Jump to content
Welcome to our new Citrix community!

Rewrite Policy not Triggering - RDP Proxy

Recommended Posts

I have an issue where a rewrite policy bound to a gateway virtual server is not triggering. I have seen past articles which suggest it is due to HTTTP compression of the response and to remove the Accept-Encoding header. I have added a policy to remove the header which is triggering.

This is the scenario, Unified Gateway with Clientless access enabled providing RDP Proxy with published RDP URLS's. I want to trigger rewrite upon a request for a RDP Proxy URL. I have tried the following expressions.


or checking for the existence of 'NSC_NONCE='in the URL


The request headers are for example

GET /rdpproxy/srvtest01..somedomain.com?pol_name=srvtest01&NSC_NONCE=5NsxdQp6SMr256eQ HTTP/1.1
Host: gateway.som.nats.co.uk
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: NSC_AAAC=0eec9dfa847021c050c0d17bbe1d971a0af151d9c45525d5f4f58455e445a4a42
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Pragma: no-cache
Cache-Control: no-cache

And the response is

HTTP/1.1 200 OK
Strict-Transport-Security: max-age=157680000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Length: 605
Cache-control: no-cache, no-store, must-revalidate
Pragma: no-cache
Content-Type: application/x-rdp; charset=utf-8
Content-Disposition: attachment; filename=srvtest01_1709721406.rdp

I have also tried evaluating on the response header.


Policies are bound to the correct bind point, and there are no other higher priorities with a go to expression of end.

Should it be configured in a Clientless Access Policy as clientless access is enabled.

A rewrite policy in a different environment which encrypts the ICA file does not evaluate when clientless access is enabled in the session profile. Therefore I tried the above in a clientless access policy but still couldn't get it to trigger but the difference is with RDPProxy the request is not re-written to /CVPN.

The requirement for this is because RDP files generated by the NetScaler are not signed therefore when downloaded by the browser a trust warning is displayed. All is required is to change the HTTP Response Body and sign it with a certificate. Something along the lines of 

add rewrite action insert_rdp_sig insert_after "HTTP.RES.BODY(2048)" "(\"signature:s:\").APPEND(HTTP.RES.BODY(2048).PKEY_SIGN_CERTKEY(\"certkeyname\"))"

Not sure if I can just do an append or I need to do a replace

add rewrite action insert_rdp_sig2 replace "HTTP.RES.BODY(2048)" "HTTP.RES.BODY(2048).APPEND(\"signature:s:\").APPEND(HTTP.RES.BODY(2048).PKEY_SIGN_CERTKEY(\"certkeyname\"))"

Have also logged a call with Citrix







Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...