Readme for Advanced Access Control

Document ID: CTX106891   /   Created On: Sep 30, 2005   /   Updated On: Mar 3, 2006

Readme for Citrix Access Gateway and Advanced Access Control, Version 4.2

Introduction

Readme Version: 1.3

Contents

Finding Documentation

Licensing Documentation

Getting Support

Getting Updated Endpoint Analysis Scan Packages

Contents of the Product CDs

Issues Resolved in this Release

Known Issues in this Release

Documentation Errata

For information about new features and system requirements, see the product administration guides.

Finding Documentation

To view, search, and print the PDF documentation, you need Adobe Reader (supported versions: Acrobat Reader 5.0.5 with Search through Adobe Reader 7.0). You can download Adobe Reader for free from the Adobe Systems Web site. Documentation is available on the Citrix Knowledge Center Web site (select Product Documentation). Updates to Citrix technical manuals are posted on the Web site.

Documentation for other languages is found on the Citrix Knowledge Center Web site (select Product Documentation).

Licensing Documentation

Licensing documentation is available from the Documentation folder on all product CD-ROMs. For licensing-related issues, see the Readme for MetaFrame Access Suite License Server.

Documentation for other languages is on the Citrix Knowledge Center Web site (select Product Documentation).

Getting Support

Citrix provides technical support primarily through Citrix Solutions Advisors. Contact your supplier for first-line support or use Citrix Online Technical Support to find the nearest Citrix Solutions Advisor.

Citrix offers online technical support services on the Citrix Support Web site. The Support page includes links to downloads, the Citrix Knowledge Center, Citrix Consulting Services, and other useful support pages.

Getting Updated Endpoint Analysis Scan Packages

Endpoint analysis is used to scan and detect information about a client device, such as the operating system version and service pack level. You can incorporate scan results into policies, allowing you to determine access to your networks and resources based on the information you gather about the client device. Citrix has made updated Endpoint Analysis Scan Packages available on the Citrix Knowledge Center Web site. These packages are intended for use with Version 4.2 of the Access Gateway with Advanced Access Control. These packages are updated for use with leading third-party security software vendors.

Contents of the Product CDs

Access Gateway with Advanced Access Control includes two product CDs.

CD 1: Server. Includes the Access Gateway with Advanced Access Control 4.2 installation programs (in multiple languages).

CD 2: Prerequisites. Includes programs (in multiple languages) that might be required to complete your installation. Refer to the Contents.txt file on the Prerequisites CD for a list of these programs. To identify the programs needed for your installation, refer to the Access Gateway with Advanced Access Control Administrator's Guide.

Issues Resolved in this Release

For a list of issues that were resolved since the previous release of this product, click here.

Also note that the following issue is resolved. In this release, the Content Delivery Agent (CDA) configuration wizard does not allow you to enter any IDs containing the extended character set.

Using IDs with Extended Character Set May Cause Some CDAs to Fail

When configuring the CDAs, if the authentication type is SQL and the database name, user name, or password for the SQL server contains an accented character such as À or Á, an error message appears and you cannot continue the CDA configuration. For example, the AlertBroadcaster CDA configuration wizard does not support the extended character set for the SQL server. To prevent this problem, when you install the SQL server with SQL authentication, specify a database name, user name, and password that do not require the extended character set. Note that this is not an issue with the Message Center CDA. [#116560, 116563]

Known Issues in this Release

The following is a list of known issues in this release. READ IT CAREFULLY BEFORE INSTALLING THE PRODUCT.

The known issues described in the Readme for Citrix Access Gateway Enterprise, Version 4.0 might also apply to this release.

Installation Issues

Other Known Issues

Notice

Installed File Locations

Because certain installation files build on other components, the following files are installed in directories that cannot be changed:

\image\setup\Access Suite Console\ASC_Framework.msi
\image\setup\Access Suite Console\ASC_Diagnostics_WSI.msi
\image\setup\Access Suite Console\Licensing_WSI.msi

The files are installed in the following locations:

C:\Program Files\Common Files\Citrix\MetaFrame Access Suite Console - Framework
C:\Program Files\Common Files\Citrix\MetaFrame Access Suite Console - Diagnostics
C:\Program Files\Common Files\Citrix\MetaFrame Access Suite Console - Licensing

[#116227]

Installation Issues

Important: Before you install this product, make sure you consult the Installation Update Bulletin.

The bulletin offers late-breaking information and links to critical updates to server operating systems and to Citrix installation files. Download and install the updates because you may not be able to properly install this product otherwise.

Adding PDF Support to HTML Preview

HTML Preview does not render PDF documents for preview by default. If you want to provide PDF documents through HTML Preview, you must also install pdftohtml.exe Version 0.36 and Ghostview. These programs can be obtained from SourceForge at http://pdftohtml.sourceforge.net/. Instructions for installing the pdftohtml.exe appear in the Knowledge Base article entitled “Customizing HTML Preview in Advanced Access Control” located on the Web at the Citrix Knowledge Center. Read and review this article before installing the pdftohtml software.

Other Known Issues

This section includes information for the following topics:

RADIUS Authentication

RSA SecurID Authentication

Logon Agent and Logon Points

Upgrading

Miscellaneous

RADIUS Authentication

RADIUS with Password Authentication Protocol

    Access Gateway with Advanced Access Control supports implementations of RADIUS that are configured to use the Password Authentication Protocol (PAP) for user authentication. Other authentication protocols such as the Challenge-Handshake Authentication Protocol (CHAP) are not supported.

If your deployment of Access Gateway with Advanced Access Control is configured to use RADIUS authentication and your RADIUS server is configured to use PAP, you can strengthen user authentication at the logon point by assigning a strong shared secret to the RADIUS server. Strong RADIUS shared secrets consist of random sequences of uppercase and lowercase letters, numbers, and punctuation and are at least 22 keyboard characters long. If possible, use a random character generation program to determine RADIUS shared secrets.

To further protect RADIUS traffic, assign a different shared secret to each Access Gateway appliance or each Advanced Access Control server. When you define clients on the RADIUS server, you can also assign a separate shared secret to each client. If you do this, you must configure separately each Access Gateway realm that uses RADIUS authentication. If you synchronize configurations among several Access Gateway appliances in a cluster, all the appliances are configured with the same secret.

Note: Before you assign RADIUS shared secrets, you must configure a RADIUS authentication profile on the Advanced Access Control servers that use RADIUS to authenticate users. For more information about authentication profiles, see the Access Gateway with Advanced Access Control Administrator's Guide. [#127856]

To assign a shared secret to a specific RADIUS server:

1. On the Advanced Access Control server, click Start > Programs or All Programs > Citrix > Access Gateway > Server Configuration.

2. Click Configured Logon Points and then select the logon point that you configured to use RADIUS authentication.

3. Click Authentication Credentials.

4. Under RADIUS Servers, select Server specific secrets.

5. Double-click the IP address of the RADIUS server and enter the secret in the Server Credential dialog box.
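
The following Python sketch is an added example, not part of the Citrix readme or product. It generates a separate shared secret for each RADIUS client from the operating system's random source and audits an existing inventory against the guidance above (at least 22 characters, all four character classes, no secret reused between clients). The client addresses and the 32-character default length are assumptions chosen for illustration.

```python
import secrets
import string

MIN_LENGTH = 22  # minimum length the readme gives for a strong shared secret
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "punct": string.punctuation,
}
ALPHABET = "".join(CLASSES.values())


def check_secret(secret):
    """Return the reasons a secret falls short of the readme's guidance."""
    problems = []
    if len(secret) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for name, chars in CLASSES.items():
        if not any(c in chars for c in secret):
            problems.append(f"no {name} character")
    if any(c not in ALPHABET for c in secret):
        problems.append("contains non-keyboard characters")
    return problems


def generate_secret(length=32):
    """Draw a secret from the OS CSPRNG; redraw until every class is present."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_secret(candidate):
            return candidate


def assign_secrets(clients, length=32):
    """Give each RADIUS client (appliance or server) its own secret."""
    assigned = {}
    for client in clients:
        secret = generate_secret(length)
        while secret in assigned.values():
            secret = generate_secret(length)
        assigned[client] = secret
    return assigned


def audit(existing):
    """Map each client to its problems: weak secret or secret reused elsewhere.

    Appliances whose configuration is synchronized in a cluster share one
    secret by design, so expect them to be reported as sharing.
    """
    by_secret = {}
    for client, secret in existing.items():
        by_secret.setdefault(secret, []).append(client)
    findings = {}
    for client, secret in existing.items():
        problems = check_secret(secret)
        others = sorted(c for c in by_secret[secret] if c != client)
        if others:
            problems.append("shared with " + ", ".join(others))
        if problems:
            findings[client] = problems
    return findings


if __name__ == "__main__":
    # Constructed inventory: documentation-range addresses, made-up secrets.
    inventory = {"192.0.2.10": "Citrix2005", "192.0.2.11": "Citrix2005"}
    inventory["192.0.2.12"] = generate_secret()
    for client, problems in audit(inventory).items():
        print(client, "->", "; ".join(problems))
```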

RSA SecurID Authentication

Using RSA SecurID as Primary Authentication Requires LDAP for Authorization

    If you want to use RSA SecurID as your primary authentication for Access Gateway with Advanced Access Control, you must also create LDAP authentication profiles for authorization for the server farm(s). When using LDAP profiles in this case, do not use the Domain Users group of the Active Directory server as part of the policy for access. Instead, place the users in a different group and grant access to the users of that group. Also, you must configure the Authentication Credentials for the LDAP server by using the Citrix Server Configuration tool (available from Start > All Programs > Citrix > Access Gateway > Server Configuration). [#128445]

Logon Agent and Logon Points

LogonAgentService Might Prevent Logon by Users Due to Microsoft .NET Thread Request Settings

When users attempt to log on to the Access Gateway, socket time-out and HTTP error messages might display and prevent users from logging on. The service might appear to "hang." To correct this problem, you need to tune certain parameters in an ASP.NET configuration file. Microsoft has published a Knowledge Base article explaining how to correct this problem. For more information, see the Microsoft Knowledge Base at http://support.microsoft.com/ and search for Knowledge Base article 821268. [#124089]

Users Cannot Log On by Using User Principal Name (UPN) If Domain and Windows Authentication are Set in Access Suite Console

Users cannot log on to a logon point by using their UPN (username@domainname.com) if the following conditions exist: the Access Gateway server is configured to use Windows Authentication and the logon point is configured to use the selected domain for all users. [#123060]

Authentication Fails When User Attempts to Switch to a Different Logon Point

If a user successfully logs on to a secure (https) Access Gateway session through a Web browser and attempts to edit the URL to point to another valid logon point, the browser page cannot be displayed and might change the URL to use a nonsecure (http) address. As a workaround, log off from the original logon point and then log on to the other valid logon point. [#124115]

Access Gateway Detects a Thin Client Windows Terminal as a PDA or Other Small Form Factor Device When Connecting to a Logon Point

If a user uses a thin client Windows-based terminal (WBT) to connect to the Access Gateway, the Access Gateway displays the PDA logon page (https://FQDN/CitrixLogonPoint/CustomLogonPoint/PDA/results.aspx/) instead of the appropriate logon page (https://FQDN/CitrixLogonPoint/CustomLogonPoint/). As a workaround, users can manually change the URL to https://FQDN/CitrixLogonPoint/CustomLogonPoint/ to get to the correct logon page. [#125522]

Access Gateway Serves Logon Point Web Page after Switching from Advanced Access Control Mode to Standalone Mode

If you remove Advanced Access Control from your deployment (that is, you switch the Access Gateway to standalone mode) and do not restart the Access Gateway, the Access Gateway can serve an Advanced Access Control logon point page. However, any attempt to access the page fails. Always restart the Access Gateway after switching administration modes. [#125642]

Logon Points Containing Blank or Empty Default Navigation Pages Will Not Launch the Secure Access Client When Using Mozilla Firefox

If you configure a logon point that includes a blank default navigation page and a connection policy to launch the Secure Access client, users logging on by using the Mozilla Firefox Web browser will not be redirected to the page that launches the client. As a workaround, refresh the browser window to be redirected. [#126055]

Logging off from a Navigation Page Results in an Error Message

When a user attempts to log off from a navigation page, an error message similar to "an internal server error has been detected" is displayed in the user’s Web browser. This error typically occurs in a multi-server access server farm. As a workaround, ensure that each server in the farm includes the same values for the validationKey and decryptionKey attributes of the machineKey element in the ASP.NET machine.config file. For more information, go to the online Microsoft MSDN library and search for "machineKey Element" or "Configure MachineKey in ASP.NET." [#126283]
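
A check for the workaround above, as an added example that is not part of the Citrix readme: it reads the machineKey element from each farm server's machine.config and reports servers whose validationKey or decryptionKey is auto-generated or differs from the rest, comparing short SHA-256 fingerprints so the keys themselves are never printed. The server names and key values are constructed placeholders.

```python
import hashlib
import xml.etree.ElementTree as ET

ATTRS = ("validationKey", "decryptionKey")


def read_machine_key(config_xml):
    """Return the machineKey attributes from machine.config text, or None."""
    root = ET.fromstring(config_xml)
    node = next(root.iter("machineKey"), None)
    if node is None:
        return None
    return {attr: node.get(attr) for attr in ATTRS}


def fingerprint(value):
    """Short digest used to compare keys without displaying them."""
    return hashlib.sha256(value.upper().encode("utf-8")).hexdigest()[:12]


def compare_farm(configs):
    """configs maps server name -> machine.config text; returns findings."""
    findings = []
    seen = {attr: {} for attr in ATTRS}  # attr -> fingerprint -> servers
    for server in sorted(configs):
        keys = read_machine_key(configs[server])
        if keys is None:
            findings.append(f"{server}: no machineKey element")
            continue
        for attr in ATTRS:
            value = keys[attr]
            # "AutoGenerate" makes each server derive its own key, so farm
            # members cannot validate data protected by another member.
            if value is None or value.upper().startswith("AUTOGENERATE"):
                findings.append(f"{server}: {attr} is not an explicit key")
            else:
                seen[attr].setdefault(fingerprint(value), []).append(server)
    for attr in ATTRS:
        if len(seen[attr]) > 1:
            groups = []
            for digest, servers in sorted(seen[attr].items()):
                groups.append(digest + ": " + ", ".join(servers))
            findings.append(f"{attr} differs across servers ({'; '.join(groups)})")
    return findings


def sample_config(validation, decryption):
    """Build a minimal machine.config for the constructed farm below."""
    return (
        "<configuration><system.web>"
        f'<machineKey validationKey="{validation}" '
        f'decryptionKey="{decryption}" validation="SHA1"/>'
        "</system.web></configuration>"
    )


# Constructed placeholder keys, not real key material.
KEY_V = "A1" * 20
KEY_D = "B2" * 24
SAMPLE_FARM = {
    "web1": sample_config(KEY_V, KEY_D),
    "web2": sample_config(KEY_V.lower(), KEY_D),  # same key, different case
    "web3": sample_config("AutoGenerate,IsolateApps", "AutoGenerate,IsolateApps"),
    "web4": sample_config("C3" * 20, KEY_D),      # validationKey out of step
}

if __name__ == "__main__":
    for finding in compare_farm(SAMPLE_FARM):
        print(finding)
```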

Web Client Is Not Detected by Advanced Access Control When Using the Mozilla Firefox Web Browser

When a user logs on to a logon point using the Mozilla Firefox Web browser and attempts to reconnect disconnected published applications, the Citrix Presentation Server Client for Java is launched (if this option is enabled for the logon point). If the user launches applications from the default navigation page, the applications can be launched using the Web Client. In this case, both clients are running during the same user session. As a workaround, use the Internet Explorer or Netscape Navigator Web browser to connect. [#127488]

Upgrading

How to Manually Upgrade the Access Gateway Enterprise 4.0 Index Server to the Access Gateway 4.2 Index Server

    Perform the following procedures to upgrade to the Access Gateway Index Server Version 4.2 from Version 4.0. Note: Perform these procedures before installing the Version 4.2 Index Server. [#128454]

    1. On your existing index server, copy the Version 4.0 Index Server folder to a temporary location.

    The default folder location is %SystemRoot%\Program Files\Citrix\Access Gateway Enterprise\Index Server\.

    2. Uninstall the Version 4.0 Index Server.

    3. Copy the contents of the Index Server folder from Step 1 to the installation target folder.

    The default location for Version 4.2 is %SystemRoot%\Program Files\Citrix\Access Gateway\Index Server\. Make sure that the target subfolder is named \Index Server\.

    4. Install the Version 4.2 Index Server as described in the Access Gateway with Advanced Access Control Administrator's Guide.

    Make sure that the specified path is the parent folder of the \Index Server\ subfolder (for example, \Program Files\Citrix\Access Gateway).

Access Gateway Server Configuration Software Does not Detect that Microsoft SQL Server Desktop Edition (MSDE) Is Installed When Upgrading from Access Gateway Enterprise Version 4.0

When using the Access Gateway Server Configuration software to upgrade to Access Gateway with Advanced Access Control Version 4.2 from Access Gateway Enterprise and Access Suite Console Version 4.0, the Server Configuration software does not detect the previously-installed Microsoft SQL Server Desktop Edition (MSDE). As a workaround, see the steps describing how to manually migrate the software in the Advanced Access Control Upgrade Guide. [#122963]

MSDE Fails to Install When Using the Migration Tool to Upgrade from Metaframe Secure Access Manager Version 2.x to Version 4.2

The MSDE installation fails when using the migration tool to upgrade Metaframe Secure Access Manager Version 2.x and selecting the MSDE database option. As a workaround, see the manual steps for migration described in the Advanced Access Control Upgrade Guide. [#124629]

Migrating from Previous Versions Creates Duplicate "Allow Logon" Policies

Migrating from Advanced Access Control Version 4.0 to Version 4.2 creates two identical "Allow Logon" policies for each logon point associated with each configured access center. Additionally, this migration also creates an "Allow Logon" policy without filters for the SampleLogonPoint that allows access for all authenticated users. If you previously upgraded from Version 2.x to Version 4.0, you might have additional duplicate "Allow Logon" policies. As a workaround, ensure that only one Allow Logon policy for all authenticated users exists, and then create your own logon policies according to your needs. [#125979]

Miscellaneous

Intermittent Error Message Dialog Box Appears after Unlocking Workstation; Clicking OK Might Close Open Console Windows

After you unlock a server or workstation computer running the Access Suite Console, an error message dialog window might appear. (The computer can be locked through a local or remote desktop [RDP] session.) When you click OK, the dialog box that was open closes and the main Microsoft Management Console window is displayed. It is also possible that the entire application may need to be restarted. You can lose any changes that you made in these properties windows. Avoid locking your computer when you have properties dialog windows open.

Web Client Installation Required for Access Gateway Administration Portal Page Is Blocked

When an administrator attempts to log on to the Access Gateway Administration Portal page for the first time using Internet Explorer or another Web browser, the ActiveX control net6helper.cab is blocked. Repeated attempts to install the control are blocked. As a workaround, the user must manually add the IP address or fully qualified domain name of the Access Gateway appliance to the list of Trusted Sites in Internet Explorer (click Tools > Internet Options > Security) or equivalent in other browsers. [#127135]

Web Client Installation Required for the Navigation Page Is Blocked

When a user attempts to log on to the navigation page for the first time using the Internet Explorer Web browser with pop-up blocking enabled, the Web Client installation is blocked. Repeated attempts to install the control are blocked. As a workaround, the user must manually add the IP address or fully qualified domain name of the Access Gateway appliance to the list of Trusted Sites in Internet Explorer (click Tools > Internet Options > Security) or equivalent in other browsers. [#127902, 127969]

Access Gateway with Advanced Access Control Denies Client Access to WINS Server

Access Gateway with Advanced Access Control might deny access to clients such as the Secure Access Client unless you configure your Windows Internet Naming Service (WINS) server in the Access Suite Console. To provide client access, you must enable split tunneling, add the WINS server IP address to the list of accessible networks in the Access Suite Console, and grant access to the server by creating an access policy for users. For more information, see the Access Gateway with Advanced Access Control Administrator’s Guide. [#127037]

URL and UNC Links Included in Forwarded Emails Fail with Access Denied Message When Clicked

When clicked, URL and UNC links configured as accessible and included in forwarded emails fail with “access denied” or “link not found” messages. Rewritten link names with the "\\n" characters appended to them cause this failure. [#123385]

Access Gateway with Advanced Access Control Allows You to Create an Access Center with a Name Matching Existing Citrix Virtual Directories

Access Gateway with Advanced Access Control allows you to create an access center with a name matching existing Citrix virtual directories; for example, Citrix, CitrixFEI, CitrixAuthService, and so on. However, when you attempt to access these access centers, a "page cannot be found" message is displayed in your Web browser. To ensure that users can connect to access centers successfully, assign unique access center names that are different from existing Citrix virtual directories. [#123860, 124367]

Emailing a New Appointment in the Calendar by Using Web-based Email Might Result in an Error

When a user creates a new appointment with the default or no appointment times and attempts to send it to an email recipient by using the Web-based email interface included with Advanced Access Control, an error might occur. As a workaround, always specify appointment times. [#123275]

When Launching the Secure Access Client from a Netscape Browser Window, the User Is Prompted to Download or Save a File

Netscape Navigator prompts the user to download, open, or save a file named .vcagc when launching the Secure Access Client from a Netscape Navigator browser window. As a workaround, do not download, open, or save the file; also, select the "Do not ask me again" dialog checkbox. [#123986]

UNC File Shares Display the <Initials> Token

If you create a UNC file share in the form of \\server\folder\#<Initials>, any Active Directory users created without specifying initials as part of their user properties will see the share literally as \\server\folder\#<Initials>. When the users attempt to access the share, an error message is displayed. [#123997]

New Email Messages Cannot Be Sent When Popup Blockers Are Enabled

To create a new email message by using Lotus iNotes and Internet Explorer, ensure that the popup window blocking feature of Internet Explorer is disabled (that is, allows popups). [#124662]

Duplicate Resources Associated with Differing Policies Might Result in Unexpected Behavior

The Advanced Access Control software allows administrators to define one or more identical resources associated with different policies. For example, an administrator can define two Web resources pointing to the same URL and assign two different policies. As a result, the software might not behave as expected. Avoid this configuration. [#124688]

Users Can Still Navigate Between Home and Email Tabs in a Browser Even Though Their Session Is Terminated Unexpectedly

If a user's session is terminated unexpectedly and the default navigation page is still available, the user might be able to navigate between the configured Home and Email tabs. Note, however, that the session is terminated. [#124926]

Policy Search Does not Display Any Continuous Scan Filters Associated with Connection Policies

If a connection policy includes a continuous scan filter, the continuous scan filter is not displayed in the Policy Manager. Other filters associated with the connection policy do, however, display. To view filters, in the console tree, select Policies, then select Connection Policies. Select the particular connection policy, right-click it, select Edit Policy Properties from the Context menu, and then select Filter. Any associated continuous scan filter is displayed in the Continuous scan filter drop-down box. [#125084, #125077]

Citrix Activation Host Service Fails to Close Microsoft Office Applications

On Microsoft Windows 2000 Server platforms, the Citrix Activation Host Service might fail to stop and close certain instances of Microsoft Office Visio 2003. As a workaround, stop the Citrix Activation Host Service and the Citrix Activation Engine Service by using the Server Configuration utility and close the application manually by using Task Manager. You can then restart the services. [#125851]

An Access Center Name that Contains Spaces Prevents Deployment of the Access Center

If you create an access center and its name includes one or more spaces, deployment of the access center fails even though the access center appears to be functional in the console. As a workaround, delete the access center and recreate it with a name that includes only alphanumeric characters. [#126183, 127385]

Inbox and Mailbox Icons Are Shown When Email Is not Configured for a File Share Resource

Users connecting to a logon point with a PDA device will see Inbox and Mailbox icons when they access a file share resource even though email is not configured. However, errors are displayed when users click these icons. Administrators should advise users of this behavior. [#126003]

After Uninstalling and Reinstalling the Access Gateway with Advanced Access Control, the Citrix Agent Server Service Is Stopped

After uninstalling and reinstalling the Access Gateway with Advanced Access Control, the Citrix Agent Server Service is shown as stopped in the Server Configuration tool. All services should be started. To start all services simultaneously, click the Start All button available from the Services configuration choice in the Server Configuration tool. [#126052]

Non-ASCII Characters Might not Display When Sending Email By Using a Small Form Factor Device

When using a small form factor device (for example, a Palm Tungsten C handheld running the Palm operating system) to send email through the Access Gateway with Advanced Access Control, non-ASCII characters might not display correctly or at all when the email message is received and opened. [#127855]

The Secure Access Client Cannot Failover if the Authenticate After Network Interruption Option Is Selected

When two Access Gateway appliances are configured in the same server farm for failover and a connection policy with the “Authenticate After Network Interruption” option enabled is configured in Advanced Access Control, the Secure Access Client will not connect to a failed-over appliance. As a workaround, do not enable this connection policy authentication option with failover enabled in this scenario. To ensure the Secure Access Client connects to a failed-over appliance, leave the connection policy authentication option cleared. [#128266, 128264]

Revoked Client Certificates Must Be Removed from Secure Access Client’s Personal Certificate Store

    Logging on with the Secure Access Client might fail if a revoked certificate for the client exists on the certificate server. To ensure users can log on successfully by using the Secure Access Client, locate the revoked certificate and remove it from the client’s certificate store. [#128263, 128248]

Citrix Scans for McAfee VirusScan Contains Incorrectly Labeled Property

    When you use the scan package “Citrix Scans for McAfee VirusScan” to create a scan, you are mistakenly prompted to specify the “Minimum required engine version.” The property you must specify is actually the build version, not an engine version. To enter the required build version, use format N.N, where N is an integer. You can find the build version number in the “About” information box for the installed application.

MAC Address Scan Package Requires Addresses Separated by Colons and Not Hyphens

    The Citrix Scans for MAC Address scan package requires you to use a data set listing group names mapped to valid MAC addresses that you wish to verify on client devices. The MAC addresses in the data set should be in the format NN:NN:NN:NN:NN:NN, such as 00:11:11:06:B3:E9. Note that you should use a colon (:) as the separator in this format rather than a hyphen (-).
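
Windows tools such as ipconfig print physical addresses with hyphens, so inventories often need converting before they go into the data set. The following Python sketch is an added example, not part of the Citrix readme: it rewrites group-to-MAC rows into the colon format shown above and reports rows that cannot be used. The row layout, group names and uppercase output (matching the readme's example) are assumptions.

```python
import re

_BARE = re.compile(r"^[0-9A-Fa-f]{12}$")
# Six hex pairs joined by one consistent separator (all hyphens or all colons).
_SEPARATED = re.compile(
    r"^[0-9A-Fa-f]{2}([-:])(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}$"
)


def to_colon_format(raw):
    """Return the address as NN:NN:NN:NN:NN:NN or raise ValueError."""
    text = raw.strip()
    if _SEPARATED.match(text):
        digits = re.sub(r"[-:]", "", text)
    elif _BARE.match(text):
        digits = text
    else:
        raise ValueError(f"not a 48-bit MAC address: {raw!r}")
    digits = digits.upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def normalize_data_set(rows):
    """rows: iterable of (group_name, mac). Returns (clean_rows, problems)."""
    clean, problems, owner = [], [], {}
    for row_no, (group, mac) in enumerate(rows, start=1):
        try:
            fixed = to_colon_format(mac)
        except ValueError as exc:
            problems.append(f"row {row_no}: {exc}")
            continue
        if fixed in owner and owner[fixed] != group:
            # One address mapped to two groups would make the scan ambiguous.
            problems.append(
                f"row {row_no}: {fixed} already mapped to group {owner[fixed]}"
            )
            continue
        owner[fixed] = group
        if (group, fixed) not in clean:
            clean.append((group, fixed))
    return clean, problems


# Constructed sample rows; only the first address comes from the readme.
SAMPLE_ROWS = [
    ("Kiosks", "00-11-11-06-B3-E9"),   # hyphens, as Windows tools print it
    ("Kiosks", "00:11:11:06:b3:ea"),   # lowercase
    ("Laptops", "00-11-11-06-B3"),     # too short
    ("Laptops", "00-11:11-06-B3-EC"),  # mixed separators
    ("Laptops", "00:11:11:06:B3:E9"),  # already assigned to Kiosks
]

if __name__ == "__main__":
    rows, issues = normalize_data_set(SAMPLE_ROWS)
    for group, mac in rows:
        print(group, mac)
    for issue in issues:
        print("rejected:", issue)
```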

Dialog Box for Editing Spanish Scan Rule is Missing Command Buttons

    In the Spanish language version of Citrix Scans for Netscape Navigator scan package, the dialog box in which you edit a scan rule may not display the OK and Cancel buttons normally found at the bottom of the dialog box. To accept edits to a scan rule, you can press Enter in the dialog box in which you enter the edits. To cancel your edits, press Esc.

Documentation Errata

Access Gateway with Advanced Access Control Administrator’s Guide

Correction for Consolidating Event Logging Results

On page 217 of the Administrator’s Guide, the text for Step 4 states: “Under Available Farms, select the access server farm for which you want to view auditing data.” This option is not available from the Event Log Consolidator interface when it is launched from the console. [#128189]

Scan Update Utility Requires Corrected Syntax

CtxEpaParamUpdate Utility Requires Corrected Syntax

On page 162 of the Administrator’s Guide, an incorrect syntax is provided for the CtxEpaParamUpdate utility. You can use this utility to update the required property values you configure in a scan. Use this syntax, including the quotation marks:

"ctxepaparamupdate.exe" package_uri package_version "scan_name" "rule_name" "parameter_name" "new_value"

Note that quotation marks are not used for the package_uri or package_version values. You can find the package_uri and package_version information in the management console in the Properties view of a scan package. Select an existing scan rule and view its Properties to find the official parameter name for a property.

For example, to update the required engine version to 4.4 in a rule named “Rule Blue” for a scan named “Scan Green” created with the McAfee VirusScan Enterprise Edition Scan Package, type:

"C:\Program Files\Citrix\Access Gateway\MSAMExtensions\CtxEpaParamUpdate.exe" C:\Program Files\Citrix\Access Gateway\Bin\EPAPackages\CitrixVSEMcAfee.cab 1.0 "Scan Green" "Rule Blue" "EngineVersion" "4.4"

Citrix Systems, Inc.
851 West Cypress Creek Road
Fort Lauderdale, Florida 33309 USA
954-267-3000
http://www.citrix.com/

Copyright © 2005 Citrix Systems, Inc.

