While working with a new AGEE site for a client (test2.mydomain.com), I was asked to make sure that only a specific subnet is redirected to the new site while still connecting to the original URL (test.mydomain.com), and that no one else is impacted by the redirect.
Luckily, this can be achieved by setting up Responder policies on the NetScaler.
Environment
- MPX 7500 NetScaler 9.3 52.3nc
- AGEE
Goal:
Redirect an AGEE site based on a specific client subnet
1. All users that go to AGEE1 http://test.mydomain.com site simply get redirected to AGEE1 site with SSL https://test.mydomain.com
2. All users from the 10.10.20.0/24 subnet that go to AGEE1 site http://test.mydomain.com get redirected to AGEE2 site https://test2.mydomain.com
Configuration:
1. First, make sure the Responder feature is turned on by right-clicking “Responder” and selecting “enable responder feature”.
Once it is enabled, it will look like this:
2. Now let's create Actions. These tell the policies what to do.
Let's create a redirect action for ALL users to be redirected to the AGEE1 SSL site https://test.mydomain.com
Now let's create a redirect action for a specific subnet that redirects to the AGEE2 SSL site https://test2.mydomain.com
Now that we have the actions defined, let's create the policies that will be assigned to your VIP.
3. Create Responder policies: the actions you created above need to be bound to your Responder policies.
Create a policy to match the URL (in this case http://test.mydomain.com), then bind your previous action to redirect users to https://test.mydomain.com
Expression:
HTTP.REQ.IS_VALID
Now create a policy that matches the URL test.mydomain.com and redirects users from the 10.10.20.0/24 subnet to test2.mydomain.com
Expression:
HTTP.REQ.HOSTNAME.EQ("test.mydomain.com") && CLIENT.IP.SRC.IN_SUBNET(10.10.20.0/24)
4. Now let's assign these Responder policies to your AGEE1 site http://test.mydomain.com
Notice in the screenshot below that I simply created a service named “Dummy” and gave it the NetScaler's localhost IP, 127.0.0.1. This is only there to make sure the TCP 80 VIP is able to come up under the AGEE IP (since AGEE ONLY runs on TCP 443). Note that Responder actions will not work on VIPs that are down.
Head over to the “Policies” tab, then click on “Responder” and assign the policies you previously created. A reminder that the lower the priority number, the higher the priority actually is. In the case below, “subnetet_users_pol” wins.
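The same four steps can be entered at the NetScaler CLI. This is an added example, not configuration taken from the original post: the action, policy and vserver names and the priorities 90 and 100 are hypothetical, and it assumes the TCP 80 VIP is an HTTP load balancing vserver that already exists with the “Dummy” service bound.

```netscaler
# Added example: CLI equivalent of the GUI steps above.
# Hypothetical names: act_*, pol_*, and vs_agee1_http (the existing TCP 80 VIP,
# assumed here to be an HTTP lb vserver). Priorities are constructed values.

# 1. Enable the Responder feature
enable ns feature RESPONDER

# 2. Redirect actions. The target is an expression, so a fixed URL is
#    written as a quoted string literal inside the argument.
add responder action act_all_to_agee1_ssl redirect "\"https://test.mydomain.com\""
add responder action act_subnet_to_agee2_ssl redirect "\"https://test2.mydomain.com\""

# 3. Policies, using the two expressions from the post
add responder policy pol_all_users HTTP.REQ.IS_VALID act_all_to_agee1_ssl
add responder policy pol_subnet_users "HTTP.REQ.HOSTNAME.EQ(\"test.mydomain.com\") && CLIENT.IP.SRC.IN_SUBNET(10.10.20.0/24)" act_subnet_to_agee2_ssl

# 4. Bind both policies to the TCP 80 VIP. The subnet policy gets the lower
#    number so it is evaluated first; END stops evaluation after a match,
#    so a subnet client never falls through to the catch-all redirect.
bind lb vserver vs_agee1_http -policyName pol_subnet_users -priority 90 -gotoPriorityExpression END -type REQUEST
bind lb vserver vs_agee1_http -policyName pol_all_users -priority 100 -gotoPriorityExpression END -type REQUEST

# Check the hit counters after testing from inside and outside 10.10.20.0/24
show responder policy pol_subnet_users
show responder policy pol_all_users
```

CLIENT.IP.SRC is the source address as the NetScaler sees it, so clients that reach the VIP through NAT or a proxy are matched on the translated address rather than their own.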
Hope this helps!
