AppGate RELEASE NOTES

Transcription

1 Fixed bugs in AppGate RELEASE NOTES 1. On a busy system, a user could get a non-working session when logging in. If users were logging in and out very frequently, it could happen that an IP address from the IP tunneling pool was recycled - left by a logged out session and given to a new session - before the IP tunneling daemon had properly cleaned out the old session. In that case, cleaning out the old session resulted in the new session being cleaned out as well. The symptom of this was "Got request to enable for non-existing session" events in the log. 2. Solaris bug could cause IP tunneling traffic to stop. In very busy systems, IP tunneling could stop working in one or more sessions at once, at random times. There was no error message, but packets would not be delivered from the client to the server end, or be delivered extremely slowly. We isolated the issue to the localhost TCP connection between the SSH daemon and the IP tunneling daemon, and the issue looks like a known Solaris bug. We have changed the transport mechanism to a Unix domain socket. 3. Fixed console error when enabling certificate authentication. Enabling certificate authentication for the first time on a server would cause a "Failed to reload daemon" error message to pop up. 4. Limited admins could not edit some fields of local users. As a limited administrator, you were unable to change the "IP-tunneling addr" and "Mobile phone #" fields. You were able to set the "Distinguished name" field for Certificate authentication once, but changing it would create a duplicate database entry. 5. IPSEC clients caused wrong numbers in statistics log events. The IP tunneling daemon regularly creates an "ag_galed statistics" log event, with current usage statistics for IP tunneling. One of these numbers is the current total count of components in all sessions. Since the statistics were not reported correctly for IPSEC sessions, having IPSEC sessions in the system could cause a negative number to be printed. Changes in Microsoft Office applications can now edit documents through the SSL portal. This is possible through the new setting ag_ssld.permanent_cookie which, if set to 1, makes the session identification cookie a permanent cookie. This in turn makes the cookie shared between Internet Explorer and Microsoft Office applications. Therefore, it is now possible to browse Sharepoint in IE and open documents directly in Office, without saving on the local hard drive inbetween. Note that this comes with a security tradeoff, since the cookie survives quitting the browser. Closing the browser window will not log you out automatically. Therefore, if using this setting, it is important to consider reducing the inactivity timeout for the SSL portal, so that the session times out soon even if the browser is closed. 2. Support for negative nets in web access components and port forwards. It is now possible to use the keyword not in web access components and port forwards (IP access components in the case of no IP tunneling), in order to allow access to a network or domain, but exclude a subnet or subdomain, or individual destinations. It can be used with domain names, wildcard domain names, IP subnets and IP addresses. When more than one entry matches the destination, the most specific entry is used. 3. SSH server checks presence of clients more often. Previously the SSH server sent heartbeat packets to the clients every five minutes at inactivity, to check for answers. The interval has been reduced to one minute, so that the server detects roaming clients faster. The detection time adds 1

2 to the effective maximum roaming time, so it was not possible to achieve a short maximum roaming time. 4. Updated web material for MAP. A default start page for Mobile Access Protect, the secure mobile browser, has been added to the server. An ios profile which disables the ability to take screenshots on ipad and iphone has also been added, and the launch page for mobile clients has been updated with links to the Apple App Store and Google Play Store. 5. Use installed client and console rather than Java Web Start on OS X. The link to launch the client from the built-in web page of the server now instead starts a download of the installable AppGate Client. This is because of changes in the default security policy in OS X. Our recommendation is to use the installable versions of AppGate Client and AppGate Console, instead of the Java Web Start versions, on OS X. 6. Installed client and console on OS X no longer requires Java 6. The installable AppGate Client and AppGate Console on OS X now uses Java 7 or 8 instead of 6. This means that users no longer need to have both Java 6 and Java 7 installed. 7. Support for Windows 8.1. The IP Tunneling Driver now supports Windows Access on Demand (AoD) no longer available on OS X.. This is because of changes in the default security policy in OS X. Fixed bugs in The ag_webproxy daemon crashed on empty cookie flag in response header. The ag_webproxy daemon, which handles traffic for web access components, crashed when parsing a cookie in the response header from an application server, if the header was malformed so that the cookie contained an empty string as flag. 2. Could not use web access components to different ports on same application server. When having web access components to two different ports on a destination server in your role, where one of the ports was 80, those components could get mixed up in ag_webproxy, so that it was not possible to use the first and then use the second, you would still be using the first. 3. HEAD requests were not supported in SSL portal. When browsing through the SSL portal, if the browser sent an HTTP HEAD request, ag_webproxy waited for a response body which never came, so in effect it would appear unresponsive until the web application closed the connection, which could take a few minutes. 4. Hosts file entry could get corrupted on Windows. When logging in to the AppGate server from a Windows machine, when using either the IP Tunneling Driver or Hosts File Writer, if the last line in the hosts file was not terminated, that line became corrupted. 5. IP tunneling log events could get corrupted on the server. When selecting Log all connections in an IP access component, the ag_galed daemon records a log event beginning with open connection to for each new TCP or UDP connection. However, since version there has been a bug, so that the log ID could (in rare cases) become corrupted, which means that the events would seem to belong to another session, or a nonexistent session. 6. Cloning access rules did not work. Since version 10.2, the ability to clone an access rule from the AppGate Console was broken. 7. Limited administrators got wrong context menu in Local Accounts panel. When using the AppGate Console with only limited administrator rights, navigating to the Local Accounts panel and right-clicking on a user, the wrong context menu would show up. As a result, it was not possible to clone users. 2

3 8. The SSL session daemon could crash on Radius authentication. Since version 10.2, a Radius server could trigger a null-pointer bug in our Radius library, which would cause the SSL session daemon, ag_ssld, to crash. 9. Disabled incoming NTP queries in order to mitigate CVE The AppGate server was, at least partially, vulnerable to a denial-of-service attack, which would make two NTP servers busy talking to each other. 10. Changing log destination required a restart of the logging daemon. Changing the remote logging destination did not have any effect before the logging daemon ag_logd was restarted. Now it has. 11. The -iscomputermemberofdomain test did not work on Windows 8. The -iscomputermemberofdomain option to the client check binary check.exe had stopped working in Windows 8, due to changed naming conventions. 12. The New folder button was broken in File Access in the SSL portal. When browsing a file share through a File Access component in the SSL portal, there is a button called New folder, which was broken. 13. Icons for roles were not displayed correctly in the client. In AppGate Client, when selecting a role, the default icon was shown for every role, since 10.2, even if a different icon was assigned to the role. 14. Fixed null-pointer crash in ag_sieve. The daemon which updates the server's firewall rules, ag_sieve, could crash because a null pointer was not handled properly. 15. The Java Web Start client crashed on some Linux distributions. AppGate Client crashed during login on some Linux distributions, if launched through Java Web Start. This has been fixed by disabling the native crypto library and relying on Java code for cryptographic operations. 16. The Java Web Start client triggered a warning at launch. When using Oracle Java 7u45 or higher, the Java environment would show a warning when launching the AppGate Client over Java Web Start, stating that it is missing a Permissions attribute. This has now been fixed. 17. Access to satellites was not set up automatically. When changing through which network interfaces satellites can be reached, the server's firewall rules were not regenerated automatically, therefore it was sometimes necessary to restart the ag_stated daemon for the changes to be picked up. 18. Branding for MAP did not scale well. The default branding logo for Mobile Access Protect was hardcoded to support specific screen sizes, and therefore did not scale well on all screen sizes. Changes in New ag_stated_query command. The ag_stated_query command, which prints a list of active sessions, can now print a customizable CSV table, which is suitable for scripting. It can also print the number of sessions, and search for a session by username. The default behavior is as before. Run ag_stated_query -h for more information. Fixed bugs in Crash in ag_radiusd and sshd when using Radius. A bug was introduced in 10.2, which could cause the daemons ag_radiusd and sshd to crash, even later in a session, if a user logged in using a Radius method. 2. Upgrade to 10.2 could fail if using satellites. In version , the internal format of direct access rules for satellites was changed, but the 10.2 upgrade assumed that the old format was 3

4 used. As a consequence, the upgrade to 10.2 of a or later system which had satellites could fail. 3. Fixed deadlock in ag_galed. The IP tunneling daemon ag_galed has been given an overhaul, which has fixed a bug which has existed since version , where the daemon could become unresponsive and had to be restarted. Also, download speed through IP tunneling has been improved in situations with multiple sessions downloading. 4. AppGate Console became unresponsive when fetching a long list of active sessions. When opening Active Sessions in AppGate Console, the application would appear frozen for some time, if the number of active sessions was high, such as AppGate Console will now show a progress indicator when fetching the list. 5. AppGate Console filtered Local Accounts incorrectly. In the Local Accounts panel in AppGate Console, it is possible to filter the list of accounts, for instance by enabled authentication method. When selecting Authentication and Password as filter, the list displayed was wrong. 6. AppGate Console lacked phone number in Local Accounts. In version 10.2, support for SMS-based provisioning of mobile client settings was removed. Unfortunately, the mobile phone number field for a local account was removed along with the Provision button. The phone number field has other uses as well, so it was reintroduced in the GUI. The phone numbers were not removed from the database, so they should be preserved since before a 10.2 upgrade. 7. Fixed memory leak in ag_sdbadmind. The ag_sdbadmind daemon, which handles administration of the database, had a memory leak, so it would consume more memory for every change that was made in the database, and not release it. 8. Passwords in ag_ssld debug log. The ag_ssld daemon, which handles the SSL front-end, would save passwords of SSL Access users in the log, if run in debug mode. 9. Crash in ag_stated_query command. The ag_stated_query command, which prints a list of active sessions, could crash on a system that has been upgraded from or earlier. Changes in 10.2 General changes 1. Software Requirement. It is now possible to automate the installation of client software such as the Hosts File Writer or IP Tunneling Driver. This is done through a new component called Software Requirement. 2. Negative nets. It is now possible to specify a destination host, or range of hosts, that should be blocked in an access component. An example is a rule that would allow the client to access the whole internet through the AppGate server but exclude all internal networks. 3. Access on Demand. It is now possible to use HTTP URL:s to internal resources on the outside of the AppGate system, through a set of features called Access on Demand. Opening such an URL will actually launch the AppGate client, which, after authenticating the user, will open the page or file originally referred to. 4. Hosts Entry. The new Hosts Entry component can be used to add custom entries to the client system's hosts file, without the need to have an access component associated with the entry. 5. Radius as account source. Support for Radius as account source has been improved, with support for mapping roles and attributes from Radius. 4

5 Changes in the AppGate Console and Server 1. Supplementary group search base. It is now possible to supplement the LDAP/AD group search with an expression. This can be useful if the LDAP/AD contains a large number of groups that are irrelevant for the AppGate system. 2. General file editing in the AppGate Console. Using a configuration option, it is now possible to specify files that should be editable directly in the AppGate Console. This is useful to accomplish custom configuration of text files such as scripts on the AppGate server. 3. Improved logging performance. Intensive logging in a cluster could previously drain overall system performance. The logging daemon has been redesigned, using an in-memory database engine, to be less of a system bottleneck. 4. Access Rules logging. The system will now log all Access rules that are evaluated for a session and what values they are evaluated to. 5. Restore backup but keep network configuration. When restoring a backup file, AppGate Console will now always offer to keep the current network configuration. 6. Deep search in Console. AppGate Console will now also search the content of objects when using the Search functionality. 7. Deep copy in Console. Cloning a database object in AppGate Console now makes deep copies of roles, services and folders. The effect is the same as using the Copy and Paste features. 8. Stop authentication on Radius Reject. Optional support for the behavior suggested by RFC 5080, that a Radius Reject message from the Radius server means that the authentication process cannot continue. 9. Attribute scripts can set any attributes. Previously, attribute scripts were only allowed to set attributes with the prefix script. This limitation has been lifted. 10. Roles summary panel keeps search results. The Roles summary panel in AppGate Console will now maintain search results between visits during a session. 11. Less waiting during upgrade. There is now a Reboot when done checkbox in the Software Update dialog in AppGate Console. Using this, it is no longer necessary to press Reboot midway through the process. 12. Changed logging of Web Access components. In the AppGate Console panel for a Web Access component, Log first request has been changed to Log nothing. This means that the two logging alternatives for Web Access are now none and all (i.e. log all requests). The default is none. An upgrade will change all components with first to none. 13. Improved custom login prompt. The client configuration value gui_extraprompts can now have a Yes-or-No radio button as input. 14. Role membership attribute. The new attribute login.role_membership is a commaseparated list of roles that the user is a member of, independent of whether access rules allow the user access to these roles in the session. 15. Improved plain SSH interface. Curses features have been removed from the text-based interface for generic SSH clients, the interface is now purely based on ASCII. This fixes lack of scrollback and support for nonstandard terminal resolutions, and improves scriptability. 16. Statistics logged by IP tunneling daemon. The IP tunneling daemon ag_galed is now logging detailed traffic and resource statistics regularly. 5

6 Changes in the AppGate Client Removed features 1. Attributes from Java properties. AppGate Client is now able to set AppGate attributes from Java properties. For instance, defining jnlp.agattr.foo=bar in the jnlp file that the client is launched from, causes client.foo=bar to be defined in the session. 2. PKCS11 support on Mac OS X. Support for PKCS11 library loading on Mac OS X (10.5 or later) was added. 3. Improved client credential handling. On Windows and Mac OS X, AppGate Client can now optionally store credentials using the Windows Credential Manager and Mac OS X Key Chain. To enable this feature, set the client configuration value ag_storessocreds to yes. 4. IP tunneling on Windows 7 and 8. The IP Tunneling Driver is now WHQL signed for Windows 7 and 8, for the x86 and x64 architectures. 5. Attribute to indicate multi-user client. The attribute client.mud is set if the client is running as the AppGate Client for Citrix and Terminal Servers. 6. New behavior when client already running. When starting a second instance on Windows, AppGate Client will exit as before, but try to bring the first instance to front instead of popping up an error message. 7. Updated Mac OS X installation package format. MacOSX packages are now signed "flatfiles". The minimum supported version is 10.5 "Leopard", and the maximum support version is 10.8 "Mountain Lion". 8. Improved port forwards on Mac OS X. The " x trick" for port forwards is now available on Mac OS X too. 9. Accessibility. The client has been designed to be accessible so that a disabled user can navigate the GUI, either by keyboard only or with a screen reader. 1. Support for the Sparc platform removed. AppGate Security Server no longer runs on Sparc hardware. 2. Support for the PowerPC platform removed. AppGate Client for Mac OS X no longer runs on PowerPC hardware. Fixed bugs in Fixed bug which would block new connections. A bug in ag_sieve could cause it to crash, making sshd and ag_httpd unable to accept new connections. 2. Fixed issues in the IP tunneling daemon. The IP tunneling daemon ag_galed had memory leaks and stability bugs which are now fixed. 3. Fixed issues in the file distribution daemon. The file distribution daemon ag_distd, which distributes files across a cluster, could leak file descriptors, making a restart of the daemon necessary, and leak temporary files, wasting hard drive space. 4. Fixed Windows 8 support. Both AppGate Client and Server would fail to recognize Windows Fixed Kerberos support with recent Windows server. Made Kerberos keytab generation work against a Windows 2008 R2 domain server. 6

7 6. Added large icons for Windows 7. AppGate Client now features high-resolution icons for Windows 7 and other recent operating systems. 7. Fixed issue with IP Tunneling on Lion. The IP Tunneling Driver on Mac OS X did not detect Lion properly. 8. Fixed issue with IP Tunneling on Windows 7. On Windows 7, the IP Tunneling Driver would add a redundant extra route for each route added. Fixed by using a different next hop than self. 9. Fixed issue with IP Tunneling on Windows. Fixed "Maximum number of tunneling instances has been reached" bug on Windows in IP Tunneling Driver. 10. Support all combinations of platform wildcards. In an Access Rule or Client Command, it is possible to filter on a range of platforms by using wildcards in the platform identifier triplet. However, all combinations of wildcards and non-wildcards were not supported. 11. Fixed issue with cookies and Web Access. The ag_webproxy daemon responsible for surfing through a Web Access previously truncated cookies containing whitespace. This caused problems with OWA. 12. Restart SSL daemon when changing certificate. The SSL daemon was previously not restarted when changing certificate, a manual restart or reboot was required. 13. Fixed opening Office files through File Access. Recent versions of Microsoft Office may lock opened files, which would cause AppGate Client to complain about being unable to upload the file, when it was opened by double-clicking on a document in the File Access window. The new behavior is to warn the user once, then ignore these errors and upload when possible. 14. Fixed crash in SSL daemon during authentication. The SSL daemon could crash during user authentication if a wrong password was entered several times. 15. Support for more than one wildcard per host interval. Due to a bug in ag_stated, only one wildcard destination per component was supported, and anything after the wildcard destination was ignored. 16. Do not cache Pinsafe image. The Swivel Pinsafe authentication image was cached by AppGate Client, making it necessary to restart the client when entering the wrong response. 17. Fixed empty "Why" string. The "Why" string displayed by AppGate Console for a cluster in Yellow or Red state could be empty in some situations. 18. Fixed the "Bad mask length '/24'" error. AppGate Console could pop up an error saying "Bad mask length '/24'" without actual cause. 19. Fixed meaning of "Log server" setting. The per-node "Log server" checkbox did not do what was intended. 20. Fixed "Connection table full" error. Increased the maximum number of simultaneous connections in the daemon serving static web pages, ag_httpd. The "connection table full" error should now be a rare event. 21. Major rework of direct access rules for satellites. These did not work properly before. 22. Fixed creation of desktop shortcut. When AppGate Client was started using Java Web Start, creation of a desktop shortcut sometimes failed. 23. Fixed opening web page through client command. The client command agstart url... did not work in installed Mac OS X and Linux clients. 24. Allow L2TP SEQ fields. Allow SEQ fields in L2TP data message (Android 3.x uses this). 7

8 25. Trim client property values. Trailing spaces in property values caused problems in AppGate Client. All property values are now trimmed. 26. Fixed problem with very large roles. Fixed problem with very large roles in database engine. 27. Fixed reading USB ID. Fixed problem in check.exe with reading things like USB ids from WMI. 28. Native crypto library crashed on (Open)SuSE. AppGate Client will not use native crypto library on (Open)SuSE since it seems to crash when Sun Java is used. 29. Fixed issue with unresolved attribute in component. Fixed issue causing internal error 15 in ag_stated if attribute was non existing in a host interval. 30. Detect misaligned subnet address. AppGate Console will now display an error if an n.n.n.n/mask subnet address is not correctly aligned. 31. Fixed issue with File Transfer. Workaround for potential Java bug in File Transfer in AppGate Console related to the user.home property. 32. Fixed issue with ag_userd_ldap_test. The ag_userd_ldap_test command could fail to deduce role mapping. 33. Fixed issue with Backup and Restore. AppGate Console will show an error if file is missing during a Restore operation. 34. Whitespace was allowed in short hostname. AppGate Console allowed whitespace in short hostname. 35. Fixed issue with Net Groups. AppGate Console will now strip away newlines from netgroup when saving. 36. Could not copy Web Access. It was not possible to use Copy to clipboard on a Web Access component where Proxy password was defined. 37. Fixed ICMP log message. An endian bug reversed the IP addresses printed by ag_galed when logging ICMP packets. 38. Attribute values set by script were truncated. Attribute values set by script were truncated at approximately 1000 characters. 39. Fixed information leakage in AppGate Client. Fixed potential minor information leakage in AppGate Client. Upgrading to from earlier versions Only servers running version 9.0 or later can be upgraded to Machines running earlier versions must first be upgraded to 9.0 or later. The upgrade can be applied without disturbing users who are using the system but the system must later be rebooted in order to activate the upgrade. Upgrading a cluster running 9.1 to There is a bug in the AppGate Console version 9.1 (up to and including 9.1.6) which sometimes makes the console only show upgrade progress data from one node in the cluster. The work around is relatively simple. Before upgrading log on to any node in the cluster and run: secmsg_query grep ag_mgmtd 8

9 Then look for the line which shows where ag_mgmtd is registered (not the standby lines). This line should also show which node in the cluster the daemon is registered on. Make sure the console is logged in to this node of the cluster before applying the upgrade. Upgrading a cluster running 9.0 or There is a bug in the AppGate Console for 9.0 and which must be taken into account when upgrading a cluster. The upgrade will apply without problem, but the reboot button in the upgrade status window will only reboot one of the systems. The workaround is simple: 1. Do not use the reboot button on the upgrade status screen. Instead just close it once the upgrade is complete. 2. Go to the file system manager panel. There should be a new clone where the upgrade has been applied. Press the button in the boot column to make this clone the next booted clone. Do not press the reboot now button in the dialog which pops up (this is also broken). 3. Go to the top node in the admin tree where there is a shutdown button. Use this to reboot the entire cluster. 9