Citrix Secure Access for Windows release notes
The Citrix Secure Access agent for Windows is now released on a standalone basis and is compatible with all Citrix ADC versions. The Citrix Secure Access agent version follows the format YY.MM Release.Build.
The release notes describe the new features, enhancements to the existing features, and fixed issues.
What’s new: The new features and enhancements available in the current release.
Fixed issues: The issues that are fixed in the current release.
For detailed information on the supported features, see Citrix Gateway Product Documentation.
Note:
Citrix Secure Access agent (formerly known as Citrix Gateway plug-in for Windows) build 21.9.1.2 and later contains the fix for https://support.citrix.com/article/CTX341455.
23.1.1.11 (20-Feb-2023)
This release addresses issues that help to improve the overall performance and stability of Secure Private Access service.
23.1.1.8 (08-Feb-2023)
Fixed issues
-
DNS resolution failures occur as the Citrix Secure Access fails to prioritize IPv4 packets over IPv6 packets.
[NSHELP-33617]
-
The OS filtering rules are captured when the Citrix Secure Access agent is running in Windows Filtering Platform (WFP) mode.
[NSHELP-33715]
-
Spoofed IP address is used for IP-based intranet applications when the Citrix Secure Access agent runs on Citrix Deterministic Network Enhancer (DNE) mode.
[NSHELP-33722]
-
When using the Windows Filtering Platform (WFP) driver, sometimes intranet access does not work after the VPN is reconnected.
[NSHELP-32978]
-
Endpoint analysis (EPA) scan for OS version check fails on Windows 10 and Windows 11 Enterprise multi-session desktops.
[NSHELP-33534]
-
By default, the Windows client supports a configuration file size of 64 KB, which prevents users from adding more entries to the configuration file. This size can be increased by setting the ConfigSize registry value in HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Secure Access Client. The ConfigSize registry key type is REG_DWORD and key data is <Bytes size>. If the configuration file size is larger than the default value (64 KB), then the ConfigSize registry value must be set to 5 x 64 KB (after converting to bytes) for every addition of 64 KB. For example, if you are adding additional 64 KB, then you must set the registry value to 64 x 1024 x 5 = 327680. Similarly, if you are adding 128 KB, then you must set the registry value to 64 x 1024 x (5+5) = 655360.
[SPA-2865]
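The sizing rule above can be scripted so the value is derived from the actual file instead of by hand. This is an added example, not Citrix code: the function names and the `-ConfigFile` parameter are hypothetical, and rounding a partial extra block up to a whole 64 KB addition is an assumption.

```powershell
# Added example (not Citrix code): derive ConfigSize from the release-note rule
# and write it as a REG_DWORD. Writing to HKLM needs an elevated prompt.
$KeyPath   = 'HKLM:\SOFTWARE\Citrix\Secure Access Client'   # key named in the release note
$BlockSize = 64 * 1024                                       # default limit: 64 KB

function Get-ConfigSizeValue {
    param([Parameter(Mandatory)][long]$ConfigFileBytes)
    if ($ConfigFileBytes -lt 1) { throw 'ConfigFileBytes must be positive.' }
    # At or below the 64 KB default, no registry value is needed.
    if ($ConfigFileBytes -le $BlockSize) { return $null }
    # Assumption: a partial extra block counts as a whole 64 KB addition.
    $extraBlocks = [long][math]::Ceiling([double]($ConfigFileBytes - $BlockSize) / $BlockSize)
    $value = $extraBlocks * 5 * $BlockSize
    # Stay within Int32 so the value is a valid DWORD for the registry provider.
    if ($value -gt [int]::MaxValue) { throw "ConfigSize $value is too large for this script." }
    return $value
}

function Set-SecureAccessConfigSize {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$ConfigFile)   # hypothetical: path to your configuration file
    $bytes = (Get-Item -LiteralPath $ConfigFile -ErrorAction Stop).Length
    $value = Get-ConfigSizeValue -ConfigFileBytes $bytes
    if ($null -eq $value) {
        Write-Verbose "File is $bytes bytes; the 64 KB default is sufficient."
        return
    }
    if ($PSCmdlet.ShouldProcess("$KeyPath\ConfigSize", "Set REG_DWORD to $value")) {
        New-ItemProperty -Path $KeyPath -Name 'ConfigSize' -PropertyType DWord `
            -Value $value -Force -ErrorAction Stop | Out-Null
    }
}

# The two cases the release note works through (default 64 KB plus 64 KB, plus 128 KB):
Get-ConfigSizeValue -ConfigFileBytes 128KB
Get-ConfigSizeValue -ConfigFileBytes 192KB
```

Run `Set-SecureAccessConfigSize -ConfigFile <path> -WhatIf` first to see the value that would be written without changing the registry.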
-
On VPN logoff, DNS suffix list entries in SearchList registry are rewritten in a reverse order separated by one or more commas.
[NSHELP-33671]
-
Proxy authentication fails when the Citrix ADC appliance completes an EPA scan for antivirus.
[NSHELP-30876]
-
If the Citrix Secure Access related registry values are greater than 1500 characters, then the log collector fails to gather the error logs.
[NSHELP-33457]
22.10.1.9 (08-Nov-2022)
What’s new
-
EPA support for connection proxy type site persistence in GSLB
Windows EPA scan now supports connection proxy type site persistence in GSLB when the scan is initiated from a browser. Previously, EPA scan for Windows did not support connection proxy persistence type for browser initiated EPA scan.
[CGOP-21545]
-
Seamless single sign-on for Workspace URL (Cloud only)
Citrix Secure Access client now supports single sign-on for Workspace URL (cloud only) if the user has already logged on via the Citrix Workspace app. For more details, see Single sign-on support for the Workspace URL for users logged in via Citrix Workspace app.
[ACS-2427]
-
Manage Citrix Secure Access client and/or EPA plug-in version via Citrix Workspace App (Cloud only)
Citrix Workspace app now has the capability to download and install the latest version of Citrix Secure Access and/or EPA plug-in via the Global App Configuration Service. For more details, see Global App Configuration Service.
[ACS-2426]
-
Debug logging control enhancement
Debug logging control for Citrix Secure Access client is now independent of Citrix Gateway and it can be enabled or disabled from the plug-in UI for both machine and user tunnel.
[NSHELP-31968]
-
Support for Private Network Access preflight requests
Citrix Secure Access Client for Windows now supports Private Network Access preflight requests issued by the Chrome browser when accessing private network resources from public websites.
[CGOP-20544]
Fixed issues
-
The Citrix Secure Access client, version 21.7.1.1 and later, fails to upgrade to later versions for users with no administrative privileges.
This is applicable only if the Citrix Secure Access client upgrade is done from a Citrix ADC appliance. For details, see Upgrade/downgrade issue on Citrix Secure Access agent.
[NSHELP-32793]
-
Users cannot log on to VPN because of intermittent EPA failures.
[NSHELP-32138]
-
Sometimes, the Citrix Secure Access agent in machine tunnel only mode does not establish the machine tunnel automatically after the machine wakes up from sleep mode.
[NSHELP-30110]
-
In Always on service mode, user tunnel tries to start even if only machine tunnel is configured.
[NSHELP-31467]
-
The Home Page link on the Citrix Secure Access UI does not work if Microsoft Edge is the default browser.
[NSHELP-31894]
-
The customized EPA failure log message is not displayed on the Citrix Gateway portal; instead, the message “internal error” is displayed.
[NSHELP-31434]
-
When users click the Home Page tab on the Citrix Secure Access screen for Windows, the page displays the connection refused error.
[NSHELP-32510]
-
On some client machines, the Citrix Secure Access client fails to detect the proxy setting and this results in logon failure.
[SPAHELP-73]
Known issues
-
Windows Update check-based EPA scan does not work on the Windows 11 22H2 version. For details, see EPA Check failing for Windows11 22H2.
[NSHELP-33068]
22.6.1.5 (17-June-2022)
What’s new
-
Login and logout script configuration
The Citrix Secure Access client accesses the login and logout script configuration from the following registries when the Citrix Secure Access client connects to the Citrix Secure Private Access cloud service.
Registry path: HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Secure Access Client
Registry values:
- SecureAccessLogInScript type REG_SZ - path to login script
- SecureAccessLogOutScript type REG_SZ - path to logout script
[ACS-2776]
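Because these machine-wide values name scripts that the client runs at login and logout, it is worth checking who can modify the referenced files. The following audit is an added example, not Citrix code; the function names and the list of trusted principals are assumptions, and the script only reads the registry and ACLs.

```powershell
# Added example (not Citrix code): flag login/logout scripts that principals
# outside a trusted set could modify. Read-only; run on the client being audited.
$KeyPath    = 'HKLM:\SOFTWARE\Citrix\Secure Access Client'
$ValueNames = 'SecureAccessLogInScript', 'SecureAccessLogOutScript'
# Assumption: only these principals are expected to hold write access.
$Trusted = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller'
# Rights that allow changing or replacing content, plus GENERIC_WRITE and GENERIC_ALL.
$WriteBits = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership' -bor 0x50000000
$InheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

function Get-UntrustedWriter {
    param([Parameter(Mandatory)][string]$Path)
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        -not $_.PropagationFlags.HasFlag($InheritOnly) -and   # skip ACEs that apply only to children
        (([int]$_.FileSystemRights -band $WriteBits) -ne 0) -and
        $_.IdentityReference.Value -notin $Trusted
    } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
}

function Test-SecureAccessScript {
    foreach ($name in $ValueNames) {
        $scriptPath = (Get-ItemProperty -Path $KeyPath -Name $name -ErrorAction SilentlyContinue).$name
        if (-not $scriptPath) { continue }               # value not configured on this client
        # Assumption: the value is a plain file path, as the release note describes.
        $exists = Test-Path -LiteralPath $scriptPath -PathType Leaf
        $folder = Split-Path -Path $scriptPath -Parent
        $fileWriters   = if ($exists) { Get-UntrustedWriter -Path $scriptPath }
        $folderWriters = if ($folder -and (Test-Path -LiteralPath $folder)) { Get-UntrustedWriter -Path $folder }
        [pscustomobject]@{
            Value         = $name
            Path          = $scriptPath
            Exists        = $exists                      # a missing file can be planted if the folder is writable
            FileWriters   = @($fileWriters) -join '; '
            FolderWriters = @($folderWriters) -join '; '
        }
    }
}

Test-SecureAccessScript | Format-List
```

An empty `FileWriters` and `FolderWriters` means no principal outside the trusted list holds write-type rights on the script or its folder.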
-
Windows Citrix Secure Access agent using Windows Filtering Platform (WFP)
WFP is a set of APIs and system services that provide a platform for creating network filtering applications. WFP is designed to replace previous packet filtering technologies, such as the Network Driver Interface Specification (NDIS) filter, which was used with the DNE driver. For details, see Windows Citrix Secure Access agent using Windows Filtering Platform.
[CGOP-19787]
-
FQDN based reverse split tunnel support
WFP driver now enables support for FQDN based REVERSE split tunneling. It is not supported with the DNE driver. For more details on reverse split tunnel, see Split tunneling options.
[CGOP-16849]
Fixed issues
-
Sometimes, the Windows auto logon does not work when a user logs in to the Windows machine in Always On service mode. The machine tunnel does not transition to the user tunnel and the message Connecting is displayed in the VPN plug-in UI.
[NSHELP-31357]
-
On VPN logoff, the DNS suffix list entries in SearchList (Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Secure Access Client) registry are rewritten in reverse order separated by one or more commas.
[NSHELP-31346]
-
Spoofed IP address is used even after the Citrix ADC intranet application configuration is changed from FQDN based to IP based application.
[NSHELP-31236]
-
The gateway home page is not displayed immediately after the gateway plug-in establishes the VPN tunnel successfully.
With this fix, the following registry value is introduced.
\HKLM\Software\Citrix\Secure Access Client\SecureChannelResetTimeoutSeconds
Type: DWORD
By default, this registry value is not set or added. When the value of “SecureChannelResetTimeoutSeconds” is 0 or not added, the fix to handle the delay does not work, which is the default behavior. The admin must set this registry value on the client to enable the fix (that is, to display the home page immediately after the gateway plug-in establishes the VPN tunnel successfully).
[NSHELP-30189]
-
AlwaysOnAllow list registry does not work as expected if the registry value is greater than 2000 bytes.
[NSHELP-31836]
-
Citrix Secure Access Agent for Windows does not tunnel new TCP connections to the back-end TCP server if the already connected Secure Private Access service region becomes unreachable. However, this does not affect the on-premises gateway connections.
[ACS-2714]
22.3.1.5 (24-Mar-2022)
Fixed issues
-
The Windows EPA plug-in name is reverted to the Citrix Gateway EPA plug-in.
[CGOP-21061]
Known issues
-
Citrix Secure Access Agent for Windows does not tunnel new TCP connections to the back-end TCP server if the already connected Secure Private Access service region becomes unreachable. However, this does not affect the on-premises gateway connections.
[ACS-2714]
22.3.1.4 (10-Mar-2022)
What’s new
-
Enforce local LAN access to end users based on ADC configuration
Admins can now restrict end users from enabling or disabling the local LAN access option on their client machines. A new option, FORCED, is added to the existing Local LAN Access parameter values. When the Local LAN Access value is set to FORCED, end users are restricted from using the local LAN access option on their client machines. If the end users must enable or disable the local LAN access, the admins must reconfigure the Local LAN Access option in the Citrix ADC appliance accordingly.
To enable the FORCED option by using the GUI:
- Navigate to Citrix Gateway > Global Settings > Change Global Settings.
- Click the Client Experience tab and then click Advanced Settings.
- In Local LAN Access, select FORCED.
To enable the FORCED option by using the CLI, run the following command:
set vpn parameter -localLanAccess FORCED
[CGOP-19935]
-
Support for Windows server 2019 and 2022 in the EPA OS scan
EPA OS scan now supports Windows server 2019 and 2022.
You can select the new servers by using the GUI.
- Navigate to Citrix Gateway > Policies > Preauthentication.
- Create a new preauthentication policy or edit an existing policy.
- Click the OPSWAT EPA Editor link.
- In Expression Editor, select Windows > Windows Update and click the + icon.
- In OS Name, select the server as per your requirement.
You can upgrade to the OPSWAT version 4.3.2744.0 to use the Windows server 2019 and 2022 in the EPA OS scan.
[CGOP-20061]
-
New EPA scan classification types for missing security patches
The following new classification types are added to the EPA scan for missing security patches. The EPA scan fails if the client has any of the following missing security patches.
- Application
- Connectors
- CriticalUpdates
- DefinitionUpdates
- DeveloperKits
- FeaturePacks
- Guidance
- SecurityUpdates
- ServicePacks
- Tools
- UpdateRollups
- Updates
You can configure the classification types by using the GUI.
- Navigate to Citrix Gateway > Policies > Preauthentication.
- Create a new preauthentication policy or edit an existing policy.
- Click the OPSWAT EPA Editor link.
- In Expression Editor, select Windows > Windows Update.
- In Shouldn’t have missing patch of following windows update classification type, select the classification type for the missing security patches.
- Click OK.
You can upgrade to the OPSWAT version 4.3.2744.0 to use these options.
- For details about the Windows server update services classification GUIDs, see https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ff357803(v=vs.85)
- For the description of the Microsoft software updates terminology, see https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/standard-terminology-software-updates
Earlier, the EPA scans for missing security patches were done on the severity levels Critical, Important, Moderate, and Low on the Windows client.
[CGOP-19465]
-
Support for multiple device certificates for EPA scan
In the Always on VPN configuration, if multiple device certificates are configured, the certificate with the longest expiry date is tried first for the VPN connection. If the EPA scan succeeds with this certificate, the VPN connection is established. If the scan fails with this certificate, the next certificate is used. This process continues until all the certificates are tried.
Earlier, if multiple valid certificates were configured, if the EPA scan failed for one certificate, the scan was not attempted on the other certificates.
[CGOP-19782]
Fixed issues
-
If the clientCert parameter is set to ‘Optional’ in the SSL profile when configuring the VPN virtual server, users are prompted multiple times to select the smart card.
[NSHELP-30070]
-
Users cannot connect to the Citrix Gateway appliance after changing the ‘networkAccessOnVPNFailure’ always on profile parameter from ‘fullAccess’ to ‘onlyToGateway’.
[NSHELP-30236]
-
When Always on is configured, the user tunnel fails because of the incorrect version number (1.1.1.1) in the aoservice.exe file.
[NSHELP-30662]
-
DNS resolution to internal and external resources stops working over a prolonged VPN session.
[NSHELP-30458]
-
The Windows VPN client does not honor the ‘SSL close notify’ alert from the server and sends the transfer login request on the same connection.
[NSHELP-29675]
-
Registry EPA check for the “==” and “!=” operator fails for some registry entries.
[NSHELP-29582]
22.2.1.103 (17-Feb-2022)
Fixed issues
-
Users cannot launch the EPA plug-in or the VPN plug-in after an upgrade to Chrome 98 or Edge 98 browser versions. To fix this issue, perform the following:
- For the VPN plug-in upgrade, end users must connect using the VPN client for the first time to get the fix on their machines. In the subsequent login attempts, users can choose the browser or the plug-in to connect.
-
For the EPA only use case, the end users will not have the VPN client to connect to the gateway. In this case, perform the following:
- Connect to the gateway using a browser.
- Wait for the download page to appear and download the nsepa_setup.exe.
- After downloading, close the browser and install the nsepa_setup.exe file.
- Restart the client.
[NSHELP-30641]
21.12.1.4 (17-Dec-2021)
What’s new
-
Rebranding changes
Citrix Gateway plug-in for Windows is rebranded to Citrix Secure Access agent.
[ACS-2044]
-
Support for TCP/HTTP(S) private applications
Citrix Secure Access agent now supports TCP/HTTP(S) private applications for remote users through the Citrix Workspace Secure Access service.
[ACS-870]
-
Additional language support
Windows VPN and EPA plug-ins for Citrix Gateway now support the following languages:
- Korean
- Russian
- Chinese (Traditional)
[CGOP-17721]
-
Citrix Secure Access support for Windows 11
Citrix Secure Access agent is now supported for Windows 11.
[CGOP-18923]
-
Automatic transfer logon when the user is logging in from the same machine and Always on is configured
Automatic login transfer now occurs without any user intervention when Always on is configured and the user is logging in from the same machine. Previously, when the client (user) had to log in again in scenarios such as a system restart or network connectivity issues, a pop-up message appeared and the user had to confirm the transfer login. With this enhancement, the pop-up window is disabled.
[CGOP-14616]
-
Deriving Citrix Virtual Adapter default gateway IP address from the Citrix ADC provided net mask
Citrix Virtual Adapter default gateway IP address is now derived from the Citrix ADC provided net mask.
[CGOP-18487]
Fixed issues
-
Sometimes, users lose internet access after a VPN tunnel is established in split tunnel ON mode. Citrix Virtual adapter’s erroneous default route causes this network issue.
[NSHELP-26779]
-
When split tunnel is set to “Reverse,” DNS resolution for the intranet domains fails.
[NSHELP-29371]
21.9.100.1 (30-Dec-2021)
What’s new
-
Citrix Secure Access support for Windows 11
Citrix Secure Access agent is now supported for Windows 11.
[CGOP-18923]
Fixed issues
-
Sometimes, users lose internet access after a VPN tunnel is established in split tunnel ON mode. Citrix Virtual adapter’s erroneous default route causes this network issue.
[NSHELP-26779]
-
When split tunnel is set to “Reverse,” DNS resolution for the intranet domains fails.
[NSHELP-29371]
21.9.1.2 (04-Oct-2021)
Fixed issues
-
Sometimes, after disconnecting the VPN, the DNS resolver fails to resolve the host names, because the DNS suffixes are removed during VPN disconnection.
[NSHELP-28848]
-
Sometimes, a user is logged out of Citrix Gateway within a few seconds when the client idle timeout is set.
[NSHELP-28404]
-
The Windows plug-in might crash during authentication.
[NSHELP-28394]
-
In Always On service mode, the VPN plug-in for Windows fails to establish the user tunnel automatically after the users log on to their Windows machines.
[NSHELP-27944]
-
After the tunnel establishment, instead of adding DNS server routes with the previous gateway IP address, the Windows plug-in adds the routes with the default gateway address.
[NSHELP-27850]
V21.7.1.1 (27-Aug-2021)
What’s new
-
New MAC address scan
Support is added for newer MAC address scans.
[CGOP-16842]
-
EPA scan to check for Windows OS and its build version
Added EPA scan to check for Windows OS and its build version.
[CGOP-15770]
-
EPA scan to check for a particular value’s existence
A new method in the registry EPA scan now checks for a particular value’s existence.
[CGOP-10123]
Fixed issues
-
If there is a JavaScript error during login because of a network error, subsequent login attempts fail with the same JavaScript error.
[NSHELP-27912]
-
The EPA scan fails for McAfee antivirus last update time check.
[NSHELP-26973]
-
Sometimes, users lose internet access after a VPN tunnel is established.
[NSHELP-26779]
-
A script error for the VPN plug-in might be displayed during nFactor authentication.
[NSHELP-26775]
-
If there is a network disruption, UDP traffic flow that started before the network disruption does not drop for up to 5 minutes.
[NSHELP-26577]
-
You might experience a delay in the starting of the VPN tunnel if the DNS registration takes a longer time than expected.
[NSHELP-26066]
V21.3.1.2 (31-Mar-2021)
What’s new
-
Upgraded EPA libraries
The EPA libraries are upgraded to support the latest version of the software applications used in EPA scans.
[NSHELP-26274]
-
Citrix Gateway virtual adapter compatibility
The Citrix Gateway virtual adapter is now compatible with Hyper-V and Microsoft Wi-Fi direct virtual adapters (used with printers).
[NSHELP-26366]
Fixed issues
-
The Windows VPN gateway plug-in blocks use of “CTRL + P” and “CTRL + O” over the VPN tunnel.
[NSHELP-26602]
-
The Citrix Gateway plug-in for Windows responds only with an Intranet IP address registered in the Active Directory when a "nslookup" action is requested for the machine name.
[NSHELP-26563]
-
The IIP registration and deregistration fails intermittently if the split DNS is set as “Local” or “Both.”
[NSHELP-26483]
-
Auto logon to Windows VPN gateway plug-in fails if Always On is configured.
[NSHELP-26297]
-
The Windows VPN gateway plug-in fails to drop IPv6 DNS packets resulting in issues with DNS resolution.
[NSHELP-25684]
-
The Windows VPN gateway plug-in maintains the existing proxy exception list even if the list overflows because of the browser limit on the Internet Explorer proxy exception list.
[NSHELP-25578]
-
The Windows VPN gateway plug-in fails to restore the proxy settings when the VPN client is logged off in Always On mode.
[NSHELP-25537]
-
The VPN plug-in for Windows does not establish the tunnel after logging on to Windows, if the following conditions are met:
- Citrix Gateway appliance is configured for the Always On feature.
- The appliance is configured for certificate based authentication with two factor authentication “off.”
[NSHELP-23584]