Citrix has released yesterday a new Firmware for NetScaler

The enhancements and changes that are available in Build 48.13.

AAA-TM

  • Support to pass through RADIUS attribute 66 (Tunnel-Client-Endpoint)
    The NetScaler appliance now allows the pass-through of RADIUS attribute 66 (Tunnel-Client-Endpoint) during RADIUS authentication. By applying this feature, the clients IP address is received by second-factor authentication from entrusting to make risk-based authentication decisions.
    A new attribute “tunnelEndpointClientIP” is introduced in both “add authentication radiusAction” and “set radiusParams” command.
    To use this feature, at the NetScaler command prompt, type:
    • add authentication radiusAction <name> {-serverIP <ip_addr|ipv6_addr|*> | {-serverName <string>}} [-serverPort <port>] … [-tunnelEndpointClientIP (ENABLED|DISABLED)]
    • set radiusParams {-serverIP <ip_addr|ipv6_addr|*> |{-serverName <string>}} [-serverPort<port>] … [-tunnelEndpointClientIP(ENABLED|DISABLED)]
    [# 614884]
  • WebView credential type support for authentication mechanisms
    The authentication of NetScaler Gateway appliance can now supports AUTHv3 protocol. The WebView credential type in AUTHv3 protocol support all type of authentication mechanisms (including SAML and OAuth). The WebView credential type is a part of AUTHv3, which is implemented by Citrix Receiver and browser in web applications.
    [# 653138]
  • Support to notify the number of unsuccessful login attempts
    The NetScaler appliance can now log the number of unsuccessful login attempts made from the last successful log on. The feature works only if the persistentLoginAttempts option is enabled on the appliance. By default, the option is disabled on the appliance.
    A NetScaler administrator can use this information to verify if any unauthorized attempts have occurred on a secured external user account.
    To use this feature, at the NetScaler command prompt, type:
    set aaa parameter [–maxloginAttempts <value> [-failedLoginTimeout <value>]] -persistentLoginAttempts (ENABLED | DISABLED)
    Example:
    set aaa parameter –maxLoginAttempts 4 –failedLoginTimeout 3 –persistentLoginAttempts ENABLED
    [# 671478]
  • Optimization of Kerberos authentication on NetScaler AAA
    The NetScaler appliance now optimizes and improves the system performance while Kerberos authentication. The NetScaler AAA daemon remembers the outstanding Kerberos request for the same user to avoid load on Key Distribution Center (KDC), which avoids the duplicate requests.
    [# 681896, 690321]
  • Support for validating end-to-end LDAP authentication
    The NetScaler appliance can now validate end-to-end LDAP authentication through NetScaler GUI. To validate this feature, a new “test” button is introduced in NetScaler GUI. A NetScaler administrator can leverage this feature to achieve the following benefits:
    • Consolidates the complete flow (packet engine – AAA daemon – external server) to provide better analysis.
    • Reduces time on validating and troubleshooting issues related to individual scenarios.
    [# 697083]
  • Simplified login protocol support for NetScaler AAA
    The login protocol between NetScaler AAA traffic management virtual servers and NetScaler AAA virtual servers is simplified to use internal mechanisms as opposed to sending the encrypted data through query parameters. By leveraging this feature, the replay of requests is prevented.
    [# 700114]
  • Support of name-value attribute for LDAP authentication
    You can now configure the attributes of LDAP authentication with a unique name along with values. The names are configured in the LDAP action parameter and the values are obtained by querying for the name.
    To use this feature, at the NetScaler command prompt, type:
    add authentication ldapAction <name> [-Attribute1 <string>]
    Example:
    add authentication ldapAction ldapAct1 Attribute1 mail
    [# 700710]
  • Support for AAA.USER and AAA.LOGIN expressions
    The AAA.USER expression is now implemented to replace the existing HTTP.REQ.USER expressions. The AAA.USER expression is applicable to handle non-HTTP traffic, such as Secure Web Gateway (SWG) and role-based access (RBA) mechanism. The AAA.USER expressions are equivalent to HTTP.REQ.USER expressions.
    You can use the expression at a variety of actions or profiles configuration.
    For example,
    add tm trafficAction tm_act -SSO ON -userExpression “AAA.USER.NAME”
    Note: If you use HTTP.REQ.USER expression, a warning message “HTTP.REQ.USER has been deprecated. Use AAA.USER instead” appears on the command prompt.
    [# 701211]
  • Support for encrypted tokens on OpenID connect
    The NetScaler appliance with OpenID Connect mechanism now supports sending of encrypted tokens along with signed tokens. The NetScaler appliance uses JSON web encryption specifications to compute the encrypted tokens and supports only compact serialization of encrypted tokens.
    A new attribute “relyingPartyMetadataURL” is introduced in both “add authentication OAuthIDPProfile” and “set authentication OAuthIDPProfile”.
    To activate this feature, at the NetScaler command prompt, type:
    • add authentication OAuthIDPProfile <name> [-relyingPartyMetadataURL <URL>]
    • set authentication OAuthIDPProfile <name> [-relyingPartyMetadataURL <URL>]
    [# 702669]
  • Support for 14-day password expiry notification for LDAP based authentication
    The 14-day password feature on NetScaler appliance provides the administrator an option to notify the end users about the password expiry. By using this feature, the end users are notified about their password expiry (number of days left before expiry).
    To leverage this feature, the customer’s has to perform the following configuration changes in LDAP configuration:
    • If the LDAP configuration has “ldapBase” parameter as “cn=users, dc=domain, dc=com” attributes, then it has to be changed to “dc=domain, dc=com” attributes.
    • The LDAP search base has to be changed from “Users” to one level higher (at the domain level).
    To enable this feature, at the NetScaler command prompt, type:
    set aaa parameter –pwdExpiryNotificationDays 14 <positive_integer>
    [# 703474]

Admin Partition

  • Displaying the availability of partition MAC address
    You can now use the show ns PartitionMAC command to display a list of configured PMACs (Partition MAC) addresses on a NetScaler appliance. The command displays all the PMAC addresses and the corresponding partitions (if assigned). In the case of a non-SDX platform, the command displays all the PMAC addresses and their corresponding partitions because the PMAC address is assigned to a partition only on need basis (when a partition bound a shared VLAN). However in the case of a SDX platform, you might have some unassigned PMACs in the lis
    [# 683620]

Clustering

  • Policy-based backplane steering support for cluster
    The policy-based backplane steering (PBS) is a mechanism in cluster deployment, which will steer the traffic across cluster nodes based on the hash method defined for the flow. The flow is defined by a combination of L2 and L3 parameters similar to Access Control List (ACL).
    The PBS will support both IPv4 and IPv6 traffic. In case of IPv6 deployments, the steering is supported by an additional option “[dfdprefix <positive_integer>]”, and provide the flexibility to choose the same flow processor for the same IP prefix. The prefix option is supported for source IP or destination IP hash methods only.
    To support this feature, new attributes are introduced in existing ACL commands.
    [# 683464]

DNS

  • Support for DNS name servers over TCP
    The NetScaler appliance in forwarder mode now supports TCP and UDP-TCP name servers.
    – If you have configured a TCP name server, then the NetScaler appliance sends the DNS request over TCP.
    – If you have configured a UDP-TCP name server, then the NetScaler appliance sends the DNS request over UDP. However if the truncated bit is set in the DNS response, the appliance sends such DNS requests over TCP.
    [# 679817, 697499, 708456]

GSLB

  • Updated GEO IP database files
    The NetScaler appliance now includes the following two IP geolocation database files. These are GeoLite2 files, published by MaxMind.
    – Citrix_Netscaler_InBuilt_GeoIP_DB_IPv4
    – Citrix_Netscaler_InBuilt_GeoIP_DB_IPv6
    These database files are available in a format supported by the NetScaler appliance in the directory /var/netscaler/inbuilt_db.
    You can use these IP geolocation databases as the location file for the static proximity based GSLB method, or in location based policies.
    After an upgrade, if the /var/netscaler/inbuilt_db/ directory contains the database file (Citrix_Netscaler_InBuilt_GeoIP_DB.csv ) from the earlier NetScaler software versions, the file is retained.
    [# 666268]
  • Support for viewing the GSLB synchronization summary
    You can now view the summary of the last GSLB sync operation. This is applicable to both manual and real-time GSLB synchronization.
    [# 678547]
  • New directory synchronized as part of GSLB synchronization process
    As part of the GSLB synchronization process, the /var/netscaler/inbuilt_db/ directory is also synchronized in addition to the /var/netscaler/locdb/ and /var/netscaler/ssl/ directories.
    [# 699729, 699287]
  • Support for setting site persistence for the IP address based and domain name based service groups
    You can now set site persistence for the IP address based and domain name based service groups.
    [# 701512]

Licensing

  • Support for checking NetScaler license expiration information through GUI and CLI
    Now you can check NetScaler license expiration information through GUI or CLI. Previously, customers were notified of an expired license only after a system rebooted, causing the NetScaler appliance to restart as an unlicensed appliance.
    To check license information through the NetScaler GUI, navigate to Configuration > System > Licenses. Alternatively, run the command “show ns license” to view the license information.
    [# 556558]

Load Balancing

  • Packets per second rate limiting support on DSR virtual servers
    Packets per second rate limiting are now supported on DSR virtual servers. You can configure a stream selector and a responder policy to collect statistics at the packet level flowing through all the connections identified by the selector. If the number of packets per second exceeds the configured threshold, the policy applies the configured action (RESET or DROP).
    [# 688195]
  • Addition of IPANDVLAN as a subscriber lookup method
    You can now choose either the IP or IPANDVLAN as the key lookup method to the subscriber policy enforcement and management system. IPANDVLAN key lookup method is supported only when the subscriber interface is set to GxOnly.
    [# 698306]

NITRO

  • Retrieving LOM Port firmware version
    The nshardware NITRO API resource now supports retrieving the LOM port’s firmware version of a NetScaler appliance.
    [# 695712]
  • Auto-ordering of operations in NITRO macro API
    The NetScaler appliance performs the operations listed in NITRO macro API request in the correct order even if they are listed incorrectly. For example, even if a bind operation is listed before an add operation for a load balancing virtual server in a NITRO macro API request, the appliance performs the add operation before the bind operation.
    [# 701814]
  • Auto-enabling of features in NITRO macro API
    The NetScaler appliance can automatically enable those features whose operations are listed in a NITRO macro API request. For auto-enabling of features, the following header must be specified in the NITRO macro API request:
    X-NITRO-ENABLEFEATURE: YES
    For example, if a NITRO macro API request lists operations related to load balancing feature and if this feature is not enabled, the appliance automatically enables the feature before performing the load balancing operations.
    [# 701817]
  • Auto save config for NITRO macro API
    The NetScaler appliance can automatically perform save config operation after performing all the operations listed in a NITRO macro API request. For auto save config operation, the following header must be specified in the NITRO macro API request:
    X-NITRO-SAVECONFIG: YES
    [# 701917]

NetScaler CLI

  • Displaying number of unsuccessful logon attempts
    Upon successful logon to a NetScaler appliance, the command interface now displays the number of unsuccessful logon attempts since the last successful logon. A NetScaler administrator can use this information to verify if any unauthorized activity has occurred on a secured user account.
    [# 682166]

NetScaler GUI

  • Configuring priority load balancing
    You can now configure priority load balancing using the NetScaler GUI. The priority load balancing feature enables you to assign a priority number for each of the services or service groups that are bound to a priority load balancing virtual server. A service or a service group with the lowest number has the highest priority. Application traffic is distributed only to this service or a service group as long as this service or a service group is UP. The service or a service group that is assigned the next priority number becomes operational only when all the services or members in the service group with the highest priority are DOWN. However, when any of the services or a member in the service group with the highest priority becomes available again, the traffic is directed to that service or the service group.
    [# 697183, 696663]

NetScaler Gateway

  • Support for RDP redirection
    A NetScaler Gateway appliance now supports RDP redirection with connection broker or session directory. An RDP proxy communication no longer requires an exclusive URL for every connection from client to the server. Instead, the proxy uses a single URL to connect to an RDP server farm, reducing the maintenance and configuration overhead for an administrator.
    [# 612519]
  • Support for randomizing RDP file name with RDP proxy
    When you click on an RDP URL, an RDP file is downloaded. Upon clicking the RDP URL again a new RDP file with the same name is downloaded, resulting in a pop-up for the replacement of the new file with the existing file. To avoid this, the RDP file name is now randomized by appending output of time () function in the format <rdpFileName>_<outputof time()>.rdp. By doing this, the appliance generates a unique RDP file name every time you download a file.
    Configuration:
    add rdpclientprofile <profileName> -rdpfileName <filename> -randomizeRDPFilename <YES/NO>
    [# 695990]
  • Populate RDP URLs based on LDAP attribute
    You can now configure a NetScaler Gateway appliance to retrieve a list of RDP servers (IP/FQDN) from an LDAP server attribute. Based on the list you retrieve, the appliance displays the RDP URLs for the servers to be accessed.
    Configuration:
    add rdpclientprofile <Name> –rdpUrlLinkAttribute <string>
    [# 698917, 699370]
  • Simplified SaaS apps configuration
    With this enhancement, configuring and publishing a SaaS app is simplified using an app catalogue. The NetScaler Gateway appliance now has built-in catalogues of commonly used SaaS apps that allow app specific fields to get auto populated for a simplified configuration experience. Also, administrators can create their own SaaS apps catalouge.
    [# 699991]

NetScaler SDX appliance

  • Support for SNMP version 3
    While provisioning a NetScaler VPX instance, now you use either SNMP version 3 (v3) or SNMP v2. Earlier, only SNMP v2 was supported in admin profiles. SNMP v3 sets up a secure channel between the VPX instance and the SDX user interface to send SNMP traps. To enable SNMP v3, from the NetScaler Management Service select Configuration>NetScaler>Admin Profiles>Add. In the Admin Profiles page, select the radio button for SNMP v3 and add the details.
    [# 674022]
  • SSH public key authentication support for LDAP users
    The NetScaler SDX appliance can now authenticate the LDAP users through SSH public key authentication for logon. The list of public keys is stored on the user object in the LDAP server. During authentication, SSH extracts the SSH public keys from the LDAP server. The logon succeeds if any of the retrieved public key works with SSH.
    For key-based authentication, you must specify the location of the public keys by setting a value of Authorizedkeysfile in /etc/sshd_config file in the following aspect:
    AuthorizedKeysFile .ssh/authorized_keys
    [# 696281]
  • SNMP OIDs for health monitoring
    Now you can use specific OIDs for health monitoring items such as power supply, fan, temperature, and voltage through OID 1.3.6.1.4.1.5951.6.2.1000.6.
    [# 697395]

NetScaler VPX appliance

  • Support for Azure autoscale feature
    Now NetScaler VPX instances deployed on Azure support autoscale with Azure virtual machine scale sets. When integrated with the autoscale feature, NetScaler VPX instances provide improved:
    – Load balancing and load management
    – High availability
    – Network availability
    For more information about Azure autoscale, see https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-autoscale-overview
    [# 690441]
  • From this release, you can migrate a NetScaler VPX instance by using VMware vMotion. The vMotion feature does not support NetScaler VPX instances configured to use SR-IOV and PCI passthrough interfaces. Supported interfaces are E1000 and VMXNET3.
    [# 690477, 676805, 460577]
  • For a high availability setup on AWS, now you can deploy a VPX pair running on two different AWS availability zones or two different subnets. Previously, a VPX pair running on the same availability zone and the same subnet only could be deployed in a high availability setup.
    [# 696692]
  • Support for XenServer versions 7.1 and 7.4
    Now VPX appliances are supported on XenServer versions 7.1 and 7.4.
    [# 702581]

Networking

  • Virtual servers with multiple IP addresses
    The NetScaler supports creating a single load balancing virtual server with multiple non-consecutive/consecutive IPv4 and IPv6 addresses. Each IP address bound to the virtual server is treated as an individual virtual server. These virtual servers have the same protocol and other virtual server level settings.
    A virtual server with multiple IP addresses offloads you from creating a large number of virtual servers with the same settings and service bindings. As a result, it effectively reduces the possibility of reaching the maximum limit on virtual server entities.
    [# 249033]
  • MD5 authentication support for Border Gateway Protocol
    The NetScaler appliance supports MD5 authentication for Border Gateway Protocol (BGP). When authentication is enabled, any TCP segment belonging to BGP exchanged between the NetScaler appliance and its peer device is verified and accepted only if authentication is successful. For authentication to be successful, both the peers must be configured with the same MD5 password. If authentication fails, the BGP neighbor relationship is not being established.
    [# 455254]
  • MAC based forwarding for a load balancing setup
    Some load balancing setups require that the NetScaler appliance bypasses the global MBF (if enabled) for these setups and instead use the route/ARP lookups for sending packets to the destination.
    The MBF parameter of a net profile is used to disable or enable MBF for a specific load balancing configuration. MBF can be set for the client side as well as the server side of a load balancing configuration by binding net profiles (MBF enabled or disabled) to the virtual server and the services.
    For example, if a net profile with MBF disabled is bound to the virtual server of a load balancing configuration, the NetScaler appliance bypasses the global MBF (if enabled) and instead use the route/ARP lookups for sending response packets to clients.
    [# 466092]
  • Stateful ACL rules
    A stateful ACL rule creates a session when a request matches the rule and allows the resulting responses even if these responses matches a deny ACL rule in NetScaler appliance. A stateful ACL offloads you from creating additional ACL rules/forwarding session rules for allowing these specific responses.
    Stateful ACLs can be best used in an edge firewall deployment of a NetScaler appliance having the following requirements:
    – The NetScaler appliance must allow requests initiated from internal clients and the related responses from the Internet.
    – The appliance must drop the packets from the Internet that are not related to any client connections.
    [# 646179]
  • Statistics for RNAT6 rules
    You can display statistics related to the RNAT6 feature to monitor the performance or to troubleshoot problems related to the RNAT6 feature. You can display a summary of statistics of the RNAT6 rules. The statistical counters reflect events since the NetScaler appliance was last restarted. All these counters are reset to 0 when the NetScaler appliance is restarted.
    [# 667022]
  • Support for processing Class E IPv4 packets
    By default, the NetScaler appliance drops any packets if they contain any Class E IPv4 address in the source IP or the destination IP fields. If your setup is using Class E IPv4 addresses, you can configure the NetScaler appliance to process Class E IPv4 packets.
    [# 694316]
  • Logging support extended ACL6 rules
    You can configure the NetScaler appliance to log details for packets that match an extended ACL6 rule. In addition to the ACL6 name, the logged details include packet-specific information, such as the source and destination IP addresses. The information is stored either in a syslog or nslog file, depending on the type of logging (syslog or nslog) that you have configured in the NetScaler appliance.
    [# 694979]

Optimization

  • Deprecating SPDY from NetScaler 12.0
    The SPDY functionality is deprecated from NetScaler 12.0 onwards. As an alternative, Citrix recommends you to use HTTP2 protocol for handling HTTP traffic.
    [# 700025]

SSL

  • Selective SSL logging
    In a large deployment comprising thousands of virtual servers, all SSL-related information is logged. If only a few virtual servers are critical to the deployment, examining the entire log to find information about the client authentication and SSL handshake successes and failures for just those critical virtual servers is a time-consuming and tedious task. With this enhancement, you can log SSL-related information, such as client authentication and SSL handshake failures, for only a specific virtual server or group of virtual servers. This information is especially helpful in debugging failures. To log the information, you must add an SSL log profile.
    [# 492689]
  • Support for ECDHE ciphers on the front end of Thales nShield® external HSM
    The NetScaler appliance now supports ECDHE ciphers on the front end of Thales nShield® external HSM. This group contains the following ciphers:
    – TLS1-ECDHE-RSA-AES256-SHA 0xc014
    – TLS1-ECDHE-RSA-AES128-SHA 0xc013
    – TLS1-ECDHE-RSA-DES-CBC3-SHA 0xc012
    – TLS1-ECDHE-RSA-RC4-SHA 0xc011
    Because of its smaller key size, Elliptic Curve Cryptography (ECC) is especially useful in a mobile (wireless) environment and in an interactive voice response environment, where every millisecond is important. Smaller key sizes result in power, memory, bandwidth, and computational cost savings.
    The following ECC curves are supported: P_256, P_384, P_224, and P_521.
    By default, all four curves are bound to an SSL virtual server.
    [# 505629, 703038]
  • Support for ECDHE ciphers on the front end of SafeNet network external HSM
    The NetScaler appliance now supports ECDHE ciphers on the front end of SafeNet Network external HSM. This group contains the following ciphers:
    – TLS1-ECDHE-RSA-AES256-SHA 0xc014
    – TLS1-ECDHE-RSA-AES128-SHA 0xc013
    – TLS1-ECDHE-RSA-DES-CBC3-SHA 0xc012
    – TLS1-ECDHE-RSA-RC4-SHA 0xc011
    Because of its smaller key size, Elliptic Curve Cryptography (ECC) is especially useful in a mobile (wireless) environment and in an interactive voice response environment, where every millisecond is important. Smaller key sizes result in power, memory, bandwidth, and computational cost savings.
    The following ECC curves are supported: P_256, P_384, P_224, and P_521.
    By default, all four curves are bound to an SSL virtual server.
    [# 594000]
  • Support for ECDSA ciphers on the front end and back end of NetScaler MPX/SDX 14000 FIPS appliances
    The NetScaler MPX/SDX 14000 FIPS appliances now support the elliptical curve digital signature algorithm (ECDSA) cipher group end to end. ECDSA cipher suites use elliptical curve cryptography (ECC). Because of its smaller size, it is helpful in environments where processing power, storage space, bandwidth, and power consumption are constrained.
    Note: ECDSA certificates with only the following curves are supported:
    -prime256v1
    -secp384r1
    -secp521r1
    -secp224r1
    The following ciphers are supported with ECDSA:
    -ECDHE-ECDSA-AES256-GCM-SHA384
    -ECDHE-ECDSA-AES256-SHA384
    -ECDHE-ECDSA-AES256-SHA
    -ECDHE-ECDSA-AES128-GCM-SHA256
    -ECDHE-ECDSA-AES128-SHA256
    -ECDHE-ECDSA-AES128-SHA
    -ECDHE-ECDSA-RC4-SHA
    -ECDHE-ECDSA-DES-CBC3-SHA
    [# 603605]
  • Support for AES-GCM and SHA2 ciphers at the back end of the NetScaler VPX appliances
    The NetScaler VPX appliances now supports the following AES-GCM and SHA2 ciphers for a secure server-side connection.
    – TLS1.2-AES256-GCM-SHA384
    – TLS1.2-AES128-GCM-SHA256
    – TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
    – TLS1.2-AES-256-SHA256
    – TLS1.2-AES-128-SHA256
    [# 636383]
  • Support for creating an ECDSA certificate-key pair
    You can now create an ECDSA certificate-key pair directly on a NetScaler appliance by using the NetScaler CLI or the NetScaler GUI. Earlier, you could install and bind an ECC certificate-key pair on the appliance, but you had to use OpenSSL to create a certificate-key pair.
    Only P_256 and P_384 curves are supported.
    Note: This support is available on all platforms except NetScaler MPX 9700/1050/12500/15500.
    [# 636962]
  • Built-in secure front-end SSL profile
    The SSL infrastructure on the NetScaler appliance is continually updated to address the ever-growing requirements for security and performance. A new built-in front-end SSL profile, called ns_default_ssl_profile_secure_frontend, is now available for setting up a highly secure SSL virtual server. The settings required for an A+ rating (as of May 2018) from Qualys SSL Labs are preloaded into this profile. Earlier, you had to explicitly set each of the parameters required for an A+ rating to an SSL virtual server or an SSL front-end profile. You can now bind the ns_default_ssl_profile_secure_frontend profile to the SSL virtual server and the required parameters are automatically set on the SSL virtual server. To get an A+ rating for the server, you must also bind a SHA2 or SHA256 server certificate to the SSL virtual server.
    Note: The secure front-end profile cannot be edited.
    [# 644007, 636386]
  • Optimizing ECDSA computation on some NetScaler appliances
    ECDSA computation has been optimized by using a combination of software and hardware offload capabilities.
    [# 677460]
  • Addition of TLS1.2 ciphers in the DEFAULT_BACKEND cipher group
    TLS1.2 ciphers are added to the DEFAULT_BACKEND cipher group.
    [# 698452]

Secure Web Gateway

  • Support for ICAP for Remote Content Inspection
    The NetScaler Secure Web Gateway (SWG) appliance can now act as an ICAP client and use policies for interacting with third-party security vendors that specialize in antimalware and data leak prevention (DLP). The encrypted files, which were earlier bypassed, can now be scanned by security vendors using ICAP on a NetScaler SWG appliance.
    The appliance intercepts client traffic (HTTP and HTTPS), decrypts it, and sends the decrypted traffic to the ICAP server(s). The appliance supports content inspection in both request mode (REQMOD) and response mode (RESPMOD). While REQMOD is ideal for DLP integration, RESPMOD is used in checking for antimalware. You must configure policies to select the traffic to send to the ICAP servers.
    [# 638345]

Security

  • Audit Logging support for ICAP content inspection
    If an HTTP request or response is content inspected using ICAP protocol, the appliance stores the ICAP details as log messages in the ns.log file.
    [# 699320]
  • ICAP support for NetScaler ADC
    A NetScaler appliance now supports Internet Content Adaptation Protocol (ICAP) for content transformation service on HTTP and HTTPS traffic. The appliance acts as an ICAP client and interoperates with third-party ICAP servers, such as antimalware and Data Leak Prevention (DLP). The ICAP servers perform a content transformation on the HTTP and HTTPS messages and send back responses to the appliance as modified messages. The adapted messages are either an HTTP or HTTPS response or request.
    [# 702971]

System

  • 64-bit images for MPX and VPX appliances
    The NetScaler image for MPX and VPX appliances now is 64 bit. In previous releases, the NetScaler image for MPX and VPX appliances was 32 bit.
    When compared to a 32-bit image, a 64-bit NetScaler image delivers:
    – Better performance for DNS, SYN, and Logstream
    – More available memory on most platforms
    – 2X improvement in TCP Concurrent Connections (on platforms with large system memory)
    – 2.5X improvement in SSL and SSLVPN concurrent sessions (on platforms with large system memory)
    – 25X improvement in cache objects (on platforms with large system memory)
    [# 513830]
  • USIP configuration support for HTTP 1.1 and HTTP/2 protocols
    The User Source IP (USIP) address configuration is now supported for both HTTP/1.1 AND HTTP/2 protocols in a NetScaler appliance.
    [# 652126, 678599]
  • Extending audit log message limit for SYSLOG server
    The NetScaler appliance can now send audit log messages up to 16 KB to an external SYSLOG server. Previously, the appliance can send messages only up to 1 KB.
    [# 685218]
  • Securing passwords and community strings in NetScaler GUI
    To secure user password, LDAP password, RADIUS key, administrator password, and SNMP community string, the NetScaler GUI now masks all the characters in the string. Previously, the characters appeared as clear text.
    [# 695293]

Telco

  • Large Scale NAT support in a NetScaler cluster setup
    Large scale NAT44 and large scale NAT64 configurations are now supported in a NetScaler cluster setup.
    A NetScaler cluster is a group of NetScaler appliances that are configured and managed as a single system. A NetScaler cluster provides scalability and availability. Each NetScaler appliance in a cluster setup acts as an independent LSN entity and is managed as a single system.
    The LSN configuration in a cluster setup is same as in a standalone appliance except for a specific pool of LSN IP addresses are owned by only one node at a time. In other words, an LSN IP pool entity is configured as a spotted entity in a particular node. All the nodes of a cluster setup can have a specific LSN IP pool entity. To make sure that the packets related to an LSN session is received on the same cluster node that performed the NAT operation, policy-based backplane (PBS) steering is configured. PBS steers the received related packets of an LSN session to the same cluster node.
    Most of the features of large scale NAT44 and large scale NAT64 existing for a standalone and high availability features are also supported for cluster setups.
    [# 620717]
  • Support for disabling ARP on large scale NAT IP addresses
    The NetScaler appliance now supports disabling of ARP for large scale NAT (LSN) IP addresses. In a large scale deployment of NetScaler appliance with dynamic routing protocol configured, LSN IP addresses are advertised through the dynamic routing protocol. Disabling ARP for LSN IP addresses in this deployment prevents the NetScaler appliance from unnecessarily advertising these IP addresses through ARP.
    [# 667547, 683981]
  • Statistics for large scale NAT IP pools
    The NetScaler appliance supports displaying statistical information on utilization of large scale NAT (LSN) IP pools. You can display a summary of statistics of all LSN IP pools or of a particular LSN IP pool. The summary statistics of all LSN IP pools display the total number of NAT IP addresses utilized by each type of LSN configuration: Large Scale NAT44, DS-Lite, and Large Scale NAT64. This statistics also displays IP pool percentage utilization for TCP and non-TCP sessions for each type of LAN configuration.
    The statistical counters reflect events since the NetScaler appliance was last restarted. All these counters are reset to 0 when the NetScaler appliance is restarted.
    [# 679517]
  • Change of default allocation policy for deterministic Large Scale NAT configurations
    For deterministic large scale NAT Configurations, the default NAT IP allocation policy (as part of LSN group entity) has been changed to IP address sequence allocation type.
    IP Address sequence allocation is useful in large scale NAT deployments where the upstream servers have limitations on the number of connections per subscriber IP address. Such deployments need a wide range of NAT IP address and port block allocation. IP Address sequence allocation meet this requirement.
    [# 702428]