Juniper Networks Secure Access Release Notes

Transcription

1 Juniper Networks Secure Access Release Notes Junos Pulse Secure Access Service Version 7.3R9 Build # This is an incremental release notes describing the changes made from 7.3R1 release to 7.3R9. The 7.3R1 GA release notes still apply except for the changes mentioned in this document. Please refer to 7.3R1 GA release notes for the complete version. Contents Noteworthy Changes... 2 NSM Schema Publication for 7.3R General NSM Limitations... 2 Best Practices for FIPS Devices... 2 Known Issues/Limitations Fixed in 7.3R9 Release... 2 Known Issues/Limitations Fixed in 7.3R8 Release... 4 Known Issues/Limitations Fixed in 7.3R7 Release... 5 Known Issues/Limitations Fixed in 7.3R6 Release... 6 Known Issues/Limitations Not Fixed in 7.3R5 Release... 7 Known Issues/Limitations Fixed in 7.3R5 Release... 7 Known Issues/Limitations Not Fixed in 7.3R4 Release... 9 Known Issues/Limitations Fixed in 7.3R4 Release... 9 Known Issues/Limitations Fixed in 7.3R3 Release Known Issues/Limitations Fixed in 7.3R2 Release... 13

2 Noteworthy Changes Default ESAP Starting from 7.3R1, the default ESAP has been changed to ESAP Upon upgrade, if the active ESAP version on the SA is lower than then will become the active version. NSM Schema Publication for 7.3R9 The NSM schema for this software version will NOT be published. General NSM Limitations If there is a mismatch between software-catalog build version and release build version on the device, upgrading the device using NSM will not work. For example, 6.5R3 schema was published using build (software catalog version), but subsequently, 6.5R3.1 was released with build In this case, NSM will not recognize build as a valid upgradable release. However, if device is manually upgraded to build 15255, since there were no additional schema changes, the device should still be manageable via NSM (523868). Best Practices for FIPS Devices The following does not apply to configs exported from 6.5R5 and beyond: 1. Do not import a previously exported system config since it might contain a corrupted FIPS keystore database. If you must import an older system config, the option Import Device Certificate(s) must be unchecked when importing. 2. After upgrading to 6.5R2 it is strongly recommended that the system config be exported to take a back up of FIPS keystore database. The newly created system config will contain a clean FIPS keystore database 3. After upgrading to 6.5R2, in case the admin console reports a FIPS disassociated state, go into serial console and reload the FIPS keystore database (Option 9 -> Sub-option 1). Known Issues/Limitations Fixed in 7.3R9 Release 1. aaa-client-cert - Error occurs during the launch of Network Connect when certificate restrictions are used in the realm. (922623) 2. clustering-active-passive Reserved IP addresses such as are assigned to Network Connect clients. (904919) 3. cs-jsam-other - Java7 update 45 displays a warning that the Juniper application will be blocked in the future because the JAR manifest file does not contain the permissions attribute. (931822) 4. cs-nc-enduser - Certificate checks in realms with variable certattr.altname.ipaddress populates IPAddress in reverse order for Network Connect adapter. (916625)

3 5. cs-nc-enduser - Warning messages come up stating that JAR file manifest does not contain the permissions attribute when using Java7 update 45 on Mac OS. (932519) 6. cs-nc-enduser - Installation of Network Connect on Linux pops up a yellow warning message when using Java 1.7 Update 45. (933673) 7. cs-nc-other - Due to changes in the JDK, Network Connect stand-alone client upgrade fails on Mac OS. (914556) 8. cs-nc-other - IVS-based server-side configuration of proxy PAC file does not work properly. (915303) 9. endpointintegrity-ees Bookmarks page fails to load after EES check completes.(926262) 10. endpointintegrity-install - Java 7 update 45 displays an error regarding missing manifest. (933792) 11. endpointintegrity-shavlik - Host Checker goes into a loop when patch assessment policy checks are configured. (912188) 12. juns-ax-java-installer - Java 7 update 45 displays a security warning with the application name as "Unknown" when launching Juniper components via Java. (931408) 13. meeting-series-enduser - Secure Meeting/Pulse Collaboration does not properly display UAC elevation prompt. (889815,934428) 14. pulse-hostchecker - Host Checker with Junos Pulse fails file check if %USERPROFILE% variable is used. (906623) 15. sysmgmt-xmlexportimport - XML export fails on virtual appliance SA with traffic segregation enabled. (886094) 16. system-other - Search for userids in the active users tab in the admin UI is case-sensitive. (921186) 17. web-admin - Rewriting of the location object fails in some instances. (910193) 18. web-other - Add support to the following date time format in cookie expires header expires=friday, 08-Jan-99 13:00:00 GMT; expires=sun, 07 Jun :02:03 GMT; expires=thu Feb 3 17:03:55 GMT 1994; expires=thu Feb 3 00:00: GMT; expires= t11:00:11; expires=friday, 08-Jan-99; expires=sun, 07 JUN 2000 (892822) 19. web-other - Java manifest file incompatible with security checks with Java 7 update 45. (933138)

4 20. web-supportedapps - Lotus Connection 3.0 gives Javascript error when user clicks "Latest entries" under Apps tab. (908664) 21. asg-web-supportedapps Multiple file upload to Sharepoint site through rewriter is not working. (913330) 22. win-term-svcs-enduser - When using Java to launch the Windows Terminal Services access mechanism on a client that is running Java7 update 45, user will see a warning message. (932422) Known Issues/Limitations Fixed in 7.3R8 Release 1. aaa-admin - Invalid auth server entries may not be removed correctly during upgrade. ( ) 2. cachecleaner-end-user - Cache Cleaner deletes explorer.exe and other critical system files when a registry entry is empty (910987) 3. cs-wsam-admin - WSAM is not resolving destination by FQDN when IVE domain list contains 2 domain names, separated with comma and space (906620) 4. endpointintegrity-ees - EES does not install through the Pulse interface on Spanish XP (864153) 5. endpointintegrity-install - All Host Checker components are digitally signed. (900882) 6. ifmap-client - Juniper Network Secure Access Federation Client sends session data without IP address to Federation Server when there is a cluster failover, or restart of services or changing of roles association for export policy. (855219) 7. logging-filter - User Access Log filter query returns an error when more than 4 IDs are queried. (890693) 8. pulse-other - Tunnel set up in pulse fails with large sign-in notification. (868563) 9. pulse-other - RADIUS challenge message is not getting displayed in Pulse UI when RADIUS is used for secondary authentication. (895219) 10. pulse-proxy - With Split tunneling enabled, Pulse fails to create a merged proxy.pac if client pac is present and server proxy is not present. (898657) 11. system-other - The dsagentd process crashes when the SA receives an invalid DNS response. (917969) 12. web-other - Mobile UI pages are hard to read and webpage footers are not positioned correctly. (840501)

5 13. web-other - Un-Rewriting of Post body is failing when post data contains a normal http( s) link followed by a rewitten link (896197) 14. web-selective-rewrite - Client side rewriting is failing for a specific scenario where function name starts with top (909229) 15. web-supportedapps - Lotus Connection 3.0 gives javascript error when user clicks Add entry field in My Activities. (909024) 16. win-term-svcs-other - Users cannot use multiple monitors with Citrix Listed Applications due to the Citrix Desktop Viewer toolbar being enabled. (897134) Known Issues/Limitations Fixed in 7.3R7 Release 1. aaa-saml - ios users are unable to perform SAML SSO t o backend resource through the rewriter. (879397) 2. cs-nc-enduser - Some of the Network Connect components need to be digitally signed. (867098) 3. cs-nc-ike IKEv2 response packets that are duplicates from the originating client are now ignored if previously handled. (865071) 4. cs-nc-other - If one or more sign-in URLs are configured with GINA and GINA is not configured for the default sign-in URL, an attempt to bring up an Network Connect -GINA tunnel fails if there was a reconnect in the previous Network Connect -GINA tunnel instance. (880539) 5. endpointintegrity-others - Virus definition check failing for certain Anti-Virus products even if the endpoint has virus definition files that are up to date. (833417) 6. logging-admin - If detailed rules are modified in the SAM, File and Web resource policies, the changes to the resource policies are not logged in the admin access logs. (876448) 7. ui-enduser - On mobile devices, browsing toolbar displays Juniper Networks logo instead of the custom logo that is uploaded by the SA admin. (876199) 8. web-other - Observed a memory leak in the TNCS process when processing certificates with "subject alternative names". (846344) 9. web-other - When prelude is added in a CDATA section, a nested CDATA is created when accessed through the rewriter and subsequently breaks XML pages. (886156)

6 10. win-term-svcs-xml-import-export - XML import of terminal-services policy blocks access until 'Save Changes' is clicked in the Terminal Services resource configuration page of the Admin UI. (871892) Known Issues/Limitations Fixed in 7.3R6 Release 1. cifs-other - There is memory leak when uploading files on windows share. (867996) 2. clustering-install-upgrade - A factory reset SA is unable to join a cluster via console configuration. (836546) 3. cs-jsam-enduser - On launching or exiting JSAM, users get a "Block potentially unsafe components from being run" security warning message from Java7 Update 21. (878390) 4. cs-nc-enduser - Windows 8 Professional users, intermittently experience "nc.apps.windows.23712" error while launching Network Connect. (842932) 5. cs-nc-enduser - Network Connect diagnostic tool incorrectly reports that the tunnel is up even when the tunnel is down. (855458) 6. cs-nc-other - When an A/P VIP cluster failover occurs, Network Connect sometimes connects in SSL rather than ESP. (862864) 7. endpointintegrity-custom-check - On Mac OS X, Host Checker Process rule evaluation fails if full process path is configured (874606) 8. endpointintegrity-custom-check - Host Checker file check process on Windows 64-bit platforms always look for the files in the <%ProgramFiles(x86)%> directory. (874824) 9. endpointintegrity-install - On launching any client components users get a "Block potentially unsafe component from being run" security warning message from Java7 Update 21 and Java6 Update 45. (880320) 10. fips-other - Client certificate authentication fails with keys larger than 2048 bit on FIPS appliances. (865199) 11. juns-ax-java-installer - On launching any client component users get a "Block potentially unsafe components from being run" security warning message from Java7 Update 21 and Java6 Update 45. (877058) 12. sysmgmt-mgmtport - Virtual SA does not send AAA traffic out of the Management Interface for Pulse client when the option Send AAA traffic via Management interface is enabled. (873149)

7 13. sysmgmt-other - In an active/passive cluster, VIP failover will not occur if the active node file system is loaded as read-only. To prevent this, the file system state is monitored and the NIC will be brought down when the file system is loaded as read-only. (863757) 14. system-debugging - On an SA700 if a VLAN interface is enabled the system commands ARP, NSLookup and Traceroute that are run from the external port use the internal port instead. (859581) 15. system-other - Under heavy load, the SA enters an unrecoverable state. (862107) 16. system-other - SA device intermittently generating radius core dumps. (875244) 17. system-webserver - web server process snapshots may be created on SA6500FIPS units when authorization only URLs are configured. (845866) 18. web-other - Javascript error is observed in Internet Explorer 9 if the IVE Toolbar with iframe is enabled. (859988) 19. web-other - When using authorization only URLs, the backend server hostname is truncated when using a non-standard port. (869204) 20. web-other - Client side rewriter issue with URLs containing query parameters. (881861) 21. web-selective-rewrite - Custom application yields errors via rewrite. (864233) 22. win-term-svcs-other - When using multi-valued attributes for a RDP bookmark, the values are not received correctly to create unique bookmarks (553348) 23. win-term-svcs-other - Random disconnects using Citrix Terminal Services (CTS) with weak wireless connection on Windows 8. (879345) Known Issues/Limitations Not Fixed in 7.3R5 Release 1. asg-ifmap-client - Pulse SAM session not listed on Exported sessions page when the realm option, Enable Session Sharing is enabled. (874288) Known Issues/Limitations Fixed in 7.3R5 Release 1. aaa-client-cert - SA is not able to send LDAP traffic to LDAP-CDP server through a port other than the default port 389. (857691)

8 2. aaa-saml - If SAML IDP metadata is fetched from a remote location then the operation fails. (844230, ) 3. aaa-sign-in-pages - On the iphone, the username and password fields are invisible on the secondary login page. (827376) 4. clustering-active-passive - Cannot assign previously used A/P cluster VIP IP address as Virtual Port IP after deleting the cluster. (862628) 5. cs-nc-install-upgrade - With Network Connect client check option enabled, users are unable to install/start NC. (866688) 6. endpointintegrity-custom-check - Host Check policy for Custom:File fails when multiple MD5 checksums are listed. (857365) 7. endpointintegrity-others - The SA home page will get stuck and does not load user home-page, when Host Checker is launched through the Firefox browser 19.x. (865613) 8. endpointintegrity-svw - Secure Virtual Workspace session closes right after launching if the interval to perform Host Checker check is set to 0 in "Perform Check every " field. (830172) 9. ifmap-client - During an IF-MAP Server cluster VIP fail over event, the SSL VPN will remove Network Connect session from IF-MAP server cluster. Junos Pulse users are unaffected. (868082) 10. log-upload-java-client - With Java 6 update 39 and greater, JSAM window does not close when the session ends. (860840) 11. pulse-connmgr - Pulse on Mac OS X fails to connect to sign-in page if Safari browser is configured to use a Proxy Auto-Config (PAC) file. (743840) 12. pulse-other - Pulse does not follow IC's IPSec setting for UDP encapsulation. (847251) 13. pulse-proxy - On some clients there is a delay between launch of Pulse and traffic going through channel. (855362) 14. sysmgmt-dmi-agent - The user role options for terminal services profile is not set if the profile is created through DMI. (842374) 15. system-network - Debug logs shows User error message when the user logs into the SA using IPV6 address (830841) 16. web-other - Sametime IM with inotes FP1 integration will not work through core access. (821438)

9 17. web-other - A custom web-based application failed to render properly in IE 9. (838202) 18. web-other Splunk dashboard does not load properly via rewriter. (852702) 19. web-other - Certain attribute functions are not getting rewritten. (852843) 20. web-supportedapps Windows 8 users are unable to save files to SharePoint portal via Web access. (783399) 21. win-term-svcs-enduser - Windows Terminal Services client on a Windows 8 frequently reconnects over wireless network. (842547) Known Issues/Limitations Not Fixed in 7.3R4 Release 1. For IKEv2 connections in a network environment with high latency and significant packet drops, IKEv2 VPN connection might be closed at the IVE side, if packet retransmission times out. (856329) Known Issues/Limitations Fixed in 7.3R4 Release 1. aaa-active-directory - When IVE computer name is deleted in the AD server, IVE doesn't do a successful domain join later but test configuration works fine. (839310) 2. aaa-ldap - Cgi-server crashes in some corner case with iplanet LDAP Server where user attempt to change his password fails due to a password policy other than the default password policy("cn=password Policy,cn=config") in iplanet Server. (845370) 3. aaa-other - Log messages do not follow the uniform way of printing user name. (812629) 4. cifs-bookmarks - User cannot access the second bookmark after importing XML config in certain scenarios. (839489) 5. cs-nc-i18n - Username field string for Credential Provider is incorrect for Japanese language machines. (828187) 6. cs-nc-ike - IVE may send Malformed ISAKMP packets in an environment with high latency and packet loss with IKEv2 connection. (797140) 7. cs-nc-install-upgrade - The versioninfo.ini file for Network Connect is not copied during the upgrade process. (799743)

10 8. cs-wsam-admin - Delete confirmation message displays a different WSAM allowed server(s) entry other than the one you have selected to delete. (833643) 9. cs-wsam-dmi-config - Incorrect SAM ACL created when WSAM policy is pushed using netconf. (840066) 10. endpointintegrity-custom-check - Host Checker is not able to detect the system level processes enabled with MD5 checksum for Mac OS. (837319) 11. endpointintegrity-loginflow When clicking Try Again on Host Checker (agentless) remediation page, Host Checker launches multiple times, and finally displays the message " Host Checker did not get installed properly..." (786704) 12. endpointintegrity-others - AV, Firewall and AS policies fail on the machines without the latest Microsoft runtime libraries installed. (839392) 13. endpointintegrity-shavlik - Shavlik remediation failed to deploy the patches on Windows client. (835724) 14. endpointintegrity-svw - Host Checker check keeps loading inside SVW with Kaspersky InternetSecurity (795731) 15. fips-other - While accessing FIPS Clustered SA through hostname, the user is presented with the self signed device certificate despite of renewed device certificate. (845446) 16. juns-other - Host Checker prevents Network Connect from closing when the session is terminated via web on Mac OS (830445) 17. juns-other Host Checker fails to reinstall and launch when JuniperSetupDLL.dll is not present in the system. (837482) 18. juns-other - In IE 9, user login page hangs during Host check as the "pleasewait.js" is fetched from the browser cache instead of using the one sent by SA when the SA is upgraded to a higher build. (838625) 19. juns-other - Query parameter is missing for "Pleasewait.js" when user logs out of SA. (856050) 20. logging-filter - User access logs couldn't filter a Korean letter for both role and realm name. (839315) 21. meeting-series-other - An gateway doing MIME verification may reject the Junos Pulse Collaboration invitation due to invalid MIME parsing. (843617) 22. pulse-connstore - Pulse connections sets are not getting properly updated on the client. (835361)

11 23. pulse-dsagentd - In some rare instances, Pulse server side process crashes during re-keying of Pulse ESP sessions. (843922) 24. pulse-dsagentd - When Host Checker inactivity times out and the user falls to remediation role, SA still allows access to the resource configured for user role. (849209) 25. pulse-hostchecker - Machine certificate policies might fail during evaluation, if the client machine has more than one certificate installed that matches the policy configured on SA. (837149) 26. pulse-ive-cm - Pulse users gets disconnected after 5 minutes of inactivity in some networks. (853631) 27. pulse-mobile-vpn - Custom text in French for Signing-in-Page doesn't show up in French but appears in English on ios and Android browsers. (832562) 28. sysmgmt-netconf - Using DMI netconf command line, "<\get-active-users>" command doesn't populate the Network Connect details. (838888) 29. system-digital-cert - Import fails for device certificate missing CN attribute. (840940) 30. system-kernel - Web server crashes during heavy Authorization only traffic. (839628) 31. system-other - Data URI schemes don't get rewritten properly, causing high CPU utilization on SA. (825068) 32. uac-other - MSCHAPv2 auth fails until "Test Configuration" for particular AD auth Server is finished. (818555) 33. uac-sbr - SBR debug logs with level 20 and RADIUS troubleshooting logs displays clear -text user account password. (841319) 34. web-other - Rewriter fails to load a page containing both javascript and vbscript. (830599) 35. web-other - The editor and toolbar options are not displaying on the web page Dojo toolkit via rewriting. (843076) 36. web-ptp-other - Authorization only proxy server crashes when the backend server is not reachable under heavy load. (849951) 37. web-selective-rewrite - The IVE is not rewriting the one URL of back-end server, so that background of the web page is not visible via rewrite. (848637)

12 38. win-term-svcs-other - On Windows7 client with IE9 64 bit browser, users are not able to access Citrix Listed Xenapp5 through SA. (828666) Known Issues/Limitations Fixed in 7.3R3 Release 1. aaa-active-directory - In some circumstances, switching from BDC to PDC may be delayed. (814169) 2. aaa-client-cert ios users must choose the certificate a second time after providing user credentials when certificate authentication is used. (802157) 3. aaa-sign-in-pages - Siteminder injected header is not sent to back-end server from IVE when using Authorization-only Sign-in policy. (832388) 4. cifs-enduser - Users fail to delete a file with Japanese filename via Core file share from ios Safari client. (832577) 5. endpointintegrity-others Host Checker keeps downloading manifest.xml and hfnetchk6b.xml when Windows username has an ' (apostrophe) in it. (804270) 6. endpointintegrity-others - Host Checker fails when using Root certificate having German umlaut. (816415) 7. meeting-series-other - Check Meeting Compatibility gives error saying "Your system is incompatible with Junos Pulse Collaboration" even though Java is present. ( ) 8. msp-ivs - Root sign in page provided when accessing SA via virtual port assigned to IVS. (830297) 9. pulse-certificates - When existing Server Certificates are removed from the active list following an upgrade, Connection Set certificates loaded for the Pulse client may be affected. (798637) 10. pulse-connmgr - When the Junos Pulse default connection is to a Pulse Secure Access server and the user logs off the Pulse Secure Access server from a browser, the default connection remains connected. (516180) 11. pulse-connmgr - If the SA is heavily loaded, Pulse users are randomly getting disconnected. (831242) 12. pulse-other - Pulse fails to connect to SA when Role level certificate restriction is present. (833272) 13. vdi-other - Processes can crash when user enables very low periodic snapshot interval. (809973)

13 14. web-active-x - User is unable to send attachments in inotes FP2. (831990) 15. web-other - Rewriting of empty URL to avoid security warning is preventing the page to be rendered properly (821421) 16. web-other - In certain cases ( for example links starting with Javascript: ), client side rewriting of GetAttribute JavaScript function calls fails to remove escape characters. (832726) 17. web-other - Users get Javascript error while accessing customer application. (835408) 18. web-ptp-other - When using PTP, customer's cookie parameter "IDSID" value is getting written to IVE session cookie "DSID" value and causing the session to end. (823560) Known Issues/Limitations Fixed in 7.3R2 Release 1. aaa-active-directory - If AD server has more than 1000 groups and Group Search with LDAP is enabled then groups listed after the first 1000 groups are not retrieved by the IVE. (812311) 2. aaa-other - Unix file bookmarks show garbled characters for Japanese language. (696806) 3. aaa-other - Associated sessions with a single user record are not cleared when admin does Delete All Sessions from admin page. (801500) 4. aaa-other - If the total number of active IVS users is greater than the allotted number of minimum users for the root IVS, root users cannot complete authentication. (821155) 5. aaa-saml - The user doesn't logout of an SA automatically when the same user logs out of another SA, where the user has already logged into two SAs configured as SP and PingFedera te configured as IDP with Single Logout option enabled. (810967) 6. aaa-saml - Certificate selection was not being honored with SAML Peer SP configuration based on Metadata when manual certificate selection option is enabled. (820549) 7. cifs-other - No error message or warning is thrown when a file larger than 2GB is downloaded through file browsing. (784865) 8. -other - When using the proxy functionality for IMAP/POP/SMTP traffic, the DNS resolution for the servers is done at the time of the in itial connection. The DNS data is not refreshed during the proxy session. (809600)

14 9. endpointintegrity-esap - When uploading an ESAP package to a 4-node cluster, the ESAP package may not get copied to all nodes in the cluster causing some users may not be able to authenticate. (779118) 10. endpointintegrity-liveupdate - In a clustered environment, the Auto-update virus signatures list occasionally fails to download thereby causing all users to fail the Host Check. (733352) 11. endpointintegrity-others If the client machine is in a time zone for which Daylight saving is effective and if the "Adjust clock for Day light Savings" option is enabled then checking for latest Virus Definition might fail, even if the latest updates are installed. (808018) 12. endpointintegrity-others - When a Mac client resumes from sleep, Host checker s CPU usage increases significantly. (822138) 13. logging-admin - User access log fails to show bytes sent/received for Pulse in standard view. (813840) 14. pulse-hostchecker - Finding delay in Host Checker due to Shavlik dlls, even when patch assessment is not required. (795901) 15. pulse-hostchecker - If Cache Cleaner is enforced on the IVE and if the versions of Pulse and IVE are different then Pulse is unable to connect to the IVE. (811597) 16. pulse-hostchecker - When Pulse is launched through browser in proxy auth scenario, Host Checker fails to download files for ESAP, Shavlik and EES if they are required to complete the TNC handshake. (815046) 17. pulse-sa-nc-am - Pulse session start and end scripts are copied to C:\Windows\Temp instead of the user's temp folder. (817082) 18. pulse-soft-token - Junos Pulse client does not handle New PIN mode with Blackshield Cryptocard. (815692) 19. system-other - If a license increment request fails, it is logged every 17 mins on the Enterprise license server and on the IVE with a log severity level of MAJOR. (800699) 20. system-other - ivedisknearlyfull SNMP trap being erroneously sent if archiving takes longer than 30 minutes. (815915) 21. web-other - In some cases of XML data chunks, XML garbage is not handled properly. (722277) 22. web-other - The "edit" button on the portal page on a Japanese ipad is vertical rather than horizontal. (798473)

15 23. web-other - The add and delete buttons on the portal page on a Japanese ipad are vertical rather than horizontal. (798504) 24. web-other - Oracle JDE Enterprise One application when accessed through IVE is calling a function detectclose() which is closing the previous window when a new window is opened. (802412) 25. web-other - Certain types of Javascript content greater than 14 K in length are not being rewritten correctly. (803749) 26. web-other - Javascript error in rewriting the SAP portal page. (820388) 27. web-sso - Rewriter server crashes intermittently during Web SSO. (797257) 28. web-sso - SSO with SAML 2.0 with SA as IdP and using Artifact does not work (810583) 29. web-sso - SA Kerberos SSO requests are not falling back when the KDC is down. (813216) 30. win-term-svcs-other - Under peak load, WSAM, Windows Terminal Services, Citrix Terminal Services users experience slow response times if RADIUS accounting is enabled for this traffic. (787199) 31. win-term-svcs-other - The Hob applet used in the "Premier Java RDP applet" has been upgraded to version (813806) 32. win-term-svcs-other - Clicking the Restore Window/Maximize Window buttons in the Premier Java RDP client window on Mac OS X 10.7/10.8 can cause a crash. (814936)