Citrix XenDesktop, Turbo, Citrix NetScaler and Network Routing Use Case

Citrix XenDesktop, Turbo, Citrix NetScaler and Network Routing Use Case

Citrix XenDesktop, Turbo, Citrix NetScaler and Network Routing Use Case

This post has already been read 19942 times!

I was fortunate enough this week to speak to Rory from after speaking to a Citrix CTP from and was given a chance to test drive the Turbo Application Delivery method.  Firstly, WOW! What an easy and simple way to deliver applications to Citrix workload’s.  I was really taken aback by how easy it really was to deliver apps seamlessly to servers for users to consume, and in no time at all!!  Seriously, it took about 10 minutes from logging in to having my first delivered published app available to my users, amazing!!

So, after the initial amazement I started to think of use cases that this could really bring some value to the IT Pro’s delivering apps day by day, after a couple of twitter chats with Rory i was drawn the the ability to add IP Routing to containerised apps within Turbo.  I started to think, well – we could block rights to administration web portals (NetScalers) from default browsers and provide specific admin browsers with locked routing to ONLY allow the users to administer the NetScalers from those specific Apps.  This open up loads of options around auditing and control of access to the admin portals without having to involve complex firewall rules and networking, its all done within the application itself, and in minutes !!

So, lets get going.

Lets assume we want to publish 2 Google Chrome Browsers, 1 for general internet use (without access to admin the NetScalers) and a specific Admin Browser with Access to the NetScalers Only.

NetScaler IP Address:

Local Network:

First, my CTP Friend has already written an excellent blog on getting started with Turbo.  This can be found here: and is well worth a read.  I will walk you through downloading and setting up Turbo but Eric will walk you through automating the install!!

From your Citrix Server open up a browser and go to

Screen Shot 2016-02-26 at 19.25.51

Click the Install Turbo Client link

Screen Shot 2016-02-26 at 19.26.03

Save the client to your desktop

Screen Shot 2016-02-26 at 19.26.27

Search for the command prompt and run it as administrator

Screen Shot 2016-02-26 at 19.27.00

Navigate to your downloads and run:

turbo-plugin.exe –all-users

Screen Shot 2016-02-26 at 19.28.32

Let the install run though, as you are installing it for all users your server will need to restart

Screen Shot 2016-02-26 at 19.28.44

While the install is running lets set up the 2 applications in Turbo.

Switch to an internet browser and navigate to and log in as your admin account to the portal.  You will be shown a list of published applications, in this case – none!

Screen Shot 2016-02-26 at 19.31.20

Click on the Hub tab

Screen Shot 2016-02-26 at 19.31.33

Click on Browsers on the right

Screen Shot 2016-02-26 at 19.31.49

Click on add next to Chrome

Rename the application to Chrome No Routes (This will be the default browser for the users – NO Administration Access

Screen Shot 2016-02-26 at 19.32.12

Click Save – this will default to the latest release and allow all internet access outbound – it WONT have any plugging however – that will be covered in another article

Once added and displayed in your portal click the clone icon.

Screen Shot 2016-02-26 at 19.33.04

Give the clone application a name Chrome NetScaler Admin – this will be the application we will restrict to only have access to our NetScalers

Screen Shot 2016-02-26 at 19.33.26

Click on Save and once displayed click the settings icon next to your NetScaler Admin application

Screen Shot 2016-02-26 at 19.33.54

Click on the Network tab then the Routes option

Add the following routes:

IP:// – Deny – this will deny ALL outbound IP Traffic from the application

IP:// – Allow – this will enable access to the NetScaler Admin Portal

Screen Shot 2016-02-26 at 20.21.42

Click save to commit the changes to the application

By this time your Turbo client should have installed and your server restarted.  Log back into the server and run a command prompt as an administrator

Screen Shot 2016-02-26 at 19.27.00

Run the command:

turbo login

Screen Shot 2016-02-26 at 19.37.49

Login as your org account

Screen Shot 2016-02-26 at 19.38.22

run the command:

turbo subscribe –all-users bretty (bretty being the name of your user that you use for Turbo)

Screen Shot 2016-02-26 at 19.39.29

You will see your applications sync to your server

Screen Shot 2016-02-26 at 19.39.48

If you look in the Start Menu you will see your new applications available to run and use

Screen Shot 2016-02-26 at 19.41.04

Lets first run up the NetScaler Admin Browser

Screen Shot 2016-02-26 at 19.45.19

The first time the app runs it will cache and download the application container

Screen Shot 2016-02-26 at 19.40.24

Once it has launched lets test accessing our NetScaler Admin Portal

Screen Shot 2016-02-26 at 19.46.08

Excellent!  We can access the portal – thats our network route to being allowed.  Lets try accessing

Screen Shot 2016-02-26 at 20.23.41

Denied! Excellent – outbound internet access is being denied.  What about another address on my local network.  My router on

Screen Shot 2016-02-26 at 20.23.57

Also denied – brilliant!  So thats the Admin browser sorted out – users can ONLY Access out NetScaler Admin portal and nothing else from the published browser.

Lets move onto our default user browser.

Screen Shot 2016-02-26 at 20.24.28

First lets try

Screen Shot 2016-02-26 at 20.25.06

Excellent – outbound internet access is allowed from the published browser

Lets try out NetScaler Portal

Screen Shot 2016-02-26 at 19.46.08

Not good – we only want access to this to be allowed from the Admin Application

how about another address on the local network

Screen Shot 2016-02-26 at 20.25.23

OK – allowed.  Not good.  We want to block access to admin portals from the general browser and only allow it from the admin browser.

Switch back to the admin portal and open up the Chrome No Routes application for editing.  Navigate to the Network Tab then routes

Screen Shot 2016-02-26 at 20.22.44

Add a route to DENY access to the local network.  NOTE: This is a CIDR block address of /24 – this is blocking access to the whole local subnet – you can add individual addresses here rather than a whole subnet.

Screen Shot 2016-02-26 at 20.28.24

Save the route and switch back to your server.

Open up the admin command prompt and re-run the subscribe command to update the applications

Screen Shot 2016-02-26 at 20.26.42

Relaunch Chrome No Routes

Screen Shot 2016-02-26 at 20.24.28

Test Google again

Screen Shot 2016-02-26 at 20.25.06

Great – still working.  Now try an address on the local subnet

Screen Shot 2016-02-26 at 20.23.41

BLOCKED!  Excellent.

Thats how to publish 2 browsers using one for Admin access to specific portals and one for general access with denied access to admin portals.  A great use case for all those occasions where you need to lock down admin access but don’t have access to complex firewall rules and static IP addresses to restrict access.

Just publish those apps on your existing XenApp or XenDesktop estate and you have some bullet proof browser deployments for your users to consume.

Hope this help some of you out.

Got to say a massive thank you to Rory from Turbo, not only for his assistance with setting up my access to this great product but also for being professional and helpful when i approached him with questions.  A true credit to a massively innovative company.

Check out his blog at :

Thats it for now.




4 thoughts on “Citrix XenDesktop, Turbo, Citrix NetScaler and Network Routing Use Case

  1. Eric

    Great post. Another awesome scenario is e.g. you have a Web app that only works with IE8 & Java 6.x. Out of the box that browser would be very unsecure, so by using the rules you can now open that unsecure browser only for that Web app URL.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.