

Content switching, ICA proxy, browser detect, AD group detect ?

Started by chris jones , 20 April 2017 - 03:59 AM

chris jones Members


Posted 20 April 2017 - 03:59 AM

Hi there,
I've had a look through the support forums but I can't find a definitive answer as to whether what I'm trying to do is possible.
I'm updating to a new version of XenApp, clients currently connect via an old pair of NetScalers (v9.3) which I also want to upgrade.
I've got all the XenApp infrastructure humming away nicely, the NetScaler is proving a little more difficult to tame.
Can I do all these things at once on the VPX I'm testing with?
1. Client in pilot group on new hardware send to new StoreFront (base NetScaler Gateway works fine)
2. Client not in pilot group on new hardware send to old WI (I'll use an AD group CS redirect)
3. Client in pilot group but on old hardware send to new WI 5.4 which shows new XenApp apps
4. Client not in pilot group or new hardware send to old WI showing old XenApp
And here's the important part - All via ICA proxy, nothing but 443 out of the NetScaler on the client side of the world.
I've got the newer client to new Citrix working fine, I've got the new client going to the old Citrix fine, I've got the old XPe client going to the 5.4 WI fine (CS policy to detect IE7 and below) but it doesn't seem to authenticate at the NetScaler, it just gets passed to the WI as part of the content switching rule.
From there it passes an ICA file back and doesn't want to proxy.
Can I authenticate at the NetScaler, have it content switch based on browser type and still proxy ICA traffic?
I can't seem to get all these things working at once.
Other options I have are building a VPX for the old hardware clients and let attrition take its course... That means I'll need some fluid licensing; as clients drop off I'll move the hosts from old XenApp to new XenApp boxes.
It's too expensive for the client to replace all the old XPe boxes at once.
It's taken me two weeks to get this far (haven't really touched Netscalers before) getting a bit frustrated, am I missing something ?


Carl Stalhood CTP Member


Posted 20 April 2017 - 12:03 PM

On NetScaler Gateway, configure LDAP with Group Extraction.


Go to Gateway > User Administration > AAA Groups and add groups that match your AD groups (case sensitive).


Create session policies/profiles for each group and bind to the AAA groups. Each profile can point to different Web Interface or StoreFront. The bind point needs a lower priority number than whatever's bound to your Gateway vServer.
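
The three steps in the reply above, sketched as NetScaler CLI. This is an added example, not part of the original thread: every object name, IP address, domain, URL and priority value is a placeholder, and it assumes classic (`ns_true`) policies and a Gateway vServer called `gw_vs_example`.

```netscaler
# Added example: all names, addresses and URLs below are placeholders.

# 1. LDAP action with group extraction: memberOf/cn returns the user's AD groups.
add authentication ldapAction ldap_ad_example -serverIP 192.0.2.10 -serverPort 636 -secType SSL -ldapBase "DC=example,DC=local" -ldapBindDn "svc_ldap@example.local" -ldapBindDnPassword <bind-password> -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn
add authentication ldapPolicy ldap_ad_example_pol ns_true ldap_ad_example
bind vpn vserver gw_vs_example -policy ldap_ad_example_pol -priority 100

# 2. AAA group named exactly like the AD group (the match is case sensitive).
add aaa group XenApp-Pilot-Example

# 3. One session profile per destination, both with ICA proxy enabled so
#    authentication and ICA traffic stay on the Gateway.
add vpn sessionAction sess_act_pilot_sf -wihome "https://storefront.example.local/Citrix/StoreWeb" -icaProxy ON -clientlessVpnMode OFF -ntDomain EXAMPLE
add vpn sessionAction sess_act_default_wi -wihome "https://wi.example.local/Citrix/XenApp" -icaProxy ON -clientlessVpnMode OFF -ntDomain EXAMPLE
add vpn sessionPolicy sess_pol_pilot_sf ns_true sess_act_pilot_sf
add vpn sessionPolicy sess_pol_default_wi ns_true sess_act_default_wi

# Default for everyone: bound to the Gateway vServer at priority 100.
bind vpn vserver gw_vs_example -policy sess_pol_default_wi -priority 100

# Pilot override: bound to the AAA group with a LOWER number (50 < 100),
# so it takes precedence over the vServer-bound policy for group members.
bind aaa group XenApp-Pilot-Example -policy sess_pol_pilot_sf -priority 50

# Check the resulting bindings and priorities.
show aaa group XenApp-Pilot-Example
show vpn vserver gw_vs_example
```

If the group-bound policy has the same or a higher priority number than the vServer-bound one, pilot users land on the default Web Interface, so compare the two numbers first when a group override appears to be ignored.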