NetScaler is the industry’s leading web and application delivery controller that maximizes the performance and availability of all applications and data, and also provides secure remote access to any application from any device type. NetScaler products are easily selected by determining the edition providing functional needs and the appropriate physical or virtual appliance platform to fulfill performance needs.

Appearance Issues - Have a Netscaler v 11.1 sitting in front of StoreFront 3.15.  I am trying to do a couple of things and would like some guidance.  I have provided my current configuration as well.

Things to Solve -
#1 - I have some apps that will Word Wrap properly, but others get cut off as shown in attachment - how to force a wrap?
#2 - How to reduce the amount of white space between Application Name and Folder
#3 - Has anything evolved to provide a detailed view of the applications like in the previous WebInterface display?

Thanks in Advance.

Current config located in \Inetpub\ctxfolder\Citrix\CitrixStore_web\custom\style.css

.storeapp-icon {
    height: 30px;
    width: 30px;
}
.storeapp .storeapp-name {
    position: absolute;
    top: -64px;
    left: 39px;
}
.folder-count {
    left: 2px !important;
    top: 12px !important;
}
.storeapp-action-link {
    display: none;
}
.customAuthFooter {
    /* declarations not included in the post */
}

I am setting up a new XenApp 7.15. For now, we'd like to leverage our existing netscaler front ends pointing to StoreFront 3.15 servers that sit on Windows 2012. From my understanding we can provision a new Store for the new farm. At some point after extensive testing, we will be archiving our XenApp 6.5 farm, so therefore the thought to use the existing frontend for them.

So, questions:
  • Can I indeed use the same StoreFront server to route users to two different DNS aliases, one to the XenApp 6.15 farm and one to the XenApp 7.15 farm?
  • I noticed there is only 1 base URL so this is an appendate to set up a separate store.
  • If so, am I able to use a secondary IIS site on the same server to separate the XenApp 6.5 from XenApp 7.15?

Are there any other tricks other than defining different STAs in each appropriate farm?

Thanks in advance.

In my current environment (XenApp 7.17) the Citrix LHC is not working when we try to connect from NetScaler.

I use the OutageModeForced to simulate a DB connection failure on both Delivery Controllers.
When we try to connect from the internal network (directly to StoreFront), it works fine.

But when we try to connect from the NetScaler, we can download the ICA file, but the Citrix Receiver will be stuck at the "Connection in Progress" stage. After a minute or two we will then receive the error: "The published resource is not available currently".

On the StoreFront servers I can see that the XML service is down on one Delivery Controller (which is normal when failing to LHC).  I then looked into the ICA file to check that the STA server is matching the elected LHC server (with the remaining active XML service) and that the STA server is listed in the NSGW VIP with a green light.

At this point, I don't know what to investigate next to find why the LHC mode is not working from NetScaler connections. Any help would be very welcome, thanks. :)

We have Citrix XenApp 7.15 update 1.

We have two delivery controllers. We noticed when we restart one of the two, we run into issues launching apps for about 5 minutes or so. We noticed when we look at Studio, it shows that VDAs are readjusting to point to the "up" delivery controller. This could take up to 5 minutes; during that time, logging in is temporarily on hold, and so is launching applications.

Any idea why that happens and how we can reduce that time before we restart a DC?

Hi, I am looking to configure MFA for a Citrix NetScaler using Symantec VIP. I was wondering, does anyone know if Symantec VIP requires an on-prem server for authentication or does the NetScaler just access the Symantec VIP Cloud offering directly?

How can I view logging regarding state changes of NetScaler Gateway Virtual Servers? After upgrading to the latest version, sometimes users are getting to the proper login page and desktop and other times they are redirected to a default site.

NetScaler (11515)
 NS11.1: Build 57.13.

Has anyone used the Netscaler content switching to have information from an internal server get published on an external hosted ERP Website?
Basically I am trying to take an internal Tableau Server to Netsuite.

Citrix Netscaler 12.0 ReWrite Policy


I am currently implementing a rewrite policy on my Netscaler testing environment to be able to insert a footer on the login page to inform users of anything they need to be aware of. The policy is working as expected; however, when making a change to the policy, it is not reflecting the change on the logon page. It seems to be cached, but I am unsure where. I have tried 2 different browsers and also re-creating the Virtual Server and rebinding the policy. I am following this guide:

Any help would be appreciated.


We are looking to implement Windows Hello for Business in our environment.

On Citrix Environment:

XenApp 7.16
Windows 2016 Backend and VDA
NetScaler VPX NS11.1
Azure MFA (On-Prem) Radius
StoreFront 3.13
On AD side we meet all the requirements for Windows HFB

We introduced MS AD FS On-Prem as part of the Hello For Business prep.


Since Windows HFB works using Hardware TPM (or Software Substitute), curious how Citrix will handle that with a XenApp shared Desktop environment.


Any Thoughts, Links for Citrix+ Hello For Business, guidance, etc are welcomed.

We have one user that receives: Error: not a privileged user when she attempts to connect through the web interface to our Netscaler for VPN access to our network. Assuming this must be something incorrect with her local client software but can't figure out what or why? We have tried re-installing it. We have 200+ users using the same web url and method to connect from home and do not receive this error. Can anyone help with some basic instructions? We are not sys admins and they have not responded...we just need to get her working. Thanks for any assistance.

Hello All,

I am about to implement Sharefile with Storage Zone Controllers on premises using the Setup Netscaler for Sharefile wizard.
In the first screen of the wizard in the "Load Balancing Virtual server configuration", there is a checkbox asking to configure Storage Zone Connectors for file shares. I am wondering if I will need to check this option since I will not be configuring any client or deploying XenMobile. What I want Sharefile for is to be able to configure users in the Sharefile control plane (Citrix Portal) and grant them access to upload documents through this portal. Also I would like to be able to share documents via a URL sent in an email.
Would I need to check the connectors check box in my scenario?

We have a netscaler VPX allowing external access to our Citrix environment; we are using gateway direct authentication on the web interface site. The authentication policies on the netscaler are pointing to our ISE radius servers.
We have 2 x domains, eame and mod. If an eame user logs in they can connect with no issues; if a mod user logs in they are authenticated but then get the 401 access denied error. I have gone through 100's of posts about this and everything looks fine and works for the eame users. Any help is appreciated.

Hi all

We have recently implemented a pair of Citrix Netscaler VPX200 devices. Along with these we have setup Citrix Command Center to monitor the status/health of the devices and report back via e-mail.

Within the SSL VPN Session Profile configuration on the Netscalers we use an IP Pool which will assign an IP from a range to be used to allow the client to talk to the internal network. This is due to our proxy servers ignoring requests if they are from a 192.168.x.x range, which most home networks are.

Whilst the reporting of the Netscaler from Citrix Command Center is working as it should, it is detecting the IP Pool assignments as separate 'Entities' and therefore reporting on them. When a user logs off the VPN, it detects this entity as being down and sends out an alert. I can't change the severity of the 'Entity Down' alert as this will let us know if any loadbalancers or virtual servers go down.

Does anyone know a way around this, such as a rule which will ignore the VPN IP Pool from alerts, or something similar?

Many Thanks

Hi all
I have now successfully setup my Citrix Command Center to poll my 3 Netscalers, and send out alerts via E-Mail.
However we use an IP Pool of 250 IPs which will get assigned to users using our SSL VPN via Netscaler. When a user disconnects from the VPN, Citrix Command Center detects this under an EntityDown error and e-mails me.

I know I could change the severity of the EntityDown failure, however it does report on legitimate objects within Netscaler.

Does anyone know a way to keep the alerts of EntityDown, but exclude the IP Pool from it?

Many Thanks

Hi Experts,

We are facing an issue with our netscaler environment as the state for 2 ADFS servers (internal) is showing as Down.  Because the ADFS servers are showing as down the requests are not redirecting causing issues with users accessing emails and SharePoint.

I have resolved this temporarily by redirecting traffic to our standby ADFS server; however, we need to get the production server up and running on netscaler. Both the servers are online and I can ping and RDP to these servers. It's a 2008 R2 server with ADFS 2.0 and I can access the management console for ADFS and no issues really there.

I have attached a couple of images to show what we are seeing in netscaler and hopefully this helps. It seems that it is trying to connect to the internal ADFS server on port 443 but unable to.

Hoping someone has come across these issues before and would be able to assist me.

Thanks for your help.

After upgrading citrix netscaler vpx to 11.0-66.11 from version 10.5 the Netscaler Gateway function was coming up as unlicensed.
This netscaler had been working for more than a year.
So thinking that the license may have expired I went to mycitrix and allocated a license that was valid till 2017.
After applying the license the Netscaler was showing as licensed but the VIP was showing as down.
Upon checking the VIP it did not have a certificate assigned to it.
On going to manage certificates I could see the actual certificate there.
So I went to Traffic Management -> SSL -> Certificates and tried to install the certificate again.
On filling all the fields and clicking install I received the error - "Certificate with key size greater than RSA512 or DSA512 bits not supported".
Our certificate was generated with a key size of 2048 but had been working OK with netscaler OS version 10.5.
Please advise if anyone has seen this before and what can I do to resolve the issue.

We have an issue that we are trying to help a client resolve; unfortunately both of us don't know enough about this Citrix connection we inherited. They have a Netscaler GW server on VPX that provides the portal for users' incoming connections both on our internal LAN and through the firewall for external users.

We now have a point to point, Layer 2 connection with a separate VLAN. We are able to ping the IP of our URL to the internal IP address but we don't get a return from the web server for the portal login page. All our other traffic is routing fine between the two VLANs, which makes us think there is some additional firewall setting or issue within the Netscaler itself.

Is it possible to add the reCaptcha v2 widget into the logon page for NetScaler 11.x application gateway? Management would like to use reCaptcha in conjunction with AD auth as the initial part of login and then, based on client group, direct the user to the applications or to RSA for secondary auth for sensitive applications.

Hi, I have a website running IIS 8.5 (win 2012 R2) which runs over HTTP. I have a virtual directory within the same website which I want to secure over HTTPS.
I have both HTTP & HTTPS bindings for the website.

I have a citrix netscaler in front of the website which has been configured to perform SSL offload. The service on the netscaler which sends traffic to the website is both HTTP & HTTPS.
I have disabled anonymous authentication and enabled basic authentication for the virtual directory; however, I have not checked the 'Require SSL' box for the Virtual Directory.

When a client connects to the Virtual Directory via HTTP they get prompted for username & password and if they enter this, it lets them in; the same happens if they connect via HTTPS.

What I need to do is redirect/rewrite the HTTP connection just for the Virtual Directory so that it forces it to be a HTTPS connection. Any ideas?

Many thanks

I am trying to figure out a piece of puzzle with my new Citrix Xenapp 7.6 installation (my first of this edition).

I have one Xenapp terminalserver, one storefront server and one Netscaler gateway.

I can input my information (link) into Citrix Receiver from outside my local network and be able to launch applications and desktops directly from within the Receiver. But when I try to do the same from inside my local network it will not work. It just refuses to accept the link/logon.

There is probably a simple resolution, and misconfiguration by me.

I appreciate any responses from you Citrix gurus :)

Hello all,

I have configured EPA using a preauthentication policy. This works; however, mobile devices are unable to connect and I expect this to become a problem sooner rather than later so am working on a solution. I configured the scan within the session action as suggested here by Punit:

This seems to work however Windows machines are able to skip check and still gain access rather than being denied.  And knowing that, on mobile devices I hit skip check to bypass.  I am not sure: should I be seeing the EPA prompt at all on mobile devices and, if I am, does that mean that the 'REQ.HTTP.HEADER User-Agent' check in the session policy expression is failing?

So I have two questions. 1. Is there a better way to enable EPA but provide a bypass for mobile devices? and 2. How can I force a 'skip check' to = a failed scan and deny access?

Netscaler 10.5
Xenapp 6.5

I am currently using RNAT to grant our internal workstations internet access.

Is there a way to monitor/restrict these outgoing connections?


Thank you.

I am building a Citrix 7.6 environment to host an application for external access. I am under the impression I need a Netscaler device (Which I've seen for like $15k) to make that happen. Can anyone please confirm this? Can I get external access without a Netscaler?

Hi all,
I have a Citrix XenApp 6.5 farm that has 26 Xenapp servers, 2 Data Collectors, 2 web servers and 2 storefront servers. Also using a Netscaler for Load balancing.

In the mornings between 7 - 8 some users are having a connection issue trying to log in. Not all users just some. And the ones that may have a problem today will not have the problem tomorrow but other users will.

Everyone comes in at 8:00 AM so that's high volume time, but I get the early birds that have trouble as well.

The exact error when they type in their username and password to authenticate is: the remote server failed to execute the application launch requested.

And yes I am running PRE_LAUNCH applications, however I disabled them this morning.





