In the name of the kind of simplicity that was addressed by Leonardo da Vinci, organizations invested in XenApp and/or XenDesktop for providing secure, remote access to virtual applications and desktops leverage the NetScaler Gateway feature on the NetScaler.  It is common to use this feature to securely proxy ICA and SSO to Storefront/Web Interface.  This enables them to present applications and desktops after granularly controlling authentication, authorization and auditing at the NetScaler.

Several organizations also leverage SSL VPN on the NetScaler using a NetScaler Gateway vServer.

  • They configure a landing page to Storefront
  • This allows them to present a portal to the company owned virtual applications and desktops presented using XenApp and XenDesktop.

At this point, their users only authentication once.  They get SSO from the SSL VPN NetScaler Gateway vServer to Storefront and see their apps and desktops.

But, what  if they want telemetry and visibility into application and desktop usage within the full SSL VPN tunnel?  They would have to configure HDX Insight for the ICA proxy NetScaler Gateway vServer on the same NetScaler. But, if the landing page for the SSL VPN NetScaler Gateway vServer is configured as the ICA Proxy NetScaler Gateway vServer, their users will have to re-authenticate at the ICA Proxy NetScaler Gateway vServer after authenticating at the SSL VPN NetScaler Gateway vServer.

To Avoid Having to Re-Authenticate

We can configure SSO between the SSL VPN NetScaler Gateway vServer and the ICA Proxy NetScaler Gateway vServer by making a minor modification to the index.html file and leveraging a responder policyEnd Result: A “Seamless User Experience that Provides Visibility using HDX Insight

  1. Users browse to
  2. Enter username/password and click on login
  3. Get redirected on and see their applications and desktops published using XenApp/XenDesktop
  4. Get application visibility and telemetry using HDX Insight from AppFlow enabled at

The following steps describe the process to Single-Sign-On from an SSL VPN NetScaler Gateway vServer to ICA Proxy NetScaler Gateway.


1. Download index.html to the computer. Note: Make sure that you back up this original file.

2. Open the file for editing with preferred document editor software.

3. Locate the following section of text. The line where this section is located will vary depending on the version of NetScaler:

Logon box –>
<tr class=”mainPane”>
<td class=”carbonBoxBottom” valign=”bottom”>
<script language=”javascript” type=”text/javascript”>

4. Insert the following text immediately after the section described in step 3 :

function getCookie(name) { // use: getCookie(“name”);
var re = new RegExp(name + “=([^;]+)”);
var value = re.exec(document.cookie);
return (value != null) ? unescape(value[1]) : null;

var today = new Date();
var expiry = new Date(today.getTime() + 28 * 24 * 3600 * 1000); // plus 28 days
var expired = new Date(today.getTime() – 24 * 3600 * 1000); // less 24 hours

function setCookie(name, value) { // use: setCookie(“name”, value);
document.cookie=name + “=” + escape(value) + “;;path=/; expires=” + expiry.toGMTString();

function storeValues(form) {
setCookie(“login”, form.login.value);
setCookie(“passwd”, form.passwd.value);
return true;

Note: This has been tested for the Green Bubble theme as well as the Black and Blue Carbon theme.

Also, the process of creating the cookie is similar to that we use for creating domain cookies when we have a domain dropdown on the ICA Proxy NetScaler Gateway vServer login page as documented in

5. The next two lines should read as follows:

name=”vpnForm” autocomplete=”off” style=”margin:0″

6. The HTML code should now read as follows:
<FORM method=”post” action=”/cgi/login” name=”vpnForm” autocomplete=”off” style=”margin:0″
onSubmit=”return storeValues(this); clean_name_cookie(this);”>

7. Make sure login and passwd cookies contain the username and password when the user authenticates at the SSL VPN vServer login page.

8. Config to login from SSL VPN to ICA Proxy when the user authenticates at the SSL VPN login page:

add responder action LOGIN_TO_AGEE_action respondwith “\”<html><head>\”+\”<script language=\\\”JavaScript\\\”>function UnsetCookie(cookieName) {document.cookie=cookieName+\\\”=nothing;expires=Thursday, 1 Jan 1970 00:00:00 GMT;; path=/\\\”;} </script>\”+\”<FORM action=\\\”\\\” method=\\\”post\\\” id=\\\”ctxredir\\\”>\n<INPUT type=\\\”login\\\” style=\\\”display:none\\\”\nname=\\\”login\\\” value=\\\”\”+ http.REQ.COOKIE.VALUE(\”login\”) + \”\\\”>\n<INPUT type=\\\”mypass\\\” style=\\\”display:none\\\”\nname=\\\”passwd\\\” value=\\\”\”+ http.REQ.COOKIE.VALUE(\”passwd\”) + \”\\\”></FORM><script language=\\\”JavaScript\\\” type=\\\”text/javascript\\\”>\n<!–\ndocument.getElementById(\\\”ctxredir\\\”).submit();\n//–>\n</script>\”+\”</head></html>\”” -bypassSafetyCheck YES


add responder policy “http.REQ.HOSTNAME.EQ(\”\”) && (http.REQ.URL.EQ(\”/\”) || http.REQ.URL.EQ(\”/cgi/login\”) || http.REQ.URL.EQ(\”/vpn/index.html\”)) && http.REQ.HEADER(\”Cookie\”).CONTAINS(\”login\”)” LOGIN_TO_AGEE_action

bind responder global 100 END -type REQ_OVERRIDE


The responder policy can also be bound at the ICA Proxy vServer. This is just an example.

The responder action is nothing but a POST into for SSO to the ICA Proxy NetScaler Gateway vServer.

Please Note:

The login and passwd cookies can be re-encrypted and secured as described in the following blog: /blogs/2011/08/05/secure-your-application-cookies-before-it-is-too-late/.


The sample code available in this article is provided as is with no representations, warranties or conditions of any kind. You may use, modify and distribute it at your own risk. CITRIX DISCLAIMS ALL WARRANTIES WHATSOEVER, EXPRESS, IMPLIED, WRITTEN, ORAL OR STATUTORY, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NONINFRINGEMENT. Without limiting the generality of the foregoing, you acknowledge and agree that (a) the sample code may exhibit errors, design flaws or other problems, possibly resulting in loss of data or damage to property; (b) it may not be possible to make the sample code fully functional; and (c) Citrix may, without notice or liability to you, cease to make available the current version and/or any future versions of the sample code. In no event should the code be used to support of ultra-hazardous activities, including but not limited to life support or blasting activities. NEITHER CITRIX NOR ITS AFFILIATES OR AGENTS WILL BE LIABLE, UNDER BREACH OF CONTRACT OR ANY OTHER THEORY OF LIABILITY, FOR ANY DAMAGES WHATSOEVER ARISING FROM USE OF THE SAMPLE CODE, INCLUDING WITHOUT LIMITATION DIRECT, SPECIAL, INCIDENTAL, PUNITIVE, CONSEQUENTIAL OR OTHER DAMAGES, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Although the copyright in the code belongs to Citrix, any distribution of the code should include only your own standard copyright attribution, and not that of Citrix. You agree to indemnify and defend Citrix against any and all claims arising from your use, modification or distribution of the code.