Citrix Workspace app for Mac and Windows OS fails with “cannot connect to the server” from the internet when connected externally

We observed that removing the response-rewrite policies made it possible to login with LDAP-only in Receiver.

However, we needed two-factor auth and thus had to bind the policies.

With response-rewrite policy bound (the one setting header “X-Citrix-AM-GatewayAuthType” = SMS).

Binding the policy setting “PWDCount=0”, made the Receiver fail.

Entrust – SMS Passcode reported back that if Netscaler version is 12.x, the policy must be replaced with this:


and a corresponding action:

add rewrite action RWA-RES-REMOVE_2ND_PASSWORD replace_all “HTTP.RES.BODY(99999)” “”\r\n”+n”<style type=\”text/css\”>\r\n”+n”[for=\”passwd1\”] { display: none;}\r\n”+n”#passwd1 { display: none; }\r\n”+n”</style>\r\n”+n”\r\n”+n”</body>\r\n”+n”</html>\r\n”” -search “text(“</body>n</html>”)”


  • No Related Posts

Performance issue is observed if USIP/RNAT + TCP Timestamp is enabled on Client machine as well as on NetScaler

1) When (USIP + Timestamp) is enabled on NetScaler (LB Vserver and Service) and also if we enabled TCP timestamp on Client machine through Registry settings. RESULT: NetScaler is sending the same TSVAL to backend server and Latency issues found. Once after refreshing the browser NetScaler sends the TSVAL properly to backend server and the required page gets displayed.

2) When (USIP + Timestamp) is enabled only on NetScaler (LB Vserver and Service) and if the Client is not enabled with TCP timestamp. RESULT: NetScaler is sending TSVAL properly to backend and no latency issues found.

3) When (SNIP +Timestamp) is enabled on NetScaler (LB Vserver and Service) and if the Client is enabled with TCP timestamp. RESULT: NetScaler is sending the same TSVAL to backend server. However, no delay issue observed.

4) Also we could see the NetScaler is advertising the MSS value as 1448 instead of 1460 when TCP timestamp is enabled on NetScaler.


  • No Related Posts

FAQ: Can Idle Session Timeout Be Configured For A Specific User Through NetScaler GUI?


Can idle session timeout be configured for a specific user through NetScaler GUI?

Answer: Yes, follow the below steps:

This parameter is user specific and needs to be changed for each user or group.

1. Go to System > User Administration > User.

2. Select the User

3. Modify the idle timeout (In seconds).

Below is the screenshot showing the idle session timeout for nsroot user modified to 9000 sec. The default idle session timeout value is 900 sec.

User-added image

The idle session timeout information can be changed from CLI as well.


set system user <username> -password <*******> -timeout 9000

Example: set system user nsroot -password abcd -timeout 9000

User-added image


  • No Related Posts

How to Increase Seed Database Size for the URL Filtering Feature

Complete the installation of NetScaler release 12.0 build 53.110 and wait for the NetScaler node to return to service after reboot next follow the steps bellow to perform the necessary steps:

  1. Modify the file “/flash/boot/loader.conf” appending the following line:

After the change the file should look like this…


This change is needed in order to accommodate the larger Seed DB sizes available with the new SDK.

  1. Next, reboot the node for the new setting to take effect.

  1. Change Seed DB size level to the max value with the “SeedDbSizeLevel” parameter:
> set urlfiltering parameter -SeedDbSizeLevel 5

The updated seed DB size will take effect on the next automatic seed DB update. The update schedule is defined by the HoursBetweenDbUpdates and TimeOfDayToUpdateDB parameters. An update will only occur if a new version is available.

  1. Verify downloaded Seed DB size.

Once the Seed DB update process has been successfully completed, check the “/var/gcf1/data” directory and verify the size of the matches (approximately) the configured CLI level.

NOTE: In order to use the larger sizes the next steps have to be made first in order for the system to be able to allocate that memory.

With smaller sizes of the DB the URL filtering feature it’s possible that will require more frequent access to the non-local DB through an Internet connection.


  • No Related Posts

NetScaler – 12.0-41.24 RADIUS LB vserver not working

Upgraded the box to 12.0-41.24 and now RADIUS authentication errors for the services there after are observed.

when configuring Authentication RADIUS server and pointing it to NetScaler local Load Balancer ip address we get error:

Server 'x.x.x.x' is reachable​Either 'x.x.x.x' is not a valid Radius server'1812/udp' is not a valid Radius authentication port or Radius client is not configured properly on Radius server

Checked radius server config, SNIP of NetScaler was configured properly, password was matching, RADIUS service is up with a ping monitor bound.

In trace it is seen that NSIP reaching out to RADIUS LB VIP and nothing else.

LBVIP never forwards the request out

You can run a wireshark trace or from shell to check connectivity between RADIUS server and NetScaler.

Command to run nstcpdump,

Go to Shell.> host <RADIUS IP>


  • No Related Posts

XenApp/XenDesktop 7.X NetScaler MAS Integration With Citrix Director Breaks On Group Policy Update

  • After the above configuration, the Network tab in the Trends page In Citrix Director shows latency and bandwidth effects for applications, desktops, and users across your deployment.


  • After Director Server reboot or on running Group Policy update the Netscaler MAS integration with Citrix Director Breaks and the Network tab in Citrix Director Trends page does not show the statistics.


  • Re-configuring the Netscaler MAS Integration with Citrix Director fixes the issue untill next Group Policy update of Director Server reboot.
  • As per CDF traces we see the below error :

DirectorService,_#dotNet#_,0,,1,CDF_NET_ERROR,”DirectorService:1:1:[t:53, s:gfmgwn5ibtsyl5yz10ritnx5] Loading plugin panel file C:inetpubwwwrootDirectorbin..DisplayConfigHdxInsightPluginHdxInsightForUDPluginConfig.xml failed with exception failed to get configuration information and inner exception : The data is invalid.

DirectorService,_#dotNet#_,0,,1,CDF_NET_ERROR,”DirectorService:1:1:[t:53, s:gfmgwn5ibtsyl5yz10ritnx5] Loading plugin panel file C:inetpubwwwrootDirectorbin..DisplayConfigHdxInsightPluginHdxInsightPluginConfig.xml failed with exception failed to get configuration information and inner exception : The data is invalid.


  • No Related Posts

FAQ: NetScaler SSL Cipher

Q: Does NetScaler 10.5 support SHA-2 ciphers?

A: SHA-2 ciphers are supported on NetScaler from release 10.5 build 53.9.

From release 10.5 build 53.9, ECDHE, AES-GCM, and SHA-2 ciphers are part of the default group. ECDHE/DHE cipher suites must be used to achieve Perfect Forward Secrecy (PFS). However, ECDHE, AES-GCM, and SHA-2 ciphers are supported on the front end SSL entities only. From NetScaler 11.1, ECDHE,AES-GCM and SHA-2 are supported on the Backend entities too.

For more information refer to Citrix Documentation – Ciphers Supported by the NetScaler Appliance


  • No Related Posts

To add ShareFile for XenMobile clients to XenMobile

When you add ShareFile for XenMobile clients to XenMobile, you can enable SSO access to Connector data sources from ShareFile for XenMobile clients. To do so, be sure to configure the Network access policy and the Preferred VPN mode policy as described in this section.


  • XenMobile must be able to reach your ShareFile subdomain. To test the connection, ping your ShareFile subdomain from the XenMobile server.
  • The time zone configured for your ShareFile account and for the hypervisor running XenMobile must be the same. If the time zone differs, SSO requests can fail because the SAML token might not reach ShareFile within the expected time frame. To configure the NTP server for XenMobile 10, use the XenMobile command-line interface.

    Note: Be aware that the Hyper-V host sets the time on a Linux VM to the local time zone and not UTC.

  • Log in to the Sharefile administrator console using a ShareFile admin account and verify the SAML SSO settings in Admin > Configure Single Sign-On.
  • Downloadandwrapthe ShareFile for XenMobile clients.


  1. In the XenMobile console, click Configure > Apps and then click Add.
  2. Click MDX.
  3. Enter a Name and, optionally, a Description and App category for the app.
  4. Click Next and then upload the .mdx file for the ShareFile for XenMobile client.
  5. Click Next to configure the app information and policies.

The configuration that enables SSO from ShareFile for XenMobile clients to ShareFile does not authenticate users to network shares or SharePoint document libraries. To enable SSO between the Secure Hub micro VPN and ShareFile StorageZones Controller, complete the following policy configuration:

  • Set the Network access policy to Tunneled to the internal network.

    In this mode of operation, all network traffic from the ShareFile for XenMobile client is intercepted by the XenMobile MDX framework and redirected through NetScaler Gateway using an app-specific micro VPN.

  • Set the Preferred VPN mode policy to Secure browse.

    In this mode of tunneling, SSL/HTTP traffic from an MDX app is terminated by the MDX framework, which then initiates new connections to internal connections on the user’s behalf. This policy setting enables the MDX framework to detect and respond to authentication challenges issued by web servers.

Complete the Approvals and Delivery Group Assignments as needed.

Only the users in the selected delivery groups will have SSO access to ShareFile from the ShareFile for XenMobile clients. If a user in a delivery group does not have a ShareFile account, XenMobile provisions the user into ShareFile when you add the ShareFile for XenMobile client to XenMobile.


FAQ: Key Sizes/Certificates Supported by NetScaler

A VPX virtual appliance supports certificates of 512 or more bits, up to the following sizes:

  • 4096-bit server certificate on the virtual server
  • 4096-bit client certificate on the service
  • 4096-bit CA certificate (includes intermediate and root certificates)
  • 2048-bit certificate on the back-end server
  • 2048-bit client certificate (if client authentication is enabled on the virtual server)

The following is the behavior on NetScaler SDX appliance:

  • If VPX instance has at least one SSL chip assigned to it, then it supports certificates as supported by a MPX appliance
  • if VPX instance has NO SSL chip assigned to it then it supports certificates as supported by a VPX appliance

Note: From release 11.0, the default certificate on a NetScaler appliance is 2048-bits. In earlier builds, the default certificate was 512-bits or 1024-bits. After upgrading to release 11.0, you must delete all your old certificate-key pairs starting with “ns-“, and then restart the appliance to automatically generate a 2048-bit default certificate.

Additional Resources


  • No Related Posts