Citrix ADC – Gateway Service is Forbidden

This is just a quick post about an issue I encountered today with a vanilla ADC VPX with firmware 13.0-85.15. After importing the VPX and configuring the ADC, I could not reach the login page of the Citrix Gateway (ICA-Proxy).

403 – Forbidden – You don’t have permission to access this resource.

My first thought: This must be a mistake with the DNAT configured by the network administrator, translating from the public IP address to a wrong private IP. But a tcpdump on the VPX confirmed that the traffic was routed to the freshly installed Citrix ADC appliance. In the browser developer options you could clearly see that the response came from /logon/LogonPoint/index.html and that the NSC cookies had been set.

So what is going on here? I started digging in the file system and found out that something in the “/var/netscaler” directory was missing… Can you see it?

Exactly: the “logon” directory does not exist.

After grabbing the “logon” folder from a working VPX (same build – but upgraded) and putting it in the right location, the Citrix Gateway Service became reachable, with the login mask as you would expect it!

Conclusion: This seems to be a bug with the provided VPX Appliance Template from the Citrix Download Portal. In this scenario the VPX was deployed on a VMware environment. I don't know if other versions (13.1.x) and hypervisors are affected as well. Please leave a comment if you have had the same experience.


  1. Updated from 12.1.65 to 13.0 – on Citrix advice, and found same issue on one vserver, other two are fine. Login folder – is there. Portal themes cannot be set on this vserver, either in the properties, or by going to the Themes page and trying to bind another theme.

  2. Just resolved issue on my Netscaler. So – Citrix had recommended upgrade from 12.1.65 to 13.0 to get back into support and resolve crashing issues. 13.0 upgrade – gave Forbidden error. Turned out there were some security issues, so they recommended new install from vpx template. Citrix took logs, dump files and ns.conf – nothing back. While waiting I built new NS 14.x – started setup manually... dropped in some of the config. When I enabled the gateway server – got same Forbidden error. Just by way of testing/digging – I decided to “unbind” the Rewrite policy on the vserver – same. I then went back to apply it – and bingo! Started to work! My conclusion – must be some bug in the binding of the Rewrite policy when upgrading in-place. Btw – doesn't seem to like changing Portal Themes... but that's for another day.

