For NetScaler 10.5 and later releases, Web Interface on NetScaler (WIonNS) must use the OpenJDK7 package since NetScaler now uses FreeBSD 8.x/amd64. You can download the package from either one of the following links:

* http://ftp.freebsd.org/pub/FreeBSD/releases/amd64/amd64/8.4-RELEASE/packages/java/openjdk-7.17.02_2.tbz

* ftp://mirror.is.co.za/FreeBSD/ports/amd64/packages-8.4-release/devel/openjdk-7.17.02_2.tbz

Background: When the NetScaler is upgraded to version 10.5, it still has OpenJDK1.6 instead of OpenJDK1.7 which is required for NetScaler version 10.5. Therefore, when the configurations are saved (after upgrading), the Web Interface sites become inaccessible.

Workaround: Before you save the configurations on the upgraded appliance, make sure you reinstall the Web Interface on NetScaler version 10.5 by using OpenJDK1.7.

When used as a SAML IdP (identity provider), the NetScaler appliance now allows logon using the following 401-based authentication mechanisms: Negotiate, NTLM, and Certificate.

The output of "show ns ip" now also includes the aaadnatIp address.

The configuration of a AAA-TM virtual server in the NetScaler GUI is simplified for ease of configuring the required authentication mechanism.

When used as a SAML SP (service provider), the NetScaler appliance can now decrypt the encrypted tokens that it receives from the a SAML IdP. No configuration is required on the NetScaler.

When used as a SAML IdP (identity provider), the NetScaler appliance can now be configured to send 16 additional attributes in addition to the NameId attribute. These attributes must be extracted from the appropriate authentication server. For each of them, you can specify the name, the expression, the format, and a friendly name.

These attributes must be specified in the SAML IdP profile as follows:

From the CLI:

> set authentication samlIdPProfile <name> [-Attribute1 <string> -Attribute1Expr <string> [-Attribute1FriendlyName <string>] [-Attribute1Format ( URI | Basic )]] [-Attribute2 <string> -Attribute2Expr <string> [-Attribute2FriendlyName <string>] [-Attribute2Format ( URI | Basic )]]

For example, the following command adds the attribute "MyName":

> add authentication samlIdPProfile ns-saml-idp -samlSPCertName nssp -samlIdPCertName nssp -assertionConsumerServiceURL "http://nssp.nsi-test.com/cgi/samlauth" -Attribute1 MyName -Attribute1Expr http.req.user.name -Attribute1FriendlyName Username -Attribute1Format URI

From the GUI:

Navigate to the screen where you configure the SAML IdP profile, and specify the additional attributes as required.

In a deployment where a NetScaler appliance is configured as a SAML IdP (identity provider) for multiple SAML SPs (service provider), the appliance allows a user to access multiple SPs without explicitly authenticating every time.The appliance creates a session cookie for the first authentication and every subsequent request uses this cookie for authentication.

When used as a SAML IdP (identity provider), the NetScaler appliance now allows logon using certificates.

When authentication is configured to be done by using certificates and then followed by LDAP or other authentication mechanisms, the following behavior holds true:

- In previous releases: If certificate authentication fails (or was skipped), the other authentication mechanism is not processed.

- From this release onwards: Even if certificate authentication is not done, the other authentication mechanism is processed.

The NetScaler AAA-TM feature now supports OAuth and OpenID-Connect mechanisms for authenticating and authorizing users to applications that are hosted on applications such as Google, Facebook, and Twitter.

Note: OAuth on NetScaler is currently qualified only for Google applications.

A major advantage is that user's information is not sent to the hosted applications and therefore the risk of identity theft is considerably reduced.

In the NetScaler implementation, the application to be accessed is represented by the AAA-TM virtual server. So, to configure OAuth, an action must be configured and associated with a AAA-TM policy which is then associated with a AAA-TM virtual server. The configuration to define a OAuth action is as follows:

> add authentication OAuthAction <name> -authorizationEndpoint <URL> -tokenEndpoint <URL> [-idtokenDecryptEndpoint <URL>] -clientID <string> -clientSecret <string> [-defaultAuthenticationGroup <string>] [-Attribute1 <string>] [-Attribute2 <string>] [-Attribute3 <string>] ....

Note:

- Refer to the man page for information on the parameters.

- Attributes (1 to 16) are attributes that can be extracted in OAuth response. Currently, these are not evaluated. They are added for future reference.

When used as a SAML IdP (identity provider), the NetScaler appliance can now be configured to digitally sign assertions by using the SHA256 algorithm. Additionally, you can configure the appliance to accept only digitally signed requests from the SAML SP (service provider).

These configurations must be specified in the SAML IdP profile as follows:

From the CLI:

> set authentication samlIdPProfile <name> [-rejectUnsignedRequests ( ON | OFF )] [-signatureAlg ( RSA-SHA1 | RSA-SHA256 )] [-digestMethod ( SHA1 | SHA256 )]

From the GUI:

Navigate to the screen where you configure the SAML IdP profile, and specify the corresponding parameters.

The NetScaler appliance now supports the SiteMinder SAML SP.

When used as a SAML IdP (identity provider), the NetScaler appliance can now be configured to encrypt the assertions by using the public key of the SAML SP (service provider).

Note:

- Make sure the SAML SP certificate is specified.

- For enhanced security, it is recommended that you encrypt assertions that contain sensitive information.

This configuration must be specified on the SAML IdP profile as follows:

On the CLI:

> set authentication samlIdPProfile <name> [-encryptAssertion ( ON | OFF )] [-encryptionAlgorithm <encryptionAlgorithm>]

On the GUI:

Navigate to the screen where you configure the SAML IdP profile and specify the corresponding parameters.

When the NetScaler appliance is configured for Negotiate authentication and sends a 401 Negotiate response to client, if client is not able to reach domain controller or is not domain joined, then it automatically falls back to NTLM authentication and the client starts NTLM handshake. The NetScaler appliance is able to verify the credentials presented as part of NTLM authentication.

This feature allows user logins locally or remotely.

When used as a SAML SP (service provider), in addition to POST bindings, the NetScaler appliance now supports redirect bindings. In redirect bindings, SAML assertions are in the URL, as against POST bindings where the assertions are in the POST body.

Using the CLI:

> add authentication samlAction <name> . . . [-samlBinding ( REDIRECT | POST )]

The NetScaler appliance now stores AAA authentication logs.

- Errors and warnings are logged in the /var/nslog/ns.log file

- Information and debug level logs are logged in the /var/log/nsvpn.log file.

Using the NetScaler Web Logging (NSWL) client, the NetScaler can now retrieve the web logs for all the partitions with which the logged in user is associated. To view the partition for each log entry, customize the log format to include the %P option. You can then filter the logs to view the logs for a specific partition.

Scriptable monitors can now be configured on the admin partitions that are available on a NetScaler appliance.

You can now generate the NetScaler trace for a specific admin partition. To do so, you must access that admin partition and run the "nstrace" operation. The trace files for the admin partition will be stored in the /var/partitions/<partitionName>/nstrace/ directory.

Integrated caching (IC) can now be configured for admin partitions. After defining the IC memory on the default partition, the superuser can configure the IC memory on each admin partition such that the total IC memory allocated to all admin partitions does not exceed the IC memory defined on the default partition. The memory that is not configured for the admin partitions remains available for the default partition.

For example, if a NetScaler appliance with two admin partitions has 10 GB of IC memory allocated to the default partition, and IC memory allocation for the two admin partitions is as follows:

- Partition1: 4 GB

- Partition2: 3 GB

Then, the default partition has 10 - (4 + 3) = 3 GB of IC memory available for use.

Note: If all IC memory is used by the admin partitions, no IC memory is available for the default partition.

While dynamic routing (OSPF, RIP, BGP, ISIS, BGP+) is by default enabled on the default partition, in an admin partition, it must be enabled by using the following command:

> set L3Param -dynamicRouting ENABLED

Note: A maximum of 63 partitions can run dynamic routing (62 admin partitions and 1 default partition).

On a partitioned NetScaler appliance, the scope of updating the L2 and L3 parameters is as follows:

- For L2 parameters that are set by using the "set L2Param" command, the following parameters can be updated only from the default partition, and their values are applicable to all the admin partitions: maxBridgeCollision, bdgSetting, garpOnVridIntf, garpReply, proxyArp, resetInterfaceOnHAfailover, and skip_proxying_bsd_traffic. The other L2 parameters can be updated in specific admin partitions, and their values are local to those partitions.

- For L3 parameters that are set by using the "set L3Param" command, all parameters can be updated in specific admin partitions, and their values are local to those partitions. Similarly, the values that are updated in the default partition are applicable only to the default partition.

The application firewall is fully supported in striped, partially striped, or spotted configurations. The two main advantages of striped and partially striped virtual server support in cluster configurations are the following:

- Session failover support: Striped and partially striped virtual server configurations support session failover. The advanced application firewall security features, such as Start URL Closure and the Form Field Consistency check, maintain and use sessions during transaction processing. In ordinary high availability configurations, or in spotted cluster configurations, when the node that is processing the application firewall traffic fails, all the session information is lost and the user has to reestablish the session. In striped virtual server configurations, user sessions are replicated across multiple nodes. If a node goes down, a node running the replica becomes the owner. Session information is maintained without any visible impact to the user.

- Scalability: Any node in the cluster can process the traffic. Multiple nodes of the cluster can process the incoming requests served by the striped virtual server. This improves the application firewall's ability to handle multiple simultaneous requests, thereby improving the overall performance.

Security checks and signature protections can be deployed without the need for any additional cluster-specific application firewall configuration. You just do the usual application firewall configuration on the configuration coordinator (CCO) node for propagation to all the nodes.

Cluster details are available at http://docs.citrix.com/en-us/netscaler/11/system/clustering.html.

The NetScaler application firewall module offers data leak prevention and supports credit card protection. It can examines the credit card numbers in the response and takes the specified action if a match is found. In some scenarios, it might be desirable to exclude a specific set of numbers from the credit card security check inspection. For example, server responses for some internet applications might include a string of digits that is not a credit card number but matches the pattern of a credit card number. These responses can trigger false positives and therefore get blocked by the application firewall's Credit Card security check. The application firewall now offers the ability to learn and deploy relaxations for the credit card numbers. The credit card relaxation rule provides the flexibility to exclude a specific string of numbers from the safe commerce check without compromising credit card security. These numbers are not examined in the responses even if the credit card check is ON.

Examples of CLI Commands:

1. Bind the credit card number to profile:

bind appfw profile <profile-name> -creditCardNumber <any number/regex> "<url>"

2. Unbind credit card number from profile:

unbind appfw profile <profile-name> -creditCardNumber <credit card number> "<url>"

3. Log: Enable Logging of credit card Numbers

add appfw profile <profilename> - doSecureCreditCardLogging <ON/OFF>

set appfw profile <profilename> - doSecureCreditCardLogging <ON/OFF>

4. Learn:

show appfw learningdata <profilename> creditCardNumber

rm appfw learningdata <profilename> -creditcardNumber <credit card number> "<url>"

export appfw learningdata <profilename> creditCardNumber

All application firewall graphical user interface (GUI) dialog boxes, including the ones for signatures, visualizer, and syslog viewer, are now completely free from any java dependencies and show a significant improvement in the overall performance. The HTML based GUI dialogues have been re-organized for enhanced user experience and intuitive workflow of information. Instead appearing in of pop-up dialog boxes with tabs, the information is now displayed as an in-line expansion. You can expand all the configuration sections and scroll up and down for a comprehensive view.

Geolocation, which identifies the geographic location from which requests originate, can help you configure the application firewall for the optimal level of security. For example, if an excessively large number of requests are received from a specific area, it is easy to determine whether they are being sent by users or a rogue machine. The application firewall offers you the convenience of using the built-in NetScaler database or any other geolocation based database to identify the source of origin of coordinated attacks launched from a country. This information can be quite useful for enforcing the optimal level of security for your application to block malicious requests originating from a specific geographical region. Geolocation logging uses the Common Event Format (CEF).

To use Geolocation Logging

1. Enable CEFLogging and GeoLocationLogging.

>set appfw settings GeoLocationLogging ON CEFLogging ON

2. Specify the database

>add locationfile /var/netscaler/inbuilt_db/Citrix_Netscaler_InBuilt_GeoIP_DB.csv

or

add locationfile <path to database file>

The NetScaler application firewall offers SQL/XSS security check protections to detect and block possible attacks against the applications. You now have much tighter security control when configuring SQL/XSS protections. Instead of deploying relaxation rules that completely bypass the security check inspection for a field, you now have an option to relax a specific subset of violation patterns. You can continue to inspect the relaxed field in the incoming requests to detect and block the rest of the SQL/XSS violation patterns. The commands used in relaxations and learning now have optional parameters for value type and value expression. You can specify whether the value expression is a regular expression or a literal string.

Command Line Interface:

bind appfw profile <name> -SQLInjection <String> [isNameRegex (REGEX | NOTREGEX)] <formActionURL> [-location <location>] [-valueType (Keyword| SpecialString|Wildchar) [<valueExpression>][-isValueRegex (REGEX | NOTREGEX) ]]

unbind appfw profile <name> -SQLInjection <String><formActionURL> [-location <location>][-valueType (Keyword|SpecialString|Wildchar) [<valueExpression>]]

bind appfw profile <name> -crossSiteScripting <String> [isNameRegex (REGEX | NOTREGEX)] <formActionURL> [-location <location>] [-valueType (Tag| Attribute|Pattern) [<valueExpression>][-isValueRegex (REGEX | NOTREGEX) ]]

unbind appfw profile <name> -crossSiteScripting <String> <formActionURL> [-location <location>] [-valueType (Tag|Attribute|Pattern) [<valueExpression>]]

The field format rules specify the inputs that are allowed in the target form fields. You can also limit the minimum and the maximum allowed length for the inputs. The application firewall learning engine monitors the traffic and provides field format recommendations based on the observed values. If the initial field format learned rules are based on a small sample of data, a few non typical values might possibly result in a recommendation that is too lenient for the target field. Updates to the application firewall have now decoupled violations and learning for the field formats. The firewall learns the field formats regardless of the violations. The learning engine monitors and evaluates all the incoming new data points to recommend new rules. This allows fine tuning the configuration to specify optimal input formats with adequate min/max range values. If a rule has already been deployed for a field/URL combination, the GUI allows the user to update the field format. A dialog box asks for confirmation to replace the existing rule. If you are using the command line interface, you have to explicitly unbind the previous binding and then bind the new rule.

All application firewall graphical user interface (GUI) dialog boxes, including the ones for signatures, visualizer, and syslog viewer, are now completely free from any java dependencies and show a significant improvement in the overall performance. The HTML based GUI dialogues have been re-organized for enhanced user experience and intuitive workflow of information. Instead appearing in of pop-up dialog boxes with tabs, the information is now displayed as an in-line expansion. You can expand all the configuration sections and scroll up and down for a comprehensive view.

You can now use default syntax expressions in cache redirection policies. The NetScaler appliance provides built-in cache redirection policies based on default syntax expressions, or you can create custom cache redirection policies to handle typical cache requests. In addition to the same types of evaluations done by classic cache redirection policies, the default syntax policies enable you to analyze more data (for example, the body of an HTTP request) and to configure more operations in the policy rule (for example, directing requests to either cache or origin server).

The NetScaler appliance now supports transferring IPv6 traffic through a IPV4 GRE tunnel. This feature can be used for enabling communication between Isolated IPv6 networks without upgrading the IPv4 infrastructure between them.

For configuring this feature, you associate an PBR6 rule with the configured IPv4 GRE tunnel through which you want the NetScaler to send and receive IPv6 traffic. The source IPv6 address and destination IPv6 address parameters of the PBR6 rule specify the IPv6 networks whose traffic is to traverse the IPv4 GRE tunnel.

You can now create a cluster that includes nodes from different networks. To configure a cluster over L3, you must add the nodes of different networks to different nodegroups. For more information, see http://docs.citrix.com/en-us/netscaler/11/system/clustering/cluster-setup.html.

You can transition an existing L2 cluster to an L3 cluster. For instructions, see http://docs.citrix.com/en-us/netscaler/11/system/clustering/cluster-usage-scenarios/cluster-migrate-between-l2-l3.html.

By default, a NetScaler cluster steers traffic over the cluster backplane, from the flow receiver node to the flow processor node. You can disable steering so that the process becomes local to the flow receiver and thereby ensure that the flow receiver also becomes the flow processor. Such a configuration can come in handy when you have a high latency link.

Note: This configuration is applicable only for striped virtual servers.

Steering can be disabled at the global NetScaler level or at the individual virtual server level. The global configuration takes precedence over the virtual server setting.

- At the global level, steering can be disabled for all striped virtual servers. It is configured at cluster instance level. Traffic meant for any striped virtual server will not be steered on cluster backplane. The command is:

> add cluster instance <clId> -processLocal ENABLED

- At a virtual server level, you can disable steering for a specific striped virtual server. It is configured on a striped virtual server. Traffic meant for that virtual server will not be steered on cluster backplane. The command is:

> add lb vserver <name> <serviceType> -processLocal ENABLED

For more information, see http://docs.citrix.com/en-us/netscaler/11/system/clustering/cluster-managing/cluster-steering-disable.html.

A cluster nodegroup can now be configured to provide datacenter redundancy. In this use case, nodegroups are created by logically grouping the cluster nodes. You must create active and spare nodegroups. When the active nodegroup goes down, the spare nodegroup which has the highest priority (the lower priority number) is made active and it starts serving traffic.

For more information, see http://docs.citrix.com/en-us/netscaler/11/system/clustering/cluster-managing/cluster-nodegroups-datacenter-redundancy.html.

With the Equal Cost Multiple Path (ECMP) mechanism, virtual server IP addresses are advertised by all active cluster nodes. This means that traffic can be received by any cluster node, which then steers the traffic to the node that must process the traffic. While there are no hassles in this approach, there can be a lot of redundant steering in case of spotted and partially striped virtual servers. Therefore, from NetScaler 11 onwards, spotted and partially striped virtual server IP addresses are advertised only by the owner nodes. This reduces the redundant steering.

You can override this default behavior, by entering the following command in the VTYSH shell:

ns(config)# ns spotted-vip-adv all-nodes

In a dynamic cluster link aggregation (LA) deployment that has link redundancy enabled, you can configure the cluster to select the partner channel or interface on the basis of its throughput. To do this, configure a threshold throughput on the channel or interface as follows:

> set channel CLA/1 -linkRedundancy ON -lrMinThroughput <positive_integer>

The throughput of the partner channels is checked against the configured threshold throughput. The partner channel that satisfies the threshold throughput is selected in FIFO manner. If none of the partner channel meets the threshold, or if threshold throughput is not configured, the partner channel with the maximum number of links is selected.

You can now run dynamic routing on a striped SNIP address in a NetScaler cluster. The routes advertised by the cluster have the striped SNIP as the next hop. There is just one adjacency with the cluster. Internally, the cluster picks one of the active nodes as the routing leader. When the current routing leader goes down, the routing ownership moves to an active node.

Note:

- Striped SNIP addresses are useful mainly for cluster LA (link aggregation) deployments. They can also be used for ECMP, but the multipath routing functionality is unavailable.

- Striped SNIP addresses can also be used in asymmetrical topologies.

- Routing on striped SNIPs and routing on spotted SNIPs can coexist in a cluster.

To specify leader node configurations, in the VTYSH shell, use the "owner-node leader" command.

BridgeGroups are now supported in a NetScaler cluster deployment.

In a L3 cluster, different nodegroups can have different VLANs and subnets associated with them. This can result in a VLAN getting exposed only in some nodes. Therefore, you can now configure dynamic routing on a VLAN to expose the VLAN to ZebOS even when there are no IP addresses with dynamic routing that are bound to it. The command to configure this is:

> add/set vlan <id> -dynamicRouting (ENABLED | DISABLED)

Note:

- This option is also available for VXLAN and BridgeGroups.

- This configuration can also be used for L2 clusters.

You can now configure a NetScaler appliance to log DNS requests and responses. The logs are in SYSLOG format. You can use these logs to:

- Audit the DNS responses to the client

- Audit DNS clients

- Detect and prevent DNS attacks

- Troubleshoot

The rewrite and responder features now support DNS. You can now configure rewrite and responder functionalities to modify DNS requests and responses as you would for HTTP or TCP requests and responses.

The NetScaler appliance supports caching of negative responses for a domain. You can enable or disable negative caching from the command line, by setting cacheNegativeResponses with the set dns parameter command, or in the configuration utility, in the Configure DNS Parameters dialog box.

Note: You can enable or disable negative caching independent of global caching. By default, negative caching is enabled.

Support for binding a single Virtual Server as a backup for multiple GSLB Virtual servers

In a GSLB site deployment, you can now bind a single virtual server as a backup virtual server for multiple GSLB virtual servers in the deployment.

You can now set the maintenance state for your server with minimal interruption and without changing any configuration on the NetScaler appliance. In the maintenance state, the server continues to accept persistent client connections while new connections are load balanced among the active servers. On the NetScaler appliance, configure a transition out of service (TROFS)-enabled monitor and bind it to a service representing the server. Specify a trofsCode or trofsString in the monitor. Upon receipt of a matching code or string from the server in response to a monitor probe, the appliance places the service in the TROFS state. During this time, it continues to honor persistent client connections.

To avoid disrupting established sessions, you can place a service in the TROFS state by doing one of the following:

- Adding a TROFS code or string to the monitor: Configure the server to send a specific code or string in response to a monitor probe.

- Explicitly disable the service and:

- Set a delay (in seconds).

- Enable graceful shut down.

Adding a TROFS Code or String

Note: This enhancement is not applicable to GSLB services.

From release 11, if you bind only one monitor to a service, and the monitor is a TROFS-enabled monitor, it can place the service in the TROFS state on the basis of the server's response to a monitor probe. This response is compared with the value in the trofsCode parameter for an HTTP monitor or the trofsString parameter for an HTTP-ECV or TCP-ECV monitor. If the code matches, the service is placed in the TROFS state. In this state, it continues to honor the persistent connections.

If multiple monitors are bound to a service, the effective state of the service is calculated on the basis of the state of all the monitors that are bound to the service. Upon receiving a TROFS response, the state of the TROFS-enabled monitor is considered as UP for the purpose of this calculation. For more information about how a NetScaler appliance designates a service as UP, see http://docs.citrix.com/en-us/netscaler/10-5/ns-tmg-wrapper-10-con/ns-lb-wrapper-con-10/ns-lb-clienttraffic-con/ns-lb-clienttraffic-gracefulshutdown-tsk.html.

Important!

- You can bind multiple monitors to a service, but only one monitor must be TROFS-enabled.

- You can convert a TROFS-enabled monitor to a monitor that is not TROFS-enabled, but not vice versa.

If you have configured spillover on a virtual server and also configured a trap listener on the appliance, an SNMP trap is now sent to the trap listener when the virtual server experiences spillover. The trap message displays the name of the virtual server that experienced the spillover, the spillover method, the spillover threshold, and the current spillover value. If the spillover is policy based, the rule causing it appears in the Spillover Threshold field. If the virtual server is DOWN or disabled, the status message "vserver not up" appears in the trap message.

The following global timeouts has been introduced for TCP sessions on a NetScaler appliance related to RNAT rules, forwarding sessions, or load balancing configuration of type ANY:

* Any TCP Client. Global idle timeout, in seconds, for TCP client connections. Client timeout set for an entity overrides the global timeout setting.

* Any TCP Server. Global idle timeout, in seconds, for TCP server connections. Server timeout set for an entity overrides the global timeout setting.

These timeout can be set either from the NetScaler command line (set ns timeout command) or from the configuration utility (System > Settings > Change Timeout Values page).

Note: For applying these timeouts to a virtual server or service of type ANY, set these timeouts before adding the virtual server or the service.

In earlier releases, if the internal dispatcher failed, the services that used scriptable monitors also went down and the appliance had to be restarted. From release 11, if the internal dispatcher fails, the pitboss process restarts it. As a result, you no longer have to restart the appliance. For information about user monitors, see http://docs.citrix.com/en-us/netscaler/11/traffic-management/load-balancing/load-balancing-custom-monitors/understand-user-monitors.html.

You can now use IPv6 addresses in the following monitors:

- USER

- SMTP

- NNTP

- LDAP

- SNMP

- POP3

- FTP_EXTENDED

- STOREFRONT

- APPC

- CITRIX_WI_EXTENDED

Note: The monitor for MySQL does not support IPv6 addresses.

If you have set the persistence type to COOKIEINSERT, you can now encrypt the cookie in addition to any existing SSL encryption by using the NetScaler command line and configuration utility.

At the NetScaler command prompt, type:

set lb parameter -useSecuredPersistenceCookie Enabled-cookiePassphrase test

In the configuration utility, navigate to Traffic Management > Load Balancing > Change Load Balancing Parameters and select Use Secured Persistence Cookie and Cookie Passphrase and enter a passphrase.

You can now monitor LDAP services over SSL. To monitor the LDAP services over SSL, use the built-in LDAP monitor or create a user monitor and enable the "secure" option.

If you configure cookie persistence and custom cookie on a virtual server, and later change the name or IP address of the virtual server, persistence is not honored.

This enhancement adds support for cross-domain Kerberos constrained delegation when both the user and the service realm have a two-way shortcut trust. That is, if the user and service belong to different domains/realms, constrained delegation fails. However, if a user logs on with a user name and password, Kerberos Single Sign-On works for cross-domain access, because the NetScaler Gateway appliance does Kerberos impersonation with the user password. NetScaler Gateway currently does not otherwise support cross-domain constrained delegation.

SharePoint 2013 and Outlook Web Access 2013 are supported with clientless VPN access mode.

This feature allows administrators to deploy NetScaler Gateway with XenApp and XenDesktop in a striped style cluster where all nodes in the cluster serve traffic. Administrators can use existing Gateway configurations and scale seamlessly in a cluster deployment without having to restrict the VPN configuration to a single node.

Note that this feature is limited to ICA Proxy basic mode virtual servers and does not support SmartAccess.

NetScaler Gateway now has a full Linux VPN client plug-in. The plug-in is supported on Ubuntu 12.04 and 14.04 distributions.

WebFront is an alternative integration point for XenApp and XenDesktop deployments served by StoreFront. Resident on NetScaler, WebFront uses caching and packet flow optimization in the distribution of user stores. These techniques improve end user experience for Receiver for Web users and speeds up single sign-on for native Receiver users. In the NetScaler configuration utility, the WebFront feature is on the Configuration tab at System --> WebFront.

The desktop client plug-ins icons can now be configured to operate independently from Native Citrix Receiver clients. Settings to manage Receiver integration with the NetScaler Gateway Plug-ins can be configured globally and within session policies.

The Portal Customization options have been expanded to allow end-to-end customization of the VPN user portal. Administrators can apply themes to their VPN portal design or use them as a foundation for their own customization or branding. An option to present VPN users an End User License Agreement (EULA) has also been added to the portal design. Portal themes and EULAs can be bound to a VPN virtual server or specified as global VPN parameters.

NetScaler now uses SPNEGO encapsulation on Kerberos tickets that are sent to backend web applications and servers.

The SmartControl feature allows administrators to apply access policies for various XenApp and XenDesktop attributes through NetScaler Gateway without the need for identical policy duplication on the XenApp or XenDesktop servers.

NetScaler Gateway now has a full iOS VPN client plug-in. The plug-in is supported on iOS 7 and later releases.

This feature extends NetScaler Gateway connectivity with access to any web application through a single URL, along with seamless single sign-on and sign-off. Single URL access can be configured for:

- Internal organizational web applications

- Software as a Service applications, including SAML based single sign-on when available

- Outlook Web Access and SharePoint as clientless applications

- Load balanced applications served through NetScaler load balancing virtual servers

- XenApp and XenDesktop published resources.

The feature can be configured and managed with the Unified Gateway wizard in the NetScaler configuration utility.

NetScaler Gateway virtual servers have improved intelligence for handling CGP traffic destined for the common CGP port, 2598, over WebSockets. This enhancement allows Receiver for HTML5 user sessions through NetScaler Gateway to support Session Reliability.

This enhancement adds support to disable Autoupdate for NetScaler Gateway Endpoint Analysis and VPN plug-in.

Automatic session timeout can be enabled for ICA connections as a VPN parameter. Enabling this parameter forces active ICA connections to time out when a VPN session closes.

The Unified Gateway Wizard for XenDesktop/Xenapp Application creates wrong configurations with the Storefront option. The client launches the Java plug-in instead of Win/Mac/iOS/Android plug-in.

The WebFront enhancement supports the transparent SSO feature when accessed from the Citrix Receiver. WebFront optimizes packet flow and improves performance for users accessing StoreFront through Gateway using Citrix Receivers. Data transferred over WAN is reduced by 41%.

NetScaler Gateway now has an Android client plug-in that supports full VPN capabilities. The plug-in supports Android versions 4.1 and later.

You can now improve the processing power of and increase storage space in your NetScaler Insight Center deployment by adding agents, connectors, and databases. An agent processes HTTP traffic and sends the data to the connectors that distribute this data across databases. You can add multiple agents, connectors, and databases to scale your deployment. In this deployment, you can also the decide the number of resources you have to allocate and determine the elements you need in the database architecture, on the basis of the number of HTTP requests per second, number of ICA sessions, and number of active WAN connections.

You can now configure a DNS server when you set up NetScaler Insight Center. Configuring a DNS server helps resolve the host name of a server into its IP address.

For example, while creating an email server, you now have an option to specify the server name of the server rather than the IP address.

You can now configure NetScaler Insight Center to display the reports in your local time or GMT time.

You can now save the Web Insight reports or HDX Insight reports in PDF, JPEG, PNG , or CSV format on your local computer. You can also schedule the export of the reports to specified email addresses at various intervals.

For more information, see http://docs.citrix.com/en-us/netscaler-insight/11-0/viewing-reports/ni-export-report-con.html.

You can now identify the root cause of a terminated ICA session by viewing the session termination reason on the HDX Insight node. Along with the termination reason, it also displays the session TCP metrics such as ICA RTT and WAN Latency.

You can configure NetScaler Insight Center to display the geo maps for a particular geographical location or LAN by specifying the private IP range (start and end IP address) for the location.

The WAN Insight feature of NetScaler Insight Center gives CloudBridge administrators an easy way to monitor the accelerated and unaccelarted WAN traffic that flows through CloudBridge datacenter and CloudBridge branch appliances, and it provides end-to-end visibility that includes client-specific data, application-specific data, and branch- specific data. With the ability to identify and monitor all the applications, clients, and branches on the network, you can effectively deal with the issues that degrade performance.

After an ICA connection is established between a client and a NetScaler Gateway appliance, errors or old receiver or server versions, can prevent the appliance from exporting the AppFlow records to NetScaler Insight Center.

In such cases, the NetScaler Insight Center dashboard now displays the reasons for which the NetScaler appliance does not export the AppFlow records.

NetScaler Insight Center now supports monitoring NetScaler appliances deployed in LAN user mode. The dashboard now displays the following user access types, depending on the NetScaler deployment:

- Remote user: User connected to XenApp or XenDesktop server through a NetScaler Gateway.

- Transparent mode user: User connected to XenApp or XenDesktop server directly, with no intervening virtual server.

- LAN user: Internal user connected to XenApp or XenDesktop server directly, without configuring the routing rules on a NetScaler ADC.

The HDX Insight reports now support hop diagrams, which provide complete details about the client, NetScaler ADC, and server in an active session.

To display the hop diagram, on the dashboard tab, navigate to HDX Insight > Users >, click on a user name and, in the Current Application Sessions table, click on the session diagram icon.

You can now increase the storage space of NetScaler Insight Center to 512 GB.

The NetScaler Insight Center configuration utility now displays the progress of the upgrade process.

Multi-Hop support for NetScaler Insight Center enables Insight Center to detect which Citrix appliances a connection passes through (CloudBridge, NetScaler, NetScaler Gateway), and in which order, for improved reporting.

When you use the NetScaler provisioning wizard, the option to upload the XVA file has been added to the wizard. To use the XVA file to create a NetScaler instance, you need to first upload the XVA file.

Syslog Viewer helps you in searching through the syslog messages based on various filters. You can narrow your search based on module like API, CLI, CONFIG, EVENT etc. You can further choose the type of message that you want to search through, like, ALERT, CRITICAL etc. Syslog Viewer also provides the option to search through regular expression or based on case sensitive text

If you create channels on SDX and use these channels in VPXs and then take a backup of the appliance to restore either the complete appliance or selected instances, then channels are not restored and instances may fail.

The default timezone when management service creates NetScaler instances is the NTP timezone. When this default timezone is modified using the management service, then the update is synchronized across the NetScaler instances

When you configure an LDAP server and provide the IP address of the LDAP server, the management service automatically fetches the attributes like Server Logon Name Attribute, Search Filter, Group Attribute, Sub Attribute Name. This helps in reducing the error during filling these details for LDAP configuration.

NetScaler SDX supports cluster with three tuple notation.

The Initiate Virtual-NMI generates a core dump of a VPX instance. Initiating a virtual NMI is useful when your NetScaler instance has stopped responding. To generate a virtual NMI, click on Configuration > Diagnostics. Click Initiate NMI under Non-Maskable Interrupt.

Management service now provides support for XenServer 6.5.

You can now partially allocate licenses as required for your deployment. For example, if your license file contains ten licenses, but your current requirement is for only six licenses, you can allocate six licenses now, and allocate additional licenses later. You cannot allocate more than the total number of licenses present in your license file.

NetScaler SDX appliance now supports SNMP MIB configuration. You can configure SNMP MIB from Management Service by navigating to Configuration > System > SNMP > Settings > Configure SNMP MIB

NetScaler SDX Appliance now displays the reboot progress. This helps in keeping the user informed about the various stages of the appliance reboot.

In the Management Service, the user interface for licensing the NetScaler SDX appliances is now identical to the user interface for licensing the NetScaler MPX and NetScaler VPX appliances.

Management service now provides support for SNMP v3 traps in addition to the already existing support for SNMP v2 traps. SNMP v3 provides better administration and security capabilities through better encryption, authentication and data integrity mechanisms.

You can use the Setup Wizard to complete all the first time configurations in a single flow. You can use the wizard to assign various management network IP addresses, configure system settings, change the default admin password, manage and update licenses.

You can also use this wizard to modify the network configuration details that you provided for the NetScaler SDX appliance during initial configuration.

To access the wizard, navigate to Configuration > System, under Setup Appliance, click Setup Wizard.

Options to disable and enable TLSv1, TLSv1.1, and TLSv1.2 has been added in the Management Service. To enable or disable TLS, navigate to Configuration > System. In the System Settings group, click on Change SSL Settings link.

For a configured GRE IP tunnel, the NetScaler appliance encapsulates the entire Layer 2 packet, including the Ethernet header and the VLAN header (dot1q VLAN tag). IP GRE tunnels between NetScaler appliances and some 3rd party devices might not be stable, because these 3rd party devices are not programmed to process some or the Layer 2 packet headers.

To configure a stable IP GRE tunnel between a NetScaler appliance and a 3rd party device, you can use a new parameter with the GRE IP tunnel command set. You can set the GRE payload parameter to do one of the following before the packet is sent through the GRE tunnel:

- Carry the Ethernet header but drop the VLAN header

- Drop the Ethernet header as well as the VLAN header

- Carry the Ethernet header as well the VLAN header

The NetScaler appliance does not block traffic that matches an ACL rule if the traffic is destined to the appliance's NSIP address, or one of its SNIP addresses, and a port in the 3008-3011 range.

This behavior is now specified by the default setting of the new Implicit ACL Allow (implicitACLAllow) parameter (of the L3 param command). You can disable this parameter if you want to block traffic to ports in the 3008-3011 range. An appliance in a high availability configuration makes an exception for its partner (primary or secondary) node. It does not block traffic from that node.

To disable or enable this parameter by using the command line interface

At the command prompt, type:

> set l3param -implicitACLAllow [ENABLED|DISABLED]

Note: The parameter implicitACLAllow is enabled by default.

Example

> set l3param -implicitACLAllow DISABLED

Done

As a part of BGP loop prevention functionality, if a router receives a BGP packet containing the router's Autonomous System Number (ASN) in the Autonomous Systems (AS) path, the router drops the packet. The assumption is that the packet originated from the router and has reached the place from where it originated.

If an enterprise has several sites with a same ASN, BGP loop prevention causes the sites with an identical ASN to not get linked by another ASN. Routing updates (BGP packets) are dropped when another site receives them.

To solve this issue, BGP AS-Override functionality has been added to the ZebOS BGP routing module of the NetScaler.

With AS-Override enabled for a peer device, when the NetScaler appliance receives a BGP packet for forwarding to the peer, and the ASN of the packet matches that of the peer, the appliance replaces the ASN of the BGP packet with its own ASN number before forwarding the packet.

The NetScaler appliance can now log header information of HTTP requests related to an LSN configuration. The following header information of an HTTP request packet can be logged:

- URL that the HTTP request is destined to.

- HTTP Method specified in the HTTP request.

- HTTP version used in the HTTP request.

- IP address of the subscriber that sent the HTTP request.

An HTTP header log profile is a collection of HTTP header attributes (for example, URL and HTTP method) that can be enabled or disabled for logging. The HTTP header log profile is then bound to an LSN group. The NetScaler appliance then logs HTTP header attributes, which are enabled in the bound HTTP header log profile for logging, of any HTTP requests related to the LSN group.

An HTTP header log profile can be bound to multiple LSN groups but an LSN group can have only one HTTP header log profile.

In earlier releases, Layer 2 information (for example, destination MAC address, source VLAN, and Interface ID) about packets related to forwarding sessions were ignored during a PBR lookup. In other words, any packet related to a forwarding session was not considered for matching against a PBR having Layer 2 parameters as its condition.

Now, layer 2 information about a packet related to a forwarding session is matched against layer 2 parameters in the configured PBRs.

This feature is useful in a scenario where packets related to a forwarding session must be processed by another device before being sent to their destination.

Following are the benefits of this support:

- Instead of defining new PBRs that are based on Layer 3 parameters, you can use existing PBRs based on Layer 2 parameters for sending the packets related to forwarding sessions to the desired next hop device.

- In a deployment that includes NetScaler appliances and optimization devices (for example, Citrix ByteMobile and Citrix CloudBridge appliances), PBRs based on Layer 2 parameters can be very handy compared to other, complex configuration for identifying the forwarding session related packets for PBR processing.

- Identifying forwarding session related Ingress packets for sending them to the optimization device.

- Identifying egress packets, which also matched a forwarding session rule, from the optimization device for sending the packets to the desired next hop device.

A new wildcard mask parameter for extended ACLs and ACL6s can be used with the source MAC address parameter to define a range of MAC addresses to match against the source MAC address of incoming packets.

MAC Address Wildcard Mask for PBRs

A new wildcard mask parameter for PBRs and PBR6s can be used with the source MAC address parameter to define a range of MAC addresses to match against the source MAC address of outgoing packets.

The NetScaler appliance, for INAT and RNAT rules, now supports using client port as the source port for server side connections. A parameter Use Proxy Port has been added to the INAT and RNAT command set. When Use Proxy Port is disabled for an INAT rule or a RNAT rule, the NetScaler appliance retains the source port of the client's request for the server side connection. When the option is enabled (default), the NetScaler appliance uses a random port as the source port for the server side connection.  

You must disable this parameter for proper functioning of certain protocols that require a specific source port in the request packet.

A redundant interface set is a set of interfaces in which one interface is active and the others are on standby. If the active interface fails, one of the standby interfaces takes over and becomes active.

Following are the main benefits of using redundant interface sets:

- The back-up links between the NetScaler appliance and a peer device ensure connection reliability.

- Unlike link redundancy using LACP, no configuration is required on the peer device for a redundant interface set. To the peer device, a redundant interface set appears as individual interfaces, not as a set or collection.

- In a high availability (HA) configuration, redundant interface sets can minimize the number the HA failovers.

A redundant interface set is specified in LR/X notation, where X can range from 1 to 4. For example, LR/1.

In a static ARP entry, you can specify the VLAN through which the destination device is accessible. This feature is useful when the interface specified in the static ARP entry is part of multiple tagged VLANs and the destination is accessible through one of the VLANs. The NetScaler appliance includes the specified VLAN ID in the outgoing packets matching the static ARP entry. If you don't specify a VLAN ID in an ARP entry, and the specified interface is part of multiple tagged VLANs, the appliance assigns the interface's native VLAN to the ARP entry.

For example, say NetScaler interface 1/2 is part of native VLAN 2 and of tagged VLANs 3 and 4, and you add a static ARP entry for network device A, which is part of VLAN 3 and is accessible through interface 1/2. You must specify VLAN 3 in the ARP entry for network device A. The NetScaler appliance then includes tagged VLAN 3 in all the packets destined to network device A, and sends them from interface 1/2.

If you don't specify a VLAN ID, the NetScaler appliance assigns native VLAN 2 for the ARP entry. Packets destined to device A are dropped in the network path, because they do not specify tagged VLAN 3, which is the VLAN for device A.

In an active-active deployment, all NetScaler nodes use the Virtual Router Redundancy Protocol (VRRP) to advertise their master VIP addresses and the corresponding priorities in VRRP advertisement packets (hello messages) at regular intervals.

VRRP uses the following communication intervals:

* Hello Interval—Interval between successive VRRP hello messages that a node sends, for all of its active (master) VIP addresses, to the other nodes of the VRRP deployment. For a VIP address, nodes on which the VIP address is in the inactive state use the hello messages as verification that the master VIP address is still UP.

* Dead Interval—Time after which a node of a backup VIP address considers the state of the master VIP address to be DOWN if VRRP hello messages are not received from the node that has the master VIP address. After the dead interval, the backup VIP address takes over and becomes the master VIP address.

You can change these intervals to a desired value on each node. They apply to all VIP addresses on that node.

For ensuring the integrity, data origin authentication, and data confidentiality of OSPFv3 packets, OSPFv3 authentication must be configured on OSPFv3 peers.

The NetScaler appliance supports OSPFv3 authentication and is partially compliant with RFC 4552. OSPFv3 authentication is based on the two IPSec protocols: Authentication Header (AH) and Encapsulating Security Payload (ESP). The NetScaler supports only the AH protocol for OSPFv3 authentication.

OSPFv3 authentication use manually defined IPSec Security Associations (SAs) between the OSPFv3 peers and does not rely on IKE protocol for forming dynamic SAs. Manual SAs define the security parameter Index (SPI) values, algorithms, and keys to be used between the peers. Manual SAs require no negotiation between the peers; therefore, same SA must be defined on both the peers.

You can configure OSPFv3 authentication on a VLAN or for an OSPFv3 area. When you configure for a VLAN, the settings are applied to all the interfaces that are member of the VLAN. When you configure OSPFv3 authentication for an OSPF area, the settings are applied to all the VLANs in that area. The settings are in turn applied to all the interfaces that are members of these VLANs. These settings do not apply to member VLANs on which you have configured OSPFv3 authentication directly.

NetScaler VPX appliances now support receiving and transmitting jumbo frames containing up to 9216 bytes of IP data. Jumbo frames can transfer large files more efficiently than is possible with the standard IP MTU size of 1500 bytes.

A NetScaler appliance can use jumbo frames in the following deployment scenarios:

- Jumbo to Jumbo. The appliance receives data as jumbo frames and sends it as jumbo frames.

- Non-Jumbo to Jumbo. The appliance receives data as regular frames and sends it as jumbo frames.

- Jumbo to Non-Jumbo. The appliance receives data as jumbo frames and sends it as regular frames.

Jumbo Frames support is available on NetScaler VPX appliances running on the following virtualization platforms:

- VMware ESX (Note that NetScaler VPX appliances running on VMware ESX support receiving and transmitting jumbo frames containing up to only 9000 bytes of IP data.)

- Linux-KVM

For configuring Jumbo Frames on a NetScaler VPX appliance, you must:

- Set the MTU of the interface or channel of the VPX appliance to a value in the range 1501-9216. Use the NetScaler command line interface or the configuration utility of the VPX appliance to set the MTU size.

- Set the same MTU size on the corresponding physical interfaces of the virtualization host by using its management applications.

The NetScaler appliance supports sending static IPv6 routes through a VXLAN. You can enable the NetScaler appliance to send an IPv6 route through either a VXLAN or a VLAN. A VXLAN parameter is added to the static IPv6 route command set.

The NetScaler appliance supports IPv6 dynamic routing protocols for VXLANs. You can configure various IPv6 Dynamic Routing protocols (for example, OSPFv3, RIPng, BGP) on VXLANs from the VTYSH command line. An option IPv6 Dynamic Routing Protocol has been added to VXLAN command set for enabling or disabling IPv6 dynamic routing protocols on a VXLAN. After enabling IPv6 dynamic routing protocols on a VXLAN, processes related to the IPv6 dynamic routing protocols are required to be started on the VXLAN by using the VTYSH command line.

To ensure that a backup VIP address takes over as the master VIP before the node of the current master VIP address goes down completely, you can configure a node to change the priority of a VIP address on the basis of the states of the interfaces on that node. For example, the node reduces the priority of a VIP address when the state of an interface changes to DOWN, and increases the priority when the state of the interface changes to UP. This feature is configured on each node. It applies to the specified VIP addresses on the node.

To configure this feature on a node, you set the Reduced Priority (trackifNumPriority) parameter, and then associate the interfaces whose state is to be tracked for changing the priority of the VIP address. When any associated interface's state changes to DOWN or UP, the node reduces or increases the priority of the VIP address by the configured Reduced Priority (trackifNumPriority) value.

The front end optimization feature now supports the conversion of GIF, JPEG, TIFF, and PNG images to JPEG-XR format as part of the image optimization functionality.

You can now monitor and display the statistics of the media traffic going through the NetScaler appliance.

The front end optimization feature now supports the conversion of GIF, JPEG, and PNG images to WEBP format as part of the image optimization functionality.

The MPX 25100T and MPX 25160T platforms are now supported in this release. For more information about these platforms, see http://docs.citrix.com/en-us/netscaler/11/netscaler-hardware-installation/netscaler-hardware-platforms/mpx-25100t-25160t.html.

The NetScaler appliance now supports policy extensions, which you can use to add customized functions to default syntax policy expressions. An extension function can accept text, double, Boolean or number values as input, perform a computation, and produce a text, double, Boolean or number result.

Transaction scope variables are added to variables feature. You can now use transaction scope variables to specify separate instances with values for each transaction processed by the NetScaler appliance. Transaction variables are useful for passing information from one phase of the transaction to another. For example, you can use a transaction variable to pass information about the request onto the response processing.

The NetScaler appliance now supports SNI with a SAN extension certificate. During handshake initiation, the host name provided by the client is first compared to the common name and then to the subject alternative name. If the name matches, the corresponding certificate is presented to the client.

DH key generation is optimized on a VPX appliance by adding a new parameter dhKeyExpSizeLimit. You can set this parameter on an SSL virtual server or on an SSL profile and bind the profile to the SSL virtual server. The key generation is optimized as defined by NIST in http://csrc.nist.gov/publications/nistpubs/800-56A/SP800-56A_Revision1_Mar08-2007.pdf. Additionally, the minimum DH count is set to zero. As a result, you can now generate a DH key for each transaction as opposed to a minimum of 500 transactions earlier. This helps to achieve perfect forward secrecy (PFS).

The NetScaler appliance now supports the TLS_FALLBACK_SCSV signaling cipher suite value. The presence of this SCSV extension in the Client Hello indicates that the client is retrying to connect to the server by using a lower SSL version, after its previous attempt to communicate with a higher version failed. Therefore, if the server finds this extension in Client Hello and also finds that the client is proposing a version that is lower than the maximum version supported by the server, it is a likely indication of a "man in the middle attack." The server drops these handshakes.

For more information, see http://docs.citrix.com/en-us/netscaler/11/traffic-management/ssl/customize-ssl-config/config-protocol-settings.html.

EDH, DHE, ADH, EXP, and ECDHE ciphers are now supported on a DTLS virtual server.

The NetScaler software has been enhanced to automatically detect the format of the certificate-key pair. To do so, the format of the certificate and key file should be the same. If you specify the format in the inform parameter, it is ignored by the software. Supported formats are PEM, DER, and PFX.

The NetScaler appliance now supports the following ECDHE ciphers at the back end:

- TLS1-ECDHE-RSA-RC4-SHA

- TLS1-ECDHE-RSA-DES-CBC3-SHA

- TLS1-ECDHE-RSA-AES128-SHA

- TLS1-ECDHE-RSA-AES256-SHA

Note: This feature is available only for NetScaler MPX platforms.

The following SNMP OIDs have been added to the display the SSL transactions per second:

NS-ROOT-MIB::sslTotTransactionsRate.0 = Gauge32: 0

NS-ROOT-MIB::sslTotSSLv2TransactionsRate.0 = Gauge32: 0

NS-ROOT-MIB::sslTotSSLv3TransactionsRate.0 = Gauge32: 0

NS-ROOT-MIB::sslTotTLSv1TransactionsRate.0 = Gauge32: 0

The NetScaler MPX appliance now supports TLS protocol versions 1.1 and 1.2 on the backend. MPX-FIPS appliances running firmware version 2.2 also support TLSv1.1/1.2 on the backend. On an SDX appliance, TLSv1.1/1.2 is supported on the backend only if an SSL chip is assigned to the VPX instance.

You can configure the SSL virtual server to accept only client certificates that are signed by a CA certificate bound to the virtual server. To do so, enable the ClientAuthUseBoundCAChain setting in the SSL profile bound to the virtual server.

For more information, see http://docs.citrix.com/en-us/netscaler/11/traffic-management/ssl/config-ssloffloading/ssl-profiles.html.

The show ciphersuite command now displays the IETF standard hexadecimal code of the cipher. It is helpful in debugging, because a hex code is unique to a cipher but the cipher name might differ on the NetScaler appliance, OpenSSL, and Wireshark.

At the NetScaler command line, type:

show ciphersuite

In the configuration utility, navigate to Traffic Management > SSL > Cipher Groups.

If user-defined ciphers or cipher groups are not bound to an SSL virtual server, the DEFAULT cipher group is used for cipher selection at the front end and the ALL cipher group is used for cipher selection at the back end. In this release, the predefined cipher suites, such as DEFAULT and ALL, are modified to give strong ciphers a higher priority. For example, earlier RC4-MD5 was given a higher priority but it is deprioritized in the new list because it is a weak cipher.

The NetScaler VPX appliance now supports TLS protocol versions 1.1 and 1.2 on the front end. On an SDX appliance, TLSv1.1/1.2 are supported on the front end even if an SSL chip is not assigned to the VPX instance.

If you configure a common name on an SSL service or service group for server certificate authentication, the subject alternative name (SAN), if specified, is matched in addition to the common name. Therefore, if the common name does not match, the name that you specify is compared to the values in the SAN field in the certificate. If it matches one of those values, the handshake is successful. Note that in the SAN field, only DNS names are matched.

With this release, the default certificate on a NetScaler appliance is 2048-bits. In earlier builds, the default certificate was 512-bits or 1024-bits. After upgrading to release 11.0, you must delete all your old certificate-key pairs starting with "ns-", and then restart the appliance to automatically generate a 2048-bit default certificate.

Call home support for NetScaler VPX models

Call home support has been added to NetScaler VPX models 1000 and higher.

You can now set the maximum congestion window size for a TCP profile on the NetScaler appliance.

During the execution of the "nstrace.sh" script (from shell) or the "start nstrace" command (from CLI), when the trace file is rolled over, some packets might not be available in the trace. The number of packets that will be dropped from the trace is directly proportional to the traffic rate.

Support for milliseconds, microseconds, and nanoseconds in Time Format Definition table

You can now configure NetScaler web logging clients to capture transaction times in milliseconds, microseconds, and nanoseconds for logging on the NetScaler appliance.

The script used to upload collector archives to Citrix servers is now packaged as part of the official NetScaler build (collector_upload.pl). However, using this script directly is not recommended. Instead, use the -upload option in showtechsupport utility to upload the archives.

The NetScaler appliance supports HTTP/2 connections with clients supporting HTTP/2 protocol.

The NetScaler introduces a new role called sysadmin. A sysadmin is lower than a superuser is terms of access allowed on the appliance. A sysadmin user can perform all NetScaler operations with the following exceptions: no access to the NetScaler shell, cannot perform user configurations, cannot perform partition configurations, and some other configurations as stated in the sysadmin command policy.

The NetScaler appliance fails intermittently when trace is started in 'RX' mode.

In NetScaler release 11, the NTP version has been updated from 4.2.6p3 to 4.2.8p2.

If you upgrade your NetScaler appliance from any earlier release to release 11, the NTP configuration is automatically upgraded with additional security policies. For more information about configuring an NTP server, see http://docs.citrix.com/en-us/netscaler/11/system/basic-operations/configuring-clock-sychronization.html.

The TCP profiles on a NetScaler appliance now support forward acknowledgement (FACK). FACK avoids TCP congestion by explicitly measuring the total number of data bytes outstanding in the network, and helping the sender (either a NetScaler ADC or a client) control the amount of data injected into the network during retransmission timeouts.

If your NetScaler appliance has Internet connectivity, you can now directly upload the newly generated collector archive to the Citrix technical support server from the appliance.

The NetScaler Web Logging (NSWL) client logs a hyphen (-) instead of a user name when %u is specified in the log format.

You can now specify the minimum number of reuse pool connections to be opened from the NetScaler appliance to a particular server. This setting helps in optimal memory utilization and reduces the number of idle connections to the server.

The NetScaler appliance generates SNMP clear alarm traps for successful cases of haVersionMismatch, haNoHeartbeats, haBadSecState, haSyncFailure, and haPropFailure error events in an HA configuration.

When IBM Tivoli IdP is used for SAML authentication with NetScaler appliance as the service provider, there could be an issue with SAML assertion verification.

The status of a LDAP server on the authentication dashboard of the NetScaler GUI, will be shown as UP, regardless of the actual status of the LDAP server, for the following combinations:

- Security type is SSL and port is 389.

- Security type is TLS or PLAINTEXT and port is 636.

The NetScaler implementation of Kerberos does not fully implement the ktutil functionality. While this does not affect Kerberos authentication, it restricts some administrative tasks, such as the ability to merge keytab files.

The IC memory once set for an admin partition, cannot be reduced. An appropriate error message is displayed.

For example, if the IC memory of admin partition is 10 GB, you cannot reduce it to 8 GB. The memory limit can however be increased to a required value.

After adding an admin partition, make sure you save the configurations on the default partition. Otherwise, the partition setup configurations will be lost on system reboot.

RPCSVR services cannot be configured in admin partitions.

Admin partitions are not supported on FIPS appliances. However, owing to this issue, you can create admin partitions on FIPS appliances. You are advised against creating such partitions as they will not function properly.

The GSLB configurations applied in the default partition can be viewed in admin partitions. This is not expected as user must not be able to view configurations that are defined in other partitions.

Hiding or displaying a URL, and some configuration changes might take longer than expected.

The application firewall Graphical User Interface might display a warning when the Qualys signature file is uploaded to the NetScaler appliance. The transformation program that reads the input file is treating a warning message as an error.

If a user request triggers an application firewall policy that is bound to the APPFW_BYPASS profile, the application firewall might fail to generate an SNMP alarm.

If the server sends less data than the amount specified in the Content-length header, the NetScaler application firewall might send a 9845 response and reset the connection.

"Operation timed out" error is displayed in the CLI and the configuration utility while viewing learned rules. This error is only seen intermittently.

On a NetScaler appliance that has standalone application firewall license, when you bind a classic application firewall policy to a load balancing virtual server, an error message is displayed in the graphical user interface. The binding operation is successful. The error message is harmless and can be safely ignored.

The Skip operation for the application firewall learned rules might take longer than expected.

The Graphical User Interface (GUI) for the NetScaler application firewall has significantly changed to provide enhanced user experience and remove browser plugin dependencies. The GUI steps in the current application firewall documents are in need of revision. Some of them do not match the new GUI display.

A POST request with an attached word document is silently blocked by the application firewall for a customized application.

During an upgrade of a NetScaler appliance from version 10.0 to version 10.1 (build 121.1 or subsequent), the default JSON content type is not automatically configured. The default JSON content type is configured when version 10.1 (build 121.1) is installed on new hardware or in a new VPX instance. To check whether your appliance or instance has the correct default setting, log onto the NetScaler command line and type the following command:

> show appfw JSONContentType

If the default content type is configured, the command output is similar to the following example:

> show appfw JSONContentType

1) JSONContenttypevalue: "^application/json$" IsRegex: REGEX

Done

If it is not, the screen shows only the following:

> show appfw JSONContentType

Done

To add the default content type to the configuration, after upgrading to 10.1 (121.1), log onto the NetScaler command line, and then type the following commands to configure the default content type and verify the configuration:

> add appfw JSONContentType ^application/json$ -isRegex REGEX

> show appfw JSONContentType

The customer's application does not work when the application firewall is deployed to inspect the request for security check violations. When the application firewall forwards the request to the backend server, the server responds with a 403 HTTP error code, indicating that it cannot properly validate the CORBA session, and sends the page without the expected data in the form fields. The root cause is under investigation.

Workaround: Turn off form field tagging and credit card checks.

In NetScaler 9.3, if there is a standalone application firewall license, the user is able to bind a classic application firewall policy to the load balancing virtual server. However, in NetScaler 10.1, the design is changed. If the load balancing feature is not licensed, binding a classic application firewall policy to the load balancing virtual server now results in an error message.

Application firewall memory allocation failures might occur, when the integrated cache is also enabled and the memory usage limit for the cache parameter is set to a high value.

The application firewall learning engine stops recommending new rules when the learning database grows to approximately 20-22 megabytes in size. The database size limit is applied on a per profile basis.

In the configuration utility (GUI), selecting the "Remove All Learned Data" action in the application firewall Learned Rules section might not remove the learned data for some of the security checks for the profile.

When a user-defined application firewall signature object is updated by using the configuration utility, the enabled rules might get disabled and the configured actions in some signature rules might not be preserved.

Cisco RISE now supports the following commands:

- show rise param

- set rise param

Following is the usage of the set rise param command:

set rise param [-directMode ( ENABLED | DISABLED )] [-indirectMode ( ENABLED | DISABLED )]

The show rise param command displays the current setting. For example,

RISE-MPX-194-80> show rise param

DirectMode: ENABLED IndirectMode: ENABLED

Done

RADIUS/TACACS remote server auditing does not work.

When L2 mode and MBF is enabled in a cluster deployment, access to * 80 services can fail intermittently.

When a node is removed from a L3 cluster, IPv6 SNIP addresses and routes are being erroneously cleared from the appliance. This behavior is seen only for IPv6 entities. IPv4 SNIPs and routes are not being removed from the appliance.

In a cluster setup, for active FTP, the server cannot initiate a data connection from a random port. Therefore, you must make sure that the "aftpAllowRandomSourcePort" parameter of the "set ns param" command is disabled on the cluster IP address.

When a cluster is connected to more than one upstream router:

- When AS OVERRIDE is not configured on the upstream router, spare nodes will learn VIP routes from one of the routers, but they will be dropped as the path contains its own AS to prevent loop formation.

- When AS OVERRIDE is configured on any upstream router for cluster neighbors, upstream router will change AS path in VIP to its own AS while sending updates to cluster neighbors. Spare nodes will not detect any loop and learnt VIP routes are advertised to other routers.

Spare nodes will not advertise their configured VIP routes but there is no such restriction on BGP learnt routes.

In a NetScaler cluster, a "sh nslogaction" command that is issued from the NSIP address of a cluster node, goes into an infinite loop. The issue is not observed when the command is issued from the cluster IP address.

In a cluster setup, a command that is executed on the cluster configuration coordinator is propagated to the other cluster nodes. Therefore, a command that takes a long time to complete (such as "save ns config"), can take a little extra time to complete on all the cluster nodes. During this time, if you execute another command on the cluster (through another session), that command will fail because the previous command is not yet complete.

You cannot add LB routes in a link load balancing setup that is deployed on a cluster.

The NetScaler command line interface exits abruptly upon executing the "show dns addRec -format old" command.

The subnet mask does not appear after an IPv4 address in the network visualizer.

In the network visualizer, if you click a tagged interface that is part of two or more VLANs, only the VLAN at the top of the list of bound VLANs is highlighted.

An interface does not appear as tagged or untagged in the network visualizer.

If you click a VLAN in the network visualizer, details such as VLAN ID and bound interfaces are not displayed in a separate pane.

The bridge group and VLAN association is not displayed in the network visualizer.

In the NetScaler configuration utility, the page at System> Network > IPs does not display the Type for LSN NATIPs, and the value shown for Traffic Domain is incorrect.

Workaround: Run the sh nsip command to display the values in the command line interface.

The Surge protection feature cannot be configured in an admin partition. Since, surge protection parameters are part of the Change Global System Settings (System > Settings) dialog, when you try to update the global settings, the "Operation not supported" message is displayed.

You cannot upgrade to NetScaler 11 from the following builds by using the Upgrade Wizard of the NetScaler GUI:

- All builds of NetScaler 9.3

- All builds of NetScaler 10.1

- Any build before Build 57.x of NetScaler 10.5

Workaround: Use the command line interface to upgrade the NetScaler appliance.

Some websites might not be able to render the page if the AppFlow clientSideMeasurements parameter is enabled along with some front end optimization actions.

If you rename a server associated with a GSLB service and then run the sync gslb command, the GSLB configuration might not synchronize with the other GSLB sites.

Workaround:

Manually update the server name in the other GSLB sites.

If the state of the IPv6 service on which a client's persistent session is running changes to out-of-service, the session might lose persistence before the client's transaction is completed.

If a NetScaler appliance sending a DNSSEC negative response over UDP is not able to include the required records (for example, SOA, NSECs, and RRSIG records) in the Authority section, the appliance might send a truncated response in the wrong packet format.

IPV6 addresses are trimmed when data is retrieved from the packet engine because the prefix length variable is unset during the GET operation.

When displaying the results of the "show lb monitor" command, the numbering of the user-defined monitors restarts from 1 instead of continuing the numbering from the list of built-in monitors.

During login, the icon present in the dock is changed to the previous version's icon. After the login process is finished, the icon changes to the new icon.

Workaround: Quit the plugin and restart it. The new icon shows normally during the login process.

When a VPN works as a SAML SP in a two-factor case, and if the Get /vpn/index after /cgi/samlauth comes to the same core, NetScaler resends the SAML Auth request.

Intermittent issues appear in multi-core systems. It works normally if both requests go to different cores.

The NetScaler Gateway URL cannot be added to a Store with Receiver for Windows if only the SHA 384 cipher is enabled in the Receiver OS.

Chrome is phasing out NPAPI support. From Chrome version 42+ all NPAPI plugins will appear as if they are not installed. This will affect all existing customers. Affected customers will see a download prompt even though the VPN plugin is installed.

Workaround: Google has announced that Chrome will stop supporting NPAPI completely in version 45.

Until then, you can enable NPAPI as follows:

1) In the Chrome URL bar, type:

Chrome://flags

2) Enable the "Enable NPAPI" option.

3) Restart Chrome.

For more information about NPAPI deprecation, see https://support.google.com/chrome/answer/6213033?hl=en

When the maxAAAUsers parameter is UNSET on a VPN virtual server, NetScaler Gateway does not update the value to previously set value. Due to this, numbers of users allowed on a vpn virtual server cannot be increased by applying an UNSET operation. Administrators need to configure a SET operation as a workaround.

For example, if the administrator configures 10 as the maxAAAUsers value, then issues a SET operation for 5, if he issues another UNSET, the number of allowed users does not go back to 10 users.

Customized pages are not loaded successfully in Internet Explorer. This is a known limitation of the browser. To get the customized page in IE, open developer tools by pressing F12. Browse to the NetScaler Gateway URL, and access the customized WebFront site. Customized pages are successfully loaded in Chrome.

A seamless Single Sign-On (SSO) to the same URL domain fails when a plug-in is launched in native mode.

When accessing SharePoint 2007 through Clientless VPN, the VPN session terminates, and some URL requests are not rewritten in Clientless VPN mode.

When exiting Receiver for Windows, the NetScaler Gateway plug-in exits also even when icon decoupling is enabled.

If a user adds multiple personal bookmarks with the same URL or fileshare address, but each bookmark has a different name, then deleting one bookmark will delete all of bookmarks with the same address.

Currently, the EULA feature in portal does not work for certificate authorization. It only works for authentication. EULA works fine in other scenarios.

When customizing a portal theme according to previous processes, for example using the command "vpn parameter UITHEME CUSTOM", the administrator needs to copy the CSS files in the NetScaler shell. Because of the design changes for Portal customization in NetScaler Gateway 11.0, copying the CSS files is required. Complete the steps described in the documentation page at:

http://docs.citrix.com/en-us/netscaler-gateway/10-5/ng-connect-users-wrapper-con/ng-connect-users-cr-integration-con/ng-connect-custom-theme-page-tsk.html

The following changes to the steps are needed:

After step 3,

4) At command prompt, type "cd /var/netscaler/logon/themes/ "

If you want to customize the Greenbubble theme, then

"cp -r Greenbubble Custom"

Or if you want to customize the Default theme, then

"cp -r Default Custom"

Now, you can make changes to files under "/var/netscaler/logon/themes/Custom"

Make edits to css/base.css

Copy a custom logo to the /var/ns_gui_custom/ns_gui/vpn/media folder

Make changes to labels in files present in resources/ directory. These correspond to different languages.

Note: You can use WinSCP to transfer the files.

If changes to html pages or javascript files are also needed, then edits in "/var/ns_gui_custom/ns_gui/" would be needed.

After all changes are done to files in "/var/ns_gui_custom/ns_gui"

At command prompt, type

"tar -cvzf /var/ns_gui_custom/customtheme.tar.gz /var/ns_gui_custom/ns_gui/*"

5. Use the configuration utility to switch to the custom theme.

The previous Step 5 is not required in NetScaler Gateway 11.0. Once changes are made to one appliance, they propagate to all appliances in HA or cluster configurations.

After setting a netprofile to the virtual server, unbind and rebind the SSL cert-key pair bound to the virtual server to connect with DTLS. If this is not done, the DTLS connection handshake between the client and the NetScaler Gateway appliance fails. After rebinding the SSL certkey pair, the handshake is accepted and the netprofile is honored.

An internet connection is required for publisher verification for the NetScaler Gateway plug-in for Windows. If not connected to the internet when downloading the plug-in from the NetScaler Gateway, the error 'Publisher AGEE_setup.exe couldn't be verified' occurs.

In a double hop setup, when SSL relay is enabled for XenApp and XenDesktop, the XenApp or XenDesktop resource launch fails. The builds affected: 10.1-118.X to 10.5-55.8.

The pop-up messages for NetScaler Gateway Plug-in for Windows appear behind the active applications (such as browsers) on Windows 8.

Smart Control does not work for applications that have SSL relay enabled on the server with few ICAPOLICY rules.

When using the Smart Control configuration, the ICASESSIONTIMEOUT feature is always enabled. There is not an option to disable it.

When you navigate to Settings > Options > Account in an Outlook Web Access browser, the account information does not appear. This issue occurs on IE 10 and IE 11 browsers.

If Storefront has been configured as WIHome parameter, then accessing the Store Apps in Applications tab in the homepage over Full vpn mode with Windows does not work and an error message "Cannot complete your request" is returned.

On Android 4.4.2.devices, after frequent network changes, the VPN session may disconnect. Until the device is rebooted, a new VPN session can not be established. Upgrading the Android version resolves the problem.

If an invalid certificate is selected as part of login, when certificate Authentication is optional, and two factor authentication is ON, the login fails as expected. But an app saves the certificate, though login failed. The user has to manually delete the saved certificate from the EditConnection Page to retry with a valid/no certificate.

A selected certificate does not get saved when SSL renegotiation with two-factor authentication is enabled. The certificate does get saved when certificate authentication is enabled.

Android devices prior to version 5.0, SSL renegotiation fails when TLS1.2 is enabled.

Certificate based authentication fails for devices running Android versions before 5.0. This is applicable if only TLSv1.2 is enabled on server.

After login is successful from browser, the VIP URL changes to "localvip:8080".

When authprofile and authentication are configured to enable load balancing, the NetScaler appliance displays the /VPN/ Index page when it should display the HTTP Error 401- unauthorized access message. This happens intermittently when forms authentication enabled load balancing is modified for 401 authentication.

The wizard does not support the creation of two Intranet Application type seamless SSO URLs using same LB with different site relative string.

The Linux NetScaler Gateway client fails to launch its system tray icon after installation in Ubuntu 14.04.

Root cause: Ubuntu has turned off whitelisting since version 13.10.

Steps to fix:

sudo apt-add-repository ppa:gurqn/systray-trusty

sudo apt-get update

sudo apt-get upgrade

Then logoff and log in again.

References:

http://ubuntuforums.org/showthread.php?t=2217458

http://askubuntu.com/questions/456950/system-tray-icons-disappeared-after-installing-ubuntu-14-04

https://launchpad.net/~gurqn/+archive/ubuntu/systray-trusty

The Client and EPA Plug-ins don't work with the latest Chrome versions as support for NPAPI is disabled by default. The support will be deprecated entirely in Chrome version 45 in September 2015.

From Chrome version 42, all NPAPI plugins will appear as if they are not installed. This will affect customers upgrading from 10.5 to 11.0. This is also applicable to customers who upgrade from 11.0 Beta builds and later Release builds. Affected customers will see a download prompt even though the VPN or EPA plugin is installed.

Work Around:

There is no work around to enable NPAPI for Chrome on Linux.

Users need to use a browser which allows NPAPI (e.g. Firefox).

More about NPAPI deprecation in Chrome browsers can be found at: https://support.google.com/chrome/answer/6213033?hl=en

The Mac OS Endpoint Analysis (EPA) client only supports TLS1.0 and thus cannot perform EPA if the server has only TLS1.1/1.2 enabled.

There is no workaround for this problem, but a customer can still perform EPA with the Mac VPN plugin. EPA from a browser will not be available if TLS1.0 is not enabled.

The NetScaler Gateway client plug-ins will not decouple immediately for previously installed clients after the 'Show VPN Plugin-in icon with Receiver' option is enabled. Users needs to exit the plugin process and restart to complete the decoupling.

The NetScaler appliance is not able to connect a Mac computer to the VPN if only SSLv2 is enabled.

The NetScaler Gateway Client icon in Launchpad is not updated with the new client installation. Launchpad continues to show the previous Black Lock icon even though the new Blue Lock icon is shown elsewhere in the Finder. This happens because the Finder caches application icons and their aliases. As a result, the Launcher does not update the alias icon when the application's icon has been changed.

Workaround - Clear the Finder's icon cache using following article's instructions: http://apple.stackexchange.com/questions/151549/symbolic-link-icons-dont-update (requires reboot) OR modify the application aliias name in /Applications/Citrix by adding few spaces (minimum two).

On the Unified Gateway Dashboard, the ICA sessions counter increases when a Full VPN session is established. Although the ICA sessions counter is not configured to collect ICA data, the ICA sessions counter increases.

In the EULA and native client, the French characters, 'œ' and 'Œ', do not render properly.

Audio over UDP is not supported with ICA sessiontimeout enabled or with Smart Control.

If two-factor authentication is configured with client certificates and LDAP and if 'Deny SSL Renegotiation' is set to 'All', user connections fail. The 'Deny SSL Renegotiation' parameter must be set to 'No'.

To configure Deny SSL Renegotiation

1. In the configuration utility, on the Configuration tab, in the navigation pane, expand Traffic Management and then expand SSL.

2. In the details pane, under Settings, click 'Change advanced SSL settings'.

3. Select 'No' for 'Deny SSL Renegotiation' and then click OK.

Web applications do not show the complete name of the bookmark. The VPN URL supports 32 characters, but the portal homepage only supports 8~11 characters.

Sometimes the homepage shows up blank on chrome browser . Refreshing the page solves the issue.

When the HTTP/2 Protocol is used to access the VPN with external authentication, the transaction will not go through. Ensure HTTP/2 is disabled in nshttp_default_strict_profile.

Endpoint analysis (EPA) does not start a security scan on the user's device, and the VPN session does not launch with the proxy configured on a Chrome browser.

When set in the Authentication Profile of a load balancing virtual server that is behind a Unified Gateway, the Authentication Domain parameter will cause single sign-on to fail when the authentication is performed by a traffic manager in a different traffic domain.

Two NSC_AAAC cookies are seen when a request is sent by a Client to the VIP. The value is the same for both cookies. One cookie is for FQDN; the other cookie is for the domain.

Two NSC_AAAC cookies are no longer seen after the version 11.0 beta.

When Unified Gateway is deployed with seamless SSO enabled for virtual server authentication, then the authentication servers and policy realms bound at the authentication virtual server will be ignored. Instead, those authentication policies at Gateway are utilized for authentication. Authentication policies at the authentication virtual server are used when step-up authentication is configured using authentication profiles. Increasing the authentication profile's "authentication level" is the method used to step-up authentication.

An unintentional automatic Linux exit happens under the following conditions:

* The NetScaler appliance is configured for dual, certificate authentication and LDAP authentication.

* The subject field of the client certificate doesn't contain an email attribute value.

The plug-in crashes when VPN logout is performed from browser.

This would cause the logout page to not load in browser which directs user to login page.

Work around:

Manually type NSG URL in browser to login again.

Any port other than 1494 and 2598, that needs to be considered as an ICA or CGP port, needs to be explicitly configured as a global ICA port to get the HDX Insight LAN user configuration working.

If you have configured the ICA session timeout value to a high value, say 10 minutes or more, and there is no traffic flow from the NetScaler appliances, neither the timeline chart nor the tabular chart displays any data. However, the Active sessions and Active Desktops columns display the data until the ICA session timeout occurs.

If the ICA Rtt column is the column in extreme left of the session details table, the pop-up box gets cropped in display.

Insight Agent should only be added after configuring and deploying Insight DB Cluster.

Adding a new data node is now driven by Auto Registration. When a kernel is imported, it requests for input from user and does an auto registration with the Insight Server. This allows the Insight Deployment Manager GUI to display the same. Removing a datanode is not presently supported.

If you use the refresh button, it does not have any effect on the slider. Refresh operation does not have any affect on the time shown in the slider. Also, when you change tabs, it does not impact the slider. You can change the time by changing the time duration.

Geo report is only available for daily, weekly, and monthly reports for Web Insight.

When Netscaler Gateway is deployed with CS vserver front-ending a vpn vserver, the VPN vserver needs to have a valid SSL certificate bound and needs to be UP in order to generate HDX Insight reports.

If there are more than 25 records to display in the skip flow window, then only 25 records are displayed as the window does not provide support for pagination.

In SDX systems, sometimes interface or channel binding to a VLAN fails. This happens only if the interface is down or one of the member interfaces of a channel is down.

Changing interface Base MAC to a new MAC from the management service will not happen on 10G interface.

If you are upgrading NetScaler SDX 11.0 beta to NetScaler SDX 11.0 GA, then the information displayed on the screen is not proper. This does not affect the upgrade process.

On adding many VPX instances, you may hit the default cache memory limit which could result in unexpected behavior.

Workaround: Increase the default cache memory limit.

If you configure Jumbo MTU with MTU greater than 1500 on an interface which is used by cluster nodes or instances on NetScaler SDX, the management service does not display any error and also the Jumbo MTU functionality does not work.

NetScaler cluster on SDX does not support Jumbo Frames.

After interface reset from management service, L2 mode will stop working for the 10G interface.

Workaround: Disable and re-enable L2 mode from SVM for the VPX.

If a 10G interface is a part of the LACP channel, it might incorrectly report stalling of transmission (Tx) on VPX.

Workaround: Reset the 10G interface using the management service.

On an SDX appliance, the Management Service may lose connectivity. The issue is seen only with Management Service which is in the UP state for many days, minimum being 277 days.

A channel that you bind or unbind to or from 10G interfaces might become unresponsive. In this case only one of the interfaces within the channel will be affected by a Tx unit hang. This results in the Channel becoming unrecoverable at the PF level and only appliance reboot can recover from this situation.

If you are running a NetScaler SDX 11.0 beta version and upgrade to NetScaler 11.0, then some components may not be upgraded. This does not cause any malfunction in the running of the system. However, the upgrade is incomplete.

Workaround: Reset your appliance to factory defaults and upgrade to the latest 10.5 or 10.1 version and then upgrade the appliance to NetScaler SDX 11.0

A NetScaler that is deployed on the Hyper-V may crash or unexpectedly reboot if it uses three or more virtual interfaces in the VPX instance.

A clear config operation does not remove VXLANS. The configuration utility and the CLI continue to show the VXLANs, but with incorrect IDs.

After the clear config operation, reconfiguring a VXLAN entity fails to retrieve the VXLAN SNMP counters.

A TCP connection involved in INAT times out at 120 seconds, regardless of what global timeout value you set for TCP client and server connections. For example, the connection times out at 120 seconds even after you run the following command:

set ns timeout -anyTcpClient 50 -anyTcpServer 50

In a Large Scale NAT deployment, the NetScaler appliance does not generate and send an ICMP error message to the subscriber in the event of a port allocation failure.

RNAT source IP persistency is not supported on a virtual server configured for link load balancing.

For an RNAT connection, the NetScaler appliance drops the first packet that the server sends to the client.

If you configure an INAT rule with the useproxyport parameter disabled, connections to the server fail if the source port is in the reserve port range (0-1023).

NetScaler VPX instances, running on SDX 22040/22060/22080/22100/22120 and SDX 24100/24150 appliances, fail to start after you upgrade to the NetScaler SDX release 11 single bundle image. Starting the NetScaler instances manually also fails.

Workaround: Delete the VPX instances and provision them again by using the Management Service.

For a NetScaler MPX 115xx series appliance, the configuration utility and the command line interface do not display the type of small form-factor pluggable (SFP) transceivers for 10G interfaces.

Workaround: Restart the appliance.

If you add an NTP time server by specifying the server name (host name), and the ns.conf file is very large, the result is a race condition in which the NTP daemon (NTPD) is started before host name services are ready.

Workaround: Do one of the following:

-Restart the NTP daemon after starting the NetScaler appliance.

-Add the NTP server by specifying the IP address of the server instead of specifying the host name.

Some IP based expressions might not work for IP addresses starting from octet 128 or greater (128.x.x.x - 254.x.x.x).

The following expressions are not impacted:

- EQ, IN_SUBNET, IS_IPV6, GET1, GET2, GET3, GET4, MATCHES, MATCHES_LOCATION, APPEND, TYPECAST_TEXT_T, TYPECAST_IPv6_ADDRESS_AT

The following expressions do not work:

GT, GE, LT, LE, BETWEEN, NE, ADD, SUB, MUL, DIV, MOD, NEG, BITAND, BITOR, BITXOR, BITNEG, LSHIFT, RSHIFT, TYPECAST_TIME_AT, TYPECAST_IP_ADDRESS_AT, TYPECAST_DOUBLE_AT, TYPECAST_UNSIGNED_LONG_AT, WEEKDAY_STRING, WEEKDAY_STRING_SHORT, SIGNED8_STRING, UNSIGNED8_STRING, SIGNED16_STRING, UNSIGNED16_STRING, SIGNED32_STRING

In both, default or admin partitions, when trying to import a password-protected key file, you get an error indicating that the key file is invalid. This error occurs because the NetScaler cannot import such key files.

FIPS keys that are created on firmware version 2.2 are lost after you downgrade to firmware version 1.1.

Workaround: Export the FIPS keys before you downgrade the firmware. Import the FIPS keys after the downgrade.

If you try to add a certificate bundle with the complete path to a certificate-bundle file, an error message appears. For example,

> add ssl certkey bundle -cert /nsconfig/ssl/bundle3.pem -key /nsconfig/ssl/bundle3.pem -bundle YES

ERROR: Processing of certificate bundle file failed.

Workaround: Specify only the file name. For example,

> add ssl certkey bundle -cert bundle3.pem -key /nsconfig/ssl/bundle3.pem -bundle YES

Secure renegotiation using SSLv3 protocol fails on MPX-FIPS appliances running firmware version 2.2.

Even though the clientAuthUseBoundCAChain parameter can be enabled and disabled in the backend profile, it is supported only on the front end profile.

If you disable SSLv3 on the "nskrpcs-127.0.0.1-3009" service, an "ERROR: Operation not permitted" message appears even though SSLv3 has been successfully disabled on the service.

Server Name Indication (SNI) is not supported on a DTLS virtual server. However, if you enable SNI on a DTLS virtual server, an appropriate error message does not appear.

Even though TLS protocol versions 1.1 and 1.2 are not supported by firmware version 1.1, the protocols incorrectly appear as enabled by default on an SSL virtual server.

Workaround: Disable TLS1.1/1.2 explicitly on the virtual server.

On a NetScaler MPX appliance, AES-GCM/SHA2 ciphers are supported only on the front end SSL entities.

If importing a certificate-key file fails because of a wrong file, and you run the command again with the correct file, the operation fails and the following error message appears:

"ERROR: Import failed. Another resource with the same name being processed"

Workaround: Import the file with a different name.

In rare circumstances, the VPX instance can dump kernel core after a warm restart.

FTP connections through a TCP wildcard virtual server on the NetScaler appliance might fail for one of the following reasons:

- A mismatch in TCP parameters is preventing the appliance from reusing the probe connection.

- The server is sending data before the client-side TCP connection is established.

If the HTML injection feature is enabled, the NetScaler appliance injects JavaScript into responses sent to clients. If a subsequent request from one of the clients is generated from the JavaScript, the appliance responds with a 404 error.

In a high availability setup, if stateful connection failover is configured on a virtual server that is serving traffic for some time, running the "clear config extended" command results in a warm restart on both the primary and secondary appliances. Unsetting connection failover on the virtual server results is a warm restart on only the secondary appliance.

In Insight ESX, the Vmtoolsd daemon fails during start up and creats a core dump in the directory /var/core. It does not affect normal VPX functionality. However, operations such as "Shut Down Guest" and "Restart Guest" from the vSphere client summary tab fail.

The initial client connection on the NetScaler appliance might fail if a wildcard virtual server is configured and the useProxyPort option is disabled globally on the appliance.

CSV report exports elements that are present in the GUI. Additional elements like Client IP and Branch IP in the application node are denoted as 0.0.0.0 or " " as these are not present in GUI.

If you upgrade NetScaler Insight Center appliance to release 10.5 build 55.8xxx.e, the compression ratio values will be displayed as -NA-.

NetScaler Insight Center displays the latency value between two hops as 0 ms, though the minimum latency value is 1 ms.

If NetScaler Insight Center does not get a connection closure update for a particular connection ID, and the ID is reused, the IP data of the previous connection may be displayed.

If you define an application in the CloudBridge application classifier that contains a colon (":") in the name, it is not exported correctly to the AppFlow collector.

On the NetScaler Insight Center dashboard, the latency values displayed on the graph and the network topology diagram might not match due to time synchronization issues.

NetScaler Insight Center takes two minutes to display the current connection details on the dashboard.

Since the install wi package command takes more than usual time to complete, it is not possible to return the status from other nodes. Hence it is required that all the WI related packages, that is, JRE+WI be present on system on the same path for all the nodes.