On Demand Citrix Nerds consulting services 24 hours a day!
Phone: 1-800-905-0005
Home > Documentation > Netscaler Quick Setup
Installation Documentation
Netscaler Quick Setup using CLI (Command Line Interface)
#MAC address of 00:50:56:00:00:00 is used so that a pre-configured VPX 5 non-expiring free Netscaler license can be used
#SSL certificate file being used was exported with a private key to ssl.pfx with a password of test1 - change your password if you use something different
#SSL Certificate Authority is RapidSSL, but the Intermediate and Root certificates can easily be modified to work with other CA's
#The IP's used for the build were on a 192.168.1.0/24 network - change IP's to match your network
#NSIP (Management) = 192.168.1.20, SNIP = 192.168.1.21, Virtual Server VIP = 192.168.1.22
#Netscaler public access is for citrix.mycorp.com - change to match your FQDN
#Storefront is running via SSL at storefront.mycorp.com - change to match your FQDN
#Citrix Delivery Controller is running on storefront.mycorp.com which is referenced for the STA (Secure Ticket Authority) - change to match your FQDN
#Substitute your own Domain Controller IP address for what for what appears here as 192.168.1.11
#Substitute your own LDAP Base for what for what appears here as dc=mycorp,dc-com with for example dc=domain,dc=local
#Substitute your own LDAP Authentication account for what for what appears here as ldapserviceacct@mycorp.com (This is an Active Directory User service account that has a password that never expires)
#Substitute your own domain user password for what for what appears here as Password987!
#Fast edits so that you can more or less paste in Steps 9, 11, 12, 13, 17 & 18 and have a fully functional Netscaler
#NSIP 192.168.1.20, SNIP: 192.168.1.21, VirtualServer: 192.168.1.22, LDAP Server: 192.168.1.11, LDAP Account: ldapserviceacct@mycorp.com
#LDAP Password: Password987!, DNS: 192.168.1.11, LDAP: dc=mycorp,dc=com, Public FQDN: citrix.mycorp.com, Storefront FQDN: storefront.mycorp.com
#01. VMware - Deploy OVA file
#02. VMware - Change MAC to 005056000000
#03. VMware - Power on Netscaler
#04. VMware console - set IP address (NSIP), subnet mask, default gateway and save
#05. WinSCP to NSIP and copy license file to /nsconfig/license (Non-Expiring for MAC 005056000000)
#06. WinSCP to NSIP and copy ssl.pfx to /nsconfig/ssl
#07. WinSCP to NSIP and copy intermediate.crt to /nsconfig/ssl
#08. WinSCP to NSIP and copy root.crt to /nsconfig/ssl
#09. SSH to NSIP - Set SNIP, set hostname, DNS servers, NTP server and Time Zone
add ns ip 192.168.1.21 255.255.255.0 -vServer DISABLED
set ns hostName ns
add dns nameServer 192.168.1.11
add ntp server time.windows.com
#REM Additional DNS servers: add dns nameServer 192.168.1.12
set ns param -timezone "GMT-08:00-PST-America/Los_Angeles"
#REM Timezome New York: set ns param -timezone "GMT-05:00-EST-America/New_York"
#REM Timezome Chicago: set ns param -timezone "GMT-06:00-CST-America/Chicago"
save config
reboot
#10. Disable Callhome, Disable CUXIP, Enable SSL, Enable Netscaler Gateway, Add SSL cert from PFX and link to Intermediate
disable ns feature ch
set system parameter -doppler disabled
set adm parameter -admserviceconnect disabled
enable ns feature SSL SSLVPN
add ssl certKey SSL -cert ssl.pfx -key ssl.pfx -inform PFX -password test1
add ssl certKey Intermediate -cert intermediate.crt
add ssl certKey Root -cert root.crt
link ssl certKey SSL Intermediate
link ssl certKey Intermediate Root
#11. Create LDAP server and Policy
add authentication ldapAction LDAP_Server -serverIP 192.168.1.11 -serverPort 389 -ldapBase "dc=mycorp,dc=com" -ldapBindDn ldapserviceacct@mycorp.com -ldapBindDnPassword Password987! -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn -secType PlainText -passwdChange ENABLED
#REM Optional SSL: add authentication ldapAction LDAP_Server -serverIP 192.168.1.11 -serverPort 636 -ldapBase "dc=mycorp,dc=com" -ldapBindDn ldapserviceacct@mycorp.com -ldapBindDnPassword Password987! -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn -secType SSL -passwdChange ENABLED
#REM Optional Backup Domain Controller: add authentication ldapAction LDAP_ServerBkup -serverIP 192.168.1.12 -serverPort 389 -ldapBase "dc=mycorp,dc=com" -ldapBindDn ldapserviceacct@mycorp.com -ldapBindDnPassword Password987! -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn -secType PlainText -passwdChange ENABLED
#REM Optional SSL Backup Domain Controller: add authentication ldapAction LDAP_ServerBkup -serverIP 192.168.1.12 -serverPort 636 -ldapBase "dc=mycorp,dc=com" -ldapBindDn ldapserviceacct@mycorp.com -ldapBindDnPassword Password987! -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn -secType SSL -passwdChange ENABLED
#REM To filter user accounts which are permitted to logon by Active Directory group named CitrixUsersExternal
#REM set authentication ldapAction LDAP_Server -searchFilter "memberOf=CN=CitrixUsersExternal,CN=Users,DC=mycorp,DC=com"
add authentication ldapPolicy LDAP_Pol NS_TRUE LDAP_Server
#REM Optional Backup Domain Controller: add authentication ldapPolicy LDAP_PolBkup NS_TRUE LDAP_ServerBkup
#12. Redirect HTTP to HTTPS
enable feature lb
add lb vserver http_redirect_to_ssl HTTP 192.168.1.22 80 -persistenceType NONE -redirectURL "https://citrix.mycorp.com" -cltTimeout 180
#13. Create Virtual Server for Netscaler Gateway and set SSL protocols
add vpn vserver VirtualServer SSL 192.168.1.22 443 -icaOnly ON -Listenpolicy NONE -tcpProfileName nstcp_default_XA_XD_profile -deploymentType ICA_STOREFRONT -vserverFqdn citrix.mycorp.com
set ssl vserver VirtualServer -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED -tls12 ENABLED -tls13 ENABLED -HSTS DISABLED -maxage 157680000
set ssl parameter -denySSLReneg FRONTEND_CLIENT
#14. Create Secure Cipher Suite
add ssl cipher SecureCiphers
bind ssl cipher SecureCiphers -cipherName TLS1.3-AES256-GCM-SHA384 -cipherPriority 1
bind ssl cipher SecureCiphers -cipherName TLS1.3-AES128-GCM-SHA256 -cipherPriority 2
bind ssl cipher SecureCiphers -cipherName TLS1.3-CHACHA20-POLY1305-SHA256 -cipherPriority 3
bind ssl cipher SecureCiphers -cipherName TLS1.2-ECDHE-ECDSA-AES128-GCM-SHA256 -cipherPriority 4
bind ssl cipher SecureCiphers -cipherName TLS1.2-ECDHE-ECDSA-AES256-GCM-SHA384 -cipherPriority 5
bind ssl cipher SecureCiphers -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256 -cipherPriority 6
bind ssl cipher SecureCiphers -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384 -cipherPriority 7
#15. Bind SSL to vServer
bind ssl vserver VirtualServer -certkeyName SSL
#16. Bind vServer to Secure Cipher Suite
bind ssl vserver VirtualServer -cipherName SecureCiphers
unbind ssl vserver VirtualServer -cipherName DEFAULT
#17. Create Session Actions & Polices
add vpn sessionAction AC_OS_Receiver -transparentInterception OFF -defaultAuthorizationAction ALLOW -SSO ON -ssoCredential PRIMARY -icaProxy ON -wihome "https://storefront.mycorp.com/citrix/storeweb" -ClientChoices OFF -ntDomain mycorp.com -clientlessVpnMode OFF -storefronturl "https://storefront.mycorp.com" -sfGatewayAuthType domain
add vpn sessionAction AC_WB_Web -transparentInterception OFF -defaultAuthorizationAction ALLOW -SSO ON -ssoCredential PRIMARY -icaProxy ON -wihome "https://storefront.mycorp.com/citrix/storeweb" -ClientChoices OFF -ntDomain mycorp.com -clientlessVpnMode OFF -sfGatewayAuthType domain
set vpn sessionAction AC_WB_Web -sessTimeout 720
add vpn sessionPolicy PL_OS_Receiver "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\")" AC_OS_Receiver
add vpn sessionPolicy PL_WB_Web "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\").NOT" AC_WB_Web
#18. Bind STA, LDAP and Session Policies
bind vpn vserver VirtualServer -staServer "http://storefront.mycorp.com"
bind vpn vserver VirtualServer -policy LDAP_Pol
#REM Optional Backup Domain Controller: bind vpn vserver VirtualServer -policy LDAP_PolBkup
bind vpn vserver VirtualServer -policy PL_OS_Receiver -priority 100 -gotoPriorityExpression NEXT -type REQUEST
bind vpn vserver VirtualServer -policy PL_WB_Web -priority 110 -gotoPriorityExpression NEXT -type REQUEST