The latest version of the Access Gateway Enterprise Edition software can be downloaded from the My Citrix Web site.
To download the Access Gateway software from MyCitrix.com
Go to the Citrix Web site, click My Citrix, and log on.
At the top of the Web page, click Downloads.
In Search Downloads by Product, select Citrix Access Gateway.
Under Product Software, click the link that matches your edition and software release version to reach the download page.
Click the Get Software link to start the download and save it to a folder on your computer.
When the software is downloaded to your computer, you can install the software using the Upgrade Wizard in the Configuration Utility or the command-line interface.
Important: If you are upgrading from Access Gateway Enterprise Edition, Version 8.0, build 48.7 or earlier, to build 49.2 or later using the Upgrade Wizard, the upgrade process can fail and the appliance can become unusable. To upgrade from build 48.7 or earlier, use the command-line interface instructions. If you are upgrading from build 49.2 to a later build, you can use the Upgrade Wizard.
[AGEE_8_0_50_3]
In the Configuration Utility, in the left pane, click System.
In the right pane, click Upgrade Wizard.
Click Next and follow the directions in the wizard.
To upload the software to the Access Gateway, use a secure FTP client to connect to the appliance.
Copy the software from your computer to the /var/nsinstall directory on the appliance.
Open an SSH client to open an SSH connection to the appliance.
At a command prompt, type shell.
At a command prompt, type cd /var/nsinstall to change to the nsinstall directory.
To view the contents of the directory, type ls.
To unpack the software, type tar xvzf build_X_XX.tgz, where build_X_XX.tgz is the name of the build to which you want to upgrade.
To start the installation, at a command prompt, type ./installns.
When the installation is complete, restart the Access Gateway.
When the Access Gateway restarts, at a command prompt type what or show version to verify successful installation.
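The Important note and the command-line steps above can be turned into a pre-flight check that runs on the administrator's workstation before the build is copied to /var/nsinstall. This is an added example, not Citrix code: the function names and the sample archive are constructed, and treating every build below 49.2 as command-line only is a conservative assumption.

```bash
#!/bin/sh
# Added example (not Citrix code): pre-flight checks before uploading a build.
# The thresholds 48.7 and 49.2 come from the Important note; function names
# and the sample archive built at the bottom are constructed.
set -eu

# Succeeds when build $1 (for example 48.7) is lower than build $2,
# comparing the two dot-separated numeric fields in order.
build_lt() {
    local a_major="${1%%.*}" a_minor="${1#*.}"
    local b_major="${2%%.*}" b_minor="${2#*.}"
    [ "$a_major" -lt "$b_major" ] ||
        { [ "$a_major" -eq "$b_major" ] && [ "$a_minor" -lt "$b_minor" ]; }
}

# Prints the installation method to use for the build currently on the appliance.
# Assumption: builds between 48.7 and 49.2 are treated like 48.7 (CLI only).
upgrade_method() {  # $1 = current build, e.g. 48.7
    if build_lt "$1" 49.2; then
        echo "cli"              # the Upgrade Wizard can leave the appliance unusable
    else
        echo "wizard-or-cli"
    fi
}

# Succeeds only if the archive listing shows no absolute paths or ".." components
# and contains the installns script that the procedure runs after unpacking.
archive_ok() {  # $1 = path to build_X_XX.tgz
    local listing
    listing=$(tar tzf "$1" 2>/dev/null) || return 1
    if printf '%s\n' "$listing" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
        return 1
    fi
    printf '%s\n' "$listing" | grep -Eq '^(\./)?installns$'
}

# Demonstration on a constructed archive that only mimics the expected layout.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '#!/bin/sh\n' > "$demo_dir/installns"
tar czf "$demo_dir/build_X_XX.tgz" -C "$demo_dir" installns

echo "upgrading from build 48.7: $(upgrade_method 48.7)"
echo "upgrading from build 49.2: $(upgrade_method 49.2)"
if archive_ok "$demo_dir/build_X_XX.tgz"; then
    echo "archive layout is acceptable"
fi
```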
This document describes the issue(s) solved by this build and includes installation instructions. For more information, see your product Administrator’s Guide located on the product CD or installed on your servers. The guide is in an Adobe Portable Document (PDF) format file. To view, search, and print the documentation, you need Adobe Reader 5.0.5 or later with Search. You can download Adobe Reader for free from the Adobe Web site at http://www.adobe.com.
All product documentation is also available from the Citrix Web site at http://support.citrix.com.
If users log on multiple times to the Web Interface with the same user name and password using Citrix Presentation Server Clients, only one license is used on the Access Gateway.
[AGEE_8_0_55_3]
The Access Gateway supports Certificate Authority (CA) certificates with a public key length of up to 4096 bits.
[AGEE_8_0_53_2]
When users disconnect from the Access Gateway, proxy settings in Internet Explorer are not reset to the original values. This occurs when a group policy enables proxy settings on a per-computer rather than per-user basis.
[AGEE_8_0_51_4]
If a failover occurs on the primary Access Gateway, the new primary appliance takes a certain amount of time to determine if the Secure Ticket Authority is available. During this time, if users try to connect using Citrix Presentation Server Clients and establish an ICA connection, the Access Gateway cannot validate the client connection. When this occurs, the Access Gateway closes the client connection.
[AGEE_8_0_51_4]
If a Bluecoat Secure Gateway proxy is configured with a rule that blocks the HTTP CONNECT command when it is issued to a numeric destination IP address instead of a host name, users are blocked from starting a VPN connection to the Access Gateway.
[AGEE_8_0_51_4]
Counters for SNMP monitoring for the Access Gateway are added. The counters include statistics for authentication, authorization, ICA proxy, and intranet IP address functionality.
[AGEE_8_0_50_3]
When the setting ICA proxy is enabled in a session profile and a client security expression is configured, the error message "Session Action and Rule are incompatible" appears.
With this release, you can enable ICA proxy in a session profile and create a client security expression within a session policy for endpoint analysis. When this is configured, endpoint analysis scans are run using an ActiveX control.
[AGEE_8_0_50_3]
With the Client Choices option, users have the option to log on using either the Secure Access Client or the Web Interface from one Web page after successful authentication to the Access Gateway. Users are presented with two icons and users can choose which method they want to use to connect to the Access Gateway.
The Client Choices feature can be used without using endpoint analysis or implementing access scenario fallback. If a client security expression is not defined, users receive connection options for both the Secure Access and the Web Interface. If a client security expression exists for the user session and the client device fails the endpoint analysis scan, the choice page offers only the option to use the Web Interface.
Client choices are configured using a session profile and policy. The policy can then be bound globally to a virtual server, to groups, or to specific users.
To configure client choices options globally
In the Configuration Utility, in the left pane, click SSL VPN and click Global.
Under General, click SSL VPN global settings.
Under Client Experience, click Advanced.
On the General tab, click Client Choices and click OK twice.
SmartAccess allows the Access Gateway to determine automatically the methods of access that are allowed for a client device based on the results of an endpoint analysis scan. Access scenario fallback further extends this capability by allowing a client device to fall back from the Secure Access Client to the Web Interface (using Citrix Presentation Server Clients) if the client device does not pass the initial endpoint analysis scan.
To enable access scenario fallback, you configure a post-authentication endpoint analysis scan that decides whether or not users receive an alternative method of access when logging on to the Access Gateway. This post-authentication endpoint scan is defined as a client security expression that is configured either globally or as part of a session profile. If you are configuring a session profile, it is associated to a session policy that is then bound to a group. When this is enabled, the Access Gateway initiates an endpoint analysis scan after user authentication. The results for client devices that do not meet the requirements of a fallback post-authentication scan are as follows:
If Client Choices is enabled, users can log on using the Web Interface only
If Client Choices is disabled, users can be quarantined into a group that provides access only to the Web Interface
The following combination of settings must be configured for the access scenario fallback:
Define client security parameters for the fallback post-authentication scan
Define the Web Interface home page
Disable client choices
If client devices fail the client security check, users are placed into a quarantine group that allows access only to the Web Interface and published applications.
To create a quarantine group
In the Configuration Utility, in the left pane, click Groups and in the right pane, click Add.
In Group Name, type a name for the group, click Create, and click Close.
Important: The name of the quarantine group must not match the name of any domain group to which users might belong. If the quarantine group matches an Active Directory group name, users are quarantined even if the client device passes the endpoint analysis security scan.
After creating the group, configure the Access Gateway to fall back to the Web Interface if the client device fails the endpoint analysis scan.
To configure the Web Interface for quarantined user connections
In the Configuration Utility, in the left pane, click SSL VPN and click Global.
In the right pane, under General, click SSL VPN global settings.
In the Global VPN Settings dialog box, under Secure Gateway Setting, next to ICA Proxy, select OFF.
Next to WI Home Page, type the Web address for the Web Interface.
Next to SmartAccess NT Domain, type the name of your Active Directory domain and click OK.
After configuring the global settings, create a session policy that overrides the global ICA Proxy setting and then bind the session policy to the quarantine group.
To create a session policy
In the Configuration Utility, click SSL VPN, click Policies, and click Session.
On the Policies tab, click Add.
In Name, type a name for the policy.
Next to Request Profile, click New.
Under Secure Gateway Setting, next to ICA Proxy, click Override Global and select On.
In the Create Session Policy dialog box, next to Named Expressions, select General, select ns_true, click Create, and click Close.
After creating the session policy and profile enabling the Web Interface, create a global client security policy.
To create a global client security check policy
In the Configuration Utility, in the left pane, click SSL VPN and click Global.
In the right pane, under General, click SSL VPN global settings.
Under Security Settings, click Advanced.
Under Client Security, click New.
In the Create Expression dialog box, click Add, configure the client security expression, click Create, and click Close.
In the Quarantine Group dialog box, select the group you configured in the group procedure and click OK twice.
Notes
Using Client Choices or access scenario fallback requires the endpoint analysis client (an ActiveX control) for all users. If endpoint analysis cannot run or if users select Skip Scan during the scan, users are denied access.
When Client Choices is enabled, if the client device fails the endpoint analysis, users are placed into the quarantine group. Users can continue to log on using either the Secure Access Client or the Web Interface. Citrix recommends that you do not create a quarantine group if Client Choices is enabled.
You can use different Web addresses for the home page and the Web Interface. When both are configured, the home page takes precedence for the Secure Access Client and the Web Interface home page takes precedence for Web Interface users.
[AGEE_8_0_49_2][#28341]
This release includes a beta version of the Secure Access Client for Microsoft Vista.
To install the Secure Access Client for Vista
In a Web browser, type the Web address for the Access Gateway, such as https://gateway.mycompany.com.
When the logon is successful, a message appears that says this is a beta version of the Secure Access Client for Windows Vista. Click the link in the message to install the Secure Access Client.
The installation program runs and when installation is complete, an icon appears in the notification area. After a few seconds, the Secure Access Client attempts a connection to the Access Gateway. A message stating that the connection is established appears.
The following is a list of known issues in this release. Read it carefully before installing the product.
The Secure Access Client for Vista is installed using a Web browser, such as Internet Explorer. To install the Secure Access Client, users must be logged on to the computer as an administrator or be able to provide administrator credentials.
[AGEE_8_0_49_2] [#28474]
If you are using the Secure Access Client for Vista from Access Gateway Standard Edition, make sure it is not running before installing the Secure Access Client for Vista for the Access Gateway Enterprise Edition. If the Secure Access Client for Standard Edition is running, log off and then exit the Secure Access Client.
The Secure Access Client for Vista works only with Access Gateway 8.0, build 48.7 or later.
When the Secure Access Client is installed, users could lose network connectivity temporarily. This is caused by the installation of network drivers. When the drivers are installed, network connectivity is restored.
[AGEE_8_0_49_2][#36429]
The following features are not currently supported with the Secure Access Client for Vista:
Single sign-on with Windows
Local LAN access
Voice over IP softphone support
Name-based application interception
Application name does not appear on the Configuration tab
MD5-based policies
Spoofing internal IP addresses
ActiveX plug-in
Reverse split tunneling
Client cache clean-up
[AGEE_8_0_49_2] [#28411, #28486]
When a user logs on using the Secure Access Client and a valid certificate is not installed on the Access Gateway, the user receives the certificate warning dialog twice before the connection is established.
[AGEE_8_0_49_2] [#28869]
When users are logging on using a Web browser using the Secure Access Client, there is a long delay before the home page appears.
[AGEE_8_0_49_2][#29296]
The following items are not removed from or closed on the client device even though cleanup is configured:
History and Web addresses
File transfer
Applications
Client certificates
Autocomplete items
[AGEE_8_0_49_2][#29702]
When users are logged on using either the Web browser or Secure Access Client, connections can disconnect and then reconnect unexpectedly. This occurs in the following situations:
When eight to 10 simultaneous active or passive FTP connections are made and all the connections have active downloads. The activity across the network connection stops, the connection fails, and then reconnects after several seconds.
When local LAN is enabled, the user tries to connect to a local LAN computer and starts an FTP session.
When users log off from the Secure Access Client.
When a user downloads a file from the Internet with split tunneling enabled and then disables split tunneling and starts another download from the Internet. When the second download is started, the network connection disconnects and then reconnects after several seconds.
These issues occur intermittently with each of these scenarios.
[AGEE_8_0_49_2][#34926]
When user connections are configured with a forced time-out, the message notifying users that the connection is going to end does not appear automatically.
[AGEE_8_0_49_2][#35340]
If the default Web browser on a client device is Netscape Navigator or Apple Safari for Windows Vista, and the user tries to start the home page using the menu from the Secure Access Client icon in the notification area, the Firefox Web browser starts instead of the default browser.
[AGEE_8_0_49_2][#35483]
When an IP address range is configured as part of an intranet application, the Access Gateway intercepts the first address and not the remainder of the IP addresses in the range.
[AGEE_8_0_49_2][#35679]
When starting the Secure Access Client from the logon page in a Web browser and a pre-authentication policy is configured, if the user clicks Skip Scan, the user receives an error instead of the logon page.
[AGEE_8_0_49_2][#35684]
When a proxy server is configured in Internet Explorer 7, split tunneling is configured for reverse, and the user connects using the Secure Access Client for Vista, the home page fails to appear. Users can start the home page from the Secure Access Client menu from the icon available in the notification area.
[AGEE_8_0_49_2][#35792]
When reverse split tunneling is enabled and a proxy server is configured in Internet Explorer 7, when users log on to the Access Gateway through a Web browser, the connection to the internal network fails.
[AGEE_8_0_49_2][#35917]
The local LAN destination IP address cannot be accessed even though local LAN access is enabled both on the Access Gateway and in the Secure Access Client.
[AGEE_8_0_49_2][#36042]
Messages in the notification area go outside the size of the message box.
[AGEE_8_0_49_2][#38628]
A pre-authentication endpoint analysis scan can take up to four minutes to complete.
[AGEE_8_0_49_2][#38668]
Client Documentation
The documentation for the Secure Access Client for Vista can be accessed from the Secure Access Client icon in the notification area.
To open the online help for Secure Access Client
On the desktop, right-click the Secure Access Client icon and click Help.
The Access Gateway software is enhanced to include an SNMP object identifier (OID) that differentiates the appliance as either NetScaler or Access Gateway Enterprise Edition. When an SNMP request is executed, it returns the value featureAGEE.
[AGEE_8_0_49_2] [#36506]
New Zealand Daylight Savings Time is supported.
[AGEE_8_0_48_7][#36263]
When configuring antivirus endpoint analysis, you can scan for the age of the last installed virus definitions. For example, if the virus definitions are older than five days, you can prevent the user from logging on until the virus definitions are updated. To do so, in the Add Expression dialog box, in Freshness, type the number of days.
The maximum length for an endpoint analysis expression is increased from 1500 bytes to 9600 bytes.
[AGEE_8_0_46_14][#30055]
Using the Configuration Utility, you can import PKCS#12 certificates to the Access Gateway from a Windows computer. You can import an existing certificate from a Windows computer running Internet Information Services (IIS) or from a computer running the Secure Gateway.
In some cases, the private key cannot be exported, which means you cannot install the certificate on the Access Gateway. If this occurs, use the Certificate Signing Request to create a new certificate.
Before installing the certificate on the Access Gateway, export the certificate using the Microsoft Management Console and the Export Certificate Wizard in Windows. For more information, see the Windows Online Help.
After exporting the certificate, use the Configuration Utility to convert the certificate to PEM format.
To convert the exported certificate to PEM format
In the Configuration Utility, in the left pane, click Access Gateway > SSL > CA Tools.
In the right pane, under Tools, click Import PKCS#12.
In Output File Name, type the name of the new certificate, such as ag1.pem.
In PKCS12 File Name, type the name of the exported certificate, such as ag1.pfx.
In Import Password, type the password for the private key.
In Encoding Format, select DES3.
In PEM Passphrase and Verify PEM Passphrase, type a new password for the private key.
When this procedure is complete, a message appears in the lower left status bar that the certificate is converted successfully. When the conversion is complete, you can install the certificate and private key on the Access Gateway.
To install the certificate and private key on the Access Gateway
In the Configuration Utility, in the left pane, click Access Gateway > SSL > Certificates.
In the right pane, click Add.
In Certificate-Key Pair Name, type a new name for the certificate and private key.
In File Location, select Appliance.
In Certificate File Name, type the name of the converted certificate, such as ag1.pem.
In Private Key File Name, type the name of the private key.
In Password, type the password for the private key. This is the password you used when converting the certificate to PEM format.
In Certificate Format, select PEM, click Install, and click Close.
When the certificate is installed on the Access Gateway, it appears in the list in the right pane.
[AGEE_8_0_48_7][#35629]
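The conversion described above can be rehearsed offline with the OpenSSL command-line tool, including a check that the converted certificate and private key belong together before they are installed. This is an added example, not the appliance's own code: the file names ag1.pfx and ag1.pem follow the procedure, while the function names, passwords and the self-signed sample certificate are constructed.

```bash
#!/bin/sh
# Added example (not Citrix code): PKCS#12 to PEM conversion with a triple-DES
# protected private key, followed by a certificate/key consistency check.
# Passwords are passed through environment variables so that they do not
# appear in the process list.
set -eu

# Build a throwaway self-signed certificate and export it as PKCS#12.
# Constructed sample input standing in for the certificate exported from Windows.
make_sample_pfx() {  # $1 = work directory, $2 = export password
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=gateway.mycompany.com" \
        -keyout "$1/sample.key" -out "$1/sample.crt" 2>/dev/null
    IMPORT_PW="$2" openssl pkcs12 -export \
        -inkey "$1/sample.key" -in "$1/sample.crt" \
        -out "$1/ag1.pfx" -passout env:IMPORT_PW
}

# Convert the PKCS#12 file to one PEM file. The private key is re-encrypted
# with triple DES under a new passphrase (Encoding Format DES3 in the dialog).
pfx_to_pem() {  # $1 = pfx, $2 = import password, $3 = pem output, $4 = pem passphrase
    (
        umask 077   # the output holds a private key: owner-only permissions
        IMPORT_PW="$2" PEM_PW="$4" openssl pkcs12 -in "$1" -out "$3" -des3 \
            -passin env:IMPORT_PW -passout env:PEM_PW 2>/dev/null
    )
}

# Succeeds if the private key in the PEM file is stored encrypted
# (PKCS#8 or traditional OpenSSL encrypted key header).
key_is_encrypted() {  # $1 = pem
    grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$1"
}

# Succeeds if the certificate and the private key carry the same public key.
# Fails when the passphrase is wrong or the two do not belong together.
pem_pair_matches() {  # $1 = pem, $2 = pem passphrase
    local cert_pub key_pub
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(PEM_PW="$2" openssl pkey -in "$1" -passin env:PEM_PW \
        -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Demonstration with constructed passwords in a temporary directory.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_sample_pfx "$work" 'sample-export-pw'
pfx_to_pem "$work/ag1.pfx" 'sample-export-pw' "$work/ag1.pem" 'sample-pem-pw'
if key_is_encrypted "$work/ag1.pem"; then
    echo "private key is passphrase-protected"
fi
if pem_pair_matches "$work/ag1.pem" 'sample-pem-pw'; then
    echo "certificate and private key match"
fi
```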
By default, Windows users open a connection by starting the Secure Access Client from the desktop. You can specify that the Secure Access Client start automatically when the user logs on to Windows by enabling single sign-on. When single sign-on is configured, users’ Windows logon credentials are passed to the Access Gateway for authentication.
Enable single sign-on only if users’ computers are logging on to your organization’s domain. If single sign-on is enabled and a user connects from a computer that is not in your domain, the user is prompted to log on.
Single sign-on with Windows is supported only using Secure Access Client. It is not supported using the ActiveX Plug-in. Single sign-on with Windows is supported on Windows XP, Windows 2003 Server, Windows Server 2000, Windows 2000 Professional, and Windows NT 4.0.
Single sign-on with Windows is disabled by default. To enable single sign-on, use either the Configuration Utility or the command-line interface.
To configure single sign-on with Windows using the Configuration Utility
In the Configuration Utility, in the navigation pane, click SSL VPN.
In the right pane, click SSL VPN Policy Manager.
In the SSL VPN Policy Manager, under Related Tasks, do one of the following:
Click Create New Session Policy
-or-
Click Modify Session Policy
Next to Request Profile, click Modify.
Under Client Experience, click Windows Auto Logon and click OK.
To configure single sign-on with Windows using the command-line interface
At a command prompt, type:
set vpn parameter [windowsAutoLogon on|off]
[AGEE_8_0_46_14][#29295]
You can configure policies using the following products:
McAfee Versions 11 and 8.5
Trend Micro OfficeScan Corporate Edition Version 7.3
[AGEE_8_0_46_14][#29828, #30036]
Users who are logged on using Windows must close all Web browsers before running Client Cleanup. If Web browsers are not closed and the user manually runs Client Cleanup, the following items are not removed:
File transfers
Client certificates
Autocomplete entries
[AGEE_8_0_56_8]
When a traffic policy is configured with a delta, when users log on to the Access Gateway and attempt to connect to a server in the secure network, the traffic policy is not applied.
[AGEE_8_0_52_2]
When a user attempts to transfer multiple files, the file transfer session expires and the user is prompted to log on again.
[AGEE_8_0_52_2]
When users are connected with the Secure Access Client for Vista and try to download large files over FTP, the download fails.
[AGEE_8_0_49_2][#27447]
Internet Control Message Protocol (ICMP) is not supported if users are logging on using the ActiveX plug-in.
[AGEE_8_0_49_2][#38867]
Single sign-on to Web applications is not supported for the Secure Access Client for Java.
[AGEE_8_0_45_4][#26303]
The Secure Access Client is not installed automatically on Windows 2003 Server.
To install the Secure Access Client on Windows 2003 Server
Click Start > Control Panel > Add or Remove Programs.
Click Add New Programs and click CD or Floppy.
Follow the instructions in the wizard, navigate to the file nsvpnc_setup.exe, and click Next.
[AGEE_8_0_45_4][#26684]
Attempts to download large files using the file transfer tool fail and a negative file size is shown in the configuration window of the client.
[AGEE_8_0_45_4]
If LDAP authentication is configured to use clear text, users are asked to change their password when they log on.
[AGEE_8_0_59_1]
When users log on with LDAP authentication and then attempt to log off, the connection to the LDAP server does not close.
[AGEE_8_0_59_1]
If the same policy is bound to multiple groups and if users belong to more than one group on the Access Gateway, the appliance might restart automatically.
[AGEE_8_0_59_1]
When users connect using Citrix XenApp Plugin for Hosted Apps and the XenApp server does not support session reliability, an ICA connection is established without session reliability.
[AGEE_8_0_59_1]
Authentication might fail when users log on using LDAP, RADIUS, or TACACS authentication.
[AGEE_8_0_59_1]
If an automatic proxy script Web address is configured in Internet Explorer and the user session times out, the Web address is removed.
[AGEE_8_0_59_1]
ActiveX Plug-in
When users are logged on using the ActiveX plug-in and Microsoft Office Groove 2007 is installed on the client device, when users log off from the ActiveX plug-in, Internet Explorer fails.
[AGEE_8_0_54_6]
When users log on to the Access Gateway for the first time using the ActiveX Plug-in, Internet Explorer responds slowly.
[AGEE_8_0_53_2]
The ActiveX Plug-in cannot be installed on newer versions of Windows. To allow installation of the ActiveX Plug-in, in Internet Explorer, enable automatic prompting for ActiveX controls.
[AGEE_8_0_45_4][#28377]
Endpoint Analysis
When users log on, the error message HTTP 403 Forbidden appears.
[AGEE_8_0_58_5]
Endpoint analysis scan results are not logged correctly in the log files.
[AGEE_8_0_57_3]
When users log on and skip the post-authentication endpoint analysis (EPA) scan, the EPA response should be treated as a scan failure. In Internet Explorer 6, the logon page appears. In Internet Explorer 7, the home page appears.
[AGEE_8_0_56_8]
When users log on using Secure Access, if a post-authentication endpoint analysis scan is configured, the Secure Access upgrade fails. Users should log on using a Web browser.
[AGEE_8_0_56_8]
If a post-authentication scan is configured on the Access Gateway and users skip the scan, the logon page appears. Users should receive the option to log on using clientless access.
[AGEE_8_0_55_3]
When a user logs on using the Secure Access Client and the pre-authentication policy fails, on the Secure Access Client menu, Login is not available. Click Exit to end the Secure Access Client session and then log on again.
[AGEE_8_0_49_2]
When a file server authorization policy is created and if the expression qualifiers fs.dir.createtime, fs.dir.accesstime, fs.dir.writetime, or fs.dir.modifytime are used, Access Gateway administrators receive an invalid qualifier error message.
[AGEE_8_0_49_2][#36429]
When a post-authentication endpoint analysis scan is configured and the client security expression is using the OR qualifier, users receive the post-authentication error page.
[AGEE_8_0_49_2][#36868]
If the endpoint analysis fails on a client device, users receive a generic error message. Error messages are improved providing better descriptions of the problem.
[AGEE_8_0_48_7][#26879]
When an endpoint analysis scan is running, the Web Interface fails to redirect.
[AGEE_8_0_45_4][#29411]
The configuration parameter for configuring SmartAccess endpoint authentication is changed from set vpn param -wiMode [CSG|NONE] to set vpn param -icaProxy [ON|OFF].
[AGEE_8_0_41_8][#26695]
Client security string and client security group rules are not enabled for post-authentication endpoint analysis.
[AGEE_8_0_41_8][#27960]
High Availability
When the Access Gateway is deployed in a double-hop DMZ, and the Access Gateway appliances in the second hop are configured for high availability, the primary Access Gateway fails.
[AGEE_8_0_52_2]
When two Access Gateway appliances are configured as part of a high availability pair and the session action inherits the client security expression, the primary appliance fails.
[AGEE_8_0_46_14][#29705]
Installation Issues
When upgrading the Access Gateway using the Configuration Utility, the Secure Shell (SSH) connection might close during the upgrade, resulting in a failed upgrade. Try installing the upgrade again using the Upgrade Wizard or the command-line interface.
[AGEE_8_0_45_4][#27573]
Logon and Authentication
When you configure external authentication with group extraction for system users, if the total length of all groups exceeds 1200 groups, the Access Gateway memory becomes corrupted. To fix this issue, disable group extraction.
[AGEE_8_0_57_3]
When users log on using RADIUS authentication, RADIUS attempts to listen on an invalid socket. When this occurs, users fail authentication.
[AGEE_8_0_57_3]
If the searchFilter value in an existing LDAP profile is removed, authentication fails.
[AGEE_8_0_57_3]
When a forced time-out is configured globally on the Access Gateway and if users log on using Secure Access for ActiveX, logoff fails when users end their session.
[AGEE_8_0_57_3]
When a user is attempting challenge-response authentication with the Access Gateway and the Access Gateway receives a challenge response from the user on a second connection, the first connection continues to point to obsolete information. When the first connection closes, the Access Gateway fails.
[AGEE_8_0_57_3]
During NTLM authentication if the server closes the connection by resetting the connection (RST) or does not have more data to send (FIN), the Access Gateway fails.
[AGEE_8_0_56_10]
When users try to log on multiple times with the Secure Access Client over the same connection, the Access Gateway fails.
[AGEE_8_0_54_6]
When users log on using the Secure Access Client, domain name resolution fails when the Access Gateway is accessed by the host name and not the FQDN.
[AGEE_8_0_54_6]
When ICA Proxy and a post-authentication scan are enabled on the Access Gateway and users log on from a computer running Mac OS X, users receive the Secure Access Client for Java instead of the Web Interface.
[AGEE_8_0_53_2]
When single sign-on with Windows is configured on the Access Gateway and users log on to a Windows computer, the Secure Access Client occasionally fails.
[AGEE_8_0_53_2]
When users log on to the Access Gateway, they receive an error message "No java plugin installed, please install JRE" even though Java Runtime Environment (JRE) Version 1.5 or 1.6 is installed. The Secure Access Client for Java is not compliant with Internet Explorer 7.0.
[AGEE_8_0_51_4]
Users are prompted for a client certificate multiple times when smart card authentication is used with pre-authentication policies.
[AGEE_8_0_50_3]
When the NAS-IP value is configured in RADIUS authentication, the Access Gateway does not send the value when the RADIUS request is sent.
[AGEE_8_0_50_3]
When certificate authentication is configured on the Access Gateway and two-factor is turned off, the Access Gateway configuration cannot be saved.
[AGEE_8_0_49_2][#36646]
When users log on to the portal page using Internet Explorer 7 and the Access Gateway Web address is not in the Trusted Sites list, the ActiveX Plug-in is not installed.
[AGEE_8_0_48_7][#34842, #36628]
Connecting to a remote computer using Remote Desktop caused intermittent errors when used as an intranet application with the Java Plug-In. The remote desktop connection automatically disconnects after a period of time.
[AGEE_8_0_47_8][#25708]
If a client device is connecting from an external network and a proxy configuration script is configured in Internet Explorer, the script is not accessible until the Secure Access Client connection is established. When the client device connects from an external network, it can take one or two minutes for the connection to be established.
[AGEE_8_0_47_8][#29841]
After upgrading from Access Gateway Enterprise Edition Version 7.0 to Version 8.0, after users type the smart card personal identification number (PIN) and select a certificate, the user logon fails.
[AGEE_8_0_47_8][#30109, #35262]
When TACACS authentication is configured on the Access Gateway and then the Access Gateway restarts, logon to the appliance fails using the administrator password.
[AGEE_8_0_46_14][#29143]
If users log on to the Secure Access Client with a password that has an ampersand (&), the logon fails.
[AGEE_8_0_46_14][#29509]
If an intranet IP address is configured and users are logging on to an application using the UDP protocol, only one user can log on.
[AGEE_8_0_46_14][#29590]
When RADIUS and group extraction are configured on the Access Gateway and the configuration is then modified, administrators are prompted to change the group vendor ID to "1." When this value is changed, users are authenticated, but group extraction fails. When configuring the Access Gateway for RADIUS authentication, configure the RADIUS server first and then configure the Access Gateway.
[AGEE_8_0_46_14][#30004]
If JavaScript is disabled in Internet Explorer, the Access Gateway logon page does not appear correctly. Enable scripting in Internet Explorer for the logon page to appear correctly.
[AGEE_8_0_45_4][#26695]
When upgrading the Access Gateway, the LDAP bind password must be reset.
[AGEE_8_0_45_4][#27488]
Logon Points
When a pre-authentication policy is configured, and when the server authenticating the user credentials requires additional information such as an RSA SecurID personal identification number (PIN), if a second authentication request is sent out on the same connection before a response is received for the first request, the Access Gateway fails.
[AGEE_8_0_58_5]
Memory and CPU Optimization
When the central processing unit (CPU) and the network card controller are reading and writing data to the same cache line at the same time, the network card occasionally receives a stale transmission command. This results in packet transmission from a recycled buffer.
[AGEE_8_0_57_3]
Secure Access Client
When an authentication policy is not configured on the Access Gateway and ICA proxy is enabled, users who log off from the Web Interface must close and open a new instance of the Web browser to connect to the Web Interface and log on again.
[AGEE_8_0_58_5]
When users upgrade the Secure Access Client from Version 8.0 to a newer version using a Web browser, the new client software might not start the VPN session. Users who see a "Page cannot be displayed" error should wait for the software installation to finish and then navigate to the Logon page in the Web browser and log on again.
[AGEE_8_0_56_8]
When a user who is not a member of the Administrators Group attempts to log on to the Access Gateway, the Winsock interception mechanism is used instead of the TDI interception mechanism, and many features are unavailable to the user.
[AGEE_8_0_56_8]
When the Secure Access Client connects to the Access Gateway, it changes the screen saver time-out to the idle time-out setting on the Access Gateway. When the screen saver times out, user sessions are disconnected.
[AGEE_8_0_55_3]
When users connect using the Secure Access Client, network traffic to the secure network stops after two hours.
[AGEE_8_0_54_6]
Security
This fix addresses a security vulnerability. For more information, see Knowledge Center article CTX117991.
[AGEE_8_0_57_3]
Session and Connection
If the server running the Secure Ticket Authority (STA) is configured with a domain name, the IP address is not transferred to the secondary Access Gateway. When a failover occurs, Citrix Presentation Server Clients try to connect before the IP address of the STA is confirmed and the ICA connection fails.
[AGEE_8_0_58_5]
When Access Gateway connections to the server running the Secure Ticket Authority are closed abruptly, connections using Citrix Presentation Server Clients fail.
[AGEE_8_0_57_3]
The default parameter for Kill existing connections is changed to disabled.
[AGEE_8_0_57_3]
If MAC-based forwarding is enabled and the MAC address of the server running Citrix Presentation Server in the secure network changes, user connections might fail. To correct this issue, use the following steps:
Use the nsapimgr command to flush the server's information. To flush all of the server's information, at a shell prompt type:
nsapimgr -yf allsi
You can flush one server using the following command:
nsapimgr -P 2598 -I 1.1.1.1 -yf onesi
To view the server's information, at a shell prompt type:
nsapimgr -d allsis
[AGEE_8_0_57_3]
When users connect using Client for Windows CE Version 10.x and session reliability is enabled on Citrix Presentation Server, the connection cannot be established.
[AGEE_8_0_56_10]
After you upgrade the Access Gateway from Version 8.0, build 51.4, to build 53.2, users cannot connect with Microsoft Office Communicator when intranet IP addresses are assigned.
[AGEE_8_0_54_6]
When the Access Gateway is configured in a double-DMZ deployment, the Access Gateway Proxy in the second DMZ cannot establish a connection with Citrix Presentation Server in the secure network.
[AGEE_8_0_55_3]
If a proxy server is configured in the Web browser on the client device, the Secure Access Client does local name resolution for the Access Gateway virtual IP address and for any entries in the browser proxy exception list and times out. In addition, the Secure Access Client attempts to connect to the Access Gateway without using the proxy server configured in the browser. The client log files for debugging are not accessible for users who are not logged on as administrators.
[AGEE_8_0_53_2]
Single Sign-On
When single sign-on to the Web Interface is configured and split tunneling is disabled, single sign-on to public Web sites fails.
[AGEE_8_0_47_8][#30049]
Web Interface
When users disconnect from the Web Interface, logic errors on the queued connection to the Secure Ticket Authority cause the Access Gateway to fail.
[AGEE_8_0_56_10]
If ICA traffic is sent to the Access Gateway before Secure Ticket Authority ticket validation occurs, the Access Gateway fails.
[AGEE_8_0_53_2]
Single sign-on to Web Interface Version 4.6 fails.
[AGEE_8_0_53_2]
If Web Interface failover is configured using a session policy and the primary Web Interface becomes unavailable, failover to the secondary Web Interface fails.
[AGEE_8_0_53_2]
The Access Gateway sends one ticket refresh request to the Secure Ticket Authority per logon session.
[AGEE_8_0_52_2]
When ICA proxy is enabled, the Web Interface is not redirected automatically.
[AGEE_8_0_50_3]
When the Access Gateway is configured to direct user requests to the Web Interface and connections are routed through a local load balancing virtual IP address, failover to a backup load balancing virtual server does not work.
If the appliance is licensed as a NetScaler and the Web Interface is configured to fail over, users receive the error message "HTTP 500 Internal Server error."
[AGEE_8_0_49_2]
When ICAProxy mode and Web Interface mode are enabled, if the user logs on to the Web Interface, connects to other Web pages, and then returns to the fully qualified domain name (FQDN) of the virtual server, the IIS default home page appears.
[AGEE_8_0_47_8][#30144]
The Web Interface and the Secure Ticket Authority must be configured using the complete fully-qualified domain name (FQDN).
[AGEE_8_0_45_4][#28268]
Miscellaneous
When ICA proxy is enabled and an auditing policy is configured, the audit logs do not record information for the states and status of the Access Gateway.
[AGEE_8_0_58_5]
When users log on with a client device that does not have a DNS suffix configured and then attempt to resolve the host name of an intranet host, remote DNS resolution fails because the appliance does not return a valid IP address.
[AGEE_8_0_58_5]
When a user successfully downloads a file using file transfer in the Access Interface, the message "Last login session has been expired. Please login again" appears if the user tries to download another file.
[AGEE_8_0_58_5]
When Microsoft Visual Studio 2008 is installed on a client device running Windows 2000 and when the user is logged on to the Access Gateway, the device restarts occasionally due to a driver fault.
[AGEE_8_0_58_5]
Endpoint analysis registry scans fail when the registry string values contain spaces.
[AGEE_8_0_58_5]
If the Web address of the server running the Secure Ticket Authority has an underscore in the name, the name is overwritten in the DNS request with 0x20 in an attempt to convert the address to lowercase.
[AGEE_8_0_57_3]
When two virtual servers are configured on the Access Gateway and one user logs on to both virtual servers and starts a published application from each virtual server, if the user logs off from the first virtual server and then from the second one, the current users counter on one virtual server decrements to a negative value. When this occurs, users cannot log on to the second virtual server.
[AGEE_8_0_57_3]
If an authorization policy is configured on the Access Gateway and the policy contains FS.SERVER == x.x.x.x and FS.SERVERIP == x.x.x.x, when users try to download a file from the home page, the file download fails.
[AGEE_8_0_57_3]
If the identifier of the Secure Ticket Authority is less than 15 characters and session reliability is enabled, users cannot establish a connection.
[AGEE_8_0_57_3]
When a user has an internal address for downloading a proxy configuration script, before establishing the session through the Access Gateway, the Web browser cannot download the script, and network traffic is sent directly to the internal network. After the tunnel is established, the script location is not resolved and traffic is not proxied in the Web browser. This occurs when split tunneling is disabled, split DNS is configured for remote only, and an intranet IP address is assigned. To resolve this issue, after establishing the session, users can open a second instance of the Web browser.
[AGEE_8_0_56_8]
If a user name contains a colon (:) character, when the user logs on to the Access Gateway and attempts to access the portal page, the user receives the message "Server Error. An error has occurred."
[AGEE_8_0_56_8]
An endpoint analysis scan fails when a registry key value contains an underscore as part of the name. In the following example, "HOSTIPS_7000" is the name.
HKEY_LOCAL_MACHINE\\SOFTWARE\\Network\Associates\\ePolicy\Orchestrator\\Application\Plugins\\HOSTIPS_7000
[AGEE_8_0_56_8]
When session reliability is enabled and a single Secure Ticket Authority (STA) server is configured on two or more virtual servers to use domain names instead of IP addresses, the Access Gateway fails. Citrix recommends that users do one of the following:
Bind the STA server globally instead of to the virtual server.
Configure the STA IP address instead of configuring a domain name.
[AGEE_8_0_56_8]
When the Access Gateway is configured as a high availability pair and a failover occurs, licenses are counted erroneously against ICA proxy sessions on the new primary's virtual server. Normal sessions are counted twice, and because all licenses are in use, new sessions cannot be created.
[AGEE_8_0_56_8]
When users log off from the Access Gateway, the license is not released.
[AGEE_8_0_55_3]
If users click on a configured link on the home page and are using Internet Explorer 6, a new instance of the Web browser does not open. If users are using Internet Explorer 7 or Firefox, a new tab or instance of the Web browser does not open.
[AGEE_8_0_55_3]
If users click Back in Internet Explorer after logging on, the incorrect home page appears.
[AGEE_8_0_54_6]
If the IP address or fully qualified domain name (FQDN) of the Access Gateway proxy in a double-hop DMZ is bound to a virtual server or to VPN global, and this is configured after adding a server running the Secure Ticket Authority, the Access Gateway fails.
[AGEE_8_0_54_6]
Reliability is improved for extensive user group authentication deployments.
[AGEE_8_0_53_2]
If the Secure Ticket Authority ticket is invalid and is not refreshed, the Access Gateway fails.
[AGEE_8_0_53_2]
When users log on using the ActiveX Plug-in and try to connect to internal Web sites in a secondary Web browser window, Internet Explorer fails.
[AGEE_8_0_53_2]
When calls are placed to an internal phone using Cisco SoftPhone, for a specified time after the connection is established, the audio is not heard on the internal phone and is heard on the SoftPhone.
[AGEE_8_0_53_2]
When Access Gateway appliances in a high availability pair are upgraded, the Secure Ticket Authority identifier is not propagated to the secondary appliance.
[AGEE_8_0_53_2]
When split tunneling is disabled and the automatic proxy script has a direct entry, cannot be downloaded to the client device, or has a host name that cannot be resolved, the Secure Access Client removes the proxy settings in Internet Explorer when users log off from the Access Gateway.
[AGEE_8_0_52_2]
When a client security expression is configured within a session profile or as part of an advanced global client security setting for post-authentication analysis, and the scan fails, SmartAccess fails because the Web Interface does not receive policy names.
[AGEE_8_0_51_4]
On the home page portal, file transfer bookmarks configured by the administrator do not behave the same as those configured by users.
[AGEE_8_0_50_3]
When a user adds a policy expression with a time stamp check, the policy expression works until the Access Gateway is restarted. When the Access Gateway restarts, the policy expression does not load, even though it is in the ns.conf file. In addition, any policy associated with the time stamp policy does not load either.
[AGEE_8_0_50_3]
The local LAN settings of the Secure Access Client are not persistent between Access Gateway sessions.
[AGEE_8_0_48_7][#35041]
When users connect using the Secure Access Client, DNS requests with host names exceeding six characters are not passed through the VPN tunnel.
[AGEE_8_0_48_7][#35915]
Applications that use UDP experience latency on the Access Gateway.
[AGEE_8_0_48_7][#35921]
If the Web proxy server IP address is specified in the Internet Explorer proxy settings and the user logs on using the Secure Access Client, the Access Gateway settings override the Internet Explorer proxy settings. In Internet Explorer, make sure you select the checkbox Use the same proxy server for all protocols.
[AGEE_8_0_47_8][#34845]
The Access Gateway fails when an external HTTP request is sent to an internal virtual server.
[AGEE_8_0_47_8][#34991]
If there is an unusually high number of user connections, CPU utilization goes to 100% and the Access Gateway fails.
[AGEE_8_0_47_8][#35350, #35493]
ICMP ping requests are not returned by the Access Gateway.
[AGEE_8_0_46_14][#29938]
When an intranet IP address is bound globally on the Access Gateway proxy in a double-hop deployment, users are assigned an IP address from the secure network.
[AGEE_8_0_45_4][#26110]
Attempts to download large files using the file transfer tool fail.
[AGEE_8_0_45_4][#27439]
If Norton Personal Firewall is installed on a client device, when users log on using the Secure Access Client, they receive a message from Norton Personal Firewall to allow or block the file nsload.exe. To establish the connection, select Allow.
[AGEE_8_0_45_4][#28709]
A global pointer is not set to NULL after the Secure Ticket Authority (STA) renews the ticket.
[AGEE_8_0_45_4][#29212]
The debugging logs for Windows XP are stored in the folder %systemroot%\Document and Settings\All Users\Application Data\Citrix\AGEE.
[AGEE_8_0_45_4][#29415]
The command to view virtual server statistics is stat vpn vserver.
[AGEE_8_0_41_8][#27936]
If a mapped IP address is not defined, the user receives the error message "500 internal server error."
[AGEE_8_0_41_8][#28287]