From Network Security Wiki


  • A NetScaler is deployed in front of a server farm and functions as a transparent proxy between client and server, without requiring any client-side configuration.
#show connectiontable
#config ns
#set ns config -IPAddress <IP> -netmask <mask>
#add ns ip <IP> <subnet mask> -mgmtAccess [ENABLED|DISABLED] -type MIP
  • Adding a virtual server automatically creates a VIP
  • VLAN tagging does not propagate in NetScaler HA pairs
  • Null routes can be created to prevent routing loops
  • Two interfaces should not be plugged into the same port or VLAN unless link aggregation is used
  • No IP-to-interface mapping => floating IP configuration
  • Why? In HA, when the primary fails, the secondary takes over with no loss of service.
  • When the backend application expects requests for a specific hostname, or redirects you to that hostname, NetScaler should be configured in one of the following ways:
- Configure the VIP for the same hostname
- Use URL transformation to achieve the same result

LB Methods

Least Connection = service with the fewest active connections
Round Robin = rotates through the list of services
Least Response Time (LRTM) = fewest active connections and lowest average response time
Least Bandwidth = service currently serving the least traffic, measured in Mbps
Least Packets = service that has received the fewest packets
Source IP Hash
Destination IP Hash

Persistence Methods

COOKIE Insert = connections carrying the same HTTP cookie, inserted via a Set-Cookie header in the server's response, belong to the same persistence session
SSL Session = connections having the same SSL session ID
RULE = all connections matching a user-defined rule
URL Passive = requests carrying the same server ID (hexadecimal encoding of the server IP and port) of the service to which the request is to be forwarded
Dest IP =
CALL ID = same Call-ID in the SIP header
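The following toy load balancer is an added example (not NetScaler code) that shows how the LB methods and persistence methods above interact: a persistence hit is honoured before the LB method runs, and an unknown or tampered persistence cookie simply falls back to load balancing. Service names, connection counts, client IPs and the cookie name are constructed for the demonstration.

```python
"""Toy load balancer illustrating the LB and persistence methods listed above.

Added example, not NetScaler code: the service names, connection counts,
client IPs and cookie name below are constructed for the demonstration.
"""
import hashlib
import itertools


class Service:
    def __init__(self, name, active_conns=0, avg_rtt_ms=0.0):
        self.name = name
        self.active_conns = active_conns  # connections currently open on this service
        self.avg_rtt_ms = avg_rtt_ms      # average response time, used by LRTM


class LoadBalancer:
    COOKIE = "NSC_PERSIST"  # constructed cookie name, not the one NetScaler uses

    def __init__(self, services, method="ROUNDROBIN", persistence="NONE"):
        self.services = services
        self.method = method
        self.persistence = persistence
        self._rr = itertools.cycle(services)
        self._sourceip_table = {}  # SOURCEIP persistence: client IP -> service name

    def _select(self, client_ip):
        """Pick a service with the configured LB method (no persistence involved)."""
        if self.method == "ROUNDROBIN":
            return next(self._rr)
        if self.method == "LEASTCONNECTION":
            return min(self.services, key=lambda s: s.active_conns)
        if self.method == "LEASTRESPONSETIME":
            # fewest active connections first, lowest average response time as tie-breaker
            return min(self.services, key=lambda s: (s.active_conns, s.avg_rtt_ms))
        if self.method == "SOURCEIPHASH":
            # deterministic: the same client IP always hashes to the same service
            digest = hashlib.sha256(client_ip.encode()).digest()
            return self.services[int.from_bytes(digest[:4], "big") % len(self.services)]
        raise ValueError(f"unknown LB method {self.method}")

    def route(self, client_ip, cookies=None):
        """Route one request; returns (service_name, cookie_value_to_set_or_None)."""
        cookies = cookies or {}
        by_name = {s.name: s for s in self.services}
        # An existing persistence session wins over the LB method ...
        if self.persistence == "COOKIEINSERT" and cookies.get(self.COOKIE) in by_name:
            return cookies[self.COOKIE], None
        if self.persistence == "SOURCEIP" and client_ip in self._sourceip_table:
            return self._sourceip_table[client_ip], None
        # ... otherwise the LB method chooses and a new persistence session is created.
        svc = self._select(client_ip)
        svc.active_conns += 1
        if self.persistence == "COOKIEINSERT":
            return svc.name, svc.name  # cookie value identifies the chosen service
        if self.persistence == "SOURCEIP":
            self._sourceip_table[client_ip] = svc.name
        return svc.name, None


def demo_round_robin():
    lb = LoadBalancer([Service("s1"), Service("s2"), Service("s3")])
    return [lb.route("10.0.0.1")[0] for _ in range(4)]  # ['s1', 's2', 's3', 's1']


def demo_least_connection():
    lb = LoadBalancer([Service("s1", 5), Service("s2", 1), Service("s3", 2)], "LEASTCONNECTION")
    return [lb.route("10.0.0.1")[0] for _ in range(3)]  # ['s2', 's2', 's3']


def demo_cookie_insert():
    lb = LoadBalancer([Service("s1"), Service("s2")], "ROUNDROBIN", "COOKIEINSERT")
    first, cookie = lb.route("10.0.0.1")                       # s1, cookie set
    second, _ = lb.route("10.0.0.1")                           # cookie not returned: s2
    third, _ = lb.route("10.0.0.1", {lb.COOKIE: cookie})       # cookie returned: s1 again
    fourth, _ = lb.route("10.0.0.1", {lb.COOKIE: "tampered"})  # unknown value: re-balanced
    return [first, second, third, fourth]  # ['s1', 's2', 's1', 's1']


def demo_source_ip_hash():
    lb = LoadBalancer([Service("s1"), Service("s2"), Service("s3")], "SOURCEIPHASH")
    return [lb.route("192.0.2.10")[0] for _ in range(3)]  # three identical entries


if __name__ == "__main__":
    print(demo_round_robin(), demo_least_connection(), demo_cookie_insert(), demo_source_ip_hash())
```

The cookie-insert demo is the part worth studying: a client that does not return the cookie (or returns a value naming no known service) is load balanced again, which is why stale or tampered persistence cookies cause session hops rather than errors, and why the source-IP variant needs its own table that survives across requests.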

NetScaler Topology Diagram

  • StoreFront and License server can be installed in the same server to save lab resources.
VIP (NS Gateway): x.x.x.87

NS IP address details

Integrating with SAML Server

You need to have a SAML Server to achieve below setups:

NetScaler as SP

IP Address Scheme	SAML Server	Netscaler VIP	Netscaler SNIP	Backend Server	LDAP Server


add ns ip -type NSIP -vServer DISABLED -mgmtAccess ENABLED -dynamicRouting ENABLED
add ns ip -type VIP -snmp DISABLED
add ns ip -vServer DISABLED -gui DISABLED -ssh DISABLED -mgmtAccess ENABLED
add service Server3 Ubuntu_Server HTTP 8083 -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -sp ON -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO
add service Server4 Ubuntu_Server HTTP 8084 -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -sp ON -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO
add service Server1 Ubuntu_Server HTTP 8081 -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -sp ON -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP YES
add service Server2 Ubuntu_Server HTTP 8082 -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -sp ON -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP YES
add ssl certKey ns-server-certificate -cert ns-server.cert -key ns-server.key
add ssl certKey -cert
add ssl certKey -cert -key -passcrypt "gScQiu+ULgg="
add ssl certKey testlab-root -cert root.cer -passcrypt "gScQiu+ULgg="
add ssl certKey IDP-Cert -cert idp.crt
add authentication samlIdPProfile SAML-IDP-Profile -samlIdPCertName -assertionConsumerServiceURL ""
add lb vserver Saml-Test-Srv SSL 443 -persistenceType SOURCEIP -cltTimeout 180 -AuthenticationHost -Authentication ON -authnVsName Saml-vServer
add authentication vserver Saml-vServer SSL 443
set ns encryptionParams -method AES256 -keyValue 4bd351ed61dbec30ef34ffeafc8d94acdd35e3336fa0b881780f72b293ec33c89ea91201302a0649da1970d4e5fcb5c50a83c0f95c28a29e9b57c9619dd6259b4c55debd1eff2f6ce714fe5974675220 -encrypted -encryptmethod ENCMTHD_3
bind lb vserver Saml-Test-Srv Server3
add dns nameServer
add lb monitor STAMONNHOP-webServer CITRIX-STA-SERVICE-NHOP -LRTM DISABLED -interval 2 MIN -resptimeout 4 -downTime 5 -destIP -destPort 8083
# Caveat: -samlRejectUnsignedAssertion OFF means assertions without a signature are accepted; set it to ON outside the lab so only assertions signed by the IdP certificate are trusted.
add authentication samlAction Saml-vServer -samlIdPCertName -samlSigningCertName -samlRedirectUrl "" -samlUserField sAMAccountName -samlRejectUnsignedAssertion OFF -samlIssuerName testlab-AD-CA -Attribute1 sAMAccountName -logoutURL "" -skewTime 30
add authentication samlPolicy Saml-Policy ns_true Saml-vServer
bind authentication vserver Saml-vServer -policy Saml-Policy -priority 100
bind ssl vserver Saml-Test-Srv -certkeyName
bind ssl vserver Saml-Test-Srv -certkeyName testlab-root -CA -ocspCheck Optional
bind ssl vserver Saml-vServer -certkeyName
set ns param -timezone "GMT+05:30-IST-Asia/Kolkata"
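To make the samlAction parameters above concrete, here is an added example (not NetScaler code) of the checks an SP performs on an incoming assertion: issuer must equal -samlIssuerName, an unsigned assertion is rejected unless -samlRejectUnsignedAssertion is OFF, the validity window is widened by -skewTime seconds, and the username is taken from the -samlUserField attribute. The assertion XML, the SP audience URL and the timestamps are constructed; the issuer name, user field and skew come from the config above. Cryptographic verification of the XML signature is deliberately left to a real XML-DSig library, so this code only enforces that a Signature element is present.

```python
"""Minimal SAML-SP style checks mirroring the samlAction parameters above.

Added example, not NetScaler code. The assertion XML, audience URL and
timestamps are constructed. XML-Signature verification must be done with a
real XML-DSig library (e.g. xmlsec) before any field here is trusted; this
code only enforces that a Signature is present when unsigned assertions are
rejected.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# issuer, user_field, reject_unsigned and skew_seconds mirror the samlAction
# above; the audience is a constructed SP entity ID.
SP_CONFIG = {
    "issuer": "testlab-AD-CA",
    "user_field": "sAMAccountName",
    "reject_unsigned": "ON",
    "skew_seconds": 30,
    "audience": "https://sp.example.test/saml",
}


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, cfg, now):
    """Return (ok, reason, username). 'now' is passed in so checks are deterministic."""
    root = ET.fromstring(xml_text)
    assertion = root if root.tag == f"{{{NS['saml']}}}Assertion" else root.find("saml:Assertion", NS)
    if assertion is None:
        return False, "no Assertion element", None
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != cfg["issuer"]:
        return False, f"unexpected issuer {issuer!r}", None
    # -samlRejectUnsignedAssertion: anything but OFF requires a signature
    if cfg["reject_unsigned"] != "OFF" and assertion.find("ds:Signature", NS) is None:
        return False, "assertion is unsigned", None
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        return False, "missing Conditions", None
    skew = timedelta(seconds=cfg["skew_seconds"])  # -skewTime tolerance on both edges
    nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb and now + skew < parse_time(nb):
        return False, "assertion not yet valid", None
    if na and now - skew >= parse_time(na):
        return False, "assertion expired", None
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audiences and cfg["audience"] not in audiences:
        return False, "audience mismatch", None
    # -samlUserField: the attribute that becomes the authenticated username
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == cfg["user_field"]:
            value = attr.findtext("saml:AttributeValue", default="", namespaces=NS)
            if value:
                return True, "ok", value
    return False, f"attribute {cfg['user_field']} missing", None


def build_assertion(signed=True, issuer="testlab-AD-CA", user="alice"):
    """Constructed assertion; the Signature element is a placeholder, not a real signature."""
    sig = ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
           '<ds:SignatureValue>constructed</ds:SignatureValue></ds:Signature>') if signed else ""
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>{issuer}</saml:Issuer>{sig}
  <saml:Subject><saml:NameID>{user}</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.test/saml</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="sAMAccountName"><saml:AttributeValue>{user}</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check(signed=True, issuer="testlab-AD-CA", now="2024-01-01T12:01:00Z", reject_unsigned="ON"):
    """Validate a constructed assertion at a fixed 'now' with the given reject setting."""
    cfg = dict(SP_CONFIG, reject_unsigned=reject_unsigned)
    return validate_assertion(build_assertion(signed, issuer), cfg, parse_time(now))


if __name__ == "__main__":
    print(check(), check(signed=False), check(signed=False, reject_unsigned="OFF"))
```

Running check(signed=False, reject_unsigned="OFF") shows the effect of the lab setting in the config above: an assertion with no signature at all is accepted and its sAMAccountName attribute becomes the login name, which is why the ON setting is the one to keep outside a lab. The skew cases show that an assertion is still accepted up to 30 seconds after NotOnOrAfter and rejected beyond that.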



Packet Captures

        This section is under construction.

NetScaler as IDP

        This section is under construction.


  • For NetScaler, raise the syslog level to ALL so that every message is logged:
> set syslogParams -logLevel ALL

API Calls

Reboot Netscaler
curl -s -k -X POST -H 'Content-Type:application/json' --basic --user nsroot:pwd@123 -d '{"reboot":{"warm":true}}'
Last Boot time
curl -s -k -X GET -H 'Content-Type:application/json'  --basic --user nsroot:pwd@123

