Release Notes for Build 60.7004.e of NetScaler 10.5 Release

Updated: March 30, 2016 | Release notes version: 1.0
This release notes document describes the enhancements and changes (what's new), lists the issues that are fixed, and specifies the issues that exist, for the NetScaler 10.5 Build 60.7004.e release. See Release history.
Notes:
What's New?
The enhancements and changes that are available in Build 60.7004.e.
SSL
  • Support for ECDHE Ciphers on the frontend on the NetScaler MPX 9700/10500/12500/15500 FIPS appliances.
    The Citrix NetScaler MPX 9700/10500/12500/15500 FIPS appliances running firmware version 2.2 now support the ECDHE cipher group on the frontend. This group contains the following ciphers:
    - TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA 0xc012
    - TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA 0xc014
    - TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256 0xc027
    - TLS1_TXT_ECDHE_RSA_WITH_AES_256_SHA384 0xc028
    - TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA 0xc013
    Because of its smaller key size, Elliptic Curve Cryptography (ECC) is especially useful in a mobile (wireless) environment and in an interactive voice response environment, where every millisecond is important. Smaller key sizes result in power, memory, bandwidth, and computational cost savings.
    The following ECC curves are supported:
    - P_256
    - P_384
    - P_224
    - P_521
    By default all four curves are bound to an SSL virtual server.
    [# 498205]
  • Support for ECDHE Ciphers on the backend on the NetScaler MPX 9700/10500/12500/15500 FIPS appliances.
    The Citrix NetScaler MPX 9700/10500/12500/15500 FIPS appliances running firmware version 2.2 now support the ECDHE cipher group on the backend. This group contains the following ciphers:
    - TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA 0xc012
    - TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA 0xc014
    - TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256 0xc027
    - TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA 0xc013
    Because of its smaller key size, Elliptic Curve Cryptography (ECC) is especially useful in a mobile (wireless) environment and in an interactive voice response environment, where every millisecond is important. Smaller key sizes result in power, memory, bandwidth, and computational cost savings.
    The following ECC curves are supported:
    - P_256
    - P_384
    - P_224
    - P_521
    By default all four curves are bound to an SSL virtual server.
    [# 543536]
Known Issues
The issues that exist in Build 60.7004.e.
AAA-TM
  • When the SAML IdP profile on the NetScaler appliance is configured with rsa-sha256 as the signature/digest algorithm and the SAML SP sends a SAML request signed with SHA-1, the appliance does not return an error. Instead, it sends a 302 redirect to /vpn/tmindex.
    [# 528661]
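Because the appliance does not reject the SHA-1-signed request itself, the mismatch has to be caught elsewhere, for example by a check over captured SAML requests. The following is an added example, not code from Citrix or from the original release notes: it reads the algorithm identifiers from an HTTP-Redirect request (the SigAlg parameter) or an HTTP-POST request (the embedded ds:Signature) and compares them with the configured rsa-sha256/sha256 pair. The function names, the idp.example.test URL and the sample requests are constructed for illustration, and the check inspects algorithm identifiers only; it does not verify the signature.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs, urlencode

DS = "{http://www.w3.org/2000/09/xmldsig#}"
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"


def algorithms_from_redirect(url):
    """HTTP-Redirect binding: the signature covers the query string and the
    algorithm is carried in the SigAlg parameter. There is no digest element."""
    query = parse_qs(urlsplit(url).query)
    return {"signature": query.get("SigAlg", [None])[0], "digest": None}


def algorithms_from_post(saml_request_b64):
    """HTTP-POST binding: the request is base64-encoded XML with an enveloped
    ds:Signature as a direct child of the AuthnRequest element."""
    xml = base64.b64decode(saml_request_b64)
    # SAML messages never need a DTD; refuse one before handing bytes to the parser.
    if b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:
        raise ValueError("DTD not allowed in a SAML message")
    signature = ET.fromstring(xml).find(f"{DS}Signature")
    if signature is None:
        return {"signature": None, "digest": None}
    sig_method = signature.find(f"{DS}SignedInfo/{DS}SignatureMethod")
    dig_method = signature.find(f"{DS}SignedInfo/{DS}Reference/{DS}DigestMethod")
    return {
        "signature": None if sig_method is None else sig_method.get("Algorithm"),
        "digest": None if dig_method is None else dig_method.get("Algorithm"),
    }


def policy_violations(found, required_signature=RSA_SHA256, required_digest=SHA256):
    """Return a list of human-readable mismatches; an empty list means compliant."""
    problems = []
    if found["signature"] is None:
        problems.append("request is not signed")
    elif found["signature"] != required_signature:
        problems.append(f"signature algorithm {found['signature']} is not {required_signature}")
    if found["digest"] is not None and found["digest"] != required_digest:
        problems.append(f"digest algorithm {found['digest']} is not {required_digest}")
    return problems


def sample_post(sig_alg, digest_alg):
    """Constructed AuthnRequest skeleton (no real signature value) for the demo."""
    xml = (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'ID="_constructed1" Version="2.0">'
        '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>'
        f'<ds:SignatureMethod Algorithm="{sig_alg}"/>'
        f'<ds:Reference URI="#_constructed1"><ds:DigestMethod Algorithm="{digest_alg}"/>'
        '</ds:Reference></ds:SignedInfo></ds:Signature></samlp:AuthnRequest>'
    )
    return base64.b64encode(xml.encode()).decode()


# Constructed redirect-binding request signed with rsa-sha1 (placeholder values).
SAMPLE_REDIRECT = "https://idp.example.test/saml/login?" + urlencode(
    {"SAMLRequest": "constructed", "SigAlg": RSA_SHA1, "Signature": "constructed"}
)

if __name__ == "__main__":
    print(policy_violations(algorithms_from_redirect(SAMPLE_REDIRECT)))
    print(policy_violations(algorithms_from_post(sample_post(RSA_SHA1, SHA1))))
    print(policy_violations(algorithms_from_post(sample_post(RSA_SHA256, SHA256))))
```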
CloudBridge
  • When you upgrade a CloudBridge 4000 appliance from release 7.0.0 build 195 to release 7.3.1 build 47 or later by using the Single Bundle Upgrade process, the upgrade might fail.
    Workaround: To resolve this issue, complete the following procedure:
    1. Create an administrator profile on the management service of the appliance.
    2. Bind the profile to the CloudBridge Accelerator.
    3. Restart the upgrade process.
    [# 526969]
  • If you upgrade the CloudBridge appliance to release 7.4.0, the page continues to display the text "Upgrade in progress."
    Workaround: Log onto the appliance by using a new tab or a new window.
    [# 550098]
  • RADIUS/TACACS remote server auditing does not work.
    [# 529380]
Cluster
  • The cluster backplane cannot be modified for cluster nodes that are bound to nodegroups that have the "state" or "priority" parameter configured.
    Workaround: Do the following:
    1. Unbind the node from the nodegroup.
    2. Update the backplane of the cluster nodes.
    3. Bind the node to the nodegroup.
    [# 508828]
  • In a cluster nodegroup that has the "state" or "priority" parameter configured, the "show cluster nodegroup" command provides incorrect information about the active nodes and the backup nodes.
    [# 511918]
Configuration Utility
  • If you use the Safari browser on a Mac operating system to access an MPX-FIPS appliance, and then click Traffic Management > SSL > FIPS > ResetFIPS in the configuration utility, the configuration is saved but the appliance does not restart.
    Workaround: Use the NetScaler CLI to perform a warm restart. At the command prompt, type:
    reboot -f -w
    [# 533688, 533705]
  • In the configuration utility, if you select the Validate Credentials option while configuring a XenDesktop farm, the NetScaler ADC might display the following error message: "Username, password and ddc domain are required for Xen Desktop monitor."
    [# 528776]
Documentation
  • A user who launches the XenApp/XenDesktop wizard and creates a VPN virtual server is shown a check box for redirecting requests from HTTP to HTTPS. When the user selects the checkbox and enters the FQDN, VPN virtual server creation fails.
    Workaround: Do not select the check box. Use the CLI to add a load balancing virtual server on a nonstandard port, and set the redirect URL:
    add lb vserver <NameOfVserver> HTTP <NSIP/ VIP IP> <NonStandardPort> -redirectURL "https://FQDN"
    [# 547226]
Load Balancing
  • Azure's DNS server is marked DOWN when added as a UDP server. The problem does not occur if you specify TCP when adding the DNS server.
    [# 544030]
  • The NetScaler appliance ignores the replace_if_present_flag in the SMPP request (submit_sm) message. This flag is used if the submitted message should replace an existing message, so the appliance should forward the submitted message to the server to which an earlier message with the same criteria (same source, destination, and service type) was sent. Instead, the appliance forwards it to the server selected by the load balancing algorithm.
    [# 504085]
NetScaler GUI
  • In the NetScaler GUI, the page at System > Network > IPs does not display the Type for LSN NATIPs, and the value shown for Traffic Domain is incorrect.
    Workaround: Run the sh nsip command to display the values in the command line interface.
    [# 505121]
NetScaler Gateway
  • When "dynamicReceiveBuffering" is ENABLED in the default TCP profile, WorxHome may fail to connect to XenMobile server through NetScaler Gateway.
    Workaround: Disable dynamic receive buffering on the default TCP profile.
    [# 614726]
  • If you configure endpoint analysis policies on NetScaler Gateway, when users log on by using either Safari or Firefox web browsers and if Symantec Endpoint Protection is installed, the link to download the Endpoint Analysis Plug-in does not appear after the time expires. This only occurs when the setting Network Threat Protection in Symantec Endpoint Protection is enabled and if the Endpoint Analysis Plug-in is not previously installed. The failure is due to the Port Scan setting, which can be changed by using the instructions in the article "Built-in signatures for Symantec Endpoint Protection IPS" for Mac on Symantec's web site.
    [# 505075]
  • The pop-up messages for NetScaler Gateway Plug-in for Windows appear behind the active applications (such as browsers) on Windows 8.
    [# 511757]
  • If you enable and then disable the double hop option, a SOCKS mode ICA application fails to launch.
    [# 542245]
  • In Android devices, when users click the RDP link to download the RDP file through the NetScaler Gateway, download fails and the users are unable to launch the remote desktop.
    [# 527621]
  • When users connect, the DNS Service Location (SRV) records configured on NetScaler Gateway are not served.
    [# 464518, 467420]
NetScaler Insight Center
  • If you upgrade NetScaler Insight Center to release 10.5, build 55.8xxx.e, the compression ratio values are displayed as -NA-.
    [# 554960]
  • The current-connection details displayed on the NetScaler Insight Center dashboard have a latency of about 2 minutes.
    [# 536696]
  • If NetScaler Insight Center does not get a connection closure update for a particular connection ID, and the ID is reused, the source IP address of the previous connection might be displayed.
    [# 549679]
  • On the NetScaler Insight Center dashboard, the latency values displayed on the graph and the network topology diagram might not match due to time synchronization issues.
    [# 533063]
  • If a CloudBridge session is inactive, the WAN Insight node of NetScaler Insight Center continues to display older data.
    Workaround: Disable Database Cache Settings
    1. On the Configuration tab, in the navigation pane, click System, and in the right pane click Change Database Cache Settings.
    2. To clear the cache, select Reset Database Cache.
    3. To enable the cache, select Enable Database Cache.
    4. Click OK.
    [# 549601]
  • If you upgrade NetScaler Insight Center release 10.5 build 55.8004e to release 10.5 build 8xxx.e, the column names will not be displayed on the dashboard.
    Workaround: Click the Settings icon, and click "Go back to default."
    [# 553466]
  • If you change the GUI access setting from HTTPS (the default) to HTTP, NetScaler Insight Center might not display CloudBridge reports.
    [# 555132]
NetScaler SDX Appliance
  • In an SDX appliance, if you have a cluster or HA setup that has L2 mode enabled, when a node fails, the upstream switch continues sending Layer 2 mode traffic to that node until its bridge table entry times out on the upstream switch (default 300 seconds).
    Workaround: Reduce the MAC-address table ageing time on the upstream switch.
    [# 519500]
  • If an nsroot user uses the Management Service to edit the resource attributes of devices, and the resource validation is done from the tenant to which the device belongs, the resource validation fails while validating the CPU cores.
    [# 587187, 587318]
  • When a user with nsroot or similar privileges modifies a VPX instance that was originally created by a user from an admin domain, the modification might fail because of inadequate resources, even though the admin domain has enough resources.
    [# 587318]
NetScaler VPX Appliance
  • In rare circumstances, a NetScaler VPX instance deployed on Microsoft Azure cloud can dump kernel core after a warm restart.
    [# 559176]
Platform
  • When you create an LDAP action on the LDAP policy page, the GUI does not immediately include the action's name in the drop-down list.
    [# 540563]
  • Launching an application through CVPN mode with Receiver for HTML5 fails or takes a long time during some launches, and an attempt to launch through ICA proxy mode from an Internet Explorer browser fails.
    [# 559212]
  • The VIP address added when a virtual server is created is not removed when the virtual server is removed. The address continues to appear in the "show ip" command output. The same issue occurs with the "clear config extended" command.
    [# 539598]
  • The showtechsupport command reports permission errors while collecting debug information. The error messages can be ignored.
    [# 524176]
  • The /var/core directory might not be available for core dumps in some circumstances.
    [# 554865]
  • This release does not support Web Interface on NetScaler (WIonNS).
    [# 544257]
  • In full VPN mode, user logon through a Chrome browser generates an error page after the logon process, before app enumeration.
    [# 539815]
  • High availability session propagation is not supported in Azure. The NetScaler HA nodes can't maintain sessions across failover, because Azure disallows promiscuous mode. A NetScaler node can send or receive packets at only the original assigned IP address.
    [# 542196]
  • The MAC address of a VPX interface might change when a VPX instance in Azure Cloud is shut down and then restarted. Be sure to use the license utilities to obtain a Host ID when generating a license for VPX in Azure, rather than directly using the MAC address.
    [# 527117]
  • A VPN client does not receive a clean-up prompt when logging off.
    [# 541859]
  • The /var/core directory might not be available for core dumps in some circumstances.
    [# 523943]
Policies
  • A RADIUS response packet that a NetScaler ADC generates by applying a responder policy is limited to 1 NSB (1500 bytes). Therefore, jumbo packets are not supported for such responses.
    [# 521707]
SSL
  • Even though TLS protocol versions 1.1 and 1.2 are not supported by firmware version 1.1, the protocols incorrectly appear as enabled by default on an SSL virtual server.
    Workaround: Disable TLS1.1/1.2 explicitly on the virtual server.
    [# 576274]
  • FIPS keys that are created on firmware version 2.2 are lost after you downgrade to firmware version 1.1.
    Workaround: Export the FIPS keys before you downgrade the firmware. Import the FIPS keys after the downgrade.
    [# 559796]
  • Importing an RSA key as a FIPS key might fail.
    Workaround: Restart the appliance.
    [# 614225]
  • While adding a backend SSL service, TLS1.1/1.2 appear as enabled. However, TLS1.1/1.2 are not supported on backend SSL services.
    [# 598272]
  • You cannot update the FIPS firmware to version 2.2 by using the configuration utility.
    Workaround: Use the NetScaler command line to update the firmware.
    [# 557715]
System
  • In previous releases, evaluation of an interface-based expression was based on the information available in the connection block and in the individual frame. Now, only the information in the frame is considered, and this information can change during the course of a transaction. As a result, the evaluation might be incorrect.
    Workaround: Use VLAN-based expressions instead.
    [# 597312]
  • The initial client connection on the NetScaler appliance might fail if a wildcard virtual server is configured and the useProxyPort option is disabled globally on the appliance.
    [# 542776, 571357]
  • FTP connections through a TCP wildcard virtual server on the NetScaler appliance might fail for one of the following reasons:
    - A mismatch in TCP parameters is preventing the appliance from reusing the probe connection.
    - The server is sending data before the client-side TCP connection is established.
    [# 545858]
Telco
  • In an LSN deployment, FTP over Jumbo interfaces might not work.
    [# 503177]
Web Interface on NetScaler
  • If a SNIP address is added to a subnet other than the one that includes the NSIP address, loop-back services go down.
    [# 585655]
Load Balancing
  • The NetScaler appliance does not support an outbind operation. That is, the appliance does not support an operation in which the message center initiates an SMPP session to an ESME.
    [# 500169]
What's New in Previous NetScaler 10.5 Releases
The enhancements and changes that were available in NetScaler 10.5.e releases prior to Build 60.7004.e. The build number provided below the issue description indicates the build in which this enhancement or change was provided.
AAA-TM
  • The second factor user name field is now editable for SAML two-factor authentication. Previously, the user name was automatically filled in from the first factor, and could not be edited.
    [From Build 54.9009.e] [# 467330]
  • In a multi-domain AD environment, the NetScaler appliance is now able to detect an expired password and allows the user to change the expired password. You can do this without configuring LDAP referral.
    [From Build 57.7005.e] [# 563051]
AppExpert
  • RADIUS Responder Support
    The NetScaler ADC default expressions language now supports RADIUS expressions in Responder policies. You can use the new RADIUS expressions to construct simple responses, such as rejecting RADIUS requests from specific networks. Responder does not need to contact the RADIUS server to generate a response, so even if all RADIUS servers are down, it can send an error message to RADIUS requests instead of simply dropping those requests.
    For example, to create a Responder policy to block logins from the IP 10.224.85.130, you would type the following:
    > add responder action resp_act_radius_reject respondwith radius.new_accessreject
    > add responder policy resp_pol_radius_reject "radius.req.avp(4).value.eq(\"10.224.85.130\")" resp_act_radius_reject
    > bind responder global resp_pol_radius_reject 102 END -type RADIUS_REQ_OVERRIDE
    To add a responder policy label for policies containing RADIUS expressions, you use "-policylabeltype RADIUS" as shown below:
    > add responder policylabel <name> -policylabeltype RADIUS
    For a more complete description of RADIUS policy expressions and how they can be used, see the NetScaler documentation on AppExpert.
    [From Build 51.1017.e] [# 406254]
  • RADIUS Rewrite Support
    The NetScaler ADC default expressions language now supports RADIUS expressions in Rewrite policies. You can add new RADIUS attribute-value pairs (AVPs), delete AVPs, and replace AVPs with different AVPs before forwarding a request to the RADIUS server or a response to the client. You can use the new RADIUS expressions to rewrite connections between users authenticating to AAA-TM and the RADIUS authentication server. Among other things, you can:
    * Remove the "domain\" portion of the username attribute before sending the authentication request to the RADIUS server.
    * Insert vendor specific attributes, such as an MSISDN field used by a telephone company.
    * Rewrite RADIUS accounting values to fit a prescribed standard format, such as modifying the Calling-Station-Id so that it consists of a leading "1" followed by the ten-digit MDN value.
    * Insert the RADIUS Accounting "Called-Station-Id" AVP into the received message.
    The following types of Rewrite actions support RADIUS expressions:
    * INSERT_AFTER
    * INSERT_BEFORE
    * INSERT_AFTER_ALL
    * INSERT_BEFORE_ALL
    * DELETE
    * DELETE_ALL
    * REPLACE
    * REPLACE_ALL
    You can use any RADIUS expression in a Rewrite policy. Rewrite policies that contain RADIUS expressions are supported in both the request and response flows. Request policies are evaluated after Content Switching and Responder policies.
    You can bind request-side Rewrite policies that contain RADIUS expressions to the RADIUS_REQ_OVERRIDE and RADIUS_REQ_DEFAULT bind points, and response-side policies to the RADIUS_RES_OVERRIDE and RADIUS_RES_DEFAULT bind points. You can use the new RADIUS_REQ and RADIUS_RES elements when creating Rewrite policy labels with RADIUS expressions.
    To add a Rewrite action and policy to insert the Called-Station-ID AVP into the received message, and bind the policy to the RADIUS request override bind point, you could type the following commands:
    > add rewrite action rw_act_insert_csid insert_before radius.req.avp_end "radius.new_avp(34, RADIUS.REQ.AVP(30).VALUE)"
    > add rewrite policy rw_pol_insert_csid "RADIUS.IS_SERVER" rw_act_insert_csid
    > bind rewrite global rw_pol_insert_csid 20 NEXT -type RADIUS_REQ_OVERRIDE
    For a more complete description of RADIUS policy expressions and how they can be used, see the NetScaler documentation on AppExpert.
    [From Build 51.1017.e] [# 406252]
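What the RADIUS Responder and Rewrite features described above do at the packet level (RFC 2865 framing), shown as an added example that is not Citrix code and not part of the original release notes. It matches attribute 4 (NAS-IP-Address) the way the sample responder policy does and answers with an Access-Reject, and it performs the "remove the domain\ portion" rewrite on User-Name. The shared secret, the sample packet and all function names are constructed, and computing the Response Authenticator from a shared secret is the RFC 2865 rule, assumed here rather than taken from the page.

```python
import hashlib
import ipaddress
import struct

ACCESS_REQUEST, ACCESS_REJECT = 1, 3          # RFC 2865 packet codes
USER_NAME, NAS_IP_ADDRESS = 1, 4              # RFC 2865 attribute types


def parse_packet(data):
    """Split a RADIUS packet into (code, id, authenticator, [(type, value), ...])."""
    if len(data) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("bad RADIUS length field")
    avps, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated AVP header")
        avp_type, avp_len = data[pos], data[pos + 1]
        if avp_len < 2 or pos + avp_len > length:
            raise ValueError("bad AVP length")
        avps.append((avp_type, data[pos + 2:pos + avp_len]))
        pos += avp_len
    return code, ident, data[4:20], avps


def build_packet(code, ident, authenticator, avps):
    """Serialize a packet, recomputing every AVP length and the packet length."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in avps)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def access_reject(request, secret):
    """Build an attribute-less Access-Reject for the given request.
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    _, ident, request_auth, _ = parse_packet(request)
    header = struct.pack("!BBH", ACCESS_REJECT, ident, 20)
    return header + hashlib.md5(header + request_auth + secret).digest()


def responder(request, blocked_ip, secret):
    """Equivalent of radius.req.avp(4).value.eq(blocked_ip) -> new_accessreject.
    Returns the reject packet, or None when the policy does not match and the
    request would be forwarded to the RADIUS server."""
    for avp_type, value in parse_packet(request)[3]:
        if (avp_type == NAS_IP_ADDRESS and len(value) == 4
                and str(ipaddress.IPv4Address(value)) == blocked_ip):
            return access_reject(request, secret)
    return None


def strip_domain(request):
    """Rewrite: drop the 'domain\\' prefix from User-Name before forwarding.
    The Request Authenticator of an Access-Request is a random value, so it
    stays valid; a Message-Authenticator AVP (type 80), if present, would
    have to be recomputed because it covers the whole packet."""
    code, ident, authenticator, avps = parse_packet(request)
    rewritten = []
    for avp_type, value in avps:
        if avp_type == USER_NAME and b"\\" in value:
            value = value.split(b"\\", 1)[1]
        rewritten.append((avp_type, value))
    return build_packet(code, ident, authenticator, rewritten)


# Constructed sample: Access-Request, id 42, User-Name "CORP\alice",
# NAS-IP-Address 10.224.85.130 (the address used in the policy above).
SECRET = b"constructed-shared-secret"
SAMPLE_REQUEST = build_packet(
    ACCESS_REQUEST, 42, bytes(range(16)),
    [(USER_NAME, b"CORP\\alice"),
     (NAS_IP_ADDRESS, ipaddress.IPv4Address("10.224.85.130").packed)],
)

if __name__ == "__main__":
    print(responder(SAMPLE_REQUEST, "10.224.85.130", SECRET).hex())
    print(parse_packet(strip_domain(SAMPLE_REQUEST))[3])
```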
Application Firewall
  • Citrix application firewall has now extended the protection capability to secure applications that use GWT. The application firewall understands and interprets GWT RPC requests, inspects the payload for security check violations, and takes specified actions. Web servers following GWT RPC mechanisms can now be secured by the Citrix application firewall without a need for any specific configuration to enable the GWT support.
    [From Build 53.9010.e] [# 447145]
  • Citrix application firewall uses the positive security logic to mitigate zero day attacks. In addition to recommending the configured Field Type, the learning engine now provides recommendations for a Character-Map, based on the observed traffic pattern. A Character-Map is a set of all characters that are allowed in the input field. The learned rules can be deployed either using the Field Type or the Character-Map for specifying the Field Format of a form field.
    [From Build 53.9010.e] [# 450323, 483668]
  • The application firewall now supports logging of the complete HTML request when a request time security check violation is detected. You can collect the trace for a specific profile and see the triggered log message in the corresponding trace record.
    [From Build 53.9010.e] [# 449486]
  • Support for ongoing learning for the currently deployed Field Formats has been added to the application firewall. Before this enhancement, if a form field had a deployed Field Format rule, the learning engine stopped recommending new rules. After this enhancement, learning continues and new recommendations are suggested based on all the observed values for a particular form field. Deploying a learned field format rule from the configuration utility overwrites any existing binding.
    [From Build 53.9010.e] [# 450326, 483677, 513927]
Cluster
  • Nodegroup for Datacenter Redundancy
    A cluster nodegroup can now be configured to provide datacenter redundancy. In this use case, nodegroups are created by logically grouping the cluster nodes. You must create active and spare nodegroups. When the active nodegroup goes down, the spare nodegroup which has the highest priority (the lower priority number) is made active and it starts serving traffic.
    For more information, see http://docs.citrix.com/en-us/netscaler/11/system/clustering/cluster-managing/cluster-nodegroups-datacenter-redundancy.html.
    [From Build 52.1115.e] [# 495019]
  • BridgeGroups are now supported in a NetScaler cluster deployment.
    [From Build 52.1115.e] [# 494991]
DNS
  • Support to retain the Checking Disabled (CD) bit in a DNSSEC query
    If you configure the ADC as a DNS proxy to load balance DNSSEC aware resolvers (servers), you must set the Recursion Available option while configuring the DNS virtual server. If a DNSSEC query arrives with Checking Disabled (CD) bit set, the query is passed on to the server with the CD bit retained and the response from the server is not cached. In earlier releases, the ADC unset the CD bit before passing it to the server and also cached the server response.
    [From Build 53.9010.e] [# 458313]
GSLB
  • Viewing the configuration details of the entities bound to a GSLB domain
    You can now view the configuration details of the entities bound to a GSLB domain. The details include the configuration of the virtual servers, services, and the monitors bound to the GSLB domain. To view the details, you can use either the command line or the configuration utility.
    For more information, see http://docs.citrix.com/en-us/netscaler/10-5/ns-tmg-wrapper-10-con/netscaler-gslb-gen-wrapper-10-con/ns-gslb-config-con/ns-gslb-bind-dom-vsvr-tsk.html.
    [From Build 52.1115.e] [# 343525]
  • Support for the IP geolocation databases from MaxMind
    The NetScaler ADC now includes an IP geolocation database, GeoLite2 (published by MaxMind). The database is available in a format supported by NetScaler ADC at: /var/netscaler/inbuilt_db/Citrix_Netscaler_InBuilt_GeoIP_DB.csv.
    You can use this IP geolocation database as the location file for the static proximity based GSLB method or in location based policies.
    Note: The ADC includes the GeoLite2 database available from http://www.maxmind.com.
    [From Build 52.1115.e] [# 438615]
  • You can now clear the statistics of a GSLB virtual server and service. NetScaler ADC provides the following two options to clear the statistics:
    - Basic: Clears the statistics that are specific to the virtual server but retains the statistics that are contributed by the bound GSLB service.
    - Full: Clears both the virtual server and the bound GSLB service statistics.
    For more information, see http://docs.citrix.com/en-us/netscaler/10-5/ns-tmg-wrapper-10-con/netscaler-gslb-gen-wrapper-10-con/ns-gslb-config-con/ns-gslb-config-vsvr-tsk.html.
    [From Build 52.1115.e] [# 257670]
Large Scale NAT
  • Large Scale Network Address Translation
    The NetScaler ADC now supports NAT44 Large Scale NAT (LSN) and is compliant with RFC 6888, 5382, 5508, and 4787.
    The phenomenal growth of the internet has resulted in a shortage of public IPv4 addresses. CGN provides a solution to this issue by maximizing the use of available public IPv4 addresses, sharing a few public IPv4 addresses among a large pool of Internet users. CGN is a collection of technologies and NAT44 is one of them.
    NAT44 LSN translates private IPv4 addresses into public IPv4 addresses. It includes network address and port translation methods to aggregate many private IP addresses into fewer public IPv4 addresses. NAT44 LSN is designed to handle NAT at large scale.
    The LSN feature of the NetScaler ADC is very useful for Internet Service Providers (ISPs), carriers, and in enterprise data centers, providing millions of translations to support a large number of users, and at very high bandwidth throughput.
    Note: Large Scale NAT is also called Carrier Grade NAT.
    The following are some of the sub-features of LSN on a NetScaler ADC:
    * Mapping: Support of Endpoint-independent mapping (EIM), Address-dependent mapping (ADM), and Address-Port dependent mapping.
    * Filtering: Support of Endpoint-independent filtering (EIF), Address-dependent filtering, and Address-Port-dependent filtering.
    * Quotas: Configurable limits on number of ports and sessions per subscriber.
    * Static Mapping: Support of manually defining an LSN mapping.
    * Hairpin Flow: Support for communication between subscribers or internal hosts using public IP addresses.
    * ALGs: Support of Application Layer Gateway (ALG) for FTP, ICMP, and TFTP protocols.
    * LSN Clients: Support for specifying or identifying subscribers for LSN NAT by using IPv4 addresses and extended ACL rules.
    * Deterministic/Fixed NAT: Support for pre-allocation of a block of ports to subscribers for minimizing logging.
    * Logging: Support for logging LSN session for law enforcement.
    [From Build 51.1017.e] [# 316909]
Load Balancing
  • Support for SIP Load Balancing over TCP/TLS
    The NetScaler ADC now supports load balancing SIP traffic over TCP or TLS. To configure your ADC to load balance SIP requests to a group of SIP proxy servers, create a load balancing virtual server with the load balancing method and the type of persistence set to one of the following combinations:
    - Call-ID hash load balancing method with no persistence setting
    - Call-ID based persistence with least connection or round robin load balancing method
    - Rule based persistence with least connection or round robin load balancing method
    Also, a number of new default syntax expressions have been added that operate on SIP connections. These expressions can be bound only to SIP based (sip_udp, sip_tcp or sip_ssl) virtual servers, and to global bind points. You can use these expressions in content switching, rate limiting, responder, and rewrite policies.
    [From Build 51.1017.e] [# 413074, 246718, 501281]
  • Support for SMPP Load Balancing
    The NetScaler ADC now supports SMPP load balancing and provides optimal distribution of SMS requests across your servers, preventing poor performance and outages. To configure your ADC for SMPP load balancing, add an ESME as a user on the ADC, configure an SMPP load balancing virtual server and service, and specify a custom server ID in the service configuration.
    A new monitor of type SMPP is available to monitor SMPP servers. This monitor opens a TCP connection and sends an enquire_link packet to check the status of the server. Depending on the success or failure of the probe, the service is marked as UP or DOWN.
    [From Build 51.1017.e] [# 413106]
  • New Trap for Spillover
    If you have configured spillover on a virtual server and also configured a trap listener on the appliance, an SNMP trap is now sent to the trap listener when the virtual server experiences spillover. The trap message displays the name of the virtual server that experienced the spillover, the spillover method, the spillover threshold, and the current spillover value. If the spillover is policy based, the rule causing it appears in the Spillover Threshold field. If the virtual server is DOWN or disabled, the status message "vserver not up" appears in the trap message.
    [From Build 53.9010.e] [# 486268, 475400]
NetScaler Gateway
  • If users are logged on with Citrix Receiver and the server running the Secure Ticket Authority (STA) becomes unavailable, the STA ticket does not refresh and session reliability fails. To fix this problem, upgrade NetScaler Gateway to Version 10.5 Build 51.10xx.e. This release supports configuring multiple STA servers on NetScaler Gateway.
    [From Build 51.1017.e] [# 404522]
  • Users can connect with single sign-on to Remote Desktop (RDP) connections through NetScaler Gateway.
    [From Build 51.1017.e] [# 422442]
  • You can configure content switching on the NetScaler Gateway appliance. When users connect, the appliance terminates SSL connections and then does content switching prior to honoring policies on NetScaler Gateway. For more information about content switching, see Content Switching in the NetScaler documentation.
    The following example contains the general steps for configuring content switching with NetScaler Gateway:
    1. Configure the NetScaler Gateway virtual server.
    2. Configure internal load balancing virtual servers for any traffic that is being content switched.
    3. Define the services over which connections communicate and then bind the services to the load balancer. For example, you can use the following commands:
    > add service artemis_xm 19.70.1.2 HTTP 443
    > add service sharefile_service 10.70.1.3 HTTP 443
    > bind lb vserver lb_appc artemis_xm
    > bind lb vserver lb_sharefile sharefile_service
    4. Define the URLs with specific patterns to go to one of the two internal load balancers. All other network traffic goes to NetScaler Gateway. For example, you can use the following commands:
    > add cs action appc_cs -targetLBVserver lb_appc
    > add cs action sharefile_cs -targetLBVserver lb_sharefile
    > add policy patset cs_list
    > bind policy patset cs_list "/zdm/"
    > bind policy patset cs_list "/devicecheck"
    > add cs policy appc_cs -rule "http.req.uri.contains_any(cs_list)" -action appc_cs
    > bind vpn vserver artemis_ng -policy appc_cs -priority 10
    > add cs policy sharefile_cs "http.req.url.startswith('/sharefile')...
    > bind vpn vserver artemis_ng -policy sharefile_cs -priority 11
    [From Build 51.1017.e] [# 438365]
  • Users can log on to NetScaler Gateway by using Risk-Based Authentication that is part of delegated forms authentication support in StoreFront.
    [From Build 51.1017.e] [# 448538, 477473]
  • Upgrading EPA libraries from NetScaler configuration utility
    The NetScaler configuration utility now provides a one-click wizard for upgrading EPA libraries. This wizard helps the admin upgrade EPA libraries without upgrading or even rebooting the appliance.
    How to upgrade:
    1. Download the latest EPA library package from the Citrix Download website on a machine where you have access to NetScaler configuration utility.
    2. On the NetScaler configuration utility, navigate to NetScaler Gateway > Upgrade EPA libraries.
    3. Click Browse, select the downloaded EPA library package, and click Upgrade. This starts the upgrade process.
    4. After the upgrade is complete, the screen becomes accessible again and shows the updated library version.
    5. To view and configure the EPA scans of the newer library, refresh the configuration page. After the page refresh, the Opswat EPA wizard shows the newer EPA scans, which can be configured right away.
    Effect of EPA library upgrade on user (client) systems:
    - Windows: When a Windows user runs EPA for the first time after the EPA libraries are upgraded, the EPA (or VPN) plug-in downloads the newer Windows EPA library in the background and caches it. Because the download happens in the background, users do not notice anything during the EPA scan.
    - Mac: On Mac, the EPA and VPN plug-ins on the NetScaler appliance are upgraded as part of the EPA libraries upgrade. When a Mac user runs EPA for the first time after the EPA libraries are upgraded, the EPA plug-in, the VPN plug-in, or both are upgraded.
    The user therefore sees a download prompt for the EPA plug-in, an automatic upgrade of the VPN plug-in, or both.
    After the plug-in is upgraded, EPA works normally.
    [From Build 52.1115.e] [# 504584]
  • In addition to the logon page with the user name and password fields, the NetScaler ADC now offers an advanced logon page with support for dynamic form providers for interactive authentication. The dynamic form providers on the advanced logon page can be invoked if you use the Citrix default syntax to configure authentication policies.
    [From Build 52.1115.e] [# 477616]
  • Disconnecting ICA Connections
    You can end ICA connections by using the NetScaler Gateway configuration utility or the command-line interface.
    [From Build 52.1115.e] [# 377266]
  • NetScaler Gateway does not support single sign-on (SSO) to public servers unless single sign-on is enabled in a traffic profile or split tunneling is enabled.
    [From Build 53.9010.e] [# 518414]
  • The NetScaler AAA module now supports SRV-REC lookups for LDAP server referrals.
    [From Build 54.9009.e] [# 465887]
  • NetScaler Gateway now honors the PresharedKey setting in the RDP server profile, and uses this key to encrypt data sent to the STA server, in a dual gateway RDP proxy deployment.
    [From Build 54.9009.e] [# 537854]
  • The RDP Proxy feature on NetScaler Gateway now requires special licensing, and needs to be explicitly enabled using the 'enable feature rdpproxy' command. In addition, the 'psk' attribute, used to protect the user information sent to the STA server, is now mandatory whenever an rdpserverprofile is configured.
    [From Build 58.1108.e] [# 543064, 518094, 527616]
  • NetScaler Gateway provides an RDP enforcement feature. NetScaler administrators can disable RDP capabilities through the NetScaler Gateway configuration.
    The following are configurable as part of the RDP client profile.
    - Redirection of ClipBoard
    - Redirection of Printers
    - Redirection of Disk Drives
    [From Build 58.1108.e] [# 581578]
  • Enhancing the RDP Proxy messages to include information concerning the controls that are in place at connection.
    [From Build 58.1108.e] [# 593412]
NetScaler Insight Center
  • You can now configure NetScaler Insight Center to display HTTP header metrics. Each set of metrics that you specify appears in a separate node in the Web Insight report on the dashboard.
    To enable HTTP header report setting:
    1. On the Configuration tab, click System.
    2. In the System Settings group, click Change HTTP Header Report Settings, and select the reports to display.
    [From Build 52.1115.e] [# 465733]
NetScaler SDX Appliance
  • SDX Bandwidth Metering
    Bandwidth metering provides the flexibility to dynamically allocate the bandwidth among various NetScaler instances. Dynamic bandwidth allocation helps in distributing unused bandwidth of an instance to other instances and at the same time ensuring that each instance always gets the minimum allocated bandwidth.
    Bandwidth metering also allows an administrator to monetize available bandwidth on the NetScaler SDX through a consumption based usage model. The enhancement also includes logging and reporting of bandwidth usage, in addition to allocation of bandwidth. The bandwidth usage can be viewed using various graphs.
    [From Build 51.1017.e] [# 418076]
  • Resource Allocation using NetScaler SDX Administrative Domains
    NetScaler SDX administrative domains give you the capability to create multiple administrative domains. Creating domains allows the administrator to segregate resources by department in the organization. This provides better control over resources and how they are distributed among the domains for optimal use.
    [From Build 51.1017.e] [# 250235]
  • NetScaler SDX now provides support for two data interfaces for Trend Micro IWSVA virtual machine. It also provides support for configuring VLAN on data interfaces.
    [From Build 56.1505.e] [# 558146]
  • Option to Disable nsrecover Login Account
    Using the Management Service interface, you can now disable the nsrecover login account. To disable the nsrecover login account, navigate to "Configuration > System > Configure System Settings" and clear the "Enable nsrecover Login" check box.
    [From Build 59.1305.e] [# 576375]
  • Updated Encryption Method
    The management service now uses the SHA512 encryption method to encrypt the nsrecover passwords stored on the SDX appliance.
    [From Build 59.1305.e] [# 576379, 578112]
Networking
  • The NetScaler ADC now supports Network Interface Card (NIC) bundling in a high availability configuration. With this enhancement, a single IP address and MAC address can be shared by a primary and a secondary interface. For example, as long as the primary interface is up, all the traffic flows through it. If the primary interface goes down, or if its priority changes such that the secondary interface has a higher priority, the secondary interface takes over and uses the same IP address and MAC address.
    [From Build 52.1115.e] [# 355237, 186503, 249551]
  • You can now set the value by which the VRRP priority of a vrID parameter is decremented or incremented when the status of an interface goes down or up respectively.
    [From Build 53.9010.e] [# 512848]
  • You can now configure the dead interval parameter of hello messages for sending VRRP advertisements.
    [From Build 53.9010.e] [# 512845]
  • You can now configure the hello interval parameter for sending VRRP (Virtual Router Redundancy Protocol) advertisements.
    [From Build 53.9010.e] [# 512843]
  • Stateful Connection Failover Support for RNAT
    Connection failover helps prevent disruption of access to applications deployed in a distributed environment. The NetScaler appliance now supports stateful connection failover for connections related to RNAT rules in a NetScaler High Availability (HA) setup.
    In an HA setup, connection failover (or connection mirroring) refers to the process of keeping an established TCP or UDP connection active when a failover occurs. The primary appliance sends messages to the secondary appliance to synchronize current information about the RNAT connections. The secondary appliance uses this connection information only in the event of a failover. When a failover occurs, the new primary NetScaler appliance has information about the connections established before the failover and hence continues to serve those connections even after the failover. From the client's perspective this failover is transparent. During the transition period, the client and server may experience a brief disruption and retransmissions.
    Connection failover can be enabled per RNAT rule. To enable connection failover on an RNAT rule, enable the connFailover (Connection Failover) parameter of that specific RNAT rule by using either the NetScaler command line or the configuration utility. Also, you must disable the tcpproxy (TCP Proxy) parameter globally for all RNAT rules in order for connection failover to work properly for TCP connections.
    [From Build 59.1305.e] [# 457167]
SSL
  • Support for Thales nShield(R) HSM
    All NetScaler MPX, SDX, and VPX appliances except the MPX 9700/10500/12500/15500 appliances now support the Thales nShield(R) Connect external Hardware Security Module (HSM). With a Thales HSM, the keys are securely stored as application key tokens on a remote file server and can be reconstituted only inside the Thales HSM. Thales HSMs comply with FIPS 140-2 Level 3 specifications.
    Note: Thales integration with the ADC is currently supported for TLS version 1.0.
    [From Build 52.1115.e] [# 440351, 477544]
  • Support for TLS protocol version 1.1 and 1.2 on MPX 9700/10500/12500/15500 FIPS Appliances
    FIPS firmware version 2.2 supports TLS protocol versions 1.1 and 1.2. From the command line, you can update the firmware version of the FIPS card of a NetScaler MPX 9700/10500/12500/15500 FIPS appliance from version 1.1 to version 2.2.
    For successful SIM key propagation from primary to secondary in a high availability (HA) pair, the Cavium firmware version on each appliance should be identical. Perform the firmware update on the secondary appliance first. If executed on the primary appliance first, the long-running update process causes a failover.
    Limitations
    - Secure renegotiation is supported only on SSL virtual servers and front-end SSL services.
    - Creating a certificate signing request by using a key that was created on firmware version 1.1 and updated to firmware version 2.2 fails.
    - You cannot create a 1024-bit RSA key on firmware version 2.2. However, if you have imported or created a 1024-bit FIPS key on firmware version 1.1 and you then update to firmware version 2.2, you can use that FIPS key on firmware version 2.2.
    - Secure renegotiation using SSLv3 protocol is not supported.
    For more details about this update, see http://docs.citrix.com/en-us/netscaler/11/traffic-management/ssl/fips/update-fipscard-firmware-version_2_2.html.
    [From Build 58.1108.e] [# 461099, 329027]
  • Support for TLS Protocol Version 1.1 and 1.2 on the backend on the NetScaler MPX, MPX-FIPS, and SDX Appliances
    The NetScaler MPX appliance now supports TLS versions 1.1 and 1.2 on the backend.
    MPX-FIPS appliances running firmware version 2.2 also support TLS versions 1.1 and 1.2 on the backend.
    On an SDX appliance, TLS versions 1.1 and 1.2 are supported on the backend only if an SSL chip is assigned to the VPX instance.
    [From Build 59.1305.e] [# 494082, 566364]
System
  • The RADIUS accounting ID is now logged as an ASCII string instead of as a binary value in the NetScaler auditlog records.
    [From Build 54.9009.e] [# 534257]
  • Support for Configuring a Proxy Server to Install Licenses
    You no longer have to configure internet connectivity on the NetScaler appliance in order to use a hardware serial number or license activation code to allocate a NetScaler license. Instead, you can use a proxy server.
    On the NetScaler GUI, navigate to Configuration > System > Licenses > Manage Licenses > Add a New License, select the Connect through Proxy Server check box, and specify the IP address and port of your proxy server.
    [From Build 59.1305.e] [# 541474]
Fixed Issues in Previous NetScaler 10.5 Releases
The issues that were addressed in NetScaler 10.5.e releases prior to Build 60.7004.e. The build number provided below the issue description indicates the build in which this issue was addressed.
AAA-TM
  • The NetScaler appliance can crash if there is an authentication failure in 401-based authentication when web authentication is used.
    [From Build 55.8007.e] [# 527131]
AppFlow
  • Applications might fail to launch if you enable AppFlow for ICA on a NetScaler appliance and TCP options are present in the ICA packets.
    [From Build 55.8007.e] [# 511618, 527169, 536450, 542715]
  • The NetScaler Insight Center dashboard displays the WAN latency value as zero until the CloudBridge appliance acquires a number of traffic samples.
    [From Build 58.1108.e] [# 553170]
Application Firewall
  • If a user-created signature has an uppercase character in the name, the application firewall profile bound to the signature is not saved in the configuration during an upgrade from a release 10.1 build to a release 10.5 build. If a user creates a signature name with uppercase characters, release 10.1 stores it that way. But in release 10.5, the signature name is converted to a lowercase string in the database. As a result of the database mismatch, the command to add the application firewall profile fails during an upgrade to a release 10.5 build.
    [From Build 53.9010.e] [# 511657, 512129]
  • For accurate handling of international characters, the appropriate default charset must be configured for the application firewall profile to process requests that do not have charset specifications.
    [From Build 53.9010.e] [# 524231]
  • If the NetScaler application firewall receives a request with a percent-encoded space character, such as "login%20name" for a form field named login name, the deployed learned rule containing the encoded character (%20) fails to work as a relaxation rule. With this fix, relaxation rules with percent-encoded characters work as expected.
    [From Build 53.9010.e] [# 315183]
  • During upgrade from release 10 to 10.1, the names of the application firewall learning database files with uppercase or mixed case characters get converted to all lowercase characters. This results in two sets of database files and breaks the learned rule functionality. With this fix, learning data can be successfully retrieved after upgrade for profiles with names in mixed case characters.
    [From Build 53.9010.e] [# 446134, 483207]
  • If a response contains href links that include query parameters, the NetScaler application firewall triggers false positives for CSRF and form field consistency violations if these links are accessed. With this fix, if CSRF or Field Consistency checks are enabled, the URLs in the hrefs are added to the URL Closure table even if startURL Closure is not enabled.
    [From Build 53.9010.e] [# 488369]
  • When performing the SQL Injection inspection or the Cross Site Scripting violation inspection, the NetScaler application firewall transforms the target characters in the name as well as the value part of the form field. However, when the streaming code is engaged, the transform operation is carried out only for the submitted values, not for the form field names. With this fix, the field names are also evaluated for the transform operation in streaming mode. Special SQL characters or Cross Site Scripting tags are now transformed in the form field names as well as the form field values in both streaming and non-streaming mode.
    [From Build 54.9009.e] [# 496526]
  • An "Operation timed out" error is displayed intermittently in the CLI and the configuration utility when viewing learned rules.
    [From Build 54.9009.e] [# 527190]
  • When the cookie consistency check is deployed in proxying mode, the application firewall does not expire the cookies as expected. This occurs when the server sends the Set-Cookie header without the domain information. Protected resources are vulnerable to access through reuse of these cookies after the session has expired.
    [From Build 56.1505.e] [# 548577]
  • When binding a signature to an application firewall profile, the NetScaler appliance might fail if it is under memory pressure.
    [From Build 56.1505.e] [# 559060]
  • When any form protection check is enabled and the default request content-type parameter of the application firewall profile is not configured, an incoming request without a content-type header is treated as a form, even if it is not a form. The transfer-encoding header gets deleted, and a content-length header gets added, but the request is forwarded to the server as a chunked request. The server is unable to process the chunked data and determines it to be a bad request. With this fix, the form analysis is carried out only when "multipart/form-data", or "application/x-www-form-urlencoded" content type is either specified in the request or set as the default request content type in the profile that is applied when the content-type is not specified in the request.
    [From Build 56.1505.e] [# 559348]
  • If a large number of long standing sessions expire and are freed during application firewall processing, a tight-loop condition might occur, causing the NetScaler appliance to fail.
    [From Build 56.1505.e] [# 550657]
  • The NetScaler appliance might become unresponsive when processing a request, because of an interoperability issue between the application firewall, SSL, and the responder module. The issue arises under the following set of circumstances:
    - The configuration includes an application firewall profile protecting an SSL virtual server.
    - A responder policy is configured to reset the connection, and this policy is bound either globally or to the virtual server that receives the request.
    [From Build 58.1108.e] [# 592429]
  • In release 10.5.e (enhancement builds only) as well as in the 11.0 release builds, application firewall processing of the Cookie header was changed. In those releases, every cookie is evaluated individually, and if the length of any one cookie received in the Cookie header exceeds the configured BufferOverflowMaxCookieLength, the Buffer Overflow violation is triggered. As a result of this change, requests that were blocked in 10.5 and earlier release builds might be allowed, because the length of the entire cookie header is not calculated for determining the cookie length. In some situations, the total cookie size forwarded to the server might be larger than the accepted value, and the server might respond with "400 Bad Request".
    With this fix, the change has been reverted. The behavior is now similar to that of the non-enhancement builds of release 10.5. The entire raw Cookie header is now considered when calculating the length of the cookie. Surrounding spaces and the semicolon (;) characters separating the name-value pairs are also included in determining the cookie length.
    [From Build 59.1305.e] [# 614449]
  • The application firewall might experience a transient low-memory condition during a traffic surge if advanced security check protections (such as Form Field consistency, CSRF, form tagging and so on, which require rewriting the HTML forms in the response) are enabled for the profiles. This might result in a memory leak, and memory allocation failures might occur even after the traffic surge subsides.
    [From Build 59.1305.e] [# 598776, 597952]
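    An added illustration (not Citrix code) of the two Cookie-length semantics contrasted in the Cookie header item above [# 614449]: per-cookie evaluation versus the entire raw Cookie header. The limit of 64, the sample headers, and measuring each cookie as its trimmed name=value pair are assumptions made for the demo.

```python
"""Per-cookie vs. whole-header Cookie length checks (added example)."""
from dataclasses import dataclass

# Assumed demo limit; on the appliance this role is played by the profile's
# BufferOverflowMaxCookieLength setting.
MAX_COOKIE_LENGTH = 64

# Constructed Cookie header values (not captured traffic).
SAMPLES = {
    "small": "sid=abc123; theme=dark",
    "one_big": "sid=" + "A" * 80,
    "many_small": "; ".join("c%d=%s" % (i, "x" * 10) for i in range(10)),
    "padded": " " * 60 + "sid=abc",
}


def split_cookies(raw_value):
    """Split a raw Cookie header value into trimmed name=value pairs."""
    return [part.strip() for part in raw_value.split(";") if part.strip()]


def longest_cookie(raw_value):
    """Per-cookie semantics: length of the longest single name=value pair."""
    return max((len(c) for c in split_cookies(raw_value)), default=0)


def header_length(raw_value):
    """Whole-header semantics: the raw value as received, with surrounding
    spaces and the ';' separators counted."""
    return len(raw_value)


@dataclass
class Verdict:
    per_cookie_blocks: bool
    whole_header_blocks: bool

    @property
    def only_whole_header_blocks(self):
        # True for requests that the per-cookie evaluation lets through
        # although the total Cookie header exceeds the limit.
        return self.whole_header_blocks and not self.per_cookie_blocks


def evaluate(raw_value, limit=MAX_COOKIE_LENGTH):
    """Return the verdict of both evaluation modes for one header value."""
    return Verdict(
        per_cookie_blocks=longest_cookie(raw_value) > limit,
        whole_header_blocks=header_length(raw_value) > limit,
    )


def find_divergent(samples, limit=MAX_COOKIE_LENGTH):
    """Names of samples that pass per-cookie checks but exceed the limit
    when the entire raw header is measured."""
    return [name for name, raw in samples.items()
            if evaluate(raw, limit).only_whole_header_blocks]


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        v = evaluate(raw)
        print("%-11s longest=%3d header=%3d per_cookie_blocks=%s whole_header_blocks=%s"
              % (name, longest_cookie(raw), header_length(raw),
                 v.per_cookie_blocks, v.whole_header_blocks))
    print("divergent:", find_divergent(SAMPLES))
```

    The "many_small" and "padded" samples are the cases the item describes: no single cookie exceeds the limit, yet the header forwarded to the server does.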
CloudBridge
  • IPv6 management access was blocked when it arrived on an accelerated bridge.
    [From Build 56.1505.e] [# 558960]
CloudBridge Connector
  • A memory leak might occur on the NetScaler ADCs of a CloudBridge Connector tunnel when monitor probes of a service that is bound to an HTTP or SSH load balancing virtual server are sent through the tunnel.
    [From Build 52.1115.e] [# 512191, 513775]
Command Line Interface
  • The user monitor scripts that use SOAP::Lite might not work.
    [From Build 53.9010.e] [# 503214]
GSLB
  • Support for the IP geolocation databases from MaxMind
    The NetScaler ADC now includes an IP geolocation database, GeoLite2 (published by MaxMind). The database is available in a format supported by NetScaler ADC at: /var/netscaler/inbuilt_db/Citrix_Netscaler_InBuilt_GeoIP_DB.csv.
    You can use this IP geolocation database as the location file for the static proximity based GSLB method or in location based policies.
    Note: The ADC includes the GeoLite2 database available from http://www.maxmind.com.
    [From Build 55.8007.e] [# 438615]
Large Scale NAT
  • LSN Statistics are not available in the configuration utility or the dashboard utility.
    [From Build 52.1115.e] [# 502655]
  • In a high availability LSN deployment with LSN port block Allocation and LSN session synchronization options enabled, the NetScaler ADC might not synchronize LSN sessions information to the secondary node if the information is related to subscribers that are being allocated a NAT port block.
    [From Build 52.1115.e] [# 504450]
  • In a high availability LSN deployment, with LSN port block size set for an LSN group, the secondary node might become unresponsive.
    [From Build 52.1115.e] [# 506377]
Load Balancing
  • The following SIP parameters cannot be configured from the NetScaler configuration utility (that is, from Traffic Management > Load Balancing > Change SIP Settings):
    - RNAT secure source port
    - RNAT secure destination port
    Workaround: These parameters can be set by using the "set lb sipParameters -rnatsecuresrcport <port> -rnatsecuredstport <port>" command.
    [From Build 52.1115.e] [# 504856]
  • The NetScaler ADC does not forward a queued alert_notification message to an ESME even after the ESME becomes available.
    [From Build 52.1115.e] [# 501658]
  • If the NetScaler appliance sends a trap indicating spillover on a virtual server whose name is longer than 114 characters, the trap listener (destination) logs a "bad type returned" message, but the message in the ns.log file is correct.
    [From Build 54.9009.e] [# 528559]
  • The output of the "show lb vserver -format text" command shows even parameters that are not applicable to the virtual server type.
    [From Build 56.1505.e] [# 550177]
  • In a load balancing group configuration, the "sh run" command sometimes runs in a loop, which exponentially increases the size of the temporary configuration file. As a result, saving the configuration and synchronizing the nodes in a high availability setup might fail.
    [From Build 58.1108.e] [# 587812, 598499, 601918]
NS-CBC
  • In an IPSec tunnel, the NetScaler appliance might remove sessions between client and server before encrypting (IPSec) DNS response packets, resulting in the loss of these DNS packets in the tunnel.
    [From Build 58.1108.e] [# 587718]
NetScaler Gateway
  • After installing Microsoft Security Bulletin MS14-080 (KB3025390) for Internet Explorer 11, when users attempt to log on to a NetScaler Gateway virtual IP with endpoint analysis, either as pre-authentication or post-authentication check, the endpoint analysis fails and the buttons Download or Skip Check appear in the browser.
    [From Build 54.9009.e] [# 527757]
  • For two-factor authentication, when changing the second factor username from the username provided for the first factor, the authentication fails in an nCore system.
    [From Build 54.9009.e] [# 540234]
  • In releases earlier than version 4.18.9, the Citrix DNE LWF driver can send spurious packets that have random MAC addresses. As a result, a switch port configured to allow only one MAC address might shut down.
    [From Build 54.9009.e] [# 460915]
  • For JRE (Java Runtime Environment) 7 update 51 or later: These JRE versions display a security warning, or the plugin launch is blocked, when the NetScaler Gateway for Java is launched.
    [From Build 54.9009.e] [# 491076, 535339]
  • In a high availability deployment, if the NetScaler Gateway virtual server is missing on the secondary appliance, NetScaler Gateway fails during session propagation.
    [From Build 54.9009.e] [# 481889, 486176, 501408, 533390]
  • NetScaler appliances experienced NSPPE crashes due to the presence of a stale grp_names pointer in dummy_session.
    [From Build 54.9009.e] [# 539015]
  • Delegated Forms Authentication (DFA) does not work. The DFA server responds with 400 Bad Request when DFA is attempted by NetScaler Gateway. This is a regression; build 10.5.52.1115.e works fine.
    [From Build 54.9009.e] [# 525626]
  • The RDP file is not generated if the first bound STA server is DOWN, because the stateless RDP Proxy logic always uses the first bound STA server.
    [From Build 54.9009.e] [# 531742]
  • When the Internet Explorer proxy setting is used and auto-proxy scripts are configured, the auto-proxy URL is unreachable at the time of VPN establishment. The VPN plugin uses the proxy server from the manual proxy server setting even if that setting is disabled.
    [From Build 54.9009.e] [# 531520]
  • After the VPN tunnel is established, external websites fail to load intermittently under the following conditions:
    - The enable_vpn_dnstruncate_fix nsapimgr flag is set on the NetScaler.
    - DNS servers on the NetScaler are configured to send a negative DNS response for external DNS queries.
    - Split DNS is set to both.
    [From Build 54.9009.e] [# 524028]
  • NetScaler Gateway can crash in the ns_handle_free_sta_resources() function in certain cases when multiple users are performing RDP launches/logoffs while the STA server goes down and comes back up. This issue is related to STA handling specifically for RDP Proxy functionality.
    [From Build 54.9009.e] [# 533923]
  • When NetScaler Gateway is used for RDP access, authentication to the backend RDP server fails for some users.
    [From Build 54.9009.e] [# 532331]
  • NetScaler Gateway now applies Authorization policies to RDP traffic flowing through the gateway.
    [From Build 54.9009.e] [# 533645]
  • NetScaler appliances experienced an NSPPE crash. The crash happens due to the combination of the following features: AccessGateway processing DNS packets from the AG client when IntranetIP (IIP) is configured, Software ReceiveSideScaling (RSS), and Core2Core (C2C) system overload.
    [From Build 54.9009.e] [# 540393]
  • When NetScaler Gateway is used to secure RDP access, the RDP client connection to the backend server can time out if the server is accessed via FQDN.
    [From Build 54.9009.e] [# 532543]
  • In a high-availability (HA) configuration, the secondary appliance may fail occasionally due to a duplicate free attempt of an AAA context.
    [From Build 54.9009.e] [# 531956, 538937]
  • NetScaler Gateway ignores the PresharedKey attribute configured in the RDP Server Profile while sending data to the STA server in a dual gateway RDP Proxy deployment.
    [From Build 54.9009.e] [# 533655, 534113]
  • When the NetScaler Gateway appliance is configured for RDP proxy functionality, if one of the gateway virtual servers has an RDP server profile configured, all subsequently added gateway virtual servers automatically inherit that profile, even if they are not meant to provide RDP proxy functionality. Additionally, the gateway virtual servers that have inherited the RDP server profiles are lost when the appliance is rebooted.
    Workaround: First, add gateway virtual servers that do not need an RDP server profile. Then, add the gateway virtual servers that need an RDP server profile.
    [From Build 55.8007.e] [# 538560]
  • The NetScaler Gateway appliance may fail under the following conditions:
    - FQDN-based access is enabled for launching the apps/Desktop.
    - STA redundancy is enabled.
    This issue is fixed now.
    [From Build 55.8007.e] [# 534300, 539947]
  • Once an RDP server profile has been set on a Gateway virtual server, a subsequent set operation to modify the RDP server profile is not effective.
    [From Build 55.8007.e] [# 538551]
  • The NetScaler appliance crashed because of the RADIUS User Accounting feature. For connections that this feature opened to AAAd, it did not activate a flag during connection termination, which resulted in a crash.
    [From Build 55.8007.e] [# 547177]
  • If an RDP client attempts to connect to a NetScaler Gateway IP using the CREDSSP mechanism, and the port is not configured to accept RDP connections, the NetScaler Gateway appliance may crash. This issue is now fixed.
    [From Build 56.1505.e] [# 571744, 571095]
  • The NetScaler appliance requires an internet connection for publisher verification of the NetScaler Gateway plug-in for Windows. The internet connection is needed when the plug-in is downloaded from the NetScaler appliance; otherwise, the following error occurs: "Publisher AGEE_setup.exe couldn't be verified".
    [From Build 57.7005.e] [# 553463, 558963]
  • If the new session entry points to the same memory that was used for the session entry earlier, then some of the values need to be reset. During session entry creation the values are reset.
    [From Build 59.1305.e] [# 608791]
NetScaler Insight Center
  • The /var/mps/system_health directory is not created for Insight Center. Because of this, the techsupport files are not created for Insight Center.
    Workaround: Manually create the system_health directory, after which techsupport works as intended.
    [From Build 55.8007.e] [# 494666]
NetScaler SDX Appliance
  • When you reset a management or data interface from the Management Service, the interface does not advertise all the supported speeds to the peer devices.
    [From Build 54.9009.e] [# 520882, 517190]
  • When multiple SSH connections are opened to multiple VPXs from the Management Service, the Management Service sometimes fails. This happens because of an open multi-threading issue in libssh2 library version 1.2.7. This problem has been resolved with an upgrade of the libssh2 library, and the corresponding changes are available from NetScaler's 10.5 56.x release.
    [From Build 55.8007.e] [# 541523, 550041]
  • The NetScaler SDX GUI is not accessible.
    Workaround: Log on to the SSH shell using the "nsrecover" user credentials and reboot the SVM.
    [From Build 56.1505.e] [# 524563]
  • Performing an SNMP walk using the EMC SMART tool is slow.
    [From Build 58.1108.e] [# 588451]
  • The Management Service does not support provisioning or modifying a NetScaler instance with a gateway IP address in a different subnet from that of the NetScaler IP (NSIP) address.
    [From Build 59.1305.e] [# 593158]
NetScaler SDX and CloudBridge Appliances
  • The NetScaler SVM and the CloudBridge management server had a memory leak that could eventually cause failures.
    [From Build 56.1505.e] [# 565742, 573215]
Networking
  • An ACL6 rule might not get evaluated for a series of TCP packets.
    [From Build 54.9009.e] [# 528554]
  • The NetScaler appliance might not properly process packets related to forwarding session entries configured on the appliance.
    [From Build 57.7005.e] [# 565475, 582155]
SSL
  • If you try to create a FIPS key of fewer than 2048 bits on firmware version 2.2, an error message appears. However, if you have imported or created a 1024-bit FIPS key on firmware version 1.1 and you then update to firmware version 2.2, you can use that FIPS key on firmware version 2.2.
    [From Build 55.8007.e] [# 519822]
  • If you are running FIPS firmware 2.2 on your appliance, some commands might fail after 9 days.
    [From Build 58.1108.e] [# 600267]
  • An MPX-FIPS appliance might not restart if you attempt a warm reboot.
    Workaround: Perform a full reboot. That is, do not use the -warm option when restarting the appliance.
    [From Build 58.1108.e] [# 597101]
  • If you restart a NetScaler appliance that has FIPS firmware version 2.2, the FIPS key might be temporarily unavailable.
    [From Build 58.1108.e] [# 572645, 563418, 576719, 594569]
  • If you upgrade the FIPS firmware on your appliance to version 2.2 and then restart it, you might notice some loss in the configuration.
    [From Build 58.1108.e] [# 597313]
  • On an MPX-FIPS platform running firmware version 2.2, if you have configured SSL services at the back end, an attempt to download a file fails if its size is greater than 16KB.
    [From Build 59.1305.e] [# 578464, 582280, 599956]
System
  • When trying to log on to the NetScaler using the GUI or the NITRO API, external users (from LDAP, TACACS, and so on) get the following error message: 'User does not exist'.
    [From Build 52.1115.e] [# 498221, 501681]
  • When HTML injection, client-side measurements, and integrated caching are enabled and the main page is cached with the prebody and postbody JavaScripts embedded in it, the NetScaler crashes while updating the JavaScripts if you then disable client-side measurements and access the main page.
    [From Build 53.9010.e] [# 511986]
Release history
For details of a specific release, refer to the corresponding release notes.
