
CVE-2023-3519: what you should know and how to fix your NetScaler ADC and NetScaler Gateway

Disclaimer: This blog post is meant to help you understand CVE-2023-3519, how you can check whether you are vulnerable, and the community guidelines on how to fix your environment. This blog post does not cover the details of the exploits out there, as I have no interest in sharing what the red team is doing. All responsibility is your own. I highly recommend you read the blog post and take action immediately; don’t hesitate. (Last updated 4th October 2023)


Citrix XenApp Essentials – Microsoft Azure

Citrix XenApp Essentials is now available on Microsoft Azure.

Citrix XenApp Essentials is replacing Microsoft Azure RemoteApp, and customers can now benefit from Citrix technology in a simplified portal on Azure to deliver published apps to any device from any Azure datacenter.


Citrix NetScaler Gateway 11

Citrix has released NetScaler Gateway 11.

This is a major release, and one thing I love about it is that the entire GUI has been changed again and there is now support for VPN access with Android, iOS and Linux.

NetScaler Gateway 11.0 adds the following new features and enhancements:

Citrix NetScaler Gateway 11 with Unified Gateway

This feature extends NetScaler Gateway connectivity with access to any web application through a single URL, along with seamless single sign-on and sign-off. Single URL access can be configured for:

  • Internal organizational web applications
  • Software as a Service applications, including SAML based single sign-on when available
  • Outlook Web Access and SharePoint as clientless applications
  • Load balanced applications served through NetScaler load balancing virtual servers
  • XenApp and XenDesktop published resources.

The feature can be configured and managed with the Unified Gateway wizard in the NetScaler configuration utility. [#00552862, #0438356, #0519875, #0519875]


SmartControl

SmartControl allows policy-based management decisions for ICA connections through the VPN. SmartControl policies can be applied at the session level to control a user’s ICA environment and to further manage ICA connections with SmartGroup sorting decisions.

Portal Customization and EULA

The Portal Customization options have been expanded to allow end-to-end customization of the VPN user portal. Administrators can apply themes to their VPN portal design or use themes as a foundation for their own customization or branding. An option to present VPN users an End User License Agreement (EULA) has also been added to the portal design. Portal themes and EULAs can be bound to a VPN virtual server or specified as global VPN parameters.

New and Updated Gateway Clients

NetScaler Gateway release 11.0 adds new plug-in clients for the following operating systems:

  • Android 4.1 or later
  • iOS 7 or later
  • Linux (Ubuntu 12.04 and 14.04)

Each of these clients provides full SSL VPN tunnel functionality through NetScaler Gateway and supports all authentication methods available in NetScaler Gateway 11.

Additionally, the Mac OS and Windows plug-ins have been refreshed and updated for the 11.0 release, including OS X 10.10 (Yosemite) support for the Mac OS X plug-in.

Plug-in Version Decoupling

The NetScaler Gateway client plug-ins are no longer coupled to the Citrix NetScaler Gateway 11 release versioning. Settings for version requirement per client OS type can be configured globally and within session policies.

Plug-in Icon Decoupling from Citrix Receiver

The desktop client plug-in icons can now be configured to operate independently from native Citrix Receiver clients. Settings to manage Receiver integration with the NetScaler Gateway plug-ins can be configured globally and within session policies.

Disabling Automatic Update for the Windows Gateway Client and EPA Plug-ins

This enhancement adds an option in client Endpoint Analysis (EPA) to prevent automatic client updates by disabling the “EnableAutoUpdate” registry key.

Striped Cluster for Citrix NetScaler Gateway 11 in ICA Proxy Mode

This feature allows administrators to deploy NetScaler Gateway with XenApp and XenDesktop in a striped cluster configuration. Administrators can use existing Gateway configurations and scale seamlessly in a cluster deployment without having to restrict the VPN configuration to a single node.

Note that this feature is limited to ICA Proxy basic-mode virtual servers and does not support SmartAccess.

Clientless VPN support for Outlook Web Access 2013 and SharePoint 2013

NetScaler Gateway has improved support for access to Outlook Web Access 2013 and SharePoint 2013 through Clientless VPN (CVPN) sessions.


WebFront

WebFront is an alternative integration point for XenApp and XenDesktop deployments served by StoreFront. Resident on NetScaler, WebFront uses caching and packet flow optimization in the distribution of user stores. These techniques improve end user experience for Receiver for Web users and speed up single sign-on for native Receiver users. In the NetScaler configuration utility, the WebFront feature is on the Configuration tab at System > WebFront.

ICA Proxy Connection Termination after Session Time Out

Automatic session timeout can be enabled for ICA connections as a VPN parameter. Enabling this parameter forces active ICA connections to time out when a VPN session closes.

Support for Common Gateway Protocol (CGP) over WebSockets

NetScaler Gateway virtual servers have improved intelligence for handling CGP traffic destined for the common CGP port, 2598, over WebSockets. This enhancement allows Receiver for HTML5 user sessions through NetScaler Gateway to support Session Reliability.

SPNEGO Encapsulation for Kerberos Tickets

NetScaler now uses SPNEGO encapsulation on Kerberos tickets that are sent to back-end web applications and servers.

Cross Domain Kerberos Constrained Delegation 

This enhancement adds support for cross-domain Kerberos constrained delegation when both the user and the service realm have a two-way shortcut trust. That is, if the user and service belong to different domains/realms, constrained delegation fails. However, if a user logs on with a user name and password, Kerberos Single Sign-On works for cross-domain access, because the NetScaler Gateway appliance does Kerberos impersonation with the user password. NetScaler Gateway currently does not otherwise support cross-domain constrained delegation.



Download Citrix NetScaler Gateway 11 build 55.20 here (requires MyCitrix ID)

Citrix Technology Professional (CTP) and Microsoft Most Valuable Professional (MVP) Thomas Poppelgaard provides professional services. Write to me by email or call my cell at +45 53540356

Citrix Command Center 5.1 Build 32.2

Citrix has released a new version of Citrix Command Center: 5.1 Build 32.2.

What is Citrix Command Center

Command Center is a centralized management and monitoring solution for Citrix NetScaler, NetScaler Gateway, CloudBridge, CloudBridge Advanced Platform and NetScaler SDX Platform.

What's new in Citrix Command Center 5.1 Build 32.2

The Citrix Command Center Release 5.1, Build 32.2 includes the following new features and enhancements.

  • Authentication Enhancements
  • Counter Reporting Enhancements
  • New SNMP OID Support
  • Host Name Column Added in Device Inventory Page
  • Command Center Appliance Initial Setup Wizard
  • Command Center Appliance Specific Logs
  • New Built-in Tasks Support
  • NetScaler 10.1 SNMP Traps Support
  • Configuration History Email Notifications
  • Ability to Test Email Connectivity
  • CloudBridge Rebranding Changes
  • CloudBridge 2000 & 3000 Support


  1. Authentication Enhancements

    This release delivers the following enhancements to the authentication capabilities of Command Center:

    RADIUS Authentication Settings
    The way that Command Center handles RADIUS authentication after a forced failover is improved. If you configure Command Center servers in high availability mode with RADIUS authentication, you must provide the Secondary Server Client Identifier details.

    Ability to Verify Authentication Server Settings and Connectivity
    With this release, the authentication server settings specified under Administration > Security > Authentication Settings are verified. If the settings are not accurate, an error message prompts you to specify the correct settings.

    Search for Active Directory Groups
    If you enable group extraction from Active Directory, you can browse and search for Active Directory groups while adding groups in Command Center. The number of search results is limited to 5000 results.


  2. Counter Reporting Enhancements

    With this release, Command Center can generate a report to plot the difference in the following counter values between the polling cycles: Vserver hits, Request bytes, Response bytes, Total Packets rcvd, Total Packets sent, Current client connections, Current Client Est connections, Current server connections, and Spill Over Hits.


Download Citrix Command Center 5.1 Build 32 here (requires MyCitrix ID)