Qualys Security Scan may cause NetScaler Gateway to become inaccessible
Article ID: CTX229675
Updated On:
Description
Qualys Security Scan is used to scan all open ports on the NetScaler NSIP and SNIP and to check that they are working correctly. While the Qualys Security Scan is running, NetScaler Gateway becomes inaccessible over HTTPS. Ping to the NetScaler Gateway IP continues to work as expected; however, users cannot access the NetScaler Gateway IP address and therefore cannot reach internal resources.
Resolution
Citrix is aware of this issue and a fix will be included in an upcoming release. Refer to the release notes of the latest product for the status of this issue.
Problem Cause
NetScaler has an HSM gateway binary that runs on the management core. It takes requests from the PE and forwards them to the HSM (via hardserver). The binary always assumes that it will receive socket connections only from the PE. When the Qualys scan runs against the management IP, it finds the gateway's port open, connects to it, and tries to send some data. Because the binary understands only data from the PE, it cannot interpret the Qualys data, and NetScaler Gateway becomes unreachable over port 443.