NetScaler Insight Center

Last Modified: Nov 6, 2020 @ 7:12 am

This article is for Insight Center 11.0 and older. Consider Insight Center 11.1, which works with older NetScaler appliances.


💡 = Recently Updated


Note: HDX Insight only works with Session Reliability on NetScaler 10.5 build 54 or newer. Older builds, including NetScaler 10.1, do not support Session Reliability with HDX Insight. Read the release notes for your NetScaler firmware build to see the latest known issues with AppFlow, Session Reliability, and High Availability.

Requirements for HDX Insight:

  • Your NetScaler appliance must be running Enterprise Edition or Platinum Edition.
  • NetScaler must be 10.1 or newer. Insight Center 11 does work with NetScaler 10.5.
  • HDX Insight works with the following Receivers:
    • Receiver for Windows must be 3.4 or newer.
    • Receiver for Mac must be 11.8 or newer.
    • Receiver for Linux must be 13 or newer.
    • Notice no mobile Receivers. See the Citrix Receiver Feature Matrix for the latest details.
  • ICA traffic must flow through a NetScaler appliance:


For ICA round trip time calculations, in a Citrix Policy, enable the following settings:

  • ICA > End User Monitoring > ICA Round Trip Calculation
  • ICA > End User Monitoring > ICA Round Trip Calculation Interval
  • ICA > End User Monitoring > ICA Round Trip Calculation for Idle Connections

Citrix CTX204274 How ICA RTT is calculated on NetScaler Insight: ICA RTT constitutes the actual application delay. ICA_RTT = 1 + 2 + 3 + 4 +5 +6:  💡

  1. Client OS introduced delay
  2. Client to NS introduced network delay (Wan Latency)
  3. NS introduced delay in processing client to NS traffic (Client Side Device Latency)
  4. NS introduced delay in processing NS to Server (XA/XD) traffic (Server Side Device Latency)
  5. NS to Server network delay (DC Latency)
  6. Server (XA/XD) OS introduced delay (Host Delay)


For Web Insight, HTML Injection for NetScaler 10.0 is only available in Platinum Edition. In NetScaler 10.1, HTML Injection is available in all editions.

The version/build of Insight Center must be the same or newer than the version/build of the NetScaler appliances.

Insight Center 11 lets you scale the deployment by building multiple nodes. After building the first Insight Center Server, you can go to Configuration > NetScaler Insight Center > Insight Deployment Method to enter some planning data (e.g. # of concurrent ICA connections) and it will tell you the number of Insight Center nodes you should build. The number of nodes is based on the VM specs shown at the top of the page.

In this example, it recommends two Database Nodes and two Connectors. Agents are only used for HTTP traffic. There’s more information at NetScaler Insight Center Deployment Management at

Import Appliance

You can use either the vSphere Client or the vSphere Web Client to import the appliance. In vSphere Client, open the File menu and click Deploy OVF Template. vSphere Web Client instructions are shown below.

You might see this operating system error when not using the vSphere Web Client. Click Yes and proceed. It seems to work.

  1. Download Insight Center for ESX and then extract the .zip file.
  2. In vSphere Web Client, navigate to the vCenter object. Open the Actions menu and click Deploy OVF Template.
  3. In the Select source page, if you see a message regarding the Client Integration Plug-in, download the installer, run it, and then return to this wizard.
  4. In the Select source page, select Local file and browse to the NetScaler Insight .ovf file. Click Next.
  5. In the Review details page, click Next.
  6. In the Select name and folder page, enter a name for the virtual machine and select an inventory folder. Then click Next.
  7. In the Select a resource page, select a cluster or resource pool and click Next.
  8. In the Select storage page, change it to Thin Provision.
  9. Select a datastore and click Next.
  10. In the Setup networks page, choose a valid port group and click Finish.
  11. In the Ready to Complete page, click Finish.
  12. View the progress of the import in the Recent Tasks pane at the top-right of the window.
  13. After the appliance is imported, power it on.

IP Configuration and Multi-Node

  1. Open the console of the virtual machine and configure an IP address.
  2. Insight Center 11 lets you configure a DNS server.
  3. Enter 6 when done.
  4. When prompted for Insight Deployment Type, enter 1 for NetScaler Insight Server. The first appliance must always be NetScaler Insight Server.
  5. Enter Yes to reboot.
  6. Subsequent nodes can be Database Node, Connector node, etc. If you choose one of the other node types it asks you for the IP address of the NetScaler Insight Server node.
  7. Once you’ve built all of the nodes, in the NetScaler Insight Server webpage, go to NetScaler Insight Center > Insight Deployment Management.
  8. Scroll down and click Get.
  9. It should show you the nodes. Then click Deploy.

  10. After it reboots you’ll see the performance of each node.
  11. Since the database is on a separate node, you might want to enable database caching. Go to System > Change Database Cache Settings.
  12. Check the box next to Enable Database Cache.

Initial Web Configuration

  1. Point your browser to the Insight IP address and login as nsroot/nsroot.
  2. Click Get Started

  3. Enter the IP address and credentials of a NetScaler appliance and click Add.

    Note: if your NetScaler appliances require https for management communication then this won’t work. Click Cancel. On the Configuration tab, click System. On the right, in the left column, click Change System Settings.
    Change the drop-down to https and click OK.
    On the left, click Inventory. On the right, click Add.
    Enter the NSIP and nsroot credentials again. This time it should work.
  4. At the top of the page, if desired, check the box next to Enable Geo data collection for Web and HDX Insight.
  5. With Load Balancing selected in the View list, right-click your StoreFront load balancer and click Enable AppFlow.

  6. Type in true and click OK.
  7. Note: if your StoreFront Load Balancing vServer uses Service Groups, you might need to enable AppFlow logging on the Service Group. In the NetScaler GUI, edit the Service Group. In the Basic Settings section, check the box next to AppFlow Logging.
  8. Back in Insight Center, use the View drop-down to select VPN.
  9. Right-click a NetScaler Gateway Virtual Server and click Enable AppFlow.
  10. In the Select Expression drop-down, select true.
  11. For Export Option select ICA and HTTP and click OK. The HTTP option is for Gateway Insight.
  12. The TCP option is for the second appliance in double-hop ICA. If you need double-hop then you’ll also need to run set appflow param -connectionChaining ENABLED on both appliances. See Enabling Data Collection for NetScaler Gateway Appliances Deployed in Double-Hop Mode at for more information.
  13. New in NetScaler 11 is the ability to use SOCKS proxy (Cache Redirection) for ICA traffic without requiring users to use NetScaler Gateway and without making any routing changes. You configure this on the NetScaler appliance. See Enabling Data Collection for Monitoring NetScaler ADCs Deployed in LAN User Mode at for more information.
  14. If you want to add more appliances, click the Configuration tab. The Inventory node will be selected by default.
  15. On the right, click Add.

Citrix Blog PostNetScaler Insight Center – Tips, Troubleshooting and Upgrade

Nsroot Password

  1. On the Configuration tab, expand System, expand User Administration and click Users.
  2. On the right, highlight the nsroot account and click Edit.
  3. Enter a new password.
  4. You can also specify a session timeout. Click OK.

Management Certificate

The certificate to upload must already be in PEM format. If you have a .pfx, you must convert it to PEM (separate certificate and key files). You can use NetScaler to convert the .pfx and then download the converted certificate from the appliance.

  1. On the left, switch to the System node.
  2. In the right pane, in the left column, click Install SSL Certificate.
  3. Browse to the PEM format certificate and key files. If the keyfile is encyrpted, enter the password. Click OK.
  4. Click Yes to reboot the system.

System Configuration

  1. Click the Configuration tab on the top of the page.
  2. On the left, click the System node.
  3. On the right, modify settings (e.g.Time Zone) as desired.

  4. To set the hostname, click Change Host name.

  5. To change the Session Timeout, click Change System Settings.

  6. The ICA Session Timeout can be configured by clicking the link. Two minutes of non-existent traffic must occur before the session is considered idle. Then this idle timer starts. See Managing ICA Sessions at for more information

  7. On the left, expand System and click NTP Servers.
  8. On the right, click Add.

  9. After adding NTP servers, click NTP Synchronization.
  10. Check the box next to Enable NTP Sync and click OK.
  11. On the left, expand Auditing and click Syslog Servers.

  12. On the right, click Add.
  13. Enter the syslog server IP address and select Log Levels. Click Create.
  14. In the Action menu you can click Syslog Parameters to change the timezone and date format.

Email Notifications

  1. On the left, expand System, expand Notifications and click Email.
  2. On the right, on the Email Servers tab, click Add.
  3. Enter the SMTP server address and click Create.
  4. On the right, switch to the Email Distribution List tab and click Add.
  5. Enter an address for a destination distribution list and click Create.


  1. On the left, expand System¸ expand Authentication and click LDAP.
  2. On the right, click Add.
  3. This is configured identically to NetScaler. Enter a Load Balancing VIP for LDAP. Change the Security Type to SSL and Port to 636. Scroll down.
  4. Enter the bind account.
  5. Check the box for Enable Change Password.
  6. Click Retrieve Attributes and scroll down.
  7. For Server Logon Attribute select sAMAccountName.
  8. For Group Attribute select memberOf.
  9. For Sub Attribute Name select cn.
  10. To prevent unauthorized users from logging in, configure a Search Filter. Scroll down.
  11. If desired configure Nested Group Extraction.
  12. Click Create.
  13. On the left, expand User Administration and click Groups.
  14. On the right, click Add.
  15. Enter the case sensitive name of your NetScaler Admins group.
  16. Select the admin Permission.
  17. If desired, configure a Session Timeout. Click Create.

  18. On the left, under System, click User Administration.
  19. On the right click User Lockout Configuration.
  20. If desired, check the box next to Enable User Lockout and configure the maximum logon attempts. Click OK.
  21. On the left, under System, click Authentication.
  22. On the right, click Authentication Configuration.
  23. Change the Server Type to LDAP.
  24. Select the LDAP server you created and click OK.


  1. Go to NetScaler Insight Center > Thresholds.
  2. On the right, click Add.
  3. Enter a name.
  4. In the Entity field select a category of alerts. What you choose here determines what’s available in the Rule section.
  5. Check the box to Notify through Email.
  6. In the Rule section, select a rule and enter threshold values. Click Create.

Geo Map

  1. Download the Maxmind database from
  2. Extract the .gz file.
  3. On the Configuration tab, expand NetScaler Insight Center and click Geo Database Files.
  4. On the right, click the Action drop-down and click Upload.
  5. Browse to the extracted GeoLiteCity.dat file and click Upload.
  6. Click the Inventory node.
  7. Click the IP address for a device in the inventory.
  8. Check the box to Enable Geo data collection for Web and HDX Insight.
  9. You can define Geo locations for internal subnets. Go to NetScaler Insight Center > Private IP Block.
  10. On the right, click Add.
  11. Enter a name.
  12. Enter the starting and ending IP address.
  13. Select a Geo Location. Note that these are not necessarily alphabetical.
  14. Click Create.

Director Integration

Integrating Insight Center with Director requires XenApp/XenDesktop to be licensed for Platinum Edition. The integration adds Network tabs to the Trends and Machine Details views.

If using HTTPS to connect to Insight Center then the Insight Center certificate must be valid and trusted by both the Director Server and the Director user’s browser.

To link Citrix Director with NetScaler HDX Insight, on the Director server run C:\inetpub\wwwroot\Director\tools\DirectorConfig.exe /confignetscaler. Do this on both Director servers.

Use Insight Center

HDX Insight

HDX Insight Dashboard displays ICA session details including the following:

  • WAN Latency
  • DC Latency
  • RTT (round trip time)
  • Retransmits
  • Application Launch Duration
  • Client Type/Version
  • Bandwidth
  • Licenses in use

HDX Insight can also display Geo Maps. Configure Insight Center with Private IP Blocks.

More info at HDX Insight Reports and Use Cases: HDX Insight at

Gateway Insight

Insight Center 11.0 build 65 adds a new Gateway Insight dashboard.

This feature displays the following details:

  • Gateway connection failures due to failed EPA scans, failed authentication, failed SSON, or failed application launches.
  • Bandwidth and Bytes Consumed for ICA and other applications accessed through Gateway.
  • # of users
  • Session Modes (clientless, VPN, ICA)
  • Client Operating Systems
  • Client Browsers

More details at Gateway Insight at

Security Insight

The new Security Insight dashboard in 11.0 build 65 and newer uses data from Application Firewall to display Threat Index (criticality of attack), Safety Index (how securely NetScaler is configured), and Actionable Information. More info at Security Insight at
localized image


Citrix CTX215130 HDX Insight Diagnostics and Troubleshooting Guide: Syslog messages; Error counters; Troubleshooting checklist, Logs

Citrix Blog PostNetScaler Insight Center – Tips, Troubleshooting and Upgrade

See Troubleshooting Tips. Here are sample issues covered in

  • Can’t see records on Insight Center dashboard
  • ICA RTT metrics are incorrect
  • Can’t add NetScaler appliance to inventory
  • Geo maps not displaying

Upgrade Insight Center

  1. Download the latest Upgrade Pack for Insight Center.
  2. Login to Insight Center.
  3. If you are running Insight Center 10.5 or older, on the Configuration tab, go to NetScaler Insight Center > Software Images and upload the file. If running Insight Center 11.0 or newer, you can skip this step.
  4. On the Configuration tab, on the left, click the System node.
  5. On the right, in the right pane, click Upgrade NetScaler Insight Center.
  6. Browse to the build-analytics-11.0.tgz Software Image Upgrade Pack and click OK.
  7. Click Yes to reboot the appliance.

  8. After it reboots, login. The new firmware version will be displayed in the top right corner.

111 thoughts on “NetScaler Insight Center”

  1. We are having a weird issue with our insight information in Director. TCP connections show up fine but enabling EDT and UDP connection don’t seem to show any information.

  2. Carl
    great articles as always. The reporting in the default product is good, however if you want to find something like the different OS’s and client versions that are being used and by whom there isnt a report for that. You would have to click on each user that made a connection and export the data for each indivdual user. Doesnt sound to bad unless you have over 1000 users, then that is a daunting time expensive task.
    Is there anyway to connect to the Insight database to pull / export data?


  3. Hi Carl,
    Great article, as usual. We are presently running Citrix Insight Center 11.0 64.34 and there is an OpenSSL vulnerability detected in this system. Our current Insight center is tied into Citrix Director version 7.7.0 build 6142 We wish to upgrade to Citrix Insight Center 11.0 70.12, will there be any impact on Citrix Director?

  4. Hi Carl,

    We have Netscaler gateway in DMZ and Netscaler load balance (StoreFront, DDC) on internal network, we have placed Citirx Insight center on internal network,

    What is the required to establish the network connection between DMZ netscaler and Insight manager? Please suggest.

    1. Shashi,

      If you’re using Insight Center appliance specifically, you need to have UDP port 4739 open from the NetScaler to the Insight Center appliance in addition to TCP 80/22/443 open from the Insight Center appliance to the NetScaler.

  5. Has anyone else experienced issues with MAS and AppFlow with a SOCKS Proxy in the Mix? I have set this up previously and it worked fine, however at a particular client i am working with, i don’t see the AppFlow policies getting hit when sessions are launched via Storefront – have checked end to end to no avail, reconfigure all the default.ica files, rebuilt the SOCKS configuration, just no hits…

      1. That’s it, literally as per blog post from way back.. Storefront 3.8, multi stores teatwd, setting CR server as ie proxy works, I just never see app flow hits for apps or desktops, in fact the CR server appears to not get hit either (reset all stats to confirm over the next period) ICA files look as they should, nothing in the way that I can see.. Very strange. HDX data captured via UG relatively ok.

          1. I have indeed, also ran through the latest MAS release today. Ill have to double check on the ULFD setting as I updated netscalers a few days back and never heard of the setting so not 100% sure what it does… Seems odd like that my ICA file appears to work yet I see no CR hits.. I would expect it to break if it wasn’t hitting the CR server

        1. Hi James,

          In Socks Proxy mode, the client should first try to connect through the CR Vserver. However, if for some reason if the connection cannot be established with the CR Vserver , the client will try to directly establish the connection with the SF. This is by design.

          As you mentioned that traffic isn’t hitting your CR Vserver, could you please check the connectivity between the client and CR vserver. The other reason could be some error in the ica file (IP address or port number).

          Could you please investigate on these lines.

          Also what version of NS and NMAS build are you using?

          1. Hi Naresh

            Thanks for the reply – I confirmed traffic is hitting the CR Vserver this morning, i was looking at the wrong stats on the front – whether or not its the right traffic is yet TBD…good to know about the direct attempt with a proxy fail though, i wasn’t sure on that part 🙂

            NS ( and MAS (

            Checked to confirm that the default ica file is containing what i expect it to contain – right IP, right port, all reachable from the client, in fact i managed a single hit on my appflow policy today – no idea how it got 1 single hit

            Strange when looking at the CR VServer via CLI, it doesn’t display protocol as HDX, however in the GUI it does

            I am also experiencing errors with HDX data landing on the MAS Appliance via gateway, i am getting the iCA fragments error – on a nice front, Gateway insight seems to be happy

            Thanks for the time

          2. Hi Guys

            Just another follow up on this one – i noticed here: that the ns param -icaPorts 2598 1494 is specified.

            I checked on my deployment here and noticed that the icaPorts param is set to none – would this negate the global binding of an HDX based policy?

            I have rebuilt AppFlow and reverted to insight Center and appflow is working beautifully for gateway connections now, last step is socks

  6. My Netscaler Insight does show me the Data when logged on directly on NSIC Console but not on Director network tab. All counts are zero in director. Where is problem? Im using HTTP. Latest versions netscaler, Director and Insight Center.

  7. Carl-

    I have an issue that Citrix has been unable to fix as of yet. Insight is collecting Data (after an extensive session which ended up rebuilding Insight from 11.0 66.11 to 11.0 68.10. Previously Insight would collect data and I could see HDX in Director, however Insight would sporadically stop collecting data. This seemed to be resolved by a complete rebuild of Insight to 11.0 68.10.

    Now, Insight collects data, however Director is not displaying this data under Network (all other data is displayed). We have upgraded insight from 7.8 to 7.9, removed NULL records from the Monitor DB, reconfigured Netscaler on Director, unconfigured, checked for port activity, telnet to Insight over 80/443, tried HTTP and HTTPS connections, URL and IP, etc…

    Any idea’s?

  8. can we add two appflow policy in a single vserver so that both the policy can capture the appflow data as per the configuration.

  9. Hi Carl,

    Firstly your docs are brilliant, without them I would still be googling and trawling through pages trying to find a resource. Top work.

    I have deployed Insight Center 11.0 after trying 11.1 and then reading “NetScaler must be 10.1 or newer. Insight Center 11.1 does work with NetScaler 10.5 and NetScaler 11.0.”

    My netscaler is 11.0 and I have a platinum license.

    I have added the NS to Insight Center and it appears ok but it does not show any data from the netscaler.

    The only think it does show is license usage under HDX Licenses.

    I left it over night to give it some time but nothing.

    Can you point me in the direction of trouble shooting documentation?



    1. It’s typically a firewall problem. On the NetScaler, run host and see what port numbers and source IPs it’s using.

      1. Hi Carl, I have put the Insight server in the same lan segment as the netscaler and used the snip address. I can see some data being logged just not everything. Under HDX I can see number of users and response times but nothing else.

  10. We are running NS11.0 build 66.11 (Platinum Edition) in combination with Insight Center 11.0 build 66.11.
    We configured AppFlow for WebInsight(HTTP) and HDXInsight(ICA).

    WebInsight works as supposed 🙂
    But we don’t see any data for HDXInsight 🙁

    Both AppFlow policies are getting hits when looking in the Netscaler WebGUI.
    But in Insight Center we only see data for WebInsight.

    Netscaler Gateway virtual server is running behind a Content Switch (Unified Gateway configuration).

    Any idea what’s going wrong here?

  11. hi carl,

    quick check does citrix Insight support appfirewall standalone applliance? i have some issue where i have configure the appflow policy and also appfwall policy but end up i can see inside the insight center security insight it state there no device configured. i test using normal netscaler and didn’t face any issue.

    head banging already.

  12. Thank you, very helpful.

    I do have a database question that I’ve been trying to find for a few days. Can I ship data to a MS SQL database from the connector or are we limited to just the appliance database?

    1. I’m not aware of any way to use SQL. However, you’re welcome to use any AppFlow Collector. Insight Center is not your only option.

      1. With a Platinum platform license on the NetScaler appliance, you can export the HDX AppFlow data to any collector. With Enterprise, however, you can only export it to the Insight Appliance.

  13. The directions for upgrading NetScaler Insight Center are missing a step – after downloading the upgrade Build Pack, you need to Upload it to the appliance. From Configuration, expand NetScaler Insight Center on the left, then click Software Images. On the right, click the Action drop-down, and select Upload. Browse to the downloaded software bundle and upload it to the appliance. THEN you can follow the directions here to upgrade the appliance.

    1. I think in 10.5 and older you had to upload the file separately. But in 11.0, it lets you browse for the upgrade file directly from the upgrade wizard. I will clarify this. Thanks for noticing.

  14. Hi Carl

    thanks again for the blog. I am trying to configure Insight Web for Netscaler 10.5 Std. All required ports(80, 443 and 4739-UDP) are open. But still I get error as”Add operation failed, Reason: Cannot retrieve nslicense resource” while adding Netscalers.
    I have checked both Netsclaer and Inshight IP default configuration enabled access with non secure request.

    Please can you help me?

      1. Even that(port 22) is open from Insight to Netscaler apliance. I still cannot add the Netscaler node with Insight Center. Any suggestion?

        1. Is Secure Access Only enabled on your NSIP? If so, did you configure Insight Center to use https when communicating with the appliances?

          1. Secure Access Only is disabled on NSIP and Insight System both. Shall I need to configure Insight on same VLAN of NSIP?

          2. VLAN shouldn’t matter as long as Insight can route to the NSIP.

            Try doing a network trace to see what’s not working.

          3. Good afternoon,
            Could you indicate how https access to NetScaler insight activated?

            Thank you

      2. The Insight Appliance uses a combination of SSH, HTTP, and HTTPS to configure the appliances. Also, the license level of the NetScaler will be read at configuration time and only Enterprise and higher appliances will be added.

  15. I’ve been struggling to get the “Applications” menu to show i Unified Gateway. The solution was to set the “Web Interface Portal Mode” to COMPACT in the session policy. That made the Application menu to instantly appear.

  16. Hi Carl

    Do I need to pay extra money for Insight Center to monitor Netscaler?
    We have10.5 build Standard license type Netscalers. Can I install insight center straightway without buying further/seperate licenses for Netscaler Insight Center?

    Please suggest.

    1. Standard Edition includes Web Insight (HTTP). To get HDX Insight, you need Enterprise Edition. But you can install the appliance for all editions and use the Web Insight feature.

    1. Web Insight should show you some HTTP traffic assuming you are terminating and re-encrypting. But I haven’t tried it with Exchange.

  17. Hi Carl, thanks a mill. I have it all working but director is sometimes redirecting to insights login page saying the session has expired on killed. Any idea, I am checking the timeouts this morning. thanks in advance

    1. Maybe increase the timeout for Insight? I think Director uses the credentials you entered when integrating with Insight. If those credentials changed then you might have to re-integrate.

  18. Hi Carl ,

    Thanks a lot for the great article.
    Please could you answer one quick query .

    Is it advisable to have 2 Insight centers one at each site (if the Citrix environment has 2 sites in Active-Passive configuration) ?

    1. That’s a good question. Insight is designed to receive info from multiple NetScaler appliances. If you have two different Insight then you have to go to two different places to see data. Also, I think you can only add one Insight to Director.

      For active-passive, it’s probably OK to have separate Insight per datacenter. Active-active is a more difficult question when accounting for failover.

  19. Hi,

    Occasionally (every 2 weeks), our Insight center stops recording stats and the the graph report would be empty. We found that rebooting Insight Center fixes this problem and it would start recording and displaying stats from then on. Do you know how to reboot Insight Center via remote SSH? (so we can put up a scheduled task) — the normal netscaler commands do not seem to work on insight center.



    1. A customer of mine had a similar problem. Citrix claims it’s fixed in Insight Center 11.0 build 64. But we had to flush the data.

  20. Hi Carl,

    Did you also came across an empty network page at director after integration with insight? I’ve got this with ip/fqdn and with http/https, everything works fine at insight center itself and see the ica sessions.

    build versions are 11.63.16 all the way.

    1. Are you Platinum Edition on XenApp/XenDesktop?

      If https, did you specify a FQDN? And is the Insight Center cert trusted by Director and your browser?

      1. Hi Carl,

        Platinum, just upgraded to 7.7, the insight is a clean install.
        ip-address, fqdn and for both http and https the same empty network screen when checking a users latency etc. certificate is trusted, internal pki

          1. IE, Firefox and Chrome, I’ll double check it all then weird, did this a bunch of times first time for this one.

  21. Hi Carl, Great Blog!

    I am trying to add multiple Netscaler ADC HA pairs(one is at version 11, the other is at 10.5) to Insight Center 11. I am only interested in Web-Insight. I have the following questions:

    1. Do I need to configure the Appflow parameters on Netscaler side – Under Configuration>System>Appflow>Change Appflow Settings (I have made some selections based on what kind of traffic I want to be exported but I have a feeling you don’t need to manually configure this on the Netscaler side and that the Insight Center will enable whatever it needs..?)

    2. If multiple HA pairs are to be configured to export flows to Insight Center, do I need to specify the “Observation Domain Name” & “Observation Domain ID” parameters (these appear on the same menu I mentioned in step 1 – these are not mandatory fields btw) to differentiate one HA pair from the other?
    Presently working on 1 HA pair (11.0) at the moment – I was initially using a random Observation Domain ID but that didn’t work. I removed the Observation Domain ID and Name and the flows started exporting (It selected the default ID of 0). Curious how it will differentiate when I add the 2nd HA pair..

    3. How do you/ Can you export flows for Authentication VServer on Netscaler to Insight Center. (I am not using NS Gateway feature, just using NS Auth Vserver for AD Authentication to permit access to certain Apps).

    Thank you.

    1. 1. Insight Center will configure everything on the NetScaler, including HTTP Injection.
      2. Insight Center groups the AppFlow traffic based on the device (appliance) IP.
      3. I don’t think Auth vServer is one of the options for enabling AppFlow.

  22. Hurts that this still doesnt seem to support using xenith pro terminals… Socks proxy or access gateway configurations don’t work with xenith devices – only reference around the lack of support is in the back of a cloud bridge guide for appflow (all other doco claims its supported) …lots of wasted hours trying to get this to work – fantastic for non wyse devices though ….

    Latest netscaler, latest insight, latest firmware on xenith pro range – no dice

    1. The issue with Xenith terminals, is that Citrix has blacklisted their receiver agent id on the NetScaler, since they did’t go through Citrix QA apparently. You can disable the whitelist on the netscaler using nsapimgr.

      1. Hey Dean

        Now that is very interesting….I can’t say I am surprised though…the Xeniths seem to be in a constant state of “almost”…. Have you had any luck in altering the list?


  23. Hi Carl – Great write-up! I’m definitely a fan of your articles they are very informative. Quick question have you ever seen an issue with Director integration when using HTTPS w/Insight? I am able to view the data when using HTTP assuming I configure the browser to display ‘Mixed content’, however, when using HTTPS I get a ‘No data is available. Network unreachable.’ I can view the data from within Insight Center without issue. Any thoughts?


    1. When you configured Director integration, did you specify a FQDN that matches the cert on the Insight appliance? Is the cert trusted?

      1. Hi Carl, thanks for the quick response! For the Director integration piece I specified the IP address of the NetScaler Insight appliance in the PoSH command. I’m not sure where to specify an FQDN with the PoSH command. The certificate on the appliance was taken directly from IIS on the Director server as PFX, converted to PEM via NetScaler, and uploaded and installed to Insight. The certificate is an external wildcard cert and is trusted.

        1. Your Insight Center appliance has an IP address. You need an FQDN that resolves to that IP. And you need a cert on the Insight Center appliance that matches that FQDN.

          When you run the config command on Director, when it asks you for the Insight Center address, enter the Insight Center FQDN instead of entering the IP.

  24. Hi Carl

    Just a heads up, Session reliability is broken in current NetScaler 10.5 build 59.13 and earlier firmware as noted in the release notes when configured for AppFlow.

    If a NetScaler HA failover occurs when ICA AppFlow is enabled, the session reliability feature does not function.

    [#456218, 438710]

    Applications might fail to launch if you enable AppFlow for ICA on a NetScaler ADC and session reliability on the XenApp or XenDesktop server.


    It should be noted I’m currently experiencing the same issues on the latest NetScaler 11.0 build 63.16 although it is not listed in the known issues. (the above known issues are not listed in the release notes for the just released 10.5 build 60.7 anymore, however it is also not listed in the fixed issues.

    1. Further update regarding SR and AppFlow. SR is supported with AppFlow but not for HA Failover, additionally this function is not planned for inclusion. Instead ACR is utilised for HA Failover events – however this currently does not function due to a bug with Receiver and NetScaler Gateway.

      The important note here is that SR support for HA Failover will not work and support will not be added for this function. SR will however still work client side to mitigate against client connectivity issues.

  25. Hi,
    i don’t know if this thread is still alive .
    i downloaded the geo data db and configure it as mentioned above but i have two issues :
    1- i don’t have the “IP private block ” option under ” Netscaler Insight Center”
    2- i don’t see the map

    Any help would be appreciated .




  26. Could you elaborate this please? I was told that you can monitor NetScaler version 10.5 appliances with Insight Center version 11. Also I was told it is possible monitor Standard version as well, real time data only though.

    “Your NetScaler appliance must be running Enterprise Edition or Platinum Edition.
    NetScaler must be 10.1 or newer. Insight Center 11 does work with NetScaler 10.5.”

    1. The appliance has a sizing tool. Once you import the first appliance you can use the sizing tool to determine if you need more appliances.

        1. No idea. If only one VLAN, I usually disable one of the interfaces in the NetScaler GUI. It might be assuming 0/1 is mgmt and 1/1 is data.

  27. Carl, you forgot a step in upgrading images… Before you can go to System and upgrade, you have to go to NetScaler Insight Center/Software images and upload it there. Then it will appear in the window in step 5….

  28. HI all,
    When I go to Authentication Configuration and select LDAP for server type and my server name under Server name, then click ok, I get the following error:

    “Please select the primary server name”

    Any idea as what could be happening? I cannot find anything on Google.

    1. I always change it to Server IP and enter an IP.

      For Server name, you probably first have to create a server under Traffic Mgmt > Load Balancing > Servers.

      1. LDAP is broken in 11.0 build 62.10 – This is a confirmed issue with a fix included in 11.0 build 63.16.

        To resolve the issue upgrade to the latest NetScaler Insight Center release

  29. Hi Carl,
    Excellent Info. When viewing ICA RTT in Director for XD 7.6 running Windows 7 VDA, it displays N/A. Citrix policies have been applied as above, they exist in registry Citrix policies on VD, EUEM Service auto and started. Is something else missing.

  30. Hi Carl,
    Thanks a lot for all you hard work.
    One question, on a standard netscaler there’s a option to create a Certificate request. This option isn’t available on the HDX insight. Can you explain how I can create a request file?

    1. I usually create it on IIS, export it to .pfx, use NetScaler to convert it to PEM, download the PEM file from NetScaler, and upload to Insight Center. Or you can use openssl to convert PFX to PEM.

  31. Hi Carl, Have you seen an issue with the Geo Map not showing within the Dashboard? I have loaded the same database as described in your article, however when attempting to view from the World window, a constant loading icon is displayed and no map provided. Note that the Geo IP collection for Web and HDX Insight has been enabled on the NetScaler node within Insight also.

Leave a Reply to Magnus Cancel reply

Your email address will not be published. Required fields are marked *