Citrix NetScaler Application Switch

Transcription

1 Citrix NetScaler Application Switch Release Notes Release 6.1 Citrix Systems, Inc.

2 CITRIX SYSTEMS, INC., ALL RIGHTS RESERVED. NO PART OF THIS DOCU- MENT MAY BE REPRODUCED OR TRANSMITTED IN ANY FORM OR BY ANY MEANS OR USED TO MAKE DERIVATIVE WORK (SUCH AS TRANSLATION, TRANSFORMA- TION, OR ADAPTATION) WITHOUT THE EXPRESS WRITTEN PERMISSION OF CITRIX SYSTEMS, INC. ALTHOUGH THE MATERIAL PRESENTED IN THIS DOCUMENT IS BELIEVED TO BE AC- CURATE, IT IS PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IM- PLIED. USERS MUST TAKE ALL RESPONSIBILITY FOR THE USE OR APPLICATION OF THE PRODUCT(S) DESCRIBED IN THIS MANUAL. CITRIX SYSTEMS, INC. OR ITS SUPPLIERS DO NOT ASSUME ANY LIABILITY THAT MAY OCCUR DUE TO THE USE OR APPLICATION OF THE PRODUCT(S) DESCRIBED IN THIS DOCUMENT. INFORMATION IN THIS DOCUMENT IS SUBJECT TO CHANGE WITH- OUT NOTICE. COMPANIES, NAMES, AND DATA USED IN EXAMPLES ARE FICTITIOUS UNLESS OTHERWISE NOTED. The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense. Modifying the equipment without Citrix' written authorization may result in the equipment no longer complying with FCC requirements for Class A digital devices. In that event, your right to use the equipment may be limited by FCC regulations, and you may be required to correct any interference to radio or television communications at your own expense. You can determine whether your equipment is causing interference by turning it off. If the interference stops, it was probably caused by the Citrix NetScaler Application Delivery System. If the NetScaler equipment causes interference, try to correct the interference by using one or more of the following measures: Move the NetScaler equipment to one side or the other of your equipment. Move the NetScaler equipment farther away from your equipment. Plug the NetScaler equipment into an outlet on a different circuit from your equipment. (Make sure the NetScaler equipment and your equipment are on circuits controlled by different circuit breakers or fuses.) Modifications to this product not authorized by Citrix Systems, Inc., could void the FCC approval and negate your authority to operate the product. BroadCom is a registered trademark of BroadCom Corporation. Fast Ramp, NetScaler, and NetScaler Request Switch are trademarks of Citrix Systems, Inc. Linux is a registered trademark of Linus

3 Torvalds. Internet Explorer, Microsoft, PowerPoint, Windows and Windows product names such as Windows NT are trademarks or registered trademarks of the Microsoft Corporation. NetScape is a registered trademark of Netscape Communications Corporation. Red Hat is a trademark of Red Hat, Inc. Sun and Sun Microsystems are registered trademarks of Sun Microsystems, Inc. Other brand and product names may be registered trademarks or trademarks of their respective holders. Software covered by the following third party copyrights may be included with this product and will also be subject to the software license agreement: Copyright 1998 Carnegie Mellon University. All rights reserved. Copyright David L. Mills 1993, Copyright 1992, 1993, 1994, 1997 Henry Spencer. Copyright Jean-loup Gailly and Mark Adler. Copyright 1999, 2000 by Jef Poskanzer. All rights reserved. Copyright Markus Friedl, Theo de Raadt, Niels Provos, Dug Song, Aaron Campbell, Damien Miller, Kevin Steves. All rights reserved. Copyright 1982, 1985, 1986, , 1993 Regents of the University of California. All rights reserved. Copyright 1995 Tatu Ylonen, Espoo, Finland. All rights reserved. Copyright UNIX System Laboratories, Inc. Copyright 2001 Mark R V Murray. Copyright Eric Young. Copyright 1995,1996,1997,1998. Lars Fenneberg. Copyright Livingston Enterprises, Inc. Copyright 1992, 1993, 1994, The Regents of the University of Michigan and Merit Network, Inc. Copyright , RSA Data Security, Inc. Created Copyright 1998 Juniper Networks, Inc. All rights reserved. Copyright 2001, 2002 Networks Associates Technology, Inc. All rights reserved. Copyright (c) 2002 Networks Associates Technology, Inc. Copyright The Open LDAP Foundation. All Rights Reserved. Copyright 1999 Andrzej Bialecki. All rights reserved. Copyright 2000 The Apache Software Foundation. All rights reserved. Copyright (C) Robert A. van Engelen, Genivia inc. All Rights Reserved. Copyright (c) University of Cambridge. All rights reserved. Copyright (c) David Greenman. Copyright (c) 2001 Jonathan Lemon. All rights reserved. Copyright (c) 1997, 1998, Bill Paul. All rights reserved. Copyright (c) Matt Thomas. All rights reserved. Copyright 2000 Jason L. Wright. Copyright 2000 Theo de Raadt. Copyright 2001 Patrik Lindergren. All rights reserved. Part No. NS-RN Last Updated: December 2005

4

5 Contents Chapter 1 - Enhancements Installation and Configuration Enhancements Default IP Address Configuration Utility Enhancements Load Balancing Wizard SSL FIPS Wizard Look and Feel Improvements Shortcut Menus Keyboard Shortcuts Text Field Validation IP Address Field Validation Context Sensitive Help Dashboard Enhancements Enhanced Monitoring Capabilities Intuitive User Interface Accessibility Enhancements Load Balancing Enhancements Monitoring Weights Dynamic Spillover Range Entities Least Response Time Based on Monitoring (LRTM) Source IP Destination IP Hash LB Method Connection Failover HTTP Inline Monitors User Monitors HTTP Session Cookie Enhancement Networking Enhancements Enhanced ACL Support Support for High Availability Over Routed Networks Loopback Driver Support Default Router Enhancement Support for Traceroute and Ping Support for Bridge Aging TTL Decrementing Release Notes i

6 Contents 1.6 SSL Enhancements Certificate Update on the Fly Client Certificate Authentication Header Insertion CRL Update Over HTTP Port Rewrite for SSL Redirect Behavior of SSL Vserver and Service State SSL Syslog Enhancement SSL VPN Client Enhancements Legal Information in the About Page Response Performance Time Measurement Tool VPN Client Side Compression Trace Information Client Side Audit Automatic Version Upgrade/Downgrade Registry Checks Through Client Security Check Microsoft Windows Service Pack Check Inverse Split Tunneling Intranet IP Address Run Scripts Upon Login Or Logout Kill Existing Connections Cached DNS Entry Expiry Display Names of Tunneled Applications Global Server Load Balancing Enhancements Dynamic Weight-based GSLB Site Persistence Using HTTP Redirect Integrated Cache Enhancements FlashCache Expire at Last Byte Dynamic Learning Through MinHit DNS Integration Cache Forward Proxy System Monitoring Enhancements Chapter 2 - Changes and Recommendations Notable Changes Configuration Utility SSL Networking Global Server Load Balancing Limitations Cache Redirection ii Release Notes

7 Contents Compression Configuration Utility Global Server Load Balancing Networking SSL SSL VPN System Monitoring Integrated Cache Web Logging XML API Chapter 3 - Known Problems and Workarounds Release Notes iii

8 Contents iv Release Notes

9 Enhancements This section describes these new features in the 6.1 release. Installation and Configuration Enhancements Configuration Utility Enhancements Dashboard Enhancements Load Balancing Enhancements Networking Enhancements SSL Enhancements SSL VPN Client Enhancements Global Server Load Balancing Enhancements Integrated Cache Enhancements System Monitoring Enhancements 1.1 Installation and Configuration Enhancements Default IP Address The system is configured with a default IP address and associated netmask for management access. The default IP is and the netmask is This default IP address is used whenever a user-configured value for the system's IP address (NSIP) is absent. 1.2 Configuration Utility Enhancements Load Balancing Wizard The Configuration Utility has been enhanced with a wizard for Load Balancing. The Load Balancing wizard allows the user to configure a basic setup by adding any number of services and a vserver and binding the services to the vserver. The user can also use the wizard to configure a basic SSL setup by adding any number of services and an SSL vserver. The user can then bind the services and SSL certificates to the SSL vserver. Release Notes 1-1

10 Enhancements SSL FIPS Wizard The Configuration Utility has been enhanced with a FIPS Wizard. This wizard allows the user to set up a basic FIPS configuration Look and Feel Improvements Alternate rows have background color in all tables Column headers indicate rows that can be sorted Mandatory fields indicated with a * (asterisk) on all panes and windows. The status of an entity is indicated with an icon Shortcut Menus The Configuration Utility provides several shortcut menus that can be accesses by right-clicking the appropriate sections of the interface Keyboard Shortcuts Keyboard shortcuts can be used for different actions Text Field Validation Text fields on the Configuration Utility do not allow more than the specified number of characters. Integer fields do not allow values that are greater than the specified maximum value for the field and reject non-numeric characters IP Address Field Validation The Configuration Utility allows only valid IP addresses to be entered in the IP address fields Context Sensitive Help The user can access context-sensitive help by clicking the help buttons on the dialog boxes and panes. The user can also access the context-sensitive help by clicking the Help option in the Application Menu or by pressing F Dashboard Enhancements Enhanced Monitoring Capabilities New Counters and Groups All the statistical counters, displayed by the CLI, are now displayed on the Dashboard. These counters have been organized into logical groups. As a 1-2 Release Notes

11 Enhancements result, several new counters have been added to the existing groups and the other counters have been added to new groups. In addition, these counters have been categorized into logical sub groups. The new groups that have been added can be classified as: Device-related groups - Independent services, and VLAN. System protocol groups - UDP, IP, ICMP, and SNMP. Feature groups - Audit, AAA, HTTP compression, and HA. Others - DNS, ACL, and Bridge New Events New events have been added for Integrated Cache, Interfaces etc Custom Charts The user can create custom charts to plot one or more statistical counters. These counters can belong to one or more groups. The custom charts can be launched from multiple points on the Dashboard Relational Monitoring of Statistical Counters Several predefined comparative charts have been added under each group. These charts facilitate relational monitoring by plotting two or more statistical counters on a single chart. In addition, the user can also use tables and charts for groups like Load Balancing, Content Switching, Interfaces, etc to compare the relevant statistical counters. As a result, the user can directly compare the performance of configured entities such as vservers, services, etc Intuitive User Interface All the predefined comparative charts and groups can be directly accessed and displayed with a single mouse click. Tabs on the Group Monitoring pane allow the user to easily navigate to the summary, detail, and chart views corresponding to the counters in a group. In addition, system logs can now be viewed on an independent window by clicking the System Log pane. The log entries are color coded to indicate the type of log entry Accessibility Enhancements The cursor changes shape to indicate that a particular region supports single mouse click. Using the single mouse click, users can perform several tasks such as: Viewing custom charts and legends Changing counters Release Notes 1-3

12 Enhancements Plotting CPU utilization, Memory utilization and Throughput charts Displaying tear-away windows for certain tables and charts Other significant improvements are: Menu options in some selected charts and tables Enhanced right-click menu options for charts Look & Feel and Logout options in the application menu Tool tips now reflect the value of the counter and the timestamp 1.4 Load Balancing Enhancements Monitoring Weights The monitoring functionality has been enhanced to support monitor weights. The user can now assign weights to a monitor. A service, with multiple monitors bound to it, will be marked as UP only when the sum of the weights of the monitors is greater than or equal to a threshold set on it Dynamic Spillover The spillover functionality had been enhanced to support dynamic spillover. Dynamic Spillover depends on the Max Client setting of the services bound to the vserver. If the number of client connections at the vserver exceeds the sum of the Max Client values on all the active services, all additional connections are diverted to the backup vserver Range Entities This enhancement allows the user to add a range of vservers and services and bind them. The vservers and services get created with consecutive names and IP addresses Least Response Time Based on Monitoring (LRTM) This new Load Balancing (LB) method uses the existing monitoring infrastructure. To use this LB method, the user needs to bind application-specific monitors to the service. In addition, the user needs to ensure that the LRTM is enabled on the monitors. The vserver uses the response times of the probes, generated by the LRTM monitors, to make LB decisions. The response time is the difference between 'response received time' and the 'probe sent out time'. 1-4 Release Notes

13 Enhancements Source IP Destination IP Hash LB Method When configured with this load balancing method, the system selects the service based on the hashed value of the source IP and the destination IP addresses in the IP header Connection Failover Connection failover allows a TCP connection, established through a primary node, to remain active after failover. By default, two systems that comprise an HA pair do not exchange any information pertaining to existing packet flows HTTP Inline Monitors HTTP Inline monitors track the health of backend servers by analyzing their responses to HTTP requests from clients. They do not send probes, instead, they look for specific HTTP response codes in traffic originating from the backend servers. If the response code is received a preconfigured number of times, the inbound monitor either changes the state of the monitor or logs the event. These monitors support 16 different ranges of response codes. The user can also configure the inline monitor to track the event without taking any action User Monitors These monitors extend the scope of existing monitors in that the user can write custom scripts to track the health of applications that are not natively supported by the system. At any instance of time, the number monitors executing in non-kas (Keepalive Scripting) mode is determined by the max client setting of the internal dispatcher. For the KAS mode, the maximum number of scripts is 30. In addition, if the USER monitor probe times out during high CPU usage, the state of the service remains unchanged HTTP Session Cookie Enhancement Server information in persistence HTTP session cookies, inserted by the Citrix NetScaler system, is now hidden. 1.5 Networking Enhancements Enhanced ACL Support The ACL infrastructure had been enhanced as follows: User-defined priorities for ACLs Disallow multiple ACL's with same parameters Release Notes 1-5

14 Enhancements Support for operators such as == and!= Clearing of existing sessions when ACLs are applied Comparison of the last 4 bytes of the source MAC address Support for High Availability Over Routed Networks The High Availability (HA) functionality has been enhanced to support deployments where the primary and the secondary reside on different subnets. To deploy HA in this manner, the user needs to enable the INC mode on the primary and secondary nodes Loopback Driver Support The user can now view the details about the loopback interface via the CLI and Configuration Utility. To view the details of the loopback interface via the CLI, the user needs to execute the show interface command. To view the details of the loopback interface via the Configuration Utility, the user need to click the Network -> Interfaces node in the Navigation pane. The details are displayed under the Interfaces tab Default Router Enhancement The default router can now belong to any subnet Support for Traceroute and Ping The Traceroute and Ping commands have been added to the CLI. As a result, the user can now execute these commands from the CLI prompt without having to go to the Shell prompt Support for Bridge Aging The user can now view and configure the aging time for bridge table entries. The limits are 60 seconds (minimum) and 300 seconds (maximum) TTL Decrementing The system now decrements the TTL of an IP packet before forwarding it. 1.6 SSL Enhancements Certificate Update on the Fly SSL Certificates bound to a virtual server can now be updated on the fly without the need for unbinding the existing certificate. This is done to avoid down- 1-6 Release Notes

15 Enhancements time faced during the time required to unbind the existing certificate and bind the new certificate Client Certificate Authentication Header Insertion This feature is used to provide back-end Web applications with information on the outcome of the client authentication process. This can be used for redirection, access control, etc. If optional client authentication is enabled, the system will insert a default header string in the HTTP requests going to the Web server. This string will indicate the outcome of the client authentication process. The data insertion in the header is done by default and no separate configuration is required other than enabling client authentication on the SSL vserver CRL Update Over HTTP Certificate revocation lists (CRLs) can be updated on the system from some Web location by providing the system with the complete URL or the IP address and port of the location where the CRL file is present. The system will fetch the CRL and update its database Port Rewrite for SSL Redirect The SSL Redirect feature has been enhanced to redirect clients based on the port on which the request was received Behavior of SSL Vserver and Service State SSL vservers and services will remain in the DOWN state until a certificate is bound to them and the SSL feature is enabled SSL Syslog Enhancement All the SSL handshake successes and failures are logged by the syslog server. 1.7 SSL VPN Client Enhancements Legal Information in the About Page On the About pane in the Configuration dialog box of the Secure Remote Access window, legal information and usage of product are displayed along with the product version information. Release Notes 1-7

16 Enhancements Response Performance Time Measurement Tool This tool has been incorporated in the SSL VPN Secure Remote Access window and displays the percentage increase in performance of the SSL VPN while accessing intranet resources VPN Client Side Compression The VPN client can compress data to be sent through the VPN tunnel using the gzip/deflate methods Trace Information For easy debugging, the trace information (function name, file name, and line number) is logged if the VPN client crashes Client Side Audit The VPN client can be set to record 4 different levels of detail in the client side log: Windows system level application event recording Application audit level and error message recording Statistic counters level recording Detailed debug message recording Automatic Version Upgrade/Downgrade When the VPN plug-in detects a version mismatch, it automatically upgrades/ downgrades itself to the current version. This upgrade/downgrade is possible for users with or without administrative privileges. However, the VPN client must first be installed by a user with administrative privileges on the client system Registry Checks Through Client Security Check The VPN client supports checking for the existence and the value of various registry entries using client security strings. The client security string format for this check is: "reg_<frequency>_<full key name>_<registry entry name>_<value>" Some examples: 1-8 Release Notes

17 Enhancements "reg_0_hkey_local_machine\\\\software\\\\sophos\\\\sweepnt_version_3.9.0" Will check if the "Version" entry under hklm\software\sophos\sweepnt\ has the value "3.9.0" "reg_0_hkey_local_machine\\\\software\\\\sophos\\\\sweepnt_version" Will check for the existence of a registry value called "Version" under hklm\software\sophos\sweepnt\ And "reg_0_hkey_local_machine\\\\software\\\\sophos\\\\sweepnt" Will check for the existence of the registry key "hklm\software\sophos\sweepnt" Microsoft Windows Service Pack Check The VPN client supports checking for the existence and value of a Microsoft Windows service pack on the client system by using client security strings. The client security string syntax for checking existence of a service pack is: "os_<frequency>_<operating system name>_sp<service pack number>" For example: set vpn parameter -clientsecurity "os_0_winxp_sp2" Optionally the string can contain a "." followed by a minor sp version number, for example "os_0_winxp_sp_2.1" Inverse Split Tunneling The VPN client will route traffic through the VPN tunnel when the destination IP address is NOT in one of the configured routing networks. This setting is the exact opposite of Split Tunneling set to ON Intranet IP Address The VPN client returns an intranet IP Address when Split Tunneling is OFF Run Scripts Upon Login Or Logout The system can run a configured script on the VPN client's system upon login or logout. The name and optionally the location of the script on the client sys- Release Notes 1-9

18 Enhancements tem should be specified on the system. The script name will be passed to the client along with the rest of the /cfg information. Note: The script should exist on the VPN client system Kill Existing Connections When kill connections is set to ON, all existing connections on the VPN client system are killed. Only UDP connections are not terminated. This can be set using the command set vpn parameter -kill connections ON Cached DNS Entry Expiry All VPN client side cached DNS entries will expire in 6 minutes Display Names of Tunneled Applications In the Configuration dialog box of the Secure Remote Access window, the names of the tunneled applications are displayed along with their application details. 1.8 Global Server Load Balancing Enhancements Dynamic Weight-based GSLB This enhancement allows the system to make GSLB decisions based on dynamically calculated weights. The weight of a vserver can be based on either one of the following factors: Number of services bound to the vserver Individual weights of the services bound to the vserver The user can configure the factor on which the calculation of weights is based Site Persistence Using HTTP Redirect This enhancement allows the system to maintain site persistence using cookies. In the GSLB environment, a client request resolves to a particular system. This system then inserts a cookie in the response header. If the client sends a request after the browser cache expires, the request might resolve to another system. This system then uses the cookie to redirect the client request to the original system that inserted the cookie in the response header Release Notes

19 Enhancements 1.9 Integrated Cache Enhancements FlashCache Flash Cache is another means of avoiding Flash Crowds. When enabled, this feature causes Integrated Cache to queue all concurrent requests and allows only one request to reach the server. The response from the server is then fanned out across all the queued requests Expire at Last Byte This enhancement causes Integrated Cache to expire an object as soon as it has been downloaded. This causes the object to remain fresh only during the period that it was accessed Dynamic Learning Through MinHit This enhancement causes Integrated Cache to store an object only after it has been accessed a minimum number of times DNS Integration When configured with this option, Integrated Cache matches the URL, host name, host port, and the TCP port in the incoming HTTP request against the corresponding values of the cached object. The host name is then used to perform a DNS lookup. The destination server's IP address is then compared against the set of addresses returned by the DNS lookup. The cached object is served only if the destination server's IP address matches the IP address represented by the host name in the client request Cache Forward Proxy This enhancement allows the user to specify the IP address and port of the cache forward proxy. If the system either functions as a forward proxy or sits between the client and the forward proxy, the destination IP address in the client s request is always that of the forward proxy. As a result, objects are never cached. Specifying the IP address and port of the forward proxy ensures that the responses are cached System Monitoring Enhancements The stat command group has been introduced in this release. These commands display the statistical counters pertaining to the various command groups such as TCP, UDP, HTTP, etc. For details, refer to the Command Reference Guide. Release Notes 1-11

20 Enhancements 1-12 Release Notes

21 Changes and Recommendations 2.1 Notable Changes Configuration Utility As of the 6.0 release, the Configuration Utility requires JRE version 1.4.2_04 or higher for standard operation. DNS vservers, configured using the SSL VPN Wizard of the 6.0 release, will now appear under the SSL VPN -> Global Settings ->Advanced node SSL The SSL v2 protocol is disabled by default. All the front-end SSL vservers and services will have the new DEFAULT cipher suite bound to them. All the back-end services and HTTPS monitors will have the new ALL cipher suite bound to them. SSL v2 Redirect and Cipher Redirect are enabled by default on the front-end SSL services Networking The USNIP mode is enabled by default Global Server Load Balancing A GSLB local service can be added only after an LB vserver is added. Similarly, the local GSLB service can be removed only after removing the LB vserver. 2.2 Limitations Cache Redirection [12058] SSL-based tunneling through the forward proxy is allowed only when the destination port is Compression [19487] The system does not support more than 3000 Compression/Filter policies. Release Notes 2-1

22 Changes and Recommendations Configuration Utility [18447] The Configuration Utility does not support the addition of multiple subnets for dynamic routing. [20371] The configured vservers are not visible to the user despite the presence of a command policy that allows the user to view the same Global Server Load Balancing Dynamic weight based GSLB is not supported for CSW vservers Networking [20045] ACLs cannot block broadcast traffic SSL [19096] When a cipher ORD operation is performed on a non existing cipher/group, all the existing ciphers in the vserver list are cleared SSL VPN [15207] HTTP connections are not supported when the USIP mode is enabled. [16292] Large files cannot be transferred using File Transfer Application via the SSL VPN on the Mac OS. [17124] SSL browser requests through SSL VPN Java client currently does not support HTTPS access to non-443 ports (e.g. URLs such as foo.com:444 accessed via Safari Browser). [17227] When the SSL VPN gateway is configured with an outbound Forward Proxy, Single Sign On(SSO) to the Forward Proxy is supported as long as Forward Proxy and the SSL VPN gateway authenticate against the same Authentication server/system. It is required that the Forward Proxy and the SSL VPN gateway(configured with this Outbound Forward Proxy) authenticate against the same Authentication server/system. [18779] Sometimes, even with the right credentials, a Failed in getting shared folders (NT_STATUS_ACCESS_DENIED) error is displayed when the user tries to access a network share. [19073] When the system is configured with mandatory client certificate based authentication, there is a problem with the agent automatic upgrade process. After upgrading itself, the agent is unable to get the certificate from the browser. This situation happens only in the click-less automatic upgrade. If the user does a manual upgrade, it works fine. 2-2 Release Notes

23 Changes and Recommendations [19184] For high rates of logins to the SSL VPN ( logins/sec), new SSL VPN sessions are not created. [19232] The Single Sign On (SSO) feature is not supported for Java-based SSL VPN client. [19318] Under certain conditions, the 3001 error is displayed when the user logs on to the SSL VPN using a Web browser window that was opened by the previous SSL VPN session. [19364] The SSL VPN agent does not retrieve the configured forward proxy information from Web browsers other than Internet Explorer. [19452] Binding a non existing cipher or cipher group to an SSL vserver on a FIPS system enables all the FIPS/non-FIPS (not certified by NIST) ciphers on the system. [19540] SSLv2 Client Authentication does not work for most of the browsers on different platforms. [19653] The file transfer upload page works incorrectly under certain conditions when no file is specified. [19655] The file transfer upload page works incorrectly under certain conditions and is not able to connect to subdirectories in a network share. [19882] On the file transfer page, after the user logs on to a valid network share, if the user types the correct address on the folder listed with a mix of uppercase and lowercase alphabets, each combination is displayed as a separate directory. [20141] The 'HTTP 1.1/Internal Server Error' is seen under certain conditions upon logging in to the SSL VPN from a tabbed browser if it is configured to open every new page in a new tab. [20287] The SSL VPN session is not terminated on the Mac OS x if the plug-in window without clicking the 'logout' button. [20800] HTTP/HTTPS proxies do not revert back to the original settings once the Java applet exits on Mac OS X clients. [20934] When the login API is used to login to the SSL VPN with NTLM authentication and ISA forward proxy, and incorrect credentials are supplied, the agent should prompt the user for the correct credentials, but it does not. This affects only NTLM authentication with ISA proxy and only when the user supplies incorrect credentials to the API. [20959] The client provides an API for logging into SSL VPN. This API takes an inbound forward proxy IP as one of its parameters. If an invalid proxy IP is supplied to the login function the first time, that and consecutive login calls will fail even if the correct IP is given the next time. [21049] Under certain conditions, users without administrative privileges are unable to access intranet resources when connected to the SSL VPN. Release Notes 2-3

24 Changes and Recommendations [21089] When the client security string on the system has been changed in between consecutive logins from "NOT (av_0_<someavsoftwarethatexistsonclientmachine>)" to "NOT (os_0_<osthatexistsonclientmachine>)", the agent client displays the wrong error message the second time. The user is shown the same error message as the first time instead of an updated error message. This will not happen if the agent is re-started before the next login, and it will not happen with the plug-in. [21059] On the Mac operating system, the Web browser is not loaded with the homepage contents although the Java client seems to install successfully. [14214] When a user account is deleted, the bookmarks corresponding to the user account are not cleaned up System Monitoring [18469] Under certain conditions, the system does not forward the PMTU related ICMP Error messages. As a result, the connection times out. [19082] Incorrect platform recognition for boxes claimed as 'production' causing incorrect interface naming. The -Logfile option of the stat command does not work Integrated Cache [18825] Executing the "set cache parameter -memlimit 0" command and then rebooting resets memlimit to the default value Web Logging [20563] Under certain conditions, the NSWL Windows client does not reconnect to the system and hence does not log transactions XML API [15027] The show service command throws a segmentation fault when the number of services is very high. 2-4 Release Notes

25 Known Problems and Workarounds The following table lists all of the known problems in the software release 6.1 and their workarounds where applicable. Component Issue ID Issue Description Workaround Configuration Utility Configuration Utility The Configuration Utility behaves in an unpredictable manner when two instances of the utility are used to control the same system When the user tries to change the format of a certificate from PEM to DER or DER to PEM, a FIPS error message is displayed. Use two separate instances of the Web browser. Perform the following procedure: Remove the existing certkey. Add the new certkey. Bind it to the required vservers. GSLB Under certain conditions, the GSLB configuration upgrade from release 5.2 or 6.0 fails. Networking When the enable ns feature ospf command is executed, the existing VTYSH configuration sessions are locked. Online Help For computers running Windows XP with the SP2 security patch installed, the online help is blocked by Internet Explorer. Change the name of the vserver that is causing the duplicate persistence ID. Quit the existing VTYSH session and start a fresh one. Disable the pop-up blocker on Internet Explorer for the system. Release Notes 3-1

26 Known Problems and Workarounds Component Issue ID Issue Description Workaround SSL VPN Under certain conditions, basic tunneling to intranet resources does not work on a Windows XP client with the SP2 security patch installed if split tunneling is disabled and kill connections is enabled. SSL VPN Under certain conditions, the 3001 error is displayed when the user logs on to the SSL VPN using a Web browser window that was opened by another SSL VPN plug-in. SSL VPN When the user logs on and activates the SSL VPN agent from a tab in a tabbed browser, the entire window is closed and not just the tab. SSL VPN Under certain conditions, the SSL VPN agent does not get activated and displays the ' failed to download configuration' error. SSL VPN SSL VPN does not work together with the Symantec client firewall. SSL VPN The ActiveX plug-in goes into a "Disconnected!" state when the user switches network interfaces. SSL VPN The system does not establish VPN sessions for user IDs that are longer than 31 characters. Either use '-SplitTunnel ON' OR use '-SplitTunnel OFF and -KillConnections OFF'. Close the existing Web browser windows and then open a new Web browser window to log on. Setting autocleanup of cookies/cache also ensures that this does not happen. Open a new browser window to launch the SSL VPN portal, instead of launching portal from a tab. Log off and then log on again. Disable the Symantec client firewall. Log out of the SSL VPN and login again. Do not create user names that are longer than 31 characters. 3-2 Release Notes

27 Known Problems and Workarounds Component Issue ID Issue Description Workaround System Under some circumstances, when connecting a Citrix NetScaler 7000 system to a Cisco 3560 GIG switch, if the ports on the switch and 7000 system are hard-coded to 100/full, the link may fail to come up. Set the ports on both devices to autonegotiate. System Under certain conditions, the CLI fails after a few minutes. Disconnect and then log on again. Release Notes 3-3