As everyone is aware, you can configure a NetScaler Access Gateway appliance to forward the VPN login credentials to the StoreFront web servers by selecting the Single sign-on to Web Applications option in a Session Action policy. However, as a security precaution, NetScaler Access Gateway is designed not to forward credentials to web servers that have public IP addresses (which is my reality right now). In addition, I don't want to use any Split Tunneling in my Session Action policies to solve this. It is simply not an option.
As a workaround, according to CTX121699, you can load balance the StoreFront server(s) in an LB service group or LB service behind a Load Balancing vServer that is configured with a private IP, and then point AGEE (via DNS) to that VIP. This was working quite well until Citrix released StoreFront 2.x. The workaround stopped working and I had to find another solution: forcing ("inserting") the HTTP headers X-Citrix-Via and X-Citrix-Via-Vip using a rewrite policy and binding it to the LB vServer or to the AG VIP itself.
Is this a permanent solution? I really hope not! I will not implement this workaround in a production environment.
What happens if Citrix changes the architecture of StoreFront and decides to push other headers from NetScaler in future releases?
Anyway, I just received a comment on this post requesting a technical walkthrough of this workaround. What you do is basically force the NetScaler to insert the needed HTTP headers into the requests it sends to the StoreFront servers; in our case you only need to insert the X-Citrix-Via header.
Do the following:
1. Log on to the NetScaler web GUI and go to AppExpert – Rewrite – Policies (if you are using a 10.1 NetScaler release).
2. Click Add and configure the policy as follows:
Action: Click "New" and type xcitrixvia-act as the name. Choose Type: INSERT_HTTP_HEADER. In the Header Name field type X-Citrix-Via, and in the String expression for header value field type the FQDN you defined in your StoreFront NetScaler Gateway configuration, enclosed in quotes: "fqdn_of_storefront_gateway". Hit Create.
Now enter the following expression on the rewrite policy: HTTP.REQ.HEADER("Referer").EXISTS (this expression restricts the rewrite policy to requests coming from Receiver for Web, which sends a Referer header) and hit Create.
3. Bind the rewrite policy you just created to the AG vServer or to your StoreFront LB vServer (rewrite policies bind to a vServer, not to a service group).
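The same three steps from the NetScaler command line, as an added example that is not part of the original post. The action, policy and vServer names (xcitrixvia-act, xcitrixvia-pol, ag-vip, sf-lb-vip) and the FQDN sf.example.com are assumptions; substitute the names configured on your appliance.

```nscli
# Added example, not from the original post. Names below are placeholders:
#   xcitrixvia-act / xcitrixvia-pol : rewrite action and policy
#   ag-vip                          : the Access Gateway (vpn) vserver
#   sf-lb-vip                       : the StoreFront load balancing vserver
#   sf.example.com                  : the gateway FQDN configured in StoreFront

# 1. Rewrite action: insert X-Citrix-Via with the gateway FQDN as a literal string.
#    The escaped inner quotes are required; without them the value is parsed as an
#    expression instead of a string constant.
add rewrite action xcitrixvia-act insert_http_header X-Citrix-Via "\"sf.example.com\""

# The post notes that X-Citrix-Via-Vip is not needed in this case. If you do need it,
# add a second action of the same shape with the VIP as the literal value.

# 2. Rewrite policy: fire only when the request carries a Referer header,
#    i.e. when it comes from Receiver for Web.
add rewrite policy xcitrixvia-pol "HTTP.REQ.HEADER(\"Referer\").EXISTS" xcitrixvia-act

# 3a. Bind to the Access Gateway vserver so only gateway-originated traffic is tagged.
bind vpn vserver ag-vip -policy xcitrixvia-pol -priority 100 -gotoPriorityExpression END -type REQUEST

# 3b. Alternative: bind to the StoreFront LB vserver instead. Note that every request
#     passing through that vserver then gets the header, gateway-originated or not.
# bind lb vserver sf-lb-vip -policyName xcitrixvia-pol -priority 100 -gotoPriorityExpression END -type REQUEST

# Persist, then verify: the Hits counter on the policy should rise after a Receiver for Web logon.
save ns config
show rewrite policy xcitrixvia-pol
```

Prefer the gateway vServer binding (3a) where you can: bound on the LB vServer, the policy tags internal requests that never went through the gateway exactly the same way as external ones, which is the opposite of what the header is meant to signal to StoreFront.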