How To: NetScaler 10.1 Deployment Part 5: VPN

In the fifth and final part of this blog series on configuring NetScaler 10.1, I will cover VPN configuration. If you have been following along for the entire series, you have a fully functional NetScaler that is successfully load balancing your DNS, LDAP, XML and StoreFront traffic, and providing secure external access via Access Gateway. I consider VPN the “final piece” of the puzzle in a basic config, and in this post I’m going to show you two methods of configuring it.

Also, special shout out to my colleagues Tony Mott and Scott Osborne for helping me work out the kinks in these configs.

If you would like to read the other parts in this article series please go to:

Method 1: Client Choices

In this first method, the user (or admin) would go to the same website they are used to going to, i.e. or Leveraging AAA Groups and Active Directory Security Groups, if the user is in the selected group for access they will be presented with a “Client Choices” page where they can choose to connect via the Access Gateway Plugin, connect via Clientless Access (Access Interface page), or proceed to their XenApp/XenDesktop applications and desktops.

The caveat of this method is that it requires the vServer to be in SmartAccess mode, which eats Universal Licenses for *every* connection through the vServer. So read up on licensing: an excellent blog post by Prashant Batra with Citrix’s Gateway can be found HERE, and Craig Ellrod wrote a great article HERE. There is plenty of material, which is why I won’t rehash all the licensing. With that being said, this is probably the least popular method unless you have a specific reason to deploy in this manner and you have sufficient licensing to support ALL connections, not just VPN connections.

Prerequisite: An Active Directory group set up with the accounts that will be allowed to connect via VPN. For this article the group name is “NetScaler Access”. The name is case sensitive, so be careful when you’re putting it into the NetScaler. I also followed the post HERE to import the full green bubble theme.

Step 1: Navigate to NetScaler Gateway->Policies->Authentication->LDAP. If you followed my blog series you’ll have a policy there. Highlight it and click “Open”.


Step 2: Click “Modify”


Step 3: Ensure the highlighted settings are configured per the screenshot below. Once complete click “OK” and then “OK” again at the Auth policy to close out.


Step 4: Navigate to NetScaler Gateway->Policies->Authorization. Click “Add”


Step 5: Enter a name. Action should be ALLOW.


Step 6: Set the Expression to ns_true. Click “Create” then “Close”.


Step 7: Navigate to NetScaler Gateway->Policies->Session and click “Add”.


Step 8: My screenshot doesn’t match 100% but set the expression to ns_true and create a “New” Request Profile.


Step 9:  Name the new Profile accordingly and ensure the settings match the below. Click “Advanced”.


Step 10: Click Override Global and “Client Choices”. Click “OK”


Step 11: Ensure the Published Applications tab matches the below settings (of course insert your own sf URL and HTTPS if it is secure). Click “OK”.


Step 12: Navigate to NetScaler Gateway->User Administration->AAA Groups. Click “Add”


Step 13: Enter the Group Name exactly as it appears in Active Directory. Case sensitive! Click the “Authorization” tab and select the Authorization policy you configured a few steps ago.


Step 14: Navigate to the Policies Tab and select “Session”. Add your VPN Session policy here. Once done click “Create” then “Close”.


Step 15:  Navigate to NetScaler Gateway->Virtual Servers and double click your Access Gateway vServer to open it. At the top, switch the mode from “Basic Mode” to “SmartAccess Mode”.


Congratulations! You should now be able to access your website, authenticate, and if your account is in the “NetScaler Access” AD Group, get a client choices page similar to the below! (If it’s not similar, go back up to the top and follow my link to the green bubble theme and install it to get a consistent appearance.)


Method 2: VPN vServer

Okay, this second method has a lot in common with the first. We still use Active Directory Groups (AAA Groups) to grant access, but we don’t allow Client Choices or clientless access. Only access via the Access Gateway Plugin, please! We still need a vServer in “SmartAccess Mode” though, because it’s an SSL VPN connection and not ICA Proxy. I think this particular method of configuration is simpler, but that’s just me.

So let’s start off with the config.

First off, follow steps 1 through 8 from above to get your authentication and everything set up.

Starting with Step 9 you’ll see a difference in the settings for the Session Profile. The settings for a standalone vServer session profile should be as below:


On the Published Applications tab, notice ICA Proxy is OFF. Nothing is configured here because this isn’t for any ICA traffic. SSL VPN only!


Next navigate to NetScaler Gateway->Virtual Servers and click “Add”


Name the vServer, IP, protocol SSL, bind your VPN SSL certificate.


On the Authentication tab, bind your LDAP authentication policy we configured in prior articles.


On the Policies tab, bind your SSL VPN Session Policy


Voila! NAT your firewall, set up your DNS, and browse to or whatever name you set up and log in with your credentials. The AG Plug-in should establish a secure SSL connection. Also, don’t forget to put your account in the Active Directory group you configured to be used in AAA Groups. If you’re not in there, you can’t log in.
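Here is an added example (not part of the original post, and not Citrix tooling): a short Python check over a saved running config that reports what both methods above depend on, namely an AAA group whose name differs from the AD group only by case, a group missing its authorization or session policy binding, and vServers in SmartAccess mode. The config lines, policy names and addresses are constructed, and the command forms (`add aaa group`, `bind aaa group ... -policy`, `-icaOnly ON` for Basic mode) are my assumption of how these GUI steps are saved in ns.conf.

```python
import shlex

# Constructed running-config lines (hypothetical names, documentation IPs).
SAMPLE_CONF = '''
add authorization policy pol_authz_allow ns_true ALLOW
add vpn sessionPolicy pol_sess_vpn ns_true prof_vpn
add aaa group "Netscaler Access"
bind aaa group "Netscaler Access" -policy pol_authz_allow -priority 100
add vpn vserver vs_ag SSL 192.0.2.10 443 -icaOnly ON
add vpn vserver vs_vpn SSL 192.0.2.11 443
'''

def parse(conf):
    """Collect policy types, AAA group bindings and vServer modes."""
    kinds, groups, vservers = {}, {}, {}
    for line in conf.splitlines():
        t = shlex.split(line)  # keeps a quoted "NetScaler Access" as one token
        if len(t) < 4:
            continue
        head, name = tuple(t[:3]), t[3]
        flags = dict(zip(t, t[1:]))  # each token mapped to the one after it
        if head in (("add", "authorization", "policy"), ("add", "vpn", "sessionPolicy")):
            kinds[name] = "authorization" if t[1] == "authorization" else "session"
        elif head in (("add", "aaa", "group"), ("bind", "aaa", "group")):
            bound = groups.setdefault(name, set())
            if t[0] == "bind" and "-policy" in flags:
                bound.add(flags["-policy"])
        elif head == ("add", "vpn", "vserver"):
            # Assumption: Basic mode is saved as "-icaOnly ON"; no flag means SmartAccess.
            vservers[name] = "Basic" if flags.get("-icaOnly") == "ON" else "SmartAccess"
    return kinds, groups, vservers

def audit(conf, ad_groups):
    """Return findings for the conditions both methods rely on."""
    kinds, groups, vservers = parse(conf)
    out = []
    for name, bound in groups.items():
        if name not in ad_groups:  # the match is case sensitive
            near = [g for g in ad_groups if g.lower() == name.lower()]
            why = f"case differs from AD group {near[0]!r}" if near else "no such AD group"
            out.append(f"group {name!r}: {why}")
        for need in ("authorization", "session"):
            if need not in {kinds.get(p) for p in bound}:
                out.append(f"group {name!r}: no {need} policy bound")
    out += [f"vserver {v!r}: SmartAccess mode, Universal license per connection"
            for v, mode in vservers.items() if mode == "SmartAccess"]
    return out

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONF, ["NetScaler Access"])))
```

The SmartAccess line is informational: Method 2 needs that mode, so use it to confirm that only the vServers you intended are consuming Universal licenses.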

That concludes this series of articles. Granted, we barely touched the surface of what NetScaler can do, and it took 5 decent sized blog posts to do that! I hope to keep covering more things on the NetScaler going forward with this blog. I hope this series helped someone out there get going on a NetScaler, or learn something they hadn’t known before! Please leave a comment, I do read them.



15 thoughts on “How To: NetScaler 10.1 Deployment Part 5: VPN”

  1. Thanks for this series. One question if you have time… What if you want to incorporate your “Method 2: VPN vServer” with ICA traffic? I mean, the user clicks “Network Access” from the list of client choices, AGEE sets up the SSL VPN, but at the same time redirects the user to the Storefront for the published apps. Any ideas? Thanks.

  2. Hey

    awesome article

    Quick one

    Step 4: Navigate to NetScaler Gateway->Policies->Authentication. Click “Add”

    Should that be “Authorization”?

    • Hi Pete,

      I’ve got it in my pipeline to publish a new series updated for 10.5, but as you can tell it’s quite the undertaking. This 10.1 series should still be applicable, the UI has just changed around some if you fight through it. Otherwise keep a watch for my new series in the coming months.

