Product Documentation

Known Issues

Jul 14, 2015

The following is a list of known issues in this release. Read the list carefully before installing the product.

  • A seamless Single Sign-On (SSO) to the same URL domain fails when a plug-in is launched in native mode.
    [# 544325]
  • When set in the Authentication Profile of a load balancing virtual server that is behind a Unified Gateway, the Authentication Domain parameter will cause single sign-on to fail when the authentication is performed by a traffic manager in a different traffic domain.
    [# 574194]
  • Sometimes the homepage shows up blank on chrome browser. Refreshing the page solves the issue.
    [# 574173]
  • When a VPN works as a SAML SP in a two-factor case, and if the Get /vpn/index after /cgi/samlauth comes to the same core, NetScaler resends the SAML Auth request.
    Intermittent issues appear in multi-core systems. It works normally if both requests go to different cores.
    [# 576414]
  • The NetScaler Gateway URL cannot be added to a Store with Receiver for Windows if only the SHA 384 cipher is enabled in the Receiver OS.
    [# 571340]
  • In the EULA and native client, the French characters, ‘œ’ and ‘Œ’, do not render properly.
    [# 571674]
  • In a double hop setup, when SSL relay is enabled for XenApp and XenDesktop, the XenApp or XenDesktop resource launch fails. The builds affected: 10.1-118.X to 10.5-55.8.
    [# 550877]
  • Smart Control does not work for applications that have SSL relay enabled on the server with few ICAPOLICY rules.
    [# 570437]
  • Customized pages are not loaded successfully in Internet Explorer. This is a known limitation of the browser. To get the customized page in IE, open developer tools by pressing F12. Browse to the NetScaler Gateway URL, and access the customized WebFront site. Customized pages are successfully loaded in Chrome.
    [# 570161]
  • When accessing SharePoint 2007 through Clientless VPN, the VPN session terminates, and some URL requests are not rewritten in Clientless VPN mode.
    [# 567887]
  • When exiting Receiver for Windows, the NetScaler Gateway plug-in exits also even when icon decoupling is enabled.
    [# 566871]
  • If a user adds multiple personal bookmarks with the same URL or fileshare address, but each bookmark has a different name, then deleting one bookmark will delete all of bookmarks with the same address.
    [# 558903]
  • The NetScaler Gateway client plug-ins will not decouple immediately for previously installed clients after the 'Show VPN Plugin-in icon with Receiver' option is enabled. Users needs to exit the plugin process and restart to complete the decoupling.
    [# 558799]
  • Web applications do not show the complete name of the bookmark. The VPN URL supports 32 characters, but the portal homepage only supports 8~11 characters.
    [# 572731]
  • Currently, the EULA feature in portal does not work for certificate authorization. It only works for authentication. EULA works fine in other scenarios.
    [# 556111]
  • When customizing a portal theme according to previous processes, for example using the command "vpn parameter UITHEME CUSTOM", the administrator needs to copy the CSS files in the NetScaler shell. Because of the design changes for Portal customization in NetScaler Gateway 11.0, copying the CSS files is required. Complete the steps described in the documentation page at:

http://docs.citrix.com/en-us/netscaler-gateway/10-5/ng-connect-users-wrapper-con/ng-connect-users-cr-integration-con/ng-connect-custom-theme-page-tsk.html

The following changes to the steps are needed:

After step 3,

4) At command prompt, type "cd /var/netscaler/logon/themes/ "

If you want to customize the Greenbubble theme, then

"cp -r Greenbubble Custom"

Or if you want to customize the Default theme, then

"cp -r Default Custom"

Now, you can make changes to files under "/var/netscaler/logon/themes/Custom"

Make edits to css/base.css

Copy a custom logo to the /var/ns_gui_custom/ns_gui/vpn/media folder

Make changes to labels in files present in resources/ directory. These correspond to different languages.

Note: You can use WinSCP to transfer the files.

If changes to html pages or javascript files are also needed, then edits in "/var/ns_gui_custom/ns_gui/" would be needed.

After all changes are done to files in "/var/ns_gui_custom/ns_gui"

At command prompt, type

"tar -cvzf /var/ns_gui_custom/customtheme.tar.gz /var/ns_gui_custom/ns_gui/*"

5. Use the configuration utility to switch to the custom theme.

The previous Step 5 is not required in NetScaler Gateway 11.0. Once changes are made to one appliance, they propagate to all appliances in HA or cluster configurations.

[# 556317]

  • When authprofile and authentication are configured to enable load balancing, the NetScaler appliance displays the /VPN/ Index page when it should display the HTTP Error 401- unauthorized access message. This happens intermittently when forms authentication enabled load balancing is modified for 401 authentication.
    [# 575652]
  • An internet connection is required for publisher verification for the NetScaler Gateway plug-in for Windows. If not connected to the internet when downloading the plug-in from the NetScaler Gateway, the error 'Publisher AGEE_setup.exec couldn't be verified' is seen.
    [# 553463, 558963]
  • The pop-up messages for NetScaler Gateway Plug-in for Windows appear behind the active applications (such as browsers) on Windows 8.
    [# 511757]
  • If two-factor authentication is configured with client certificates and LDAP and if 'Deny SSL Renegotiation' is set to 'All', user connections fail. The 'Deny SSL Renegotiation' parameter must be set to 'No'.
    To configure Deny SSL Renegotiation
    1. In the configuration utility, on the Configuration tab, in the navigation pane, expand Traffic Management and then expand SSL.
    2. In the details pane, under Settings, click 'Change advanced SSL settings'.
    3. Select 'No' for 'Deny SSL Renegotiation' and then click OK.
    [# 480009]
  • A selected certificate does not get saved when SSL renegotiation with two-factor authentication is enabled. The certificate does get saved when certificate authentication is enabled.
    [# 574649]
  • Audio over UDP is not supported with ICA sessiontimeout enabled or with Smart Control.
    [# 572850]
  • On Android 4.4.2. devices, after frequent network changes, the VPN session may disconnect. Until the device is rebooted, a new VPN session can not be established. Upgrading the Android version resolves the problem.
    [# 575105]
  • If an invalid certificate is selected as part of login, when certificate Authentication is optional, and two factor authentication is ON, the login fails as expected. But an app saves the certificate, though login failed. The user has to manually delete the saved certificate from the EditConnection Page to retry with a valid/no certificate.
    [# 575047]
  • Android devices prior to version 5.0, SSL renegotiation fails when TLS1.2 is enabled.
    [# 574640]
  • After login is successful from browser, the VIP URL changes to "localvip:8080".
    [# 576221]
  • The Client and EPA Plug-ins don't work with the latest Chrome versions as support for NPAPI is disabled by default. The support will be deprecated entirely in Chrome version 45 in September 2015.
    From Chrome version 42, all NPAPI plugins will appear as if they are not installed. This will affect customers upgrading from 10.5 to 11.0. This is also applicable to customers who upgrade from 11.0 Beta builds and later Release builds. Affected customers will see a download prompt even though the VPN or EPA plugin is installed.
    Work Around:
    There is no work around to enable NPAPI for Chrome on Linux.
    Users need to use a browser which allows NPAPI (e.g. Firefox).
    More about NPAPI deprecation in Chrome browsers can be found at: https://support.google.com/chrome/answer/6213033?hl=en
    [# 574355]
  • The plug-in crashes when VPN logout is performed from browser.
    [# 576215]
  • An unintentional automatic Linux exit happens under the following conditions:
    * The NetScaler appliance is configured for dual, certificate authentication and LDAP authentication.
    * The subject field of the client certificate doesn’t contain an email attribute value.
    [# 571281]
  • During login, the icon present in the dock is changed to the previous version's icon. After the login process is finished, the icon changes to the new icon.
    Workaround: Quit the plugin and restart it. The new icon shows normally during the login process.
    [# 574428]
  • The NetScaler appliance is not able to connect a Mac computer to the VPN if only SSLv2 is enabled.
    [# 574149]
  • The NetScaler Gateway Client icon in Launchpad is not updated with the new client installation. Launchpad continues to show the previous Black Lock icon even though the new Blue Lock icon is shown elsewhere in the Finder. This happens because the Finder caches application icons and their aliases. As a result, the Launcher does not update the alias icon when the application's icon has been changed.
    Workaround - Clear the Finder's icon cache using following article's instructions: http://apple.stackexchange.com/questions/151549/symbolic-link-icons-dont-update (requires reboot) OR modify the application aliias name in /Applications/Citrix by adding few spaces (minimum two).
    [# 573907]
  • The Mac OS Endpoint Analysis (EPA) client only supports TLS1.0 and thus cannot perform EPA if the server has only TLS1.1/1.2 enabled.
    There is no workaround for this problem, but a customer can still perform EPA with the Mac VPN plugin. EPA from a browser will not be available if TLS1.0 is not enabled.
    [# 572969]
  • When you navigate to Settings > Options > Account in an Outlook Web Access browser, the account information does not appear. This issue occurs on IE 10 and IE 11 browsers.
    [# 571714]
  • On the Unified Gateway Dashboard, the ICA sessions counter increases when a Full VPN session is established. Although the ICA sessions counter is not configured to collect ICA data, the ICA sessions counter increases.
    [# 573301]
  • When the HTTP/2 Protocol is used to access the VPN with external authentication, the transaction will not go through. Ensure HTTP/2 is disabled in nshttp_default_strict_profile.
    [# 574742]
  • Endpoint analysis (EPA) does not start a security scan on the user’s device, and the VPN session does not launch with the proxy configured on a Chrome browser.
    [# 575527]
  • If StoreFront has been configured as WIHome parameter, then accessing the Store Apps in Applications tab in the homepage over Full vpn mode with Windows does not work and an error message "Cannot complete your request" is returned.
    [# 575993]
  • After setting a netprofile to the virtual server, unbind and rebind the SSL cert-key pair bound to the virtual server to connect with DTLS. If this is not done, the DTLS connection handshake between the client and the NetScaler Gateway appliance fails. After rebinding the SSL certkey pair, the handshake is accepted and the netprofile is honored.
    [# 555018]
  • Applicable only for Mac and Linux VPN clients
    Chrome is phasing out NPAPI support. From Chrome version 42+ all NPAPI plugins will appear as if they are not installed. This will affect all existing customers. Affected customers will see a download prompt even though the VPN plugin is installed.
    Workaround: Google has announced that Chrome will stop supporting NPAPI completely in version 45.
    Until then, you can enable NPAPI as follows:
    1) In the Chrome URL bar, type:
    Chrome://flags
    2) Enable the "Enable NPAPI" option.
    3) Restart Chrome.
    For more information about NPAPI deprecation, see https://support.google.com/chrome/answer/6213033?hl=en
    [# 572447, 574353, 575609]
  • When using the Smart Control configuration, the ICASESSIONTIMEOUT feature is always enabled. There is not an option to disable it.
    [# 572386]
  • The Unified Gateway wizard does not support the creation of two Intranet Application type seamless SSO URLs using same LB with different site relative string.
    [# 576055]
  • Two NSC_AAAC cookies are seen when a request is sent by a Client to the VIP. The value is the same for both cookies. One cookie is for FQDN; the other cookie is for the domain.
    Two NSC_AAAC cookies are no longer seen after the version 11.0 beta.
    [# 540590, 539586]
  • When Unified Gateway is deployed with seamless SSO enabled for virtual server authentication, then the authentication servers and policy realms bound at the authentication virtual server will be ignored. Instead, those authentication policies at Gateway are utilized for authentication. Authentication policies at the authentication virtual server are used when step-up authentication is configured using authentication profiles. Increasing the authentication profile's "authentication level" is the method used to step-up authentication.
    [# 540526]
  • Certificate based authentication fails for devices running Android versions before 5.0. This is applicable if only TLSv1.2 is enabled on server.
    [# 572098]
  • When the maxAAAUsers parameter is UNSET on a VPN virtual server, NetScaler Gateway does not update the value to previously set value. Due to this, numbers of users allowed on a vpn virtual server cannot be increased by applying an UNSET operation. Administrators need to configure a SET operation as a workaround.
    For example, if the administrator configures 10 as the maxAAAUsers value, then issues a SET operation for 5, if he issues another UNSET, the number of allowed users does not go back to 10 users.
    [# 576063]