How to Access NetScaler admin URL from external source

Mark Galvin
Mark Galvin used Ask the Experts™
Hi folks

Client has just had a dead Citrix Access Gateway replaced with a NetScaler VPX 200 (NS11.0: Build, Date: Oct 4 2015). The installation of the NS has been completed by their hosting partner. All hardware, software and licensing is owned by my client - all hosted in remote data centre.

Install has gone without a hitch and users are able to log in to their XenApp 6.5 portal without fail. All access to the system is using Citrix Receiver. StoreFront not installed.

Now, when the client had their Access Gateway installed, IT could access the admin page, remotely, using the https://portalFQDN/lp/adminlogonpoint and monitor & manage the Access Gateway. Since the NetScaler has gone live, the only way to access the management page (http://10.156.X.XXX/menu/st) is to VPN --> RDP to one of the hosted servers then browse the admin url as an internal resource.

The client would like to be able to have admin access via the same external url that is used for Citrix Receiver - just like with their old Access Gateway -  https://portalFQDN/lp/adminlogonpoint. Its the same Web Interface server being used with the NetScaler as with the Access Gateway.

The client has had the hosting company working on this but so far all they have had are: "
Please note that concerning External Admin URL, we checked the NetScaler and we need to enable a mode in order to verify that the link can be accessed externally. This will require a downtime of 30 minutes, and if any issues occurred, then we can revert back the changes directly.
" Once my client confirmed a suitable slot for down time (last night) the hosting company have come back with
We have carried out the activity at, and the downtime was minimal (few minutes). Following the below email concerning the External Admin URL, we have tried to configure it, but unfortunately it did not work out due to some technical challenges. We are still checking on the issue, and will update you as soon as possible with the options available.

Any NetScaler experts able to provide me any pointers on getting it to work?

Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
not so simple, because the webadmin use the same port as the virtual server.
you may add a secondary IP and a secondary name like
so these secondary IP can be NATed to the admin-interface-IP

also possible with NAT:   redirect  https://portalFQDN:4433 to adminIP:443
Brian MurphySenior Information Technology Consultant

I would advise caution.  The management URL is the NSIP or Netscaler IP.  That is the default web GUI and incoming SSH.

Normally this is accessible from the DMZ or dedicated MGMT VLAN ID.  Not a good idea to allow direct access.

VPN will work if the connection has access to the NSIP IP.  

You can enable Secure MGMT GUI on a SNIP but not recommended.

For security reasons I isolate the NSIP and apply an ACL using Netscaler CLI.

I allow SSH and 443 GUI from specific IP addresses for management such as Insight appliance, Command Center, and the internal SNMP collector.

You might want to investigate the Netscaler VPN functionality built-in and separate from Secure Gateway VPN.

I'm referring to the Split-Tunnel and Split-DNS capable SSL VPN that you would implement instead of a competing IPSEC VPN such as Cisco or Juniper.

Using "Themes" on Netscaler ADC you can create a custom VPN Home Page using the management GUI.  If you upgrade to firmware 11.63 there are many enhancements to the custom Themes section.

Then you can assign a new FQDN and set custom authentication policies that force LDAP, RADIUS or multiple other forms of authentication to internal AD, RSA, and other authentication services.

Does this help?
Mark GalvinManaging Director / Principal Consultant


Thanks both.

Will check with hosting company next week when I'm back on site.
Mark GalvinManaging Director / Principal Consultant


Hi both

The hosting centre have come back with:
Following the issue concerning the External Admin URL issue, please note that due to security concerns, Citrix has removed this feature (Adminlogonpoint) in NetscalerGateway which was available earlier in CAG since it was accessible externally.

The following is the only option now if it needs to be accessed via Internet securely:
•      Publish the application IE pointing out to NS GUI URL in Citrix XenApp server.
•      Provide access to the Western Mideast & other required Login Credentials only.
•      Login to Citrix Web Interface externally (
•      Launch the IE application and access NS Management Console.

So I have setup the published app and it works fine.

Going to request this question be closed.

Mark GalvinManaging Director / Principal Consultant


I've requested that this question be closed as follows:

Accepted answer: 0 points for pappaslim's comment #a41431073

for the following reason:

Solutions provided by other Experts were not how this issue was resolved.

My listed 'solution' is how it was resolved and I think that, given that other users may have found this to be an issue, having the knowledge in the system, might be helpful.

as explained by Brian Murphy ... Management is reacheble over a dedicated NetScaler-IP
"The management URL is the NSIP or Netscaler IP. That is the default web GUI and incoming SSH.
 Normally this is accessible from the DMZ or dedicated MGMT VLAN ID."  
You may Access this IP from insight-lan also (from published IE it is possible too)
Mark GalvinManaging Director / Principal Consultant


Sorry - one of those days. Clicked the wrong comment!!!!How can I umark that comment as the solutiuon so that I can give the points?
You have to click "Request Attention" at the bottom of the first post.
So you can leave a message for the mods.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial