
This is a beta release. Problems with the new and modified components might occur on some installations.

To install the update, at least version 7.0-4.6 is required.
The 7.1-0.* release series is a beta branch which will be finished with the release of update 7.1-1.0. We would like to invite you to participate and hope to receive feedback regarding the new features. We would like to thank everyone for their active participation.
Before installing the beta update, please make sure that a current backup is available. For systems with mailboxes, please carefully read the special notes in section "Mailbox storage type and mail backups" below.

Available for purchase

Machines covered by a software maintenance contract as well as systems which have been purchased lately may update free of charge. Access has already been activated for the respective licenses. For all other systems access will be granted as soon as the update has been purchased.
The credentials required to download the update will be sent automatically when using the system's interactive update feature. For a manual download you will have to specify the support IP as username (e.g. and the hardware ID as password (e.g. 473I-QN34-O@:5).

S/MIME email encryption gateway

This new component lets you use S/MIME based signatures and encryption for your external communication without the need to roll out and maintain S/MIME for all local mail clients.
Starting with release 7.1-1.0 this component is subject to a fee!
With this solution, inbound emails will be decrypted automatically before applying security checks like virus scan or attachment filtering. Also the signatures of inbound emails will be checked. Certificates received as part of the signatures can be stored for encryption of outbound emails automatically. So all future mails to these communication partners will be encrypted without any effort. It is also possible to manually release or import peer certificates for automatic encryption of outbound emails. Finally outbound emails can be signed automatically, too.
For signing outbound emails and decrypting inbound emails, an S/MIME certificate is required for each email address. The certificate has to be stored in the user administration, one certificate per user.

Menu "CA Certificates"

You can store custom trusted CA certificates in the new menu item "System > Certificate manager > CA certificates". The CA bundles which are maintained by us are also visible there. The two previous menu items of the local CA have been moved into the new menu, too.

Docker-based operating-system-level virtualization

Optional extensions (running within containers) can be installed in the new menu "System > Apps". Please note that apps have to be updated separately, so please check the "Apps" menu regularly once you have apps installed.
While fully virtualized guests each run a whole operating system of their own, with operating-system-level virtualization the host and all of its guests share the same operating system core (in our case the Linux kernel). This makes operating-system-level virtualization very efficient. Still the guests, usually called containers, run in an isolated environment. However this isolation is not as strong as with full virtualization.
Following this approach, we want to offer even bigger software modules in the future, without major impact on system security.

Administration interface now on port 44344

Browser access to containers, as described above, requires the reverse proxy, which plays a more central role now. So we decided to enable the reverse proxy on port 443. Port 443 was previously allocated to the administration interface which has been moved to port 44344.
To facilitate the transition, the reverse proxy will redirect requests for the administration interface to the LAN IP, port 44344. Because a redirect is used, the browser will then access the administration interface directly and not via the reverse proxy. This prevents the administration interface from being exposed to the Internet by mistake when Internet access to port 443 is granted.
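The following check is an added example, not part of the original release note or the product: it classifies what port 443 answers to a request for the administration interface, so an auditor can confirm it is a redirect to a LAN address on port 44344 rather than proxied content. The redirect status codes, the `https` scheme and the RFC 1918 definition of "LAN" are assumptions, and the sample responses are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

ADMIN_PORT = 44344  # administration interface port named in this release note
LAN_NETS = [ipaddress.ip_network(n)  # assumption: "LAN" means RFC 1918 space
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample responses (not captured from a real system).
SAMPLE_REDIRECT = b"HTTP/1.1 302 Found\r\nLocation: https://192.168.1.1:44344/\r\n\r\n"
SAMPLE_PROXIED = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>login</html>"
SAMPLE_PUBLIC = b"HTTP/1.1 302 Found\r\nLocation: https://203.0.113.10:44344/\r\n\r\n"

def parse_head(raw):
    """Return (status, headers) from a raw HTTP/1.x response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(status_line.split()[1]), headers

def classify(raw):
    """Classify the port-443 answer to a request for the admin interface."""
    status, headers = parse_head(raw)
    if status == 200:
        return "served-via-proxy"        # admin UI content relayed: exposure risk
    if status not in (301, 302, 303, 307, 308):
        return "other"
    target = urlsplit(headers.get("location", ""))
    try:
        host = ipaddress.ip_address(target.hostname or "")
        port = target.port
    except ValueError:                   # host name instead of IP, or bad port
        return "redirect-unexpected-target"
    on_lan = any(host in net for net in LAN_NETS)
    if target.scheme == "https" and port == ADMIN_PORT and on_lan:
        return "redirect-to-lan-admin"   # browser must reach the LAN by itself
    return "redirect-unexpected-target"

if __name__ == "__main__":
    for sample in (SAMPLE_REDIRECT, SAMPLE_PROXIED, SAMPLE_PUBLIC):
        print(classify(sample))
```

Only `redirect-to-lan-admin` matches the behaviour described above; any other result for the administration interface's address deserves a look at the reverse proxy configuration.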

Webmailer replaced with new groupware

The update replaces the rather outdated web mailer with a far more extensive groupware. The solution is based on the "SOGo" groupware, which uses IMAP only to access the mail storage. So it is always possible to access emails without using the groupware, too. Contacts, events, tasks, mail filters and settings are stored in a database, which is a "MariaDB" in our case. Both groupware and database are installed as containers.
In contrast to the web mailer, the groupware is no longer pre-installed. You can install or update it anytime without a fee in menu "System > Apps". Install the app "Database" first, then "Groupware".
When compared with the old web mailer, the groupware adds the following features:
  • modern, smartphone optimized web interface
  • share and subscribe to calendars and address books with individual user rights
  • plan and exchange appointments by mail via iCalendar
  • free-busy information
  • tasks (TODOs)
  • marks for emails, events and tasks
  • delegation of accounts ("Send as")
For native access with smartphone apps, Outlook and other mail clients we offer an extension featuring Exchange ActiveSync, CalDAV and CardDAV.
Starting with release 7.1-1.0 this extension is subject to a fee! Groupware access by browser remains free of charge.

Web client for RDP, VNC and SSH

This new component is also installed as a container in menu "System > Apps". It offers access to remote desktops (RDP), VNC servers and Secure Shell servers with a web browser (HTML5). No additional client software is needed. The reverse proxy is required to access this component, so it is possible to enforce authentication with client certificates upon request. A two-factor authentication using time-based one-time passwords (TOTP) is also possible. Free smartphone apps for TOTP are available (e.g. Google Authenticator). We also offer TOTP hardware tokens.
Starting with release 7.1-1.0 this extension is subject to a fee!

Mailbox storage type and mail backups

Mailboxes are stored in a different way now. Mailboxes are converted automatically during the update and when uploading a mail backup which contains data in the old format.
We recommend stopping the mail server and downloading a mail backup before updating. After the update, download a mail backup in the new format before starting the mail server.
Depending on the size of the mailboxes, the conversion may take several minutes or even hours if gigabytes of mails have to be converted. Rebooting or switching off the device during this process may result in the loss of data.
When uploading a mail backup in the new format, the mails from the backup are merged into the current mail store, i.e. deleted mails are restored from the backup while new mails and all changes are retained. If you are using the groupware, the same applies to contacts, events and tasks. The groupware user settings and mail filters will be taken from the backup.
Mails are not merged when uploading a mail backup in old format. The mails from the backup are restored and any new mails will be lost.
Previously the data of an account was restored only if the account had no inbox. This is no longer the case. To restore data of specific accounts only, you will have to open the mail backup with a ZIP archive tool. Mail backups contain one backup file per account. Extract the backups of the accounts you want to restore and upload them one after the other.
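The selective restore described above, as an added example that is not part of the original release note or the product: it pulls only the chosen accounts' files out of a mail backup ZIP and skips any member that is not a plain top-level file name. The member naming (`<account>.bak`) is an assumption, and the sample archive is constructed.

```python
import io
import zipfile
from pathlib import Path, PurePosixPath

def build_sample_backup():
    """Constructed stand-in for a mail backup: one member per account."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # "../evil.bak" simulates a tampered archive with a traversal name.
        for name in ("alice.bak", "bob.bak", "carol.bak", "../evil.bak"):
            zf.writestr(name, ("data for " + name).encode())
    return buf.getvalue()

def extract_accounts(backup, accounts, dest):
    """Write the per-account files for `accounts` into `dest`, sorted by name."""
    dest.mkdir(parents=True, exist_ok=True)
    written = []
    with zipfile.ZipFile(io.BytesIO(backup)) as zf:
        for info in sorted(zf.infolist(), key=lambda i: i.filename):
            path = PurePosixPath(info.filename)
            # Accept only plain top-level file names: no directories, no "..".
            if info.is_dir() or len(path.parts) != 1 or path.name == "..":
                continue
            if path.stem not in accounts:  # assumed layout: <account>.<ext>
                continue
            target = dest / path.name
            target.write_bytes(zf.read(info))
            written.append(target)
    missing = set(accounts) - {p.stem for p in written}
    if missing:
        raise KeyError("no backup file for: " + ", ".join(sorted(missing)))
    return written

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        for f in extract_accounts(build_sample_backup(), {"alice", "carol"}, Path(tmp)):
            print("upload next:", f.name)
```

The returned files are then uploaded one after the other, as the note describes.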

Support for the following features has been removed: McAfee virus scanner, LDAP server for LDAP address book, IMAP/webmail access for admin to attachment and virus quarantine directories, deleting and modifying the contents of mailboxes.

Minor bugfixes and improvements

In the 7.0 releases some features had only been available on systems with a software maintenance contract. In 7.1 these features will now be available on all systems. This includes:


You can now connect Ethernet, VLAN and WLAN interfaces with a network bridge. For connections within the bridge and connections coming out of the bridge the firewall is configured individually for each port. So it is possible to run a transparent firewall between two network segments (e.g. between LAN and router). For connections routed into a bridge however, there's no firewall configuration by port, only by bridge.

Aggregation of network adapters

You can now aggregate multiple network adapters to get redundant connections with switches or to increase throughput.

URL filter message when breaking SSL connections

An option has been added to the web proxy content filter settings which affects what users see when the URL filter blocks a whole domain. Previously the proxy blocked the connection attempt itself, so the browser reported only the generic error that the proxy forbids the connection. With the new option you can change this behaviour, so that the connection is initially allowed and the detailed error message of the URL filter is shown in the browser.

User specific message after logging into administration interface

For users with access to the administration interface (group "system-admin"), a message can be configured in the user administration which is displayed every time the user logs into the administration interface.

Rejecting emails with unwanted attachments

The "admin" user can now grant members of group "system-admin" read-only access to the most important configuration menus, e.g. to grant access for an auditor. Previously "admin" could only grant full access to individual menus.

URL filter user groups via Active Directory

The URL filter can now retrieve user groups directly from an Active Directory server. A computer account in the Windows domain is required just like for NTLM proxy authentication.

Let's Encrypt certificates

Certificates can now be updated automatically using the ACME protocol, so you can now use free Let's Encrypt certificates. This new option is available when requesting a new certificate in the "Keyring" menu. For authentication the "http-01" method is used. This requires that the reverse proxy can be reached on port 80 from the Internet and a virtual host is defined for all requested domains with the pre-defined backend "ACME HTTP-Authorization" enabled.

Avira macro detection for web proxy

On installations running Avira antivirus, a new option in the web proxy content filter allows blocking office documents containing macros or autostart macros.

Monitoring for SSH TCP forwarding

Connections via SSH TCP forwarder are now displayed on a new tab in menu "Monitoring > Network > Status".

Logging to syslog server

You can send a copy of most logs to a syslog server now.


DEFENDO forces a collection of best-of-breed security modules like firewall, VPN, proxies, virus scanner and anti spam system to interact for one purpose:
To be protected from all online threats and unwanted contents like malicious code, spam and hacker attacks.


Each IT scenario is different. The DEFENDO product family will adapt precisely to your demands.
DEFENDO applies for simple internet connections of small companies, for headquarters / branch office WANs, as well as for complex multi-tiered firewall systems.

More good reasons

  • No backdoors
  • More than 15 years of Internet security experience
  • Award-winning product
  • Support by our development engineers
  • Reseller loyalty
  • Made in Germany