Getting started with a Citrix ADC MPX and VPX SWG appliance

After installing your Citrix Secure Web Gateway hardware (MPX) or software (VPX) appliance and performing the initial configuration, you are ready to configure it as a secure web gateway appliance to receive traffic.


  • OCSP check requires an internet connection to check the validity of certificates. If your appliance is not accessible from the internet by using the NSIP address, you must add access control lists (ACLs) to perform NAT from the NSIP address to the subnet IP (SNIP) address, which is accessible from the Internet. For example,

     add ns acl a1 ALLOW -srcIP = <NSIP> -destIP "!="
     set rnat a1 -natIP <SNIP>
     apply acls
  • You must specify a DNS name server to resolve domain names. For more information, see Initial configuration.
  • Make sure that the date on the appliance is synchronized with the NTP servers. If the date is not synchronized, the appliance cannot effectively verify whether an origin server certificate is an expired one.

To use the Citrix SWG appliance, you must perform the following tasks:

  • Add a proxy server in explicit or transparent mode.
  • Enable SSL interception.
    • Configure an SSL profile.
    • Add and bind SSL policies to the proxy server.
    • Add and bind a CA certificate-key pair for SSL interception.


A Citrix SWG appliance configured in transparent proxy mode can intercept only HTTP and HTTPS protocols. To bypass any other protocol, such as telnet, you must add the following listen policy on the proxy virtual server.

The virtual server now accepts only HTTP and HTTPS incoming traffic.

set cs vserver transparent-pxy1 PROXY * * -cltTimeout 180 -Listenpolicy "CLIENT.TCP.DSTPORT.EQ(80) || CLIENT.TCP.DSTPORT.EQ(443)"`

You might need to configure the following features, depending on your deployment:

  • Authentication Service (recommended) – to authenticate users.  Without the Authentication Service, user activity is based on client IP address.
  • URL Filtering – to filter URLs on the basis of categories, reputation score, and URL lists.
  • Analytics – to view user activity, user risk indicators, bandwidth consumption, and transactions breakdown in Citrix Application Delivery Management (ADM).

Secure web gateway wizard

The SWG wizard provides administrators with a tool for managing the entire SWG deployment by using a web browser. It helps guide the customers to bring up an SWG service quickly and helps simplify the above configuration by following a sequence of well-defined steps.

  1. Open your web browser and enter the NSIP address that you specified during initial configuration. For more information about initial configuration, see Initial configuration.

  2. Type your user name and password.

    localized image

  3. If you have not specified a subnet IP (SNIP) address, the following screen appears.

    localized image

    In Subnet IP Address, enter an IP address and subnet mask. The check mark in a green circle indicates that the value is configured.

  4. In Host Name, DNS IP Address, and Time Zone, add the IP address of a DNS server to resolve domain names, and specify your time zone.

  5. Click Continue.

  6. (Optional) You might see an exclamation mark, as shown below

    localized image

    This mark indicates that the feature is not enabled. To enable the feature, right-click the feature and then click Enable Feature.

    localized image

  7. In the navigation pane, click Secure Web Gateway. In Getting Started, click Secure Web Gateway Wizard.

    localized image

  8. Follow the steps in the wizard to configure your deployment.

Add a listen policy to the transparent proxy server

  1. Navigate to Secure Web Gateway > Proxy Servers. Select the transparent proxy server and click Edit.

  2. Edit Basic Settings, and click More.

  3. In Listen priority, enter 1.

  4. In Listen Policy Expression, enter the following expression:


    This expression assumes standard ports for HTTP and HTTPS traffic. If you have configured different ports, for example 8080 for HTTP or 8443 for HTTPS, modify the above expression to reflect those ports.


SWG is not supported in a cluster setup, in admin partitions, and on a Citrix ADC FIPS appliance.