New NetScaler Firmware: 12.0 Build 53.22

Event NetScaler

Citrix has today released new firmware for NetScaler ADC: 12.0 Build 53.22

What’s New?
The enhancements and changes that are available in Build 53.22.
AAA-TM
  • Support for RSA Private Key Decryption for SAML Operations on a NetScaler MPX FIPS Appliance
    A NetScaler MPX FIPS appliance used as a SAML service provider now supports encrypted assertions.
  • Support for SHA2 Message Digest on a NetScaler MPX FIPS Appliance
    A NetScaler MPX FIPS appliance functioning as a SAML service provider or a SAML identity provider can now be configured to use the SHA2 algorithms on FIPS hardware.
  • Audience Restriction Check Support for NetScaler configured as SAML SP
    A NetScaler appliance configured as a SAML service provider can now enforce an audience restriction check. The audience restriction condition evaluates to “Valid” only if the SAML replying party is a member of at least one of the specified audiences. For more information, see http://docs.citrix.com/en-us/netscaler/12/aaa-tm/saml-authentication.html.
  • Group Attribute Parsing Support from a SAML Assertion
    You can now configure a NetScaler appliance to parse attributes in SAML assertions as group attributes. Parsing them as group attributes enables the appliance to bind policies to the groups. For more information, see http://docs.citrix.com/en-us/netscaler/12/aaa-tm/saml-authentication.html.
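The audience restriction check and the group-attribute parsing listed above are shown together in the added Python example below (written for this post, not NetScaler code). The assertions, entity IDs and the `memberOf` attribute name are constructed; signature and validity-period verification are assumed to have happened before these checks run.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not a real capture). Signature, timestamps and
# SubjectConfirmation data are omitted; a real SP verifies those first.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2017-11-01T10:00:00Z">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://gateway.example.test/saml/sp</saml:Audience>
      <saml:Audience>https://gateway-alt.example.test/saml/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>vpn-users</saml:AttributeValue>
      <saml:AttributeValue>admins</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="mail">
      <saml:AttributeValue>alice@example.test</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Second constructed assertion with two AudienceRestriction elements. SAML
# evaluates each one independently, so the relying party must satisfy both.
TWO_RESTRICTIONS = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-2" Version="2.0" IssueInstant="2017-11-01T10:00:00Z">
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://gateway.example.test/saml/sp</saml:Audience>
    </saml:AudienceRestriction>
    <saml:AudienceRestriction>
      <saml:Audience>https://partner.example.test/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def audience_restriction_valid(assertion_xml: str, sp_entity_ids) -> bool:
    """True only if every AudienceRestriction names one of our SP entity IDs."""
    root = ET.fromstring(assertion_xml)
    restrictions = root.findall("saml:Conditions/saml:AudienceRestriction", NS)
    if not restrictions:
        # Policy choice for a strict SP: an assertion that names no audience at
        # all is rejected, so it cannot be replayed to us from another SP.
        return False
    ours = set(sp_entity_ids)
    for restriction in restrictions:
        audiences = {(a.text or "").strip()
                     for a in restriction.findall("saml:Audience", NS)}
        # SAML 2.0 Core 2.5.1.4: one restriction is Valid if the relying party
        # matches at least one of its Audience values; all must be Valid.
        if not audiences & ours:
            return False
    return True


def groups_from_assertion(assertion_xml: str, group_attr_name: str) -> list:
    """Collect the values of the attribute configured to carry group names."""
    root = ET.fromstring(assertion_xml)
    groups = []
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != group_attr_name:
            continue
        for value in attr.findall("saml:AttributeValue", NS):
            text = (value.text or "").strip()
            if text:
                groups.append(text)
    return groups


def authorize(assertion_xml: str, sp_entity_ids, group_attr_name: str):
    """Audience check first; groups only matter for an accepted assertion."""
    if not audience_restriction_valid(assertion_xml, sp_entity_ids):
        return None
    return groups_from_assertion(assertion_xml, group_attr_name)
```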
Licensing
  • Support for Higher Number of vCPUs
    With NetScaler Pooled Capacity, the NetScaler VPX instances can be configured for bandwidth licensing up to 100G and 20 vCPUs.
    With NetScaler Check-in/Check-out licensing, the NetScaler VPX instances can be configured with bandwidth licenses up to 100G.
NetScaler CPX
  • Ability to Assign Multiple Interfaces to NetScaler CPX
    You can now assign dedicated network interfaces to the NetScaler CPX container by using a NetScaler CPX-specific environment variable. The network interfaces that you define are held by the NetScaler CPX container until you uninstall the NetScaler CPX container. For more information, see http://docs.citrix.com/en-us/netscaler-cpx/12/deploy-using-docker-image-file.html.
NetScaler Gateway
  • SNI Support for NetScaler Gateway
    A NetScaler Gateway appliance can now be configured to include a server name indication (SNI) extension in the SSL “client hello” packet sent to the backend server. The SNI extension helps the backend server identify the FQDN being requested during the SSL handshake and respond with the respective certificates.
    Note: Enable SNI support when multiple SSL domains are hosted on the same server.
    For more information, see http://docs.citrix.com/en-us/netscaler-gateway/12/configuring-server-name-indication-extension.html.
NetScaler VPX Appliance
  • OVS DPDK for NetScaler VPX Instances Running on KVM
    You can configure a NetScaler VPX instance running on KVM to use Open vSwitch (OVS) with the Data Plane Development Kit (DPDK). This configuration provides better network performance. Also, certain NetScaler VPX deployments require the VPX host on KVM to operate on the vhost user ports exposed by OVS rather than the standard MacVTap-based vhost interfaces.
    For more information, see http://docs.citrix.com/en-us/netscaler/12/deploying-vpx/install-vpx-on-kvm/configure-ovs-dpdk-kvm.html.
  • Active/Passive Multi-NIC Multi-IP HA-INC Deployment on Azure
    You can deploy a NetScaler VPX pair with multiple IP addresses and network interfaces in active/passive high availability (HA) Independent Network Configuration (INC) mode. Use the new Citrix NetScaler HA template on Azure for deployment, or use Windows PowerShell commands.
    For more information, see the following topics:
    http://docs.citrix.com/en-us/netscaler/12/deploying-vpx/deploy-vpx-on-azure/configuring-multiple-azure-nics-ip-for-vpx-in-ha-mode.html
    http://docs.citrix.com/en-us/netscaler/12/deploying-vpx/deploy-vpx-on-azure/configuring-gslb-active-standby-ha-deployment-azure.html
  • NetScaler VPX Check-In/Check-Out Licensing Support for New Licenses
    You can now purchase and use the new 10Gbps+ NetScaler VPX Check-In/Check-Out Licenses for NetScaler VPX instances deployed on any supported hypervisors, and for instances used in cloud deployments. The newly supported licenses include 10Gbps, 15Gbps, 25Gbps, 40Gbps and 100Gbps versions of the Standard, Enterprise, and Platinum editions.
  • SR-IOV Support with Intel X710 10G and XL710 40G NICs
    You can now configure a NetScaler VPX appliance to use single-root I/O virtualization (SR-IOV) technology with Intel X710 10G and XL710 40G NICs.
    For more information, see http://docs.citrix.com/en-us/netscaler/12/deploying-vpx/install-vpx-on-kvm/configure-SR-IOV-KVM.html.
  • Support for SR-IOV Interfaces for NetScaler VPX Instances on AWS
    After you have created a NetScaler virtual instance on AWS, you can use the AWS CLI to configure the virtual appliance to use SR-IOV network interfaces. For more information, see http://docs.citrix.com/en-us/netscaler/12/deploying-vpx/install-vpx-on-aws/Config-NS-VPX-SRIOV-AWS.html.
  • Auto-Provision a NetScaler VPX Instance by Using Virtual Machine Manager
    You now have the option to auto-provision a NetScaler VPX instance by using the Virtual Machine Manager. If auto-provisioning is enabled, the IP address, gateway, and netmask are automatically assigned to the instance during initial setup. If auto-provisioning is not enabled, you must provide the networking configuration manually.
    For more information, see http://docs.citrix.com/en-us/netscaler/12/deploying-vpx/install-vpx-on-kvm/provision-on-kvm-using-vmm.html.
Platform
  • Support for Pooled Licensing
    NetScaler MPX 115xx models are now supported with pooled licensing. For more information about pooled licensing, see http://docs.citrix.com/en-us/netscaler-mas/12/netscaler-pooled-capacity.html.
SSL
  • Secure Implementation of Session Tickets
    You can now secure session tickets by using a symmetric key to encrypt them. Additionally, to achieve forward secrecy, you can specify a time interval at which the session-ticket key is refreshed. Session-ticket keys can be generated by the appliance, or you can manually enter session-ticket key data. Entering this data manually is helpful in HA or cluster deployments so that the appliances can decrypt each other’s session tickets.
    For more information about this enhancement, see http://docs.citrix.com/en-us/netscaler/12/ssl/customize-ssl-config/secure-implementation-of-session-tickets.html.
  • Recording the time taken for an SSL handshake in the syslog
    The time taken for an SSL handshake to complete can now be recorded in the system log (syslog). To do this, set the log level in the syslog parameters to All.
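The session-ticket enhancement above (symmetric encryption, a refresh interval for forward secrecy, and manually entered key data so HA or cluster peers can open each other's tickets) is illustrated by the added Python below, written for this post and not NetScaler's implementation. It follows the RFC 5077 section 4 ticket layout (key name, nonce, encrypted state, MAC) and, because the standard library has no AES, uses HMAC-SHA256 in counter mode as the keystream; the key names and secrets used in the test are constructed values.

```python
import hashlib
import hmac
import os

KEY_NAME_LEN, NONCE_LEN, TAG_LEN = 16, 16, 32


class TicketKey:
    """One ticket key: a 16-byte name sent in the clear plus 32 bytes of secret."""

    def __init__(self, name: bytes, secret: bytes):
        if len(name) != KEY_NAME_LEN or len(secret) != 32:
            raise ValueError("key name must be 16 bytes and secret 32 bytes")
        self.name = name
        # Separate encryption and MAC subkeys derived from the one shared secret,
        # so an operator only has to enter a single value on each node.
        self.enc_key = hmac.new(secret, b"ticket-enc", hashlib.sha256).digest()
        self.mac_key = hmac.new(secret, b"ticket-mac", hashlib.sha256).digest()

    @classmethod
    def generate(cls):
        # Appliance-generated key: peers cannot open its tickets unless the
        # key data is copied to them.
        return cls(os.urandom(KEY_NAME_LEN), os.urandom(32))

    @classmethod
    def from_hex(cls, name_hex: str, secret_hex: str):
        # Manually entered key data, the same on every HA or cluster node.
        return cls(bytes.fromhex(name_hex), bytes.fromhex(secret_hex))

    def _keystream(self, nonce: bytes, length: int) -> bytes:
        # HMAC-SHA256 in counter mode as the keystream (stdlib stand-in for AES-CTR).
        blocks, counter = [], 0
        while sum(len(b) for b in blocks) < length:
            msg = nonce + counter.to_bytes(4, "big")
            blocks.append(hmac.new(self.enc_key, msg, hashlib.sha256).digest())
            counter += 1
        return b"".join(blocks)[:length]

    def seal(self, state: bytes) -> bytes:
        # RFC 5077 section 4 layout: key_name || nonce || encrypted_state || MAC.
        nonce = os.urandom(NONCE_LEN)
        ks = self._keystream(nonce, len(state))
        body = self.name + nonce + bytes(a ^ b for a, b in zip(state, ks))
        return body + hmac.new(self.mac_key, body, hashlib.sha256).digest()

    def open(self, ticket: bytes):
        if len(ticket) < KEY_NAME_LEN + NONCE_LEN + TAG_LEN:
            return None
        body, tag = ticket[:-TAG_LEN], ticket[-TAG_LEN:]
        expected = hmac.new(self.mac_key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return None  # forged or corrupted ticket: reject before decrypting
        nonce = body[KEY_NAME_LEN:KEY_NAME_LEN + NONCE_LEN]
        ciphertext = body[KEY_NAME_LEN + NONCE_LEN:]
        ks = self._keystream(nonce, len(ciphertext))
        return bytes(a ^ b for a, b in zip(ciphertext, ks))


class TicketKeyRing:
    """Issuing key plus a bounded history of older keys that may still decrypt."""

    def __init__(self, key: TicketKey, retain_previous: int = 1):
        self.keys = [key]  # keys[0] seals new tickets; the rest only open old ones
        self.retain_previous = retain_previous

    def rotate(self, new_key=None) -> None:
        # Run once per refresh interval. Discarding the oldest key is what yields
        # forward secrecy: tickets sealed under it can never be opened again.
        self.keys.insert(0, new_key or TicketKey.generate())
        del self.keys[self.retain_previous + 1:]

    def seal(self, state: bytes) -> bytes:
        return self.keys[0].seal(state)

    def open(self, ticket: bytes):
        # The clear-text key name selects the key; an unknown name means the
        # ticket is stale and the client falls back to a full handshake.
        name = ticket[:KEY_NAME_LEN]
        for key in self.keys:
            if hmac.compare_digest(key.name, name):
                return key.open(ticket)
        return None
```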
Telco
  • Configuring IPSec Application Layer Gateway for Large Scale NAT44
    If communication between two network devices (for example, client and server) uses the IPSec protocol, IKE traffic (which is over UDP) uses port fields, but Encapsulating Security Payload (ESP) traffic does not. If a NAT device on the path assigns the same NAT IP address (but different ports) to two or more clients at the same destination, the NAT device is unable to distinguish and properly route the return ESP traffic. Therefore, IPSec ESP traffic fails at the NAT device.
    NAT-Traversal (NAT-T) capable IPSec endpoints detect the presence of an intermediate NAT device during IKE phase 1 and switch to UDP port 4500 for all subsequent IKE and ESP traffic (encapsulating ESP in UDP). Without NAT-T support on the peer IPSec endpoints, IPSec protected ESP traffic is transmitted without any UDP encapsulation. Therefore, IPSec ESP traffic fails at the NAT device.
    The NetScaler appliance supports IPSec application layer gateway (ALG) functionality for large scale NAT configurations. The IPSec ALG processes IPSec ESP traffic and maintains session information so that the traffic does not fail when the IPSec endpoints do not support NAT-T (UDP encapsulation of ESP traffic).
    For more information, see https://docs.citrix.com/en-us/netscaler/12/netscaler-support-for-telecom-service-providers/lsn-introduction/lsn-configuring-alg/configure-ipsec-application-layer-gateway-for-large-scale-nat.html.
  • URL Filtering for Telco Mobile Networks
    The new NetScaler URL Filtering feature for telco mobile networks provides policy-based control of websites by using information contained in a URL. The feature helps administrators monitor and comply with government-mandated safe internet usage policies on mobile networks. As an administrator, you can filter websites by using either the URL Categorization feature or the URL List feature.
    URL Categorization. Controls access to websites and web pages by filtering traffic on the basis of a predefined list of categories.
    URL List. Controls access to blacklisted websites and web pages by denying access to URLs contained in a URL set imported into the appliance.
    For more information, see http://docs.citrix.com/en-us/netscaler/12/netscaler-support-for-telecom-service-providers/url-filtering.html.
  • IPFIX Logging Support for Large Scale NAT
    The NetScaler appliance supports sending information about LSN events in Internet Protocol Flow Information Export (IPFIX) format to the configured set of IPFIX collector(s).
    The appliance uses the existing AppFlow feature to send LSN events in IPFIX format to the IPFIX collectors.
    IPFIX based logging of LSN events is available for the following events in the context of NAT44, NAT64, and Dual-Stack Lite.
    * Creation or deletion of an LSN session.
    * Creation or deletion of an LSN mapping entry.
    * Allocation or de-allocation of port blocks in the context of deterministic NAT.
    * Allocation or de-allocation of port blocks in the context of dynamic NAT.
    * Whenever subscriber session quota is exceeded.
    For more information about IPFIX logging for large scale NAT44, see IPFIX Logging section in http://docs.citrix.com/en-us/netscaler/12/netscaler-support-for-telecom-service-providers/lsn-introduction/lsn-logging-monitoring.html.
    For more information about IPFIX logging for dual-stack lite, see IPFIX Logging section in http://docs.citrix.com/en-us/netscaler/12/netscaler-support-for-telecom-service-providers/dual-stack-lite/logging-monitoring-DS-Lite.html.
    For more information about IPFIX logging for large scale NAT64, see IPFIX Logging section in http://docs.citrix.com/en-us/netscaler/12/netscaler-support-for-telecom-service-providers/lsn-nat-64/log-monitor-largescale-nat64.html.
  • NetScaler Video Optimization: Support for QUIC over UDP Protocol for Encrypted ABR Traffic
    The NetScaler video optimization feature is now enhanced to optimize video delivery over TCP (as HTTP and HTTPS traffic) and UDP (as QUIC traffic). The appliance can detect incoming video traffic as Adaptive Bit Rate (ABR) and optimize both the unencrypted and the encrypted video. The new capabilities are especially useful for reducing the overall network bandwidth consumption in mobile networks.
    For more information, see http://docs.citrix.com/en-us/netscaler/12/netscaler-support-for-telecom-service-providers/NetScaler-Video-Optimization.html.

Fixed Issues
The issues that are addressed in Build 53.22.
AAA-TM
  • If external LDAP authentication uses a case-insensitive user name, NetScaler AAA is unable to lock the user name after the number of attempts specified by the Max Login Attempts parameter.
  • If you set the ‘Validate LDAP Server Certificate’ parameter in an LDAP server configuration, you can log on even if the hostname does not match. With this fix, the hostname is checked when the option is enabled.
  • A NetScaler appliance configured for NetScaler AAA becomes unresponsive during a VPN session if both of the following conditions are met:
    • The primary session is in the timed out state.
    • The secondary session is in sync but the actual state of the session is reset to zero.
  • An attempt to change an LDAP password through the NetScaler Gateway virtual server fails if the new password includes any multibyte UTF-8 characters, such as German umlauts (for example, kölnbonn207), Latin small letter sharp s (for example, straße2017), or special characters (for example, &%$§1Lucie-Marie).
  • A NetScaler appliance can add multiple NetScaler AAA groups, but the “save config” operation saves only the first group.
  • If the LDAP bind account password used on a NetScaler appliance contains the “at” special character (@), test connection performed on LDAP server fails, and the dashboard shows that the LDAP server is down.
AppFlow
  • A NetScaler appliance does not generate AppFlow records if an action is set to RESET in an SSL or responder policy.
Application Firewall
  • If you use the CLI of a NetScaler AppFirewall appliance to display an enum definition, the AS_CCARD_DEFAULT_CARD_TYPE default value for credit card options is not included.
  • After an upgrade from an earlier release 11.0 build to release 11.1 build 55.4, the ‘APPFW_RESET’ and ‘APPFW_DROP’ AppFw profiles do not appear when you run the sh appfw profile command with the “more” option.
    For example:
    sh appfw profile | more
    1) Name: APPFW_BYPASS LogEveryPolicyHit: OFF
    2) Name: APPFW_RESET LogEveryPolicyHit: ON
    3) Name: APPFW_DROP LogEveryPolicyHit: ON
    4) Name: APPFW_BLOCK UseHTMLErrorObject: OFF
    This issue does not occur after upgrading a NetScaler AppFirewall appliance to release 11.1 build 55.8.
  • The NetScaler appliance crashes when security insight is enabled and the application firewall detects a violation of the maximum limit for fld_name length.
    Set the fld_name length limit to the same value as MAX_AS_NAME_LEN.
Clustering
  • The NetScaler appliance might fail to reestablish a connection if both of the following conditions are met:
    • The policy engine (PE) receiving the traffic is in the DOWN state.
    • The NetScaler buffer (NSB) is kept on hold by a recovery mechanism.
Content Switching
  • In some cases, the NetScaler appliance might fail after a set command is run on a content switching virtual server.
Load Balancing
  • Resetting a server connection resets the connections to all services configured with the same IP address and port number. As a result, connections to the service group members are also reset. With this fix, deleting a service that has the same IP address and port number as that of other service group members does not affect the service group connections.
  • In a high availability (HA) setup, an unusually large spike in the number of persistent connections might result in underperformance of the Secure Socket Funneling (SSF) channel between the primary node and the secondary node. The underperformance can eventually lead to session buildup on the primary node and cause persistence to fail.
  • In a high availability (HA) setup, if domain-based services are configured and the secondary node does not receive any Service State Sync (SSS) update for the services for more than 247 days, a packet engine might crash when this node becomes the primary node.
  • The NetScaler appliance resets a client-side TCP connection if a virtual server with spillover (SO) persistence enabled is bound to the load balancing group. With this fix, the client-side TCP connection is not reset.
  • If an add lb monitor command specifies an httprequest argument value of more than 77 characters, a subsequent show command shows an incorrect httprequest value for the HTTP requests that the monitor sends to the CLIP address. The NetScaler appliance’s ns.conf file also contains the incorrect httprequest value for the monitor. Also, the other nodes (non-CCO) in the cluster are updated with the incorrect httprequest value by the configsync process.
NITRO
  • If you make multiple NITRO API calls in parallel, the responses might return incorrect results.
  • Restarting a NetScaler appliance after upgrading it to release 12.0 might cause the appliance to fail to respond to NITRO requests.
  • The .NET SDK GET call fails with the following exception if it is made with a parameter that accepts boolean values:
    Invalid argument value [<attribute>].
    Example:
    When the “internal” attribute of service_args is set to “true”, a get on service_args yields the following exception:
    Invalid argument value [internal]
NS-Gateway
  • NetScaler: AAA-TM
    After an upgrade from an earlier release 10.5 build 60.7 to release 11.1 build 52.32, if the client sends an invalid basic authorization header as “Authorization: Basic (null)”, then NetScaler appliance does not perform single sign-on (SSO) to access the backend.
NetScaler GUI
  • When using the XenApp and XenDesktop wizard, the Retrieve Stores functionality intermittently fails on the first click.
NetScaler Gateway
  • A user of Internet Explorer version 8 or 9 can’t establish a VPN connection through a NetScaler Gateway appliance that uses the RfWebUI portal theme. The VPN virtual server doesn’t respond.
  • In rare cases, upon accessing NetScaler Gateway using Clientless Virtual Private Network (CVPN), NetScaler Gateway dumps core if SSO and Proxy are configured in Traffic policy.
  • In rare situations, a NetScaler Gateway appliance dumps core when processing forms based SSO to URLs larger than 4 KB.
  • If you use the NetScaler Gateway plug-in for Windows, a simultaneous download of 128 or more files fails upon accessing NetScaler Gateway.
  • In rare situations, a NetScaler Gateway appliance dumps core if it receives incorrect SOCKS requests from clients.
  • The NetScaler appliance deletes the JSESSIONID cookie from the HTTP request before sending the request to the origin server.
  • In rare scenarios, NetScaler dumps core while binding Classic session policies to an existing binding entity, when you have multiple VPN policies configured on the NetScaler.
  • When you have Windows AutoLog-ON feature enabled on your NetScaler Gateway appliance, during logon the client is unable to find the “nsauto.exe” file because the path to the file is incorrectly truncated.
    The issue is noticed when you modify the following registry entry:
    NtfsDisable8dot3NameCreation
    This registry entry truncates the applications file path in Windows.
  • NetScaler Gateway does not comply with RFC7230 for POSTLOGINFLAGS headers.
  • In a double-hop deployment, a NetScaler Gateway appliance intermittently dumps core when the first-hop server receives a TCP RST event from the second-hop server.
  • Both of the following issues are fixed:
    – A NetScaler Gateway appliance becomes unresponsive because the Gateway plug-in continuously tries to connect to the Gateway server.
    – The VPN plug-in displays the Connect button instead of automatically logging on, even when the client certificate is cached and the AlwaysON feature is enabled.
  • Some traffic patterns cause application launch through NetScaler Gateway to fail if EDT is enabled on virtual desktop applications.
  • A single sign-on (SSO) attempt might use the wrong domain in a configuration that has parent and child domains. If SSO expressions are used to compute the correct domain, the NetScaler appliance uses the domain obtained at the time of logon instead of the one computed with the expression.
  • In rare scenarios, NetScaler Gateway dumps core if you have an SSL-Proxy configured at NetScaler Gateway and you access the intranet web application through a Clientless Virtual Private Network (CVPN) via Gateway that has proxy-authentication configured at proxy.
NetScaler NITRO
  • NetScaler logon credentials are locked and the error message “connection limit CFE exceeded” appears if the following conditions are met:
    – The “show ns runningconfig” command takes a long time to execute.
    – The same command is re-run multiple times while the first command is still running in the background.
    The NetScaler appliance remains locked until the command completes.
NetScaler Secure Web Gateway
  • A NetScaler Secure Web Gateway appliance does not support the URL List feature in a high availability setup.
NetScaler VPX Appliance
  • After a failover of a NetScaler VPX HA setup running on AWS, the interfaces from both the nodes do not attach and detach properly. This happens if the stack name of the Citrix CloudFormation template exceeds 25 characters.
    With the fix, the stack name of the Citrix CloudFormation template supports up to 90 characters.
  • DNS resolution for existing DNS configurations fails after you upgrade a NetScaler VPX instance running on AWS to release 12.0 build 53.20.
Networking
  • When you remove a static route, the NetScaler appliance does not advertise the connected route that has the same prefix as that of the removed static route and for which the DRADV mode is enabled.
  • If the IP address (type VIP) of a virtual server is bound to a net profile, deleting the virtual server also removes the IP address from the net profile.
Optimization
  • The Video Optimization feature is supported on 32-bit NetScaler platforms only. If you deploy the feature on a 64-bit platform, the appliance displays an error message and crashes.
Policies
  • A log message is not logged for the Responder module when the NetScaler appliance receives a request and processes policies for a different module while a client request sent to the Responder module awaits log processing.
  • Clearing a NetScaler system configuration causes the appliance to fail if an HTTP profile references a patset configuration entity.
  • The HTTP.REQ.TXID and HTTP.RES.TXID policy expressions return the same “universally unique identifier” (UUID) for different transactions.
SSL
  • The connection with the back-end server is terminated if OCSP validation for the server certificate fails, even though OCSP validation is optional.
  • A certificate without a common name field in the subject name fails to load.
  • Session ticket parameters are saved in the configuration (ns.conf) file even though session tickets are not enabled in the SSL profile. As a result, if you upgrade to release 12.0 builds 41.x or build 51.x, you might observe a loss in configuration.
  • In some cases, a NetScaler appliance might crash if it finds invalid data while parsing the binary certificate.
  • If two certificates issued by two different CAs have the same OCSP URL, addition of one of the certificate-key pairs might fail.
    Example
    1. CA certificate C1 is used to issue certificate S1, which contains OCSP_URL1.
    2. Certificate-key pairs for both C1 and S1 are added successfully on the NetScaler appliance.
    3. CA certificate C2 is used to issue certificate S2, which also contains OCSP_URL1.
    4. If you first add a certificate-key pair for S2, it is successful but adding a certificate-key pair for C2 fails. If you reverse the order, adding a certificate-key pair for C2 is successful but adding a certificate-key pair for S2 fails.
  • The service group members do not appear in the output of the “show lb vserver <name>” command if it is run on a cluster IP address.
  • In a cluster setup, a certificate update fails, with the following error, if the certificate is in DER format.
    Error :: No such resource
  • For requests less than 255 bytes long, you can configure the HTTP GET method for queries to an OCSP server. If you specify the GET method but the length is greater than 255 bytes, the appliance uses the POST method by default.
    To set the method by using the NetScaler CLI
    At the command prompt, type:
    set ssl ocspResponder <name> -httpMethod GET
  • If you try to add a certificate-key pair containing an unsupported OID in the Subject Alternative Name (SAN) field of the certificate, the following error message appears:
    ERROR: Invalid OID for SAN entry in certificate
  • Some client authentication connections might be dropped if OCSP check is set to mandatory and an OCSP domain name entry is not found in the NetScaler DNS cache.
System
  • A NetScaler appliance might crash if it receives a FIN packet with multiple invalid SACK blocks from the origin server and tries to forward the packet to an MPTCP client.
  • In an SSL connection with a client, the NetScaler appliance does not evaluate the SSL policies for HTTP/2 streams.
  • When a client times out and sends a message longer than one packet, TCP sends a FIN packet to the application handler (for example, SSL). When TCP receives the second packet, it directly sends the packet to the application handler. As a result, the application handler generates a close notify alert for the first packet and an RST alert for the second packet.
  • The NetScaler appliance does not include the latest DATA_ACK packet in the retransmitted data segments. It reuses DATA_ACK packets that were sent in the original data segment.
  • In a SYSLOG action, setting the netProfile parameter during a log transfer causes multiple SYSLOGTCP connections to be established but only one connection serves the log traffic.
  • The NetScaler appliance crashes if the total number of TimeWait connections exceeds 7000 while the MPTCP feature is enabled.
  • A NetScaler appliance can become unresponsive if it hosts a wildcard load balancing virtual server that has the use source IP option enabled and the use proxy port option disabled. The failure occurs if the virtual server associates the outgoing probe connection information with different incoming connections destined to the same server.
  • A user cannot log on to NetScaler Gateway because of high memory utilization.
  • If the session ID maintained for clients exceeds the threshold of 16 million entries, the configuration engine might crash. That affects the management traffic. As a result, the management connection closes and the manager must log back on to the NetScaler appliance.
  • If a NetScaler-inserted cookie is deleted from the end of a cookie header, the appliance does not remove the preceding semicolon. As a result, an extra semicolon is sent at the end of the cookie header when forwarding it to the back-end server.
  • A NetScaler appliance might crash, if a particular sequence of white space and CR-LF characters is sent to an HTTP or SSL virtual server instead of a valid HTTP request.
  • An attempt to configure a NetScaler appliance that uses Cloudstack can cause the appliance to fail. If the Cloudstack AutoScale feature or an AutoScale policy is configured with the IP address of a server, an attempt to configure the appliance through the NetScaler CLI instead of through CloudPlatform or Cloudstack binds the IP-address based server to the AutoScale Policy service group. This causes the appliance to crash.
  • Some packets become invalid and are dropped when policies are applied. If HTTP/2 packets are dropped, the NetScaler appliance fails to send a rst_stream frame to the client, which causes the appliance to crash when new packets arrive.
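The Cookie-header issue in the System list above (a NetScaler-inserted cookie removed from the end of the header, leaving the separator that preceded it) is the kind of defect the added Python below reproduces and corrects. This is illustrative code written for this post, not NetScaler's; the cookie values are constructed, and `JSESSIONID` is used only because it is the cookie named elsewhere on this page.

```python
def strip_cookie(cookie_header: str, name: str) -> str:
    """Remove one cookie from a Cookie header and re-join the rest per RFC 6265."""
    kept = []
    for pair in cookie_header.split(";"):
        pair = pair.strip()
        if not pair:
            continue                       # tolerate a stray ";" on the way in
        key = pair.split("=", 1)[0].strip()
        if key != name:                    # exact name match, not a substring
            kept.append(pair)
    return "; ".join(kept)                 # cookie-pair *( ";" SP cookie-pair )


def strip_cookie_naive(cookie_header: str, name: str) -> str:
    """Substring splice that reproduces the defect class: fine for a cookie in
    the middle, wrong for the last one (and 'name=' also matches 'Xname=')."""
    start = cookie_header.find(name + "=")
    if start < 0:
        return cookie_header
    end = cookie_header.find(";", start)
    if end < 0:
        # Last cookie: cutting at 'start' keeps the "; " separator that
        # preceded the removed cookie, so the header ends in a dangling ";".
        return cookie_header[:start]
    return cookie_header[:start] + cookie_header[end + 2:]   # assumes "; "
```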
Telco
  • On the NetScaler T-13xx platform, the NetScaler software incorrectly calculates the minimum memory required for large scale NAT (LSN) configurations. The NetScaler appliance might become unresponsive if the memory limit is set to a value lower than the incorrectly calculated minimum required memory displayed in the “show extendedmemory” output.