Citrix

Product Documentation




What's New in Previous 10.5 Builds

Jul. 24, 2015

This topic describes the enhancements and changes that were available in NetScaler 10.5 releases prior to Build 65.11. The build number provided below each description indicates the build in which the enhancement or change was provided.

AAA-TM

  • Strong Encryption Support in Kerberos KCD

    AAA-TM now supports the aes256-sha1 and aes128-sha1 strong encryption methods for Kerberos KCD. Previously, when KCD was configured to use delegated user credentials, AAA used the relatively weak RC4-HMAC encryption algorithm to encrypt the timestamp when sending a ticket-granting request to the Kerberos server. If the system administrator had restricted use of weak encryption algorithms on the Kerberos server, the Kerberos server would respond with an error instead of the requested ticket, causing KCD to fail. AAA now uses aes256-sha1 to encrypt timestamps for delegated user credentials.

    [From Build 50.10] [#427766]

  • Responder After AAA

    On a NetScaler ADC that has AAA configured, the ADC now invokes responder policies after authenticating users. Previously, users could not bookmark the authentication sign-on page. This limitation no longer exists.

    [From Build 50.10] [#258274, 258277]

  • Extracting SAML Attributes from Keytab

    The AAA Negotiate Action command can now extract user information from a keytab file instead of requiring you to enter that information manually. If a keytab has more than one SPN, AAA selects the correct SPN. You can configure this feature at the NetScaler command line, or by using the configuration utility.

    To configure AAA to extract user information from a keytab file at the command line, type the appropriate command:

    add authentication negotiateAction <name> [-keytab <string>]

    set authentication negotiateAction <name> [-keytab <string>]

    For <name>, substitute the name of the negotiateAction. If you are adding a new action, the name can be from one to 127 characters in length and can consist of upper- and lowercase letters, numbers, and the hyphen (-) and underscore (_) characters. For <string>, substitute the full path and filename of the keytab file that you want to use.

    To configure AAA to extract user information from a keytab file by using the configuration utility, do the following steps:

    1) Open Security, AAA, Policies, Authentication, Negotiate.

    2) In the Data pane, click the Servers tab.

    3) Do one of the following:

    * If you want to create a new Negotiate action, click Add.

    * If you want to modify an existing Negotiate action, in the data pane select the action, and then click Edit.

    4) If you are creating a new Negotiate action, in the Name text box, type a name for your new action.

    The name can be from one to 127 characters in length and can consist of upper- and lowercase letters, numbers, and the hyphen (-) and underscore (_) characters.

    If you are modifying an existing Negotiate action, skip this step. The name is read-only; you cannot change it.

    5) Under Negotiate, if the Use Keytab file check box is not already checked, check it.

    6) In the Keytab file path text box, type the full path and filename of the keytab file that you want to use.

    7) In the Default authentication group text box, type the authentication group that you want to set as default for this user.

    8) Click Create or OK to save your changes.

    [From Build 50.10] [#405134]

  • NetScaler as SAML IDP

    The NetScaler ADC can now act as a SAML identity provider (IDP). As an IDP, the ADC accepts SAML tokens from users that request access to a protected application, redirecting users to the SAML service provider (SP) logon page to authenticate. After the user authenticates, the ADC generates a SAML assertion that grants access to the protected resource and redirects the user to it. When the user logs out or is logged out by any SP, the ADC sends logout requests to all other SPs that the user accessed during the current session and terminates the session.

    For more information, see the NetScaler documentation.

    [From Build 50.10] [#406525]

  • With previous versions of the NetScaler ADC, OWA 2010 connections did not time out because OWA sends repeated keepalive requests to the server to prevent timeouts, which interfered with single sign-on and posed a security risk. AAA-TM now supports forced timeouts that ensure that OWA 2010 sessions time out after the specified period of inactivity.

    For more information and configuration instructions, see the documentation.

    [From Build 50.10] [#247952, 419622, 426196]

  • KCD Performance Improvements

    When creating a KCD account with a delegated user certificate and CA certificate, AAA now searches the /nsconfig/ssl directory, where those certificates are kept, for the two certificate files instead of searching /nsconfig/krb.

    [From Build 50.10] [#412687]

  • AAA-TM can now be configured to authenticate users with an external RADIUS or LDAP authentication server at a specific FQDN instead of only at a specific IP. Configuration via FQDN can simplify an otherwise much more complex AAA configuration in environments where the authentication server might appear on any of several IPs, but always uses a single FQDN.

    Note: When you configure AAA to authenticate to an external server via FQDN instead of IP, you add an extra step to the authentication process because the ADC must resolve the FQDN each time that it authenticates a user. If a great many users attempt to authenticate simultaneously, the DNS lookups might slow the authentication process.

    To configure authentication by using a server's FQDN instead of IP, follow the normal configuration process except when creating the authentication action, where you substitute the serverName parameter for the serverIP parameter, as shown below:

    > add authentication ldapAction <name> -serverName <serverName>

    > add authentication radiusAction <name> -serverName <serverName>

    For <serverName>, substitute the fully-qualified domain name (FQDN) of the LDAP or RADIUS authentication server.

    [From Build 50.10] [#338718, 314443]

  • Unlocking Locked-Out User Accounts

    You can now unlock a user account that was locked out after too many failed logon attempts or after repeated violations of logon attempt time slice limits. To unlock a locked-out user account by using the configuration utility, navigate to Security > AAA-Application Traffic > Users. In the data pane, select the user account to unlock, and then in the Actions drop-down list, choose Unlock. To unlock a locked-out user account from the command line, type the following command:

    unlock aaa user <userName>

    [From Build 50.10] [#437164]

  • Web-based Authentication

    AAA-TM is now able to authenticate a user to a web server, providing the credentials that the web server requires in an HTTP request and analyzing the web server response to determine that user authentication was successful.

    To set up web-based authentication with a specific web server, first you create a web authentication action. Since authentication to web servers does not use a rigid format, you must specify exactly which information the web server requires and in which format when creating the action. To do this, you create an expression in NetScaler default syntax. Next you create a policy associated with that action. The policy is similar to an LDAP policy, and like LDAP policies uses NetScaler classic syntax.

    [From Build 50.10] [#431391]

  • NetScaler Default Expressions support for authentication subsystem

    AAA-TM now supports NetScaler default syntax expressions in the following parts of the authentication subsystem:

    * Authentication policy rules. You can use default syntax expressions as Authentication policy rules. The default syntax expression editor now appears in the configuration utility when you create or configure an authentication policy. From the command line, you can simply use default syntax to create the rule for your policy and AAA-TM will recognize and implement it.

    * Authentication policy bindings. Authentication policies, when bound, can each be associated with the "nextFactor" policyset. The nextFactor policyset is evaluated if the policy to which it is associated succeeds. nextFactor support permits policy pairing and grouping, and allows you to create cascading chains of policies all of which can be evaluated in turn. There is no upper limit to the number of policies that can be chained in this manner.

    All policies bound to a single authentication server must be either NetScaler default syntax policies or NetScaler classic syntax policies. You cannot mix both types of policy on a single authentication server.

    [From Build 50.10] [#418615]

  • Renegotiate Support for Certificate-based Policies

    AAA-TM now prompts for the client certificate only when it requires the certificate to authenticate a user, not every time that a protected application requests authentication. It retrieves the certificate if two factor authentication is not enabled, or if it is configured to extract the user name from the certificate.

    [From Build 50.10] [#425621]

  • Authentication Server Stickiness

    After a user authenticates successfully to an LDAP, RADIUS, or TACACS authentication or authorization server, the NetScaler ADC now connects to the same server for subsequent user authentications or authorizations. When a primary server is unavailable, this feature prevents delays while the ADC waits for the first server to time out before resending the request to the second server.

    For example, assume that you have AAA configured on your ADC with three authentication policies--authpol1, authpol2, and authpol3--with priorities set to 10, 20, and 30 respectively. A user requests authentication, and the ADC discovers that the authentication server behind authpol1 does not respond to authentication requests. The ADC then tries authpol2, which responds. When other users attempt to authenticate after this situation occurs, the ADC skips authpol1 and proceeds directly to authpol2.

    [From Build 50.10] [#358894]

  • When sending a SAML authentication request to an external identity provider, the NetScaler ADC now offers an option to send the thumbprint of the certificate that was used to sign the message instead of sending the complete certificate. When the "sendThumbprint" option in the SAML action is set to ON, the ADC puts the thumbprint in the SAML authentication request instead of the full X509 certificate. The "sendThumbprint" option is off by default.

    [From Build 54.9] [#505673]

  • SHA256 Signature and Digest Algorithms Support

    AAA now supports encrypted SAML assertions. The NetScaler implementation of SAML allows signing certificates of less than 2048 bits, but displays a warning message. It also supports the SHA256 hash algorithm for signatures and digests. Citrix recommends that all signing certificates be of at least 2048 bits, and that you use SHA256 as SHA-1 is no longer considered secure.

    [From Build 56.22] [#440382, 457134]
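The keytab and Kerberos KCD encryption items in this section can be checked together before a keytab is handed to a negotiate action: the added example below (not Citrix code) parses a keytab, lists every SPN with its key types, and flags RC4-HMAC or single-DES keys that a hardened Kerberos server would refuse. It assumes the MIT keytab file format version 0x0502; the function names are illustrative and the sample keytab is constructed with all-zero dummy keys.

```python
import struct

# Kerberos encryption type numbers from the IANA registry.
ETYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac", 24: "rc4-hmac-exp",
}
WEAK_ETYPES = {1, 2, 3, 23, 24}  # single-DES and RC4 key types


def read_counted(buf, pos):
    """Read a uint16 length-prefixed octet string; return (bytes, new position)."""
    (length,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    if pos + length > len(buf):
        raise ValueError("counted string runs past end of entry")
    return buf[pos:pos + length], pos + length


def parse_entry(entry):
    """Decode one keytab entry (format version 0x0502, big-endian fields)."""
    (ncomp,) = struct.unpack_from(">H", entry, 0)
    realm, pos = read_counted(entry, 2)
    comps = []
    for _ in range(ncomp):
        comp, pos = read_counted(entry, pos)
        comps.append(comp.decode("utf-8", "replace"))
    # name type (4), timestamp (4), 8-bit kvno (1), key type (2) = 11 bytes
    _name_type, _timestamp, vno8, etype = struct.unpack_from(">IIBH", entry, pos)
    key, pos = read_counted(entry, pos + 11)
    # A trailing 32-bit kvno, when present, overrides the 8-bit one.
    kvno = struct.unpack_from(">I", entry, pos)[0] if len(entry) - pos >= 4 else vno8
    return {
        "principal": "/".join(comps) + "@" + realm.decode("utf-8", "replace"),
        "kvno": kvno,
        "etype": etype,
        "etype_name": ETYPE_NAMES.get(etype, "etype-%d" % etype),
        "key_bits": len(key) * 8,
        "weak": etype in WEAK_ETYPES,
    }


def parse_keytab(data):
    """Return one dict per key entry; raise ValueError on malformed input."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    try:
        while pos + 4 <= len(data):
            (size,) = struct.unpack_from(">i", data, pos)
            pos += 4
            if size < 0:          # negative size marks a deleted slot
                pos += -size
                continue
            if size == 0:         # treated here as end of data
                break
            if pos + size > len(data):
                raise ValueError("entry at offset %d is truncated" % (pos - 4))
            entries.append(parse_entry(data[pos:pos + size]))
            pos += size
    except struct.error as exc:
        raise ValueError("truncated keytab entry") from exc
    return entries


def weak_principals(data):
    """SPNs that still carry at least one DES or RC4 key."""
    return sorted({e["principal"] for e in parse_keytab(data) if e["weak"]})


def build_entry(spn, realm, etype, kvno, key):
    """Constructed test data only: serialise one entry with a dummy key."""
    def counted(raw):
        return struct.pack(">H", len(raw)) + raw
    comps = spn.encode().split(b"/")
    body = struct.pack(">H", len(comps)) + counted(realm.encode())
    body += b"".join(counted(c) for c in comps)
    body += struct.pack(">IIBH", 1, 0, kvno & 0xFF, etype) + counted(key)
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


# Constructed sample: two SPNs, one of which still has an RC4 key.
SAMPLE_KEYTAB = b"\x05\x02" + b"".join([
    build_entry("HTTP/lb1.example.com", "EXAMPLE.COM", 18, 3, bytes(32)),
    build_entry("HTTP/lb1.example.com", "EXAMPLE.COM", 23, 3, bytes(16)),
    struct.pack(">i", -8) + bytes(8),  # deleted slot
    build_entry("HTTP/lb2.example.com", "EXAMPLE.COM", 18, 1, bytes(32)),
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print("%-36s kvno=%d %-24s %s" % (
            e["principal"], e["kvno"], e["etype_name"],
            "WEAK" if e["weak"] else "ok"))
```

The types named aes256-sha1 and aes128-sha1 in the note correspond to encryption types 18 and 17 here, and RC4-HMAC to type 23.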

AAA-TM, Responder

  • Using a Responder HTML Response Page to provide Customized Error Responses

    You can use the Citrix NetScaler Responder feature to create custom error responses when a user attempts to authenticate with AAA-TM and authentication fails. The Responder feature is flexible; you can create as many error responses as you wish, and respond to as many different error conditions. For example, if your users log on to different authentication servers in different geographic areas, you can customize responses to each region. A user in the United States can receive an error message that is appropriate to his or her authentication server, and be directed to a customer service telephone number in the United States. A user in Japan can receive the same for his or her different authentication server and customer service telephone number.

    Briefly, to create a Responder configuration for this scenario, first create each error message and place that error message on a web server. The web server should not be located on the same physical server as the authentication server, and preferably not on the same subnet. If you have multiple regional data centers that host separate authentication servers, it is advisable to locate each error response in a data center other than the one that hosts the authentication server that it is used for, so that local power outages or Internet connectivity problems do not affect the web server that hosts the error messages. Then, on the ADC, do the following steps:

    1) Create one load balancing virtual server for each error message.

    2) Create a policy for each error message that selects the requests that should receive this error message if authentication fails, and bind each policy to the appropriate load balancing virtual server.

    3) Create a responder action for each error message that contains an HTTP 307 Redirect that points to the URL of the customized error message.

    4) Create a responder policy for each error message that selects connections that should receive that error message, and bind that policy to the appropriate responder actions. You must craft a rule for the responder policy that selects connections that meet the appropriate criteria. For example, if you want connections that originate in the USA and that fail authentication to receive this error message, the rule could identify the region by source IP, and the authentication failure by error message.

    5) Bind each responder policy to the correct virtual server, as shown below.

    > bind lb vserver <vServerName> -policyName <policyName> -priority 1 -gotoPriorityExpression END

    For detailed instructions on how to set up a responder configuration of this type by using the command line, see the following article on the Citrix Customer Support web site:

    http://support.citrix.com/article/CTX129108

    [From Build 50.10] [#414985]

AppFlow

  • Indication for End of Transaction

    A transaction flag now indicates, to external collectors, whether the transaction was successfully completed or was aborted.

    [From Build 50.10] [#252000]

  • The process of collecting the load time and render time of web pages has been simplified by including the clientSideMeasurements parameter as part of the add appflow action command.

    On the command line interface, enable this option by running the following command:

    > add appflow action <name> -clientSideMeasurements ENABLED

    For details about configuring an AppFlow action, see http://support.citrix.com/proddocs/topic/ns-system-10-5-map/ns-ag-appflow-config-actn-tsk.html.

    [From Build 50.10] [#434577]

  • NetScaler ADC now exports AppFlow records to a set of collectors if the transaction responses are served from the NetScaler cache.

    [From Build 50.10] [#423567]

  • NetScaler ADC now supports the session reliability feature, so that sessions that are monitored by the ADC for ICA traffic can seamlessly reconnect even after a network disruption. This feature keeps sessions active even if network connectivity is interrupted, and to indicate that connectivity is lost, the user's device display freezes and the cursor changes to a spinning hourglass until connectivity resumes. The user can resume interacting with the application once the network connection is restored.

    Note: Make sure to enable the session reliability feature on XenApp or XenDesktop for NetScaler ADC to support this feature.

    [From Build 54.9] [#388563, 417260, 438710, 488206]

Cisco RISE Integration

  • Configuring RISE with NetScaler ADC and Cisco Nexus 7000 Switches.

    You can now use Remote Integrated Service Engine (RISE) technology to integrate a NetScaler ADC and a Cisco Nexus 7000 Series switch. This combination offers layered network services, including robust application delivery capabilities that accelerate application performance for all users.

    With a RISE based implementation, the NetScaler functionality is available as a centralized resource that can be leveraged across the application infrastructure supported by the Cisco Nexus 7000 series switch. The key functionalities of the RISE architecture include:

    - Plug and play auto-provisioning. RISE provides a plug and play auto-provisioning feature. When you directly connect the NetScaler ADC to the Cisco Nexus 7000 series switch, auto-discovery commences.

    - Discovery and bootstrapping. The discovery and bootstrap mechanism enables the Cisco Nexus 7000 Series switch to communicate with the NetScaler ADC by exchanging information to set up a RISE channel, which transmits control and data packets.

    - Health Monitoring. The NetScaler ADC uses its health monitoring feature to track and support server health by sending health probes to verify server responses.

    - Automatic Policy Based Routing (APBR). Automatic Policy Based Routing (APBR) automatically routes the return traffic from the servers to the NetScaler ADC, preserving the client IP addresses. The automatic policy based routes are defined on the Cisco Nexus 7000 series switch. When the return traffic from the server reaches the Cisco Nexus 7000 series switch, the APBR policies defined on the switch route the traffic to the NetScaler ADC, which in turn routes the traffic to the client.

    [From Build 50.10] [#413833]

Cluster

  • A NetScaler cluster can now be configured to run with fewer than (n/2 + 1) nodes online. To do this, while creating a cluster instance, you must set the "quorumType" parameter to None, as shown here:

    > add cluster instance <clid> -quorumType None

    [From Build 50.10] [#407139]

  • Layer2 Mode Support in a Cluster

    You can now use the Layer2 mode in a NetScaler cluster. For more information, see http://support.citrix.com/proddocs/topic/ns-system-10-5-map/ns-cluster-l2-mode-con.html.

    [From Build 50.10] [#441320]

  • VRID/VRRP is now supported on a NetScaler cluster.

    [From Build 50.10] [#407100]

  • Link Redundancy Support in a Cluster

    The NetScaler cluster now provides link redundancy with LACP. For more information, see http://support.citrix.com/proddocs/topic/ns-system-10-5-map/ns-cluster-traf-dist-link-redundancy-con.html.

    [From Build 50.10] [#415116]

  • Spotted VIP for NetScaler Gateway clusters. Spotted VIP functionality has been expanded to enable clustering for NetScaler Gateway.

    [From Build 50.10] [#317314]

  • You can now add a failover interface set (FIS) on the nodes of a NetScaler cluster. On the cluster IP address, specify the ID of the cluster node on which the FIS must be added as follows:

    > add fis <name> -ownerNode <nodeId>

    Note:

    - The FIS name for each cluster node must be unique.

    - A cluster LA channel can be added to a FIS. You must make sure that the cluster LA channel has a local interface as a member interface.

    [From Build 50.10] [#430035]

  • Traffic domains are now supported on a NetScaler cluster.

    [From Build 50.10] [#415065]

  • Net profiles are now supported on a NetScaler cluster. You can bind spotted IP addresses to a net profile which can then be bound to spotted load balancing virtual server or service (defined using a node group) with the following recommendations:

    - If the "strict" parameter of the node group is "Yes", the net profile must contain a minimum of one IP address from each node of the node group member.

    - If the "strict" parameter of the node group is "No", the net profile must include at least one IP address from each of the cluster nodes.

    - If the above recommendations are not followed, the net profile configurations will not be honored and the USIP/USNIP settings will be used.

    [From Build 50.10] [#416827]

  • MPTCP is now supported on a NetScaler cluster.

    [From Build 50.10] [#423654]

  • From NetScaler 10.5 Build 52.11, the cluster feature is licensed with the Platinum and Enterprise licenses. In earlier releases, the cluster feature was licensed by a separate cluster license file.

    Note:

    - If you have configured a cluster in an earlier build, the cluster will work with the separate cluster license file. No changes are required.

    - When you configure a new cluster in Build 52.11 and then downgrade to an earlier build, the cluster will not work as it now expects the separate cluster license file.

    [From Build 52.11] [#486259]

  • GSLB support in a Cluster

    Global server load balancing can now be configured on a NetScaler cluster. To do this, you must log on to the cluster IP address to define the GSLB entities and then bind these entities to a single member cluster node group.

    For detailed information, see http://support.citrix.com/proddocs/topic/ns-system-10-5-map/ns-cluster-gslb-con.html.

    [From Build 52.11] [#326601]

Compression

  • Specifying a Vary Header Value

    When using HTTP compression, you can explicitly specify a "vary" header value for compressed responses. Prior to this enhancement, the vary header was implied to be "Accept-Encoding, User-Agent".

    To specify the customized vary header globally:

    > set cmp parameter -addVaryHeader ENABLED -varyHeaderValue <string>

    To specify the customized vary header for a specific compression action:

    > add cmp action <name> <cmpType> -addVaryHeader ENABLED -varyHeaderValue <string>

    [From Build 50.10] [#346214]

Configuration Utility

  • The NetScaler graphical user interface (GUI) has been enhanced to provide a better user interaction experience. It now provides you with a workflow-based experience, which guides you through the entire configuration. The configuration settings have been classified as basic and advanced for some features. The NetScaler ADC configuration utility and NetScaler Gateway configuration utility have also been reimplemented in HTML. As a result of these enhancements, the GUI does not display pop-up dialog boxes for most features and you no longer need Java Runtime Environment (JRE) to access these features through the GUI.

    For more information, see http://support.citrix.com/proddocs/topic/ns-rn-main-release-10-5-map/ns-rn-changes-gui-10-5-con.html

    [From Build 50.10] [#251336, 251607, 251645, 251760, 251797, 257879, 257949, 261240, 261339, 285382]

  • Distinguish between Commands Executed from Different NetScaler Interfaces

    The NetScaler now keeps track of the interfaces through which operations are executed. You can view this information in syslogs (in the NetScaler GUI, navigate to Configuration > System > Auditing > Audit Messages > Syslog messages) or in the ns.log file (located in the /var/log/ directory).

    For example, operations that are performed through the API are flagged as "API CMD_EXECUTED".

    [From Build 50.10] [#361917]
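The interface tag described above makes it possible to audit configuration changes by origin. The added example below (not Citrix code) tallies executed commands per interface and lists state-changing API commands that came from addresses outside an expected management set. Only the "API CMD_EXECUTED" tag is taken from this page; the line layout, the CLI and GUI tags, the read-only verb list and all sample lines are constructed assumptions.

```python
import re
from collections import Counter

# Assumed audit line layout (constructed); adjust the pattern to the lines
# your appliance actually writes to /var/log/ns.log.
LINE_RE = re.compile(
    r'\b(?P<iface>[A-Z]+) CMD_EXECUTED\b.*?'
    r'User (?P<user>\S+) - Remote_ip (?P<ip>\S+) - '
    r'Command "(?P<cmd>.*)" - Status "(?P<status>[^"]*)"'
)

# Assumption: commands starting with these verbs do not change configuration.
READ_ONLY_VERBS = {"show", "stat"}

# Constructed sample lines; addresses are from documentation ranges.
PREFIX = "Jul 24 09:15:0%d <local0.info> 192.0.2.10 07/24/2015:09:15:0%d GMT ns 0-PPE-0 : default "
SAMPLE_LOG = [
    PREFIX % (1, 1) + 'CLI CMD_EXECUTED 101 0 :  User nsroot - Remote_ip 192.0.2.50 '
    '- Command "show ns config" - Status "Success"',
    PREFIX % (2, 2) + 'GUI CMD_EXECUTED 102 0 :  User admin1 - Remote_ip 192.0.2.51 '
    '- Command "add lb vserver v1 HTTP 198.51.100.5 80" - Status "Success"',
    PREFIX % (3, 3) + 'API CMD_EXECUTED 103 0 :  User automation - Remote_ip 192.0.2.60 '
    '- Command "add service s1 198.51.100.9 HTTP 80" - Status "Success"',
    PREFIX % (4, 4) + 'API CMD_EXECUTED 104 0 :  User nsroot - Remote_ip 203.0.113.77 '
    '- Command "rm lb vserver v1" - Status "Success"',
    PREFIX % (5, 5) + 'API CMD_EXECUTED 105 0 :  User nsroot - Remote_ip 203.0.113.77 '
    '- Command "show lb vserver" - Status "Success"',
    PREFIX % (6, 6) + 'EVENT DEVICEUP 106 0 :  Device "server_vip_v1" - State UP',
]


def parse_line(line):
    """Return the audit fields of a CMD_EXECUTED line, or None for other lines."""
    match = LINE_RE.search(line)
    return match.groupdict() if match else None


def commands_by_interface(lines):
    """Count executed commands per originating interface tag."""
    return Counter(rec["iface"] for rec in map(parse_line, lines) if rec)


def unexpected_api_changes(lines, allowed_ips):
    """State-changing commands issued through the API from unlisted addresses."""
    hits = []
    for rec in filter(None, map(parse_line, lines)):
        words = rec["cmd"].split(None, 1)
        verb = words[0].lower() if words else ""
        if (rec["iface"] == "API" and verb not in READ_ONLY_VERBS
                and rec["ip"] not in allowed_ips):
            hits.append((rec["user"], rec["ip"], rec["cmd"], rec["status"]))
    return hits


if __name__ == "__main__":
    print(dict(commands_by_interface(SAMPLE_LOG)))
    for hit in unexpected_api_changes(SAMPLE_LOG, {"192.0.2.60"}):
        print("review:", hit)
```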

Content Accelerator

  • Content accelerator is a NetScaler feature that you can use in a Citrix ByteMobile T1100 deployment, to store data on a Citrix ByteMobile T2100 appliance. This saves bandwidth and provides faster response times, because the NetScaler does not have to connect to the server for repeated requests of the same data.

    For more information, see http://support.citrix.com/proddocs/topic/ns-optimization-10-5-map/ns-content-accl-con.html.

    [From Build 50.10] [#427565]

Content Switching

  • Content Switching Support for Diameter

    The NetScaler ADC now supports content switching for the Diameter protocol. A number of expressions have been added, and you can use them to examine the header and the attribute-value pairs (AVPs) in a Diameter packet. On the basis of that information, you can forward the request to the selected load balancing virtual server.

    For more information, see http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-5-map/ns-cs-customizing-diameter-for-cs-tsk.html.

    [From Build 50.10] [#413072]

  • When you create a content switching virtual server, NetScaler now supports using DNS TCP as the protocol used by the virtual server.

    [From Build 50.10] [#365650]

  • Multiple Port Content Switching Support for HTTP and SSL Virtual Servers

    You can now configure the NetScaler ADC so that HTTP and SSL content switching virtual servers listen on multiple ports without having to configure separate virtual servers. This feature is especially useful if you want to base a content switching decision on a part of the URL and other L7 parameters. Instead of configuring multiple virtual servers with the same IP address and different ports, you can now configure one IP address and specify the port as *. As a result, the configuration size is also reduced.

    For more information, see http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-5-map/ns-cs-customizing-multiport-http-ssl-tsk.html

    [From Build 50.10] [#386601]

  • Multiple Port Content Switching Support for SSL_TCP Virtual Servers

    You can now configure the NetScaler ADC so that SSL_TCP content switching virtual servers listen on multiple ports without having to configure separate virtual servers. Instead of configuring multiple virtual servers with the same IP address and different ports, you can now configure one IP address and specify the port as * . As a result, the configuration size is also reduced.

    [From Build 50.10] [#450367]

DNS

  • Enabling or Disabling the Recursion Available Flag

    A new parameter, -RecursionAvailable (YES|NO), has been introduced for load balancing virtual servers of type DNS and DNS_TCP. The default value is NO. When you use the load balancing virtual server to load balance recursive resolvers, you can set this option to YES, which causes NetScaler to respond with the RA bit set on all responses.

    [From Build 50.10] [#403114, 248936, 269857, 388338]

  • NAPTR DNS Record

    NetScaler ADC supports the DNS NAPTR (Naming Address Pointer) record type. NAPTR records are a generic DNS record type, but are commonly used in Internet telephony for service discovery. They therefore enable clients to discover which server a request should go to for a particular service and which protocol to use to connect to the server.

    NetScaler ADCs support NAPTR in two modes: ADNS mode and proxy mode. You can create a NAPTR record by using both the command line interface and the NetScaler configuration utility.

    For more information, see http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-5-map/ns-tmg-dns-crt-naptr-rec-tsk.html

    [From Build 50.10] [#413773]

  • CNAME Record Caching

    When deployed in proxy mode, the NetScaler ADC does not always send a query for an address record to the back-end server. This happens when a partial CNAME chain for the answer to the address record query is present in the cache. Under a few conditions, the ADC caches the partial CNAME record and serves the query from the cache.

    For more information, see http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-5-map/ns-tmg-dns-caching-cname-record-con.html

    [From Build 50.10] [#422509]

  • AA bit set for response from NetScaler Cache

    In previous releases, for NODATA responses with the AA bit, NetScaler ignored the AA bit (authoritative bit) while caching. For such DNS queries, NetScaler replied with a NODATA response from the cache without setting the AA bit. This behavior has been enhanced in the current release: NetScaler now responds with the AA bit for negative cached responses, just as it does for positive cached responses.

    [From Build 50.10] [#285009]

DataStream

  • Support for Database Specific Load Balancing for MySQL

    Database specific load balancing is now supported for MySQL databases. If a database is available on multiple servers but is online on only some of these servers, the client request is forwarded to the server on which the database is online. Enable the DBSLB option when you create a load balancing virtual server. To store the database list on the NetScaler ADC, while creating a MYSQL-ECV monitor, enable storeDB.

    [From Build 50.10] [#418490]

  • Support for Fallback to NTLM Authentication

    Currently AAA supports Kerberos authentication only with Datastream Windows Authentication. AAA does not support fallback to NTLM if Kerberos authentication fails.

    [From Build 50.10] [#382693]

  • Support for SQL Server High-Availability (HA) Group Deployment

    The NetScaler ADC now supports AlwaysOn Availability group deployment in database specific load balancing for MSSQL 2012.

    For more information, see http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-5-map/ns-dbproxy-db-specific-lb-for-mssql-2012-tsk.html

    [From Build 50.10] [#415485]

  • Support for Transparent Deployment Mode in MySQL

    You can now configure the NetScaler ADC to operate transparently between MySQL clients and servers, and to only log or analyze details of all client-server transactions. Transparent mode is designed so that the ADC only forwards MySQL requests to the server, and then relays the server's responses to the clients. As the requests and responses pass through the ADC, the ADC logs information gathered from them, as specified by the audit logging or AppFlow configuration, or collects statistics, as specified by the Action Analytics configuration. You do not have to add database users to the ADC.

    [From Build 50.10] [#410824]

  • Any NetScaler MPX or VPX appliance subject to a limit on the number of DataStream transactions per second will no longer be restricted by license or platform model number.

    [From Build 52.11] [#479490]

GSLB

  • GSLB Auto Sync Enhanced to Sync Static Proximity Database

    GSLB autosync has been enhanced to synchronize global server load balancing (GSLB) static proximity databases. When autosync is triggered on the master site, first the static proximity database is synchronized followed by the synchronization of configuration.

    For more information, see http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-5-map/ns-gslb-synchro-static-proximity-db.html

    [From Build 50.10] [#286236]

  • Viewing the configuration details of the entities bound to a GSLB domain

    You can now view the configuration details of the entities bound to a GSLB domain. The details include the configuration of the virtual servers, services, and the monitors bound to the GSLB domain. To view the details, you can use either the command line or the configuration utility.

    For more information, see http://docs.citrix.com/en-us/netscaler/10-5/ns-tmg-wrapper-10-con/netscaler-gslb-gen-wrapper-10-con/ns-gslb-config-con/ns-gslb-bind-dom-vsvr-tsk.html.

    [From Build 56.22] [#343525]

Integrated Caching

  • Increased Metadata Cache Capacity

    The number of cached objects that the cache memory can store has now been increased.

    [From Build 50.10] [#417677]

  • Cache Object Persistence in a High Availability Setup

    When integrated caching is used in a high availability setup, in addition to storing the cached objects on the primary appliance, the objects are also stored on the secondary appliance. This reduces bandwidth usage as cached objects are not lost during failover and the request can then be served directly from the cache of the secondary appliance.

    To enable this functionality globally, execute the following command:

    > set cache parameter -enableHaObjPersist Yes

    To enable this functionality on a specific content group, execute the following command:

    > set cache contentGroup <name> -persistHA Yes

    [From Build 50.10] [#329012]

Load Balancing

  • Rate Limiting Support for Diameter

    You can now configure rate limiting for diameter messages. In the following example, NetScaler limits the rate to 100 messages per second and sends UNABLE_TO_DELIVER if the rate exceeds that limit.

    > add ns limitidentifier rslm1 -threshold 100 -timeSlice 1000 -mode REQUEST_RATE -limittype bursty

    > add responder action rsact1 respondwith "DIAMETER.NEW_ERROR_ANSWER + DIAMETER.NEW_AVP(263, DIAMETER.REQ.SESSION_ID.VALUE) + DIAMETER.NEW_AVP_UNSIGNED32(268, 3002)"

    > add responder policy rspol1 "SYS.CHECK_LIMIT(\"rslm1\")" rsact1

    [From Build 50.10] [#399053]

  • Increased Limits on the Number of Service Groups

    You can now configure up to 8K (8192) service groups on a NetScaler appliance. The earlier limit was 4K (4096) service groups.

    [From Build 50.10] [#406355]

  • Support for Jumbo Frames in RADIUS

    The NetScaler ADC now supports RADIUS jumbo frames.

    For more information on jumbo frames, see http://support.citrix.com/proddocs/topic/ns-system-10-5-map/ns-nw-jf-overview-con.html.

    [From Build 50.10] [#429415]

  • Monitors for XenMobile Device Manager (XDM) and XenMobile Device Connector (XNC)

    NetScaler allows a user to create monitors to check the status of the XenMobile Device Manager (XDM) and XenMobile NetScaler Connector (XNC) servers. The citrix-xdm monitor is used to monitor the XDM server while the citrix-xnc-ecv monitor is used to monitor the XNC server. You can add these monitors by using the add lb monitor command from the command-line interface or by using the GUI.

    * The XDM monitor uses the username, password, and site path strings to probe the XDM server.

    * The XNC monitor uses the username, password, send, and recv strings to probe the XNC server.

    [From Build 50.10] [#402361]

NITRO API

  • Uploading and Retrieving Files for NetScaler SDX Using NITRO

    NetScaler SDX operations such as configuring SSL certificates require the input files to be available locally on the appliance. NITRO allows you to perform file operations such as uploading files to the SDX, retrieving a list of files and the file content from the SDX, and deleting files from the SDX. These operations can be performed for files of type: cert, key, software images, etc.

    [From Build 50.10] [#408441]

  • Python SDK for NetScaler SDX and NetScaler Insight Center NITRO

    NITRO now provides Python SDKs for configuring the NetScaler SDX appliance and the NetScaler Insight Center appliance. The SDKs can be downloaded from the Downloads page of the appliance's configuration utility.

    [From Build 50.10] [#451606]

  • Uploading and Retrieving Files for NetScaler Using NITRO

    NetScaler operations such as configuring SSL certificates require the input files to be available locally on the NetScaler appliance. NITRO allows you to perform file operations such as uploading files to the NetScaler, retrieving a list of files and the file content from the NetScaler, and deleting files from the NetScaler. These operations can be performed for files of type: txt, cert, req, xml, and key.

    For more information, see http://support.citrix.com/proddocs/topic/netscaler-main-api-10-5-map/ns-nitro-rest-file-ops-ref.html.

    [From Build 50.10] [#262824, 257935, 259969]

  • Python SDK for NetScaler NITRO

    NITRO now provides a Python SDK for configuring the NetScaler appliance. The SDK can be downloaded from the Downloads page of the NetScaler appliance's configuration utility.

    [From Build 50.10] [#425725]

  • Viewing the Statistics of Services and Service Groups that are Bound to a Load Balancing Virtual Server

    You can now view the statistics of services and service groups that are bound to a load balancing virtual server by using the following URL:

    http://<netscaler-ip-address>/nitro/v1/stat/lbvserver/<name>?statbindings=yes

    You cannot view these details by using the "http://<netscaler-ip-address>/nitro/v1/stat/lbvserver/<name>" URL, which gives only the statistics of the load balancing virtual server.

    [From Build 58.11] [#241950, 244603, 523907, 534804, 538057]

NetScaler Gateway

  • Transferring ICA Proxy Sessions Between Devices

    If you configure a SmartAccess virtual server, when users log on from multiple devices, you can transfer the ICA Proxy session to another device and restrict users to one Universal license. For example, if users log on by using Citrix Receiver on their computer and then log on again from a mobile device, this consumes two NetScaler Gateway Universal licenses and creates two sessions for one user. You can prevent the two sessions by enabling the setting ICA Proxy Session Migration on the virtual server. When you enable this setting, the user session transfers to the new device and uses one Universal license.

    To enable session transfer

    1. In the configuration utility, on the Configuration tab, in the navigation pane, expand NetScaler Gateway and then click Virtual Servers.

    2. In the details pane, select a SmartAccess virtual server and then click Open.

    3. Select ICA Proxy Session Migration and then click OK.

    [From Build 50.10] [#428669, 436370]

  • RADIUS accounting

    RADIUS accounting functionality has been added to RADIUS authentication.

    [From Build 50.10] [#388723]

  • Advanced endpoint analysis

    NetScaler Gateway contains built-in scans for a wide variety of applications and services with the Endpoint Analysis Plug-in for Windows-based computers and Mac OS X computers. Additionally, the expression editor for advanced endpoint analysis has been implemented in HTML within the configuration utility.

    [From Build 50.10] [#417360]

  • NetScaler Gateway supports network traffic through a forward proxy between the appliance and servers in the internal network when users log on by using clientless access and when Secure Browse is enabled on the Security tab in a session profile.

    [From Build 54.9] [#451933, 455617, 470014]

  • NetScaler Gateway does not support single sign-on (SSO) to public servers unless single sign-on is enabled in a traffic profile or if split tunneling is enabled.

    [From Build 54.9] [#518414]

  • Upgrade EPA (Endpoint Analysis) libraries in NetScaler Gateway

    The Endpoint Analysis feature enables administrators to analyze and make client connection choices based on client endpoint settings for plug-in sessions connecting through the NetScaler Gateway. Previously, NetScaler Gateway administrators had to manually upload a new EPA library using the command line in order to upgrade the EPA libraries in NetScaler Gateway. This task required administrators to manually extract the file on the NetScaler and then copy the extracted files to appropriate directories. NetScaler Gateway 10.5.52.1115.e presents a one-click interface for upgrading EPA libraries without upgrading or rebooting the system.

    [From Build 54.9] [#504584]

  • NetScaler Gateway now supports Windows 10 clients.

    [From Build 59.13] [#579428]

NetScaler Insight Center

  • You can now customize NetScaler Insight Center reports to display the metrics that you want, and you can specify bar graphs or line graphs.

    To make these changes, open the drop-down list next to the percentage icon in the top-right corner of the dashboard.

    [From Build 50.10] [#427187]

  • Cache Redirection Insight Support

    NetScaler Insight Center now analyzes the traffic flowing through NetScaler ADC to cache servers and origin servers, and provides useful information about the cache performance, such as:

    - Bandwidth saved while serving requests from the cache server instead of the origin server.

    - Bandwidth consumed when requests bypassed the cache server and were served from the origin server.

    - Number of times a URL was accessed from the cache server instead of the origin server.

    For details on Cache Redirection Insight, see http://support.citrix.com/proddocs/topic/ni-10-5-map/ni-usecase-webinsight-cache.html.

    [From Build 50.10] [#409842]

  • HDX Insight reports now include details about session reconnects, client-side retransmissions, and server-side retransmissions.

    [From Build 50.10] [#392016]

  • Geo Map Support

    The NetScaler Insight Center geo maps feature displays the usage of web applications across different geographical locations on a map. Administrators can use this information to understand the trends in application usage and for capacity planning.

    Geo maps provide information that answers questions such as the following:

    - Which region has the highest number of clients accessing an application?

    - Which region has the highest response time?

    - Which region is consuming the most bandwidth?

    For more information, see http://support.citrix.com/proddocs/topic/ni-10-5-map/ni-usecase-geo-maps.html

    [From Build 50.10] [#322120]

  • The top-right corner of the page now displays a percentile icon, which you can click to display percentile values and the highest and lowest values for a selected metric.

    [From Build 50.10] [#418196]

  • In the dashboard, you can now select and rearrange the columns displayed in the tables. These changes persist across user sessions.

    [From Build 50.10] [#423451]

  • NetScaler Insight Center now saves the following data for a specific time period before it is purged:

    * 30 second data - Saves for 6 minutes

    * 5 minute data - Saves for 65 minutes

    * Hourly data - Saves for 25 hours

    * Daily data - Saves for 31 days

    [From Build 50.10] [#404805]

  • Even if AppFlow is disabled for a virtual server, you can clear the configuration in the NetScaler Insight Center by selecting Clear AppFlow Configurations from the Action list.

    [From Build 50.10] [#399329]

  • HDX Insight Center reports now support the following metrics:

    - Client side zero window size event: This counter indicates how many times the client advertised a zero TCP window.

    - Server side zero window size event: This counter indicates how many times the server advertised a zero TCP window.

    - Client side fast RTO: This counter indicates how many times the retransmit timeout was invoked on the client-side connection.

    - Server side fast RTO: This counter indicates how many times the retransmit timeout was invoked on the server-side connection.

    [From Build 50.10] [#424355]

  • The active sessions data on the dashboard now include the following metrics:

    Client IP: IP address of the client

    Server IP: IP address of the server

    NetScaler IP: NetScaler IP address

    [From Build 50.10] [#427504]

  • Data Record Log Settings

    NetScaler Insight Center now supports data record logs, which provide detailed information about AppFlow records that NetScaler Insight Center collects from NetScaler ADCs.

    For more information, see http://support.citrix.com/proddocs/topic/ni-10-5-map/ni-change-data-record-log-settings.html

    [From Build 50.10] [#421777]

  • You can now configure the ICA session timeout value for inactive sessions on the NetScaler Insight Center configuration tab.

    For details, see http://support.citrix.com/proddocs/topic/ni-10-5-map/ni-ica-session-timeout-tsk.html

    [From Build 50.10] [#431957]

  • Hop Diagram Support

    The HDX Insight reports now support hop diagrams, which provide complete details about the client, NetScaler ADC, and server in an active session.

    To display the hop diagram, on the dashboard tab, navigate to HDX Insight > Users, click a user name, and then, in the Current Application Sessions table, click the session diagram icon.

    [From Build 50.10] [#443824]

  • EUEM Session Data on HDX Insight Reports

    HDX Insight reports now display EUEM session data, which indicates the availability of EUEM data when an EUEM channel is established between the client and the server.

    [From Build 50.10] [#367114]

  • The database cache functionality of NetScaler Insight Center stores database content locally in the cache and serves the content to users without accessing the database server.

    For more information, see http://support.citrix.com/proddocs/topic/ni-10-5-map/ni-change-db-cache-settings.html.

    [From Build 50.10] [#456295]

  • Managing Session Timeout Period

    You can now configure the timeout period for how long a user or a group can remain in an idle state before being terminated.

    Enable this option while configuring user accounts or user groups.

    For more details on configuring a user account or a group account, see http://support.citrix.com/proddocs/topic/ni-10-5-map/ni-add-user.html or http://support.citrix.com/proddocs/topic/ni-10-5-map/ni-add-group.html.

    [From Build 50.10] [#452424]

  • On the dashboard, if you move the columns in a table and refresh the page, the column ordering is sometimes reset to default.

    [From Build 50.10] [#414155]

  • If the length of URLs displayed in the Web Insight reports is very long, you can enable the trim URL functionality to remove the query string from the URL.

    For details about configuring this functionality, see http://support.citrix.com/proddocs/topic/ni-10-5-map/ni-change-url-parameter-settings.html

    [From Build 50.10] [#463741]

  • Exporting Reports

    You can now save the Web Insight reports or HDX Insight reports in PDF, JPEG or PNG format on your local computer. You can also schedule the export of the reports to specified email addresses at various intervals.

    For more information, see http://support.citrix.com/proddocs/topic/ni-10-5-map/ni-export-report-con.html.

    [From Build 50.10] [#320860]

  • HDX Insight now provides a report about active sessions, grouped by server IP and gateway IP.

    [From Build 50.10] [#398322]

  • For debugging an issue, the technical support bundle that you generate to send to the technical support team now automatically includes NetScaler ADC data along with the NetScaler Insight Center data.

    You can also choose to include the debug logs and data distribution logs.

    [From Build 50.10] [#474070]

  • The GUI displays a real-time graphical representation of the CPU, memory, and disk resources used by the NetScaler Insight Center virtual appliance.

    To display additional details, on the Configuration tab, navigate to NetScaler Insight Center and click Statistics.

    [From Build 50.10] [#474067]

  • Data record logs provide detailed information about AppFlow records that NetScaler Insight Center collects from NetScaler ADCs.

    For more information, see http://support.citrix.com/proddocs/topic/ni-10-5-map/ni-change-data-record-log-settings.html.

    [From Build 50.10] [#471025]

  • NetScaler Insight Center can now dynamically set the threshold value for the maximum number of hits on each URL. For details, see http://support.citrix.com/proddocs/topic/ni-10-5-map/ni-manage-threshold-tsk.html

    NetScaler Insight Center now facilitates efficient querying of its database.

    For details on enabling this functionality, see http://support.citrix.com/proddocs/topic/ni-10-5-map/ni-change-db-index-settings.html

    You can now enable NetScaler Insight Center to periodically remove the out-of-date content from its database. For details, see http://support.citrix.com/proddocs/topic/ni-10-5-map/ni-change-db-cleanup-settings.html

    [From Build 50.10] [#479004]

  • Authentication and Authorization Support.

    Authentication with the NetScaler Insight Center virtual appliance can be local or external. With external authentication, NetScaler Insight Center grants user access on the basis of the response from an external server. It supports the following external authentication protocols:

    - Remote Authentication Dial In User Service (RADIUS)

    - Terminal Access Controller Access-Control System (TACACS)

    - Lightweight Directory Access Protocol (LDAP)

    Authorization through the NetScaler Insight Center virtual appliance is local. The virtual appliance supports two levels of authorization. Users with superuser privileges are allowed to perform any action. Users with readonly privileges are allowed to perform only read operations. The authorization of SSH users requires superuser privileges. Users with readonly privileges cannot log on through SSH.

    For more information, see http://support.citrix.com/proddocs/topic/ni-10-5-map/ni-configuring-authentication-authorization-settings.html

    [From Build 50.10] [#412466]

  • NetScaler Insight Center adaptive threshold functionality dynamically sets the threshold value for the maximum number of hits on each URL.

    For more information, see http://support.citrix.com/proddocs/topic/ni-10-5-map/ni-manage-threshold-tsk.html

    [From Build 50.10] [#378995]

  • NetScaler Insight Center now supports monitoring of CloudBridge 2000, 3000, 4000, and 5000 appliances. It analyzes the ICA traffic flowing through the CloudBridge appliances and generates HDX Insight performance reports. With this feature, datacenter administrators can gather information about traffic flowing between XenApp/XenDesktop clients and XenApp/XenDesktop servers.

    [From Build 51.10] [#430880]

  • NetScaler Insight Center now displays reports for multi-stream ICA connections. All statistics that are maintained and reported for single-stream ICA connections are also displayed for multi-stream ICA connections.

    [From Build 52.11] [#478744]

  • You can now install NetScaler Insight Center on Microsoft Hyper-V version 6.2.

    [From Build 52.11] [#463402]

  • NetScaler Insight Center now displays the session reconnect count and the Automatic Client Reconnection (ACR) count for ICA traffic flowing through NetScaler ADCs.

    These values are displayed only if the session reliability feature is enabled on XenApp or XenDesktop.

    [From Build 54.9] [#504955]

  • If you do not want the URL reports to be displayed on the Web Insight node of the dashboard, you can now disable the URL data collection settings.

    To modify the setting, on the Configuration tab, navigate to System, and in the right-pane, from the System Settings group, click Change URL Data Collection Settings.

    [From Build 54.9] [#522345]

  • NetScaler Insight Center now displays reports for NetScaler Gateway appliances deployed in a double-hop mode.

    [From Build 54.9] [#481300, 482071, 487985]

  • You can now limit the number of days for which the generated reports can persist in the database, after which the reports are permanently deleted.

    To change the value, on the Configuration tab, click System and in the right-pane from the System Settings group, click Limit Data Duration Persistency.

    [From Build 54.9] [#521503]

  • NetScaler Insight Center now supports monitoring NetScaler appliances deployed in LAN user mode. The dashboard now displays the following user access types, depending on the NetScaler deployment:

    - Remote user: User connected to XenApp or XenDesktop server through a NetScaler Gateway.

    - Transparent mode user: User connected to XenApp or XenDesktop server directly, with no intervening virtual server.

    - LAN user: Internal user connected to XenApp or XenDesktop server directly, without configuring the routing rules on a NetScaler ADC.

    [From Build 56.22] [#490147, 482900]

NetScaler SDX Appliance

  • Console Access for NetScaler SDX Appliance

    You can access the console of NetScaler instances, the Management Service, XenServer, and third party VMs from the Management Service interface. This is particularly helpful in debugging and troubleshooting the instances hosted on the NetScaler SDX appliance when the instance is not reachable over the network.

    For more information, see http://support.citrix.com/proddocs/topic/sdx-administration-10-5-map/sdx-console-access-con.html

    [From Build 50.10] [#246263]

  • Provisioning support even when none of the data ports are connected

    When deployments are being set up, usually the interfaces are not connected. Management Service now allows provisioning of NetScaler instances on SDX with data ports as management interface even if they are down.

    [From Build 50.10] [#437980]

  • SSL certificates and keys for NetScaler instances

    Usability has been enhanced by providing a separate view for SSL certificates and keys for NetScaler instances. A new node, SSL Certificate Files, on the Management Service interface allows you to upload and manage the SSL certificates and corresponding public and private key pairs that can be installed on NetScaler instances.

    Management Service certificates can be managed from Configuration > Management Service > SSL Certificates Files and NetScaler certificates can be managed from Configuration > NetScaler > SSL Certificate Files.

    [From Build 50.10] [#437973]

  • The Call Home feature monitors your NetScaler instances for common error conditions.

    You can now configure, enable, or disable the Call Home feature on NetScaler instances from the Management Service user interface.

    For more information, see http://support.citrix.com/proddocs/topic/sdx-administration-10-5-map/sdx-call-home-support-con.html

    [From Build 50.10] [#430105]

  • Monitoring and Managing Real-Time Status of Entities Configured on NetScaler Devices

    You can use NetScaler SDX to monitor and manage the states of virtual servers, services, service groups, and servers across the NetScaler virtual appliances hosted on SDX. You can monitor values, such as the health of a virtual server and the time elapsed since the last state change of a service or service group. This gives you visibility into the real-time status of the entities and makes management of these entities easy when you have a large number of entities configured on your NetScaler devices.

    [From Build 50.10] [#247823, 291022]

  • Improved Dashboard

    NetScaler SDX provides an improved Dashboard. The new Dashboard provides a compact and a better view of key parameters. The fields that are displayed in the Dashboard are not user configurable.

    [From Build 50.10] [#437995]

  • No change in state of shut down NetScaler instance through appliance reboot

    If any NetScaler VPX instances are in the shut down state when the appliance is rebooted, those instances remain in the shut down state through the reboot process.

    [From Build 50.10] [#437979, 412103]

  • Monitoring and Managing Events Generated on NetScaler Instances

    Use the Events feature to monitor and manage the events generated on the NetScaler instances. The Management Service identifies events in real time, thereby helping you address issues immediately and keep the NetScaler instances running effectively. You can also configure event rules to filter the generated events and be notified so that you can act on the filtered list of events.

    [From Build 50.10] [#247820]

  • Authentication and Authorization Enhancements

    With this release, the following authentication and authorization capabilities are supported for the Management Service on NetScaler SDX appliance:

    - External authentication support for the Management Service using RADIUS, TACACS, or LDAP servers.

    - Group extraction capability for LDAP and RADIUS authentication types.

    - Authentication and authorization for requests through SSH. However, the authorization of SSH users is limited to super-user privileges only.

    - Audit logs for RADIUS and TACACS servers. You can enable audit logs by checking the Accounting option while adding the RADIUS or TACACS server to the Management Service.

    [From Build 50.10] [#399086]

  • CLI Support for NetScaler SDX Appliance

    You can now use the command line interface to perform operations on the Management Service. Add, Set, Delete, Do and Save commands are supported through command-line interface.

    For more information, see http://support.citrix.com/proddocs/topic/sdx-administration-10-5-map/sdx-cli-support-svm-con.html

    [From Build 50.10] [#257899]

  • LACP Statistics

    You can now view the real time status and stats for the LACP channels configured on the SDX appliance from the Management Service. If you have added an LACP channel, you can view the LACP details by clicking on Configuration > System > Channels > LACP Details.

    [From Build 50.10] [#394210]

  • Management Service Statistics

    A new gadget, Management Service Statistics, has been introduced on the Dashboard to help you monitor statistics, such as memory, CPU, and disk usage, of the Management Service on the NetScaler SDX appliance.

    [From Build 50.10] [#400698]

  • Provisioning Palo Alto VM-Series Instances on a NetScaler SDX Appliance

    Palo Alto Networks VM-Series on Citrix NetScaler SDX enables consolidation of best-in-class security and ADC capabilities on a single platform, for secure, reliable access to applications by businesses, business units, and service-provider customers. The combination of VM-Series on Citrix NetScaler SDX also provides a complete, validated, security and ADC solution for Citrix XenApp and XenDesktop deployments.

    You can provision, monitor, manage, and troubleshoot an instance from the Management Service.

    Note: The total number of instances that you can provision on an SDX appliance depends on the license installed on the appliance.

    For more information, see http://support.citrix.com/proddocs/topic/sdx-administration-10-5-map/sdx-ag-third-party-paloalto-con.html

    [From Build 50.10] [#357214]

  • Security Enhancements on NetScaler SDX Appliance

    The NetScaler SDX appliance now supports configuring a password policy and a user-lockout policy to provide security against hackers and password-cracking software.

    The password policy enforces a user-specified minimum length and a minimum level of complexity. The password must have at least one uppercase, one lowercase, one numeric, and one special character. The user-lockout policy disables a user account if an incorrect password is entered a specified number of times.

    You can specify the time period (user lockout interval) for how long the user account remains disabled, after which the user account is enabled automatically.

    Note: User lockout is disabled by default.

    [From Build 50.10] [#353854]

  • Change Management

    You can now schedule the Management Service to run a NetScaler configuration difference against a template and show appropriate reporting. Further, you can use the report on the Change Management page of the Management Service to view whether there is any difference between the saved configuration and the running configuration of any instance. You can click the chart to drill down and view the list of instances, their running configuration, saved configuration, history of configuration changes, any difference between the configurations before and after an upgrade, and any difference between the running configurations and the configuration of the associated audit templates.

    [From Build 50.10] [#418165]

  • Wizard for Initial Configuration Setting in Management Service

    You can use the Setup Wizard to complete all the first-time configurations in a single flow. The wizard helps you configure network details and system settings, change the default administrative password, and manage and update licenses.

    For more information, see http://support.citrix.com/proddocs/topic/sdx-administration-10-5-map/sdx-initial-setup-wizard-con.html

    [From Build 50.10] [#384569]

  • New inline wizard for provisioning NetScaler instances with simplified networking configuration steps

    You can now use the new inline wizard to provision NetScaler instances from the Management Service. The networking configuration portion of the provisioning workflow has been simplified and streamlined for ease of use. To use the inline wizard, click Configuration > NetScaler > Instances and click Add to add a new instance or Edit to modify a highlighted instance.

    [From Build 50.10] [#391749]

  • XenServer IP Address Support in Network Configuration Utility

    Now you can use the network configuration utility to assign both the Management Service IP address as well as the XenServer IP address on a new appliance.

    [From Build 50.10] [#437974]

  • When the system sends an e-mail notification, the sender now contains the host name along with the IP address.

    [From Build 51.10] [#464856]

  • You do not require a separate license file to set up a cluster on an SDX appliance. Clustering support will be provided with a valid SDX Platform License.

    [From Build 52.11] [#492668]

  • Jumbo frames are supported on all data interfaces and channels on NetScaler SDX. Management interfaces are not included. To configure jumbo frames, change the MTU of the channel or interface from the Management Service. All the NetScaler virtual machines sharing this port get the effective MTU. For third-party virtual machines, you must change the MTU explicitly from the virtual machine to make it effective.

    [From Build 53.9] [#482191, 434401, 460917]

  • NetScaler SDX supports provisioning and managing a new guest VM CA Access Gateway. For more information, see http://support.citrix.com/proddocs/topic/sdx-administration-10-5-map/sdx-ag-third-party-ca-siteminder-con.html

    [From Build 53.9] [#462651]

  • Management Service now supports Trend Micro InterScan Web Security Virtual Appliance guest VM. Navigate to TrendMicro IWSVA under the Configuration tab.

    [From Build 55.8] [#498282]

  • New kernel packages have been added to support software RAID on the following new platforms:

    - 14000 10G series models

    - 14000 40G series models

    - 25000 40G series models

    Note: These packages are not supported on older platforms.

    [From Build 62.9] [#552047]

  • The 10.5 62.x SDX platform release now supports the following SDX appliances: SDX 14000, SDX 14000-40G, and SDX 25000-40G.

    The SDX platform release consists of two separate images, one for SVM and one for the SDX platform. When upgrading to this platform release from an earlier release, upgrade the two images in the order suggested above.

    Also, NetScaler VPX instances based on release 10.5 62.9 can be used on SDX 14xxx/25000 series appliances running either 10.5 62.x or an earlier version of the platform software.

    Note: NetScaler VPX is not part of SDX platform release, and it can be based on any NetScaler release version / build that supports SDX 14xxx/25xxx series.

    [From Build 62.9] [#616616, 626463]

  • Previously, SDX platform components were distributed separately: 1) XenServer image with kernel packages, 2) hotfixes, and 3) supplemental pack.

    To simplify installation, facilitate meeting all the platform requirements, and streamline the order in which the components are installed, all the components are now in one image, called the SDX Platform image.

    Note: The XenServer component is based on XenServer-6.1, so devices using XenServer-6.0 are upgraded to XenServer-6.1 when you upgrade to this build.

    [From Build 62.9] [#630447]
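The password policy and user-lockout policy described under "Security Enhancements on NetScaler SDX Appliance" can be modeled as follows. This is an added Python example, not code from Citrix or the Management Service; the class and function names, the ASCII character classes used for each category, the sample account name, and all numeric values are assumptions.

```python
"""Illustrative model of a password-complexity and user-lockout policy."""
import string
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int  # user-specified on the appliance; values used here are assumed

    def violations(self, password: str) -> List[str]:
        """Return the rules a candidate password breaks (empty list = accepted)."""
        checks = [
            (len(password) >= self.min_length, "too short"),
            (any(c in string.ascii_uppercase for c in password), "no uppercase"),
            (any(c in string.ascii_lowercase for c in password), "no lowercase"),
            (any(c in string.digits for c in password), "no numeric"),
            (any(c in string.punctuation for c in password), "no special"),
        ]
        return [reason for ok, reason in checks if not ok]


@dataclass(frozen=True)
class LockoutPolicy:
    max_failures: int        # incorrect passwords allowed before the account is disabled
    lockout_interval: float  # seconds the account stays disabled


@dataclass
class LoginGuard:
    # None models the stated default: user lockout is disabled.
    lockout: Optional[LockoutPolicy] = None
    failures: Dict[str, int] = field(default_factory=dict)
    locked_until: Dict[str, float] = field(default_factory=dict)

    def is_locked(self, user: str, now: float) -> bool:
        until = self.locked_until.get(user)
        if until is None:
            return False
        if now >= until:
            # Interval elapsed: the account is enabled automatically
            # and the failure counter starts over.
            del self.locked_until[user]
            self.failures.pop(user, None)
            return False
        return True

    def attempt(self, user: str, password_ok: bool, now: float) -> str:
        """Return 'ok', 'failed' or 'locked' for one logon attempt at time `now`."""
        if self.lockout is None:
            return "ok" if password_ok else "failed"
        # A disabled account is refused even when the password is correct.
        if self.is_locked(user, now):
            return "locked"
        if password_ok:
            self.failures.pop(user, None)
            return "ok"
        count = self.failures.get(user, 0) + 1
        self.failures[user] = count
        if count >= self.lockout.max_failures:
            self.locked_until[user] = now + self.lockout.lockout_interval
            return "locked"
        return "failed"


def replay(guard: LoginGuard, events: List[Tuple[float, str, bool]]) -> List[str]:
    """Feed (time, user, password_ok) events through the guard in order."""
    return [guard.attempt(user, ok, now) for now, user, ok in events]


# Constructed sample timeline (seconds, account, whether the password was correct).
SAMPLE_EVENTS = [
    (0, "admin1", False),
    (5, "admin1", False),
    (9, "admin1", False),    # third failure: disabled until t=309
    (20, "admin1", True),    # correct password during lockout is still refused
    (308, "admin1", True),   # one second before the interval ends
    (309, "admin1", True),   # interval elapsed, account enabled again
    (310, "admin1", False),  # counter restarted after automatic re-enable
]

if __name__ == "__main__":
    print(PasswordPolicy(min_length=10).violations("password"))
    print(replay(LoginGuard(LockoutPolicy(3, 300)), SAMPLE_EVENTS))
```

Replaying the same timeline through `LoginGuard()` with no lockout policy shows what the default leaves open: every guess is evaluated and failures never accumulate.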

NetScaler VPX Appliance

  • The NetScaler VPX appliance is now supported on VMware ESX server version 6.0.

    [From Build 59.13] [#592395]

Networking

  • Increased Number of Interfaces for Link Aggregation Channels

    You can now bind up to 16 interfaces to a link aggregation channel. The channel can be either static or LACP.

    [From Build 50.10] [#437366, 389319]

  • IPv6 Forwarding Session Rules

    You can now create forwarding session rules for IPv6 traffic. By default, the NetScaler appliance does not create session entries for traffic that it only forwards (L3 mode). For a case in which a client request that the appliance forwards to a server results in a response that has to return by the same path, you can create a forwarding-session rule. A forwarding-session rule creates forwarding-session entries for traffic that originates from or is destined for a particular network and is forwarded by the NetScaler appliance.

    When configuring an IPv6 forwarding-session rule, you can specify either an IPv6 prefix or an ACL6 as the condition for identifying the IPv6 traffic for which the forwarding-session entry is to be created:

    - Using an IPv6 prefix. When you specify an IPv6 prefix, the appliance creates forwarding sessions for IPv6 traffic that is sourced from networks that match the IPv6 prefix.

    - Using an ACL6 rule. When you use an ACL6 rule, the appliance creates forwarding sessions for IPv6 traffic that matches the conditions specified in the ACL6 rule.

    Note: When the appliance is configured as a high availability node, Connection Failover for synchronizing IPv6 forwarding session entries with the secondary node is not supported.

    For more information, see http://support.citrix.com/proddocs/topic/ns-system-10-5-map/ns-nw-interfaces-confrng-fwd-sessions-tsk.html.

    [From Build 50.10] [#251234]

  • VMAC Based Traffic Domains

    You can now associate a traffic domain with a VMAC address instead of with VLANs. The NetScaler ADC then sends the traffic domain's VMAC address in all responses to ARP queries for network entities in that domain. As a result, the ADC can segregate subsequent incoming traffic for different traffic domains on the basis of the destination MAC address. The NetScaler ADC identifies traffic for a traffic domain if it is destined to the same VMAC address that is associated with the traffic domain.

    For more information, see http://support.citrix.com/proddocs/topic/ns-system-10-5-map/nw-td-vmac-traffic-domain-intro-tsk.html.

    [From Build 50.10] [#425108]

  • Support for VXLANs

    The NetScaler ADC now supports Virtual eXtensible Local Area Networks (VXLANs). A VXLAN is an overlay solution that creates layer 2 overlay networks over layer 3 infrastructure by encapsulating layer 2 frames in UDP packets. Each VXLAN is identified by a unique 24-bit identifier called the VXLAN Network Identifier (VNI). Only network devices within the same VXLAN can communicate with each other.

    [From Build 50.10] [#366992]

  • The ZebOS dynamic routing software package has been upgraded to version 7.10.2.

    [From Build 50.10] [#435000]

  • ZebOS API Access

    With a new configuration object, router DynamicRouting, you can use NITRO APIs to configure dynamic routing protocols on a NetScaler appliance.

    [From Build 50.10] [#229714, 222015, 406589]

  • Netprofile Support for Link Load Balancing Configurations

    You can now associate a netprofile with a link load balancing configuration. The NetScaler ADC then uses one of the IP addresses in the netprofile as the source address for outbound traffic related to the link load balancing configuration.

    A netprofile can include a NetScaler owned IP address or an IP set, which is a set of NetScaler owned IP addresses. You can associate a netprofile with link load balancing virtual servers as well as with the bound services. A netprofile associated with a link load balancing virtual server always takes precedence over netprofiles associated with the bound services.

    For more information on netprofiles, see http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-5-map/ns-lb-clienttraffic-usespecifiedsrcip-tsk.html.

    [From Build 50.10] [#356081]

  • Support for Inter Traffic Domain Entity Bindings

    You can now bind services in one traffic domain to a virtual server in another traffic domain. All the services to be bound to a virtual server in a different traffic domain must reside in the same traffic domain.

    There is no command or parameter introduced for this support. You configure this support by using the existing bind lb vserver command or the related configuration utility procedure. This capability can facilitate interaction between different traffic domains. In an enterprise, servers can be grouped in different traffic domains. Virtual servers are created in a traffic domain that faces the internet. A virtual server from this traffic domain can be configured to load balance servers in another traffic domain. This virtual server receives connection requests from the Internet to be forwarded to the bound servers.

    For more information, see http://support.citrix.com/proddocs/topic/ns-system-10-5-map/ns-nw-supp-traff-enty-tsk.html.

    [From Build 50.10] [#405295]

  • NetScaler MPX appliances support receiving and transmitting jumbo frames containing up to 9216 bytes of IP data. Jumbo frames can transfer large files more efficiently than is possible with the standard IP MTU size of 1500 bytes.

    A NetScaler MPX appliance can use jumbo frames in the following deployment scenarios:

    - Jumbo to Jumbo. The appliance receives data as jumbo frames and sends it as jumbo frames.

    - Non-Jumbo to Jumbo. The appliance receives data as regular frames and sends it as jumbo frames.

    - Jumbo to Non-Jumbo. The appliance receives data as jumbo frames and sends it as regular frames.

    The NetScaler appliance supports jumbo frames in a load balancing configuration for the following protocols:

    - TCP

    - Any protocol over TCP (for example, HTTP)

    - SIP

    - RADIUS

    - TFTP

    For more information, see http://support.citrix.com/proddocs/topic/ns-system-10-5-map/ns-nw-jf-overview-con.html.

    [From Build 50.10] [#407504, 244274, 336389, 407861]

  • Configuring Link Redundancy by using LACP channels

    Link redundancy by using LACP channels enables the NetScaler appliance to logically create sub channels from an LACP channel, where one of the sub channels is active and the remaining sub channels stay in standby mode. If the active sub channel fails or does not meet a minimum throughput threshold, one of the standby sub channels takes over and becomes active.

    The NetScaler appliance forms a sub channel from the links that are part of the LACP channel and are connected to a particular device. For example, for an LACP channel with four interfaces on a NetScaler appliance, where two of the interfaces are connected to device A and the other two interfaces are connected to device B, the NetScaler appliance logically creates two sub channels: one sub channel with two links to device A, and the other sub channel with the remaining two links to device B.

    The lrMinThroughput parameter is introduced for configuring link redundancy for an LACP channel. This parameter specifies the minimum throughput threshold to be met by the active sub channel of an LACP channel. When the throughput of the active sub channel falls below the lrMinThroughput value, link failover occurs and one of the standby sub channels becomes active.

    For example, set channel la/1 -lrMinThroughput 2000

    Link redundancy for a LACP channel is disabled, which is also the default setting, when you set the lrMinThroughput parameter of the LACP channel to zero or when you unset this parameter.

    Note: In an HA configuration, if you want to configure both throughput-based HA failover (throughput parameter) and link redundancy (lrMinThroughput parameter) on an LACP channel, you must set the throughput parameter to a value that is less than or equal to the value of the lrMinThroughput parameter.

    For example, set channel la/1 -throughput 2000 -lrMinThroughput 2000

    HA failover does not occur if any of the sub channels meets the lrMinThroughput parameter value, even when the total throughput of the LACP channel does not meet the throughput parameter value.

    HA failover occurs only when none of the sub channels of the LACP channel meets the lrMinThroughput parameter value and the total throughput of the LACP channel does not meet the throughput parameter value.

    For more information, see http://support.citrix.com/proddocs/topic/ns-system-10-5-map/ns-nw-config-lr-lacp-tsk.html.

    [From Build 50.10] [#346763]

  • A parameter Source IP Persistency has been introduced in RNAT rules and Netprofiles:

    Source IP Persistency for RNAT Sessions

    The source IP persistency of a RNAT rule enables the NetScaler ADC to use the same NAT IP address for all RNAT sessions initiated from a particular server.

    Source IP Persistency for NetProfiles

    The source IP persistency of a netprofile associated with a virtual server or service enables the NetScaler ADC to use the same address, specified in the net profile, for all sessions initiated from a particular client.

    [From Build 50.10] [#437359]

  • The NetScaler ADC now supports the industry standard (IEEE 802.1AB) Link Layer Discovery Protocol (LLDP). LLDP is a layer 2 protocol that enables the NetScaler ADC to advertise its identity and capabilities to directly connected devices, and also to learn the identity and capabilities of these neighbour devices.

    Using LLDP, the NetScaler ADC transmits and receives information in the form of LLDP messages known as LLDP packet data units (LLDPDUs). An LLDPDU is a sequence of type, length, value (TLV) information elements. Each TLV holds a specific type of information about the device that transmits the LLDPDU. The NetScaler ADC sends the following TLVs in each LLDPDU:

    * Chassis ID

    * Port ID

    * Time-to-live value

    * System name

    * System description

    * Port description

    * System capabilities

    * Management address

    * Port VLAN ID

    * Link aggregation

    Note: You cannot specify the TLVs to be sent in LLDP messages.

    For more information, see http://support.citrix.com/proddocs/topic/ns-system-10-5-map/ns-nw-config-llayer-dics-protocol-tsk.html.

    [From Build 50.10] [#235640]
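    The TLV layout described above can be audited with a small parser that lists what a directly connected neighbour learns from one LLDPDU. This is an added example, not Citrix code; the function names and the sample LLDPDU (host name, addresses, VLAN) are constructed for illustration, and the TLV type numbers and OUI/subtype pairs come from IEEE 802.1AB rather than from this page.

```python
import ipaddress
import struct

# Standard TLV types defined by IEEE 802.1AB (names follow the list above).
TLV_NAMES = {
    1: "Chassis ID", 2: "Port ID", 3: "Time-to-live value",
    4: "Port description", 5: "System name", 6: "System description",
    7: "System capabilities", 8: "Management address",
}
# Organizationally specific TLVs (type 127) are identified by (OUI, subtype).
ORG_TLV_NAMES = {
    (b"\x00\x80\xc2", 1): "Port VLAN ID",       # IEEE 802.1
    (b"\x00\x80\xc2", 7): "Link aggregation",   # IEEE 802.1 (802.1AB-2009)
    (b"\x00\x12\x0f", 3): "Link aggregation",   # IEEE 802.3 (802.1AB-2005)
}


def make_tlv(tlv_type, value):
    """Encode one TLV: 7-bit type, 9-bit length, then the value."""
    if tlv_type > 0x7F or len(value) > 0x1FF:
        raise ValueError("type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def parse_lldpdu(pdu):
    """Return [(name, value_bytes)] for every TLV up to End of LLDPDU."""
    tlvs, pos = [], 0
    while pos < len(pdu):
        if pos + 2 > len(pdu):
            raise ValueError("truncated TLV header")
        (header,) = struct.unpack_from("!H", pdu, pos)
        tlv_type, length = header >> 9, header & 0x1FF
        pos += 2
        if tlv_type == 0:                       # End of LLDPDU
            return tlvs
        value = pdu[pos:pos + length]
        if len(value) != length:
            raise ValueError("TLV value runs past end of LLDPDU")
        pos += length
        if tlv_type == 127 and length >= 4:
            name = ORG_TLV_NAMES.get((value[:3], value[3]),
                                     "Organizationally specific")
        else:
            name = TLV_NAMES.get(tlv_type, "Unknown type %d" % tlv_type)
        tlvs.append((name, value))
    raise ValueError("missing End of LLDPDU TLV")


def disclosed_summary(pdu):
    """Decode the fields a neighbour can read directly from the LLDPDU."""
    summary = {}
    for name, value in parse_lldpdu(pdu):
        if name in ("System name", "System description", "Port description"):
            summary[name] = value.decode("utf-8", "replace")
        elif name == "Time-to-live value" and len(value) == 2:
            summary[name] = struct.unpack("!H", value)[0]
        elif name == "Management address" and len(value) >= 2:
            addr_len, subtype = value[0], value[1]
            addr = value[2:1 + addr_len]        # addr_len counts the subtype byte
            if subtype == 1 and len(addr) == 4:  # address family 1 = IPv4
                summary[name] = str(ipaddress.IPv4Address(addr))
        elif name == "Port VLAN ID" and len(value) >= 6:
            summary[name] = struct.unpack("!H", value[4:6])[0]
    return summary


# Constructed sample LLDPDU (not captured from a real appliance).
SAMPLE_LLDPDU = b"".join([
    make_tlv(1, b"\x04" + bytes.fromhex("020000000001")),  # subtype 4 = MAC
    make_tlv(2, b"\x05" + b"0/1"),                         # subtype 5 = ifName
    make_tlv(3, struct.pack("!H", 120)),
    make_tlv(5, b"ns-example"),
    make_tlv(8, b"\x05\x01" + bytes([192, 0, 2, 10])       # IPv4 192.0.2.10
             + b"\x02" + struct.pack("!I", 1) + b"\x00"),  # ifIndex 1, no OID
    make_tlv(127, b"\x00\x80\xc2\x01" + struct.pack("!H", 10)),
    make_tlv(0, b""),
])

if __name__ == "__main__":
    for field, value in disclosed_summary(SAMPLE_LLDPDU).items():
        print("%-20s %s" % (field, value))
```

    Because the TLVs that are sent cannot be selected, a review of this kind shows what every LLDP-enabled port exposes to whatever is plugged into it.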

  • The vPath feature is available for all the NetScaler platforms from version 10.5 Build 52.11 onwards. No special license file is required to use this feature. For more information on vPath, see http://support.citrix.com/proddocs/topic/netscaler-vpx-10-5/ns-vpath-con.html

    [From Build 52.11] [#416393]

  • The CloudBridge connector feature now supports establishment of Phase-2/IPsec SA (Security Association) between a NetScaler ADC and AWS gateway when AWS sends traffic selectors with IP address 0.0.0.0.

    [From Build 53.9] [#482697]

Optimization

  • Front End Optimization Support

    The NetScaler ADC now supports the front end optimization feature, which reduces the load time and render time of web pages by simplifying and optimizing the content to be served to the client browser.

    This feature optimizes HTML content, and the cascading style sheets (CSS), JavaScript, and images that are embedded in the HTML content.

    For details, see http://support.citrix.com/proddocs/topic/ns-optimization-10-5-map/ns-feo-con.html.

    [From Build 50.10] [#292039, 392818, 449669, 450295]

Platform

  • Release 10.5 51.x is now supported on the MPX 22040/22060/22080/22100/22120 platform, but a LOM firmware upgrade is required.

    [From Build 51.10] [#471641, 471642, 472044]

  • The MPX 25100T and MPX 25160T platforms are now supported in this release.

    [From Build 57.7] [#486703, 495591, 552218]

  • Support for New Hardware Platforms

    The T1120 and T1300-40G platforms with NIC firmware 4.53 are now supported in this release.

    Note: T1300-40G platform with NIC firmware 4.26 has backward compatibility.

    [From Build 63.8] [#593888]

  • New firmware version for SDX platforms

    NetScaler SDX provides the latest XL710 v5.04 firmware for the following platforms:

    * SDX Model: 14xxx 40G

    * SDX Model: 25xxx 40G

    The XL710 v5.04 firmware includes a tool to automatically upgrade the XL710 firmware from the previous version to v5.04.

    [From Build 64.9] [#620786]

Policies

  • Variable Support for Policies

    Policy variables are named objects that can hold one or more values that can be set and modified at runtime. The concept of variables is essentially the same as in programming languages. Variable values can be of two types:

    - ulong (a 64-bit unsigned integer, with values from 0 to 2^64-1)

    - text (a sequence of bytes with a configured maximum length).

    Additionally, there are two variable types:

    - Singleton variables hold one ulong or text value.

    - Maps hold one or more entries, each entry having a text key and a ulong or text value. The key can be used to find the value. In a map, more than one map entry may have the same value, but each map entry must have a different key.

    For more information, see http://support.citrix.com/proddocs/topic/ns-main-appexpert-10-5-map/ns-pol-variable-con.html.

    [From Build 50.10] [#368447]

Responder

  • The Responder feature now supports the Diameter protocol.

    A number of NetScaler expressions have been added that enable the user to examine the header and the attribute-value pairs (AVPs) in a Diameter packet. These expressions enable the user to look up AVPs by index, ID, or name, examine the information in the AVP, and send a response based on that information.

    [From Build 50.10] [#318387]

  • Embedded Expressions in Responder Responses

    You can now add NetScaler expressions with default syntax to HTML pages that are used with responder actions of the respondWithHtmlpage type. Any expression that is supported for use in a respondWith response can be used in a respondWithHtmlpage response. To embed expressions in HTML pages, simply surround the expressions with "${" and "}". This functionality enables you to include information about the request that generated the Responder action in the response.

    [From Build 50.10] [#423928]

Rewrite

  • The Rewrite feature now supports the Diameter protocol.

    A number of NetScaler expressions have been added that enable the user to examine the header and the attribute-value pairs (AVPs) in a Diameter packet. These expressions enable the user to look up AVPs by index, ID, or name, examine the information in the AVP, and replace, insert, or delete AVPs if necessary.

    [From Build 50.10] [#318382]

SSL

  • SSL Renegotiation

    SSL renegotiation is now blocked by default. In earlier releases, the default setting was to allow SSL renegotiation.

    [From Build 50.10] [#481577]

  • Importing SSL Resources from Remote Hosts

    The NetScaler appliance now supports importing SSL resources, such as certificates, private keys, CRLs, and DH keys, from remote hosts even if FTP access to these hosts is not available. This is especially helpful in environments where shell access to the remote host is restricted.

    For more information, see http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-5-map/ns-ssl-importing-ssl-files-from-remote-hosts-tsk.html

    [From Build 50.10] [#210405]

  • Creating an SSL Profile

    You can use an SSL profile to specify how a NetScaler appliance processes SSL traffic. The profile is a collection of SSL parameter settings for SSL entities, such as virtual servers, services, and service groups, and offers ease of configuration and flexibility. Previously, you could specify only one set of global parameters. Now, you can create multiple sets (profiles) of global parameters and assign different sets to different SSL entities. SSL profiles are classified into two categories:

    - Front-end profiles, containing parameters applicable to the front-end entity. That is, they apply to the entity that receives requests from a client. For example, an SSL virtual server.

    - Back-end profiles, containing parameters applicable to the back-end entity. That is, they apply to the entity that sends client requests to a server. For example, an SSL service.

    For more information, see http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-5-map/ns-ssl-profiles-tsk.html

    [From Build 50.10] [#401011, 321967]

  • SSL Certificate Chain

    As part of the SSL handshake, when a client requests a certificate, the NetScaler ADC presents a certificate and the chain of issuer certificates that are present on the ADC. An administrator can view the certificate chain for the certificates present on the ADC and install any missing certificates.

    For more information, see http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-5-map/ns-ssl-display-cert-chain-tsk.html

    [From Build 50.10] [#437610]

  • Support for Common Name Check during Server Authentication

    In end-to-end encryption with server authentication enabled, you can include a common name in the configuration of an SSL service or service group. The name that you specify is compared to the common name in the server certificate during an SSL handshake. If the two names match, the handshake is successful. This configuration is especially useful if there are, for example, two servers behind a firewall and one of the servers spoofs the identity of the other. If the common name is not checked, a certificate presented by either server is accepted if the IP address matches.

    For more information, see http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-5-map/ns-ssl-config-common-name-for-cert-tsk.html

    [From Build 50.10] [#381821, 332628]

  • Sending an SSLv2 Compliant Client Hello Message

    As part of the SSL handshake with the server, the NetScaler appliance now sends a Client Hello message based on the version (for example SSLv3 or TLS1.0) that is configured on the appliance. Earlier, it sent an SSLv2 compliant Client Hello message to the server.

    [From Build 50.10] [#378806, 204465, 406907]

  • Support for ECDHE Ciphers

    The Citrix NetScaler MPX 11515/11520/11530/11540/11542 appliances and the VPX virtual appliance now support the ECDHE cipher group. On the SDX 11515/11520/11530/11540/11542 appliances, the cipher group is supported only if an SSL chip is assigned to a VPX instance. This group contains the following ciphers:

    - TLS1-ECDHE-RSA-RC4-SHA

    - TLS1-ECDHE-RSA-DES-CBC3-SHA

    - TLS1-ECDHE-RSA-AES128-SHA

    - TLS1-ECDHE-RSA-AES256-SHA

    Because of its smaller key size, Elliptic Curve Cryptography (ECC) is especially useful in a mobile (wireless) environment and in an interactive voice response environment, where every millisecond is important. Smaller key sizes result in power, memory, bandwidth, and computational cost savings.

    The following ECC curves are supported:

    - P_256

    - P_384

    - P_224

    - P_521

    By default all four curves are bound to an SSL virtual server.

    For more information, see http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-5-map/ns-ssl-config-ecdhe-ciphers-tsk.html

    [From Build 50.10] [#329257, 198673, 401256]

  • Support for DTLS Protocol

    The NetScaler ADC now supports the DTLS protocol to secure UDP traffic. The DTLS protocol (RFC 4347) can be used to secure communication for UDP applications such as media streaming, VOIP, and online gaming.

    For more information, see http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-5-map/ns-ssl-config-dtls-server-tsk.html

    [From Build 50.10] [#400350]

  • Setting the Limit for Disabled SSL Chips

    You can now set a limit to the number of disabled SSL chips after which the appliance restarts.

    At the command prompt, type:

    > set ssl parameter -cryptodevDisableLimit <positive_integer>

    A chip is marked disabled after the third failed reinitialization attempt.

    [From Build 50.10] [#376153]

  • Display HSM Model Number

    The output of the "show fips" command now displays the HSM model number as shown below. This is especially helpful if you are conducting an audit of the FIPS card in a NetScaler appliance and cannot open the appliance without voiding the warranty.

    > sh fips

    FIPS HSM Info:

    HSM Label : NetScaler FIPS

    Initialization : FIPS-140-2 Level-2

    HSM Serial Number : 2.1G1037-IC000253

    HSM State : 2

    HSM Model : NITROX XL CN1620-NFBE

    Hardware Version : 2.0-G

    Firmware Version : 1.1

    Firmware Release Date : Jun04,2010

    Max FIPS Key Memory : 3996

    Free FIPS Key Memory : 3994

    Total SRAM Memory : 467348

    Free SRAM Memory : 62580

    Total Crypto Cores : 3

    Enabled Crypto Cores : 3

    Done

    [From Build 52.11] [#385499]

  • Support for additional ciphers with TLS protocol version 1.2

    Twelve new ciphers are supported with TLS protocol version 1.2 on all MPX platforms, and on SDX platforms if an SSL chip is assigned to the instance when you provision it.

    1) Cipher Name: TLS1.2-AES128-GCM-SHA256

    Description: TLSv1.2 Kx=RSA Au=RSA Enc=AES-GCM(128) Mac=SHA-256

    2) Cipher Name: TLS1.2-AES256-GCM-SHA384

    Description: TLSv1.2 Kx=RSA Au=RSA Enc=AES-GCM(256) Mac=SHA-384

    3) Cipher Name: TLS1.2-DHE-RSA-AES128-GCM-SHA256

    Description: TLSv1.2 Kx=DH Au=RSA Enc=AES-GCM(128) Mac=SHA-256

    4) Cipher Name: TLS1.2-DHE-RSA-AES256-GCM-SHA384

    Description: TLSv1.2 Kx=DH Au=RSA Enc=AES-GCM(256) Mac=SHA-384

    5) Cipher Name: TLS1.2-ECDHE-RSA-AES128-GCM-SHA256

    Description: TLSv1.2 Kx=ECC-DHE Au=RSA Enc=AES-GCM(128) Mac=SHA-256

    6) Cipher Name: TLS1.2-ECDHE-RSA-AES256-GCM-SHA384

    Description: TLSv1.2 Kx=ECC-DHE Au=RSA Enc=AES-GCM(256) Mac=SHA-384

    7) Cipher Name: TLS1.2-ECDHE-RSA-AES-128-SHA256

    Description: TLSv1.2 Kx=ECC-DHE Au=RSA Enc=AES(128) Mac=SHA-256

    8) Cipher Name: TLS1.2-ECDHE-RSA-AES-256-SHA384

    Description: TLSv1.2 Kx=ECC-DHE Au=RSA Enc=AES(256) Mac=SHA-384

    9) Cipher Name: TLS1.2-AES-256-SHA256

    Description: TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA-256

    10) Cipher Name: TLS1.2-AES-128-SHA256

    Description: TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA-256

    11) Cipher Name: TLS1.2-DHE-RSA-AES-128-SHA256

    Description: TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA-256

    12) Cipher Name: TLS1.2-DHE-RSA-AES-256-SHA256

    Description: TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA-256

    [From Build 53.9] [#460472]

  • Support for TLS Protocol Version 1.1 and 1.2 on the NetScaler VPX Appliance

    The NetScaler VPX appliance now supports TLS protocol versions 1.1 and 1.2.

    [From Build 57.7] [#424463, 481970]

  • Stricter Control on Client Certificate Validation

    You can configure the SSL virtual server to accept only client certificates that are signed by a CA certificate bound to the virtual server. To do so, enable the ClientAuthUseBoundCAChain setting in the SSL profile bound to the virtual server.

    [From Build 57.7] [#533241]

  • Support for TLS_FALLBACK_SCSV signaling cipher suite value

    The NetScaler appliance now supports the TLS_FALLBACK_SCSV signaling cipher suite value. The presence of this SCSV extension in the Client Hello indicates that the client is retrying to connect to the server by using a lower SSL version, after its previous attempt to communicate with a higher version failed. Therefore, if the server finds this extension in Client Hello and also finds that the client is proposing a version that is lower than the maximum version supported by the server, it is a likely indication of a "man in the middle attack." The server drops these handshakes.

    [From Build 57.7] [#509666]
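    The server-side check described above, as an added example that is not NetScaler code: it parses a ClientHello handshake message, looks for the TLS_FALLBACK_SCSV value, and compares the offered version with the server's maximum. The function names and the sample ClientHello messages are constructed for illustration; the value 0x5600 and the inappropriate_fallback alert (86) are taken from RFC 7507, not from this page.

```python
import struct

TLS_FALLBACK_SCSV = 0x5600             # signaling cipher suite value (RFC 7507)
ALERT_INAPPROPRIATE_FALLBACK = 86      # alert description (RFC 7507)
VERSIONS = {"SSLv3": 0x0300, "TLS1.0": 0x0301, "TLS1.1": 0x0302, "TLS1.2": 0x0303}


def build_client_hello(version, suites):
    """Build a minimal ClientHello handshake message (constructed sample input)."""
    body = struct.pack("!H", version)
    body += bytes(32)                              # random (all zero in this sample)
    body += b"\x00"                                # empty session_id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                            # one compression method: null
    return b"\x01" + len(body).to_bytes(3, "big") + body


def parse_client_hello(msg):
    """Return (client_version, [cipher suite values]) from a ClientHello."""
    if len(msg) < 4 or msg[0] != 0x01:
        raise ValueError("not a ClientHello handshake message")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated handshake message")
    pos = 0

    def take(n):
        # Consume n bytes of the body, refusing to read past its end.
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("truncated ClientHello field")
        chunk = body[pos:pos + n]
        pos += n
        return chunk

    (version,) = struct.unpack("!H", take(2))
    take(32)                                       # random
    take(take(1)[0])                               # session_id
    (suites_len,) = struct.unpack("!H", take(2))
    if suites_len % 2:
        raise ValueError("odd cipher_suites length")
    raw = take(suites_len)
    suites = [int.from_bytes(raw[i:i + 2], "big") for i in range(0, suites_len, 2)]
    return version, suites


def check_fallback(msg, server_max_version):
    """Decide whether the handshake continues or is dropped as a downgrade."""
    version, suites = parse_client_hello(msg)
    if TLS_FALLBACK_SCSV in suites and version < server_max_version:
        # The client says it is retrying at a lower version, yet the server
        # could have negotiated a higher one: something forced the downgrade.
        return ("drop", ALERT_INAPPROPRIATE_FALLBACK)
    return ("continue", None)


if __name__ == "__main__":
    # 0xC013 and 0x002F are ordinary cipher suites used to fill the sample list.
    retry = build_client_hello(VERSIONS["TLS1.0"], [0xC013, 0x002F, TLS_FALLBACK_SCSV])
    first = build_client_hello(VERSIONS["TLS1.2"], [0xC013, 0x002F])
    print("fallback retry:", check_fallback(retry, VERSIONS["TLS1.2"]))
    print("first attempt: ", check_fallback(first, VERSIONS["TLS1.2"]))
```

    A retry that carries the SCSV at the server's own maximum version is accepted, because in that case no higher version was available to be downgraded from.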

  • Support for ECDHE Ciphers at the Back End

    The NetScaler appliance now supports the following ECDHE ciphers at the backend:

    - TLS1-ECDHE-RSA-RC4-SHA

    - TLS1-ECDHE-RSA-DES-CBC3-SHA

    - TLS1-ECDHE-RSA-AES128-SHA

    - TLS1-ECDHE-RSA-AES256-SHA

    Note: This feature is available only for NetScaler MPX platforms.

    [From Build 58.11] [#523464]

  • Support for TLS Protocol Version 1.1 and 1.2 on the backend on the NetScaler MPX and SDX Appliances

    The NetScaler MPX appliance now supports TLS protocol versions 1.1 and 1.2 on the backend. On an SDX appliance, TLSv1.1/1.2 is supported on the backend only if an SSL chip is assigned to the VPX instance.

    [From Build 59.13] [#494082, 566364]

System

  • TCP Timestamp based on RFC 1323

    The NetScaler now provides the TCP timestamp as detailed in RFC 1323. Using this timestamp, the NetScaler can provide the Round Trip Time Measurement (RTTM). For this option to work, at least one side of the connection (client or server) must support it.

    [From Build 50.10] [#204374, 249144, 317249, 401162]

  • SNMP V3 Support for Traps

    The trap class and destination, along with the version, now act as the unique identifier for a trap destination. This allows the same destination to be configured with different versions. All commands take version V2 as the default value. The set and unset commands can no longer change the version.

    [From Build 50.10] [#416930]

  • From NetScaler 10.5 onwards, if the MSS value of the bound TCP profile is 0, the MSS value is derived from the interface (and if applicable, VLAN) MTUs.

    [From Build 50.10] [#422126, 425696]

  • NetScaler now supports BIC and CUBIC TCP congestion control algorithms.

    [From Build 50.10] [#406270]

  • SNMP Trap for Port Allocation Failures

    The NetScaler ADC sends an SNMP trap when port allocation fails on the NetScaler. The following SNMP OID is added: dstip (1.3.6.1.4.1.5951.1.1.0.143)

    [From Build 50.10] [#360334]

  • Differentiated services code point (DSCP) Support

    The NetScaler ADC can now retain and forward received DSCP code in end-point mode. This capability supports end-to-end quality of service (QOS) checks for load balanced traffic.

    [From Build 50.10] [#436946]

  • Explicit Congestion Notification (ECN)

    The NetScaler appliance now supports ECN, which sends notification of network congestion state to the sender and takes corrective measures for data congestion or data corruption. When ECN is enabled, the NetScaler automatically differentiates between corruption loss and congestion loss. The NetScaler implementation of ECN is RFC 3168 compliant.

    ECN must be enabled on the TCP profile to which you want it to apply.

    To enable ECN using the CLI:

    > add ns tcpProfile <name> -ecn ENABLED

    [From Build 50.10] [#249145]

  • Application Layer Protocol Negotiation (ALPN) Extension support

    The NetScaler now supports the ALPN extension for negotiating the SPDY protocol over SSL/TLS. The use of ALPN provides a higher rate of TPS performance on the NetScaler. ALPN replaces the previous method of NPN (Next Protocol Negotiation).

    [From Build 50.10] [#430862]

  • When the configured external authentication server is not available, the NetScaler can be configured to allow local user access to perform administrative tasks. To enable this function, enable the "localAuth" parameter of the "set system parameter" command.

    [From Build 50.10] [#315474]

  • MPTCP Enhancements

    The NetScaler now supports the following MPTCP enhancements:

    - One RTT subflow setup

    - Long-lived MPTCP sessions

    - MPTCP fast open

    [From Build 50.10] [#435632]

  • SPDY v3 Support

    The NetScaler appliance now supports SPDY v3 with Application Layer Protocol Negotiation (ALPN).

    [From Build 50.10] [#329669]

  • NetScaler support for D-SACK and F-RTO

    The NetScaler appliance can now detect spurious re-transmissions by using TCP duplicate selective acknowledgement (D-SACK) and Forward RTO-Recovery (F-RTO). In case of spurious re-transmissions, the congestion control configurations are reverted to their original state. The NetScaler implementation of D-SACK is RFC 2883 compliant and F-RTO is RFC 5682 compliant.

    D-SACK and F-RTO must be enabled on the TCP profile to which you want them to apply.

    To enable these settings by using the CLI:

    > add ns tcpProfile <name> -dsack ENABLED -frto ENABLED

    [From Build 50.10] [#439129]

  • Restrict Interface-level System Session Timeout

    The system session timeout for a specific NetScaler interface (GUI, CLI, API) is now restricted to the timeout value that the administrator has configured for the user that is accessing the interface. For example, consider a user "publicadmin" who has a timeout value of 20 minutes. When accessing an interface, the user must specify a timeout value that is within 20 minutes.

    For more information, see http://support.citrix.com/proddocs/topic/ns-system-10-5-map/ns-sys-session-timeout-tsk.html.

    [From Build 50.10] [#405501, 439031]

Traffic Domain

  • You can now configure rate limiting for traffic domains. The following expression has been added to the NetScaler expressions language for identifying traffic associated with traffic domains.

    client.traffic_domain.id

    You can configure rate limiting for traffic associated with a particular traffic domain, a set of traffic domains, or all traffic domains.

    For more information, see http://support.citrix.com/proddocs/topic/ns-main-appexpert-10-5-map/ns-nw-ratelimit-td-con.html.

    [From Build 50.10] [#403748]

  • Features Supported in Traffic Domains

    The following NetScaler features are now supported in all traffic domains configured on a NetScaler appliance:

    * RNAT6

    * IPv4 and IPv6 Forwarding Sessions

    * NAT64

    * NAT46

    You can use the new Traffic Domain (TD) parameter to specify or identify a traffic domain in commands and GUI elements related to these features.

    For more information, see http://support.citrix.com/proddocs/topic/ns-system-10-5-map/nw-td-supportd-unsupportd-ns-featurs-con.html.

    [From Build 50.10] [#383056]

WIonNS

  • You can now optionally configure agCallbackURL from agURL. The agURL represents the front-end Access Gateway (AG) for the client. The agCallbackURL is used for communication between Web Interface (WI) and AG, and it is an optional parameter. Use the following command to configure agCallbackURL:

    add wi site /Citrix/new http://agee.citrix.com http://sta.citrix.com -agCallbackUrl http://callback.citrix.com

    [From Build 57.7] [#508743]
