AppGate 11.0 RELEASE NOTES

Transcription

1 Changes in 11.0 AppGate 11.0 RELEASE NOTES 1. New packet filter engine. The server-side IP tunneling packet filter engine has been rewritten from scratch, reducing memory usage drastically and improving throughput, especially when many users are logged in at once and using complex rulesets. 2. New branding, icons and look-and-feel. The client download pages, the SSL portal, the client, and the console have a brand new look. There is also a new set of icons available to use in roles and services. Old icons continue to work as before. 3. New IP tunneling driver for Windows clients. The tap driver has been replaced and the service updated. Supports Windows New IP tunneling driver for OSX. The service will now use the built-in utun driver on OSX. Supports Yosemite. 5. OSX client now has a bundled JRE. The installable client on OSX now includes its own Java that is used only by the client, just like the installable client on Windows. Now it is no longer necessary to install Java on OSX to be able to use the client. 6. Security improvements in SSL portal. Improved the list of default encryption ciphers to use in the SSL portal. Removed SSL v2 and v3 support, added TLS 1.1 and 1.2 support. The generated self-signed certificate now uses a stronger signing algorithm. 7. Upgraded third party libraries in server and client. Upgraded OpenSSL to 0.9.8zb, FIPS module to 1.2.4, OpenSSH to 5.3, bash to 4.0pl44, zlib to 1.2.8, apache to , and MindTerm to System can now have more connected satellites. The limit of 20 connected satellites has been removed. 9. Microsoft Office applications can now edit documents through the SSL portal. This is possible through the new setting ag_ssld.permanent_cookie which, if set to 1, makes the session identification cookie a permanent cookie. This in turn makes the cookie shared between Internet Explorer and Microsoft Office applications. Therefore, it is now possible to browse Sharepoint in IE and open documents directly in Office, without saving on the local hard drive inbetween. Note that this comes with a security tradeoff, since the cookie survives quitting the browser. Closing the browser window will not log you out automatically. Therefore, if using this setting, it is important to consider reducing the inactivity timeout for the SSL portal, so that the session times out soon even if the browser is closed. 10. Support for negative nets in web access components and port forwards. It is now possible to use the keyword not in web access components and port forwards (IP access components in the case of no IP tunneling), in order to allow access to a network or domain, but exclude a subnet or subdomain, or individual destinations. It can be used with domain names, wildcard domain names, IP subnets and IP addresses. When more than one entry matches the destination, the most specific entry is used. 11. SSH server checks presence of clients more often. Previously the SSH server sent heartbeat packets to the clients every five minutes at inactivity, to check for answers. The interval has been reduced to one minute, so that the server detects roaming clients faster. The detection time adds to the effective maximum roaming time, so it was not possible to achieve a short maximum roaming time. 1

2 12. New ag_stated_query command. The ag_stated_query command, which prints a list of active sessions, can now print a customizable CSV table, which is suitable for scripting. It can also print the number of sessions, and search for a session by username. The default behavior is as before. Run ag_stated_query -h for more information. Fixed bugs in Hosts File Writer installation through the Software Requierement component. Using the Software Requirement compontent to distribute the Hosts File Writer to clients now works as it should. 2. Cluster upgrade window in console fixed. For a cluster with three or more nodes, the upgrade progress would only be displayed for the first two nodes. The others would appear frozen. This did not affect the upgrade function itself, but in the console it would look like the upgrade did not happen on all nodes. 3. Proper shutdown of SSL daemon when the SSL license expires. When the SSL license expired, the SSL daemon would stop, but the rest of the system would wrongly expect it to be running and flag this as an error. 4. Client download of check.exe binary could sometimes fail. The client will automatically download the check.exe binary if needed, but there was a race condition which could make the needed directory not created in time. 5. "Bad packet length" error fixed. Under some conditions, when a client was trying to resume a session that has already expired, the logs would contain dozens of "Bad packet length" error messages. This message was a false alarm and the conditions that created it has been mitigated. 6. Client screen lock feature was broken. When the natcrypto module was replaced with the now more efficient Java crypto, the screen lock feature stopped working. This is now fixed. 7. State daemon did not reload configuration when satellite settings were modified. The state daemon needed a reload of the configuration to become aware of that certain satellite configuration options had been changed. 8. Client dock icon on OSX was wrong. The "Java coffee cup" icon was displayed instead of the client icon. 9. File access over SSL could corrupt large files. Downloading large files over the SSL File access could result in file corruption. The other modes of file access were not affected, only the SSL mode. 10. Web access connection timeout. The webproxy could end up in a loop when handling chunked encoding, causing connection timeouts. 11. Some web access configurations were broken on OSX and Linux. Some simple web access configurations would not work on OSX and Linux, but on Windows only. 12. SSL portal session timeout did not work. Settting the session timeout to 0 in the SSL portal will now properly disable the timeout. 13. Updated detection of Windows version. The client will now properly detect Windows 8.1 and Windows On a busy system, a user could get a non-working session when logging in. If users were logging in and out very frequently, it could happen that an IP address from the IP tunneling pool was recycled - left by a logged out session and given to a new session - before the IP tunneling daemon had properly cleaned out the old session. In that case, cleaning out the old session resulted in the new session being cleaned out as well. The symptom of this was "Got request to enable for non-existing session" events in the log. 2

3 15. Solaris bug could cause IP tunneling traffic to stop. In very busy systems, IP tunneling could stop working in one or more sessions at once, at random times. There was no error message, but packets would not be delivered from the client to the server end, or be delivered extremely slowly. We isolated the issue to the localhost TCP connection between the SSH daemon and the IP tunneling daemon, and the issue looks like a known Solaris bug. We have changed the transport mechanism to a Unix domain socket. 16. Fixed console error when enabling certificate authentication. Enabling certificate authentication for the first time on a server would cause a "Failed to reload daemon" error message to pop up. 17. Limited admins could not edit some fields of local users. As a limited administrator, you were unable to change the "IP-tunneling addr" and "Mobile phone #" fields. You were able to set the "Distinguished name" field for Certificate authentication once, but changing it would create a duplicate database entry. 18. IPSEC clients caused wrong numbers in statistics log events. The IP tunneling daemon regularly creates an "ag_galed statistics" log event, with current usage statistics for IP tunneling. One of these numbers is the current total count of components in all sessions. Since the statistics were not reported correctly for IPSEC sessions, having IPSEC sessions in the system could cause a negative number to be printed. 19. The ag_webproxy daemon crashed on empty cookie flag in response header. The ag_webproxy daemon, which handles traffic for web access components, crashed when parsing a cookie in the response header from an application server, if the header was malformed so that the cookie contained an empty string as flag. 20. Could not use web access components to different ports on same application server. When having web access components to two different ports on a destination server in your role, where one of the ports was 80, those components could get mixed up in ag_webproxy, so that it was not possible to use the first and then use the second, you would still be using the first. 21. HEAD requests were not supported in SSL portal. When browsing through the SSL portal, if the browser sent an HTTP HEAD request, ag_webproxy waited for a response body which never came, so in effect it would appear unresponsive until the web application closed the connection, which could take a few minutes. 22. Hosts file entry could get corrupted on Windows. When logging in to the AppGate server from a Windows machine, when using either the IP Tunneling Driver or Hosts File Writer, if the last line in the hosts file was not terminated, that line became corrupted. 23. IP tunneling log events could get corrupted on the server. When selecting Log all connections in an IP access component, the ag_galed daemon records a log event beginning with open connection to for each new TCP or UDP connection. However, since version there has been a bug, so that the log ID could (in rare cases) become corrupted, which means that the events would seem to belong to another session, or a nonexistent session. 24. Cloning access rules did not work. Since version 10.2, the ability to clone an access rule from the AppGate Console was broken. 25. Limited administrators got wrong context menu in Local Accounts panel. When using the AppGate Console with only limited administrator rights, navigating to the Local Accounts panel and right-clicking on a user, the wrong context menu would show up. As a result, it was not possible to clone users. 26. The SSL session daemon could crash on Radius authentication. Since version 10.2, a Radius server could trigger a null-pointer bug in our Radius library, which would cause the SSL session daemon, ag_ssld, to crash. 3

4 27. Disabled incoming NTP queries in order to mitigate CVE The AppGate server was, at least partially, vulnerable to a denial-of-service attack, which would make two NTP servers busy talking to each other. 28. Changing log destination required a restart of the logging daemon. Changing the remote logging destination did not have any effect before the logging daemon ag_logd was restarted. Now it has. 29. The -iscomputermemberofdomain test did not work on Windows 8. The -iscomputermemberofdomain option to the client check binary check.exe had stopped working in Windows 8, due to changed naming conventions. 30. The New folder button was broken in File Access in the SSL portal. When browsing a file share through a File Access component in the SSL portal, there is a button called New folder, which was broken. 31. Icons for roles were not displayed correctly in the client. In AppGate Client, when selecting a role, the default icon was shown for every role, since 10.2, even if a different icon was assigned to the role. 32. Fixed null-pointer crash in ag_sieve. The daemon which updates the server's firewall rules, ag_sieve, could crash because a null pointer was not handled properly. 33. The Java Web Start client crashed on some Linux distributions. AppGate Client crashed during login on some Linux distributions, if launched through Java Web Start. This has been fixed by disabling the native crypto library and relying on Java code for cryptographic operations. 34. Access to satellites was not set up automatically. When changing through which network interfaces satellites can be reached, the server's firewall rules were not regenerated automatically, therefore it was sometimes necessary to restart the ag_stated daemon for the changes to be picked up. 35. Branding for MAP did not scale well. The default branding logo for Mobile Access Protect was hardcoded to support specific screen sizes, and therefore did not scale well on all screen sizes. 36. Crash in ag_radiusd and sshd when using Radius. A bug was introduced in 10.2, which could cause the daemons ag_radiusd and sshd to crash, even later in a session, if a user logged in using a Radius method. 37. Fixed deadlock in ag_galed. The IP tunneling daemon ag_galed has been given an overhaul, which has fixed a bug which has existed since version , where the daemon could become unresponsive and had to be restarted. Also, download speed through IP tunneling has been improved in situations with multiple sessions downloading. 38. AppGate Console became unresponsive when fetching a long list of active sessions. When opening Active Sessions in AppGate Console, the application would appear frozen for some time, if the number of active sessions was high, such as AppGate Console will now show a progress indicator when fetching the list. 39. AppGate Console filtered Local Accounts incorrectly. In the Local Accounts panel in AppGate Console, it is possible to filter the list of accounts, for instance by enabled authentication method. When selecting Authentication and Password as filter, the list displayed was wrong. 40. AppGate Console lacked phone number in Local Accounts. In version 10.2, support for SMS-based provisioning of mobile client settings was removed. Unfortunately, the mobile phone number field for a local account was removed along with the Provision button. The phone number field has other uses as well, so it was reintroduced in the GUI. The phone numbers were not removed from the database, so they should be preserved since before a 10.2 upgrade. 4

5 Removed features 1. Support for Windows XP removed. The AppGate client/server system no longer supports Windows XP. 2. Solaris clients removed. Clients for Solaris are no longer provided. Upgrading to 11.0 from earlier versions Only servers running version or later can be upgraded to Machines running earlier versions must first be upgraded to or later. The upgrade requires a reboot of the system in order to activate the upgrade. 5