Redirect Web Interface on Citrix NetScaler with Rewrite function

When you install and configure Web Interface on Citrix NetScaler nCore you probably notice that there is no option to automatically go to the default Citrix XenApp page as you were used to in a Microsoft IIS install of the Citrix Web Interface. Once you have set up Citrix Web Interface and you add the newly created address in the browser you will get an “Invalid Path” notice. This would mean you (or your users) always would have to fill in the subdirs also.

Off course this can be nicely resolved with a Rewrite function within the Citrix NetScaler and here I will show you how to.

Command line version:

add rewrite action rw_ac_xenapp replace HTTP.REQ.URL “\”/Citrix/XenApp\””

add rewrite policy rw_pol_xenapp “HTTP.REQ.URL.EQ(\”/\”)” rw_ac_xenapp

bind lb vserver -policyName rw_pol_xenapp -priority 100 -gotoPriorityExpression END -type REQUEST

GUI Version:

Go to Rewrite –> Actions and click Add. Create the Action as in the screenshot below:

Click OK and go to Rewrite –> Policies. Create the Policy as in the screenshot below:

And the last step. Bind the newly created policy to the Web Interface Virtual Server:

Start a browser and visit the Web Interface address. There u go. Could not redirect faster then that you guys!


About Henny Louwers
I work as a Consultant specialized in Application Delivery, Virtualization of Servers, Desktops and Apps.

20 Responses to Redirect Web Interface on Citrix NetScaler with Rewrite function

  1. ns_dummy says:

    Great post. I’m facing the same problem. What about having an home page displayed where to let user choose different Web Interface Sites? Is it worth using the rewrite to replace that page with some html code?



    • Yes, that would be possible, but you will have to know where that you want NetScaler to react on, originating IP, host header, etc.

      You could also create 2 DNS entries, one for each site and then create a rewrite function for every incoming DNS address to change to the specific Web Interface when it comes in.


  2. astrashnikov says:

    Hello Henry. I found your site today. Maybe you can help me to find solution for my netscaler VPX installation. I try to install AGEE and xenapp service site on Netscaler VPX, version is NS9.2: Build Now I have one Virtual AG server with turn off authenticarion and xenapp service site in gateway direct mode. It works fine, but I can’t use the single sign on for xenapp service site. I Also set “WIAuthenticationMethods=SingleSignOn” in the WebInterface.conf file, but i doesn’t help in the gateway direct mode. Also I have installed another Xenapp Service Site by direct mode and when I set “WIAuthenticationMethods=SingleSignOn” the Single Sign On work. Do you know Is it possible to use Single Sign on the xenapp service site and AGEE on the Netscaler Vpx Appliance with gateway direct mode?


    • I have had the exact same problem. You probably would like to create a Citrix XenApp Services to use with AGEE and Citrix Receiver for iPad/iPhone/etc.

      Seems that Citrix XenApp Services site passthrough (or SSO) authentication does not yet work within the Citrix Web interface for NetScaler. Now, I’m not sure about the most recent builds.

      The only workaround I know is to still use Windows Citrix Web interface Servers in the backend for use with Citrix Receiver.

      If you can confirm this problem on your site I will try and create a support ticket with Citrix Tech Support.


      • astrashnikov says:

        Hello Henry.
        Thank you very much for your reply. Do you try to set Web interface (Web site) for those functions?
        I’m trying to setup website on the ncore with “Single Sign on”. But I can’t use “Single Sign on” either I use Gateway Direct mode with Authentication at the AGEE or Gateway Direct mode with Authentication at the Web interface. I also Can’t use “Single sign on” in the “direct mode”. When I set “WIAuthenticationMethods=SingleSignOn” I always get Error “Invalid System Configuration”. Do you know any possibility to use “Single sign on” with the Web Site in the Ncore? Where I can setup Authentication on Website if I use direct mode or gateway direct mode (with authentication point in the web interface)? Is it possible to use “single sign on” at the gateway direct mode, when authentication point at the AGEE ( use “single sign on” for Authentication at the AGEE)?


  3. Walter says:

    Hey Henry,

    Thanks sir, you are a lifesaver on this! I do have a question though. Do you know how one would go about setting up a redirect from non-secure to secure

    Thanks in advance!



    • Hi Walter,

      Apologies for the late response, look at this page to use a rewrite function to go from non-secure http to secure https:

      A good alternative would be to open the Virtual Server that you would like redirected, go to the Advanced Tab and fill the field “redirect URL” with the secure one.


  4. HenryB says:


    After performing the above commands and trying the GUI, I still get the “Invalid Path” when going directly to IP. Thanks in advance..


  5. HenryB says:

    Hello HenryL,

    After a little exploring, I realized that the “rewrite” option was not enabled within “Configure basic features”. Once enabled, it worked like a charm. Thanks again!!!!!


  6. cmsantos says:

    Hi Henny!

    Nice tip in a nice post! Thanks guy!


    Kind regards,

    Cristiano Santos


  7. Ilya Fedotov says:

    It works,


  8. Luke Ericksen says:

    I am facing a similar issue. My site is published to the outside and port 443 is only allowed. The Rewrite function from what i see only reacts to http site. it can redirect to https but does not read in https.
    I need to append the full URL to my site. example rewrite or respond with


    • Luke, try a two-step approach, first put a redirection in place for http to https by creating a virtual server and adding the under the Advanced tab. Bind no Services or Service Groups to this Virtual Server, it’s status must be DOWN.

      Next create a rewrite rule for adding the /mysite/test.aspx and bind it to the https virtual server. You can use the steps mentioned in the post.

      Let me know if that works.


      • Luke Ericksen says:

        Henny, This will not work because port 80 is not open to the outside. This site is only 443. I have built the rewrite policy and that does not work.
        Do you think it would be better to use a responder. I have tried to build a responder for this site with no luck as well. I am not familiar with either as I am learning as I go with the Netscaler.


  9. Talis says:

    Hi Henry, thank you for this post. The problem I’m facing is that I have two webinterface’s on a different server. I want to use that server for both internal use and external for the Netscaler. The URL Citrix/XenApp/auth/login.aspx leads to the internal webinterface allready in place. The URL used by Netscaler is Citrix/XenApp2/auth/login.aspx and has two factor authentication enabled. When connecting to the external URL it is possible to change the URL to Citrix/XenApp/auth/login.aspx to bypass the XenApp2 / two factor authentication settings. Can URL rewriting help me with this problem?


    • Hi Talis,

      Your problem is not very clear (at least to me) but it seems to me you shoud be able to solve this with Session Profiles within Access Gateway. Are you using Access Gateway or just Load Balancing Citrix Web Interface servers? Or have you configured Access Gateway that authentication is taking place on the Citrix Web Interface?


  10. eugene says:

    Hi Henny.. I wanted to implement a URL rewrite in the below scenario:

    The two URL – (agent) and (admin) are pointing to one server with context /xx/admin. Currently, when the user access his (user) URL, it is being displayed as because of the backend context.

    What I intend to do is to rewrite the response URL – back to agent URL – so that user will not be aware that he is accessing the same page.

    Can this be possible using rewrite?




    • Hey Eugene,

      Yes, you should be able to accomplish this using rewrite rules.

      Here is an example:

      add rewrite action rw_act_req_admin replace http.REQ.URL.PATH “\”/xx/admin\””
      add rewrite policy rw_pol_req_admin “HTTP.REQ.URL.PATH.EQ(\”/xx/user\”)” rw_act_req_admin

      Apply the rw_pol_req_admin policy to the Virtual Server.


  11. eko says:

    Hi Henny……..good day too you…..
    i already running the feature off rewrite……but after i running the rewrite, the site that i configure in rewrite the image can not show up, can you help me……i try to upgrade the ios of netscaler still doesn’t work………need your help urgent
    Thanks a lot henny


  12. Nicolas says:

    Hi henry,
    I’m lost,
    I have an bind to a LB for WI.
    entering https;// bring show me the IIS7 default page (the WI isn’t set as default site)
    I have created a step above
    add rewrite action rw_ac_xenapp replace HTTP.REQ.URL “\”/Citrix/XenApp\””
    add rewrite policy rw_pol_xenapp “HTTP.REQ.URL.EQ(\”/\”)” rw_ac_xenapp
    bind lb vserver -policyName rw_pol_xenapp -priority 100 -gotoPriorityExpression END -type REQUEST

    and now when I type : I get in the adress (with an error 404)
    When I put it work
    When I put it doesn’t work

    what’s wrong in my settings ? (VPX 200 10.1)


%d bloggers like this: