica file on the StoreFront server (h/t Vipin Borkar): Edit the file C:\inet-
pub\wwwroot\Citrix\Store\App_Data\default.ica and add the following lines to the Applica-
tion section:

EnableRtpAudio=true
EnableUDPThroughGateway=true
AudioBandwidthLimit=1
To use GPO to modify the client-side config:

1. Copy the receiver.admx (and .adml) policy template into PolicyDefinitions if you haven’t
already.
2. Edit a GPO that applies to Receiver machines. You can also edit the local GPO on a Receiver
machine.
3. Go to Computer Configuration > Policies > Administrative Templates > Citrix Compo-
nents > Citrix Receiver.
4. Edit the setting Client audio settings.
5. Enable the setting.
6. Set audio quality as desired. Higher quality = higher bandwidth.
7. Check to Enable Real-Time Transport.
8. Check to Allow Real-Time Transport through Gateway. Click OK.
Next step

Configure StoreFront to use NetScaler Gateway

StoreFront – Rewrite X-Citrix-Via

When NetScaler Gateway communicates with StoreFront, it adds a header called X-Citrix-Via
that contains the FQDN entered in the user’s address bar. StoreFront uses this header to find a
matching Gateway object so StoreFront knows how to handle the authentication. In NetScaler
11.0 and newer, you can create a rewrite policy to change this header. This is useful when
changing URLs or using DNS aliases for Gateways. See CTX202442 FAQ: Modify HTTP Header X-
Citrix-Via on NetScaler for more details.

Here’s a sample rewrite policy for this header:

enable ns feature REWRITE

add rewrite action rwact_storefront replace "HTTP.REQ.HEADER(\"X-Citrix-Via\")"

"\"mystorefront.mydomain.com\""
 add rewrite policy rwpol_storefront "HTTP.REQ.HEADER(\"X-Citrix-
Via\").NE(\"mystorefront.mydomain.com\")" rwact_storefront

bind vpn vserver mygateway-vs -policy rwpol_storefront -priority 100 -type REQUEST

 July 2, 2016  Carl Stalhood  NetScaler, NetScaler 11.1, NetScaler Gateway 11.1

17 thoughts on “NetScaler Gateway 11.1 Virtual Server”

Kari Ruissalo
April 26, 2017 at 7:52 am

About the customizations, is there a way to change the texts in the clientless
portal in 11.1? Currently in the top-right corner text says “Hello, {Username}”
and I would want to change that to “Logged on user: {Username}”.

I tried to change the en.xml -file but it didn’t help. Next step is to use AppEx-
pert rewrite, but if you’d had something ready it’d be much easier!

John
December 15, 2016 at 4:15 pm

I upgraded from 10.5 to 11.1 and in chrome browsers the “user name” and
password” fields on the login page don’t display. The error message in the
browser is: “JavaScript is either disabled in or not supported by the Web
browser.
To continue logon, use a Web browser that supports JavaScript or enable Java-
Script in your current browser.
“.

I’m using a custom X1 theme (customized in the GUI), but this issue occurs us-
ing any of the built-in themes as well.

Works as expected in IE. Any ideas?

Carl Stalhood 
December 15, 2016 at 5:10 pm

Check your /nsconfig/rc.netscaler file to make sure there’s nothing in it ex-

cept NTP.
 John
December 16, 2016 at 8:42 am

That file does not exist on my device. I did a global search.

Carl Stalhood 
December 16, 2016 at 8:50 am

I guess that means you don’t have NTP enabled, which you should.

Have you done any file-based customizations of your themes?

Use your browser developer tools to see if there are errors in the Console.
Or compare with a working browser.

John
December 16, 2016 at 9:48 am

You’re right! went ahead and enabled NTP.

No file based customizations. I simply added a new theme in the GUI

(NetScalerNetScaler GatewayPortal Themes) and simply used X1 as the
base/template.

Here is the error in the console:

rdx.js:1 Synchronous XMLHttpRequest on the main thread is deprecated

because of its detrimental effects to the end user’s experience. For more
help, check https://xhr.spec.whatwg.org/.send @ rdx.js:1
VM42:1 Uncaught SyntaxError: Unexpected token <
at Function.globalEval (https://mynetscalerportal.-
com/vpn/js/rdx.js:1:29706)
at text script (https://mynetscalerportal.com/vpn/js/rdx.js:1:99437)
at b4 (https://mynetscalerportal.com/vpn/js/rdx.js:1:98381)
at s (https://mynetscalerportal.com/vpn/js/rdx.js:1:94609)
at a (https://mynetscalerportal.com/vpn/js/rdx.js:1:101481)
at Object.send (https://mynetscalerportal.com/vpn/js/rdx.js:1:101525)
at Function.ajax (https://mynetscalerportal.com/vpn/js/rdx.js:1:96652)
at Object.load_script (https://mynetscalerportal.-
com/vpn/js/rdx.js:1:1018426)
at Object._load_lang_file (https://mynetscalerportal.-
 com/vpn/js/rdx.js:1:1121482)
at Object._init_rdx_lang (https://mynetscalerportal.-
com/vpn/js/rdx.js:1:1120174)

I'm researching.

Ramesh
August 19, 2016 at 4:57 am

Hi,

Is there any issue in upgrading 10.5 to 11.1 netscaler gateway.

which is the stable version 11 or 11.1

Regards

Ramesh

Carl Stalhood 
August 19, 2016 at 6:07 am

I am currently deploying 11.0 build 66 at my Customers. Unless you have

high risk tolerance.

Jeppe Schoubye
August 8, 2016 at 3:03 am

Hi Carl.
Great article!
One question however.. Some of your screenshots displays the Gateway login
page without the “Password 2” field. This is exactly what I’m looking for as the
procedure have changed in 11.1. Could you please add som info on how to dis-
able this field in version 11.1 (I’m using rfWebUi-theme)
Regards
Jeppe

Carl Stalhood 
August 8, 2016 at 6:10 am

Are you saying that you have two-factor enabled but want to hide the 2nd
field in RfWebUI? If so, I haven’t figured out how to do that yet. RfWebUI is
quite different from X1. It behaves more like a Login Schema form – lots of
AJAX.

Jeppe Schoubye
August 8, 2016 at 7:34 am

Yes 🙂
After supplying username and password (LDAP) I receive the passcode in a
text message. This is then typed into a seperate field which is displayed.
I do not need the Password 2 field which will just confuse the users.
We were able to remove it in version 10.5 but now I need to migrate every-
thing to version 11.1.
Above in step 16 you actually have a screenshot without the Password 2
field.

Carl Stalhood 
August 8, 2016 at 7:46 am

That screenshot only has LDAP configured.

Your two-factor product should have instructions for removing the 2nd
password field. For X1 theme, the typical file to edit is
/netscaler/ns_gui/vpn/js/gateway_login_form_view.js. I don’t know how to
remove it from RfWebUI since RfWebUI does not use the gateway_login_-
form_view.js file.

Beat
November 23, 2016 at 3:48 am

did you see a solution to hide the second password field in RfWebUI?
Since the new StoreFront and unified Gateway it ist no longer suitable
to use X1 theme.. Thanks in advance…

Carl Stalhood 
November 23, 2016 at 5:36 am

I have not seen anything yet. Did you post your question to http://discus-
sions.citrix.com?
 Jeppe Schoubye
November 23, 2016 at 6:37 am

I’m not sure that this works in RfWebUI but I use the following method
to hide the “Password 2” field:

Remove the “Password 2”-field in Gateway by using a rewrite policy:

add rewrite action rw_act_pwcount insert_http_header Set-Cookie

“\”pwcount=\”+ 1” -comment “Remove Password 2 field”

add rewrite policy rw_pol_pwcount “HTTP.REQ.HEADER(\”Cook-

ie\”).CONTAINS(\”pwcount\”).NOT” rw_act_pwcount -comment “Remove
Password 2 field”

bind vpn vserver [LB Vserver Name] -policy rw_pol_pwcount -priority

100 -gotoPriorityExpression END -type RESPONSE

This will set the “pwcount” cookie to 1 which will remove the extra field

Regards
Jeppe

Tyus
July 5, 2016 at 11:26 am

Carl,

Im currently trying to decide which is a better appliance “Netscaler vs F5” and

could use your intake on the appliances.

We would be using it for Citrix, Exchange , SharePoint and load balancing oth-
er items such as websites .

What are the main points to consider between the two?

Carl Stalhood 
July 5, 2016 at 11:32 am

For ICA Proxy, you definitely want NetScaler. It’s supported by Citrix, while
F5 is not. NetScaler has AppFlow, which I believe F5 does not.
 Otherwise, both F5 and NetScaler can do normal load balancing.

In my F5 customers, I typically do NetScaler for ICA Proxy, and F5 for every-

thing else.

Proudly powered by WordPress