Citrix CCP-N: Certified Professional - Networking Study Guide
Citrix CCP-N (Certified Professional - Networking) validates advanced configuration and troubleshooting of Citrix ADC (NetScaler), covering AAA/nFactor authentication, Web App Firewall, AppExpert (content switching, rewrite, responder), integrated caching and front-end optimization, Citrix ADM/AppFlow analytics, and GSLB. It targets network engineers and administrators who already hold CCA-N and design, deploy, and operate ADC in production. The exam is 90 minutes long with a passing score of 660 (scaled); check the current Citrix exam prep guide for the number of scored items, which changes between exam versions.
Domain 1: Authentication, Authorization, and Auditing (AAA-TM / nFactor)
- AAA-TM requires two mandatory components: a dedicated authentication (AAA) virtual server that holds the authentication policies and login schema, and a traffic-management (LB or CS) vServer that has authentication enabled and references the AAA vServer by name with the -authnVsName parameter.
- An authentication profile lets an LB/CS vServer reference a non-addressable (no IP) authentication virtual server; the profile is bound to the traffic vServer and points to the AAA vServer.
- Form-based AAA-TM authentication redirects the unauthenticated client with an HTTP 302 to the AAA login page, while 401-based authentication returns an HTTP 401 challenge so the browser shows a native credential prompt.
- On successful login the ADC creates an AAA session, issues the NSC_AAAC session cookie to the client, and redirects the user back to the originally requested (landing/return) URL stored in the session.
- The NSC_AAAC cookie is scoped to a cookie domain; two applications served under FQDNs in different cookie domains do not share the cookie, so the user must re-authenticate for each.
- A single AAA virtual server can be shared by multiple LB vServers by setting the same -authnVsName on each; SSO across them works only when the AAA vServer FQDN and all of the applications fall under one cookie domain (set with -AuthenticationDomain on the authentication profile), because the browser only presents NSC_AAAC to hosts within that domain.
- Single sign-on to back-end web applications is configured with a Traffic policy and Traffic profile, which can replay user credentials, a SAML assertion, a Kerberos ticket (KCD), or form-fill data to the protected server.
- Always use advanced (default-syntax) AAA policies; classic authentication policies are deprecated. nFactor is built on advanced authentication policies plus login schema XML.
- Authorization policies are evaluated against the established AAA session on each request before forwarding; if an authorization rule's condition does not match the user, its (allow/deny) action is not applied to that request.
- For LDAP group extraction set the Group Attribute (typically memberOf) and the Sub Attribute Name in the LDAP action so group membership can drive authorization.
- Bind a trusted CA-signed server certificate that matches the AAA virtual server's FQDN so the SSL handshake on the authentication vServer succeeds without browser warnings.
- Auditing is configured by binding an audit syslog (or nslog) policy/action to the authentication virtual server or globally to capture AAA login, logout, and failure events.
- Configure resilience by pointing the LDAP/RADIUS action at a load-balanced virtual server that fronts several directory servers (with monitors), or by binding more than one authentication policy to the AAA vServer in a cascade (-gotoPriorityExpression NEXT) so the next directory is tried when the first cannot be reached.
- For monitoring or health-probe paths that must skip login, create a 'No-Authentication' (NO_AUTHN) policy/action and bind it for the probe URL while leaving default authentication for all other traffic.
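The Domain 1 wiring above as one worked NetScaler CLI configuration. This is an added example, not the page's own content and not a Citrix reference configuration; every IP address, object name, FQDN, certificate key name, bind account and syslog collector is an assumption for an imagined environment. The probe-exemption policy from the last bullet is deliberately left out because its expression depends on what the probe actually presents to the AAA vServer.

```nscli
# Added example: not Citrix's own configuration. IPs, names, FQDNs and the
# directory details below are placeholders for an assumed environment.
enable ns feature AAA

# Resilience first: the LDAP action will point at a load-balanced LDAPS VIP
# (TCP pass-through, LDAP monitor) rather than at a single domain controller.
add lb monitor mon_ldaps LDAP -secure YES -baseDN "dc=example,dc=com" -bindDN "svc_netscaler@example.com" -password "<bind-password>" -filter "cn=builtin"
add service dc1_ldaps 10.0.0.20 TCP 636
add service dc2_ldaps 10.0.0.21 TCP 636
bind service dc1_ldaps -monitorName mon_ldaps
bind service dc2_ldaps -monitorName mon_ldaps
add lb vserver lb_ldaps TCP 10.0.0.40 636
bind lb vserver lb_ldaps dc1_ldaps
bind lb vserver lb_ldaps dc2_ldaps

# Authentication (AAA) vServer with a CA-signed cert matching aaa.example.com.
add authentication vserver aaa_vs SSL 10.0.0.10 443
bind ssl vserver aaa_vs -certkeyName aaa_example_com

# LDAPS action: server-cert validation (the DCs' issuing CA must be installed
# as an ADC certkey and the DC certs must carry dc.example.com), plus group
# extraction via memberOf / cn so AAA.USER.IS_MEMBER_OF() works for authorization.
add authentication ldapAction ldap_corp -serverIP 10.0.0.40 -serverPort 636 -secType SSL -validateServerCert YES -ldapHostName dc.example.com -ldapBase "dc=example,dc=com" -ldapBindDn "svc_netscaler@example.com" -ldapBindDnPassword "<bind-password>" -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn -ssoNameAttribute userPrincipalName

# nFactor: advanced authentication policy plus a login schema. NEXT keeps the
# cascade open so a second LDAP action can be bound behind this one later.
add authentication Policy auth_pol_ldap -rule true -action ldap_corp
bind authentication vserver aaa_vs -policy auth_pol_ldap -priority 100 -gotoPriorityExpression NEXT
add authentication loginSchema ls_single -authenticationSchema "/nsconfig/loginschema/LoginSchema/SingleAuth.xml"
add authentication loginSchemaPolicy ls_pol_single -rule true -action ls_single
bind authentication vserver aaa_vs -policy ls_pol_single -priority 100 -gotoPriorityExpression END

# Traffic vServer: authentication ON and a reference to aaa_vs by name.
# Form-based (302) is the default; add -authn401 ON for a 401 challenge instead.
add service app_svc 10.0.1.5 HTTP 80
add lb vserver lb_app SSL 10.0.0.11 443
bind ssl vserver lb_app -certkeyName app_example_com
bind lb vserver lb_app app_svc
set lb vserver lb_app -Authentication ON -AuthenticationHost aaa.example.com -authnVsName aaa_vs

# A second application sharing the same AAA vServer through an authentication
# profile (the form that is required when the AAA vServer is non-addressable).
# -AuthenticationDomain scopes NSC_AAAC to example.com so both apps get SSO.
add lb vserver lb_app2 SSL 10.0.0.15 443
add authentication authnProfile aaa_prof -authnVsName aaa_vs -AuthenticationHost aaa.example.com -AuthenticationDomain example.com
set lb vserver lb_app2 -Authentication ON -authnProfile aaa_prof

# Authorization evaluated per request against the established session:
# /admin is denied unless the user is in AppAdmins. Requests no policy matches
# fall through to the default authorization action (show tm sessionParameter).
add authorization policy authz_admin_deny "HTTP.REQ.URL.PATH.STARTSWITH(\"/admin\") && AAA.USER.IS_MEMBER_OF(\"AppAdmins\").NOT" DENY
bind lb vserver lb_app -policyName authz_admin_deny -priority 100 -gotoPriorityExpression END -type REQUEST

# SSO: traffic policy/profile replays the session credentials to app_svc.
add tm trafficAction tfa_sso -SSO ON
add tm trafficPolicy tfp_sso true tfa_sso
bind lb vserver lb_app -policyName tfp_sso -priority 100 -gotoPriorityExpression END -type REQUEST

# Auditing: AAA login/logout/failure events to a syslog collector (assumed 10.0.0.30).
add audit syslogAction sys_siem 10.0.0.30 -logLevel ALL -logFacility LOCAL4 -timeZone LOCAL_TIME
add audit syslogPolicy sys_siem_pol true sys_siem
bind audit syslogGlobal -policyName sys_siem_pol -priority 100
```

The two things the exam (and production) most often catches are visible here: the LB vServer does nothing until -Authentication ON and -authnVsName (or -authnProfile) are set, and the authorization policy only protects /admin because it is bound to lb_app, not merely created.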
Domain 2: Web App Firewall (WAF)
- A WAF profile takes effect only when it is referenced by a policy and that policy is bound to a bind point (an LB or CS virtual server, or the global/default bind point); an unbound policy inspects no traffic.
- The positive security model (whitelist) permits only requests conforming to explicitly defined allowed behavior and blocks everything else; it is implemented via Start URL, Field Formats, Form Field Consistency, Cookie Consistency, and similar checks.
- The negative security model (blacklist) allows all traffic by default and blocks only requests matching known-bad patterns from the signatures database (SQL injection, XSS, command injection, etc.).
- Positive-model protection is more configuration effort but gives tighter control; negative-model blocks only known-bad and lets unknown traffic pass - a profile with positive checks but no signatures has no negative-model protection.
- WAF policies bound at the same point are evaluated in ascending priority order, so the policy with the lower priority number (e.g., priority 90 before 200) is evaluated first.
- The Start URL check enforces an allow list of URLs where a session may begin; URL Closure extends it to permit any URL that appeared as a hyperlink in a previously served, allowed page.
- The Field Formats check enforces a per-field allow list of expected data type, length, and character set; relaxation rules add field-specific exemptions to reduce false positives.
- Cookie Consistency verifies that cookies returned by the client were originally set by the server and have not been tampered with or added; add third-party/analytics cookies to the relaxation (exemption) list.
- The recommended deployment workflow is to enable Log (and Learning) first, review violations and learned rules, deploy relaxations, then enable Block - flipping Block on without learning risks false positives.
- The Learning engine observes live traffic and generates recommended relaxations and field formats; the administrator reviews and selectively deploys them in the Learning interface.
- WAF signatures (the negative-model rule set) can auto-update from the Citrix signature update server to keep protection against newly disclosed attacks current.
- The Transform option for cross-site scripting (and SQL) neutralizes dangerous content by encoding it rather than blocking the request, allowing the request through in a defanged form.
- Profile type determines available checks and parsing: the HTML profile type enables form-oriented HTML checks (Start URL, Form Field Consistency, Field Formats); XML and Web 2.0/JSON profile types target their respective content.
- Security Insight in Citrix ADM provides WAF violation analytics and an application threat/safety index; SQL Comments Handling set to CHECKALL inspects content inside SQL comments rather than ignoring it.
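The rollout the bullets above describe (log and learn first, relaxations, then block, with both a positive-model check set and a signature set on one profile), written out as NetScaler CLI. This is an added example, not the page's or Citrix's own configuration; the host name shop.example.com, the LB vServer lb_shop, the form action URL, the qty field and the _ga cookie are assumptions.

```nscli
# Added example, not Citrix's own configuration. The host name, LB vServer,
# form action URL, field name and cookie name are assumptions.
enable ns feature AppFw

# HTML-type profile from the basic defaults. Positive-model checks start in
# learn/log/stats mode (no 'block') so the rollout produces data, not outages.
add appfw profile appfw_shop -defaults basic -type HTML
set appfw profile appfw_shop -startURLAction learn log stats -startURLClosure ON
set appfw profile appfw_shop -fieldFormatAction learn log stats -fieldConsistencyAction learn log stats -cookieConsistencyAction learn log stats

# Negative model: without -signatures the profile has no signature protection
# at all. The built-in set is attached here; auto-update keeps it current.
set appfw settings -signatureAutoUpdate ON
set appfw profile appfw_shop -signatures "*Default Signatures"

# Injection checks with Transform on: the request is passed with the dangerous
# characters encoded. Transform only matters while 'block' is off; once 'block'
# is set the request is blocked (error page) instead of being defanged.
set appfw profile appfw_shop -SQLInjectionAction log stats -SQLInjectionTransformSpecialChars ON -SQLInjectionParseComments checkall
set appfw profile appfw_shop -crossSiteScriptingAction log stats -crossSiteScriptingTransformUnsafeHTML ON

# Relaxations reviewed from the learning data (exemptions, not a disabled check):
# allowed start URLs, a 1-3 digit integer cart quantity, a third-party cookie.
bind appfw profile appfw_shop -startURL "^https://shop\\.example\\.com/(index\\.html|login|catalog/.*)$"
bind appfw profile appfw_shop -fieldFormat qty -formActionURL "^https://shop\\.example\\.com/cart/update$" -fieldType integer -fieldFormatMinLength 1 -fieldFormatMaxLength 3
bind appfw profile appfw_shop -cookieConsistency "^_ga.*$" -isRegex REGEX

# The profile inspects nothing until a policy referencing it is bound somewhere.
add appfw policy appfw_shop_pol "HTTP.REQ.HOSTNAME.EQ(\"shop.example.com\")" appfw_shop
bind lb vserver lb_shop -policyName appfw_shop_pol -priority 100

# After the review period (stat appfw profile appfw_shop, ADM Security Insight)
# and after deploying the learned relaxations, switch the checks to block.
set appfw profile appfw_shop -startURLAction block log stats -fieldFormatAction block log stats -fieldConsistencyAction block log stats -cookieConsistencyAction block log stats -SQLInjectionAction block log stats -crossSiteScriptingAction block log stats
```

Note that the last command is the only one that changes enforcement; everything before it is observation plus exemptions, which is the ordering the exam expects you to know.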
Domain 3: Content Switching, Rewrite, and Responder (AppExpert)
- Advanced (default-syntax) content switching policies bound to a CS vServer are evaluated in ascending priority-number order, and the request is sent to the target of the first policy that evaluates TRUE - the lowest-numbered matching policy wins.
- A goto priority expression on a CS policy binding can alter evaluation flow, jumping forward to a specified priority or to END to stop further evaluation.
- Bind a default LB vServer to the CS vServer using the default (no-policy) target binding so requests matching no policy still reach a backend; without a default target and no matching policy the CS vServer has no reachable destination.
- HTTP.REQ.HOSTNAME.EQ("shop.example.com") matches the Host header with a case-insensitive exact match; content switching decisions operate on the inbound request, so expressions must use HTTP.REQ.
- To switch on the Host header of TLS traffic, the CS vServer must be type SSL with a server certificate bound so the ADC terminates TLS and can read the Host header in the clear; an HTTP-type CS vServer never sees the decrypted request and cannot match it.
- Common request expressions: HTTP.REQ.URL.PATH.STARTSWITH("/api/v2") matches a path prefix; HTTP.REQ.URL.QUERY.VALUE("version").EQ("2") matches a query parameter value; HTTP.REQ.HEADER("User-Agent").CONTAINS("Mobile") matches a header substring.
- HTTP.REQ.URL.PATH.GET(1) returns the first slash-delimited path segment (e.g., 'images' from /images/logo.png); GET(n) is 1-indexed.
- A reliable SOAP routing expression matches the SOAPAction request header, e.g., HTTP.REQ.HEADER("SOAPAction").CONTAINS("GetOrderStatus").
- Host-header-based CS policies only need request headers, not the full body, so they make the switching decision early without buffering the request payload.
- Authentication can be enabled directly on a CS vServer and associated with an AAA virtual server hosting an nFactor flow, so authentication happens before content switching.
- Responder acts on the request and can return a custom response (RESPONDWITH), redirect (REDIRECT), reset, or drop; a responder policy can serve a maintenance HTML page when a target LB vServer is DOWN.
- Rewrite modifies request or response content (headers, URL, body) in flight using a rewrite action (REPLACE, INSERT_HTTP_HEADER, DELETE, etc.) bound via a rewrite policy; unlike responder it lets the request continue to the backend.
- Policy-based target selection can compute the target LB vServer name dynamically from request data, reducing the number of CS policies needed.
- Review per-binding policy hit counters on the CS vServer (also visible in Citrix ADM Web Insight) to verify which policy is matching and which backend is responding.
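The Domain 3 material as one NetScaler CLI example: explicit CS policies evaluated lowest-priority-number first, a dynamic target expression, a default LB vServer, a responder maintenance page keyed on a DOWN target, and rewrite policies on the response path. This is an added example and not the page's or Citrix's own configuration; all names, IPs, paths and the AAA vServer it references are assumptions.

```nscli
# Added example, not Citrix's own configuration. Names, IPs, paths and the
# back-end LB vServers (lb_api, lb_shop, lb_mobile, lb_images, lb_static,
# lb_default) are assumed to exist already.
enable ns feature CS REWRITE RESPONDER

# SSL-type CS vServer: TLS terminates here, so Host and other headers are readable.
add cs vserver cs_web SSL 10.0.0.12 443
bind ssl vserver cs_web -certkeyName web_example_com

# Explicit targets. Evaluation is by ascending priority number and stops at the
# first TRUE rule, so an /api/v2 request on shop.example.com goes to lb_api (100),
# not lb_shop (200).
add cs action cs_act_api -targetLBVserver lb_api
add cs action cs_act_shop -targetLBVserver lb_shop
add cs action cs_act_mobile -targetLBVserver lb_mobile
add cs policy cs_pol_api -rule "HTTP.REQ.URL.PATH.STARTSWITH(\"/api/v2\")" -action cs_act_api
add cs policy cs_pol_shop -rule "HTTP.REQ.HOSTNAME.EQ(\"shop.example.com\")" -action cs_act_shop
add cs policy cs_pol_mobile -rule "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"Mobile\")" -action cs_act_mobile
bind cs vserver cs_web -policyName cs_pol_api -priority 100
bind cs vserver cs_web -policyName cs_pol_shop -priority 200
bind cs vserver cs_web -policyName cs_pol_mobile -priority 300

# Dynamic target: "lb_" + first path segment (GET(1) of /images/logo.png is
# "images" -> lb_images). The rule restricts it to segments that have a matching
# LB vServer so the expression cannot be steered to an arbitrary name.
add cs action cs_act_dyn -targetVserverExpr "\"lb_\" + HTTP.REQ.URL.PATH.GET(1)"
add cs policy cs_pol_dyn -rule "HTTP.REQ.URL.PATH.GET(1).EQ(\"images\") || HTTP.REQ.URL.PATH.GET(1).EQ(\"static\")" -action cs_act_dyn
bind cs vserver cs_web -policyName cs_pol_dyn -priority 400

# Default target: anything no policy matches still reaches a back end.
bind cs vserver cs_web -lbvserver lb_default

# Authentication in front of content switching (aaa_vs assumed to exist).
set cs vserver cs_web -Authentication ON -AuthenticationHost aaa.example.com -authnVsName aaa_vs

# Responder: a maintenance page while lb_shop is DOWN, served on the request
# path before any CS decision is made.
add responder action rsp_act_maint respondwith "\"HTTP/1.1 503 Service Unavailable\r\nContent-Type: text/html\r\nRetry-After: 300\r\nConnection: close\r\n\r\n<html><body><h1>Shop is under maintenance</h1></body></html>\""
add responder policy rsp_pol_maint "HTTP.REQ.HOSTNAME.EQ(\"shop.example.com\") && SYS.VSERVER(\"lb_shop\").STATE.EQ(DOWN)" rsp_act_maint
bind cs vserver cs_web -policyName rsp_pol_maint -priority 100 -gotoPriorityExpression END -type REQUEST

# Rewrite: the response still comes from the back end; headers are edited in flight.
add rewrite action rw_act_hsts insert_http_header Strict-Transport-Security "\"max-age=31536000; includeSubDomains\""
add rewrite policy rw_pol_hsts "true" rw_act_hsts
add rewrite action rw_act_noserver delete_http_header Server
add rewrite policy rw_pol_noserver "HTTP.RES.HEADER(\"Server\").EXISTS" rw_act_noserver
bind cs vserver cs_web -policyName rw_pol_hsts -priority 100 -gotoPriorityExpression NEXT -type RESPONSE
bind cs vserver cs_web -policyName rw_pol_noserver -priority 200 -gotoPriorityExpression NEXT -type RESPONSE

# Verify which policy is matching: per-binding Hits in 'show cs vserver cs_web'
# and counters in 'stat cs vserver cs_web'.
```

The rewrite bindings use NEXT so both response policies run; the responder binding uses END because once a 503 has been returned there is nothing further to evaluate.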
Domain 4: Citrix ADC Optimization
- Integrated Caching is gated by the platform license: the Standard edition does not include it, so an Advanced (formerly Enterprise) or Premium (formerly Platinum) license is required to store or serve cached objects.
- A content group is configured as static or dynamic: static treats a URL as a single cached object, while dynamic stores multiple variants of the same URL differentiated by selectors (hit and invalidation selectors).
- A hit selector built on parameterized expressions (e.g., HTTP.REQ.URL.QUERY or HTTP.REQ.COOKIE.VALUE("sessionid")) lets the cache store and match a separate variant per user or per query value.
- The flashCache parameter set to YES collapses a thundering-herd of simultaneous misses for the same object into one origin fetch that many waiting clients share.
- relExpiry sets freshness relative to caching time (e.g., 43200 seconds = 12 hours for catalog images); absExpiry sets an absolute clock time (e.g., 02:00) at which the object expires.
- Each content group has a maxResSize parameter capping the largest response (in KB) it will store; responses larger than this limit are passed through uncached even if otherwise eligible.
- The total cache size is governed globally by the Integrated Caching memory usage limit parameter, not per content group.
- By default the appliance treats responses carrying Set-Cookie as non-cacheable to avoid serving one user's cookie to another.
- Both a request-time CACHE evaluation and a response-time store are needed to cache an object; the CACHE action serves from cache on a hit and stores eligible responses on a miss.
- To prevent caching specific traffic, bind a higher-priority cache policy with a rule such as HTTP.REQ.METHOD.EQ("POST") and the NOCACHE action.
- Invalidate stale objects at deploy/update time via an invalidation policy whose action invalidates the content group using an invalidation selector matching the changed item (e.g., product ID).
- Cache hit ratio (requests served from cache as a percentage of total cacheable requests) is the key effectiveness metric; enable insertAge or Via header insertion to identify cache hits in response headers.
- Front-End Optimization (FEO) requires the integrated cache because optimized content must be stored and reused; it optimizes on first access then serves the optimized copy thereafter.
- FEO techniques include lossy and lossless image optimization (Optimize Images), as well as minification and combining of CSS/JS to reduce round trips and payload size.
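The content-group, selector and policy bullets above combined into one NetScaler CLI example: a static image group, a dynamic per-product group with hit and invalidation selectors, a NOCACHE rule for POST, an invalidation rule, and a minimal FEO action that depends on the cache. This is an added example, not the page's or Citrix's own configuration; the paths, group names, sizes, the /admin/product update endpoint and the lb_shop vServer are assumptions.

```nscli
# Added example; not Citrix's own configuration. Paths, group names, sizes and
# the lb_shop vServer are assumptions.
enable ns feature IC
# Global cache memory in MB; there is no per-content-group size cap.
set cache parameter -memLimit 512

# Static group: one object per URL, 12 h freshness, responses over 500 KB are
# passed through uncached, flash cache collapses concurrent misses into one
# origin fetch, Via/Age headers reveal cache hits to the client.
add cache contentGroup cg_images -relExpiry 43200 -maxResSize 500 -flashCache YES -insertVia YES -insertAge YES

# Group that expires at a fixed wall-clock time every day.
add cache contentGroup cg_pricelist -absExpiry 02:00 -maxResSize 2048

# Dynamic group: /product?id=N is a separate variant per id. The hit selector
# keys on path + id; the invalidation selector keys on id only, because the
# invalidating request (POST /admin/product?id=N) has a different path.
add cache selector sel_product_hit "HTTP.REQ.URL.PATH" "HTTP.REQ.URL.QUERY.VALUE(\"id\")"
add cache selector sel_product_inval "HTTP.REQ.URL.QUERY.VALUE(\"id\")"
add cache contentGroup cg_product -hitSelector sel_product_hit -invalSelector sel_product_inval -relExpiry 3600

# Policies, bound in ascending priority order. The INVAL rule sits in front of
# the NOCACHE rule for POST, which otherwise would end evaluation first.
# -invalObjects invalidates only the objects matched by the selector;
# -invalGroups would flush the whole group.
add cache policy cache_pol_inval_product -rule "HTTP.REQ.METHOD.EQ(\"POST\") && HTTP.REQ.URL.PATH.STARTSWITH(\"/admin/product\")" -action INVAL -invalObjects cg_product
add cache policy cache_pol_nocache_post -rule "HTTP.REQ.METHOD.EQ(\"POST\")" -action NOCACHE
add cache policy cache_pol_images -rule "HTTP.REQ.URL.PATH.STARTSWITH(\"/images/\")" -action CACHE -storeInGroup cg_images
add cache policy cache_pol_product -rule "HTTP.REQ.URL.PATH.EQ(\"/product\") && HTTP.REQ.URL.QUERY.VALUE(\"id\").LENGTH.GT(0)" -action CACHE -storeInGroup cg_product
bind cache global cache_pol_inval_product -priority 10 -type REQ_DEFAULT
bind cache global cache_pol_nocache_post -priority 20 -type REQ_DEFAULT
bind cache global cache_pol_images -priority 30 -type REQ_DEFAULT
bind cache global cache_pol_product -priority 40 -type REQ_DEFAULT

# FEO rides on the cache: optimized once, then served from cg_* on later requests.
enable ns feature FEO
add feo action feo_act_shop -cssMinify -jsMinify -cssCombine -jpgOptimize
add feo policy feo_pol_shop "HTTP.REQ.HOSTNAME.EQ(\"shop.example.com\")" feo_act_shop
bind lb vserver lb_shop -policyName feo_pol_shop -priority 100 -type REQUEST

# Verify: 'stat cache' for hit/miss counters, 'show cache contentGroup cg_images'
# for stored objects; a Via header in the response marks a cache hit.
```

A response carrying Set-Cookie is still not stored by default even though cache_pol_product matches it, which is why logged-in personalised pages stay out of cg_product without an extra rule.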
Domain 5: Citrix ADM, AppFlow, and Analytics
- The Citrix ADM agent is a lightweight virtual appliance deployed in a remote datacenter or cloud to act as a proxy between the ADM server and managed ADC instances, establishing one secure outbound channel back to ADM.
- Each managed instance is associated with the agent that has network reachability to the instance's NSIP/management IP; that agent polls inventory and analytics and applies configuration jobs and StyleBook deployments.
- Instance discovery can be automatic by scanning a configured IP range and can integrate with public-cloud auto-scale group APIs so new ADC instances are added to inventory without manual steps.
- Configuration jobs push CLI commands to many instances at once and support variable substitution from a CSV file (e.g., a unique VIP per instance); jobs can be saved as reusable templates and scheduled.
- Job scheduling supports one-time future runs or recurring runs by frequency/day/time (e.g., weekly Sunday 02:00); the execution summary records per-instance success/failure and offers a retry on failed devices action.
- StyleBooks are declarative configuration templates; common building blocks are defined once and referenced by many StyleBooks for reusable, modular configuration, and a StyleBook configuration pack represents a deployed application instance.
- ADM high availability uses two ADM nodes with a floating IP where the secondary takes over if the primary fails.
- ADM licensing uses the ADM license server with pooled capacity licensing, allocating bandwidth/instance capacity from a shared pool across managed ADCs.
- Role-Based Access Control (RBAC) with custom roles and access policies provides least-privilege administration; for example, publish StyleBooks and grant developers permission to deploy only those StyleBooks.
- Integrate ADM with an external authentication server such as LDAP or RADIUS for centralized administrator login on top of RBAC.
- Configuration Audit tracks instance configuration against templates and detects drift from a defined golden configuration.
- Operational jobs include scheduled instance backups (with retention settings) and maintenance/upgrade jobs that upload a build image and run an upgrade across selected instances.
- To enable analytics, turn on the relevant features (Web Insight, Security Insight, HDX Insight, etc.) on the instances so the ADM agent is set as the AppFlow and Syslog collector.
- An on-prem ADM agent can connect outbound to the ADM service (cloud), and agent placement is driven by network locality and the volume of instances and telemetry each agent must handle per site.
Domain 6: GSLB and Advanced Traffic Management
- In GSLB the ADC acts as the authoritative DNS name server (ADNS) for the GSLB domain; when a client's local DNS resolver queries that domain, the ADC applies its GSLB method and returns an A or AAAA record for the chosen site.
- Sub-domain delegation needs an NS record in the parent zone delegating the GSLB sub-domain to the ADC plus an ADNS service on the ADC's SNIP listening on UDP/TCP port 53.
- Metric Exchange Protocol (MEP) is the proprietary protocol between GSLB sites that shares site/network metrics, remote GSLB service UP/DOWN state, and persistence information; it runs over TCP 3011 (or TCP 3009 when secured with SSL).
- A GSLB site is defined as LOCAL (the ADC being configured) or REMOTE (a partner datacenter), and includes the Site IP used for MEP communication.
- GSLB object hierarchy: GSLB services (representing the LB/CS vServers at each site) are bound to a GSLB virtual server, which is associated with the GSLB domain and applies the configured load-balancing method.
- Defining a GSLB service requires associating it with a previously created GSLB site (LOCAL or REMOTE) and specifying the IP address and port of the actual LB/CS vServer it represents.
- Static Proximity selects the site geographically closest to the client's local DNS server by matching the client IP against an imported, up-to-date location (geo-IP) database.
- Dynamic Proximity uses Round Trip Time (RTT) measurements between sites and the client's LDNS to pick the lowest-latency site dynamically.
- Weighting GSLB services (assigning higher weights to a larger datacenter's services) skews traffic distribution proportionally; an ordered/backup method lets a secondary site act as backup behind a primary.
- GSLB persistence can be based on source IP or an HTTP cookie so a client is consistently directed to the same site; MEP can share persistence session entries between sites.
- Bind explicit monitors to GSLB services when MEP-based state is insufficient; the site's -triggerMonitor setting (ALWAYS, MEPDOWN, or MEPDOWN_SVCDOWN) decides when those monitors are used instead of MEP state, and Empty Down Response (EDR) on the GSLB vServer returns an empty answer rather than the address of a DOWN service when nothing is UP.
- DNS views (split DNS) implemented with DNS policies evaluating the client subnet return different answers to internal versus external clients for the same name.
- DNSSEC zone signing uses a Key-Signing Key (KSK) and a Zone-Signing Key (ZSK) to provide authenticated, integrity-protected DNS responses for the GSLB zone.
- DNS security and tuning include DNS rate limiting (mitigating DNS floods), DNS caching, the DNS profile/security options, and the negative TTL (minimum TTL) set in the zone's SOA record.
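Domain 6 as a single NetScaler CLI example from the LOCAL (east) site's point of view: ADNS service, sites with MEP, GSLB services with a monitor, a GSLB vServer using static proximity with round robin as backup, a DNS view for split DNS, DNSSEC keys for the delegated zone, and a DNS rate limit. This is an added example, not the page's or Citrix's own configuration; all IPs, the zone gslb.example.com, the internal subnet, the health-check path and the key parameters are assumptions.

```nscli
# Added example; not Citrix's own configuration. Site IPs, FQDNs, subnets and
# key parameters are assumed. Run on the east site; the west site mirrors it
# with LOCAL and REMOTE swapped.
enable ns feature GSLB

# ADNS on a SNIP, UDP and TCP 53: this ADC answers authoritatively for the
# delegated zone once the parent zone holds an NS record pointing here.
add service adns_east 10.0.0.13 ADNS 53
add service adns_east_tcp 10.0.0.13 ADNS_TCP 53
add dns zone gslb.example.com -proxyMode NO
add dns soaRec gslb.example.com -originServer ns1.gslb.example.com -contact hostmaster.example.com -minimum 300
add dns nsRec gslb.example.com ns1.gslb.example.com
add dns addRec ns1.gslb.example.com 198.51.100.13

# Sites. MEP runs between the site IPs over TCP 3011; setting the RPC node to
# secure moves it to TCP 3009 and replaces the default RPC password.
add gslb site site_east LOCAL 10.0.0.5 -publicIP 198.51.100.5
add gslb site site_west REMOTE 203.0.113.5 -triggerMonitor MEPDOWN
set ns rpcNode 203.0.113.5 -password "<rpc-secret>" -secure YES

# GSLB services represent the LB vServer at each site. The remote one gets an
# explicit HTTPS monitor that takes over when MEP to that site is down.
add gslb service gsvc_east 198.51.100.10 SSL 443 -siteName site_east
add gslb service gsvc_west 203.0.113.10 SSL 443 -siteName site_west
add lb monitor mon_app_https HTTPS -httpRequest "GET /healthz" -respCode 200
bind gslb service gsvc_west -monitorName mon_app_https

# GSLB vServer: static proximity against the built-in geo-IP DB, round robin
# (weighted 3:1 toward the larger east site) when the LDNS IP has no location,
# source-IP persistence, EDR so a fully DOWN vServer answers with nothing.
add locationFile /var/netscaler/inbuilt_db/Citrix_Netscaler_InBuilt_GeoIP_DB_IPv4
add gslb vserver gvs_app SSL -lbMethod STATICPROXIMITY -backupLBMethod ROUNDROBIN -persistenceType SOURCEIP -persistenceId 101 -EDR ENABLED
bind gslb vserver gvs_app -serviceName gsvc_east -weight 3
bind gslb vserver gvs_app -serviceName gsvc_west -weight 1
bind gslb vserver gvs_app -domainName app.gslb.example.com -TTL 30

# Split DNS: clients in 10.0.0.0/8 get the private VIP for the east service.
add dns view view_internal
add dns action dns_act_internal ViewName -viewName view_internal
add dns policy dns_pol_internal "CLIENT.IP.SRC.IN_SUBNET(10.0.0.0/8)" dns_act_internal
bind dns global dns_pol_internal 10
bind gslb service gsvc_east -viewName view_internal -viewIP 10.0.0.11

# DNSSEC: a KSK and a ZSK for the zone, loaded, then the zone is signed.
create dns key -zoneName gslb.example.com -keyType KSK -algorithm RSASHA256 -keysize 2048 -fileNamePrefix ksk_gslb
create dns key -zoneName gslb.example.com -keyType ZSK -algorithm RSASHA256 -keysize 1024 -fileNamePrefix zsk_gslb
add dns key ksk_gslb /nsconfig/dns/ksk_gslb.key /nsconfig/dns/ksk_gslb.private
add dns key zsk_gslb /nsconfig/dns/zsk_gslb.key /nsconfig/dns/zsk_gslb.private
sign dns zone gslb.example.com

# DNS flood mitigation: per-source-IP request rate limit, drop above threshold.
add ns limitSelector dns_src CLIENT.IP.SRC
add ns limitIdentifier dns_rl -threshold 500 -timeSlice 1000 -mode REQUEST_RATE -selectorName dns_src
add dns action dns_act_drop Drop
add dns policy dns_pol_rl "SYS.CHECK_LIMIT(\"dns_rl\")" dns_act_drop
bind dns global dns_pol_rl 5
```

Two exam-relevant details are encoded in the ordering: the rate-limit policy is bound at priority 5 so it runs before the view policy at 10, and the SOA record's -minimum value is the negative TTL the page's last bullet refers to.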
Citrix CCP-N exam tips
- Memorize the AAA-TM wiring: a traffic vServer references the authentication vServer via -authnVsName (or an authentication profile for a non-addressable AAA vServer). Many questions hinge on whether a component is bound or merely created.
- For WAF questions, internalize positive vs negative model and the safe rollout order (Log + Learning, review, relax, then Block). Remember a policy must be bound to a bind point to inspect any traffic.
- Drill the advanced policy expression syntax (HTTP.REQ.HOSTNAME, URL.PATH.STARTSWITH, URL.QUERY.VALUE, HEADER, GET(n)) and the rule that the lowest-numbered matching policy wins on a CS vServer.
- Know the license editions that gate features (Integrated Caching and FEO need Advanced or Premium, not Standard) and the difference between static and dynamic content groups with selectors.
- For GSLB, lock in the port numbers (ADNS on UDP/TCP 53, MEP on TCP 3011, or TCP 3009 when secured), the LOCAL vs REMOTE site model, and which proximity method maps to geo-IP (Static) versus RTT (Dynamic).
Study guide FAQ
What is the difference between authentication and authorization in AAA-TM?
Authentication verifies the user's identity (via LDAP, RADIUS, SAML, etc.) and establishes an AAA session marked by the NSC_AAAC cookie. Authorization then evaluates bound authorization policies against that established session on each request to allow or deny access to specific back-end resources before forwarding the request.
When should I use the positive security model versus the negative security model in Web App Firewall?
Use the positive (whitelist) model when you can precisely define legitimate behavior and want tight control - it is more configuration effort but blocks anything not explicitly allowed. Use the negative (blacklist/signature) model for frequently changing applications where defining every allowed pattern is impractical; it blocks only known-bad traffic and passes everything else. Most production deployments combine both.
How do content switching policy priorities determine which backend a request reaches?
Advanced CS policies bound to a CS vServer are evaluated in ascending priority-number order, and the request goes to the target of the first policy that evaluates TRUE - so the lowest-numbered matching policy wins. A goto priority expression can change the flow, and a default (no-policy) target LB vServer catches any request that matches no policy.
What role does the Citrix ADM agent play and why is agent placement important?
The ADM agent is a lightweight appliance that acts as a local proxy: it collects configuration, metrics, and AppFlow data from the ADC instances it can reach and relays them to the ADM server over a single secure channel, and it applies configuration jobs and StyleBook deployments. Each instance is bound to an agent that can reach its management IP, so placement is driven by network locality and the volume of instances and telemetry each agent must handle per site.