NetScaler Console service

Data governance

NetScaler Console service is a part of Citrix Cloud services, and it uses Citrix Cloud as the platform for signup, onboarding, authentication, administration, and licensing. Citrix collects and stores data in Citrix Cloud as part of the NetScaler Console service. This document describes what data is collected and methods of data collection, storage, and transmission.

For more information about data protection practices at Citrix, see Citrix Cloud Services Data Protection Overview.

This information is for Security Officers, Compliance Officers, Information Auditors, Network Infrastructure and Operations administrators, and line-of-business owners.

NetScaler telemetry program

The NetScaler telemetry program is enabled in NetScaler Console service from 14.1-28.x build. With this program, the required data is automatically uploaded. For more information about the required telemetry collected, see Data Governance for NetScaler Telemetry.

How do we collect, store, and transmit data?

NetScaler Console service collects data from the managed instances and agents. These instances are deployed in the customer’s premises and data is transmitted from the agent (deployed in the customer’s premise) securely over an SSL channel encrypted using TLS 1.2 protocol to the cloud.

Data is stored in Relational database with multitenant data isolation at the database layer and as files in Elastic File System (EFS) hosted in AWS cloud in the United States, EMEA (Frankfurt), and APJ (Sydney) – depending on the Point of Presence (POP) chosen by the customer. All PoPs are hosted in AWS Commercial regions.

Passwords, SNMP community strings, SSL certificates, and NetScaler config backup are encrypted using a unique per tenant AES 256 key, and stored securely in the database. For more information on the commercial regions that Citrix Cloud uses and the presence of the NetScaler Console service within each region, see Geographical Considerations.

Data categories

For data handling practices, the data is classified into:

  • Customer Content - Any data uploaded to Customer’s account for storage or data in Customer’s computing environment to which NetScaler is provided access to perform certain Services.

  • Logs - Include records of Services, including, but not limited to:

    • Data and information on performance, stability, usage, security, support

    • Technical information about devices, systems

Customer content

The NetScaler Console Service collects information from various sources:

  • NetScaler

  • NetScaler Gateway

  • NetScaler Web App Firewall (WAF) and Bot Management

NetScaler Console Service also collects information about administrator’s session and activity details in addition to the information mentioned in logs.


Logs are used to facilitate the provisioning of software updates, license authentication, support, analytics, and other purposes consistent with Citrix User Agreements.

Metadata and telemetry Logs collected include:

  • NetScaler Service agent hypervisor or public cloud platform or both agent hypervisor and public cloud platform

  • Agent geographical location

  • NetScaler version

  • NetScaler product type

  • Licensing info (Express and subscription)

  • Usage of cloud service by the NetScaler Console admin (thereby improving the admin user experience).

Detailed customer content and logs

  • Event Management (Login > Infrastructure > Events)

    • SNMP traps providing alerts on state and performance of the NetScaler network.

    • Syslog of Web transactions traversing through NetScaler network state information.

    • SMS server, Slack, and PagerDuty profile details for triggering SMS/Slack notifications of events.

    • SMTP server details for email configuration.

    • ServiceNow profile details for creating tickets in ServiceNow.

  • SSL Certificate Management (Login > Infrastructure > SSL Dashboard)

    • SSL certificates, SSL key, SSL CSR, CA issuer, and signature algorithms of the Web apps optimized by the NetScaler instance.
  • Configuration Audit (Login > Infrastructure > Configuration > Configuration Audit)

    • Data Tracking for NetScaler Configuration Audit changes pertaining to the NetScaler instances, which include Web app server IP address and NetScaler IP address details.
  • Configuration Jobs (Login > Infrastructure > Configuration > Configuration Jobs)

    • NetScaler Configuration details, instance IP address, and Web app server IP address details.
  • StyleBooks (Login > Applications > Configuration > StyleBooks)

    • NetScaler configurations stored as a template, which include Web app server IP address details.
  • Instance Management (Login > Infrastructure > Instances)

    • IP address of the NetScaler instances, NetScaler instance type, NetScaler config backup, NetScaler critical events, and geolocation of the data center where the NetScaler instance is deployed (if configured).
  • Infrastructure Analytics (Login > Infrastructure > Infrastructure Analytics)

    • IP address of the NetScaler instances, NetScaler instance type, NetScaler critical events, number of apps associated, and geolocation of the data center where the NetScaler instance is deployed (if configured).
  • Applications (Login > Applications)

    • App Dashboard: applications URL, request method, response code, total Bytes, Web app server details, virtual server IP addresses, client details, browser, client OS, client device, SSL protocol, SSL cipher strength, SSL key strength, NetScaler instance IP address, timestamp of server flaps, and response content type.
  • Analytics (AppFlow/ Logstream)

    • Web Insights (Login > Applications): Virtual server IP address, clients, URLs, browsers, operating systems, requests methods, response statuses, domains, Web app server IP address, SSL certificates, SSL cipher negotiated, SSL key strength, SSL protocol, and SSL failure frontend.

    • HDX Insight (Login > Gateway): ICA user details, ICA application details, VDA server details, desktop details in HDX Insight, geolocation details of app client, HDX active session details, VPN licenses for HDX, client NetScaler IP address, client type, and version.

    • Gateway Insight (Login > Gateway): User details, application details, browsers, operating systems, session modes, Gateway licenses, AAA server details, and AAA policy configured on Gateway.

    • Security Violations (Login >Security): Client IP, URL, security violations (WAF and Bot), attack geolocation, attack timestamp, transaction ID, WAF, and NetScaler security configuration status.

    • API Analytics (Login > Security > API Gateway): Information on API Instances, API Endpoints, total bandwidth, API performance information, total request, response time, errors. Ability to drill down further into each API Instance to get visibility into individual API endpoints, performance. Security related to Auth success, failures; Rate-limiting, SSL cipher, protocol information, and SSL errors.

  • Security Advisory (Login > Infrastructure > Instance Advisory > Security Advisory)

    • Version scan: This scan needs NetScaler Console to compare the version of an NetScaler instance with the versions and builds on which the fix is available. This version comparison helps NetScaler Console security advisory identify whether the NetScaler is vulnerable to the CVE. The underlying logic for this scan is if a CVE is fixed on NetScaler release and build xx.yy, all the NetScaler instances on builds lesser than xx.yy build are considered vulnerable. Version scan is supported today in security advisory.

    • Configuration scan: This scan needs NetScaler Console to match a pattern specific to the CVE scan with NetScaler config file. If the specific config pattern is present in the NetScaler ns.conf file, the instance is considered vulnerable for that CVE. This scan is typically used with version scan.

      Configuration scan is supported today in security advisory.

    • Custom scan: This scan needs NetScaler Console service to connect with the managed NetScaler instance, push a script to it, and run the script. The script output helps NetScaler Console identify whether the NetScaler is vulnerable to the CVE. Examples include specific shell command output, specific CLI command output, certain logs, and existence or content of certain directories or files. Security Advisory also uses custom scans for multiple config patterns matches, if config scan cannot help with the same. For CVEs that require custom scans, the script runs every time your scheduled or on-demand scan runs. Learn more about the data collected and options for specific custom scans in the Security Advisory documentation for that CVE.


The Citrix Services Security Exhibit describes in-depth the security controls applied to Citrix Cloud Services, including access and authentication, system development and maintenance, security program management, asset management, encryption, operations management, HR security, physical security, business continuity, and incident management.

The security of Citrix Cloud products is controlled by encryption and key management policies. Refer to the Security Development Processes whitepaper for more details on how Citrix employs security throughout its product development lifecycle.

Data retention policy for NetScaler Console Service

Data such as statistical measures, dashboards, reports, alerts, events, and logs within the NetScaler Console, and login details are retained for the period the customer subscribes to the service. The user account then converts to an Express account where the user can manage only two virtual servers.

The Express account has a capacity of 500 MB or 1-day of Analytics/Reporting data, whichever limit the account reaches first. If an Express account is not used, or the customer does not log in to the account for more than 30 days, the account and all associated Customer Content are automatically deleted.

For more information about data retention and deletion for Citrix Cloud Services accounts, see the Citrix Cloud Services Data Protection Overview.


All Analytics data in NetScaler Console is retained for a maximum period of 30 days.

Third-party services

The NetScaler Console Service is hosted within Amazon Web Service (AWS) data centers in the United States, EMEA (Frankfurt) and APJ (Sydney) regions – depending on the Point of Presence (POP) chosen by the customer.

Currently, the NetScaler Console Service uses services and APIs from various third-party technologies:

  • Services used for product functionality:

    • Google Maps, AWS EFS, AWS RDS, AWS Elastic Cache, AWS ALB, AWS Route 53, AWS EKS, AWS Secret Manager, AWS ECR repository, and AWS MSK.
  • Third-party services and tools used for monitoring and operating NetScaler Console include:

    • PagerDuty for on-call rotation

    • Log analysis with Splunk

    • Fluentd for log aggregation

    • Slack for communication and alerting

    • AWS Cloudwatch, SQS

    • S3 as storage area in AWS –for storing core files and metrics

    • Prometheus and Grafana for monitoring (in Honeycomb deployment)


Data governance