5.0-1-0
Available for purchase
Machines covered by a software maintenance contract, as well as recently purchased systems, may update free of
charge. Access has already been activated for the respective licenses. For all other systems access will be granted as soon
as the update has been purchased.
The credentials required to download the update will be sent automatically when using the system's interactive update feature.
For a manual download you will have to specify the support IP as username (e.g. 172.18.253.15) and the hardware ID as password
(e.g. 473I-QN34-O@:5).

Update of the base system
This update renews various system libraries and programs.

Failover cluster with two machines
It is now possible to cluster two machines if availability is an issue. Note however that this new feature is in an experimental
state and major extensions are still to come. To make sure your setup is already supported, please contact technical support
beforehand if you plan to use this feature.
Currently only the availability of the master node as a whole and the link status of its network interfaces are monitored.

Improved Firewall configuration
It is now possible to edit, copy or temporarily disable firewall policy rules. For diagnostic purposes there's a new logging
option for each rule. Finally, you can add a comment to each rule.
The protocol and port signature has been removed from the rules to make them clearer. The signature is now defined in the
new menu item "Expert -> Firewall -> Protocols". After the update you will find a set of predefined protocols (name in capital
letters). The update will automatically add further protocols (lower case letters) as required by your current firewall policy.
Note: The update has to convert the current set of firewall policy rules. If significant changes are necessary, a log will be sent
to admin by email after the update. Please check the firewall configuration after the update.

Time constraints for firewall policy rules
You can restrict individual firewall rules to certain periods of time per weekday.

Access LAN -> DMZ restrictable
In previous releases LAN networks had full access to a DMZ. While this is still the default, a restrictive firewall policy
can be enforced now.

Verification of mail addresses with the internal mail server
When forwarding emails to an internal mail server, you might encounter double bounces which are delivered to admin. This happens
when the internal mail server refuses to accept an email (e.g. unknown recipient) and returning the mail to its sender fails,
too (e.g. SPAM mail with a forged sender address).
Now there's a new "Mailrouting" feature which addresses this problem. When enabled, the internal mail server is contacted
beforehand to make sure that it will accept an email with the given sender and recipient addresses. If the mail is refused,
it is rejected even before its contents have been transmitted. This feature is particularly useful when inbound emails
are delivered via SMTP.
Many SPAM and virus mails are addressed to non-existent recipients, so this new feature also reduces the number of unsolicited
mails. Rejecting mail early also means less virus scanning and SPAM filtering, which considerably reduces the load on the system.

Regular SPAM filter pattern updates
Customers with a software maintenance contract can now subscribe to automatic regular SPAM filter pattern updates. As before,
customers who don't want to use this feature or who didn't sign a maintenance contract will receive new patterns every now
and then, whenever an update contains a new version of the SPAM filter software as a whole.

New SPAM filter release

Protection against automated mailers
This new option works only when inbound mail is delivered with SMTP. It takes advantage of the fact that the routines used
to spread unwanted emails (SPAM, viruses) are often simple: they transmit their SMTP commands without waiting for the initial
server greeting. Such deliveries can now be rejected.

Limits to avoid mail server overload
In the web interface you will find new options to limit the total number of inbound connections, the connection rate per external
IP and minute and the maximum number of recipients per delivery attempt. In the background there's an additional limit which
restricts the number of inbound connections per external IP.

Improved bandwidth management configuration
Similar to the new firewall configuration, you can now edit and copy bandwidth management rules or add an individual comment.
Protocol and port definitions are taken from the firewall area.

Bandwidth management in VPN tunnels
The Internet IPSec interface now supports bandwidth management, too, so you can classify the data streams within VPN tunnels.
Note that the classification is preserved during encryption, so the bandwidth management of the Internet interface can
afterwards treat the encrypted packets accordingly.

Quality-of-service for Voice-over-IP
A new QoS module optimizes the latency time which is important for VoIP connections. It can be configured independently for
unencrypted connections and connections over IPSec.

Improved SOCKS proxy configuration
SOCKS proxy rules can also be edited and copied now. In addition you can add comments to each rule or temporarily disable
a rule. Protocol and port definitions are also taken from the firewall area.

New IPSec VPN options
AES (128 and 256 bit) is now available as a new encryption algorithm. For compatibility with old releases, existing connections
will continue to encrypt with TripleDES. On the new tab "Phase 2", which you can find in every configured connection, you can
remove this restriction.
The new feature "Dead-Peer-Detection" helps to detect peers which are no longer reachable. Note that the peer has to support
this feature, too.
Improved support for Windows L2TP clients which need to connect to multiple servers using certificates issued by different
CAs. Windows will now automatically select the correct certificate.
More detailed setup options.

Support for MacOS X IPSec L2TP client
The built-in IPSec L2TP client of MacOS X is now supported, too. A compatibility switch in the IPSec connection setup needs
to be set if MacOS clients are used. The configuration wizard also contains this new setting. For MacOS X the server
certificate also needs to be recreated with an additional field. You will find further information in the online help system.

Revised support for Windows IPSec L2TP client
Default compatibility for IPSec L2TP clients running Windows 2000, XP or XP SP1 without patch Q818043 has been dropped with
this release. If you still need to support these clients, you will have to enable a compatibility switch in the IPSec connection
setup.
At the same time we extended the IPSec L2TP wizard. Now it reflects the peculiarities of Windows clients with patch Q818043
or Windows XP SP2 when connecting from behind a NAT router.

Minor bugfixes and improvements
In the 4.2 releases some features had only been available on systems with a software maintenance contract. In 5.0 these features will now be available on all systems. This includes:

Mail server greylisting
Greylisting requires incoming emails to be delivered by SMTP. Particularly when polling a POP server for incoming emails,
greylisting is useless.
Greylisting can help to reduce the amount of SPAM and it will stop most viruses even before they are transmitted. The load
of SPAM filter, virus scanner and hence of the whole system will be reduced. Greylisting relies on the fact that many spammers
and most viruses will only make one single attempt to deliver an email. If the combination of source IP, sender and recipient
is not yet known, greylisting will refuse delivery with a transient error status code. After a configurable minimum amount
of time, however, any subsequent retransmission will be accepted. Besides the possibility to whitelist certain addresses, greylisting
will automatically collect a database of well-known communication relationships. These will then no longer be affected by
any delay.
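The greylisting decision described above, written out as an added example (not the product's own code): unknown triplets get a transient 4xx reply, a retry after the minimum delay is accepted and remembered, and whitelisted addresses or source IPs bypass the delay. The status codes, the `expire()` housekeeping and the injectable clock are assumptions made for the example.

```python
import time

class Greylist:
    """Greylisting for an SMTP front end: an unknown (source IP, sender, recipient)
    triplet gets a transient 4xx reply; a retry after min_delay seconds is accepted
    and the relationship is remembered so later mail is not delayed again."""

    def __init__(self, min_delay=300, whitelist=(), clock=time.time):
        self.min_delay = min_delay        # minimum wait before a retry is accepted
        self.whitelist = set(whitelist)   # lower-case addresses or source IPs exempted
        self.clock = clock                # injectable for testing (assumption)
        self.pending = {}                 # triplet -> time of first attempt
        self.known = set()                # triplets that completed a retry (auto-whitelist)

    def check(self, src_ip, sender, recipient):
        """Return (smtp_code, text) for one RCPT TO command."""
        if self.whitelist & {src_ip, sender.lower(), recipient.lower()}:
            return 250, "OK (whitelisted)"
        triplet = (src_ip, sender.lower(), recipient.lower())
        if triplet in self.known:
            return 250, "OK (known relationship)"
        now = self.clock()
        first = self.pending.setdefault(triplet, now)
        if now - first < self.min_delay:
            # First attempt or too early: spammers and most viruses give up here.
            return 451, "4.7.1 Greylisted, please try again later"
        # Retried after the minimum delay: accept and remember the relationship.
        del self.pending[triplet]
        self.known.add(triplet)
        return 250, "OK"

    def expire(self, max_age=86400):
        """Forget pending triplets that were never retried within max_age seconds."""
        cutoff = self.clock() - max_age
        self.pending = {t: ts for t, ts in self.pending.items() if ts >= cutoff}
        return len(self.pending)
```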

Redirection of SPAM mails by the relay SPAM filter
The mail server's MIME filter capabilities have been extended in different ways. It is now able to rename dangerous HTML elements.
This affects e.g. scripts and elements used to embed active components like ActiveX or Java Applets. Links to executables
will be filtered, too. Form elements, often used in phishing mails, are hidden. The feature will also protect from so-called
web bugs, automatically loaded references to external resources. Spammers use these to verify email addresses. The value of
a verified address goes up, which results in even more SPAM.
As an option, the filter can even be configured to disable every link and reference.
Some emails carry their contents twice, as plain text and as HTML. In combination with the MIME filter the redundant HTML part
can now be removed automatically.
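An added example, not the product's own filter, of the HTML rewriting described above: active-content elements are renamed so the mail client ignores them, form controls are dropped, links to executables are disabled, automatically fetched external resources (web bugs) are neutralised, and optionally every link is disabled. The element and suffix lists are assumptions for the example, and renamed tags get an `x-` prefix so the original markup stays readable.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed rule sets for this example (assumptions, not the product's own lists)
RENAME = {"script", "object", "applet", "embed", "iframe"}  # active content: tag renamed
HIDE = {"form", "input", "button", "select", "textarea"}    # form controls: tag dropped
EXEC_SUFFIXES = (".exe", ".scr", ".pif", ".bat", ".com", ".vbs")  # executable link targets
FETCH_ATTRS = {"src", "background"}                         # auto-fetched resources (web bugs)

class MailHtmlFilter(HTMLParser):
    def __init__(self, disable_all_links=False):
        super().__init__(convert_charrefs=True)
        self.disable_all_links = disable_all_links
        self.parts = []

    def _attr(self, name, value):
        # Neutralise by renaming the attribute; the original value stays readable.
        if value is None:
            return name
        v = value.strip().lower()
        if name in FETCH_ATTRS and v.startswith(("http:", "https:", "//")):
            name = "x-" + name      # web bug: the mail client no longer fetches it
        elif name == "href" and (self.disable_all_links
                                 or urlsplit(v).path.endswith(EXEC_SUFFIXES)):
            name = "x-href"         # link to an executable (or, optionally, any link) disabled
        return f'{name}="{html.escape(value)}"'

    def handle_starttag(self, tag, attrs):
        if tag in HIDE:
            return                  # form element hidden (phishing forms)
        name = "x-" + tag if tag in RENAME else tag
        pieces = [name] + [self._attr(n, v) for n, v in attrs]
        self.parts.append("<" + " ".join(pieces) + ">")

    def handle_endtag(self, tag):
        if tag not in HIDE:
            self.parts.append("</" + ("x-" + tag if tag in RENAME else tag) + ">")

    def handle_data(self, data):
        self.parts.append(html.escape(data, quote=False))

def filter_mail_html(body, disable_all_links=False):
    """Rewrite one HTML mail part and return the neutralised markup."""
    f = MailHtmlFilter(disable_all_links)
    f.feed(body)
    f.close()
    return "".join(f.parts)
```

Comments and the doctype are dropped by the parser, and the script body is emitted as escaped text inside the renamed element.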

Web access to MIME filter quarantine directory
With this new release it becomes easy to access attachments which have been quarantined by the MIME filter. Simply download
them in menu "Monitoring -> Mail server". Remember to be very careful with attachments sent by someone you do not trust or
with unusual file names.

Mail server statistics
Email statistics, partly with graphics, have been added.

Anti spyware concept
Several components offer anti ad-/spyware options now. This includes:
The web proxy's URL filter provides a new database category "Spyware".
A user agent filter can now be enabled in the web proxy. The focus of this option is to detect ad- or spyware which is already
installed as a browser extension, possibly pretending to be a useful tool. Furthermore the filter will prevent some ad-/spyware
from contacting its vendor. From a technical point of view the web proxy compares the contents of the user agent header provided
in the clients' requests with an integrated list of well-known ad- and spyware.
The blackhole DNS feature also addresses ad- and spyware which has already been deployed on local clients. Most attempts of
these malicious programs to "call home" start with a DNS query. When blackhole DNS is enabled, requests for well-known ad-
and spyware domains will be answered with the IP 192.0.2.34 instead of the real IP address. The firewall in turn blocks connections
to this specific IP. Check the firewall log to see which client has ad- or spyware installed.
Finally, the firewall has a list of ad- and spyware server IPs. Enabling this feature blocks both attempts to download
ad-/spyware and outbound connections of programs already installed.
Please note that the classification of software as ad- or spyware is disputed. Apparently useful tools may have
characteristics of ad- or spyware. Enable ad- and spyware defense only if you and the affected users accept the potential
restrictions.
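The blackhole DNS mechanism and the firewall-log check described above, as an added example that is not the product's own code: listed domains (and their subdomains) resolve to 192.0.2.34, and the blocked connections to that address in the firewall log identify the clients with ad-/spyware installed. The domain list, the log line format and the sample log lines are constructed for the example.

```python
import re

SINKHOLE_IP = "192.0.2.34"   # the address blackhole DNS answers with (from the release notes)

# Constructed sample list of ad-/spyware domains (assumption, not the product's database)
BLACKHOLE_DOMAINS = {"ads.example.net", "tracker.example.org"}

def blackhole_lookup(qname):
    """Return the sinkhole IP if qname or one of its parent domains is listed, else None."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in BLACKHOLE_DOMAINS:
            return SINKHOLE_IP
    return None

def resolve(qname, upstream):
    """Blackhole DNS: listed names get the sinkhole IP, everything else goes upstream."""
    return blackhole_lookup(qname) or upstream(qname)

# Constructed firewall log format for this example: "<time> BLOCK src=<ip> dst=<ip> dport=<port>"
LOG_RE = re.compile(r"\bBLOCK src=(\S+) dst=(\S+) dport=(\d+)")

def infected_clients(log_lines):
    """Map each client IP that tried to reach the sinkhole IP to its number of attempts."""
    hits = {}
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and m.group(2) == SINKHOLE_IP:
            hits[m.group(1)] = hits.get(m.group(1), 0) + 1
    return hits

SAMPLE_LOG = [  # constructed sample lines; only connections to the sinkhole IP count
    "2005-03-01 10:00:01 BLOCK src=10.1.1.5 dst=192.0.2.34 dport=80",
    "2005-03-01 10:00:02 ACCEPT src=10.1.1.7 dst=198.51.100.9 dport=443",
    "2005-03-01 10:00:05 BLOCK src=10.1.1.5 dst=192.0.2.34 dport=443",
    "2005-03-01 10:00:09 BLOCK src=10.1.1.9 dst=192.0.2.34 dport=80",
]
```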

Web proxy filter for peer-to-peer and instant messengers
Just like the anti ad-/spyware user agent filter mentioned above, the web proxy provides additional user agent filters for
peer-to-peer and instant messaging software. If the user agent header provides enough information to identify a request of
banned client software, access will be denied.

Extended URL filter access denied message
In addition to the simple "Access denied" message you can now configure a more detailed message which provides a hint why
access has been blocked. It is also possible to redirect the forbidden message to a custom web page.

Target specific upstream proxy
In previous releases the web proxy included configuration options for a single upstream proxy for all destinations and an
exception list for direct connections. Now there's an additional list to configure upstream proxies per destination IP or
domain.

SOCKS 4/5 proxy
Being a generic proxy, SOCKS can be used by many different applications. Often it is even possible to socksify applications
without built-in proxy support. A SOCKS client program is required for this.
As a generic proxy works on the circuit level, it does not understand the protocols and data types it forwards. Therefore it
cannot provide sophisticated security features such as virus scanning. Its configuration resembles firewall rules. But
in addition to global rules which apply to every SOCKS client, it is also possible to configure per-user rules. Users have
to authenticate themselves if they want to use these rules. Hence SOCKS gives you the possibility to recreate the concept
of user-specific firewall rules.

RAS IP addresses per user
You can now assign an individual IP address to each RAS user. It applies to the RAS services L2TP/IPSec VPN, ISDN PPP dial-in
and analogue modem. The personal IP can be used to define an individual firewall policy for each RAS user.
In addition it is now possible to determine which of the RAS services each user may use. Previously a user was either accepted
by all or by none of the services.

