Citrix NetScaler and Content Switching Setup Guide (Single IP Address Woes…)

Citrix NetScaler and Content Switching Setup Guide (Single IP Address Woes…)

Citrix NetScaler and Content Switching Setup Guide (Single IP Address Woes…)

This post has already been read 234630 times!

Working in the technology industry lots of us have home labs to test and learn.  One of the major pitfalls of this is the fact that many of us only have a single public IP address.  This when hosting multiple internal services required externally can become a bit of an issue and very complex with more than often way too many port forwarding rules in place.  This is also the case with many small businesses only having a single entry point to there network.

How to get around this, Citrix NetScaler Content Switching.

The purpose of this article is to provide a guide to setting up a simple Citrix NetScaler Content Switch to host multiple externally facing services from a single IP address.

First – What is the content switch doing in this example?

Essentially we will be setting up a content switch listening on port 443 on a single IP address accessible from the outside world (normally in a DMZ with a NAT rule in place!).  We will point 3 external fqdn records to the SAME address, allow port 443 through our firewall and forward traffic to our content switch.  Once there we will determine what fqdn the end user is using to get to the content switch and redirect there traffic to the relevant internal service based on the external fqdn.

Now this is by no means everything that can be achieved from a NetScaler Content Switch but it is a great starting point and a common pain point for people running labs at home with 1 entry point.


  • This article assumes you already have a NetScaler Gateway built
  • The 3 external fqdn’s we are going to use are, and
  • will redirect the user to a NetScaler Gateway
  • will redirect the user to a SSL offloaded Non-Addressable vServer hosted on the NetScaler pointing to a XenMobile 10.3 Appliance in the DMZ
  • will redirect the user to a SSL offloaded Addressable vServer hosted on the NetScaler pointing to a StoreFront Server (No Default Store Selected on StoreFront)

Lets get going.

First add 3 external DNS records to point to the public IP Address of your router.  In my case I am using ddns to dynamically update a hosting service with my public IP as it is not static.


Next pick a free internal IP Address (this will be your content switch IP) and add a firewall rul to direct all port 443 traffic to that address


Ping all the external URL’s to ensure that all resolve and all go to the same place


Check that your NetScaler Gateway is up and running and verify that the other services you are about to load balance are all working.  I cannot tell you the number of times I have been setting up monitors and wondering why they are not working only to find that the actual service itself is down!





So, the first thing we will need to do is set up the load balancers on the NetScaler to handle the traffic for the Web Server and XenMobile.  In this example I am going to offload SSL to port 80 for both services.

Navigate to Traffic Management – Load Balancing – Servers


Add a server record for each of the back end services you want to load balance


Next go to Services


Click add and enter the details for the service you want to load balance – make sure to point it to the server you created earlier


Once you click OK you can select a monitor.  This is a pretty important step as this is what binds the service you want to load balance and the back end server together.  It essentially probes the server in a certain way to ensure that the service you want to load balance is working as expected.

Click to assign a monitor


NOTE: NetScaler assigns a default monitor to the service.  Click add to bind a more specific monitor to the service


You will see there are a bunch of built in monitors to choose from


Click on Add to add a specific monitor


From the drop down list select STOREFRONT, click on special parameters and enter the name of your store.

This is a Citrix written monitor to specifically check that StoreFront is working on the server.  If you think about it its way better than just a standard HTTP(s) probe.  The reason for this is that IIS could potentially be running on the server fine but your Store is broken / down / deleted etc.  This intelligent monitor will pick up on that and mark the service as down.


If you are monitoring on a secure port be sure to check the Secure box at the bottom of the mail custom monitor page


Bind the monitor to the service


Once bound hit refresh on the Service Monitor binding page – it will show you on the right is the monitor you have configured is working as expected.  At this point you can shut down IIS on your web server and make sure the monitor goes down and is therefore doing its job correctly


Click close and Done to add the monitor and service


Create another service on port 80 for XenMobile using the same steps as above.  However when setting up the monitor configure a TCP monitor to send a request directly to port 8443 of the XenMobile Appliance.  This will ensure that the XenMobile enrollment port is alive and hence XenMobile is working right rather than just checking port 80!


Once finished you will have 2 services now running


Go to Virtual Servers


Click Add to set up your Load Balancer for the Web Server


Give the vServer a name, a free IP Address, select SSL as the protocol


Click on No Load Balancing Service to bind and select your Web Server service from the list provided


Click to bind a certificate (in this case my wildcard certificate) and click Done

You will now see your Virtual Server ready to accept connections


You can test this by going to the server in a browser


Click Add to set up your XenMobile Load Balancer.

NOTE: In this case I am selecting SSL but setting up the Load Balancer as a Non Addressable vServer.  The NetScaler will send traffic to this vServer and hence the backend service on the users behalf.


Select the Service to bind and add the certificate then click done.

You will now have both vServers ready and running to accept Traffic.


If you want to automate this then use the commands below to set up your NetScaler Load Balancers.  Be Sure to substitute the Server IP Addresses, Certificate Names and Store Names

add server web.bretty.local
add server xenmobile.bretty.local
add service web_server_port_80 web.bretty.local HTTP 80 -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -sp ON -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO
add service xenmobile_port_80 xenmobile.bretty.local HTTP 80 -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -sp ON -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO
add ssl certKey -cert wildcardchain.key -key wildcardchain.key
add lb vserver web_vserver_port_443 SSL 443 -persistenceType NONE -cltTimeout 180
add lb vserver xenmobile_vserver_port_443 SSL 0 -persistenceType NONE -cltTimeout 180
add lb monitor custom-storefront-monitor STOREFRONT -scriptName -dispatcherIP -dispatcherPort 3013 -LRTM DISABLED -storename bretty
add lb monitor custon-xenmobile-monitor TCP -LRTM DISABLED -destPort 8443 -secure YES
bind service xenmobile_port_80 -monitorName custon-xenmobile-monitor
bind service web_server_port_80 -monitorName custom-storefront-monitor
bind ssl vserver web_vserver_port_443 -certkeyName
bind ssl vserver xenmobile_vserver_port_443 -certkeyName
bind lb vserver web_vserver_port_443 web_server_port_80
bind lb vserver xenmobile_vserver_port_443 xenmobile_port_80

So, onto the Content Switch, this is where the magic happens.

First Navigate to Traffic Management – Content Switching – Virtual Servers


Click to add a new Content Switch, Select SSL as the protocol to listen on and give it an IP Address.  This will be the IP Address that you redirected your HTTPS traffic to on your firewall earlier.


Don’t bind any policies to the Content Switch just yet but DO add a certificate to the vServer


Your Content Switch vServer will now be running waiting for incoming HTTPS connections.  We have not told it where to direct the traffic so at this point its pretty useless.


Open the Actions.  This is where we will define what to do with the traffic when a policy rule is hit.  For example where to send the traffic coming in on the URL


Click to add an action for the NetScaler Gateway

Give it a name, select NetScaler Gateway Virtual Server from the drop down list then select your NetScaler Gateway from the Target vServer box then click done


Click again to add an action for the XenMobile Service.  This time select Load Balancing Virtual Server from the drop down and select your XenMobile Load Balancing vServer from the Target Load Balancing Virtual Server selection box.


Repeat teh XenMobile step for the Web Server.  You should then have 3 actions to cater for each of the URL’s you will be handling.


Next navigate to policies.  This is where we will tell the Content Switch what URL’s to listen for and what action to take if that URL is picked up in the incoming request hostname


Click to add a new Policy


Give it a name, select the relevane action, then in the expression add the following:


This is effectively telling the Content switch to redirect all traffic coming in on the URL to be directed to the NetScaler Gateway

Repeat this step for the 3 external URL’s editing the expression each time to the URL in question.


Next we need to bind these policies to the content switch so it knows about them.  Open the Content Switch and click where it says No Content Switching Policies Bound


Select your new policies to be bound to the Content Switch


Once all 3 are bound select done your Content Switch is now listening on port 443 for the 3 URL’s you have specified and knows what to do with the traffic once it hits the Content Switch


You are ready to test now.  However if you want to automate the Content Switch set up then here is the script to do it, again substitute the IP addresses and names to suite your environment

add cs vserver content_switch_port_443 SSL 443 -cltTimeout 180
add cs action cs_action_netscaler_gateway -targetVserver netscaler_gateway
add cs action cs_action_xenmobile -targetLBVserver xenmobile_vserver_port_443
add cs action cs_action_web_server -targetLBVserver web_vserver_port_443
add cs policy cs_policy_netscaler_gateway -rule "HTTP.REQ.HOSTNAME.SET_TEXT_MODE(IGNORECASE).EQ(\"\")" -action cs_action_netscaler_gateway
add cs policy cs_policy_xenmobile -rule "HTTP.REQ.HOSTNAME.SET_TEXT_MODE(IGNORECASE).EQ(\"\")" -action cs_action_xenmobile
add cs policy cs_policy_web_server -rule "HTTP.REQ.HOSTNAME.SET_TEXT_MODE(IGNORECASE).EQ(\"\")" -action cs_action_web_server
bind cs vserver content_switch_port_443 -policyName cs_policy_web_server -priority 100
bind cs vserver content_switch_port_443 -policyName cs_policy_xenmobile -priority 110
bind cs vserver content_switch_port_443 -policyName cs_policy_netscaler_gateway -priority 120
bind ssl vserver content_switch_port_443 -certkeyName

Test the URL StoreFront


If you navigate to Content Switch – Policies you will see what policy is service the request


Test XenMobile


Test NetScaler Gateway


You can see all 3 policies have been used to redirect incoming requests


That’s it, hopefully this helps some of you out with your Single IP Address woes and gives you a basic understanding of Citrix NetScaler Content Switching.




29 thoughts on “Citrix NetScaler and Content Switching Setup Guide (Single IP Address Woes…)

  1. Christian

    Hi Bretty , great article.
    To save some ip address on netscaler you could create the vip on load balancing with non addressable set.

    1. Bretty Post author

      That’s what I did in the article with the XenMobile LB. wanted to show both methods addressable and non addressable.
      Thanks for the comment!

  2. Pingback: EUC Weekly Digest – April 23, 2016 – Carl Stalhood

  3. Surya ARBY


    At the beginning I liked to use non adressable Vserver behind a content switching vserver, but in the end it’s a bad idea. In case of troubleshooting it’s great to be able to test your vserver directly without going through the content switching step. Using a non exposed (eventually private) ip address or if you don’t want to use another address, just use the exposed one (protected by a firewall) on another port is better.

    1. Bretty Post author

      I’m working on XenMobile switching. This was just an example of switching traffic. Once I have XenMobile sorted properly I will post that separately.

  4. Pingback: Athentication Vserver – teamnasblog

  5. Bob

    Can you use this method to publish StoreFront externally AND launch your apps/desktops with a single public IP?

    I can get all this to work where I can browse the StoreFront website and login successfully but if I try to launch any of my apps/desktops it fails.

    I thought you needed ICA proxy in Netscaler for this to work with StoreFront?

      1. Bob

        I do have a Netscaler in front of the StoreFront servers but I can only access them via the Netscaler gateway address (this works 100%)

        How do I launch apps/desktops using StoreFront in Citrix Receiver externally without having to login to the Netscaler website?

        1. Bretty Post author

          Receiver will log into the NetScaler Gateway but the session policies assigned will configure native receiver for storefront access via the NetScaler.

          1. Bob

            Stupid question but how do I do this? When I use Citrix Receiver externally and try to add my external Netscaler Gateway URL it prompts me to login but after entering the correct login credentials it just keeps prompting me to login (I know the password is correct because if you enter it incorrectly it tells me that the password is wrong).

            I have tried accessing StoreFront via the Netscaler Gateway address internally and it behaves the same was as accessing it externall (ie: continually prompts me to login).

            So what do I need to do here? You mentioned session policies, do I need a “special” one setup/created for accessing StoreFront via the Netscaler?

            Thanks for the help!

  6. Graham

    Hi Bretty, nice article.

    What certificate did you use for the CS? Was it a wildcard? If not, how did you prevent certificate errors when connecting to the different FQDNs?

    Thanks Graham

  7. Julian

    Hey Dave,

    nice blog post, thanks for sharing!

    View technical questions:

    1. Am I right that a public Name for the CS vServer isn’t needed?
    2. Imagine this setup with a combination with triple a vServer. In your example I add maybe a internal sharepoint server. So now I only want to a authentication for my sharepoint. Here I need a additional public IP for my aaa vServer in combination with my public content switch vserver. Right? So I can set the aaa vserver to my sharepoint LB vServer at NetScaler. When I call my content switch redirects me to my sharepoint lb server, there is a aaa vserver configured, so redirected to, login -> with SSON. Could this be a working setup?

    Thanks and regards

  8. Taylor Shipman

    When I try to bind the policy to the virtual server content switch i get an error saying “Policy cannot bebound to specified policy label” Any ideas? Im setting up a reverse proxy to an internal webserver for users to be able to reset passwords from Netscaler webpage

  9. Daniel

    Was looking for a no-nonsense article for showing a friend of mine how to do this easily for his home lab, with the added bonus of an automation guide. Not surprised your blog came up. Great entry as always.

  10. Paul

    Very good article. A point to note is that the feature set used in creating the Virtual server with content switching requires Enterprise or Platimum licensing.
    Interested to know if anyone was able to accomplished this setup using Netscaler VPX express.

  11. Ram Gopal

    for some reason the LBVips via CS server doesnt work. they work individually but not via the CS server VIP
    i get 404 error or http service error

  12. Kristian

    Awesome guide!

    We have 20-30 services running behind the same IP, but with alot of different root domains, and lots of different certificates (some are LetsEncrypt, that are renewed every 3. month).

    Is it possible to do content switching, without the SSL certificate present? The host header isnt encrypted, so it should be possible?

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.