Configuring NetScaler Access Gateway VPX and Citrix StoreFront

NOTE: An up-to-date blog with NetScaler 10.5 and Storefront 2.5.2 can be found here!

In this blog I will describe step-by-step how to configure the Citrix NetScaler Access Gateway VPX with Citrix StoreFront. Including uploading the VPX to the XenServer, configuring the NetScaler, creating and installing the SSL certificate, creating the Access Gateway and the configuration of it, the redirection to the Citrix StoreFront server and finally the configuration of Citrix StoreFront server itself.

Before you begin make sure you have Java Runtime installed and that you have a license file for the NetScaler. The Citrix NetScaler Access Gateway needs a SSL certificate, make sure you can create a key by a CA. For this blog I will use and describe the step for creating the key by Go Daddy.

To install and configure Citrix StoreFront 1.2 see my previous blog here.

Downloading and Uploading the NetScaler Access Gateway VPX to the XenServer


For this installation I will download “Access Gateway VPX for XenSever Build Enterprise Edition” from the Citrix website.


After downloading the VPX, open XenCenter, open the File menu and choose the option Import…


Browse to the VDX and click on Next


Select your XenServer and click on Next


Select the storage you want to upload the Netscaler to and click Import


Select the network interface you want to connect to the Netscaler to and click Next


Click Finish

Configuring the Netscaler Access Gateway VPX


Start the NetScaler and go to the Console tab of the virual machine (XenCenter). Enter the desired IP Adress (this will be the management interface IP address a.k.a. NSIP), Netmask and Gateway address.


After entering all the network information there should be a menu to appear, but in this version of to the NetScaler it is not the case. From earlier versions I know option 4 is “Save and Quit”, so type in number 4 and hit Enter


After rebooting the Netscaler, open Internet Explorer and enter the NSIP address (management interface IP address). Login with User Name; nsroot and Password; nsroot


In the Configuration page, click Setup Wizard..


Click Next


Enter the Host Name (bearing in mind the license file where the name is case sensitive). In my case the resource servers are on the same subnet, so I choose the option Mapped IP and fill in the IP Address and Netmask.


Click on Manage Licenses


Click on Add to browse to your license file.


Click OK


Click on No (!!)


Click on Next


Click Finish


Optionally click on Configure Time Zone


Select the correct time zone and press OK


Click Exit


Click on Reboot


Select Save configuration and press OK

Installing the SSL Certificate


On the Configuration tab go to the SSL menu, on the right side of the screen click on Create RSA Key


Fill in the following information;

Key Filename: “name”.key, anything you like
Key Size (bits): 2048
Public Exponent Value: F4
Key Format: PEM
PEM Encoding Algorithm: DES3
PEM Passphrase: A password you like
Verify Rassphrase: Same as above

Click on Create and then Close


The next step is to create a request that needs to send over to the CA. On the right side of the screen click on Create CSR (Certificate Signing Request)


Fill in the following information;

Request File Name: “name”.REQ, anything you like
Key File Name: Browse to the .KEY file you just created
Key Format: PEM
PEM Passphrase (For Encrypted Key): The password you specified in the previous step
Common Name: This is the address the users will type in their browsers
Organization Name: The name of your organization
Country: Your Country
State or Province: You State or Province
Challenge Password: A password you like

Click on Create and then Close


The .REQ file needs to be download for importing it to the CA. Go to “Manage Certificates / Keys / CSRs”


Select the .REQ file and click Download. Click on Browse to give a “Save in” location, click on Download and then Close.


Open the .REQ file in Notepad and copy all the text. Go to your CA (in my/this case Go Daddy) to create the key or re-key an existing certificate by pasting the text from the .REQ file.


After creating the certificate, download it. Select IIS7 as server type.


After downloading the certificate, go back to “Manage Certificates / Keys / CSRs” under the SSL menu of the NetScaler and Upload the .crt file.


Go to the menu SSL > Certificates. On the lower side on the screen click on Install..


Fill in the following information;

Certificate-Key Pair Name: Any name you want
Certificate File Name: Browse to the .crt file you just uploaded
Private Key File Name: Browse to the .KEY file created earlier
Password: The password entered when creating the request
Certificate Format: PEM

Click on Install and Close


After the installation you can see the status and the number of days the certificate expires.

Create the Access Gateway Virtual Server


On the Configuration tab go to VPN and then on the right site click on Access Gateway wizard


Click on Next


Fill the IP Address, this is the IP address the outside IP address must point to. Fill in port number 443 and the Virtual Server Name (anything you like). After this Wizard configure your router and/or firewall to redirect port 443 (and optionally port 80) from outside to this IP address.


By Certificate Options choose Use an installed certificate and private key pair. By Server Certificate choose the certificate installed in the previous step.


Fill in the DNS Server IP Address of your DNS server, leave WINS IP Address blank. Choose DNS as Name Lookup Priority and click next.


Choose LDAP as authentication type. By Connection Settings fill in the requested information as shown in the screenshot above and click on Retrieve Attributes


Click OK


Set Configure Authorization to Allow. Optionally you can enable Port 80 redirection. Click Next


Select what is applicable and click Next


Click Finish


Click Exit


The next step is to configure the LDAP server and LDAP policy and assign it to the Access Gateway. Go to menu VPN > Policies > Authentication/Authorization > Authentication > LDAP. On the right side of the screen select the Servers tab, on the lower side of the screen click Add


Fill in the following information;

Name: Any name you want
IP Address: The IP address of your AD Domain Controller
Base DN (location of users): Distinguished Name of the domain
Administrator Bind DN: A domain administrator account name
Administrator Password: The password of the domain administrator account
Confirm Administrator Pass: Same as above

Click on Retrieve Attributes


Click OK


Click on Create and Close


Go the Policies tab and click Add


Fill in the following information;

Name: Any name you want
Server: The LDAP server created in the previous step

Select True value and click Add Expression, then click Create and Close


Go to menu VPN > Virtual Servers on the right side of the screen, right click the server and click Open


Go to the Authentication tab and click on Insert Policy to apply the policy created in the previous step. Click OK

At this moment you can already logon to the NetScaler with the external URL (you must configured the router to allow the 443 traffic to the Access Gate IP Address).

Configure Access Gateway to redirect to Citrix StoreFront


Go to menu VPN and on the right side of the screen click Published application wizard


Click Next


Select the Virtual Server Name created in previous steps and click Next


Enter by “Web Interface Address” the internal web address of the Citrix StoreFront server. By “Single Sign-on Domain” enter your domain name. Click Add to add the STA’s of your XenApp server(s) and/or XenDesktop server(s) in this format: “http(s)://<servername>”. In previous versions it was needed to add “/scripts/ctxsta.dll” to this path, but with this version of the NetScaler it’s not needed (In my case).

Click Next


Select “SETVPNPARAMS_POL” and click Next


Click Finish


Click Exit


Citrix StoreFront has by default a “Green Bubble” theme. This theme is also available in the NetScaler Access gateway. To configure the same theme on the NetScaler go to menu VPN > Global Settings and on the right side of the screen click Change global settings.


Open the Client Experience tab and select the GREENBUBBLE UI Theme. Click OK


Go to the Published Applications tab and set ICA Proxy ON. Click OK

Configure Citrix StoreFront

The final step is to configure the Citrix StoreFront server to work with the NetScaler Access Gateway.


Go to the StoreFront server and open the Authentication tab, on the right side, click on Add/Remove Methods


Select all the options and click OK


Go to the Gateways tab, on the right side of the screen click Add Gateway Server


Fill in the Display name (any name you like). In the Gateway URL field fill in the external NetScaler address users will enter in there browsers (https://..) and add “/Citrix/<storename>Web” to the end of it (see screenshot). Click Next.


Fill in the Callback URL, this is the external NetScaler address (https://..) click Next.


Click Add and enter the STA’s of your XenApp and/or XenDesktop servers and click OK


Click Create


Click Finish


Go to the Stores tab and click Enable Remote Access


Select Full VPN tunnel and click OK

At this point everything should be working fine. If the NetScaler does not successfully forward to the StoreFront website make sure the NetScaler can find the NetBIOS name of the Citrix Storefront server (or alias). If this is not the case add the DNS Address record of the StoreFront server (or alias) to the DNS of the NetScaler.


You can now access the Citrix NetScaler Access Gateway with the https://<server adres>


After the logon you will be redirected to the Citrix StoreFront server with the same UI Theme.


Cannot Complete your Request

When receiving this error, make sure you applied the following:

Edit the Windows Host file and add a new entry with the IP Address of your (internal) Gateway VIP Address pointing to the external address. For example;

As an alternative you can create a DNS record


  • Nice Article!

    I noticed in some newer versions (i’m running NS10.0: Build, Date: Feb 18 2013, 03:27:14
    ) there is no UI option green bubble anymore!

    keep up the good work!


  • thanks for the post, we plan on testing this config to replace CSG.
    I was wondering about the network design for this config. Do you have the VPX in the DMZ and storefront on a windows box on the internal network?

      • Loved your post !! one question are both the gateway vm and the Netscaler app supposed to be on the DMZ ? my current setup is gateway is on the DMZ and the Netscaler app is on the internal lan with a Mip that is also on the also on the same lan.

        thanks for the help 🙂

        • Thank you. For this post the NetScaler and the Access Gateway are in the DMZ, but you can install the Access Gateway in the DMZ and the NetScaler on the internal LAN, no problem.

  • It’s not working for me, but one question, do you need log in two times or just one time and then you will be redirected to your apps directly?

    • If you have configured your StoreFront as as described in above blog you only have to log on once. (at the NetScaler interface). What is not working for you?

  • From the beginning I had problems with authentication. On netscaler it’s ok but when redirect me to storefront is not working and even is I put my credentials I can’t log in. SSL is fine but there is no way. Any ideas? Internally I can log in to storefront. Netscaler is in DMZ.

    • If you add the following entry to the host file on every StoreFront server the problem is probably solved: “IP address Access Gateway server” “external address” (for example:

      • Hi Robin ,

        I have the infamous 1100 error from time to time ….
        setup : netscaler 10.5 ( DMZ) storefront 2.6
        will the host file will help in my case or other fixes ?
        thanks for your help

  • Other question
    How to configure store access through netscaler. Web works ok. Thanks for your help.

  • Very nice blog! Everything worked for me via the web client, but the receiver client won’t work either internally or externally. Any tips greatly appreciated.

  • Does this not work if the StoreFront server is running HTTPS?

    I have followed the instructions and when I go to my NAGEE site it changes the URL to but I just get a 404 error.

    As i’ve poured over the guide again and again the only difference I can find in my setup is my Storefront server is running HTTPS.

    • Nevermind I think I figured it out. In the published application settings i changed the URL for my storefront server to http instead of https and it seems to be forwarding through now.

      It looks like I have some quirky authentication issue to overcome and I should be in business.

  • Thanks very much for the clear step-by-step instructions. It really helped a lot!

    Only thing is that on my VPX appliance, which I downloaded only a week ago, so it should be the latest version, I did have to add the extension /scripts/ctxsta.dl to the STAs in order to be shown in the UP status.
    Other thing is NOT to add the domain suffix to the host name of the Netwescaler when you run the Setup Wizard. I did, but only after I removed it, I could log on and start the Desktop. Before I got the infamous “Connection error 1030” error.

  • Great guide. Can you advise if you have to configure profiles and http headers for legacy clients the way you need to with Web Interface?
    If so is it possible to add this to your guide for reference?

  • Chris,
    i think i have this error here. In which wizards you didnt add the domain suffix?

    Regards, Falko

  • Good document I’m stilling having some problems, in my internal network I can access the GW server which redirects to Storefront and logons work, I can see applications from both XenApp and Appcontroller although none of them launch yet (get SSO and other errors).

    If I try to access the gateway externally I can only do so via the external IP address and while it brings up the Storefront logon details it will not actually log me in so I’m a bit baffled, I’ve followed all guides that I can see. Any help appreciated

    • This may be a few things.. Do you have enabled “Pass-through from Citrix Access Gateway” as authentication type in StoreFront? Do you have set the Callback URL correct, and can you add you external URL to you local host file pointing to the internal IP adress of the Access Gateway (on the StoreFront server). Can you also check if your STA’s are properly set within Storefront?

  • Hello,

    Is it easy to configure Active sync for smartphone with Access Gateway?

    Thank you for this article.

  • Hi Robin,

    Thanks for nice article.

    What will be STA path for XenDesktop 7 ???

    – Yash Pradhan

  • Hi Robin, Great post and thanks for the effort you put into your posts.
    I hope you can help me with something. I’ve followed it just as you have posted but when I authenticate at the access gateway it brings me to the storefront fine. I can’t log in there though. When I enter the username and password nothing happens, it just looks for the password again. No warning messages or anything.
    Any ideas?


    • Conor, If you add the following entry to the host file on every StoreFront server the problem is probably solved: “Internal IP address Access Gateway server” “external address” (for example: Also check if your STA’s are correct and that the NetScaler Authentication type is enabled within StoreFront.

      • Thanks Robin,
        No joy with that. STA’s are all showing green and remote access is enabled.

    • Hey Guys … I’m facing the exactly same problem connor talked about.

      I’ve also tried the hosts file solution in both of my store front servers, but no deal.

      Any clues ? Almost losing the few hairs I have.

  • Hello Robin,

    Do you have any experience with Receiver for WindowsRT and netscaler 10.0 with strorefront?


    • I’ve tried it on my Surface tablet, but it does not work since I use StoreFront 2.0. Can make the connection, but don’t see my Published Apps and Desktops. Hope they come soon with a Receiver for Windows RT update which do support StoreFront 2.0..

  • Thanks for the great article, I followed your instructions and got it working up to the point of trying to launch an app.

    I am able to log in through the Netscaler Gateway my apps are listed after authenicated but when I click on one to try to launch it I am given a message saying simply “Cannot Start App”

    If I navigate directly to the storefront server I am able to start the app fine. Any ideas about what might be going on?

    Thanks again for your help.

  • Hi, Do you require additional licenses for storefront if you have Xenapp enterprise licenses?

  • Robin, I’m a bit confused, probably just being stupid, but where / how do I configure my Access Gateway internal IP address? Going through the installation I have ended up with a single IP address for the Access Gateway, which is on the external network. I have two seperate networks (External) and (Internal) and I am getting very confused trying to configure the networking for Netscaler and Access Gateway.

    • The first IP address are for the NetScaler itself, in this post after installing the SSL certificate I started the Access Gateway wizard. Here you configure the Access Gateway IP address.

  • Hi Robin,

    Great article, my question is about the STA’s. Should they be my XenApp servers or can I point them to my StoreFront server? Storefront sits on a different server to any of my XenApps.


    • You need to configure your XenApp or XenDesktop controllers as STA, not your StoreFront server.

  • Hi Robin, How can I configure the access gateway AND storefront 2.0 for ipad and mobile device access?

  • Hi Robin,

    Excellent article buddy, it has helped me out loads.

    Can you kindly give some insight into how VPN access (access to networkshare’s and resources not Xenapp or XD) is setup in a netscaler environment?
    I am a little confused.

  • This site was… how do you say it? Relevant!!
    Finally I’ve found something that helped
    me. Thank you!

  • Hi Robin,

    I was not able to make it work in ly lab – yet. I am using a newer version of Netscaler VPX (10.1) and a newer version of StoreFront (2.1) so it looks slightly different.

    I am confused by the Callback URL. The URL ends with /CitrixAuthService/AuthService.asmx. ASMX is an extension which I see being used for web service endpoints on IIS, but the VPX is running FreeBSD so I don’t understand how the VPX is listening for web service calls at this URL I configured it with the address of the virtual server running on the appliance, is that correct?


  • Great guide.

    For me I’m still having problems opening and starting apps externally, internally everything works fine.
    Externally everything works fine (login, autologin on storefront) but it stops when I open the application. It gives me the ica and starts the app but it keeps saying “connecting” and eventuall giving me error 1030.

    We are using proxy.

    Any ideas?


    • It seems that the NetScaler cannot connect to your XenApp/XenDesktop server where the app/desktop is hosted. Are there any firewalls that blocks the connection?

  • Hi Robin,

    thanks for this great article.
    Do you make a new article with Netscaler ADC 10.1 and Storefront 2.1 in the future?


    • Thanks! I have no plans to write that blog, maybe with a new mature release of the NetScaler.

  • Hello Robin,

    I have a question regarding NetScaler AG and STA. I have one StoreFront, one Delivery Controller and one XenApp Server in my internal network. From there everything is working fine. But when I connect from external through NetScaler I got a HTTP 500 after login. Futhermore my STA is showing as down in the NetScaler console. Where do I find the ctxsta.dll or how can I make my XenApp server to become a STA? I am confused. Thanks in advance for your help.

    • By default, a XenApp server, a XenDesktop Controller and the Citrix AppController can be used as STA. Have you tried it with FQDN?

  • Hi Robin,

    Top article, has helped me out a lot. Just wondering if this works with XenApp 7.5?

  • I am trying to get applications to show up in the NetScaler Access gateway, but I get a “This content cannot be displayed in a frame”. I was wandering if anyone got this to work with 10.5 and Citrix 2.5.

    My main use case is that I want to publish links securely but not host the hyperlinks on xenapp. This seems like a pretty basic function for this device.

    Thanks alot

  • great article. You may also want to add in a step about creating either a hosts record on the storefront machines internally for the VIP for example or creating dns record. If you don’t have those setup then you may encounter issue after authenticating with the error “Cannot Complete your Request”

  • Do we still need to add the load balance storefront URL and Call back URL to the DNS host files on the StoreFront server? I dont see it listed anywhere in Citrix’s documentation.

About Robin Hobo

I work as a Senior Solution Architect with focus on the Modern Workspace. I am specialized in Azure Virtual Desktop (AVD), Windows 365 and Microsoft EM+S (including Microsoft Endpoint Manager - Microsoft Intune).

For my full bio, check the About Me page.

By continuing to use the site, you agree to the use of cookies. more information

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.