StoneGate SSL VPN Release Notes for Version 1.3.0 Created: June 12, 2009
Table of Contents

What's New
System Requirements
Build Version
Product Binary Checksums
Compatibility
Upgrade Instructions
Known Issues
What's New

Features

New features that have been introduced in StoneGate SSL VPN v1.3.0 are described in the table below. The following table lists the features briefly. Please consult the product documentation for more details.

Feature: Remote Upgrade Support
Description: It is now possible to update SSL VPN Gateways through the StoneGate Management Client.

Feature: Support for Microsoft Outlook Anywhere
Description: With SSL VPN 1.3, end users can synchronize their Microsoft Outlook e-mail, calendar, and contacts without any need to install an Access client. By securing the RPC communication with SSL, the SSL VPN 1.3 provides end users seamless, quick, and secure access to their e-mail, without the hassle of distributing, installing, and maintaining a third party VPN.

Feature: Extended SSO Support
Description: From version 1.3, SSL VPN supports strong authentication with single sign-on for Telnet and SSH connections. In addition, StoneGate SSL VPN provides SSO for a wide range of applications, such as Windows Fileshare, Microsoft Terminal Server, Citrix Web Interface, Microsoft Sharepoint Portal, and Outlook Web Access.

Feature: Windows Security Center
Description: Using a plug-in, the Windows Security Center can be used to determine the security status of the client device before allowing access. The plug-in is included in the installation package.

Feature: Traffic Recording
Description: SSL VPN 1.3 Traffic Recording enables you to record any transaction between a user and the target system.

Feature: Advanced Password Policies
Description: SSL VPN 1.3 enables administrators to configure more advanced password policies to restrict how passwords are set and reset, for example, to disallow specific combinations of characters in a password.

Feature: Contextual Session Control
Description: The growing adoption of intranet security domains calls for a new view on session time-outs that caters for users connecting in different contexts, such as from their assigned desktop or a guest desktop.

Fixes

Problems described in the table below have been fixed since StoneGate SSL VPN v1.2.1. A workaround solution is presented for earlier versions where available.

Synopsis: Windows Vista incompatibility with Access Client (#44943)
Description: When a resource that uses the SSL VPN Access Client is accessed from a Windows Vista machine, the whole machine may hang.
Workaround for previous versions: n/a

Synopsis: Upgrade problem with SSL VPN appliances that have fiber interfaces (#47567)
Description: Upgrading SSL-2000 or SSL-6000 appliances that have fiber interfaces may result in a change in interface mapping order.
Workaround for previous versions: n/a

Synopsis: sginfo command also collects backup (#47695)
Description: Running the sginfo command also includes a backup in the resulting sginfo file. Starting from 1.3.0, a backup is only included in the sginfo file if the following option is given with the sginfo command: --with-backup
Workaround for previous versions: n/a

Synopsis: Importing backup through Web Console not possible before creating backup
Description: Importing a backup through the Web Console is not possible on a new system before at least one backup has been generated. The following error message is shown: "'/spool/backups/' does not exist, no backups were done yet on this host"
Workaround for previous versions: Generate a backup and then import the backup needed.
System Requirements

StoneGate Appliances

StoneGate SSL VPN v1.3.0 is supported on the StoneGate SSL-400, SSL-1030, SSL-2000, and SSL-6000 appliances.

Administration Requirements

StoneGate SSL VPN v1.3.0 administration requires the use of a workstation with a TCP/IP network configured and a Web browser installed. The supported Web browsers are listed in the table below:

Operating System:
  Microsoft Windows XP Home Edition (SP1, SP2)
  Microsoft Windows XP Professional (SP1, SP2)
  Microsoft Windows 2003 Server (SP2)
  Microsoft Windows Vista Enterprise
  Microsoft Windows Vista Business
  Microsoft Windows Vista Home Premium
  Apple Mac OS X 10.3.9
  Apple Mac OS X 10.4 (Tiger)
  Red Hat Enterprise Linux 5.0
  SUSE Linux Enterprise Server 10

Web Browser:
  Microsoft Internet Explorer 6.0
  Microsoft Internet Explorer 7.0
  Safari 1.3.2 (Mac OS X 10.3.9)
  Safari 2.0.4 (Mac OS X 10.4.7)

Build Version

The StoneGate SSL VPN v1.3.0 build version is 1313.

Product Binary Checksums

sslgw_engine_1.3.0.1313_i386.iso
  MD5SUM  94010a57f89ef87fd1a734d8e047b7c0
  SHA1SUM 403a9abb8521639163b46017c28b19c6f3198a90

sslgw_engine_1.3.0.1313_i386.zip
  MD5SUM  bcc2b3280dde182fae1212443e112a68
  SHA1SUM 41120182f2f94c8da6cabfb8fb450408628522dc
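An added example, not part of the original release notes: a POSIX shell check that compares a downloaded image against the MD5SUM and SHA1SUM values listed above and accepts it only when both digests match. The function names and the reliance on GNU coreutils `md5sum` and `sha1sum` are assumptions of this example.

```shell
#!/bin/sh
# Added example: verify a downloaded 1.3.0 image (assumes GNU coreutils).
# Expected values are copied from "Product Binary Checksums".
ISO_NAME="sslgw_engine_1.3.0.1313_i386.iso"
ISO_MD5="94010a57f89ef87fd1a734d8e047b7c0"
ISO_SHA1="403a9abb8521639163b46017c28b19c6f3198a90"
ZIP_NAME="sslgw_engine_1.3.0.1313_i386.zip"
ZIP_MD5="bcc2b3280dde182fae1212443e112a68"
ZIP_SHA1="41120182f2f94c8da6cabfb8fb450408628522dc"

# Lower-case a digest and strip whitespace picked up when pasting from a PDF.
normalize_hex() {
    printf '%s' "$1" | tr -d ' \t\r\n' | tr 'A-F' 'a-f'
}

# verify_image FILE MD5 SHA1
# 0 = both digests match, 1 = mismatch, 2 = unreadable file or malformed digest.
verify_image() {
    file=$1
    want_md5=$(normalize_hex "$2")
    want_sha1=$(normalize_hex "$3")
    [ -r "$file" ] || { echo "cannot read: $file" >&2; return 2; }
    # A truncated or mangled expected value must never count as a match.
    case "$want_md5$want_sha1" in *[!0-9a-f]*) return 2 ;; esac
    [ "${#want_md5}" -eq 32 ] && [ "${#want_sha1}" -eq 40 ] || return 2
    got_md5=$(md5sum "$file" | cut -d' ' -f1)
    got_sha1=$(sha1sum "$file" | cut -d' ' -f1)
    if [ "$got_md5" = "$want_md5" ] && [ "$got_sha1" = "$want_sha1" ]; then
        echo "OK: $file"
        return 0
    fi
    echo "MISMATCH: $file md5=$got_md5 sha1=$got_sha1" >&2
    return 1
}

# verify_release DIR: check whichever of the two release files exist in DIR.
verify_release() {
    dir=$1; rc=2
    for spec in "$ISO_NAME $ISO_MD5 $ISO_SHA1" "$ZIP_NAME $ZIP_MD5 $ZIP_SHA1"; do
        set -- $spec
        [ -f "$dir/$1" ] || continue
        [ "$rc" -eq 2 ] && rc=0
        verify_image "$dir/$1" "$2" "$3" || rc=1
    done
    [ "$rc" -ne 2 ] || echo "no release files found in $dir" >&2
    return "$rc"
}
# Stand-alone use: sh verify.sh /path/to/downloads
[ "$#" -eq 0 ] || verify_release "$1"
```

A return code of 2 from `verify_release` means neither release file was found in the directory, which is reported separately from a digest mismatch.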
Compatibility

Directory Services

User information can be stored in an internal user directory, or one of the following external directory services can be used:

  Microsoft Active Directory 2003
  Novell eDirectory
  OpenLDAP
  Sun Java System Directory Server
  Oracle Internet Directory (authentication only)
  Tivoli Directory Server (authentication only)
  IBM RACF LDAP (authentication only)

Note! When using mirrored pair configuration, external directory service is required.

Application Portal

The supported Web browsers for the StoneGate Application Portal are listed in the table below:

Operating System:
  Microsoft Windows XP Home Edition (SP1, SP2)
  Microsoft Windows XP Professional (SP1, SP2)
  Microsoft Windows 2003 Server (SP2)
  Microsoft Windows Vista Enterprise
  Microsoft Windows Vista Business
  Microsoft Windows Vista Home Premium
  Apple Mac OS X 10.3.9
  Apple Mac OS X 10.4 (Tiger)
  Red Hat Enterprise Linux 5.0
  SUSE Linux Enterprise Server 10

Web Browser:
  Microsoft Internet Explorer 6.0
  Microsoft Internet Explorer 7.0
  Safari 1.3.2 (Mac OS X 10.3.9)
  Safari 2.0.4 (Mac OS X 10.4.7)
  Mozilla Firefox 1.5

Access Client

The runtime requirements for the StoneGate Access Client are listed in the table below:

Operating System:
  Microsoft Windows XP Home Edition (SP1, SP2)
  Microsoft Windows XP Professional (SP1, SP2)
  Microsoft Windows 2003 Server (SP2)
  Microsoft Windows Vista Enterprise
  Microsoft Windows Vista Business
  Microsoft Windows Vista Home Premium
  Apple Mac OS X 10.3.9
  Apple Mac OS X 10.4 (Tiger)
  Red Hat Enterprise Linux 5.0
  SUSE Linux Enterprise Server 10

Runtime Requirements:
  Sun Java Runtime Environment 1.1.8 or later, or ActiveX Client
  Sun Java Runtime Environment 1.1.8 or later

Additionally, when using the Access Client on Windows Vista, the following requirements apply:

Requirement: Access Client on Microsoft Windows Vista requires administrator rights
Details: The Access Client requires administrator rights to run properly on Windows Vista.

Requirement: StoneGate ActiveX Client Loader requirements
Details: To run the ActiveX Access Client loader successfully with Windows Vista UAC, you must add the Access Point server https address to the list of trusted sites in Internet Explorer.

Requirement: Drive letter mapping in Windows Vista
Details: A single drive letter (for example, F:) cannot be used as a startup command in Windows Vista. All commands must be executed using runas to elevate to administrator mode since the mapping is done in administrator mode, and F: is not a valid executable. Use the following startup command instead:

  explorer /root, F:

This works on both Windows XP and Windows Vista.

Requirement: Remove AES cipher suites from Access Point configuration
Details: The AES ciphers in Vista are not compatible with the SSL engine used in Access Point. You must remove the AES ciphers from Cipher Suites for your Access Point under Manage Global Access Point Settings. Remove the following ciphers: RSA_AES_128_CBC_SHA and RSA_AES_256_CBC_SHA.

Requirement: Java Runtime Environment
Details: To run the PortWise Java Access Client, use Sun Java 1.6 Update 2 or later.
Upgrade Instructions

StoneGate SSL VPN version 1.3.0 requires an updated license to use the new features if you are upgrading from a version prior to 1.1.0. Customers with a valid support and maintenance contract can get the updated license from https://my.stonesoft.com/managelicense.do.

When upgrading mirrored systems, refer also to upgrade instructions in SSL VPN Administrator's Guide, which is available from http://www.stonesoft.com/en/support/technical_support_and_documents/manuals/current/.

Upgrade from previous version

Upgrading the StoneGate SSL VPN from versions 1.2.0 and 1.2.1 to 1.3.0 is normally done through the Web Console Remote Upgrade functionality. After upgrade, log on to the StoneGate SSL VPN Administrator interface and accept the modified configuration in the dialog that is presented and then publish the updated configuration.

Upgrade from version 1.1.1

Upgrading the StoneGate SSL VPN from version 1.1.1 to 1.2.1 is normally done through the Web Console Remote Upgrade functionality. After upgrade, log on to the StoneGate SSL VPN Administrator interface and accept the modified configuration in the dialog that is presented and then publish the updated configuration.

Manual configuration is needed for the SSL VPN to be able to send logs to StoneGate Management Center (SMC). After upgrading to 1.2.1, set the Syslog Log Level Filter to Info for all services and log types in Monitor System -> Logging. Save and publish the configuration.

Upgrade from version 1.1.0

Upgrading the StoneGate SSL VPN from version 1.1.0 to 1.2.1 is normally done through the Web Console Remote Upgrade functionality. After the upgrade from the Web Console is done, follow these steps to trigger new key generation for fixing issue #40399:

1. Log on to the appliance command line from serial console or through SSH.
2. Issue the following commands to trigger new key generation on next reboot:

     rm /data/webmin/etc/miniserv.pem
     rm /data/config/ssh/*
     rm /data/config/tls/*
     sg-admin reencrypt
     sg-admin certgen # Give this command only if internal certificate is used for Access Point
     sg-admin -upgrade

3. Reboot the appliance with command reboot.
4. Enter the Administration web interface and select Accept modified configuration to re-sign the configuration.

Manual configuration is needed for the SSL VPN to be able to send logs to StoneGate Management Center (SMC). After upgrading to 1.2.1, set the Syslog Log Level Filter to Info for all services and set the log types in Monitor System to Logging. Save and publish the configuration.
Upgrade from earlier versions

If you are using an SSL VPN version earlier than 1.0.2, first upgrade to version 1.0.2. Refer to the version 1.0.2 Release Notes for upgrade instructions.

Upgrade from SSL VPN version 1.0.2 to version 1.2.1 must be done manually:

1. Download SSL VPN version 1.2.1 CD .iso image from https://my.stonesoft.com/download.do and prepare a bootable CD from this image.
2. Make a backup of the existing installation using sg-backup command and copy the backup to another computer.
3. If you are using appliance model SSL-400 or SSL-2000, attach an external CD-ROM drive with USB connector to the appliance's USB port.
4. Boot from installation CD and perform a full installation, overwriting existing partitions.
5. Copy the backup back to an appliance and restore previous configuration using sg-restore command.
6. To trigger new key generation for fixing issue #40399, issue the following commands:

     rm /data/webmin/etc/miniserv.pem
     rm /data/config/ssh/*
     rm /data/config/tls/*
     sg-admin reencrypt
     sg-admin certgen # Give this command only if internal certificate is used for Access Point

7. Upgrade the configuration using sg-admin upgrade command.
8. Reboot the appliance with command reboot.
9. Enter the Administration web interface and select Accept modified configuration to re-sign the configuration.

Detailed upgrade instructions are available in the latest StoneGate SSL VPN 1.1 Administrator's Guide available at http://www.stonesoft.com/en/support/technical_support_and_documents/manuals/current/index.html. Note that SSL VPN 1.1 Administrator's Guide does not contain step 6 on the list above, which is needed to trigger the fix for issue #40399.

Manual configuration is needed for the SSL VPN to be able to send logs to StoneGate Management Center (SMC). After upgrading to 1.2.1, set the Syslog Log Level Filter to Info for all services and set the log types in Monitor System to Logging. Save and publish the configuration.
Known Issues

The current known issues of StoneGate SSL VPN v1.3.0 are described in the table below. For an updated list of known issues, consult our Web site at http://www.stonesoft.com/en/support/index.html/.

Synopsis: Connections cannot be opened back to the client
Description: Virtual IP addresses are not configured on the client. This prevents the connections from being opened from the internal server back to the client.
Workaround: N/A

Synopsis: Windows Vista and Firefox
Description: Due to compatibility issues between Windows Vista, Firefox, and the Java plug-in for Firefox in Windows Vista, the Access Client may experience intermittent problems running tunnel sets.
Workaround: N/A

Synopsis: Client firewall does not work on Windows Vista clients (#40657)
Description: When the client firewall is configured for a resource, the Access Client stops working on Windows Vista.
Workaround: Add the following three Outgoing rules to the Client Firewall rules:

  W.X.Y.Z-W.X.Y.Z 443 TCP Any Accept
  127.0.0.1-127.0.0.1 1-65535 TCP Any Accept
  127.0.0.1-127.0.0.1 1-65535 UDP Any Accept

Where W.X.Y.Z is the IP address of your Access Point. If using multiple Access Points, add a corresponding rule for each.
Copyright and Disclaimer

© 2000-2009 Stonesoft Corporation. All rights reserved.

These materials, Stonesoft products, and related documentation are protected by copyright and other laws, international treaties and conventions. All rights, title and interest in the materials, Stonesoft products and related documentation shall remain with Stonesoft and its licensors. All registered or unregistered trademarks in these materials are the sole property of their respective owners. No part of this document or related Stonesoft products may be reproduced in any form, or by any means without written authorization of Stonesoft Corporation.

Stonesoft provides these materials for informational purposes only. They are subject to change without notice and do not represent a commitment on the part of Stonesoft. Stonesoft assumes no liability for any errors or inaccuracies that may appear in these materials or for incompatibility between different hardware components, required BIOS settings, NIC drivers, or any NIC configuration issues. Use these materials at your own risk. Stonesoft does not warrant or endorse any third party products described herein.

THESE MATERIALS ARE PROVIDED "AS-IS." STONESOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO, THE INFORMATION CONTAINED HEREIN. IN ADDITION, STONESOFT MAKES NO EXPRESS OR IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE WITH RESPECT TO THE INFORMATION CONTAINED IN THESE MATERIALS. IN NO EVENT SHALL STONESOFT BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL OR INCIDENTAL DAMAGES, INCLUDING, BUT NOT LIMITED TO, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING FROM THE USE OF THESE MATERIALS, EVEN IF ADVISED IN ADVANCE OF THE POSSIBILITY OF SUCH DAMAGES.

Trademarks and Patents

Stonesoft, the Stonesoft logo and StoneGate are all trademarks or registered trademarks of Stonesoft Corporation. Multi-Link technology, Multi-Link VPN, and the StoneGate clustering technology, as well as other technologies included in StoneGate, are protected by patents or pending patent applications in the U.S. and other countries. All other trademarks or registered trademarks are property of their respective owners.

Stonesoft Corporation
Itälahdenkatu 22A
FI-00210 Helsinki
Finland
Tel. +358 9 476 711
Fax +358 9 4767 1234

Stonesoft Inc.
1050 Crown Pointe Parkway
Suite 900
Atlanta, GA 30338
USA
Tel. +1 770 668 1125
Fax +1 770 668 1131

Copyright 2009 Stonesoft Corporation. All rights reserved. All specifications are subject to change.