NetScaler – Create Management URL for Native One Time Passwords (OTP)

The OTP feature which is available since NetScaler 12.0 Build 51.24 is a great feature to reduce your operationg costs or implement 2 factor authentication for the first time because your company/customer wanted to save some money instead of investing in  secure remote access 🙂

If you already have configured the AAA server, schemas and the authenciation policies you should be able to access the OTP Management Web GUI with the substring “/manageotp” on your NetScaler Gateway. If this is not the case please follow Carl Stalhoods  detailed configuration steps.

While setting this up in my lab, I already could imagine that the first users will complain at the Helpdesk because the URL is to “difficult” to remember.  To make our/their life easier we will create a DNS A-Record with the desired URL and implement a responder policy to achieve this demand.

Step 1 – DNS Record

Create an A-Record with the FQDN the users should have access to manage their token. This record is pointing to the VIP of your NetScaler Gateway.  Please make sure the used SSL certificate is matching.



Step 2 – NetScaler Configuration

Create an action/policy for the “manageotp” responder.

add responder action resp_act_manageotp redirect “\”\”” -responseStatusCode 302
add responder policy resp_pol_manageotp “HTTP.REQ.HOSTNAME.CONTAINS(\”\”)” resp_act_manageotp

Bind the responder policy to your NetScaler Gateway.

bind vpn vserver -policy resp_pol_manageotp -priority 100 -gotoPriorityExpression END -type REQUEST


Now you can browse to “” and you will be  redirected to the login form where the users can manage their tokens.




Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Blog at

Up ↑

%d bloggers like this: