When NetScaler Gateway was initially designed, its purpose was to act as the secure entry point into the corporate intranet via a VPN tunnel. There were only two modes of operation: Clientless VPN (popularly known as CVPN) and Full VPN.

Both of these access types required the user to authenticate with his/her LDAP credentials along with a second factor like an RSA Key or a VIP token. Once the user successfully authenticated, he/she would be authorized to get CVPN or full VPN tunnel access into the intranet zone.

The specialized case of CVPN came into play when the user would connect using a browser and intended to access web servers behind the gateway without actually installing a VPN client on the client machine. In this case, the user could purposefully restrict his/her access to HTTP-based connections only by choosing the CVPN mode of operation.

Since the expected default mode of access was always full VPN, the default configuration for NetScaler Gateway allowed VPN access, which was specified by:

Transparent interception: ON

As the landscape of products changed at Citrix and NetScaler Gateway became a part of the XenMobile Solution as well, we started adding custom rules in the NetScaler Gateway configuration to ensure that XenMobile Client (WorxHome) access is restricted. In light of this, we believe that a more restrictive default would be a better option.

Hence, starting with the 11.0.F release, our default NetScaler Gateway VPN access configuration will be as follows:

Transparent interception: OFF

To the best of our understanding, customers should not see any disruption in their daily operations due to this update because we already have a specialized rule in place for full VPN client-based access.

For customers who are on the previous versions of NetScaler Gateway and who would like to change their default configuration manually, detailed information has been provided in the following document on our website:


As with all configuration changes, Citrix recommends that this change be evaluated in a test environment prior to being implemented in a production environment.
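
To see which session profiles would still allow full-tunnel interception before or after the default change described above, the saved configuration can be audited. The following is an added example, not Citrix code: it assumes ns.conf-style `set vpn parameter` and `add`/`set vpn sessionAction` lines carrying a `-transparentInterception` option, that an unset profile value inherits the global one, and the profile names in the sample are constructed.

```python
import re
import shlex

# Constructed sample in ns.conf style; profile names are illustrative only.
SAMPLE_CONF = """\
set vpn parameter -splitTunnel OFF -transparentInterception ON
add vpn sessionAction AC_WorxHome -transparentInterception OFF -clientlessVpnMode ON
add vpn sessionAction AC_FullVPN -splitTunnel OFF -transparentInterception ON
add vpn sessionAction AC_Web -clientlessVpnMode ON
"""

OPTION = "-transparentinterception"
RELEVANT = re.compile(r"(?i)^(set|add)\s+vpn\s+(parameter|sessionAction)\b")


def _option_value(tokens):
    """Return the ON/OFF value that follows the option, or None if absent."""
    lowered = [t.lower() for t in tokens]
    if OPTION in lowered:
        idx = lowered.index(OPTION)
        if idx + 1 < len(tokens):
            return tokens[idx + 1].upper()
    return None


def audit(conf_text, release_default):
    """Return (global_value, {session_action: effective_value}).

    release_default is the value the running release applies when the
    global parameter is not written in the config: "ON" before the
    change described above, "OFF" from the release that introduces it.
    Assumption: a session action without the option inherits the global.
    """
    global_value = release_default.upper()
    actions = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if not RELEVANT.match(line):
            continue  # skip comments and unrelated commands
        tokens = shlex.split(line)  # handles quoted profile names
        if tokens[2].lower() == "parameter":
            global_value = _option_value(tokens) or global_value
        elif len(tokens) > 3:
            name = tokens[3]
            actions[name] = _option_value(tokens) or actions.get(name)
    return global_value, {n: (v or global_value) for n, v in actions.items()}


if __name__ == "__main__":
    g, eff = audit(SAMPLE_CONF, release_default="OFF")
    print("global:", g)
    for name, value in sorted(eff.items()):
        print(f"{name}: transparent interception {value}")
```

Profiles reported as ON are the ones to review against the intended full VPN use case; running the audit with both `release_default` values shows which profiles change behaviour across the upgrade.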