
Help with URL redirect/rewrite for Netscaler Access Gateway

Started by Cedric Brady , 10 April 2017 - 06:02 AM
6 replies to this topic


Cedric Brady Members

Cedric Brady
  • 7 posts

Posted 10 April 2017 - 06:02 AM

I have a home setup, so one public IP address. I have a registered domain with two A records set up with DDNS to my public IP. On the router, port forwarding is set up on ports 80 and 443 going to the VIP of the Netscaler Gateway. I have a Netscaler Gateway on port 443/80 and have http-https redirection working.

The Netscaler Gateway's public A record is gateway.example.com, and the other A record is vpn.example.com. I'm using vpn.example.com just for DDNS when I do VPN so I don't have to remember my public IP. Of course, if I put vpn.example.com in the browser I get an SSL error because the SSL cert is tied to gateway.example.com.

My question is, are there any rewrite/responder policies I can bind to the Netscaler Gateway config, so that if any requests hit vpn.example.com, they automatically rewrite/redirect to gateway.example.com?

 

I appreciate any help you can provide. Thanks.



Paul Blitz Members

Paul Blitz
  • 3,915 posts

Posted 10 April 2017 - 11:31 AM

You would need to do all of this at the HTTP level! And it could be quite trivial....

You have an HTTP LBVS whose sole purpose is to redirect traffic to port 443. Thus you simply use a responder to redirect all traffic from that LBVS to https://gateway.example.com. Thus, it doesn't matter which FQDN you use at the HTTP level, it redirects to the correct FQDN at the HTTPS level.

To make the responder work, that dummy LBVS needs to be UP, so create a dummy service that does NOT use a monitor, and bind it. Now create a responder action, a responder policy, and bind everything.

You end up with something like:

add responder action rs_act_sendtossl redirect '"https://gateway.example.com"'
add responder policy rs_pol_sendtossl true rs_act_sendtossl
bind lb vserver <vserver> -policyName rs_pol_sendtossl -priority 10

Another (actually simpler) way to do this is to create an LBVS (no service, so it is down) and fill in the "Redirect URL" with "https://gateway.example.com/" - the disadvantage of this is that the LBVS shows as red = down, and people don't like that!

Unfortunately, you HAVE to do this at the HTTP level, simply because to respond to an incorrect https request, you need a valid certificate!


Best Answer
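The port-80 redirect vserver described in the answer above, written out as a complete NetScaler CLI configuration. This is an added example, not Paul's or Citrix's own config: the object names, the VIP 203.0.113.5 and the dummy backend 192.0.2.10 are assumed (RFC 5737 documentation addresses), and the redirect target is hard-coded rather than built from the client's Host header, so a forged Host header cannot turn the vserver into an open redirect.

```text
# Dummy backend with health monitoring disabled so the vserver stays UP.
# The assumed IP 192.0.2.10 is never contacted: the responder policy
# answers every request before any load-balancing decision is made.
add service svc_dummy_http 192.0.2.10 HTTP 80 -healthMonitor NO

# HTTP vserver on the public VIP, port 80 (assumed VIP 203.0.113.5)
add lb vserver lb_vs_http_redirect HTTP 203.0.113.5 80
bind lb vserver lb_vs_http_redirect svc_dummy_http

# Redirect to the canonical FQDN, keeping the original path and query
# so deep links survive. 301 instead of the default 302 lets browsers
# cache the redirect; use 302 if the target may change later.
add responder action rs_act_sendtossl redirect '"https://gateway.example.com" + HTTP.REQ.URL.PATH_AND_QUERY' -responseStatusCode 301

# Rule "true" is safe here: nothing is ever served on port 80, so the
# catch-all cannot loop (unlike on the HTTPS vserver, see further down).
add responder policy rs_pol_sendtossl true rs_act_sendtossl
bind lb vserver lb_vs_http_redirect -policyName rs_pol_sendtossl -priority 10 -gotoPriorityExpression END -type REQUEST

# Verify: the vserver must show UP, and the policy hit counter must
# increase when you request http://vpn.example.com/ or http://<ip>/
show lb vserver lb_vs_http_redirect
show responder policy rs_pol_sendtossl
```

Because the Host header is ignored entirely, any name or bare IP that reaches port 80 ends up on https://gateway.example.com; only the path and query string are taken from the request.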

Cedric Brady Members

Cedric Brady
  • 7 posts

Posted 10 April 2017 - 03:59 PM

Yes! Thank you that did work!

 

After I submitted this, I looked at my external DNS provider, and they offered a URL redirect for a host name, which worked for redirecting the request to gateway.example.com, but it changed the IP so that broke what I was trying to do for DDNS for vpn.example.com.

By adding the new responder action and policy as you specified, and binding it to the LBVS used for the http-https redirect, it worked perfectly.

 

Thank you!



Cedric Brady Members

Cedric Brady
  • 7 posts

Posted 11 April 2017 - 02:17 AM

Actually, one more question. Is it possible to do the same thing on the Netscaler Access Gateway? http://vpn.example.com redirects to https://gateway.example.com.

When I try to add the same or a similar responder policy to the LBVS for the Access Gateway, it errors out with too many redirects when I go to https://vpn.example.com.

Without the responder policy, when I go to https://vpn.example.com it really goes to https://gateway.example.com, but with an SSL error because the names don't match.



Paul Blitz Members

Paul Blitz
  • 3,915 posts

Posted 12 April 2017 - 09:29 AM

No reason it shouldn't work for the NG.

 

Again it needs to be done with an HTTP LBVS, same as above. So the NGVS is on <public ip>:443, the LB will be on <public ip>:80. Your multiple FQDNs point to that <public ip>, and any request to the HTTP LB then gets redirected to the NG.

 

Remember that the redirect must be done at the HTTP level: if you connect at the SSL level with the wrong FQDN, then you get an error

 

Of course, if you used SAN certs, or SNI, you could accept the multiple FQDNs at the SSL level, and do the redirect from there: your policy will need to be a bit more intelligent, and rather than using "true" (which will cause a redirect loop!) you need something that will do a "hostname is NOT the primary FQDN", to redirect everything BUT the one that's right.
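The SAN/SNI variant from the reply above, as an added NetScaler CLI example (not Paul's, Cedric's or Citrix's own config). It assumes the Gateway vserver is named vpn_vs_gateway, that the certificate files gateway-san.crt and gateway-san.key cover both gateway.example.com and vpn.example.com as SANs, and that the firmware allows binding a responder policy to a VPN vserver at the request stage, as the original poster's did. The rule is written as "hostname is NOT the canonical name" rather than "hostname IS vpn.example.com", so it also catches any other SAN name or a bare IP without ever matching the canonical name, which is what prevents the "too many redirects" loop.

```text
# One certificate covering both names (assumed file names)
add ssl certKey cert_gateway_san -cert gateway-san.crt -key gateway-san.key
bind ssl vserver vpn_vs_gateway -certkeyName cert_gateway_san

# Redirect to the canonical name, keeping path and query string
add responder action rs_act_canonical_host redirect '"https://gateway.example.com" + HTTP.REQ.URL.PATH_AND_QUERY' -responseStatusCode 301

# Fire only when the Host header is NOT the canonical FQDN. A rule of
# "true" here would redirect gateway.example.com to itself: a loop.
# HOSTNAME.SERVER strips any ":port" suffix; IGNORECASE because DNS
# names are case-insensitive and a client may send "Gateway.Example.com".
add responder policy rs_pol_canonical_host 'HTTP.REQ.HOSTNAME.SERVER.SET_TEXT_MODE(IGNORECASE).EQ("gateway.example.com").NOT' rs_act_canonical_host

# Bind at the request stage of the Gateway (VPN) vserver, assumed name
bind vpn vserver vpn_vs_gateway -policy rs_pol_canonical_host -priority 100 -gotoPriorityExpression END -type REQUEST

# Verify from a client: the alternate name must answer 301 with a
# Location of https://gateway.example.com/..., the canonical name must
# answer with the normal Gateway page (no Location header).
#   curl -sI https://vpn.example.com/vpn/index.html
#   curl -sI https://gateway.example.com/vpn/index.html
show responder policy rs_pol_canonical_host
```

The TLS handshake still has to succeed before any HTTP policy can run, so the certificate must already be valid for vpn.example.com; the responder only fixes the name in the URL afterwards, it cannot fix a certificate mismatch.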



Cedric Brady Members

Cedric Brady
  • 7 posts

Posted 12 April 2017 - 08:02 PM

Thank you again for pointing me in the right direction.

 

On that HTTP LBVS, I have a redirect responder action to https://gateway.example.com, also I have the same responder action set on the HTTPS NGVS to https://gateway.example.com, but for the responder policies for both added a little bit of intelligence with http.req.hostname.eq("vpn.example.com").

 

Also, to make the redirection fluid I had to get new certificates generated from letsencrypt, to include vpn.example.com as a SAN. So now, the transition on both http and https is fluid, and I can actually see it working in the responder policy hits. All while still using vpn.example.com for DDNS for VPN.

 

Thank you! 



Paul Blitz Members

Paul Blitz
  • 3,915 posts

Posted 13 April 2017 - 11:31 AM

If you want to combine the use of static DNS with dynamic DNS, then you could always just put a cname from your static DNS pointing to the dynamic DNS: the advantage of that is that you get to keep your "nice looking" fqdn, but it changes as needed.