
New IDS/IPS version

The new version includes more and better signatures. Please update soon as the signatures for older releases will be updated only partially.

Minor bugfixes and improvements

Reboot required

When finished, the system will reboot automatically. Please do not reboot manually.

Update of the Linux kernel

Web client font smoothing

The font smoothing switch for RDP connections was without function.

Password pass-through for web client

If the same password is used for login to the web client and the target system, the connection can now be configured to forward the password, so it is no longer necessary to enter the same password twice.

Additional web client features

The administration interface supports the following new features, which require at least version 1.1.0 of the web client. The settings will be ignored as long as version 1.0.0 is installed.
  • Power on the target system with Wake-on-LAN. To configure this, first create IP objects of type "Host" and enter their MAC and IPv4 addresses. In the user administration you can then select these objects as target systems for web client connections.
  • Display of active connections in menu "Monitoring > Network > Status".
  • Option for dynamic re-sizing of the RDP screen resolution. The target system must support RDP version 8.1 (at least Windows 8, Windows Server 2012).
  • Additional RDP keyboard layouts, among them German (Switzerland), English (Great Britain) and Turkish.

Display of "Remote devices" menu

Display errors or even timeouts occurred with an increasing number of entries.

Extended "Remote devices" menu

Columns for the certificate expiration date and the availability of Wifi have been added to the overview. Click the new link icon to open the remote administration interface. The info icon now opens a window with more details, which had previously been displayed as a tooltip.

URL filtering in web proxy content filter

If the content filter is enabled, an additional check for forbidden filenames is performed whenever a filename which differs from the URL is requested along with the file data.
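A sketch of such a check, as an added example and not the product's own code: the response's Content-Disposition filename is compared with the name in the URL and tested against a forbidden-suffix list. The suffix list, the function names and the example.test URLs are assumptions made for this illustration.

```python
from email.message import Message
from pathlib import PurePosixPath
from urllib.parse import urlsplit, unquote

# Assumed policy for this example; a real filter would load its own list.
FORBIDDEN_SUFFIXES = {".exe", ".scr", ".js", ".vbs", ".bat"}

def _suffix(name):
    # Drop path components and trailing dots/spaces a server may add to the name.
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    return PurePosixPath(base.strip().rstrip(". ").lower()).suffix

def response_filename(content_disposition):
    """Return the filename parameter of a Content-Disposition value, or None."""
    if not content_disposition:
        return None
    msg = Message()
    msg["Content-Disposition"] = content_disposition
    return msg.get_filename()

def check_download(url, content_disposition):
    """Return (allowed, reason) after checking the URL name and the header name."""
    url_name = unquote(urlsplit(url).path).rsplit("/", 1)[-1]
    if _suffix(url_name) in FORBIDDEN_SUFFIXES:
        return False, f"URL filename {url_name!r} is forbidden"
    hdr_name = response_filename(content_disposition)
    # The additional check: only relevant when the server names the file differently.
    if hdr_name and hdr_name != url_name and _suffix(hdr_name) in FORBIDDEN_SUFFIXES:
        return False, f"response filename {hdr_name!r} is forbidden"
    return True, "ok"
```

Without the second check, a URL such as `/download?id=7` passes the filename filter even though the browser saves the file under the name given in the response header.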

Increased process count for Groupware

The maximum amount of concurrent connections is calculated based on the number of mailbox accounts. We increased the number of processes to reduce the risk of connection failures.

Minor bugfixes and improvements

PPP protocol

The update fixes a buffer overflow in the ppp service which is used for ADSL and L2TP connections. The vulnerability is critical as it can be exploited before authentication.

Disabling SMB1 protocol

If automatic backups and archiving of log files were configured to store the files on a Windows share, the insecure SMB1 protocol or older was used. With the update, at least SMB 2.1.0 is required (Windows 2008R2, Windows 7 or newer).
For NTLM authentication and network shares, all current SMB versions were already available, but SMB1 was still allowed as well. An attacker could have forced a protocol downgrade to SMB1. The minimum protocol version here is now also SMB 2.1.0.

Seamless CA migration

In release 7.1-1.4 a seamless VPN migration to a new CA certificate was not possible.

Nesting of CA bundles

CA bundles can now be linked hierarchically. In particular, this makes it easier to extend the standard CA bundle with your own CAs.

New homepage docklet with mail server status

Minor bugfixes and improvements

Avira Antivirus

Due to a misconfigured update procedure the scanner failed to connect with the servers for online queries after the signature update of 2020-01-14, about 16:00 CET.

Tagging the subject of quarantined mails

The email attachment filter looks for emails with possibly dangerous attachments and either quarantines them or delivers them without the attachments. As an option you can now tag the subject of affected emails with an arbitrary text.

Protocol definition from DNS SRV records

In the "Definitions" menu IP objects can be configured which represent a DNS SRV record. One part of the information published by SRV records is the UDP or TCP port where the service is made available. It is now possible to refer from a protocol definition to an IP object to collect its port information and make it usable as a protocol.

Domain signatures in S/MIME gateway

Inbound emails with domain signatures will be tagged with an additional "[SIGNED BY <*@domain>]".
Mail clients should issue a warning when displaying emails with a domain signature, as the sender address doesn't match the certificate. So in addition to the option to remove all correct signatures, we've added an option to remove domain signatures only.

Occasional throughput problems due to Intrusion Prevention

Minor bugfixes and improvements

IMAP group folders

For the mail server each user group used to represent a mail distribution list. Each group member received an individual copy of mails addressed to the group. Now you can decide per group if the group should have no special meaning for the mail server, be treated as a mail distribution list or if a shared IMAP folder should be provided for the group members.

Management of remote "Orbiter" devices

This feature is still incomplete and experimental. We would appreciate your feedback.
In the new menu "System > Remote devices" you can record your "Orbiters". If access to the devices is possible, a brief status including the version number is shown. It is also possible to remotely update the devices. At the moment this requires at least version 3.1.1 on the Orbiters.
Please note that currently only the system which issued the VPN setup package for a remote device is able to connect with it. In one of the next releases we will add the possibility to authorize access manually.

Exclude connections from IPS processing

Based on protocol, source and destination addresses, connections can be excluded from being processed by the Intrusion Prevention System now.

Delivery of quarantined mails to local mailboxes

Delivery of quarantined emails to local mailboxes didn't work. Delivery to an internal mail server and access to quarantined attachments were not affected.

Endless loop when viewing IPsec log

In most IPsec log lines there's a link which opens an extra window to show all lines associated with the same connection. This extra window caused an endless loop, resulting in permanent high system load.

Minor bugfixes and improvements

Licensing of S/MIME gateway option

At the request of many of our customers we changed the licensing of the S/MIME gateway. It is now no longer licensed by user count but by the number of S/MIME keys. No license is required for S/MIME keys used as a domain certificate (see next section).

New S/MIME gateway features

The S/MIME gateway now supports the non-standardized concept of domain certificates. This feature can be used for free on almost all systems (exception: licenses without mail option like Enterprise VPN or Enterprise Proxy). With domain certificates, the S/MIME communication with specific peers is protected by a single S/MIME certificate for the whole domain instead of one certificate per email address. It is even possible to use the certificate of an internal CA. The peers, however, have to use S/MIME software which supports this concept and set it up accordingly.
It is no longer necessary to add users when the S/MIME gateway is used in combination with an internal mail server. For internal mail servers that guarantee correct sender addresses, a separate list with corresponding S/MIME keys is now maintained.
In the user administration you can now configure multiple S/MIME keys per user. When signing outbound emails the system will automatically select the matching key.
In previous releases it was possible to add multiple keys per user to decrypt inbound emails which had been encrypted with an old key. This functionality is now provided by the key-ring (see next section).

Backup when updating a key-pair in the keyring

When changing a key-pair in the keyring, a backup of the previous key-pair is kept on the device.
The S/MIME gateway uses backup keys to decrypt emails which have been encrypted with the old key during a key rollover phase.

Removal of expired entries in DNS IP objects

The default setting for deleting expired entries in DNS IP objects has been changed from "immediately" to "after 6 hours". This prevents permanent service restarts if DNS entries change after a few minutes or even seconds. The update will automatically alter the configuration of all IP objects which are set to remove "immediately".

Let's Encrypt certificates

The Let's Encrypt client now uses the ACMEv2 protocol.

DHCP relay server

On all ethernet and VLAN interfaces the device can now act as a DHCP relay server, forwarding requests from clients to a DHCP server in a different network.

Endless loop when viewing IPsec log

In most IPsec log lines there's a link which opens an extra window to show all lines associated with the same connection. This extra window caused an endless loop, resulting in permanent high system load.

Minor bugfixes and improvements

Update of the POP3/IMAP4 server

This update fixes a critical security issue. An attacker was able to read protected information or even execute their own program code without authentication.

Improved macro detection in email attachments

Now macros will also be recognized if office documents have been mailed directly (not as attachment) or if they are attached to an attached email.
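The two cases named above, as an added example that is not the product's scanner: every leaf MIME part is inspected at any nesting depth, so a document sent as the message body itself and one attached to an attached email are both found. It assumes macro detection by the presence of a `vbaProject.bin` part in OOXML files only (legacy OLE2 formats need a separate parser); the function names and sample mails are constructed for this illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

def has_vba_project(data):
    """True if data is an OOXML (zip) document containing a vbaProject.bin part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False

def find_macro_documents(raw, depth=0, max_depth=5):
    """Return names of leaf MIME parts, at any nesting level, that carry macros."""
    hits = []
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():  # walk() also descends into message/rfc822 parts
        if part.is_multipart():
            continue
        data = part.get_payload(decode=True) or b""
        name = part.get_filename() or part.get_content_type()
        if has_vba_project(data):
            hits.append(name)
        elif name.lower().endswith(".eml") and depth < max_depth:
            # A mail attached as an opaque file is parsed again, with a depth cap.
            hits += find_macro_documents(data, depth + 1, max_depth)
    return hits

def build_samples():
    """Constructed mails: (document as message body, document inside attached mail)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/vbaProject.bin", b"placeholder, not a real macro")
    docm = buf.getvalue()
    direct = EmailMessage()  # case 1: the document is mailed directly as the body
    direct["Subject"] = "constructed: direct"
    direct.set_content(docm, maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12")
    inner = EmailMessage()   # case 2: the document hangs off an attached mail
    inner["Subject"] = "constructed: inner"
    inner.set_content("see attachment")
    inner.add_attachment(docm, maintype="application", subtype="octet-stream",
                         filename="report.docm")
    outer = EmailMessage()
    outer["Subject"] = "constructed: forwarded"
    outer.set_content("forwarded mail attached")
    outer.add_attachment(inner)
    return direct.as_bytes(), outer.as_bytes()
```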

New categories for the commercial URL filter

New categories have been added to the commercial URL filter: Arms and weapons, DNS-over-HTTPS, Movies and series with questionable legal status, Education, Restaurants and recipe sites, Buy or rent a place to live, Stock markets and trading systems.

Adding new certificates to the keyring

For each certificate the corresponding root and intermediate CA certificates have to be stored. Previously the CA certificates had to be uploaded manually for each new certificate. Now the certificates of well-known root CAs will be added automatically. Certificates of intermediate CAs will be cached upon the first upload and added automatically when required by subsequent certificates. Adding multiple similar certificates as required by the S/MIME gateway feature becomes much more convenient in this way.

Minor bugfixes and improvements


DEFENDO forces a collection of best-of-breed security modules like firewall, VPN, proxies, virus scanner and anti spam system to interact for one purpose:
To be protected from all online threats and unwanted contents like malicious code, spam and hacker attacks.


Each IT scenario is different. The DEFENDO product family will adapt precisely to your demands.
DEFENDO applies for simple internet connections of small companies, for headquarters / branch office WANs, as well as for complex multi-tiered firewall systems.

More good reasons

  • No backdoors
  • More than 20 years of Internet security experience
  • Award-winning product
  • Support by our development engineers
  • Reseller loyalty
  • Made in Germany