I am often asked to customize the Netscaler logon pages with the company's corporate design, logos and other elements. Another very common requirement is a hint that tells users what the company's LDAP password complexity policy is when they have to change their passwords in a remote scenario. Netscaler does not offer any functionality to do this in the GUI. The second challenge is that Citrix has changed how the designs and portal themes are stored on the file system and how they are activated.
As there are already some instructions on how to insert such notifications into the "old" or standard themes, I will focus on the new way and the new themes.
First of all we will create a new theme on the Netscaler 11.1.
I've created a new theme with the X1 template and named it "X1_new".
Now I made my changes (very simple, with a new background image).
Afterwards switch over to the Netscaler Gateway vServer and bind the new theme.
Select the new theme from the drop-down menu, click on ok and finish the vserver configuration.
When we access the page we will see the new theme.
Now, when a user who has to change his or her LDAP password logs on, the default message comes up. This message only says "Password expired, please change".
Now I started searching for a place where I can insert a custom message. After some time I came across the custom.css file. This file is for your advanced custom settings which cannot be set within the GUI wizard.
On the file system we can find the file in the path of the theme created previously.
One option is to add some code to the file directly. But we want to keep the message as flexible as possible, so the idea was to change the CSS file with the rewrite feature of Netscaler and bring up a more meaningful notification for the user.
1 = Name and type of rewrite action
INSERT_AFTER_ALL
2 = What pattern are we looking for
.personal_fileshare_section .NUI_Icon table td span.descr { color :#dcdcdc; }
3 = Where to change
HTTP.RES.BODY(150000)
4 = What is the new code (expression) we want to add:
"\n\n\n/* This is from Netscaler Rewrite Engine */\n\n#logonbox-logonform #dialogueStr:after { content: 'ACHTUNG: Minimale Anforderung - 8 Zeichen A-Z, a-z, 0-9 und mindestens ein Sonderzeichen &,%,!,?'; display: block; margin-top: 9px; }"
Now we need a policy to decide when Netscaler should execute the action above.
I had to use a three-condition policy. First the policy checks for my public host name, then whether the request is for the custom.css file, and finally whether the browser language is German. If all conditions are met, Netscaler will add the code to the CSS.
NOTE: In our case we had several policies based on different browser languages, for example en, fr, es and related policies.
To activate the policy we can bind it per vServer or globally. In the demo I will bind the policy in the global Rewrite Policy Manager as a Response policy.
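The GUI steps above (rewrite action, three-condition policy, global response binding) written as NetScaler CLI commands. This is an added example, not the author's own configuration: the object names, the hostname gateway.example.com, the priorities, the URL and Accept-Language expressions and the English message are assumptions, while the target, the search pattern and the German CSS are taken from the post.

```netscaler
# Added example. Object names, hostname, priorities and the English text are assumptions.
enable ns feature REWRITE

# Action: insert the hint CSS after every match of the theme's existing rule.
# Only the first 150000 bytes of the response body are searched, and the search
# text must match the theme's CSS byte for byte (note the "color :" spacing).
add rewrite action rw_act_pwdhint_de insert_after_all "HTTP.RES.BODY(150000)" "\"\n\n\n/* This is from Netscaler Rewrite Engine */\n\n#logonbox-logonform #dialogueStr:after { content: 'ACHTUNG: Minimale Anforderung - 8 Zeichen A-Z, a-z, 0-9 und mindestens ein Sonderzeichen &,%,!,?'; display: block; margin-top: 9px; }\"" -search "text(\".personal_fileshare_section .NUI_Icon table td span.descr { color :#dcdcdc; }\")"

# Same action for English browsers (message text constructed for this example).
add rewrite action rw_act_pwdhint_en insert_after_all "HTTP.RES.BODY(150000)" "\"\n\n\n/* This is from Netscaler Rewrite Engine */\n\n#logonbox-logonform #dialogueStr:after { content: 'NOTE: Minimum requirement - 8 characters A-Z, a-z, 0-9 and at least one special character &,%,!,?'; display: block; margin-top: 9px; }\"" -search "text(\".personal_fileshare_section .NUI_Icon table td span.descr { color :#dcdcdc; }\")"

# Policy: all three conditions must hold (Gateway hostname, request for
# custom.css, browser language). Restricting on the hostname keeps a globally
# bound policy from touching CSS served for other sites on the appliance.
add rewrite policy rw_pol_pwdhint_de "HTTP.REQ.HOSTNAME.EQ(\"gateway.example.com\") && HTTP.REQ.URL.CONTAINS(\"custom.css\") && HTTP.REQ.HEADER(\"Accept-Language\").CONTAINS(\"de\")" rw_act_pwdhint_de
add rewrite policy rw_pol_pwdhint_en "HTTP.REQ.HOSTNAME.EQ(\"gateway.example.com\") && HTTP.REQ.URL.CONTAINS(\"custom.css\") && HTTP.REQ.HEADER(\"Accept-Language\").CONTAINS(\"en\")" rw_act_pwdhint_en

# Bind globally as response policies. Browsers usually send several languages
# (for example "de-DE,de;q=0.9,en;q=0.8"), so both rules can match; the lower
# priority number is evaluated first and END stops evaluation, so exactly one
# hint is inserted.
bind rewrite global rw_pol_pwdhint_de 100 END -type RES_DEFAULT
bind rewrite global rw_pol_pwdhint_en 110 END -type RES_DEFAULT
```

After requesting the logon page, `show rewrite policy rw_pol_pwdhint_de` displays the policy's hit counter, which shows whether the three conditions matched.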
Now when a user logs in and is prompted to change his or her password, the following message comes up.
If we have a look in the network inspector of Google Chrome or Firefox, we see the new code within the custom.css.
In a second post I will show how to insert this rewriting stuff into an AAA portal theme.
Marco Klose works as a Technical Consultant, Architect and CTO focused on Application & Desktop virtualization as well as application delivery with the Citrix product portfolio. He is specialized in Citrix virtualization, Citrix networking and Microsoft products. He has 10+ years of experience, holds the latest Citrix certifications and is a member of the Citrix Partner Expert Council EMEA (PTEC). Since 2021 he has also been a Citrix Technology Advocate (CTA).
Can you explain the "configure rewrite policy" step a little more?
What is the expression condition? How to configure it?
Which step do you mean exactly?
Hi Marco, sorry for the delay in coming back.
You have used a 3-condition policy. The 1st is to check the public host name; what hostname am I supposed to put here? Does hostname mean the Netscaler name, the gateway name, or the URL that users use to log in?
HTTP.REQ.HOSTNAME.EQ("domain.com")
Correct, you have to search for the Gateway or AAA hostname.