Jump to content
Welcome to our new Citrix community!

https to https redirection for Access gateway

Recommended Posts

I've configured NS 12.1 Access Gateway for customer , url https:\\apps.domain.com , their current url myapps.domain.com and would like to redirect myapps.domain.com to apps.domain.com.

CName record would do it only for http but also need it for https.


I've setup responder as per https://support.citrix.com/article/CTX221243 and applied to the http vserver, works great but when I creat extra vserver for ssl with the AG Ip it says resource already exist.

Is there another way to achieve redirect ?  

Link to comment
Share on other sites

You can only have a single entity on <VIP1>:443 (SSL)...so if you have the vpn vserver on this port, you would not create an lb vserver on <VIP1>:443 (SSL) at the same time.

You would only need the lb vserver on HTTP:80 to catch the port 80 traffic and redirect to SSL using a responder policy.  The FQDN in the responder policy will resolve to your gateway VIP on SSL.  


add lb vserver lb_vsrv_gw_sslredirect HTTP <VIP1> 80

   bind lb vserver lb_vsrv_gw_sslredirect -policyName <responder policy send to ssl> ....


add vpn vserver vpn_vsrv_gateway SSL <VIP1> 443



Link to comment
Share on other sites

I had http-https lb vserver created at netscaler gateway setup and I bonded responder to it and it does redirect http://myapps.domain.com to https://apps.domain.com but not https

So I think I need SSL lb Vserver to catch up https://xxxxxxxxx but I can't create SSL lb vserver with the gateway IP. I'm stuck..


Need help 

Link to comment
Share on other sites

You can't have an ssl vserver on the same VIP and port as an existing vpn vserver.


If you need to redirect your gateway from an old name to a new one for traffic that is already on HTTPS, then you will have to bind the responder policy to the vpn vserver...but if the FQDN doesn't match the cert users may get a untrusted cert issue before the redirect occurs.  But if the cert on the vpn vserver is issued to both names (a multi san cert or a wildcard cert) than the redirect should work.




Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...