
Readme for Citrix Access Gateway Enterprise, Version 4.0 EN

Document ID: CTX105707   /   Created On: Jun 15, 2005   /   Updated On: Jun 29, 2005

Readme for Citrix Access Gateway Enterprise, Version 4.0

Introduction

Readme Version: 1.2

Product Name Change

The package that you purchased, Access Gateway Enterprise, consists of the Access Gateway hardware plus the Advanced Access Control Option software.

For simplicity in the software documentation, however, the name Access Gateway Enterprise refers just to the Advanced Access Control Option, formerly known as MetaFrame Secure Access Manager.

Contents

Finding Documentation

Getting Support

Issues Resolved in this Release

Known Issues in this Release

Documentation Errata

For information about new features and system requirements, see the product administration guides.

Finding Documentation

To view, search, and print the PDF documentation, you need Adobe Reader (supported versions: Acrobat Reader 5.0.5 with Search through Adobe Reader 7.0). You can download Adobe Reader for free from the Adobe Systems Web site. Documentation is available on the Citrix Knowledge Center Web site (select Product Documentation). Updates to Citrix technical manuals are posted on the Web site.

Documentation for other languages is found on the Citrix Knowledge Center Web site (select Product Documentation).

Licensing Documentation

Licensing documentation is available from the \Documentation folder on all product CD-ROMs. For MetaFrame Presentation Server, licensing documentation is also available from the Document Center. For licensing-related issues, see the Readme for MetaFrame Access Suite License Server.


Getting Support

Citrix provides technical support primarily through Citrix Solutions Advisor. Contact your supplier for first-line support or use Citrix Online Technical Support to find the nearest Citrix Solutions Advisor.

Citrix offers online technical support services on the Citrix Support Web site. The Support page includes links to downloads, the Citrix Knowledge Center, Citrix Consulting Services, and other useful support pages.

Issues Resolved in this Release

For a list of issues that were resolved since the previous release of this product, click here.

Known Issues in this Release

The following is a list of known issues in this release. READ IT CAREFULLY BEFORE INSTALLING THE PRODUCT.

Installation Issues

Other Known Issues

Contents of the Product CDs

Access Gateway Enterprise includes two product CDs.

CD 1: Server. Includes the Access Gateway Enterprise 4.0 installation programs (in multiple languages).

CD 2: Prerequisites. Includes programs (in multiple languages) that might be required to complete your installation. Refer to the Contents.txt file on the Prerequisites CD for a list of these programs. To identify the programs needed for your installation, refer to the Access Gateway Enterprise Administrator's Guide.

Notices

Installed File Locations

Because certain installation files build on other components, the following files are installed in directories that cannot be changed:

\image\setup\Access Suite Console\ASC_Framework.msi
\image\setup\Access Suite Console\ASC_Diagnostics_WSI.msi
\image\setup\Access Suite Console\Licensing_WSI.msi

The files are installed in the following locations:

C:\Program Files\Common Files\Citrix\MetaFrame Access Suite Console – Framework
C:\Program Files\Common Files\Citrix\MetaFrame Access Suite Console – Diagnostics
C:\Program Files\Common Files\Citrix\MetaFrame Access Suite Console – Licensing

[#116227]

Installation Issues

Important: Before you install this product, make sure you consult the Installation Update Bulletin.

The bulletin offers late-breaking information and links to critical updates to server operating systems and to Citrix installation files. Download and install the updates because you may not be able to properly install this product otherwise.

This section includes information for the following products:

Upgrading to Access Gateway Enterprise

Access Gateway Enterprise

Secure Gateway

Upgrading to Access Gateway Enterprise

Migration Tool Is Available with English UI Only

A migration tool is available on the Server CD to migrate MetaFrame Secure Access Manager 2.x data to your new installation of Access Gateway Enterprise. The user interface for this tool is English only, but it also supports European-language environments. This is the preferred way to upgrade and migrate data.

However, the tool does not support Japanese environments. As a workaround, see the manual steps for migration described in the Access Gateway Enterprise Upgrade Guide. [#118282]

New Advanced Gateway Client Is Required for Version 4.0

The Advanced Gateway Client included with MetaFrame Secure Access Manager 2.2 is not compatible with Access Gateway Enterprise 4.0. Therefore you must uninstall the previous client and then install the new Advanced Gateway Client. The new client is available on the Server CD in the Setup\AdvancedGatewayClient subfolder or from the download Web site at http://www.citrix.com/English/SS/downloads/details.asp?dID=2755&downloadID=21202&pID=15005.


Access Gateway Enterprise

Do Not Install Access Gateway Enterprise on a Domain Controller

If you install Access Gateway Enterprise on a computer that acts as a primary or backup domain controller, the Server Configuration utility does not complete the configuration process and an error message appears. To prevent this issue, install Access Gateway Enterprise on a computer that does not perform the functions of a domain controller.

Check the Machine Name for Unsupported Characters before Installing Access Gateway Enterprise

Installing Access Gateway Enterprise on a server that has characters not supported by Microsoft (such as an underscore, white space, or symbol) in the machine name can cause unexpected results in functionality. Before installing Access Gateway Enterprise, make sure that the machine name has only supported characters, which include alphanumeric characters and the hyphen. [#119542]

Restart the Server before Running the Server Configuration Utility

If you install the license server and Access Gateway Enterprise on the same server, you must reboot the server before running the Server Configuration utility. Failure to do so results in a Server Configuration error. [#120850]

Steps to Add the Access Suite Console Extension Manually to the MMC

After installing the Access Suite Console, you can launch it from the shortcut on the Start menu or add the snap-in to the Microsoft Management Console (MMC) manually.

To add it manually, use the following steps and pay attention to the important note in the last step:

    1. Select Start > Run > MMC.exe.

    2. Select File > Add/Remove Snap-in.

    3. Select Add > MetaFrame Access Suite Console > Add > Close.

    4. Highlight MetaFrame Access Suite Console and click OK.

    5. Double-click MetaFrame Access Suite Console to start a discovery and add the EPA node to the installation.

Important: Do not expand the plus (+) next to MetaFrame Access Suite Console before double-clicking it. If you do so, discovery does not start and the EPA node will not be added. [#116841]

Using IDs with Extended Character Set May Cause Some CDAs to Fail

When configuring the CDAs, if the authentication type is SQL and the database name, user name, or password for the SQL server contains an accented character such as À or Á, an error message appears and you cannot continue the CDA configuration. For example, the AlertBroadcaster CDA configuration wizard does not support the extended character set for the SQL server. To prevent this problem, when you install the SQL server with SQL authentication, specify a database name, user name, and password that do not require the extended character set. Note that this is not an issue with the Message Center CDA. [#116560, 116563]

RADIUS Authentication Accepts Only ASCII Characters in User Names

When configuring RADIUS authentication, you must create user names with ASCII characters only. If the user name consists of non-ASCII characters, such as Japanese characters, the logon to Access Gateway Enterprise fails. [#118566]


Secure Gateway

Installing the Secure Gateway on a Non-English Operating System

The Secure Gateway cannot be installed using the Network Service account on a computer that is running a non-English version of Windows Server 2003. By default, on these computers, the Secure Gateway installer provides the option to run the service only as the LocalSystem account, which is not secure. Other accounts may be listed, such as ASPNET, if Internet Information Services is installed. For security reasons, Citrix recommends that the Secure Gateway run on an account with fewer privileges, such as Network Service.

To install the Secure Gateway to use the Network Service account:

    1. Download the Windows Installer SDK from the Microsoft Web site.

    2. Using the Orca tool from the Windows Installer SDK:

        • Open the Secure Gateway MSI file, CSG_GWY.msi

        • On the Transform menu, click New Transform

        • In the Custom Action table, delete the following actions: Ctx_Check_Privileges_Silent and Ctx_Verify_Password_Silent

        • On the Transform menu, click Generate Transform and then save the transform as FIX_SG.mst

    3. Close Orca.

    4. To install the Secure Gateway, at a command prompt, type: msiexec /qb /I CSG_GWY.msi CTX_SERVICE_ACCOUNT="NT AUTHORITY\local language name" TRANSFORMS=FIX_SG.mst
    where local language name is the name of the Network Service. For example, the name of the network service in Spanish is Servicio de red.

    [#112576]

URLs for Logon Agent and the Secure Gateway Must Have Matching Lowercase FQDN

When configuring the authentication service in the Secure Gateway Configuration wizard and Logon Agent Configuration wizard, you must enter the identical Fully Qualified Domain Name (FQDN). Both should be lowercase letters only. If the URLs differ, even in capitalization, the HTTP headers are not written and the connection is made directly to the Access Gateway Enterprise server, bypassing the Secure Gateway. [#117311]

Links in Some Web Resource Pages Display Extra Characters

A Web resource containing text content with published UNC paths or URL address links may display extra characters in the links. For example, after being routed through the Web proxy, a Web page containing the text link https://server101/folder55.asp might display the link as https://server101/folder55.asp?clearname=\\server98\share\19.doc. The links work correctly with the extra characters displayed. Clicking the link opens a browser window directed at the proper resource. If the Web resource is set to bypass the Web proxy, this issue does not occur. For more information about bypassing the Web proxy, see the Access Gateway Enterprise Administrator's Guide. [#114831]


Other Known Issues

This section includes information for the following products:

Access Gateway Enterprise

Logon Agent

Index Server

Secure Gateway

Access Suite Console

Access Gateway Enterprise

Users Cannot Authenticate if Server Is Set to Use an Alternative Proxy

If the Internet Explorer settings (Internet Explorer > Internet Options > Connections > LAN Settings) on servers running Access Gateway Enterprise are set to Use a proxy server for your LAN, users cannot authenticate because Access Gateway Enterprise does not support proxy servers other than the Secure Gateway or Access Gateway. To use the Secure Gateway or the built-in Web proxy with Access Gateway Enterprise, clear the option Use a proxy server for your LAN or select the additional setting Bypass proxy for local addresses.

Correct Link to Download the New Advanced Gateway Client

If users are prompted to install the Advanced Gateway Client, the link incorrectly goes to the main Citrix Web page. Instead, they can use the following link to download the client: http://www.citrix.com/English/SS/downloads/details.asp?dID=2755&downloadID=21202&pID=15005

[#120698]

Embedded Application CDA Sessions Are Reconnected as ICA Sessions during Reconnection

When a user disconnects an Embedded Application CDA session and then subsequently reconnects, the session reconnects as a stand-alone ICA session. This occurs because MetaFrame Presentation Server cannot distinguish between ICA sessions launched through the Embedded Application CDA and other ICA sessions such as those launched through the Program Neighborhood CDA. As a workaround, disable the "Enable users to reconnect" SmoothRoaming option accessed at the logon point level. [#87106]

Alert Broadcaster CDA Advanced Configuration Wizard Displays Multiline Alert Messages in One Continuous Line

When a multiline alert message is created using carriage returns (Shift + Enter), the messages are displayed as single line messages in the Alert Broadcaster Manager and the global Advanced Configuration wizard. In the wizard, the messages show the pipe ( | ) character to indicate line breaks. Currently, there is no workaround for this issue. [#88593]

Underscores in Server or Domain Names Might Prevent Users from Logging on Successfully

If underscores are present in an Access Gateway Enterprise server's host name or in the fully qualified domain name (FQDN) of an Access Gateway Enterprise server farm, users may not be able to log on successfully to the server. This occurs because Access Gateway Enterprise does not support using underscores in the FQDN or the server's host name. If you experience problems with logging on to an Access Gateway Enterprise server, check to be sure that the host name as well as the FQDN of the server farm does not use underscores. [#91505]
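
The naming rules stated in this readme (supported machine-name characters, no underscores in host names or FQDNs, and identical lowercase FQDNs in the Secure Gateway and Logon Agent authentication URLs) can be checked before installation. The following Python script is an added example, not Citrix code; the function names, host names and example.com URLs are constructed for illustration.

```python
"""Pre-installation name checks for the naming rules stated in this readme.

Added example, not Citrix code. All host names and URLs are constructed.
"""
import re
from urllib.parse import urlsplit

# The readme lists alphanumeric characters and the hyphen as the supported set.
LABEL_OK = re.compile(r"[A-Za-z0-9-]+")


def name_problems(name):
    """Return problems found in a machine name or FQDN (empty list means OK)."""
    if not name:
        return ["name is empty"]
    problems = []
    for label in name.split("."):
        if not label:
            problems.append("empty label (leading, trailing or doubled dot)")
        elif not LABEL_OK.fullmatch(label):
            bad = sorted(set(re.findall(r"[^A-Za-z0-9-]", label)))
            problems.append(
                "label %r has unsupported characters: %s"
                % (label, " ".join(repr(c) for c in bad))
            )
    return problems


def host_as_typed(url):
    """Return the host part of a URL exactly as it was typed.

    urlsplit(...).hostname lower-cases its result, which would hide the
    capitalization difference this check exists to find, so netloc is used.
    """
    netloc = urlsplit(url).netloc
    host = netloc.rsplit("@", 1)[-1]   # drop any user-info
    return host.split(":", 1)[0]       # drop any port


def auth_url_problems(secure_gateway_url, logon_agent_url):
    """Check the two authentication-service URLs against the readme's rule:
    identical FQDN in both wizards, lowercase only."""
    hosts = {
        "Secure Gateway": host_as_typed(secure_gateway_url),
        "Logon Agent": host_as_typed(logon_agent_url),
    }
    problems = []
    for role, host in hosts.items():
        if not host:
            problems.append("%s: no host found in URL (is the scheme missing?)" % role)
            continue
        if host != host.lower():
            problems.append("%s: FQDN %r is not all lowercase" % (role, host))
        problems.extend("%s: %s" % (role, p) for p in name_problems(host))
    if hosts["Secure Gateway"] != hosts["Logon Agent"]:
        problems.append(
            "FQDNs differ: %r vs %r"
            % (hosts["Secure Gateway"], hosts["Logon Agent"])
        )
    return problems


if __name__ == "__main__":
    # Constructed sample names.
    for candidate in ("age-srv01", "age_srv01", "web server"):
        print(candidate, "->", name_problems(candidate) or "OK")
    # Constructed sample URLs that differ only in capitalization.
    for line in auth_url_problems(
        "https://gateway.example.com/auth",
        "https://Gateway.example.com/auth",
    ):
        print(line)
```

A capitalization-only mismatch is reported twice, once as a non-lowercase FQDN and once as a difference between the two URLs, because the readme states that either condition leads to the Secure Gateway being bypassed.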

Published Applications with "&", "*", or "%" in the Name Do Not Display Icons

The icon for an application that has an ampersand (&), asterisk (*), or percent (%) symbol in its name may not display in the Program Neighborhood CDA. This is a known issue with Microsoft .NET Framework 1.1. For more information, see the Microsoft Knowledge Base Article 826437. [#92931]

Web Parts for SharePoint Portal Server 2003 Are Not Supported for CDA Development

This version of Access Gateway Enterprise does not support Web Parts for SharePoint Portal Server 2003; therefore, CDAs that use this Web Parts standard may not function. [#109001]

Email Synchronization Might Not Function Properly When a Microsoft Exchange Server Is Restarted

When a Microsoft Exchange server is restarted, email synchronization might not function properly because the Exchange communication ports may change. This occurs because the port discovery query tool supplies the Advanced Gateway Client with the original list of ports with which to communicate with the server. The port discovery query tool runs only when the Email Synchronization configuration changes.

As a workaround, reconfigure the Email Synchronization settings in the Access Suite Console. You can avoid this issue by using static Exchange ports. [#109255]

Microsoft Visio Documents Previewed with Live Edit Might Not Display Correctly

When you view a Microsoft Visio document in HTML from the default navigation page using the Preview command, the document might not display correctly because certain post-installation steps in Visio are not yet completed by the Access Gateway Enterprise service account user.

If you encounter this issue, complete the post-installation tasks for Microsoft Visio 2003:

    1. Open Microsoft Visio 2003.

    2. From the File menu, select Open and select a Visio document. Visio asks whether you want to display additional help resources from Microsoft Office Online and also prompts you for your name and initials.

    3. Answer the prompts and close the program.

    4. Open the Services console and restart the Citrix Activation Engine service.

[#107368]

Visio 2002 Document Preview Shows First Page Only

HTML Preview may show only the first page of multi-page Microsoft Visio documents when using Visio 2002 or earlier. To prevent this problem, Citrix recommends using Visio 2003. [#115006]

Live Edit Save As Fails to Display File Names

The Live Edit Save As window displays only directory names, not the names of files in the directories. To use the Save As feature, select Save As, navigate to the desired folder in the Live Edit Save As window, and then click Save. If a file with the same name exists, Save As returns the message: "The file already exists. Would you like to overwrite it?" In this case, either rename the file before saving it or click OK to overwrite the existing file. [#88511]

Using Localhost for Database Server Name May Prevent Successful Installation of Access Gateway Enterprise Software

When installing the Access Gateway Enterprise software, using "localhost" as the database server name may cause the installation to fail. This occurs when LAN settings in Internet Explorer are configured to use a proxy server without bypassing for local addresses. The proxy server then fails to resolve "localhost" to 127.0.0.1. To resolve this issue, choose a different name for the database server and reinstall Access Gateway Enterprise. [#113893]

Limitations of Lotus iNotes R5.x and R6.x

IBM Lotus iNotes has the following known limitations in this release:

    • On any platform, Lotus iNotes R5.x does not support the Netscape 7.2 browser

    • On the Apple Mac OS X platform, Lotus iNotes R5.x and R6.x do not support the Safari browser

[#112114]

Single Sign-On between Access Gateway Enterprise and Lotus/Domino Requires Matching Logon IDs

To enable single sign-on between Access Gateway Enterprise and Lotus Notes/Domino through iNotes/Domino Web Access, users’ Notes/Domino logon ID must match their Active Directory logon ID. Because Notes/Domino supports multiple logon IDs, Notes/Domino administrators can modify Notes/Domino LDAP so that users have a logon ID that matches their Active Directory logon ID. [#118808]

Lotus iNotes Using Token Replacement Requires User Names of Eight Characters or Fewer

By default, Lotus Notes/Domino .nsf files consist of the user’s first name initial and the first seven characters of the last name. Therefore, building database file names using a token design of #FirstNameInitial #LastName does not work properly for users with a last name longer than seven characters. To resolve this issue, enter all users’ last names in an LDAP schema object not currently used and reference this object as a token within Access Gateway Enterprise. [#118808]

Lotus iNotes Version R5 Does Not Allow Deleting Files from Email Messages

Deleting attached files fails when editing IBM Lotus iNotes Version R5 email. As a workaround, if you attached a file to a message but do not want to send the file, save the contents of the message, exit the email message without sending it, and then recreate and send the email message. [#119238]

Problem Seeing Logon Page for Access Gateway Enterprise Connecting through the Secure Gateway Using Netscape 7.x or Safari 1.x Browsers

Users with two or more browser instances on the same computer using Netscape 7.x or Safari 1.x connecting through the Secure Gateway fail to see a Logon page and instead see a notice that the page is under construction. This problem does not occur on other supported browsers, including Internet Explorer 5.5 with SP2 and above. [#116331]

Citrix Activation Engine Service Fails to Close Microsoft Office Applications

On Microsoft Windows 2000 Server platforms, the Citrix Activation Engine Service might fail to stop and close certain instances of Microsoft Office Excel 2000, particularly if users view a file containing a divide by zero error in HTML Preview. As a workaround, stop the Citrix Activation Host Service and Citrix Activation Engine Service and close the application manually using Task Manager. Then restart the services. This problem does not occur on other platforms. [#116114]

Increasing Security of HTML Preview

On Microsoft Windows Server 2003 platforms, as an optional method to increase the security of HTML Preview, run the Activation Services under the less privileged Network Service account. To do this, in the Services console, modify the Properties of both the Citrix Activation Host Service and Citrix Activation Engine Service to use the Network Service account.

Then, in Windows Explorer, modify the Properties of the ActivationCache folder of the installation directory of Access Gateway Enterprise to allow only the needed security permissions and deny Full Control for the Network Service account.

Finally, configure the Network Service account to launch and access each of the Microsoft Office applications as well as the Citrix Activation Host Service. To do this, from the Start menu, run dcomcnfg.exe. In the Component Services window, expand Console Root > Component Services > Computer > My Computer, and select DCOM Config. In the right pane, for the service and Office applications, right-click and select Properties. On the Security tab, for both Launch Permissions and Access Permissions, click Customize, click Edit, click Add, type Network Service, and click OK.

After adding the account for the Citrix Activation Host Service and Microsoft Office applications, restart the Citrix Activation Host Service and Citrix Activation Engine Service to apply the changes. [#115375]

Certain PDAs Show Only English User Interface

Certain PDAs, such as the Toshiba Genio e550C and Hewlett-Packard (HP) iPAQ h2210, have a limitation that shows only the English user interface for Access Gateway Enterprise, even if you specify another language on your PDA. There is no workaround for this issue. [#106290]

Repositioning CDAs in the Access Center Is Allowed Only in Internet Explorer

When viewing the access center in Microsoft Internet Explorer, users can drag individual CDAs to reposition them. However, this functionality is disabled in other Web browsers. [#118155]

Large Numbers of Rule Conditions for Scans Can Slow Performance

Adding rules or editing rule conditions for scans that already have a large number of rule conditions can cause slow performance and high memory use. The responsiveness of the endpoint analysis section of the management console might become increasingly slow. Citrix recommends that a rule contain no more than six conditions, and that each condition have no more than six properties.

As a workaround, if you need to combine more conditions, Citrix recommends using policies and values or creating additional scans. [#113453, 110534]

Connecting a Client Device to Access Gateway Enterprise through a Proxy Server May Fail

Using the MetaFrame Presentation Server Client for Win32 to connect a client device to an Access Gateway Enterprise farm through a proxy server may fail. As a workaround, perform the following manual configuration steps on all servers in the Access Gateway Enterprise farm. [#118385]

    1. Make a copy of the following file:
    C:\Program Files\Citrix\Access Gateway Enterprise\Bin\Binders\ICAFile.xslt

    2. In a text or XML editor, open the following file:
    C:\Program Files\Citrix\Access Gateway Enterprise\Bin\Binders\ICAFile.xslt

    3. Locate the line containing the following text:
    [WFClient]

    4. Add a new line immediately after the line found in Step 3.

    5. On the new line, add the following text: ProxyType=Auto.

    6. Save the file and exit the editor.

    7. Restart all Access Gateway Enterprise services. You do not need to restart the Microsoft Internet Information Services.
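
Steps 1 through 6 above can be scripted so the edit is applied identically on every server in the farm; restarting the services (step 7) remains a manual step. This Python script is an added example, not Citrix code; it assumes the file uses a single-byte or UTF-8 encoding, and the .bak backup name and the sample content are constructed.

```python
"""Apply the ProxyType=Auto edit from this readme to ICAFile.xslt.

Added example, not Citrix code. The edit is done on raw bytes so the
rest of the file (encoding, line endings) is left untouched.
"""
import shutil
import sys
from pathlib import Path

MARKER = b"[WFClient]"         # line to locate (step 3)
NEW_LINE = b"ProxyType=Auto"   # text to add on the following line (step 5)

# Constructed sample content, only used by the demo at the bottom.
SAMPLE = b"[WFClient]\r\nVersion=2\r\n[ApplicationServers]\r\n"


def add_proxy_type(data):
    """Return (new_bytes, changed).

    Inserts NEW_LINE on a new line directly after the first line that
    contains MARKER. Running it again on its own output changes nothing.
    """
    lines = data.splitlines(keepends=True)
    for index, line in enumerate(lines):
        if MARKER in line:
            break
    else:
        raise ValueError("no line containing [WFClient] was found")

    # Already patched: the next line is exactly the setting.
    if index + 1 < len(lines) and lines[index + 1].strip() == NEW_LINE:
        return data, False

    # Reuse the file's own line ending.
    eol = b"\r\n" if b"\r\n" in data else b"\n"
    if not line.endswith((b"\n", b"\r")):
        lines[index] = line + eol          # marker was the last line, no EOL
    lines.insert(index + 1, NEW_LINE + eol)
    return b"".join(lines), True


def patch_file(path):
    """Back up the file (step 1), then write the patched content.

    Returns True if the file was changed, False if it was already patched.
    The backup is written next to the file as <name>.bak (hypothetical
    naming) and an existing backup is never overwritten.
    """
    path = Path(path)
    new_data, changed = add_proxy_type(path.read_bytes())
    if changed:
        backup = path.with_name(path.name + ".bak")
        if not backup.exists():
            shutil.copy2(path, backup)
        path.write_bytes(new_data)
    return changed


if __name__ == "__main__":
    if len(sys.argv) == 2:
        # Usage: python patch_icafile.py "<path to ICAFile.xslt>"
        print("changed" if patch_file(sys.argv[1]) else "already patched")
    else:
        patched, _ = add_proxy_type(SAMPLE)
        print(patched.decode("ascii"))
```

Because the second run reports "already patched" instead of adding a duplicate line, the script can be rerun across the farm to confirm that every server carries the setting.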

Opening a File in Internet Explorer Directly from Standard File Download UI May Fail

When using Access Gateway Enterprise to download files, the standard browser download UI appears. Clicking the Open button (instead of the Save button) may result in the following error message: "Cannot find the C:\Documents and Settings\Administrator.EN\Local Settings\Temporary Internet Files\Content.IE5\ directory name\ file name. Do you want to create a new file?"

As a workaround after receiving this error, save the file to a local device and then open the file with an appropriate application. [#116469]

Forest Trusts and Access Gateway Enterprise Domains

Access Gateway Enterprise fails to display all domains, users, or devices that exist in domains related through a forest trust to domains in the Access Gateway Enterprise forest. In this case, create external trust relationships between the Access Gateway Enterprise domains and the domains in the forest trust. [#118520]

Extra Condition Options Displayed during Endpoint Analysis Rule Creation

When you create or edit Endpoint Analysis rules that contain multiple conditions, Access Gateway Enterprise may display more condition options than are actually available. In this case, cancel the rule edit wizard and then start creating or editing the rule again. If the erroneous options appear again, finish editing the rule and then save it. Access Gateway Enterprise deletes the extra condition options and saves the rule. [#110725]

Domain Name Format in Citrix Scans for Domain Membership

The Endpoint Analysis package "Citrix Scans for Domain Membership" reads domain names in NetBIOS format. You can create a custom version of the package that reads domain names in Fully Qualified Domain Name (FQDN) format by modifying the sample code included in the Endpoint Analysis Software Development Kit (SDK). Edit the sample code package to read domain names from the lookup table stored at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DomainCache. [#116741]

Clearing Server Names from Client Device Endpoint Analysis Cache

Using the Empty Cache feature of the Manage Endpoint Analysis tool on a client device clears the cache but does not clear the list of Access Gateway Enterprise server names. As a workaround, to clear server names from the list, exit Manage Endpoint Analysis and navigate to folder C:\Documents and Settings\username\Application Data\Citrix\EPA. Delete the folder named for any server you want cleared from the list and restart Manage Endpoint Analysis. If the operating system on the client device is Microsoft Windows 98 or Me, the Application Data\Citrix\EPA folder uses machine name instead of user name. [#117206]

Access Suite Console May Fail to Respond When Deleting Endpoint Analysis Rules

The Access Suite Console occasionally fails to respond when deleting Endpoint Analysis scan rules. In this case, exit and restart the Access Suite Console and then continue deleting scan rules. [#117410]

Access Gateway Enterprise Email Interface Does Not Support Outlook Web Access Tasks

The email interface included with Access Gateway Enterprise can view but not open tasks created in Microsoft Outlook Web Access. This is a known issue and there is no workaround. [#112498]

Website Viewer Page Covers File Activation Choice Page

When you open a document in the Website Viewer CDA, the scroll bar and Activate button on the File Activation choice page are sometimes not visible in the Website Viewer window. In this case, resize the Website Viewer window. [#109487]

Error Message Returned for Embedded Application

When you configure an Embedded Application CDA to display an application published in a specific zone on MetaFrame Presentation Server, if users who do not have access to that zone try to run the embedded application, the following error message appears: "Protocol driver error." The correct error message for this case should be: “The access center cannot launch the published resource.” [#112133]

Duplicated Windows User Names Cause Erroneous Policy Settings

A new Microsoft Windows account with the same user name as a deleted account has the same access to Access Gateway Enterprise resources as the deleted account. To avoid this, prevent the creation of duplicate user names by disabling but not deleting Windows accounts. [#118665]

BlackBerry 7290 May Have Display Errors

On the BlackBerry 7290 device, the navigation bar for top-level menus (Inbox, Calendar, Contacts, and so on) does not use the full width of the screen. However, the menus function correctly and lower-level menus display properly. [#113145]

In addition, when you enter text into the message box for an email message or note, the text displays with an extra space between characters. The text displays correctly when recipients view the email messages, but emails and notes retrieved on the BlackBerry 7290 display with extra spaces between characters. [#113148]

BlackBerry 7290 and Pocket PC Browser Version Display Error

When you first log on to Access Gateway Enterprise from a BlackBerry 7290 device or Windows Pocket PC, the following message appears: “Your browser is not fully supported by this version of MetaFrame Secure Access Manager. Some content might not be displayed properly.” In this case, close the Web page that displays this message and continue using Access Gateway Enterprise. Other small form factor devices may exhibit the same behavior. [#113299]

Email Folders Display 1000 Messages

The email interface included with Access Gateway Enterprise can display the most recent 1000 messages in a folder. To view earlier messages, users can either delete some messages or move messages to another folder. [#90250]

Web-Based Email Interface Included with Access Gateway Enterprise Using Exchange 5.5 Cannot Resolve Partial Names Properly

When Access Gateway Enterprise is configured to use Microsoft Exchange 5.5 for its email interface, the Check Names functionality sometimes prevents users from selecting multiple recipients at once. This occurs when the recipients have similar prefixes and the function selects a name using a partial match, leaving users unable to select other similar names; for example: test2@testdomain.com and test200@testdomain.com.

As a workaround, users can select a single recipient from the drop-down list and make sure that the name fills completely before selecting another name. This issue does not occur in later versions of Exchange. [#118956]

View Only Trusted Web Sites through Web Proxy

Unauthorized users may attempt to access your Access Gateway Enterprise environment using Access Gateway Enterprise sessions that are linked to untrusted Web sites. To prevent such access, allow users to access only trusted Web sites through the Web proxy. [#118361]

HTML Preview May Fail for Unsupported, Password-Protected, and Macro-Enabled Files

Users may receive an error message when attempting to view an unsupported file type using the HTML Preview feature. [#118904]

To prevent this problem, disable macros in Microsoft Office applications and disable previewing of the following file types:

    • Master documents in Microsoft Word (see Word Help for an explanation of Master document)

    • Password-protected documents, workbooks, and presentations (encrypted)

    • Word documents that use framesets

    • Files that contain Excel 4.0 macros

    • Corel WordPerfect files

Also note that for files with embedded objects, VBA, scripts, and so on, the following rules apply:

    • VBA is ignored and not executed, but the VBA project (such as source code and dialog definitions) is retained

    • Embedded and linked objects are converted to graphic images and displayed in the approximate location where they were in the source file

    • Linked or embedded objects with password protection are not converted

Access Center Name Must Be Unique on the Server

If you create an access center that has the same name as an IIS virtual directory, the access center writes an error message in the Application section of the Event Viewer on the server where you added the access center.

To prevent this, prior to creating access centers, open Internet Information Services (IIS) Manager and ensure that no IIS virtual directories with the name of the planned access center already exist on any server hosting an access center. [#96850]

File Names in File Shares Have Maximum Length of 209 Characters

Access Gateway Enterprise fails when uploading files with names longer than 209 characters to a file share. The Application Error page displays the message “Access Control Gateway has encountered an error.” In addition, the Event Viewer on the server that holds the file share for CitrixAGE Audit messages contains the text: “VFileSystemBrowser::UploadFile(): A runtime error occurred uploading file (null) to the network folder \file share name.” In this case, rename the file so it has 209 or fewer characters in the name, plus a three-character extension. [#115585]

Microsoft .NET Framework Error May Occur on Locked RDP Connections When Using Windows Server 2003 with Service Pack 1

On Microsoft Windows Server 2003 platforms with Service Pack 1 installed, if a workstation is locked (either manually or using a screensaver) during a Remote Desktop Connection (RDC) session to the Access Gateway Enterprise server with the console running, upon logging back on, the user may see a “generic error occurred in GDI+” exception message.

If the message appears, the user should click Continue to resume. This problem does not occur on Server 2003 platforms without Service Pack 1 installed. [#119544]

Workspace Control Settings for Reconnecting Are Supported Only for Clients 8.x or 9.x

When creating a new logon point for clients to connect to MetaFrame Presentation Server, the Workspace Control settings to enable users to reconnect are supported for clients that are Version 8.x or 9.x but not for earlier versions. [#113806]

When Not Using the Secure Gateway, Client Must Be Able to Resolve the Logon Address

If the Secure Gateway is not used to connect to Access Gateway Enterprise and the Logon Agent is installed on a server other than Access Gateway Enterprise, the client may not be able to resolve the logon address, resulting in a "page not found" error message.

To prevent this, when configuring the Logon Agent, use the Fully Qualified Domain Name (FQDN) of the Access Gateway Enterprise server hosting your authentication service. If Access Gateway Enterprise is installed on a multi-server farm, use the load balanced FQDN of the farm. This problem does not occur if the client connects through the Secure Gateway, which resolves the address automatically. [#114833]

Client for Java Launches Published Desktop in Full Screen Mode

When you use the Client for Java to connect to Access Gateway Enterprise, published desktops display in full screen mode regardless of the size set on the computer running MetaFrame Presentation Server. [#117828]

Endpoint Analysis Virus Scan Failure Due to Build Number Value or Format Matching

Endpoint analysis anti-virus scans may fail due to mismatches between the known anti-virus software build number and the value or format of the build number stored in the anti-virus application software. If a client device known to run the correct anti-virus software version fails endpoint analysis anti-virus scan due to a version mismatch (for example, 9.1.0.7 not 9.1.0.6; or 9.1.07 not 9.1.0.7), update the endpoint analysis scan conditions with the build value and format listed in the anti-virus program executable file.

For example, with McAfee virus scans, check that the build number and format listed in the file properties of program file mcvsshld.exe match the build number format and value returned when you view “About McAfee Virus Scan.” If the number or format does not match, select the rule you created for the endpoint analysis scan, double-click the Minimum Required Engine Version property, enter in the Property Value field of the Edit Property dialog box the build number stored in the mcvsshld.exe file properties, and then click OK. [#118828, 118830]
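The value and format mismatches described above can be told apart before you edit the scan rule. The following is an added example, not part of the Citrix readme or product: it classifies constructed client build strings against a rule value, and the host names and result labels are assumptions.

```python
import re

def parse_build(text):
    """Split a dotted build string into its components, kept as strings."""
    parts = text.strip().split(".")
    if not all(re.fullmatch(r"[0-9]+", p) for p in parts):
        raise ValueError(f"not a dotted numeric build string: {text!r}")
    return parts

def classify(rule_value, client_value):
    """Explain why a client build string does not equal the scan rule's value."""
    if rule_value.strip() == client_value.strip():
        return "match"
    rule, client = parse_build(rule_value), parse_build(client_value)
    if len(rule) == len(client):
        # Same number of fields: either the numbers differ or only padding does.
        same_numbers = [int(p) for p in rule] == [int(p) for p in client]
        return "format-mismatch" if same_numbers else "value-mismatch"
    # Different number of fields: the dots are placed differently.
    same_digits = "".join(rule) == "".join(client)
    return "format-mismatch" if same_digits else "format-and-value-mismatch"

# Constructed sample data: the rule value and what three clients report.
RULE = "9.1.0.7"
CLIENTS = {"pc-01": "9.1.0.7", "pc-02": "9.1.0.6", "pc-03": "9.1.07"}

def report(rule=RULE, clients=CLIENTS):
    """Map each client to the reason its build string passes or fails."""
    return {host: classify(rule, build) for host, build in clients.items()}

if __name__ == "__main__":
    for host, result in report().items():
        print(f"{host}: {result}")
```

A format-mismatch result means the rule should be re-entered in the format stored in the executable's file properties; a value-mismatch means the client really runs a different build.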

Successful Access to Web Resource Is Not Logged if the Web Proxy Is Bypassed

You can configure Event Logging in farm properties to log when users are allowed access to Web resources that are HTML MIME types. Logging this type of event is expected whether or not the user accesses the resource through the Web proxy. However, if the Web proxy is bypassed, users successfully access the resource but the event is not logged. When the Web proxy is used, the event is logged. [#116576]

IIS 6.0 Web Server Does Not Handle URL Addresses Greater Than 260 Characters

If users request a URL address that contains more than 260 characters and the Web server they send the request to is running Internet Information Services (IIS) 6.0, the Web server returns a "Bad Request (Invalid URL)" error. By default in IIS 6.0, the maximum number of characters you can submit in a URL is 260 characters. [#119192]

Cannot Open Documents in a SharePoint 2001 Network Resource from Netscape or Firefox

Users cannot open documents in a network resource defined for SharePoint 2001 when using Netscape or Firefox browser software. Users can open documents in SharePoint 2003 when using Netscape or Firefox browser software. Users are able to open documents in SharePoint 2001 from Internet Explorer. [#119177]

Text on a Web Page That Appears as a URL Is Rewritten by the Web Proxy

Web page text that follows the regular expression pattern of a URL, such as http://www.citrix.com, is rewritten by the Web proxy as a URL even if it is not tagged as a hyperlinked URL. [#111964]

Notepad Text Files Cannot Be Launched through a Web Proxy

Applications associated with the Notepad file type .txt cannot be opened through a Web proxy. For example, if you attempt to open a text file in Microsoft SharePoint 2003, the following error message appears: “Wrong file name, directory name or volume label.”

As a workaround, specify that text files open in Microsoft Word. This is not a problem with other file types, such as those associated with PDF files and Microsoft Office applications. [#120659]

Netscape 7.x Browser on Macintosh OSX Platform with Client for Java 9.0 Does Not Launch Applications

The Netscape 7.x browser on an Apple Macintosh OSX platform using the Client for Java Version 9.0 cannot open published applications. If you attempt to do so, an error states that Sun JRE 1.3.1 is not supported and JSE 1.4 is required, even though version 1.4 is already installed on the client.

As a workaround, set the logon point for the Client for Java to use the locally installed Presentation Server client. Alternatively, you can use the Client for Java Version 8.0, which opens the applications correctly. [#112136]


Logon Agent

Client for Java Includes Encryption Setting

When using the New Logon Point wizard, if you select the Client for Java, the setting for Encryption is enabled by default but does not identify the type of encryption. This setting enables secure communication with RC5 128-bit encryption between Presentation Server Clients and the computer running MetaFrame Presentation Server. [#116106]


Index Server

MetaFrame Indexing DRE Terminates Unexpectedly When Initializing or Resetting

If you click the Initialize DRE or Reset DRE buttons from the Advanced tab of the Index Server Administration Utility, the MetaFrame Indexing DRE service terminates unexpectedly. When this occurs, the Administration tab displays a red slashed circle to indicate the service is not connected.

As a workaround, start the MetaFrame Indexing DRE service manually:

    1. Go to the Start menu.

    2. Select Programs > Administrative Tools > Services.

    3. Locate and start the MetaFrame Indexing DRE service.

[#108790]


Secure Gateway

For a list of issues that were resolved since the previous release of this product, click here.

Configuring the Secure Gateway for Port and IP Address Monitoring Results in "The Selected Port Is in Use" Error Message

When configuring the Secure Gateway to monitor a port and IP addresses, the following error message might appear: "The selected port is in use. Please select another port." This message can occur when the Secure Gateway service monitors IP addresses that were removed from the network. To work around this issue, make sure that no other network application is listening on the selected port.

To clear the port, stop the Secure Gateway service:

    1. From the Start menu, select Programs > Administrative Tools > Services.

    2. Locate and stop the Secure Gateway service.

You can now use the Configuration wizard to select the port and IP addresses that you want the Secure Gateway to monitor.
[#74635]

Setting the SSLCertificateAuthorityRevocationPolicy Registry Key to "Offline" Might Result in Server Performance Issues

Using the default value, offline, of the SSLCARevocationPolicy registry key might result in slowed server performance. This occurs because the Secure Gateway checks the local cache for revoked certificates when a user connects to the server. For clients connecting to internal Web servers, this setting is considered secure.

Caution! This fix requires you to edit the registry. Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use the Registry Editor at your own risk.

To change how Secure Gateway checks for revoked certificates, add the following registry key on the Secure Gateway server: HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Citrix Secure Gateway\3.0\SSLCARevocationPolicy

If you want the fastest performance and are not concerned about security, set this value to off. This stops Secure Gateway from checking a certificate authority (CA) for a current certificate revocation list (CRL) of revoked certificates.

If you want maximum security and are not concerned about slowing performance, set this value to on. This causes the Secure Gateway to check a CA for a current CRL of revoked certificates every time an SSL connection is made to the server.

Note: Do not change the key type, which must be REG_SZ.

[#88568]
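To confirm which revocation policy each Secure Gateway server is using, the following added example (not Citrix code) parses the output of `reg query "HKLM\SOFTWARE\Citrix\Citrix Secure Gateway\3.0" /v SSLCARevocationPolicy` collected from each server. It assumes SSLCARevocationPolicy is a value under the 3.0 key; the host names and sample outputs are constructed.

```python
import re

VALUE_NAME = "SSLCARevocationPolicy"
KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Citrix Secure Gateway\3.0"

# Behaviour of each setting as the readme describes it.
POLICIES = {
    "on": "checks a CA for a current CRL on every SSL connection",
    "offline": "checks the local cache for revoked certificates",
    "off": "does not check a CA for a current CRL",
}

def audit(reg_query_output):
    """Return (finding, detail) for one server's `reg query` output."""
    match = re.search(rf"^\s+{VALUE_NAME}\s+(REG_\w+)\s+(.*?)\s*$",
                      reg_query_output, re.MULTILINE)
    if match is None:
        # Value not set: the readme gives offline as the default.
        return "offline", "value not set, default applies"
    reg_type, data = match.groups()
    if reg_type != "REG_SZ":
        return "invalid-type", f"{reg_type} found, REG_SZ required"
    policy = data.lower()  # assumption: case is ignored for reporting
    if policy not in POLICIES:
        return "invalid-value", f"unexpected data {data!r}"
    return policy, POLICIES[policy]

# Constructed sample output, as collected from four hypothetical servers.
SAMPLES = {
    "gw-01": f"\n{KEY}\n    {VALUE_NAME}    REG_SZ    on\n",
    "gw-02": f"\n{KEY}\n    {VALUE_NAME}    REG_SZ    off\n",
    "gw-03": f"\n{KEY}\n    {VALUE_NAME}    REG_DWORD    0x1\n",
    "gw-04": "ERROR: The system was unable to find the specified "
             "registry key or value.\n",
}

def audit_all(samples=SAMPLES):
    """Map each host to its finding so servers set to off stand out."""
    return {host: audit(text)[0] for host, text in samples.items()}

if __name__ == "__main__":
    for host, text in SAMPLES.items():
        finding, detail = audit(text)
        print(f"{host}: {finding} ({detail})")
```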

Check the Secure Gateway Maximum Connection Limits

If you are experiencing problems with the number of connections to the Secure Gateway, check the maximum connections value that is set in the Secure Gateway Configuration wizard. On the Connection Parameters screen, if you type in a new value for Maximum connections and then select or clear the Unlimited check box, the maximum connections limit is reset to the default value of 250. [#99748]

Prevent Indexing from Search Engines

To prevent indexing of the Secure Gateway by Web sites such as Google and Yahoo, create a file called Robots.txt with the following commands in the file:

User-agent: *
Disallow: /

After creating the file, install Robots.txt in the root of the server.

For more information about Robots.txt, see the following Web sites:

http://www.robotstxt.org/wc/norobots.html
http://www.google.com/remove.html
http://search.msn.com/docs/siteowner.aspx?t=SEARCH_WEBMASTER_REF_RestrictAccessToSite.htm.htm

[#105369]

Configuring Inbound Client Connections with Different Ports May Result in an Error

If you add an IP address and use a different port than 443 and then later delete the IP address and port in the Network Interface List on the Configure inbound client connections screen, an error appears when you click Next.

To correct this problem, stop and start the Secure Gateway service:

    1. From the Start menu, select Programs > Administrative Tools > Services.

    2. Locate and stop the Secure Gateway service.

    3. After the Secure Gateway service stops, restart the service.

[#112023, 112159]

Secure Gateway Fails to Start if the Name of the Logon Point Has Spaces

If the Secure Gateway points to a logon point whose name includes one or more spaces, the service fails to start. As a workaround, replace the space with %20, as in the following example:
http://my.company.com/CitrixLogonPoint/My%20Logon%20Point

Alternatively, you can add quotes around the URL in the httpd.conf file for the Secure Gateway. For example:
ProxyPass "http://my.company.com/CitrixLogonPoint/My Logon Point/"
ProxyPassReverse "http://my.company.com/CitrixLogonPoint/My Logon Point/"

[#120539]


Access Suite Console

Adding or Removing Snap-Ins

The Access Suite Console requires Microsoft .NET Framework Version 1.1. If both Versions 1.0 and 1.1 are present on your system and you use Version 2.0 of the Microsoft Management Console (MMC), you cannot add or remove Access Suite Console snap-ins using the Add/Remove Snap-in dialog box. As a workaround, start the MMC (select Start > Run and type mmc) and open your console (.msc) file from the File menu. Use the Add/Remove Snap-in dialog box to manage Access Suite Console snap-ins. Note that this issue does not occur with Version 1.2 of the MMC. [#110503]

Documentation Errata

Access Gateway Enterprise Administrator's Guide

Correction for Sample Lotus Notes/Domino Http Address

On page 132 of the Administrator's Guide, the correct Lotus Notes/Domino http addresses for dynamic token replacement require brackets before and after the <username>. The sentences should read:

"If you are using Lotus Notes/Domino, you can use dynamic token replacement to accommodate explicit links to individual user database files. For example, enter http://servername/mail/#<username>.nsf, where servername is the NetBIOS name, IP address, or FQDN of your Lotus Notes/Domino server and #<username> is the token replaced with the user’s user name obtained from Active Directory or Windows NT Directory Services."

Advanced Gateway Client Executable Is Included on Server CD in English Only

The note on page 145 of the Administrator’s Guide states: "The Advanced Gateway Client and Endpoint Analysis Client are available as stand-alone MSIs and EXEs on the Server CD..." However, the CD includes only the English version of the Advanced Gateway Client MSI.

You can download the French, Spanish, German, and Japanese versions of the stand-alone Advanced Gateway Client EXE (designed for Windows 98 or other platforms that do not support MSI installers natively) from the Citrix Web site. [#120926]

Message Center CDA Help

Topic: Defining the Number of Threads and Messages Per Page

The third paragraph should read:

"Messages: The maximum number of messages per page you want Message Center to display. You can specify any number from 1 to 25. If the number of messages exceeds the number you specify, users can click Next or Previous to scroll through the messages." [#85593]

Embedded Application CDA Help

Topic: Configure Embedded Application

The topic includes the following Tip: Edit the user help file (<wwwroot>/<accesscenter>/CDS/Embedded Application/<lang>/Help/help.htm) to describe the specific published application or desktop you associated with Embedded Application in Step 4.

The path to the help.htm file is correct if the Embedded Application CDA is installed on the server running Access Gateway Enterprise and you access this file using the Internet Information Services (IIS) Manager snap-in for the Microsoft Management Console (MMC).

However, if you locate the file using Windows Explorer, the browser path is relative to the CDA installation directory, such as:
C:\Program Files\Citrix\Access Gateway Enterprise\CDA\WebContent\<CDA install folder name>\help\<lang>\help.htm

where <CDA install folder name> is the folder where the CDA is installed, and <lang> refers to the language, such as en for English, de for German, and so on. [#114565]

Citrix Systems, Inc.
851 West Cypress Creek Road
Fort Lauderdale, Florida 33309 USA
954-267-3000
http://www.citrix.com/

Copyright © 2005 Citrix Systems, Inc.

