On XenMobile 10 internal websites are published as web link . Proxy is configured in the environment and traffic policies are added on the NetScaler Gateway .

Customer wants to send external traffic to go through proxy and skip the internal websites from going through the same.

When users are trying to access web link, they get an error " Not a privilege user." .

The above mentioned sample code is provided to you as is with no representations, warranties or conditions of any kind. You may use, modify and distribute it at your own risk. CITRIX DISCLAIMS ALL WARRANTIES WHATSOEVER, EXPRESS, IMPLIED, WRITTEN, ORAL OR STATUTORY, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NONINFRINGEMENT. Without limiting the generality of the foregoing, you acknowledge and agree that (a) the sample code may exhibit errors, design flaws or other problems, possibly resulting in loss of data or damage to property; (b) it may not be possible to make the sample code fully functional; and (c) Citrix may, without notice or liability to you, cease to make available the current version and/or any future versions of the sample code. In no event should the code be used to support ultra-hazardous activities, including but not limited to life support or blasting activities. NEITHER CITRIX NOR ITS AFFILIATES OR AGENTS WILL BE LIABLE, UNDER BREACH OF CONTRACT OR ANY OTHER THEORY OF LIABILITY, FOR ANY DAMAGES WHATSOEVER ARISING FROM USE OF THE SAMPLE CODE, INCLUDING WITHOUT LIMITATION DIRECT, SPECIAL, INCIDENTAL, PUNITIVE, CONSEQUENTIAL OR OTHER DAMAGES, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Although the copyright in the code belongs to Citrix, any distribution of the sample code should include only your own standard copyright attribution, and not that of Citrix. You agree to indemnify and defend Citrix against any and all claims arising from your use, modification or distribution of the sample code.

In Netscaler Gateway session profile, make sure secure browse is enabled.
On Secure Web MDX policy, Tunnelled to internal network should be selected.
Make sure DNS suffixes are added under NSG.

Since we want to restrict the external traffic by pointing it to the proxy . ​(Please note that the expression might vary depending upon the requirement)

Navigate to NetScaler Gateway -> Virtual Servers and Select the Virtual Server on the Right side and Click Edit.

Click on “+” sign for Policies.

 

Select Traffic from the Dropdown.

Click Continue

Click on “+” sign

 

Enter the Name of the Traffic Policy and create Traffic Profile under Request Profile.

For the policy enter the Expression

(REQ.HTTP.HEADER User-Agent CONTAINS Mozilla || REQ.HTTP.HEADER User-Agent CONTAINS com.citrix.browser || REQ.HTTP.HEADER User-Agent CONTAINS Secure Web) && REQ.TCP.DESTPORT == 80

 as shown below and Click Create.


Once Done Click on "+" to create profile for this policy



Enter name of the Traffic Profile and Select the Protocol as Http. This Traffic Profile is both for http and SSL. CVPN traffic is HTTP traffic by design, regardless of the destination port or service type. Thus, both SSL and HTTP traffic are to be specified as HTTP in traffic profile. Enter the IP address and Port number in the format (ip:port for eg 10.10.10.10:8080) of the Proxy Server. (leave rest of the field empty)

Click Create.

and Bind with higher priority 


Simillarly create a traffic policy to skip proxy follow the same process and 

The priority for no proxy should be lower 

If you still face issue with the same - Check the policy hits on the NetScaler while accessing the website . Run the following commands on NetScaler putty :
> shell
# cd /var/nslog
# nsconmsg -g pol_hits -d current 

This will confirm the policy being hit if in case it is not hitting the right policy or any policy that means the expressions needs to be verified. A trace can be taken to check what header value is being request. 

 

---

Problem Cause

This article summarize the troubleshooting steps that needs to followed in case you receive "not a privilege user" while accessing internal weblink .