Citrix ADC 13.0 产品更新汇总

Release Notes for Citrix ADC 13.0-67.39 Release

The enhancements and changes that are available in Build 13.0-67.39.

Authentication, authorization, and auditing🚩

  • nFactor authentication support for Citrix Gateway with Standard license
    Citrix Gateway now supports nFactor authentication with Standard license.
    [ NSAUTH-6438 ]

Citrix Gateway

  • New Citrix logo is introduced.
    [ CGOP-14440 ]

Citrix Web App Firewall

  • All import objects name length and profile name length increased to 127 characters
    The Citrix Web App Firewall import objects name length and profile name length is now increased to a maximum limit of 127 characters. Previously, the name length was set only up to 32 characters.
    [ NSWAF-5992 ]
  • Dynamic profiling relaxation rule counter
    When the Citrix Web App Firewall detects a violation, the user has the ability to bypass the action using relaxation rules. To monitor these relaxations, you now have a relaxation hit counter. The counter tracks statistical details, such as the number of times a violation occurs on the appliance, the number of relaxation rules applied at the time of the violation, and the last applied timestamp.However, the new relaxation hit counter is available only for the following security checks.
    * Starturl
    * Denyurl
    * Cross-site Scripting
    * SQL Injection
    [ NSWAF-5842 ]
  • JSON command injection protection check
    The Citrix Web App Firewall profile is now enhanced with a new protection check for command injection attacks in JSON payload. When the command injection security check examines the JSON traffic and detects any malicious commands, the appliance blocks the request or performs the configured action.
    [ NSWAF-5837 ]
  • Bot trap URL randomization
    The Citrix Bot trap technique can now randomly or periodically insert a trap URL in the client response. The URL appears invisible and not accessible if the client is a human user. However, if the client is an automated bot, the URL is accessible and when accessed, the attacker is categorized as a bot and any subsequent request from the bot is blocked. The trap technique is effective in blocking attacks from bots.The Bot trap URL is auto-generated and you can configure the length and interval at which the URL needs to be updated. If the trap URL is configured in a profile, then you must insert only that URL.  Also, this technique allows you to insert the trap URL for every response of the top-visited websites or frequently visited websites by binding the website URLs in the profile.”
    [ NSWAF-5774 ]
  • SameSite cookie attribute for secure web communication
    With the recent browser upgrade, such as Google Chrome 80, there is a change in the default cross-domain behavior in cookies. As a result, the “SameSite” attribute is set as “None”, “Lax” or “Strict” and for Google Chrome browser, the default attribute value is set as “Lax.”In compliance with the browser’s new SameSite cookie policy, the Citrix Web App Firewall profile is enhanced to support the SameSite cookie attribute configuration.  You can now enable the SameSite cookie attribute and also set the attribute as any one of the following options.“SameSite=None”. Indicates the browser to use a cookie in cross-site context only on secure connections.“SameSite=Lax”. Indicates the browser to use a cookie for requests on the same domain and for cross-site only safe HTTP methods like GET request can use the cookie.“SameSite=Strict”. Indicates the cookie can be used only when the user is requesting for the domain explicitly.
    [ NSWAF-5468 ]


  • Support added for NET_ADMIN to run multi-core Citrix ADC CPX
    You can now use the –cap-add=NET_ADMIN option to run Citrix ADC CPX with both single core and multi-cores in bridge mode deployments.
    [ NSNET-16016 ]


  • Setting up a VPX high-availability pair with private IP addresses across different AWS zones
    You can now deploy a VPX high-availability pair on AWS using private IP addresses across different AWS zones.
    [ NSPLAT-14757 ]
  • VIP scaling support for Citrix ADC VPX instance on GCP
    Based on your requirement, you can now add multiple VIP (public IP) addresses on a Citrix ADC VPX instance deployed on GCP. This is supported on both standalone and high availability deployments. Previously, the maximum number of VIPs you were able to add depended on GCP networking limit.
    [ NSPLAT-14738 ]
  • Changes to the default admin password 
    If the password is set to the default admin (nsroot) password, users must change the password on the first login or while creating an instance, and then save the configuration. The password cannot be reset to the default admin password.
    This change is applicable to the following Citrix appliances:
    – VPX instances hosted on the Citrix ADC SDX appliance
    – Citrix ADC BLX appliance
    – Citrix VPX virtual appliances that are hosted on the following virtualization and cloud platforms:
    – Citrix Hypervisor
    – VMware ESX
    – Microsoft Hyper-V
    – Linux KVM
    – Amazon Web Services
    – Google Cloud Platform
    [ NSPLAT-14480 ]
  • Setting up a Citrix ADC VPX high-availability pair on GCP using forwarding rules
    You can now deploy a VPX high-availability pair on the Google Cloud Platform (GCP) using forwarding rules with target instances at the backend. Forwarding rules must be in the same region as the VPX instance and target instances must be in the same zone as the VPX instance. Upon failover, the forwarding rule target is updated to the secondary target instance for the traffic to resume.
    [ NSPLAT-14378 ]


  • Built-in HTTP profile for management access
    The Citrix ADC appliance now has a built-in HTTP profile, “nshttp_default_internal_apps” for management access. The profile is configured to block HTTP/0.9 requests and to drop invalid requests for management access. The profile settings are the same as the existing “nshttp_default_strict_validation” profile. However, it is advisable that you do not change the profile settings as done in the “nshttp_default_strict_validation” profile.
    [ NSBASE-10118 ]
  • Request-retry on TCP SYN connection establishment
    The request retry is applicable to one more error scenario. If a reset is received from the back-end server during TCP SYN establishment, the appliance does not keep retrying the same server until the client connection times out. Instead, based on re-load balancing, the appliance forwards the request to the next available back-end server.
    [ NSBASE-9610 ]
  • Support for gRPC response buffer time and size limitation
    In gRPC bridging scenario,  the Citrix ADC appliance buffers the gRPC response from the back-end server until the response trailer is received. This breaks bi-directional gRPC calls. Also, if the gRPC response is huge, it consumes a significant amount of memory to buffer the response completely. To resolve these issues, you can configure two new parameters, “grpcholdlimit” and/or ““grpcholdtimeout” in the HTTP profile. When configuring both or any one of the two parameters, the appliance stops buffering and starts forwarding the response even if any one of the buffer limit triggers (either the trailer is not received within the configured buffer size or if a configured timeout occurs).
    [ NSBASE-9466 ]

User Interface

  • Citrix logo change
    Citrix now has a new logo that reflects its brand transformation. The Citrix ADC and Citrix Gateway GUI now reflect the new Citrix logo.
    [ NSUI-16210 ]
  • Custom search functionality for bot signatures
    A custom search functionality is now available on the Citrix ADC Bot Signatures GUI page. You can use the search option to locate content in the signature file.
    [ NSUI-15992 ]
  • DSA keys are deprecated and are no longer supported on a Citrix ADC appliance.
    [ NSUI-14778 ]