Reboot required
When finished, the system will reboot automatically. Please do not reboot manually.
Due to the update of numerous software components, the update procedure will take significantly longer than usual (at least
10-15 minutes after the download is complete). Please be patient.
Kaspersky virus scanner engine
The new version required different signatures. This is why the scanner update is unusually big (337 MB). We therefore decided
not to include it in the regular update file. Instead, the update will download the new engine if necessary.
On devices which have an older version of the Kaspersky scanner installed, the update procedure will download the 337 MB Kaspersky
update from our website right at the beginning.
As an alternative, you can download the Kaspersky scanner from our website and install it before starting the update.
Various software components
The update includes new versions of the Linux kernel, the virus scanner engines, various system libraries and applications.
The predefined lists of trusted CA certificates, the URL filter database and the SPAM filter rules are updated as well. Systems
without daily IDS updates (systems without maintenance contract) receive new IDS rules with this update.
Update of the SSL/TLS parameters
For encrypted connections TLS 1.3 is now available for almost all components. In many components the TLS level can be configured.
The default for components which are usually addressed by a closed user group is "contemporary". The clients must support
at least TLS 1.2; Cipher-Block-Chaining and SHA1 are disabled. For outbound connections and for components which may be addressed
by any Internet user, "compatible" is the default. This includes TLS 1.0 and SHA1. Other possible settings are "outdated" (Cipher-Block-Chaining)
and "maximum" (TLS 1.3 only).
Web proxy features
Proxy authentication and transparent proxying used to be mutually exclusive. Now both can be enabled at the same time. As
a matter of principle, transparent connections are never authenticated. Additionally, transparent HTTPS proxying
is now possible even when the content filter is disabled.
The content filter port for transparent HTTPS proxying changes from 8084 to 8445. Please adjust any manually configured DNAT
rules. Port 8445 must not be used for anything else.
Clients may now use encrypted connections to the web proxy. Note that most browsers don't have a setting for this. Use WPAD
or PAC files to configure the browsers.
The list of trusted CA certificates used when breaking SSL connections in the content filter is now configurable.
OpenVPN 2.4
The new version offers above all better cryptographic security. The preferred cipher is now AES-GCM. Clients running OpenVPN
2.4 will benefit automatically, as the server is usually allowed to override the cipher configured on the client.
After issuing a new client certificate, an installation package for Windows clients is available. As an alternative, an ovpn
configuration file is now available with the private key either with or without password protection.
The import of an OpenVPN configuration in an OpenVPN client interface now also recognizes the parameters "compress" and "tls-crypt".
One-time-passwords for OpenVPN
User authentication with time-based one-time passwords (TOTP) can now be enabled individually in each OpenVPN server interface.
Only members of the user group "system-ras" with a TOTP key will then be able to log in.
OpenVPN parameter "tls-crypt"
In each OpenVPN server interface an additional symmetric key may be configured to encrypt the control channel of connections.
This makes it hard to identify OpenVPN datastreams as such. Even the TLS handshake when initiating a new connection will be
encrypted, which otherwise exposes certificates in plaintext when TLS version 1.2 or below is used.
IPsec server configuration
The configuration options "IKEv1 preferred" and "IKEv2 preferred" are no longer available. Connections now have to be configured
for either IKEv1 or IKEv2. The configuration is converted automatically if one of the removed options had been configured.
In the phase 1 encryption configuration additional DH groups are available, for IKEv2 also AES-GCM.
For L2TP IPsec connections it was possible to store user passwords in plain text to enable challenge response authentication
methods like CHAP. This feature has been disabled but technical support can re-enable it upon request. If it turns out that
the feature is no longer needed, it will be removed in a future release.
Pre-defined IP lists
We've added various IP objects with the prefix "IP-LISTS/", providing IP addresses of several services or companies. The lists
will be updated via the normal updates. Manual changes are possible, however the next update will overwrite them. The data
in the lists is based on publicly available information. There is no warranty, in particular regarding correctness and completeness.
Custom SNMP MIB
In addition to the standard SNMP MIBs a custom MIB is now available which allows monitoring of e.g. version information, licenses
and service status.
Microphone support for RDP web client
The audio input channel (microphone) can now be enabled per user. At least version 1.1.0-2 of the web client app is required.
Filtering of TNEF email attachments (winmail.dat)
As an option it is now possible to look for unwanted files in the contents of winmail.dat attachments. If the attachment filter
is configured to remove unwanted attachments from the mail and move them into the quarantine directory, then in the case of a
winmail.dat attachment the whole mail is always quarantined.
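As an added illustration (not the appliance's own code), the following walks the TNEF attribute stream inside a winmail.dat, verifies each attribute checksum, collects the embedded attachment filenames, and applies the all-or-nothing rule described above. The attribute ids come from the TNEF specification; the sample stream is constructed here, not a real capture.

```python
import struct
from typing import List, Iterator, Tuple

TNEF_SIGNATURE = 0x223E9F78
ATT_TNEF_VERSION = 0x00089006      # message-level version attribute
ATT_ATTACH_REND_DATA = 0x00069002  # marks the start of each attachment
ATT_ATTACH_TITLE = 0x00018010      # attachment filename, null-terminated
LVL_ATTACHMENT = 2

def tnef_attributes(blob: bytes) -> Iterator[Tuple[int, int, bytes]]:
    """Yield (level, attr_id, data) per attribute; reject bad signature, truncation or checksum."""
    sig, _key = struct.unpack_from("<IH", blob, 0)
    if sig != TNEF_SIGNATURE:
        raise ValueError("not a TNEF stream")
    pos = 6
    while pos < len(blob):
        level, attr_id, length = struct.unpack_from("<BII", blob, pos)
        pos += 9
        data = blob[pos:pos + length]
        if len(data) != length:
            raise ValueError("truncated attribute")
        pos += length
        (checksum,) = struct.unpack_from("<H", blob, pos)
        pos += 2
        if checksum != sum(data) & 0xFFFF:   # TNEF checksum: byte sum mod 65536
            raise ValueError(f"checksum mismatch in attribute {attr_id:#x}")
        yield level, attr_id, data

def attachment_names(blob: bytes) -> List[str]:
    """Filenames of all attachments embedded in the winmail.dat."""
    return [data.split(b"\0", 1)[0].decode("cp1252", "replace")
            for level, attr_id, data in tnef_attributes(blob)
            if level == LVL_ATTACHMENT and attr_id == ATT_ATTACH_TITLE]

def quarantine_whole_mail(blob: bytes, blocked_suffixes) -> bool:
    """True if any embedded filename is unwanted; the whole mail is then quarantined."""
    suffixes = tuple(s.lower() for s in blocked_suffixes)
    return any(name.lower().endswith(suffixes) for name in attachment_names(blob))

def _attr(level: int, attr_id: int, data: bytes) -> bytes:
    """Encode one attribute: level, id, length, data, checksum."""
    return struct.pack("<BII", level, attr_id, len(data)) + data + struct.pack("<H", sum(data) & 0xFFFF)

# Constructed sample winmail.dat with two attachments (assumption: not taken from real mail).
SAMPLE_WINMAIL = (
    struct.pack("<IH", TNEF_SIGNATURE, 0x1234)
    + _attr(1, ATT_TNEF_VERSION, struct.pack("<I", 0x00010000))
    + _attr(LVL_ATTACHMENT, ATT_ATTACH_REND_DATA, b"\0" * 14)
    + _attr(LVL_ATTACHMENT, ATT_ATTACH_TITLE, b"report.pdf\0")
    + _attr(LVL_ATTACHMENT, ATT_ATTACH_REND_DATA, b"\0" * 14)
    + _attr(LVL_ATTACHMENT, ATT_ATTACH_TITLE, b"invoice.exe\0")
)
```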
Configurable link to quarantined emails
The server name used in links to quarantined emails and attachments is now configurable.
User-defined SPAM filter rules
To avoid misconfigurations, the meaning of search patterns has been modified slightly. A pattern that starts/ends with a letter
or a digit will match only if the word starts/ends with the pattern. Existing patterns will be converted automatically, so
that they still match inside words ("pattern" will be converted to "*pattern*").
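To make the new semantics and the automatic migration concrete, here is an added example (not the appliance's own filter code) that implements both rules. It assumes "*" is the only wildcard, that words are separated by whitespace, and that matching is case-insensitive.

```python
import re
from typing import List

def convert_legacy_pattern(pattern: str) -> str:
    """Migrate a pre-update pattern so it keeps matching inside words ("pattern" -> "*pattern*")."""
    if pattern[:1].isalnum():
        pattern = "*" + pattern
    if pattern[-1:].isalnum():
        pattern = pattern + "*"
    return pattern

def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """New semantics: a leading/trailing letter or digit anchors the pattern to the word's start/end."""
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    head = "" if pattern[:1].isalnum() else ".*"   # non-alnum start: anything may precede
    tail = "" if pattern[-1:].isalnum() else ".*"  # non-alnum end: anything may follow
    return re.compile(f"^{head}{body}{tail}$", re.IGNORECASE)

def matching_words(pattern: str, text: str) -> List[str]:
    """Return the whitespace-separated words of text that the pattern matches."""
    regex = pattern_to_regex(pattern)
    return [word for word in text.split() if regex.fullmatch(word)]
```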
Certificate management
In the keyring you can now update a certificate without changing the RSA key pair (re-issue). This function is rarely needed,
e.g. when a CA has to re-sign all certificates due to a security breach. Furthermore, you can now delete pending certificate
signing requests which you no longer need.
Dynamic DNS via NAT router
Configuring dynamic DNS used to be possible in interfaces with dynamic IPs only. Now you can also configure dynamic DNS in
the "DNS" menu in case the dynamic IP is assigned to a NAT router in front of the device. A configurable external service is
queried regularly for the external IP, which is then published via dynamic DNS.
DNS server configuration
Export and import are now available in the response policy zone and for user-defined entries in domain zones and reverse lookup
zones. An individual TTL can be configured for each user-defined entry. CAA records can be configured. In forward zones you
may now use IP objects.
DHCP server configuration
You can now enable the DHCP server for an interface without specifying an IP range for dynamic leases. A static-IP-only
mode is therefore possible.
Login failure with URLs which contain login credentials (e.g. ftp://login:password@ftp.example.com) via web proxy content filter
The credentials had been converted to lower case.
Problems with some websites when tunnel detection is enabled in the web proxy URL filter
Minor bugfixes and improvements
New IDS/IPS version
The new version includes more and better signatures. Please update soon as the signatures for older releases will be updated
only partially.
Minor bugfixes and improvements
Reboot required
When finished, the system will reboot automatically. Please do not reboot manually.
Update of the Linux kernel
Web client font smoothing
The font smoothing switch for RDP connections was without function.
Password pass-through for web client
If the same password is used for login to the web client and the target system, the connection can now be configured to forward
the password, so it is no longer necessary to enter the same password twice.
Additional web client features
The administration interface supports the following new features, which require at least version 1.1.0 of the web client.
The settings will be ignored as long as version 1.0.0 is installed.
Power on the target system with Wake-on-LAN. To configure this, first create IP objects of type "Host" and enter their MAC
and IPv4 address. In the user administration you can then select these objects as target systems for web client connections.
Display of active connections in menu "Monitoring > Network > Status".
Option for dynamic re-sizing of the RDP screen resolution. The target system must support RDP version 8.1 (at least Windows
8, Windows Server 2012).
Additional RDP keyboard layouts, among them German (Switzerland), English (Great Britain) and Turkish.
Display of "Remote devices" menu
Display errors or even timeouts occurred with an increasing number of entries.
Extended "Remote devices" menu
Columns for the certificate expiration date and the availability of Wi-Fi have been added to the overview. Click the new link
icon to open the remote administration interface. The info icon now opens a window with more details, which had previously
been displayed as a tooltip.
URL filtering in web proxy content filter
If the content filter is enabled, an additional check for forbidden filenames is performed whenever a filename which differs
from the URL is requested along with the file data.
Increased process count for Groupware
The maximum number of concurrent connections is calculated based on the number of mailbox accounts. We increased the number
of processes to reduce the risk of connection failures.
Minor bugfixes and improvements
IMAP group folders
For the mail server each user group used to represent a mail distribution list. Each group member received an individual copy
of mails addressed to the group. Now you can decide per group if the group should have no special meaning for the mail server,
be treated as a mail distribution list or if a shared IMAP folder should be provided for the group members.
Management of remote "Orbiter" devices
This feature is still incomplete and experimental. We would appreciate your feedback.
In the new menu "System > Remote devices" you can record your "Orbiters". If access to the devices is possible, a brief status
including the version number is shown. It is also possible to remotely update the devices. At the moment this requires at
least version 3.1.1 on the Orbiters.
Please note that currently only the system which issued the VPN setup package for a remote device is able to connect with
it. In one of the next releases we will add the possibility to authorize access manually.
Exclude connections from IPS processing
Connections can now be excluded from processing by the Intrusion Prevention System based on protocol, source and destination
addresses.
Delivery of quarantined mails to local mailboxes
Delivery of quarantined emails to local mailboxes didn't work. Delivery to the internal mail server and access to quarantined
attachments were not affected.
Endless loop when viewing IPsec log
In most IPsec log lines there's a link which opens an extra window to show all lines associated with the same connection.
This extra window caused an endless loop, resulting in permanent high system load.
Minor bugfixes and improvements
Licensing of S/MIME gateway option
At the request of many of our customers we changed the licensing of the S/MIME gateway. It is now no longer licensed by user
count but by the number of S/MIME keys. No license is required for S/MIME keys used as domain certificate (see next section).
New S/MIME gateway features
The S/MIME gateway now supports the non-standardized concept of domain certificates. This feature can be used for free on almost
all systems (exception: licenses without mail option like Enterprise VPN or Enterprise Proxy). With domain certificates, the
S/MIME communication with specific peers is protected by a single S/MIME certificate for the whole domain instead of one certificate
per email address. It is even possible to use the certificate of an internal CA. The peers, however, have to use S/MIME software
which supports this concept and set it up accordingly.
It is no longer necessary to add users when the S/MIME gateway is used in combination with an internal mail server. For internal
mail servers that guarantee correct sender addresses, a separate list with corresponding S/MIME keys is now maintained.
In the user administration you can now configure multiple S/MIME keys per user. When signing outbound emails the system will
automatically select the matching key.
In previous releases it was possible to add multiple keys per user to decrypt inbound emails which had been encrypted with
an old key. This functionality is now provided by the key-ring (see next section).
Backup when updating a key pair in the keyring
When changing a key pair in the keyring, a backup of the previous key pair is kept on the device.
The S/MIME gateway uses backup keys to decrypt emails which have been encrypted with the old key during a key rollover phase.
Removal of expired entries in DNS IP objects
The default setting for deleting expired entries in DNS IP objects has been changed from "immediately" to "after 6 hours".
This prevents permanent service restarts if DNS entries change after a few minutes or even seconds. The update will alter the
configuration of all IP objects which are set to remove expired entries "immediately" automatically.
Let's Encrypt certificates
The Let's Encrypt client now uses the ACMEv2 protocol.
DHCP relay server
On all Ethernet and VLAN interfaces the device can now act as a DHCP relay server, forwarding requests from clients to a DHCP
server in a different network.
Endless loop when viewing IPsec log
In most IPsec log lines there's a link which opens an extra window to show all lines associated with the same connection.
This extra window caused an endless loop, resulting in permanent high system load.
Minor bugfixes and improvements