NetScaler VPX for XenApp with CLI

Steps to provision Citrix NetScaler VPX for XenApp with CLI

Information of VPX

| Information | Description |
| --- | --- |
| Subnet IP | |
| Virtual IP | |
| Version | NS12.0 Build 57.19 – Platinum / Developer License |
| SSL Cert | Let's Encrypt wildcard – * |
| vNIC | Single Only |

  1. Import the downloaded VPX (NS12.0 Build 57.19) to vSphere 6.7
  2. Change the MAC Address to match the license file for VPX

However, we encounter the following error message in the vSphere Web Client:

Impermissible static Ethernet address: '00:0c:29:3b:5c:be'. It conflicts with VMware reserved MACs.

Solution: Log in to the vSphere host and edit the VM's .vmx file:

[[email protected]:/vmfs/volumes/5a641927-8bab2d50-1b2f-f44d306f60a1/NS1] ls -l *.vmx
-rwxr-xr-x    1 root     root          2829 Oct 12 09:11 NS1.vmx

vi NS1.vmx

#Enter the following 
ethernet0.checkMACAddress = "false"
ethernet0.address = "00:0c:29:xx:xx:xx"

#Check the ID of the VPX and power it on
vim-cmd vmsvc/getallvms 
vim-cmd vmsvc/power.on 79
  3. Initial configuration of NetScaler VPX after the NS IP is configured in the console
#Verify NS IP is configured 
sh ns ip

#verify Default Route is configured
sh ns runningConfig | grep route

#Host Name
set ns hostName

#Subnet IP
add ns ip -vServer DISABLED

#Set DNS Server
add dns nameServer

#Add NTP Server
add ntp server
enable ntp sync

#Upload and install License
cd /nsconfig/license 

#SCP the license from workstation to VPX
scp VPX-xx.lic [email protected]:/nsconfig/license

#verify license is installed and updated successfully
sh ns license

#Set Timezone - Required to reboot
set ns param -timezone "GMT+08:00-MYT-Asia/Kuala_Lumpur"

#save configuration and reboot
save ns config 

Enable the following features:
* WL – Web Logging
* LB – Load Balancing
* SSL – SSL Offload
* AAA –
* CH – Call Home

enable ns feature WL SP LB SSL SSLVPN AAA CH

Import the Let's Encrypt certificate by following the link below:
Import PFX to NetScaler VPX

If you have performed a factory reset of the VPX with

clear ns config full
save ns config

The imported SSL certificate files will still remain on the appliance, and you can add them again with

add ssl certKey -cert "/nsconfig/ssl/AventisLab.pem" -key "/nsconfig/ssl/AventisLabKey.pem"
add ssl certKey LetsEncryptIntermediate -cert LetsEncryptIntermediate.cer
add ssl certKey LetsEncryptRoot -cert LetsEncryptRoot.cer
link ssl certKey LetsEncryptIntermediate
link ssl certKey LetsEncryptIntermediate LetsEncryptRoot

Point the public URL ( to internal Store Front

#Add DNS A Record to point URL to Internal Store Front Server
add dns addRec

Configure the LDAP Authentication via AD Server
* LDAP Name =
* LDAP Policy =

#LDAP Authentication 
add authentication ldapAction -serverIP -ldapBase "dc=UAT,dc=aventislab,dc=com" -ldapBindDn [email protected] -ldapBindDnPassword XXXXXXX -ldapLoginName sAMAccountName -authentication DISABLED -requireUser NO

add authentication ldapPolicy NS_TRUE

#Verify LDAP Authentication is working
ldapsearch -b "dc=uat,dc=aventislab,dc=com" -D "[email protected]" -h -p 389 -w 'XXXXXXXX'
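
The LDAP action above reaches the directory on port 389 and sets -authentication DISABLED, which makes the appliance report success once the user is found without checking the password. The following Python lint for `add authentication ldapAction` lines is an added example, not part of the original post; the sample lines, action name, addresses and login-attribute allow-list are constructed, and treating a missing -secType as PLAINTEXT is an assumption about the appliance default.

```python
import shlex

# Login attributes commonly used with AD/LDAP (assumed allow-list, extend as needed).
KNOWN_LOGIN_ATTRS = {"samaccountname", "userprincipalname", "uid", "cn"}

def parse_ldap_action(line):
    """Return (name, {option: value}) for an 'add authentication ldapAction' line, else None."""
    tok = shlex.split(line)
    if [t.lower() for t in tok[:3]] != ["add", "authentication", "ldapaction"] or len(tok) < 4:
        return None
    # Tolerate a line whose action name is missing (options start right away).
    name, i = ("", 3) if tok[3].startswith("-") else (tok[3], 4)
    opts = {}
    while i < len(tok):
        key = tok[i].lstrip("-").lower()      # option names are matched case-insensitively
        has_val = i + 1 < len(tok) and not tok[i + 1].startswith("-")
        opts[key] = tok[i + 1] if has_val else ""
        i += 2 if has_val else 1
    return name, opts

def audit(line):
    """List the weak settings found in one ldapAction line."""
    parsed = parse_ldap_action(line)
    if parsed is None:
        return []
    _, o = parsed
    findings = []
    # Assumption: with no -secType the appliance uses PLAINTEXT.
    if o.get("sectype", "PLAINTEXT").upper() == "PLAINTEXT":
        findings.append("bind and user passwords cross the network unencrypted (secType PLAINTEXT)")
    if o.get("authentication", "ENABLED").upper() == "DISABLED":
        findings.append("password is not verified by this action (authentication DISABLED)")
    if o.get("ldaploginname", "").lower() not in KNOWN_LOGIN_ATTRS:
        findings.append("unrecognised ldapLoginName %r" % o.get("ldaploginname", ""))
    return findings

# Constructed sample lines; name, IP, base DN and bind DN are placeholders.
WEAK = ('add authentication ldapAction LDAP_EXAMPLE -serverIP 192.0.2.10 '
        '-ldapBase "dc=example,dc=test" -ldapBindDn svc@example.test '
        '-ldapLoginName sAMAcoountName -authentication DISABLED -requireUser NO')
HARDENED = ('add authentication ldapAction LDAP_EXAMPLE -serverIP 192.0.2.10 -serverPort 636 '
            '-ldapBase "dc=example,dc=test" -ldapBindDn svc@example.test '
            '-ldapLoginName sAMAccountName -secType SSL -authentication ENABLED')

if __name__ == "__main__":
    for label, line in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, "->", audit(line) or "no findings")
```

Run it over the `add authentication ldapAction` lines of a saved configuration before binding the policy to the gateway vserver.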

Add the following policies, based on the policies generated by the wizard:

add vpn sessionAction AC_OS_192.168.1.178 -transparentInterception OFF -defaultAuthorizationAction ALLOW -SSO ON -ssoCredential PRIMARY -icaProxy ON -wihome "" -ClientChoices OFF -ntDomain -clientlessVpnMode OFF -storefronturl "" -sfGatewayAuthType domain
add vpn sessionAction AC_WB_192.168.1.178 -transparentInterception OFF -defaultAuthorizationAction ALLOW -SSO ON -ssoCredential PRIMARY -icaProxy ON -wihome "" -ClientChoices OFF -ntDomain -clientlessVpnMode OFF -sfGatewayAuthType domain
add vpn sessionPolicy PL_OS_192.168.1.178 "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\")" AC_OS_192.168.1.178
add vpn sessionPolicy PL_WB_192.168.1.178 "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\").NOT" AC_WB_192.168.1.178

Add the VPN Server with Virtual IP =

#VPN Server
add vpn vserver _XD_192.168.1.178_443 SSL 443 -Listenpolicy NONE -tcpProfileName nstcp_default_XA_XD_profile -deploymentType ICA_STOREFRONT -vserverFqdn

#HTTP to HTTPS redirect
add lb vserver HTTP 80 -persistenceType NONE -redirectURL "" -cltTimeout 180

Bind the AAA, Portal Theme, staServer and policies to VPN Server – _XD_192.168.1.178_443

bind vpn vserver _XD_192.168.1.178_443 -staServer ""
bind vpn vserver _XD_192.168.1.178_443 -portaltheme X1
bind vpn vserver _XD_192.168.1.178_443 -policy

bind vpn vserver _XD_192.168.1.178_443 -policy PL_OS_192.168.1.178 -priority 100 -gotoPriorityExpression NEXT -type REQUEST
bind vpn vserver _XD_192.168.1.178_443 -policy PL_WB_192.168.1.178 -priority 110 -gotoPriorityExpression NEXT -type REQUEST

Bind the Let's Encrypt wildcard SSL certificate to _XD_192.168.1.178_443

bind ssl vserver _XD_192.168.1.178_443 -certkeyName

#Save ns config
save ns config

Open Edge and log in to

Launch the App

App successfully launched in HTML5
