Configuring Unique Portal Themes per Virtual Server (vServer) in NetScaler 11 Unified Gateway Guest Blog Post by John Meek

Share Button

johnOver the last several years, I’ve had the honor of working with a Citrix and VMware virtualization focused engineer named John Meek. Bitten by the blogging bug, John is at it again with his second guest blog post! For this blog post John has volunteered to share his experiences with the NetScaler 11 Beta and a new feature I’m particularly excited about that enables customers to have multiple themes on the same NetScaler appliances. Previously, portal customizations were difficult and manual to configure, and would be applied globally to the virtual or physical appliances, so this is a very nice feature!  If you have content you would like to contribute and be a guest blogger (or regular) on, feel free to reach out to me at or on Twitter @youngtech so we can discuss. Without further ado, below is the guest blog post by John Meek, you can find him on LinkedIn or on Twitter.

I was very excited when I heard about the new theme capabilities in the Unified Gateway (formerly Access Gateway) settings of NetScaler 11. In the soon to be released newfangled version of NetScaler you can create multiple themes, and each Gateway can have its own.

Having multiple themes may not matter much to smaller businesses that have need of only one Gateway. However, for some of the larger clients I work with they have separate Citrix “Sites” and would like to have their own customization’s per site. I often get asked how to set up different themes for multiple Gateways in NetScaler 10.x, which unfortunately you cannot. These Gateways can be for different departments, child companies, partner access, etc. pointing to segregated resources.

For this blog, I decided to go through the whole process of creating your load balancer, your Gateway, the session policies, etc. I figured this could help anyone that is new to configuring NetScaler for StoreFront access. You will need to have the StoreFront server, Desktop Delivery Controller, and VDA’s configured to follow this process. If you are experienced please skip to below where I show some of the new “Portal Theme” customization options.

Please note as well that once you log in to the NetScaler Gateway StoreFront will not be customized and will still have the green bubble theme. As I play more with the new theme features of StoreFront 3.0 I may update this article to get StoreFront to match the Gateway.

Creating the StoreFront Load Balancer

First we will create an internal load balancer to handle traffic and monitoring of our StoreFront server. This will be bound to the Access Gateway where we will configure a custom theme.

Log in to the NetScaler GUI. Select Traffic Management -> Load Balancing -> Virtual Servers. Click Add.

Enter your Load Balancing Virtual Server settings. The IP address is the Virtual IP that you wish to use for the load balancer, which will correspond to your internal DNS record for accessing StoreFront.

Click OK.

Select No Load Balancing Virtual Service Binding.

Click the + to add a new Service.

Enter in your Service details. The IP address is the IP of your StoreFront server.

Click OK.

If this is in production I would recommend adding a new StoreFront type monitor for better server monitoring. Follow the instructions at the link to configure production StoreFront monitors on the Services.

Configure a NetScaler Access Gateway for StoreFront

In the steps below we will configure a new NetScaler Gateway ICA Proxy that we can use to create our custom themes.

Log into your NetScaler and select the NetScaler Gateway tab. Under Getting Started select the NetScaler Gateway Wizard.

Select Get Started.

Enter the settings for the NetScaler Gateway. Make sure to check the box for Redirect requests from port 80 to secure port so the wizard will configure the HTTP redirect for you automatically.

Browse and select your certificate. In my lab I have a wildcard third-party certificate. If you do not have a certificate either create one from your Active Directory Certificate Services, or use the Create Test Certificate option on the NetScaler Gateway Wizard.

Enter in your LDAP settings.

  • IP Address: Your domain controller
  • Base DN: The Base DN of your domain (or you can specify a specific user OU)
  • Service account: Account used to query Active Directory for users
  • Password: The password of the service account
  • Server Logon Name Attribute: I typically use sAMAccountName

Click Continue.

Verify the configuration was successful.

Since this Gateway is using StoreFront directly and not VPN it will be an ICA proxy which we need to configure. In the NetScaler GUI go to NetScaler Gateway -> Virtual Servers and Edit your Access Gateway.

Select the Edit icon next to Basic Settings.

Select More.

Select ICA Only. Click OK.

Configure the Session Policy for the Receiver Client

Next scroll down the page to Policies. Here we will add a new Session Policy to direct traffic to our StoreFront server.

Click the arrow to the right of Session Policy.

Select the Session Policy and choose Unbind. We will create new Session Policies for StoreFront for Web as well as the Receiver Client.

Select Add Binding.

Next to Select Policy select the + icon.

Enter in your Session Policy Name. Next to Action select the + icon.

Select the Client Experience tab. Change the Plug-in Type to Java.

Scroll further down and also select Single Sign-on to Web Applications.

Select the Security tab. Change Default Authorization Action to ALLOW.

Select the Published Applications tab. Change ICA Proxy to ON. For Web Interface Address and Account Services Address enter either the IP or FQDN of your StoreFront load balancer. Change the Single Sign-on Domain to the NETBIOS name of your domain.

Click OK.

Select Expression Editor.

Enter the following values. Click Done and then Create.

Click Select.

Select Bind.

Configure a Session Policy for Receiver for Web

Next to Policies select the + icon.

Click Continue.

Select Add Binding.

Next to Select Policy click the + icon to add a new policy.

Enter in the Name. Next to Action click the + icon to add a new action.

Select the Client Experience tab. Change Clientless Access to Allow. Scroll down the page.

Plug-in Type should be set to Java. Enable Single Sign-on to Web Applications.

Select the Security tab. Set the Default Authorization Action to ALLOW.

Select the Published Applications tab. For the Web Interface Address enter in http(s)://<VIP-IP\FQDN>/Citrix/<StoreName>Web. In the Receiver for Web policy you do not need to enter in the Account Services Address.

Click Create.

Select Expression Editor.

Enter in the following Expression manually, or use the Expression Editor.


Now you have configured your Receiver_pol and your Receiver_for_Web_pol and can access your XenApp/XenDesktop resources.

Now create the DNS A Record pointing to your NetScaler Gateway or update your hosts file. Confirm you can login through your gateway and get to StoreFront and your certificate is valid.

Create a New NetScaler Gateway Portal Theme

In the NetScaler GUI expand NetScaler Gateway and click on Portal Themes.

Click Add.

Give the theme a Theme Name. I am using GreenBubble as my Template Theme. Click OK.

Select Change Background Image. Select Browse and locate your image file. Scroll down and click OK.

Click Done.

Select Virtual Servers. Select your Gateway and click Edit.

Scroll down to Portal Themes. Click the Arrow to select a new theme.

Select Add Binding.

Select the arrow.

Select your new Theme Name and click Select.

Select Bind. (I know, it’s a lot of steps and could probably be streamlined…)

Verify the new background image works. The process is much more streamlined than using WinSCP to replace the .png files on the NetScaler appliance.

Note however, that if you have accessed this theme more than once, to get new changes to show in your browser you may need to either clear your browser cache or launch the browser in private/incognito mode to ignore old cached files.

Now we will make a few more updates.

In the Portal Theme page next to Common Attributes select the Edit icon.

Select Change Center Logo and Browse to your logo. This will update the NetScaler logo in the middle of the Gateway page with your company logo.

The size of the Center Logo must be near the size in height and width of the NetScaler logo to not get cut off. You can inspect the element in your browser to get the specific size, I used GIMP to create my logo and my size was 245W x 60H and it showed up pretty well.

Select Login Page under Advanced Settings.

Scroll down and edit the Login Page settings. Here you can change the text that displays on the main login page.

Very nice! As you can see in this screenshot I have updated the background, added my lab company logo, updated the header to the credentials box, and updated the text for the user name.

Create a Second NetScaler Gateway Virtual Server Portal Theme

Now to show you that different themes can be applied to different gateways, I created a new Gateway for the European division of my fantasy lab company XenWorks and created a new theme to apply it using the steps above. Here is a screen capture of the European gateway.

There are also several other NetScaler Endpoint Analysis theme settings you can edit, as well as VPN settings. These settings include headers, information messages, warnings, etc. but for this blog I wanted to focus more on the look of the Gateway page. However it would be a good idea to review these settings if you use VPN or End Point Analysis.


Citrix has done a great job in listening to its user base and making the NetScaler interface more intuitive and responsive. From starting the removal of Java for HTML5, better configuration wizards, and now to making customizations easier, the improvements to NetScaler have been impressive.

All network traffic that accesses server resources should be going through an Application Delivery Controller for isolation, security, resilience, and performance reasons, and by making improvements to the UX on the NetScaler it makes it hard to say no to deploying these appliances in your datacenters. NetScaler is one of the more powerful and fun tools I get to work with on a regular basis and I can’t wait to see what is in store for the future.

Hopefully this blog post has been beneficial to you. If you have any comments, questions, or just want to leave feedback, please do so in the comments section below.


John Meek

Share Button
  1. Citrix LoginCitrix Login05-01-2017

    Hey nice post! I hope it’s alright that I
    shared this on my Twitter, if not, no worries just tell me and I’ll
    remove it. Regardless keep up the good work.

  2. Joe MarriottJoe Marriott01-26-2016

    awesome Phil. Thanks for the great writeup and sharing the steps


  3. Joe MarriottJoe Marriott07-04-2015

    Great post John.

    The ability to customize themes using the NetScaler 11 GUI is a big step forward.

    For those who would like to take the customizations a bit further than the GUI allows, navigate to the /var/netscaler/logon/themes/ folder and then edit the files directly.

    For example, to user a larger center logo image:
    1) Place the logo file into the /custom_media folder
    2) Edit the /css/custom.css file and specify custom height, top & width properties in the section #logonbox-logoimage i.e.
    #logonbox-logoimage {
    background-image : url(‘../custom_media/new_logo.png’);
    height: 147px;
    top: 125px;

    To customize some of the logon page text that isn’t configurable via the GUI, open the /var/netscaler/logon/themes//resources/en.xml and replace strings as required. i.e. change the EULA caption from ‘I abide by’ to ‘I agree to’

    Joe Marriott

    • John MeekJohn Meek07-07-2015

      Hey Joe, thank you for your comment, I appreciate the additional information.

    • PhilPhil07-21-2015

      Joe, are you aware of a way to add another DIV to the logon page so we can insert some text below the username/password boxes?
      I’ve tried using the ns_gui_custom method that served us well in NS 10.1/10.5, but this doesn’t seem to work in NS 11, which prevents us from making customisations to anything other than predefined images and css. Ideally I want to edit the index.html file

      • Joe MarriottJoe Marriott09-15-2015

        Hi Phil.

        Thanks for asking. Currently I’m not aware of a way to add another DIV to the logon page, but it is something I would like to know how to do as I have a project where this would be useful. One option would be to embed text in the ‘watermark’ image as this is shown below the logon box. Please let me know if you find a way to do it.


Leave a Reply