Readme Version: 1.0
Notes:
To view, search, and print the PDF documentation, you need Adobe Reader (supported versions: Acrobat Reader 5.0.5 with Search through Adobe Reader 7.0). You can download Adobe Reader for free from the Adobe Systems Web site. Documentation is available on the Citrix Knowledge Center Web site (select Product Documentation). Updates to Citrix technical manuals are posted on the Web site.
To provide feedback on the documentation, go to www.citrix.com and click Support > Knowledge Center > Product Documentation. To access the feedback form, click the Submit Documentation Feedback link.
Licensing documentation is available from the Documentation folder on all product CD-ROMs. For licensing-related issues, see the Readme for Citrix Licensing.
Citrix provides technical support primarily through Citrix Solutions Advisor. Contact your supplier for first-line support or use Citrix Online Technical Support to find the nearest Citrix Solutions Advisor.
Citrix offers online technical support services on the Citrix Support Web site. The Support page includes links to downloads, the Citrix Knowledge Center, Citrix Consulting Services, and other useful support pages.
For the most up-to-date version of this list, click here.
The following is a list of known issues in this release. Read it carefully before installing the product.
Important: Before you install this product, make sure you consult the Pre-Installation Update Bulletin and the product administration guides.
The bulletin offers late-breaking information and links to critical updates to server operating systems and to Citrix installation files. Download and install the updates or you may not be able to install this product properly.
When attempting to upgrade servers running Advanced Access Control 4.2 to Advanced Access Control 4.5, installing the Version 4.5 software on servers running Version 4.2 results in incomplete or failed installations. Citrix recommends uninstalling Advanced Access Control 4.2 before installing Advanced Access Control 4.5. For more information about upgrading existing Advanced Access Control servers, see "Incorrect instructions for upgrading servers running Access Gateway with Advanced Access Control 4.2" in the "Documentation Errata" section of this readme.
After upgrading Advanced Access Control servers from Version 4.2 to Version 4.5, the display order of Web resources cannot be set. This occurs when the configuration data for the access server farm includes access center data when migrated. Although the Migration Tool included with Access Gateway Advanced Edition does not migrate access center data from Version 4.2 farms, the presence of access center data in the farm configuration database influences the presence of this issue. To resolve this issue, remove all access centers from the access server farm before migrating the farm configuration data. [#149357]
To use Access Gateway Advanced Edition, you must upgrade your Citrix License Server to the version available on the product CD. Your existing license files are compatible with the new license server. For information about upgrading your license server, see the Citrix whitepaper Licensing: Migrating, Upgrading, and Renaming (CTX108655) in the Citrix Knowledge Center.
If you use the Access Management Console to manage multiple Citrix Access Suite components, read this section before upgrading the Access Management Console to the 4.5 release.
When you upgrade an Access Suite component to the 4.5 release, you must also upgrade the Access Management Console to manage that component. However, by default, the new 4.5 version of the console only supports 4.5 components. Therefore, if you plan to upgrade some, but not all, of your components to 4.5, you have two options for managing these components:
Each option is explained below.
If you upgrade some Access Suite components to the 4.5 release but not others, Citrix recommends that you use two versions of the Access Management Console to manage the Access Suite components. Each version of the Access Management Console must reside on a separate computer.
Specifically, you should do the following:
Note: You can also publish the 4.5 version of the Access Management Console on a Citrix Presentation Server. Publishing the console allows you to access the console remotely and, as a result, manage different versions of the console from a single computer.
Later if you upgrade an additional component (such as the Citrix Presentation Server), you can also load that component extension into the Access Management Console 4.5. Eventually, when you have upgraded all of the Access Suite components, you can eliminate the earlier version of the Access Management Console.
In some environments you can use a single instance of the Access Management Console 4.5 to manage Access Suite components from both the 4.5 release and earlier releases.
This option has these limitations:
For example, you can do the following:
When you have completed these steps, you can use the Access Management Console 4.5 to manage the Password Manager 4.5 and the Access Gateway Advanced Edition 4.0 or 4.2.
You can also use this approach to manage the Access Gateway Advanced Edition 4.5 and the Password Manager 4.1 from the Access Management Console 4.5. In this case, you must install a hot fix for the Password Manager in the Access Management Console 4.5.
[back to installation issues contents]
Access Gateway Advanced Edition supports Microsoft's Windows Multilingual User Interface Pack (MUI). Please note the following points:
HTML Preview does not render PDF documents for preview by default. If you want to provide PDF documents through HTML Preview, you must also install pdftohtml.exe version 0.36. This executable can be obtained from SourceForge at http://pdftohtml.sourceforge.net/. Instructions for installing pdftohtml.exe appear in Knowledge Base article CTX107543, Customizing HTML Preview in Advanced Access Control, located on the Web at the Citrix Knowledge Center. Please read and review this article before installing the pdftohtml software.
Access Gateway Advanced Edition supports the use of logon credentials in the User Principle Name (UPN) and Alternate UPN formats. Entering service account credentials in these formats while using the Server Configuration wizard is not supported. [#137674]
When running the Server Configuration utility after installing Advanced Access Control, the Server Configuration utility fails to complete the initial configuration. This occurs when the Advanced Access Control server belongs to a Windows workgroup instead of a Windows domain. Advanced Access Control is not supported in networked environments that use Windows workgroups. To resolve this issue, ensure the computer on which you are installing Advanced Access Control belongs to a valid Windows domain. [#144205]
When installing Advanced Access Control using a custom Web site path that contains a percent symbol, an error message appears stating the SAMFilter.dll failed to register. Additionally, the Server Configuration utility fails to perform initial configuration of Advanced Access Control. To prevent this issue from occurring, use only alphanumeric characters in custom paths defined during installation. [#139687]
If an Advanced Access Control server is redeployed using the server name with which it originally joined the access server farm, the Manage Server Roles list in the Access Management Console displays the duplicate server names. [#140402]
If Access Gateway Advanced Edition 4.5 is installed on a server and an installation of Access Gateway with Advanced Access Control 4.2 is attempted on the same server, the installation of Version 4.2 occurs without any notification that a different version of the software is installed. After installation of Version 4.2 finishes, the Server Configuration wizard for Version 4.5 appears. If the wizard is completed and server configuration is allowed to run, an error message displays indicating the server configuration did not complete successfully. [#137661]
If Advanced Access Control is installed on a computer that has been cloned, or configured using an image created on a different computer, the Server Configuration utility does not create the SampleLogonPoint and the server configuration fails. This can occur if ASP.NET is not registered with Internet Information Services (IIS). When a computer is configured with an image created on a different computer, the computer might not have ASP.NET registered even if ASP.NET was registered on the computer from which the image was derived. This can occur if a utility such as Altiris SIDgen is used to clone computers because the utility might not include IIS settings during the cloning process. To resolve this issue, register ASP.NET on the computer before you install Advanced Access Control.
To register IIS
Locate aspnet_regiis.exe and then type aspnet_regiis.exe -i at the command prompt.
[#147466]
On a server where Advanced Access Control and the Access Management Console are installed, the Console no longer runs after uninstalling the Advanced Access Control component (listed in Control Panel as Citrix Access Gateway Server). Instead, a message appears stating securitybroker.dll is missing or improperly registered. To resolve this issue, re-install the Access Management Console from the Access Gateway Advanced Edition Server CD. [#145472]
If you uninstall the Citrix Access Gateway Console component before uninstalling the Citrix Access Gateway Server component, uninstallation of the Citrix Access Gateway Server component fails. This issue occurs because the value of the server table cannot be deleted from the Advanced Access Control configuration database. To prevent this issue from occurring, uninstall the Citrix Access Gateway Server component before uninstalling other Advanced Access Control components. [#140397]
[back to installation issues contents]
This section includes information for the following products and components:
When editing an access control list from the ICA Access Control page in the gateway properties, an error message appears stating the IP range is already in use. This error message appears regardless of whether or not the IP range is actually in use. [#145838]
In a double-hop DMZ deployment, the Access Gateway Proxy in the second DMZ reports periodically that licensing is not configured or is not configured correctly. This happens even when licenses for all appliances and access servers in the deployment are valid. This is because the Access Gateway Proxy is not configured for Advanced Access Control and, therefore, expects appliance-based licensing to be configured. Typically, licensing for all the appliances and access servers in a double-hop DMZ deployment is managed by the Citrix Licensing Server. These warnings do not affect functionality of the Access Gateway appliances or Advanced Access Control server in a double-hop DMZ configuration. [#143978]
When Access Gateway Advanced Edition is deployed in a double-hop DMZ configuration, users cannot log on to the access server farm through the Access Gateway after the Advanced Access Control server is restarted. To resolve this issue, restart the Access Gateway in the first DMZ. [#149672]
When a user uses Netscape Navigator to download and install the Secure Access Client, the user cannot connect to a logon point that requires the Client. When the attempt to connect fails, the user must close the browser and attempt to connect again. This occurs because Netscape Navigator does not download and open the AccessGatewayClientLaunch.vcagc file properly. To resolve this issue, the user must attempt to reconnect and use the Secure Access Client to open the AccessGatewayClientLaunch.vcagc file when prompted. [#145366]
[Back to known issues contents]
When a user logs on to Advanced Access Control and is denied access, the Session Viewer utility displays a session for the user. Typically, the Session Viewer utility displays user sessions only when users log on successfully. [#141328]
When a user logs on to Advanced Access Control, the Session Viewer utility does not display the correct HomePage and Small Form Factor values. For example, if a user accesses the Access Interface but no Web resources are configured, the Session Viewer displays the HomePage value as "Web Email" instead of "Home Page." The Small Form Factor value is displayed as "Yes" even if the browser in use is not on a small form factor device. [#141327]
When a user session is displayed in the Session Viewed utility, the Session Values pane always indicates the Live Edit Client is installed. This occurs even when the Live Edit Client is not installed on the client device. [#137018]
When a user session is displayed in the Session Viewed utility, the Session Values pane does not display corresponding data for the Two Factor Authentication Info value. [#137026]
[Back to known issues contents]
When terminating a session, users must close their browsers before logging in again through the Access Gateway appliance. This issue occurs when users access a logon point through the Access Gateway appliance and when endpoint analysis is configured on the Advanced Access Control server. [#137489]
When launching the Access Gateway Administration Tool from a shortcut on the Desktop, the Administration Tool appears beneath any other applications that might be open on the Desktop. It also does not appear in the Taskbar to indicate it is running. To make the Administration Tool the focus of the Desktop, users must click on the Administration Tool window or press ALT+TAB. [#130170]
Failover to available appliances in an Access Gateway cluster does not occur when the connection policy is configured to require authentication after a network interruption. When an appliance in the cluster becomes unavailable, users are directed to the unavailable appliance for authentication instead of to available appliances in the cluster. [#137066]
[Back to known issues contents]
The following are known issues when Web Interface for Citrix Presentation Server 4.0 or 4.2 are used in an environment that includes Access Gateway Advanced Edition 4.5:
Cookies written during user sessions exceed cookie limit in Internet Explorer
When users access an Access Platform site through the Access Interface using Internet Explorer, the number of cookies written by the Advanced Access Control server exceeds Internet Explorer's cookie limit of 20 per unique domain. When this happens, Internet Explorer discards the oldest cookies so that newer ones can be written. This results in a loss of session state during a typical user session and, consequently, a loss of functionality. This issue also occurs when the Advanced Access Control server is configured to display multiple Access Platform sites. This issue does not occur when using Web Interface for Citrix Presentation Server 4.5 to provide access to published applications through the Access Interface.
Users are unable to set connection preferences from the Access Interface
When users log on to an Access Platform site through the Access Interface, they cannot customize the connection preferences for the site. For example, when users select options from the Connection Preferences page and click OK, the selections are not saved. This occurs because Advanced Access Control causes the cookie set by Web Interface to expire. This issue does not occur when using Web Interface for Citrix Presentation Server 4.5 to provide access to published applications through the Access Interface.
Sessions are not shared when users access published applications
When users launch published applications through Advanced Access Control or an Access Platform site displayed in the Access Interface, the sessions that are created with each access method are not shared. For example, when a user accesses a published application using file type association or Workspace Control, a session is created. When the user disconnects from the application and then reconnects using an Access Platform site displayed in the Access Interface, the session is not used. Instead, a new session is created. While the user's experience remains unaffected, administrators might notice the server running Citrix Presentation Server experiences some decrease in performance. This decrease varies depending on the usage of published applications through Advanced Access Control. This issue does not occur when using Web Interface for Citrix Presentation Server 4.5 to provide access to published applications through the Access Interface.
Installation of Web Interface for Citrix Presentation Server 4.2 on Advanced Access Control server is not supported.
Installing Web Interface for Citrix Presentation Server 4.2 on the same server hosting Version 4.5 of Advanced Access Control is not a supported installation scenario. To use Version 4.5 of Advanced Access Control in an environment that includes Web Interface for Citrix Presentation Server 4.2, Advanced Access Control must be installed on a separate server. This issue does not occur when installing Web Interface for Citrix Presentation Server 4.5 on a server hosting Version 4.5 of Advanced Access Control.
[#146399]
[Back to known issues contents]
When configuring an endpoint analysis scan for Norton AntiVirus Personal, it is possible to enter a random numeric string for the pattern file version parameter as long as the string includes a period (for example, 123.45 or 12345.6879). Correct input for this parameter should be in the YYYYMMDD.NNN format, where YYYY is a 4-digit year, MM is a 2-digit month, DD is a 2-digit day, and NNN is the 3-digit version. This issue occurs because the scan package does not include any validation to ensure the numeric string entered for this parameter is in the correct format. To ensure scans created from this package run correctly, ensure the pattern file version entered is in the correct format. [#145410]
Scans created using the Citrix Scans for McAfee VirusScan endpoint analysis scan package do not detect international versions of McAfee VirusScan 11 installed on client computers. When the scan runs, the value returned for whether or not McAfee VirusScan is installed on the client computer is "false" instead of "true." To work around this issue, ensure the Citrix Scans for McAfee VirusScan endpoint analysis scan package can detect previous international versions of McAfee VirusScan. [#149616]
[Back to known issues contents]
When modifying documents using the Live Edit Client on a Windows 2000 system, changes made to these documents are not saved. To work around this issue, use the Live Edit Client on a system running Windows XP. [#143735]
For Advanced Access Control servers configured to allow HTML Preview of PDF files, PDF documents over 5 MB do not display correctly when users access them using Internet Explorer or Netscape Navigator. When a user attempts to view a PDF document in one of these Web browsers, a blank page is displayed and the document does not appear. To ensure these PDF documents display correctly, access these documents using the Firefox Web browser. [#130219]
When an Advanced Access Control server is configured with the HTML Preview server role and an access policy exists that allows HTML Preview, the Preview option is offered to users who access files through the Access Interface. However, when the server becomes unavailable, users can still select the Preview option to access documents. When users select the Preview option, they cannot preview files. To work around this issue, ensure your access server farm includes a sufficient number of servers that are assigned the HTML Preview server role to provide redundancy in the event of server failure. [#141051]
[Back to known issues contents]
When users log on to Advanced Access Control using credentials in User Principal Name (UPN) or Alternate UPN format, the credentials are not passed through to published Web resources such as Microsoft Sharepoint and Outlook Web Access (OWA), even when policies allow all users access to these resources. This issue occurs on servers using the Windows 2000 operating system only. [#143565]
When creating a duplicate of an existing continuous scan, an error message appears stating an unexpected error has occurred. Instead, the error message should state that the scan already exists. To prevent this error message from occurring, assign a unique name to each continuous scan. [#144981]
If you rename a continuous scan, any continuous scan filters that reference the scan become invalid. This is because the continuous scan filter continues to reference the scan by its original name. To work around this issue, remove the original scan from the continuous scan filter. Then, add the updated scan. [#142084]
If a continuous scan is created with a scan name that includes the characters !, &, (, ) or ", the scan does not run and users cannot access corporate resources. This issue applies to File, Process, and Registry scans. To resolve this issue, avoid using these characters in scan names for continuous scans. [#147682]
If you attempt to modify a continuous scan filter that references a continuous scan that contains symbols (such as *, &, $, etc.), an error message appears stating the stored expression is invalid or corrupt. As a workaround, use only alphanumeric characters in continuous scan names. [#142083]
When downloading files through the Access Interface, the file download message displays "activator.asp" instead of the name of the file being downloaded. This does not effect the download of the file. [#138433]
When a connection policy is configured to execute logon scripts, the time to execute the logon scripts may result in varied logon experiences for users. Depending on the logon script, users may experience delays in authentication lasting from a few seconds to several minutes. Users could mistake this delay in the logon process as a failure to log on successfully to the Advanced Access Control server. [#130185]
HTML Preview shows only the first page of multi-page Microsoft Visio documents. As a workaround, inform authors of Visio files to limit their new files to single pages, such as creating a separate file for each page of a multi-page diagram. Alternatively, users with the appropriate permission can open the file in Visio to view the entire contents. [#130201]
If multiple policies are assigned to one resource and each policy includes a different user group, users might experience delays when attempting to access the resource. To avoid delays when accessing resources, remove unnecessary access policies or consolidate existing access policies for each resource. [#137409]
A policy that is applied to a file share subfolder is not enforced correctly when it overlaps an existing policy that is applied to the parent directory. For example, an administrator defines a file share resource as \\server\CompanyFiles and configures a policy that allows all users full access to the resource. The administrator defines another resource, a subfolder on the file share called DepartmentFiles (\\server\CompanyFiles\DepartmentFiles), and configures a policy that only allows users to preview files. Because the policies overlap, the policy applied to the subfolder DepartmentFiles is not enforced in favor of the policy applied to the parent directory CompanyFiles. Therefore, users who access files in the DepartmentFiles subfolder are allowed full access.
To resolve this issue, redefine the subfolder so that the policy, when applied, does not overlap the policy for the parent directory. In the above example, the administrator redefines the file share subfolder as \\server\FileShare\DepartmentFiles. When users access files in this folder, they are allowed only to preview the files. [#140162]
Users who attempt to access through the Access Interface files that contain the pound (#) or ampersand (&) symbols in the filename receive an "Access Denied" message. This occurs even when policies exist that grant users access to these files. To resolve this issue, ensure that filenames for files accessed through the Access Interface do not include these symbols. [#147848]
[Back to known issues contents]
When an Advanced Access Control server is configured with SafeWord authentication, entering a blank password to log on results in a message stating access is denied. This message is incorrectly worded and should indicate that a blank password cannot be used to log on. [#145477]
By default, when Advanced Access Control is configured with RSA SecurID or Secure Computing SafeWord authentication, the logon page displays the labels "SecurID PASSCODE" or "SafeWord CODE" next to the fields in which users are required to enter their SecurID or SafeWord passcodes. Administrators might consider these labels an advertisement to malicious users of an organization's authentication method. To prevent this, administrators can change the default label text.
To customize the text of SecurID and SafeWord passcode field
<!-- add key="SecondaryAuthenticationPromptOverride" value="Password:" / -->
<!-- add key="SecondaryAuthenticationToolTipOverride" value="Enter Password" / -->
When you enable these keys, the text values you enter appear on the logon page when you configure the Advanced Access Control server with SecurID or SafeWord authentication.
[Back to known issues contents]
After logging on to the Advanced Access Control server, the Access Interface displays a blank page. This occurs when no resources are configured or when no access policies are configured for existing resources, and the logon point is configured to allow access. To prevent displaying the Access Interface when no resources or access policies for resources have been configured, configure the access policy for the logon point to deny access. [#138546]
When accessing resources through the Access Interface with Internet Explorer, the progress bar near the bottom of the browser continues to display loading progress of content even when the page has finished loading. Clicking the Email, Applications, and Home tabs near the top of the Access Interface causes the progress bar to stop displaying loading progress. [#146348]
[Back to known issues contents]
In multiserver iNotes deployments that are load balanced with iNotes Web Access Redirect, the Web proxy rewrites only absolute URLs with the format "//www.thisurl.com/thispath." Additionally, the LTPA token resolves cookies on only one host path instead of all host paths within a multiserver iNotes deployment. This is because the Web proxy rewrites cookies to encode the host into the relative path. [#145196]
[Back to known issues contents]
When a user sets the packaging details from the Diagnostic Facility node, the FTP server address that appears by default is uploads.citrix.com. This address is incorrect. Instead, the correct FTP server address is ftpsupport.citrix.com. [#149763]
Previous releases of the Access Management Console required version 1.1 of Microsoft’s .NET Framework. Where later versions of the .NET Framework were also present, Citrix provided a workaround in the form of a file called mmc.exe.config that ensured version 1.1 was loaded. This workaround is no longer required and must be removed. If you do not remove the workaround, the console does not start and displays an error such as “Snap-in failed to initialize."
To prevent this issue, remove the file \Windows\system32\mmc.exe.config.
Important: Removing this file prevents previous releases of the console from working (because they rely on version 1.1 of .NET Framework). If you have earlier releases and do not wish to upgrade them, contact Citrix Technical Support for an alternative workaround. [#150473]
In Chapter 4, Licensing the Advanced Edition, the section "Licensing Grace Period" indicates that new user sessions cannot be connected during the 30-day grace period that occurs if a license server becomes unavailable. This statement is incorrect. During the grace period, new user sessions can be created.
In Chapter 5, Installing Advanced Access Control, the section Web Email Requirements provides a list of Web browsers with which the Email Interface is compatible. Mozilla Firefox 1.0 is listed which is incorrect. The correct version of Mozilla Firefox is Version 1.5.
Appendix B, Scan Properties Reference includes incorrect information for the Citrix Scans for McAfee VirusScan scan package. The corrected information follows:
Property Name: Minimum required file version
Description/Format: Note that this property is mislabeled and appears incorrectly as "Minimum required engine version." Use format N.N, where N is an integer. You can find the file version number in the "Version" Tab from the properties of the file mcvsshld.exe. [#146595]
The section "Step 2: Adding Entries to the Hosts Files on the Access Gateway and Advanced Access Control Server" of Chapter 6, Configuring Advanced Access Control mentions creating entries in the Hosts files in cases where a DNS server is not present. This statement implies that a DNS server is not a required component of a double-hop DMZ configuration. As well, this section implies that entries in the Hosts files are a required step in deploying this configuration. This information is incorrect. In this release of Access Gateway Advanced Edition 4.5, a DNS server is a required component of a double-hop DMZ configuration. Entries in the Hosts files are not required; however, they are used to enable the Access Gateway in the first DMZ to create a list of Advanced Access Control servers that users are allowed to access when logging on.
In a double-hop DMZ configuration, the DNS server enables the Access Gateway in the first DMZ to communicate with the Access Gateway Proxy in the second DMZ. To install the DNS server, perform the following tasks:
In a double-hop DMZ configuration, the Access Gateway in the first DMZ communicates with the Access Gateway Proxy in the second DMZ to transmit user requests for access to corporate resources to the Advanced Access Control server. Although the Access Gateway in the first DMZ does not communicate with the Advanced Access Control server directly, the Access Gateway must be aware of the Advanced Access Control servers that users are allowed to access when logging on. To do this, you enter the IP addresses of the Advanced Access Control servers in your access server farm in one of the following locations:
[#149459, 149460]
In Chapter 6, Configuring Advanced Access Control, the "Finding Items in Your Deployment Using Discovery" section refers to the "Suite Components" node. Instead, the name of this node should be "Citrix Resources."
In Chapter 6, Configuring Advanced Access Control, the "Configuring Load Balancing and Failover" section contains the following note:
Important Do not prioritize the data collector or master ICA browser server as the first server on the list.
This note is incorrect. Citrix recommends adding these servers to the server list to minimize unnecessary network traffic when resolution requests occur and to ensure application enumeration occurs smoothly.
In Chapter 1, Welcome, the section "Upgrading from Access Gateway with Advanced Access Control" contains a table describing the steps required for upgrading to Access Gateway Advanced Edition 4.5. This table includes the step "Upgrade to Advanced Access Control" which is incorrect. Instead, uninstall Advanced Access Control 4.2 from the server you want to upgrade. Afterwards, you can install Advanced Access Control 4.5 and import migrated configuration data.
In Chapter 2, Upgrade Tasks, the section "Upgrading from Access Gateway with Advanced Access Control" includes a procedure for upgrading a server running Advanced Access Control 4.2 to Advanced Access Control 4.5. This information is incorrect because installing Advanced Access Control 4.5 over an existing installation of Advanced Access Control 4.2 results in an incomplete or failed installation. Instead, uninstall Advanced Access Control 4.2 from the server you want to upgrade. Afterwards, you can install Advanced Access Control 4.5 and import migrated configuration data.
