Are you using “public IPs” internally and having trouble with SSO (Single Sign-On) from NetScaler AG to StoreFront in ICA Proxy or CVPN mode?
If that is your case, then worry no more!

Citrix has released NetScaler Release Build 122.1708.e, with some breaking news in this area: “SSO to Public IPs (Proxy)”.
Does it work out of the box? Of course not…

To make it work, you need to create a NetScaler Gateway Traffic Policy using “ns_true” as the expression. It may look something like this:

Traffic Policy:

Traffic Profile:


The next step is to bind the policy you just created to your AGVIP or, even better, “Globally”…


When using ICA Proxy mode, make sure your VPN session profile is configured in ICA Proxy mode:


When using CVPN mode, make sure your VPN session profile is configured in CVPN mode:



The trick here is to configure a traffic policy (ICA Proxy), but in the CVPN case you also need to update your Receiver for Web profile by activating “WIhome” and entering the Receiver for Web address 🙂