Citrix Secure Access for Windows release notes

The Citrix Secure Access agent for Windows is now released on a standalone basis and is compatible with all Citrix ADC versions. The Citrix Secure Access agent version follows the format YY.MM Release.Build.

The release notes describe the new features, enhancements to the existing features, and fixed issues.

What’s new: The new features and enhancements available in the current release.

Fixed issues: The issues that are fixed in the current release.

For detailed information on the supported features, see Citrix Gateway Product Documentation.

Note:

Citrix Secure Access agent (formerly known as Citrix Gateway plug-in for Windows) build 21.9.1.2 and later contains the fix for https://support.citrix.com/article/CTX341455.

22.6.1.5 (17-June-2022)

What’s new

  • Login and logout script configuration

    The Citrix Secure Access client reads the login and logout script configuration from the following registry key when it connects to the Citrix Secure Private Access cloud service.

    Registry path: HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Secure Access Client

    Registry values:

    • SecureAccessLogInScript type REG_SZ - path to login script
    • SecureAccessLogOutScript type REG_SZ - path to logout script

    [ACS-2776]

  • Windows Citrix Secure Access agent using Windows Filtering Platform (WFP)

    WFP is a set of APIs and system services that provide a platform for creating network filtering applications. WFP is designed to replace previous packet filtering technologies, such as the Network Driver Interface Specification (NDIS) filter that was used with the DNE driver. For details, see Windows Citrix Secure Access agent using Windows Filtering Platform.

    [CGOP-19787]

  • FQDN based reverse split tunnel support

    The WFP driver now enables support for FQDN-based REVERSE split tunneling. It is not supported with the DNE driver. For more details on reverse split tunneling, see Split tunneling options.

    [CGOP-16849]
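
The login and logout script values introduced in this release point the client at script files on disk, so the permissions on those files are worth checking. The following PowerShell audit is an added example, not code from Citrix: it reads both values and reports any principal outside a trusted list that can modify the configured script. The function name `Test-SecureAccessScript` and the trusted-principal list are assumptions.

```powershell
# Added example (not Citrix code): audit the scripts referenced by the two values.
$key    = 'HKLM:\SOFTWARE\Citrix\Secure Access Client'
$values = 'SecureAccessLogInScript', 'SecureAccessLogOutScript'

# Assumption: only these principals should be able to change a configured script.
# Names are the English ones; localized Windows builds use different names.
$trusted = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
           'NT SERVICE\TrustedInstaller'

# Rights that allow changing the file's content, deleting it, or rewriting its ACL.
# Modify and FullControl contain these bits, so they match as well.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'

function Test-SecureAccessScript {
    param([string]$KeyPath = $key)

    foreach ($name in $values) {
        # Returns nothing when the key or the value is absent.
        $path = (Get-ItemProperty -Path $KeyPath -Name $name -ErrorAction SilentlyContinue).$name
        $finding = 'ok'
        $who     = @()

        if (-not $path) {
            $finding = 'not configured'
        }
        elseif (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
            # The value is set but does not point at an existing file.
            $finding = 'script file missing'
        }
        else {
            $who = @((Get-Acl -LiteralPath $path).Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                (([int]$_.FileSystemRights -band $writeMask) -ne 0) -and
                ($trusted -notcontains $_.IdentityReference.Value)
            } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique)
            if ($who.Count -gt 0) { $finding = 'writable by untrusted principal' }
        }

        [pscustomobject]@{
            Value = $name; Script = $path; Finding = $finding
            Principals = ($who -join ', ')
        }
    }
}

Test-SecureAccessScript | Format-Table -AutoSize
```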

Fixed issues

  • Sometimes, the Windows auto logon does not work when a user logs into the Windows machine in an Always On service mode. The machine tunnel does not transition to the user tunnel and the message Connecting is displayed in the VPN plug-in UI.

    [NSHELP-31357]

  • On VPN logoff, the DNS suffix list entries in SearchList (Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Secure Access Client) registry are rewritten in reverse order separated by one or more commas.

    [NSHELP-31346]

  • Spoofed IP address is used even after the Citrix ADC intranet application configuration is changed from FQDN based to IP based application.

    [NSHELP-31236]

  • The gateway home page is not displayed immediately after the gateway plug-in establishes the VPN tunnel successfully.

    With this fix, the following registry value is introduced.

    \HKLM\Software\Citrix\Secure Access Client\SecureChannelResetTimeoutSeconds

    Type: DWORD

    By default, this registry value is not set or added. When “SecureChannelResetTimeoutSeconds” is 0 or absent, the fix for the delay is not active, which is the default behavior. An admin must set this registry value on the client to enable the fix (that is, to display the home page immediately after the gateway plug-in establishes the VPN tunnel successfully).

    [NSHELP-30189]

  • AlwaysOnAllow list registry does not work as expected if the registry value is greater than 2000 bytes.

    [NSHELP-31836]

  • Citrix Secure Access Agent for Windows does not tunnel new TCP connections to backend TCP server if the already connected Secure Private Access service region becomes unreachable. However, this does not affect the on-premises gateway connections.

    [ACS-2714]

22.3.1.5 (24-Mar-2022)

Fixed issues

  • The Windows EPA plug-in name is reverted to the Citrix Gateway EPA plug-in.

    [CGOP-21061]

Known issues

  • Citrix Secure Access Agent for Windows does not tunnel new TCP connections to backend TCP server if the already connected Secure Private Access service region becomes unreachable. However, this does not affect the on-premises gateway connections.

    [ACS-2714]

22.3.1.4 (10-Mar-2022)

What’s new

  • Enforce local LAN access to end users based on ADC configuration

    Admins can now prevent end users from enabling or disabling the local LAN access option on their client machines. A new option, FORCED, is added to the existing Local LAN Access parameter values. When the Local LAN Access value is set to FORCED, end users are restricted from using the local LAN access option on their client machines. If the end users must enable or disable the local LAN access, the admins must reconfigure the Local LAN Access option in the Citrix ADC appliance accordingly.

    To enable the FORCED option by using the GUI:

    1. Navigate to Citrix Gateway > Global Settings > Change Global Settings.
    2. Click the Client Experience tab and then click Advanced Settings.
    3. In Local LAN Access, select FORCED.

    To enable the FORCED option by using the CLI, run the following command:

     set vpn parameter -localLanAccess FORCED

    [CGOP-19935]

  • Support for Windows server 2019 and 2022 in the EPA OS scan

    EPA OS scan now supports Windows server 2019 and 2022.

    You can select the new servers by using the GUI.

    1. Navigate to Citrix Gateway > Policies > Preauthentication.
    2. Create a new preauthentication policy or edit an existing policy.
    3. Click the OPSWAT EPA Editor link.
    4. In Expression Editor, select Windows > Windows Update and click the + icon.
    5. In OS Name, select the server as per your requirement.

    You can upgrade to the OPSWAT version 4.3.2744.0 to use the Windows server 2019 and 2022 in the EPA OS scan.

    [CGOP-20061]

  • New EPA scan classification types for missing security patches

    The following new classification types are added to the EPA scan for missing security patches. The EPA scan fails if the client has any of the following missing security patches.

    • Application
    • Connectors
    • CriticalUpdates
    • DefinitionUpdates
    • DeveloperKits
    • FeaturePacks
    • Guidance
    • SecurityUpdates
    • ServicePacks
    • Tools
    • UpdateRollups
    • Updates

    You can configure the classification types by using the GUI.

    1. Navigate to Citrix Gateway > Policies > Preauthentication.
    2. Create a new preauthentication policy or edit an existing policy.
    3. Click the OPSWAT EPA Editor link.
    4. In Expression Editor, select Windows > Windows Update.
    5. In Shouldn’t have missing patch of following windows update classification type, select the classification type for the missing security patches.
    6. Click OK.

    You can upgrade to the OPSWAT version 4.3.2744.0 to use these options.

    Earlier, the EPA scans for missing security patches on the Windows client were based on the severity levels: Critical, Important, Moderate, and Low.

    [CGOP-19465]

  • Support for multiple device certificates for EPA scan

    In the Always on VPN configuration, if multiple device certificates are configured, the certificate with the longest expiry date is tried for the VPN connection. If the EPA scan succeeds with this certificate, the VPN connection is established. If this certificate fails in the scan process, the next certificate is used. This process continues until all the certificates are tried.

    Earlier, if multiple valid certificates were configured, if the EPA scan failed for one certificate, the scan was not attempted on the other certificates.

    [CGOP-19782]

Fixed issues

  • If the clientCert parameter is set to ‘Optional’ in the SSL profile when configuring the VPN virtual server, users are prompted multiple times to select the smart card.

    [NSHELP-30070]

  • Users cannot connect to the Citrix Gateway appliance after changing the ‘networkAccessOnVPNFailure’ always on profile parameter from ‘fullAccess’ to ‘onlyToGateway’.

    [NSHELP-30236]

  • When Always on is configured, the user tunnel fails because of the incorrect version number (1.1.1.1) in the aoservice.exe file.

    [NSHELP-30662]

  • DNS resolution to internal and external resources stops working over a prolonged VPN session.

    [NSHELP-30458]

  • The Windows VPN client does not honor the ‘SSL close notify’ alert from the server and sends the transfer login request on the same connection.

    [NSHELP-29675]

  • Registry EPA check for the “==” and “!=” operator fails for some registry entries.

    [NSHELP-29582]

22.2.1.103 (17-Feb-2022)

Fixed issues

  • Users cannot launch the EPA plug-in or the VPN plug-in after an upgrade to Chrome 98 or Edge 98 browser versions. To fix this issue, perform the following:

    1. For the VPN plug-in upgrade, end users must connect using the VPN client for the first time to get the fix on their machines. In the subsequent login attempts, users can choose the browser or the plug-in to connect.
    2. For the EPA only use case, the end users will not have the VPN client to connect to the gateway. In this case, perform the following:

      1. Connect to the gateway using a browser.
      2. Wait for the download page to appear and download the nsepa_setup.exe.
      3. After downloading, close the browser and install the nsepa_setup.exe file.
      4. Restart the client.

    [NSHELP-30641]

21.12.1.4 (17-Dec-2021)

What’s new

  • Rebranding changes

    Citrix Gateway plug-in for Windows is rebranded to Citrix Secure Access agent.

    [ACS-2044]

  • Support for TCP/HTTP(S) private applications

    Citrix Secure Access agent now supports TCP/HTTP(S) private applications for remote users through the Citrix Workspace Secure Access service.

    [ACS-870]

  • Additional language support

    Windows VPN and EPA plug-ins for Citrix Gateway now support the following languages:

    • Korean
    • Russian
    • Chinese (Traditional)

    [CGOP-17721]

  • Citrix Secure Access support for Windows 11

    Citrix Secure Access agent is now supported for Windows 11.

    [CGOP-18923]

  • Automatic transfer logon when the user is logging in from the same machine and Always on is configured

    Automatic login transfer now occurs without any user intervention when Always on is configured and the user is logging in from the same machine. Previously, when the client (user) had to relogin in the scenarios such as system restart or network connectivity issues, a pop-up message appeared. The user had to confirm the transfer login. With this enhancement, the pop-up window is disabled.

    [CGOP-14616]

  • Deriving Citrix Virtual Adapter default gateway IP address from the Citrix ADC provided net mask

    Citrix Virtual Adapter default gateway IP address is now derived from the Citrix ADC provided net mask.

    [CGOP-18487]

Fixed issues

  • Sometimes, users lose internet access after a VPN tunnel is established in split tunnel ON mode. Citrix Virtual adapter’s erroneous default route causes this network issue.

    [NSHELP-26779]

  • When split tunnel is set to “Reverse,” DNS resolution for the intranet domains fails.

    [NSHELP-29371]

21.9.100.1 (30-Dec-2021)

What’s new

  • Citrix Secure Access support for Windows 11

    Citrix Secure Access agent is now supported for Windows 11.

    [CGOP-18923]

Fixed issues

  • Sometimes, users lose internet access after a VPN tunnel is established in split tunnel ON mode. Citrix Virtual adapter’s erroneous default route causes this network issue.

    [NSHELP-26779]

  • When split tunnel is set to “Reverse,” DNS resolution for the intranet domains fails.

    [NSHELP-29371]

21.9.1.2 (04-Oct-2021)

Fixed issues

  • Sometimes, after disconnecting the VPN, the DNS resolver fails to resolve the host names, because the DNS suffixes are removed during VPN disconnection.

    [NSHELP-28848]

  • Sometimes, a user is logged out of Citrix Gateway within a few seconds when the client idle timeout is set.

    [NSHELP-28404]

  • The Windows plug-in might crash during authentication.

    [NSHELP-28394]

  • In Always On service mode, the VPN plug-in for Windows fails to establish the user tunnel automatically after the users log on to their Windows machines.

    [NSHELP-27944]

  • After the tunnel establishment, instead of adding DNS server routes with the previous gateway IP address, the Windows plug-in adds the routes with the default gateway address.

    [NSHELP-27850]

V21.7.1.1 (27-Aug-2021)

What’s new

  • New MAC address scan

    Support is added for newer MAC address scans.

    [CGOP-16842]

  • EPA scan to check for Windows OS and its build version

    Added EPA scan to check for Windows OS and its build version.

    [CGOP-15770]

  • EPA scan to check for a particular value’s existence

    A new method in the registry EPA scan now checks for a particular value’s existence.

    [CGOP-10123]

Fixed issues

  • If there is a JavaScript error during login because of a network error, subsequent login attempts fail with the same JavaScript error.

    [NSHELP-27912]

  • The EPA scan fails for McAfee antivirus last update time check.

    [NSHELP-26973]

  • Sometimes, users lose internet access after a VPN tunnel is established.

    [NSHELP-26779]

  • A script error for the VPN plug-in might be displayed during nFactor authentication.

    [NSHELP-26775]

  • If there is a network disruption, UDP traffic flow that started before the network disruption does not drop for up to 5 minutes.

    [NSHELP-26577]

  • You might experience a delay in the starting of the VPN tunnel if the DNS registration takes a longer time than expected.

    [NSHELP-26066]

V21.3.1.2 (31-Mar-2021)

What’s new

  • Upgraded EPA libraries

    The EPA libraries are upgraded to support the latest version of the software applications used in EPA scans.

    [NSHELP-26274]

  • Citrix Gateway virtual adapter compatibility

    The Citrix Gateway virtual adapter is now compatible with Hyper-V and Microsoft Wi-Fi direct virtual adapters (used with printers).

    [NSHELP-26366]

Fixed issues

  • The Windows VPN gateway plug-in blocks use of “CTRL + P” and “CTRL + O” over the VPN tunnel.

    [NSHELP-26602]

  • The Citrix Gateway plug-in for Windows responds only with an Intranet IP address registered in the Active Directory when a "nslookup" action is requested for the machine name.

    [NSHELP-26563]

  • The IIP registration and deregistration fail intermittently if the split DNS is set as “Local” or “Both.”

    [NSHELP-26483]

  • Auto logon to Windows VPN gateway plug-in fails if Always On is configured.

    [NSHELP-26297]

  • The Windows VPN gateway plug-in fails to drop IPv6 DNS packets resulting in issues with DNS resolution.

    [NSHELP-25684]

  • The Windows VPN gateway plug-in maintains the existing proxy exception list even if the list overflows because of the browser limit on the Internet Explorer proxy exception list.

    [NSHELP-25578]

  • The Windows VPN gateway plug-in fails to restore the proxy settings when the VPN client is logged off in Always On mode.

    [NSHELP-25537]

  • The VPN plug-in for Windows does not establish the tunnel after logging on to Windows, if the following conditions are met:

    • Citrix Gateway appliance is configured for the Always On feature.
    • The appliance is configured for certificate based authentication with two factor authentication “off.”

    [NSHELP-23584]
