
NetScaler Gateway rewrite policy not working



Hello community,

 

I've an issue with rewriting at clientless access for which I'd like to ask for your help.

 

First some facts:

NetScaler version: 11.1-51.26

License: VPX200 Ent

 

The situation:

In this deployment I'm using NetScaler Gateway with enabled clientless access to publish an internal website. This internal website is built on SharePoint with an additional front end.

 

The problem:

The CVPN engine of NetScaler Gateway seems to miss some URLs to rewrite or doesn't rewrite them correctly. In one particular case it forgets to include "/cvpn/https/..." at a link to a PDF document on the site.

 

The website's URL looks like the following:

https://host.example.intra/mysite/Pages/default.aspx

 

On the website there is, as mentioned before, a PDF document listed by the following element:

(...)

<div class="ms-vb  itx" ctxname="ctx5" id="4" app="">

<a class="ms-listlink ms-draggable" href="/mysite/directory_a/examplefile.pdf" (...) </a>
</div>

(...)

 

The issue with the href link is that if it's clicked it gets rewritten to

https://netscalergatewayFQDN/mysite/directory_a/examplefile.pdf

 

which should actually be

https://netscalergatewayFQDN/cvpn/https/host.example.intra/mysite/directory_a/examplefile.pdf

 

The HTTP response contains the following line which I guess is linked with this (I'm not a web developer though): 

"FileRef": "\u002fmysite\u002fdirectory_a\u002fexamplefile.pdf",

 

I thought I could trick it by creating an additional rewrite policy for that particular issue and bind it to the NetScaler Gateway for the response:

 

add rewrite action rwa_pdf replace_all "HTTP.RES.BODY(1000000000).SET_TEXT_MODE(IGNORECASE)" q/"\"FileRef\": \"\\u002fcvpn\\u002fhttps\\u002fhost.example.intra\\u002fmysite"/ -pattern "\"FileRef\": \"\\u002fmysite\\"
add rewrite policy rwp_pdf true rwa_pdf DROP
bind vpn vserver netscalergateway -policy rwp_pdf -priority 100 -gotoPriorityExpression END -type RESPONSE

 

The issue now is that the policy gets a hit when the site is called but it doesn't rewrite anything. Even changing it to something very simple by rewriting only a single word to exclude issues with special characters, it had no effect. When I check the HTTP response the code is still the same as before. Am I missing something? Maybe someone sees something in here.

 

Thank you in advance!


Sorry for the double post but the previous one was somehow messed up, lost some information and I couldn't correct it.
 
In the meantime I also tried to trick it with a responder policy to redirect the client to the correct URL (see below). Unfortunately that doesn't work either. It still leads to https://netscalergatewayFQDN/mysite/directory_a/examplefile.pdf where NetScaler responds with "Http/1.1 Object Not Found". I also changed the policy expression to "true" but "nsconmsg -d current" shows no policy hits. At that point it looks like it doesn't even consider processing the bound policies but immediately responds with the error message. I found a related post about this: http://discussions.citrix.com/topic/370970-question-url-11-object-not-found/
 
So there are two ideas but none of them works.   :( Any further ideas?
 
add responder action rpa_pdf redirect "\"https://\" + HTTP.REQ.HOSTNAME+ \"/cvpn/https/host.example.intra\" + HTTP.REQ.URL" -responseStatusCode 302
add responder policy rpp_pdf "HTTP.REQ.URL.PATH.STARTSWITH(\"/mysite\") && HTTP.REQ.URL.PATH.CONTAINS(\".pdf\")" rpa_pdf DROP

 

 


  • 1 year later...
  • 2 years later...

Hi Bro

 

I have encountered similar problems, with reasons and solutions for your reference:

 

In general, in the CVPN scenario, NetScaler will overwrite the links referenced in JS and add the CVPN encrypted fields to the URL.

NetScaler interprets whether the response file is JavaScript through content type. If the content type is incorrect or not standard, NetScaler will not convert the link in the JavaScript.

So please make sure all JavaScript files use "Application/x-javascript" as the Content-Type on your web site.

If they use "Application/javascript" or another type, please rewrite it to "application/x-javascript".

 

Good luck!

If the rewrite is not working, please remove "Accept-Encoding" from the request headers.
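
A small diagnostic for the two causes named in the replies above, added here as an example (not code from the thread or from Citrix): given the headers and raw body of a captured response, it reports a compressed body, a JavaScript Content-Type other than the one named in the reply, and root-relative links that still lack the /cvpn/ prefix. The sample body is constructed from the FileRef line in the first post, and the function names are hypothetical.

```python
import gzip
import re

# Constructed sample: the JSON fragment quoted in the first post.
SAMPLE_BODY = b'{"FileRef": "\\u002fmysite\\u002fdirectory_a\\u002fexamplefile.pdf"}'
PATTERN = b'"FileRef": "\\u002fmysite'   # literal text the rewrite action searches for
JS_TYPE = "application/x-javascript"     # content type named in the reply above


def diagnose(headers, body, pattern=PATTERN):
    """Return reasons a text-based body rewrite would leave this response unchanged."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    encoding = h.get("content-encoding", "identity").lower()
    if encoding != "identity":
        # A literal pattern is compared against compressed bytes, not the text.
        findings.append(f"body is {encoding}-encoded: text patterns see compressed bytes")
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if "javascript" in ctype and ctype != JS_TYPE:
        findings.append(f"script served as {ctype}, not {JS_TYPE}")
    if pattern not in body:
        findings.append("pattern not present in the bytes on the wire")
    return findings


def unprefixed_links(body):
    """List root-relative paths, plain or \\u002f-escaped, that lack a /cvpn/ prefix."""
    text = body.decode("utf-8", "replace").replace("\\u002f", "/")
    paths = re.findall(r'"(/[^"\s]+)"', text)
    return [p for p in paths if not p.startswith("/cvpn/")]


if __name__ == "__main__":
    # Same body, once as plain text and once as the backend would send it
    # after the client advertised Accept-Encoding: gzip.
    print(diagnose({"Content-Type": "application/json"}, SAMPLE_BODY))
    print(diagnose({"Content-Type": "application/json", "Content-Encoding": "gzip"},
                   gzip.compress(SAMPLE_BODY)))
    print(unprefixed_links(SAMPLE_BODY))
```
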
