4.2-1-0
Available for purchase
Machines covered by a software maintenance contract, as well as systems which have been purchased recently, may be updated free of
charge. Access has already been activated for the respective licenses. For all other systems, access will be granted as soon
as the update has been purchased.
The credentials required to download the update will be sent automatically when using the system's interactive update feature.
For a manual download you will have to specify the support IP as username (e.g. 172.18.253.15) and the hardware ID as password
(e.g. 473I-QN34-O@:5).

Reverse proxy and load balancer
If Internet access to a web application running on a server inside your corporate LAN is required but VPN is not an option,
the new reverse proxy can enhance security. You can connect to the reverse proxy with HTTP or HTTPS (encrypted). The connection
between the reverse proxy and the backend always uses HTTP, so you can use HTTPS for the Internet connection even if the backend
does not support encryption.
Until now, DNAT (port forwarding) has been used to forward Internet connections to a web server in the LAN by rewriting the destination
IPs. Because the reverse proxy processes requests at the application layer, it can offer additional capabilities such as additional
authentication or a syntax check of requests to defeat, e.g., buffer overflow attacks.
Internet access to the webmail client is also supported by the new reverse proxy. It can allow access to the webmail client
while denying access to the system's web administration.
Furthermore, the reverse proxy can be used as a load balancer in front of a web server pool.

Extended features of the web proxy (formerly "proxy cache")
The menu item "proxy cache" has been renamed to "web proxy". All the proxies are now grouped together below the new menu
item "proxies".
Note: In previous versions it was possible to bypass the virusscan proxy by using port 8081. After installing the update this will
no longer be possible. If scanning has to be disabled for certain domains, please use the "Trusted servers" setting instead.
For compatibility with older releases a switch has been made available which allows enabling port 8081 again.
Transparent use of the web proxy can now be enabled, too. With the help of a firewall DNAT rule, connections to port 80 can
now be redirected automatically to the proxy, so it is no longer necessary to reconfigure the web browser. However, you
should keep in mind that HTTP access to non-standard ports as well as HTTPS connections are not supported in transparent mode.
A new setting allows the specification of IP addresses which are allowed to use the web proxy. By default only the local networks
configured in the setup are accepted.
The option "Deny multiple logins of the same user" is now available even if the virusscan proxy is enabled.
Finally the web proxy provides an ICAP client now. Browser requests and the server replies from the Internet can be forwarded
to an external ICAP server for filtering.

SIP outbound proxy with integrated RTP proxy for Voice over IP
Most LANs use internal IP addresses which have to be masqueraded with NAT (Network Address Translation). This is a problem
for Voice over IP protocols. With the new SIP proxy it will now be possible for multiple users to send and receive Voice over
IP calls. If no external Voice over IP provider is available, the SIP proxy can even act as a simple registrar.

Bandwidth management
A traffic shaper can now be enabled for IP packets destined to the Internet which will divide them into different priority
classes. High priority for VPN and Voice over IP can be assigned by simply enabling the corresponding switches. For other
applications it is possible to increase or decrease the priority based on the IP and port signature of the corresponding data
packets.
Unused bandwidth of high priority classes is dynamically assigned to lower classes. A minimum bandwidth is guaranteed even
for the lowest class.

User administration with Active Directory
The basic user and group administration can now be made in a Windows Active Directory. Use this feature for an initial import
of the Windows users and groups or for a manual regular update. In one of the following releases even a scheduled automatic
update will be available.
A Windows DLL is provided which would even allow the import of the Windows passwords if it is installed on the Domain Controller.
You will find further information in the manual or the online help.

Update of the SPAM filter with new features
The update includes a new release of the SPAM filter software along with an up-to-date built-in signature database. An additional
check has been introduced if the DNS-based realtime blackhole lists are enabled. Until now, only the mail relay servers involved in
transmitting the mail have been looked up in the blacklists. Now the link targets found within the message body will also have
to pass a realtime check.
The administration GUI allows the configuration of lower thresholds for tagging or discarding SPAM mails.

Update of the MIME attachment filter with extended features
With the new release of the attachment filter, the contents of ZIP archives will also be scanned for banned file types. This
is a non-recursive scan however. If a blocked file is found within an archive, the whole archive will be quarantined.
The default list of banned file extensions has been extended from 15 to 88 entries. The new extensions will be appended
to the configuration of any system which is still using at least 12 extensions from the original default. The original default
included the following extensions: bat, com, dll, eml, exe, ini, js, lnk, ocx, pif, reg, scr, shs, vbs, vxd.
Of course the changes will only be effective if the attachment filter is enabled.
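The attachment filter behaviour described above, as an added Python sketch that is not the product's own code: matching by file
extension, the function names and the in-memory sample archives are assumptions. It reports nested archives that a non-recursive
scan leaves unopened and applies the 12-of-15 upgrade rule.

```python
import io
import zipfile

# The 15 extensions of the original default list quoted in the release notes.
ORIGINAL_DEFAULT = {"bat", "com", "dll", "eml", "exe", "ini", "js", "lnk",
                    "ocx", "pif", "reg", "scr", "shs", "vbs", "vxd"}

def ext(name):
    """Lower-cased extension of a (possibly path-qualified) member name."""
    base = name.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""

def scan_attachment(filename, data, banned=ORIGINAL_DEFAULT):
    """Return (verdict, banned_members, nested_archives_not_opened)."""
    if ext(filename) in banned:
        return "quarantine", [filename], []
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "deliver", [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [i.filename for i in zf.infolist() if not i.is_dir()]
    hits = [n for n in names if ext(n) in banned]
    # Non-recursive: inner archives are listed but never opened.
    nested = [n for n in names if ext(n) == "zip"]
    # One banned member is enough to quarantine the whole archive.
    return ("quarantine" if hits else "deliver"), hits, nested

def gets_new_defaults(configured):
    """Upgrade rule: extend configs still holding >= 12 of the original 15."""
    return len(ORIGINAL_DEFAULT & {e.lower() for e in configured}) >= 12

def make_zip(members):
    """Build a constructed sample archive in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()

if __name__ == "__main__":
    # Constructed samples, not real mail attachments.
    flat = make_zip({"report.txt": b"text", "setup.exe": b"MZ"})
    outer = make_zip({"readme.txt": b"text",
                      "inner.zip": make_zip({"tool.scr": b"x"})})
    print(scan_attachment("invoice.zip", flat))
    print(scan_attachment("bundle.zip", outer))
    print(gets_new_defaults(ORIGINAL_DEFAULT - {"ini", "eml", "dll"}))
```

The third element of the result lists inner archives the scan did not open, which is the place to hook a stricter policy if
nested archives should be treated as unscanned content.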

Updated mail virusscan module
The new module supports additional archive types (independent of the ones supported by the installed virusscanner).

Statistics of the total amount of data transmitted via the Internet interface
A new table has been included in the network statistics. The amount of data transmitted via the Internet interface is listed
per month.
Note: The values for previous months depicted after the update are a projection based upon the data rate. These values are not
precise. Accurate values will be collected starting at the time this update has been installed.

New Version of perl interpreter

In the 4.1 releases some features had only been available on systems with a software maintenance contract. In 4.2 these features will now be available on all systems. This includes:

FTP proxy for "real" FTP clients
In previous releases the firewall policy had to be modified to allow FTP uploads (e.g. to update the contents of the web server
in the Internet). Now an FTP proxy is available on port 2121. FTP clients can use it to contact FTP servers in the Internet.
So it is no longer necessary to allow direct FTP connections in the firewall. As an option, downloads will be scanned for
viruses.
The FTP proxy can even operate in transparent mode. The configuration of FTP clients or browsers does not have to be modified
in this case. Note however that web browsers should preferably use the web proxy on port 8080 for FTP downloads. In non-transparent
mode the FTP proxy cannot be used by browsers.
By default the FTP proxy service is not active. Furthermore access to any FTP server via the proxy is denied. Adjust the FTP
proxy configuration accordingly. Further information is provided in the online help or the manual.

Redirection of SPAM mails by the relay SPAM filter
Instead of delivering an email which has been tagged as SPAM to the original recipient, it is now also possible to redirect
it to a specific address. This feature applies only to the user-independent SPAM filter (relay SPAM filter).

Virtual email addresses
Up to now it was not possible to deliver emails addressed to, e.g., info@domainA and info@domainB to different local users. The new tab
"Virtual addresses" in the "Expert -> Mail server" menu provides this functionality.

Intrusion prevention for the IDS
Optionally, the IDS can now inform the dynamic firewall of certain suspicious activity. The dynamic firewall can then take appropriate
countermeasures.

