New feature in Netscaler – Admin partitions

So this was announced on Synergy earlier this year, and now just arrived in the first enhancement build which is downloadable from

NOTE: There is only a VPX available for XenServer but there is a firmware available which works on regular VPX.

So what is Admin Partitions?

It is a kind of Role-based access segmenting, each user has their own partition which contains their own configuration files and view and logging and so on.

So think like SDX where each department is given their own VPX which has their own SLA using their own build version and so on. Partitions works for a single appliance, so users share the same build and appliancce, but they have their own configuration and setup.

Think of it like a Windows PC, where each user has their own login and they customize their own background and change the shortcuts and so on without it affecting the other users.

So how to set it up ?


System –> Partition Administration –> Partitions.


Here we define a name for the partition and we define how much bandwidth for this partition. So this can be Citrix department (ICA-proxy) and how much bandwidth, connection limit and memory limit. So after we have created this we can go back to the partitions menu and see how it looks.

Next we can add a bridge group or VLAN to the partition abd bind it to a user


We can also change partitions from within the GUI from the admin gui


So after I changed partition I can see that I see how much dedicated this resources has.


And note that partitions also creates new local groups


But note this allows us to partition the Netscaler into different resources and dedicated users. So we can create a partition for the Citrix guys, some for the Networking guys and for instance a partition for the Exchange guys and dedicating system resources to each department.

Stay tuned for more!

Netscaler 10.5 and Storefront 2.6

During a new setup for a customer we were using the latest build from Storefront 2.6  and latest NS build 10.5 (53) to ensure that there are no bugs and so on.

The pre-existing Storefront was setup using regular HTTP (Not recommended) but it should work just fine.

After setting up Netscaler against Storefront and adding different policies everything looked to be working fine.

Well almost… Receiver for web worked as it should we managed to authenticate and start applications as they should. But! when using Citrix Receiver (latest version) we stumbled across something funny.

After starting Citrix Receiver and entering username and password the “enter URL” dialog window popped up again



So I did as every IT-guy does, I enabled logging of Receiver and checked the logs on Storefront and doublechecking on different clients and checked that the store actually was saved in the registry.

Since my first things was that Receiver wasn’t able to store info in registry

NOTE: Citrix Receiver stores info under HKEY_CURRENT_USER
That worked as it should, then I enabled logging on Citrix Receiver and saw trough the logs there.

This is done by adding a couple of registry settings under HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\AuthManager

SDKTracingEnabled = true

TracingEnabled = true


dword, ReceiverVerboseTracingEnabled = 1

The logs are generated under %AppData%\Local\Citrix

but no luck there as well, everything looked as it should be, but still no luck. After that I got some tips from some colleagues that I should enable HTTPS since it was the last logical chooise

and voila! then Citrix Receiver worked as it should.

Veeam Cloud Connect for Microsoft Azure walkthrough

With the recent release of Veeam 8, I was exited to hear that Veeam also added support for Cloud Connect Against Azure. So Cloud Connect is a option for Veeam Cloud providers to offer off-site backup for their customers. So it requires that customers already have Veeam in place, but makes it easy for them to just add a “service provider” to the Veeam console and ship off-site backup to cloud provider.

So why use Azure? First of it might be as simple that you don’t have the available space/hardware/ to supply your customers. Also it might be that you don’t have adequate network infrastructure to support your customers. (NOTE that cloud connect) does not use VPN.

NOTE: That this requires that you have an existing azure account and preconfigured virtual networks and resource groups.

So how do we set this up?
First we go into the newest Azure Portal →


Then go into Marketplace and then search for Veeam (You can see Cloud Connect appearing there)


Choose create, NOTE: This will provision a virtual machine instance in Azure, and note that the default instance is a A2 which can have up to 4 data disks (4 TB of total data)  and total of 2000 IOPS in total. What kind of Disk size you want is up to you to decide. If you need more disk size or more IOPS you need to change to another instance size. 


After that is done you can just wait for the provisioning is complete. Now by default the template does a couple of things, firstly it spins up a VM with Veeam Cloud Connect preinstalled and it also precreates an Endpoint (port 6180) which Veeam will use to communicate and send traffic.


NOTE: On the top of the menu pane on the VM you need to take note of the FQDN of the VM (Since you need it later when addind the service on-premise)

Also take note that the virtual machine has an VIP if (which is by default dynamic) but will remain with the VM as long as it is allocated. The same goes with the internal IP which is this case is but we can assign them both as an static IP address.

I can assign the internal static IP address from the portal itself.(This means that it sets it as an static DHCP allocation) I can also define an Instance IP address. By default a Virtual IP address is shared by many virtual machines inside a cloud service, but an instance IP address is a dedicated public IP for a single virtual machine.


So you should define them both, since if a VM goes down and changes IP-address the cloud connect will not work properly.

After you are done with the ip-addresses you can connect to the VM using RDP (This can be done from the main dashboard and choose connect)
When inside the Cloud connect setup will start automatically


(and yes you need a VCP license) after the license is added it gives you an set of instructions on what do to next


First thing we need to do on the Azure part is to add a customer / user to allow them to authenticate and store content.


Add a username and password


Next, define what type of resources that are available to this customer. Note that by default there is a repository on the local drive C:\ (This should be changed to a data disk repository) but by default the instance has no data disks.)


Then you are done on the Azure part! (Note that the Azure provisioning generated a self-signed certificate) which will generate error messages when connecting from on-premise/customer side so this should be changed to a public certificate to avoid that issue.

So now that we have setup everything on the virtual machine in Azure we need to add the “service provider” gateway on our customer VM running Veeam V8.



Note that the DNS name can be found inside the dashboard of the virtual machine in Azure.

Next we need to add username and password that can be used to authenticate against the providers, and note that by default the Veeam VM in Azure uses a self-signed certificate therefore customers need to add the certificate thumbprint to verify the connection.

Next we see that the Cloud repository we created is available after authenticating in the service provider. Note that it is also possible to use WAN accelerators between customers and Azure. But using WAN accelerator requires more CPU and disk IO on the Azure side (therefore you should look at D-instances Azure Vms (Which has SSD diskes)


Now that we have added the cloud repository we are good to go, now we can just create a new copy backup job and point it to the cloud repository.


Workaround for Netscaler VPX and VMware ESXi 5.5 Build 2143827

This is a quick post, but Citrix has published a workaround for the trouble they have with Netsacler loosing connectivity on Vmware with the latest update.

You can find the workaround here –> 

This is only until Citrix manage to fix the issue and includes it in a newer build of Netscaler

Think you manage to get all the news that has appeared from Microsoft the last month ? don’t think so

So there is alot happening at Microsoft these days. I’ve had trouble my self keeping track what has happend the last weeks or so. Therefore I decided to write this blog to just get an overview myself what’s happend.

Microsoft and Dell launch Cloud Platform Suite

Azure: D-series virtual machine instances

Azure: Network security Groups, Multi NICs on virtual machines, Announcement of Azure Marketplace, New VPN gateway sizes, Force tunnelig, GA of Automation Services, preview of Batch Services, Antimalware of VMs in Azure

Azure: Docker and Microsoft

Azure: Traffic manager, nested profiles

Azure: Website migration tool

Azure: Operations Insight announced

Azure: G-sizes, Premium Storage

Azure: Netscaler and Azure

Azure: General availability for disaster recovery

Azure: PowerShell DSC extensions

Office365: Outlook for Mac

Office365: Builtin MDM

Office365: DLP in Office365

Office365: new plans

Office365: Unlimited Storage


Intune: Secure browser

Intune: MAM features for Office

Intune: Mobile data management

System Center and Windows Server vNext announced

Coming with Netscaler soon..

So alot is happeing with Netscaler these days. So this is a quick post to tell abit about what is happening.

1: Netscaler appliance in coming in Azure. There is now ETA to when this is coming but this is really important to Citrix workloads. I’m also guessing that this is because of Citrix Workspace Services that i coming.

2: Netscaler partitions

Heard a rumour that this is coming reaaaaly soon. with partitions a system admin would be able to logical split up a Netscaler into different entities. Think of it like a windows computer with multuple users. Every user has the option to create their own desktop background and customized GUI, and be able to use their own appliations.

So no longer do we need an SDX to do multi tenancy. Even thou we share the same hardware and OS underneath. It is a really cool feature!

Netscaler and real performance tuning

So yesterday I held a session at Citrix User Group in norway regarding Netscaler and performance tuning, not so much I can really say about performance tuning in 45 minutes but I think I managed alright.

The agenda on my list was

* TCP profiles, Multipath TCP, Path MTU
* SSL profiles and tuning
* Autonegotitation and duplex
* Netscaler VPX
* Jumbo frames and LACP
* Last but not least mobilestream

Now most of this is core Netscaler optimization features, expect Mobilestream which is more related to features standing behind Netscaler. So therefore I wanted to write a blogpost about it as well.

Firstly is the TCP profiles. By default there is an TCP profile which hasen’t changed since 1999. So the Netscaler profile is by default there for compability and not for the best performance, but of course there are alot of different factors invovled here. For instance what kind of network infrastructure you have, packet loss, bandwidth, jitter, firewalls and so on.

But, the main thing is that the default profile does not:

Have Window Scaling activated (Window scaling is usefull send more packets inse the scaling window meaning that we can easier send more data)

Have Selective Acknoledgement activated (Means that we don’t need to resend all the data after a packet loss. Meaning that if we sendt packets 1, 2, 3, 4 , 5 and the sender didn’t receive packet 3 we don’t need to resend 4, 5)

Have Nagle alogrithm activated (Gathers up more data and waits until it reaches the full MTU and then sends the data)

So for instance the ICA-protocol which is very chatty and uses small packets (Which uses alot of overhead) means that it is not suiteable for the regular TCP-profile, so this is where the tcp profile

nstcp_xa_xd_profile (Which has all the features I mentioned above enabled in the policy) but of course you also have the mobile users who are jumping back and forth between different WLAN points or mobile antennas which means there is a point with total packet loss. In the default TCP profile it uses TCP reno, which tries to cut the congestion window in half when it detected a packet loss, not going to do the mobile users any good Smilefjes

Therefore Citrix impletented a variant of the TCP congestion features called Westwood+ which tries to determine the current bandwidth with the device and then it cuts the congestion window to reflect the current bandwidth. Which means that the mobile users can faster get to higher speeds again.

Now also with 10.5 ( I belive) is the option to enable MTCP (Multipatch TCP) so meaning that if you have mobile devices which support two atennas (one for mobile data and one for WIFI which can be used at the same time) we can have two TCP connections from the same device used to access content on the netscaler, its just a policy setting and we are good to go.

The problem is that you need to have specific applications written to leverage MTCP (Not all are there yet)

So go into System –> Profiles –> TCP Profiles (you can either use an existing one or create a new one)


Check for Window Scaling


And here for MTCP (If you need it) SACK and for Nagle.
Now there is also an downfall for Nagle since it waits until it waits until a full MTU has been reached before it sends it across the wire and the mobile user has a lot of packet loss, in theory there might be alot of data that needs to be resent across the wire. So for SQL instances for instance, don’t use Nagle! Smilefjes 

and the cool part is that these policies can be applied on each vServer and of course services, so dependant on the services it is hosting you can create a differnet policy.

The other thing is SSL tuning, there is a few tips here as well. First thing is quantum size. Bu default the quantum size is 8 KB meaning that the Netscaler will get 8 KB of data that is going to be sent across the wire and the sent it to the SSL chips for encrypting. We can also chance this quantum size to 16 KB meaning that more data is allowed inside the encrypted package.


So for solutions exposing for instnace downloading of large files, a 16 KB quantum size is to prefer. Regular websites which has alot of small data I recommend sticking to the 8 KB.

And then there is of course the autonegititation and duplex, which is something that everybody expects to work fine these days, but…

I still see some having issues with this and specific network devices, so you should always try to manually set the speed and duplex on the netscaler and the switch/router/firewall it is connected to.

For the VPX alot of tuning tips are the same as the MPX but….

For instnace the VPX has support for multiple packet engines meaning that you have a specific engine inside the Netscaler which runs all the different policies, handles encryption and so on. So for a regular VPX it is by default setup with 2 vCPU (One CPU for mangement and another for the packet engine) So if you have an VPX 3000 (2 vCPU and 2 GB ram might not be enough) so if you are using XenServer og Vmware you have the option to add more CPU and RAM to gain additional packet engines. (NOTE: Hyper-v does not support this feature and is capped at 2 vCPU and 2 GB ram and 2vNIC DON’T add 3 vNic)

But of course if you are running Hyper-V and Netscaler VPX make sure you have the newest drivers and make sure that VMQ (Virtual Machine Queing)

VMQ means that a VM has a dedicated Queue on the physical network card if VMQ is not working the VM has to use the default queue along with all the other VMs, with alot of Broadcom drivers that VMQ does not work.

And there is also LACP (NIC teaming, Port Channel, 802.3ad) which allows for aggreating and failover/redundacy on physical NICs (Note that this requires configuration on the switche/s and the Netscaler and it only works on the MPX and the SDX.

There is also a new feature which came with 10.5 is the suppor for Jumbo frames, this allows us to send up to 9000 MTU in an ethernet frame (the default 1500 MTU) which allows for much less overhead since there is more data in a single frame that requires less ACKs)


This only works on MPX/SDX as well, since a VPX is reliant on what the hypervisor provides.
This can be configured on per interface. But note that this requires support for jumbo frames on the switch / server, but note that this does not work out over the WAN since it stops at the router or the ISP (This they mostly support the default MTU)

But note the Netscaler also has the Path MTU feature (Which allows) to Netscaler to see the path ahead and see what the lowest minimum MTU is. This feature uses ICMP to determine what the lowest MTU is on a next-hop device. Problem is that since it uses ICMP the next hop devices might be firewalls and such and therefore it might not work. This feature is used to avoid IP fragmentation on the network.

That’s it for now, stay tuned for more Netsacler Smilefjes

Multiple vNet site-to-site configuration in Microsoft Azure

In many cases you would need to establish a site-2-site VPN connection between different subscribtions in Microsoft Azure, now this is a pretty simple process in Azure and can be easily done using the management portal.

Example: We have 2 vNETs configured in Microft Azure within the same region (Note that this does not consume bandwith cost, only gateway hours)


vNEt 1 (Test1) IP adsress subnet space and with a Gateway address of

vNet 2 (Test 2) IP address subnet space and with a Gateway address of

In order to setup a Site-to-site VPN connection I just need to define both of these as local networks as well to each other.

Local Networks:

Local vNet 1(Test1) IP address subnet space and with a Gateway address of

Local vNet 2(Test2) IP address subnet space and with a Gateway addres of

So in the management portal I can just define them as local networks to each other

vNet 2 –> Local vNet 1

vNet 1 –> Local vNet 2

and from there just add a same shared key and allow them to connect.

What if we want a third vNet to integrate with one of the other vNets using a Site-to-Site VPN? Is it possible ? Sure it is. With Microosft Azure it is possible to create up to 10 different VPN tunnels, problem is that the management portal only allows for one VPN tunnel at the time for one vNet. So we need to use PowerShell and a custom network xml file in order to finish the configuration here.

We need to create a new virtual entwork called vNet 3 (Test 3) IP address subnet space and with a Gateway address of (This also has to be created as a local network site as well in order to bind it up to another vNet.

In this examples we will bind vNet 3 to vNet 1, which already has an VPN tunnel activated for vNet 2.


First we need to download the vNet configuration XML, which can be done using the command

get-azurevnetconfig –exporttofile c:\folder\name.xml

Open it up and locate the virtualnetwork site for vNet1

    <VirtualNetworkSite name=»test» Location=»North Europe»>
        <Subnet name=»Subnet-1″>
        <Subnet name=»GatewaySubnet»>
        <DnsServerRef name=»″ />
          <LocalNetworkSiteRef name=»test2″>
            <Connection type=»IPsec» />
          <LocalNetworkSiteRef name=»test3″>
            <Connection type=»IPsec» />


Here is where we need to define our local network we which this vNet to connect to. For vNet 3 which does not have any VPN connection set up we can do this via the managmenet portal. or add a

          <LocalNetworkSiteRef name=»test1″>
            <Connection type=»IPsec» />

In the vnet xml file. After we are done adding the connection path to vNet we need to import the XML file to our azure subscribtion.

This can be done using the set-azurevnetconfig –configurationpath c:\folder\file.xml

After this is done we need to change the sharedkey so that the vNets have the same key.

Set-AzureVnetGatewayKey –VnetName test1 –Localnetworksitename test3 –SharedKey 12345QWERT

Set-AzureVnetGatewayKey –VnetName test3 –Localnetworksitename test1 –SharedKey 12345QWERT

After this is done the connections should be established. Note that if they don’t you need to go into the management portal, into vNet 3 and choose connect.

Then you can go into vNet 1 and see the connection is setup against two vNets.


Citrix Netscaler supported for Lync 2013


Microsoft just updated its support matrix for Lync 2013 (Finally) Where Netscaler is listed as supported for Reverse Proxy and for Load balancing –>

You can also read the deployment guide for Netscaler and Lync here –>

Upcoming speaking events

Alot is happening these days, and I am not standing still. So therefore I wanted to list my speaking events in the upcoming future.

Citrix User Group in Norway is having a boat-trip in the end of October –> (If you are working with Citrix this is an excellent oppurtunity to learn more)

Here I have two sessions (In norwegian)

  • Netscaler and Performance tuning
  • Netscaler and security features

Also I was confirmed as an speaker at next years NIC (Nordic Infrastructure Conference) haven’t gotten any confirmation regardiing what sessions yet, but it’s either Azure or 3D graphics!

  • Azure AD
  • Azure RemoteApp
  • 3d graphics

Få nye innlegg levert til din innboks.

Bli med 48 andre følgere