NetScaler Gateway 11 – SSL VPN

Last Modified: Oct 10, 2016 @ 5:42 pm




NetScaler Gateway supports five different connection methods:

  • ICA Proxy to XenApp/XenDesktop – client is built into Citrix Receiver
  • SSL VPN – requires NetScaler Gateway plug-in
  • Clientless – browser only, no VPN client, uses rewrite
  • Secure Browse – from MDX-wrapped mobile applications (XenMobile), uses rewrite
  • RDP Proxy – only RDP client is needed

If Endpoint Analysis is configured, then an Endpoint Analysis plug-in is downloaded to the Windows or Mac client.

Users use SSL to connect to NetScaler Gateway Virtual Servers.

  • NetScaler Gateway prompts the user for authentication.
  • Once the user is authenticated, NetScaler Gateway uses Session Policies to determine what happens next.

You can configure NetScaler Gateway Session Policies to only use one of the connection methods. Or NetScaler Gateway can be configured to let users choose between ICA Proxy, Clientless, and SSL VPN connection methods. Here’s a sample Client Choices screen using the X1 theme:

Enable SSL VPN in a Session Policy as detailed later. Then configure additional NetScaler Gateway objects including the following:

  • DNS Servers and Suffix – enable DNS resolution across the VPN tunnel
  • NetScaler Gateway Universal Licenses – all VPN users must be licensed.
  • Intranet IP addresses – give IP addresses to VPN clients. If no client IP, then VPN clients use NetScaler SNIP to communicate with internal resources. Requires routing changes on internal network.
  • Intranet Applications – if split tunnel is enabled, configure this object to dictate what traffic goes across the tunnel and which traffic stays local.
  • Authorization Policies – if default authorization is DENY, use Authorization Policies to dictate what resources can be accessed across the NetScaler Gateway connection. These Authorization Policies apply to all NetScaler Gateway connections, not just VPN.
  • Bookmarks – displayed on the built-in NetScaler Gateway portal page. Users click bookmarks to access resources across the VPN tunnel or clientless access (rewrite).
  • Endpoint Analysis Scans – block endpoints that fail security requirements. Configured in Session Policies or Preauthentication Policies.
  • Traffic Policies – Single Sign-on to internal web applications
  • AAA Groups – bind Session Policies, Authorization Policies, Intranet Applications, Intranet IPs, Bookmarks, and Traffic Policies to one or more Active Directory groups. Allows different Active Directory groups to have different NetScaler Gateway configurations.


Except for ICA Proxy, all NetScaler Gateway connection methods require a NetScaler Gateway Universal License for each concurrent session. Go to System > Licenses and make sure NetScaler Gateway User licenses are installed.

Also make sure the maximum AAA users equals the number of licenses. Go to NetScaler Gateway > Global Settings > Change authentication AAA settings.

DNS usually needs to function across the VPN tunnel. Go to Traffic Management > DNS > Name Servers to add DNS servers.

Create Session Profile

You can create multiple Session Policy/Profiles, each with different settings. Then you can bind these Session Policies to different AAA groups or different NetScaler Gateway Virtual Servers. You can also bind Endpoint Analysis expressions to a Session Policy so that the Session Policy only applies to machines that pass the Endpoint Analysis scan.

If multiple Session Policies apply to a particular connection, then the settings in the policies are merged. For conflicting settings, the Session Policy with the highest priority (lowest priority number) wins. Session Policies bound to AAA groups only override Session Policies bound to NetScaler Gateway Virtual Servers if the AAA group bind point has a lower priority number. In other words, priority numbers are evaluated globally no matter where the Session Policy is bound. You can run the command nsconmsg -d current -g pol_hits to see which Session Policies are applying to a particular connection.
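The merge rule described above, as an added Python example (a simplified model written for this page, not NetScaler code). The policy names, bind points and setting names are hypothetical; the sample shows a Default Authorization of DENY bound to a AAA group being ignored until its priority number is lower than the Virtual Server binding.

```python
# Added illustration: simplified model of Session Policy merging, not NetScaler code.
from dataclasses import dataclass


@dataclass
class Binding:
    policy: str       # Session Policy name (hypothetical)
    bind_point: str   # e.g. "vserver:gateway" or "aaa_group:Contractors"
    priority: int     # lower number = higher priority, compared globally
    overrides: dict   # only the profile fields with Override Global checked


def effective_settings(global_settings, bindings):
    """Return {field: (value, source)} after merging every applicable policy."""
    merged = {name: (value, "global") for name, value in global_settings.items()}
    # Apply the highest priority number first so the lowest number is written
    # last and wins, no matter where the policy is bound.
    for b in sorted(bindings, key=lambda b: b.priority, reverse=True):
        for name, value in b.overrides.items():
            merged[name] = (value, f"{b.policy} ({b.bind_point}, priority {b.priority})")
    return merged


def shadowed_overrides(bindings):
    """List (field, losing policy, winning policy) for overrides that never apply."""
    losers = []
    for b in bindings:
        for name, value in b.overrides.items():
            rivals = [o for o in bindings
                      if o is not b and name in o.overrides and o.priority < b.priority]
            if rivals:
                winner = min(rivals, key=lambda o: o.priority)
                if winner.overrides[name] != value:
                    losers.append((name, b.policy, winner.policy))
    return losers


# Constructed sample values.
GLOBAL = {"default_authorization": "ALLOW", "split_tunnel": "OFF", "ica_proxy": "OFF"}


def sample_bindings(group_priority):
    """One policy on the Virtual Server, one on a AAA group with the given priority."""
    return [
        Binding("VPN_All_Users", "vserver:gateway", 100,
                {"default_authorization": "ALLOW", "split_tunnel": "ON"}),
        Binding("VPN_Contractors", "aaa_group:Contractors", group_priority,
                {"default_authorization": "DENY"}),
    ]


if __name__ == "__main__":
    for group_priority in (200, 90):
        bindings = sample_bindings(group_priority)
        print(f"AAA group policy bound at priority {group_priority}:")
        for name, (value, source) in effective_settings(GLOBAL, bindings).items():
            print(f"  {name} = {value}  <- {source}")
        for name, loser, winner in shadowed_overrides(bindings):
            print(f"  note: {loser} sets {name} but loses to {winner}")
```

Two bindings with the same priority number are not modelled here; the example only covers distinct priorities.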

Do the following to enable SSL VPN. First create the Session Profile. Then create a Session Policy.

  1. On the left, expand NetScaler Gateway, expand Policies, and click Session.
  2. On the right, switch to the Session Profiles tab and click Add.
  3. Name the profile VPN or similar.
  4. In Session Profiles, every line has an Override Global checkbox to the right of it. If you check this box next to a particular field, then the field in this session profile will override settings configured globally or in a lower priority session policy.
  5. Switch to the Network Configuration tab and check the box next to Advanced Settings.
  6. You will find a setting that lets you select a DNS Virtual Server. Or if you don’t select anything then the tunnel will use the DNS servers configured under Traffic Management > DNS > Name Servers.
  7. Configure the behavior when there are more VPN clients than available IPs in the address pool. This only applies if you are configuring Intranet IPs.
  8. There are also a couple timeouts lower on the page.
  9. Switch to the Client Experience tab. This tab contains most of the NetScaler Gateway VPN settings.
  10. Override Plug-in Type and set it to Windows/Mac OS X.
  11. Whenever NetScaler firmware is upgraded, all users will be prompted to upgrade their VPN clients. You can use the Upgrade drop-downs to disable the automatic upgrade.
  12. By default, if Receiver and NetScaler Gateway Plug-in are installed on the same machine, then the icons are merged. To see the NetScaler Gateway Plug-in Settings, you right-click Receiver, open Advanced Preferences and then click NetScaler Gateway Settings.

  13. You can configure the Session Policy/Profile to prevent NetScaler Gateway Plug-in from merging with Receiver. On the Client Experience tab, scroll down and check the box next to Advanced Settings.
  14. Check the box next to Show VPN Plugin-in icon with Receiver. This causes the two icons to be displayed separately thus making it easier to access the NetScaler Gateway Plug-in settings.

  15. On the Client Experience tab, override Split Tunnel and make your choice. Setting it to Off will force all traffic to use the tunnel. Setting it to On will require you to create Intranet Applications so the NetScaler Gateway Plug-in will know which traffic goes through the tunnel and which traffic goes directly out the client NIC (e.g. to the Internet).
  16. On the Client Experience tab, there are timers that can be configured. Global Settings contains default timers so you might want to override the defaults and increase the timeouts. See Configuring Time-Out Settings at Citrix Docs for details.
    1. Client Idle Time-out is a NetScaler Gateway Plug-in timer that disconnects the session if there is no user activity (mouse, keyboard) on the client machine.
    2. Session Time-out disconnects the session if there is no network activity for this duration.
    3. In addition to these two timers on the Client Experience tab, on the Network Configuration tab, under Advanced Settings, there’s a Forced Timeout setting.
  17. By default, once the VPN tunnel is established, a 3-page interface appears containing bookmarks, file shares, and StoreFront. An example of the three-page interface in the X1 theme is shown below.
  18. On the Client Experience tab, the Home Page field lets you override the 3-page interface and instead display a different webpage (e.g. Intranet or StoreFront). This homepage is displayed after the VPN tunnel is established (or immediately if connecting using Clientless Access).
  19. On the Client Experience tab, there are more settings that control the behavior of the NetScaler Gateway plug-in. Hover your mouse over the question marks to see what they do.
  20. Additional VPN settings can be found by clicking Advanced Settings near the bottom of the Client Experience tab.
  21. Under Client Experience > Advanced Settings, on the General tab, there are settings to run a login script at login, enable/disable Split DNS, and enable Local LAN Access. Use the question marks to see what they do. Reliable DNS occurs when Split DNS is set to Remote.
  22. Under Client Experience > Advanced Settings, on the General tab, is a checkbox for Client Choices. This lets the user decide if they want VPN, Clientless, or ICA Proxy (StoreFront). Without Client Choices, the VPN will launch automatically.
  23. On the main Client Experience tab, if you enabled Client Choices, you can set Clientless Access to Allow to add Clientless to the list of available connection methods.
  24. An example of Client Choices is shown below:
  25. The Client Experience > Advanced Settings section has additional tabs for controlling the NetScaler Gateway Plug-in. A commonly configured tab is Proxy so you can enable a proxy server for VPN users.
  26. Back in the main Session Profile, switch to the Security tab.
  27. Set the default authorization to Allow or Deny. If Deny (recommended), you will need to create authorization policies to allow traffic across the tunnel. You can later create different authorization policies for different groups of users.
  28. On the Published Applications tab, set ICA Proxy to Off. This ensures VPN is used instead of ICA Proxy.
  29. Configure the Web Interface Address to embed StoreFront into the 3-pane default portal page. Note: additional iFrame configuration is required on the StoreFront side as detailed below.
  30. From Michael Krasnove: if you configured the Session Policy to direct users to StoreFront, then placing the following code in c:\inetpub\wwwroot\Citrix\StoreWeb\custom\script.js will cause StoreFront to end the VPN tunnel when the user logs off of StoreFront.
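    // Placeholder value: set this to your own NetScaler Gateway logoff URL
    var LOGOFF_REDIRECT_URL = 'https://gateway.example.com/cgi/logout';
    // Prevent the default "logoff" screen from being displayed
    CTXS.Controllers.LogoffController.prototype._handleLogoffResult = $.noop;
    // After StoreFront logoff completes, send the browser to the Gateway logoff URL
    CTXS.Extensions.afterWebLogoffComplete = function () {
      window.location.href = LOGOFF_REDIRECT_URL;
    };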
  31. Click Create when you’re done creating the Session Profile.

Create Session Policy

  1. In the right pane, switch to the Session Policies tab and click Add.
  2. Give the policy a descriptive name.
  3. Change the Action to the VPN Profile you just created.
  4. Add a policy expression. You can enter ns_true, which applies to all connections.
  5. Or you can add Endpoint Analysis scans. If the Endpoint Analysis scan succeeds, then the session policy is applied. If the Endpoint Analysis scan fails, then this session policy is skipped and the next one is evaluated. This is how you can allow VPN if EPA scan succeeds but all failed EPA scans will get a different session policy that only has ICA Proxy enabled.
  6. To add an Endpoint Analysis scan, use one of the Editor links on the right.
  7. Configure OPSWAT scans in the OPSWAT EPA Editor.
  8. Configure Client Security Expressions in the Expression Editor.
  9. You can combine multiple Endpoint Analysis scan expressions using Booleans (&&, ||, !). Click Create when done.

Bind Session Policy

Most of the NetScaler Gateway objects can be bound to NetScaler Gateway Virtual Server, AAA Group, or both. This section details Session Policies, but the other NetScaler Gateway objects (e.g. Authorization Policies) can be bound using similar instructions.

  1. Bind the new session policy to a NetScaler Gateway Virtual Server or a AAA group. If you bind it only to a AAA group, then only members of that Active Directory group will evaluate the expression.
  2. To bind to a NetScaler Gateway Virtual Server, edit a NetScaler Gateway Virtual Server (or create a new one), scroll down to the Policies section and click the Plus icon.
  3. In the Choose Type page, select Session, Request and click Continue.
  4. Select one or more session policies. This is where you specify a priority.
  5. To bind to a AAA Group, go to NetScaler Gateway > User Administration > AAA Groups.
  6. Add a group with the same name (case sensitive) as the Active Directory group name. This assumes your LDAP policies/server are configured for group extraction.
  7. Edit the AAA Group.
  8. On the right, in the Advanced Settings column, add the Policies section.
  9. Click the plus icon to bind one or more Session Policies.
  10. If you want these Session Policies to override the Session Policies bound to the NetScaler Gateway Virtual Server then make sure the Session Policies bound to the AAA Group have lower priority numbers.

NetScaler Gateway Plug-in Installation

Here is what the user sees when launching the VPN session for the first time.

And then the 3-pane interface is displayed.

Only administrators can install the NetScaler Gateway Plug-in. You can download the Gateway plug-in from the NetScaler at /var/netscaler/gui/vpns/scripts/vista and push it to corporate-managed machines. Or you can download VPN clients from The VPN client version must match the NetScaler firmware version.

Authorization Policies

If your Session Profile has Security tab > Default Authorization set to Deny (recommended), then create Authorization Policies to allow access across the tunnel.

  1. On the left, under NetScaler Gateway, expand Policies and click Authorization.
  2. On the right, click Add.
  3. Name the Authorization Policy.
  4. Select Allow or Deny.
  5. NetScaler Gateway requires you to Switch to Classic Syntax. The other syntax option is for AAA.
  6. Enter an expression. Use the Expression Editor link to build an expression. You can specify destination IP subnets, destination port numbers, etc.
  7. Click Create when done.
  8. Authorization Policies are usually bound to AAA groups. This allows different groups to have different access across the tunnel.
  9. On the right, in the Advanced Settings column, add the Authorization Policies section.
  10. Then click where it says No Authorization Policy to bind policies.

Intranet Applications

If you enabled Split Tunnel, then you’ll need to create Intranet Applications to specify which traffic goes through the tunnel.

  1. On the left, under NetScaler Gateway, expand Resources and click Intranet Applications.
  2. On the right, click Add.
  3. Enter a name for the Internal subnet.
  4. Change the Interception Mode to TRANSPARENT.
  5. Enter an IP subnet. Only packets destined for this network go across the tunnel.
  6. Then click Create.
  7. Create additional Intranet applications for each internal subnet.
  8. Intranet Applications are usually bound to the Gateway Virtual Server but you can also bind them to AAA Groups.
  9. On the right, in the Advanced Settings column, add the Intranet Applications section.
  10. On the left, click No Intranet Application to bind Intranet Applications.
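How Split Tunnel, Intranet Applications and Authorization Policies combine for a given destination, as an added Python example covering this section and the Authorization Policies section above (a simplified model written for this page, not NetScaler code). Subnets and policy names are constructed, and evaluating Authorization Policies in priority order with the first match deciding is an assumption of the model.

```python
# Added illustration: simplified model, not NetScaler code.
import ipaddress
from dataclasses import dataclass


@dataclass
class AuthzPolicy:
    name: str
    action: str      # "ALLOW" or "DENY"
    subnet: str      # destination subnet matched by the expression
    ports: range     # destination ports matched by the expression
    priority: int    # model assumption: lowest number is evaluated first


def goes_through_tunnel(dest_ip, split_tunnel, intranet_apps):
    """Split Tunnel Off tunnels everything; On tunnels only Intranet Application subnets."""
    if split_tunnel == "OFF":
        return True
    ip = ipaddress.ip_address(dest_ip)
    return any(ip in ipaddress.ip_network(net) for net in intranet_apps)


def authorize(dest_ip, dest_port, default_authorization, policies):
    """First matching policy decides; otherwise the Default Authorization applies."""
    ip = ipaddress.ip_address(dest_ip)
    for p in sorted(policies, key=lambda p: p.priority):
        if ip in ipaddress.ip_network(p.subnet) and dest_port in p.ports:
            return p.action
    return default_authorization


def decide(dest_ip, dest_port, split_tunnel, intranet_apps,
           default_authorization, policies):
    """Return LOCAL (leaves via the client NIC), TUNNEL-ALLOW or TUNNEL-DENY."""
    if not goes_through_tunnel(dest_ip, split_tunnel, intranet_apps):
        return "LOCAL"
    return "TUNNEL-" + authorize(dest_ip, dest_port, default_authorization, policies)


def tunneled_without_allow(intranet_apps, default_authorization, policies):
    """Intranet Application subnets that no ALLOW policy touches under default DENY."""
    if default_authorization != "DENY":
        return []
    allows = [ipaddress.ip_network(p.subnet) for p in policies if p.action == "ALLOW"]
    return [net for net in intranet_apps
            if not any(ipaddress.ip_network(net).overlaps(a) for a in allows)]


# Constructed sample configuration.
INTRANET_APPS = ["10.1.0.0/16", "10.2.0.0/16"]
ANY_PORT = range(1, 65536)
POLICIES = [
    AuthzPolicy("Allow_Corp", "ALLOW", "10.1.0.0/16", ANY_PORT, 100),
    AuthzPolicy("Deny_Finance", "DENY", "10.1.50.0/24", ANY_PORT, 50),
]

if __name__ == "__main__":
    probes = [("10.1.20.5", 443), ("10.1.50.9", 445),
              ("10.2.3.4", 3389), ("203.0.113.10", 443)]
    for split_tunnel in ("ON", "OFF"):
        print(f"Split Tunnel {split_tunnel}, Default Authorization DENY")
        for ip, port in probes:
            result = decide(ip, port, split_tunnel, INTRANET_APPS, "DENY", POLICIES)
            print(f"  {ip}:{port} -> {result}")
    print("Tunneled but never allowed:",
          tunneled_without_allow(INTRANET_APPS, "DENY", POLICIES))
```

With Split Tunnel Off and Default Authorization Deny, the Internet-bound probe is tunneled and then denied, which is why the allow policies must cover every destination users are expected to reach.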

DNS Suffix

Specify a DNS Suffix for Split DNS to function with single label DNS names.

  1. On the left, under NetScaler Gateway, expand Resources and click DNS Suffix.
  2. On the right, click Add.
  3. Enter the DNS Suffix and click Create. You can add multiple suffixes.


Bookmarks are the links that are displayed in the 3-pane interface. They can point to file shares or websites.

  1. Under NetScaler Gateway, expand Resources, and click Bookmarks.
  2. On the right, click Add.
  3. Give the bookmark a name and display text.
  4. Enter a website or file share. For file shares you can use %username%.
  5. The other fields are for Single Sign-on through Unified Gateway. Click Create.
  6. Bookmarks (aka Published Applications > Url) are usually bound to AAA groups so different groups can have different bookmarks. But it’s also possible to bind Bookmarks to NetScaler Gateway Virtual Servers.
  7. If NetScaler Gateway Virtual Server, add the Published Applications section to bind Bookmarks.
  8. For AAA Group, it’s the Bookmarks section.
  9. On the left, find the Published Applications section and click No Url to bind Bookmarks.

VPN Client IP Pools (Intranet IPs)

By default, NetScaler Gateway VPN clients use NetScaler SNIP as their source IP when communicating with internal resources. To support IP Phones or endpoint management, you must instead assign IP addresses to VPN clients.

Any IP pool you add to NetScaler must be reachable from the internal network. Configure a static route on the upstream router. The reply traffic should be routed through a NetScaler SNIP. Or the NetScaler can participate in OSPF.

When a client is assigned a client IP, this IP address persists across multiple sessions until the appliance reboots or until the appliance runs out of IPs in the pool.

  1. Edit a NetScaler Gateway Virtual Server or a AAA group.
  2. On the right, in the Advanced Settings section, click the plus icon next to Intranet IP Addresses.
  3. On the left, click where it says No Intranet IP.
  4. Enter a subnet and netmask. Click Bind.
  5. To see the Client IP address, on the client side, right-click the NetScaler Gateway Plug-in and click Configure NetScaler Gateway.
  6. Switch to the Profile tab to see the Client IP address.
  7. To see the client IP on the NetScaler, go to NetScaler Gateway and on the right is Active user sessions.
  8. Select one of the views and click Continue.
  9. The right column contains the Intranet IP.

StoreFront in Gateway Portal

  1. If you want to enable StoreFront to integrate with NetScaler Gateway’s default portal, edit the file C:\Inetpub\wwwroot\Citrix\StoreWeb\web.config.
  2. On the bottom, there are three sections containing frame options. Change all three of them from deny to allow.
  3. Also change frame-ancestors from none to self.
  4. In NetScaler, go to NetScaler Gateway > Global Settings and click Configure Domains for Clientless Access.
  5. Change the selection to Allow Domains, enter your StoreFront FQDN and click the plus icon.
  6. Click OK.
  7. In a Session Policy/Profile, on the Client Experience tab, make sure Single Sign-on to Web Applications is enabled.
  8. On the Published Applications tab, configure the Web Interface Address to point to the StoreFront Receiver for Web page.
  9. Configure the Single Sign-on domain to match what’s configured in StoreFront.
  10. The Applications page of the 3-page portal should automatically show the StoreFront published icons.

Quarantine Group

NetScaler Gateway can be configured so that if Endpoint Analysis scans fail, then the user is placed into a Quarantine Group. You can bind session policies, authorization policies, etc. to this quarantine group. Policies bound to other AAA groups are ignored.

  1. Go to NetScaler Gateway > User Administration > AAA Groups.
  2. Add a new local group for your Quarantined Users. This group is local and does not need to exist in Active Directory.
  3. Create a new Session Profile.
  4. On the Security tab, check the box next to Advanced Settings.
  5. Check the box to the right of Client Security Check String.
  6. Use the Editor links to add an Endpoint Analysis expression.
  7. Just below the Client Security Check String, select the previously created Quarantine Group.
  8. Click Create when done.
  9. Create a Session Policy and select the Session Profile you just created.
  10. Enter ns_true as the expression. Then click Create.
  11. Edit your Gateway Virtual Server and bind the new session policy.
  12. Bind session policies, authorization policies, etc. to your quarantine group. These policies typically limit access to the internal network so users can remediate. Or it might simply display a webpage telling users how to become compliant.
  13. To troubleshoot Quarantine policies, use the command nsconmsg -d current -g pol_hits.
  14. Another option is to use the session policy bound to the Quarantine Group for SmartAccess configuration.
  15. Gateway Insight (Insight Center 11.0 build 65 and newer) shows users that failed EPA scans and their quarantine status.


47 thoughts on “NetScaler Gateway 11 – SSL VPN”

  1. Is it possible to increase the limit to bind maximum 128 Intranet Applications to an AAA group? Or can I add domains with wildcards (*.corp.domain)? I have to add about 400 subnets to an AAA group.

      1. I have not tried that. I only have one group for all VPN users and the Intranet Applications are bound to that one group. When trying to connect the error in the connection log appears “395 intranet application confirmed, Exceeds the limit of 128”.

        So you mean to create a second group, add the users also to the second one and see if the error still appears?

  2. Hi Carl:

    Great article as always. I find most of what I need on your site as, yes, great as the product is, the documentation definitely has gaps. Question: I am doing clientless VPN and the customer has two stipulations: 1. to limit access to the gateway by AD domain and 2., to limit access in the VPN to specific sites. The first one, not so tough; the second, I’m unclear on this. How do I create a site ACL in the gateway, i.e., I would specify a certain webpage as home, from where the user is limited to two other sites (host names)?

    Bonus question. Once in, how do I limit access to an additional URL by AD Group?

    Appreciate your help.


    1. NetScaler has authorization policies based on destination IP address. You can bind these authorization policies to a AAA Group that matches your AD group.

      Another option is to assign Intranet IPs to your AAA group. Then use a different device to control access from those source IPs.

      1. That seems to apply to the second question. Perhaps I’m not wording correctly.

        Login to the gateway sends the user, via session policy “Client Experience” to a page on server “A”
        On this home page, which can also be used internally, there are links to pages on servers B, C, D and E.
        I want the user to be able to select link B or C but to fail on D.

        Is this not just a response policy of some sort? (if hostname not A, B or C)

        Link E is the tricky one. I want only members of a given AD group to be able to select it, but let’s set that aside for now.


        1. If it goes across the VPN tunnel, then Authorization policies or firewall rules are your option. If doing clientless, then you might be able to do Responder policies using HTTP.REQ.USER.MEMBER_OF expressions.

  3. Hello Carl,
    Thanks for the article, it’s very interesting, and I have a question:
    We have our Test NS VPX Gateway updated from version 10.5 to 11.0, and our clients have at this moment all the version 10.5. When I try with a Client Plug-in v10.5 to connect to the new v11 VPX Gateway, the Plug-in starts the Upgrade routine but I receive the error message that “the version from Plug-in and the Version from Gateway are different” and the upgrade doesn’t continue. Could you tell me where and what can I check?

      1. Hello Carl,
        Thank you for your answer. I have emptied the cache from the browser but still the same message “plugin and Gateway Version differently”. Do you have another idea what can I check?

  4. Carl,
    If the Gateway was in the DMZ, what is needed to allow the SSL Tunnel to access everything and anything on the corporate LAN? Firewall rules?

    In my lab I go from Internet > NAT to VIP on VPX (which sits in the LAN). The SSL VPN tunnel has access to everything (as if I was connected to the corporate network)

    In my PROD environment, I go Internet > NAT to VIP in DMZ > Lan. My SSL VPN tunnel only has access to a very limited bunch of resources. Port 80 HTTP for example.

    1. If you are using Intranet IPs, then firewall needs to allow those IPs. If you’re not using Intranet IPs, then firewall needs to allow the SNIP.

  5. Hi Carl

    Thanks a lot for your articles. I was able to install it a few months ago but now we changed the system and after I installed the version 11.0. 64.34 I have some problems with the VPN.

    First it takes always the default Session Policy with the Global Settings but I need to allow just some AD Group users I have set in the AAA authentication settings.

    And as second problem, my logon script is not running after the VPN connection is established.

    The difference before was I did a version Update from 11.0 63 to 11.0 64 and there was no SETVPNPARAMS_POL in the Session Policies and no SETVPNPARAMS_ACT in the session profiles.
    How can I bypass this policy?

    Thank you and Regards

    1. The global settings are always applied. That’s why you need to override them.

      Are you saying that non-authorized users are able to login? In that case, configure your LDAP policy with a search filter.

      Or are you saying that your ICA Proxy only users are getting VPN as an option? In that case, make sure Client Choices is overridden and turned off.

  6. Carl,
    I was able to follow your steps to do full VPN and I also got SSO working with full VPN. After SSO worked I am now unable to launch my applications, I am getting the following error messages.
    “Cannot connect to the citrix xenapp server. SSL Error 43. The proxy denied access to the port 1494” I confirmed that I can access that port on the XenApp servers from the NetScaler with no issues. Do you have any thoughts on this?

    1. How is ICA routed? Is it ICA Proxy through Gateway? Or is it internal through the VPN? If internal, do your authorization policies include the IPs/ports? If ICA Proxy, are the STAs configured correctly?

      1. I have ICA off at the moment and I am using FULL VPN. STAs are configured on the NetScaler. If I break SSO it works but once SSO works it fails.

  7. Hi Carl, Great post.

    I have a question I would like to ask in regards to a client site I am setting up. We have NetScaler configured as above with an LDAP group AAA bound for VPN access, and Web based access works as expected. However when a user in the VPN group tries to logon to Receiver the logon fails.

    I am assuming this is something with the bind order, but I have the policies set lower than those set on the vServer so I am a little stumped. Any ideas would be great.



  8. Hello Carl,

    Great article. I have always admired your work and have been following your blog from some time now.

    I have a question regarding your statement on session timeout: “Session Time-out, is a total session timer (doesn’t care if user is working or not).” Your statement actually fits for Forced time out under network settings of session profile.

    As far as I know session time out will only trigger if there is no traffic coming from client to VPN vserver for the specified time out period.

    Correct me if I am wrong…

    Anyways Great work 🙂

    1. I can’t find any clear documentation on this. I wonder if “session timeout” refers to clientless VPN while “forced timeout” refers to Gateway Plug-in.

  9. Hi Carl, thank you for another great article!
    I have the following questions regarding Netscaler Gateway 11:
    – Is the VPN plugin compatible with old XenApp farms using Web interface instead of StoreFront? I have had problems with recent Receiver versions (had to use ICA Only plugin instead) and I wonder if the same kind of incompatibility could happen with the VPN plugin.
    – Have you tested the File Transfer feature? I was never able to make it work with NS 9.3 because it uses deprecated SMB protocol which is not supported in recent versions of Windows servers. Would that work now?
    – Are there any special considerations to migrate NS Gateway configuration (authorization policies, intranet applications, etc.) from version 10.1 to 11.0? Is there any change in the syntax of commands?
    Thanks in advance!!!

    1. 1. VPN plugin creates a generic VPN tunnel. In theory, any traffic can run on top of it. ICA Only plugin could send ICA traffic across the tunnel to the old Citrix farm. I’m not aware of any limitation.

      2. I have not tested File Transfer. It’s an old feature that is still in 11.0. I see this thread –

      3. The configuration commands are the same. If you have a test VPX appliance running 10.1, load your config on it, upgrade it, and see if everything still works. Or you can copy your 10.1 Gateway commands to an 11.0 test appliance and see if they work.

      However, themes are totally different.

  10. Carl
    Can you explain the difference between NetScaler plugin compared to Citrix Receiver? I have never used the plugin for NetScaler.

    1. NetScaler Gateway Plug-in is for VPN connections. It’s installed automatically when you connect to a NetScaler Gateway that has Full VPN enabled.

  11. Hi Carl,

    I am trying to enable Storefront to integrate with Netscaler Gateway (“Storefront in Gateway Portal” part). I have to say it works correctly if you point to the Storefront web server directly. However, if I tried to point to a VIP (which load balanced SF servers with Netscaler) it will ask under the application tab to authenticate again so won’t show the resources straight away.

    Have you tried pointing to the NS LB VIP and not the SF itself? Does it work?

    Please see below the settings used:
    NS 11 build 65.31
    SF version 3.5 on W2K12 R2.
    Full VPN with ICA proxy OFF.
    SF VIP: I tried with persistence Source IP or CookieInsert. Cert CA and Server bound (same as the SF servers). 2 “Service group members” with Header X-Forwarded-For added.
    It works pointing to the SF itself but not pointing to the SF LB VIP created (will require to authenticate again).

    Please let me know if you need more info.

    1. Is one SSL and the other is HTTP?

      What errors are you seeing in the StoreFront event log?

      Is StoreFront loopback enabled with OnUsingHttp?

      1. I use SSL for all with the same cert for SF and the NS LB VIP. Weird, now it is working using the NS LB VIP (the settings are: persistent/CookieInsert, Cookie Name/NSC_SFPersistent, Service group with two SF members, Header/X-Forwarded-For, Monitoring the StoreName)

      2. Carl,
        Your site has always provided very helpful information for me. I followed your steps but I cannot keep to get the integration going with SF into the GW. I am looking to do this was since I am now using the VPN Plug-in my SSO is not working to the SF. Also, I noticed that edge sight/insight is not logging the traffic when using the VPN Plug-in. Please let me know what you think.

        1. If StoreFront is https then NetScaler can’t intercept the traffic to inject credentials.

          If ICA goes across the tunnel instead of through ICA Proxy then I suspect that AppFlow won’t work. You’d need to force StoreFront to use ICA Proxy instead of direct connections (through the tunnel).

          1. Thanks for the quick reply. I am forced to use VPN Plug-in because of the timeout. I was told that ICA does not do the time out on the NetScaler. If you know of a way to get the timeout working and have the AppFlow working as well that would be great.

  12. Hi Carl,

    Thank you so much for the insightful articles, they are a massive help!

    I have been trying to get “Storefront in Gateway Portal” to show and the “Application” icon does not show. I have followed your article and Jen Trendelkamps article also.

    I logged a call with Citrix and they said it wasn’t a supported configuration and they gave me best effort support … and the best effort support could not get it working either.

    Can you let me know what version of StoreFront you used in your configuration example?

    1. I did 3.5. Don’t forget to add it to the Clientless Domains.

      If you have Client Choices enabled, are you able to access StoreFront and automatically log in?

      1. Thanks for the quick reply, yes I have configured the “Domains for Clientless Access” with the StoreFront FQDN.

        Yes I can login to StoreFront automatically (SSO) when using “Virtual App and Desktop Access” from the Client Choices page.

  13. Carl, truly fabulous and detailed article. I don’t know where you find the time and gather the experience to do all this and still have a day job.

    Q: For clientless browser VPN, how does StoreFront manage launching apps? Does it rely on HTML5 clients or does it still use the local native Receiver? Does SF need to be configured with the gateway still?

    1. There are two ICA engines: regular full Receiver (Windows, Mac, Mobile, Linux, etc.) and Receiver for HTML5. Both require NetScaler Gateway to handle proxy from public IP to internal IPs. Receiver for HTML5 uses WebSockets to Gateway. Regular Receiver uses ICA (wrapped in SSL) to Gateway. Receiver for HTML5 does not require any client-side software but regular Receiver does. Full Receiver is more functional than HTML5 Receiver.

  14. I’m testing some configuration on a VPX (from my production environment into an isolated test environment). I can’t get the Gateway Virtual Server to show UP. I’ve gone through the procedure you have set up, along with guides I have found on several other sites/forums. I’m not sure what is causing the status to be down as the Netscaler won’t give me any useful feedback other than DOWN. The only real deviation I have from the guide I’ve done is to use a self-signed (Server Test Certificate), which in my current case should be adequate (the production Netscaler appliances have a proper cert). Any advice as to what I should try to do to get the Virtual Server online?

    1. That usually means the cert isn’t bound to the Gateway. Or SSL is not enabled. Go to System > Settings > Basic Features and make sure SSL is enabled.

      Note: most browsers won’t accept self-signed certs where self-signed means Issuer and Subject are the same.

  15. Hello Carl,
    Thanks for the article.
    Is the SSL VPN for NetScaler similar to the Cisco VPN, which can be used for RDP to the servers through the Internet, or is it just for applications?

