Jump to content
Welcome to our new Citrix community!
  • 0

What is the REAL purpose of NetScaler Gateway URL?



I have a 1-arm NetScaler setting in the DMZ... it is used for GW functionality along with load balancing SFs and DDCs. One SNIP is configured.


In StoreFront > Manage NetScaler Gateways > General Settings > NetScaler Gateway URL box, I am supposed to enter the external gateway URL of the NetScaler GW virtual server.

My question is, what is the real purpose of this URL? 


In the Authentication settings tab, I am using domain authentication and leaving the call back URL blank as it is not needed.  I am also leaving the optional vserver IP address blank (SNIP or MIP).


So does StoreFront server "really" needs to be able to communicate with the external IP of the Gateway or the DMZ VIP of the Gateway or are we just putting the NetScaler GW URL in the configuration because it just gets embedded in the ICA file/ticket that the endpoint/client receives??


My understanding is that the NetScaler initiates the talk with SF when a user logs in and needs to enumerate/launch apps and resources. When SF needs to talk back to NetScaler, it is supposed to reply back to the NetScaler's SNIP where the traffic initiated from...?


Link to comment

4 answers to this question

Recommended Posts

When a user connects to Gateway, the Gateway inserts a header into the StoreFront traffic so StoreFront can match it to a Gateway object. Now StoreFront knows that ICA should be proxied through a specific Gateway FQDN instead of direct (internal). 


StoreFront generates an .ica file that contains instructions for Receiver on how to establish the ICA connection. For Gateway connections, StoreFront puts SSLProxyHost into the .ica file. If not Gateway, then the .ica file contains the VDA IP address instead of SSLProxyHost.

Link to comment

Thanks Carl, that does make sense... 

Just to clarify the point about "...Now StoreFront Knows that ICA should be proxied through...", Storefront uses the Subnet IP (SNIP) of the NetScaler to communicates with the NetScaler for the traffic that gets proxied, right? other than SNIP to SF and SF back to SNIP, we don't need to punch an additional firewall hole to get the StoreFront to reach out to DMZ VIP of the GW, right?

I reviewed your article that shows the ports required, I don't recall seeing anything for SF to GW VIP...

Link to comment



If you are using SmartAccess (EPA checking) then StoreFront will need to talk to the VIP  using the Callback URL you specified, which usually resides in the DMZ. If that is not possible you can generate a 2nd GW vServer and expose this VIP instead to StoreFront through for example a hosts entry on the StoreFront server(s). This dummy VIP only needs the same certificate bound but not session policies (see https://support.citrix.com/article/CTX137385). If you're not using SmartAccess with StoreFront you don't need to specify a Callback URL and StoreFront will not need to talk to the VIP.



Link to comment


This topic is now archived and is closed to further replies.

  • Create New...