Maintenance release name: cag_5.0.4.bin, .iso, .xva, or .upgrade
For: Access Gateway 5.0, Model 2010 Appliance
Replaces: None
Date: August, 2012
Language supported: English (US)
Readme version: 1.2

Readme Revision History

Version	Date	Change Description
1.2	August, 2012	Correct version for Receiver Storefront
1.1	February, 2012	Fixed link to Access Controller System Requirements.
1.0	December, 2011	Initial release.

Important Note(s) about This Maintenance Release

• This maintenance release updates Access Gateway 5.0. This maintenance release is applicable to the Model 2010 appliance and Access Gateway VPX that supports Access Gateway 5.0.

Where to Find Documentation

This document describes the issue(s) solved by this maintenance release and includes installation instructions. For more information, see the Access Gateway 5.0 documentation in the Citrix eDocs library.

Access Gateway 5.0.4 Compatibility with Citrix Products

The following table provides the Citrix product names and versions that Access Gateway 5.0.4 is compatible with.

Citrix Product	Release Version
Branch Repeater	5.7.0 and 6.0.x
NetScaler	9.3 and 9.2
Receiver Storefront	1.0
Web Interface	5.4 and 5.3
XenApp	6.0 and 6.5 for Windows Server 2008 R2 5 Feature Pack 2 for Windows Server 2003 5.0 (Windows Server 2003 and 2008)
XenDesktop	5.0 Service Pack 1 and 5.5
XenServer	6.0, 5.6 Service Pack 1, and 5.6 Service Pack 2
XenClient	2, 1.0 Service Pack 1, and 1.0
Citrix online plug-in	12.0 and 13.x

Citrix Receiver and Access Gateway Plug-in Version Requirements for Access Gateway 5.0.4

Access Gateway 5.0.4 supports the following versions of Citrix Receiver and the Access Gateway Plug-in:

Access Gateway Plug-in or Citrix Receiver	Minimum Version
Access Gateway Plug-in for Macintosh	2.1.x
Citrix Receiver for Apple iPad	5.0.2
Citrix Receiver for Apple iPhone	5.0.2
Citrix Receiver for Android	2.1.1078
Citrix Receiver for Macintosh	11.4.x
Citrix Receiver for Windows	3.1

Downloading and Installing This Maintenance Release

You can install this maintenance release on the Access Gateway appliance by using the Access Gateway Management Console.

This maintenance release of Access Controller is supported on the following operating systems:

• Microsoft Windows Server 2008 32-bit, Standard Edition, Data Center Edition, or Enterprise Edition, with all service packs and updates
• Microsoft Windows Server 2008 64-bit, Standard Edition, Data Center Edition, or Enterprise Edition, with all service packs and updates
• Microsoft Windows Server 2008 R2 64-bit, Standard Edition, Data Center Edition, or Enterprise Edition, with all service packs and updates

For system requirements for Access Controller, see Access Controller System Requirements in the Citrix eDocs library.

When you download your product software from My Citrix, you may see multiple download options. Use the following guidelines to download the correct version of Access Gateway:

Access Gateway Appliance

• To reimage an appliance with factory default settings, download the file with the extension .iso

• To upgrade an existing appliance from Version 4.6.x, download the file with the extension .upgrade

• To upgrade an existing appliance from Version 5.0, download the file with the extension .bin

Access Gateway VPX

The virtual image contains the package that you need in order to install Access Gateway VPX on XenServer or VMware. You can download the virtual image from My Citrix after you have purchased Access Gateway VPX. For more information, see Access Gateway VPX Overview in the eDocs library. To install Access Gateway VPX on XenServer, see the topic To install Access Gateway VPX Using XenCenter in eDocs. To install Access Gateway VPX on VMware and vSphere, see the topic Installing Access Gateway VPX Using vSphere in eDocs.

Access Controller

You can upgrade from Access Gateway 5.0 or Version 5.0.1 to Version 5.0.2 or later. For more information, see Upgrading Access Controller in the Citrix eDocs library. You can also install Version 5.0.4 on Windows Server 2008 as a new installation. To install Access Controller on the server, see To install this maintenance release on Access Controller.

To download this maintenance release

1. Go to the Citrix Web site, click My Citrix, and log on.

2. At the top of the Web page, click Downloads.

3. In Search Downloads by Product, select Citrix Access Gateway.

4. Under Product Software, click the link that matches your edition and software release version to reach the download page.

5. Click Get Software to start the download and save it to a folder on your computer.

To install this maintenance release on the Access Gateway appliance

1. In the Access Gateway Management Console, click Snapshots.

2. In the Software Releases and Configuration Snapshots panel, next to Software Releases, click Import.

3. Navigate to the software upgrade file you saved on your computer and then click Open.

   The software installation starts.

After completing the software installation, the new version appears in the Software Releases panel. To make the new version active, select the version, click Migrate and then restart Access Gateway.

To install this maintenance release on Access Controller

The steps for upgrading to Version 5.0.2 or later are:

1. Download the Access Controller software.
2. Run the Setup Wizard to install or upgrade Access Controller.

If you are upgrading from a previous version, when the Setup Wizard runs, it creates a backup of your current configuration, removes your existing installation, and then installs the latest version. When the latest version installs, it restores your configuration automatically.

If you want to remove Access Controller from the server, use Programs and Features in Control Panel. Depending on the options you installed, you must remove the components in the following order:

• Citrix Access Gateway Server
• Citrix Access Gateway Console
• Citrix Licensing
• Citrix Delivery Services Console - Diagnostics
• Citrix Delivery Services Console - Framework

You can remove the Citrix License Server Administration and Citrix Delivery Services Console - Diagnostics components at any time in the uninstallation process. However, you must remove the Citrix Delivery Services Console - Framework component last.

To remove Access Controller components

1. Choose Start > Settings > Control Panel.
2. In Control Panel, double-click Programs and Features.
3. Select a program, click Uninstall and then follow the prompts.

If you are upgrading your cluster from Access Gateway 4.5, Advanced Edition to Access Gateway 5.0 or later, see the following information in the eDocs library:

• Migrating to Access Gateway 5.0
• Migrating from Access Gateway Advanced Edition
• Access Controller Migration Settings
• Access Controller Discontinued Settings and Features

To install Access Controller

1. Follow the instructions to download the maintenance release.
2. Open the folder for Access Controller and then double-click AutoRun.exe.
3. On the startup screen, click Citrix Access Controller.
4. On the Welcome screen, click Next.
5. Read and accept the Citrix license agreement.
6. Select any of the following components to install:
• Server. Installs the Access Controller server software, including the Logon Agent and server configuration tools.
• Delivery Services Console. Installs the configuration and management tool for Access Controller.

Note: If you are upgrading the server, if the components are already installed, the options appear dimmed. The components upgrade automatically.



7. Follow the on-screen instructions to complete the Setup Wizard.

If you are upgrading Access Controller, you receive a prompt to restart the server during installation. When you restart, installation of Access Controller continues.

Upgrading Multiple Access Controller Servers in a Cluster

If you have multiple Access Controller servers in a cluster, you must use the following procedure to upgrade the servers.

To upgrade Access Controller servers in a cluster

1. Copy the 5.0.4 image to each server or make it automatically available for all servers.

   Important: The image location must be available automatically until the upgrade process is complete. If the image is on non-persistent network drive, or if you have to enter credentials to access the image after Access Controller restarts, the upgrade fails.

2. Complete Step 1 of the upgrade process on all servers in the cluster. Do not proceed to Step 2 of upgrade process.

3. When all servers are done with Step 1 of the upgrade and each server restarted, proceed to Step 2 of the upgrade process sequentially on all the servers in the cluster to complete the upgrade.

New Features Supported in This Maintenance Release

Adding Web Resources for a Basic Logon Point in Access Gateway

When you create a basic logon point, you can add Web resources that users can access when they log on with Citrix Receiver. Web resources define the Web pages, sites, or applications that you want to secure in Access Gateway. For more information, see Adding Web Resources to a Basic Logon Point in the Citrix eDocs library.

Customizing the Access Gateway Logon Page

You can create a custom logon page by configuring the settings in either a basic or SmartAccess logon point. You can use the default Access Gateway logon page, use the Citrix Receiver design for your logon page, or create your own logon page with your graphics and logo. For more information, see Customizing the Access Gateway Logon Page in the eDocs library.

New Version of the Access Gateway Plug-in for Access Gateway 5.0.4

Access Gateway 5.0.4 contains an updated version of the Access Gateway Plug-in. Changes made to the internal framework of the Access Gateway appliance prevent compatibility with earlier versions of the plug-in. Users must install Access Gateway Plug-in Version 5.0.4.

Important: To install or upgrade to Version 5.0.4 of the plug-in, users must be an administrator or have administrator rights on the user device, unless you update the plug-in by using an Active Directory group policy.

You can upgrade the plug-in by using one of the following methods:

• Push the Access Gateway Plug-in to all users by using the Microsoft Installer (MSI) package and an Active Directory group policy. For more information, see the topic Installing the MSI Package by Using Group Policy in the Citrix eDocs library.

• Install the Access Gateway Plug-in from a Web browser. Upgrading to the new version of the plug-in occurs automatically when users download the plug-in from a Web browser if users have administrative rights on either a Windows-based or Mac OS X device.

Support for the Citrix Licensing Toolbox

Access Gateway 5.0.x supports licenses that are available from the Citrix Licenses Toolbox in My Citrix. If you download and install licenses from the new portal on any Access Gateway version earlier than Version 5.0.4, the licenses do not appear on the Licensing panel in the Access Gateway Management Console. The licenses work, however, as Access Gateway installs the licenses. In Access Gateway 5.0.4, the licenses appear on the Licensing panel.

New Features from Previously Released Maintenance Releases

Access Gateway Imaging Tool

The Access Gateway imaging tool now exists as a .zip file containing all files necessary for reimaging the appliance. You download the .zip file, extract the files, and run the tool. The tool indicates the location of the USB drive. By using the .zip file, you no longer need to select an ISO file.

Basic Logon Point Session Time-outs in Access Controller

If you configure a basic logon point in Access Controller, you can now configure session time-outs as part of the logon point settings. [#45963]

New Version of the Access Gateway Plug-in

Access Gateway 5.0.3 contains an updated version of the Access Gateway Plug-in. Changes made to the internal framework of the Access Gateway appliance prevent compatibility with earlier versions of the plug-in. Users must install Access Gateway Plug-in Version 5.0.3.

Important: To install or upgrade to Version 5.0.3 of the plug-in, users must be an administrator or have administrator rights on the user device, unless you update the plug-in by using an Active Directory group policy.

You can upgrade the plug-in by using one of the following methods:

• Push the Access Gateway Plug-in to all users by using the Microsoft Installer (MSI) package and an Active Directory group policy. For more information, see the topic Installing the MSI Package by Using Group Policy in the Citrix eDocs library.

• Install the Access Gateway Plug-in from a Web browser. Upgrading to the new version of the plug-in occurs automatically when users download the plug-in from a Web browser if users have administrative rights on either a Windows-based or Mac OS X device.

Certificate Length

If you attempt to import an intermediate certificate to Access Gateway where the Subject field is longer than 128 characters, you receive the error message "Value too long for type character varying (128)."

Multi-Stream ICA Support

The multi-stream ICA feature allows you to partition multiple ICA streams in the same session. With multi-stream ICA, you can partition a single TCP connection into multiple streams based on different types of traffic that are typical for session reliability.

Secure Ticket Authority

You can now configure up to 25 servers running the Secure Ticket Authority (STA).

Static Routing

You can now add up to 256 static routes on the Access Gateway appliance.

Support for Web Interface 5.4

Access Gateway 5.0.1 supports the following Web Interface 5.4 features:

• Password Change. When the Web Interface is the home page, users can change their password after they log on.

• ICA File Signing. The Web Interface digitally signs generated ICA files, to allow compatible Citrix clients and plug-ins to validate that the file originates from a trusted source.

Upgrading Access Controller

You can now upgrade Access Controller from Version 5.0 or Version 5.0.1 to Version 5.0.2 or later without removing the previous version.

User Software

Access Gateway supports the following user software:

• Access Gateway Plug-in for Mac OS X Version 2.0

• Citrix Receiver 2.1

XenApp Services Site

You can configure Access Gateway to use a XenApp Services site, giving users access to virtual applications from their computer desktop or mobile device when they authenticate through the Web Interface.

Known Issues in This Maintenance Release

Installing Access Gateway and Access Controller

1. If you attempt to upgrade Access Controller from Version 5.0.x to Version 5.0.4 and the Windows logon account and Access Controller service account are different, the upgrade fails.

   [From AG_5_0_3][#46319]

Migrating to Access Controller

1. If you have a custom filter using Other Filter with either a custom or unsupported scan in Access Gateway 4.5, Advanced Edition, importing the farm to Access Controller fails and the entire farm is lost. Before you start migrating the farm, remove any filter references within a custom filter in Advanced Access Control.

   [From AG_5_0_1][#44558]

Access Controller

1. If you enable users to access file shares and publish the file share as a resource in the Access Interface, when users log on with Internet Explorer 9 or by using Windows XP with Internet Explorer 8 and upload a file to the file share, occasionally a blank page appears with a "200" error. When users try to return to the file share page, a "Not Responding" error appears in the file share window. If they click OK to close the error dialog box and then refresh the file share window, the uploaded file appears.

   [From AG_5_0_4][#256014]

2. If you create a Web resource in Access Controller and enable single sign-on, if the Web address includes a dynamic system token and the home page token is the URL home page, when users access the resource, the appliance fails.

   [From AG_5_0_4][#274109]

3. If users change the window size setting in Access Interface, the setting does not persist between sessions.

   [From AG_5_0_3][#45997]

4. When you configure Microsoft Exchange Server 2010 and Outlook Web App as a Web resource and enable single sign-on, when users try to open Outlook Web App 2010, Web page errors appear in the Web browser.

   [From AG_5_0_3][#127545]

5. If users log on to Access Gateway and start Outlook Web App from the Access Interface, if users delete emails from the folders in the navigation pane, the content of last mail item from the deleted email continues to appear in the right pane. Users must log off and then log on again to remove the content from the right pane.

   [From AG_5_0_3][#127771]

6. If you configure double source authentication with Active Directory and LDAP with a single user name and if the authentication profile uses the same LDAP database, when users receive a prompt to change their password, the password changes. However, users receive the error message "Try again or contact helpdesk." instead of receiving the Access Interface.

   [From AG_5_0_3][#48910]

7. If you create an endpoint analysis scan expression and associate it with logon point visibility, and then you clear the Only show logon page when these conditions are met check box, the scan fails and users see an "Access is Denied" error message regardless of the scan expression result.

   [From AG_5_0_2][#45859]

8. When users logon with a basic logon point using the Firefox Web browser and start an application published with Web Interface 5.4, when users log off the application remains active.

   [From AG_5_0_1][#45072]

9. Users cannot create and save a Microsoft Word 2007 document from within SharePoint 2007. Users should create the document on their local computer and then upload it to SharePoint.

   [From AG_5_0][#42711]

10. If you configure a Web resource for Outlook Web Access, Outlook Web App, or SharePoint 2007 and do not enable single sign-on, when users log off and then log on again, users are not prompted for their credentials.

    [From AG_5_0][#43906]

11. If users connect to SharePoint 2007, click Shared Documents and then, from the Actions menu, select Export to spreadsheet in the Firefox Web browser, when users click Open, they receive the error message "Excel cannot connect to SharePoint list."

    [From AG_5_0][#43969]

User Connections

1. If you disable session reliability in the Web Interface and if a network interruption occurs while users have an ICA session open, the session disconnects and cannot reconnect for at least 10 minutes by using the Reconnect button in the Access Interface. If you enable session reliability with a time-out limit (the default is 3 minutes), sessions reconnect automatically. After that time, users cannot reconnect to the session for at least 10 minutes by using the Reconnect button in the Access Interface. Users can click the Disconnect button and then click the Reconnect button in the Access Interface to restart the ICA session before the 10-minute time limit.

   [From AG_5_0_3][#45257]

2. If Citrix online plug-in is installed on the user device and the Web Interface is part of your deployment, when users log on to the appliance with Mozilla Firefox 4.0 other plug-ins, including Adobe Flash Plug-in and the Access Gateway Plug-in, do not work.

   [From AG_5_0_3][#45929]

3. If users install Trend Micro 2010 and do not activate the application, when users log on with the Access Gateway Plug-in, the connection establishes and tunneling fails.

   [From AG_5_0_3][#45975]

4. If users start the Access Gateway Plug-in from the Access Interface by clicking Connect to Network in Google Chrome, when users log off by using the Web browser they might occasionally receive Error 118 and Error 324 messages.

   [From AG_5_0_3][#46116]

5. If users attempt to log on to the Web Interface and XenApp 6.5 for Windows 2008 by using Google Chrome, users receive a prompt to install the online plug-in even though the plug-in is already installed on the user device.

   [From AG_5_0_3][#46313]

6. If you configure published applications with filters in XenApp 6.5 for Windows 2008 R2, when users start an application to which the filter is applied and then attempt to start an application that does not have a filter, the application without the filter does not start.

   [From AG_5_0_3][#46662]

7. If users log on using a SmartAccess logon point and connect to published desktops from XenDesktop 5 and Web Interface 5.4 through the Access Interface, the Reconnect button does not work.

   [From AG_5_0_1][#44987, #44986]

8. If you configure Access Controller to use Web Interface Version 5.4 and use a basic logon point for user connections, when users connect to the Access Interface using the Firefox Web browser, the Reconnect and Disconnect options are not available from the Log Off drop-down menu in the Access Interface.

   [From AG_5_0_1][#45077]

9. If users log on using Google Chrome and Citrix online plug-ins Versions 12.0 and 12.1, published applications do not open.

   [From AG_5_0_1][#45134]

10. If you configure AES encryption on Access Gateway and users log on using either Internet Explorer 8 or Google Chrome, users cannot access the logon point. Users must enable TLS 1.0 in Internet Explorer and Google Chrome to access the logon point. If users log on using Windows XP with Internet Explorer 7 or Internet Explorer 8, users cannot access the logon point and the logon page does not appear. Internet Explorer on Windows XP does not support AES-based TLS ciphersuites.

    [From AG_5_0][#43941, #44106]

Citrix Receiver

Access Gateway 5.0.4 provides support for Citrix Receiver for Windows 3.0, Citrix Receiver 2.0, and Citrix Receiver 2.1 on Windows-based and Mac OS X user devices:

1. If users log on to Citrix Receiver with the Access Gateway Plug-in and enter their credentials, if the plug-in upgrades from Version 5.0.3 to a more recent build, occasionally the upgrade stalls and the Citrix Receiver icon is disabled. If users end the Receiver.exe process with the Windows Task Manager and restart Citrix Receiver, the upgrade succeeds.

   [From AG_5_0_4][#261108]

2. If users log on with Citrix Receiver for Windows 3.0 by using Internet Explorer 9 64-bit, Access Gateway does not detect Citrix Receiver. Users can see published applications if they click Skip to Logon. When users start a published application, users receive the prompt "Do you want to open or save launch.ica from Web Interface address."

   [From AG_5_0_3][#46228]

3. If you push the option to uninstall Citrix Receiver for Windows 3.0 from Merchandising Server over a VPN connection, the Access Gateway Plug-in disconnects and the Receiver closes.

   [From AG_5_0_3][#47936]

4. When users disable wireless on a Mac OS X computer and connect using a 3G card, the Access Gateway Plug-in does not upgrade automatically through Citrix Receiver. If users select Check for Updates to upgrade the plug-in, the upgrade fails and users receive the error message "Updates are currently not available."

   [From AG_5_0_2][#45881]

5. If you schedule an upgrade of the Access Gateway Plug-in in Merchandising Server that is a later build of Version 5.0, the Access Gateway Plug-in does not upgrade in Citrix Receiver. For example, Version 5.0.0.120 is installed on the user device and you schedule 5.0.0.125 to upgrade the plug-in. This issue occurs because Citrix Receiver detects that Version 5.0 is already installed on the user device.

   [From AG_5_0][#44686]

Issues Resolved in This Maintenance Release

Access Gateway

1. If an application name contains an ampersand (&), when users log on using clientless access with Internet Explorer and the logon point Web address is not in the trusted sites list, the application fails. If you change the ampersand to a dash in the application name, the application opens.

   [From AG_5_0_4][#047654]

2. If you configure an RSA SecurID profile, if the RSA server is unavailable and then available again, user authentication may subsequently fail.

   [From AG_5_0_4][#159699, #253896]

3. When users log on to Access Gateway VPX and then access specific Web resources, the appliance fails and restarts in recovery mode.

   [From AG_5_0_4][#253129]

4. When users log on and are prompted to change their password, Access Gateway does not check if the old password is correct. When this occurs, the Change expired password dialog box appears. With this release, Access Gateway checks if the password is valid and, if not, prompts users to change their password.

   [From AG_5_0_4][#254307]

5. If you enable single single sign-on to an application published as a Web resource, when users log on to Access Gateway and try to access the application through a Web browser, a script error message appears stating that "a script on this page may be busy or stopped responding."

   [From AG_5_0_4][#256272]

6. Access Gateway 5.0.x supports licenses that are available from the Citrix Licenses Toolbox in My Citrix. If you download and install licenses from the new portal on any Access Gateway version earlier than Version 5.0.4, the licenses do not appear on the Licensing panel in the Access Gateway Management Console. The licenses work, however, as Access Gateway installs the licenses. In Access Gateway 5.0.4, the licenses appear on the Licensing panel.

   [From AG_5_0_4][#259741]

7. When you configure a basic logon point with authentication using the Web interface, when users try to access the Web address on a virtual desktop through the VDI-in-a-Box virtual desktop solution, a blank page appears rather than the VDI-in-a-Box logon screen.

   [From AG_5_0_4][#275100]

8. If users log on to Access Gateway through Citrix Receiver, the Preferences > Plug-in status menu options occasionally are not available.

   [From AG_5_0_3][#47387, #47590]

Access Controller

1. If you configure access in Access Controller to a Web resource that begins with https and publish the resource on the Access Interface, when users try to access the resource, a 504 error appears and the page does not open.

   [From AG_5_0_4][#252492]

2. If you configure an LDAP authentication profile, you use Active Directory as the directory service, and you enable single sign-on, when users try to access an application, authentication occurs on the domain of the server on which Access Controller is installed rather than on the domain of the LDAP server. In this case, authentication fails.

   [From AG_5_0_4][#253907]

3. If you configure a policy on Access Controller to enable access to file shares on network-attached storage (NAS) devices, users can open the share in the root directory of an NAS device, but the link to upload a file or create a folder is disabled.

   [From AG_5_0_4][#261759]

4. If you configure RADIUS authentication and authorization by using the Network Policy Server (NPS) on Windows Server 2008 and you configure a network policy with a user group that contains localized characters, and then create a logon point on Access Controller for the RADIUS type with RADIUS authorization, the following occurs: When you configure a Web resource and an access policy for the localized user group, when users type Japanese characters that correspond to the group name, authentication succeeds and they can logon successfully, but the published Web resource does not appear.

   [From AG_5_0_4][#264882]

5. If you configure RADIUS authentication and authorization by using the Network Policy Server (NPS) on Windows Server 2008 and you configure a network policy with a user group that contains localized characters, and then create a logon point on Access Controller for the RADIUS type with RADIUS authorization, the following occurs: When you configure a Web resource and an access policy for the localized user group, when users who belong to that group type Spanish, French, or German foreign language characters in the group name, authentication fails.

   [From AG_5_0_4][#264928]

Citrix Receiver

1. Occasionally, the Receiver menu option in the notification area shows Logon instead of Logoff even though users are already logged on to Access Gateway.

   [From AG_5_0_3][#48186]

Issues Resolved from Previously Released Maintenance Releases

Installing Access Gateway and Access Controller

1. If you install Access Controller on Windows Server 2008 R2 64-bit, the Diagnostics Facility does not appear in the left pane of the Delivery Services Console. To install the Diagnostics Facility, use the Assembly Registration tool regasm.exe to register the file CdfExtension.dll. To register the file, log on to a command prompt with administrator privileges and then run the following command:

   C:\Windows\Microsoft.NET\Framework\v2.0.50727>RegAsm.exe "C:\Program Files (x86)\Common Files\Citrix\Access Management Console - Diagnostics\CdfExtension.dll"

   Microsoft (R) .NET Framework Assembly Registration Utility 2.0.50727.4927

   [From AG_5_0_3][#43961]

Access Gateway

1. When you configure Access Gateway settings for the Web Interface on XenDesktop 5 and enable session reliability, the Secure Ticket Authority (STA) servers return STA reconnect tickets with a lifetime erroneously set to only 5 seconds. As a result, session reconnection fails if the network connection interrupts, unless the interruption is very brief. The desktop session closes and users must open XenDesktop again.

   [From AG_5_0_3][#45475]

2. If you configure a SmartAccess logon point and enable single sign-on to the Access Interface, after users change their password from the Preferences tab, they are prompted for credentials when trying to open an application and the error "The user name or password is incorrect" appears.

   [From AG_5_0_3][#45538]

3. If users on a Windows 7 computer log on with the Access Gateway Plug-in through Citrix Receiver with a 3G network adapter, the Logon and Check for Updates options are not available. This does not occur on Windows XP or Windows Vista.

   [From AG_5_0_3][#45697]

4. When you configure Access Gateway settings for the Web Interface on XenDesktop 5, when users open an available desktop from the Web Interface, the application appears briefly and then disappears, but no errors appear.

   [From AG_5_0_3][#45854]

5. If you set the network adapter speed to other settings than auto by using the command line, the configuration does not apply correctly.

   [From AG_5_0_3][#45933]

6. If the total length of LDAP group names exceeds 6 kilobytes (kb), authentication fails.

   [From AG_5_0_3][#46292]

7. If you configure LDAP authentication on Access Gateway, when users log on with the Access Gateway Plug-in from a Google Chrome Version 13.x browser, the domain logon scripts do not run.

   [From AG_5_0_3][#212231]

8. If users upgrade the Access Gateway Plug-in for Windows, users might receive the error message "Program Compatibility Assistant - This program might not have installed correctly - location: cagsetup.exe." Users need to restart their user device when prompted.

   [From AG_5_0_3][#212361]

9. If users log on to Access Gateway and then attempt to open multiple sites from the Access Interface by using Internet Explorer 9, users receive the error message "You are logged off. You cannot log on from this window." Internet Explorer 9 removes the session cookie and users cannot access the session.

   [From AG_5_0_3][#212808]

10. When you create a snapshot, only use ASCII characters in the snapshot name. If you save and export a snapshot on Access Gateway, then change the snapshot name and use non-ASCII characters, when you try to import the snapshot, you receive the following message: "Error: Access Gateway detects corruption in the file you uploaded. Please try again with a different file."

    [From AG_5_0_3][#213282]

11. If you upgrade to Access Gateway 5.0.3 from a previous 5.0.x version, when users change their passwords, labels in the Change Password dialog box appear in English and are not localized. When this occurs, remove and then create the authentication profile again.

    [From AG_5_0_3][#213804]

12. If users upgrade the Access Gateway Plug-in to Version 5.0.3, the plug-in repairs itself when users start the plug-in from the Start menu and attempt to log on for the first time.

    [From AG_5_0_3][#214486]

13. If you configure the root DN as the user base DN for LDAP authentication, the referral is returned and authentication fails.

    [From AG_5_0_2][#31135, #45642]

14. If you do not select the Password never expires option under Account Options in Active Directory, users can log on, but are prompted to change their password even though a password update is not required.

    [From AG_5_0_2][#31424]

15. If you configure an LDAP authentication profile on Access Gateway using the Global Catalog, and clear the "Password never expires" option in Active Directory, authentication fails

    [From AG_5_0_2][#31435]

16. If you attempt to import an intermediate certificate to Access Gateway where the Subject field is longer than 128 characters, you receive the error message "Value too long for type character varying (128)."

    [From AG_5_0_2][#45063]

17. When users log on with the Access Gateway Plug-in and open Outlook Web App 2010 with Service Pack 1, JavaScript error messages appear. Subsequently, Outlook Web App menu buttons no longer work properly.

    [From AG_5_0_2][#45418]

18. If the primary appliance in an appliance failover pair loses network connectivity and the secondary appliance becomes primary, the network is notified that the MAC address changed. When the primary appliance regains the network connection, the local network does not receive the message that the MAC address changed again. When this occurs, connections in the appliance failover pair may fail for up to four hours.

    [From AG_5_0_2][#45499]

19. When Access Gateway runs for more than 25 days, and then after sessions exceed the maximum session time-out value, they do not disconnect. If you do not force the sessions to log out, licenses are not released as expected, which might prevent other users from logging on.

    [From AG_5_0_2][#45501]

20. If you configure LDAP authentication and the group name contains an apostrophe ('), users who are members of that group cannot log on.

    [From AG_5_0_2][#45517]

21. If users enter a fully qualified domain name (FQDN) that is different than the configured host name of the appliance, users receive the error message "404 Hostname not found."

    [From AG_5_0_2][#45688]

22. If you configure RADIUS authentication by using the Network Policy Server (NPS) on Windows Server 2008, authentication fails if the password contains Unicode characters. NPS does not support Unicode characters in passwords.

    [From AG_5_0_2][#212104]

23. If you upgrade Access Gateway from Version 4.6.x to Version 5.0 and use a remote license server with a fully qualified domain name (FQDN), when the upgrade is complete, license files do not appear on the Licensing panel. If you restart Access Gateway, the license files appear.

    [From AG_5_0_1][#30069]

24. If you upgrade Access Gateway 4.6, you must reinstall the Platform license on the appliance to remove the appliance from the 48-hour grace period.

    [From AG_5_0_1][#30531]

25. All logon points become inaccessible after 24 days. If this occurs, restart Access Gateway using the command line.

    [From AG_5_0_1][#30590]

26. If you attempt to upload a certificate using the file extension PFX and receive a "File is invalid" error message, use OpenSSL to convert the certificate to PKCS#12 with the file extension PEM.

    [From AG_5_0_1][#30723]

27. You might receive the error message "hangcheck: hangcheck value past margin!" in the Access Gateway Management Console.

    [From AG_5_0_1][#30787]

28. If the user account requires a RADIUS challenge response, single sign-on to the Web Interface fails.

    [From AG_5_0_1][#30813]

29. When you install Access Gateway 5.0, the appliance does not recognize the license files.

    [From AG_5_0_1][#30833, #30849]

30. If you configure multiple static routes in Access Gateway 4.6.x and then migrate to Access Gateway 5.0, the migration fails.

    [From AG_5_0_1][#30928]

Access Controller

1. If XenApp is part of your deployment and you enable users to open documents by using file type association on a SharePoint 2007 resource, when users attempt to create a new document from SharePoint 2007, the contents of the ICA file appear instead of a blank document.

   [From AG_5_0_3][#43258]

2. If you configure a file or process endpoint analysis scan that includes a hash value on a Windows Vista 64-bit computer, when users log on using Google Chrome, the endpoint analysis first fails, and then succeeds when users click Retry.

   [From AG_5_0_3][#43394]

3. When you start Access Controller, the Deployment Server might not start within the allowed time and an error message appears in the Problem Reports and Solutions page.

   [From AG_5_0_3][#43826]

4. When you configure Microsoft Exchange Server 2010 Service Pack 1 and Outlook Web App as a web resource and enable single sign-on, when users try to open Outlook Web App, none of the menu items appears and users cannot use the application.

   [From AG_5_0_3][#45717]

5. If you enable single sign-on to the Web resources, when users try to open a Web resource, logon fails if user credentials contain localized German, French, Spanish, Japanese, or Simplified Chinese characters.

   [From AG_5_0_3][#45831]

6. If you configure Microsoft Exchange Server 2010 and Outlook Web App as a Web resource and users log on using Google Chrome and then open Outlook Web App, when users click options, such as Compose a Message, Appointment, or Task, click Reply, or open mail in new window, occasionally a "403 Unauthorized access" message appears.

   [From AG_5_0_3][#45866]

7. When you configure Microsoft Exchange Server 2010 Service Pack 1 and Outlook Web App as a web resource and enable single sign-on, when users try to open Outlook Web App, users cannot use the application. For example, when users click on the Inbox and then click on the Delete folder, users receive an access denied error.

   [From AG_5_0_3][#46357]

8. If you attempt to change the service account information by using Server Configuration in Access Controller, the attempt fails with the error message "Unable to connect to the database. Make sure that the service account user has access."

   [From AG_5_0_3][#157405]

9. If you configure Access Controller to allow connections to XenDesktop, when users log on to XenDesktop and then click Log off or Disconnect from the Access Interface, users log off from the Access Interface, but the desktop session stays active.

   [From AG_5_0_2][#212002]

10. If you create a custom filter with a complex expression in Access Controller, when you save the filter, you might receive the error message "The filter cannot be empty" even though it is not empty. This issue does not occur if you modify a custom filter.

    [From AG_5_0_1][#28883]

11. If you do not configure file shares in Access Controller, when users log on, the file shares panel in the Access Interface is empty.

    [From AG_5_0_1][#29726]

12. If you configure a Distributed File System (DFS) link in Access Controller without using the fully qualified domain name, when users click the link from the Access Interface, they receive the error message "Service not available." In this release, Access Gateway supports domain name-based DFS.

    [From AG_5_0_1][#29829]

User Connections

1. When users log on with the Access Gateway Plug-in and fail the endpoint analysis scan, if the remediation message contains a hyperlink, the Web page opens within the error message instead of opening a new instance of the Web browser.

   [From AG_5_0_3][#44281]

2. The DNE driver in the Access Gateway Plug-in might cause the Ethernet connection to randomly disconnect on user devices. Update user devices with the Access Gateway Plug-in from Access Gateway 5.0.3.

   [From AG_5_0_3][#45862]

3. When users log on with the Access Gateway Plug-in, after an unspecified amount of time, Access Gateway forces the VPN connection to close. When the session ends, users lose access to resources in the internal network.

   [From AG_5_0_3][#46398]

4. If you configure address pools on Access Gateway, when users log on with the Access Gateway Plug-in and receive an IP address from the pool, users cannot access resources in the internal network.

   [From AG_5_0_3][#46673]

5. If users log on using the Access Gateway Plug-in with a Sierra or AT&T 3G wireless network adapter, the following might occur:

   • Users cannot connect to network resources in the secure network.

   • User connections drop if you disable split tunneling on Access Gateway.

   • User connections with the Access Gateway Plug-in fail to intercept network traffic when the user device resumes from sleep or hibernate. Users can remove the network adapter and then plug it in again to the user device.

   [From AG_5_0_1][#29637, #30290, #30434]

Citrix Receiver

1. When users start their Windows-based computer, the logon prompt from Citrix Receiver appears even though you configured single sign-on with Windows on Access Gateway. If users disable automatic logon in Citrix Receiver Preferences, users must select Citrix Receiver > Logon to log on.

   [From AG_5_0_3][#44383]

2. When users uninstall Citrix Receiver using Add or Remove Programs in Control Panel, the Access Gateway Plug-in is intermittently not removed. Users must restart the computer to establish network connectivity.

   [From AG_5_0_3][#44533]

3. When you configure the Authenticate after system resume setting on Access Gateway, when users are logged on to Citrix Receiver, an Access Gateway session is not disconnected when the user device resumes active state from hibernation or standby state.

   [From AG_5_0_2][#31064]

4. If a user logs on to Citrix Receiver, connects to Access Gateway, and then uses Citrix Merchandising Server to install updates, after restarting the computer, occasionally the Citrix Receiver fails to launch the Secure Access Plug-in and a "cag_plugin.exe - Bad Image" error appears.

   [From AG_5_0_2][#31073]