Product Documentation

What's New?

Mar 30, 2016

The enhancements and changes released in Build 65.31.

Admin Partitions

  • GSLB Support in Admin Partitions

    The NetScaler appliance now supports the GSLB feature in admin partitions. You can now deploy, with an admin partition, applications that need the GSLB feature to distribute traffic across globally located datacenters.

    [#436582, 405290, 504574, 506221]

  • AAA-TM Support in Admin Partitions

    The NetScaler appliance now supports the AAA-TM feature in admin partitions. You can now deploy, with an admin partition, enterprise applications that require authenticated access.

    [#481384]

  • Stateful Connection Failover/Mirroring Support in Admin Partitions

    The NetScaler appliance now supports stateful connection mirroring in admin partitions. You can now deploy TCP-based applications in an admin partition, so that failure of one NetScaler appliance does not make the application unavailable.

    Note: The application must be deployed in a NetScaler high availability (HA) setup, and connection mirroring must be configured for the application.

    [#599629]

Application Firewall

  • NetScaler now supports the IP Reputation feature, which is useful in identifying an IP address that is sending unwanted requests. You can use the IP reputation list to preemptively reject requests that are coming from an IP with a bad reputation. NetScaler uses WebRoot as the service provider for the dynamically generated malicious IP database and the metadata for those IPs. The IP Reputation feature can be configured by using PI Expressions in a policy. For example, you can configure an application firewall policy using expressions such as: CLIENT.IP.SRC.IPREP_IS_MALICIOUS.

    [#580866]

CallHome

  • You can now configure the time interval for "Hard Disk Drive error" and "Compact Flash error" SNMP traps in a NetScaler appliance.

    [#568435]

Load Balancing

  • GSLB Powered Zone Preference

    In a distributed XenApp/XenDesktop deployment, StoreFront might not select an optimal datacenter when multiple equivalent resources are available from multiple datacenters. In such cases, StoreFront randomly selects a datacenter. It can send the request to any of the XenApp/XenDesktop servers in any datacenter, regardless of proximity to the client making the request.

    With this enhancement, the client IP address is examined when an HTTP request arrives at the NetScaler Gateway appliance, and the real client IP address is used to create the datacenter preference list that is forwarded to StoreFront. If the NetScaler appliance is configured to insert the zone preference header, StoreFront 3.5 or later can use the information provided by the appliance to reorder the list of delivery controllers and connect to an optimal delivery controller in the same zone as the client. StoreFront selects the optimal gateway VPN virtual server for the selected datacenter zone, adds this information to the ICA file with appropriate IP addresses, and sends it to the client. StoreFront then tries to launch applications hosted on the preferred datacenter's delivery controllers before trying to contact equivalent controllers in other datacenters.

    For more information about this enhancement, see http://docs.citrix.com/content/dam/docs/en-us/netscaler/11/downloads/global-server-load-balancing-powered-zone-preference.pdf.

    [#571032]

NetScaler Insight Center

  • Viewing the GET or POST requests

    The NetScaler Insight Center now displays the GET or POST requests that are sent by the client to a domain. To view the GET or POST requests, navigate to Domains > URLs > Clients > Http Request Method, or to Domains > URLs > Http Request Method > Clients.

    [#620323]

  • Gateway Insight

    Gateway Insight provides visibility into the failures encountered by all users, regardless of the access mode, at the time of logging on to NetScaler Gateway. You can view a list of all available users, number of active users, number of active sessions, and bytes and licenses used by all users at any given time. You can view the end-point analysis (EPA), authentication, single sign-on (SSO), and application launch failures for a user. You can also view the details of active and terminated sessions for a user.

    Gateway Insight also provides visibility into the reasons for application launch failure for virtual applications. This enhances your ability to troubleshoot any kind of logon or application launch failure issues. You can view the number of applications launched, number of total and active sessions, and the number of total bytes and bandwidth consumed by the applications. You can view details of users, sessions, bandwidth, and launch errors for an application.

    You can view the number of gateways, number of active sessions, and the total bytes and bandwidth used by all gateways associated with a NetScaler Gateway appliance at any given time. You can view the EPA, authentication, SSO, and application-launch failures for a gateway. You can also view the details of all users associated with a gateway, and their logon activity.

    To enable Gateway Insight for your NetScaler Gateway appliance, you must first add the NetScaler Gateway appliance to NetScaler Insight Center. You must then enable AppFlow for the virtual server representing the VPN application in NetScaler Insight Center.

    Navigation: Dashboard > Gateway Insight

    [#547839, 519787]

  • The following thin clients now support HDX Insight:

    - WYSE Windows-based thin clients

    - WYSE Linux-based thin clients

    - WYSE ThinOS-based thin clients

    - 10Zig Ubuntu-based thin clients

    [#614892]

  • Security Insight

    Web and web service applications that are exposed to the Internet have become increasingly vulnerable to attacks. To protect applications from attack, you require visibility into the nature and extent of past, present, and impending threats, real-time actionable data on attacks, and recommendations on countermeasures. Security Insight provides a single-pane solution to help you assess your application security status and take corrective actions to secure your applications.

    Security Insight is included in NetScaler Insight Center, and it periodically generates reports based on your Application Firewall and NetScaler system security configurations. The reports include the following information for each application:

    - Threat index. A single-digit rating system that indicates the criticality of attacks on the application, regardless of whether or not the application is protected by a NetScaler appliance. The more critical the attacks on an application, the higher the threat index for that application.

    - Safety index. A single-digit rating system that indicates how securely you have configured the NetScaler devices to protect applications from external threats and vulnerabilities. The lower the security risks for an application, the higher the safety index.

    - Actionable information. Information that you need to lower the threat index and increase the safety index, which significantly improves application security. For example, you can review information about violations, existing and missing security configurations in Application Firewall and NetScaler security features, the rate at which the applications are being attacked, and so on.

    [#587137]

Networking

  • Stateful Connection Failover Support for RNAT

    Connection failover helps prevent disruption of access to applications deployed in a distributed environment. The NetScaler appliance now supports stateful connection failover for connections related to RNAT rules in a NetScaler High Availability (HA) setup.

    In an HA setup, connection failover (or connection mirroring) refers to the process of keeping an established TCP or UDP connection active when a failover occurs. The primary appliance sends messages to the secondary appliance to synchronize current information about the RNAT connections. The secondary appliance uses this connection information only in the event of a failover. When a failover occurs, the new primary NetScaler appliance has information about the connections established before the failover and hence continues to serve those connections even after the failover. From the client's perspective this failover is transparent. During the transition period, the client and server may experience a brief disruption and retransmissions.

    Connection failover can be enabled per RNAT rule. To enable connection failover on an RNAT rule, enable the connFailover (Connection Failover) parameter of that specific RNAT rule by using either the NetScaler command line or the configuration utility. You must also disable the tcpproxy (TCP Proxy) parameter globally for all RNAT rules in order for connection failover to work properly for TCP connections.

    [#457167]

Platform

  • M4 EC2 Instance Support on Amazon AWS

    In the Amazon AWS cloud, a NetScaler AMI can now be launched as an M4 EC2 instance. Some features of the M4 EC2 instance type are:

    * 2.4 GHz Intel Xeon E5-2676 v3 (Haswell) processors

    * EBS-optimized by default at no additional cost

    * Balance of compute, memory, and network resources

    Note: A NetScaler AMI running as an M4 EC2 instance supports all M4 EC2 features except the enhanced networking features. For more information about M4 EC2 instance types, see https://aws.amazon.com/ec2/instance-types/.

    [#618107]

SSL

  • Using the SSL Chip Utilization Percentage Counter for Capacity Planning on MPX Appliances that use N3 Chips

    Knowing the percentage utilization of all the SSL chips in an appliance over a period of time helps in capacity planning. The counter increments every 7 seconds and therefore provides real-time data, which can help you predict when an appliance is likely to reach capacity.

    Note: This feature is available on only the MPX appliances that use N3 chips, which include MPX 11515/11520/11530/11540/11542 and MPX 220140/22060/22080/22100/22120/24100/24150 appliances.

    Some models of MPX 14020/14030/14040/14060/14080/14100 and MPX 25100/25160/25200, which use N3 chips, also support this feature.

    [#416807, 197702]

  • The NetScaler VPX appliance now supports TLS protocol versions 1.1 and 1.2 on the back end.

    [#543526, 579749, 619662]

  • New Client Authentication Counters for SSL Virtual Servers

    Two counters have been added to the output of the "stat ssl vserver" command as follows:

    1. ssl_ctx_tot_clientAuth_success: Tracks the number of successful client authentications for each SSL virtual server.

    2. ssl_ctx_tot_clientAuth_failures: Tracks the number of failed client authentications for each SSL virtual server.

    [#492684]

  • The NetScaler VPX appliance now supports AES-GCM/SHA2 ciphers on the front end.

    [#498207]

  • The NetScaler appliance now supports the following "signature algorithms" extensions in the back end client hello message:

    - RSA-MD5

    - RSA-SHA1

    - RSA-SHA256

    [#600155, 601059]
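
To see which of these pairs a back-end ClientHello advertises in a packet capture, the signature_algorithms extension body can be decoded as shown here. This is an added example, not code from the original page or from Citrix; the function names are hypothetical, and the sample bytes (including the order of the pairs) are constructed.

```python
import struct

# HashAlgorithm and SignatureAlgorithm code points from RFC 5246, 7.4.1.4.1
HASH = {0: "NONE", 1: "MD5", 2: "SHA1", 3: "SHA224",
        4: "SHA256", 5: "SHA384", 6: "SHA512"}
SIG = {0: "ANON", 1: "RSA", 2: "DSA", 3: "ECDSA"}
# Hashes an auditor would normally want reported when offered
WEAK_HASHES = {"NONE", "MD5", "SHA1"}


def parse_signature_algorithms(body: bytes) -> list:
    """Decode the extension_data of a signature_algorithms extension
    (extension type 13) into names such as 'RSA-SHA256'."""
    if len(body) < 2:
        raise ValueError("extension body shorter than its length prefix")
    (list_len,) = struct.unpack("!H", body[:2])
    pairs = body[2:]
    # The list must be non-empty, made of 2-byte pairs, and match its prefix.
    if list_len == 0 or list_len % 2 or list_len != len(pairs):
        raise ValueError("malformed supported_signature_algorithms list")
    names = []
    for i in range(0, list_len, 2):
        hash_id, sig_id = pairs[i], pairs[i + 1]
        sig = SIG.get(sig_id, f"SIG{sig_id}")
        digest = HASH.get(hash_id, f"HASH{hash_id}")
        names.append(f"{sig}-{digest}")
    return names


def weak_offers(names: list) -> list:
    """Return the advertised pairs whose hash is in WEAK_HASHES."""
    return [n for n in names if n.split("-", 1)[1] in WEAK_HASHES]


# Constructed sample: list length 6, then (hash, signature) pairs for
# SHA256/RSA, SHA1/RSA and MD5/RSA, the three pairs named in the note above.
SAMPLE_BODY = bytes.fromhex("0006040102010101")

if __name__ == "__main__":
    offered = parse_signature_algorithms(SAMPLE_BODY)
    print("offered:", offered)
    print("weak   :", weak_offers(offered))
```
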

System

  • You can now enable auto-bootstrapping on a NetScaler VPX or NetScaler 1000v instance running on Hyper-V, by attaching a DVD ROM with an appropriate ISO file to the instance before booting it up.

    [#578451]