Unified Security Gateway ™ 5.1 Release Notes

September, 2012

This document contains information on the new features in this release and Known Issues and Limitations, and supplements the documentation included with the product. For the most recent updates to this information, please refer to the latest USG Release Notes located at the following download site: https://members.actiance.com

Contents

• What’s New in USG 5.1
• Key Features in USG 5.0.4
• Key Features in USG 5.0.3 QFE
• Key Features in USG 5.0.2
• Key Features in USG 5.0.1
• Key Features in USG 5.0
• Key Features in USG 4.2
• Key Features in USG 4.1.1 SP
• Key Features in USG 4.1.1
• Key Features in USG 4.1
• Key Features in USG 4.0
• Support Issues Fixed in USG 5.1
• Support Issues Fixed in USG 5.0.4
• Support Issues Fixed in USG 5.0.3
• Support Issues Fixed in USG 5.0
• Support Issues Fixed in USG 4.2
• Support Issues Fixed in USG 4.1.1 SP
• Support Issues Fixed in USG 4.0
• Known Issues and Limitations

Actiance Proprietary and Confidential Page 1 of 42 Unified Security Gateway Release Notes

What’s New in USG 5.1

Release Date: September, 2012

• Transcripts cleanup: Consistency in rendering the transcript format.

• IIROC template: Out-of-the-box IIROC policy template for compliance.

• New role: A new role, AdminLite, is available for accessing the Configuration tab.

• Transcript export options: SFTP support for exporting transcripts.

• Enhancement: WebProxy certificate upload/download enhancement in a cluster setup.

Key Features in USG 5.0.4

Release Date: July, 2012

• Direct upgrade support from USG 5.0 9071 to USG 5.0.4

• New Features:
  ° Administrative Roles download CSV
  ° Audit logs
  ° Password Policy
  ° Upstream Proxy support

• Socialite Enable Merges:
  ° Access to Unauthorized User Report for Reporter, Group Reporter, System Administrator Roles: The Reporter role now has visibility to all reports, including the reports that are currently visible under the Configurations tab. The respective admin can download the report from the UI by clicking the Download button in the Unauthorized User reports in the Reports tab.
  ° Moderation Support for LinkedIn Group Post/Comments: The security appliance supports the Moderation feature for LinkedIn Group Posts/Comments.
  ° When approval fails from the end-user due to invalid fields, an option is available to delete that particular post, as the user cannot approve it. Upon clicking the Remove button against an approved post, the approved count goes down, the rejected count goes up and the reject list displays the post as "Removed by Owner".
  ° Socialite Enhancement – Report: The Socialite-Employee Buddy Mapping Report under Default Report in the Reports tab displays the users and the buddies mapped to them for all three social networking sites. System Administrator, Reporter and Group Reporter can view these reports.
  ° Archival of Grade field in Education under Edit Profile: The Grade field in Education under LinkedIn Edit Profile can be moderated and archived.
  ° You can download logs for all the security appliances in a cluster from a single security appliance’s UI. A separate section is added under Configuration » Runtime Logging » Runtime Monitoring. It has options to capture logs, text dumps, Squid and PCAP on both the security appliances by starting the monitoring in one. The captured data can be sent to an FTP server after stopping the runtime monitoring in the security appliance.
  ° Four canned reports are added in flex reporting. These are:
    o Socialite-Posts per day Per Social Network
    o Socialite-Usage per user group per week
    o Socialite-Post per Social Network per week
    o Socialite-Posts per user per week
    System Administrator, Reporter and Group Reporter have access to those reports.
  ° When a message gets deleted based on lexicon match in Fan page, transcript has a written indication whether that highlighted message got deleted in . The following system alert message is displayed: System alert: This post has been deleted.
  ° The security appliance has the ability to specify room names while exporting the API transcripts. The room names for API transcripts that need to be exported can be specified under the ‘Transcript Export Settings’ section in the Configuration tab.

Key Features in USG 5.0.3 QFE

Release Date: April, 2012

• Socialite Enable Merges:
  ° New Archival Changes
    o The security appliance now has revamped transcript names for Proxy Archival transcripts.
    o The security appliance now supports API Archival of Facebook Fan Page Profile.

• New Features in Exporter:
    o In the Exporter for Social Networking Transcripts page, a new filter, Transcripts Capture Via, is provided to export the transcripts captured via Proxy and the transcripts captured via API separately.
    o In Exporter for Social Networking Transcripts, under Format Settings, a new E-mail Format feature allows exporting the LinkedIn and Facebook messages in 1-on-1 Email format.

• New Option in Manual Export of Moderator Events
    o The Save as CSV option is available at the top of the Moderator Events page to export Moderator Events in CSV format.

• Socialite Enable merges till April 1st week release

• Application Tree Optimization

• Facebook Offline Archival for a new feature - Messages

• Latest RPM update for CentOS 5.1

• Support issues fixed:
    o The security appliance can access the Unix File Systems
    o The security appliance can access some JSP files from absolute path
    o Role based access fix for the security appliance

Key Features in USG 5.0.2

Release Date: January, 2011

• Socialite Enable Merges
  ° New Moderation Feature: The security appliance can now Moderate posted Retweets for
  ° New Archival Features & modifications:
    o The security appliance can now store the following:
      • Deleted Updates and Comments for Facebook
      • Deleted Tweets and Retweets for Twitter
      • Deleted Comments for LinkedIn
  ° For Facebook and LinkedIn, Reviewers can now fetch the complete Transcript context, including all the Reviewer’s comments for a given transcript. The security appliance archives:
    o any parent post on which Reviewer comments are made
    o visible comments made by Reviewer prior to the latest posted comments.
  ° For Twitter, Reviewers can now archive the complete Transcript context.
    o the context of Twitter replies is now archived in the security appliance.
    o the parent tweet (with Twitter username) to which the reply was sent is now seen in Transcripts.
  ° New feature in “Alert/Logging/Export Setting”
    o Group reviewer can now receive notification about pending moderator events at a set frequency
  ° The Security appliance now supports Usage Control for Web 2.0 (MySpace) at a Group and at an Employee level.

Key Features in USG 5.0.1

Release Date: December, 2011

• Socialite Archival and Moderation fixes when Blue Coat is used as a proxy

• New Open SSL Intermediate CA Certificate

• New Moderation Features: The security appliance can now store and moderate:
  ° Post comments for LinkedIn
  ° Status update with Link for Facebook

• New Exporter Filters: In the Exporter for Social Networks section, under Exporter filters, two new filters are added:
  ° Conversation Type
  ° Moderation Action

Key Features in USG 5.0

Release Date: June, 2011

• Support for LinkedIn Offline Archival

• Support for Twitter Offline Archival

• Support for LinkedIn Profile Alert and Monitoring feature

• Support for LinkedIn Profile Intercept feature

• Added Default Action For New Usage Control

• New Socialite Canned Reports

Key Features in USG 4.2

Release Date: January, 2011

• Support for offline page archival. USG now supports offline page archival for Facebook pages like User Profile, Fan Page and Group Page.

• Support for Windows 2008 Active Directory.

• Support for FTP export in Onbox Squid access/cache logs.

• Archival support for photo uploads in Facebook. This feature archives all the photos that are uploaded on Facebook.

• Enhanced user experience during the cluster upgrade process. The new user experience is available for cluster-upgrades post USG 4.2 releases.

• Updated security vulnerability patches.

• Software Development Kit (SDK) updates for Actiance Webfiltering URL DB (version 2).

• Support for “transparent socnet buddyname mapping”. This feature is SaaS specific and is implemented for social networking websites like Facebook and LinkedIn.

• Merging of USG 4.1.1 QFE fixes.

• Enhanced support for existing applications.

• Support for several new applications.

• Company name change.

Key Features in USG 4.1.1 SP

Release Date: October, 2010

• Support for several new applications.

• Enhanced support for a few existing applications.

• Support for On-box proxy Self Signed Certificate.

• Support for Early Response Fix from User Interface. This is required for both On-box Proxy and ISA Proxy (when used as HTTP Proxy).

• Support for Manual Mapping and Unmapping of the SocNet Buddies.

• FDCA Enhancement.

• The earlier Social Networking tab is now called Socialite. The Authentication Servlet Banner (displayed in the end user browser having the Socialite name and Logo Customization).

Key Features in USG 4.1.1

Release Date: September 06, 2010

• Support for ISA proxy deployment.

• Support for Safe Search on , Yahoo and Bing search engines.

• Support for Onbox Squid caching to improve performance.

• Support for controlling policy conflict between URLs falling under Applications and Web Filtering components.

• Support for a new report, Web Usage Report by Employee, under the Summary tab.

• Updated Security Vulnerability patches.

• Enhanced support for a few existing applications.

Key Features in USG 4.1

Release Date: June 29, 2010

• Support for Onbox Squid proxy deployment.

• Support for Group Reviewer role to manage transcripts and moderated events of a particular group.

• Support for Remote Group Reviewer role to manage transcripts and moderated events in a SaaS deployment.

• Support for several new applications.

• Enhanced support for a few existing applications.

• Enhanced support for OCS connector.

• Additional support for archiving the content of different pages of Facebook, Twitter, and LinkedIn.

• Support for add-on license for Onbox Squid with Web Proxy.

Key Features in USG 4.0

Release Date: June 09, 2010

• Support for granular feature access control for Social Networking sites such as Facebook, Twitter, and LinkedIn.

• Support for several new applications.

• Enhanced support for a few existing applications.

• Support for enhanced license that has a separate Social Networking Moderation or Compliance license.

• Support for archiving the content of different pages of Facebook, Twitter, and LinkedIn.

• Support for moderating posts of different pages of Facebook, Twitter, and LinkedIn.

Support Issues Fixed in USG 5.1

• Issues related to update firmware from version 5.0.4 9526 to 5.0.4 9528USG [Issue #: 39027]

• LDAP related configuration changes. [Issue #: 38868]

Support Issues Fixed in USG 5.0.4

• USG allows downloading PDF files above 1 MB. [Issue #: 36677]

• Filter Update page does not freeze the USG UI even when the Malware Scheduler logs are too big. [Issue #: 37096]

• Page Policy can be archived for Personal Pages for LinkedIn and Twitter if the association is done for the user group. [Issue #: 37971]

Support Issues Fixed in USG 5.0.3

• When access to the Management Interface is contained in a closed environment like a VLAN, all end user notifications are displayed through the Proxy Interface IP/hostname. [Issue #: 36325]

• USG now allows CSV import of lexicons for IM with Enablement and Enforcement licenses only. [Issue #: 36388]

• Fixed the issue for firmware upgrade to modify both primary and secondary squid files. [Issue #: 36038]

• USG captures the reviewer comments for the exported transcripts in XML format. [Issue #: 33381]

• Fix provided for USG to monitor social media traffic. [Issue #: 34812]

• USG now saves all configuration settings performed in the Filter Update page. [Issue #: 31326]

• For reviewer comments to appear in XML format, enable the “exporter.xml.format.include.reviewcomments” server property.

• The employee’s SocNet Profile Name will now display as Screen Name in all versions of socnet moderated transcripts that are exported.

• CSV Export option is now available for manually exporting moderated transcripts.

To view special characters and foreign languages in the CSV export, the encoding format for Excel must be UTF-8. You can also open the content of a CSV file using a text editor such as Notepad.

Support Issues Fixed in USG 5.0

Release Date: June, 2011

• For Facebook Fan Pages, all moderated messages are getting posted with the UserName, instead of being posted with the Fanpage name. [Issue #: 31861]

Support Issues Fixed in USG 4.2

Release Date: January 25, 2011

• The URL, www.iniciativamexico.org is being whitelisted by USG. The below error message is displayed: “Enter valid domain name” [Issue #: 28784]

• Due to configuration mismatch in syslogs, crashing of dissectors is reported in USG. [Issue #: 287845]

• In Socialite, whenever an IMProxy is not licensed, the buddyname unmapping feature is automatically disabled. [Issue #: 30617]

• In the LDAP settings page, enabling the Kerberos Authentication reports an error. [Issue #: 30071]

Support Issues Fixed in USG 4.1.1 SP

Release Date: November 08, 2010

• The "Customized Policy History" needs to be displayed in a reverse chronological order. [Issue #: 29217]

• Usability Issue: When the Usage Control is blocked in Facebook and after seeing the Block Page, if the user clicks the Back button, the browser does not display the previous allowed page. [Issue #: 29151]

• Moderator: Any customization at the Group Level for inherited moderation and archiving policies is also reflected in the Default Group. [Issue #: 27364]

• Any customization at the Employee Level for the inherited content scan policy gets reflected in the Default policy. [Issue #: 25245]

• Need to support Proxy Authentication for the users imported having the “SAMAccountName” attribute enabled. [Issue #: 29357]

• Under Usage Control, if LinkedIn Groups are blocked, then all features under Groups (for example, My Groups, Following, Group Directory, Create a group) should also be blocked. [Issue #: 27767]

• USG Dissector employs a default MySQL port instead of a non-default configured port. [Issue #: 29193]

Support Issues Fixed in USG 4.0

• UI popup indicating interruption of proxy users (IM and HTTP) when service restarts. [Issue #: 26309]

• The security appliance stops responding and reports "Unexpected exception: GC overhead limit exceeded" in system logs. [Issue #: 22268]

• Customized display pictures of WLM 2009 client users are not displayed to other MSN users with whom they are chatting. [Issue #: 25320]

• The security appliance should enable the system administrator to add e-mail address during installation. [Issue #: 14906]

• USG 2.2 Backup filename issue. [Issue #: 25769]

• Filter update screen does not display properly at 1650x1050 screen resolution. [Issue #: 22123]

• Ability to exclude report content in e-mail for SMTP exports. [Issue #: 21300]

Known Issues and Limitations

Installation / Deployment

• After successfully upgrading to the USG 5.0.2 Build, the Filter Build bundled in this update package will get installed. It is observed that if a filter build, say with (x+n) version, is installed before the upgrade, then after the upgrade it will be changed to the (x) version. [Issue #: 35723]

• In the Applications Controls page, the Previously Saved and the Parent Group options are non-functional. [Issue #: 35716]

• Upon enabling the WCCP and the SSL termination (with Intermediate signed certificate configuration), SSL pages cannot be accessed. The below error message is displayed.

Error: “Internet Explorer cannot display the webpage.”

• After upgrading from USG 4.2.1 to USG 5.0 release, the FINRA lexicon contains only the keywords that were populated before the upgrade and does not contain any new keyword. [Issue #: 31854]

• Consider a scenario:
  ° WCCP is enabled in a VAP group having multiple VAPs
  ° A Squid NTLM authentication is configured to the above group

In such a scenario, any attempt to access HTTP traffic, and thereby verify authentication of users, results in an error. Error message "Cache Access Denied" is displayed. [Issue #: 31711]

• An iterative system behavior is observed whenever a browser is configured as an explicit proxy to access https traffic. [Issue #: 30543]

• If you are using MS SQL version 2000 or lower as the external database, you cannot upgrade to USG 3.0.

Workaround: Migrate to MS SQL version 2005 and then upgrade USG to version 3.0.

• Changes in behavior after upgrading from USG 1.0.1 (Build 7829):
    o In the following reports, the appliance displays 'Unknown' in the IP Address column for the data retained from the earlier build:
      ▪ Combined Usage Report
      ▪ Bytes Transferred by Interval Report
    [Issue #: 17748, 17749]

• If two separate custom policy violation notification URLs were specified for Malware and Web Filtering, only the URL that was specified for Web Filtering is retained. [Issue #: 18381]

• The Report Format Show All Transcripts is not available while performing an IM Transcript search with the criterion: 'All Employees'. The option has been removed as a search operation of this nature can be highly resource intensive in large enterprises and has the potential to degrade the performance of the security appliance. [Issue #: 18125]

• When a non-existing IP address is assigned for eth1 in a 3-port configuration, the appliance does not revert to a 2-port configuration. [Issue #: 14342]

• After upgrading the firmware from build 7829 to USG 1.2 of the security appliance, the default permission of the following application products appears as ‘block’ instead of ‘allow’:
    o Hopster and Tor (in the Anonymizer category)
    o GotoMyPC and SoftEther (in the Remote Administration Tool category)
    o TTT (in the Anonymizer category)

This happens due to the following reasons:
    o In build 7829, these products were categorized as P2P and had the default permission set to ‘block’.
    o In USG 1.2, the categorization of these products changed to Greynets.
    o The default permissions in USG 1.2 inherit the ones configured in build 7829.

[Issue #: 17961]

• When you upgrade the firmware from USG 3.1 (having FT-2046) to 4.1, and then to 4.1.1, the filter update version degrades from the latest build 2046 to the build 2044. [Issue #: 29379]

• When you upgrade USG 4.1.1 to USG 4.1.1 SP (build 8745), you will not be able to log in to the Public IM Networks through Proxy for a period of approximately one hour. This issue is observed only for USG configured for external MSSQL/MYSQL of low-end configuration machines or remotely located machines. [Issue #: 29901]

• Microsoft Office Communications Server System Buddy does not function after the firmware of the security appliance is upgraded from build 7829 to USG 1.2.

Workaround: To ensure that the Microsoft Office Communications Server System Buddy can log on:
  ° Go to Configuration > IM Network Settings > Enterprise Networks > Microsoft Office Communications Server.
  ° Enter the sign-in address in the System Buddy Sign-in Address text box.

[Issue #: 18091]

• When you upgrade from build 7836, the NTLM authentication check box on the Authentication Settings page is cleared automatically. However, the appliance continues to use the authentication method successfully. [Issue #: 18864]

• In the VMWare installation of the appliance, you cannot configure the port speeds of the virtual interfaces such as eth0 and eth1. [Issue #: 21971]

• In the VMWare installation of the appliance, the employee-level Applications tab takes up to 1 minute to respond. [Issue #: 23358]

• Firmware update fails if the database name includes space characters. [Issue #: 23598]

• While upgrading from USG 2.2 to USG 3.0, you may encounter warnings in the J2SSH console. This does not adversely affect the upgrade process in any way. [Issue #: 24753]

• After upgrading to USG 3.0, the File Transfer policies that were customized for groups before the upgrade inherit the ILP settings of the default group. [Issue #: 25615]

Licensing

• User’s passby access is blocked when their authentication cache expires after the license overrun grace period, and the user count has exceeded 105%. This occurs when the appliance is used in one of the following ways:
  ° Full License with authentication On.
  ° Base License with authentication Off.

Workaround: In both the above cases, users who are within the 105% limit will be allowed access if they are authenticated using the Proxy port until a valid license is applied. [Issue #: 15143]

• After the grace period of the user license expires, the appliance does not record an IP address as unlicensed if the IM network access permission is set to block. [Issue #: 17390]

• The Email version of the System Information report does not include the number and usage of proxy licenses. [Issue #: 25357]

• After the license and the license renewal grace period expire, web filtering policies are not applied and web traffic is not monitored. [Issue #: 23488]

User Interface

• A failure condition is encountered in the security appliance while uploading the proxy configuration with an SSL termination. This is observed when the SSL termination with an intermediate certificate is disabled. [Issue #: 34971]

• If the SSL termination is disabled in the security appliance, it is observed that the Upstream Rules based on the Destination and Packet header do not get applied for SSL pages. [Issue #: 38193]

• Consider a scenario where the Youtube Add To Favorites feature is blocked in the security appliance. In such a scenario:
  ° Log in to Youtube as an end-user.
  ° Navigate to Youtube > Select a video > Click Add To > Favorite
  ° In this case, two block messages are displayed instead of one block message. [Issue #: 35617]

• In Youtube, when the Flag a comment for Spam and the Vote Up/Down a comment features are blocked, appropriate block (error) messages are not shown to the end-user. [Issue #: 35608]

• In MySpace, a few navigation paths for Like and Status update do not show a proper block message. This system behavior is noticed even when the policy is getting triggered. This behavior is due to a technical limitation. [Issue #: 35330]

• When a Group reviewer has multiple groups, each containing pending moderated events, the number of pending events of only one group is notified. [Issue #: 35422]

• Moderator Notification is wrongly sent to a deleted Group Reviewer. [Issue #: 35437]

• [Moderator Notification] After approving pending moderated events, though the pending count is less than the threshold, a moderator notification is sent to the end-user. [Issue #: 35411]

• Since the Load Icon is displayed right at the page bottom, it is not easily visible. [Issue #: 35714]

• Any lexicon keyword which ends with . (dot) does not get highlighted in the generated transcript. However, moderation of these lexicons and content scan happens as expected. [Issue #: 32220]

• If offline transcripts are created for a network with a timezone and you change the timezone after a few days, then the system.log file will display an exception. [Issue #: 31887]

• [Upgrade] After upgrading to USG 4.1.1, the previous On-box proxy port setting (as configured earlier in USG 4.1) is not retained. The HTTP Proxy functionality (after the upgrade) fails because the port 3128 is not opened. [Issue #: 28914, 29799]

Workaround: Navigate to Configuration > Web Proxy Configuration > General Settings and modify the port as per USG 4.1 port configuration and save the settings.

• When you roll back from USG 4.1.1 to USG 4.1 release, with the On-box proxy port setting being other than 3128, then the On-box proxy functionality (HTTP Proxy) does not work. This is because the security appliance fails to open the port 3128. [Issue #: 29071]

Workaround: After the rollback, navigate to Configuration > Web Proxy Configuration > General Settings and assign the On-box proxy port to 3128.

• After upgrading to USG 4.1.1, if LDAP users are imported using the attribute sam.account.name, then the authentication fails. [Issue #: 29801]

Workaround: Before importing Samaccount usernames, navigate to https://usgip:8443/aeigs/editServerProps.do and modify the sam.account.names.enabled attribute to the “true” value.

• When a Squid SSL self signed certificate is created with a CN value and this certificate is uploaded in the Mozilla browser, the browser displays the Untrusted Certificate Warning message when you access any https website. [Issue #: 29515]

• In Mozilla, uploading the squid.conf and smb.conf files to squid through the user interface fails. [Issue #: 28218]

• In Mozilla, uploading the SSL certificate fails. [Issue #: 28238]

• When a Squid SSL self signed certificate is created with CN value as only "*" and the certificate is downloaded and uploaded in any browser, the browser displays the Untrusted Certificate Warning message when you access any https website. [Issue #: 29529]

• The administrative user interface does not display an error message when an invalid PCAP file is uploaded on to the appliance. However, errors are reported in the USG_system.log file. [Issue #: 14677]

• When the appliance is switched from a 3-port deployment to a 2-port one, the IP address assigned to eth1 is not released. Hence, eth2 cannot be assigned the IP address that was assigned to eth1.

Workaround: Before changing the deployment, release the IP address assigned to eth1 by assigning the default IP address (192.168.1.2) to the port. [Issue #: 14563]

• The User Interface shows that the Secure Computing license has expired even after a new, valid license is uploaded after the expiry of the previous one. [Issue #: 15074]

Workaround: After uploading the new license, log out of the appliance and log on again.

• Employee registration page will not be displayed for the users trying to register using Lotus Notes Web browser.

Workaround: Employees need to use Internet Explorer browser for registration. [Issue #: 16895]

• The Employee Registration page is not displayed for unmapped Apple iChat users. [Issue #: 23540]

• The administrative user interface does not display the IP Address and CIDR values configured for filtering Network Activity Log on the Runtime Logging page. [Issue #: 20892]

• The number of buddies listed against the IM Buddy (Past 24hrs) field on the Reporter’s or a Group Reporter’s Dashboard is not accurate. [Issue #: 25464]

• The Web Users column of the Top 10 Users (Past 24 hrs) report on the Reporter’s or a Group Reporter’s Dashboard displays duplicate records for each employee record. [Issue #: 25468]

• The Group Reporter’s default Dashboard view appears truncated when it is accessed using Internet Explorer version 8.0. However, the Dashboard works as expected in earlier versions of Internet Explorer. [Issue #: 25481]

• When the pods on the Dashboard that contain user-defined reports are minimized and maximized, they do not display any data.

Workaround: Reload the Dashboard to view the data on the pods. [Issue #: 25511]

• When an employee is deleted from a group the name of which contains the character “%”, the Groups & Employees page appears blank. The log file also shows an exception. [Issue #: 25536]

• The appliance displays a Server Error page when the only directory that is configured is deleted from the LDAP settings page.

Workaround: Instead of deleting the directory, the directory must be disabled. [Issue #: 25586]

• If the Group Reporter belongs to a group which has multi-byte characters in its name, the Welcome pod on the dashboard is not displayed. [Issue #: 25368]

• The administrative user interface becomes unresponsive when an Email address with a top-level domain (TLD) of more than 20 characters is specified on the SMTP Settings page or the New Employee page. [Issue #: 21904]

• When some actions are blocked under Moderation and Archiving policy, the Applications Reports display source IP as 0.0.0.0 for SaaS. [Issue #: 28071]

• If the “certnew.p7b” file is created with Key algorithm selected as “DSA-1024” and Signature algorithm as “SHA1”, then uploading the certificate file to on board Squid SSL Termination does not work. [Issue #: 28321]

• When an Authentication rule for on board Squid is created with Destination as “Any”, the Destination Type, Destination, and Custom Type columns for that rule are empty after saving the rule. [Issue #: 28242]

• When an ICAP rule for Source IP is created having Request as Forward and Response as Donot Forward, access to any website matching a lexicon is blocked. [Issue #: 28280]

• When a Request MIME Type NTLM Rule is created with Authenticate set to Yes, an NTLM pop-up is displayed while uploading a photo. [Issue #: 28258]

• When ISA proxy is used, streaming videos are not seen even when no File Transfer policies are configured. [Issue #: 29006]

Workaround: If you are using ISA Proxy with Itiby Filter, contact Actiance Customer Support to understand the workaround.

• Rollback from USG 4.1.1 to USG 4.1 8656 with swupdate account shows some errors but rollback is successful. [Issue #: 29158]

• (On board Squid) When an authentication rule is created either to authenticate or not for a Request Mime Type, the rule works as expected for the created Request Mime type. But the rule also gets applied to any other Mime type rules starting with a similar definition. [Issue #: 28348]

• (On board Squid) If any authentication rule or ICAP rule is deleted after creation, then the same rule cannot be generated again. [Issue #: 28762]

Social Networking

ó Any keywords with a white-space get posted without blocking or moderation. This behavior is noted in all three social networking websites namely Twitter, LinkedIn and Facebook. [Issue #:27189]

ó Facebook Unlike and Facebook Remove Comment are not blocked in Passby mode. [Issue #: 29304]

ó Updating status in Linkedin, uploading photos in Facebook and posting link to Facebook network as Send Message are not blocked in the Passby mode. [Issue #:29279]

ó Blocking Facebook PostPhotoWall and on uploading the photo, half way through the process, upload process hangs without any block page. [Issue #:29117]

ó When the Facebook RecordVideo is blocked, and upon recording the video no block page is displayed but an error message is displayed for the user to login back to Facebook. [Issue #: 29118]

ó If Moderation and archiving policy is created for home page with action as block for any Socnet then Appliance blocks Socnet’s default page also [Issue #: 28065]

ó The username validation is case sensitive while logging into social networks. [Issue #: 27836]

ó The moderation disclaimer message stays on the Twitter page until the user reloads the page. [Issue #: 27409]

ó Once the limit of post message requests per Facebook buddy name per day is reached, Moderator Facebook takes up to two days to allow the application posts onto the Facebook network. [Issue #: 27810]

ó When a status update is posted in the Firefox browser (version 1.0) on Red Hat Linux, the UI displays HTML/JavaScript code instead of the moderation popup message. [Issue #:27535]

ó Clicking a social networking transcript navigates to the Transcript tab page, which shows a “Service Error” message, and an ArrayIndexOutOfBound exception is logged in system.log for the Facebook network. [Issue #: 27638]

ó Refreshing the User Activity Transcript throws an ArrayIndexOutOfBound exception for LinkedIn networks. [Issue # 27707].

ó When an appliance with an internal database (USG2) joins the cluster of another appliance with an external database (USG1), USG2 loses its data and only data pertaining to USG1 is displayed. [Issue #: 27454]

ó Auth Servlet page is not displayed properly with Internet Explorer 6. [Issue #: 27805]

ó Moderation e-mail asking user to authorize does not contain buddy name. Hence, when user has multiple buddy names the information is not clear as to which SocNet buddy needs to be authorized. [Issue #: 28000]

ó Socnet Policies are not applied for IP-based group created with authentication. [Issue #: 27657 ]

ó Manual mapping of socnet buddynames to an employee fails. [Issue #: 28579 ]

Twitter

ó Even after blocking, the block page does not get displayed for Twitter follow and Twitter Unfollow options. [Issue #:29780]

ó If a Twitter feature (such as Profile or Direct Message) is changed from “Blocked” to “Allowed”, the security appliance still blocks the feature when you attempt to use it.

Workaround : Delete the browser cache and then use the Twitter feature that was previously “Blocked” and is now “Allowed” in the security appliance. [Issue #: 29765]

ó No user-friendly error message is displayed when Twitter External Widgets are blocked and the tweet button is clicked. [Issue #: 29240]

ó Using the List feature on the Home page generates no transcript. [Issue #: 27576]

ó In SaaS deployment, when Moderator and Archiving policy is created with store and block enabled, the sender column of the transcripts displays [email protected]. The number 3 is the employeeId and 0.0.0.0 is the IP address. [Issue #: 28084]

ó Duplicate content is generated in corresponding transcripts when you access Followers page or Following page more than once. [Issue #: 28067]

ó When the "Twitter Send Message (Direct)" is blocked, if you click "Message" in friend's profile in the Twitter UI, Save dialog box is displayed instead of the block page. [Issue #: 29479]

Facebook

ó When a message is sent from an External Profile Account to an already Authorized Buddy Fan Page, that particular message does not get archived. [Issue #: 37016]

ó It is observed that the forwarded messages do not get archived. This issue is not observed if a new message is created while forwarding. [Issue #: 36986]

ó Messages sent to Personal Email IDs get archived but the list of Participants is not displayed. [Issue #: 36995]

ó It is observed that the message which is sent along with an attachment or a video capture does not get archived. [Issue #: 36969]

ó Chat messages sent by a Group to its members do not get archived. [Issue #: 37019]

ó At the Blue Coat [ICAP], offline authorization for Facebook fails due to error - Request Error (invalid_request). [Issue #: 36865]

ó If a moderation and archiving policy is created for Facebook with the Photo Upload feature enabled, an ICAP Protocol error is occasionally noticed when employees perform a photo upload activity. [Issue #: 27479]

ó The data fetch operation fails due to some unsupported fields in Facebook APIs. [Issue #: 30635]

ó Consider a scenario where:

° a Group page is owned by two users, say user A and user B.

° user B, a non-employee, is also being added as an owner of this page.

In the above scenario, it is observed that, even when user B has revoked the Group Page Ownership from the actual owner [user A], transcripts are still created in USG. [Issue #:30391]

ó In Facebook’s Group > Post Comments section, if a user comments by posting a URL link, no transcript data is generated. The PHP script associated with the transcript fails to fetch the required data. [Issue #:30174, 30171]

ó An error message is displayed if you attempt to delete from the transcript data a post/message that has already been deleted from Facebook pages like Fan, Group or User Profile. [Issue #:30168, 30173]

ó Comments made on older posts for sections like User Profile, Fan or Group Resources are not being moderated. [Issue #:30165 and 30780]

ó In Facebook’s Fan Resource > Photos page, for a parent post, both manual and auto delete functionality is not working. A similar behavior is also observed for the Fan Resource > Events page. However, comments posted in these sections are being successfully deleted. [Issue #:30164, 30161]

ó Events that are posted under the Group > Wall page are not being archived for moderation. [Issue #:30154]

ó For the Fanpage > Link section, any links that are being posted as comments are not being archived for moderation. [Issue #:30152]

ó After blocking from usage control, Facebook’s Create Profile page does not display any blocking message. [Issue #:29376]

ó After an authentication time expiry, even for a mapped Facebook buddy, the system displays the “auth servlet”, along with the authorization link. [Issue #:27373]

ó Arrangement of posts/comments in the Events section is not being performed in an orderly manner. [Issue #:30489]

ó Upon enabling options like the Enforce Time Quota or the Coach, the SafeSearch functionality reports an error. [Issue #:29110]

ó Instead of the Social Networking policy type, the Policy Object for Moderation is currently being controlled by the Policy Type Web. [Issue #:27753]

ó Chat is not blocked in passby mode. [Issue #: 29137]

ó Posting links from homepage and Profile wall is not blocked in passby mode. [Issue #: 29133]

ó Facebook Like is not blocked in passby mode. [Issue #: 29131]

ó Facebook Wall Comment is not blocked in passby mode. [Issue #: 29130]

ó When the Facebook products such as Links, Photos, and Applications are blocked and Okay button on the block popup is clicked, the page navigates to the Profiles page. [Issue 29014]

ó Approving already rejected posts shows error in the user interface, posts are posted successfully to Facebook but Review state is displayed as "Rejected" in Transcripts. [Issue 28422]

ó Blocking of the Facebook chat application is inconsistent. [Issue 28330]

ó Approving message fails with error "Error finding the requested story (Error Code: 100)". [Issue 27974]

ó When you are using Blue Coat as a proxy server, visiting Notes creates transcripts with incorrect buddy names. [Issue #: 28090]

ó When you are using Blue Coat as a proxy server, the transcripts for the Messages page display an incorrect buddy name. [Issue #: 27887]

ó Facebook search block under Usage Control fails, if the search has been used prior to the block. Using Facebook search creates cache of the browser information. [Issue #: 28091]

ó Sometimes a message does not get posted and an error message is displayed. [Issue #: 28078]

ó When a note includes an image, text after the image is not parsed. [Issue #: 27153]

ó Approval of Facebook message from Moderator fails when buddy changes the password. [Issue #: 27426]

ó When used with Firefox V-1.0 OS - RHEL (ES release 4), the Moderator Event transcript of a Status Update message displays a ‘+’ symbol if there is space between two words. [Issue #: 27536]

ó You can access the Facebook Request feature, even when the Facebook Request under Feature Access Control of Facebook is blocked. [Issue #: 29814]

LinkedIn

ó It is observed that few lexicon keywords (both FINRA and user-created) are not getting highlighted in transcript fields like Associations and Honors, Interest and Groups on LinkedIn’s Edit Profile page. These fields are getting moderated and are displayed as flagged under the Event Pending Moderation transcripts. [Issue #: 32268]

ó The moderation bar is visible on the LinkedIn login page. Ideally, the moderation bar should be visible only after login. [Issue #: 32214]

ó Complete Home Page data is getting appended in the same Home Page transcripts on multiple visits of LinkedIn Home Page. [Issue #:27664]

ó Approved message is not displayed on the Home page for some LinkedIn buddies. However, they are displayed on profile page. [Issue #: 27954]

ó If an M&A policy is created for LinkedIn "group discussion post" and you post a message exceeding the maximum allowed limit on the group discussion page, the LinkedIn UI displays an error message and does not allow posting the message. However, a transcript is created with all the information and includes all characters even if the message is more than the allowed limit. [Issue #: 29683]

ó While creating groups in LinkedIn, if an error message is displayed due to a wrong entry, you will not be allowed to create the group. However, a transcript is created for the newly entered group name. [Issue #: 29677]

ó USG archives the contents from all the text fields of LinkedIn even when the contents exceed the maximum character length or contain invalid characters, or when mandatory fields are empty. [Issue #: 29531]

ó On Windows 7 or Windows XP, if you try to post a message for a blocked post control in LinkedIn using Internet Explorer version 8.0, the system displays a Runtime error message. [Issue #: 29876]

ó When a message having more than one buddy in the “To” field is read from the Inbox, the transcript that is generated does not display the Buddy IDs. [Issue #: 32361]

Malware

ó When unregistered users try to access a URL blocked under malware or Web filtering policies and global authentication option for unregistered users is disabled:

° the system allows access for the first time, even when the policy is set to block the URL.

° for all subsequent attempts, the system blocks the URL based on the policy.

[Issue #: 18046]

Web Filtering

ó Single sign-on was unexpectedly not functional for desktops in the corporate domain when authentication is initiated by the USG Squid. [Issue #: 28699]

ó When Static Manual Routing is configured, Squid NTLM Auth is not functional unless Squid services are restarted [Issue #: 28335]

ó During upgrade from appliance 2.0 to 3.0, the appliance repeatedly crashes.

Workaround : Select Actiance Web Filtering (Version 2) in the web UI under Configuration > Web Filtering Vendor and Licensing option. [Issue #: 25815]

ó The friendly notification page is not sent to the Web browsers connecting through the ISA proxy when users attempt to access URLs belonging to a Coached or Blocked category. As a result, the users will not be able to visit a coached web site. [Issue #: 12982]

ó Since TCP redirects cannot be sent over SSL, the appliance does not display the 'coach' page or the 'block' page to users when they access SSL-based Web sites. [Issue #: 14520]

ó The system applies the File Type policies, Black List and White List rules to all URL access attempts on the enterprise network even if 'No Web Filtering' option is chosen on the Web Filtering Vendor and Licensing page. [Issue #: 14645]

ó The system does not report the IP address of the source machine when a White List rule, defined based on a source IP address, is triggered. [Issue #: 14654]

ó After you provide a license key for using a different Web filtering database, the current database gets disabled on the Web Filtering Vendor and Licensing page. However, the URLs are categorized according to the new database only after you explicitly select it on the Web Filtering Vendor and Licensing page. [Issue #: 14777]

ó The system does not monitor or categorize URLs during the download of the SurfControl Web filtering database. However, the URLs are categorized as 'Unknown' and the respective policies are applied during the download of the SmartFilter database. [Issue #: 14790]

ó Web filtering reports do not display data corresponding to unmapped employees:

° for Whitelist and Blacklist.

° for Hits in the Custom Reports even though the number of Hits is accurately reported.

Workaround : Use the criterion "Detail list of hits by Employee ID" to get the data on unmapped employees. [Issue #: 14465]

ó In SmartReporter, you will not be able to view the following information of the URL access logs that were exported in the Squid SFV4 Native or Squid Native format:

° User name of the employee

° Name of the category to which the accessed URL belongs. Instead, category ID is displayed in the logs.

° HTTP status codes

[Issue #: 13720]

ó End-users cannot respond to the Web Filtering policy notification pages, which appear without scrollbars in the web browser.

Workaround : To proceed, the end-user needs to perform the following steps:

° Click and drag the notification message to view the Yes and No buttons on the page.

° Click Yes or No button as appropriate.

[Issue #: 14129]

ó Occasionally, the security appliance displays browse time incorrectly in Web Filtering reports. [Issue #: 20517]

ó Occasionally, websites that belong to the Intranet of your organization are categorized incorrectly in the Web Filtering reports. [Issue #: 20737]

ó If an updated version becomes available while downloading Actiance Web Filtering Database Version 2 for the first time, the database will not be successfully downloaded.

Workaround : Restart the security appliance and try to download the database. If you are not able to download the database successfully using this workaround, contact Actiance support. [Issue #: 19686]

ó Occasionally, you may observe that the web pages do not get loaded completely. This problem occurs if the appliance blocks the categories to which the files required for rendering the pages belong. [Issue#:20702]

ó Blacklist, block, coach, and quota notification pages do not display the ports accessed by users although port-based Web Filtering policies are configured. [23450]

ó Reports do not display the HTTPS ports accessed although HTTPS port-based Web Filtering policies are configured. [Issue#:23451]

ó Actiance Web Filtering database (Version 2) download fails while using HTTP-Basic and NTLM authentication if the password contains special characters. [Issue #: 23475]

ó The appliance does not report byte count for URLs accurately. [Issue #: 23413]

ó When the name of a Custom Category includes multi-byte characters, the notification pages sent to the users do not display the category name correctly. [Issue #: 23379]

ó The appliance cannot categorize URLs containing multi-byte characters into a Custom Category. [Issue #: 23387]

ó Names of Custom Categories with multi-byte characters are not displayed correctly on the administrative user interface. [Issue #: 23514]

ó Web Filtering categories that are coached are not listed on the Policy Summary page. [Issue #: 25149]

ó When a URL and a port number combination are added to the Black List, users are blocked from accessing the specific URL even when the port number is not used. [Issue #: 25483]

ó The appliance does not prevent the user from importing invalid CSV files and file types on the Custom Category configuration page. [Issue #: 23386]

ó The appliance does not categorize URLs with port numbers into Custom Category. [Issue #: 23472]

ó Even though a web filtering category is disabled, the appliance applies the web content scan and file transfer policies that are created based on the category. [Issue #: 25019]

HTTP Proxy and Content Scanning

ó Whenever keywords are imported through a CSV file, it is observed that these keywords are not getting highlighted in the transcripts. However, the system behavior is normal for moderation and archival functionalities. [Issue #: 32317]

Workaround: Navigate to Default Group Policy> IM > ILP/Restricted Phrases and enable the imported keyword.

ó When the USG is not configured with any Content Scan or File transfer policies and using ISA Itiby in HTTP Proxy mode, the browsers are timed out when downloading files (For example: 4 MB). [Issue #: 29233]

Workaround : If you are using an ISA Proxy with Itiby Filter, contact Actiance Customer Support to understand the workaround.

ó Content Scan reports do not show the file name header when HTTP content is scanned. [Issue#:25688]

ó When a backup of the appliance's configuration is restored, the customized web content scan policies are not restored. [Issue #: 25689]

ó The appliance does not send an Email notification when content scanned files are automatically purged. [Issue #: 25451]

ó When Content Scanning policies are configured to store, alert, block, and block unsupported or encrypted files, although the files are blocked, the appliance does not:

° Store the files.

° Send Email notifications. [Issue #: 25533]

ó When Content Scanning policies to store, alert, and block unsupported files are violated, the reports display invalid Policy IDs. [Issue #: 25534]

ó When Content Scanning policies are configured to block unsupported files, MS Office 2007 files are blocked. [Issue #: 25546].

ó Policy conflict resolution does not function correctly when an employee belongs to two groups and the Content Scan policies of the groups have the following conflicts:

° The "Distinct" option is chosen in the Lexicons section of one policy.

° Different options are chosen in the Actions section of each policy. [Issue #: 25594]

ó When the appliance is deployed with an HTTP proxy server, the users may experience delay while downloading files that are larger than 1 MB. The users' computers may hang if they try to download multiple large files simultaneously. [Issue #: 25626]

ó After the appliance blocks a Facebook message that violates the Content Scanning policy, all subsequent messages sent by the Facebook user are blocked. [Issue #: 25247]

ó The appliance does not apply Content Scanning policies if keywords include white spaces. [Issue #: 24505]

ó The appliance does not apply Content Scanning policies on instant messaging over IM Portals. [Issue #: 24669]

ó When the appliance is deployed in the HTTP proxy mode, users do not receive disclaimer messages. [Issue #: 24743]

ó The appliance does not apply the Content Scanning policy when both the URL category and URLs are added manually to the same policy.

Workaround : Add URLs and URL categories into different Content Scanning policies.

[Issue #: 24976]

ó When the appliance is deployed in the HTTP proxy mode, it does not send policy violation notifications to the syslog server. [Issue #: 25003]

ó When a web file transfer policy is configured to block files that are larger than 1 MB, the appliance does not display the policy violation notification to users when they violate the policy. [Issue #: 25101]

ó When the appliance is deployed with Blue Coat proxy server, the users will experience delay while accessing SSL web sites. Occasionally, the web browser may also time-out. [Issue #: 25647]

IM

ó AIM client version 6.0.28.1 is blocked when:

° AIM network is allowed under the Default Policy.

° Policies are enforced in the Passby Mode.

The client is allowed when the appliance is set to Discovery in the Passby mode. [Issue #: 12660]

ó In an IM conversation involving only two Sametime 7.5 clients, emoticons are not delivered or audited by the appliance. [Issue #: 12659]

ó On Sametime 7.5, an unmapped buddy name and an external user exchanging data using the “capture part of screen” feature do not receive the system message for permission denied even if the "Allow Peer-to-Peer (P2P) Client Connections via Accessible IM Networks" permission under File Transfer Privileges page is set to NO.

ó On Sametime 7.5, the system message for permission denied is not displayed in the conversation window when:

° "Allow Peer-to-Peer (P2P) Client Connections via Accessible IM Networks" permission under File Transfer Privileges page is set to NO.

° An unmapped buddy name and an external user exchange data using the “capture part of screen” feature.

[Issue #: 12658]

ó Conversation transcripts display invalid characters such as "&# 160;" for blank messages sent on Sametime 7.5. [Issue #: 11894]

ó When the appliance is deployed in the stealth mode, conversations between LCS buddies managed by Chinese wall policies are not audited correctly:

° A blank conversation is audited with the start and end time stamps.

° System messages are not audited. [Issue #: 12926]

ó URLs sent over the AIM client in the format www.example.com are blocked although they are allowed using the "Block all incoming URLs Except" option. [Issue #: 12662]

ó When a file transfer between two LCS users exceeds the allowed file size limit, the system audits the system message configured for Permission denied. [Issue #: 12899]

ó When the appliance is deployed in the Passby mode, messages exchanged between MSN buddies are audited as P2P in the reports. [Issue #: 13456]

ó When the Chinese wall policy is configured using the setting “Can communicate with all groups EXCEPT” for Sametime 7.5 users, the appliance allows conversations between all groups. [Issue #: 13621]

ó When the Chinese wall policy is configured using the setting “Can communicate ONLY with these groups” for Sametime 7.5 users, the appliance blocks conversations between them. [Issue #: 13622]

ó All messages exchanged by Sametime clients in the Sametime Meeting Center are audited twice in the system. [Issue #: 13656]

ó In the Proxy mode, the appliance does not block access to games over Yahoo! 8.x clients when the "Allow Peer-to-Peer (P2P) Client Connections" setting is configured to NO. [Issue #: 11511, 11767]

ó In the Enforcement mode, the appliance does not block file transfers and P2P traffic on the GoogleTalk network. [Issue #: 11793]

ó The authentication URL for registering unmapped buddy names is not hyperlinked on AIM Pro client version 1.3.0. [Issue #: 13528]

ó Email alerts on the use of restricted phrases by employees are not sent to the reviewer’s email address even though the SMTP settings and the reviewer’s email addresses are configured in the system.

Workaround : Specify the reviewer’s email address on the Restricted Phrases page. [Issue #: 13583]

ó When the appliance is deployed in the Passby mode, the message counts for IM clients are not reported accurately. [Issue #: 14321]

ó The appliance creates more than two transcripts for each voice conversation over Google Talk. [Issue #: 14207]

ó Occasionally, the appliance creates multiple transcripts for conversations over MSN messenger 7.0 if any files were transferred during the conversation. In such cases, you will observe that the appliance creates:

° One transcript for the conversation until the file transfer was initiated. The transcript indicates that the conversation has ended even though the file was transferred successfully and messaging continued after the file transfer in the same IM session.

° Another transcript containing details of the file that was transferred and the messages that were exchanged after the file transfer.

[Issue #: 14059]

ó When access to Google Talk client is blocked, each logon attempt to the client is reported as four different events in the IM reports. [Issue #: 12722]

ó If employees are allowed to view their personal reports, they can successfully log on to the appliance even if it is not deployed in the Proxy mode. [Issue #: 14608]

ó The 'View Personal Reports' settings in the IM tab » General Settings tab of the unmapped group policy are not applicable to the group. [Issue #: 14716]

ó The appliance does not monitor, block, report, or log Jabber IM traffic events over port 5223. [Issue #: 14780]

ó Although the employee records are disabled, the Domain Controller successfully authenticates the employees if their records exist in the system. [Issue #: 14805]

ó Files sent over an IM network are not successfully transferred when you edit the domain name(s) associated with the following file transfer policies:

° Allow incoming from all domains except...

° Block incoming from all domains except...

° Allow outgoing to all domains except...

° Block outgoing to all domains except...

When some Web filtering categories containing URLs used by MSN are blocked, the employees cannot successfully log on to the MSN network. [Issue #: 12964]

ó When you delete an existing LDAP-based group and add it again with the same name and employee search criteria, the group does not get listed on the Policy Groups page. However, the employee accounts are retrieved successfully from the LDAP server and listed on the Employees page. [Issue #: 13626]

ó After searching for a transcript using advanced search criteria, you will observe that:

° The first time you want to revise the criteria on the search results page, the system provides the advanced search options.

° For all subsequent revisions of criteria, the system provides only the basic search options.

[Issue #: 12814]

ó You may observe that an employee is prompted to create a new account through the My Profile page even if the account already exists in the system. This occurs when the user name format specified by the employees during NTLM authentication is different from the one associated with their records in the system.

In such cases, the settings specified on the My Profile page are not saved by the system. However, the buddy name will be successfully mapped to the employee record in the system. [Issue #: 15132]

ó When a file is opened or downloaded from the transcripts, the spaces in a file name are replaced with ‘+’ character. [Issue #: 16141]

ó The system does not audit the audio or video conference invitation message sent over an n-way chat on the OCS network. Also, the conference event is not graphically represented in the transcript. [Issue #: 16000]

ó On the OCS network, the system reports the status of participants as online for conversations involving failed audio and video events although the IM session is closed. [Issue #: 15971]

ó When the inter-group communication is blocked between two groups, the system does not audit the blocked message. However, the system message for blocked conversation gets audited in the transcript. [Issue #: 15963]

ó The appliance does not audit the system message when a restricted phrase with block incoming permission applied to a group is sent over IM conversation that involves the group. [Issue #: 15946]

ó In an n-way chat on the OCS network, the system message for a blocked restricted phrase is audited only for one participant. [Issue #: 15944]

ó When file transfers are blocked in IM conversations over the OCS network, the sender’s transcript contains only the system message for the blocked event. [Issue #: 15914]

ó The audio or video invitation sent over the OCS network gets audited twice in the system. [Issue #: 15910]

ó The system does not block Day zero URLs sent over the LCS network immediately. However, the URLs are blocked after the LCS connector refresh interval or when a new session is initiated between the users. [Issue #: 15721]

ó The system does not manage background images (IMVironment) over Yahoo! network.

Workaround : Set the Peer-to-Peer permission under File Transfer Privileges to 'No' to block the background image feature. With this setting, however, the system will block all the IM client features that use Peer-to-Peer connection.

[Issue #: 15856]

ó Occasionally, the LCS connector fails to start when the LCS service is restarted. [Issue #: 16967]

Workaround : Manually restart the USG LCS connector service.

ó The system does not manage photo sharing in IM conversations over Yahoo! network. [Issue #: 17231]

ó When custom emoticons are exchanged over the MSN network:

° The appliance does not block the emoticons even though the permission is set to block

° The keyboard shortcuts related to the emoticons are delivered to the recipient

° The policy violation notification is sent to the recipient

° The policy violation notification is recorded in the conversation transcript

[Issue #: 17215]

ó When an external Yahoo! user communicates with an internal LCS user connected through the appliance, the system records the conversation in multiple transcripts. [Issue #: 16772]

ó For audio and video sessions over AIM 6.5 or later, the system audits irrelevant messages along with the conversation messages. [Issue #: 16825]

ó Although URLs are matched, the associated policy is not applied when “?” is used as a wild card character in URL patterns configured for the following options:

° Block all outgoing URLs EXCEPT option. URLs allowed using this policy are blocked by the system.

° Allow all incoming URLs EXCEPT option. URLs blocked using these policies are not blocked by the system.

For example, allow or block policies are not applied for URLs that are specified in the pattern: www.xyz.??? or www.????.com

Workaround: Use the wild card character ‘*’ in URL patterns (for example: www.xyz.*, www.*.com) [Issue #: 16723]

ó IM conversations involving an MSN user and a Yahoo user are not routed locally although the appliance is configured to do so. [Issue #: 16689]

ó When users log on to the LCS network using Microsoft Office Communicator (MOC) client and Windows Messenger client (version 5.1.0639), the first message sent by the former gets audited twice by the appliance. However, the appliance audits the messages correctly when the Windows Messenger user initiates the conversation with the MOC user. [Issue #: 16598]

ó In LCS conversations involving Microsoft Office Communicator (MOC) and Windows Messenger users:

° The Windows Messenger user does not receive the privacy disclaimer if the conversation was initiated by an MOC user. But when the Windows Messenger user replies to the message, the MOC user receives the privacy disclaimer.

° Both the users receive the privacy disclaimer when the conversation is initiated by the Windows Messenger user.

[Issue #: 16596]

ó In an N-way chat between three or more OCS client users, the appliance records the status of the participant who initiated the chat as online, even if the participant has signed-out. [Issue #: 16199]

ó When a blocked file type is sent repeatedly in an IM conversation over the Sametime network using client version 7.5, the sender:

° receives the policy violation message only once

° receives a chat invitation

However, the system blocks the file and the transcripts display the following message after the chat invitation message:

"Topic: File Transfer Meeting Message: Please receive this file transfer"

[Issue #: 16004]

ó When LCS or OCS users send restricted phrases or URLs blocked for both incoming and outgoing messages, the policy violation message displayed by the system buddy will be incorrect. However, the appliance audits the correct message in the transcripts. [Issue #: 15981, 15994]

ó Occasionally, you may observe that the layout of reports is inconsistent in Mozilla Firefox.

Workaround: Clear the browser cache and access the reports again. [Issue #: 18307]

ó Custom emoticons and screen shots sent in conversations over the following networks are saved in the transcripts only if the Store Transferred Files option is enabled:

° MSN

° Sametime

[Issue #: 18315]

ó When static manual routing is used, file transfers over AIM 6.5 fail if one of the participants is not connected through the appliance. [Issue #: 18097]

ó When restricted phrases are sent repeatedly in quick succession in an N-way chat using OCS clients, the appliance audits them only once. [Issue #: 15993]

ó When an infected file is blocked, the System Buddy does not send the disclaimer message to LCS/OCS client users. However, the conversation transcript includes the appropriate disclaimer message. [Issue #: 15982]

ó In an N-way chat using LCS IM clients, the appliance audits both incoming and outgoing policy description messages in any of the following events:

° When the user sends a restricted phrase that is blocked for both incoming and outgoing messages

° When the user sends URLs that are blocked for both incoming and outgoing messages

° Anomalous contact list behavior (Day-Zero Worm) that is blocked for both incoming and outgoing messages

[Issue #: 15935]

ó When an LCS user participating in an audio conversation engages in video transfer in the same conversation window, the appliance:

° Creates two separate transcripts to audit the events.

° Does not audit the message “Conversation ended” in transcripts created before the video transfer, even after users log out from their IM clients.

° Shows the buddies as online even after they have logged out from their IM clients.

[Issue #: 15921]

ó The appliance does not block voice chat over Sametime client version 7.5 even if it is configured to do so. Also, when voice chat is allowed, the security appliance creates five transcripts with the recipient’s name missing in the fifth one. [Issue #: 15905]

ó When Kerberos authentication is enabled, the buddy name registration URL does not appear as a hyperlink in AIM 5.9 clients.

Workaround: The users must copy the URL that is displayed in the client window and paste it in a browser to access the buddy name registration page.

[Issue: 17292]

ó The appliance does not display the System Buddy’s disclaimer message to the LCS or OCS users when:

° A virus-infected file gets blocked during the conversation

° The anti-virus server is unavailable

However, the appliance audits the appropriate disclaimer message in the transcripts.

[Issue: 15982]

ó The appliance does not manage voice chat on MSN client versions 8.1 and 8.5. [Issue #: 15758]

ó A non-employee, who is not in the buddy list of an employee’s Yahoo client, does not receive a privacy disclaimer when:

° the IM conversation is initiated by the employee.

° the Show Privacy Disclaimer option is set to No in the global policy

[Issue #: 15666]

ó The appliance does not provide IM compliance for Yahoo IM client version 9.0.0.797 Beta since the client:

° Bypasses DNS routing

° Cannot use the appliance as a SOCKS proxy

[Issue #: 15523]

ó When the security appliance is deployed in the passby mode, log on attempts made by MSN 8.1 client users fail if they belong to a group that has:

° all URLs blocked

° all IM networks allowed

Workaround: Allow the following categories of URLs for all the users:

° unknown

° computing&internet

° chat

° infrastructure

[Issue #: 17333]

ó If the Use Collaboration permission is denied and a user sends a message using the Handwriting feature of MSN (7.0 or later), the appliance audits the conversations as follows:

° Permission denied message is audited in the transcript that corresponds to the user who tried to send the message.

° An invalid message is audited (thrice) in the transcript that corresponds to the other participant.

° Conversation Ended message is audited in the transcripts of both the participants as soon as the feature is used. The appliance creates new transcripts for the remaining conversation by the participants.

[Issue #: 15763]

ó The appliance does not audit the policy violation messages in the transcripts of conversations involving OCS users in an N-way chat if they send:

° A restricted phrase that is configured to be blocked for incoming messages

° A Day Zero Worm URL that is configured to be blocked for incoming messages

° An application URL that is blocked by the appliance

[Issue #: 15934]

ó The security appliance does not manage the following features on the Yahoo IM network:

° Nudge

° Audibles

[Issue #: 17255]

ó When users enable the Real-Time IM or the Direct IM (Picture Sharing) option in AIM 6.8.x clients, the appliance does not:

° Apply any of the IM compliance policies.

° Audit the messages that are sent after enabling the feature.

[Issue #: 18647, 18648]

ó When users enable the Direct IM (Picture Sharing) option in AIM 6.5.9.1 clients, the appliance does not:

° Apply any of the IM compliance policies.

° Audit the messages that are sent after enabling the feature in the transcripts.

[Issue #: 18648]

ó The appliance does not manage voice chat over Yahoo! IM clients. [Issue #: 15735]

ó When sign-on permission is denied, BlackBerry users do not receive the appropriate disclaimer while attempting to log on to the Sametime network. [Issue #: 20107]

ó When the appliance is deployed with a BlackBerry Enterprise Server, the first log-on attempt made by the first BlackBerry Enterprise Messenger user fails. However, subsequent attempts made by the same user and the first attempt made by other users are successful. [Issue #: 20105]

ó In the passby mode, IM conversations of GoogleTalk users who are already logged on cannot be blocked using a Policy Object. [Issue #: 20099]

ó The appliance does not block access to the AIM network through AIM Pro clients when secure connections are used. [Issue #: 20909]

ó When the appliance is deployed in the Enforcement mode, audio and video sessions using MSN Messenger 8.1 IM clients are not detected. [Issue #: 20096]

ó When the appliance is deployed in the Enforcement mode, AOL users are automatically logged out from the client when they:

° violate a file transfer policy.

° engage in a blocked P2P event (audio, video, or games).

[Issue #: 20634]

ó When a user logs in to the MSN client through Trillian and converses with a buddy on the network, the appliance reports the IM activity as P2P events. [Issue #: 20696]

ó If P2P is blocked over MSN, the appliance blocks file transfers over the network and reports such events twice: as P2P and File Transfer events. [Issue #: 20409]

ó The appliance does not detect the video communication on AOL clients. [Issue #: 20885]

ó When a virus-infected file is blocked in an IM conversation over WLM 2009, the user will not be able to send any other file during the conversation. However, the user can continue sending instant messages in the same session.

Workaround: The user must log out and log in to the WLM client to be able to transfer files successfully.

[Issue #: 25944]

ó WLM 2009 does not log in in the passby mode when Internet Explorer browsers are configured for Onbox squid. [Issue #: 28423]

ó PIM users do not receive notifications from the system buddy when they send a restricted phrase to an OCS user if the connector is installed on an OCS Edge Server. [Issue#:20959]

ó When employees initiate a conversation with external OCS federated users, permissions set in the Default Group policy are applied to the federated users. [Issue#: 21093]

ó The appliance does not detect or block video over Yahoo client 9.0.0.2133. [Issue#: 21800]

ó The permission denied disclaimer is shown three times for each attempt to transfer video using Yahoo client version 9.0.0.2123. [Issue#: 22587]

ó Occasionally, the OCS Group Chat client does not display policy messages sent by the System Buddy. [Issue #: 24327]

ó When the appliance is deployed with Sametime RTC Gateway Connector, AIM and GoogleTalk users connecting through the proxy port receive duplicate disclaimer messages from the Sametime buddy. [Issue #: 24405]

ó When the appliance is deployed with Sametime RTC Gateway Connector, any URL sent by an AIM user is transferred over twice to the Sametime buddy. [Issue #: 24410]

ó When a user, who is being managed by the appliance, sends a file over Yahoo! to a buddy who is not managed by the appliance:

° The sender sees a message that indicates that the file is transferred successfully.

° The receiver does not receive the file and gets an error message

[Issue #: 25665]

ó When the appliance is deployed to manage communication over the MSN network, users may not be able to sign on to the network using MSN 7.0 clients. [Issue #: 25632]

ó In Sametime Meeting Room conversations, the messages are echoed back to the sender and are not delivered to the recipients. Users also cannot transfer files during the meeting. [Issue #: 25490]

ó When the appliance is configured to use the Sophos antivirus engine, Sametime users do not receive appropriate disclaimer messages while transferring virus-infected files. [Issue #: 25503]

ó In Windows Live Messenger 2009, when custom emoticons are blocked, the keyboard shortcut assigned to the emoticon is sent to the recipient. The transcripts also display the shortcut. [Issue #: 25542]

ó The appliance blocks Photo Sharing over Windows Live Messenger 2009 although the corresponding permission is set to “Yes”. Conversation transcripts also do not include the Photo Sharing event. [Issue #: 25548]

ó Ink messages sent over Windows Live Messenger 2009 are delivered to the recipients although the corresponding permission is set to "No". [Issue #: 25549]

ó MSN Photo Swap is blocked although the corresponding permission is set to “Yes”. The conversation transcripts audit the event as game play invitation. [Issue #: 25550]

ó Games for Windows Live Messenger 2009 are blocked although the corresponding permission is set to "Yes". [Issue #: 25551]

ó All the disclaimer messages configured for Windows Live Messenger 2009 events are included against every blocked event listed in the conversation transcript. [Issue #: 25552]

ó The IM: Currently Online report does not display the Sign-On IP address for OCS clients connecting through the OCS Edge connector. [Issue #: 25584]

ó When the OCS Connector is deployed in the Master-Slave mode, a few SIP messages are audited in transcript when file transfers are attempted by:

° One user connected through the master connector.

° Another user connected through the slave connector.

[Issue #: 25614]

ó The appliance does not detect P2P events and file transfers over AIM 7.0.11.2 clients when it is deployed in the enforcement mode to manage IM traffic. This issue will be fixed in the upcoming filter update. [Issue #: 25658]

ó When Bluecoat proxy is configured as HTTP Proxy in USG, the following issues were observed:

° Yahoo file transfer does not work in the IM Proxy mode when the permission is set to “allow”.

° Yahoo file transfer does not get detected in the IM Passby mode.

° Yahoo version 8.1 webcam window initially displays the status that it is waiting for connection and later on goes into the idle state. The webcam request or invitation is also not sent to the external user.

° Windows Live Messenger games with IM Passby and IM Proxy are detected but some error is encountered although the permission for games is set to “Yes”.

[Issue #: 25585, 25627]

ó When File Transfer is blocked in Sametime meeting rooms, the policy violation notification is not sent to the users during the first file transfer event. However, the file transfer is blocked by the appliance. During subsequent attempts to transfer files, the users receive the policy violation notification. [Issue #: 22634]

ó The appliance does not apply the Allow/Block File Type settings in the File Transfer Privileges tab for file transfers during a break out session in a Sametime Meeting Room. [Issue #:22640]

P2P

ó The system reports Share, a P2P application, under the Winny protocol. [Issue #: 13303]

ó The appliance does not detect or block the Imesh P2P client. [Issue #: 13097]

ó When unmapped buddies log on to IBM Lotus Sametime clients, the system does not display the Authentication URL in the conversation window. This occurs due to a limitation of IBM Lotus Sametime protocol, which prevents out-of-band messages. [Issue #: 11890]

ó The appliance does not block P2P connections (Audio and Video) over the AIM 6.0.28.1 client. Also, the file transfer and P2P connection attempts are not reported or logged by the system. [Issue #: 14565]

ó The appliance does not block P2P connections between ICQ 6.0 clients. [Issue #: 14519]

ó The byte count displayed in the P2P Usage and Real-Time Monitoring reports will be inaccurate when the appliance is configured to allow access only to encrypted or UDP-based P2P protocols, such as and BitTorrent. [Issue #: 18247]

ó Occasionally, when access to P2P applications is blocked, the category indicated on the user notification page refers to an application category. Access to the indicated application category may not be blocked using an application policy.

For example, if Skype is blocked and users access www.skype.com, the notification page indicates that this URL belongs to the category VoIP, which is an application category. [Issue #: 19170]

ó The appliance does not block P2P over Windows Live Messenger 2009 Beta. [Issue #: 19635]

ó The appliance does not block Warez V 3.2.0 beta. [Issue#: 20898]

ó The appliance does not block the BitComet client version 1.05. [Issue #: 21085]

Applications

ó The security appliance does not manage VNC on your enterprise network. [Issue #: 19752]

Real-Time Graphs and Reports

ó Download of reports from the Configuration tab in CSV format fails in case of IE8. The following error message is displayed:

The requested site is unavailable or cannot find

[Issue #: 38272]

ó IM Proxy Reports take 60-70 seconds to fetch results while retrieving a large amount of data such as seven million transcripts or four million messages. [Issue #: 14000]

ó The system generates four reports for every blocked Sign On attempt on the GoogleTalk network. [Issue #: 12722]

ó When the employees log on to the AIM network through the AIM 6.0.28.1 client, their buddy names are not reported in the IM policy reports. Also, the logon attempts are not logged in the USG_monitor.log file. [Issue #: 14571]

ó Even though the Web filtering categories are disabled, the appliance reports URL access attempts under Web Filtering if:

° The accessed URL belongs to any malware category

° The accessed URL is included in Black List, White List, or a File Type policy

° The accessed URL belongs to an IM portal

[Issue #: 14560]

ó Buddy names and message counts are not reported for MySpaceIM client. [Issue #: 16789]

ó Buddy names are not reported for AIM client version 6.5.9.1. [Issue #: 16788]

ó The system does not generate group-specific custom IM, P2P, Malware, or Webfiltering reports for IP based groups. [Issue #: 15625]

ó The appliance does not display multi-byte characters when reports are exported in PDF format. [Issue #: 16961]

ó The IM Sign On Report does not display the version number of the following IM clients:

° AIM Pro

° LCS and OCS

[Issue #: 16608, 16133]

ó The appliance does not display the version number of all the detected Skype clients in the P2P Policy Report. [Issue #: 18349]

ó When a report containing Custom Categories, the names of which include multi-byte characters, is exported to a CSV file, the file displays invalid characters instead of the category names. [Issue #: 23486]

ó When you generate Passby reports that include the Infection Type column, the reports display infection type as Infection/Phone Home for IM, P2P, and applications. [Issue #: 23772]

ó When you generate a Passby Activity by Detail report, the Version column appears blank. [Issue #: 23835]

ó The date format configured on the System Preferences page is not used in the Reporting Wizard or saved reports on the Dashboard. [Issue #: 25344]

ó In reports that are exported or printed from the Reports Wizard, the sort order is lost when IP address, string values, or tree views are used for sorting. [Issue #: 25515]

ó In the PDF format of the exported Weekly Combined Usage Report, group names, Total Bytes, Total Message/Hits, and Total Timespent details may get overlapped. This issue occurs if these strings are long. [Issue #: 25669]

ó Intranet sites may get categorized as 'Unknown' in the reports when the appliance is deployed with a HTTP proxy server. [Issue #: 24446]

ó After upgrading from USG version 2.3 to 3.0, you cannot generate a pivoted report on network usage with TimeSpent as the Measure if both the following conditions are true:

° The appliance is deployed as an IM proxy

° The appliance computes the time spent value as null

[Issue #: 25745]

ó Timezones displayed in the canned reports are inconsistent. For example, the timezone in the IM: Currently Online report is IST whereas the timezone in the IM Sign-on report is GMT. [Issue #: 25738]

ó In the canned IM: SignOn Report, you cannot drill down to detailed reports of active IM users. [Issue #: 25737]

ó In the Web Content and File Scanning reports that are saved on the Dashboard, you will observe that:

° Rule IDs, Content, and Filenames are not linked to their respective details.

° Invalid number is suffixed to Yes or No in the Content column.

° Invalid number is displayed in the Filename column. These numbers are suffixed to the filename or if the filename is not applicable, only the number is displayed in the column.

These issues do not occur in Web Content and File Scanning reports that are accessed from the Reports tab.

[Issue #: 25724, 25725, 25726]

ó If group names containing multi-byte characters are included while creating reports using the Reporting Wizard, the report is not generated. [Issue #: 25369]

ó When the name of a custom category is modified, the change is not reflected in the reports that are already saved. [Issue #: 25636]

ó Reports cannot be generated using the Reporting Wizard when the name of a Custom Category contains multi-byte characters. [Issue #: 25014]

ó Occasionally, you may observe that the number of records in summary and drill-down reports differ from each other. This occurs if security appliances push data into Actiance Insight between hourly data rollup intervals. [Issue#: 23969]

ó When you click 'Yes' in the Content column of the web content and file scanning reports, you may see the log in page of the appliance's user interface along with other HTTP content. [Issue#: 25202]

ó You may not be able to access drill-down reports using the canned reports that are saved on the Dashboard. [Issue #: 25751]

ó When a drill-down report is accessed from a summary report on Passby activity by category and product, you will observe that the data displayed in the two reports differ from each other. The mismatch in data is because the appliance displays the rolled up data in the summary reports. [Issue #: 25231]

ó In the Policy Violation reports, the appliance does not report the virus infected files sent by an IM user who is external to the enterprise network. [Issue #: 22077]

ó Occasionally, employees cannot access their Hotmail accounts through Windows Live Messenger even if they click ‘Yes’ on the quota page. [Issue #: 20648]

ó IM compliance policies configured in a Policy Object will be effective only if they are customized for the Policy Object. [Issue #: 20746]

ó Employees can remain logged in to the IM clients and receive messages from their external buddies even after the allotted IM conversation time expires. [Issue #: 20027]

ó After you change the time duration and number of sessions allotted for any employee for IM, the employee must log in again to the IM clients for the changes to take effect. [Issue #: 20632]

ó When malware is not blocked and time-based quota is applied to the Web Filtering categories, employees receive a quota notification web page while accessing any malware sites. [Issue #: 19925]

ó Policy conflict resolution is incorrectly applied to employees who belong to both static and IP-based groups when:

° A Policy Object is applied to both the groups

° A Policy Object is applied to the IP-based group

[Issue #: 20849]

ó Occasionally, employees cannot access their Yahoo! Mail account even if they click “Yes” on the quota notification page. [Issue #: 20363]

ó When a custom policy violation notification URL is configured, the quota notification page is not displayed. [Issue#: 23172]

ó After upgrading from USG 2.2 to USG 3.0, the customized application policies do not function properly. [Issue#: 25397]

Workaround :

° Access each customized application tab.

° Remove the customization and save the policy.

° Customize the application again with intended policy.

ó The appliance does not resolve policy conflicts between IP-based group and normal groups/employees if authentication is enabled for the IP-based group. [Issue #: 24842, 25621]

External Database

ó After upgrading from version 2.2 to 3.0 and changing the database to an external MySQL server, you cannot roll back to earlier settings configured on the appliance. Contact Actiance support for assistance. [Issue #: 25670]

ó When MySQL server is used as an external database, the Group Reporter's Dashboard takes more than 10 minutes to load. [Issue #: 25694]

Miscellaneous

ó When the upstream proxy group name is updated, it is observed that the cache_peer of the corresponding group gets commented out in the squid.conf.

Workaround: Save the group again to uncomment the updated group in the cache_peer.

[Issue #: 38307]

ó Group Reporter is unable to execute the SFSR report that is the ‘Employee Buddy Mapping Report’. [Issue #: 37810]

ó USG Help and Product information can be accessed by hitting URLs. [Issue #: 38008]

ó USG Management UI can be accessed from a desktop or a local machine that goes through proxy in which ‘bypass proxy server for local address’ option is unchecked in the browser. [Issue #: 38103]

ó Upstream Rules based on Destination and packet header are not applicable to SSL pages when SSL termination is disabled in USG. [Issue #: 38193]

ó Upstream proxy rules get triggered based on priority of the load balance option that is configured for the particular proxy group and are not based on the order of forward proxy rules. [Issue #: 38192]

ó When all the proxies in the group are down with SSL termination disabled, an irrelevant error message is displayed. [Issue #: 38216]

ó When squid is configured as upstream proxy, you may observe 404 response code for certain requests in the USG squid access log. [Issue #: 38104]

ó You may observe a script error pop-up message while:

° Checking or Un-checking products in Internet Explorer

° Continuously expanding the categories to view in Application tree using Mozilla Firefox

[Issue #: 36961]

ó The ISA Proxy service central processor usage is 90% with fewer loads. [Issue #: 28945]

ó When the appliance is configured to use Transparent NTLM or Redirect authentication and the browser is configured to connect through ISA proxy:

° URLs cannot be accessed

° Authentication prompt does not appear.

[Issue #: 12827]

ó The system cannot connect to Microsoft Active Directory when the LDAP server settings are configured for Kerberos authentication. [Issue #: 11752]

ó Users managed by Chinese wall policies receive chat room invitations and are able to join chat rooms. Also, after such users join, all users in the chat room are prevented from exchanging messages. [Issue #: 13275]

ó When LDAP is configured with 'Directory Domain (DNS)', you may observe some delay while:

° importing users

° importing or synchronizing groups

The delay occurs as the system attempts to connect to each server that corresponds to the Base DN until a successful connection is created. [Issue #: 13462]

ó The system does not save or apply the changes to the port speed of the eth1 port when the speed is changed from 'Auto' to 10FullDuplex, 10HalfDuplex, 1000FullDuplex, or 1000HalfDuplex. You will observe that the port speed is indicated as:

° 'Auto' on the user interface

° 'Unknown' on the appliance's console when changed to 10FullDuplex or 10HalfDuplex.

[Issue #: 14539]

ó Information about the firmware or filter updates is not logged in the syslog. [Issue #: 15118]

ó Occasionally, you may observe that the import of nested groups may take a longer time. This delay occurs when the appliance is unable to resolve a domain that is configured as a referral to another domain on the network. [Issue #: 17927]

ó When Kerberos authentication is enabled on the security appliance and a guest or an unauthenticated user tries to access an HTTPS site:

° The user is not authenticated using Kerberos.

° The unmapped group policy is applied.

Workaround: Enable NTLM authentication in addition to Kerberos authentication. [Issue #: 17306]

ó The system displays an improper message when the end user clicks the Kerberos based login button in a web browser which is not configured for Kerberos authentication. [Issue #: 18559]

ó If firmware upgrade fails on any of the clustered appliances due to network connectivity issues, you can retry upgrading the firmware only after performing the following steps:

° Roll back the changes on the appliance on which the upgrade failed.

° Roll back the changes on the appliances on which the upgrade was successful.

° If you have taken a backup of the external database before the upgrade, restore the database backup. [Issue #: 16978]

ó Occasionally, the security appliance does not connect to the external database although the test connection was successful.

Workaround: Clear the password cache in the browser.

[Issue #18411]

ó Group names that contain special characters such as '(' and ')' do not get synchronized successfully with Lotus Domino Directory or Sun One Directory. Such groups:

° will get deleted if an auto-sync is run.

° cannot be chosen for manual synchronization.

[Issue #18749]

ó A group in the Lotus Domino or Sun One Directory will not be successfully imported into the appliance even if one employee's name contains special characters such as '+' and '#'. Although the name of the group is displayed on the Policy Groups page, the group will not contain any employees.

[Issue #18746]

ó After performing a firmware upgrade from a previous version, the name of the Web Filtering database vendor appears as blank on the About page. [Issue #19477]

ó When the filter update fails, occasionally the appliance does not:

° Manage access to applications and enforce policies on the enterprise network.

° Display IM, P2P, Web Filtering, applications, and malware categories on the user interface.

[Issue #20275]

Workaround : Perform a filter update again without restarting the appliance.

ó Occasionally, when the appliance is configured to use only FDCA authentication, the Unmapped Group policy is not applied to domain users. This problem occurs if the users' details are not updated in the appliance due to low authentication frequency.

Workaround: Set Authentication Frequency to a value lower than that of the interval at which the appliance obtains updates from FDCA (Update Time Interval). [Issue #: 21083]

ó The security appliance does not perform a filter update while you upgrade the firmware to build 8173 from build 8166, although there is an update available. [Issue #: 20948]

ó When the appliance is configured to connect through an HTTPS corporate proxy, the appliance connects over HTTP to obtain firmware and filter updates. [Issue #: 23023]

ó Self-signed certificates generated using DSA-1024 and SHA1 are reported as invalid signatures by Mozilla 3.0 and 3.0.12 versions. [Issue #: 22541]

ó When you click Save after adding SNMP trap settings on the Configuration tab > SNMP Settings page, the appliance does not save the changes.

Workaround: After adding a new SNMP manager, click Add and then click Save.

[Issue #: 22233]

ó When you visit a group for the first time, the transcript created does not contain the Group ID until you provide your email id. Once your membership is accepted, the Group ID is visible as normal. [Issue #: 29694]

ó When FDCA/Stale policy and Interactive Authentication are configured, if FDCA authentication fails due to any reason, Interactive Authentication is applied instead of the Stale Policy. [Issue#: 26475]

Documentation

ó Unified Security Gateway Planning and Implementation Guide: Take a printout and read this document to plan your deployment and understand how to use the product.

ó Unified Security Gateway System Administrator's Guide: Take a printout and read this document to understand how to use the product.

ó Unified Security Gateway LDAP Integration Guide: Take a printout and read this document to understand how to integrate a corporate LDAP directory with the appliance.

ó Unified Security Gateway Release Notes

Visit https://members.actiance.com for the latest versions of the Administrator's Guide and the Release Notes.
