Hello Everyone
It’s Andrew with the latest edition of the NetScaler Times, an update to keep you up-to-date on all things NetScaler-related! The idea is to pull together events, firmware releases, support articles, and anything else I think is relevant into a single email, as email is the future!
0. Update! XenServer 8 support on the NetScaler SDX 8900 appliance
The single bundle image upgrade from XenServer 7.1 to XenServer 8 is now supported on the NetScaler SDX 8900 appliance.
For more information, see SDX XenServer 8 upgrade.
1. The latest firmware builds.
Below are the details for the various builds, which can help you plan for new releases in your environment. This support document has more information on the different release cycles.
NetScaler has multiple form factors to support different environments. It is built on a single operating system with a software-based architecture, so its behavior will be the same regardless of whether it is used as hardware, a virtual machine, bare metal, or a container. Pick one that works for your environment and needs.
Latest Build Versions:
Here is a timeline for the 14.1 and 13.1 builds to show where they are within their respective release lifecycle.
Here are all the firmware builds in a table:
Notes about Builds:
The above is a summary taken from the NetScaler Section here.
For 13.1 FIPS & NDcPP builds: On the downloads page, there are two places to get the 13.1 NDcPP build. The FIPS build is dual-certified now and slightly newer than the NDcPP-only build. It's one to watch if you use those builds.
FIPS FAQ - NetScaler FIPS FAQ - Link
NetScaler 14.1-47.46 Build Release.
26 new features:
Enhancements to Next-Gen API functionality
The following enhancements have been made to the Next-Gen API:
The addition of a `health_checks` key within the `servers` section of the application health API response, enabling more granular health check data for each...
Next-Gen API supports enabling or disabling APIs for specific application subcomponents
The Next-Gen API now supports enabling or disabling APIs for specific subcomponents of your application, such as frontends, listeners, backends, and servers, offering greater flexibility. Previously, you could only enable or disable APIs at the application...
Support for IPv6 traffic in Content Inspection with IPS
NetScaler Content Inspection feature with Intrusion Prevention System (IPS) integration now supports IPv6 traffic.
Note: If an intermediary device is positioned between NetScaler and the inline device, ensure that it is capable of handling and forwarding IPv6 traffic.
NSB tracing support in NetScaler
The NetScaler Packet Buffer (NSB) tracing feature is a diagnostic tool that helps NetScaler support engineers and developers to troubleshoot packet memory corruption issues on NetScaler appliances. This feature streamlines the debugging process by removing the need to deploy a custom debug image in customer...
Enhanced cache memory management with LRU eviction
This feature improves cache memory management by introducing an optimized Least Recently Used (LRU) algorithm, offering administrators greater control and flexibility. Key benefits include:
Ensures efficient use of cache memory by evicting the least accessed...
Encrypted Client Hello (ECH) support
NetScaler now provides support for Encrypted Client Hello (ECH) on the front end. ECH is a privacy-enhancing extension to the TLS 1.3 protocol. Traditionally, Server Name Indication (SNI), which reveals the website you are connecting to, is sent unencrypted during the initial TLS handshake. This allows network observers to track your...
Support for DTLS v1.2 protocol on the back end of NetScaler VPX, SDX, and MPX
DTLS 1.2 protocol is now supported on the back end of the following NetScaler appliances:
NetScaler VPX
NetScaler MPX/SDX (Intel...
View the runtime content of NetScaler variables
This feature enables NetScaler administrators to directly view the runtime content of variables across all nodes and packet engines without requiring additional configuration. This feature improves visibility and simplifies the troubleshooting process. Previously, manually configuring production systems to access runtime variables was...
Hostname isolation support on NetScaler BLX
NetScaler BLX now supports hostname isolation. The "set ns hostname" command no longer modifies the underlying Linux operating system hostname. Previously, this command modified both the BLX and the Linux operating system hostnames. This update separates the BLX application and the host operating system,...
Support for NetScaler VPX on Citrix hypervisor/XenServer with AMD processors
NetScaler VPX now supports deployments on Citrix hypervisor/XenServer running on AMD processors. This enhancement offers expanded hardware compatibility and seamless performance for efficient traffic management and load balancing across AMD platforms.
Web App Firewall protection for NetScaler GUI endpoints
You can now protect your NetScaler GUI endpoints against malicious attacks by configuring Web App Firewall protection. When Web App Firewall protection is enabled, NetScaler uses the built-in profile ns-mgmt-gui-default-appfw-profile and the associated API specification file ns-mgmt-gui-spec to protect the NetScaler...
Support for NetScaler MPX disk encryption through NetScaler Console
Disk encryption is essential for securing sensitive data stored on a storage disk. It ensures that even if the physical storage device is compromised, the data remains inaccessible. For NetScaler MPX, disk encryption provides an additional layer of security, especially for critical directories such as /var/core, /var/crash, /var/log, /var/nslog,...
PHP version upgraded to 8.1.31
The PHP version is upgraded to 8.1.31 due to vulnerabilities observed in 8.1.29.
Increased password length for SNMPv3 authentication and privacy mechanisms
NetScaler now supports increased password lengths, up to 63 characters, for SNMPv3 authentication (`Auth`) and privacy (`Priv`) mechanisms. Previously, the maximum password length was limited to 31 characters. This enhancement strengthens the security of SNMPv3 communications on NetScaler by supporting longer and more...
Force completion of ISSU migration
During In Service Software Upgrade (ISSU), NetScaler waits for existing connections to naturally close before completing the migration. However, some connections may be long-lived and prevent the migration from proceeding to completion....
Traffic Domain support resumed - WooHoo!
NetScaler has resumed support for the Traffic Domain feature starting from NetScaler release 14.1-47.x. Traffic Domain support was temporarily paused in earlier NetScaler releases and included a deprecation notice. That notice has now been removed to reflect the current status.
DTLS 1.2 support on NetScaler Gateway
NetScaler Gateway now supports the DTLS 1.2 protocol, the latest security standard, to improve security and protection for back-end connections. You can configure NetScaler Gateway to use DTLS 1.2 to secure the connection between NetScaler Gateway and...
Support for SmartControl for Secure HDX
You can now configure SmartControl in NetScaler Gateway when Secure HDX is enabled. For more information on configuring Secure HDX on NetScaler Gateway, see Secure HDX (Preview).
Enhanced DNS resolution with TCP support
NetScaler has enhanced its DNS resolution capabilities by adding support for DNS over TCP. Previously, it used only UDP, which is fast but has difficulties with larger responses. By incorporating TCP, NetScaler can now effectively handle bigger DNS responses. This enhancement is beneficial for DNS Security Extensions...
Support for strong mapping certificates in Intune NAC integration with NetScaler Gateway
Support for strong mapping certificates is now introduced for Intune NAC integration. This enhancement enables NetScaler Gateway to extract and validate the `IntuneDeviceId` from the client certificate even with Microsoft's updated Subject Alternative Name (SAN) URI format in the strong mapping...
Support for Google reCaptcha v3
NetScaler now supports Google reCaptcha v3 in nFactor authentication. Google reCaptcha v3 offers an advanced authentication method that assesses login requests without requiring user interaction. It assigns a score between 0.0 and 1.0 to each request, with higher scores suggesting safer requests. NetScaler can then use this score to...
Support for protected user authentication
You can now configure user authentication for LDAP users belonging to the "Protected Users" group in the Active...
Export audit logs in JSON format to Splunk HEC by using syslogaction
Starting with NetScaler release 14.1-47.x, you have a simplified and flexible way to export audit logs in JSON format directly to Splunk's HTTP Event Collector (HEC). The configuration to export audit logs is now available...
Export metrics for configured entities
You can now fine-tune your metrics export by selecting specific entities like virtual servers, services, and service groups associated with a metrics profile in NetScaler. In prior releases, exporting metrics meant getting data for all the entities associated with a metrics profile, without the option for a more granular...
Removal of DEBUG log level from local syslog
Starting with NetScaler release 14.1-47.x, the DEBUG log level is removed from the local syslog and is no longer included in the ALL option. To enable DEBUG explicitly, use the following hidden CLI option:
set syslogparams -loglevel -debug [enable | disable]
Enabling the DEBUG log level is not persistent across reboots, and therefore the setting is lost after a system...
The full release notes are here
2. Latest NetScaler Security updates
NetScaler ADC and NetScaler Gateway Security Bulletin for CVE-2024-5491 and CVE-2024-5492.
CTX Number: CTX677944
Article Type: Security Bulletin
Created Date: 9/Jul/2024
Last Modified Date: 12/Mar/2025
Severity: High
This security article was released last year and was updated on 12th March. More here
NetScaler WAF Signatures Update v153 was updated on the 6th June.
New signature rules are generated for the vulnerabilities identified in the week of 2025-06-02. You can download and configure these signature rules to protect your appliance from attacks that exploit these vulnerabilities.
Link to details.