Monitoring the VMware View VDI Hosts using Citrix NetScaler

Yesterday I was at a long-time customer of mine which had implemented VMware Horizon View as their VDI solution. This customer load balances everything through Citrix NetScaler; it’s pretty much company policy to load balance every infrastructure component unless. Good policy I think.

A little information on how VMware (Horizon) View works from an architectural point of view (see image below). A VMware VDI connection data flow is completely serial; it cannot switch the connection across servers. You will also need to create a Persistency Group on the NetScaler to tie these protocols together so they stay in the same connection data flow. In the scenario below, the environment consists of a single Horizon View deployment using two VMware Connection Servers and two VMware VDI Hosts.


Not about load balancing. This blog post will not go into detail on how to load balance VMware View (Connection Servers) but on how to configure the monitoring of the VMware VDI Hosts behind the VMware Connection Servers. There are numerous sites on the topic of load balancing, for instance:



“Secure Connection Failed” using Firefox to administer NetScaler

When administering different Citrix NetScaler appliances you can run into the error message below.

The error is “Secure Connection Failed” or, more specifically, “Error code: sec_error_reused_issuer_and_serial”, which basically means that you have already trusted a certificate with the same issuer and serial number. This makes sense because NetScaler uses a self-signed certificate which is the same across all NetScaler appliances.



Choose your NetScaler … wisely

I spend a lot of my time breaking down the different models of Citrix NetScaler appliances and different Software Editions within the Citrix NetScaler portfolio.

I decided to set up a blog about this since the path is usually pretty much (lengthy but) the same. This does not mean the answer is always easy because there are a lot of questions that need to be answered.

The first thing I would like to get off my chest is the following: Stop seeing/selling the Citrix NetScaler as a replacement for Secure Gateway. It is so much more than that. I often have discussions with various engineers and consultants telling me that Citrix NetScaler is so expensive for a Remote Access solution because Secure Gateway always used to be free. No offense but a Citrix NetScaler solution belongs to the networking department, not the Citrix XenApp sys admin department. Or maybe limited.


To EPA or not to EPA …

For anyone who has not worked with NetScaler Gateway Endpoint Protection Analysis (EPA) before: it is a pre-check. Before the user gets to see the Gateway logon page, the client has to comply with certain rules that we have programmed the Gateway with. Sometimes I hear people say that there is no future for EPA, but I would like to show a use case which is still actively deployed using NetScaler Gateway and EPAs.

This feature was already present with the Citrix Access Gateway Advanced using Citrix Advanced Access Control Option Server, yes did it! :-).

Upon a client request, it launches a small piece of Citrix client software to check whether the client meets our requirements for connecting. This is triggered by using an ActiveX component within Internet Explorer or Firefox. If the software is not installed, it will prompt the user to install it.


Contributing to Citrix Education

Last week I was off to Citrix Systems, Santa Clara to attend the IDW (Item Development Workshop) for the next Citrix NetScaler-based CCA exams. An IDW is a workshop that lasts about a week in which you and others will create exam questions (or items) that will appear on the next (or revised) Citrix exam(s). In this particular IDW we are concentrating on the follow-up exams of the old Citrix NetScaler 1Y0-A11 and Citrix Access Gateway Enterprise 1Y0-A13, which are based on the Citrix NetScaler 9 software version.

Citrix NetScaler IDW 2012-01

Unfortunately we forgot to take a picture of all the participants together, so to name a few: from left to right: Lourdes Soler (Citrix), Henny Louwers, Stuart Souter, Alejandra Garcia (Citrix), Craig Pickford and Robert Zehnder.


Citrix NetScaler with SSD (first impression)

The Citrix NetScaler MPX 5500, 7500 and 9500 appliance models now ship with Solid State Drives and say (good?)bye to the platter disk for these particular models. This was announced by Citrix back in February this year:

Citrix has been using Solid State Drives in the MPX 17500/19500/21500 platforms for longer, but there they are only used for mounting the /flash volume. In the MPX 5500/7500/9500 the /flash volume is mounted on a CompactFlash card. The (platter) Hard Disk Drive which is now being replaced by an SSD is used for the /var volume; this is where all the data and log files are kept.

I now have a set of Citrix NetScaler MPX 5500 series appliances which have been delivered with such Solid State Drives. The SSD in question is a Samsung 2.5” 128 GB SSD (SATA 3.0 Gbps) which is known as the Samsung 470 series. This particular SSD can perform sequential reads up to 250 MB/sec and sequential writes at 220 MB/sec. In comparison to the latest releases of Solid State Drives those numbers are not amazing. More information on the SSD:


Copy webcontent to Citrix NS/AG from FTP site through a Cron job

I have a customer who would like the Citrix NetScaler website (Access Gateway and AAA) to dynamically retrieve files to show customized content, without web developers having to log in to the Citrix NetScaler on a frequent basis.

One thing you do have to remember is that over-customizing the Citrix Access Gateway portal page is in fact not supported by Citrix. I do not think there are a lot of people out there who actually know this. Now, they will not act very difficult if you alter a picture here or there or customize a little text, but be aware of over-customizing. Next to support issues, you can run into trouble when new Citrix NetScaler updates come out that are not going to be aware of your customizations.

Now, this particular customer over-customizes :-) a lot! What they wanted was an iFrame in the Access Gateway (and AAA) page which showed visitors updated news, links, RSS feeds etc. This iFrame showed the content of a Microsoft SharePoint environment (please, don’t ask why). We tried publishing this iFrame through Citrix NetScaler but it did not work (long story short, it was because of Microsoft SharePoint). So we came up with the idea to copy this content periodically to the Citrix NetScaler through the use of a Cron job and FTP. (See image below).


[BUG] “Unexpected Response” Access Gateway Enterprise in NetScaler build 9.3-53.5

If you are using Citrix Receiver on iOS or Android to access published applications on Citrix Access Gateway Enterprise (NetScaler), do not upgrade to the latest firmware, which is 9.3-53.5.

Users will get an “Unexpected Response” on an iOS device when they try to log in to a Citrix Access Gateway environment. On Android the error statement is “The Citrix Access Gateway you are connecting to is not configured for this device. Please contact your administrator.”


Configure RSA RADIUS monitoring on NetScaler

Ok, so this one is pretty easy and speaks for itself for the most part but can have some pitfalls while configuring.

In this example we are going to assume that the RSA backend is already in place and functioning properly.


A good question is why you would want to. When you leave the monitoring at the default, which would be tcp-default, it marks the server up as soon as it responds to a TCP connection. That is simply not enough; we need to make sure that the RSA RADIUS service is actually up and ready to accept connections.


Make sure you have an account configured in RSA Authentication Manager that is authorized to send the response that you want to retrieve from the RSA Radius service. More on the RADIUS Response codes later on and why you would like to use a valid account.

Besides the account, we are assuming that authentication is working properly and that the Citrix NetScaler IP has been added in RSA as a host that is allowed to use RSA RADIUS authentication.


Publish RSA Self-Service Console through NetScaler

This week I was at a customer that would like to publish the RSA Self-Service Console so that users can self-service their RSA tokens, passwords and accounts, and to create some sort of redundancy with multiple RSA Authentication Servers. RSA has limited documentation on publishing the RSA Self-Service Console using a reverse proxy, especially Citrix NetScaler.

First of all, what you need to be aware of is that the RSA servers work in a Primary/Replica model in which only the Primary can be written to by users; all other RSA servers are read-only replicas. So you cannot use the replica servers for changing tokens, resetting passwords or enabling accounts. Replicas can only be used for authentication purposes.

