Well, I guess that you’ve already read all the good things about the new capabilities of the newer Access Gateway plug-in, Receiver and Access Gateway Enterprise that together with StoreFront will add additional features and functions that haven’t existed before. It’s now built to work together with the Receiver on the Windows and Mac OS X platforms and promises a lot by various blog posts from Citrix and others (incl. myself).

Here is an example of what it can (should) do: What’s new with Access Gateway MAC Plug-in release 2.1.4

But is the Access Gateway Plug-in that great? Well, before you plan to implement version 2.1.4 on OS X and especially if you want to leverage the SSL VPN functionality and host checks (EPA) then read the Important notes and Known issues for this release:

Important Notes About This Release:

1. The Access Gateway Plug-in for Mac OS X Version 2.1.4 supports Citrix Receiver Version 11.7
2. Import the secure certificate for Access Gateway into the Keychain on the Mac OS X computer.
3. The Access Gateway Plug-in for Mac OS X Version 2.1.2 and earlier versions are not supported on Mac OS X Version 10.8.
4. Endpoint analysis scans for antivirus, personal firewalls, antispam, Internet security, and EPAFactory scans are not supported for Mac OS X.
5. Client certificate authentication is not supported for Mac OS X.

First of all I’d say that these notes are not that great if you ask me! Why do I have to add the cert into the Mac Keychain? Why doesn’t the plug-in support the more “advanced” host checks like personal firewalls, certificates etc.?

Wait, it get even worse!! And before you go to the whole list I’d highlight these top ones that I’m kind of surprised about:

• It doesn’t support LAN access
• Upgrading doesn’t work
• Doesn’t apply proxy settings configured in session profile
• It doesn’t support SAN certificates
• Users cannot start the Access Gateway plug-in if the Receiver is already started, you first have to shut down the Receiver

Here you see the full Known Issues list for this release:

1. When users disable wireless on a Mac OS X computer and connect by using a 3G card, the Access Gateway Plug-in does not upgrade automatically through Citrix Receiver. If users select Check for Updates to upgrade the plug-in, the upgrade fails and users receive the error message “Updates are currently not available.” [#45881]
2. If you run stress traffic for HTTP, HTTPS, and DNS simultaneously, the Access Gateway Plug-in fails. [#46348]
3. When users disable wireless on a Mac OS X computer and connect by using a Vodafone Mobile Broadband Model K3570-Z HSDPA USB 3G stick, the Access Gateway plug-in does not tunnel traffic. [#256441]
4. If you configure an endpoint analysis policy and also enable the client choices page and proxy servers in a session profile, occasionally a blank choices page appears after users log on. When you disable the choices page in the session profile, the choices page appears correctly. [#316331]
5. If users connect to Access Gateway with the Access Gateway Plug-in for Mac OS X and then run ping with a payload of 1450 bytes, the plug-in fails to receive the ICMP reply. [#321486]
6. When users log on with the Access Gateway Plug-in for Mac OS X and then use the command line to run traceroute, the route statistics do not appear. [#321490]
7. If users connect with the Access Gateway Plug-in by using a Sprint or TMobile 3G network card and attempt to run ICMP or HTTP instances for a long period of time, then the computer might stop responding and users receive the message “You need to restart your computer.” [#329944]
8. When users connect with the Access Gateway Plug-in for Mac OS X, the plug-in uses the remote split DNS option, regardless of what is configured on Access Gateway. When users connect, the local area network (LAN) DNS request may fail to resolve. [#331906]
9. When users connect to Access Gateway by using the Access Gateway Plug-in, if users attempt to open more than 256 files, Access Gateway stops tunneling network traffic. [#333167]
10. If you configure a traffic policy and enable GZIP and then run stress traffic with 5 gigabytes of data, after a period of time, SMB traffic transfers fail with SMB error -36. [#333350]
11. If you unbind the default TCP compression policy, connected users who attempt to access intranet web applications from the Access Interface, the web page downloads as binary files. Users need to disconnect and then connect again to view and download web applications. [#333752]
12. If users log on to the user device as an administrator and install the Access Gateway Plug-in, log off and then log on as a standard user to Access Gateway with a more recent version, the plug-in upgrades automatically. However, after the upgrade, the Access Gateway status or Dock icons do not appear. Users can determine if they are logged on by using the Activity Monitor or the log file cagplugin.log. [#334130]
13. If the user device does not have the correct root certificate in Keychain and the user selects Ignore secure certificate warnings in the Access Gateway Plug-in, when users log on to Access Gateway, the security certificate warning does not appear and users cannot log on. Users need to install the correct root certificate and then set the Certificate Trust level to Always Trust in Keychain. [#334213]
14. If you enable endpoint analysis scans on Access Gateway, when users try to log on by using a web browser, they are redirected to the web page “epa.html” and only the Skip option is available. Users then receive the error message “3006: The plugin failed to start.” Users must log on by using the Access Gateway Plug-in for Mac OS X instead of the web browser. [#334969]
15. If users upgrade the Access Gateway Plug-in for Mac OS X, the upgrade might not remove earlier versions completely. The computer might stop responding and users receive the message “You need to restart your computer.” Users need to restart their computer, remove the Access Gateway Plug-in from their computer and then install the new version. [#335879]
16. If you configure intranet IP addresses on Access Gateway, when users connect with the Access Gateway Plug-in for Mac OS X, the plug-in cannot establish a server-initiated connection. [#335896]
17. If you configure local DNS on Access Gateway, when users connect with the Access Gateway Plug-in for Mac OS X, the plug-in does not resolve local DNS queries and always performs remote DNS queries. [#335967]
18. If you configure proxy settings on the Client Experience > Advanced > Proxy tab, when users log on with the Access Gateway Plug-in for Mac OS X, the plug-in does not configure the proxy settings in the web browser on the user device. [#336001]
19. The Access Gateway Plug-in for Mac OS X does not support local LAN access. [#336704]
20. If you configure reverse split tunneling on Access Gateway, when users connect with the Access Gateway Plug-in for Mac OS X, the connection fails. Users receive an error message that the Access Gateway configuration is invalid. [#336707]
21. After installing Citrix Receiver on a user device, users cannot configure a Receiver account from an extranet site over a 3G network through either email-based discovery or by using an Access Gateway fully qualified domain name (FQDN). [#352717]
22. Users cannot upgrade automatically to the Access Gateway Plug-in for Mac, Version 2.1.4 on Mac OS X computers running versions 10.5 or 10.6. To stop the automatic upgrade of the plug-in on these Mac computers, you need to add the following rewrite policies in Access Gateway by using the command line:
    • Add rewrite action MacVersionChange replace_http_res “\”2.0.0 (100)\”"
    • Add rewrite policy MacVersionChange “HTTP.REQ.URL.CONTAINS(\”macversion.txt\”) && HTTP.REQ.HEADER(\”User-Agent\”).CONTAINS(\”Mac OS X 10_6\”)” MacVersionChange
    • bind rewrite global MacVersionChange 100 END -type RES_DEFAULT

    [#356943]

You can read the whole readme article here!

So what can you say…… I hope that Citrix improves their test and quality assurance processes….

//Richard