Stonesoft SSL VPN. Release Notes for Version 1.5.3

Stonesoft SSL VPN Release Notes for Version 1.5.3
Created: December 1, 2011

Table of Contents

What's New
  New Features
  Enhancements
  Fixes
System Requirements
  Stonesoft Appliances
  Build Version
  Product Binary Checksums
Compatibility
  Browser and Client OS Compatibility
  Directory Services
Upgrade Instructions
  Upgrade from Previous Versions
Known Issues

What's New

New Features

The new features introduced in Stonesoft SSL VPN version 1.5.3 are described below. The list describes the features briefly; consult the product documentation for more details.

Feature: New OpenDJ option as Directory Service
Description: Stonesoft SSL VPN 1.5.3 includes a new Directory Service based on OpenDJ technology. This option is active by default only for new installations; an upgrade from a previous version keeps the existing configuration. To switch the Directory Service database from the existing configuration to the new option, refer to the Stonesoft SSL VPN Administrator's Guide.

Enhancements

The enhancements introduced in Stonesoft SSL VPN version 1.5.3 are described below. The list describes the enhancements briefly; consult the product documentation for more details.

Feature: Access Client for Linux supports IP Address Pool
Description: Access Client for Linux now supports the IP Address Pool functionality, including the ability to create reverse connections to the client by using the IP address assigned from the IP Address Pool.

Fixes

The problems described below have been fixed since Stonesoft SSL VPN version 1.5.1. A workaround for earlier versions is given where one is available.

Synopsis: Adding a new Tunnel Set resets all other open tunnels (client side) (#74453)
Description: After modifying and publishing a configuration for a Tunnel Set on the SSL VPN gateway, refreshing the client browser closes all active connections.
Workaround for previous versions: Reopen the connections, since the tunnels are still valid.

Synopsis: Closing a connection from Access Client for Linux does not close currently open connections (#74085)
Description: Because of a difference in design between the Access Client for Windows and the Access Client for Linux, selecting Close Connection from status monitoring in the Access Client for Linux causes only new connections to be stopped. Any existing connections remain active until finished.

Synopsis: Location DN information in Directory Service configuration is not updated with values entered in Show Tree window (#67959)
Description: When you configure a Directory Service, the value that you selected with the "Show Tree" functionality is not displayed in the Location DN text box.

Synopsis: Access Client crashes if no DNS is defined on client (#71988)
Description: The Access Client crashes if no DNS server is defined on the client operating system.
Workaround for previous versions: Define the DNS server in the TCP/IP settings of the client.

Synopsis: Access Client crashes when using 6 dynamic tunnels simultaneously (#72306)
Description: The Access Client crashes when 6 dynamic tunnels are configured and used simultaneously on the client operating system.

Synopsis: Heavy traffic load and absolute timeout expiration cause the Access Point to exhaust the memory (#74561)
Description: When the SSL VPN system is under heavy traffic load, the expiration of the absolute timeout value causes the Access Point to rapidly exhaust its memory.
Workaround for previous versions: Increase the absolute timeout value.

Synopsis: Tunnel resources cannot have comma-separated port numbers (#74847)
Description: When a Tunnel Resource is configured, it is not possible to list multiple TCP or UDP ports by separating them with a comma (for example, 22,23,25).
Workaround for previous versions: Define each port in a separate Tunnel Resource. For example:
  Tunnel Res. 1: port TCP 22
  Tunnel Res. 2: port TCP 23
  Tunnel Res. 3: port TCP 25

System Requirements

Stonesoft Appliances

Stonesoft SSL VPN version 1.5.3 is supported on all Stonesoft SSL VPN appliances and on Stonesoft SSL VPN Virtual Appliances.

Build Version

The Stonesoft SSL VPN version 1.5.3 build version is 1551.

Product Binary Checksums

sslgw_engine_1.5.3.1551_i386.zip
  MD5SUM  951d27ad2cd83b6704a8e70f46a3ecf2
  SHA1SUM d46a792f96f39837bed476b3935b2daf01fa76dc

sslgw_engine_1.5.3.1551_vmwarefw-esx.zip
  MD5SUM  df4552e4166882c0148d7c8e70837208
  SHA1SUM 3897a5817a4452bc715e674bbcad2d6f35bd1d5f

Compatibility

Browser and Client OS Compatibility

Stonesoft SSL VPN version 1.5.3 administration requires a workstation with TCP/IP networking configured and a Web browser installed. To use the Application Portal, the connecting client must have TCP/IP configured and a Web browser installed. To use Tunnel Resources, such as client/server TCP/UDP-based applications, the connecting client must have TCP/IP configured and a Web browser with Java or ActiveX support installed. To use the Stonesoft Web authentication method, the client must support Java technology to display the clickable webpad. To use the Stonesoft MobileID (Synchronized or Challenge) authentication method, the client must have the MobileID software installed and seeded. For the full platform compatibility matrix for the functionalities described above, see Technical Note 5566.
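The following script is an added example, not part of the release notes or Stonesoft's tooling: it verifies a downloaded engine package against the MD5 and SHA-1 values published above (file names and digests are taken from the checksum list; the function names and the empty-file self-check are my own).

```python
import hashlib
import os
import tempfile

# Digests published in the 1.5.3 release notes (build 1551), keyed by file name.
PUBLISHED_CHECKSUMS = {
    "sslgw_engine_1.5.3.1551_i386.zip": {
        "md5": "951d27ad2cd83b6704a8e70f46a3ecf2",
        "sha1": "d46a792f96f39837bed476b3935b2daf01fa76dc",
    },
    "sslgw_engine_1.5.3.1551_vmwarefw-esx.zip": {
        "md5": "df4552e4166882c0148d7c8e70837208",
        "sha1": "3897a5817a4452bc715e674bbcad2d6f35bd1d5f",
    },
}


def file_digests(path, chunk_size=1024 * 1024):
    """Return {'md5': ..., 'sha1': ...} for a file, streamed in chunks."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def verify_package(path, expected=None):
    """Check a downloaded package against its published digests.
    Returns (ok, details). `expected` defaults to the published entry for the
    file name; both MD5 and SHA-1 must match, so one mismatch fails the check."""
    name = os.path.basename(path)
    expected = PUBLISHED_CHECKSUMS.get(name) if expected is None else expected
    if expected is None:
        return False, {"error": "no published checksum for %s" % name}
    if not os.path.isfile(path):
        return False, {"error": "file not found: %s" % path}
    actual = file_digests(path)
    details = {}
    for algo in ("md5", "sha1"):
        want = expected[algo].lower()
        details[algo] = {"expected": want, "actual": actual[algo],
                         "match": want == actual[algo]}
    return all(d["match"] for d in details.values()), details


def check_constructed_sample():
    """Constructed self-check (a hypothetical file, not a Stonesoft package):
    an empty file against the well-known empty-input digests, then against a
    deliberately wrong SHA-1 to show that a single mismatch is rejected."""
    empty = {"md5": "d41d8cd98f00b204e9800998ecf8427e",
             "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709"}
    tampered = dict(empty, sha1="0" * 40)
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.zip")
        open(path, "wb").close()
        ok_match, _ = verify_package(path, expected=empty)
        ok_tampered, _ = verify_package(path, expected=tampered)
    return ok_match, ok_tampered


if __name__ == "__main__":
    for name in PUBLISHED_CHECKSUMS:   # expects the packages in the current directory
        ok, details = verify_package(name)
        print(name, "OK" if ok else "FAILED", details)
```

Both published algorithms are collision-weak, so this check catches corrupt or truncated downloads rather than a deliberately crafted substitute; take the reference values from the release notes, not from the download location itself.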

Directory Services

User information can be stored in an internal user directory, or one of the following external directory services can be used:

- Microsoft Active Directory 2003
- Microsoft Active Directory 2008
- Novell eDirectory
- OpenLDAP
- Sun Java System Directory Server
- Oracle Internet Directory (authentication only)
- Tivoli Directory Server (authentication only)
- IBM RACF LDAP (authentication only)
- OpenDS 2.x
- OpenDJ

NOTE: An external directory service is required for a mirrored pair configuration. For additional information, refer to the Stonesoft SSL VPN Administrator's Guide.

Additionally, when using the Access Client on Windows Vista or Windows 7, the following requirements apply:

Requirement: Access Client on Microsoft Windows Vista and 7 requires administrator rights
Details: The Access Client requires administrator rights to run properly on Windows Vista and Windows 7 the first time it is installed. It auto-upgrades afterwards.

Requirement: Stonesoft ActiveX Client Loader requirements
Details: To run the ActiveX Access Client loader successfully with Windows Vista UAC, you must add the Access Point server HTTPS address to the list of trusted sites in Internet Explorer.

Requirement: Drive letter mapping in Windows Vista
Details: A single drive letter (for example, F:) cannot be used as a startup command in Windows Vista and Windows 7. All commands must be executed using runas to elevate to administrator mode, since the mapping is done in administrator mode and F: is not a valid executable. Use the following startup command instead: explorer /root, F:  This works on Windows XP as well as Windows Vista and Windows 7.

Requirement: Java Runtime Environment
Details: To run the Stonesoft Java Access Client, use Sun Java 1.6 Update 2 or later.

Upgrade Instructions

When upgrading mirrored systems, see the upgrade instructions in the SSL VPN Administrator's Guide, which is available from http://www.stonesoft.com/en/support/technical_support_and_documents/manuals/current/

It is recommended to publish the configuration after a successful upgrade.

Upgrade from Previous Versions

Stonesoft SSL VPN is upgraded from version 1.4.x to 1.5.3 through the Web Console or by using the Remote Upgrade functionality in the Stonesoft Management Center. After the upgrade, log in to the Stonesoft SSL VPN Administrator interface and publish the updated configuration if the Publish button is highlighted. Direct upgrade from other versions to Stonesoft SSL VPN 1.5.3 has not been tested, although it may work.

NOTE: Starting from version 1.4.0, using Stonesoft SSL VPN with the Stonesoft Management Center requires a valid SSL VPN 1.4 license to be imported into the Stonesoft Management Center. A Stonesoft SSL VPN engine of version 1.4.0 or higher is counted as one unit in the Stonesoft Management Center when the SSL VPN engine is managed by the Stonesoft Management Center. Virtual Stonesoft SSL VPN appliances are not counted as managed units in the Stonesoft Management Center. For additional information on Stonesoft SSL VPN licensing, refer to the Stonesoft Price List.

Known Issues

The current known issues of Stonesoft SSL VPN version 1.5.3 are described below. For an updated list of known issues, consult our Web site at http://www.stonesoft.com/en/support/index.html/.

Synopsis: Stonesoft SSL VPN Breaks Browser Domain-Based Security Model - Refs: CVE-2009-2631, CERT VU#261869 (#55542)
Description: Stonesoft SSL VPN breaks the browser domain-based security model. The vulnerability lies in the architecture of the SSL VPN solution. As a result, all resources under a single SSL VPN domain may potentially steal or modify each other's active web content, such as web cookies.
Workaround (recommended actions): Deploy only trusted resources to the SSL VPN portal. Resources in significantly different security zones, such as resources hosted by different companies, should be deployed using Pooled DNS Mapping or Reserved DNS Mapping. Untrusted resources should not be deployed to the SSL VPN portal at all; if such resources are needed, deploy them as External Sites, so that the SSL VPN portal gives a direct link to the resource instead of routing the client's traffic to the resource through the SSL VPN portal. Consult the Stonesoft SSL VPN Administrator's Guide for further information about deploying Pooled DNS Mapping, Reserved DNS Mapping, or defining External Sites.

Synopsis: In a mirrored configuration, OATH database must be configured as an external database (#50490)
Description: In a mirrored configuration with OATH activated, adding a secondary Authentication Service causes the following error message: "To validate if OATH is used on the configured Authentication Service-node (i.e. tokens are imported), it has to be started. A system with more than one Authentication Service-node cannot use a local database; it would result in data inconsistency."
Workaround: Configure OATH in the SSL VPN Administrator (through Manage System - OATH Configuration - Database Connection) to point to an external URL (for example: jdbc:hsqldb:hsql://10.0.215.40:9001/:shutdown=true). Alternatively, disable OATH in the Web Console.

Synopsis: Client Firewall does not work on Windows Vista clients (#40657)
Description: When a Client Firewall is configured for a resource, the Access Client stops working on Windows Vista.
Workaround: Add the following three "Outgoing" rules for the Client Firewall, where W.X.Y.Z is the IP address of your Access Point (if you use multiple Access Points, add a corresponding rule for each):
  W.X.Y.Z-W.X.Y.Z 443 TCP Any Accept
  127.0.0.1-127.0.0.1 1-65535 TCP Any Accept
  127.0.0.1-127.0.0.1 1-65535 UDP Any Accept

Synopsis: Configuring Directory Service as Microsoft Active Directory and setting RootDN with a container class object is not accepted (#50034)
Description: This is a Microsoft Active Directory specific problem. An Organizational Unit is not an allowed child object of the class "container" within the Active Directory default schema. "ou=accounts,..." is an Organizational Unit, so "ou=accounts" cannot be added under "cn=users,...", because "cn=users,..." is a container (objectclass=container, objectcategory="cn=container,cn=schema,cn=configuration,..."). RootDN should start with an Organizational Unit (OU="...",...).
Workaround: In the SSL VPN Administration interface, configure RootDN so that the Organizational Unit is not part of a container. For example: OU=Accounts,DC=DOMAIN,DC=COM or OU=Accounts,OU=SSLVPN,DC=DOMAIN,DC=COM

Synopsis: Use of IP pool address with Active FTP does not work on a Vista system (#50028)
Description: Using an SSL VPN resource for active FTP with an IP address pool from a Windows Vista machine fails when the server starts the transfer. The problem is caused by the IP address used in the PORT command, which is not the same as the IP address assigned from the IP address pool.
Workaround: Use passive FTP, or an FTP program that allows setting the client IP address to be used in the PORT command.

Synopsis: Trace removal with Windows 7 64-bit fails to execute (#58781)
Description: Trace removal fails on clients running Windows 7 64-bit.

Synopsis: MobileID for Java displays buttons in black with Java 7 x86 (#74264)
Description: If Java 7 x86 is installed on Windows 7 x64 or Windows XP 32-bit SP3 (and potentially other versions), the MobileID for Java application is displayed with black buttons, making the application difficult to use.
Workaround: Downgrade the Java Runtime Environment to version 6.

Synopsis: Assessment plugin to check MAC address of network interfaces is broken (#76392)
Description: The Assessment plugin that checks the MAC address of network interfaces does not work.

Synopsis: Defining a Tunnel resource with an Access rule that has Windows as Device Type does not work in Windows (#75996)
Description: Because the device definition string becomes too long when the Device Type is Windows, defining a Tunnel resource with an Access rule that has Windows as the Device Type does not work on the Windows platform.
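The RootDN rule described for issue #50034 (the root must be an Organizational Unit, and an OU may not sit under a container such as CN=Users) can be pre-checked before the Directory Service is saved. The following is an added example of my own, not Stonesoft's code: a string-level check that splits the DN into RDNs (honouring escaped commas) and rejects the shapes the known issue describes. It consults no schema, so the OU-under-CN rule is a heuristic; `split_dn` and `check_rootdn` are hypothetical names.

```python
import re

# One RDN "type=value"; a value may contain escaped commas (\,) that must not split it.
_RDN = re.compile(r"\s*([A-Za-z][A-Za-z0-9-]*)\s*=((?:\\.|[^,])*)")


def split_dn(dn):
    """Split an LDAP DN string into [(TYPE, value), ...], leaf (leftmost) first."""
    rdns, pos = [], 0
    while pos < len(dn):
        m = _RDN.match(dn, pos)
        if not m:
            raise ValueError("malformed DN near offset %d: %r" % (pos, dn[pos:]))
        rdns.append((m.group(1).upper(), m.group(2).strip()))
        pos = m.end()
        if pos < len(dn):          # the value stops only at an unescaped comma
            pos += 1
    if not rdns:
        raise ValueError("empty DN")
    return rdns


def check_rootdn(dn):
    """Return (accepted, reason) for a RootDN meant for the Active Directory service.

    Heuristic string check only (no schema lookup): the root must be an OU,
    no OU may sit directly under a CN such as CN=Users (a container-class
    object in the default AD schema), and the DN must end in domain components.
    """
    rdns = split_dn(dn)
    if rdns[0][0] != "OU":
        return False, "RootDN must start with an Organizational Unit, got %s=%s" % rdns[0]
    for child, parent in zip(rdns, rdns[1:]):   # walk from the leaf outward
        if child[0] == "OU" and parent[0] == "CN":
            return False, "OU=%s is placed under container CN=%s" % (child[1], parent[1])
    if rdns[-1][0] != "DC":
        return False, "RootDN does not end in a domain component (DC=...)"
    return True, "ok"


if __name__ == "__main__":
    # The two accepted forms from the workaround and the rejected form from the description.
    for sample in ("OU=Accounts,DC=DOMAIN,DC=COM",
                   "OU=Accounts,OU=SSLVPN,DC=DOMAIN,DC=COM",
                   "ou=accounts,cn=Users,dc=domain,dc=com"):
        print(sample, "->", check_rootdn(sample))
```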

Copyright and Disclaimer

2000-2011 Stonesoft Corporation. All rights reserved. These materials, Stonesoft products, and related documentation are protected by copyright and other laws, international treaties and conventions. All rights, title and interest in the materials, Stonesoft products and related documentation shall remain with Stonesoft and its licensors. All registered or unregistered trademarks in these materials are the sole property of their respective owners. No part of this document or related Stonesoft products may be reproduced in any form, or by any means, without written authorization of Stonesoft Corporation.

Stonesoft provides these materials for informational purposes only. They are subject to change without notice and do not represent a commitment on the part of Stonesoft. Stonesoft assumes no liability for any errors or inaccuracies that may appear in these materials or for incompatibility between different hardware components, required BIOS settings, NIC drivers, or any NIC configuration issues. Use these materials at your own risk. Stonesoft does not warrant or endorse any third party products described herein.

THESE MATERIALS ARE PROVIDED "AS-IS." STONESOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION CONTAINED HEREIN. IN ADDITION, STONESOFT MAKES NO EXPRESS OR IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE WITH RESPECT TO THE INFORMATION CONTAINED IN THESE MATERIALS. IN NO EVENT SHALL STONESOFT BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL OR INCIDENTAL DAMAGES, INCLUDING, BUT NOT LIMITED TO, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING FROM THE USE OF THESE MATERIALS, EVEN IF ADVISED IN ADVANCE OF THE POSSIBILITY OF SUCH DAMAGES.

Trademarks and Patents

Stonesoft, the Stonesoft logo and Stonesoft are all trademarks or registered trademarks of Stonesoft Corporation. Multi-Link technology, Multi-Link VPN, and the Stonesoft clustering technology, as well as other technologies included in Stonesoft, are protected by patents or pending patent applications in the U.S. and other countries. All other trademarks or registered trademarks are property of their respective owners.

Stonesoft Corporation
Itälahdenkatu 22A
FI-00210 Helsinki, Finland
Tel. +358 9 4767 11
Fax +358 9 4767 1349

Stonesoft Inc.
1050 Crown Pointe Parkway, Suite 900
Atlanta, GA 30338, USA
Tel. +1 866 869 4075
Fax +1 770 668 1131

Copyright 2011 Stonesoft Corporation. All rights reserved. All specifications are subject to change.