Jump to content
Welcome to our new Citrix community!

Unable to add a intranet IP in Virtual server for a SSL VPN

Recommended Posts

Recently, i been working on a SSL VPN, i reached the point where i connect the VPN in a virtual machine.



The thing is that this VM didn't get a internal IP address, i look in some Carl Stalhood documentation that is important to add a Intranet IP on your virtual server, but launch an error saying that resources already exist.



the question es where or what i have to do to resolve this thing, i look in google, but there is no much information about this. Thank you. 


Link to comment
Share on other sites

Intranet IPs are a range of IPs that you allocate to the vpn vserver so that you can allow each vpn connection a unique backend IP instead of using the usual SNIP for all clients.

The IPs in the intranet IP range must be valid on the network segment the netscaler uses to reach backend resources, unique on the network and not otherwise in conflict with other ip address sources.  Be sure they do not conflict with your already assigned SNIPs and NSIP address in use.


Most  times the vpn connections can source all traffic using the same SNIP and intranet IPs are not needed.  

If using the Gateway to access Citrix VDI's via ICA Proxy, then intranet IPS are not used and the SNIP is required.

User's must be in full vpn mode to use an intranet IP; no supported in either ica proxy or clientless mode.


You mentioned that you are connecting the VPN client from within a virtual machine. Is this a test environment or are you using the vpn within a vm or vdi scenario?


In general, the steps to configure the intranet IPs:

1) Create and allocate a valid subnet range of IPs to use as the intranet IPs.  Again, should be valid for the NetScaler to use to for NetScaler to backend communication with enough IPs for each vpn client to consume (on a concurrent basis).  Ranges can be allocated per vpn vserver, vpn global, aaa group. Or individual IPs assigned per aaa user (but this is more work and only needed if you require a specific ip per client).

- Verify the subnet does not overlap with your NSIP, SNIPs, or any VIPs alreadys in use on the NetScaler.


2) Create a session policy/profile that enables Intranet IPs:ON and determine if spillover is allowed or not.  Should be the Network tab (first tab in the session profile).  Spillover:ON allows the SNIP (even though it says MIP) to b used if no more Intranet IPs available. Spillover:OFF disables spillover. If more sessions than you have IPS, they will be denied.  If Intranet IPs is off, then ips won't be allocated.  Bind session policy to the vpn vserver.



Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...