This version of the SonicWALL Aventail E-Class SRA EX-Series software includes numerous fixes, which are listed at the end of this document.

Secure Remote Access SonicWALL Aventail E-Class SRA EX-Series v10.0.7 Maintenance Platform Compatibility The SonicWALL Aventail E-Class SRA EX-Series version 10.0.7 release is supported on the following SonicWALL appliances: SonicWALL Aventail E-Class SRA EX7000 SonicWALL Aventail E-Class SRA EX6000 SonicWALL Aventail E-Class SRA EX-2500 SonicWALL Aventail E-Class SRA EX-1600 SonicWALL Aventail E-Class SRA EX-750 Upgrading From Earlier Versions If you are upgrading a SonicWALL Aventail E-Class SRA EX-Series appliance to version 10.0.7 from an earlier release, be sure to consult the upgrade instructions in the SonicWALL Aventail Upgrade Guide for detailed information. You will find a copy of this document on the MySonicWALL Web site. What s New in This Release? This version of the SonicWALL Aventail E-Class SRA EX-Series software includes numerous fixes, which are listed at the end of this document. EX-1500 Support Discontinued The SonicWALL Aventail EX-1500 hardware platform has reached end of life and will no longer be supported in future firmware releases. OnDemand Dynamic Mode Support to be Discontinued The 10.5.X release series will be the last release to support OnDemand Dynamic Mode, which was a proxy based agent deployed through the WorkPlace portal. It is important to note that the OnDemand Proxy Agent had two configurations: Dynamic Mode and Mapped Mode. The Mapped Mode use case is still supported, and only Dynamic Mode support is being removed. We recommend customers who still have OnDemand Dynamic mode configured through the WorkPlace portal consider the OnDemand Tunnel agent as an alternative. The OnDemand Tunnel agent offers superior performance and platform coverage over OnDemand Dynamic mode and has identical installation requirements. Known Issues This section describes known issues for this release. The issues are organized into the following categories: Platform/Operating System... 2 AMC Configuration... 3 Connect Tunnel... 4 OnDemand Tunnel... 5 Aventail WorkPlace... 5 OnDemand Proxy... 7 End Point Control... 7 Aventail Cache Control / Symantec Secure Desktop... 9

Platform/Operating System Java is always reported as enabled with IE8 [80031] To provision the tunnel clients on a Windows computer, you must either be running ActiveX or have Java Runtime Environment (JRE) 1.5 (or later) installed: if ActiveX is disabled, Java is used, and if Java is not installed, the user should see an error message. But Internet Explorer 8 incorrectly reports that Java is enabled even if it is not installed on the computer, and agent provisioning fails in different ways, depending on your operating system. On Windows XP, the browser stops at the Loading agent stage, and on Windows Vista the browser stops when the yellow Information bar is displayed at the top of the Web page. The partial uninstall of E-Class SRA client components is not recommended [78673] When you uninstall the client components associated with the E-Class SRA EX-Series, make sure that you remove all of them before attempting to re-install. This issue was found on a Vista 32-bit operating system that did not have SP1 installed: when Aventail Access Manager (AAM) was uninstalled (without also uninstalling the OnDemand Tunnel client), attempting to re-install AAM failed. As a general rule, all components should be removed before re-installing. Important! Before rebooting an EX7000 or EX6000 appliance, remove any USB devices [76435] Remove any USB devices from the appliance before you reboot it. If a USB device is plugged in to your appliance when it is rebooted, the appliance tries to use it as a boot device. As a result, the boot information stored in the BIOS on the appliance is overwritten, and the EX7000 or EX6000 becomes unusable. Network shares are not accessible using a virtual IP address [63391] If you run the Connect Tunnel Vista client in split tunnel mode (where traffic bound for resources defined in AMC is redirected through the tunnel), you will see an error when you try to access to SMB (Server Message Block) shares. Microsoft has a hotfix for this issue: http://support.microsoft.com/kb/933468 In split tunnel mode, file shares are not always redirected to the appliance [63383] In split tunnel mode, traffic bound for resources defined on the appliance is redirected through the tunnel, and all other traffic is routed as normal. With Connect tunnel on a Vista computer and an appliance in split tunnel mode, file share access which uses the SMB protocol may not be redirected properly if there is a conflicting resource on both the remote and local networks. For example, if Connect tunnel is started on a network at 192.168.144.0/24 and there is a resource at 192.168.144.100, a user who is trying to access a share on a remote network at 192.168.144.100 may get connected to 192.168.144.100 on the local network instead. On the Vista operating system, SMB does not use the appliance's routing table directly, but issues connects on different interfaces simultaneously: whichever connect succeeds first is the one that is subsequently used (even if the routing table on the appliance prescribes something else). In this example, if the 192.168.144.0/24 interface connects first, then access to the resource at 192.168.144.100 will not be redirected. Driver warning dialog box during Connect tunnel installation [63154] On a computer running Vista SP1, a Windows Security alert box appears during installation of Connect tunnel, prompting the user to install the Aventail device software. (This is not an issue in the current release of Vista.) Users should click Install to continue Connect tunnel installation; they will not be reprompted. 2

IE7 fails to use Translated Web when ActiveX and Java are disabled [63132] If ActiveX and Java are both disabled on a client computer running Vista, the user will see a script error and be unable to access WorkPlace. (Normally, Workplace would revert to Translated Web mode.) This error occurs only if Java is installed, but disabled. Outlook Web Access Exchange 2003 & 2007: Cannot attach image files [63087] If you are using Windows Internet Explorer 7.0 and Microsoft OWA Exchange 2003 on a client computer running Vista, you may be unable to attach an image file to a message if your browser is in protected mode. You have two options to address this issue: either add Outlook Web Access to your list of trusted sites, or turn off protected mode. Outlook Web Access Exchange 2003: Not able to type in new mail window [63044] If you are using Windows Internet Explorer 7.0 and Microsoft OWA Exchange 2003 on a client computer running Vista, you may be unable to compose a message. Refer to the following Microsoft knowledgebase article for instructions on installing a patch on your Microsoft Exchange Server 2003 that addresses this issue: http://support.microsoft.com/?kbid=924334 WorkPlace client provisioning fails with IE7 on Vista because Protected Mode is disabled [62578] AMC Configuration If IE7 is launched by right-clicking the IE icon and selecting Run as administrator, or if the browser is launched with administrative privileges from another application (which is what happens during client provisioning), Protected Mode is disabled. The result is that Aventail Access Manager is successfully installed, but the client is not. An EOF exception occurs while trying to export a file from AMC [91808] When attempting to download a setup file for Connect Tunnel, Connect Tunnel Service, or Connect Mobile from AMC, an EOF exception with the message Caught exception while trying to export file is displayed in management.log and the connection is reset. The AMC Online Help page for Using Shortcuts has an unclear image [90772] The help page for Accessing Network Resources > Using Shortcuts has an unclear image of the WorkPlace page. View the WorkPlace page directly in another browser window. The Log Export feature in AMC times out before exporting large logs [78021] The log export feature in AMC only exports the log messages showing when the export feature is activated. This is because AMC times out before all the logs are exported. If you need to perform additional analysis of the log message data, or display the data differently, you can export selected data to comma-separated values (.csv) files for use by another application, such as Microsoft Excel. Searching for user/groups is limited to 1,000 or 1,500 entries [61955] A search for users or groups on an external directory that results in more than 1,000 matches (on a Windows 2000 server) or 1,500 matches (on a Windows 2003 server) will display no results in AMC. 3

Connect Tunnel No error is displayed when connecting to 32-bit Connect Tunnel client on a 64-bit machine [83801] If the 32-bit Connect Tunnel client is installed on a system running Mac OS X Snow Leopard (v10.6) and the system is rebooted in 64-bit mode, Connect Tunnel fails without an error message when launched. To avoid this issue, upgrade earlier versions of the client to the v10.0.3 or higher universal (64- bit and 32-bit) Connect Tunnel client for Mac OS X 10.6 and later on machines running 64-bit Mac OS X Snow Leopard. License limit error message is misleading [77107] After the number of users logging in to the appliance reaches the licensed limit, the following error message is displayed during subsequent login attempts: VPN Connection Failed. Access denied. The required system capabilities are not present, enabled, or current. At issue is the license count on the appliance, not the system capabilities of the client device. Redirect all mode and an internal proxy server [63247] In redirect all mode, appliance traffic is redirected through the VPN tunnel regardless of how resources are defined in AMC. In this mode you can also configure traffic bound for the Internet to be redirected through an internal proxy server when the VPN connection is active. Windows Connect tunnel traffic that should not be proxied must be explicitly excluded. On the Network Tunnel Client Settings page in AMC, type the host names, IP addresses, or domain names of any resources that you do not want redirected through the proxy server. A realm with international characters must be selected from the Browse Login Groups dialog box [61735] A realm that you create in AMC can be given a name that includes extended ASCII or doublebyte characters (for example, Berliner Bär ). When a user logs in to a WorkPlace realm that includes these characters, and then installs Connect tunnel, he or she will not be able to establish a VPN connection to the realm shown in the Properties dialog box. Users must follow these steps to work around this issue: 1. Make sure you are not yet connected to the VPN using Connect tunnel. 2. In the Aventail Connect login dialog box, click Properties. 3. Click the General tab, and then click Change. The Browse Login Groups dialog box appears and displays the list of login groups. 4. Select the name of the login group (in this case, Berliner Bär ). Tunnel clients unable to reconnect over an access point that requires authentication [61730] On a Macintosh device, the VPN tunnel cannot be re-established when you switch to a network that requires authentication. For example, if a user is connected to the appliance using a wired connection and changes to a wireless access point that requires authentication, the previous connection cannot be re-established; the user must manually log in to the appliance. Internet is accessible using Firefox in redirect all mode if proxy settings are configured on both IE/Firefox browsers [61605] When configuring the tunnel clients, you must specify a redirection mode, which determines how client traffic is redirected to the appliance. In redirect all mode, traffic is redirected through the tunnel regardless of how resources are defined in AMC. This works in Internet Explorer, which honors the device's Windows Proxy Settings. Mozilla Firefox, on the other hand, ignores the interface-specific proxy settings and just sends all traffic out the proxy server. 4

Connect tunnel v 8.9.0 fails after upgrade to Vista operating system [61229] If a user has installed Connect tunnel v8.9.0 on Windows XP/SP2, and then upgrades the operating system to Windows Vista, Connect tunnel will not run. Manually uninstall Connect tunnel and then re-install it after you have upgraded to Windows Vista. Desktop icon for Connect tunnel in WorkPlace not present for all Linux users [61167] When you provision Connect tunnel from WorkPlace and the user downloads and installs the client, an icon is created on the user s desktop. If the client device is running a Linux operating system and a different person logs in to it, no desktop icon for Connect tunnel will be visible. One workaround is to bring up the command window (press ALT+F2), and then type the path to the Connect tunnel program. Alternatively, you could create an icon on the desktop for the Connect tunnel program. In Redhat or Fedora, for example, you would right-click on the desktop and select Create Launcher, and then browse to the Connect tunnel application. Using dial-up and remote proxy for the connection to the Internet [61056] If you use a dial-up connection to the Internet, and the community to which you are assigned is configured for remote proxy, Internet browsing may not traverse the remote proxy (this applies regardless of whether the remote proxy was configured manually or using a.pac file). In Connect tunnel, make sure the dial-up connection is specified on the Properties page: select the Establish this connection first check box and specify a connection in the drop-down list. (If you use OnDemand tunnel, there is no equivalent way to specify the connection properties.) Cannot access the appliance if specified proxy server is unavailable [60912] OnDemand Tunnel If Internet Explorer is configured to use an outbound HTTP proxy server, Connect tunnel will attempt to access the appliance using that proxy server. If the proxy is available, the client connection will succeed. However, if the proxy server is unavailable, the client will not fall back to sending traffic through the default route, causing the connection to the appliance to fail. Remove the proxy setting from the browser. OnDemand installation and upgrades must be done in connection with a single appliance [71411] Aventail WorkPlace When OnDemand Tunnel is installed for the first time, the installation must be performed by an administrator. A subsequent upgrade can be performed by a non-administrator user, but in the current release it must be upgraded from a single appliance. Using IE8 to log in to different realms in succession fails [79815] If you log in to different realms, one after another, using Internet Explorer 8, you will reach a Login Denied page. This is because IE8 uses session merging, where session-related information (such as cookies) is shared across different IE8 browser windows. The browser cookie created by WorkPlace stores the username in the format <user>@<realm>; when you log in to the second realm, your username no longer matches the one stored in the cookie, and your login is denied. To work around this issue, select New Session from the File menu whenever you open a new session with IE8. 5

Native Citrix XenApp installation takes so long that cross-platform Java applet is used instead [76947] To enable users to access Citrix resources, you must configure the appliance with two Citrix agents: an ActiveX control that runs on Windows, and a cross-platform Java applet. The Citrix host can then be accessed through a shortcut in Aventail WorkPlace. When specifying the Windows agent, be sure to specify the.msi file for Citrix XenApp Web Plugin, instead of the native Citrix XenApp client. Both.msi installations support the full feature sets of XenApp server, but when Citrix XenApp is provisioned from WorkPlace, installation sometimes takes so long that the cross-platform Java applet is installed instead. Shortcuts using the XXX_USERNAME_XXX resource variable do not work correctly in v10.0 [70396] If you have a WorkPlace network shortcut referencing a resource that contains the username variable available in firmware versions prior to v10.0 (for example, \\example\users\xxx_username_xxx), it will not work correctly in v10.0. To work around this issue, edit the resource definition and replace XXX_Username_XXX with the new v10.0 built-in variable for user name ({Session.userName}). Domino Web Access: Mail with attachments cannot be sent [67040] If you log in to Domino Web Access and create a message that includes an attachment, clicking Send displays an error message indicating that the file could not be uploaded. Web translation on the appliance is making the ActiveX control that uploads attachments incorrectly resolve the file's address. This issue will be resolved in the next release. Until then you can use the following workaround: disable the DWA ActiveX control that uploads files so that the normal DHTML-based upload mechanism initiates the file upload and the attachment is sent. To disable the ActiveX control, click Manage add-ons in Internet Explorer (Tools > Internet Options > Programs). In the Show drop-down list, select Downloaded ActiveX Controls, and then select the Domino ActiveX control for uploading files. Click Disable, click OK, and then restart IE. WorkPlace home page appears when the browser is refreshed [63243] If you refresh your browser in WorkPlace you should see the confirm logoff page. If you are running Mozilla Firefox 2.0.0.3, or Safari on a Macintosh operating system, you will instead see the WorkPlace home page. DNS servers that resolve only internal addresses cause login delays [62767] During login, the Aventail appliance does a DNS lookup on IP addresses and subnets to determine whether a hostname matches (for example) an item in an access list rule. If your DNS server is not configured to resolve any external addresses, just internal ones, the login will succeed but can take a couple of minutes. Cannot cancel installation of Aventail Access Manager [61369] During installation of Aventail Access Manager (the provisioning and EPC component for Windows), a file download dialog opens. If the user clicks Cancel in this dialog box, the Aventail Access Manager Web page does not display any navigation buttons. Certificate authentication process stalls during login to WorkPlace [61269] When you connect to WorkPlace using Internet Explorer on a PDA that is running Windows Mobile 5, and you attempt to log in to a realm that requires a client certificate, the session appears to stall. Click the Next button. 6

Unable to access Web resources on Firefox browser with proxy server [60138] OnDemand Proxy Neither OnDemand proxy (in dynamic mode) nor OnDemand tunnel is able to modify proxy settings in Firefox. As a result, Firefox tries to access WorkPlace links directly through its original proxy, which fails because the links are no longer translated. To activate OnDemand Proxy, cache setting for JVM must be selected [70079, 70080] If both ActiveX and UAC (User Account Control) are disabled on a client computer running Vista SP1, OnDemand Proxy can be installed but fails to activate unless Java is configured to keep a cache of temporary files on the local computer. To change the cache setting, go to Control Panel and select Java >Temporary Internet Files >Settings >Keep temporary files on my computer. OnDemand proxy may not redirect all connections when DNS fails [60633] End Point Control The first time a user installs OnDemand proxy, connections to unqualified names that are fewer than 16 characters in length are not redirected if DNS (Domain Name Service) cannot resolve them. DNS might be unable to resolve them if, for example, no DNS suffix is configured on the system. When DNS fails, WINS or WINS Broadcast is used, but WINS cannot perform name resolution until the system has been rebooted. Firefox Browser fails to launch after launching Aventail Secure Desktop [91138] When launching Aventail Secure Desktop (ASD) from a Firefox browser with Google Desktop search installed, ASD successfully loads, but the Firefox browser is not opened and the user is not redirected to the Aventail WorkPlace. ASD will be running, and the user must manually exit from ASD. This issue was observed when running Windows XP SP3 and Firefox 3.5.9 when Google Desktop search is installed. The Aventail Secure Desktop background replaces the computer s normal background [91136] When switching desktops by double-clicking on the ASD system tray icon, the ASD s desktop background is still displayed instead of the computer s normal desktop. Even after ASD exits, the normal desktop s background image is not restored. Users still see ASD s desktop background image. Internet Explorer 7 displays a Windows rundll32 error on logout from EWPCA realm with ASD [91125] When a user with Windows Vista 32-bit and IE7 logs on to a Web Proxy (EWPCA) realm with ASD enabled, redirect.pac is not present under Tools -> Internet Options -> Connections -> LAN settings in the Secure Desktop IE7 browser, and the user cannot access any backend resources. The rundll error is displayed and the browser stops working. Use Internet Explorer 8 on any Windows 32-bit OS, or use IE7 on Windows XP 32-bit. Error message is displayed when switching from normal desktop to virtual desktop [91065] Intermittently, an error message is displayed when switching between normal desktop and virtual desktop. The error message states: Symantec On-Demand Protection cannot close all Internet Explorer windows and will not proceed. This issue was observed on a device running Windows Vista SP2. 7

Files can be copied from a network file share to the Secure Desktop [91002] Although an error dialog is displayed while copying files from a network file share to the Virtual Desktop, the files are still copied. Files should not be allowed to be copied in this case. Occurs on a realm with ASD enabled, when using a computer running Vista SP2. Aventail Cache Control (ACC) does not properly exit if Internet Explorer 8 windows are open [90972] ACC does not stop or properly exit after the user logs out from Aventail WorkPlace if there are any active Internet Explorer 8 windows open. Manually close all Internet Explorer 8 windows before exiting ACC. The "Close other browser windows at startup" option does not work for browser tabs [90952] This issue occurs when logging in to WorkPlace using ACC with the "Close other browser windows at startup" option enabled. If the user logs in to WorkPlace using a browser that has another tab open, then the other tabs are not closed. This issue has been observed when using Internet Explorer 8 or Firefox 3. CClient.exe fails to exit when Firefox windows are open while ACC is running [90905] While logged into WorkPlace in a Firefox browser and running ACC, if a user logs out of WorkPlace while another Firefox browser window is open, CClient.exe remains running. Manually close all open Firefox browser windows to make CClient.exe exit. Symantec Cache Cleaner fails to properly clear web browsing history [90309] The Symantec Cache Cleaner fails to clear the web browsing history if the web browser is already open when the Cache Cleaner is launched. The Cache Cleaner properly erases web browsing history if a new web browser window is opened after the Cache Cleaner is launched. This issue occurs when the Symantec Cache Cleaner is configured for session mode. Symantec Cache Cleaner erases all typed URLs from the URL history [90308] Upon exiting, the Symantec Cache Cleaner clears all typed URLs from the URL history if the web browser was already open when the Cache Cleaner was launched. The Cache Cleaner erases typed URL history for URLs that were typed before launching the Cache Cleaner as well as for URLs typed after launching it. It should only erase the URLs that were typed after launching it. This issue occurs when cleanup is configured for session modes in the Symantec Cache Cleaner. End Point Control (EPC) fails when using machine certificates and UAC is enabled [87797] The EPC check for machine certificate fails when Microsoft User Access Control (UAC) is enabled. EPC succeeds with machine certificate zone classification if UAC is disabled. This issue was observed on a computer running Windows 7. Disable UAC on the computer. Zone classification fails with certificate device profile on Linux and Mac [69625] Import a root certificate to the appliance and create a Standard zone that requires as part of a device's profile on either the Mac OS or Linux platform. Even if the client certificate is imported, the client is relegated to the Default zone rather than the Standard zone you created. The zone classification fails because the appliance is not yet integrated with the certificate store for the operating system or the browser. 8

Device profile specifying a client certificate in the machine store fails for non-privileged user [61578] A Windows device profile can be set up that checks for the presence of a certain client certificate on a user's device in either the machine or user store. However, on an end point device running Windows Vista, the machine store cannot be opened for a user who does not have Windows administrator rights. The search for the client certificate therefore fails and the user is classified into whatever you have configured as the fallback zone (a Quarantine zone or the Default zone). Aventail Cache Control / Symantec Secure Desktop Note: The name for the secure desktop feature, which is part of Advanced EPC, has been changed from Aventail Secure Desktop (ASD) to Symantec Secure Desktop (SSD). Users can access Internet from secure desktop after logging out of the WorkPlace session [92465] When a user is logged into WorkPlace using an Internet Explorer browser and is running SSD, and then clicks the WorkPlace Logout button, the secure desktop shutdown handler can show a request to install the ActiveX control. If the user does not accept, the handler falls back to Java in a few seconds, but if the user does not have Java installed then a confirmation dialog displays an OK button. If the user does not click OK, he is able to access the Internet from the secure desktop and can send out items saved in the secure desktop. This issue was observed on all supported Windows and Internet Explorer versions. ACC and ASD are not supported on 64-bit platforms [90989] ACC and ASD are not supported on the 64-bit versions of Windows Vista and Windows 7. When attempting to install ACC or ASD on a 64-bit platform, the following error message is displayed: "The configured data protection agents are not supported on this client platform." Vista SP1 and IE7: When ActiveX is disabled, SSD does not fail over to Java [77341] When a user has ActiveX disabled and then logs in to a realm that requires Symantec Secure Desktop, SSD should be able to run using a Java applet instead. On a computer running Vista SP1 and Internet Explorer 7, SSD does not fail over to Java and SSD displays an error message regarding browser settings. ACC is not supported on Mac OS X [76825, 76747, 69855] ACC (Aventail Cache Control) is not supported on any version of Mac OS X. ACC: Credentials not cleared with Firefox 3.0 [76823] If you are using Aventail Cache Control, and you log in to WorkPlace using Firefox 3.0, you are presented with some options regarding your password. If you select Remember password and continue with your session, your credentials are not cleared when you log out, even if you have Clean session items only or Clean all items selected in AMC. SSD: OnDemand Tunnel fails to load when two different browsers are used [76760, 76570] If your default browser is set to Mozilla Firefox, and then you log in to WorkPlace using a different browser, such as Internet Explorer, selecting a realm that provisions SSD and OnDemand will automatically bring up the default browser (in this case Mozilla Firefox). SSD does not launch correctly and an error is shown on the Details page in WorkPlace. It is best to set Internet Explorer as your default browser and not attempt a cross-browser loading of SSD. 9

Uninstalling ACC requires extra step [76584] When a user logs in to a WorkPlace on an appliance running v10.0.x, and the realm requires Aventail Cache Cleaner (ACC), Aventail Access Manager (AAM) correctly provisions ACC. If the user later uninstalls AAM and logs in to an appliance running version 10.0 or earlier of the firmware, the error message Unable to download configuration file! is displayed when he or she logs in again. The workaround is to delete the SodaAgent ActiveX file. The instructions are different depending on which version of IE you are using: IE6: delete the file from %windir%\downloaded Program Files IE7 and later: use Manage-addons on the browser s Tools menu to disable the add-on Password for network share is not cleared in ASD [66121] If an ASD (Aventail Secure Desktop) user enters the credentials necessary for going to a network share, the credentials are not cleared when he or she logs out of the virtual environment of ASD. Only rebooting the machine will clear the saved credentials. Microsoft Remote Assistance does not work with ASD [62903] Aventail Secure Desktop is incompatible with Remote Assistance, a Microsoft Windows technology that enables Windows XP users to help each other over the Internet. Users who are running ASD and try to open Remote Assistance will see an error message ( A Program Could not Start ). Inactivity timeout is reset when the client comes out of standby mode [61247] You can specify a timeout period for the data protection agents (Aventail Cache Control or Aventail Secure Desktop), after which inactive user connections are automatically terminated and data is removed from the client. Keep in mind that if the client comes out of standby mode before the timeout period has elapsed, the timer is reset. For example, if the timeout period is 10 minutes and the client is active again after 8 minutes of inactivity, the timer is reset to 0. 10

Fixes Incorporated in This Release This section contains a list of issues from earlier versions of the appliance firmware that are fixed in this release. The numbers refer to internal SonicWALL Aventail tracking IDs. See the following sections: Hotfixes... 11 Resolved Issues... 12 Hotfixes Every release incorporates any hotfixes that have been issued since the previous (major or maintenance) release. Version 10.0.7 incorporates the following hotfixes: Client: clt-hotfix-10_0_6-001 92430 Non-admin users cannot upgrade OnDemand Tunnel agents to version 10.0.4 or higher on Windows XP or Windows 7 after the appliance is upgraded from 10.0.3. 96569 The redirect.pac file does not overwrite the local proxy file setting in the IE browser on Windows 7 machines, and while using OnDemand proxy as the access method the user only gets Web access instead of Web and client/server access. Platform: pform-hotfix-10_0_6-001 95650 The accesschecks entries are not fully purged from the database, allowing more than 5 GB of data to accumulate per week. 96566 The appliance stops responding to pings from an SNMP server for a short period every morning, related to excessive data accumulation in a database. 97513 Japanese users accessing Outlook Web Access with translated access get the errors Invalid UTF-8 encoding in URL and Unable to parse internal URL. The problem occurs with Internet Explorer 6 and 8, and Firefox 3.5, but does not occur with IE7. 11

Resolved Issues This section contains a list of issues that are fixed in this release. AMC 97589 The Web Proxy service is shown as stopped in the AMC home page after an upgrade, and an error status is displayed on the Services page. 97017 The AMC console goes down intermittently and the management server must be restarted manually from an SSH console to access AMC again. 96676 The management server and policy server processes must be restarted after performing policy replication, or else users are prompted to re-authenticate when they attempt to login to WorkPlace. 95469 The AMC console becomes unresponsive after a short time and the management server must be restarted. End Point Control (EPC) 97456 EPC does not detect some Japanese client anti-virus software, including AVG Anti-Virus 2011 Free edition, Trend Micro Virus Buster Cloud 2011, Trend Micro Titanium Maximum Security, or Trend Micro Internet Security 17.50. Logging 97866 A database repair script fails in some instances with an error message from the MySQL repair stage about table names not being unique, and the tables are not repaired. User Database 96808 Database consistency problems sometimes occur, typically caused by replacing one node in a High Availability pair. When these problems are encountered, it requires either a reboot or manual intervention to reset some internal MySQL counters. 12

Technical Documentation and the Knowledge Portal Technical documentation is available on the SonicWALL Technical Documentation Online Library, under Support by Product at http://www.sonicwall.com/us/support.html. Check the SonicWALL Support Knowledge Base, available from http://www.sonicwall.com/us/support.html or when you log in to MySonicWALL, for information and hotfixes that are relevant to your appliance. Last updated: 6/13/2011 13