New NetScaler Firmware 12.0 Build 57.19

NetScaler

Citrix has released yesterday a new Firmware for NetScaler 12.0 Build 57.19

The enhancements and changes that are available in Build 57.19.

AAA-TM

  • Key based Authentication Support for LDAP Users
    A NetScaler appliance can now authenticate the LDAP users by using key based authentication.
  • Support for Non-Blocking of TACACS Accounting and Authorization Requests
    The Terminal Access Controller Access-Control System (TACACS) is now not blocking the NetScaler AAA daemon while sending the TACACS accounting request. With this enhancement, the NetScaler AAA daemon allows LDAP, and RADIUS authentication to proceed with the request. The TACACS authentication request resumes once TACACS server acknowledges the TACACS request.

CloudBridge Connector

  • AES 256-bit Support
    The NetScaler appliance now supports AES 256-bit encryption algorithm for IPSec tunnel (CloudBridge Connector) configurations.

GSLB

  • Service Groups Support for GSLB
    The NetScaler appliance now supports service groups for GSLB. The following types of GSLB service groups are supported:
    – IP address-based service groups
    – Domain name-based service groups
    – Domain name-based autoscale service groups
    You can configure the GSLB service groups to use domain names instead of IP addresses when referring to the load balancing endpoints.

Load Balancing

  • Support for Gx Interface in a Cluster Topology
    The NetScaler appliance now supports Gx interface in a cluster topology.

NetScaler Gateway

  • OPSWAT v4 Support for EPA plug-in
    You can now configure the following End-point analysis (EPA) scans for the NetScaler Gateway appliance. The client computers use the NetScaler Gateway plug-in to access the software environment of their enterprise network.
    The following OPSWAT scans are configured on a NetScaler Gateway appliance.
    -Product specific scan
    -Vendor specific scan
    -Generic scan
    The following system scans are configured on a NetScaler Gateway appliance.
    -MAC Address
    -Domain Check
    -Numeric Registry
    -Non-numeric Registry
    -Windows Update

NetScaler SDX Appliance

  • An Interactive GUI for Restoring a NetScaler Appliance
    For a successful NetScaler SDX appliance restore, you need the following resources:
    – A valid license
    – An XVA images
    – A NetScaler image
    – A Single Bundle Image
    If any of these resources are missing in the backup file, the GUI now prompts to upload the resource before proceeding further – enabling you to restore the appliance efficiently in a single go.
    Previously, if any resource was found missing, the process terminated with an error message. The user needed to start the process again after uploading the required resources.
  • Jumbo MTU Support for CLAG
    In a cluster setup that involves one or more NetScaler SDX appliances, you get confirm messages when you perform the following actions:
    – When you click Create to configure a CLAG in one of NetScaler SDX appliances in the cluster setup, a message prompts you to refresh the CLAG settings in the other SDX appliances. At the prompt, select Yes to continue. If you select No, the CLAG is not configured. Note that you must manually refresh the CLAG settings in the other SDX appliances.
    – If you change the MTU setting in one of the SDX appliances, a message prompts you to change the setting in the other SDX appliances. At the prompt, select Yes to continue. If you select No, the MTU is not set. Note that you must manually change the MTU setting in the other SDX appliances.
    For more information about how to configure CLAG on SDX appliances, see https://docs.citrix.com/en-us/sdx/12/configuring-management-service/configure_cluster_link_aggregation.html
  • Support for Automatic LOM Firmware Upgrade
    With this release, the Lights Out Management (LOM) firmware is automatically upgraded after the NetScaler SDX single bundle image is upgraded. When the appliance restarts after upgrading the single bundle image, it checks if LOM firmware upgrade is required and upgrades the firmware accordingly. The LOM upgrade might take a few minutes.
    However, the following exceptions and usage guidelines apply:
    – For SDX 115XX/175XX series appliances with LOM firmware version lower than 3.03, manual upgrade is required. For more information about manual upgrade, see the following documentations:
    https://support.citrix.com/article/CTX137970
    https://support.citrix.com/article/CTX140270
    – SDX 14000-40S platform is not enabled for automatic LOM firmware upgrade. Support will be provided in future releases.
    – Before upgrading the single bundle image, verify that LOM is running successfully by checking health monitoring events in the NetScaler SDX GUI dashboard. If LOM is in hung state, power cycle the appliance by pulling all the AC power cables on the power supplies. Wait for a minute and then replug the AC cables to power up the unit. Next, upgrade the single bundle image and complete the LOM upgrade.
  • ACL Rules for Accessing an SDX Appliance
    Now you can create ACL rules to control and restrict access to your NetScaler SDX appliances, by using the SDX GUI.

NetScaler VPX Appliance

  • Support for High Availability for VPX Instances with SR-IOV Interfaces Running on AWS
    High availability is now supported for VPX instances with SR-IOV interfaces running on AWS.
  • Support for Extra Management CPU for NetScaler VPX Instances
    To achieve better performance for configuring and monitoring of your appliance, you can now allocate an extra management CPU from packet engine pool in all NetScaler VPX models except VPX instances that run on an SDX appliance. Previously the feature was supported only in NetScaler MPX models 25xxx, 22xxx, 14xxx, 115xx, 15xxx, and 26xxx.

Networking

  • Detecting a NetScaler Appliance in a UDP Load Balancing Setup through TTL Updation
    Some enterprises/scenarios running a monitoring application requires the NetScaler appliance of a load balancing setup to be detected as one of the hop in a traceroute. A NetScaler appliance of a load balancing setup is not detected in a traceroute because the appliance, by default, sets the TTL value to 255 instead of decrementing it when forwarding the request to a backend server.
    To meet this requirement, Decrement TTL parameter of a VIP address can be used. This parameter applies to all UDP virtual servers using this VIP.
    When you enable the Decrement TTL parameter of a VIP, the NetScaler appliance decrements the TTL value by 1 instead of setting it to 255 when forwarding requests, which are received on the UDP virtual servers that use this VIP. Monitoring applications using traceroute data can now detect the presence of a NetScaler appliance of a UDP load balancing setup.

Optimization

  • Support for Facebook Video Optimization
    The NetScaler Video Optimization feature now enables you to detect and optimize Facebook video traffic.

Platform

  • Support for Hardware Platforms
    This release now supports the NetScaler MPX 5900 and NetScaler MPX 8900 platforms. For more information, see https://docs.citrix.com/en-us/netscaler/12/ssl/support-for-mpx-5900-8900-platforms.html.
  • Support for New Hardware Platforms
    This release now supports the NetScaler MPX 26000-100G and NetScaler MPX 26000T-100G platforms. For more information, see https://docs.citrix.com/en-us/netscaler-hardware-platforms/mpx/netscaler-hardware-platforms/citrix-netscaler-mpx-26000-100g-26000T-100g.html.
  • Support for SDX 8900 Appliance
    This release supports the NetScaler SDX 8900 appliance.
    For more information see the following documentation:
    Citrix NetScaler SDX 8900
    https://docs.citrix.com/en-us/netscaler-hardware-platforms/sdx/hardware-platforms/8900.html
  • Support for NetScaler Pooled Capacity
    The following new NetScaler MPX platforms now support NetScaler Pooled Capacity:
    * MPX-22000
    * MPX-24000

SSL

  • Support for ECDSA ciphers on the front end and back end of NetScaler VPX Appliances
    The NetScaler VPX appliances now support the elliptical curve digital signature algorithm (ECDSA) cipher group end to end. ECDSA cipher suites use elliptical curve cryptography (ECC). Because of its smaller size, it is particularly helpful in environments where processing power, storage space, bandwidth, and power consumption are constrained.
    Note: ECDSA certificates with only the following curves are supported:
    -prime256v1
    -secp384r1
    -secp521r1
    -secp224r1
    The following ciphers are supported with ECDSA:
    -ECDHE-ECDSA-AES256-GCM-SHA384
    -ECDHE-ECDSA-AES256-SHA384
    -ECDHE-ECDSA-AES256-SHA
    -ECDHE-ECDSA-AES128-GCM-SHA256
    -ECDHE-ECDSA-AES128-SHA256
    -ECDHE-ECDSA-AES128-SHA
    -ECDHE-ECDSA-RC4-SHA
    -ECDHE-ECDSA-DES-CBC3-SHA
    For more information, see https://docs.citrix.com/en-us/netscaler/12/ssl/customize-ssl-config/ecdsa_cipher_suite_support_on_mpx_appliances_with_n3_chips.html
  • Support for Subject Alternative Name in a Certificate Signing Request
    The subject alternative name (SAN) field in a certificate allows you to associate multiple values, such as domain names and IP addresses, with a single certificate. By using SAN, you can secure multiple domains, such as www.example.com, www.example.net, www.example.org, with a single certificate. The NetScaler appliance now supports adding SAN entries when creating a certificate signing request (CSR). You can send a CSR to a Certificate Authority to obtain a signed certificate.
    For more information, see https://docs.citrix.com/en-us/netscaler/12/ssl/manage-certs/obtain-cert-frm-cert-auth.html.

Secure Web Gateway

  • Support for ICAP for Remote Content Inspection
    The NetScaler Secure Web Gateway (SWG) appliance can now act as an ICAP client and use policies for interacting with third-party security vendors that specialize in antimalware and data leak prevention (DLP). The encrypted files, which were earlier bypassed, can now be scanned by security vendors using ICAP on a NetScaler SWG appliance.
    The appliance intercepts client traffic (HTTP and HTTPS), decrypts it, and sends the decrypted traffic to the ICAP server(s). The appliance supports content inspection in both request mode (REQMOD) and response mode (RESPMOD). While REQMOD is ideal for DLP integration, RESPMOD is used in checking for antimalware. You must configure policies to select the traffic to send to the ICAP servers.

System

  • Support for TCP Fast Open (TFO) in Multipath TCP (MPTCP)
    A NetScaler appliance now supports TCP Fast Open (TFO) mechanism for establishing Multipath TCP (MPTCP) connections and speeding up data transfers. The mechanism allows subflow data to be carried during the initial MPTCP connection handshake in SYN and SYN-ACK packets. Also, while establishing the MTCP connections, the mechanism enables the receiving node to consume data.

Telco

  • License Change for Telco Platform Consolidation
    As part of Telco platform consolidation, the following set of features are now added to the CNS Platinum edition.
    * Telco URL Filtering
    * ABR Video Optimization
    * Adaptive TCP
    * Connection Quality Analytics (CQA)
    To support the effort, the features work on Telco platforms with the purchase of a basic CBM license and CBM Premium license and for other NetScaler platforms, the features work with the purchase of a CNS Platinum license.
    Note: For Telco URL Filtering feature to work on all platforms, it requires an additional URL Threat Intelligence license. You can purchase the license with a subscription service for one year or for three years.
    License support for Telco platforms:
    * CBM_TXXX_SERVER_Retail.lic
    * CBM_TPRE_SERVER_Retail.lic
    * CNS_WEBF_SSERVER_Retail.lic
    Where XXX is the throughput, for example, NetScaler T1000.
    License support for other NetScaler platforms:
    * CNS_XXX_SERVER_PLT_Retail.lic
    Where XXX is the throughput.

More information can be retrieved here