NetScaler System Configuration

Last Modified: Aug 15, 2016 @ 6:21 pm


This page contains the following topics:

Java Security

Citrix has information on configuring browsers for Java

When performing operations on NetScaler that require Java, you might see the message “Java Applet could not be loaded”. To fix it, do the following:

  1. Java uses TCP 3008 and TCP 3010 to communicate with the NetScaler NSIP (and/or SNIP). Make sure these ports are open on any firewall between the administrator workstations and the NetScaler management IPS.
  2. Go to Control Panel and open the Java applet.
  3. Switch to the Security
  4. Click Edit Site List.
  5. Click Add.
  6. Type in a URL to a NetScaler management IP. You must prepend http and/or https. The management IP is NSIP and/or SNIP.
  7. If you enter an http URL then you will see a warning message. Click Continue.
  8. Continue adding NetScaler management URLs to the list. Add both http and https so you can use either. Click OK when done.
  9. Then click OK to close the Java Control Panel applet.
  10. The Java site exception list is stored in %userprofile%\AppData\LocalLow\Sun\Java\Deployment\security\exception.sites and can be transferred to other users.

VPX – vSphere 5.1 and 5.5 issue

If you are licensed for VPX-1000 or higher, see Citrix Knowledgebase Article CTX139485 (Resource Requirements for Optional Multi-PE Configuration for NetScaler VPX) for correct vCPU and Memory configuration.

From VMware knowledgebase article 2092809: After applying patches to an ESXi 5.1/5.5 host, Citrix NetScaler virtual machine with e1000 vNIC loses network connectivity: After patching your ESXi host to version 5.5 Update 2 (build 2143827) or 5.1 Patch 6 (build 2191751), you experience these symptoms:

  • Some Citrix NetScaler virtual machine appliance running the guest Operating System with e1000 vNIC driver loses network connectivity
  • Cannot access the console after applying the patches

See VMware’s article for their workaround.

From Citrix Knowledgebase article CTX200278 – NetScaler VPX Loses Network Connectivity on VMware ESXi 5.1.0 2191751 and VMware ESXi 5.5 2143827:

  1. Log in to the Citrix NetScaler virtual machine appliance as nsroot
  2. Type shell.
  3. Type the following command:
    cd /flash/boot
  4. Type the following command:
    touch /flash/boot/loader.conf.local
  5. Edit (vi) the file conf.local and add the following line to the end of it:
  6. Save the changes
  7. Restart the NetScaler virtual machine appliance

Licensing – VPX Mac Address

To license a NetScaler VPX appliance, you will need its MAC address.

  • One method is to look in the GUI.

    • In the right pane, look down for the Host Id This is the MAC address you need for license allocation.
  • Another option is to SSH to the appliance and run shell.
    • Then run lmutil lmhostid. The MAC address is returned.

Licensing –

  1. Login to
  2. Click Activate and Allocate Licenses.
  3. Check the box next to a Citrix NetScaler license and click Continue.
  4. If this is a NetScaler MPX license then there is no need to enter a host ID for this license so click Continue. If this is a NetScaler VPX license, enter the lmutil lmhostid MAC address into the Host ID field and click Next.

    For a VPX appliance, you can also get the Host ID by looking at the System Information page.
  5. Click Confirm.
  6. Click OK when asked to download the license file.
  7. Click Download.
  8. Click Save and put it somewhere where you can get to it later.
  9. If you purchased NetScaler Gateway Universal Licenses, allocate them. These licenses can come from XenMobile Enterprise, XenApp/XenDesktop Platinum Edition, NetScaler Platinum Edition, or a la carte.
  10. Enter your appliance hostname as the Host ID for all licenses.
  11. Click Confirm.
  12. Click OK when prompted to download your license file.
  13. Click Download.
  14. Click Save.
  15. If you have two appliances in a High Availability pair with different hostnames then you will need to return the NetScaler Gateway Universal licenses and reallocate them to the other hostname.

Install Licenses on Appliance

  1. In the NetScaler Configuration GUI, on the left, expand System and click Licenses.
  2. On the right, click Manage Licenses.
  3. Click Add New License.

    License files are stored in /nsconfig/license.
  4. If you have a license file, select Upload license files from a local computer, and then click Browse.
  5. Click Reboot when prompted. Login after the reboot.
  6. After rebooting, the Licenses node should look something like this. Notice that Maximum ICA Users Allowed is set to Unlimited.
  7. Note: the NetScaler SNMP counter allnic_tot_rx_mbits must remain less than the licensed bandwidth or packets will drop.

Upgrade Firmware

Citrix CTX127455How to Upgrade Software of the NetScaler Appliances in a High Availability Setup:

  1. Download firmware. Ask your Citrix Partner or Citrix Support TRM for recommended versions and builds. At the very least, watch the Security Bulletins to determine which versions and builds resolve security issues. You can also subscribe to the Security Bulletins at by clicking the Alerts link on the top right.
    Note: Citrix sometimes refreshes firmware builds (e.g 10.1 build 130.13 replaces 10.1 build 130.10). If this happens, make sure you install the refreshed version since the original version can no longer be downloaded. If you have an HA pair running 130.10, and if one of the appliances needs to be replaced, you can’t download 130.10 and thus can’t install it on the new secondary, and thus the config won’t replicate when you join the HA pair since the node firmware versions will be different. If you don’t have access to the 130.10 firmware, your only option is to upgrade the primary to 130.13 before joining the new secondary running 130.13.
  2. Make sure you Save the config before beginning the upgrade.
  3. If you configured NetScaler Gateway to use a Custom theme, change the theme back to Default (or Green Bubble). You will have to re-create the customtheme.tar.gz file after you upgrade.
  4. Transferring the firmware upgrade file to the appliance will be slow unless you license the appliance first. An unlicensed appliance will reduce the maximum speed to 1 Mbps.
  5. Start with the Secondary appliance.
  6. Before upgrading the appliance, consider using WinSCP or similar to back up the /flash/nsconfig directory.
  7. In the NetScaler GUI, with the top left node (System) selected, click System Upgrade.
  8. Browse to the build…tgz file. If you haven’t downloaded firmware yet, then you can click the Download Firmware link.
  9. Click More and then check the box next to Automatically move files to create space. Click Yes to acknowledge the prompt.
  10. Click Upgrade.

  11. The firmware will upload.
  12. You should eventually see a System Upgrade window with text in it. It will reboot automatically.
  13. Or if older than 10.5 build 56, click Upgrade Wizard
  14. In the Introduction page, click Next.
  15. In the Upload Software page, browse to the build…tgz file and click Next.
  16. In the Manage Licenses page, click Next.
  17. In the Clean Up / Reboot page, check both boxes and then click Next.
  18. If you select the option to automatically move files, you will be asked to delete unused kernels. Click Yes.
  19. In the Summary page, click Finish. The upgrade will begin. Do not disturb your browser session until you see that it is rebooting. It will run several commands after uploading the files.
  20. If you are asked to enable Call Home, select Yes, and click Go.
  21. When you see the message Rebooting… it is then safe to close the window.
  22. Once the Secondary is done, login and failover the pair.
  23. Then upgrade the firmware on the former Primary.


To install firmware by using the command-line interface

  1. To upload the software to the NetScaler Gateway, use a secure FTP client (e.g. WinSCP) to connect to the appliance.
  2. Create a version directory under /var/nsinstall (e.g. /var/nsinstall/10.5.63).
  3. Copy the software from your computer to the /var/nsinstall/<version> (e.g. /var/nsinstall/11.5.63) directory on the appliance.
  4. Open a Secure Shell (SSH) client (e.g. Putty) to open an SSH connection to the appliance.
  5. At a command prompt, type shell.
  6. At a command prompt, type cd /var/nsinstall to change to the nsinstall directory.
  7. To view the contents of the directory, type ls.
  8. To unpack the software, type tar -xvzf build_X_XX.tgz, where build_X_XX.tgz is the name of the build to which you want to upgrade.
  9. To start the installation, at a command prompt, type ./installns.
  10. When the installation is complete, restart NetScaler.
  11. When the NetScaler restarts, at a command prompt type what or show version to verify successful installation.

High Availability

Configure High Availability as soon as possible so almost all configurations are synchronized across the two appliances. The exceptions are mainly network interface configurations.

High Availability will also sync files between the two appliances. See CTX138748 File Synchronization in NetScaler High Availability Setup for more information.

  1. Prepare the secondary appliance:
    1. Configure a NSIP.
    2. Don’t configure a SNIP. You can click Do It Later to skip the wizard.
    3. Configure Hostname and Time Zone. Don’t configure DNS since you’ll get those addresses when you pair it.
    4. License the secondary appliance.
    5. Upgrade firmware on the secondary appliance. The firmware of both nodes must be identical.
  2. On the secondary appliance, go to System > High Availability, double-click the local node, and change High Availability Status to STAY SECONDARY. If you don’t do this, then you run the risk of losing your config when you pair the appliances. See Terence Luk Creating a Citrix NetScaler High Availability pair without wiping out an existing configuration for more information.

    set ha node -hastatus STAYSECONDARY
  3. On the primary appliance, on the left, expand System, expand Network and click Interfaces.
  4. On the right, look for any interface that is currently DOWN. You need to disable those disconnected interfaces before enabling High Availability. Right-click the disconnected interface, and click Disable. Repeat for the remaining disconnected interfaces.

    show interface
    disable interface 1/1
  5. On the left, expand System, and click High Availability.
  6. On the right, click Add.
  7. Enter the other NetScaler’s IP address.
  8. Enter the other NetScaler’s login credentials, and click Create.

    add ha node 1
    Note: this command must be run separately on each appliance.
  9. If you click the refresh icon near the top right, Synchronization State will probably say IN PROGRESS.
  10. Eventually it will say SUCCESS.
  11. To enable Fail-safe mode, on the right, edit Node ID 0 (the local appliance).
  12. Under Fail-safe Mode, check the box next to Maintain one primary node even when both nodes are unhealthy. Scroll down and click OK.

    set ha node -failSafe ON
  13. If you login to the Secondary appliance, you might see a message warning you against making changes. Always apply changes to the Primary appliance.
  14. On the secondary appliance, go to System > High Availability, edit the local node, and change it from STAY SECONDARY to ENABLED.
  15. From the CLI, run “sh ha node” to see the status. You should see heartbeats on all interfaces. If not, configure VLANs as detailed in the next section.
  16. You can Force Failover of the primary appliance by opening the Actions menu, and clicking Force Failover.

    force ha failover
    If your firewall (e.g. Cisco ASA) doesn’t like the Gratuitous ARP, see CTX112701 – The Firewall Does not Update the Address Resolution Protocol Table

Multiple Interfaces – VLANs

Citrix CTX214033 Networking and VLAN Best Practices for NetScaler discusses many of the same topics detailed in this section.


You should never connect multiple interfaces to a single VLAN unless you are bonding the interfaces using LACP, Channel, or the new Redundant Interface Set feature in 10.5.e. See Webinar: Troubleshooting Common Network Related Issues with NetScaler

NetScaler VPX defaults to two connected interfaces, so if you only have one subnet, disconnect one of those interfaces.


Common interface configuration: Here is a common NetScaler networking configuration for a NetScaler that is connected to both internal and DMZ.

Note: If the appliance is connected to both DMZ and internal then be aware that this configuration essentially bypasses (straddles) the DMZ-to-internal firewall. That’s because if a user connects to a public/DMZ VIP, then NetScaler could use an internal SNIP to connect to the internal server. A more secure approach is to have different appliances for internal and DMZ. Or use NetScaler SDX, partitioning, or traffic domains.

  • 0/1 connected to a dedicated management network. NSIP is on this network.
    • 0/1 is not optimized for high throughput so don’t put data traffic on this interface. If you don’t have a dedicated management network, then put your NSIP on one of the other interfaces (1/1, 10/1, etc.) and don’t connect any cables to 0/1.
    • To prevent NetScaler from using this interface for outbound data traffic, don’t put a SNIP on this network, and configure the default gateway to use a different data network. However, if there’s no SNIP, and if default gateway is on a different network,  then there will be asymmetric routing for management traffic since inbound is 0/1 but outbound is LA/1. To work around this problem, enable Mac Based Forwarding. Or create a Policy Based Route.
    • It’s easiest if the switch port for this interface is an Access Port (untagged). If VLAN tagging is required, then NSVLAN must be configured on the NetScaler.
  • 10/1 and 10/2 in a LACP port channel (LA/1) connected to internal VLAN(s). Static routes to internal networks through a router on one of these internal VLANs.
    • If only one internal VLAN, configure the switch ports/channel as an Access Port.
    • If multiple internal VLANs, configure the switch ports/channel as a Trunk Port. Set one of the VLANs as the channel’s Native VLAN so it doesn’t have to be tagged.
    • If the networking team is unwilling to configure a Native VLAN on the Trunk Port, then NetScaler needs special configuration (tagall) to ensure HA heartbeat packets are tagged.
  • 1/1 and 1/2 in a LACP port channel (LA/2) connected to DMZ VLAN(s). Default gateway points to a router on a DMZ VLAN so replies can be sent to Internet clients.
    • If only one internal VLAN, configure the switch ports/channel as an Access Port.
    • If multiple internal VLANs, configure the switch ports/channel as a Trunk Port. Set one of the VLANs as the channel’s Native VLAN so it doesn’t have to be tagged.
    • If the networking team is unwilling to configure a Native VLAN on the Trunk Port, then NetScaler needs special configuration (tagall) to ensure HA heartbeat packets are tagged.


SNIPs: You will need one SNIP for each connected subnet. VLAN objects (tagged or untagged) bind the SNIPs to particular interfaces. NetScaler uses the SNIP’s subnet mask to assign IP addresses to particular interfaces.


NSIP: The NSIP subnet is special so you won’t be able to bind it to a VLAN. Use the following SNIP/VLAN method for any subnet that does not have the NSIP. The remaining interfaces will be in VLAN 1, which is the VLAN that the NSIP is in. VLAN 1 is only locally significant so it doesn’t matter if the switch is configured with it or not. Just make sure the switch has a native VLAN configured, or configure the interface as access port. If you require trunking of every VLAN, including the NSIP VLAN, then additional configuration is required (NSVLAN or Tagall).


To configure multiple connected subnets:

  1. On the left, expand System, and click Settings.
  2. On the right, in the left column, click Configure modes.
  3. Check the box next to MAC Based Forwarding and click OK. This configures the NetScaler to respond on the same interface the request came in on and thus bypasses the routing table. This setting can work around misconfigured routing tables. More info on MAC Based Forwarding can be found at Citrix CTX1329532 FAQ: Citrix NetScaler MAC Based Forwarding (MBF).

    enable mode mbf
  4. Add a subnet IP for every network the NetScaler is connected to, except the dedicated management network. Expand System, expand Network, and click IPs.
  5. On the right, click Add.
  6. Enter the Subnet IP Address for this network. This is the source address the NetScaler will use when communicating with any other service on this network. The Subnet IP can also be referred to as the Interface IP for the network. You will need a separate SNIP for each connected network (VLAN).
  7. Enter the netmask for this network. When you create a VLAN object later, all IPs on this subnet will be bound to an interface.
  8. Ensure the IP Type is set to Subnet IP. Scroll down.

    add ns ip -type SNIP
  9. Under Application Access Controls decide if you want to enable GUI management on this SNIP. This is particularly useful for High Availability pairs, because when you point your browser to the SNIP only the primary appliance will respond. However, enabling management access on the SNIP can be a security risk, especially if this is a SNIP for the DMZ network.
  10. Click Create when done. Continue adding SNIPs for each connected network (VLAN).

    set ns ip -mgmtAccess ENABLED -telnet DISABLED -ftp DISABLED
  11. On the left, expand System, expand Network and click VLANs.
  12. On the right, click Add.
  13. Enter a descriptive VLAN ID. The actual VLAN ID only matters if you intend to tag the traffic. If not tagged then any ID will work.
  14. Check the box next to one physical interface or channel (e.g. LA/1) that is connected to the network.
  15. If this is a trunk port, select Tagged if the switch port/channel is expecting the VLAN to be tagged.
  16. If you don’t tag the VLAN, then the NetScaler interface/channel is removed from VLAN 1 and instead put in this VLAN ID.
  17. Switch to the IP Bindings tab.
  18. Check the box next to the Subnet IP for this network. This lets NetScaler know which interface is used for which IP subnet. Click Create when done.

    add vlan 50
    bind vlan 50 -ifnum 1/1 -IPAddress
  19. The default route should use the router in the DMZ, not the internal router. Most likely the default route is set to an internal router. On the left, expand System, expand Network, and click Routes.
  20. On the right, click Add.
  21. Internal networks are only accessible through an internal router. Add a static route to the internal networks, and set the Gateway to an internal router. Then click Create.

    add route
  22. Before deleting the existing default route, either enable Mac Based Forwarding, or create a Policy Based Route, so that the replies from NSIP can reach your machine. To create a PBR, go to System > Network > PBRs.
  23. The source IP is the NSIP, and next hop is a router on the same network as the NSIP. Destination is not needed.
  24. Then open the Action menu, and click Apply.

    add ns pbr NSIP ALLOW -srcIP = -nextHop
    apply ns pbrs
  25. Go back to System > Network > Routes. On the right, delete the route. Don’t do this unless the NetScaler has a route to the IP address of the machine you are running the NetScaler Configuration Utility on.

    rm route
  26. Then click Add.
  27. Set the Network to, and the Netmask to
  28. Make sure NULL Route is set to No.
  29. Enter the IP address of the DMZ (or data) router, and click Create.

    add route

DNS Servers

  1. To configure DNS servers, expand Traffic Management, expand DNS, and click Name Servers.
  2. On the right, click Add.
  3. Enter the IP address of a DNS server and click Create.
  4. Note: The NetScaler must be able ping each of the DNS servers or they will not be marked as UP. The ping originates from the SNIP.
    add dns nameServer

NTP Servers

  1. On the left, expand System, and click NTP Servers.
  2. On the right, click Add.
  3. Enter the IP Address of your NTP Server (or and click Create.

    add ntp server
  4. Open the Action menu and click NTP Synchronization.
  5. Select ENABLED and click OK.

    enable ntp sync
  6. You can click the System node to view the System Time.
  7. If you need to manually set the time, SSH (Putty) to the NetScaler appliances. Run date to set the time. Run date –help to see the syntax.
  8. Ntpdate –u will cause an immediate NTP time update.


Citrix Knowledgebase article CTX200286 – NTP Configuration on NetScaler to Avoid Traffic Amplification Attack:

  1. Replace the following line in /etc/ntp.conf file, if it exists:
    >  restrict default ignore
  2. Add the following lines in file /etc/ntp.conf:
    # By default, exchange time with everybody, but don't allow configuration:
    restrict -4 default kod notrap nomodify nopeer noquery
    restrict -6 default kod notrap nomodify nopeer noquery
    # Local users may interrogate the ntp server more closely:
    restrict ::1
  3. Restart NTP using the following commands:
    > shell
    root@ns# ps -aux |grep "ntp"
    root@ns# kill <PID obtained from step above>
    root@ns# /usr/sbin/ntpd -g -c /flash/nsconfig/ntp.conf


Citrix Knowledgebase Article CTX200355 – Citrix Security Advisory for NTP VulnerabilitiesBy default, NTP is disabled on the NetScaler and, as such, is not vulnerable to CVE-2014-9293, CVE-2014-9294, CVE-2014-9295 and CVE-2014-9296. However, in deployments where customers have enabled NTP on the appliance, it is likely that these vulnerabilities will impact NetScaler.

We recommend that customers apply the following remediation:

Open the NetScaler’s ntp.conf file in /etc and add the following lines:

restrict -4 default notrap nopeer nomodify noquery
restrict -6 default notrap nopeer nomodify noquery

In addition to adding the above two lines, all other ‘restrict‘ directives should be reviewed to ensure that they contain both ‘nomodify‘ and ‘noquery‘ and that the file contains no ‘crypto‘ directives.

When this editing is complete, save the file and copy it to the /nsconfig directory. The NTP service must then be restarted for the changes to take effect. As with all changes, Citrix recommends that this is evaluated in a test environment prior to releasing to production.


Citrix CTX120609 NetScaler Log Rotation and Configuration Using Newsyslog

The NetScaler will by default store a few syslogs on the local appliance. You can create a syslog policy to also send the syslog entries to an external server, like Citrix Command Center.

  1. On the left, expand System, expand Auditing, and click Syslog.
  2. On the right, switch to the Servers tab and click Add.
  3. Enter a name for the Syslog server.
  4. Specify the IP Address of the SYSLOG server, 514 as the port, and the Log Levels you’d like to send to it.
  5. Check the box for TCP Logging if you want the client IP. Note: TCP Logging requires significant disk space on the Syslog server.
  6. Select your desired Time Zone and then click Create.

    add audit syslogAction CommandCenter -logLevel ALL -timeZone LOCAL_TIME
  7. On the right, switch to the Policies tab, and then click Add.
  8. Give the policy a descriptive name, select the Syslog server, and then click Create.

    add audit syslogPolicy CommandCenter ns_true CommandCenter
  9. While still on the Policies tab, open the Actions menu and click Global Bindings.
  10. Click Bind.
  11. Check the box next to the Syslog policy you want to bind and click Insert.
  12. Then click OK.

    bind system global CommandCenter -priority 100

SNMP – MIB, Traps, and Alarms

  1. On the left, expand System, and click SNMP.
  2. On the right, click Change SNMP MIB.
  3. Change the fields as desired. Your SNMP tool (e.g. NetScaler Management and Analytics System) will read this information. Click OK.
  4. This configuration needs to be repeated on the other node.

    set snmp mib -contact -name ns02 -location Corp
  5. Expand System, expand SNMP, and click Community.
  6. On the right, click Add.
  7. Specify a community string and the Permission and click Create.

    add snmp community public GET
  8. On the left, under SNMP, click Traps.
  9. On the right, click Add.
  10. Specify a trap destination and Community Name and click Create.

    add snmp trap generic -communityName public
    add snmp trap specific -communityName public
  11. On the left, under SNMP, click Managers.
  12. On the right, click Add. Note: if you do not add a manager then the NetScaler will accept SNMP queries from all SNMP Managers on the network.
  13. Change the selection to Management Network.
  14. Specify the IP of the Management Host and click Create.

    add snmp manager
  15. The Alarms node allows you to enable SNMP Alarms and configure thresholds.
  16. You can open an alarm to set thresholds. For example, CPU-USAGE can be set to 90% alarm and 50% normal with a Critical severity.

    set snmp alarm CPU-USAGE -thresholdValue 90 -normalValue 50 -severity Critical
  17. You can also configure the MEMORY alarm.

    set snmp alarm MEMORY -thresholdValue 90 -normalValue 50 -severity Critical

From In addition to the usual OIDs, we have found these very useful to warn of potential problems.

  • ifTotXoffSent – .
  • ifnicTxStalls – .
  • ifErrRxNoBuffs – .
  • ifErrTxNoNSB – .

Call Home

Citrix Blog Post – Protect Your NetScaler From Disaster With Call Home!: If you have a physical NetScaler (MPX or SDX) with an active support contract, you many optionally enable Call Home to automatically notify Citrix Technical Support of hardware and software failures.

  1. On the left, expand System and click Diagnostics.
  2. On the right, in the left column, in the Technical Support Tools section, click Call Home.
  3. Check the box next to Enable Call Home.
  4. Optionally enter an email address to receive notifications from Citrix Technical Support. Click OK.
  5. If you go back into Call Home, it should indicate if registration succeeded or failed. Successful registration requires an active support contract.

Change nsroot Password

  1. Expand System, expand User Administration and click Users.
  2. On the right, select nsroot, and click Change Password.
  3. Specify a new password and click OK.

    set system user nsroot Passw0rd

TCP, HTTP, SSL, and Security Settings

Citrix Knowledgebase articles:


  1. On the left, expand System and click Settings.
  2. On the right side of the right pane, click Change TCP parameters.
  3. Check the box for Window scaling (near the top).
  4. Scroll down and check the box for Selective Acknowledgement. Click OK.

    set ns tcpParam -WS ENABLED -SACK ENABLED
  5. On the right, click Change HTTP parameters.
  6. Under Cookie, change the selection to Version1. This causes NetScaler to set Cookie expiration to a relative time instead of an absolute time.

    set ns param -cookieversion 1
  7. Check the box next to Drop invalid HTTP requests and click OK.

    set ns httpParam -dropInvalReqs ON
  8. You can run the following command to see statistics on the dropped packets:
    nsconmsg -g http_err_noreuse_ -d stats
  9. On the left, under Traffic Management, click SSL.
  10. On the right, in the right column, click Change advanced SSL settings.
  11. Change the Deny SSL Renegotiation selection to NONSECURE. Click OK.

    set ssl parameter -denySSLReneg NONSECURE
  12. See CTX209398 Addressing false positives from CBC and MAC vulnerability scans of SSHD to harden SSHD by editing /nsconfig/sshd_config with the following. Then run kill -HUP `cat /var/run/` to restart SSHD.
    Ciphers aes128-ctr,aes192-ctr,aes256-ctr
    MACs hmac-sha1,hmac-ripemd160
  13. Implement Responder policies to prevent Shellshock attack against back-end web servers. See Citrix CTX200277 NetScaler Defends Against Shellshock Attack.
    add audit messageaction ShellShock_Log CRITICAL "\"The request was sent from \" +CLIENT.IP.SRC + \" Bash Code Injection Vulnerability\"" -bypassSafetyCheck YES
    add responder policy ShellShock_policy "HTTP.REQ.FULL_HEADER.REGEX_MATCH(re/\(\)\s*{/) || HTTP.Req.BODY(1000).REGEX_MATCH(re/\(\)\s*{/) || HTTP.REQ.URL.QUERY.REGEX_MATCH(re/\(\)(\s*|\++){/) || HTTP.REQ.BODY(1000).REGEX_MATCH(re#%28%29[+]*%7B#)" DROP ‑logAction ShellShock_Log
    bind responder global ShellShock_policy 10 END -type REQ_DEFAULT

The following security configurations are detailed by Jason Samuel at Mitigating DDoS and brute force attacks against a Citrix Netscaler Access Gateway:

  • Maximum logon attempts on NetScaler Gateway Virtual Server
  • Rate Limiting for IP.SRC and HTTP.REQ.URL.
  • nstcp_default_XA_XD_profile TCP profile on the NetScaler Gateway Virtual Server.
  • Syslog logging
  • External website monitoring
  • Obfuscate the Server header in the HTTP response
  • Disable management access on SNIPs
  • Change nsroot strong password, use LDAP authentication, audit local accounts
  • Don’t enable Enhanced Authentication Feedback
  • SSL – disable SSLv3, deny SSL renegotiation, enable ECDHE ciphers, disable RC4 ciphers. Also see Anton van Pelt Make your NetScaler SSL VIPs more secure (Updated) .
  • 2-factor authentication
  • Command Center and Insight Center
  • Review IPS/IDS & Firewall logs

Management Authentication

Load balancing of authentication servers is strongly recommended since during an authentication attempt only one LDAP server is chosen. If you instead bound multiple LDAP servers it would try all of them and for incorrect passwords will lock out the user sooner than expected.

  1. Expand System, expand Authentication, and then click LDAP.
  2. On the right, switch to the Servers tab. Then click Add.
  3. Enter LDAPS-Corp-Mgmt or similar as the name. If you have multiple domains, you’ll need a separate LDAP Server per domain so make sure you include the domain name. Also, the LDAP policy used for management authentication will be different than the LDAP policy used for NetScaler Gateway.
  4. Change the selection to Server IP. Enter the VIP of the NetScaler load balancing vServer for LDAP.
  5. Change the Security Type to SSL.
  6. Enter 636 as the Port. Scroll down.
  7. In the Connection Settings section, enter your Active Directory DNS domain name in LDAP format as the Base DN.
  8. Enter the credentials of the LDAP bind account in userPrincipalName format.
  9. Check the box next to BindDN Password and enter the password. Scroll down.
  10. In the Other Settings section, use the drop-down next to Server Logon Name Attribute, Group Attribute, and Sub Attribute Name to select the default fields for Active Directory.
  11. On the right, check the box next to Allow Password Change.
  12. It is best to restrict access to only members of a specific group. In the Search Filter field, enter memberOf=<GroupDN>. See the example below:
    memberOf=CN=NetScaler Administrators,OU=Citrix,DC=corp,DC=local
    You can add :1.2.840.113556.1.4.1941: to the query so it searches through nested groups. Without this users will need to be direct members of the filtered group.
    memberOf:1.2.840.113556.1.4.1941:=CN=NetScaler Administrators,OU=Citrix,DC=corp,DC=local
    An easy way to get the full distinguished name of the group is through Active Directory Administrative Center. Double-click the group object and switch to the Extensions page. On the right, switch to the Attribute Editor tab.
    Scroll down to distinguishedName, double-click it and then copy it to the clipboard.

    Back on the NetScaler, in the Search Filter field, type in memberOf= and then paste the Distinguished Name right after the equals sign. Don’t worry about spaces.
  13. Scroll down and click Nested Group Extraction to expand it.
  14. If desired, change the selection to Enabled.
  15. Set the Group Name Identifier to samAccountName.
  16. Set the Group Search Attribute to memberOf.
  17. Set the Group Search Sub-Attribute to CN.
  18. Example of LDAP Nested Group Search Filter Syntax

  19. Scroll down and click Create.

    add authentication ldapAction Corp-Mgmt -serverIP -serverPort 636 -ldapBase "dc=corp,dc=local" -ldapBindDn "corp\\ctxsvc" -ldapBindDnPassword Passw0rd -ldapLoginName samaccountname -searchFilter "memberOf=CN=NetScaler Admins,CN=Users,DC=corp,DC=local" -groupAttrName memberOf -subAttributeName CN -secType SSL -passwdChange ENABLED
  20. Switch to the Policies tab and click Add.
  21. Enter the name LDAPS-Corp-Mgmt or similar.
  22. Select the previously created LDAPS-Corp-Mgmt server.
  23. On the bottom, in the Expressions area, type in ns_true.
  24. Click Create.

    add authentication ldapPolicy Corp-Mgmt ns_true Corp-Mgmt
  25. Click Global Bindings in the right pane.
  26. Click where it says Click to select.
  27. Select the newly created LDAP policy, and click OK.
  28. Enter 100 for the priority, and click Bind.
  29. Click Done.

    bind system global Corp-Mgmt
  30. Under System, expand User Administration and click Groups.
  31. On the right, click Add.
  32. In the Group Name field, enter the case sensitive name of the Active Directory group containing the NetScaler administrators.
  33. In the Command Policies section, click Insert.
  34. Select the superuser policy, and click Insert.
  35. Click Create.

    add system group "NetScaler Admins" -timeout 900
    bind system group "NetScaler Admins" -policyName superuser 100
  36. If you logout:
  37. You should be able to login to NetScaler using an Active Directory account.

CLI Prompt

  1. When you connect to the NetScaler CLI prompt, by default, the prompt is just a >.
  2. You can run set cli prompt %u@%h to make it the same as a UNIX prompt. See Citrix Docs for the cli prompt syntax.

Next Steps

Return to NetScaler Procedures list

Email this to someonePrint this pageTweet about this on TwitterShare on LinkedInShare on FacebookPin on PinterestShare on RedditShare on StumbleUpon

63 thoughts on “NetScaler System Configuration”

  1. Hi Carl,

    My question is about High Availability in Netscaler.
    If I had a Netscaler gateway feature enable, all configuration like portal for Storefront and apps in XA and XD will replicated to the secondary node?

    1. If you’re using Portal Themes in the GUI, then yes. But any files you modified will probably have to be manually copied to both nodes.

  2. i try to upgrade a NS 10.5.56 HA Pair / internal Loadbalancer with NS Firmware, but after upgrade the second node, the virtual servers are red/down, so i dont make a failover, and dont upgrade the primary. or is it normal that the virtual servers are red and down?

    1. It’s normal for them to be down. You can open a service group, click the members line, click Monitor Details to see the reason.

      1. hmm ok, Last Response – Probe skipped – node secondary.
        that sounds, that when i make a failover it will work than?

          1. yep, looks good, but i was afraid, because it looks now not same as in NS 10.5, i mean there in HA Pair you see both nodes, virtual server – green, that is different now, passive node leaves vservers now red 🙂

  3. Thanks for some useful tips for a newbie (especially MAC based forwarding). I believe you may have some issues, though, in the section on Multiple Interfaces/VLANs. At step 19 you add a route to via At step 20 the additional route shows as via which was added at step 16 as being on VLAN 50 (or 172 in the second picture), and you delete the route via At steps 21 & 22 you add it back in again. After some thought, I think I know what the intention is, but the example is confusing.

    1. Looks like I’ve been negligent on my 10.5 documentation. I just changed the screenshot and CLI command. It should be been changing the default gateway to the DMZ VLAN, which in this example is Thanks for noticing.

  4. Hi Carl,

    Great article. I have two queries:

    I have built two vpx with dmz nsip & 2. The primary vpx .1 has a subnet ip (for storefront, cx, backend server, etc) of and a license and cert and monitors/virtual servers configured. I want to create a ha pair. My questions are as follows:
    a. Do I need to license for the 2nd vpx.
    b. Do I need to configure anything on vpx2 – license/subnet ip/monitors, etc – will all that not get synched from the primary vpx. I understood all we had to do was create a nsip on vpx2 and then all get’s synched when the HA is setup.


    1. The 2nd appliance must be licensed.

      The 2nd appliance needs a NSIP. Everything else comes from the 1st appliance except network interface configuration and maybe NTP.

      1. They both have a nsip. only primary has a subnet ip to talk to backend servers. They both have the same number of network interfaces. I don’t know what you mean by “except network interface configuration”

        1. Enable/disable interfaces, put interfaces in LACP channels, speed/duplex settings, etc. Usually not needed on VPXs.

          1. Understood. Apologies for asking the obvious. I have a simple setup nsip in dmz and snip in lan side for backend server and nothing special. Only load balancing xen app deployment. I did assume that HA config will replicate all setting from vpx1 to vpx2 – just wasn’t sure if I needed to configure the snip on vpx2. Looks like I don’t.
            Thanks Carl for you prompt responses 🙂

  5. Hi Carl,

    Great article. I am trying to implement rate limiting and it works well using expressions:


    What I would like to do is exclude our internal subnet from matching this policy as our servers communicate through the NetScaler at a much higher rate this what we want to allow clients to connect, so I implemented this:


    Although it still seems to match/drop my traffic when the rate is reached. Any idea on how to prevent this?


    1. Are you saying the expressions is not matching as it should but the action is performed anyways? Or is there a problem with your expression?

      1. The rate limiter is working but seems to be matching all traffic, even when it’s sourced from a address with the following applied on the selector:


        I’m trying to work out a way to rate limit all traffic globally (HTTP) to 6 requests/per second but excluding any traffic from this policy that has an IP source address of (as is our internal network and is trusted, it also communications at a much higher rate then 6req/sec).


        1. Are you trying to limit each source IP to 6 requests/sec? Or are you trying to limit the total traffic to a URL to be 6 requests/sec?

          I assume you have a Responder policy. Can you simply exclude the subnet from your Responder expression?

  6. Hi,
    How can I redirect incoming users who type one https site to another https site in their browser?
    Thanks in advance.

    1. If on the same VIP then you need a certificate that matches both names. Or you can enable SNI (Server Name Indication) and bind both certificates.

      If different VIPs, simply bind a Responder policy to the whichever one you’re redirecting from.

  7. Hi Carl,

    I have a question about upgrading to version 11 that I have been unable to find a clear answer on. We did a POC with Netscaler VPX 10.5-56.22 using a Platinum license. We have now purchased a standard license which I have applied to my 2 Netscalers. In order to upgrade to Netscaler 11 do I have to create new appliances and move all my settings over? Or can I perform an inplace upgrade? I have upgraded the firmware to version 11 but that does not give me the portal themes feature I want to use.

    1. Carl you are the best! I did have a custom theme applied. Turning it back to default resolved my issue. Thanks for all your help!!!

    1. That KB states at the bottom that VLAN tags ARE supported after 9.3 in the VPX. Check to see if you are using a Legacy type adapter in HyperV. That NIC doesn’t have a large enough MTU support for the VLAN tag. As long as the underlying NIC capability for jumbo frames, it’ll work. Just be careful in switching it out as it’ll likely change the MAC and affect the licensing (need to re-key).

  8. Hi Carl,

    I see recently lots of failovers per day on my version, 10.5 53.9, VPX installation. nsconmsg events show IP address conflicts with the mac-addr of the other node for the NSIP and configured VIP’s before a HA failover occurs.

    41481 254 PPE-0 interface(0/1): No HA heartbeats (Last received: Wed Mar 9 17:30:26 2016
    ; Missed 15 heartbeats) Wed Mar 9 17:30:29 2016
    41482 0 PPE-0 remote node DOWN Wed Mar 9 17:30:29 2016
    41483 0 PPE-0 self node Claiming Wed Mar 9 17:30:29 2016
    41484 0 PPE-0 interface(0/1): HA heartbeats received Wed Mar 9 17:30:29 2016
    41485 0 PPE-0 self node Primary Wed Mar 9 17:30:30 2016

    The configuration sync is no problem. Interface 0/1 configured untagged to the Inside LAN vlan.

    Can you give me a hint how to troubleshoot this ?

    Thanks, Maurice

    1. 53.9 is not exactly a recent build.

      Do you have multiple interfaces? If so, are heartbeats working on all of them?

      1. 53.9 is indeed an old but stable version. If this HA issue is bug related then I may want to upgrade.

        The VPX is 2 armed configured; interface 1/1 connected and configured for DMZ VLAN and 0/1 to internal DATA VLAN. Both nodes show in the output of “show ha node” :

        Interfaces on which heartbeats are not seen : 1/1


        1. Is 1/1 a tagged VLAN? If so, turn off tagging on the NetScaler VLAN then go to the interface in NetScaler and select “Tag All”. This will cause heartbeat packets to be tagged using the “untagged” VLAN ID and the switch should pass them between nodes. This should improve HA reliability..

  9. Hi Carl any recommendations toward to disaster recovering a Netscaler VPX? Can I rebuild the VPX via OVF, and restore using the full backup? If so how do I get the full backup config onto new VPX?

    1. NetScaler 11.0 build 64 lets you import a backup.

      My method is to restore /nsconfig/ssl, restore /nsconfig/license (if MAC hasn’t changed), restore /nsconfig/ns.conf and reboot. Also restore any Gateway logon page customizations.

  10. Hi Carl, wondering if you could help. I have an SDX 11515 and want LDAP authentication to a AD server. I have search filter of memberof=CN=GROUP,OU=ouGroup,DC=TEST,DC=GLOBAL,DC=EUROPE,DC=net however still seems to refuse LDAP. The firewall ports are open on 389 and tested via the SVM using telnet.
    Citrix docs specifiy the following Search Filter—String to be combined with the default LDAP user search string to form the value. For example, vpnallowed=true with ldaploginame samaccount and the user-supplied username bob would yield an LDAP search string of: (&(vpnallowed=true)(samaccount=bob).

    1. Does it work without the filter?

      Have you tried the filter in ldp.exe?

      You can also try it in a NetScaler instance where you have aaad.debug as a troubleshooting resource.

  11. Thanks Carl,
    we just got a new domain name and want to get users using the new URL and be redirected to the current one in access gateway. How can I achieve this in access gateway and ensure users only type and see new one in browser?
    New dns name will also be https, I assume I will have to include an SSL certificate for it.

    1. You can use SNI to bind both certs and use a Responder to do the redirect. Or you can do two different vServers on different VIPs, each with different certs, and configure a Responder on one of them.

  12. Hi Carl,

    thanks for this great site!

    I’m troubleshooting a case where one-arm Netscaler VPX deployment constantly failovers between Netscaler nodes due to HA heartbeat failures (No HA heartbeats).

    I’m thinking the issue is caused by the fact that the both interfaces 0/1 and 1/1 have been configured to the same VLAN.

    Question: In one arm mode, can the second interface 1/1 be disabled or does there always need to be an additional interface to the management interface 0/1?

    1. If you are only connected to one VLAN and there’s no port channel then you should disable all but one interface. On physical appliances, I usually leave 1/1 plugged in and skip 0/1.

      Heartbeat issues could mean that you’re using tagged packets on your management network but the heartbeats aren’t tagged. There’s a workaround for this.

      1. Carl,
        I have a similar one-arm setup on VPX deployment. I have disabled Interface 0/1 to prevent bridge loops and am seeing DNS probes occasionally failing in addition to HA heartbeat failures. HA monitoring can’t be disabled for 0/1 as it isn’t a supported feature on VPX platform. I’m wondering if i need to use 0/1 as the active interface and disable 1/1, also potentially enabling tag all VLANS on 0/1 to resolve heartbeat failure.

  13. Hi Carl,
    i have got a HA Pair in a 2 arm configuration. I wish to convert this to a one arm configuration but I cannot remove the SNIP address – error:an existing route relies on the presence of this subnet.
    I have tried to remove the route I get error:operation not permitted. what is the correct procedure to remove a SNIP?
    I am able to disable the interface and remove the vlan but that is all i can do.
    Any ideas?

    1. Do you have a VLAN object that is bound to the SNIP?

      You can also go to System > Diagnostics > Running Config and search it for your SNIP to see where else it’s being used.

  14. Carl Hello good evening, I have the following question: if I have my domain .local1 + relationship of trust with the domain .local2, should add to the device NetScaler an LDAP server for each domain (.local1 and .local2) so they can access my application server.

    Thank you

  15. Hi Carl,
    you mention the additional SNMP OIDs which are useful for monitoring. Are there any instructions on how to use them,?

  16. Hello Carl, very good article.

    I would not recommend to activate MBF in most of the case.
    I would rather use simple routing table.
    MBF implies the creation of a specific layer 2 table with all clients IP address which is parse for every response.
    MBF should be use only to avoid asymmetric routing on multiple operator routers.

    1. I agree that routing should be properly configured on every appliance. However, there are many scenarios where only MBF will work. For example, if you put NSIP on a dedicated management VLAN and change the default gateway to a different VLAN then you might need MBF so replies to administrators are sent out the management VLAN instead of the default gateway. Sometimes you can use static routes to fix this problem but not always. This is especially important for DMZ NetScalers where NSIP is on an internal management network (not my recommendation).

  17. Carl,

    I followed your guide and im not getting anywhere fast. I had existing LDAP policies that allow for logon to the netscaler if globally bound. I created a secondary policy for one domain to allow only NSAdmins to login. This policy fails to let the users login who belong to that group. aaad.debug is showing a 4009 reject error. I tried with sAMAccountName and also UserPrincipalName.

    1. Try doing the same LDAP Search Filter in ldp.exe or similar. If you look in aaad.debug, it should give you the full LDAP query.

  18. Hi Carl,
    Quick question regarding Licensing. If I have Universal Licenses for 500 users that I want to use on an HA pair. Can I install the same license on both of my NetScalers? or do i have to split them up 250/250?
    I look forward to your reply.
    Thank you

  19. Carl,
    I’ve got NSIP configured as . The default route is (which is an interface on the firewall). I’ve created a VIP for 2 servers – . When I ping the VIP from my inside network I don’t get reply. In the FW I see that the ICMP is allowed and it is going to but when that VIP replies it comes back via Netscaler’s default route. Both and live on the same FW on 2 different interfaces.

    Today I had a call with Citrix regarding this issue. They suggested to add SNIP for network. I did that. So now Netscaler has for SNIP and for VIP (with servers behind it). In the ARP table we now can see (before adding SNIP we couldn’t).
    Well, that didn’t help the issue. We still going through one interface and coming back from another (default one).
    Any ideas what I am doing wrong on NS?

    Thank you,

    1. For replies, NetScaler uses the routing table by default. You can override this behavior by enabling Mac Based Forwarding. When enabled, NetScaler keeps track of which interface the request came in on and responds out the same interface. Otherwise you’ll need to add static routes so it gets back to your PC.

      1. Thanks Carl! That did the trick. I read that the MBF has to be disabled if GSLB is enabled. We do not have that in place but if one day we decide to go that way will I have to disable MBF? If so my current one-arm design won’t work anymore.
        I just don’t want to put something in place and then re-design it in the future.


        1. I’m not aware of any issues with MBF and GSLB. I have many NetScalers with both enabled. GSLB is nothing more than a DNS resolver so GSLB has no special dependency on networking configuration.

  20. I’ve created a new Instance for internal traffic only. Looking at the old Netscaler, which is administered by the application group and which is going to be going away once this new VPX is in place, there’s only 1 subnet used for NSIP, MIP and VIP. Is it a good idea to keep it like that? I prefer not to make many changes to this environment since it is working and I’d like to move everything over to the new Instance as is, without IPs changes.

    Thank you as always!

    1. That’s fine too. Many one-arm configs only have one interface. If that one subnet is different than your SVM subnet then don’t bind the instance to interface 0/1.

  21. Carl,
    I have an SDX with 5 licenses for 5 Instances. I configured the SDX using our internal IP subnet which is associated with interface 0/1 . I’d like to create 1 Instance for 5 different DMZs (VLANs) and 1 Instance for a couple Internal networks.
    When I create a DMZ Instance with VLAN 211 and subnet even though I pointed to our firewall for its gateway the Instance still wants to use interface 0/1 for management. Well, subnet on 0/1 doesn’t get trunked to interface 10/1 (used for DMZs only). So when new Instance is created it comes up as DOWN. When I connect to it under Network-IP-Routes I can see that the static route for default route is pointing to our Internal subnet not the DMZ. The subnet that is issued to interface 0/1.

    So, does my SDXs IP and gateway have to be in the DMZ subnet? Will every new Instance whether it is built for DMZ or Internal traffic need to depend on interface 0/1 ?


    1. When creating the VM, did you uncheck the 0/1 interface? Feel free to uncheck it.

      SDX SVM must be able to communicate with the NSIP of the appliance. I think it uses TCP 22, TCP 80 and TCP 443.

      Do you need to tag the VLAN containing the NSIP? If so then you need to configure NSVLAN or Tagall.

      1. Carl, thank you for replying. I had to recreate the Instance for everything to work.
        So now interfaces 0/1 and 0/2 are unchecked and interface 10/1 has 3 VLANS
        vlan 210 –
        vlan 211 –
        vlan 212 –
        Default route is pointing to which is a trunk interface on the firewall. Firewall is the gateway for all 3 vlans.

        I was planning to add 2 more DMZs to interface 10/1
        vlan 114 –
        vlan 115 –
        The 2 subnets on 10.190.x.x point to the same firewall but they live on a different trunk port.

        In the Instance under Data Interfaces I selected 10/1 with Allowed Untagged Traffic being TRUE and no VLANs listed.
        Under Management VLAN settings I put Vlan 211 as Vlan for management traffic and selected NSVLAN and Tagged (as per your suggestion) and under Interfaces I selected once again 10/1.

        Could you please confirm that all of the above is correct? With all the multiple DMZ subnets and one default gateway I want to make sure that I configure everything correctly.

        Thanks so much!

        1. Are the new VLANs in a different security zone? If so, it is OK for the NetScaler to be connected multi-homed to both security zones?

          With a single traffic domain there is only one routing table and one default gateway. If you create traffic domains (doesn’t work with all features) then you could have multiple routing tables and multiple default gateways.

          By not entering VLANs at the SVM layer, you instead create the VLANs inside the instance. This is how I normally do it.

Leave a Reply