
NetScaler Explained: Load Balancing and Security in One

29 December 2025 · 0x1m3 · 5 min read

NetScaler started as a load balancer. Over two decades, it evolved into a multi-function Application Delivery Controller (ADC) that handles traffic management, security, and now AI workload governance — all from a single appliance.

For network administrators and infrastructure teams, understanding what NetScaler does (and how its components work together) is essential for designing resilient, secure application delivery architectures.

The Core Functions

Load Balancing

At its foundation, NetScaler distributes incoming traffic across multiple backend servers. This ensures no single server becomes a bottleneck and provides high availability when individual servers fail.

NetScaler supports multiple load balancing algorithms:

- Round robin — Distributes requests sequentially across servers
- Least connections — Routes traffic to the server with the fewest active connections
- Least response time — Sends traffic to the server responding fastest
- URL hash — Routes requests for the same URL to the same server (useful for caching)
- Source IP hash — Maintains session persistence by routing the same client IP to the same server

Beyond basic distribution, NetScaler performs health monitoring. It checks backend servers at configurable intervals using TCP, HTTP, HTTPS, or custom monitors. When a server fails a health check, NetScaler removes it from the pool automatically and reintroduces it once it recovers.
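The five selection methods and the monitor behaviour described above, as an added illustration that is not NetScaler code: a small Python pool model where `probe()` is one monitor cycle (a server is marked DOWN after `retries` consecutive failures and brought back on the first successful probe) and `select()` applies the named method over the healthy servers only. The method names, the `retries` threshold and the probe callback are assumptions of this model.

```python
import hashlib
from dataclasses import dataclass

@dataclass
class Server:
    name: str
    active: int = 0        # currently open connections
    resp_ms: float = 0.0   # last measured response time
    failures: int = 0      # consecutive failed monitor probes
    up: bool = True

class Pool:
    """Backend pool with the five selection methods and a health monitor."""
    def __init__(self, servers, retries=3):
        # retries: failed probes before a server is marked DOWN; _rr: round-robin cursor
        self.servers, self.retries, self._rr = servers, retries, 0

    def probe(self, check):
        """One monitor cycle: check(server) is the TCP/HTTP probe. A server leaves
        the pool after `retries` failures in a row and returns on the next success."""
        for s in self.servers:
            if check(s):
                s.failures, s.up = 0, True
            else:
                s.failures += 1
                if s.failures >= self.retries:
                    s.up = False

    @staticmethod
    def _bucket(key, n):
        return int(hashlib.sha256(key.encode()).hexdigest(), 16) % n

    def select(self, method, client_ip="", url="/"):
        pool = [s for s in self.servers if s.up]   # DOWN servers are skipped
        if not pool:
            raise RuntimeError("no healthy backend available")
        if method == "ROUNDROBIN":
            s = pool[self._rr % len(pool)]
            self._rr += 1
        elif method == "LEASTCONNECTION":
            s = min(pool, key=lambda x: x.active)
        elif method == "LEASTRESPONSETIME":
            s = min(pool, key=lambda x: x.resp_ms)
        elif method == "URLHASH":
            s = pool[self._bucket(url, len(pool))]
        elif method == "SOURCEIPHASH":
            s = pool[self._bucket(client_ip, len(pool))]
        else:
            raise ValueError(f"unknown method {method}")
        return s.name
```

The two hash methods use plain modulo over the healthy list, so a server leaving or rejoining remaps some clients; a production ADC pairs hashing with a persistence table to avoid that.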

For Citrix Virtual Apps and Desktops (CVAD) environments, NetScaler load balances StoreFront servers, Delivery Controllers, and XML brokers — ensuring users always reach a healthy entry point.

SSL/TLS Offloading

Every HTTPS connection requires encryption and decryption. These cryptographic operations consume CPU resources on your application servers. SSL offloading moves that processing to NetScaler, which handles the TLS handshake and certificate management.

The backend servers receive unencrypted traffic (or re-encrypted traffic if you require end-to-end TLS), freeing their CPU for application logic. In high-traffic environments, this measurably improves application response times.

NetScaler also centralises certificate management. Instead of managing TLS certificates on every backend server, you manage them in one place. Certificate renewals, cipher suite configurations, and TLS version policies apply at the NetScaler layer.

Web Application Firewall (WAF)

NetScaler's integrated WAF inspects HTTP/HTTPS traffic and blocks common web application attacks:

- SQL injection — Blocks malicious database queries embedded in user input
- Cross-site scripting (XSS) — Prevents script injection into web pages
- Buffer overflow — Detects oversized requests designed to exploit memory vulnerabilities
- Cookie tampering — Protects session cookies from modification
- Form field consistency — Validates that form submissions match the expected structure

The WAF operates using both positive security (allowing only known-good patterns) and negative security (blocking known-bad signatures). For production web applications, a combined approach provides the strongest protection.

This is not a separate product requiring a separate deployment. The WAF runs on the same NetScaler appliance that handles load balancing and SSL offloading. One appliance, one management interface, one policy framework.
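The positive-security side of the two WAF checks above (form field consistency and cookie tampering), as an added Python illustration rather than NetScaler's own implementation: a per-URL schema of expected fields is enforced at the edge, and cookies set by the server are tagged with an HMAC so any client-side modification is detected before the backend sees it. The `/login` schema, the field limits and the key are constructed for the example.

```python
import hmac, hashlib, re
from urllib.parse import parse_qs

# Positive security: for each protected URL, the form fields the application is
# known to send, each with a maximum length and an allowed pattern. Anything
# outside this schema is rejected without needing a signature for the attack.
FORM_SCHEMA = {
    "/login": {"username": (64, r"[\w.@-]+"), "password": (128, r".+")},
}

def check_form_consistency(path, body):
    """Return None when the submission matches the schema, else the violation."""
    schema = FORM_SCHEMA.get(path)
    if schema is None:
        return "unexpected_form_url"
    fields = parse_qs(body, keep_blank_values=True)
    unexpected = set(fields) - set(schema)
    if unexpected:
        return f"unexpected_field:{sorted(unexpected)[0]}"
    for name, (max_len, pattern) in schema.items():
        values = fields.get(name)
        if not values:
            return f"missing_field:{name}"
        if len(values[0]) > max_len:
            return f"field_too_long:{name}"
        if not re.fullmatch(pattern, values[0], re.DOTALL):
            return f"field_pattern:{name}"
    return None

# Cookie consistency: the proxy appends an HMAC tag to each cookie the server
# sets and verifies it on the next request, so a client that edits the cookie
# is detected at the edge before the backend ever sees the modified value.
def sign_cookie(value, key):
    tag = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{tag}"

def verify_cookie(signed, key):
    """Return the original cookie value, or None if it was modified."""
    value, _, tag = signed.rpartition(".")
    expected = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(tag, expected) else None
```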

Content Switching and Rewrite

NetScaler can route requests to different backend server groups based on URL path, HTTP header, or domain name. An API request to /api/v2/ routes to your API servers. A request to /app/ routes to your web application servers. A request to cdn.yourdomain.co.za routes to your static content servers.

The rewrite engine modifies HTTP requests and responses in transit — adding headers, changing URLs, inserting security headers, or stripping sensitive information from responses.

The New Capability: AI Gateway

NetScaler AI Gateway is the most significant recent addition. As organisations deploy Large Language Models (LLMs) — whether self-hosted or accessed through APIs like Azure OpenAI — they face new traffic management challenges.

AI Gateway addresses these with:

- Token rate limiting — Controls the number of tokens consumed per user, application, or time period. This prevents runaway costs from uncontrolled LLM usage and ensures fair access across teams.
- Request routing — Distributes LLM requests across multiple model endpoints, applying the same load balancing intelligence NetScaler uses for traditional applications.
- Splunk integration — Streams AI Gateway telemetry to Splunk for monitoring, cost analysis, and usage reporting. Track which applications and users consume the most tokens, identify anomalous usage patterns, and correlate AI workload data with broader infrastructure metrics.
- Policy enforcement — Apply security policies to AI traffic, including authentication, authorisation, and content filtering.

For organisations running Citrix environments alongside AI workloads, this means a single NetScaler appliance manages both traditional application delivery and LLM traffic governance.
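Token rate limiting, endpoint routing and per-request telemetry as described above, in an added Python model that is not AI Gateway code: each key (user or application) gets a sliding-window token budget, a request is pre-checked on an estimated token count and debited with the count the model actually reports, and every decision produces an event of the kind that would be streamed to a SIEM. The four-characters-per-token estimate, the endpoint names and the `call` callback are assumptions of the example.

```python
from collections import defaultdict, deque

class TokenRateLimiter:
    """Sliding-window budget of LLM tokens per key (user, app or team):
    at most `limit` tokens in any `window` seconds."""
    def __init__(self, limit, window=60.0):
        self.limit, self.window = limit, window
        self._hist = defaultdict(deque)   # key -> deque of (timestamp, tokens)

    def _used(self, key, now):
        q = self._hist[key]
        while q and q[0][0] <= now - self.window:   # expire usage outside the window
            q.popleft()
        return sum(t for _, t in q)

    def admit(self, key, estimated_tokens, now):
        # Pre-check on an estimate so one oversized prompt cannot overrun the budget.
        return self._used(key, now) + estimated_tokens <= self.limit

    def record(self, key, tokens, now):
        # Debit the tokens the model actually reported after the call.
        self._hist[key].append((now, tokens))

    def remaining(self, key, now):
        return max(0, self.limit - self._used(key, now))

def estimate_tokens(prompt):
    # Rough pre-call heuristic (assumption): about four characters per token.
    return max(1, len(prompt) // 4)

class AIGateway:
    """Applies the token budget, then round-robins across model endpoints."""
    def __init__(self, limiter, endpoints):
        self.limiter, self.endpoints, self._rr = limiter, endpoints, 0

    def handle(self, key, prompt, call, now):
        """call(endpoint, prompt) performs the model request and returns the
        token count from its usage report. Returns a telemetry event (the kind
        of record that would be streamed to Splunk) for every decision."""
        if not self.limiter.admit(key, estimate_tokens(prompt), now):
            return {"key": key, "status": 429, "endpoint": None, "tokens": 0,
                    "remaining": self.limiter.remaining(key, now)}
        ep = self.endpoints[self._rr % len(self.endpoints)]
        self._rr += 1
        tokens = call(ep, prompt)
        self.limiter.record(key, tokens, now)
        return {"key": key, "status": 200, "endpoint": ep, "tokens": tokens,
                "remaining": self.limiter.remaining(key, now)}
```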

How It All Fits Together

In a typical enterprise deployment, NetScaler sits at the network edge — between your users and your applications:

1. User request arrives → NetScaler terminates the TLS connection (SSL offloading)
2. WAF inspects the request → Blocks malicious traffic before it reaches backend servers
3. Content switching evaluates the URL → Routes the request to the correct server group
4. Load balancing selects a server → Distributes the request based on algorithm and health status
5. Response returns → Rewrite engine applies response policies (security headers, content modification)
6. Response delivered → NetScaler encrypts and returns the response to the user

For Citrix CVAD and DaaS environments, NetScaler provides Gateway services — the secure entry point for remote users accessing virtual desktops and applications. It handles authentication (including multi-factor authentication), micro-VPN connections, and session management.

Deployment Options

NetScaler is available as:

- Hardware appliance (MPX) — Dedicated hardware for high-throughput environments
- Virtual appliance (VPX) — Runs on VMware, Hyper-V, Citrix Hypervisor, Nutanix AHV, or cloud platforms
- Cloud-native (CPX) — Containerised NetScaler for Kubernetes environments
- Managed service (SDX) — Multi-tenant hardware platform for service providers

For South African organisations, VPX on local infrastructure or cloud-hosted VPX in Azure South Africa regions are the most common deployment models.

OAS and NetScaler

OAS has deployed and managed NetScaler across South African enterprises for over two decades. As a Citrix Platinum Partner, OAS provides NetScaler design, deployment, and ongoing management — from basic load balancing configurations to full ADC deployments with WAF, AI Gateway, and Citrix CVAD integration.

---

NetScaler protects your applications, balances your traffic, and now manages your AI. All in one.
