[NetScaler Gateway] How to Integrate NetScaler ICA Proxy Gateway with 3rd-party WAF

To overcome the challenge, we can seperate the FQDN based on different type of traffic:

  • FQDN_Authn: HTTPs protocol, used for authentication and desktop/application enumeration.
    • Go through WAF.
  • FQDN_ICA: ICA over TLS protocol, used for desktop/application launch.
    • Bypass WAF.

On NetScaler gateway, you can retain 1 gateway vServer as usual. But on Firewall, different entrance must be configured for 2 FQDNs to separate the traffic.

On StoreFront, you need to configure Optimal HDX Routing. The following is an example:

1. Create 2 gateways on StoreFront:

a. Gateway for FQDN_Authn:


b. Gateway for FQDN_ICA:


2. Select the Store, click Configure Remote Access Setting. Enable remote access and select the gateway you created in step 1.a.


3. Select the Store, click Configure Store Settings > Optimal HDX Routing. Select the gateway you created in step 1.b. Click Manager Delivery Controllers. Select the DDCs for the Store.

Note: Manage Zones can be checked too if you have Zones set in DDC.



  • No Related Posts

Leave a Reply