NetScaler URL Transform and Rewrite for 302 Location Header Redirects

The NetScaler can do A LOT – not just Citrix Access Gateway – the URL transformation, rewrite and responder engines are unbelievably powerful. One of the more common requests is to modify a URL so that it can be different for internal\external access or a different URL for a different set of users, even the ability to append a folder path to an existing host so that users don’t need to know the entire path – URL transformation is a perfect tool for this.

The most simple example is a URL transform to go from to

This applies to mostly any version of NetScaler, but the navigation and screenshots will differ slightly. First, navigate to the AppExpert > Rewrite > URL Transform section of the NetScaler. Create a new transformation profile with any name you wish, then edit the transform action. These are the fields needed for this simple transform:

The Request URL From field is what the incoming URL should match, and the Request URL Into field is what the URL request will be transformed into – those are the request fields, but communications are two way – so the server is going to respond with the translated ( in this case) URL which will not match what the user entered. This is where the Response URL From field takes the response from the server and translates it back to match what the user entered, or the Response URL Into field.
Once You have a profile created, you must create and match a transform policy. For this example, I am using a simple hostname expression: HTTP.REQ.HOSTNAME.EQ(“”) – this policy can then be bound to a load balancing vServer or content switching vServer.
Also of note some of the regex and variables used. Per
The protocol, hostname, path, and query can all be manually adjusted. The reqUrlFrom section supports Regex and has the ability to create variables ($1) based on word groups. The $1 – $9 variables can be used in the reqUrlInto section.

Lets look at another example where we are redirecting to a folder on the server, but the user does not see or know that it is going on. In this example, we are redirecting to – here is the relevant transform action.

And we are now in the /Folder application on the ‘demo’ server when the user types ‘’
Now the fun part. Certain applications will respond with 302 redirects using absolute URLs in the location header field – Microsoft SharePoint is one of the most common to do this, and to be behind a NetScaler. So lets simulate that with some quick script.

This ‘Default.aspx’ is located at so when a user goes to they will be redirected to So what is the desired outcome? ‘’ should be translated into ‘’ since we are already translating ‘Folder/’.
You’re probably thinking that the URL transform policy will take care of this – not so much. You’ll get 404 because the resulting path at the server will be something like ‘’.

Why doesn’t the URL transform work? Because this absolute path came in a location header.

So what do we do about this? We use the NetScaler to rewrite the header to our needs. So let’s navigate to AppExpert > Rewrite > Actions and create a new rewrite action – see the below screenshot for explanation.

Create the associated policy – in this case, the expression I used is: HTTP.RES.HEADER(“Location”).CONTAINS(“”).
Bind the rewrite policy to the CSW or SLB vServer – note this is a Response policy as we are rewriting the response headers.
Now the headers should look like this:

And the page loads successfully:

4 thoughts on “NetScaler URL Transform and Rewrite for 302 Location Header Redirects”

  1. Hi,
    I have a question regarding to HTTPS Status Response Code Policies. I hope,that I can describe exactly my Problem.

    My Question can be see in below:

    If my web page can be called from outside,the HTTPS response code should adapt appropriate requirements
    1 – if the request “/subscribe/” is a must if you should start header “Authorization Basic”.
    If that does not have, the answer should be the 403rd

    2 – “/ subscribe/search” must only be accessible by POST

    3 – “/ subscribe/document” must only be accessible with GET

    If the rules does not correspond to Article 2 and 3, the request should give appropriate error 422 Unprocessable Entity answer.

    Best Regards


  2. Hi Serkan,

    I’m not sure I completely understand the scenario, but I have a few thoughts. As far as authentication is concerned, is this behind a AAA vServer?

    Depending on where in the URL path that each of these things are, the expression to find them would be:

    HTTP.REQ.URL.PATH.GET(1).EQ(“subscribe”) – replacing the uint (1 in this case) with the location in the path.

    Additionally, you can use responder to allow\prevent access to a specific path or page with the policy looking like:


    Additionally, you can add a ‘.NOT’ to negate the expression to respond to anything except GET for example.

    Hope this helps.

  3. I am facing an issue regarding the URL transform policy that I can’t seem someone else has already posted about:
    In my case the original request URL has to be rewritten to

    The difficulty is in the questionmark. The rewrite policy does apply as I can see the URL is rewritten to
    So everything starting from the quetionmark is not added to the URL.
    How can I fix this?

    • Dear All,

      I am stuck with a scenario with ADC for Netscaler Policy , trying to explain the requirement here.

      I have plan to configure multiple Service group under a Virtual Server.

      EX :

      Virtual Server : vs-hello-all

      Service Group-1 : sg-hello-morning (this Service Group includes servers with port 8080)
      Service Group-2 : sg-hello-noon (this Service Group includes servers with port 8081)
      Service Group-2 : sg-hello-evening (this Service Group includes servers with port 8082)

      End User hits a site URL (For eg : “” ) , this should be redirected to Service Group-1 (sg-hello-morning) i.e. based on the “/_ _ _” parameter appended to URL (in this case /morning).

      Similarly for if End user type URL : “” , this should be forwarded to Service Group-2 (sg-hello-noon) i.e. based on the “/_ _ _” parameter appended to URL (in this case /noon)

      For Third case, if end user access the URL : “” , this request should be redirect or forward to Service Group-3 (sg-hello-evening) i.e. based on “/_ _ _ ” parameter appended to URL (in this case /evening).

      please help.


Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.