Aug 102020

I recently tried to figure out how to block non-USA countries from accessing my NetScaler Gateway page on my ADC. I tried to follow some old documentation. This Citrix Article, this, this, etc, all have old, outdated information. I will put together this quick post on how I got this accomplished.

First, I had to sign up for a Maxmind account. I used this link to sign up for Geolite2.

Then, I downloaded the database file in CSV format.

Next, I downloaded the script from GitHub here. I have added this file to my website just in case that GitHub repo disappears on us. Download here if previous link doesn’t work.

SSH into your ADC and go to shell

# mkdir /var/geoip

Unzip the files. I then used WinSCP to copy all of them up to the ADC into /var/geoip

Go back to the SSH shell.
# chmod +x

Then convert the files. I’m from USA, so I used the -en file.

# perl -b GeoLite2-Country-Blocks-IPv4.csv -i GeoLite2-Country-Blocks-IPv6.csv -l GeoLite2-Country-Locations-en.csv

This spits out two .gz files.  Unzip them to .csv files.
# gunzip Netscaler_Maxmind_GeoIP_DB_IPv4.csv.gz
# gunzip Netscaler_Maxmind_GeoIP_DB_IPv6.csv.gz

Exit Shell and go back to the NSShell (Notice I’m not using -format GeoIP-Country)

> add locationfile /var/geoip/Netscaler_Maxmind_GeoIP_DB_IPv4.csv

Then check it and make sure there are no Errors

> show locationparameter

Lines: 307344 Warnings: 0 Errors: 0

Next, create a responder policy. In my example I’m just using .US.

> add responder policy Drop_non_US “CLIENT.IP.SRC.MATCHES_LOCATION(\”*.US.*.*.*.*\”).NOT” DROP
> set locationParameter -matchWildcardtoany YES

Lastly, bind it to your vServer. My example is for a Citrix Gateway vServer

> bind vpn vserver LAB_AG -policy Drop_non_US -priority 100 -gotoPriorityExpression END -type REQUEST

Aug 312015

Another Netscaler – Powershell script leveraging Nitro!
This script will create a Cipher Group with all the right Cipher Suites (depending on VPX\MPX), or let you select one you have already created, and assign it to any ssl vserver.  NOTE:  Very important!!  If you do this to a XD/XA gateway – all users connected through that gateway will be disconnected!!  (they can of course just re-connect).  Below is a video from my test environment.  You will see that “TestCGN” Cipher Group does not exist.  I create it, and then select my owa ssl vserver as the vserver to bind it to (I could have selected them all).  The link to the script is below the video – remember TEST before using it in production!

Edit: Completely slipped my mind to disable SSLv3.  I updated the script to disable SSLv3/TLS1, and enable TLS1.1/1.2.  If you have an SSL Profile set this might fail.  Fixed that too :-)… and updated the video.


Aug 282015

This post will be short and sweet.  I just wanted to post my first attempt at Powershell scripting against Netscaler.  Click here

Read the comments!

This script will connect to your netscaler (I have it do it on a gui enabled snip instead of the nsip, but  you can do it against the nsip… again read the comments).  If the NS is in a HA pair it will report if they are up or down.  Grab all vservers – report up/down/degraded… if degraded it will tell you which service is down.  Then it grabs all the gateways – reports up or down.  Finally it looks for any ica sessions, and will report if they are using Framehawk or not (requires NS 11.0 62.10 or above).

Mar 202015

EDIT:  People have been requesting a tool to deploy SMS2 secret keys en mass, and the developer hasn’t implemented it yet.  Until he does I wrote a powershell script that will remotely connect to the sql database and inject the information needed for each user you select (  I have it setup for TOTP keys… which I think is what most people will use.
EDIT2:  I created a new script that does basically the same thing as the script posted above, but you can direct it against a specific AD group (  Also, if you haven’t yet – upgrade your netscalers to version 11 – much easier to control the portal themes.

Get SMS2

Go to and register for your free copy – an email will be sent to you with a download link and your xml based license.

Prepare your environment

You will need SQL/SQLExpress if you don’t already have it (will assume you do). You also need .NET 4 on the RADIUS server (will assume you have that too).

1. On the server you wish to use for RADIUS authentication open server management and click Add Roles and Features

2. Install the Network Policy and Access Services role and add any features that go along with that role – accept all the defaults.

3. Open the Network Policy Server Console

a. Expand Policies and select Network Policies

b. Right click Connections to other access servers and select properties

c. Change it from Deny access to Grant access and hit ok

d. Expand RADIUS Clients and Servers

e. Right click RADIUS Clients and select New

f. Create a connection for the local computer (so you can test connections).
Friendly name – whatever you want to name it
Address – the IP address of the RADIUS server you are creating
Shared secret – type something in that you will remember (will need it later)
Hit OK

g. Do the same thing for your Netscaler(s) using the NSIP(s) – again remember your shared secret – if you have more than one Netscaler use the same shared secret.
Should look something like this when you are done

4. Install SMS2

a. Next

b. For my purposes I select Custom (I don’t want SMS based authentication – just token)

i. Services I set CloudSMS to not install

ii. Under Clients I set all to install but the Citrix Web Interface Customization and SMS2…

c. Configure AuthEngine – enter the license text from the email you received and hit Check License (should pop up when it expires) – click ok and then Next

d. Leave the account as Local System and hit Next

e. On the next screen change the AuthEngine Address to (will reply on all IP addresses of the server)
Type in your domain controller name/address and fill in user account credentials of a user with access to AD
optionally you can change the BaseDN, but I’ll leave it as the root of my test domain
test your config and hit Next if successful

f. Enter your SQL server information
If the SQL instance is on the RADIUS server itself (as it is in my case) check the box to “Use named pipes (local)”
Click Test Connection – I get an error about how it could not use the database… it wasn’t there yet. I hit test connection again and it is successful.

g. Enter your email information – uncheck SSL and Use Auth if you don’t need them (straight smtp for me) – Finish

h. Configure OATHCalc – Next – Finish

i. Configure AdminGUI/Clients – Set the AuthEngine Address to the IP of the RADIUS server, and hit Finish

j. Next – install – Finish

Configure SMS2 for Token

1. Browse to C:\Program Files\WrightCCS2\Settings (assuming you installed the 64bit version… if not the Settings directory will be in x86)

2. Open Configuration.xml in notepad and change these settings (by default they are True, which will mess things up)

3. Find the <AuthProviders> line

a. Under CloudSMS – disable it (we didn’t install it anyways)

b. Under OATHCalc set it as default

c. Under PINTAN – disable

d. Under Email – disable

4. Save the .xml file and restart the WrightAuthEngine service (if they are not started – start them)

Setup all users for token (this could potentially take a long time)

1. Launch the SMS2 Admin Console

2. Select the user on the right hand side to select, and hit Configuration Menu at the top.

3. Go to the Auth Options tab (don’t need the others)

4. Click TOTP (time-based) and click Generate Shared Secret – record the shared secret if you want

5. Click Save configuration and you will see a popup – click OK and then you will see a QR code – copy it to the clipboard and send it to the user (also keep a record of it if you want)

6. Click Close

7. Do that again and again until you have a token for every user who needs to connect to XenApp/XenDesktop through the gateway

At this point users would download Google Authenticator or Microsoft Authenticator (probably others) to their smartphone and add the account using that QR code. Let’s assume everyone has done that.


1. Download NTRadPing ( – google it if that link doesn’t work… you will find it

2. From your RADIUS server unzip it and run it (remember we created a client connection for the local computer earlier)
Type the IP of your radius server (port is 1812 if it isn’t there by default)
Leave the reply/retries set to default
Type in your secure string that you associated with the local computer RADIUS client
Type in the domain\username of a user you have configured to use one of the authenticator apps
Type in the password followed immediately with whatever code is showing in your authenticator app. If the password is “P@ssword!” then the password would be P@ssword!456123 (where 456123) is the number generated.
Click Send – If you see Reply-Message=Message accepted then you are good to go. If not then something is wrong.

Configure Netscaler

GUI 10.5

1. Logon your netscaler and browse to Netscaler Gateway\Policies\Authentication\RADIUS

2. Click the Servers tab and click Add
Give it a name
Select Server IP and punch in the IP of the RADIUS server
Port will be 1812
Type in the secret key you used to create the Netscaler RADIUS clients on the RADIUS server
Click Details and set Accounting* to OFF
Click Create

3. Click the Policies tab and click Add
Name the policy
Select the Server you just created (if it isn’t pre-selected)
Type in “ns_true” into the Expression field and hit Create

4. Bind the policy to your Netscaler Gateway virtual server(s) (NetScaler Gateway\Virtual Servers)
Select the virtual server and hit edit
Click the + on Authentication
Choose RADIUS and Secondary from the drop downs and hit Continue
Click to select the policy
Tick the policy you just created and hit ok
Click Bind
Click done and save

At this point you should be ready to test logging onto the gateway page

Testing the gateway

1. Hit your gateway address you will probably notice it has changed and looks something like this:
Password1 is your password
Password2 is your token pin

2. Logon using your credentials and the token generated by Google Authenticator (or whatever app you are using).

a. If it works then you are good to go and can move onto customizing the web interface

b. If it does not work unbind the policy and test to figure out where things are going wrong

i. Could be the wrong IP entered in for the Netscaler on the RADIUS server or wrong security string

Fixing the gateway appearance

1. Download Notepad++ and install (

2. Download Tunnelier (

3. Install and run Tunnelier (Bitvise SSH Client)

4. Connect to your netscaler using the password method

5. A command window and a SFTP window will open – select the SFTP window and on the right hand side browse to: /var/netscaler/gui/vpn

6. Select login.js and click the download button at the bottom (will download to your local desktop by default unless you change it on the left side… should be ok).

7. On the right side go into the resources folder and download en.xml

8. Make a backup copy of the files just in case

9. Open login.js using Notepad++
Find this line: if ( pwc == 2 ) { document.write(‘&nbsp;1’); }
and change it to:
if ( pwc == 2 ) { document.write(‘&nbsp;’); }
Just remove the 1 basically
Find the line that starts with: document.write(‘<TR><TD align=right style=”padding-top:
and change right to left

10. Save login.js

11. Open en.xml in Notepad++
Find this line: <String id=”Password2″>Password 2:</String>
Change it to: <String id=”Password2″>Token:</String>
You can name it whatever you want… I’m just using Token:

12. In Tunnelier upload the files to their respective directories overwriting them

13. Refresh your browser and your changes should be reflected.

The only problem now is that this change will not survive a reboot. In older versions of netscaler you could use a rewrite policy to rewrite the page and that would persist. In 10.1+ you have to use a custom theme.


Set a custom theme so the gateway appearance persists a reboot

NOTE: Linux is case sensitive… type things exactly as I have them.

1. Using Tunnelier switch to your terminal window
cp /nsconfig/ns.conf /nsconfig/
mkdir /var/ns_gui_custom
cd /netscaler
tar -cvzf /var/ns_gui_custom/customtheme.tar.gz ns_gui/*

What we did there was make a backup of ns.conf (in case something goes awry – reverse the “cp” command to restore it), created a folder, and zipped the contents of /netscaler/ns_gui to /var/ns_gui_custom/customtheme.tar.gz ß that is the file and location that netscaler knows to use for a custom theme.

2. Open your netscaler in your browser, logon and navigate to NetScaler Gateway\Global Settings

3. Click the Change Global Settings link on the right side

4. Click the Client Experience tab and scroll to the bottom

5. Switch the UI Theme to Custom and hit OK

6. TEST the gateway page (I use a chrome incognito window when I make a change as it doesn’t use the cached website)

7. If the test is successful save your netscaler configuration

a. If you have a HA pair I am pretty sure you have to mirror all the steps on the secondary except for setting the UI Theme to Custom. On your secondary:

i. Copy the files to the correct locations on the secondary netscaler

ii. Run the commands from the terminal window

iii. Force a sync from the gui (System\High Availability à Actions)

Oct 222014

Look like update ESXi550-201410101-SG 5.5U2 that causes network issues Netscaler VPX appliances. See the discussion at:

There is now a validated work around:

1) find where loader.conf is located on NetScaler VM    #find / -name loader.conf
For the uploaded NetScaler VM, there are 2 loader.conf: ./flash/boot/defaults/loader.conf and ./flash/boot/loader.conf, we only need to change the first one.
2) add “hw.em.txd=512” to loader.conf, this will change Tx ring size to 512 (note: do not set the ring size to 256, this will cause NetScaler VM core dump)
3) reboot the NetScaler VM
4) migrate it back to a host with latest patches
Citrix released an article on the issue today:
May 302014

This will go over how to setup a single Access Gateway Vserver connecting to Multiple Domains using a single Pair of web interface servers.  This might sound confusing at first but in reality its pretty strait forward.  This article assumes that you already have some basic knowledge of how to setup netscaler and xenapp with WI in a single domain.

Environment  (LB is not required)

  1. Pair of Netscalers v10.1 in LB config.
  2. Pair of Web Interface 5.4 Servers with LB Vserver.
  3. Two AD Forests/Domains.
  4. A few STA servers (Doesn’t matter what domain they are on)
  5. A couple XA farms in Different domains (We are using XA6.5 and XA6)

Step 1

Configure the AD Polices on the NS.  There are many articles out there on how to do this.  The Top two in this list are my first domain and the 3rd one is the second domain.


Multidomain NS Step1

Step 2

Build your Vservers for WI and XML for each Domain.  It helps to have the xml servers for each farm on different ports to save IP address’s.  In this case I have three different farms specified.  The one on port 8888 and 8080 are on the same domain and the xml server setup on port 80 is the second domain.   I had to create a separate IP for the second domain as my WI vserver is also using port 80.  Again if you need help on how to build these their is plenty of articles out there on how to do it.


Multidomain Step2

Step 3.

Configure the AG Vserver to hit multple domains.  The NS will step through these in order of priority until it finds a matching username/password match.  If you have the same username/password combination on both domains it will always grab the one that has the lowest priority.  In this case the Top two Policies hit the first domain and the 3rd one hits the second domain.


MultiDomain Step3

Under the Published Applications Tab for the AG Vserver you need to configure some STA’s.  In my case I used the first domain/farm servers for STA’s.  I would make sure that all the STA’s belong to the same domain/farm.  You do not need to have a STA for each domain here.


MultiDomain STAs

Step 4.

On the WebInterface Servers configure a Xenapp site for Each Domain making sure to point to the XML Vserver’s created in Step2.  Make Sure you have each Site pointing back to the respective Vserver XML LB IP/port and configure it to point to your AG Vserver.   In this case the top Site is pointing to the Second Domain and the Second Site is pointing to the First domain.  For this it really doesn’t matter what domain


Multidomain WIConfig


For the Sta Config on the WI Servers I am using STA servers on the First domain even though the users are coming into the second domain.  All sites/domains should be setup with the same STA servers and they should match what your AG Vserver has configured for STA servers in Step 2.

MultiDomain WI_STA

Step 5.

Configure the AAA Policies and Profiles to hit the AG Vserver.  For this to work the AAA group name must match the AD group that the user is a member of.  In this Case the Second one down ASP_Access is my first Domain, and the one A_Access is the Second Domain.

MultiDomain Step4_1

Inside each AAA Group you have your Session policies that point to the specific URL/Domain.  Each Domain/AAA group should point back to a different Session policy

MultiDomain AAA_Config

Next we need to make sure the Session profile is pointed back to our WI Server site for that domain.  Make sure you have the corresponding  domain specified and the override global check boxes checked.  You will have to create one of these for each domain so that users from that domain hit the appropriate site.

MultiDomain AAA__ses_Profile

Step 6. Profit!!!

Once again if you have users that have the same username and password in multiple domains they will always get the lower priority domain.  If you have any questions feel free to jump on the channel and ask Splatone.



Nov 072012

Citrix is hosting a master class on netscaler, join if you can!

Come and join us for our latest NetScaler Master Class. Go back to basics as well as find out what’s new and what’s coming up soon.

This webinar event provides you the opportunity to learn about the features of the NetScaler, the tips and tricks of configuration and of course, put your questions to the experts. Don’t miss this opportunity to have your say and find out what’s going on in the world of Application Delivery Control in general and NetScaler in particular.

Date: 7th November 2012
Time: 14:00 Hrs GMT (15:00 Hrs CET)