
Access Gateway Enterprise Edition 8.0 Maintenance Build 48.7

Document ID: CTX114595   /   Created On: Sep 14, 2007   /   Updated On: Sep 27, 2007

Maintenance build readme name: AGEE_8_0_48.7.HTML
Maintenance build package name: build_andes_48.7.tgz
For: Access Gateway, 8.0 Enterprise Edition, Build 48.7
Replaces: None
Date: September, 2007
Language supported: English (US)
Readme version: 1.0

Where to Find Documentation

This document describes the issue(s) solved by this build and includes installation instructions. For more information, see your product Administrator's Guide located on the product CD or installed on your servers. The guide is in an Adobe Portable Document (PDF) format file. To view, search, and print the documentation, you need Adobe Reader 5.0.5 or later with Search. You can download Adobe Reader for free from the Adobe Web site at http://www.adobe.com.

All product documentation is also available from the Citrix Web site at http://www.citrix.com/support.

New in this Release

Endpoint Analysis

When configuring antivirus endpoint analysis, you can scan for the age of the last installed virus definitions. For example, if the virus definitions are older than five days, you can prevent the user from logging on until the virus definitions are updated. To do so, in the Add Expression dialog box, in Freshness, type the number of days.

The maximum length for an endpoint analysis expression is increased from 1500 bytes to 9600 bytes.

[AGEE_8_0_46.14][#30055]

Importing Certificates from a Windows Computer

Using the Configuration Utility, you can import PKCS#12 certificates to the Access Gateway from a Windows computer. You can import an existing certificate from a Windows computer running Internet Information Services (IIS) or from a computer running the Secure Gateway.

In some cases, the private key cannot be exported, which means you cannot install the certificate on the Access Gateway. If this occurs, use the Certificate Signing Request to create a new certificate.

Before installing the certificate on the Access Gateway, export the certificate using the Microsoft Management Console and the Export Certificate Wizard in Windows. For more information, see the Windows Online Help.

After exporting the certificate, use the Configuration Utility to convert the certificate to PEM format.

To convert the exported certificate to PEM format

  1. In the Configuration Utility, in the left pane, click Access Gateway > SSL > CA Tools.
  2. In the right pane, under Tools, click Import PKCS#12.
  3. In Output File Name, type the name of the new certificate, such as ag1.pem.
  4. In PKCS12 File Name, type the name of the exported certificate, such as ag1.pfx.
  5. In Import Password, type the password for the private key.
  6. In Encoding Format, select DES3.
  7. In PEM Passphrase and Verify PEM Passphrase type a new password for the private key.

When this procedure is complete, a message appears in the lower left status bar that the certificate is converted successfully. When the conversion is complete, you can install the certificate and private key on the Access Gateway.
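
To confirm a converted file outside the appliance, the following added example (not part of the Citrix readme or the Configuration Utility) performs a comparable PKCS#12-to-PEM conversion with the OpenSSL command-line tool, using Triple DES key encryption, and checks that the private key in the output is encrypted and matches the certificate. It assumes openssl is installed; the file names, passwords, and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example. File names, passwords and function names are constructed.
# Requires the openssl command-line tool.

# make_sample_pfx DIR IMPORT_PASSWORD
# Build a throwaway self-signed certificate and export it as DIR/ag1.pfx.
make_sample_pfx() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=ag1.example.test" \
        -keyout "$1/key.pem" -out "$1/crt.pem" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/crt.pem" \
        -out "$1/ag1.pfx" -passout "pass:$2"
}

# convert_pfx_to_pem PFX OUT IMPORT_PASSWORD PEM_PASSPHRASE
# -des3 encrypts the private key in the PEM output with Triple DES.
# "pass:" exposes the secret in the process list; on shared hosts use
# openssl's env: or file: password sources instead.
convert_pfx_to_pem() {
    openssl pkcs12 -in "$1" -out "$2" -des3 \
        -passin "pass:$3" -passout "pass:$4" 2>/dev/null
}

# check_pem PEM PEM_PASSPHRASE
# Succeeds only if the key is stored encrypted, the passphrase opens it,
# and its public half equals the public key in the certificate.
check_pem() {
    grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$1" || return 1
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$1" -passin "pass:$2" -pubout 2>/dev/null)
    # An empty result means a command failed (for example, wrong passphrase).
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Demo on constructed data in a throwaway directory.
tmp=$(mktemp -d) &&
make_sample_pfx "$tmp" 'Import-pass-1' &&
convert_pfx_to_pem "$tmp/ag1.pfx" "$tmp/ag1.pem" 'Import-pass-1' 'Pem-pass-1' &&
check_pem "$tmp/ag1.pem" 'Pem-pass-1' &&
echo "ag1.pem: private key is encrypted and matches the certificate"
rm -rf "$tmp"
```

A file that fails check_pem either holds an unencrypted key, was protected with a different passphrase, or pairs a key with the wrong certificate.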

To install the certificate and private key on the Access Gateway

  1. In the Configuration Utility, in the left pane, click Access Gateway > SSL > Certificates.
  2. In the right pane, click Add.
  3. In Certificate-Key Pair Name, type a new name for the certificate and private key.
  4. In File Location, select Appliance.
  5. In Certificate File Name, type the name of the converted certificate, such as ag1.pem.
  6. In Private Key File Name, type the name of the private key.
  7. In Password, type the password for the private key. This is the password you used when converting the certificate to PEM format.
  8. In Certificate Format, select PEM, click Install, and click Close.

When the certificate is installed on the Access Gateway, it appears in the list in the right pane.

[AGEE_8_0_48.7][#35629]

Miscellaneous

New Zealand Daylight Savings Time is supported.

[AGEE_8_0_48.7][#36263]

Single Sign-On with Windows

By default, Windows users open a connection by starting the Secure Access Client from the desktop. You can specify that the Secure Access Client start automatically when the user logs on to Windows by enabling single sign-on. When single sign-on is configured, users’ Windows logon credentials are passed to the Access Gateway for authentication.

Enable single sign-on only if users’ computers are logging on to your organization’s domain. If single sign-on is enabled and a user connects from a computer that is not in your domain, the user is prompted to log on.

Single sign-on with Windows is supported only using Secure Access Client. It is not supported using the ActiveX Plug-in. Single sign-on with Windows is supported on Windows XP, Windows 2003 Server, Windows 2000 Server, Windows 2000 Professional, and Windows NT 4.0.

Single sign-on with Windows is disabled by default. To enable single sign-on, use either the Configuration Utility or the command line interface.

To configure single sign-on with Windows using the Configuration Utility

  1. In the Configuration Utility, in the navigation pane, click SSL VPN.
  2. In the right pane, click SSL VPN Policy Manager.
  3. In the SSL VPN Policy Manager, under Related Tasks, do one of the following:

    Click Create New Session Policy
    -or-
    Click Modify Session Policy

  4. Next to Request Profile, click Modify.
  5. Under Client Experience, click Windows Auto Logon and click OK.

To configure single sign-on with Windows using the command line interface

At a command prompt, type:
set vpn parameter [-windowsAutoLogon on|off]

[AGEE_8_0_46.14][#29295]

Supported Products

You can configure policies using the following products:

  • McAfee Version 11 and McAfee Version 8.5
  • Trend Micro OfficeScan Corporate Edition Version 7.3

[AGEE_8_0_46.14][#29828, #30036]

Known Issues in this Release

  1. Single sign-on to Web applications is not supported for the Secure Access Client for Java.

    [AGEE_8_0_45.4][#26303]

  2. The Secure Access Client is not installed automatically on Windows 2003 Server.

    To install the Secure Access Client on Windows 2003 Server

    1. Click Start > Control Panel > Add or Remove Programs.
    2. Click Add New Programs and click CD or Floppy.
    3. Follow the instructions in the wizard, navigate to the file nsvpnc_setup.exe, and click Next.

    [AGEE_8_0_45.4][#26684]

Issue(s) Resolved in this Release

  1. If the endpoint analysis fails on a client device, users receive a generic error message. Error messages are improved to provide better descriptions of the problem.

    [AGEE_8_0_48.7][#26879]

  2. When users log on to the portal page using Internet Explorer 7 and the Access Gateway Web address is not in the Trusted Sites list, the ActiveX Plug-in is not installed.

    [AGEE_8_0_48.7][#34842, #36628]

  3. The local LAN settings of the Secure Access Client are not persistent between Access Gateway sessions.

    [AGEE_8_0_48.7][#35041]

  4. When Web Interface failover is configured and users log on to the Access Gateway, redirection fails and users receive the error message "HTTP 500 Internal Server error."

    [AGEE_8_0_48.7][#35062]

  5. When users connect using the Secure Access Client, DNS requests with host names exceeding six characters are not passed through the VPN tunnel.

    [AGEE_8_0_48.7][#35915]

  6. Applications that use UDP experience latency on the Access Gateway.

    [AGEE_8_0_48.7][#35921]

  7. Connecting to a remote computer using Remote Desktop caused intermittent errors when used as an intranet application with the Java Plug-In. The remote desktop connection automatically disconnected after a period of time.

    [AGEE_8_0_47.8][#25708]

  8. If a client device is connecting from an external network and a proxy configuration script is configured in Internet Explorer, the script is not accessible until the Secure Access Client connection is established. When the client computer connects from an external network, it can take one or two minutes for the connection to be established.

    [AGEE_8_0_47.8][#29841]

  9. When single sign-on to the Web Interface is configured, and split tunneling is disabled, single sign-on to public Web sites fails.

    [AGEE_8_0_47.8][#30049]

  10. After upgrading from Access Gateway Enterprise Edition Version 7.0 to Version 8.0, after users type the smart card personal identification number (PIN) and select a certificate, the user logon fails.

    [AGEE_8_0_47.8][#30109, #35262]

  11. When ICAProxy mode and Web Interface mode are enabled, if the user logs on to the Web Interface, connects to other Web pages, and then returns to the fully qualified domain name (FQDN) of the virtual server, the IIS default home page appears.

    [AGEE_8_0_47.8][#30144]

  12. If the Web proxy server IP address is specified in the Internet Explorer proxy settings and the user logs on using the Secure Access Client, the Access Gateway settings override the Internet Explorer proxy settings. In Internet Explorer, make sure you select the checkbox Use the same proxy server for all protocols.

    [AGEE_8_0_47.8][#34845]

  13. The Access Gateway fails when an external HTTP request is sent to an internal virtual server.

    [AGEE_8_0_47.8][#34991]

  14. If there is an unusually high number of user connections, CPU utilization goes to 100% and the Access Gateway fails.

    [AGEE_8_0_47.8][#35350, #35493]

  15. When TACACS authentication is configured on the Access Gateway and then the Access Gateway restarts, logon to the appliance fails using the administrator password.

    [AGEE_8_0_46.14][#29143]

  16. If users log on to the Secure Access Client with a password that has an ampersand (&), the logon fails.

    [AGEE_8_0_46.14][#29509]

  17. If an intranet IP address is configured and users are logging on to an application using the UDP protocol, only one user can log on.

    [AGEE_8_0_46.14][#29590]

  18. When two Access Gateway appliances are configured as part of a high availability pair and the session action inherits the client security expression, the primary appliance fails.

    [AGEE_8_0_46.14][#29705]

  19. ICMP ping requests are not returned by the Access Gateway.

    [AGEE_8_0_46.14][#29938]

  20. When RADIUS and group extraction are configured on the Access Gateway and the configuration is then modified, administrators are prompted to change the group vendor ID to "1." When this value is changed, users are authenticated, but group extraction fails. When configuring the Access Gateway for RADIUS authentication, configure the RADIUS server first and then configure the Access Gateway.

    [AGEE_8_0_46.14][#30004]

  21. When an intranet IP address is bound globally on the Access Gateway proxy in a double-hop deployment, users are assigned an IP address from the secure network.

    [AGEE_8_0_45.4][#26110]

  22. If JavaScript is disabled in Internet Explorer, the Access Gateway logon page does not appear correctly. Enable scripting in Internet Explorer for the logon page to appear correctly.

    [AGEE_8_0_45.4][#26695]

  23. Attempts to download large files using the file transfer tool fail.

    [AGEE_8_0_45.4][#27439]

  24. When upgrading the Access Gateway, the LDAP bind password must be reset.

    [AGEE_8_0_45.4][#27488]

  25. When upgrading the Access Gateway using the Configuration Utility, the Secure Shell (SSH) connection might close during the upgrade, resulting in a failed upgrade. Try installing the upgrade again using the Upgrade Wizard or the command line interface.

    [AGEE_8_0_45.4][#27573]

  26. The Web Interface and the Secure Ticket Authority must be configured using the complete fully-qualified domain name (FQDN).

    [AGEE_8_0_45.4][#28268]

  27. The ActiveX Plug-in cannot be installed on newer versions of Windows. To allow installation of the ActiveX Plug-in, in Internet Explorer, enable automatic prompting for ActiveX controls.

    [AGEE_8_0_45.4][#28377]

  28. If Norton Personal Firewall is installed on a client device, when users log on using the Secure Access Client, users receive a message from Norton Personal Firewall to allow or block the file nsload.exe. To establish the connection, select allow.

    [AGEE_8_0_45.4][#28709]

  29. A global pointer is not set to NULL after the Secure Ticket Authority (STA) renews the ticket.

    [AGEE_8_0_45.4][#29212]

  30. When an endpoint analysis scan is running, the Web Interface fails to redirect.

    [AGEE_8_0_45.4][#29411]

  31. The debugging logs for Windows XP are stored in the folder %systemroot%\Document and Settings\All Users\Application Data\Citrix\AGEE.

    [AGEE_8_0_45.4][#29415]

  32. The configuration parameter for configuring SmartAccess endpoint authentication is changed from set vpn param -wiMode [CSG|NONE] to set vpn param -icaProxy [ON|OFF].

    [AGEE_8_0_41.8][#26695]

  33. The command to view virtual server statistics is stat vpn vserver.

    [AGEE_8_0_41.8][#27936]

  34. If a mapped IP address is not defined, the user receives the error message "500 internal server error."

    [AGEE_8_0_41.8][#28287]

  35. Client security string and client security group rules are not enabled for post-authentication endpoint analysis.

    [AGEE_8_0_41.8][#27960]

Installing the Maintenance Build

This maintenance build can be installed using the Upgrade Wizard in the Configuration Utility or the command line interface.

To install the maintenance build using the Upgrade Wizard

  1. In the Configuration Utility, in the navigation pane, click System.
  2. In the right pane, click Upgrade Wizard.
  3. Click Next and follow the directions in the wizard.

To install the maintenance build using the command line interface

  1. Download the maintenance build from MyCitrix.com by clicking Support > Downloads > Product Software.
  2. Copy the maintenance build to an empty folder on the hard drive of your computer.
  3. To upload the software to the Access Gateway, use a secure FTP client to connect to the appliance.
  4. Copy the software from your computer to the /var/nsinstall directory on the appliance.
  5. Open an SSH client to open an SSH connection to the appliance.
  6. At a command prompt, type shell.
  7. At a command prompt, type cd /var/nsinstall to change to the nsinstall directory.
    To view the contents of the directory, type ls.
  8. To unpack the software, type tar -xvzf build_X_XX.tgz, where build_X_XX.tgz is the name of the build to which you want to upgrade.
  9. To start the installation, at a command prompt, type ./installns.
  10. When the installation is complete, restart the Access Gateway.
  11. When the Access Gateway restarts, at a command prompt, type what or show version to verify successful installation.

Copyright © 2007 Citrix Systems, Inc. All rights reserved.
Citrix, MetaFrame, and MetaFrame XP are registered trademarks, and Citrix Presentation Server is a trademark of Citrix Systems, Inc. in the United States and other countries.
All other trademarks and registered trademarks are the property of their respective owners.

