Available for purchase

Machines covered by a software maintenance contract as well as systems which have been purchased lately may update free of charge. Access has already been activated for the respective licenses. For all other systems access will be granted as soon as a maintenance contract has been purchased.
The credentials required to download the update will be sent automatically when using the system's interactive update feature. For a manual download you will have to specify the support IP as username (e.g. and the hardware ID as password (e.g. 473I-QN34-O@:5).

Important notice:

Please pay attention to the following information regarding the changed administration interface port and the storage type of local mailboxes.

Docker-based operating-system-level virtualization

Optional extensions (running within containers) can be installed in the new menu "System > Apps". Please note that apps have to be updated separately, so please check the "Apps" menu regularly once you have apps installed.
While fully virtualized guests each run a whole operating system of their own, with operating-system-level virtualization the host and all of its guests share the same operating system core (in our case the Linux kernel). This makes operating-system-level virtualization very efficient. Still the guests, usually called containers, run in an isolated environment. However this isolation is not as strong as with full virtualization.
Following this approach, we want to offer even bigger software modules in the future, without major impact on system security.

Administration interface now on port 44344

Browser access to containers, as described above, requires the reverse proxy, which plays a more central role now. So we decided to enable the reverse proxy on port 443. Port 443 was previously allocated to the administration interface which has been moved to port 44344.
In order to facilitate the transition, the reverse proxy will redirect requests for the administration interface to the LAN IP, port 44344. Because a redirect is used, the browser then accesses the administration interface directly and not via the reverse proxy. This prevents accidentally granting Internet access to the administration interface when granting Internet access to port 443.
The redirect probably won't work when trying to access the administration interface from outside the LAN. Please consider using the reverse proxy for external access to the administration interface or make sure that you can access port 44344.

Web client for RDP, VNC and SSH

This new component is installed as a container in menu "System > Apps". It offers access to remote desktops (RDP), VNC servers and Secure Shell servers with a web browser (HTML5). No additional client software is needed. The reverse proxy is required to access this component, so it is possible to enforce authentication with client certificates upon request. Two-factor authentication using time-based one-time passwords (TOTP) is also possible. Free smartphone apps for TOTP are available (e.g. Google Authenticator). We also offer TOTP hardware tokens.
A license must be purchased for this optional extension.

Webmailer replaced with new groupware

The update replaces the rather outdated web mailer with a far more extensive groupware, which is also installed as a container. The solution is based on the "SOGo" groupware, which uses IMAP only to access the mail storage. So it is always possible to access emails without using the groupware, too. Contacts, events, tasks, mail filters and settings are stored in a database, which is a "MariaDB" in our case. Both groupware and database are installed as containers.
In contrast to the web mailer, the groupware is no longer pre-installed. You can install or update it anytime without a fee in menu "System > Apps". Install the app "Database" first, then "Groupware".
When compared with the old web mailer, the groupware adds the following features:
  • modern, smartphone optimized web interface
  • share and subscribe to calendars and address books with individual user rights
  • plan and exchange appointments by mail via iCalendar
  • free-busy information
  • tasks (TODOs)
  • marks for emails, events and tasks
  • delegation of accounts ("Send as")
For native access with smartphone apps, Outlook and other mail clients we offer an extension featuring Exchange ActiveSync, CalDAV and CardDAV.
A license must be purchased for this optional extension. Groupware access by browser remains free of charge.

Mailbox storage type and mail backups

Mailboxes are now stored in a different way. Mailboxes are converted automatically during the update and when uploading a mail backup which contains data in the old format.
We recommend stopping the mail server and downloading a mail backup before updating. After the update, download a mail backup in the new format before starting the mail server.
Depending on the number of the emails, the conversion may take several minutes or even hours if tens of thousands of mails have to be converted. Rebooting or switching off the device during this process may result in the loss of data.
When uploading a mail backup in the new format, the mails from the backup are merged into the current mail store, i.e. deleted mails are restored from the backup while new mails and all changes are retained. If you are using the groupware, the same applies to contacts, events and tasks. The groupware users' settings and mail filters will be taken from the backup.
Mails are not merged when uploading a mail backup in old format. The mails from the backup are restored and any new mails will be lost.
Previously the data of an account was restored only if the account had no inbox. This is no longer the case. To restore data of specific accounts only, you will have to open the mail backup with a ZIP archive tool. Mail backups contain one backup file per account. Extract the backups of the accounts you want to restore and upload them one after the other.

S/MIME email encryption gateway

This new component lets you use S/MIME based signatures and encryption for your external communication without the need to roll out and maintain S/MIME for all local mail clients.
A license must be purchased for this optional extension.
With this solution, inbound emails will be decrypted automatically before applying security checks like virus scan or attachment filtering. Also the signatures of inbound emails will be checked. Certificates received as part of the signatures can be stored for encryption of outbound emails automatically. So all future mails to these communication partners will be encrypted without any effort. It is also possible to manually release or import peer certificates for automatic encryption of outbound emails. Finally outbound emails can be signed automatically, too.
For signing outbound emails and decrypting inbound emails an S/MIME certificate is required for each email address. The certificate has to be stored in the user administration, one certificate per user.

Macro detection for email attachment filter

The attachment filter can now quarantine attachments that contain an office document with a macro. The filter can distinguish between autoexec macros and macros in general. If the attachment filter is already enabled, this new feature will be enabled by the update automatically.
It still makes sense to quarantine office documents based on the filename, if the filename extension already indicates that the file contains a macro (docm, dotm, pptm, potm, xlsm, xltm). But those who filter the "classic" filename extensions by name (doc, ppt, xls) might consider relying on the new feature instead, as it quarantines those documents only if they contain a macro.

Email synchronisation between cluster nodes

The contents of the mail folders on clusters with local mail domains will now be synchronized.

Two-factor authentication for access to administration interface

To better secure the administration interface, one-time passwords (OTPs) may be enabled. There are separate settings for direct access and for access via reverse proxy. If OTPs are mandatory, users without OTP can no longer log in. If set to "optional", an OTP is only required for accounts with enabled OTPs.

Extended functionality of DNS IP objects

In addition to hostnames, you are now also able to resolve service (SRV), mail exchanger (MX) and name server records (NS) in IP objects.
The periodical update of DNS IP objects has been replaced by dynamic intervals based on the records' individual time-to-live (TTL), i.e. the period the IP may be cached.
The IP addresses associated with a hostname may change every few seconds when DNS-based loadbalancers come into play. But the same addresses re-occur when viewed over a longer period of time. With a new option you can keep old addresses for a while in order to reduce the number of configuration changes.
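The TTL-driven refresh and the option to keep old addresses, sketched as an added example (not the product's code). The `resolve` stand-in, the address pool from the documentation range 192.0.2.0/24, the 20-second TTL and the `hold` parameter are all constructed assumptions.

```python
# Constructed model of a DNS IP object: refresh when the TTL expires and
# optionally keep addresses for `hold` seconds after they were last seen.

POOL = ["192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13"]  # constructed


def resolve(t):
    """Constructed stand-in for a DNS-based load balancer.

    Returns 2 of the 4 pool addresses, rotating every 20 s, with a TTL of 20 s.
    """
    i = (t // 20) % len(POOL)
    return {POOL[i], POOL[(i + 1) % len(POOL)]}, 20


def simulate(duration, hold, min_interval=5):
    """Return [(time, members)] for every refresh within `duration` seconds."""
    last_seen = {}   # address -> time of the last answer that contained it
    history = []
    t = 0
    while t < duration:
        ips, ttl = resolve(t)
        for ip in ips:
            last_seen[ip] = t
        # Expire addresses that no answer has returned within the hold time.
        last_seen = {ip: seen for ip, seen in last_seen.items()
                     if t - seen <= hold}
        history.append((t, frozenset(last_seen)))
        # The next lookup is due when the record may no longer be cached.
        t += max(ttl, min_interval)
    return history


def config_changes(history):
    """Count how often the member set differs from the previous refresh."""
    changes, prev = 0, None
    for _, members in history:
        if members != prev:
            changes += 1
            prev = members
    return changes


if __name__ == "__main__":
    for hold in (0, 60):
        h = simulate(200, hold)
        print(f"hold={hold:>2}s refreshes={len(h)} "
              f"changes={config_changes(h)} final={sorted(h[-1][1])}")
```

With `hold=0` the member set changes at every refresh; with a 60-second hold it settles on all four addresses after three changes, at the cost of still matching addresses that DNS is not currently returning.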

Background image and dark colour theme

The new dark theme is the default. You can disable it via the tools menu in the upper right corner.

Homepage docklet "Updates"

The new docklet checks if new system or app updates are available.

Menu "CA Certificates"

You can store custom trusted CA certificates in the new menu item "System > Certificate manager > CA certificates". The CA bundles which are maintained by us are also visible there. The two previous menu items of the local CA have been moved into the new menu, too.

Redesigned license menu

You can now view and change all kinds of license keys in this menu (base system, virusscanners, URL filter, apps).

Incorrect routing for IPsec tunnels with SNAT

In some situations it is necessary to SNAT the local sender address when forwarding connections into a certain IPsec tunnel. In these situations, manually configured routes had precedence, so that connections actually destined for IPsec might have been routed incorrectly.

Support for the following features has been removed: McAfee virus scanner, LDAP server for LDAP address book, IMAP/webmail access for admin to attachment and virus quarantine directories, deleting and modifying the contents of mailboxes.

Minor bugfixes and improvements

In the 7.0 releases some features had only been available on systems with a software maintenance contract. In 7.1 these features will now be available on all systems. This includes:


You can now connect Ethernet, VLAN and WLAN interfaces with a network bridge. For connections within the bridge and connections coming out of the bridge the firewall is configured individually for each port. So it is possible to run a transparent firewall between two network segments (e.g. between LAN and router). For connections routed into a bridge however, there's no firewall configuration by port, only by bridge.

Aggregation of network adapters

You can now aggregate multiple network adapters to get redundant connections with switches or to increase throughput.

URL filter message when breaking SSL connections

An option has been added to the web proxy content filter settings which affects what the users will see when the URL filter blocks a whole domain. Previously the proxy blocked the connection attempt itself, so the browser reported only the generic error that the proxy forbids the connection. With the new option you can change the behaviour, so that the connection is initially allowed and the detailed error message of the URL filter is shown in the browser.

User specific message after logging into administration interface

For users with access to the administration interface (group "system-admin") a message can be configured in the user administration which is displayed every time after the user logged into the administration interface.

Rejecting emails with unwanted attachments

The "admin" user can now grant members of group "system-admin" read-only access to the most important configuration menus, e.g. to grant access for an auditor. Previously "admin" could only grant full access to individual menus.

URL filter user groups via Active Directory

The URL filter can now retrieve user groups directly from an Active Directory server. A computer account in the Windows domain is required just like for NTLM proxy authentication.

Let's Encrypt certificates

Certificates can now be updated automatically using the ACME protocol, so you can now use free Let's Encrypt certificates. This new option is available when requesting a new certificate in the "Keyring" menu. For authentication the "http-01" method is used. This requires that the reverse proxy can be reached on port 80 from the Internet and a virtual host is defined for all requested domains with the pre-defined backend "ACME HTTP-Authorization" enabled.

Avira macro detection for web proxy

On installations running Avira antivirus, a new option in the web proxy content filter allows blocking office documents containing macros or autostart macros.

Monitoring for SSH TCP forwarding

Connections via SSH TCP forwarder are now displayed on a new tab in menu "Monitoring > Network > Status".

Logging to syslog server

You can send a copy of most logs to a syslog server now.


DEFENDO forces a collection of best-of-breed security modules like firewall, VPN, proxies, virus scanner and anti spam system to interact for one purpose:
To be protected from all online threats and unwanted contents like malicious code, spam and hacker attacks.


Each IT scenario is different. The DEFENDO product family will adapt precisely to your demands.
DEFENDO applies for simple Internet connections of small companies, for headquarters / branch office WANs, as well as for complex multi-tiered firewall systems.

More good reasons

  • No backdoors
  • More than 20 years of Internet security experience
  • Award-winning product
  • Support by our development engineers
  • Reseller loyalty
  • Made in Germany