Release Notes CSG 5.5.0

Collax Security Gateway
13.03.2012

Installation Notes

Update Instructions

To install this update, follow these steps:

Procedure

  1. In the administration interface go to System → System Operation → Software → System Update and read the information for version 5.5. Please note the information about the duration.
  2. Tick the checkbox Yes, I want to start the upgrade to version 5.5 once all preparations are made. Afterwards click on Start upgrade.
  3. Click Get Package List. This will download the listed update packages. If successful the message Done! will be displayed on the screen.
  4. Click Get Packages to download the update packages. Important: If you download the packages over a slow connection (ISDN, analog, etc.), the browser may drop the connection to the administration interface. Note that the download will continue in the background. If you get an error message, wait a few minutes and try again; otherwise continue to the next step.
  5. Click Install. This installs the update. The end of this process is indicated by the message Done!.
  6. A new kernel will now be installed. The system will reboot automatically after installing the update. An appropriate note will be shown when the update process is completed.

Installation Notes

Updates for 32 Bit and 64 Bit Systems Available

From this version on, all new Collax servers are delivered as 64-bit systems. Software updates continue to be provided both for the 32-bit installed base and for the new 64-bit systems.

New in this Version

Security: Password Policies for System Users

This update adds optional password policies that can be applied to system users. The parameters that can be configured are: password length, password valid duration, number of special characters, number of capital letters and number of digits. Different policies can be applied to different users. The security of the system and the company can be increased by applying stricter, yet practical, policies to users.

GUI: Installing Add-on Modules During Registration

To speed up and simplify the setup of a Collax server, the registration wizard can now automatically install all licensed modules directly after a successful registration.

Web Proxy: SSL Interception

Normally, the content of encrypted HTTP traffic (HTTPS) cannot be evaluated or filtered, as encryption is used between the Web server and the browser. With this update you can configure the new function SSL Interception, which enables the Web proxy to intercept this encrypted traffic, e.g. to analyze the content for malware or unwanted content.

Certificates: Compatibility Of Certificates to OS X

From this update on, Collax servers use the IP address as an attribute for certificates. This lets Mac OS X systems read and use the certificate for VPN links.

VPN: StrongSwan IPsec

From this version the new IPsec base system is StrongSwan.

VPN: IPsec with XAUTH

The extended authentication XAUTH can now be configured for IPsec VPN links in Collax servers. XAUTH can either act as a Server where incoming VPN requests will be authenticated by local group policies or act as a Client where outgoing VPN links are authenticated with a login ID and password by the remote gateway.

Backup/Restore: Run Time Limitation for Backup Jobs

Occasionally it is useful for backup jobs to be skipped or canceled automatically. From this version on, four different Run Time Limitations can be set for backup strategies:

  • Max start delay specifies the maximum delay between the scheduled time and the actual start time of the job.
  • Max wait time specifies the maximum time a job may wait for a resource, for example for a tape to be mounted.
  • Max run time specifies the maximum time a job may run, calculated from the time when the job actually starts.
  • Max duration specifies the maximum time a job may run, calculated from the time when the job was scheduled to start.

Each parameter can be set in the dialog Settings → System Configuration → Backup → General.

Misc: Important System Components

This update will also install/update the following important system components:

  • apache2 2.2.21
  • bacula 5.2.3
  • bind 9.6
  • kernel 2.6.32.55
  • libc6 2.8
  • openldap 2.4.23
  • openssl 0.9.8k

Misc: MySQL Version 5.5.20

The database MySQL version 5.5.20 is now provided with this update. The default storage engine also changes. In the past, if an application did not define an engine when creating a database, the MyISAM engine was taken as default. From this version on, the default is the InnoDB engine.

Misc: MySQL Dialog

From this version on, the dialog MySQL is shown on every Collax product.

Misc: Extended MySQL Tuning Parameter

This version will make available a new tuning parameter for the MySQL database. This parameter can be split into percentages for the storage engines InnoDB and MyISAM. All tuning details will be displayed for the MySQL database.

System Management: GUI Notification of System Jobs

The ease of use of the Collax administration GUI is based, among other things, on triggering background processes which reduce the work of the operator. This update delivers an interface in the administration GUI which visualizes background processes and their results.

System Management: Watchdog Timer Client for Collax Server

This update lets you control the device Intel 6300ESB (watchdog). The setting can be found in Settings → System Configuration → Monitoring → Watchdog Timer. The watchdog timer on a Collax server is a device that resets the system if the data partition cannot be written to any more.

System Management: New Monitoring Options for DNS Hosts

Network services of a host can be actively monitored by a Collax server. From this update on, host-side services can also be monitored. This comprises several network-based services such as DNS, HTTP, POP3 and SMTP, and additional system-internal functions/values such as CPU, RAM, swap, processes, running services, events and hard disks of the host.

Issues Fixed in this Version

GUI: Firefox and Focus in Tables

Previously, the table row focus did not work correctly in tables displayed in a section of a dialog with scroll bars. This error only occurred in the Firefox browser when there were scroll bars present. This update deactivates the qx.html.Scroll method in the AJAX framework, which corrects the table row focus in new browsers.

GUI: Popup Appears in the Wrong Place in the Dialog

When scrolling in dialogs and accessing pop-up objects such as list boxes or context menus, the pop-up objects were not displayed in the correct place. This update corrects the qx.ui.popup.Popup method, ensuring correct display of all pop-up objects in dialogs.

E-Mail: SMTP Auth for User from Active Directory

If users were authenticated via Active Directory and emails were sent from an external network, such as the Internet, with the SMTP Auth method, authentication failed because a PAM file in the system was incorrect. This file is corrected in this update: user authentication via Active Directory with the SMTP Auth method now works.

Web Proxy: Web-Proxy, Virus Scanner and wrong internal DNS

If the web proxy was used with a virus scanner and a reverse DNS lookup failed while browsing web sites, this could take longer than 1 minute. From this update on, reverse DNS lookups via the web proxy are disabled.

If a new link was added an error message was displayed within the dialog Monitoring → Status → Link Status because there was no performance data for that new link. This is now corrected.

Net: Script for Configuring Traffic Shaping creates Kernel Out Of Memory

The script shaper.gen went into an infinite loop if a routing loop and bandwidth management were set up. As a result, the kernel ran out of memory (OOM) and terminated processes. The script is now corrected to avoid loops and kernel OOM.

VPN: SNAT Rule not set

If more than one SNAT firewall rule was set for the local networks of a VPN tunnel, specific rules were not set within the firewall system. This is now corrected and all SNAT firewall rules for local networks of VPN tunnels are now set up.

VPN: IPSEC_BLOCK Rule Was Not Deleted

When an IPsec VPN tunnel was closed, not all firewall rules were deleted. Subsequently, network packets were blocked when the VPN tunnel was rebuilt. This is now fixed.

Saving an IPsec link containing an RSA key led to an error message within the GUI dialog. This was because of incorrect validation within the GUI backend. The validation method is now fixed, the RSA key setting is validated correctly and the link settings can now be saved.

Authentication: Start of LDAP and AD-Proxy

The start of a local LDAP directory could be delayed if the server was synchronising against an Active Directory. The reason for this was the large number of LDAP log files which had to be read while starting up the local LDAP. These log files are cleaned up with this update. This means the LDAP can start faster.

Authentication: Improvements of Active Directory Integration

This update implements many improvements to the integration of Active Directories. These improvements deal with email addresses, active monitoring of the AD proxy and cleanup of imported AD objects when leaving an AD.

Wrong Note of License Status

The license status dialog displayed zero users. This is corrected with this update. The license limits for Collax Virus Protection are now displayed correctly.

Misc: IP Address of Collax Server when in DNS Master Zone

In the past all local IP addresses of a Collax server were written to a zone file of a DNS master zone, even if the host element of the Collax server contained only one IP address. This is now corrected with this update. If a Collax server is set up as DNS host and is also a member of a DNS zone then only the set IP address of the DNS host is written to the zone file.

System Management: Active Monitoring of LSI Megaraid Controller

This update corrects the monitoring and email notification for Megaraid controllers from the vendor LSI. The active monitoring checks the status of RAID systems.

Notes

Security: Changing Password shows Error Message in Windows XP

This applies only if a Collax server is acting as a PDC and providing password policies: if a user password is changed with Windows XP, a false-positive error message is displayed even though the password has been changed correctly.

Net: VPN Tunnel with iPhone

To establish a VPN tunnel between a Collax server and an iPhone, the link type PPTP must be used.

VPN: IPsec Proposals

The old IPsec proposal _old_cisco will be removed as of this version. In addition, the encryption method DES (56 bit) and the Diffie-Hellman group 1 can no longer be selected as attributes of an IPsec proposal. Stronger encryption methods should be chosen for IPsec links instead.

VPN: Aggressive Mode

Aggressive Mode is no longer available for IPsec links.
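
A pre-upgrade check for the two notes above (IPsec Proposals and Aggressive Mode), as an added example that is not Collax code: it scans connection definitions for single DES, Diffie-Hellman group 1 and aggressive mode. It assumes strongSwan's ipsec.conf syntax and keywords (des, modp768, aggressive=yes); how Collax stores link settings internally is not shown in these notes, and the sample configuration is constructed.

```python
import re

# strongSwan proposal keywords for the algorithms the notes say can no longer
# be selected: "des" is single DES (56 bit), "modp768" is Diffie-Hellman group 1.
WEAK_TOKENS = {"des": "DES (56 bit)", "modp768": "Diffie-Hellman group 1"}

# Constructed sample configuration (not taken from a Collax system).
SAMPLE = """\
config setup
    uniqueids=yes

conn branch-office
    ike=3des-sha1-modp1024,des-md5-modp768
    esp=aes128-sha1
    aggressive=yes

conn hq
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256!
"""

def audit_ipsec_conf(text):
    """Return (conn, finding) pairs for settings version 5.5 no longer offers."""
    findings, conn = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            # Unindented line starts a section: "conn <name>", "config setup", ...
            m = re.match(r"conn\s+(\S+)", line)
            conn = m.group(1) if m else None
            continue
        if conn is None or "=" not in line:
            continue
        key, value = (part.strip().lower() for part in line.split("=", 1))
        if key in ("ike", "esp"):
            # Comma-separated proposals, each a "-"-joined keyword list;
            # a trailing "!" marks the list as strict.
            for proposal in value.rstrip("!").split(","):
                for token in proposal.strip().split("-"):
                    if token in WEAK_TOKENS:  # exact match, so "3des" is not flagged as "des"
                        findings.append((conn, f"{key}: {WEAK_TOKENS[token]} in {proposal.strip()}"))
        elif key == "aggressive" and value == "yes":
            findings.append((conn, "aggressive mode enabled"))
    return findings

if __name__ == "__main__":
    for conn, finding in audit_ipsec_conf(SAMPLE):
        print(f"{conn}: {finding}")
```

Links flagged this way need a new proposal agreed with the remote gateway before the upgrade, since both ends must offer a common algorithm set.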

Backup/Restore: First Backup Will Be a Full Backup

Because the backup system is going to be updated, the first backup scheduled after the update to version 5.5 will be a full backup. This will happen even if the next backup is meant to be an incremental backup.
