Maintenance build package name: build-10.1.123.1100.e_nc.tgz
For: NetScaler Gateway 10.1, Build 123.1100.e
Replaces: None
Date: March, 2013
Language supported: English (US)
Readme version: 1.0

Important Notes About This Release

1. Caution! This release may require you to edit the registry. Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.

2. Do not interrupt the install/uninstall process of this hotfix by clicking Cancel. Interrupting the process prevents a clean rollback and leaves your original installation corrupted.

Where to Find Documentation

This document describes the issue(s) solved, new features, and known issues in this build and includes installation instructions.

The latest version of the product documentation is available from Citrix eDocs at http://edocs.citrix.com.

Installing This Maintenance Build

The latest version of the NetScaler Gateway software can be downloaded from the Citrix web site.

To download the NetScaler Gateway software from the Citrix web site

1. Go to the Citrix Web site, click My Account, and then log on.

2. At the top of the web page, click Downloads.

3. Under Find Downloads, select NetScaler Gateway.

4. In Select Download Type, select Product Software and then click Find.

5. On the NetScaler Gateway page, click NetScaler Gateway 10.1.

6. Select the software and then click Download.

When the software is downloaded to your computer, you can install the software by using the Upgrade Wizard in the Configuration Utility or the command-line interface.

To install the maintenance build by using the Upgrade Wizard

1. In the Configuration Utility, in the left pane, click System.

2. In the right pane, click Upgrade Wizard.

3. Click Next and then follow the directions in the wizard.

To install this maintenance build by using the command-line interface

1. To upload the software to the NetScaler Gateway, use a secure FTP client to connect to the appliance.

2. Copy the software from your computer to the /var/nsinstall directory on the appliance.

3. Open a Secure Shell (SSH) client to open an SSH connection to the appliance.

4. At a command prompt, type shell.

5. At a command prompt, type cd /var/nsinstall to change to the nsinstall directory.
   To view the contents of the directory, type ls.

6. To unpack the software, type tar –xvzf build_X_XX.tgz, where build_X_XX.tgz is the name of the build to which you want to upgrade.

7. To start the installation, at a command prompt, type ./installns.

8. When the installation is complete, restart NetScaler Gateway.

9. When the NetScaler Gateway restarts, at a command prompt type what or show version to verify successful installation.

NetScaler Gateway 10.1 Compatibility with Citrix Products

The following table provides the Citrix product names and versions with which NetScaler Gateway 10.1 is compatible.

Citrix Product	Release Version	Notes
Branch Repeater or CloudBridge	5.5, 6.1, 6.2, and 7.0
NetScaler	9.2, 9.3, 10.0 and 10.1.120.1316.e
NetScaler Platforms	MPX 5550, MPX 7500, MPX 10500, Xen VPX
NetScaler VPX	9.1, 9.2, 9.3, 10.1, and 10.1.120.1316.e
Receiver Storefront	1.2, 2.0, and 2.1
VDI-in-a-Box	5.1 and 5.0.3	Compatibility with VDI-in-a-Box, Version 5.0.3 supports the SOCKet Secure (SOCKS) protocol only.
Web Interface	4.5, 5.0.1, 5.1, 5.2, 5.3, and 5.4
XenApp	6.5 for Windows Server 2008 R2
XenDesktop	7.0, and 7.1
XenMobile	8.6	NetScaler Gateway 10.1 enhancement builds, starting with Build 120.1316.e, support XenMobile 8.6.
XenMobile App Edition	App Controller 2.8 and 2.9

Supported Receivers and Plug-ins

Receiver or Plug-in	Release Version	NetScaler Gateway Version
NetScaler Gateway Plug-in for Mac OS X		Supports Mac OS X 10.9 (Mavericks) on 10.1, Build 120.1316.e
NetScaler Gateway Plug-in for Windows		Supports Windows 8.1 on 10.1, Build 120.1316.e
Receiver for Android	3.4.x
Receiver for iOS	5.8.x
Receiver for Mac	11.8	Version 11.8.2 is supported on a minimum of 10.1, Build 120.1316.e
Receiver for Windows	4.0, and 4.1
Worx Home for iOS	8.5 and 8.6	Versions 8.5 and 8.6 are supported on a minimum of 10.1, Build 120.1316.e
Worx Home for Android	8.5 and 8.6	Versions 8.5 and 8.6 are supported on on a minimum of 10.1, Build 120.1316.e
WorxMail for iOS	1.3.3-16	Supported on a minimum of 10.1, Build 120.1316.e
WorxWeb for iOS	1.3.1-3	Supported on a minimum of 10.1, Build 120.1316.e.
WorxMail for Android	1.3.13-233936	Supported on a minimum of 10.1, Build 120.1316.e
WorxWeb for Android	1.3.3-234245	Supported on a minimum of 10.1, Build 120.1316.e

New Features in This Release

NetScaler Gateway 10.1, Build 123.1100.3 supports the following new features:

Tranferring ICA Proxy Sessions Between Devices

If you configure a SmartAccess virtual server, when users log on from multiple devices, you can transfer the ICA Proxy session to another device and restrict users to one Universal license. For example, if users log on by using Citrix Receiver on their computer and then log on again from a mobile device, this consumes two NetScaler Gateway Universal licenses and creates two sessions for one user. You can prevent the two sessions by enabling the setting ICA Proxy Session Migration on the virtual server. When you enable this setting, the user session transfers to the new device and uses one Universal license.

To enable session transfer

1. In the configuration utility, on the Configuration tab, in the navigation pane, expand NetScaler Gateway and then click Virtual Servers.

2. In the details pane, select a SmartAccess virtual server and then click Open.

3. Select ICA Proxy Session Migration and then click OK.

Testing Connections for a XenMobile Deployment

You can test internal servers when you configure XenMobile settings on the appliance. When the test runs, it checks for the following conditions:

• If the connection can reach the servers in the internal network.

• If the correct ports are open on the firewalls.

• If the server is the intended server or not. For example, if the connection test is to an LDAP server, the check validates if the LDAP service is running on the server.

When the connection check is finished, a window opens with the connection results for all of the servers. Success and failure results are color-coded making it easy to distinguish between the two status results. If there is a failure to any of the servers in the internal network, the status appears red and provides a resolution statement that helps you understand and fix the problem.

The test checks the connections for the following servers:

• Device Manager server

• Device Manager load balancing server

• App Controller virtual machine

• Microsoft Exchange Server

• Microsoft Exchange load balancing server

• ShareFile server

• ShareFile load balancing server

• ShareFile StorageZone Controller

• XenMobile NetScaler Connector (XNC)

• LDAP server configured on NetScaler

• LDAP server configured on SharePoint

• DNS server

To test connections to servers in the internal network

1. Log on to the appliance and in Deployment Type, select XenMobile.

2. In the right pane, under the load balancer server settings, click Run Connectivity Checks.

3. Review the server status and then click Close when finished.

New Features from Previously Released Maintenance Builds

NetScaler Gateway, Build 120.1316.e supports the following new features:

• Advanced endpoint analysis that supports the creation of multiple profiles by using the configuration utility. Citrix recommends using the configuration utility and not the command line to configure advanced endpoint analysis profiles. For more information about advanced endpoint analysis scans, see Creating Advanced Endpoint Analysis Scans in Citrix eDocs.

• Device certificates

• Client certificate authentication for Mac OS X computers

• Kerberos Constrained Delegation (KCD)

• NetScaler Gateway Plug-in for Mac OS X 10.9

• NetScaler Gateway Plug-in for Windows 8.1

• Proxy support for traffic policies

• Support for Internet Explorer 11

NetScaler Gateway Plug-in 3.0 supports the following:

1. Mac OS X 10.9

2. Client certificate authentication

3. Device certificates

4. Endpoint analysis scans

Known Issues in This Release

1. If a failover occurs in a high availability pair, when users refresh their web browser, single sign-on (SSO) fails and users are prompted to log on again.

   [From NG_10_1_120_1316_e][#406564]

2. If users log on to Outlook Web App by using clientless access in a Firefox web browser, sending email fails.

   [From NG_10_1_120_1316_e][#418106]

3. Users can use SSO to CIFS/SMB file shares in the internal network with NTLM authentication. Kerberos Constrained Delegation (KCD) authentication is not supported for SSO to CIFS/SMB file shares.

   [From NG_10_1_120_1316_e][#419570]

4. If you configure client certificate authentication and device certificates on a virtual server, when users attempt to log on by using the NetScaler Gateway Plug-in for Mac OS X, the plug-in fails. Client certificates must be installed on in login.keychain. Device certificates must be installed in system.keychain.

   [From NG_10_1_120_1316_e][#423933]

5. If you install certificates in the login and System keychains on a Mac OS X computer and you configure client certificate authentication and device certificates on NetScaler Gateway, when users log on with the NetScaler Gateway Plug-in, the certificate list contains both login and System keychain certificates. The System keychain certificate requires an administrator password to access the key, whereas the login keychain does not. Users who are not administrators cannot access the system keychain and logon to NetScaler Gateway fails.

   [From NG_10_1_120_1316_e][#423944]

6. If the device certificate installed on NetScaler Gateway is in the Certificate Revocation List (CRL), when users attempt to log on with the revoked certificate, NetScaler Gateway accepts the certificate and allows users to log on.

   [From NG_10_1_120_1316_e][#424109]

7. If you configure device certificates on NetScaler Gateway, when users log on for the first time with Mac OS X 10.9 (Mavericks), the Endpoint Analysis Plug-in for Mac OS X does not run the endpoint analysis scan. Users can log on again and the plug-in runs successfully.

   [From NG_10_1_120_1316_e][#424411]

8. When users log on with NetScaler Gateway Plug-in for Mac OS X, the Safari web browser does not trust the Endpoint Analysis Plug-in. In Safari, users need to explicitly trust the Endpoint Analysis Plug-in.

   [From NG_10_1_120_1316_e][#424415]

9. When users log on and receive the prompt from the Endpoint Analysis Plug-in to select a device certificate, if users wait for a length of time (one to five minutes) to select the certificate, the Endpoint Analysis Plug-in fails.

   [From NG_10_1_120_1316_e][#424453]

10. If you configure device certificates in NetScaler Gateway, the NetScaler Gateway Plug-in for Windows must be installed. In addition, the NetScaler Gateway Plug-in and the Endpoint Analysis Plug-in must be the same version.

    [From NG_10_1_120_1316_e][#424853]

11. If you configure device certificates on NetScaler Gateway, to allow the endpoint analysis scan to run while requiring the keychain administrator credentials, users need to explicitly provide access to the certificates key in the keychain by adding the Endpoint Analysis Plug-in to Accessible Apps in Key Access Control.

    [From NG_10_1_120_1316_e][#426579]

12. If you configure NetScaler Gateway Advanced Endpoint Analysis or device certificates, when users log on with Safari, the Endpoint Analysis Plug-in page appears, even though the plug-in is installed on the user device. To allow the endpoint analysis scan to run, users must quit the web browser. When users open the web browser again, the scan runs and users can log on.

    [From NG_10_1_120_1316_e][#426666]

13. If you create and bind multiple advanced endpoint analysis profiles and device certificates to a virtual server and the endpoint analysis scan runs successfully, if you later unbind endpoint analysis profiles, the scan does not run on the user device. This occurs if you use the invalid logical expressions OR and AND consecutively in the profile or scan.

    [From NG_10_1_120_1316_e][#427026]

14. If users log on without administrator priviledges and install the Endpoint Analysis Plug-in, users receive a prompt to restart the devices when the installation is finished. Users need to restart their device.

    [From NG_10_1_120_1316_e][#427335]

15. If you configure a large number of advanced endpoint analysis scans (approximately 17004 byte-size scans), when users log on with the NetScaler Gateway Plug-in for Windows, the endpoint analysis scan fails.

    [From NG_10_1_120_1316_e][#428353]

16. The NetScaler VPX virtual image does not contain the folders admin_ui, themes, vpn, epa in the /var/netscaler/gui folder. When you install the image, the following might occur:

    • If you install a new instance of NetScaler VPX and then change the theme on the Client Experience tab in a session profile, the theme is not applied when users log on.

    • If you set the default theme for the NetScaler Gateway logon page, the User name and password fields are occasionally interchanged and distorted. If you restart the web browser or clear the cache, the fields appear normally.

    To resolve this issue, copy the file GuiCorrection.sh located in the directory /netscaler/ns_gui/epa/scripts/ path and copy the file to the directory /var/netscaler/gui. After you copy the file, in the NetScaler Gateway command-line interface, run the following commands from the shell:

    cd /var/netscaler/gui

    sh GuiCorrection.sh

    Note: You must run this command from the folder to which you copied the file GuiCorrection.sh.

    The command copies all of the relevant files for the Green Bubble and Default themes.

    [From NG_10_1_120_1316_e][#428425, #429052, #429056, #429060]

17. When you create an advanced endpoint analysis scan by using Unicode or special characters in the name, you cannot bind the policy to a virtual server. Citrix recommends using policy names that do not contain Unicode or special characters.

    [From NG_10_1_120_1316_e][#428696, #428725]

18. If users log on from a Windows 8.1 computer and Internet Explorer 11, the web browser redirects to the download plug-in page even though the plug-in is the same version installed on the device. Users can proceed by clicking the Run add on message.

    [From NG_10_1_120_1316_e][#428973]