Citrix Secure Access for Windows release notes

The Citrix Secure Access client for Windows is now released on a standalone basis and is compatible with all NetScaler versions. We recommend that you use the latest version of Citrix Secure Access client as it contains the latest fixes and enhancements.

The Citrix Secure Access client releases follow the format YY.MM.Release.Build.

The release notes describe the new features, enhancements to the existing features, and fixed issues.

What’s new: The new features and enhancements available in the current release.

Fixed issues: The issues that are fixed in the current release.

For detailed information on the supported features, see NetScaler Gateway Product Documentation.

Notes:

  • We recommend that you use Citrix Secure Access client for Windows version 24.6.1.18 or higher.

  • Citrix Secure Access version 24.8.1.19 replaces 24.8.1.15 and is now generally available.

  • Citrix Secure Access version 24.6.1.18 replaces 24.6.1.17 and is now generally available.

  • Citrix Secure Access for Windows 23.5.1.3 and later releases address the security vulnerabilities described in https://support.citrix.com/article/CTX561480/citrix-secure-access-client-for-windows-security-bulletin-for-cve202324491. We do not support Citrix Secure Access for Windows versions below 23.5.1.3.

  • Starting from the Citrix Secure Access version 24.11.x.x, Microsoft Edge WebView is enabled by default. To disable the Microsoft Edge WebView, contact Citrix Support.
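A fleet check built on the version format and thresholds in the notes above, added here as an example (not Citrix code); the host names, the sample inventory, and the status labels are constructed for illustration. Versions are compared as integer tuples because plain string comparison misorders releases such as 23.10.1.7 and 23.5.1.3.

```python
"""Triage Citrix Secure Access for Windows versions against the release notes."""
import re
from typing import List, NamedTuple, Optional, Tuple

Version = Tuple[int, int, int, int]

# Thresholds copied from the Notes section of the release notes.
MIN_SUPPORTED: Version = (23, 5, 1, 3)   # older builds are unsupported (CTX561480)
RECOMMENDED: Version = (24, 6, 1, 18)    # "24.6.1.18 or higher"
SUPERSEDED = {                           # replaced build -> replacement build
    (24, 8, 1, 15): (24, 8, 1, 19),
    (24, 6, 1, 17): (24, 6, 1, 18),
}

# Status labels are this example's own, ordered from most to least urgent.
SEVERITY = ["unsupported", "unparsed", "superseded", "below-recommended", "ok"]

# YY.MM.Release.Build, for example 24.8.1.19 or 23.10.1.7
_VERSION_RE = re.compile(r"(\d{2})\.(\d{1,2})\.(\d+)\.(\d+)")


class Finding(NamedTuple):
    host: str
    version: str
    status: str
    detail: str


def parse_version(text: str) -> Optional[Version]:
    """Return (YY, MM, Release, Build) as integers, or None if malformed."""
    match = _VERSION_RE.fullmatch(text.strip())
    if match is None:
        return None
    yy, mm, release, build = (int(part) for part in match.groups())
    if not 1 <= mm <= 12:  # MM is a calendar month
        return None
    return (yy, mm, release, build)


def fmt(version: Version) -> str:
    return ".".join(str(part) for part in version)


def classify(host: str, version_text: str) -> Finding:
    """Map one reported client version to a status from SEVERITY."""
    version = parse_version(version_text)
    if version is None:
        return Finding(host, version_text, "unparsed",
                       "not in YY.MM.Release.Build form; check manually")
    if version < MIN_SUPPORTED:
        return Finding(host, version_text, "unsupported",
                       f"below {fmt(MIN_SUPPORTED)}; predates the fixes "
                       "referenced by bulletin CTX561480")
    if version in SUPERSEDED:
        return Finding(host, version_text, "superseded",
                       f"replaced by {fmt(SUPERSEDED[version])}")
    if version < RECOMMENDED:
        return Finding(host, version_text, "below-recommended",
                       f"upgrade to {fmt(RECOMMENDED)} or higher")
    return Finding(host, version_text, "ok", "meets the recommended minimum")


def triage(inventory: List[Tuple[str, str]]) -> List[Finding]:
    """Classify every (host, version) pair, most urgent findings first."""
    findings = [classify(host, version) for host, version in inventory]
    return sorted(findings, key=lambda f: SEVERITY.index(f.status))


# Constructed sample inventory; real input would come from your asset database.
SAMPLE_INVENTORY = [
    ("wks-001", "24.8.1.19"),
    ("wks-002", "23.10.1.7"),   # the string "23.10.1.7" sorts before "23.5.1.3"
    ("wks-003", "23.4.1.5"),
    ("wks-004", "24.8.1.15"),
    ("wks-005", "24.6.1.17"),
    ("wks-006", "unknown"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_INVENTORY):
        print(f"{finding.host:8} {finding.version:10} "
              f"{finding.status:18} {finding.detail}")
```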

24.8.1.19 (10-Oct-2024)

Important update:

Citrix Secure Access version 24.8.1.19 replaces 24.8.1.15 and is now generally available.

What’s new

  • Secure Private Access support for cloud-hosted multi-session VDI - Preview

    Citrix Secure Access client now supports the use of Secure Private Access to achieve zero trust access to corporate resources from cloud-hosted multi-session VDIs. Admins can enable this feature using the EnableMultiSessionFlow registry. For domain-joined machines, use both the EnableMultiSessionFlow and AlwaysOnService registries. For more information, see NetScaler Gateway Windows VPN client registry keys.

    [CSACLIENTS-10642]

  • Continuous device posture assessment for active Secure Private Access applications

    When you enable the Periodic scan setting in the Device Posture Service, the EPA client scans the device every 30 minutes. If it detects a downgrade in posture status, it notifies the user and disconnects active Secure Private Access connections through the Citrix Secure Access client. For more information, see Periodic scanning of devices.

    [AAUTH-4910]

  • Support to exclude DNS traffic by Citrix Secure Access

    You can now exclude DNS traffic from being intercepted by Citrix Secure Access client. For more information, see Exclude specific domain traffic from client interception.

    [CSACLIENTS-10347]

  • Always On location detection support for Secure Private Access

    Citrix Secure Access for Windows supports the location detection feature for the Secure Private Access service. It connects the user’s machine to the VPN session if it is not in the corporate network and disconnects the user’s VPN session if the machine is in the corporate network. You must use the locationDetection registry and configure the DNS suffix on the Secure Private Access admin UI console to enable the location detection feature.

    For more information on using the registry, see NetScaler Gateway Windows VPN client registry keys.

    For more information on configuring the DNS suffix, see DNS suffixes to resolve FQDNs to IP addresses.

    [CSACLIENTS-8783]

  • Auto log on support for Azure Entra ID

    Citrix Secure Access supports auto-logon for Azure AD joined machines and hybrid Azure AD joined machines using the Primary Refresh Token (PRT) mechanism for both NetScaler Gateway and Secure Private Access. For more information, see Citrix Secure Access auto logon for Windows Azure AD joined machines.

    [CSACLIENTS-10595]

  • Support to triage and troubleshoot enumeration failures

    Citrix Secure Access now supports triaging and troubleshooting enumeration failures using Citrix Monitor or Citrix Director, in Secure Private Access deployments. For more information, see Secure Private Access integration with Director (Preview).

    [CSACLIENTS-10751]

  • Enhanced Windows Last Update scan

    The Windows Last Update scan now checks the Windows updates installed through the Windows Auto Upgrade service and also the updates installed via BigFix, Intune, and other third-party tools. For more information, see Advanced Endpoint Analysis scans.

    [AAUTH-4876]

  • Split DNS support for TCP-based DNS requests

    Citrix Secure Access supports split DNS for TCP-based DNS requests, in the same way as for UDP-based DNS requests. Admins can enable this feature using the EnableTCPDNS registry. For more information, see Session policies and NetScaler Gateway Windows VPN client registry keys.

    [CSACLIENTS-8142]

  • Enhanced client certificate authentication

    During client certificate authentication, Citrix Secure Access automatically selects the client certificate based on the CA certificates configured on NetScaler Gateway. For more information, see Configuring Client Certificate Authentication.

    [CSACLIENTS-10592]

  • Support for Citrix Secure Private Access for on-premises

    Citrix Secure Access now supports Citrix Secure Private Access for on-premises. For more information, see Citrix Secure Access client.

    [CSACLIENTS-10543]

Fixed issues

  • Citrix Secure Access client does not display the correct error message on the Windows Credential Provider screen if the authentication fails due to an unreachable network.

    [SPAHELP-333]

  • The Citrix Secure Access client UI fails to display the custom messages configured using the NetScaler Gateway RfWebUI portal theme.

    [NSHELP-38362]

  • DNS traffic is dropped if the DNS suffix applied to the Citrix Virtual Adapter (connected to Citrix Secure Access) is truncated after 15 characters. This issue occurs because NetScaler Gateway treats the DNS suffix as a NetBIOS name.

    [NSHELP-37990]

  • Citrix Secure Access client generates high DNS traffic when a user accesses multiple applications over the VPN tunnel.

    [NSHELP-37822]

24.6.1.18 (24-Jul-2024)

Important update:

Citrix Secure Access version 24.6.1.18 replaces 24.6.1.17 and is now generally available.

What’s new

  • EPA scan to check Citrix Workspace app version

    Citrix Secure Access supports a new EPA scan “CWA Version”, that verifies the Citrix Workspace version on Windows machines. For details about the supported EPA scans, see Expression strings.

    [AAUTH-4870]

  • Automatic single sign-on to Citrix Secure Access through Citrix Workspace app

    Citrix Workspace app offers a unified client management experience for Citrix Secure Access. When users log on to Citrix Workspace app, they are automatically signed on to Citrix Secure Access and can access TCP/UDP applications seamlessly without the need to manually configure and sign in to multiple client applications. For details, see Automatic single sign-on to Citrix Secure Access through Citrix Workspace app for Windows - Preview.

    [CSACLIENTS-6418]

  • Tunnel exclusion support in Secure Private Access

    Citrix Secure Access can now exclude certain application traffic from being tunneled by using the ExcludeDomainsFromTunnel registry.

    If example.com is an intranet domain that hosts multiple applications, and you want to exclude specific applications such as sshhost.example.com, rdphost.example.com, *.ftphost.example.com, you can use this registry.

    For details, see NetScaler Gateway Windows VPN client registry keys.

    [CSACLIENTS-8972]

  • IP address spoofing for TCP-based DNS requests

    Citrix Secure Access supports IP address spoofing of TCP-based DNS requests in the following scenarios:

    • FQDN-based tunneling rules are configured on NetScaler Gateway.
    • FQDNs match the DNS suffixes in a Citrix Secure Private Access deployment.

    [CSACLIENTS-8328]

  • Interoperability enhancements with third-party secure web gateway

    The User-Agent strings for Citrix Secure Access have been updated for enhanced interoperability with third-party secure web gateways.

    [CSACLIENTS-8593]

  • Support for Citrix Secure Private Access for on-premises

    Citrix Secure Access now supports Citrix Secure Private Access for on-premises.

    [CSACLIENTS-10543]

  • Enhanced EPA scan encryption

    The encryption of EPA scans is enhanced with Elliptic Curve Diffie-Hellman (ECDH) keys.

    [CSACLIENTS-8308]

  • Hash key for signature creation

    Admins can now use the SHA-384 hash key to create signatures for device certificate authentication.

    [CSACLIENTS-8296]

  • Seamless connectivity during POP failure

    In a Secure Private Access deployment, VPN users are automatically reconnected to a different Point of Presence (POP) without manual intervention, when connectivity to the current POP fails.

    [CSACLIENTS-6396]

  • Enhanced diagnostics

    The Citrix Secure Access diagnostics are enhanced with additional fields that can help troubleshoot access issues with TCP/UDP apps.

    [CSACLIENTS-8335]

Fixed issues

  • DNS resolution fails on Windows 11 devices if the Windows Management Instrumentation Command-line (WMIC) feature is disabled.

    [NSHELP-37603]

  • Citrix Secure Access blocks IPv6 traffic from being routed over a loopback interface if reverse split tunneling and intranet IP address are configured on NetScaler Gateway.

    [NSHELP-37096], [NSHELP-37534]

  • Citrix Secure Access crashes if the IP address range of the intranet application is configured with a wildcard subnet mask.

    [NSHELP-37788]

  • After an upgrade, users cannot connect to Microsoft applications if reverse split tunneling and intranet IP addresses are configured on NetScaler Gateway.

    [NSHELP-37876]

  • When Citrix Secure Access client is configured with WFP, VPN connectivity is lost during an active session or when multiple logins and logouts happen.

    [NSHELP-37881]

  • DNS resolution is delayed when applications on the client machine send A and AAAA record-type DNS queries.

    [NSHELP-38067]

  • Kerberos authentication fails in a Citrix Secure Private Access deployment.

    [SPAHELP-286]

  • In the Windows Filtering Platform (WFP) mode, the application name of the intranet resource being accessed appears as N/A on the Secured Applications’ connections tab on the Citrix Secure Access UI.

    [CSACLIENTS-9664]

  • In a Citrix Secure Private Access deployment, Citrix Secure Access client fails to switch from machine-level tunnel to user-level tunnel if Always On is configured.

    [CSACLIENTS-9604]

24.4.1.7 (30-Apr-2024)

Fixed issues

End-users cannot log on to Citrix Secure Access when autologon fails in the Microsoft Edge WebView mode.

[CSACLIENTS-10005]

DNS resolution fails for some backend resources when the AAAA record-type DNS queries are sent by the client application.

[SPAHELP-288], [CSACLIENTS-10460]

Citrix Secure Access might fail to establish new connections in the WFP driver mode if the client runs for several hours.

[NSHELP-37427], [NSHELP-37124], [SPAHELP-280]

Citrix Secure Access displays an EPA scan error message of a device certificate failure in a different language, although the language set is English.

[NSHELP-37477]

Internet and intranet connections might be lost after a prolonged VPN session if Always On VPN is configured in the WFP mode.

[NSHELP-37283]

EPA scan fails when the “filetime” parameter is configured.

[NSHELP-37564]

The MD5 checksum configuration of a file fails during an EPA scan.

[NSHELP-37491]

The Windows credential manager screen displays the Citrix Secure Access icon even though VPN is not in the Always On VPN mode.

[NSHELP-37205]

The Citrix Secure Access logs display the IP addresses in reverse order. For example, if a Microsoft Edge browser is connected to NetScaler (IP: 192.20.4.5:24), the log message appears as:

"Application msedge.exe has opened a connection to 5.4.20.192:24 |Making a connection to 5.4.20.192:24 by msedge.exe |"

[NSHELP-37314]

After an upgrade, when users click the Home page button on the Citrix Secure Access GUI, the home page URL fails to launch on the default browser.

[NSHELP-37659]

The device certificate check fails in a Citrix Secure Private Access deployment if the certificate is signed by an intermediate CA instead of the root CA.

[SPAHELP-287]

24.2.1.15 (04-Mar-2024)

What’s new

  • Support for SNI

    In a Citrix Secure Private Access deployment, Citrix Secure Access client now supports the server name indication (SNI) extension on all the pre-authentication requests.

    [SPAHELP-236]

  • Support for TLS 1.3

    Citrix Secure Access client now supports the TLS 1.3 protocol. TLS 1.3 is supported on the following platforms:

    • Windows 11 and later
    • Windows Server 2022 and later

    For details on how to configure TLS 1.3 on NetScaler, see Support for TLS 1.3 protocol.

    [CSACLIENTS-6106]

  • Support for Windows OS details in the HTTP header

    Citrix Secure Access client now includes details of the Windows OS as part of the HTTP header (user-agent) string.

    [NSHELP-36732]

Fixed issues

  • DNS resolution intermittently fails if IPv6 is enabled on the client network adapter.

    [NSHELP-35708]

  • Users might not be able to log on to Citrix Secure Access client if there are simultaneous login attempts using autologon.

    [NSHELP-35768]

  • Citrix Secure Access installation fails when Smart App Control is enabled on non-English client machines.

    [NSHELP-36126], [NSHELP-36907]

  • Users cannot access some applications through VPN if Citrix Secure Access client is configured with the WFP driver. This issue occurs because of modifications to the firewall policies.

    [NSHELP-36254], [NSHELP-36312]

  • A popup dialog appears during an EPA scan. However, when the user clicks OK, EPA scan works as usual. This issue occurs when the Swedish language is selected (Configuration > Language) on the Citrix Secure Access client UI.

    [NSHELP-36408]

  • In an Always On VPN mode, the machine level tunnel fails to transfer the session when the user certificate authentication is configured on NetScaler Gateway.

    [NSHELP-36492]

  • Access to the intranet resources intermittently fails when the Windows Filtering Platform (WFP) driver is enabled on Citrix Secure Access client.

    [NSHELP-36568]

  • The Citrix Secure Access client UI page intermittently freezes when users click the Home button.

    [NSHELP-37046]

  • Non-admin users cannot connect to the full VPN tunnel if the following conditions are met:

    • EPA is configured as a factor in an nFactor flow.
    • Edge WebView is enabled.
    • The control upgrade setting of Citrix EPA client is set to Always on NetScaler Gateway and there’s a mismatch in the Citrix EPA client versions between the client device and NetScaler.

    [NSHELP-37340]

  • EPA device certificate scan fails if the client machine’s system certificate store contains only one device certificate.

    [NSHELP-37371]

  • The login page of Citrix Secure Access client intermittently goes blank when connecting to Citrix Secure Private Access service.

    [SPAHELP-202]

  • End-users might not be able to connect the client machines to the domain through VPN if Windows Server 2019 or later versions are used.

    [SPAHELP-219]

  • When Citrix Device Posture service is enabled, unwanted entries appear in the Connection drop-down list of the Citrix Secure Access client UI.

    [SPAHELP-271]

  • End-users cannot access the intranet resources if the single sign-on feature is enabled on Citrix Secure Access client.

    [CSACLIENTS-9940]

  • Citrix Secure Access might crash due to memory corruption.

    [NSHELP-36993]

23.10.1.7 (29-Nov-2023)

What’s new

  • Configure private port range for server initiated connections

    You can now configure a private port ranging from 49152 to 64535 for server-initiated connections. Configuring private ports avoids conflicts that might arise when you use ports to create sockets between Citrix Secure Access client and third-party apps on the client machines. You can configure the private ports by using the “SicBeginPort” Windows VPN registry. Alternatively, you can configure the private port range by using a VPN plug-in customization JSON file on NetScaler.

    For more information, see Configure server-initiated connections and NetScaler Gateway Windows VPN client registry keys.

    [NSHELP-36627]

  • Kerberos authentication support for seamless autologon

    Citrix Secure Access client now uses the Kerberos authentication method for autologon. As part of this support, a VPN client registry key “EnableKerberosAuth” is introduced. As a prerequisite, admins must configure Kerberos authentication on NetScaler and on their client machines. End users must install Microsoft Edge WebView on their machines to enable the Kerberos authentication method. For more information, see Autologon with Kerberos authentication.

    [CSACLIENTS-3128]

  • Auto assign of spoof IP address range

    Citrix Secure Access client can now detect and apply a new spoof IP address range if there is a conflict between the admin-configured spoof IP address range and the IP-based applications or the end-user’s network.

    [CSACLIENTS-6132]

  • Microsoft notifications

    The Citrix Secure Access client notifications now appear as Microsoft notifications on the Notifications panel of your Windows machine.

    [CSACLIENTS-6136]

  • Improved log collection

    The Verbose log level is now used as the default debug logging level for an enhanced log collection and troubleshooting. For more information about logging, see Configure logging by using the client user interface.

    [CSACLIENTS-8151]

Fixed issues

Citrix Secure Access client remains in the “Connecting” state if the machine tunnel of the Always On service fails to detect the client device location.

[CSACLIENTS-1174]

The transfer logon feature fails to work when Microsoft Edge WebView is enabled in Citrix Secure Access client.

[CSACLIENTS-6655]

In the Always On service mode, Citrix Secure Access client fails to establish a machine-level tunnel with NetScaler Gateway if the device certificate-based classic authentication policies are bound to a VPN virtual server.

[NSHELP-33766]

Incoming and outgoing Webex calls fail when users are connected to the VPN. This issue occurs when the Windows filtering platform (WFP) driver is enabled on Citrix Secure Access client instead of the Deterministic network enhancer (DNE) driver.

[NSHELP-34651]

Citrix Secure Access client crashes if the following conditions are met:

  • Connections are switched when SAML policies are bound to a VPN virtual server.
  • Internet Explorer WebView support is enabled.

[NSHELP-35366]

The Citrix Secure Access client UI displays the Connect button during autologon. This issue occurs if the UserCert authentication method is used to connect to VPN.

[NSHELP-36134]

The local LAN access feature fails to work with Citrix Secure Access client if a machine-level tunnel is configured.

With this release, the local LAN access feature can be set with a machine-level tunnel configuration. To achieve this, you must configure the local LAN access parameter to FORCED when using the machine tunnel mode. For more details, see Enforce local LAN access to end users based on ADC configuration.

[NSHELP-36214]

When a client machine wakes up from sleep mode multiple times, Citrix Secure Access client fails to establish a VPN connection with the intranet applications.

[NSHELP-36221]

23.8.1.11 (19-Oct-2023)

Fixed issues

The epaPackage.exe file might fail to download if forward proxy support is configured on NetScaler Gateway.

[CSACLIENTS-6917]

The Citrix EPA client installation fails for non-admin users with restricted access to C drive.

[NSHELP-36590]

23.8.1.5 (09-Aug-2023)

Fixed issues

Kerberos SSO fails for applications when connected over Citrix Secure Private Access service.

[CSACLIENTS-912]

Application access with Citrix Secure Private Access service fails intermittently. This issue occurs when Citrix Secure Access client shares an incorrect destination IP address for TCP or UDP traffic.

[CSACLIENTS-1151, CSACLIENTS-6326]

Citrix Secure Access client fails to launch applications intermittently because of a DNS caching issue.

[CSACLIENTS-1170]

Citrix Secure Access client fails to apply a DNS suffix to Citrix Virtual Adapter. This issue occurs when Citrix Virtual Adapter fails to authenticate with Active Directory.

[NSHELP-33817]

Citrix Secure Access client crashes if the following conditions are met:

  • NetScaler Gateway virtual server contains a client certificate as a factor for nFactor authentication.
  • Microsoft Edge WebView support is enabled.

[CSACLIENTS-6171]

When connected to VPN, you might not be able to access back-end resources after you apply Microsoft KB5028166.

[NSHELP-35909]

Citrix Secure Access client intermittently fails to download the configurations from NetScaler Gateway when the portal customization exceeds the allowed limit.

[NSHELP-35971]

Known issues

The transfer logon feature fails to work with Citrix Secure Access client. This issue occurs when Microsoft Edge WebView is enabled.

Workaround: Log on using a web browser to transfer the session.

23.7.1.1 (14-Jul-2023)

Fixed issues

In some cases, after an upgrade to the release version 23.x.x.x, traffic fails to pass through the VPN tunnel, which blocks VPN access when an intranet IP range is configured on NetScaler. This happens when the cross-profile firewall rule is not applied to VPN applications.

[NSHELP-35766]

23.5.1.3 (02-Jun-2023)

Fixed issues

The Always On service crashes when the improved log collection is enabled using the “useNewLogger” registry under HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Secure Access Client.

[CGOP-24462]

23.4.1.5 (14-Apr-2023)

What’s new

  • Microsoft Edge WebView support

    Microsoft Edge WebView support on Citrix Secure Access client for Windows introduces an enhanced end user experience. This feature is disabled by default. For details, see Microsoft Edge WebView support for Windows Citrix Secure Access.

    [CGOP-22245]

  • Adding DNS suffixes to resolve FQDNs to IP addresses

    Admins can now add suffixes to the applications at the operating system level. This helps Citrix Secure Access clients to resolve a non-fully qualified domain name during name resolution.

    Admins can also configure applications using the IP addresses (IP CIDR/IP range) so that the end users can access the applications using the corresponding FQDNs. For details, see DNS suffixes to resolve FQDNs to IP addresses.

    [ACS-2490]

  • Improved log collection

    The logging feature for the Windows Secure Access client is now improved for log collection and debugging. The following changes are made to the logging feature.

    • Enable users to change the maximum log file size to a value less than 600 MB.
    • Enable users to update the number of log files to less than 5.
    • Increase the log levels to three for the new logging feature.

    With these changes, admins and end-users can collect logs from the current session and past sessions. Previously, collection of logs was limited to the current sessions only. For details, see Improved log collection for Windows client.

    Note:

    To enable debug logging, select Logging > Verbose from the Select Log Level drop-down list. Prior to the Citrix Secure Access client for Windows 23.4.1.5 release, debug logging could be enabled using the Configuration > Enable debug logging check-box.

    [CGOP-23537]

  • Support for sending events to Citrix Analytics service

    Citrix Secure Access client for Windows now supports sending events such as session creation, session termination, and app connection to Citrix Analytics service. These events are then logged in Citrix Secure Private Access dashboard.

    [SPA-2197]

Fixed issues

  • Citrix Secure Access client single sign-on authentication with Citrix Workspace app to cloud endpoint fails for Unicode users.

    [CGOP-22334]

  • Access to the resources fails when host name-based applications are configured along with DNS suffix in Citrix Secure Private Access.

    [SPA-4430]

  • Always-On VPN connection fails intermittently on startup due to gateway virtual server reachability issue.

    [NSHELP-33500]

  • Intranet resources overlapping with a spoofed IP address range cannot be accessed with split-tunnel set to OFF on the Citrix Secure Access client.

    [NSHELP-34334]

  • Citrix Secure Access client fails to load the authentication schema leading to login failure in Citrix Secure Private Access service.

    [SPAHELP-98]

23.1.1.11 (20-Feb-2023)

This release addresses issues that help to improve the overall performance and stability of Citrix Secure Private Access service.

23.1.1.8 (08-Feb-2023)

Fixed issues

  • DNS resolution failures occur because Citrix Secure Access fails to prioritize IPv4 packets over IPv6 packets.

    [NSHELP-33617]

  • The OS filtering rules are captured when the Citrix Secure Access client is running in Windows Filtering Platform (WFP) mode.

    [NSHELP-33715]

  • Spoofed IP address is used for IP-based intranet applications when the Citrix Secure Access client runs on Citrix Deterministic Network Enhancer (DNE) mode.

    [NSHELP-33722]

  • When using the Windows Filtering Platform (WFP) driver, sometimes intranet access does not work after the VPN is reconnected.

    [NSHELP-32978]

  • Endpoint analysis (EPA) scan for OS version check fails on Windows 10 and Windows 11 Enterprise multi-session desktops.

    [NSHELP-33534]

  • By default, the Windows client supports a configuration file size of 64 KB, which restricts users from adding more entries to the configuration file. This size can be increased by setting the ConfigSize registry value in HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Secure Access Client. The ConfigSize registry key type is REG_DWORD and the key data is <Bytes size>. If the configuration file size is larger than the default value (64 KB), the ConfigSize registry value must be set to 5 x 64 KB (after converting to bytes) for every addition of 64 KB. For example, if you are adding an additional 64 KB, you must set the registry value to 64 x 1024 x 5 = 327680. Similarly, if you are adding 128 KB, you must set the registry value to 64 x 1024 x (5+5) = 655360.

    [SPA-2865]

  • On VPN logoff, DNS suffix list entries in SearchList registry are rewritten in a reverse order separated by one or more commas.

    [NSHELP-33671]

  • Proxy authentication fails when the NetScaler appliance completes an EPA scan for antivirus.

    [NSHELP-30876]

  • If the Citrix Secure Access related registry values are greater than 1500 characters, then the log collector fails to gather the error logs.

    [NSHELP-33457]

22.10.1.9 (08-Nov-2022)

What’s new

  • EPA support for connection proxy type site persistence in GSLB

    Windows EPA scan now supports connection proxy type site persistence in GSLB when the scan is initiated from a browser. Previously, EPA scan for Windows did not support connection proxy persistence type for browser initiated EPA scan.

    [CGOP-21545]

  • Seamless single sign-on for Workspace URL (Cloud only)

    Citrix Secure Access client now supports single sign-on for Workspace URL (cloud only) if the user has already logged on via the Citrix Workspace app. For more details, see Single sign-on support for the Workspace URL for users logged in via Citrix Workspace app.

    [ACS-2427]

  • Manage Citrix Secure Access client and/or EPA plug-in version via Citrix Workspace App (Cloud only)

    Citrix Workspace app now has the capability to download and install the latest version of Citrix Secure Access and/or EPA plug-in via the Global App Configuration Service. For more details, see Global App Configuration Service.

    [ACS-2426]

  • Debug logging control enhancement

    Debug logging control for Citrix Secure Access client is now independent of NetScaler Gateway and it can be enabled or disabled from the plug-in UI for both machine and user tunnel.

    [NSHELP-31968]

  • Support for Private Network Access preflight requests

    Citrix Secure Access Client for Windows now supports Private Network Access preflight requests issued by the Chrome browser when accessing private network resources from public websites.

    [CGOP-20544]

Fixed issues

  • The Citrix Secure Access client, version 21.7.1.1 and later, fails to upgrade to later versions for users with no administrative privileges.

    This is applicable only if the Citrix Secure Access client upgrade is done from a NetScaler appliance. For details, see Upgrade/downgrade issue on Citrix Secure Access client.

    [NSHELP-32793]

  • Users cannot log on to VPN because of intermittent EPA failures.

    [NSHELP-32138]

  • Sometimes, the Citrix Secure Access client in machine tunnel only mode does not establish the machine tunnel automatically after the machine wakes up from sleep mode.

    [NSHELP-30110]

  • In Always on service mode, user tunnel tries to start even if only machine tunnel is configured.

    [NSHELP-31467]

  • The Home Page link on the Citrix Secure Access UI does not work if Microsoft Edge is the default browser.

    [NSHELP-31894]

  • Customized EPA failure log message is not displayed on the NetScaler Gateway portal, instead the message “internal error” is displayed.

    [NSHELP-31434]

  • When users click the Home Page tab on the Citrix Secure Access screen for Windows, the page displays the connection refused error.

    [NSHELP-32510]

  • On some client machines, the Citrix Secure Access client fails to detect the proxy setting and this results in logon failure.

    [SPAHELP-73]

Known issues

22.6.1.5 (17-June-2022)

What’s new

  • Login and logout script configuration

    The Citrix Secure Access client accesses the login and logout script configuration from the following registries when the Citrix Secure Access client connects to the Citrix Secure Private Access cloud service.

    Registry path: HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Secure Access Client

    Registry values:

    • SecureAccessLogInScript type REG_SZ - path to login script
    • SecureAccessLogOutScript type REG_SZ - path to logout script

    [ACS-2776]

  • Windows Citrix Secure Access client using Windows Filtering Platform (WFP)

    WFP is a set of APIs and system services that provide a platform for creating network filtering applications. WFP is designed to replace previous packet filtering technologies, including the Network Driver Interface Specification (NDIS) filter, which was used with the DNE driver. For details, see Windows Citrix Secure Access client using Windows Filtering Platform.

    [CGOP-19787]

  • FQDN based reverse split tunnel support

    WFP driver now enables support for FQDN based REVERSE split tunneling. It is not supported with the DNE driver. For more details on reverse split tunnel, see Split tunneling options.

    [CGOP-16849]

Fixed issues

  • Sometimes, the Windows auto logon does not work when a user logs in to the Windows machine in an Always On service mode. The machine tunnel does not transition to the user tunnel and the message Connecting is displayed in the VPN plug-in UI.

    [NSHELP-31357]

  • On VPN logoff, the DNS suffix list entries in SearchList (Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Secure Access Client) registry are rewritten in reverse order separated by one or more commas.

    [NSHELP-31346]

  • Spoofed IP address is used even after the NetScaler intranet application configuration is changed from FQDN based to IP based application.

    [NSHELP-31236]

  • The gateway home page is not displayed immediately after the gateway plug-in establishes the VPN tunnel successfully.

    With this fix, the following registry value is introduced.

    \HKLM\Software\Citrix\Secure Access Client\SecureChannelResetTimeoutSeconds

    Type: DWORD

    By default, this registry value is not set or added. When the value of “SecureChannelResetTimeoutSeconds” is 0 or the value is not added, the fix to handle the delay is not applied; this is the default behavior. Admins must set this registry value on the client to enable the fix (that is, to display the home page immediately after the gateway plug-in establishes the VPN tunnel successfully).

    [NSHELP-30189]

  • AlwaysOnAllow list registry does not work as expected if the registry value is greater than 2000 bytes.

    [NSHELP-31836]

  • Citrix Secure Access client for Windows does not tunnel new TCP connections to the back-end TCP server if the already connected Citrix Secure Private Access service region becomes unreachable. However, this does not affect the on-premises gateway connections.

    [ACS-2714]

22.3.1.5 (24-Mar-2022)

Fixed issues

  • The Windows EPA plug-in name is reverted to the NetScaler Gateway EPA plug-in.

    [CGOP-21061]

Known issues

  • Citrix Secure Access client for Windows does not tunnel new TCP connections to the back-end TCP server if the already connected Citrix Secure Private Access service region becomes unreachable. However, this does not affect the on-premises gateway connections.

    [ACS-2714]

22.3.1.4 (10-Mar-2022)

What’s new

  • Enforce local LAN access to end users based on ADC configuration

    Admins can restrict the end users from disabling the local LAN access option on their client machines. A new option, FORCED is added to the existing Local LAN Access parameter values. When the Local LAN Access value is set to FORCED, the local LAN access is always enabled for end users on the client machines. End users cannot disable the local LAN settings using the Citrix Secure Access client UI. If admins want to provide an option to enable or disable local LAN access to the end user, they must re-configure the Local LAN access parameter to ON.

    To enable the FORCED option by using the GUI:

    1. Navigate to NetScaler Gateway > Global Settings > Change Global Settings.
    2. Click the Client Experience tab and then click Advanced Settings.
    3. In Local LAN Access, select FORCED.

    To enable the FORCED option by using the CLI, run the following command:

     set vpn parameter -localLanAccess FORCED

    [CGOP-19935]

  • Support for Windows Server 2019 and 2022 in the EPA OS scan

    EPA OS scan now supports Windows Server 2019 and 2022.

    You can select the new servers by using the GUI.

    1. Navigate to NetScaler Gateway > Policies > Preauthentication.
    2. Create a new preauthentication policy or edit an existing policy.
    3. Click the OPSWAT EPA Editor link.
    4. In Expression Editor, select Windows > Windows Update and click the + icon.
    5. In OS Name, select the server as per your requirement.

    You can upgrade to the OPSWAT version 4.3.2744.0 to use Windows Server 2019 and 2022 in the EPA OS scan.

    [CGOP-20061]

  • New EPA scan classification types for missing security patches

    The following new classification types are added to the EPA scan for missing security patches. The EPA scan fails if the client has any of the following missing security patches.

    • Application
    • Connectors
    • CriticalUpdates
    • DefinitionUpdates
    • DeveloperKits
    • FeaturePacks
    • Guidance
    • SecurityUpdates
    • ServicePacks
    • Tools
    • UpdateRollups
    • Updates

    You can configure the classification types by using the GUI.

    1. Navigate to NetScaler Gateway > Policies > Preauthentication.
    2. Create a new preauthentication policy or edit an existing policy.
    3. Click the OPSWAT EPA Editor link.
    4. In Expression Editor, select Windows > Windows Update.
    5. In Shouldn’t have missing patch of following windows update classification type, select the classification type for the missing security patches.
    6. Click OK.

    You can upgrade to the OPSWAT version 4.3.2744.0 to use these options.

    Earlier, the EPA scans for missing security patches on the Windows client were based on the severity levels: Critical, Important, Moderate, and Low.

    [CGOP-19465]

  • Support for multiple device certificates for EPA scan

    In the Always on VPN configuration, if multiple device certificates are configured, the certificate with the longest expiry date is tried first for the VPN connection. If the EPA scan succeeds with this certificate, the VPN connection is established. If the scan fails with this certificate, the next certificate is used. This process continues until all the certificates are tried.

    Earlier, if multiple valid certificates were configured and the EPA scan failed for one certificate, the scan was not attempted with the other certificates.

    [CGOP-19782]

Fixed issues

  • If the clientCert parameter is set to ‘Optional’ in the SSL profile when configuring the VPN virtual server, users are prompted multiple times to select the smart card.

    [NSHELP-30070]

  • Users cannot connect to the NetScaler Gateway appliance after changing the ‘networkAccessOnVPNFailure’ always on profile parameter from ‘fullAccess’ to ‘onlyToGateway’.

    [NSHELP-30236]

  • When Always on is configured, the user tunnel fails because of the incorrect version number (1.1.1.1) in the aoservice.exe file.

    [NSHELP-30662]

  • DNS resolution to internal and external resources stops working over a prolonged VPN session.

    [NSHELP-30458]

  • The Windows VPN client does not honor the ‘SSL close notify’ alert from the server and sends the transfer login request on the same connection.

    [NSHELP-29675]

  • Registry EPA check for the “==” and “!=” operator fails for some registry entries.

    [NSHELP-29582]

22.2.1.103 (17-Feb-2022)

Fixed issues

  • Users cannot launch the EPA plug-in or the VPN plug-in after an upgrade to Chrome 98 or Edge 98 browser versions. To fix this issue, perform the following:

    1. For the VPN plug-in upgrade, end users must connect using the VPN client for the first time to get the fix on their machines. In the subsequent login attempts, users can choose the browser or the plug-in to connect.
    2. For the EPA only use case, the end users will not have the VPN client to connect to the gateway. In this case, perform the following:

      1. Connect to the gateway using a browser.
      2. Wait for the download page to appear and download the nsepa_setup.exe.
      3. After downloading, close the browser and install the nsepa_setup.exe file.
      4. Restart the client.

    [NSHELP-30641]

21.12.1.4 (17-Dec-2021)

What’s new

  • Rebranding changes

    NetScaler Gateway plug-in for Windows is rebranded to Citrix Secure Access client.

    [ACS-2044]

  • Support for TCP/HTTP(S) private applications

    Citrix Secure Access client now supports TCP/HTTP(S) private applications for remote users through the Citrix Workspace Secure Access service.

    [ACS-870]

  • Additional language support

    Windows VPN and EPA plug-ins for NetScaler Gateway now support the following languages:

    • Korean
    • Russian
    • Chinese (Traditional)

    [CGOP-17721]

  • Citrix Secure Access support for Windows 11

    Citrix Secure Access client is now supported for Windows 11.

    [CGOP-18923]

  • Automatic transfer logon when the user is logging in from the same machine and Always on is configured

    Automatic login transfer now occurs without any user intervention when Always on is configured and the user is logging in from the same machine. Previously, when the client (user) had to log in again in scenarios such as a system restart or network connectivity issues, a pop-up message appeared and the user had to confirm the transfer login. With this enhancement, the pop-up window is disabled.

    [CGOP-14616]

  • Deriving Citrix Virtual Adapter default gateway IP address from the NetScaler provided net mask

    Citrix Virtual Adapter default gateway IP address is now derived from the NetScaler provided net mask.

    [CGOP-18487]

Fixed issues

  • Sometimes, users lose internet access after a VPN tunnel is established in split tunnel ON mode. Citrix Virtual adapter’s erroneous default route causes this network issue.

    [NSHELP-26779]

  • When split tunnel is set to “Reverse,” DNS resolution for the intranet domains fails.

    [NSHELP-29371]

21.9.100.1 (30-Dec-2021)

What’s new

  • Citrix Secure Access support for Windows 11

    Citrix Secure Access client is now supported for Windows 11.

    [CGOP-18923]

Fixed issues

  • Sometimes, users lose internet access after a VPN tunnel is established in split tunnel ON mode. Citrix Virtual adapter’s erroneous default route causes this network issue.

    [NSHELP-26779]

  • When split tunnel is set to “Reverse,” DNS resolution for the intranet domains fails.

    [NSHELP-29371]

21.9.1.2 (04-Oct-2021)

Fixed issues

  • Sometimes, after disconnecting the VPN, the DNS resolver fails to resolve the host names, because the DNS suffixes are removed during VPN disconnection.

    [NSHELP-28848]

  • Sometimes, a user is logged out of NetScaler Gateway within a few seconds when the client idle timeout is set.

    [NSHELP-28404]

  • The Windows plug-in might crash during authentication.

    [NSHELP-28394]

  • In Always On service mode, the VPN plug-in for Windows fails to establish the user tunnel automatically after the users log on to their Windows machines.

    [NSHELP-27944]

  • After the tunnel establishment, instead of adding DNS server routes with the previous gateway IP address, the Windows plug-in adds the routes with the default gateway address.

    [NSHELP-27850]

V21.7.1.1 (27-Aug-2021)

What’s new

  • New MAC address scan

    Support is added for newer MAC address scans.

    [CGOP-16842]

  • EPA scan to check for Windows OS and its build version

    Added EPA scan to check for Windows OS and its build version.

    [CGOP-15770]

  • EPA scan to check for a particular value’s existence

    A new method in the registry EPA scan now checks for a particular value’s existence.

    [CGOP-10123]

Fixed issues

  • If there is a JavaScript error during login because of a network error, subsequent login attempts fail with the same JavaScript error.

    [NSHELP-27912]

  • The EPA scan fails for McAfee antivirus last update time check.

    [NSHELP-26973]

  • Sometimes, users lose internet access after a VPN tunnel is established.

    [NSHELP-26779]

  • A script error for the VPN plug-in might be displayed during nFactor authentication.

    [NSHELP-26775]

  • If there is a network disruption, UDP traffic flow that started before the network disruption does not drop for up to 5 minutes.

    [NSHELP-26577]

  • You might experience a delay in the starting of the VPN tunnel if the DNS registration takes a longer time than expected.

    [NSHELP-26066]

V21.3.1.2 (31-Mar-2021)

What’s new

  • Upgraded EPA libraries

    The EPA libraries are upgraded to support the latest version of the software applications used in EPA scans.

    [NSHELP-26274]

  • NetScaler Gateway virtual adapter compatibility

    The NetScaler Gateway virtual adapter is now compatible with Hyper-V and Microsoft Wi-Fi direct virtual adapters (used with printers).

    [NSHELP-26366]

Fixed issues

  • The Windows VPN gateway plug-in blocks use of “CTRL + P” and “CTRL + O” over the VPN tunnel.

    [NSHELP-26602]

  • The NetScaler Gateway plug-in for Windows responds only with an Intranet IP address registered in the Active Directory when a "nslookup" action is requested for the machine name.

    [NSHELP-26563]

  • The IIP registration and deregistration fail intermittently if the split DNS is set as “Local” or “Both.”

    [NSHELP-26483]

  • Auto logon to Windows VPN gateway plug-in fails if Always On is configured.

    [NSHELP-26297]

  • The Windows VPN gateway plug-in fails to drop IPv6 DNS packets resulting in issues with DNS resolution.

    [NSHELP-25684]

  • The Windows VPN gateway plug-in maintains the existing proxy exception list even if the list overflows because of the browser limit on the Internet Explorer proxy exception list.

    [NSHELP-25578]

  • The Windows VPN gateway plug-in fails to restore the proxy settings when the VPN client is logged off in Always On mode.

    [NSHELP-25537]

  • The VPN plug-in for Windows does not establish the tunnel after logging on to Windows, if the following conditions are met:

    • NetScaler Gateway appliance is configured for the Always On feature.
    • The appliance is configured for certificate based authentication with two factor authentication “off.”

    [NSHELP-23584]