asked on How to Access NetScaler admin URL from external source
Hi folks
Client has just had a dead Citrix Access Gateway replaced with a NetScaler VPX 200 (NS11.0: Build 63.16.nc, Date: Oct 4 2015). The installation of the NS has been completed by their hosting partner. All hardware, software and licensing is owned by my client - all hosted in remote data centre.
Install has gone without a hitch and users are able to log in to their XenApp 6.5 portal without fail. All access to the system is using Citrix Receiver. StoreFront not installed.
Now, when the client had their Access Gateway installed, IT could access the admin page, remotely, using the https://portalFQDN/lp/adminlogonpoint and monitor & manage the Access Gateway. Since the NetScaler has gone live, the only way to access the management page (http://10.156.X.XXX/menu/st) is to VPN --> RDP to one of the hosted servers then browse the admin url as an internal resource.
The client would like to be able to have admin access via the same external url that is used for Citrix Receiver - just like with their old Access Gateway - https://portalFQDN/lp/adminlogonpoint. Its the same Web Interface server being used with the NetScaler as with the Access Gateway.
The client has had the hosting company working on this but so far all they have had are: "
Any NetScaler experts able to provide me any pointers on getting it to work?
Thanks
Mark
Client has just had a dead Citrix Access Gateway replaced with a NetScaler VPX 200 (NS11.0: Build 63.16.nc, Date: Oct 4 2015). The installation of the NS has been completed by their hosting partner. All hardware, software and licensing is owned by my client - all hosted in remote data centre.
Install has gone without a hitch and users are able to log in to their XenApp 6.5 portal without fail. All access to the system is using Citrix Receiver. StoreFront not installed.
Now, when the client had their Access Gateway installed, IT could access the admin page, remotely, using the https://portalFQDN/lp/adminlogonpoint and monitor & manage the Access Gateway. Since the NetScaler has gone live, the only way to access the management page (http://10.156.X.XXX/menu/st) is to VPN --> RDP to one of the hosted servers then browse the admin url as an internal resource.
The client would like to be able to have admin access via the same external url that is used for Citrix Receiver - just like with their old Access Gateway - https://portalFQDN/lp/adminlogonpoint. Its the same Web Interface server being used with the NetScaler as with the Access Gateway.
The client has had the hosting company working on this but so far all they have had are: "
Please note that concerning External Admin URL, we checked the NetScaler and we need to enable a mode in order to verify that the link can be accessed externally. This will require a downtime of 30 minutes, and if any issues occurred, then we can revert back the changes directly." Once my client confirmed a suitable slot for down time (last night) the hosting company have come back with
We have carried out the activity at, and the downtime was minimal (few minutes). Following the below email concerning the External Admin URL, we have tried to configure it, but unfortunately it did not work out due to some technical challenges. We are still checking on the issue, and will update you as soon as possible with the options available.
Any NetScaler experts able to provide me any pointers on getting it to work?
Thanks
Mark
Remote AccessCitrixSoftware FirewallsNetScaler
Last Comment
Dirk Kotte
I would advise caution. The management URL is the NSIP or Netscaler IP. That is the default web GUI and incoming SSH.
Normally this is accessible from the DMZ or dedicated MGMT VLAN ID. Not a good idea to allow direct access.
VPN will work if the connection has access to the NSIP IP.
You can enable Secure MGMT GUI on a SNIP but not recommended.
For security reasons I isolate the NSIP and apply an ACL using Netscaler CLI.
I allow SSH and 443 GUI from specific IP addresses for management such as Insight appliance, Command Center, and the internal SNMP collector.
You might want to investigate the Netscaler VPN functionality built-in and separate from Secure Gateway VPN.
I'm referring to the Split-Tunnel and Split-DNS capable SSL VPN that you would implement instead of a competing IPSEC VPN such as Cisco or Juniper.
Using "Themes" on Netscaler ADC you can create a custom VPN Home Page using the management GUI. If you upgrade to firmware 11.63 there are many enhancements to the custom Themes section.
Then you can assign a new FQDN and set custom authentication policies that force LDAP, RADIUS or multiple other forms of authentication to internal AD, RSA, and other authentication services.
Does this help?
Normally this is accessible from the DMZ or dedicated MGMT VLAN ID. Not a good idea to allow direct access.
VPN will work if the connection has access to the NSIP IP.
You can enable Secure MGMT GUI on a SNIP but not recommended.
For security reasons I isolate the NSIP and apply an ACL using Netscaler CLI.
I allow SSH and 443 GUI from specific IP addresses for management such as Insight appliance, Command Center, and the internal SNMP collector.
You might want to investigate the Netscaler VPN functionality built-in and separate from Secure Gateway VPN.
I'm referring to the Split-Tunnel and Split-DNS capable SSL VPN that you would implement instead of a competing IPSEC VPN such as Cisco or Juniper.
Using "Themes" on Netscaler ADC you can create a custom VPN Home Page using the management GUI. If you upgrade to firmware 11.63 there are many enhancements to the custom Themes section.
Then you can assign a new FQDN and set custom authentication policies that force LDAP, RADIUS or multiple other forms of authentication to internal AD, RSA, and other authentication services.
Does this help?
ASKER
Thanks both.
Will check with hosting company next week when I'm back on site.
Will check with hosting company next week when I'm back on site.
ASKER
Hi both
The hosting centre have come back with:
So I have setup the published app and it works fine.
Going to request this question be closed.
Thanks
Mark
The hosting centre have come back with:
Following the issue concerning the External Admin URL issue, please note that due to security concerns, Citrix has removed this feature (Adminlogonpoint) in NetscalerGateway which was available earlier in CAG since it was accessible externally.
The following is the only option now if it needs to be accessed via Internet securely:
• Publish the application IE pointing out to NS GUI URL in Citrix XenApp server.
• Provide access to the Western Mideast & other required Login Credentials only.
• Login to Citrix Web Interface externally (portal.in-evo.ae).
• Launch the IE application and access NS Management Console.
So I have setup the published app and it works fine.
Going to request this question be closed.
Thanks
Mark
ASKER
I've requested that this question be closed as follows:
Accepted answer: 0 points for pappaslim's comment #a41431073
for the following reason:
Solutions provided by other Experts were not how this issue was resolved.
My listed 'solution' is how it was resolved and I think that, given that other users may have found this to be an issue, having the knowledge in the system, might be helpful.
Thanks
Mark
Accepted answer: 0 points for pappaslim's comment #a41431073
for the following reason:
Solutions provided by other Experts were not how this issue was resolved.
My listed 'solution' is how it was resolved and I think that, given that other users may have found this to be an issue, having the knowledge in the system, might be helpful.
Thanks
Mark
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
Sorry - one of those days. Clicked the wrong comment!!!!How can I umark that comment as the solutiuon so that I can give the points?
You have to click "Request Attention" at the bottom of the first post.
So you can leave a message for the mods.
So you can leave a message for the mods.
you may add a secondary IP and a secondary name like https://admin.yourportal.com.
so these secondary IP can be NATed to the admin-interface-IP
also possible with NAT: redirect https://portalFQDN:4433 to adminIP:443