Release Notes for Version 1.5.101

Created: September 27, 2012

Table of Contents

What’s New
  Enhancements
  Fixes
System Requirements
  Stonesoft Appliances
  Build Version
  Product Binary Checksums
Compatibility
  Browser and Client OS Compatibility
  Directory Services
Upgrade Instructions
  Upgrade from Previous Version
  Upgrade from Prior Versions
Known Issues

What’s New

Enhancements

The enhancements introduced in Stonesoft SSL VPN version 1.5.101 are listed briefly in the table below. Please consult the product documentation for more details.

Enhancement: OpenDJ password can be modified from the Web Console
Description: In previous versions of the SSL VPN where OpenDJ was available as an internal directory service, the OpenDJ password could only be changed on the command line. The password can now also be changed from the OpenDJ section of the Web Console.

Enhancement: Custom protection rules can be created in the SSL VPN from the Web Console
Description: The SSL VPN gateway is protected by a firewall instance activated by the sg-firewall command, which runs automatically at system startup. You can create additional custom firewall rules from the Networking section of the Web Console.

Enhancement: Simplified OpenDJ Directory configuration to enable/disable mirroring
Description: The administrator now has a simplified graphical interface for enabling and disabling OpenDJ Directory Service mirroring in the Web Console, under the OpenDJ section.

Enhancement: Ability to configure the default gateway address in the initial configuration procedure
Description: The sg-reconfigure initial configuration procedure allows you to set the IP address of the default gateway for the primary Ethernet interface (eth0). This allows the configuration to be continued over routed networks.

Enhancement: Hashgen utility for hash generation
Description: The hashgen executable is included to simplify the generation of hash values with the MD5, SHA-1 and GOST R 34.11 algorithms for assessment purposes.

  Usage: hashgen [-t HASH_TYPE] FILE_PATH
    HASH_TYPE  The type of hash to compute (gost, sha1 or md5). If this option is omitted, the default hash type is md5.
    FILE_PATH  The absolute path of the file to be used for hash computation.

Fixes

Problems described in the table below have been fixed since Stonesoft SSL VPN version 1.5.100. A workaround solution is presented for earlier versions where available.

Synopsis: IP Address Pool Netmask cannot be configured (#80811)
Description: When using an IP address pool, the netmask value is assigned as class A if you use a 10.x.x.x IP address range, or as class C if you use a 192.168.x.x address range.
Workaround for previous versions: Define a Virtual IP Address Pool range from a network that is routable to the SSL VPN and is not used in any tunnel set where a Virtual IP address is needed.

Synopsis: Web Console System Information does not report correct information about filesystems (#82548)
Description: The Web Console System Information reports incorrect values and percentages for filesystems.
Workaround for previous versions: None.

Synopsis: Backup fails partially with misleading indication if not enough space is left on the spool filesystem (#82913)
Description: When you create a backup through the Web Console and the spool filesystem is almost full, there is no indication that there is not enough space to save the backup file. As a result, only a partial backup is made, and the Web Console incorrectly indicates that the backup creation finished.
Workaround for previous versions: Check that there is enough free space on the spool filesystem before creating a backup.

Synopsis: MacOS X Access Client crashes with certain Tunnel Set configurations (#83249)
Description: If the use of a Tunnel Resource is allowed in the Tunnel Set Access Rules but denied in the Tunnel Resource Access Rules, the MacOS X Access Client crashes when a user tries to access the Tunnel Resource.
Workaround for previous versions: None.

Synopsis: Selecting "Always trust command" in the Windows Access Client causes a crash (#83397)
Description: When running the startup command of a Tunnel Resource, the Windows Access Client prompts the user to accept the command to be run. Selecting "Always trust command" in the dialog and proceeding causes the Access Client to crash.
Workaround for previous versions: None.

Synopsis: Remote Desktop SSO does not work in Windows 2008/2008R2 (#83623)
Description: When a Tunnel Resource for Remote Desktop to a Windows 2008/2008R2 system is configured with SSO, Single Sign On is not performed.
Workaround for previous versions: In the Terminal Services/Remote Desktop Services Host configuration on the Windows 2008(R2) server, select "RDP Security Layer" as the Security Layer instead of "Negotiate" or "TLS/SSL". The communication between the RDP client and the SSL VPN security gateway remains secured by the SSL tunnel. Note that this setting applies to every connection to that server's RDP listener, not only to those arriving through the SSL VPN tunnel.

System Requirements

Stonesoft Appliances

Stonesoft SSL VPN version 1.5.101 is supported on all Stonesoft SSL VPN appliances and on Stonesoft SSL VPN Virtual Appliances.

Build Version

The Stonesoft SSL VPN version 1.5.101 build version is 1569.

Product Binary Checksums

sslgw_engine_1.5.101.1569_i386.zip
  MD5SUM  f3658743eb32e2b7c4ea0201c7dcb8fa
  SHA1SUM 01ffd19a329164819130814344f86dd53d2696ed

sslgw_engine_1.5.101.1569_vmwarefw-esx.zip
  MD5SUM  2bb20c9f5c713320c8863092c86203a2
  SHA1SUM 46dc8e0f2b3474f511c81549026f06e6a818368b
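The following script, added here as an example and not part of the Stonesoft product or its documentation, verifies a downloaded engine package against both digests published above before the file is uploaded through the Web Console or pushed with Remote Upgrade. It assumes only that the downloaded file keeps its published name; the digest values are the ones printed above.

```python
"""Verify a downloaded Stonesoft SSL VPN 1.5.101 engine package against the
MD5 and SHA-1 values published in the release notes.

Added example; not part of the Stonesoft product or its documentation.
"""
import hashlib
import os
import sys

# Digests exactly as published in the release notes for build 1569.
PUBLISHED = {
    "sslgw_engine_1.5.101.1569_i386.zip": {
        "md5": "f3658743eb32e2b7c4ea0201c7dcb8fa",
        "sha1": "01ffd19a329164819130814344f86dd53d2696ed",
    },
    "sslgw_engine_1.5.101.1569_vmwarefw-esx.zip": {
        "md5": "2bb20c9f5c713320c8863092c86203a2",
        "sha1": "46dc8e0f2b3474f511c81549026f06e6a818368b",
    },
}


def digests(path, chunk=1 << 20):
    """Compute MD5 and SHA-1 of a file in one pass, streaming the file so a
    large package is never held in memory at once."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha1.update(block)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def verify(path, published=PUBLISHED):
    """Return a list of problems for the package at ``path``.

    An empty list means the file name is known and both digests match.
    Both algorithms are compared; a mismatch in either one is a failure."""
    name = os.path.basename(path)
    if name not in published:
        return [f"{name}: no published checksum for this file name"]
    got = digests(path)
    problems = []
    for alg, want in published[name].items():
        if got[alg] != want.lower():
            problems.append(f"{name}: {alg} mismatch, got {got[alg]}, expected {want}")
    return problems


if __name__ == "__main__":
    # Usage: python verify_sslgw.py /path/to/sslgw_engine_1.5.101.1569_i386.zip
    found = verify(sys.argv[1])
    for problem in found:
        print(problem, file=sys.stderr)
    print("OK" if not found else "REFUSING TO UPGRADE")
    sys.exit(1 if found else 0)
```

A non-zero exit means the package should not be uploaded. Both digests are checked because both are published; neither MD5 nor SHA-1 is collision resistant, so a match tells you the download was not corrupted or swapped relative to what the release notes list, not that the release notes themselves are authentic. On the appliance, hashgen -t sha1 FILE_PATH produces the same SHA-1 for comparison.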


Compatibility

Browser and Client OS Compatibility

Stonesoft SSL VPN version 1.5.101 administration requires the use of a workstation with a TCP/IP network configured and a Web browser installed.

To use the Application Portal, the connecting client must have TCP/IP configured and a Web browser installed.

To use Tunnel Resources, such as client/server TCP/UDP-based applications, the connecting client must have TCP/IP configured and a Web browser compatible with Java or ActiveX technologies installed.

To use the Stonesoft Web authentication method, the client must support Java technology to display the clickable webpad.

To use the Stonesoft MobileID (Synchronized or Challenge) authentication method, the client must have MobileID software installed and seeded.

For the full platform compatibility matrix for the functionalities described above, please see Technical Note 5566.

Directory Services

User information can be stored in an internal user directory, or one of the following external directory services can be used:

• Microsoft Active Directory 2003
• Microsoft Active Directory 2008
• Novell eDirectory
• OpenLDAP
• Directory Server
• Oracle Internet Directory (authentication only)
• Tivoli Directory Server (authentication only)
• IBM RACF LDAP (authentication only)
• OpenDS 2.x
• OpenDJ

NOTE – You must use an external Directory Service or the new OpenDJ Directory Service for mirrored configurations. For additional information, please refer to the SSL VPN Administrator’s Guide.


Additionally, when using the Access Client on Windows Vista or Windows 7, the following requirements apply:

Requirement: Access Client on Microsoft Windows Vista and 7 requires administrator rights
Description: The Access Client requires administrator rights to run properly on Windows Vista and Windows 7 the first time it is installed. It automatically upgrades afterwards.

Requirement: Stonesoft ActiveX Client Loader requirements
Description: To run the ActiveX Access Client loader successfully with Windows Vista UAC, you must add the Access Point server HTTPS address to the list of trusted sites in Internet Explorer.

Requirement: Drive letter mapping in Windows Vista
Description: A single drive letter (for example, F:) cannot be used as a startup command in Windows Vista and Windows 7. All commands must be executed using “runas” to elevate to administrator mode, since the mapping is done in administrator mode, and “F:” is not a valid executable. Use the following startup command instead:

  explorer /root, F:

This works on both Windows XP and Windows Vista/Windows 7.

Requirement: Java Runtime Environment
Description: To run the Stonesoft Java Access Client, use Sun Java 1.6 Update 2 or later.

Upgrade Instructions

When upgrading mirrored systems, see the upgrade instructions in the SSL VPN Administrator's Guide, which is available from http://www.stonesoft.com/en/support/technical_support_and_documents/manuals/current/

It is recommended to publish the configuration after a successful upgrade.

Upgrade from Previous Version

Stonesoft SSL VPN is upgraded from 1.5.x to 1.5.101 through the Web Console or using the Remote Upgrade functionality in the Stonesoft Management Center. After the upgrade, log in to the SSL VPN Administrator interface and publish the updated configuration if the Publish button is highlighted.

Upgrade from Prior Versions

Stonesoft SSL VPN is upgraded from 1.4.x to 1.5.101 through the Web Console or using the Remote Upgrade functionality in the Stonesoft Management Center. After the upgrade, log in to the SSL VPN Administrator interface and publish the updated configuration if the Publish button is highlighted.

Direct upgrade from other versions to Stonesoft SSL VPN 1.5.101 has not been tested although it may work.


Known Issues

The current known issues of Stonesoft SSL VPN version 1.5.101 are described in the table below. For an updated list of known issues, consult our Web site at http://www.stonesoft.com/en/support/index.html/.

Synopsis: Stonesoft SSL VPN Breaks Browser Domain-Based Security Model - Refs: CVE-2009-2631, CERT VU#261869 (#55542)
Description: Stonesoft SSL VPN breaks the browser domain-based security model. The vulnerability lies in the architecture of the SSL VPN solution. As a result of the vulnerability, all resources under a single SSL VPN domain may potentially steal or modify each other's active web content, such as web cookies.
Workaround: Recommended actions: Deploy only trusted resources to the SSL VPN portal. Resources with significantly different security zones, such as resources hosted by different companies, should be deployed using Pooled DNS Mapping or Reserved DNS Mapping. Untrusted resources should not be deployed to the SSL VPN portal at all. If these types of resources are needed, they should be deployed as External Sites so that the SSL VPN portal gives a direct link to the resource, instead of making the client route the traffic to the resource through the SSL VPN portal. Please consult the Stonesoft SSL VPN Administrator's Guide for further information about deploying Pooled DNS Mapping, Reserved DNS Mapping, or defining External Sites.

Synopsis: In a mirrored configuration, the OATH database must be configured as an external database (#50490)
Description: In a mirrored configuration with OATH activated, adding a secondary Authentication Service causes the following error message: "To validate if OATH is used on the configured Authentication Service-node (i.e. tokens are imported), it has to be started. A system with more than one Authentication Service-node cannot use a local database; it would result in data inconsistency."
Workaround: Configure OATH in the SSL VPN Administrator (through Manage System - OATH Configuration - Database Connection) to point to an external URL (for example: jdbc:hsqldb:hsql://10.0.215.40:9001/;shutdown=true). Alternatively, you can disable OATH in the Web Console.

Synopsis: Configuring the Directory Service as Microsoft Active Directory and setting RootDN with a container object is not accepted (#50034)
Description: This is a Microsoft Active Directory specific problem. An Organizational Unit is not an allowed child object of the class "container" within the Active Directory default schema. "ou=accounts,..." is an Organizational Unit. Hence "ou=accounts" cannot be added under "cn=Users,..." since "cn=Users,..." is a container (objectclass=container, objectCategory="CN=Container,CN=Schema,CN=Configuration,..."). RootDN should start with an Organizational Unit (OU="...",...).
Workaround: In the SSL VPN Administration interface, configure RootDN so that the Organizational Unit is not part of a container. For example: OU=Accounts,DC=DOMAIN,DC=COM or OU=Accounts,OU=SSLVPN,DC=DOMAIN,DC=COM

Synopsis: Use of an IP pool address with Active FTP does not work on a Vista system (#50028)
Description: Using an SSL VPN resource for active FTP with an IP address pool from a Windows Vista machine fails when the server starts the transfer. The problem is caused by the IP address used in the PORT command, which is not the same as the IP address assigned from the IP address pool.
Workaround: Use passive FTP or an FTP program that allows setting the client IP address to be used for the PORT command.


Synopsis: Customized icons uploaded using the Browse function do not appear in the icon library (#64916)
Description: Customized icons that have been uploaded to custom-files/wwwroot/wa/img/icons using the Browse function in the Administrator Interface do not appear in the icon library.
Workaround: Upload the customized icons for each resource on the resource definition page.

Synopsis: Access Client for Mac does not work on Snow Leopard (10.6.x) if the firewall is enabled (#82978)
Description: Having the Mac OS X firewall enabled on a computer running Mac OS X Snow Leopard (10.6.x) prevents the Access Client from working correctly.
Workaround: Temporarily disable the firewall on Mac OS X when using the Access Client with Stonesoft SSL VPN.

Synopsis: Tunnel Set Advanced Settings for Local Lookup do not work on Mac and Linux clients (#67796)
Description: When configuring a Tunnel Set, Local Lookup entries configured in the Advanced Settings are not taken into consideration on Mac and Linux clients.
Workaround: Use DNS redirection to an internal DNS server to resolve the names for protected resources.
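To make the first known issue above (#55542, CVE-2009-2631) concrete, here is an added audit script; it is not Stonesoft code and does not reproduce the product's actual URL rewriting. The browser's same-origin policy compares only scheme, host and port, so every resource rewritten under the portal's own hostname is one origin to the browser whatever its path, while Pooled or Reserved DNS Mapping gives each resource its own hostname and an External Site is left at its own address. The portal address, the path layout under it, the hostname pattern used for pooled/reserved mappings, and the choice of "internal" as the portal's own trust zone are all assumptions made for the illustration.

```python
"""Audit which SSL VPN portal resources share a browser origin.

Added example, not Stonesoft code.  The hostnames and path layout below are
assumptions for illustration, not the product's real naming scheme.
"""
from collections import defaultdict
from urllib.parse import urlsplit

PORTAL = "https://portal.example.com"   # assumed portal address
PORTAL_ZONE = "internal"                # assumed: the trust zone the portal itself belongs to


def browser_url(res):
    """Return the URL the client's browser actually loads for a resource."""
    mode = res["deployment"]
    if mode == "portal":                        # proxied under the portal's own host (assumed layout)
        return f"{PORTAL}/res/{res['name']}/"
    if mode in ("pooled_dns", "reserved_dns"):  # assumed: one dedicated hostname per resource
        return f"https://{res['name']}.vpn.example.com/"
    if mode == "external_site":                 # portal only links; the browser goes direct
        return res["target"]
    raise ValueError(f"unknown deployment mode {mode!r}")


def origin(url):
    """scheme://host:port, the only tuple the same-origin policy compares.
    Path is deliberately ignored, which is exactly the problem."""
    u = urlsplit(url)
    port = u.port or (443 if u.scheme == "https" else 80)
    return f"{u.scheme}://{u.hostname.lower()}:{port}"


def shared_origin_conflicts(resources):
    """Return {origin: sorted resource names} for every origin that is shared
    by resources from more than one trust zone.  Resources of a single zone
    sharing an origin are not reported; the note only warns about mixing zones."""
    by_origin = defaultdict(list)
    for res in resources:
        by_origin[origin(browser_url(res))].append(res)
    return {
        o: sorted(r["name"] for r in group)
        for o, group in by_origin.items()
        if len({r["zone"] for r in group}) > 1
    }


def remediate(resources):
    """Apply the note's recommendation: anything outside the portal's own zone
    that is deployed straight into the portal gets a Reserved DNS Mapping."""
    fixed = []
    for res in resources:
        res = dict(res)
        if res["zone"] != PORTAL_ZONE and res["deployment"] == "portal":
            res["deployment"] = "reserved_dns"
        fixed.append(res)
    return fixed


# Constructed sample: an intranet wiki, a partner-hosted application and a
# webmail, all initially deployed straight into the portal.
SAMPLE = [
    {"name": "wiki",    "zone": "internal", "deployment": "portal",
     "target": "http://wiki.corp.example/"},
    {"name": "partner", "zone": "partner",  "deployment": "portal",
     "target": "https://app.partner.example/"},
    {"name": "webmail", "zone": "internal", "deployment": "portal",
     "target": "https://mail.corp.example/"},
]

if __name__ == "__main__":
    for label, rs in (("before", SAMPLE), ("after", remediate(SAMPLE))):
        print(label, shared_origin_conflicts(rs) or "no cross-zone origin sharing")
```

Run against the constructed sample, the audit reports the partner application sharing https://portal.example.com:443 with the two internal resources; after remediation the partner application has its own origin and nothing is reported, while the two internal resources still share an origin by design.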


Copyright and Disclaimer

© 2000—2012 Stonesoft Corporation. All rights reserved. These materials, Stonesoft products, and related documentation are protected by copyright and other laws, international treaties and conventions. All rights, title and interest in the materials, Stonesoft products and related documentation shall remain with Stonesoft and its licensors. All registered or unregistered trademarks in these materials are the sole property of their respective owners. No part of this document or related Stonesoft products may be reproduced in any form, or by any means without written authorization of Stonesoft Corporation. Stonesoft provides these materials for informational purposes only. They are subject to change without notice and do not represent a commitment on the part of Stonesoft. Stonesoft assumes no liability for any errors or inaccuracies that may appear in these materials or for incompatibility between different hardware components, required BIOS settings, NIC drivers, or any NIC configuration issues. Use these materials at your own risk. Stonesoft does not warrant or endorse any third party products described herein. THESE MATERIALS ARE PROVIDED "AS-IS." STONESOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION CONTAINED HEREIN. IN ADDITION, STONESOFT MAKES NO EXPRESS OR IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE WITH RESPECT TO THE INFORMATION CONTAINED IN THESE MATERIALS. IN NO EVENT SHALL STONESOFT BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL OR INCIDENTAL DAMAGES, INCLUDING, BUT NOT LIMITED TO, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING FROM THE USE OF THESE MATERIALS, EVEN IF ADVISED IN ADVANCE OF THE POSSIBILITY OF SUCH DAMAGES.

Trademarks and Patents

Stonesoft, the Stonesoft logo and StoneGate are all trademarks or registered trademarks of Stonesoft Corporation. Multi-Link technology, Multi-Link VPN, and the Stonesoft clustering technology-as well as other technologies included in Stonesoft-are protected by patents or pending patent applications in the U.S. and other countries. All other trademarks or registered trademarks are property of their respective owners.

Stonesoft Corporation
Itälahdenkatu 22A
FI-00210 Helsinki
Finland
Tel. +358 9 476 711
Fax +358 9 4767 1349

Stonesoft Inc.
1050 Crown Pointe Parkway
Suite 900
Atlanta, GA 30338
USA
Tel. +1 770 668 1125
Fax +1 770 668 1131

Copyright 2012 Stonesoft Corporation. All rights reserved. All specifications are subject to change.