Citrix ADC VPX - Host Two Separate Sites

Hi Folks


I am just throwing this out there to see if it's possible or not because my knowledge of Netscaler beyond setting up a single XenDesktop/XenApp site is limited.


We have an operational Store/Site set up for Corporate employees for XenDesktop and XenApp, but we are also finding ourselves operating hosted services for other organizations as well. In order to provide better service to these external clients, and to give them more control over the services we are hosting for them, we are looking into the possibility of setting them up with a unique XenDesktop/XenApp store/site purely for use by external clients that would be a controlled isolated network partition separate from our current Corporate environment.


Is it possible to have two different stores going through a single netscaler device for authentication etc., such as 

  • Address of Netscaler: (192.168.1.x)
  • Address for Corporate Employees: https://corporate.ourcompany.com (192.168.2.x) 
  • Address for External Clients: https://clients.ourcompany.com (192.168.3.x)


So basically, both addresses would authenticate on the same Netscaler, no matter what address they come in from, and then pass through to the correct stores.

Yes. A number of ways.

2 gateways and separate logon points; where vpn1 goes to storefront1 and vpn2 goes to storefront2 - useful if you want simpler authentication AND to keep partner/employees separate. Makes it easy to turn off partner/external access if needed separate from Employees.



1 gateway (vpn vserver) with session policies A and B going to separate Stores (Store A and B); which store you hit determines which CVAD sites you get.

You can then bind session policies based on domain or group membership depending on your type of authentication requirements.

The first answer was a quick generic one.

If you want the two different gateways on different VPN vservers (different VIPs and different networks), then yes, you can configure a physical (MPX) or virtual (VPX) ADC to participate in multiple networks OR you can use separate VPXs if you really need physical network separation.


A given ADC can run multiple vpn vservers and they can exist in these different networks as needed.

Given your level of separation, you would probably want method a above: where corporate employees go to fqdn1 on vip1 (vpn1) and then a session policy on this vpn vserver gets these users to the appropriate Corporate Employee storefront and associated cvad site A.

Then fqdn2/vip2 maps to vpn vserver 2 and its storefront/cvad site B.



So I was focused just on can you run one vpn doing two things or separate vpn vservers.


The networking can be separated as well; just depending on what you need to do. But the ADC can also participate in separate networks; mostly comes down to routing and networking decisions. Can be further enforced with ACLs if needed. (If that's what you needed confirmation on.)
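The two-gateway layout recommended in the replies above, sketched as NetScaler CLI. This is an added example, not configuration posted by anyone in the thread; the VIPs, object names, StoreFront and STA URLs, domain names and certificate names are constructed placeholders.

```netscaler
# Constructed example: two Gateway (vpn) vservers on one ADC, one per audience.
# All names, addresses and URLs below are placeholders chosen for illustration.

# --- Corporate employees: corporate.ourcompany.com -> vip1 / vpn1 ---
add vpn vserver vpn_corp SSL 192.168.2.10 443
bind ssl vserver vpn_corp -certkeyName cert_corporate
add vpn sessionAction act_corp -icaProxy ON -ssoCredential PRIMARY -ntDomain CORP -wihome "https://sf-corp.example.internal/Citrix/CorpWeb"
# "true" is an advanced-policy expression that matches every session
add vpn sessionPolicy pol_corp true act_corp
bind vpn vserver vpn_corp -policy pol_corp -priority 100
bind vpn vserver vpn_corp -staServer "https://ddc-corp.example.internal"

# --- External clients: clients.ourcompany.com -> vip2 / vpn2 ---
add vpn vserver vpn_clients SSL 192.168.3.10 443
bind ssl vserver vpn_clients -certkeyName cert_clients
add vpn sessionAction act_clients -icaProxy ON -ssoCredential PRIMARY -ntDomain CLIENTS -wihome "https://sf-clients.example.internal/Citrix/ClientsWeb"
add vpn sessionPolicy pol_clients true act_clients
bind vpn vserver vpn_clients -policy pol_clients -priority 100
bind vpn vserver vpn_clients -staServer "https://ddc-clients.example.internal"

# Each vserver keeps its own certificate, session policy, StoreFront URL and
# STA list, so nothing on vpn_clients points at the corporate store or site.
# Bind a separate authentication policy to each vserver as well, so that
# external accounts can only log on at the clients gateway.
```

Because the two audiences share no vserver, policy or store URL, the clients gateway can be disabled or reconfigured on its own without touching employee access, which is the separation benefit the first reply describes.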