I have a CS VSERVER where I'm using CS policy to decide what "backend" LB vserver should be used based on "HTTP.REQ.HOSTNAME.".

One backend is PROD, second is UAT and based on which hostname is client connecting, it decides what "backend" LB vserver to use.

I have SNI enabled and have two SSL certs configured with option -SNICert. One cert for PROD, second for UAT.

Now I need to enable mTLS, that's not a problem, I set "-clientAuth ENABLED -clientCert Mandatory" in "set ssl vserver <CS_SERVER>" command and bind CA certificates using -CA option. Problem is, that I need separate CAs for PROD and UAT. In this setup every CA will be able to verify clients on both PROD and UAT. We do not want on clients to use UAT certificate and be able to use PROD service.

In summary, based for example SNI information, "uat.myservice.com" client will be verified with CA_1 and CA_2, then for "prod.myservice.com" will be verified with CA_3 and CA_4.

So, if client has a cert from CA_1 and tries to connect to "prod.myservice.com", citrix will refuse.

I tried to used ssl policy and action but no success to achieve this.

Does anyone know how to do it?

Thank you.

This is what I tried, keep hitting a road block...

add rewrite action RW_GEN_CSP_NONCE \
    replace_all \
    HTTP.RES.HEADER("X-CSP-Nonce") \
    base64(rand(16))

However in the GUI there seems to be no path to actually add base64(rand(16))

Any suggestions on how to get a random generated hash header added via netscaler?

I tried the following in CLI:

add rewrite action RW_GEN_CSP_NONCE replace_all HTTP.RES.HEADER("X-CSP-Nonce") base64(rand(16))

add rewrite action RW_GEN_CSP_NONCE replace_all HTTP.RES.HEADER("X-CSP-Nonce") "base64(rand(16))"

Both throw error ERROR: Invalid argument.

What is the proper way to do this, I am at a loss here.

Could someone help on this please? Much appreciate your reply.

I’m currently preparing for the 1Y0-312 exam and have been working through different resources, labs, and Citrix documentation. Midway through my prep, I started using CertsMatrix, which has been really helpful for practicing scenario-based questions and understanding how NetScaler behaves in real enterprise environments.

I’m stuck on a scenario and would appreciate some guidance:

If you have a NetScaler setup handling high traffic across multiple load-balanced services, and users intermittently report session drops during peak hours, what would be the best troubleshooting path?

Should I start by reviewing persistence methods, checking load-balancing algorithms, or analyzing TCP/HTTP connection limits on the virtual server?

Anyone who has taken the exam or dealt with similar production issues your insights would be extremely helpful for my preparation.

Thanks in advance!

I am using Citrix ADC LB.

#NS12.1 Build 57.18

They have some older guides in PDF here:

https://www.citrix.com/products/citrix-adc/resources/deploy.html
And a newer guide here but different format:

https://docs.citrix.com/en-us/citrix-adc/current-release/load-balancing/load-balancing-common-protocols/lb-microsoft-exchange-server.html

Which guide to go with ?

Also on the newer guide they mention CAS server, which is confusing because Exchange no longer uses a dedicated CAS server.  

I have some issues testing load balancing feature on my appliance (CITRIX ADC MPX 5901 build 11.1). After creating services, service groups, virtual servers and binding the service groups and services to virtual servers, they all appear to be in a DOWN state, both state and effective state.

Please, where may be the issue?

PS1 : The servers appears ENABLED and the services are of different protocols  (HTTP, FTP, TCP, SSL and DNS).

PS2 : Load balancing and SSL Offloading are enabled also

This is what they did:  (All in the GUI, because it looks like on the SDX I could not find a way to configure the ACL via the command line on SDX.)

1.  Enabled ACL

2.  Added a bad rule that removed all access to the SDX SVM.

Because we could no longer connect to the SDX via SSH or HTTPS I connected via the XenServer and issued this command to disable the ACL

pfctl -d   Per:  https://docs.citrix.com/en-us/sdx/12-1/configuring-management-service/access-control-lists.html 

So now I can connect back to the SDX via SSH And HTTPS.

However there does not seem to be a way to remove/cleanup the bad rule.

I can't disable/delete the rule with ACL Disabled.

I can't add a good rule with the ACL disabled.

If I enable ACL then, because of the bad rule, I will immediately be kicked out of the HTTPS and SSH.   

Any Advice?

Thanks,

Carl

I’m testing Citrix Virtual Apps and Desktops on a new set of AI PC endpoints in our environment, and I’m hoping to gather some best-practice insights from others who may be doing similar upgrades. These devices are delivering great local performance, and I’m exploring how to fully leverage their advanced CPU/GPU capabilities within HDX sessions.

Our current setup includes CVAD 2203 LTSR, Windows 11 VDAs, and the latest Workspace App. I’ve enabled various graphics optimizations such as hardware acceleration and enhanced display policies, and I’m now evaluating which settings produce the smoothest user experience, especially for teams working with design tools and analytics dashboards.

I’m curious whether anyone has recommendations for ideal HDX policies, GPU tuning, or endpoint configurations specifically for AI-enhanced PCs. Any shared experiences or tuning tips would be greatly appreciated!

Thank you!

I've tried adding them with request policy on CS and LB and also using NetScaler Web App Firewall profile/policy but it didn't worked.

How can I achieve this?

Thank you!

we are unable to create new Auditing SYSLOG server nor edit existing. It shows the error :

"Password length should adhere to minimum password length value in system parameter settings."

We have global strong local passwd set, and minimum length is 8. All standard checks done. We can delete existing audit syslog server or actions, but not add new one.

Any1 could advice on this?

Thanks

Rasto

is there anything else that i need to configure or that i missed? please advise.

Trying to understand the Content Switch with 'target type = GSLB'.

(NB! its not a GSLB Service pointing to a 'CSVS IP' i'm interrested in, but the setup using CSVS with 'target type = GSLB')

When setting up and creating af content switch policy (with or without action), I get 'CS Policy has no action or CS action doesn't have targetVserver'
(off course I have pointet to an LB vserver of the same protocol..)

Besides the above error, there seems to be NO usable guides how to set it up, and this link doesn't clearify it either 'https://docs.netscaler.com/en-us/citrix-adc/current-release/global-server-load-balancing/how-to/configure-gslb-content-switch.html'

Hope someone has a config they can share, or a usable documentation.

/Frank

HTTP.REQ.HOSTNAME.EQ("adfs.example.com")

This works as expected, as long as the requested URL does not containt "/adfs/ls/"

e.g:

Works:
https://adfs.example.com/
https://adfs.example.com/adfs/

https://adfs.example.com/adfs/ls

https://adfs.example.com/adfs/ls123/

https://adfs.example.com/adfs/ls123/123

Does not work:

https://adfs.example.com/adfs/ls/

https://adfs.example.com/adfs/ls/123

The LB Vserver that is the target has Authentication enabled. In the non-working example, we receive a HTTP 1.1 in the other examples we get redirected to the Auth vserver, as expected. An existing Session will also not work, the HTTP 1.1 persists.

This worked for years before we've updated. I also logged a case with citrix, but so far they did not find the issue.

Anyone else experiencing the same?

Before I go too far down the route of troubleshooting to get this work, I am wondering if someone has already figured this out. (Or maybe it isn't used much.)

After enabling a cloud based WAF, we have had issues when used in combination with Citrix Netscaler maintenance page.

The issue is that the maintenance page seems to stay active, even after the primary Vserver come online after a maintenance window.

Our suspicion is, that session reuse in the cloud, is kept active/open, and thus seen from the cloud service as a valid connection to use. I can manually then close the maintenance vserver and reopen it, which will terminate all existing connections. The Netscaler does not seem to have a way to enforce breaking maintenance connections.

Have you experience anything similar to this?

/Peter

AD1.DOMAIN.COM and AD2.DOMAIN.COM

Created servers ✅

Created Virtual Server with 636 and 389 port (Same IP and same SNIP as the AD1 and AD2 ✅

Created 2 monitors with a SVC account ✅

To check I created services for each AD1 and each port ✅ - Will convert to group after confirmed working

Bound said services to LBVS server and the monitor to each services

I still get the failure - Failed to search on the server but when connecting with said account directly to the server it works. Citrix support has been a bit frustrating as they had me try several things without any real explanation. Our AD people cant see any searches with the account on their end so im wondering what am I doing wrong here?

Kind Regards

Markus

I’m looking for clarification on how Citrix ADC handles SSL certificate updates for Load Balancing VIPs.

Specifically:
If I use the Update method to replace the certificate-key pair bound to an SSL LB VIP, will existing SSL sessions be disrupted? Or will the new certificate only be used for new incoming connections, while existing sessions continue using the old certificate until they expire or renegotiate?

I understand this is how SSL/TLS typically behaves, but I’m looking for Citrix-specific confirmation — ideally from documentation or real-world experience.

Background:
I need this information so I can implement an Ansible automation for implementing SSL certificate upgrades.
After a successful upgrade automation will remove old certificate and key files.

Thanks in advance!

I have two NetScaler and I need to make SAML.

one of them as SP with AAA for LB and use Authentication Virtual Servers. and one as IDP, and in the "Redirect URL :https://xxx.xx.com/saml/login" with Policy I use "true".
when I make SAML IDP Profile use in the "Assertion Consumer Service Url: https://xxx.xx.com/cgi/samlauth" with policy I use "true" , and I try to bind to policy of the IDP on "Authentication Virtual Server" in the NetScaler with the IDP the binding not working and stay blank.

but when I try to connect to the web I get : "ACS URL in request is invalid. Please contact your administrator" and if I do Refresh i get anther error: "Malformed Assertion sent to Netscaler; Please contact your administrator"  I didn't understand why I get this message.

I try to change policy and noting work. 

I have version : 13.1 24.38.nc

I'm working on a NetScaler Google ReCAPTCHA deployment. I got this working with a VPX running NS14.1 34.42.nc and tried to transfer this configuration onto the production MPX 8900 HA pair (also running NS14.1 34.42.nc).

When the authentication virtual server tries to load on the MPX, the browser is redirected to https://<VSERVER>/logon/LogonPoint/index.html which results in:

Error 403 Forbidden You don't have permission to access this resource.

With the same setup on the VPX the browser is redirected to https://<VSERVER>/logon/LogonPoint/tmindex.html

Copying themes across from the VPX to MPX (following the CTX209526 article) made no difference.

The "/var/netscaler/logon" directory is already present on the MPX - I've seen some threads that suggest copying this folder from a working node to a one that is having issues. Can anyone advise on this please and whether this requires a reboot on the destination node?

Thanks

Andy

Once upgraded to 14.1-47.46, both Gateway-vServers (XenMobile & CVAD/HDX-Proxy) and also the WAF-features continued to work fine. Unfortunately, SAML-authentication (LDAP) for ShareFile stopped working:

As workaround, we identified 14.1-43.56... As it didn't suffer from that issue.

Today, CVE-2025-6543 was published, but no new 14.1-build was released :-\