When sending SAML Authentication request to external identity provider, the NetScaler ADC now offers an option to send the thumbprint of the certificate that was used to sign the message instead of sending the complete certificate. When the "sendThumbprint" option in SAML action is set to ON, the ADC allows putting the thumbprint in SAML auth request instead of the full X509 certificate. The "sendThumbprint" option is off by default.

NetScaler ADC now supports the session reliability feature, so that sessions that are monitored by the ADC for ICA traffic can seamlessly reconnect even after a network disruption. This feature keeps sessions active even if network connectivity is interrupted, and to indicate that connectivity is lost, the user's device display freezes and the cursor changes to a spinning hourglass until connectivity resumes. The user can resume interacting with the application once the network connection is restored.

Note: Make sure to enable the session reliability feature on XenApp or XenDesktop for NetScaler ADC to support this feature.

NetScaler Gateway supports network traffic through a forward proxy between the appliance and servers in the internal network when users log on by using clientless access and when Secure Browse is enabled on the Security tab in a session profile.

Upgrade EPA (Endpoint Analysis) libraries in NetScaler Gateway

The Endpoint Analysis feature enables administrators to analyze and make client connection choices based on client endpoint settings for plug-in sessions connecting through the NetScaler Gateway. Previously, NetScaler Gateway administrators had to manually upload a new EPA library using the command line in order to upgrade the EPA libraries in NetScaler Gateway. This task required administrators to manually extract the file on the NetScaler and then copy the extracted files to appropriate directories. NetScaler Gateway 10.5.52.1115.e presents a one-click interface for upgrading EPA libraries without upgrading or rebooting the system.

NetScaler Gateway does not support single sign-on (SSO) to public servers unless single sign-on is enabled in a traffic profile or if split tunneling is enabled.

If you do not want the URL reports to be displayed on the Web Insight node of the dashboard, you can now disable the URL data collection settings.

To modify the setting, on the Configuration tab, navigate to System, and in the right-pane, from the System Settings group, click Change URL Data Collection Settings.

You can now limit the number of days for which the generated reports can persist in the database, after which the reports are permanently deleted.

To change the value, on the Configuration tab, click System and in the right-pane from the System Settings group, click Limit Data Duration Persistency.

NetScaler Insight Center now displays the session reconnect count and the Automatic Client Reconnection (ACR) count for ICA traffic flowing through NetScaler ADCs.

These values are displayed only if the session reliability feature is enabled on XenApp or XenDesktop.

NetScaler Insight Center now displays reports for NetScaler Gateway appliances deployed in a double-hop mode.

The NetScaler fails to parse incoming assertions if it finds a duplicate Status code tag. As per SAML specification, unlike other tags, the StatusCode tag can come nested within itself. With this fix, the nested StatusCode tags are allowed in the assertion during SAML Authentication.

If a user name or password consists of UTF8 characters, basic authentication fails on the NetScaler ADC. With this fix, the ADC now passes the encoding type in the 401 challenge so that the incoming data is accurately encoded.

The NetScaler Gateway and AAA-TM now support advanced expressions in SSO (single sign-on). The attribute values that are extracted as part of the authentication “http.req.user.attribute(1..16)” can now be used for setting the username and password credentials. For more information, see http://support.citrix.com/article/CTX200261

If an authentication profile has a space in its name, the NetScaler parser only takes the first part of the string up to the space character as the name of the profile. The NetScaler ADC may fail if during user authentication it comes across another entity that matches this partial string. With this fix, we now use URLencoding for the profile name to accurately process special characters .

If a user-created signature has an uppercase character in the name, the application firewall profile bound to the signature is not saved in the configuration during an upgrade from a release 10.1 build to a release 10.5 build. If a user creates a signature name with uppercase characters, release 10.1 stores it that way. But in release 10.5, the signature name is converted to a lowercase string in the database. As a result of the database mismatch, the command to add the application firewall profile fails during an upgrade to a release 10.5 build.

During upgrade from release 10 to 10.1, the names of the application firewall learning database files with uppercase or mixed case characters get converted to all lowercase characters. This results in two sets of database files and breaks the learned rule functionality. With this fix, learning data can be successfully retrieved after upgrade for profiles with names in mixed case characters.

If the NetScaler application firewall receives a request with percent-encoded space character, such as "login%20name" for a form field login name, the deployed learned rule containing the encoded character (%20) fails to work as relaxation rule. The security check violation is still triggered. Note that the browser converts the space to a "+" character. For such a request, the corresponding learned rule with "login+name" for "login name" works as expected when deployed as a startURL relaxation rule.

Workaround: Edit the relaxation rule to replace "%20" with "\s*" for requests with percent encoded space characters.

When the cache redirection virtual server is configured as a forward proxy, if an ASYNC memory allocation failure happens, the NetScaler appliance might fail to respond while trying to access a page on the a server that is already configured as a service on the NetScaler.

Memory leaks might occur on NetScaler ADCs connected to a CloudBridge Connector tunnel when one of the ADCs sends monitor probes, through the tunnel, to a service that is bound to an HTTP or SSH load balancing virtual server.

When the state of a CloudBridge connector tunnel is DOWN, there is a delay in displaying the related log messages (from the /tmp/iked.debug file) on the Create CloudBridge Connector page of the configuration utility.

In a cluster setup, if a NSVLAN is configured, you cannot bind a VLAN to a traffic domain.

The user monitor scripts that use SOAP::Lite might not work.

If you create a GSLB service by using a server name with alphanumeric characters, the server name does not get converted to a server IP address, and the server IP address value is null. As a result, GSLB synchronization fails.

If you bind a CA certificate to a load balancing virtual server using the configuration utility, the Link Certificate view is not displayed in the foreground.

The graphical user interface (GUI) does not display the following search fields on the Cache Objects page:

* HTTP Status Code

* Ignore Marker Objects

* Include-Not Ready Object

An error message appears if you try to replace an SSL client certificate that is bound to an SSL service.

If an unauthorized user logs on to a NetScaler ADC. the ADC displays the following error message:

"Error in retrieving version. Cannot read property 'replace' of undefined".

If a NetScaler connection from a client is closed without the client logging out, the session created for that connection remains active until the configured timeout period elapses. If this happens frequently, after about the 20th occurrence the user might get a "Connection limit to CFE exceeded" error message.

The statistics of service group members do not appear correctly in the configuration utility.

To create a certificate signing request, you must click "Create Certificate Signing Request (CSR)" on the SSL overview page for each CSR. To view or manage your CSRs, click "Manage Certificates / Keys / CSRs" under Tools on the SSL overview page.

If, in the NetScaler configuration utility, after you navigate to AppExpert > Responder> Policies and click "Hide built-in responder policies" or "Show built-in responder policies," the page does not immediately refresh, and continuous clicking prevents the page from refreshing.

If an invalid HTTP request that spans multiple TCP segments is sent to a content switching virtual server, the NetScaler ADC might skip the load balancing decision and initiate a connection from the SNIP address to the content switching virtual server. This can cause the ADC to fail.

To prevent this problem, the ADC closes the client connection when this situation arises.

If you use SQL server driver for SQL Server 2000 SP1, the databases are not enumerated for Kerberos authentication on the NetScaler ADC, because the ADC does not process the SSPI packet correctly.

The NetScaler ADC fails if source IP persistence is enabled on a MySQL or MSSQL virtual server that is receiving traffic.

Synchronization of the GSLB configuration fails if the RPC-node password of the GSLB sites contains an exclamation point (!).

If you force synchronization of the GSLB configuration, the non-default settings on the RPC node are lost. As a result, the GSLB auto-sync functionality is lost.

If you have deployed the NetScaler ADC in a high availability (HA) setup in INC mode, you cannot leverage a SNIP address to host the ADNS Service or a site IP address, because these addresses do not float across the HA nodes. An independent site IP address with SSH enabled is required. With this fix, SSH can be enabled on an independent site IP address.

If you enable NTP synchronization on a NetScaler ADC, the ntpd service binds to port 3010. The binding causes resource conflicts, because the port was reserved for the nsnetsvc service.

By default, HA synchronization enables the following features and modes on the secondary appliance:

- Features: Web logging (WL) and surge protection (SP)

- Modes: L3 and Edge

A Storefront service on a NetScaler ADC is not marked as DOWN even though all the storefront services bound to the StoreFront server are manually brought down.

The NetScaler ADC might fail if a high idle timeout value is set on a TFTP load balancing virtual server and the ADC runs out of memory.

If a load balancing virtual server on which persistence is configured is bound to a load balancing group that has no persistence setting, the NetScaler ADC does not change the virtual server's persistence setting. As a result, when traffic arrives at the virtual server, it tries to create a persistence session, but that session fails and the number of sessions increases.

If you enable clientless access and enable Single Sign-on, if the proxy server uses NTLM authentication, NetScaler Gateway fails to respond when users log on.

When the Endpoint Analysis is configured, the users are redirected to index.html. Otherwise, a session is created for any arbitrary URL if the authentication is disabled on the NetScaler Gateway.

In a double-hop DMZ deployment, if the Receiver connection closes and the connection to XenApp or XenDesktop is in progress, the appliance might fail.

If you configure advanced endpoint analysis policies, endpoint analysis encryption, a proxy server, and client certification authentication, the NetScaler Gateway Plug-in does not connect and users receive the error message " 2017: Your computer does not have the necessary security software to connect to the NetScaler Gateway. Please contact your system administrator."

When user connects to a multi-core NetScaler Gateway running out of memory during inter-core communication, NetScaler Gateway fails.

When users log on with the NetScaler Gateway Plug-in, if the users TCP connection closes and the connection to the internal network through NetScaler Gateway is in progress, the appliance might fail.

The NetScaler ADC fails if AppFlow is enabled and it receives an ICA command longer than 2048 bytes.

If you enable Appflow for ICA on a NetScaler ADC, the NetScaler ADC might fail under certain conditions while parsing the ICA frames.

If you enable AppFlow for ICA traffic and configure a XenApp or XenDesktop server to use advanced encryption, the NetScaler ADC might fail if there is a network disruption. This failure occurs if a user whose session is disconnected because of network disruption is logged off from the server and tries to reconnect.

Workaround: Do not log off the user from the server.

As part of the bandwidth calculation for active and inactive sessions, NetScaler Insight Center displays the following four metrics instead of the bandwidth metric:

-Total Bytes: Bytes transferred per session

-Bytes per Interval: Total bytes transferred per session interval (5 mins, 1 hour, 1 day , 1 week, 1 month)

-Session Bandwidth: Rate at which data is transferred over the session.

-Bandwidth per Interval: Rate at which data is transferred over the session interval.

MTU configuration is lost on 10G static LA/ LACP channel after the SDX appliance reboots.

When a NetSclaer VLAN with tagged option for channels is selected , the native VLAN also gets tagged inside the NetScaler VPX for the channel.

In prior releases of NetScaler SDX, the unsuccessful authentication attempts were not reported in in SNMP traps. From NetScaler 10.5.54x and later, using SNMP traps the administrator can check for such unsuccessful authentication attempts.

The NetScaler ADC might not update its bridge and ARP tables with the information received from GARP messages.

An Access Control List (ACL) rule specifying the TCP protocol and the Established option might not get evaluated if another ACL rule with a higher priority also specifies TCP.

Now, the NetScaler appliance sends all ARP replies from the first interface (lexicographical order) of an LA channel.

Rewrite policy bindings to virtual servers can be lost when you upgrade the NetScaler firmware to version 10.1.128.11. If the rewrite policy is bound to a load balancing virtual server, the policy bindings are not displayed as part of the server configuration, but they are saved when the user saves the configuration. If the rewrite policy is bound to a content switching virtual server, the policy bindings are lost when the user saves the configuration.

The client certificate that is inserted in the backend HTTP header now conforms to the x509 PEM format, which includes spaces and carriage returns. To use the old method (without spaces and carriage returns), at the NetScaler shell prompt, type:

nsapimgr -y -s ssl_cert_insertion_space=0

If you enable Front End Optimization (FEO) with SSL, cache extension, and HTTP compression, the NetScaler ADC fails.

In a high availability setup, a crash in the nsfsyncd process results in HA failover.

If an incoming URL has two or more slashes at the beginning of the path to the file, the URL is not parsed correctly. This can affect the use of policy expressions and the functioning of features such as Rewrite, which use parsed information to examine URLs.

If you enable Front End Optimization (FEO) with SSL and HTTP compression, the NetScaler ADC fails.

Setting 'Request timeout' or 'Request timeout action' in HTTP Profiles can cause the NetScaler to fail in some situations.

In NetScaler 9.3 and previous versions, the NetScaler ADC used the SNIP as the source IP address for authentication requests unless the administrator configured a static route to a different interface. In NetScaler 10.1 and subsequent versions, the ADC uses the NSIP address as the source for authentication requests even when a static route points to a different interface.

To force the ADC to use the SNIP (not the NSIP) as the source IP address in version 10.1 and subsequent versions, you can set up a load balancing virtual server with an authentication service, and then configure that load balancing virtual server to perform the authentication action.

When a user attempts to use the two form factor method to log on to AAA-TM, the NetScaler ADC might become unresponsive.

When AAA-TM logs users off after their sessions time out, the traffic management session associated with the user is not terminated. If the number of abandoned traffic management sessions exceeds internal limits, the NetScaler ADC might become unresponsive.

The NetScaler ADC AAA-TM user interface has a timeout of 20 seconds. If authenticating through an external authentication server takes more than 20 seconds, the following message appears in the logs: "libaaa recv failed". This message does not indicate that authentication failed or any other problem that affects users. It can safely be ignored.

If AAA-TM is configured to use NTLM authentication, either by itself or as fallback when Kerberos is not available, the NetScaler ADC might become unresponsive when a user attempts to authenticate through NTLM.

Creating an AppExpert application with the name 'ns' (uppercase or lowercase) results in conflicts and therefore the creation of a content switching policy fails.

Workaround: Do not create AppExpert applications with name 'ns' (uppercase or lowercase).

XenDesktop displays the 1030 error if session reliability is ON when NetScaler Gateway is configured on StoreFront as part of STA settings dialog box, and you configure an HDX policy with session reliability set to OFF.

If a NetScaler HA failover occurs when ICA AppFlow is enabled, the session reliability feature does not function.

If a NetScaler failover occurs when ICA AppFlow is enabled, the Citrix Receiver reconnect fails because the Citrix Receiver does not support Automatic Client Reconnect (ACR) feature.

In the NetScaler configuration utility, after you approve Form Field Consistency check learned relaxations, you must close and then reopen the Modify Form Field Consistency Check dialog box before the new relaxations appear in the list.

On a NetScaler ADC that has the application firewall enabled and the buffer overflow check configured to block, the following error message might appear in the logs: "Internal error: additional data generated after partial response <blocked>". This error message indicates that a partial response was sent before the remainder of the response was blocked.

If a user request triggers an application firewall policy that is bound to the APPFW_BYPASS profile, the application firewall might fail to generate an SNMP alarm.

If the application firewall blocks a request because of a limiting policy, such as a maximum upload size limit on a web form, the blocking action is not logged. If a custom redirect page has been configured for that web page, the application firewall does not display it.

If the user sends a request that contains the string "Javascript" without a non-alphanumeric delimeter, the Cross-Site Scripting check does not block the request. This is expected behavior. Without a delimiter, the keyword "Javascript" cannot trigger code execution and therefore poses no threat to the protected web application.

If the server sends less data than the amount specified in the Content-length header, the NetScaler application firewall might send a 9845 response and reset the connection.

The General tab on the Modify Field Format Check dialog box is not functional. To work around this issue, you can enable or disable the action items (block, learn, log, stats) in the Application Firewall Wizard, or by using the NetScaler command line.

A NetScaler ADC that has the application firewall feature enabled might reset the connection after a protected web server issues an HTTP 204 response.

When a user attempts to upload a file to a server that is protected by the application firewall, the file upload fails. The underlying cause is that the application firewall included an invalid character in the MIME boundary when encoding the file.

For some requests, the application firewall log message for a Field Consistency violation might not include the name of the field that triggered the violation.

During an upgrade of a NetScaler appliance from version 10.0 to version 10.1 (build 121.1 or subsequent), the default JSON content type is not automatically configured. The default JSON content type is configured when version 10.1 (build 121.1) is installed on new hardware or in a new VPX instance. To check whether your appliance or instance has the correct default setting, log onto the NetScaler command line and type the following command:

show appfw JSONContentType

If the default content type is configured, the command output is similar to the following example:

> show appfw JSONContentType

1) JSONContenttypevalue: "^application/json$" IsRegex: REGEX

Done

If it is not, the screen shows only the following:

> show appfw JSONContentType

Done

To add the default content type to the configuration, after upgrading to 10.1 (121.1), log onto the NetScaler command line, and then type the following commands to configure the default content type and verify the configuration:

add appfw JSONContentType ^application/json$ -isRegex REGEX

show appfw JSONContentType

For some malformed requests, the NetScaler application firewall log messages might not include the client IP address.

The customer's application does not work when the application firewall is deployed to inspect the request for security check violations. When the application firewall forwards the request to the backend server, the server responds with a 403 HTTP error code indicating that it cannot properly validate the CORBA session and sends the page without the expected data in the form fields. The root cause is under investigation.

The workaround is to turn off form field tagging and credit card checks.

In the event of a cache miss, the request is sent as an SSL request instead of an HTTP request to the origin server, even though the backendssl parameter is disabled on the NetScaler ADC.

Cisco RISE now supports the following commands:

- show rise param

- set rise param

Following is the usage of the set rise param command:

set rise param [-directMode ( ENABLED | DISABLED )] [-indirectMode ( ENABLED | DISABLED )]

The show rise param command displays the current setting. For example,

RISE-MPX-194-80> show rise param

DirectMode: ENABLED IndirectMode: ENABLED

Done

The NetScaler 10.5 release does not support Citrix CloudPlatform.

In a NetScaler cluster, UDP fragments from the server are not bridged to the client in case of ANY * virtual servers.

NetScaler cluster nodes may send a large number of ARP requests if a large number of ARP entries are learned over a cluster LA interface.

This build is not suitable for cluster deployment.

The NetScaler command line interface exists abruptly upon executing the "show dns addRec -format old" command.

When configuring an admin partition, in the list of channels (Network > Channels), the state of the LACP channel is incorrectly displayed. This issue is not present in the default partition.

You cannot create load balancing virtual servers or NetScaler Gateway virtual servers with the same name pattern used for virtual servers created in the XenMobile wizards.

If you create a load balancing virtual server with a name matching the pattern _XM_LB_MDM the XenMobile dashboard might display incorrect port values.

If you use a Chrome browser to access the NetScaler graphical user interface (GUI), the browser might display the Page Unresponsive error message.

Workaround:

If you are using a Windows computer, do the following:

1. Right-click the shortcut icon that you use to open the Chrome browser, and select Properties from the pop-up menu.

2. In the Google Chrome Properties dialog box, click the Shortcut tab and, in the Target field, append the following value: --disable-hang-monitor

For example: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe --disable-hang-monitor" http://www.google.com

3. Close all instances of the Chrome browser, and restart the Chrome browser.

If you are using a MAC computer, do the following:

1. Open the terminal.

2. Launch the Chrome browser from the terminal and append the --disable-hang-monitor value, as follows:

open -a /Applications/Google\ Chrome.app --args --disable-hang-monitor

If you are binding classic policies, set empty values for the "Gotoexpression" and "Invoke" columns as these parameters are not applicable for classic policies.

You cannot install a server, client, or intermediate certificate with a FIPS key by using the configuration utility.

Workaround: Use the FIPS wizard to create and install the certificate.

In some cases, while binding an entity, such as a service or a certificate, if you unbind another entity from the list, the list is refreshed and the entities that you selected for binding are no longer displayed. Therefore, you must again select the entities that you want to bind.

Workaround: Bind and unbind entries in separate operations.

When using the XenMobile wizard to configure load balancing for XenMobile 10, server certificates for the services being load balanced will not be bound automatically by the wizard. The server certificate must be manually bound.

In a cluster setup, the configuration utility does not allow you to bind IP addresses to a bridge group.

Workaround: Use the equivalent CLI command (bind bridgegroup) to perform this operation.

You cannot use the configuration utility to add signatures to an existing application firewall policy.

Workaround: Use the command line interface .

If you use the MAC Safari browser to upgrade a NetScaler ADC and, in the upgrade wizard, you click the browse button to choose a build file on the appliance, the dialog box does not shown any files or folders. If you navigate back to the root folder, the dialog box displays the top level folder, but you cannot browse the files in the folder.

Workaround: Click the Settings icon and navigate to Preferences > Security > Manage Website Settings > Java, and then change the "When visiting other websites" setting to "Run in unsafe mode."

When using the expression editor to modify an existing expression, select the expression and click Expression Editor. Alternatively, you can modify the expression directly in the text field.

If a policy is bound to or unbound from system global or the priority of the policy is modified, the changes are not reflected automatically. To see the current status, click the "Refresh" icon at the top right corner of the policy view. After refreshing the view, the policies display their bound status as well as their priorities.

The Traffic Management > Load Balancing > Set up NetScaler for XenApp/XenDesktop wizard displays an error if more than one service group is bound to the virtual server that is used for load balancing the XenApp/XenDesktop servers, or if more than one service is bound to the service group.

The key filename property of Import FIPS key (Configuration > Traffic Management > SSL > FIPS > FIPS keys >Action > Import > Key Filename) fails if you enter an incomplete file path consisting folder1/folder2/rsa.key, where folder1 and folder2 are the folders within the nsconfig/ssl path.

Workaround: In release 10.1, provide only the FIPS key. For example, rsa.key.

In release 10.5, you must specify the complete file path to the FIPS key. For example, nsconfig/ssl/folder1/folder2/rsa.key.

You cannot change the setting of Tag all VLANs option of a network interface (System > Network > Interface) by using the configuration utility for NetScaler VPX instances running on VMware ESX server.

The NetScaler Graphical User Interface does not support the search functionality to search records in the file browser.

Workaround: Use the search functionality of internet browser.

For integrated caching, the details of a cache object are not available in the configuration utility. However, the list of cached objects is available.

Workaround: Use the CLI command to view the details of a cache object.

You cannot change the setting of Tag all VLANs option of a network interface (System > Network > Interface) by using the configuration utility for NetScaler VPX instances running on Microsoft Hyper-V hypervisor.

The new editor for classic policies has the following limitations:

- The option to modify an expression is not intuitive.

- The options to match any expression, match all expressions, and tabular form are not provided.

- The option to remove individual expressions within a compound expression is not provided.

- Named expressions are not classified and displayed.

- Named expressions cannot be previewed.

- The add or remove bracket buttons are not provided.

Load balancing virtual servers that are used by AppExpert applications are displayed in nodes other than the AppExpert node. For example, they are displayed in the Available Virtual Servers list in the "Create Persistency Group" dialog box (Load Balancing > Persistency Groups > Add) and in the "Create Persistency Group" dialog box list that appears when you click the "Name" button in the list "Create Content Switching Action" dialog box "Content Switching > Actions > Add).

Some websites might not be able to render the page if the AppFlow clientSideMeasurements parameter is enabled along with some front end optimization actions.

All GSLB features are supported for IPV6 except DNS views, Auto sync, and Static Proximity.

If you rename a server associated with a GSLB service and then run the sync gslb command, the GSLB configuration might not synchronize to the other GSLB sites.

Workaround:

Manually update the server name in the other GSLB sites.

You can incorrectly set the CIP option while adding a canonical name (CNAME) based GSLB service by using the NetScaler command line. The CIP option is valid for IP-based GSLB services only.

When upgrading HA nodes that have Web Interface on NetScaler (WIonNS) build 126.x, the updates made in the Webinterface.conf file are overwritten by the previous version of the file. This is due to the rolling upgrade of HA nodes or due to the file sync operation between HA nodes.

To avoid this issue, use the following steps when upgrading the HA nodes:

1. Before upgrading, run the "set ns param -internaluserlogin DISABLED" command.

2. Upgrade the secondary HA node to NetScaler release 10.1 build 126.x.

3. Force failover to make the upgraded node the primary node.

4. Upgrade the other HA node to NetScaler release 10.1 build 126.x.

5. Reenable the "internaluserlogin" parameter with the "set ns param -internaluserlogin ENABLED" command.

6. Save the configurations.

Note: Before upgrading synchronize files between the HA nodes by using the "sync ha files all" command.

When a selector-based content group has been configured, the NetScaler ADC can fail when a policy associated with this content group is matched and the response status is "404 Not Found".

Load Balancing

If your spillover policy contains the ACTIVETRANSACTIONS or the SURGECOUNT expression (for example, <expression>. ACTIVETRANSACTIONS.GT(<N>)),

traffic might spill over to the virtual server bound to this policy even though the current value of the counter has not reached N. This is because these two expressions use an arbitrary number for comparison.

For example, spillover to a virtual server bound to the following policy might occur before the active transactions counter reaches a value of 10:

SYS.VSERVER("A').ACTIVETRANSACTION.GT(10) -action spillover

The Citrix-WI-Extended monitor cannot be used if the Web Interface server is not set up for explicit authentication mode.

Command line output is not displayed on the GUI while the configuration is synchronized, even if the No Warning check box is not selected.

When you bind a DNS policy to the DEFAULT_GLOBAL bind point, the policy's priority is automatically set to 65545, which exceeds the supported priority range. The “operation not permitted” error message appears.

Workaround: Before binding the policy, manually set its priority to a value within the range of 1-65535, and make sure that the priority you set is not used in other bound DNS policies.

If you configure logon and logoff scripts that are part of a session profile, if the scripts contain Unicode characters, users cannot log on or log off of NetScaler Gateway.

If you created a Netscaler Gateway virtual server by using the Quick Configuration wizard in NetScaler Gateway 10.1, the virtual server needs to be renamed with the prefix _XM_. For example, if the original virtual server name is XMGateway, you must manually rename it to _XM_Gateway. By changing the name with the correct prefix, you can see the virtual server in the wizard.

The pop-up messages for NetScaler Gateway Plug-in for Windows appear behind the active applications (such as browsers) on Windows 8.

When you use the Set Up NetScaler for XenApp/XenDesktop wizard in NetScaler, apply optimization settings, and bind the cache policy globally, when users log on with the NetScaler Gateway Plug-in and open Citrix Receiver, the applications and desktops do not appear. The following message appears: There are no apps or desktops assigned to you at this time. Citrix recommends disabling the optimization settings.

If users log on to Outlook Web App by using clientless access in a Firefox web browser, sending email fails.

When users log on, they receive a prompt to install the Endpoint Analysis Plug-in, even though the latest version of the plug-in is installed on the user device.

If you configure a preauthentication policy that checks for Avira Antivirus on a Mac OS X computer and the virus definitions update by using the SCAN-TIME/VIRDEF-FILE-TIME parameter, the OPSWAT libraries use the date and not the time. You must configure this setting by using the number of days between updates.

If users log on by using the NetScaler Gateway Plug-in dialog box and the endpoint analysis scan fails, the choices pages appears in Internet Explorer. When this occurs, the correct cookies are not sent from Internet Explorer and users receive a 403 forbidden error message or the Endpoint Analysis Plug-in web page appears.

Earlier versions of the NetScaler Gateway Plug-in do not support OPSWAT endpoint analysis scans. When users connect to NetScaler Gateway, logon fails because the earlier version of the plug-in does not support OPSWAT endpoint analysis scans. Users can log on from a web browser and then select Network Access, which starts the upgrade to the latest version of the NetScaler Gateway Plug-in and the Endpoint Analysis Plug-in.

When users log on for the first time by using the NetScaler Gateway Plug-in for Mac, the Safari web browser starts the endpoint analysis web page instead of the NetScaler Gateway Plug-in download page.

Applications that use UDP (User Datagram Protocol) or ICMP (Internet Control Message Protocol) on Mac OS X Yosemite (10.10) such as the ones using audio or video streaming, may be unreliable.

When users connect, the DNS Service Location (SRV) records configured on NetScaler Gateway are not served.

If you enable digest authentication in Internet Information Services (IIS), if users log on with Unicode credentials, add the IIS website as a bookmark and then click the bookmark, single sign-on fails. Users receive a prompt to enter their user name and password.

If you enable a proxy server and disable ICA proxy in a session profile, users are not able to start published applications.

If you enable the Green Bubble theme and then clear the entire ns config , the Green Bubble theme remains instead of reverting back to the Default theme. To reset the value, you can run the command set vn para uitheme <value>.

If you configure two-factor authentication with client certificates and LDAP and if Deny SSL Renegotiation is set to All, user connections fail. You must set the parameter to No.

To configure Deny SSL Renegotiation

1. In the configuration utility, on the Configuration tab, in the navigation pane, expand Traffic Management and then expand SSL.

2. In the details pane, under Settings, click Change advanced SSL settings.

3. In Change Advanced SSL Settings, in Deny SSL Renegotion, select No and then click OK.

Citrix recommends that you do not bind Policy Infrastructure (PI) policies to the NetScaler Gateway virtual server. NetScaler Gateway does not support PI policies.

If you configure the Web Interface home page with an IPv6 URL instead of IPv4 or the fully qualified domain name (FQDN), users receive a 400 Bad request error when they log on.

If you configure an endpoint analysis expression that includes hard disk encryption scan types ENC-TYPE and ENC-PATH, a -13 error message always appears. For example, you use the expression HD-ENC_76003_ENC-PATH_

If you configure SSL renegotiation and users log on with a PKI-enabled client certificate, logon fails.

In some instances, the bar line on a graph appears outside the time points on the x-axis.

After a NetScaler upgrade or downgrade, NetScaler Insight Center does not report any data on the dashboard.

If AppFlow is enabled for a virtual server on more than one NetScaler Insight Center virtual appliance, the Clear AppFlow Configurations (Configuration > Inventory > <ipaddress> > Application List > <ipaddress> > Action > Clear AppFlow Configuration) operation does not work on the virtual server that has the lowest priority.

Downgrading NetScaler Insight Center from release 10.5 to release 10.1 is not supported.

When you launch XenApp through Citrix Receiver (standard edition), the app launch duration is not calculated and is shown as zero.

If AppFlow for ICA is enabled on a NetScaler Gateway deployed in a double-hop mode, and if MAC Receiver is used to launch audio or video applications, the NetScaler reports an error counter and skips the flow for this session, resulting in NetScaler Insight Center reports not being displayed for that session.

If AppFlow for ICA is enabled on a NetScaler ADC, and if a MAC Receiver is used to launch applications such as a VLC media player, the NetScaler ADC might report an HDX error counter and might skip the flow for that session resulting in NetScaler Insight Center reports not being displayed for that session.

Session reliability fails and the ICA session does not resume if the session between NetScaler Gateway and a XenApp or XenDesktop server is disconnected because an intermediate router sends a TCP reset. This issue occurs even if you have enabled or disabled data collection for HDX Insight.

On the HDX Insight reports, a Y-axis value of 0 is sometimes shown at a location higher than the x axis.

The Web Insight reports might not display geo maps for some locations.

Workaround: The tabular representation displays the details.

In a multi-stream ICA connection, when virtual channels are multiplexed over different TCP connections, some channels are migrated from primary to secondary ICA connections. When an End User Experience Monitoring (EUEM) channel is migrated, some application launch counts are not sent to NetScaler Insight Center.

The hop diagram for current session applications does not display the link between the CloudBridge device and the server.

Workaround: Refresh the page.

In some situations, the tables shown in the exported reports might not have borders.

NetScaler Insight Center reports might show a different gateway and network mask for a CloudBridge device used for monitoring AppFlow traffic.

NetScaler Insight Center displays the RTT value as NA if the ICA RTT value exported from the device is zero.

If Appflow for ICA is enabled on a NetScaler ADC, the NetScaler Insight Center reports should show XenDesktop details, but that is not always the case. When certain users access XenDesktop, the reports show the application details instead. This issue occurs if the Local Access Apps (LAA) feature is enabled on XenDesktop

The error indicated by the following message can occur when you use an IE8 browser to access NetScaler Insight Center from XenDesktop 5.6 or XenApp 6.5:

" Object does not support this property or method."

If you use the management service to reset an interface that uses a 1G Fiber SFP, the reset is not detected by the NetScaler VPX instance.

On adding many VPX instances, you may hit the default cache memory limit which could result in unexpected behavior.

Workaround: Increase the default cache memory limit.

On an SDX appliance, the Management Service may lose connectivity. The issue is seen only with Management Service which is in the UP state for many days, minimum being 277 days.

If multiple SDX VPX are sharing the same CPU core, the CPU usage might be approximately 50% higher in NetScaler 10.5 version as compared to NetScaler 10.1 version.

If there are no 0/x interfaces provisioned in a VPX and 10/x or 1/x interface is used for manageability purpose and the user creates a LACP channel on those interfaces (10/x or 1/x), then the VPX will become unreachable by Management Service and the channel configurations will not be propagated to the VPX.

The best way to achieve the same is to create the required channel first and then provision the VPX with the LACP selected.

10G Interface reset from Management Service is not working, although you can still use the interface as the reset operation does not affect the interface functionality.

NetScaler cluster on SDX does not support Jumbo Frames.

In SDX systems, sometimes interface or channel binding to a VLAN fails. This happens only if the interface is down or one of the member interfaces of a channel is down.

The Management Service allows sharing of interface configured with Jumbo MTU between 10.5-53.x and prior versions of NetScaler 10.5.

NetScaler VPX instances running on Hyper-V 2012 might consume high CPU cycles while processing 2G traffic.

NetScaler VPX release 10.5 is supported on XenServer versions 6.0 and later. When an instance of NetScaler VPX, which is provisioned on XenServer version 5.6 or earlier, is upgraded to release 10.5, the instance may become unresponsive after a restart.

A NetScaler that is deployed on the Hyper-V may crash or unexpectedly reboot if it uses three or more virtual interfaces in the VPX instance.

In a high availability (HA) configuration on Amazon AWS, HA failover might not happen properly.

Workaround: Warm restart the NetScaler VPX instances.

NetScaler VPX cannot be directly imported into Hyper-V on Windows Server 2012 R2 using the "Import Virtual Machine" function of Hyper-V Manager.

Workaround: Create the VPX instance by using the New > Virtual Machine function and connecting the "Dynamic.vhd" file from the Virtual Hard Disks directory which is present after unzipping the release image.

Note: The newly created VPX instance MUST be configured with a minimum of 2GB memory and with 2 vcpus; setting the vcpus is done by changing the virtual machine settings after the instance is created, but before booting.

If you have enabled Source IP persistency on multiple IPv4 RNAT rules that have the same condition but with different NAT IP addresses, the NetScaler command line and the configuration utility display Source IP Persistency as ENABLED for only one of these rules.

In an HA configuration in INC mode running the OSPF routing protocol, the secondary node drops all L3 traffic that has the destination that was advertised by the secondary node.

If a NetScaler appliance on which the cache redirection feature is enabled supports jumbo frames on the client-side connection but not supported on the server-side connection, the client-side connection behaves as a regular connection.

A ZebOS API call to a NetScaler ADC fails when the ns ipv6-routing command is part of the input routing config set.

Jumbo frames are not supported on NetScaler VPX appliances.

Jumbo frames are not supported on NetScaler MPX 15000 and MPX 17000 Platforms.

Jumbo frames are not supported on an IPv6-IPv6 tunnel.

If you disable the TCP Proxy parameter while creating a Reverse Network Address Translation (RNAT) rule on a multi-core NetScaler ADC, the NAT operation fails.

The source IP persistency functionality might not work for an RNAT rule that does not have the NAT IP parameter set to an IP address.

In an active-active high availability configuration using Virtual Router Redundancy Protocol (VRRP) protocol, a ping to a virtual IP address (VIP) might fail from a node that is a backup node for this VIP address.

For a link redundancy using LACP channels configuration with two sub channels, the maximum supported throughput for both the sub channels falls below the configured lrMinThroughput value, link failover does not occur when the maximum supported throughput of the standby sub channel becomes equal to or greater than the lrMinThroughput value.

On a NetScaler ADC, when the MTU of a VLAN and Intermediate System to Intermediate System (IS-IS) Link Sate Packet (LSP) is set to a value lower than 1500, the IS-IS process fails to send the IS-IS protocol data units (PDUs) of the specified MTU size until the process is restarted.

The IS-IS level 1-2 adjacency between NetScaler ADC and Cisco Nexus Router might flap.

When the MTU of a VLAN is set to 500, the adjacency of Intermediate System to Intermediate System (IS-IS) protocol fails in this VLAN, because the IS-IS process on a NetScaler ADC works with a minimum MTU value of 520.

High availability (HA) synchronization does not work properly after you upgrade an HA setup from a release 10.5 beta build to a GA build.

Workaround: Disable HA propagation and HA synchronization before upgrading the HA setup, and enable them after the upgrade process is complete.

NetScaler VPX instances running on a XenServer/HyperV hypervisor do not support Link Layer Discovery Protocol (LLDP).

When the NetScaler appliance forwards packets that are larger than the interface's MTU value, the appliance fragments the packets into 2048-byte packets, regardless of the MTU value configured.

For example, if the appliance forwards a 9000-byte packet on an interface that you have configured with an MTU of 4000, the appliance fragments the 9000-byte packets into 2048-byte packets.

L2 mode is not supported on NetScaler VPX instances running on a Linux-KVM host.

In the NetScaler release 10.5, which includes an OS upgrade, the FreeBSD 8.4 implementation has enhanced the mechanism for quiescing a CPU when the guest OS detects that the CPU is not busy. Some deployments dedicate the VPX management CPU and some share the VPX management CPUs between instances. For some deployments this results in an improved performance as the management CPUs of a multi-instance deployment will behave more efficiently. For other deployments, the apparent CPU load increases. This does not indicate that the management CPU load inside the VPX is heavier, but it means that the hypervisor is busy trying to allocate these CPU resources to another instance and is not succeeding.

NetScaler VPX instances running on VMware ESXi lose network connectivity when you apply either of the following patches:

- ESXi550-201410401-BG

- ESXi510-201410401-BG

Workaround: For more information, see http://support.citrix.com/article/CTX200278.

In a cluster setup, if you include the "cipherdetails" option in the "show ssl service" or "show ssl vserver" command, an incorrect message appears. This is only a display issue.

For example,

> sh ssl service svc1 -cipherDetails

ERROR: No such resource [serviceName, svc1]

If CRL auto refresh is enabled and the LDAP method is selected, the following, incorrect, error message appears: "Either URL or server-IP required on CRL."

This message should indicate that a server IP address is required.

If you try to add a certificate bundle with the complete path to a certificate-bundle file, an error message appears. For example,

> add ssl certkey bundle -cert /nsconfig/ssl/bundle3.pem -key /nsconfig/ssl/bundle3.pem -bundle YES

ERROR: Processing of certificate bundle file failed.

Workaround: Specify only the file name. For example,

> add ssl certkey bundle -cert bundle3.pem -key /nsconfig/ssl/bundle3.pem -bundle YES

An SSL chip is disabled at the third reinitialization attempt. That is, the maximum reinitialization limit is 2. Earlier, this limit was 5.

If a spike in traffic occurs while the NetScaler ADC is doing a DH-based handshake, some packets might be dropped, because a DH handshake consumes a high number of CPU cycles.

For virtual servers and services using the default TCP profile (nstcp_default_profile) with the MSS parameter set to zero, the NetScaler appliance uses 1460 as the value for TCP MSS instead of using a value based on interface MTU and VLAN MTU.

The NetScaler appliance may display messages that are a result of file system compatibility checks that are performed when booting up. These messages are informational only, and do not have any adverse impact on the functioning of the NetScaler.

During the execution of the "nstrace.sh" script (from shell) or the "start nstrace" command (from CLI), when the trace file is rolled over, some packets might not be available in the trace. The number of packets that will be dropped from the trace is directly proportional to the traffic rate.

If a NetScaler interface configured for jumbo frames is subjected to persistent congestion, and the NetScaler appliance is operating under low memory conditions, the appliance might not have enough buffers to handle jumbo frames.

Downloading a file over a TCP connection in which the client side has a non-jumbo MSS (less than or equal to 1460 bytes) and the server side has a jumbo MSS (greater than or equal to 1460 bytes), causes a slight increase in latency.

When using MPTCP, if a single SSL record is split into a large number (> 100) of small segments, an SSL buffer overrun causes the NetScaler appliance to crash.

When the management CPU is running at close to 100% of capacity, the aggregator might not be able to process some of the statistics requests from clients, such as requests from the configuration utility, the CLI, and SNMP. If the aggregator fails to respond within the timeout period, the client returns following error:

Invalid response from the aggregator [Device not Configured]

NetScaler will fail intermittently when processing SPDY traffic on SPDY enabled vservers, if the HTTP response body is received with chunked transfer-encoding and response header is modified by other NetScaler features.

If an authentication policy is bound to NetScaler system global, authentication of weblog and auditlog services fails.

When configuring Web Interface sites through the wizard, when the "Trust ssl certificate" option is checked, certificates bound to the VPN virtual server are not imported to the JVM.

Workaround: You must import the certificates manually by executing the following command from the shell prompt:

> /netscaler/wi/export_cert.sh

The maximum memory that can be configured for an admin partition is 2048 MB. Setting a value greater than this means that the value is automatically truncated to 2048 MB. This memory limit is per packet engine of the NetScaler.

The NetScaler randomly crashes when SPDY is enabled on a NetScaler deployment which has integrated caching or front end optimization enabled. This occurs due to some interaction issues.

Workaround: Disable SDPY when integrated caching or front end optimization is enabled.

Wireshark Version for Getting NetScaler Trace

Wireshark is required to open nstrace files (cap and pcap). For NetScaler 10.5 and later releases, Wireshark must be upgraded to version 1.11.3 or any later version. You can download the latest version from: https://www.wireshark.org/download.html.

The "unset authentication localPolicy" command is removed from this version onwards.

FreeBSD version for Auditlog Server

For NetScaler 10.5 and later releases, the auditlog server fails to start if it is deployed on a FreeBSD 6.3 system.

Background: In this release, the NetScaler supports auditlog servers on FreeBSD 8.4. Therefore, auditlog servers that are deployed on FreeBSD 6.3 systems will not start.

Workaround: Upgrade to FreeBSD OS on which you have the auditlog server, from 6.3 to 8.4.

Multipath TCP does not work with NetScaler cache redirection feature.

Configuration Utility

If you create a service on one of the screens that appear while you are configuring a virtual server, you cannot bind the service to the virtual server, because the OK button is not enabled.

Workaround: Close the service pane and try to bind the service again.

Configuration Utility

You can bind multiple services at the same time to a virtual server or a service group. However, you cannot unbind multiple services at the same time from a virtual server or from a service group.

Workaround: Unbind each service separately.

Issue ID 0440208: If a new SSL certificate that requires a key is installed without the key, access to management service GUI is lost.

On a NetScaler ADC, if WIHome is configured to point to an IPv6 load balancing virtual server that points to the IPv6 StoreFront services, a user trying to log on receives a 500 Internal Server Error message.

Workaround: Remove the IPv6 load balancing virtual server configuration and configure WIHome to point directly to the StoreFront server URL.

OpenJDK version for Web Interface on NetScaler (WIonNS)

For NetScaler 10.5 and later releases, Web Interface on NetScaler (WIonNS) must use the OpenJDK7 package since NetScaler now uses FreeBSD 8.x/amd64. You can download the package from either one of the following links:

* http://ftp.freebsd.org/pub/FreeBSD/releases/amd64/amd64/8.4-RELEASE/packages/java/openjdk-7.17.02_2.tbz

* ftp://mirror.is.co.za/FreeBSD/ports/amd64/packages-8.4-release/devel/openjdk-7.17.02_2.tbz

Background: When the NetScaler is upgraded to version 10.5, it still has OpenJDK1.6 instead of OpenJDK1.7 which is required for NetScaler version 10.5. Therefore, when the configurations are saved (after upgrading), the Web Interface sites become inaccessible.

Workaround: Before you save the configurations on the upgraded appliance, make sure you reinstall the Web Interface on NetScaler version 10.5 by using OpenJDK1.7.

With previous versions of the NetScaler ADC, OWA 2010 connections did not timeout because OWA sends repeated keepalive requests to the server to prevent timeouts, which interfered with single sign-n and posed a security risk. AAA-tm now supports forced timeouts that ensure that OWA 2010 sessions timeout after the specified period of inactivity.

For more information and configuration instructions, see the documentation.

NetScaler as SAML IDP

The NetScaler ADC can now act as a SAML identity provider (IDP). As an IDP, the ADP accepts SAML tokens from user sthat request access to a protected application, redirecting users to the SAML service provider (SP) logon page to authenticate. After the user authenticates, the ADC generates a SAML assertion that grants access to the protected resource and redirects the user to it. When the user logs out or is logged out by any SP, the ADC sends logout requests to all other SPs that the user accessed during the current session and terminates the session.

For more information, see the NetScaler documentation.

Renegotiate Support for Certificate-based Policies

AAA-TM now prompts for the client certificate only when it requires the certificate to authenticate a user, not every time that a protected application requests authentication. It retrieves the certificate if two factor authentication is not enabled, or if it is configured to extract the user name from the certificate.

KCD Performance Improvements

When creating a KCD Account with a delegated user certificate and CA certificate, AAA now searches the /nsconfig/ssl directory for the two certificate files, where those certificates are kept, instead of searching /nsconfig/krb.

Authentication Server Stickiness

After a user authenticates successfully to an LDAP, RADIUS, or TACACS authentication or authorization server, the NetScaler ADC now connects to the same server for subsequent user authentications or authorizations. When a primary server is unavailable, this feature prevents delays while the ADC waits for the first server to time out before resending the request to the second server.

For example, assume that you have AAA configured on your ADC with three authentication policies--authpol1, authpol2, and authpol3--with priorities set to 10, 20, and 30 respectively. A user requests authentication, and the ADC discovers that the authentication server behind authpol1 does not respond to authentication requests. The ADC then tries authpol2, which responds. When other users attempt to authenticate after this situation occurs, the ADC skips authpol1 and proceeds directly to authpol2.

Responder After AAA

On a NetScaler ADC that has AAA configured, the ADC now invokes responder policies after authenticating users. Previously, users could not bookmark the authentication sign-on page. This limitation no longer exists.

Unlocking Locked-Out User Accounts

You can now unlock a user account that was locked out after too many failed logon attempts or after repeated violations of logon attempt time slice limits. To unlock a locked-out user account by using the configuration utility, navigate to Security > AAA-Application Traffic > Users. In the data pane, select the user account to unlock, and then in the Actions drop-down list, choose Unlock. To unlock a locked-out user account from the command line, type the following command:

unlock aaa user <userName>

AAA-TM can now be configured to authenticate users with an external RADIUS or LDAP authentication server at a specific FQDN instead of only at a specific IP. Configuration via FQDN can simplify an otherwise much more complex AAA configuration in environments where the authentication server might appear on any of several IPs, but always uses a single FQDN.

Note: When you configure AAA to authenticate to an external server via FQDN instead of IP, you add an extra step to the authentication process because the ADC must resolve the FQDN each time that it authenticates a user. If a great many users attempt to authenticate simultaneously, the DNS lookups might slow the authentication process.

To configure authentication by using a server's FQDN instead of IP, follow the normal configuration process except when creating the authentication action, where you substitute the serverName parameter for the serverIP parameter, as shown below:

> add authentication ldapAction <name> -serverName <serverName>

> add authentication radiusAction <name> -serverName <serverName>

For <serverName>, substitute the fully-qualified domain name (FQDN) of the LDAP or RADIUS authentication server.

Web-based Authentication

AAA-TM is now able to authenticate a user to a web server, providing the credentials that the web server requires in an HTTP request and analyzing the web server response to determine that user authentication was successful.

To set up web-based authentication with a specific web server, first you create a web authentication action. Since authentication to web servers does not use a rigid format, you must specify exactly which information the web server requires and in which format when creating the action. To do this, you create an expression in NetScaler default syntax. Next you create a policy associated with that action. The policy is similar to an LDAP policy, and like LDAP policies uses NetScaler classic syntax.

NetScaler Default Expressions support for authentication subsystem

AAA-TM now supports NetScaler default syntax expressions in the following parts of the authentication subsystem:

* Authentication policy rules. You can use default syntax expressions as Authentication policy rules. The default syntax expression editor now appears in the configuration utility when you create or configure an authentication policy, From the command line, you can simply use default syntax to create the rule for your policy and AAA-TM will recognize and implement it.

* Authentication policy bindings. Authentication policies, when bound, can each be associated with the "nextFactor" policyset. The nextFactor policyset is evaluated if the policy to which it is associated succeeds. nextFactor support permits policy pairing and grouping, and allows you to create cascading chains of policies all of which can be evaluated in turn. There is no upper limit to the number of policies that can be chained in this manner.

All policies bound to a single authentication server must be either NetScaler default syntax policies or NetScaler classic syntax policies. You cannot mix both types of policy on a single authentication server.

Strong Encryption Support in Kerberos KCD

AAA-TM now supports the aes256-sha1 and aes128-sha1 strong encryption methods for Kerberos KCD. Previously, when KCD was configured to use delegated user credentials, AAA used the relatively weak RC4-HMAC encryption algorithm to encrypt the timestamp when sending a ticket-granting request to the Kerberos server. If the system administrator had restricted use of weak encryption algorithms on the Kerberos server, the Kerberos server would respond with an error instead of the requested ticket, causing KCD to fail. AAA now uses aes256-sha1 to encrypt timestamps for delegated user credentials.

Extracting SAML Attributes from Keytab

The AAA Negotiate Action command can now extract user information from a keytab file instead of requiring you to enter that information manually. If a keytab has more than one SPN, AAA selects the correct SPN. You can configure this feature at the NetScaler command line, or by using the configuration utility.

To configure AAA to extract user information from a keytab file at the command line, type the appropriate command:

add authentication negotiateAction <name> [-keytab <string>]

set authentication negotiateAction <name> [-keytab <string>]

For <name>, substitute the name of the negotiateAction. If you are adding a new action, the name can be from one to 127 characters in length and can consist of upper- and lowercase letters, numbers, and the hyphen (-) and underscore (_) characters. For <string>, substitute the full path and filename of the keytab file that you want to use.

To configure AAA to extract user information from a keytab file by using the configuration utility, do the following steps:

1) Open Security, AAA, Policies, Authentication, Negotiate.

2) In the Data pane, click the Servers tab.

3) Do one of the following:

* If you want to create a new Negotiate action, click Add.

* If you want to modify an existing Negotiate action, in the data pane select the action, and then click Edit.

4) If you are creating a new Negotiate action, in the Name text box, type a name for your new action.

The name can be from one to 127 characters in length and can consist of upper- and lowercase letters, numbers, and the hyphen (-) and underscore (_) characters.

If you are modifying an existing Negotiate action, skip this step. The name is read-only; you cannot change it.

5) Under Negotiate, if the Use Keytab file check box is not already checked, check it.

6) In the Keytab file path text box, type the full path and filename of the keytab file that you want to use.

7) In the Default authentication group text box, type the authentication group that you want to set as default for this user.

8) Click Create or OK to save your changes.

Using a Responder HTML Response Page to provide Customized Error Responses

You can use the Citrix NetScaler Responder feature to create custom error responses when a user attempts to authenticate with AAA-TM and authentication fails. The Responder feature is flexible; you can create as many error responses as you wish, and respond to as many different error conditions. For example, if your users log on to different authentication servers in different geographic areas, you can customize responses to each region. A user in the United States can receive an error message that is appropriate to his or her authentication server, and be directed to a customer service telephone number in the United States. A user in Japan can receive the same for his or her different authentication server and customer service telephone number.

Briefly, to create a Responder configuration for this scenario, first create each error message and place that error message on a web server. The web server should not be located on the same physical server as the authentication server, and preferably not on the same subnet. If you have multiple regional data centers that host separate authentication servers, it is advisable to locate each error response in a different data center than hosts the authentication server that it is used for, so that local power outages or Internet connectivity problems do not affect the web server that hosts the error messages. Then, on the ADC, do the following steps:

1) Create one load balancing virtual server for each error message.

2) Create a policy for each error message that selects the requests that should receive this error message if authentication fails, and bind each policy to the appropriate load balancing virtual server.

3) Create a responder action for each error message that contains an HTTP 307 Redirect that points to the URL of the customized error message.

4) Create a responder policy for each error message that selects connections that should receive that error message, and bind that policy to the appropriate responder actions. You must craft a rule for the responder policy that selects connections that meet the appropriate criteria. For example, if you want connections that originate in the USA and that fail authentication to receive this error message, the rule could identify the region by source IP, and the authentication failure by error message.

5) Bind each responder policy to the correct virtual server, as shown below.

> bind lb vserver <vServerName> -policyName <policyName> -priority 1 -gotoPriorityExpression END

For detailed instructions on how to set up a responder configuration of this type by using the command line, see the following article on the Citrix Customer Support web site:

http://support.citrix.com/article/CTX129108

The process of collecting the load time and render time of web pages has been simplified by including the clientSideMeasurements parameter as part of the add appflow action command.

On the command line interface, enable this option by running the following command:

> add appflow action <name> -clientSideMeasurements ENABLED

For details about configuring an AppFlow action, see http://support.citrix.com/proddocs/topic/ns-system-10-5-map/ns-ag-appflow-config-actn-tsk.html.

Indication for End of Transaction

A transaction flag now indicates, to external collectors, whether the transaction was successfully completed or was aborted.

NetScaler ADC now exports AppFlow records to a set of collectors if the transaction responses are served from the NetScaler cache.

Configuring RISE with NetScaler ADC and Cisco Nexus 7000 Switches.

You can now use Remote Integrated Service Engine (RISE) technology to integrate a NetScaler ADC and a Cisco Nexus 7000 Series switch. This combination offers layered network services, including robust application delivery capabilities that accelerate application performance for all users.

With a RISE based implementation, the NetScaler functionality is available as a centralized resource that can be leveraged across the application infrastructure supported by the Cisco Nexus 7000 series switch. The key functionalities of the RISE architecture include:

- Plug and play auto-provisioning. RISE provides a plug and play auto-provisioning feature. When you directly connect the NetScaler ADC to the Cisco Nexus 7000 series switch, auto-discovery commences.

- Discovery and bootstrapping. The discovery and bootstrap mechanism enables the Cisco Nexus 7000 Series switch to communicate with the NetScaler ADC by exchanging information to set up a RISE channel, which transmits control and data packets.

- Health Monitoring. The NetScaler ADC uses its health monitoring feature to track and support server health by sending health probes to verify server responses.

- Automatic Policy Based Routing (APBR). Automatic Policy Based Routing (APBR) automatically routes the return traffic from the servers to the NetScaler ADC, preserving the client IP addresses. The automatic policy based routes are defined on the Cisco Nexus 7000 series switch. When the return traffic from the server reaches the Cisco Nexus 7000 series switch, the APBR policies defined on the switch route the traffic to the NetScaler ADC, which in turn routes the traffic to the client.

Layer2 Mode Support in a Cluster

You can now use the Layer2 mode in a NetScaler cluster. For more information, see http://support.citrix.com/proddocs/topic/ns-system-10-5-map/ns-cluster-l2-mode-con.html.

Spotted VIP for NetScaler Gateway clusters. Spotted VIP functionality has been expanded to enable clustering for NetScaler Gateway.

A NetScaler cluster can now be configured to run with less than (n/2 + 1) number of nodes online. To do this, while creating a cluster instance, you must set the "quorumType" parameter to none as shown here:

> add cluster instance <clid> -quorumType None

Traffic domains are now supported on a NetScaler cluster.

You can now add a failover interface set (FIS) on the nodes of a NetScaler cluster. On the cluster IP address, specify the ID of the cluster node on which the FIS must be added as follows:

> add fis <name> -ownerNode <nodeId>

Note:

- The FIS name for each cluster node must be unique.

- A cluster LA channel can be added to a FIS. You must make sure that the cluster LA channel has a local interface as a member interface.

MPTCP is now supported on a NetScaler cluster.

Net profiles are now supported on a NetScaler cluster. You can bind spotted IP addresses to a net profile which can then be bound to spotted load balancing virtual server or service (defined using a node group) with the following recommendations:

- If the "strict" parameter of the node group is "Yes", the net profile must contain a minimum of one IP address from each node of the node group member.

- If the "strict" parameter of the node group is "No", the net profile must include at least one IP address from each of the cluster nodes.

- If the above recommendations are not followed, the net profile configurations will not be honored and the USIP/USNIP settings will be used.

Link Redundancy Support in a Cluster

The NetScaler cluster now provides link redundancy with LACP. For more information, see http://support.citrix.com/proddocs/topic/ns-system-10-5-map/ns-cluster-traf-dist-link-redundancy-con.html.

VRID/VRRP is now supported on a NetScaler cluster.

From NetScaler 10.5 Build 52.11, the cluster feature is licensed with the Platinum and Enterprise licenses. In earlier releases, the cluster feature was licensed by a separate cluster license file.

Note:

- If you have configured a cluster in an earlier build, the cluster will work with the separate cluster license file. No changes are required.

- When you configure a new cluster in Build 52.11 and then downgrade to an earlier build, the cluster will not work as it now expects the separate cluster license file.

GSLB support in a Cluster

Global server load balancing can now be configured on a NetScaler cluster. To do this, you must log on to the cluster IP address to define the GSLB entities and then bind these entities to a a single member cluster node group.

For detailed information, see http://support.citrix.com/proddocs/topic/ns-system-10-5-map/ns-cluster-gslb-con.html.

Specifying a Vary Header Value

When using HTTP compression, you can explicitly specify a "vary" header value for compressed responses. Prior to this enhancement, the vary header was implied to be "Accept-Encoding, User-Agent".

To specify the customized vary header globally:

> set cmp parameter -addVaryHeader ENABLED -varyHeaderValue <string>

To specify the customized vary header for a specific compression action:

> add cmp action <name> <cmpType> -addVaryHeader ENABLED -varyHeaderValue <string>

Distinguish between Commands Executed from Different NetScaler Interfaces

The NetScaler now keeps track of the interfaces through which operations are executed. You can view this information in syslogs (in the NetScaler GUI, navigate to Configuration > System > Auditing > Audit Messages > Syslog messages) or in the ns.log (located at the /var/log/ directory) file.

For example, operations that are performed through the API are flagged as "API CMD_EXECUTED".

The NetScaler graphical user interface (GUI) has been enhanced to provide a better user interaction experience. It now provides you with a workflow-based experience, which guides you through the entire configuration. The configuration settings have been classified as basic and advanced for some features. The NetScaler ADC configuration utility and NetScaler Gateway configuration utility has also been reimplemented in HTML. As a result of these enhancements, the GUI does not display pop-up dialog boxes for most features and you no longer need Java Runtime Environment (JRE) to access these features through the GUI.

For more information, see http://support.citrix.com/proddocs/topic/ns-rn-main-release-10-5-map/ns-rn-changes-gui-10-5-con.html

Content accelerator is a NetScaler feature that you can use in a Citrix ByteMobile T1100 deployment, to store data on a Citrix ByteMobile T2100 appliance. This saves bandwidth and provides faster response times, because the NetScaler does not have to connect to the server for repeated requests of the same data.

For more information, see http://support.citrix.com/proddocs/topic/ns-optimization-10-5-map/ns-content-accl-con.html.

Multiple Port Content Switching Support for SSL_TCP Virtual Servers

You can now configure the NetScaler ADC so that SSL_TCP content switching virtual servers listen on multiple ports without having to configure separate virtual servers. Instead of configuring multiple virtual servers with the same IP address and different ports, you can now configure one IP address and specify the port as * . As a result, the configuration size is also reduced.

When you create a content switching virtual server, NetScaler now supports using DNS TCP as the protocol used by the virtual server.

Multiple Port Content Switching Support for HTTP and SSL Virtual Servers

You can now configure the NetScaler ADC so that HTTP and SSL content switching virtual servers listen on multiple ports without having to configure separate virtual servers. This feature is especially useful if you want to base a content switching decision on a part of the URL and other L7 parameters. Instead of configuring multiple virtual servers with the same IP address and different ports, you can now configure one IP address and specify the port as *. As a result, the configuration size is also reduced.

For more information, see http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-5-map/ns-cs-customizing-multiport-http-ssl-tsk.html

Content Switching Support for Diameter

The NetScaler ADC now supports content switching for the Diameter protocol. A number of expressions have been added, and you can use them to examine the header and the attribute-value pairs (AVPs) in a Diameter packet. On the basis of that information, you can forward the request to the selected load balancing virtual server.

For more information, see http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-5-map/ns-cs-customizing-diameter-for-cs-tsk.html.

CNAME Record Caching

NetScaler ADC when deployed in a proxy mode does not always send the query for an address record to the back-end server. This happens when for an answer to a query for an address record, a partial CNAME chain is present in the cache. Under few conditions, ADC caches the partial CNAME record and serves the query from the cache.

For more information, see http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-5-map/ns-tmg-dns-caching-cname-record-con.html

Enabling or Disabling the Recursion Available Flag

A new parameter -RecursionAvailabe (YES|NO) is introduced in load balancing virtual server (for DNS and DNS_TCP types). The option by default has a value of NO. When you use the load balancing virtual server to load balance recursive resolvers, you can turn this option to YES. This will cause NetScaler to respond with RA bit set on all responses.

NAPTR DNS Record

NetScaler ADC supports DNS NAPTR (Naming Address Pointer) record type. NAPTR records are generic DNS record type, but are commonly used in internet telephony for service discovery. They therefore enable clients to discover which server the request should go to for a particular service and which protocol to use to connect to the server.

NetScaler ADCs support NAPTR in two modes: ADNS mode and proxy mode. You can create a NAPTR record using both, command line interface and the NetScaler Configuration Utility.

For more information, see http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-5-map/ns-tmg-dns-crt-naptr-rec-tsk.html

AA bit set for response from NetScaler Cache

In the previous releases, for NODATA responses with AA bit, NetScaler would ignore AA bit (authoritative bit) while caching. For such DNS queries NetScaler would reply with NODATA response from cache without setting the AA bit. The behavior has been enhanced with current release. NetScaler will respond with the AA bit for negative cached responses just as it does for positive cache responses.

Support for Database Specific Load Balancing for MySQL

Database specific load balancing is now supported for MySQL databases. If a database is available on multiple servers but is online on only some of these servers, the client request is forwarded to the server on which the database is online. Enable the DBSLB option when you create a load balancing virtual server. To store the database list on the NetScaler ADC, while creating a MYSQL-ECV monitor, enable storeDB.

Support for Fallback to NTLM Authentication

Currently AAA supports Kerberos authentication only with Datastream Windows Authentication. AAA does not support fallback to NTLM if Kerberos authentication fails.

Support for SQL Server High-Availability (HA) Group Deployment

The NetScaler ADC now supports AlwaysOn Availability group deployment in database specific load balancing for MSSQL 2012.

For more information, see http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-5-map/ns-dbproxy-db-specific-lb-for-mssql-2012-tsk.html

Support for Transparent Deployment Mode in MySQL

You can now configure the NetScaler ADC to operate transparently between MySQL clients and servers, and to only log or analyze details of all client-server transactions. Transparent mode is designed so that the ADC only forwards MySQL requests to the server, and then relays the server's responses to the clients. As the requests and responses pass through the ADC, the ADC logs information gathered from them, as specified by the audit logging or AppFlow configuration, or collects statistics, as specified by the Action Analytics configuration. You do not have to add database users to the ADC.

Any NetScaler MPX or VPX appliance subject to a limit on the number of DataStream transactions per second will no longer be restricted by license or platform model number.

GSLB Auto Sync Enhanced to to Sync Static Proximity Database

GSLB autosync has been enhanced to synchronize global server load balancing (GSLB) static proximity databases. When autosync is triggered on the master site, first the static proximity database is synchronized followed by the synchronization of configuration.

For more information see, http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-5-map/ns-gslb-synchro-static-proximity-db.html

Increased Metadata Cache Capacity

The number of cached objects that the cache memory can store has now been increased.

Cache Object Persistence in a High Availability Setup

When integrated caching is used in a high availability setup, in addition to storing the cached objects on the primary appliance, the objects are also stored on the secondary appliance. This reduces bandwidth usage as cached objects are not lost during failover and the request can then be served directly from the cache of the secondary appliance.

To enable this functionality globally, execute the following command:

> set cache parameter -enableHaObjPersist Yes

To enable this functionality on a specific content group, execute the following command:

> set cache contentGroup <name> -persistHA Yes

Support for Jumbo Frames in RADIUS

The NetScaler ADC now supports RADIUS jumbo frames.

For more information on jumbo frames, see http://support.citrix.com/proddocs/topic/ns-system-10-5-map/ns-nw-jf-overview-con.html.

Increased Limits on the Number of Service Groups

You can now configure up to 8K (8192) service groups on a NetScaler appliance. The earlier limit was 4K (4096) service groups.

Rate Limiting Support for Diameter

You can now configure rate limiting for diameter messages. In the following example, NetScaler limits the rate to 100 messages per second and sends UNABLE_TO_DELIVER if the rate exceeds that limit.

> add ns limitidentifier rslm1 -threshold 100 –timeSlice 1000 -mode REQUEST_RATE -limittype bursty

> add responder action rsact1 respondwith "DIAMETER.NEW_ERROR_ANSWER + DIAMETER.NEW_AVP(263, DIAMETER.REQ.SESSION_ID.VALUE) + DIAMETER.NEW_AVP_UNSIGNED32(268, 3002)"

> add responder policy rspol1 "SYS.CHECK_LIMIT("rslm1")" rsact1

Monitors for XenMobile Device Manger (XDM) and XenMobile Device Connector (XNC)

NetScaler allows a user to create monitors to check the status of the XenMobile Device Manager (XDM) and XenMobile NetScaler Connector (XNC) servers. The citrix-xdm monitor is used to monitor the XDM server while the citrix-xnc-ecv monitor is used to monitor the XNC server. You can add these monitors by using the add lb monitor command from the command-line interface or by using the GUI.

* The XDM monitor uses the username, password, and site path strings to probe the XDM server.

* The XNC monitor uses the username, password, send, and recv strings to probe the XNC monitor.

Python SDK for NetScaler NITRO

NITRO now provides a Python SDK for configuring the NetScaler appliance. The SDK can be downloaded from the Downloads page of the NetScaler appliance's configuration utility.

Python SDK for NetScaler SDX and NetScaler Insight Center NITRO

NITRO now provides Python SDKs for configuring the NetScaler SDX appliance and the NetScaler Insight Center appliance. The SDKs can be downloaded from the Downloads page of the appliance's configuration utility.

Uploading and Retrieving Files for NetScaler Using NITRO

NetScaler operations such as configuring SSL certificates requires the input files to be available locally on the NetScaler appliance. NITRO allows you to perform file operations such as uploading file to the NetScaler, retrieving a list of files and the file content from the NetScaler, and also delete files from the NetScaler. These operations can be performed for files of type: txt, cert, req, xml, and key.

For more information, see http://support.citrix.com/proddocs/topic/netscaler-main-api-10-5-map/ns-nitro-rest-file-ops-ref.html.

Uploading and Retrieving Files for NetScaler SDX Using NITRO

NetScaler SDX operations such as configuring SSL certificates requires the input files to be available locally on the appliance. NITRO allows you to perform file operations such as uploading file to the SDX, retrieving a list of files and the file content from the SDX, and also delete files from the SDX. These operations can be performed for files of type: cert,key, software images etc.

RADIUS accounting.

RADIUS accounting functionality has been added to RADIUS authentication.

Tranferring ICA Proxy Sessions Between Devices

If you configure a SmartAccess virtual server, when users log on from multiple devices, you can transfer the ICA Proxy session to another device and restrict users to one Universal license. For example, if users log on by using Citrix Receiver on their computer and then log on again from a mobile device, this consumes two NetScaler Gateway Universal licenses and creates two sessions for one user. You can prevent the two sessions by enabling the setting ICA Proxy Session Migration on the virtual server. When you enable this setting, the user session transfers to the new device and uses one Universal license.

To enable session transfer

1. In the configuration utility, on the Configuration tab, in the navigation pane, expand NetScaler Gateway and then click Virtual Servers.

2. In the details pane, select a SmartAccess virtual server and then click Open.

3. Select ICA Proxy Session Migration and then click OK.

Advanced endpoint analysis

NetScaler Gateway contains built-in scans for a wide variety of applications and services with the Endpoint Analysis Plug-in for Windows- based computers and Mac OS X computers. Additionally, the expression editor for advanced endpoint analysis has been implemented in HTML within the configuration utility.

On the dashboard, if you move the columns in a table and refresh the page, the column ordering is sometimes reset to default.

The active sessions data on the dashboard now include the following metrics:

Client IP: IP address of the client

Server IP: IP address of the server

NetScaler IP: NetScaler IP address

HDX Insight Center reports now support the following metrics:

-Client side zero window size event: This counter indicates how many times the client advertised a zero TCP window.

-Server side zero window size event: This counter indicates how many times the server advertised a zero TCP window.

-Client side fast RTO: This counter indicates how many times the retransmit timeout was invoked on the client-side connection.

-Server side fast RTO: This counter indicates how many times the retransmit timeout was invoked on the server-side connection.

Hop Diagram Support

The HDX Insight reports now support hop diagrams, which provide complete details about the client, NetScaler ADC, and server in an active session.

To display the hop diagram, on the dashboard tab, navigate to HDX Insight > Users >, click on a user name and, in the Current Application Sessions table, click on the session diagram icon.

Data record logs provide detailed information about appflow records that NetScaler Insight Center collects from NetScaler ADCs.

For more information, see http://support.citrix.com/proddocs/topic/ni-10-5-map/ni-change-data-record-log-settings.html.

The GUI displays a real-time graphical representation of the CPU, memory, and disk resources used by the NetScaler Insight Center virtual appliance.

To display additional details, on the Configuration tab, navigate to NetScaler Insight Center and click Statistics.

For debugging an issue, the technical support bundle that you generate to send to the technical support team now automatically includes NetScaler ADC data along with the NetScaler Insight Center data.

You can also choose to include the debug logs and data distribution logs.

You can now configure the ICA session timeout value for inactive sessions on the NetScaler Insight Center configuration tab.

For details, see http://support.citrix.com/proddocs/topic/ni-10-5-map/ni-ica-session-timeout-tsk.html

You can now customize NetScaler Insight Center reports to display the metrics that you want, and you can specify bar graphs or line graphs.

To make these changes, open the drop-down list next to the percentage icon in the top-right corner of the dashboard.

Exporting Reports

You can now save the Web Insight reports or HDX Insight reports in PDF, JPEG or PNG format on your local computer. You can also schedule the export of the reports to specified email addresses at various intervals.

For more information, see http://support.citrix.com/proddocs/topic/ni-10-5-map/ni-export-report-con.html.

If the length of URLs displayed in the Web Insight reports is very long, you can enable the trim URL functionality to remove the query string from the URL.

For details about configuring this functionality, see http://support.citrix.com/proddocs/topic/ni-10-5-map/ni-change-url-parameter-settings.html

Managing Session Timeout Period

You can now configure the timeout period for how long a user or a group can remain in an idle state before being terminated.

Enable this option while configuring user accounts or user groups.

For more details on configuring a user account or a group account, see http://support.citrix.com/proddocs/topic/ni-10-5-map/ni-add-user.html or http://support.citrix.com/proddocs/topic/ni-10-5-map/ni-add-group.html.

NetScaler Insight Center now saves the following data for a specific time period before it is purged:

* 30 second data - Saves for 6 minutes

* 5 minute data - Saves for 65 minutes

* Hourly data - Saves for 25 hours

* Daily data - Saves for 31 days

Even if Appflow is disabled for a virtual server, you can clear the configuration in the NetScaler Insight Center by selecting Clear AppFlow Configurations from the Action list.

HDX Insight now provides a report about active sessions, grouped by server IP and gateway IP.

Geo Map Support

The NetScaler Insight Center geo maps feature displays the usage of web applications across different geographical locations on a map. Administrators can use this

information to understand the trends in application usage and for capacity planning.

Geo maps provide information that answers questions such as the following:

-Which region has the highest number of clients accessing an application?

-Which region has the highest response time?

-Which region is consuming the most bandwidth?

For more information, see http://support.citrix.com/proddocs/topic/ni-10-5-map/ni-usecase-geo-maps.html

Authentication and Authorization Support.

Authentication with the NetScaler Insight Center virtual appliance can be local or external. With external authentication, NetScaler Insight Center grants user access on the basis of the response from an external server. It supports the following external authentication protocols:

-Remote Authentication Dial In User Service (RADIUS)

-Terminal Access Controller Access-Control System (TACACS)

-Lightweight Directory Access Protocol (LDAP)

Authorization through the NetScaler Insight Center virtual appliance is local. The virtual appliance supports two levels of authorization. Users with superuser privileges are allowed to perform any action. Users with readonly privileges are allowed to perform only read operations. The authorization of SSH users requires superuser privileges. Users with readonly privileges cannot log on through SSH.

For more information see, http://support.citrix.com/proddocs/topic/ni-10-5-map/ni-configuring-authentication-authorization-settings.html

HDX Insight reports now include details about session reconnects, client-side retransmissions, and server-side retransmissions.

The database cache functionality of NetScaler Insight Center stores database content locally in the cache and serves the content to users without accessing the database server.

For more information, see http://support.citrix.com/proddocs/topic/ni-10-5-map/ni-change-db-cache-settings.html.

In the dashboard, you can now select and rearrange the columns displayed in the tables. These changes persist across user sessions.

Data Record Log Settings

NetScaler Insight Center now supports data record logs, which provide detailed information about AppFlow records that NetScaler Insight Center collects from NetScaler ADCs.

For more information, see http://support.citrix.com/proddocs/topic/ni-10-5-map/ni-change-data-record-log-settings.html

NetScaler Insight Center adaptive threshold functionality dynamically sets the threshold value for the maximum number of hits on each URL.

For more information, see http://support.citrix.com/proddocs/topic/ni-10-5-map/ni-manage-threshold-tsk.html

EUEM Session Data on HDX Insight Reports

HDX Insight reports now displays EUEM session data, which indicates the availability of EUEM data when an EUEM channel is established between the client and the server.

The top-right corner of the page now displays a percentile icon, which you can click to display percentile values and the highest and lowest values for a selected metric.

NetScaler Insight Center can now dynamically set the threshold value for the maximum number of hits on each URL. For details, see http://support.citrix.com/proddocs/topic/ni-10-5-map/ni-manage-threshold-tsk.html

NetScaler Insight Center now facilitates efficient querying of its database.

For details on enabling this functionality, see http://support.citrix.com/proddocs/topic/ni-10-5-map/ni-change-db-index-settings.html

You can now enable NetScaler Insight Center to periodically remove the out-of-date content from its database. For details, see http://support.citrix.com/proddocs/topic/ni-10-5-map/ni-change-db-cleanup-settings.html

Cache Redirection Insight Support

NetScaler Insight Center now analyzes the traffic flowing through NetScaler ADC to cache servers and origin servers, and provides useful information about the cache performance, such as:

- Bandwidth saved while serving requests from the cache server instead of the origin server.

- Bandwidth consumed when requests bypassed the cache server and were served from the origin server.

- Number of times a URL was accessed from the cache server instead of the origin server.

For details on Cache Redirection Insight, see http://support.citrix.com/proddocs/topic/ni-10-5-map/ni-usecase-webinsight-cache.html.

NetScaler Insight Center now supports monitoring of CloudBridge 2000, 3000, 4000, and 5000 appliances. It analyzes the ICA traffic flowing through the CloudBridge appliances and generates HDX Insight performance reports. With this feature, datacenter administrators can gather information about traffic flowing between XenApp/XenDesktop clients and XenApp/XenDesktop servers.

You can now install NetScaler Insight Center on Microsoft Hyper-V version 6.2.

NetScaler Insight Center now displays reports for multi-stream ICA connections. All statistics that are maintained and reported for single-stream ICA connections are also displayed for multi-stream ICA connections.

No change in state of shut down NetScaler instance through appliance reboot

If any of the NetScaler VPX instances are in shutdown state, and an appliance reboot is carried out then the instances which were in the shut down state continue to be in the same state through the reboot process.

Change Management

You can now schedule Management Service to run NeSclaer configuration difference against a template and show appropriate reporting. Further, you can use the report on the Change Management page of Management Service to view whether there is any difference between the saved configuration and the running configuration of any instance. You can click on the chart to further drill down and view the list of instances, their running configuration, saved configuration, history of configuration changes, any difference between the configurations before and after an upgrade, and any difference between the running configurations and the configuration of the associated audit templates.

The Call Home feature monitors your NetScaler instances for common error conditions.

You can now configure, enable or disable the Call Home feature on NetScaler instances

from the Management Service user interface.

For more information, see http://support.citrix.com/proddocs/topic/sdx-administration-10-5-map/sdx-call-home-support-con.html

XenServer IP Address Support in Network Configuration Utility

Now you can use the network configuration utility to assign both the Management Service IP address as well as the XenServer IP address on a new appliance.

SSL certificates and keys for NetScaler instances

Enhanced usability achieved by providing separate view for SSL certificates and keys for NetScaler instances. A new node, SSL Certificate Files, on the Management Service interface allows you to upload and manage the SSL certificates and corresponding public and private key pairs that can be installed on NetScaler instances.

Management Service certificates can be managed from Configuration > Management Service > SSL Certificates Files and NetScaler certificates can be managed from "Configuration > NetScaler > SSL Certificate Files.

Provisioning Palo Alto VM-Series Instances on a NetScaler SDX Appliance

Palo Alto Networks VM-Series on Citrix NetScaler SDX enables consolidation of best-in-class security and ADC capabilities on a single platform, for secure, reliable access to applications by businesses, business units, and service-provider customers. The combination of VM-Series on Citrix NetScaler SDX also provides a complete, validated, security and ADC solution for Citrix XenApp and XenDesktop deployments.

You can provision, monitor, manage, and troubleshoot an instance from the Management Service.

Note: The total number of instances that you can provision on an SDX appliance depends on the license installed on the appliance.

For more information, see http://support.citrix.com/proddocs/topic/sdx-administration-10-5-map/sdx-ag-third-party-paloalto-con.html

Improved Dashboard

NetScaler SDX provides an improved Dashboard. The new Dashboard provides a compact and a better view of key parameters. The fields that are displayed in the Dashboard are not user configurable.

Provisioning support even when none of data ports are connected

When deployments are being set up, usually the interfaces are not connected. Management Service now allows provisioning of NetScaler instances on SDX with data ports as management interface even if they are down.

Security Enhancements on NetScaler SDX Appliance

NetScaler SDX appliance now supports a configuring a password policy and a user-lockout policy to provide security against hackers and password-cracking software.

The password policy enforces a user-specified minimum length and a minimum level of complexity. The password must have at least one uppercase, one lowercase, one numeric, and one special character. The user-lockout policy disables a user-account if an incorrect password is entered a specified number of times.

You can specify the time period (user lockout interval) for how long the user account remains disabled, after which the user account is enabled automatically.

Note: User lockout is disabled by default

Monitoring and Managing Real-Time Status of Entities Configured on NetScaler Devices

You can use NetScaler SDX to monitor and manage the states of virtual servers, services, service groups, and servers across the NetScaler virtual appliances hosted on SDX. You can monitor values, such as the health of a virtual server and the time elapsed since the last state change of a service or service group. This gives you visibility into the real-time status of the entities and makes management of these entities easy when you have a large number of entities configured on your NetScaler devices.

Wizard for Initial Configuration Setting in Management Service

You can use the Setup Wizard to complete all the first time configurations in a single flow. The wizard helps you in configuring network configuration details, system settings, changing the default administrative password, and manage and update licenses.

For more information, see http://support.citrix.com/proddocs/topic/sdx-administration-10-5-map/sdx-initial-setup-wizard-con.html

Console Access for NetScaler SDX Appliance

You can access the console of NetScaler instances, the Management Service, XenServer, and third party VMs from the Management Service interface. This is particularly helpful in debugging and troubleshooting the instances hosted on the NetScaler SDX appliance when the instance is not reachable over the network.

For more information, see http://support.citrix.com/proddocs/topic/sdx-administration-10-5-map/sdx-console-access-con.html

CLI Support for NetScaler SDX Appliance

You can now use the command line interface to perform operations on the Management Service. Add, Set, Delete, Do and Save commands are supported through command-line interface.

For more information, see http://support.citrix.com/proddocs/topic/sdx-administration-10-5-map/sdx-cli-support-svm-con.html

Authentication and Authorization Enhancements

With this release, the following authentication and authorization capabilities are supported for the Management Service on NetScaler SDX appliance:

- External authentication support for for the Management Service using RADIUS, TACACS,

or LDAP servers.

- Group extraction capability for LDAP and RADIUS authentication types.

- Authentication and authorization for requests through SSH. However, the authorization of

SSH users is limited to super-user privileges only.

- Audit logs for RADIUS and TACACS servers. You can enable audit logs by checking the

Accounting option while adding the RADIUS or TACACS server to the Management Service.

New inline wizard for provisioning NetScaler instances with simplified networking configuration steps

You can now use the new inline wizard to provision NetScaler instances from the Management Service. The networking configuration portion of the provisioning workflow has been simplified and streamlined for ease of use. To use the inline wizard, click Configuration > NetScaler > Instances and click Add to add a new instance or Edit to modify a highlighted instance.

LACP Statistics

You can now view the real time status and stats for the LACP channels configured on the SDX appliance from the Management Service. If you have added an LACP channel, you can view the LACP details by clicking on Configuration > System > Channels > LACP Details.

Management Service Statistics

A new gadget, Management Service Statistics has been introduced on the Dashboard to help you monitor the statistics such as Memory, CPU, and Disk usage, of Management Service on NetScaler SDX appliance.

Monitoring and Managing Events Generated on NetScaler Instances

The Events feature to monitor and manage the events generated on the NetScaler instances. The Management Service identifies events in real time, thereby helping you address issues immediately and keep the NetScaler instances running effectively. You can also configure event rules to filter the events generated and get notified to take actions on the filtered list of events.

When system sends any e-mail notification, it will contain host name along with IP address as sender.

You do not require a separate license file to set up a cluster on an SDX appliance. Clustering support will be provided with a valid SDX Platform License.

Jumbo Frame is supported on all data interfaces and channels on NetScaler SDX. Management interfaces are not included. For configuring Jumbo Frame, user has to change the MTU of channel or Interface from the Management Service. All the NetScaler virtual machines sharing this port will get the effective MTU. For third party virtual machines, user has to change the MTU explicitly from the virtual machine to make it effective.

NetScaler SDX supports provisioning and managing a new guest VM CA Access Gateway. For more information, see http://support.citrix.com/proddocs/topic/sdx-administration-10-5-map/sdx-ag-third-party-ca-siteminder-con.html

Netprofile Support for Link Load Balancing Configurations

You can now associate a netprofile with a link load balancing configuration. The NetScaler ADC then uses one of the IP addresses in the netprofile as the source address for outbound traffic related to the link load balancing configuration.

A netprofile can include a NetScaler owned IP address or an IP set, which is a set of NetScaler owned IP addresses. You can associate a netprofile with link load balancing virtual servers as well as with the bound services. A netprofile associated with a link load balancing virtual server always take precedence over netprofiles associated with the bound services.

For more information on netprofiles, http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-5-map/ns-lb-clienttraffic-usespecifiedsrcip-tsk.html.

The NetScaler ADC now supports the industry standard (EEE 802.1AB) Link Layer Discovery Protocol (LLDP). LLDP is a layer 2 protocol that enables the NetScaler ADC to advertise its identity and capabilities to the directly connected devices, and also learn the identity and capabilities of these neighbour devices.

Using LLDP, the NetScaler ADC transmits and receives information in the form of LLDP messages known as LLDP packet data units (LLDPDUs). An LLDPDU is a sequence of type, length, value (TLV) information elements. Each TLV holds a specific type of information about the device that transmits the LLDPDU. The NetScaler ADC sends the following TLVs in each LLDPDU:

* Chassis ID

* Port ID

* Time-to-live value

* System name

* System description

* Port description

* System capabilities

* Management address

* Port VLAN ID

* Link aggregation

Note: You cannot specify the TLVs to be sent in LLDP messages.

For more information, see http://support.citrix.com/proddocs/topic/ns-system-10-5-map/ns-nw-config-llayer-dics-protocol-tsk.html.

Configuring Link Redundancy by using LACP channels

Link Redundancy by using LACP channels enables the NetScaler appliance to logically create sub channels from a LACP channel where one of the sub channel is active and the remaining sub channels stay in standby mode. If the active sub channel fails or does not meet a minimum threshold throughput, one of the standby sub channel takes over and becomes active.

The NetScaler appliance forms a sub channels from links that are part of the LACP channel and are connected to a particular device. For example, for a LACP channel with four interfaces on a NetScaler appliance, where two of the interface is connected to device A, and the other two interfaces are connected to device B, then the NetScaler appliance logically creates two sub channels, one sub channel with two links to device A, and the other sub channel with the remaining two links to device B.

The lrMinThroughput parameter is introduced for configuring link redundancy for a LACP channel. This parameter specifies the minimum throughput threshold to be met by the active sub channel of a LACP channel. When the throughput of the active channel falls below the lrMinThroughput , link failover occurs and one of the standby sub channels becomes active.

For example, set channel la/1 -lrMinThroughput 2000

Link redundancy for a LACP channel is disabled, which is also the default setting, when you set the lrMinThroughput parameter of the LACP channel to zero or when you unset this parameter.

Note: In an HA configuration, if you want to configure throughput (throughput parameter) based HA failover and link redundancy ( lrMinThroughput parameter) on a LACP channel, you must set a lesser or equal value to the throughput parameter as compared to the lrMinThroughput parameter.

For example, set channel la/1 throughput 2000 -lrMinThroughput 2000

HA failover does not occur if any of the sub channels meets the lrMinThroughput parameter value even when the total throughput of the LACP channel does not meet the throughput parameter value.

HA failover occurs only when the entire sub channels of the LACP channel does not meet the lrMinThroughput parameter value and the total throughput of the LACP channel does not meet the throughput parameter value.

For more information, see http://support.citrix.com/proddocs/topic/ns-system-10-5-map/ns-nw-config-lr-lacp-tsk.html.

Increased Number of Interfaces for Link Aggregation Channels

You can now bind up to 16 interfaces to a link aggregation channel. The channel can be either static or LACP.

Support for VXLANs

Now the NetScaler ADC supports Virtual eXtensiable Local Area Network (VXLANs). A VXLAN is an overlay solution that creates layer 2 overlay networks over layer 3 infrastructure by encapsulating Layer-2 frames in UDP packets. Each VXLAN is identified by a unique 24-bit identifier called the VXLAN Network Identifier (VNI). Only network devices within the same VXLAN can communicate with each other.

ZebOS API Access

With a new configuration object, router DynamicRouting, you can use NITRO APIs to configure dynamic routing protocols on a NetScaler appliance.

The ZebOS dynamic routing software package has been upgraded to version 7.10.2.

NetScaler MPX appliances support receiving and transmitting jumbo frames containing up to 9216 bytes of IP data. Jumbo frames can transfer large files more efficiently than it is possible with the standard IP MTU size of 1500 bytes.

A NetScaler MPX appliance can use jumbo frames in the following deployment scenarios:

- Jumbo to Jumbo. The appliance receives data as jumbo frames and sends it as jumbo frames.

- Non-Jumbo to Jumbo. The appliance receives data as regular frames and sends it as jumbo frames.

- Jumbo to Non-Jumbo. The appliance receives data as jumbo frames and sends it as regular frames.

The NetScaler appliance supports jumbo frames in a load balancing configuration for the following protocols:

- TCP

- Any protocol over TCP (for example, HTTP)

- SIP

- Radius

-TFTP

For more information, see http://support.citrix.com/proddocs/topic/ns-system-10-5-map/ns-nw-jf-overview-con.html.

IPv6 Forwarding Session Rules

Now, you can create forwarding session rules for IPv6 traffic. By default, the NetScaler appliance does not create session entries for traffic that it only forwards (L3 mode). For a case in which a client request that the appliance forwards to a server results in a response that has to return by the same path, you can create a forwarding-session rule. A forwarding-session rule creates forwardingsession entries for traffic that originates from or is destined for a particular network and is forwarded by the NetScaler appliance.

When configuring an IPv6 forwarding-session rule, you can specify either an IPv6 prefix or an ACL6 as the condition for identifying IPv6 traffic for which the forwarding-session entry to be created:

- Using an IPv6 prefix . When you specify an IPv6 prefix, the appliance creates forwarding sessions for those IPv6 traffic that are sourced from networks that matches the IPv6 prefix.

- Using an ACL6 rule . When you use an ACL6 rule, the appliance creates forwarding sessions for those IPv6 traffic that match the conditions specified in the ACL6 rule.

Note: When the appliance is configured as a high availability node, Connection Failover for synchronizing IPv6 forwarding session entries with the secondary node is not supported.

For more information, see http://support.citrix.com/proddocs/topic/ns-system-10-5-map/ns-nw-interfaces-confrng-fwd-sessions-tsk.html.

Support for Inter Traffic Domain Entity Bindings

You can now bind services in one traffic domain to a virtual server in another traffic domain. All the services to be bound to a virtual server in a different traffic domain must reside in the same traffic domain.

There is no command or parameter introduced for this support. You configure this support by using the existing bind lb vserver command or the related configuration utility procedure. This capability can facilitate interaction between different traffic domains. In an enterprise, servers can be grouped in different traffic domains. Virtual servers are created in a traffic domain that faces the internet. A virtual server from this traffic domain can be configured to load balance servers in another traffic domain. This virtual server receives connection requests from the Internet to be forwarded to the bound servers.

For more information, see http://support.citrix.com/proddocs/topic/ns-system-10-5-map/ns-nw-supp-traff-enty-tsk.html.

A parameter Source IP Persistency has been introduced in RNAT rules and Netprofiles:

Source IP Persistency for RNAT Sessions

The source IP persistency of a RNAT rule enables the NetScaler ADC to use the same NAT IP address for all RNAT sessions initiated from a particular server.

Source IP Persistency for NetProfiles

The source IP persistency of a netprofile associated with a virtual server or service enables the NetScaler ADC to use the same address, specified in the net profile, for all sessions initiated from a particular client.

VMAC Based Traffic Domains

You can now associate a traffic domain with a VMAC address instead of with VLANs. The NetScaler ADC then sends the traffic domain's VMAC address in all responses to ARP queries for network entities in that domain. As a result, the ADC can segregate subsequent incoming traffic for different traffic domains on the basis of the destination MAC address. The NetScaler ADC identifies traffic for a traffic domain if it is destined to the same VMAC address that is associated with the traffic domain.

For more information, see http://support.citrix.com/proddocs/topic/ns-system-10-5-map/nw-td-vmac-traffic-domain-intro-tsk.html.

vPath feature is available for all the NetScaler platforms from version 10.5 Build 52.11 onwards. To use this feature no special license file is required. For more information on vPath, see http://support.citrix.com/proddocs/topic/netscaler-vpx-10-5/ns-vpath-con.html

The CloudBridge connector feature now supports establishment of Phase-2/IPsec SA (Security Association) between a NetScaler ADC and AWS gateway when AWS sends traffic selectors with IP address 0.0.0.0.

Front End Optimization Support

The NetScaler ADC now supports the front end optimization feature, which reduces the load time and render time of web pages by simplifying and optimizing the content to be served to the client browser.

This feature optimizes HTML content, and the cascading style sheets (CSS), JavaScript, and images that are embedded in the HTML content.

For details, see http://support.citrix.com/proddocs/topic/ns-optimization-10-5-map/ns-feo-con.html.

Release 10.5 51.x is now supported on the MPX 22040/22060/22080/22100/22120 platform, but a LOM firmware upgrade is required.

Variable Support for Policies

Policy variables are named objects that can hold one or more values that can be set and modified at runtime. The concept of variables is essentially the same as in programming languages. Variable values can be of two types:

- ulong (a 64-bit unsigned integer, with values from 0 to 2^64-1)

- text (a sequence of bytes with a configured maximum length).

Additionally, there are two variable types:

- Singletons variables hold one ulong or text value.

- Maps hold one or more entries, each entry having a text key and a ulong or text value. The key can be used to find the value. In a map, more than one map entry may have the same value, but each map entry must have a different key.

For more information, see http://support.citrix.com/proddocs/topic/ns-main-appexpert-10-5-map/ns-pol-variable-con.html.

The Responder feature now supports the Diameter protocol.

A number of NetScaler expressions have been added that enable the user to examine the header and the attribute-value pairs (AVPs) in a diameter packet. These expressions enable the user to look up AVPs by index, ID, or name, examine the information in the AVP, and send a response based on that information.

Embedded Expressions in Responder Responses

You can now add Netscaler expressions with default syntax to HTML pages that are used with responder actions of the respondWithHtmlpage type. Any expression that is supported for use in a respondWith response can be used in a respondWithHTMLPage response. To embed expressions in HTML pages simply surround the expressions with "${" and "}". This functionality enables you to include information about the request that generated the Responder action in the response.

The Rewrite feature now supports the Diameter protocol.

A number of NetScaler expressions have been added that enable the user to examine the header and the attribute-value pairs (AVPs) in a diameter packet. These expressions enable the user to look up AVPs by index, ID, or name, examine the information in the AVP, and replace/insert/delete AVPs if necessary.

Support for Common Name Check during Server Authentication

In end-to-end encryption with server authentication enabled, you can include a common name in the configuration of an SSL service or service group. The name that you specify is compared to the common name in the server certificate during an SSL handshake. If the two names match, the handshake is successful. This configuration is especially useful if there are, for example, two servers behind a firewall and one of the servers spoofs the identity of the other. If the common name is not checked, a certificate presented by either server is accepted if the IP address matches.

For more information, see http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-5-map/ns-ssl-config-common-name-for-cert-tsk.html

Setting the Limit for Disabled SSL Chips

You can now set a limit to the number of disabled SSL chips after which the appliance restarts.

At the command prompt, type:

> set ssl parameter -cryptodevDisableLimit <positive_integer>

A chip is marked disabled after the third failed reinitialization attempt.

SSL Renegotiation

SSL renegotiation is now blocked by default. In earlier releases, the default setting was to allow SSL renegotiation.

SSL Certificate Chain

As part of the SSL handshake, when a client requests a certificate, the NetScaler ADC presents a certificate and the chain of issuer certificates that are present on the ADC. An administrator can view the certificate chain for the certificates present on the ADC and install any missing certificates.

For more information, see http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-5-map/ns-ssl-display-cert-chain-tsk.html

Creating an SSL Profile

You can use an SSL profile to specify how a NetScaler appliance processes SSL traffic. The profile is a collection of SSL parameter settings for SSL entities, such as virtual servers, services, and service groups, and offers ease of configuration and flexibility. Previously, you could specify only one set of global parameters. Now, you can create multiple sets (profiles) of global parameters and assign different sets to different SSL entities. SSL profiles are classified into two categories:

-Front end profiles, containing parameters applicable to the front-end entity. That is, they apply to the entity that receives requests from a client. For example, an SSL virtual server.

-Backend profiles, containing parameters applicable to the back-end entity. That is, they apply to the entity that sends client requests to a server. For example, an SSL service.

For more information, see http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-5-map/ns-ssl-profiles-tsk.html

Importing SSL Resources from Remote Hosts

The NetScaler appliance now supports importing SSL resources, such as certificates, private keys, CRLs, and DH keys, from remote hosts even if FTP access to these hosts is not available. This is especially helpful in environments where shell access to the remote host is restricted.

For more information, see http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-5-map/ns-ssl-importing-ssl-files-from-remote-hosts-tsk.html

Support for DTLS Protocol

The NetScaler ADC now supports DTLS protocol to secure UDP traffic. The DTLS protocol (RFC 4347), can be used to secure UDP applications such as media streaming, VOIP, and online gaming for communication.

For more information, see http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-5-map/ns-ssl-config-dtls-server-tsk.html

Sending an SSLv2 Compliant Client Hello Message

As part of the SSL handshake with the server, the NetScaler appliance now sends a Client Hello message based on the version (for example SSLv3 or TLS1.0) that is configured on the appliance. Earlier, it sent an SSLv2 compliant Client Hello message to the server.

Support for ECDHE Ciphers

The Citrix NetScaler MPX 11515/11520/11530/11540/11542 appliances and the VPX virtual appliance now support the ECDHE cipher group. On the SDX 11515/11520/11530/11540/11542 appliances, the cipher group is supported only if an SSL chip is assigned to a VPX instance. This group contains the following ciphers:

- TLS1-ECDHE-RSA-RC4-SHA

- TLS1-ECDHE-RSA-DES-CBC3-SHA

- TLS1-ECDHE-RSA-AES128-SHA

- TLS1-ECDHE-RSA-AES256-SHA

Because of its smaller key size, Elliptic Curve Cryptography (ECC) is especially useful in a mobile (wireless) environment and in an interactive voice response environment, where every millisecond is important. Smaller key sizes result in power, memory, bandwidth, and computational cost savings.

The following ECC curves are supported:

- P_256

- P_384

- P_224

- P_521

By default all four curves are bound to an SSL virtual server.

For more information, see http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-5-map/ns-ssl-config-ecdhe-ciphers-tsk.html

Display HSM Model Number

The output of the "show fips" command now displays the HSM model number as shown below. This is especially helpful if you are conducting an audit of the FIPS card in a NetScaler appliance and cannot open the appliance without voiding the warranty.

> sh fips

FIPS HSM Info:

HSM Label : NetScaler FIPS

Initialization : FIPS-140-2 Level-2

HSM Serial Number : 2.1G1037-IC000253

HSM State : 2

HSM Model : NITROX XL CN1620-NFBE

Hardware Version : 2.0-G

Firmware Version : 1.1

Firmware Release Date : Jun04,2010

Max FIPS Key Memory : 3996

Free FIPS Key Memory : 3994

Total SRAM Memory : 467348

Free SRAM Memory : 62580

Total Crypto Cores : 3

Enabled Crypto Cores : 3

Done

Support for additional ciphers with TLS protocol version 1.2

Twelve new ciphers are supported with TLS protocol version 1.2 on all MPX platforms, and on SDX platforms if an SSL chip is assigned to the instance when you provision it.

1) Cipher Name: TLS1.2-AES128-GCM-SHA256

Description: TLSv1.2 Kx=RSA Au=RSA Enc=AES-GCM(128) Mac=SHA-256

2) Cipher Name: TLS1.2-AES256-GCM-SHA384

Description: TLSv1.2 Kx=RSA Au=RSA Enc=AES-GCM(256) Mac=SHA-384

3) Cipher Name: TLS1.2-DHE-RSA-AES128-GCM-SHA256

Description: TLSv1.2 Kx=DH Au=RSA Enc=AES-GCM(128) Mac=SHA-256

4) Cipher Name: TLS1.2-DHE-RSA-AES256-GCM-SHA384

Description: TLSv1.2 Kx=DH Au=RSA Enc=AES-GCM(256) Mac=SHA-384

5) Cipher Name: TLS1.2-ECDHE-RSA-AES128-GCM-SHA256

Description: TLSv1.2 Kx=ECC-DHE Au=RSA Enc=AES-GCM(128) Mac=SHA-256

6) Cipher Name: TLS1.2-ECDHE-RSA-AES256-GCM-SHA384

Description: TLSv1.2 Kx=ECC-DHE Au=RSA Enc=AES-GCM(256) Mac=SHA-384

7) Cipher Name: TLS1.2-ECDHE-RSA-AES-128-SHA256

Description: TLSv1.2 Kx=ECC-DHE Au=RSA Enc=AES(128) Mac=SHA-256

8) Cipher Name: TLS1.2-ECDHE-RSA-AES-256-SHA384

Description: TLSv1.2 Kx=ECC-DHE Au=RSA Enc=AES(256) Mac=SHA-384

9) Cipher Name: TLS1.2-AES-256-SHA256

Description: TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA-256

10) Cipher Name: TLS1.2-AES-128-SHA256

Description: TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA-256

11) Cipher Name: TLS1.2-DHE-RSA-AES-128-SHA256

Description: TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA-256

12) Cipher Name: TLS1.2-DHE-RSA-AES-256-SHA256

Description: TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA-256

Restrict Interface-level System Session Timeout

The system session timeout for a specific NetScaler interface (GUI, CLI, API) is now restricted to the timeout value that the administrator has configured for the user that is accessing the interface. For example, let us consider an user "publicadmin" who has a timeout value of 20 minutes. Now, when accessing an interface, the user must specify a timeout value that is within 20 minutes.

For more information, see http://support.citrix.com/proddocs/topic/ns-system-10-5-map/ns-sys-session-timeout-tsk.html.

Explicit Congestion Notification (ECN)

The NetScaler appliance now supports ECN, which sends notification of network congestion state to the sender and takes corrective measures for data congestion or data corruption. When ECN is enabled, the NetScaler automatically differentiates between corruption loss and congestion loss. The NetScaler implementation of ECN is RFC 3168 compliant.

ECN must be enabled on the TCP profile to which you want it to apply.

To enable ECN using the CLI:

> add ns tcpProfile <name> -ecn ENABLED

TCP Timestamp based on RFC 1323

The NetScaler now provides the TCP timestamp as detailed in RFC 1323. Using this timestamp, the NetScaler can provide the Round Trip Time Measurement (RTTM). For this option to work, at least one side of the connection (client or server) must support it.

SNMP Trap for Port Allocation Failures

NetScaler ADC sends SNMP trap when port allocation fails on the NetScaler. The following SNMP OID is added: dstip (1.3.6.1.4.1.5951.1.1.0.143)

SNMP V3 Support for Traps

Trap class, destination along with version will now act as unique identifier for a trap destination. This will allow configuration of same destination with different versions. All commands will take version V2 as default value. Set and Unset commands can no longer change version.

Application Layer Protocol Negotiation (ALPN) Extension support

The NetScaler now supports the APLN extension for negotiating the SPDY protocol over SSL/TLS. The use of ALPN provides higher rate of TPS performance on the NetScaler. APLN replaces the previous method of NPN (Next Protocol Negotiation).

NetScaler now supports BIC and CUBIC TCP congestion control algorithms.

MPTCP Enhancements

The NetScaler now supports the following MPTCP enhancements:

- One RTT subflow setup

- Long-lived MPTCP sessions

- MPTCP fast open

SPDY v3 Support

The NetScaler appliance now supports SPDY v3 with Application Layer Protocol Negotiation (ALPN).

NetScaler support for D-SACK AND F-RTO

The NetScaler appliance can now detect spurious re-transmissions by using TCP duplicate selective acknowledgement (D-SACK) and Forward RTO-Recovery (F-RTO). In case of spurious re-transmissions, the congestion control configurations are reverted to their original state. The NetScaler implementation of D-SACK is RFC 2883 compliant and F-RTO is RFC 5682 compliant.

D-SACK and F-RTO must be enabled on the TCP profile to which you want it to apply.

To enable these settings by using the CLI:

> add ns tcpProfile <name> -dsack ENABLED -frto ENABLED

Differentiated services code point (DSCP) Support

The NetScaler ADC can now retain and forward received DSCP code in end-point mode. This capability supports end-to-end quality of service (QOS) checks for load balanced traffic.

When the configured external authentication server is not available, the NetScaler can be configured to allow local user access to perform administrative tasks. To enable this function, enable the "localAuth" parameter of the "set system parameter" command.

Features Supported in Traffic Domains

The following NetScaler features are now supported in all traffic domains configured on a NetScaler appliance:

* RNAT6

* IPv4 and IPv6 Forwarding Sessions

* NAT64

* NAT46

You can use the new Traffic Domain (TD) parameter to specify or identify a traffic domain in commands and GUI elements related to these features.

For more information, see http://support.citrix.com/proddocs/topic/ns-system-10-5-map/nw-td-supportd-unsupportd-ns-featurs-con.html.

You can now configure rate limiting for traffic domains. The following expression has been added to the NetScaler expressions language for identifying traffic associated with traffic domains.

client.traffic_domain.id

You can configure rate limiting for traffic associated with a particular traffic domain, a set of traffic domains, or all traffic domains.

For more information, see http://support.citrix.com/proddocs/topic/ns-main-appexpert-10-5-map/ns-nw-ratelimit-td-con.html.

To unlock an external user account, you must first add that user to the NetScaler ADC, and then run the "unlock aaa user <user name>" command.

In forms-based single sign-on (SSO), if the designated response size is 0, the NetScaler ADC does not search for the complete response, as it normally would for responses with sizes above 0. It therefore fails to find the login form, and forms-based SSO authentication fails.

When AAA is configured to authenticate users to a Microsoft Sharepoint 2013 server by using NTLM, the user might be prompted to retype his or her credentials even though the user entered those credentials correctly. After the user retypes the credentials, he or she is logged on successfully. The issue is that initially the NetScaler ADC sends an incorrect domain to Sharepoint.

AAA now supports SAML HTTP Redirect bindings. These bindings include an HTTP Refresh command and target URL as a base64-encoded SAMLResponse query string parameter in a SAML HTTP GET response.

If the hostname that sends an incoming request does not match the domain configured on the authentication virtual server, the NetScaler ADC returns an HTTP 500 error. As a workaround, configure an authentication profile and include the hostname.

The AAA-TM SAML service provider (SP) now includes a parameter indicating the trust level assigned to a user authentication request in SAML redirects to the identity provider (IDP). This information enables the IDP to request appropriate authentication credentials.

Occasionally a AAA-TM session on one core of an nCore or cluster ADC is not duplicated to other cores. When this condition occurs, counters do not include the session, which causes monitoring and statistics displays to show incorrect information.

The NetScaler ADC no longer sets the NSC_TMAA session cookie during a secure load balancing virtual server session.

The NetScaler SAML service provider (SP) feature now supports SiteMinder.

The NetScaler AAA SAML service provider (SP) does not send a SAML logout message to the SAML identity provider (IdP), so users who log onto SAML are unable to log off.

In the NetScaler configuration utility, filtering the active AAA sessions does not work if the filtering is based on Intranet IP addresses. All active AAA sessions are shown, regardless of IP address. With this fix, the configuration utility successfully displays only the AAA sessions active at the IP addresses that you specify.

The NetScaler SAMLIDP now offers 16 SAML attributes. Four options are available for configuring each of these attributes to include attribute name, attribute value, attribute friendly name, and attribute URI specification. You can use the Citrix default syntax expressions to set the attribute values.

If, after successful completion of the single factor authentication, the user attempts to access a resource that requires a higher level (level 2) authentication, in some load balancing topologies, the NetScaler ADC might,respond with a generic 404 message. With this fix, if the initial user authentication used single factor authentication, the ADC sends a logon page to prompt the user to again provide credentials for level 2 authentication.

As part of enhancement for Office365 integration, the NetScaler SAML IDP now sends Destination, SubjectConfirmationData, InResponseTo, and a Conditions section with an Audience field in the SAML Response.

The NetScaler ADC now offers the ability to configure 16 attributes in an LDAP action. These attributes are sent to the Active Directory (AD) during a user search. These values are extracted and stored. During the user session, they can be invoked/referenced in PI expressions.

The NetScaler ADC does not handle an authentication request if the incoming base64 decoded kerberos ticket is more than 10 kilobytes. This fix increases the buffer-size limit to accommodate tickets of up to 65 kilobytes.

The NetScaler crashes due to an issue in hash calculation and comparison of the action analytics records. The crash is observed when the NetScaler receives URLs that differ only in case.

Examples:

http://10.217.6.239/TesT/

http://10.217.6.239/TEST/

http://10.217.6.239/TEsT/

http://10.217.6.239/TeST/

Note post fix:

Stream analytics record creation will be case sensitive. For example, WWW.GOOGLE.COM and www.google.com will result in two seperate records.

If this is not desired, stream selector results should be converted to one case. Example:

add stream selector sel1 HTTP.REQ.hostname.to_lower

If you delete an appflow action, the NetScaler ADC might fail.

On a NetScaler ADC that has the application firewall enabled and the Learning feature enabled for one or more security checks, the Learning module might become unresponsive. When this happens, no additional learning takes place and no recommendations for new relaxations or rules are generated.

If you update default signatures on the primary NetScaler ADC in an HA pair, you cannot sync the updated signatures to the secondary ADC.

If the application firewall receives a multipart POST request with a Content-Type header that contains a charset, it blocks that request as malformed.

If you use the configuration utility to make changes to the HTML Cross-Site Scripting check, Allowed/Denied patterns, the application firewall becomes unresponsive after the first POST request it receives after you save your changes. (The Allowed/Denied patterns are accessed through the Modify Signature dialog box.) If you use the command line to make the same changes, no problems occur.

The application firewall parses multipart forms correctly according to the appropriate RFC.

If CEF logging is turned on, only the format of application firewall log messages is expected to change, but the format of other logs is also affected, causing problem with their display. With this fix, turning on the application firewall CEF logging does not modify the format or display of other logs.

If a response contains href links that include query parameters, the NetScaler application firewall triggers false positives for CSRF and form field consistency violations if these links are accessed. With this fix, if CSRF or Field Consistency checks are enabled, the URLs in the hrefs are added to the URL Closure table even if startURL Closure is not enabled.

If a NetScaler ADC receives a request for an object that it cached before the application firewall configuration was modified to add any advanced security check protection, the ADC responds with HTTP Error 503 for subsequent requests to access this cached object, because the object does not contain the expected application firewall metadata. With this fix, the existing cached objects without the required metadata are considered stale and are flushed. The request is served from the origin server and the cache is updated with refreshed data.

Signature Bindings Not Shown in PCI-DSS Report

The Application Firewall PCI-DSS report does not display signature bindings. The Profile Settings section of the report shows bound signatures as "Not Set".

NetScaler Application Firewall Default Signature object now has rules that can be enabled to protect against Shellshock vulnerability (CVE-2014-6271, CVE-2014-7169) which could allow arbitrary code execution.

The NetScaler ADC might fail if a transaction is aborted before the application firewall completes processing the request.

The application firewall PCI-DSS report does not contain information about the "SQLInjectionCheckSQLWildChars" parameter.

An invalid HTTP request received on a cache redirection virtual server configured on the NetScaler ADC is sent to the cache server. This results in errors and degraded performance.

With the fix, invalid HTTP requests are redirected to the origin server instead of the cache server.

Applying multiple ACL rules causes excessive consumption of CPU cycles. As a result, the NetScaler ADC might become unresponsive.

Traffic latency might be greater than 100 milliseconds in a CloudBridge connector tunnel between two NetScaler appliances.

In a CloudBridge connector tunnel between two NetScaler appliances, encrypted IPSec packets might get re-segmented, causing the NetScaler to become unresponsive.

The command line interface fails when a non-nsroot user without superuser permission executes the "show techsupport" command from the command line interface.

The rbaOnResponse system parameter fails to work after you upgrade NetScaler ADC nCore or nCore VPX from version 9.3 to 10.x.

Java Runtime Environment (JRE) does not work on Internet Explorer version 10.

The "STA Auth ID" property is not shown along with the details of the STA Server.

The NetScaler graphical user interface (GUI) has been enhanced to provide a better user interaction experience. It now provides you with a workflow-based experience, which guides you through the entire configuration. The configuration settings have been classified as basic and advanced for some features. The NetScaler ADC configuration utility and NetScaler Gateway configuration utility has also been reimplemented in HTML. As a result of these enhancements, the GUI does not display pop-up dialog boxes for most features and you no longer need Java Runtime Environment (JRE) to access these features through the GUI.

For more information, see http://support.citrix.com/proddocs/topic/ns-rn-main-release-10-5-map/ns-rn-changes-gui-10-5-con.html

When using the XenApp/XenDesktop wizard, when you click on "Getting Started", you get an error message that says that you need a AAA license. Therefore, you cannot proceed with the wizard. In an ideal case, the AAA license is not needed when using the wizard.

In the configuration utility, you cannot apply an SSL profile to an SSL VPN virtual server.

Some usability issues while configuring content switching by using the NetScaler configuration utility.

The "XenApp and XenDesktop" wizard is not available in the configuration utility when the appliance is a part of a cluster.

When configuring a Web Interface on NetScaler (WIonNS) site by using the configuration utility, you cannot modify the NetScaler Gateway URL if the SSL certificate that is bound to the VPN virtual server is a wildcard (has an *).

After installing Java, if you disable Java on the Java Control Panel, the graphical user interface (GUI) applet remains blank.

Workaround: Be sure to enable Java on the control panel.

The configuration utility might display an error message while adding IPv6 routes in non-default traffic domains.

If you have configured Mobile Device Manager by using the XenMobile wizard in release 10.1.e build, and then upgraded to release 10.5, the service configuration does not appear in the configuration utility.

Workaround: Rename the two MDM virtual servers by adding "_MDM_" at the beginning. For example, rename _XM_ABC_192.168.1.1_443 to _XM_MDM_ABC_192.168.1.1_443.

The default value for packet count is 45, and the default Encryption Trigger Timeout is 1 ms, but the configuration utility displays both values, incorrectly, as 0.

The configuration utility displays the "Resource already exists" error if you configure a content switching virtual server with the IP address 10.69.129.128.

A NetScaler ADC displays a Java error if you access it by using an sshd connection.

To display the newly added HTML imports, you have to refresh the page on the browser.

The IP Bindings tab on the Create VLAN and Configure VLAN pages does not display IP addresses that are in the same subnet as the management IP (NSIP) address.

After the first reboot of a cluster setup that has large configurations, the NetScaler ADC takes more time to load those configurations and to log you on.

If you configure a NetScaler Gateway wizard, and you upload a certificate that does not belong to the current chain, the configuration utility does not display any warning message.

The configuration utility displays the "Resource already exists" error if you configure a content switching virtual server with the IP address 10.69.129.128 .

Workaround: Configure the content switching virtual server with a different IP address.

Statistics do not appear correctly for a DNS load balancing virtual server.

If the number of records in a DNS response for a domain exceeds the Netscaler ADC limit, or if one of the records in the response contains invalid data, the NetScaler ADC does not cache the response. As a result, DNS resolution using NetScaler nameserver entities fails.

The DNS cache entries are not flushed if the DNS caching feature has been disabled for approximately 250 days.

If a server sends a NODATA response that has CNAME record in the answer section and no records in the authoritative and additional sections, the response is marked for CNAME caching on the NetScaler ADC, because it is incorrectly assumed to be a referral response. As a result, the ADC sends a blank response to subsequent queries, of any query type, for the canonical name.

When a NetScaler ADC is deployed as a DNS server with caching enabled, and "flush dns proxyRecords" is used when the ADC is serving a large volume of traffic and has a large number of records in its cache, the ADC might fail.

If, while adding a DNS record (such as addrec and nsrec) from the GUI or by using the NITRO API, you specify the TTL value as 3600, the value of the minimum TTL of the SOA record is used instead.

Workaround: Use the corresponding CLI command to add the DNS record.

If a GSLB domain is queried through VPN, NetScaler fails.This issue is fixed in this release.

In rare cases, high management-CPU usage occurs and a large number of error messages appear in the log file. As a result, queries to the location database might fail, and the backup load balancing method is used for site load balancing.

Configuring a hash based backup load balancing method on a GSLB virtual server might cause the NetScaler ADC to fail if traffic triggers the backup method.

If you change the GSLB configuration while the GSLB feature is disabled, the NetScaler ADC might process some stale messages when you enable the feature. As a result, the ADC might dump core and restart.

With integrated caching enabled, the NetScaler can crash when the evaluation of a callout 'result expression' (configured with the resultExpr parameter) results in a UNDEF condition.

When a byte-range request is sent for an object, and if that object is expired, a request is sent to the server to revalidate the object. If that object is now modified on the server, the full response is served to the NetScaler. In such a scenario, the NetScaler appliance can crash.

The NetScaler ADC fails if both the following conditions are met:

- a large number of SIP messages are received.

- the size of the SIP messages is greater than the jumbo MTU configured on the ADC.

If the secure option is enabled on a CITRIX-WI-EXTENDED monitor that is bound to a service, then the monitor incorrectly marks the monitor probes as failed.

If you have configured the RADIUS PI expression CLIENT.UDP.RADIUS.ATTR_TYPE(<avp code>) for content switching, rule-based persistency, or the token load balancing method, and you typecast the result of this expression to an integer or IP address by using the expression TYPECAST_NUM_AT / TYPECAST_IP_ADDRESS_AT, the typecast operation fails.

If a client connection is in the CLOSE_WAIT state, the NetScaler ADC does not send PUSH notifications to the client. However, it reports success to the PUSH server.

You can now bind loopback members (for example 127.0.0.1) to service groups. Previously, you could bind loopback members to services only.

If a semantically incorrect command is entered while a domain based service is being resolved to a NetScaler-owned IP address, the NetScaler ADC displays the state of the service incorrectly.

A very slow memory leak occurs on the secondary node in a high availability pair if all of the following conditions are met:

a) The configuration is large (approximately 4MB).

b) The configuration includes a large number of "bind lb group" commands.

c) Configuration changes very frequently, resulting in frequent synchronization.

The NetScaler Gateway wizard creates a VPN virtual server with the default authorization set to Deny. When users connect to the VPN virtual server, they cannot access internal network resources. To allow users to connect, set authorization to Allow.

In a high availability deployment, when users log on with SAML authentication, the secondary appliance fails over.

If the authentication server is extremely slow to respond, such as 15-30 seconds or more, this can cause delays with users logging on successfully, even if the amount of simultaneous connections is low.

If the maximum number of users is set to a number greater than 5 on a NetScaler Gateway virtual server, if you remove the Universal license, the virtual server configuration is also removed.

When there are a very large number of simultaneous user authentication requests and the authentication server is slow to respond, Netscaler Gateway can fail.

In new NetScaler 10.5 Build 50.9 deployments or after upgrading to NetScaler 10.5 Build 50.9, the priority value of policies that are bound to a VPN virtual server are lost. This issue is fixed in NetScaler 10.5 Build 50.10.

Attempts to end the session for an external user fails when you enter the command kill aaa session -username <username>.

When there are a very large number of simultaneous user authentication requests and the authentication server is slow to respond, NetScaler Gateway can fail.

If you configure a traffic management policy to enable single sign-on to Outlook Web App 2010, enable local authentication on the load balancing virtual server and then change to two-factor authentication with client certificate authentication and LDAP authentication, NetScaler Gateway fails when trying to access the load balancing server.

If Kerberos uses x.509 certificates (PKINIT) for single sign-on, NetScaler Gateway fails to obtain tickets if the Key Distribution Center (KDC) returns a realm referral. This can cause the NetScaler Gateway appliance to fail.

If user names contain a period (.) that have a common prefix before the period, NetScaler Gateway creates cache files based on the prefix. When this occurs, tickets for one user are sent to a different user.

If you configure SAML authentication with signed SAML assertions, if the user connection disconnects before the SAML response is normalized, NetScaler Gateway fails.

If you configure endpoint analysis policies, if the session times out and users do not close the web browser, they cannot log on again.

On Windows-based devices, there are two new registry entries for NetScaler Gateway that override Citrix Receiver for Windows behavior. The new registry entries specify the following:

- Enable or disable client cleanup on the user device when Receiver is also running.

- Show or hide the NetScaler Gateway Plug-in icon even if it is integrated with Receiver.

To enable client cleanup:

Note: Enable client cleanup on NetScaler Gateway and then set the registry entry on the user device.

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Secure Access Client

Name: AllowCleanup

Type: REG_DWORD

Data: 1

To show the NetScaler Gateway Plug-in icon:

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Secure Access Client

Name: DisableIconHide

Type: REG_DWORD

Data: 1

Showing active user sessions in the configuration utility or by using the command line might result in high CPU utilization on NetScaler Gateway.

When users connect with clientless access, the appliance fails if the last octet of the IP address of the server in the internal network is equal to or greater than 240.

If ICA proxy is set to On and you configure authorization policies, when users attempt to connect, NetScaler Gateway modifies the host header to the FQDN of the Web Interface or StoreFront server. When this occurs, user log on fails with the message "Error: Not a privileged user."

If you configure load balancing virtual servers and the Secure Ticket Authority (STA) with the same fully qualified domain name (FQDN), attempts to bind the STA to the NetScaler Gateway virtual server fail.

If users connect with the NetScaler Gateway Plug-in for Windows and then attempt to receive a call through a softphone, the call fails.

If users do not have administrative rights, the Endpoint Analysis Plug-in installation fails.

When users connect from a web browser and enter their SAML credentials, NetScaler Gateway fails. This occurs when you configure pre-authentication policies and two-factor authentication policies with SAML and LDAP with SAML as the primary authentication type and having a higher priority.

Responder or URL transform policies that are bound to the Content Switching virtual server are not applied to connection requests that come through NetScaler Gateway

When users log on with the NetScaler Gateway Plug-in for Windows, attempts to access internal network resources fail from Windows Metro applications, such as Internet Explorer Metro Mode. This occurs when you configure address pools (intranet IP addresses).

Showing active user sessions in the configuration utility or by using the command line might result in high CPU utilization on NetScaler Gateway.

The Applications reports (Dashboard > HDX Insight > Applications) display incorrect values for Active Apps and Active sessions.

The Applications report might not display any data for geo maps.

In the NetScaler Insight Center graphical user interface, you might not be able to configure a Terminal Access Controller Access-Control System (TACACS) server.

Even after you delete a CloudBridge device from NetScaler Insight Center, it displays the device in the inventory and continues to collect AppFlow data.

A NetScaler ADC fails when it receives ICA traffic from metro receiver client.

If you add more than one NetScaler or CloudBridge devices to the NetScaler Insight Center inventory, the afdecoder subsystem may stop functioning.

If you enable AppFlow on a NetScaler ADC, the ADC might crash due an internal memory dependency.

A NetScaler Insight Center report that displays the launch duration value display multiple rows for the same application

NetScaler Insight Center does not display reports for traffic that passes through any NetScaler virtual servers other than HTTP virtual servers.

In a multi-stream ICA connection consisting of one primary TCP connection and three secondary TCP connections, the NetScaler ADC fails to export the ICA Appflow records for the secondary connections.

The following error might occur if you open the dashboard on the NetScaler Insight Center graphical user interface by using Internet Explorer 8:

Error fetching licensing information.

For more information about browser support, see http://support.citrix.com/proddocs/topic/ni-10-5-map/ni-access-ni-con.html.

If you access NetScaler Insight Center by using a secure connection, the geo maps do not display any data.

All the metrics except bandwidth and hits display the average values.

NetScaler Insight Center displays the following error message if a NetScaler ADC maintains more than 20 active sessions.

'Excess connection than the CFE limit for NetScaler'

NetScaler Insight Center might not correctly report user sessions with multi-stream ICA connections.

The NetScaler ADC might fail if you enable AppFlow for ICA and access XenApp or XenDesktop through the Windows Receiver client.

When Management Service which was already using an SSL certificate-key pair with a password is upgraded to 10.5 then its HTTPS server will not start. This is fixed in this release.

After a user completes challenge response based log in, the user gets -1 as timeout. This issue is not applicable to other log in scenarios.

On SDX systems, sometime while creating/deleting or modifying a LACP channel, TX stalls are seen on some of the member interfaces.

After you unbind the interface from a channel, interface drops the packets sent to the individual interfaces.

Set operation on a channel may lead to channel MAC address becoming zero on a VPX running on an SDX appliance.

On Decapolis platforms although the number of interfaces are 36/24 but one cannot form as many channels (18/12) on that appliance.

Service Management sends the password to back-end even when the change password field is not checked in the set up wizard. This happens when the nsroot user has set up a simple password which does not meet the criteria for password complexity. An error message is displayed when something is changed using setup wizard.

A VPX looses the VRID configuration in the following scenario:

If a VPX is having VRID configuration on interfaces 10/1 and 10/2 and from the Management Service a channel is created using interface 10/1 and 10/2. Now if you modify the VPX from the Management Service using the VPX modification wizard, it makes the VPX loose VRID configuration on 10/1 and 10/2.

SDX-Rome-10G Management Service incorrectly displays '0/2' under Network Settings section in NetScaler Provisioning page. This interface should not be used to configure NetScaler Instance.

For a case under the following conditions, when:

1. A VLAN is present on XenServer on management interfaces (normally ETH0 and ETH1 on most platforms)

2. A management channel created from Management Service is present on SDX, and

3. A VPX is using this management channel.

Then, If the management channel is deleted from Management Service, then post deletion the VPX may be seen with the VLAN present on its management interfaces.

On creating a LACP channel, interface MAC address is altered and the new MAC address will be persistent even after the unbind operation.

If you are modifying an existing NetScaler instance by removing a previously configured interface from the table and again add the same interface, it throws and error.

On a SDX-VPX, for a management interface, when HA Monitoring or another property in interface is changed via GUI, It throws "operation not permitted" error.

If you create channels on SDX and use these channels in VPXs and then take a backup of the appliance to restore either the complete appliance or selected instances, then channels are not restored and instances may fail.

In case of shared management of CPU in SDX, licenses fail to load on start-up sometimes if the management CPU is overloaded.

Issue: The backup file contains more NetScaler instance than allowed instance in the license applied. Now instance restore for a single NetScaler fails with error message "License does not allow more than x NetScaler instance".

Fix: For instance restore operation, licence validation is done against no of NetScaler selected for restore instead of validating against all NetScaler instance in the backup files.

If you are accessing the Management Service directly through console on NetScaler SDX or Insight Center products, the credentials nsroot/nsroot do not work. The credentials root/nsroot work as before and SSH access to the management service also works as before with either of the credentials.

The installation of supplemental pack 100015 fails on NSSDX-8200 10G platforms. The root cause of failure is that the install script treats a warning as an error and aborts the installation.

There is no workaround for this other than to update to new version 10.1.130.x or 10.5.53.x with supplemental pack version 100016.

In SDX NetScaler cluster, SDX management VLAN modifications are not allowed through cluster IP.

The installation of supplemental pack 100015 fails on NetScaler SDX 8200 10G appliances.

If you are logging in Management Service using Public Key authentication, then password less SSH log-in does not work.

In Management Service, the Tagall setting configured for channels under Management VLAN settings is not available on VPXs.

The management interface of a SDX-8000/SDX8200/SDX-8400 appliance might loose connectivity if the interface is connected to a CAT switch.

Workaround: Set the speed of the interface to 100 Mbps and disable auto-negotiation.

If there is an Xenserver console session open for a NS-VPX during shutdown, then the VPX remains in the halt state.

Restore operation fails when the backup file of newer version is restored in older Management Service version.

On NetScaler SDX 8000 appliances, the Service Virtual Machine (SVM) might not detect the disk correctly, and it marks the status of the disk as down in system health monitoring. However, the provisioning of NetScaler VPX instances work as expected. This issue occurs in the following releases:

- NetScaler 10.1 Build 129.11 or earlier

- NetScaler 10.5 Build 52.11 or earlier

Setting of Jumbo MTU on interfaces or channels which are shared between NetScaler 10.5 and older version VPXes (10.1,9.3) is not supported.

When you upgrade an instance of NetScaler VPX on Amazon AWS to release 10.5 build 50.9, the SSL feature of the VPX instance might not support more than 512 bit encryption.

The NetScaler ADC might use a large amount of CPU cycles when it receives a burst of GRE traffic, which meets the following criteria:

- The NetScaler ADC is not the GRE end point for this traffic.

- The NetScaler ADC creates a NAT session information for this traffic.

The CPU usage might be approximately 10% higher in NetScaler 10.5 version as compared to NetScaler 9.3 version.

For an IPv6 load balancing configuration in which the IPv6 virtual server and the bound services are in different traffic domains, and USIP is enabled, the NetScaler ADC might become unresponsive when the IPv6 virtual server receives traffic.

For a link load balancing with RNAT configuration in which persistence is enabled for the virtual server, the NetScaler ADC might become unresponsive when the virtual server receives traffic.

For a link load balancing with RNAT configuration, the NetScaler ADC might use an incorrect subnet IP (SNIP) address to communicate to the external devices.

The NetScaler ADC might become unresponsive when you run the "bind rnat global" command.

On a NetScaler ADC, ND6 entries might get in INCOMPLETE state due to synchronization mismatch among different internal modules. As a result NetScaler fails to serve traffic for that IPV6 address.

The NetScaler ADC might fail to evaluate listen policies, containing source or destination ipv6 address/subnet, for certain IPv6 addresses.

With more than 1000 IP tunnels configured on a NetScaler ADC, the internal data structure for these IP tunnels might not be updated for some events. This changes the status of these IP tunnels to the DOWN state.

The NetScaler ADC drops IPv4 packets related to the following protocols:

- IPv6 encapsulation (41)

- Fragment Header for IPv6 (44)

- ICMP for IPv6 (58)

In a CloudBridge connector tunnel, IKED packets might get routed back to the same NetScaler ADC instead of the peer tunnel end point.

Old or stale OSPF LSAs might exist after a warm restart, or restart after a power failure, resulting in triple flip.

In a high availability (HA) configuration, VLAN Interface binding configuration might be lost when continuous HA failover happens.

In a high availability (HA) configuration, VMAC configuration might be lost when continuous HA failover happens.

Feature: Load Balancing

For a DHCP load balancing configuration, the NetScaler ADC does not forward any unicast DHCP relay agent (UDP port 67) packets, which are received by the virtual server, to the bound servers.

On running the "show connectiontable -detail LINK" command in NetScaler command line interface, the NetScaler ADC might become unresponsive.

NetScaler SDX appliances does not support jumbo frames.

For a load balancing server configured on a non-default traffic domain, on modifying the IP address of the server also changes the name of the server.

With MAC based forwarding (MBF) option enabled, the NetScaler ADC does not update Layer 2 information such as MAC address, interface ID, and VLAN ID, for a dynamic service even when the associated router is inactive. As a result, the router drops the packets destined to the IP address specified by the dynamic service.

The SDX 24100/24150 and MPX 24100/24150 platforms are now supported in this release.

NetScaler supports Multi-PE for Hyper-V.

For NetScaler platforms that have Small Form-factor Pluggable (SFP) transceivers, with part number FTLF8519P3BNL, the bootup log files show that the SFPs are unsupported, even though they are functioning properly. This issue occurs in the following releases:

- NetScaler 9.3 (all releases)

- NetScaler 10.1 Build 129.11 or earlier

- NetScaler 10.5 Build 52.11 or earlier

On a NetScaler ADC that has a Small Form-factor Pluggable (SFP) interface with part number FTLF8519P2BNL, disabling this interface might not disable the interface of the peer device.

NetScaler VPX instances running on Xen server might consume high CPU cycles for processing 1G traffic.

Using the "SYS.CHECK_LIMIT” expression in conjunction with any boolean expression can cause the NetScaler to crash.

The NetScaler appliance can crash or the data can get corrupted when the URL (or other string) satisfies the following criteria:

- Length is more than 1300 bytes (800 bytes for HTML_XML_SAFE).

- Has at least one unsafe character.

- A significant initial part of the string does not need encoding (or some smaller initial part of the string does not need encoding and there are lots of characters needing encoding)

- One of the following functions is used on the string in the expression:

* HTTP_URL_SAFE - unsafe characters are not allowed. Safe characters are: a-z, A-Z, 0-9, "-", "_", ".", "!", "~", "*", "'", "(", ")", ";", ":", "@", "?", "=", "$", "%", "&amp;", "+", ",", "/".

* HTTP_HEADER_SAFE - new line ('\n') characters are unsafe.

* HTML_XML_SAFE - unsafe characters are '<', '>' and '&'.

* APPEND_QUERY_PARAMETER - same as HTTP_URL_SAFE

Workaround: As a workaround, remove uses of these functions from your expressions if strings can be long (or truncate the strings to 1300 bytes (800 bytes for HTML_XML_SAFE)). In a number of cases you can avoid using these functions if you concatenate the URL with some string constant to the left of it (for example "" + HTTP.REQ.URL) - if the input was encoded, so will be the result.

In rare cases, if the random number generated for the DH key exchange has a leading zero, DH negotiation fails because of a hardware limitation.

On all the NetScaler MPX platforms, DH cryptographic operation is now offloaded to the hardware, reducing the load on the CPU. If your deployment uses DH crypto operations heavily, you will notice a performance improvement.

In a setup with a large number of virtual servers, if only a few virtual servers receive most of the traffic while the other virtual servers are idle, there might be a delay in cleaning up the sessions.

When using Web Interfaces, after logging in to the VPN, users are not authorized to access published resources.

The Monupload process monitors the power supply and sends a "show techsupport" bundle as soon as a power failure is observed. This behavior is now modified to upload the bundle only in case the power supply does not recover in a 1 minute.

When using DNS request pipelining with request switching, the audit log feature causes the NetScaler appliance to crash and reboot.

With SPDY enabled, creating an AppFlow structure results in memory initialization issues.

With USIP mode enabled, when the client FIN comes along with the final ACK for the server response, the NetScaler TCP module does not acknowledge the FIN.

SNMP walk shows the operational status of a LA channel as DOWN even when it is in the PARTIAL-UP state.

A new HTTP profile option "rtspTunnel" allows RTSP over HTTP. The RTSP tunnel is detected by the presence of either one of the following

- 'Accept: application/x-rtsp-tunnelled' request header

- 'Content-Type: application/x-rtsp-tunnelled' response header

Once the tunnel is detected, NetScaler stops HTTP tracking for that TCP connection and lets the RTSP flow go through. The "rtspTunnel" option is disabled by default.

The NetScaler intermittently fails to generate traps due to issues in propagating the alarm state to the SNMP daemon.

The NetScaler randomly crashes when SPDY is enabled on a NetScaler deployment which has integrated caching enabled. This occurs due to some interaction issues.

When trying to log on to the NetScaler using the GUI or the NITRO API, external users (from LDAP, TACACS, and so on) get the following error message: 'User does not exist'.

If you change the IP address of a load balancing virtual server that shares the same server information (IP address, port and service) with an audit server and then clear the configurations, the NetScaler is expected to remove the virtual server, the audit server, and other NetScaler configurations. However, when you now add the virtual server with the original server details, the NetScaler throws an error message that says "resource already exists".

Note: In a HA setup, this behavior is displayed even when you perform a force sync or a force failover operation.

Changes made to the time zone are not reflected till the NetScaler appliance is warm rebooted.

When an interface of a static channel becomes inactive because of an MTU mismatch, the peer device of the channel still sends traffic to that interface.

When the NetScaler deployment has large configuration size, the NetScaler appliance can crash due to issues with memory allocation.

The NetScaler appliance can crash when a large HTTP request URL has a space in it and if the request is broken into multiple packets.

With AppFlow enabled, if any of the HTTP headers (URL, Host, Cookie, and so on) have a length of exactly 255, the NetScaler appliance could crash.

When the Call Home feature is disabled before the Call Home enable operation is successful, a second instance of the Call Home process starts to run. This results in high usage of the management CPU.

When a HTTP profile is bound to a virtual server or service, the configurations of this profile are considered over the configurations of the global HTTP profile (nshttp_default_profile). However, when connection multiplexing is disabled globally and enabled on the virtual server or service, the global setting for connection multiplexing is being considered. This issue has now been fixed.

Users who access a Microsoft Sharepoint server through a NetScaler ADC that has the application firewall enabled are unable to open any document type that requires software that is not part of the browser, such as Microsoft Office files.