September 27, 2017

This section provides the FAQs on the following NetScaler MAS features. Click a feature name in the following table to view the list of FAQs for that feature.

  • Analytics
  • Authentication
  • Configuration Management
  • Certificate Management
  • Event Management
  • Instance Management
  • Stylebooks
  • System Management


Should I enable EUEM virtual channel on NetScaler Gateway instances deployed in single-hop mode?

EUEM virtual channel data is part of HDX Insight data that the NetScaler MAS receives from Gateway instances. EUEM virtual channel provides the data about ICA RTT. If EUEM virtual channel is not enabled, the remaining HDX Insight data are still displayed on NetScaler MAS.

EUEM virtual channel is a default service running on Citrix virtual desktop applications (VDA). If it is not running, start the “Citrix End User Experience Monitoring” process in VDA services.

How do I enable NetScaler MAS to monitor web-application and virtual-desktop traffic?

  1. Navigate to Infrastructure > Instances.

  2. Select the NetScaler instance on which you want to enable analytics.

  3. Select Enable/Disable Insight from the Action menu.

  4. In the Configure Insight page that opens, select all the virtual servers on which you want to enable analytics.

  5. Click Enable AppFlow.

For more details, see How to Enable Analytics on Instances.


For NetScaler instances of 11.0 release, 65.30 build and above, there is no option on NetScaler MAS to enable Security Insight explicitly. Ensure that you configure the AppFlow parameters on the NetScaler instances. The NetScaler MAS starts receiving the Security Insight traffic along with the Web Insight traffic.

For more information on how to set the AppFlow parameters on NetScaler instances, see To set the AppFlow parameters by using the configuration utility.

After I add the NetScaler instances, does NetScaler MAS automatically start collecting analytical information?

No. First, enable analytics on the virtual servers hosted in NetScaler instances that are managed by NetScaler MAS. For more details, see How to Enable Analytics on Instances.

Should I access the individual NetScaler appliance for enabling analytics?

No. All configuration is done from the NetScaler MAS user interface, which lists the virtual servers hosted on the specific NetScaler instance. For more details, see How to Enable Analytics on Instances.

What are the types of virtual servers that can be listed on a NetScaler instance to enable analytics?

Currently, the NetScaler MAS user interface lists the following virtual servers for enabling analytics:

  • Load balancing virtual server
  • Content switching virtual server
  • VPN virtual server
  • Cache redirection virtual server

How do I attach an extra disk to NetScaler MAS?

To attach an extra disk to NetScaler MAS:

  1. Shut down the NetScaler MAS virtual machine.

  2. In the hypervisor, attach an extra disk of the required disk size to NetScaler MAS virtual machine.

    For example, to increase the disk space of a NetScaler MAS virtual machine from 120 GB to 200 GB, attach a 200 GB disk rather than an 80 GB disk. The newly attached 200 GB disk stores database data and NetScaler MAS log files. The existing 120 GB disk stores core files, operating system log files, and so on.

  3. Start the NetScaler MAS virtual machine.

What does “collectors are not configured on Citrix ADC instances” mean?

A collector receives AppFlow records generated by the Citrix ADC appliance.

Citrix ADM receives Security Insight and Web Insight traffic from the Citrix ADC instances when the AppFlow feature is enabled. When you enable the AppFlow feature on a Citrix ADC instance, you must specify at least one collector to which the AppFlow records are sent. If the collectors are not configured on the Citrix ADC instances, Citrix ADM does not receive the traffic from the instances.

For example, five Citrix ADC instances are added to Citrix ADM. If collectors are not specified for two instances, no traffic flows to Citrix ADM from those instances. Self-service diagnostics detects the issue and reports it as “Collectors are not configured on 2 instances.”

For more information about how to configure the AppFlow Feature, see Configuring the AppFlow Feature.


What is load balancing of authentication requests?

The authentication-server load balancing feature enables NetScaler MAS to load balance the authentication requests. These requests are normally directed to the external authentication servers. When the authentication servers are load balanced, the authentication load is split across multiple authentication servers, which prevents any one authentication server from being overloaded.

You can create an authentication service to connect with and get user information from your existing external authentication server using the authentication protocols like LDAP, RADIUS, or TACACS.

Why do we need to cascade external authentication servers?

Cascaded external authentication servers provide uninterrupted authentication processing, allowing access to legitimate users if an authentication server fails. There is no limitation on which types of authentication servers you can cascade. You can have all RADIUS servers, or all LDAP servers, or a combination of RADIUS and LDAP servers.

How many external authentication servers can I cascade?

You can cascade up to 32 external authentication servers in NetScaler MAS.

Do I have an alternative when external authentication fails?

If external authentication fails completely, even when you have cascaded several servers, users are locked out.

For example, the external servers can become unreachable, or a new user’s credentials might not have been entered in any of the external authentication servers.

To prevent locking users in such situations, enable fallback local authentication.

For more details, see Fallback local authentication.

What is fallback local authentication?

Fallback local authentication is an option to authenticate your users locally when external authentication fails. If external authentication fails, NetScaler MAS accesses the local user database to authenticate your users.

In NetScaler MAS, navigate to System > Authentication > Authentication Configuration. On this page, you can add multiple external authentication servers in a cascade, and you can select the Enable fallback local authentication option.

What is extraction of external user groups?

If you have added external servers for authenticating the users, you can import (extract) existing user groups into NetScaler MAS. Import user groups once and provide a group permission to a user group rather than importing individual users and giving them individual permissions. You do not have to recreate the users on NetScaler MAS.

Why do we need to assign group permissions?

When you are using NetScaler’s load balancing feature, you can integrate NetScaler MAS with external authentication servers. Then, import the user group information from the authentication servers. Log in to NetScaler MAS and manually create the same group information in NetScaler MAS and assign permission to those groups. The user and user group permission is managed in NetScaler MAS and not in the external server. The users have different role-based access permissions on the external servers. Configure the same permissions for the users in NetScaler MAS also. Instead of configuring permissions individually for each user, you can configure a group-level permission so that the user-group members can access specific services on the load balanced virtual servers. The typical permissions that you can assign are permissions to manage NetScaler instances, NetScaler SDX instances, virtual servers, and so on, so that the users of that group can manage only those instances or virtual servers. You can later edit the permissions given to the users at the group level. You can even remove one or more user groups; other group users still function on NetScaler MAS.

Configuration Management

Can I perform configuration across multiple NetScaler instances simultaneously using NetScaler MAS?

Yes, you can use configuration jobs to perform configuration across multiple NetScaler instances.

What are configuration jobs on NetScaler MAS?

A job is a set of configuration commands that you can create and run on one or more managed instances. You create jobs to:

  • Make configuration changes across instances
  • Replicate configurations on multiple instances on your network
  • Record-and-play configuration tasks using the NetScaler MAS GUI
  • Convert the recorded tasks into CLI commands

You can use the Configuration Jobs feature of NetScaler MAS to create a configuration job, send email notifications, and check execution logs of the jobs created.

Can I schedule jobs using built-in templates in NetScaler MAS?

Yes, you can schedule a job by using the built-in template option. A job is a set of configuration commands that you can run on one or more managed instances. For example, you can use the built-in template option to schedule a job to configure syslog servers. You can choose to execute the job immediately, or schedule the job to be executed later.

You can save the configuration of a job that was previously created, and run the job again after modifying the commands, the parameters, the configuration source, and targeted instances. This configuration is useful when the same set of commands has to be executed on a different instance, or when the job encounters an error and stops further execution.

Certificate Management

Does the deletion of SSL certificates from NetScaler MAS lead to deletion of certificates from NetScaler instances?



What is the default user name and password?

  • After you complete the initial network configuration, you can log on to NetScaler MAS from the hypervisor or SSH console, using the default user name and password (nsrecover/nsroot).

  • The default user name and password to log on from the GUI is nsroot/nsroot.

How to change the default password?

To change the password:

  1. In NetScaler MAS, navigate to System > User Administration > Users.

    The Users page is displayed.

  2. Select the user name nsroot and click Edit.

    The Configure System User page is displayed.

  3. Select Change Password and create a password of your choice.

  4. Click OK.

    You can now use the new password to log on from GUI and hypervisor or SSH console.


    You cannot modify the user name.

Does NetScaler MAS support SAN Storage?

Citrix recommends that you host the NetScaler MAS VHD on local storage. When hosted on storage devices in a storage area network (SAN), NetScaler MAS might not work as expected.

Does NetScaler MAS support additional disk?

Yes. A new installation of NetScaler MAS HA pair allocates 120 GB of storage by default. For more than 120 GB storage, you can add one additional disk for a maximum of 3 TB storage. Adding more than one additional disk is not supported.

In an HA pair, if the password is changed on the primary node and the Break HA pair option is selected later, what is the behavior?

You can log on to both standalone nodes using your new password.

If two standalone servers have different passwords, what is the impact of deploying these two servers as an HA pair?

It is recommended that both servers have the default password when you deploy two standalone servers as an HA pair.

The HA configuration is complete, but the primary node GUI is not accessible. What can be the reason?

It takes a few minutes for the configuration to take effect. You can try accessing again after a few minutes.

What DB is supported in Citrix ADM standalone and Citrix ADM HA?

Both Citrix ADM standalone and Citrix ADM HA support PostgreSQL.

What is the potential data loss to the secondary node?

The secondary node listens to the heartbeat messages that the primary node sends through the Citrix ADM database. If the secondary node does not receive the heartbeats for more than 180 seconds, then the secondary node performs an SSH-based check on the primary node. If the heartbeat and SSH-based check fail, the primary node is considered to be down.

In this scenario, the secondary node takes over as the primary node and the 180 seconds timeframe can be considered as the possible data loss to the secondary node.

What happens if the primary node is down?

The secondary node takes over and becomes the primary node.

Event Management

How can I monitor all the events that have been generated on my managed NetScaler instances using NetScaler MAS?

As a network administrator, you can view details such as:

  • Configuration changes
  • Log on conditions
  • Hardware failures
  • Threshold violations
  • Entity state changes on your NetScaler instances along with events, and their severity on specific instances.

You can use the NetScaler MAS events dashboard to view reports generated for critical event severity details on all your NetScaler instances.

What are event rules?

Using NetScaler MAS, you can configure rules to monitor specific events. Event Rules make it easier to monitor many events generated across your NetScaler infrastructure.

You can filter a set of events by configuring rules with specific conditions and assigning actions to the rules. When the events generated meet the filter criteria in the rule, the action associated with the rule is executed.

The conditions for which you can create filters are severity, NetScaler instances, category, and failure objects. The actions you can assign to the events are:

  • Send an email notification
  • Forward SNMP traps from managed NetScaler instances to the NetScaler MAS
  • Send an SMS notification

Instance Management

What are data centers in NetScaler MAS?

A NetScaler MAS data center is a logical grouping of the NetScaler instances in a specific geographical location. Each server can monitor and manage several NetScaler instances within a data center. You can use the NetScaler MAS server to manage data such as syslog, application traffic flow, and SNMP traps from the managed instances. For more details on configuring data centers, see How to Configure Data Centers for Geomaps in NetScaler MAS.

What are the different Citrix Appliances that NetScaler MAS supports?

Instances are the Citrix appliances or virtual appliances that you want to discover, manage, and monitor from NetScaler MAS. Add these instances to the NetScaler MAS server. You can add the following Citrix appliances and virtual appliances to NetScaler MAS:

  • NetScaler MPX

  • NetScaler VPX

  • NetScaler SDX

  • NetScaler CPX

  • NetScaler Gateway

  • NetScaler SD-WAN WO

  • NetScaler SD-WAN EE

You can add instances either while setting up the NetScaler MAS server for the first time or later.

What is an instance profile?

An instance profile is used by NetScaler MAS to access an instance.

An instance profile contains the user name and password for access to one or more instances. A default profile is available for each instance type. For example, the ns-root-profile is the default profile for NetScaler instances. It contains the default NetScaler administrator credentials. When you change the credentials required for access to instances, you can define custom instance profiles for those instances.

Can we add unlimited SD-WAN instances in NetScaler MAS? Can NetScaler MAS handle all scalar and vector counters for SD-WAN?

Currently, there is no license limit on SD-WAN instances that can be added to NetScaler MAS. NetScaler MAS has a set of built-in reports that internally polls both scalar and vector counters.

Can I rediscover multiple NetScaler VPX instances in NetScaler MAS?

Yes, you can rediscover multiple NetScaler VPX instances in NetScaler MAS to learn the latest states and configurations of the instances.

Navigate to Networks > Instances > NetScaler VPX, and select the instances that you want to rediscover. In the Action menu, click Rediscover. For more information, see How to Rediscover Multiple VPX Instances.

Can NetScaler MAS be installed on NetScaler SDX?



Can stylebooks be used to configure different NetScaler instances running on different versions of the NetScaler software?

Yes, you can use stylebooks to configure different NetScaler instances running on different versions if there is no discrepancy between the commands across different versions.

When a stylebook is used to configure multiple NetScaler instances at the same time, and configuration of one NetScaler instance fails, what happens?

If applying the configuration to a NetScaler instance fails, the configuration is not applied on any more instances, and already-applied configurations are rolled back.

Do NetScaler backups made through NetScaler MAS include configurations applied through Stylebooks?


System Management

Can I assign a host name to my NetScaler MAS server?

Yes, you can assign a host name to identify your NetScaler MAS server. To assign a host name, navigate to System > System Administration > System Settings, and click Change Hostname.

The host name is displayed on the Universal license for NetScaler MAS. For more information, see How to Assign a Host Name to a NetScaler MAS Server.

Can I back up and restore my NetScaler MAS configuration?

Yes, you can back up configuration files (NTP files and SSL certificates), system data, infrastructure and application data, and all your SNMP settings. If your NetScaler MAS ever becomes unstable, you can use the backed-up files to restore your NetScaler MAS to a stable state.

To back up and restore your NetScaler MAS configuration:

  1. Navigate to System > Advanced Settings > Backup Files.
  2. Click Back Up or Restore as needed.

For more information, see How to back up and restore configuration on NetScaler MAS.

Citrix recommends that you use this feature before performing an upgrade or for precautionary reasons.

What are Thresholds and Alerts on NetScaler MAS?

You can set thresholds and alerts to monitor the state of a NetScaler instance and monitor entities on managed instances.

When the value of a counter exceeds the threshold, NetScaler MAS generates an alert to signify a performance-related issue. When the counter value returns to the clear value specified in the threshold, the event is cleared.

Can I generate a technical support file for NetScaler MAS?

Yes. Citrix recommends that you generate an archive of NetScaler MAS data and statistics before contacting technical support for debugging an issue. The archive is a TAR file that you can send to the technical support team.

You can generate a technical support file that contains debug logs, duration for which debug logs were collected, and distinct and diverse logs from the NetScaler MAS database.

To configure and send a technical support file, navigate to System > Diagnostics > Technical Support, and then click Generate Technical Support File. For more information, see How to generate a tech support file for NetScaler MAS.

What is syslog purging?

Syslog is a standard protocol for logging. Syslog enables isolation of the system that generates information and the system that stores the information. You can consolidate logging information and derive insights from the collected data. You can also configure syslog to log different types of events.

To limit the amount of syslog data stored in the database, you can specify the interval at which you want to purge syslog data. You can specify the number of days after which all Generic Syslog data, AppFirewall data, and NetScaler Gateway data will be deleted from NetScaler MAS.

Can I configure NTP server on NetScaler MAS?

You can configure a Network Time Protocol (NTP) server in NetScaler MAS to synchronize the NetScaler MAS clock with the NTP server. Configuring an NTP server ensures that the NetScaler MAS clock has the same date and time settings as the other servers on the network.

To configure an NTP server, navigate to System > NTP Servers, and then click Add. For more information, see How to configure NTP server on NetScaler MAS.

From which version is the NetScaler MAS active-passive HA deployment supported?

The NetScaler MAS active-passive HA deployment mode is supported from NetScaler MAS version 12.0 build 51.24.

I had a NetScaler MAS active-active HA setup and had configured a NetScaler appliance with load balancing virtual server on it for unified GUI access. How do I update this configuration?

After you upgrade the NetScaler MAS HA pair to active-passive mode, you have to run the following command on the NetScaler appliance to update the load balancing configuration:

add lb monitor MAS_Monitor TCP-ECV -send "GET /mas_health HTTP/1.1\r\nAccept-Encoding: identity\r\nUser-Agent: NetScaler-Monitor\r\nConnection: close\r\n\r\n\"" -recv "{\"statuscode\":0, \"is_passive\":0}" -LRTM DISABLED
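
As an added illustration (not Citrix code), the Python sketch below models how the monitor's -recv string separates the active node from the passive one. It assumes that TCP-ECV treats -recv as a literal substring of the response; the sample responses, including the passive node's "is_passive":1 body, are constructed.

```python
import json

# Receive string from the monitor command above, with the CLI escapes resolved.
RECV = b'{"statuscode":0, "is_passive":0}'


def http_response(body: bytes, status: bytes = b"200 OK") -> bytes:
    """Build a constructed HTTP/1.1 response for the samples below."""
    return b"".join([
        b"HTTP/1.1 ", status, b"\r\n",
        b"Content-Type: application/json\r\n",
        b"Content-Length: ", str(len(body)).encode(), b"\r\n",
        b"Connection: close\r\n\r\n",
        body,
    ])


def ecv_is_up(response: bytes, recv: bytes = RECV) -> bool:
    """Assumed TCP-ECV rule: UP only if recv occurs byte-for-byte in the response."""
    return recv in response


def node_is_active(response: bytes) -> bool:
    """What the health body means once parsed as JSON, independent of formatting."""
    _, sep, body = response.partition(b"\r\n\r\n")
    if not sep:
        return False
    try:
        fields = json.loads(body.decode("utf-8"))
    except ValueError:  # also covers JSONDecodeError and UnicodeDecodeError
        return False
    if not isinstance(fields, dict):
        return False
    return fields.get("statuscode") == 0 and fields.get("is_passive") == 0


# Constructed /mas_health responses; only the first body appears on the page.
SAMPLES = {
    "active": http_response(b'{"statuscode":0, "is_passive":0}'),
    "passive": http_response(b'{"statuscode":0, "is_passive":1}'),
    # Same meaning as "active", but different whitespace in the JSON body.
    "active_respaced": http_response(b'{"statuscode": 0, "is_passive": 0}'),
    "error": http_response(b"Service Unavailable", b"503 Service Unavailable"),
}


def evaluate(samples=SAMPLES):
    """Return {name: (monitor_marks_up, json_says_active)} for each sample."""
    return {name: (ecv_is_up(resp), node_is_active(resp))
            for name, resp in samples.items()}


if __name__ == "__main__":
    for name, (up, active) in evaluate().items():
        print(f"{name:16} monitor_up={up!s:5} json_active={active}")
```

The "active_respaced" row shows the operational caveat: under a literal match, a node that is active but formats its health body differently is marked down, so the -recv string must match the health output byte for byte.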

Can I configure load balancing of the NetScaler MAS HA pair on a NetScaler instance using port 443?

No, you cannot configure load balancing of the NetScaler MAS HA pair on a NetScaler Instance using port 443.

When you configure the http-ecv and https-ecv monitors on NetScaler, they do not monitor the NetScaler MAS HA nodes correctly.

Can a NetScaler MAS server backup file be used to restore the configuration of another NetScaler MAS server?


After NetScaler MAS backs up a NetScaler instance, can that backup file be used to restore the configuration of another NetScaler instance through NetScaler MAS?

Yes. Download the NetScaler MAS backup file, upload it into another NetScaler instance’s backup repository, and restore that instance. Ensure the following:

  • The network information and authentication information do not conflict. For example, check for IP-address or port conflicts, and for mismatched password profiles.

  • The restored VPX instance has the same NSIP address and NetScaler license as the one that was backed up.

Before restoring an instance in a high availability pair, verify that:

  • The IP address and state (primary or secondary) stored in the backup file and the original HA configuration match.
  • The new primary and secondary have the same type of NetScaler license.

Can we force NetScaler MAS to use a SNIP address to communicate with the NetScaler instances, instead of using the NSIP address of the NetScaler MAS server?

Yes, you can add a SNIP address (with management enabled) in NetScaler MAS for communication with NetScaler instances.

When I back up NetScaler Instances in NetScaler MAS, is the result a full back-up or a basic back-up?

Backups of NetScaler instances by NetScaler MAS are full backups.

Is there a troubleshooting guide for NetScaler MAS?

Yes. See https://support.citrix.com/article/CTX224502.

How are NetScaler instances managed when a NetScaler MAS HA failover occurs?

If the heartbeat and SSH-based check fail, the primary node is considered to be down and the secondary node takes over as the primary node. All the NetScaler instances are updated with the latest primary node details as their SNMP trap destination by default.

The new primary (active) NetScaler MAS node checks to determine whether the previously active node was configured as AppFlow collector or syslog server. If it was, the new primary node adds the AppFlow collector or syslog server details to the information sent to the instances.

For syslog, it replaces the old server details.

What happens when the NetScaler MAS HA node that went down comes back up?

After returning to service, the NetScaler MAS node remains passive unless the active node fails over.

How are NetScaler instances distributed across NetScaler MAS HA nodes?

The primary NetScaler MAS node manages all the NetScaler instances.

How are virtual server licenses managed if there was a NetScaler MAS HA failover?

Suppose you have a NetScaler MAS primary node with vServer licenses applied. If it goes down, the new primary node manages the vServer licenses for a grace period of 30 days. Reapply the licenses on the new primary by the end of the grace period. For alternatives, contact Citrix support.

Is a load balancer mandatory for a NetScaler MAS HA setup?

No, but if there is no load balancer, NetScaler MAS nodes must be accessed through their own IP addresses. The passive node is marked with the tag “Passive,” and Citrix recommends that you do not create any configurations on the passive node.


Does NetScaler MAS support an external database?


Can a NetScaler instance that is being managed by NetScaler MAS be used as a Load balancer for NetScaler MAS HA?


What data is synchronized between NetScaler MAS HA nodes?

The complete NetScaler MAS database is synchronized, and the following folders are synchronized:

  • /var/mps/tenants/root/

  • /var/mps/ns_images/

  • /var/mps/sdx_images/

  • /var/mps/xen_nsvpx_images/

  • /var/mps/cbwanopt_images/

  • /var/mps/sdwanvw_images/

  • /var/mps/mps_images/

  • /var/mps/ssl_certs/

  • /var/mps/ssl_keys/

  • /mpsconfig/ssl/

  • /var/mps/backup/

  • /var/mps/esx_nsvpx_images/

  • /var/mps/locdb/