FAQs

Q. Which hardware platforms are supported for NetScaler Secure Web Gateway (SWG)?

A. NetScaler SWG is available on the following hardware platforms:

  • NetScaler SWG MPX 14020/14030/14040
  • NetScaler SWG MPX 14020-40G/14040-40G
  • NetScaler SWG MPX 14060-40S/14080-40S/14100-40S
  • NetScaler SWG MPX 5901/5905/5910
  • NetScaler SWG MPX/SDX 8905/8910/8920/8930
  • All Cavium N2 and N3 based SDX platforms

Q. What are the two capture modes that I can set when creating a proxy on the SWG appliance?

A. The SWG solution supports explicit and transparent proxy modes. In explicit proxy mode, the clients must specify an IP address and a port in their browsers, unless the organization pushes the setting onto the client’s device. This address is the IP address of a proxy server that is configured on the SWG appliance. Transparent proxy, as the name implies, is transparent to the client. The SWG appliance is configured in an inline deployment, and the appliance transparently accepts all HTTP and HTTPS traffic.

Q. Does NetScaler SWG have a configuration wizard?

A. Yes. The wizard is located on the SWG node in the configuration utility.

Q. Which NetScaler features are used when configuring NetScaler SWG?

A. Responder, AAA-TM, content switching, SSL, forward proxy, SSL interception, and URL filtering.

Q. What authentication methods are supported on NetScaler SWG?

A. In the explicit proxy mode, LDAP, RADIUS, TACACS+, and NEGOTIATE authentication methods are supported. In transparent mode, only LDAP authentication is supported.

Q. Is it necessary to install the CA Certificate on the client device?

A. Yes. The NetScaler SWG appliance emulates the origin server certificate. This server certificate must be signed by a trusted CA certificate, which must be installed on the clients’ devices so that the client can trust the regenerated server certificate.

Q. Can I use a NetScaler Platform license on the NetScaler SWG platform?

A. No. The NetScaler SWG platform requires its own platform license.

Q. Is HA supported for a NetScaler Secure Web Gateway deployment?

A. Yes.

Q. Which file contains the logs for NetScaler SWG?

A. The ns.log file records NetScaler SWG information. You must enable logging by using the CLI or GUI. At the command prompt, type:

set syslogparams -ssli Enabled

In the GUI, navigate to System > Auditing. In Settings, click Change Auditing Syslog Settings. Select SSL Interception.

Q. Which nsconmsg commands can I use to troubleshoot issues?

A. You can use one or both of the following commands:

nsconmsg -d current -g ssli
nsconmsg -d current -g err

Q. If the certificate bundle is built-in, how do I get updates?

A. The latest bundle is included in the build. For updates, contact Citrix Support.

Q. Can data be captured on NetScaler MAS from NetScaler SWG?

A. Yes. You must enable Analytics in the Secure Web Gateway wizard.

Important: Ensure that you are using the same 12.0 build for MAS and SWG.

Q. What is URL Filtering Service?

A. URL Filtering is a web content filter that controls access to a list of restricted websites and web pages. The filter restricts user access to inappropriate content on the internet based on URL category, category groups, and reputation score. A network administrator can monitor the web traffic and block user access to highly risky websites. You can implement the feature by using either the URL Categorization or the URL List feature, based on policy enforcement. For more information, see the URL Filtering topic.

Q. How does URL Filtering fit into NetScaler SWG?

A. URL Filtering works with the NetScaler SWG appliance to control access to specific websites. The SWG appliance at the edge of the network acts as a proxy to intercept the web traffic and perform actions such as authentication, inspection, caching, and redirection. The filter then controls access to websites by using the URL Categorization or URL List feature with policy enforcement.

Q. How often is the URL Categorization database updated?

A. If you are using the URL Categorization feature to control access to restricted websites, you must periodically update the categorization database with the latest data from the cloud-based vendor service. To update the database, the NetScaler SWG GUI enables you to configure URL filtering parameters such as “Hours Between DB Updates” or “Time of Day to Update DB”.

Q. What use-cases are a best fit for URL Filtering service today?

A. Following are some of the targeted use cases for enterprise customers:

Q. Is there a memory limit for caching in URL Categorization service?

A. Yes. The memory limit for caching is set to 10 GB, and you can configure it through the CLI only.

Q. What does the URL Categorization database return if no category matches the incoming request?

A. If the incoming request does not match a category or if the URL is malformed, the appliance marks the URL as “Uncategorized” and sends the request to the cloud-based service maintained by the categorization vendor. The appliance continues to monitor the cloud query feedback and updates the cache so that future requests can benefit from the cloud lookup.

Q. What is a URL reputation score and how do you control access to malicious websites based on the reputation score?

A. A URL reputation score is a rating that NetScaler SWG assigns to a website. The value can range from 1 to 4, where 4 is a malicious web site and 1 is a clean website. If a network administrator monitors a user accessing highly risky web sites, then access to such sites is controlled based on the URL reputation score and security level you have configured on the NetScaler SWG appliance. For more information, see URL Reputation Score.

Q. If you filter websites using a URL Set but incorrectly filter a specific website, what is the process to enable exceptional websites?

A. URL Filtering uses a responder policy to control access to web sites. To whitelist a specific URL as an exception, in the SWG wizard, create a patset policy and add the exceptional URL with “allow” action. Once you create the policy, exit the wizard and do the following steps:

To change the priority of a policy expression by using the NetScaler SWG GUI:

  1. Log on to the NetScaler SWG appliance and navigate to Secure Web Gateway > Proxy Virtual Servers.
  2. In the details page, select a server and click Edit.
  3. In the Proxy Virtual Servers page, go to the Policies section and click the pencil icon to edit the details.
  4. Select the patset policy and, in the Policy Binding page, specify a priority value lower than that of the other bound policies.
  5. Click Bind and Done.
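
Why step 4 matters, as an added example (a simplified Python model written for this page, not NetScaler code or configuration). It assumes bound policies are evaluated in ascending priority value and the first match decides; the hosts, policy names, threshold, and priority numbers are constructed.

```python
from dataclasses import dataclass
from typing import Callable, List

# Constructed sample metadata: host -> (category, category group, reputation 1..4).
URL_DB = {
    "shop.example": ("Shopping", "Shopping/Retail", 1),
    "partner.example": ("Business", "Business/Services", 3),  # wrongly filtered
    "bad.example": ("Malware", "Security", 4),
}
EXCEPTION_PATSET = {"partner.example"}  # hypothetical exception list
BLOCK_AT_OR_ABOVE = 3                   # hypothetical configured security level

@dataclass(frozen=True)
class Binding:
    name: str
    priority: int                     # lower value is evaluated first
    matches: Callable[[str], bool]
    action: str                       # "allow" or "block"

def is_exception(host: str) -> bool:
    return host in EXCEPTION_PATSET

def is_risky(host: str) -> bool:
    # Hosts missing from the sample table are treated as not risky in this model.
    meta = URL_DB.get(host)
    return meta is not None and meta[2] >= BLOCK_AT_OR_ABOVE

def decide(host: str, bindings: List[Binding]) -> str:
    # Assumption: the first matching policy in ascending priority order decides.
    for b in sorted(bindings, key=lambda b: b.priority):
        if b.matches(host):
            return f"{b.action} ({b.name})"
    return "allow (no policy matched)"

def bindings_with_exception_priority(priority: int) -> List[Binding]:
    # The block policy stays at 100; only the exception's priority changes.
    return [
        Binding("reputation_block", 100, is_risky, "block"),
        Binding("patset_exception", priority, is_exception, "allow"),
    ]

if __name__ == "__main__":
    for prio in (200, 50):
        print(prio, decide("partner.example", bindings_with_exception_priority(prio)))
```

With the exception bound at 200, the reputation policy at 100 matches first and the site stays blocked; bound at 50, the exception takes effect while other risky sites are still blocked.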

Q. What are the key benefits of using NetScaler SWG URL Filtering feature?

A. URL Filtering feature is easy to deploy, configure, and use. It provides the following benefits and allows enterprise customers to:

  • Monitor web traffic and user transactions.
  • Filter malware and Internet-borne security threats.
  • Control unauthorized access to malicious websites.
  • Enforce corporate security policies to control access to restricted data.

Q. If I am using the URL List feature to filter websites, how do I edit a URL List policy?

A. You can modify a URL List policy through the NetScaler SWG Wizard by overwriting or deleting the imported list bound to the responder policy.

Q. What does the metadata associated to a URL contain?

A. Each URL in the categorization database has metadata associated with it. The metadata contains the URL category, category group, and reputation score. For example, if the URL is a shopping portal, the metadata will be Shopping, Shopping/Retail, and 1 respectively.

Use the following expressions to get these values for the incoming URL:

URL_CATEGORIZE(0,0).CATEGORY
URL_CATEGORIZE(0,0).GROUP
URL_CATEGORIZE(0,0).REPUTATION

Q. What type of license and subscription do you need for the URL Categorization feature?

A. The URL Categorization feature requires a URL Threat Intelligence subscription service (available for one year or three years) with NetScaler SWG edition.

Q. What are the ways I can configure URL Filtering?

A. There are two ways of configuring URL Filtering. You can either do it through the NetScaler SWG command interface or through the NetScaler SWG Wizard. Citrix recommends that you use the wizard to configure filtering policies.

Q. What are the types of URL categories that you can block?

A. The URL Categorization database contains millions of URLs with metadata. The administrator can configure a responder policy to decide which URL categories can be blocked and which URL categories can be allowed for user access. For information about the URL category mapping, see the Mapping categories page.

Q. What must we do if we are unable to access origin servers that use WebSocket, such as WhatsApp?

A. You must enable webSocket in the default HTTP profile.

At the CLI, type:

> set httpprofile nshttp_default_profile -webSocket ENABLED

Q. What is ICAP?

A. ICAP stands for Internet Content Adaptation Protocol.

Q. Which version of NetScaler SWG supports ICAP?

A. ICAP is supported in NetScaler SWG release 12.0 build 57.x and later.

Q. What are the two ICAP modes supported on NetScaler SWG?

A. Request modification (REQMOD) mode and response modification (RESPMOD) mode are supported.

Q. What is the default port for ICAP?

A. 1344.
