v4.2.1 Hotfix For Citrix Access Gateway
Friday, 24 February 2006 by Michel Roth
There's a new hotfix available for the Citrix Access Gateway that fixes quite a lot of issues:

• The Access Gateway experiences interoperability problems with some RADIUS servers because it sends the NAS-IP-ADDRESS as 0.0.0.0. The Access Gateway now sends the IP address configured for Interface 0 on the General Networking tab to the RADIUS server. (bz2212)

• If more than 20 host names are configured in the preauthentication policy, the net6helper Active-X control fails, causing Internet Explorer to close. The content in the policy is checked to make sure there is enough space before filling the buffer. (bz2251)

• If a file rule for end point resources is created and if the check boxes Require SSL Client Certificates and Enable Portal Page Authentication are selected on the Global Policies tab, the net6help Active-X control fails, causing Internet Explorer to close. (bz2322)

• The DNS suffix size was limited to 127 characters. The suffix list size is now doubled to 254 characters. (bz2324)

• The Secure Access Client displays an error message that some intermediate certificates are invalid. The server’s certificate chain could not reliably revalidate the intermediate certificates because it cannot be retrieved for the SSL session object. In this release, the certificate is not revalidated when the server’s certificate chain is using an OpenSSL session. (bz2435)

• When an authorization request is made using LDAP, and the LDAP environment performs LDAP referrals, the SSL daemon on the Access Gateway resets and end users are disconnected from the Access Gateway. (bz2517)

• IP pooling does not allocate the number of IP addresses correctly. For example, if there are two IP pools, the first with a range of 192.168.2.1 through 192.168.2.5, the second IP pool cannot start with 192.168.2.6. The second IP pool has to start at 192.168.2.7. With this release, this is fixed. (bz2521)

• The Access Gateway automatic update process removes the Advanced Access Control logon point, causing the Advanced Access Control to stop functioning. With this release, the Access Gateway resets the desktop Web address when the client upgrades. (bz2560)

• When an HTTP Host header is missing, the server process experiences a fatal error if this is the first request made to the Access Gateway as part of a new Advanced Access Control session. Host headers are required for HTTP 1.1 requests (see RFC 2616), and such a connection is answered with an HTTP 400 response. Host headers are not required for HTTP 1.0 connections. Connections of this type are handled correctly, which can include Web browsers connecting through a proxy server. (bz2599)

• Internet Explorer stops functioning when logging onto the Access Gateway using Advanced Access Control. The LogonPoint page is returned to the user when an error occurs. (bz2684)
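
The Host header rule described for bz2599, written as a fail-closed check that runs before any session code touches the header. This is an added example, not Citrix code: `check_request_head`, `Verdict` and the sample requests are constructed for illustration, and folded (multi-line) headers are assumed not to occur.

```python
from typing import NamedTuple, Optional


class Verdict(NamedTuple):
    status: int           # 200 = hand over to session handling, 400 = reject
    host: Optional[str]   # Host value, or None when absent (pre-1.1 only)


def check_request_head(raw: bytes) -> Verdict:
    """Validate the request line and Host header of one HTTP request head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")

    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return Verdict(400, None)              # malformed request line
    try:
        major, minor = (int(n) for n in parts[2][len("HTTP/"):].split("."))
    except ValueError:
        return Verdict(400, None)              # unparsable version

    host = None
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            return Verdict(400, None)          # header line without a colon
        if name.strip().lower() == "host" and host is None:
            host = value.strip()

    # RFC 2616: HTTP/1.1 requests must carry Host; answer 400 instead of
    # letting later code dereference a header that is not there.
    if host is None and (major, minor) >= (1, 1):
        return Verdict(400, None)
    return Verdict(200, host)


# Constructed sample requests (not captured traffic).
REQ_11_NO_HOST = b"GET / HTTP/1.1\r\nUser-Agent: test\r\n\r\n"
REQ_11_HOST = b"GET / HTTP/1.1\r\nHost: gateway.example.test\r\n\r\n"
REQ_10_NO_HOST = b"GET / HTTP/1.0\r\nUser-Agent: proxy\r\n\r\n"

if __name__ == "__main__":
    for req in (REQ_11_NO_HOST, REQ_11_HOST, REQ_10_NO_HOST):
        print(req.split(b"\r\n", 1)[0].decode(), "->", check_request_head(req))
```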

Download the v4.2.1 hotfix for the Citrix Access Gateway here.
