Release Notes for NetScaler 10.1 Enhancement Releases

NetScaler Gateway

• Issue ID 518414: NetScaler Gateway does not support single sign-on (SSO) to public servers unless single sign-on is enabled in a traffic profile or split tunneling is enabled.

CloudBridge Connector

• Issue ID 512191, 513775 , 535483: Memory leaks might occur on NetScaler ADCs connected to a CloudBridge Connector tunnel when one of the ADCs sends monitor probes, through the tunnel, to a service that is bound to an HTTP or SSH load balancing virtual server.

• Issue ID 440781: When the state of a CloudBridge connector tunnel is DOWN, there is a delay in displaying the related log messages (from the /tmp/iked.debug file) on the Create CloudBridge Connector page of the configuration utility.

NetScaler Gateway

• Issue ID 522700, 531535: If the NetScaler Gateway virtual server is behind a proxy server and its fully qualified domain name (FQDN) is not resolvable by the local DNS server, endpoint analysis fails and a "failed sending epaq" error message appears.

• Issue ID 531520: Remote users who use the Windows full client/plugin to access Netscaler Gateway can encounter an issue if the Internet Explorer browser has "Automatic Configuration Script" settings configured for Proxy, and the automatic configuration script file is unreachable from the user device at the time of Gateway session establishment. In this scenario, the Windows plugin incorrectly connects to the Proxy server configured in the Manual Settings and fails to establish the session. The expected correct behavior in this situation would be to bypass the proxy and connect to NetScaler Gateway directly.

  Users are affected only if:

  1. They use Windows full client for establishing the gateway session

  AND

  2. They have both Automatic Configuration script and Manual configuration for Proxy in their Internet Explorer settings

  AND

  3. The configured Automatic Proxy script file happens to be unreachable from the user's device (for example the Automatic Proxy script file address is an internal address and not reachable remotely).

• Issue ID 491076, 535339: Java Runtime Environment (JRE) version 7, update 51 or later, displays a security warning when NetScaler Gateway for Java is launched. In some cases, JRE blocks the launch.

• Issue ID 527757: If a user installs Microsoft Security Bulletin MS14-080 (KB3025390) for Internet Explorer 11, then uses the IE 11 browser to log on to a NetScaler Gateway virtual IP with endpoint analysis, either as pre-authentication or post-authentication check, the endpoint analysis fails and a Download or Skip Check button appears in the browser.

• Issue ID 460915: In releases earlier than version 4.18.9, the Citrix DNE LWF driver can send spurious packets that have random MAC addresses. As a result, a switch port configured to allow only one MAC address might shut down.

• Issue ID 524028: After the VPN tunnel is established, external websites fail to load intermittently under the following conditions:

  - If enable_vpn_dnstruncate_fix nsapimgr flag is set on NetScaler.

  - DNS servers on NetScaler are configured to send negative DNS response for external DNS query.

  - Split DNS is set to both

NetScaler SDX Appliance

• Issue ID 511907: The correct label for svm.allocated memory is Allocated Memory (%).

SSL

• Issue ID 491267, 460463: Support for additional ciphers with TLS protocol version 1.2

  Sixteen new ciphers are supported with TLS protocol version 1.2 on all MPX platforms, and on SDX platforms if an SSL chip is assigned to the instance when you provision it.

  1) Cipher Name: TLS1-ECDHE-RSA-RC4-SHA

  Description: TLSv1.2 Kx=ECC-DHE Au=RSA Enc=RC4(128) Mac=SHA1

  2) Cipher Name: TLS1-ECDHE-RSA-DES-CBC3-SHA

  Description: TLSv1.2 Kx=ECC-DHE Au=RSA Enc=3DES(168) Mac=SHA1

  3) Cipher Name: TLS1-ECDHE-RSA-AES128-SHA

  Description: TLSv1.2 Kx=ECC-DHE Au=RSA Enc=AES(128) Mac=SHA1

  4) Cipher Name: TLS1-ECDHE-RSA-AES256-SHA

  Description: TLSv1.2 Kx=ECC-DHE Au=RSA Enc=AES(256) Mac=SHA1

  5) Cipher Name: TLS1.2-AES128-GCM-SHA256

  Description: TLSv1.2 Kx=RSA Au=RSA Enc=AES-GCM(128) Mac=SHA-256

  6) Cipher Name: TLS1.2-AES256-GCM-SHA384

  Description: TLSv1.2 Kx=RSA Au=RSA Enc=AES-GCM(256) Mac=SHA-384

  7) Cipher Name: TLS1.2-DHE-RSA-AES128-GCM-SHA256

  Description: TLSv1.2 Kx=DH Au=RSA Enc=AES-GCM(128) Mac=SHA-256

  8) Cipher Name: TLS1.2-DHE-RSA-AES256-GCM-SHA384

  Description: TLSv1.2 Kx=DH Au=RSA Enc=AES-GCM(256) Mac=SHA-384

  9) Cipher Name: TLS1.2-ECDHE-RSA-AES128-GCM-SHA256

  Description: TLSv1.2 Kx=ECC-DHE Au=RSA Enc=AES-GCM(128) Mac=SHA-256

  10) Cipher Name: TLS1.2-ECDHE-RSA-AES256-GCM-SHA384

  Description: TLSv1.2 Kx=ECC-DHE Au=RSA Enc=AES-GCM(256) Mac=SHA-384

  11) Cipher Name: TLS1.2-ECDHE-RSA-AES-128-SHA256

  Description: TLSv1.2 Kx=ECC-DHE Au=RSA Enc=AES(128) Mac=SHA-256

  12) Cipher Name: TLS1.2-ECDHE-RSA-AES-256-SHA384

  Description: TLSv1.2 Kx=ECC-DHE Au=RSA Enc=AES(256) Mac=SHA-384

  13) Cipher Name: TLS1.2-AES-256-SHA256

  Description: TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA-256

  14) Cipher Name: TLS1.2-AES-128-SHA256

  Description: TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA-256

  15) Cipher Name: TLS1.2-DHE-RSA-AES-128-SHA256

  Description: TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA-256

  16) Cipher Name: TLS1.2-DHE-RSA-AES-256-SHA256

  Description: TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA-256

• Issue ID 460458, 448937 , 460465 , 460472: Support for AES-GCM/SHA2 Ciphers

  NetScaler release 10.5 build 53.9 introduces support for the following ciphers:

  - Cipher Name: TLS1.2-AES128-GCM-SHA256

  Description: TLSv1.2 Kx=RSA Au=RSA Enc=AES-GCM(128) Mac=SHA-256

  - Cipher Name: TLS1.2-AES256-GCM-SHA384

  Description: TLSv1.2 Kx=RSA Au=RSA Enc=AES-GCM(256) Mac=SHA-384

  - Cipher Name: TLS1.2-DHE-RSA-AES128-GCM-SHA256

  Description: TLSv1.2 Kx=DH Au=RSA Enc=AES-GCM(128) Mac=SHA-256

  - Cipher Name: TLS1.2-DHE-RSA-AES256-GCM-SHA384

  Description: TLSv1.2 Kx=DH Au=RSA Enc=AES-GCM(256) Mac=SHA-384

  - Cipher Name: TLS1.2-ECDHE-RSA-AES128-GCM-SHA256

  Description: TLSv1.2 Kx=ECC-DHE Au=RSA Enc=AES-GCM(128) Mac=SHA-256

  - Cipher Name: TLS1.2-ECDHE-RSA-AES256-GCM-SHA384

  Description: TLSv1.2 Kx=ECC-DHE Au=RSA Enc=AES-GCM(256) Mac=SHA-384

  - Cipher Name: TLS1.2-ECDHE-RSA-AES-128-SHA256

  Description: TLSv1.2 Kx=ECC-DHE Au=RSA Enc=AES(128) Mac=SHA-256

  - Cipher Name: TLS1.2-ECDHE-RSA-AES-256-SHA384

  Description: TLSv1.2 Kx=ECC-DHE Au=RSA Enc=AES(256) Mac=SHA-384

  - Cipher Name: TLS1.2-AES-256-SHA256

  Description: TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA-256

  - Cipher Name: TLS1.2-AES-128-SHA256

  Description: TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA-256

  - Cipher Name: TLS1.2-DHE-RSA-AES-128-SHA256

  Description: TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA-256

  - Cipher Name: TLS1.2-DHE-RSA-AES-256-SHA256

  Description: TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA-256

Networking

• Issue ID 490341: With MAC based forwarding (MBF) option enabled, the NetScaler ADC does not update Layer 2 information such as MAC address, interface ID, and VLAN ID, for a dynamic service even when the associated router is inactive. As a result, the router drops the packets destined to the IP address specified by the dynamic service.

High Availability

• Issue ID 469857: On a HA setup, even though the source IP is not explicitly set to *, the output of the "show ns rpcNode" commands shows the source IP as *. Therefore, when HA failover happens for the second time, the LB persistency session information is not propagated to the secondary node. This means that the information is not available when a forced failover is performed on the new primary node.

  The fix ensures that the NetScaler IP (NSIP) address of the local box is always set as the source IP address in a HA setup.

NetScaler Gateway

• Issue ID 484245: If Kerberos uses x.509 certificates (PKINIT) for single sign-on, NetScaler Gateway fails to obtain tickets if the Key Distribution Center (KDC) returns a realm referral. This can cause the NetScaler Gateway appliance to fail.

• Issue ID 461279: When users upgrade the NetScaler Gateway Plug-in from Version 10.1.122.17 or later to the latest Version 10.1 Maintenance Release on a computer that includes an installation of Citrix Receiver, the automatic upgrade fails.

• Issue ID 463871: If you bind SAML and LDAP authentication polices to the virtual server for two-factor authentication, after authenticating with SAML which is primary authentication type the LDAP user name populates automatically. If the first logon attempt to LDAP fails, user names are case-sensitive and must be entered again exactly as it appears after SAML authentication. For example, if the user name is populated as JohnDoe@xyzz.com and the user types johndoe@xyzz.com during the subsequent attempt, log on fails.

• Issue IDs 481889, 486176: In a high availability deployment, if the NetScaler Gateway virtual server is missing on the secondary appliance, NetScaler Gateway fails during session propagation.

NetScaler SDX Appliance

• Issue ID 423917: DNS configuration is not included in backup files

  Workaround:Configure the DNS configuration through network settings option

Networking

• Issue ID 437359: A parameter Source IP Persistency has been introduced in RNAT rules and Netprofiles:

  Source IP Persistency for RNAT Sessions

  The source IP persistency of a RNAT rule enables the NetScaler ADC to use the same NAT IP address for all RNAT sessions initiated from a particular server.

  Source IP Persistency for NetProfiles

  The source IP persistency of a netprofile associated with a virtual server or service enables the NetScaler ADC to use the same address, specified in the net profile, for all sessions initiated from a particular client.

NetScaler SDx Appliance

• Issue ID 0475099: Configuring a wrong DNS IP address was slowing internal communication between Management Service and XenServer. With the current release, the DNS look up will be ignored for internal communication.

Configuration Utility

• Issue IDs 0447077 and 0460857: If you create a monitor by using the graphical user interface and choose the default browse option to select the in-built monitor scripts from the /nsconfig/monitors folder, the folder does not display any scripts to choose.

Networking

• Issue ID 0438557: The NetScaler appliance might consume excessive CPU cycles when processing ACL rules.

NetScaler SDX Appliance

• Issue ID 0456884: When you click on a NetScaler IP address in the SVM GUI, the NetScaler configuration utility opens without prompting for logon credentials. Log on is done through single sign on (SSO).
• Issue ID 0460376: Management service was showing wrong alert for power supply status with the message that "One of the two power supplies is not working.

Platform

• Issue ID 0436380: The LCD display on the front of every NetScaler SDX appliance, except SDX 11500/13500/14500/16500/18500/20500 and SDX 11515/11520/11530/11540/11542 displays a booting message when the appliance is started or restarted.

  The LCD has a neon backlight. Normally, the backlight glows steadily. When there is an active alert, it blinks rapidly. When the appliance shuts down, the backlight remains on for one minute and then automatically turns off.

  Note: The LCD screen on a NetScaler SDX appliance displays the base model number for that platform. To view the licensed model number of the appliance, log on to the Management Service and check the licensed model number on the top left corner of the screen. For example, if you have purchased an SDX 11515 license, the LCD screen displays SDX 11500, and the Management Service screen displays NetScaler SDX (11515).

  On some SDX platforms, the LCD backlight might not work. Therefore, the display might not be clear.

System

• Issue ID 0360334: SNMP Trap for Port Allocation Failures

  NetScaler ADC sends SNMP trap when port allocation fails on the NetScaler. The following SNMP OID is added: dstip (1.3.6.1.4.1.5951.1.1.0.143)

• Issue ID 0403733: The NetScaler appliance does not make a log entry in the ns.log file when the port limit is exceeded.
• Issue IDs 441843, 457850 and 451285: If TCP buffering or caching is enabled on a NetScaler appliance receiving an ACK packet that has ACK_NO at the left edge of the SACK block, the packet engine enters a loop while processing the packet.

Source IP Persistency for RNAT Sessions

• ENH ID 0437359: The source IP persistency of a RNAT rule enables the NetScaler appliance to use the same NAT IP address throughout a particular RNAT session.

Source IP Persistency for NetProfiles

• ENH ID 0437359: The source IP persistency of a netprofile associated with a virtual server enables the Netscaler appliance to use the same source IP address, specified in the netprofile, throughout a particular session to a server bound to the virtual server.

Networking

• Issue ID 0455936: The source IP persistency functionality might not work for an RNAT rule that does not have the NAT IP parameter set to an IP address.
• Issue ID 0459679: If you have enabled Source IP Persistency on multiple IPv4 RNAT rules that have the same condition but with different NAT IP addresses, the NetScaler command line and the configuration utility displays Source IP Persistency as ENABLED only for one of these rules.

Configuring RISE with NetScaler ADC and Cisco Nexus 7000 Switches

• ENH ID 0413833: You can now use Remote Integrated Service Engine (RISE) technology to integrate a NetScaler ADC and a Cisco Nexus 7000 Series switch. This combination offers layered network services, including robust application delivery capabilities that accelerate application performance for all users.

  With a RISE based implementation, the NetScaler functionality is available as a centralized resource that can be leveraged across the application infrastructure supported by the Cisco Nexus 7000 series switch. The key functionalities of the RISE architecture include:

  • Plug and play auto-provisioning

    RISE provides a plug and play auto-provisioning feature. When you directly connect the NetScaler ADC to the Cisco Nexus 7000 series switch, auto-discovery commences.

  • Discovery and bootstrapping

    The discovery and bootstrap mechanism enables the Cisco Nexus 7000 Series switch to communicate with the NetScaler ADC by exchanging information to set up a RISE channel, which transmits control and data packets.

  • Health Monitoring

    The NetScaler ADC uses its health monitoring feature to track and support server health by sending health probes to verify server responses.

  • Automatic Policy Based Routing (APBR)

    Automatic Policy Based Routing (APBR) automatically routes the return traffic from the servers to the NetScaler ADC, preserving the client IP addresses. The automatic policy based routes are defined on the Cisco Nexus 7000 series switch. When the return traffic from the server reaches the Cisco Nexus 7000 series switch, the APBR policies defined on the switch route the traffic to the NetScaler ADC, which in turn routes the traffic to the client.

Stateful Connection Failover support for Load Balancing Virtual Server in TOS mode

• ENH ID 0436500: In a High Availability (HA) setup, stateful connection failover is now supported for load balancing virtual servers configured in TOS mode.

  With stateful connection failover enabled, the secondary appliance has information about the connections established before the failover and starts serving those already established connections after the failover.

  After HA failover, the client remains connected to the same physical server. The new primary appliance synchronizes the information with the new secondary appliance by using the SSF framework. During the transition period, the client and server may experience a brief disruption and retransmissions.

Variable Support for Policies

• ENH ID 0368447: This enhancement allows state information, in the form of variables, to be stored and used on NetScaler appliances . Variables can be of ulong, text, or map types. A map can have ulong and text type elements. And the map key is always text.

  Note:

  • Variables are not supported in a high availability setup.
  • Once configured, a variable's settings cannot be modified or reset. If the variable needs to be changed, the variable and all references to the variable (expressions and assignments) need to be deleted. Then the variable can be re-added with new settings, and the references (expressions and assignments) can be re-added.

  To use variables by using the command line interface

  1. Create a variable. Variables can be of singleton (ulong and text) and map type.
     //Declares a single valued 64-bit integer variable named my_counter. It is initialized to 0.

     add ns variable my_counter –type ulong

     //Declares a map named user_privilege_map that will contain keys of maximum length 15 characters and text values of maximum length 10 characters, with a maximum of 10000 entries. If the map contains 10000 unexpired entries, assignments for new keys reuse one of the least recently used entries . By default, an expression trying to get a value for a non-existent key will initialize an empty text value.

     add ns variable user_privilege_map -type map(text(15),text(10),10000)

  2. Specify the assignment for the variable. The assignment specifies the value or operation to be performed on that variable.
     //Defines an assignment named inc_my_counter that automatically adds one to the my_counter variable.

     add ns assignment inc_my_counter -var $my_counter -add 1

     //Defines an assignment named set_user_privilege that adds to the user_privilege_map variable an entry for the client's IP address with the value returned by the get_user_privilege HTTP callout. If an entry for that key already exists, the value will be replaced. Otherwise a new entry for the key and value will be added. Based on the previous declaration for user_privilege_map, if the map already has 10000 entries, one of the least recently used entries will be reused for the new key and value.

     add ns assignment set_user_privilege -var $user_privilege_map[client.ip.src.typecast_text_t] -set sys.http.callout(get_user_privilege)

     //Defines an assignment named clear_user_privilege that clears the entry for the client's IP address in the user_privilege_map variable.

     add ns assignment clear_user_privilege -var $user_privilege_map[client.ip.src.typecast_text_t] -clear

  3. Configure the assignment as an action for a policy.
     //Configures the assignment set_user_privilege with a compression policy

     add cmp policy set_user_privilege_pol -rule $user_privilege_map.valueExists(client.ip.src.typecast_text_t).not -resAction set_user_privilege

  To use variables by using the configuration utility

  1. Navigate to AppExpert > NS Variables, to create the variables.
  2. Navigate to AppExpert > NS Assignments, to assign values to the variables.
  3. Navigate to the appropriate feature area where you want to configure the assignment as an action.

For more information, see Variables.

Configuration Utility

• Issue ID 0419226: In the configuration utility, the online help for the content accelerator feature mentions a video that is not available.

Adaptive Threshold in NetScaler Insight Center

• ENH ID 0378995: The adaptive threshold functionality in NetScaler Insight Center dynamically sets the threshold value for the maximum number of hits on each URL. If the maximum number of hits on a URL is greater than the threshold value set for the URL, a syslog message is sent to an external syslog server. The threshold value can be set for daily or weekly interval.

  For more information, see Managing Threshold.

Provisioning Palo Alto VM-Series Instances on a NetScaler SDX Appliance

• ENH ID 0357214: Palo Alto Networks VM-Series on Citrix NetScaler SDX enables consolidation of best-in-class security and ADC capabilities on a single platform, for secure, reliable access to applications by businesses, business units, and service-provider customers. The combination of VM-Series on Citrix NetScaler SDX also provides a complete, validated, security and ADC solution for Citrix XenApp and XenDesktop deployments.

  You can provision, monitor, manage, and troubleshoot an instance from the Management Service.

  Note: The total number of instances that you can provision on an SDX appliance depends on the license installed on the appliance.
  Important: You must upgrade your XenServer version to version 6.1.0 and install the xs-netscaler-6.1.0-2.6.32.43-0.4.1.xs1.6.10.777.170770-100012 supplemental pack.

  For more information, see Palo Alto Networks VM-Series.

Configuration Utility

• Issue ID 0419226: In the configuration utility, the online help for the content accelerator feature mentions a video that is not available.

Authentication and Authorization Enhancements

• ENH ID 0399086: With this release, the following authentication and authorization capabilities are supported on NetScaler SDX appliance:

  • External authentication for RADIUS, TACACS, and LDAP servers.
  • Group extraction capability for LDAP and RADIUS authentication types.
  • Authentication and authorization for requests through SSH. However, the authorization of SSH users is limited to super-user privileges only.
  • Audit logs for RADIUS and TACACS servers. You need to enable the Accounting option for the servers in the Management Service.

  For more information, see Configuring Authentication and Authorization Settings.

User Name and Password Length Extended to 127 Characters

• ENH ID 0325421: User names and passwords on the NetScaler appliance can now be up to 127 characters in length. Usernames and passwords can consist of upper-case and lower-case letters, digits, and the hyphen and underscore characters.

Content Accelerator

• ENH ID 0400961: The NetScaler provides a feature called Content Accelerator, that can be used in a Citrix ByteMobile T1100 deployment, to store content on a Citrix ByteMobile T2100 appliance. For more information, see Content Accelerator.

Configuration Utility

• Issue ID 0419226: In the configuration utility, the online help for the content accelerator feature mentions a video that is not available.