Geeks With Blogs

This posting is provided "AS IS" with no warranties, and confers no rights. The opinions expressed within are my own and should not be attributed to any other Individual, Company or the one I work for. I just happen to be a classic techie who is passionate about getting things to work as they should do (and are sometimes advertised and marketed as being able to?) and when I can I drop notes here to help others falling into the same traps that I have fallen into. If this has helped then please pass it on - if you feel that I have commented in error or disagree then please feel free to discuss with me either publicly or privately? Cheers, Dave
Thin Clients, VDI and Linux integration from the front lines.... Raw and sometimes unedited notes based on my experiences with VMware, Thin Clients, Linux etc.

I'm just going through a proof of concept at a client's site for an AG+AAC Implementation and I was looking at bringing the AG up to 4.2.2 as I heard there were a few critical patches, and interestingly enough the link to 4.2.2 from CTX108902 ends up pointing at a 4.2.3 Download??

BTW - Don't forget to remove your existing Admin Tool and then download and install from fresh after upgrading the CAG!
(But you knew that didn't you?  ;-)

The 4.2.2 lists these Known Issues and Issues Fixed:

Known Issue(s) in this Release

    • User names that are configured on the Access Gateway are case-sensitive.

    • If a user is not logged on as an administrator on a computer running Windows 2000 Professional, the Secure Access Client must be installed locally on the client computer and then started using the Web address of https://FQDN/citrixsaclient.exe, where FQDN is the address of the Access Gateway. The ActiveX applet does not have the rights to download the file to the normal file location. This does not happen on computers that are running Windows Server 2003 or Windows XP.

    • If a user who is not logged on as an administrator connects using the Secure Access Client, applications such as Microsoft Outlook might occasionally lose the network connection.

    • Dialup users do not receive WINS server assignments. To fix the problem, manually set the internal WINS address or use a Microsoft DNS server to set the domain to perform WINS lookups. (bz947)

Issue(s) Resolved in this Hotfix

    1. The Access Gateway could experience a condition that causes the appliance to appear to be in a hung state when multiple servers running the Secure Ticket Authority (STA) are configured. (BUG23100)

    Symptoms of this issue include:

      • CPU utilization reaching near 100%

      • Errors in the STA server log(s).

    Applying this fix remedies the problem by ensuring that STA ticket renewal requests are sent to the session’s original STA.

    2. A rare condition could occur where a file or a record would be improperly encoded causing the appliance to suspend processing. (BUG23099)

    Symptoms of this issue include the following:

      • New connections are not accepted

      • User sessions are suspended

      • Error messages that say destroy_session notification received

    3. The Access Gateway experiences interoperability problems with some RADIUS servers because it sends the NAS-IP-ADDRESS as The Access Gateway now sends the IP address configured for Interface 0 on the General Networking tab to the RADIUS server. (bz2212)

    4. If more than 20 host names are configured in the preauthentication policy, the net6helper Active-X control fails, causing Internet Explorer to close. The content in the policy is checked to make sure there is enough space before filling the buffer. (bz2251)

    5. If a file rule for end point resources is created and if the check boxes Require SSL Client Certificates and Enable Portal Page Authentication are selected on the Global Policies tab, the net6help Active-X control fails, causing Internet Explorer to close. (bz2322)

    6. The DNS suffix size was limited to 127 characters. The suffix list size is now doubled to 254 characters. (bz2324)

    7. The Secure Access Client displays an error message that some intermediate certificates are invalid. The server’s certificate chain could not reliably revalidate the intermediate certificates because it cannot be retrieved for the SSL session object. In this release, the certificate is not revalidated when the server’s certificate chain is using an OpenSSL session. (bz2435)

    8. When an authorization request is made using LDAP, and the LDAP environment performs LDAP referrals, the SSL daemon on the Access Gateway resets. End users are disconnected from the Access Gateway and the SSL daemon is reset. (bz2517)

    9. IP pooling does not allocate the number of IP addresses correctly. For example, if there are two IP pools, the first with a range of through, the second IP pool cannot start with The second IP pool has to start at With this release, this is fixed. (bz2521)

    10. The Access Gateway automatic update process removes the Advanced Access Control logon point, causing the Advanced Access Control to stop functioning. With this release, the Access Gateway resets the desktop Web address when the client upgrades. (bz2560)

    11. When an HTTP host header is missing, it causes the server process to experience a fatal error if this is the first request made to the Access Gateway as part of a new Advanced Access Control session. Host headers are required for HTTP 1.1 requests (see RFC 2616) and the connection is responded to with an HTTP 400 request.
    Host headers are not required for HTTP 1.0 connections. Connections of this type are handled correctly, which can include Web browsers connecting through a proxy server. (bz2599)

    12. Internet Explorer stops functioning when logging onto the Access Gateway using Advanced Access Control. The LogonPoint page is returned to the user when an error occurs. (bz2684)
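
Resolved issue 11 above describes a missing Host header on the first request of a session taking down the server process. The following is an added example, not Citrix code and not part of the original post, showing that check as ordinary input validation: HTTP/1.1 without Host gets a 400, HTTP/1.0 without Host is accepted. The function names and sample request are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive match of "name:" at the start of a header line. */
static int name_matches(const char *line, const char *name)
{
    while (*name)
        if (tolower((unsigned char)*line++) != tolower((unsigned char)*name++))
            return 0;
    return *line == ':';
}

/* 1 if the header occurs in the block after the request line, else 0. */
static int has_header(const char *headers, const char *name)
{
    const char *line = headers;
    while (line && *line && strncmp(line, "\r\n", 2) != 0) { /* blank line ends block */
        if (name_matches(line, name))
            return 1;
        line = strstr(line, "\r\n");   /* advance to the next header line */
        if (line)
            line += 2;
    }
    return 0;
}

/* Status for the first request of a session: 200 = process, 400 = reject. */
int validate_first_request(const char *req)
{
    const char *eol = strstr(req, "\r\n");
    const char *ver = strstr(req, " HTTP/");
    /* Expect " HTTP/d.d" (9 bytes) directly before the CRLF ending the request line. */
    if (!eol || !ver || eol - ver != 9)
        return 400;
    if (!isdigit((unsigned char)ver[6]) || ver[7] != '.' || !isdigit((unsigned char)ver[8]))
        return 400;
    int major = ver[6] - '0', minor = ver[8] - '0';
    if ((major > 1 || (major == 1 && minor >= 1)) && !has_header(eol + 2, "Host"))
        return 400;              /* HTTP/1.1 without Host: answer 400, keep running */
    return 200;                  /* HTTP/1.0 without Host is acceptable */
}

int main(void)
{
    /* Constructed sample: HTTP/1.1 request with no Host header. */
    printf("%d\n", validate_first_request("GET /lp HTTP/1.1\r\nAccept: */*\r\n\r\n"));
    return 0;
}
```
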

The 4.2.3 lists these Known Issues and Issues Fixed:

Known Issue(s) in this Release

    · When a user session is terminated, the session log fills up (TT23539)

    · Domain logon scripts are slow to launch (TT23509)

    · The Access Gateway fails after manually synchronizing with a Network Time Protocol server (TT23690)

    · Secure Access Client transmits UDP packets to the Access Gateway during the VPN connection (TT23723)

Issue(s) Resolved in this Hotfix

  1. When publishing settings to multiple Access Gateway appliances, the failover settings, syslog settings, and certificates were also published. With this release, failover servers, syslog settings, and certificates are no longer published to all appliances in the cluster. (TT23073)
  2. Users that have German characters (umlaut characters - ä, ë, ö, ü, and so on) in the password could not connect to the portal page. (TT23210)
  3. When the client hosting desktop sharing ends the session, other clients appeared to remain in the session. When the hosting client ends the desktop sharing session, sessions on other client computers are also disconnected. (TT23680)
  4. Sharing the desktop from the same client more than eight times results in a sharing failure. (TT23683)
  5. When more than 90 network policies were sent to the client, policies over 90 were truncated. (TT23287)
  6. The Secure Access Client was downloading each time the user connected. (TT23513)
  7. The server running Advanced Access Control failed with renewing STA/AS tickets. (TT23706)
  8. When the Access Gateway is configured to require SSL client certificates, and the root certificates must check the Certificate Revocation List (CRL), connection to the Web Interface fails. (TT22956)
  9. The Access Gateway cannot validate the remote certificate chain if MD2 was used in signing the certificate. (TT23499)
  10. Connections to a second HTTP-based CDP fail if a first CDP is down. (TT23149)
  11. If an FQDN became invalid for any reason, it remains invalid until the DNS cache was refreshed. In this release, only valid FQDNs are cached. (TT23116)
  12. End users experienced incorrect RADIUS authorization failures when logging on to the Access Gateway and RADIUS groups were not retrieved for users who are part of an associated group(s) on the RADIUS server. This fix does not involve any change in the configuration on the Access Gateway or RADIUS server. (TT23269)
  13. When the Secure Access Client is first installed, a Network Driver Interface Specification (NDIS) driver is installed, which disables the network adapter momentarily. The Secure Access Client does a pre-authentication check against the Access Gateway. If the network adapter was still disabled, the connection failed. The Secure Access Client now waits for the network adapter to come back up before doing the pre-authentication check. (TT23328)
  14. When a user is logged onto the Access Gateway, is using tabbed browsing from the Internet Explorer 6 MSN toolbar, logs onto an Advanced Access Control logon point, and is using RSA for authentication, the user gets a "page not found error." (TT23689)
  15. Clients cannot log off when connected using a Web browser. (TT23123)
  16. Session reliability sessions are dropped when the Secure Ticket Authority (STA) is restarted. (TT23204)
  17. If an LDAP password has the UTF-8 characters, such as ä, ë, ö, ü, Ä, Ë, Ö, Ü 2, and the Access Gateway is configured to redirect client connections to the Web Interface using single sign-on with the altered login.cs file (obtained from the Citrix support Web site), the logon failed. A new login.cs file has been posted to the Citrix Support Web site. Download and install the new login.cs following the instructions in the Knowledge Center article. For more information, see article CTX106202 at (TT23250)
  18. The Web Interface displays applications for users who previously logged off. When a user logs off from the Web Interface, and a new user logs on from the same machine, the applications for the first user are displayed. (TT23601)
  19. When logging off from the Web Interface, Access Gateway cookies are cleared and Web Interface cookies are expired. (TT23123)
  20. When users are connected using desktop sharing, the desktop screen freezes, but users continue to have mouse and keyboard activity. (TT23311)

Posted on Tuesday, August 1, 2006 12:58 PM | Citrix, IT Management, Security

Comments on this post: Citrix Access Gateway 4.2.3 Update released? Have a careful look at "CTX108902 v4.2.2 Hotfix for Citrix Access Gateway"

No comments posted yet.

Copyright © Dave Caddick