
Content switching and Citrix gateway configuration




A few years ago I configured our NetScaler to send the incoming internet HTTPS traffic to a StoreFront server. So, on the firewall, all incoming HTTPS requests are sent to the Citrix Gateway virtual server's IP address that I created in the NetScaler's Citrix Gateway part.

Now, when an outside user asks for the URL "https://apps.ourcompany.com" he arrives at the StoreFront.

A few months ago, we had to access a web server from the outside and I created a Load Balancing virtual server, but to access it from the web, I forwarded port 5555 on the firewall to its virtual IP address, so users can access the web server but have to type "https://apps.ourcompany.com:5555".

All this works but it's bad...

Now, as we have another web server that has to be accessed from the outside, I can't continue with this...


What I want is for the users to:

- access our StoreFront server from the internet with "https://apps.ourcompany.com"

- access one web server (say WSA) from the internet with "https://humanresources.ourcompany.com"

- access a second web server (say WSB) from the internet with "https://accounting.ourcompany.com"

So I created two Content Switching configurations (Virtual Servers and policies - not sure I did it right...) but I first have this question:

To which IP address should the incoming internet 443 traffic be routed on the firewall?

At this time, it's the Citrix Gateway Virtual Server's IP address. So, the CS Virtual Servers have no chance to receive any data.

TIA for any help,





Hi again,


As the Unified Gateway needs a special licence, I created the different parts manually and it works with HTTP. Not too bad.


Since I have a wildcard certificate installed on the ADC, I think it should be bound to the Content Switching Virtual Server, for incoming internet HTTPS requests. Is that right?

I don't see this option in the GUI.

Should it be done in the CLI with "bind ssl vs <vServerName> -certkeyName <certificate-KeyPairName>"?

Or is that not the right place to do it?






Hi all,


Thank you for the input.

Things begin to become difficult as soon as I use the Content Switch. Here is the situation:


Internet user ----- https/443 -----> Firewall's public IP address -----> LB Virt Server's IP address ----> IIS Web Server's LAN IP address

The LB Virt Server is configured with protocol SSL and port 443. It is bound to a service also using protocol SSL and port 443.

My wildcard certificate is bound to the LB Virt Server and installed on the IIS Web Server.

This works but the problem is that only one web server can be accessed. Therefore, I created the following:


Here is the CS policy:


>sh cs policy cs_pol_octime

        Policy: cs_pol_octime   Rule: HTTP.REQ.HOSTNAME.EQ("humanresources.ourcompany.com")       Action: cs_action

        Hits: 0

1)      CS Vserver: cs_octime
        Priority: 100
        Hits: 0



Here is the CS action:

> sh cs action cs_action
        Name: cs_action
        Target LB Vserver: lb_vs_ssl_octime
        Hits: 0
        Undef Hits: 0
        Action Reference Count: 1


Remark: "lb_vs_ssl_octime" is the LB Virt Server configured previously

And here is the CS Virt Server:


> sh cs vserver cs_octime
        cs_octime ( - SSL       Type: CONTENT
        State: UP
        Last state change was at Thu Sep  1 23:06:26 2022
        Time since last state change: 0 days, 02:38:38.210
        Client Idle Timeout: 180 sec
        Down state flush: ENABLED
        Disable Primary Vserver On Down : DISABLED
        Appflow logging: ENABLED
        State Update: DISABLED
        Default:        Content Precedence: RULE
        Vserver IP and Port insertion: OFF
        L2Conn: OFF     Case Sensitivity: ON
        Authentication: OFF
        401 Based Authentication: OFF
        Push: DISABLED  Push VServer:
        Push Label Rule: none
        HTTP Redirect Port: 0   Dtls : OFF
        Persistence: NONE
        Listen Policy: NONE
        IcmpResponse: PASSIVE
        RHIstate:  PASSIVE
        Traffic Domain: 0

1)      Content-Switching Policy: cs_pol_octime Priority: 100   Hits: 0


I think it corresponds to the following flow:


Internet user ----- https/443 -----> Firewall's public IP address -----> CS Virt Server's IP address -----> LB Virt Server's IP address ----> IIS Web Server's LAN IP address


But it ends with "Http/1.1 Service Unavailable" when trying from the web with "https://humanresources.ourcompany.com" (well, the real equivalent...).


If, from a local PC on the LAN, I do the same request (with the domain/CS Virt Server's IP association in the hosts file), I can access the final IIS web site.


Not sure you can see what's bad but am I missing something in the flow?







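The host-header content switching layout described in the post above, written out as ADC CLI commands for both web hostnames on a single SSL content switching virtual server. This is an added example, not the poster's running configuration or Citrix's own; `cs_vs_web`, `lb_vs_ssl_wsb`, the `cs_act_*` and `cs_pol_*` names and the `<CS_VIP>` placeholder are assumptions, while `lb_vs_ssl_octime` and the hostnames come from the thread.

```netscaler
# Added example with constructed names; not taken from the poster's appliance.
# <CS_VIP> is a placeholder for the address the firewall forwards TCP 443 to.
# lb_vs_ssl_wsb is a hypothetical LB virtual server in front of the second web server.

# One SSL content switching virtual server receives all inbound 443 traffic.
add cs vserver cs_vs_web SSL <CS_VIP> 443

# TLS is terminated on the CS virtual server, so the certificate that
# internet clients see is the one bound here (the wildcard certificate).
bind ssl vserver cs_vs_web -certkeyName <certificate-KeyPairName>

# One action per backend LB virtual server.
add cs action cs_act_hr -targetLBVserver lb_vs_ssl_octime
add cs action cs_act_acct -targetLBVserver lb_vs_ssl_wsb

# One policy per hostname, matching on the HTTP Host header
# (same rule form as cs_pol_octime in the post).
add cs policy cs_pol_hr -rule "HTTP.REQ.HOSTNAME.EQ(\"humanresources.ourcompany.com\")" -action cs_act_hr
add cs policy cs_pol_acct -rule "HTTP.REQ.HOSTNAME.EQ(\"accounting.ourcompany.com\")" -action cs_act_acct

# Bind both policies to the same CS virtual server; lower priority is evaluated first.
bind cs vserver cs_vs_web -policyName cs_pol_hr -priority 100
bind cs vserver cs_vs_web -policyName cs_pol_acct -priority 110

# Checks: state and bound policies, certificate binding, and per-policy hit counters.
show cs vserver cs_vs_web
show ssl vserver cs_vs_web
show cs policy cs_pol_hr
show cs policy cs_pol_acct
```

The `Hits` counter in the `show cs policy` output is the quickest way to confirm whether a request from the internet actually reached the content switching virtual server and matched the Host rule.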