TCP Profiles on NetScaler

TCP configurations for a NetScaler appliance can be specified in an entity called a TCP profile, which is a collection of TCP settings. The TCP profile can then be associated with services or virtual servers that want to use these TCP configurations.

Built-in TCP Profiles

For convenience of configuration, the NetScaler provides some built-in TCP profiles. For a list of built-in profiles, refer to Citrix Documentation – Built-in TCP Profiles.

For a list of options that are available for a TCP profile, refer to Citrix Documentation – ns tcpProfile.

Note: These values can have serious impacts on network performance. Use these values carefully when adjusting them manually in existing profiles, or when creating new profiles.

To specify service or virtual server level TCP configurations

Command line interface

  1. Configure the TCP profile:

    set ns tcpProfile <profile-name>

  2. Bind the TCP profile to the service or virtual server.

    To bind the TCP profile to the service:

    set service <name>

    For example:

    > set service service1 -tcpProfileName profile1

Configuration utility

  1. Configure the TCP profile.

    Navigate to System >Profiles > TCP Profiles, and create the TCP profile.

  2. Bind the TCP profile to the service or virtual server.

    Navigate to Traffic Management > Load Balancing > Services/Virtual Servers, and create the TCP profile, which should be bound to the service or virtual server.


  • No Related Posts

Application and Desktop Launch Process for internal network users

Steps happen when users access their desktops and apps:

1. Authentication

User-added image
(1)Citrix Receiver contact StoreFront using http (TCP port 80) or https (TCP port 443)

(2)StoreFront presents an authentication page

(3)User submit credentials

(4)StoreFront contacts AD using keberos (TCP port 88) to authenticate the user

(5)AD returns response to StoreFront

(6)User got logged in to the store.

2. Enumeration

The idea of enumeration is the retrieval of apps and desktops that are assigned to the user and presenting them to the user. So the user can choose resources they would like to launch.

Assuming that the user has already been authenticated to the store

User-added image
(1)After successful authentication, StoreFront passes user credentials to Delivery Controller using http (TCP port 80) or https (TCP port 443) for the list of resources available for specific user

(2)Delivery Controller contacts AD for LDAP request (TCP port 389) to identify user’s identity and group memberships

(3)Delivery Controller contacts Site Database (TCP port 1433) stored on the SQL Server to obtain apps and desktops metadata such as names and icons associated to the resource user group access to

(4)Deliver Controller sends the information back to StoreFront using http (TCP port 80) or https (TCP port 443)

(5)StoreFront presents all the resources directly to Citrix Receiver on user’s endpoint

3.Resource Launch

User-added image
(1)User clicks the icon shown in the store (TCP port 80 or 443)

(2)StoreFront contacts Delivery Controller using http (TCP port 80) or https (TCP port 443)

(3)Delivery Controller reaches out to SQL Server (TCP port 1433) to identify the most suitable VDA

(4)Delivery Controller contacts that VDA (TCP port 80)

For Server OS VDAs, they are always listening for incoming connections

For Desktop OS VDAs, they are now beginning to listen for incoming connections

(5)VDA returns a session key to Delivery Controller

(6)Delivery Controller sends the session key contains all of the connection information to StoreFront (TCP port 80 or 443)

(7)StoreFront put all the connection information into the default .ica file and sends to the endpoint (TCP port 80 or 443)

4.Session Initialization

User-added image
(1)Citrix Receiver on user endpoint directly contacts VDA (TCP port 1494/2598 based on session reliability) using connection information stored in .ica file

(2)VDA notifies Delivery Controller the connection setup (TCP port 80)

(3)Delivery Controller contacts the License Server (TCP port 7279) to check out the license on behalf of the device or user connected to the environment

(4)Delivery Controller commits session connection information to site database on SQL Server (TCP port 1433)

(5)User interact with app or desktop resources (TCP port 1494/2598 based on session reliability)


How to Use Policy Based TCP Profile in NetScaler

Note: Policy based TCP profile is not present in 10.x. It is only available from 11.0 64.x and 11.1.

How to configure policy based TCP profile in NetScaler

Consider the following requirement in a customer deployment. Customer has 3G/4G subscribers, all the 3G subscribers are coming through VLAN-1 and 4G from VLAN-2. Based on this parameter, we can give different TCP profile to these clients.

User-added image

Using the APPQOE policy we have created two policies based on VLAN IDs. The action configured for APPQOE policy will select the profile for the subscriber traffic. On getting the request from client, policy evaluation happens, based on the VLAN ID, corresponding TCP profile is used based on the APPQOE action configured. For instance, in the below configuration when 3G traffic comes in to NetScaler using VLAN1, the APPQOE policy “appqoe_3G” is hit and the corresponding action “action_3G” with 3G_profile is applied for the session.

User-added image

  • add appqoe action action_3G -tcpProfile 3G_profile

  • add appqoe action action_4G -tcpProfile 4G_profile

  • add appqoe policy appqoe_3G -rule “” -action action_3G

  • add appqoe policy appqoe_4G -rule “” -action action_4G

  • bind lb vserver tcpopt_traffic_manager -policyname appqoe_3G –priority 1

  • bind lb vserver tcpopt_traffic_manager –policyname appqoe_4G –priority 2

Policy based TCP Profiles using configuration utility

Navigate to AppExpert -> AppQoE

User-added image

User-added image

User-added image

APPQOE Policy Examples

Some examples for APPQOE policy that can be used for other parameters like source IP, HTTP parameters, subscriber specific information are as follows,

TCP/IP specific rule :

add appqoe policy <name> -rule “CLIENT.IP.SRC.EQ(” -action <action-name>

HTTP specific rule :

add appqoe policy apppol1 -rule “HTTP.REQ.URL.CONTAINS(“5k.html”)” -action appact1

add appqoe policy apppol2 -rule “HTTP.REQ.URL.CONTAINS(“500.html”)” -action appact2

Subscriber specific rule:

add appqoe policy apppol1 -rule “SUBSCRIBER.AVP(250).VALUE.CONTAINS(“hi”)” -action appact1

add appqoe policy apppol2 -rule “SUBSCRIBER.SERVICEPATH.IS_NEXT(“SF1″)” -action appct2

This feature leverages the flexibility available in APPQOE policies and actions to dynamically

select the TCP profile required for the traffic going through NetScaler.

User-added image


WINS could not create the TCP socket for making a TCP connection. Make sure the TCP/IP stack is installed and running properly.

Product: Windows Operating System
Event ID: 4196
Source: Wins
Version: 5.0
Component: System Event Log
Message: WINS could not create the TCP socket for making a TCP connection. Make sure the TCP/IP stack is installed and running properly.

This event record indicates that WINS having a problem with TCP.

User Action

The steps to correct this problem are:

1. Stop the WINS service.
2. Click Start, point to Settings, and then click Network and Dial-up Connections.
3. Right-click Local Area Connection, and then click Status.
4. Check to see that the connection is operating correctly.
5. If the connection is not operating, click Properties and see if Internet Protocol (TCP/IP) is being used. If not, install the Internet Protocol (TCP/IP).
6. Restart WINS.