How to Migrate Existing NetScaler Gateway to Unified Gateway on NetScaler Gateway 11.1

This article describes how to migrate existing NetScaler Gateway to Unified Gateway on NetScaler Gateway 11.1.


User-added image

Since NetScaler 11.1 build 49 there is a built-in Gateway Universal license which brings upto unlimited* user licenses and the full Unified Gateway feature set. So why not use a NetScaler Gateway for more than just as an ICA Proxy? This article will show how to migrate an existing NetScaler Gateway with all policies, actions, etc. to an Unified Gateway, which provides remote access from any device to any application.

*(NetScaler Standard Edition = 500 licenses, NetScaler Enterprise Edition = 1000 licenses, and NetScaler Platinum Edition = unlimited licenses)

Instead of using the Unified Gateway wizard, we will complete the configuration manually which provides the following advantages:

  • Reuse existing NetScaler Gateway instead of configuring a new one from the scratch.
  • Using the StoreFront instead of NetScaler landing page.
    • Access to all apps via native Citrix Receiver.
    • Consolidates all resources.
  • Browse a web application directly via dedicated hostname, leveraging the NetScaler Gateway only for authentication.

NetScaler Login Page

User-added image

StoreFront including webapps

User-added image


  • NetScaler with firmware 11.1 build 49 or higher.
  • Wildcard SSL Certificate or one SAN per application.
  • One external facing IP Address with one DNS record per application.

    In this example, we will use the following URLs:

    URL Backend Description
    portal.nw.lab Storefront NetScaler Gateway
    basic.nw.lab Webserver 1 Webserver with NTML / Basic auth
    kcd.nw.lab Webserver 2 Webserver with Kerberos Constrained Delegation auth
    owa.nw.lab Webserver 3 Outlook Web Access Server

    User-added image

  • One central external facing Content Switch VServer instead of Gateway VServer.
  • Each application has one dedicated hostname.
  • Each application has one Content Switch Policy / Action which matches the FQDN.
  • Each application has one non-addressable Load balancing VServer.
  • The existing Gateway VServer for ICA Proxy and authentication will be moved from direct to non-addressable as well.
  • The policy for the non-addressable Gateway VServer must match the dedicated hostname and “is_vpn_url”, for matching on all NetScaler Gateway and authentication-specific requests.

Authentication Flow for Basic Web Application

User-added image


Leave a Reply