Creating a Citrix NetScaler Test environment

Citrix ADC/NetScaler Test environment by Johannes Norz

last update: November 2020

Creating a Citrix NetScaler Test environment

New since February 2020: Instead of downloading, you may just use my environment, hosted at my private data centre.

Being a Citrix Certified Instructor I am very much aware of the Red/Green/Blue website used during official Citrix NetScaler training (CNS-220, CNS-222). I created my own test website. I usually use it during product demonstrations to present anything from basic load balancing to the web application firewall.

I am also aware of problems with the original Citrix labs: They sometimes seem to not load balance. Actually, they do, but, because this page is compromised of several files, it may appear to show the same colour all the time. I wanted to avoid this, so my pages don’t use external style-sheets, scripts and images, instead, I added everything into the HTML file (you may include images using base 64 encoding).

I discontinued developing these test-websites, as I am hosting a free to use online-version however nowadays, however, I will not stop distributing the current version. You may download my test website from here. I will update my page every now and then. You can download it as often as you like. The download will ask you for your name. I promise not to abuse it, instead, I’ll just count the numbers of downloads.

There are 3 servers:

  1. the red server
  2. the blue server
  3. the green server

My labs can be used together with official Citrix lab guides (but using my IP addresses instead) or using my great wonderkitchen tuturial.

Requirements and prerequisites


My environment is made of a single Windows server (I tested using 2012R2 Server) and a NetScaler VPX. You may very well use some entry-level virtualization solution like VMWare workstation or Hyper-V on your laptop computer, but professional environment like Xen-Server, KVM and similar may also be used of course.

My download does not include the machines, but the website only. There is no license included, however, you may request a demo license using your Citrix account)


I also provide files for Linux, requiring PHP. I tested using CentOS 7.4.1708. You may set up an apache web server, install php, add multiple IPs and configure apache to use several virtual instances. It should be easy. I currently don’t provide WAF-test files for Linux.

Installation procedure

Import a Citrix NetScaler VPX into your virtualization solution. ( -> downloads -> NetScaler ADC -> Reliese xxx -> Virtual Appliances).

Install a Windows Server (I tested using 2012R2, but I guess it will work with any version from 2008). This server should have 4 GB RAM as a minimum

IP addressing

I used as an NSIP, as a SNIP, 192.168.200 ff for virtual servers

Windows machine used to 24

Windows set up (sorry, no description for Linux setup, basically it’s very easy)

Roles and features

After setting up this windows machine you have to set up IIS. Start Server Manager (if it’s not already started) and click “Add roles and features”. Click Next 3 times.

Select Active Directory Certificate authority,  Web Server IIS and DNS. If asked select following roll- services:

  • .NET Extensibility 4.5
  • ISAPI Extensions
  • ISAPI Filters
  • .NET Extensibility 3.5
  • Certificate Authority
  • Certificate enrolment web service

Setting up the Certificate Authority:

  • stand-alone CA
  • root CA
  • create a new key
  • SHA 256 (or higher)
  • confirm all the rest of the questions

IP configuration

select your network adapter. Change the IP address. Set as an IP address (you may use any other address range you like, but I use 192.168.0.x in my example). DNS should be, gateway depending on your settings.

Click advanced. add 4 more IP addresses ( to

IIS settings

Copy my files into c:\inetpub directory.

Open Internet Information Server Management.

Open your server and select sites. Right-click your server and select add website. Create 4 virtual websites:

Sitename: Sitie1 (2,3,4)
Site path: C:\inetpub\wwwroot1 (2,3,4)
type: HTTP
IP address: (22,23,24)
hostname: (empty)

ASPx is just needed for the Citrix NetScaler Web Application Firewall test page. Check, if ASPX works correctly surfing to If it does not: follow these Microsoft instructions.

additional software

If you want to use this machine as a workstation as well install Google’s Chrome Browser together with Mozilla FireFox. Alternatively, you may create a dedicated work station or use your desktop work station.

You’ll very likely need the SSH terminal putty, the secure copy tool WinSCP and the network monitor WireShark. They can be considered to be the tools used by a NetScaler admin during his daily work.



in DNS manager create a new Forward lookup zone called

Create hosts:


1st lab: create a load balancing vServer


  • srv_red ->
  • srv_green ->
  • srv_blue ->


  • svc_red (HTTP/80)
  • svc_green (HTTP/89)
  • svc_blue (HTTP/80)

Loadbalancing vServer

  • lb_vsrv_colors (

additional labs:

  • add persistence (source IP, cookie-based, …)
  • disable services and see what hapens (re-enable these)
  • unbind red service, create an additional loadbalancing vServer (non addressable), called lb_vsrv_red. Set this one in protection as a backup virtual server. Disable service blue and green. Which status does lb_vsrv_colors have now? Does it work? Why? rebind red service.

2nd lab: certificates

  • use the wizard to create a key and a CSR (hostname * Surf to Request a certificate. download this certificate as BASE 64. Install it into NetScaler
  • create a lb vServer lb_vsrv_colors_secure ( Bind the 3 services and your newly created certificate. Surf to

3rd lab: content switching

  • create a new content switching vServer cs_vsrv_browser
  • create two new cs-policies
    • HTTP.REQ.HEADER(“User-Agent”).CONTAINS(“Trident”)
    • HTTP.REQ.HEADER(“User-Agent”).CONTAINS(“Chrome”)
  • bind these policies to cs_vsrv_browser. The Trident policy should invoke the red, the Chrome policy the blue server. Surf to using an MS- Internetexplorer, a Google Chrome and a FireFox.

4th lab: responding

  • create a responder policy to forward users from to and bind it to lb_vsrv_colours
  • create a responder policy forwarding users from to
  • unbind the responder policy from lb_vsrv_colours

5th lab: rewriting

  • create a rewriting policy rewriting requests for into and bind it to lb_vsrv_colours
  • remove server header from HTTP-response and bind it to lb_vsrv_colours
  • add a server header into HTTP response stating your server to be an Apache and bind it to lb_vsrv_colours

6 thoughts on “Creating a Citrix NetScaler Test environment

  1. fabrice chrzanowski

    you say : “I used as a NSIP, as a SNIP, 192.168.200 ff for virtual servers”
    So you are using only one network ‘
    I created a lab on HV windows 10 Laptop
    I have 2 vswitch (private) on my NS1
    Config of my NS 1 : ENABLED NetScaler IP Active ENABLED ENABLED -N/A- 0 ENABLED Subnet IP Active ENABLED ENABLED -N/A-

    I created a DC and ping OK from NS1 to ad
    Is it a good configuration
    So when will start to created my virtual server for load balacing with VIP must I use
    10.0.0.x ???


    1. Johannes Norz Post author

      It’s OK to have SNIP and NSIP in different subnets. In fact SNIPs are designed to reside in different subnets. That’s the main difference to Mapped IPs, the type of IPs we used in very old versions of NetScalers like 8.x.

      You usually put your SNIPs into the same network as the backend servers or, if this is not possible (i.e. for security reasons) you put it into the same subnet as the router pointing there. VIPs may reside in different subnets as well.

      I just did a single subnet deployment it as this is a testing environment, I wanted to keep it as simple as any possible. In production you usually put NSIP into management network, the VIP into client network and the SNIPs into server network. If you go with a HA deployment (you should) you’ll probably add a SNIP into management network as well, however it will be used for management only.

      So, to answer your final question: The VIP has to be reachable from client side. They usually get separated from SNIPs. However there has to be a working route from VIP to client’s IP



  2. fabrice chrzanowski

    Can I also use same subnet for nsip and snip ?
    Exemple my NS
    and my snip
    Will all work correctly with all the features of NS Plt ?

    1. Johannes Norz Post author

      Of course it will! You may place these IPs in same or different subnets. Best choice depends on your design. I have done anything you can think of: all IPs in the same subnet, NSIP and SNIP in oe subnet, VIP in an other, VIP and SNIP in the same, NSIP in a different one. Anything is fine, anything is supported!

  3. Chrzanowski

    How are you
    So I did all the labs with one subnet
    All fine

    Now I!m doing the lab on NetScaler gateway to configure Ica hdx proxy
    I could also create a vip in the same subnet but I don’t want to show that to my customer . How can I build my lab to simulate external client connecting to my NS . Can I use PfSense tks for your help


Leave a Reply

Your email address will not be published. Required fields are marked *