Product Documentation

What's New

Dec 30, 2015

NetScaler Gateway 11.0.64. adds the following new features and enhancements:

Access Insight

NetScaler Insight Center (BUG0440597)

New in this release is a metric for measuring layer 7 latency for Insight that actively monitors a network disruption at a configurable granular level. The following are new features in this release.

  • Live latency monitoring to catch spikes.
  • Notifications sent out to the Insight Center if the latency exceeds the minimum observed latency. (These notifications are sent out if the latency exceeds the minimum observed latency by a configurable threshold factor for a configurable interval of time. The interval of time is used to filter out any outliers from being reported).
  • Run time configurable
  • Flexibility to configure different connections to have different parameters depending on certain “rules”.

Access Insight (ENH051987/ENH0547839)

New in this release is the HDX Insight feature. It reports the details about the ICA session. The NetScaler appliance examines the ICA packet, and generates Appflow records, which exports information records, that help uncover issues. 

Gateway

Dual Hop (ENH0524991

The Dual-Hop enhancement enables next-hop requests to be distributed among several available NetScaler appliances. The Dual-Hop feature expands the capability to load balance across any next-hop server, so that if one next-hop server is unavailable, connections can be re-established using another available server. This enhancement supports the below configurations:

  • Creates a LB virtual server on DMZ NetScaler for the next-hop targets, and allow this LB to be added as a Next-Hop Server.
  • Specifies a next-hop server as an FQDN name so a GSLB solution could be used.

RDP Enforcement (581578)

New in this release, NetScaler administrators can assign RDP capabilities through the NetScaler Gateway configuration. The following are configurable as part of the RDP client profile:

  • Redirection of ClipBoard
  • Redirection of Printers
  • Redirection of Disk Drives

Block ICMP (ENH0589202)

The VPN plugin was enhanced to acknowledge the intranet application protocol flag. ICMP blocking can be configured to separate intranet applications for UDP and TCP. 

EPA Verbose logging (ENH0590932)

The NetScaler appliance was enhanced to provide a verbose log of Passed/Failed EPA scans. The verbose log provides an easy to read reason for failures on the client machine. 

Auth

Skew-time in SAML IDP (ENH0582266)

The NetScaler appliance has been enhanced to provide SAML authentication to an application by activating the SAML Identity Provider (IdP) and/or the SAML Service Provider (SP). If the system time on NetScaler SAML IdP and the peer SAML SP is not in sync, either party may invalidate the messages.

Duration can be setup for valid assertions. This duration, called the "skew time," specifies the number of minutes that the message will be accepted. The skew time can be configured on the SAML SP and the SAML IdP. 

Set SPID Value for IPD SAML Initiated Federation (ENH0582265)

If used as a SAML Identity Provider (IdP), the NetScaler appliance can be setup to serve assertions to pre-configured SAML Service Providers (SP) or those trusted by the IdP. The SAML IdP must have the service provider ID (or issuer name) of the relevant SAML SPs.

Support for Redirect Binding for SAML IdP (ENH0564947)

If used as a SAML Identity Provider (IdP), the NetScaler appliance now supports redirect bindings (in addition to POST binding). 

SAML Extract Multiple Attributes (BUG0577853)

If used as a SAML SP, the NetScaler appliance can now extract multi-valued attributes from a SAML assertion.

Increased Length of SAML Attributes for Extraction (ENH0581644)

In the SAML Service Provider (SP) module, names of the attributes that can be extracted from an incoming SAML assertion can be up to 127 bytes long. The previous limit was 63 bytes. 

NetScaler Gateway 11.0 build 62.10 adds the following new features and enhancements:

Framehawk Virtual Channel

NetScaler Gateway now supports the new UDP-based Framehawk virtual channel.
[# 587560]

Windows 10

NetScaler Gateway now supports Windows 10. 
[# 579428]

NetScaler Gateway 11.0 build 55.20 and 55.23 add the following new features and enhancements:

NetScaler with Unified Gateway

This feature extends NetScaler Gateway connectivity with access to any web application through a single URL, along with seamless single sign-on and sign-off. Single URL access can be configured for:

  • Internal organizational web applications
  • Software as a Service applications, including SAML based single sign-on when available
  • Outlook Web Access and SharePoint as clientless applications
  • Load balanced applications served through NetScaler load balancing virtual servers 
  • XenApp and XenDesktop published resources.

The feature can be configured and managed with the Unified Gateway wizard in the NetScaler configuration utility. [#00552862, #0438356, #0519875, #0519875]

SmartControl

SmartControl allows policy-based management decisions for ICA connections through the VPN. SmartControl policies can be applied at the session level to control user’s ICA environment and to further manage ICA connections with SmartGroup sorting decisions.   [#0525947]

Portal Customization and EULA

The Portal Customization options have been expanded to allow end-to-end customization of the VPN user portal. Administrators can apply themes to their VPN portal design or use themes as a foundation for their own customization or branding. An option to present VPN users an End User License Agreement (EULA) has also been added to the portal design. Portal themes and EULAs can be bound to a VPN virtual server or specified as global VPN parameters.  [#0489467]

New and Updated Gateway Clients

NetScaler Gateway release 11.0 adds new plug-in clients for the following operating systems:

Each of these clients provides full SSL VPN tunnel functionality through NetScaler Gateway and supports all authentication methods available in NetScaler Gateway.

Additionally, the Mac OS and Windows plug-ins have been refreshed and updated for the 11.0 release, including OS X 10.10 (Yosemite) support for the Mac OS X plug-in. [#0495767, #0520483]

NetScaler Gateway Plug-in Upgrade Control

The NetScaler Gateway client plug-ins are no longer coupled to the NetScaler release versioning. Settings for version requirement per client OS type can be configured globally and within session policies.  [#0236620]

Plug-in Icon Decoupling from Citrix Receiver

The desktop client plug-ins icons can now be configured to operate independently from Native Citrix Receiver clients. Settings to manage Receiver integration with the NetScaler Gateway Plug-ins can be configured globally and within session policies.   [#0406312]

Disabling Automatic Update for the Windows Gateway Client and EPA Plug-ins

This enhancement adds an option in client Endpoint Analysis (EPA) to prevent automatic client updates by disabling the "EnableAutoUpdate" registry key.  [#236620]

Striped Cluster for NetScaler Gateway in ICA Proxy Mode

This feature allows administrators to deploy NetScaler Gateway with XenApp and XenDesktop in a striped cluster configuration. Administrators can use existing Gateway configurations and scale seamlessly in a cluster deployment without having to restrict the VPN configuration to a single node.

Note that this feature is limited to ICA Proxy basic-mode virtual servers and does not support SmartAccess. [#0490329]

Clientless VPN support for Outlook Web Access 2013 and SharePoint 2013

NetScaler Gateway has improved support for access to Outlook Web Access 2013 and SharePoint 2013 through Clientless VPN (CVPN) sessions. [#0494995]

WebFront

WebFront is an alternative integration point for XenApp and XenDesktop deployments served by StoreFront. Resident on NetScaler, WebFront uses caching and packet flow optimization in the distribution of user stores. These techniques improve end user experience for Receiver for Web users and speed up single sign-on for native Receiver users. In the NetScaler configuration utility, the WebFront feature is on the Configuration tab at System > WebFront. [#0497619, #0497625]

ICA Proxy Connection Termination after Session Time Out

Automatic session timeout can be enabled for ICA connections as a VPN parameter. Enabling this parameter forces active ICA connections to time out when a VPN session closes.  [#0358672]

Support for Common Gateway Protocol (CGP) over WebSockets

NetScaler Gateway virtual servers have improved intelligence for handling CGP traffic destined for the common CGP port, 2598, over WebSockets. This enhancement allows Receiver for HTML5 user sessions through NetScaler Gateway to support Session Reliability. [#0519889]

SPNEGO Encapsulation for Kerberos Tickets

NetScaler now uses SPNEGO encapsulation on Kerberos tickets that are sent to back-end web applications and servers. [#404899]

Cross Domain Kerberos Constrained Delegation 

This enhancement adds support for cross-domain Kerberos constrained delegation when both the user and the service realm have a two-way shortcut trust. That is, if the user and service belong to different domains/realms, constrained delegation fails. However, if a user logs on with a user name and password, Kerberos Single Sign-On works for cross-domain access, because the NetScaler Gateway appliance does Kerberos impersonation with the user password. NetScaler Gateway currently does not otherwise support cross-domain constrained delegation. [#444387]