NetScaler is the industry’s leading web and application delivery controller that maximizes the performance and availability of all applications and data, and also provide secure remote access to any application from any device type. NetScaler products are easily selected by determining the edition providing functional needs and the appropriate physical or virtual appliance platform to fulfill performance needs.

Share tech news, updates, or what's on your mind.

Sign up to Post

Hello.  I've been fighting with my new Netscaler ( - Netscaler is a MPX9700 FIPS)/XenApp 7.15 (Windows 2016) environment a bit.  I am able to successfully get to the StoreFront site directly.  If I try to go through the Netscaler Gateway, I get a 'Cannot complete your request' error.

In troubleshooting, determined we also need to change the port for the acting STA's (Delivery Controller's) to use port 8080 instead of port 80.

I am able to telnet from StoreFront to the Delivery Controller's on port 8080.
I am able to telnet from the Netscaler to the Delivery Controller's on port 8080.
I have verified that the Delivery Controller's are listening on port 8080 by doing a netstat -t.

However - within the Netscaler console, Within the Netscaler Gateway under VPN Virtual Server STA Server Binding, this shows the connections as down.  I have included the port in the path.



Any thoughts on what I am missing?

Thanks in advance.
Citrix NetScaler 12.1 Error: Please ensure Citrix ADC is Synced  to NTP time
I have configured native OTP integrated with Netscaler gateway, hereafter entering the user credentials am able to add my device name, after entering the code by Scanning the QR scanner throwing an error like this... The time between Netscaler, AD and user device effect.
We are changing our certificate authority to SHA2 from SHA1.
Cert authority server has already been setup and now we are changing the crets for member servers and appliances.
As a result we need to change the certificates on our RSA authentication manager from SHA1 to SHA2.
What are the things to keep in mind before changing these certificates?
Do the end user computers need to trust the root CA for these certs?
And if RSA is used for 2 factor authentication on Citrix netscaler then does Citrix netscaler need to trust the root CA as well?

I found the following article to replace the web tier cert:-

Do I also need to change the console and application trust certificates to SHA2?
Citrix NetScaler 11.1 build 53. Is there any way to do reporting for NS Bandwith consumption?
I don't have NS MAS. Not using for Citrix XenApp.  We have some apps to load-balance. We have 10 VIPS for this.
i have traffic coming from outside world to watchguard  firewall to citrix netscaler which goes to internal  asa firewall  and then to internal network.

our citrix netscaler also has the  same certificate for ( service communication certificate)  which is being hosted on our internal ADfs server ( windows server R2)

we dont have ADFS proxy server as of now

recently we had password spray attack on our internal ADFS server

and we could not determine source IP on our internal ADFS server

i wanted to know following:

1) i read in articles  that windows server 2012 r2 has extranet lock out feature and adfs 2016 server also has extranet lock out feature so is there any difference between the 2 as far as
protection from password spray attack is concerned.

im the scenario i explained regarding traffic coming from outside to watchguard firewall - netscaler- asa firewall, where should i place WAP server and how it can help in mitigating password spray attack

are there any good tutorials for upgrading windows server 2012 to 2016 adfs server and how proxy adfs should be configured

we have mailboxes in 365 and ad accounts are synced through aad sync to azure AD.

i came to know from Microsoft that messages are being redirected from office 365 to internal ADFS sever and it is not authenticating , so what other steps i should take

to protect from spray attack just proxy ADFS server is sufficient or some conditional policy should be applied …

We have a site that was working and being accessed externally and internally via the web. The vendor upgraded the system by creating a parallel system. The site is no longer working. The odd thing is there is an app and that part is working but access to the sire via web\browser internally or externally is not working. The site is assigned a dns name as an example We point that to a netscaler (called citrix support and they said netscaler is passing traffic fine) the netscaler then fowards onto the iis server but nothing. However there is an app when we put in, the app is able to connect and has all the functions. Explain may be a confusing, is there any suggestions or questions I can answer to help point in the right direction. We compared the old iis server to the new one an cannot find a difference that is causing an issue. Any help, much appreciated. Thanks,
Citrix Cloud comes with all control layer components, along with NetScaler. But that NS works for only ICA proxy. For Other features we have to opt for Azure market place NetSclaer.
This is last year information. Any latest news on this?
HI Citrix Experts

our citrix environment  has

1-  one netscaler VPX 200 version 12.0
2-  one storefront we have only one store front we will add another one later
3- tow deliver controllers

the SSL certs which installed on all them will expire soon so i need to install the new one

we bought wildcard certificate

my question

should i install the cert one all of them on the seam day to avoid any issue and if yes

with one i have to start

first one delivery controller then storefront then netscaler or how

i want to know what kind of side effects our end users will face from inside and outside or environment during the time when i am installing the new certs or i have to do in one weekend

i will use these guides what do you think

for store front

for delivery controllers

for netscaler

if you have better guides or idea please let me know

Hello.  We are nearly done with our setup of Citrix Netscaler 11.1, using StoreFront 3.15 on Windows 2012 R2 and backend XenApp 6.5 Servers.  Once this is up and running in DR, we can then shift our attentions to using these for our 7.15 environment.

The issue, in our DR systems, the Netscaler Gateway is having trouble reaching Storefront.  So, a user will login to the Netscaler Gateway URL and is able to successfully authenticate with their credentials.  Then the handoff to Storefront just spins in the browser.

So, user logs into ""
This should then go to something like :   ""
But instead goes to:  ""

I am not finding or understand where this is going as I am not finding the right logs to assist.  The logging is a bit limited in the new Netscaler/StoreFront layout or rather more broken up so it's hard to determine what is the handoff it is trying and where it is going.

We are going to do a packet capture next to try to troubleshoot this.  On the StoreFront system, I can only see what is event viewer and the installation logs under the StoreFront directory. Neither are helpful.  IIS just presents the same log entries over and over whether the system is working or doing this behavior.

On the Netscaler, the nslog isn't very helpful in this regard.  nor are the logs in the var/log/ directory on the Netscaler.

Citrix Error: You have not been granted access to this published application
XenApp 6.5
StoreFront Server: sf 3.7
netscaler vpx 11.1
when users are trying to launch applications few users are getting this error.
No Luck, After disabling my published Desktop and re-enabling
In NetScaler Client (V. while connecting we get a delay of approx. 90 seconds within "Phase: Pre Authentication EPA" (after "Successfully loaded EPA library"):
                Phase: Pre Authentication EPA
08:15:26.763 | EVENT   | Initiating EPA SCAN
08:15:56.367 | DEBUG   | configFunction ret= 0
08:15:56.367 | EVENT   | Successfully loaded EPA library 
08:17:24.675 | DEBUG   | ns_EvalPolicy: ANTIVIR_0_RTP_==_TRUE_VIRDEF-FILE-TIME_<_7200 returns 2

Open in new window

Do you have any ideas about this?
Thanks and best regards!
Looking for proper way to setup Storefront to use the Netscaler Gateway and route via ica proxy when launching published apps.  Currently we are finding that users are going direct to the server and the traffic is not presenting a proxy connection.  This was discovered while running a packet capture during an application launch.  So want to ensure that this is setup properly and securely.  When set the way we believe to be correct, we cannot launch published apps, we have to route through HDX to have the applications launch.

Environment -   User will reach Netscaler Gateway, 11.1, this routes to Storefront using the Netscaler Gateway configuration on the Netscalers.  The Storefronts Servers are running on Windows 2012 R2 and running version 3.15.  Our backend XenApp farm is XenApp 6.5.  (We are also setting up a 7.15 farm - still in progress) which will eventually use the existing Netscaler's and Storefront servers.

I have provided some screen shots of the current config on StoreFront.

Also, looking for more detailed logs on what gets logged when you launch an application.

Any assistance is appreciated.

Image #1 - Doesn't work - this is configured to use the named Netscaler Gateway - Get an error, "Cannot Start app"
Image #2 - Works - but is using the Direct HDX Connection and bypassing the Netscaler Gateway - This option also will show me that I'm connected directly to the XenApp server when performing a netstat -n | find "2598" on the client.  This is not …
I have a requirement of setting up XenApp Environment, In two different Geo graphical Locations with DR       and High Availability solution.

This solution also requires netscalers in each Location to allow secure access and HA, XA and Netscalers Environment is not open to internet, will be accessed through vpn from another customer location (Not in the same geographical location where Citrix Environment)      and no dns name resolution.

What is best solution.
I would like to deploy Netscaler MAS in our environment.
Is there any dependency with Citrix netscaler platform license for NS MAS configuration? Any documents can be referred?
Citrix XenAppXenDesktop 7.15 LTSR
Windows 2016 and 10 VDAs
Citrix NetScaler VPX 12.0 -- 4 Numbers
Hello Team

How to enable user access  (Success and Failure) auditing in Netscaler? What is default log size or interval.
How can we retain these logs with out over riding
Appearance Issues - Have a Netscaler v 11.1 sitting in front of StoreFront 3.15.  I am trying to do a couple of things and would like some guidance.  I have provided my current configuration as well.

Things to Solve -
#1 - I have some apps that will Word Wrap properly, but others get cut off as shown in attachment - how to force a wrap?
#2 - How to reduce the amount of white Space between Application Name and Folder
#3 - Has anything evolved to provide a detailed view of the applications like in the previous WebInterface display.

Thanks in Advance.

Current config located in \Inetpub\ctxfolder\Citrix\CitrixStore_web\custom\style.css

.storeapp-icon {
    height: 30px;
    width: 30px;
.storeapp  .storeapp-name {
    position: absolute;
    top: -64px;
    left: 39px;
.folder-count {
    left: 2px !important;
    top: 12px !important;
.storeapp-action-link {
    display: none;
.customAuthFooter {
I am setting up a new XenApp 7.15 .  For now, we'd like to leverage our existing netscaler front ends pointing to StoreFront 3.15 servers that sit on Windows 2012.  From my understanding we can provision a new Store for the new farm.  At some point after extensive testing, we will be archiving our XenApp 6.5 farm, so therefore the thought to use the existing frontend for them.  

So, questions:
  • Can I indeed use the same StoreFront server to route users to two different DNS alias to the XenApp 6.15 farm and one to the XenApp 7.15 farm?
  • I noticed there is only 1 base URL so this is an appendate to setup a seperate store.
  • If so, Am I able to use a secondary IIS site on the same server to separate the XenApp 6.5 from XenApp 7.15?

Are there any other tricks other than defining different STA's in each appropriate farm?

Thanks in advance.
I have two domains with trust between them. VDIs/HSDs are in one domain and users are in another domain. When I do LDAP configuration to which domain my Citrix NetScaler should be pointing to? What is the best practice?
Citrix XenAppXenDesktop 7.15 LTSR
Windows 2016 HSD
Windows 10 VDI
Citrix NetScalser 12.x VPX

In my current environment (XenApp 7.17) the Citrix LHC is not working when we try to connect from NetScaler.

I use the OutageModeForced to simulate a DB connection failure on both Delivery Controllers.
When we try to connect from the internal network (directly to StoreFront), it works fine.

But when we try to connect from the NetScaler, we can download the ICA file, but the Citrix Receiver will be stuck at the "Connection in Progress" stage. After a minute or two we will then receive the error: "The published resource is not available currently".

On the StoreFront servers I can see that the XML service is down on one Delivery Controller (which is normal when failing to LHC).  I then looked into the ICA file to check that the STA server is matching the elected LHC server (with the remaining active XML service) and that the STA server is listed in the NSGW VIP with a green light.

At this point, I don't know what to investigate next to find why the LHC mode is not working from NetScaler connections. Any help would be very welcome thanks. :)

I have  Citrix version 6.0 with NetScaler (5500). How can I connect directly to a Citrix server without pass by NetScaler?

We have 3 published virtual Desktop icons when logging into Citrix NetScaler Gateway.  

1 - Published Virtual Desktop icon = Windows 2012 R2 Server
2 - Published Virtual Desktop icon = Windows 10 Pro. Desktop
3 - Published Virtual Desktop icon = Windows 7 Pro. Desktop

I have a problem that is Laptop specific where when I try to launch the 201 R2 icon from the NetScaler portal (version 12.0) the Citrix ica session opens and then freezes after a couple of seconds and then the session disappears/closes before I see the desktop screen.  Usually the 2012 R2 icon is the only one that UI use; but, I have not used it in a while and now it is just not opening for me.

The other 2 icons are opening up just fine on the same laptop.  If I use other computers or laptops the same 2012 R2 icon comes up and works well.  And if I login as a different user on my 'rouge' laptop (test user) I have the same problem; hence it appears that the proble is specific to the laptop.  What can I do to have the 2012 R2 icon work on my laptop?

The Citrix .ica session launches then it closes after a couple of seconds.  I have seen that before and the fix was to uninstall receiver and to re-install it but that did not work in this case.  Equally important, this problem happens when logged in to the NetScaler Gateway while using different internet browsers (Chrome, internet explorer, Edge); but, it is laptop specific.
We are moving to Netscaler 11.1 using StoreFront 3.15 with a backend of XenApp 6.5.

Trying to find the best way/documentation to understand the best way to follow a session.  It used to be use the Secure Gateway logs and the STA logs.  But with the new flow, having a hard time finding logs to follow a session from end to end.  Or, is this type of logging not on by default and needs to be enabled.  Any help is appreciated.

It will help once I get logging into Splunk for the NetScaler and StoreFront, but as noted until I know what logs are useful and how to get them there, this isn't going to help me.

Once we get this working, will need to complete our new XenApp 7.15 and provision endpoints there from NetScaler and Storefront, so really would like to get a handle on the flow now.

Thanks in advance.
On a Netscaler MPX v11.x is it possible to see the bandwidth being used by a particular VIP?
How about for a particular SNIP?
We have newly deployed Xenapp 7.15 LTSR CU3 on Windows 2016 OS. While launching published applications through Storefront from Win 2016 VDA, our session stuck on Windows Sign in prompt. We are not getting user id & password option. We do have RDS security policy is in place “Always prompt for password upon connection”.
But while launching published desktops, we are getting prompt to enter userid & password options. Does anyone has seen this issue?
We are using NetScaler VPX.
We identified the Issue: We do have RDS security policy is in place “Always prompt for password upon connection”.
If we disabled this policy, issues has been resolved.
But as per security team, this policy is must.
Do we have any Citrix article where it confirmed that, this policy has to disable?
We are planning a VDI solution using Citrix Xendesktop. As part of the VDI solution we have an internal Netscaler VPX to load balance the Citrix Storefront servers. As part of the deployment we also have two exchange servers and I am looking for a load balancing solution for the Exchange servers also. my question is if I can use the same Netscaler Appliance that I wil be using for Citrix Storefront servers to load balance exchange servers as well. I may have to create an additional Virtual server on VPX and does that impact any licenses for the Netscaler or can I use it without any additional cost.






NetScaler is the industry’s leading web and application delivery controller that maximizes the performance and availability of all applications and data, and also provide secure remote access to any application from any device type. NetScaler products are easily selected by determining the edition providing functional needs and the appropriate physical or virtual appliance platform to fulfill performance needs.