NetScaler 10 VPX - Basic Setup

Posted on 2013-06-20
Last Modified: 2016-10-25
We have NetScaler VPX 10 and people access Citrix XenApp / XenDesktop through it (Access Gateway).

Here is our current setup:

Users access Citrix resources from home using: https//

They get all the published applications and desktops through it.

Now there are some external vendors / consultants that we need to grant access to some internal applications and intranet sites so that they can do their stuff. We do not want them to access our XenApp/XenDesktop stuff.

I was reading that SSL VPN in NetScaler Access Gateway may help to publish directly.

What should our approach be?

Create another Access Gateway Virtual Server?

Create another website?

How many certificates do we need? One for XenApp/XenDesktop and another for SSL VPN?

Any suggestions, please.
Question by:MOQINFRA

Accepted Solution

AdamBNYC earned 500 total points
ID: 39262706
A few questions and a few answers.

Are the applications that the external vendors need accessible through Citrix already? If so, I would just create a new AD group, put the dev accounts in there, and assign the group to the desired application groups within XenApp/XenDesktop.

The reason I would do this is that I prefer not to give a full VPN tunnel to external vendors. If security is of highest concern, I would actually create the vendors their own small XenApp farm, say 2 or 3 virtual servers with the applications that they need. I might even create the farm in the DMZ and control their access based on firewall ACLs.

Back to your original question about whether you need another Access Gateway Virtual Server: the answer is no. You can create the proper policy, tie it to a group within AD for the external vendors, and give them permissions to only get the SSL-VPN option. So when they log in, they will not get ICA proxy, just the full-tunnel SSL-VPN.

This will keep things simpler for you, and you will not have to purchase additional certs or set up additional vServers, VIPs, public IPs, etc.
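One way the group-scoped policy described in the answer above could look in the NetScaler CLI. This is an added example, not part of the original thread or the poster's configuration; the group name, policy and profile names, priorities, and the 192.0.2.0/24 subnet are constructed placeholders. It assumes LDAP group extraction is already working on the existing Access Gateway virtual server, and it adds a default-deny authorization step so the vendor tunnel reaches only the listed subnet.

```text
# Constructed example: every name, priority and address below is a placeholder.

# 1. Local AAA group; the name must match the AD group returned by
#    LDAP group extraction (case-sensitive).
add aaa group Vendors-SSLVPN

# 2. Session profile for vendors: SSL VPN tunnel only, no ICA proxy,
#    no clientless access, and deny any destination not explicitly authorized.
add vpn sessionAction vendor_vpn_prof -icaProxy OFF -clientlessVpnMode OFF -transparentInterception ON -splitTunnel ON -defaultAuthorizationAction DENY

# 3. Session policy that always applies the profile to whoever it is bound to.
add vpn sessionPolicy vendor_vpn_pol ns_true vendor_vpn_prof

# 4. Bind the policy to the group rather than to the virtual server, so
#    existing XenApp/XenDesktop users keep their ICA proxy policy.
#    Assumption: 10 is numerically lower (wins over) the priority of the
#    ICA proxy session policy bound at the virtual server.
bind aaa group Vendors-SSLVPN -policy vendor_vpn_pol -priority 10

# 5. With split tunnel ON, only traffic to intranet applications enters the
#    tunnel. Define the vendor-facing subnet and bind it to the group.
add vpn intranetApplication vendor_intranet ANY 192.0.2.0 -netmask 255.255.255.0 -destPort 1-65535 -interception TRANSPARENT
bind aaa group Vendors-SSLVPN -intranetApplication vendor_intranet

# 6. Authorization: allow only that subnet; everything else falls through
#    to the DENY default set in step 2.
add authorization policy vendor_allow_pol "REQ.IP.DESTIP == 192.0.2.0 -netmask 255.255.255.0" ALLOW
bind aaa group Vendors-SSLVPN -policy vendor_allow_pol -priority 20

# 7. Verify what the group ends up with.
show aaa group Vendors-SSLVPN
```

Test with a vendor account before rollout: the logon should start the VPN plug-in rather than the Web Interface/StoreFront page, and a connection to an address outside the bound subnet should be refused.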

Author Comment

ID: 39263056

The applications haven't been published through XenApp/XenDesktop.

Although they could have been, they have decided that SSL VPN is more secure, as XenApp sessions may give them more access to the environment (which I think is not true). However, I don't have the real answer on why they created a separate virtual server for SSL VPN.

Will you be able to point me to the steps on how I can use the already existing virtual server to add an SSL VPN policy?

And do I have to create a new key and new CSR for the 2nd virtual server (if we choose that), or can I reuse the key that I had created for the 1st cert?

Appreciate your responses.

Expert Comment

ID: 39263073
See here

If you are creating a new virtual server with a different FQDN out on the internet and don't have a wildcard cert for your enterprise, then yes, you will have to create a new CSR reflecting the desired FQDN for the new portal.

Author Comment

ID: 39263285
Will this CSR need a new key, or can I use the key that I had created already (on which my Access Gateway site for XenApp is running)?

Expert Comment

ID: 39263303
On that one, I'm not sure. Admittedly, certificates are a sore spot for me when diving down into these details. Maybe someone else can chime in.

Expert Comment

ID: 39263319
Oh, I also had one more thought to keep in the back of your mind. A VPX 10 can only handle 10 Mbps of traffic. Depending on how many full-tunnel SSL-VPN users you have and what they are transferring, you might hit the ceiling of that virtual appliance.

Author Comment

ID: 39264015
We just purchased the 200 MB license :). VPX200. Need to install the new license.

Author Comment

ID: 39265023
All we need to know is: for a new certificate CSR, do I need a new key, or do I have to use the already existing key which we used for the first Access Gateway virtual server?

Author Comment

ID: 39282385
Finally I created a key and a CSR.

If I have a single site and then use groups as you said, will all users need to have an Access Gateway plug-in for Receiver as well?