
Hotfix AG2000_v455 Rev B - Access Gateway Standard Edition 4.5

Document ID: CTX114028   /   Created On: Jul 17, 2007   /   Updated On: Oct 2, 2007

Hotfix readme name: AG2000_v455.html
Hotfix package name: ag2000-V455-45.upgrade
For: Access Gateway Standard Edition and Access Gateway Advanced Edition, Version 4.5, Model 2000 Appliance
Replaces: None
Date: October, 2007
Language supported: English (US)
Readme version: 1.2

Readme Revision History

Version   Date             Change Description
1.2       October, 2007    Added line item #24781
1.1       August, 2007     Added line items #24719, #24726, and #24727
1.0       July, 2007       Initial release

Important Note(s) about this Release

  • To download and save this readme to your computer, click Readme.zip at the top of this page. To install this hotfix, see the installation instructions below.
  • This hotfix updates the Access Gateway Standard Edition and Access Gateway Advanced Edition. This hotfix is applicable to the Model 2000 and the Model 2010 appliance that supports the Access Gateway Standard Edition, Version 4.5 and Access Gateway Advanced Edition, Version 4.5.
  • Active Directory group policies cannot be applied when users are connecting to the Access Gateway using Secure Access Client.

    [From AG_455][#24198, #24308]

  • If client devices are using Windows XP, you can install one version of the Secure Access Client from either Access Gateway Standard Edition or Access Gateway Enterprise Edition. If the two versions of the Secure Access Client co-exist on the client device, a session using either client could fail. Citrix recommends installing and running one version only of the Secure Access Client on client devices that are running Windows XP.

    If the client device is running Windows Vista, both versions of the Secure Access Client can be installed. Each version of the Secure Access Client checks for the other version. If the Secure Access Client detects that another version has a connected session, the Secure Access Client exits and leaves the connected session alone.

    [From AG_455][#24320, #24378]

To install this hotfix:

  1. Download the hotfix package from the Hotfixes and Service Packs page of the Citrix Web site at http://downloadns.citrix.com.edgesuite.net/2513/ag2000-v455-45.upgrade.
  2. Copy the hotfix package to an empty folder on the hard drive of the computer that is running the Access Gateway Administration Tool.
  3. Click Start › Programs › Citrix › Access Gateway Administration Tool 4.5 › Access Gateway Administration Tool 4.5.
  4. Click the Access Gateway Cluster tab and expand the window for the Access Gateway.
  5. Click the Administration tab.
  6. Next to Upload an upgrade or saved configuration, click Browse.
  7. Locate the upgrade file that you want to upload and click Open. The file is uploaded.
  8. Restart the Access Gateway appliance and the server running Access Gateway Advanced Edition.

Important

After the upgrade is installed on the Access Gateway, you must uninstall the Administration Tool and then reinstall it using the Administration Portal page.

To uninstall and reinstall the Administration Tool

  1. Click Start > Control Panel > Add or Remove Programs.
  2. Click Citrix Access Gateway Administration Tool version number and click Remove.
  3. In a Web browser, type the Web address and port number of the Administration Portal, such as https://ipaddress:9001.
  4. Type your credentials and click OK.
  5. Under Access Gateway Administration Tool, click Install the Access Gateway Administration Tool.

New in this Release

Configuring Authentication using One-Time Passwords

If authentication on the Access Gateway is configured to use a one-time password with RADIUS, such as provided by an RSA SecurID token, the Access Gateway attempts to reauthenticate users using the cached password. This occurs when changes are made to the Access Gateway using the Administration Tool or if the connection between the Secure Access Client and the Access Gateway is interrupted and restored.

This can also occur when user connections are configured to use Citrix Presentation Server Clients and connect to the Web Interface using RADIUS and LDAP. When a user starts an application and uses it, then returns to the Web Interface to start another application, the Access Gateway uses cached information to authenticate the user.

If authentication is configured with a one-time password, authentication on the Access Gateway fails, and the user is eventually locked out and unable to log on.

With this release, you can prevent the storage of one-time passwords in the cache, which forces the user to authenticate again.

To prevent caching of one-time passwords

  1. In the Administration Tool, click the Authentication tab.
  2. Open the authentication realm that uses the one-time password.
  3. Select Use the password one time and click Submit.

[From AG_455][#24296, #24312]

Access Gateway and Citrix WANScaler Support

The Access Gateway works with Citrix WANScaler to support TCP optimization. WANScaler enhances Common Internet File System (CIFS) and HTTP connections and accelerates traffic through the Access Gateway. The Access Gateway is installed in the DMZ and the WANScaler is installed behind the Access Gateway in the secure network. Clients connect through the Access Gateway and WANScaler to resources in the secure network.

Two settings must be configured to support TCP optimization:

  • Preserve TCP options for each network that is configured on the Access Gateway. You configure network resources and then for each network that is to have the TCP settings preserved, you apply the policy for that network.
  • Configure the Access Gateway to communicate with the WANScaler Client. When this is configured, the Access Gateway sends a filter list to the WANScaler Client with the settings for TCP optimization.

To configure TCP optimization on Access Gateway Standard Edition

  1. In the Access Gateway Administration Tool, click the Global Cluster Policies tab.
  2. Under Advanced options, select Enable TCP optimization with WANScaler Client and click Submit.
  3. On the Access Policy Manager tab, in the right pane, under Network Resources, select a configured network resource, or create a new resource.
  4. Select Preserve TCP options and click OK.
  5. Drag the network resource to the user group to which the policy applies.

Where to Find Documentation

This document describes the issue(s) solved by this hotfix and includes installation instructions. For more information, see the Access Gateway Standard Edition Administrator's Guide located on the product CD or installed on the Access Gateway. The guide is in an Adobe Portable Document (PDF) format file. To view, search, and print the documentation, you need Adobe Reader 5.0.5 or later with Search. You can download Adobe Reader for free from the Adobe Web site at http://www.adobe.com.

All product documentation is also available from the Citrix Web site at http://www.citrix.com/support.

Issue(s) Resolved in this Hotfix

  1. This fix addresses a security vulnerability. For more information, see Knowledge Center article CTX113815.

    [From AG_455][#22699]

  2. When a user logs on to Access Gateway Advanced Edition using Internet Explorer 7 and a network interruption occurs, the user logs on again with their credentials. When the user then logs off, the Web logon portal page does not close as expected.

    [From AG_455][#23949]

  3. If the client computer is running Windows Vista and Internet Explorer 7, the ActiveX control that performs the pre-authentication check and starts Secure Access Client from the portal page does not run unless the Access Gateway's fully-qualified domain name (FQDN) is in the trusted sites list in Internet Explorer. If Internet Explorer 7 is running in protected mode, the Secure Access Client has limited functionality. For example, when installing the Secure Access Client, users are asked to save the executable instead of the installation starting automatically.

    To use single sign-on with Vista and Internet Explorer 7, Internet Explorer must be configured for administrator use.

    [From AG_455][#24021]

  4. When Symantec Enterprise Vault 6.1 is installed in the internal network and the user logs on through the Access Gateway to the Access Interface on the server running Access Gateway Advanced Edition, Outlook Web Access in Internet Explorer fails to respond for approximately five minutes and then starts to work correctly.

    If users are connecting directly to the server running Access Gateway Advanced Edition, there is no delay.

    [From AG_455][#24077, #24092]

  5. There is a 244 character limit for DNS suffixes that are configured on the Name Service Providers tab. The limit is increased to 1023 characters.

    [From AG_455][#24213]

  6. If the Access Gateway user configuration requires a client certificate for authentication, when users log on, the user name contains the realm name, such as realmname\username. Client certificate criteria can be configured to require only the user name or the realm name. For example, if the expression client_cert_end_user_subject_common_name=user_only is used, the user logging on is authorized for the group only if the common name of the client certificate subject is the user name. If the expression client_cert_end_user_subject_organizational_unit=realm is used, the user logging on is authorized for the group only if the Organizational Unit (OU) of the client certificate subject is the realm name.

    [From AG_455][#24219]

  7. If the Access Gateway is configured to use the Advanced Access Control option and an incorrect DNS server is configured on the Access Gateway, it can take a long time for the appliance to restart.

    [From AG_455][#24225]

  8. If users have McAfee Host Intrusion Prevention installed, the Secure Access Client fails when users attempt to open an application on their local device. When this occurs, the Secure Access Client icon is removed from the notification area; however, users can connect to resources in the internal network.

    [From AG_455][#24228]

  9. The Secure Access Client sends connection requests to the local DNS server and not to a configured proxy server to resolve the public name of the Access Gateway.

    [From AG_455][#24260]

  10. This fix addresses a security vulnerability. For more information, see Knowledge Center article CTX113817.

    [From AG_455][#24323, #24324, #24325, #24326, #24327]

  11. This fix addresses a security vulnerability. For more information, see Knowledge Center article CTX113816.

    [From AG_455][#24329, #24330, #24331, #24332, #24333, #24334]

  12. If you have added users to groups on the Access Gateway for which client certificate criteria is configured, and added the same users to other groups that do not require client certificate criteria, users only get the group or groups for which no client certificate criteria is defined. Users do not get the group or groups for which client certificate criteria is defined.

    [From AG_455][#24341]

  13. When the Secure Access Client is installed, and non-administrative users log on to Windows XP, name resolution fails until the DNS cache is flushed or the connection times out.

    [From AG_455][#24358]

  14. When users are logged on to the Access Gateway, and the system administrator starts the Citrix Real-time Monitor, the Access Gateway can fail.

    [From AG_455][#24382]

  15. To enable file logging of client connections, right-click the Secure Access Client icon and click Connection Log. On the Options menu, click Log to file. When this option is enabled, the items that appear in the Connection Log are written to the log file. The log file is overwritten each time the Secure Access Client starts.

    [From AG_455][#24398]

  16. If client devices are using Windows Vista and are connecting to Version 4.5.5, the Secure Access Client is downloaded from the portal page. If client devices are connecting to earlier versions of the Access Gateway, they must use the standalone version of the Secure Access Client for installation. This version of the Secure Access Client for Vista can be downloaded from the Citrix support Web site.

    [From AG_455][#24427]

  17. When the Access Gateway is configured using a double-hop DMZ, and connects to the Advanced Access Control option, users are not able to download the Endpoint Analysis Client or the LiveEdit Client.

    [From AG_455][#24434]

  18. When the Secure Access Client is upgraded to Version 4.5.5, Citrix recommends restarting the client device.

    [From AG_455][#24473]

  19. When users are logged on to the Advanced Access Control option through the Access Gateway and then log off, the session is not disconnected. Users must manually disconnect by right-clicking the Secure Access Client and selecting Disconnect.

    [From AG_455][#24496]

  20. Licensing statistics appear different when viewing statistics on the Access Gateway and then viewing statistics in Advanced Access Control. When Access Gateway Advanced Edition is configured, view the licensing statistics from the server that is running Advanced Access Control.

    [From AG_455][#24570]

  21. If users start an endpoint analysis scan, and the connection between the Access Gateway appliance and the server running Advanced Access Control fails, users receive an error 500 in the Web browser. If the connection is successful, and the response from the server running Advanced Access Control is not what is expected, users receive an error 403.

    [From AG_455][#24631]

  22. Access Gateway Standard Edition Version 4.5.5 fails when two or more servers running the Secure Ticket Authority are configured.

    [From AG_455][#24719, #24726]

  23. When you capture a file in Ethereal, and then try to save the file, Ethereal fails.

    [From AG_455][#24727]

  24. When the Access Gateway is configured with two servers running the Secure Ticket Authority, and users are connecting using Citrix Presentation Server Clients, the Access Gateway fails.

    [From AG_455][#24781]

Copyright © 2007 Citrix Systems, Inc. All rights reserved.
Citrix, MetaFrame, and MetaFrame XP are registered trademarks, and Presentation Server is a trademark of Citrix Systems, Inc. in the United States and other countries.
All other trademarks and registered trademarks are the property of their respective owners.

