Citrix Secure Access for Windows release notes

The Citrix Secure Access agent for Windows is now released on a standalone basis and is compatible with all Citrix ADC versions. The Citrix Secure Access agent version follows the format YY.MM Release.Build.

The release notes describe the new features, enhancements to the existing features, and fixed issues.

What’s new: The new features and enhancements available in the current release.

Fixed issues: The issues that are fixed in the current release.

For detailed information on the supported features, see Citrix Gateway Product Documentation.

Note:

Citrix Secure Access agent (formerly known as Citrix Gateway plug-in for Windows) build 21.9.1.2 and later contains the fix for https://support.citrix.com/article/CTX341455.

22.10.1.9 (08-Nov-2022)

What’s new

• EPA support for connection proxy type site persistence in GSLB

  Windows EPA scan now supports connection proxy type site persistence in GSLB when the scan is initiated from a browser. Previously, EPA scan for Windows did not support connection proxy persistence type for browser initiated EPA scan.

  [CGOP-21545]

• Seamless single sign-on for Workspace URL (Cloud only)

  Citrix Secure Access client now supports single sign-on for Workspace URL (cloud only) if the user has already logged on via the Citrix Workspace app.

  [ACS-2427]

• Manage Citrix Secure Access client and/or EPA plug-in version via Citrix Workspace App (Cloud only)

  Citrix Workspace app now has the capability to download and install the latest version of Citrix Secure Access and/or EPA plug-in via the Global App Configuration Service. For more details, see Global App Configuration Service.

  [ACS-2426]

• Debug logging control enhancement

  Debug logging control for Citrix Secure Access client is now independent of Citrix Gateway and it can be enabled or disabled from the plug-in UI for both machine and user tunnel.

  [NSHELP-31968]

• Support for Private Network Access preflight requests

  Citrix Secure Access Client for Windows now supports Private Network Access preflight requests issued by the Chrome browser when accessing private network resources from public websites.

  [CGOP-20544]

Fixed issues

• The Citrix Secure Access client, version 21.7.1.2 and later, fails to upgrade to later versions for users with no administrative privileges.

  This is applicable only if the Citrix Secure Access client upgrade is done from a Citrix ADC appliance.

  [NSHELP-32793]

• Users cannot log on to VPN because of intermittent EPA failures.

  [NSHELP-32138]

• Sometimes, the Citrix Secure Access agent in machine tunnel only mode does not establish the machine tunnel automatically after the machine wakes up from sleep mode.

  [NSHELP-30110]

• In Always on service mode, user tunnel tries to start even if only machine tunnel is configured.

  [NSHELP-31467]

• The Home Page link on the Citrix Secure Access UI does not work if Microsoft Edge is the default browser.

  [NSHELP-31894]

• Customized EPA failure log message is not displayed on the Citrix Gateway portal, instead the message “internal error” is displayed.

  [NSHELP-31434]

• When users click the Home Page tab on the Citrix Secure Access screen for Windows, the page displays the connection refused error.

  [NSHELP-32510]

• On some client machines, the Citrix Secure Access client fails to detect the proxy setting and this results in logon failure.

  [SPAHELP-73]

Known issues

• Windows Update check-based EPA scan does not work on the Windows 11 22H2 version. For details, see EPA Check failing for Windows11 22H2.

  [NSHELP-33068]

22.6.1.5 (17-June-2022)

What’s new

• Login and logout script configuration

  The Citrix Secure Access client accesses the login and logout script configuration from the following registries when the Citrix Secure Access client connects to the Citrix Secure Private Access cloud service.

  Registry path: HKEY_LOCAL_MACHINE>SOFTWARE>Citrix > Secure Access Client

  Registry values:

  • SecureAccessLogInScript type REG_SZ - path to login script
  • SecureAccessLogOutScript type REG_SZ - path to logout script

  [ACS-2776]

• Windows Citrix Secure Access agent using Windows Filtering Platform (WFP)

  WFP is a set of API and system services that provide a platform for creating network filtering application. WFP is designed to replace previous packet filtering technologies, the Network Driver Interface Specification (NDIS) filter which was used with the DNE driver. For details, see Windows Citrix Secure Access agent using Windows Filtering Platform.

  [CGOP-19787]

• FQDN based reverse split tunnel support

  WFP driver now enables support for FQDN based REVERSE split tunneling. It is not supported with the DNE driver. For more details on reverse split tunnel, see Split tunneling options.

  [CGOP-16849]

Fixed issues

• Sometimes, the Windows auto logon does not work when a user logs into the windows machine in an Always On service mode. The machine tunnel does not transition to the user tunnel and the message Connecting is displayed in the VPN plug-in UI.

  [NSHELP-31357]

• On VPN logoff, the DNS suffix list entries in SearchList (Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Secure Access Client) registry are rewritten in reverse order separated by one or more commas.

  [NSHELP-31346]

• Spoofed IP address is used even after the Citrix ADC intranet application configuration is changed from FQDN based to IP based application.

  [NSHELP-31236]

• The gateway home page is not displayed immediately after the gateway plug-in establishes the VPN tunnel successfully.

  With this fix, the following registry value is introduced.

  \HKLM\Software\Citrix\Secure Access Client\SecureChannelResetTimeoutSeconds

  Type: DWORD

  By default, this registry value is not set or added. When the value of “SecureChannelResetTimeoutSeconds” is 0 or not added, the fix to handle the delay does not work, which is the default behavior. Admin has to set this registry on the client to enable the fix (that is to display the home page immediately after the gateway plug-in establishes the VPN tunnel successfully).

  [NSHELP-30189]

• AlwaysOnAllow list registry does not work as expected if the registry value is greater than 2000 bytes.

  [NSHELP-31836]

• Citrix Secure Access Agent for Windows does not tunnel new TCP connections to the back-end TCP server if the already connected Secure Private Access service region becomes unreachable. However, this does not affect the on-premises gateway connections.

  [ACS-2714]

22.3.1.5 (24-Mar-2022)

Fixed issues

• The Windows EPA plug-in name is reverted to the Citrix Gateway EPA plug-in.

  [CGOP-21061]

Known issues

• Citrix Secure Access Agent for Windows does not tunnel new TCP connections to the back-end TCP server if the already connected Secure Private Access service region becomes unreachable. However, this does not affect the on-premises gateway connections.

  [ACS-2714]

22.3.1.4 (10-Mar-2022)

What’s new

• Enforce local LAN access to end users based on ADC configuration

  Admins can now restrict the end users to enable or disable the local LAN access option on their client machines. A new option, FORCED is added to the existing Local LAN Access parameter values. When the Local LAN Access value is set to FORCED, end users are restricted from using the local LAN access option on their client machines. If the end users must enable or disable the local LAN access, the admins must reconfigure the Local LAN Access option in the Citrix ADC appliance accordingly.

  To enable the FORCED option by using the GUI:

  1. Navigate to Citrix Gateway > Global Settings > Change Global Settings.
  2. Click the Client Experience tab and then click Advanced Settings.
  3. In Local LAN Access, select FORCED.

  To enable the FORCED option by using the CLI, run the following command:

   set vpn parameter -localLanAccess FORCED
   <!--NeedCopy-->