Netscaler Express Gateway VPX & Web Interface

As many of you know, Web Interface is dying the true death in 2015. That doesn’t stop people from asking me to set up their netscalers in front of it.

You’d think, given how long both of these things have been around, that there would be pretty comprehensive guides on how to do this.
You’d be wrong.

If you have your netscaler in two-arm mode, this becomes even more complicated. I’ll outline the issues I went through and how to resolve them.

The biggest issue you’ll likely face is that once you think you’ve got everything set up, you’ll log in and all will look fine: the LDAP auth will complete, but then you’ll get a 401 Unauthorized error. This is coming from the internal Web Interface. The reason is probably that you can’t resolve the FQDN of the gateway. Or if you can, it resolves to the internet-facing IP and for whatever reason (firewalls, etc.) the traffic doesn’t make its way back to you.
The way around this is to create another gateway with an internal IP, and either add a hosts file entry or update your internal DNS so the name points internally.
Check your XenApp server application event logs for any errors. The main one will probably be due to SSL certificates. Make sure your intermediate certs are in the chain; this is the most common mistake that will break things. You’ll see an error saying that you can’t establish a trusted link. Once you get all this working, you’ll probably come across another poorly documented error.
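Both checks above (where the gateway name resolves, and whether the certificate chain is trusted) can be scripted. The following is an added example, not from the original post; it assumes it is run on the Web Interface server, and the function name `Test-GatewayPath` and the FQDN `gateway.example.com` are placeholders.

```powershell
function Test-GatewayPath {
    param(
        [Parameter(Mandatory=$true)][string]$GatewayFqdn,
        [int]$Port = 443
    )
    # 1. Which address does this server get for the gateway name?
    try { $addresses = [System.Net.Dns]::GetHostAddresses($GatewayFqdn) }
    catch { Write-Warning "Cannot resolve $GatewayFqdn from this server."; return }
    foreach ($ip in $addresses) {
        $b = $ip.GetAddressBytes()
        # Only IPv4 RFC 1918 ranges are treated as internal here.
        $private = ($b.Length -eq 4) -and (($b[0] -eq 10) -or
            ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
            ($b[0] -eq 192 -and $b[1] -eq 168))
        if ($private) { "{0} -> {1} (RFC 1918, internal)" -f $GatewayFqdn, $ip }
        else { Write-Warning "$GatewayFqdn -> $ip is not an RFC 1918 address; traffic may be heading for the internet-facing IP." }
    }
    # 2. Does this server trust the chain the gateway presents?
    $seen = @{ Errors = $null; Chain = @() }
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($s, $certificate, $chain, $sslPolicyErrors)
        $seen.Errors = $sslPolicyErrors
        $seen.Chain  = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
        return $true   # accepted only so the result can be reported; no data is sent
    }
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($GatewayFqdn, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($GatewayFqdn)
        $ssl.Close()
    } catch {
        Write-Warning "TLS connection to ${GatewayFqdn}:$Port failed: $($_.Exception.Message)"
        return
    } finally { $tcp.Close() }
    "Chain as built on this server:"
    $seen.Chain | ForEach-Object { "  $_" }
    if ($seen.Errors -eq [System.Net.Security.SslPolicyErrors]::None) {
        "Chain is trusted from this server."
    } else {
        Write-Warning "Chain not trusted here: $($seen.Errors). Check that the intermediate certs are in the chain on the gateway."
    }
}

Test-GatewayPath -GatewayFqdn 'gateway.example.com'   # placeholder name
```

A chain listing that contains only the gateway's own certificate alongside a chain error is the usual sign that the intermediates are not being sent.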

You’ll now be able to see the internal Web Interface with the published app icons, but clicking on them won’t do anything. You’ll never get an ICA file and the client won’t launch.
The reason is that by default, when you create a new site in Web Interface, it will bind the Handler Mappings to the latest version of .NET. What we need to do is bind it to .NET 2. This is outlined in the following Citrix support article:
Don’t forget to set your servers to trust XML requests, as these will now be coming from your netscaler gateway.

Once you change this you should get an ICA file and your client should then launch.
Congrats, you’ve now replaced your relatively simple secure gateway box with a far more complicated netscaler express gateway VPX!



Published by


Mike Streetz is a Citrix Consultant who works with everyone from small businesses to large enterprises to help their users get work done via Citrix Virtual Apps and Desktops. He has been working in the Citrix space for over 10 years. Mike knows that your users don’t want long logon times, don’t want long waits for files and don’t enjoy when “Citrix is slow”. His job is to help you get the most out of your Citrix environment. Mike has worked with clients to optimize user experience by using tools such as FSLogix alongside Citrix ADC with Global Server Load Balancing to point users to the fastest site to serve their needs. Mike is a Citrix Technology Advocate, CUGC Leader of the Los Angeles chapter, Citrix Certified Professional in Citrix Cloud, Virtual Apps and Desktops and Citrix ADC and holds the Azure Administrator Associate certification. He has previously spoken at the Ruxcon security conference in Australia.