Release Notes for Version 1.5.207


Release Notes for Version 1.5.207 Created: March 9, 2015

Table of Contents

What's New
Fixes
System Requirements
Stonesoft Appliances
Build Version
Product Binary Checksums
Compatibility
Browser and Client OS Compatibility
Directory Services
Upgrade Instructions
Upgrade from Previous Version
Upgrade from Prior Versions
Known Issues

What's New

Fixes

Problems described in the table below have been fixed since Stonesoft SSL VPN version 1.5.206. A workaround solution is presented for earlier versions where available.

Synopsis: Tunnel set redirection URL does not work on MacOS and Linux clients
Description: Redirection URL configured in tunnel set settings works with Windows clients, but not on MacOS or Linux clients.
Workaround for Previous Versions: Open the URL manually after opening the tunnel.

Synopsis: SSL VPN process may leak memory
Description: The statmond process may start leaking memory, which will lead to a situation where all memory is exhausted and the engine will stop working.
Workaround for Previous Versions: Monitor memory and swap usage. Excess memory used by statmond can be cleared by stopping and starting it:

    msvc -d statmond
    msvc -u statmond

Restarting the process will not affect running client sessions.

Synopsis: Routing configuration might fail if alias interfaces are configured
Description: If an appliance is configured using an alias interface (ethx:y), configured routes might not be applied at restart.
Workaround for Previous Versions: None

Synopsis: Windows Access Client fails to start on 32-bit Windows
Description: Using tunnel resources does not work on 32-bit Windows operating systems. Windows Access Client fails to start.
Workaround for Previous Versions: Hotfix is available from McAfee Support.

Synopsis: Adding back-end attributes to web resource host configuration results in error
Description: Administrators are not able to add back-end attributes to a web resource host. The following error is shown: "Unable to resolve expression 'localizedtype'".
Workaround for Previous Versions: None

System Requirements

Stonesoft Appliances

Stonesoft SSL VPN version 1.5.207 is supported on all Stonesoft SSL VPN appliances and on Stonesoft SSL VPN Virtual Appliances.

Installation of 32-bit and 64-bit engine software, or upgrade to 64-bit engine software, is supported only on the following SSL VPN appliances:

SSL-1035
SSL-1302
SSL-3201
SSL-3202

For older appliance models, use 32-bit engine software. Mirrored configurations between 32-bit and 64-bit engines are not supported.
3 Stonesoft SSL VPN Release Notes for Version 1.5.207

Build Version

The Stonesoft SSL VPN 1.5.207 build version is 2025.

Product Binary Checksums

32-bit engine

sslgw_engine_1.5.207.2025_i386.zip
    MD5SUM   9413904c2035a0a254bdd3e392ec4228c923572d
    SHA1SUM  2918e51d57748365dd2db42c4d954a8b

64-bit engine

sslgw_engine_1.5.207.2025_x86-64.zip
    MD5SUM   sh82000d1ee676a02e5fc6f67dd82035ed
    SHA1SUM  8a542ba9fad2de56fc412019755cce4f9dd9d4e4

sslgw_engine_1.5.207.2025_vmwarefw-esx.zip
    MD5SUM   9efaa3da68e12cbe6d8849ba38b2ed9d
    SHA1SUM  c1779d4c451931dc91960cc45b4d9b3758115828
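The following added example (not from the release notes or from Stonesoft) checks a downloaded engine image against a checksum listing laid out like the one above, and refuses a published value whose length or characters cannot belong to the labelled algorithm. The listing in SAMPLE_LISTING is constructed (digests of an empty file), and the function names are assumptions of this example.

```python
import hashlib
import hmac
import re

# Label used in the listing -> (hashlib algorithm, expected number of hex characters).
DIGESTS = {"MD5SUM": ("md5", 32), "SHA1SUM": ("sha1", 40)}

# Constructed sample listing (not the vendor's values): digests of an empty file,
# plus one entry with the two values swapped and one with a damaged value.
SAMPLE_LISTING = """
sample_ok.zip MD5SUM d41d8cd98f00b204e9800998ecf8427e
SHA1SUM da39a3ee5e6b4b0d3255bfef95601890afd80709
sample_swapped.zip MD5SUM da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA1SUM d41d8cd98f00b204e9800998ecf8427e
sample_garbled.zip MD5SUM zz1d8cd98f00b204e9800998ecf8427e
"""


def parse_listing(text):
    """Return {filename: {label: value}} from 'name.zip LABEL value ...' tokens."""
    entries, current, tokens = {}, None, text.split()
    i = 0
    while i < len(tokens):
        if tokens[i] in DIGESTS and current and i + 1 < len(tokens):
            entries[current][tokens[i]] = tokens[i + 1].lower()
            i += 2
        else:
            if tokens[i].endswith(".zip"):
                current = tokens[i]
                entries[current] = {}
            i += 1
    return entries


def malformed(label, value):
    """Return a reason string if value cannot be a digest of this type, else None."""
    algo, length = DIGESTS[label]
    if not re.fullmatch(r"[0-9a-f]+", value):
        return "non-hex characters"
    if len(value) != length:
        return f"{len(value)} hex chars, {algo} has {length}"
    return None


def verify(stream, published):
    """Hash the stream once and return (ok, problems).

    ok is True only if at least one digest is listed and every listed digest
    is well-formed and matches the stream.
    """
    problems = [f"{l}: {r}" for l, v in published.items() if (r := malformed(l, v))]
    hashers = {label: hashlib.new(DIGESTS[label][0]) for label in published}
    for chunk in iter(lambda: stream.read(65536), b""):
        for h in hashers.values():
            h.update(chunk)
    for label, h in hashers.items():
        if malformed(label, published[label]):
            continue  # already reported; a malformed value can never match
        if not hmac.compare_digest(h.hexdigest(), published[label]):
            problems.append(f"{label}: digest mismatch")
    return (bool(published) and not problems, problems)
```

A match only shows that the download equals what the listing describes, so the listing itself should come from a channel you trust.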

Compatibility

Browser and Client OS Compatibility

Administration of Stonesoft SSL VPN version 1.5.207 requires the use of a workstation with a TCP/IP network configured and a web browser installed.

To use the Application Portal, the connecting client must have TCP/IP configured and a web browser installed.

To use Tunnel Resources, such as client/server TCP/UDP-based applications, the connecting client must have TCP/IP configured and a web browser compatible with Java or ActiveX technologies installed.

To use the Stonesoft Web authentication method, the client must support Java technology to display the clickable webpad.

To use the Stonesoft MobileID (Synchronized or Challenge) authentication method, the client must have MobileID software installed and seeded.

For the full platform compatibility matrix for the functionalities described above, see Technical Note #5566.

Directory Services

User information can be stored in an internal user directory, or one of the following external directory services can be used:

Microsoft Active Directory 2003
Microsoft Active Directory 2008
Novell eDirectory
OpenLDAP
Sun Java System Directory Server
Oracle Internet Directory (authentication only)
Tivoli Directory Server (authentication only)
IBM RACF LDAP (authentication only)
OpenDS 2.x
OpenDJ

NOTE: You must use an external Directory Service or the new OpenDJ Directory Service for a mirrored pair configuration. For additional information, please refer to the SSL VPN Administrator's Guide.

Additionally, when using the Access Client on Windows Vista, Windows 7, or Windows 8, the following requirements apply:

Requirement: Access Client on Microsoft Windows Vista, Windows 7, and Windows 8 requires administrator rights
Description: The Access Client requires administrator rights the first time it is used on Windows Vista, Windows 7, and Windows 8. The Access Client automatically upgrades afterwards. Alternatively, you can use remote software distribution or installation systems and the provided Access Client MSI package.

Requirement: Stonesoft ActiveX Client Loader requirements
Description: To run the ActiveX Access Client loader successfully with Windows Vista UAC, you must add the HTTPS address of the Access Point server to the list of trusted sites in Internet Explorer.

Requirement: Drive letter mapping in Windows Vista, Windows 7, and Windows 8
Description: A single drive letter (for example, F:) cannot be used as a startup command in Windows Vista, Windows 7, and Windows 8. All commands must be executed using runas to elevate to administrator mode, because the mapping is done in administrator mode, and F: is not a valid executable. Use the following startup command instead:

    explorer /root, F:

This command works on Windows XP, Windows Vista, Windows 7, and Windows 8.

Requirement: Java Runtime Environment
Description: To run the Stonesoft Java Access Client, use Sun Java 1.6 Update 2 or higher.

When using the Access Client on Linux, the following requirements apply:

Requirement: Access Client on Linux and Mac OS platforms does not connect to an SSL VPN Access Point without a trusted certificate to validate the gateway certificate on the client
Description: The Linux and Mac OS Access Clients can be downloaded through a Java Loader or an essp:// protocol handler in the browser. Before resources can be used, the client must verify the SSL VPN gateway certificate using the public certificate of the signer. One of the following files must be present:

    $HOME/.sg-sslvpn-client/trust.pem
    $HOME/.sg-sslvpn-client/server.pem

If the SSL VPN gateway uses a self-signed certificate, the trust.pem file should include the self-signed certificate. Otherwise, it should include the public CA certificate that issued the gateway certificate. Alternatively, only the server certificate can be placed in the file server.pem.

Upgrade Instructions

When upgrading mirrored systems, see the upgrade instructions in the SSL VPN Administrator's Guide, which is available at http://www.stonesoft.com/en/customer_care/documentation/current/. It is recommended that you publish the configuration after a successful upgrade.

Upgrade from Previous Version

Stonesoft SSL VPN is upgraded from 1.5.x to 1.5.207 through the Web Console or using the Remote Upgrade functionality in the Stonesoft Management Center. After the upgrade, log in to the SSL VPN Administrator and publish the updated configuration if the Publish button is highlighted.

Upgrade from Prior Versions

Stonesoft SSL VPN is upgraded from 1.4.x to 1.5.207 through the Web Console or using the Remote Upgrade functionality in the Stonesoft Management Center. After the upgrade, log in to the SSL VPN Administrator interface and publish the updated configuration if the Publish button is highlighted. Direct upgrade from other versions to Stonesoft SSL VPN 1.5.207 has not been tested, but may work.

Known Issues

The current known issues of Stonesoft SSL VPN version 1.5.207 are described in the table below. For an updated list of known issues, see http://stonesoft.com/en/customer_care/kb/.

Synopsis: After upgrade, application portal displays an error. (#112839)
Description: After upgrade, clients accessing portal will see error message "403 access denied - 1022333 128-bit encryption required".
Workaround: Set following ciphers active in access point cipher suite list and publish configuration:

    RSA_AES_128_CBC_SHA
    RSA_RC4_128_SHA

Synopsis: Stonesoft SSL VPN Breaks Browser Domain-Based Security Model - Refs: CVE-2009-2631, CERT VU#261869 (#55542)
Description: Stonesoft SSL VPN breaks the browser domain-based security model. The vulnerability lies in the architecture of the SSL VPN solution. As a result of the vulnerability, all resources under a single SSL VPN domain may potentially steal or modify each other's active web content, such as web cookies.
Workaround: Recommended Actions: Deploy only trusted resources to the SSL VPN portal. Resources with significantly different security zones, such as resources hosted by different companies, should be deployed using Pooled DNS Mapping or Reserved DNS Mapping. Untrusted resources should not be deployed to the SSL VPN portal at all. If these types of resources are needed, they should be deployed as External Sites so that the SSL VPN portal gives a direct link to the resource, instead of making the client route the traffic to the resource through the SSL VPN portal. See the Stonesoft SSL VPN Administrator's Guide for further information on deploying Pooled DNS Mapping, Reserved DNS Mapping, or defining External Sites.

Synopsis: In a mirrored configuration, OATH database must be configured as an external database (#50490)
Description: In a mirrored configuration with OATH activated, adding a secondary Authentication Service causes the following error message: "To validate if OATH is used on the configured Authentication Service-node (i.e. tokens are imported), it has to be started. A system with more than one Authentication Service-node cannot use a local database; it would result in data inconsistency."
Workaround: Configure OATH in the SSL VPN Administrator (select Manage System > OATH Configuration > Configure Database Connection) to point to an external URL. For example, enter the following URL in the Database Connectivity Properties:

    jdbc:hsqldb:hsql://10.0.215.40:9001/:shut down=true

Alternatively, you can disable OATH in the Web Console.

Synopsis: Use of IP pool address with active FTP does not work in Windows Vista (#50028)
Description: Using an SSL VPN resource for active FTP with an IP address pool from a Windows Vista machine fails when the server starts the transfer. The problem is caused by the IP address used in the PORT command, which is not the same as the IP address assigned from the IP address pool.
Workaround: Use passive FTP or an FTP program that allows setting the client IP address to be used for the PORT command.

Synopsis: Customized icons uploaded using the Browse function do not appear in icon library (#64916)
Description: Customized icons that have been uploaded to custom-files/wwwroot/wa/img/icons using the Browse function in the Administrator Interface do not appear in the icon library.
Workaround: Upload the customized icons for each resource on the resource definition page.

Synopsis: Access Client for Mac does not work on Snow Leopard (10.6.x) if firewall is enabled (#82978)
Description: Having the Mac OS X firewall enabled on a computer running Mac OS X Snow Leopard (10.6.x) prevents the Access Client from working correctly.
Workaround: Temporarily disable the firewall on Mac OS X when using the Access Client with Stonesoft SSL VPN.

Synopsis: Tunnel Set Advanced Settings for Local Lookup do not work on Mac and Linux clients (#67796)
Description: When configuring a Tunnel Set, Local Lookup entries configured in the Advanced Settings are not taken into consideration on Mac and Linux clients.
Workaround: Use DNS redirection to an internal DNS server to resolve the names for protected resources.

Synopsis: Missing plugin error with Mountain Lion in Mac OS X (#89317)
Description: With Mountain Lion in Mac OS X, the following update uninstalls the Java plugin under Safari and the Java properties of application/utilities: http://support.apple.com/kb/ht5493
Workaround: Select a Tunnel Resource in the Application Portal and click "missing plugin".

Synopsis: OpenLDAP database does not support 64-bit mode (#89618)
Description: The OpenLDAP database does not support 64-bit mode. When upgrading from a 32-bit version (for example, SSL VPN 1.5.101) to a 64-bit version (for example, SSL VPN 1.5.200), the OpenLDAP database can no longer be used.
Workaround: Contact Stonesoft Support for a workaround.

Synopsis: File Share SSO does not work with Windows 2008 R2 (#85565)
Description: Due to a change in authentication techniques when accessing a File Share in Windows 2008 R2, it is not possible to use Single Sign-On to access File Shares located on a back-end resource.
Workaround: None

Copyright and Disclaimer

2000-2015 Stonesoft Corporation. All rights reserved.

These materials, Stonesoft products, and related documentation are protected by copyright and other laws, international treaties and conventions. All rights, title and interest in the materials, Stonesoft products and related documentation shall remain with Stonesoft and its licensors. All registered or unregistered trademarks in these materials are the sole property of their respective owners. No part of this document or related Stonesoft products may be reproduced in any form, or by any means without written authorization of Stonesoft Corporation.

Stonesoft provides these materials for informational purposes only. They are subject to change without notice and do not represent a commitment on the part of Stonesoft. Stonesoft assumes no liability for any errors or inaccuracies that may appear in these materials or for incompatibility between different hardware components, required BIOS settings, NIC drivers, or any NIC configuration issues. Use these materials at your own risk. Stonesoft does not warrant or endorse any third party products described herein.

THESE MATERIALS ARE PROVIDED "AS-IS." STONESOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION CONTAINED HEREIN. IN ADDITION, STONESOFT MAKES NO EXPRESS OR IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE WITH RESPECT TO THE INFORMATION CONTAINED IN THESE MATERIALS. IN NO EVENT SHALL STONESOFT BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL OR INCIDENTAL DAMAGES, INCLUDING, BUT NOT LIMITED TO, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING FROM THE USE OF THESE MATERIALS, EVEN IF ADVISED IN ADVANCE OF THE POSSIBILITY OF SUCH DAMAGES.

Trademarks and Patents

Stonesoft, the Stonesoft logo and StoneGate are all trademarks or registered trademarks of Stonesoft Corporation. Multi-Link technology, Multi-Link VPN, and the Stonesoft clustering technology, as well as other technologies included in Stonesoft, are protected by patents or pending patent applications in the U.S. and other countries. All other trademarks or registered trademarks are property of their respective owners.

Stonesoft Corporation
Itälahdenkatu 22A
FI-00210 Helsinki
Finland
Tel. +358 9 476 711
Fax +358 9 4767 1349

Stonesoft Inc.
1050 Crown Pointe Parkway
Suite 900
Atlanta, GA 30338
USA
Tel. +1 770 668 1125
Fax +1 770 668 1131

Copyright 2015 Stonesoft Corporation. All rights reserved. All specifications are subject to change.