Updated Date: 08/30/2013
This release note documents the version 5.0 Feature Pack 1-3 (FP1-3) feature release of the FirePass controller. To review the features introduced in this release, see New features and fixes in this release. For existing customers, you can apply the software upgrade to version 5.0. For information about installing the software, please refer to Installing the software.
Note: F5 now offers both feature releases and maintenance releases. For more information on our new release policies, please see Description of the F5 Networks software version number format.
The minimum system requirements for this release are:
The supported browsers for the FirePass controller Administrative Console are:
The supported browsers for end-users are those listed for the Administrative Console, and also these additional browsers:
This release supports the following platforms:
If you are unsure which platform you have, look at the sticker on the back of the chassis to find the platform number.
Warning: You can apply this Feature Pack to FirePass version 5.0 only.
Warning: Feature Pack 1-3 does not support Windows® XP Service Pack 2. For the latest information, see SOL3289: FirePass compatibility with Windows XP Service Pack 2 clients on AskF5.
Important: Any issues discovered in a Feature Pack will be addressed in a forthcoming release. F5 will not create HotFixes against a Feature Pack.
The following instructions explain how to install FirePass 5.0 FP1-3 onto existing systems running version 5.0.
You can install version 5.0 FP1-3 only on FirePass controllers already using version 5.0. For more information about upgrading to version 5.0, see the Release Note for version 5.0.
This release includes the following new features and fixes.
Support for multiple group membership
With version 5.0 Feature Pack 1-3, you can provide an end-user with all the preconfigured Favorites from more than one group. You can assign a user to one main group for purposes of authentication, Network access filtering policies, group mapping, and Far End Security policies. Then you can provide access to additional resources, or Favorites, by designating additional groups as auxiliary groups. On the User Home Page (webtop), all Favorites from both the main group and all auxiliary groups appear together in a single, undifferentiated list.
Support for AD native mode (Kerberos) Authentication
The FirePass controller can use Kerberos to authenticate users against an Active Directory server in native mode. We have added Active Directory support for the FirePass controller authentication, user import, and group mapping features. The FirePass controller Active Directory support also covers obsolete account deletion.
Enhanced group management
New views of FirePass controller groups consolidate and simplify access to most group management operations. From a single summary screen, you can view and access the authentication, signup template, far end policy, and user experience settings of any group. From the same table view, you also have direct access to user management functions for each listed group, and you can easily list, add, move, and delete group members.
Enhanced VLAN support
This feature pack allows you to configure separate Virtual LANs (VLANs) for groups. Using this feature, you can map incoming Network Access connections to different VLANs, based on the user's main group. The individual VLANs may internally use the same set of IP addresses. See the online help for the Device Management : Configuration : Network Configuration > VLAN screen for detailed directions on configuring VLANs using the new support.
Resource Groups for Favorites
The FirePass controller now supports two kinds of groups: master groups and resource groups.
With FP1-3, to add, edit, or delete all Favorites, use the Users : Groups screen and click Resource Groups. Perform all other aspects of group-specific configuration as before, using the various Network Access, Portal Access, Application Access, and Desktop Access screens.
Assigning aliases to reference Favorites
With this feature pack, you can configure Favorites for a group by creating aliases that reference other Favorites already pre-configured for other groups. If you later change the configuration of the source Favorite, the change applies across all groups that use an alias to reference the source Favorite.
If you delete the source Favorite, the FirePass controller offers two options:
Customizing the User Home Page (webtop) separately, for each user
Version 5.0 Feature Pack 1-3 allows you to customize the User Home Page (webtop) separately for different virtual server names or for distinct Uniform Resource Identifiers (URIs). For more information, please see the online help for the Device Management : Customization screen.
Accessing FTP sites using Portal Access : Web Applications
You now can access an FTP site directly using Portal Access : Web Applications (My Intranet). Portal Access supports passive FTP download. You must know the full path to a file before you can retrieve it. You cannot browse an FTP directory using Portal Access.
Citrix Metaframe Portal support
This feature pack contains support for Citrix Metaframe Portal®. The FirePass controller administrator can configure this type of terminal service access. When you connect to the Citrix Metaframe Portal favorite on the webtop, you are asked for your credentials. The FirePass controller then logs you into every Citrix server, and queries for published applications available for you to use. These applications are then displayed. When you click a desired application and the Citrix server supports Ticketing, you are automatically logged in. If Ticketing has not been enabled, then you are asked again for your Citrix client credentials.
Obsolete account deletion
With this feature pack, if a user name is not present in LDAP or Active Directory, the user account on the FirePass controller can be deactivated or deleted. In the administration interface, the FirePass controller administrator can specify how often the synchronization runs in the background, and can choose to receive email notification of each deletion or deactivation.
Signup template group selection
With this Feature Pack, you now can enable signup templates for different groups. You can also specify a fall back default group that a user can be assigned to if no group is specified.
Direct link to AskF5
This Feature Pack adds a direct link from the Administrative Console to AskF5. The link is next to the Help button, and provides you with the latest support information available about the FirePass controller.
PDA VPN Support
This Feature Pack introduces support for PDA VPN. VPN support is provided by a standalone client downloaded using the browser. We support:
This release includes the following fixes.
Network Access correctly propagates the remote proxy to Internet Explorer (CR31848)
We corrected an issue that occasionally interfered with using the correct proxy settings for Windows® 2000 and Windows XP remote systems using Internet Explorer with a dialup Internet connection. However, for Windows 95 and Windows 98 remote systems using Internet Explorer with a dialup connection, the Network Access client control might not use the correct proxy settings.
My Email now specifies Thai character set correctly (CR33158)
My Email now provides a configurable language setting. Character sets and MIME encoding should now be correct for languages other than English, Western European languages, and Japanese.
Licensing a FirePass controller that connects to the Internet through a proxy (CR34174)
If the FirePass controller connects to the Internet through a proxy, you can now use the Automatic option when you activate the license.
Protected workspace no longer conflicts with personal firewall settings (CR34675)
If a user has a personal firewall installed on his workstation that asks for confirmation for each special request (for example, traffic ingress and egress), and is working in a protected workspace, the user now sees the firewall dialog box prompts, and can also respond to them.
Standalone Client now displays localized Favorites (CR37363)
The Network Access Standalone VPN Client now displays localized Favorites correctly.
Yahoo! mail page authentication (CR37459)
When you authenticate to Yahoo!® mail using Web Applications, you no longer receive a Page not found error if you have successfully authenticated.
Could not clear checked files from download cart (CR37878)
You can now clear individual files from the download cart when downloading files using the MyFiles feature.
Protected Workspace not localized (CR37966)
For the Protected Workspace control, we have created Japanese and Chinese versions of the Start menu item, the Exit Protected Workspace shortcut, and the error messages.
Localized Favorites do not appear correctly using Mozilla® browsers (CR37989)
Previously, the App Tunnels and Network access client controls could corrupt localized Favorite names for users with Netscape and Mozilla browsers. Now the Favorites appear correctly using these browsers.
Support for Windows XP running McAfee Enterprise 7.1 policy checks (CR38190)
We have added support for Windows® XP and McAfee® Enterprise 7.1 to FirePass 5.0 FP1-3.
Special characters in passwords fail NTLM authentication (CR38251)
Previously, you could not use a Windows 2000 domain server to authenticate users whose passwords contained any of these special characters: & ^ # or $. The FirePass controller authentication routines now process these passwords correctly.
Unable to see Exit from Protected Workspace button on Windows XP (CR38280)
On Windows XP systems, the users see the Start menu in Advanced mode, by default. For the Exit from Protected Workspace menu item to display, the Protected Workspace control requires the Start menu to be in Classic Start mode. Now the Protected Workspace control switches the registry setting to Classic Start mode while the Protected Workspace is deployed.
Specify an additional IP for xhost program (CR38301)
In this feature pack, we have added the option of specifying a comma-separated second IP address or host name that can be used by the xhost program to allow the specified host to make a connection to the X server running on FirePass controller. You can use this optional setting in an asymmetric network environment when inbound and outbound IP addresses of the custom X client are not the same.
Logout button missing (CR38442)
In version 5.0, using the Device Management : Security : Admin Access screen, if you limit access to the Administrative Console based on IP address, the Logout button might disappear. Now it appears correctly under this setting.
Help pages not localized (CR38463)
Localized versions of the user and administrator help pages did not display properly if the browser did not provide a language setting. We now provide a default character set setting matching the FirePass controller's language, so the help displays correctly even without a browser setting.
Email subject now displays when replying to message (CR38465)
Previously, the subject did not always appear when a user was replying to the message using the FirePass controller email client. The subject now displays appropriately.
Standalone VPN client did not save settings (CR38478)
On Windows 2000 systems, the Standalone VPN client did not retain server addresses and user names properly when you selected the Maintain session information setting. The addresses and names now persist and display properly.
Setup for SSL VPN Drivers on non-English versions for Windows 9x (CR38528)
Previously, the setup for the SSL VPN Driver on Windows 9x could result in a buffer overflow on some International versions of Windows. This resulted in an Access Violation or a system hang. The SSL VPN Driver setup now works correctly.
Problems with files and folders using certain Chinese characters in their names (CR38598)
Previously, you could not create folders or copy files if their names contained characters whose second byte, in Big5 encoding, was a backslash. We have corrected this issue, and you can use these characters in file and folder names.
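The class of problem behind CR38598, as an added example that is not FirePass code: Big5 is a double-byte encoding in which the second byte of some characters is 0x5C, the same value as the ASCII backslash path separator. The release note does not say how the controller processed these names; the byte-wise split below is an assumed stand-in for the general failure mode, and the function names and sample path are constructed for illustration.

```python
# Added illustration, not FirePass code. Names and the sample path are constructed.
BACKSLASH = 0x5C  # ASCII '\', also a legal Big5 trail byte


def trail_backslash_chars(name: str) -> list:
    """Return the characters of `name` whose Big5 encoding ends in byte 0x5C."""
    hits = []
    for ch in name:
        try:
            raw = ch.encode("big5")
        except UnicodeEncodeError:
            continue  # not representable in Big5, so it cannot trigger the issue
        if len(raw) == 2 and raw[1] == BACKSLASH:
            hits.append(ch)
    return hits


def split_bytes_naive(path: bytes) -> list:
    """Split on every 0x5C byte, ignoring character boundaries (the failure mode)."""
    return path.split(b"\\")


def split_big5_aware(path: bytes) -> list:
    """Split only on 0x5C bytes that are real separators, not Big5 trail bytes."""
    parts, start, i = [], 0, 0
    while i < len(path):
        # A byte in 0x81-0xFE at a character boundary is a lead byte;
        # it and the byte after it form one character, so skip both.
        if 0x81 <= path[i] <= 0xFE and i + 1 < len(path):
            i += 2
            continue
        if path[i] == BACKSLASH:
            parts.append(path[start:i])
            start = i + 1
        i += 1
    parts.append(path[start:])
    return parts


def split_decoded(path: bytes) -> list:
    """Simplest safe form: decode to text first, then split on the separator."""
    return path.decode("big5").split("\\")


# Constructed sample: each of the three folder-name characters has trail byte 0x5C.
SAMPLE = "C:\\share\\許功蓋\\a.txt".encode("big5")

if __name__ == "__main__":
    print("affected characters:", trail_backslash_chars("許功蓋"))
    print("naive split       :", split_bytes_naive(SAMPLE))
    print("Big5-aware split  :", split_big5_aware(SAMPLE))
    print("decode then split :", split_decoded(SAMPLE))
```

The naive split cuts each affected character in half, so the folder name is lost and the fragments are no longer valid Big5; the other two functions keep the name intact.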
Windows Standalone VPN client no longer closes immediately (CR38603)
In version 5.0, the Standalone VPN client occasionally closed upon opening the connection. With Feature Pack 1-3, the Standalone VPN client works correctly.
Display of Japanese character imports (CR38606)
When importing from a file with Japanese characters for the user names, the names were not properly transferred in previous versions. With Feature Pack 1-3, the names transfer correctly.
Error installing VeriSign certificates requiring intermediate certificate (CR38615)
In version 5.0, if you added a VeriSign® certificate that required an intermediate certificate, with or without the intermediate certificate itself, you saw this error message: Validity of your certificate can not be verified! Ignoring or bypassing the message could result in the FirePass controller failing to respond to clients connecting to web services configured to use those certificates. Both issues have been resolved, and now you can install certificates requiring intermediate certificates.
New check prevents cross-platform restores (CR38668)
You can no longer restore a FirePass controller backup file to a different hardware platform.
NFS works with Chinese versions of 5.0 (CR38702)
With Feature Pack 1-3, you can now create an NFS favorite link in Chinese versions of the FirePass controller.
LDAP Synchronization included (CR38753)
We have added the ability to synchronize the FirePass controller with an LDAP database to improve LDAP integration and management.
Secure Workspace now presents an error message when %TEMP% variable is incorrect (CR38872)
If the user variable is %TEMP%, and %TEMP% is not specified, is incorrect, or contains an error in the path, the Secure Workspace now provides an error message.
Standalone virus scanner does not start up as default (CR39005)
The standalone virus scanner was not originally set up to run as the default. We have modified the product so that the standalone virus scanner is now the default.
Ethernet interfaces for heartbeat setup (CR39052)
In version 5.0, when you set up a failover pair (redundant system), the Ethernet interfaces for heartbeat were missing from the configuration list. With Feature Pack 1-3, the configuration list includes the interfaces for the heartbeat.
Accessing corporate favorite terminal services no longer causes security exception error (CR39386, CR39388)
Previously, if Terminal Services were limited to corporate favorites, and favorites were created with the list of Terminal Services hosts or with Citrix Metaframe, access to these favorites would fail with a Security Exception message. Now, you can access these favorites under these conditions.
Legacy Host favorites and direct connections no longer display blank page (CR39619)
Previously, using either a legacy host favorite or a direct connection resulted in a blank screen. With Feature Pack 1-3, you can use either a legacy host connection or a direct connection.
UNIX files favorites are now visible when using the webtop (CR39628)
Previously, if you accessed the UNIX® files webifyer using the webtop, UNIX files favorites did not display. They now display correctly if you use the webtop.
Failover configuration was lost after installing FP1 (CR40212)
If you had FirePass controllers configured as failover pairs, installing Feature Pack 1 would cause the loss of controller configurations. This problem has been corrected with Feature Pack 1-3.
The following items are known issues in the current release.
Certificates in Lotus Notes (CR28747)
You can open a Lotus® iNotes® mailbox with an expired server certificate. However, you must have a current certificate to open it using the FirePass controller's My Lotus Notes.
Length limitations on My Files share names (CR28778)
The FirePass controller has the same length limitations on share names as older versions of Windows (Windows 95, Windows 98, and Windows NT). This limitation applies only to share names, not to directory names, file names, or path specifications. Single-byte share names must be 13 characters or less, and double-byte share names must be 6 characters or less.
Deleted emails in My Outlook (CR28854)
If you use an IMAP email server, My Outlook does not provide any visual indication when a user marks an email for deletion.
Viewing UNC or JIS-encoded Japanese text files (CR30091)
On a Japanese FirePass controller, when you display a text file from a UNIX® (NFS) server, My UNIX Files always assumes shift-JIS encoding, even when the browser is set to auto-detect the encoding of the document. As a result, NFS documents that use JIS or UNC encoding do not display correctly.
Passwords containing Euro symbol (CR30346)
When you configure a group with NTLM authentication with a Windows 2000 Primary Domain Controller, and also use the signup by template feature, the FirePass controller does not correctly send passwords containing a € (Euro currency) symbol. Please advise new users not to use this symbol when they select their passwords.
Portal Access navigation after leaving Outlook Web Access (CR30760)
Using Portal Access, once you leave an Outlook Web Access window, links to other sites on the same host generate a Page Not Found error.
Question mark in LDAP URL (CR30914)
If the filter portion of an LDAP query contains an embedded question mark, the query may fail.
After using Setup Wizard, browser generates Page Not Found error (CR30978)
When the Quick Setup wizard finishes, the FirePass controller restarts automatically. The controller's IP address and host name are generally changed during the initial Quick Setup configuration. The browser attempts to connect to the page using the previous IP address, and generates a Page Not Found error. To correct the display, type the new IP address or the new host name in the browser address field, and press the Enter key.
RADIUS authentication in multi-group environments (CR31381)
If you use RADIUS authentication for some, but not all, groups, and you also use signup by templates, authentication may sometimes fail. You can often solve this problem by clearing the Allow Authenticated Signup by Template option for all groups, using the Users : Signup Templates screen, and then selecting the option again for each group.
Host name after Quick Setup (CR31505)
When you use the Quick Setup for initial configuration of the FirePass controller, ordinarily you change the host name of the controller. After you restart the controller, your browser still attempts to connect to the previous (default) host name. You must enter the new host name in your browser address field to reconnect to the configured FirePass controller.
Configuring basic HTTP authentication against an external server (CR31506)
If you configure a group to authenticate users over HTTP, you must specify an object in the path you set for the external server. Otherwise, authentication fails. For example, the URL http://myauthserver.com fails, but http://myauthserver.com/ succeeds.
Progress bar during online update (CR31670)
During an online update of FirePass controller software, occasionally the third progress bar freezes, and does not indicate the true status of the update. The update, however, ordinarily completes as expected.
Page refresh corrupts the online upgrade (CR34238)
If you begin an online upgrade operation, and then perform any action that refreshes the upgrade page while the online upgrade is in progress (including opening a new browser window), the page refresh corrupts the upgrade. Do not disturb an upgrade while it is running.
You cannot use IMail Server from (vendor) Ipswitch with My Email (CR34504)
If you use Ipswitch's IMail Server configured as a POP server, you receive erroneous authentication failures with My Email. However, you can use this mail server configured as an IMAP server.
Network Access sessions limit (CR34535)
Network Access (previously called SSL VPN) connections cannot exceed 1024 concurrent sessions.
Duplicate records in Extra Access log (CR34544)
Each record in the Extra Access log occurs twice.
International characters in file names (CR35244)
File access cannot display, open, download, or delete files with some non-English characters in their names.
You cannot delete a UNIX directory (CR36352)
You cannot delete a UNIX® Network File Share directory while accessing the file system using the FirePass controller's UNIX Files function.
Installing Network Access control on Xandros (CR36745)
Automatic installation of the FirePass Network Access control fails under the su option, and may also fail under the sudo option. If Xandros Linux users cannot install the control automatically, advise them to follow the directions for manual installation, given in the Network Access user help page.
App Tunnels drive mapping fails with invalid or missing SSL server certificate (CR36803)
If you have not yet purchased and installed a valid SSL certificate on the FirePass controller, then when a user attempts to connect to a mapped drive using App Tunnels, his first attempt in a session usually fails. Subsequent attempts using the Relaunch button may succeed. However, we recommend installing a valid server certificate as soon as possible.
Moving users among groups can result in misconfiguration (CR36808)
When you move a user from one group to another, the FirePass controller does not prompt for additional data that may be required by the target group. For example, a user moved from a group using LDAP authentication to a group using internal database authentication may lack a password in the internal database account record. This misconfiguration can potentially result in failures of authentication. To prevent these failures, verify the completeness of user account records using the Users : User Management screen.
Problem displaying quotes when editing Web Application URL variables (CR36982)
The Url variables box of the Portal Access : Web Applications screen has some trouble displaying quotation marks. If you type quotation marks [a "double-quote"] when you add or edit a URL variable for an Intranet favorite, when you click Update the typed value disappears and instead shows as a backslash [\]. If you type an apostrophe ['single-quote'], the apostrophe displays, but an added backslash [\] appears before it. In both cases, however, the URL variables and the strings within the quotation marks are stored and processed correctly.
Accessing Domino Web Access using Windows 98 (CR36816)
Using Windows® 98, users may see only a blank screen after logging in to a Domino Web Access® (DWA) site through Web Applications. This problem usually can be resolved by suppressing the default Home/Logout tab injection, for Domino Web Access pages. To suppress Home/Logout tab injection:
Network Access fails on Windows 2000 computer (CR37050)
If you use Windows® 2000 with Service Pack 4 installed, when you attempt to install the Network Access client control, you may receive the following error message: An error occurred during the installation of the device. The inf or the device information set or element does not match the specified install class. The installation fails. This is a Microsoft problem described on this Microsoft support page. The page describes some possible interventions to perform on the system registry, but we do not recommend them.
Authentication does not check proxy settings (CR37072)
FirePass controller form-based authentication does not check or use proxy settings or proxy server credentials. Do not configure a FirePass controller to perform HTTP or HTTPS-based authentication using a proxy server.
Unsupported browser on Linux system for Network Access session results in misleading error (CR37113)
If you use an unsupported browser (for example, Opera®) on a Linux® system to establish a Network Access connection, you may receive a misleading error message: This is for Win32 OS only. In fact, you can establish a Network Access connection from x86-based Linux systems, but you must use a supported browser (Mozilla 1.6 or 1.7).
Network Access over dialup connection where IPSec VPN client is present (CR37127)
You cannot use Network Access over a dialup connection from a remote Windows® 2000 or Windows XP system that also has a Symantec® IPSec VPN client installed. You can use Network Access over dialup with a CheckPoint® IPSec VPN client; however, the Network Access connection may take a long time to close, and you must drop and redial the connection to the ISP in order to continue with Internet access.
Second Telnet connection to Maintenance Console (CR37213)
Using the Telnet access feature on the Maintenance : Troubleshooting Tools screen, a second attempt to connect to the Maintenance Console screen may fail, leaving the Admin Console unresponsive. In that case, close the browser and log in again.
Safari 1.0 browser on OS X 10.2 doesn't work with Network Access (CR37217)
The Network Access control for Macintosh® OS X version 10.2 does not install properly under the Safari® 1.0 browser. The page repeatedly prompts you to install it, even if you have already installed it, but you cannot use it.
High traffic levels on Management port can cause 4100 platform to reboot unexpectedly (CR37341)
On a 4100 hardware platform, high levels of traffic through the Management port may cause the unit to reboot. The Management port is intended only for direct connection to the Administrative Console. We do not recommend connecting the FirePass controller to the LAN using this port. An unexpected 4100 reboot can also occur if you connect to the Management port with a hub, due to high levels of traffic on the hub. Use a switch rather than a hub when connecting to the Management port.
Saving RSA key using Legacy Hosts with SSH terminal (CR37383)
When you use Legacy Hosts with a terminal type of SSH, and you use a recent version of SSH, you may see a prompt asking if you want to save the RSA key fingerprint for the target server. You must reply Yes to continue the connection. However, you see this error message: Failed to add the host to the list of known hosts (/home/uroam/.ssh/known_hosts). You cannot save the RSA key fingerprint. Disregard the error message.
Cannot log in after changing name of My Desktop system (CR37441)
If you change the system name of an installed My Desktop computer, take these steps to access it again using My Desktop:
Installing Network Access client on Red Hat Linux (CR37476)
Installing the Network Access client occasionally fails on these and some other Linux distributions: Red Hat® 8 using the Mozilla® 1.0 browser, and Red Hat 9 using the Mozilla 1.2 browser. In that case, follow the instructions for manual installation, given in the user help for Network Access.
Undocumented limitation on Group name length (CR37544)
Group names must be 16 characters or less in length. Entering a longer name gives an error message, but the message does not indicate the maximum allowable name length.
Network Access summary status on Windows 98 systems (CR37554)
On Windows® 98 systems, the Network Access client control does not update the packet status, visible on the Summary tab. However, the session functions correctly.
User home page not correctly customized (CR37615)
The controls on the Users : User Experience screen sometimes fail to resequence categories on the users' home pages, or to govern the font sizes as intended.
Restarting Network Access on Linux systems (CR37690)
On some Linux distributions, you cannot start second and subsequent Network Access sessions within a single browser session, immediately after closing the first connection. Either wait two minutes, or restart your browser.
Incomplete cipher security changes may lock you out of the Administrative Console (CR37701, CR33703)
Using the Device Management : Security : User Access Security screen, if you enforce higher-grade SSL security, but you do not restart services, subsequent attempts to log in may fail. When you change security settings, always click the (Requires server restart.) link in the HTTPS settings screen header. If you did not restart services and you cannot log in after changing cipher settings, if your browser allows it, take these steps:
Folder names not completely localized when using Protected Workspace (CR38016)
Some folder names in the Protected Workspace, including the My Documents folder, may appear in English on localized Windows XP systems.
File Corruption when downloading Chinese zipped folders (CR38063)
In version 5.0, if a path contains two or more Chinese folders, then the zipname file name can become corrupted.
Multiple SSL-VPN Support on PDA lacking (CR39147)
The PDA SSL VPN client does not support multiple SSL VPN favorites in this release.
Information missing from My Network after accessing a remote host (CR39292)
In rare cases, if you use Desktop Access to access a remote desktop, and then click Return to my FirePass Desktop, then Desktop Access, Network Access, and Mobile email may not be present. The interim solution is to log out, and log back in. Then the applications are present.
Deleted messages in mobile e-mail are missing (CR39288)
You cannot view deleted messages in the FirePass controller mobile email folder.
AppTunnels/VPN/Terminal Server do not work on Windows XP with Service Pack 2 Final (CR39338)
AppTunnels, SSL VPN, and Terminal Server connections do not work on computers running Windows XP with Service Pack 2 installed. For more information, see SOL3289: FirePass compatibility with Windows XP Service Pack 2 clients on AskF5.
The start VPN connection button on the PDA SSL VPN does not toggle (CR39429)
The Start VPN connection button on the PDA SSL VPN client does not become the Stop VPN connection button after you start a connection. You can successfully start the connection using the button.