What’s new
May 25, 2023
Support to create customized configurations through network function settings
You can create and edit customized configurations specific to your network needs for the following network functions:
- Content policies
- SSL settings
- Authentication
- Service profiles
With this feature, you can deploy the configuration changes across all the applications associated with a network function setting in one go. To create network function settings, navigate to Network Functions on the left pane. For more information, see Manage an application.
[ ADSS-9133 ]
March 29, 2023
Azure support for NetScaler App Delivery and Security service
NetScaler App Delivery and Security service now supports Azure. You can create Azure specific cloud access profiles and environments where you can provision the NetScaler App Delivery and Security service to deliver your applications. For more information, see Prepare Azure environment in NetScaler App Delivery and Security.
[ ADSS-15819 ]
March 16, 2023
Support to add an origin application server outside the AWS account
The NetScaler App Delivery and Security service allows you to add the origin application servers that are deployed outside the current AWS account. For example, when the origin application server is in a VPC belonging to another AWS account, a private data center, or in another cloud account.
To add origin application servers outside your AWS account, create specific subnets that the NetScaler App Delivery and Security service infra can use to reach the origin application servers. For this deployment to work, you must ensure network connectivity between the origin application servers and the app delivery infrastructure. The app delivery infrastructure must be able to send traffic to the origin application servers and also receive traffic from the origin application servers.
For more information, see Manage an environment.
[ ADSS-14043 ]
January 12, 2023
Support for Analyzer
The Analyzer feature allows you to visualize the concise configuration information of your application. This information helps you analyze the application’s status easily and also helps in troubleshooting.
To view the Analyzer, navigate to Applications and click the Analyzer icon in the Actions column.
For more information, see Analyze the application configuration.
[ ADSS-14381 ]
Ability to view and change the status of back-end app servers
The NetScaler App Delivery and Security service allows you to view the status of the back-end app servers and their associated health checks. As an administrator, you can use this information for troubleshooting purposes.
You can also enable or disable the configured state of the back-end app server without redeploying the application. For example, consider a planned network maintenance activity that requires disabling a back-end app server. In such a scenario, you can disable the required server gracefully without redeploying the application. You can re-enable the server after the maintenance activity is completed. For more information, see View and change the back-end app server status.
[ ADSS-13680 ]
New IAM permissions added to AWS cloud access profile
New IAM permissions are now added to the cloud access profile that connects to AWS. To synchronize your existing cloud access profile with the newly added IAM permissions, validate your cloud access profile. For information on how to validate the cloud access profile, see Validate cloud access profile.
[ ADSS-13726 ]
December 13, 2022
Set the rate limit type for your application
When you enable the rate limit protection for your application, you can now set the limit type in the rate limit policy. The limit type defines how the requests must spread over the specified time frame.
- Bursty: Use this limit type if your application traffic is sporadic. It is helpful if the load peaks anytime within the set time frame.
- Smooth: Use this limit type if your application traffic is consistent. It evenly spreads the load across each time slice of the set time frame.
[ ADSS-13733 ]
Rate limit policy supports sending the response 429
You can now configure a rate limit action to send a response with a status code 429. This code suggests that there are too many requests for the application.
When the incoming requests exceed the limit, this action displays the 429 code to a user.
[ ADSS-13730 ]
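The following Python sketch contrasts the two limit types and the 429 action from the two rate limit entries above. It is an added example, not NetScaler code: the fixed-frame counting, the six slices per time frame, and all class and function names are assumptions made for illustration.

```python
from dataclasses import dataclass

OK, TOO_MANY_REQUESTS = 200, 429


@dataclass
class BurstyLimiter:
    """Allows up to `limit` requests anywhere inside each `window`-second frame."""
    limit: int
    window: float
    _frame: int = -1
    _count: int = 0

    def allow(self, now):
        frame = int(now // self.window)
        if frame != self._frame:          # a new time frame starts: reset the budget
            self._frame, self._count = frame, 0
        if self._count >= self.limit:
            return False
        self._count += 1
        return True


class SmoothLimiter:
    """Same total budget, split evenly across `slices` equal time slices."""

    def __init__(self, limit, window, slices):
        # Each slice gets its own small budget, so a peak cannot spend
        # the whole frame's allowance at once.
        self._inner = BurstyLimiter(max(1, limit // slices), window / slices)

    def allow(self, now):
        return self._inner.allow(now)


def replay(limiter, timestamps):
    """Return the status code each request would receive, in time order."""
    return [OK if limiter.allow(t) else TOO_MANY_REQUESTS
            for t in sorted(timestamps)]


def rejected(limiter, timestamps):
    return replay(limiter, timestamps).count(TOO_MANY_REQUESTS)


# Constructed traffic: 60 requests per 60-second frame in both cases.
LIMIT, WINDOW, SLICES = 60, 60.0, 6
BURST = [i / 20 for i in range(60)]        # all 60 requests in the first 3 seconds
STEADY = [float(i) for i in range(60)]     # one request per second

if __name__ == "__main__":
    for name, traffic in (("burst", BURST), ("steady", STEADY)):
        print(name,
              "bursty 429s:", rejected(BurstyLimiter(LIMIT, WINDOW), traffic),
              "smooth 429s:", rejected(SmoothLimiter(LIMIT, WINDOW, SLICES), traffic))
```

With the same 60-per-minute budget, the Smooth type rejects most of a sudden peak while the Bursty type absorbs it, which is the trade-off to weigh when choosing a limit type for sporadic traffic.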
Enable bot TPS for your application
You can now enable bot TPS (Transactions Per Second) for your application as part of security protections. With this feature, you can detect the incoming bot traffic based on one of the following parameters:
- Number of transactions per second
- Surge in transactions (%) in the last 30 minutes
[ ADSS-12700 ]
Support to upload a configuration file while migrating the ADC configuration to the NetScaler App Delivery and Security service
You can now upload a source configuration file instead of manually typing or copy-pasting the commands. This option is specifically helpful when you have large configuration files.
[ ADSS-11881 ]
November 29, 2022
View Authoritative DNS analytics geo location heat map
You can now view the list of locations and a heatmap displaying the countries from where the clients are accessing the application.
[ ADSS-13905 ]
Verbose logging support
The NetScaler App Delivery and Security service supports collecting more information about the payload than what a regular log collects. It can collect verbose logs such as the log pattern, pattern payload, and HTTP header details. When you create a security protection for your application, set the Logging Settings to collect verbose logs.
The payload information gives you more context while troubleshooting issues. For example, if a violation is detected, you can look at the request that triggered the violation.
[ ADSS-10722 ]
View hits details for content policies and security protections
When you configure an application, and add content policies and security protections, you can now view analytics on the total hits received for:
- Bot policies
- Web App Firewall (WAF) policies
- Rewrite rules
- Responder rules
To view the hits details, navigate to Analytics and click Network Functions. For more information, see Network Functions.
[ ADSS-14855 ]
November 16, 2022
Enhancements to merge rewrite and responder rules in the content policy
The Content Transform feature in the NetScaler App Delivery and Security service is now renamed as Content Policies. To create a content policy, navigate to Applications > Content Policies and click Create. In the Create Content Policy page, you can now configure rewrite and responder rules on the same UI page. This enhancement provides an improved UI experience that is more user-friendly and futuristic.
For more information, see Add content policies.
Support for CDN in cloud region recommendation engine
You can now include Content Delivery Networks (CDN) for getting recommendations on best-performing sites for a multi-site application. Navigate to Multi-site Applications > Recommendations and select CDN from the Provider Types list.
For more information, see Cloud region recommendation engine.
October 27, 2022
Intent-based auto-blocking for command injection
You can now block a client that sends 20 or more security check violation requests within a 30-minute duration. The newly introduced Block clients with 20 violations within 30 minutes option allows you to define the intent of auto-blocking malicious clients that are attempting command injection attacks. If the number of requests violating the security check received from a client increases to 20 or more in a 30-minute duration, the client is considered malicious.
For more information, see Command injection.
October 13, 2022
Rate limit policy enhancement
You can now limit the number of requests based on multiple conditions while creating a rate limit policy. The rate limit policy is applied to the traffic that matches the configured set of conditions. In addition to the existing conditions under the Limit Requests list, the following conditions are added under the Add Conditions option:
- HTTP Request URL
- HTTP Request URL Query
- HTTP Request URL Suffix
- HTTP Request Method
- Client IP Address
- HTTP Request Header
- HTTP Request Hostname
- HTTP Request Cookie
When the Add Conditions option is selected, the preceding list of conditions is displayed and the Limit Requests drop-down menu lists only the three basic options: For overall app, Per URL, and Per client IP.
For more information, see Rate limit.
Validate your Cloud Access Profile with more permissions
The existing Cloud Access Profile of the Autoscale group that connects to AWS needs additional permissions. Currently, NetScaler App Delivery and Security service invalidated the Cloud Access Profiles due to missing permissions. To validate IAM permissions, do the following:
- Go to Environments > Cloud Access Profile.
- Click the gear icon on a Cloud Access Profile and follow the instructions to validate permissions.
September 27, 2022
Authoritative DNS analytics
Authoritative DNS analytics enable you to monitor the performance of Authoritative DNS. You can view the total number of requests that are handled for a specific duration and also filter the number of requests based on certain categories. To view the authoritative DNS reports, navigate to Analytics and click the Authoritative DNS tab.
For more information, see Authoritative DNS analytics.
Fixes
ADSS-12650: You cannot edit the names of the multi-site application and the site in which the application is deployed.
September 14, 2022
OWASP Top 10 support
NetScaler App Delivery and Security service now supports security checks belonging to the 2017 and 2021 versions of OWASP Top 10. You can select the required version to enable all the security checks belonging to OWASP 2017 and 2021 under Deliver an application > Add Security Protection. For more information, see Add security protection.
August 30, 2022
Authoritative DNS
Authoritative DNS answers the incoming DNS queries from the configured DNS zones. It also manages your zones and makes routing decisions based on real-time service availability. It is highly available, with multiple anycast networks that allow you to run a robust and high-performance infrastructure.
With the authoritative DNS feature, you can create DNS zones and add DNS records in it as per your requirement. For more information, see Authoritative DNS.
Device fingerprint
The device fingerprint is the identity of a device based on the information collected about the software and hardware. The NetScaler App Delivery and Security service supports the device fingerprint technique. This technique detects if the incoming traffic is from a bot based on the device fingerprint. You can configure the NetScaler App Delivery and Security service to block requests that are detected as coming from a bot. For more information, see Device fingerprint.
July 27, 2022
Audit logging support when migrating an application from NetScaler to the NetScaler App Delivery and Security service
The NetScaler App Delivery and Security service supports migrating any existing audit related configurations when you migrate an application from NetScaler to the NetScaler App Delivery and Security service.
For more information, see Supported NetScaler features.
View and track the DNS query consumption details
You can now view and track your DNS query consumption details in the NetScaler App Delivery and Security service GUI. Navigate to the Usage dashboard to view the validity, capacity, and consumption details of the DNS queries for your Entitlements. For more information, see View Usage Dashboard.
Support for OR condition in Allow and Block list
You can now use the OR condition while adding multiple conditions for a rule in Allow and Block list. A combination of AND and OR conditions is not supported. Previously, only the AND condition was supported.
For more information, see Allow and Block list.
July 13, 2022
Support for search bar in multisite analytics
In Multisite analytics, you can now use the search bar to filter applications based on the application names.
Self-healing capability for standalone IP-type EC2 instances
The NetScaler App Delivery and Security service now supports Self-healing capability for standalone IP-type EC2 instances in AWS. You can either detect or auto replace a slow server when the server is hosted as an EC2 instance with an IP address.
For more information, see Self-heal slow application server.
June 30, 2022
Stickiness IPv4 Mask
You can now define an IPv4 subnet mask to identify the client requests coming to the multi-site application and send the requests to the same site.
For more information, see Deliver a multi-site application.
Improvements to Web Insight
The self-heal slow application server capability in the NetScaler App Delivery and Security service detects a faulty server and takes remedial action. If you enable the Detect slow server and Auto-replace slow server options, and if the service identifies a faulty server, the service replaces the faulty server with a healthy server.
You can now view analytics in Web Insight whenever a faulty server is replaced.
In Analytics, click an application, and from Web Insight, click the Server Processing Time tab to get visibility on when a faulty server is replaced.
Integration with Splunk
You can now integrate NetScaler App Delivery and Security service with Splunk to view analytics for WAF and Bot violations in your Splunk dashboard. The Splunk add-on enables you to:
- Combine all other external data sources
- Provide greater visibility of analytics in a centralized place
NetScaler App Delivery and Security service collects Bot and WAF events and sends them to Splunk periodically. The Splunk Common Information Model (CIM) add-on converts the events to CIM compatible data. As an administrator, using the CIM compatible data, you can view the WAF and Bot violations in the Splunk dashboard.
For more information, see Integration with Splunk.
SQL injection and cross-site scripting enhancements
You can now block a client that sends 20 or more security check violation requests within a 30-minute duration.
The Block clients with 20 violations within 30 minutes check box is introduced under the SQL Injection and Cross-site scripting pages. For more information, see SQL injection and Cross-site scripting.
The NetScaler App Delivery and Security service logs malicious clients and you can view the details in the Network Function column of the Action History page. For more information, see Action History.
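The 20-violations-in-30-minutes rule described here and in the command injection entry above can be reproduced over exported violation logs to review which clients would be auto-blocked. This Python sketch is an added example, not the service's implementation: the log line format, the sliding-window interpretation, per-check counting, and all names are assumptions, and the sample log is constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 20                      # violations, as stated in the release note
WINDOW = timedelta(minutes=30)      # duration, as stated in the release note
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"    # constructed log format, not the service's


def parse_line(line):
    """Parse '<timestamp> <client-ip> <security-check>' (assumed format)."""
    ts, client, check = line.split()
    return datetime.strptime(ts, TS_FORMAT), client, check


def clients_to_block(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {(client, check): time the threshold was reached}.

    Assumption: violations are counted per client and per security check,
    over a sliding window that ends at the newest violation.
    """
    events = sorted(parse_line(l) for l in lines if l.strip())
    recent = defaultdict(deque)
    blocked = {}
    for ts, client, check in events:
        key = (client, check)
        if key in blocked:
            continue
        seen = recent[key]
        seen.append(ts)
        while ts - seen[0] > window:    # drop violations older than the window
            seen.popleft()
        if len(seen) >= threshold:
            blocked[key] = ts
    return blocked


def constructed_log():
    """Constructed sample: three clients using documentation-range addresses."""
    start = datetime(2022, 10, 27, 10, 0, 0)

    def series(client, count, gap_minutes, check):
        return [
            f"{(start + timedelta(minutes=i * gap_minutes)).strftime(TS_FORMAT)} "
            f"{client} {check}"
            for i in range(count)
        ]

    return (
        series("203.0.113.7", 20, 1, "CMD_INJECTION")      # 20 in 19 minutes
        + series("198.51.100.22", 20, 2, "SQL_INJECTION")  # 20 spread over 38 minutes
        + series("192.0.2.15", 19, 1, "XSS")               # one short of the threshold
    )


if __name__ == "__main__":
    for (client, check), when in clients_to_block(constructed_log()).items():
        print(f"{client} reached {THRESHOLD} {check} violations at {when}")
```

Only the first client is flagged: the second never has 20 violations inside any 30-minute span, and the third stops at 19.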
June 16, 2022
Search box on Multi-Site Applications Dashboard
A search box is introduced on the Multi-site Applications dashboard that helps you search for a multi-site application within the list of multi-site applications.
For more information, see Multi-site application summary.
Cloud region recommendation for existing multi-site applications
The NetScaler App Delivery and Security service now supports getting site recommendations for existing multi-site applications. Enter user location, traffic expected from each user location, and the cloud service provider for an application and get its corresponding recommendations. You can choose to exclude the existing sites from the recommendation calculations.
For more information, see Cloud region recommendation engine.
Service Profiles
You can now define the core settings of a service, such as load balancing, back-end SSL, and health check configuration under a service profile. While creating a service, you can associate this service profile with the service and inherit the preferred configurations.
In the NetScaler App Delivery and Security service GUI application creation workflow, service profile settings are available while creating services under the Service Profiles tab.
For more information, see Create service profiles.
June 03, 2022
Domain name uniqueness check for a user-defined (Route 53) multi-site application
The NetScaler App Delivery and Security service checks the uniqueness of the domain name for a user-defined (Route 53) multi-site application on the Application Details page where you enter the domain name. If the entered domain name exists in the hosted DNS zone, an error message is displayed on the same screen. Previously, the uniqueness check was done during deployment which is at the end of the multi-site application creation workflow.
With this enhancement, if necessary, you are notified to change the domain name early in the workflow rather than at the end.
Handling unsupported commands while migrating a configuration
Commands that are not applicable, not supported, or contain missing entities are clearly listed when a NetScaler configuration is migrated to the NetScaler App Delivery and Security service.
The NetScaler App Delivery and Security service also displays a suggested configuration after fixing the issues. You can choose to accept the suggested configuration or edit the commands manually.
New rules for content routes
The following rules are added while creating a content route for an endpoint:
- Client TCP Address MSS - Identifies and returns the maximum segment size (MSS) in a TCP/IP packet.
- Client TCP Address Source Port - Identifies and returns the source port in a TCP/IP packet.
View Audit Log messages
You can now track the configuration activities in the NetScaler App Delivery and Security service from the Audit Log dashboard. In the left navigation pane, navigate to Audit Log.
Using the audit log dashboard, you can:
- Track all events and activities for the environments.
- Manage and monitor the applications.
- Use the filters to search the audit log messages that enable you to narrow down and find the information in real-time.
For more information, see View audit log.
Data leak prevention
The NetScaler App Delivery and Security service now supports the data leak prevention feature that avoids the leak of sensitive information, such as credit card numbers and social security numbers, to unauthorized recipients.
If your application has access to database servers that store user-specific sensitive information, the NetScaler App Delivery and Security service identifies if the responses coming from the database server contain any user-specific sensitive information. It also allows you to define one of the following actions to perform to avoid leakage of such information when a match is found:
- Block: Based on the maximum match length configured, the NetScaler App Delivery and Security service blocks those many strings in the responses. For example, if the maximum length configured is 5 for credit cards, the NetScaler App Delivery and Security service blocks the last 5 strings of the credit card.
- Mask: The NetScaler App Delivery and Security service masks the safe object details with an X in the responses before processing it further. For example, if the maximum length configured is 5 for credit cards, the NetScaler App Delivery and Security service masks the last 5 strings of the credit card with an X.
- None: No action is taken on the response. The NetScaler App Delivery and Security service processes the responses as is without any changes.
For more information on data leak prevention, see Data leak prevention.
Field format protection
The NetScaler App Delivery and Security service now supports the field format protection feature. This feature helps in reducing the risk of attacks caused by sending inappropriate data in web forms.
With this feature, the NetScaler App Delivery and Security service examines both the type and length of web form data and ensures that it is appropriate for the targeted field. If inappropriate web form data is found in a user request, you can configure the NetScaler App Delivery and Security service to block the request.
Support for role based access control in NetScaler App Delivery and Security service
NetScaler App Delivery and Security service provides role-based access control (RBAC) using which you can grant access permissions based on the roles of individual users within your organization. Only Citrix identity provider is supported in the NetScaler App Delivery and Security service currently. During the initial onboarding process, an administrator with full rights is created. This administrator can then invite other administrators to use the NetScaler App Delivery and Security service. The following custom roles are available:
AppAdministrator
- This role has permissions to create and deploy applications.
AppOperator
- This role has read-only permissions. The user can monitor an application, but not create or deploy an application.
InfraAdministrator
- This role has permissions to create an environment and cloud access profiles in addition to creating and deploying applications.
Specify subnets to be used by the NetScaler App Delivery and Security service to reach your origin application servers
Typically, you configure your application servers' security group to allow ingress traffic from all the IP addresses in the VPC. This works well by default because during environment creation, the NetScaler App Delivery and Security service creates new subnets in the VPC for provisioning the infra to reach your origin application servers. However, to increase security, you can restrict the IP addresses that the NetScaler App Delivery and Security service uses to connect to your application servers. You can do so during environment creation by specifying the subnets you created exclusively for the NetScaler App Delivery and Security service. Doing so avoids creating default subnets, and the service provisions the infra in the specified subnets. Also, ensure that you change your application servers' security group to allow ingress traffic from the subnets you have specified.
Auto-upgrade dashboard
The NetScaler App Delivery and Security service now supports the automatic upgrade of the environments. Navigate to Applications > Environments > Settings to view the Auto-upgrade dashboard. The dashboard displays the available upgrade slots for your environments and the one currently selected. Environment upgrade ensures that you retain access to the latest features and fixes offered by the service. For more information, see Manage an environment.
Support for client authentication
The SSL endpoints now support certificate-based client authentication in the NetScaler App Delivery and Security service.
Support for API definitions
The NetScaler App Delivery and Security service now supports API definitions. You can create an API definition by navigating to API Definitions > Add API. After the API definition is created, you can use it while configuring a new application, and also in application settings, such as content routes for an endpoint, content transform, and security protection. The API resource paths are available as a filter condition.
View and track the Standalone entitlement consumption details
You can now view and track your standalone Advanced and Premium entitlement consumption details in the NetScaler App Delivery and Security service GUI. Navigate to the Usage dashboard to view the validity, capacity, and consumption details of the Premium and Advanced Entitlements. For more information, see Entitlements.
May 16, 2022
Replace request URL
The NetScaler App Delivery and Security service now supports replacing the request URL with the specified URL.
For example, consider that the HTTP client request is GET /pub/WWW/TheProject.html HTTP/1.1. If there is a requirement to redirect the client request to a different resource, you can replace the URL by configuring the Replace request URL action. This modifies the client request URL before sending it to the server as GET /pub/WWW/NewProject.html HTTP/1.1. For more information, see Add content transform.
Fixes
ADSS-11270: Redirect URL for Load Balancers supports only the following format: “protocol://abc.uvw.xyz/path”. For example, https://www.citrix.com/solutions/app-delivery-and-security/.
April 28, 2022
Check health status of classic apps
You can now check the health status of deployed classic apps. The health status displays the real-time health of your deployed apps for each application service in an availability zone. To view the health status of a deployed app, click the three dots in the Actions column of the Application dashboard and then click Health Status. For more information, see Deliver a classic application.
SAML based authentication support
Admins can now add SAML authentication to the apps. Only authenticated users are allowed to access specific services configured by the admin. For more information, see Configure authentication for the endpoints.
Fixes
ADSS-10117: You cannot increase the number of rows using pagination to see the environments after the tenth environment.
April 20, 2022
DNS fallback endpoint
The NetScaler App Delivery and Security service now supports adding a DNS fallback endpoint. The DNS fallback endpoint acts as a backup endpoint and responds to DNS queries when all sites associated with a multi-site application are in DOWN state.
April 13, 2022
Changes in the Add Site page of a multi-site application
The IPv4 Address or DNS Name and IPv6 Address or DNS Name fields in the multi-site application Add Site page are now combined in the DNS Name, IPv4, or IPv6 field.