Month: December 2017

Citrix HDX Adaptive Transport, Datagram Transport Layer Security (DTLS)

With the new release of Citrix XenDesktop/XenApp 7.16 the HDX Adaptive Transport it now turned on by default.

With that turned on, clients connecting through NetScaler Gateway will try to connect using UDP 443. If Firewall and NetScaler Gateway is not configured to communicate on UDP 443, the client will fallback to TCP 433.

I have noticed that it takes a short time before it will do the fallback (2-5 sec.). This give a longer logon time when the users are connecting through NetScaler Gateway. With the right configuration, you can eliminate that extra wait time for the users.

First, enable DTLS (Datagram Transport Layer Security) on the NetScaler Gateway configuration:

After enabling DTLS, you need to rebind the Server Certificate again. Do a unbind and a bind, then it will work.

The next is to enable UDP 443 on the Firewall Access and NAT rules. As there are many different Firewall’s I cannot tell you the way to do it one your Firewall.

I found that you can use nMap/Xenmap to test if your configuration of the Firewall and NetScaler Gateway configuration.

Use the flowing command to do the test:

nmap -sT -sU -p 443 -Pn <FQDN>

The test has to be run from a external computer, as we are testing the Firewall and NetScaler Gateway configuration.

This will test TCP 443 and UDP 443, and give this result if you’re Firewall and NetScaler Gateway is configured to accept TCP 433 and UDP 443:

There are different ways to see if a user is connected using UDP 443.

NetScaler Gateway GUI:

NetScaler Gateway CLI:

XenDesktop/XenApp Director:

Server/VDI VDA:

Citrix HDX Adaptive Transport, Datagram Transport Layer Security is supported with Citrix Receiver 4.7 or newer.


Citrix NetScaler Gateway Enterprise Edition, Storefront High Availability, Poor man’s solution

Belive it or not but some still have Citrix NetScaler Gateway Enterprise Edition running. The Citrix NetScaler Gateway Enterprise Edition is a special editions witch was made to replace the Access Gateway 5.x.

As you can see, many of the NetScaler features are not available:

Special the Load Balancing Feature can be a problem, as we the need another Load Balancing system to handle Storefront High Availability.

Well as the Load Balancing feature is not licensed is not the same as it is not there. It is, and we can use it, not to Load Balanced traffic between to Storefront server, but as failover. Many times this will be fine for the owners of the Citrix NetScaler Gateway Enterprise Edition.

I have to Severs with Storefront. To demonstrate the serveres is not in a Storefront Server Group as I need to different setup’s to identify witch server I am connected to.

The Server SF1 looks like this:

The Server XDC1 looks like this:

First, I create the SF1 and XDC1 Servers in the NetScaler configuration:

Then I create the Storefront monitor:

Then I create a service for each server. This has to be a service and not a service group, because we are using failover and not Load Balancing as the feature is not licensed.


As we are doing a Load Balancing Failover configuration, we start with the Virtual Server that will take over if the primary Server is not responding. This does not need to be direct accessible and that is why it does not have an IP address.

Then we create the Virtual Server that the clients are connecting too:


Just ignor the warnings, this is because the feature is not licensed, but when we test you will see that it is working as expected:

Now bind the Load Balancing Service to the Load Balancing Virtual Server:

This we know, J

Finely use the “Protection” to direct the traffic to the secondary storefront when the primary is down:

I know:

This end us up with this:

To test we connect to the virtual server of, and get the Storefront login site of the XDC1:

We will be getting this as long as the Storefront site is working on the XDC1. When I go and stop the Internet Information Service on the XDC1, the NetScaler service svc_xdc1_http goes down:

When I tests again I get the Storefront site on SF1, as the NetScaler sends the traffic to the Backup Virtual Server, because the primary service is down:



As for now, we can use the Load Balancing Failover even when the Load Balancing is not licensed. If Citrix have any plans to change this, we do not know. There in their rights to do that, so be aware of that.

In the example a have used HTTP, but it will work with SSL too. SSL I recommended as the users will type username and password and this we be sendt on the network in clear text if using HTTP.

I do not see it to be a problem that we are using failover and not real Load Balancing. Look at the flowing about max. Connections to a single Storefront Server:

I sure, that the 50 Mb through put of the Citrix NetScaler Gateway Enterprise Edition will be the limit before the Storefront.


NetScaler VPX Hardware

Many customers are using the NetScaler VPX, on their hypervisor. This is a god supplement for the MPX or SDX platforms, if you do not need the SSL Card power of the NetScaler.

The NetScaler VPX are available in the flowing models:

Normally I see the VPX 10 to VPX 3000 at customer’s sites. The VPX 3000 comes with the XenMobile Cloude license, but is limited to XenMobile configuration and Micro VPN tunnels.


As you can see on the models list the from VPX 1000 and up the license support multiple packed vCPU’s (1 vCPU is used for management) When installing NetScaler VPX on your hypervisor Citrix Provided a template for this. This template only add 2 vCPU’s to the virtual NetScaler as this is the same template for all models.

Many forget that it is possible to change the number of vCPU’s if they have VPX 1000 or higher licenses. If you consider changing the vCPU of your NetScaler VPX remember that every vCPU need 2 GB memory as minimum.


If you change this after initial install, you have to check that the extra packed CPU and memory are added. This can be done with the flowing commands:


Lets Encrypt SAN Certificate

After reading, the Citrix blog about using Let’s Encrypt certificate I decided to try this out on my test environment. Source =

I found that I was able to get a free Let’s Encrypt certificate for my test environment, but I also find that when only having one public IP address I needed a SAN certificate to do my testing of different functions on the NetScaler and backend resources.

I flowed the Citrix blog all the way up to Steep 2, where I did some changes:

Step 2, multi hostname response:

As we are requesting a SAN certificate Let’s Encrypt is testing for every hostname and the response code. First, create all the FQDN’s to point to your NetScaler at your DNS provider.

Create html response page for the FQDN’s:

Netscaler > AppExpert > Responder > HTML Page Imports


Create additional FQDN’s response:


Now create responder actions for every FQDN’s

Netscaler > AppExpert > Responder > Action


Create responder policies to point the and to the corresponding html page.

Netscaler > AppExpert > Responder > Policies


Create content switching vserver on port 80. This is where firewall rules, routes, etc. should be added.

NetScaler -> Traffic Management -> Content Switching -> Content Switching Virtual Servers


Bind your responder policies to this content switching server.


Add binding for other responder policies.


Before continuing test the response for and The replay would be citrix and sts, if the responder action, policy and content switching configuration is correct.

Step 3: Create the certificate request

To make the SAN certificate request connect to the Let’s Encrypt server on ssh and run the flowing command:

certbot certonly -–manual –-email -d -d –-rsa-key-size 2048


Copy the marked code to the responder html page for


Do the same for the


Copy the marked code to the responder html page for


Before continuing test the 2 pages is responding with it’s uniq code. When you have tested the response go on:

Let’s Encypt will validate that the page presented contains the expected text and will then issue the certificate, assuming that your responder is properly working and the response matches what Let’s Encrypt expects.

Upon success, Let’s Encrypt will produce a set of files in /etc/letsencrypt/live/  These PEMs need to be converted before they will work with the netscaler.

  • pem – the actual server cert
  • pem – the intermediate certificates required
  • pem – the server cert + the chain
  • pem – the private key for the server cert

To get the certificate installed on the NetScaler flow Step 4, on

Let’s Encrypt will support wildcard certificates in 2018, but for now we can get a SAN certificate with multiple FQDN’s. With NetScaler Content Switching we can then control multiple sites on one public IP.



Powered by WordPress & Theme by Anders Norén