=====================================================
SSL 6.0.0.5 Released for QA on January 19, 2006
=====================================================

Fixes
-----
Fixed Q01292019: NetDirect did not start if TunnelGuard had been running at login.

=====================================================
SSL 6.0.0.4 Released for QA on January 18, 2006
=====================================================

Fixes
-----
Temporary fix for Q01291007: Back out the fix for Q01195775 (from 5.1.x).

=====================================================
SSL 6.0.0.3 Released for QA on January 13, 2006
=====================================================

Fixes
-----
SSL backend connections from SSI/AAA (e.g. WholeSecurity, LDAPS) didn't work if the VPN was bound to a backend interface (adv/interface != 0). Expected to fix the remaining problem with Q01280890.

Portal NetDirect caused the popup "Failed to download NetDirect XML from VPN server".

=====================================================
SSL 6.0.0.2 Released for QA on January 12, 2006
=====================================================

Fixes
-----
Mac and Linux NetDirect
- Fixed CR Q01286569: The correct binary is now installed. The tun driver is not unloaded when NetDirect is stopped.
- Fixed CR Q01283504: If the applet dies, the NetDirect client dies also.
- Partially fixed CR Q01281612: The NetClient directory is also removed when the browser is closed.
- Fixed CR Q01249887: The correct OS identifier is sent from the Mac NetDirect client.

Fixed Q01283706: Network attributes are sent to the NetDirect client also on reconnect.

Fixed Q01286075: VPN-ID was off by 3 in the RADIUS auth request.

Fixed broken FTP links in the portal - bug introduced by the incomplete fix for Q01195775 in 6.0.0.1 (from 5.1.x).

Added the following CLI commands:
  /cfg/vpn #/sslclient/ndbanner
  /cfg/vpn #/sslclient/ndlicense

Removed the /cfg/vpn #/sslclient/ndxml command that was not used.
Fixed a problem with the CLI dump command that produced an extra newline, which caused the entry to be changed when the output was used with paste (this affects commands like /cfg/vpn/sslclient/ndbanner whose input ends with ...).

Changed the /cfg/vpn #/aaa/auth #/cleartrust/authtype value ntlm to nt.

Changed the default Authentication Port value for ClearTrust auth servers to 5615.

Corrected the help text for the ClearTrust connection mode setting.

ClearTrust auth: Changed the order of the flags to the ctagent call. This fixes the calls to auth_servers.

BBI fixes:
For SSL-VPN BBI
- Updated the copyright information.
- Updated/added help pages for the Authentication menu.
- Updated the OS lists in the /cfg/vpn #/sslclient menu.
For Cluster Manager
- CR Q01275523: "(SSLVPNClusterMgr - Normal user can't be added through user management)"
- CR Q01276751: "(SSLVPNClusterMgr - No Status propagation for authentication failure)"

Fixed CR-Q01251133: Removed the fname argument to upload_abort.yaws, which was usable for XSS attacks.
Fixed CR-Q01251133: Fix for the XSS (cross-site scripting) attack using the ts argument of upload_abort.yaws.

=====================================================
SSL 6.0.0.1 Released for QA on January 10, 2006
=====================================================

Fixes
-----
NetDirect updated to 5.5.0.13 fixes:
- Q01281437 --> Win NetDirect disconnects and reconnects frequently under no load
- Q01281453 --> SQA 5.5.0.20 - NDIC Connection name required for clickable Connect button
- Q01281613 --> SQA 5.5.0.20 LogFile rollover and date stamp needed for NetDirect.log
- Q01273035 --> Mobility on NetDirect - NetDirect exits while switching wireless access point
- Q01282947 --> SQA 5.5.0.20 NDIC - https prefix and FQDNs will fail if used as 'Destination:'
- Q01274083 --> SQA 5.5.0.18 NDIC will not connect if portal port differs from 443.
*Note* The ActiveX component is not updated; it is still 5.5.0.12.

RSA ClearTrust auth fixes - need to get some more information from RSA, but the code seems to run now and can be tested.
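The two CR-Q01251133 entries for 6.0.0.2 above describe a reflected cross-site scripting bug in upload_abort.yaws: query parameters (fname and ts) were echoed into the page. The following is an added example written for this page, not the product's Yaws/Erlang code; it shows the general shape of the problem and of the fix (drop the parameter that is not needed, whitelist the format of the one that is, and HTML-escape anything that is reflected). The request URLs are constructed, and the assumption that ts is a decimal timestamp is the author's, not the page's.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed request URLs (not captured from the product).  The second one
# carries the kind of payload a reflected-XSS bug lets through.
BENIGN_URL = "/upload_abort.yaws?ts=1137663600&fname=report.txt"
ATTACK_URL = "/upload_abort.yaws?ts=<script>alert(document.cookie)</script>&fname=x"

TS_RE = re.compile(r"^[0-9]{1,20}$")   # assumed: ts is a plain decimal timestamp


def query_params(url):
    """First value of each query parameter, as a plain dict."""
    return {k: v[0] for k, v in
            parse_qs(urlsplit(url).query, keep_blank_values=True).items()}


def upload_abort_before(url):
    """Shape of the pre-6.0.0.2 behaviour: both parameters are echoed verbatim
    into the HTML, so any markup in them is rendered by the victim's browser."""
    p = query_params(url)
    body = "<html><body>Upload of %s aborted (ts=%s)</body></html>" % (
        p.get("fname", ""), p.get("ts", ""))
    return "200 OK", body


def upload_abort_after(url):
    """Hardened version: fname is no longer read at all, ts must match a strict
    whitelist before it is used, and anything reflected is HTML-escaped so a
    rejected value cannot itself become the injection."""
    p = query_params(url)
    ts = p.get("ts", "")
    if not TS_RE.match(ts):
        return ("400 Bad Request",
                "<html><body>invalid ts: %s</body></html>" % html.escape(ts, quote=True))
    return ("200 OK",
            "<html><body>Upload aborted (ts=%s)</body></html>" % html.escape(ts, quote=True))


def reflects_markup(body):
    """Crude check used below: does the response contain a live <script> tag?"""
    return "<script" in body.lower()
```

The whitelist is the primary control and the escaping is defence in depth: with only the whitelist, a later change that echoes the rejected value in an error message would reintroduce the bug, which is why the 400 body escapes too.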
Mac and Linux NetDirect:
- Fixed Q01276931: Client now asks for splittun settings.
- Large number of Mac-specific fixes. Still only runnable as root though.
- Fixed Q01281613: Added rotation and timestamps to the log. The log is also renamed from cl.log to NetDirect.log. If the log file is larger than 3MB when the client starts, a new file will be created and the old one renamed.

Fixed Q01280890: WS: Internal Yaws Error returned on successful scan.

Cluster Manager fixes:
- Q01276798: "SSLVPNClusterMgr - Ports Information "Mode" is always "full" "
- Q01276796: "SSLVPNClusterMgr - Ports Information "Speed" is always "0" "

Updated certificates for signing of Java applets.

Fixed Q01216792: RADIUS accounting includes Calling-Station-ID and Framed-IP-Address.

Fixed problem with creation of new windows from JavaScript. The reason for the fix is described in customer case 051103-42537: the Microstrategy fix of 2004-08-31 disabled ALL rewriting of client-side JavaScript. This fix makes client-side rewriting work as before.

Fixed Q01264690: PKI authentication loop if TG non-match and teardown action. The user will now be redirected to the auto login page in case of TG failure with certificate login, which will show the TG failure reason (just like the normal login page).

Improved error handling for the TG IPsec handler (if the client closed the socket just before the tg_server sent a message, we produced a crash entry in the log that is not necessary).

Fixed Q01195775: The directory and file names are hex encoded so that Internet Explorer won't corrupt them. (from 5.1.x)
Fixed Q01177838: French apostrophe problem. (from 5.1.x)
Fixed Q01163667: ICMP service asks for port number while configuring in the CLI /cfg/vpn#/aaa/service#. (from 5.1.x)
Fixed Q01177727: English message in French portal. (from 5.1.x)
Fixed Q01161886: SMB and FTP upload file name with special character fails (e.g. @#$%foo.txt). (from 5.1.x)
Fixed Q01154557: Sub-CA certificates authentication fix. (from 5.1.x)

=====================================================
SSL 5.5.0.20 Released for QA on December 22, 2005
=====================================================

Fixes
-----
NetDirect updated to 5.5.0.12 fixes:
- Q01274083 - SQA 5.5.0.18 NDIC will NOT connect if portal port differs from 443. [Added an extra dialogue box to enter the port number]
- Q01274037 - NetDirect client continues connection while prompted not to.
- Q01268016 - SQA 5.5.0.17 NDDC loaded in system tray doesn't allow portal ND link to be clicked. [Grey icon while idle]
- Q01246860 - RADIUS IP Pool Secondary WINS Server can't be passed to NetDirect client. [Secondary WINS support]
- Q01258872 and the remaining UDP reconnection problems have been solved.

Mac NetDirect client is now working like the Linux client, using the same applet.

NetDirect applet:
- Fixed CR Q01255749: If the downloaded DLLs are present, they will not be downloaded again.

Fixed CR-Q01278939: Fixed intermittent parse error of interfaces while SNMP checking for link status change.

Removed debug printout that crashed the erlerror disk_log handler while downloading a new software package using the BBI.

Removed overall limit on number of BO tunnels (was 5000) per PLM decision.

Removed unsupported OS types from respective client settings (added winnt for LSP). (CR Q01235265)

Fixed problem creating SMB links in the CLI.

Changed how the links are organized within the columns in a linkset. Now the links are distributed to the columns row by row. Before, this was done on a fill-column-first basis, which made it hard to understand how and in which order the links were distributed. Now, if 4 columns are configured and 7 links (i.e. link 1-7) exist in the linkset, they will be distributed as:
  col1: 1, 5
  col2: 2, 6
  col3: 3, 7
  col4: 4
Before, the links were displayed as (due to calculations that found that it should be 1 link per column and the rest in the last column):
  col1: 1
  col2: 2
  col3: 3
  col4: 4, 5, 6, 7

Added NetDirect icon to the system tray for Unix client OSs.

Fixed bug with IP addresses not being returned to the pool on logout.

Imported the help texts from the command reference file as of Dec 15.

Enhanced tab completion for the /cfg/sys/host and /cfg/sys/host/interface CLI commands (the IP address is used for completion).

Fixed CR-Q01123899: Enhanced tab completion for the /cfg/vpn/linkset/link CLI command. The configurable link text is used for tab completion. If the link text is longer than 11 characters, the first 8 characters are used, postfixed with ...

Fixed CR-Q01173628: Enhanced tab completion for the /cfg/vpn/aaa/network/subnet CLI command. Depending on how the subnet is configured, either the name or a combination of host/mask is used.

BBI fixes:
- Supported the /cfg/vpn #/aaa/wholesec/quick command.
- Checked in the updated TG Admin help files (fix for Q01269012).
- Q01272750: "SSL-VPN: BBI needs to support Portal Custom Content Feature in v5.5"
- Supported the command '/info/ippool'.
For Cluster Manager:
- Q01275905: "SSLVPNClusterMgr - Deletion of the images should be supported"
- Q01275474: "SSLVPNClusterMgr - Help information needed for Performance windows"

=====================================================
SSL 5.5.0.19 Released for QA on December 15, 2005
=====================================================

Fixes
-----
Windows NetDirect updated to 5.5.0.11 fixes:
- Fix for NetDirect Mobility issue; reconnection over TCP works as it should.
- Q01269392: NetDirect connection established without IP assigned
- Q01269878: DNS and WINS are not passed to the NetDirect client through RADIUS
- Q01258936: /cfg/vpn 1/sslclient/caching on will prevent NetDirect connection
- Q01269859: NetDirect exit - Route addition failed with Invalid parameter
- Q01273779: Mobility on NetDirect: Connection failed the second time of switch IP
- Q01258885: Mobility on ND - icon becomes blue but connection can't pass traffic
- Q01268069: SQA 5.5.0.17 - ND disconnects and reconnects to server but traffic fails to pass

Linux NetDirect:
- Fixed CR Q01265029: The applet message now says that root login failed. Clicking the NetDirect icon again without closing the applet gives the user the option to enter the root password.
- Fixed CR-Q01274101: NetDirect now connects to the port defined in the CLI.

BBI fixes:
- Q01254957: "BBI: VPN Admin unable to launch TunnelGuard Applet"
- Q01272757: "SSLVPNClusterMgr - default password and difference should be provided"
- Q01275009: "SSLVPNClusterMgr - "Modifying login password for 'admin'" should be modified".

Citrix applet: Fixed NullPointerException when accessing the Windows registry.

Portforwarder API: The downloadable developer archive is now a zip file instead of tgz.

Fixed Q01263974: MAC address changed when adding port to interface.

Added TG failure details to be displayed with the wizard tg_failed linkset created by /cfg/vpn/aaa/tg/quick.

Added text conversion of credentials from the portal for LDAP auth; they are now converted to UTF-8.

Fixed Q01274927: FullAccess tab link to www.java.com fails with HTTP 404.

Fixed so the warning that the password expires doesn't appear when the never-expire flag is set (LDAP auth).

Merged in fixes from the NSNAS branch as of NSNAS-1.0.0.31.
=====================================================
SSL 5.5.0.18 Released for QA on December 08, 2005
=====================================================

Fixes
-----
Fixed CR-Q1268004: FireLock is set to avoid a double click on the NetDirect link opening two applet windows. The NULL and closed checks were not enough.

NonAdmin Java window updated to only retry 4 times when activating NetDirect after it has tried to install the NetDirect ActiveX control. The portal is reloaded at every check, which makes the warning that the CacheWiper is inactive appear four times if ActiveX controls are not allowed in IE. This should be fixed to work better: even if the portal has to be reloaded, the warning should only be displayed once, perhaps using a cookie.

Fixed CR-Q01270471: Do not use an SSL license as backup for an IPsec license in case the HW limit is reached for the IPsec license.

Fix for having a non-ASCII password in NTLM.

Fixed a problem with not handling the control channel between the AAA and the simpleproxy in case of an internal aaa_server restart. The simpleproxy logout function was not re-registered, which much later could lead to an AAA sub-system hang (not accepting any new login attempts) or a new restart (depending on how/when the issue appeared, the type of error differed due to the type of operation).

BBI fixes:
- Q01262715: "User license added via BBI is not additive"
- Q01259419: "SSL VPN/BBI: Login session Time to Live seconds field has a "-1", should be "0""

Windows NetDirect 5.5.0.10 fixes:
- Q01268045 -- SQA 5.5.0.17 Select "NO" when prompted for security alert does not end progress
- Q01269859 -- NetDirect exit - Route addition failed with Invalid parameter
- Q01269878 -- DNS and WINS are not passed to the NetDirect client through RADIUS

Linux NetDirect:
- Fixed CR-Q01255846: A details button is added to the applet. Pressing it shows a new text area with the status information.
- Fixed CR-Q01265038: NetDirect now also works with the OS list set to only allow Linux.
- Fixed CR-Q01265022: Existence of all needed files is checked before starting NetDirect. If any are missing, a download is triggered.
- Fixed CR-Q01265025: The portal session is no longer closed when stopping NetDirect.
- Bugfix: The correct netmask is now set for the tun interface.

Outlook port forwarder: Fixed an issue where a misconfigured port forwarder resulted in an unsuccessful connect. The port forwarder did not handle this properly, leaving it in a lingering state. The error is now caught, leaving it up to the user to take proper action, i.e. close the port forwarder. Ref: CR-Q01256594.

Cleaned up the aaa_smb.erl code. Made each auth request execute in its own Erlang process. This should speed up authentication due to the increased concurrency and removal of potential bottlenecks.

New layout when presenting portal errors using the portal look and feel.

Updated portal help pages.

=====================================================
SSL 5.5.0.17 Released for QA on December 01, 2005
=====================================================

Fixes:
------
NetDirect 5.5.0.9 fixes:
- Banner dialog shows as the topmost window.
- System ipconfig information displayed in the NetDirect log file.
- Condition check has been added for Tap Adapter virtual IP assignment confirmation. This version checks whether the IP is properly configured or not.
- License text and banner information issue have been solved in the Firefox browser supported DLL.
- Client updated because the gateway configuration has been removed from the local IP pool network attribute settings.
- Fixed CRs: Q01236264, 01227580, 01227617, 01227588

Note: No WINS server can be configured in the IPPool netattrs. Having one or two WINS servers set causes the wrong info to be sent to NetDirect. This will be fixed in the next build.
IEWiper 5.5.0.8 fixes:
- New Nortel logo.

BBI fixes:
- The password for the command /cfg/vpn #/linkset #/link #/ftpproxy/ppass is now hidden, which was left out while providing the fix for CR Q01255753: "SQA 5.5.0.13 - BBI - Password needed to be hidden in BBI - CLI CR Q01227480".
- Supported the menu /cfg/vpn #/aaa/tg/ipsec.
- Removed support for the following commands (according to CLI changes):
  /cfg/vpn/ippool/netattr/gateway
  /cfg/vpn/aaa/auth/radius/netattr/gatewayid
  /cfg/vpn/aaa/auth/radius/netattr/gatewaytype

IPsec fixes:
- Fixed Q01178892: IPsec connections drop when multiple users are behind NAT.
- Fixed a problem similar to Q01178892 for BO tunnels with multiple local/remote networks: Traffic could be sent using the wrong IPsec SA.
- Fixed IPsec statistics for multiple users behind NAT, and for BO tunnels with multiple local/remote networks.
- Added "collision" resolution, such that when two BO tunnel endpoints concurrently negotiate the same ISAKMP or QM SA, communication should proceed properly.

The Nortel logo has been updated.

Fixed CR-Q01264645: SimpleProxy rewriting contents of a binary executable.

Fixed CR-Q01258698: Added "... (comma separated):" to the command prompt in the same way as for other commands of the same type.

Fixed CR-Q01265361: License count should never go negative (fixed a race condition).

Fixed CR-Q01265206: If /cfg/vpn/aaa/group/restrict was set to something other than 0, login failed with a Yaws error.

Fixed CR-Q01209627: Now the IP pool is also validated against the VIPs of all configured VPNs. Also, IP pool validation is enabled in the SSP case.

Always send 0.0.0.0 as gateway address to the NetDirect client and let the client set up the gateway to be the same as the assigned IP address (i.e. remove the IP + 1 thingie in the client).

Fixed CR-Q01256594: Outlook-specific registry changes were written incorrectly into the registry.

Fixed bug where aaa/ldap attribute parsing was not case insensitive. Now it *is* case insensitive. Bug reported by Brad Black.

=====================================================
SSL 5.5.0.16 Released for QA on November 28, 2005
=====================================================

Fixes:
------
NetDirect-for-Linux fixes:
- CR-Q01251273: NetDirect does not provide NBNS functionality. smb.conf is now updated with the defined WINS (NBNS) server.
- CR-Q01250697: Root user does not need to enter a password when starting NetDirect.
- CR-Q01251129: NetDirect does not provide DNS related function. resolv.conf is now updated with the defined DNS information.
- Fixed seg fault when NetDirect was not enabled in the CLI.
- Client is now working for kernel versions > 2.6.12.

BBI fixes:
- CR-Q01255753: "SQA 5.5.0.13 - BBI - Password needed to be hidden in BBI - CLI CR Q01227480".
- CR Q01242258: "BBI Cluster Mgr: link in the Help->About not valid".
- Updated the help pages of the SSL Offload menu.

Fixed CR-Q01255568: Secondary auth didn't work in combination with client cert login.

Fixed CR-Q01258619: The '/cfg/vpn/aaa/filter/iewiper true' setting did not work to select a profile for a user.

Fixed Q01242859: HTTP compression caused a memory leak.

Fixed CR-Q01257387: The following CLI commands are no longer accessible unless the administrator user is a member of the admin group (e.g. for the default oper user):
  /cfg/sys/dns
  /cfg/quick
  /cfg/test
  /cfg/lang/import
  /cfg/lang/export
  /cfg/lang/vlist
  /cfg/lang/del

Fixed CR-Q01210814: Added '/cfg/vpn #/aaa/wholesec/quick' to make WholeSecurity configuration easier.

Fixed Q01249382: Simpleproxy restarted after 497 days of uptime due to a "broken" return value from times() (a 32-bit tick counter at 100 Hz wraps after about 497 days).

At startup of the SNMP agent, don't open the UDP socket for the MIP before the MIP has been brought up (this had the effect that some startup traps, coldStart and ssi-mipishere, were not sent).

Changed the recv.buffer size for trans2-next messages. Hopefully this fixes the bug Q01228370 - SMB not displaying complete contents of remote machine.
Fixed problem with SHA used as authproto for SNMP requests/traps.

Adopted the general portal layout on the logout_warning window.

=====================================================
SSL 5.5.0.15 Released for QA on November 21, 2005
=====================================================

Fixes:
------
Fixed CR-Q01257952, CR-Q01258043, CR-Q01257967 and CR-Q01257961.

Fixed a problem related to doing a DNS lookup for an IP address if the string given as argument already is an IP address. If the DNS server is configured to do recursive lookups but doesn't reach the top DNS servers, our call will time out. And, as we had already been given the IP address, the lookup is not needed (even though the original behaviour is correct, it is not suitable for our system).

Fixed Q01258394: IPsec cert login was broken due to the addition of ClearTrust Cert-DN validation.

Fixed CR-Q01255833: The gateway configuration has been removed from the local IP pool network attribute settings and thus also from the RADIUS network attribute settings. And, the DHCP pool ignores gateway information received from the DHCP server. The gateway setting was only used to get a dummy gateway configured for NetDirect on Windows. Now, the gateway configured will always be the same address as the IP address received from the pool. The gateway setting is removed as it was confusing for the admin user to configure, and in order to streamline this with the IPsec client (which sets the gateway to be the IP address of the interface as well).
Removed CLI commands:
  /cfg/vpn/ippool/netattr/gateway
  /cfg/vpn/aaa/auth/radius/netattr/gatewayid
  /cfg/vpn/aaa/auth/radius/netattr/gatewaytype

The /config/isd directory was not cleaned up if the IP address (of interface 1) was reconfigured for the master in a single-master cluster setup.

Delete user content when deleting a VPN/domain; don't delete on IP/type change.

Added LDAP group search functionality (a la iPlanet) + LDAP short group command for parsing groups like cn=XXX,cn=... into XXX.

=====================================================
SSL 5.5.0.14 Released for QA on November 17, 2005
=====================================================

Fixes:
------
NetDirect version 5.5.0.8 fixes:
- CR-Q01235972: When NetDirect is denied to start because of the OS, the banner is not shown and no reconnection attempts are made.
- If the admin user name is empty, a dialogue asks for admin credentials.
- Secondary WINS server support added.

BBI fixes:
1. Provided fix for the CRs
   Q01254951: "BBI: VPN Admin unable to add the DNS server for VPN"
   Q01254872: "BBI: SONMP should not be part of the VPN Admin BBI"
   Q01237000: "BBI: Cannot create IAUTO Link in 5.5.0.9 when FQDN is in the Link."
   Q01245760: "BBI: IP Pool needs to be configurable in VPN Admin BBI"
   Q01252380: "BBI: Left side menu selection remain old BBI style in Admin BBI"
   Q01246969: "SSL VPN BBI:Default color theme is not reverting back to proper aqua color theme".
2. In Cluster Manager, provided fix for the CRs
   Q01250261: "BBI: Exit out SSL-VPN Cluster Manager on Linux freezes the browser"
   Q01250267: "BBI: SSL VPN Cluster System should have the same look and feel from regular BBI"

Upgraded Erlang/OTP from R10B-4 to R10B-8 due to a memory leak found by the SNAS project. For fixes in OTP please refer to the following README files. The applications used on the target machines are: erts, kernel, stdlib, mnesia, sasl, crypto, ssl, asn1, snmp, compiler.
  http://www.erlang.org/download/otp_src_R10B-8.readme
  http://www.erlang.org/download/otp_src_R10B-7.readme
  http://www.erlang.org/download/otp_src_R10B-6.readme
  http://www.erlang.org/download/otp_src_R10B-5.readme

Fixed CR-Q01256093: Buffer overflow in BBI with username longer than 9232 chars.

Added CLI banner text for unsupported software (for QA/Beta builds).

Fixed CR-Q01253144: Added infinity choice to the /cfg/vpn/aaa/sessionttl prompt and added the possibility to configure infinity at group level.
A NetDirect link will automatically be added to the portal when configuring NetDirect in the /cfg/test wizard.

Fixed CR-Q01173644: Port range should not accept a backward range such as 89-80 for the /cfg/vpn/aaa/service command.

Removed old NetDirect session/route at reconnect (for CR-Q01207091).

Removed debug message "cli_debug_open... NNNN".

=====================================================
SSL 5.5.0.13 Released for QA on November 11, 2005
=====================================================

Fixes:
------
BBI fixes:
1. Provided fix for the following CRs
   Q01239744: "BBI:"0" should not be the option in IP Pool-Default IP Pool"
   Q01246844: "BBI:Access Lists page needs to display what the content of the rule is"
   Q01246694: "BBI:Cannot make changes via in SSL Offload > Servers > SSL, changes t..."
   Q01246829: "BBI:Cant modify a users group when there are "too many users" I have 1500 u..."
   Q01234937: "BBI:Not able to change certadmin user's password via the GUI; cli ok"
   Q01203038: "BBI, Apply Pending Configuration change warnings, should be removed after apply"
   Q01250267: "BBI: SSL VPN Cluster System should have the same look and feel from regular BBI"
   Q01246142: "SSLVPN: Not able to launch Tunnelguard applet when logging in with TG admin ..."
2. Updated the maximum value for VPN Gateways > Group Settings > Networks (/cfg/vpn #/aaa/network # in CLI) to 2047 from 1023.
3. Removed the support of the command /cfg/vpn #/ippool #/dhcp/class in BBI according to the CLI changes.

Fixed CR-Q01244424: Portal contains a flaw that allows a remote cross-site scripting attack.

Changed wording of the prompt for /cfg/domain/aaa/group/extend to the referenced filter name.

Added client Cert-DN ClearTrust validation.

Fix to handle (SECRET) for deleted items in list menus.

Fix to store the password for /cfg/sys/audit and the RADIUS server encrypted in the registry.

Changed /cfg/vpn/linkset/link prompt not to refer to a name.

Fixed /cfg/test CLI wizard that referenced an old-format ippool command.
PortForwarder API demo application: Removed the truststore parameter since it is not needed.

FullAccess applet: Added NetDirect as number three in priority.

Partially fixed CR-Q01218797: Added a submenu, "ipsec", to the aaa/tg menu. Renamed "UDP Retry Interval" to "Agent Query Timeout Interval" and moved it from the "tg" menu to the new "ipsec" menu. Added the ability to specify a minimum TG Agent version in the format N.N.N.N where each N can be set between 0 and 15.

=====================================================
SSL 5.5.0.12 Released for QA on November 3, 2005
=====================================================

Fixes:
------
BBI fixes:
- CR-Q01240789: "BBI: Cert CRL automatic retrieval screen has 2 problems."
- CR-Q01239745: "BBI, label and help text needs updating in VPN Gateway/Gateway Setup/Sessions".
- CR-Q01239798: "BBI: Information for /cfg/vpn x/ippool x/info doesn't exist in BBI".
- CR-Q01239848: "BBI: Group Configuration "Domain X" should be "VPN X".

NetDirect version 5.5.0.7 fixes:
- CR-Q01227617: ND link in portal fails because NDDC is found.
- CR-Q01237279: NDDC and cached-version NetDirect are now supported together. Installed NetDirect uninstalls if cacheable NetDirect is available on the system.
- NetDirect connects successfully on reconnection. Traffic flow under investigation.
- CR-Q01236026: NDDC authentication fails.

Fixed problem with NetDirect on Linux not always restoring the proper routing table before exiting. Excessive logging to the Java console caused the NetDirect client to exit before all routes had been restored.

Fixed clearing of the CTSESSION cookie in the same way as the SMSESSION cookie.

Fixed CR-Q01227480: Secrets and passwords are no longer displayed in clear text in the CLI. Added the secret attribute that can be used for CLI items of type setting and for parameters, especially for list menus. The value is displayed as (SECRET) in the cur and diff commands. dump without a password will not display the value; dump with a password will encrypt the value, and the paste command must then be used to paste the configuration. Also, the password is not echoed while typing and the user has to re-confirm it. This also applies to auto wizards. The following commands have been changed to use the secret attribute:
  - /cfg/sys/adm/audit/servers
  - /cfg/sys/adm/auth/servers
  - /cfg/sys/adm/snmp/users #/authpasswd
  - /cfg/sys/adm/snmp/users #/privpasswd
  - /cfg/vpn #/ipsec/botunprof #/sharedsecret
  - /cfg/vpn #/aaa/radacct/servers
  - /cfg/vpn #/aaa/auth #/radius/servers
  - /cfg/vpn #/aaa/auth #/ldap/isdbindpasswd
  - /cfg/vpn #/aaa/auth #/siteminder/secret
  - /cfg/vpn #/aaa/group #/ndwapassword
  - /cfg/vpn #/aaa/group #/ipsec/secret
  - /cfg/vpn #/aaa/auth #/local/add (only the prompting and re-confirm applies here)
  - /cfg/vpn #/aaa/auth #/local/passwd (only the prompting and re-confirm applies here)
  - /cfg/cert #/revoke/automatic/passwd
  - /cfg/vpn #/portal/faccess/contpass
  - /cfg/vpn #/linkset #/link #/ftpproxy/ppass

Fixed CR-Q01242080: It is no longer possible to delete an IP pool that is referenced by a group.

Fixed problem associated with CR-Q01207091: We lost the original IP allocated to the NetDirect client in case it requested a new one but provided the old IP address.

Fixed CR-Q01214223: CacheWiper icon never got set to active (and the NetDirect icon never got set correctly), also caused by timing issues in reloading the main frame; the icons are now updated two seconds after the main page.

CLI command /cfg/vpn #/server/http/compress was a no-op. Totally removed /cfg/vpn #/server/portal/compress and the Gateways/#/Portal/GZip registry node, and now using the Profiles/SimpleproxyProfiles/#/GZip registry node both for SSL-accel and the portal/VPN server.

Fixed CR-Q01237913: Cannot open Citrix applications, get error pop-up. The Citrix icon was set to "active" after 30 seconds, regardless of Citrix status.
Removed the Vendor Class command in the '/cfg/vpn #/ippool #/dhcp' menu, since it is not needed anymore: no idle timeout is taken from the DHCP server any longer.

Fixed problem with OWA2000 and OWA2003, see CR Q01218778, case 050901-75074. OWA uses anchor tags to store information about folders and folder content. The id attribute of the anchor tag contains the URL to the document on the back-end server. The id tag was not rewritten; now it is. This is a temporary solution to the whole reverse-rewrite problem. In the OWA code each anchor tag has both an id attribute and a url attribute; when the url attribute was accessed it was reversed, but the id attribute was not. None of the attributes should have been rewritten in the first place, as the attributes are only used for storing URL information, not for accessing the URL. The general reverse rewrite has been removed until a better solution is implemented. The only constructs which are reversed now are:
  location.xxx
  document.xxx
  window.xxx
  document.location.xxx
  window.location.xxx
where xxx is one of the special tokens like href, url, src (see js_meth.tab for a full description). All the above expressions get rewritten when they appear as a right-hand expression, as in:
  a = xnet.xnet_rev(document.xxx)
This code has been verified against Exchange Server 2000 and Exchange Server 2003.

Added the method LoadURL to be recognized as having an argument which needs to be rewritten.

Added new method startDownload, which has a URL as first argument and thus needs to be rewritten: case number 050922-97168.

Rewrites the tags BASEROOT and IMAGEPATH in XML files.

=====================================================
SSL 5.5.0.11 Released for QA on October 27, 2005
=====================================================

Fixes:
------
NetDirect version 5.5.0.6 fixes:
- NetDirect cached mode splash screen "loading files" is changed to "checking files is ok".
- CR Q01236005 - Connected with NDDC, log into portal and close browser = ND will exit

BBI fixes:
- Fixed CR-Q01230912-01: "BBI: CA certs produce "NO" on validate command, when priv key is not present".
- Supported the command /cfg/vpn #/aaa/group#/ndwauser
- Updated the help pages for the Networks and Certificates menus.

Fixed CR-Q01240788: Limit the auto CRL retrieval interval to max 31 days (2678400 seconds).

Fixed CR-Q01236229: Added information to the CLI that 0=unlimited while configuring /cfg/vpn/adv/license.

Fixed CR-Q01239899: A gc-marked IP pool allocation is now handled properly at a free request.

Fixed CR-Q01237206: Better event log for SSL license exhausted - now "ssl" is sent as extra information instead of "xnet" (which is what the license is called internally).

Fixed CR-Q01237104: HW-dependent limit of accepted number of users doesn't work.

Fixed CR-Q01239719: /cfg/vpn/ippool now displays the proper range.

Fixed CR-Q01238916: Fixed crash in aaa_ip_pool while handling reconfiguration.

Fixed CR-Q01234281: Problem with displaying Passcode/Password fields correctly in the PDA portal.

Fixed CR-Q01175146: Problem with FTP uploads being corrupted after ~200 sec.

Fixed CR-Q01237913: Cannot open Citrix applications, get error pop-up.

Fixed problem with the LDAPS auth connection. If the SSL connection handshake for LDAPS authentication failed to complete, the login could hang indefinitely and also block subsequent login attempts. Now the timeout configured via /cfg/vpn #/aaa/auth #/ldap/timeout also covers the SSL connection setup. (Case 050808-48008)

Fixed generation of the license exhausted event for SSL licenses if the fallback for IPsec licenses could not allocate an SSL license because no more licenses were available.

The FTP upload windows will now be closed when the user is logged out due to session timeout.

Require only the immediate CA cert for IPsec cert auth, not the complete chain.

Don't allow user 'oper' to /boot/{reboot,halt} (=> nothing left of /boot).
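The 5.5.0.12 OWA entry above narrows client-side reverse rewriting to reads of location/document/window URL properties on the right-hand side of an assignment, and explains why the earlier blanket rewrite corrupted OWA's anchor id attributes. The following is an added example written for this page, not the gateway's own rewriter (which is not on the page): a small rewriter that wraps exactly those reads in xnet.xnet_rev(...) and leaves everything else alone. The token list (href, url, src) is the subset the note names; the full list lives in js_meth.tab, which is not available, and the OWA-style snippet it runs on is constructed.

```python
import re

# Tokens and host objects from the 5.5.0.12 note; js_meth.tab (the full token
# table) is not on the page, so this subset is an assumption.
URL_TOKENS = ("href", "url", "src")
# Longest host names first so `document.location` wins over `document`.
HOST_OBJECTS = ("document.location", "window.location", "location", "document", "window")

_HOSTS = "|".join(re.escape(h) for h in HOST_OBJECTS)
_TOKENS = "|".join(URL_TOKENS)

# Matches `<target> = <host>.<token>` where the property read is the whole
# right-hand side of a plain assignment.  It does not match writes such as
# `document.location.href = "..."` (nothing is assigned *from* the read), nor
# reads from arbitrary objects such as `el.id` or `folder.href`, which is the
# OWA case the note describes.
_RHS_READ = re.compile(
    r"(?P<lhs>\b[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*\s*=\s*)"
    r"(?P<read>(?:" + _HOSTS + r")\.(?:" + _TOKENS + r"))\b"
    r"(?![\w$.(])"
)


def reverse_rewrite(js: str) -> str:
    """Wrap each qualifying right-hand URL read in xnet.xnet_rev(...)."""
    return _RHS_READ.sub(
        lambda m: m.group("lhs") + "xnet.xnet_rev(" + m.group("read") + ")", js)


# Constructed OWA-style snippet (not taken from Exchange).  Lines 1-3 must be
# reversed; lines 4-6 must be left untouched (stored URL in id, a read from an
# unrelated object, and a write rather than a read).
SAMPLE_JS = """\
var cur = document.location.href;
var img = window.location.url;
var base = location.src;
var anchorId = el.id;
var other = folder.href;
document.location.href = "/exchange/inbox";
"""

if __name__ == "__main__":
    print(reverse_rewrite(SAMPLE_JS))
```

The regex deliberately ignores comparisons (`a == document.location.href`) and chained calls (`document.location.href.toString()`); the note only claims coverage for plain right-hand assignments, and a rewriter that guesses beyond what it can parse is how the id-attribute corruption happened in the first place.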
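The LDAPS fix above (case 050808-48008) is a general lesson: a connect timeout that does not also bound the TLS handshake leaves the authentication path hanging on a server that accepts TCP and then never answers the ClientHello, and every later login queues behind it. The following is an added example written for this page, not the gateway's Erlang code: a client that keeps one deadline across connect and handshake, plus a constructed stand-in server that stalls after accept so the behaviour can be exercised offline. The hostnames, ports and timeout values are the author's; certificate verification is switched off only because the stand-in server has no certificate.

```python
import socket
import ssl
import threading
import time


def ldaps_connect(host, port, timeout):
    """Open an LDAPS (LDAP-over-TLS) socket with one deadline for both stages.

    The pre-5.5.0.11 failure mode was a timeout applied to connect() only,
    followed by a blocking handshake that never returns if the server accepts
    the TCP connection but never finishes TLS.  Here the same timeout stays on
    the socket through do_handshake(), so a stalled server raises
    socket.timeout instead of parking the login thread forever.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # the constructed stand-in server has no certificate;
    ctx.verify_mode = ssl.CERT_NONE   # a real deployment must verify the LDAPS server cert
    raw = socket.create_connection((host, port), timeout=timeout)
    raw.settimeout(timeout)           # explicit: keep the deadline after connect()
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host, do_handshake_on_connect=False)
        tls.do_handshake()            # bounded by the socket timeout
        return tls
    except BaseException:
        raw.close()
        raise


def stalled_tls_server(hold_seconds=5.0):
    """Constructed stand-in for a broken LDAPS server: accepts TCP, then never
    answers the ClientHello.  Returns the bound port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        time.sleep(hold_seconds)      # longer than any client timeout used here
        conn.close()
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


def handshake_times_out(port, timeout=0.5):
    """True when ldaps_connect gives up within the deadline instead of hanging."""
    started = time.monotonic()
    try:
        ldaps_connect("127.0.0.1", port, timeout)
    except socket.timeout:
        return (time.monotonic() - started) < timeout + 2.0
    except OSError:
        return False                  # some other failure, not the timeout we wanted
    return False                      # handshake completed, which the stalled server cannot do


if __name__ == "__main__":
    print("handshake bounded by timeout:", handshake_times_out(stalled_tls_server()))
```

The same rule applies to any TLS-wrapped backend (RADIUS over TLS, HTTPS agent checks such as the WholeSecurity calls mentioned elsewhere in these notes): the deadline has to cover connect, handshake and the first application read, and a login path should fail closed on it rather than block the shared authentication service.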
Fixed class name for Citrix applet.

Enable NMI watchdog on 410/2250/2424-SSL/3050/3070/4050 HW models.

Known deficiencies:
-------------------
On some Linux boxes, NetDirect might fail to restore a proper routing table when logging out from the portal. If NetDirect is explicitly stopped before logging out, everything works as expected and the routing table is restored. This malfunction has so far been found on one PC running Fedora Core 2 and Firefox 1.0.4. PCs running Gentoo do not have this problem.

=====================================================
SSL 5.5.0.10 Released for QA on October 20, 2005
=====================================================

Enhancements:
-------------
NetDirect for FireFox on Linux is now supported. NetDirect is now working on Linux/FireFox. There are some cosmetic issues left and one functional issue. The cosmetic issues are for example wrong button text if NetDirect was unable to start. The functional issue is that when quitting NetDirect you are logged out from the portal.

Fixes:
------
NetDirect version 5.5.0.5 fixes:
- Group level Admin user name parameter has been added in OCX controller and Applet.
- FireFox Support for Windows platform has been added.

Installable NetDirect version 5.5.0.5 fixes:
- CR-Q01227588 - non-admin clicks ND from portal fails receive error about NDDC.
- CR-Q01227580 - NDDC - client with no admin rights fails to open NDDC.
- CR-Q01227560 - NDDC v5.5.0.4 does not overwrite ND v5.5.0.3.
- CR-Q01229541 - NDDC is not in system tray click shortcut loads to system tray.
- CR-Q01227611 - grammar - You dont have Administrative Previlage to Uninstall client.
- CR-Q01224295 - Branding - NDDC setup.exe splash screen displays Nortel Networks
- CR-Q01224293 - Branding - banner displays Nortel Networks should be Nortel.

Fixed CR-Q01218738: CLI now checks that there are no duplicate subnets or hosts within a Network.

Fixed CR-Q01231318: New version of LILO needs (new) "geometric" option for bootable CD.
Fixed CR-Q01215702: WholeSecurity check was failing because RP_AACL_CHECKED and RP_CLI_CONT_LENGTH_SEEN were accidentally defined as the same.

Added support to configure NetDirect WINDOWS admin username per group (like NetDirect WINDOWS admin password):
  /cfg/vpn/aaa/group/ndwauser
  /cfg/vpn/aaa/group/ndwapassword

Window for non-admin support no longer opens when running with admin rights.

Fixed bug where stopping and starting NetDirect on Windows/FireFox did not work.

Fixed OpenSSL vulnerability. The CAN-2005-2969 vulnerability has been removed. This vulnerability only affects the ASA/NVG if protocol version SSL 2.0 has been enabled, by changing the /cfg/ssl/server #/ssl/protocol or /cfg/vpn #/server/ssl/protocol setting from the default 'ssl3' to 'ssl2' or 'ssl23'. This is not recommended regardless of this vulnerability, since the SSL 2.0 protocol has known weaknesses. See http://www.openssl.org/news/secadv_20051011.txt for further details.

=====================================================
SSL 5.5.0.9 Released for QA on October 13, 2005
=====================================================

Enhancements:
-------------
NetDirect for Firefox on WINDOWS is now supported.

Fixes:
------
Fixed CR-Q01227999: Don't send RST in FINWAIT-1 (wait until FINWAIT-2) in transparent proxy mode.

Fixed CR-Q01223244 and CR-Q01223239 (SNAS CRs which are also valid for VPN-5.5): Now the /boot/delete is synchronised and the CLI session will not be closed before all relevant configurations have been deleted.

Fixed CR-Q01226757: Failed object: mib-2.47.1.4.1.0 when snmpwalk SNAS. (Reported by SNAS QA, but the same problem did also exist for VPN-5.5.) Note: In order to get this fix to take effect the cluster needs to be reinitiated (i.e. /boot/delete followed by a new/join). (As the problematic table is a table that is introduced in the 5.5 version there is no need to write upgrade code in order to handle the upgrade case.)
Backported the fix for CR-Q01054338 in ISDP-1-5-1-3 (platform release) which added the secret CLI option. Needed in order to add functionality to hide passwords in the CLI.

Portal links using the SSHv2 protocol are now inactive in the PDA portal.

Fixed CR-Q01223066: FTP operations were not logged to syslog even though /cfg/vpn #/adv/log was set to all.

Fixed "customer uploadable content" bugs:
- Deleting old content at rsync from master failed (need to exclude lost+found).
- Rsync of large files failed most of the time (need to use --blocking-io).

Fixed CR-Q01228427: IPsec: IPsec user tunnels when using local address pools is broken (aaa_group_server:sort_groups/2 was broken after "recordification").

Fixed CR-Q01220483: Support downgrade to a 5.1.4.2+ release (i.e. available to customers 5.1.5+). As the support below is added to the 5.1 code stream to handle downgrade from 5.5, we only support downgrade to a release later than 5.1.4.2. It especially handles the new design of the IP pool: if the default IP pool in 5.5 is of type local, the settings for this pool are kept and the NetDirect and IPsec network attributes are configured accordingly. If the default IP pool is not of type local, the first found local IP pool is chosen (lowest number), and if no local pool is found the IP pool will be disabled (thus it is not possible to configure anything new on the system until the IP pool is configured). Also, the new TunnelGuard features introduced in 5.5+ are filtered away during the downgrade. Note that if any ClearTrust authentication server has been configured, a downgrade to 5.1.2.4+ will fail as this is impossible to support.

Fixed aaa crash if a cookie was being looked up at a node that is currently being restarted (now also handles the cache migration in this case).

Fixed class cast exception when starting fullaccess applet.
BBI fixes:
- Q01229387 : "BBI: Certificate Export of types DER and NET, will produce the Key file twice"
- Q01229382 : "BBI: cannot set Smart Card Setting, apply states "no changes to apply""
- Q01227836 : "BBI: DHCP Servers sequence should be configurable"
- Q01225888 : "BBI: Unable to delete all Access rules at once, only individually"
- Q01227474 : "SQA 5.5.0.8 Update failed: IP Pool: Unable to read value from registry"
- Q01220761 : "Unable to Modify/Edit a subnet under VPN Gateways-->Group settings-->Networks"
- Q01220655 : "SQA 5.5.0.6 - VPN Gateways>Portal Linksets>Links Type: then back button"
- Q01227810 : "BBI: "Relay IP address" should not be listed under IP Pool Config ->DHCP Servers"
- Q01227830 : "BBI: "Vendor Option Id for idle timeout" should not exist on VPN Gateway IP pool"
- Q01226787 : "BBI: When editing FTP link, Server IP addr appears to the right of the field box"
- Q01227840 : "Setting Idle time out, has error message"
- Q01227849 : "BBI: Radius Network Attributes "Idle Timeout" should be removed."

Known deficiencies:
-------------------
NetDirect-Firefox on Linux is not working properly. Using it might mess up the routing table (not restoring the default GW after termination).

=====================================================
SSL 5.5.0.8 Released for QA on October 06, 2005
=====================================================

Fixes:
------
Fixed CR-Q01205377: 'Cannot open shares with lots of files/folders'.

Added VPN name to /cfg/quick wizard.

Command '/cfg/vpn #/portal/content/available' checked space in the wrong directory.

Fixed CR-Q01227009: Changed wording of validation rule.

Fixed CR-Q01188727: ike daemon dead while Cisco router trying to establish BO with NVG.

TG Applet updated to Build 111. Contains JRE checking method and "Not Older Than" feature fix. Fix to make SSL-VPN not fetch transitional pages for TG State changes. Also, the Portal page will not be refreshed on every recheck interval as is done in the case of NSNAS.
Added CLI alias tab completion for /cfg/vpn number (referring to SNAS CR-Q01200389).

Fixed looping SiteMinder agent. A problem in the SiteMinder agent (for SiteMinder authentication) could cause the agent to start looping, with the result that the system showed a constant 100% CPU usage (SiteMinder authentication still worked since a new agent instance was started automatically).

Fixed CR-Q01221893: The default value for NetDirect caching is now off.

Fixed CR-Q01202870: User db import fails if a user definition is longer than 254 chars (raised the line size limit to 8192 chars).

Fixed CR-Q01224197: Splitnets configuration misleading - Enter network IP number: 1

Fixed problem with IPsec not accepting new connections. In some cases where IPsec certificate authentication was rejected (e.g. revoked certificate), the session-setup flow control mechanism ("credits") was not correctly updated, with the eventual result that no new sessions were accepted.

Only use one UDP socket for all non-bound VPNs for TunnelGuard (the IPsec case).

Fixes to the idle timeout settings in the IP pool. The idle timeout settings in the IP pool are now removed, and instead it is possible to configure the idlettl (and sessionttl) per group (and the default per VPN) (also refer to CR-Q01210166). The highest value among the groups and the default is chosen at login (a /maint/starttrace entry for aaa is added to display which timeouts a user got at login). The reason for removing the idle timeout from the pool is that it actually didn't belong in that area. And, as we move it to the group, we get the same behaviour also for normal portal logins that don't assign an IP address from a pool. Also, made it possible to configure the IP pool per extended profile in order to be able to get a different IP pool assigned depending on the TunnelGuard result (i.e. which extended profile the user is assigned to).
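Two pieces of the timeout rework above are easy to get wrong when re-implementing them elsewhere: the login-time selection (the highest of the VPN default and the values of the user's groups wins) and the RADIUS Idle-Timeout handling described in the RADIUS CLI changes that follow (with vendorid 0 the standard Idle-Timeout attribute is used, otherwise a vendor-specific attribute with the configured vendor id and type). The Python below is an added example of both and is not the product's aaa code. The RADIUS attribute numbers are from RFC 2865 (Vendor-Specific 26, Session-Timeout 27, Idle-Timeout 28); the function names, the vendor id 9999 and all timeout values are constructed samples.

```python
import struct
from typing import Iterable, Optional

# Attribute types from RFC 2865.
RADIUS_VENDOR_SPECIFIC = 26
RADIUS_SESSION_TIMEOUT = 27
RADIUS_IDLE_TIMEOUT = 28


def effective_ttl(vpn_default: int, group_values: Iterable[Optional[int]]) -> int:
    """Pick the idlettl/sessionttl a user gets at login: the highest of the VPN
    default and the values of the groups the user belongs to (None = not set
    on that group)."""
    return max([vpn_default] + [v for v in group_values if v is not None])


def encode_idle_timeout(seconds: int, vendorid: int = 0, vendortype: int = 0) -> bytes:
    """Encode Idle-Timeout the way the IdleTimeout menu describes: vendorid 0
    selects the standard attribute (type 28); otherwise the value travels in
    a Vendor-Specific attribute (type 26) with the given vendor id and type."""
    value = struct.pack(">I", seconds)
    if vendorid == 0:
        return struct.pack(">BB", RADIUS_IDLE_TIMEOUT, 2 + len(value)) + value
    vsa = struct.pack(">BB", vendortype, 2 + len(value)) + value
    return struct.pack(">BBI", RADIUS_VENDOR_SPECIFIC, 6 + len(vsa), vendorid) + vsa


def find_idle_timeout(attrs: bytes, vendorid: int = 0, vendortype: int = 0) -> Optional[int]:
    """Walk a RADIUS attribute list and return the Idle-Timeout that matches the
    configured vendorid/vendortype, or None if absent. Every length field is
    checked so a truncated or malformed attribute raises instead of misparsing."""
    i = 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("bad attribute length")
        value = attrs[i + 2:i + alen]
        if vendorid == 0 and atype == RADIUS_IDLE_TIMEOUT and len(value) == 4:
            return struct.unpack(">I", value)[0]
        if vendorid != 0 and atype == RADIUS_VENDOR_SPECIFIC and len(value) >= 4:
            vid = struct.unpack(">I", value[:4])[0]
            j = 4
            while j < len(value):
                if j + 2 > len(value):
                    raise ValueError("truncated vendor attribute header")
                vtype, vlen = value[j], value[j + 1]
                if vlen < 2 or j + vlen > len(value):
                    raise ValueError("bad vendor attribute length")
                if vid == vendorid and vtype == vendortype and vlen == 6:
                    return struct.unpack(">I", value[j + 2:j + 6])[0]
                j += vlen
        i += alen
    return None


if __name__ == "__main__":
    # Constructed sample: VPN default 600 s, two groups, one without a value.
    print(effective_ttl(600, [1800, None]))                      # 1800
    # Constructed attribute list: Session-Timeout 3600 s, then standard Idle-Timeout.
    std = struct.pack(">BBI", RADIUS_SESSION_TIMEOUT, 6, 3600) + encode_idle_timeout(900)
    print(find_idle_timeout(std))                                 # 900
    # Same value as a vendor-specific attribute; 9999 is a constructed vendor id.
    vsa = encode_idle_timeout(900, vendorid=9999, vendortype=3)
    print(find_idle_timeout(vsa, vendorid=9999, vendortype=3))    # 900
    print(find_idle_timeout(vsa))                                 # None: standard attribute absent
```

The last call shows the mismatch case worth watching in practice: a server that sends the value as a VSA while the gateway is configured with vendorid 0 (or vice versa) simply yields no Idle-Timeout, and the group/VPN default then applies.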
The CLI changes are listed below:
  Renamed '/cfg/vpn #/aaa/ttl' to '/cfg/vpn #/aaa/idlettl'
  Added 'idlettl' and 'sessionttl' to '/cfg/vpn #/aaa/group' and '/cfg/vpn #/aaa/group #/extend'
  Removed '/cfg/vpn #/ippool #/dhcp/idletimeid'
  Removed '/cfg/vpn #/ippool #/netattr/idletimeout'
  Added '/cfg/vpn #/aaa/group #/extend #/ippool'

RADIUS CLI changes: '/cfg/vpn #/aaa/auth #/radius'
------------------------------------------------------------
[RADIUS Menu]
     servers    - RADIUS servers menu
     vendorid   - Set vendor id for group attribute
     vendortype - Set vendor type for group attribute
     vpnid      - Set vendor id for VPN ID attribute
     vpntype    - Set vendor type for VPN ID attribute
     timeout    - Set RADIUS server timeout
 --> idletimeou - Idle Timeout menu
     sessiontim - Session Timeout menu
     macro      - User-defined Macro menu
     netattr    - Tunnel network attributes menu
------------------------------------------------------------
[IdleTimeout Menu]
     vendorid   - Set vendor id for idle timeout attribute
     vendortype - Set vendor type for idle timeout attribute
     ena        - Enable Idle-Timeout
     dis        - Disable Idle-Timeout

The idletimeout is enabled by default (to mimic old behaviour) and if vendorid is 0 the standard Idle-Timeout attribute is used. The '/cfg/vpn #/aaa/auth #/radius/netattr/idletimeid' and 'idletimetype' items are removed.

BBI fixes:
- Provided fix for the following CRs:
  - CR-Q01202990 : "BBI, Certificates, "Show" should be changed, to properly display Subject DN".
  - CR-Q01220771 : "SSLVPN BBI: Service is still created when entering invalid port numbers".
- Supported the command /cfg/vpn #/server/portal/wipecookie.
- Updated the erlang code for the /cfg/vpn #/portal/lang/beconv/codesets command in order to remove the leading text.

Installed NetDirect 5.5.0.4 fixes:
- CR-Q01220702: NDDC unzip fails https://.../NetDirect_Setup.zip.
- CR-Q01224232: NDDC reboot client NDDC loads to system tray - click shortcut fails.
- CR-Q01224291: Banner text is not displayed when connecting to VPN with NDDC.
- CR-Q01224227: NDDC Show Main stays locked on the desktop.
- CR-Q01199613: Connect with Installable ND Client then logout/out of Portal = error.

NetDirect 5.5.0.4 fixes:
- CR-Q01218557: ND no admin rts - Click ND link browser closes - hs_err_pidXXX.
- CR-Q01199578: NetDirect Will Exit Now appears when ND is already closed.
- CR-Q01224209: NetDirect banner displays blank when not configured
- CR-Q01224293: Branding - banner displays Nortel Networks should be Nortel.
- CR-Q01224224: Windows New Hardware found Tap Hardware found

=====================================================
SSL 5.5.0.7 Released for QA on September 30, 2005
=====================================================

Fixes:
------
NetDirect 5.5.0.3 fixes:
- CR-Q01206979: Banner Text/License info have been added.
- CR-Q01214679, CR-Q01199578: The timing issues of NetDirect have been fixed in this version.
- CR-Q01199588: User connects to 5.5 VPN with NetDirect 1.0.2.3, 1.0.2.4 failure issue has been fixed in this release.

Fixed CR-Q01221340: Don't allow tftp for download of SW packages (doesn't work when > 32 MB).

Fixed CR-Q01211068: VPN Portal can't be launched after downgrading from 5.5.0.3 to 5.1.3 (wrong version of the compiler was used to produce portal pages).

Fixed CR-Q01166271: Alteon 3050: Using SMB link from the portal page exposes hidden shared folder.

Fixed CR-Q01215931: Consistency when setting timers and receive error.

Fixed CR-Q01215266: Enable Cut Domain feature broken, sending the domain to the ldap server.

Fixed CR-Q01209305: 2424-SSL - 5.1.3.5 SSL processor fails after few hours of traffic load. Need to lock bottom half too during rekey (from kernel 2.4.22).

Fixed CR-Q01217347: IPsec user tunnels have problem with packet size of 1475 or larger. Cause: Bug in iptables ipsec-03-policy-lookup kernel patch.

Fixed CR-Q01183069: Backported crypto buffer mgmt fixes from kernel 2.6.9.

Fixed CR-Q01218588: SMB link receive internal yaws error {abs_path,"/xnet/smb/...
Fixed a related problem to CR-Q01218588, when clicking on 'Save as bookmark' without defining a URL.

Fixed CR-Q01219880: Ftp Port Forwarder causing connection refused.

PortForwarder API: Changed minimum interval for setStatisticsObserverInterval to 50ms.

Fixed the test-srs tunnelguard rule not to include any faulty Registry configuration values any longer.

Speedup of system stop if IPsec is not started.

Do proxy arp also on interfaces bound to other VPNs when not doing SSP.

Now the NDWAdminPassword is stored as a secret_string (DES3 encrypted) in the registry.

Added support for different TG clients. For SSL the protocol version the TG applet uses is 2.0. For IPsec the protocol version of the installed TG client is 1.1.

BBI fixes:
- Q01199218 : Unable to Delete Users via WebUI from Local DB when User Name Contains Spaces (Priority = 2).
- Q01180816 : SVG 5.1.3: WebUI update of passwords fails for certain usernames (Priority = 2).
- Q01218842 : SSLVPN: Not able to delete subnets from Networks using BBI delete checkbox (Priority = 3).
- Added support for the command /cfg/vpn #/portal/smbworkgrp.
- Added support for the command /cfg/vpn #/portal/lang/beconv/codesets.

SSL VPN Cluster Manager fixes:
- User Management and User Card in Cluster deck is updated to support "tunnelguard" group.
- Backend script of Sync. VPN functionality is updated to support Accounting Servers, TDI VPN Client and LSP VPN Client parameters.

Fixed vulnerability issue found by SEC (see below).

Now port forwarder links in pre 5.0 format (i.e. created in a 4.x based system) are converted at system upgrade (and at system restart, to cover for load, i.e. /cfg/gtcfg, of an old configuration) to the new port forwarder link format introduced in the 5.0 release.
And, the tunnelform.yaws page no longer accepts the a (application) and aa (application argument) parameters (thus, if an old link is loaded due to a gtcfg without a restart, the client will be informed to contact the system administrator in order to reconfigure the system to handle this link).

SEC CONSULT ADVISORY
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| Nortel SSL VPN Cross Site Scripting/Command Execution            |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: 05-30-2005
Author: Daniel Fabian
Product: SSL VPN
Affected Version: 4.2.1.6
Vendor: Nortel Networks Limited (http://www.nortel.com/)
Vendor-Status: Vendor contacted

~~~~~~~~ Synopsis ~~~~~~~~~~~~~~~~~~~~~~~~

The Nortel SSL VPN is a remote access security solution. By using secure sockets layer (SSL) as the underlying security protocol, Nortel SSL VPN allows for using the Internet for remote connectivity and the ubiquitous Web browser as the primary client interface.

Due to insufficient input validation within the appliance's web interface, it is possible for an attacker to supply his victim with a malicious link that results in code execution on the victim's client. The problem has been reproduced with version 4.2.1.6, however different versions might be vulnerable as well.

~~~~~~~~ Vendor Status ~~~~~~~~~~~~~~~~~~~~~~~~

The vendor has been notified ....

~~~~~~~~ Vulnerabilities ~~~~~~~~~~~~~~~~~~~~~~~~

Cross Site Scripting/Command Execution
--------------------------------------

Scope: Due to insufficient input validation within the web interface of Nortel's SSL VPN appliance, it is possible to hide commands in links to certain pages of the web interface. As the Java Applet which is called from those web pages is cryptographically signed, it may execute operating system commands with the privileges of the user sitting in front of the browser. An attacker can thus supply his victim with a malicious link where commands are hidden.
If the victim clicks on the link and logs onto the SSL VPN web interface (where it is automatically taken), arbitrary commands are executed locally on the client of the victim.

Here is an example for a crafted link that executes the command "cmd.exe /c echo test > c:\\test" (please consider the link one line):

https://SSL_VPN_SERVER/tunnelform.yaws?a=+cmd.exe+/c+echo+
test+%3E+c:\\test.txt+&type=Custom&sp=443&n=1&ph=&pp=&0tm=tcp&0lh=127
0.0.1&0lp=8080&0hm=&0rh=10.117.252.129&0rp=80&sslEnabled=on&start=
Start...

~~~~~~~~ Timeline ~~~~~~~~~~~~~~~~~~~~~~~~

May 30: Vulnerability discovered and vendor notified

~~~~~~~~ Contact ~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Unternehmensberatung GmbH
Büro Wien
Blindengasse 3
A-1080 Wien
Austria

Tel.: +43 / 1 / 409 0307 - 570
Fax.: +43 / 1 / 409 0307 - 590
Mail: office at sec-consult dot com
http://www.sec-consult.com

EOF Daniel Fabian / @2005
d.fabian at sec-consult dot com

Known deficiencies:
-------------------
NetDirect-Firefox on Linux does not work.
NetDirect-Firefox on WINDOWS does not work.

=====================================================
SSL 5.5.0.6 Released for QA on September 23 2005
=====================================================

Fixes:
------
Fixed CR-Q01217347: Bug in iptables ipsec-03-policy-lookup kernel patch.

Fixed CR-Q01183069: Backported crypto buffer mgmt fixes from kernel 2.6.9.

Fixed CR-Q01014291. It is now possible to set the default SMB workgroup name. The new CLI command is: /cfg/vpn #/portal/smbworkgrp.

Fixed CR-Q01215415: Initiator-side IPsec cert auth didn't work.

Fixed CR-Q01214211: Back ported x11 forwarding fix from jsch-0.1.22-rc11 and also made own modification to make the client reply with open channel failed, according to draft-ietf-secsh-connect-25.txt.

Fixed CR-Q01213290: Need to iptables-mark with interface mark on INPUT for bound backend interface w/o SSP.

PortForwarder API: Fixed bug where PortForwarder.stop(true) hung if an error had occurred during configuration.
Merged latest TG applet from snas-1-0 branch: Fix for the Logout Issue where the page failed to call logoutWait() as this method name was trimmed by the obfuscator.

While creating a http -> https redirect server in the new setup, a proper name of the SSL server (1) is now created.

Added fix for iauto links where there is no action in the form; instead the url for the page where the form resides is used.

Don't use session ID 0 (possibly relevant for Q01188727).

BBI fixes:
- /cfg/vpn #/sslclient/caching
- /cfg/vpn #/aaa/sessionttl
- ClearTrust Authentication.
- Support for latest TunnelGuard applet SRS format.

NetDirect 5.5.0.2 fixes:
- Cache Parameter option modified based on latest server support.
- Non-admin support has been added w.r.t. admin password methods provided by latest server build.

Installed NetDirect Client 5.5.0.2 fixes:
- Q01206758 : ND Client option to delete connection created via connection wizard. The new delete menu item has been provided.
- Q01214857 : NDDC NetDirectRunner MFC Application has encountered problem. The code has been optimized, memory leaks have been sorted out.
- Q01206747 : NetDirect downloadable client File New Connection asks for password. The Password entry has been removed from the wizard, since the wizard only adds valid user entries.
- Q01199607 : Installable NetDirect client Main window usability. The Connection button has been disabled after the successful connection.
- The earlier version of NDD didn't check whether the NetDirect portal was running or not. This version fixes this issue.

=====================================================
SSL 5.5.0.5 Released for QA on September 19 2005
=====================================================

Fixes:
------
Merged the latest TunnelGuard applet (and server) from the SNAS project, which is now fixed to also work for the SSL-VPN.

NetDirect commands (in /cfg/vpn/sslclient) are now available also if NetDirect is configured to be per group.
Added an empty src for placeholder initially in order to get rid of the IE popup complaining about both secure and non-secure items on the page.

Fixed CR-Q01209217: NetDirect did not work if a RADIUS IP pool was used.

Fixed CR-Q01209375: NetDirect windows admin password question should not be displayed while creating a new group.

Installed NetDirect version 5.5.0.1 fixes:
- Log files locations changed.
- Route table modifications cleaned up.
- Server updates incorporated.

Fixed intermittent crash when loading certs for IPsec (caused by an uninitialized pointer).

Changed timeout for resend of DHCPDISCOVER from 30 secs to 3 secs.

Added removal of NULL-terminated domainname string in the netattr attribute for Radius.

Renamed the "userdata" mount point: /config/userdata -> /config/isd/user_content

Known deficiencies:
-------------------
NetDirect-Firefox on Linux does not work.
NetDirect-Firefox on WINDOWS does not work.

=====================================================
SSL 5.5.0.4 Released for QA on September 15, 2005
=====================================================

Fixes:
------
BBI fixes:
1. Q01206236: "SQA 5.5.0.1 - select multiple users from the GUI and select delete fails" (Priority- 4)
2. Q01208854: "BBI: Links when edited does not have the correct Link Type" (Priority- 3)
3. Q01210687: "Error in BBI, on Monitor > BO Tunnel Sessions" (Priority- 2)
4. Q01210681: "BBI, Cannot delete user from the Local Authentication server, browser shuts" (Priority- 2)
5. Q01209674: "SQA 5.5.0.2 - get_dy_file_if_exists() in /.....main.php on line 308" (Priority- 3)
6. /cfg/vpn #/aaa/auth #/ldap/adv
7. /cfg/vpn #/aaa/auth #/radius/netattr/gatewayid
8. /cfg/vpn #/aaa/auth #/radius/netattr/gatewaytype
9. /cfg/vpn #/aaa/anongroup
10. /cfg/vpn #/aaa/wholesec
Also added support for the Management Role for Tunnel Guard functionality.

SSL VPN Cluster Manager (NSM Universal) fixes:
1. "NSM Universal", the name given to this application earlier, has been changed to "SSL VPN Cluster Manager" everywhere.
2. Updated Makefile to use JARG to reduce the size of the SSL VPN Cluster Manager and JFreeChart jar files.
3. Removed BBI launch point from Cluster and iSD Decks/screens. This is mainly because the launched BBI browser was affecting the original BBI browser (the browser used for launching the SSL VPN Cluster Manager application) as both were sharing the same session information. Also, a BBI browser launched through this a second time to the same device was sharing the same session information, which resulted in some invalid behavior.

NetDirect 5.5.0.1 fixes:
1. Synchronized with the server version 5.5 image; Client OS and Client Version info support have been added.
2. UDP tunneling changes modified as per latest server support.
3. Added Windows XP specific PnP/Power calls.
4. Identified issues while running the NDISTest tool and fixed the issues.
5. Added new IOCTL to notify the client of route table modification. Earlier versions of the client weren't aware of when to modify the route table, so it tried several times for route addition. Now this has been removed and given a clean solution.
6. Log file locations have been modified; the log is now created only in the temp location for both admin and non-admin. Earlier versions of the client created the log file in different locations, like the root folder for admin and the temp folder for non-admin. This has been modified for proper consistency.
7. Cache NetDirect parameter enabled based on latest server options. This has been tested with the corresponding server response flag.

Fixed CR-Q01209450: The IEWiper and/or Citrix applets were not started properly if the features were configured per group and TunnelGuard decided which group/profile the user belongs to. Thus, the tg_frame was added to the frameset. The tg_frame handles everything with TunnelGuard and loads the placeholder.yaws frame after completion.
Now, the placeholder gets the correct group/profile.

Added command to set maximum session time. Previously a maximum session time could only be set via Radius authentication. A new command /cfg/vpn #/aaa/sessionttl has been added to allow setting of this regardless of the authentication type.

Fixed certificate/signature validation for IPsec cert authentication.

Don't require pool-specific DNS server in "VPN quick setup wizard".

Fixed system crash when a botunprof group has extended profiles.

Fixed CR Q01207083: SQA 5.5.0.1 - Custom PF not working. Starting of tunnel server threads had become broken in the merge from 5.1.

=====================================================
SSL 5.5.0.3 Released for QA on September 12, 2005
=====================================================

Enhancements:
-------------
Added support for WholeSecurity.

Fixes:
------
Fixed CR-Q01207904: DHCP allocation failed if a non existing DHCP server was configured.

Fixed CR-Q01206465: Type error in default vendor option for DHCP in IPpool (crashed the system if the DHCP server did not send the vendor specific option).

=====================================================
SSL 5.5.0.2 Released for QA on September 08, 2005
=====================================================

Fixes:
------
Fixed bug that made it impossible to run applets without restarting the browser after the user logs in the second time.

Error message improvements for terminal applets.

Fixes related to all types of applets:
- Fixed centering of message boxes within frames.
- Added icons to message boxes.
- Yes/Ok button is set as default, i.e. connected to the enter key.

Logout from a shell now triggers closing of the session.

BBI fixes:
1. /cfg/vpn #/ippool #/netattr/gateway
2. /cfg/vpn #/aaa/auth #/ldap/activedirectory/exppasgroup
3. /cfg/vpn #/sslclient/ndxml
4. /cfg/vpn #/aaa/group #/ndwap
5. Certificates are now listed in numerical order by number.
6. Fixed problem with all certificates showing "No" under Valid.
7. Fixed problem with Ike Profiles/Diffie Hellman values all showing "OFF", despite being on. Setting the values to "ON" also triggered an error: Failed: Identifier must be a positive integer.
8. Fixed the location of the "RADIUS Group Attribute" settings and the "Acct-Session-Id" in the BBI auditing messages.
9. Removed settings of wins, gateway and netmask for NetDirect from the BBI.
10. CLI changes for the SSHv2 applet are now supported in the BBI.

Fixed CR-Q01206465: aaa_ip_pool crash if idletimeout option id was not set to the default.

Fixed problem with restarting system if a link was deleted and recreated within the same apply and no linktext was added. The following command sequence triggered the problem:
  /cfg/vpn 1/linkset 1/link 1/del
  /cfg/vpn 1/linkset 1/link/add 1
  apply
(without adding link text but all other required stuff)

Added caching option for NetDirect.

Added support for admin password for NetDirect.

Fixed CR-Q01203260: A host could be impossible to start if an interface was not configured for the host and that interface was used (bound to) in an SSP configuration.

Removed the objectclass=person filter from the AD authentication search. This is now configurable instead. See the menu: .../auth #/ldap/adv

Fixed CR-Q01145430: Shares that have a $ at the end of their name are interpreted as hidden.

Added the DHCP option "Request-Options", which explicitly tells the DHCP server what parameters we want it to return.

Changed to use wraplogs ike.log.{1,2,3...} instead of ike.log + ike.log.old.

Fixed CR-Q01183087: Session traffic wasn't recorded for BO responder session.

Changed name of /cfg/vpn/aaa/ippool to /cfg/vpn/aaa/defippool.

Added resend functionality in case packets sent to the DHCP server are lost. We are now also checking that the offered IP address is not in use.

Fixed aaa_license crash when a node joins the share after reconfiguration.

Added /cfg/vpn #/portal/lang/beconv/codesets.
Gateway address received through DHCP is now handled all the way to the NetDirect client.

Fixed problem with portal link not working in frames if the url is missing a relative or absolute path (Q01187510-01).

Previously allocated DHCP IP-addresses are now released at startup.

Fixed CR-Q01104375-01: Portal is not displaying when authenticating with client certs: Internal Yaws Error.

Fixed CR-Q01179404: Handle validation errors while loading a license key in the CLI.

Fixed CR-Q01205161: System crashed when a corrupted boot image was installed.

Fixed CASE 050601-74161: Issue with the 3050 not booting if DEL or ENTER (among other keys) are sent during boot up.

Known deficiencies:
-------------------
Whole security feature is not ready to test.
NetDirect on Linux does not work.
NetDirect-Firefox on WINDOWS does not work.

=====================================================
SSL 5.5.0.1 Released for QA on Aug 31, 2005
=====================================================

This README will describe changes in forthcoming releases.

=====================================================
Software Installation and Upgrade Notice
=====================================================

The software is delivered in two different forms, as described below.

- SSL-6.0.x-upgrade_complete.pkg

  Using this package is the preferred method for upgrading an existing SSL VPN cluster, as the upgrade is propagated across the cluster and all current configuration is preserved. The upgrade procedure is described in "Performing Minor/Major Release Upgrades" in Chapter 4 in the SSL VPN User's Guide.

- SSL-6.0.x-boot.img

  Using this image will reset the SSL VPN device to its factory default configuration. It must be used when an SSL VPN device with different software installed is to be added to a cluster, to bring the additional SSL VPN device to the same software version as in the cluster before joining it to the cluster.
  The software reinstall procedure is described in "Reinstalling the Software" in Chapter 3 in the SSL VPN User's Guide.

Disk repartitioning required for version 5.x on some systems
------------------------------------------------------------

This applies to the following systems:
- ASA 310, ASA 310 FIPS, ASA 410, delivered with a software version prior to 4.0 pre-installed.
- AAS 2424-SSL delivered with a software version prior to 5.0 pre-installed.

On these systems, the existing disk partitioning does not allow for a 5.x version to be installed simultaneously with version 4.2 or later. I.e. it isn't possible to do a standard upgrade from 4.2 to 5.x, or from one version of 5.x to another. Upgrade from versions earlier than 4.2 to 5.x, and software reinstall using a 5.x version, is still possible.

Hence the following applies regarding standard upgrade to version 5.0 for clusters that include systems of the above type:

  Current version           Procedure
  4.1.x or earlier          Upgrade to 5.0, and repartition before subsequent upgrade.
  4.2.x before 4.2.1.11     Upgrade to 4.2.1.11 or later 4.x, repartition, and then upgrade to 5.0.
  4.2.1.11 or later 4.x     Repartition before upgrade to 5.0.

When 5.x is installed, the /boot/software/download command will give an error if one or more systems of the above type are running in the cluster, listing the hosts that need disk repartitioning.

To support the repartitioning procedure, the following commands are present as of version 4.2.1.11:

  /boot/software/repartcheck
    - check for and report hosts in the cluster that need repartitioning.
  /boot/repartition
    - initiate repartitioning for the local host.
  /cfg/sys/cluster/host #/repartition (4.2)
  /cfg/sys/host #/repartition (5.x)
    - initiate repartitioning for the given host (which must be running).

These commands are "hidden", i.e. not shown in the menu or considered for auto-completion via the TAB key, since they shouldn't be used in normal operation.
During the repartition, which includes two automatic reboots, the host will effectively be out of service. The time required for the repartition is approximately:
  4-5 minutes for ASA
  7-10 minutes for AAS 2424-SSL

NOTE: It is vitally important to avoid power cycle, reset, or any other manually initiated reboot of the host while the repartition procedure is running - this may lead to a totally non-functional system.

NOTE: On the AAS 2424-SSL, after repartition is completed, it will not be possible to downgrade to software versions prior to 4.2.1.8, even via software reinstall.

Upgrading from Versions Earlier than 2.0.11.15
----------------------------------------------

If you are currently running a software version earlier than 2.0.11.15, upgrade to version 2.0.11.15 (or a later 2.0.11.x version) prior to upgrading to version 3.x or later. The "intermediate" upgrade to version 2.0.11.15 is necessary in order to maintain your current configuration, and to provide reliable fallback in case the upgrade should fail.

Downgrading to Versions Prior to 5.0.x
--------------------------------------

SSL VPN clusters running software version 5.x cannot be downgraded to software version 4.x or earlier and still retain the configuration. To downgrade such a cluster to a version lower than 5.x, a complete software reinstall using the boot.img must be performed, followed by manual reconfiguration of the cluster. This is due to changes in the internal database format.