Release Notes for Build 41.24 of NetScaler 12.0 Release

September 25, 2017 | Release notes version: 1.0

Note

Build 41.24 replaces Build 41.22
This release notes document describes the enhancements and changes, lists the issues that are fixed, and specifies the issues that exist, for the NetScaler release 12.0 Build 41.24. See Release history.

Notes

  • Customers using 59xx/89xx appliances: do not upgrade to these images. We will post a patch suitable for these appliances as soon as possible. Consult Citrix support to implement mitigation steps in the meantime.
  • This release notes document does not include security related fixes. For a list of security related fixes and advisories, see the Citrix security bulletin.
  • The known issues section is cumulative. It includes issues newly found in this release, and issues that were not fixed in previous NetScaler 12.0 releases.
  • The [# XXXXXX] labels under the issue descriptions are internal tracking IDs used by the NetScaler team.

Additional Changes/Fixes Available in Replacement Builds

Points to Note

Some important aspects to keep in mind while using Build 41.24.

Cluster

  • For validating a Citrix NetScaler cluster setup against the IPv6 Ready Logo suite, Citrix recommends using cluster link aggregation (CLAG) consisting of only one interface per cluster node.
    [# 679468]

SSL

  • 3DES Ciphers Removed from Default Cipher Groups
    The 3DES ciphers have been removed from the DEFAULT and DEFAULT_BACKEND groups on the NetScaler appliance for security reasons and to prevent attacks, such as SWEET32. The following ciphers have been removed:
    - Cipher Name: SSL3-DES-CBC3-SHA
    Description: SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
    - Cipher Name: SSL3-EDH-DSS-DES-CBC3-SHA
    Description: SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
    - Cipher Name: SSL3-EDH-RSA-DES-CBC3-SHA
    Description: SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
    - Cipher Name: TLS1-ECDHE-RSA-DES-CBC3-SHA
    Description: SSLv3 Kx=ECC-DHE Au=RSA Enc=3DES(168) Mac=SHA1
    If your deployment requires 3DES ciphers, you can explicitly bind them to your SSL virtual server, service, or service group by using one of the following commands:
    bind ssl vserver -cipherName 3des
    bind ssl service -cipherName 3des
    bind ssl servicegroup -cipherName 3des
    [# 659417]
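    The following script is an added example (not Citrix code) that parses "Cipher Name:" / "Description:" pairs in the format shown above and reports every cipher whose description carries Enc=3DES, so an operator can verify that a custom cipher group does not reintroduce the ciphers dropped from DEFAULT and DEFAULT_BACKEND. The listing it runs on is a constructed sample in that format, not captured appliance output.

```python
"""Flag 3DES ciphers in a NetScaler-style cipher listing.

Added example, not Citrix code. It parses "Cipher Name:" / "Description:"
pairs in the release note's format and reports every cipher whose
description carries Enc=3DES, so a custom cipher group can be checked for
the ciphers removed from the DEFAULT and DEFAULT_BACKEND groups.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample listing in the release note's format; not captured output.
SAMPLE_LISTING = """\
Cipher Name: TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
Description: TLSv1.2 Kx=ECC-DHE Au=RSA Enc=AES-GCM(128) Mac=AEAD
Cipher Name: SSL3-DES-CBC3-SHA
Description: SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
Cipher Name: TLS1-ECDHE-RSA-DES-CBC3-SHA
Description: SSLv3 Kx=ECC-DHE Au=RSA Enc=3DES(168) Mac=SHA1
Cipher Name: TLS1-AES-256-CBC-SHA
Description: SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
"""


@dataclass
class Cipher:
    name: str
    protocol: str  # leading token of the description (SSLv3, TLSv1.2, ...)
    kx: str        # key exchange
    au: str        # authentication
    enc: str       # bulk cipher, e.g. 3DES(168)
    mac: str


# One description line: "<proto> Kx=<kx> Au=<au> Enc=<enc> Mac=<mac>"
DESC_RE = re.compile(r"(\S+)\s+Kx=(\S+)\s+Au=(\S+)\s+Enc=(\S+)\s+Mac=(\S+)")


def parse_listing(text: str) -> List[Cipher]:
    """Pair each 'Cipher Name:' line with the 'Description:' line that follows it."""
    ciphers: List[Cipher] = []
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Cipher Name:"):
            # First token after the colon; tolerates a trailing "Priority : N".
            pending = line.split(":", 1)[1].split()[0]
        elif line.startswith("Description:") and pending is not None:
            match = DESC_RE.search(line)
            if match:
                ciphers.append(Cipher(pending, *match.groups()))
            pending = None
    return ciphers


def weak_ciphers(ciphers: List[Cipher]) -> List[str]:
    """Names of ciphers using 3DES, whose 64-bit block makes SWEET32 practical."""
    return [c.name for c in ciphers if c.enc.startswith("3DES")]


if __name__ == "__main__":
    for name in weak_ciphers(parse_listing(SAMPLE_LISTING)):
        print("3DES cipher still present:", name)
```

    To run it against a real appliance, paste the output of the cipher-group listing into SAMPLE_LISTING (or read it from a file); an empty result means the group carries none of the removed ciphers.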

Upgrade and Downgrade

  • The auto cleanup option (/installns -c) is not supported in NetScaler release 12.0.
    Clean up flash manually if space is insufficient when upgrading or downgrading a NetScaler appliance.
    [# 683380]

Fixed Issues

The issues that are addressed in Build 41.24.

Admin Partitions

  • When you configure an administrative partition, validation of the partition's VMAC address might fail, causing the NetScaler appliance to crash.
    [# 677765]

GSLB

  • In a new cluster deployment or when the NetScaler firmware in a cluster deployment is upgraded to build 11.1-53.11, management CPU usage spikes to up to 99% on every cluster node. This issue occurs in the absence of any additional configuration, management, or data traffic.
    [# 682766, 683601, 685391]

Integrated Caching

  • When the back-end server responds to a request with a 301 (Moved Permanently) status code, the cache stores the response. If the cache then tries to serve a range request from that stored response, the NetScaler appliance crashes.
    [# 673506, 684404]

NetScaler Gateway

  • Mail synchronization fails on iOS and Android devices if secure mail is configured to use secure ticket authority (STA).
    [# 685075]
  • NetScaler Gateway dumps core if Single Sign-On (SSO) is disabled and the connection to the server is removed, or a gateway timeout occurs, during the TCP handshake with the back-end server.
    [# 678251]

NetScaler ICA

  • When Session Reliability on HA Failover is enabled on a NetScaler high availability pair, the primary NetScaler keeps a buffer of CGP sequence updates to be sent to the secondary. After a reconnect, the buffer is updated at the wrong offset, which corrupts it. Once the buffer is corrupted, wrong addresses are accessed, which can cause the NetScaler instance to become unresponsive.
    [# 679494, 684204]

Optimization

  • A NetScaler appliance crashes if you generate AppFlow or ULFD records for clear-text video transactions.
    [# 682947]
  • When configuring the NetScaler video optimization feature, you cannot bind built-in detection policies or custom optimization policies to multiple virtual servers. An attempt to do so produces the following error message, "ERROR: CVPN Policies cannot be bound to multiple entities."
    For example:
    > bind lb vserver IPv4_TCP_80-ABR -policyName ns_videoopt_http_abr_netflix -priority 600 -gotoPriorityExpression 3300 -type RESPONSE
    > bind lb vserver IPv6_TCP_80-ABR -policyName ns_videoopt_http_abr_netflix -priority 601 -gotoPriorityExpression 3301 -type REQUEST
    ERROR: CVPN Policies cannot be bound to multiple entities
    [# 682864]
  • With this fix, the built-in video detection policies have new names, which more clearly represent the purposes of the policies.
    [# 681308]

SSL

  • You cannot modify the internal OCSP responder parameters in this build. This is a temporary limitation.
    [# 679708]
  • If both OCSP stapling and session ticket are enabled on an SSL virtual server, and a client sends a session reuse request that contains an OCSP stapling status extension, the appliance dumps core memory and restarts.
    [# 678743, 678740]
  • If the destination IP address in an OCSP request is an IPv6 address, the NetScaler appliance dumps core memory and restarts.
    [# 678474]
  • If an OCSP responder URL incorrectly resolves to a NetScaler reserved IP address, the appliance dumps core memory and restarts.
    [# 675887]
  • After you upgrade to this build, the priority of the cipher groups changes in the default profile.
    [# 579059, 679085]

User Interface

  • When secure connection is enabled on the CCO, config sync does not work.
    [# 525671]

Known Issues

The issues that exist in Build 41.24.

AAA-TM

  • If forms-based Single Sign-On (SSO) is configured for Outlook Web Access (OWA) 2013 servers, the "successRule" configured in the forms SSO action must be corrected appropriately, because the server sends a 64-byte cookie on successful SSO.
    [# 681730]
  • When AppFlow is enabled, NetScaler fails to process SAML requests/responses.
    Workaround: Disable AppFlow.
    [# 679285]
  • TACACS attribute or group extraction is supported only if the back end is a Cisco ACS TACACS+ server. For TACACS servers other than Cisco, attribute or group extraction is not supported. For more information, see https://support.citrix.com/article/CTX220024.
    [# 651719]
  • In an nFactor EPA configuration, if EPA is configured in secondary factors and requires conditional access, a passthrough factor must be configured to select EPA factors for the users that require them. Otherwise, the EPA flow starts even for users that do not require EPA.
    Workaround: Configure the EPA factor only for users who require it. This can be achieved by configuring passthrough factors to make the logic decisions.
    [# 683224]
  • If the back-end server domain name does not contain a dot, DNS resolution fails during Kerberos Single Sign-On (SSO).
    [# 667953]
  • NTLM authentication fails when the NetScaler tries to negotiate with an LB virtual server in front of the NTLM server.
    Workaround: Have the NetScaler access the NTLM server directly.
    [# 677747]
  • A NetScaler appliance configured for NetScaler AAA with LDAP over SSL becomes unresponsive when the connection to the NetScaler AAA daemon is fully used. At that point, the packet engine is unable to process any more authentication requests.
    [# 660065, 674005]
  • In an nFactor EPA configuration, if EPA is configured in secondary factors and requires conditional access, a passthrough factor must be configured to select EPA factors for the users that require them. Otherwise, the EPA flow starts even for users that do not require EPA.
    Workaround: Configure the EPA factor only for users who require it. This can be achieved by configuring passthrough factors to make the logic decisions.
    [# 680519]
  • In rare scenarios, the response cookie from an OWA 2013 server is not greater than 70 bytes when the NetScaler appliance is configured with forms-based SSO. Therefore, the length check for the cookie value in the success rule configured in the forms SSO action on the NetScaler appliance must be updated with an appropriate value.
    [# 676450]
  • When SAML authentication is used as the logon method for Gateway users on FIPS hardware, and an encrypted assertion is sent from the IdP, the NetScaler appliance dumps core memory.
    This is applicable only for FIPS hardware platforms.
    [# 677458]
  • If the primary and secondary passwords in a logon request are the same, and the first-factor authentication server prompts the user to change the password, the second-factor server uses the password that was sent in the logon request.
    Workaround: Configure the second-factor authentication server to use the http.req.user.passwd expression if the first-factor server requests a password change.
    [# 678553]
  • The SHA256 digest algorithm is not supported on a NetScaler FIPS appliance configured for SAML authentication or as a SAML IDP. However, an appropriate error message does not appear in the browser.
    [# 639349]
  • If you configure a NetScaler FIPS appliance for SAML authentication, the appliance fails when it tries to process encrypted assertions from an external IDP. However, signed assertions and responses are handled correctly.
    [# 635174]

AppFlow

  • When ClientSide Measurements is enabled and you access NetScaler Gateway, the Microsoft Internet Explorer browser displays an error.
    [# 680567]
  • If multiple AppFlow policies are bound to the same bindpoint, only the last policy is chosen.
    [# 603177, 647386]

Application Firewall

  • On a NetScaler appliance running release 11.1 build 48.0, SQL database queries fail when the Web Application Firewall feature is enabled.
    [# 684855]
  • In the Visualizer, some buttons might not work if you use Mozilla Firefox or Internet Explorer.
    Workaround: Use the Google Chrome browser.
    [# 648272]
  • Traffic to a back-end application is blocked by the HTML cross-site scripting check when the profile type is XML. The check fails for a field that begins with an XML declaration (<?xml version=...), which the appliance reports as "Bad tag: ?xml" and blocks.
    When cross-site scripting checking is enabled, the application firewall makes the following changes to requests that match the HTML Cross-Site Scripting check:
    - Left angle bracket (<) is changed to its HTML character entity equivalent (&lt;).
    - Right angle bracket (>) is changed to its HTML character entity equivalent (&gt;).
    This prevents browsers from interpreting unsafe HTML tags, such as <script>, and thereby executing malicious code. If you enable both request-header checking and XSS transformation, any special characters found in request headers are also modified as described above. If scripts on your protected web site contain cross-site scripting features, but your web site does not rely upon those scripts to operate correctly, you can safely disable blocking and enable transformation. This configuration allows legitimate web traffic while stopping any potential cross-site scripting attacks.
    Workaround: From the CLI, reset the check by using the following command:
    set appfw profile APPFW_SIRI_TEST -crossSiteScriptingAction none
    [# 685775]
  • In high availability (HA) mode, high memory consumption might cause a failover when the IP reputation feature is enabled. Memory usage increases with the increase in the number of connections when traffic is processed for IP reputation inspection. Increasing the RAM capacity and allocating more memory for each PE is recommended for resolving the memory build-up caused by the increased number of connections.
    [# 668205]
  • If you have multiple application firewall policies configured on a load balancing virtual server, and a policy has a GotoPriority Expression of NEXT, the NetScaler AppFirewall policy order bypasses all security checks in that policy's profile and moves to the next policy.
    [# 682935]
  • If you upgrade a NetScaler appliance in a high availability (HA) setup from version 10.5.56.15 to version 11.1.51.1901 and skip 250 rules with active traffic, the GUI or CLI displays a "failed to skip some rules" error message and an operation time-out error message.
    Workaround: Turn off the Learning feature when skipping learned rules.
    [# 671807]
  • Application firewall cross site scripting (XSS) protection blocks valid traffic even when relaxation rules for learning XSS blocking are enabled. The learned rule for the blocked XSS is not removed permanently from the learned database. The NetScaler application firewall relearns the same relaxation rule and continues to block valid traffic.
    [# 683197]
  • The NetScaler application firewall should bypass requests from application firewall processing after the system reaches a specified CPU/memory usage limit, but there is currently no policy for reviewing CPU and memory capacity and bypassing the application firewall.
    [# 660546]
  • Application Firewall port information about open ports, such as port 443, is not suppressed. It can therefore be detected by port scan tools such as NMAP in targeted hacker attacks.
    [# 674864]
  • When a third-party version-0 signature object is merged with a user-defined signature that is not version 0 and has both native and user-defined rules, the resulting signatures are all version 0 and do not include the native rules.
    To include the native rules, you must update both signature objects (third-party and user-defined) before the merge. The update changes the version from 0. If you then perform the merge operation, the Native rules are included.
    [# 672970]
  • An alert is generated when you set the NetScaler AppFirewall session limit to a value of 0 or lower, because such a setting affects advanced protection check functionality that requires a properly functioning application firewall session.
    [# 668892]
  • A NetScaler AppFirewall appliance with the compression feature enabled sometimes puts blank lines in HTTP response headers, resulting in garbled page rendering by the browser.
    [# 629128]
  • The information that the GUI displays for the application firewall web services interoperability (WSI) check does not say that it is a prerequisite and cannot be disabled.
    [# 650789, 650317, 658472]
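    The HTML cross-site scripting item above ([# 685775]) describes two actions: blocking a request that carries a tag, and transforming angle brackets into HTML entities, optionally in request headers as well. The following is an added example (not Citrix code and not the appliance's real check logic): a simplified model of those two actions, run on a constructed request, that shows why an XML declaration trips the tag detector under block and how transform neutralizes the same input instead of dropping it. The function and field names are the example's own.

```python
"""Model of the HTML cross-site scripting check's block and transform actions.

Added example, not Citrix code: a deliberately simplified re-implementation
of the behaviour the release note describes, used to show why an XML prolog
is reported as "Bad tag: ?xml" under block, and what transform does instead.
"""
import re
from typing import Dict, List, Tuple

# Anything that looks like the start of a tag, including "?xml", which is
# why an XML declaration is reported as a bad tag by a tag-oriented check.
TAG_RE = re.compile(r"<\s*(/?[A-Za-z?][^\s>/]*)")


def find_tags(value: str) -> List[str]:
    """Tag names found in a field or header value (empty list if none)."""
    return TAG_RE.findall(value)


def transform_xss(value: str) -> str:
    """The transformation the note describes: < becomes &lt; and > becomes &gt;."""
    return value.replace("<", "&lt;").replace(">", "&gt;")


def apply_xss_check(fields: Dict[str, str], headers: Dict[str, str],
                    block: bool, transform: bool,
                    check_headers: bool = False
                    ) -> Tuple[str, Dict[str, str], Dict[str, str]]:
    """Return (status, fields, headers) after applying the check.

    status is 'allowed', or 'blocked: ...' naming the first offending value.
    Headers are inspected and transformed only when check_headers is True,
    matching the note's "request-header checking" option.
    """
    targets = [("field", k, v) for k, v in fields.items()]
    if check_headers:
        targets += [("header", k, v) for k, v in headers.items()]
    if block:
        for kind, name, value in targets:
            tags = find_tags(value)
            if tags:
                return (f"blocked: {kind} {name}: Bad tag: {tags[0]}",
                        fields, headers)
    if transform:
        fields = {k: transform_xss(v) for k, v in fields.items()}
        if check_headers:
            headers = {k: transform_xss(v) for k, v in headers.items()}
    return ("allowed", fields, headers)


# Constructed sample request values (hypothetical field and header names).
SAMPLE_ATTACK = {"comment": "<script>alert(1)</script>"}
SAMPLE_XML = {"payload": '<?xml version="1.0"?><order id="7"/>'}
SAMPLE_HEADERS = {"User-Agent": "Mozilla/5.0 <b>test</b>"}


def demo() -> List[str]:
    """Outcome of each sample under block-only and under transform-only."""
    results = []
    for label, fields in (("attack", SAMPLE_ATTACK), ("xml", SAMPLE_XML)):
        blocked, _, _ = apply_xss_check(fields, SAMPLE_HEADERS, block=True, transform=False)
        allowed, out, _ = apply_xss_check(fields, SAMPLE_HEADERS, block=False, transform=True)
        results.append(f"{label} under block: {blocked}")
        results.append(f"{label} under transform: {allowed} -> {list(out.values())[0]}")
    return results


if __name__ == "__main__":
    print("\n".join(demo()))
```

    The legitimate XML body is blocked exactly as the note says, because its prolog matches the same pattern as a tag; under transform the same body passes, entity-encoded, which is why the note suggests disabling blocking and enabling transformation only where the protected site does not depend on the raw markup.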

GSLB

  • When a remote GSLB service is configured with an external monitor on a GSLB site node, the state of this service might become inconsistent across packet engines, because of core-to-core message failures. In that case, the NetScaler appliance might generate incorrect replies to GSLB domain queries.
    [# 658108, 679822]

Load Balancing

  • If an add lb monitor command specifies an httprequest argument value of more than 77 characters, a subsequent show command shows an incorrect httprequest value for the HTTP requests that the monitor sends to the CLIP address. The NetScaler appliance's ns.conf file also contains the incorrect httprequest value for the monitor. Also, the other nodes (non-CCO) in the cluster are updated with the incorrect httprequest value by the configsync process.
    [# 685856, 687784]
  • In a high availability (HA) setup, an unusually large spike in the number of persistent connections might result in underperformance of the Secure Socket Funneling (SSF) channel between the primary node and the secondary node. The underperformance can eventually lead to session buildup on the primary node and cause persistence to fail.
    [# 685179, 684834]
  • In a high availability (HA) setup, if domain-based services are configured and the secondary node does not receive any Service State Sync (SSS) update for the services for more than 247 days, a packet engine might crash when this node becomes the primary node.
    [# 673446, 684550, 688305]

NetScaler CLI

  • The NetScaler command line interface exits abruptly upon executing the "show dns addRec -format old" command.
    [# 512526, 527066, 545578, 631658, 635938, 643466, 652771, 667794]

NetScaler CPX

  • Modifying the nf_conntrack_max sysctl variable to get better network performance can cause unexpected behavior. In that case, you have to increase the size of the connection-tracking and/or the hash table, and/or decrease timeout values. For more information, see http://antmeetspenguin.blogspot.in/2011/01/high-performance-linux-router.html.
    [# 658734, 658736]
  • Modifying the nf_conntrack_max sysctl variable to get better network performance can cause unexpected behavior. In that case, you have to increase the size of the connection-tracking and/or the hash table, and/or decrease timeout values. For more information, see http://antmeetspenguin.blogspot.in/2011/01/high-performance-linux-router.html.
    [# 680693]

NetScaler GUI

  • If the feature "Force password change for nsroot user when default nsroot password is being used" is enabled, and you log on as nsroot user, an extra session is created.
    [# 657924]
  • In Internet Explorer version 7 and older, the browser incompatibility message does not appear for NetScaler build 11.1. The logon page appears directly, and you can log on successfully.
    [# 649052]
  • If the feature "Force password change for nsroot user when default nsroot password is being used" is enabled and the nsroot password is changed at the first logon to the NetScaler appliance, the nsroot password change is not propagated to non-CCO nodes. Therefore, when an nsroot user logs on to non-CCO nodes, the appliance asks for password change again.
    [# 658132]

NetScaler Gateway

  • Intermittently, a NetScaler Gateway appliance dumps core if a connection is reset during data transfer between a client and a VPN server.
    [# 678885, 674356, 676859, 676857, 684178, 692683]
  • In rare scenarios, NetScaler Gateway dumps core if an SSL proxy that requires proxy authentication is configured at NetScaler Gateway and you access an intranet web application through a Clientless Virtual Private Network (CVPN) via that Gateway.
    [# 684488]
  • In rare situations, a NetScaler Gateway appliance dumps core if it receives incorrect SOCKS requests from clients.
    [# 686160, 689726, 690771, 693841]
  • When you run the "sh icaconnection summary" command, the columns in the output are misaligned.
    [# 670277]
  • In rare scenarios, NetScaler dumps core while binding classic session policies to an existing binding entity, when multiple VPN policies are configured on the NetScaler.
    [# 685463]
  • In rare cases, a NetScaler Gateway appliance becomes unresponsive because core-to-core Gateway messages are processed incorrectly under heavy load situations.
    [# 684888]
  • You cannot edit an uploaded document on SharePoint 2013 if you log on to SharePoint 2013 through a NetScaler Gateway that has Single Sign-On (SSO) enabled.
    [# 683017]
  • Under certain conditions, the Single Sign-On feature tries to refer to an authentication resource that has already been removed, which causes a crash. This has been fixed.
    [# 685389]
  • Windows 8.1 and Windows 10 clients cannot connect to Receiver because the "set client?wica" request is incorrectly sent on the same TCP connection as the "cgi/login" request.
    Workaround: Use a browser to connect to Receiver.
    [# 685866]
  • If you log on to SharePoint 2013 through a Clientless Virtual Private Network (CVPN), hyperlinks listed under "Sites" are nonfunctional.
    Workaround: Either copy the link, paste it to a new tab, and click the new copy of the link, or right-click the link to automatically open it on a new tab.
    [# 679117]
  • If you log on to SharePoint 2013 through a Clientless Virtual Private Network (CVPN), a link is broken on the Setting > Master Pages screen. The link to Folders on Site is nonfunctional.
    Workaround: Either copy the link, paste it to a new tab, and click the new copy of the link, or right-click the link to automatically open it on a new tab.
    [# 680403]
  • If you update a certKey pair used as the SAML IDP samlSPCertName, a duplicate entry is created and a "Cannot allocate memory" error message appears.
    [# 675983]
  • If you use the NetScaler Gateway plug-in for Windows, a simultaneous download of 128 or more files fails upon accessing NetScaler Gateway.
    [# 685971]
  • In a CS-UG setup, if users log on to the Access Gateway virtual server directly, they are "looped" back to the VPN logon page.
    Workaround: Log on to Access Gateway through the CS virtual server.
    [# 685670]
  • If you log on to SharePoint 2013 through a Clientless Virtual Private Network (CVPN), the "Stop Following a Site" functionality is not available.
    [# 679744]
  • When a VPN virtual server is configured with RfWebUI as a portal theme, the NetScaler Gateway Windows plug-in does not automatically reconnect after the upgrade.
    [# 682689]
  • If you log on to SharePoint 2013 through a Clientless Virtual Private Network (CVPN), you cannot upload a Profile Picture.
    Workaround: Use Chrome or Firefox.
    [# 679176]
  • If you log on to SharePoint 2013 through a Clientless Virtual Private Network (CVPN), you can't drag and drop files.
    Workaround: Upload the document instead of using drag and drop.
    [# 679193]
  • If you log on to SharePoint 2013 through a Clientless Virtual Private Network (CVPN), you cannot use Internet Explorer to open a word (.doc) document.
    Workaround: Use Firefox to open the document.
    [# 679713]
  • Single Sign-On (SSO) to StoreFront fails if the TCP fast open option is enabled for the default TCP profile of a manually created NetScaler Gateway virtual server.
    [# 656619]
  • When you access Gateway through the iOS Gateway plug-in, you might see issues with queuing of outgoing packets and with low memory.
    [# 676447]
  • After you start the Mac Gateway plug-in and close it, you cannot reopen it until you close Receiver.
    [# 684676]
  • A memory leak gradually diminishes the amount of memory available for SSL VPNs. The NetScaler appliance eventually fails unless it is rebooted before memory utilization reaches too high a percentage.
    [# 660223, 677197, 551669, 544066, 684981]
  • An RfWebUI-based theme is not supported for an authentication virtual server configured with classic authentication policies.
    [# 672333]
  • If a custom theme is applied on NetScaler 11.1 build 50.10, the text for the password field is not displayed.
    [# 671802]
  • Citrix Receiver fails to launch ICA sessions when client certificate based authentication is used at Gateway.
    Workaround: Use a browser to log in.
    [# 685862]
  • Responder policies are not supported for a Gateway virtual server configured with a portal theme based on RfWebUI.
    [# 684658]
  • If nFactor is configured for Gateway, beginning with 11.1 51.x, native clients use the authentication policies configured at the authentication virtual server. See https://support.citrix.com/article/CTX223386 for details.
    [# 680378]
  • The Internet Explorer 8 browser does not display the Gateway portal if the portal theme is set to Default, Greenbubble, or X1. The portal does appear if the portal theme is set to RfWebUI.
    [# 669942]
  • If you log on to SharePoint 2013 through a Clientless Virtual Private Network (CVPN), you cannot use Internet Explorer to add a new item to the calendar.
    Workaround: Use Chrome or Firefox.
    [# 679747]
  • If you log on to a VPN in a cluster deployment, the value of Total Connected Users is shown incorrectly for the NSIP addresses of all the nodes. The correct value is shown for the CLIP address.
    [# 681247]
  • When nFactor authentication is configured with multiple factors that have custom password expressions, the default password for all secondary factors is passwd1.
    If the logon flow is not trivial, configure passwordExpression in the loginSchema so that the right password is picked for the given factor.
    [# 675401]
  • After a NetScaler HA failover, Citrix Receiver takes a few seconds to reconnect.
    [# 672067]
  • An error message appears when a user logs off of a StoreFront session, if Gateway logon uses SAML-based authentication in ICA Proxy mode.
    Workaround: Log off by closing the browser.
    [# 646706]

NetScaler ICA

  • If AppFlow for ICA is enabled on a NetScaler appliance, applications might disconnect intermittently under certain network traffic conditions.
    [# 650607]
  • The session reliability on HA Failover feature is not supported between 64-bit and 32-bit kernels in an HA pair.
    [# 681628]

NetScaler SDX Appliance

  • The current software driver for 1Gbe ports does not support hot-swap capability for 1G SFP transceivers on NetScaler SDX 115xx models.
    Workaround: After replacing the 1G SFP transceiver, reset the interface from Management Service. If the issue still persists, restart the appliance.
    [# 668696]
  • When you create or delete a 10G LACP or static channel, transmission stalls on the member interfaces of the channel, and therefore those interfaces stop processing traffic.
    Workaround: Delete the 10G LACP/static channel that has this issue and create it again.
    [# 600152]
  • When you use a single-bundle image file to upgrade a NetScaler SDX appliance, the upgrade-progress page might become unresponsive.
    Workaround: After the estimated time provided initially by Management Service has elapsed, refresh the upgrade progress page in the browser to view the actual status of the upgrade.
    [# 672042]
  • A NetScaler VPX instance's configuration is deleted if you use the Management Service to force a reboot of the instance.
    Workaround:
    * Do not use the force reboot option unless the NetScaler VPX instance is not responding.
    * Before performing a force reboot, if you have shell access to the NetScaler VPX instance, run the following command:
    fsync /nsconfig/ns.conf
    [# 683743]
  • In some cases, individual flow control (RX and TX) might not work for interfaces on the NetScaler SDX appliance.
    [# 643853]
  • In some cases, a client is unable to connect to the TCP-related VIP address of a NetScaler VPX instance on a NetScaler SDX appliance.
    [# 684106]

NetScaler VPX Appliance

  • Due to a limitation in Linux-KVM and VMware ESX platforms, if you add new PCI passthrough interfaces to an existing NetScaler virtual appliance configured with SR-IOV interface, the PCI passthrough interfaces might take precedence over the existing SR-IOV interfaces.
    [# 660000]
  • If you use the ip link set command on the host to change the VLAN ID of the virtual function (VF) to zero, or to any valid value, the physical function (PF) processes the tagged packets with the original tag and does not reflect the new VLAN ID.
    Workaround: Run a reset command on the NetScaler VF, after changing the VLAN ID or removing it from the host. For example:
    reset interface 10/1
    [# 672441]
  • In a NetScaler VPX HA deployment running on AWS, when a failover makes the secondary node primary, the network interfaces are attached to the new primary in the wrong order.
    For example, if the primary node has NICs 1/2 (AA:BB:CC:DD:EE:FF), 1/3 (12:34:56:78:90:12), and 1/4 (1A:2B:3C:4D:5E:6F), upon failover the new primary would have 1/2 (1A:2B:3C:4D:5E:6F), 1/3 (AA:BB:CC:DD:EE:FF), and 1/4 (12:34:56:78:90:12). Here, the interface MAC order has changed. However, this behavior does not apply to the NIC that is configured with the NetScaler management IP address.
    [# 675746]
  • A NetScaler VPX instance running on a NetScaler SDX appliance does not receive any traffic under the following set of conditions:
    - The Intel 710 series NICs of the NetScaler SDX appliance are connected to a switch with an LLDP-enabled port.
    - That port has been disabled and then enabled.
    [# 684860]
  • The NetScaler virtual appliance might fail to start if you have configured 15 or more SR-IOV and PCI passthrough interfaces.
    [# 657492]
  • The physical link status of a PCI passthrough interface of a NetScaler VPX appliance is not updated when the state of the link is changed (for example, when the link is enabled, disabled or reset), because of a limitation in the Intel XL710 NIC. As a result, any active traffic over the PCI passthrough interface fails during this time.
    [# 660159]
  • Compatibility issues between Linux-KVM and the Intel XL710 interface might cause a NetScaler virtual appliance configured with a PCI passthrough to become unresponsive during startup.
    Workaround: Restart the Linux-KVM host.
    [# 660139]
  • Due to a limitation of the XenServer platform, if NetScaler virtual appliances with different interfaces, such as SR-IOV and Para-virtualized (PV) mode interfaces, use the same physical NIC, traffic between the virtual appliances with different interfaces fails.
    [# 652640]
  • If you configure an MTU value on a NetScaler VPX appliance running on Citrix XenServer, save the value, and then force a shutdown, the saved MTU value is lost and the appliance displays the old value.
    [# 676417]

Networking

  • A NetScaler appliance might become unresponsive, or high CPU usage might be observed, in the following scenario:
    * The appliance resolves a domain into two IP addresses: one is a NetScaler-owned IP address and the other is an external IP address.
    * The appliance sends a packet destined for the external IP address from LO/1.
    * The response packet keeps looping after the appliance receives it.
    [# 669754, 669977, 687943]
  • While responding to a VXLAN broadcast (for example, ARP and ND6), the NetScaler appliance does not look up the bridge table to populate the VNI field in the VXLAN header. The VNI field in the VXLAN header of the response is the same as that of the incoming broadcast. This results in the peer VTEP dropping the response packets.
    [# 675626]

Optimization

  • The NetScaler video optimization feature does not display the optimization statistics on the Dashboard or in the Reporting section of the NetScaler GUI.
    [# 678095]
  • The new video optimization feature is not supported on a partitioned NetScaler appliance.
    [# 677320]
  • The video insight option cannot be enabled for a specific virtual server. You can only enable it as a global setting (set appflow param -videoInsight ENABLED).
    [# 678625]
  • For the NetScaler video optimization feature to work properly, you must not delete the built-in policies that have an "ns_videoopt" prefix (for example, ns_videoopt_http_abr_netflix).
    [# 670449]
  • The Video Optimization feature is supported on 32-bit NetScaler platforms only. If you deploy the feature on a 64-bit platform, the appliance displays an error message and crashes.
    [# 676593, 677838, 679578, 681853]

Platform

  • Interfaces on NetScaler VPX instances are not hot-pluggable, except on NetScaler VPX appliances running on Amazon AWS.
    Workaround: Shut down the NetScaler VPX instances before adding or deleting the interfaces.
    [# 578198, 682586, 680889]
  • A NetScaler VPX instance does not reboot successfully when deployed on a KVM linux host with Xeon E5-26xx v2 processors.
    Workaround: Reload the kvm_intel module and specify enable_apicv=N parameter by using the following command:
    modprobe kvm_intel enable_apicv=N
    [# 587727, 615203, 642617, 657386]

Policies

  • When the appliance receives a client request, it blocks the request for the log action in the Responder module. If the appliance then receives another request and processes policies for other modules, the log messages for the Responder module are not logged.
    [# 685375]
  • If you use classic expressions to filter the output of the show connectiontable command, only a warning message appears.
    Workaround: Use advanced expressions instead.
    [# 680916]

Rewrite

  • The NetScaler appliance can sometimes time out while restoring context for the rewrite feature.
    Workaround: Modify the rewrite action to use regular (regex) expressions.
    [# 675347]

SSL

  • Some client authentication connections might be dropped if OCSP check is set to mandatory and an OCSP domain name entry is not found in the NetScaler DNS cache.
    [# 675882, 677473]
  • A NetScaler appliance might run out of memory and crash if it receives a non-handshake record, such as an alert message, before a DTLS handshake is complete.
    [# 685145, 693355]
  • If the OCSP URL in a certificate starts with a value other than http://, and you try to add a certificate-key pair for this certificate and for its issuer certificate, the certificate-key pair add operation fails for the certificate that is added later.
    The following error message appears in a cluster setup:
    ERROR: Invalid URL
    The following error message appears in an nCore setup:
    ERROR: Failed to create/bind Internal Ocsp responder(using certkey AIA URL).
    [# 695316]
  • The service group members do not appear in the output of the "show lb vserver <name>" command if it is run on a cluster IP address.
    [# 668935, 642802, 463835, 684073, 684892]
  • The NetScaler appliance might occasionally send a wrong certificate if SNI is enabled.
    [# 675158]
  • If you run the "sh ssl service group" command on the cluster IP (CLIP) address and on nodes of a cluster setup, ECC curves are displayed as unbound from the CLIP.
    [# 660257]
  • Information about internal service parameters is lost when you restart the appliance.
    [# 684152]
  • In a high availability deployment, session-tickets functionality is lost after you issue a force failover twice. Sessions are resumed on the basis of session ID instead of session tickets.
    [# 683034]
  • In a cluster setup, if a client certificate is bound to a back-end SSL service or service group, it appears as a "Server Certificate" instead of a "Client Certificate" when you run the "show ssl service" or the "show ssl servicegroup" command on the CLIP address.
    [# 667389]
  • Memory usage might continuously increase on a partitioned NetScaler VPX appliance processing SSL traffic. As a result, the appliance might become unresponsive after some time.
    [# 685669]
  • Secure session tickets are not supported in this build. If your deployment uses secure session tickets, do not upgrade from release 11.1-54.x to this build.
    [# 690231]

System

  • When you run the set command on a NetScaler appliance, the ns.log file stores the command with all parameter values, including customer-provided values.
    [# 674165]
  • If a wildcard virtual server's redirection mode is set to IP (-m IP), the NetScaler appliance cannot forward a TCP connection request to a service bound to that virtual server if the back-end server is down.
    [# 331889]
  • On a partitioned NetScaler appliance, you can no longer use the same command to bind a system user and a command policy to a system group. Instead, you must use two different commands. For example:
    "bind system group grpX -userName userX"
    "bind system group grpX -policyName superuser 1"
    If you try to bind both arguments with a single command, the appliance displays an error message: Arguments cannot both be specified [policyName, userName.]
    [# 652345]
  • If the session ID maintained for clients exceeds the threshold of 16 million entries, the configuration engine might crash. That affects the management traffic. As a result, the management connection closes and the manager must log back on to the NetScaler appliance.
    [# 676599]
  • A NetScaler appliance fails when sending log messages to Syslog server over TCP transport.
    [# 685898]
  • If a NetScaler appliance sends a large number of packets on a TCP connection, and the network randomly drops a few of the packets, multiple sets of continuous packet loss ("holes") are created. When the appliance retransmits the packets, the network interface card (NIC) drops packets.
    [# 643929]
  • A NetScaler appliance might crash if two client connections inadvertently reuse the probe connection in a transparent (multiple server connections use the same client IP port) wildcard configuration.
    [# 685101]
  • The NetScaler appliance crashes if the total number of TimeWait connections exceeds 7000 while the MPTCP feature is enabled.
    [# 678015]
  • The NetScaler appliance does not send the HTTP response body for some POST requests.
    [# 685510]
  • The initial probe connection that a NetScaler appliance makes with the back-end internet server to check for server availability is now reusable for actual server connection with the internet server.
    [# 654087]
  • If you enable Front End Optimization (FEO) and configure Integrated Cache (IC) with cache selectors, the NetScaler appliance might crash.
    [# 677943]
  • A NetScaler appliance might not initiate a rewrite action correctly if data is modified in adjacent fields in the message.
    [# 657565]

Telco

  • In a high availability setup, forcing synchronization does not synchronize Port Control Protocol (PCP) mappings to the secondary node.
    [# 647630]

Upgrade and Downgrade

  • When you upgrade the NetScaler firmware by using the NetScaler GUI, the appliance restarts in the background as soon as the upgrade is complete, but the GUI does not show that the upgrade has been completed.
    Workaround: Log off and log back on to the NetScaler appliance to check the firmware version.
    [# 646046]

What's New in Previous NetScaler 12.0 Releases

The enhancements and changes that were available in NetScaler 12.0 releases prior to Build 41.24. The build number provided below the issue description indicates the build in which this enhancement or change was provided.

AAA-TM

  • POST and Redirect Bindings Support during Logout
    A NetScaler appliance used as a SAML SP now supports POST and Redirect bindings during logout. Previously, only POST binding was supported.
    [From Build 35.6] [# 642102]
  • SAMLIDP Single Logout Support for Redirect and Post Bindings
    SAMLIDP single logout support for Redirect and Post bindings is now available.
    [From Build 35.6] [# 642105]

Admin Partitions

  • VXLAN Support for Admin Partitions
    A partitioned NetScaler appliance now supports Virtual eXtensible Local Area Networks (VXLANs) protocol. A VXLAN can be created in the default partition and bound to any administrative partition. When you extend a VXLAN to a VLAN, binding a VLAN to a partition will also bind the VXLAN to the same partition. However, the appliance does not support shared VXLAN and does not allow you to extend a VXLAN to a shared VLAN.
    For more information, see the Citrix NetScaler 12.0 Beta features document.
    [From Build 35.6] [# 651332]
  • Configurable Partition Resource Limit
    When you create an administrative partition, you can now set a partition resource (such as memory, bandwidth, or connections) limit to zero, which specifies that use of the resource is unlimited. The partition can consume up to the system limit. For a previously created partition, you can increase or decrease the limit or set the limit to zero.
    [From Build 35.6] [# 652187]
  • Blocking VRRP on Shared VLANs in Admin Partitions
    On a partitioned NetScaler appliance, Virtual Router Redundancy Protocol (VRRP) protocol is now supported only on non-shared VLANs. It is blocked on shared VLANs (tagged or untagged type) bound to a default or an administrative partition.
    For more information, see the Citrix NetScaler 12.0 Beta features document.
    [From Build 35.6] [# 655514]
  • Memory Management in Admin Partitions
    In a partitioned NetScaler appliance, the partition connections are now accounted from the partition quota memory. Previously, the connections were accounted from the default partition quota memory.
    [From Build 35.6] [# 652198]
  • SNMP Traps for Admin Partition Rate Limiting
    On a partitioned NetScaler appliance, an SNMP-RATE-LIMIT alarm can generate six new SNMP traps for notification that a partition resource (such as connection or memory) has reached its limit or returned to normal. Previously, only three SNMP traps were available for rate limiting partition resources.
    Note: To enable generation of the SNMP trap messages, you must enable the SNMP-RATE-LIMIT alarm on the appliance and then configure the destination device to which the appliance can send the trap messages.
    The threshold and limit values for partition rate limiting are:
    Highest threshold = 80% (applicable for all partition rate limit traps)
    Lowest threshold = 60% (applicable for all partition rate limit traps)
    Memory limit = 95% (applicable only for partition memory traps)
    The six new SNMP traps are:
    partitionCONNThresholdReached. Number of active connections for a partition exceeds its high threshold.
    partitionCONNThresholdNormal. Number of active connections are less than or equal to the configured normal threshold percentage.
    partitionBWThresholdReached. Partition's bandwidth usage reaches configured high threshold percentage.
    partitionMEMThresholdReached. Current memory usage of the partition exceeds its high threshold percentage.
    partitionMEMThresholdNormal. Current memory usage of the partition is less than or equal to the configured normal threshold percentage.
    partitionMEMLimitExceeded. Current memory usage of the partition exceeds its memory limit percentage.
    [From Build 35.6] [# 655560]
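
The trap list above is a threshold scheme with hysteresis: a "Reached" trap when usage exceeds 80%, a "Normal" trap only once usage falls back to 60% or below, and a separate memory-limit trap at 95%. The following Python is an added example, not NetScaler code, of the edge-triggered logic that makes such traps fire once per crossing instead of on every sample; the sample percentages and partition names are constructed, and the assumption that a trap fires once per crossing (rather than per polling interval) is the example's own.

```python
# Added example (not NetScaler code): edge-triggered threshold logic for the six
# partition rate-limit traps, using the 80% / 60% / 95% values from the text.
# Assumption: a trap is sent once when a threshold is crossed, not on every sample.
HIGH_THRESHOLD = 80    # "ThresholdReached" traps fire when usage exceeds this
LOW_THRESHOLD = 60     # "ThresholdNormal" traps fire when usage drops to this or below
MEMORY_LIMIT = 95      # memory only: "partitionMEMLimitExceeded"

# Resources that have a "...ThresholdNormal" trap in the list (BW has none).
NORMAL_TRAP_RESOURCES = {"CONN", "MEM"}


class PartitionTrapEmitter:
    """Tracks per-partition, per-resource state so traps fire on crossings only."""

    def __init__(self):
        self.above_high = {}     # (partition, resource) -> bool
        self.above_limit = {}    # partition -> bool (memory limit)

    def observe(self, partition, resource, usage_pct):
        """Feed one usage sample (percent); return the traps to send, in order."""
        traps = []
        key = (partition, resource)
        # High threshold: exceeding it sends Reached; the 60..80 band sends nothing,
        # which is what stops a partition hovering near 80% from flapping.
        if usage_pct > HIGH_THRESHOLD and not self.above_high.get(key, False):
            self.above_high[key] = True
            traps.append(f"partition{resource}ThresholdReached")
        elif usage_pct <= LOW_THRESHOLD and self.above_high.get(key, False):
            self.above_high[key] = False
            if resource in NORMAL_TRAP_RESOURCES:
                traps.append(f"partition{resource}ThresholdNormal")
        # Memory limit is tracked independently of the high/normal band
        if resource == "MEM":
            if usage_pct > MEMORY_LIMIT and not self.above_limit.get(partition, False):
                self.above_limit[partition] = True
                traps.append("partitionMEMLimitExceeded")
            elif usage_pct <= MEMORY_LIMIT:
                self.above_limit[partition] = False
        return traps
```

Feeding a sequence such as 85, 85, 70, 60 for connections yields one Reached trap, nothing for the repeat and for the in-band sample, and one Normal trap on the drop to 60%.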

AppExpert

  • Blacklisting Up to One Million URLs by Using URL Sets
    To prevent access to restricted websites, a NetScaler appliance uses a specialized URL matching algorithm. The algorithm uses a URL set that can include up to one million (1,000,000) blacklisted URLs. Each entry can include metadata that defines URL categories and category groups as indexed patterns. The appliance can also periodically download highly sensitive URL sets managed by internet enforcement agencies (including government sites) or by independent internet organizations such as the Internet Watch Foundation (IWF). After downloading and importing the URL set, the appliance encrypts it (as required by these agencies) and keeps it confidential so that the entries cannot be tampered with.
    The NetScaler appliance uses advanced policies to determine whether an incoming URL should be blocked, allowed, or redirected. These policies use advanced expressions to evaluate incoming URLs against blacklisted entries. An entry can include metadata. For entries that have no metadata, you can use an expression that evaluates the URL on the basis of an exact string match. For URLs that have metadata, you can use an expression that evaluates the URL's metadata, in addition to an expression that checks for an exact string match.
    [From Build 35.6] [# 628124]

Application Firewall

  • Generate SNMP alarm and log message when application firewall Session limit is reached
    When NetScaler reaches appfw_session_limit and CSRF checks are enabled, the web application freezes.
    To prevent web application freeze, decrease the session timeout and increase the session limit by using the following commands:
    From CLI: > set appfw settings -sessiontimeout 300
    From shell: root@ns# nsapimgr_wr.sh -s appfw_session_limit=200000
    Logging and generating an SNMP alarm when appfw_session_limit is reached assists users in troubleshooting and debugging issues.
    [From Build 35.6] [# 589567]
  • Application Firewall GUI - Signature Editor
    When using the signature editor to perform an import and merge operation from the NetScaler GUI, you can now see the new, updated, duplicate, and invalid rules.
    The signature editor displays the following four new rows:
    1. New Rules
    2. Updated Rules
    3. Duplicate Rules
    4. Invalid Rules
    The output of the New Rules Only and Updated Rules Only filters also appears in the Category filter pane of the Edit window in signature editor.
    [From Build 35.6] [# 656279]
  • Configure Application Firewall Session Limit Through the CLI
    You can now use the CLI to configure the Application Firewall session limit. Enter the following command:
    set appfw settings -sessionLimit <value>
    Where <value> is the maximum number of sessions allowed for each packet engine. Minimum value: 0. Maximum value: 500000. Default: 100000.
    [From Build 35.6] [# 662582]

Clustering

  • TFTP Support in a Cluster Setup
    Trivial File Transfer Protocol (TFTP) is now supported in a NetScaler cluster setup. TFTP is a simple form of file transfer protocol and is based on the UDP protocol. TFTP does not provide any security features and is generally used for automated transfer of configuration and boot files between devices in a private network. TFTP support on a NetScaler cluster setup is compliant with RFC 1350. A server listens on port 69 for any TFTP request.
    The following features are supported:
    * INAT processing compliant with TFTP. If a NetScaler cluster receives a request packet whose destination is port 69 and that matches an INAT rule with the TFTP option enabled, the cluster's processing of the request and the corresponding response is compliant with the TFTP protocol. For an INAT configuration for a TFTP server, only spotted SNIP addresses are supported for the server-side communication.
    * RNAT processing compliant with TFTP. When a request packet generated by a server is destined to a TFTP server, and the packet matches an RNAT rule on a NetScaler cluster, the cluster's processing of the request and the corresponding response from the TFTP server is compliant with the TFTP protocol. In an RNAT configuration of TFTP servers, only spotted NAT IP addresses are supported for the TFTP server-side communication.
    [From Build 35.6] [# 658631]
  • Managing Cluster Heartbeat Messages
    In a cluster configuration, you can now disable the heartbeat option on node interfaces. However, the heartbeat option on the backplane interface cannot be disabled, because it is required for maintaining connectivity among the cluster nodes.
    [From Build 35.6] [# 655842]
  • SNMP MIB Support for Cluster Nodes
    In a cluster setup, you can now configure the SNMP MIB on any node by including the ownerNode parameter in the set snmp mib command. Without this parameter, the set snmp mib command applies only to the cluster coordinator node.
    To display the MIB configuration for an individual node other than the cluster coordinator node, include the ownerNode parameter in the show snmp mib command.
    [From Build 35.6] [# 628136, 623888]
  • Disabling Steering for Forwarding Sessions in a Cluster Setup
    The default behavior of a NetScaler cluster is to direct the traffic that it receives (flow receiver) to another node (flow processor) that must then process the traffic. This process of directing the traffic from flow receiver to flow processor occurs over the cluster backplane and is called steering. This steering can be an overhead for real time processing or when high latency links are present in the setup.
    Steering for forwarding sessions can now be disabled so that the processing becomes local to the flow receiver and therefore makes the flow receiver the flow processor.
    For more information, see the Citrix NetScaler 12.0 Beta features document.
    [From Build 35.6] [# 636825]
  • Monitor Static Route (MSR) Support for Inactive Nodes in a Spotted Cluster Configuration
    In a spotted cluster configuration, you can now configure an inactive or spare node to monitor a static route for which the MSR option is enabled. From a SNIP address owned exclusively by an inactive node, the node can send PING and ARP probes to an IPv4 route or ping5 and nd6 probes to an IPv6 route. Previously, only active nodes could monitor a static route.
    [From Build 35.6] [# 648194]
  • VRID/VRID6 support for cluster
    When you migrate a high availability (HA) setup to a cluster setup, all configurations must be compatible and must be supportable in the cluster. To achieve this, you can now configure virtual router IDs (VRIDs and VRID6s) on a single-node cluster interface.
    [From Build 35.6] [# 655726]
  • Audit-Log Support in Cluster
    A cluster setup of NetScaler appliances now supports the audit-log feature.
    [From Build 35.6] [# 669938]

DNS

  • Securing DNS Keys with Passwords on a Partitioned NetScaler Appliance
    You can now secure the DNS keys with passwords on a partitioned NetScaler appliance.
    Specify the password in the create dns key command, and then specify the same password in the add dns key command when adding the DNS key to the NetScaler appliance.
    [From Build 35.6] [# 655295]
  • Support for Wildcard DNS Domains
    You can now use wildcard DNS domains to handle requests for nonexistent domains and subdomains. In a zone, if you want to redirect queries for all nonexistent domains or subdomains to a particular server, you can use wildcards rather than creating a separate Resource Record (RR) for each such domain. The wildcard RRs synthesize the responses to queries for a nonexistent domain or subdomain name.
    For more information, see the Citrix NetScaler 12.0 Beta features document.
    [From Build 35.6] [# 558993]
  • Caching of EDNS0 Client Subnet (ECS) Data when the NetScaler Appliance is in Proxy Mode
    In NetScaler Proxy mode, if a back-end server that supports ECS sends a response containing the ECS option, the NetScaler appliance forwards the response as-is to the client and stores it in the cache, along with the client subnet information. Further DNS requests that are from the same subnet of the same domain, and for which the server would send the same response, are then served from the cache instead of being directed to the server.
    [From Build 35.6] [# 626837]
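
Wildcard synthesis only applies to names that do not exist, and "exist" includes names that have descendants but no records of their own (empty non-terminals). The following Python is an added example, not NetScaler code, that resolves questions against a small constructed zone the way RFC 1034 and RFC 4592 describe: an existing name is answered directly (a missing type gives an empty NOERROR answer), a nonexistent name is matched against the wildcard under its closest existing ancestor, and an empty non-terminal between the query name and the wildcard's parent blocks the match. The zone contents and addresses are constructed.

```python
# Added example (not NetScaler code): wildcard synthesis per RFC 1034/4592 over a
# constructed zone. Shows the two cases that are easy to get wrong: a name that
# exists (even as an empty non-terminal) is never matched by a wildcard, and an
# empty non-terminal below the wildcard's parent blocks the wildcard.
ZONE = {  # owner name -> {type: [rdata]}  (constructed)
    "example.com.":          {"SOA": ["ns1.example.com. hostmaster.example.com. 2017092501 3600 900 604800 300"],
                              "NS": ["ns1.example.com."]},
    "ns1.example.com.":      {"A": ["192.0.2.1"]},
    "www.example.com.":      {"A": ["192.0.2.10"]},
    "mail.example.com.":     {"A": ["192.0.2.25"]},
    "*.example.com.":        {"A": ["192.0.2.100"], "MX": ["10 mail.example.com."]},
    "host.sub.example.com.": {"A": ["192.0.2.50"]},   # makes sub.example.com. an empty non-terminal
}
APEX = "example.com."


def parent(name):
    """'a.b.example.com.' -> 'b.example.com.'"""
    return name.split(".", 1)[1]


def name_exists(zone, name):
    """A name exists if it owns records or has descendants (empty non-terminal)."""
    return name in zone or any(owner.endswith("." + name) for owner in zone)


def closest_encloser(zone, qname, apex):
    """Longest existing ancestor of qname (RFC 4592 section 3.3.1)."""
    name = qname
    while name != apex:
        name = parent(name)
        if name_exists(zone, name):
            return name
    return apex


def resolve(zone, qname, qtype, apex=APEX):
    """Return (rcode, [(owner, type, rdata), ...]) for one question."""
    if qname != apex and not qname.endswith("." + apex):
        return "REFUSED", []
    if name_exists(zone, qname):
        # Exact match or empty non-terminal: wildcards never apply; missing type = NODATA
        rrs = zone.get(qname, {}).get(qtype, [])
        return "NOERROR", [(qname, qtype, r) for r in rrs]
    source = "*." + closest_encloser(zone, qname, apex)
    if source not in zone:
        return "NXDOMAIN", []
    # Synthesis: the wildcard's records with the owner rewritten to the query name
    return "NOERROR", [(qname, qtype, r) for r in zone[source].get(qtype, [])]
```

With this zone, anything.example.com. and deep.anything.example.com. both synthesize 192.0.2.100 (a wildcard matches any number of labels), sub.example.com. gives NODATA rather than a synthesized answer, and x.sub.example.com. is NXDOMAIN because sub.example.com. exists and has no wildcard of its own.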

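The ECS caching behaviour described above depends on the scope prefix the back-end server returns: an answer tailored to a /24 must be served only to later clients in that /24, while an answer with scope 0 is valid for everyone. The following Python is an added example, not NetScaler code, of a proxy-mode cache that stores responses under the returned scope and serves later queries from cache only when the client address falls inside it. The back-end function, names, addresses and TTLs are constructed, and clamping a scope longer than the source prefix down to the source length is the example's own choice.

```python
# Added example (not NetScaler code): an ECS-aware cache in front of a constructed
# back-end resolver, following RFC 7871 scoping. Answers are cached under the SCOPE
# prefix the server returns and served only to later clients inside that prefix.
import ipaddress


class EcsCache:
    def __init__(self):
        self._entries = {}   # (qname, qtype) -> list of (network, answer, expires_at)

    def store(self, qname, qtype, client_ip, source_len, scope_len, answer, ttl, now):
        # Key on the scope the server returned, but never on more bits than we sent
        # (assumption: a scope longer than the source prefix is clamped to the source).
        effective_len = min(scope_len, source_len)
        net = ipaddress.ip_network(f"{client_ip}/{effective_len}", strict=False)
        self._entries.setdefault((qname, qtype), []).append((net, answer, now + ttl))

    def lookup(self, qname, qtype, client_ip, now):
        """Longest-prefix match among unexpired entries; scope 0 matches every client."""
        ip = ipaddress.ip_address(client_ip)
        live, best = [], None
        for net, answer, expires_at in self._entries.get((qname, qtype), []):
            if expires_at <= now:
                continue                      # expired: drop while scanning
            live.append((net, answer, expires_at))
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, answer)
        self._entries[(qname, qtype)] = live
        return None if best is None else best[1]


def constructed_backend(qname, qtype, client_ip, source_len):
    """Stand-in for an ECS-capable back-end server: returns (answer, scope_len)."""
    if qname == "cdn.example.com." and qtype == "A":
        # Geo-steered record: one answer per client /24, so scope is 24
        in_first_pop = ipaddress.ip_address(client_ip) in ipaddress.ip_network("192.0.2.0/24")
        return ("203.0.113.1" if in_first_pop else "203.0.113.2"), 24
    return "198.51.100.200", 0                 # not client-dependent: scope 0


class EcsProxy:
    """Proxy mode: serve from cache when the client subnet matches, else ask the server."""

    def __init__(self, backend):
        self.backend = backend
        self.cache = EcsCache()
        self.backend_calls = 0

    def query(self, qname, qtype, client_ip, source_len=24, now=0, ttl=300):
        cached = self.cache.lookup(qname, qtype, client_ip, now)
        if cached is not None:
            return cached, "cache"
        self.backend_calls += 1
        answer, scope_len = self.backend(qname, qtype, client_ip, source_len)
        # Forward the answer unchanged and remember it together with its scope
        self.cache.store(qname, qtype, client_ip, source_len, scope_len, answer, ttl, now)
        return answer, "server"
```

A second client in 192.0.2.0/24 is served from cache; a client in 198.51.100.0/24 triggers a fresh back-end query for the same name; a scope-0 answer is reused for any client of the same address family; and an expired entry is discarded on the next lookup.
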
GSLB

  • Configuring GSLB by Using a Wizard in the NetScaler GUI
    You can now use a wizard to configure the GSLB deployment types (active-active and active-passive) and parent-child topologies. In the NetScaler GUI, navigate to Configuration > Traffic Management > GSLB, and click Get Started.
    You can also start the GSLB configuration wizard from the dashboard. The dashboard provides the overall status of the GSLB sites participating in GSLB. You can also synchronize the sites and test the GSLB setup from the dashboard. To access the GSLB dashboard, navigate to Configuration > Traffic Management > GSLB > Dashboard.
    For more information, see the Citrix NetScaler 12.0 Beta features document.
    [From Build 35.6] [# 664467]

Load Balancing

  • Connection Failover Support for IPv6 Load Balancing Configurations
    Connection failover support has been extended for IPv6 load balancing configurations. Connection failover helps prevent disruption of access to applications deployed in a distributed environment. In a NetScaler High Availability (HA) setup, connection failover (or connection mirroring) refers to keeping an established TCP or UDP connection active when a failover occurs. The new primary NetScaler appliance has information about the connections established before the failover and continues to serve those connections. After failover, the client remains connected to the same physical server. The new primary appliance synchronizes the information with the new secondary appliance by using the SSF framework. If the L2Conn parameter is set, Layer 2 connection parameters are also synchronized with the secondary.
    You can set up connection failover in either stateless or stateful mode. In the stateless connection failover mode, the HA nodes do not exchange any information about the connections that fail over. This method has no runtime overhead. In the stateful connection failover mode, the primary appliance synchronizes the data of the failed-over connections with the new secondary appliance. Connection failover is helpful if your deployment has long lasting connections.
    For example, if you are downloading a large file over HTTP and a failover occurs during the download, the connection breaks and the download is aborted. However, if you configure connection failover in stateful mode, the download continues even after the failover.
    [From Build 35.6] [# 472611]
  • Setting alertRetries to a Value Higher than the Retries Value
    The alertRetries parameter, which specifies the maximum number of consecutive monitoring-probe failures after which the NetScaler appliance generates an SNMP trap called monProbeFailed, can now be set to a value higher than the Retries value (which specifies the maximum number of probes to send to establish the state of a service for which a monitoring probe failed). If the alertRetries value is higher than the Retries value, the SNMP trap is not sent until after the service is DOWN.
    For example, if you set Retries to 3, alertRetries to 12, and the time interval to 5 seconds, the service is marked DOWN after 15 seconds (3*5), but no alert is generated. If the monitor probes are still failing after 60 seconds (12*5), the NetScaler appliance generates a monProbeFailed trap. If a probe succeeds at some time between 15 and 60 seconds, the service is marked UP and no alert is generated.
    [From Build 35.6] [# 422816]
  • SNMP OID for Tracking Persistence Sessions on a Per-Vserver Basis
    The vsvrCurPersistenceSessions (1.3.6.1.4.1.5951.4.1.3.1.1.76) SNMP OID provides the number of current persistence sessions on each virtual server.
    [From Build 35.6] [# 346825]
  • Configuring Backup Persistence
    You can now configure a virtual server to use source IP persistence as the backup persistence type when the primary persistence type is rule-based. If the primary persistence lookup fails, the appliance uses source-IP based persistence when the parameter specified in the rule is missing in the incoming request.
    For more information, see the Citrix NetScaler 12.0 Beta features document.
    [From Build 35.6] [# 519440]
  • Support for RADIUS Shared Secret
    A shared secret must now be configured in RADIUS load balancing deployments. A RADIUS client and server communicate with each other by using a shared secret that is configured on the client and the server. Transactions between the client and RADIUS server are authenticated through the use of a shared secret. This secret is also used to encrypt some of the information in the RADIUS packet.
    You can configure a default RADIUS shared secret, or you can configure a shared secret on a per-node basis. The appliance uses the client IP address or the server IP address in the RADIUS packet to decide which shared secret to use.
    In telco deployments, you must now configure a RADIUS client when you configure a RADIUS listener service. If a shared secret is not configured, the RADIUS message is silently dropped.
    For more information, see the Citrix NetScaler 12.0 Beta features document.
    [From Build 35.6] [# 564185]
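
The alertRetries example above is a small state machine: consecutive probe failures mark the service DOWN at Retries and raise monProbeFailed at alertRetries, and any successful probe resets the count. The following Python is an added example, not NetScaler code, that models those semantics and runs them over constructed probe sequences, including the case in the text where a success between 15 and 60 seconds prevents the trap. That failures are counted consecutively and that the trap is raised once, on the alertRetries-th failure, are the example's own assumptions.

```python
# Added example (not NetScaler code): a minimal model of the Retries / alertRetries
# semantics, driven by constructed probe results (True = probe succeeded).
# Assumptions: failures count consecutively and reset on any success; monProbeFailed
# is raised once, when the alertRetries-th consecutive failure occurs.
class ServiceMonitor:
    def __init__(self, retries=3, alert_retries=12, interval=5):
        self.retries = retries
        self.alert_retries = alert_retries
        self.interval = interval              # seconds between probes
        self.state = "UP"
        self.consecutive_failures = 0
        self.events = []                      # (time_seconds, event)

    def probe(self, t, succeeded):
        if succeeded:
            self.consecutive_failures = 0     # a success wipes the failure streak
            if self.state == "DOWN":
                self.state = "UP"
                self.events.append((t, "UP"))
            return
        self.consecutive_failures += 1
        if self.consecutive_failures == self.retries and self.state == "UP":
            self.state = "DOWN"
            self.events.append((t, "DOWN"))
        if self.consecutive_failures == self.alert_retries:
            self.events.append((t, "monProbeFailed"))

    def run(self, results):
        """results: one bool per probe; the first probe happens at t = interval."""
        for i, succeeded in enumerate(results, start=1):
            self.probe(i * self.interval, succeeded)
        return self.events
```

With Retries 3, alertRetries 12 and a 5-second interval, twelve straight failures give DOWN at 15 s and monProbeFailed at 60 s; three failures, one success and eight more failures give DOWN, UP, DOWN and no trap; with alertRetries lower than Retries the trap precedes the DOWN transition.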

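The RADIUS shared secret never travels on the wire; it is the key that hides User-Password in the request and that authenticates the server's reply through the Response Authenticator, so a peer that does not hold it can neither read the password nor forge an acceptance. The following Python is an added example, not NetScaler code, that implements those two RFC 2865 computations on constructed packets, selects the secret by peer IP address with a default fallback as the text describes, and returns nothing (a silent drop) when no secret is configured for the peer. All addresses, secrets and credentials are constructed.

```python
# Added example (not NetScaler code): what a RADIUS shared secret does on the wire,
# per RFC 2865. It hides User-Password in the request (section 5.2) and authenticates
# the reply via the Response Authenticator (section 3). A listener with no secret for
# the peer returns None (silent drop). Addresses, secrets and users are constructed.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

DEFAULT_SECRET = b"default-shared-secret"          # assumed default secret
CLIENT_SECRETS = {"10.0.0.5": b"nas-5-secret"}     # assumed per-client secrets
USERS = {b"alice": b"correct horse"}               # constructed credential store


def secret_for(peer_ip, clients=CLIENT_SECRETS, default=DEFAULT_SECRET):
    """Per-peer secret if configured, else the default; None means 'not configured'."""
    return clients.get(peer_ip, default)


def hide_password(password, secret, request_authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        chunk = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += chunk
        prev = chunk
    return bytes(out)


def reveal_password(hidden, secret, request_authenticator):
    """Inverse of hide_password; a wrong secret yields garbage, not an error."""
    out, prev = bytearray(), request_authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def parse_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        if length < 2:
            raise ValueError("malformed attribute length")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def response_authenticator(code, ident, attrs, request_authenticator, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_authenticator + body + secret).digest()


def build_access_request(ident, user, password, secret):
    """Client side: fresh random Request Authenticator, password hidden with the secret."""
    req_auth = os.urandom(16)
    attrs = [(ATTR_USER_NAME, user),
             (ATTR_USER_PASSWORD, hide_password(password, secret, req_auth))]
    return build_packet(ACCESS_REQUEST, ident, req_auth, attrs)


def handle_request(packet, peer_ip, clients=CLIENT_SECRETS, default=DEFAULT_SECRET):
    """Server side. No secret for the peer -> None (silently dropped), else Accept/Reject."""
    secret = secret_for(peer_ip, clients, default)
    if secret is None:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return None
    req_auth = packet[4:20]
    attrs = dict(parse_attrs(packet[20:]))
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, req_auth)
    user = attrs.get(ATTR_USER_NAME)
    ok = user in USERS and hmac.compare_digest(USERS[user], password)
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    auth = response_authenticator(code, ident, [], req_auth, secret)
    return build_packet(code, ident, auth, [])


def verify_response(response, request_authenticator, secret):
    """Client side: recompute the Response Authenticator; a wrong secret fails here."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response):
        return False
    expected = response_authenticator(code, ident, parse_attrs(response[20:]),
                                      request_authenticator, secret)
    return hmac.compare_digest(response[4:20], expected)
```

A client that uses the wrong secret does not get an error: the server decodes a garbage password and returns Access-Reject, and the client's own check of the Response Authenticator fails, which is the only signal either side gets that the secrets disagree.
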
NITRO

  • View Individual Counter Information
    To view global counters that are not otherwise shown by the NetScaler CLI or the NITRO API, you can now use the following URL format.
    URL: http://<NSIP>/nitro/v1/stat/nsglobalcntr?args=counters:<counter1>;<counter2>
    Previously, these counter values could be viewed only through the "nsconmsg" Shell command.
    For more information, see the Citrix NetScaler 12.0 Beta features document.
    [From Build 35.6] [# 622976]
  • Prevent XSS and CSRF Attacks by Disabling Basic Authentication
    As an administrator or a root user, you can now prevent users from making API calls after using basic authentication (such as one-time credentials) to log on. You can use this feature to prevent Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), and other types of attacks.
    For more information, see the Citrix NetScaler 12.0 Beta features document.
    [From Build 35.6] [# 611690, 570838]

NetScaler GUI

  • Support for Atomicity in Wizards
    The new atomicity feature removes the residual configuration left by an unsuccessful configuration attempt, so that you can successfully reconfigure the entity by using a wizard in Citrix XenMobile, XenApp, NetScaler Gateway, NetScaler Unified Gateway, or GSLB. Previously, co-entities and other unwanted configurations left by the unsuccessful configuration attempt caused error messages to appear.
    [From Build 35.6] [# 669990]
  • NetScaler GUI Masks Full Path
    To enhance security, the NetScaler GUI no longer displays the full path to an admin partition when a file browser is opened for an activity such as SSL certificate installation. Everything except the last part of the path is masked.
    [From Build 35.6] [# 661475]
  • PHP Version Upgraded from Version 5.3.17 to 7.0.13
    PHP has been upgraded from version 5.3.17 to version 7.0.13 on the NetScaler appliance to resolve security vulnerabilities and stability issues with PHP.
    [From Build 35.6] [# 572765]

NetScaler Gateway

  • Support for SAML ForceAuthn Parameter and Artifact Binding (when NetScaler is SP) using GET HTTP Method
    The NetScaler SAML SP (Service Provider) module now sends an additional attribute, ForceAuthn, in the authentication request to the external IdP (Identity Provider). By default, ForceAuthn carries a value of 'false'. It can be set to 'true' to hint to the IdP that it must force authentication despite an existing authentication context.
    Additionally, when configured with artifact binding, the NetScaler SP sends the authentication request in a query parameter (HTTP GET method).
    [From Build 35.6] [# 665828]
  • Logging "Destination IP address" and "ICA Proxy policy name" for Outbound ICA Proxy
    Now "Destination IP address" and "ICA Proxy policy name" are logged additionally along with other information logged earlier for Outbound ICA Proxy.
    [From Build 35.6] [# 661832]
  • Proxy Auto Configuration for Outbound Proxy
    You can now configure the NetScaler Gateway appliance to support Proxy Auto Configuration (PAC). Upon configuration, a PAC file URL is pushed to the client browser, the traffic initiated from browser is then redirected to the respective proxies based on the conditions defined in the PAC file.
    For more information, see the Citrix NetScaler 12.0 Beta features document.
    [From Build 35.6] [# 378411]
  • Support for Logon Lockdown Control
    Logon lockdown control is now supported on a NetScaler cluster. Unsuccessful logon attempts are recorded in a distributed hash table (DHT). The advantage of using the DHT is that both n2n (node to node) and c2c (cluster to cluster) messaging are supported.
    [From Build 35.6] [# 635415]
  • Inter-operability with OAuth
    NetScaler Gateway can now process JWTs (JSON Web Tokens) during logon. The Gateway must be configured with an OAuth action that contains a URL from which to fetch the certificates used to verify incoming JWTs. This enables the Gateway to interoperate with OAuth providers.
    [From Build 35.6] [# 671380]
  • Support for Logging Out of a VPN Session When a Smart Card Is Removed from the Logged-on Device
    You can now optionally log the user out of a VPN session when the smart card is removed from the logged-on device.
    [From Build 35.6] [# 654943]
  • Support for EPA in GSLB Active-Active deployment
    EPA now functions reliably in a GSLB active-active deployment.
    [From Build 35.6] [# 619596]
  • Support for Logon Lockdown Control
    The User Lockdown Control feature is now available for system role-based access control users on a cluster.
    [From Build 35.6] [# 650547, 490670]
  • Multi-Stream ICA Functionality Support for EDT
    NetScaler Gateway now supports multi-stream ICA functionality while using HDX Enlightened Data Transport (EDT) as a data transmission path.
    [From Build 35.6] [# 671878]
  • Configuring Separate Ports of a RADIUS Server for Accounting and Authentication Functionalities
    You can now configure separate ports of a RADIUS server (other than the default ports) for accounting and authentication functionalities.
    [From Build 35.6] [# 355523, 634307]
  • PCoIP Proxy Support for VMware View
    NetScaler Gateway now supports the PCoIP protocol which is the core building block for several VDI solutions, including VMware Horizon View solution. This enables the solution to deliver desktops and applications and secure data on a variety of endpoint devices more efficiently.
    For more information, see the Citrix NetScaler 12.0 Beta features document.
    [From Build 35.6] [# 632624]
  • EDT as a Data Transmission Path Support for NetScaler Gateway
    The NetScaler Gateway appliance now supports the HDX Enlightened Data Transport (EDT) as a data transmission path. EDT provides a high definition in-session user experience of virtual desktops for users running a Citrix Receiver.
    [From Build 35.6] [# 659795, 666135]
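
The ForceAuthn item above concerns one attribute of the SAML AuthnRequest, and the GET-method delivery it mentions is what the SAML HTTP-Redirect binding specifies: the request XML is DEFLATE-compressed, base64-encoded and placed in the SAMLRequest query parameter. The following Python is an added example, not NetScaler code, that builds an AuthnRequest carrying ForceAuthn, encodes it for that binding, and decodes it again as an IdP would; the request signature (SigAlg and Signature parameters) is left out, and the entity IDs, URLs and request ID are constructed.

```python
# Added example (not NetScaler code): a SAML 2.0 AuthnRequest carrying ForceAuthn,
# encoded for the GET-based HTTP-Redirect binding (raw DEFLATE, base64, URL-encode
# into the SAMLRequest query parameter), plus the IdP-side decode. The request
# signature is omitted. Entity IDs and URLs are constructed.
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_authn_request(request_id, issuer, acs_url, destination, issue_instant,
                        force_authn=False):
    """SP side. ForceAuthn defaults to false; true asks the IdP to re-authenticate
    the user even if a session already exists there."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "Destination": destination,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
        "AssertionConsumerServiceURL": acs_url,
        "ForceAuthn": "true" if force_authn else "false",
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    return ET.tostring(req, encoding="unicode")


def redirect_binding_url(sso_url, authn_request_xml, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64, then URL-encode."""
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = deflater.compress(authn_request_xml.encode("utf-8")) + deflater.flush()
    params = {"SAMLRequest": base64.b64encode(raw).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return sso_url + "?" + urllib.parse.urlencode(params)


def decode_redirect_request(url):
    """IdP side: recover the AuthnRequest from the query string and read its attributes."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    raw = base64.b64decode(query["SAMLRequest"][0])
    root = ET.fromstring(zlib.decompress(raw, -15))
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("SAMLRequest is not an AuthnRequest")
    issuer = root.find(f"{{{SAML}}}Issuer")
    return {
        "id": root.get("ID"),
        "issuer": None if issuer is None else issuer.text,
        "destination": root.get("Destination"),
        # xs:boolean: an absent attribute means false
        "force_authn": root.get("ForceAuthn", "false") in ("true", "1"),
        "relay_state": query.get("RelayState", [None])[0],
    }
```

Decoding the URL the SP produced returns the original request ID, issuer and ForceAuthn value, which is how the IdP learns whether to re-prompt the user. A production SP also signs the query string, and an IdP should reject an unsigned request if its policy requires signatures.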

NetScaler VPX Appliance

  • Two New Commands to Control CPU Usage Behavior
    Two new commands, set ns vpxparam and show ns vpxparam, control the CPU-usage behavior of VPX instances in VMware ESX and Citrix XenServer environments:
    1. set ns vpxparam -cpuyield (YES | NO | DEFAULT)
    Allows each VM to use CPU resources that have been allocated to another VM but are not being used.
    set ns vpxparam parameters:
    -cpuyield: Release, or do not release, allocated but unused CPU resources.
    YES: Allow allocated but unused CPU resources to be used by another VM.
    NO: Reserve all CPU resources for the VM to which they have been allocated.
    DEFAULT: Reset -cpuyield to its factory default value, which depends on the license:
    - If the license is 8G or lower, release CPU resources.
    - If the license is higher than 8G, use all the CPU resources allocated to the VM.
    2. show ns vpxparam
    Display the current vpxparam settings.
    [From Build 35.6] [# 625698]
  • Support for Key-Pair Based Authentication
    For VPX deployment on KVM OpenStack, you can now use key-pair based authentication to log on and access a VPX instance in a more secure way. You can also execute custom scripts with a userdata file.
    For more information, see the Citrix NetScaler 12.0 Beta features document.
    [From Build 35.6] [# 617478]
  • Support for High-Performance VPX on OpenStack
    You can now deploy high-performance NetScaler VPX instances that use single-root I/O virtualization (SR-IOV) technology, on OpenStack. Also, on the OpenStack host, you can configure VLAN tagging on the SR-IOV virtual functions.
    For more information, see the Citrix NetScaler 12.0 Beta features document.
    [From Build 35.6] [# 660055]
  • Support for VMware ESXi 6.5 server
    NetScaler VPX appliances now support VMware ESXi 6.5 server.
    [From Build 35.6] [# 643974]

Networking

  • IPv6 Virtual Router Redundancy Protocol Support for a Cluster Setup
    IPv6 Virtual Router Redundancy Protocol (VRRP6) protocol is now supported on a cluster setup.
    The following are the two VRRP6 features supported on a cluster setup:
    * Interface based VRRP6: This feature applies only to a two-node cluster in which one node is active and the other is spare. The same VMAC address is configured on both nodes of the cluster setup, and this VMAC address is used in GARP advertisements and ARP responses for the IPv6 addresses configured on a node. This feature is useful in an active-spare two-node cluster setup that has external devices or routers that do not accept GARP advertisements. Because the same VMAC address is configured on both cluster nodes, when the active node goes down and the spare node takes over as active, the MAC address for the IP addresses on the new active node remains unchanged, and the ARP tables on the external devices or routers do not need to be updated.
    * IP based VRRP6: In this feature, striped VIP6 addresses bound to the same VRID6 are configured on all nodes of a cluster setup. These VIP6 addresses are active on all the nodes. One of the cluster nodes acts as the VRID6 owner and sends the VRRP6 advertisements to the other nodes. If the VRID6 owner node fails, another node in the cluster assumes ownership of the VRID6 and starts sending VRRP6 advertisements.
    [From Build 35.6] [# 657315]

SSL

  • Support for AES-GCM and SHA2 Ciphers at the Front End of MPX/SDX 14000 FIPS Appliances
    The NetScaler MPX/SDX 14000 FIPS appliance now supports AES-GCM and SHA2 ciphers at the front end.
    The following AES-GCM and SHA2 ciphers are supported at the front end of the MPX/SDX 14000 FIPS appliance:
    - TLS1.2-AES256-GCM-SHA384
    - TLS1.2-AES128-GCM-SHA256
    - TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
    - TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
    - TLS1.2-AES-256-SHA256
    - TLS1.2-AES-128-SHA256
    [From Build 35.6] [# 579751]
  • Support for New SDX FIPS Platform
    This release supports the SDX 14000 FIPS platform, which is a high-end platform containing 63 crypto cores, available in the following models:
    Model number      System throughput
    SDX 14030 FIPS    30 Gbps
    SDX 14060 FIPS    60 Gbps
    SDX 14080 FIPS    80 Gbps
    For more information, see http://docs.citrix.com/en-us/netscaler/11/traffic-management/ssl/configuring-SDX-14030-14060-14080-fips-appliance.html.
    [From Build 35.6] [# 597890]
  • Support for New FIPS Platform
    This release supports the MPX 14000 FIPS platform, which is a high-end platform containing 63 crypto cores, available in the following models:
    Model number      System throughput
    MPX 14030 FIPS    30 Gbps
    MPX 14060 FIPS    60 Gbps
    MPX 14080 FIPS    80 Gbps
    For more information, see the Citrix NetScaler 12.0 Beta features document.
    [From Build 35.6] [# 592833, 498222, 590397]
  • Support for a Hybrid FIPS Mode on the MPX 14000 FIPS Platform
    The new MPX 14000 FIPS platform contains one primary card and one or more secondary cards. If you enable the hybrid FIPS mode, the pre-master secret decryption commands are run on the primary card, because the private key is stored on this card, but the bulk encryption and decryption is offloaded to a secondary card. This significantly increases the bulk encryption throughput on an MPX 14000 FIPS platform as compared to non-hybrid FIPS mode and the existing MPX 9700/10500/12500/15000 FIPS platform. Enabling the hybrid FIPS mode also increases the SSL transactions per second on this platform.
    For more information, see the Citrix NetScaler 12.0 Beta features document.
    [From Build 35.6] [# 651814]
  • Support for ECDHE Ciphers at the Front End and Back End on NetScaler MPX/SDX 14000 FIPS Appliances
    Citrix NetScaler MPX/SDX 14000 FIPS appliances now support the ECDHE cipher group.
    The following ciphers are supported at the front end of the MPX/SDX 14000 FIPS appliance:
    - TLS1-ECDHE-RSA-AES256-SHA
    - TLS1-ECDHE-RSA-AES128-SHA
    - TLS1.2-ECDHE-RSA-AES-256-SHA384
    - TLS1.2-ECDHE-RSA-AES-128-SHA256
    - TLS1-ECDHE-RSA-DES-CBC3-SHA
    The following ciphers are supported at the back end of the MPX/SDX 14000 FIPS appliance:
    - TLS1-ECDHE-RSA-AES256-SHA
    - TLS1-ECDHE-RSA-AES128-SHA
    - TLS1.2-ECDHE-RSA-AES-128-SHA256
    - TLS1-ECDHE-RSA-DES-CBC3-SHA
    Because of its smaller key size, Elliptic Curve Cryptography (ECC) is especially useful in a mobile (wireless) environment. It is also very useful in an interactive voice response environment, where every millisecond is important. Smaller key sizes result in power, memory, bandwidth, and computational cost savings.
    The following ECC curves are supported: P_256, P_384, P_224, and P_521.
    By default, all four curves are bound to an SSL virtual server.
    [From Build 35.6] [# 651524]
  • Support for HTTP strict transport security (HSTS)
    NetScaler appliances now support HTTP strict transport security (HSTS) as an inbuilt option in SSL profiles and SSL virtual servers. Using HSTS, a server can enforce the use of an HTTPS connection for all communication with a client. That is, the site can be accessed only by using HTTPS. Support for HSTS is required for A+ certification from SSL Labs.
    You can enable HSTS in an SSL front-end profile or on an SSL virtual server. By setting the maximum age header, you specify that HSTS is in force for that duration for that client. You can also specify whether subdomains should be included.
    For more information, see the Citrix NetScaler 12.0 Beta features document.
    [From Build 35.6] [# 636384, 651353]
  • Support for AES-GCM and SHA2 Ciphers at the Back End of MPX/SDX 14000 FIPS Appliances
    The NetScaler MPX/SDX 14000 FIPS appliance now supports AES-GCM and SHA2 ciphers at the back end.
    The following AES-GCM and SHA2 ciphers are supported at the back end of the MPX/SDX 14000 FIPS appliance:
    - TLS1.2-AES256-GCM-SHA384
    - TLS1.2-AES128-GCM-SHA256
    - TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
    - TLS1.2-AES-256-SHA256
    - TLS1.2-AES-128-SHA256
    [From Build 35.6] [# 611983]
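A check to run after enabling HSTS on an SSL virtual server or front-end profile as described under "Support for HTTP strict transport security (HSTS)" above, added here as an illustration and not NetScaler code: it parses the Strict-Transport-Security header the appliance sends and verifies the max-age and includeSubDomains settings. The 180-day minimum is an assumed policy threshold, not a value from the release notes.

```python
# Added example, not NetScaler code: validate a Strict-Transport-Security (HSTS)
# response header against a deployer's policy, using the RFC 6797 directive syntax.

# Assumption: 180 days is used here as the minimum max-age to require; adjust to your policy.
MIN_MAX_AGE = 180 * 24 * 3600  # 15552000 seconds


def parse_hsts(header_value: str) -> dict:
    """Parse e.g. 'max-age=31536000; includeSubDomains; preload'.
    Directive names are case-insensitive. Returns {} when max-age is absent or
    not a number, because such a header is ineffective."""
    parsed = {}
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return {}
            parsed["max_age"] = int(value)
        elif name in ("includesubdomains", "preload"):
            parsed[name] = True
    return parsed if "max_age" in parsed else {}


def check_hsts(header_value: str, min_max_age: int = MIN_MAX_AGE,
               require_subdomains: bool = False) -> list:
    """Return a list of findings; an empty list means the header satisfies the policy."""
    parsed = parse_hsts(header_value)
    if not parsed:
        return ["missing or malformed max-age directive"]
    findings = []
    if parsed["max_age"] < min_max_age:
        findings.append(f"max-age {parsed['max_age']} is below the required {min_max_age}")
    if require_subdomains and not parsed.get("includesubdomains"):
        findings.append("includeSubDomains is not set")
    return findings


# Constructed sample header values, as a server with HSTS enabled would send them.
SAMPLE_GOOD = "max-age=31536000; includeSubDomains"
SAMPLE_SHORT = "max-age=300"
```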

System

  • Option to Allocate an Extra Management CPU
    You can now allocate an extra management CPU from the packet engine pool on a NetScaler MPX appliance, as needed, to improve performance when configuring and monitoring the appliance. This feature is supported on NetScaler MPX models 250xxx, 220xxx, 14xxx, and 115xx.
    [From Build 35.6] [# 352233, 235321, 559207, 604165, 615657]
  • Configuring Heartbeat Time Interval for Call Home
    The Call Home feature periodically reports the latest status of the NetScaler appliance to Citrix Technical Support servers. The report has the same content as the registration message. Previously, Call Home sent the report once every 30 days, but you can now specify an interval of 1 to 30 days. However, an interval of less than 5 days is not recommended, because such frequent uploads are usually not very useful.
    [From Build 35.6] [# 655515]
  • Protection Against Wrapped Sequence (PAWS) Algorithm
    On a NetScaler appliance, you can now enable the TCP timestamp option in the default TCP profile to use the Protection Against Wrapped Sequence (PAWS) algorithm. The algorithm identifies and discards old packets whose sequence numbers fall within the current TCP connection's receive window only because the sequence number has "wrapped" (reached its maximum value and restarted from 0).
    For more information, see the Citrix NetScaler 12.0 Beta features document.
    [From Build 35.6] [# 652210]
  • HTTP version 2 Protocol Support for Plaintext
    A NetScaler appliance now supports HTTP version 2 (HTTP/2) protocol for plaintext messaging. The appliance advertises the service availability to its clients by including an Alt-Svc field in its response so that the client can directly send a subsequent HTTP/2 request instead of an HTTP 1.1 or HTTP/2 upgrade request. Previously, the appliance supported plaintext messaging only as an upgrade request in HTTP version 1.1.
    [From Build 35.6] [# 653154]
  • Displaying MPTCP Statistics
    The new "stat mptcp" command displays statistical information about MPTCP counters, including counters for total MPTCP traffic, current traffic, and erroneous traffic flowing through the NetScaler appliance.
    For more information, see the Citrix NetScaler 12.0 Beta features document.
    [From Build 35.6] [# 646498, 350115]
  • Configuring SYN-Cookie Timeout Interval
    In addition to the SYN Cookie setting in the TCP profile, a NetScaler appliance now maintains a second SYN Cookie setting for each virtual server. This enhancement is especially important for cluster deployments. To protect the appliance against SYN attacks, the SYN Cookie parameter in the TCP profile is enabled by default. Previously, if you disabled it, its value would toggle to ENABLED if a SYN attack was detected. If the appliance was deployed in a cluster, the cluster configuration would become inconsistent until the parameter was toggled back to the DISABLED state after the attack. Now, the SYN Cookie parameter is enabled and disabled only for the virtual server that detects the SYN attack.
    Note: A SYN attack does not enable the SYN Cookie parameter for a virtual server unless the SYN Cookie parameter in the TCP profile is set to DISABLED.
    For more information, see the Citrix NetScaler 12.0 Beta features document.
    [From Build 35.6] [# 651196]
  • Configuring TCP Burst Control Parameters by using NetScaler GUI
    The following TCP Burst Control parameters are now configurable through either the NetScaler GUI or the command line interface. Previously, you could configure the following parameters through only the command line interface:
    - BurstRateCntrl
    - CreditBytePrms
    - RateBytePerms
    - RateSchedulerQ
    [From Build 35.6] [# 660828]
  • Encrypting user passwords by using SHA-512
    For enhanced security, the NetScaler appliance now uses the SHA-512 hashing algorithm to encrypt user passwords.
    Note: A user to which the following set of conditions applies cannot log on:
    1. The user is added, or the user's credentials are modified.
    2. The NetScaler software is then downgraded to an earlier build, but the modified configuration file (ns.conf) is used.
    [From Build 35.6] [# 658393, 204279, 658859]
  • Monitoring Rate Limit Errors in Call Home
    The NetScaler Call Home feature can now monitor rate-limiting packet drops caused by exceeding either the throughput (Mbps or Gbps) limit or the packets-per-second (pps) limit.
    [From Build 35.6] [# 656569]
  • Configuring HMAC Keys for PI Function
    A new parameter of the ns hmackey command specifies the HMAC key value. A NetScaler default syntax policy expression uses the HMAC() function to compute a Hash-based Message Authentication Code on selected text. This function is derived from the RFC 2104 technique for authenticating the sender of a message and verifying that the contents of the message have not been altered. To set this value, type:
    HMAC (<keyValue>)
    The HMAC key value specifies the digest method and the shared secret key to be used for the HMAC computation.
    [From Build 35.6] [# 415808]
  • Audit-log Support for Admin Partitions
    A partitioned NetScaler appliance now supports audit logging for non-default partitions by using advanced (PI) policies. Previously, you could configure the audit-log feature only in a default partition, not in administrative partitions.
    [From Build 35.6] [# 659649]
  • Silently Dropping Idle TCP Connections
    In a Telco network, almost 50 percent of a NetScaler appliance's TCP connections become idle, and the appliance sends RST packets to close them. The packets sent over radio channels activate those channels unnecessarily, causing a flood of messages that in turn cause the appliance to generate a flood of service reject messages. The default TCP profile now includes DropHalfClosedConnOnTimeout and DropEstConnOnTimeout parameters, which by default are disabled. If you enable both of them, neither a half-closed connection nor an established connection causes an RST packet to be sent to the client when the connection times out. The appliance just drops the connection.
    For more information, see the Citrix NetScaler 12.0 Beta features document.
    [From Build 35.6] [# 664057]
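An added illustration of the check that the TCP timestamp option enables under "Protection Against Wrapped Sequence (PAWS) Algorithm" above; this is example code, not NetScaler's implementation, and it follows the receiver-side rule from RFC 7323 (a segment whose timestamp is older than the last accepted one is treated as a stale duplicate). The connection state and segments are constructed values.

```python
# Added example, not NetScaler code: a minimal PAWS receiver check with 32-bit
# wrap-safe comparisons for both sequence numbers and timestamps (RFC 7323 section 5).

MASK32 = 0xFFFFFFFF


def ts_before(a: int, b: int) -> bool:
    """True if 32-bit timestamp a is older than b, using modular (wrap-safe) comparison."""
    return ((a - b) & MASK32) >= 0x80000000


def seq_in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """Plain receive-window check with 32-bit sequence wrap; no timestamps involved."""
    return ((seq - rcv_nxt) & MASK32) < rcv_wnd


def paws_accept(segment: dict, conn: dict) -> bool:
    """Decide whether a receiver should accept a segment.
    segment: {'seq': int, 'tsval': int}
    conn:    {'rcv_nxt': int, 'rcv_wnd': int, 'ts_recent': int or None}
    Simplification: ts_recent is updated on every accepted segment; real stacks
    only update it for segments that start at rcv_nxt."""
    if not seq_in_window(segment["seq"], conn["rcv_nxt"], conn["rcv_wnd"]):
        return False
    ts_recent = conn.get("ts_recent")
    if ts_recent is not None and ts_before(segment["tsval"], ts_recent):
        return False  # PAWS: older timestamp than last accepted => stale duplicate
    conn["ts_recent"] = segment["tsval"]
    return True


def wrapped_sequence_demo() -> dict:
    """Constructed scenario: the sequence space has wrapped, so a stale copy of an
    old segment lands inside the current receive window again. Without the timestamp
    check it would be accepted; with PAWS it is discarded and the fresh segment is kept."""
    conn = {"rcv_nxt": 0x00000100, "rcv_wnd": 65535, "ts_recent": 900_000}
    stale = {"seq": 0x00000200, "tsval": 120_000}  # captured long before the wrap
    fresh = {"seq": 0x00000200, "tsval": 900_001}  # current data at the same position
    return {
        "stale_in_window": seq_in_window(stale["seq"], conn["rcv_nxt"], conn["rcv_wnd"]),
        "stale_accepted": paws_accept(stale, conn),
        "fresh_accepted": paws_accept(fresh, conn),
    }
```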

Telco

  • Large Scale NAT64 SIP and RTSP ALGs Support for 464XLAT Connections
    NetScaler appliances now support Large Scale NAT64 RTSP and SIP ALGs for 464XLAT connections that use Large Scale NAT64.
    For a 464XLAT SIP connection using NAT64 and SIP ALG, the show lsn sipalgcall command now displays the IPv4 address (XLAT IP) of the subscriber. For a 464XLAT RTSP connection using NAT64 and RTSP ALG, the show lsn rtspalgsession command now displays the IPv4 address (XLAT IP) of the subscriber.
    464XLAT is an architecture that provides IPv4 connectivity across an IPv6-only ISP core network by combining the existing and well-known stateful translation at the core (Stateful NAT64; RFC 6146) and stateless protocol translation at the edge (IP/ICMP Translation algorithm; RFC 6145). In other words, 464XLAT provides connectivity between IPv4-only applications on IPv6 subscriber hosts and IPv4 Servers on the internet through an IPv6-only ISP core network.
    For more information about configuring SIP and RTSP ALGs for Large NAT64, see https://docs.citrix.com/en-us/netscaler/11-1/netscaler-support-for-telecom-service-providers/lsn-nat-64/configuring-agl-large-scale-NAT64.html.
    [From Build 35.6] [# 635880]

Release history

For details of a specific release, see the corresponding release notes.
  • Build 41.24 (2017-05-25) (Current build) Replaces: 41.22
  • Build 35.6 (2017-03-02)