Release Notes for Build 41.16 of NetScaler 12.0 Release

September 6, 2017 | Release notes version: 2.0
This release notes document describes the enhancements and changes in NetScaler release 12.0 Build 41.16 and specifies the issues that exist in that build.


  • This release notes document does not include security-related fixes. For a list of security-related fixes and advisories, see the Citrix security bulletin.
  • The [# XXXXXX] labels under the issue descriptions are internal tracking IDs used by the NetScaler team.

Additional Changes/Fixes Available in Versions

Version 2.0

Points to Note

Some important aspects to keep in mind while using Build 41.16.


  • You cannot modify the internal OCSP responder parameters in this build. This is a temporary limitation.
    [# 679708]
  • 3DES Ciphers Removed from Default Cipher Groups
    The 3DES ciphers have been removed from the DEFAULT and DEFAULT_BACKEND cipher groups on the NetScaler appliance for security reasons, to prevent attacks such as SWEET32. The following ciphers have been removed:
    - Cipher Name: SSL3-DES-CBC3-SHA
    Description: SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
    - Cipher Name: SSL3-EDH-DSS-DES-CBC3-SHA
    Description: SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
    - Cipher Name: SSL3-EDH-RSA-DES-CBC3-SHA
    Description: SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
    - Cipher Name: TLS1-ECDHE-RSA-DES-CBC3-SHA
    Description: SSLv3 Kx=ECC-DHE Au=RSA Enc=3DES(168) Mac=SHA1
    If your deployment requires 3DES ciphers, you can explicitly bind them to your SSL virtual server, service, or service group by using one of the following commands:
    bind ssl vserver <vServerName> -cipherName 3des
    bind ssl service <serviceName> -cipherName 3des
    bind ssl servicegroup <serviceGroupName> -cipherName 3des
    [# 659417]
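    A check a reviewer can run over a cipher listing before and after the upgrade, as an added example (not NetScaler code): it parses the "Kx=... Au=... Enc=... Mac=..." description format shown above and flags every bound cipher whose bulk cipher has a 64-bit block, the class SWEET32 targets. The sample listing is constructed; the set of small-block algorithms is an assumption beyond the 3DES entries the note lists.

```python
"""Flag bound ciphers that use a 64-bit block cipher (3DES and friends).

Added example. The description format follows the release note
("SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1"); the listing is constructed.
"""
import re

# Constructed listing in the "Cipher Name / Description" form used in the note.
SAMPLE_LISTING = [
    ("SSL3-DES-CBC3-SHA", "SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1"),
    ("TLS1-ECDHE-RSA-DES-CBC3-SHA", "SSLv3 Kx=ECC-DHE Au=RSA Enc=3DES(168) Mac=SHA1"),
    ("TLS1.2-ECDHE-RSA-AES128-GCM-SHA256", "TLSv1.2 Kx=ECC-DHE Au=RSA Enc=AES-GCM(128) Mac=AEAD"),
    ("TLS1-AES-256-CBC-SHA", "TLSv1 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1"),
]

DESC_RE = re.compile(
    r"Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+Enc=(?P<enc>[^(\s]+)"
    r"(?:\((?P<bits>\d+)\))?\s+Mac=(?P<mac>\S+)"
)

# Bulk ciphers with a 64-bit block size (assumed list; 3DES is the one the note removes).
SMALL_BLOCK_CIPHERS = {"3DES", "DES", "RC2", "IDEA", "Blowfish"}


def parse_description(desc):
    """Split a cipher description into key exchange, auth, bulk cipher, bits and MAC."""
    m = DESC_RE.search(desc)
    if not m:
        raise ValueError("unrecognised cipher description: %r" % desc)
    d = m.groupdict()
    d["bits"] = int(d["bits"]) if d["bits"] else None
    return d


def weak_block_ciphers(listing):
    """Return the names of bound ciphers whose bulk cipher has a 64-bit block."""
    flagged = []
    for name, desc in listing:
        if parse_description(desc)["enc"] in SMALL_BLOCK_CIPHERS:
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    for name in weak_block_ciphers(SAMPLE_LISTING):
        print("64-bit block cipher still bound:", name)
```

    Feed it the output of your own cipher-group listing in the same two-column form; an empty result after the upgrade confirms that no 3DES cipher was re-bound explicitly.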

Upgrade and Downgrade

  • The auto cleanup option (/installns -c) is not supported in NetScaler release 12.0.
    Clean up flash manually if space is insufficient when upgrading or downgrading a NetScaler appliance.
    [# 683380]

What's New?

The enhancements and changes that are available in Build 41.16.


  • Support for Logon Lockdown Control
    Logon lockdown control is now supported in a NetScaler cluster. Unsuccessful logon attempts are recorded in a distributed hash table (DHT). The advantage of using the DHT is that both n2n (node to node) and c2c (cluster to cluster) messaging are supported.
    [# 635415]
  • Support for Inline Verification of OpenID tokens
    The NetScaler appliance now supports inline verification of OpenID tokens. The administrator can enable the NetScaler appliance to obtain certificates and verify signatures on the token. This feature is currently tested with Google OpenID and Microsoft Intune servers.
    You can use the following new command to enable the NetScaler appliance to obtain certificates and verify signatures on the token:
    add authentication OAuthAction <name> {existing arguments} -CertEndpoint <URL>
    where <URL> is the URL of the endpoint that contains the JWKs (JSON Web Keys) used to verify the JWT (JSON Web Token).
    For more information, see
    [# 652311]
  • The following new parameters are now supported for the OAuth authentication mechanism:
    [-audience <string>] [-userNameField <string>] [-skewTime <mins>] [-issuer <string>]
    You can use the following CLI command to optionally configure the parameters:
    add authentication OAuthAction <name> -authorizationEndpoint <URL> -tokenEndpoint <URL> -idtokenDecryptEndpoint <URL> -clientID <string> -clientSecret <string> -defaultAuthenticationGroup <string> -tenantID <string> -GraphEndpoint <string> -refreshInterval <positive_integer> -CertEndpoint <string> [-audience <string>] [-userNameField <string>] [-skewTime <mins>] [-issuer <string>] -Attribute1 <string> -Attribute2 <string> -Attribute3 <string>
    [# 664959]
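    What the CertEndpoint, -issuer, -audience, -userNameField and -skewTime settings from the two items above amount to at verification time, as an added example that is not NetScaler code: pick the signing key by kid from a JWKS document, verify the signature, reject a token whose issuer or audience does not match, tolerate clock skew of a configurable number of minutes on exp/nbf, and read the user name from a configurable claim. The appliance fetches RSA/EC public keys from the endpoint; this self-contained version uses a symmetric HS256 key in the JWKS ("kty":"oct") so it runs with the standard library only. The key, token, issuer and audience values are constructed, and the mapping of the function parameters onto the CLI parameters is an assumption.

```python
"""Verify an OAuth/OpenID JWT: kid lookup in a JWKS, signature, iss/aud, exp/nbf with skew.

Added example, not NetScaler code. Uses an HS256 (symmetric) JWK so it runs
offline; a real CertEndpoint serves RSA/EC public keys. All values constructed.
"""
import base64, hashlib, hmac, json, time


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


# Constructed JWKS as a CertEndpoint might return it (symmetric key for the demo only).
JWKS = {"keys": [{"kty": "oct", "kid": "demo-key-1", "alg": "HS256",
                  "k": b64url_encode(b"constructed-demo-secret-do-not-reuse")}]}


def mint_token(claims, kid="demo-key-1"):
    """Constructed issuer side: build an HS256 JWT for the demo."""
    key = next(k for k in JWKS["keys"] if k["kid"] == kid)
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT", "kid": kid}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(b64url_decode(key["k"]), (header + "." + payload).encode(), hashlib.sha256).digest()
    return header + "." + payload + "." + b64url_encode(sig)


def verify_token(token, jwks, issuer, audience, user_name_field="sub", skew_mins=5, now=None):
    """Return the user name if the token is valid, otherwise raise ValueError.

    issuer/audience/user_name_field/skew_mins stand in for -issuer, -audience,
    -userNameField and -skewTime (assumed mapping).
    """
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":          # never accept 'none' or an unexpected alg
        raise ValueError("unsupported alg")
    key = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if key is None:
        raise ValueError("unknown kid")
    expected = hmac.new(b64url_decode(key["k"]), (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    skew = skew_mins * 60
    if "exp" in claims and now > claims["exp"] + skew:
        raise ValueError("token expired")
    if "nbf" in claims and now < claims["nbf"] - skew:
        raise ValueError("token not yet valid")
    if user_name_field not in claims:
        raise ValueError("user name claim missing")
    return claims[user_name_field]


if __name__ == "__main__":
    t = mint_token({"iss": "https://idp.example", "aud": "app", "upn": "alice@example.com",
                    "exp": int(time.time()) + 300})
    print(verify_token(t, JWKS, "https://idp.example", "app", user_name_field="upn"))
```

    The signature check runs before any claim is trusted, and the key is chosen from the JWKS by kid rather than from anything inside the token body; a token signed with a key the endpoint never published fails closed.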
  • Support for SAML ForceAuthn Parameter and Artifact Binding (when NetScaler is SP) using GET HTTP Method
    The NetScaler SAML SP (Service Provider) module now sends an attribute called 'ForceAuthn' in the authentication request to an external IdP (Identity Provider). By default, ForceAuthn carries a value of false. It can be set to true to hint to the IdP that it should force authentication despite an existing authentication context.
    Additionally, when configured for artifact binding, the SP module includes the authentication request in the query parameters of an HTTP GET request.
    For more information, see
    [# 665828]
  • SAMLIDP Single Logout Support for Redirect and POST Bindings
    SAMLIDP single logout is now supported for redirect and POST bindings.
    For more information, see
    [# 642105]
  • POST and Redirect Bindings Support during Logout
    A NetScaler appliance used as a SAML SP now supports POST and redirect bindings during logout. Previously, only POST binding was supported.
    For more information, see
    [# 642102]
  • Maximum number of attempts to connect to a RADIUS server increased to 10
    The maximum number of attempts by a NetScaler appliance to connect to a RADIUS server has been increased from 3 to 10. The minimum is 1, and the default is 3.
    Use the following command to configure the appliance with the required number of attempts:
    set authentication radiusAction <name> -authservRetry <number of attempts>
    [# 669949]

Admin Partitions

  • Memory Management in Admin Partitions
    On a partitioned NetScaler appliance, the partition connections now take memory from the partition quota. Previously, all connections took memory from the default partition's quota.
    For more information, see
    [# 652198]
  • Blocking VRRP on Shared VLANs in Admin Partitions
    On a partitioned NetScaler appliance, the Virtual Router Redundancy Protocol (VRRP) is now supported only on non-shared VLANs. It is blocked on shared VLANs (tagged or untagged) bound to the default partition or to an administrative partition.
    For more information, see
    [# 655514]
  • VXLAN Support for Admin Partitions
    A partitioned NetScaler appliance now supports Virtual eXtensible Local Area Networks (VXLANs). A VXLAN can be created in the default partition and bound to any administrative partition. When you extend a VXLAN to a VLAN, binding a VLAN to a partition also binds the VXLAN to the same partition. However, the appliance does not support shared VXLAN and does not allow you to extend a VXLAN to a shared VLAN.
    For more information, see
    [# 651332]
  • Support for sending SNMP traps of all partitions through NetScaler GUI
    On a partitioned NetScaler appliance, you can now use the NetScaler GUI to enable sending SNMP trap messages of all partitions to the configured trap destination. In the default partition, enable the allPartitions option for the traps that you want to send. Previously, you had to use the NetScaler command line to enable this option.
    Navigate to System > SNMP > Traps, select a trap, click Edit, and select or clear the Send Traps of All Partitions check box.
    [# 677551]
  • SNMP Traps for Admin Partition Rate Limiting
    On a partitioned NetScaler appliance, an SNMP-RATE-LIMIT alarm can generate six new SNMP traps for notification that a partition resource (such as connections or memory) has reached its limit or returned to normal. Previously, only three SNMP traps were available for rate limiting partition resources.
    Note: To enable generation of the SNMP trap messages, you must enable the SNMP-RATE-LIMIT alarm on the appliance and then configure the destination device to which the appliance can send the trap messages.
    The threshold and limit values for partition rate limiting are:
    - Highest threshold = 80% (applicable for all partition rate limit traps)
    - Lowest threshold = 60% (applicable for all partition rate limit traps)
    - Memory limit = 95% (applicable only for partition memory traps)
    The six new SNMP traps are:
    - partitionCONNThresholdReached. The number of active connections for a partition exceeds its high threshold percentage.
    - partitionCONNThresholdNormal. The number of active connections is less than or equal to the configured normal threshold percentage.
    - partitionBWThresholdReached. The partition's bandwidth usage reaches the configured high threshold percentage.
    - partitionMEMThresholdReached. The partition's current memory usage exceeds its high threshold percentage.
    - partitionMEMThresholdNormal. The partition's current memory usage is less than or equal to the configured normal threshold percentage.
    - partitionMEMLimitExceeded. The partition's current memory usage exceeds its memory limit percentage.
    [# 655560]
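    The thresholds above define a hysteresis band (above 80% raises a "Reached" trap, at or below 60% raises the "Normal" trap, and memory additionally crosses a 95% limit). The following added example models that behaviour so an operator can see which trap sequence a given usage pattern produces and tune alert handling accordingly. It is not NetScaler code: the usage series are constructed, and the assumption that each crossing emits exactly one trap until the opposite threshold is crossed is mine, not stated in the note.

```python
"""Replay partition resource usage against the documented trap thresholds.

Added example, not NetScaler code. Thresholds are from the release note; the
one-trap-per-crossing behaviour and the sample series are assumptions.
"""

HIGH_THRESHOLD = 80    # percent, all partition rate-limit traps
NORMAL_THRESHOLD = 60  # percent, all partition rate-limit traps
MEMORY_LIMIT = 95      # percent, memory traps only

# Traps available per resource, as listed in the release note.
TRAPS = {
    "CONN": {"reached": "partitionCONNThresholdReached", "normal": "partitionCONNThresholdNormal"},
    "BW":   {"reached": "partitionBWThresholdReached"},
    "MEM":  {"reached": "partitionMEMThresholdReached", "normal": "partitionMEMThresholdNormal",
             "limit": "partitionMEMLimitExceeded"},
}


class PartitionMonitor:
    def __init__(self, partition):
        self.partition = partition
        self.high = {r: False for r in TRAPS}   # currently above the high threshold?
        self.over_limit = False                 # memory currently above the 95% limit?

    def sample(self, resource, percent):
        """Feed one usage sample (percent of the partition quota); return traps to emit."""
        traps = TRAPS[resource]
        out = []
        if percent > HIGH_THRESHOLD and not self.high[resource]:
            self.high[resource] = True
            out.append(traps["reached"])
        elif percent <= NORMAL_THRESHOLD and self.high[resource]:
            # Re-arm the "reached" trap; BW has no "normal" trap to announce it.
            self.high[resource] = False
            if "normal" in traps:
                out.append(traps["normal"])
        if resource == "MEM":
            if percent > MEMORY_LIMIT and not self.over_limit:
                self.over_limit = True
                out.append(traps["limit"])
            elif percent <= MEMORY_LIMIT:
                self.over_limit = False
        return [(self.partition, t, percent) for t in out]


def run_series(resource, samples, partition="par1"):
    """Replay a series of samples and return the trap names emitted, in order."""
    mon = PartitionMonitor(partition)
    emitted = []
    for pct in samples:
        emitted.extend(t for _, t, _ in mon.sample(resource, pct))
    return emitted


if __name__ == "__main__":
    # Constructed memory usage series for partition "par1".
    for trap in run_series("MEM", [50, 85, 90, 97, 96, 70, 60, 85]):
        print(trap)
```

    Note that usage hovering between 60% and 80% produces no traps at all, and bandwidth has no "Normal" counterpart, so a BW alert can only be cleared by observing the next "Reached" trap or by polling.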
  • Configurable Partition Resource Limit
    When you create an administrative partition, you can now set a partition resource (such as memory, bandwidth, or connections) limit to zero, which specifies that use of the resource is unlimited. The partition can consume up to the system limit. For a previously created partition, you can increase or decrease the limit or set the limit to zero.
    For more information, see
    [# 652187]
  • Audit-log Support for Admin Partitions
    A partitioned NetScaler appliance now supports audit logging for non-default partitions by using advanced (PI) policies. Previously, you could configure the audit-log feature only in a default partition, not in administrative partitions.
    For more information, see
    [# 659649]


  • Blacklisting Up to One Million URLs by Using URL Sets
    To prevent access to restricted websites, a NetScaler appliance uses a specialized URL matching algorithm. The algorithm uses a URL set that can include up to one million (1,000,000) blacklisted URLs. Each entry can include metadata that defines URL categories and category groups as indexed patterns. The appliance can also periodically download highly sensitive URL sets managed by internet enforcement agencies (with government websites) or independent internet organizations such as the Internet Watch Foundation (IWF). After downloading and importing the URL set, the appliance encrypts it (as required by these agencies) and keeps it confidential so that the entries are not tampered with.
    The NetScaler appliance uses advanced policies to determine whether an incoming URL should be blocked, allowed, or redirected. These policies use advanced expressions to evaluate incoming URLs against blacklisted entries. An entry can include metadata. For entries that have no metadata, you can use an expression that evaluates the URL on the basis of an exact string match. For URLs that have metadata, you can use an expression that evaluates the URL's metadata, in addition to an expression that checks for an exact string match.
    For more information, see
    [# 628124]

Application Firewall

  • Configure Session-Limit Settings to Avoid Web Application Firewall Issues
    To prevent the web application firewall (NetScaler AppFirewall) from becoming unresponsive or resetting connections, you can use one of the following new commands to decrease the session timeout and increase the session limit:
    From the CLI: > set appfw settings -sessionTimeout 300
    From the shell: root@ns# -s appfw_session_limit=200000
    You can also review the SNMP alarm and log messages when the Application Firewall session limit (appfw_session_limit) is reached.
    [# 589567]
  • Configure Application Firewall Session Limit Through the CLI
    You can now use the CLI to configure the Application Firewall session limit. Enter the following command:
    set appfw settings -sessionLimit <value>
    Where <value> is the maximum number of sessions allowed for each packet engine. Minimum value: 0. Maximum value: 500000. Default: 100000.
    [# 662582]
  • Application Firewall GUI - Signature Editor
    When using the signature editor to perform an import and merge operation from the NetScaler GUI, you can now see the new, updated, duplicate, and invalid rules.
    The signature editor displays the following four new rows:
    1. New Rules
    2. Updated Rules
    3. Duplicate Rules
    4. Invalid Rules
    The output of the New Rules Only and Updated Rules Only filters also appears in the Category filter pane of the Edit window in signature editor.
    [# 656279]


  • Audit-Log Support in Cluster
    A cluster setup of NetScaler appliances now supports the audit-log feature with SYSLOG-TCP, Load Balancing (LB) of SYSLOG servers, SNIP support, and FQDN support for SYSLOG configurations.
    For more information, see
    [# 669938]
  • IPv6 Ready Logo Support for Clusters
    You can now test clustered appliances for IPv6 Ready Logo certification. Modified commands for testing IPv6 core protocols, such as for ND test cases, Router Solicitation processing, and sending route advertisement and router redirection messages are no longer blocked in a clustered setup. Following are the IPv6 functionalities available for testing the IPv6 core protocols.
    1. Link-Local SNIPs
    2. Address Resolution and Neighbor Unreachability
    3. Router and Prefix Discovery
    4. Router Redirection
    5. DoDAD
    For more information, see
    [# 655841]
  • Configuring Owner Node Response Status
    In a cluster setup, on an owner node that has a spotted SNIP address, you can now configure the ownerDownResponse option to specify whether other nodes in the group can respond to PING or ARP requests when the owner node is down. By default, the option is enabled, allowing other nodes in the group to respond to PING or ARP requests when the owner node is down. If you disable this option, other nodes in the group cannot respond to PING or ARP requests when the owner node is down.
    For more information, see
    [# 647740]
  • Disabling Steering for Forwarding Sessions in a Cluster Setup
    The default behavior of a NetScaler cluster is for the node that receives traffic (flow receiver) to direct the traffic to another node (flow processor), which processes the traffic. Directing the traffic from flow receiver to flow processor occurs over the cluster backplane and is called steering.
    Steering can be an overhead for real-time processing or when the setup includes high-latency links. Steering for forwarding sessions can now be disabled so that the processing becomes local to the flow receiver. That is, the flow receiver becomes the flow processor.
    For more information, see
    [# 636825]
  • Redundant Interface Set Support for Cluster Setups
    Redundant interface set support is now available in cluster setups. In a redundant interface set, one of the interfaces is active and the others are on standby. If the active interface fails, one of the standby interfaces takes over and becomes active.
    Following are the main benefits of using redundant interface sets:
    - A redundant interface set ensures connection reliability between a NetScaler appliance and a peer device by providing backup links between them.
    - Unlike link redundancy using LACP, no configuration is required on the peer device for a redundant interface set. To the peer device, the redundant interface set appears as individual interfaces, not as a set or collection.
    For more information, see
    [# 657651]
  • TFTP Support in a Cluster Setup
    Trivial File Transfer Protocol (TFTP) is now supported in a NetScaler cluster setup. TFTP is a simple file transfer protocol based on UDP. TFTP does not provide any security features and is generally used for automated transfer of configuration and boot files between devices in a private network. TFTP support on a NetScaler cluster setup is compliant with RFC 1350. A server listens on port 69 for any TFTP request.
    The following features are supported:
    * INAT processing compliant with TFTP. If a NetScaler cluster receives a request packet whose destination is port 69 and that matches an INAT rule with the TFTP option enabled, the cluster's processing of the request and the corresponding response is compliant with the TFTP protocol. For an INAT configuration for a TFTP server, only spotted SNIP addresses are supported for the server-side communication. For more information about configuring INAT, see
    * RNAT processing compliant with TFTP. When a request packet generated by a server is destined to a TFTP server, and the packet matches an RNAT rule on a NetScaler cluster, the cluster's processing of the request and the corresponding response from the TFTP server is compliant with the TFTP protocol. In an RNAT configuration of TFTP servers, only spotted NAT IP addresses are supported for the TFTP server-side communication. For more information about configuring RNAT, see
    [# 658631]
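    Why the INAT/RNAT rules above need a TFTP option rather than a plain port-69 rule: only the RRQ/WRQ request goes to port 69, and the DATA/ACK exchange that follows runs between ephemeral ports, so a NAT device has to understand the packet format to tie the flows together. The following added example (not NetScaler code) parses the five RFC 1350 packet types and identifies the request that starts a transfer; the sample packets are constructed.

```python
"""Parse RFC 1350 TFTP packets (RRQ, WRQ, DATA, ACK, ERROR).

Added example, not NetScaler code. Sample packets are constructed.
"""
import struct

TFTP_PORT = 69
OPCODES = {1: "RRQ", 2: "WRQ", 3: "DATA", 4: "ACK", 5: "ERROR"}
MAX_DATA = 512   # a DATA block shorter than 512 bytes ends the transfer
MODES = ("netascii", "octet", "mail")


def _cstring(buf, offset):
    """Read a NUL-terminated ASCII string; ValueError if the terminator is missing."""
    end = buf.index(b"\x00", offset)
    return buf[offset:end].decode("ascii"), end + 1


def parse_tftp(payload):
    """Return a dict describing the packet, or raise ValueError if it is malformed."""
    if len(payload) < 4:
        raise ValueError("packet too short")
    opcode = struct.unpack("!H", payload[:2])[0]
    kind = OPCODES.get(opcode)
    if kind is None:
        raise ValueError("unknown opcode %d" % opcode)
    if kind in ("RRQ", "WRQ"):
        filename, off = _cstring(payload, 2)
        mode, _ = _cstring(payload, off)
        if mode.lower() not in MODES:
            raise ValueError("bad mode %r" % mode)
        return {"op": kind, "filename": filename, "mode": mode.lower()}
    block = struct.unpack("!H", payload[2:4])[0]
    if kind == "DATA":
        data = payload[4:]
        if len(data) > MAX_DATA:
            raise ValueError("data block too large")
        return {"op": kind, "block": block, "data": data, "last": len(data) < MAX_DATA}
    if kind == "ACK":
        return {"op": kind, "block": block}
    msg, _ = _cstring(payload, 4)
    return {"op": kind, "error_code": block, "message": msg}


def build_request(kind, filename, mode="octet"):
    """Constructed helper to make RRQ/WRQ packets for the demo."""
    op = 1 if kind == "RRQ" else 2
    return struct.pack("!H", op) + filename.encode("ascii") + b"\x00" + mode.encode("ascii") + b"\x00"


def is_transfer_start(dst_port, payload):
    """True when a UDP datagram is the request that opens a TFTP transfer: destination
    port 69 and a well-formed RRQ/WRQ. Everything after it arrives on other ports."""
    if dst_port != TFTP_PORT:
        return False
    try:
        return parse_tftp(payload)["op"] in ("RRQ", "WRQ")
    except ValueError:
        return False


if __name__ == "__main__":
    pkt = build_request("RRQ", "boot.cfg")
    print(parse_tftp(pkt), is_transfer_start(69, pkt))
```

    Because TFTP carries no authentication at all, the only controls available are the ones around it: restricting which source addresses may reach port 69 and keeping the transfer confined to the private network the note mentions.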
  • Monitor Static Route (MSR) Support for Inactive Nodes in a Spotted Cluster Configuration
    In a spotted cluster configuration, you can now configure an inactive or spare node to monitor a static route for which the MSR option is enabled. From a SNIP address owned exclusively by an inactive node, the node can send PING and ARP probes to an IPv4 route or ping5 and nd6 probes to an IPv6 route. Previously, only active nodes could monitor a static route.
    For more information, see
    [# 648194]
  • VRID/VRID6 support for cluster
    When you migrate a high availability (HA) setup to a cluster setup, all configurations must be compatible and must be supportable in the cluster. To achieve this, you can now configure virtual router IDs (VRIDs and VRID6s) on a single-node cluster interface.
    For more information, see
    [# 655726]
  • Managing Cluster Heartbeat Messages
    In a cluster configuration, you can now disable the heartbeat option on node interfaces. However, the heartbeat option on the backplane interface cannot be disabled, because it is required for maintaining connectivity among the cluster nodes.
    For more information, see
    [# 655842]
  • SNMP MIB Support for Cluster Nodes
    In a cluster setup, you can now configure the SNMP MIB on any node by including the ownerNode parameter in the set snmp mib command. Without this parameter, the set snmp mib command applies only to the cluster coordinator node.
    To display the MIB configuration for an individual node other than the cluster coordinator node, include the ownerNode parameter in the show snmp mib command.
    [# 628136, 623888]
  • IPv6 Virtual Router Redundancy Protocol Support for Cluster Setups
    IPv6 Virtual Router Redundancy Protocol (VRRP6) protocol is now supported on a cluster setup.
    The following are the two VRRP6 features supported on a cluster setup:
    * Interface-based VRRP6: This feature applies only to a two-node cluster in which one node is active and the other is spare. The same VMAC address is configured on both nodes of the cluster setup. This VMAC address is used in GARP advertisements and ARP responses for the IPv6 addresses configured on a node. The feature is useful in an active-spare two-node cluster setup that has external devices or routers that do not accept GARP advertisements. Because the same VMAC address is configured on both cluster nodes, when the active node goes down and the spare node takes over as active, the MAC address for the IP addresses on the new active node remains unchanged, and the ARP tables on the external devices or routers do not need to be updated.
    * IP-based VRRP6: Striped VIP6 addresses bound to the same VRID6 are configured on all nodes of a cluster setup. These VIP6 addresses are active on all the nodes. One of the cluster nodes acts as the VRID6 owner and sends VRRP6 advertisements to the other nodes. If the VRID6 owner node fails, another node in the cluster assumes ownership of the VRID6 and starts sending VRRP6 advertisements.
    For more information, see
    [# 657315]


  • Caching of EDNS0 Client Subnet (ECS) Data when the NetScaler Appliance is in Proxy Mode
    In NetScaler Proxy mode, if a back-end server that supports ECS sends a response containing the ECS option, the NetScaler appliance forwards the response as-is to the client and stores it in the cache, along with the client subnet information. Further DNS requests that are from the same subnet of the same domain, and for which the server would send the same response, are then served from the cache instead of being directed to the server.
    For more information, see
    [# 626837]
  • Support for Wildcard DNS Domains
    You can now use wildcard DNS domains to handle requests for nonexistent domains and subdomains. In a zone, if you want to redirect queries for all nonexistent domains or subdomains to a particular server, you can use wildcards rather than creating a separate Resource Record (RR) for each such domain. The wildcard RRs synthesize the responses to queries for a nonexistent domain or subdomain name.
    For more information, see
    [# 558993]
  • Admin Partition Support for DNSSEC
    You can now secure the DNS keys with passwords on a partitioned NetScaler appliance.
    Specify the password in the create dns key command, and then specify the same password in the add dns key command when adding the DNS key to the NetScaler appliance.
    For more information, see
    [# 655295]


  • Configuring GSLB by Using a Wizard in the NetScaler GUI
    You can now use a wizard to configure the GSLB deployment types (active-active, active-passive and parent-child topology). In the NetScaler GUI, navigate to Configuration > Traffic Management > GSLB, and click Get Started.
    You can also start the GSLB configuration wizard from the dashboard. The dashboard provides the overall status of the GSLB sites participating in GSLB. You can also synchronize the sites and test the GSLB setup from the dashboard. To access the GSLB dashboard, navigate to Configuration > Traffic Management > GSLB > Dashboard.
    This feature is supported in High Availability deployment and not in Admin Partition and Cluster deployments.
    For more information, see
    [# 683738]

Load Balancing

  • Backup Persistence support for RULE based persistence
    You can now configure a virtual server to use source IP persistence as the backup persistence type when the primary persistence type is rule-based. If the primary persistence lookup fails, the appliance uses source-IP based persistence when the parameter specified in the rule is missing in the incoming request.
    For more information, see
    [# 519440]
  • Sharing of Persistent Sessions between Virtual Servers
    In some customer environments (telecom and ISP), where a single server handles both control and data traffic, one virtual server is required for handling client authentication traffic, and one for handling data traffic. In such cases, the clients can reach out to the same backend server for both authentication and data traffic.
    You can now do this by enabling the useVserverPersistency parameter for a load balancing group and optionally designating one of the virtual servers in the group as a master virtual server. The master server creates the persistence entries, which can be used by all the virtual servers in the group.
    For more information, see
    [# 491895]
  • SNMP OID for Tracking Persistence Sessions on a Per-Vserver Basis
    The vsvrCurPersistenceSessions SNMP OID provides the number of current persistence sessions on each virtual server.
    [# 346825]
  • Setting alertRetries to a Value Higher than the Retries Value
    The alertRetries parameter, which specifies the maximum number of consecutive monitoring-probe failures after which the NetScaler appliance generates an SNMP trap called monProbeFailed, can now be set to a value higher than the Retries value (which specifies the maximum number of probes to send to establish the state of a service for which a monitoring probe failed). If the alertRetries value is higher than the Retries value, the SNMP trap is not sent until after the service is DOWN.
    For example, if you set Retries to 3, alertRetries to 12, and the time interval to 5 seconds, the service is marked DOWN after 15 seconds (3*5), but no alert is generated. If the monitor probes are still failing after 60 seconds (12*5), the NetScaler appliance generates a monProbeFailed trap. If a probe succeeds at some time between 15 and 60 seconds, the service is marked UP and no alert is generated.
    Setting the alertRetries value to a value higher than the Retries value helps generate only genuine alerts and avoid false positives during scheduled restarts.
    For more information, see
    [# 422816]
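    The timeline in the item above (Retries=3, alertRetries=12, interval=5 s: DOWN at 15 s, monProbeFailed at 60 s, no trap if a probe succeeds in between) can be replayed with the following added simulation. It is not NetScaler code: it models one monitor with probes completing once per interval, marks the service DOWN after `retries` consecutive failures, fires the trap once after `alert_retries` consecutive failures, and returns the service to UP on the first successful probe; the probe result sequences are constructed, and the exact tick model is an assumption.

```python
"""Replay monitor probe results to see when DOWN and monProbeFailed happen.

Added example, not NetScaler code. Defaults are the release note's numbers;
probe sequences are constructed and the tick model is an assumption.
"""


def replay(probe_results, retries=3, alert_retries=12, interval=5):
    """probe_results: list of True (probe succeeded) / False (probe failed), one per interval.

    Returns the time in seconds of each event (None if it never happened) and the
    final service state.
    """
    consecutive_failures = 0
    state = "UP"
    events = {"down_at": None, "trap_at": None, "up_at": None}
    for i, ok in enumerate(probe_results, start=1):
        t = i * interval                      # probe i completes at t seconds
        if ok:
            consecutive_failures = 0          # any success clears the failure run
            if state == "DOWN":
                state = "UP"
                events["up_at"] = events["up_at"] or t
            continue
        consecutive_failures += 1
        if consecutive_failures == retries and state == "UP":
            state = "DOWN"                    # Retries reached: service marked DOWN
            events["down_at"] = events["down_at"] or t
        if consecutive_failures == alert_retries:
            events["trap_at"] = events["trap_at"] or t   # monProbeFailed sent once
    events["final_state"] = state
    return events


def trap_without_down(probe_results, **kw):
    """True when alertRetries < Retries lets a trap fire before the service is even DOWN."""
    ev = replay(probe_results, **kw)
    return ev["trap_at"] is not None and (ev["down_at"] is None or ev["trap_at"] < ev["down_at"])


if __name__ == "__main__":
    # Constructed: twelve straight failures (e.g. a restart that never comes back).
    print(replay([False] * 12))
    # Constructed: a restart that recovers after 25 s; no trap is generated.
    print(replay([False] * 5 + [True] + [False] * 3))
```

    The second sequence is the "scheduled restart" case the note describes: the service flaps DOWN and back UP without a monProbeFailed trap, because the twelve-probe run of failures is never completed.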
  • Support for RADIUS Shared Secret
    A shared secret must now be configured in RADIUS load balancing deployments. A RADIUS client and server communicate with each other by using a shared secret that is configured on the client and the server. Transactions between the client and RADIUS server are authenticated through the use of a shared secret. This secret is also used to encrypt some of the information in the RADIUS packet.
    You can configure a default RADIUS shared secret, or you can configure a shared secret on a per-node basis. The appliance uses the client IP address or the server IP address in the RADIUS packet to decide which shared secret to use.
    In telco deployments, you must now configure a RADIUS client when you configure a RADIUS listener service. If a shared secret is not configured, the RADIUS message is silently dropped.
    Note: After you upgrade to release 12.0, you must configure a RADIUS shared secret in an existing RADIUS deployment.
    For more information, see
    [# 564185]
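    What the mandatory shared secret actually buys, shown as an added example (not NetScaler code): in RADIUS, every reply carries a Response Authenticator equal to MD5(Code | ID | Length | RequestAuthenticator | Attributes | Secret) (RFC 2865, section 3), so a reply from a peer that does not hold the secret fails the check and is dropped, and, as the note says, a peer for which no secret is configured at all is dropped outright. The per-node lookup by peer IP with a default fallback mirrors the configuration described above, but the lookup order is an assumption; User-Password hiding is omitted, and the packets, addresses and secrets are constructed.

```python
"""Verify RADIUS replies with the shared secret (RFC 2865 Response Authenticator).

Added example, standard library only, not NetScaler code. Packets, addresses and
secrets are constructed; per-node/default secret lookup order is an assumption.
"""
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, REPLY_MESSAGE = 1, 18          # attribute types used in the demo


def encode_attrs(attrs):
    """attrs: list of (type, value_bytes) -> RADIUS TLV bytes (type, length, value)."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def make_request(ident, username, request_auth=None):
    """Client side: Access-Request with a random 16-byte Request Authenticator."""
    auth = os.urandom(16) if request_auth is None else request_auth
    return build_packet(ACCESS_REQUEST, ident, auth, [(USER_NAME, username)])


def response_authenticator(code, ident, attrs_bytes, request_auth, secret):
    length = 20 + len(attrs_bytes)
    return hashlib.md5(struct.pack("!BBH", code, ident, length) + request_auth + attrs_bytes + secret).digest()


def build_response(code, request, secret, attrs=()):
    """Server side: answer `request` (raw bytes) with a correctly authenticated reply."""
    ident, request_auth = request[1], request[4:20]
    body = encode_attrs(list(attrs))
    auth = response_authenticator(code, ident, body, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + auth + body


def select_secret(peer_ip, per_node_secrets, default_secret=None):
    """Per-node secret keyed by peer IP, else the default; None means 'not configured'."""
    return per_node_secrets.get(peer_ip, default_secret)


def verify_response(response, request, peer_ip, per_node_secrets, default_secret=None):
    """Client side: return (accepted, reason). Anything unverifiable is dropped."""
    secret = select_secret(peer_ip, per_node_secrets, default_secret)
    if secret is None:
        return False, "no shared secret configured for %s; dropped" % peer_ip
    if len(response) < 20:
        return False, "short packet"
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response):
        return False, "length mismatch"
    if ident != request[1]:
        return False, "identifier does not match outstanding request"
    expected = response_authenticator(code, ident, response[20:], request[4:20], secret)
    if not hmac.compare_digest(expected, response[4:20]):
        return False, "response authenticator mismatch; dropped"
    return True, {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}.get(code, "code %d" % code)


if __name__ == "__main__":
    secrets = {"10.0.0.5": b"constructed-secret"}          # constructed per-node secret
    req = make_request(7, b"alice")
    ok = build_response(ACCESS_ACCEPT, req, b"constructed-secret", [(REPLY_MESSAGE, b"welcome")])
    print(verify_response(ok, req, "10.0.0.5", secrets))
    print(verify_response(ok, req, "10.0.0.9", secrets))  # no secret for this peer
```

    Binding the check to the outstanding request's own random authenticator is what stops a captured reply being replayed against a later request, and using the peer IP to choose the secret is why the note insists a RADIUS client be configured for every listener.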
  • Connection Failover Support for IPv6 Load Balancing Configurations
    Connection failover support has been extended for IPv6 load balancing configurations. Connection failover helps prevent disruption of access to applications deployed in a distributed environment. In a NetScaler High Availability (HA) setup, connection failover (or connection mirroring) refers to keeping an established TCP or UDP connection active when a failover occurs. The new primary NetScaler appliance has information about the connections established before the failover and continues to serve those connections. After failover, the client remains connected to the same physical server. The new primary appliance synchronizes the information with the new secondary appliance by using the SSF framework. If the L2Conn parameter is set, Layer 2 connection parameters are also synchronized with the secondary.
    You can set up connection failover in either stateless or stateful mode. In the stateless connection failover mode, the HA nodes do not exchange any information about the connections that fail over. This method has no runtime overhead. In the stateful connection failover mode, the primary appliance synchronizes the data of the failed-over connections with the new secondary appliance. Connection failover is helpful if your deployment has long lasting connections.
    For example, if you are downloading a large file over HTTP and a failover occurs during the download, the connection breaks and the download is aborted. However, if you configure connection failover in stateful mode, the download continues even after the failover.
    For more information, see
    [# 472611]


  • View Individual Counter Information
    To view global counters that are not otherwise shown by the NetScaler CLI or the NITRO API, you can now use the following URL format.
    URL: http://<NSIP>/nitro/v1/stat/nsglobalcntr?args=counters:<counter1>;<counter2>
    Previously, these counter values could be viewed only through the "nsconmsg" Shell command.
    For more information, see
    [# 622976]
  • Prevent XSS and CSRF Attacks by Disabling Basic Authentication
    As an administrator or a root user, you can now prevent users from making API calls after using basic authentication (such as one-time credentials) to log on. You can use this feature to prevent Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), and other types of attacks.
    For more information, see
    [# 611690, 570838]

NetScaler GUI

  • NetScaler GUI Masks Full Path
    To enhance security, the NetScaler GUI no longer displays the full path to an admin partition when a file browser is opened for an activity such as SSL certificate installation. Everything except the last part of the path is masked.
    [# 661475]
  • Support for Atomicity in Wizards
    The new atomicity feature removes the residual configuration left by an unsuccessful configuration attempt, so that you can successfully reconfigure the entity by using a wizard in Citrix XenMobile, XenApp, NetScaler Gateway, NetScaler Unified Gateway, or GSLB. Previously, co-entities and other unwanted configurations left by the unsuccessful configuration attempt caused error messages to appear.
    [# 669990]
  • Support for POST and Redirect Bindings during Logout
    Now, if the NetScaler appliance is used as a SAML SP, it supports POST and Redirect bindings during logout. Previously, only POST binding was supported.
    [# 668254]
  • PHP Version Upgraded from Version 5.3.17 to 7.0.13
    PHP has been upgraded from version 5.3.17 to version 7.0.13 on the NetScaler appliance to resolve security vulnerabilities and stability issues with PHP.
    [# 572765]

NetScaler Gateway

  • Type of Service (ToS) support for UDP
    Type of Service (ToS) support for UDP ensures that once a ToS value is configured for a UDP packet by a sender, NetScaler Gateway retains the value until the packet reaches its destination. On the basis of the configured value and the destination network's configuration, the destination network places the UDP packet in a prioritized outgoing queue.
    Note: Using ToS information, you can assign a precedence to each IP packet and request a specific treatment such as high throughput, high reliability, low latency, and so on.
    For more information, see
    [# 637961]
  • Logging "Destination IP address" and "ICA Proxy policy name" for Outbound ICA Proxy
    "Destination IP address" and "ICA Proxy policy name" have been added to the information logged for Outbound ICA Proxy.
    [# 661832]
  • Support for logging out from a VPN session upon removal of smart-card from the logged on device.
    You can now specify that a VPN session is immediately terminated if the smart card is removed from the logged on device.
    [# 654943]
  • Outbound ICA Proxy support
    Outbound ICA Proxy support for NetScaler Gateway enables network administrators to use SmartControl functionality when Receiver and NetScaler Gateway are deployed in different organizations.
    For more information, see
    [# 608516, 666894]
  • Multi-Stream ICA Functionality Support for EDT
    NetScaler Gateway now supports multi-stream ICA functionality while using HDX Enlightened Data Transport (EDT) as a data transmission path.
    For more information, see
    [# 671878]
  • Support for EPA in GSLB Active-Active deployment
    End Point Analysis (EPA) now functions reliably in a GSLB Active-Active deployment.
    [# 619596]
  • Proxy Auto Configuration for Outbound Proxy
    You can now configure the NetScaler Gateway appliance to support Proxy Auto Configuration (PAC). Upon configuration, the URL of a PAC file is pushed to the client browser. The traffic from the client is then redirected to the respective proxies as determined by the conditions defined in the PAC file.
    For more information, see
    [# 378411]
  • Interoperability with OAuth
    NetScaler Gateway can now process JWTs (JSON Web Tokens) during logon. NetScaler Gateway must be configured with an OAuth action that contains the URL from which to fetch the certificates used to verify incoming JWTs. This enables NetScaler Gateway to interoperate with OAuth providers.
    For more information, see
    [# 671380]
  • Support RADIUS Accounting Capability to Log Connection Establishment and Connection Termination Events for Gateway in ICA Mode.
    NetScaler Gateway in ICA mode can now use RADIUS accounting to log connection establishment events and connection termination events.
    You can use the following new command to enable the ICA accounting functionality.
    set vpn parameter -icaUserAccounting <radius_policy>
    [# 638429]
  • PCoIP Proxy Support for VMware View
    NetScaler Gateway now supports the PCoIP protocol, which is the core building block for several VDI solutions, including VMware Horizon View. This enables the solution to deliver desktops and applications and secure data on a variety of endpoint devices more efficiently.
    For more information, see
    [# 632624]
  • The AlwaysON feature now supports captive portals.
    [# 654617]

NetScaler SDX Appliance

  • Support for Cluster Link Aggregation
    NetScaler SDX Appliances now support Cluster Link Aggregation (CLAG). CLAG allows you to combine a group of cluster-node interfaces into a channel. It is an extension of NetScaler link aggregation (LA). The only difference is that, while link aggregation requires the interfaces to be on the same device, in cluster link aggregation the interfaces are on different nodes of the cluster or distributed across NetScaler SDX Appliances. For more information, see
    [# 667370]
  • New CPU Visualizer
    The Management Service now provides a graphical representation of the NetScaler SDX appliance's CPU core allocation. The CPU Visualizer enables you to:
    - See how various cores of the CPU are allocated, and see the virtual machines associated with the cores.
    - Distinguish between the dedicated and shared cores.
    - See the hyperthread usage.
    - See the available CPU capacity, so that you can determine how many more virtual machines you can provision in the shared or dedicated mode.
    To access the CPU Visualizer, on the Dashboard, click Core Allocation.
    [# 659234, 615365]

NetScaler VPX Appliance

  • Support for Hyper-V Windows Server 2016
    NetScaler VPX appliances can now run on Hyper-V Windows Server 2016.
    For more information, see the Supported Hypervisors table at this link:
    [# 643975]
  • Support for High-Performance VPX on OpenStack
    You can now deploy high-performance NetScaler VPX instances that use single-root I/O virtualization (SR-IOV) technology, on OpenStack. Also, on the OpenStack host, you can configure VLAN tagging on the SR-IOV virtual functions.
    For more information, see
    [# 660055]
  • Support for Key-Pair Based Authentication
    For VPX deployment on KVM OpenStack, you can now use key-pair based authentication to log on and access a VPX instance in a more secure way. You can also execute custom scripts with a userdata file.
    For more information, see
    [# 617478]
  • Two New Commands to Control CPU Usage Behavior
    Two new commands, set ns vpxparam and show ns vpxparam, control the CPU-usage behavior of VPX instances in VMware ESX and Citrix Xen environments:
    1. set ns vpxparam -cpuyield (YES | NO | DEFAULT)
    Allows each VM to use CPU resources that have been allocated to another VM but are not being used.
    Parameters of set ns vpxparam:
    -cpuyield: Release or do not release allocated but unused CPU resources.
    YES: Allow allocated but unused CPU resources to be used by another VM.
    NO: Reserve all CPU resources for the VM to which they have been allocated.
    DEFAULT: Reset -cpuyield to its factory default value, which depends on the license:
    - If the license is <= 8G, release CPU resources.
    - If the license is > 8G, use all the CPU resources allocated to the VM.
    2. show ns vpxparam
    Displays the current vpxparam settings.
    [# 625698]
  • Support for VMware ESXi 6.5 server
    NetScaler VPX appliances now support VMware ESXi 6.5 server.
    For more information, see the Supported Hypervisors table at this link:
    [# 643974]


  • Assigning an ACL rule to an Existing Forwarding Session Rule
    You can assign an ACL rule to a Network-address or IPv6-prefix based forwarding session rule, in which case it becomes an ACL based forwarding session rule. You can also change an existing ACL rule to another ACL rule in an ACL based forwarding session rule.
    After the existing related forwarding session entries (if any) have timed out, the rules start using the newly assigned ACL to identify IPv4/IPv6 traffic for which to create a forwarding-session entry.
    For more information, see
    [# 657970]
  • NITRO API Support for Configuring IPv6 OSPF Protocol
    NetScaler appliances now support NITRO APIs for configuring the IPv6 OSPF (OSPF v3) protocol.
    [# 654083]
  • New process for Setting Aging Time for Bridge Table Entries
    The bridgeage (Aging Time) parameter, for setting the aging time of bridge table entries, has been deprecated from the NetScaler command line (set bridgetable command) and NetScaler GUI (System > Network > Bridge Table pane > Change Aging Time).
    This release introduces the bridgeagetimeout (Timeout Value For The Bridge Table Entries (seconds)) parameter as a configurable Layer 2 parameter for setting the aging time of bridge table entries.
    For more information, see
    [# 640772]
  • New Process for Configuring VXLANs
    The process for configuring VXLAN on a NetScaler appliance has changed. You must now perform the following tasks to configure a VXLAN:
    - Add a VXLAN entity.
    - Bind the local VTEP IP address to the VXLAN.
    - Add a bridgetable specifying the VXLAN ID and the remote VTEP IP address.
    Previously, you had to perform the following tasks to configure VXLAN:
    - Create an IP tunnel of type VXLAN and specify the local and remote VTEP IP addresses.
    - Create a VXLAN entity.
    - Bind the VXLAN tunnel to the VXLAN entity.
    For more information, see
    [# 664678]
  • IPv6 Link Local Support on Server Side of a Load Balancing Configuration
    IPv6 link local addresses are now supported for services, service groups, and servers of a load balancing configuration. You can specify a link local IPv6 address along with the associated VLAN ID in service, service group, and server configurations. The NetScaler appliance uses a link local SNIP6 address from the same VLAN as specified in those configurations to communicate with them. A link local IPv6 address and the associated VLAN ID are specified in the following format: <IPv6_Addrs>%<vlan_id>. For example, in fe80:123:4567::a%2048, fe80:123:4567::a is the link local address and 2048 is the VLAN ID.
    For more information, see
    [# 345180]
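The address%VLAN form above is easy to get wrong in a configuration (a global address with a VLAN suffix, a VLAN ID outside the 802.1Q range, or a SNIP6 on a different VLAN than the server), and each of those failures only shows up as unreachable back-end servers. The following Python is an added example, not NetScaler code: it validates the <IPv6_Addrs>%<vlan_id> form and checks that a SNIP6 and a server entry share a VLAN. The VLAN range 1-4094 and the sample values other than fe80:123:4567::a%2048 are constructed for the example.

```python
import ipaddress

# Usable 802.1Q VLAN ID range; an assumption made for this check, not a value
# taken from the release notes.
VLAN_MIN, VLAN_MAX = 1, 4094


def parse_link_local_with_vlan(text: str):
    """Parse '<IPv6_Addr>%<vlan_id>' and return (IPv6Address, vlan_id).

    Rejects anything that is not a link-local (fe80::/10) address with a VLAN
    ID in range, so a server entry that the appliance could never reach over
    the intended VLAN is caught when the configuration is written, not when
    traffic fails.
    """
    addr_part, sep, vlan_part = text.partition("%")
    if not sep:
        raise ValueError(f"missing %<vlan_id> suffix in {text!r}")
    addr = ipaddress.IPv6Address(addr_part)  # raises ValueError if malformed
    if not addr.is_link_local:
        raise ValueError(f"{addr} is not a link-local (fe80::/10) address")
    if not vlan_part.isdigit():
        raise ValueError(f"VLAN ID must be numeric, got {vlan_part!r}")
    vlan = int(vlan_part)
    if not VLAN_MIN <= vlan <= VLAN_MAX:
        raise ValueError(f"VLAN ID {vlan} outside {VLAN_MIN}-{VLAN_MAX}")
    return addr, vlan


def snip6_can_reach(server_spec: str, snip6_spec: str) -> bool:
    """True when the link-local SNIP6 is on the same VLAN as the server entry,
    which is the condition the notes give for the appliance to use it."""
    _, server_vlan = parse_link_local_with_vlan(server_spec)
    _, snip_vlan = parse_link_local_with_vlan(snip6_spec)
    return server_vlan == snip_vlan


if __name__ == "__main__":
    # Constructed sample entries; the first is the form shown in the notes.
    for spec in ("fe80:123:4567::a%2048", "fe80::1%4095", "2001:db8::1%10", "fe80::1"):
        try:
            print(spec, "->", parse_link_local_with_vlan(spec))
        except ValueError as err:
            print(spec, "-> rejected:", err)
```

The check deliberately refuses a global (non fe80::/10) address with a VLAN suffix instead of silently accepting it, because the VLAN qualifier only has meaning for link-local addresses.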
  • NITRO API Support for Configuring Dynamic Routing Protocols in Admin Partitions
    NetScaler appliances now support NITRO APIs for configuring the following dynamic routing protocols in admin partitions:
    - BGP (IPv4 and IPv6)
    - IPv6 OSPF (OSPF v3)
    [# 654161]
  • Support of Aggregated Statistics of Stateful INAT Sessions
    The NetScaler appliance can now display aggregated statistics of all stateful INAT sessions.
    To display the aggregated statistics by using the NetScaler command line, run the stat inatsession command without the name parameter.
    To display the aggregated statistics by using the NetScaler GUI, navigate to System > Network > Routes. On the INAT tab, click statistics without selecting any stateful INAT rule.
    For more information about configuring INAT, see
    [# 594627]


  • NetScaler Video Optimization for Telco Mobile Networks
    The new NetScaler Video Optimization feature supports video optimization techniques for optimizing encrypted (HTTPS) and non-encrypted (HTTP) video traffic over a mobile network. If a NetScaler appliance detects the incoming video traffic as Adaptive Bit Rate (ABR), it uses optimization techniques to optimize the traffic. By enabling the Video Optimization feature on the appliance, a network administrator can optimize encrypted and non-encrypted video traffic to reduce overall network bandwidth consumption.
    For more information, see
    [# 631830]


  • Supporting Custom Protocols on the NetScaler Appliance
    You can now use NetScaler protocol extensions to add support for custom protocols on the NetScaler appliance. The protocol extensions are part of the high-level scripting infrastructure available on the appliance. The scripting language is based on the Lua 5.2 programming language. To add a custom protocol to a NetScaler appliance, you write extension code that implements the applicable behaviors. Presently, only TCP-based custom protocols are supported, for example the Message Queuing Telemetry Transport (MQTT) protocol.
    For more information, see
    [# 633283, 676418]

Role-based Access

  • Configuring Separate Ports of a RADIUS Server for Accounting and Authentication Functionalities
    You can now configure separate ports of a RADIUS server (other than the default ports) for accounting and authentication functionalities.
    [# 355523, 634307]
  • Support for Logon Lockdown Control for System Role-Based Access Control Users
    The User Lockdown Control feature is now available for system role-based access control users on a cluster.
    [# 650547, 490670]


  • Cluster Support for OCSP Stapling
    OCSP stapling is now supported in a cluster setup.
    For information about OCSP stapling, see
    [# 668510]
  • Support for HTTP strict transport security (HSTS)
    NetScaler appliances now support HTTP strict transport security (HSTS) as a built-in option in SSL profiles and SSL virtual servers. Using HSTS, a server can enforce the use of an HTTPS connection for all communication with a client. That is, the site can be accessed only by using HTTPS. Support for HSTS is required for A+ certification from SSL Labs.
    You can enable HSTS in an SSL front-end profile or on an SSL virtual server. By setting the maximum age header, you specify that HSTS is in force for that duration for that client. You can also specify whether subdomains should be included.
    For more information, see
    [# 636384, 651353]
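Whether the HSTS option is set on a profile or a virtual server, what a client actually receives is a Strict-Transport-Security header, and that header is what to verify from the outside. The Python below is an added example, not NetScaler code: it builds the header value from the two settings the notes mention (maximum age and subdomain inclusion), parses a received value per RFC 6797, and reports why a response's policy is weak. The six-month minimum age and the sample header sets are assumptions constructed for the example.

```python
from typing import Dict, List

# Minimum max-age this check accepts. Six months is an assumption for the
# example; the release notes do not state a threshold.
MIN_MAX_AGE = 15768000


def build_hsts_value(max_age: int, include_subdomains: bool = False) -> str:
    """Build the Strict-Transport-Security header value a server would send."""
    if max_age < 0:
        raise ValueError("max-age must be non-negative")
    value = f"max-age={max_age}"
    if include_subdomains:
        value += "; includeSubDomains"
    return value


def parse_hsts_value(value: str) -> Dict[str, object]:
    """Parse a header value per RFC 6797: ';'-separated directives, names
    case-insensitive, unknown directives ignored."""
    parsed = {"max_age": None, "include_subdomains": False}
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name == "max-age":
            if not val.isdigit():
                raise ValueError(f"bad max-age value {val!r}")
            parsed["max_age"] = int(val)
        elif name == "includesubdomains":
            parsed["include_subdomains"] = True
    return parsed


def check_hsts(headers: Dict[str, str], min_max_age: int = MIN_MAX_AGE) -> List[str]:
    """Return findings for a response's headers; an empty list means the policy
    is present and strong enough. Header names are matched case-insensitively."""
    sts = next((v for k, v in headers.items()
                if k.lower() == "strict-transport-security"), None)
    if sts is None:
        return ["no Strict-Transport-Security header: clients are not told to use HTTPS only"]
    try:
        parsed = parse_hsts_value(sts)
    except ValueError as err:
        return [f"malformed Strict-Transport-Security value: {err}"]
    findings = []
    max_age = parsed["max_age"]
    if max_age is None:
        findings.append("max-age directive missing (required by RFC 6797)")
    elif max_age == 0:
        findings.append("max-age=0 tells clients to discard the HSTS policy")
    elif max_age < min_max_age:
        findings.append(f"max-age {max_age} is below the required {min_max_age}")
    if not parsed["include_subdomains"]:
        findings.append("includeSubDomains not set: subdomains stay reachable over HTTP")
    return findings


if __name__ == "__main__":
    # Constructed response header sets, not captured from a real server.
    samples = [
        {"Strict-Transport-Security": build_hsts_value(31536000, True)},
        {"strict-transport-security": "max-age=0"},
        {"Content-Type": "text/html"},
    ]
    for headers in samples:
        print(headers, "->", check_hsts(headers) or "ok")
```

Note that max-age=0 is not merely weak: it instructs browsers to forget a previously cached policy, so a misconfigured value can undo protection that earlier responses established.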
  • Support for ECDHE Ciphers at the Front End and Back End on NetScaler MPX/SDX 14000 FIPS Appliances
    Citrix NetScaler MPX/SDX 14000 FIPS appliances now support the ECDHE cipher group.
    The following ciphers are supported at the front end of the MPX/SDX 14000 FIPS appliance:
    - TLS1.2-ECDHE-RSA-AES-256-SHA384
    - TLS1.2-ECDHE-RSA-AES-128-SHA256
    The following ciphers are supported at the back end of the MPX/SDX 14000 FIPS appliance:
    - TLS1.2-ECDHE-RSA-AES-128-SHA256
    Because of its smaller key size, Elliptic Curve Cryptography (ECC) is especially useful in a mobile (wireless) environment. It is also very useful in an interactive voice response environment, where every millisecond is important. Smaller key sizes result in power, memory, bandwidth, and computational cost savings.
    The following ECC curves are supported: P_256, P_384, P_224, and P_521.
    By default, all four curves are bound to an SSL virtual server.
    For more information, see
    [# 651524]
  • Support for AES-GCM and SHA2 Ciphers at the Front End of MPX/SDX 14000 FIPS Appliances
    The NetScaler MPX/SDX 14000 FIPS appliance now supports AES-GCM and SHA2 ciphers at the front end.
    The following AES-GCM and SHA2 ciphers are supported at the front end of the MPX/SDX 14000 FIPS appliance:
    - TLS1.2-AES256-GCM-SHA384
    - TLS1.2-AES128-GCM-SHA256
    - TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
    - TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
    - TLS1.2-AES-256-SHA256
    - TLS1.2-AES-128-SHA256
    For more information, see
    [# 579751]
  • Updating an Intermediate Certificate without Breaking the Links
    You can now update an intermediate certificate without breaking any existing links if the optional AuthorityKeyIdentifier extension, in the linked certificate issued by the certificate to be replaced, does not contain an authority certificate serial number (authorityCertSerialNumber) field. If the AuthorityKeyIdentifier extension contains a serial number field, the certificate serial numbers of the old and new certificate must be the same.
    For example, let's say there are four certificates: CertA, CertB, CertC, and CertD. CertA is the issuer for CertB, CertB is the issuer for CertC, and so on. To replace intermediate certificate CertB with CertB_new, without breaking the link, the following condition must be met:
    If the AuthorityKeyIdentifier extension is present in CertC and this extension contains a serial number field, the certificate serial number of CertB should match the certificate serial number of CertB_new.
    Previously, the links broke if an intermediate certificate was updated.
    For more information, see
    [# 670108]
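The condition above turns on one optional field inside one extension, so it is worth being able to inspect it directly. The Python below is an added example, not NetScaler code: a minimal DER walker that decodes the AuthorityKeyIdentifier value of the certificate issued by the one being replaced (CertC in the notes' example) and applies the rule. It does not parse whole certificates; you would hand it the extension's value bytes. The two sample extension values, the key identifier, the dNSName issuer and the serial numbers are constructed for the example.

```python
# Minimal DER walker: enough to read the AuthorityKeyIdentifier extension
# value (RFC 5280, section 4.2.1.1). Not a general X.509 parser.
TAG_SEQUENCE = 0x30
TAG_KEY_IDENTIFIER = 0x80         # [0] IMPLICIT OCTET STRING
TAG_AUTHORITY_CERT_ISSUER = 0xA1  # [1] IMPLICIT GeneralNames (constructed)
TAG_AUTHORITY_CERT_SERIAL = 0x82  # [2] IMPLICIT INTEGER


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                         # long-form length
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:end], end


def parse_aki(der: bytes) -> dict:
    """Decode an AuthorityKeyIdentifier value into its three optional fields."""
    tag, body, end = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("AKI must be a single SEQUENCE")
    fields = {"key_identifier": None, "authority_cert_issuer": None,
              "authority_cert_serial_number": None}
    pos = 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag == TAG_KEY_IDENTIFIER:
            fields["key_identifier"] = value
        elif tag == TAG_AUTHORITY_CERT_ISSUER:
            fields["authority_cert_issuer"] = value   # raw GeneralNames, not decoded here
        elif tag == TAG_AUTHORITY_CERT_SERIAL:
            fields["authority_cert_serial_number"] = int.from_bytes(value, "big", signed=True)
        else:
            raise ValueError(f"unexpected tag 0x{tag:02x} inside AKI")
    return fields


def can_replace_issuer(child_aki_der, new_issuer_serial: int):
    """Apply the rule from the notes to the certificate issued by the one being
    replaced: the swap keeps the link unless the child's AKI carries an
    authorityCertSerialNumber that differs from the new issuer's serial.
    Returns (ok, reason)."""
    if child_aki_der is None:
        return True, "child certificate has no AuthorityKeyIdentifier extension"
    aki = parse_aki(child_aki_der)
    pinned = aki["authority_cert_serial_number"]
    if pinned is None:
        return True, "AKI carries no authorityCertSerialNumber; key identifier only"
    if pinned == new_issuer_serial:
        return True, "AKI serial matches the new issuer's serial"
    return False, f"AKI pins issuer serial {pinned:#x}; new issuer has serial {new_issuer_serial:#x}"


def _tlv(tag: int, value: bytes) -> bytes:
    """Short-form DER encoder used only to build the constructed samples below."""
    assert len(value) < 128
    return bytes([tag, len(value)]) + value


# Constructed sample extension values (not taken from any real certificate).
KEY_ID = bytes(range(1, 21))                       # 20-byte key identifier
AKI_KEYID_ONLY = _tlv(TAG_SEQUENCE, _tlv(TAG_KEY_IDENTIFIER, KEY_ID))
AKI_WITH_SERIAL = _tlv(TAG_SEQUENCE,
                       _tlv(TAG_KEY_IDENTIFIER, KEY_ID)
                       + _tlv(TAG_AUTHORITY_CERT_ISSUER, _tlv(0x82, b"ca.test"))  # dNSName in GeneralNames
                       + _tlv(TAG_AUTHORITY_CERT_SERIAL, bytes([0x10, 0x01])))     # serial 0x1001

if __name__ == "__main__":
    for label, aki in (("keyid-only", AKI_KEYID_ONLY), ("with-serial", AKI_WITH_SERIAL)):
        print(label, can_replace_issuer(aki, new_issuer_serial=0x2002))
```

Most public CAs emit only the keyIdentifier field, which is why the common case now survives an intermediate refresh; the serial-number form is what to look for in older or private-PKI chains before scheduling a replacement.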
  • Support for AES-GCM and SHA2 Ciphers at the Back End of MPX/SDX 14000 FIPS Appliances
    The NetScaler MPX/SDX 14000 FIPS appliance now supports AES-GCM and SHA2 ciphers at the back end.
    The following AES-GCM and SHA2 ciphers are supported at the back end of the MPX/SDX 14000 FIPS appliance:
    - TLS1.2-AES256-GCM-SHA384
    - TLS1.2-AES128-GCM-SHA256
    - TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
    - TLS1.2-AES-256-SHA256
    - TLS1.2-AES-128-SHA256
    For more information, see
    [# 611983]
  • Cluster Support for SSL Profiles
    The default SSL profiles are now supported in a cluster setup.
    For information about SSL profiles, see
    [# 668625, 664706, 664726, 667119]
  • Support for New MPX FIPS Platform
    This release supports the MPX 14000 FIPS platform, which is a high-end platform containing 63 crypto cores, available in the following models:
    Model number      System Throughput
    MPX 14030 FIPS    30 Gbps
    MPX 14060 FIPS    60 Gbps
    MPX 14080 FIPS    80 Gbps
    For more information, see
    [# 592833, 498222, 590397]
  • Support for New SDX FIPS Platform
    This release supports the SDX 14000 FIPS platform, which is a high-end platform containing 63 crypto cores, available in the following models:
    Model number      System Throughput
    SDX 14030 FIPS    30 Gbps
    SDX 14060 FIPS    60 Gbps
    SDX 14080 FIPS    80 Gbps
    For more information, see
    [# 597890]
  • Support for TLS1.2 signature hash algorithm
    The NetScaler appliance is now fully compliant with the TLS1.2 signature hash (sighash) extension.
    On an SDX appliance, if an SSL chip is assigned to a VPX instance, the cipher support of an MPX appliance applies. Otherwise, the normal cipher support of a VPX instance applies. NetScaler platforms support the following sighash combinations:
    - On a VPX instance: RSA-MD5, RSA-SHA1, RSA-SHA224, RSA-SHA256, RSA-SHA384, RSA-SHA512, DSA-SHA1, DSA-SHA224, DSA-SHA256, DSA-SHA384, DSA-SHA512.
    - On an MPX/SDX appliance with N3 chips: RSA-MD5, RSA-SHA1, RSA-SHA224, RSA-SHA256, RSA-SHA384, RSA-SHA512, ECDSA-SHA1, ECDSA-SHA224, ECDSA-SHA256, ECDSA-SHA384, ECDSA-SHA512.
    - On an MPX/SDX appliance without N3 chips: RSA-MD5, RSA-SHA1, RSA-SHA224, RSA-SHA256, RSA-SHA384, RSA-SHA512.
    Previously, the appliance supported only RSA-SHA1 and RSA-SHA256 on the front end, and RSA-MD5, RSA-SHA1, and RSA-SHA256 on the back end. In addition, the VPX appliance supported DSA-SHA1 on the front end and back end.
    With this enhancement, a NetScaler appliance can send SHA-384 and SHA-512 signature_algorithm extensions in the back-end Client Hello message. As a result, Windows IIS servers do not reset the connection if a SHA-384 or SHA-512 certificate is used.
    For more information, see
    [# 606904, 665257]


  • Displaying MPTCP Statistics
    The new "stat mptcp" command displays statistical information about MPTCP counters, including counters for total MPTCP traffic, current traffic, and erroneous traffic flowing through the NetScaler appliance.
    For more information, see
    [# 646498, 350115]
  • Direct HTTP/2 Connection Support
    A NetScaler appliance now supports direct HTTP/2 connections with clients. The default HTTP profile now includes a direct HTTP2 option (http2Direct), which by default is disabled. To use this option, you must enable it and associate the profile with services or virtual servers on which you want to use the direct HTTP/2 feature. Previously, the appliance used an HTTP protocol upgrade mechanism to upgrade the connection to HTTP/2.
    For more information, see
    [# 653154]
  • Configuring Memory Anomaly Trigger for Call Home
    Call Home can now proactively monitor the memory utilization of the NetScaler appliance. If memory utilization reaches its highest limit, or if a potential memory anomaly (for example, a leak) is detected, Call Home automatically uploads the system data to the Citrix Technical Support server for troubleshooting.
    For more information, see
    [# 637508]
  • Option to Allocate an Extra Management CPU
    According to your requirements, you can now allocate an extra management CPU from the packet engine pool in a NetScaler MPX appliance, for better performance when configuring and monitoring the appliance. This feature is supported on NetScaler MPX models 250xxx, 220xxx, 14xxx, and 115xx.
    For more information about how to allocate an Extra Management CPU, see
    [# 352233, 235321, 559207, 604165, 615657]
  • Monitoring Rate Limit Errors in Call Home
    The NetScaler Call Home feature can now monitor rate-limiting packet drops caused by exceeding either the throughput (Mbps or Gbps) limit or the packets-per-second (pps) limit.
    For more information, see
    [# 656569]
  • Silently Dropping Idle TCP Connections
    In a Telco network, almost 50 percent of a NetScaler appliance's TCP connections become idle, and the appliance sends RST packets to close them. The packets sent over radio channels activate those channels unnecessarily, causing a flood of messages that in turn cause the appliance to generate a flood of service reject messages. The default TCP profile now includes DropHalfClosedConnOnTimeout and DropEstConnOnTimeout parameters, which by default are disabled. If you enable both of them, neither a half-closed connection nor an established connection causes an RST packet to be sent to the client when the connection times out. The appliance just drops the connection.
    For more information, see
    [# 664057]
  • Configuring TCP Burst Control Parameters by using NetScaler GUI
    The following TCP Burst Control parameters are now configurable through either the NetScaler GUI or the command line interface. Previously, they could be configured only through the command line interface:
    1. BurstRateCntrl
    2. CreditBytePrms
    3. RateBytePerms
    4. RateSchedulerQ
    For more information, see
    [# 660828]
  • Configuring HMAC Keys for PI Function
    A new parameter of the ns hmackey command specifies the HMAC key value. A NetScaler default syntax policy expression uses the HMAC() function to compute a Hash-based Message Authentication Code on selected text. This function is derived from the RFC 2104 technique for authenticating the sender of a message and verifying that the contents of the message have not been altered. To set this value, type:
    HMAC(<keyValue>)
    The HMAC key value specifies the digest method and the shared secret key to be used for the HMAC computation.
    For more information, see
    [# 415808]
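The RFC 2104 construction the notes refer to is short enough to write out, and doing so shows what a third party that receives a NetScaler-computed code must do to check it: it needs the same digest method and the same shared secret, and it must compare in constant time. The Python below is an added example, not NetScaler code and not the appliance's HMAC() implementation; it builds the MAC from the inner/outer pad construction, checks the result against the standard library, and shows verification. The digest names, key and message are assumptions constructed for the example.

```python
import hashlib
import hmac

# Digest names accepted here. The notes say the key value names the digest
# method, but the NetScaler names are not given, so these are hashlib names
# (an assumption for the example).
DIGESTS = ("sha1", "sha256", "sha384", "sha512")


def hmac_rfc2104(key: bytes, message: bytes, digest: str = "sha256") -> bytes:
    """HMAC built directly from the RFC 2104 construction:
       H((K' XOR opad) || H((K' XOR ipad) || text))
    where K' is the key, hashed first if longer than the block size, then
    zero-padded to the block size."""
    if digest not in DIGESTS:
        raise ValueError(f"unsupported digest {digest!r}")
    block_size = hashlib.new(digest).block_size
    if len(key) > block_size:
        key = hashlib.new(digest, key).digest()
    key = key.ljust(block_size, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.new(digest, ipad + message).digest()
    return hashlib.new(digest, opad + inner).digest()


def matches_stdlib(key: bytes, message: bytes, digest: str = "sha256") -> bool:
    """Self-check: the hand-built construction must agree with hmac.new()."""
    return hmac_rfc2104(key, message, digest) == hmac.new(key, message, digest).digest()


def tag_text(key: bytes, text: str, digest: str = "sha256") -> str:
    """Hex MAC over selected text, the value a policy expression would attach."""
    return hmac_rfc2104(key, text.encode("utf-8"), digest).hex()


def verify_text(key: bytes, text: str, tag_hex: str, digest: str = "sha256") -> bool:
    """Recompute and compare in constant time, so the verifying side does not
    leak how many leading bytes of a forged tag were correct."""
    return hmac.compare_digest(tag_text(key, text, digest), tag_hex)


if __name__ == "__main__":
    key = b"shared-secret-constructed-for-example"   # constructed, not a real key
    text = "user=alice;role=admin"                    # constructed sample text
    tag = tag_text(key, text, "sha256")
    print("tag:", tag)
    print("genuine verifies:", verify_text(key, text, tag))
    print("altered text verifies:", verify_text(key, "user=alice;role=user", tag))
```

The two-layer hashing is what makes the shared secret usable with a Merkle-Damgard digest: a plain H(key || text) would let anyone extend the text without knowing the key, whereas the outer hash over the inner result closes that door.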
  • Configuring Encryption Keys for ENCRYPT() and DECRYPT() PI Functions
    To encrypt data sent between a NetScaler appliance (standalone, high availability, or cluster) and a third-party application, you can now create your own encryption key and share it with the third-party application. Previously, the appliance randomly generated the key values for all communication with third-party applications. The set ns encryptionParams command now has a parameter with which you can configure an encryption key value that can be shared. The NetScaler appliance can use the key for communication with a third-party application after you share the key and it is manually configured on the third-party application.
    For more information, see
    [# 242353]
  • Configuring SYN-Cookie Timeout Interval
    In addition to the SYN Cookie setting in the TCP profile, a NetScaler appliance now maintains a second SYN Cookie setting for each virtual server. This enhancement is especially important for cluster deployments. To protect the appliance against SYN attacks, the SYN Cookie parameter in the TCP profile is enabled by default. Previously, if you disabled it, its value would toggle to ENABLED if a SYN attack was detected. If the appliance was deployed in a cluster, the cluster configuration would become inconsistent until the parameter was toggled back to the DISABLED state after the attack. Now, the SYN Cookie parameter is enabled and disabled only for the virtual server that detects the SYN attack.
    Note: A SYN attack does not enable the SYN Cookie parameter for a virtual server unless the SYN Cookie parameter in the TCP profile is set to DISABLED.
    For more information, see
    [# 651196]
  • Protection Against Wrapped Sequence (PAWS) Algorithm
    On a NetScaler appliance, you can now enable the TCP timestamp option in the default TCP profile to use the Protection Against Wrapped Sequence (PAWS) algorithm. The algorithm can identify and discard old packets whose sequence numbers are within the current TCP connection's receive window because the sequence has "wrapped" (reached its maximum value and restarted from 0).
    For more information, see
    [# 652210]
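The discard decision PAWS makes is a modular comparison of 32-bit timestamps, and the interesting case is the one the notes describe: a stale segment arriving after the counter has wrapped. The Python below is an added example, not NetScaler code: it implements the receive-side timestamp test from RFC 7323 section 5.3 in reduced form (TS.Recent tracking plus the wrap-safe "older than" comparison) and replays a constructed sequence of timestamp values through it.

```python
MOD32 = 1 << 32


def ts_older(a: int, b: int) -> bool:
    """True if 32-bit timestamp a precedes b under wrap-safe comparison: the
    difference a - b, taken modulo 2^32, is negative as a signed 32-bit value.
    Equal timestamps are not 'older'."""
    return (a - b) % MOD32 >= (1 << 31)


class PawsReceiver:
    """Receive-side PAWS check (RFC 7323, section 5.3) reduced to the timestamp
    test: TS.Recent holds the newest timestamp accepted on the connection, and
    an arriving segment is discarded when its TSval is older than TS.Recent."""

    def __init__(self, ts_recent=None):
        self.ts_recent = ts_recent   # None until the first timestamped segment
        self.dropped = 0

    def accept(self, seg_tsval: int) -> bool:
        if self.ts_recent is not None and ts_older(seg_tsval, self.ts_recent):
            self.dropped += 1        # stale segment; RFC says drop it and send an ACK
            return False
        # Simplification: the RFC updates TS.Recent only for in-window segments
        # that cover the left edge; this model treats every accepted segment so.
        self.ts_recent = seg_tsval
        return True


def replay_trace(trace, ts_recent=None):
    """Feed a list of segment TSval values through the check and return the
    accept/drop decision for each, in order."""
    rx = PawsReceiver(ts_recent)
    return [rx.accept(ts) for ts in trace]


if __name__ == "__main__":
    # Constructed trace: two segments straddling the 2^32 wrap, then a stale
    # segment from before the wrap, then a fresh one.
    trace = [0xFFFFFFF0, 0x00000010, 0xFFFFFFEB, 0x00000011]
    for ts, ok in zip(trace, replay_trace(trace)):
        print(f"TSval {ts:#010x}: {'accept' if ok else 'drop (PAWS)'}")
```

The third segment in the trace would pass a plain sequence-number window check after a wrap; the timestamp comparison is what identifies it as old, which is exactly the gap PAWS closes.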
  • CONNECT Method for HTTP/2
    The HTTP/2 functionality on a NetScaler appliance now supports the use of the CONNECT method to establish a tunnel connection through a single HTTP/2 stream to a remote host.
    For more information, see
    [# 659955]
  • Encrypting user passwords by using SHA-512
    For enhanced security, the NetScaler appliance now uses the SHA-512 hashing algorithm to protect stored user passwords.
    Note: A user to which the following set of conditions applies cannot log on:
    1. The user is added, or the user's credentials are modified.
    2. The NetScaler software is then downgraded to an earlier build, but the modified configuration file (ns.conf) is used.
    [# 658393, 204279, 658859]
  • Configuring Heartbeat Time Interval for Call Home
    The Call Home feature periodically reports the latest status of the NetScaler appliance to Citrix Technical Support servers. The report has the same content as the registration message. Previously, Call Home sent the report once every 30 days, but you can now specify a time interval of 1 to 30 days. However, a value of less than 5 days is not recommended, because such frequent uploads are usually not very useful.
    For more information, see
    [# 655515]


  • Large Scale NAT64 SIP and RTSP ALGs Support for 464XLAT Connections
    NetScaler appliances now support Large Scale NAT64 RTSP and SIP ALGs for 464XLAT connections that use Large Scale NAT64.
    For a 464XLAT SIP connection using NAT64 and SIP ALG, the show lsn sipalgcall command now displays the IPv4 address (XLAT IP) of the subscriber. For a 464XLAT RTSP connection using NAT64 and RTSP ALG, the show lsn rtspalgsession command now displays the IPv4 address (XLAT IP) of the subscriber.
    464XLAT is an architecture that provides IPv4 connectivity across an IPv6-only ISP core network by combining the existing and well-known stateful translation at the core (Stateful NAT64; RFC 6146) and stateless protocol translation at the edge (IP/ICMP Translation algorithm; RFC 6145). In other words, 464XLAT provides connectivity between IPv4-only applications on IPv6 subscriber hosts and IPv4 Servers on the internet through an IPv6-only ISP core network.
    For more information about configuring SIP ALG for Large Scale NAT64, see
    For more information about configuring RTSP ALG for Large Scale NAT64, see
    [# 635880]
  • IP Address Sequence based NAT allocation for Deterministic Large Scale NAT Configurations
    A new parameter, alloc policy (Allocation Policy), has been introduced in LSN groups as part of deterministic LSN configurations. This parameter specifies one of the following types of deterministic allocation of NAT IP addresses and port blocks to subscribers:
    - Port block sequence allocation. The NetScaler appliance assigns the first block of ports on the first NAT IP address to the first subscriber IP address. The next range of ports is assigned to the next subscriber, and so on, until the NAT address does not have enough ports for the next subscriber. At that point, the first port block on the next NAT address is assigned to that subscriber, and so on. Port block sequence allocation already exists in previous releases.
    - IP address sequence allocation. The NetScaler appliance assigns the first port block on the first NAT IP address to the first subscriber IP address. The first port block on the next NAT IP address is assigned to the next subscriber, and so on, until the first port block of every NAT IP address has been allocated. At that point, the second port block on the first NAT IP address is assigned to the next subscriber, and so on.
    IP address sequence allocation is useful in Large Scale NAT deployments where the upstream servers limit the number of connections per subscriber IP address. Such deployments need NAT IP addresses and port blocks to be spread widely across subscribers, which IP address sequence allocation provides. IP address sequence allocation is introduced in this release.
    For more information about configuring large scale NAT44, see
    For more information about configuring dual-stack Lite, see
    For more information about configuring large scale NAT64, see
    [# 592675]
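Both allocation orders are simple arithmetic on a subscriber's position, and the property that matters for security operations is that the arithmetic runs backwards too: from a NAT IP and port seen in an abuse report you can name the subscriber without per-session logs. The Python below is an added example, not NetScaler code: it implements the two orders the notes describe for a small constructed pool and the reverse lookup. The policy names, the subscriber network, the NAT addresses, the port range and the block size are all assumptions for the example, not NetScaler parameter values.

```python
import ipaddress

# Hypothetical policy names for this example; the notes call the parameter
# "alloc policy" but do not give its CLI values, so these are not NetScaler's.
PORT_BLOCK_SEQUENCE = "PORTBLOCKS"
IP_ADDRESS_SEQUENCE = "IPADDRS"


class DeterministicLsn:
    """Deterministic NAT mapping: subscriber address -> (NAT IP, port block).

    subscriber_net: the subscriber range, in address order; nat_ips: ordered
    NAT IP addresses; port_start..port_end: usable NAT port range; block_size:
    ports per subscriber. Both allocation orders from the notes are
    implemented, plus the reverse lookup that makes the scheme auditable.
    """

    def __init__(self, subscriber_net, nat_ips, port_start, port_end, block_size, policy):
        if policy not in (PORT_BLOCK_SEQUENCE, IP_ADDRESS_SEQUENCE):
            raise ValueError(f"unknown policy {policy!r}")
        self.subscriber_net = ipaddress.ip_network(subscriber_net)
        self.nat_ips = [ipaddress.ip_address(ip) for ip in nat_ips]
        self.port_start, self.port_end, self.block_size = port_start, port_end, block_size
        self.policy = policy
        self.blocks_per_ip = (port_end - port_start + 1) // block_size
        self.capacity = self.blocks_per_ip * len(self.nat_ips)   # subscribers served

    def _index(self, subscriber_ip):
        ip = ipaddress.ip_address(subscriber_ip)
        if ip not in self.subscriber_net:
            raise ValueError(f"{ip} is outside {self.subscriber_net}")
        idx = int(ip) - int(self.subscriber_net.network_address)
        if idx >= self.capacity:
            raise ValueError(f"{ip}: NAT pool exhausted (capacity {self.capacity})")
        return idx

    def allocate(self, subscriber_ip):
        """Return (nat_ip, first_port, last_port) for a subscriber."""
        i = self._index(subscriber_ip)
        if self.policy == PORT_BLOCK_SEQUENCE:
            ip_idx, blk = divmod(i, self.blocks_per_ip)   # fill one NAT IP, then the next
        else:
            blk, ip_idx = divmod(i, len(self.nat_ips))    # rotate across NAT IPs first
        first = self.port_start + blk * self.block_size
        return str(self.nat_ips[ip_idx]), first, first + self.block_size - 1

    def subscriber_for(self, nat_ip, nat_port):
        """Reverse lookup: which subscriber was using this NAT IP and port."""
        ip_idx = self.nat_ips.index(ipaddress.ip_address(nat_ip))
        if not self.port_start <= nat_port <= self.port_end:
            raise ValueError(f"port {nat_port} outside the NAT port range")
        blk = (nat_port - self.port_start) // self.block_size
        if blk >= self.blocks_per_ip:
            raise ValueError(f"port {nat_port} is not inside an allocated block")
        if self.policy == PORT_BLOCK_SEQUENCE:
            i = ip_idx * self.blocks_per_ip + blk
        else:
            i = blk * len(self.nat_ips) + ip_idx
        if i >= self.capacity:
            raise ValueError("block is beyond the allocated range")
        return str(self.subscriber_net.network_address + i)


if __name__ == "__main__":
    # Constructed pool: 8 subscribers, 2 NAT IPs, 4 blocks of 4 ports each.
    for policy in (PORT_BLOCK_SEQUENCE, IP_ADDRESS_SEQUENCE):
        lsn = DeterministicLsn("192.0.2.0/29", ["203.0.113.1", "203.0.113.2"],
                               1024, 1039, 4, policy)
        print(policy)
        for host in range(4):
            sub = f"192.0.2.{host}"
            print("  ", sub, "->", lsn.allocate(sub))
        print("   203.0.113.2:1030 belongs to", lsn.subscriber_for("203.0.113.2", 1030))
```

With the IP address sequence order, consecutive subscribers land on different NAT addresses, which is the spreading effect the notes describe for upstream servers that cap connections per source address; the reverse lookup is identical in cost for both orders.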
  • Announce Opcode Support in PCP Servers
    When a PCP server is deleted, or when it is unbound from a large scale NAT (LSN) configuration, it multicasts an ANNOUNCE opcode to the subscriber devices, informing them that the PCP server is no longer available.
    For more information about configuring PCP for Large Scale NAT44, see
    For more information about configuring PCP for Large Scale dual-stack lite, see
    For more information about configuring PCP for Large Scale NAT64, see
    [# 632909]
  • Mapping Address and Port using Translation
    Mapping Address and Port using Translation (MAP-T) is an IPv6 transition solution for ISPs with IPv6 infrastructure to connect their IPv4 subscribers to the IPv4 Internet. MAP-T is built on stateless IPv4 and IPv6 address translation technologies. MAP-T is a mechanism that performs double translation (IPv4 to IPv6 and vice versa) on customer edge (CE) devices and border routers (BR) (in ISP core network).
    In a MAP-T deployment, the CE device implements a combination of stateful NAPT44 translation and stateless NAT46 translation. The CE device performs NAPT44 on IPv4 packets from the subscriber devices and it creates NAPT44 sessions to store the NAPT44 binding information. The CE device then translates the resulting NATted IPv4 packets to IPv6 packets and sends them to the BR device in the ISP's IPv6-only core network. The BR device translates the IPv6 packets from the CE device back to the NATted IPv4 packets using stateless NAT64 and then sends them to the IPv4 Internet.
    MAP-T is nearly stateless and does not require the BR device to perform NAT on the traffic; instead, NAT functionality is delegated to the CE devices. This delegation and the stateless operation of the BR allow the BR deployment to scale proportionally to the traffic volume.
    The NetScaler appliance implements the BR functionality of a MAP-T solution and is compliant with RFC 7599.
    For more information, see
    [# 642822]

Known Issues

The issues that exist in Build 41.16.


  • NTLM authentication fails when the NetScaler tries to negotiate with an LB virtual server in front of the NTLM server.
    Workaround: NetScaler accesses the NTLM server directly.
    [# 677747]
    In rare scenarios, the response cookie from an OWA 2013 server is not greater than 70 bytes when the NetScaler appliance is configured with Forms Based SSO. Hence, the length check for the cookie value in the success rule configured in the Forms SSO action on the NetScaler appliance needs to be updated with an appropriate value.
    [# 676450]
    If forms based Single Sign-On (SSO) is configured for Outlook Web Access (OWA) 2013 servers, the "successRule" configured in the forms SSO action must be corrected appropriately, because the server sends a 64-byte cookie on successful SSO.
    [# 681730]
  • If you configure a NetScaler FIPS appliance for SAML authentication, the appliance fails when it tries to process encrypted assertions from an external IDP. However, signed assertions and responses are handled correctly.
    [# 635174]
  • SHA256 digest algorithm is not supported on a NetScaler FIPS appliance configured for SAML authentication or as a SAML IDP. However, an appropriate error message does not appear in the browser.
    [# 639349]
    When SAML authentication is used as the logon method for Gateway users on FIPS hardware and an encrypted assertion is sent from the IdP, the NetScaler appliance dumps core.
    This applies only to FIPS hardware platforms.
    [# 677458]
    If the back-end server's domain name does not include a dot, DNS resolution fails during Kerberos Single Sign-On (SSO).
    [# 667953]


  • If multiple AppFlow policies are bound to the same bindpoint, only the last policy is chosen.
    [# 603177, 647386]
  • When ClientSide Measurements is enabled, and you access the NetScaler Gateway, then the Microsoft Internet Explorer browser displays an error.
    [# 680567, 688758]

Application Firewall

  • An alert is generated when you set the NetScaler AppFirewall session limit to a value of 0 or lower, because such a setting affects advanced protection check functionality that requires a properly functioning application firewall session.
    [# 668892]
  • Application firewall cross site scripting (XSS) protection blocks valid traffic even when relaxation rules for learning XSS blocking are enabled. The learned rule for the blocked XSS is not removed permanently from the learned database. The NetScaler application firewall relearns the same relaxation rule and continues to block valid traffic.
    [# 683197]
  • The NetScaler application firewall should bypass requests from application firewall processing after the system reaches a specified CPU/memory usage limit, but there is currently no policy for reviewing CPU and memory capacity and bypassing the application firewall.
    [# 660546]
  • On a NetScaler AppFirewall appliance, URL global pages cause memory buildup on the secondary node when the URL closure protection feature is enabled.
    [# 683366]
    In high availability (HA) mode, a failover occurs because of high memory consumption when the IP reputation feature is enabled.
    [# 668205]
  • If you have multiple application firewall policies configured on a load balancing virtual server, and a policy has a GotoPriority Expression of NEXT, the NetScaler AppFirewall policy order bypasses all security checks in that policy's profile and moves to the next policy.
    [# 682935]
  • When a third-party version-0 signature object is merged with a user-defined signature that is not version 0 and has both native and user-defined rules, the resulting signatures are all version 0 and do not include the native rules.
    To include the native rules, you must update both signature objects (third-party and user-defined) before the merge. The update changes the version from 0. If you then perform the merge operation, the Native rules are included.
    [# 672970]
    If you upgrade a NetScaler appliance in a high availability (HA) setup from version to version and skip 250 rules with active traffic, the GUI or CLI displays a "failed to skip some rules" error message and an operation time-out error message.
    Workaround: Turn off the Learning feature when skipping learned rules.
    [# 671807]
  • In the Visualizer, if you use Mozilla Firefox or Internet Explorer, some buttons in the Visualizer might not work.
    Workaround: Use a different web browser, such as Google Chrome.
    [# 648272]
  • Application Firewall port information about open ports, such as port 443, is not suppressed. It can therefore be detected by port scan tools such as NMAP in targeted hacker attacks.
    [# 674864]
  • A NetScaler AppFirewall appliance with the compression feature enabled sometimes puts blank lines in HTTP response headers, resulting in garbled page rendering by the browser.
    [# 629128]
  • The information that the GUI displays for the application firewall web services interoperability (WSI) check does not say that it is a prerequisite and cannot be disabled.
    [# 650789, 650317, 658472]

Command Line Interface

  • The NetScaler command line interface exits abruptly upon executing the "show dns addRec -format old" command.
    [# 512526, 527066, 545578, 631658, 635938, 643466, 652771, 667794]


  • When a remote GSLB service is configured with an external monitor on a GSLB site node, the state of this service might become inconsistent across packet engines, because of core-to-core message failures. In that case, the NetScaler appliance might generate incorrect replies to GSLB domain queries.
    [# 658108, 679822]

NetScaler CPX

  • Modifying the nf_conntrack_max sysctl variable to get better network performance can cause unexpected behavior. In that case, you have to increase the size of the connection-tracking and/or the hash table, and/or decrease timeout values. For more information, see
    [# 658734, 658736]

NetScaler GUI

  • The service group members do not appear in the output of the "show lb vserver" command if it is run on a cluster IP address.
    [# 642802, 668935]
  • If the feature "Force password change for nsroot user when default nsroot password is being used" is enabled and the nsroot password is changed at the first logon to the NetScaler appliance, the nsroot password change is not propagated to non-CCO nodes. Therefore, when an nsroot user logs on to non-CCO nodes, the appliance asks for password change again.
    [# 658132]
  • In Internet Explorer 7 and older versions, the browser incompatibility message does not appear for NetScaler build 11.1. The logon page appears directly, and you can log on successfully.
    [# 649052]
  • If the feature "Force password change for nsroot user when default nsroot password is being used" is enabled, and you log on as nsroot user, an extra session is created.
    [# 657924]

NetScaler Gateway

  • The RfWebUI-based theme is not supported for an authentication virtual server configured with classic authentication policies.
    [# 672333]
  • A memory leak gradually diminishes the amount of memory available for SSL VPNs. The NetScaler appliance eventually fails unless it is rebooted before memory utilization reaches too high a percentage.
    [# 660223, 677197, 551669, 544066]
  • If you log on to SharePoint 2013 through a Clientless Virtual Private Network (CVPN), a link on the Setting > Master Pages screen is broken: the link to Folders on Site is nonfunctional.
    Workaround: Either copy the link, paste it to a new tab, and click the new copy of the link, or right-click the link to automatically open it on a new tab.
    [# 680403]
  • If you log on to VPN through a cluster deployment, the value of Total Connected Users is shown incorrectly on the NSIPs of all the nodes. The correct value is shown on the CLIP.
    [# 681247]
  • When you run the "sh icaconnection summary" command, the columns in the output are misaligned.
    [# 670277]
  • Single sign-on (SSO) to StoreFront fails if the TCP fast open option is enabled for the default TCP profile of a manually created NetScaler Gateway virtual server.
    [# 656619]
  • If you log on to SharePoint 13 through a Clientless Virtual Private Network (CVPN) and the Gantt chart option under Tasks is selected, various options in the Tasks section (Completed, Late Task, and so on) are not accessible.
    [# 681689]
  • In rare situations, the NetScaler appliance dumps core if the SSL timeout field has a null value.
    [# 670973]
  • Updating a certificate-key pair used in SAML IDP samlSPCertName creates a duplicate entry and generates a "Cannot allocate memory" error message.
    [# 675983]
  • When a VPN virtual server is configured with RfWebUI as a portal theme, the NetScaler Gateway Windows plug-in does not automatically reconnect after the upgrade.
    [# 682689]
  • If you logon to SharePoint 13 using Clientless Virtual Private Network (CVPN), "Stop Following a Site" functionality is not available.
    [# 679744]
  • If you log on to SharePoint 13 through a Clientless Virtual Private Network (CVPN), you cannot access the OneDrive and Sites options on the home page if "Clientless Mode URL Encoding" is set to ENCRYPT.
    Workaround: Use a browser in incognito mode, or set "Clientless Mode URL Encoding" to OPAQUE or TRANSPARENT.
    [# 683390]
  • If you log on to SharePoint 2013 through a Clientless Virtual Private Network (CVPN), you cannot use Internet Explorer to open a word (.doc) document.
    Workaround: Use Firefox to open the document.
    [# 679713]
  • When hundreds of users try to log on to NetScaler Gateway at about the same time, the logon page might stop loading, or it might load very slowly, in which case the logon process takes a very long time to complete.
    Workaround: Configure new cache policies to ensure that en.xml and config.xml files get cached only once in the NetScaler cache. To configure new cache policies, use the following CLI commands:
    add cache selector en_config_xml_cache_selector http.req.url.path http.req.method http.req.hostname
    add cache contentGroup en_config_xml_cache_group -relExpiry 120 -maxResSize 16000 -memLimit 28 -hitSelector en_config_xml_cache_selector
    add cache policy en_config_xml_cache_pol -rule "HTTP.REQ.URL.PATH_AND_QUERY.STARTSWITH_ANY(\"vpn_cache_dirs\") && (HTTP.REQ.URL.CONTAINS(\"/resources/config.xml\") || HTTP.REQ.URL.CONTAINS(\"/resources/en.xml\"))" -action CACHE -storeInGroup en_config_xml_cache_group
    bind vpn vserver <name-of-customer's-vpn-vserver> -policy en_config_xml_cache_pol -priority 5 -gotoPriorityExpression END -type REQUEST
    Note: If you have multiple active VPN virtual servers, enter the last command multiple times, once for each active VPN virtual server.
    [# 684774]
  • The DTLS feature must not be enabled on a virtual server that is configured with a "listen" policy. Running the "add vpn vser" command on a virtual server with the DTLS feature enabled and a "listen" policy configured returns success, but the DTLS feature is not enabled on the virtual server.
    Workaround: To enable the DTLS feature on a virtual server configured with a "listen" policy, first remove the policy and then enable the DTLS feature.
    Note: Conversely, if you configure a "listen" policy on a virtual server that has the DTLS feature enabled, the "listen" policy is applied and the DTLS feature is disabled automatically.
    [# 679025]
  • If you log on to SharePoint 2013 through a Clientless Virtual Private Network (CVPN), the hyperlinks listed under "Sites" are nonfunctional.
    Workaround: Either copy the link, paste it to a new tab, and click the new copy of the link, or right-click the link to automatically open it on a new tab.
    [# 679117]
  • An error message appears when a user logs off from a StoreFront session if Gateway logon uses SAML-based authentication for ICA Proxy mode.
    Workaround: Log off by closing the browser.
    [# 646706]
  • If you log on to SharePoint 2013 through a Clientless Virtual Private Network (CVPN), you cannot use Internet Explorer to add a new item to the calendar.
    Workaround: Use Chrome or Firefox.
    [# 679747]
  • The Internet Explorer 8 browser does not display the Gateway portal if the portal theme is set to Default, Greenbubble, or X1. The portal does appear if the portal theme is set to RfWebUI.
    [# 669942]
  • If you log on to SharePoint 2013 through a Clientless Virtual Private Network (CVPN), you can't drag and drop files.
    Workaround: Upload the document instead of using drag and drop.
    [# 679193]
  • If nFactor authentication is configured on a NetScaler Gateway appliance running release 11.1 build 51.x or later, native clients use the authentication policies configured on the authentication virtual server. See for details.
    [# 680378]
  • After a NetScaler HA failover, the Citrix Receiver takes a few seconds to reconnect.
    [# 672067]
  • If you log on to SharePoint 2013 through a Clientless Virtual Private Network (CVPN), you cannot upload a Profile Picture.
    Workaround: Use Chrome or Firefox.
    [# 679176]

NetScaler ICA

  • The Session Reliability on HA Failover feature is not supported between 64-bit and 32-bit kernels in an HA pair.
    [# 681628]
  • If AppFlow for ICA is enabled on a NetScaler appliance, applications might disconnect intermittently under certain network traffic conditions.
    [# 650607]

NetScaler SDX Appliance

  • When you use a single-bundle image file to upgrade a NetScaler SDX appliance, the upgrade-progress page might become unresponsive.
    Workaround: After the estimated time initially provided by the Management Service has elapsed, refresh the upgrade-progress page in the browser to view the actual status of the upgrade.
    [# 672042]
  • In some cases, individual flow control (RX and TX) might not work for interfaces on the NetScaler SDX appliance.
    [# 643853]
  • The current software driver for the 1GbE port does not support hot-swapping of 1G SFP transceivers on NetScaler SDX 115xx models.
    Workaround: After replacing the 1G SFP transceiver, reset the interface from the Management Service. If the issue persists, restart the appliance.
    [# 668696]
  • When you create or delete a 10G LACP or static channel, transmission stalls on the member interfaces of the channel, and therefore those interfaces stop processing traffic.
    Workaround: Delete the 10G LACP/static channel that has this issue and create it again.
    [# 600152]

NetScaler VPX Appliance

  • The physical link status of a PCI passthrough interface of a NetScaler VPX appliance is not updated when the state of the link is changed (for example, when the link is enabled, disabled or reset) because of a limitation in the Intel XL710 NIC. As a result, any active traffic over the PCI passthrough interface fails during this time.
    [# 660159]
  • If you configure an MTU value on a NetScaler VPX appliance running on Citrix XenServer, save the configuration, and then force a shutdown, the saved MTU value is lost and the appliance displays the old value.
    [# 676417]
  • Due to a limitation in the XenServer platform, if NetScaler virtual appliances with different interface types, such as SR-IOV and para-virtualized (PV) interfaces, use the same physical NIC, traffic between those virtual appliances fails.
    [# 652640]
  • In a NetScaler VPX HA deployment running on AWS, when a failover makes the secondary node primary, the network interfaces are attached to the new primary in the wrong order.
    For example, if the primary node has NICs 1/2 (AA:BB:CC:DD:EE:FF), 1/3 (12:34:56:78:90:12), and 1/4 (1A:2B:3C:4D:5E:6F), after failover the new primary has 1/2 (1A:2B:3C:4D:5E:6F), 1/3 (AA:BB:CC:DD:EE:FF), and 1/4 (12:34:56:78:90:12). That is, the interface-to-MAC order has changed. This behavior does not apply to the NIC that is configured with the NetScaler management IP address.
    [# 675746]
  • If you use the "ip link set" command on the host to change the VLAN ID of a virtual function (VF) to zero, or to any other valid value, the physical function (PF) continues to process tagged packets with the original tag and does not reflect the new VLAN ID.
    Workaround: Run a reset command on the NetScaler VF after removing or changing the VLAN ID on the host. For example:
    reset interface 10/1
    [# 672441]
  • Due to a limitation in the Linux-KVM and VMware ESX platforms, if you add new PCI passthrough interfaces to an existing NetScaler virtual appliance configured with SR-IOV interfaces, the PCI passthrough interfaces might take precedence over the existing SR-IOV interfaces.
    [# 660000]
  • Compatibility issues between Linux-KVM and the Intel XL710 interface might cause a NetScaler virtual appliance configured with a PCI passthrough to become unresponsive during startup.
    Workaround: Restart the Linux-KVM host.
    [# 660139]
  • The NetScaler virtual appliance might fail to start if you have configured 15 or more SR-IOV and PCI passthrough interfaces.
    [# 657492]


  • While responding to a VXLAN broadcast (for example, ARP and ND6), the NetScaler appliance does not look up the bridge table to populate the VNI field in the VXLAN header. The VNI field in the VXLAN header of the response is same as that of the incoming broadcast. This results in the peer VTEP dropping the response packets.
    [# 675626]


  • The video insight option cannot be enabled for a specific virtual server. You can only enable it as a global setting (set appflow param -videoInsight ENABLED).
    [# 678625]
  • The NetScaler video optimization feature does not display the optimization statistics on the Dashboard or in the Reporting section of the NetScaler GUI.
    [# 678095]
  • The built-in video detection policies have new names, which more clearly represent the purposes of the policies.
    [# 681308]
  • The new video optimization feature is not supported on a partitioned NetScaler appliance.
    [# 677320]
  • When configuring the NetScaler video optimization feature, you cannot bind built-in detection policies or custom optimization policies to multiple virtual servers. An attempt to do so produces the following error message, "ERROR: CVPN Policies cannot be bound to multiple entities."
    For example:
    > bind lb vserver IPv4_TCP_80-ABR -policyName ns_videoopt_http_abr_netflix -priority 600 -gotoPriorityExpression 3300 -type RESPONSE
    > bind lb vserver IPv6_TCP_80-ABR -policyName ns_videoopt_http_abr_netflix -priority 601 -gotoPriorityExpression 3301 -type REQUEST
    ERROR: CVPN Policies cannot be bound to multiple entities
    [# 682864]
  • For NetScaler video optimization feature to work properly, you must not delete the built-in policies that have an "ns_videoopt" prefix (for example, ns_videoopt_http_abr_netflix).
    [# 670449]
  • The Video Optimization feature is supported on 32-bit NetScaler platforms only. If you deploy the feature on a 64-bit platform, the appliance displays an error message and crashes.
    [# 676593, 677838, 679578, 681853]
  • A NetScaler appliance crashes if you generate AppFlow or ULFD records for clear-text video transactions.
    [# 682947]


  • A NetScaler VPX instance does not reboot successfully when deployed on a Linux KVM host with Xeon E5-26xx v2 processors.
    Workaround: Reload the kvm_intel module with enable_apicv=N parameter by using the following command:
    modprobe kvm_intel enable_apicv=N
    [# 587727, 615203, 642617, 657386]
  • Interfaces on NetScaler VPX instances are not hot-pluggable, except on NetScaler VPX appliances running on Amazon AWS.
    Workaround: Shut down the NetScaler VPX instances before adding or deleting the interfaces.
    [# 578198, 682586, 680889]


  • If you use classic expressions to filter the output of the show connectiontable command, only a warning message appears.
    Workaround: Use advanced expressions instead.
    [# 680916]


  • Secure session tickets are not supported in this build. If your deployment uses secure session tickets, do not upgrade from release 11.1-54.x to this build.
    [# 690231]
  • In rare cases, a NetScaler appliance might dump core and restart if you add a certificate revocation list (CRL) larger than 256 KB.
    [# 674278, 678890]
  • The value for days to expiration of a certificate appears incorrectly on a cluster IP (CLIP) address.
    [# 682493]
  • In a cluster setup, if a client certificate is bound to a back-end SSL service or service group, it appears as a "Server Certificate" instead of a "Client Certificate" when you run the "show ssl service" or the "show ssl servicegroup" command on the CLIP address.
    [# 667389]
  • In a high availability deployment, session-tickets functionality is lost after you issue a force failover twice. Sessions are resumed on the basis of session ID instead of session tickets.
    [# 683034]
  • If you run the "sh ssl service group" command on the cluster IP (CLIP) address and on nodes of a cluster setup, ECC curves are displayed as unbound from the CLIP.
    [# 660257]
  • A NetScaler appliance might dump core and restart if you have configured policy based SSL renegotiation and a client sends multiple SSL records before renegotiation is initiated.
    [# 673348, 682192, 682160, 684547, 684992, 687515]
  • The NetScaler appliance might occasionally send a wrong certificate if SNI is enabled.
    [# 675158]
  • A few client-authentication connections are dropped when ocspCheck is configured and the configured OCSP responder is domain based.
    [# 675882, 677473]


  • On a partitioned NetScaler appliance, you can no longer use a single command to bind both a system user and a command policy to a system group. Instead, you must use two separate commands. For example:
    bind system group grpX -userName userX
    bind system group grpX -policyName superuser 1
    If you try to bind both arguments with a single command, the appliance displays an error message: Arguments cannot both be specified [policyName, userName].
    [# 652345]
  • If the number of session IDs maintained for clients exceeds the threshold of 16 million entries, the configuration engine might crash, which affects management traffic. As a result, the management connection closes and the administrator must log back on to the NetScaler appliance.
    [# 676599]
  • If you enable Front End Optimization (FEO) and configure Integrated Cache (IC) with cache selectors, the NetScaler appliance might crash.
    [# 677943]
  • Before an event loss in a weblog connection, snd_cwnd sends the weblog client a send_data_0 request for more data. The event loss causes the appliance to reduce the snd_cwnd congestion window, which causes a pitboss crash because SACK-based recovery does not have interleaving logic.
    [# 674934]
  • If a load balancing virtual server configured with a backup server is down, the si_cur_Client counter underflows, causing client connections for the virtual server to display abnormal values in the NetScaler GUI.
    [# 682762]
  • The initial probe connection that a NetScaler appliance makes to a back-end internet server to check server availability can now be reused for the actual server connection to that internet server.
    [# 654087]
  • A NetScaler appliance might not initiate a rewrite action correctly if data is modified in adjacent fields in the message.
    [# 657565]
  • If a NetScaler appliance sends a large number of packets on a TCP connection, and the network randomly drops a few of the packets, multiple sets of continuous packet loss ("holes") are created. When the appliance retransmits the packets, the network interface card (NIC) drops packets.
    [# 643929]
  • If a wildcard virtual server's redirection mode is set to IP (-m IP), the NetScaler appliance cannot forward a TCP connection request to a service bound to that virtual server if the back-end server is down.
    [# 331889]


  • In a high availability setup, forcing synchronization does not synchronize Port Control Protocol (PCP) mappings to the secondary node.
    [# 647630]