
Netscaler Gateway and Content Switch


Roel Niesen


Hello,

 

I'm still using NS 11.1 and have set up NetScaler Gateway.

This is working.

 

I added some content filters to pass ActiveSync to a different machine.

I also added 2 content switches based on url.

 

Setup:

 

I have 1 cert with cn=ns01.example.com and added SAN: webmail.example.com and www.example.com

 

When I go to https://ns01.example.com I get the login page of the netscaler gateway and I can connect to my apps.

 

When I go to https://webmail.example.com I also come to the gateway, but this is unexpected. When I go to https://webmail.example.com/index.html it's ok.

 

What am I doing wrong?

 

Config:

 

cs_pol_www

action: ac_pol_www

expression

HTTP.REQ.HOSTNAME.CONTAINS("www.example.com")

 

ac_pol_www

Loadbalancing Virtual Server

LB_VS_WWW

 

 

LB_VS_WWW

SSL

Non Addressable

 

Load Balancing Virtual Server Service Binding

LBS_WWW_http

 

 

LBS_WWW_http

Server => SRV_WWW

HTTP

80

 

SRV_WWW

ip => 192.168.1.200


You're testing hostname webmail.example.com but having the policy look for www.example.com.

It's likely the request to webmail is then missing the policy you expected and being caught by one of the other policies or the default destination (or the content filter) instead.

It's also possible that, barring any other header match, the path going to "/" matches on the vpn vserver policy whereas /index.html doesn't.

 

Finally, what are your content switches triggering off of, because if they are looking at path.eq("/") they may be kicking in on the one request vs. the other you thought.

 

From CLI, if you do a

show cs vserver <vservername>

 

You can see all policy bindings, including the default destination, their priority bind order AND which policies are hit when you do a test (a bit easier than in the GUI to see it all at once).

Then you can see which policies your two different scenarios are actually hitting. It may be that your priority is wrong and you have a path.eq("/") that matches before your header check. Or you are matching on the default destination when you aren't expecting it.

 

For better assistance, troubleshooting your policies, share the running config where we can see the policy expressions and bindings (better than in the summary):
show ns runningconfig | grep <cs vserver name> -i

If needed, you can also identify the actions/destinations the cs policies are pointing to,


Sorry,

 

I don't understand you (yet) :)

 

This is the config

add server webmail 192.168.1.100

add service webmail_http webmail HTTP 80 -gslb NONE -maxClient 0 -healthMonitor NO -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -sp OFF -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO

add lb vserver LB_VS_WEBMAIL SSL 0.0.0.0 0 -persistenceType NONE -cltTimeout 180

 

add vpn vserver _XD_NS01 SSL 192.168.2.10 443 -Listenpolicy NONE -deploymentType ICA_STOREFRONT

 

add cs action ac_webmail -targetLBVserver LB_VS_WEBMAIL

add cs policy cs_pol_webmail -rule "HTTP.REQ.HOSTNAME.CONTAINS(\"webmail.example.com\")" -action ac_webmail

 

bind lb vserver LB_VS_WEBMAIL webmail_http

 

set ssl service webmail_https -tls11 DISABLED -tls12 DISABLED

set ssl vserver LB_VS_WEBMAIL -tls11 DISABLED -tls12 DISABLED

 

bind vpn vserver _XD_NS01 -staServer "https://ns.example.com"
bind vpn vserver _XD_NS01 -portaltheme RfWebUI
bind vpn vserver _XD_NS01 -policy 192.168.250.200_LDAP_pol -priority 100
bind vpn vserver _XD_NS01 -policy PL_OS_192.168.251.252 -priority 100
bind vpn vserver _XD_NS01 -policy PL_WB_192.168.251.252 -priority 100
bind vpn vserver _XD_NS01 -policy _cacheTCVPNStaticObjects -priority 10 -gotoPriorityExpression END -type REQUEST
bind vpn vserver _XD_NS01 -policy _cacheOCVPNStaticObjects -priority 20 -gotoPriorityExpression END -type REQUEST
bind vpn vserver _XD_NS01 -policy _cacheVPNStaticObjects -priority 30 -gotoPriorityExpression END -type REQUEST
bind vpn vserver _XD_NS01 -policy _mayNoCacheReq -priority 40 -gotoPriorityExpression END -type REQUEST
bind vpn vserver _XD_NS01 -policy _cacheWFStaticObjects -priority 10 -gotoPriorityExpression END -type RESPONSE
bind vpn vserver _XD_NS01 -policy _noCacheRest -priority 20 -gotoPriorityExpression END -type RESPONSE
bind vpn vserver _XD_NS01 -policy cs_pol_webmail -priority 210

bind ssl vserver LB_VS_WEBMAIL -certkeyName le-certificate

bind ssl vserver _XD_NS01 -certkeyName le-certificate

bind ssl vserver _XD_NS01 -eccCurveName P_256
bind ssl vserver _XD_NS01 -eccCurveName P_384
bind ssl vserver _XD_NS01 -eccCurveName P_224
bind ssl vserver _XD_NS01 -eccCurveName P_521
 

This is the idea:

 

When the user goes to https://ns.example.com they should see the NetScaler Gateway login page, and this is working.

When the user goes to https://webmail.example.com he comes to the NetScaler Gateway, but the content switch detects webmail.example.be (cs_pol_webmail) and when this is valid the action (ac_webmail) is executed to go to LB_VS_WEBMAIL, which has a valid certificate. LB_VS_WEBMAIL has a service (webmail_http) that redirects the traffic to the internal server (webmail).

 

When I enter that url, I see the gateway again.

When I enter that url + index.html it is working.


Hello,

I solved my problem :)

 

Instead of using the content switch in the Unified Gateway, I changed the Unified Gateway to non-addressable and added a real content switch in front of the Unified Gateway.

Thanks to Carl Stalhood https://www.carlstalhood.com/netscaler-gateway-11-virtual-server/#unifiedgateway

 

The 2 work a little bit differently.

On the Unified Gateway, the vpn vserver always wins when the URL is not unique.

 

With the real content switch, the rules are king, and when the rules don't match, the traffic is passed to the Unified Gateway.

 

Thanks for the assistance.

 

Kr,

 

Roel Niesen

1st Solutions
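The layout the final post describes, written out as an added example (this is not the poster's running config and not taken from the linked Carl Stalhood article): a real content switching vserver owns the IP and certificate, hostname policies are evaluated in priority order, and the gateway vserver is the non-addressable default that everything else falls through to. It also illustrates the earlier reply's point about bind order and the default destination. Names already in the thread (_XD_NS01, LB_VS_WEBMAIL, LB_VS_WWW, le-certificate, 192.168.2.10) are reused; CS_VS_FRONT and the policy priorities are assumed, and the `-vServer` form for binding a VPN vserver as the content switch's default is stated from memory rather than from the page.

```text
# Added example, not the poster's config. CS_VS_FRONT and the priorities are assumed.

# 1. The gateway gives up its IP and port and becomes non-addressable.
#    (The thread's _XD_NS01 was added with 192.168.2.10 443; re-add it as 0.0.0.0 0.)
add vpn vserver _XD_NS01 SSL 0.0.0.0 0 -Listenpolicy NONE -deploymentType ICA_STOREFRONT

# 2. The content switch takes over the public IP, port and certificate.
add cs vserver CS_VS_FRONT SSL 192.168.2.10 443
bind ssl vserver CS_VS_FRONT -certkeyName le-certificate

# 3. Hostname policies. EQ matches the whole Host header value; CONTAINS (used in the
#    thread) also matches any longer hostname that merely embeds the string.
add cs action ac_webmail -targetLBVserver LB_VS_WEBMAIL
add cs policy cs_pol_webmail -rule "HTTP.REQ.HOSTNAME.EQ(\"webmail.example.com\")" -action ac_webmail
add cs action ac_www -targetLBVserver LB_VS_WWW
add cs policy cs_pol_www -rule "HTTP.REQ.HOSTNAME.EQ(\"www.example.com\")" -action ac_www

# 4. Bind in priority order (lowest number is evaluated first). The path is not part
#    of the rule, so "/" and "/index.html" are routed the same way.
bind cs vserver CS_VS_FRONT -policyName cs_pol_webmail -priority 100
bind cs vserver CS_VS_FRONT -policyName cs_pol_www -priority 110

# 5. Anything that matches no policy (e.g. ns.example.com) falls through to the
#    gateway, bound here as the default VPN vserver (syntax assumed, see lead-in).
bind cs vserver CS_VS_FRONT -vServer _XD_NS01

# 6. Check bindings, priorities and which policy each test request hits.
show cs vserver CS_VS_FRONT
```

Two things worth checking against your own config: the hostname rule should match the exact name you expect rather than a substring, so that a policy meant for one host cannot be satisfied by another that happens to contain it; and the posted `set ssl vserver LB_VS_WEBMAIL -tls11 DISABLED -tls12 DISABLED` leaves that vserver with only older protocol versions, which this example deliberately does not copy.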
