=====================================================
SSL 6.0.0.25 Released for QA on April 03, 2006
=====================================================

Fixes
-----

NetDirect 6.0.0.24 fixes:
- Case 060223-53103: NetDirect crashes on user's PC when UDP has been disabled.

=====================================================
SSL 6.0.0.24 Released for QA on March 31, 2006
=====================================================

Fixes
-----

NetDirect 6.0.0.24 fixes:
- CR-Q01339911: NDIC - Shutdown PC when connected results in crash and memory dump.
- CR-Q01343596: NDIC stores pwd in clear text.
- CR-Q01341593: NDIC does not failover in the cluster environment; traffic can't be passed through.
- CR-Q01332521: WinFF non-admin - Error: Failed to run ND - ndwau/p mismatch.

Mac and Linux NetDirect
- Sending correct disconnect message to server side, resulting in ippool leases being correctly released.

BBI fixes:
- CR-Q01341802: "SSL-VPN: BBI - Validate DN in Cert settings still refers to deleted CT server".
- Fix for the problem related to the display of Citrix and Wiper fields in the BBI.

Set a default name for the IP pool if one is created implicitly, e.g. when a NetDirect link is created and an IP pool is created along with it.

Imported help texts from the command reference.

=====================================================
SSL 6.0.0.23 Released for QA on March 28, 2006
=====================================================

Fixes
-----

NetDirect 6.0.0.23 fixes:
- CR-Q01336605: NDIC exit error: Socket opened to server signaled FD_CLOSE 0 Win32 Returned.
- CR-Q01337628: WinFF NDCC - WSAWaitForMultipleEvents error: Index value is -1
- CR-Q01339078: NDIC on XP can't connect to the portal.
- CR-Q01303198: NDIC does not update or report client version per PRD.

Mac NetDirect
- Fixed handling of empty dns domain.
- Correctly choosing the right NetInfo database dns key.

Fixed CR-Q01340332: IPSEC counters doubling when idle.
Fixed CR-Q01337445: update ipsec counters when "info" commands are issued from the CLI.

Added Web page to support NDIC upgrade.

Do stricter check for "Upgrade in progress" (to prevent e.g. /boot/{reboot,halt,repartition}).

Postpone creation of "userdata" partition until first boot after factory install - doesn't work if final disk device != install disk device.

=====================================================
SSL 6.0.0.22 Released for QA on March 22, 2006
=====================================================

Fixes
-----

NetDirect 6.0.0.22 fixes:
- CR Q1319596: Mobility on NetDirect: NetDirect exits while switching networks
- CR Q1337268: WinFF NDCC - WSAWaitForMultipleEvents error: Index value is -1

Mac and Linux NetDirect
- CR Q01326905 The handling of supported split tunneling modes has been changed.

                            Linux   Mac
    Disabled                  Y      N
    Enabled                   Y      Y
    Enabled_inverse           N      N
    Enabled_inverse_local     Y      Y

  For non-supported modes, NetDirect falls back to enabled_inverse_local.

Mac NetDirect
- Fixed CR Q01331728 The DNS changes are now done in the NetInfo database, making them available for all applications.

BBI:
- Fixed a bug in the SSL Offload->Servers table page where only the first 25 rows were being displayed.
- Corrected the diff message displayed when an Auto Connect Domain is deleted in the VPN Gateways->Gateway Setup->IPsec->User Tunnel Profiles->Auto Connection page.

Cluster Manager:
- Fixed CR-Q01336251: "SSLVPNClusterMgr - Unable to print Help System".

Fixed CR-Q01332753: Group Auth with a Certificate User is not populating Macros.

Default NetDirect license text added and license limit upped to 8192 bytes.

Fixed CR-Q01335321: Don't require the SOCKS client to provide a hashed secret unless a client cert was provided in the original session (broke installed NetDirect when cert auth was configured).

Changed error message at wrong admin or root pw for NetDirect to work on both Win and Linux.
=====================================================
SSL 6.0.0.21 Released for QA on March 17, 2006
=====================================================

Fixes
-----

NetDirect version 6.0.0.21 fixes:
- Q01329970 - NDIC Show main Disconnect button is not clickable and not gray.
- Q01326911 - NDIC address/name resolution is broken when refreshing the login service.
- Fixes to the handling of the admin user name and pw to avoid problems with long user names/pws.
- Fixed problem with unzipping NetDirect files when a NetDirect installation hadn't finished yet.

Linux NetDirect
- Fixed CR Q01326905 Traffic to the local network is now sent through the tunnel for split tunneling mode disabled.

Linux and Mac NetDirect
- Fixed CR Q01329913 If a dns backup file for some reason is not deleted when changing dns settings, it is removed before the next time.

NetDirect Applet
- Fixed CR Q01329991 The applet detects that NetDirect is already running and prints such a message in the applet console.

BBI fixes:
- Provided user input validation for the VPN Gateways, Operation, Administration and Diagnostics menus as part of the fix for CR-Q01258881: "(DoS only) NSNAS Vulnerability Erlang Injection allow Buffer Overflow".

Fixed CR-Q01331774: UDP packets originated by the TG agent (IPSec) (i.e. sent due to a timeout on the client side, after the TG agent had discovered that the TG checks would now pass) were blocked by the iptables rules when the session was in a restricted TG mode (i.e. the client machine had failed the GC checks). Due to this the TG recheck could not be done before the NVG timed out (recheck time) and issued the recheck anyway (i.e. default 15 minutes).

Fixed CR-Q01329016: Eliminate deadlock between ipsec and ipsec_aaa processes.

Improved shutdown behaviour with many BO tunnels (shut down only tunnels that aren't already down, ignore setup requests) - problem noted when verifying the fix for Q01329016.
Fixed CR-Q01319596: When doing more than one NetDirect reconnect within less than two minutes, the reconnect could fail (incorrect starttrace message "no ip" changed to "session setup failed").

Fixed CR-Q01329007: Did too much while setting the InnerTunIP address after receiving it from the IP pool for IPsec sessions. No need to update the iptables in this case. (The problem was that too many iptables rules were added for each session, which made the iptables functions slow.)

Now the NetDirect administrator user name and password are encoded, i.e. it is no longer possible to view the page source in the browser in order to get hold of the administrator user name and password.

Fixed CR-Q01329877: Same IP assigned to different user sessions through DHCP IP Pool. Added zero as Hardware Type for the DHCP Client-Identifier option (according to RFC 2132).

=====================================================
SSL 6.0.0.20 Released for QA on March 13, 2006
=====================================================

Removed features
----------------

Backed out the fix for CR-Q01297451 (Installed NetDirect client working in combination with installed TunnelGuard agent) due to the too long estimated QA time needed for this feature.

Fixes
-----

NetDirect 6.0.0.20 fixes:
- CR-Q01298074: NDIC breaks after multiple logins without reboot.
- CR-Q01324290: Win FF crash when non-admin enters bogus admin pw - additional fixes.
- CR-Q01284429: NetDirect exits - one of the members of the MIB_IPFORWARDROW is invalid.
- CR-Q01319596: Mobility on NetDirect: NetDirect exits while switching networks.

Mac NetDirect
- Added support for sudo in addition to su, making it possible to use it on clients with the root account disabled.

NetDirect Applet
- Fixed CR Q01325683 NetDirect on Linux and Mac now behaves the same way as NetDirect on Windows. If the license is not accepted it exits gracefully.

Fixed CR-Q01024265: Empty variable bindings (i.e. the empty string) will not be displayed in /info/users.
Thus, especially the tgFailureReason and tgFailureDetails variables will not be displayed if the TG checks were successful. Also, fixed the display of HostIP that was added due to CR-Q01024265 for the 5.0 release. The HostIP was only displayed if some variable bindings existed, which was not the correct implementation. Now, HostIP will always be displayed in /info/users (displaying the RIP of the NVG the user connected to).

=====================================================
SSL 6.0.0.19 Released for QA on March 09, 2006
=====================================================

Enhancements
------------

Fixed CR-Q01297451: Installable NetDirect support TG. Now the installed NetDirect client works in combination with the installed TunnelGuard agent.

Fixes
-----

NetDirect 6.0.0.19 fixes:
- CR-Q01322805: NDIC crashes when connecting to NVG with netattr defined
- CR-Q01324290: Win FF crash when non-admin enters bogus admin uname/pw
- CR-Q01325812: NDIC user group does not log Error.log when ND group is disabled.
- CR-Q01223860: Click ND from 5.5 portal if access 5.1.3.6 VPN - ND fails

BBI fixes:
- Provided user input validation for the Certificates, SSL Offload, VPN Gateways -> Gateway Setup and Wholesecurity menus as part of the fix for CR-Q01258881: "(DoS only) NSNAS Vulnerability Erlang Injection allow Buffer Overflow".
- CR Q01324793: "BBI: Configuration /cfg/vpn x/ippool x/name is missing"
- Supported the commands:
    /cfg/vpn #/aaa/auth #/ldap/enashortgr
    /cfg/vpn #/aaa/auth #/ldap/groupsearc
    /cfg/vpn #/aaa/auth #/adv/validatedn
    /cfg/vpn #/aaa/auth #/adv/revcertdn
    /cfg/vpn #/aaa/auth #/ldap/activedirectory/pwdexppopu

Cluster Manager:
- Delete user(s) functionality supported in User tab

Fixed CR-Q01325837: Win FF ND FullAccess tab fails because of newly opened window. The wrong StartNetdirect function was called from the FullAccess applet. The function is now called StartFullAccessNetdirect.

Fixed CR-Q01123899: Panther: CLI output of command should be consistent - LINKS.
Now the CLI tab completion for links truncates at 20 characters instead of at 8 characters.

Fixed CR-Q01325775: NDIC syslog message is logged as undefined - Method="undefined".

Fixed Q01325115: Client certificates with Subject DN longer than 255 characters didn't work for extended profiles or certificate authentication.

Fixed broken Siteminder cookie login.

Reintroduced validation checks for IPpool Name as this feature is now also implemented in the BBI.

Fixed reference to pre-5.5 for /cfg/vpn/sslclient/oldclients

Changed the default number of ssl and ipsec licenses to be 50 (instead of 10).

Fixed crash encoding an AAA challenge response if a socks/netdirect user logged in and the Radius server replied with a challenge response.

Fixed problem that the NetDirect socks server did not adhere to the /cfg/vpn/adv/log settings.

Don't enable NMI watchdog for debug-os boot.

=====================================================
SSL 6.0.0.18 Released for QA on March 03, 2006
=====================================================

Enhancement
-----------

Fixed CR-Q01318813: ER - Labels for IPPools. Added a configurable Name at /cfg/vpn #/ippool #/name that will be used to help configure ippool references. Thus, the name will be given as a doc tab completion. During upgrade from previous versions the default name added will be "Pool_#". And, /cfg/vpn #/ippool will use the name as a possible value to select an IPpool. Also, added this possibility (i.e. to enter the name of the profile) for
    /cfg/vpn #/ipsec/ikeprof
    /cfg/vpn #/ipsec/utunprof
    /cfg/vpn #/ipsec/botunprof
and added doc tab completion where ike and/or utun profiles are referenced.

Fixes
-----

NetDirect Applet
- Fixed issue where details and close buttons were disabled on a garbage collect if NetDirect had been started several times during the same browser session.

Mac and Linux NetDirect
- Fixed issue where split tunneling did not work in a one-armed setup.
- Fixed CR Q01299948 Double free fixed.
- Fixed CR Q01283371 Client exits if a heartbeat response was not received since the last request.
- Added functionality to monitor route table changes. If the route table is changed by someone other than NetDirect, NetDirect exits.

BBI fixes
- CR-Q01318333: BBI: cannot set the "User OID" value to a large value.
- CR-Q01315399: "UI:TDI Minimum version shows 84213760"
- CR-Q01314900: "NVG 6.0 BETA: SSL Offload Trace Traceroute"
- CR-Q01302091: "SSL VPN 6.0 ER Alphanumeric sorting of lists in management pages"
- Updated the help pages.
- Updated the TG Admin jar.
- Supported the new prompt for language code when exporting the language definition file.
- Moved the Network Attributes section under the IP Pool menu to its General page instead of displaying it as a separate page.

TunnelGuard
- Fix to display transition TunnelGuard messages the first time a user logs in.
- CR-Q01317404:
- CR-Q01321422:
- CR-Q01317407: tg_change should not do anything for the SSL-VPN case and is for NSNA only.
- Fix for CR: Q01273630.
- Applet build number 124
- Added versioning support for TunnelGuard Applet, current version 124
- Added support for page movement when moving between compliant and non-compliant state.

Fixed CR-Q01304405: Enhanced error handling in the CLI in case another CLI/BBI session has deleted the dynamic instance that is currently active in a CLI session. Now, instead of Internal error, we display a Bad key error in this case.

Fixed CR-Q01321865: When logged into a TG enabled portal with ND links - won't install ActiveX. We need to start a new TG server session in case the page is reloaded.

Fixed CR-Q01318726: When groupauth was defined for a ClearTrust configuration that was also used to validate the Client Cert DN from a client certificate login, we got a Yaws error. This fix solves this by not trying to retrieve any groupinfo as configured for the ClearTrust setup when doing a client cert login.
Note that groupinfo can still be retrieved by setting it up in the client cert configuration.

Fixed CR-Q01319432: OID values + special characters cause a YAWS error w/ revcertdn in place. Note: we don't support multi-valued RDNs, so this part of the CR will not be fixed.

Fixed CR-Q01255547: SSL/VPN: Portal forwarder linksets does not warn user to install java.

Fixed CR-Q01320408: Active alarms - Name: slave_not_starting while upgrading from 5.1.5 to 6.0.0.17. Starting the yaws (slave) node is now attempted 10 times before giving up and restarting the system node (it could happen that the system was running without the yaws node, i.e. could not handle any portal traffic).

Fixed CR-Q01256888: BBI portal full access tab needs to be edited for ND client support. Added text explaining that the Net Direct installed client will be run if it is installed and Net Direct is enabled.

Fixed CR-Q01319446: Upgrade from pre-5.0 versions failed.

Fixed CR-Q01218797: (version check): 2.0.0.0 is newer than 1.1.1.1...

A customer has reported an intermittent problem with SMB. This fix throws away any NetBIOS KEEP-ALIVE packet that may be picked up by the NVG while it is waiting for an outstanding SMB-call reply.

Mark OS as invalid if installation failed.

Require minimum version 5.1.5.4 when downgrading SSL.

Added support to downgrade from post SSL-6.5 releases (run TG SRS rule transformations if downgrading from post 6.5).

=====================================================
SSL 6.0.0.17 Released for QA on February 24, 2006
=====================================================

Fixes
-----

NetDirect updated to 6.0.0.17 fixes:
- CR-Q01299800: WinFF fails to connect because already running. Driver updated to not hang the svchost process.
- CR-Q01271365: NDIC and external authentication can fail. Still an issue if more than one service on server.
- CR-Q01303964: NetDirect does not return the address to the pool when NetDirect exits.
Mac and Linux NetDirect
- Fixed CR-Q01288715 Fixed issue when having two defined nbns (wins) servers

Mac NetDirect
- Fixed issue where a split route to a network was considered a split route to a host.

BBI fixes:
- Supported the changes done for the Wholesecurity quick wizard as part of the fix for CR Q01311433. For the fix, created a new service by the name 'wholesecurity' with protocol tcp, port 443, and use it instead of the "https" service.
- Q01272750: "SSL-VPN: BBI needs to support Portal Custom Content Feature in v5.5"
- Q01297294: "CLI/BBI: info/botuns displays all enabled bots; should only show state 'up'"
- Q01307009: "SSL-VPN: BBI should not require CT Auth server to create CT server AAA object"
- Q01315381: "BBI: netattr configuration is not available for DHCP and RADIUS"

Cluster Manager
- Q01304415: (SSLVPNClusterMgr - "Delete" button should be available for "User" tab)

Fixed CR-Q01307340: Deactivating Full Access now shuts down the IPSec client.

Final fix for CR-Q01299215: Reverse the meaning of revcertdn to make it agree with cleartrust.agent.reverse_certificate_dn in the "normal" ClearTrust agent config.

Fixed CR-Q01314347: .../auth #/adv/revcertdn should only be present for cert auth.

Fixed CR-Q01315386: Cert authentication failed when anongroup was set. Also fixed the http logging (/cfg/vpn #/adv/log) to show accesses based on the anongroup ACL as 'NotLoggedIn' rather than 'User=""'.

Fixed CR-Q01311433: Create new service for WholeSecurity instead of trying to reuse the service named https.

Fixed CR-Q01301133: Automatic CRL retrieval via LDAP does not work with anonymous bind. Added a new command 'cfg/cert #/revoke/automatic/anonymous' which is used to enable/disable anonymous bind, keeping the authDN and passwd as they are if anonymous bind is needed.

Fixed CR-Q01072911: Move portal logout button to middle tabs. The alignment problem with the logout button when the portal window is resized is fixed. The button has not been moved to the middle tabs.
Fixed CR-Q01274871: FullAccess tab now falls back to NetDirect (if enabled) when other clients fail.

Fixed CR-Q01294926: Applet now deletes FireDLL.dll from the TEMP directory.

Fixed stopping of Windows NetDirect on idle timeout or 'kick' - in many cases it would still try to reconnect.

Fixed default values for TDI resp. LSP client versions to be 6.0.0.0

=====================================================
SSL 6.0.0.16 Released for QA on February 17, 2006
=====================================================

Fixes
-----

Windows NetDirect
- CR Q01312676 Mobility on NetDirect fails on IE and Firefox
- CR Q01258684 Win Firefox applet lingers with "ND started!".
- CR Q01311189 Win FF nonAdmin user does not end when clicking stop NetDirect.
- CR Q01311515 Win FF nonAdmin ND applet displays started when cancelling admin pw.
- CR Q01311462 Win FF nonAdmin ND applet displays started when user name mismatch.
- CR Q01255749 Win FF - portal ND can only be clicked once successfully.
- CR Q01255739 Win FF ND applet doesn't close when NDIC is used.
- CR Q01304238 WinFF cancel ND license banner error.
- CR Q01281605 Win ND applet details doesn't increment KB and KB/s.
- CR Q01281611 Win FF ND details are not displayed in the applet.

Mac and Linux NetDirect
- Fixed CR Q01304332 The communication error reported was not really an error.
- Improved performance.

NetDirect Applet
- Fixed CR Q01309381 The Gateway is not shown in the details window
- Fixed CR Q01258684, Q01311515, Q01311462, Q01281605, Q01281611 Enabled status interface for Windows platform
- Fixed CR Q01311189, Q01255739 The applet window should now always be closed when stopping NetDirect, either from the applet or from the client.
- Additional fix for CR Q01304233 License and banner text is now shown in a text area with 20 rows and 40 columns.
- Non CR related fixes: The confirmation box is not left above the applet during the wait for stopped status. Statistics figures use one decimal overall.
  When stopping NetDirect, the close and details buttons are disabled. The details button is disabled until details are received. A "maximum close time" is added, shown by a counter when closing.

BBI fixes:
- CR Q01311391: "BBI: WholeSecurity "logouturl" field needs to be added to the BBI".
- Replaced the new gray color buttons with the old blue color rounded buttons.

Cluster manager:
- Provided fix for CR Q01303432: "SSL-VPN Cluster Manager windows should be closed after timeout".

Fixed CR-Q01309248: Due to bad selection of session timeout, if the idle timeout was set equally at the VPN level and at the group level the session timeout was 0 and thus the aaa_server crashed at ipsec user login.

Additional work for Q01282242: Fixed default value for DNS setting.

Fixed CR-Q01306805: Now the download link for missing Java with TunnelGuard directs the user to http://www.java.com for SSL-VPN. Also enabled the status information displayed while the TG applet verifies the user.

Fixed CR-Q01142805: Feature Request. Now the translated language definition file can be exported in addition to the predefined language definition template (5.0 branch).

Additional fix for CR-Q01304233: License and banner text is now shown in a text area 40 characters wide and 20 rows high.

Fixed CR-Q01310198: Now the netattr menu items will never be auto prompted for in the CLI at the time a new IP pool is created.

Fixed CR-Q01240032 and CR-Q01147625: Now type errors using the CLI dictionary will be mapped to show the CLI dictionary value instead of the registry type value.

Fixed CR-Q01281451: If the TTL is less than 3 minutes the logout warning window will check for idleness every 40s (instead of 60s) and not warn the user about the logout unless the user has been idle more than 45 seconds (i.e. no logout warning before 1 minute). This is in order to guard against false warnings in case only NetDirect is run through the portal.
Added the command ldap/adv/exppwdpopup which makes it possible to turn off the password expiration warning pop-up window.

Fixed CR-Q11255547: Portal forwarder linksets does not warn user to install Java. A warning is now displayed if there is no enabled or installed Java.

Fixed broken keymap handling in Terminal Java Applet.

=====================================================
SSL 6.0.0.15 Released for QA on February 16, 2006
=====================================================

Fixes
-----

Fixed CR-Q01312488: Certificate authentication is broken (SSL and IPSec).

=====================================================
SSL 6.0.0.14 Released for QA on February 13, 2006
=====================================================

Fixes
-----

BBI fixes:
- Fixed CR-Q01308225: "SSL-VPN:BBI specifies incorrect default port for ClearTrust Authorization Server"
- Changed the button color (to #BBBBBB) according to the UI guidelines.
- Changed all HREF= to href= as part of the fix for CR Q01303420

Mac and Linux NetDirect
- CR-Q01306316 When an error occurs the NetDirect.log file is renamed to NetDirectError.log and left in /tmp.

Port Forwarder API
- CR-Q01305440 The port forwarder API (used by almost all port forwarders) now sets up the authentication properly for portals with ssl disabled.

Added the revcertdn command which takes boolean values and enables/disables whether the Cert-DN string should be reversed before being sent to ClearTrust for validation.

Fixed CR-Q01294926. Applet now removes the files it has downloaded.

Fixed CR-Q01309110: NMI watchdog fix in 6.0.0.12 (for Q01273702) could cause the watchdog to misfire during boot (happened always on 2424-SSL).

Fixed CR-Q01244629-01: 100% CPU and 100% MEM usage. Imported an OTP fix from R10B-9 that solves this issue:

  OTP-5827: erlang:monitor(process, Pid) hanged if Pid referred to a process on a non-existing node with the same nodename as the nodename of the node on which the call was made.
  This bug has now been fixed.

This bug manifested itself in exactly the same way as our bug did:

  Program counter: 0x40320998 (gen:wait_resp_mon/3 + 108)
  CP: 0x403345fc (gen_server:call/3 + 76)
  arity = 0

  0x900293b0 Return addr 0x403345FC (gen_server:call/3 + 76)
  y(0)     'a@ripa'
  y(1)     infinity
  y(2)     #Ref<0.0.64.203877>
  y(3)     <0.20.0>

  0x900293c4 Return addr 0x40311B2C (erlang:dmonitor_p/2 + 256)
  y(0)     net_kernel
  y(1)     {connect,normal,'a@ripa'}
  y(2)     infinity
  y(3)     Catch 0x403345FC (gen_server:call/3 + 76)

  0x900293d8 Return addr 0x40311B64 (erlang:dmonitor_p/2 + 312)
  y(0)     <0.37.0>

  0x900293e0 Return addr 0x40311B64 (erlang:dmonitor_p/2 + 312)
  y(0)     <0.37.0>

  0x900293e8 Return addr 0x40311B64 (erlang:dmonitor_p/2 + 312)
  y(0)     <0.37.0>

  0x900293f0 Return addr 0x40311B64 (erlang:dmonitor_p/2 + 312)
  y(0)     <0.37.0>
  ..

=====================================================
SSL 6.0.0.13 Released for QA on February 09, 2006
=====================================================

Fixes
-----

NetDirect:
- Added escaping of predefined XML entities for NetDirect banner and license.

Windows NetDirect updated to 6.0.0.13:
- CR-Q01303609: Mac NetDirect link can only be clicked once
- CR-Q01301257: NetDirect connection lost after opening new page
- CR-Q01107486: NetDirect agent is closed by specific operation.
- CR-Q01304231: The banner and license text can be 255 bytes. Will be larger in next build
- CR-Q01298080: NetDirect installed client sessions not cleared after logout.
- CR-Q01297452: Save settings check box added.
- CR-Q01298074: NetDirect installable client breaks after multiple logins without reboot
- CR-Q01278570: NDDC - Configure /cfg/vpn x/sslclient/idlecheck true. NetDirect reconnects.
- CR-Q01303643: SQA 6.0.0.12 ND WinXP SP2 IE causes reboot and memory dump.

Mac NetDirect:
- CR-Q01303609: Mac NetDirect link can only be clicked once.
- CR-Q01303460: MAC ND - tun stays active when logout clicked in portal.
- CR-Q01303580: MAC ND 'X' out the browser will not close tun - backend accessible. unloadNetDirect is now called correctly on MacOS (and for all browsers).

Mac and Linux NetDirect:
- Banner is now displayed after NetDirect has started ok.
- CR Q01299948 Unable to reproduce, but a couple of memory handling code segments that could potentially cause the problem were found and fixed.
- Applet now handles hex representation of character entities.

BBI fixes:
- CR-Q01297189: "BBI&CLI: netDirect oslist using "integer" value = -1 for `all' is unconventional"

Cluster Manager:
- CR-Q01304328: "SSLVPNClusterMgr - Incorrect messages "Image update operation terminated"".

Fixed CR-Q01303698: Can import Local User Database with a WRONG Pass Phrase/key. Improved the exported format to be able to check that the correct password is given for the import. Note that it will not be possible to import a local database exported prior to upgrading to the version with the fix (this also affects /cfg/gtfg if a local database was configured).

Fixed CR-Q01256888: Text in Full Access tab has been changed to reflect that Full Access can be run with NetDirect.

Fixed CR-Q01193743: Do idle time checking in AAA for ipsec too, now that ipsec sessions are ticked (e.g. /info/idleusers will show them).

Fixed CR-Q01286991: Now it is possible to configure default network attributes for DHCP and RADIUS type ippools. Thus, if the RADIUS and/or DHCP server does not return any specific value for a certain network attribute, the default configured at /cfg/vpn #/ippool #/netattr will be used. The netattr menu item is now enabled also for this type of IP pool.

Fixed CR-Q01210814: Allow admin to set up a url to redirect the user to on logout. This is used to stop the WholeSecurity session protection agent.

Fixed CR-Q01288821: If WholeSecurity is enabled, don't display the login page when the user logs out.
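The escaping of predefined XML entities for the NetDirect banner and license text, together with the applet-side handling of hex character entities, both noted in this build's NetDirect fixes above, as an added Python example. This is not code from the NVG/NetDirect project; the <banner> element name, the function names and the sample banner strings are assumptions made for the illustration. It shows why operator-supplied text that is embedded verbatim in XML breaks (or changes) the document the client parses, and how escaping on the server and entity decoding on the client restore the original text.

```python
"""XML escaping for operator-supplied banner/license text (added example).

Constructed example, not code from the NVG/NetDirect project. The <banner>
element name is a hypothetical stand-in for whatever element the client
actually reads.
"""
import re
import xml.etree.ElementTree as ET

# The five entities XML predefines; every other character is literal text.
_PREDEFINED = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&apos;"}


def escape_xml_text(text: str) -> str:
    """Escape the predefined entities so arbitrary banner text stays text."""
    # '&' must be handled first or it would re-escape entities written below.
    out = text.replace("&", "&amp;")
    for raw, ent in _PREDEFINED.items():
        if raw != "&":
            out = out.replace(raw, ent)
    return out


# Named entities plus decimal (&#65;) and hex (&#x41;) character references.
_ENTITY_RE = re.compile(r"&(#x[0-9A-Fa-f]+|#[0-9]+|amp|lt|gt|quot|apos);")


def unescape_xml_text(text: str) -> str:
    """Client-side decode of named, decimal and hex character entities."""
    named = {v[1:-1]: k for k, v in _PREDEFINED.items()}  # 'amp' -> '&', ...

    def repl(m: re.Match) -> str:
        body = m.group(1)
        if body.startswith("#x"):
            return chr(int(body[2:], 16))
        if body.startswith("#"):
            return chr(int(body[1:], 10))
        return named[body]

    return _ENTITY_RE.sub(repl, text)


def build_banner_xml(banner: str, escape: bool) -> str:
    """Wrap banner text in a <banner> element (hypothetical element name)."""
    body = escape_xml_text(banner) if escape else banner
    return f"<banner>{body}</banner>"


def banner_from_xml(doc: str) -> str:
    """Parse the document as XML and return the banner text (ET unescapes)."""
    return ET.fromstring(doc).text or ""


def embeds_safely(banner: str) -> bool:
    """True if embedding the raw, unescaped banner still yields well-formed XML."""
    try:
        ET.fromstring(build_banner_xml(banner, escape=False))
        return True
    except ET.ParseError:
        return False


if __name__ == "__main__":
    # Constructed sample banner containing characters that are special in XML.
    sample = "Terms & conditions: access < 2h"
    print("raw embedding well-formed:", embeds_safely(sample))
    doc = build_banner_xml(sample, escape=True)
    print("escaped document:", doc)
    print("round trip ok:", banner_from_xml(doc) == sample)
    print("hex/decimal entities:", unescape_xml_text("&#x41;&#66;&lt;"))
```

The interesting case is the negative one: a banner with a bare "&" or "<" makes the raw document unparseable, so the client sees a parse error rather than the text, while a banner such as "Use <b>bold</b>" would parse but turn the operator's text into child elements. Escaping on the server side removes both problems, and a client that decodes "&#xHH;" as well as "&#NN;" and the named forms gets the original string back.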
Fixed CR-Q01304405: The CLI session crashed if a user was deleted from another CLI/BBI session while the edit user CLI menu was accessed in this CLI (i.e. this CLI session was still in a now deleted entry).

Fixed CR-Q01304238: WinFF now displays "License Not Accepted" when applicable.

Fixed CR-Q01304233: Scroll bars are added for large banner and license texts.

Fixed CR-Q01297294: /info/botuns overhaul.

Fixed CR-Q01270920: 'xnet is not defined' message when using IE 5.5. There is a setting in the CLI which governs whether the NVG produces compressed content for the client or not. It defaults to 'off'. When set to 'off', no compressed content is sent to the client browser. When set to 'on', the content from the intranet and from the NVG will be compressed if the client browser accepts compressed content. This change makes the NVG portal code take this setting into account when delivering the javascript file xnet.js to the client.

Added newlines in slogan text for 'Tools->System Info' in the portal.

Added a limit of 2048 characters for NetDirect banner resp. license text in the CLI.

Fixup Radius attributes: Now VendorID 0 can be used to mean std attribute everywhere.

Corrected client side reverse rewrite to remove the document tag ',xct?' at the end of urls. This can be verified by putting the following html code on a web site and accessing it through the portal. Previous versions displayed test.js,xct1; now the correct value test.js is displayed.

When running a HTTP proxy with HTTPS traffic we would end up with requests where a variable holding the path was NULL. This was not handled correctly; simpleproxy did a segmentation violation and got restarted. This has been corrected.

=====================================================
SSL 6.0.0.12 Released for QA on February 02, 2006
=====================================================

Fixes
-----

BBI fixes:
- CR-Q01298697: "Online help does not work on the ASA1000 card, unauthorized internal error".
- CR Q01297035: "BBI session timers don't accept 0 min and 0 sec if only hours set".
- Restricted the username and password to 235 characters and validated the username and password so that no unexpected input is formed.

Cluster Manager fixes:
- Changes related to performance improvement.

NetDirect:
- License and banner are now displayed when starting the client.

Windows NetDirect:
- Fixed CR-Q01271365: External authentication support in NDDC.
- Fixed CR-Q01302268: NetDirect "Authentication Failed" after logout.
- GUI enhancement for External authentication in NDDC.
- Support for showing license text and banner from the ndbanner and ndlicense CLI (and BBI) commands.

Mac NetDirect:
- Fixed issues regarding root password. Handling of the cancel button and empty passwords did not work properly.

Mac and Linux NetDirect:
- Fixed CR Q01288715, CR Q01276931 NetDirect now supports the split tunneling modes disabled and enabled. If a non-supported mode is configured it falls back to disabled mode.
- Fixed issue with the client reporting "Connection not allowed" when it actually is. The message is also changed to "Connection not allowed! Probable reason: OS Type is not allowed or no free IP available in IP Pool"
- Fixed CR Q01283371 Since mobility is not supported, NetDirect closes if the IP address is renewed.
- Fixed CR Q01299962: Timestamp added to "Renegotiate" log message.

Fixed CR-Q01297188, CR-Q01297173 and CR-Q01297189: Changed the internal representation of the allowed OSs for the NetDirect, TDI and LSP clients to be an enum instead of integers, so that integers can no longer be used in the CLI (and BBI). The integers were mapped to symbolic names before, but it was still possible to use integers and that was confusing. The fix also handles upgrades from earlier 5.5 and 6.0 builds (but values will *not* be kept at downgrade!)

Fixed CR-Q01273870: Win FFox - close portal and ND connection remains open.

Fixed CR-Q01281609: Linux ND logout portal link fails if ND tunnel is up.
Preliminary fix for Q01256692: Add hidden /cfg/sys/host #/interface #/mtu command to allow setting of the MTU.

Fixed CR-Q01282350: Linux ND does not allow ND link to be clicked more than once.

Fixed CR-Q01256888: Text in Full Access tab has been changed to reflect that Full Access can be run with NetDirect.

Fixed CR-Q01273702: Bottom half check in NMI watchdog fired too quickly.

Fixed group assignment (got only group == username) for "internal" CLI access on 2424-SSL/SVM-1000.

Added /info/id command to show user name and groups for the current user.

LDAP Fix: When the password expiry time left is less than 1 day, the display will show "Password expires today".

=====================================================
SSL 6.0.0.11 Released for QA on January 26, 2006
=====================================================

Fixes
-----

NetDirect updated to 6.0.0.10 fixed:
- Q01282947 --> SQA 5.5.0.20 NDIC - https prefix and FQDNs will fail if used as 'Destination:'
- Q01256428 --> SQA 5.5.0.13 - upgrade prompt when an early version NDDC connects to the portal.
- Q01274083 --> NDIC will not connect if portal port differs from 443.
- Q01268016 --> SQA 5.5.0.17 NDDC loaded in system tray doesn't allow portal ND link to be clicked.
- Q01256444 --> SQA 5.5.0.13 NDDC support to connect to 5.1.x.x portal.
- Copyright changed to 2004-06.

Mac and Linux NetDirect:
- Fixed CR Q01293693, Q01281612. NetClient_*.zip is removed when closing NetDirect. NetDirect.log is removed if no error occurred when running NetDirect.

NetDirect Applet:
- Fixed CRs Q01281608, Q01281609, Q01273875 and Q01273870. All related to stopping NetDirect in different ways.

NetDirect WINDOWS IE:
- JavaScript code to launch NetDirect changed for Internet Explorer. When in nonAdmin mode the same applet used in Firefox is used instead of the old applet. This means that the NetDirect ActiveX won't be installed in Internet Explorer for nonAdmin users.
Fixed CR-Q01163667: The ICMP service asked for a port number while configuring in the CLI /cfg/vpn#/aaa/service#/. Now the port number is only asked for with the tcp and udp protocols (VPN 5-0).

Fixed CR-Q01295758: Service-creating wizards were broken by the no-port-for-ICMP requirement.

Fixed CR-Q01265036: On Linux FF - error handling when ND is already running.

Fixed CR-Q01295784: Added a question about the IP pool network mask in the new wizard for IPsec.

Updated time zone data from the FC-4 update rpm tzdata-2005r-3.fc4.noarch (primarily the US 2007 DST changes, also preliminary Canada ditto, plus various other updates).

Enabled DMA for IDE disks.

Turn off root idle timeout on CD install.

Known Issues:
-------------
When logging out from the portal under Windows, NetDirect shows a message instead of just exiting silently. Will be fixed in the next build.

When running NetDirect on Firefox/JRE-1.5 under Linux and logging out from the portal, the applet does not terminate and the login page will not show up. Closing NetDirect prior to logging out works, though.

=====================================================
SSL 6.0.0.10 Released for QA on January 24, 2006
=====================================================
Fixes
-----
BBI fixes:
- CR Q01286242: "BBI: TG -- "details" parameter missing from BBI".
- Supported the commands /cfg/vpn/sslclient/ndbanner and /cfg/vpn/sslclient/ndlicense.
- Removed support for the command /cfg/vpn/sslclient/ndxml according to CLI changes.
- Updated the possible values for the /cfg/vpn #/aaa/auth #/cleartrust/authtype command according to CLI changes.

Cluster Manager fixes:
- CR Q01285385: "(SSLVPNClusterMgr - Image should be able to be downloaded without Installed)"

LDAP fixes:
Password expiry information is displayed at login to the portal only when 5 days (or less) remain before the password expires. But sometimes, when used with IE Cache Wiper, the password expiry alert seems to be blocked by the Cache Wiper.
Mac and Linux NetDirect:
- Better fix for CR Q01283504: The periodic check is removed. Instead the NetDirect client waits gracefully until it detects that the applet is dead.
- Fixed CR Q01281606: Received counters are now being updated.

Mac NetDirect:
- Fixed CR Q01255443: The user no longer needs to be root to run NetDirect. Enabling root and knowing the root password is still required, though.

NetDirect Applet:
- Fixed CR Q01288618: Removed undefined error from the Java console.
- Fixed CR Q01282205: An existing FireFoxInstaller.dll file no longer prevents NetDirect from starting.
- Fixed CR Q01286621: The (expected) exception is not shown anymore.

Fixed CR-Q01282242: Added a wizard for NetDirect link creation.

Fixed the import of a wrong-sized sdconf.rec file for RSA. A check of the sdconf.rec file size has been added. According to the RSA Knowledgebase, the sdconf.rec file should always be 1024 bytes in all instances of ACE/Server 5.x and ACE/Agent 5.x. If the sdconf.rec file size changes in future RSA ACE releases, this fix should be revisited.

Fixed CR-Q01290075: Allow up to 1000 chars for Subject/Issuer DN in the X-SSL header.

=====================================================
SSL 6.0.0.5 Released for QA on January 19, 2006
=====================================================
Fixes
-----
Fixed Q01292019: NetDirect did not start if TunnelGuard had been running at login.

=====================================================
SSL 6.0.0.4 Released for QA on January 18, 2006
=====================================================
Fixes
-----
Temporary fix for Q01291007: Back out the fix for Q01195775 (from 5.1.x).

=====================================================
SSL 6.0.0.3 Released for QA on January 13, 2006
=====================================================
Fixes
-----
SSL backend connections from SSI/AAA (e.g. WholeSecurity, LDAPS) didn't work if the VPN was bound to a backend interface (adv/interface != 0). Expected to fix the remaining problem with Q01280890.
Portal NetDirect caused the popup "Failed to download NetDirect XML from VPN server".

=====================================================
SSL 6.0.0.2 Released for QA on January 12, 2006
=====================================================
Fixes
-----
Mac and Linux NetDirect:
- Fixed CR Q01286569: The correct binary is now installed. The tun driver is not unloaded when NetDirect is stopped.
- Fixed CR Q01283504: If the applet dies, the NetDirect client dies also.
- Partially fixed CR Q01281612: The NetClient directory is also removed when the browser is closed.
- Fixed CR Q01249887: The correct OS identifier is sent from the Mac NetDirect client.

Fixed Q01283706: Network attributes are sent to the NetDirect client also on reconnect.

Fixed Q01286075: VPN-ID was off by 3 in the RADIUS auth request.

Fixed broken ftp links in the portal - bug introduced by the incomplete fix for Q01195775 in 6.0.0.1 (from 5.1.x).

Added the following CLI commands:
  /cfg/vpn #/sslclient/ndbanner
  /cfg/vpn #/sslclient/ndlicense

Removed the /cfg/vpn #/sslclient/ndxml command that was not used.

Fixed a problem with the CLI dump command that produced an extra newline, which changed the entry if the output was used with paste (this concerns commands like /cfg/vpn/sslclient/ndbanner that end their input with ...).

Changed the /cfg/vpn #/aaa/auth #/cleartrust/authtype value ntlm to nt.

Changed the default Authentication Port value for ClearTrust auth servers to 5615.

Corrected the help text for the ClearTrust connection mode setting.

ClearTrust auth: Changed the order of the flags to the ctagent call. This fixes the calls to auth_servers.

BBI fixes:
For SSL-VPN BBI
- Updated the copyright information.
- Updated/added help pages for the Authentication menu.
- Updated the OS lists in the /cfg/vpn #/sslclient menu.
For Cluster Manager
- CR Q01275523: "(SSLVPNClusterMgr - Normal user can't be added through user management)"
- CR Q01276751: "(SSLVPNClusterMgr - No Status propagation for authentication failure)"

Fixed CR-Q01251133: Removed the fname argument to upload_abort.yaws, which could be used for XSS attacks.
Fixed CR-Q01251133: Fix for XSS (cross-site scripting) attack using the ts argument of upload_abort.yaws.

=====================================================
SSL 6.0.0.1 Released for QA on January 10, 2006
=====================================================
Fixes
-----
NetDirect updated to 5.5.0.13, fixes:
- Q01281437 --> Win NetDirect disconnects and reconnects frequently under no load
- Q01281453 --> SQA 5.5.0.20 - NDIC Connection name required for clickable Connect button
- Q01281613 --> SQA 5.5.0.20 LogFile rollover and date stamp needed for NetDirect.log
- Q01273035 --> Mobility on NetDirect - NetDirect exits while switching wireless access point
- Q01282947 --> SQA 5.5.0.20 NDIC - https prefix and FQDNs will fail if used as 'Destination:'
- Q01274083 --> SQA 5.5.0.18 NDIC will not connect if portal port differs from 443.
*Note* The ActiveX component is not updated; it is still 5.5.0.12.

RSA ClearTrust auth fixes - some more information is still needed from RSA, but the code seems to run now and can be tested.

Mac and Linux NetDirect:
- Fixed Q01276931: Client now asks for splittun settings.
- Large number of Mac-specific fixes. Still only runnable as root, though.
- Fixed Q01281613: Added rotation and timestamps to the log. The log is also renamed from cl.log to NetDirect.log. If the log file is larger than 3MB when the client starts, a new file is created and the old one renamed.
Fixed Q01280890: WS: Internal Yaws Error returned on successful scan.

Cluster Manager fixes:
- Q01276798: "SSLVPNClusterMgr - Ports Information "Mode" is always "full""
- Q01276796: "SSLVPNClusterMgr - Ports Information "Speed" is always "0""

Updated certificates for signing of Java applets.

Fixed Q01216792: RADIUS accounting includes Calling-Station-ID and Framed-IP-Address.

Fixed problem with creation of new windows from JavaScript. The reason for the fix is described in customer case 051103-42537: the Microstrategy fix of 2004-08-31 disabled ALL rewriting of client-side JavaScript. This fix makes client-side rewriting work as before.

Fixed Q01264690: PKI authentication loop if TG non-match and teardown action. The user is now redirected to the auto login page in case of TG failure with certificate login, which shows the TG failure reason (just like the normal login page).

Improved error handling for the TG IPsec handler (if the client closed the socket just before the tg_server sent a message, an unnecessary crash entry was produced in the log).

Fixed Q01195775: The directory and file names are hex encoded so that Internet Explorer won't corrupt them. (from 5.1.x)
Fixed Q01177838: French apostrophe problem. (from 5.1.x)
Fixed Q01163667: ICMP service asks for port number while configuring in the CLI /cfg/vpn#/aaa/service#. (from 5.1.x)
Fixed Q01177727: English message in French portal. (from 5.1.x)
Fixed Q01161886: SMB and FTP upload file name with special characters fails (e.g. @#$%foo.txt). (from 5.1.x)
Fixed Q01154557: Sub-CA certificates authentication fix. (from 5.1.x)

=====================================================
SSL 5.5.0.20 Released for QA on December 22, 2005
=====================================================
Fixes
-----
NetDirect updated to 5.5.0.12, fixes:
Q01274083 - SQA 5.5.0.18 NDIC will NOT connect if portal port differs from 443.
  [ Added an extra dialogue box to enter the port number ]
Q01274037 - NetDirect client continues the connection while prompted not to.
Q01268016 - SQA 5.5.0.17 NDDC loaded in system tray doesn't allow portal ND link to be clicked.
  [ Grey icon while idle ]
Q01246860 - RADIUS IP Pool Secondary WINS Server can't be passed to NetDirect client
  [ Secondary WINS support ]
Q01258872 and the remaining UDP reconnection problems have been solved.

Mac NetDirect client is now working like the Linux client, using the same applet.

NetDirect Applet
- Fixed CR Q01255749: If the downloaded DLLs are present, they are not downloaded again.

Fixed CR-Q01278939: Fixed intermittent parse error of interfaces while SNMP was checking for link status changes.

Removed a debug printout that crashed the erlerror disk_log handler while downloading a new software package using the BBI.

Removed the overall limit on the number of BO tunnels (was 5000) per PLM decision.

Removed unsupported OS types from the respective client settings (added winnt for LSP). (CR Q01235265)

Fixed problem creating SMB links in the CLI.

Changed how the links are organized within the columns in a linkset. Now the links are distributed to the columns row by row. Before, this was done on a fill-column-first basis, which made it hard to understand how/in which order the links were distributed. Now, if 4 columns are configured and 7 links (i.e. link 1-7) exist in the linkset, they are distributed as:
  col1: 1, 5
  col2: 2, 6
  col3: 3, 7
  col4: 4
Before, the links were displayed as follows (due to calculations that found that it should be 1 link per column with the rest in the last column):
  col1: 1
  col2: 2
  col3: 3
  col4: 4, 5, 6, 7

Added NetDirect icon to the system tray for Unix client OSs.

Fixed bug with IP addresses not being returned to the pool on logout.

Imported the help texts from the command reference file as of Dec 15.

Enhanced tab completion for the /cfg/sys/host and /cfg/sys/host/interface CLI commands (the IP address is used for completion).
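The two distribution rules described above, as an added example that is not code from the release notes or from the product: the new row-by-row rule next to the old fill-column-first rule, both modelled from the description, with the 7-links-over-4-columns case from the note as constructed input.

```python
"""Linkset column layout: new row-by-row distribution next to the old
fill-column-first rule. Added example, not product code; input is constructed."""
from typing import Dict, List

Layout = Dict[int, List[str]]


def distribute_row_major(links: List[str], columns: int) -> Layout:
    """New behaviour: link i (0-based) lands in column (i mod columns) + 1, so
    reading the columns left to right, row by row, yields the configured order."""
    if columns < 1:
        raise ValueError("a linkset needs at least one column")
    layout: Layout = {col: [] for col in range(1, columns + 1)}
    for index, link in enumerate(links):
        layout[index % columns + 1].append(link)
    return layout


def distribute_fill_first(links: List[str], columns: int) -> Layout:
    """Old behaviour: integer division fixed the links per column and the
    remainder was appended to the last column, which is what made the order
    hard to follow (7 links over 4 columns gave 1, 1, 1, 4)."""
    if columns < 1:
        raise ValueError("a linkset needs at least one column")
    per_column = max(1, len(links) // columns)
    layout: Layout = {}
    position = 0
    for col in range(1, columns + 1):
        if col == columns:
            layout[col] = links[position:]  # remainder goes into the last column
        else:
            layout[col] = links[position:position + per_column]
            position += per_column
    return layout


def render(layout: Layout) -> List[str]:
    """Text form used in the release note, e.g. 'col1: 1, 5'."""
    return [f"col{col}: {', '.join(links)}" for col, links in sorted(layout.items())]


if __name__ == "__main__":
    sample_links = [str(n) for n in range(1, 8)]  # constructed: links 1-7
    for line in render(distribute_row_major(sample_links, 4)):
        print(line)
```

Running the block prints the four "col" lines from the note; swapping in distribute_fill_first reproduces the old 1/2/3/4,5,6,7 layout.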
Fixed CR-Q01123899: Enhanced tab completion for the /cfg/vpn/linkset/link CLI command. The configurable link text is used for tab completion. If the link text is longer than 11 characters, the first 8 chars are used, postfixed with ...

Fixed CR-Q01173628: Enhanced tab completion for the /cfg/vpn/aaa/network/subnet CLI command. Depending on how the subnet is configured, either the name or a combination of host/mask is used.

BBI fixes:
- Supported the /cfg/vpn #/aaa/wholesec/quick command.
- Checked in the updated TG Admin help files (fix for Q01269012).
- Q01272750: "SSL-VPN: BBI needs to support Portal Custom Content Feature in v5.5"
- Supported the command '/info/ippool'.
For Cluster Manager:
- Q01275905: "SSLVPNClusterMgr - Deletion of the images should be supported"
- Q01275474: "SSLVPNClusterMgr - Help information needed for Performance windows"

=====================================================
SSL 5.5.0.19 Released for QA on December 15, 2005
=====================================================
Fixes
-----
Windows NetDirect updated to 5.5.0.11, fixes:
- Fix for NetDirect Mobility issue; reconnection over TCP works as it should.
- Q01269392: NetDirect connection established without IP assigned
- Q01269878: DNS and WINS are not passed to the NetDirect client through RADIUS
- Q01258936: /cfg/vpn 1/sslclient/caching on will prevent NetDirect connection
- Q01269859: NetDirect exit - Route addition failed with Invalid parameter
- Q01273779: Mobility on NetDirect: Connection failed the second time of switch IP
- Q01258885: Mobility on ND - icon becomes blue but connection can't pass traffic
- Q01268069: SQA 5.5.0.17 - ND disconnects and reconnects to server but traffic fails to pass

Linux NetDirect:
- Fixed CR Q01265029: The applet message now says that root login failed. Clicking the NetDirect icon again without closing the applet gives the user the option to enter the root password.
- Fixed CR-Q01274101: NetDirect now connects to the port defined in the CLI.
BBI fixes:
- Q01254957: "BBI: VPN Admin unable to launch TunnelGuard Applet"
- Q01272757: "SSLVPNClusterMgr - default password and difference should be provided"
- Q01275009: "SSLVPNClusterMgr - "Modifying login password for 'admin'" should be modified".

Citrix Applet: Fixed NullPointerException when accessing the Windows registry.

Portforwarder API: The downloadable developer archive is now a zip file instead of tgz.

Fixed Q01263974: MAC address changed when adding a port to an interface.

Added TG failure details to be displayed with the wizard tg_failed linkset created by /cfg/vpn/aaa/tg/quick.

Added text conversion of credentials from the portal for LDAP auth; they are now converted to UTF-8.

Fixed Q01274927: FullAccess tab link to www.java.com fails with HTTP 404.

Fixed so that the warning that the password expires does not appear when the never-expire flag is set (LDAP auth).

Merged in fixes from the NSNAS branch as of NSNAS-1.0.0.31.

=====================================================
SSL 5.5.0.18 Released for QA on December 08, 2005
=====================================================
Fixes
-----
Fixed CR-Q1268004: FireLock is set to avoid a double click on the NetDirect link opening two applet windows. The NULL and closed checks were not enough.

The non-admin Java window has been updated to retry only 4 times when activating NetDirect after it has tried to install the NetDirect ActiveX control. The portal is reloaded at every check, which makes the warning that the CacheWiper is inactive appear four times if ActiveX controls are not allowed in IE. This should be fixed to work better: even if the portal has to be reloaded, the warning should only be displayed once, perhaps using a cookie.

Fixed CR-Q01270471: Do not use an SSL license as backup for an IPsec license in case the HW limit is reached for the IPsec license.

Fix for having a non-ASCII password in NTLM.

Fixed a problem where the control channel between the aaa and the simpleproxy was not handled in case of an internal aaa_server restart.
The simpleproxy logout function was not re-registered, which much later could lead to an AAA sub-system hang (not accepting any new login attempts) or a new restart (depending on how/when the issue appeared, the type of error differed with the type of operation).

BBI fixes:
- Q01262715: "User license added via BBI is not additive"
- Q01259419: "SSL VPN/BBI: Login session Time to Live seconds field has a "-1", should be "0""

Windows NetDirect 5.5.0.10 fixes:
- Q01268045 -- SQA 5.5.0.17 Select "NO" when prompted for security alert does not end progress
- Q01269859 -- NetDirect exit - Route addition failed with Invalid parameter
- Q01269878 -- DNS and WINS are not passed to the NetDirect client through RADIUS

Linux NetDirect:
- Fixed CR-Q01255846: A details button is added to the applet. Pressing it makes a new text area visible, showing the status information.
- Fixed CR-Q01265038: NetDirect now also works with the OS list set to only allow Linux.
- Fixed CR-Q01265022: The existence of all needed files is checked before starting NetDirect. If any are missing, a download is triggered.
- Fixed CR-Q01265025: The portal session is no longer closed when stopping NetDirect.
- Bugfix: The correct netmask is now set for the tun interface.

Outlook port forwarder: Fixed issue where a misconfigured port forwarder resulted in an unsuccessful connect. The port forwarder did not handle this properly, leaving it in a lingering state. The error is now caught, leaving it up to the user to take proper action, i.e. close the port forwarder. Ref: CR-Q01256594.

Cleaned up the aaa_smb.erl code. Made each auth request execute in its own Erlang process. This should speed up authentication due to the increased concurrency and removal of potential bottlenecks.

New layout when presenting portal errors, using the portal look and feel.

Updated portal help pages.
=====================================================
SSL 5.5.0.17 Released for QA on December 01, 2005
=====================================================
Fixes:
------
NetDirect 5.5.0.9 fixes:
- Banner dialog shows as the topmost window.
- System ipconfig information is displayed in the NetDirect log file.
- A condition check has been added for the TAP adapter virtual IP assignment confirmation. This version checks whether the IP is properly configured or not.
- License text and banner information issues have been solved in the Firefox browser support DLL.
- Client updated because the gateway configuration has been removed from the local IP pool network attribute settings.
- Fixed CRs: Q01236264, Q01227580, Q01227617, Q01227588
Note: No WINS server can be configured in the IP pool netattrs. Having one or two WINS servers set causes the wrong info to be sent to NetDirect. This will be fixed in the next build.

IEWiper 5.5.0.8 fixes:
- New Nortel logo.

BBI fixes:
- The password for the command /cfg/vpn #/linkset #/link #/ftpproxy/ppass is now hidden; this was left out of the fix for CR Q01255753: "SQA 5.5.0.13 - BBI - Password needed to be hidden in BBI - CLI CR Q01227480".
- Supported the menu /cfg/vpn #/aaa/tg/ipsec.
- Removed support for the following commands (according to CLI changes):
  /cfg/vpn/ippool/netattr/gateway
  /cfg/vpn/aaa/auth/radius/netattr/gatewayid
  /cfg/vpn/aaa/auth/radius/netattr/gatewaytype

IPsec fixes:
- Fixed Q01178892: IPsec connections drop when multiple users are behind NAT.
- Fixed a problem similar to Q01178892 for BO tunnels with multiple local/remote networks: Traffic could be sent using the wrong IPsec SA.
- Fixed IPsec statistics for multiple users behind NAT, and for BO tunnels with multiple local/remote networks.
- Added "collision" resolution, so that when two BO tunnel endpoints concurrently negotiate the same ISAKMP or QM SA, communication proceeds properly.

The Nortel logo has been updated.
Fixed CR-Q01264645: SimpleProxy rewriting contents of binary executable.

Fixed CR-Q01258698: Added "... (comma separated):" to the command prompt in the same way as for other commands of the same type.

Fixed CR-Q01265361: License count should never go negative (fixed a race condition).

Fixed CR-Q01265206: If /cfg/vpn/aaa/group/restrict was set to something other than 0, login failed with a Yaws error.

Fixed CR-Q01209627: The IP pool is now also validated against the VIPs of all configured VPNs. Also, the IP pool validation is enabled in the SSP case.

Always send 0.0.0.0 as gateway address to the NetDirect client and let the client set up the gateway to be the same as the assigned IP address (i.e. remove the IP + 1 logic in the client).

Fixed CR-Q01256594: Outlook-specific registry changes were written incorrectly into the registry.

Fixed bug where aaa/ldap attribute parsing was not case insensitive. Now it *is* case insensitive. Bug reported by Brad Black.

=====================================================
SSL 5.5.0.16 Released for QA on November 28, 2005
=====================================================
Fixes:
------
NetDirect-for-Linux fixes:
- CR-Q01251273: NetDirect does not provide NBNS functionality. smb.conf is now updated with the defined WINS (NBNS) server.
- CR-Q01250697: Root user does not need to enter a password when starting NetDirect.
- CR-Q01251129: NetDirect does not provide DNS-related functions. resolv.conf is now updated with the defined DNS information.
- Fixed segfault when NetDirect was not enabled in the CLI.
- Client is now working for kernel versions > 2.6.12.

BBI fixes:
- CR-Q01255753: "SQA 5.5.0.13 - BBI - Password needed to be hidden in BBI - CLI CR Q01227480".
- CR Q01242258: "BBI Cluster Mgr: link in the Help->About not valid".
- Updated the help pages of the SSL Offload menu.

Fixed CR-Q01255568: Secondary auth didn't work in combination with client cert login.
Fixed CR-Q01258619: The '/cfg/vpn/aaa/filter/iewiper true' setting did not work to select a profile for a user.

Fixed Q01242859: HTTP compression caused a memory leak.

Fixed CR-Q01257387: The following CLI commands are no longer accessible unless the administrator user is a member of the admin group, e.g. for the default oper user:
  /cfg/sys/dns
  /cfg/quick
  /cfg/test
  /cfg/lang/import
  /cfg/lang/export
  /cfg/lang/vlist
  /cfg/lang/del

Fixed CR-Q01210814: Added '/cfg/vpn #/aaa/wholesec/quick' to make WholeSecurity configuration easier.

Fixed Q01249382: Simpleproxy restarted after 497 days of uptime due to a "broken" return value from times() (the clock_t tick counter wraps at 2^32 ticks, which is about 497 days at 100 ticks per second).

At startup of the SNMP agent, don't open the UDP socket for the MIP before the MIP has been brought up (this had the effect that some startup traps, coldStart and ssi-mipishere, were not sent).

Changed the recv buffer size for trans2-next messages. Hopefully this fixes bug Q01228370 - SMB not displaying complete contents of remote machine.

Fixed problem with SHA used as authproto for SNMP requests/traps.

Adopted the general portal layout on the logout_warning window.

=====================================================
SSL 5.5.0.15 Released for QA on November 21, 2005
=====================================================
Fixes:
------
Fixed CR-Q01257952, CR-Q01258043, CR-Q01257967 and CR-Q01257961.

Fixed problem related to doing a DNS lookup for an IP address when the string given as argument already is an IP address. If the DNS server is configured to do recursive lookups but doesn't reach the top-level DNS servers, our call times out. And, as we had already been given the IP address, the lookup is not needed (even though the original behaviour is correct, it is not suitable for our system).

Fixed Q01258394: IPsec cert login was broken due to the addition of ClearTrust Cert-DN validation.

Fixed CR-Q01255833: The gateway configuration has been removed from the local IP pool network attribute settings and thus also from the RADIUS network attribute settings.
In addition, the DHCP pool ignores gateway information received from the DHCP server. The gateway setting is removed as it was only used to get a dummy gateway configured for NetDirect on Windows. Now, the gateway configured will always be the same address as the IP address received from the pool. The setting was confusing for the admin user to configure, and removing it also streamlines this with the IPsec client (which sets the gateway to the IP address of the interface as well).
Removed CLI commands:
  /cfg/vpn/ippool/netattr/gateway
  /cfg/vpn/aaa/auth/radius/netattr/gatewayid
  /cfg/vpn/aaa/auth/radius/netattr/gatewaytype

The /config/isd directory was not cleaned up if the IP address (of interface 1) was reconfigured for the master in a single-master cluster setup.

Delete user content when deleting a VPN/domain; don't delete on IP/type change.

Added LDAP group search functionality (a la iPlanet) plus an LDAP short group command for parsing groups like cn=XXX,cn=... into XXX.

=====================================================
SSL 5.5.0.14 Released for QA on November 17, 2005
=====================================================
Fixes:
------
NetDirect version 5.5.0.8 fixes:
- CR-Q01235972: When NetDirect is denied to start because of the OS, the banner is not shown and no reconnection attempts are made.
- If the admin user name is empty, a dialogue asks for admin credentials.
- Secondary WINS server support added.

BBI fixes:
1. Provided fix for the CRs
   Q01254951: "BBI: VPN Admin unable to add the DNS server for VPN"
   Q01254872: "BBI: SONMP should not be part of the VPN Admin BBI"
   Q01237000: "BBI: Cannot create IAUTO Link in 5.5.0.9 when FQDN is in the Link."
   Q01245760: "BBI: IP Pool needs to be configurable in VPN Admin BBI"
   Q01252380: "BBI: Left side menu selection remain old BBI style in Admin BBI"
   Q01246969: "SSL VPN BBI: Default color theme is not reverting back to proper aqua color theme".
2.
   In Cluster Manager, provided fix for the CRs
   Q01250261: "BBI: Exit out SSL-VPN Cluster Manager on Linux freezes the browser"
   Q01250267: "BBI: SSL VPN Cluster System should have the same look and feel from regular BBI"

Upgraded Erlang/OTP from R10B-4 to R10B-8 due to a memory leak found by the SNAS project. For fixes in OTP please refer to the README files below. The applications used on the target machines are:
- erts
- kernel
- stdlib
- mnesia
- sasl
- crypto
- ssl
- asn1
- snmp
- compiler
http://www.erlang.org/download/otp_src_R10B-8.readme
http://www.erlang.org/download/otp_src_R10B-7.readme
http://www.erlang.org/download/otp_src_R10B-6.readme
http://www.erlang.org/download/otp_src_R10B-5.readme

Fixed CR-Q01256093: Buffer overflow in BBI with a username longer than 9232 chars.

Added CLI banner text for unsupported software (for QA/Beta builds).

Fixed CR-Q01253144: Added the infinity choice to the /cfg/vpn/aaa/sessionttl prompt and added the possibility to configure infinity at group level.

A NetDirect link is automatically added to the portal when configuring NetDirect in the /cfg/test wizard.

Fixed CR-Q01173644: Port range should not accept a backward range such as 89-80 for the /cfg/vpn/aaa/service command.

Removed old NetDirect session/route at reconnect (for CR-Q01207091).

Removed debug message "cli_debug_open... NNNN".

=====================================================
SSL 5.5.0.13 Released for QA on November 11, 2005
=====================================================
Fixes:
------
BBI fixes:
1. Provided fix for the following CRs
   Q01239744: "BBI: "0" should not be the option in IP Pool-Default IP Pool"
   Q01246844: "BBI: Access Lists page needs to display what the content of the rule is"
   Q01246694: "BBI: Cannot make changes via in SSL Offload > Servers > SSL, changes t..."
   Q01246829: "BBI: Can't modify a user's group when there are "too many users" I have 1500 u..."
   Q01234937: "BBI: Not able to change certadmin user's password via the GUI; cli ok"
   Q01203038: "BBI, Apply Pending Configuration change warnings, should be removed after apply"
   Q01250267: "BBI: SSL VPN Cluster System should have the same look and feel from regular BBI"
   Q01246142: "SSLVPN: Not able to launch Tunnelguard applet when logging in with TG admin ..."
2. Updated the maximum value for VPN Gateways > Group Settings > Networks (/cfg/vpn #/aaa/network # in CLI) to 2047 from 1023.
3. Removed the support of the command /cfg/vpn #/ippool #/dhcp/class in BBI according to the CLI changes.

Fixed CR-Q01244424: Portal contains a flaw that allows a remote cross-site scripting attack.

Changed wording of the prompt for /cfg/domain/aaa/group/extend to the referenced filter name.

Added client Cert-DN ClearTrust validation.

Fix to handle (SECRET) for deleted items in list menus.

Fix to store the password for /cfg/sys/audit and the RADIUS server encrypted in the registry.

Changed the /cfg/vpn/linkset/link prompt not to refer to a name.

Fixed the /cfg/test CLI wizard that referenced an old-format ippool command.

PortForwarder API demo application: Removed the truststore parameter since it is not needed.

FullAccess applet: Added NetDirect as number three in priority.

Partially fixed CR-Q01218797: Added a submenu, "ipsec", to the aaa/tg menu. Renamed "UDP Retry Interval" to "Agent Query Timeout Interval" and moved it from the "tg" menu to the new "ipsec" menu. Added the ability to specify a minimum TG Agent version in the format N.N.N.N, where each N can be set between 0 and 15.

=====================================================
SSL 5.5.0.12 Released for QA on November 3, 2005
=====================================================
Fixes:
------
BBI fixes:
- CR-Q01240789: "BBI: Cert CRL automatic retrieval screen has 2 problems."
- CR-Q01239745: "BBI, label and help text needs updating in VPN Gateway/Gateway Setup/Sessions".
- CR-Q01239798: "BBI: Information for /cfg/vpn x/ippool x/info doesn't exist in BBI".
- CR-Q01239848: "BBI: Group Configuration "Domain X" should be "VPN X".

NetDirect version 5.5.0.7 fixes:
- CR-Q01227617: ND link in portal fails because NDDC found.
- CR-Q01237279: NDDC and cached-version NetDirect support, now - installed NetDirect uninstalls if the cacheable NetDirect is available on the system.
- NetDirect connects successfully while reconnecting. Traffic flow under investigation.
- CR-Q01236026: NDDC authentication fails.

Fixed problem with NetDirect on Linux not always restoring the proper routing table before exiting. Excessive logging to the Java console caused the NetDirect client to exit before all routes had been restored.

Fixed clearing of the CTSESSION cookie in the same way as the SMSESSION cookie.

Fixed CR-Q01227480: Secrets and passwords are no longer displayed in clear text in the CLI. Added the secret attribute, which can be used for CLI items of type setting and for parameters, especially in list menus. The value is displayed as (SECRET) in the cur and diff commands. dump without a password does not display the value; dump with a password encrypts the value, and the paste command must then be used to paste the configuration. Also, the password is not echoed while typing and the user has to re-confirm it. This also applies to auto wizards.
The following commands have been changed to use the secret attribute:
- /cfg/sys/adm/audit/servers
- /cfg/sys/adm/auth/servers
- /cfg/sys/adm/snmp/users #/authpasswd
- /cfg/sys/adm/snmp/users #/privpasswd
- /cfg/vpn #/ipsec/botunprof #/sharedsecret
- /cfg/vpn #/aaa/radacct/servers
- /cfg/vpn #/aaa/auth #/radius/servers
- /cfg/vpn #/aaa/auth #/ldap/isdbindpasswd
- /cfg/vpn #/aaa/auth #/siteminder/secret
- /cfg/vpn #/aaa/group #/ndwapassword
- /cfg/vpn #/aaa/group #/ipsec/secret
- /cfg/vpn #/aaa/auth #/local/add (only the prompting and re-confirm applies here)
- /cfg/vpn #/aaa/auth #/local/passwd (only the prompting and re-confirm applies here)
- /cfg/cert #/revoke/automatic/passwd
- /cfg/vpn #/portal/faccess/contpass
- /cfg/vpn #/linkset #/link #/ftpproxy/ppass

Fixed CR-Q01242080: It is no longer possible to delete an IP pool that is referenced by a group.

Fixed problem associated with CR-Q01207091. We lost the original IP allocated to the NetDirect client when it requested a new one but provided the old IP address.

Fixed CR-Q01214223: The CacheWiper icon never got set to active (and the NetDirect icon never got set correctly). This was also caused by timing issues in reloading the main frame, so now the icons are updated two seconds after the main page.

CLI command /cfg/vpn #/server/http/compress was a no-op. Totally removed /cfg/vpn #/server/portal/compress and the Gateways/#/Portal/GZip registry node; the Profiles/SimpleproxyProfiles/#/GZip registry node is now used both for SSL-accel and for the portal/VPN server.

Fixed CR-Q01237913: Cannot open Citrix applications, get error pop-up. The Citrix icon was set to "active" after 30 seconds, regardless of Citrix status.

Removed the Vendor Class command in the '/cfg/vpn #/ippool/ #/dhcp' menu, since it is not needed anymore. This is because no idle timeout is taken from the DHCP server any longer.

Fixed problem with OWA2000 and OWA2003, see CR Q01218778, Case 050901-75074.
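A model of the secret attribute's behaviour across cur/diff, dump and paste, as an added example that is not the product's code: item paths are taken from the list above with constructed values, and the encryption used for a password-protected dump (PBKDF2 key derivation, an HMAC-SHA256 counter-mode keystream and an encrypt-then-MAC tag over salt, nonce and ciphertext) is an assumption chosen so the example runs on the Python standard library alone.

```python
"""Model of the CLI 'secret' attribute: cur/diff mask the value, dump without a
password omits it, dump with a password encrypts it and paste restores it.
Added example, not the product's code; the cipher construction is a stand-in."""
import base64
import hashlib
import hmac
import os
from typing import Dict, List, Optional

Config = Dict[str, str]

# Constructed sample configuration (paths from the release note, values made up).
SAMPLE_CONFIG: Config = {
    "/cfg/vpn 1/aaa/auth 1/ldap/isdbindpasswd": "bind-Pa55w0rd",
    "/cfg/vpn 1/aaa/auth 1/ldap/timeout": "10",
    "/cfg/vpn 1/ipsec/botunprof 1/sharedsecret": "s3cr3t psk with space",
}
# Items carrying the secret attribute (assumed subset of the list above).
SECRET_ITEMS = {
    "/cfg/vpn 1/aaa/auth 1/ldap/isdbindpasswd",
    "/cfg/vpn 1/ipsec/botunprof 1/sharedsecret",
}
_SALT_LEN = _NONCE_LEN = 16
_TAG_LEN = 32


def _derive_keys(password: str, salt: bytes):
    """One PBKDF2 run yields an independent encryption key and MAC key."""
    material = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=64)
    return material[:32], material[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF stream (stand-in for a real cipher)."""
    blocks: List[bytes] = []
    counter = 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt_secret(password: str, value: str) -> str:
    """Return base64(salt || nonce || ciphertext || tag) for one secret value."""
    salt, nonce = os.urandom(_SALT_LEN), os.urandom(_NONCE_LEN)
    enc_key, mac_key = _derive_keys(password, salt)
    plaintext = value.encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return base64.b64encode(salt + nonce + ciphertext + tag).decode()


def decrypt_secret(password: str, blob: str) -> str:
    """Verify the tag first, then decrypt; a wrong password is rejected."""
    raw = base64.b64decode(blob)
    salt, nonce = raw[:_SALT_LEN], raw[_SALT_LEN:_SALT_LEN + _NONCE_LEN]
    ciphertext, tag = raw[_SALT_LEN + _NONCE_LEN:-_TAG_LEN], raw[-_TAG_LEN:]
    enc_key, mac_key = _derive_keys(password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong password or tampered dump")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))).decode()


def cur(config: Config) -> List[str]:
    """'cur' and 'diff' view: secret values are shown as (SECRET)."""
    return [f"{path}\t{'(SECRET)' if path in SECRET_ITEMS else value}"
            for path, value in sorted(config.items())]


def dump(config: Config, password: Optional[str] = None) -> List[str]:
    """'dump' output: without a password secret items are left out entirely;
    with one they are written as ENC:<blob>, which only 'paste' can restore."""
    lines: List[str] = []
    for path, value in sorted(config.items()):
        if path in SECRET_ITEMS:
            if password is None:
                continue
            value = "ENC:" + encrypt_secret(password, value)
        lines.append(f"{path}\t{value}")
    return lines


def paste(lines: List[str], password: Optional[str] = None) -> Config:
    """'paste': re-import a dump, decrypting ENC: values with the dump password."""
    config: Config = {}
    for line in lines:
        path, value = line.split("\t", 1)
        if value.startswith("ENC:"):
            if password is None:
                raise ValueError(f"{path}: encrypted value but no password given")
            value = decrypt_secret(password, value[len("ENC:"):])
        config[path] = value
    return config
```

The point a practitioner should take from the round trip is that a dump taken without a password is not a complete backup (the secret items are simply absent), and that a password-protected dump is only as strong as the export password. In a real implementation the stand-in stream cipher should be replaced by an authenticated cipher such as AES-GCM from a vetted library; the tag-before-decrypt order and the per-dump salt and nonce are the properties to keep.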
OWA uses anchor tags to store information about folders and folder content. The id attribute of the anchor tag contains the URL to the document on the back-end server. The id attribute was not rewritten; now it is. This is a temporary solution to the whole reverse-rewrite problem. In the OWA code each anchor tag has both an id attribute and a url attribute; when the url attribute was accessed it was reversed, but the id attribute was not. None of the attributes should have been rewritten in the first place, as they are only used for storing URL information, not for accessing the URL. The general reverse rewrite has been removed until a better solution is implemented. The only constructs which are reversed now are:
  location.xxx
  document.xxx
  window.xxx
  document.location.xxx
  window.location.xxx
where xxx is one of the special tokens like href, url, src; see js_meth.tab for a full description. All the above expressions get rewritten when they appear as a right-hand expression, into something like:
  a = xnet.xnet_rev(document.xxx)
This code has been verified against Exchange Server 2000 and Exchange Server 2003.

Added the method LoadURL to be recognized as having an argument which needs to be rewritten.

Added the new method startDownload, which has a URL as first argument and thus needs to be rewritten. Case Number 050922-97168.

Rewrites the tags BASEROOT and IMAGEPATH in XML files.

=====================================================
SSL 5.5.0.11 Released for QA on October 27, 2005
=====================================================
Fixes:
------
NetDirect version 5.5.0.6 fixes:
- NetDirect cached mode splash screen "loading files" is changed to "checking files is ok".
- CR Q01236005 - Connected with NDDC, log into portal and close browser = ND will exit

BBI fixes:
- Fixed CR-Q01230912-01: "BBI: CA certs produce "NO" on validate command, when priv key is not present".
- Supported the command /cfg/vpn #/aaa/group#/ndwauser
- Updated the help pages for the Networks and Certificates menu.
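The narrowed reverse rewrite described above, as an added example that is not the product's rewriter: it wraps only the listed constructs (location.xxx, document.xxx, window.xxx, document.location.xxx, window.location.xxx), only when they are read rather than assigned, and only inside script bodies, so an anchor's id attribute that merely stores a URL is left alone. The token list is a small assumed subset of js_meth.tab, the sample page is constructed, and xnet.xnet_rev is used purely as the wrapper name quoted in the note.

```python
"""Reverse rewrite limited to read accesses of the constructs in the release
note. Added example, not the product's rewriter; TOKENS and SAMPLE_PAGE are
assumptions/constructed input."""
import re

# Assumed subset of the special tokens listed in js_meth.tab.
TOKENS = ("href", "url", "src")
_TOKEN_ALT = "|".join(TOKENS)

_CONSTRUCT = re.compile(
    r"(?<![\w.$])"                        # not the tail of a longer member chain (b.location.href)
    r"(?<!xnet_rev\()"                    # not already wrapped: makes the rewrite idempotent
    r"(?:(?:document|window)\.location|document|window|location)"
    rf"\.(?:{_TOKEN_ALT})\b"
    r"(?!\s*[-+*/%&|^]?=(?!=))"           # skip assignment targets; keep == and === comparisons
)


def reverse_rewrite_js(script: str) -> str:
    """Wrap every matching read access in xnet.xnet_rev(...)."""
    return _CONSTRUCT.sub(lambda m: f"xnet.xnet_rev({m.group(0)})", script)


def rewrite_page(html: str) -> str:
    """Apply the JS rewrite only to <script> bodies; markup attributes such as
    the OWA anchor id, which only store a URL, are not touched."""
    return re.sub(
        r"(<script\b[^>]*>)(.*?)(</script>)",
        lambda m: m.group(1) + reverse_rewrite_js(m.group(2)) + m.group(3),
        html,
        flags=re.IGNORECASE | re.DOTALL,
    )


# Constructed OWA-like fragment: the anchor id stores a back-end URL, the script
# reads location in three places and assigns it in one.
SAMPLE_PAGE = """<a id="https://owa.internal/exchange/user/Inbox/" href="https://owa.internal/exchange/user/Inbox/">Inbox</a>
<script>
var current = document.location.href;
if (location.href == current) { window.location.href = "/exchange/"; }
var base = window.location.href;
</script>"""


if __name__ == "__main__":
    print(rewrite_page(SAMPLE_PAGE))
```

The negative lookahead is what keeps `window.location.href = "/exchange/"` untouched while `location.href == current` is wrapped: a navigation target must receive the real URL, whereas a value read back by page script has to be reversed. The lookbehind on `xnet_rev(` lets the rewrite run twice over the same script without double-wrapping.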
Fixed CR-Q01240788: Limit auto CRL retrieval interval to max 31 days (2678400 seconds).

Fixed CR-Q01236229: Added information to the CLI that 0=unlimited while configuring /cfg/vpn/adv/license.

Fixed CR-Q01239899: A gc-marked IP pool allocation is now handled properly at a free request.

Fixed CR-Q01237206: Better event log for SSL license exhausted - now "ssl" is sent as extra information instead of "xnet" (which is what the license is called internally).

Fixed CR-Q01237104: HW-dependent limit of accepted number of users doesn't work.

Fixed CR-Q01239719: /cfg/vpn/ippool now displays the proper range.

Fixed CR-Q01238916: Fixed crash in aaa_ip_pool while handling reconfiguration.

Fixed CR-Q01234281: Problem with displaying Passcode/Password fields correctly in PDA portal.

Fixed CR-Q01175146: Problem with FTP uploads being corrupted after ~200 sec.

Fixed CR-Q01237913: Cannot open Citrix applications, get error pop-up.

Fixed problem with LDAPS auth connection. If the SSL connection handshake for LDAPS authentication failed to complete, the login could hang indefinitely and also block subsequent login attempts. Now the timeout configured via /cfg/vpn #/aaa/auth #/ldap/timeout also covers the SSL connection setup. (Case 050808-48008)

Fixed generation of the license exhausted event for SSL licenses if the fallback for IPsec licenses could not allocate an SSL license because no more licenses were available.

The FTP upload windows will now be closed when the user is logged out due to session timeout.

Require only the immediate CA cert for IPsec cert auth, not the complete chain.

Don't allow user 'oper' to /boot/{reboot,halt} (=> nothing left of /boot).

Fixed class name for Citrix applet.

Enable NMI watchdog on 410/2250/2424-SSL/3050/3070/4050 HW models.

Known deficiencies:
-------------------
On some Linux boxes, NetDirect might fail to restore a proper routing table when logging out from the portal.
If NetDirect is explicitly stopped before logging out, everything works as expected and the routing table is restored. This malfunction has so far been found on one PC running Fedora Core 2 and Firefox 1.0.4. PCs running Gentoo do not have this problem.

=====================================================
SSL 5.5.0.10 Released for QA on October 20, 2005
=====================================================

Enhancements:
-------------

NetDirect for FireFox on Linux is now supported. NetDirect is now working on Linux/FireFox. There are some cosmetic issues left and one functional issue. The cosmetic issues are for example wrong button text if NetDirect was unable to start. The functional issue is that when quitting NetDirect you are logged out from the portal.

Fixes:
------

NetDirect version 5.5.0.5 fixes:
- Group level Admin user name parameter has been added in OCX controller and Applet.
- FireFox support for Windows platform has been added.

Installable NetDirect version 5.5.0.5 fixes:
- CR-Q01227588 - non-admin clicks ND from portal fails receive error about NDDC.
- CR-Q01227580 - NDDC - client with no admin rights fails to open NDDC.
- CR-Q01227560 - NDDC v5.5.0.4 does not overwrite ND v5.5.0.3.
- CR-Q01229541 - NDDC is not in system tray click shortcut loads to system tray.
- CR-Q01227611 - grammar - You dont have Administrative Previlage to Uninstall client.
- CR-Q01224295 - Branding - NDDC setup.exe splash screen displays Nortel Networks
- CR-Q01224293 - Branding - banner displays Nortel Networks should be Nortel.

Fixed CR-Q01218738: CLI now checks that there are no duplicate subnets or hosts within a Network.

Fixed CR-Q01231318: New version of LILO needs (new) "geometric" option for bootable CD.

Fixed CR-Q01215702: WholeSecurity check was failing because RP_AACL_CHECKED and RP_CLI_CONT_LENGTH_SEEN were accidentally defined as the same.

Added support to configure NetDirect WINDOWS admin username per group (like NetDirect WINDOWS admin password):
  /cfg/vpn/aaa/group/ndwauser
  /cfg/vpn/aaa/group/ndwapassword

Window for non-admin support no longer opens when running with admin rights.

Fixed bug where stopping and starting NetDirect on Windows/FireFox did not work.

Fixed OpenSSL vulnerability. The CAN-2005-2969 vulnerability has been removed. This vulnerability only affects the ASA/NVG if protocol version SSL 2.0 has been enabled, by changing the /cfg/ssl/server #/ssl/protocol or /cfg/vpn #/server/ssl/protocol setting from the default 'ssl3' to 'ssl2' or 'ssl23'. This is discouraged regardless of this vulnerability, since the SSL 2.0 protocol has known weaknesses. See http://www.openssl.org/news/secadv_20051011.txt for further details.

=====================================================
SSL 5.5.0.9 Released for QA on October 13, 2005
=====================================================

Enhancements:
-------------

NetDirect for Firefox on WINDOWS is now supported.

Fixes:
------

Fixed CR-Q01227999: Don't send RST in FINWAIT-1 (wait until FINWAIT-2) in transparent proxy mode.

Fixed CR-Q01223244 and CR-Q01223239 (SNAS CRs which are also valid for VPN-5.5): Now the /boot/delete is synchronised and the CLI session will not be closed before all relevant configurations have been deleted.

Fixed CR-Q01226757: Failed object: mib-2.47.1.4.1.0 when snmpwalk SNAS. (Reported by SNAS QA, but the same problem also existed for VPN-5.5.) Note: In order for this fix to take effect the cluster needs to be reinitiated (i.e. /boot/delete followed by a new/join). (As the problematic table is one introduced in the 5.5 version, there is no need to write upgrade code to handle the upgrade case.)

Backported the fix for CR-Q01054338 in ISDP-1-5-1-3 (platform release) which added the secret CLI option. Needed in order to add functionality to hide passwords in the CLI.
Portal links using the SSHv2 protocol are now inactive in the PDA portal.

Fixed CR-Q01223066: FTP operations were not logged to syslog even though /cfg/vpn #/adv/log was set to all.

Fixed "customer uploadable content" bugs:
- Deleting old content at rsync from master failed (need to exclude lost+found).
- Rsync of large files failed most of the time (need to use --blocking-io).

Fixed CR-Q01228427: IPsec: IPsec user tunnels when using local address pools is broken (aaa_group_server:sort_groups/2 was broken after "recordification").

Fixed CR-Q01220483: Support downgrade to a 5.1.4.2+ release (i.e. available to customers 5.1.5+). As the support below is added to the 5.1 code stream to handle downgrade from 5.5, we only support downgrade to a release later than 5.1.4.2. This especially handles the new design of the IP pool. If the default IP pool in 5.5 is of type local, the settings for this pool are kept and the NetDirect and IPsec network attributes are configured accordingly. If the default IP pool is not of type local, the first found local IP pool is chosen (lowest number), and if no local pool is found the IP pool will be disabled (thus it is not possible to configure anything new on the system until the IP pool is configured). Also, the new TunnelGuard features introduced in 5.5+ are filtered away during the downgrade. Note that if any ClearTrust authentication server has been configured, a downgrade to 5.1.2.4+ will fail as this is impossible to support.

Fixed aaa crash if a cookie was being looked up at a node that is currently being restarted (now also handles the cache migration in this case).

Fixed class cast exception when starting the fullaccess applet.

BBI fixes:
- Q01229387: "BBI: Certificate Export of types DER and NET, will produce the Key file twice"
- Q01229382: "BBI: cannot set Smart Card Setting, apply states "no changes to apply""
- Q01227836: "BBI: DHCP Servers sequence should be configurable"
- Q01225888: "BBI: Unable to delete all Access rules at once, only individually"
- Q01227474: "SQA 5.5.0.8 Update failed: IP Pool: Unable to read value from registry".
- Q01220761: "Unable to Modify/Edit a subnet under VPN Gateways-->Group settings-->Networks"
- Q01220655: "SQA 5.5.0.6 - VPN Gateways>Portal Linksets>Links Type: then back button"
- Q01227810: "BBI: "Relay IP address" should not be listed under IP Pool Config ->DHCP Servers"
- Q01227830: "BBI: "Vendor Option Id for idle timeout" should not exist on VPN Gateway IP pool"
- Q01226787: "BBI: When editing FTP link, Server IP addr appears to the right of the field box"
- Q01227840: "Setting Idle time out, has error message"
- Q01227849: "BBI: Radius Network Attributes "Idle Timeout" should be removed."

Known deficiencies:
-------------------
NetDirect-Firefox on Linux is not working properly. Using it might mess up the routing table (not restoring the default GW after termination).

=====================================================
SSL 5.5.0.8 Released for QA on October 06, 2005
=====================================================

Fixes:
------

Fixed CR-Q01205377: 'Cannot open shares with lots of files/folders'.

Added VPN name to /cfg/quick wizard.

Command '/cfg/vpn #/portal/content/available' checked space in the wrong directory.

Fixed CR-Q01227009: Changed wording of validation rule.

Fixed CR-Q01188727: ike daemon dead while Cisco router trying to establish BO with NVG.

TG Applet updated to Build 111. Contains JRE checking method and "Not Older Than" feature fix. Fix to make SSL-VPN not fetch transitional pages for TG state changes. Also, the Portal page will not be refreshed on every recheck interval as is done in the case of NSNAS.
Added CLI alias tab completion for /cfg/vpn number (referring to SNAS CR-Q01200389).

Fixed looping SiteMinder agent. A problem in the SiteMinder agent (for SiteMinder authentication) could cause the agent to start looping, with the result that the system showed a constant 100% CPU usage (SiteMinder authentication still worked since a new agent instance was started automatically).

Fixed CR-Q01221893: The default value for NetDirect caching is now off.

Fixed CR-Q01202870: User db import fails if a user definition is longer than 254 chars (raised the line size limit to 8192 chars).

Fixed CR-Q01224197: Splitnets configuration misleading - Enter network IP number: 1

Fixed problem with IPsec not accepting new connections. In some cases where IPsec certificate authentication was rejected (e.g. revoked certificate), the session-setup flow control mechanism ("credits") was not correctly updated, with the eventual result that no new sessions were accepted.

Only use one UDP socket for all not-bound VPNs for TunnelGuard (the IPsec case).

Fixes to the idle timeout settings in ippool. The idletimeout settings in the ippool are now removed and instead it is possible to configure the idlettl (and sessionttl) per group (and the default per VPN) (also refer to CR-Q01210166). The highest value among the groups and the default is chosen at login (a /maint/starttrace entry for aaa is added to display which timeouts a user got at login). The reason for removing the idletimeout from the pool is that it actually didn't belong in that area. And, as we move it to the group, we get the same behaviour also for normal portal logins that don't assign an IP address from a pool. Also, made it possible to configure the ippool per extended profile in order to be able to get a different IP pool assigned depending on the TunnelGuard result (i.e. which extended profile the user is assigned to).

The CLI changes are listed below:
  Renamed '/cfg/vpn #/aaa/ttl' to '/cfg/vpn #/aaa/idlettl'
  Added 'idlettl' and 'sessionttl' to '/cfg/vpn #/aaa/group' and '/cfg/vpn #/aaa/group #/extend'
  Removed '/cfg/vpn #/ippool #/dhcp/idletimeid'
  Removed '/cfg/vpn #/ippool #/netattr/idletimeout'
  Added '/cfg/vpn #/aaa/group #/extend #/ippool'

RADIUS CLI changes:

'/cfg/vpn #/aaa/auth #/radius'
------------------------------------------------------------
[RADIUS Menu]
     servers    - RADIUS servers menu
     vendorid   - Set vendor id for group attribute
     vendortype - Set vendor type for group attribute
     vpnid      - Set vendor id for VPN ID attribute
     vpntype    - Set vendor type for VPN ID attribute
     timeout    - Set RADIUS server timeout
 --> idletimeou - Idle Timeout menu
     sessiontim - Session Timeout menu
     macro      - User-defined Macro menu
     netattr    - Tunnel network attributes menu
------------------------------------------------------------
[IdleTimeout Menu]
     vendorid   - Set vendor id for idle timeout attribute
     vendortype - Set vendor type for idle timeout attribute
     ena        - Enable Idle-Timeout
     dis        - Disable Idle-Timeout

The idletimeout is enabled by default (to mimic old behaviour), and if vendorid is 0 the standard Idle-Timeout attribute is used.

The '/cfg/vpn #/aaa/auth #/radius/netattr/idletimeid' and 'idletimetype' items are removed.

BBI fixes:
- Provided fix for the following CRs:
  - CR-Q01202990: "BBI, Certificates, "Show" should be changed, to properly display Subject DN".
  - CR-Q01220771: "SSLVPN BBI: Service is still created when entering invalid port numbers".
- Supported the command /cfg/vpn #/server/portal/wipecookie.
- Updated the erlang code for the /cfg/vpn #/portal/lang/beconv/codesets command in order to remove the leading text.

Installed NetDirect 5.5.0.4 fixes:
- CR-Q01220702: NDDC unzip fails https://.../NetDirect_Setup.zip.
- CR-Q01224232: NDDC reboot client NDDC loads to system tray - click shortcut fails.
- CR-Q01224291: Banner text is not displayed when connecting to VPN with NDDC.
- CR-Q01224227: NDDC Show Main stays locked on the desktop.
- CR-Q01199613: Connect with Installable ND Client then logout/out of Portal = error.

NetDirect 5.5.0.4 fixes:
- CR-Q01218557: ND no admin rts - Click ND link browser closes - hs_err_pidXXX.
- CR-Q01199578: NetDirect Will Exit Now appears when ND is already closed.
- CR-Q01224209: NetDirect banner displays blank when not configured
- CR-Q01224293: Branding - banner displays Nortel Networks should be Nortel.
- CR-Q01224224: Windows New Hardware found Tap Hardware found

=====================================================
SSL 5.5.0.7 Released for QA on September 30, 2005
=====================================================

Fixes:
------

NetDirect 5.5.0.3 fixes:
- CR-Q01206979: Banner Text/License info have been added.
- CR-Q01214679, CR-Q01199578: The timing issues of NetDirect have been fixed in this version.
- CR-Q01199588: User connects to 5.5 VPN with NetDirect 1.0.2.3, 1.0.2.4 failure issue has been fixed in this release.

Fixed CR-Q01221340: Don't allow tftp for download of SW packages (doesn't work when > 32 MB).

Fixed CR-Q01211068: VPN Portal can't be launched after downgrading from 5.5.0.3 to 5.1.3 (wrong version of the compiler was used to produce portal pages).

Fixed CR-Q01166271: Alteon 3050: Using SMB link from the portal page exposes hidden shared folder.

Fixed CR-Q01215931: Consistency when setting timers and receive error.

Fixed CR-Q01215266: Enable Cut Domain feature broken, sending the domain to the ldap server.

Fixed CR-Q01209305: 2424-SSL - 5.1.3.5 SSL processor fails after a few hours of traffic load. Need to lock bottom half too during rekey (from kernel 2.4.22).

Fixed CR-Q01217347: IPsec user tunnels have a problem with packet size of 1475 or larger. Cause: Bug in iptables ipsec-03-policy-lookup kernel patch.

Fixed CR-Q01183069: Backported crypto buffer mgmt fixes from kernel 2.6.9.

Fixed CR-Q01218588: SMB link receive internal yaws error {abs_path,"/xnet/smb/...

Fixed a problem related to CR-Q01218588, when clicking 'Save as bookmark' without defining a URL.

Fixed CR-Q01219880: Ftp Port Forwarder causing connection refused.

PortForwarder API: Changed minimum interval for setStatisticsObserverInterval to 50ms.

Fixed the test-srs tunnelguard rule not to include any faulty Registry configuration values any longer.

Speedup of system stop if IPsec is not started.

Do proxy arp also on interfaces bound to other VPNs when not doing SSP.

Now the NDWAdminPassword is stored as a secret_string (DES3 encrypted) in the registry.

Added support for different TG clients. For SSL the protocol version the TG applet uses is 2.0. For IPsec the protocol version of the installed TG client is 1.1.

BBI fixes:
- Q01199218: Unable to Delete Users via WebUI from Local DB when User Name Contains Spaces (Priority = 2).
- Q01180816: SVG 5.1.3: WebUI update of passwords fails for certain usernames (Priority = 2).
- Q01218842: SSLVPN: Not able to delete subnets from Networks using BBI delete checkbox (Priority = 3).
- Added support for the command /cfg/vpn #/portal/smbworkgrp.
- Added support for the command /cfg/vpn #/portal/lang/beconv/codesets.

SSL VPN Cluster Manager fixes:
- User Management and User Card in Cluster deck are updated to support the "tunnelguard" group.
- Backend script of Sync. VPN functionality is updated to support Accounting Servers, TDI VPN Client and LSP VPN Client parameters.

Fixed vulnerability issue found by SEC (see below).

Now port forwarder links in pre-5.0 format (i.e. created in a 4.x based system) are converted at system upgrade (and at system restart, to cover for load, i.e. /cfg/gtcfg, of an old configuration) to the new port forwarder link format introduced in the 5.0 release.
And, the tunnelform.yaws page no longer accepts the a (application) and aa (application argument) parameters (thus, if an old link is loaded due to a gtcfg without a restart, the client will be informed to contact the system administrator in order to reconfigure the system to handle this link).

SEC CONSULT ADVISORY
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|      Nortel SSL VPN Cross Site Scripting/Command Execution       |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Date: 05-30-2005
Author: Daniel Fabian
Product: SSL VPN
Affected Version: 4.2.1.6
Vendor: Nortel Networks Limited (http://www.nortel.com/)
Vendor-Status: Vendor contacted

~~~~~~~~ Synopsis ~~~~~~~~~~~~~~~~~~~~~~~~

The Nortel SSL VPN is a remote access security solution. By using secure sockets layer (SSL) as the underlying security protocol, Nortel SSL VPN allows for using the Internet for remote connectivity and the ubiquitous Web browser as the primary client interface.

Due to insufficient input validation within the appliance's web interface, it is possible for an attacker to supply his victim with a malicious link that results in code execution on the victim's client. The problem has been reproduced with version 4.2.1.6, however different versions might be vulnerable as well.

~~~~~~~~ Vendor Status ~~~~~~~~~~~~~~~~~~~~~~~~

The vendor has been notified ....

~~~~~~~~ Vulnerabilities ~~~~~~~~~~~~~~~~~~~~~~~~

Cross Site Scripting/Command Execution
--------------------------------------

Scope:

Due to insufficient input validation within the web interface of Nortel's SSL VPN appliance, it is possible to hide commands in links to certain pages of the web interface. As the Java Applet which is called from those web pages is cryptographically signed, it may execute operating system commands with the privileges of the user sitting in front of the browser. An attacker can thus supply his victim with a malicious link where commands are hidden.

If the victim clicks on the link and logs onto the SSL VPN web interface (where it is automatically taken), arbitrary commands are executed locally on the client of the victim.

Here is an example for a crafted link that executes the command "cmd.exe /c echo test > c:\\test" (please consider the link one line):

https://SSL_VPN_SERVER/tunnelform.yaws?a=+cmd.exe+/c+echo+
test+%3E+c:\\test.txt+&type=Custom&sp=443&n=1&ph=&pp=&0tm=tcp&0lh=127
0.0.1&0lp=8080&0hm=&0rh=10.117.252.129&0rp=80&sslEnabled=on&start=
Start...

~~~~~~~~ Timeline ~~~~~~~~~~~~~~~~~~~~~~~~

May 30: Vulnerability discovered and vendor notified

~~~~~~~~ Contact ~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Unternehmensberatung GmbH
Büro Wien
Blindengasse 3
A-1080 Wien
Austria

Tel.: +43 / 1 / 409 0307 - 570
Fax.: +43 / 1 / 409 0307 - 590
Mail: office at sec-consult dot com
http://www.sec-consult.com

EOF Daniel Fabian / @2005
d.fabian at sec-consult dot com

Known deficiencies:
-------------------
NetDirect-Firefox on Linux does not work.
NetDirect-Firefox on WINDOWS does not work.

=====================================================
SSL 5.5.0.6 Released for QA on September 23 2005
=====================================================

Fixes:
------

Fixed CR-Q01217347: Bug in iptables ipsec-03-policy-lookup kernel patch.

Fixed CR-Q01183069: Backported crypto buffer mgmt fixes from kernel 2.6.9.

Fixed CR-Q01014291. It is now possible to set the default SMB workgroup name. The new CLI command is: /cfg/vpn #/portal/smbworkgrp.

Fixed CR-Q01215415: Initiator-side IPsec cert auth didn't work.

Fixed CR-Q01214211: Back-ported x11 forwarding fix from jsch-0.1.22-rc11 and also made own modification to make the client reply with open channel failed, according to draft-ietf-secsh-connect-25.txt.

Fixed CR-Q01213290: Need to iptables-mark with interface mark on INPUT for bound backend interface w/o SSP.

PortForwarder API: Fixed bug where PortForwarder.stop(true) hung if an error had occurred during configuration.
Merged latest TG applet from snas-1-0 branch: Fix for the Logout Issue where the page fails to call logoutWait() as this method name was trimmed by the obfuscator.

While creating a http -> https redirect server in the new setup, a proper name of the SSL server (1) is now created.

Added fix for iauto links where there is no action in the form; instead the URL of the page where the form resides is used.

Don't use session ID 0 (possibly relevant for Q01188727).

BBI fixes:
- /cfg/vpn #/sslclient/caching
- /cfg/vpn #/aaa/sessionttl
- ClearTrust Authentication.
- Support for latest TunnelGuard applet SRS format.

NetDirect 5.5.0.2 fixes:
- Cache Parameter option modified based on latest server support.
- Non-admin support has been added w.r.t. admin password methods provided by the latest server build.

Installed NetDirect Client 5.5.0.2 fixes:
- Q01206758: ND Client option to delete connection created via connection wizard. The new delete menu item has been provided.
- Q01214857: NDDC NetDirectRunner MFC Application has encountered problem. The code has been optimized, memory leaks have been sorted out.
- Q01206747: NetDirect downloadable client File New Connection asks for password. The Password entry has been removed from the wizard, since the wizard only adds valid user entries.
- Q01199607: Installable NetDirect client Main window usability. The Connection button has been disabled after the successful connection.
- The earlier version of NDD didn't check whether the NetDirect portal was running or not. This version fixes this issue.

=====================================================
SSL 5.5.0.5 Released for QA on September 19 2005
=====================================================

Fixes:
------

Merged the latest TunnelGuard applet (and server) from the SNAS project, which is now fixed to also work for the SSL-VPN.

NetDirect commands (in /cfg/vpn/sslclient) are now available also if NetDirect is configured to be per group.
Added an empty src for the placeholder initially in order to get rid of the IE popup complaining about both secure and non-secure items on the page.

Fixed CR-Q01209217: NetDirect did not work if a RADIUS IP pool was used.

Fixed CR-Q01209375: NetDirect windows admin password question should not be displayed while creating a new group.

Installed NetDirect version 5.5.0.1 fixes:
- Log file locations changed.
- Route table modifications cleaned up.
- Server updates incorporated.

Fixed intermittent crash when loading certs for IPsec (caused by an uninitialized pointer).

Changed timeout for resend of DHCPDISCOVERY from 30 secs to 3 secs.

Added removal of NULL-terminated domainname string in the netattr attribute for Radius.

Renamed the "userdata" mount point: /config/userdata -> /config/isd/user_content

Known deficiencies:
-------------------
NetDirect-Firefox on Linux does not work.
NetDirect-Firefox on WINDOWS does not work.

=====================================================
SSL 5.5.0.4 Released for QA on September 15, 2005
=====================================================

Fixes:
------

BBI fixes:
1. Q01206236: "SQA 5.5.0.1 - select multiple users from the GUI and select delete fails" (Priority- 4)
2. Q01208854: "BBI: Links when edited does not have the correct Link Type" (Priority- 3)
3. Q01210687: "Error in BBI, on Monitor > BO Tunnel Sessions" (Priority- 2)
4. Q01210681: "BBI, Cannot delete user from the Local Authentication server, browser shuts" (Priority- 2)
5. Q01209674: "SQA 5.5.0.2 - get_dy_file_if_exists() in /.....main.php on line 308" (Priority- 3)
6. /cfg/vpn #/aaa/auth #/ldap/adv
7. /cfg/vpn #/aaa/auth #/radius/netattr/gatewayid
8. /cfg/vpn #/aaa/auth #/radius/netattr/gatewaytype
9. /cfg/vpn #/aaa/anongroup
10. /cfg/vpn #/aaa/wholesec

Also added support for the Management Role for Tunnel Guard functionality.

SSL VPN Cluster Manager (NSM Universal) fixes:
1. "NSM Universal", the name given to this application earlier, has been changed to "SSL VPN Cluster Manager" everywhere.
2. Updated Makefile to use JARG to reduce the size of the SSL VPN Cluster Manager and JFreeChart jar files.
3. Removed BBI launch point from Cluster and iSD Decks/screens. This is mainly because the launched BBI browser was affecting the original BBI browser (the browser used for launching the SSL VPN Cluster Manager application), as both were sharing the same session information. Also, a BBI browser launched through this a second time to the same device was sharing the same session information, which resulted in some invalid behavior.

NetDirect 5.5.0.1 fixes:
1. Synchronized with the server version 5.5 image; Client OS and Client Version info support have been added.
2. UDP tunneling changes modified as per latest server support.
3. Added Windows XP specific PnP/Power calls.
4. Identified issues while running the NDISTest tool and fixed the issues.
5. Added new IOCTL to notify the client of route table modification. Earlier versions of the client weren't aware when to modify the route table, so it tried several times for route addition. Now this has been removed and a clean solution given.
6. Log file locations have been modified and the log is created only in the temp location for admin and non-admin. The earlier version of the client created the log file in different locations, like the root folder for admin and the temp folder for non-admin. This has been modified for proper consistency.
7. Cache NetDirect parameter enabled based on latest server options. This has been tested with the corresponding server response flag.

Fixed CR-Q01209450: The IEWiper and/or Citrix applets were not started properly if the features were configured per group and TunnelGuard decided which group/profile the user belongs to. Thus, the tg_frame was added to the frameset. The tg_frame handles everything with TunnelGuard and loads the placeholder.yaws frame after completion.
Now, the placeholder gets the correct group/profile.

Added command to set maximum session time. Previously a maximum session time could only be set via RADIUS authentication. A new command /cfg/vpn #/aaa/sessionttl has been added to allow setting of this regardless of the authentication type.

Fixed certificate/signature validation for IPsec cert authentication.

Don't require pool-specific DNS server in "VPN quick setup wizard".

Fixed system crash when a botunprof group has extended profiles.

Fixed CR Q01207083: SQA 5.5.0.1 - Custom PF not working. Starting of tunnel server threads had become broken in the merge from 5.1.

=====================================================
SSL 5.5.0.3 Released for QA on September 12, 2005
=====================================================

Enhancements:
-------------

Added support for WholeSecurity.

Fixes:
------

Fixed CR-Q01207904: DHCP allocation failed if a non-existing DHCP server was configured.

Fixed CR-Q01206465: Type error in default vendor option for DHCP in IP pool (crashed the system if the DHCP server did not send the vendor-specific option).

=====================================================
SSL 5.5.0.2 Released for QA on September 08, 2005
=====================================================

Fixes:
------

Fixed bug that made it impossible to run applets without restarting the browser after the user logs in the second time.

Error message improvements for terminal applets.

Fixes related to all types of applets:
- Fixed centering of message boxes within frames.
- Added icons to message boxes.
- Yes/Ok button is set as default, i.e. connected to the enter key.

Logout from a shell now triggers closing of the session.

BBI fixes:
1. /cfg/vpn #/ippool #/netattr/gateway
2. /cfg/vpn #/aaa/auth #/ldap/activedirectory/exppasgroup
3. /cfg/vpn #/sslclient/ndxml
4. /cfg/vpn #/aaa/group #/ndwap
5. Certificates are now listed in numerical order by number.
6. Fixed problem with all certificates showing "No" under Valid.
7. Fixed problem with Ike Profiles/Diffie Hellman values all showing "OFF", despite being on. Setting the values to "ON" also triggered an error: Failed: Identifier must be a positive integer.
8. Fixed the location of the "RADIUS Group Attribute" settings and the "Acct-Session-Id" in the BBI auditing messages.
9. Removed settings of wins, gateway and netmask for NetDirect from the BBI.
10. CLI changes for the SSHv2 applet are now supported in the BBI.

Fixed CR-Q01206465: aaa_ip_pool crash if idletimeout option id was not set to the default.

Fixed problem with restarting system if a link was deleted and recreated within the same apply and no link text was added. The following command sequence triggered the problem:
  /cfg/vpn 1/linkset 1/link 1/del
  /cfg/vpn 1/linkset 1/link/add 1
  apply   (without adding link text but all other required stuff)

Added caching option for NetDirect.

Added support for admin password for NetDirect.

Fixed CR-Q01203260: A host could be impossible to start if an interface was not configured for the host and that interface was used (bound to) in an SSP configuration.

Removed the objectclass=person filter from the AD authentication search. This is now configurable instead. See the menu: .../auth #/ldap/adv

Fixed CR-Q01145430: Shares that have a $ at the end of their name are interpreted as hidden.

Added the DHCP option "Request-Options", which explicitly tells the DHCP server what parameters we want it to return.

Changed to use wrap logs ike.log.{1,2,3...} instead of ike.log + ike.log.old.

Fixed CR-Q01183087: Session traffic wasn't recorded for BO responder session.

Changed name of /cfg/vpn/aaa/ippool to /cfg/vpn/aaa/defippool.

Added resend functionality in case packets sent to the DHCP server are lost. We are now also checking that the offered IP address is not in use.

Fixed aaa_license crash when a node joins the share after reconfiguration.

Added /cfg/vpn #/portal/lang/beconv/codesets.
Gateway address recieved through DHCP is now hndled all the way to the NetDirect client. Fixed problem with portal link not working in frames if url is missing relative or absolute path (Q01187510-01). Previously allocated DHCP IP-addresses are now released at startup. Fixed CR-Q01104375-01: Portal is not displaying when authenticating with client Certs: Internal Yaws Error. Fixed CR-Q01179404: Handle validation errors while loading a license key in the CLI. Fixed CR-Q01205161: System crashed when installed a corrupted boot image. Fixed CASE 050601-74161: Issue with the 3050 not booting if DEL or ENTER (among other keys) are sent during boot up. Known deficiences: Whole security feature is not ready to test. NetDirect on Linux does not work. NetDirect-Firefox on WINDOWS does not work. ===================================================== SSL 5.5.0.1 Released for QA on Aug 31, 2005 ===================================================== This README will describe changes in forthcoming releases. ===================================================== Software Installation and Upgrade Notice ===================================================== The software is delivered in two different forms, as described below. - SSL-6.0.x-upgrade_complete.pkg Using this package is the preferred method for upgrading an existing SSL VPN cluster, as the upgrade is propagated across the cluster and all current configuration is preserved. The upgrade procedure is described in "Performing Minor/Major Release Upgrades" in Chapter 4 in the SSL VPN User's Guide. - SSL-6.0.x-boot.img Using this image will reset the SSL VPN device to its factory default configuration. It must be used when an SSL VPN device with different software installed is to be added to a cluster, to bring the additional SSL VPN device to the same software version as in the cluster before joining it to the cluster. 
  The software reinstall procedure is described in "Reinstalling the Software" in Chapter 3 in the SSL VPN User's Guide.

Disk repartitioning required for version 5.x on some systems
------------------------------------------------------------

This applies to the following systems:

- ASA 310, ASA 310 FIPS, ASA 410, delivered with a software version prior to 4.0 pre-installed.
- AAS 2424-SSL delivered with a software version prior to 5.0 pre-installed.

On these systems, the existing disk partitioning does not allow a 5.x version to be installed simultaneously with version 4.2 or later. I.e. it isn't possible to do a standard upgrade from 4.2 to 5.x, or from one version of 5.x to another. Upgrade from versions earlier than 4.2 to 5.x, and software reinstall using a 5.x version, is still possible.

Hence the following applies regarding standard upgrade to version 5.0 for clusters that include systems of the above type:

  Current version          Procedure
  4.1.x or earlier         Upgrade to 5.0, and repartition before subsequent upgrade.
  4.2.x before 4.2.1.11    Upgrade to 4.2.1.11 or later 4.x, repartition, and then upgrade to 5.0.
  4.2.1.11 or later 4.x    Repartition before upgrade to 5.0.

When 5.x is installed, the /boot/software/download command will give an error if one or more systems of the above type are running in the cluster, listing the hosts that need disk repartitioning.

To support the repartitioning procedure, the following commands are present as of version 4.2.1.11:

  /boot/software/repartcheck
    - check for and report hosts in the cluster that need repartitioning.

  /boot/repartition
    - initiate repartitioning for the local host.

  /cfg/sys/cluster/host #/repartition (4.2)
  /cfg/sys/host #/repartition (5.x)
    - initiate repartitioning for the given host (which must be running).

These commands are "hidden", i.e. not shown in the menu or considered for auto-completion, since they shouldn't be used in normal operation.
During the repartition, which includes two automatic reboots, the host will effectively be out of service. The time required for the repartition is approximately:

  4-5 minutes for ASA
  7-10 minutes for AAS 2424-SSL

NOTE: It is vitally important to avoid a power cycle, reset, or any other manually initiated reboot of the host while the repartition procedure is running - this may lead to a totally non-functional system.

NOTE: On the AAS 2424-SSL, after repartition is completed, it will not be possible to downgrade to software versions prior to 4.2.1.8, even via software reinstall.

Upgrading from Versions Earlier than 2.0.11.15
----------------------------------------------

If you are currently running a software version earlier than 2.0.11.15, upgrade to version 2.0.11.15 (or a later 2.0.11.x version) prior to upgrading to version 3.x or later. The "intermediate" upgrade to version 2.0.11.15 is necessary in order to maintain your current configuration, and to provide reliable fallback in case the upgrade should fail.

Downgrading to Versions Prior to 5.0.x
--------------------------------------

SSL VPN clusters running software version 5.x cannot be downgraded to software version 4.x or earlier and still retain the configuration. To downgrade such a cluster to a version lower than 5.x, a complete software reinstall using the boot.img must be performed, followed by manual reconfiguration of the cluster. This is due to changes in the internal database format.
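The upgrade-path rules in the notice above (the repartition table, the mandatory 2.0.11.15 stop, the /boot/software/download refusal and the downgrade restrictions), applied to a cluster inventory as an added example. This is not code from the README or the product: the Host record, the plan_upgrade / blocking_download / downgrade_path names and the sample hosts are assumptions made for illustration; only the version thresholds and hardware models come from the notice. Versions are compared as integer tuples, which is the check to get right before trusting any script that decides whether a node is past 4.2.1.11.

```python
from typing import Dict, List, NamedTuple, Tuple

Version = Tuple[int, ...]

# Hardware whose factory partition layout cannot hold a 5.x image next to a
# 4.2-or-later image, mapped to the pre-installed version below which that
# layout was shipped (thresholds as stated in the notice above).
REPARTITION_IF_SHIPPED_BEFORE: Dict[str, Version] = {
    "ASA 310": (4, 0),
    "ASA 310 FIPS": (4, 0),
    "ASA 410": (4, 0),
    "AAS 2424-SSL": (5, 0),
}
INTERMEDIATE = (2, 0, 11, 15)       # mandatory stop when coming from anything older
REPART_TOOLS = (4, 2, 1, 11)        # first 4.x build that carries /boot/repartition
AAS_FLOOR_AFTER_REPART = (4, 2, 1, 8)


class Host(NamedTuple):             # constructed inventory record, not a product type
    name: str
    model: str
    shipped_with: str               # software version pre-installed at delivery
    running: str
    repartitioned: bool = False


def parse_version(s: str) -> Version:
    """'4.2.1.11' -> (4, 2, 1, 11).  Tuples compare numerically, so
    4.2.1.11 > 4.2.1.9; a plain string compare would get that wrong."""
    return tuple(int(p) for p in s.split("."))


def needs_repartition(h: Host) -> bool:
    floor = REPARTITION_IF_SHIPPED_BEFORE.get(h.model)
    return (floor is not None
            and parse_version(h.shipped_with) < floor
            and not h.repartitioned)


def plan_upgrade(h: Host, target: str = "5.0") -> List[str]:
    """Ordered steps that take one host to a 5.x target with its config intact."""
    cur, tgt = parse_version(h.running), parse_version(target)
    if tgt < (5,):
        raise ValueError("plan_upgrade covers upgrades to 5.x only")
    if cur >= tgt:
        return []
    steps: List[str] = []
    if cur < INTERMEDIATE:          # "Upgrading from Versions Earlier than 2.0.11.15"
        steps.append("upgrade to 2.0.11.15 (or a later 2.0.11.x)")
        cur = INTERMEDIATE
    if not needs_repartition(h):
        steps.append(f"upgrade to {target}")
    elif cur < (4, 2):              # table row: 4.1.x or earlier
        steps += [f"upgrade to {target}", "repartition before any subsequent upgrade"]
    elif cur < REPART_TOOLS:        # table row: 4.2.x before 4.2.1.11
        steps += ["upgrade to 4.2.1.11 or a later 4.x", "repartition",
                  f"upgrade to {target}"]
    else:                           # table row: 4.2.1.11 or later 4.x (and old-layout 5.x)
        steps += ["repartition", f"upgrade to {target}"]
    return steps


def blocking_download(hosts: List[Host]) -> List[str]:
    """The hosts /boot/software/repartcheck would report; while any of them is
    in the cluster, /boot/software/download of a 5.x image is refused."""
    return [h.name for h in hosts if needs_repartition(h)]


def downgrade_path(h: Host, target: str) -> str:
    """'reinstall'   : boot.img plus manual reconfiguration (5.x -> 4.x or older)
       'impossible'  : AAS 2424-SSL after repartition cannot go below 4.2.1.8
       'unrestricted': the notice states no constraint for this step"""
    cur, tgt = parse_version(h.running), parse_version(target)
    if tgt >= cur:
        raise ValueError("not a downgrade")
    if h.model == "AAS 2424-SSL" and h.repartitioned and tgt < AAS_FLOOR_AFTER_REPART:
        return "impossible"
    if cur >= (5,) and tgt < (5,):
        return "reinstall"
    return "unrestricted"


# Constructed sample cluster: names, models and versions are made up.
CLUSTER = [
    Host("vpn1", "ASA 410", shipped_with="3.5.1.2", running="4.2.1.9"),
    Host("vpn2", "ASA 410", shipped_with="4.1.0.1", running="4.2.1.9"),
    Host("vpn3", "AAS 2424-SSL", shipped_with="4.2.1.11", running="2.0.10.3"),
    Host("vpn4", "AAS 2424-SSL", shipped_with="4.2.1.11", running="4.2.1.11",
         repartitioned=True),
]

if __name__ == "__main__":
    for h in CLUSTER:
        print(f"{h.name}: {' ; '.join(plan_upgrade(h)) or 'nothing to do'}")
    print("repartcheck would list:", blocking_download(CLUSTER))
    print("vpn4 -> 4.2.1.5:", downgrade_path(CLUSTER[3], "4.2.1.5"))
```

vpn1 and vpn2 run the same build on the same model but get different plans, because what decides the repartition requirement is the version the unit was delivered with, not the one it runs now; keep that field in the inventory before scheduling the out-of-service window.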
