A custom theme for NetScaler is a quick win for maximising the appearance of the Access Gateway login page. With a custom theme, the changes you make persist across NetScaler reboots.
To edit or create a new theme, connect to the NetScaler using WinSCP or FileZilla and take a backup of:
/netscaler/ns_gui
On your local backup copy, start making changes:
put your pictures in /media
put your CSS changes in /css
put your HTML adjustments in index.html
put localised strings in /resource/en.xml
Once the adjustments are done, upload the files back to /netscaler/ns_gui
To record the changes as a custom theme, do the following:
mkdir /var/ns_gui_custom
cd /netscaler
tar -zcvf /var/ns_gui_custom/customtheme.tar.gz ns_gui/*
This creates customtheme.tar.gz in the /var/ns_gui_custom folder.
Now you can log in to NetScaler, navigate to Global Settings and change the theme to custom.
All done!
To make adjustments to this custom theme:
edit the files under /var/ns_gui_custom/ns_gui
rm /var/ns_gui_custom/customtheme.tar.gz
cd /var/ns_gui_custom
tar -zcvf /var/ns_gui_custom/customtheme.tar.gz ns_gui/*
That's it.
Tuesday, September 15, 2015
Tuesday, December 31, 2013
NetScaler Blank Screen with Internet Explorer 9+
If you have customized your NetScaler theme, you might get a blank screen instead of the login screen when trying to log in to its Access Gateway or VPN using Internet Explorer 10 or 11.
To fix this issue, you can tell your users to run IE in compatibility mode, or you can edit the index.html file located in your theme folder.
I am using the Symphony1 theme, so my index.html file is located at
/var/vpn/themes/Symphony1/ns_gui/vpn/index.html
Edit the file using vi and add the following line:
<META http-equiv="X-UA-Compatible" content="IE=EmulateIE9" />
right after <link
Save the file and try again :)
Thursday, April 12, 2012
NetScaler MAC Based Forwarding
If you have deployed your NetScaler with two NICs, one connected to the DMZ network and the other connected to your internal network, then depending on your configuration you might need to enable MAC Based Forwarding on the NetScaler.
You have probably assigned the NSIP and MIP on your internal network, and the SNIP and VIPs on your DMZ network (for example, for publishing CAG/SSL VPN). You then try to access your NetScaler services from your internal network. This means traffic from the internal network goes to your default gateway (e.g. the firewall), which then forwards it to the VIP on the DMZ network. The NetScaler accepts the traffic; however, the return traffic will not go back through the firewall (e.g. the NetScaler default gateway). It will go out of the other NetScaler NIC, the one connected to the internal network. This creates asymmetric routing, and most routers/firewalls will drop the packets.
Enabling MAC Based Forwarding (MBF) will usually fix this.
The following is the definition of MBF:
With MAC-based forwarding (MBF) enabled, when a request reaches the NetScaler appliance, the appliance remembers the source MAC address of the frame and uses it as the destination MAC address for the resulting replies. MAC-based forwarding can be used to avoid multiple-route/ARP lookups and to avoid asymmetrical packet flows. MAC-based forwarding may be required when the NetScaler is connected to multiple stateful devices, such as VPNs or firewalls, because it ensures that the return traffic is sent to the same device that the initial traffic came from.
To enable it, from the NetScaler Console:
enable ns mode mbf
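The flow described above, as an added example that is not part of the original post: a model of an internal client opening a TCP connection to the VIP through a stateful firewall, with MBF off and on. The addresses, MAC labels and the firewall's state rule are constructed assumptions.

```python
import ipaddress

# Constructed addressing for the two-NIC layout (assumptions, not from the post).
INTERNAL = ipaddress.ip_network("10.0.0.0/24")   # NSIP/MIP and the client
CLIENT_IP, CLIENT_MAC = "10.0.0.25", "mac-client"
VIP = "192.168.50.10"                            # on the DMZ NIC
FW_MAC = "mac-firewall-dmz"                      # NetScaler default gateway

class StatefulFirewall:
    """Forwards a TCP handshake step only if it saw the previous one."""
    ORDER = {"SYN": None, "SYN-ACK": "SYN", "ACK": "SYN-ACK"}

    def __init__(self):
        self.last_seen = {}

    def forward(self, src, dst, flag):
        flow = frozenset((src, dst))
        if self.last_seen.get(flow) != self.ORDER[flag]:
            return False                         # out of state: dropped
        self.last_seen[flow] = flag
        return True

def reply_next_hop(dst_ip, ingress_nic, ingress_src_mac, mbf):
    """Return (egress NIC, destination MAC) the appliance picks for a reply."""
    if mbf:                                      # reuse the request's source MAC
        return ingress_nic, ingress_src_mac
    if ipaddress.ip_address(dst_ip) in INTERNAL: # directly connected route wins
        return "internal", CLIENT_MAC
    return "dmz", FW_MAC                         # everything else: default gateway

def handshake(mbf):
    """Internal client opens a connection to the VIP through the firewall."""
    fw, steps = StatefulFirewall(), []
    steps.append(("SYN", fw.forward(CLIENT_IP, VIP, "SYN")))
    # The SYN reaches the DMZ NIC in a frame whose source MAC is the firewall's.
    nic, mac = reply_next_hop(CLIENT_IP, "dmz", FW_MAC, mbf)
    if mac == FW_MAC:
        steps.append(("SYN-ACK", fw.forward(VIP, CLIENT_IP, "SYN-ACK")))
    else:
        steps.append(("SYN-ACK", "sent direct, firewall never sees it"))
    # The client's ACK to the VIP always goes via its gateway, the firewall.
    steps.append(("ACK", fw.forward(CLIENT_IP, VIP, "ACK")))
    return nic, steps

if __name__ == "__main__":
    for mbf in (False, True):
        print("MBF on " if mbf else "MBF off", handshake(mbf))
```

With MBF off, the SYN-ACK leaves the internal NIC and the firewall drops the client's ACK because it never saw the reply. With MBF on, all three steps cross the firewall.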
Thursday, December 23, 2010
Netscaler and Citrix Web Interface Setup
This guide assumes you have set up a basic Netscaler (e.g. DNS, NTP, IP) and Citrix Web Interface.
Netscaler
Enable Access Gateway features
Access Gateway - Policies - Authentication - Servers (tab)
- Add the domain controller
Access Gateway - Policies - Authentication - Policies (tab)
- Add a new policy
- Select the Server created earlier and add ns_true as the expression
Access Gateway - Policies - Session - Profiles (tab)
- Add a new profile
- Change the Web Interface Address to your local web interface server path
- Change the Single Sign-On Domain to your Active Directory domain
Access Gateway - Policies - Session - Policies (tab)
- Add a new policy
- Add the ns_true expression
- Change the Request Profile to the profile created earlier
Access Gateway - Virtual Servers
- Add a new virtual server
- Give an IP address
- Select the SSL certificate (see how to add an SSL certificate to NetScaler)
- Insert the policy created earlier
- Add the URL to the STA
Citrix Web Interface
- Create a new XenApp Web Site
- Authentication Point: At Access Gateway
- Available Method: Explicit
- Authentication Method:
- Add the URL (https) that is publicly available for the user
- Secure Access: Gateway Direct
- Enter the publicly available URL as the address
- Add the STA URL exactly the same as the STA servers you added to the Netscaler
Monday, September 20, 2010
Import SSL Certificate to Citrix Netscaler
I use the following method to import an SSL certificate to Citrix Netscaler:
- Find any Windows 2003 machine with IIS installed. Generate a CSR from this machine
- Submit this CSR to your CA to get the private key of it
- Import this private key to your IIS again
- Export the certificate, with both public and private keys, as a .pfx file
- Import this .pfx file to the Netscaler; it will generate a new file
- Open this new file; it should have 2 sections, a public and a private section
- Create 2 new files, one for the public and one for the private section
- Upload these 2 new files to the Netscaler (you can delete the .pfx and the generated file from Netscaler if you want to)
- From Netscaler, add a new SSL certificate
- Give a name to the new Certificate
- Select the public certificate for the Certificate File Name
- Select the private certificate for the Private File Name
- You can use the SSL certificate now with CAG
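The split of the generated file into one file per section, as an added example that is not part of the original post. It assumes the generated file is PEM text holding a certificate block and a private-key block; the output names example.cer and example.key and the sample input are constructed.

```python
import os
import re
import tempfile

# Matches one PEM block; the back-reference keeps BEGIN and END labels paired.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n.*?-----END \1-----", re.DOTALL)

def split_pem(text):
    """Return (certificate_blocks, private_key_blocks) found in text."""
    certs, keys = [], []
    for m in PEM_BLOCK.finditer(text):
        label = m.group(1)
        if label == "CERTIFICATE":
            certs.append(m.group(0))
        elif label.endswith("PRIVATE KEY"):
            keys.append(m.group(0))
    if not certs or len(keys) != 1:
        raise ValueError(f"expected >=1 certificate and exactly 1 key, "
                         f"got {len(certs)} and {len(keys)}")
    return certs, keys

def write_split(text, out_dir, name="example"):
    certs, keys = split_pem(text)
    cert_path = os.path.join(out_dir, name + ".cer")
    key_path = os.path.join(out_dir, name + ".key")
    with open(cert_path, "w") as f:
        f.write("\n".join(certs) + "\n")
    # O_EXCL + 0o600: never reuse an existing file, never widen permissions
    fd = os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(keys[0] + "\n")
    return cert_path, key_path

# Constructed sample: placeholder base64 bodies, not real key material.
SAMPLE = """Bag Attributes
    localKeyID: 01 00 00 00
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtQ0VSVA==
-----END CERTIFICATE-----
Bag Attributes
-----BEGIN RSA PRIVATE KEY-----
Q09OU1RSVUNURUQtS0VZ
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        print(write_split(SAMPLE, d))
```

Text outside the BEGIN/END markers, such as the "Bag Attributes" lines that PKCS#12 conversion tools emit, is left out of both output files.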