NetScaler Gateway 12 Tweaks

Last Modified: Sep 16, 2017 @ 11:33 am


ūüí° = Recently Updated

NetScaler Gateway Feature Licensing

Here is a listing of some NetScaler Gateway features and the licenses they require:

Feature NetScaler Editions Universal Licenses?
StoreFront Load Balancing Standard/Enterprise/Platinum
Global Server Load Balancing (GSLB) Enterprise/Platinum
ICA Proxy and StoreFront Proxy All
Two-factor Auth (RADIUS) All
StoreFrontAuth (nFactor) Enterprise/Platinum
nFactor Authentication Enterprise/Platinum
Native OTP Authentication (nFactor) Enterprise/Platinum
HDX Insight (AppFlow) Enterprise/Platinum
SmartAccess All Yes
SmartControl Platinum Yes
RDP Proxy Enterprise/Platinum Yes
PCoIP Proxy Enterprise/Platinum Yes
Unified Gateway Enterprise/Platinum Yes
Citrix SCOM MP for NetScaler Platinum

All Editions = NetScaler Gateway Enterprise VPX, NetScaler Standard, NetScaler Enterprise, and NetScaler Platinum.

  • NetScaler Gateway Enterprise VPX¬†is the cheap VPX appliance that only does NetScaler Gateway. It doesn’t even do Load Balancing.
  • NetScaler Enterprise Edition is the minimum edition for many Gateway features, and thus is recommended for all Gateway purchases.

Gateway Universal Licenses – many NetScaler Gateway features require NetScaler Gateway Universal licenses for each concurrent connection to the NetScaler Gateway Virtual Server. See the above table for which features require these licenses.

When you create a NetScaler Gateway Virtual Server, in the Basic Settings section, the ICA Only setting determines if you need NetScaler Gateway Universal licenses or not. If the Virtual Server is set to ICA Only is true, then features requiring Universal Licenses are disabled. But if ICA Only is set to false, then you need a NetScaler Gateway Universal license for every user that connects to this NetScaler Gateway Virtual Server.

Most editions of NetScaler include Universal licenses:

  • NetScaler Gateway Enterprise VPX¬†does not come with any Gateway Universal Licenses
  • NetScaler Standard Edition¬†comes with 500 Gateway Universal Licenses
  • NetScaler Enterprise Edition¬†comes with 1,000 Gateway Universal Licenses
  • NetScaler Platinum Edition¬†comes with unlimited Gateway Universal Licenses

If your NetScaler Edition does not include a sufficient number of Universal Licenses for your user load, then you can acquire these licenses through other means:

  • XenApp/XenDesktop Platinum Edition includes Gateway Universal licenses for each licensed user
  • XenMobile App Edition and XenMobile Enterprise Edition¬†include Gateway Universal licenses for each licensed user
  • “a la carte” NetScaler Gateway Universal Licenses – these are very inexpensive

You can install more Gateway Universal licenses on the NetScaler appliance. The Gateway Universal licenses are allocated to the case sensitive hostname of each appliance. If you have an HA pair, and if each node has a different hostname, then allocate the Gateway Universal licenses to the first hostname, and then reallocate the same licenses to the other hostname.

To see the hostname, click your username on the top right.

To change the hostname:

  1. Click the gear icon on the top right.
  2. Then click the third section.

Go to, and allocate your purchased Gateway Universal licenses to the hostname of the appliance.

To upload the allocated Gateway Universal licenses to the appliance, go to System > Licenses > Manage Licenses. A reboot is required.

To see the number of installed Gateway Universal licenses:

  1. On the left, expand System, and click Licenses.
  2. On the right, in the Maximum NetScaler Gateway Users Allowed field is the number of licensed users for NetScaler Gateway Virtual Servers that are not set to ICA Only.

RFWebUI Portal Theme

Citrix Blog Post Branding your Deployment Part 2: Matching NetScaler to StoreFront explains NetScaler Gateway Portal Themes, how to edit the Portal Theme CSS, and warns about GUI changes overwriting CSS file changes.

If you want the logon page for NetScaler Gateway to look more like StoreFront 3.0 and newer, enable the built-in RfWebUI or X1 theme. RfWebUI is optimized for Unified Gateway (Clientless VPN) since it provides the exact same appearance and user experience as StoreFront 3.x. The Unified Gateway RfWebUI theme can display RDP Links, Web Links (bookmarks), PCoIP published icons, along with the familiar StoreFront apps and desktops. Note: RfWebUI requires StoreFront 3.6 or newer.

  1. Go to NetScaler Gateway > Virtual Servers, and edit an existing Virtual Server.
  2. If you see the Portal Themes section on the left:
    • Then click the pencil icon.
  3. If you don’t see Portal Themes on the left:
    • On the right, in the Advanced Settings section, click Portal Themes.
  4. On the left, change the Portal Theme drop-down to RfWebUI. Click OK.
  5. Click Done.

    bind vpn vserver -portaltheme RfWebUI
  6. When you access the NetScaler Gateway login page you’ll see the theme.

Custom Portal Theme

You can create your own theme by starting from one of the built-in themes:

  1. Go to NetScaler Gateway > Portal Themes.
  2. On the right, click Add.
  3. Give the theme a name, select RfWebUI as the Template Theme, and click OK.
  4. In the Look and Feel section, there are two sub-sections: one for Home Page Attributes, and one for Common Attributes.
  5. The Home Page Attributes section is for Unified Gateway (aka VPN Clientless Access). Notice that the Websites Sections can be disabled.
  6. The Help Legend link at the top of the section shows you what the other fields modify.

  7. If you want to modify some attributes of the logon page, use the Common Attributes sub-section. The labels are changed later.
  8. The Help Legend link at the top of the Common Attributes section shows you what the fields modify.
  9. Make changes as desired, and click OK at the bottom of the page.
  10. After you click OK, the Language section appears.
  11. In the Language section, select a language, and click OK.
  12. On the right, in the Advanced Settings section, click Login Page.
  13. Make changes as desired (e.g. Password Field Titles), and click OK.
  14. At the top of the screen, click the link to Click to Bind and View Configured Theme.
  15. Select a Gateway Virtual Server, and click Bind and Preview. Notice that you can also bind Portal Themes to AAA vServers.
  16. The logon page is displayed.
  17. You could go to /var/netscaler/logon/themes/MyTheme/css and make more changes to custom.css, but this file gets overwritten any time you make a change in the Portal Themes section of the NetScaler GUI.
  18. Citrix CTX209526 NetScaler; How to Copy a Portal Theme from the Device running version 11.0 to another Device running 11.0.

Public DNS SRV Records

When a user launches Receiver, instead of typing in the Gateway FQDN, the user can enter an email address. Receiver uses the email suffix to lookup the Gateway FQDN. It does this by looking for an SRV record named _citrixreceiver._tcp in the email suffix’s domain (e.g. If you have multiple email suffixes, then you need to add the SRV record to each email suffix DNS zone.

Note: to eliminate certificate and/or trust prompts, the Gateway certificate must match (e.g If you have multiple email suffixes, then you need the certificate to match every email suffix.

To enable email-based discovery, add a SRV record to each public email suffix DNS zone. Here are sample instructions for a Windows DNS server:

  1. In Server Manager, click Tools > DNS.
  2. In the left pane of DNS Manager, right-click your DNS domain, and click Other New Records.
  3. In the Resource Record Type dialog box, select Service Location (SRV), and then click Create Record.
  4. In the New Resource Record dialog box, do the following:
    1. In the Service box, enter the host value _citrixreceiver.
    2. In the Protocol box, enter the value _tcp.
    3. In the Port number box, enter 443.
    4. In the Host offering this service box, specify the fully qualified domain name (FQDN) for your NetScaler Gateway Virtual Server in the form servername.domain (e.g.
  5. Click OK to close the New Resource Record dialog box.
  6. Click Done to close the Resource Record Type dialog box.

Customize Logon Page

Logon Page Labels

When two factor authentication is configured on NetScaler Gateway, the user is prompted for User name, Password, and Password 2.

The Password field labels can be changed to something more descriptive, such as Active Directory or RSA:

To change the labels, edit a Portal Theme:

  1. Go to NetScaler Gateway > Portal Themes, and edit an existing theme. You can’t edit the built-in themes, so you’ll have to create one if you haven’t already.
  2. If you see the Login Page section on the left:
    • Click the pencil icon in the¬†Login Page section.
  3. If you don’t see the Login Page section on the left:
    • On the right, in the Advanced Settings column, click Login Page to add it to the left.
  4. On the left, in the Login Page section, change the two Password fields to your desired text.
  5. Click OK to close the Login Page section.
  6. If you are using the RfWebUI theme, the default text size for the form field labels is 17px. However, the Portal Themes editor defaults to 12px. You can change it back to 16px or 18px by doing the following:
    1. In the Look and Feel section, click the pencil icon.
    2. Scroll down to the Common Attributes section.
    3. Change the Form Font Size drop-down to 16px or 18px.
    4. Click OK to close the Look and Feel section.
  7. In the Portal Theme section at the top of the page, you can Click to Bind and View Configured Theme to Preview your changes.
  8. You might have to invalidate the loginstaticobjects Integrated Caching Content Group (Optimization > Integrated Caching > Content Groups) before the changes appear. This seems to be true even if Integrated Caching is disabled.

 Logon Security Message (Disclaimer, EULA)

You can force users to agree to a EULA before they are allowed to login.

Clicking the Terms & Conditions link allows the user to view the EULA text that you have entered.

Do the following to configure the EULA:

  1. Go to NetScaler Gateway > Resources > EULA.
  2. On the right, click Add.
  3. Give the EULA a name, and enter some text. You can even enter HTML code. See the example posted by Chris Doran at Citrix Discussions.
  4. Scroll down, and click Create.
  5. Edit a Gateway Virtual Server.
  6. On the right, in the Advanced Settings column, click EULA.
  7. On the left, in the EULA section, click where it says No EULA.
  8. Click where it says Click to select.
  9. Click the radio button next to the previously created EULA, and click Select.
  10. Click Bind.
  11. Mike Roselli at Automatic EULA Acceptance by Cookie Rewrite Guide at Citrix Discussions details Rewrite policies that change the behavior so that users only have to accept the EULA once. It records acceptance in a cookie.
  12. Sam Jacobs Adding an EULA for AAA Login at CUGC explains how to enable the EULA on the AAA logon page.

Theme File Customization

The original themes (Default, Green Bubble, and X1) use files from /netscaler/ns_gui/vpn/js and /var/netscaler/logon/themes. A commonly edited file is /netscaler/ns_gui/vpn/js/gateway_login_form_view.js since this file is responsible for rendering the logon form.

The new RfWebUI theme is different than the original themes, because it pulls files from¬†/var/netscaler/logon/LogonPoint/receiver. This means the customizations for NetScaler 11.0 won’t work with the new RfWebUI theme.¬†When reviewing customization guides for NetScaler 11, be aware that most of them won’t work for the RfWebUI theme.

Citrix CTX202444 How to Customize NetScaler Gateway 11 logon Page with Links shows how to add links to the NetScaler Gateway 11 logon page. This only works in the Default, Green Bubble, and X1 themes (no RfWebUI theme).

Other Customizations

CTP Sam Jacobs at Adding Text, Links and Other Elements to the NetScaler Logon Page РPart 2 at CUGC explains how to add text to the RfWebUI theme logon page. The process for RfWebUI is quite different than the older themes:

  • Text is stored in /var/netscaler/logon/themes/<theme>/strings.<language code>.json
  • Custom CSS is stored in /var/netscaler/logon/themes/<theme>/css/theme.css
  • Sample Logon Page:
    Logon screen with footer.jpg

CTP Sam Jacobs at Adding Text, Links and Other Elements to the NetScaler Logon Page РPart 1 at CUGC explains how to modify custom.css and en.xml to add text below the logon box on the Logon Page. No Rewrite policies or source code modifications needed.

Citrix CTX215817 NetScaler : How to Customize Footer of NetScaler Gateway Login Page. This article does not work with the RfWebUI theme, but it works with the X1 theme.

Mike Roselli at Netscaler 11 Theme Customization – How to Add Links and Verbiage at Citrix Discussions has sample rewrite policies to customize the NetScaler Gateway logon page with additional HTML.


Craig Tolley¬†Customising the NetScaler 11 User Interface ‚Äď Adding Extra Content: add new sections to login page. These sections pull content from local HTML files.


Daniel Ruiz Set up a maintenance page on NetScaler Gateway: configure a Responder policy (see the blog post for sample HTML code). During maintenance, manually bind the Responder policy to the Gateway. Manually remove the policy after maintenance is complete.

 UDP Audio Through Gateway

From John Crawford at Citrix Discussions and Marius Sandbu Enabling Citrix Receiver audio over Netscaler Gateway with DTLS

Note: Enabling DTLS on the Gateway also enables the Gateway to support EDT (Adaptive Transport) and Framehawk.

Requirements for UDP Audio:

  • Citrix Receiver 4.2 or newer
  • UDP 443 allowed to NetScaler Gateway Virtual Server
  • UDP 16500-16509 allowed from NetScaler SNIP to the VDAs

To enable UDP Audio through Gateway, make changes on both the NetScaler Gateway Virtual Server, and in Receiver:

  1. Edit a NetScaler Gateway Virtual Server.
  2. In the Basic Settings section, click the pencil icon.
  3. Click More.
  4. Enable the DTLS option, and click OK.
  5. After enabling DTLS, it probably won’t work until you unbind the Gateway certificate, and rebind it.
    1. On the left, click where it says 1 Server Certificate.
    2. Click Add Binding.
    3. Click where it says Click to select.
    4. Click the radio button next to the same certificate that’s already bound. Click¬†Select.
    5. Click Bind.
    6. Click Close.
    7. Click Continue to close the Certificate section.

Client-side configuration

There are two methods of enabling RTP on the client side:

  • Edit default.ica on the StoreFront server
  • Use GPO to modify the client-side config

To edit the default.ica file on the StoreFront server (h/t Vipin Borkar): Edit the file C:\inetpub\wwwroot\Citrix\Store\App_Data\default.ica and add the following lines to the Application section:


To use GPO to modify the client-side config:

  1. Copy the receiver.admx¬†(and .adml) policy template into PolicyDefinitions if you haven’t already.
  2. Edit a GPO that applies to Receiver machines. You can also edit the local GPO on a Receiver machine.
  3. Go to Computer Configuration | Policies | Administrative Templates | Citrix Components | Citrix Receiver | User Experience.
  4. On the right, edit the setting Client audio settings.
  5. Do the following in the Client audio settings dialog box.
    1. Enable the setting.
    2. Set audio quality as desired. Higher quality = higher bandwidth.
    3. Check to Enable Real-Time Transport.
    4. Check to Allow Real-Time Transport through Gateway.
  6. Click OK to close the Client audio settings dialog box.
  7. Look in the client-side registry at HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Virtual Channels\Audio to make sure the registry keys applied.
  8. When you launch the first session after enabling Real-Time Transport, you might be prompted to enable it through the client-side firewall.

To view the current UDP Audio sessions:

  1. In the NetScaler GUI, click the NetScaler Gateway node.
  2. On the right, click DTLS ICA Connections.
  3. This will show you all users that have UDP Audio connections through NetScaler Gateway. Note: this is different than EDT. To see EDT (UDP) HDX connections, click ICA Connections instead.

Citrix VPN from Mobile Devices


Citrix VPN Clients on Mobile Devices (Android, iOS) contain one of the following in their User-Agent strings. You can use this text in a Session Policy expression.

  • CitrixReceiver/NSGiOSplugin
  • CitrixReceiver/CitrixVPN

To block the Citrix VPN client connections from mobile devices, do one of the following:

  • Create an AppExpert > Responder > Policy with Action = DROP and Expression = HTTP.REQ.HEADER("User-Agent").CONTAINS("CitrixReceiver/NSGiOSplugin")|| HTTP.REQ.HEADER("User-Agent").CONTAINS("CitrixReceiver/CitrixVPN").¬†Either bind the Responder Policy Globally, or bind it to the Gateway vServers.
  • In your Gateway Session Policies, on the Client Experience tab, set the Plug-in Type to Java. If any of them are set to Windows/MAC OS X, then VPN for Mobile is allowed.

StoreFront – Rewrite X-Citrix-Via

When NetScaler Gateway communicates with StoreFront, it adds a header called X-Citrix-Via that contains the FQDN entered in the user’s address bar. StoreFront uses this header to find a matching Gateway object so StoreFront knows how to handle the authentication. In NetScaler 11.0 and newer, you can create a rewrite policy to change this header. This is useful when changing URLs or using DNS aliases for Gateways. See¬†CTX202442¬†FAQ: Modify HTTP Header X-Citrix-Via on NetScaler for more details.

Here’s a sample rewrite policy for this header:

enable ns feature REWRITE

add rewrite action rwact_storefront replace "HTTP.REQ.HEADER(\"X-Citrix-Via\")" "\"\""

add rewrite policy rwpol_storefront "HTTP.REQ.HEADER(\"X-Citrix-Via\").NE(\"\")" rwact_storefront

bind vpn vserver mygateway-vs -policy rwpol_storefront -priority 100 -type REQUEST

Device Certificates¬† ūüí°

NetScaler Gateway can require Device Certificates (machine based) before a user can login. The Endpoint Analysis Plug-in reads the machine certificate, and compares it to a CA certificate that is bound to the NetScaler Gateway Virtual Server.

  • Device Certificates are different from User Certificates.
  • Administrator permissions are required to access the machine certificate’s private key. NetScaler Gateway Plug-in (VPN client) can workaround this requirement.
  • OCSP is required. You can use Microsoft Online Responder.

To enable Device Certificates

  1. Create a OCSP Responder on NetScaler, and bind it to the CA Certificate. See CTX200290 How to Configure Device Certificate on NetScaler Gateway for details. At Traffic Management > SSL > Certificates > OCSP Responder.

    1. The URL for Microsoft Online Responder is http://ocsp_server_FQDN:80/ocsp.
    2. Misja Geuskens at¬†Netscaler Device certificate checks fails with W2K12R2 Online responder says don’t check the Nonce box.
  2. Import CA certificates for Root and Intermediate. At Traffic Management > SSL > Certificates > CA Certificates.
  3. Right-click each CA certificate, and click OCSP Bindings.

    1. Select the OCSP Responder you created earlier.
  4. Bind the CA certificates to the Gateway Virtual Server in the CA certificates section.

  5. Enable Device Certificates in the NetScaler Gateway Virtual Server > Basic Settings > More section. Move the same CA certificates to the right.

User Experience

Users will be prompted to install the Endpoint Analysis plugin.

Click Yes to run the scan. Note: if the user is not an administrator of the local machine, then you must also install the NetScaler Gateway Plug-in (VPN client) to handle the security restrictions.

If there are multiple certificates on the client machine, the user will be prompted to select one.

The chosen machine certificate is stored in %localappdata%\Citrix\AGEE\config.js. The user won’t be prompted for certificate selection again unless you delete this file.

This same folder contains nsepa.txt, which lets you troubleshoot device certificate checking. The most common issue is lack of permissions, which is handled by installing the NetScaler Gateway VPN Plug-in. The Gateway VPN Plug-in version must match the firmware version.

3 thoughts on “NetScaler Gateway 12 Tweaks”

  1. We found a few issues with RfWebUI (running NetScaler One being that the WfWebUI portal theme loaded inconsistently across many devices (desktop and phone). We had to remove the cache policies that are automatically added when you create the NSGW virtual server (_cacheTCVPNStaticObjects, etc). Looks like the theme flips out when it tries to perform 302 or 304 requests for the web resources. I found a known issue Citrix article that kind of alluded to that, but didn’t mention caching. This was with Enterprise licensing too, which means I couldn’t change the policies (as I’m not licensed), but I could unlink them. Also, we’ve found the RfWebUI theme loads really poorly over high latency (e.g, 300 ms+) connections. Way worse than the default themes. Even X1 is a bit better, but no mobile support. I also assume this is related to all the AJAX requests the theme makes. Haven’t got a solution for that yet. The theme definitely looks better, but also has pretty serious flaws.

Leave a Reply