Citrix Gateway

Prompt users to upgrade older or unsupported browsers by creating a custom page

If a client connects to a Citrix ADC VIP address using an insecure protocol such as SSLv3, they can be redirected to a custom page prompting them to upgrade to the latest version of Internet Explorer, Firefox, Chrome, or Safari.

Note: According to RFC 6176 from the Internet Engineering Task Force (IETF), TLS servers must not support SSLv2. Therefore, the Citrix ADC appliance does not support SSLv2 from release 12.1 and later.

How to create a custom page to prompt users to upgrade older unsupported browsers based on SSL

  • Create a Citrix ADC responder policy with the rule client.ssl.version.eq(). The version returns the SSL protocol version.

    • Returns 0 if the transaction is not SSL based.
    • Returns 0x002 if the transaction is SSLv2.
    • Returns 0x300 if the transaction is SSLv3.
    • Returns 0x301 if the transaction is TLSv1.
  • You must enable SSLv3 (or another earlier version) to trigger the responder policy.

    For example, if SSLv3 is disabled on the Citrix ADC appliance and a client with an older browser using SSLv3 tries to connect, then the access is denied.

  • If your deployment requires SSLv3 or an earlier version for a specified period (a month or two), configure the following:

    • Enable the SSLv3 protocol.
    • Update the custom page to include information that after the specified period, the browser cannot connect to the appliance.
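
The steps above as a Citrix ADC CLI sequence. This is an added example, not taken from the original page. It assumes an SSL load balancing virtual server; the names vs_web, act_upgrade_browser and pol_sslv3_upgrade and the URL https://www.example.com/upgrade.html are hypothetical placeholders.

```netscaler
# Allow SSLv3 handshakes on the virtual server so the policy can be evaluated.
# With SSLv3 disabled the handshake fails and the client never reaches the policy.
set ssl vserver vs_web -ssl3 ENABLED

# Redirect action pointing at the custom upgrade page (placeholder URL).
add responder action act_upgrade_browser redirect "\"https://www.example.com/upgrade.html\""

# Match transactions negotiated as SSLv3 (0x300 in the list above).
add responder policy pol_sslv3_upgrade "CLIENT.SSL.VERSION.EQ(0x300)" act_upgrade_browser

# Evaluate the policy on incoming requests to the virtual server.
bind lb vserver vs_web -policyName pol_sslv3_upgrade -priority 100 -gotoPriorityExpression END -type REQUEST

# The hit counter shows how many clients still negotiate SSLv3.
show responder policy pol_sslv3_upgrade

# When the transition period ends, disable SSLv3 again.
set ssl vserver vs_web -ssl3 DISABLED
```

The upgrade page must be hosted where an SSLv3-only client can still load it; otherwise the redirect leads to a second failed connection.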
