Jump to content
Welcome to our new Citrix community!
  • 0

How to use different IP pools for different session policys

Marcel Stolze1709160310


Hello Citrix Community,


I hope you can help me without despairing! Here is my question, it is possible to assign different IP pools to different session policies in the Netscaler Gateway? Also regardless of whether it is a clientless policy or full VPN policy or is it really the case, that with a clientless policy the netscaler is always used the SNIP / MIP as the source IP?

Link to comment

3 answers to this question

Recommended Posts

  • 0

So, you can use the net profile to assign an alternate SNIP (or other VIP) as the backend IP instead of the default SNIP selected. The net profile is per vpn vserver.

To just assign it so that gateway users (clientless or other) use an alternate IP other than the default snip, use the NET PROFILE adn assign a different SNIP (or a VIP used in this backend network for this purpose).


To use one IP for clientless and other IP for full vpn, you would have to have two separate vpn vservers.

VPN1: uses snip1

VPN2: uses altip (via net profile)


Unless the Intranet IPS assign for clientless and then you can use unique ips for all connectdions...but intranet IPs do not assign SNIPs just alternate, valid backend ips.



  • Like 1
Link to comment
  • 0


1) intranetIPs (ip pools) bind to vpn global, vpn vserver, aaa group or aaa user (for individual IP assignments for this last one).

They aren't applied by session policy (** but see note after this.)

The only way to assign intranet ips to have different pools/subnets for different users, would be to assign specific ranges by GROUP or to separate vpn vservers.


**However, if the point is you want it ON for some sessions and OFF for others, then the session profile setting under the Network type > Advanced Settings for Intranet IP can take the value spillover, nospillover, or OFF (See:  https://support.citrix.com/article/CTX218066).  I did some crude testing, but definitely do some of your own to confirm:  if you set this intranetIp OFF, then the regular SNIP should be used disabling the assignment of intranet IPs for the scope of this policy, meaning you could affect some aaa groups/users while the session policy on the vpn vserver policy could still be on allowing you to create exceptions to the use of the intranetIp.  If intranetIP is OFF then regular snip would be used; where intranetip is set to spillover or no spillover the assigned intranet IP pool would still be used (if it runs outs, the setting determines whether it does or doesn't spillover to the SNIP).


This won't allow you to different IP ranges for different connection types...you would subset of IPs by GROUP or have separate vpn access points.


Depending on whether you are using classic or advanced engine would affect the impact of policy bind points/priorities to achieve the results you want.


2) The Intranet IPs should only apply to the vpn connections and not the clientless access or HDX proxy connections (which should use snip)...but you might have to run a trace to confirm as I couldn't test that fully and haven't compared in years. Result might be affected if you are in ICAProxy vs mixed mode (vpn & icaproxy) mode or not.


You may have to properly configure split tunnel/intranet apps as well if intranet ips will be used (which also won't affect the ica proxy/clientless scenarios)






Link to comment
  • 0

Hey Rhonda,


thank you for your answer :), i know the the options "Use Mapped IP and Use Intranet IP" . I have already tried out a few different scenarios with the two options, but none of them bring me the solution that I needed for the customer. Let me explain, i have a complex scnario with an SDX Appliance with 4 SNIPs (2 Backends and 2 Frontends for LB-Traffic) in different  subnets and 2 upstream gateways (DMZ) wtih USIP Mode enable and some diffrent PBR-Policys to get this working .After the successfull remote login on the netscaler gateway , the client session must pass a two tier firewall architecture to get access on the backendservices. And here is the problem, the customer uses both clientless and fullvpn clients for remote access and the clientless user use one of the two frontend SNIPs, but that's not what the customer wants.  Is there any way to get another source IP,  other than the SNIP/MIP? I mean something like an explicit IP for the clientless connections ? 

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...