Release Notes for Build 36.27 of Citrix ADC 13.0 Release
May 29, 2019 | Release notes version: 2.0
This release notes document describes the enhancements and changes and specifies the issues that exist, for the Citrix ADC release 13.0 Build 36.27.
Notes
- This release notes document does not include security related fixes. For a list of security related fixes and advisories, see the Citrix security bulletin.
- The [# XXXXXX] labels under the issue descriptions are internal tracking IDs used by the Citrix ADC team.
Additional Changes/Fixes Available in Versions
Version 2.0
- Known Issues: NSNET-10133, NSSSL-6630
What's New?
The enhancements and changes that are available in Build 36.27.
Admin Partition
- Save configuration of all admin partitions from the default partition
  Administrators can now save the configuration of all the admin partitions at once from the default partition, by running the following command:
    save ns config -all
  Previously, administrators could not save the configuration of all the admin partitions from the default partition.
  For more information, see https://docs.citrix.com/en-us/citrix-adc/13/admin-partition/admin-partition-access-and-configure.html#save-configuration-of-all-admin-partitions-from-the-default-partition.
  [# NSUI-606]
Authentication, authorization, and auditing
- Configuring the expressions to check for the user associated group
  The Citrix ADC appliance now provides expressions that let you check the following:
  - whether the current user belongs to any of the listed groups
  - whether the current user is a member of all of the listed groups
  For more information, see https://docs.citrix.com/en-us/citrix-adc/13/aaa-tm/configure-aaa-policies/ns-aaa-setup-policies-authntcn-tsk/ns-aaa-setup-policies-authntcn-advanced-tsk.html#configuring-the-expressions-to-check-for-the-user-associated-group.
  [# NSAUTH-1043]
- Name-value attribute support for TACACS authentication
  You can now configure TACACS authentication attributes with unique names along with values. The names are configured in the TACACS action parameter and the values are obtained by querying for the names. By specifying the attribute name, admins can easily look up the attribute value associated with that name, and no longer have to remember the attribute by its value alone.
  For more information, see https://docs.citrix.com/en-us/citrix-adc/13/aaa-tm/configure-aaa-policies/ns-aaa-setup-policies-authntcn-tsk.html#name-value-attribute-support-for-tacacs-authentication.
  [# NSAUTH-13]
- Configuring the No_Auth policy to bypass certain traffic
  You can now configure a No_Auth policy to exempt certain traffic from authentication when 401-based authentication is enabled on a traffic management virtual server. For such traffic, you must bind a "no-authentication" policy.
  For more information, see https://docs.citrix.com/en-us/citrix-adc/13/aaa-tm/ns-aaa-how-it-works-con.html#configuring-the-no_auth-policy-to-bypass-certain-traffic.
  [# NSAUTH-17]
- ADFS Proxy Integration Protocol compliance
  Note: This feature is under technical preview.
  The Citrix ADC appliance now has a native proxy server that can use the ADFS Proxy Integration Protocol (ADFSPIP) to establish trust between the proxy server and the ADFS farm.
  For more information, see https://docs.citrix.com/en-us/citrix-adc/13/aaa-tm/adfspip-compliance.html.
  [# NSAUTH-27]
- Simplified nFactor configuration using the nFactor Visualizer
  nFactor configuration through the GUI is now simplified by the nFactor Visualizer. The Visualizer helps admins add multiple factors without losing track of each factor, and displays the group of factors built into the flow in one place. Admins can also add a failure path by creating a separate path. After creating the flow, admins bind the nFactor flow to an authentication virtual server.
  For more information, see https://docs.citrix.com/en-us/citrix-adc/13/aaa-tm/multi-factor-nfactor-authentication/nfactor-authentication-simplification.html.
  [# NSAUTH-29]
- Support to retrieve current login attempts for a user
  The Citrix ADC appliance now provides the expression "aaa.user.login_attempts" to retrieve the current number of login attempts for a given user. The expression takes either one argument (the user name) or no argument. With no argument, the expression takes the user name from the aaa_session or aaa_info.
  For more information, see https://docs.citrix.com/en-us/citrix-adc/13/aaa-tm/configure-aaa-policies/ns-aaa-setup-policies-authntcn-tsk.html#support-to-retrieve-current-login-attempts-for-a-user.
  [# NSAUTH-3063]
- Push notification for OTP
  Citrix Gateway supports push notifications for OTP. Users do not have to manually enter the OTP received on their registered devices to log in to Citrix Gateway. Admins can configure Citrix Gateway so that login notifications are sent to users' registered devices through push notification services. When users receive the notification, they simply tap Allow to log in to Citrix Gateway. When Citrix Gateway receives the acknowledgment from the user, it identifies the source of the request and sends the response to that browser connection.
  For more information, see https://docs.citrix.com/en-us/citrix-adc/13/aaa-tm/push-notification-otp.html.
  [# NSAUTH-32, CGOP-10186]
- Configuring the number of end-user devices for receiving OTP notifications
  Administrators can now configure the number of devices that an end user can register to receive OTP notifications or authentication.
  For more information, see https://docs.citrix.com/en-us/citrix-adc/13/aaa-tm/native-otp-authentication.html#configuring-the-number-of-end-user-devices-for-receiving-otp-notifications.
  [# NSAUTH-364]
- Name-value attribute support for SAML authentication
  You can now configure SAML authentication attributes with unique names along with values. The names are configured in the SAML action parameter and the values are obtained by querying for the names. By specifying the attribute name, admins can easily look up the attribute value associated with that name, and no longer have to remember the attribute by its value alone.
  For more information, see https://docs.citrix.com/en-us/citrix-adc/13/aaa-tm/saml-authentication.html#name-value-attribute-support-for-saml-authentication.
  [# NSHELP-7615, NSAUTH-13]
- Support for artifact binding in SAML IdP
  A Citrix ADC appliance configured as a SAML Identity Provider (IdP) now supports artifact binding. Artifact binding enhances the security of the SAML IdP: the assertion is retrieved by the service provider over a back channel rather than passing through the user's browser, so malicious users cannot inspect it.
  For more information, see https://docs.citrix.com/en-us/citrix-adc/13/aaa-tm/saml-authentication/citrix-adc-saml-idp.html#support-for-artifact-binding-in-saml-idp.
  [# NSHELP-8524]
- Increase of SessionIndex size in SAML SP
  The SessionIndex size of a SAML Service Provider (SP) is now increased to 96 bytes. Previously, the default maximum size of SessionIndex was 63 bytes.
  For more information, see https://docs.citrix.com/en-us/citrix-adc/13/aaa-tm/saml-authentication/citrix-adc-saml-sp.html#increase-of-sessionindex-size-in-saml-sp.
  [# NSHELP-8534]
Citrix ADC BLX
- Citrix ADC BLX
  The Citrix ADC BLX appliance is a new software form factor of Citrix ADC. It is designed to run natively on bare-metal Linux on commercial off-the-shelf (COTS) servers.
  Following are the benefits of using a Citrix ADC BLX appliance:
  - Cloud-ready. Citrix ADC BLX provides day-zero support for running in the cloud. Citrix ADC BLX appliances do not require any certification to run in the cloud, because they run as a software application on Linux virtual machines provisioned in the cloud.
  - Easy management. Standard tools available as part of the Linux operating system can be used to monitor and manage Citrix ADC BLX appliances. Citrix ADC BLX appliances can be plugged into an existing orchestration setup.
  - Seamless third-party tool integration. Open source tools (for example, monitoring, debugging, and logging) supported for Linux environments can be integrated with Citrix ADC BLX appliances. There is no need to develop separate plug-ins for each integration.
  - Coexistence with other applications. Because Citrix ADC BLX appliances run as a software application, other Linux applications can also run on the same host.
  For more information, see https://docs.citrix.com/en-us/citrix-adc-blx/.
  [# NSNET-2283]
Citrix ADC CPX
- Support for a lighter version of Citrix ADC CPX
  With this release, a lighter version of Citrix ADC CPX is available that consumes less runtime memory. The lighter version is a configurable option during deployment and can be deployed as a sidecar in service-mesh deployments.
  [# NSBASE-7922]
- Support for high availability on Citrix ADC CPX
  High availability is now supported on Citrix ADC CPX. A high availability deployment protects a system from unplanned downtime and ensures business continuity in the event of a failure. In a high availability deployment, if the primary Citrix ADC CPX fails, the secondary Citrix ADC CPX immediately takes over so that services are not disrupted.
  [# NSNET-5937]
Citrix ADC Extensions
- Citrix ADC extension support on Citrix ADC CPX
  Citrix ADC extensions are now supported on Citrix ADC CPX.
  [# NSEXT-28]
- Support for new callback handlers
  Citrix ADC extensions support the new callback handlers client.init() and server.init(), which are called at connection establishment time.
  For more information, see https://docs.citrix.com/en-us/citrix-adc/13/citrix-adc-extensions/citrix-adc-protocol-extensions/use-cases.html.
  [# NSEXT-333]
- INET API support
  INET APIs are now added for working with IP addresses.
  For more information, see https://docs.citrix.com/en-us/citrix-adc/13/citrix-adc-extensions/api-reference.html.
  [# NSEXT-341]
Citrix ADC GUI
- Support for partition and cluster-based custom reports
  The Citrix ADC GUI now displays only the custom reports created in the current viewing partition or in the cluster.
  For more information, see https://docs.citrix.com/en-us/citrix-adc/13/admin-partition/admin-partition-access-and-configure.html#support-for-partition-and-cluster-based-custom-reports.
  [# NSHELP-18841]
- Warning message for VLANs that do not have an IP address or interface bindings
  The Citrix ADC GUI now displays a warning message when a VLAN is created without IP address or interface bindings.
  [# NSUI-1180]
Citrix ADC SDX appliance
- Always-on connectivity between an SDX appliance and its VPX instances
  The SDX appliance now supports an independent internal network between the SDX Management Service and the VPX instances running on the SDX appliance. This network is reliable and provides always-on connectivity. Previously, the connection between the two entities was outside the VPX network, which made it difficult for the Management Service to communicate with the VPX instances. You can enable the internal network while provisioning the VPX instance.
  For more information, see the "Add a Citrix ADC instance" section in https://docs.citrix.com/en-us/sdx/13/provision-netscaler-instances.html
  [# NSSVM-2128]
Citrix ADC VPX appliance
- Support for AWS Enhanced Networking with Elastic Network Adapter
  Coupled with the AWS Elastic Network Adapter (ENA), Enhanced Networking provides higher bandwidth, higher packet-per-second (PPS) performance, and consistently lower inter-instance latencies. After you have created a Citrix ADC VPX instance on AWS, you can configure the virtual appliance to use Enhanced Networking with AWS ENA by using the AWS CLI.
  Note that this feature is available only on the M4.16xLarge instance type.
  For more information, see https://docs.citrix.com/en-us/citrix-adc/13/deploying-vpx/deploy-aws/vpx-enhanced-networking-with-aws-ena.html
  [# NSPLAT-7658]
- Support for Amazon CloudWatch service
  You can use the Amazon CloudWatch service to monitor a set of Citrix ADC VPX metrics such as CPU and memory utilization, and throughput. CloudWatch monitors resources and applications that run on AWS in real time. You can access the Amazon CloudWatch dashboard by using the AWS Management Console.
  For more information, see https://docs.citrix.com/en-us/citrix-adc/13/deploying-vpx/deploy-aws/vpx-aws-ha.html
  [# NSPLAT-8555]
- Support for Citrix Hypervisor 7.5 and 7.6
  Citrix ADC VPX instances now support Citrix Hypervisor 7.5 and 7.6.
  For more information, see https://docs.citrix.com/en-us/citrix-adc/13/deploying-vpx/supported-hypervisors-features-limitations.html
  [# NSPLAT-8606]
- Support for Hyper-V versions 2016 R2 and 2019
  Citrix ADC VPX instances now support Hyper-V versions 2016 R2 and 2019.
  For more information, see https://docs.citrix.com/en-us/citrix-adc/13/deploying-vpx/supported-hypervisors-features-limitations.html
  [# NSPLAT-8608]
- Support for Ubuntu 18.04 and RHEL 7.6
  Citrix ADC VPX instances now support Ubuntu 18.04 and RHEL 7.6.
  For more information, see https://docs.citrix.com/en-us/citrix-adc/13/deploying-vpx/supported-hypervisors-features-limitations.html
  [# NSPLAT-8609]
- Support for RHV
  Citrix ADC VPX instances now support Red Hat Virtualization (RHV) 4.2.
  For more information, see https://docs.citrix.com/en-us/citrix-adc/13/deploying-vpx/supported-hypervisors-features-limitations.html
  [# NSPLAT-8651]
Citrix Gateway
- Advanced policy support for Enterprise bookmarks
  Enterprise bookmarks (VPN URLs) can now be configured as an advanced policy.
  For more information, see https://docs.citrix.com/en-us/citrix-gateway/13/vpn-user-config/advanced-policy-support-for-enterprise-bookmarks.html.
  [# CGOP-10121]
- Support for FQDN based rules for split tunneling
  The Windows VPN plug-in now supports FQDN based rules for split tunneling.
  For more information, see https://docs.citrix.com/en-us/citrix-gateway/13/vpn-user-config/configure-plugin-connections/ng-plugin-config-network-resources-con/ng-plugin-intranet-app-windows-tsk.html.
  [# CGOP-6432]
- Telemetry capabilities for Windows VPN plug-in and EPA plug-in
  The Windows VPN plug-in and EPA plug-in collect telemetry data for various operations.
  For more information, see https://docs.citrix.com/en-us/citrix-gateway/13/vpn-user-config/configure-plugin-connections/ng-plugin-config-network-resources-con/ng-plugin-intranet-app-windows-tsk.html.
  [# CGOP-7610]
- Support for hostname (FQDN) based rules for split tunneling
  The Windows VPN plug-in now supports hostname based rules for split tunneling.
  [# CGOP-9613]
- Configure the filename for RDP apps in a Citrix ADC appliance
  When an RDP app is downloaded, it can be stored locally with the configured filename.
  For more information, see https://docs.citrix.com/en-us/citrix-gateway/13/rdp-proxy/configure-filename-for-rdp-apps.html.
  [# NSHELP-8743]
- Displaying the nth factor at which failure occurred in the Citrix Gateway Insight authentication failure report
  The Citrix Gateway Insight authentication failure report now displays the nth factor at which the failure occurred. Previously, the report displayed only the stage (primary, secondary, or both) at which the authentication failure occurred.
  For more information, see https://docs.citrix.com/en-us/citrix-application-delivery-management-software/13/analytics/gateway-insight.html.
  [# NSINSIGHT-1807]
Clustering
- SNMP clear trap support for cluster events
  SNMP now sends a clear trap to clear all SYNC failure and PROP failure related SNMP traps after a successful "clusterSyncSuccess" event.
  [# NSHELP-16595]
- Backup and restore the cluster LA on Citrix ADC MPX
  You can now back up and restore the cluster LA setup on Citrix ADC MPX. The cluster LA MAC address is independent of the physical interface MAC address of the cluster nodes and can change after the backup and restore process.
  For more information, see https://docs.citrix.com/en-us/citrix-adc/13/clustering/cluster-traffic-distribution/cluster-link-aggregation.html#backup-and-restore-support-of-cluster-la-on-citrix-adc-mpx.
  [# NSPLAT-7748]
Content Inspection
- Constructing a dynamic ICAP request
  The Citrix ADC appliance can now generate a dynamic ICAP request. This is done by configuring a new parameter, "insertHTTPRequest", in the ICAP profile. The parameter takes an HTTP expression; the appliance evaluates the expression and encapsulates the result, as an HTTP request, in the ICAP request sent to the ICAP server. Dynamic generation of the ICAP request is useful when a content inspection action or an ICAP callout is triggered from a request that has no HTTP header. For example, the SSL module needs to fetch remote content at SSL handshake time, or the application is not HTTP.
  Example:
    -insertHTTPRequest q{HTTP.REQ.METHOD + " " + HTTP.REQ.URL + " HTTP/1.1" + "Host: " + HTTP.REQ.HOSTNAME + ""}
  Note that the encapsulated request must be a syntactically valid HTTP request: the request line and every header line end with a CRLF, and the header block ends with an empty line.
  For more information, see https://docs.citrix.com/en-us/citrix-adc/13/content-inspection/icap-for-remote-content-inspection.html
  [# NSBASE-2820]
- ICAP response header based policy expression
  The Citrix ADC appliance now supports a new policy expression, ICAP.RES, for use in the return expression of a content inspection callout. It evaluates the ICAP response in the same way that the HTTP.RES expression evaluates the response of an HTTP_CALLOUT.
  Example:
    -resultExpr icap.res.header("X-URL-Category")
  For more information, see https://docs.citrix.com/en-us/citrix-adc/13/content-inspection/icap-for-remote-content-inspection.html
  [# NSBASE-2831]
- Support for the NoInspection action
  The Citrix ADC appliance now supports a NoInspection content inspection action. When this action is executed, the appliance does not forward incoming and outgoing data to the inspection device but bypasses content inspection for the matched policy or traffic.
  [# NSBASE-6556]
- Policy expression based Content Inspection log generation
  Content Inspection log stream records or SYSLOG messages can now be generated dynamically from an ICAP.RES based policy expression evaluated on the ICAP response. A new parameter has been added to the ICAP profile to configure the policy expression that generates the dynamic log records.
  For example, the following configuration sends the complete ICAP response header to the log stream client or the SYSLOG server whenever an ICAP response is received:
    add audit message action icap_log_expr INFORMATIONAL icap.res.full_header
    add ns icapProfile reqmod-icap-profile -uri ReqMODE -Mode REQMOD -logAction icap_log_expr
  For more information, see https://docs.citrix.com/en-us/citrix-adc/13/content-inspection/icap-for-remote-content-inspection.html
  [# NSBASE-6638]
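The two ICAP items above (the dynamic insertHTTPRequest request and the ICAP.RES return expression) describe one exchange: the appliance encapsulates an HTTP request header in an ICAP REQMOD message, and a policy then reads a header such as X-URL-Category out of the ICAP reply. The following is an added example, not Citrix code, showing both halves of that exchange at the wire level (RFC 3507). The ICAP service URI, the header name, the blocked-category list and the sample ICAP replies are constructed for this example.

```python
"""ICAP REQMOD exchange for content inspection (added example, not Citrix code).

Builds the ICAP request that a dynamic insertHTTPRequest expression yields,
and evaluates the ICAP reply the way icap.res.header("X-URL-Category") and
icap.res.full_header do. ICAP service name, header name and the sample
responses below are constructed for this example; wire format is RFC 3507.
"""

CRLF = "\r\n"


def build_http_request_header(method, url, host):
    # The text the page's insertHTTPRequest expression assembles:
    # request line, Host header, and the empty line that ends the header block.
    return f"{method} {url} HTTP/1.1{CRLF}Host: {host}{CRLF}{CRLF}"


def build_icap_reqmod(icap_uri, icap_host, http_request_header):
    """Encapsulate an HTTP request header (no body) in an ICAP REQMOD message.

    RFC 3507 section 4.4.1: the Encapsulated header lists the byte offset of
    each encapsulated section; a header-only request is
    "req-hdr=0, null-body=<length of the HTTP header block>".
    """
    encapsulated = http_request_header.encode("ascii")
    icap_header = CRLF.join([
        f"REQMOD {icap_uri} ICAP/1.0",
        f"Host: {icap_host}",
        f"Encapsulated: req-hdr=0, null-body={len(encapsulated)}",
    ]) + CRLF + CRLF
    return icap_header.encode("ascii") + encapsulated


def parse_icap_response(raw):
    """Split an ICAP response into (status, headers, full_header_text).

    headers is keyed by lower-cased name; full_header_text is what the
    icap.res.full_header expression would log. Any encapsulated section
    after the header block is left unparsed.
    """
    head, sep, _rest = raw.partition((CRLF + CRLF).encode("ascii"))
    if not sep:
        raise ValueError("ICAP response header block is incomplete")
    text = head.decode("ascii")
    status_line, *header_lines = text.split(CRLF)
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or parts[0] != "ICAP/1.0":
        raise ValueError(f"unexpected ICAP status line {status_line!r}")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers, text


def icap_res_header(parsed, name):
    """Equivalent of icap.res.header("name"): the value, or "" when absent."""
    return parsed[1].get(name.lower(), "")


def should_reset(icap_response, blocked=("Malware",)):
    """The decision a responder policy makes from the callout result:
    RESET when X-URL-Category contains one of the blocked categories."""
    category = icap_res_header(parse_icap_response(icap_response), "X-URL-Category")
    return any(b in category for b in blocked)


# Constructed sample replies from a URL-categorization ICAP server.
SAMPLE_BLOCKED = (
    "ICAP/1.0 200 OK" + CRLF
    + 'ISTag: "urlcat-v1"' + CRLF
    + "X-URL-Category: Malware,Phishing" + CRLF
    + "Encapsulated: null-body=0" + CRLF + CRLF
).encode("ascii")

SAMPLE_CLEAN = (
    "ICAP/1.0 204 No Content" + CRLF
    + 'ISTag: "urlcat-v1"' + CRLF
    + "X-URL-Category: News" + CRLF
    + "Encapsulated: null-body=0" + CRLF + CRLF
).encode("ascii")
```

A useful check when debugging an ICAP server that rejects the appliance's requests is the null-body offset: it must equal the byte length of the encapsulated HTTP header block including its terminating empty line, which is exactly the part a hand-written insertHTTPRequest expression tends to leave out.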
Content Switching
- Persistence support for content switching virtual server
  Applications are moving from monolithic architectures toward a microservices architecture, in which different versions of the same application can coexist. The Citrix ADC appliance must support continuous deployment of applications, which is usually achieved by platforms that perform canary deployments (such as Spinnaker). Content switching is used to select the load balancing virtual server serving each version of an application, so the Citrix ADC appliance must maintain persistence across multiple load balancing groups behind a content switching virtual server. Persistence for the content switching virtual server enables a seamless transition of clients from one version to another.
  For more information, see https://docs.citrix.com/en-us/citrix-adc/13/content-switching/persistence-support.html.
  [# NSLB-357]
- Backup persistence support for content switching virtual server
  You can now configure the content switching virtual server to use source IP persistence as the backup persistence type when cookie persistence fails. You can also set a timeout value for backup persistence. This is useful for canary deployments in a microservices architecture.
  For more information, see https://docs.citrix.com/en-us/citrix-adc/13/content-switching/persistence-support.html.
  [# NSLB-4267]
GSLB
- GSLB configuration sync on slave sites is not triggered when there is an MEP UP event for a site
  In a GSLB setup, configuration synchronization is no longer dependent on the MEP state. The configuration change is synced as long as there is connectivity to the remote sites, irrespective of the MEP state.
  [# NSLB-4493]
HDX Insight
- Support to disable HDX Insight for non-NSAP HDX sessions
  In a Citrix ADC appliance, you can now disable HDX Insight for non-NSAP HDX sessions.
  For more information, see https://docs.citrix.com/en-us/citrix-gateway/13/hdx-enlightened-data-transport-support/configuring-citrix-gateway.html.
  [# NSINSIGHT-1861]
Licensing
- Increase bandwidth with burst licensing
  You can now use burst licensing through Citrix ADM to increase bandwidth. Burst licensing is a special program that provides extra bandwidth or instance licenses on top of the pooled capacity; for virtual CPU subscriptions, it adds virtual CPU licenses. When your base subscription limit is reached, you can use the readily available burst licenses without having to procure a new license. Burst licenses are charged based on your actual usage per month. The burst licensing program is available only to selected customers on a need basis.
  [# NSCONFIG-1006]
Load Balancing
- DNS autoscale support in a cluster deployment
  DNS autoscale is now available in a cluster deployment.
  For more information, see https://docs.citrix.com/en-us/citrix-adc/13/load-balancing/load-balancing-manage-large-scale-deployment/autoscale-dns-service-group.html.
  [# NSLB-4093]
- Translating the destination IP address and port number of requests on a cache redirection virtual server to the origin IP address
  You can now configure the forward proxy cache redirection virtual server on the Citrix ADC appliance to translate the destination IP address of a request landing on the cache redirection virtual server to the origin server IP address. This translation occurs irrespective of whether the request is sent to the cache servers or to the origin server.
  For more information, see https://docs.citrix.com/en-us/citrix-adc/13/citrix-adc-cache-redirection-gen-wrapper-10-con/translate-destination-ip-address-to-origin-ip-address.html.
  [# NSLB-4536]
NITRO
- Support of idempotency for macro NITRO APIs
  Macro APIs now support idempotency for non-binding resources. An idempotent query parameter has been introduced for macro API POST requests.
  [# NSCONFIG-655]
Networking
- Protocol name in the show command output for ACLs and PBRs
  The output of the show command for ACLs, ACL6s, PBRs, and PBR6s now displays the name of the configured protocol instead of the protocol number.
  For more information on ACLs and ACL6s, see https://docs.citrix.com/en-us/citrix-adc/13/networking/access-control-lists-acls.html.
  For more information on PBRs and PBR6s, see https://docs.citrix.com/en-us/citrix-adc/13/networking/ip-routing/configuring-policy-based-routes.html
  [# NSHELP-15824]
- Deprecated and new config operations for IPv4 RNAT rules
  The existing config operations for IPv4 RNAT (set, unset, and clear RNAT) have been deprecated. Instead, the following new operations have been introduced: add, set, bind, remove, unbind, and unset. This new set of RNAT operations is consistent with the operations for other features.
  Citrix recommends that you do not use the deprecated RNAT operations through the command line interface, GUI, or NITRO APIs. However, to ease the transition to the new alternatives, some of the deprecated commands remain usable for a limited time and will be removed in a future release. The Citrix ADC appliance internally converts the deprecated RNAT operations to the equivalent new RNAT operations during an upgrade to release 13.0, and whenever you use the deprecated operations.
  For more information, see https://docs.citrix.com/en-us/citrix-adc/13/networking/ip-addressing/configuring-network-address-translation/configuring-rnat.html.
  [# NSNET-5592, NSNET-7480]
- Support for VLAN as next hop in static routes
  You can now specify a VLAN as the next hop for a static route. Before specifying a VLAN as next hop, the VLAN must be bound to at least one interface. The Citrix ADC appliance routes packets matching a static route with a VLAN as next hop through one of the interfaces bound to that VLAN.
  Note: This feature is supported only on Citrix ADC CPX appliances.
  For more information on Citrix ADC CPX, see https://docs.citrix.com/en-us/citrix-adc-cpx/13/configure-cpx.html.
  [# NSNET-7453]
Optimization
- Support for Integrated Caching on the CPX platform
  The Integrated Caching feature is now supported on the Citrix ADC CPX platform.
  [# NSCACHE-54]
Policies
- Support for minimum and maximum functions in an advanced policy expression
  Two new functions are added to advanced policy expressions:
  1. <expression1>.max(<expression2>) returns the greater of the two values.
  2. <expression1>.min(<expression2>) returns the lesser of the two values.
  For more information, see https://docs.citrix.com/en-us/citrix-adc/13/appexpert/policies-and-expressions/adv-policy-expressions-getting-started/character-sets-in-expressions.html
  The functions can be used with the following data types:
  - number
  - double
  - unsigned long
  - text
  Note: For text, the function handles both case sensitive and case insensitive comparisons, and both ASCII and UTF-8 encodings.
  [# NSPOLICY-1596]
- Executing an assignment action immediately after policy evaluation
  In a Citrix ADC appliance, an assignment action bound to a policy is now triggered immediately when the policy rule evaluates to true. The action updates the value of the variable, which can then be used in subsequent policy rule evaluations within the same feature. Previously, the appliance executed assignment actions only after evaluating all of the policies in the feature, for those policies that evaluated to true, so the variable value set by an assignment action could not be used in subsequent policy rule evaluations within the feature.
  For more information, see https://docs.citrix.com/en-us/citrix-adc/13/appexpert/variables/configuring-using-variables.html.
  [# NSPOLICY-2964]
SSL
- Support for CHACHA20_POLY1305 ciphers on Citrix ADC appliances
  CHACHA20_POLY1305 ciphers are now supported on the following Citrix ADC appliances:
  - N3-based MPX and SDX appliances
  - VPX appliances
  - Intel Coleto SSL chip based appliances
  For more information, see https://docs.citrix.com/en-us/citrix-adc/13/ssl/ciphers-available-on-the-citrix-ADC-appliances.html.
  [# NSSSL-2031]
- Support for the RC4 cipher in Citrix ADC software
  RC4 continues to be supported in Citrix ADC software on N3-based Citrix ADC hardware appliances, but RC4 encryption, including the handshake, is now done in software. Earlier, it was done in hardware. This cipher is not included in the default cipher group.
  Citrix recommends that you do not use this cipher, because it is considered insecure and is prohibited by RFC 7465. Processing RC4 in software also decreases performance compared to systems running previous firmware revisions.
  For more information, see https://docs.citrix.com/en-us/citrix-adc/13/ssl/ciphers-available-on-the-citrix-ADC-appliances.html.
  [# NSSSL-2930]
- Default cipher groups for DTLS virtual servers and services on Citrix ADC and Citrix ADC FIPS appliances
  New cipher groups are now available for DTLS virtual servers and services on the Citrix ADC platform. The DEFAULT_DTLS and DEFAULT_DTLS_BACKEND groups contain the default ciphers supported on DTLS virtual servers (front end) and DTLS services (back end) respectively. The DTLS_FIPS group contains the ciphers supported on DTLS services and virtual servers on Citrix ADC FIPS appliances.
  For more information, see https://docs.citrix.com/en-us/citrix-adc/13/ssl/support-for-dtls-protocol.html.
  [# NSSSL-555, NSSSL-1920]
- TLSv1.3 and 0-RTT attack protection
  TLSv1.3-enabled virtual servers now provide improved protection against replay attacks on 0-RTT early data by using "Client Hello Recording" as described in RFC 8446 section 8.2. This mechanism ensures that at most one copy of an early-data application request can reach the back-end application server, even if replayed copies are sent simultaneously and even if the copies are processed by different nodes in an ADC cluster.
  For more information, see https://docs.citrix.com/en-us/citrix-adc/13/ssl/tls13-protocol-support.html.
  [# NSSSL-563]
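The ClientHello Recording mechanism named above is simple to state but easy to get wrong in a cluster: if each node keeps its own record, an attacker replays the captured 0-RTT flight to a different node and the early data reaches the back end twice. The following is an added example, not Citrix code and not a description of how the appliance implements it internally, that models the single-use check from RFC 8446 section 8.2 and shows the per-node versus cluster-wide difference. The ClientHello bytes, the node model and the window length are constructed for this example.

```python
"""Anti-replay for TLS 1.3 0-RTT by ClientHello recording (added example,
not Citrix code). RFC 8446 section 8.2: the server records a unique value
derived from each ClientHello carrying early data and rejects a duplicate
seen within the ticket lifetime window. The sample ClientHello bytes and
the node/cluster model below are constructed for this example; the window
length is an assumed value.
"""
import hashlib


class ClientHelloRecorder:
    """Single-use store of ClientHello digests with per-entry expiry."""

    def __init__(self, window_seconds):
        self.window = window_seconds
        self._seen = {}  # sha256(ClientHello) -> expiry time

    def _purge(self, now):
        # Drop entries older than the ticket lifetime; past that point the
        # ticket age check (RFC 8446 section 8.3) rejects the ticket anyway.
        for key in [k for k, exp in self._seen.items() if exp <= now]:
            del self._seen[key]

    def accept_early_data(self, client_hello, now):
        """True the first time a ClientHello is seen inside the window,
        False for any byte-identical copy (a replay) until it expires."""
        self._purge(now)
        key = hashlib.sha256(client_hello).digest()
        if key in self._seen:
            return False
        self._seen[key] = now + self.window
        return True


class Node:
    """One ADC node; `store` is either shared across the cluster or private."""

    def __init__(self, name, store):
        self.name = name
        self.store = store

    def handle(self, client_hello, now):
        # Early data is forwarded to the back end only when the recorder
        # accepts it; a rejected copy falls back to a full 1-RTT handshake.
        return self.store.accept_early_data(client_hello, now)


def replay_outcome(shared_store, window_seconds=7200):
    """Send one 0-RTT ClientHello to node A, then replay it to node B.

    Returns (first_accepted, replay_accepted). With a cluster-wide store the
    replay is refused; with per-node stores it reaches the back end twice.
    """
    # Constructed stand-in for a 0-RTT ClientHello (a real one carries a
    # pre_shared_key extension with its binder and an early_data extension).
    client_hello = b"\x16\x03\x01" + b"ClientHello{psk,binder,early_data}"
    if shared_store:
        store = ClientHelloRecorder(window_seconds)
        node_a, node_b = Node("a", store), Node("b", store)
    else:
        node_a = Node("a", ClientHelloRecorder(window_seconds))
        node_b = Node("b", ClientHelloRecorder(window_seconds))
    first = node_a.handle(client_hello, now=1000.0)
    replay = node_b.handle(client_hello, now=1000.5)
    return first, replay
```

The store only needs to hold entries for the ticket lifetime, because after that the freshness check on the obfuscated ticket age rejects the ClientHello on its own; what it must never do is accept a duplicate inside that window, on any node.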
- Support for Azure Key Vault
  The Citrix ADC appliance now supports Azure Key Vault for storing private keys, for both cloud and on-premises deployments. This is particularly beneficial for cloud deployments, to achieve FIPS 140-2 level 2 compliance and to have centralized storage and management of private keys. With this enhancement, you do not have to store and manage keys in different locations when you have Citrix ADC appliances deployed across multiple data centers and cloud providers. The feature works in on-premises ADC deployments as well.
  For more information, see https://docs.citrix.com/en-us/citrix-adc/13/ssl/support-for-azure-key-vault.html.
  [# NSSSL-574]
- Support to ignore the common name if a subject alternative name (SAN) is present in the SSL certificate
  The Citrix ADC appliance now conforms to the RFC rule on the use of the common name in a certificate, as defined in https://tools.ietf.org/html/rfc6125#section-6.4.4. A new parameter, "ndcppComplianceCertCheck", is added.
  When the appliance acts as a client (back-end connection), the common name is ignored during certificate verification if both of the following conditions are met:
  - the "ndcppComplianceCertCheck" parameter is set to YES (the default is NO)
  - a SAN is present in the certificate
  For more information, see https://docs.citrix.com/en-us/citrix-adc/13/ssl/config-ssloffloading.html.
  [# NSSSL-597]
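The security point behind the ndcppComplianceCertCheck setting is that a certificate whose SAN names other hosts must not be rescued by a matching CN: the CN is a free-text field, and RFC 6125 section 6.4.4 says it is consulted only when no SAN of the relevant type is present. The following is an added example, not Citrix code, that implements that rule over already-extracted names. The certificates are constructed (no X.509 parsing), the flag name mirrors the parameter only by analogy, and the wildcard handling (a '*' accepted only as the whole left-most label, matching exactly one label, and never directly under a top-level label) is a deliberate stricter choice than the minimum RFC 6125 allows.

```python
"""Reference-identity check per RFC 6125 (added example, not Citrix code).

Mirrors the back-end certificate verification described above: with the
ndcppComplianceCertCheck-style flag on, the Common Name is ignored whenever
the certificate carries a SAN dNSName (RFC 6125 section 6.4.4); with it
off, the CN is still consulted after the SAN entries fail. Names arrive as
already-extracted strings; certificates here are constructed, and the
wildcard rules are a deliberately strict reading of section 6.4.3.
"""


def match_name(presented, reference):
    """Compare one presented identifier against the reference hostname:
    case-insensitive, trailing dot ignored, '*' allowed only as the whole
    left-most label, matching exactly one label, and never as "*.tld"."""
    presented = presented.lower().rstrip(".")
    reference = reference.lower().rstrip(".")
    if "*" not in presented:
        return presented == reference
    if not presented.startswith("*.") or "*" in presented[2:]:
        return False  # "f*o.example.com" and "*.*.example.com" are rejected
    suffix = presented[1:]  # ".example.com"
    if suffix.count(".") < 2:
        return False  # "*.com" would match every second-level domain
    if not reference.endswith(suffix):
        return False
    leftmost = reference[: -len(suffix)]
    # the wildcard must cover exactly one non-empty label
    return bool(leftmost) and "." not in leftmost


def verify_hostname(reference, san_dns_names, common_name, ndcpp_compliance):
    """True if the certificate identity matches `reference`.

    san_dns_names: dNSName entries from subjectAltName (possibly empty)
    common_name:   the subject CN, or None
    ndcpp_compliance=True  -> CN ignored whenever a SAN dNSName is present
    ndcpp_compliance=False -> CN also tried after the SAN entries fail
    """
    if "*" in reference:
        return False  # a reference identity is never a wildcard
    if san_dns_names:
        if any(match_name(san, reference) for san in san_dns_names):
            return True
        if ndcpp_compliance:
            return False
    return common_name is not None and match_name(common_name, reference)
```

The second and third assertions in the test are the case the setting exists for: the same certificate, SAN www.example.com and CN api.example.com, is rejected for api.example.com under the compliant check and accepted under the legacy one.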
- Support for SafeNet version 7.2.2
  The Citrix ADC appliance is now integrated with SafeNet Client version 7.2.0-220 to support SafeNet Luna SA HSM version 7.2.0-220.
  For more information, see https://docs.citrix.com/en-us/citrix-adc/13/ssl/support-for-gemalto-safenet-network-hardware-security-module.html.
  [# NSSSL-6348]
- Support for dynamic SNI on the back end
  The Citrix ADC appliance now supports dynamic Server Name Indication (SNI) on the back end. You do not need to specify a common name in the back-end SSL service, service group, or profile: the server name from the Client Hello message is forwarded to the back-end SSL server.
  Important: Ensure that the following conditions are met for dynamic SNI to be effective on the back end:
  - SNI is enabled on the front end.
  - The correct SNI certificate is bound to the SSL virtual server.
  For more information, see https://docs.citrix.com/en-us/citrix-adc/13/ssl/config-ssloffloading.html#support-for-sni-on-the-back-end-service.
  [# NSSSL-6371]
- Support for optional client certificate verification with policy based client authentication
  You can now set client certificate verification to optional when you have configured policy based client authentication. Previously, mandatory was the only option. Now both optional and mandatory are available and configurable.
  For more information, see https://docs.citrix.com/en-us/citrix-adc/13/ssl/ssl-actions-and-policies/config-built-in-ssl-actions.html#client-certificate-verification-with-policy-based-client-authentication.
  [# NSSSL-690]
- View the details of an SSL key using the GUI
  A new "View" button is added to the SSL Keys tab. Navigate to Traffic Management > SSL > SSL Files. In the Keys tab, select a key and click View. The details of the key are displayed.
  [# NSUI-11582]
- View the details of an SSL certificate signing request (CSR) using the GUI
  A new "View" button is added to the SSL CSRs tab. Navigate to Traffic Management > SSL > SSL Files. In the CSRs tab, select a file and click View. The details of the CSR are displayed.
  [# NSUI-11585]
- View the details of an SSL certificate using the GUI
  A new "View" button is added to the SSL Certificates tab. Navigate to Traffic Management > SSL > SSL Files. In the Certificates tab, select a file and click View. The details of the certificate are displayed.
  [# NSUI-11588]
- Support for optional client certificate verification with policy based client authentication
  You can now set client certificate verification to optional when you have configured policy based client authentication. Previously, mandatory was the only option. Now both optional and mandatory are available and configurable.
  For more information, see https://docs.citrix.com/en-us/citrix-adc/13/ssl/ssl-actions-and-policies/config-built-in-ssl-actions.html#client-certificate-verification-with-policy-based-client-authentication.
  [# NSUI-12690]
SSL Forward Proxy
- Citrix Secure Web Gateway features available in Citrix ADC Premium Edition
  Citrix Secure Web Gateway is now available as a feature with the Citrix ADC Premium edition license. The feature is called SSL forward proxy. With this feature, you can intercept encrypted outbound traffic. Optionally, you can send this traffic in plain text to different third party devices for inspection and also use the URL filtering and categorization subscription service.
  To configure SSL forward proxy, navigate to Security > SSL Forward Proxy. In Getting Started, click SSL Forward Proxy Wizard.
  For more information, see https://docs.citrix.com/en-us/citrix-adc/13/forward-proxy.html.
  [# NSBASE-5177]
Security
- Content Inspection Callout (CI_CALLOUT)
  The Citrix ADC appliance now uses a Content Inspection callout (CI_CALLOUT) to send an ICAP request to an ICAP server when certain criteria need to be met during policy evaluation. For example, a CI callout is sent when the policy expression needs to receive the URL category information for the origin URL from the external URL category server using the ICAP request. The original request or response flow is then blocked on the asynchronous PI expression until the CI_CALLOUT result is returned.
  The CI callout can be invoked by including SYS.CI_CALLOUT(<CI Callout Name>) in the policy expression.
  Example:
    add contentInspection callout cic -type ICAP -profileName reqmod-icap-profile -serverName icap-server -returnType TEXT -resultExpr icap.res.header("X-URL-Category")
    add responder policy url_category_responder_policy "sys.ci_callout(cic).contains(\"Malware\")" RESET
  [# NSBASE-2840]
- Integrating Citrix ADC with passive security devices (Intrusion Detection System)
  A Citrix ADC appliance can now be integrated with passive security devices such as an Intrusion Detection System (IDS). These passive devices log traffic, scan for vulnerabilities, trigger alerts, and generate reports. If the Citrix ADC appliance is integrated with multiple passive devices, the appliance can load balance them by cloning traffic at the virtual server level.
  Following are some of the benefits of integrating Citrix ADC with passive security devices:
  1. Inspecting encrypted traffic: Most security devices bypass encrypted traffic, thereby leaving servers vulnerable to attacks. A Citrix ADC appliance can decrypt the traffic and send it to passive devices, enhancing the customer's network security.
  2. Offloading IDS devices from TLS/SSL processing: TLS/SSL processing is expensive and results in high system CPU usage on intrusion detection devices if they decrypt the traffic. As encrypted traffic is growing at a fast pace, these systems fail to decrypt and inspect all of it. Citrix ADC offloads TLS/SSL processing from the passive devices, so a passive device can support a high volume of traffic inspection.
  3. Load balancing multiple devices: The Citrix ADC appliance load balances multiple passive security devices when there is a high volume of traffic by cloning traffic at the virtual server level.
  4. Replicating traffic to passive devices: The traffic flowing into the appliance can be replicated to other passive devices for generating compliance reports. For example, some government agencies mandate that every transaction be logged on a passive device.
  5. Fanning out traffic to multiple devices: Some users prefer to fan out or replicate incoming traffic into multiple passive devices.
  6. Smart selection of traffic: Not every packet flowing into the appliance needs content inspection (for example, downloads of text files). The user can configure the Citrix ADC appliance to select specific traffic (for example, .exe files) for inspection and send only that traffic to the devices for processing.
  For more information, see https://docs.citrix.com/en-us/citrix-adc/13/content-inspection/intrusion-detection-system-ids.html
  [# NSBASE-5176]
System
- Tail Loss Probe algorithm
  A Citrix ADC appliance now uses the Tail Loss Probe (TLP) algorithm to recover lost segments at the tail end of a transaction. The TLP algorithm reduces tail latency, especially in short web transactions, and converts retransmission timeouts (RTO) caused by a tail loss into fast recovery.
  For more information, see https://docs.citrix.com/en-us/citrix-adc/13/system/TCP_Congestion_Control_and_Optimization_General.html.
  [# NSBASE-251]
- Support for Proxy protocol
  A Citrix ADC appliance now uses the Proxy protocol to safely transport connection information from the client to the server across all appliances in the proxy layer. The appliance adds a proxy protocol header that carries the client connection details and forwards it to other appliances and then to the back-end server. Following are some of the usage scenarios for the Proxy protocol on a Citrix ADC appliance:
  • Learn the original client IP address
  • Select a language for a website
  • Blacklist selected IP addresses
  • Log and collect statistics
  For more information, see https://docs.citrix.com/en-us/citrix-adc/13/system/proxy-protocol.html
  [# NSBASE-4984]
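How a back-end server behind the appliance reads the inserted connection details, as an added example that is not Citrix code: it assumes the human-readable PROXY protocol v1 line format from the HAProxy specification (the release note does not state which version the appliance emits), and the trusted-proxy address set and sample header are constructed placeholders. The header is honoured only when the TCP peer is a known proxy, since anyone else could prepend one.

```python
"""Parse a PROXY protocol v1 header as a back-end server behind the
appliance would receive it (added example; assumes the HAProxy v1 format:
    PROXY <TCP4|TCP6|UNKNOWN> <src> <dst> <sport> <dport>\\r\\n )."""
from __future__ import annotations

import ipaddress

MAX_V1_HEADER = 107  # longest valid v1 line per the spec, CRLF included


class ProxyHeaderError(ValueError):
    """Raised when the data does not start with a well-formed v1 header."""


def parse_proxy_v1(data: bytes) -> tuple[dict, bytes]:
    """Return (parsed header fields, remaining payload bytes)."""
    if not data.startswith(b"PROXY "):
        raise ProxyHeaderError("missing PROXY signature")
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if end == -1:
        raise ProxyHeaderError("header not CRLF-terminated within 107 bytes")
    fields = data[:end].decode("ascii", errors="strict").split(" ")
    rest = data[end + 2:]
    if len(fields) >= 2 and fields[1] == "UNKNOWN":
        # Spec: the receiver must ignore everything after UNKNOWN up to CRLF.
        return {"family": "UNKNOWN"}, rest
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ProxyHeaderError("unexpected field count or address family")
    want_version = 4 if fields[1] == "TCP4" else 6
    try:
        src = ipaddress.ip_address(fields[2])
        dst = ipaddress.ip_address(fields[3])
        sport, dport = int(fields[4]), int(fields[5])
    except ValueError as exc:
        raise ProxyHeaderError(f"bad address or port: {exc}") from exc
    if src.version != want_version or dst.version != want_version:
        raise ProxyHeaderError("address family does not match addresses")
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ProxyHeaderError("port out of range")
    return {"family": fields[1], "src_ip": str(src), "src_port": sport,
            "dst_ip": str(dst), "dst_port": dport}, rest


def original_client_ip(peer_ip: str, data: bytes,
                       trusted_proxies: set[str]) -> tuple[str, bytes]:
    """Return (client IP to log, payload). The PROXY header is trusted only
    when the TCP peer is one of the known proxies (the appliances); from any
    other peer the bytes are ordinary payload and the peer is the client."""
    if peer_ip not in trusted_proxies:
        return peer_ip, data
    info, rest = parse_proxy_v1(data)
    if info["family"] == "UNKNOWN":
        return peer_ip, rest
    return info["src_ip"], rest


if __name__ == "__main__":
    # Constructed sample: header from the appliance at 10.0.0.5, then HTTP.
    sample = b"PROXY TCP4 198.51.100.7 203.0.113.10 51234 443\r\nGET / HTTP/1.1\r\n"
    print(original_client_ip("10.0.0.5", sample, {"10.0.0.5"}))
    print(original_client_ip("10.0.0.6", sample, {"10.0.0.5"}))
```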
- Support for parsing 64 custom HTTP headers
  The system limit for the maximum number of HTTP headers is now set to 64 custom headers. Previously, the limit was set to 16 custom headers.
  [# NSBASE-6691]
- Global control for content inspection logging
  You can now enable the audit log feature to log content inspection events on a Citrix ADC appliance at the global level.
  [# NSBASE-7470]
- Configuring an HTTP profile to drop TRACE or TRACK requests as invalid
  The HTTP profile now has a new option, "Mark TRACE Requests as Invalid", to mark TRACE and TRACK requests as invalid. When you enable this option along with the dropInvalidReqs option on the virtual IP address, the appliance resets a client sending TRACE or TRACK requests to the Citrix ADC appliance.
  For more information, see https://docs.citrix.com/en-us/citrix-adc/13/system/http-configurations.html
  [# NSHELP-10987]
- In Service Software Upgrade support for high availability for performing zero-downtime upgrade
  During an upgrade process in a high availability setup, at some point both nodes run different software builds. These two builds can have the same or different internal high availability version numbers. If the builds have different high availability version numbers, connection failover (even if it is enabled) for existing data connections is not supported. In other words, all existing data connections are lost, which leads to downtime.
  To address this issue, In Service Software Upgrade (ISSU) has been introduced for high availability setups. ISSU introduces a migration functionality, which replaces the force failover operation step in the upgrade process. The migration functionality takes care of honoring the existing connections and includes the force failover operation.
  After the migration operation is performed, the new primary node always receives traffic (request and response) related to the existing connections but steers it to the old primary node. The old primary node processes the data traffic and then sends it directly to the destination.
  For more information, see https://docs.citrix.com/en-us/citrix-adc/13/upgrade-downgrade-citrix-adc-appliance/issu-high-availability.html.
  [# NSNET-7502]
- View Citrix ADC time zone and NTP server IP address on FTU screen
  You can now configure the time zone and the NTP server IP address required for clock synchronization through the first-time-user (FTU) screen on the Citrix ADC GUI.
  For more information, see https://docs.citrix.com/en-us/citrix-adc/13/system/basic-operations/configuring-clock-sychronization.html.
  [# NSUI-11641]
Telco
- SIP and RTSP ALG support for cluster
  The Citrix ADC appliance now supports Session Initiation Protocol (SIP) and Real Time Streaming Protocol (RTSP) ALG in a cluster deployment.
  For more information, see https://docs.citrix.com/en-us/citrix-adc/13/citrix-adc-support-for-telecom-service-providers/lsn-introduction/lsn-configuring-alg/sip-protocol-alg.html and https://docs.citrix.com/en-us/citrix-adc/13/citrix-adc-support-for-telecom-service-providers/lsn-introduction/lsn-configuring-alg/rtsp-protocol-alg.html.
  [# NSLB-77]
- Support for load-balancing of LSN logs across IPFIX collectors
  The Citrix ADC appliance now supports load-balancing (based on source IP address) of LSN (CGNAT) messages across IPFIX collectors.
  [# NSNET-2884]
- Support for setting time-out for Large Scale NAT ports
  For large scale NAT configurations, support has been added for setting a time-out for sessions on specific ports.
  For more information, see https://docs.citrix.com/en-us/citrix-adc/13/citrix-adc-support-for-telecom-service-providers/lsn-introduction/configuration-steps-lsn.html.
  [# NSNET-3791]
- Support for disabling logging of session deletion
  For dynamic large scale NAT configurations, support has been added to disable or enable logging of session deletion. This option is helpful in significantly reducing the volume of logs.
  For more information, see https://docs.citrix.com/en-us/citrix-adc/13/citrix-adc-support-for-telecom-service-providers/lsn-introduction/lsn-logging-monitoring.html.
  [# NSNET-8237]
Citrix Web App Firewall
- New option to limit post body bytes inspected by signature
  After you upgrade your appliance to Citrix ADC version 13.0, you can see a new profile option, "Signature Post Body Limit (Bytes)", with a default value of 8192 bytes. The appliance upgrade sets the option to the default value. You can change this option to limit the request payload (in bytes) inspected for signatures with the location specified as 'HTTP_POST_BODY'. Previously, Citrix Web App Firewall had no option to limit payload inspection and keep CPU usage under check.
  Navigation: Configuration > Security > Citrix Web App Firewall > Profiles > Profile Settings.
  [# NSWAF-2887]
Known Issues
The issues that exist in Build 36.27.
Analytics
- If you enable AppFlow and select Logstream as the transport mode, the server processing time and the server network latency values may appear the same.
  [# NSHELP-19306]
Authentication, authorization, and auditing
- A Citrix ADC appliance might crash upon updating the user data certificate by using the "update ssl certkey" command.
  Workaround: Unbind the user data certificate, update the certificate, and then bind the certificate again.
  [# NSAUTH-5554]
- Accessing an nFactor flow and binding or unbinding an nFactor flow to an authentication virtual server is possible only from the nFactor Flows page. You cannot bind or unbind nFactor flows from the authentication virtual server page.
  [# NSAUTH-5914]
- An ADFS proxy profile can be configured in a cluster deployment, but the status of the proxy profile is incorrectly displayed as blank upon issuing the following command:
    show adfsproxyprofile <profile name>
  Workaround: Connect to the primary active Citrix ADC in the cluster and issue the "show adfsproxyprofile <profile name>" command. It displays the proxy profile status.
  [# NSAUTH-5916]
- The DualAuthPushOrOTP.xml LoginSchema does not appear properly in the login schema editor screen of the Citrix ADC GUI.
  [# NSAUTH-6106]
Citrix ADC BLX
- On a Citrix ADC BLX appliance deployed in shared mode, the Citrix ADC GUI and NITRO service become unavailable if you change the BLX management HTTP port (mghttpport) or HTTPS port (mghttpport) by using the Citrix ADC command line utility (cli_script.sh set ns param).
  [# NSNET-10005]
- On a Citrix ADC BLX appliance, you cannot bind interface 0/1 to a VLAN because this interface is used for internal communication between the BLX appliance and Linux host applications.
  [# NSNET-10014]
- On a Linux host, you cannot change some of the interface features on a Linux host subinterface. Because of this limitation, with a Citrix ADC BLX appliance in dedicated mode, you might observe TCP retransmissions over a Linux host subinterface that is specified as a dedicated interface in the BLX configuration file (blx.conf).
  Workaround: Run the following command on the main interface out of which the subinterface is created, and then restart the BLX appliance:
    ethtool -K <main-interface> gro off gso off rx off tx off
  [# NSNET-10059]
- A Citrix ADC BLX appliance deployed in dedicated mode might crash if you enable dynamic routing on the 192.0.0.1 IP address.
  [# NSNET-9973]
Citrix ADC SDX appliance
- On SDX 15000 50G appliances, there might be packet loss on 50G data ports.
  [# NSHELP-19492]
- The Health Monitoring alarm misrepresents PSU numbering. When the power supply cable is disconnected from PSU #1, health monitoring sends an incorrect alarm that PSU #2 has failed.
  [# NSPLAT-4985]
- On SDX 8200/8400/8600 platforms, the SDX appliance hangs on the Citrix Hypervisor console if the SDX appliance or the VPX instances running on it are restarted multiple times. When the appliance hangs, the message "INFO: rcu_sched detected stalls on CPUs/tasks" appears.
  Workaround:
  - Restart the SDX appliance by pressing the NMI button at the back.
  - From the LOM GUI, use NMI to restart the appliance.
  - Use LOM to restart the SDX appliance.
  [# NSPLAT-9155]
- On SDX 26000 and SDX 15000 platforms, management access through SSH to DOM0 might stop when the following conditions are met:
  - More than one VPX instance is restarted simultaneously.
  - 100 GE or 50 GE interfaces are assigned to the VPX instances.
  Workaround: Restart the SDX appliance.
  [# NSPLAT-9185]
Citrix ADC VPX appliance
- In a Citrix ADC cluster, the configuration coordinator (CCO) node does not support the "set ns vpxparam -cpuyield" command for controlling CPU-usage behavior.
  Workaround: Set the -cpuyield parameter on individual nodes by logging on to each node and adding one of the following commands to the /nsconfig/nsbefore.sh file:
    sysctl netscaler.ns_vpx_halt
    sysctl netscaler.ns_vpx_halt_method=0
  By default, this command specifies method=1, which reserves all CPU resources for the VM to which they have been allocated. To allow allocated but unused CPU resources to be used by another VM, specify method=0.
  [# NSPLAT-2156]
Cloudbridge connector
- The Create/Monitor CloudBridge Connector wizard might become unresponsive or fail to configure a CloudBridge Connector.
  Workaround: Configure CloudBridge Connectors by adding IPSec profiles, IP tunnels, and PBR rules by using the Citrix ADC GUI or CLI.
  [# NSUI-13024]
Clustering
- In a Citrix ADC cluster setup, you cannot upgrade the cluster to release 13.0 build 36.27 from release 12.1 build 48.13 or earlier.
  Workaround: You must first upgrade the cluster setup to release 12.1 build 49.37 or later, and then upgrade the setup to release 13.0 build 36.27.
  [# NSNET-10133]
GUI
- Using the GUI, you cannot modify or unset the TTL or the name server of a binding once a domain based service (DBS) server is bound to a service group and the server names are resolved.
  [# NSUI-13060]
Gateway Insight
- The ICA connection results in a skip parse during ICA parsing if users are using the Mac receiver along with version 6.5 of Citrix Virtual Apps and Desktops (formerly Citrix XenApp and XenDesktop).
  Workaround: Upgrade the receiver to the latest version of Citrix Workspace app.
  [# NSINSIGHT-924]
Load Balancing
- Path monitoring for autoscale service groups is not supported in a cluster deployment.
  [# NSLB-4660]
Citrix ADC SDX appliance
- The following error messages might appear if you configure more than 100 VLANs in the trunkallowedVlan list on an interface in the Citrix ADC instance:
    ERROR: Operation timed out
    ERROR: Communication error with the packet engine
  [# NSNET-4312]
Networking
- If a Citrix ADC appliance has data sessions from a client, and you add a virtual server with the same IP address as that client, flushing the client's sessions might cause the appliance to become unresponsive.
  [# NSHELP-255]
SSL
- A Citrix ADC MPX/SDX 14000 FIPS appliance becomes unresponsive if it receives a packet of size > 18 KB from the back-end server.
  [# NSHELP-14133]
- Session Key Auto Refresh incorrectly appears as disabled on a cluster IP address. (This option cannot be disabled.)
  [# NSSSL-4427]
- The following incorrect error message appears when you remove an HSM key without specifying KEYVAULT as the HSM type:
    ERROR: crl refresh disabled
  [# NSSSL-6106]
- You can create multiple Azure Application entities with the same client ID and client secret. The Citrix ADC appliance does not return an error.
  [# NSSSL-6213]
- You cannot add an Azure Key Vault object if an authentication Azure Key Vault object is already added.
  [# NSSSL-6478]
- The update command is not available for the following add commands:
  - add azure application
  - add azure keyvault
  - add ssl certkey with the hsmkey option
  [# NSSSL-6484, NSSSL-6379, NSSSL-6380]
- TLS and DTLS handshakes with RSA based key exchange fail on the front end of N3-based Citrix ADC MPX and SDX appliances when the following conditions are met:
  1. The TLS handshake fails when the TLS Client Hello message contains TLSv1.2 as the protocol version, but TLSv1.2 is disabled on the Citrix ADC appliance. Therefore, the appliance negotiates a lower version (TLSv1.1, TLSv1.0, or SSLv3.0).
  2. The DTLS handshake fails when the DTLS Client Hello message contains DTLSv1.2 as the protocol version, but the Citrix ADC appliance negotiates DTLSv1.0.
  Use the "show hardware" command to identify whether your appliance has N3 chips.
  [# NSSSL-6630]
- The TLS 1.3 server sends an "internal_error" alert and breaks the connection if all of the following conditions are met:
  - TLS 1.3 is negotiated for a connection.
  - An SSL policy action is configured that causes the server to request a certificate from the client.
  - The client's response to the post-handshake certificate request is received.
  [# NSSSL-793]
- When TLS 1.3 is negotiated for a connection, policy rules that inspect TLS data received from the client (for example, rules that make use of "add ssl policy pol1 -rule client.ssl...") do not trigger the configured action. In addition, SSL policies that use the SSL control actions (for example, DOCLIENTAUTH or NOCLIENTAUTH) do not trigger the configured action when TLS 1.3 is negotiated.
  [# NSSSL-869]
System
- During a Clear Config, the metricscollector application running on a Citrix ADC appliance does not respond, but it might be restarted by the PITBOSS module.
  [# NSBASE-7846]
- A Citrix ADC appliance might generate a false SNMP SYN flood entity trap if some internal connections cause a mismatch between the number of TCP SYNs received and the number of TCP connections established.
  [# NSHELP-18671]
- Connections might hang if the size of the data being processed is larger than the configured default TCP buffer size.
  Workaround: Set the TCP buffer size to the maximum size of data that needs to be processed.
  [# NSPOLICY-1267]
URL Filtering
- If a client terminates the TCP connection after the SNI is extracted from the Client Hello message, but before the policy is evaluated, the domain is visible as clear text and not as ILLEGAL in the AppFlow record.
  [# NSSWG-901]
Citrix Web App Firewall
- A Citrix ADC appliance might crash if there is high memory usage and memory is not freed because of an application failure.
  [# NSHELP-18863]
Limitations
The list of limitations available in Build 36.27.
Citrix ADC SDX appliance
- Direct upgrade from version 10.5 to 13.0 is not supported. You must first upgrade from 10.5 to 11.0, 11.1, 12.0, or 12.1, and then upgrade to SDX 13.0.
  [# NSPLAT-9445]