The Netscaler ADC is an application switch that handles traffic from layer 4 to 7 of the OSI 7 layer model.

The appliances handle features such as:

  • Availability
  • Acceleration
  • Security


Load balance services such as:  Web, DNS, LDAP, App-V, Exchange, SQL

Session Persistence (Sticky sessions) 

Content switching.  For example: Present content in different languages or from different devices

Traffic Domains: Create Mulitple isolated environments

GSLB (Global Server Load Balancing) - To ensure availability is routed to the datacenter closest to the connection endpoint

Surge Protection: Ensure that connections occur at the rate that servers can handle traffic

Priority queuing: Filter Http traffic and ensure users get access to the high priority services


PRR - Proportional Rate Recovery: Reduce web latency caused by packet loss.  Leverage TCP Fast open (TFO) to enable speed & safe data exchange between client and server during the initial TCP handshake

App Compress - Http response compression.  Compress text within HTML, XML, Plain text, CSS, Microsoft Documents

App Cache - In memory storage on the Netscaler appliance that serves web content to users without round trip to an origin server. 


Protect web apps from application layer attacks

Allows legitimate client requests & blocks malicious requests

Built in Denial of Service defences

Protect against legitimate searches in app traffic

Built in Firewall - Protect against app layer attacks such as Buffer overflow, SQL injections, cross-site scripting.  Also offers identity theft protection

Front -End / TCP Optimisation

Reduce the number of requests

Reduce the number of bytes in a page response

Simplify - Optimise the content from server to client browser:

Image Optimisation

Optimise style sheets + javascript

Multipath TCP

Compress traffic with BIX, Cubic Westwood TCP congestion control and Nile or West Nile TCP performance for things such as 3g


MPX - 200-500Gbps - Ultra high performance for the likes of Ecommerce (Physical)

SDX - up to 200Gbps - Up to 115 ADC instances - Consolidate multiple netscalers.  This runs a Xenserver OS  (Physical)

VPX - 10Mbps-100Gbps-Good for SMB or small business or business with less NS infrastructure and lower throughput requirements (Virtual appliance)

CPX - Docker container appliance

ADC in the Cloud (AWS & Azure) - Good for Hybrid or public cloud deployments (Depending on authentication infrastructure location and resoure location)

Boot OS


Kernel OS

ADC Kernel (BSD hands over to ADC Kernel after boot)


As with most network appliances,  the configuration runs in memory until it is commited to disk.

Changes to a Netscaler configuration are saved to the ns.conf file.  You can view the configuration by typing: show ns config

If you wish to view the size of consumed storage on the appliance, got to the shell from cli: shell.  Then type df -h 

To view configuration within running memory: show runningconfig

To save(commit) running config to file: save ns config 

When you browse via the CLI to /nsconfig directory, you will see the ns.conf file.  You may also see ns.conf.0 etc. This is because Netscaler creates a backup of the last file when the configuration is saved.  So you can restore to a previous configuration

Other locations in the shell would be:

/License  (License files stored here)

/SSL (SSL Certs stored here)

/Monitors (Monitor config files stored here)

Console Timeout

If you find the console timeout annoying and would like to change it:

set system parameter -timeout <insert number>   Then save the config: save ns c


Change NSIP

set ns config -ipaddress x.x.x.x 

To add an IP

add ns ip x.x.x.x x.x.x.x -type   (Specify the IP, Mask, and then type eg SNIP etc)

Change System Root Password

set system user nsroot -pass gdfgdfjgdsfjgd

Run the initial Netscaler configuration again


Save config

save ns config, save c

Use Source IP

This is not recommended.  If you really need to have the application server know the client IP, then best to use insert client IP into header option.

Routing Supported

RIP - Routing Information Protocol

OSPF - Open Shortest Path First

BGP - Border Gaeway Protocol

RIPng for IP6 - Routing Information Protocol Next Generatiogn for IP6

OSPF version 3 for IP6


Jumbo Frames

Enable by interface  - set int<insert number> -mtu  <insert number>

sh int


Access Control List

Filter IP addresses

Block DDOS

Extended ACL is more powerful and can be enabled to provide parameters for actions.  you can filter on things like source IP, source port, action, protocol.  you can specify the tasts to allow a packet, deny a packet or bridge a packet



INAT - Inbound NAT - Replaces the destination IP address in packets with private IP of server

RNAT - Reverse NAT - Replaces the source IP from servers with public IP address.


Netscaler   High Availability 

UDP Port 3003 - Heartbeat

TCP 3010 or 3008 (secure) HA synchronisation port

TCP 3011 or 3009(secure) propagation port

When a Netscaler fails over it will update the ARP table of the connected router via a Gratuitous ARP (GARP)

HA Failsafe Node

If both nodes in the HA pair are down, they will automatically demote their status to Secondary.  So both appliances are secondary, which can cause issues.  So enable Fail safe mode so that one of the appliances will remain primary in such a scenario.

HA without GARP

Some routers do not support GARP, so use Virtual MACs (VMACS) so that MACS are floated and shared by the nodes

When Upgrading

Upgrade secondary node first

Configure HA Pair

Secondary node - Stay seocndary(Remain in listening mode)

Primary node - Add IP of secondary via Create HA Node

Secondary - Enable (Actively participate in HA)

Test failover

Always make sure you logon to the active node

Create a SNIP and enable management features on it.  Use this IP to manage the NS pair.  It will always use the active primary

Show HA status

command: show ha node

Show Netscaler IP information

show ns ip

Failover (Force)

force ha failover -force

Load balancing monitors

Usual ping or http connection.  To run more advanced checks use:

ECV - Extended Content Verification - http-ecv.mysql-env  for example.  To run a sql query


EAV - Extended Application Monitor -  To run DNS, FTP or Citrix advanced service checks


Ensure that the connection goes to the same server and sticks (Sticky session).  

Can use: source IP (same client IP to determine)

HTTP Cookie insert - coookie header

ssl session ID


Netscaler builds a persistence table that can be accessed via CLI

Best practice is to use cookie insert for HTTP & SSL and use Source IP for others

LB Protection

If the load balancer fails, you can redirect traffic to an alternative URL by configuring a backup LB Vserver and stateful connection failover

Spillover can occur when:

The number of connections hits the max threshold 

Bandwidth of incoming connections exceeds threshold

When the percentage of weight UP status drops below thresholds