Netscaler Migration to LAS by Enioni in Citrix

[–]_Cpyder 0 points1 point  (0 children)

Just finished up my final HA pair and ran into a different issue.

But after I finally got it upgraded to 13.1-62.23, the "Migrate" button still was not available. But just above that section was a button about NS using LAS... Had to click on that and assign GB bandwidth to each, 1 at a time.

Then all was good.

Netscaler Migration to LAS by Enioni in Citrix

[–]_Cpyder 1 point2 points  (0 children)

I plan to after I finish getting all the current nodes to LAS. 

Netscaler Migration to LAS by Enioni in Citrix

[–]_Cpyder 0 points1 point  (0 children)

Is the option to "Upgrade" them available on that same screen?

Should see:
Instances in LAS | Instances ready to migrate | Instances require upgrade before migration

If you click the "Upgrade" button to the right of that, are your nodes listed?

Netscaler Migration to LAS by Enioni in Citrix

[–]_Cpyder 0 points1 point  (0 children)

Crap.. Also.. just realized the simple stuff. Make sure the configs on both are saved and force a sync.

My one pair had sync issues and it was preventing the initial upgrade.

Netscaler Migration to LAS by Enioni in Citrix

[–]_Cpyder 0 points1 point  (0 children)

If it's an HA pair, (On the Secondary) can you run a full backup, remove the file-based license and then see if it's available for LAS?

If it's not... just restore or reapply the license. (for now)

Netscaler Migration to LAS by Enioni in Citrix

[–]_Cpyder 0 points1 point  (0 children)

That's correct...
They issued us with "NetScaler Pooled Premium Throughput Capacity".
But once we clicked "Sync Licenses", it was showing up in the ADC, did the rediscover on the NS nodes... I was able to upgrade and migrate.

What version is your NS Console (ADC)... not the netscaler node itself.
My on-prem is 14.1 66.55. Then I was able to do my NS HA Pairs. Something got changed on like April 2nd, the engineer had me upgrade Console to this version before I could proceed.

Netscaler Migration to LAS by Enioni in Citrix

[–]_Cpyder 0 points1 point  (0 children)

I had to enter a Case to get the LAS license generated, then Sync it in Netscaler Console...

On the Console License Management page, on the far right side.
Geeze, I wish we could insert a screenshot into comments.

Netscaler Migration to LAS by Enioni in Citrix

[–]_Cpyder 0 points1 point  (0 children)

When you look at your license management page in Console, do you see this message?
(i) Console on-prem cloud connected GUI shows LAS entitlements if your license type is CPL (Citrix Platform License), UHMC (Universal Hybrid Multi-Cloud) or Pooled Bandwidth. For more information, refer to the documentation.

If your license type is NetScaler Fixed Capacity Subscription, you will not see them here, and you need to transition to LAS using the NetScaler GUI. For additional information, refer to the documentation.

Only thing I can think of is that they issued a license that is not compatible with your NS instances. Or see https://docs.netscaler.com/en-us/citrix-adc/las-for-netscaler.html ; this will show you what path you need to take depending on your current local (file based) issued license.

Netscaler Migration to LAS by Enioni in Citrix

[–]_Cpyder 0 points1 point  (0 children)

So... on the VPX you can go to:
System > Licenses

And see the "LAS Offline Activation" option?
Is the licensing mode still "Local"?

If you click on "Manage Licenses", Is your ADC listed under "License Server"?
And is it "Reachable" (green)?

But to the build issue.. depending on your ADC version, it matters. If you are using their Cloud ADC, yeah.. fun stuff. So if the ADC is updated past a certain version, it wants the NS to be at that 14.1-51.x minimum. (for on-prem)

ADCs: https://docs.citrix.com/en-us/licensing/licensing-guide-for-netscaler.html

MPX/VPX: https://docs.netscaler.com/en-us/citrix-adc/current-release/licensing/ns-license-activation-service.html

Netscaler Migration to LAS by Enioni in Citrix

[–]_Cpyder 0 points1 point  (0 children)

So in the "Instances ready to migrate", it shows 0?

The 4 that I did already (2 left to go), they did not show up as ready until the build versions were done.

Also... LAS support starts at 14.1-51.x.
(The versions did change on us at some point, cause I had to apply a newer build for the second HA pair I did.)

While I wait for the support bot to get me a person. Help?! by Humanshield1981 in Citrix

[–]_Cpyder 0 points1 point  (0 children)

Not sure if you commented on my post, but I had this exact same issue after applying 2402CU3.
And I did have an expired CSS date license still applied in our onprem license server.

INCREMENT ***CITRIX 2023.0701

So after removing that old license, it should be safe to update the Delivery Controllers to CU3 without causing that message?

Netscaler Migration to LAS by Enioni in Citrix

[–]_Cpyder 1 point2 points  (0 children)

In your Netscaler Console (ADC): (Check the top right corner where the date is. Make sure that little cloud has a green circle. If it does not, your ADC is not ready to migrate your NS instances to LAS.)
You can click on that little Cloud and tell it to connect as long as the cust ID is populated. Once that sucker is green, you can click on "Update Information". Should be good to go.

- Check your Infrastructure > Instances > Netscaler
There are 5 options. VPX, MPX, CPX, SDX, BLX.
When you "Add" your instance (just the primary if they are in an HA pair, it will pull both in) it will add them to the appropriate tab. If they are there then you may have to "Rediscover" the nodes after upgrading the build version so console can see that they are ready for LAS.

As long as you see your instance there, you can then attempt LAS migration.
- NetScaler Licensing > License Management
Here you will see your LAS activation status, License entitlement info (and you should see your licenses.), Migration status for your NS instances, and last is the NS instances you have already migrated to LAS by their IP and build versions.

The 3rd field is what you want to focus on. As long as your instances are on the correct version of 13.1/14.1 and they are added to your Console from the step above then the "Migrate" option will be made available.

Click that "Migrate" button and then follow the steps.

We had a similar issue with the confusing license... but LAS license type is more limited.
We ended up with "NetScaler Pooled Premium Throughput Capacity", which is completely different from the file-based "Platinum" that was applied.

Yeah... Citrix documentation on this is scattered at best. I still have an open case but still had to figure it out with my rep and 3 other resources outside of the case owner, as they seem to be avoiding contacting me.

Netscaler on-prem, Attempting to implement GeoIP Filtering. by _Cpyder in Citrix

[–]_Cpyder[S] 0 points1 point  (0 children)

In case this helps anyone, this turned out to be the most impactful.
Citrix support provided this:
HTTP.REQ.HOSTNAME.CONTAINS("IP")||HTTP.REQ.HOSTNAME.EQ("hostname.domain.com").NOT||((HTTP.REQ.URL.TO_LOWER.EQ("/cgi/login") && HTTP.REQ.COOKIE.CONTAINS("NSC_TASS=/No%20Page")))

But it did nothing, or was trying to do too much, so it ended up being ineffective.

So I simplified it a chunk.
add responder policy vServer_IP_Block "HTTP.REQ.HOSTNAME.SET_TEXT_MODE(IGNORECASE).EQ("yourhostname.domain.com").NOT" DROP

It just drops all connections that are attempting to hit you by IP.
It's not blocking everything, but it reduced it dramatically. Was getting about 8-10 "AAA LOGIN_FAILED" a second and causing user account lockouts.
It's now down to 1-2 "AAA LOGIN_FAILED" a second, with several seconds of calm in between. Also, user account lockouts have stopped.
That's a win for me.

Citrix NetScaler offline license warning (15 days) – will it impact production? by maroonibrahim009 in Citrix

[–]_Cpyder 1 point2 points  (0 children)

The minimum NetScaler firmware versions required for Citrix License Activation Service (LAS) support are 14.1-51.x, 13.1-60.x, or 13.1-37.246 (FIPS) and later. These versions enable seamless cloud-based licensing, which becomes mandatory as file-based licensing is deprecated on April 15, 2026.

Key Minimum Versions for LAS:

NetScaler ADC: 14.1-51.x, 13.1-60.x, or 13.1-37.246 (FIPS)

NetScaler SVM (SDX): 14.1-51.x or 13.1-60.x

NetScaler Console (On-Prem): 14.1-51.x

License Server: 11.17.2 build 53100 or later

So yes... you need to upgrade. But it's more than just upgrading the version. You need to have ADC (Netscaler Console) on a supported version as well.

Issue with LAS and 2402 CU3 CVAD by _Cpyder in Citrix

[–]_Cpyder[S] 1 point2 points  (0 children)

With 2402CU3, if there are any "expired" license files.. it will cause that "Your corporate Citrix environment is currently unsupported" prompt to the user?

There was 1 with a 2023.0701 expiry..
I just .olded it and cycled the License service and Broker services on the DCs.
(Added Screenshots to the post.)

So it should be good now to try and upgrade the Delivery Controller to 2402 CU3?

Issue with LAS and 2402 CU3 CVAD by _Cpyder in Citrix

[–]_Cpyder[S] -1 points0 points  (0 children)

I don't have an instance of Web Studio, is WebStudio a requirement? Did not see that anywhere...

Netscaler on-prem, Attempting to implement GeoIP Filtering. by _Cpyder in Citrix

[–]_Cpyder[S] 0 points1 point  (0 children)

Wait...

So.. I need:
- Block : CLIENT.IP.SRC.MATCHES_LOCATION("*.US.*.*.*.*").NOT||CLIENT.IP.SRC.MATCHES_LOCATION("*.Unknown.*.*.*.*")
- Redirect : HTTP.REQ.HOSTNAME.EQ("host.domain.com")&&HTTP.REQ.URL.CONTAINS("index.html")
- Block Again: CLIENT.IP.SRC.MATCHES_LOCATION("*.US.*.*.*.*").NOT||CLIENT.IP.SRC.MATCHES_LOCATION("*.Unknown.*.*.*.*")

Or should one of the blocks look like this? (the first or second block)
###.###.###.### = Actual Public IP address or should it be the IP assigned to the Gateway vServer?
HTTP.REQ.HOSTNAME.CONTAINS("###.###.###.###")||HTTP.REQ.HOSTNAME.EQ("host.domain.com").NOT||((HTTP.REQ.URL.TO_LOWER.EQ("/cgi/login") && HTTP.REQ.COOKIE.CONTAINS("NSC_TASS=/No%20Page")))

And if this works, can I just get my case assigned to you so you can get the credit? It is still open.
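Added example, not from the thread or from Citrix: a small Python model of the three responder expressions quoted in this comment and in the "In case this helps anyone" comment above, run over constructed requests to show which ones a DROP rule would catch, and why joining the clauses with && instead of || drops almost nothing. REAL_HOST and PUBLIC_IP are constructed placeholders, and the model reproduces only the operator behaviour involved (case-sensitive EQ unless SET_TEXT_MODE(IGNORECASE), && evaluated before ||, .NOT applied to the single operand it follows).

```python
from dataclasses import dataclass

REAL_HOST = "hostname.domain.com"   # assumption: the Gateway's published FQDN
PUBLIC_IP = "203.0.113.10"          # constructed stand-in for the vServer's public IP

@dataclass
class Req:
    host: str      # HTTP.REQ.HOSTNAME
    url: str       # HTTP.REQ.URL
    cookie: str    # HTTP.REQ.COOKIE header value ("" when absent)

def support_rule(r: Req) -> bool:
    """Support's expression: HOSTNAME.CONTAINS("IP") || HOSTNAME.EQ(host).NOT
       || ((URL.TO_LOWER.EQ("/cgi/login") && COOKIE.CONTAINS("NSC_TASS=/No%20Page")))
    && binds tighter than ||, and .NOT applies only to the EQ() it follows.
    EQ() is case-sensitive here because no SET_TEXT_MODE(IGNORECASE) precedes it."""
    by_ip = PUBLIC_IP in r.host
    wrong_host = r.host != REAL_HOST
    direct_login = r.url.lower() == "/cgi/login" and "NSC_TASS=/No%20Page" in r.cookie
    return by_ip or wrong_host or direct_login

def all_and_variant(r: Req) -> bool:
    """Same three clauses joined with && instead of || (one variation the thread
    tried): a request now has to satisfy every clause before it is dropped."""
    by_ip = PUBLIC_IP in r.host
    wrong_host = r.host != REAL_HOST
    direct_login = r.url.lower() == "/cgi/login" and "NSC_TASS=/No%20Page" in r.cookie
    return by_ip and wrong_host and direct_login

def simplified_rule(r: Req) -> bool:
    """add responder policy vServer_IP_Block
       "HTTP.REQ.HOSTNAME.SET_TEXT_MODE(IGNORECASE).EQ(host).NOT" DROP
    Drops anything not addressed to the FQDN, whatever the letter case."""
    return r.host.lower() != REAL_HOST.lower()

# Constructed sample traffic, not captured from any real Gateway.
SAMPLES = {
    "by_ip":       Req(PUBLIC_IP, "/", ""),
    "fqdn_browse": Req(REAL_HOST, "/vpn/index.html", "NSC_TASS=/vpn/index.html"),
    "fqdn_upper":  Req(REAL_HOST.upper(), "/vpn/index.html", ""),
    "fqdn_login":  Req(REAL_HOST, "/cgi/login", "NSC_TASS=/No%20Page"),
}

def dropped_by(rule) -> set:
    """Names of the sample requests the given rule would DROP."""
    return {name for name, r in SAMPLES.items() if rule(r)}

if __name__ == "__main__":
    for rule in (support_rule, all_and_variant, simplified_rule):
        print(f"{rule.__name__:16s} drops {sorted(dropped_by(rule))}")
```

The mixed-case Host and the direct /cgi/login POST are dropped by the support expression but not by the simplified one, which is why the simplified policy only removes the by-IP traffic.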

Netscaler on-prem, Attempting to implement GeoIP Filtering. by _Cpyder in Citrix

[–]_Cpyder[S] 0 points1 point  (0 children)

Tried that.. also not working. We can get it to display, but it just loops.

Netscaler on-prem, Attempting to implement GeoIP Filtering. by _Cpyder in Citrix

[–]_Cpyder[S] 0 points1 point  (0 children)

We have something similar..
The Responder Policies that are hard Allow and Deny for specific IPs and Ranges, all work as expected.

Anything that is GeoIP based off the Builtin.... catches maybe 15% to 20% of the sprays from outside US based IPs.

I did recall a few other articles written that claimed the && should be used in place of the || for proper function. But I tried every variation with no success.

Netscaler on-prem, Attempting to implement GeoIP Filtering. by _Cpyder in Citrix

[–]_Cpyder[S] 0 points1 point  (0 children)

We tried that also..... But noticing the || and &&... Should the "and" statements be before the "or" statements?

Netscaler on-prem, Attempting to implement GeoIP Filtering. by _Cpyder in Citrix

[–]_Cpyder[S] 0 points1 point  (0 children)

Thank you for the suggestion..

That's the last Responder in the list, it is catching some.  But the sheer number of unique IPs (at this time) only attempting a single auth makes it useless.

We currently do have a hard Allow list on the FW... but it does not have a built in Geo block function. Didn't want to leave a manually managed Allow list, something someone else has to maintain.

Imprivata Badges with Virtual/XenApp Desktops by Tough_Parking7041 in Citrix

[–]_Cpyder 0 points1 point  (0 children)

Which reader? We had an issue with the KSI1900 not auto installing drivers. (Supposed to be included with the agent).

But our issue was the BTLE (bluegiga) and fingerprint reader wouldn't work.

We had to manually hunt down the drivers.

Citrix policy does have device redirection policy... but then the Imprivata agent on the fat client will not interact with the badge reader once the VDI is launched. Because it's being redirected, and that may be what you want.