Applies To:

Show Versions Show Versions

Release Note: FirePass Controller version 4.1.0
Release Note

Software Release Date: 02/10/2004
Updated Date: 08/30/2013


This release note documents version 4.1 maintenance release of the FirePass controller software. We recommend this maintenance release only for those customers who want the fixes and enhancements listed in Fixes and enhancements in this release. You can apply the software upgrade to version 3.1 and later. For information about installing the software, please refer to Installing the software.

Note: F5 now offers both new feature releases and maintenance-only releases. For more information on our new release policies, refer to Description of the F5 Networks software version number format.


- Minimum system requirements
- Installing the software
- Fixes and enhancements in this release
- Known issues

Minimum system requirements

The minimum system requirements for this release are:

  • FirePass 1000, or
  • FirePass 4000

[ Top ]

Installing the software

The following instructions explain how to install the FirePass controller version 4.1 onto existing systems running version 3.1, and later.

  1. On the Administrative Console, in the navigation pane, click Server, and then click the Maintenance link, followed by the Network Configuration link.
  2. If the Finalize link appears at the top right of the Network Configuration screen, it means that you have configuration changes pending. In that case:
    • Click the Finalize link, and finalize any pending configuration updates.
    • Then restart the FirePass controller when you are prompted to do so.
  3. Click the Maintenance link again, followed by the Online Update link.
  4. Select the link for Release 4.1 to upgrade the FirePass controller.

For more information about installing, licensing, and configuring Release 4.1, or to install a new appliance, please refer to chapters 2 and 5 of the FirePass Server Administrator Guide.

[ Top ]

Fixes and enhancements in this release

Important: Release 4.1 of the FirePass controller corrects a date issue in version 4.0.2 that prevented synchronization among clustered and failover configurations. If you already have upgraded to 4.0.2 and you have a clustered or failover unit, we recommend that you upgrade to Release 4.1 immediately.

This release includes the following fixes and enhancements.

Cookies in middle of header (CR29669)
Previously, if My Intranet was configured to pass cookies through to the user, sometimes it put the cookies in the middle of the header. This location could cause problems with some web servers. Now the My Intranet places the cookies correctly, at the end of the header.

Missing OWA 2003 icons (CR29827)
When you use Microsoft® Outlook Web Access® (OWA) 2003 through My Intranet, the icons in the navigation pane (for example, Calendar, Contacts, and LogOff) now appear correctly.

The SSL VPN and AppTunnels Clients did not accept some characters (CR30291)
In previous releases, the SSL VPN and AppTunnels client Setup tabs do not accept periods, commas, or backslashes in the local proxy settings field unless you entered them using the numeric keypad, or pasted them from the clipboard. We have corrected this issue, and you now can also type these entries using the main part of the keyboard.

Local upgrade did not give error messages (CR30318)
Formerly, if you made an error (such as mistyping a password, or specifying an invalid file) while applying a hotfix or offline upgrade, you did not get error messages when the process failed. Now the FirePass controller provides you with messages from the system log, to assist in correcting the error.

Administrator sessions on standby units expired prematurely (CR30381)
If you start an administrator session directly on the standby unit of a failover pair, the session remains active until either you log out or you time out under the normal interval. The session no longer times out after one minute, as it formerly did.

Screen sharing on a Mac (CR30404)
Previously, the JAVA screen-sharing desktop did not work on an Apple® Macintosh® computer. It failed with this error: "java.lang.ClassNotFoundException:MainApplet.class". We have corrected this error, and now you can use My Desktop screen sharing on Macintosh computers.

Importing from a user file with missing data in some fields (CR30546)
In previously releases, the FirePass controller's user import feature did not correctly parse an empty data field in a user import file. If missing data was recorded as two successive, unseparated delimiters (tabs or commas), the import function shifted the user data--one field to the left--after the point of failure. Now the import function correctly parses records with missing data elements.

No warning about restart after local code is updated (CR30654)
The FirePass controller restarts automatically after an upgrade or hotfix is applied. Previously, it did not warn the administrator that the system would restart. Now the upgrade screen warns the administrator about the pending restart.

Auto logon to desktop failed (CR30660)
In Releases 4.0 and 4.0.2, an error in decrypting the Windows password blocked My Desktop users from unlocking or rebooting their desktop systems. We have corrected this error, and now My Desktop users can unlock or reboot their office PCs from remote locations.

End-user browser language detection (CR30693)
In version 4.0.2, if the FirePass controller was set to Japanese, it always displayed the Japanese end-user interface, regardless of the end-user's browser language setting. We have corrected this error, and now the browser's language setting controls the end-user interface language (presently available in English or Japanese), as intended.

Language setting after My Desktop connection error (CR30694)
If a Japanese user made an error while connecting to My Desktop, and then used the Click here to retry link, the language setting detected at logon would revert to English. Now the correct initial setting is preserved.

ARP on startup for virtual IP addresses (CR30699)
Previously, the FirePass controller did not perform an unsolicited Address Resolution Protocol (ARP) request for virtual IP addresses when the unit was started. Now all configured IP addresses, including virtual addresses, send unsolicited ARPs each time the unit is restarted.

Sed scripts truncated during upgrade or reconfiguration (CR30700)
In earlier releases, long sed processing scripts could be truncated during upgrades and reconfigurations. Now there is no size limit on sed scripts.

Timing out inactive App Tunnels (CR30702)
Previously, an active App Tunnel did not time out if the associated application had a connection open over the tunnel. Now, the App Tunnel times out if there is no traffic over the tunnel beyond the configured time interval, even if there is an open connection.

Broadcast IP address not calculated (CR30732)
Previously, if you added an IP address using the web interface but did not specify the broadcast address, the FirePass controller did not calculate a default broadcast address. Now it correctly calculates a default broadcast address.

Incorrect routing table warning (CR30734)
In previous releases, the Settings screen presented a configuration warning if you used a routing table number of zero. However, zero is an allowable value, and we have removed the warning.

Error on Server Settings display (CR30769)
Previously, updates to the time zone and offset were not reflected on the Settings screen. They always appeared as PST and 0, respectively. Now the screen displays your settings correctly. We recommend verifying these settings after you upgrade to Release 4.1.

My Intranet access to iNotes (CR30778)
Previously, you could not use My Intranet with Lotus Domino iNotes® unless you changed the default caching and compression settings. In this release, we have changed the default settings of My Intranet to support iNotes web access to Domino servers, without any additional configuration.

Bypass template signup setting did not propagate (CR30801)
The option Bypass signup by template form and enter user information later now propagates from master to slave during synchronization, as intended.

Local upgrade link available to unauthorized users (CR30803)
In earlier versions, unauthorized administrators could not see the local upgrade link, but could access the link if they supplied the correct URL. Now, the link is not accessible to any user not authorized to upgrade the FirePass firmware from a local file.

Opening MIME-encoded PDF files in My Email (CR30826)
Previously, in My Email you could not open an attached PDF file that was encoded using the MIME standard. We have resolved this issue, and now you can open attached, MIME-encoded PDF files.

Problem downloading HTTP logs (CR30884)
Previously, if you restricted access to the Administrative Console to a specified list of client IP addresses, you could not download the user HTTP log reports. The FirePass controller instead created an empty spreadsheet. To create and download a correct spreadsheet, you needed to enable access to the Administrative Console from any IP address. Now you can create a downloadable spreadsheet containing user HTTP logs, whether or not you have restricted access to the Administrative Console by client IP address.

Setting changes took effect before clicking update (CR30896)
Previously, the FirePass controller applied any change to the default inactivity timeout immediately, before its Update button was clicked. It applied other, similar settings (for example, authentication timeout) were applied only after you had clicked their respective update buttons. Now all the timeout settings behave in a consistent manner. None are updated until their respective update buttons are clicked.

Viewing attached messages containing nested attachments (CR30919)
In previous releases, if you used a mini-browser (such as a PDA or WAP phone), you could not use My Email to view attached email messages that themselves contained attachments. We have resolved this issue, and now you can view these attached messages and their nested attachments while using a mini-browser.

Invalid administrator email caused web server to fail after reconfiguration (CR30920)
Previously, if you entered an invalid administrator email address (such as one containing spaces), and then reconfigured the FirePass controller, prevented the FirePass web server from starting after the reconfiguration. As a result, you could not start any web services or user sessions. We have corrected this issue, and invalid Administrator email addresses cannot interfere with starting FirePass controller web services and user sessions.

Default routes for failover pairs (CR30986)
In previous releases, a defect in handling multiple default routes could lead to routing failures and session termination during failover. We have corrected this issue, and the FirePass controller now correctly supports multiple default routes.

Error when operating on routing rules (CR30987)
Previously, if you added, edited, or deleted a network routing rule, when you subsequently committed the change using the Finalize screen, the operation failed. You saw this message: Error: shell invocation failed with non-zero return status. We have corrected this issue, and you now can add, edit, and delete routing rules.

Clustering and failover synchronization after January 10, 2004 (CR 31027)
In all previous versions through version 4.0.2, a data overflow caused the current timestamp to be interpreted as a negative integer, starting on January 10, 2004. This bug affected synchronization among cluster and failover units. Up to and including version 4.0.1, the UI display was affected but the synchronization continued to run normally. In version 4.0.2, synchronization failed, beginning on January 10. We have resolved this problem in version 4.1, and synchronization now runs properly.

Editing a user's My Intranet Favorites (CR31034)
In previous releases, a user could add individual Favorites to his My Intranet display, but could neither edit them later, nor add additional Favorites. We have resolved this issue, and now users can add and edit My Intranet Favorites without limit.

Missing script language attribute in tab injection (CR31079)
The FirePass controller can inject JavaScript code into My Intranet pages, to add home tabs to My Intranet pages. Previously, if the page also contained VBScript and was viewed with Internet Explorer® browser, it could fail, displaying a scripting error. Now the injected code includes an explicit LANGUAGE attribute specifying JavaScript as the language, so the browser can parse mixed-script pages correctly, without ambiguity.

Multiple cookie headers (CR31080)
In earlier releases, if My Intranet was configured to pass cookies through from the browser, it also added a second cookie header and cookie from the FirePass controller itself. Now both cookies are sent, but under a single header, as intended.

TCPdump vulnerability (CR31086)
TCPdump is vulnerable to a denial-of-service attack by a remote user sending malicious ISAKMP or RADIUS packets. We have applied a security patch published by the RED HAT™ Network. It provides updated packages fixing vulnerabilities in ISAKMP and RADIUS parsing.

Incorrect information on Client Caching and Compression screen (CR31094)
The Client Caching and Compression screen indicates that if a URL-matching template is not provided, My Intranet will pass all application cookies through to the application host. In fact, My Intranet passes these cookies through to the host only for URLs specified in the URL template list. If the list is empty, My Intranet does not pass any cookies. We have corrected the screen text in this release.

Cookie leaks in My Intranet (CR31095)
In previous releases, if My Intranet was configured to pass cookies through between an application host and the user's browser, but the application itself did not set a cookie, the FirePass controller still forwarded FirePass cookies between the host and the browser. Now the FirePass controller only sends its cookies conjointly with application cookies, as intended.

Specifying "Enforce User Agent" for a My Intranet Webifyer (CR31211)
In version 4.0.2, you could not specify a browser user-agent string substitution for a My Intranet Favorite. The only way to override a browser's user-agent string was to specify the substitution on the Content Processing screen, at the host level. We have corrected an error in the code, and now you can enforce a substitute user-agent string for a My Intranet Favorite, as intended.

Some Japanese characters in folder names(CR31339)
Some valid Japanese characters, when used as the first character in top-level folder names, prevented My Files from opening the folder. We have corrected an encoding issue, and now valid Japanese folder names beginning with any character display and open correctly.

Special characters blocked certificate request generation (CR31511)
We have corrected an issue where a special character in a certificate-request password could block the generation of a server certificate request. Now you can use any character except single quotes in a certificate-request password.

Note: The FirePass web server does not accept any of the following special characters in any other certificate-request input field:

< > ~ ! @ # $ % ^ * / \ ( ) ?.,&

Users imported from a file are now assigned to the correct group. (CR31590)
Previously, if you created new user accounts by importing a text file, the new accounts were always added to the Default group, not to the currently-selected group. We have corrected this issue, and you can import users into any group, using a text file.

OWA reminders now display properly (CR31620)
Calendar reminders now display as intended. (You may have previously received a Page not found error when you clicked a reminder to view the details of Outlook Web Access® (OWA) calendar items.)

[Top ]

Known issues

The following items are known issues in the current release

My Intranet does not correctly parse some web pages (CRs 28664, 28678, 28801, 28806, 29799, 30232)
Occasionally a web page contains Java, JavaScript, or HTML code that the FirePass controller cannot parse. If you experience problems with individual My Intranet pages, they may be caused by code errors in the source page itself. However, it may be that the application uses technology that is not compatible with reverse-proxy technology (for example, use of signed Java applets referencing third-party servers).

  • If the web application uses incompatible technology, provide user access with SSL VPN or AppTunnels rather than My Intranet.
  • If known HTML or JavaScript syntax errors on the source page are causing the problem, you may be able to create a UNIX-style stream editor (sed) script to modify it the page contents as they pass through the Content Patcher. To apply a sed script, under the Server tab, click the Maintenance link and click Content Processing.

If you do not know what code is causing the problem, please contact Technical Support. To assist Technical Support engineers in isolating the problem code, follow these steps:

  1. On the Administrative Console, expand the Server tab and click the Maintenance link. Click the Low-level link.
  2. Start a user session.
  3. On the Administrative Console session, enter the user ID in the My Intranet Engine Trace section of the page. To begin the trace, click the Connect link next to the session you just started.
  4. In the user session, start My Intranet and navigate to the page manifesting the error.
  5. Return to the Administrative Console engine trace page, and follow the Download link next to the user session to download the debug trace log.
  6. Send the debug log to the support contact who is handling your report.

Invalid logon on unconfigured system gives error (CR29560)
If you enter an invalid administrator logon/password on an unconfigured FirePass controller, you are directed to a default URL ( that does not exist, and you get a "page not found" error. You can avoid this error by entering a valid administrator logon and password.

Changes in Maintenance Console are not reflected in the manual (CR29670)
Chapter 2 of the FirePass Server Administrator Guide Version 4.1 describes an option to perform basic network configuration using the Maintenance Console. The Maintenance Console has changed since this chapter was written, and the details are no longer entirely correct. You now can perform several important operations using the Management Console:

  • Reset the network configuration and the admin password to the default values
  • Reset the network configuration to the backup network configuration saved immediately prior to the most recent committed change
  • Change the FirePass controller interface language
  • Remove all firewall rules
  • Enable the Superuser account
  • Disable SSH access
  • Remove IP-access restrictions from the Administrative Console
  • Perform diagnostics
  • Shut down or restart the server

The FirePass controller restarts after you reset the settings. You can then access it from a web browser, using the reset IP address followed by /stats/.

Users of back levels of Sun Java Runtime Environment may experience problems with Low-level Maintenance (Telnet) access (CR29737)
If you use Internet Explorer and have installed older versions of the Sun Java Virtual Machine plug-in, you may experience problems with low-level (Telnet) access to the maintenance console from the web-based Administrative Console. If you use Version 1.4.0, you may get an error message: "The host is not responding." If you use Version 1.3.1, the page is not properly displayed. In either case, the recommended solution is to disable the Sun Java Virtual Machine. To do so, from the Tools menu in Internet Explorer, click on Internet Options, and then click the Advanced tab. Clear the Use Sun Java Virtual Machine... option, and restart your browser. Alternatively, you may install a later version by going to and downloading the plugin.

Opening My Network zipped files directly from the server (CR29769)
If you zip up My Network files for download, you must save them to your local system to make them available in an unlicensed copy of Win Zip.

Error message when using Outlook Web Access® 2000 (CR29821)
Sometimes an error message Invalid procedure call or argument shows in a popup when you access an Outlook Web Access® (OWA) 2000 server through the FirePass controller. We have observed this error intermittently when using NTLM authentication.

Error in querying a Citrix server list (CR30410)
If a Terminal Server favorite is configured with a list of Citrix® servers, the FirePass controller stops querying the servers in the list once a connection is established, even if the Citrix server that was contacted returns an invalid response and should be bypassed.

Premature timeouts when using some Mac browsers (CR30411)
When using Opera® or Safari® browsers on Apple Macintosh computers, you may experience premature timeouts while using the My Files Webifyer.

RADIUS authentication fails if you require requestor address verification (CR30442)
A FirePass controller authentication request to RADIUS does not include a Network Access Server (NAS) IP address or identifier. The RADIUS standard requires these attributes for requestor address verification, so if you use that RADIUS option, the FirePass controller's RADIUS authentication attempts fail.

Configuring a Terminal Services Favorite for VNC on a port higher than 5910 (CR30631)
If you configure a Terminal Services Favorite to provide Virtual Network Computing (VNC) access on ports higher then 5910, the connection fails when you start it from the webtop. It succeeds, however, if you start it from within My Terminal Services.

First-time user loses favorites (CR30901)
If a new user logs into the FirePass controller for the first time, clicks a favorite link, and then returns to the main session screen, the pane containing all of his favorites is blank. This error occurs only in the user’s initial session.

Session-end data for current sessions (CR31372)
The Sessions report may display an ending date and time for user sessions that are, in fact, still active.

Broadcast address error message (CR31473)
After you upgrade to Release 4.1, you may get this error message: invalid broadcast address +. If you see this error message, then use the IP Configuration screen to remove the plus sign in the Broadcast field of the affected interface.

After Quick Setup, browser retains former URL (CR31505)
During Quick Setup, you are prompted to change the FirePass controller's host name and IP address. However, even if you do, the browser retains the default host name or IP address after you finish the Quick Setup and restart the controller. You must type the new host name or IP address in the browser address field to reconnect to the FirePass controller.

Configuring basic HTTP authentication against an external server (CR 31506)
If you configure a group to authenticate users over HTTP, you must specify an object in the path you set for the external server. Otherwise, authentication fails. For example, the URL fails, but succeeds.

Server restart message disappears (CR31510)
If you enable the Request and Verify client certificate option, you see a new option, Autofill username, and a new message: Configuration changed. You must restart for these changes to take effect. If you click the autofill check box, the restart message disappears. However, you still must restart the server for the new settings to take effect.

Auto-login support for some terminal server applications (CR31539)
Auto-login (single-signon) services do not work correctly when a user accesses Citrix and Microsoft Windows® 2000 applications using the Terminal Services webifyer. The user must log in a second time to access those platforms.


[ Top ]

Was this resource helpful in solving your issue?

NOTE: Please do not provide personal information.

Incorrect answer. Please try again: Please enter the words to the right: Please enter the numbers you hear:

Additional Comments (optional)