NetScaler Gateway

Hi Everyone Got an on-prem NetScaler VM acting as a Citrix Gateway appliance, using SAML to authenticate to Azure. This works fine but the users have password expiry enabled. Now i know how to enable password change if using Active Directory/LDAP for authentication, but can someone point me to any article on how to enable the NetScaler to allow uses to change their password when using SAML talking to Azure? Regards Ken Z

Hi Everyone , I'm encountering an issue where Citrix Workspace fails to load a site URL when using Duo MFA for authentication. Internally, Citrix Workspace works fine, but when attempting to access it externally through Citrix Gateway, the URL input does not work. Does this mean the MFA-DUO prevents URL entry ? When end users authenticate externally using Duo Push in their browsers, the login process completes successfully. Kindly see the attached screenshot error.

hello. Please understand if the sentences are awkward due to the help of a translator. We are currently using portal as a 3rd party with Citrix ADC. Connection from the outside is possible normally, but when connecting for the first time, the Citrix Gateway screen appears briefly and the [loading your apps] message is displayed briefly, and then the portal screen is displayed. The end customer doesn't want to see that screen. Can I skip this message and screen? Thank you

I just upgraded a client from the 14.1 build 12 version to the latest build 21 to get the WAF and Security scans. After we did that their pre-authentication scans are failing for every user. We updated the latest EPA files and it still looks like the EPA.exe file gets damaged during the download as the EXE is not executable after download. Anyone else seen this? I would like to avoid going nfactor, because that is a different PITA when I only have remote access to the client via Teams.

Since upgrading to ADC version 14.1.25.56, we have been experiencing high latency on user connections with the ICA gateway. This has been causing disruptions and impacting user experience. I wanted to check if anyone else in has encountered this issue. Please let me know if you have experienced similar problems or if you have any insights on how we can address this issue promptly.

Hi, I am a simple Citrix User. I have been enjoying the benefits of working remotely, enabled by Citrix for over 18 months. Using an old Windows 10 Desktop. When I try to use a New (Fresh Install) Windows 10 Laptop, I consistently get the error below. I have reinstalled the Citrix App to align with the Win10 Desktop. Any assistance would be gratefully received, as I need to use alternative devices occasionally. Regards Paul

Hi folks, has anybody integrated once that use-case (Citrix NS / mVPN - Intune WebSSOTunnel" in his lab or in production environment? My OAUTH Integration (sh oauthaction) > OAuth status is "completed" - I think here we are fine.. When I open the fully configured (and proofed through MS ) "MS Edge Browser" and initiated an internal intranet domain access I see following issues in my "debug" "/var/log/ns.log" : default SSLLOG SSL_HANDSHAKE_SUCCESS 47561 0 : SPCBId 3883 - ClientIP myMobileIPv4 - ClientPort 50170 - VserverServiceIP myPublicIPv4 - VserverServicePort 443 - ClientVersion TLSv1.2 - CipherSuite "AES-256-CBC-SHA TLSv1.…

Hi, I am facing problem when I am using SSL VPN on MAC Catalina 10.15 OS using Citrix SSO App. also, tried with Citrix VPN gateway it is not working and there is no send receive bytes when connected to tunnel in VPN status bar. we had logged the case with Citrix last month for the same issue and it was resolved by Citrix SSO app not using Gateway plugin. The problem started when we upgraded it to Firmware 13.0-47.24. I understand most of users who having MAC Catalina 10.15 facing same problem. Is there any way to fix this issue need your suggestion. Regards, Ilyas Ahmed

I have set up Netscaler Unified Gateway and enabled change Password on die Gateway Index.html Site. If i connect with a mobile device like Phone i did not get the link to change the Password. Is there some workaround to enable Change Password possibility for Mobile devices? Our VPX is on 13.1 thank You Dominik Schikora

Hi everyone got a a NetScaler Gateway / Gateway Enterprise Edition License (a.k.a. 'baby NetScaler' or "Secure Gateway Replacement") According to the license screen, the 'responder' feature is licensed I'm trying to create a responder policy that drops packets if a certain expression is true. When I try setting an action of either RESET or DROP I get the error "Action does not exist" but if I set the action to NOOP it saves fine. my question is, do I need a standard/advanced/premium license to get the responder to drop packets via a responder policy, or should I be able to do this on the baby NetScaler? Regards Ke…

Hi folks, has anyone ever managed to switch several EPA actions (policies) in succession for different EPA conformity checks? If you try to link two EPA policies together in an "nFactor flow", the end user receives an error with "Retry EPA Scan" on the EPA client. Unfortunately, conversion via different priority values in the EPA policy does not work either, as linking via "Goto Expressions" (integer value/jump to next priority) is not honored and only the first EPA action is executed (via Goto-Expression: NEXT). The same applies to the implementation via several "nFactor flows" and the EPA policy contained in each of them. Has anyone already su…

I am looking for the differences between the Citrix ADC VPX licensing for Advanced vs Premium editions. I have been looking for this information and can not find any clear information regarding this from Citrix or other sources. Thanks!

Hello, I have a Citrix NetScaler Gateway running through Azure and I can work fine. But found a some problem as forwarding from Gateway to Azure. It's stuck on white page as shown in attached picture for about 3-4 seconds. Is there a way to turn off or not show these pages? Has anyone ever encountered a problem like this?

NS 13.1 build 51.15 I´m Logged in as nsroot show connectiontable | grep -E '1494 | 2598' 10.110.240.107 26970 192.168.190.6 2598 HTTP 0 ESTABLISHED 0 S 10.110.240.107 38885 192.168.190.6 2598 HTTP 0 ESTABLISHED 0 S Other commands: show vserver show vnp vServer Dont give me any clue No AppFirewall No ACL I´m suprised. everything works, but why cant I Netscaler listening on port 1494? I really apprecites your answer :)

Hello, i am struggling with an issue for 10 days now and i can't figure out why. Even the Citrix support can't resolve my issue. The problem happend right after we decommission an old 2012 Active Directory. When i am trying to connect to the Citrix Gateway, i can log in the first page with no error, then i am asked to detect the Citrix Reciever and after that i got the error : Cannot complete you request. I have errors on my storefronts logs saying : System.Net.WebException, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 The remote server return an error : (403) Forbidden. Url: https://127.0.0.1/Citrix/Partenair…

Hi, I have successfully gotten an AlwaysOn VPN machine tunnel to work properly, However i would like to limit the traffic and cant seem to get any authorization policies to work properly. its always all or nothing.. If i set default authorization deny in my session policy bound to the gateway vserver, then specify authorization allow policies bound to AAA group for which the computer object is a member of this AAA group, can no longer access anything. if i turn session policy default back to allow, then full tunnel access works again... anyone have an idea why this is happening? i tried to different ways, throwing the sucessfull EPA scan into default authorization g…

Hello, I use CS in Netscaler for redirect ADFS login. I use without issue with major application, now in last days I found 2 app that have problem: Cisco Jabber and Microsoft Teams (on Android and on some iOS) WIth this application I can see my ADFS login fine, after login I see message Http/1.1 Service Unavailable. I have problem only for these application other like O365, Sharefile (also from mobile), Cisco Webex Meeting and many other work perfect. Can you help me ? Thanks M.

i have installed netscalar vpx 13.1.54 , i have connected 3 interface to that vm in that one interface in connected to DMZ via swicth and perimeter firewall and 2 interface in connected to internal network via switch data center firewall nsip , vip and snip are in diffrenet vlans , and backend server also diffrenet vlan i have changed the default route to dmz facing interace and configured pbr for nsip interface i was able to configure everthing but while connecting am getting below error not able to establish connection .issue is only via netscalar gateway storefront doest have direct access to gateway fqdn , does it r…

I have a Gateway server configured as a VPN with Radius/Azure MFA Authentication and for whatever reason, the vServer-bound Intranet IP range (/24) is not working. Whenever I manually assign an Intranet IP to a AAA user, it works. Group extraction needs to be configured differently when using Radius so we'll skip this for now but I don't understand why the IIPs assigned at a vServer level are not being used. I just want any user who successfully authenticates to this Gateway to get assigned an Intranet IP from the pool that is bound to the vServer. Any ideas?

We had successfully completed a test and pilot for the Always-On VPN Before Windows logon, but now that the deployment has extended, we started facing major issues with end users. The biggest issue seems to be the error "Your machine is connected to the company network. Citrix Secure Access will logout" when the tunnel should switch from machine to user. We have configured only one DNS Suffix for the Gateway and it's not resolvable from public DNS and didn't see this issue during test/pilot. Weirdly enough we have suspicions this might have something to do with the environment load (there's not much, under 50 sessions), because we're also seeing successful connection…

Hi, Hope someone can help me here 😉 I've set up a new Netscaler (version 13.1 52.19) and I would like to configure a new Netscaler Gateway VS (making use of a nfactor Authentication Profile). Users should authenticate with ldap and radius. Carl has a great article https://www.carlstalhood.com/citrix-gateway-radius-authentication/ and this is functionally working. I'm a bit confused though on how I can change the labels (according the browsers language) and the user interface. A Portal Theme (copy of RfWebUI) is assigned to the Citrix Gateway VS, but I don't know if this is still making any sense as I'm making use of a login Schema? In attachm…

Hello, Just wondering what the recommended or best practice is for allowing ICA traffic from an Access Gateway to the network where the VDA machines are on? Is it just as simple as a Subnet IP on the netscaler of the VDA network? or is a subnet IP required for the VDA network at all? and can just open 1494 or 2598 between which networks?? Thanks!

A company is using a complex setup of client proxy for their windows clients. The setup has different proxy.pac files for each country and department. This is configured using Group Policy, and works fine. But when using Netscaler VPN, then client proxy settings are always reset by the Access Gateway Plugin to whatever is set in the Session Profile. This happens no matter which setting is chosen in the Session Profile ( BROWSER | NS | OFF ) We could of course use a workaround of some sort to solve this - like having a lot of Session Profiles, or having a logon script calling "gpupdate /force"... Is there a method of making NetScaler VPN not touch the…

Is it possibly to create temporary access for a group of users. When the users logout they have to go trough some steps to get access again. Is something like that possible with Netscaler and within Citrix eco-system in general? Really appreciate your answer :)

Hello, we have configured our Netscaler VPX (v13.0) as a SAML-IDP. At the moment we can see in the ns.log file the following error: Apr 9 12:54:42 <local0.info> 10.X.X.X 04/09/2024:12:54:42 GMT server01 0-PPE-0 : default AAATM Message 947022 0 : "Metadata Import: Unable to add certkey, error is 1536" Could anyone help me to understand what could be the problem here?