in NetScaler

NetScaler Core-Logic 10.3 changes and enhancements

Core-Logic is becoming a serious enhancement on NetScaler implementations. Especially large implementations and multi-tenant implementations do benefit from the structure Core-Logic provides. We at SAM Office have found that Core-Logic improves manageability of complex NetScaler implementations and we are working on further improvements for our customers.

We believe that the base-code for Core-Logic should be available in public, confirming the support ability of the code by Citrix and experts world wide. Getting the basecode and deeper insights of Core-Logic 10.3 is free of charge; just send an email to, we will send you a copy of the code and some additional whitepapers.

In respect to questions we get from the field, here is a preview on changes made in our latest Core Logic version 10.3:

Core-Logic Version 10.3 has a couple of changes and enhancements in respect to the previous released version 9. Most important change is a switch from “_” to “;” as a delimiter in the stringmaps. This is caused by Jan (, who is busy working on automation tooling for Core-Logic (Netscaler in common). He found it difficult to analyse the stringmap since the “_”  is used massively in the naming conventions.

Second change is we no longer support entries for both HTTP and SSL contentswitches in the SM_CS_CONTROL stringmap. This implies when migrating from 9.0 to 10.3 some entries might translate into two new entries. It was rarely used and we decided to make room a more applicable feature; the LAN setting.

For each contentswitch, in version 10.3 you can define a segment called “LAN”. Based on these subnets, you than can decide what the Core Logic should do with it;

  • A specific (subpath of the) application is only available from this LAN segment, and should be blocked from the internet.
  • In some situations, we found the LAN segment useful to define 3rd Party IPs that were allowed to connect to a B2B servicebus
  • In some cases it is used to connect to the development version of the website.

Version 9.0 checks WILDCARD-DOMAIN, FQDN and FQDN+FIRSTPATH. Version 10.3 also checks FULL-URL (without query).

Some smaller changes:

  • if an entry on HTTP is found, but the refered VServer is down, you now get the ” Sorry page” (thank you Jason to point this one out).
  • integration with AAA is made more predictable (see simple-aaa-logon-cs-policy)

Core-Logic 10.3 has “enhancement” packs available; this is code that further enhances functionality yet was deemed over-engineered for normal implementations:

  • Authorisation on AAA enabled VServers; to get authorisation tables in a stringmap, we needed LUA (enhanced policy expressions). This code, how simple it actualy is, brings the NetScaler configuration in a grey area for support ability by Citrix.
  • Common white-listing / black-listing on the contentswitches / loadbalancing.
  • Contentswitching TCP / UDP ports
    • A TCP or UDP application now can be made available through what we call the “AUTOLB”-mechanism; the name of the loadbalancing VServer determins the publishing contentswitch/port combination.
    • Each TCP Loadbalancer needs to be ” blacklisted” for a global publication or “whitelisted” to only allow specific subnets to use this loadbalancing vserver.
    • For white/blacklisting UDP, we need responder policies on UDP; this is a feature request we made to Citrix.

Here is a slide-deck we use in our presentation on Core-Logic-10.3: Slide-Deck

The SAM Office NetScaler team.


What do you think?