Jump to content
Welcome to our new Citrix community!

HTTP / HTTPS redirection on alternate port

Recommended Posts

Hi all,


We have a service listening on SSL with port 3000 - with the Netscaler doing the SSL offloading for it. The SSL portion works. One the firewall (which we do not manage) has one NAT translation to an internal IP on TCP/3000.


Now we wish to redirect HTTP requests, but cannot do this the conventional way, Create a HTTP LBVS with a redirect to the SSL LBVS, because when we do that we get the message: "Operation not permitted"


To sketch it out:



https://url.com:3000 -> Citrix ADC -> LBVS for SSL 3000 -> Send to servicegroup which is at port 3000


Want, as addition to what works:

http://url.com:3000 -> Citrix ADC -> LBVS for TCP 3000 (or any other option) -> rewrite to https -> hit the LBVS with SSL:3000


Found the following, but its misses the mark for our use-case, I think.




We are stuck now trying to get this to work, I am making this post to see if any of you have any great ideas/points as my ADC skills are limited.


Thanks in advance

Link to comment
Share on other sites

In order for you to redirect HTTP:80 or HTTP:3000 to https:3000, you have to have a lb vserver or listener on HTTP.

So my guess is you tried to bind the HTTP to SSL redirect policy on the SSL vserver, but it can't listen on HTTP.


Otherwise, when you got operation not permitted, what exactly were you trying to do? 


If you need to redirect HTTP:80 or HTTP;3000 (aka multiple ports to HTTPS:3000 to keep it simple.)


method 1: down vserver + redirect url

Create an lb vserver on HTTP:* (with a listen policy for http.req.dstport(80) || http.req.dstport(3000) to listent for both).  Use the protection method for Redirect URL to redirect to https://<fqdn>:3000  (no path or trailing "/" and whatever path user has will be tacked on.)

this HTTP vserver can be in a down state, so all traffic will go to redirect url.  IT will listen to HTTP:<ports> and redirect to hTTPS:443 or HTTPS:3000 (depending on what your vserver is on).


add lb vserver lb_vsrv_sendtossl HTTP <VIP1> * -redirectUrl "https://<fqdn>:3000"

# no services bound; it will be down its job is to redirect any traffic on HTTP:* to the https:3000 url specified.

# You can restrict it to listening on specific ports like 80 | 3000 only via listen policies....


Method 2: up vserver + responder policy

Use a responder policy and an UP lb vserver on HTTP:*

Create a dummy service that is unmonitoring (always up) whose job is to keep http vserver in an UP state, but not go anywhere.

Create a lb vserver on HTTP:* and bind placeholder UP service to it.

Now bind responder policy to redirect HTTP to https://<fqdn>:3000<path>/<query> using policy expression


add service svc_alwaysup http 80*

add lb vserver lb_vsrv_sendtossl HTTP <VIP1> *

bind lb vserver lb_vsrv_sendtossl svc_alwaysup

Create your responder policy with an action like:  "https://<fqdn>:3000" + http.req.url.path_and_query

And bind this to the HTTP vserver to direct traffic to the https:3000 vserver.


Method 3:  on the ssl vserver, configure a listen port/redirect url

This may not be the best option if you need to redirect http:80 and http:3000 to https:3000 as the SSL vserver only has a single port to listen on to redirect.  These settings are only in LB vservervs of type SSL appearing in the GUI under the basic properties section.  

But it functions like Method 1, but the port 80 vserver is invisible and doesn't show as explicitly down.

However, if you need multiple redirects, Method 2 is the best.


Partial command lines are listed above; I can get you full command lines later, or you can see examples in this thread (minus the port:3000 examples):













Link to comment
Share on other sites

1 hour ago, Rhonda Rowland1709152125 said:

Method 2: up vserver + responder policy


I don't like this "up-service" method (I do know, it's everywhere). Instead I usually use a CS vServer, which is always up, even with no policy bound to it (it will return a 500 error). I usually bind a redirection policy to it. But all this won't solve your problems.


7 hours ago, Marco van Wijngaarden1709161757 said:

We have a service listening on SSL with port 3000 - with the Netscaler doing the SSL offloading for it. The SSL portion works. One the firewall (which we do not manage) has one NAT translation to an internal IP on TCP/3000


As far as I understand, you want to redirect from http://www.myserver,com:3000 to https://www.myserver.com:3000. I have no clue how to do this.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...