Aug 10, 2020

I recently tried to figure out how to block non-USA countries from accessing the NetScaler Gateway page on my ADC. I tried to follow some old documentation. This Citrix article, this, this, etc. all have old, outdated information, so I put together this quick post on how I got this accomplished.

First, I had to sign up for a MaxMind account. I used this link to sign up for GeoLite2.

Then, I downloaded the database file in CSV format.

Next, I downloaded the script from GitHub here. I have added this file to my website just in case that GitHub repo disappears on us. Download here if previous link doesn’t work.

SSH into your ADC and drop to the shell:

# mkdir /var/geoip

Unzip the files. I then used WinSCP to copy all of them up to the ADC into /var/geoip.

Go back to the SSH shell and make the script executable:
# chmod +x

Then convert the files. I'm from the USA, so I used the -en locations file.

# perl -b GeoLite2-Country-Blocks-IPv4.csv -i GeoLite2-Country-Blocks-IPv6.csv -l GeoLite2-Country-Locations-en.csv

This spits out two .gz files. Unzip them to .csv files:
# gunzip Netscaler_Maxmind_GeoIP_DB_IPv4.csv.gz
# gunzip Netscaler_Maxmind_GeoIP_DB_IPv6.csv.gz

Exit the shell and go back to the NSShell (notice I'm not using -format GeoIP-Country):

> add locationfile /var/geoip/Netscaler_Maxmind_GeoIP_DB_IPv4.csv

Then check it and make sure there are no errors:

> show locationparameter

Lines: 307344 Warnings: 0 Errors: 0

Next, create a responder policy. In my example I'm just using .US.

> add responder policy Drop_non_US "CLIENT.IP.SRC.MATCHES_LOCATION(\"*.US.*.*.*.*\").NOT" DROP
> set locationParameter -matchWildcardtoany YES

Lastly, bind it to your vServer. My example is for a Citrix Gateway vServer:

> bind vpn vserver LAB_AG -policy Drop_non_US -priority 100 -gotoPriorityExpression END -type REQUEST
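As an added example (not part of the original post and not a Citrix tool), here is a Python script that loads a file in the NetScaler static location-file layout and evaluates the responder rule above offline, so the expression can be sanity-checked against a few client addresses before it is bound to the Gateway. It assumes the converted CSV has eight fields (start IP, end IP, continent, country, region, city, ISP, organization), that -matchWildcardtoany YES lets a "*" stored in the database match any pattern field, and that an address with no entry fails MATCHES_LOCATION; the sample rows are constructed.

```python
import csv
import io
import ipaddress

# Constructed sample in the layout "add locationfile" expects (assumed here):
# start IP, end IP, then six qualifiers: continent, country, region, city,
# ISP, organization. These ranges are documentation prefixes, not MaxMind data.
SAMPLE_LOCATION_CSV = """\
198.51.100.0,198.51.100.255,North America,US,*,*,*,*
203.0.113.0,203.0.113.127,Europe,DE,*,*,*,*
203.0.113.128,203.0.113.255,Asia,JP,*,*,*,*
"""


def load_location_file(text):
    """Parse location CSV text into sorted (start, end, qualifiers) tuples."""
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if not rec or rec[0].lstrip().startswith("#"):
            continue
        if len(rec) != 8:
            raise ValueError("expected 8 fields, got %d: %r" % (len(rec), rec))
        start = int(ipaddress.ip_address(rec[0].strip()))
        end = int(ipaddress.ip_address(rec[1].strip()))
        if end < start:
            raise ValueError("range end before start: %r" % (rec,))
        rows.append((start, end, [f.strip() for f in rec[2:]]))
    rows.sort(key=lambda r: (r[0], r[1]))
    return rows


def lookup(rows, client_ip):
    """Qualifiers of the first range containing client_ip, or None if unlisted."""
    ip = int(ipaddress.ip_address(client_ip))
    for start, end, quals in rows:
        if start <= ip <= end:
            return quals
    return None


def matches_location(quals, pattern, wildcard_to_any=True):
    """Local model of CLIENT.IP.SRC.MATCHES_LOCATION("cont.country.region.city.isp.org").
    '*' in the pattern matches anything; with -matchWildcardtoany YES a '*'
    stored in the database also matches any pattern field (assumed semantics)."""
    fields = pattern.split(".")
    if len(fields) != 6:
        raise ValueError("pattern needs 6 dot-separated qualifiers: %r" % pattern)
    for have, want in zip(quals, fields):
        if want == "*" or (have == "*" and wildcard_to_any):
            continue
        if have.lower() != want.lower():
            return False
    return True


def policy_drops(rows, client_ip, pattern="*.US.*.*.*.*", wildcard_to_any=True):
    """Evaluate the post's rule MATCHES_LOCATION(pattern).NOT for one client.
    An address with no entry is treated as not matching, so .NOT drops it."""
    quals = lookup(rows, client_ip)
    if quals is None:
        return True
    return not matches_location(quals, pattern, wildcard_to_any)
```

Under that last assumption, source addresses missing from the file (RFC 1918 ranges included) are dropped by the rule as well, so test from an internal address too before relying on it.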

Jul 17, 2020

One thing I learned is that the Gateway vServer doesn't really need ICA Proxy unchecked for what I am trying to do. I am not using EPA scans or anything advanced yet, but you could uncheck it now to save a step later. Now, I understand this may not be the best way, but sometimes you have to do what you need to do to secure things.

1. Check the Trust Requests setting on the brokers (Delivery Controllers) and enable it if it's not enabled.

2. Open PowerShell, run asnp citrix* and then Get-BrokerSite. If TrustRequestsSentToTheXmlServicePort is False, run the #3 command.

3. Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true

[Screenshot: Get-BrokerSite output showing TrustRequestsSentToTheXmlServicePort : True]

4. Create a NetScaler Gateway dummy VIP. (Some organizations don't allow StoreFront to talk back to the DMZ NetScaler's vServer. If yours does, use the current Gateway vServer and ignore the dummy VIP/vServer.)

[Screenshot: Citrix Gateway > Virtual Servers list]
  • Added IP and Port
[Screenshot: VPN Virtual Server Basic Settings]
  5. Add STA brokers.
[Screenshot: VPN Virtual Server > STA Server Binding]
  6. Add a DNS record for the callback name.
[Screenshot: DNS New Host (A) record for the callback FQDN]
  7. Go to the StoreFront server and click Manage Citrix Gateways.
  8. Click Edit.
  9. Add the Callback URL (for me it is the dummy VIP I created), which resolves to a layer 2 IP address on the same subnet as my Citrix environment.
[Screenshot: Edit Citrix Gateway appliance > Authentication Settings, Callback URL ending in /CitrixAuthService/AuthService.asmx]
  10. Propagate changes on StoreFront.
  11. Go to the DDC and create a policy. For me, I used the baked-in one from Citrix called "Security Control".
[Screenshot: Studio policy settings with client drive, printer, clipboard, COM/LPT port, TWAIN and USB redirection set to Prohibited]
[Screenshot: Assign Policy > Access control filter (applies to user settings only)]
  • Remember the Allow or Deny mode is a bit confusing. Allow means that the settings in the policy are applied to the NetScaler Gateway connection.
  • Deny means the settings prohibiting something will not be applied to users connecting via Citrix Gateway.

My bandwidth went up some when I applied more security settings. Red is with the filter applied, and green is with it off.

[Screenshot: HDX session statistics (WAN latency, bandwidth per interval, session bandwidth, total bytes) with the policy on and off]


  1. Testing with it off (Deny the policy).
[Screenshot: Access control filter with Mode set to Deny]
  2. Here are my local machine printers.
[Screenshot: local Printers & scanners, listing the HP OfficeJet 5200 series and Microsoft Print to PDF]
  3. Now log into the VDA.
[Screenshot: Printers & scanners inside the VDA session, showing the local printers mapped in from the client]
  4. Now set the filter to Allow (Allow the policy).
[Screenshot: Access control filter with Mode set to Allow]
  5. Now log into the VDA.

No printers from my local machine were able to come in.

[Screenshot: Printers & scanners inside the VDA session, showing only server-side printers]

Remember this is a very basic setup, and it's just to show what it can do. There is much more than what I am showing here.

Sources
  • Basic Guide
  • Little more advanced

Then my research and questions on Slack (if you're not on this, you're missing out). A lot of really sharp guys on there.

Jun 04, 2020

How to automate NetScaler ADC firmware upgrades from NetScaler ADM

ADM is neat, and Citrix did a fantastic job on the product. One of the things I wanted to do is automate scheduled NetScaler firmware upgrades, and with Maintenance Jobs in ADM you can. Below is a quick guide on how to achieve this for an MPX HA pair.

Networks>Maintenance Jobs>Create Job

For me it's an HA pair, so select Upgrade Citrix ADC / Upgrade Citrix ADC HA.

Give it a name and add the NetScaler instances for the upgrade job.

Select them here.

Choose the file share where the firmware is located.

You have two options: you can execute now or later. You can schedule this around change control times.

For now, it looks like this. The two nodes must be set 1 hour apart, meaning it will upgrade the first one now at 1:27 pm, and the 2:27 pm time you select will start the other device.

Later looks like this

You can see here that it has already started for the "Now" job I created.

Let’s look at the execution summary and see what it actually did.

So, it actually followed the steps as if you were doing the manual way.

Secondary is completed.

Let's check the new firmware version. This looks correct.

It sent me an email, and this is what the report looks like.

In the job summary it will show you this.

Now in 50 minutes it will do the primary. As I was in a meeting, it upgraded this on its own, so let me just show some screenshots.

Let's check the other node!

As you can see this is some cool stuff, and it can do way more than this. Hopefully, if time permits, I can show you more in the ADM realm.

Aug 31, 2015

Another Netscaler – Powershell script leveraging Nitro!
This script will create a Cipher Group with all the right Cipher Suites (depending on VPX\MPX), or let you select one you have already created, and assign it to any ssl vserver.  NOTE:  Very important!!  If you do this to a XD/XA gateway – all users connected through that gateway will be disconnected!!  (they can of course just re-connect).  Below is a video from my test environment.  You will see that “TestCGN” Cipher Group does not exist.  I create it, and then select my owa ssl vserver as the vserver to bind it to (I could have selected them all).  The link to the script is below the video – remember TEST before using it in production!

Edit: Completely slipped my mind to disable SSLv3.  I updated the script to disable SSLv3/TLS1, and enable TLS1.1/1.2.  If you have an SSL Profile set this might fail.  Fixed that too :-)… and updated the video.


Aug 28, 2015

This post will be short and sweet.  I just wanted to post my first attempt at Powershell scripting against Netscaler.  Click here

Read the comments!

This script will connect to your netscaler (I have it do it on a gui enabled snip instead of the nsip, but  you can do it against the nsip… again read the comments).  If the NS is in a HA pair it will report if they are up or down.  Grab all vservers – report up/down/degraded… if degraded it will tell you which service is down.  Then it grabs all the gateways – reports up or down.  Finally it looks for any ica sessions, and will report if they are using Framehawk or not (requires NS 11.0 62.10 or above).

Mar 20, 2015

EDIT: People have been requesting a tool to deploy SMS2 secret keys en masse, and the developer hasn't implemented it yet. Until he does, I wrote a PowerShell script that will remotely connect to the SQL database and inject the information needed for each user you select. I have it set up for TOTP keys, which I think is what most people will use.
EDIT2: I created a new script that does basically the same thing as the script posted above, but you can direct it against a specific AD group. Also, if you haven't yet, upgrade your NetScalers to version 11; the portal themes are much easier to control.

Get SMS2

Go to the SMS2 site and register for your free copy; an email will be sent to you with a download link and your XML-based license.

Prepare your environment

You will need SQL/SQLExpress if you don’t already have it (will assume you do). You also need .NET 4 on the RADIUS server (will assume you have that too).

1. On the server you wish to use for RADIUS authentication open server management and click Add Roles and Features

2. Install the Network Policy and Access Services role and add any features that go along with that role – accept all the defaults.

3. Open the Network Policy Server Console

a. Expand Policies and select Network Policies

b. Right click Connections to other access servers and select properties

c. Change it from Deny access to Grant access and hit ok

d. Expand RADIUS Clients and Servers

e. Right click RADIUS Clients and select New

f. Create a connection for the local computer (so you can test connections).
Friendly name – whatever you want to name it
Address – the IP address of the RADIUS server you are creating
Shared secret – type something in that you will remember (will need it later)
Hit OK

g. Do the same thing for your Netscaler(s) using the NSIP(s) – again remember your shared secret – if you have more than one Netscaler use the same shared secret.
Should look something like this when you are done

4. Install SMS2

a. Next

b. For my purposes I select Custom (I don’t want SMS based authentication – just token)

i. Services I set CloudSMS to not install

ii. Under Clients I set all to install but the Citrix Web Interface Customization and SMS2…

c. Configure AuthEngine – enter the license text from the email you received and hit Check License (should pop up when it expires) – click ok and then Next

d. Leave the account as Local System and hit Next

e. On the next screen change the AuthEngine Address to (will reply on all IP addresses of the server)
Type in your domain controller name/address and fill in user account credentials of a user with access to AD
optionally you can change the BaseDN, but I’ll leave it as the root of my test domain
test your config and hit Next if successful

f. Enter your SQL server information
If the SQL instance is on the RADIUS server itself (as it is in my case) check the box to “Use named pipes (local)”
Click Test Connection – I get an error about how it could not use the database… it wasn’t there yet. I hit test connection again and it is successful.

g. Enter your email information – uncheck SSL and Use Auth if you don’t need them (straight smtp for me) – Finish

h. Configure OATHCalc – Next – Finish

i. Configure AdminGUI/Clients – Set the AuthEngine Address to the IP of the RADIUS server, and hit Finish

j. Next – install – Finish

Configure SMS2 for Token

1. Browse to C:\Program Files\WrightCCS2\Settings (assuming you installed the 64bit version… if not the Settings directory will be in x86)

2. Open Configuration.xml in notepad and change these settings (by default they are True, which will mess things up)

3. Find the <AuthProviders> line

a. Under CloudSMS – disable it (we didn’t install it anyways)

b. Under OATHCalc set it as default

c. Under PINTAN – disable

d. Under Email – disable

4. Save the .xml file and restart the WrightAuthEngine service (if they are not started – start them)

Setup all users for token (this could potentially take a long time)

1. Launch the SMS2 Admin Console

2. Select the user on the right hand side to select, and hit Configuration Menu at the top.

3. Go to the Auth Options tab (don’t need the others)

4. Click TOTP (time-based) and click Generate Shared Secret – record the shared secret if you want

5. Click Save configuration and you will see a popup – click OK and then you will see a QR code – copy it to the clipboard and send it to the user (also keep a record of it if you want)

6. Click Close

7. Do that again and again until you have a token for every user who needs to connect to XenApp/XenDesktop through the gateway

At this point users would download Google Authenticator or Microsoft Authenticator (probably others) to their smartphone and add the account using that QR code. Let’s assume everyone has done that.


1. Download NTRadPing (google it if that link doesn't work... you will find it)

2. From your RADIUS server unzip it and run it (remember we created a client connection for the local computer earlier)
Type the IP of your radius server (port is 1812 if it isn’t there by default)
Leave the reply/retries set to default
Type in your secure string that you associated with the local computer RADIUS client
Type in the domain\username of a user you have configured to use one of the authenticator apps
Type in the password followed immediately by whatever code is showing in your authenticator app. If the password is "P@ssword!" then the password you type would be P@ssword!456123 (where 456123 is the number generated).
Click Send – If you see Reply-Message=Message accepted then you are good to go. If not then something is wrong.
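To show what the NTRadPing test above actually puts on the wire, here is an added Python example (not from the post, SMS2 or NTRadPing) that builds an RFC 2865 Access-Request with the password and TOTP code concatenated as described, hides the User-Password attribute with the shared secret, and verifies the Response Authenticator on the reply before trusting an accept. Server address, shared secret and user values are placeholders you supply; build_access_accept only exists to exercise the verification offline.

```python
import hashlib
import os
import socket
import struct

# RADIUS codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_REPLY_MESSAGE = 1, 2, 18


def hide_password(secret, authenticator, password):
    """RFC 2865 section 5.2: pad the password to 16-byte blocks and XOR each
    block with MD5(secret + previous ciphertext block), seeded with the
    Request Authenticator. This is obfuscation keyed on the shared secret,
    not real encryption, which is why RADIUS belongs on a trusted network."""
    pw = password.encode()
    pw += b"\x00" * (-len(pw) % 16)
    out, last = b"", authenticator
    for i in range(0, len(pw), 16):
        key = hashlib.md5(secret + last).digest()
        block = bytes(a ^ b for a, b in zip(pw[i:i + 16], key))
        out, last = out + block, block
    return out


def reveal_password(secret, authenticator, hidden):
    """Inverse of hide_password (what the RADIUS server does)."""
    out, last = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + last).digest()
        block = hidden[i:i + 16]
        out, last = out + bytes(a ^ b for a, b in zip(block, key)), block
    return out.rstrip(b"\x00")


def encode_attributes(attrs):
    """Serialize (type, value) pairs as RADIUS type/length/value."""
    return b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)


def parse_attributes(payload):
    """Walk the TLV list in a packet body and return (type, value) pairs."""
    attrs, i = [], 0
    while i + 2 <= len(payload):
        t, ln = payload[i], payload[i + 1]
        if ln < 2 or i + ln > len(payload):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((t, payload[i + 2:i + ln]))
        i += ln
    return attrs


def build_access_request(secret, username, password, otp, ident=0, authenticator=None):
    """Access-Request carrying the post's password+OTP concatenation in
    User-Password. Returns (packet, request_authenticator)."""
    authenticator = authenticator or os.urandom(16)
    body = encode_attributes([
        (ATTR_USER_NAME, username.encode()),
        (ATTR_USER_PASSWORD, hide_password(secret, authenticator, password + otp)),
    ])
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body))
    return header + authenticator + body, authenticator


def build_access_accept(secret, request_authenticator, ident, attrs=()):
    """Test double for the server side: an Access-Accept whose Response
    Authenticator is MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = encode_attributes(list(attrs))
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    return header + hashlib.md5(header + request_authenticator + body + secret).digest() + body


def response_is_valid(secret, request_authenticator, response):
    """Reject replies whose Response Authenticator does not check out; a
    forged or wrong-secret reply must never be read as an accept."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    return response[4:20] == expected


def radius_login_check(server, secret, username, password, otp, port=1812, timeout=3.0):
    """Send one Access-Request; return (outcome, Reply-Message text)."""
    packet, req_auth = build_access_request(secret, username, password, otp, ident=os.urandom(1)[0])
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, port))
        try:
            response, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout", ""
    if not response_is_valid(secret, req_auth, response) or response[1] != packet[1]:
        return "invalid", ""
    messages = [v.decode(errors="replace") for t, v in parse_attributes(response[20:]) if t == ATTR_REPLY_MESSAGE]
    return ("accepted" if response[0] == ACCESS_ACCEPT else "rejected"), " ".join(messages)
```

A call such as radius_login_check("RADIUS_SERVER_IP", b"SHARED_SECRET", "domain\\user", "P@ssword!", "456123") from the RADIUS server itself corresponds to the NTRadPing steps above, with "Message accepted" returned as the Reply-Message when the login succeeds.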

Configure Netscaler

GUI 10.5

1. Logon your netscaler and browse to Netscaler Gateway\Policies\Authentication\RADIUS

2. Click the Servers tab and click Add
Give it a name
Select Server IP and punch in the IP of the RADIUS server
Port will be 1812
Type in the secret key you used to create the Netscaler RADIUS clients on the RADIUS server
Click Details and set Accounting* to OFF
Click Create

3. Click the Policies tab and click Add
Name the policy
Select the Server you just created (if it isn’t pre-selected)
Type in “ns_true” into the Expression field and hit Create

4. Bind the policy to your Netscaler Gateway virtual server(s) (NetScaler Gateway\Virtual Servers)
Select the virtual server and hit edit
Click the + on Authentication
Choose RADIUS and Secondary from the drop downs and hit Continue
Click to select the policy
Tick the policy you just created and hit ok
Click Bind
Click done and save

At this point you should be ready to test logging onto the gateway page

Testing the gateway

1. Hit your gateway address you will probably notice it has changed and looks something like this:
Password1 is your password
Password2 is your token pin

2. Logon using your credentials and the token generated by Google Authenticator (or whatever app you are using).

a. If it works then you are good to go and can move onto customizing the web interface

b. If it does not work unbind the policy and test to figure out where things are going wrong

i. Could be the wrong IP entered in for the Netscaler on the RADIUS server or wrong security string

Fixing the gateway appearance

1. Download Notepad++ and install it

2. Download Tunnelier

3. Install and run Tunnelier (Bitvise SSH Client)

4. Connect to your netscaler using the password method

5. A command window and a SFTP window will open – select the SFTP window and on the right hand side browse to: /var/netscaler/gui/vpn

6. Select login.js and click the download button at the bottom (will download to your local desktop by default unless you change it on the left side… should be ok).

7. On the right side go into the resources folder and download en.xml

8. Make a backup copy of the files just in case

9. Open login.js using Notepad++
Find this line: if ( pwc == 2 ) { document.write('&nbsp;1'); }
and change it to:
if ( pwc == 2 ) { document.write('&nbsp;'); }
Just remove the 1, basically.
Find the line that starts with: document.write('<TR><TD align=right style="padding-top:
and change right to left

10. Save login.js

11. Open en.xml in Notepad++
Find this line: <String id="Password2">Password 2:</String>
Change it to: <String id="Password2">Token:</String>
You can name it whatever you want... I'm just using Token:

12. In Tunnelier upload the files to their respective directories overwriting them

13. Refresh your browser and your changes should be reflected.

The only problem now is that this change will not survive a reboot. In older versions of netscaler you could use a rewrite policy to rewrite the page and that would persist. In 10.1+ you have to use a custom theme.


Set a custom theme so the gateway appearance persists a reboot

NOTE: Linux is case sensitive… type things exactly as I have them.

1. Using Tunnelier switch to your terminal window
cp /nsconfig/ns.conf /nsconfig/
mkdir /var/ns_gui_custom
cd /netscaler
tar -cvzf /var/ns_gui_custom/customtheme.tar.gz ns_gui/*

What we did there was make a backup of ns.conf (in case something goes awry, reverse the "cp" command to restore it), create a folder, and zip the contents of /netscaler/ns_gui to /var/ns_gui_custom/customtheme.tar.gz, which is the file and location that NetScaler knows to use for a custom theme.

2. Open your netscaler in your browser, logon and navigate to NetScaler Gateway\Global Settings

3. Click the Change Global Settings link on the right side

4. Click the Client Experience tab and scroll to the bottom

5. Switch the UI Theme to Custom and hit OK

6. TEST the gateway page (I use a chrome incognito window when I make a change as it doesn’t use the cached website)

7. If the test is successful save your netscaler configuration

a. If you have a HA pair I am pretty sure you have to mirror all the steps on the secondary except for setting the UI Theme to Custom. On your secondary:

i. Copy the files to the correct locations on the secondary netscaler

ii. Run the commands from the terminal window

iii. Force a sync from the GUI (System\High Availability > Actions)

Oct 22, 2014

It looks like the ESXi 5.5U2 update ESXi550-201410101-SG causes network issues on NetScaler VPX appliances. See the discussion at:

There is now a validated workaround:

1) Find where loader.conf is located on the NetScaler VM: # find / -name loader.conf
For the uploaded NetScaler VM there are two loader.conf files, ./flash/boot/defaults/loader.conf and ./flash/boot/loader.conf; we only need to change the first one.
2) Add "hw.em.txd=512" to loader.conf. This changes the Tx ring size to 512 (note: do not set the ring size to 256, as this will cause a NetScaler VM core dump).
3) Reboot the NetScaler VM.
4) Migrate it back to a host with the latest patches.

Citrix released an article on the issue today:
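As an added example (not from the post or from Citrix), here is a Python helper that applies the loader.conf change from a copy of the file pulled off the VPX (the NetScaler shell has perl but no Python, so run it from an admin workstation and copy the result back, as the GeoIP post above does with WinSCP). It backs the file up, sets hw.em.txd exactly once, and refuses the 256 value the workaround warns about. The default path is the one the post identifies; the sample file text is constructed.

```python
import os
import re
import shutil
import tempfile

# Path the post says to edit (the defaults file, not /flash/boot/loader.conf).
LOADER_CONF = "/flash/boot/defaults/loader.conf"
# Ring sizes the post reports as crashing the VPX.
FORBIDDEN_TXD = {256}
# Matches hw.em.txd=512 as well as the quoted loader.conf form hw.em.txd="512".
TXD_RE = re.compile(r'^\s*hw\.em\.txd\s*=\s*"?(\d+)"?\s*$')

# Constructed loader.conf text for demonstration; not taken from a real VPX.
SAMPLE_LOADER_CONF = 'autoboot_delay="3"\nhw.em.txd=1024\nhw.em.txd="1024"\n'


def is_allowed_txd(size):
    """True for a positive ring size that is not on the known-bad list."""
    return isinstance(size, int) and size > 0 and size not in FORBIDDEN_TXD


def current_txd(text):
    """Return the hw.em.txd value set in loader.conf text, or None if unset.
    The last assignment wins, as it does for the boot loader."""
    value = None
    for line in text.splitlines():
        m = TXD_RE.match(line)
        if m:
            value = int(m.group(1))
    return value


def render_with_txd(text, size):
    """Return loader.conf text with exactly one hw.em.txd assignment."""
    if not is_allowed_txd(size):
        raise ValueError("refusing hw.em.txd=%r" % (size,))
    new_line = 'hw.em.txd="%d"' % size
    out, replaced = [], False
    for line in text.splitlines():
        if TXD_RE.match(line):
            if not replaced:
                out.append(new_line)
                replaced = True
            continue  # drop any duplicate assignment
        out.append(line)
    if not replaced:
        out.append(new_line)
    return "\n".join(out) + "\n"


def set_txd(path=LOADER_CONF, size=512):
    """Back path up to path.bak and rewrite it atomically with the new ring
    size. Returns the value that was set before (None if none)."""
    with open(path) as fh:
        text = fh.read()
    before = current_txd(text)
    shutil.copy2(path, path + ".bak")
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".loader.conf.")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(render_with_txd(text, size))
        os.replace(tmp, path)
    except Exception:
        os.unlink(tmp)
        raise
    return before
```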
May 30, 2014

This will go over how to set up a single Access Gateway vServer connecting to multiple domains using a single pair of Web Interface servers. This might sound confusing at first, but in reality it's pretty straightforward. This article assumes that you already have some basic knowledge of how to set up NetScaler and XenApp with WI in a single domain.

Environment  (LB is not required)

  1. Pair of Netscalers v10.1 in LB config.
  2. Pair of Web Interface 5.4 Servers with LB Vserver.
  3. Two AD Forests/Domains.
  4. A few STA servers (Doesn’t matter what domain they are on)
  5. A couple XA farms in Different domains (We are using XA6.5 and XA6)

Step 1

Configure the AD policies on the NS. There are many articles out there on how to do this. The top two in this list are my first domain and the 3rd one is the second domain.


Multidomain NS Step1

Step 2

Build your vServers for WI and XML for each domain. It helps to have the XML servers for each farm on different ports to save IP addresses. In this case I have three different farms specified. The ones on port 8888 and 8080 are on the same domain, and the XML server set up on port 80 is the second domain. I had to create a separate IP for the second domain as my WI vServer is also using port 80. Again, if you need help on how to build these, there are plenty of articles out there on how to do it.


Multidomain Step2

Step 3.

Configure the AG vServer to hit multiple domains. The NS will step through these in order of priority until it finds a matching username/password. If you have the same username/password combination on both domains it will always grab the one that has the lowest priority. In this case the top two policies hit the first domain and the 3rd one hits the second domain.


MultiDomain Step3

Under the Published Applications tab for the AG vServer you need to configure some STAs. In my case I used the first domain/farm servers for STAs. I would make sure that all the STAs belong to the same domain/farm. You do not need to have an STA for each domain here.


MultiDomain STAs

Step 4.

On the Web Interface servers, configure a XenApp site for each domain, making sure to point to the XML vServers created in Step 2. Make sure you have each site pointing back to the respective XML LB vServer IP/port and configure it to point to your AG vServer. In this case the top site is pointing to the second domain and the second site is pointing to the first domain. For this it really doesn't matter what domain


Multidomain WIConfig


For the STA config on the WI servers I am using STA servers on the first domain even though the users are coming into the second domain. All sites/domains should be set up with the same STA servers, and they should match what your AG vServer has configured for STA servers in Step 2.

MultiDomain WI_STA

Step 5.

Configure the AAA policies and profiles to hit the AG vServer. For this to work, the AAA group name must match the AD group that the user is a member of. In this case the second one down, ASP_Access, is my first domain, and A_Access is the second domain.

MultiDomain Step4_1

Inside each AAA group you have your session policies that point to the specific URL/domain. Each domain/AAA group should point back to a different session policy.

MultiDomain AAA_Config

Next we need to make sure the session profile is pointed back to our WI server site for that domain. Make sure you have the corresponding domain specified and the Override Global check boxes checked. You will have to create one of these for each domain so that users from that domain hit the appropriate site.

MultiDomain AAA__ses_Profile

Step 6. Profit!!!

Once again, if you have users that have the same username and password in multiple domains, they will always get the lower priority domain. If you have any questions feel free to jump on the channel and ask Splatone.



Nov 07, 2012

Citrix is hosting a master class on netscaler, join if you can!

Come and join us for our latest NetScaler Master Class. Go back to basics as well as find out what’s new and what’s coming up soon.

This webinar event provides you the opportunity to learn about the features of the NetScaler, the tips and tricks of configuration and of course, put your questions to the experts. Don’t miss this opportunity to have your say and find out what’s going on in the world of Application Delivery Control in general and NetScaler in particular.

Date: 7th November 2012
Time: 14:00 Hrs GMT (15:00 Hrs CET)