
Access Gateway Enterprise Edition 8.0, Maintenance Build 54.6

Document ID: CTX116965   /   Created On: Apr 16, 2008   /   Updated On: Apr 24, 2008

Maintenance build readme name: AGEE_8_0_54_6.HTML
Maintenance build package name: build_andes_54.6.tgz
For: Access Gateway Enterprise Edition, Version 8.0, Build 54.6
Replaces: None
Date: April, 2008
Language supported: English (US)
Readme version: 1.0

Installing this Maintenance Build

The latest version of the Access Gateway Enterprise Edition software can be downloaded from the MyCitrix Web site.

To download the Access Gateway software from MyCitrix.com

  1. Go to the Citrix Web site, click MyCitrix, and log on.

  2. At the top of the Web page, click Download and then click Product Software.

  3. Click Citrix Access Gateway > Enterprise Edition - Appliance Firmware to start the download.

  4. Follow the instructions on the screen.

When the software is downloaded to your computer, you can install the software using the Upgrade Wizard in the Configuration Utility or the command-line interface.

Important: If you are upgrading from Access Gateway Enterprise Edition, Version 8.0, build 48.7 or earlier, to build 49.2 or later using the Upgrade Wizard, the upgrade process can fail and the appliance can become unusable. To upgrade from build 48.7 or earlier, use the command-line interface instructions. If you are upgrading from build 49.2 to a later build, you can use the Upgrade Wizard.

[AGEE_8_0_50.3][#37681, #39120]

To install the maintenance build using the Upgrade Wizard

  1. In the Configuration Utility, in the left pane, click System.

  2. In the right pane, click Upgrade Wizard.

  3. Click Next and follow the directions in the wizard.

To install this maintenance build using the command-line interface

  1. To upload the software to the Access Gateway, use a secure FTP client to connect to the appliance.

  2. Copy the software from your computer to the /var/nsinstall directory on the appliance.

  3. Use an SSH client to open an SSH connection to the appliance.

  4. At a command prompt, type shell.

  5. At a command prompt, type cd /var/nsinstall to change to the nsinstall directory.
    To view the contents of the directory, type ls.

  6. To unpack the software, type tar -xvzf build_X_XX.tgz, where build_X_XX.tgz is the name of the build to which you want to upgrade.

  7. To start the installation, at a command prompt, type ./installns.

  8. When the installation is complete, restart the Access Gateway.

  9. When the Access Gateway restarts, at a command prompt type what or show version to verify successful installation.

Where to Find Documentation

This document describes the issue(s) solved by this build and includes installation instructions. For more information, see your product Administrator’s Guide located on the product CD or installed on your servers. The guide is an Adobe Portable Document Format (PDF) file. To view, search, and print the documentation, you need Adobe Reader 5.0.5 or later with Search. You can download Adobe Reader for free from the Adobe Web site at http://www.adobe.com.

All product documentation is also available from the Citrix Web site at http://support.citrix.com.

New Features from Previously Released Maintenance Builds

The Access Gateway supports Certificate Authority (CA) certificates with a public key length of up to 4096 bits.

[AGEE_8_0_53_2][#41474]

When users disconnect from the Access Gateway, proxy settings in Internet Explorer are not reset to the original values. This occurs when a group policy enables proxy settings on a per-computer rather than per-user basis.

[AGEE_8_0_51.4][#38934]

If a failover occurs on the primary Access Gateway, the new primary appliance takes a certain amount of time to determine if the Secure Ticket Authority is available. During this time, if users try to connect using Citrix Presentation Server Clients and establish an ICA connection, the Access Gateway cannot validate the client connection. When this occurs, the Access Gateway closes the client connection.

[AGEE_8_0_51.4][#38966]

If a Bluecoat Secure Gateway proxy is configured with a rule that blocks the HTTP CONNECT command when it is issued to a numeric destination IP address instead of a host name, users are blocked from starting a VPN connection to the Access Gateway.

[AGEE_8_0_51.4][#39841]

Counters for SNMP monitoring for the Access Gateway are added. The counters include statistics for authentication, authorization, ICA proxy, and intranet IP address functionality.

[AGEE_8_0_50.3][#24161]

When the setting ICA proxy is enabled in a session profile and a client security expression is configured, the error message "Session Action and Rule are incompatible" appears.

With this release, you can enable ICA proxy in a session profile and create a client security expression within a session policy for endpoint analysis. When this is configured, endpoint analysis scans are run using an ActiveX control.

[AGEE_8_0_50.3][#36244]

Client Choices

With the Client Choices option, users can log on using either the Secure Access Client or the Web Interface from one Web page after successful authentication to the Access Gateway. Users are presented with two icons and can choose which method they want to use to connect to the Access Gateway.

The Client Choices feature can be used without using endpoint analysis or implementing access scenario fallback. If a client security expression is not defined, users receive connection options for both the Secure Access Client and the Web Interface. If a client security expression exists for the user session and the client device fails the endpoint analysis scan, the choice page offers only the option to use the Web Interface.

Client choices are configured using a session profile and policy. The policy can then be bound globally to a virtual server, to groups, or to specific users.

To configure client choices options globally

  1. In the Configuration Utility, in the left pane, click SSL VPN and click Global.

  2. Under General, click SSL VPN global settings.

  3. Under Client Experience, click Advanced.

  4. On the General tab, click Client Choices and click OK twice.

Access Scenario Fallback

SmartAccess allows the Access Gateway to determine automatically the methods of access that are allowed for a client device based on the results of an endpoint analysis scan. Access scenario fallback further extends this capability by allowing a client device to fall back from the Secure Access Client to the Web Interface (using Citrix Presentation Server Clients) if the client device does not pass the initial endpoint analysis scan.

To enable access scenario fallback, you configure a post-authentication endpoint analysis scan that decides whether or not users receive an alternative method of access when logging on to the Access Gateway. This post-authentication endpoint scan is defined as a client security expression that is configured either globally or as part of a session profile. If you are configuring a session profile, it is associated to a session policy that is then bound to a group. When this is enabled, the Access Gateway initiates an endpoint analysis scan after user authentication. The results for client devices that do not meet the requirements of a fallback post-authentication scan are as follows:

  • If Client Choices is enabled, users can log on using the Web Interface only

  • If Client Choices is disabled, users can be quarantined into a group that provides access only to the Web Interface

The following combination of settings must be configured for the access scenario fallback:

  • Define client security parameters for the fallback post-authentication scan

  • Define the Web Interface home page

  • Disable client choices

If client devices fail the client security check, users are placed into a quarantine group that allows access only to the Web Interface and published applications.

To create a quarantine group

  1. In the Configuration Utility, in the left pane, click Groups and in the right pane, click Add.

  2. In Group Name, type a name for the group, click Create, and click Close.

Important:  The name of the quarantine group must not match the name of any domain group to which users might belong. If the quarantine group matches an Active Directory group name, users are quarantined even if the client device passes the endpoint analysis security scan.

After creating the group, configure the Access Gateway to fall back to the Web Interface if the client device fails the endpoint analysis scan.

To configure the Web Interface for quarantined user connections

  1. In the Configuration Utility, in the left pane, click SSL VPN and click Global.

  2. In the right pane, under the General tab, click SSL VPN global settings.

  3. In the Global VPN Settings dialog box, under Secure Gateway Setting, next to ICA Proxy, select OFF.

  4. Next to WI Home Page, type the Web address for the Web Interface.

  5. Next to SmartAccess NT Domain, type the name of your Active Directory domain and click OK.

After configuring the global settings, create a session policy that overrides the global ICA Proxy setting and then bind the session policy to the quarantine group.

To create a session policy

  1. In the Configuration Utility, click SSL VPN, click Policies, and click Session.

  2. On the Policies tab, click Add.

  3. In Name, type a name for the policy.

  4. Next to Request Profile, click New.

  5. Under Secure Gateway Setting, next to ICA Proxy, click Override Global and select On.

  6. In the Create Session Policy dialog box, next to Named Expressions, select General, select ns_true, click Create, and click Close.

After creating the session policy and profile enabling the Web Interface, create a global client security policy.

To create a global client security check policy

  1. In the Configuration Utility, in the left pane, click SSL VPN and click Global.

  2. In the right pane, under General, click SSL VPN global settings.

  3. Under Security Settings, click Advanced.

  4. Under Client Security, click New.

  5. In the Create Expression dialog box, click Add, configure the client security expression, click Create, and click Close.

  6. In the Quarantine Group dialog box, select the group you configured in the group procedure and click OK twice.

Notes

  • Using Client Choices or access scenario fallback requires the endpoint analysis client (an ActiveX control) for all users. If endpoint analysis cannot run or if users select Skip Scan during the scan, users are denied access.

  • When Client Choices is enabled, if the client device fails the endpoint analysis, users are placed into the quarantine group. Users can continue to log on using either the Secure Access Client or the Web Interface. Citrix recommends that you do not create a quarantine group if Client Choices is enabled.

  • You can use different Web addresses for the home page and the Web Interface. When both are configured, the home page takes precedence for the Secure Access Client and the Web Interface home page takes precedence for Web Interface users.

[AGEE_8_0_49.2][#28341]

Secure Access Client for Vista

This release includes a beta version of the Secure Access Client for Microsoft Vista.

To install the Secure Access Client for Vista

  1. In a Web browser, type the Web address for the Access Gateway, such as https://gateway.mycompany.com.

  2. When the logon is successful, a message appears that says this is a beta version of the Secure Access Client for Windows Vista. Click the link in the message to install the Secure Access Client.

The installation program runs and when installation is complete, an icon appears in the notification area. After a few seconds, the Secure Access Client attempts a connection to the Access Gateway. A message stating that the connection is established appears.

The following is a list of known issues in this release. Read it carefully before installing the product.

Installation Issues

The Secure Access Client for Vista is installed using a Web browser, such as Internet Explorer. To install the Secure Access Client, users must be logged on to the computer as an administrator or be able to provide administrator credentials.

[AGEE_8_0_49.2] [#28474]

If you are using the Secure Access Client for Vista from Access Gateway Standard Edition, make sure it is not running before installing the Secure Access Client for Vista for the Access Gateway Enterprise Edition. If the Secure Access Client for Standard Edition is running, log off and then exit the Secure Access Client.

The Secure Access Client for Vista works only with Access Gateway 8.0, build 48.7 or later.

When the Secure Access Client is installed, users could lose network connectivity temporarily. This is caused by the installation of network drivers. When the drivers are installed, network connectivity is restored.

[AGEE_8_0_49.2][#36429]

Other Known Issues

The following features are not currently supported with the Secure Access Client for Vista:

  • Single sign-on with Windows

  • Local LAN access

  • Voice over IP softphone support

  • Name-based application interception

  • Application name does not appear on the Configuration tab

  • MD5-based policies

  • Spoofing internal IP addresses

  • ActiveX plug-in

  • Reverse split tunneling

  • Client cache clean-up

[AGEE_8_0_49.2] [#28411, #28486]

When a user logs on using the Secure Access Client and a valid certificate is not installed on the Access Gateway, the user receives the certificate warning dialog twice before the connection is established.

[AGEE_8_0_49.2] [#28869]

When users are logging on using a Web browser using the Secure Access Client, there is a long delay before the home page appears.

[AGEE_8_0_49.2][#29296]

The following items are not removed from or closed on the client device even though cleanup is configured:

  • History and Web addresses

  • File transfer

  • Applications

  • Client certificates

  • Autocomplete items

[AGEE_8_0_49.2][#29702]

When users are logged on using either the Web browser or Secure Access Client, connections can disconnect and then reconnect unexpectedly. This occurs in the following situations:

  • When eight to 10 simultaneous active or passive FTP connections are made and all the connections have active downloads. The activity across the network connection stops, the connection fails, and then reconnects after several seconds.

  • When local LAN is enabled, the user tries to connect to a local LAN computer and starts an FTP session.

  • When users log off from the Secure Access Client.

  • When a user downloads a file from the Internet with split tunneling enabled and then disables split tunneling and starts another download from the Internet. When the second download is started, the network connection disconnects and then reconnects after several seconds.

These issues occur intermittently with each of these scenarios.

[AGEE_8_0_49.2][#34926]

When user connections are configured with a forced time-out, the message notifying users that the connection is going to end does not appear automatically.

[AGEE_8_0_49.2] [#35340]

If the default Web browser on a client device is Netscape Navigator or Apple Safari for Windows Vista, and the user tries to start the home page using the menu from the Secure Access Client icon in the notification area, the Firefox Web browser starts instead of the default browser.

[AGEE_8_0_49.2] [#35483]

When an IP address range is configured as part of an intranet application, the Access Gateway intercepts the first address and not the remainder of the IP addresses in the range.

[AGEE_8_0_49.2] [#35679]

When starting the Secure Access Client from the logon page in a Web browser and a pre-authentication policy is configured, if the user clicks Skip Scan, the user receives an error instead of the logon page.

[AGEE_8_0_49.2] [#35684]

When a proxy server is configured in Internet Explorer 7, split tunneling is configured for reverse, and the user connects using the Secure Access Client for Vista, the home page fails to appear. Users can start the home page from the Secure Access Client menu from the icon available in the notification area.

[AGEE_8_0_49.2] [#35792]

When reverse split tunneling is enabled, a proxy server is configured in Internet Explorer 7, and users log on to the Access Gateway through a Web browser, the connection to the internal network fails.

[AGEE_8_0_49.2] [#35917]

The local LAN destination IP address cannot be accessed even though local LAN access is enabled both on the Access Gateway and in the Secure Access Client.

[AGEE_8_0_49.2][#36042]

Messages in the notification area go outside the size of the message box.

[AGEE_8_0_49.2][#38628]

A pre-authentication endpoint analysis scan can take up to four minutes to complete.

[AGEE_8_0_49.2][#38668]

Client Documentation

The documentation for the Secure Access Client for Vista can be accessed from the Secure Access Client icon in the notification area.

To open the online help for Secure Access Client

On the desktop, right-click the Secure Access Client icon and click Help.

Miscellaneous

The Access Gateway software is enhanced to include an SNMP object identifier (OID) that differentiates the appliance as either NetScaler or Access Gateway Enterprise Edition. When an SNMP request is executed, it returns the value featureAGEE.

[AGEE_8_0_49.2] [#36506]

New Zealand Daylight Savings Time is supported.

[AGEE_8_0_48.7][#36263]

Endpoint Analysis

When configuring antivirus endpoint analysis, you can scan for the age of the last installed virus definitions. For example, if the virus definitions are older than five days, you can prevent the user from logging on until the virus definitions are updated. To do so, in the Add Expression dialog box, in Freshness, type the number of days.

The maximum length for an endpoint analysis expression is increased from 1500 bytes to 9600 bytes.

[AGEE_8_0_46.14][#30055]

Importing Certificates from a Windows Computer

Using the Configuration Utility, you can import PKCS#12 certificates to the Access Gateway from a Windows computer. You can import an existing certificate from a Windows computer running Internet Information Services (IIS) or from a computer running the Secure Gateway.

In some cases, the private key cannot be exported, which means you cannot install the certificate on the Access Gateway. If this occurs, use the Certificate Signing Request to create a new certificate.

Before installing the certificate on the Access Gateway, export the certificate using the Microsoft Management Console and the Export Certificate Wizard in Windows. For more information, see the Windows Online Help.

After exporting the certificate, use the Configuration Utility to convert the certificate to PEM format.

To convert the exported certificate to PEM format

  1. In the Configuration Utility, in the left pane, click Access Gateway > SSL > CA Tools.

  2. In the right pane, under Tools, click Import PKCS#12.

  3. In Output File Name, type the name of the new certificate, such as ag1.pem.

  4. In PKCS12 File Name, type the name of the exported certificate, such as ag1.pfx.

  5. In Import Password, type the password for the private key.

  6. In Encoding Format, select DES3.

  7. In PEM Passphrase and Verify PEM Passphrase, type a new password for the private key.

When this procedure is complete, a message appears in the lower left status bar that the certificate is converted successfully. When the conversion is complete, you can install the certificate and private key on the Access Gateway.
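
The same conversion can be rehearsed on an administrator workstation before the file is uploaded. The following is an added example, not part of the Citrix readme or the appliance's own tooling: it assumes the OpenSSL command line is available (the readme itself only describes the Configuration Utility), builds a throwaway self-signed certificate for the placeholder name gateway.example.test as constructed input, and checks that the DES3-encrypted private key in ag1.pem matches the certificate. The function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the Citrix readme): workstation-side OpenSSL
# equivalent of the "Import PKCS#12" step, plus a sanity check to run
# before uploading the PEM file to the appliance.
set -eu

# convert_pfx_to_pem <pfx> <pem-out> <import-password> <pem-passphrase>
# Writes the certificate(s) and a 3DES-encrypted private key to <pem-out>.
# Passwords are handed to openssl through the environment, not its argument
# list, and the output file is created readable by the owner only.
convert_pfx_to_pem() (
  umask 077
  IMPORT_PW=$3 PEM_PW=$4 openssl pkcs12 -in "$1" -out "$2" -des3 \
    -passin env:IMPORT_PW -passout env:PEM_PW
)

# check_pem_bundle <pem> <pem-passphrase>
# Exit status: 0 key decrypts and matches the first certificate,
#              1 no certificate, 2 no private key (for example, the key was
#              not exportable), 3 key does not decrypt, 4 key/cert mismatch.
check_pem_bundle() (
  pem=$1
  grep -q -e '-----BEGIN CERTIFICATE-----' "$pem" ||
    { echo "no certificate in $pem" >&2; exit 1; }
  grep -q -e 'PRIVATE KEY-----' "$pem" ||
    { echo "no private key in $pem" >&2; exit 2; }
  # Public key of the first certificate in the bundle.
  cert_pub=$(sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' \
    "$pem" | openssl x509 -noout -pubkey) || exit 1
  # Public half of the private key; fails if the passphrase is wrong.
  key_pub=$(PEM_PW=$2 openssl pkey -in "$pem" -passin env:PEM_PW -pubout \
    2>/dev/null) || { echo "private key does not decrypt" >&2; exit 3; }
  [ "$cert_pub" = "$key_pub" ] ||
    { echo "private key does not match certificate" >&2; exit 4; }
)

# make_sample_pfx <dir> <import-password>
# Constructed test input only: a one-day self-signed certificate exported
# as <dir>/ag1.pfx. The unencrypted temporary key is deleted afterwards.
make_sample_pfx() (
  cd "$1" &&
  openssl req -x509 -newkey rsa:2048 -nodes -keyout key.tmp -out cert.tmp \
    -subj "/CN=gateway.example.test" -days 1 2>/dev/null &&
  IMPORT_PW=$2 openssl pkcs12 -export -inkey key.tmp -in cert.tmp \
    -out ag1.pfx -passout env:IMPORT_PW &&
  rm -f key.tmp
)

# End-to-end run on the constructed sample; passwords here are placeholders.
demo() (
  work=$(mktemp -d)
  if make_sample_pfx "$work" 'import-pw' &&
     convert_pfx_to_pem "$work/ag1.pfx" "$work/ag1.pem" 'import-pw' 'pem-pw' &&
     check_pem_bundle "$work/ag1.pem" 'pem-pw'
  then
    echo "ag1.pem: certificate and private key match"
    rc=0
  else
    rc=1
  fi
  rm -rf "$work"
  exit "$rc"
)

demo
```

A status of 2 from check_pem_bundle corresponds to the case described above in which the private key could not be exported; in that case create a new certificate with a Certificate Signing Request.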

To install the certificate and private key on the Access Gateway

  1. In the Configuration Utility, in the left pane, click Access Gateway > SSL > Certificates.

  2. In the right pane, click Add.

  3. In Certificate-Key Pair Name, type a new name for the certificate and private key.

  4. In File Location, select Appliance.

  5. In Certificate File Name, type the name of the converted certificate, such as ag1.pem.

  6. In Private Key File Name, type the name of the private key.

  7. In Password, type the password for the private key. This is the password you used when converting the certificate to PEM format.

  8. In Certificate Format, select PEM, click Install, and click Close.

  9. When the certificate is installed on the Access Gateway, it appears in the list in the right pane.

    [AGEE_8_0_48.7][#35629]

Single Sign-On with Windows

By default, Windows users open a connection by starting the Secure Access Client from the desktop. You can specify that the Secure Access Client start automatically when the user logs on to Windows by enabling single sign-on. When single sign-on is configured, users’ Windows logon credentials are passed to the Access Gateway for authentication.

Enable single sign-on only if users’ computers are logging on to your organization’s domain. If single sign-on is enabled and a user connects from a computer that is not in your domain, the user is prompted to log on.

Single sign-on with Windows is supported only using Secure Access Client. It is not supported using the ActiveX Plug-in. Single sign-on with Windows is supported on Windows XP, Windows 2003 Server, Windows Server 2000, Windows 2000 Professional, and Windows NT 4.0.

Single sign-on with Windows is disabled by default. To enable single sign-on, use either the Configuration Utility or the command-line interface.

To configure single sign-on with Windows using the Configuration Utility

  1. In the Configuration Utility, in the navigation pane, click SSL VPN.

  2. In the right pane, click SSL VPN Policy Manager.

  3. In the SSL VPN Policy Manager, under Related Tasks, do one of the following:

    Click Create New Session Policy
    -or-
    Click Modify Session Policy

  4. Next to Request Profile, click Modify.

  5. Under Client Experience, click Windows Auto Logon and click OK.

To configure single sign-on with Windows using the command-line interface

At a command prompt, type:
set vpn parameter [-windowsAutoLogon on|off]

[AGEE_8_0_46.14][#29295]

Supported Products

You can configure policies using the following products:

  • McAfee Versions 11 and 8.5

  • Trend Micro OfficeScan Corporate Edition Version 7.3

[AGEE_8_0_46.14][#29828, #30036]

Known Issues in this Release

  1. If a post-authentication scan is configured on the Access Gateway and users skip the scan, the logon page appears. Users should receive the option to log on using clientless access.

    [AGEE_8_0_54.6][#42208]

  2. After you upgrade the Access Gateway from Version 8.0, build 51.4 to build 53.2, users cannot connect with Microsoft Office Communicator when intranet IP addresses are assigned.

    [AGEE_8_0_54.6][#42912]

  3. When a traffic policy is configured with a delta and users log on to the Access Gateway and attempt to connect to a server in the secure network, the traffic policy is not applied.

    [AGEE_8_0_52_2][#29643]

  4. When a user attempts to transfer multiple files, the file transfer session expires and the user is prompted to log on again.

    [AGEE_8_0_52_2][#29661]

  5. When users are connected with the Secure Access Client for Vista and try to download large files over FTP, the download fails.

    [AGEE_8_0_49.2][#27447]

  6. Internet Control Message Protocol (ICMP) is not supported if users are logging on using the ActiveX plug-in.

    [AGEE_8_0_49.2][#38867]

  7. Single sign-on to Web applications is not supported for the Secure Access Client for Java.

    [AGEE_8_0_45.4][#26303]

  8. The Secure Access Client is not installed automatically on Windows 2003 Server.

    To install the Secure Access Client on Windows 2003 Server

    1. Click Start > Control Panel > Add or Remove Programs.

    2. Click Add New Programs and click CD or Floppy.

    3. Follow the instructions in the wizard, navigate to the file nsvpnc_setup.exe, and click Next.

    [AGEE_8_0_45.4][#26684]

  9. Attempts to download large files using the file transfer tool fail and a negative file size is shown in the configuration window of the client.

    [AGEE_8_0_45.4][#27439]

New Fixes in this Release

  1. After users log on, if they click Back in Internet Explorer, the incorrect home page appears.

    [AGEE_8_0_54.6][#41560]

  2. When users try to log on multiple times with the Secure Access Client over the same connection, the Access Gateway fails.

    [AGEE_8_0_54.6][#42160]

  3. If the IP address or fully qualified domain name (FQDN) of the Access Gateway proxy in a double-hop DMZ is bound to a virtual server or to VPN global, and this is configured after adding a server running the Secure Ticket Authority, the Access Gateway fails.

    [AGEE_8_0_54.6][#42200]

  4. When users connect using the Secure Access Client, network traffic to the secure network stops after two hours.

    [AGEE_8_0_54.6][#42299]

  5. When users are logged on using the ActiveX plug-in and Microsoft Office Groove 2007 is installed on the client device, Internet Explorer fails when users log off from the ActiveX plug-in.

    [AGEE_8_0_54.6][#42437]

  6. When users log on using the Secure Access Client, domain name resolution fails when the Access Gateway is accessed by the hostname and not the FQDN.

    [AGEE_8_0_54.6][#42533]

Fixes from Previously Released Maintenance Builds

ActiveX Plug-in

  1. When users log on to the Access Gateway for the first time using the ActiveX Plug-in, Internet Explorer responds slowly.

    [AGEE_8_0_53_2][#41093]

  2. The ActiveX Plug-in cannot be installed on newer versions of Windows. To allow installation of the ActiveX Plug-in, in Internet Explorer, enable automatic prompting for ActiveX controls.

    [AGEE_8_0_45.4][#28377]

Endpoint Analysis

  1. When a user logs on using the Secure Access Client and the pre-authentication policy fails, on the Secure Access Client menu, Login is not available. Click Exit to end the Secure Access Client session and then log on again.

    [AGEE_8_0_49.2][#35400]

  2. When a file server authorization policy is created and if the expression qualifiers fs.dir.createtime, fs.dir.accesstime, fs.dir.writetime, or fs.dir.modifytime are used, Access Gateway administrators receive an invalid qualifier error message.

    [AGEE_8_0_49.2][#36429]

  3. When a post-authentication endpoint analysis scan is configured and the client security expression is using the OR qualifier, users receive the post-authentication error page.

    [AGEE_8_0_49.2][#36868]

  4. If the endpoint analysis fails on a client device, users receive a generic error message. Error messages are improved to provide better descriptions of the problem.

    [AGEE_8_0_48.7][#26879]

  5. When an endpoint analysis scan is running, the Web Interface fails to redirect.

    [AGEE_8_0_45.4][#29411]

  6. The configuration parameter for configuring SmartAccess endpoint authentication is changed from set vpn param -wiMode [CSG|NONE] to set vpn param -icaProxy [ON|OFF].

    [AGEE_8_0_41.8][#26695]

  7. Client security string and client security group rules are not enabled for post-authentication endpoint analysis.

    [AGEE_8_0_41.8][#27960]

High Availability

  1. When the Access Gateway is deployed in a double-hop DMZ, and the Access Gateway appliances in the second hop are configured for high availability, the primary Access Gateway fails.

    [AGEE_8_0_52_2][#39840]

  2. When two Access Gateway appliances are configured as part of a high availability pair and the session action inherits the client security expression, the primary appliance fails.

    [AGEE_8_0_46.14][#29705]

Installation Issues

  1. When upgrading the Access Gateway using the Configuration Utility, the Secure Shell (SSH) connection might close during the upgrade, resulting in a failed upgrade. Try installing the upgrade again using the Upgrade Wizard or the command-line interface.

    [AGEE_8_0_45.4][#27573]

Logon and Authentication

  1. When ICA Proxy and a post-authentication scan are enabled on the Access Gateway and users log on from a computer running Mac OS X, users receive the Secure Access Client for Java instead of the Web Interface.

    [AGEE_8_0_53_2][#39468]

  2. When single sign-on with Windows is configured on the Access Gateway and users log on to a Windows computer, the Secure Access Client occasionally fails.

    [AGEE_8_0_53_2][#41081]

  3. When users log on to the Access Gateway, they receive an error message "No java plugin installed, please install JRE" even though Java Runtime Environment (JRE) Version 1.5 or 1.6 is installed. The Secure Access Client for Java is not compliant with Internet Explorer 7.0.

    [AGEE_8_0_51.4][#38837]

  4. Users are prompted for a client certificate multiple times when smart card authentication is used with pre-authentication policies.

    [AGEE_8_0_50.3][#35197]

  5. When the NAS-IP value is configured in RADIUS authentication, the Access Gateway does not send the value when the RADIUS request is sent.

    [AGEE_8_0_50.3][#36763]

  6. When certificate authentication is configured on the Access Gateway and two-factor is turned off, the Access Gateway configuration cannot be saved.

    [AGEE_8_0_49.2][#36646]

  7. When users log on to the portal page using Internet Explorer 7 and the Access Gateway Web address is not in the Trusted Sites list, the ActiveX Plug-in is not installed.

    [AGEE_8_0_48.7][#34842, #36628]

  8. Connecting to a remote computer using Remote Desktop caused intermittent errors when used as an intranet application with the Java Plug-In. The remote desktop connection automatically disconnects after a period of time.

    [AGEE_8_0_47.8][#25708]

  9. If a client device is connecting from an external network and a proxy configuration script is configured in Internet Explorer, the script is not accessible until the Secure Access Client connection is established. When the client device connects from an external network, it can take one or two minutes for the connection to be established.

    [AGEE_8_0_47.8][#29841]

  10. After upgrading from Access Gateway Enterprise Edition Version 7.0 to Version 8.0, the user logon fails after users type the smart card personal identification number (PIN) and select a certificate.

    [AGEE_8_0_47.8][#30109, #35262]

  11. When TACACS authentication is configured on the Access Gateway and then the Access Gateway restarts, logon to the appliance fails using the administrator password.

    [AGEE_8_0_46.14][#29143]

  12. If users log on to the Secure Access Client with a password that has an ampersand (&), the logon fails.

    [AGEE_8_0_46.14][#29509]

  13. If an intranet IP address is configured and users are logging on to an application using the UDP protocol, only one user can log on.

    [AGEE_8_0_46.14][#29590]

  14. When RADIUS and group extraction is configured on the Access Gateway and the configuration is then modified, administrators are prompted to change the group vendor ID to "1." When this value is changed, users are authenticated, but group extraction fails. When configuring the Access Gateway for RADIUS authentication, configure the RADIUS server first and then configure the Access Gateway.

    [AGEE_8_0_46.14][#30004]

  15. If JavaScript is disabled in Internet Explorer, the Access Gateway logon page does not appear correctly. Enable scripting in Internet Explorer for the logon page to appear correctly.

    [AGEE_8_0_45.4][#26695]

  16. When upgrading the Access Gateway, the LDAP bind password must be reset.

    [AGEE_8_0_45.4][#27488]

Session and Connection

  1. If a proxy server is configured in the Web browser on the client device, the Secure Access Client does local name resolution for the Access Gateway virtual IP address and for any entries in the browser proxy exception list and times out. In addition, the Secure Access Client attempts to connect to the Access Gateway without using the proxy server configured in the browser. The client log files for debugging are not accessible for users who are not logged on as administrators.

    [AGEE_8_0_53_2][#29342, #41563]

Single Sign-On

  1. When single sign-on to the Web Interface is configured and split tunneling is disabled, single sign-on to public Web sites fails.

    [AGEE_8_0_47.8][#30049]

Web Interface

  1. If ICA traffic is sent to the Access Gateway before Secure Ticket Authority ticket validation occurs, the Access Gateway fails.

    [AGEE_8_0_53_2][#39426]

  2. Single sign-on to Web Interface Version 4.6 fails.

    [AGEE_8_0_53_2][#39909]

  3. If Web Interface failover is configured using a session policy and the primary Web Interface becomes unavailable, failover to the secondary Web Interface fails.

    [AGEE_8_0_53_2][#40894]

  4. The Access Gateway sends one ticket refresh request to the Secure Ticket Authority per logon session.

    [AGEE_8_0_52_2][#29505, #29513]

  5. When ICA proxy is enabled, the Web Interface is not redirected automatically.

    [AGEE_8_0_50.3][#39077]

  6. When the Access Gateway is configured to direct user requests to the Web Interface and connections are routed through a local load balancing virtual IP address, failover to a backup load balancing virtual server does not work.

    If the appliance is licensed as a NetScaler and the Web Interface is configured to fail over, users receive the error message "HTTP 500 Internal Server error."

    [AGEE_8_0_49.2][#35062]

  7. When ICAProxy mode and Web Interface mode are enabled, if the user logs on to the Web Interface, connects to other Web pages, and then returns to the fully qualified domain name (FQDN) of the virtual server, the IIS default home page appears.

    [AGEE_8_0_47.8][#30144]

  8. The Web Interface and the Secure Ticket Authority must be configured using the complete fully-qualified domain name (FQDN).

    [AGEE_8_0_45.4][#28268]

Miscellaneous

  1. Reliability is improved for extensive user group authentication deployments.

    [AGEE_8_0_53_2][#37665]

  2. If the Secure Ticket Authority ticket is invalid and is not refreshed, the Access Gateway fails.

    [AGEE_8_0_53_2][#39807]

  3. When users log on using the ActiveX Plug-in and try to connect to internal Web sites in a secondary Web browser window, Internet Explorer fails.

    [AGEE_8_0_53_2][#40683]

  4. When calls are placed to an internal phone using Cisco SoftPhone, for a specified time after the connection is established, the audio is not heard on the internal phone and is heard on the SoftPhone.

    [AGEE_8_0_53_2][#41047]

  5. When Access Gateway appliances in a high availability pair are upgraded, the Secure Ticket Authority identifier is not propagated to the secondary appliance.

    [AGEE_8_0_53_2][#41374]

  6. When split tunneling is disabled and the automatic proxy script has a direct entry, cannot be downloaded to the client device, or has a host name that cannot be resolved, the Secure Access Client removes the proxy settings in Internet Explorer when users log off from the Access Gateway.

    [AGEE_8_0_52_2][#39810, #40581]

  7. When a client security expression is configured within a session profile or as part of an advanced global client security setting for post-authentication analysis, and the scan fails, SmartAccess fails because the Web Interface does not receive policy names.

    [AGEE_8_0_51.4][#38360]

  8. On the home page portal, file transfer bookmarks configured by the administrator do not behave the same as those configured by users.

    [AGEE_8_0_50.3][#38070]

  9. When a user adds a policy expression with a time stamp check, the policy expression works until the Access Gateway is restarted. When the Access Gateway restarts, the policy expression does not load, even though it is in the ns.conf file. In addition, any policy associated with the time stamp policy does not load either.

    [AGEE_8_0_50.3][#38440]

  10. The local LAN settings of the Secure Access Client are not persistent between Access Gateway sessions.

    [AGEE_8_0_48.7][#35041]

  11. When users connect using the Secure Access Client, DNS requests with host names exceeding six characters are not passed through the VPN tunnel.

    [AGEE_8_0_48.7][#35915]

  12. Applications that use UDP experience latency on the Access Gateway.

    [AGEE_8_0_48.7][#35921]

  13. If the Web proxy server IP address is specified in the Internet Explorer proxy settings and the user logs on using the Secure Access Client, the Access Gateway settings override the Internet Explorer proxy settings. In Internet Explorer, make sure you select the checkbox Use the same proxy server for all protocols.

    [AGEE_8_0_47.8][#34845]

  14. The Access Gateway fails when an external HTTP request is sent to an internal virtual server.

    [AGEE_8_0_47.8][#34991]

  15. If there is an unusually high number of user connections, CPU utilization goes to 100% and the Access Gateway fails.

    [AGEE_8_0_47.8][#35350, #35493]

  16. ICMP ping requests are not returned by the Access Gateway.

    [AGEE_8_0_46.14][#29938]

  17. When an intranet IP address is bound globally on the Access Gateway proxy in a double-hop deployment, users are assigned an IP address from the secure network.

    [AGEE_8_0_45.4][#26110]

  18. Attempts to download large files using the file transfer tool fail.

    [AGEE_8_0_45.4][#27439]

  19. If Norton Personal Firewall is installed on a client device, when users log on using the Secure Access Client, they receive a message from Norton Personal Firewall to allow or block the file nsload.exe. To establish the connection, select Allow.

    [AGEE_8_0_45.4][#28709]

  20. A global pointer is not set to NULL after the Secure Ticket Authority (STA) renews the ticket.

    [AGEE_8_0_45.4][#29212]

  21. The debugging logs for Windows XP are stored in the folder %systemroot%\Document and Settings\All Users\Application Data\Citrix\AGEE.

    [AGEE_8_0_45.4][#29415]

  22. The command to view virtual server statistics is stat vpn vserver.

    [AGEE_8_0_41.8][#27936]

  23. If a mapped IP address is not defined, the user receives the error message "500 internal server error."

    [AGEE_8_0_41.8][#28287]

Copyright © 2008 Citrix Systems, Inc. All rights reserved.
Citrix, MetaFrame, and MetaFrame XP are registered trademarks, and Citrix Presentation Server is a trademark of Citrix Systems, Inc. in the United States and other countries.
All other trademarks and registered trademarks are the property of their respective owners.


This document applies to:

  • Access Gateway 8.0 Enterprise Edition