Installing and Configuring NetScaler ADC VPX 10.1

A few weeks ago I wrote a blog about Configuring NetScaler Access Gateway VPX and Citrix StoreFront. This blog was based on the NetScaler Access Gateway Enterprise Edition 10.0 with Citrix StoreFront 1.2. Last week Citrix released NetScaler ADC VPX 10.1 at Synergy 2013. Of course I want to look at it right away. The first thing that noticed me is the improved interface and the new welcome wizard (see screenshots below).

I know you can do a lot with the NetScaler but this blog will be limited to upload the NetScaler VPX to a Citrix XenServer, configure the NetScaler VPX, install the SSL Certificate, setting up the NetScaler Gateway and finally I will install and configure the Web Interface on NetScaler.

Before you begin make sure you have Java Runtime installed and that you have a license file for the NetScaler. The NetScaler needs a SSL certificate, make sure you can create a key by a CA. For this blog I will use and describe the step for creating the key by Go Daddy.

Downloading the NetScaler VPX and the Web Interface Components


For this installation I will download “NetScaler ADC VPX for XenSever 10.1 Build 112.13” from the Citrix website.


For the “Web Interface on NetScaler 10” I will download the “Web Interface on NetScaler Installation Package” and for the Java part I will use the “Open JDK6 Package”

Uploading the NetScaler VPX to the XenServer


In Citrix XenCenter, open the File menu and choose the option Import…


Browse to the NetScalerVDX and click Next


Select your XenServer and click on Next


Select the storage you want to upload the Netscaler to and click Import


Select the network interface you want to connect to the Netscaler to and click Next


Click Finish

Configuring the Netscaler ADC VPX


Start the NetScaler and go to the Console tab of the virual machine (XenCenter). Enter the desired IP Adress (this will be the management interface IP address a.k.a. NSIP), Netmask and Gateway address.


After entering all the network information there should be a menu to appear, but in this version of to the NetScaler it is not the case. From earlier versions I know option 4 is “Save and Quit”, so type in number 4 and hit Enter


After rebooting the Netscaler, open Internet Explorer and enter the NSIP address (management interface IP address). Login with User Name; nsroot and Password; nsroot


The new Welcome screen appears. Fill in the Subnet IP Address (will be used to connect to the resource servers), the Hostname and the DNS server. Select the correct time zone and optionally change the administrator password. Click Continue.


Click Browse to select your license file.


Select the license file uploaded in the previous step and click Continue



Click Yes to reboot the NetScaler

Installing the SSL Certificate


On the Configuration tab go to the Traffic Management > SSL menu, on the right side of the screen click on Create RSA Key


Fill in the following information;

Key Filename: “name”.key, anything you like
Key Size (bits): 2048
Public Exponent Value: F4
Key Format: PEM
PEM Encoding Algorithm: DES3
PEM Passphrase: A password you like
Verify Rassphrase: Same as above

Click OK and then Close


The next step is to create a request that needs to send over to the CA. On the right side of the screen click  Create CSR (Certificate Signing Request)


Fill in the following information;

Request File Name: “name”.REQ, anything you like
Key File Name: Browse to the .KEY file you just created
Key Format: PEM
PEM Passphrase (For Encrypted Key): The password you specified in the previous step

Country: Your Country
Organization Name: The name of your organization
State or Province: You State or Province
Common Name: This is the address the users will type in their browsers
Challenge Password: A password you like

Click OK and then Close


The .REQ file needs to be download for importing it to the CA. Go to “Manage Certificates / Keys / CSRs”


Select the .REQ file and click Download. Click on Browse to give a “Save in” location, click on Download and then Close.


Open the .REQ file in Notepad and copy all the text. Go to your CA (in my case Go Daddy) to create the key or re-key an existing certificate by pasting the text from the .REQ file.


After creating the certificate, download it. Select IIS7 as server type.


After downloading the certificate, go back to “Manage Certificates / Keys / CSRs” under the SSL menu of the NetScaler and Upload the .crt file.


Go to the menu Traffic Management > SSL > Certificates. On the upper right side on the screen click on Install..


Fill in the following information;

Certificate-Key Pair Name: Any name you want
Certificate File Name: Browse to the .crt file you just uploaded
Key File Name: Browse to the .KEY file created earlier
Password: The password entered when creating the request
Certificate Format: PEM

Click on Create and Close


After the installation you can see the status and the number of days the certificate expires.

Create the NetScaler Gateway Virtual Server


On the Configuration tab go to NetScaler Gateway and then on the right site click on NetScaler Gateway wizard


Click on Next


Fill the IP Address, this is the IP address the outside IP address must point to. Fill in port number 443 and the Virtual Server Name (anything you like). After this Wizard configure your router and/or firewall to redirect port 443 (and optionally port 80) from outside to this IP address.


By Certificate Options choose Use an installed certificate and private key pair. By Server Certificate choose the certificate installed in the previous step.


Fill in the DNS Server IP Address of your DNS server, leave WINS IP Address blank. Choose DNS as Name Lookup Priority and click next


Choose LDAP as authentication type. By Connection Settings fill in the requested information as shown in the screenshot above and click on Retrieve Attributes.


Click OK


Set Configure Authorization to Allow. Optionally you can enable Port 80 redirection. Click Next


Select what is applicable and click Next


Click Finish


Click Exit


The next step is to configure the LDAP server and LDAP policy and assign it to the NetScaler Gateway. Go to menu NetScaler Gateway > Policies > Authentication > LDAP. On the right side of the screen select the Servers tab, and then click Add.


Fill in the following information;

Name: Any name you want
IP Address: The IP address of your AD Domain Controller
Base DN (location of users): Distinguished Name of the domain
Administrator Bind DN: A domain administrator account name
Administrator Password: The password of the domain administrator account
Confirm Administrator Pass: Same as above

Click on Retrieve Attributes


Click OK


Click on Create and Close


Go the Policies tab and click Add


Fill in the following information;

Name: Any name you want
Server: The LDAP server created in the previous step

Select True value and click Add Expression, then click Create and Close


Go to menu NetScaler Gateway > Virtual Servers, select the server created in the previous steps and click Open…


Go to the Authentication tab and click on Insert Policy to apply the policy created in the previous step. Click OK

At this moment you can already logon to the NetScaler with the external URL (you must configured the router to allow the 443 traffic to the Access Gate IP Address).

Installing the Web Interface on NetScaler


Go to menu System > Web interface, on the right side of the screen click on Web Interface Wizard


Click Next


Browse local to the downloaded Web Interface and Java Runtime Tar files. Set Maximum number of sites to 3 and click Next.


Click OK


Select GatewayDirect as Default Access Method, Select the NetScaler Gateway Vserver and enter the STA’s of your XenApp and/or XenDesktop controllers/brokers. Click Next.


You now have to option to customize the Web Interface Site Appearance, fill in what you want to customize and click Next


Click Next


Click Add


Enter the information of your XenApp Controller or XenDesktop Broker and click Create and Close (repeat this step if you want to add more XenApp / XenDesktop farms)


Click Next


Click Finish


Click Exit

Configure the NetScaler to redirect to the Web Interface


Go to menu NetScaler Gateway and on the right side of the screen click Published application wizard


Click Next


Select the Virtual Server Name created in previous steps and click Next.


Enter the Web Interface Address “ and fill in the Single Sign-on Domain. Click Add to add the STA’s of your XenApp server(s) and/or XenDesktop server(s) in this format: “http(s)://<servername>.<domainname>”. In previous versions it was needed to add “/scripts/ctxsta.dll” to this path, but with this version of the NetScaler it’s not needed (In my case).

Click Next


Select “SETVPNPARAMS_POL” and click Next


Click Finish


Click Exit


At this point everything should be working fine and you can now access the NetScaler Gateway with the https://<server adres>


After the logon you will be redirected to the Webinterface with the customizations you have specified during the wizard.


  • Great blog post man, just got a tip from one of my readers. The Netscaler wizard now seems to work much better than the earlier versions. I did a lot hands on with this version on Citrix Synergy.

  • Thanks for the run down on 10.1. Would you by any chance know or have tested if the EPA scanner in 10.1 has improved functionality for Windows Security / Antivirus detection?

  • This is a great blog! I have not had the opportunity to setup the new version; however, this will assist in getting it configured correctly when I do.


  • Robin, great log. I’m not up to date NetScaler so this is a great stepping stone. Keep up the good work.


  • Great post Robin. I had my first look at the 10.1 last week at a customer site and liked the new “neo”. I’ve never completely trusted “wizard” installs. During my install I chose not to use the wizard and elected to use the old guia. Maybe as I have time to try your steps in our lab and then I might trust the wizard.

  • firewall/netscaler novice here,
    On the physical Netscaler device, how many network interfaces do I need, is one DMZ cable/port enough to carry all traffic from web and to internal network for MIP, SNIP, VIP and public traffic?

  • Hi Team,

    I have one question. Where you mentioned the steps to Go to Godaddy or other CA provider & paste the text from our download certificate and create new certificate… there I have a question.

    Can’t we use the same downloaded certificate ? because we don’t have any GoDaddy or other CA Provider and also we don’t like to purchase that as I am just doing this excercise for POC purpose.

    So, can anyone suggest me the alternative way or way by skipping certificate ? I like to use Netscaler VPX.

  • You are my hero … great job on the blog. Nice screenshots and concise instructions…

  • I can assure you, after spending quite some time working on the not very intuitive netscaler, Robin’s how to is simply the best on the Internet. An amazingly accurate and informative article, that will get you through the configuration, with zero difficulty. Thank you Robin, for your efforts in helping us, the Netscaler Challenged!!

  • Hi Robin, extremly nice post.
    I have one question :
    Is the WI installed in the netscaler a better choice than using an (or two) external (Windows) WI 5.4 ?
    The vendor who installed my NS tell me that the ‘future” of the WI into the NS is not “confirmed”.

    I’m lost with the different solution available to loadbalance users on WI (for redundancy and unload on the WI).
    1) simple VIP to LB on the WI (on windows servers)
    2) using the Netscaler access gateway as an ICA proxy
    3) using the WI provided by the Netscaler

    My NS handle more than 200 simultaneous connection, I prefer having 2 windows WI , each handle so 100 connections.


    • Hello Nicolas, WI is official EOL in 2015. There are “rumors” that StoreFront is coming to the NetScaler. Till then I Always install StoreFront servers on externsl Windows Server systems.

  • Hi Robin, Thank you for your informative guides. Using a combination of three of them I’ve configured Storefront 2.0, with Netscaler VPX 10.1 – This is working great internally and externally for Windows clients with the latest Windows Receiver and after downloading the IOS Receiver I’m able to use the same external URL for iPads to connect to, which prompts to download the ICA file and then launches the published app with Receiver – Is there a way though that I can login just using the IOS Receiver app rather than browsing with Safari first?

  • Best step-by-step on the web right here. Exactly what I was needing.. Cheers and thank you Robin!

  • Hi Robin,
    I am using IE10, can you suggest a tool for capturing screenshot sequences including the java applets when you are doing a config for NS10.1?

  • Fantastic blog.

    The only thing I had to do was add an A record to my local DNS so I could resolve the public DNS of my NetScaler to its internal port from the XenDesktop server. Other than that worked a dream.


About Robin Hobo

I am a Technology Specialist working for Microsoft with focus on the Modern Workplace. I am specialized in Microsoft Intune, Azure Virtual Desktop (AVD), Windows 365, Windows 11 and Azure AD. Also interested in mental health, NLP and personal development.

For more information, see the About Me page or my LinkedIn profile.

By continuing to use the site, you agree to the use of cookies. more information

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.