Posts tagged citrix netscaler

NetScaler VPX and the “ssl_error_no_cypher_overlap”

If your management gui is not able to use SSL, or In order to fix the ssl_error_no_cypher_overlap error with the netscaler VPX

access your netscaler via http://yournsip/

Go to “Load Balancing” -> Services -> Internal Services

Open up the nshttps- service

Click over to the SSL Settings tab and click on the Ciphers button

Remove all ciphers and add “DEFAULT” under the “Configured Ciphers Group”

Do the same exact procedure for the nsrpcs-

After you click on, Hit the Save button, and try to connect to your NSIP with https

Facebook Twitter Email Linkedin Digg Delicious

How to Grant your HelpDesk Limited Access to your NetScaler CLI Shell

If you ever needed to troubleshoot login issues with the Netscaler, you know that you have to drop down to the Command Line Interface (shell) in order to trace the aaad.debug log.

But what if you need to give your helpdesk access to the same logs so that they can troubleshoot login issues?  Well, that requires that you give them shell access.

But, as per Citrix, “If a user goes to the shell,  that user is already a root user”, and we sure wouldnt want our helpdesk techs having root access to our Netscalers.  So how do we give them enough access to troubleshoot but not have root, we can create a “Command Policy”

A “Command Policy” is what tells the Netscaler what a user can and cant do, for example, the command policy for “superuser” is “ALLOW .*” (that’s a period and  an asterisk which is Regular Expression for “Any Character”), that means the user with the command policy of superuser can execute any command.

Now to create the command policy for the Helpdesk

  1. Log in to our NetScaler using a superuser account
  2. Under the System Folder, select “Command Policies”
  3. Click the “Add” button and name your new policy “HelpDesk”, make sure that the “Action” is set to “Allow” and enter the following expression under “Command Spec”

    When you are done, it should look like this (you dont need to put text in test command, I only put that there as an example)


Now we have to assign our new policy to our Helpdesk group.  Since my NetScaler is “LDAP enabled” for login in, all I have to do is create a group, assign my new policy, and done. (If your Netscaler is not LDAP enabled, then you will have to go and create users manually and assigning them to the group we are going to create bellow)

  1. Under the same “System” folder, Select “Groups”
  2. Click the “Add” button and name your new group “NetScaler-HelpDesk” (It has to match exactly what your helpdesk group is called in LDAP, in my case I have a group called “NetScaler-HelpDesk”)
  3. Under the “command policies” window, pick your newly created “HelpDesk” Policy, then hit the “Create” and then the “Close” button
  4. Now Fire up putty and try to login with one of your HelpDesk user ID’s, you will see that you can only trace “log” or “debug” files and only in the “/var/log” and “/tmp” directories

    Thats all there is to it.  Now your Helpdesk can troubleshoot NetScaler log in issues while you concentrate on fixing other things


Facebook Twitter Email Linkedin Digg Delicious

Running NetScaler VPX in VMWare Desktop 7

I have production NetScalers, but I also wanted to have a NetScaler on my desktop that I could quickly jump into, make changes, and not worry about breaking something.

Citrix offers a NetScaler Image for ESX, the problem is that the image wont work / load correctly in VMWare Desktop 7, but with a few steps you can have NetScaler running on VMware Desktop in no time.


Before I begin, I’m assuming that you have VMWare Desktop 7 already Installed, and that you have a login to, also, I’m working with NSVPX-ESX-9.2-50.4


  1. Go to and Download the NetScaler VPX for ESX (If you dont see any downloads, you must login first)
  2. Unzip the file using your favorite utility, Once done you should be left with 3 files (.vmdk, .mf, and .ovf)
  3. Create another folder where your “Converted” VM will go
  4. Open up the command prompt (Start -> Run -> CMD) and CD over to the OVFtool folder (for me located at C:\Program Files\VMware\VMware OVF Tool)
  5. Run this command

  6. Now that the command completed, look in your “converted” folder and you should see 2 files (.vmx, .vmdk)
  7. Using your favorite editor, open up the .VMX file and find the line that reads

    Replace that line with
  8. Save the .VMX file, and Move your newly created “converted” folder to wherever it is that you keep your VM machines
  9. Open VMWare Desktop 7, click on File -> Open, find your “converted” folder and select the .VMX file (its probably the only file you can see in the folder)
  10. Now click the Green Start button and off you go, you should end up in a prompt for  asking you for the NetScalers IPv4 address.
  11. Make sure to setup your IP based on the type of Networking you have setup for your VM, if you are using bridged, pick an IP from your routers range, if using NAT assing a 192.168.26.x IP (VMWare Default Range for NAT) and forward port 80 to that IP, if using host only, you dont need to forward port 80 but just make sure you know which IP range it uses
  12. Setup your IP’s any way you want, point your browser over to “http://ipyouchosetouse” and enjoy using your NetScaler on VMWare Desktop 7
Facebook Twitter Email Linkedin Digg Delicious
Go to Top