NetScaler Console Cloud Connect
NetScaler Console Cloud Connect establishes a secure, outbound connection from NetScaler Console on-prem to NetScaler Console service through Citrix Cloud™ to enable cloud‑delivered capabilities on NetScaler Console on-prem.
You can configure Cloud Connect to use the following features in NetScaler Console on-prem:
- LAS‑Based Licensing (Entitlement Delivery) - When Cloud Connect is enabled on NetScaler Console on-prem and the deployment is running LAS‑compatible versions, LAS is automatically enabled. Licensing entitlements are retrieved and renewed automatically. For more information, see License Activation Service.
- Asset Delivery - Asset delivery provides encrypted signature updates and encrypted schema updates for the inbuilt WAF profiles that secure incoming requests for authentication, authorization, auditing, VPN, and GUI components. Asset delivery is enabled by default when Cloud Connect is enabled. If necessary, administrators can disable it. For more information, see Web App Firewall protection for VPN virtual servers and authentication virtual servers.
- Upgrade Advisory - To use upgrade advisory on NetScaler Console on-prem, Cloud Connect must be enabled. Enabling Cloud Connect allows NetScaler Console to retrieve the latest build information and compare it with the builds of managed NetScaler instances, which helps identify instances that are EOL, EOM, or running older builds. Upgrade Advisory is enabled by default when Cloud Connect is enabled. If necessary, administrators can disable it. For more information, see Upgrade advisory.
- ServiceNow Integration - This integration uses the Citrix ITSM connector to communicate between NetScaler Console and the ServiceNow instance. The ServiceNow integration with NetScaler Console uses the ITSM Adapter service for token-based authentication. For more information, see Integrate NetScaler Console with the ServiceNow instance.
Prerequisites
Before you configure Cloud Connect, ensure that you have the following prerequisites:
- Ensure that NetScaler Console on-prem has an internet connection or a configured proxy server so that it can reach Citrix Cloud.
- The laptop or the machine used to access NetScaler Console for Cloud Connect configuration must have internet connectivity during the initial setup.
- Ensure that a NetScaler Console service account is available.
  - Step 1: Create a Citrix Cloud account or sign in using an existing Citrix Cloud account. For more information on how to create a Citrix Cloud account, see Create a Citrix Cloud account.
  - Step 2: Create a NetScaler Console service tenant by managing NetScaler Console service. For more information on how to manage NetScaler Console service, see Getting started.
- Ensure that you have allowed access for the following endpoint URLs:

| Service | URLs for Government cloud | URLs for APAC, EU, and US regions | URLs for Japan | Why is it needed? |
|---|---|---|---|---|
| Trust Service | *.citrixnetworkapi.us | - | - | Used to establish trust between NetScaler Console on-prem and Citrix Cloud services. |
| | trust.citrixnetworkapi.us | trust.citrixnetworkapi.net | trust.citrixnetworkapi.jp | |
| Service URLs | *.agent.adm.cloud.us | *.agent.adm.cloud.com | *.agent.adm.citrixcloud.jp | These are the NetScaler Console service endpoints used for Cloud Connect operations. NetScaler Console on-prem initiates outbound communication to these endpoints for cloud‑delivered capabilities. |
| | *.adm.cloud.us | *.adm.cloud.com | *.citrixnetworkapi.jp | |
| | adm.cloud.us | adm.cloud.com | *.adm.citrixcloud.jp | |
| | - | netscalermas.cloud.com | adm.citrixcloud.jp | Used to fetch customer details like endpoint, pop name. |
| Citrix Cloud™ connectivity | citrix.cloud.us | Citrix.cloud.com | citrix.citrixcloud.jp | Required for authentication and tenant selection during Cloud Connect onboarding. |
| | accounts.cloud.us | Accounts.cloud.com | accounts.citrixcloud.jp | |

- Ensure that you disable the pop-up blocker in the browser from where you access NetScaler Console on-prem GUI.
- (Only applicable to Government Cloud) Perform the following steps on NetScaler Console on-prem to connect to Government Cloud region endpoints. On the shell of NetScaler Console on-prem, run the following commands:

  ```
  cd /mps/python/util/
  python consoleService.py --region gov
  ```

  Note: These commands restart the NetScaler Console processes.
- (Only applicable to Japan Cloud users) Perform the following steps on NetScaler Console on-prem to connect to Japan region endpoints. On the shell of NetScaler Console on-prem, run the following commands:

  ```
  cd /mps/python/util/
  python consoleService.py --region japan
  ```

  Note: These commands restart the NetScaler Console processes.
- Configure the following ports:
  - 443 (NetScaler Console on-prem/proxy to Cloud)
  - 80 (NetScaler Console on-prem to proxy)
- Disable the browser pop‑up blocker for the NetScaler Console GUI host used to configure Cloud Connect.
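The endpoint and port prerequisites above can also be used to review what the proxy actually saw from the Console. The following is an added example, not part of the product or the original documentation: it checks proxy log lines against the APAC, EU, and US column of the endpoint table. The log format, the source IP, and the sample host names in `SAMPLE_LOG` are constructed assumptions, and destinations it reports are candidates for review rather than confirmed problems.

```python
"""Audit proxy egress from NetScaler Console on-prem against the documented endpoints."""
from fnmatch import fnmatchcase

# Endpoint patterns from the prerequisites table (APAC, EU, and US column only),
# lower-cased because host names are case-insensitive.
REQUIRED = {
    "commercial": [
        "trust.citrixnetworkapi.net", "*.agent.adm.cloud.com", "*.adm.cloud.com",
        "adm.cloud.com", "netscalermas.cloud.com", "citrix.cloud.com",
        "accounts.cloud.com",
    ],
}
ALLOWED_PORTS = {443}  # Console on-prem/proxy to cloud, per the port list

# Constructed sample. Assumed format: "<action> <source-ip> CONNECT <host>:<port>"
SAMPLE_LOG = """\
ALLOW 10.0.5.20 CONNECT trust.citrixnetworkapi.net:443
ALLOW 10.0.5.20 CONNECT eu1.agent.adm.cloud.com:443
DENY 10.0.5.20 CONNECT accounts.cloud.com:443
ALLOW 10.0.5.20 CONNECT adm.cloud.com.example.net:443
ALLOW 10.0.5.20 CONNECT Citrix.cloud.com:8443
ALLOW 10.0.9.9 CONNECT example.org:443
"""

def is_documented(host, region="commercial"):
    """True if host matches a documented pattern; suffix lookalikes do not match."""
    host = host.lower().rstrip(".")
    return any(fnmatchcase(host, pattern) for pattern in REQUIRED[region])

def audit(log_text, console_ip, region="commercial"):
    """Return (finding, destination) pairs for traffic sourced from console_ip."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[1] != console_ip or parts[2] != "CONNECT":
            continue
        action, dest = parts[0], parts[3]
        host, _, port = dest.rpartition(":")
        ok = port.isdigit() and int(port) in ALLOWED_PORTS and is_documented(host, region)
        if action == "DENY" and ok:
            findings.append(("blocked-required", dest))       # breaks Cloud Connect
        elif action == "ALLOW" and not ok:
            findings.append(("undocumented-destination", dest))  # review this egress
    return findings
```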
Configure Cloud Connect
Workflow 1 – New User (No Citrix Cloud Account and no NetScaler Console service tenant)
- Create a Citrix Cloud account. For more information, see Create a Citrix Cloud account.
- Sign in to the Citrix Cloud account and click the NetScaler Console service tile. Upon successful login, the page redirects to the NetScaler Console service tenant creation steps.
  - Select a region that suits your business needs and click Done.
  - Select a role and finish the setup. For more information, see Getting started.
- Log in to NetScaler Console on-prem and click the Cloud icon > Get Started.
- Click Connect to NetScaler Console service.
- Log in to your Citrix Cloud account.
- Select your account name to complete the login.
- You are greeted with a “Login Successful” message.
- The Cloud Connect configuration is complete, and Cloud Connect shows a Connected status. You can proceed further to enable integrations such as ServiceNow from the Cloud Connect configuration page.
Workflow 2 – Citrix Cloud account exists but NetScaler Console service tenant does not exist
- Sign in to the Citrix Cloud account and click the NetScaler Console service tile. Upon successful login, the page redirects to the NetScaler Console service tenant creation steps.
  - Select a region that suits your business needs and click Done.
  - Select a role and finish the setup. For more information, see Getting started.
- In NetScaler Console, click the Cloud icon > Get Started.
- Click Connect to NetScaler Console service.
- Log in to your Citrix Cloud account.
- Select your account name to complete the login.
- You are greeted with a “Login Successful” message.
- The Cloud Connect configuration is complete, and Cloud Connect shows a Connected status. You can proceed further to enable integrations such as ServiceNow from the Cloud Connect configuration page.
Workflow 3 - Citrix Cloud account and NetScaler Console service tenant exist
- In NetScaler Console, click the Cloud icon > Get Started.
- Click Connect to NetScaler Console service.
- Log in to your Citrix Cloud account.
- Select your account name to complete the login.
- You are greeted with a “Login Successful” message.
- The Cloud Connect configuration is complete, and Cloud Connect shows a Connected status. You can proceed further to enable integrations such as ServiceNow from the Cloud Connect configuration page.
Proxy configuration support for Cloud Connect
Cloud Connect supports both unauthenticated and authenticated proxy servers. Proxy server configuration is optional.
Note:
- Starting from NetScaler Console release 14.1-66.x, Cloud Connect supports SSL interception for explicit proxy deployments. Upload the proxy’s CA certificate to establish trusted communication. For information on managing certificates for proxy-enabled configurations with SSL inspection, see Manage CA certificate.
Basic authentication type is supported.
The following proxy configuration types are supported:
- Explicit forward proxy (Non‑Intercepting)
- Explicit SSL‑intercepting proxy
- Transparent SSL‑intercepting proxy
For more information on the proxy configuration types, see Proxy configuration support.
- On the Cloud Connect configuration page, click Click to configure proxy server.
- Enable the proxy and enter the IP/FQDN and port.
- If necessary, add a Username and Password.
Cloud Connect status and refresh behavior
Cloud Connect Status
Cloud Connect status reflects the current health of the connection between NetScaler Console on-prem and Citrix Cloud. The supported states are:
- Connected – The connection is healthy and operating normally.
- Disconnected – The connection is intentionally disconnected.
- Pending – Cloud Connect is in the process of being established.
- Error – An issue is detected with the Cloud Connect connection.
Refresh Cloud Connect Status
Cloud Connect status is automatically refreshed every six hours. Administrators can also use Refresh Cloud Connect Status to trigger an immediate status update.
The refresh action verifies the reachability of the required cloud service URLs.
Cloud Connect diagnostics
The Check Connectivity diagnostic tool helps administrators troubleshoot connectivity issues between NetScaler Console on-prem and NetScaler Console service.
The Check Connectivity tool performs the following checks:
- Reachability checks for all required Cloud Connect service endpoints.
- Validation of connectivity through configured proxy settings, if applicable.

The diagnostic results include the following information:
- Each service URL is displayed as “Reachable” or “Not Reachable”.
- Any failures are surfaced directly in the UI with descriptive error messages.

After resolving network or proxy issues, administrators must perform the following actions:
- Re‑run Check Connectivity.
- Use Refresh Cloud Connect Status to update the overall connection state.

You can run Check Connectivity by entering the CCID, even if Cloud Connect is not yet fully established or connected. This step helps confirm that all prerequisites are met before connecting to Cloud Connect.
To run the check, click Check Connectivity and enter the CCID.

Click View prerequisites to view all the prerequisites for Cloud Connect.

Error handling and messaging
Based on diagnostics and proxy validation, the following errors might be observed:
- SSL certificate verification failed – Indicates a missing or invalid proxy CA certificate. This error occurs when an SSL‑intercepting proxy is used and the proxy CA certificate is not uploaded to the Console.
- Required service URL not reachable – Indicates that the proxy configuration is not functioning correctly or the required URLs are not allowed on the network.
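To tell these two failures apart from any machine on the same network path, the following added example (not the product's Check Connectivity tool and not code from the original page) probes the concrete hosts from the prerequisites table, directly or through an explicit proxy, and maps the result to the two error classes above. The function names and the `cafile` parameter are assumptions of this example; wildcard entries cannot be probed and are omitted.

```python
"""Pre-check Cloud Connect endpoints directly or through an explicit proxy."""
import base64
import http.client
import ssl

# Concrete (non-wildcard) hosts from the prerequisites table, APAC/EU/US column.
HOSTS = ["trust.citrixnetworkapi.net", "adm.cloud.com", "netscalermas.cloud.com",
         "citrix.cloud.com", "accounts.cloud.com"]

def classify(exc):
    """Map a probe exception to the two error classes the page describes."""
    # SSLCertVerificationError is also an OSError, so it must be tested first.
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "SSL certificate verification failed"
    if isinstance(exc, (OSError, http.client.HTTPException)):
        return "Required service URL not reachable"
    raise exc

def proxy_headers(user=None, password=None):
    """Build the CONNECT header for Basic, the proxy auth type the page lists."""
    if user is None:
        return {}
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Proxy-Authorization": f"Basic {token}"}

def probe(host, proxy=None, cafile=None, user=None, password=None, timeout=10):
    """Return 'Reachable' or one of the two error strings for https://host/."""
    # cafile: CA certificate of the SSL-intercepting proxy, when inspection is on.
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        if proxy:  # proxy = (host, port) of an explicit forward proxy
            conn = http.client.HTTPSConnection(proxy[0], proxy[1],
                                               timeout=timeout, context=ctx)
            conn.set_tunnel(host, 443, headers=proxy_headers(user, password))
        else:
            conn = http.client.HTTPSConnection(host, 443, timeout=timeout, context=ctx)
        conn.request("HEAD", "/")
        conn.getresponse()  # any HTTP status proves TCP and TLS succeeded
        conn.close()
        return "Reachable"
    except Exception as exc:
        return classify(exc)

if __name__ == "__main__":
    for h in HOSTS:
        print(f"{h:32} {probe(h)}")
```

A run that returns "SSL certificate verification failed" without `cafile` and "Reachable" with the proxy's CA file confirms that SSL interception is in the path and that the same CA certificate must be uploaded to the Console.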

Notifications for Cloud Connect status
NetScaler Console generates notifications to inform administrators about changes in the Cloud Connect status. These notifications alert administrators to connectivity issues that might impact features that depend on Cloud Connect, such as upgrade advisory, asset delivery, telemetry‑based services, and integrations.
Cloud Connect notifications are triggered when there is a change in the connection state between NetScaler Console on-prem and Citrix Cloud, including:
- When Cloud Connect transitions from Connected to Disconnected or Error
- When Cloud Connect transitions from Disconnected or Error back to Connected
You can also view the Cloud Connect status events under Settings > System Events.


Notification frequency
If Cloud Connect remains in a Disconnected or Error state, notifications are sent every six hours. When Cloud Connect connectivity is restored, a single notification is sent to indicate recovery.
Notification channels
Cloud Connect notifications are delivered through the standard NetScaler Console notification framework and can be configured using System Event Notifications. Supported notification channels include:
- Slack
- PagerDuty
- ServiceNow
Managing notifications
Cloud Connect status notifications are enabled by default. You can disable the email notifications if necessary. To disable email notifications:
- Navigate to Settings > Administration > Configure Event Notification and Digest.
- Under Event Notification > Configure System Notifications, search for CloudConnectStatus.
- Remove the CloudConnectStatus system event category and click Save.

Data collected through Cloud Connect
Important:
Cloud Connect is not the channel for the NetScaler telemetry program. Telemetry is collected using an auto‑enabled channel. For telemetry related information, see NetScaler telemetry program.
When Cloud Connect is enabled on NetScaler Console on-prem and you are on LAS‑compatible versions, LAS is automatically enabled. For details on the information collected as part of the LAS-related workflow, see License Activation Service.
Troubleshooting Cloud Connect connectivity issues
- Issue: Pop‑up blocked during sign‑in
  Solution: Disable the browser pop‑up blocker and retry Cloud Connect onboarding.
- Issue: Endpoints blocked
  Solution: Verify allow‑listing for the Download/Trust/Service and Citrix Cloud domains (or Japan region equivalents).
- Issue: LAS grace period warnings
  Solution: Ensure that NetScaler Console on-prem can reach Citrix Cloud (direct or proxy). The entitlement blob auto‑refreshes; repeated failures trigger the grace period and alerts.
Other options
After you enable Cloud Connect, you can use the following options:
- Modify Tenant - Enables you to change the existing tenant. When you click Modify Tenant, you are redirected to a new tab and must sign in to Citrix Cloud. After successful login, you can select a different tenant.
- Modify Proxy - Enables you to configure the proxy settings in NetScaler Console on-prem. This action is required when NetScaler Console does not have direct access to the internet through the management network. Click Modify Proxy from the list, update the details, and then click Save.
- Disconnect - Disables the Cloud Connect feature. If you choose to disable it, all the features enabled as part of Cloud Connect stop working. To disable, click Disconnect from the list.
Build‑Specific feature behavior
The following table provides the feature availability through Cloud Connect in different NetScaler Console on-prem builds:
| Build | Feature available in Cloud Connect | Action required | Data collection through Cloud Connect |
|---|---|---|---|
| 14.1 66.x and later | LAS-based licensing, ServiceNow Integration, Asset Delivery, Upgrade Advisory | Configure Cloud Connect | No |
| 14.1 56.x and later | LAS-based licensing, ServiceNow Integration, Asset Delivery | Configure Cloud Connect | No |
| 14.1 51.x and later | LAS-based licensing, ServiceNow Integration | Configure Cloud Connect | No |
| 14.1-25.x and later | ServiceNow Integration | Configure Cloud Connect and enable ServiceNow Integration. | No |
| Between 14.1-8.x and 14.1-21.x | Security Advisory and ServiceNow Integration | Configure Cloud Connect and enable the feature | Yes. After configuring Cloud Connect. For more information, see Data governance for Cloud Connect |
| 14.1-4.x or earlier | NA | NA | NA |
FAQs
- Does Cloud Connect push configuration to my NetScaler instances?
  No. Cloud Connect does not push configuration to NetScaler instances; it only enables cloud‑delivered services to NetScaler Console on-prem and facilitates license or asset delivery.
- Is there any inbound connectivity from Citrix Cloud to my environment?
  No. Cloud Connect uses outbound‑only communication initiated from NetScaler Console on-prem.
- Is it required to migrate NetScaler instances to NetScaler Console service?
  No. You don’t need to migrate instances to NetScaler Console service to use Cloud Connect features.
- Which proxy authentication types are supported?
  Cloud Connect can be used through a proxy. Both Basic authentication and unauthenticated proxy configurations are supported.
- Is Security Advisory still enabled through Cloud Connect?
  Only on specific older 14.1 builds (8.x to 21.x). In later builds, Cloud Connect primarily enables features as described in this topic. From build 14.1 25.x onwards, Security Advisory can be used through an auto-enabled channel. For more information, see Automated telemetry collection mode.