Release Notes

The Citrix Gateway service release to cloud release notes describe the new features, enhancements to existing features, fixed issues, and known issues available in a service release. The release notes include one or more of the following sections:

What’s new: The new features and enhancements available in the current release.

Fixed issues: The issues that are fixed in the current release.

Known issues: The issues that exist in the current release and their workarounds, wherever applicable.

V10.5 (June 09, 2021)

What’s new

  • Route table to define the rules to route the app traffic

Admins can now use the route table to define the rules to route the app traffic directly to the internet or through the Citrix Gateway Connector. The admins can define the route type for the apps as External, Internal, Internal-Bypass Proxy, or External via Gateway Connector depending on how they want to define the traffic flow.

[ACS-243, ACS-167]

V10.4 (May 22, 2021)

What’s new

  • Contextual access to Enterprise Web and SaaS applications

    The Citrix Secure Workspace Access service contextual access feature offers a comprehensive zero-trust access approach that delivers secure access to the applications. Contextual access enables admins to provide granular level access to the apps that users can access based on the context. The term “context” here refers to users, user groups, and the platform (mobile device or a desktop computer) from which the user is accessing the application.


  • Rebranding of Citrix Gateway Connector user interface

    The Citrix Cloud Gateway Connector user interface is rebranded as per the Citrix branding guidelines.


V10.2 (May 01, 2021)

What’s new

  • Deletion of customer data from the Citrix Secure Workspace Access service datastore

    Customer data, including backups, is deleted from the Citrix Secure Workspace Access service datastore after 90 days of service entitlement expiry.


  • Simplified steps to federate a domain from Azure AD to Citrix Workspace

    The steps to federate a domain from Azure AD to Citrix Workspace app is now simplified for faster onboarding in Citrix Workspace. Domain federation can now be performed in the Citrix Gateway service user interface, from the Single sign on page.


  • Enhancement to the Connectivity Test tool

    The Connectivity Test tool in Citrix Gateway Connector is enhanced to handle timeout errors and to generate the necessary logs.


Fixed issues

  • Access to Enterprise web apps fail if the plus ( + ) character is used to replace whitespace in query parameters.


  • Existing and new Enterprise Web apps cannot be assigned to the resource location if the resource location name is modified. With this fix, you can rename the resource locations of the existing and new Enterprise Web apps from the Citrix Gateway Service if you have modified from the resource location name from the Citrix Cloud home page.


V9.6 (March 15, 2021)

What’s new

  • Platform enhancements

    Various platform enhancements are made to increase reliability in propagating customer’s admin configurations to the Citrix Gateway Connectors.


  • Improved web apps performance

    The web apps performance when the web applications are accessed from the system browser using clientless VPN has been improved.


  • Enabling Citrix Gateway Connector to use TLS1.2 Grade A or above cipher suites

    The Citrix Gateway Connector now uses TLS1.2 with Grade A or above cipher suites to connect to Citrix Cloud service and other back end servers.


Fixed issues

  • Adding an Enterprise web app or a SaaS app with numbers in the FQDN fails. For example, fails.


  • Sometimes, if Enhanced Security is enabled for an application, the watermark on an application displays the name as “Anonymous” instead of the user’s display name.


  • If a SaaS app or an Enterprise web app name contains a period “.” in the name, the name gets truncated after the period “.” on saving the configuration.


V9.3 (January 20, 2021)

Fixed issues

  • When adding an enterprise Web app, the App Connectivity page does not open.


  • An error message appears when you change the authentication type from Don’t use SSO to SAML. This error message appears when you try to edit an app after you click the Finish button.


  • The SAML single sign-on option is grayed out for some SaaS applications that are created without using the template.


  • When adding an Enterprise Web app, an alert symbol appears even after the gateway connector detection is complete.


V8.4 (November 11, 2020)

What’s new

  • Renaming of Citrix Access Control service

    The Access Control service is now renamed as Secure Workspace Access.


V8.2 (October 15, 2020)

What’s new

  • Enhanced security option to launch SaaS and Enterprise Web apps within Secure Browser service

    Admins can now use the enhanced security option, Select Launch application always in Citrix Secure Browser service to always launch an application in the Secure Browser service regardless of other enhanced security settings.


V7.6 (October 8, 2020)

What’s new

  • Configure session timeouts for the Citrix Secure Workspace Access browser extension

    Admins can now configure session timeouts for the Citrix Secure Workspace Access browser extension. Admins can configure this setting from the Manage tab in the Citrix Gateway service user interface.


  • RBAC control on Citrix Secure Workspace Access browser extension admin settings

    RBAC control is now enforced on Citrix Secure Workspace Access browser extension admin settings.


V7.5 (September 24, 2020)

What’s new

  • Enable VPN-less access to Enterprise Web apps through a local browser

    You can now use the Citrix Secure Workspace Access browser extension to enable VPN-less access to Enterprise Web apps through a local browser. The Citrix Secure Workspace Access browser extension is supported on both Google Chrome and Microsoft Edge browsers.


V7.1 (July 7, 2020)

What’s new

  • Validate Kerberos configuration on Citrix Gateway Connector

    You can now use the Test button in the Single sign on section to validate the Kerberos configuration.


V6.6 (June 19, 2020)

What’s new

  • Read-only access to admins of the Citrix Gateway service and Citrix Secure Workspace Access service

    Security admin teams using the Citrix Gateway service can now provide granular controls, such as read-only access to admins of the Citrix Gateway service and Citrix Secure Workspace Access service.

    • Admins with read-only access to the Citrix Gateway service have access to only view the app details.
    • Admins with read-only access to the Citrix Secure Workspace Access service can only view the content access settings.


V6.3 (May 8, 2020)

What’s new

  • New troubleshooting tools in Citrix Gateway Connector 13.0

    • Network tracing: You can now use the Trace feature to troubleshoot Citrix Gateway Connector registration issues. You can download the trace files and share it with the administrators for troubleshooting. For details, see Troubleshoot Citrix Gateway Connector registration issues.


    • Connectivity tests: You can now use the Connectivity Test feature to confirm that there are no errors in the Gateway Connector configuration and the Gateway Connector is able to connect to the URLs. For details, see Log on and set up the Citrix Gateway Connector.


V3.5 (August 19, 2019)

Known issues

  • Launching an Enterprise Web app for an NTLM authentication enabled resource from Citrix Workspace fails if both of the following conditions are met:
    • Customer’s data center has a proxy server and that proxy server is configured on the Gateway Connector
    • Web App is configured with no SSO (Don’t use SSO)


    • Publish the Web app as a Basic SSO app or
    • Do not have a proxy server configured on Gateway Connector


  • If there are SSL intercepting devices in the on-premises data center where the Citrix Gateway Connector must be deployed, the connector registration does not succeed if SSL interception is enabled for the following FQDNs.

    • *
    • *
    • *
    • *
    • *
    • *
    • *

    The SSL interception must be disabled for these FQDNs for successful connector registration.


  • Download logs option is available in Gateway Connector from version 401.251. If you are on an earlier version of the connector and you upgrade the connector to version 401.251, you cannot download the logs even though the Download Logs link is available.



Fixed issues

  • Edits made in the Access Control page are not propagated to the database because the failed jobs were retried incorrectly. [NGSWS-7733]


Fixed issues

  • If a customer’s data center has an authentication-enabled proxy server configured for Gateway Connector, the connector fails to register itself with Citrix Cloud. [NGSWS-7231]

  • When adding an Enterprise Web app, if the FQDN contains an underscore ( _ ) in the domain name, an error is displayed. [NGSWS-7033]

  • If the SSO type for a SaaS app is changed from Don’t use SSO to SAML, the configuration change fails. [NGSWS-7466]


What’s new

  • Kerberos authentication support for Citrix Gateway Connector to outbound proxy [NGSWS-6410]

    Kerberos authentication is now supported for the traffic from Citrix Gateway Connector to the outbound proxy. Gateway Connector uses the configured proxy credentials to authenticate to the outbound proxy.

Fixed issues

  • In rare cases, web filtering UI configuration changes do not take effect to the tenant traffic. [NGSWS-7147]

  • Memory leaks on ICA service nodes, resulting in a high memory usage. [NGSWS-7014]

  • Application fails to launch because the Citrix Gateway service node does not send the X-NGS-Session-Id header as part of the policy document retrieval request to the CVMs. [NGSWS-6963]

  • Authentication and app enumeration on the Citrix Gateway service fail if the token size for authentication exceeds 64 KB. [NGSWS-5932]


What’s new

  • Web/SaaS apps traffic can now be routed via a corporate-network-hosted Gateway-Connector thus avoiding two factor authentication. If a customer has published a SaaS app that is hosted outside the corporate network, support is now added to authenticate traffic for that app to go through an on-premises Gateway Connector.

    For example, consider that a customer has an Okta protected SaaS app (like Workday). The customer might want that even though the actual Workday data traffic is not routed via the Citrix Gateway service, the authentication traffic to the Okta server is routed through the Citrix Gateway service via an on-premises Gateway Connector. This helps a customer to avoid a second factor authentication from the Okta server as the user is connecting to the Okta server from within the corporate network.


  • Disabling Filtering Website Lists and Website Categorization. Filtering Website Lists and Website Categorization can be disabled if the admin chooses not to apply these functionalities for a specific customer.


  • Automatic geo routing for secure browser service redirects. Automatic geo routing is now enabled for secure browser service redirects.

    [ NGSWS-6926]

Fixed issues

  • Web app launch fails for a customer when the value of the CustomerId is in the camel case.


  • Connection to a Secure Mail server is not possible with FQDN. If the customer configuration has FQDN configured for the mail server, then the connection fails.


  • App launch fails after the Gateway Service session times out. The end user must relogin to access the apps.


  • When renaming a SaaS app, the name changes in the GUI but does not change in the Workspace app. Similarly, when changing or adding an icon of certain SaaS apps and Web apps, the icon updates in the GUI but is not propagated to the Workspace app.


  • If Enhanced Security is enabled on a Web app (hosted inside the corporate network) and if that app is launched from a native browser, then the app launch is redirected to the secure browser service because the native browser cannot enforce enhanced security policies.


  • An app fails to launch if the app FQDN is in the camel case.


  • Deleted applications still show up in the cloud library.


  • When there is an outbound proxy configured for Gateway Connector and if the proxy has authentication enabled, Gateway Connector cannot perform authentication with the proxy server.


  • In race conditions, app configuration does not get propagated intermittently. [NGSWS-4958]

  • App launch fails intermittently with a “Failed to fetch Policy Document.” error.


  • Deleted apps still show up in the Workspace app.


  • Gateway Service supports form response sizes up to 32k for Web applications with form based SSO which is not sufficient for certain applications. With this fix, Gateway ServiceNow supports form response sizes of up to 64k for Web Applications with form based SSO type.



What’s new

  • “Detect” button is added in the “Add a Gateway Connector” page. The Detect button is used to refresh the list of connectors, allowing the newly added connector to reflect in the Web app connectivity section.


  • A new category “Malicious and Dangerous” is added in the “Access Control Web Filtering” categories. A new category named Malicious and Dangerous in the Access Control Web Filtering categories is added under the Malware and Spam group.


Fixed issues

  • Sometimes, the Gateway Connector crashes when multiple threads access the same resource.


  • Sometimes, delete operation using an administrator credential for a Web or SaaS application that does not have subscribed users or groups fails.


  • Configurations for the Citrix Gateway Connector are lost upon editing Form based SSO parameters.


  • Add another app option does not work when you access the option navigating as follows, Edit app > Overview > Add another app.


  • A newly added connector takes too long to show up in the UI.


  • Outbound connections from a connector fail when the connector uses the external FQDN value for the connection via an outbound proxy.

    [NGSWS-6451, NGSWS-6431]

  • Sometimes, app enumeration fails for a customer when the value of the CC-Customer-Id field has letters in lower case and in upper case.


  • Upon launching an application in a Secure Browser session, the display message incorrectly shows “Connecting to [application id]” instead of “Connecting to “[application name].”


  • Athena tokens which exceed 64k bytes in size upon decompressing is not supported.