Release notes
Important:
Starting from the Citrix Secure Access client for Windows release 25.2.1.18, you can ensure compatibility with the third-party software performing DLL injection from directories other than
C:\WindowsorC:\Program Files. Configure the third-party software to exclude the nsload.exe process. Alternatively, configure theExternalTrustedSignersregistry with the signer name of the injected DLL. For more information, see Login failure due to third-party software.
The Citrix Secure Access client for Windows is now released on a standalone basis and is compatible with all NetScaler versions. We recommend that you use the latest version of Citrix Secure Access client as it contains the latest fixes and enhancements.
The Citrix Secure Access client releases follow the format YY.MM.Release.Build.
The release notes describe the new features, enhancements to the existing features, and fixed issues.
What’s new: The new features and enhancements available in the current release.
Fixed issues: The issues that are fixed in the current release.
For detailed information on the supported features, see NetScaler Gateway Product Documentation.
Note:
The Citrix Secure Access client for Windows release 25.5.1.15 addresses the security vulnerabilities described in https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX694724. We recommend you to use the Citrix Secure Access client for Windows version 25.5.1.15.
25.9.1.5 (30-Sep-2025)
Important update:
- Citrix Secure Access version 25.9.1.5 replaces 25.9.1.4 and is now generally available.
Fixed issues
- 
    Connections to DNS servers and gateway IP addresses might fail if a non-standard DNS port (other than 53) is used. [CSACLIENTS-15404] 
- 
    In Citrix Secure Private Access hybrid deployments, Citrix Monitor overrides the update frequency configured by the administrator with default values. [CSACLIENTS-15441] 
- 
    In Citrix Secure Private Access hybrid deployments, Citrix Monitor shows incorrect immediate hop details. [CSACLIENTS-15100] 
- 
    The Citrix Secure Access client does not log out when the smart card is removed, even with the Logout On Smart Card Removal setting enabled on the VPN virtual server. [NSHELP-40615] 
- 
    The Citrix Secure Access client might crash while capturing diagnostic logs in Citrix Secure Private Access deployments. [CSACLIENTS-15376] 
- 
    The connection to the NetScaler Gateway virtual server might fail if a non-standard port (other than 443) is used. This issue occurs when the Citrix Secure Access client operates in Microsoft Edge WebView mode. [NSHELP-40594] 
- 
    After upgrading to version 25.5.1.15, the Citrix Secure Access client fails to launch. This issue occurs due to a failure in the initialization of dependent third-party libraries. [NSHELP-40516] 
- 
    The Citrix Secure Access client intermittently crashes during login while operating in Secure Private Access mode. [CSACLIENTS-15560] 
- 
    Users are repeatedly prompted for domain credentials after upgrading the Citrix Secure Access client to version 25.5.1.15 or later. This issue occurs when Windows domain join fails due to an error in DNS resolution. [NSHELP-40730] 
- 
    When connected in WFP mode, the Citrix Secure Access client crashes intermittently while tunneling TCP DNS traffic. [CSACLIENTS-15440] 
- 
    The Citrix Secure Access client fails to launch due to a case-sensitive path validation. [NSHELP-40819] 
25.7.1.11 (13-Aug-2025)
What’s new
- 
    ARM64 support for the Citrix Secure Access client The Citrix Secure Access application now supports ARM64 Windows devices. The installer automatically detects the system architecture and installs the appropriate ARM64 version. This allows users on the ARM64 Windows devices to access NetScaler Gateway and Citrix Secure Private Access. [CSACLIENTS-13377] 
- 
    Enhanced DNS suffix handling for applications in Citrix Secure Private Access Enhanced DNS suffix handling now ensures that only application domains that match the configured suffixes are securely tunneled through Citrix Secure Private Access, allowing other domains to access the internet directly. [CSACLIENTS-14669] 
Fixed issues
- 
    Users might experience intermittent auto-login failures in the Citrix Secure Access client when Windows Hello-based authentication is enabled on their devices. Users must manually launch the Citrix Secure Access client to establish connection to NetScaler Gateway. [SPAHELP-528] 
- 
    The Citrix Secure Access client fails to launch the login script intermittently when the IPv6 DNS server is active on the end-user device. [SPAHELP-521] 
- 
    Citrix Secure Access client users might experience connection delays of up to 30 seconds when accessing intranet applications. This issue occurs after a period of inactivity or hibernation. [SPAHELP-518] 
- 
    The Citrix Secure Access client might fail to auto-login on a Windows 11 version 24H2 machine when operating in Always On or Always On service mode. To fix this issue, admins must create the following registry entry: - 
        REG_PATH: HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Secure Access Client 
- 
        REG_TYPE: DWORD 
- 
        REG_NAME: EnableCsaAutoLaunch 
- 
        REG_VALUE: 1 
 [SPAHELP-511] 
- 
        
- 
    The Citrix Secure Access client might fail to establish a VPN connection when a device resumes from standby. This issue occurs when a Hyper-V virtual switch is used as the primary external interface on the end-user device. [SPAHELP-451] 
- 
    The EPA periodic scan fails when the Citrix Secure Access client operates in WFP mode. [NSHELP-40557] 
- 
    Even with an active VPN connection, users might lose access to intranet applications due to DNS resolution failure. This failure occurs because the Citrix Secure Access client enforces the nsapimgr -ys enable_vpn_dnstruncate_fix=1setting, even when it is disabled on NetScaler Gateway.[NSHELP-40413] 
- 
    When connected in WFP mode, the TCP connection download throughput over the tunnel is lower compared to DNE mode. [NSHELP-40363] 
- 
    The Status menu incorrectly displays that the VPN is connected, even when the end-user machine is already connected to the corporate network. This issue occurs when the Citrix Secure Access client operates in Always On service mode with location detection enabled. [NSHELP-40336] 
- 
    The Citrix Secure Access client fails to log in on a Windows 11 machine when the proxy server is configured using a script PAC file. [NSHELP-40331] 
- 
    The Citrix Secure Access client users experience intermittent login failures. This issue occurs in GSLB deployments when Always On strict mode is enabled. [NSHELP-40274] 
- 
    Auto-login might fail in the Citrix Secure Access client when Microsoft Edge WebView is enabled and a login schema other than “singleauth.xml” is configured on NetScaler Gateway. [NSHELP-40272] 
- 
    Auto-login for classic authentication fails in the Citrix Secure Access client versions 24.11.1.17 and later because the default Microsoft Edge WebView does not support classic authentication. With this fix, the Citrix Secure Access client allows reverting the default WebView to Internet Explorer WebView, which supports classic authentication. For more information, see Auto-login failure in the Citrix Secure Access client version 24.11.1.17 and above. [NSHELP-40164] 
- 
    The Citrix Secure Access client users might experience failed intranet application access due to DNS resolution errors. This issue occurs when both of the following conditions are met: - 
        Local LAN access is enabled in the Citrix Secure Access client. 
- 
        The DNS server’s IP address is within the LAN subnet. 
 [NSHELP-39741] 
- 
        
- 
    The Citrix Secure Access client crashes intermittently when the tunnel is active. [SPAHELP-529] 
25.5.1.15 (17-Jun-2025)
Fixed issues
- 
    Users might experience disruptions while accessing the applications if the DNS server is also used for other functionalities like Dynamic Host Configuration Protocol (DHCP) or traffic monitoring. [NSHELP-39427] 
- 
    The TLS handshake between the Citrix Secure Access client and NetScaler Gateway might fail, leading to VPN disconnection. This issue occurs when client certificate configuration on NetScaler Gateway is set to Optional and the client machine does not have a user certificate. [NSHELP-39865] 
- 
    The Citrix Secure Access client launches automatically upon Windows Hello login despite disabling the Open homepage automatically checkbox in the Configuration menu of the Citrix Secure Access client. [NSHELP-40033] 
- 
    Users experience a loss of access to both intranet and internet resources, with only the connection to the virtual server or NetScaler Gateway remaining intact. This issue occurs when both of the following conditions are met: - 
        The user’s device is connected to the intranet. 
- 
        The Citrix Secure Access client is operating in Always On strict mode with WFP mode enabled. 
 [NSHELP-39996] 
- 
        
- 
    The Citrix Secure Access client crashes intermittently during the Dynamic DNS (DDNS) registration of the assigned IIP address. [NSHELP-40120] 
- 
    Intermittent DNS failures occur in the Citrix Secure Access client when reverse split tunneling is enabled. For more information, see Reverse split tunneling of non-configured domains. [NSHELP-40102] 
25.4.1.9 (08-May-2025)
What’s new
- 
    Support for multi-workspace URLs The Citrix Secure Access client now supports the multi-workspace URL feature for Secure Private Access service deployments. [CSACLIENTS-13276] 
Fixed issues
- 
    Auto-login to the Citrix Secure Access client might fail if the user name or password for LDAP authentication contains special characters. [NSHELP-39664] 
- 
    Auto-login to the Citrix Secure Access client with Edge WebView fails when advanced authentication is configured using the default login schema that has the logon button ID set to “Logon”. [NSHELP-39607] 
- 
    Auto-login to the Citrix Secure Access client might fail when the end user’s device is running in Always On strict mode, that is, Always On is set to 2. Include the loopback address 127.0.0.1; loopbackin theAlwaysOnAllowlistto enable auto-login in Always On strict mode.[NSHELP-39428] 
- 
    The device certificate scan might fail when the EPA client is installed and run in standalone mode. [NSHELP-39167] 
- 
    With the Device posture service enabled, users might be prompted to run the EPA client each time they connect to a Citrix Workspace™ URL using the Citrix Secure Access client. [CSACLIENTS-14191] 
- 
    The automatic update of the Citrix Secure Access client might not function without a system restart after configuring the EnableAutoUpdate registry to enable auto-update functionality. [CSACLIENTS-14127] 
25.2.1.18 (09-Apr-2025)
What’s new
- 
    Single sign-on support with Windows Hello based login The Citrix Secure Access client now supports single sign-on in Always On mode when Windows Hello-based login is enabled on the end user’s device, in both Citrix Secure Private Access and NetScaler Gateway deployments. [CSACLIENTS-13223] 
- 
    Support for hostname-based application access over UDP in Secure Private Access The Citrix Secure Access client now supports hostname-based application access over UDP within a machine-level tunnel, when operating in Secure Private Access mode. [CSACLIENTS-13215] 
- 
    Support for hostname-based application access with DTLS enabled The Citrix Secure Access client now supports IP address spoofing for TCP and UDP-based DNS requests, enabling hostname-based application access when DTLS is configured in NetScaler Gateway. [CSACLIENTS-9797] 
- 
    Enhanced plug-in upgrade behavior in the EPA client The EPA client now prevents prompts for downgrading to a lower version when a higher version of the EPA client is detected on the end-user device. This functionality is applicable irrespective of the Windows EPA Plugin Upgrade configuration (Always, Essential, or Never) in NetScaler Gateway. This enhancement ensures that the end-user device always runs the latest version of the EPA client, maintaining security and stability. [AAUTH-6718] 
Fixed issues
- 
    In an on-premises deployment, the Citrix Secure Access client might fail to establish a VPN connection when two-factor authentication is enabled. [NSHELP-39382] 
- 
    In an on-premises deployment, DNS resolution for hostname-based access might return a single IP address in response to the DNS query sent to NetScaler Gateway for resolution. This issue occurs even if the DNS can resolve to multiple IP addresses. [NSHELP-39332] 
- 
    When the machine-level tunnel is enabled on the Citrix Secure Access client, the connection to the NetScaler Gateway virtual server might fail if a non-standard port (other than 443) is used. [NSHELP-39331] 
- 
    DNS resolution might fail when the Citrix Secure Access client tries to connect to an intranet IP address. This issue occurs if the DNS server is not configured on the NetScaler Gateway virtual adapter. [NSHELP-39300] 
- 
    The Citrix Secure Access client in machine tunnel mode might fail to transfer the logon to another session when multiple sessions are available for transfer. [NSHELP-39279] 
- 
    Auto log in to the Citrix Secure Access client might fail when Local Security Authority is enabled. [NSHELP-39199] 
- 
    The user tunnel establishment is delayed when Always On strict mode is enabled. [NSHELP-39033] 
- 
    The nglauncher of the EPA client might crash, and the device posture check might fail if the default language setting on the end-user machine includes non-English characters, such as å or ø. [AAUTHHELP-108] 
- 
    End users may lose access to intranet applications after a few hours of usage if the tunneling connection limit is reached, even though the actual number of connections is lower. [NSHELP-39814] 
25.1.1.27 (21-Mar-2025)
Important update:
Citrix Secure Access version 25.1.1.27 replaces 25.1.1.11 and is now generally available.
Starting from the Citrix Secure Access version 25.1.1.27, Windows Filtering Platform (WFP) is enabled by default.
Fixed issues
- 
    When a device resumes from standby, internet and intranet access through the Citrix Secure Access client might fail in Always On mode (when machine-level tunnel is in use). [NSHELP-39435] 
- 
    The Citrix Secure Access client might fail to establish a connection to a UDP application when multiple host names resolve to the same IP address in Secure Private Access mode. [SPAHELP-415] 
- 
    The Citrix Secure Access client does not automatically re-establish the VPN connection after a session is terminated due to inactivity. This issue occurs when the Server Idle Session Timeout is configured in Citrix Secure Private Access on Always On mode. [SPAHELP-413] 
- 
    The device certificate scan might fail when the EPA client is installed and run in standalone mode. [NSHELP-39167] 
- 
    The Always On VPN before Windows Logon configuration in the Citrix Secure Access client might fail to establish a VPN connection if client certificate-based authentication is configured. [NSHELP-39141] 
- 
    The end users are prompted to download the plug-in even if the correct version of Citrix EPA is already installed. This issue occurs in the following conditions: - 
        The HttpOnly cookie is enabled. 
- 
        The windowsEPAPluginUpgrade parameter is set to Always. 
 [AAUTH-6503] 
- 
        
24.11.1.17 (19-Dec-2024)
Important update:
Starting from the Citrix Secure Access version 24.11.1.17, Microsoft Edge WebView is enabled by default. To disable the Microsoft Edge WebView, contact Citrix Support. For more information, see Microsoft Edge WebView support for Windows Citrix Secure Access.
What’s new
- 
    Support for contextual access feature in Secure Private Access The Citrix Secure Access client supports the contextual access feature that enables an admin to enforce ZTNA policies dynamically based on the user context like network location, geo location, and device posture. Admin can enable this feature using the EnableContextualAccessregistry or by contacting Citrix Support. For more information, see NetScaler Gateway Windows VPN client registry keys.[CSACLIENTS-11429] 
- 
    Citrix Secure Access client installer included in the VDA meta installer The Citrix Secure Access client installer is now integrated with the VDA meta installer in Citrix Virtual Apps and Desktops 7 2411. This enhancement allows the admin to install the Citrix Secure Access client for Windows as part of the VDA installation process. For more information, see the Install VDA documentation. [CSACLIENTS-11234] 
- 
    Enhanced Windows Last Update scan to support category-wise scans The Windows Last Update scan output includes category-wise list of Security updates, Critical updates, Definition updates, and Update rollups. Previously, the Windows Last Update scan included only the generic updates. For more information, see Windows Last Update Scan. [AAUTH-5528] 
- 
    Enhanced troubleshooting with multi-session VDA The Citrix Secure Access client now supports notifications for each user in a multi-session VDA environment. For admins, events from multi-session VDA are available in DaaS Monitor. [CSACLIENTS-11449] 
- 
    Auto login support with Windows Hello based login The Citrix Secure Access client now supports automatic launch and login when Windows Hello based login is enabled on the end user’s device. [CSACLIENTS-12330] 
- 
    Automatic update support for the Citrix Secure Access client The Citrix Secure Access client can now automatically update the Windows client to the latest available version. This feature is not enabled by default. The admin can enable this feature and choose which machines must automatically get updates for either the early access build or the production build using the registries EnableAutoUpdateandIsAutoUpdateControlledViaAdmin. For more information, see NetScaler Gateway Windows VPN client registry keys.Note: Because the automatic update feature is introduced in the Citrix Secure Access client for Windows version 24.11.1.17, administrators can use this feature in the subsequent releases. 
Fixed issues
- 
    The Microsoft Edge WebView might fail to load while logging in to the Citrix Secure Access client for Windows. The error message “Your machine doesn’t have Microsoft Edge runtime installed” might appear even though it is already installed. [SPAHELP-352] 
- 
    The Citrix Secure Access client on Windows 11 machine fails to establish a DTLS connection to NetScaler Gateway. [NSHELP-38800] 
24.10.1.5 (08-Nov-2024)
Fixed issues
- 
    In Secure Private Access mode, hostname-based application access might fail when a device resumes from standby. [SPAHELP-355] 
- 
    When a device resumes from standby, the Citrix Secure Access client for Windows might occasionally take more than 60 seconds to activate and connect. [SPAHELP-350] 
- 
    The Citrix Secure Access client for Windows fail to establish a VPN connection to NetScaler Gateway when the Server Name Indication (SNI) is enabled. [NSHELP-38813] 
- 
    Users cannot establish a VPN connection due to SSL renegotiation failure when the session ticket parameter is enabled on NetScaler Gateway. [NSHELP-38793] 
- 
    Users cannot establish a VPN connection if there was a network failure during the previous logout process. [NSHELP-38791, NSHELP-38641] 
- 
    The nsRmSac.execleanup utility of the Citrix Secure Access client requires manual intervention to run on the end user’s device. For more information, see Completely skip the DNE installation.[NSHELP-38711] 
- 
    After logging out of the VPN, localhost communication might fail if one of the network adapters on the machine is using the loopback address as the DNS server. As a result, when users attempt to log back into the VPN through the browser, they might be prompted to download the EPA plug-in again (if EPA is configured as an authentication factor), even if it is already installed. [NSHELP-38427] 
- 
    The custom redirection might fail when the user logs into the NetScaler® Gateway virtual server using the Citrix Secure Access client for Windows. [NSHELP-38382] 
24.8.1.19 (10-Oct-2024)
Important update:
Citrix Secure Access version 24.8.1.19 replaces 24.8.1.15 and is now generally available.
What’s new
- 
    Secure Private Access support for cloud-hosted multi-session VDI Citrix Secure Access client now supports the use of Secure Private Access to achieve zero trust access to corporate resources from cloud-hosted multi-session VDIs. Admin can enable this feature using the EnableMultiSessionFlowregistry. For domain-joined machines, use bothEnableMultiSessionFlowandAlwaysOnServiceregistries. For more information, see NetScaler Gateway Windows VPN client registry keys.[CSACLIENTS-10642] 
- 
    Continuous device posture assessment for active Secure Private Access applications When you enable the Periodic scan setting in the Device Posture Service, EPA client scans the device every 30 minutes. If it detects a downgrade in posture status, it notifies the user and disconnects active Secure Private Access connections through the Citrix Secure Access client. For more information, see Periodic scanning of devices. [AAUTH-4910] 
- 
    Support to exclude DNS traffic by Citrix Secure Access You can now exclude DNS traffic from being intercepted by Citrix Secure Access client. For more information, see Exclude specific domain traffic from client interception. [CSACLIENTS-10347] 
- 
    Always On location detection support for Secure Private Access Citrix Secure Access for Windows supports the location detection feature for the Secure Private Access service. It connects the user’s machine to the VPN session if it is not in the corporate network and disconnects the user’s VPN session if the machine is in the corporate network. You must use the locationDetection registry and configure the DNS suffix on the Secure Private Access admin UI console to enable the location detection feature. For more information on using the registry, see NetScaler Gateway Windows VPN client registry keys. For more information on configuring the DNS suffix, see DNS suffixes to resolve FQDNs to IP addresses. [CSACLIENTS-8783] 
- 
    Auto log on support for Azure Entra ID Citrix Secure Access supports auto-logon for Azure AD joined machines and hybrid Azure AD joined machines using Primary Refresh Tokens (PRT) mechanism for both NetScaler Gateway and Secure Private Access. For more information, see Citrix Secure Access auto logon for Windows Azure AD joined machines. [CSACLIENTS-10595] 
- 
    Support to triage and troubleshoot enumeration failures Citrix Secure Access now supports triaging and troubleshooting enumeration failures using Citrix Monitor or Citrix Director, in Secure Private Access deployments. For more information, see Secure Private Access integration with Director (Preview). [CSACLIENTS-10751] 
- 
    Enhanced Windows Last Update scan The Windows Last Update scan now checks the Windows Updates installed through Windows Auto Upgrade service and also the updates installed via BigFix, Intune, and other third party tools. For more information, see Advanced Endpoint Analysis scans. [AAUTH-4876] 
- 
    Split DNS support for TCP-based DNS requests Citrix Secure Access supports split DNS for TCP based DNS requests, same as UDP based DNS requests. Admin can enable this feature using the EnableTCPDNSregistry. For more information, see Session policies and NetScaler Gateway Windows VPN client registry keys.[CSACLIENTS-8142] 
- 
    Enhanced client certificate authentication During client certificate authentication, Citrix Secure Access automatically selects the client certificate based on the CA certificates configured on NetScaler Gateway. For more information, see Configuring Client Certificate Authentication. [CSACLIENTS-10592] 
- 
    Support for Citrix Secure Private Access™ for on-premises Citrix Secure Access now supports Citrix Secure Private Access for on-premises. For more information, see Citrix Secure Access client. [CSACLIENTS-10543] 
Fixed issues
- 
    Citrix Secure Access client does not display the correct error message on the Windows Credential Provider screen if the authentication fails due to an unreachable network. [SPAHELP-333] 
- 
    The Citrix Secure Access client UI fails to display the custom messages configured using the NetScaler Gateway RfWebUI portal theme. [NSHELP-38362] 
- 
    DNS traffic is dropped if the DNS suffix applied to the Citrix Virtual Adapter (connected to Citrix Secure Access) is truncated after 15 characters. This issue occurs because NetScaler Gateway treats the DNS suffix as a NetBIOS name. [NSHELP-37990] 
- 
    Citrix Secure Access client generates high DNS traffic when an user accesses multiple applications over the VPN tunnel. [NSHELP-37822] 
24.6.1.18 (24-Jul-2024)
Important update:
Citrix Secure Access version 24.6.1.18 replaces 24.6.1.17 and is now generally available.
What’s new
- 
    EPA scan to check Citrix Workspace app version Citrix Secure Access supports a new EPA scan “CWA Version”, that verifies the Citrix Workspace version on Windows machines. For details about the supported EPA scans, see Expression strings. [AAUTH-4870] 
- 
    Automatic single sign-on to Citrix Secure Access through Citrix Workspace app Citrix Workspace app offers a unified client management experience for Citrix Secure Access. When users log on to Citrix Workspace app, they are automatically signed on to Citrix Secure Access and can access TCP/UDP applications seamlessly without the need to manually configure and sign in to multiple client applications. For details, see Automatic single sign-on to Citrix Secure Access through Citrix Workspace app for Windows - Preview. [CSACLIENTS-6418] 
- 
    Tunnel exclusion support in Secure Private Access Citrix Secure Access can now exclude certain application traffic from being tunneled by using the registry, ExcludeDomainsFromTunnel.If example.comis an intranet domain that hosts multiple applications, and you want to exclude specific applications such assshhost.example.com,rdphost.example.com,*.ftphost.example.com, you can use this registry.For details, see NetScaler Gateway Windows VPN client registry keys. [CSACLIENTS-8972] 
- 
    IP address spoofing for TCP-based DNS requests Citrix Secure Access supports IP address spoofing of TCP-based DNS requests in the following scenarios: - FQDN-based tunneling rules are configured on NetScaler Gateway.
- FQDNs match the DNS suffixes in a Citrix Secure Private Access deployment.
 [CSACLIENTS-8328] 
- 
    Interoperability enhancements with third-party secure web gateway The User-Agent strings for Citrix Secure Access have been updated for enhanced interoperability with third party secure web gateways. [CSACLIENTS-8593] 
- 
    Support for Citrix Secure Private Access for on-premises Citrix Secure Access now supports Citrix Secure Private Access for on-premises. [CSACLIENTS-10543] 
- 
    Enhanced EPA scan encryption The security encryption of EPA scans is enhanced by the Elliptic Curve Diffie-Hellman (ECDH) keys. [CSACLIENTS-8308] 
- 
    Hash key for signature creation Admins can now use the SHA-384 hash key to create signatures for device certificate authentication. [CSACLIENTS-8296] 
- 
    Seamless connectivity during POP failure In a Secure Private Access deployment, VPN users are automatically reconnected to a different Point of Presence (POP) without manual intervention, when connectivity to the current POP fails. [CSACLIENTS-6396] 
- 
    Enhanced diagnostics The Citrix Secure Access diagnostics are enhanced with additional fields that can help troubleshoot access issues with TCP/UDP apps. [CSACLIENTS-8335] 
Fixed issues
- 
    DNS resolution fails on Windows 11 devices if the Windows Management Instrumentation Command-line (WMIC) feature is disabled. [NSHELP-37603] 
- 
    Citrix Secure Access blocks IPv6 traffic from being routed over a loopback interface if reverse split tunneling and intranet IP address are configured on NetScaler Gateway. [NSHELP-37096], [NSHELP-37534] 
- 
    Citrix Secure Access crashes if the IP address range of the intranet application is configured with a wildcard subnet mask. [NSHELP-37788] 
- 
    After an upgrade, users cannot connect to Microsoft applications if reverse split tunneling and intranet IP addresses are configured on NetScaler Gateway. [NSHELP-37876] 
- 
    When Citrix Secure Access client is configured with WFP, VPN connectivity is lost during an active session or when multiple logins and logouts happen. [NSHELP-37881] 
- 
    DNS resolution is delayed when applications on the client machine send AandAAAArecord-type DNS queries.[NSHELP-38067] 
- 
    Kerberos authentication fails in a Citrix Secure Private Access deployment. [SPAHELP-286] 
- 
    In the Windows Filtering Platform (WFP) mode, application name of the intranet resource being accessed appears as N/A on the Secured Applications’ connections tab on the Citrix Secure Access UI. [CSACLIENTS-9664] 
- 
    In a Citrix Secure Private Access deployment, Citrix Secure Access client fails to switch from machine-level tunnel to user-level tunnel if Always On is configured. [CSACLIENTS-9604] 
24.4.1.7 (30-Apr-2024)
Fixed issues
End-users cannot log on to Citrix Secure Access when autologon fails in the Microsoft Edge WebView mode.
[CSACLIENTS-10005]
DNS resolution fails for some backend resources when the AAAA record-type DNS queries are sent by the client application.
[SPAHELP-288], [CSACLIENTS-10460]
Citrix Secure Access might fail to establish new connections in the WFP driver mode if the client runs for several hours.
[NSHELP-37427], [NSHELP-37124], [SPAHELP-280]
Citrix Secure Access displays an EPA scan error message of a device certificate failure in a different language, although the language set is English.
[NSHELP-37477]
Internet and intranet connections might be lost after a prolonged VPN session if Always On VPN is configured in the WFP mode.
[NSHELP-37283]
EPA scan fails when the “filetime” parameter is configured.
[NSHELP-37564]
The MD5 checksum configuration of a file fails during an EPA scan.
[NSHELP-37491]
The Windows credential manager screen displays the Citrix Secure Access icon even though VPN is not in the Always On VPN mode.
[NSHELP-37205]
The Citrix Secure Access logs display the IP addresses in reverse order. For example, if a Microsoft Edge browser is connected to NetScaler (IP: 192.20.4.5:24), the log message appears as,
"Application msedge.exe has opened a connection to 5.4.20.192:24 |Making a connection to 5.4.20.192:24 by msedge.exe |"
[NSHELP-37314]
After an upgrade, when users click the Home page button on the Citrix Secure Access GUI, the home page URL fails to launch on the default browser.
[NSHELP-37659]
The device certificate check fails in a Citrix Secure Private Access deployment if the certificate is signed by an intermediate CA instead of the root CA.
[SPAHELP-287]
24.2.1.15 (04-Mar-2024)
What’s new
- 
    Support for SNI In a Citrix Secure Private Access deployment, Citrix Secure Access client now supports the server name indication (SNI) extension on all the pre-authentication requests. [SPAHELP-236] 
- 
    Support for TLS 1.3 Citrix Secure Access client now supports the TLS 1.3 protocol. TLS 1.3 is supported on the following platforms: - Windows 11 and later
- Windows Server 2022 and later
 For details on how to configure TLS 1.3 on NetScaler, see Support for TLS 1.3 protocol. [CSACLIENTS-6106] 
- 
    Support for Windows OS details in the HTTP header Citrix Secure Access client now includes details of the Windows OS as part of the HTTP header (user-agent) string. [NSHELP-36732] 
Fixed issues
- 
    DNS resolution intermittently fails if IPv6 is enabled on the client network adapter. [NSHELP-35708] 
- 
    Users might not be able to log on to Citrix Secure Access client if there are simultaneous login attempts using autologon. [NSHELP-35768] 
- 
    Citrix Secure Access installation fails when Smart App Control is enabled on non-English client machines. [NSHELP-36126], [NSHELP-36907] 
- 
    Users cannot access some applications through VPN if Citrix Secure Access client is configured with the WFP driver. This issue occurs because of modifications to the firewall policies. [NSHELP-36254], [NSHELP-36312] 
- 
    A popup dialog appears during an EPA scan. However, when the user clicks OK, EPA scan works as usual. This issue occurs when the Swedish language is selected (Configuration > Language) on the Citrix Secure Access client UI. [NSHELP-36408] 
- 
    In an Always On VPN mode, the machine level tunnel fails to transfer the session when the user certificate authentication is configured on NetScaler Gateway. [NSHELP-36492] 
- 
    Access to the intranet resources intermittently fails when the Windows Filtering Platform (WFP) driver is enabled on Citrix Secure Access client. [NSHELP-36568] 
- 
    The Citrix Secure Access client UI page intermittently freezes when users click the Home button. [NSHELP-37046] 
- 
    Non-admin users cannot connect to the full VPN tunnel if the following conditions are met: - EPA is configured as a factor in an nFactor flow.
- Edge WebView is enabled.
- The control upgrade setting of Citrix EPA client is set to Always on NetScaler Gateway and there’s a mismatch in the Citrix EPA client versions between the client device and NetScaler.
 [NSHELP-37340] 
- 
    EPA device certificate scan fails if the client machine’s system certificate store contains only one device certificate. [NSHELP-37371] 
- 
    The login page of Citrix Secure Access client intermittently goes blank when connecting to Citrix Secure Private Access service. [SPAHELP-202] 
- 
    End-users might not be able to connect the client machines to the domain through VPN if Windows Server 2019 or later versions are used. [SPAHELP-219] 
- 
    When Citrix Device Posture service is enabled, unwanted entries appear in the Connection drop-down list of the Citrix Secure Access client UI. [SPAHELP-271] 
- 
    End-users cannot access the intranet resources if the single sign-on feature is enabled on Citrix Secure Access client. [CSACLIENTS-9940] 
- 
    Citrix Secure Access might crash due to memory corruption. [NSHELP-36993] 
23.10.1.7 (29-Nov-2023)
What’s new
- 
    Configure private port range for server initiated connections You can now configure a private port ranging from 49152 to 64535 for server-initiated connections. Configuring private ports avoids conflicts that might arise when you use ports to create sockets between Citrix Secure Access client and third party apps on the client machines. You can configure the private ports by using the “SicBeginPort” Windows VPN registry. Alternatively, you can configure the private port range by using a VPN plug-in customization JSON file on NetScaler. For more information, see Configure server-initiated connections and NetScaler Gateway Windows VPN client registry keys. [NSHELP-36627] 
- 
    Kerberos authentication support for seamless autologon Citrix Secure Access client now uses the Kerberos authentication method for autologon. As part of this support, a VPN client registry key “EnableKerberosAuth” is introduced. As a pre-requisite, admins must configure Kerberos authentication on NetScaler and on their client machines. End users must install Microsoft Edge WebView on their machines to enable the Kerberos authentication method. For more information, see Autologon with Kerberos authentication. [CSACLIENTS-3128] 
- 
    Auto assign of spoof IP address range Citrix Secure Access client can now detect and apply a new spoof IP address range if there is a conflict between the admin-configured spoof IP address range and the IP-based applications or the end-user’s network. [CSACLIENTS-6132] 
- 
    Microsoft notifications The Citrix Secure Access client notifications now appear as Microsoft notifications on the Notifications panel of your Windows machine. [CSACLIENTS-6136] 
- 
    Improved log collection The Verbose log level is now used as the default debug logging level for an enhanced log collection and troubleshooting. For more information about logging, see Configure logging by using the Citrix Secure Access client UI. [CSACLIENTS-8151] 
Fixed issues
Citrix Secure Access client remains in the “Connecting” state if the machine tunnel of the Always On service fails to detect the client device location.
[CSACLIENTS-1174]
The transfer logon feature fails to work when Microsoft Edge WebView is enabled in Citrix Secure Access client.
[CSACLIENTS-6655]
In the Always On service mode, Citrix Secure Access client fails to establish a machine-level tunnel with NetScaler Gateway if the device certificate-based classic authentication policies are bound to a VPN virtual server.
[NSHELP-33766]
Incoming and outgoing Webex calls fail when users are connected to the VPN. This issue occurs when the Windows filtering platform (WFP) driver is enabled on Citrix Secure Access client instead of the Deterministic network enhancer (DNE) driver.
[NSHELP-34651]
Citrix Secure Access client crashes if the following conditions are met:
- Connections are switched when SAML policies are bound to a VPN virtual server.
- Internet Explorer WebView support is enabled.
[NSHELP-35366]
The Citrix Secure Access client UI displays the Connect button during autologon. This issue occurs if the UserCert authentication method is used to connect to VPN.
[NSHELP-36134]
The local LAN access feature fails to work with Citrix Secure Access client if a machine-level tunnel is configured.
With this release, the local LAN access feature can be set with a machine-level tunnel configuration. To achieve this, you must configure the local LAN access parameter to FORCED when using the machine tunnel mode. For more details, see Enforce local LAN access to end users based on ADC configuration.
[NSHELP-36214]
When a client machine wakes up from sleep mode multiple times, Citrix Secure Access client fails to establish a VPN connection with the intranet applications.
[NSHELP-36221]
23.8.1.11 (19-Oct-2023)
Fixed issues
The epaPackage.exe file might fail to download if forward proxy support is configured on NetScaler Gateway.
[CSACLIENTS-6917]
The Citrix EPA client installation fails for non-admin users with restricted access to C drive.
[NSHELP-36590]
23.8.1.5 (09-Aug-2023)
Fixed issues
Kerberos SSO fails for applications when connected over Citrix Secure Private Access service.
[CSACLIENTS-912]
Application access with Citrix Secure Private Access service fails intermittently. This issue occurs when Citrix Secure Access client shares an incorrect destination IP address for TCP or UDP traffic.
[CSACLIENTS-1151, CSACLIENTS-6326]
Citrix Secure Access client fails to launch applications intermittently because of a DNS caching issue.
[CSACLIENTS-1170]
Citrix Secure Access client fails to apply a DNS suffix to Citrix Virtual Adapter. This issue occurs when Citrix Virtual Adapter fails to authenticate with Active Directory.
[NSHELP-33817]
Citrix Secure Access client crashes if the following conditions are met:
- NetScaler Gateway virtual server contains a client certificate as a factor for nFactor authentication.
- Microsoft Edge WebView support is enabled.
[CSACLIENTS-6171]
When connected to VPN, you might not be able to access back-end resources after you apply Microsoft KB5028166.
[NSHELP-35909]
Citrix Secure Access client intermittently fails to download the configurations from NetScaler Gateway when the portal customization exceeds the allowed limit.
[NSHELP-35971]
Known issues
The transfer logon feature fails to work with Citrix Secure Access client. This issue occurs when Microsoft Edge WebView is enabled.
Workaround: Log on using a web browser to transfer the session.
23.7.1.1 (14-Jul-2023)
Fixed issues
In some cases, after an upgrade to the release version 23.x.x.x, traffic fails to pass through the VPN tunnel, resulting in blocking of VPN access when an Intranet IP range is configured on NetScaler. This happens when cross profile firewall rule is not applied to VPN applications.
[NSHELP-35766]
23.5.1.3 (02-Jun-2023)
Fixed issues
The Always On service crashes when the improved log collection is enabled using the “useNewLogger” registry under  HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Secure Access Client.
[CGOP-24462]
23.4.1.5 (14-Apr-2023)
What’s new
- 
    Microsoft Edge WebView support Microsoft Edge WebView support on Citrix Secure Access client for Windows introduces an enhanced end user experience. This feature is disabled, by default. For details, see Microsoft Edge WebView support for Windows Citrix Secure Access. [CGOP-22245] 
- 
    Adding DNS suffixes to resolve FQDNs to IP addresses Admins can now add suffixes to the applications at the operating system level. This helps Citrix Secure Access clients to resolve a non-fully qualified domain name during name resolution. Admins can also configure applications using the IP addresses (IP CIDR/IP range) so that the end users can access the applications using the corresponding FQDNs. For details see, DNS suffixes to resolve FQDNs to IP addresses. [ACS-2490] 
- 
    Improved log collection The logging feature for the Windows Secure Access client is now improved for log collection and debugging. The following changes are made to the logging feature. - Enable users to change the maximum log file size to a value less than 600 MB.
- Enable users to update the number of log files to less than 5.
- Increase the log levels to three for the new logging feature.
 With these changes, admins and end-users can collect logs from the current session and past sessions. Previously, collection of logs was limited to the current sessions only. For details see, Improved log collection for Windows client. Note: To enable debug logging, select Logging > Verbose from the Select Log Level drop-down list. Prior to the Citrix Secure Access client for Windows 23.4.1.5 release, debug logging could be enabled using the Configuration > Enable debug logging check-box. [CGOP-23537] 
- 
    Support for sending events to Citrix Analytics service Citrix Secure Access client for Windows now supports sending events such as session creation, session termination, and app connection to Citrix Analytics service. These events are then logged in Citrix Secure Private Access dashboard. [SPA-2197] 
Fixed issues
- 
    Citrix Secure Access client single sign-on authentication with Citrix Workspace app to cloud endpoint fails for Unicode users. [CGOP-22334] 
- 
    Access to the resources fails when host name-based applications are configured along with DNS suffix in Citrix Secure Private Access. [SPA-4430] 
- 
    Always-On VPN connection fails intermittently on startup due to gateway virtual server reachability issue. [NSHELP-33500] 
- 
    Intranet resources overlapping with a spoofed IP address range cannot be accessed with split-tunnel set to OFF on the Citrix Secure Access client. [NSHELP-34334] 
- 
    Citrix Secure Access client fails to load the authentication schema leading to login failure in Citrix Secure Private Access service. [SPAHELP-98] 
23.1.1.11 (20-Feb-2023)
This release addresses issues that help to improve the overall performance and stability of Citrix Secure Private Access service.
23.1.1.8 (08-Feb-2023)
Fixed issues
- 
    DNS resolution failures occur as the Citrix Secure Access fails to prioritize IPv4 packets over IPv6 packets. [NSHELP-33617] 
- 
    The OS filtering rules are captured when the Citrix Secure Access client is running in Windows Filtering Platform (WFP) mode. [NSHELP-33715] 
- 
    Spoofed IP address is used for IP-based intranet applications when the Citrix Secure Access client runs on Citrix Deterministic Network Enhancer (DNE) mode. [NSHELP-33722] 
- 
    When using the Windows Filtering Platform (WFP) driver, sometimes intranet access does not work after the VPN is reconnected. [NSHELP-32978] 
- 
    Endpoint analysis (EPA) scan for OS version check fails on Windows 10 and Windows 11 Enterprise multi-session desktops. [NSHELP-33534] 
- 
    Windows client supports 64 KB configuration file size, by default, and this restricts the users to add more entries in the configuration file. This size can be increased by setting the ConfigSizeregistry value in HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Secure Access Client. TheConfigSizeregistry key type isREG_DWORDand key data is<Bytes size>. If the configuration file size is larger than the default value (64 KB), then the ConfigSize registry value must be set to 5 x 64 KB (after converting to bytes) for every addition of 64 KB. For example, if you are adding additional 64 KB, then you must set the registry value to 64 x 1024 x 5 = 327680. Similarly, if you are adding 128 KB, then you must set the registry value to 64 x 1024 x (5+5) = 655360.[SPA-2865] 
- 
    On VPN logoff, DNS suffix list entries in SearchList registry are rewritten in a reverse order separated by one or more commas. [NSHELP-33671] 
- 
    Proxy authentication fails when the NetScaler appliance completes an EPA scan for antivirus. [NSHELP-30876] 
- 
    If the Citrix Secure Access related registry values are greater than 1500 characters, then the log collector fails to gather the error logs. [NSHELP-33457] 
22.10.1.9 (08-Nov-2022)
What’s new
- 
    EPA support for connection proxy type site persistence in GSLB Windows EPA scan now supports connection proxy type site persistence in GSLB when the scan is initiated from a browser. Previously, EPA scan for Windows did not support connection proxy persistence type for browser initiated EPA scan. [CGOP-21545] 
- 
    Seamless single sign-on for Workspace URL (Cloud only) Citrix Secure Access client now supports single sign-on for Workspace URL (cloud only) if the user has already logged on via the Citrix Workspace app. For more details, see Single sign-on support for the Workspace URL for users logged in via Citrix Workspace app. [ACS-2427] 
- 
    Manage Citrix Secure Access client and/or EPA plug-in version via Citrix Workspace App (Cloud only) Citrix Workspace app now has the capability to download and install the latest version of Citrix Secure Access and/or EPA plug-in via the Global App Configuration Service. For more details, see Global App Configuration Service. [ACS-2426] 
- 
    Debug logging control enhancement Debug logging control for Citrix Secure Access client is now independent of NetScaler Gateway and it can be enabled or disabled from the plug-in UI for both machine and user tunnel. [NSHELP-31968] 
- 
    Support for Private Network Access preflight requests Citrix Secure Access Client for Windows now supports Private Network Access preflight requests issued by the Chrome browser when accessing private network resources from public websites. [CGOP-20544] 
Fixed issues
- 
    The Citrix Secure Access client, version 21.7.1.1 and later, fails to upgrade to later versions for users with no administrative privileges. This is applicable only if the Citrix Secure Access client upgrade is done from a NetScaler appliance. [NSHELP-32793] 
- 
    Users cannot log on to VPN because of intermittent EPA failures. [NSHELP-32138] 
- 
    Sometimes, the Citrix Secure Access client in machine tunnel only mode does not establish the machine tunnel automatically after the machine wakes up from sleep mode. [NSHELP-30110] 
- 
    In Always on service mode, user tunnel tries to start even if only machine tunnel is configured. [NSHELP-31467] 
- 
    The Home Page link on the Citrix Secure Access UI does not work if Microsoft Edge is the default browser. [NSHELP-31894] 
- 
    Customized EPA failure log message is not displayed on the NetScaler Gateway portal, instead the message “internal error” is displayed. [NSHELP-31434] 
- 
    When users click the Home Page tab on the Citrix Secure Access screen for Windows, the page displays the connection refused error. [NSHELP-32510] 
- 
    On some client machines, the Citrix Secure Access client fails to detect the proxy setting and this results in logon failure. [SPAHELP-73] 
Known issues
- 
    Windows Update check-based EPA scan does not work on the Windows 11 22H2 version. [NSHELP-33068] 
22.6.1.5 (17-June-2022)
What’s new
- 
    Login and logout script configuration The Citrix Secure Access client accesses the login and logout script configuration from the following registries when the Citrix Secure Access client connects to the Citrix Secure Private Access cloud service. Registry path: HKEY_LOCAL_MACHINE>SOFTWARE>Citrix > Secure Access Client Registry values: - SecureAccessLogInScript type REG_SZ - path to login script
- SecureAccessLogOutScript type REG_SZ - path to logout script
 [ACS-2776] 
- 
    Windows Citrix Secure Access client using Windows Filtering Platform (WFP) WFP is a set of API and system services that provide a platform for creating network filtering application. WFP is designed to replace previous packet filtering technologies, the Network Driver Interface Specification (NDIS) filter which was used with the DNE driver. For details, see Windows Citrix Secure Access client using Windows Filtering Platform. [CGOP-19787] 
- 
    FQDN based reverse split tunnel support WFP driver now enables support for FQDN based REVERSE split tunneling. It is not supported with the DNE driver. For more details on reverse split tunnel, see Split tunneling options. [CGOP-16849] 
Fixed issues
- 
    Sometimes, the Windows auto logon does not work when a user logs into the windows machine in an Always On service mode. The machine tunnel does not transition to the user tunnel and the message Connecting is displayed in the VPN plug-in UI. [NSHELP-31357] 
- 
    On VPN logoff, the DNS suffix list entries in SearchList (Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Secure Access Client) registry are rewritten in reverse order separated by one or more commas. [NSHELP-31346] 
- 
    Spoofed IP address is used even after the NetScaler intranet application configuration is changed from FQDN based to IP based application. [NSHELP-31236] 
- 
    The gateway home page is not displayed immediately after the gateway plug-in establishes the VPN tunnel successfully. With this fix, the following registry value is introduced. \HKLM\Software\Citrix\Secure Access Client\SecureChannelResetTimeoutSeconds Type: DWORD By default, this registry value is not set or added. When the value of “SecureChannelResetTimeoutSeconds” is 0 or not added, the fix to handle the delay does not work, which is the default behavior. Admin has to set this registry on the client to enable the fix (that is to display the home page immediately after the gateway plug-in establishes the VPN tunnel successfully). [NSHELP-30189] 
- 
    AlwaysOnAllow list registry does not work as expected if the registry value is greater than 2000 bytes. [NSHELP-31836] 
- 
    Citrix Secure Access client for Windows does not tunnel new TCP connections to the back-end TCP server if the already connected Citrix Secure Private Access service region becomes unreachable. However, this does not affect the on-premises gateway connections. [ACS-2714] 
22.3.1.5 (24-Mar-2022)
Fixed issues
- 
    The Windows EPA plug-in name is reverted to the NetScaler Gateway EPA plug-in. [CGOP-21061] 
Known issues
- 
    Citrix Secure Access client for Windows does not tunnel new TCP connections to the back-end TCP server if the already connected Citrix Secure Private Access service region becomes unreachable. However, this does not affect the on-premises gateway connections. [ACS-2714] 
22.3.1.4 (10-Mar-2022)
What’s new
- 
    Enforce local LAN access to end users based on ADC configuration Admins can restrict the end users from disabling the local LAN access option on their client machines. A new option, FORCED is added to the existing Local LAN Access parameter values. When the Local LAN Access value is set to FORCED, the local LAN access is always enabled for end users on the client machines. End users cannot disable the local LAN settings using the Citrix Secure Access client UI. If admins want to provide an option to enable or disable local LAN access to the end user, they must re-configure the Local LAN access parameter to ON. To enable the FORCED option by using the GUI: - Navigate to NetScaler Gateway > Global Settings > Change Global Settings.
- Click the Client Experience tab and then click Advanced Settings.
- In Local LAN Access, select FORCED.
 To enable the FORCED option by using the CLI, run the following command: set vpn parameter -localLanAccess FORCED <!--NeedCopy-->[CGOP-19935] 
- 
    Support for Windows server 2019 and 2022 in the EPA OS scan EPA OS scan now supports Windows server 2019 and 2022. You can select the new servers by using the GUI. - Navigate to NetScaler Gateway > Policies > Preauthentication.
- Create a new preauthentication policy or edit an existing policy.
- Click the OPSWAT EPA Editor link.
- In Expression Editor, select Windows > Windows Update and click the + icon.
- In OS Name, select the server as per your requirement.
 You can upgrade to the OPSWAT version 4.3.2744.0 to use the Windows server 2019 and 2022 in the EPA OS scan. [CGOP-20061] 
- 
    New EPA scan classification types for missing security patches The following new classification types are added to the EPA scan for missing security patches. The EPA scan fails if the client has any of the following missing security patches. - Application
- Connectors
- CriticalUpdates
- DefinitionUpdates
- DeveloperKits
- FeaturePacks
- Guidance
- SecurityUpdates
- ServicePacks
- Tools
- UpdateRollups
- Updates
 You can configure the classification types by using the GUI. - Navigate to NetScaler Gateway > Policies > Preauthentication.
- Create a new preauthentication policy or edit an existing policy.
- Click the ((OPSWAT EPA Editor)) link.
- In Expression Editor, select Windows > Windows Update.
- In Shouldn’t have missing patch of following windows update classification type, select the classification type for the missing security patches
- Click OK.
 You can upgrade to the OPSWAT version 4.3.2744.0 to use these options. - For details about the Windows server update services classification GUIDs, see https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ff357803(v=vs.85)
- For the description of the Microsoft software updates terminology, see https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/standard-terminology-software-updates
 Earlier, the EPA scans for missing security patches were done on the severity levels; Critical, Important, Moderate, and Low on the Windows client. [CGOP-19465] 
- 
    Support for multiple device certificates for EPA scan In the Always on VPN configuration, if multiple device certificates are configured, the certificate with the longest expiry date is tried for the VPN connection. If this certificate allows EPA scan successfully, then VPN connection is established. If this certificate fails in the scan process, the next certificate is used. This process continues until all the certificates are tried. Earlier, if multiple valid certificates were configured, if the EPA scan failed for one certificate, the scan was not attempted on the other certificates. [CGOP-19782] 
Fixed issues
- 
    If the clientCert parameter is set to ‘Optional’ in the SSL profile when configuring the VPN virtual server, users are prompted multiple times to select the smart card. [NSHELP-30070] 
- 
    Users cannot connect to the NetScaler Gateway appliance after changing the ‘networkAccessOnVPNFailure’ always on profile parameter from ‘fullAccess’ to ‘onlyToGateway`. [NSHELP-30236] 
- 
    When Always on is configured, the user tunnel fails because of the incorrect version number (1.1.1.1) in the aoservice.exe file. [NSHELP-30662] 
- 
    DNS resolution to internal and external resources stops working over a prolonged VPN session. [NSHELP-30458] 
- 
    The Windows VPN client does not honor the ‘SSL close notify’ alert from the server and sends the transfer login request on the same connection. [NSHELP-29675] 
- 
    Registry EPA check for the “==” and “!=” operator fails for some registry entries. [NSHELP-29582] 
22.2.1.103 (17-Feb-2022)
Fixed issues
- 
    Users cannot launch the EPA plug-in or the VPN plug-in after an upgrade to Chrome 98 or Edge 98 browser versions. To fix this issue, perform the following: - For the VPN plug-in upgrade, end users must connect using the VPN client for the first time to get the fix on their machines. In the subsequent login attempts, users can choose the browser or the plug-in to connect.
- 
        For the EPA only use case, the end users will not have the VPN client to connect to the gateway. In this case, perform the following: - Connect to the gateway using a browser.
- Wait for the download page to appear and download the nsepa_setup.exe.
- After downloading, close the browser and install the nsepa_setup.exe file.
- Restart the client.
 
 [NSHELP-30641] 
21.12.1.4 (17-Dec-2021)
What’s new
- 
    Rebranding changes NetScaler Gateway plug-in for Windows is rebranded to Citrix Secure Access client. [ACS-2044] 
- 
    Support for TCP/HTTP(S) private applications Citrix Secure Access client now supports TCP/HTTP(S) private applications for remote users through the Citrix Workspace Secure Access service. [ACS-870] 
- 
    Additional language support Windows VPN and EPA plug-ins for NetScaler Gateway now support the following languages: - Korean
- Russian
- Chinese (Traditional)
 [CGOP-17721] 
- 
    Citrix Secure Access support for Windows 11 Citrix Secure Access client is now supported for Windows 11. [CGOP-18923] 
- 
    Automatic transfer logon when the user is logging in from the same machine and Always on is configured Automatic login transfer now occurs without any user intervention when Always on is configured and the user is logging in from the same machine. Previously, when the client (user) had to relogin in the scenarios such as system restart or network connectivity issues, a pop-up message appeared. The user had to confirm the transfer login. With this enhancement, the pop-up window is disabled. [CGOP-14616] 
- 
    Deriving Citrix Virtual Adapter default gateway IP address from the NetScaler provided net mask Citrix Virtual Adapter default gateway IP address is now derived from the NetScaler provided net mask. [CGOP-18487] 
Fixed issues
- 
    Sometimes, users lose internet access after a VPN tunnel is established in split tunnel ON mode. Citrix Virtual adapter’s erroneous default route causes this network issue. [NSHELP-26779] 
- 
    When split tunnel is set to “Reverse,” DNS resolution for the intranet domains fails. [NSHELP-29371] 
21.9.100.1 (30-Dec-2021)
What’s new
- 
    Citrix Secure Access support for Windows 11 Citrix Secure Access client is now supported for Windows 11. [CGOP-18923] 
Fixed issues
- 
    Sometimes, users lose internet access after a VPN tunnel is established in split tunnel ON mode. Citrix Virtual adapter’s erroneous default route causes this network issue. [NSHELP-26779] 
- 
    When split tunnel is set to “Reverse,” DNS resolution for the intranet domains fails. [NSHELP-29371] 
21.9.1.2 (04-Oct-2021)
Fixed issues
- 
    Sometimes, after disconnecting the VPN, the DNS resolver fails to resolve the host names, because the DNS suffixes are removed during VPN disconnection. [NSHELP-28848] 
- 
    Sometimes, a user is logged out of NetScaler Gateway within a few seconds when the client idle timeout is set. [NSHELP-28404] 
- 
    The Windows plug-in might crash during authentication. [NSHELP-28394] 
- 
    In Always On service mode, the VPN plug-in for Windows fails to establish the user tunnel automatically after the users log on to their Windows machines. [NSHELP-27944] 
- 
    After the tunnel establishment, instead of adding DNS server routes with the previous gateway IP address, the Windows plug-in adds the routes with the default gateway address. [NSHELP-27850] 
V21.7.1.1 (27-Aug-2021)
What’s new
- 
    New MAC address scan Support is added for newer MAC address scans. [CGOP-16842] 
- 
    EPA scan to check for Windows OS and its build version Added EPA scan to check for Windows OS and its build version. [CGOP-15770] 
- 
    EPA scan to check for a particular value’s existence A new method in the registry EPA scan now checks for a particular value’s existence. [CGOP-10123] 
Fixed issues
- 
    If there is a JavaScript error during login because of a network error, subsequent login attempts fail with the same JavaScript error. [NSHELP-27912] 
- 
    The EPA scan fails for McAfee antivirus last update time check. [NSHELP-26973] 
- 
    Sometimes, users lose internet access after a VPN tunnel is established. [NSHELP-26779] 
- 
    A script error for the VPN plug-in might be displayed during nFactor authentication. [NSHELP-26775] 
- 
    If there is a network disruption, UDP traffic flow that started before the network disruption does not drop for up to 5 minutes. [NSHELP-26577] 
- 
    You might experience a delay in the starting of the VPN tunnel if the DNS registration takes a longer time than expected. [NSHELP-26066] 
V21.3.1.2 (31-Mar-2021)
What’s new
- 
    Upgraded EPA libraries The EPA libraries are upgraded to support the latest version of the software applications used in EPA scans. [NSHELP-26274] 
- 
    NetScaler Gateway virtual adapter comaptibility The NetScaler Gateway virtual adapter is now compatible with Hyper-V and Microsoft Wi-Fi direct virtual adapters (used with printers). [NSHELP-26366] 
Fixed issues
- 
    The Windows VPN gateway plug-in blocks use of “CTRL + P” and “CTRL + O” over the VPN tunnel. [NSHELP-26602] 
- 
    The NetScaler Gateway plug-in for Windows responds only with an Intranet IP address registered in the Active Directory when a "nslookup"action is requested for the machine name.[NSHELP-26563] 
- 
    The IIP registration and deregistration fails intermittently if the split DNS is set as “Local” or “Both.” [NSHELP-26483] 
- 
    Auto logon to Windows VPN gateway plug-in fails if Always On is configured. [NSHELP-26297] 
- 
    The Windows VPN gateway plug-in fails to drop IPv6 DNS packets resulting in issues with DNS resolution. [NSHELP-25684] 
- 
    The Windows VPN gateway plug-in maintains the existing proxy exception list even if the list overflows because of the browser limit on the Internet Explorer proxy exception list. [NSHELP-25578] 
- 
    The Windows VPN gateway plug-in fails to restore the proxy settings when the VPN client is logged off in Always On mode. [NSHELP-25537] 
- 
    The VPN plug-in for Windows does not establish the tunnel after logging on to Windows, if the following conditions are met: - NetScaler Gateway appliance is configured for the Always On feature.
- The appliance is configured for certificate based authentication with two factor authentication “off.”
 [NSHELP-23584] 
In this article
- 25.9.1.5 (30-Sep-2025)
- 25.7.1.11 (13-Aug-2025)
- 25.5.1.15 (17-Jun-2025)
- 25.4.1.9 (08-May-2025)
- 25.2.1.18 (09-Apr-2025)
- 25.1.1.27 (21-Mar-2025)
- 24.11.1.17 (19-Dec-2024)
- 24.10.1.5 (08-Nov-2024)
- 24.8.1.19 (10-Oct-2024)
- 24.6.1.18 (24-Jul-2024)
- 24.4.1.7 (30-Apr-2024)
- 24.2.1.15 (04-Mar-2024)
- 23.10.1.7 (29-Nov-2023)
- 23.8.1.11 (19-Oct-2023)
- 23.8.1.5 (09-Aug-2023)
- 23.7.1.1 (14-Jul-2023)
- 23.5.1.3 (02-Jun-2023)
- 23.4.1.5 (14-Apr-2023)
- 23.1.1.11 (20-Feb-2023)
- 23.1.1.8 (08-Feb-2023)
- 22.10.1.9 (08-Nov-2022)
- 22.6.1.5 (17-June-2022)
- 22.3.1.5 (24-Mar-2022)
- 22.3.1.4 (10-Mar-2022)
- 22.2.1.103 (17-Feb-2022)
- 21.12.1.4 (17-Dec-2021)
- 21.9.100.1 (30-Dec-2021)
- 21.9.1.2 (04-Oct-2021)
- V21.7.1.1 (27-Aug-2021)
- V21.3.1.2 (31-Mar-2021)