Citrix Secure Access for Windows release note

The Citrix Secure Access client for Windows is now released on a standalone basis and is compatible with all NetScaler versions. We recommend that you use the latest version of Citrix Secure Access client as it contains the latest fixes and enhancements.

The Citrix Secure Access client releases follow the format YY.MM.Release.Build.

The release notes describe the new features, enhancements to the existing features, and fixed issues.

What is ’s ’s new: The new feature and enhancement available in the current release .

fix issue: The issues that are fixed in the current release.

For detailed information on the supported features, see NetScaler Gateway Product Documentation.

note :

24.10.1.5 (08-Nov-2024)

fix issue

• InSecure Private Access mode, hostname-based application access might fail when a device resumes from standby.

  [SPAHELP-355]

• When a device resumes from standby, the Citrix Secure Access client for Windows might occasionally take more than 60 seconds to activate and connect.

  [SPAHELP-350]

• The Citrix Secure Access client for Windows fail to establish a VPN connection to NetScaler Gateway when the Server Name Indication (SNI) is enabled.

  [NSHELP-38813]

• Users cannot establish a VPN connection due to SSL renegotiation failure when the session ticket parameter is enabled on NetScaler Gateway.

  [NSHELP-38793]

• Users cannot establish a VPN connection if there was a network failure during the previous logout process.

  [NSHELP-38791, NSHELP-38641]

• The nsRmSac.exe cleanup utility of the Citrix Secure Access client requires manual intervention to run on the end user’s device. For more information, see Completely skip the DNE installation.

  [NSHELP-38711]

• After logging out of the VPN, localhost communication might fail if one of the network adapters on the machine is using the loopback address as the DNS server. As a result, when users attempt to log back into the VPN through the browser, they might be prompted to download the EPA plug-in again (if EPA is configured as an authentication factor), even if it is already installed.

  [ NSHELP-38427 ]

• The custom redirection might fail when the user logs into the NetScaler Gateway virtual server using the Citrix Secure Access client for Windows.

  [NSHELP-38382]

24.8.1.19 (10-Oct-2024)

Important update:

Citrix Secure Access version is replaces 24.8.1.19 replace 24.8.1.15 and is now generally available .

What is ’s ’s new

• Secure Private Access support for cloud-hosted multi-session VDI

  Citrix Secure Access client now supports the use of Secure Private Access to achieve zero trust access to corporate resources from cloud-hosted multi-session VDIs. Admin can enable this feature using the EnableMultiSessionFlow registry . For domain – join machine , use bothEnableMultiSessionFlow and alwaysonservice registries. For more information, see NetScaler Gateway Windows VPN client registry keys.

  [CSACLIENTS-10642]

• Continuous device posture assessment for active Secure Private Access applications

  When you enable the Periodic scan setting in the Device Posture Service, EPA client scans the device every 30 minutes. If it detects a downgrade in posture status, it notifies the user and disconnects active Secure Private Access connections through the Citrix Secure Access client. For more information, see Periodic scanning of devices.

  [ AAUTH-4910 ]

• Support to exclude DNS traffic by Citrix Secure Access

  You can now exclude DNS traffic from being intercepted by Citrix Secure Access client. For more information, see Exclude specific domain traffic from client interception.

  [CSACLIENTS-10347]

• Always On location detection support for Secure Private Access

  Citrix Secure Access for Windows supports the location detection feature for the Secure Private Access service. It connects the user’s machine to the VPN session if it is not in the corporate network and disconnects the user’s VPN session if the machine is in the corporate network. You must use the locationDetection registry and configure the DNS suffix on the Secure Private Access admin UI console to enable the location detection feature.

  For more information on using the registry, see NetScaler Gateway Windows VPN client registry keys.

  For more information on configuring the DNS suffix, see DNS suffixes to resolve FQDNs to IP addresses.

  [CSACLIENTS-8783]

• Auto log on support for Azure Entra ID

  Citrix Secure Access supports auto-logon for Azure AD joined machines and hybrid Azure AD joined machines using Primary Refresh Tokens (PRT) mechanism for both NetScaler Gateway and Secure Private Access. For more information, see Citrix Secure Access auto logon for Windows Azure AD joined machines.

  [CSACLIENTS-10595]

• support to triage and troubleshoot enumeration failure

  Citrix Secure Access now supports triaging and troubleshooting enumeration failures using Citrix Monitor or Citrix Director, in Secure Private Access deployments. For more information, see Secure Private Access integration with Director (Preview).

  [CSACLIENTS-10751]

• Enhanced Windows Last Update scan

  The Windows Last Update scan is checks now check the Windows Updates instal through Windows Auto Upgrade service and also the update instal via BigFix , Intune , and other third party tool . For more information , see Advanced Endpoint Analysis scan .

  [AAUTH-4876]

• Split DNS support for TCP-based DNS requests

  Citrix Secure Access supports split DNS for TCP based DNS requests, same as UDP based DNS requests. Admin can enable this feature using the EnableTCPDNS registry. For more information, see Session policies and NetScaler Gateway Windows VPN client registry keys.

  [CSACLIENTS-8142]

• Enhanced client certificate authentication

  During client certificate authentication, Citrix Secure Access automatically selects the client certificate based on the CA certificates configured on NetScaler Gateway. For more information, see Configuring Client Certificate Authentication.

  [CSACLIENTS-10592]

• support for Citrix Secure Private Access for on – premise

  Citrix Secure Access now supports Citrix Secure Private Access for on-premises. For more information, see Citrix Secure Access client.

  [CSACLIENTS-10543]

fix issue

• Citrix Secure Access client does not display the correct error message on the Windows Credential Provider screen if the authentication fails due to an unreachable network.

  [SPAHELP-333]

• The Citrix Secure Access client UI fails to display the custom messages configured using the NetScaler Gateway RfWebUI portal theme.

  [ NSHELP-38362 ]

• DNS traffic is drop if the DNS suffix apply to the Citrix Virtual Adapter ( connect to Citrix Secure Access ) is truncate after 15 character . This issue is occurs occur because NetScaler Gateway treat the dns suffix as a NetBIOS name .

  [NSHELP-37990]

• Citrix Secure Access client generates high DNS traffic when an user accesses multiple applications over the VPN tunnel.

  [NSHELP-37822]

24.6.1.18 ( 24 – Jul-2024 )

Important update:

Citrix Secure Access version 24.6.1.18 replaces 24.6.1.17 and is now generally available.

What is ’s ’s new

• EPA is scan scan to check Citrix Workspace app version

  Citrix Secure Access supports a new EPA scan “CWA Version”, that verifies the Citrix Workspace version on Windows machines. For details about the supported EPA scans, see Expression strings.

  [ aauth-4870 ]

• Automatic single sign-on to Citrix Secure Access through Citrix Workspace app

  Citrix Workspace app offers a unified client management experience for Citrix Secure Access. When users log on to Citrix Workspace app, they are automatically signed on to Citrix Secure Access and can access TCP/UDP applications seamlessly without the need to manually configure and sign in to multiple client applications. For details, see Automatic single sign-on to Citrix Secure Access through Citrix Workspace app for Windows – Preview.

  [CSACLIENTS-6418]

• Tunnel exclusion support in Secure Private Access

  Citrix Secure Access is exclude can now exclude certain application traffic from being tunnel by using the registry ,ExcludeDomainsFromTunnel.

  If example.com is an intranet domain that hosts multiple applications, and you want to exclude specific applications such as sshhost.example.com, rdphost.example.com, * .ftphost.example.com, you can use this registry.

  For details, see NetScaler Gateway Windows VPN client registry keys.

  [CSACLIENTS-8972]

• IP address spoof for TCP – base dns request

  Citrix Secure Access supports IP address spoofing of TCP-based DNS requests in the following scenarios:

  • FQDN-based tunneling rules are configured on NetScaler Gateway.
  • FQDNs match the DNS suffixes in a Citrix Secure Private Access deployment.

  [CSACLIENTS-8328]

• interoperability enhancement with third – party secure web gateway

  The User – Agent string for Citrix Secure Access have been update for enhanced interoperability with third party secure web gateway .

  [ CSACLIENTS-8593 ]

• support for Citrix Secure Private Access for on – premise

  Citrix Secure Access now supports Citrix Secure Private Access for on-premises.

  [CSACLIENTS-10543]

• Enhanced EPA scan encryption

  The security encryption of EPA scans is enhanced by the Elliptic Curve Diffie-Hellman (ECDH) keys.

  [CSACLIENTS-8308]

• hash key for signature creation

  Admins can now use the SHA-384 hash key to create signatures for device certificate authentication.

  [CSACLIENTS-8296]

• Seamless connectivity during POP failure

  Ina Secure Private Access deployment, VPN users are automatically reconnected to a different Point of Presence (POP) without manual intervention, when connectivity to the current POP fails.

  [ CSACLIENTS-6396 ]

• Enhanced diagnostics

  The Citrix Secure Access diagnostics are enhanced with additional fields that can help troubleshoot access issues with TCP/UDP apps.

  [CSACLIENTS-8335]

fix issue

• DNS resolution is fails fail on Windows 11 device if the Windows Management Instrumentation Command – line ( WMIC ) feature is disabled .

  [ NSHELP-37603 ]

• Citrix Secure Access blocks IPv6 traffic from being routed over a loopback interface if reverse split tunneling and intranet IP address are configured on NetScaler Gateway.

  [NSHELP-37096], [NSHELP-37534]

• Citrix Secure Access is crashes crash if the IP address range of the intranet application is configure with a wildcard subnet mask .

  [ NSHELP-37788 ]

• After an upgrade, users cannot connect to Microsoft applications if reverse split tunneling and intranet IP addresses are configured on NetScaler Gateway.

  [NSHELP-37876]

• When Citrix Secure Access client is configure with WFP , VPN connectivity is lose during an active session or when multiple login and logout happen .

  [NSHELP-37881]

• DNS resolution is delayed when applications on the client machine send A and AAAA record-type DNS queries.

  [NSHELP-38067]

• Kerberos authentication fails in a Citrix Secure Private Access deployment.

  [SPAHELP-286]

• Inthe Windows Filtering Platform (WFP) mode, application name of the intranet resource being accessed appears as N / A on the Secured Applications’ connections tab on the Citrix Secure Access UI.

  [CSACLIENTS-9664]

• Ina Citrix Secure Private Access deployment, Citrix Secure Access client fails to switch from machine-level tunnel to user-level tunnel if Always On is configured.

  [CSACLIENTS-9604]

24.4.1.7 (30-Apr-2024)

fix issue

End-users cannot log on to Citrix Secure Access when autologon fails in the Microsoft Edge WebView mode.

[CSACLIENTS-10005]

DNS resolution fails for some backend resources when the AAAA record-type DNS queries are sent by the client application.

[SPAHELP-288], [CSACLIENTS-10460]

Citrix Secure Access is fail might fail to establish new connection in the WFP driver mode if the client run for several hour .

[NSHELP-37427], [NSHELP-37124], [SPAHELP-280]

Citrix Secure Access displays an EPA scan error message of a device certificate failure in a different language, although the language set is English.

[NSHELP-37477]

Internet and intranet connections might be lost after a prolonged VPN session if Always On VPN is configured in the WFP mode.

[NSHELP-37283]

EPA scan fails when the “filetime” parameter is configured.

[ NSHELP-37564 ]

The MD5 checksum configuration is fails of a file fail during an EPA scan .

[NSHELP-37491]

The Windows credential manager screen is displays display the Citrix Secure Access icon even though VPN is not in the Always On vpn mode .

[NSHELP-37205]

The Citrix Secure Access logs display the IP addresses in reverse order. For example, if a Microsoft Edge browser is connected to NetScaler (IP: 192.20.4.5:24), the log message appears as,

"Application msedge.exe has opened a connection to 5.4.20.192:24 |Making a connection to 5.4.20.192:24 by msedge.exe |"

[NSHELP-37314]

After an upgrade, when users click the Home page button on the Citrix Secure Access GUI, the home page URL fails to launch on the default browser.

[NSHELP-37659]

The device certificate check fails in a Citrix Secure Private Access deployment if the certificate is signed by an intermediate CA instead of the root CA.

[SPAHELP-287]

24.2.1.15 ( 04 – mar-2024 )

What is ’s ’s new

• Support for SNI

  Ina Citrix Secure Private Access deployment , Citrix Secure Access client is supports now support the server name indication ( SNI ) extension on all the pre – authentication request .

  [ SPAHELP-236 ]

• Support for TLS 1.3

  Citrix Secure Access client now supports the TLS 1.3 protocol. TLS 1.3 is supported on the following platforms:

  • Windows 11 and later
  • Windows Server 2022 and later

  For details on how to configure TLS 1.3 on NetScaler, see Support for TLS 1.3 protocol.

  [CSACLIENTS-6106]

• Support for Windows OS details in the HTTP header

  Citrix Secure Access client now includes details of the Windows OS as part of the HTTP header (user-agent) string.

  [NSHELP-36732]

fix issue

• DNS resolution intermittently fails if IPv6 is enabled on the client network adapter.

  [ NSHELP-35708 ]

• Users is be might not be able to log on to Citrix Secure Access client if there are simultaneous login attempt using autologon .

  [ NSHELP-35768 ]

• Citrix Secure Access installation fails when Smart App Control is enabled on non-English client machines.

  [NSHELP-36126], [NSHELP-36907]

• Users cannot access some applications through VPN if Citrix Secure Access client is configured with the WFP driver. This issue occurs because of modifications to the firewall policies.

  [NSHELP-36254], [NSHELP-36312]

• A popup dialog is appears appear during an EPA scan . However , when the user click OK , EPA scan is works work as usual . This issue is occurs occur when the swedish language is select (Configuration > Language) on the Citrix Secure Access client UI.

  [ NSHELP-36408 ]

• Inan Always On VPN mode, the machine level tunnel fails to transfer the session when the user certificate authentication is configured on NetScaler Gateway.

  [NSHELP-36492]

• Access to the intranet resources intermittently fails when the Windows Filtering Platform (WFP) driver is enabled on Citrix Secure Access client.

  [NSHELP-36568]

• The Citrix Secure Access client UI page is freezes intermittently freeze when user click the Home button .

  [NSHELP-37046]

• Non-admin users cannot connect to the full VPN tunnel if the following conditions are met:

  • EPA is configured as a factor in an nFactor flow.
  • Edge WebView is enable .
  • The control upgrade setting of Citrix EPA client is set to Always on NetScaler Gateway and there’s a mismatch in the Citrix EPA client versions between the client device and NetScaler.

  [ NSHELP-37340 ]

• EPA device certificate scan is fails fail   if the client machine ’s system certificate store contain only one device certificate .

  [NSHELP-37371]

• The login page of Citrix Secure Access client intermittently goes blank when connecting to Citrix Secure Private Access service.

  [SPAHELP-202]

• End-users might not be able to connect the client machines to the domain through VPN if Windows Server 2019 or later versions are used.

  [ SPAHELP-219 ]

• When Citrix Device Posture service is enabled, unwanted entries appear in the Connection drop-down list of the Citrix Secure Access client UI.

  [ SPAHELP-271 ]

• End-users cannot access the intranet resources if the single sign-on feature is enabled on Citrix Secure Access client.

  [ CSACLIENTS-9940 ]

• Citrix Secure Access might crash due to memory corruption.

  [NSHELP-36993]

23.10.1.7 ( 29 – nov-2023 )

What is ’s ’s new

• Configure private port range for server initiated connections

  You can now configure a private port ranging from 49152 to 64535 for server-initiated connections. Configuring private ports avoids conflicts that might arise when you use ports to create sockets between Citrix Secure Access client and third party apps on the client machines. You can configure the private ports by using the “SicBeginPort” Windows VPN registry. Alternatively, you can configure the private port range by using a VPN plug-in customization JSON file on NetScaler.

  For more information , see Configure server – initiate connection and NetScaler Gateway Windows VPN client registry key .

  [NSHELP-36627]

• kerbero authentication support for seamless autologon

  Citrix Secure Access client now uses the Kerberos authentication method for autologon. As part of this support, a VPN client registry key “EnableKerberosAuth” is introduced. As a pre-requisite, admins must configure Kerberos authentication on NetScaler and on their client machines. End users must install Microsoft Edge WebView on their machines to enable the Kerberos authentication method. For more information, see Autologon with Kerberos authentication.

  [CSACLIENTS-3128]

• Auto assign of spoof IP address range

  Citrix Secure Access client can now detect and apply a new spoof IP address range if there is a conflict between the admin-configured spoof IP address range and the IP-based applications or the end-user’s network.

  [ CSACLIENTS-6132 ]

• Microsoft notifications

  The Citrix Secure Access client notifications is appear now appear as Microsoft notification on the Notifications panel of your Windows machine .

  [CSACLIENTS-6136]

• improve log collection

  The Verbose log level is now used as the default debug logging level for an enhanced log collection and troubleshooting. For more information about logging, see Configure logging by using the client user interface.

  [CSACLIENTS-8151]

fix issue

Citrix Secure Access client remains in the “Connecting” state if the machine tunnel of the Always On service fails to detect the client device location.

[CSACLIENTS-1174]

The transfer logon feature fails to work when Microsoft Edge WebView is enabled in Citrix Secure Access client.

[CSACLIENTS-6655]

Inthe Always On service mode, Citrix Secure Access client fails to establish a machine-level tunnel with NetScaler Gateway if the device certificate-based classic authentication policies are bound to a VPN virtual server.

[ NSHELP-33766 ]

Incoming and outgoing Webex calls fail when users are connected to the VPN. This issue occurs when the Windows filtering platform (WFP) driver is enabled on Citrix Secure Access client instead of the Deterministic network enhancer (DNE) driver.

[NSHELP-34651]

Citrix Secure Access client crashes if the following conditions are met:

• Connections are switched when SAML policies are bound to a VPN virtual server.
• Internet Explorer WebView support is enabled.

[NSHELP-35366]

The Citrix Secure Access client UI displays the Connect button during autologon. This issue occurs if the UserCert authentication method is used to connect to VPN.

[NSHELP-36134]

The local LAN access feature fails to work with Citrix Secure Access client if a machine-level tunnel is configured.

With this release, the local LAN access feature can be set with a machine-level tunnel configuration. To achieve this, you must configure the local LAN access parameter to FORCED when using the machine tunnel mode. For more details, see Enforce local LAN access to end users based on ADC configuration.

[NSHELP-36214]

When a client machine wakes up from sleep mode multiple times, Citrix Secure Access client fails to establish a VPN connection with the intranet applications.

[ NSHELP-36221 ]

23.8.1.11 ( 19 – Oct-2023 )

fix issue

The epaPackage.exe file might fail to download if forward proxy support is configured on NetScaler Gateway.

[CSACLIENTS-6917]

The Citrix EPA client installation fails for non-admin users with restricted access to C drive.

[NSHELP-36590]

23.8.1.5 (09-Aug-2023)

fix issue

Kerberos SSO is fails fail for application when connect over Citrix Secure Private Access service .

[CSACLIENTS-912]

application access is fails with Citrix Secure Private Access service fail intermittently . This issue is occurs occur when Citrix Secure Access client share an incorrect destination ip address for TCP or udp traffic .

[CSACLIENTS-1151, CSACLIENTS-6326]

Citrix Secure Access client fails to launch applications intermittently because of a DNS caching issue.

[ CSACLIENTS-1170 ]

Citrix Secure Access client fails to apply a DNS suffix to Citrix Virtual Adapter. This issue occurs when Citrix Virtual Adapter fails to authenticate with Active Directory.

[NSHELP-33817]

Citrix Secure Access client crashes if the following conditions are met:

• NetScaler Gateway virtual server contains a client certificate as a factor for nFactor authentication.
• Microsoft Edge WebView support is enabled.

[CSACLIENTS-6171]

When connected to VPN, you might not be able to access back-end resources after you apply Microsoft KB5028166.

[NSHELP-35909]

Citrix Secure Access client intermittently fails to download the configurations from NetScaler Gateway when the portal customization exceeds the allowed limit.

[NSHELP-35971]

know issue

The transfer logon feature fails to work with Citrix Secure Access client. This issue occurs when Microsoft Edge WebView is enable .

workaround : log on using a web browser to transfer the session .

23.7.1.1 (14-Jul-2023)

fix issue

Insome cases, after an upgrade to the release version 23.x.x.x, traffic fails to pass through the VPN tunnel, resulting in blocking of VPN access when an Intranet IP range is configured on NetScaler. This happens when cross profile firewall rule is not applied to VPN applications.

[NSHELP-35766]

23.5.1.3 (02-Jun-2023)

fix issue

The Always On service crashes when the improved log collection is enabled using the “useNewLogger” registry under HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Secure Access Client.

[ CGOP-24462 ]

23.4.1.5 ( 14 – Apr-2023 )

What is ’s ’s new

• Microsoft Edge WebView support

  Microsoft Edge WebView support is introduces on Citrix Secure Access client for Windows introduce an enhance end user experience . This feature is disable , by default . For detail , see Microsoft   Edge   WebView support for Windows Citrix Secure Access .

  [CGOP-22245]

• Adding DNS suffixes to resolve FQDNs to IP addresses

  Admins can now add suffixes to the applications at the operating system level. This helps Citrix Secure Access clients to resolve a non-fully qualified domain name during name resolution.

  Admins is configure can also configure application using the IP address ( IP CIDR / ip range ) so that the end user can access the application using the corresponding FQDNs . For detail see , DNS suffix to resolve fqdn to IP address .

  [ACS-2490]

• improve log collection

  The logging feature for the Windows Secure Access client is now improve for log collection and debugging . The follow change are made to the logging feature .

  • enable user to change the maximum log file size to a value less than 600 MB .
  • Enable users to update the number of log files to less than 5.
  • Increase the log levels to three for the new logging feature.

  With these changes, admins and end-users can collect logs from thecurrent session and past sessions. Previously, collection of logs was limited to the current sessions only. For details see, improve log collection for Windows client.

  Note:

  To enable debug logging, select Logging > Verbose from theSelect Log Level drop-down list. Prior to the Citrix Secure Access client for Windows 23.4.1.5 release, debug logging could be enabled using the Configuration > Enable debug logging check-box.

  [ CGOP-23537 ]

• Support for sending events to Citrix Analytics service

  Citrix Secure Access client for Windows now supports sending events such as session creation, session termination, and app connection to Citrix Analytics service. These events are then logged in Citrix Secure Private Access dashboard.

  [SPA-2197]

fix issue

• Citrix Secure Access client single sign-on authentication with Citrix Workspace app to cloud endpoint fails for Unicode users.

  [CGOP-22334]

• Access to the resources fails when host name-based applications are configured along with DNS suffix in Citrix Secure Private Access.

  [SPA-4430]

• Always-On VPN connection fails intermittently on startup due to gateway virtual server reachability issue.

  [NSHELP-33500]

• Intranet resources overlapping with a spoofed IP address range cannot be accessed with split-tunnel set to OFF on the Citrix Secure Access client.

  [ nshelp-34334 ]

• Citrix Secure Access client is fails fail to load the authentication schema lead to login failure in Citrix Secure Private Access service .

  [SPAHELP-98]

23.1.1.11 (20-Feb-2023)

This release is addresses address issue that help to improve the overall performance and stability of Citrix Secure Private Access service .

23.1.1.8 (08-Feb-2023)

fix issue

• DNS resolution failures occur as the Citrix Secure Access fails to prioritize IPv4 packets over IPv6 packets.

  [NSHELP-33617]

• The os filtering rule are capture when the Citrix Secure Access client is run in Windows Filtering Platform ( WFP ) mode .

  [NSHELP-33715]

• Spoofed IP address is used for IP-based intranet applications when the Citrix Secure Access client runs on Citrix Deterministic Network Enhancer (DNE) mode.

  [NSHELP-33722]

• When using the Windows Filtering Platform (WFP) driver, sometimes intranet access does not work after the VPN is reconnected.

  [ NSHELP-32978 ]

• endpoint analysis is fails ( EPA ) scan for OS version check fail on Windows 10 and Windows 11 Enterprise multi – session desktop .

  [ NSHELP-33534 ]

• Windows client supports 64 KB configuration file size, by default, and this restricts the users to add more entries in the configuration file. This size can be increased by setting the ConfigSize registry value in HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Secure Access Client. The ConfigSize registry key type is is isreg_dword and key data is <Bytes size>. If the configuration file size is large than the default value ( 64 KB ) , then the ConfigSize registry value must be set to 5 x 64 KB ( after convert to byte ) for every addition of 64 KB . For example , if you are add additional 64 KB , then you is set must set the registry value to 64 x 1024 x 5 = 327680 . similarly , if you are add 128 KB , then you is set must set the registry value to 64 x 1024 x ( 5 + 5 ) = 655360 .

  [SPA-2865]

• On VPN logoff, DNS suffix list entries in SearchList registry are rewritten in a reverse order separated by one or more commas.

  [ NSHELP-33671 ]

• Proxy authentication fails when the NetScaler appliance completes an EPA scan for antivirus.

  [NSHELP-30876]

• If the Citrix Secure Access relate registry value are great than 1500 character , then the log collector is fails fail to gather the error log .

  [NSHELP-33457]

22.10.1.9 (08-Nov-2022)

What is ’s ’s new

• EPA support for connection proxy type site persistence in GSLB

  Windows EPA scan now supports connection proxy type site persistence in GSLB when the scan is initiated from a browser. Previously, EPA scan for Windows did not support connection proxy persistence type for browser initiated EPA scan.

  [ CGOP-21545 ]

• Seamless single sign-on for Workspace URL (Cloud only)

  Citrix Secure Access client now supports single sign-on for Workspace URL (cloud only) if the user has already logged on via the Citrix Workspace app. For more details, see Single sign-on support for the Workspace URL for users logged in via Citrix Workspace app.

  [ ACS-2427 ]

• Manage Citrix Secure Access client and/or EPA plug-in version via Citrix Workspace App (Cloud only)

  Citrix Workspace app now has the capability to download and install the latest version of Citrix Secure Access and/or EPA plug-in via the Global App Configuration Service. For more details, see Global App Configuration Service.

  [ACS-2426]

• Debug logging control enhancement

  Debug logging control for Citrix Secure Access client is now independent of NetScaler Gateway and it can be enabled or disabled from theplug-in UI for both machine and user tunnel.

  [ NSHELP-31968 ]

• Support for Private Network Access preflight requests

  Citrix Secure Access Client is supports for Windows now support Private Network Access preflight request issue by the Chrome browser when access private network resource from public website .

  [CGOP-20544]

fix issue

• The Citrix Secure Access client, version 21.7.1.1 and later, fails to upgrade to later versions for users with no administrative privileges.

  This is applicable only if the Citrix Secure Access client upgrade is done from a NetScaler appliance. For details, see Upgrade/downgrade issue on Citrix Secure Access client.

  [NSHELP-32793]

• Users cannot log on to VPN because of intermittent EPA failures.

  [ NSHELP-32138 ]

• Sometimes, the Citrix Secure Access client in machine tunnel only mode does not establish the machine tunnel automatically after the machine wakes up from sleep mode.

  [NSHELP-30110]

• InAlways on service mode, user tunnel tries to start even if only machine tunnel is configured.

  [NSHELP-31467]

• The Home Page link on the Citrix Secure Access UI does not work if Microsoft Edge is the default browser.

  [NSHELP-31894]

• Customized EPA failure log message is not display on the NetScaler Gateway portal , instead the message “ internal error ” is display .

  [NSHELP-31434]

• When user click the Home Page tab on the Citrix Secure Access screen for Windows , the page is displays display the connection refuse error .

  [NSHELP-32510]

• On some client machines, the Citrix Secure Access client fails to detect the proxy setting and this results in logon failure.

  [ SPAHELP-73 ]

know issue

22.6.1.5 (17-June-2022)

What is ’s ’s new

• Login and logout script configuration

  The Citrix Secure Access client accesses the login and logout script configuration from thefollowing registries when the Citrix Secure Access client connects to the Citrix Secure Private Access cloud service.

  Registry path: HKEY_LOCAL_MACHINE>SOFTWARE>Citrix > Secure Access Client

  Registry values:

  • SecureAccessLogInScript type REG_SZ – path to login script
  • SecureAccessLogOutScript type reg_sz – path to logout script

  [ACS-2776]

• Windows Citrix Secure Access client using Windows Filtering Platform (WFP)

  WFP is a set of API and system services that provide a platform for creating network filtering application. WFP is designed to replace previous packet filtering technologies, the Network Driver Interface Specification (NDIS) filter which was used with the DNE driver. For details, see Windows Citrix Secure Access client using Windows Filtering Platform.

  [CGOP-19787]

• FQDN based reverse split tunnel support

  WFP driver is enables now enable support for fqdn base reverse split tunneling . It is not support with the DNE driver . For more detail on reverse split tunnel , see Split tunneling option .

  [CGOP-16849]

fix issue

• Sometimes, the Windows auto logon does not work when a user logs into the windows machine in an Always On service mode. The machine tunnel does not transition to the user tunnel and the message Connecting is displayed in the VPN plug-in UI.

  [ NSHELP-31357 ]

• On VPN logoff, the DNS suffix list entries in SearchList (Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Secure Access Client) registry are rewritten in reverse order separated by one or more commas.

  [NSHELP-31346]

• spoofed IP address is used even after the NetScaler intranet application configuration is change from FQDN base to IP base application .

  [NSHELP-31236]

• The gateway home page is not displayed immediately after the gateway plug-in establishes the VPN tunnel successfully.

  With this fix, the following registry value is introduced.

  \HKLM\Software\Citrix\Secure Access Client\SecureChannelResetTimeoutSeconds

  Type: DWORD

  By default, this registry value is not set or added. When the value of “SecureChannelResetTimeoutSeconds” is 0 or not added, the fix to handle the delay does not work, which is the default behavior. Admin has to set this registry on the client to enable the fix (that is to display the home page immediately after the gateway plug-in establishes the VPN tunnel successfully).

  [NSHELP-30189]

• AlwaysOnAllow list registry does not work as expected if the registry value is greater than 2000 bytes.

  [NSHELP-31836]

• Citrix Secure Access client for Windows does not tunnel new TCP connections to the back-end TCP server if the already connected Citrix Secure Private Access service region becomes unreachable. However, this does not affect the on-premises gateway connections.

  [ ACS-2714 ]

22.3.1.5 (24-Mar-2022)

fix issue

know issue

22.3.1.4 (10-Mar-2022)

What is ’s ’s new

• Enforce local LAN access to end users based on ADC configuration

  Admins can restrict the end users from disabling the local LAN access option on their client machines. A new option, FORCED is added to the existing Local LAN Access parameter values. When the Local LAN Access value is set to FORCED, the local LAN access is always enabled for end users on the client machines. End users cannot disable the local LAN settings using the Citrix Secure Access client UI. If admins want to provide an option to enable or disable local LAN access to the end user, they must re-configure the Local LAN access parameter to ON.

  To enable the FORCED option by using the GUI:

  1. Navigate to NetScaler Gateway > Global Settings > Change Global Settings.
  2. Click the Client Experience tab and then click advanced setting.
  3. InLocal LAN Access, select FORCED.

  To enable the FORCED option by using the CLI, run the following command:

   set vpn parameter -localLanAccess FORCED
   <!--NeedCopy-->
  

  [CGOP-19935]

• Support for Windows server 2019 and 2022 in the EPA OS scan

  EPA OS scan now supports Windows server 2019 and 2022.

  You can select the new servers by using the GUI.

  1. Navigate to NetScaler Gateway > Policies > Preauthentication.
  2. Create a new preauthentication policy or edit an existing policy.
  3. Click the OPSWAT EPA Editor link.
  4. InExpression Editor, select Windows > Windows Update and click the+ icon.
  5. InOS Name, select the server as per your requirement.

  You can upgrade to the OPSWAT version 4.3.2744.0 to use the Windows server 2019 and 2022 in the EPA OS scan.

  [CGOP-20061]

• New EPA scan classification types for missing security patches

  The follow new classification type are add to the EPA scan for miss security patch . The EPA scan is fails fail if the client has any of the follow miss security patch .

  • Application
  • Connectors
  • criticalupdate
  • definitionupdate
  • DeveloperKits
  • featurepack
  • Guidance
  • SecurityUpdates
  • ServicePacks
  • Tools
  • UpdateRollups
  • Updates

  You can configure the classification types by using the GUI.

  1. Navigate to NetScaler Gateway > Policies > Preauthentication.
  2. Create a new preauthentication policy or edit an existing policy.
  3. click the ( ( OPSWAT EPA Editor ) ) link .
  4. InExpression Editor, select Windows > Windows Update.
  5. InShouldn’t have missing patch of following windows update classification type, select the classification type for the missing security patch
  6. Click OK.

  You is upgrade can upgrade to the OPSWAT version 4.3.2744.0 to use these option .

  Earlier, the EPA scans for missing security patches were done on the severity levels; Critical, Important, Moderate, and Low on the Windows client.

  [CGOP-19465]

• support for multiple device certificate for EPA scan

  Inthe Always on VPN configuration, if multiple device certificates are configured, the certificate with the longest expiry date is tried for the VPN connection. If this certificate allows EPA scan successfully, then VPN connection is established. If this certificate fails in the scan process, the next certificate is used. This process continues until all the certificates are tried.

  Earlier, if multiple valid certificates were configured, if the EPA scan failed for one certificate, the scan was not attempted on the other certificates.

  [CGOP-19782]

fix issue

• If the clientCert parameter is set to ‘Optional’ in the SSL profile when configuring the VPN virtual server, users are prompted multiple times to select the smart card.

  [NSHELP-30070]

• Users cannot connect to the NetScaler Gateway appliance after changing the ‘networkAccessOnVPNFailure’ always on profile parameter from ‘fullAccess’ to ‘onlyToGateway`.

  [ NSHELP-30236 ]

• When Always on is configured, the user tunnel fails because of the incorrect version number (1.1.1.1) in the aoservice.exe file.

  [ NSHELP-30662 ]

• DNS resolution to internal and external resources stops working over a prolonged VPN session.

  [NSHELP-30458]

• The Windows VPN client does not honor the ‘SSL close notify’ alert from theserver and sends the transfer login request on the same connection.

  [NSHELP-29675]

• Registry EPA check for the “==” and “!=” operator fails for some registry entries.

  [NSHELP-29582]

22.2.1.103 ( 17 – feb-2022 )

fix issue

21.12.1.4 ( 17 – dec-2021 )

What is ’s ’s new

• Rebranding changes

  NetScaler Gateway plug-in for Windows is rebranded to Citrix Secure Access client.

  [ACS-2044]

• Support for TCP/HTTP(S) private applications

  Citrix Secure Access client is supports now support TCP / HTTP(S ) private application for remote user through the Citrix Workspace Secure Access service .

  [ACS-870]

• additional language support

  Windows VPN and EPA plug-ins for NetScaler Gateway now support the following languages:

  • korean
  • Russian
  • Chinese (Traditional)

  [CGOP-17721]

• Citrix Secure Access support for Windows 11

  Citrix Secure Access client is now supported for Windows 11.

  [ CGOP-18923 ]

• Automatic transfer logon when the user is logging in from thesame machine and Always on is configured

  Automatic login transfer now occurs without any user intervention when Always on is configured and the user is logging in from thesame machine. Previously, when the client (user) had to relogin in the scenarios such as system restart or network connectivity issues, a pop-up message appeared. The user had to confirm the transfer login. With this enhancement, the pop-up window is disabled.

  [CGOP-14616]

• Deriving Citrix Virtual Adapter default gateway IP address from theNetScaler provided net mask

  Citrix Virtual Adapter default gateway IP address is now derived from theNetScaler provided net mask.

  [ CGOP-18487 ]

fix issue

• Sometimes , users is lose lose internet access after a VPN tunnel is establish in split tunnel ON mode . Citrix virtual adapter ’s erroneous default route is causes cause this network issue .

  [ NSHELP-26779 ]

• When split tunnel is set to “ reverse , ” dns resolution is fails for the intranet domain fail .

  [ NSHELP-29371 ]

21.9.100.1 (30-Dec-2021)

What is ’s ’s new

fix issue

• Sometimes , users is lose lose internet access after a VPN tunnel is establish in split tunnel ON mode . Citrix virtual adapter ’s erroneous default route is causes cause this network issue .

  [ NSHELP-26779 ]

• When split tunnel is set to “ reverse , ” dns resolution is fails for the intranet domain fail .

  [ NSHELP-29371 ]

21.9.1.2 (04-Oct-2021)

fix issue

• Sometimes, after disconnecting the VPN, the DNS resolver fails to resolve the host names, because the DNS suffixes are removed during VPN disconnection.

  [NSHELP-28848]

• Sometimes, a user is logged out of NetScaler Gateway within a few seconds when the client idle timeout is set.

  [ nshelp-28404 ]

• The Windows plug – in is crash might crash during authentication .

  [NSHELP-28394]

• InAlways On service mode, the VPN plug-in for Windows fails to establish the user tunnel automatically after the users log on to their Windows machines.

  [NSHELP-27944]

• After the tunnel establishment, instead of adding DNS server routes with the previous gateway IP address, the Windows plug-in adds the routes with the default gateway address.

  [NSHELP-27850]

V21.7.1.1 (27-Aug-2021)

What is ’s ’s new

• New MAC address scan

  Support is added for newer MAC address scans.

  [CGOP-16842]

• EPA scan to check for Windows OS and its build version

  Added EPA scan to check for Windows OS and its build version.

  [CGOP-15770]

• EPA scan to check for a particular value’s existence

  A new method in the registry EPA scan now checks for a particular value’s existence.

  [ CGOP-10123 ]

fix issue

• If there is a JavaScript error during login because of a network error, subsequent login attempts fail with the same JavaScript error.

  [NSHELP-27912]

• The EPA scan fails for McAfee antivirus last update time check.

  [NSHELP-26973]

• Sometimes, users lose internet access after a VPN tunnel is established.

  [ NSHELP-26779 ]

• A script error for the VPN plug-in might be displayed during nFactor authentication.

  [NSHELP-26775]

• If there is a network disruption, UDP traffic flow that started before the network disruption does not drop for up to 5 minutes.

  [ NSHELP-26577 ]

• You might experience a delay in the starting of the VPN tunnel if the DNS registration takes a longer time than expected.

  [ NSHELP-26066 ]

V21.3.1.2 (31-Mar-2021)

What is ’s ’s new

• Upgraded EPA libraries

  The EPA libraries are upgraded to support the latest version of the software applications used in EPA scans.

  [ NSHELP-26274 ]

• NetScaler Gateway virtual adapter comaptibility

  The NetScaler Gateway virtual adapter is now compatible with Hyper-V and Microsoft Wi-Fi direct virtual adapters (used with printers).

  [NSHELP-26366]

fix issue

• The Windows VPN gateway plug-in blocks use of “CTRL + P” and “CTRL + O” over the VPN tunnel.

  [NSHELP-26602]

• The NetScaler Gateway plug-in for Windows responds only with an Intranet IP address registered in the Active Directory when a "nslookup" action is requested for the machine name.

  [NSHELP-26563]

• The IIP registration and deregistration fails intermittently if the split DNS is set as “Local” or “Both.”

  [NSHELP-26483]

• auto logon to Windows VPN gateway plug – in fail if Always On is configure .

  [NSHELP-26297]

• The Windows VPN gateway plug-in fails to drop IPv6 DNS packets resulting in issues with DNS resolution.

  [ NSHELP-25684 ]

• The Windows VPN gateway plug-in maintains the existing proxy exception list even if the list overflows because of the browser limit on the Internet Explorer proxy exception list.

  [ NSHELP-25578 ]

• The Windows VPN gateway plug-in fails to restore the proxy settings when the VPN client is logged off in Always On mode.

  [NSHELP-25537]

• The VPN plug-in for Windows does not establish the tunnel after logging on to Windows, if the following conditions are met:

  • NetScaler Gateway appliance is configured for the Always On feature.
  • The appliance is configured for certificate based authentication with two factor authentication “off.”

  [NSHELP-23584]

The official version of this content is in English. Some of the Cloud Software Group documentation content is machine translated for your convenience only. Cloud Software Group has no control over machine-translated content, which may contain errors, inaccuracies or unsuitable language. No warranty of any kind, either expressed or implied, is made as to the accuracy, reliability, suitability, or correctness of any translations made from theEnglish original into any other language, or that your Cloud Software Group product or service conforms to any machine translated content, and any warranty provided under the applicable end user license agreement or terms of service, or any other agreement with Cloud Software Group, that the product or service conforms with any documentation shall not apply to the extent that such documentation has been machine translated. Cloud Software Group will not be held responsible for any damage or issues that may arise from using machine-translated content.

DIESER DIENST KANN ÜBERSETZUNGEN ENTHALTEN, DIE VON GOOGLE BEREITGESTELLT WERDEN. GOOGLE LEHNT JEDE AUSDRÜCKLICHE ODER STILLSCHWEIGENDE GEWÄHRLEISTUNG IN BEZUG AUF DIE ÜBERSETZUNGEN AB, EINSCHLIESSLICH JEGLICHER GEWÄHRLEISTUNG DER GENAUIGKEIT, ZUVERLÄSSIGKEIT UND JEGLICHER STILLSCHWEIGENDEN GEWÄHRLEISTUNG DER MARKTGÄNGIGKEIT, DER EIGNUNG FÜR EINEN BESTIMMTEN ZWECK UND DER NICHTVERLETZUNG VON RECHTEN DRITTER.

CE SERVICE PEUT CONTENIR DES TRADUCTIONS FOURNIES PAR GOOGLE. GOOGLE EXCLUT TOUTE GARANTIE RELATIVE AUX TRADUCTIONS, EXPRESSE OU IMPLICITE, Y COMPRIS TOUTE GARANTIE D’EXACTITUDE, DE FIABILITÉ ET TOUTE GARANTIE IMPLICITE DE QUALITÉ MARCHANDE, D’ADÉQUATION À UN USAGE PARTICULIER ET D’ABSENCE DE CONTREFAÇON.

ESTE SERVICIO PUEDE CONTENER TRADUCCIONES CON TECNOLOGÍA DE GOOGLE. GOOGLE RENUNCIA A TODAS LAS GARANTÍAS RELACIONADAS CON LAS TRADUCCIONES, TANTO IMPLÍCITAS COMO EXPLÍCITAS, INCLUIDAS LAS GARANTÍAS DE EXACTITUD, FIABILIDAD Y OTRAS GARANTÍAS IMPLÍCITAS DE COMERCIABILIDAD, IDONEIDAD PARA UN FIN EN PARTICULAR Y AUSENCIA DE INFRACCIÓN DE DERECHOS.

本服务可能包含由 Google 提供技术支持的翻译。Google 对这些翻译内容不做任何明示或暗示的保证，包括对准确性、可靠性的任何保证以及对适销性、特定用途的适用性和非侵权性的任何暗示保证。

このサービスには、Google が提供する翻訳が含まれている可能性があります。Google is は翻訳について、明示的か黙示的かを問わず、精度と信頼性に関するあらゆる保証、および商品性、特定目的への適合性、第三者の権利を侵害しないことに関するあらゆる黙示的保証を含め、一切保証しません は翻訳について、明示的か黙示的かを問わず、精度と信頼性に関するあらゆる保証、および商品性、特定目的への適合性、第三者の権利を侵害しないことに関するあらゆる黙示的保証を含め、一切保証しません 。

ESTE SERVIÇO PODE CONTER TRADUÇÕES FORNECIDAS PELO GOOGLE. O GOOGLE SE EXIME DE TODAS AS GARANTIAS RELACIONADAS COM AS TRADUÇÕES, EXPRESSAS OU IMPLÍCITAS, INCLUINDO QUALQUER GARANTIA DE PRECISÃO, CONFIABILIDADE E QUALQUER GARANTIA IMPLÍCITA DE COMERCIALIZAÇÃO, ADEQUAÇÃO A UM PROPÓSITO ESPECÍFICO E NÃO INFRAÇÃO.