Jump to content
Welcome to our new Citrix community!

Single ADC Virtual Server for multiple VAD Farms

Recommended Posts



We have a Netscaler setup with a farm with advanced (base) licenses. Some customers need to have the premium features (teams optimizations) and since we cannot mix advanced and premium licenses, we would need to create a second farm with premium licenses. Is it possible to use a single vServer with multiple session policies that leads to differents farms (in the same domain) ? How would you guys handle that case where different licenses are needed ?

Link to comment
Share on other sites

Hi !


Yes single URL for both

Yes the licences for CVAD. We need different license model for delivery groups due to the need of Teams / zoom optimization and it's not possible on the same farm afaik, I would be required to create a new farm with new licenses and move VDA to the new farm but ideally I would like users to keep login with same URL and not having to change things on their side.


Session policies in ADC are configured like this for the virtual server


add vpn sessionAction "Receiver Self Service" -transparentInterception OFF -defaultAuthorizationAction ALLOW -SSO ON -icaProxy ON -wihome "https://controller.ad.domain.com" -ntDomain ad.domain.com -clientlessVpnMode OFF -storefronturl "https://controller.ad.domain.com"
add vpn sessionAction "Receiver For Web" -transparentInterception OFF -defaultAuthorizationAction ALLOW -SSO ON -icaProxy ON -wihome "https://controller.ad.domain.com/Citrix/appsWeb" -ntDomain ad.domain.com -clientlessVpnMode OFF -storefronturl "https://controller.ad.domain.com"
add vpn sessionPolicy "Receiver Self Service" "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\")" "Receiver Self Service"
add vpn sessionPolicy "Receiver For Web" "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\").NOT" "Receiver For Web"
bind vpn vserver citrix.evok.ch -policy "Receiver For Web" -priority 100 -gotoPriorityExpression NEXT -type REQUEST
bind vpn vserver citrix.evok.ch -policy "Receiver Self Service" -priority 110 -gotoPriorityExpression NEXT -type REQUEST
bind vpn vserver citrix.evok.ch -staServer "https://controller.ad.domain.com"

 Can we add another controller from another farm to the same virtual server ? And what about the STA ?

Link to comment
Share on other sites

Hi Philippe,


I think what you can do you add the new Citrix farm DDC in the storefront servers. Also add new DDC into STA.



So If you will do this user can login from same URL and use experience will be the same. Also both desktop/application will launch from two locations.





Link to comment
Share on other sites

If when you mean virtual server, you mean gateway (vpn vserver)...

One vpn vserver can direct users to different storefront/cvad environments.


Method 1:  1 vpn vserver and 2 separate storefront (1 per site)

If the deciding characteristic is user groups, then 

1) create your gateway vpn vserver (vpn_vsrv_gateway)

2) create  your two session policies, one to storefront1 and one to storefront2  (if separate storefronts)

3) bind the session policies to the different AAA groups OR bind them both to the vpn vserver and use the aaa.user.is_member_of("groupA") vs aaa.user.is_member_of("groupB") to apply the policy based on which group they are in.

4) Since this gateway could receive users from either CVAD SiteA (via Storefront1) or CVAD SiteB (via STorefront2), then be sure the gateway has all possible STAs listed for both sites.


Method 2:  1 vpn vserver and 1 storefront that is doing multisite aggregation

1) create your gateway vpn vserver (vpn_vsrv_gateway)

2) create  your ONE session policies that goes to StoreFront1 and we will let storefront figure out the user site destinations

3) In storeFront you can aggregate SiteA and SiteB (if both sites are queried users only get apps for the ones published to them)  or use the user mapping feature so only GroupA is sent to SiteA and only GroupB is sent to SiteB

4)  SToreFront needs to know about gateway integration; list sta's potentially from both sites.

5) Configure gateway with jus the one session policy bound to the vpn vserver and a list of all the sta's.


IF you are just referring to the STorefront side of this config, then yes as Manoj showed you one storefront can retrieve resources from multiple storefront sites.




Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...