NetScaler Unified Gateway – Native Receiver

NetScaler unified gateway is one of the great new features in NS version 11. If you’ve worked with some of the more advanced features, then you may be familiar with one of the more common requests:

Make a NetScaler Gateway (CAG) the target vServer of a content switching vServer.

Fortunately, this is exactly what Unified Gateway does – essentially, Unified Gateway is a content switching vServer with one of the possible target vServers as a non-addressable NetScaler Gateway. This is slightly different than the 10.5 enhancement release feature which allowed for CSW policies to be bound to a CAG\VPN vServer. While the ability to do this still exists in NS version 11, the unified gateway is the preferred method to accomplish this.

I recently switched to a unified gateway configuration and ran into an issue with native receiver – or self-service – or mobile receiver – or whatever you want to call Receiver on Android\iOS.

The New Configuration

The new NetScaler Gateway vServer is a non-addressable as you can see here (IP\port are


And all of the content switching policies are on the CSW vServer itself. The issue I ran into was that I could not connect with my mobile device via Receiver – despite the mobile receiver policy being bound to the CAG vServer.

The Problem

When I tried to connect with my mobile Receier app, I was not able to connect – once I sent the support logs via email, I noticed the following:

02-02 06:56:43.317 D/DSDownloadAccountRecordTask::getAccountRecord( 6054): Entry
02-02 06:56:43.317 D/DSDownloadAccountRecordTask::getAccountRecord( 6054): accountServiceUrlAfterRewrite=
02-02 06:56:43.317 D/getAGHeaders( 6054): adding X-Citrix-Gateway header
02-02 06:56:43.358 I/HttpClientHelper( 6054): SslSdkProtocolNumber value is 0x2 from user's settings
02-02 06:56:43.358 I/HttpClientSocketFactory( 6054): Tring to configure TLSv1
02-02 06:56:43.358 I/HttpClientSocketFactory( 6054): Enabling protocol TLSv1(2)
02-02 06:56:43.470 E/DSDownloadAccountRecordTask::getAccountRecord( 6054): Received unexpected HTTP 503 response
02-02 06:56:43.472 W/System.err( 6054): com.citrix.client.deliveryservices.utilities.DeliveryServicesException
02-02 06:56:43.473 W/System.err( 6054): at com.citrix.client.deliveryservices.accountservices.asynctasks.DSDownloadAccountRecordTask.getAccountRecord(

If you notice above, there was an HTTP 503 response when trying to reach the account services address on the VPN vServer.

The Solution

There are probably two solutions to this, though I have not verified both of them.

The first solution is to create a content switching policy that points to the CAG\VPN vServer – this policy basically says that any traffic coming from the Receiver app should be directed to the CAG vServer.


The expression in this case is:


The other option that would likely work in this case is to set the CAG\VPN vServer as the default content switching action on the CSW vServer, though I have not tested this.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.