Release Notes. SonicWALL Aventail E-Class SRA EX-Series v10.5.0

Secure Remote Access

Platform Compatibility

The SonicWALL Aventail E-Class SRA EX-Series release is supported on the following SonicWALL appliances:

- SonicWALL Aventail E-Class SRA EX7000
- SonicWALL Aventail E-Class SRA EX6000
- SonicWALL Aventail E-Class SRA EX-2500
- SonicWALL Aventail E-Class SRA EX-1600
- SonicWALL Aventail E-Class SRA EX-750

On 64-bit Windows Vista and Windows 7 systems, this release has been tested on and supports 32-bit Internet Explorer 7 and 8.

Upgrading from Earlier Versions

If you are upgrading a SonicWALL Aventail E-Class SRA EX-Series appliance to version from an earlier release, be sure to consult the upgrade instructions in the SonicWALL Aventail Upgrade Guide for detailed information. You'll find a copy of this document on the MySonicWALL Web site (

Release Caveats

- Before migration or upgrade to the SonicWALL Aventail release, disable Aventail Cache Control and Aventail Secure Desktop for all End Point Control Zones.
- SonicWALL Aventail does not include Aventail Cache Cleaner (ACC), Symantec Secure Desktop (SSD, formerly named Aventail Secure Desktop), or Symantec OnDemand Protection. The ACC and SSD features will be supported in an upcoming release.
- The SonicWALL Aventail release does not support client certificate based authentication for Apple iPhone OS.
- Java 1.6 update 14 or higher is recommended for use with SonicWALL Aventail.
- Internet Explorer 6 is deprecated for SonicWALL Aventail and higher.

What's New in this Release?

This version of the Aventail SonicWALL E-Class SRA EX-Series software includes the following new and enhanced features:

- Firefox 3.5 support: Full support for Mozilla Firefox 3.5.
- Internet Explorer 8 support: Full support for Microsoft Internet Explorer 8.
- Safari 4.0 support: Initial support for Apple Safari 4.0.
- Mac OS X Snow Leopard support: Initial support for Mac OS X Snow Leopard (10.6) from Apple.
- Windows 7 support: Initial support for Microsoft Windows 7.
- Vista SP2 support: Full support for Microsoft Vista SP2.
- Vista 64-bit support: Full support for Microsoft Vista 64-bit.
- Apple iPhone support: ActiveSync support to Exchange for Apple iPhone users.
- Zero-client Web access capabilities extended: Port mapped and host name mapped Web access support modern Web applications such as AJAX without installation of a client agent.
- Persistent desktop device identity: Limits the set of devices that any given user may use to access protected resources.
- UDP tunnel mode: Use of Encapsulating Security Payload (ESP) improves the performance of UDP streaming applications like VoIP.
- Control session termination for tunnel clients: Improves security and license usage by providing an option to terminate OnDemand Tunnel or Connect Tunnel sessions when the credentials for the community expire. The client is notified and, for Connect Tunnel, has the option to start a new session.
- Intermediate CA support: Certificate authority management is now more flexible with support for wildcard server and client certificates signed by intermediate certificate authorities.
- Option to disable authorization checks: Prevents authorization check errors due to querying directory servers for group information.
- Enforce single user name in chained authentication: Improves security. The administrator has the option of requiring that the same user identifier is used for each step of chained authentication.
- Enhanced terminal services and Citrix shortcut configuration options: New Web client options for administrators include the ability to choose whether to allow copy and paste, user screen size control, and other options set during shortcut creation. A new check box for terminal services shortcuts allows the option of automatically reconnecting when the session is interrupted. WorkPlace users can control screen resolution when accessing shortcuts.
- AMC navigation improvements for resources and rules: Filtering drop boxes on a number of AMC pages provide for more efficient searching.
- Simplified OPSWAT configuration in AMC: A new "Any product from this vendor" check box is available for antivirus, antispyware, and personal firewall program vendors in Windows device profiles during End Point Control configuration. Selecting this option allows the administrator to create a profile that does not require updating every time the vendor releases a new version. When this option is selected, the administrator can still specify additional criteria, such as signatures updated, file system scanned, and real-time protection enabled, as long as all the versions of all the products in the list support that functionality.
- Deployment of EPC using browser on Windows Mobile: End Point Control can be performed on mobile devices without requiring Connect Mobile installation. The device must be running Windows Mobile 6.1, 6.0, or 5.0 with the corresponding version of Pocket Internet Explorer. No configuration or separate device profile is necessary in the AMC. When logging into a community that requires EPC, the user is prompted to install or upgrade the Aventail Interrogator client. Interrogator communicates the EPC classification of the device to the appliance.
- Suspend and resume a Spike License: Instead of having a fixed expiration date once it is activated, a Spike License can now be suspended and later resumed. Once it is activated, you will see the total number of allowed users, the activation date, and the number of days remaining on the license. A Spike License enables you to temporarily increase the number of remote users you can support.

Known Issues

This section describes known issues for this release. The five-digit numbers in brackets are internal tracking IDs. The issues are organized into the following categories:

- Platform/Operating System
- Connect Tunnel
- OnDemand Tunnel
- Aventail WorkPlace
- OnDemand Proxy
- End Point Control
- Web Translation
- AMC Configuration
- Documentation

Platform/Operating System

Important! Before rebooting an EX7000 or EX6000 appliance, remove any USB devices [76435]
Remove any USB devices from the appliance before you reboot it. If a USB device is plugged in to your appliance when it is rebooted, the appliance tries to use it as a boot device. As a result, the boot information stored in the BIOS on the appliance is overwritten, and the EX7000 or EX6000 becomes unusable.

Access to WorkPlace fails with Java 6 updates 1 through 6 [74025]
Access to Aventail WorkPlace fails if the end point device is installed with any of a series of updates to Java 6 from Sun Microsystems: update 1 through 6, inclusive. If one of these updates is installed, the appliance can no longer properly detect the Web browser's proxy information. Java 6 update 7 and later works correctly; Java 5 is also supported.

Network shares are not accessible using a virtual IP address [63391]
If you run the Connect Tunnel Vista client in split tunnel mode (where traffic bound for resources defined in AMC is redirected through the tunnel), you will see an error when you try to access SMB (Server Message Block) shares. Microsoft has a hotfix for this issue:

In split tunnel mode, file shares are not always redirected to the appliance [63383]
In split tunnel mode, traffic bound for resources defined on the appliance is redirected through the tunnel, and all other traffic is routed as normal. With Connect Tunnel on a Vista computer and an appliance in split tunnel mode, file share access which uses the SMB protocol may not be redirected properly if there is a conflicting resource on both the remote and local networks. For example, if Connect Tunnel is started on a network at /24 and there is a resource at , a user who is trying to access a share on a remote network at may get connected to on the local network instead. On the Vista operating system, SMB does not use the appliance's routing table directly, but issues connects on different interfaces simultaneously: whichever connect succeeds first is the one that is subsequently used (even if the routing table on the appliance prescribes something else). In this example, if the /24 interface connects first, then access to the resource at will not be redirected.

IE7 fails to use Translated Web when ActiveX and Java are disabled [63132]
If ActiveX and Java are both disabled on a client computer running Vista, the user will see a script error and be unable to access WorkPlace. (Normally, WorkPlace would revert to Translated Web mode.) This error occurs only if Java is installed but disabled.

Outlook Web Access Exchange 2003 & 2007: Cannot attach image files [63087]
If you are using Windows Internet Explorer 7.0 and Microsoft OWA Exchange 2003 on a client computer running Vista, you may be unable to attach an image file to a message if your browser is in protected mode. You have two options to address this issue: either add Outlook Web Access to your list of trusted sites, or turn off protected mode.

Outlook Web Access Exchange 2003: Not able to type in new mail window [63044]
If you are using Windows Internet Explorer 7.0 and Microsoft OWA Exchange 2003 on a client computer running Vista, you may be unable to compose a message. Refer to the following Microsoft knowledgebase article for instructions on installing a patch on your Microsoft Exchange Server 2003 that addresses this issue:

Network shares are not accessible using a virtual IP address [62932]
If you run either of the tunnel clients in split tunnel mode (where traffic bound for resources defined in AMC is redirected through the tunnel), you will not have access to network file shares if you are running the Microsoft Vista operating system.

WorkPlace client provisioning fails with IE7 on Vista because Protected Mode is disabled [62578]
If IE7 is launched by right-clicking the IE icon and selecting Run as administrator, or if the browser is launched with administrative privileges from another application (which is what happens during client provisioning), Protected Mode is disabled. The result is that Aventail Access Manager is successfully installed, but the client is not.

Windows XP SP2 users must install the KB update from Microsoft [61746]
On a computer that is running Microsoft Windows XP SP2, programs that connect to IP addresses that are in the loopback address range may not work as expected. For example, you may receive an error message that says that you cannot establish a connection. The OnDemand access agent is in this category: it uses the local loopback address ( ) to redirect and secure traffic through the appliance. Customers should install this patch from the Microsoft site:

Connect Tunnel

Mac Connect Tunnel fails to determine outbound proxy settings when it is already launched [84422]
In Mac clients, the system proxy configuration information is detected only when Connect Tunnel is started. If the proxy information is modified when Connect Tunnel is already running, the changes will not be reflected, and Connect Tunnel will not prompt for authentication and will not establish the connection. To avoid this issue, close and relaunch the Connect Tunnel application after modifying the proxy information.

No error is displayed when connecting to 32-bit Connect Tunnel client on a 64-bit machine [83801]
If the 32-bit Connect Tunnel client is installed on a system running Mac OS X Snow Leopard (10.6) and the system is rebooted in 64-bit mode, Connect Tunnel fails without an error message when launched. To avoid this issue, use the 64-bit Connect Tunnel client on machines running 64-bit Mac OS X Snow Leopard.

License limit error message is misleading [77107]
After the number of users logging in to the appliance reaches the licensed limit, the following error message is displayed during subsequent login attempts: "VPN Connection Failed. Access denied. The required system capabilities are not present, enabled, or current." At issue is the license count on the appliance, not the system capabilities of the client device.

Redirect all mode and an internal proxy server [63247]
In redirect all mode, appliance traffic is redirected through the VPN tunnel regardless of how resources are defined in AMC. In this mode you can also configure traffic bound for the Internet to be redirected through an internal proxy server when the VPN connection is active. Windows Connect Tunnel traffic that should not be proxied must be explicitly excluded. On the Network Tunnel Client Settings page in AMC, type the host names, IP addresses, or domain names of any resources that you do not want redirected through the proxy server.

Tunnel clients unable to reconnect over an access point that requires authentication [61730]
On a Macintosh device, the VPN tunnel cannot be re-established when you switch to a network that requires authentication. For example, if a user is connected to the appliance using a wired connection and changes to a wireless access point that requires authentication, the previous connection cannot be re-established; the user must manually log in to the appliance.

Internet is accessible using Firefox in redirect all mode if proxy settings are configured on both IE/Firefox browsers [61605]
When configuring the tunnel clients, you must specify a redirection mode, which determines how client traffic is redirected to the appliance. In redirect all mode, traffic is redirected through the tunnel regardless of how resources are defined in AMC. This works in Internet Explorer, which honors the device's Windows Proxy Settings. Mozilla Firefox, on the other hand, ignores the interface-specific proxy settings and just sends all traffic out the proxy server.

Connect Tunnel v fails after upgrade to Vista operating system [61229]
If a user has installed Connect Tunnel v8.9.0 on Windows XP/SP2, and then upgrades the operating system to Windows Vista, Connect Tunnel will not run. Manually uninstall Connect Tunnel and then re-install it after you've upgraded to Windows Vista.

Desktop icon for Connect Tunnel in WorkPlace not present for all Linux users [61167]
When you provision Connect Tunnel from WorkPlace and the user downloads and installs the client, an icon is normally created on the user's desktop. If the client device is a computer running a Linux operating system and a different person logs in to it, no desktop icon for Connect Tunnel will be visible. One workaround is to bring up the command window (press ALT+F2), and then type the path to the Connect Tunnel program. Alternatively, you could create an icon on the desktop for the Connect Tunnel program. In Red Hat or Fedora, for example, you would right-click on the desktop and select Create Launcher, and then browse to the Connect Tunnel application.

Using dial-up and remote proxy for the connection to the Internet [61056]
If you use a dial-up connection to the Internet, and the community to which you are assigned is configured for remote proxy, Internet browsing may not traverse the remote proxy (this applies regardless of whether the remote proxy was configured manually or using a .pac file). In Connect Tunnel, make sure the dial-up connection is specified on the Properties page: select the "Establish this connection first" check box and specify a connection in the drop-down list. (If you use OnDemand Tunnel, there is no equivalent way to specify the connection properties.)

Cannot access the appliance if specified proxy server is unavailable [60912]
If Internet Explorer is configured to use an outbound HTTP proxy server, Connect Tunnel will attempt to access the appliance using that proxy server. If the proxy is available, the client connection will succeed. However, if the proxy server is unavailable, the client will not fall back to sending traffic through the default route, causing the connection to the appliance to fail. Remove the proxy setting from the browser.

Cannot access the appliance using the FQDN/VIP for a WorkPlace site [59902]
If the Connect Tunnel client is configured by an administrator or user to access the appliance using the FQDN or virtual IP address for a custom WorkPlace site, it displays the message "The device is not in a valid state to perform this request." If you access protected resources directly using Connect Tunnel, without using WorkPlace, this is not an issue. Configure the client to access the appliance using the FQDN or IP address contained in the appliance's main certificate.

OnDemand Tunnel

OnDemand installation and upgrades must be done in connection with a single appliance [71411]
When OnDemand Tunnel is installed for the first time, the installation must be performed by an administrator. A subsequent upgrade can be performed by a non-administrator user, but in the current release it must be upgraded from a single appliance.

Trend Micro Mobile Security real-time scanning prevents Connect Mobile installation [60183]
Trend Micro Mobile Security performs automatic, real-time scanning and virus detection on handhelds. If real-time scanning is enabled, installing or uninstalling Connect Mobile will fail. Disable real-time scanning before installing or uninstalling Connect Mobile.

Aventail WorkPlace

WorkPlace zone classification fails for Mac or Windows clients after upgrading to v [84299]
Occurs when the device profile does not migrate correctly when upgrading from a release, such as , with basic EPC (no support for OPSWAT) to which supports Advanced EPC (OPSWAT). To work around this issue, create a new device profile for the Mac or Windows client in AMC and create a corresponding zone and realm, and then log in to WorkPlace from the client.

Clicking OK in the file size exceeded window closes the window without returning to the folder [83150]
Occurs when a user is logged into WorkPlace using Internet Explorer 8 and attempts to upload a file exceeding the size limit. When the user clicks OK, the warning window sometimes closes without returning the user to the folder containing the file to upload. To work around this issue, use another type of browser or a different version of Internet Explorer.

Shortcuts using the XXX_USERNAME_XXX resource variable do not work correctly in v10.0 [70396]
If you have a WorkPlace network shortcut referencing a resource that contains the username variable available in firmware versions prior to v10.0 (for example, \\example\users\xxx_username_xxx), it will not work correctly in v10.0. To work around this issue, edit the resource definition and replace XXX_Username_XXX with the new v10.0 built-in variable for user name ({Session.userName}).

WorkPlace home page appears when the browser is refreshed [63243]
If you refresh your browser in WorkPlace you should see the confirm logoff page. If you are running Mozilla Firefox , or Safari on a Macintosh operating system, you will instead see the WorkPlace home page.

DNS servers that resolve only internal addresses cause login delays [62767]
During login, the Aventail appliance does a DNS lookup on IP addresses and subnets to determine whether a hostname matches (for example) an item in an access list rule. If your DNS server is not configured to resolve any external addresses, just internal ones, the login will succeed but can take a couple of minutes.

Cannot cancel installation of Aventail Access Manager [61369]
During installation of Aventail Access Manager (the provisioning and EPC component for Windows), a file download dialog opens. If the user clicks Cancel in this dialog box, the Aventail Access Manager Web page does not display any navigation buttons.

Certificate authentication process stalls during login to WorkPlace [61269]
When you connect to WorkPlace using Internet Explorer on a PDA that is running Windows Mobile 5, and you attempt to log in to a realm that requires a client certificate, the session appears to stall. Click the Next button.

Unable to access Web resources on Firefox browser with proxy server [60138]
Neither OnDemand Proxy (in dynamic mode) nor OnDemand Tunnel is able to modify proxy settings in Firefox. As a result, Firefox tries to access WorkPlace links directly through its original proxy, which fails because the links are no longer translated.

OnDemand Proxy

To activate OnDemand Proxy, cache setting for JVM must be selected [70079, 70080]
If both ActiveX and UAC (User Account Control) are disabled on a client computer running Vista SP1, OnDemand Proxy can be installed but fails to activate unless Java is configured to keep a cache of temporary files on the local computer. To change the cache setting, go to Control Panel and select Java > Temporary Internet Files > Settings > Keep temporary files on my computer.

OnDemand Proxy must be reinstalled if users upgrade from Vista to Vista SP1 [68628]
OnDemand Proxy users who upgrade from Vista to Vista SP1 will see an error when they try to access WorkPlace. OnDemand Proxy users who want to upgrade from Vista to Vista SP1 must uninstall their current copy of OnDemand Proxy. Uninstalling OnDemand Proxy can be done before or after the upgrade to Vista SP1; reinstalling OnDemand should be done after the Vista upgrade.

OnDemand Proxy may not redirect all connections when DNS fails [60633]
The first time a user installs OnDemand Proxy, connections to unqualified names that are fewer than 16 characters in length are not redirected if DNS cannot resolve them. DNS might be unable to resolve them if, for example, no DNS suffix is configured on the system. When DNS fails, WINS or WINS Broadcast is used, but WINS cannot perform name resolution until the system has been rebooted.

End Point Control

The equipment ID in a device profile is case sensitive [82465]
The zone classification fails, which prevents the user from logging in from a machine whose equipment ID matches the ID in the device profile. Occurs when the equipment ID was typed using lower case letters when creating the device profile. To work around this issue, use capital letters when entering the equipment ID into the device profile.

Zone classification fails when a device profile combines equipment ID and user attributes [81851]
The "Match profile if user has no registered devices" check box does not apply to a user with no registered devices if the device profile includes a hard-coded device ID, alone or combined with other variables or attributes. As long as the device profile has the hard-coded device ID, such a user will not be classified into the defined zone. To work around this issue so that the check box applies to all users, change the device profile so that it does not include a device ID.

Zone classification fails with certificate device profile on Linux and Mac [69625]
Import a root certificate to the appliance and create a Standard zone that requires that certificate as part of a device's profile on either the Mac OS or Linux platform. Even if the client certificate is imported, the client is relegated to the Default zone rather than the Standard zone you created. The zone classification fails because the appliance is not yet integrated with the certificate store for the operating system or the browser.

Device profile specifying a client certificate in the machine store fails for non-privileged user [61578]
A Windows device profile can be set up that checks for the presence of a certain client certificate on a user's device in either the machine or user store. However, on an end point device running Windows Vista, the machine store cannot be opened for a user who does not have Windows administrator rights. The search for the client certificate therefore fails and the user is classified into whatever you have configured as the fallback zone (a Quarantine zone or the Default zone).

Web Translation

Edited layout is not reflected on DWA home page after saving the selected layout [83358]
Occurs when Domino Web Access is configured as a host name mapped or port mapped resource and is accessed from WorkPlace using a Translated realm with IE7 on a Vista SP2 64-bit machine. After selecting Edit Layout on the DWA home page, then selecting an available layout and clicking Save & Close, the selected layout is not reflected on the DWA home page. The selected layout is reflected if you click the Refresh button on the DWA home page after saving the layout.

Using the Windows Explorer style view on SharePoint causes a long delay and then fails [60916]
Occurs when Explorer View is clicked to view a document library on a backend SharePoint server (2003/2007) while logged in through the EX-Series appliance. This is a known limitation due to SharePoint's use of built-in URLs with proprietary components. Use other views that provide tables and columns.

AMC Configuration

User sessions showing incorrect access request details [73936]
If you upgrade your appliance and immediately begin using it, the access requests on the Session Details page incorrectly indicate that some requests are being denied (for example, the rule summary might read as follows: "Access to this destination has been rejected by an implicit deny all rule at the end of the Access Control list"). To work around this issue, apply at least one other change after you upgrade and the appliance restarts. Applying an additional change in AMC populates the database with policy IDs.

Searching for users/groups is limited to 1,000 or 1,500 entries [61955]
A search for users or groups on an external directory that results in more than 1,000 matches (on a Windows 2000 server) or 1,500 matches (on a Windows 2003 server) will display no results in AMC.

Documentation

AMC Online Help and Admin Guide contain references to ACC, SSD, and Symantec [86110]
Although the Aventail Cache Control (ACC), Symantec Secure Desktop (SSD), and Symantec On-Demand Protection features are not available in the release, references to these features appear in the documentation and online help.

Fixes Incorporated in This Release

Issues fixed in this release

The following known issues from earlier versions of the appliance are fixed in this release. The numbers refer to internal SonicWALL Aventail tracking IDs.

AMC / Platform / Operating System

- Problems with accounting information in the AMC User Sessions page for Average Data and Total Data columns
- CVE SSL/TLS MITM attack through renegotiation - AMC changes
- CVE SSL/TLS MITM attack through renegotiation
- After upgrade to , memory use is constantly increasing, resulting in appliance lockup
- Disabled realms do not display correctly in Safari and Chrome
- In AMC, default style and layout section is blurred on Realms page
- When adding a new user via the community page, the user does not show up after saving the new user entry
- One Time Password fails to work with secondary address attribute
- Multi-valued attribute value gets appended for single result output
- Unable to add resource variable with delimiter configured
- A blue dot is not shown under Used column for Network Explorer shortcut in Shortcuts page in AMC
- Filtering logic on WorkPlace shortcuts in AMC does not make sense
- Active Connections for User Session is always empty
- In AMC, session list and session details page inconsistently report ESP tunnel mode
- When using tunnel, access requests display only port number in AMC
- Active connection list shows garbage instead of destinations
- Unable to specify ICMP and TCP in same policy rule
- AMC summary shows TLS and SSLv3 protocol when only TLS protocol is enabled
- In the access_servers.log file, the hostname field for all appliances shows node1 (or node2 in the case of a secondary unit in a High Availability configuration) instead of the actual hostname of the appliance
- WorkPlace displays wrong error message, "The credentials provided were invalid", when license count is exceeded
- When enabling One Time Password for an LDAP authentication server, the From address is always 'otp@mailserverdomain.com'
- Changing the name of the zone definition does not reflect in the End Point Control Restrictions page
- Nessus reports weak SSL ciphers for AMC in security scan
- User sessions Ended Time always equals the start time plus credential lifetime
- Remove support for SODP OEM (ACC/SSD/SODP)
- AMC allows credential lifetime to be set to 0 minutes, causing unexpected error messages from WorkPlace and Connect Tunnel when you attempt to log in
- User sessions list is empty when users are logged in
- RSA certification: Remove references to ACE.

- 78241 Session termination is not handled correctly for Connect Tunnel when group affinity is enabled, causing a user to be unable to log back in for 40 minutes after logging out when the Maximum Concurrent Sessions setting is set to
- RSA authentication fails after upgrading the appliance to version
- If credential lifetime is set to greater than 99 days, you get an error that your session has been idle for too long
- Apply for FIPS Certification
- Policy server core dumps frequently and uses an excessive number of file descriptors
- Boot order problems after USB interactions
- When specifying a custom host and domain name for a WorkPlace site, you cannot use an IP address different than the virtual IP
- Usability enhancement: direct access to community access methods from realm page
- LCD panel allows the IP address to be set to /
- Time zone GMT -02:00 is not available in the management console.

API Services

- The api_server holds connection to policyserver open for 20 minutes, increasing time for policyserver to remove licensed user session
- Logout from client does not clean up licenses on the server.

Authentication

- Domain field under Custom prompt section is not editable
- LDAP connections that get terminated externally (dropped by firewall or NAT) can remain in connection pool causing disruption of services
- Chained authentication using Active Directory Tree and RSA Ace server does not authenticate valid login credentials when the "Combine authentication prompts on one screen" option is selected
- PKI authentication fails with the error "Unable to authorize request: Incomplete " if group affinity is enabled
- RSA authentication prompts are returned from the Authentication Manager server via the Authentication API. In "user selectable PIN mode" the user interface should allow the user to make a choice between creating a PIN or having one generated. AMC only asks the user to create a PIN
- Aventail prompts for authentication again when cancelled at the Challenge response window
- Enforce single user name in stacked authentication.

Certificates

- Operating system configuration contains expired CA certificates
- CRL fails to work for subordinate CAs when the Validate Entire Chain option is selected
- Support Intermediate CAs
- When user certificate contains comma, extraweb_access.log escapes it twice.

Connect Tunnel Mac/Linux

- Mac/Linux Connect Tunnel client does not validate certificate hostname when verifying certificate
- LINUX 64-bit: Connect Tunnel installation failed
- Mac/Linux: Connect Tunnel username and password fields are not visible if the Authentication server is set up with a lengthy custom message
- Mac/Linux: Post-connection scripts with Connect Tunnel fail
- Mac Connect Tunnel fails to determine Outbound proxy settings when it is already launched
- Junk characters found in Japanese Mac/Linux Connect Tunnel help file
- Linux: When Connect Tunnel is disconnected from tray icon, login window does not prompt for authentication again
- Linux: While Connect Tunnel is trying to connect to fallback server, login window prompts for authentication if credentials are different, but then Connect Tunnel fails to connect to fallback server if correct credentials are entered
- Linux: Desktop icon disappears after Connect Tunnel upgrade
- Mac: Provision x64 Universal binary on Mac OS X 10.6 (Snow Leopard) and later releases
- Mac/Linux CT: Improper message shown by Connect Tunnel when using revoked Client Certificate
- Mac/Linux CT: Connect Tunnel is connected automatically if null authentication is configured
- Mac/Linux CT: UI does not display appropriate warning message in certificate dialog
- Linux CT: No error message is displayed when Connect Tunnel is launched without certificate
- Mac: Certificate is verified as self-signed and throws an error: "A secure connection with the server could not be established"
- Applnc should be accessible by name/IP in Redirect All mode even if remote DNS does not resolve Applnc name (remediation page not displayed for Connect Tunnel users)
- Linux CT: Configuration editor always polls remote VPN appliance when selecting new configuration settings
- Mac/Linux CT: Client prompts user to accept validly signed appliance certificate
- Mac: Connect Tunnel Client uses 100% of CPU
- Mac: Connect Tunnel does not inform Mac user when connection has been dropped or when it needs to resume its connection
- Mac: Error dialog is not displayed for invalid proxy credentials.

Connect Tunnel Windows

- Japanese Connect Tunnel does not auto-upgrade from to
- An improper error message is displayed when installing 32-bit Connect Tunnel Service on Windows 64-bit. No error message is displayed when installing 64-bit CTS on Windows 32-bit
- No notification seen when installing Connect Tunnel on the wrong (32-bit or 64-bit) architecture
- Japanese Connect Tunnel client does not display certificate when View is selected, and for Refresh it overlaps when using PKI authentication
- Windows login can be bypassed on Vista/XP laptops with Network login and Connect Tunnel connection
- Connect Tunnel drivers should be certified with Microsoft Hardware Compatible Logo on all supported Windows OS
- Domain name beginning with a number causes Connect Tunnel to fail
- Connect Tunnel Extensibility Toolkit changes for new features in
- DNS suffix search list is replaced when connected with Connect Tunnel client
- Need a way to disable DDNS in non-NAT mode via Connect Tunnel (Windows/Mac/Linux)
- Connect Tunnel does not behave as expected while using the icon=disable parameter
- Connect Tunnel displays wrong prompt message when AD subdomains are configured as authentication server
- Connect Tunnel installation failed on Vista machine
- Connect Tunnel username and password fields are greyed out if the authentication server is set up with a lengthy custom message
- Cannot disconnect Connect Tunnel or cancel the disconnected tray icon after a drop in Internet access or, when access returns, after connecting again with a new instance of Connect Tunnel
- System Standby or Sleep is not working when the Connect Tunnel client is attempting to reconnect after network disconnect
- Auto-upgrade of Connect Tunnel failed on 64-bit Windows Vista SP
- Issues observed when disconnecting Connect Tunnel/On Demand Tunnel
- Remediation page not displayed for Connect Tunnel users
- Undefined subnet route gets added while connecting through Connect Tunnel
- Connect Tunnel stops sending data over tunnel
- Ngvpnmgr.exe crashes on Windows XP using Connect Tunnel client
- Logo Certification: Need Windows Logo Kit Verification on Windows XP SP3 (32-bit), Windows Vista SP1 (32/64-bit)
- Terminate Session at AMC does not close Connect Tunnel properly
- User session on Connect Tunnel terminates while the user is executing a program in debug mode via telnet to a backend server
- Connect Tunnel Extensibility Toolkit changes for x
- Explorer.exe crashes on Windows Vista and XP SP3 using Connect Tunnel
- Explorer.exe crashes waiting for the Passcode Accepted message to go away
- If Connect Tunnel/On Demand Tunnel do not shut down cleanly, DNS backup lists do not get restored properly
- Connect Tunnel does not work on 64-bit Vista
- Quality of voice for ShoreTel softphone drops when accessed through Connect Tunnel

End Point Control

- OPSWAT upgrade fails on Linux and Mac to
- Zone classification fails with OPSWAT
- Need to upgrade OPSWAT (Windows) to latest version (3.4.4) for client libraries and AMC
- EPInterrogator log file is being created outside the Aventail directory on mobile devices
- Need to upgrade OPSWAT (Mac/Linux) to latest version (3.4.4) for client libraries and AMC
- Need OPSWAT support for Windows
- Equipment ID is case sensitive
- Uninstalling Aventail Access Manager and On Demand Tunnel does not remove all EPC-related folders

GMS / ViewPoint Integration

- ViewPoint: Appliance is not getting acquired on ViewPoint server

Licensing

- License expiry warning message is not shown on the slave node when a spike license is expiring
- New log data should be written to ctrl-service.log even when logs are rotated off, but it is logged in the rotated file, ctrl-service.log.1

On Demand Tunnel

- Provisioning and activation failed during On Demand Tunnel upgrade on Vista 64-bit SP
- Windows installer error is displayed when On Demand Tunnel is launched in non-admin mode on Windows XP SP
- On Demand Tunnel failed to activate on 32-bit and 64-bit Windows
- Safari hangs on a Mac OS X Snow Leopard system when Connect Tunnel is running
- The word "Reinstall" is truncated on the Connect Tunnel installation window on WorkPlace on Japanese Linux and Mac
- Unable to establish session with Connect Tunnel and On Demand Tunnel
- Connect Tunnel installation and On Demand Tunnel activation failed on Mac
- Mac: Unable to launch Connect Tunnel
- On Demand Tunnel status not displayed properly for the first time when accessing WorkPlace on x64 Vista SP1 with UAC off

Provisioning

- Aventail Access Manager size is not displayed in the Installed Programs list in the Control Panel
- Aventail Access Manager prompts users to install every time they log in to WorkPlace after installing the clt-hotfix in
- There is a redundant word on the installation page for Japanese Aventail Access Manager
- Need support for Windows
- An error is displayed while uninstalling Aventail Access Manager from a non-admin account
- Unable to uninstall Aventail Access Manager from a non-admin account
- Need support for Internet Explorer 8

Terminal Services / RDP / Citrix

- Need support for Citrix Online Plugin (new name for ICA client)
- Nordic characters do not work on a Mac when using RDP to connect to a Windows 2003 server
- RDP window is not resized according to the screen resolution on Mac
- Need to show progress bar when launching RDP in full screen mode
- Need support for Citrix XenApp server
- Secure the dynamically created portmap so that only webifiers can connect to it
- Need to show progress bar for Citrix client installation
- RDP configuration option enhancements

Upgrade / Migration

- The factory_reset_tool boots to the fsl-app-cdr prompt rather than the fresh login prompt for the new image after upgrading from to firmware
- Trying to add a bookmark on an upgraded appliance fails to add it to the database and also deletes old bookmarks
- Disallow upgrade to from versions less than
- Need to prevent upgrades/installs on EX1500

VPN

- ACL rules for backconnect fail for community checks
- Tunnel sessions are always limited to credential lifetime
- Tunnel resumption fails and Connect Tunnel disconnects and prompts the user for credentials
- Backend resources are not accessible using an On Demand Tunnel enabled realm
- Backend resources are not accessible using Connect Tunnel and On Demand Tunnel
- Support credential expiration for tunnel agents EVPN and team credential lifetime

Web Translation

- Support ActiveSync policies on Exchange 2007 SP
- Dtree.js script does not work through translation
- Novell GroupWise Webmail 6.5 does not work via Web translation after upgrade to
- Default WorkPlace site is not using configured style (theme) or realm prompt settings
- Part of the message is not localized on IE8 on the log off page
- Windows Firewall is blocking EWPCA agent in WorkPlace
- Web application is inaccessible through translation
- DWA 8.x: Edited layout is not reflected on DWA home page
- Representation of file type changes when uploading Word and Excel files on Livelink server
- Need a way to prevent Host/Port Map resources from staying open when closing the main WorkPlace browser window
- Unable to actuate reports on BEA WebLogic server through translation
- Domino Web Access 8.x does not work when using Web Translation. Requests from the appliance to the Domino server have the /go alias appended twice to the URL
- Information logged for invalid SSL request attempts is missing compared to v
- Outlook Web Access 2007 throws an error when launched from WorkPlace

- 78355 Users are not redirected to the authentication page after entering an incorrect password 3 times when using Entrust
- No error message is shown when logging into WorkPlace for which the license has expired
- OWA Webmail takes approximately 7 minutes longer to load via translation
- Errors in javascript.regexps or custom.regexps result in Apache2 not starting, throwing an obscure error message
- DWA: Enabling Instant Message displays a warning
- Unable to save the changed To Do entries
- DWA: Editing the welcome layout displays an error
- Follow me in help pages does not work for DWA
- DWA: Unable to perform Actions on meeting invitations
- When logged in to Domino Web Access, clicking Send for a message with an attachment displays an error indicating that the file could not be uploaded. Web translation on the appliance makes the ActiveX control that uploads attachments incorrectly resolve the file's address
- Microsoft CRM application fails to display customer feedback report via Web translation
- Cannot use 'Explorer View' in SharePoint document library

WorkPlace

- On Vista SP1 64-bit, Connect Tunnel installation from WorkPlace is silent when On Demand Tunnel is already present
- Japanese translation of "Open a file?" is split into 2 lines
- Linguistic inconsistency on WFA when accessing WorkPlace on Japanese Vista 64-bit with Internet Explorer
- Need to align information on the details page when accessing WorkPlace on Japanese Vista 64-bit with Internet Explorer
- Need to provide a space between version and status information on the details page when accessing WorkPlace on Japanese Vista 64-bit with Internet Explorer
- User interface issue on the details page on Windows XP with Firefox 3.5 or Internet Explorer 8 if On Demand Tunnel fails
- Files are not getting sorted correctly based on date when accessing WorkPlace on Japanese Vista 64-bit with Firefox 3.5 or Internet Explorer
- Error occurred on renaming a folder without specifying any name
- Include Windows 7 and Mac OS X 10.6 as supported platforms on the Connect Tunnel installation page
- File exceed warning window on WorkPlace is getting closed intermittently when clicking OK
- Problems with Mac OS X 10.6 with Safari and JavaScript
- On Mac OS X, WorkPlace hangs at preparing Java components and classifying zone
- Filesize, Bytes & Version are displayed as blank when trying to install Connect Tunnel on Mac OS X

Technical Documentation and the Knowledge Portal

Technical documentation is available on the SonicWALL Technical Documentation Online Library:

Check the SonicWALL Customer Support Knowledge Portal, available when you log in to MySonicWALL, for information and hotfixes that are relevant to your appliance.

Last updated: 12/7/