Configure Citrix NetScaler 10.5 including Gateway and Citrix StoreFront 2.5.2

Citrix has released NetScaler 10.5. In this blog I will show you how to set up this new NetScaler, including creating and installing an SSL certificate and creating and configuring the Gateway feature. I will also show you the steps that need to be taken in the Citrix StoreFront 2.5.2 configuration.

Before starting with the installation and configuration, make sure you have a license file for the NetScaler and that at least three IP addresses are available for the configuration. The Access Gateway function needs an SSL certificate, so make sure you can have an SSL certificate issued by a Certificate Authority (CA) and that an external DNS record is in place.

For this blog I used NetScaler VPX for XenServer 10.5 Build 50.9 as the source. The steps for downloading the NetScaler and uploading it to the hypervisor are not covered in this blog; for these steps see my previous NetScaler blog (click here). The steps for installing Citrix StoreFront are not covered either; you can find them in my StoreFront blog (click here).

Good news: with NetScaler 10.5 you no longer need Java, which is a really big improvement! There are many more improvements, like an SSL certificate chain check (see later in this blog) and a much improved setup wizard. Let’s get started…

Configuring NetScaler 10.5

After downloading the NetScaler sources from the Citrix site and uploading them to the hypervisor, it’s time to walk through the console configuration wizard.

Turn on the NetScaler and open the NetScaler console on the hypervisor. Fill in the following information:

– IPv4 address
– Netmask
– Gateway IPv4 address

Choose option 4 to Save and quit. After that the NetScaler will reboot.

After rebooting the NetScaler, open a browser and browse to the NSIP address (management interface IP address) you entered in the previous step. Log in with User Name: nsroot and Password: nsroot.

Citrix NetScaler 10.5 has a much improved First-time Setup Wizard, making it possible to set up the NetScaler in a few clicks. Click on step 2, Subnet IP Address.

The wizard gives a good explanation of the Subnet IP Address; even an infographic is displayed, nice! Fill in the Subnet IP Address and click Done.

Click on Step 3 to configure Host Name, DNS IP Address, and Time Zone

Fill in the NetScaler Host Name, the DNS IP Address and the correct Time Zone. Click Done

If you have a license file, select Upload license files from a local computer and click Browse.

After uploading the license file, click Reboot

Create a SSL certificate

The next step is to install the SSL certificate. Browse to Traffic Management > SSL and click on Create RSA Key.

Fill in the following information:

Key Filename: “name”.key, anything you like
Key Size (bits): 2048
Public Exponent Value: F4
Key Format: PEM
PEM Encoding Algorithm: DES3
PEM Passphrase: A password you like
Verify Passphrase: Same as above

Click on Ok

Click on Create CSR (Certificate Signing Request)

Fill in the following information:

Request File Name: anything you like
Key File Name: Browse to the .KEY file you just created
Key Format: PEM
PEM Passphrase (For Encrypted Key): The password you specified in the previous step

Scroll to the bottom of the page and fill in the following information:

Country: Your Country
State or Province: Your State or Province
Organization Name: The name of your organization
City: Name your City
Email Address: a valid email address
Organization Unit: Your Organization Unit
Common Name: This is the address the users will type in their browsers
Challenge Password: A password you like
Company Name: Your Company Name

Click OK

To download the request file click on Manage Certificates / Keys / CSRs

Select the request file (in my case this is robinhobocom.txt) and click Download

Open the request file with Notepad and copy all the text. Go to your Certificate Authority (in my case this is Go Daddy) to request a new certificate or re-key an existing certificate by pasting the text from the request file.
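Before pasting the request file into the CA's form, it can be checked on any machine with the openssl command-line tool. The script below is an added example, not part of the original post: it confirms that the request is intact, that the key has the 2048 bits chosen above, that it is not signed with MD5 or SHA-1, and that the Common Name is the address users will type. The function names and the host name in the usage line are placeholders.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): sanity-check a CSR downloaded
# from the NetScaler before submitting it to the CA. Requires openssl.

# csr_field FILE bits|sig|cn -> prints one property of the request
csr_field() {
    local csr=$1 what=$2
    case $what in
        bits) # "Public-Key: (2048 bit)"; very old builds print "RSA Public Key: (...)"
            openssl req -in "$csr" -noout -text |
                sed -n 's/.*Public[- ]Key: (\([0-9]*\) bit).*/\1/p' | head -n 1 ;;
        sig)  # digest and algorithm the request was signed with
            openssl req -in "$csr" -noout -text |
                sed -n 's/^ *Signature Algorithm: *//p' | head -n 1 ;;
        cn)   # RFC2253 output gives a stable "CN=value" form across versions
            openssl req -in "$csr" -noout -nameopt RFC2253 -subject |
                sed -n 's/.*CN=\([^,]*\).*/\1/p' ;;
    esac
}

# csr_check FILE EXPECTED_CN -> returns 0 if the request is fit to submit
csr_check() {
    local csr=$1 want_cn=$2 bits sig cn rc=0
    # A CSR is signed with its own private key; if this fails, the text was
    # altered or corrupted (for example by a bad copy and paste).
    if ! openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK'; then
        echo "FAIL: self-signature does not verify"
        return 1
    fi
    bits=$(csr_field "$csr" bits)
    sig=$(csr_field "$csr" sig)
    cn=$(csr_field "$csr" cn)
    [ "${bits:-0}" -ge 2048 ] || { echo "FAIL: key is ${bits:-?} bits, expected 2048 or more"; rc=1; }
    case $sig in
        md5*|sha1*) echo "FAIL: request is signed with weak digest ($sig)"; rc=1 ;;
    esac
    [ "$cn" = "$want_cn" ] || { echo "FAIL: Common Name is '$cn', expected '$want_cn'"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $bits-bit key, $sig, CN=$cn"
    return "$rc"
}

# Usage (placeholder names): ./csr_check.sh request.txt gateway.example.com
if [ $# -eq 2 ]; then csr_check "$1" "$2"; fi
```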

After creating the certificate, download it. Select IIS7 as server type

Browse to Traffic Management > SSL > Certificates and click on Install

Fill in a Certificate-Key Pair Name (anything you like). On the right side of the Certificate File Name click the arrow down button and select Local to browse to the downloaded certificate

Browse to the Key File Name (on the appliance), select PEM as Certificate Format. Fill in the password entered when creating the request file and click on Install

After the installation you can see the status and the number of days until the certificate expires.

Configuring the NetScaler 10.5 Gateway

Under Integrate with Citrix Products, click on XenApp and XenDesktop

The Before you Begin checklist is presented. We already have a server certificate installed, and the LDAP authentication server details will be configured during this wizard. Click Get Started.

An infographic is displayed with your deployment options. At this point the Single Hop deployment is my only option. Select StoreFront as integration point and click Continue.

Fill in the Virtual Server Name (anything you like) and the NetScaler Gateway IP Address; this is the IP address where the outside IP address must point to. Fill in port number 443; optionally you can enable the redirect of requests from port 80 to a secure port. Fill in the address without “https”. Click Continue.

Select Use existing certificate, select the certificate that was installed in the previous steps and click Continue.

Citrix NetScaler checks whether the certificate chain of the SSL certificate is complete, a really great new feature. In my case the certificate chain is incomplete. NetScaler displays the missing parts of the chain and where to find them!

After installing all the certificates NetScaler displays the Server Certificate including the complete chain.
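The same kind of completeness check can be run off the appliance before uploading, to see which issuer certificate still has to be fetched from the CA. The script below is an added example, not NetScaler's own logic and not part of the original post: it walks from the server certificate through a PEM bundle by matching each issuer name to a subject name, and reports the first issuer that is absent. It compares names only and does not verify signatures or validity dates; the function and file names are placeholders.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): find the issuer certificate that
# is missing from a set of PEM certificates. Requires openssl and awk.

# cert_name FILE subject|issuer -> prints that name in RFC2253 form
cert_name() {
    openssl x509 -in "$1" -noout -nameopt RFC2253 "-$2" | sed "s/^$2= *//"
}

# split_bundle BUNDLE OUTDIR -> writes each certificate to OUTDIR/cert-N.pem
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$1"
}

# chain_check LEAF BUNDLE
#   prints "complete" and returns 0 if the walk ends at a self-signed root,
#   prints "missing issuer: <subject name>" and returns 1 if a link is absent.
chain_check() {
    local leaf=$1 bundle=$2 tmp current issuer candidate found depth=0
    tmp=$(mktemp -d) || return 2
    split_bundle "$bundle" "$tmp"
    current=$leaf
    while [ "$depth" -lt 10 ]; do          # depth limit guards against name loops
        issuer=$(cert_name "$current" issuer)
        if [ "$issuer" = "$(cert_name "$current" subject)" ]; then
            echo "complete"; rm -rf "$tmp"; return 0
        fi
        found=""
        for candidate in "$tmp"/cert-*.pem; do
            [ -e "$candidate" ] || continue
            if [ "$(cert_name "$candidate" subject)" = "$issuer" ]; then
                found=$candidate
                break
            fi
        done
        if [ -z "$found" ]; then
            echo "missing issuer: $issuer"; rm -rf "$tmp"; return 1
        fi
        current=$found
        depth=$((depth + 1))
    done
    echo "chain is longer than 10 certificates or loops"; rm -rf "$tmp"; return 2
}

# Usage (placeholder names): ./chain_check.sh server.crt ca-bundle.pem
if [ $# -eq 2 ]; then chain_check "$1" "$2"; fi
```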

Scroll down to the LDAP configuration. Select Add new server and fill in the following information:

IP Address: The IP Address of a Domain Controller
Port: 389
Base DN: For example DC=RobinHobo,DC=Com
Service account: An account with AD read rights
Server Logon Name Attribute: choose sAMAccountName for XenApp/XenDesktop deployments
Password: The service account password
Confirm Password: same as above

Click Continue

An LDAP authentication policy and server are now automatically created

Scroll down to configure the StoreFront server and fill in the following information:

StoreFront FQDN: The FQDN of the StoreFront server
Site Path: The site Path of the Receiver for Web Store URL. For me this is /Citrix/HoboWeb
Single Sign-On Domain: Your internal domain name
StoreName: Your StoreFront storename
Secure Ticket Authority Server: The STA address of your XenApp or XenDesktop controller
Protocol: Protocol used by the StoreFront server
Storefront Server: IP address of the StoreFront Server
Port: The port number used by StoreFront

Optionally you can enable Load Balancing and enter the IP address of the virtual load balancing server.

Click on Continue

To configure your Xen Farm, select what you are using: XenApp, XenDesktop or both. Fill in the IP address of the XenApp / XenDesktop Controller server and the services port in use. If you want to configure Load Balancing on your controllers, select Load Balancing to enter the IP address of the virtual LB server. Click Continue.

To apply Optimize TCP Profile Settings, Optimize SSL Quantum Settings, HTTP Caching and HTTP Compression, click Apply

Click OK

To apply AppFW policies and profiles, click Apply

To apply HDX Insight AppFlow policies, click Apply

Click Done

Optionally you can change the default theme of the NetScaler web interface. To do so, browse to NetScaler Gateway > Global Settings and click Change Global Settings.

Open the Client Experience tab

Scroll to the bottom and select the UI Theme you want. I selected the Green Bubble theme because I use the same theme in StoreFront. Click OK.

Save the configuration and reboot the NetScaler

Configure Storefront 2.5.2 for Remote Access

The final step is to configure Citrix StoreFront 2.5.2 for remote access with Citrix NetScaler 10.5. Log on to the StoreFront server and open the console.

Browse to Authentication and click on Add/Remove Methods. Make sure you enable Pass-through from NetScaler Gateway and click OK

Go to NetScaler Gateway and click on Add NetScaler Gateway Appliance

Fill in the following information:

Display name: Any name you like
NetScaler Gateway URL: The external URL of the Gateway
Version: 10.0 (Build 69.4) or later
Logon type: Domain
Callback URL: The external URL of the Gateway

Click Next

Click Add to add a Secure Ticket Authority (STA)

Add http://<FQDN of XenApp/XenDesktop controller> and click OK

Click Create

Click Finish

Open the Stores page and click on Enable Remote Access

Select No VPN tunnel, select the just created NetScaler Gateway appliance and click OK

At this point everything should be working fine. If you open a browser and browse to the external URL, you will see that HTTPS is used and that the certificate icon is displayed.

After logon you will see the published Applications and Desktops in the StoreFront interface with the same theme as the NetScaler Gateway.


  • Hello,
    tried the same today and it worked. Instead of a full license I tried it with a NetScaler Express license. In this license AAA is not included. The wizard you show and explain here doesn’t work in this case. So I had to use the “old” 10.1 wizard which is a bit hidden.
    You could add this to your post for the people who use the Express to grant remote access for only a few people in their company.

  • Hello,
    I’ve the same error “upload an issuer certificate with the following subject name”
    I’ve uploaded the DigiCertCA.crt certificate & the “mydomain.crt” certificate:
    The certificate chain is incomplete.
    Upload an issuer certificate with the following subject name:
    /C=US/O=DigiCert Inc/ Global Root CA
    How do you resolve this problem ?
    Thanks for this article, it was very useful for me!

  • Fantastic!!! Thank you for your assistance. I was a little bit confused with a new interface.

  • Great post Robin.
    I have just gone through this pain and have 2 notes worthy of a mention.
    1 – Netscaler MPX8200 running 10.1.126 does not support certificate algorithm strength above 256. You get ‘Invalid Certificate Type’ when trying to install a cert with a higher algorithm such as 384ECDRSA. This might be different on higher spec’d machines.
    2 – for those behind firewalls, that have the Access Gateway in a DMZ, we had to create an access gateway virtual server with an internal DMZ address to act as the Callback URL. We then added a host entry on the storefront/DDC servers to resolve the External URL to the internal DMZ address. This may not be the correct way to do it, but we have no routing from our internal network to the external interface of the netscaler and at 2am, you kind of run out of options 🙂

  • Hi all,

    In training we did the same setup and used the same version of NetScaler, 10.5, and XenDesktop 7.5.

    Everything works well, but when connecting to a Windows 8.1 desktop we all had double mouse cursors.

    Did any of you have the same problem?

  • Robin,

    Very Nice write up!

    I am having an issue with Netscaler VPX 3000, and wondering if you have come across it.

    Whenever I try to generate a CSR, after all the fields are filled out, my browser just spins. Nothing happens. I have let it sit for 30 min and I get kicked off the Netscaler GUI and have to log back in. Any assistance would be greatly appreciated. Thanks!


  • I have done everything as mentioned in this great tutorial, but I keep getting “cannot complete request” when going through NetScaler, but if I use internal, it works perfectly. Any idea?

  • Sorry, never mind, I have fixed the problem, I was putting in the wrong callback URL. Great article and site, thanks

  • Have 10.5 netscaler up and running. Can connect with receiver for windows, but when trying to connect with ipad or iPhone it fails to connect. Error says could not connect to server. I am new to this and am learning on the fly. Any help as to where to look would be great.

  • I am stuck with Cannot complete your request error when I try to access from external….

    Confused by you select port 443 for your storefront servers but used http and not ssl

  • Great walkthrough – thank you! Once everything is in place, what is your base URL for connectivity? It is difficult to read in the screenshot.

    Would it be something like:

    Or is there more after that?

    • My base URL is https://storefront.hobo.lan. This is my internal base URL. The Receiver for Web URL adds /Citrix/HoboWeb on the end.
      Please let me know if you have any more questions.

  • Hi Robin,
    That is a great article, thank you!

    I am stuck at IP addressing. Which address should be used here:
    “Netscaler Gateway IP Address, this is the IP address where the outside IP address must point to”

    In my home lab:
    I have external IP (e.g
    My home network
    My LAB network (VMWare Workstation and separate vlan)
    My netscaler has two NICs from both networks. So which IP should be used as NS Gateway IP?

    • Hi Serg, in which LAN do you want to set up the Gateway? You must configure NAT from your external IP to the IP of the new Gateway, and it must be possible to connect to the StoreFront and XenDesktop servers from the SNIP address of the NetScaler.

      • Actually the main goal for me is to make my Gateway accessible from outside of my network, so it is not really important in which LAN to setup (lab – 10 or home – 192). But as my home router is in 192 network so I can configure port forwarding and as I understand I have to put my GW to the same network.
        I have two SNIP configured (for both networks)

  • Hi Robin,

    thanks a lot for this very good how-to. Everything is working, just the session is not opening up. I get this error message:

    “Cannot start Desktop”

    How can I troubleshoot this? Do you have any advice?


    • I am also getting the “Cannot Start Desktop” message on the outside world. I have https forwarded in from the firewall to the Netscaler. Internally things are fine. Any thoughts are appreciated.

  • Great guide as always!

    One thing I would like to see is how to use SHA-256 to create CSR’s now that SHA-1 is being phased out.

    Many Thanks!

  • Hi Robin,

    Thanks for sharing, following your step by step guide I got the Netscaler with Storefront running.

    We are also using Godaddy SSL cert and had bought 2 certs (wildcard multi domains). 1 for the Netscaler and 1 for the Storefront server.

    We also set the internal Storefront URL and external Netscaler access gateway URL the same and of course the 2 certs we got from Godaddy includes the both same internal and external URL.

    While connecting through Windows machines, everything works perfectly fine, but not through Mac OS and iPad devices.

    On Mac OS, safari has no problem with the Godaddy cert, but once the app is launching and when Citrix receiver is kicked in, the Citrix receiver will not launch the app and display the following message:

    “You have not chosen to trust “Go Daddy Secure Certificate Authority – G2″, the issuer of the server’s security certificate”

    Tried to manually add the cert. to Mac OS keychain but no joy.

    On iPad, Citrix receivers says “Certificate Not Trusted” when adding an account, even the Ignore certificate warnings is checked, still no joy.

    Any idea why would this happen? Something to do with the SSL cert. chain?


  • Just one more thing to add, the Netscaler never complains that the chain of the cert is incomplete like in your screenshot.


  • Hi Robin, thanks for your very good post. It is possible to loadbalance and monitor storefront (SSL) 2.6 and xml service (80) running on the same xendesktop controller server with the default ports.

  • Great Article very informative.

    I do also have a question particularly around Monitors for Storefront on my Netscaler 10.1 (in the DMZ) when i add the Storefront Monitor to my server group both server state is DOWN. If i remove this and use say a standard https monitor all 3 state UP.

    The only thing i can think of is firewall at this moment.
    I have enabled ports 80/443

    Could you breakdown port access required for the Storefront monitors to show up when passing from DMZ to internal Storefront servers? That would help me out a great deal.

    Thanks in advance


  • Hi Robin,
    Great presentation!!!

    I have followed your steps and almost there except after I provide user name and password I am getting “cannot complete your request” only when accessing it externally. Internally works fine. I have wildcard SSL and to the best of my knowledge it’s installed on the Netscaler. I am using the latest Netscaler
    Any idea what I am missing?

  • Dear Robin
    my knowledge in Citrix is low 🙁
    I deployed netscaler
    about STA I haven’t found any good instruction
    I have Xenapp 7.6 and didn’t find anything on Xenapp 7.5 and 7.6
    I found ctxsta.dll on C:\Program Files\Citrix\Broker\Service
    I created Scripts folder and published it on IIS and add execute permission in handler mapping
    when I log in to https://gateway.***.net/vpn/index.html I find this error: Http/1.1 Internal Server Error 43531
    could you help me?

      • Dear Robin
        I changed the FQDN to IP
        now it’s OK
        still when I login to xenapp from gateway I have this error:
        Http/1.1 Internal Server Error 43531

  • Dear Robin, we have NS 10.5 (53.9) iPAD 5.2.9 (15) and Storefront 2.6. Comodo Certificate.
    With Android & Windows Receiver everything's ok, with iPAD: Connection is starting > Servererror > More Info > Server was disconnected from Session.

    Any Hints are welcome
    Regards Armin

  • Hey Robin,

    It is important to use only A-Z and 0-9 symbols in the passwords. Symbols like ! or # are not supported in the interface. On the commandline it will work.

    Re-issued different times to find out the difference. After checking the website i found the problems.

    For googlers:
    Invalid Password Netscaler Gateway

    Thanks for this post!

  • One thing more 🙂

    It is from a local network not possible to access the public IP from your environment.

    It will result in this error:
    Error: Cannot complete your request

    Fix to connect on your SF server:
    Open C:\Windows\System32\Drivers\etc\hosts

    Add: (your url)

    This will connect the domain directly to the
    (public) internal ip. is reachable.

    Another way is to add a second vserver. But this is my way.

  • It looks like VMware put out a patch that the Netscaler VMs do not get along with. I rolled back my VMware host to the previous patch level and all is well. Setting up the second Netscaler for HA went smoothly afterwards.

  • Hi Robin,

    Excellent guide. I’m testing this on an inside LAN only for now and all working as expected. My only issue is when I try to launch an application through the netscaler I get the below error message

    “Unable to launch your application. Cannot connect to the citrix xenapp server.SSL Error 43: The proxy denied access to ;10;STA—–port 1494

    If I browse straight to the webinterface URL the applications launch fine

    Any thoughts?


  • Hi Robin, I have set up netscaler with 2 network interfaces, one internal and one dmz, the internal interface has the management ip and subnet ip, and the dmz network is bound to the virtual gateway address via vlan id. Yet I keep getting a page cannot be displayed every time the url for the netscaler is launched on the dmz address. NATing to the external ip hasn't been established yet. Firewall is set to allow all. Can you please advise? Everything seems to be in order.

  • Hi Robin, that was it. Working now. Thank you so much for your guides and the advice. It has been really helpful.

  • Hello Robin,

    Thanks for the article, but can you help me with a question?
    I am publishing XenApp.
    Auth – ok.
    I can see my Apps, but on clicking them i got: starting, connection in progress.

    here the file:


    1C Предприятие=

    [1C Предприятие]
    InitialProgram=#1C Предприятие
    Title=1C Предприятие
    WinStationDriver=ICA 3.0

    thank you!

  • Very nice article – my query is: I don't want LDAP authentication at NetScaler level. I want to display the StoreFront web page directly. Is this possible?

  • Thank you for this article Robin, great work.

    Do you have anything written up integrating latest MDM and XenDesktop/App with Netscaler 10.5 using the same FQDN and SSL Cert?

  • Hi Robin great write up and appreciate all the guides you publish they have been a huge help.

    I had a question in regards to https:// for internal traffic.

    I currently have a ssl cert installed on the netscaler from go daddy and https:// works great for external traffic, I’m using the basic netscaler vpx and only have one storefront server and wanted to know if I needed to purchase another cert for internal 443 or if that one very is enough

    • Hi Brian, you can install your own Certificate Authority within your own domain and create a certificate for your internal StoreFront address as long as you install the root certificate of your internal domain on the NetScaler.

  • Firstly, great article!

    Regarding comment above “you can install your own Certificate Authority within your own domain and create a certificate” I have a question…

    I’ve just installed a Netscaler VPX Express and I have 2 x Storefronts. In terms of a certificate, I was about to buy a Verisign cert which I assume I only install on the Netscaler VPX express? Is it mandatory to put a certificate on the Storefronts to secure traffic between the Netscaler and Storefronts? If so, can I use the external cert or so I have to create an internal certificate?

    I’m worried about the complexity of the internal certs when I thought I only had to install a cert for the external facing Netscaler…

    • Hi Brad, your internal LB address for your StoreFront servers is probably different from that of your external NetScaler Gateway address. Therefore you need a different certificate for your StoreFront LB address. This can be a certificate created by your own cert. auth. (if using an internal domain name for your FQDN StoreFront LB). The root CA of your internal domain must be installed on the NetScaler and be bound to the Gateway vServer. For your external access you need a publicly trusted SSL cert. Kind Regards, Robin

  • So great, attractive, full of detail and well described guide.
    I couldn’t leave the page before saying to Robin Hobo:
    Thank You.
    In this page you described the scenario in my mind. So you are a mind reader 🙂

  • Hi Robin
    My Storefront NS9.3 works fine on internal network but when I access applications externally via Access Gateway, I get a msg “There is no xenapp server configured with this specified address”
    I have come across a few articles which say “to proxy the ICA traffic through one NATed IP address”
    Can you please advise, where these settings are on Netscaler

    Appreciate your help

    • Hi Geoge, No, only HTTPS (443) traffic must be NATed, and HTTP (80) optionally if you want to redirect HTTP to HTTPS. There must be a misconfiguration in the Gateway VS on the NetScaler itself. Are the firewall ports open from the SNIP address to the XenApp servers?

  • Hi, I have followed all these steps with Netscaler 10.5 and StoreFront 3.6, but, I get “HTTP Error 404. The requested resource is not found.” error.. after logging in.
    Any suggestions to debug this problem!

    • Hi NP, check the StoreFront URL (including Storename) in the NetScaler configuration. Also check if any ports are blocked on the firewall from the SNIP address to the Storefront servers. Regards, Robin

  • Hi, I have a Netscaler 5500 and citrix support helped me setup the Netscaler Gateway virtual server, and Web interface site. I got an SSL cert from godaddy and testing internally works fine. I want to test externally. Can you tell me what ports to open and which IP do I need to NAT to the public IP? is it the SIP, NIP or Netscaler Gateway virtual server IP? There is no Storefront installed. thank you

  • Hi, I attempted this with Netscaler 11.1 and SF 3.9. I tried to use the export NetScaler Gateway configuration feature on the Netscaler to upload on SF but received the message “Gateway vServer Receiver for Web URL does not match the StoreFront Receiver for Web URLs”. I entered in the Netscaler Gateway manually in SF as you directed but after logging in through the Unified Gateway I just get a blank white screen. Any suggestions?

  • Hi Robin, helpful post but I have a basic question:

    Can you configure both an internal (for Receiver) and the external access (for Gateway) in 1 Store or do you have to make 2 separate Stores for that?

    Thank you

    • Hi, it depends on the configuration. If the requirements are the same for external and internal access you can use the same Store.

About Robin Hobo

I work as a Senior Solution Architect with focus on the Modern Workspace. I am specialized in Azure Virtual Desktop (AVD), Windows 365 and Microsoft EM+S (including Microsoft Endpoint Manager - Microsoft Intune).

For my full bio, check the About Me page.
