
Security issue in SSH. This release includes a security hot fix for the AppGate SSH daemon.
Various daemon fixes. This release fixes various bugs which could, under some circumstances, cause the following daemons to crash: ag_userd, ag_vdbd, ag_mgmtd and ag_sdbadmind.
Radius as account source. Another bug in ag_userd made it impossible to use Radius as an account source. This has now been fixed.
Android/iPhone/iPad connectivity. This version fixes a number of issues related to the Android/iPhone/iPad clients. The problems fixed are:
These clients could not connect to an older AppGate system running Open Solaris b103, even if it had been upgraded to 10.0.
The console will now refuse to enable L2TP/IPsec unless a DNS server, which is required for this to work, has been defined.
Removed confusing logout entry which was logged when the user closed the AppGate client on the device. The device is still logged in; it was just the authentication channel which closed.
Increased logging of the initial L2TP/IPsec session set up phase - this makes it easier to debug potential problems with external firewalls not letting traffic through etc.
Web access to https-servers could fail. An issue in the built-in web proxy made it sometimes fail to properly rewrite links when using https to communicate with the back-end server.
Upgrade broke on databases using net groups. A bug in the upgrade script caused the upgrade to fail if any component in the database used net groups or attribute values.
User login failed after LDAP/AD server had been down. A bug in ag_userd caused it to never start accepting LDAP/AD users again if the LDAP/AD server had been down. That is, even if ag_userd noted that the server was up again, it refused to let users log on.
Improved progress feedback during backups. The backup process starts by collecting all the files to back up on the server. There was no feedback during this process and if there were many files to back up it could take a while. This gave the impression that the console had locked up.
This release fixes that problem by making the console show a progress bar while the backup is constructed. It will also then show the progress while the backup is being downloaded.
Fixed log start and time delta display. This version fixes a problem where the console sometimes would leave the log start time and clock difference fields, in the top log panel, blank.
Fix for empty client OS list. The upgrade script to 10.0 would unfortunately clear out the list of client operating systems which is used when creating client commands. This upgrade will restore the list.
PKCS#11 support on Mac OS X. It is now possible to use PKCS#11 libraries for smart card integration on Mac OS X as well as on Windows.
Problems when changing Look and Feel fixed. The AppGate client could experience problems in the form of Java crashes if the Look and Feel was changed.
Updated included Java Runtime Environment. The installable versions of the AppGate client and console for Windows include a complete Java Runtime Environment. This included JRE has now been upgraded to version 1.6.0_25.
Multi user client did not clean up properly. The multi user service (ag_mud) is used when running the client on a multi user system like Terminal Server or a Linux system. This daemon had a bug which caused it to not properly clean up if a client unexpectedly disappeared. The end result of this was that this user could not use the service again until it was restarted.
Support for iPhone/iPad and Android. This version of AppGate adds AppGate clients for iPhone/iPad and Android. These devices will use IPsec to communicate with the AppGate server. The authentication is handled by the AppGate app, which supports all keyboard based authentication methods.
New authentication method: Cryptzone OTP. Cryptzone OTP is a new authentication method which uses One Time Passwords generated by a client on a mobile phone. This is intended to be used together with some other authentication method like password to implement two-factor authentication.
Specify authentication domain for web access components. It is now possible to specify an authentication domain in web access components. This is useful if the web server requires authentication but is using a different (or multiple) authentication domain(s).
Status becomes yellow on LDAP/AD failure. The status of an AppGate system will now turn yellow if the communication with any configured LDAP/AD servers fails.
Negative nets. It is now possible to exclude network ranges in components granting access. For example, a destination of "192.168.0.0/16, not 192.168.2.0/24" gives access to everything in 192.168.0.0/16 except 192.168.2.0/24. This can also be used in and when referring to net groups.
New attribute login.connected_nets. There is a new attribute login.connected_nets which is defined in every session. This attribute lists all networks reachable from the AppGate system through local interfaces or defined routes, except any default routes. This can be very useful when you have iPhone/iPad or Android devices connected. Since these use the built-in IPsec client, all network traffic will go through the tunnel to the AppGate server. If you want to allow them to browse the Internet, but not every internal server, you can create an IP access component which gives access to: "0.0.0.0/0, not ${login.connected_nets}"
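The destination syntax from the two items above, evaluated in an added Python example (not AppGate code). The parsing rules, the list form of login.connected_nets and the sample networks are assumptions made for illustration; a missing attribute denies access here instead of silently dropping the exclusion.

```python
import ipaddress
import re

# Constructed sample value: the page does not show the attribute's real format.
SAMPLE_ATTRIBUTES = {"login.connected_nets": ["10.0.0.0/8", "192.168.1.0/24"]}

ATTRIBUTE_REF = re.compile(r"\$\{([\w.]+)\}")


def parse_destination(spec, attributes=None):
    """Split a destination such as "A, not B" into (included, excluded) networks."""
    attributes = attributes or {}
    included, excluded = [], []
    for term in (t.strip() for t in spec.split(",")):
        if not term:
            continue
        negate = term.startswith("not ")
        if negate:
            term = term[4:].strip()
        ref = ATTRIBUTE_REF.fullmatch(term)
        if ref:
            # Assumption: "not ${attr}" excludes every network the attribute lists.
            nets = attributes[ref.group(1)]  # KeyError if the attribute is missing
        else:
            nets = [term]
        target = excluded if negate else included
        target.extend(ipaddress.ip_network(n) for n in nets)
    return included, excluded


def is_allowed(address, spec, attributes=None):
    """Exclusions always win over inclusions; unresolved attributes fail closed."""
    addr = ipaddress.ip_address(address)
    try:
        included, excluded = parse_destination(spec, attributes)
    except KeyError:
        # Dropping an unresolved "not" term would open every internal network.
        return False
    if any(addr in net for net in excluded):
        return False
    return any(addr in net for net in included)


if __name__ == "__main__":
    rule = "0.0.0.0/0, not ${login.connected_nets}"
    for ip in ("203.0.113.10", "10.1.2.3", "192.168.1.20"):
        print(ip, is_allowed(ip, rule, SAMPLE_ATTRIBUTES))
```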
New icons and logos. This version uses new icons and logotypes to reflect the fact that AppGate is now a product by the Cryptzone Group AB.
New look of built in web pages. This version also features a new look of the built in web pages. This applies to both the client download pages as well as the SSL module.
Short host names. It is now possible to configure components to add both the fully qualified as well as the short host name to the local hosts file.
More sanity checks. There are more sanity checks in the system which check for common errors and give appropriate warnings.
Removed "Push" button. This version removes the Push button in the console. Changes are instead pushed immediately when they are saved. There is a rate-limiting check which may delay the automatic push for up to 10 seconds.
Copy & Paste Roles, Services etc. It is now possible to copy Roles, Folders, Services etc from one AppGate server to another. This can be done either directly in the console, or the copied objects can be stored in an xml-file which can later be imported.
Added encryption control panel. There is a new tab in the Connection Settings panel which allows the administrator to control which encryption algorithms the server allows and prefers. This can be used to control which encryption algorithms are used between the server and the client when using the SSH-based AppGate clients.
Added buttons to sort the contents of roles and folders. The Role and Folder panels now contain buttons which allow the administrator to sort the contained services according to name or description.
AD group to AppGate role mapping table moved. The table showing the mappings from AD group membership to AppGate roles has been moved to a separate tab. This allows the table to be larger and easier to work with.
Live log panel. There is now a clear button in the live log panel which removes all shown log events. This version also fixes a bug in the live log window where it would forget that it was showing the last entries and therefore not scroll down to the last entry.
Automatic description. The console will automatically update the description of an object with any changes made to the name. This happens as long as the name and the description match.
New daemons panel. There is a new daemons panel under System Settings. This panel allows the administrator to change the debug levels of most daemons. It is also possible to manually restart daemons using this panel.
Select multiple print jobs. It is now possible to select multiple jobs in the client print tab.
The port mover on Linux and Mac OS. This version changes how the port mover is checked and installed on Mac OS and Linux. This should make it possible to run both v10 and v9 webstart clients on the same machine.
Improved handling of missing attributes. This version is better at handling missing attributes. Instead of completely disabling the user or role it will just disable those parts which are really affected by the missing attribute.
RDP sessions could unexpectedly close. A bug in ag_rdpproxy could cause RDP sessions to unexpectedly close.
VLAN configuration. It is now possible to configure tagged VLANs via the AppGate console again.
Several daemon crashing bugs fixed. This version fixes a number of bugs which could cause various daemons (ag_sdbadmind, ag_ssld, ag_ssld_cgi and ag_webproxy) to crash.
Unusual characters in database. There were instances when using certain characters in certain database fields could break the database. This has now been fixed.
Allow virtual interface to be connected to same net as physical interface. The system should no longer complain if a virtual network interface is connected to the same network as the underlying physical interface.
Time synchronisation issues fixed. This version fixes a bug where systems would not always synchronise correctly against an external NTP server.
check.exe -deviceserialno. The -deviceserialno switch to check.exe now returns the real device serial number rather than the volume ID.
Fixed attributes in descriptions. It was not possible to use attributes in the description of any database objects.
Attribute script for SSL clients. This version will also run any defined attribute script for SSL clients.
AppGate web proxy could truncate cookies. The built in web proxy could truncate some cookies passing through.
Agsh could generate bad satellite configuration. This version fixes a bug in agsh which could cause it to generate bad satellite configurations when running in some specific network configurations.
ag_galed did not block ICMP redirects. A bug in ag_galed made it pass through ICMP redirects which could prevent IP-tunnelling from working in some environments.
Fixed client tab dance. The AppGate client could sometimes switch automatically a number of times between different tabs when connecting.
Fixed SSL rewriting. There were errors in the web page rewriting in the SSL module if it was configured to listen to another port than 443.
Report correct port number in client. The client would sometimes report that it failed to open a local listener, but the error message could list another port than the one it was actually trying to open.
Linux xlock integration fix. The local screen locker integration on Linux would fail if the server connection was lost and then reestablished.
Restore could fail. Restoring a backup could fail if it contained a file with a '"' in the name.
Various graphical glitches fixed. This version fixes various graphical glitches in the AppGate console and clients.
Only servers running version 9.0 or later can be upgraded to 10.0.1. Machines running earlier versions must first be upgraded to 9.0 or later.
The upgrade can be applied without disturbing users who are using the system. But the system must be rebooted in order to activate the upgrade.
There is a bug in the AppGate Console version 9.1 (up to and including 9.1.6) which sometimes makes the console only show upgrade progress data from one node in the cluster.
The workaround is relatively simple. Before upgrading, log on to any node in the cluster and run:
secmsg_query | grep ag_mgmtd
Then look for the line which shows where ag_mgmtd is registered (not the standby lines). This line should also show which node in the cluster the daemon is registered on. Make sure the console is logged in to this node of the cluster before applying the upgrade.
There is a bug in the AppGate Console for 9.0 and 9.0.1 which must be taken into account when upgrading a cluster. The upgrade will apply without problem, but the reboot button in the upgrade status window will only reboot one of the systems. The workaround is simple:
Do not use the reboot button on the upgrade status screen. Instead just close it once the upgrade is complete.
Go to the file system manager panel. There should be a new clone where the upgrade has been applied. Press the button in the boot column to make this clone the next booted clone. Do not press the reboot now button in the dialog which pops up (this is also broken).
Go to the top node in the admin tree where there is a shutdown button. Use this to reboot the entire cluster.