Juniper Networks Secure Access Release Notes

Transcription

1 Juniper Networks Secure Access Release Notes IVE Platform Version 7.2R8 Build #23551 This is an incremental release notes describing the changes made from 7.2R1.1 release to 7.2R8. The 7.2R1.1 GA release notes still apply except for the changes mentioned in this document. Please refer to 7.2R1.1 GA release notes for the complete version. Noteworthy Changes: 1. Dropped environment variables in Custom File Rules in Host Checker From 7.2 onwards, the following environment variables in Custom File rule for Macintosh in Host Checker are no longer supported, <%java.home%>, <%java.io.tmpdir%>, <%user.dir%> and <%user.home%>. If these environment variables are configured in the rules, during an upgrade to 7.2R6, the following changes are made: a. <%java.io.tmpdir%> to /tmp b. <%user.dir%> to <%HOME%> c. <%user.home%> to <%HOME%> If <%java.home%> env variable is configured, a message is logged with critical level in the event logs. The environment variable, <%USER%> can be used in the rules. This variable corresponds to the logged in user name on the client machine 2. Support of Mac OS X 10.8 and Safari 6 Support for Mac OS X 10.8 and Safari 6 has been added in SA 7.2R4. For information on the access mechanisms supported on this platform, please refer to the Supported Platforms document. For known issues, please read through this document. 3. Default ESAP In 7.2R4, the default ESAP has been changed from ESAP to ESAP Upon upgrade, if the ESAP version on the SA is lower than then will become the active version. 4. From 7.2R6 onwards, no more than 4 ESAP versions can be simultaneously stored on the SA. To upload a fifth ESAP, delete an existing ESAP version on the device. 5. Secure Meeting In 7.2R4, the meeting process will be proactively restarted weekly if there are no meetings on the device. This is to prevent the process from consuming too many resources. This change should have no impact on meeting users. 6. Compatibility issue due to User-Agent change in ios/android client 3.2 For ios and Android devices, if HC is configured on 7.2R2 or greater then Junos Pulse client versions 3.2 and greater are required for the connection to be successful. (776459) 7. Ace authentication library Starting with release 7.2R3, the RSA ACE authentication library that is responsible for communication with backend RSA ACE authentication servers has been upgraded. This upgrade will not result in any change in the behavior of existing or new ACE authentication server instances defined on the SSL VPN platform. (770003)

2 The NSM schema for this software version will not be published. General NSM Limitations 1. If there is a mismatch between software catalog build version and release build version on the device, upgrading the device using NSM will not work For example, 6.5R3 schema was published using build (software catalog version), but subsequently, 6.5R3.1 was released with build In this case, NSM will not recognize build as a valid upgradable release. However, if device is manually upgraded to build 15255, since there were no additional schema changes, the device should still be manageable via NSM. (523868) Best Practices for FIPS Devices The following does not apply to configs exported from 6.5R5 and beyond: 1. Do not import a previously exported system config since it might contain a corrupted FIPS keystore database. If you must import an older system config, the option Import Device Certificate(s) must be unchecked when importing. 2. After upgrading to 6.5R2 it is strongly recommended that the system config be exported to take a back up of FIPS keystore database. The newly created system config will contain a clean FIPS keystore database. 3. After upgrading to 6.5R2, in case the admin console reports a FIPS disassociated state, go into serial console and reload the FIPS keystore database (Option 9 -> Sub-option 1). Known Issues/Limitations in 7.2 Releases 1. pulse-hostchecker On a Mac OS X 10.8, when using Pulse through a client-side proxy, ESAP does not upgrade. (809568) 2. pulse-other - Unnecessary routes get added on the Mac with Safari 5.1 when split tunneling is disabled on SA and Pulse is launched. Also, the traffic doesn't pass through the proxy server when Pulse is launched. (821757) 3. endpointintegrity-svw - Host Checker AV policy with Kaspersky Internet Security doesn't work inside an SVW on a Win7 machine and works on a Windows XP with a workaround. The workaround is to launch the sign-inurl configured with AV Host Checker policy as Kaspersky Internet Security initially on the real desktop before launching in SVW. (PR ) Known Issues/Limitations Fixed in 7.2R8 Release 1. cifs-enduser - Failed to delete Japanese filename file via core file browsing from ios Safari client. (832577) 2. cs-nc-i18n - Username field string for Credential Provider is incorrect for Japanese language machines. (828187)

3 3. cs-wsam-admin - Delete confirmation message displays a different WSAM allowed server(s) entry than the one you have selected to delete. (833643) 4. cs-wsam-dmi-config - Incorrect SAM ACL created when WSAM policy is pushed using netconf. (840066) 5. endpointintegrity-custom-check - Host Checker is not able to detect the system level processes enabled with MD5 checksum for Mac OS. (837319) 6. endpointintegrity-others Host Checker keeps downloading manifest.xml and hfnetchk6b.xml when Windows username includes an ' (apostrophe). (804270) 7. endpointintegrity-others - Host Checker fails when using Root certificate having German umlaut. (816415) 8. endpointintegrity-others - AV, Firewall and Anti-Spyware policies fail on the machines that doesn't have latest Microsoft run-time libraries installed. (839392) 9. pulse-connmgr - If the SA is heavily loaded, Pulse users randomly get disconnected. (831242) 10. pulse-dsagentd - In some rare instances, Pulse server side process crashes during re-keying of Pulse ESP sessions. (843922) 11. pulse-hostchecker - Machine certificate policies might fail during evaluation if the client machine has more than one certificate installed that matches the policy configured on SA. (837149) 12. pulse-mobile-vpn - Custom text in French for Signing-in-Page doesn't show up in French but appears in English on ios and Android browsers. (832562) 13. sysmgmt-netconf - Using DMI netconf command line, "<\get-active-users>" command doesn't populate the Network Connect details. (838888) 14. web-active-x - User is unable to send attachments in inotes FP2 - Full mode. (831990) 15. web-other - Rewriter fails to load a page containing both JavaScript and vbscript. (830599) 16. web-other - Users get JavaScript error while access custom application. (835408) 17. web-ptp-other - ActiveSync/Authorization Only Access URL process crash under heavy load. (849951) Known Issues/Limitations Fixed in 7.2R7 Release 1. aaa-active-directory - AD authentication with "Group Search with LDAP" option is not working. (812311)

4 2. aaa-active-directory - In some circumstances, switch over from Backup DC to Primary DC may be delayed (814169) 3. aaa-client-cert - ipad/iphone users while getting authenticated using certificate authentication are prompted a second time to select the certificate after providing the user credentials (802157) 4. aaa-other - Unix file bookmarks show garbled characters for Japanese language (696806) 5. aaa-other - If the total number of active IVS users is greater than the allotted number of minimum users for the root IVS, root users cannot complete authentication. (821155) 6. endpointintegrity-liveupdate - In a clustered environment, the Auto-update virus signatures list occasionally fails to download thereby causing all users to fail the Host Check. (733352) 7. logging-admin - When viewing the user access log with standard view, the bytes sent/received is not recorded for Pulse. This is shown when using WELF (starting with 7.2R4). (813840) 8. pulse-soft-token - Junos Pulse client is showing 'PIN rejected. Please try again' for New PIN mode with a Blackshield Cryptocard. (815692) 9. system-network - Adding, disabling/enabling a VLAN causes Network Connect access to resources to fail until services are restarted manually. (828971) 10. system-other Change behavior of ELS client(license client) logging to change increment request failure from INFO to MAJOR and generate logs when repeated failures once every 10 minutes, so that SNMP (major) trap can be used to monitor via SNMP. (800699) 11. uac-other - "Save All Logs" didn't save logs when cluster is configured with different cockpit graph option setting between the nodes. (746839) 12. web-other - Javascript error in rewriting the SAP portal page. (820388) 13. web-other - Rewriting of empty url to avoid security warning is preventing the page to be rendered properly (821421) 14. web-other - Authorization only URL server code cleanup. (822311) 15. web-other - GetAttribute javascript function is failing in certain cases. (832726) 16. web-ptp-other - When using passthrough proxy, customer's cookie parameter "IDSID" value is getting written to IVE session cookie "DSID" value and causes the session to end. (823560)

5 Known Issues/Limitations Fixed in 7.2R6 Release 1. aaa-admin - Read only admin has write access to configuring clients under licensing. (740509) 2. aaa-saml - The user doesn't logout of an SA automatically when the same user logs out of another SA, where the user has already logged into two SAs configured as SP and PingFederate configured as IDP with Single Logout option enabled. (810967) 3. cifs-other - No error message or warning is thrown when a file bigger than 2GB is downloaded through file browsing. (784865) 4. clustering-active-passive - VIPs might failover in an A/P cluster. (808870) 5. -other - When using the proxy functionality for IMAP/POP/SMTP traffic, the DNS resolution for the servers is done at the time of the initial connection. The DNS data is not refreshed during the proxy session. (809600) 6. endpointintegrity-others - When a Mac client resumes from sleep, Host checker s CPU usage increases significantly. (822138) 7. meeting-series-enduser - In the Monthly view of recurring meetings, the day of the week that is displayed is wrong. (775882) 8. pulse-hostchecker - Pulse Desktop clients enforced with cache cleaner policy see an Authentication rejected error message while connecting to server. (811597) 9. pulse-sa-nc-am - Pulse session start and end scripts are copied to C:\Windows\Temp instead of the user's temp folder. (817082) 10. system-network - dsagentd service crashes when Pulse client is launched on an SA that has a large number of vlans and virtual ports configured. (788911) 11. system-other ivedisknearlyfull SNMP trap is sent when log archiving happening for a longer time is failing. (815915) 12. web-other In some cases of XML data chunks, XML garbage is not handled properly. (722277) 13. web-other - Content of the frame is not properly loaded through rewriter. (803749) 14. web-sso - If a user s session ends during an NTLM SSO transaction, the rewrite process crashes. (797257)

6 15. web-sso - SA Kerberos SSO requests experience a 9 minute delay if the KDC is down. (813216) 16. win-term-svcs-other - Unable to change an RDP session from full screen mode to window mode and then back to full screen mode with the Premier Java RDP client on a Mac OS X 10.7/10.8. (814936) Known Issues/Limitations Fixed in 7.2R5 Release 1. aaa-policies - User cannot add "detailed rules" policies to an existing Web/File/NC ACL. (756547) 2. aaa-radius - When Radius Defender is configured as a secondary auth server, Pulse user does not see the first challenge from Radius Defender when an invalid response is sent to the first challenge. (811459) 3. cs-nc-acls Network Connect does not connect to SA when IP address range is configured in Network Connect ACL. (815025) 4. cs-nc-other - UPN suffix user is not allowed to logon to the machine through GINA. (748288) 5. cs-nc-other - On Mac OS X 10.7 and 10.8, Pulse connections to SA do not work if a server-side proxy is configured. (779290) 6. endpointintegrity-opswat On a Mac OS X 10.7 and 10.8, when using the Host Checker client, OPSWAT-related policy checks are not supported if the SA is accessible only through a proxy. (808355) 7. endpointintegrity-opswat If the SA device has 4 ESAPs installed, then upon upgrade to 7.2R4 the default ESAP does not change. To use ESAP 2.1.9, manually import ESAP and activate it. (806959) 8. endpointintegrity-admin-ui - Admin UI doesn t accept a wildcard character (*) for a custom NETBIOS rule in a Host Checker policy. (797664) 9. endpointintegrity-custom-check Host checker fails if Windows username or application path has multi-byte characters. (807234) 10. endpointintegrity-esap - In some instances, when uploading an ESAP package, it isn t successfully copied across all nodes in a 4-node A/A cluster. (779118) 11. endpointintegrity-loginflow - In some instances, invalid role and realm values are displayed in the Host Checker policy evaluation data in the user access logs. (733553) 12. endpointintegrity-others - If the client machine s time zone observes Daylight Saving Time and if "Automatically adjust clock for Day light Savings" is enabled, HC policy checks based on latest AV signatures might fail even if the latest updates are present on the client. (808018)

7 13. fips-other - Certificate authentication does not work with Pulse on SA4000FIPS and SA6000FIPS devices. (704698) 14. juns-other - Pulse is unable to install when user profile and OS are on different partitions. (807278) 15. logging-admin - When a node joins a cluster, the new node doesn t respond to SNMP requests. (802581) 16. meeting-series-other - Junos Pulse Collaboration personal URLs with additional URLs are being truncated after eight characters. (802777) 17. pulse-mobile - When "Logo links to" in UI options is set to Bookmark page, floating toolbar logo does not link back to mobile web page. (793102) 18. pulse-secure-meeting - Meetings that are started in a non-root IVS are not reflected in the "Concurrent Meeting Graph" in the IVE dashboard. (804832) 19. pulse-vpnam - When the Pulse client can connect to the SA only through a proxy, there is a 1 minute delay for Pulse to start tunneling the traffic successfully. (808849) 20. sysmgmt-snmp Incorrect SNMP traps being sent for "Users" due to honoring Maximum Concurrent Users / Leased Count, Max Count in Licensing Server / Client environment. (779467) 21. sysmgmt-xmlexportimport - XML configuration import on MAG series fails when a static route is configured on the management port. (799060) 22. system-dspar - SA occasionally fails to archive logs. (791941) 23. web-ive-toolbar - A specific custom web application shows blank when the standard toolbar is used. (800659) 24. web-other - jquery Internet portal fails to load properly through the rewriter. (796234) 25. web-other - The "edit" button on the portal page on a Japanese ipad is vertical rather than horizontal. (798473) 26. web-other - The "add" and delete buttons on the portal page on a Japanese ipad are vertical rather than horizontal. (798504) 27. web-other - Oracle JDE Enterprise One application when accessed through IVE is calling a function detectclose() which is closing the previous window when a new window is opened. (802412) 28. web-other - Unable to login to Ajax site through the rewriter. (806592) 29. web-sso - SSO with SAML 2.0 with SA as IdP and using Artifact does not work. (810583)

8 30. win-term-svcs-other - Under peak load, WSAM, Windows Terminal Services, Citrix Terminal Services users experience slow response times if Radius accounting is enabled for this traffic. (787199) 31. pulse-installer - Setup client upgrade fails when MAC Lion (10.7) is upgraded to MAC Mountain Lion (10.8). (812909) 32. asg-aaa-xml-import-export - Import of XML configuration failed when system settings are selected during export. (802859) 33. endpointintegrity-remediation - The reason string on remediation page are not localized to the system language on the endpoint. (748317) 34. cs-jsam-enduser - JSAM is not creating a client side log on Windows 8 machines. (791557) 35. endpointintegrity-opswat - On Mac OSX, downgrade of ESAP is not happening while running host checker in agent less mode. (748231) 36. pulse-hostchecker - There is a delay in launching Host checker on a client for which patch assessment check has been performed earlier but the check has subsequently been disabled. (795901) 37. pulse-ive-cm - After the session timeout, Pulse waits for 10 seconds before attempting to reconnect, instead of attempting immediately. (801827) 38. asg-endpointintegrity-opswat- Hostchecker fails with no reason string for AV/FW policies on MAC endpoint over Proxy.(747434) 39. asg-pulse-sa-sam-am- Client connection is being dropped through Pulse SAM web traffic in high latency conditions.(787445) 40. asg-meeting-series-other - Meeting is not currently supported on an SA VM.(805886) Known Issues/Limitations Fixed in 7.2R4 Release 1. aaa-other Under Traffic Segregation configuration, if the management port is selected in the interface list in the Administrative Network with admin users not being added to this network and a network configuration change is made to cause the services to get restarted, the admin cannot login via the management port.(724769) 2. aaa-realms - After renaming an expression name (under Match expression) to a new name, the old name still exists. If an expression name is in use in a rule, it should not allow rename or delete of the rule. (790915) 3. cs-nc-enduser - Re-login with cached credentials for UPN name doesn t work with Credential Provider, when network is not available. (740780) 4. cs-nc-enduser - Text fields of a Standalone Mac NC client are transparent on certain versions of OS X. (745373) 5. cs-nc-enduser - NC mini browser: Logoff on Connect feature doesn t work. (786118)

9 6. cs-nc-enduser - When an NC tunnel associated to an IVS is torn down, the assigned tunnel IP for the NC user is not released. (786304) 7. endpointintegrity-loginflow - Periodic host checks fail on Mac machine if the Host Checker interval is configured for more than 10 minutes. (798757) 8. endpointintegrity-others - While accessing a sign in URL that is associated with an IVS, user receives the error "The page you requested could not be found" upon clicking the "click here" link to bypass Host checker. (769705) 9. endpointintegrity-others - When minimum version is selected, Host Check rule passes irrespective of the value in registry key. (790272) 10. endpointintegrity-opswat Pulse Host Checker can crash if the OPSWAT SDK upgrades while a policy enforcement check is occurring on the client. (795297) 11. meeting-series-enduser - There is intermittent loss of control for the non-host presenter when using Meeting/Junos Pulse Collaboration. (706680) 12. pulse-other ios/android Pulse user sessions are terminated if the connected realm and/or roles have Host Checker policies configured and the Host Checker interval is non-zero. (787172) 13. pulse-soft-token - Challenge from Radius server configured as secondary Auth server is not being displayed. (781730) 14. pulse-logging - User access log message should record the bytes sent/received for a connection. (788107) 15. system-licensing - There is a memory leak relating to SA license server and client communications. (791568) 16. system-other Certificate auth and SAML auth users that access OWA 2003 through the rewriter might see the browser looping through the same set of requests after the user s session times out. (747451) 17. web-ive-toolbar - Standard toolbar is appearing across the web page. (799108) 18. web-javascript Slowness seen when accessing OWA 2010 through the rewriter. (756940) 19. web-other - IVE deletes all tickets for realm, if a second website sends 401 even though TGS fetch is successful. (658520) 20. web-other - Rewrite server is crashing when parsing a malformed comment tag in HTML. (738196) 21. web-other ExtJs JavaScript lib/framework's setstyle function is not rewritten. (789723) Known Issues/Limitations Fixed in 7.2R3 Release 1. aaa-admin - Admin DN (LDAP Group Search) is truncated to 50 characters while configuring an AD/NT auth server. (778523) 2. aaa-client-cert - An error is logged in the user access logs on a successful certificate authentication when using bridged CAs. (755474) 3. clustering-other - There are extraneous debug log messages which reference non-existent VIPs. (753455) 4. cs-nc-enduser - NC users are connected via SSL instead of ESP after 16,383 NC tunnels. (787424)

10 5. cs-pulse-enduser Pulse users will not be able to access the backend resources after 16,383 ESP tunnels. (787424) 6. cs-nc-enduser - After IPSec re-key time, the ESP session of the NC tunnel falls back to SSL if data packets were sent the on the NCP control channel during the initial ESP tunnel establishment due to latency sensitivity. (787470) 7. cs-nc-other - Network Connect mini browser does not open in MAC operating system, if the user once enters blank value, hits enter and quits the application. (754101) 8. endpointintegrity-esap - In some scenarios client ESAP gets corrupted post Pulse upgrade. (788402) 9. endpointintegrity-opswat - HC Login for Pulse 3.0 takes longer time to evaluate policies. (790339) 10. endpointintegrity-others - Host Checker machine certificate check fails for IVS users when Root CA is not added to Root IVS. (756987) 11. meeting-series-mysecuremeeting - MyMeeting personal meeting URL does not resolve properly for usernames of greater than eight characters. (784051) 12. meeting-series-outlook - Secure Meeting Plug-in causes Outlook 2007 to crash when an existing mail is moved to calendar app. (775723) 13. pulse-mobile-hc - Web links within the custom text on a host checker remediation page do not work on Pulse IOS (775197) 14. pulse-other - Radius challenge (defender page) is not working with Pulse Client. (741055) 15. pulse-proxy - Junos Pulse client does not preserve the original proxy settings after sign out. (734384) 16. sysmgmt-xmlexportimport - XML Import fails to import WSAM policies in the User roles. (776047) 17. system-cache - There is a dsnetd failure associated with VIP changes on the SA4000. (739052) 18. system-i18n - Preference button for ipad in Japanese is too tall. (775954) 19. system-i18n - In the preferences page, the "delete session cookies" button size is too large. (775962) 20. system-i18n - incorrect translation message appeared when access IVE via JavaScript disabled browser. (779229) 21. system-webserver - Under certain conditions web server might assert because the socket descriptors were not cleaned up from the polling loop. (786982) 22. ui-admin - "Bookmarks: All" is directed only to the user profiles with Web enabled in Access Features. (752171) 23. userdata-sync-db - User record sync fails with an internal error and doesn't properly propagate records to other nodes when using a LAS server name with special characters. (771511) 24. web-other - Rewriting of frame fails in certain cases resulting in frame displayed as blank. (776650) 25. web-other - A specific jquery object attribute is not rewritten properly. (779337) 26. web-sso - Users are unable to login to a device that has ff Kerberos SSO policies if the primary AD server is down and the backup AD server is up. (778429) 27. win-term-svcs-other - User is unable to connect to WTS HOB applet from IVS with "Permission Denied" message logged in user access logs. (784645)

11 28. meeting-series-enduser - If Meeting client UI is minimized on WinXP machine, the 'Extend Meeting' pop up is not displayed on top. (742853) 29. cs-nc-other - When admin configures only top level bandwidth management policy (no NC bandwidth policy), bandwidth rules are not getting deleted during tunnel tear down. (770316) 30. pulse-other - User access logs for Pulse login on IVE do not contain the User-Agent string. (774593) 31. aaa-saml - Multiple hostnames in Assertion Consumer Service is not supported when SA is configured as SAML Service Provider. (782411) 32. web-html - Rendering Javascript loops infinitely when you compare window.location with window.document.location and accessed through rewriter. (785563) 33. pulse-hostchecker - dot1x authentication hangs if HC is enabled on a Win XP client. (781657) 34. asg-cs-jsam-enduser - JSAM is not able to modify hosts file when Java version 1.7.x is being used. (790767) Known Issues/Limitations in 7.2R2 Release 1. system-licensing - Concurrent user count is not getting incremented when meeting licenses are incremented on VA-SPE. (777037) 2. system-licensing - Autolease is turned on when permanent meeting or user licenses are installed on License Server. (777398) Known Issues/Limitations Fixed in 7.2R2 Release 1. aaa-admin - When adding a group to the server catalog from the IVE, the web interface will state "field is empty" for "Name" and "DN Type" fields, when no 'CN' value exists for the DN of the group in the LDAP server. (752370) 2. aaa-custom-sign-in - Line breaks in Pre-Signin Notification page do not appear when browsing SA from mobile device. (752245) 3. aaa-delegatedadmin - One-time password option in Radius authentication server configuration does not show the correct status when accessed using read only administrator role. (744206) 4. aaa-saml - Under SAML settings, if the validity is set to 9999, the validity of downloaded Metadata shows negative value and IVE is downloads the peer Metadata very frequently. (750861) 5. aaa-sign-in-pages - Welcome.cgi issues a 302 redirect with "Connection: Keep-Alive" but does not allow further requests on the connection. (575045) 6. clustering-active-passive - When multiple failover actions occur simultaneously, the cluster VIPs do not failover properly. (753624) 7. cs-nc-enduser - NClauncher certificate authentication fails when there are more than 4 client certificates using the same name. (727513)

12 8. cs-nc-enduser - In windows 7 French operating system, Network Connect fails to launch with error when Blue Coat http proxy authentication is enabled. (736814) 9. cs-nc-enduser - Network Connect standalone client fails to launch with script error "The value of the property "tryneoterisstartup" is null or undefined, not a function object" after upgrade to 7.1RX. (743265) 10. cs-nc-enduser - When using nclauncher with Smart card authentication, due to smart card handle not being closed, the user is prompted for login credentials when user attempts to launch NC tunnel again. (743500) 11. cs-nc-enduser - NC mini browser uses files in IE cache, if present, even if the files are modified at IVE. (746051) 12. cs-nc-other - NC authentication through GINA/CP is slow on a system heavily loaded with services. (700522) 13. cs-nc-other - NC client does not re-establish a connection when a Windows 7 machine comes back from sleep mode. (724349) 14. cs-nc-other - Viewing the physical memory through the Network Connect client on Windows 7 machines, the value is shown as negative/invalid. (730561) 15. cs-wsam-other - WSAM freezes when using Microsoft folder redirection. (593859) 16. endpointintegrity-others - Alias handle is not getting closed leading to leaking of handles of the process dshostchecker.exe inside SVW. (671869) 17. endpointintegrity-others - Rising Internet Security - HC policy gets passed for while looking for latest virus definition, even when client has got old definitions. (736056) 18. endpointintegrity-svw - F-secure Anti virus 9.20 version does not comply with the policy inside the SVW. The error Message inside the SVW is the following: "F-Secure Anti-Virus does not comply with policy. Compliance requires real time protection enabled and latest virus definition files." (597821) 19. logging-other - XML and GIF "file not found" messages are displayed in user logs with pre-installed HOB applet. (748885) 20. logging-syslog - When creating a custom filter using the quote (") character as a separator, this is sent to the syslog server as the HTML code "". (746694) 21. msp-ivs - DNS and WINS settings are removed from IVS after upgrade. (725972) 22. pulse-mobile-i18n - Long bookmark names that use double byte characters show up garbled in mobile device browsers. (740946) 23. pulse-proxy - PAC file greater than 64K is truncated to 20K when creating an instantproxy.pac while launching Pulse. (740399) 24. pulse-sa-nc-am - If a user tries to login on a new realm with multiple sessions disabled, the multiple user session warning may not display and prevent login. (731561) 25. pulse-soft-token - Pulse errors in New PIN mode for certain customer authentication server. (744212) 26. sysmgmt-config-import-export - Push config with a size of greater than 100 MB fails. (732386) 27. sysmgmt-snmp - When a MAG device joins a cluster it send spurious SNMP traps for ivefannotify. (742506)

13 28. sysmgmt-xmlexportimport - After doing an XML import of the local authentication server configuration on the root and virtual systems of an SA, it is seen that the user full name does not appear in the Full Name field of the user profile for the virtual system. It however appears for the root system. (740630) 29. system-monitoring-framework - When a user accesses a back-end SSL site with a "%" in the URL, the SNMP trap process restarts. (746281) 30. system-webserver - HTTP 1.1 connections to IVE do not work for specific application. (736990) 31. ui-enduser - For the 'welcome message' under 'personalized greeting' UI option, HTML tags display instead of being interpreted when logged in from iphone or Android. (739565) 32. web-html - Dynamic href links are not rewritten properly. (750640) 33. web-java-sun-jvm - There is a Java applet rewrite issue for a customer's in-house application. (738364) 34. web-javascript - Problem with rewriter failing to rewrite image link with special characters. (737823) 35. web-javascript - IVE is not able to load the dashboard screen of Splunk web application. (754687) 36. web-other - Problem rewriting xsl links resulting in the error "Error with IE transformation" while navigating through webpage. (721441) 37. web-other - Problem in rewriting the flash links which contains custom port number. (725430) 38. web-other - "The "browser request follow through" functionality doesn't work for host-based pass through proxy web applications." (725981) 39. web-other - Issue with rewriting Jar file references resulting in breaking Java applet function. (726998) 40. web-other - 'Connection: Keep-Alive' is missing in dsrecord.request.after header when HTTP1.1 is used. (732648) 41. web-other - Problem rewriting relative URL which contains hex-encoded character references. (733678) 42. web-other - Tabs inside SAP NetWeaver portal are not working due to incorrect rewriting. (735370) 43. web-other - Issue in the rewriter if an HTML tag contained more than 57 attributes. (738832) 44. web-other - MediWeb Application is not displaying correctly through the rewriter. (746388) 45. web-other - <a href="tel:" is not being handled correctly through the rewriter. (748924) 46. web-other - An error occurs when a.fdf file is rewritten. (749046) 47. web-other - Null pointer exception thrown while loading a rewritten page. (750152) 48. web-other - HP service manager web site login page displays blank page through the rewriter. (754558) 49. web-other - Null object exception/error is being received when trying to load custom web application. (754579) 50. web-other - Redirect to bookmark page with Apple ios breaks because welcome.cgi redirects to apple-touch icon-114x114.png. (755178) 51. web-other - MS Forecaster 7.0 application is not working through the rewriter. (755619) 52. web-other - Certain java contents of a page are not getting displayed for a custom web application due to an issue with rewriting. (756377)

14 53. web-policies - Web application containing Google maps does not work through rewriter. (747127) 54. web-ptp-other - Error in handling chunked HTTP data through rewriter. (736973) 55. web-selective-rewrite - Relative URL which contains chunked transfer encoding is not rewritten properly. (743726) 56. win-term-svcs-enduser - Citrix Listed Applications fails to work if the response from the Citrix server contains multiple AppData tags. (725680) 57. win-term-svcs-other - When a customer clicks on the help link inside the HOB applet, a message is displayed that the page cannot be found. (752936) 58. system-webserver - Request URLs that contain the string DSID without a corresponding DSID value are not supported. (705835)