NetScaler is the industry’s leading web and application delivery controller that maximizes the performance and availability of all applications and data, and also provides secure remote access to any application from any device type. NetScaler products are easily selected by determining the edition providing functional needs and the appropriate physical or virtual appliance platform to fulfill performance needs.

From Citrix NetScaler Enterprise VPX 1000, where can we get the information to which SF server user is connected to?
I have 2 Citrix StoreFront servers.
Citrix 7.15 and 6.5 Environments.

Trying to find a document to secure the Citrix Director when you have multiple Delivery Controllers when my workstation crashed. Sad part is I was pretty far into this, but can't find the document again - my bad for not marking it. I have already set up the Virtual server and server group on the Netscaler. However, I need to do the last piece to do the redirect to secure this so I can point to the VIP for management.

Basically, I am trying to publish the VIP in DNS to access Citrix Director from a published app so I don't need to publish each individual one and this to be https and not http.

Any thoughts on where this document is?  I can't believe I can't find it.  

Thanks in advance.

Configured a new global set of IPs (for failover purposes) for my corporate iPhones to sync their mail through. We use AirWatch as our MDM solution. We have our European and US IPs load balanced using Netscalers.

The problem is when we have our phones connected to an outside network such as Verizon it works perfectly, but when I am connected to an internal network such as my office or home network it does sync mail, it just hangs. As soon as I turn off the wireless on the iPhone it syncs! Very very odd...

Any ideas?

Citrix ADC VPX 1000 Management CPU is always using 100%. As per the below carlstalhood article, we can change CPU Yield to YES from Default. But this change is required for VPX 200 and lower only. If I do the same change on VPX 1000, is it effective, or will it hamper VPX performance? Please suggest.

NetScaler 12 packet engine consumes 100% of the hypervisor CPU. VPX 200 and lower only have one packet engine, so it’s probably consuming around 50% CPU.
Citrix ADC VPX packet engine consumes 100% of the hypervisor CPU. VPX 200 and lower only have one packet engine, so it’s probably consuming around 50% CPU. -- is also recommending the same setting change. But not given any supported VPX Version.

Citrix ADC (NetScaler) 12.1, how can I get to know who did the last reboot in the NS VPX?
From NS VPX console or any PuTTY commands, please share.

We are running Netscaler MPX9700 FIPS devices (11.1.57) with StoreFront to access our XenApp 6.5 and new XenApp 7.15 environments. I have found recently that our Mac users are getting the following message "You have not chosen to trust "GeoTrust TLS RSA CA G1", the issuer of the server's security certificate" when trying to launch a published app. PC users are not having this issue with Chrome, Internet Explorer or Firefox. Mac users on the other hand see this issue if using Chrome. They are using version 1912 of Citrix Workspace.

The Mac users are able to get around this message by installing the certificates in their browser.  From reading, this is something I need to address on the Netscaler rather than users having to address something on their side.  I believe our PC users will receive the same message when they move to a newer Workspace client.  We are currently using Receiver 14.12 on the PC side.

I'm looking for more information as the Certs on the Netscaler are not showing a missing path and can't determine what is missing.

Thanks for any help to point us in the right direction.

Hello. We are using Netscaler with StoreFront 3.15 pointing to a XenApp 7.15. Since we no longer have the option for a list of apps and have to use the grid, wondering if there is a way to create additional folders within a Category to help with organization?


Thanks in advance.

Hello. I've been fighting with my new Netscaler ( - Netscaler is a MPX9700 FIPS)/XenApp 7.15 (Windows 2016) environment a bit. I am able to successfully get to the StoreFront site directly. If I try to go through the Netscaler Gateway, I get a 'Cannot complete your request' error.

In troubleshooting, determined we also need to change the port for the acting STAs (Delivery Controllers) to use port 8080 instead of port 80.

I am able to telnet from StoreFront to the Delivery Controllers on port 8080.
I am able to telnet from the Netscaler to the Delivery Controllers on port 8080.
I have verified that the Delivery Controllers are listening on port 8080 by doing a netstat -t.

However - within the Netscaler console, within the Netscaler Gateway under VPN Virtual Server STA Server Binding, this shows the connections as down. I have included the port in the path.



Any thoughts on what I am missing?

Thanks in advance.

Citrix NetScaler 12.1 Error: Please ensure Citrix ADC is Synced  to NTP time
I have configured native OTP integrated with Netscaler gateway. After entering the user credentials I am able to add my device name; after entering the code by scanning the QR scanner, it throws an error like this... The time between Netscaler, AD and user device effect.

We are changing our certificate authority to SHA2 from SHA1.
Cert authority server has already been set up and now we are changing the certs for member servers and appliances.
As a result we need to change the certificates on our RSA authentication manager from SHA1 to SHA2.
What are the things to keep in mind before changing these certificates?
Do the end user computers need to trust the root CA for these certs?
And if RSA is used for 2 factor authentication on Citrix netscaler then does Citrix netscaler need to trust the root CA as well?

I found the following article to replace the web tier cert:-

Do I also need to change the console and application trust certificates to SHA2?

Citrix NetScaler 11.1 build 53. Is there any way to do reporting for NS bandwidth consumption?
I don't have NS MAS. Not using for Citrix XenApp.  We have some apps to load-balance. We have 10 VIPS for this.

I'm looking for some assistance with nFactor, where the requirement is to configure the Two Factor for two different Tokens "RSA" & "DUO"; the security group will define the model of Token
First Authentication: LDAP
Second Authentication: RSA if a user is a member of "Citrix-RSA"  Security Group and DUO if the user is a member of "Citrix-DUO"

I have traffic coming from the outside world to a WatchGuard firewall, then to Citrix Netscaler, which goes to an internal ASA firewall and then to the internal network.

Our Citrix Netscaler also has the same certificate (service communication certificate) which is being hosted on our internal ADFS server (Windows Server R2).

We don't have an ADFS proxy server as of now.

Recently we had a password spray attack on our internal ADFS server

and we could not determine the source IP on our internal ADFS server.

I wanted to know the following:

1) I read in articles that Windows Server 2012 R2 has an extranet lockout feature and ADFS 2016 server also has an extranet lockout feature, so is there any difference between the two as far as protection from password spray attacks is concerned?

In the scenario I explained regarding traffic coming from outside to WatchGuard firewall - Netscaler - ASA firewall, where should I place the WAP server and how can it help in mitigating a password spray attack?

Are there any good tutorials for upgrading a Windows Server 2012 to 2016 ADFS server and how proxy ADFS should be configured?

We have mailboxes in 365 and AD accounts are synced through AAD Sync to Azure AD.

I came to know from Microsoft that messages are being redirected from Office 365 to the internal ADFS server and it is not authenticating, so what other steps should I take?

To protect from spray attack just proxy ADFS server is sufficient or some conditional policy should be applied …

We have a site that was working and being accessed externally and internally via the web. The vendor upgraded the system by creating a parallel system. The site is no longer working. The odd thing is there is an app and that part is working, but access to the site via web\browser internally or externally is not working. The site is assigned a dns name as an example We point that to a netscaler (called citrix support and they said netscaler is passing traffic fine) the netscaler then forwards onto the iis server but nothing. However there is an app when we put in, the app is able to connect and has all the functions. The explanation may be confusing; are there any suggestions or questions I can answer to help point in the right direction? We compared the old iis server to the new one and cannot find a difference that is causing an issue. Any help much appreciated. Thanks,

Environment: Netscaler in front of StoreFront 3.15 on Windows 2012.
Backend: XenApp 7.15 (2 Delivery Controllers & 2 XenApp Servers on Windows 2016, so 4 VMs)

Summary: We are currently using the Netscaler/StoreFront configuration to front-end our XenApp 6.5 Server farm and it IS working properly.
We are setting up a NEW backend XenApp 7.15 farm to replace the existing 6.5 farm. We will continue to use the same Netscalers & StoreFront systems. We will need to run parallel for a short time.

Recommendation: It was recommended to just provision a second Store on the StoreFront systems to point to the new XenApp 7.15 servers – done. Once tested, we just remove the old 6.5 store and voilà. So, this is the direction we are trying to set up, but it is not working. Explaining what is happening below:

In Netscalers, we have added the following under Netscaler Gateway for the 2nd Store:
1.      Configure NetScaler Gateway Session Policy
2.      NetScaler Gateway Session Policies and Profiles
3.      STA to the New Delivery Controller under VPN Virtual Server under Netscaler Gateway

Question: Do I need to set up a secondary Virtual Server with a new VIP on the Netscaler under Traffic Management, Load Balancing, Virtual server? From the recommendation I have not done this.

The XenApp 6.5 Farm is using port 8080 to talk to its STAs.

Question: we’ve tried both port 8080 and port 443 for the …

Citrix Cloud comes with all control layer components, along with NetScaler. But that NS works for only ICA proxy. For other features we have to opt for Azure Marketplace NetScaler.
This is last year's information. Any latest news on this?

Hi Citrix Experts,

Our Citrix environment has:

1- one Netscaler VPX 200 version 12.0
2- one StoreFront; we have only one StoreFront, we will add another one later
3- two Delivery Controllers

The SSL certs which are installed on all of them will expire soon, so I need to install the new one.

We bought a wildcard certificate.

My question:

Should I install the cert on all of them on the same day to avoid any issue, and if yes,

which one do I have to start with?

First one Delivery Controller, then StoreFront, then Netscaler, or how?

I want to know what kind of side effects our end users will face from inside and outside our environment during the time when I am installing the new certs, or do I have to do it in one weekend?

I will use these guides, what do you think?

for StoreFront

for Delivery Controllers

for Netscaler

If you have better guides or ideas please let me know.

We have set up a Netscaler (11.1)/StoreFront (3.15 - Windows 2012R2) environment. I am now setting up users to support the system.

I am trying to look for the best way to provide read-only access to all the configuration, the ability to view Active Users & ICA Sessions as well as the ability to Enable/Disable StoreFront servers as they are worked on.

I did try to initially add the read-only role, however the user was still able to execute the initial edit.

Any suggestions are appreciated.  We are finally about ready to roll this out :)

I have a configuration of Netscaler 11.1, Storefront 3.15 (windows 2012 R2) and XenApp 6.5 systems.

We have found through a recent audit that we are seeing this finding: "The remote installation of IIS leaks a private IP address through the WebDAV interface. This may expose internal IP addresses that are usually hidden or masked behind a Network Address Translation (NAT) Firewall or proxy server."

The interesting thing is, if you go to the IP of the primary StoreFront server the result is the actual StoreFront URL and passes. It's the secondary node in the cluster that presents its IP in the URL instead of the StoreFront URL.

Has anyone else run across this?

Thanks in advance

Hello. We are nearly done with our setup of Citrix Netscaler 11.1, using StoreFront 3.15 on Windows 2012 R2 and backend XenApp 6.5 Servers. Once this is up and running in DR, we can then shift our attentions to using these for our 7.15 environment.

The issue, in our DR systems, the Netscaler Gateway is having trouble reaching Storefront.  So, a user will login to the Netscaler Gateway URL and is able to successfully authenticate with their credentials.  Then the handoff to Storefront just spins in the browser.

So, user logs into ""
This should then go to something like :   ""
But instead goes to:  ""

I am not finding or understanding where this is going as I am not finding the right logs to assist. The logging is a bit limited in the new Netscaler/StoreFront layout, or rather more broken up, so it's hard to determine what handoff it is trying and where it is going.

We are going to do a packet capture next to try to troubleshoot this. On the StoreFront system, I can only see what is in Event Viewer and the installation logs under the StoreFront directory. Neither are helpful. IIS just presents the same log entries over and over whether the system is working or doing this behavior.

On the Netscaler, the nslog isn't very helpful in this regard.  nor are the logs in the var/log/ directory on the Netscaler.


Citrix Error: You have not been granted access to this published application
XenApp 6.5
StoreFront Server: sf 3.7
netscaler vpx 11.1
When users are trying to launch applications, a few users are getting this error.
No luck after disabling my published Desktop and re-enabling.

In NetScaler Client (V. while connecting we get a delay of approx. 90 seconds within "Phase: Pre Authentication EPA" (after "Successfully loaded EPA library"):
                Phase: Pre Authentication EPA
08:15:26.763 | EVENT   | Initiating EPA SCAN
08:15:56.367 | DEBUG   | configFunction ret= 0
08:15:56.367 | EVENT   | Successfully loaded EPA library 
08:17:24.675 | DEBUG   | ns_EvalPolicy: ANTIVIR_0_RTP_==_TRUE_VIRDEF-FILE-TIME_<_7200 returns 2


Do you have any ideas about this?
Thanks and best regards!

Looking for proper way to setup Storefront to use the Netscaler Gateway and route via ica proxy when launching published apps. Currently we are finding that users are going direct to the server and the traffic is not presenting a proxy connection. This was discovered while running a packet capture during an application launch. So want to ensure that this is setup properly and securely. When set the way we believe to be correct, we cannot launch published apps, we have to route through HDX to have the applications launch.

Environment -   User will reach Netscaler Gateway, 11.1, this routes to Storefront using the Netscaler Gateway configuration on the Netscalers.  The Storefronts Servers are running on Windows 2012 R2 and running version 3.15.  Our backend XenApp farm is XenApp 6.5.  (We are also setting up a 7.15 farm - still in progress) which will eventually use the existing Netscaler's and Storefront servers.

I have provided some screen shots of the current config on StoreFront.

Also, looking for more detailed logs on what gets logged when you launch an application.

Any assistance is appreciated.

Image #1 - Doesn't work - this is configured to use the named Netscaler Gateway - Get an error, "Cannot Start app"
Image #2 - Works - but is using the Direct HDX Connection and bypassing the Netscaler Gateway - This option also will show me that I'm connected directly to the XenApp server when performing a netstat -n | find "2598" on the client.  This is not …

I have a requirement of setting up a XenApp environment in two different geographical locations with DR and a High Availability solution.

This solution also requires Netscalers in each location to allow secure access and HA. The XA and Netscaler environment is not open to the internet; it will be accessed through VPN from another customer location (not in the same geographical location as the Citrix environment), with no DNS name resolution.

What is the best solution?

I would like to deploy Netscaler MAS in our environment.
Is there any dependency with Citrix netscaler platform license for NS MAS configuration? Any documents can be referred?

Citrix XenAppXenDesktop 7.15 LTSR
Windows 2016 and 10 VDAs
Citrix NetScaler VPX 12.0 -- 4 Numbers





