
How Can I Write a Rewrite Action to change between internal and external servers.


Hello, I am trying to do what I believe should be a simple rewrite to hide an internal server's traffic. In detail:


1. A user goes to the company URL https://mycompany.abc.com. This is then directed to an SSL load balancer, which is up and working, which sends traffic to (one of two) web servers.

2. The web server then redirects (302) to an internal authentication server. 

3. The user is then presented with a login to this internal authentication server, using the server's own name. https://authenticationserver.abc.com/loginquerystuff


What I am trying to do is rewrite these requests and responses so that the user never sees the internal server, which of course is also not publicly resolvable for external users.


So the flow is:


User Request -> forwarded by web server to auth server -> Auth server responds with URL with itself in the hostname -> User logs in (fails externally of course).


I have written a rewrite policy for the response, so now NetScaler sends the user the login page with the company URL, i.e. https://mycompany.abc.com/loginquerystuff

This request is now sent back to the NetScaler, but the rewrite for the request to translate it back to the authentication server name is failing, so the login request goes back to the web server, resulting in a 400 error or other error depending on how I word my action.


The policy is applying and the action is firing but I don't see any result.


This is a 10.5 NetScaler. Below are my policies (all rewrite). I have followed various articles, including: https://docs.citrix.com/en-us/netscaler/12/appexpert/rewrite/rewrite-action-policy-examples/example-redirecting-external-url.html to no avail.


I've reached a dead end and would really appreciate some help.


The policy looks for a "/specifictag" to identify requests coming from the client aimed at the auth server.

Here is my action:


replace HTTP.REQ.URL.PATH "authenticationserver.abc.com" - this is just the latest of many iterations, mind you.


The result I am looking for is to do this:

https://mycompany.abc.com/specifictag/query stuff


replaced with:

https://authenticationserver:8000/specifictag/query stuff


In Chrome developer tools, the first URL is part of a header called "Request URL". I don't know how to target this.

Something like this:



    Request URL: https://mycompany.abc.com/specifictag/query stuff


My policy is being hit and the action is firing, but when I look in Chrome at my request it isn't changing, and anyway the browser spits out a 400 coming from the web server and not the authentication server.


I hope this information is enough.





Rewrites are unidirectional.  Rather than a rewrite, you might want to use a transform.  This changes the URL in both directions so that the client sees one thing and the server sees another.



Request URL from


Request URL into


Response URL from


Response URL Into



Or you may need a combination of rewrites and transforms. I manage one site that employs 1 responder, two transforms and 22 rewrites. Sometimes it just takes a lot of trial and error, using Chrome developer and Fiddler to analyse along the way.

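A small Python model of the bidirectional mapping described in the reply above, added here as an illustration and not posted by either participant. It models the four fields rather than NetScaler syntax; the regexes, function names and sample response are assumptions built from the hostnames in the question, and it includes a check for places where the internal hostname still reaches the client.

```python
import re

# Constructed from the hostnames in the thread. The four keys model the
# transform fields named in the reply; the regexes are assumptions.
FIELDS = {
    "req_from": r"^https://mycompany\.abc\.com(/specifictag/.*)$",
    "req_into": r"https://authenticationserver:8000\1",
    "res_from": r"https://authenticationserver(?:\.abc\.com)?(?::8000)?(/[^\s\"'<>]*)",
    "res_into": r"https://mycompany.abc.com\1",
}
INTERNAL = re.compile(r"authenticationserver", re.I)


def to_backend(url, fields=FIELDS):
    """Request direction: map the public URL to the internal one."""
    if not fields.get("req_from"):
        return url  # response-only rewrite: the request goes out unchanged
    return re.sub(fields["req_from"], fields["req_into"], url)


def to_client(headers, body, fields=FIELDS):
    """Response direction: map internal URLs in the Location header and body."""
    def fix(text):
        return re.sub(fields["res_from"], fields["res_into"], text)
    out = {k: fix(v) if k.lower() == "location" else v for k, v in headers.items()}
    return out, fix(body)


def leaks(headers, body):
    """Return the places where the internal hostname is still visible."""
    found = [k for k, v in headers.items() if INTERNAL.search(v)]
    if INTERNAL.search(body):
        found.append("body")
    return found


# Constructed sample: the 302 from step 2 plus a login page with a form action.
SAMPLE_HEADERS = {
    "Location": "https://authenticationserver.abc.com/specifictag/login?x=1",
    "Set-Cookie": "sid=abc; Domain=authenticationserver.abc.com; Path=/",
}
SAMPLE_BODY = '<form action="https://authenticationserver.abc.com/specifictag/post">'

if __name__ == "__main__":
    hdrs, page = to_client(SAMPLE_HEADERS, SAMPLE_BODY)
    print(hdrs["Location"])              # public URL the browser sees
    print(to_backend(hdrs["Location"]))  # internal URL on the way back in
    print(leaks(hdrs, page))             # what the URL mapping did not cover
```

In the constructed sample the cookie Domain attribute is not a URL, so the mapping leaves it alone and the leak check reports it.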
