Basics of Citrix Netscaler

There are two NetScaler editions: Citrix NetScaler and Citrix NetScaler Gateway. Although the two look similar, there are distinct differences depending on the licence applied.

Citrix NetScaler refers to the Application Delivery Controller (ADC), while NetScaler Gateway, formerly known as the Citrix Access Gateway (CAG), is primarily used for secure remote access. It is essentially a NetScaler with reduced functionality, limited by the NetScaler Gateway licence that is uploaded to it. A NetScaler ADC can do far more than secure remote access: load balancing and high availability, content switching, application (SSL) offloading, application firewall, cloud connectivity, hybrid cloud solutions and a lot more.

The NetScaler uses vServers (virtual servers) to deliver its services. Multiple independent vServers can be configured on the same NetScaler, each serving a different purpose, such as load balancing, content switching or SSL offload.

The NetScaler IP address (NSIP) is the address the administrator uses to manage and configure the NetScaler. There is exactly one NSIP; it is assigned when the appliance is set up for the first time, it cannot be removed, and changing it requires a reboot. By default every management interface (SSH, the GUI and the NITRO API) listens on the NSIP, so it belongs on a restricted management network and should never be reachable from the internet.
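As an added example that is not part of the original post: a small Python audit of the kind of IP table a NetScaler exposes through `show ns ip` or the NITRO REST API. It checks that management access is not switched on for SNIPs and that the NSIP does not offer clear-text management protocols, and builds the `set ns ip` command that would fix each address. The four records and their addresses are constructed for illustration; the attribute and option names (`mgmtaccess`, `restrictaccess`, `gui`, `ssh`, `telnet`, `ftp`, `snmp`) are those of the NITRO `nsip` object and of the `set ns ip` CLI command.

```python
"""Audit management-plane exposure of a NetScaler IP table.

Added example, not taken from the original post. It checks records shaped
like the `nsip` objects returned by the NITRO REST API
(GET /nitro/v1/config/nsip), whose attribute names mirror the options of
`set ns ip`; the four records below are constructed, not from a real box.
"""
from typing import Dict, List

NsIp = Dict[str, str]

SAMPLE_NSIPS: List[NsIp] = [
    # NSIP with permissive settings that should be tightened (constructed).
    {"ipaddress": "10.0.0.5", "type": "NSIP", "mgmtaccess": "ENABLED",
     "restrictaccess": "DISABLED", "gui": "ENABLED", "ssh": "ENABLED",
     "telnet": "ENABLED", "ftp": "ENABLED", "snmp": "ENABLED"},
    # SNIP with management access switched on (reachable from the server LAN).
    {"ipaddress": "10.0.1.10", "type": "SNIP", "mgmtaccess": "ENABLED",
     "restrictaccess": "DISABLED", "gui": "SECUREONLY", "ssh": "ENABLED",
     "telnet": "DISABLED", "ftp": "DISABLED", "snmp": "DISABLED"},
    # SNIP used purely for data-plane traffic.
    {"ipaddress": "10.0.1.11", "type": "SNIP", "mgmtaccess": "DISABLED",
     "restrictaccess": "DISABLED", "gui": "DISABLED", "ssh": "DISABLED",
     "telnet": "DISABLED", "ftp": "DISABLED", "snmp": "DISABLED"},
    # VIP of a Gateway vServer; never a management address.
    {"ipaddress": "203.0.113.50", "type": "VIP", "mgmtaccess": "DISABLED",
     "restrictaccess": "DISABLED", "gui": "DISABLED", "ssh": "DISABLED",
     "telnet": "DISABLED", "ftp": "DISABLED", "snmp": "DISABLED"},
]


def audit_record(rec: NsIp) -> List[str]:
    """Return findings for one address; an empty list means nothing to fix."""
    ip, kind = rec["ipaddress"], rec["type"]
    findings: List[str] = []
    # The NSIP always carries management; other addresses only with mgmtaccess.
    mgmt_on = kind == "NSIP" or rec.get("mgmtaccess") == "ENABLED"
    if kind in ("SNIP", "MIP") and mgmt_on:
        findings.append(f"{ip} ({kind}): management access enabled on a data-plane address")
    if not mgmt_on:
        return findings
    if rec.get("telnet") == "ENABLED":
        findings.append(f"{ip} ({kind}): telnet enabled, clear-text management")
    if rec.get("ftp") == "ENABLED":
        findings.append(f"{ip} ({kind}): ftp enabled, clear-text management")
    if rec.get("gui") == "ENABLED":
        findings.append(f"{ip} ({kind}): GUI also served over plain HTTP, use SECUREONLY")
    if rec.get("restrictaccess") != "ENABLED":
        findings.append(f"{ip} ({kind}): restrictAccess disabled, non-management daemons "
                        "on the underlying FreeBSD host are reachable on this address")
    return findings


def remediation_cli(rec: NsIp) -> str:
    """Build the `set ns ip` command that clears the findings ('' if clean)."""
    opts: List[str] = []
    kind = rec["type"]
    if kind in ("SNIP", "MIP"):
        if rec.get("mgmtaccess") == "ENABLED":
            # Turning management access off closes SSH/GUI/SNMP on this address;
            # the per-protocol flags only matter while it is on.
            opts.append("-mgmtAccess DISABLED")
    elif kind == "NSIP":
        if rec.get("telnet") == "ENABLED":
            opts.append("-telnet DISABLED")
        if rec.get("ftp") == "ENABLED":
            opts.append("-ftp DISABLED")
        if rec.get("gui") == "ENABLED":
            opts.append("-gui SECUREONLY")
        if rec.get("restrictaccess") != "ENABLED":
            opts.append("-restrictAccess ENABLED")
    return f"set ns ip {rec['ipaddress']} {' '.join(opts)}" if opts else ""


def audit_table(records: List[NsIp]) -> Dict[str, List[str]]:
    """Map each address that has findings to its list of findings."""
    return {r["ipaddress"]: f for r in records if (f := audit_record(r))}


if __name__ == "__main__":
    for rec in SAMPLE_NSIPS:
        for finding in audit_record(rec):
            print(finding)
        if remediation_cli(rec):
            print("  fix:", remediation_cli(rec))
```

Run against a real appliance, the records would come from the NITRO `nsip` endpoint and the generated `set ns ip` commands would be reviewed before being applied with `save ns config`.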

The Subnet IP address (SNIP) is used for server-side connections: the NetScaler uses it to reach servers on a subnet to which it is directly connected. The mode USNIP (Use SNIP), which is enabled by default, makes the SNIP the source address of packets the NetScaler sends into the internal network.

When a SNIP is configured, a corresponding route is added to the NetScaler routing table and used to pick the route from the NetScaler to the internal network. When the NetScaler finds a route through a SNIP's subnet in the routing table, it forwards the traffic with that SNIP as its source address.

Unlike the NSIP, a SNIP is not mandatory. With multiple subnets, a SNIP has to be configured for each subnet separately, and when several SNIPs are configured on the same subnet they are used in a round-robin fashion.

The Mapped IP address (MIP) is similar to the SNIP. MIPs are used when no SNIP is available or when USNIP (Use SNIP) is disabled, and like a SNIP the MIP then becomes the source address. A route entry is added to the routing table only for the first MIP configured on a subnet.

The Virtual IP address (VIP) is the address of a vServer that end users connect to, and through which they are eventually authenticated. A VIP is never used as a source address, so it plays no part in back-end server communication; that is always handled by a SNIP or MIP.
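To make the SNIP, MIP and VIP rules above concrete, here is an added Python model (not code from the original post or from Citrix). It takes a constructed `show ns ip`-style table and answers, for a given back-end destination, which address the NetScaler would use as source: a SNIP on the directly connected subnet (round robin when there are several), the MIP when no SNIP exists there or USNIP is disabled, and never the VIP. All addresses are made up; destinations outside every directly connected subnet return `None`, because the static and default routing that applies there is beyond this post.

```python
"""Model of which address a NetScaler uses as source for server-side traffic.

Added example, not from the original post. It reproduces the rules in the
text (one SNIP per directly connected subnet, round robin between SNIPs on
the same subnet, MIP as fallback when no SNIP exists or USNIP is disabled,
VIP never a source) against a constructed IP table.
"""
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from itertools import cycle
from typing import Dict, Iterator, List, Optional, Tuple

# Constructed IP table in `show ns ip` style: (address, netmask, type).
SAMPLE_TABLE: List[Tuple[str, str, str]] = [
    ("10.0.0.5",     "255.255.255.0",   "NSIP"),
    ("10.0.1.10",    "255.255.255.0",   "SNIP"),
    ("10.0.1.11",    "255.255.255.0",   "SNIP"),   # second SNIP, same subnet
    ("10.0.1.20",    "255.255.255.0",   "MIP"),    # MIP alongside the SNIPs
    ("10.0.2.20",    "255.255.255.0",   "MIP"),    # subnet served by a MIP only
    ("203.0.113.50", "255.255.255.255", "VIP"),    # Gateway vServer address
]


class SourceSelector:
    """Decide the source address for traffic towards a back-end destination."""

    def __init__(self, table: List[Tuple[str, str, str]], usnip: bool = True) -> None:
        self.usnip = usnip
        self.snips: Dict[IPv4Network, List[IPv4Address]] = {}
        self.mips: Dict[IPv4Network, IPv4Address] = {}
        self.routes: List[IPv4Network] = []     # directly connected routes
        for addr, mask, kind in table:
            ip = ip_address(addr)
            net = ip_network(f"{addr}/{mask}", strict=False)
            if kind == "SNIP":
                if net not in self.snips:
                    self.snips[net] = []
                    if net not in self.routes:
                        self.routes.append(net)  # every SNIP subnet gets a route
                self.snips[net].append(ip)
            elif kind == "MIP":
                if net not in self.mips:
                    self.mips[net] = ip          # first MIP on the subnet wins
                    if net not in self.routes:
                        self.routes.append(net)  # only the first MIP adds a route
            # NSIP and VIP never source server-side traffic in this model.
        self._round_robin: Dict[IPv4Network, Iterator[IPv4Address]] = {
            net: cycle(ips) for net, ips in self.snips.items()
        }

    def connected_route(self, dest: IPv4Address) -> Optional[IPv4Network]:
        """Longest-prefix match over the directly connected routes."""
        matches = [net for net in self.routes if dest in net]
        return max(matches, key=lambda n: n.prefixlen) if matches else None

    def source_for(self, destination: str) -> Optional[str]:
        """Return the source address used to reach `destination`, or None."""
        dest = ip_address(destination)
        net = self.connected_route(dest)
        if net is None:
            return None  # static/default routing, not covered by this post
        if self.usnip and net in self.snips:
            return str(next(self._round_robin[net]))  # round robin between SNIPs
        if net in self.mips:
            return str(self.mips[net])                # MIP: no SNIP or USNIP off
        return None


if __name__ == "__main__":
    sel = SourceSelector(SAMPLE_TABLE)
    for dest in ("10.0.1.50", "10.0.1.51", "10.0.1.52", "10.0.2.7", "192.0.2.9"):
        print(dest, "->", sel.source_for(dest))
    print("USNIP off, 10.0.1.50 ->", SourceSelector(SAMPLE_TABLE, usnip=False).source_for("10.0.1.50"))
```

The model makes one practical point easy to check: any server-side firewall rule must allow every SNIP (and MIP) on the subnet, not just the first one, because successive connections alternate between them.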

An external user contacts the NetScaler Gateway on port 80 or 443, connecting to the externally reachable virtual IP (VIP) of the NetScaler Gateway vServer (1. VIP and 1. vServer in the diagram above). Once the connection is established there are a few options; for example, using a SNIP the (still unauthenticated) user can be passed to the StoreFront server on the internal network, where authentication takes place.

If authentication takes place on the NetScaler itself, the user's credentials are forwarded from the NSIP (2. NSIP) to the internal authentication services (Active Directory), where they are validated. Two-factor authentication can be added at the same step (2. NSIP), for example with SMS passcode tokens: every user must then supply the username and password plus an automatically generated token code that expires after a few minutes, so a stolen password alone is not enough to log in.

Once the user is authenticated, the authentication service passes the user's credentials through to the StoreFront server. The authenticated user now connects to StoreFront via a SNIP (3. SNIP), where the applications published to that user are enumerated.

This information then travels back into the NetScaler and through the NetScaler Gateway vServer to the user's screen (4. vServer).

Finally, when the user starts an application, the StoreFront server generates an .ICA file that is sent back to the user's device and used to open the session, through the Gateway, to the requested resource on one of the XenDesktop / XenApp servers. During the last phase of setting up this connection the Gateway validates the session by checking the STA (Secure Ticket Authority) ticket generated earlier against the STA server, after which the application or desktop is launched (5. App launch).
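As an added example (not part of the original post): the .ICA file that StoreFront hands back is an INI-style text file, and the difference between a launch through the Gateway and a direct launch from the internal network is visible in its `Address` line. The Python below parses two constructed samples and reports how each one reaches the published resource. The section and key layout follows real ICA files, including the `;40;<STA id>;<ticket>` address form used for Gateway launches, while the STA id, ticket, host names and addresses are made up.

```python
"""Inspect a launch .ICA file for the way it reaches the published resource.

Added example, not from the original post. Both ICA texts are constructed
samples: one launched through NetScaler Gateway (address is an STA ticket
and the session goes to SSLProxyHost), one launched directly on the LAN
(address is the XenApp/XenDesktop server itself).
"""
import configparser
from typing import Dict, Optional

GATEWAY_ICA = """\
[Encoding]
InputEncoding=UTF8

[WFClient]
Version=2
ProxyType=Auto

[ApplicationServers]
Notepad=

[Notepad]
Address=;40;STA0123456789AB;A1B2C3D4E5F60718293A4B5C6D7E8F90
InitialProgram=#Notepad
SSLEnable=On
SSLProxyHost=gateway.example.com:443
SecureChannelProtocol=Detect
"""

DIRECT_ICA = """\
[Encoding]
InputEncoding=UTF8

[ApplicationServers]
Notepad=

[Notepad]
Address=10.0.3.15:1494
InitialProgram=#Notepad
"""


def parse_ica(text: str) -> configparser.ConfigParser:
    """Parse ICA text as INI; keys keep their case, values are taken verbatim."""
    cp = configparser.ConfigParser(strict=False, interpolation=None, delimiters=("=",))
    cp.optionxform = str  # type: ignore[assignment]
    cp.read_string(text)
    return cp


def launch_info(text: str) -> Dict[str, Optional[str]]:
    """Describe how the ICA file addresses the resource.

    Returns the published app name, the launch path ('gateway' or 'direct'),
    the STA id and ticket the Gateway will validate (gateway launches only),
    the proxy host and any target address the client learns (direct only).
    """
    cp = parse_ica(text)
    app = next(iter(cp["ApplicationServers"]))  # first published application
    section = cp[app]
    address = section.get("Address", "")
    info: Dict[str, Optional[str]] = {
        "app": app, "path": "direct", "sta_id": None, "ticket": None,
        "target": address or None, "proxy": section.get("SSLProxyHost"),
    }
    parts = address.split(";")
    # Gateway launches use the STA addressing form ";40;<STA id>;<ticket>":
    # the client learns no internal address, only the ticket the Gateway
    # checks with the STA server before proxying the session.
    if len(parts) == 4 and parts[0] == "" and parts[1] == "40" and parts[2].startswith("STA"):
        info.update(path="gateway", sta_id=parts[2], ticket=parts[3], target=None)
    return info


def exposes_internal_address(info: Dict[str, Optional[str]]) -> bool:
    """True when the file tells the client the back-end server's own address."""
    return info["path"] == "direct" and info["target"] is not None


if __name__ == "__main__":
    for name, text in (("gateway", GATEWAY_ICA), ("direct", DIRECT_ICA)):
        print(name, launch_info(text))
```

The ticket is single-use and short-lived, which is why the Gateway can accept it from an unauthenticated ICA connection; a direct-launch file, by contrast, is only safe on a network where the client may reach the server's address anyway.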


About Murugan B Iyyappan

Working as a Consultant - Citrix solutions architect with 18 years of experience in the IT industry. Expertise in Citrix products and Windows platform.