This document describes the issue(s) solved, new features, and known issues in this build and includes installation instructions.
The latest version of the product documentation is available from Citrix eDocs at http://edocs.citrix.com.
The latest version of the NetScaler Gateway software can be downloaded from the Citrix web site.
When the software is downloaded to your computer, you can install the software by using the Upgrade Wizard in the Configuration Utility or the command-line interface.
The following table provides the Citrix product names and versions with which NetScaler Gateway 10.5 is compatible.
If you configure advanced endpoint analysis policies, endpoint analysis encryption, a proxy server, and client certificate authentication, the NetScaler Gateway Plug-in does not connect and users receive the error message, '2017: Your computer does not have the necessary security software to connect to the NetScaler Gateway. Please contact your system administrator.'
When users log on with the NetScaler Gateway Plug-in, if the user's TCP connection closes while the connection to the internal network through NetScaler Gateway is in progress, the appliance might fail.
In a double-hop DMZ deployment, if the Receiver connection closes and the connection to XenApp or XenDesktop is in progress, the appliance might fail.
When users are authenticated in NetScaler Gateway against an LDAP (Lightweight Directory Access Protocol) server configured with an FQDN (Fully Qualified Domain Name), authentication fails. As a workaround, LDAP servers can be configured with an IP address.
[From NG_10_5_54_2] [#509970]
When a user connects to a multi-core NetScaler Gateway that runs out of memory during inter-core communication, NetScaler Gateway fails.
[From NG_10_5_54_2] [#513385]
When the HTTPS proxy is configured with NTLM authentication and NetScaler Gateway is activated with single sign-on, login fails if the proxy credentials are incorrect. The TCP connection setup with the proxy closes the connection with a 407 error.
[From NG_10_5_54_4] [#515043]
When Endpoint Analysis is configured, users are redirected to index.html. Otherwise, if authentication is disabled on NetScaler Gateway, a session is created for any arbitrary URL.
[From NG_10_5_54_4] [#516257]
NetScaler Gateway does not support single sign-on (SSO) to public servers unless single sign-on is enabled in a traffic profile or split tunneling is enabled.
[From NG_10_5_54_4] [#518414]
If you use the Set Up NetScaler for XenApp/XenDesktop wizard in NetScaler, apply optimization settings, and bind the cache policy globally, the applications and desktops do not appear when users log on with the NetScaler Gateway Plug-in and open Citrix Receiver. The following message appears: 'There are no apps or desktops assigned to you at this time.' Citrix recommends disabling the optimization settings.
If you enable advanced endpoint analysis on a virtual server and users connect from a Windows-based computer with Windows BitLocker Drive Encryption, the endpoint analysis scan fails with the error 'Your device does not meet the requirements to logging on to the secure network.' Endpoint analysis scans for BitLocker Drive Encryption are not supported.
In a session profile, if you configure the Home Page on the Client Experience tab or the Web Interface Address on the Published Applications tab with a fully qualified domain name (FQDN) that resolves to a local server or a load balancing server, the high availability node might fail during synchronization or configuration changes. This can also occur if you unbind the session policy from the virtual server or if you clear the configuration on the appliance.
When users connect, the DNS Service Location (SRV) records configured on NetScaler Gateway are not served.
[From NG_10_5_53_9] [#464518]
If you configure two-factor authentication with client certificates and LDAP and if Deny SSL Renegotiation is set to All, user connections fail. You must set the parameter to No.
To configure Deny SSL Renegotiation
- In the configuration utility, on the Configuration tab, in the navigation pane, expand Traffic Management and then expand SSL.
- In the details pane, under Settings, click Change advanced SSL settings.
- In Change Advanced SSL Settings, in Deny SSL Renegotiation, select No and then click OK.
[From NG_10_5_53_9] [#480009]
If you configure SSL renegotiation and users log on with a PKI-enabled client certificate, logon fails.
[From NG_10_5_51_10] [#487825]
If users log on to Outlook Web App by using clientless access in a Firefox web browser, sending email fails.
When users log on, they receive a prompt to install the Endpoint Analysis Plug-in, even though the latest version of the plug-in is installed on the user device.
If users log on by using the NetScaler Gateway Plug-in dialog box and the endpoint analysis scan fails, the choices page appears in Internet Explorer. When this occurs, the correct cookies are not sent from Internet Explorer and users receive a 403 forbidden error message or the Endpoint Analysis Plug-in web page appears.
When users log on for the first time from a Mac OS X 10.9 computer, if the Endpoint Analysis Plug-in starts in Safari 7.x, the attempt fails because the plug-in is not installed. Users receive the error message 'There is no application set to open the URL com.citrix.agmacepa.' Users can click Cancel in the message and then click the Download link in Safari.
Earlier versions of the NetScaler Gateway Plug-in do not support OPSWAT endpoint analysis scans. When users connect to NetScaler Gateway, logon fails because the earlier version of the plug-in does not support OPSWAT endpoint analysis scans. Users can log on from a web browser and then select Network Access, which starts the upgrade to the latest version of the NetScaler Gateway Plug-in and the Endpoint Analysis Plug-in.
If you configure an endpoint analysis expression that includes hard disk encryption scan types ENC-TYPE and ENC-PATH, a -13 error message always appears. For example, you use the expression HD-ENC_76003_ENC-PATH__e_ENC-TYPE_noneof_0,1,2.
If you configure a preauthentication policy that checks for Avira Antivirus on a Mac OS X computer and the virus definitions update by using the SCAN-TIME/VIRDEF-FILE-TIME parameter, the OPSWAT libraries use the date and not the time. You must configure this setting by using the number of days between updates.
If you configure logon and logoff scripts that are part of a session profile and the scripts contain Unicode characters, users cannot log on to or log off from NetScaler Gateway.
If you enable a proxy server and disable ICA proxy in a session profile, users cannot start published applications.
If you enable digest authentication in Internet Information Services (IIS) and users log on with Unicode credentials, add the IIS website as a bookmark, and then click the bookmark, single sign-on fails. Users receive a prompt to enter their user name and password.
During an endpoint analysis scan, NetScaler Gateway does not detect Trend Micro Titanium installed on a Mac OS X computer. As a result, the scan always fails.
If you enable the Green Bubble theme and then run the Clear Config -f Extended+ command, the Green Bubble theme remains instead of reverting back to the Default theme. To reset the value, you can run the set vn para uitheme command.
Citrix recommends that you do not bind Policy Infrastructure (PI) policies to the NetScaler Gateway virtual server. NetScaler Gateway does not support Policy Infrastructure (PI) policies.
If you configure the Web Interface home page with an IPv6 URL instead of IPv4 or the fully qualified domain name (FQDN), users receive a 400 Bad request error when they log on.
If you created a NetScaler Gateway virtual server by using the Quick Configuration wizard in NetScaler Gateway 10.1, the virtual server needs to be renamed with the prefix _XM_. For example, if the original virtual server name is XMGateway, you must manually rename it to _XM_Gateway. By changing the name with the correct prefix, you can see the virtual server in the wizard.
When both the NetScaler VPX and the StoreFront server are mounted on the same Microsoft Hyper-V, if you upgrade NetScaler VPX from Version 10.1, Build 121.10 to Version 10.5 Build 51.10, user logon to StoreFront fails.
[From NG_10_5_53_9] [#503614]
The pop-up messages for NetScaler Gateway Plug-in for Windows appear behind the active applications (such as browsers) on Windows 8.
When users log on, the IP address assigned from the address pool is overwritten. When this occurs, the destination MAC address changes and the response does not reach the user, which results in a time-out in the web browser on the user device.
[From NG_10_5_53_9] [#518008]
If ICA proxy is set to On and you configure authorization policies, when users attempt to connect, NetScaler Gateway modifies the host header to the FQDN of the Web Interface or StoreFront server. When this occurs, user logon fails with the message 'Error: Not a priviledged user.'
When users connect from a web browser and enter their SAML credentials, NetScaler Gateway fails. This occurs when you configure pre-authentication policies and two-factor authentication policies with SAML and LDAP with SAML as the primary authentication type and having a higher priority.
[From NG_10_5_53_9] [#506689]
If you configure endpoint analysis policies and the session times out, users who do not close the web browser cannot log on again.
[From NG_10_5_52_11] [#459149]
If you configure SAML authentication with signed SAML assertions and the user connection disconnects before the SAML response is normalized, NetScaler Gateway fails.
[From NG_10_5_52_11] [#489609]
If you configure nested group extraction and leave the Group Name Identifier blank, NetScaler Gateway fails.
[From NG_10_5_52_11] [#500765]
The NetScaler Gateway wizard creates a VPN virtual server with the default authorization set to Deny. When users connect to the VPN virtual server, they cannot access internal network resources. To allow users to connect, set authorization to Allow.
[From NG_10_5_51_10] [#479548]
If Kerberos uses x.509 certificates (PKINIT) for single sign-on, NetScaler Gateway fails to obtain tickets if the Key Distribution Center (KDC) returns a realm referral. This can cause the NetScaler Gateway appliance to fail.
[From NG_10_5_51_10] [#484245]
When there are a very large number of simultaneous user authentication requests and the authentication server is slow to respond, NetScaler Gateway can fail.
[From NG_10_5_51_10] [#484431, #488182, #493939]
If the authentication server is extremely slow to respond, such as 15-30 seconds or more, this can cause delays with users logging on successfully, even if the number of simultaneous connections is low.
[From NG_10_5_51_10] [#489343]
If you configure load balancing virtual servers and the Secure Ticket Authority (STA) with the same fully qualified domain name (FQDN), attempts to bind the STA to the NetScaler Gateway virtual server fail.
Responder or URL transform policies that are bound to the Content Switching virtual server are not applied to connection requests that come through NetScaler Gateway.
If user names that contain a period (.) share a common prefix before the period, NetScaler Gateway creates cache files based on the prefix. When this occurs, tickets for one user are sent to a different user.
[From NG_10_5_52_11] [#494463]
When users connect with clientless access, the appliance fails if the last octet of the IP address of the server in the internal network is equal to or greater than 240.
[From NG_10_5_52_11] [#494605]
If you configure a traffic management policy to enable single sign-on to Outlook Web App 2010, enable local authentication on the load balancing virtual server and then change to two-factor authentication with client certificate authentication and LDAP authentication, NetScaler Gateway fails when trying to access the load balancing server.
[From NG_10_5_51_10] [#485834]
If you are running NetScaler Gateway 10.5, Build 50.9, the priority values of policies bound to the NetScaler Gateway virtual server are lost. You can upgrade to Build 50.10 or 51.10 to fix the issue.
[From NG_10_5_51_10] [#486857]