The following issues have been fixed since the previous release of this product. For information about new features and system requirements, see the product administration guides.
- After applying this fix, users whose passwords are set by an administrator to be both blank and changed at next logon can correctly change their passwords the next time they log on.
[From AAC420W002][#129609, #130928]
- After applying this hotfix, users no longer have access rights to Advanced Access Control shares and content when their NTFS permissions are removed.
[From AAC420W002][#129710]
- Depending on the input locales of user accounts writing to the Event Log, embedded event time stamps are formatted differently (yyyy/mm/dd, dd/mm/yyyy and mm/dd/yyyy). This makes it difficult to locate events in the log. With this fix, the Event Log Consolidator no longer uses the embedded time stamps but those of the Event Log instead.
[From AAC420W005][#129825, #132211]
- Policy checks for resources that use token replacement are case-sensitive.
[From AAC420W002][#130048]
- When viewing the Web File Browser in the Website Viewer CDA, error pages and access denied pages might appear. The issue occurs when the Web File Browser is run through a proxy. This fix modifies the IIS filter to ignore the offending Web File Browser ASP page.
[From AAC420W005][#130123]
- When the Access Gateway appliance has a fully qualified domain name (FQDN) that has only one or two parts (such as domain.com, instead of www.domain.com), and the appliance is configured to be part of an Advanced Access Control farm, the appliance does not appear in the Gateway Appliances server list in the Advanced Access Control Access Suite Console.
[From AAC420W005][#130126]
- Users and user groups in the Access Suite Console might appear with the name of the security identifier (SID) instead of the user or group name. This happens when the domain contains a large number (2,000 or more) of objects, the SID is truncated when stored in the database, and correct SID-to-name mapping is impossible. After applying this fix, any existing users that appear as SIDs must be removed and then added again.
[From AAC420W005][#131399]
- This fix introduces support for User Principal Names (UPN), such as user@domain.com, as a method of authenticating to logon points. To enable or disable UPN support, you must set the following registry value:
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\MSAM\WebProxy
Name: EnableUPNUsernamesForWebResources
Type: REG_DWORD
Data: 1 (to enable UPN support) or 0 (to disable UPN support)
Additionally, modify the web.config file for CitrixLogonAgent to hide the domain field on the logon page:
<add key="HideDomainField" value="true" />
Finally, you can add this line item to allow the UPN-formatted user name to be passed to RSA. Without this, only the user name is sent.
<add key="SendCompleteUserNameToRSA" value="true" />
[From AAC420W002][#130576]
- After applying this hotfix, files can be attached to email from an Advanced Access Control share. The service account no longer needs to be explicitly set as an NTFS security member of that share.
[From AAC420W002][#131502]
- This fix addresses a security vulnerability. For more information, see Knowledge Center article CTX110950.
[From AAC420W004][#131634, #139539]
- If the Advanced Access Control session times out, users of an Access Center Program Neighborhood Content Delivery Agent are still able to launch published applications.
[From AAC420W005][#132028]
- Files do not embed in the browser when launched from an Advanced Access Control resource traversing the Web proxy. Instead, they launch using their local associated application.
[From AAC420W005][#132741]
- Under McAfee VirusScan Enterprise 8.0, upgrading to a later scan engine and/or updating virus definitions causes End Point Analysis scans to fail.
[From AAC420W005][#132835]
- After changing their passwords as prompted by the Windows security policy, users receive a "Failed to change password" error and cannot log on.
[From AAC420W005][#132934]
- Administrators cannot add UNCs that contain special characters such as ampersands (&).
[From AAC420W005][#133077]
- Tasks such as Check In, Check Out, and Version History that are associated with the Document Library of a SharePoint site may not be available for use.
[From AAC420W003][#134191]
- If a user adds or removes a subfolder in a file share exposed through the File System Browser, other users cannot see that the subfolder was added or removed. The issue occurs because the program maintains a cache of file and subfolder names in the published file shares to reduce the time it takes to display them to each user; the cache does not reflect changes at the subfolder level.
[From AAC420W004][#134244]
- Static Web resource content is not cached when traversing the Web proxy, which causes additional hits to the backend resource. With this fix, global static content is cached, which dramatically increases performance because redundant requests are avoided.
[From AAC420W005][#135194]
- This fix addresses the following set of issues related to installing the Endpoint Analysis Client:
  - Users of Mozilla-based browsers cannot install the client from the first Web page (Welcome.aspx) when connecting through HTTPS and thus through the Access Gateway.
  - Users of Internet Explorer on Windows XP with Service Pack 2 cannot install the client from Welcome.aspx. As a workaround, users can be redirected to Login.aspx and install the client from there. However, this option does not work when connecting through the Access Gateway.
  - Users of Mozilla-based browsers are presented with a hyperlink to manually download the client if the automatic installation mechanism fails. However, users of Internet Explorer are not presented with the hyperlink; instead, they are redirected to Login.aspx without being able to run an Endpoint Analysis scan.
  - Installing the client requires users to have rights to write both to the "Program Files" folder and to the HKEY_LOCAL_MACHINE registry hive. If Internet Explorer detects that a user does not have such rights, installation of the client is skipped. On Mozilla-based browsers, the rights check is not performed and users attempting to install the client without sufficient rights receive cryptic error messages.
[From AAC420W005][#135931]
- Users may have access to file shares even if such access is not explicitly granted by an Advanced Access Control policy.
[From AAC420W005][#136265]
- Different access rights of files within file share resources are not honored.
[From AAC420W005][#136675]
- Changing passwords when logging on with a user principal name (UPN; for example, user@domain.com) and leaving the Domain field blank does not work.
[From AAC420W005][#136754]
- When an IIS Web site is configured to have more than one IP/port combination, the Server Configuration wizard exits unexpectedly when launched.
[From AAC420W005][#137264]
- Endpoint Analysis scans for Symantec and Norton products do not identify clients using Symantec Client Security or Symantec AntiVirus Corporate Edition products. This fix introduces new scan packages for Symantec AntiVirus and Firewall components. The firewall scan works with Symantec Client Security Version 2.x and later. The anti-virus scan works with components of Symantec Client Security and with Symantec AntiVirus Corporate Edition Version 9.0 and later and with Symantec AntiVirus Enterprise Edition of the same versions. Citrix recommends that you configure scans and filters for the new packages.
[From AAC420W005][#137344]
- If an access policy is set to allow users to open a file using only HTML Preview, the choice page appears erroneously.
[From AAC420W005][#137538]
- When adding more than one Endpoint Analysis scan result to a logon point in languages other than English, the results are not saved.
[From AAC420W005][#137724]
- When an HTML encoded colon (:) appears in a URL, the URL rewriter generates a URL that later cannot be properly resolved by WinHttp because it considers the URL invalid.
[From AAC420W005][#137959]
- The EngineMgrService.exe process may exit unexpectedly when previewing PDF files on an Advanced Access Control file share. The issue occurs when the title tag of the generated HTML is empty or contains something other than a file path.
[From AAC420W005][#139953]
- RSA SecurID authentication fails after upgrading from Version 4.0 of Advanced Access Control.
[From AAC420W005][#140600]
- When adding a file share whose name contains periods, the console produces the following error message: "The UNC path is invalid." This happens because Advanced Access Control does not recognize paths to file shares whose names contain a period as valid UNCs.
[From AAC420W005][#143317]
- With workspace control enabled, when applications reconnect using Advanced Access Control or the Web Interface, the applications create new Presentation Server sessions instead of sharing the same Windows session.
[From AAC420W005][#144319]
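
Added illustration for the Event Log Consolidator fix above (#129825, #132211); this is example code written for these notes, not code from the product. It shows why the three embedded date layouts cannot be reliably told apart or ordered, using constructed sample events in which "record_time" is a hypothetical field standing for the Event Log's own time stamp.

```python
from datetime import date

# The three embedded layouts named in the release note (date part only).
# Each tuple gives the positions of (year, month, day) after splitting on "/".
LAYOUTS = {
    "yyyy/mm/dd": (0, 1, 2),
    "dd/mm/yyyy": (2, 1, 0),
    "mm/dd/yyyy": (2, 0, 1),
}

def candidate_dates(stamp):
    """Return {layout: date} for every layout under which stamp is a valid date."""
    parts = stamp.strip().split("/")
    if len(parts) != 3:
        return {}
    found = {}
    for name, (yi, mi, di) in LAYOUTS.items():
        if len(parts[yi]) != 4:          # the year field must have four digits
            continue
        try:
            found[name] = date(int(parts[yi]), int(parts[mi]), int(parts[di]))
        except ValueError:               # non-numeric field, month 25, day 31 in June, ...
            continue
    return found

def is_ambiguous(stamp):
    """True when the stamp maps to more than one distinct calendar date."""
    return len(set(candidate_dates(stamp).values())) > 1

def order_by(events, key):
    """Return event ids sorted on the given field."""
    return [e["id"] for e in sorted(events, key=lambda e: e[key])]

# Constructed sample: three events written on consecutive days by accounts
# with different input locales. "record_time" is a hypothetical field name.
EVENTS = [
    {"id": "A", "embedded": "2006/03/04", "record_time": date(2006, 3, 4)},
    {"id": "B", "embedded": "05/03/2006", "record_time": date(2006, 3, 5)},  # dd/mm/yyyy
    {"id": "C", "embedded": "03/06/2006", "record_time": date(2006, 3, 6)},  # mm/dd/yyyy
]

if __name__ == "__main__":
    for e in EVENTS:
        print(e["id"], e["embedded"], candidate_dates(e["embedded"]),
              "AMBIGUOUS" if is_ambiguous(e["embedded"]) else "ok")
    print("ordered by embedded text:", order_by(EVENTS, "embedded"))
    print("ordered by record time:  ", order_by(EVENTS, "record_time"))
```

Any stamp whose first two fields are both 12 or less and differ from each other is ambiguous between dd/mm/yyyy and mm/dd/yyyy, so a timeline built from embedded stamps can misplace events by months.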