Management Citrix NetScaler Lead image: Lead Image © Mellimage,
Lead Image © Mellimage,

Citrix NetScaler steps in for Microsoft TMG/ISA

Into the Breach

Since Microsoft announced the discontinuation of its Threat Management Gateway (TMG) – successor to the Internet Security and Acceleration (ISA) Server – companies have been looking for an adequate replacement. Citrix jumps into the breach with its various NetScaler products. By Thomas Joos

NetScaler is a network product that works as an application accelerator and firewall. In other words, integration of the product into the enterprise is best handled by networking experts, because that's where network traffic is directly influenced and controlled. The complexity of NetScaler far exceeds the requirements for managing Citrix products like XenDesktop or XenApp, so you should not underestimate the product despite its apparent simplicity.

Citrix claims that its NetScaler products are the best replacement for Microsoft TMG. The manufacturer has published a corresponding white paper [1] to support this claim. The main advantages of TMG were the built-in wizards that helped admins provide Exchange services, SharePoint, and Lync efficiently on the Internet. Citrix fills the void created by the withdrawal of TMG with its NetScaler products, which are said to offer the full feature set of TMG. NetScaler also has integrated wizards and templates to keep the configuration as simple as possible (Figure 1). However, that's not all.

Citrix NetScaler uses wizards to help you provide Exchange, SharePoint, and Lync on the web.
Figure 1: Citrix NetScaler uses wizards to help you provide Exchange, SharePoint, and Lync on the web.

What NetScaler Offers

Citrix NetScaler can safely provide web-based services such as Exchange, Lync, and SharePoint to users of the public Internet via the internal network. You could also say that NetScaler publishes these services on the Internet. NetScaler also provides load balancing and Layer 4 connection management, content filtering, and URL filtering and rewriting (Figure 2). Additionally, NetScaler offers network access protection, VPN, and more. Administrators also can integrate and set up programs such as antivirus scanners. Different editions and versions support different network bandwidths.

The NetScaler management interface is web based, where you configure all the required settings.
Figure 2: The NetScaler management interface is web based, where you configure all the required settings.

NetScaler, the successor to Citrix Access Gateway, goes by the name of Citrix NetScaler Access Gateway. It supports safe publishing of XenDesktop and XenApps on the Internet and insecure networks. The management of these publications is handled in the same web interface that controls firewall functions.

NetScaler Products Compared

NetScaler is available in several versions and editions. Citrix offers the solution as a hardware appliance, but also as virtual software for VMware, XenServer, and Hyper-V. The hardware-based appliances are labeled NetScaler MPX and offer a throughput of 500Mbps to 120Gbps (according to the manufacturer). Different devices are targeted at different applications and performance levels [2].

According to Citrix, the software-based appliances, called NetScaler VPX, can handle data at 10Mbps to 3Gbps. They can be virtualized with VMware, Hyper-V (Figure 3), and XenServer. Citrix provides test versions based on virtual servers for downloading. NetScaler officially supports XenServer 5.6 or newer, VMware ESX(i) version 3.5 or newer, and Windows Server 2008 R2. In our lab, I was able to import NetScaler VPX on servers running Windows Server 2012 and Hyper-V. The performance of VPX versions, of course, depends greatly on the underlying physical server.

You can also test and virtualize Citrix NetScaler with Hyper-V.
Figure 3: You can also test and virtualize Citrix NetScaler with Hyper-V.

The other editions are SDX and AWS. NetScaler SDX is designed for very large networks; it also consists of a hardware-based appliance but offers virtualization and up to 40 parallel NetScaler instances with a throughput up to 50Gbps. SDX is thus intended mainly for Internet providers and cloud service providers. AWS relies on Amazon Web Services and is a fully web-based service.

Many companies rely on the inexpensive, virtual VPX environment. It has the same functionality as the MPX models, although large data volumes cannot be processed as quickly. The biggest advantage of the VPX version is rapid deployment via virtual machines. However MPX models have advantages in terms of data encryption, such as in SSL offloading. On top of this, the hardware models feature special encryption cards. For VPX models, virtual servers perform encryption, which is significantly slower.

Management of these editions is almost identical. Admins can use the web-based graphical user interface or issue commands from the command line via SSH.

The manufacturer offers Standard, Platinum, and Enterprise levels of the MPX, VPX, SDX, and AWS versions. Citrix provides the data sheet outlining the differences between the various editions [3].

NetScaler VPX [2] has many variants that differ mainly in speed. Companies can also easily switch from smaller to larger VPX models. Additional licensing of other functions can be managed in the web interface or via SSH. The settings for this are available in the System | Licenses section of the web interface.

NetScaler VPX Testing

For your own tests, you can download installation images, including servers based on Hyper-V, VMware, or Citrix XenServer [4]. Even the free versions of the virtualizer are supported. After unpacking the archive, you only need to import the image into the virtual environment. To learn what you need to watch out for when using Hyper-V, check out the movie on Citrix TV [5]; the NetScaler VPX Express version is a free download [6].

During the installation of NetScaler (i.e., after importing the virtual servers), you can log in to the web interface on http://<IP address of the virtual server>. After entering the login name and password, both nsroot, you can then access the Citrix NetScaler web interface.

If the server is not visible on the network, you need to add a virtual network adapter to the settings of the virtual server. Log in to the virtual machine using SSH, again as nsroot. Then, run ping to determine whether the virtual server has a connection to the network. After that, you can work with the web interface.

Online documentation [7] has instructions on how to set up NetScaler. NetScaler has a wizard for setting up the server, which you can launch via the Configuration tab by clicking on Setup Wizard at the bottom of the right window. After setting up the system, you can modify the settings for the IP addresses in the Network section. The username and password for logging into the web interface are found in the System | Users section. At the bottom, you can create additional users with different roles and change the passwords of existing user accounts.

Citrix NetScaler not only integrates local users and administrators but also Active Directory user accounts. This integration is handled by virtual servers in VPX. To manage them, go to System | Authentication | LDAP | Servers. To integrate Active Directory, you need a name for the virtual server, the IP address of a domain controller, an OU, and the username of an administrator in the domain. Policies for authentication via Active Directory are set in System | Authentication | LDAP | Policies

NetScaler in Production Use

To use NetScaler optimally, the device should have at least two network interfaces. One interface is connected to the internal network and the other to the external network. However, as with Microsoft TMG, NetScaler also works with a single network card.

In production, note that you must import a license file. These can be found in the System | Licenses area of the web interface. In many cases you need the host ID of the NetScaler server to license on the Citrix website. This is the MAC address. If you are using a VPX version, you can determine the MAC address directly in the hypervisor.

Even with the trial version and the free NetScaler VPX Express Edition, you can comprehensively secure networks and publish applications. To do so, you will need to download and install AppExpert templates [8]. They provide configuration support similar to that of the setup wizard for publishing Exchange and SharePoint. The templates are simple XML files.

In the web interface, you will find the AppExpert templates for NetScaler in AppExpert (Figure 4). In the middle of the window, you can open the AppExpert template download page and press Import AppExpert Template to import the virtual appliance.

Citrix NetScaler provides an easy way to import templates into the firewall.
Figure 4: Citrix NetScaler provides an easy way to import templates into the firewall.

After integrating the templates, administrators can connect internal solutions such as Exchange, although not as conveniently as with TMG. Before putting NetScaler into production, you need to gather some network information and make some adjustments. Although the product is installed quickly, publishing the various services can take a long time.

Managing NetScaler

In addition to the features already mentioned, you can integrate NetScaler as an access gateway for XenDesktop or XenApps. To do this, go to the Access Gateway in the web interface. This is where you can centrally manage these areas for publication on the internet. Different subsections and wizards help you with the setup.

You can also monitor internal applications and database operations using the web interface. This is available in the Dashboard, launched in a tab at the top of the web interface (Figure 5). The Reporting tab tells NetScaler to create detailed reports.

NetScaler monitored in the web interface.
Figure 5: NetScaler monitored in the web interface.

You can modify NetScaler suit your needs, start various wizards, and import various AppExpert templates in the Configuration section. In the left pane, select the area in which you want to make the changes, and then adjust the settings in the right pane.

Improved Access to Desktops and Apps

The new 10.1 version of NetScaler lets you provide better protection for published desktops or apps, while at the same time accelerating the publication process and improving the user experience on smartphones and tablets. NetScaler uses the Citrix HDX protocol to do this. Additionally, Citrix has integrated an Exchange ActiveSync proxy into NetScaler that allows users to access Exchange mailboxes securely while on the road using NetScaler.

Companies that rely on NetScaler SDX can create and operate a separate instance for Exchange ActiveSync on this basis. Even if the line speed of the connected smartphones constantly changes (e.g., from 3G to LTE or WiFi), the connections are kept. NetScaler uses Multipath TCP for this. Also, new protocols such as Google's SPDY extension are supported by NetScaler version 10.1. SPDY can significantly speed up HTTP connections.

Companies that rely on older versions of NetScaler can upgrade to version 10.1. MPX and VPX appliances are compatible with the new version. If you have a maintenance agreement with Citrix, you can upgrade for free.


Without a doubt, Citrix NetScaler is an excellent replacement for TMG installations. It is designed not just for large companies but also for small businesses and branch offices. Because the solution is available for free, in some cases, and can be tested comprehensively, administrators should take a look at the solution, especially if they are looking for a TMG replacement. In a virtual test environment, Citrix NetScaler is quick to set up and can be readily integrated into existing networks. Companies that already use Citrix products, can benefit from interaction with NetScaler.