With the release of XenDesktop 7, I’m happily redesigning my home lab environment and implementing all of Citrix’s shiny new offerings. Not only will this sharpen my skills, I’m thinking, but I just registered to take the XenDesktop 7 beta exams… I need to play with this stuff right now! In the process, I learned that Citrix is trying hard to phase out as much old technology as possible.

Here are a few things I’ve found so far:

  • To run a licensed XenServer 6.2 or XenDesktop 7 environment, you need to be running (at least) the 11.11 version of Citrix License Server, which no longer runs on Windows Server 2003. Time to upgrade that OS!
  • If you want Storefront, you can’t use Citrix Secure Gateway to tunnel external traffic over SSL anymore. Citrix would like you to implement a NetScaler, please – either a physical box or one of the VPX hypervisor appliances.
  • Web Interface will be end-of-life (EOL) in 2015, so even if you keep that Secure Gateway / Web Interface combo going, please start making other plans. See previous bullet.

As I began searching the Internet, I realized there wasn’t a complete “How To Swap My Secure Gateway for NetScaler VPX” guide out there that answered all my various questions in one place. This will be that guide, for anyone else who’s looking. I based a lot of it on these instructions at The Citrix Blog, but they just weren’t complete enough for a NetScaler novice… this is my attempt to fix that problem and flesh out what’s missing.


Assumptions:  Since you’re migrating from Secure Gateway, you like things to be free. Ideally, you’re working in a lab environment with XenServer as your hypervisor (although it doesn’t have to be – these instructions will still work). Finally, you want to keep things simple – you just want this stuff to work!



  1. Download the NetScaler virtual appliance and VPX Express license key
  2. Import the NetScaler virtual appliance into XenCenter.
  3. Run through the initial NetScaler power-on configuration
  4. Configure NetScaler as a Gateway
  5. Configure Storefront


Step 1:  Download the NetScaler virtual appliance and VPX Express license key


Citrix NetScaler is available as either a physical box or a downloadable virtual appliance. The code is the same, and you can get full functionality out of the VPX version by running it on a hypervisor of your choice. My choice is XenServer, but if you’re using VMware or Hyper-V, just download the appropriate version.

  • Log in to your account at http://www.citrix.com
  • Click Downloads.
  • In the “Find Downloads” box, choose NetScaler ADC and Virtual Appliances.
  • Under “Release 10.1” (newest as of this writing), choose NetScaler VPX Express.
  • Scroll all the way to the bottom and download the newest version (10.1. Build 118.7 as of this writing).
  • Scroll down a bit further and expand the License section of the page.
  • Click Get License next to “NetScaler VPX Express License” and copy down the license key.
    • The license is valid for one year, but you can always return here and download a new license.
    • VPX Express is designed for low-traffic environments like a home lab. You’ll be capped at 5Mb throughput, allowing only a limited number of users.


Step 2:  Import the virtual appliance into XenCenter


  • In XenCenter, right-click your pool and choose Import.
  • Browse to the “NSVPX-XEN-10.1-118.7_nc.xva” file you downloaded earlier (the name will be different if you downloaded a newer version).
  • Go through the Import wizard, choosing the appropriate settings for your environment.
  • Note that I only set mine up with a single network interface to keep things simple.


Step 3:  Run through the initial NetScaler power-on configuration


  • If it isn’t already running, power on your new “NetScaler Virtual Appliance” VM.
  • Switch to the VM’s Console tab in XenCenter.
  • Eventually, you’ll be prompted to enter network information.
  • Enter an IP address, netmask, and gateway address as prompted.
    Start Netscaler software
    tput: no terminal type specified and no TERM environmental variable.
    Enter NetScaler's IPv4 address []:
  • The VM will continue to boot.  At some point, it will let you know you need to wait another 30 seconds before logging in.
  • Now open a web browser on your computer to http://ipaddress.of.your.netscaler
  • At the login screen, use the following:
    • User Name:  nsroot
    • Password:  nsroot
    • Deployment Type:  NetScaler Gateway
  • Click Login to continue the base configuration.
  • The next screen will prompt you for additional network information.
    • Enter the usual things here like the hostname, DNS servers, time zone.
    • Be sure to add a “Subnet IP Address” here, too. The IP address we entered earlier was the management address, but the one you’re entering here is for communication with network clients. If you want to keep things simple, just enter another address in the same subnet.
    • Also check the box to change the Administrator password to something more secure.
    • Click Continue to move on.
  • Now you’ll be prompted to upload a license file. And this is where things get tricky.
  • Log in again at http://www.citrix.com and click My Account.
    • Under “Licensing,” click Activate and Allocate Licenses.
    • Click Single Allocation and enter the license key you copied down earlier.
    • After the key is accepted, you’ll be brought to a new screen with a space to enter a hostname.
    • STOP!  This isn’t what you think it is! For some reason, with NetScaler, instead of a hostname, you need to enter the MAC address of the virtual machine here. Unintuitive, yes?
  • Switch to XenCenter to find the MAC address of the NetScaler VM:
    • Log in at the console of the NetScaler.
    • At the “greater-than” symbol prompt, type shell and enter.
    • At the hash symbol prompt, enter the following command:
      root@netscaler# lmutil lmhostid -ether
    • Make a note of the “FLEXnet host ID” address (just a series of characters, no hyphens or colons).
    • Type the exit command twice to log off from the console.
  • Switch back to the licensing screen on Citrix’s web site:
    • Enter the MAC address in the “hostname” field.
    • Confirm it, and then download the license file.
  • Switch back to the NetScaler web-based configuration page:
    • Click Browse in the “Update Licenses” box and choose your new license file.
    • Verify that you see “1 Licenses Updated Successfully” in green, and then click Continue.
  • At the final screen of the Wecome wizard, click Done.
  • Click Yes when prompted to reboot the NetScaler.
  • Wait until the NetScaler has fully rebooted, and that’s it!  The base configuration is finished!


Step 4:  Configure NetScaler as a Gateway


  • Open a browser to http://ipaddress.of.your.netscaler
  • At the login screen, use the following:

    • User Name:  nsroot
    • Password:  (whatever you assigned earlier)
    • Deployment Type:  NetScaler Gateway
  • Click Login to proceed.
  • You should be greeted with this Welcome wizard:
  • A note on SSL certificates before you get started:
    • If you’ll be transferring a publicly signed SSL cert from your old Secure Gateway box, click the Configuration link at the top of the window now.
    • You can export the .cer and .pfx files from the Secure Gateway server and import them by following the excellent instructions in Derek Seaman’s blog post, or else through whatever other method you find that makes sense.
    • Once that’s done, click Home to return to the wizard.
  • Click Get Started to begin the configuration.
  • Enter the virtual server information, keeping in mind that this will be our Secure Gateway replacement.  Use a name and FQDN that make sense.
  • Click Continue.
  • On the next screen, decide what you’d like to do for your SSL certificate. Either choose the certificate you imported earlier, or else use a Test Certificate for now.
  • Click Continue again after your SSL certificate is configured.
  • On this “Authentication Settings” screen, configure LDAP lookups to Active Directory.
    • Click the Configure New option.
    • Fill out all the fields appropriately for your environment.
    • Note:  for a XenDesktop/XenApp configuration (Secure Gateway replacement) you should use sAMAccountName as the Server Logon Name Attribute.
    • Click Continue when finished.
  • Choose XenApp / XenDesktop in the “Enterprise Store Settings” box.
  • Choose StoreFront for the deployment type and set the options to match your environment.
  • Click Done when finished.
  • The wizard will exit and you’ll find yourself at the Home screen, happily watching several performance monitor graphs. Congratulations! You’ve configured your NetScaler!


Step 5:  Configure StoreFront


  • Assuming you already have StoreFront configured for local network access, you now need to tell it how to handle traffic coming through the NetScaler.
  • Launch the Citrix StoreFront administration console.
  • Click Authentication in the left pane.
    • Click Add/Remove Methods in the right pane.
    • Select Pass-through from NetScaler Gateway.
    • Click OK.
  • Click NetScaler Gateway in the left pane.
    • Click Add NetScaler Gateway Appliance in the right pane.
    • Configure with the settings appropriate for your environment.
    • Note:  the “NetScaler Gateway URL” is the external FQDN accessed by users, and my preference is to create an internal DNS host record for the inside IP address of the virtual server – this will be used in the “Callback URL” field. Also, remember that “Subnet IP address” you entered earlier? That goes here, too.
    • Click Next to continue.
    • Add a Secure Ticket Authority URL by adding your Citrix server information.
    • Click Create to finish adding the NetScaler.
  • Click Stores in the left pane.
    • Click to highlight the store(s) you want to be available through NetScaler.
    • Click Enable Remote Access in the right pane.
      • Choose No VPN tunnel (assuming you just want to recreate Secure Gateway functionality – otherwise, by all means, go nuts and play with the VPN).
      • Check the box to select your NetScaler appliance.
      • Click OK.


Step 6:  Test, smile, and grab a beer


Seriously, if this guide helped you at all, please let me know in the comments below. I couldn’t find anything to get me through this procedure when I started looking, and I hope that by writing this up, it may save someone else some pain and frustration. Good luck, and have fun with your new Citrix technology!


Update, 2013/08/26:  I’m hearing from some people that Netscaler won’t work properly as a Secure Gateway replacement unless an SSL certificate has been installed on the Storefront server and all communication is over HTTPS. That’s how I’m running it today anyway, but this is something to consider if you’re setting up a lab. If someone could let me know for sure either way, I’d appreciate it… Confirmed on 2013/12/08. Thanks, lobster.


26 Responses to “How to Use NetScaler VPX as a Citrix Secure Gateway Replacement”

  1. Thanks for the write up on the NetScaler setup. I had to import my IIS SSL certificate to the NetScaler since I wasn’t coming from an existing CSG. I documented the procedure and troubleshooting steps since it was a real pain. http://enterpriseit.co/networking/import-pfx-ssl-certificate-from-iis-to-citrix-netscaler-vpx/
    I will reference your post for my readers who need instructions for setting up a NetScaler from scratch

  2. Hi, thanks for putting this together. I’m also in the same scenario as you. Got XenApp 6.5 deployed with Web Interface 5.4 and CSG 3.3 and using a free SSL cert (3months) for SSL connection from outside world to connection to the published apps on the XenApp environments and all working well.

    Now I want to deploy the StoreFront with Netscaler since StoreFront doesnt support use of CSG.

    One question though, where can I get a free SSL cert to use for 1yr atleast? I’m currently using a DynDns name since I’m not hosting my own website on my network?

    • I don’t have a recommendation for a free cert, but in my home lab I’m just using one of GoDaddy’s $5.99/year certs, and it works well. There are other cheap ones, too, but that’s what I can recommend from personal experience: http://www.godaddy.com/SSL

      • bigbhaller says:

        StartSSL.com offers free certificates, and is part of the Microsoft certificate program (forgot official name), so Windows clients will natively trust the chain. I also believe Comodo may offer some free ones, but I do not recall if they are server certifcates or just for SMIME.

  3. i followed the guide and when i go to netscaler virtual IP and i see nothing, page times out. The store front version is 1.2 and does not have option to add the netscaler? Is this combination supported?

    • Sorry for the delayed reply… is this still a problem for you? My understanding is that it should work with Storefront 1.2, but I’m not positive – we’re in the process of replacing Web Interface, and we’re starting with Storefront 2.0.

      Do you get anything at all before the page times out?

  4. Hi, i’ve managed to configure Netscaler Access Gateway with StoreFront 2.0 using ur steps above and some other instructions from other site.

    Few issues though

    1. When i configured IIS site/SSL with a store created on the Storefront server, and use https it doesnt work…keep getting “Could not complete your request” but if i remove https in IIS and use http://name of storefront server/store….it works ok. Is it because I have already configured the SSL cert in Netscaler to using the external FQDN users will type in their browser to get to my Storefront page e.g myname.dyndns.org.

    This is the same SSL cert I used on my Web Interface 5.4, which I’ve imported to the Netscaler and the Storefront server.

    2. As above, when I removed the SSL/https binding in IIS and use http://myname.dyndns.org, I can can successfully see the log in page to storefront and the error “Could not complete your request” is not showing.

    It works for internal users, when i log in from my network and able to access published apps on the XenApp 6.5 farm but if i try to log in as an external user via the Internet (not within internal network), i can log in successfully and see all published apps for the user but when I tried opening an apps…comes up with error message saying

    “Unable to launch your application. Contact help desk with the following Information:
    Cannot connect to the Citrix XenApp server. There is no Citrix XenApp Server configured on the specified address”

    So I’m thinking maybe didnt configure it properly within Netscaler Access gateway??? I’ve configured both XenApp servers as STA within access gateway and are showing as UP. What is your email, so I can send a screenshot of my configuration (Netscaler and StoreFront) if I’ve missed anything for remote users to connect.

    I’ve opened firewall ports on 80, 8080 -XML, ICA – 1494, 2598 – session reliability to the Storefront server 192.168.x.x

    Also, how can i see which IP address its trying to resolve to via the ICA? This was possible in Web Interface where you could right-click the published icon and save it the open with notepad to see all the configuration.


    • Sorry for the delayed reply. Did you get this fixed already?

      This was a lot of information to digest all at once, and I’m not really Citrix tech support, but I’ll give you some quick tips. First of all, you mentioned that you have the same SSL cert on your Storefront server and your Netscaler. That won’t work – this setup is very picky about SSL certs being valid and trusted. You’ll need a separate cert for each site, properly configured to each FQDN. If you’re using self-signed certs, you’ll need to add the CA to the Netscaler, too. I normally just use publicly-signed certs so I don’t need to worry about it.

      Also, whenever you reference a server name for communication over SSL, make sure you use the exact FQDN that’s in the cert. For instance, if your Storefront server’s internal (real) name is “SERV01ST01” or something, but the cert is registered to “storefront.mycompany.com” then make sure you use the “storefront.mycompany.com” FQDN everywhere in every console that has an option to talk to the server. Same for the Netscaler.

      • Hey Benjamin I like this Post, But i Have Question which is Out of Scope, I am Using xendesktop 7.1 and Implemented Hosted Shared Desktop Environment (with 3 VM) with Netscalar 10.1.e

        Is that possible to access the VM without using Netscalar VPX. cause i have done the same thing in xendesktop 5.6 without CSG. i just wanted to have a Direct NATing of the StoreFront IP to the Public IP i Have and Open the Port Like 2498, 1494, 3389, 443, 27000 etc

        • (delayed reply – sorry). That’s a little frightening, but yes, technically it could work… although I don’t think there’s an equivalent to the old ALTADDR command with XenDesktop, so I’m not sure how that will play into it. I’ve never tried setting things up that way.

  5. don’t ask me how but i got it to work.

    your site has been instrumental in me getting my test for Xendesktop up and running.

  6. Gijs Laandrecht says:

    Hi Benjamin,

    I do really like your post and I think that everyone can setup netscaler with this post but unfortunately, in Storefront, when I add the Netscaler Gateway Appliance, it says “Appliance added” but nothing is really created.

    Have you had this problem before? I can’t really think of a solution. I am using XD 7.1 and Storefront 2.1.

    Thanks and thanks for the post!

  7. I know this is a pretty old post, hope you’re still replying.

    In step 4, near the end when i get to “Choose StoreFront for the deployment type and set the options to match your environment.” I don’t have the option to choose Storefront, just have Web Interface. Any idea there? Thanks

  8. In response to your update on 2013/08/26:
    Currently running Netscaler 10.1 w/Storefront 2.1
    As a test I ran storefront without ANY certs to determine functionality.
    HTML5 receiver works, clientless receiver works but Receiver for iPad/iPhone do not work nor will receiver 4.x save the configuration. (web access works fine)
    Configuring storefront with a self signed cert and not setting up the chain on the netscaler as you’ve pointed out obviously doesn’t work at all.
    For “full” functionality “all” traffic must be encrypted between the netscaler & storefront

  9. Hi Benjamin, noted that you are using a GoDaddy.com SSL certificate in your Home Lab.

    I am also looking for a solution to enable remote access into my XD7 home lab which is fronted with a Netscaler vpx all running on a single ESX host.

    I am curious to find out how you have gone about obtaining the Godaddy certificate, are you using a static IP home internet connection through which you mapping the DNS record of your public URL? i.e the certificate you have registered is it like your website domain url? In this case how do you redirect the DNS to your home static IP router?

    Currently I only have a Dynamic IP broadband service at home and using a Dynamic DNS resolution for which I have created a self-signed cert. This seems to work fine by importing the root cert into my laptop but it can be troublesome for mobile devices.

    Any information on how to setup something similar to what you have done will be greatly appreciated.


    • I, too, use dyndns for resolution to my home IP address. Just create a CNAME record in DNS for the address you want the SSL cert on and point it to your dyndns hostname. Works fine.

  10. I forgot to add, currently there are no cheap certs available from Godaddy for $5.99, could you please tell me what category does this type of cert comes under.


  11. Hello Benjamin,

    On Citrix XenServer with version 6.2, I set up NetScalar VPX (version NS10.0)

    I tried to set up SSLVPN on the access gateway of NetScalar VPX
    LOCAL authentication is selected for log in the “Citrix Receiver” SSLVPN webpage from the internet.
    One local user account is created.

    I can access the homepage of “Citrix Receiver” SSLVPN webpage from the internet.
    I tried to log in the same username and password several times at “Citrix Receiver” SSLVPN webpage.
    But it still fail. And no error message pop up.

    Is the problem related to MIP/VIP/Subnet IP mis-configured ?
    Have you encounter such problem when you set up SSLVPN on the access gateway of NetScalar VPX ?

    Please help give some advice.
    Thanks very much !


  12. I am a complete netscaler noob. My environment is a brand new XenDesktop 7.5 with a single XD and a single XA server. All is working inside the LAN and the storefront is accessible from the Web I just can’t launch apps or desktops. SSL cert is installed on the storefront server. I set the IP address of the netscaler to and .8 (it asked for two of them before I entered the license info) After the license is installed I get to the Welcome screen hit next and I’m at the NetScaler Gateway Settings screen. What is it looking for here? Does this want the name of the netscaler and IP yet again? When I do redirect 80 to 443 it asked for FQDN. Does it want my active directory domain name or my internet domain name? I’ve tried several various combinations and all result in a message “operation not permitted”.

    • I’m not completely sure what you’re asking here, but the screen you describe wants the FQDN of the Netscaler as it will be accessed from the Internet. It’s the address you got an SSL certificate for – what you’ll type into the browser. So in my example above, it’s “login.mydomain.com,” but it should be whatever you’re using for your device instead… again, this is the external address, registered in DNS and with an SSL certificate to secure it.

    • pjmarcum, I’m having the same exact issue. There is no indication of what it wants here. An external IP maybe? Did you ever figure it out?

  13. THANK YOU very much for sharing !!!!! 🙂

  14. Thanks so much for posting this. It’s an excellent article. However, I wanted to correct you on one minor point that kind of sent me scrambling here. I think you may be incorrect about the EOL date for Web Interface component. You say it’s EOL in 2015. According to what I can see on http://www.citrix.com/support/product-lifecycle/milestones/xenapp.html, it’s not EOL until August 24, 2016, and that’s just for XenApp 6.5, it’s even later for 7.x.

  15. Dear Benjamin,

    I have configured Xendesktop 7.6 and Netscaler VPX1000 in my office test environment. Internal network users can access the applications and desktops through netscaler, without any issue.

    But if i enter Fortinet dyndns address(external.fortiddns.com) in “netscaler Gateway URL” address and try to access from outside office, it will login the netscaler , but while trying to launch the apps, it will throw an error, The certificate is for netscaler DNS address (nsvip.domainname.local), but you have specified the external fortiness address( external.fortiddns.com:666), which has no certificate.

    I want to know where i have to attach this external fortinet’s dyndns certificate in Netscaler. Or i have to do some work around in Hosts file or DNS.

    Suppose Netscaler DNS is : nsvip.domainname.local
    External access FQDN : external.fortiddns.com:666

    Please help me



  1. Single Sign On to Storefront While Encrypting with NetScaler | Matthijs' BlogMatthijs' Blog - […] http://benjamin.eavey.com/2013/07/netscaler-vpx-as-secure-gateway-replacement/ […]
  2. “Cannot complete your request‘” on Netscaler Gateway VPX | blog.appcloud.ch - […] You can find a step by step Netscaler Gateway intro here http://blogs.citrix.com/2013/07/03/citrix-netscaler-gateway-10-1-118-7-quick-configuration-wizard Also a very nice guide you can find…

Please comment and discuss: