Citrix CCA-N: Certified Associate - Networking Practice Exam

What the Citrix CCA-N exam covers

• Citrix ADC Architecture and Fundamentals130 questions
• Citrix ADC Platform and Setup130 questions
• Load Balancing130 questions
• SSL/TLS Offload130 questions
• Citrix Gateway and Secure Access130 questions
• Citrix ADC Security and Management130 questions

Free Citrix CCA-N sample questions

A sample of 10 questions with answers and explanations. Sign up free to practice all 780.

1. Question 1Citrix ADC Architecture and Fundamentals

   A company wants to terminate HTTPS connections on Citrix ADC so that the back-end web servers receive decrypted HTTP traffic and are relieved of the CPU cost of cryptographic processing. Which Citrix ADC feature directly addresses this requirement?

   • ASSL offloadCorrect
   • BContent switching
   • CIntegrated caching
   • DCitrix Gateway
   ✓ Correct answer: A

   SSL offload configures Citrix ADC to terminate the client SSL/TLS session at the appliance, decrypt the traffic, and forward it to the back-end servers as plain HTTP. The expensive asymmetric and symmetric cryptographic operations are handled by the ADC, often accelerated by dedicated SSL hardware on MPX platforms, which frees back-end server CPU for application processing and centralizes certificate management on the appliance.

   Why the other options are wrong

   • BContent switching directs requests to different back-end groups based on request content such as URL or host header, but it does not decrypt SSL or relieve servers of cryptographic load.
   • CIntegrated caching stores and serves static and dynamic content from the ADC to reduce origin load, which is unrelated to terminating encryption.
   • DCitrix Gateway provides secure remote access for users connecting to internal resources, not generic server-side SSL termination for a load-balanced web tier.
2. Question 2Citrix ADC Architecture and Fundamentals

   An administrator wants to restrict which source networks can reach the Citrix ADC management interface. Which ADC-owned IP address should the management ACLs and access rules primarily protect?

   • AThe NSIPCorrect
   • BThe VIP
   • CThe SNIP used for server traffic
   • DThe GSLB site IP
   ✓ Correct answer: A

   Because the NSIP is the management address that hosts the GUI, SSH, and NITRO API, restricting management access centers on controlling who can reach the NSIP. Administrators use extended ACLs, the nsip management access settings, and source-network restrictions to ensure only trusted subnets can connect to the management plane. Protecting the NSIP limits the attack surface against the appliance's administrative interfaces.

   Why the other options are wrong

   • BThe VIP is meant to be reachable by clients for application access and is not the management interface to lock down.
   • CThe SNIP used for server traffic is part of the data plane and only needs management protection if management access has been explicitly enabled on it.
   • DThe GSLB site IP is for inter-site metric exchange and is unrelated to administrative management access.
3. Question 3Citrix ADC Platform and Setup

   An administrator is setting up high availability on a new Citrix ADC pair. Over which IP address do the two HA nodes perform configuration synchronization and command propagation by default?

   • AThe VIP of the primary node
   • BThe NSIP of each nodeCorrect
   • CA shared floating SNIP
   • DThe default gateway address
   ✓ Correct answer: B

   In a Citrix ADC high availability pair, configuration synchronization and command propagation between the primary and secondary nodes occur over the NSIP (management) addresses of each node. Both NSIPs must reside in the same subnet and be mutually reachable for HA sync and propagation to function. The NSIP is the management and HA-control address, which is why each appliance in a pair must have a unique NSIP.

   Why the other options are wrong

   • AThe VIP of the primary node is a client-facing service address used to receive application traffic and is not the address over which HA configuration synchronization occurs.
   • CThere is no single shared floating SNIP dedicated to carrying HA sync traffic; SNIPs are used for server-side data communication and float between nodes for application continuity, not for control-plane sync.
   • DThe default gateway address is the next-hop router used for forwarding data traffic and is not the address over which the HA pair exchanges configuration synchronization messages.
4. Question 4Citrix ADC Platform and Setup

   An administrator does not want to lose unsaved running-configuration changes when logging out of the Citrix ADC GUI. Which built-in behavior helps ensure changes are committed to ns.conf before the session ends?

   • AThe 'Prompt Credentials for Live Capture'/logout 'prompt to save the configuration' behavior surfaced in GUI System SettingsCorrect
   • BDeleting the ns.conf file so the ADC saves continuously
   • CDisabling the management VLAN
   • DSwitching the appliance to Express edition
   ✓ Correct answer: A

   The Citrix ADC does not auto-save the running configuration on every change; the running configuration is only persisted to ns.conf when an explicit save occurs via the 'save ns config' command, the GUI Save button, or a logout-time save prompt. The GUI surfaces a prompt-to-save behavior so that an administrator about to log out is reminded to commit unsaved changes rather than lose them on the next reboot. This is an operational reminder and the administrator must still perform the actual save action when prompted.

   Why the other options are wrong

   • BDeleting the ns.conf file does not create continuous saving; it would remove the saved configuration and cause data loss on the next reload.
   • CDisabling the management VLAN only affects network reachability and has nothing to do with saving configuration.
   • DSwitching to Express edition changes the feature tier and bandwidth, not the configuration-save behavior.
5. Question 5Load Balancing

   An administrator configures Least Bandwidth as the load balancing method but the application is a bursty file-download service where the goal is to balance the number of in-flight sessions, not megabits per second. Which method better matches the stated goal?

   • ALeast Bandwidth
   • BLeast ConnectionCorrect
   • CURL Hash
   • DSource IP Hash
   ✓ Correct answer: B

   Least Connection balances based on the count of active connections, which directly matches the stated goal of evenly distributing the number of in-flight sessions across the back-end servers. For a download service where the administrator cares about how many simultaneous transfers each server handles rather than raw throughput, connection count is the right metric. The appliance sends each new request to the server currently holding the fewest active connections.

   Why the other options are wrong

   • ALeast Bandwidth selects based on megabits per second consumed, which is exactly the metric the administrator does not want to optimize for in this scenario.
   • CURL Hash chooses servers by hashing the request URL, which is useful for cache affinity but does not balance the number of active sessions.
   • DSource IP Hash maps clients deterministically by source IP and does not balance the number of active sessions across servers.
6. Question 6Load Balancing

   An administrator has a persistency group using COOKIEINSERT as the primary and SOURCEIP as the backup persistence type. A client that accepts cookies sends a request. Which persistence record does the Citrix ADC create and use for that client?

   • AThe COOKIEINSERT (primary) record; the SOURCEIP backup is used only when the cookie method cannot be appliedCorrect
   • BBoth records simultaneously, requiring the client to match both to stay persistent
   • CThe SOURCEIP backup record, because backup persistence always takes priority
   • DNo record, because configuring both primary and backup cancels persistence
   ✓ Correct answer: A

   Backup persistence on the Citrix ADC is a conditional fallback, not a parallel mechanism. When the primary method is applicable, the appliance uses it exclusively and creates only the primary persistence record. For a cookie-accepting client the COOKIEINSERT record is created and honored. The SOURCEIP backup engages only for requests where the primary cannot function, for example a browser that strips or refuses cookies. This ordering is what makes the combined configuration resilient without double-tracking every client.

   Why the other options are wrong

   • BThe claim that both records are created simultaneously and the client must match both is wrong; backup persistence is a conditional fallback activated only when the primary method fails, not an AND condition.
   • CStating that the SOURCEIP backup always takes priority inverts the relationship; the primary COOKIEINSERT method is preferred and used whenever it can be applied.
   • DConfiguring both a primary and a backup persistence type does not cancel persistence; the primary governs when applicable and the backup provides a safety net, strengthening overall affinity.
7. Question 7SSL/TLS Offload

   During a TLS 1.2 handshake terminated on a Citrix ADC 13.x SSL virtual server, the administrator wants to ensure that clients using an ECDSA certificate can negotiate elliptic-curve ciphers. Which configuration element on the appliance must be present for ECDHE-ECDSA cipher suites to be usable?

   • AAn ECDSA certificate-key pair must be bound to the virtual server in addition to enabling the ECDHE-ECDSA ciphersCorrect
   • BOnly an RSA certificate is required, because ECDSA ciphers work with any key type
   • CSNI must be disabled for elliptic-curve ciphers to work
   • DThe SSL session reuse timeout must be set to its maximum value
   ✓ Correct answer: A

   ECDHE-ECDSA cipher suites use ECDHE for key exchange and ECDSA for server authentication. For the authentication portion to succeed, the SSL virtual server on Citrix ADC 13.x must have an ECDSA certificate-key pair bound to it. Without an ECDSA key, the appliance cannot produce an ECDSA signature during the handshake and the suite cannot be negotiated, even if it appears in the bound cipher group.

   Why the other options are wrong

   • BDisabling SNI changes how the appliance selects which bound certificate to present based on the client's requested hostname and has no bearing on whether ECDSA or elliptic-curve ciphers can be negotiated.
   • CAn RSA certificate does not satisfy the signature requirement of ECDHE-ECDSA cipher suites; those suites specifically require ECDSA signing, so an RSA-only binding causes those suites to be skipped during negotiation.
   • DSetting the SSL session reuse timeout to its maximum value affects the duration for which session state is cached for resumption and is entirely unrelated to cipher suite negotiation or certificate key types.
8. Question 8Citrix Gateway and Secure Access

   An administrator wants to consolidate Citrix Gateway, internal web apps, and SaaS access behind a single externally published FQDN and VIP, using content switching to route to the appropriate back-end. Which Citrix ADC feature should be deployed?

   • AUnified GatewayCorrect
   • BBasic ICA proxy only
   • CGSLB site failover
   • DAppFlow logging
   ✓ Correct answer: A

   Unified Gateway uses a content switching virtual server fronted by a single public VIP and FQDN to route traffic to multiple back-ends, including a Citrix Gateway virtual server for CVAD/VPN, load-balanced internal web applications, and SaaS application proxies. This consolidation simplifies firewall and certificate management because everything is published behind one address and one certificate. It is the recommended approach when multiple access services must share a single external entry point.

   Why the other options are wrong

   • BBasic ICA proxy only handles CVAD HDX brokering and cannot consolidate multiple unrelated back-end services behind one VIP.
   • CGSLB site failover distributes and fails over traffic across datacenters; it does not content-switch among different service types behind one FQDN.
   • DAppFlow logging exports flow and analytics data to tools like Citrix ADM and has nothing to do with consolidating services behind a single VIP.
9. Question 9Citrix Gateway and Secure Access

   An administrator is registering a Citrix Gateway with a StoreFront store for remote access. StoreFront prompts for a callback URL for the Gateway. What is the specific purpose of the Gateway callback URL that StoreFront uses?

   • AIt lets StoreFront contact the Gateway over SSL to validate that an inbound request actually originated from that Gateway before trusting itCorrect
   • BIt tells the Citrix Workspace app which external address to use when establishing the HDX session
   • CIt defines the address StoreFront uses to download the ICA file template from the Gateway
   • DIt specifies the LDAP server the Gateway uses to authenticate users on behalf of StoreFront
   ✓ Correct answer: A

   The Gateway callback URL is used by StoreFront to make an outbound SSL connection back to the Citrix Gateway to confirm that a request bearing Gateway credentials truly traversed that Gateway. StoreFront performs this verification before honoring pass-through authentication, making the callback a security check that backs the trust relationship. The callback URL FQDN must be resolvable from the StoreFront servers, reachable on TCP 443, and the name must match the Gateway's SSL certificate; if any of these conditions fail, StoreFront cannot complete verification and enumeration or logon may fail.

   Why the other options are wrong

   • BThe external address used by Citrix Workspace app to connect for an HDX session is defined in the Gateway configuration and delivered in the ICA launch file, not through the callback URL.
   • CStoreFront generates the ICA file internally using data from the Delivery Controller; it does not download an ICA file template from the Gateway via the callback URL.
   • DAuthentication servers such as LDAP are bound directly to the Gateway virtual server and act on behalf of the Gateway, not StoreFront; the callback URL plays no role in directory authentication.
10. Question 10Citrix ADC Security and Management

    A Rewrite policy must modify the request URL only for HTTP GET requests to paths under /app. Which expression correctly combines the method check with the path check using a logical AND?

    • AHTTP.REQ.METHOD.EQ("GET") && HTTP.REQ.URL.STARTSWITH("/app")Correct
    • BHTTP.REQ.METHOD.EQ("GET") || HTTP.REQ.URL.STARTSWITH("/app")
    • CHTTP.REQ.METHOD.PLUS("GET").URL
    • DHTTP.RES.STATUS.EQ(200).AND.GET
    ✓ Correct answer: A

    The && operator performs a logical AND in Citrix ADC advanced (default-syntax) expressions, requiring both sub-expressions to evaluate to true before the overall rule matches. This expression is true only when the HTTP method is GET and the URL begins with /app, precisely scoping the Rewrite action to GET requests for that path. Combining typed boolean sub-expressions with && for AND and || for OR is the standard way to build compound conditions in the policy expression language.

    Why the other options are wrong

    • BUsing || creates a logical OR, which would match any GET request OR any /app request regardless of method, broadening the scope beyond GET-only and violating the stated requirement.
    • CHTTP.REQ.METHOD.PLUS("GET").URL is not valid syntax because there is no .PLUS() operator in the Citrix ADC policy expression language and a method string cannot meaningfully chain to a .URL call.
    • DHTTP.RES.STATUS.EQ(200).AND.GET inspects a response status code and uses invalid pseudo-syntax that does not represent a method check on the request.

Citrix CCA-N practice exam FAQ