June 30, 2022
Stickiness IPv4 Mask
You can now define an IPv4 subnet mask to identify the client requests coming to the multi-site application and send the requests to the same site.
For more information, see Deliver a multi-site application.
Improvements to Web Insight
The self-heal slow application server capability in the CADS service detects a faulty server and takes remedial action. If you enable the Detect slow server and Auto-replace slow server options, and if the service identifies a faulty server, the service replaces the faulty server with a healthy server.
You can now view analytics in Web Insight whenever a faulty server is replaced.
In Analytics, click an application, and from Web Insight, click the Server Processing Time tab to get visibility on when a faulty server is replaced.
Integration with Splunk
You can now integrate the CADS service with Splunk to view analytics for WAF and Bot violations in your Splunk dashboard. The Splunk add-on enables you to:
- Combine all other external data sources
- Provide greater visibility of analytics in a centralized place
The CADS service collects Bot and WAF events and sends them to Splunk periodically. The Splunk Common Information Model (CIM) add-on converts the events to CIM-compatible data. As an administrator, you can use the CIM-compatible data to view the WAF and Bot violations in the Splunk dashboard.
For more information, see Integration with Splunk.
SQL injection and cross-site scripting enhancements
You can now block a client that sends 20 or more security check violation requests within 30 minutes.
The Block clients with 20 violations within 30 minutes check box is introduced under the SQL Injection and Cross-site scripting pages. For more information, see SQL injection and Cross-site scripting.
The CADS service logs malicious clients and you can view the details in the Network Function column of the Action History page. For more information, see Action History.
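The following added example (not Citrix code) shows how a 20-violations-in-30-minutes rule behaves when evaluated over violation events. The event tuples, the client addresses, and the choice of a sliding window are assumptions; the page does not say how the CADS service counts the window.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 20                    # violations, as stated in the release note
WINDOW = timedelta(minutes=30)    # duration, as stated in the release note


def clients_to_block(events, threshold=THRESHOLD, window=WINDOW):
    """Return {client_ip: timestamp at which the threshold was first reached}.

    events: iterable of (timestamp, client_ip, check_name), sorted by time.
    Assumption: a sliding window ending at the newest violation.
    """
    recent = defaultdict(deque)   # per-client timestamps still inside the window
    blocked = {}
    for ts, ip, _check in events:
        if ip in blocked:
            continue              # already blocked, nothing more to count
        q = recent[ip]
        q.append(ts)
        # Drop violations that have aged out of the window.
        while ts - q[0] >= window:
            q.popleft()
        if len(q) >= threshold:
            blocked[ip] = ts
    return blocked


def sample_events():
    """Constructed sample data: three clients with different violation rates."""
    t0 = datetime(2022, 6, 30, 12, 0, 0)
    events = []
    # One SQL injection violation per minute: the 20th arrives at 12:19.
    events += [(t0 + timedelta(minutes=i), "203.0.113.10", "SQLi") for i in range(25)]
    # A burst of 19 violations: one short of the threshold.
    events += [(t0 + timedelta(seconds=i), "198.51.100.7", "XSS") for i in range(19)]
    # 40 violations, but only one every 2 minutes: never more than 15 per window.
    events += [(t0 + timedelta(minutes=2 * i), "192.0.2.44", "XSS") for i in range(40)]
    return sorted(events)


if __name__ == "__main__":
    for ip, when in clients_to_block(sample_events()).items():
        print(f"block {ip} (threshold reached at {when:%H:%M})")
```

The third client accumulates twice the threshold in total yet is never blocked, which is the gap a slow, steady source of violations falls into under a windowed count.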
June 16, 2022
Search box on Multi-Site Applications Dashboard
A search box is introduced on the Multi-site Applications dashboard that helps you search for a multi-site application within the list of multi-site applications.
For more information, see Multi-site application summary.
Cloud region recommendation for existing multi-site applications
The CADS service now supports getting site recommendations for existing multi-site applications. Enter user location, traffic expected from each user location, and the cloud service provider for an application and get its corresponding recommendations. You can choose to exclude the existing sites from the recommendation calculations.
For more information, see Cloud region recommendation engine.
You can now define the core settings of a service, such as load balancing, back-end SSL, and health check configuration under a service profile. While creating a service, you can associate this service profile with the service and inherit the preferred configurations.
In the CADS service GUI application creation workflow, service profile settings are available while creating services under the Service Profiles tab.
For more information, see Create service profiles.
June 03, 2022
Domain name uniqueness check for a user-defined (Route 53) multi-site application
The CADS service checks the uniqueness of the domain name for a user-defined (Route 53) multi-site application on the Application Details page where you enter the domain name. If the entered domain name exists in the hosted DNS zone, an error message is displayed on the same screen. Previously, the uniqueness check was done during deployment, which is at the end of the multi-site application creation workflow.
With this enhancement, if necessary, you are notified to change the domain name early in the workflow rather than at the end.
Handling unsupported commands while migrating a configuration
Commands that are not applicable, not supported, or contain missing entities are clearly listed when a Citrix ADC configuration is migrated to the Citrix App Delivery and Security service.
The CADS service also displays a suggested configuration after fixing the issues. You can choose to accept the suggested configuration or edit the commands manually.
New rules for content routes
The following rules are added while creating a content route for an endpoint:
- Client TCP Address MSS - Identifies and returns the maximum segment size (MSS) in a TCP/IP packet.
- Client TCP Address Source Port - Identifies and returns the source port in a TCP/IP packet.
View Audit Log messages
You can now track the configuration activities in the CADS service from the Audit Log dashboard. In the left navigation pane, navigate to Audit Log.
Using the audit log dashboard, you can:
- Track all events and activities for the Citrix environments.
- Manage and monitor the applications.
- Use the filters to search the audit log messages, so that you can narrow down and find the information in real time.
For more information, see View audit log.
Data leak prevention
The CADS service now supports the data leak prevention feature that avoids the leak of sensitive information, such as credit card numbers and social security numbers, to unauthorized recipients.
If your application has access to database servers that store user-specific sensitive information, the CADS service identifies if the responses coming from the database server contain any user-specific sensitive information. It also allows you to define one of the following actions to perform to avoid leakage of such information when a match is found:
- Block: Based on the maximum match length configured, the CADS service blocks that many strings in the responses. For example, if the maximum length configured is 5 for credit cards, the CADS service blocks the last 5 strings of the credit card.
- Mask: The CADS service masks the safe object details with an X in the responses before processing it further. For example, if the maximum length configured is 5 for credit cards, the CADS service masks the last 5 strings of the credit card with an X.
- None: No action is taken on the response. The CADS service processes the responses as is without any changes.
For more information on data leak prevention, see Data leak prevention.
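The Mask action described above, sketched as an added example (not Citrix code). The regular expression, the Luhn validation step, and reading "last 5 strings" as the last 5 digits are assumptions made for illustration; the sample response text is constructed.

```python
import re

# Assumption: a card number is 13-19 digits, optionally separated by
# single spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits):
    """Luhn checksum: filters out digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:        # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_cards(body, max_len=5):
    """Replace the last max_len digits of each Luhn-valid number with X."""
    def repl(match):
        text = match.group(0)
        if not luhn_ok(re.sub(r"\D", "", text)):
            return text       # e.g. an order number: leave untouched
        out, left = [], max_len
        for ch in reversed(text):
            if ch.isdigit() and left > 0:
                out.append("X")
                left -= 1
            else:
                out.append(ch)    # keep separators and leading digits
        return "".join(reversed(out))
    return CARD_RE.sub(repl, body)


if __name__ == "__main__":
    # Constructed response body: a well-known test card number and a
    # 16-digit order number that fails the Luhn check.
    response = "card: 4111 1111 1111 1111, order 1234 5678 9012 3456"
    print(mask_cards(response))
```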
Field format protection
The CADS service now supports the field format protection feature. This feature helps in reducing the risk of attacks caused by sending inappropriate data in web forms.
With this feature, the CADS service examines both the type and length of web form data and ensures that it is appropriate for the targeted field. If inappropriate web form data is found in a user request, you can configure the CADS service to block the request.
Support for role based access control in CADS service
The CADS service provides role-based access control (RBAC), which lets you grant access permissions based on the roles of individual users within your organization. Only the Citrix identity provider is currently supported in the CADS service. During the initial onboarding process, an administrator with full rights is created. This administrator can then invite other administrators to use the CADS service. The following custom roles are available:
- AppAdministrator - This role has permissions to create and deploy applications.
- AppOperator - This role has read-only permissions. The user can monitor an application, but not create or deploy an application.
- InfraAdministrator - This role has permissions to create an environment and cloud access profiles in addition to creating and deploying applications.
Specify subnets to be used by the CADS service to reach your origin application servers
Typically, you configure your application servers' security group to allow ingress traffic from all the IP addresses in the VPC. This works by default because, during environment creation, the CADS service creates new subnets in the VPC for provisioning the infrastructure that reaches your origin application servers. However, to increase security, you can restrict the IP addresses that the CADS service uses to connect to your application servers. You can do so during environment creation by specifying the subnets you created exclusively for the CADS service. Doing so avoids creating default subnets, and the service provisions the infrastructure in the specified subnets. Also, ensure that you change your application servers' security group to allow ingress traffic from the subnets you have specified.
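One way to check the result of that last step, as an added example (not Citrix code): compare the security group's ingress sources with the subnets dedicated to the CADS service. The rule representation as (source CIDR, port) pairs, the CIDR values, and the port are constructed assumptions.

```python
import ipaddress


def audit_ingress(rules, cads_subnets, app_port):
    """Compare ingress rules with the subnets reserved for the CADS service.

    rules: list of (source_cidr, port) pairs from the application servers'
           security group (hypothetical, simplified representation).
    Returns (too_broad, unreachable):
      too_broad   - sources on app_port that are not inside any CADS subnet
      unreachable - CADS subnets that no rule on app_port fully covers
    """
    subnets = [ipaddress.ip_network(s) for s in cads_subnets]
    sources = [ipaddress.ip_network(c) for c, p in rules if p == app_port]

    def inside(a, b):
        # subnet_of() raises TypeError on mixed IPv4/IPv6, so check first.
        return a.version == b.version and a.subnet_of(b)

    too_broad = [str(src) for src in sources
                 if not any(inside(src, s) for s in subnets)]
    unreachable = [str(s) for s in subnets
                   if not any(inside(s, src) for src in sources)]
    return too_broad, unreachable


if __name__ == "__main__":
    # Constructed values: a /16 VPC and two /24 subnets created for CADS.
    cads = ["10.0.100.0/24", "10.0.101.0/24"]
    vpc_wide = [("10.0.0.0/16", 443)]                 # the typical default
    partial = [("10.0.100.0/24", 443)]                # one subnet forgotten
    restricted = [("10.0.100.0/24", 443), ("10.0.101.0/24", 443)]
    for name, rules in [("vpc-wide", vpc_wide), ("partial", partial),
                        ("restricted", restricted)]:
        print(name, audit_ingress(rules, cads, 443))
```

An empty result on both sides means the group admits only the CADS subnets and admits all of them, so tightening the rules has not cut the service off from the origin servers.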
The CADS service now supports the automatic upgrade of the Citrix environments. Navigate to Applications>Environments>Settings to view the Auto-upgrade dashboard. The dashboard displays the available upgrade slots for your environments and the one currently selected. Environment upgrade ensures that you retain access to the latest features and fixes offered by the service. For more information, see Manage an environment.
Support for client authentication
The SSL endpoints now support certificate-based client authentication in the Citrix App Delivery and Security service.
Support for API definitions
The CADS service now supports API definitions. You can create an API definition by navigating to API Definitions > Add API. After the API definition is created, you can use it while configuring a new application, and also in application settings such as content routes for an endpoint, content transform, and security protection. The API resource paths are available as a filter condition.
View and track the Standalone entitlement consumption details
You can now view and track your standalone Advanced and Premium entitlement consumption details in the Citrix App Delivery and Security service GUI. Navigate to the Usage dashboard to view the validity, capacity and consumption details of the Premium and Advanced Entitlements. For more information, see Entitlements.
May 16, 2022
Replace request URL
The CADS service now supports replacing the request URL with the specified URL.
For example, consider that the HTTP client request is GET /pub/WWW/TheProject.html HTTP/1.1. If there is a requirement to redirect the client request to a different resource, you can replace the URL by configuring the Replace request URL action. This modifies the client request URL before sending it to the server as GET /pub/WWW/NewProject.html HTTP/1.1. For more information, see Add content transform.
ADSS-11270: Redirect URL for Load Balancers supports only the following format: “protocol://abc.uvw.xyz/path”. For example, https://www.citrix.com/solutions/app-delivery-and-security/.
April 28, 2022
Check health status of classic apps
You can now check the health status of deployed classic apps. The health status displays the real-time health of your deployed apps for each application service in an availability zone. To view the health status of a deployed app, click the three dots in the Actions column of the Application dashboard and then click Health Status. For more information, see Deliver a classic application.
SAML based authentication support
Admins can now add SAML authentication to the apps. Only authenticated users are allowed to access specific services configured by the admin. For more information, see Configure authentication for the endpoints.
ADSS-10117: You cannot increase the number of rows using pagination to see the environments after the tenth environment.
April 20, 2022
DNS fallback endpoint
The CADS service now supports adding a DNS fallback endpoint. The DNS fallback endpoint acts as a backup endpoint and responds to DNS queries when all sites associated with a multi-site application are in DOWN state.
April 13, 2022
Changes in the Add Site page of a multi-site application
The IPv4 Address or DNS Name and IPv6 Address or DNS Name fields in the multi-site application Add Site page are now combined in the DNS Name, IPv4, or IPv6 field.