Attachment: CTX108902423.zip
Hotfix readme name: v423_public_readme.doc
Hotfix download file name: CTX108902423.zip
Hotfix download file size: 98.1 MB (102,870,514 bytes)
Hotfix upgrade file name: ag-V423-81.5.upgrade
Hotfix upgrade file size: 98.3 MB (103,128,042 bytes)
For: Citrix Access Gateway 4.2, 4.2.1, 4.2.2
Replaces: Access Gateway 4.2.2 Hotfix (ag-V422-80.3.upgrade)
Date: August, 2006
Languages supported: English (US)
Readme version: 1.0
Download and install an upgrade file
If you are currently running Access Gateway version 4.2, 4.2.1 or 4.2.2, you can upgrade to the 4.2.3 hotfix using an upgrade file. An upgrade file contains only the software binaries that have been updated. When an upgrade file is installed, the version is updated but all configuration settings, licenses, and certificates are maintained on the appliance.
Note: Access Gateway 4.0 and Access Gateway 4.1 can also be upgraded with this hotfix.
Important: This release includes a new version of the Access Gateway Administration Tool, used to administer an Access Gateway cluster from any Windows computer. After upgrading from version 4.0 or 4.1 to 4.2.3, remove and re-install the Administration Tool. Connections to Access Gateway 4.2.3 from an Access Gateway 4.0 or 4.1 Administration Tool fail with the error Server-Address is not responding where the server address is the FQDN or IP address of the Access Gateway.
To install Access Gateway Version 4.2.3
1. In the Administration Tool, click the Access Gateway Cluster tab.
2. On the Administration tab, next to Upload a server Upgrade or saved config, click Browse.
3. Navigate to the upgrade file and then click Open.
4. After clicking Open, wait until the message Upgrade successful appears and then restart the appliance.
Note: If the upgrade file has the extension .zip, extract the files before upgrading the Access Gateway.
To uninstall and reinstall the Administration Tool
1. In the Add/Remove Control Panel uninstall the Administration Tool.
2. Open a Web browser and connect to the Administration Portal using the IP address and port number of the Access Gateway, typically https://IPaddress:9001.
3. On the Downloads tab, click Download Access Gateway Administration Tool installer.
4. Follow the instructions to complete the installation.
Where to Find Documentation
This document describes the issues solved by this hotfix and includes installation instructions. You can find more information about Citrix Access Gateway 4.2 in the Citrix Access Gateway Administrator's Guide. The guide is in the \Documentation directory on the product CD. All product documentation is available from the Access Gateway Administration Portal and from the Citrix Web site at http://www.citrix.com/support.
The Citrix Access Gateway Administrator's Guide is in an Adobe Portable Document (PDF) format file. To view, search, and print the documentation, you need Adobe Reader (supported versions: Acrobat Reader 5.0.5 with Search through Adobe Reader 7.0). You can download the Reader for free from the Adobe Web site at http://www.adobe.com/.
Known Issue(s) in this Release
• When a user session is terminated, the session log fills ups (TT23539)
• The Access Gateway fails after manually synchronizing with a Network Time Protocol server (TT23690)
Issue(s) Resolved in this Hotfix
1. When publishing settings to multiple Access Gateway appliances, the failover settings, syslog settings, and certificates were also published. With this release, failover servers, syslog settings, and certificates are no longer published to all appliances in the cluster. (TT23073)
2. Users that have German characters in the password could not connect to the portal page. (TT23210)
3. When the client hosting desktop sharing ends the session, other clients appeared to remain in the session. When the hosting client ends the desktop sharing session, sessions on other client computers are also disconnected. (TT23680)
4. Sharing the desktop from the same client more than eight times results in a sharing failure. (TT23683)
5. When more than 90 network policies were sent to the client, policies over 90 were truncated. (TT23287)
6. The Secure Access Client was downloading each time the user connected. (TT23513)
7. The server running Advanced Access Control failed with renewing STA/AS tickets. (TT23706)
8. When the Access Gateway is configured to required SSL client certificates, and the root certificates must check the Certificate Revocation List (CRL), connection to the Web Interface fails. (TT22956)
9. The Access Gateway cannot validate the remote certificate chain if MD2 was used in signing the certificate. (TT23499)
10. Connections to a second HTTP-based CDP fails if a first CDP is down. (TT23149)
11. If an FQDN became invalid for any reason, it remains invalid until the DNS cache was refreshed. In this release, only valid FQDNs are cached. (TT23116)
12. End users experienced incorrect RADIUS authorization failures when logging on to the Access Gateway and RADIUS groups were not retrieved for users who are part of an associated group(s) on the RADIUS server. This fix does not involve any change in the configuration on the Access Gateway or RADIUS server. (TT23269)
13. When the Secure Access Client is first installed, a Network Driver Interface Specification (NDIS) driver is installed, which disables the network adapter momentarily. The Secure Access Client does a pre-authentication check against the Access Gateway. If the network adapter was still disabled, the connection failed. The Secure Access Client now waits for the network adapter to come back up before doing the pre-authentication check. (TT23328)
14. When a user is logged onto the Access Gateway, is using tabbed browsing from the Internet Explorer 6 MSN toolbar, logs onto an Advanced Access Control logon point, and is using RSA for authentication, the user gets a “page not found error.”(TT23689
15. Clients cannot log off when connected using a Web browser. (TT23123)
16. Session reliability sessions are dropped when the Secure Ticket Authority (STA) is restarted. (TT23204)
17. If an LDAP password has the UTF-8 characters, such as ä, ë, ö, ü, Ä, Ë, Ö, Ü 2, and the Access Gateway is configured to redirect client connections to the Web Interface using single sign-on with the altered login.cs file (obtained from the Citrix support Web site), the logon failed. A new login.cs file has been posted to the Citrix Support Web site. Download and install the new login.cs following the instructions in the Knowledge Center article. For more information, see article CTX106202 at http://support.citrix.com/kb/. (TT23250)
18. The Web Interface displays applications for users who previously logged off. When a user logs off from the Web Interface and a new user logs on from the same machine, the applications for the first user are displayed. (TT23601)
19. When logging off from the Web Interface, Access Gateway cookies are cleared and Web Interface cookies are expired. (TT23123)
20. When users are connected using desktop sharing, the desktop screen freezes, but users continue to have mouse and keyboard activity. (TT23311)
Other Issue(s) in this Release
Setting network policies
To set up network policies, the most restrictive policy must be configured first and the least restrictive last; for example, you want to allow access to everything on the 10.0.x.x network, but need to deny access to the 10.0.20.x network. Configure the network policy restricting access to 10.0.20.x first and then configure access to the 10.0.x.x network.
Configuring the Secure Access Client to work with proxy servers defined in Internet Explorer
Internet Explorer needs to be configured to bypass the proxy server for the remote internal network so the Secure Access Client can intercept the network traffic and route it to the correct location.
To configure Internet Explorer to use a locally defined proxy server
1. Open Internet Explorer.
2. On the Tools menu, click Internet Options.
3. On the Connections tab, click LAN Settings.
4. Under Proxy Server, click Use a proxy server for your LAN.
5. In Address, type the IP address and in Port, type the port number.
6. Click Advanced.
7. Under Servers, type the IP addresses and port numbers of the remote networks.
8. Click OK twice.
Copyright 2006 Citrix Systems, Inc. All rights reserved.
Citrix is a registered trademark of Citrix Systems, Inc. and Citrix Presentation Server and Citrix Access Gateway are trademarks of Citrix Systems, Inc. in the United States and other countries.
All other trademarks and registered trademarks are the property of their respective owners.
