
Release Notes for Version 1.5.207

Created: March 9, 2015


Table of Contents

What’s New
Fixes
System Requirements
Stonesoft Appliances
Build Version
Product Binary Checksums
Compatibility
Browser and Client OS Compatibility
Directory Services
Upgrade Instructions
Upgrade from Previous Version
Upgrade from Prior Versions
Known Issues

Stonesoft SSL VPN Release Notes for Version 1.5.207

What’s New

Fixes

Problems described in the table below have been fixed since Stonesoft SSL VPN version 1.5.206.

A workaround solution is presented for earlier versions where available.

Synopsis: Tunnel set redirection URL does not work on MacOS and Linux clients
Description: Redirection URL configured in tunnel set settings works with Windows clients, but not on MacOS or Linux clients.
Workaround for Previous Versions: Open the URL manually after opening the tunnel.

Synopsis: SSL VPN process may leak memory
Description: The statmond process may start leaking memory, which will lead to a situation where all memory is exhausted and the engine will stop working.
Workaround for Previous Versions: Monitor memory and swap usage. Excess memory used by statmond can be cleared by stopping and starting it:

    msvc -d statmond
    msvc -u statmond

Restarting the process will not affect running client sessions.

Synopsis: Routing configuration might fail if alias interfaces are configured
Description: If an appliance is configured using an alias interface (ethX:Y), configured routes might not be applied at restart.
Workaround for Previous Versions: None

Synopsis: Windows Access Client fails to start on 32-bit Windows
Description: Using tunnel resources does not work on 32-bit Windows operating systems. Windows Access Client fails to start.
Workaround for Previous Versions: Hotfix is available from McAfee Support.

Synopsis: Adding back-end attributes to web resource host configuration results in error
Description: Administrators are not able to add back-end attributes to a web resource host. The following error is shown: "Unable to resolve expression 'localizedType'".
Workaround for Previous Versions: None

System Requirements

Stonesoft Appliances

Stonesoft SSL VPN version 1.5.207 is supported on all Stonesoft SSL VPN appliances and on Stonesoft SSL VPN Virtual Appliances.

Installation of 32-bit and 64-bit engine software, or upgrade to 64-bit engine software is supported only on the following SSL VPN appliances:

• SSL-1035

• SSL-1302

• SSL-3201

• SSL-3202

For older appliance models, use 32-bit engine software.

Mirrored configurations between 32-bit and 64-bit engines are not supported.


Build Version

The Stonesoft SSL VPN 1.5.207 build version is 2025.

Product Binary Checksums

32-bit engine

sslgw_engine_1.5.207.2025_i386.zip
MD5SUM 9413904c2035a0a254bdd3e392ec4228c923572d
SHA1SUM 2918e51d57748365dd2db42c4d954a8b

64-bit engine

sslgw_engine_1.5.207.2025_x86-64.zip
MD5SUM sh82000d1ee676a02e5fc6f67dd82035ed
SHA1SUM 8a542ba9fad2de56fc412019755cce4f9dd9d4e4

sslgw_engine_1.5.207.2025_vmwarefw-esx.zip
MD5SUM 9efaa3da68e12cbe6d8849ba38b2ed9d
SHA1SUM c1779d4c451931dc91960cc45b4d9b3758115828
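One way to check a downloaded engine image against these checksums, as an added example that is not part of the original release notes. It validates the shape of each published value before comparing, because as printed on this page the 32-bit entry's MD5SUM value is 40 hex characters long and its SHA1SUM value is 32; the function names are illustrative.

```python
import hashlib
import re

# Hex digest length and hashlib name for each label used in the release notes.
ALGORITHMS = {"MD5SUM": ("md5", 32), "SHA1SUM": ("sha1", 40)}

# The 32-bit engine entry, copied exactly as it is printed on this page.
AS_PRINTED_I386 = {
    "MD5SUM": "9413904c2035a0a254bdd3e392ec4228c923572d",
    "SHA1SUM": "2918e51d57748365dd2db42c4d954a8b",
}


def check_published(label, value):
    """Return None if value is a well-formed digest for label, else the reason."""
    if label not in ALGORITHMS:
        return f"unknown label {label!r}"
    value = value.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", value):
        return "contains non-hex characters"
    expected = ALGORITHMS[label][1]
    if len(value) != expected:
        return f"{len(value)} hex chars, expected {expected}"
    return None


def file_digest(path, label, chunk_size=1 << 20):
    """Hash the file in chunks so a large engine image need not fit in memory."""
    digest = hashlib.new(ALGORITHMS[label][0])
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def verify(path, published):
    """Map each label in published to 'ok', 'mismatch' or 'unusable: <reason>'."""
    results = {}
    for label, value in published.items():
        reason = check_published(label, value)
        if reason:
            results[label] = f"unusable: {reason}"
        elif file_digest(path, label) == value.strip().lower():
            results[label] = "ok"
        else:
            results[label] = "mismatch"
    return results
```

An "unusable" result means the published value itself has to be re-obtained from the vendor before the download can be checked. MD5 and SHA-1 matches show the download is intact; they are not collision-resistant, so take the reference values from a trusted channel.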


Compatibility

Browser and Client OS Compatibility

Administration of Stonesoft SSL VPN version 1.5.207 requires the use of a workstation with a TCP/IP network configured and a web browser installed.

To use the Application Portal, the connecting client must have TCP/IP configured and a web browser installed.

To use Tunnel Resources, such as client/server TCP/UDP-based applications, the connecting client must have TCP/IP configured and a web browser compatible with Java or ActiveX technologies installed.

To use the Stonesoft Web authentication method, the client must support Java technology to display the clickable webpad.

To use the Stonesoft MobileID (Synchronized or Challenge) authentication method, the client must have MobileID software installed and seeded.

For the full platform compatibility matrix for the functionalities described above, see Technical Note #5566.

Directory Services

User information can be stored in an internal user directory, or one of the following external directory services can be used:

• Microsoft Active Directory 2003

• Microsoft Active Directory 2008

• Novell eDirectory

• OpenLDAP

• Sun Java System Directory Server

• Oracle Internet Directory (authentication only)

• Tivoli Directory Server (authentication only)

• IBM RACF LDAP (authentication only)

• OpenDS 2.x

• OpenDJ

NOTE – You must use an external Directory Service or the new OpenDJ Directory Service for a mirrored pair configuration. For additional information, please refer to the SSL VPN Administrator’s Guide.


Additionally, when using the Access Client on Windows Vista, Windows 7, or Windows 8, the following requirements apply:

Requirement: Access Client on Microsoft Windows Vista, Windows 7, and Windows 8 requires administrator rights
Description: The Access Client requires administrator rights the first time it is used on Windows Vista, Windows 7, and Windows 8. The Access Client automatically upgrades afterwards. Alternatively, you can use remote software distribution or installation systems and the provided Access Client MSI package.

Requirement: Stonesoft ActiveX Client Loader requirements
Description: To run the ActiveX Access Client loader successfully with Windows Vista UAC, you must add the HTTPS address of the Access Point server to the list of trusted sites in Internet Explorer.

Requirement: Drive letter mapping in Windows Vista, Windows 7, and Windows 8
Description: A single drive letter (for example, F:) cannot be used as a startup command in Windows Vista, Windows 7, and Windows 8. All commands must be executed using “runas” to elevate to administrator mode, because the mapping is done in administrator mode, and “F:” is not a valid executable. Use the following startup command instead:

    explorer /root, F:

This command works on Windows XP, Windows Vista, Windows 7, and Windows 8.

Requirement: Java Runtime Environment
Description: To run the Stonesoft Java Access Client, use Sun Java 1.6 Update 2 or higher.

When using the Access Client on Linux, the following requirements apply:

Requirement: Access Client on Linux and Mac OS platforms does not connect to an SSL VPN Access Point without a trusted certificate to validate the gateway certificate on the client
Description: The Linux and Mac OS Access Clients can be downloaded through a Java Loader or an essp:// protocol handler in the browser. Before resources can be used, the client must verify the SSL VPN gateway certificate using the public certificate of the signer. One of the following files must be present:

    $HOME/.sg-sslvpn-client/trust.pem
    $HOME/.sg-sslvpn-client/server.pem

If the SSL VPN gateway uses a self-signed certificate, the trust.pem file should include the self-signed certificate. Otherwise, it should include the public CA certificate that issued the gateway certificate.

Alternatively, only the server certificate can be placed in the file server.pem.

Upgrade Instructions

When upgrading mirrored systems, see the upgrade instructions in the SSL VPN Administrator's Guide, which is available at http://www.stonesoft.com/en/customer_care/documentation/current/.

It is recommended that you publish the configuration after a successful upgrade.

Upgrade from Previous Version

Stonesoft SSL VPN is upgraded from 1.5.x to 1.5.207 through the Web Console or using the Remote Upgrade functionality in the Stonesoft Management Center. After the upgrade, log in to the SSL VPN Administrator and publish the updated configuration if the Publish button is highlighted.

Upgrade from Prior Versions

Stonesoft SSL VPN is upgraded from 1.4.x to 1.5.207 through the Web Console or using the Remote


Known Issues

The current known issues of Stonesoft SSL VPN version 1.5.207 are described in the table below.

For an updated list of known issues, see http://stonesoft.com/en/customer_care/kb/.

Synopsis: After upgrade, application portal displays an error. (#112839)
Description: After upgrade, clients accessing the portal will see the error message "403 access denied - 1022333 128-bit encryption required".
Workaround: Set the following ciphers active in the access point cipher suite list and publish the configuration:

    RSA_AES_128_CBC_SHA
    RSA_RC4_128_SHA

Synopsis: Stonesoft SSL VPN Breaks Browser Domain-Based Security Model - Refs: CVE-2009-2631, CERT VU#261869 (#55542)
Description: Stonesoft SSL VPN breaks the browser domain-based security model. The vulnerability lies in the architecture of the SSL VPN solution. As a result of the vulnerability, all resources under a single SSL VPN domain may potentially steal or modify each other's active web content, such as web cookies.
Workaround: Recommended Actions:

Deploy only trusted resources to the SSL VPN portal. Resources with significantly different security zones, such as resources hosted by different companies, should be deployed using Pooled DNS Mapping or Reserved DNS Mapping.

Untrusted resources should not be deployed to the SSL VPN portal at all.

If these types of resources are needed, they should be deployed as External Sites so that the SSL VPN portal gives a direct link to the resource, instead of making the client route the traffic to the resource through the SSL VPN portal.

See the Stonesoft SSL VPN Administrator's Guide for further information on deploying Pooled DNS Mapping, Reserved DNS Mapping, or defining External Sites.

Synopsis: In a mirrored configuration, OATH database must be configured as an external database (#50490)
Description: In a mirrored configuration with OATH activated, adding a secondary Authentication Service causes the following error message:

"To validate if OATH is used on the configured Authentication Service-node (i.e. tokens are imported), it has to be started. A system with more than one Authentication Service-node cannot use a local database; it would result in data inconsistency."

Workaround: Configure OATH in the SSL VPN Administrator (select Manage System > OATH Configuration > Configure Database Connection) to point to an external URL.

For example, enter the following URL in the Database Connectivity Properties:

    jdbc:hsqldb:hsql://10.0.215.40:9001/:shut down=true

Alternatively, you can disable OATH in the Web Console.

Synopsis: Use of IP pool address with active FTP does not work in Windows Vista (#50028)
Description: Using an SSL VPN resource for active FTP with an IP address pool from a Windows Vista machine fails when the server starts the transfer. The problem is caused by the IP address used in the PORT command, which is not the same as the IP address assigned from the IP address pool.
Workaround: Use passive FTP or an FTP program that allows setting the client IP address to be used for the PORT command.

Synopsis: Customized icons uploaded using the Browse function do not appear in icon library (#64916)
Description: Customized icons that have been uploaded to custom-files/wwwroot/wa/img/icons using the Browse function in the Administrator Interface do not appear in the icon library.
Workaround: Upload the customized icons for each resource on the resource definition page.

Synopsis: Access Client for Mac does not work on Snow Leopard (10.6.x) if firewall is enabled (#82978)
Description: Having the Mac OS X firewall enabled on a computer running Mac OS X Snow Leopard (10.6.x) prevents the Access Client from working correctly.
Workaround: Temporarily disable the firewall on Mac OS X when using the Access Client with Stonesoft SSL VPN.

Synopsis: Tunnel Set Advanced Settings for Local Lookup do not work on Mac and Linux clients (#67796)
Description: When configuring a Tunnel Set, Local Lookup entries configured in the Advanced Settings are not taken into consideration on Mac and Linux clients.
Workaround: Use DNS redirection to an internal DNS server to resolve the names for protected resources.

Synopsis: Missing plugin error with Mountain Lion in Mac OS X (#89317)
Description: With Mountain Lion in Mac OS X, the following update uninstalls the Java plugin under Safari and the Java properties of application/utilities: http://support.apple.com/kb/HT5493
Workaround: Select a Tunnel Resource in the Application Portal and click "missing plugin".

Synopsis: OpenLDAP database does not support 64-bit mode (#89618)
Description: The OpenLDAP database does not support 64-bit mode. When upgrading from a 32-bit version (for example, SSL VPN 1.5.101) to a 64-bit version (for example, SSL VPN 1.5.200), the OpenLDAP database can no longer be used.
Workaround: Contact Stonesoft Support for a workaround.

Synopsis: File Share SSO does not work with Windows 2008 R2 (#85565)
Description: Due to a change in authentication techniques when accessing a File Share in Windows 2008 R2, it is not possible to use Single Sign-On to access File Shares located on a back-end resource.
Workaround: None
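The CVE-2009-2631 entry above recommends separating resources from different security zones with DNS mapping. The following added example (not part of the original release notes) audits a resource inventory for browser origins shared across trust zones; the hostnames, paths and zone labels are constructed and do not reflect the product's actual URL scheme.

```python
from collections import defaultdict
from urllib.parse import urlsplit

DEFAULT_PORT = {"http": 80, "https": 443}


def origin(url):
    """Browser origin tuple (scheme, host, port) for a published URL."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    return (scheme, host, parts.port or DEFAULT_PORT.get(scheme))


def shared_origin_findings(resources):
    """resources: iterable of (name, trust_zone, published_url).

    Returns one (origin, names, zones) tuple for every origin that serves
    resources from more than one trust zone. Only the origin is compared;
    cookie Domain scoping is not modelled.
    """
    by_origin = defaultdict(list)
    for name, zone, url in resources:
        by_origin[origin(url)].append((name, zone))
    findings = []
    for org, members in by_origin.items():
        zones = sorted({zone for _, zone in members})
        if len(zones) > 1:
            findings.append((org, sorted(name for name, _ in members), zones))
    return findings


# Constructed inventory: every resource is published under the portal's own
# hostname, so all three share one origin in the browser.
PORTAL_ONLY = [
    ("intranet", "internal", "https://vpn.example.com/intranet/"),
    ("hr", "internal", "https://vpn.example.com/hr/"),
    ("partner-wiki", "partner", "https://vpn.example.com/partner-wiki/"),
]

# Same inventory with the partner resource moved to its own hostname, as a
# DNS mapping would do (hypothetical hostname).
WITH_DNS_MAPPING = [
    ("intranet", "internal", "https://vpn.example.com/intranet/"),
    ("hr", "internal", "https://vpn.example.com/hr/"),
    ("partner-wiki", "partner", "https://partner-wiki.vpn.example.com/"),
]
```

Running `shared_origin_findings` over `PORTAL_ONLY` reports the single portal origin with both zones behind it, while `WITH_DNS_MAPPING` produces no findings.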


Stonesoft Corporation Itälahdenkatu 22A FI-00210 Helsinki Finland

Tel. +358 9 476 711 Fax +358 9 4767 1349

Stonesoft Inc.

1050 Crown Pointe Parkway Suite 900

Atlanta, GA 30338 USA

Tel. +1 770 668 1125 Fax +1 770 668 1131

Copyright 2015 Stonesoft Corporation. All rights reserved. All specifications are subject to change.

Copyright and Disclaimer

© 2000—2015 Stonesoft Corporation. All rights reserved.

These materials, Stonesoft products, and related documentation are protected by copyright and other laws, international treaties and conventions. All rights, title and interest in the materials, Stonesoft products and related documentation shall remain with Stonesoft and its licensors. All registered or unregistered trademarks in these materials are the sole property of their respective owners. No part of this document or related Stonesoft products may be reproduced in any form, or by any means without written authorization of Stonesoft Corporation.

Stonesoft provides these materials for informational purposes only. They are subject to change without notice and do not represent a commitment on the part of Stonesoft. Stonesoft assumes no liability for any errors or inaccuracies that may appear in these materials or for incompatibility between different hardware components, required BIOS settings, NIC drivers, or any NIC configuration issues. Use these materials at your own risk. Stonesoft does not warrant or endorse any third party products described herein.

THESE MATERIALS ARE PROVIDED "AS-IS." STONESOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION CONTAINED HEREIN. IN ADDITION, STONESOFT MAKES NO EXPRESS OR IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE WITH RESPECT TO THE INFORMATION CONTAINED IN THESE MATERIALS. IN NO EVENT SHALL STONESOFT BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL OR INCIDENTAL DAMAGES, INCLUDING, BUT NOT LIMITED TO, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING FROM THE USE OF THESE MATERIALS, EVEN IF ADVISED IN ADVANCE OF THE POSSIBILITY OF SUCH DAMAGES.

Trademarks and Patents

Stonesoft, the Stonesoft logo and StoneGate are all trademarks or registered trademarks of Stonesoft Corporation. Multi-Link technology, Multi-Link VPN, and the Stonesoft clustering technology - as well as other technologies included in Stonesoft - are protected by patents or pending patent applications in the U.S. and other countries. All other trademarks or registered trademarks are property of their respective owners.
