When a Citrix NetScaler is configured using a graphical interface a browser is used to connect to the Citrix NetScaler. Starting NetScaler release 10 a part of the configuration is migrated from Java Applets to HTML5, but most configuration are still depending on Java Applets.

When you open a more advanced configuration the Java Applet is loaded automatically., If it hangs at 1% “Downloading Applet…” you might want to read this article.If it hangs at 99% “Logging in” continue reading.

After loading the Java Applet and trying to log in the following error is raised.

Diagram

In my case the Citrix NetScaler was placed in a different VLAN than my client was, the VLANs where separated by a firewall.

What is good to know is that for the normal GUI  communication is done via TCP port 80 for non-secure (HTTP) or TCP port 443 for secure (HTTPS). The Java Applet communicates uses different ports: TCP port 3008 for secure or TCP port 3010 for non-secure .

Source: Communication ports used by Citrix Technologies [PDF]

Port Query

To determine if your client could reach the port you can use Port Query GUI (provided by Microsoft – link). This standalone utility can verify if ports can be reached and tells you within seconds if this is the problem.

• Specify the destination IP or FQDN of the NetScaler IP (NSIP)
• Select query type Manually input query ports
  • Ports to query: 80,443,3008,3010
  • Protocol: TCP
• Click on Query

The query should return LISTENING for port 80+3010 for non-secure communication or 443+3008 for secure communication.

This example clearly shows that TCP port 3008 and 3010 are filtered by a firewall.

.