How to Enable Secure Access to Citrix ADC GUI Using the SNIP/MIP Address of the Appliance


Article ID: CTX111531


Description

This article contains information about enabling HTTPS secure access to the Citrix ADC GUI by using the Subnet IP (SNIP) or Mapped IP (MIP) address of the appliance.

Background

Secure access to the Citrix ADC GUI is enabled by default for the NetScaler IP (NSIP). You might also want to enable secure access to the Citrix ADC appliance by using the SNIP/MIP address of the appliance.

After you configure a SNIP/MIP address for secure access on a high availability pair, secure access through that SNIP/MIP address reaches the primary appliance of the pair.


Instructions

Configure Using Citrix ADC CLI

Enable Secure Access to Citrix ADC GUI

Complete the following procedure to enable secure access to Citrix ADC GUI by using the SNIP address of the appliance:
Note: To enable secure access by using the MIP address of an older Citrix ADC appliance, replace SNIP with MIP in the following procedure.

  1. Ensure that the SNIP address is configured on the appliance on which you want to enable secure management and GUI access.
    If no such IP address is configured on the appliance, or you do not want to use an existing IP address, run the following command from the command line interface of the appliance to add a SNIP address:
    nsroot@localhost> add ns ip <IP_Address> <Subnet> -type SNIP -gui SECUREONLY -mgmtAccess ENABLED

  2. Run the following command to verify if the Citrix ADC server certificate exists on the appliance:
    nsroot@localhost> sh ssl certkey

    Name: ns-server-certificate
    Cert Path: ns-server.cert
    Key Path: ns-server.key
    Format: PEM
    Status: Valid,   Days to expiration:999989
    Certificate Expiry Monitor: ENABLED
    Expiry Notification period: 30 days
    Certificate Type:       "Client Certificate"    "Server Certificate"
    Version: 3
    Serial Number: 01
    Signature Algorithm: sha256WithRSAEncryption
    Issuer:  C=US,ST=California,L=San Jose,O=Citrix ANG,OU=NS Internal,CN=default KPPNZY
    Validity
            Not Before: Mar  7 23:13:51 2022 GMT
            Not After : Feb  2 23:13:51 4760 GMT
    Subject:  C=US,ST=California,L=San Jose,O=Citrix ANG,OU=NS Internal,CN=default KPPNZY
    Public Key Algorithm: rsaEncryption
    Public Key size: 2048
    Ocsp Response Status: NONE
    
    
  3. If the command in the preceding step does not display the Citrix ADC server certificate, then run the following command to add the certificate:
    nsroot@localhost> add ssl certkey ns-server-certificate -cert ns-server.cert -key ns-server.key

  4. Run the following command to verify the status of the internal service for the SNIP address:
    nsroot@localhost> show service -internal

    nshttps-<SNIP_Address>-443 (<SNIP_Address>:443) - SSL
    State: DOWN
    Last state change was at Thu Mar 17 21:32:19 2022
    Time since last state change: 0 days, 20:59:35.160
    Server Name: #ns-internal-<SNIP_Address>#
    Server ID : None        Monitor Threshold : 0
    Clear Text Port: 80
    Max Conn: 0     Max Req: 0      Max Bandwidth: 0 kbits
    Use Source IP: NO
    Client Keepalive(CKA): NO
    Monitoring Owner: 0
    Access Down Service: NO
    TCP Buffering(TCPB): NO
    HTTP Compression(CMP): NO
    Idle timeout: Client: 180 sec   Server: 360 sec
    Client IP: DISABLED
    Cacheable: NO
    SC: OFF
    SP: OFF
    Down state flush: DISABLED
    Monitor Connection Close : NONE
    Appflow logging: DISABLED
    TCP profile name: nstcp_internal_apps
    HTTP profile name: nshttp_default_internal_apps
    Process Local: DISABLED
    Traffic Domain: 0
    
    
  5. Run the following command to bind the server certificate to the internal service for the SNIP address:
    bind ssl service nshttps-<SNIP_Address>-443 -certkeyName ns-server-certificate

  6. Run the following command to verify the status of the internal service for the SNIP address:
    nsroot@localhost> show service -internal

    nshttps-<SNIP_Address>-443 (<SNIP_Address>:443) - SSL
    State: UP
    Last state change was at Thu Mar 17 21:32:19 2022
    Time since last state change: 0 days, 20:59:35.160
    Server Name: #ns-internal-<SNIP_Address>#
    Server ID : None        Monitor Threshold : 0
    Clear Text Port: 80
    Max Conn: 0     Max Req: 0      Max Bandwidth: 0 kbits
    Use Source IP: NO
    Client Keepalive(CKA): NO
    Monitoring Owner: 0
    Access Down Service: NO
    TCP Buffering(TCPB): NO
    HTTP Compression(CMP): NO
    Idle timeout: Client: 180 sec   Server: 360 sec
    Client IP: DISABLED
    Cacheable: NO
    SC: OFF
    SP: OFF
    Down state flush: DISABLED
    Monitor Connection Close : NONE
    Appflow logging: DISABLED
    TCP profile name: nstcp_internal_apps
    HTTP profile name: nshttp_default_internal_apps
    Process Local: DISABLED
    Traffic Domain: 0
    
    
  7. Open a web browser on the local computer.

  8. Enter the secure SNIP address of the appliance, such as https://<SNIP_Address>, in the address bar of the web browser.
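
An added example, not part of the original Citrix article: a Python check that reads saved output of the commands from steps 2 and 4/6 and reports whether the internal HTTPS service for the SNIP is UP and whether ns-server-certificate is self-signed. The sample captures are constructed in the format shown above, 192.0.2.10 stands in for <SNIP_Address>, and the function names are this example's own.

```python
# Constructed sample captures in the format shown in steps 2, 4 and 6;
# 192.0.2.10 is a documentation address standing in for <SNIP_Address>.
CERTKEY_OUTPUT = """\
Name: ns-server-certificate
Issuer:  C=US,ST=California,L=San Jose,O=Citrix ANG,OU=NS Internal,CN=default KPPNZY
Subject:  C=US,ST=California,L=San Jose,O=Citrix ANG,OU=NS Internal,CN=default KPPNZY
"""
SERVICE_OUTPUT = """\
nshttps-192.0.2.10-443 (192.0.2.10:443) - SSL
    State: DOWN
nshttps-127.0.0.1-443 (127.0.0.1:443) - SSL
    State: UP
"""

def parse_services(text):
    """Map each internal nshttps-<addr>-443 service name to its State value."""
    states, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("nshttps-"):
            current = line.split()[0]          # header line of a service record
        elif current and line.startswith("State:"):
            states[current] = line.split(":", 1)[1].strip()
            current = None                     # only the first State per record
    return states

def parse_certkey(text):
    """Return the 'Key: value' fields of one 'sh ssl certkey' record."""
    pairs = (line.strip().partition(":") for line in text.splitlines())
    return {k.strip(): v.strip() for k, sep, v in pairs if sep}

def audit(snip, service_text, certkey_text):
    """List what still blocks or weakens HTTPS GUI access on this SNIP."""
    findings = []
    state = parse_services(service_text).get(f"nshttps-{snip}-443")
    if state is None:
        findings.append("no internal HTTPS service for this address (step 1)")
    elif state != "UP":
        findings.append(f"internal HTTPS service is {state}; bind the certificate (step 5)")
    cert = parse_certkey(certkey_text)
    if cert.get("Name") != "ns-server-certificate":
        findings.append("ns-server-certificate not found (step 3)")
    elif cert.get("Issuer") == cert.get("Subject"):
        findings.append("ns-server-certificate is self-signed (Issuer equals Subject)")
    return findings

if __name__ == "__main__":
    print("\n".join(audit("192.0.2.10", SERVICE_OUTPUT, CERTKEY_OUTPUT)))
```
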

Disable Secure Access to the Citrix ADC GUI

Run the following command to disable secure-only access to the Citrix ADC GUI on the SNIP/MIP address of the appliance. With -gui ENABLED, the GUI on that address is reachable over HTTP as well as HTTPS:
nsroot@localhost> set ns ip <SNIP_Address> -gui ENABLED -mgmtAccess ENABLED

Configure Using the Citrix ADC GUI

Enable Secure Access to Citrix ADC GUI

Refer to the following resources to enable secure access to the Citrix ADC GUI by using the SNIP/MIP address of the appliance:

Disable Secure Access to the Citrix ADC GUI

To disable secure access to the Citrix ADC GUI by using the SNIP/MIP address of the appliance, navigate to System > Network > IPs > Edit (SNIP) and clear the Secure Access only check box.


Additional Information

For a complete list of all operations that can be performed with the ns ip command, refer to Citrix Documentation.