Container based AppDelivery Controller – NetScaler CPX – Part 1

Purpose of this post is to share my experience with running NetScaler CPX from a Docker Image. Our objective is to implement a NetScaler CPX test/development platform as a Docker container based app.



In this post we will look into installing and configuring Docker, NetScaler CPX and DVWA container as a web backend for security test purposes. DVWA should NEVER be deployed on a Production web server, it is solely for security testing (Damn Vulnerable Web Application).
In the end of this post I will show how you could use Portainer as web UI for managing Docker containers.

In this part we are using SSH CLI/Commandline to manage our NetScaler CPX instance.
Next parts will focusing on using NMAS and Nitro API calls to manage NetScaler CPX instances.
A few notes:

  • Netscaler CPX images are managed by following methods:
    • CPX is configured by deploying configuration jobs from NMAS
    • CPX is configured by NITRO API
    • CPX is configured by Command Line (SSH CLI)


Why Container based?

  • Security
    • Segregration and isolation
    • Management and Traffic flow control 
  • Efficiency
    • Rapid app deployment
    • Portability across platforms (Platform independency – Build once, deploy anywhere)
    • Leightweight footprint with minimal overhead
  • Standardization and productivity
    • Consistency
    • Repeatable development, build, test and production environments
  • Return on Investment and reducing cost
  • Multi-Cloud
    • Microsoft Azure
    • Amazon AWS
    • Google Compute Platform GCP
    • OpenStack



Docker host:

  • Ubuntu Server 14.04 or later
  • 1 vCPU, 4GB memory at least
  • Internet connectivity (Repository)
  • NetScaler CPX has been downloaded from Citrix and uploaded to the Docker Host



Traffic Flow in NetScaler CPX

When you provision a NetScaler CPX instance on a Docker host, the Docker engine creates a virtual interface, eth0, on the CPX instance. This eth0 interface is directly connected to a virtual interface (veth*) on the docker0 bridge. Docker also assigns an IP address to the NetScaler CPX instance in the network

The default gateway for the CPX instance is the IP address of the docker0 bridge, which means that any communication with the NetScaler CPX instance is done through the Docker network. All incoming traffic received from the docker0 bridge is received by the eth0 interface on the NetScaler CPX instance and processed by the NetScaler CPX packet engine.

The following figure illustrates the architecture of a NetScaler CPX instance on a Docker host.


CPX Architecture and Traffic Flow

NetScaler CPX Licensing

License a NetScaler VPX by NMAS Configuration Job or from the NetScaler CPX API, see link below.

Docs Citrix NS CPX Licensing

Unlicensed CPX

Throughput = 20 Mpbs
SSL Connections = 250

Licensed CPX

Throughput = 1000 Mpbs
SSL Connections = 1500

Install Docker

Following method describes steps needed to install Docker CE (Community Edition) on Ubuntu Server:

Add Docker Repo:

Install Docker:

Load CPX Docker image:

Verify images and running containers:

Install and run CPX as Container:

Run “docker ps”

This shows the port mappings


Login with SSH :

ssh root@ -p 32770


Default login is root/linux.

Use COMMAND when the CPX container is accessed from SSH CLI, eg.: “show ip” will show configured NSIP and SNIP adresses.

Add additional IP at Docker Host:

ip addr add dev eth0

NAT rules with IP Tables

Create NAT Rule on Docker Host:

Restart container

Restart Docker Container:

Commit container changes

Commit changes made in Docker container:

docker commit CONTAINER-ID cpx:12.0-41.22

Start NetScaler CPX with access to host network

Use NetScaler CPX together with another Docker Container App

Deploy DVWA as a Docker Container

DVWA is a Security Test Web platform, primarily for Security Professionals. We use this as a basic web server here for testing Load Balancing and WAF functions in NetScaler CPX.

Use following command to download Damn Vulnerable Web App (DVWA) as a docker container.

Docker pull citizenstig/dvwa
docker run -d -p 80:80 citizenstig/dvwa

Configure NetScaler CPX with SSH

Login with with SSH:

ssh root@ -p 32770

Verify State is UP

Add non-addressable Load Balancer VIP as we will use a Content Switch in front:

Verify LB UP State:

Add Content Switch vServer:

Bind Policy to Content Switch vServer:

iptables -t nat -A PREROUTING -p ip -d -j DNAT –to-destination


Portainer as UI for Docker containers

Portainer is a simple lightweight management UI which allows you to easily manage your different Docker environments.

Portainer consists of a single container that can run on any Docker engine (deployed as Linux container or a Windows native container)

sudo docker run -d -p 9000:9000 –restart always -v /var/run/docker.sock:/var/run/docker.sock -v /opt/portainer:/data portainer/portainer

In this example I run NetScaler CPX inside Portainer.

Insert variable “EULA=yes” into CPX Container


Monitor simple performance stats:

Overview of containers:



Leave a Reply

Your email address will not be published. Required fields are marked *