NetScaler Management and Analytics System

Last Modified: Oct 13, 2016 @ 7:26 pm


💡 = Recently Updated


NetScaler MAS is a replacement for NetScaler Insight Center, Command Center, and Control Center. It’s a combination of these three different tools.

NetScaler MAS is a licensed product. It’s free for 30 vServers. Beyond that, licenses can be purchased in 100 vServer packs. Alternatively, you can continue to use Insight Center and/or Command Center.

Requirements for HDX Insight (AppFlow):

  • Your NetScaler appliance must be running Enterprise Edition or Platinum Edition.
  • NetScaler must be 10.1 or newer.
  • HDX Insight works with the following Receivers:
    • Receiver for Windows must be 3.4 or newer.
    • Receiver for Mac must be 11.8 or newer.
    • Receiver for Linux must be 13 or newer.
    • Notice no mobile Receivers. See the Citrix Receiver Feature Matrix for the latest details.
  • For Session Reliability, NetScaler 10.5 build 54 and newer.
  • ICA traffic must flow through a NetScaler appliance:


For ICA round trip time calculations, in a Citrix Policy, enable the following settings:

  • ICA > End User Monitoring > ICA Round Trip Calculation
  • ICA > End User Monitoring > ICA Round Trip Calculation Interval
  • ICA > End User Monitoring > ICA Round Trip Calculation for Idle Connections

Citrix CTX204274 How ICA RTT is calculated on NetScaler Insight: ICA RTT constitutes the actual application delay. ICA_RTT = 1 + 2 + 3 + 4 + 5 + 6:

  1. Client OS introduced delay
  2. Client to NS introduced network delay (Wan Latency)
  3. NS introduced delay in processing client to NS traffic (Client Side Device Latency)
  4. NS introduced delay in processing NS to Server (XA/XD) traffic (Server Side Device Latency)
  5. NS to Server network delay (DC Latency)
  6. Server (XA/XD) OS introduced delay (Host Delay)


The version/build of NetScaler MAS must be the same or newer than the version/build of the NetScaler appliances.

Citrix whitepaper – NetScaler Insight Center Deployment & Sizing Guide: virtual machine sizing, firewall rules, licensing, Receiver versions, etc.

Import Appliance

You can use either the vSphere Client, or the vSphere Web Client, to import the appliance. In vSphere Client, open the File menu, and click Deploy OVF Template. vSphere Web Client instructions are shown below.

You might see this operating system error when not using the vSphere Web Client. Click Yes to proceed. It seems to work.

  1. Download NetScaler MAS for ESX, and then extract the .zip file.
  2. In vSphere Web Client, right-click a cluster, and click Deploy OVF Template.
  3. In the Select source page, if you see a message regarding the Client Integration Plug-in, download the installer, run it, and then return to this wizard.
  4. In the Select source page, select Local file, and browse to the NetScaler MAS .ovf file. Click Next.
  5. In the Review details page, click Next.
  6. In the Select name and folder page, enter a name for the virtual machine, and select an inventory folder. Then click Next.
  7. In the Select a resource page, select a cluster or resource pool, and click Next.
  8. In the Select storage page, select a datastore. For a single appliance, or for a database appliance, SSD or Flash storage is recommended due to high IOPS.
  9. Change the virtual disk format to Thin Provision. Click Next.
  10. In the Setup networks page, choose a valid port group, and click Finish.
  11. In the Ready to Complete page, check the box next to Power on after deployment, and click Finish.

IP Configuration and High Availability

  1. Open the console of the virtual machine, and configure an IP address.
  2. Enter 7 when done.
  3. When prompted for Insight Deployment Type, enter 1 for NetScaler MAS Server. The first appliance must always be NetScaler MAS Server.
  4. If you want to deploy two NMAS appliances and HA pair them, enter no for Standalone and yes for First Server Node.
  5. Note: HA is only for database redundancy. All other traffic (SNMP, AppFlow) only goes to one node.
  6. Enter Yes to reboot.
  7. Deploy another appliance.
  8. This time, when asked if First Server Node, enter no. You will then be asked for the IP address of the first node. Enter the nsroot password.
  9. Once you’ve built all of the nodes, point your browser to the primary NetScaler MAS IP address and login as nsroot/nsroot.
  10. If you see CUXIP, either Skip or Enable the Customer User Experience Improvement Program.
  11. Click Get Started
  12. Select Two servers deployed in High Availability Mode, and click Next.
  13. It should show both nodes. Click Deploy on the top right.
  14. Click Yes to reboot the appliances.
  15. If you login to one of the appliances, at System > Deployment, you’ll see the performance of each node. Notice the Break HA icon on the top right.

  16. You can manage the pair by logging in to either node.
  17. Or you can load balance the pair. Load Balancing is only useful for administration. All other communications (e.g. SNMP, AppFlow) go directly to one of the nodes. See High Availability Deployment at Citrix Docs for load balancing instructions.

Add Instances

NetScaler MAS must discover NetScaler instances before they can be managed.

  1. Login to one of the NetScaler MAS appliances.
  2. If you see the Get Started page, click Get Started.
  3. In the Select Deployment Type page, click Next.
  4. On the Add New Instances page, click + New near the top right.

  5. Enter the NSIP address of a NetScaler appliance.
  6. Click the pencil next to ns_nsroot_profile.
  7. Enter the password for the nsroot account.
  8. Enter an SNMP community string that NetScaler MAS will configure on the appliance.
  9. The NetScaler Profile defaults to using https for instance communication. Click OK.
  10. Then click OK to add the instance.
  11. A progress window will appear.
  12. You can add more instances, or just click Finish.
  13. To add more instances later, go to Infrastructure > Dashboard, and on the top right, click All Instances.
  14. Then click New.


Virtual Server License Packs

Without licenses, NetScaler MAS only shows 30 Virtual Servers. You can install additional licenses in 100 Virtual Server packs.

  1. Go to Infrastructure > Licenses > Settings.
  2. On the right, notice the Host ID. Allocate your NetScaler MAS licenses to this Host ID. Then use the Browse button to upload the allocated license file.
  3. You can use the Notification Settings section to email you when licenses are almost fully consumed or about to expire.


Allocate licenses to Virtual Servers  💡

If you have fewer Virtual Servers than the number of installed licenses, then licenses are automatically assigned to all Virtual Servers. You can manually unassign a license and reassign it to a different Virtual Server.

  1. Go to Infrastructure > Licenses > System Licenses.
  2. On the top right, click Modify licensed Virtual Servers.
  3. In the top row, select the type of Virtual Server you want to unlicense or license.
  4. Select one or more Virtual Servers, and click the Mark Unlicensed button.
  5. Click Yes when asked to mark unlicensed.
  6. To allocate a license to a Virtual Server, click the Add Virtual Servers button.
  7. Select the Virtual Server(s) you want to allocate and click Select.
  8. Click Finish now when done.

Enable AppFlow / Insight

  1. Go to Infrastructure > Instances > Instance type (e.g. NetScaler VPX).
  2. Click the ellipsis next to an instance, and then click Enable/Disable Insight.
  3. With Load Balancing selected in the View list, click the ellipsis next to your StoreFront load balancer, and click Enable AppFlow.
  4. Type in true.
  5. Select Web Insight. If App Firewall is enabled on the vServer then also select Security Insight.
  6. HTML Injection injects JavaScript in HTTP responses to measure page load times.
  7. Click OK.
  8. At the top of the page is a checkbox to Enable Geo data collection.
  9. Use the View drop-down to select VPN.
  10. Click the ellipsis next to a NetScaler Gateway Virtual Server, and click Enable AppFlow.
  11. In the Select Expression drop-down, select true.
  12. For Export Option, select ICA and HTTP, and click OK. The HTTP option is for Gateway Insight.
  13. The TCP option is for the second appliance in double-hop ICA. If you need double-hop then you’ll also need to run set appflow param -connectionChaining ENABLED on both appliances. See Enabling Data Collection for NetScaler Gateway Appliances Deployed in Double-Hop Mode at for more information.
  14. By default, with AppFlow enabled, if a NetScaler High Availability pair fails over, all Citrix connections will drop, and users must reconnect manually. NetScaler 11.1 build 49 adds a new feature to replicate Session Reliability state between both HA nodes.  💡
    1. From Session Reliability on NetScaler High Availability Pair at Citrix Docs: Enabling this feature will result in increased bandwidth consumption, which is due to ICA compression being turned off by the feature, and the extra traffic between the primary and secondary nodes to keep them in sync.
    2. If you still want this feature, on NetScaler 11.1 build 49 and newer, go to System > Settings.
    3. On the right, click Change ICA Parameters.
    4. Check the box next to Session Reliability on HA Failover, and click OK.
  15. AppFlow (e.g. HDX Insight) information can be viewed in NetScaler MAS on the Analytics tab.

Citrix Blog Post – NetScaler Insight Center – Tips, Troubleshooting and Upgrade

Nsroot Password

  1. On the System tab, expand User Administration, and click Users.
  2. On the right, click the ellipsis next to the nsroot account, and click Edit.
  3. Enter a new password.
  4. You can also specify a session timeout. Click OK.

Management Certificate

The certificate to upload must already be in PEM format. If you have a .pfx, you must first convert it to PEM (separate certificate and key files). You can use NetScaler to convert the .pfx, and then download the converted certificate from the appliance.

  1. On the System tab, go to System Administration.
  2. On the right, click Install SSL Certificate.
  3. Click Choose File to browse to the PEM format certificate and key files. If the keyfile is encrypted, enter the password. Click OK.
  4. Click Yes to reboot the system.
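The .pfx conversion described above can also be done with OpenSSL on an admin workstation instead of on a NetScaler. This is an added example, not part of the original article; the helper names, file names and sample password are assumptions, and make_sample_pfx only builds a throwaway self-signed .pfx for trying the conversion out.

```shell
#!/usr/bin/env bash
# Added example: split a .pfx into separate PEM certificate and key files,
# then confirm the two files belong together before uploading them.
# Helper and file names are hypothetical.

# pem_pair_matches <cert.pem> <key.pem>
# Succeeds only when the certificate's public key equals the key's public key.
pem_pair_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -passin pass: -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# pfx_to_pem <in.pfx> <pfx-password> <out-cert.pem> <out-key.pem>
# The body runs in a subshell so umask and PFX_PASS do not leak to the caller.
pfx_to_pem() (
    pfx=$1; cert=$3; key=$4
    export PFX_PASS="$2"      # handed to openssl via the environment, not argv
    umask 077                 # new files are created owner-only (0600)
    rm -f -- "$cert" "$key"   # stale files must not keep looser permissions
    # Leaf certificate only; piping through x509 strips the "Bag Attributes" text.
    # A .pfx exported with old ciphers may need -legacy on OpenSSL 3.x.
    openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -clcerts -nokeys |
        openssl x509 -out "$cert" || return 1
    # Private key only, written unencrypted (-nodes).
    openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -nocerts -nodes |
        openssl pkey -out "$key" || { rm -f -- "$key"; return 1; }
    pem_pair_matches "$cert" "$key"
)

# make_sample_pfx <dir> <password>
# Constructed sample input: a throwaway self-signed certificate packed as
# <dir>/sample.pfx, with the source files left in <dir>/src.crt and <dir>/src.key.
make_sample_pfx() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=mas.example.test" \
        -keyout "$1/src.key" -out "$1/src.crt" 2>/dev/null &&
    SAMPLE_PASS=$2 openssl pkcs12 -export -inkey "$1/src.key" \
        -in "$1/src.crt" -passout env:SAMPLE_PASS -out "$1/sample.pfx"
}
```

The key file is written unencrypted, so delete it from the workstation once it has been uploaded to NetScaler MAS.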

System Configuration

  1. Click the System tab on the top of the page.
  2. On the left, click the System Administration node.
  3. On the right, modify settings (e.g. Time Zone) as desired.

  4. To change the Session Timeout, click Change System Settings.

  5. On the right column are additional settings. For example, System Prune Settings, which defaults to deleting SNMP traps after 15 days.

  6. Instances Backup Settings lets you configure the number of backup files to retain for each instance.
  7. There are more settings under System > Analytics Settings.
  8. ICA Session Timeout can be configured by clicking the link. Two minutes without traffic must pass before the session is considered idle. Then this idle timer starts.
  9. If you are using Web Insight, Configure Data Record Settings lets you enable Reports on the dashboard.

  10. Auditing > Syslog Purge Settings controls how long Syslog data is retained (15 days by default).

  11. On the left, click NTP Servers.
  12. On the right, click Add.

  13. After adding NTP servers, click NTP Synchronization.
  14. Check the box next to Enable NTP Synchronization, and click OK.
  15. Click Yes to restart.
  16. On the System tab, on the left, expand Auditing, and click Syslog Servers.
  17. On the right, click Add.
  18. Enter the syslog server IP address, and select Log Levels. Click Create.
  19. You can click Syslog Parameters to change the timezone and date format.

System Email Notifications

  1. On the System tab, on the left, expand Notifications, and click Email.
  2. On the right, on the Email Servers tab, click Add.
  3. Enter the SMTP server address, and click Create.
  4. On the right, switch to the Email Distribution List tab, and click Add.
  5. Enter an address for a destination distribution list, and click Create.
  6. On the left, click Notifications.
  7. On the right, click Change Notification Settings.
  8. Move notification categories (e.g. UserLogin) to the right.
  9. Select a notification distribution list. Then click OK.


  1. On the System tab, expand Authentication, and click LDAP.
  2. On the right, click Add.
  3. This is configured identically to NetScaler. Enter a Load Balancing VIP for LDAP. Change the Security Type to SSL, and Port to 636. Scroll down.
  4. Enter the bind account credentials.
  5. Check the box for Enable Change Password.
  6. Click Retrieve Attributes, and scroll down.
  7. For Server Logon Attribute, select sAMAccountName.
  8. For Group Attribute, select memberOf.
  9. For Sub Attribute Name, select cn.
  10. To prevent unauthorized users from logging in, configure a Search Filter. Scroll down.
  11. If desired, configure Nested Group Extraction.
  12. Click Create.
  13. On the left, expand User Administration, and click Groups.
  14. On the right, click Add.
  15. Enter the case sensitive name of your NetScaler Admins group.
  16. Select the admin Permission.
  17. If desired, configure a Session Timeout. Click Next.
  18. On the Select Applications page, click Finish.
  19. On the left, click User Administration.
  20. On the right, click User Lockout Configuration.
  21. If desired, check the box next to Enable User Lockout, and configure the maximum logon attempts. Click OK.
  22. On the left, click Authentication.
  23. On the right, click Authentication Configuration.
  24. Change the Server Type to EXTERNAL, and click Insert.
  25. Select the LDAP server you created, and click OK.
  26. Make sure Enable fallback local authentication is checked, and click OK.

Analytics Thresholds

  1. Go to Analytics Settings > Thresholds.
  2. On the right, click Add.
  3. Enter a name.
  4. Use the Traffic Type drop-down to select HDX or Web.
  5. Use the Entity drop-down to select a category of alerts. What you choose here determines what’s available in the Rule section.
  6. Check the box to Enable Alert.
  7. Check the box to Notify through Email.
  8. In the Rule section, select a rule, and enter threshold values. Click Create.

Geo Map

  1. Download the Maxmind database from
  2. Extract the .gz file.
  3. On the System tab, expand Advanced Settings, and click Geo Database Files.
  4. On the right, click Upload.
  5. Browse to the extracted GeoLiteCity.dat file, and click Open.
  6. You can also define Geo locations for internal subnets. Go to Infrastructure > Dashboard > Data Centers.
  7. On the right, click Add.
  8. Enter a name.
  9. Enter the starting and ending IP address.
  10. Select a Geo Location.
  11. Click Create.

Instance Email Alerts (SNMP Traps)

You can receive email alerts whenever a NetScaler appliance sends a critical SNMP trap.

  1. Go to Infrastructure > Events > Rules.
  2. On the right, click Add.
  3. Give the rule a name.
  4. Move Severity filters (e.g. Major, Critical) to the right.
  5. While scrolling down you’ll see additional alert filters.
  6. On the bottom of the page, click Add Action.
  7. Select an Action Type (e.g. Send e-mail), and select the recipients (or click the plus icon to add recipients).
  8. Click OK.
  9. Then click Create.

Director Integration  💡

Integrating NetScaler MAS with Director adds Network tabs to Director’s Trends and Machine Details views. Citrix Blog Post Configure Director with Netscaler Management & Analytics System (MAS)


  • XenApp/XenDesktop must be licensed for Platinum Edition. This is only required for the Director integration. Without Platinum, you can still access the HDX Insight data by visiting the NetScaler MAS website.
  • Director must be 7.11 or newer for NetScaler MAS support.
  • NetScaler MAS must be 11.1 build 49 or newer.

To link Citrix Director with NetScaler MAS, on the Director server, run C:\inetpub\wwwroot\Director\tools\DirectorConfig.exe /confignetscaler.

  1. Enter the NetScaler MAS nsroot credentials.
  2. If you choose HTTPS Connection (recommended), the NetScaler MAS certificate must be valid and trusted by both the Director Server and the Director user’s browser.
  3. Enter 1 for NetScaler MAS.
  4. Do this on both Director servers.

Use NetScaler MAS

Marius Sandbu NetScaler Management and Analytics Systems has a quick rundown of the major features.

The AppFlow Analysis tools (e.g. HDX Insight) are located on the Analytics tab.

NetScaler MAS also includes all of the previous Command Center functionality, which you can find on the Infrastructure and Applications tabs. For example, on the Infrastructure tab, select an instance, and view its Dashboard.

Backups are available at View Backup.

Dave Bretty Automating Your Netscaler 11.1 Vserver Config Using Netscaler Management and Analytics System: use a Configuration Job to deploy StoreFront load balancing configuration to an instance.

On the Applications tab, Dashboard node, Applications sub-tab, you can click New Application to group vServers together so they can be monitored as a group.

Also see NetScaler MAS How-to Articles at Citrix Docs.

HDX Insight

HDX Insight Dashboard displays ICA session details including the following:

  • WAN Latency
  • DC Latency
  • RTT (round trip time)
  • Retransmits
  • Application Launch Duration
  • Client Type/Version
  • Bandwidth
  • Licenses in use

HDX Insight can also display Geo Maps. Configure NetScaler MAS with Data Center definitions (private IP blocks). More info at Geo Maps for HDX Insight at Citrix Docs.

Gateway Insight

On the Analytics tab is Gateway Insight.

This feature displays the following details:

  • Gateway connection failures due to failed EPA scans, failed authentication, failed SSON, or failed application launches.
  • Bandwidth and Bytes Consumed for ICA and other applications accessed through Gateway.
  • # of users
  • Session Modes (clientless, VPN, ICA)
  • Client Operating Systems
  • Client Browsers

More details at Gateway Insight at Citrix Docs.

Security Insight

The Security Insight dashboard uses data from Application Firewall to display Threat Index (criticality of attack), Safety Index (how securely NetScaler is configured), and Actionable Information. More info at Security Insight at Citrix Docs.


Citrix CTX215130 HDX Insight Diagnostics and Troubleshooting Guide: Syslog messages; Error counters; Troubleshooting checklist, Logs

Citrix Blog Post – NetScaler Insight Center – Tips, Troubleshooting and Upgrade

See Troubleshooting Tips. Here are sample issues covered in

  • Can’t see records on Insight Center dashboard
  • ICA RTT metrics are incorrect
  • Can’t add NetScaler appliance to inventory
  • Geo maps not displaying

Upgrade NetScaler MAS

  1. Download the latest Upgrade Pack for NetScaler Management and Analytics System.
  2. Login to NetScaler MAS.
  3. On the System tab, on the left, click the System Administration node.
  4. In the right pane, click Upgrade NetScaler MAS.
  5. Browse to the Software Image Upgrade Pack .tgz file and click OK.
  6. Click Yes to reboot the appliance.
  7. After it reboots, login. The new firmware version will be displayed in the top right corner.


15 thoughts on “NetScaler Management and Analytics System”

  1. Hi Carl,

    First – great article! Like so often.

    At the config point

    “Enter an SNMP community string that NetScaler MAS will configure on the appliance.”

    -> should we use a new community string at this point or an existing one on a NS Appliance where is there configured?

    I've had some trouble adding the first NS VPX appliance. I always received the issue:

    Trying to connect to
    Error: License cannot be retrieved. Either the NetScaler is unresponsive or the login credentials are incorrect.

    I am using the NS MAS Vers. 1 / Built


    1. NMAS uses several ports to connect to the NSIP of the NetScaler appliance. Run “tail -f /var/log/ns.log” on the NetScaler while performing NetScaler MAS discovery and see if any commands make it to the appliance. It might help you find the issue.

      1. Found the issue. I tried to connect NS VPX V11 Build 55.20 without any success. I've upgraded to NS VPX V11 Build 64.34, and adding via NS MAS works fine.

  2. Hi Carl,

    Thank you so much for your site and all the work you do, it is an amazing help!!!

    Do you know the port requirements between NetScaler instances and MAS? I can not find it listed in the Citrix edocs.


    1. I suspect a combination of Command Center and Insight Center. TCP 22. TCP 443. SNMP ports. Then there’s AppFlow, SNMP, and Syslog from appliance back to MAS.

  3. Hi, Carl:

    Thanks for your great info. Can NetScaler MAS integrate with Director now?
    I ran the command in Director, but it shows “This content can not be displayed in a frame” in Director.
    Do you know this issue?

    1. That’s a good question. I copied that section from my Insight Center post without testing it. I removed it for now until I can determine if it works or not.

        1. Also, while you’re there.. have you seen the image on the eDocs about HDX Insight through MAS, where all the various metrics (WAN latency, RTT etc) are shown on the same graph? I don’t seem to be able to do that from the Users info, they are all split into separate graphs?

          Edocs page

          Actual image I mean:

  4. Hi Carl,

    Really great info… have you found anything that Insight can do that MAS can’t yet?

    If you were starting from scratch, with HDX Insight particularly in mind, is there any reason not to use MAS? Licensing aside I mean.


    1. MAS is where the development is happening, especially because they can charge for it.

      Other than licensing, I haven’t found any limitations yet.
