StoneGate SSL VPN Release Notes for Version 1.2.1


StoneGate SSL VPN Release Notes for Version 1.2.1 Created: February 25, 2009

Table of Contents

- What's New
- System Requirements
- Build Version
- Product Binary Checksums
- Compatibility
- Upgrade Instructions
- Known Issues

What's New

Fixes

Problems described below have been fixed since StoneGate SSL VPN v1.2.0. A workaround solution is presented for earlier versions where available.

Assessment plugins are now included (#32617)
  Description: Some assessment plugins have been missing from the system. Plugins "Antivirus", "Sygate On Demand", "Mac", and "SecurityCenter" are now included by default.

Using internal LDAP for user storage may fill the file system (#41322)
  Description: Using internal LDAP for user storage in a large system or in any system for a long time may fill the /data partition in the file system with OpenLDAP log files.
  Workaround for previous versions: Use external user storage as recommended.

Creating backup may fail because of insufficient disk space (#44655)
  Description: Creating a backup with the command "sg-backup --includespool" may fail if the log spool has a lot of log files.

Internal LDAP generates error messages when it is not used (#45926)
  Description: When internal LDAP is not used for directory or user storage services, the slapd process generates error messages in SSL VPN logs. This does not affect SSL VPN usage.
  Workaround for previous versions: Ignore the error messages.

Administration service may not start in slow systems (#46113)
  Description: If the system is slow, the timeout for waiting for the Administration service to start may be too short. This prevents logging into the StoneGate SSL VPN Administrator (the connection is refused).

SSL VPN may not allow enough concurrent connections (#47035)
  Description: If users open a lot of connections to different resources, SSL VPN may not allow enough concurrent connections. The users may see error messages like "1031603 Proxy error: Could not connect to host "Resource name". errno: 24, HttpBrowser info=1032209".

Cannot change password with sg-reconfigure if password contains special characters (#47087)
  Description: Changing the Web Console password with sg-reconfigure fails if the password contains special characters.

System Requirements

StoneGate Appliances

StoneGate SSL VPN v1.2.1 is supported on the StoneGate SSL-400, SSL-2000, and SSL-6000 appliances.

Administration Requirements

StoneGate SSL VPN v1.2.1 administration requires the use of a workstation with a TCP/IP network configured and a Web browser installed. The supported operating systems and Web browsers are listed below.

Operating System:
- Microsoft Windows XP Home Edition (SP1, SP2)
- Microsoft Windows XP Professional (SP1, SP2)
- Microsoft Windows 2003 Server (SP2)
- Microsoft Windows Vista Enterprise
- Microsoft Windows Vista Business
- Microsoft Windows Vista Home Premium
- Apple Mac OS X 10.3.9
- Apple Mac OS X 10.4 (Tiger)
- Red Hat Enterprise Linux 5.0
- SUSE Linux Enterprise Server 10

Web Browser:
- Microsoft Internet Explorer 6.0
- Microsoft Internet Explorer 7.0
- Safari 1.3.2 (Mac OS X 10.3.9)
- Safari 2.0.4 (Mac OS X 10.4.7)

Build Version

The StoneGate SSL VPN v1.2.1 build version is 1218.

Product Binary Checksums

sslgw_engine_1.2.1.1218_i386.iso
  MD5SUM   2eabb5cb0de46bb977b30f4cc52d4b77
  SHA1SUM  8ca05d8ae8f436ed53e1b07353451efcaad9755a

sslgw_engine_1.2.1.1218_i386.zip
  MD5SUM   3ad5b96c0fde39ce10b53de43a0c8859
  SHA1SUM  e9e66ac996a05da7f0b041dbbbc6714f7db31c76
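Checking a downloaded image against the checksums published above, as an added example that is not part of the original release notes. It assumes the GNU coreutils md5sum and sha1sum tools are available on the workstation; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not Stonesoft code): check a downloaded image against the
# MD5 and SHA1 values printed in the 1.2.1 release notes.
# Assumes md5sum and sha1sum (GNU coreutils) are installed.

# Published values, copied from "Product Binary Checksums": name md5 sha1
published_sums() {
    cat <<'EOF'
sslgw_engine_1.2.1.1218_i386.iso 2eabb5cb0de46bb977b30f4cc52d4b77 8ca05d8ae8f436ed53e1b07353451efcaad9755a
sslgw_engine_1.2.1.1218_i386.zip 3ad5b96c0fde39ce10b53de43a0c8859 e9e66ac996a05da7f0b041dbbbc6714f7db31c76
EOF
}

# lower STRING: normalise a hex digest so case differences never matter
lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# digest ALGO FILE: print the hex digest; reading from stdin avoids the
# backslash-escaped output coreutils uses for unusual file names
digest() { "${1}sum" < "$2" | awk '{print tolower($1)}'; }

# verify_file FILE MD5 SHA1
# returns 0 = both match, 1 = at least one mismatch, 2 = file missing
verify_file() {
    file=$1; want_md5=$(lower "$2"); want_sha1=$(lower "$3")
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    rc=0
    got=$(digest md5 "$file")
    [ "$got" = "$want_md5" ] || { echo "MD5 mismatch: $file ($got)" >&2; rc=1; }
    got=$(digest sha1 "$file")
    [ "$got" = "$want_sha1" ] || { echo "SHA1 mismatch: $file ($got)" >&2; rc=1; }
    return $rc
}

# verify_release PATH: look the file name up in the published list
# returns verify_file's status, or 3 if the name is not in the release notes
verify_release() {
    path=$1
    name=$(basename "$path")
    entry=$(published_sums | awk -v n="$name" '$1 == n {print $2, $3}')
    [ -n "$entry" ] || { echo "no published checksum for $name" >&2; return 3; }
    # Intentional word splitting: $entry is "md5 sha1"
    set -- $entry
    verify_file "$path" "$1" "$2"
}

# Usage: sh verify.sh /path/to/sslgw_engine_1.2.1.1218_i386.iso
[ "$#" -eq 0 ] || verify_release "$1"
```

A match shows that the file equals the one the release notes describe; it says nothing about authenticity unless the release notes themselves were obtained over a trusted channel.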

Compatibility

Directory Services

User information can be stored in an internal user directory, or one of the following external directory services can be used:

- Microsoft Active Directory 2003
- Novell eDirectory
- OpenLDAP
- Sun Java System Directory Server
- Oracle Internet Directory (authentication only)
- Tivoli Directory Server (authentication only)
- IBM RACF LDAP (authentication only)

Note! When using mirrored pair configuration, external directory service is a requirement.

Application Portal

The supported operating systems and Web browsers for the StoneGate Application Portal are listed below.

Operating System:
- Microsoft Windows XP Home Edition (SP1, SP2)
- Microsoft Windows XP Professional (SP1, SP2)
- Microsoft Windows 2003 Server (SP2)
- Microsoft Windows Vista Enterprise
- Microsoft Windows Vista Business
- Microsoft Windows Vista Home Premium
- Apple Mac OS X 10.3.9
- Apple Mac OS X 10.4 (Tiger)
- Red Hat Enterprise Linux 5.0
- SUSE Linux Enterprise Server 10

Web Browser:
- Microsoft Internet Explorer 6.0
- Microsoft Internet Explorer 7.0
- Safari 1.3.2 (Mac OS X 10.3.9)
- Safari 2.0.4 (Mac OS X 10.4.7)
- Mozilla Firefox 1.5

Access Client

The runtime requirements for the StoneGate Access Client are listed below.

Operating System: Microsoft Windows XP Home Edition (SP1, SP2), Microsoft Windows XP Professional (SP1, SP2), Microsoft Windows 2003 Server (SP2), Microsoft Windows Vista Enterprise, Microsoft Windows Vista Business, Microsoft Windows Vista Home Premium
  Runtime Requirements: Sun Java Runtime Environment 1.1.8 or later, or ActiveX Client

Operating System: Apple Mac OS X 10.3.9, Apple Mac OS X 10.4 (Tiger)
  Runtime Requirements: Sun Java Runtime Environment 1.1.8 or later

Operating System: Red Hat Enterprise Linux 5.0
  Runtime Requirements: Sun Java Runtime Environment 1.1.8 or later

Operating System: SUSE Linux Enterprise Server 10
  Runtime Requirements: Sun Java Runtime Environment 1.1.8 or later

Additionally, when using the Access Client on Windows Vista, the following requirements apply:

Access Client on Microsoft Windows Vista requires administrator rights
  Details: The Access Client requires administrator rights to run properly on Windows Vista.

StoneGate ActiveX Client Loader requirements
  Details: To run the ActiveX Access Client loader successfully with Windows Vista UAC, you must add the Access Point server HTTPS address to the list of trusted sites in Internet Explorer.

Drive letter mapping in Windows Vista
  Details: A single drive letter (for example, F:) cannot be used as a startup command in Windows Vista. All commands must be executed using runas to elevate to administrator mode since the mapping is done in administrator mode, and F: is not a valid executable. Use the following startup command instead:

    explorer /root, F:

  This works on both Windows XP and Windows Vista.

Remove AES cipher suites from Access Point configuration
  Details: The AES ciphers in Vista are not compatible with the SSL engine used in Access Point. You must remove the AES ciphers from Cipher Suites for your Access Point under Manage Global Access Point Settings. Remove the following ciphers: RSA_AES_128_CBC_SHA and RSA_AES_256_CBC_SHA.

Java Runtime Environment
  Details: To run the PortWise Java Access Client, use Sun Java 1.6 Update 2 or later.

Upgrade Instructions

StoneGate SSL VPN version 1.2.1 requires an updated license to use the new features if you are upgrading from a version prior to 1.1.0. Customers with a valid support and maintenance contract can get the updated license from https://my.stonesoft.com/managelicense.do.

When upgrading mirrored systems, refer also to upgrade instructions in SSL VPN Administrator's Guide, which is available from http://www.stonesoft.com/en/support/technical_support_and_documents/manuals/current/.

Upgrade from previous version

Upgrading the StoneGate SSL VPN from version 1.2.0 to 1.2.1 is normally done through the Web Console Remote Upgrade functionality. After upgrade, log on to the StoneGate SSL VPN Administrator interface and accept the modified configuration in the dialog that is presented and then publish the updated configuration.

Upgrade from version 1.1.1

Upgrading the StoneGate SSL VPN from version 1.1.1 to 1.2.1 is normally done through the Web Console Remote Upgrade functionality. After upgrade, log on to the StoneGate SSL VPN Administrator interface and accept the modified configuration in the dialog that is presented and then publish the updated configuration.

Manual configuration is needed for the SSL VPN to be able to send logs to StoneGate Management Center (SMC). After upgrading to 1.2.1, set the Syslog Log Level Filter to Info for all services and log types in Monitor System -> Logging. Save and publish the configuration.

Upgrade from version 1.1.0

Upgrading the StoneGate SSL VPN from version 1.1.0 to 1.2.1 is normally done through the Web Console Remote Upgrade functionality. After the upgrade from the Web Console is done, follow these steps to trigger new key generation for fixing issue #40399:

1. Log on to the appliance command line from serial console or through SSH.
2. Issue the following commands to trigger new key generation on next reboot:

    rm /data/webmin/etc/miniserv.pem
    rm /data/config/ssh/*
    rm /data/config/tls/*
    sg-admin reencrypt
    sg-admin certgen    # Give this command only if internal certificate is used for Access Point
    sg-admin -upgrade

3. Reboot the appliance with command reboot.
4. Enter the Administration web interface and select Accept modified configuration to re-sign the configuration.

Manual configuration is needed for the SSL VPN to be able to send logs to StoneGate Management Center (SMC). After upgrading to 1.2.1, set the Syslog Log Level Filter to Info for all services and set the log types in Monitor System to Logging. Save and publish the configuration.

Upgrade from earlier versions

If you are using an SSL VPN version earlier than 1.0.2, first upgrade to version 1.0.2. Refer to the version 1.0.2 Release Notes for upgrade instructions.

Upgrade from SSL VPN version 1.0.2 to version 1.2.1 must be done manually:

1. Download SSL VPN version 1.2.1 CD .iso image from https://my.stonesoft.com/download.do and prepare a bootable CD from this image.
2. Make a backup of the existing installation using sg-backup command and copy the backup to another computer.
3. If you are using appliance model SSL-400 or SSL-2000, attach an external CD-ROM drive with USB connector to the appliance's USB port.
4. Boot from installation CD and perform a full installation, overwriting existing partitions.
5. Copy the backup back to an appliance and restore previous configuration using sg-restore command.
6. To trigger new key generation for fixing issue #40399, issue the following commands:

    rm /data/webmin/etc/miniserv.pem
    rm /data/config/ssh/*
    rm /data/config/tls/*
    sg-admin reencrypt
    sg-admin certgen    # Give this command only if internal certificate is used for Access Point

7. Upgrade the configuration using sg-admin upgrade command.
8. Reboot the appliance with command reboot.
9. Enter the Administration web interface and select Accept modified configuration to re-sign the configuration.

Detailed upgrade instructions are available in the latest StoneGate SSL VPN 1.1 Administrator's Guide available at http://www.stonesoft.com/en/support/technical_support_and_documents/manuals/current/index.html. Note that SSL VPN 1.1 Administrator's Guide does not contain step 6 on the list above, which is needed to trigger the fix for issue #40399.

Manual configuration is needed for the SSL VPN to be able to send logs to StoneGate Management Center (SMC). After upgrading to 1.2.1, set the Syslog Log Level Filter to Info for all services and set the log types in Monitor System to Logging. Save and publish the configuration.

Known Issues

The current known issues of StoneGate SSL VPN v1.2.1 are described below. For an updated list of known issues, consult our Web site at http://www.stonesoft.com/en/support/index.html/.

Connections cannot be opened back to the client
  Description: Virtual IP addresses are not configured on the client. This prevents the connections from being opened from the internal server back to the client.

Windows Vista and Firefox
  Description: Due to compatibility issues between Windows Vista, Firefox, and the Java plug-in for Firefox in Windows Vista, the Access Client may experience intermittent problems running tunnel sets.

Client firewall does not work on Windows Vista clients (#40657)
  Description: When the client firewall is configured for a resource, the Access Client stops working on Windows Vista.
  Workaround: Add the following three Outgoing rules to the Client Firewall rules:

    W.X.Y.Z-W.X.Y.Z      443      TCP  Any  Accept
    127.0.0.1-127.0.0.1  1-65535  TCP  Any  Accept
    127.0.0.1-127.0.0.1  1-65535  UDP  Any  Accept

  Where W.X.Y.Z is the IP address of your Access Point. If using multiple Access Points, add a corresponding rule for each.

Copyright and Disclaimer

2000-2009 Stonesoft Corporation. All rights reserved.

These materials, Stonesoft products, and related documentation are protected by copyright and other laws, international treaties and conventions. All rights, title and interest in the materials, Stonesoft products and related documentation shall remain with Stonesoft and its licensors. All registered or unregistered trademarks in these materials are the sole property of their respective owners. No part of this document or related Stonesoft products may be reproduced in any form, or by any means without written authorization of Stonesoft Corporation.

Stonesoft provides these materials for informational purposes only. They are subject to change without notice and do not represent a commitment on the part of Stonesoft. Stonesoft assumes no liability for any errors or inaccuracies that may appear in these materials or for incompatibility between different hardware components, required BIOS settings, NIC drivers, or any NIC configuration issues. Use these materials at your own risk. Stonesoft does not warrant or endorse any third party products described herein.

THESE MATERIALS ARE PROVIDED "AS-IS." STONESOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO, THE INFORMATION CONTAINED HEREIN. IN ADDITION, STONESOFT MAKES NO EXPRESS OR IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE WITH RESPECT THE INFORMATION CONTAINED IN THESE MATERIALS. IN NO EVENT SHALL STONESOFT BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL OR INCIDENTAL DAMAGES, INCLUDING, BUT NOT LIMITED TO, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING FROM THE USE OF THESE MATERIALS, EVEN IF ADVISED IN ADVANCE OF THE POSSIBILITY OF SUCH DAMAGES.

Trademarks and Patents

Stonesoft, the Stonesoft logo and StoneGate are all trademarks or registered trademarks of Stonesoft Corporation. Multi-Link technology, Multi-Link VPN, and the StoneGate clustering technology, as well as other technologies included in StoneGate, are protected by patents or pending patent applications in the U.S. and other countries. All other trademarks or registered trademarks are property of their respective owners.

Stonesoft Corporation
Itälahdenkatu 22A
FI-00210 Helsinki
Finland
Tel. +358 9 476 711
Fax +358 9 4767 1234

Stonesoft Inc.
1050 Crown Pointe Parkway
Suite 900
Atlanta, GA 30338
USA
Tel. +1 770 668 1125
Fax +1 770 668 1131

Copyright 2009 Stonesoft Corporation. All rights reserved. All specifications are subject to change.