Applicable Products
- NetScaler Secure Web Gateway
For: NetScaler Gateway 10.5, Build 54.9
Replaces: None
Date: December, 2014
Language supported: English (US)
Readme version: 1.4
Important Note
Caution! Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.
Where to Find Documentation
This document describes the issue(s) solved, new features, and known issues in this build and includes installation instructions.
The latest version of the product documentation is available from Citrix eDocs at http://edocs.citrix.com.
Installing This Maintenance Build
The latest version of the NetScaler Gateway software can be downloaded from the Citrix web site.
To download the NetScaler Gateway software from the Citrix web site
Go to the Citrix Web site, click My Account, and then log on.
At the top of the web page, click Downloads.
Under Find Downloads, select NetScaler Gateway.
In Select Download Type, select Product Software and then click Find.
On the NetScaler Gateway page, click NetScaler Gateway 10.5.
Select the software and then click Download.
When the software is downloaded to your computer, you can install the software by using the Upgrade Wizard in the Configuration Utility or the command-line interface.
To install the maintenance build by using the Upgrade Wizard
In the Configuration Utility, in the left pane, click System.
In the right pane, click Upgrade Wizard.
Click Next and then follow the directions in the wizard.
To install this maintenance build by using the command-line interface
To upload the software to the NetScaler Gateway, use a secure FTP client to connect to the appliance.
Copy the software from your computer to the /var/nsinstall directory on the appliance.
Open a Secure Shell (SSH) client to open an SSH connection to the appliance.
At a command prompt, type shell.
At a command prompt, type cd /var/nsinstall to change to the nsinstall directory.
To view the contents of the directory, type ls.To unpack the software, type tar –xvzf build_X_XX.tgz, where build_X_XX.tgz is the name of the build to which you want to upgrade.
To start the installation, at a command prompt, type ./installns. Convective heat transfer kakac solution manual.
When the installation is complete, restart NetScaler Gateway.
When the NetScaler Gateway restarts, at a command prompt type what or show version to verify successful installation.
NetScaler Gateway 10.5 Compatibility with Citrix Products
The following table provides the Citrix product names and versions with which NetScaler Gateway 10.5 is compatible.
Citrix Product | Release Version | Notes |
Branch Repeater or CloudBridge | 5.5, 6.1, 6.2, 7.0, 7.1, and 7.2 | |
NetScaler | 9.2, 9.3, 10.1, and 10.5 | |
NetScaler Platforms | MPX 5550, MPX 7500, MPX8200, MPX 10500, Xen VPX | |
NetScaler VPX | 9.1, 9.2, 9.3, 10.1 and 10.5 | |
Receiver Storefront | 1.2, 2.1, and 2.5 | |
VDI-in-a-Box | 5.2, 5.3 and 5.4 | Note: Compatibility with VDI-in-a-Box, Version 5.0.3 supports the SOCKet Secure (SOCKS) protocol only. |
Web Interface | 4.5, 5.0.1, 5.1, 5.2, 5.3, and 5.4 | |
XenApp | 6.5 for Windows Server 2008 R2 | |
XenDesktop | 7.0, 7.1, and 7.5 | |
XenMobile | 9.0 | |
XenMobile App Edition | App Controller 2.8 and 2.9 |
Supported Receivers and Plug-ins
Receiver or Plug-in | Release Version | NetScaler Gateway Version |
NetScaler Gateway Plug-in for Mac OS X | 3.0.1 | Supports Mac OS X 10.9 (Mavericks) |
NetScaler Gateway Plug-in for Windows | 10.5 | Supports Windows 8.1 |
Receiver for Android | 3.4 and 3.5 | |
Receiver for iOS | 5.8 and 5.9 | |
Receiver for Mac | 11.8.x | |
Receiver for Windows | 4.0, and 4.1 | |
Worx Home for iOS | 8.5 and 8.6 | |
Worx Home for Android | 8.5 and 8.6 | |
WorxMail for iOS | 1.3.3-16 | |
WorxWeb for iOS | 1.3.1-3 | |
WorxMail for Android | 1.3.13-233936 | |
WorxWeb for Android | 1.3.3-234245 |
New Features from Previously Released Maintenance Builds
On Windows-based devices, there are two new registry entries for NetScaler Gateway that override Citrix Receiver for Windows behavior. The new registry entries specify the following:
Enable or disable client cleanup on the user device when Receiver is also running.
Show or hide the NetScaler Gateway Plug-in icon even if it is integrated with Receiver.
To enable client cleanup
Note: Enable client cleanup on NetScaler Gateway and then set the registry entry on the user device.
HKEY_LOCAL_MACHINESOFTWARECitrixSecure Access Client
Name: AllowCleanup
Type: REG_DWORD
Data: 1To show the NetScaler Gateway Plug-in icon
HKEY_LOCAL_MACHINESOFTWARECitrixSecure Access Client
Name: DisableIconHide
Type: REG_DWORD
Data: 1[From NG_10_5_52_11] [#406312]
NetScaler Gateway supports network traffic through a forward proxy between the appliance and servers in the internal network when users log on by using clientless access and when Secure Browse is enabled on the Security tab in a session profile.
[From NG_10_5_54_4][#451933]
Fixed Issues in This Release
If you configure advanced endpoint analysis policies, endpoint analysis encryption, a proxy server, and client certification authentication, the NetScaler Gateway Plug-in does not connect and users receive the error message, '2017: Your computer does not have the necessary security software to connect to the NetScaler Gateway. Please contact your system administrator.'
[From NG_10_5_54_2][#466641]
When users log on with the NetScaler Gateway Plug-in, if the users TCP connection closes and the connection to the internal network through NetScaler Gateway is in progress, the appliance might fail.
[From NG_10_1_130_9][#500207]
In a double-hop DMZ deployment, if the Receiver connection closes and the connection to XenApp or XenDesktop is in progress, the appliance might fail.
[From NG_10_1_130_9][#508831]
When users are authenticated in the NetScaler Gateway against a LDAP (Lightweight Directory Access Protocol) server configured on FQDN (Fully Qualified Domain Name), authentication fails. As a workaround, LDAP servers can be configured with an IP address.
[From NG_10 _5_54_2][#509970]
When user connects to a multi-core NetScaler Gateway running out of memory during inter-core communication, NetScaler Gateway fails.
[From NG_10 _5_54_2][#513385]
When the HTTPS proxy is configured with NTLM authentication and the NetScaler Gateway is activated with single sign-on, if the proxy credentials are incorrect, login fails. The TCP connection setup with Proxy closes the connection with 407 error.
[From NG_10 _5_54_4][#515043]
When the Endpoint Analysis is configured, the users are redirected to index.html. Otherwise, a session is created for any arbitrary URL if the authentication is disabled on the NetScaler Gateway.
[From NG_10 _5_54_4][#516257]
NetScaler Gateway does not support single sign-on (SSO) to public servers unless single sign-on is enabled in a traffic profile or if split tunneling is enabled.
[From NG_10 _5_54_4][#518414]
Known Issues in This Release
When you use the Set Up NetScaler for XenApp/XenDesktop wizard in NetScaler, apply optimization settings, and bind the cache policy globally, when users log on with the NetScaler Gateway Plug-in and open Citrix Receiver, the applications and desktops do not appear. The following message appears: There are no apps or desktops assigned to you at this time. Citrix recommends disabling the optimization settings.
[From NG_10_5_53_9][#411152]
If you enable advanced endpoint analysis on a virtual server, if users connect from a Windows-based computer with Windows BitLocker Drive Encryption, the endpoint analysis scan fails with the error 'Your device does not meet the requirements to logging on to the secure network.' Endpoint analysis scans for BitLocker Drive encryption are not supported.
[From NG_10_5_53_9][#442649]
In a session profile, if you configure the Home Page on the Client Experience tab or the Web Interface Address on the Published Applications tab with a fully qualified domain name (FQDN) that resolves to a local server or a load balancing server, the high availability node might fail during synchronization or configuration changes. This can also occur if you unbind the session policy from the virtual server or if you clear the configuration on the appliance.
[From NG_10_5_53_9][#451758]
When users connect, the DNS Service Location (SRV) records configured on NetScaler Gateway are not served.
[From NG_10_5_53_9] [#464518]
If you configure two-factor authentication with client certificates and LDAP and if Deny SSL Renegotiation is set to All, user connections fail. You must set the parameter to No.
To configure Deny SSL Renegotiation
- In the configuration utility, on the Configuration tab, in the navigation pane, expand Traffic Management and then expand SSL.
- In the details pane, under Settings, click Change advanced SSL settings.
- In Change Advanced SSL Settings, in Deny SSL Renegotion, select No and then click OK.
[From NG_10_5_53_9] [#480009]
If you configure SSL renegotiation and users log on with a PKI-enabled client certificate, logon fails.
[From NG_10_5_51_10] [#487825]
If users log on to Outlook Web App by using clientless access in a Firefox web browser, sending email fails.
[From NG_10_5_50_10][#418106]
When users log on, they receive a prompt to install the Endpoint Analysis Plug-in, even though the latest version of the plug-in is installed on the user device.
[From NG_10_5_50_10][#446735]
If users log on by using the NetScaler Gateway Plug-in dialog box and the endpoint analysis scan fails, the choices pages appears in Internet Explorer. When this occurs, the correct cookies are not sent from Internet Explorer and users receive a 403 forbidden error message or the Endpoint Analysis Plug-in web page appears.
[From NG_10_5_50_10][#447689]
When users log on for the first time from a Mac OS X 10.9 computer, if the Endpoint Analysis Plug-in starts in Safari 7.x, the attempt fails because the plug-in is not installed. Users receive the error message 'There is no application set to open the URL com.citrix.agmacepa.' Users can click Cancel in the message and then click the Download link in Safari.
[From NG_10_5_50_10][#454662]
Earlier versions of the NetScaler Gateway Plug-in do not support OPSWAT endpoint analysis scans. When users connect to NetScaler Gateway, logon fails because the earlier version of the plug-in does not support OPSWAT endpoint analysis scans. Users can log on from a web browser and then select Network Access, which starts the upgrade to the latest version of the NetScaler Gateway Plug-in and the Endpoint Analysis Plug-in.
[From NG_10_5_50_10][#454670]
If you configure an endpoint analysis expression that includes hard disk encryption scan types ENC-TYPE and ENC-PATH, a -13 error message always appears. For example, you use the expression HD-ENC_76003_ENC-PATH__e_ENC-TYPE_noneof_0,1,2.
[From NG_10_5_50_10][#457436]
If you configure a preauthentication policy that checks for Avira Antivirus on a Mac OS X computer and the virus definitions update by using the SCAN-TIME/VIRDEF-FILE-TIME parameter, the OPSWAT libraries use the date and not the time. You must configure this setting by using the number of days between updates.
[From NG_10_5_50_10][#467180]
If you configure logon and logoff scripts that are part of a session profile, if the scripts contain Unicode characters, users cannot log on or log off of NetScaler Gateway.
[From NG_10_5_50_10][#469799]
If you enable a proxy server and disable ICA proxy in a session profile, users cannot start published applications.
[From NG_10_5_50_10][#470220]
If you enable digest authentication in Internet Information Services (IIS), if users log on with Unicode credentials, add the IIS website as a bookmark and then click the bookmark, single sign-on fails. Users receive a prompt to enter their user name and password.
[From NG_10_5_50_10][#470495]
During an endpoint analysis scan, NetScaler Gateway does not detect Trend Micro Titanium installed on a Mac OS X computer. As a result, the scan always fails.
[From NG_10_5_50_10][#474615]
If you enable the Green Bubble theme and then run the Clear Config -f Extended+ command , the Green Bubble theme remains instead of reverting back to the Default theme. To reset the value, you can run the set vn para uitheme command.
[From NG_10_5_50_10][#478536]
Citrix recommends that you do not bind Policy Infrastructure (PI) policies to the NetScaler Gateway virtual server. NetScaler Gateway does not support Policy Infrastructure (PI) policies.
[From NG_10_5_50_10][#481722]
If you configure the Web Interface home page with an IPv6 URL instead of IPv4 or the fully qualified domain name (FQDN), users receive a 400 Bad request error when they log on.
[From NG_10_5_50_10][#482263]
If you created a Netscaler Gateway virtual server by using the Quick Configuration wizard in NetScaler Gateway 10.1, the virtual server needs to be renamed with the prefix _XM_. For example, if the original virtual server name is XMGateway, you must manually rename it to _XM_Gateway. By changing the name with the correct prefix, you can see the virtual server in the wizard.
[From NG_10_5_50_10][#484962]
When both the Netscaler VPX and the Storefront server are mounted on the same Microsoft Hyper-V, if you upgrade NetScaler VPX from Version 10.1, Build 121.10 to Version 10.5 Build 51.10, user log on to Storefront fails.
[From NG_10_ 5_ 53_9][#503614]
The pop-up messages for NetScaler Gateway Plug-in for Windows appear behind the active applications (such as browsers) on Windows 8.
[From NG_10_5_54_51_10][#511757]
When users log on, the IP address assigned from the address pool is overwritten. When this occurs, the destination MAC address changes and the response does not reach the user which results in a time-out in the web browser on the user device.
[From NG_10_ 5_ 53_9][#518008]
Issues Fixed from Previously Released Maintenance Builds
Endpoint Analysis
If users do not have administrative rights, the Endpoint Analysis Plug-in installation fails.
[From NG_10_5_53_9][#506686]
Licensing
If the maximum number of users is set to a number greater than 5 on a NetScaler Gateway virtual server, if you remove the Universal license, the virtual server configuration is also removed.
[From NG_10_5_51_10] [#447452]
Logon and Authentication
If ICA proxy is set to On and you configure authorization policies, when users attempt to connect, NetScaler Gateway modifies the host header to the FQDN of the Web Interface or StoreFront server. When this occurs, user log on fails with the message 'Error: Not a priviledged user.'
[From NG_10_5_53_9][#501369]
When users connect from a web browser and enter their SAML credentials, NetScaler Gateway fails. This occurs when you configure pre-authentication policies and two-factor authentication policies with SAML and LDAP with SAML as the primary authentication type and having a higher priority.
[From NG_10_5_53_9] [#506689]
If you configure endpoint analysis policies, if the session times out and users do not close the web browser, they cannot log on again.
[From NG_10_5_52_11] [#459149]
If you configure SAML authentication with signed SAML assertions, if the user connection disconnects before the SAML response is normalized, NetScaler Gateway fails.
[From NG_10_5_52_11] [#489609]
If you configure nested group extraction and leave the Group Name Identifier blank, NetScaler Gateway fails.
[From NG_10_5_52_11] [#500765]
The NetScaler Gateway wizard creates a VPN virtual server with the default authorization set to Deny. When users connect to the VPN virtual server, they cannot access internal network resources. To allow users to connect, set authorization to Allow.
[From NG_10_5_51_10] [#479548]
If Kerberos uses x.509 certificates (PKINIT) for single sign-on, NetScaler Gateway fails to obtain tickets if the Key Distribution Center (KDC) returns a realm referral. This can cause the NetScaler Gateway appliance to fail.
[From NG_10_5_51_10] [#484245]
When there are a very large number of simultaneous user authentication requests and the authentication server is slow to respond, Netscaler Gateway can fail.
[From NG_10_5_51_10] [#484431, #488182, #493939]
If the authentication server is extremely slow to respond, such as 15-30 seconds or more, this can cause delays with users logging on successfully, even if the amount of simultaneous connections is low.
[From NG_10_5_51_10] [#489343]
Miscellaneous
If you configure load balancing virtual servers and the Secure Ticket Authority (STA) with the same fully qualified domain name (FQDN), attempts to bind the STA to the NetScaler Gateway virtual server fail.
[From NG_10_5_53_9][#374296]
Responder or URL transform policies that are bound to the Content Switching virtual server are not applied to connection requests that come through NetScaler Gateway.
[From NG_10_5_53_9][#495867]
If user names contain a period (.) that have a common prefix before the period, NetScaler Gateway creates cache files based on the prefix. When this occurs, tickets for one user are sent to a different user.
[From NG_10_5_52_11] [#494463]
When users connect with clientless access, the appliance fails if the last octet of the IP address of the server in the internal network is equal to or greater than 240.
[From NG_10_5_52_11] [#494605]
If you configure a traffic management policy to enable single sign-on to Outlook Web App 2010, enable local authentication on the load balancing virtual server and then change to two-factor authentication with client certificate authentication and LDAP authentication, NetScaler Gateway fails when trying to access the load balancing server. Iphone backup unlocker registration key.
[From NG_10_5_51_10] [#485834]
If you are running NetScaler Gateway 10.5, Build 50.9, the priority value of policies bound to the NetScaler Gateway virtual server are lost. You can upgrade to Build 50.10 or 51.10 to fix the issue.
[From NG_10_5_51_10] [#486857]
Session and Connection
If users connect with the NetScaler Gateway Plug-in for Windows and then attempt to receive a call through a softphone, the call fails.
[From NG_10_5_53_9][#498679]
When users log on with the NetScaler Gateway Plug-in for Windows, attempts to access internal network resources fail from Windows Metro applications, such as Internet Explorer Metro Mode. This occurs when you configure address pools (intranet IP addresses).
[From NG_10_5_53_9][#505029]
Showing active user sessions in the configuration utility or by using the command line might result in high CPU utilization on NetScaler Gateway.
[From NG_10_5_52_11] [#502043]
Attempts to end the session for an external user fails when you enter the command kill aaa session -username <username>.
[From NG_10_5_51_10] [#446334]
In a high availability deployment, when users log on with SAML authentication, the secondary appliance fails over.
[From NG_10_5_51_10] [#490075]
Languages supported: English (US)
Readme version: 1.0
Where to Find Documentation
This document describes the issue(s) solved, new features, and known issues in this build and includes installation instructions.
The latest version of the product documentation is available from Citrix eDocs at http://edocs.citrix.com.
Installing This Enhancement Build
The latest version of the NetScaler Gateway software can be downloaded from the Citrix web site.
To download the NetScaler Gateway software from the Citrix web site
Go to the Citrix Web site, click My Account, and then log on.
At the top of the web page, click Downloads.
Under Find Downloads, select NetScaler Gateway.
In Select Download Type, select Product Software and then click Find.
On the NetScaler Gateway page, click NetScaler Gateway 10.5.
Select the software and then click Download.
When the software is downloaded to your computer, you can install the software by using the Upgrade Wizard in the Configuration Utility or the command-line interface.
To install the enhancement build by using the Upgrade Wizard
In the Configuration Utility, in the left pane, click System.
In the right pane, click Upgrade Wizard.
Click Next and then follow the directions in the wizard.
To install this enhancement build by using the command-line interface
To upload the software to the NetScaler Gateway, use a secure FTP client to connect to the appliance.
Copy the software from your computer to the /var/nsinstall directory on the appliance.
Open a Secure Shell (SSH) client to open an SSH connection to the appliance.
At a command prompt, type shell.
At a command prompt, type cd /var/nsinstall to change to the nsinstall directory.
To view the contents of the directory, type ls.To unpack the software, type tar –xvzf build_X_XX.tgz, where build_X_XX.tgz is the name of the build to which you want to upgrade.
To start the installation, at a command prompt, type ./installns.
When the installation is complete, restart NetScaler Gateway.
When the NetScaler Gateway restarts, at a command prompt type what or show version to verify successful installation.
NetScaler Gateway 10.5 Compatibility with Citrix Products
The following table provides the Citrix product names and versions with which NetScaler Gateway 10.5 is compatible.
Citrix Product | Release Version |
Branch Repeater or CloudBridge | 5.5, 6.1, 6.2, 7.0, 7.1 and 7.2 |
NetScaler Platforms | MPX 5550, MPX 7500, MPX8200, MPX 10500, Xen VPX |
NetScaler | 10.1 and 10.5 |
NetScaler VPX | 9.3, 10.1, and 10.1.120.1316.e |
Receiver Storefront | 2.0, 2.1, 2.5 and 2.6 |
VDI-in-a-Box | 5.2, 5.3 and 5.4 |
Web Interface | 5.4 |
XenApp | 6.5 for Windows Server 2008 R2 |
XenDesktop | 7, 7.5, and 7.6 |
XenMobile | 9.0 |
Supported Receivers and Plug-ins
Receiver or Plug-in | Release Version |
NetScaler Gateway Plug-in for Mac OS X | 3.0.1 |
NetScaler Gateway Plug-in for Windows | 10.1 and 10.5 |
Receiver for Android | 3.4 and 3.5 |
Receiver for iOS | 5.8 and 5.9 |
Receiver for Mac | 11.8.x |
Receiver for Windows | 4.0 and 4.1 |
Worx Home for iOS | 9.0.2 |
Worx Home for Android | 9.0.1 |
WorxMail for iOS | 9.0.2 |
WorxWeb for iOS | 9.0.1 |
WorxMail for Android | 9.0.1 |
WorxWeb for Android | 9.0.1 |
New Features in This Release
Citrix Netscaler Gateway Plugin Download
This release of NetScaler Gateway includes support for the following:
Disconnecting ICA Connections
You can end ICA connections by using the NetScaler Gateway configuration utility or the command-line interface.
To disconnect ICA sessions by using the command-line interface
Search for active ICA connections by running the command show icaConnection.
When you find the connection, run one of the following commands to disconnect the active sessions:
kill vpn icaconnection [-username] [-all]
For example, kill vpn icaconnection –username abc
This disconnects all the ICA connections that belong to user abc.
kill vpn icaconnection –all
This disconnects all of the existing ICA connections on Netscaler Gateway.
To disconnect ICA connections by using the configuration utility
In the configuration utility, on the Configuration tab, click NetScaler Gateway.
In the details pane, under Monitor Connections, click ICA Connections.
The ICA Connections page appears.To end a particular ICA connection, select the row and click End ICA Connection.
To end all the active ICA connections, click End All ICA Connection.
Netscaler Gateway Plugin 3 0 For Mac Downloads
Note: Whenever a search filter is used, End ICA Connection will be disabled unless a row is selected.
[From NG_10_5_52.1115.e][#377266]
Upgrade EPA (Endpoint Analysis) libraries in NetScaler Gateway
The Endpoint Analysis feature enables administrators to analyze and make client connection choices based on client endpoint settings for plug-in sessions connecting through the NetScaler Gateway. Previously, NetScaler Gateway administrators had to manually upload a new EPA library using the command line in order to upgrade the EPA libraries in NetScaler Gateway. This task required administrators to manually extract the file on the NetScaler and then copy the extracted files to appropriate directories. NetScaler Gateway 10.5.52.1115.e presents a one-click interface for upgrading EPA libraries without upgrading or rebooting the system.
To complete the task from configuration utility:
Download the latest EPA library package from the download page on www.citrix.com.
In the NetScaler configuration utility, click Configuration and expand NetScaler Gateway. Click Upgrade EPA Libraries under Customize EPA Libraries. The Upgrade EPA Libraries page appears.
In the Choose File field, click Browse and select the EPA package file that you have downloaded in your computer. By default the file is searched from your computer, so the down arrow of Browse is selected as Local. Click Upgrade. Once the upgrade is completed, the page becomes accessible and displays the updated EPA library version.
For accessing and configuring EPA scans with the new library, refresh the page. The Opswat EPA wizard displays the updated EPA scans that can be configured for use immediately.
Results of EPA library upgrade on client systems:
As part of the upgrade of the endpoint analysis library, new client plug-ins are installed on the NetScaler system. These updated plug-ins will be automatically updated on client systems when clients connect to the NetScaler Gateway.
EPA library upgrades on Windows
Once the EPA libraries are upgraded, the EPA and VPN plug-in download the newer Windows EPA library in the background the next time users connect. Users do not notice anything different during the EPA scan.
EPA library upgrades for Mac
For Mac clients, the EPA and VPN plug-ins are downloaded after completing the upgrade. Users will see a download prompt for the EPA plug-in and the VPN plug-in will automatically upgrade.
Once the plug-in is upgraded, EPA works normally.
[From NG_10.5 52.1115.e][#504584]
Known Issues in This Release
If you try to launch the killed application from NetScaler Gateway in the same AAA session, the multi stream ICA connection might fail. Close the application and relaunch.
[From NG_10_5_52_1115_e][#514419]
Applications that use UDP (User Datagram Protocol) or ICMP (Internet Control Message Protocol) on Mac OS X Yosemite (10.10) such as the ones using audio or video streaming, may be unreliable.
[From NG_10_5_e][#515013]