Release Note: FirePass Controller version 5.2.0

Software Release Date: 09/20/2004
Updated Date: 08/30/2013


This release note documents the version 5.2 feature release of the FirePass controller. To review the features introduced in this release, see New features and fixes in this release. Existing customers can apply the software upgrade to version 5.0. For information about installing the software, please refer to Installing the software.

Note: F5 now offers both feature releases and maintenance releases. For more information on our new release policies, please see Description of the F5 Networks software version number format.


- Minimum system requirements and supported browsers
- Supported platforms
- Installing the software
     - Upgrading from version 5.0
     - Upgrading from version 4.x
- New features and fixes in this release
     - New features
     - Fixes in this release
- Known issues

Important: If you are upgrading from version 4.x, you must upgrade to version 5.0 before installing version 5.2.x. For additional information, refer to SOL3530: Known Issue: X Windows access may not work after upgrading to FirePass versions 5.2 or 5.2.1.

Minimum system requirements and supported browsers

The minimum system requirements for this release are:

  • FirePass 1000

The supported browsers for the FirePass controller Administrative Console are:

  • Microsoft® Internet Explorer, version 5.0, 5.5, or 6.0 on Microsoft® Windows® systems
  • Netscape® Navigator, version 4.7X
  • Netscape® Navigator, version 7.X, and Mozilla-based browsers

The supported browsers for end-users are those listed for the Administrative Console, and also these additional browsers:

  • Mozilla® version 1.7 on Apple® Macintosh® and Linux® systems
  • Mozilla version 1.4 on Solaris™ systems
  • Safari® version 1.0 and 1.2 on Apple® Mac OS® X 10.2 and 10.3 systems
  • OpenWave® WAP browser
  • iMode phone
  • Pocket IE on Pocket PC

Supported platforms

This release supports the following platforms:

  • FirePass 1000
  • FirePass 4000
  • FirePass 4100

If you are unsure which platform you have, look at the sticker on the back of the chassis to find the platform number.


Installing the software

Warning: Version 5.2 does not support Windows® XP Service Pack 2. For the latest information, see SOL3289: FirePass compatibility with Windows XP Service Pack 2 clients.

Warning: Prior to upgrading any FirePass controller, it is important to finalize all your network configuration settings. To do this, click Device Management on the navigation pane, expand Configuration, and click Network Configuration. Click the Finalize tab at the upper right to finalize your network configuration changes.
Note: If the Finalize tab does not appear on the Network Configuration screen, your configuration has been finalized.

Important: Back up the FirePass controller configuration before upgrading the controller. To back up the configuration, click Device Management on the navigation pane, expand Maintenance, and click Backup/Restore. Click the Create backup of your current configuration link to back up your FirePass controller configuration. See the online help for details.
Note: If you have a newer FirePass controller, use the Snapshot feature to back up the entire controller configuration. For more information, see New features and fixes in this release.

Important: If you installed Feature Pack 1-3, leave the feature pack installed when you upgrade the FirePass controller. Removing Feature Pack 1-3 could result in loss of group configuration. Version 5.2 installs on top of Feature Pack 1-3 and can be applied to version 5.0.

Upgrading from version 5.0

The following instructions explain how to install FirePass 5.2 onto existing systems running version 5.0.

To upgrade to version 5.2 from version 5.0

The following instructions explain how to install the FirePass controller version 5.2 onto existing systems running version 5.0 and later.

  1. On the Administrative Console, in the navigation pane, click Device Management, expand Configuration, and click Network Configuration.

  2. If the Finalize tab appears at the top right of the Network Configuration screen, it means that you have configuration changes pending. In that case:

    • Click the Finalize tab, and finalize any pending configuration updates.

    • Restart the FirePass controller when you are prompted to do so.

  3. Click Device Management, expand Maintenance, and click Online Update.

  4. Select the link for Release 5.2 to upgrade the FirePass controller.

For more information about installing, licensing, and configuring Release 5.2, or to install a new appliance, please refer to chapter 2 of the FirePass Controller Handbook.

Upgrading from version 4.x

To upgrade to version 5.2 from version 4.x

Important: Version 5.0 introduced a new licensing procedure. To upgrade from version 4.x to FirePass controller version 5.2, you must first obtain a Base Registration Key. Do not upgrade a FirePass controller running version 4.x to version 5.2 until you have received the Base Registration Key.

The following instructions explain how to obtain a new Base Registration Key, install FirePass controller version 5.2, and activate your license on existing systems running version 4.x.

To obtain your new Base Registration Key (if upgrading from version 4.x)

The following instructions describe how to obtain your new Base Registration Key. Follow the directions for the software version you currently use. If you are upgrading any version 4.x FirePass controller, you must obtain a new Base Registration Key from the F5 Networks upgrade server.

To obtain a new Base Registration Key from the upgrade server:

  1. Using a web browser, navigate to the FirePass controller registration key upgrade page at

  2. Type or paste your current FirePass Base Registration Key in the field provided.

    • If you use version 4.0 or later, you can obtain your current registration key from the Server : Settings screen of the FirePass controller that you intend to upgrade.

    • If you use a version earlier than 4.0, contact Technical Support.

    The upgrade server returns your new Base Registration Key.

  3. Copy the new Base Registration Key to your system clipboard.

If the upgrade server cannot find a record for your current Base Registration Key, it may prompt you to contact F5 customer support.

To upgrade to version 5.2 from version 4.x

The following instructions explain how to install the FirePass controller version 5.2 onto existing systems running version 4.x.

  1. On the Administrative Console, in the navigation pane, click the Server tab, then Maintenance, and click Network Configuration.

  2. If the Finalize tab appears at the top right of the Network Configuration screen, you have configuration changes pending. In that case:

    • Click the Finalize tab and then click the Finalize button to finalize any pending configuration updates.

    • Restart the FirePass controller when you are prompted to do so.

    • Log in again.

  3. In the navigation pane, click the Server tab, then Maintenance, and then click Online Update.

  4. Select the link for Release 5.2 to upgrade the FirePass controller.


To activate your license (if upgrading from version 4.x)

After you upgrade the FirePass controller to version 5.2, you must activate your license.

  1. On the Device Management : Welcome screen of the Administrative Console, click Activate License.

  2. Scroll to the Activate License section of the screen.

  3. In the Base Registration Key box, type or paste your permanent Base Registration Key.

  4. Select your Registration Method.

    • If the FirePass controller can resolve directly to the F5 Networks licensing server, and it has outgoing SSL access to port 443, select the Automatic method.

    • Otherwise, or if you are not sure, select the Manual method.

  5. Click the Request License button, and continue with the next procedure, based on the registration method you just selected.

If you selected the Automatic registration method:

  1. Accept the End User License Agreement, and provide your business email address and contact details at the prompts.
    Your license file appears.

  2. Click the Continue button to activate and install your license.
    It may take several seconds for the license to become valid.

If you selected the Manual registration method:

  1. The Activate License screen appears. Highlight all of the contents of the Product Dossier box.

  2. Copy the entire item to your local system's clipboard.

  3. Below the Product Dossier box, click the Click here to access F5 Licensing Server link.
    The Activate F5 License screen appears in a new browser window. If you cannot connect to the licensing server, please contact Technical Support.

  4. On the Activate F5 License screen, paste the Product Dossier item you copied in step 2 into the Enter your dossier box.

  5. On the Activate F5 License screen, click the Activate button.

  6. Accept the End User License Agreement, and provide your business email address at the prompt.
    After a few moments, the licensing server displays your new license file.

  7. Select all of the text in the License File text box on the Activate F5 License screen, and copy it to your system's clipboard.

  8. Return to the FirePass controller browser window. You should still be on the Device Management : Maintenance : Activate License screen.

  9. Paste the text you copied from the licensing server into the License File text box.

  10. Click the Install License button.
    Some confirmation messages appear.

  11. Click the Continue button to activate and install your license. It may take several seconds to validate the license.

For more information about installing, licensing, and configuring Release 5.2, or to install a new appliance, please refer to chapter 2 of the FirePass Controller Handbook.


New features and fixes in this release

This release includes the following new features and fixes.

New features

Support for multiple group membership
With version 5.2, you can provide an end-user with all the preconfigured Favorites from more than one group. You can assign a user to one main group for purposes of authentication, Network access filtering policies, group mapping, and Far End Security policies. Then you can provide access to additional resources, or Favorites, by designating additional groups as auxiliary groups. On the User Home Page (webtop), all Favorites from both the main group and all auxiliary groups appear together in a single, undifferentiated list.

Support for Active Directory native mode (Kerberos) Authentication
FirePass controller can now use Kerberos to authenticate users with Active Directory server in native mode. We have added Active Directory support for FirePass controller authentication, user import, and group mapping features. You can delete obsolete Active Directory accounts from FirePass controller groups, and users can change their expired Active Directory passwords using FirePass controller.

Enhanced group management
New views of FirePass controller groups consolidate and simplify access to most group management operations. From a single summary screen, you can view and access the authentication, signup template, far end policy, and user experience settings of any group. From the same table view, you also have direct access to user management functions for each listed group, and you can easily list, add, move, and delete group members.

Enhanced VLAN support
The FirePass controller now supports general Virtual LAN (VLAN) capabilities, including the ability to create VLAN interfaces, assign IP addresses to them, configure web services, and create simple and advanced routing rules. Using this feature, you can map incoming Network Access connections to different VLANs, based on sets of IP pools (which may be associated with individual FirePass controller groups). The individual VLANs may internally use the same set of IP addresses. For detailed directions on configuring VLANs using the new support, see the online help for the Device Management : Configuration : Network Configuration : VLAN screen.

Resource Groups for Favorites
FirePass controller now supports two kinds of groups: master groups and resource groups.

  • Master groups

    • Contain users
    • Use authentication methods
    • Have security policies
    • Use resource groups to identify the Favorites to be made available to the users

  • Resource groups

    • Contain one or more resources (Favorites) to be made available, by reference, to master groups

With version 5.2, to add, edit, or delete all Favorites, use the Users : Groups screen and click Resource Groups. Perform all other aspects of group-specific configuration as before, using the various Network Access, Portal Access, Application Access, and Desktop Access screens.

Assigning aliases to reference Favorites
With this release, you can configure Favorites for a group by creating aliases that reference other Favorites already pre-configured for other groups. If you later change the configuration of the source Favorite, the change applies across all groups that use an alias to reference the source Favorite.

If you delete the source Favorite, the FirePass controller offers two options:

  • Delete all aliases referencing the source Favorite.
  • Copy the source Favorite separately to each group that presently references it using an alias.


Customizing the User Home Page (webtop) separately, for each user
Version 5.2 allows you to customize the User Home Page (webtop) separately for different virtual server names or for distinct Uniform Resource Identifiers (URIs). For more information, please see the online help for the Device Management : Customization screen.

Accessing FTP sites using Portal Access : Web Applications
You now can access an FTP site directly using Portal Access : Web Applications (My Intranet). Portal Access supports passive FTP download. You must know the full path to a file before you can retrieve it. You cannot browse an FTP directory using Portal Access.

Citrix Metaframe Portal support
This release contains support for Citrix Metaframe Portal®. The FirePass controller administrator can configure this type of terminal service access. When you connect to the Citrix Metaframe Portal favorite on the webtop, you are asked for your credentials. The FirePass controller then logs you into every Citrix server, and queries for published applications available for you to use. These applications are then displayed. When you click a desired application and the Citrix server supports Ticketing, you are automatically logged in. If Ticketing has not been enabled, then you are asked again for your Citrix client credentials.

Obsolete account deletion
With this release, if a user name is not present in the LDAP or Active Directory, the user account on the FirePass controller can be deactivated or deleted. The FirePass controller administrator can specify in the administration interface, how often the synchronization is done in the background, and can have email notification of the deletion or deactivation sent to himself.

Signup template group selection
With this release, you now can enable signup templates for different groups. You can also specify a fall back default group that a user can be assigned to if no group is specified.

Direct link to AskF5
This release adds a direct link from the Administrative Console to AskF5. The link is next to the Help button, and provides you with the latest support information available about the FirePass controller.

PDA VPN Support
This release introduces support for PDA VPN. VPN support is provided by a standalone client downloaded using the browser. We support:

  • iPAQ® PDAs with XScale/ARM processors and Windows® mobile 2003
  • Toshiba® e800 PDA


Support for nFuse Portal using Web Applications
MyIntranet now offers built-in support for Citrix® nFuse web portal. FirePass controller reverse proxy (MyIntranet) can automatically rewrite ICA files without any additional customization, and invoke AppTunnels automatically.

FirePass as a Client Certificate Server
In version 5.2 you can now configure FirePass controller to validate client certificates on the remote access points connecting to the FirePass controller. This new feature offers greater end-point security. There are four ways you can implement this feature:

  • As part of a two-factor authentication system. In addition to knowing his user name and password, a user must have a valid client certificate installed on his remote access point to be able to connect to the FirePass controller.
  • As an extra layer in policy protection for individual access function controls. You can limit access to workstations with valid client certificates installed. For example, you can limit access to the FirePass controller Network Access service to corporate laptops with valid certificates. In this case, users are not able to use the Network Access service from an untrusted location. You can choose to allow access to less sensitive functions (like specific Web Applications) from untrusted devices.
  • As a password-less automatic login mechanism. The existence of a valid client certificate where the certificate's common name (CN) matches the user's logon name enables a single-click automatic logon.
  • As a dynamic group mapping mechanism. A valid client certificate allows use of fields within the client certificate to enable dynamic mapping of users to FirePass controller master or resource groups. This provides for extensive resource policy management based on fields within a client certificate.
Note: Version 5.2 also adds the ability to email the client certificate package directly to the FirePass controller user in Public-Key Cryptography Standard (PKCS) #12 format, including a randomly generated password used for encrypting the client certificate and installation instructions.

Solaris 9 VPN Support
Version 5.2 adds SSL VPN support for Solaris 9.0 clients on SPARC platforms. This feature has the same core functionality as the Linux SSL VPN Client. Users need to download and install the Netscape plugin and server. The instructions for configuring this feature are presented the first time the user clicks the Network Access link within FirePass controller.

Snapshot function
New FirePass controllers shipping after July 6, 2004 support a greatly enhanced back up and recovery feature. With the Snapshot feature, you can create a complete image of the current FirePass controller, including controller software, all user information, and the entire network configuration. The image is saved in a backup partition. You can revert to this image, or to the original manufactured image, if necessary. This provides you with increased control, and gives you the ability to restore a FirePass controller to a specific point prior to an upgrade or a configuration change. For more information, see SOL3244: Backing up and restoring FirePass system software.

FirePass SSL Server Self-Signed Certificates
With this release, the FirePass controller can generate self-signed SSL server certificates, which can be used in place of the default certificate.

Signing ActiveX/Java components with customer certificates
This release of FirePass controller provides a method for customers to download the FirePass controller ActiveX controls and Java applets and sign them with their own internal certificate. This is useful in cases where organizations have policies prohibiting use of ActiveX controls or Java applets unless they are signed by their organization's own certificate.
Note: F5 does not provide assistance with signing the controls and applets. Refer to the appropriate developer documentation on Java and ActiveX.
Important: The custom signing procedure must be repeated after each firmware upgrade.

SSL hardware acceleration and FIPS
FirePass controller 4100 includes two new options:

  • SSL hardware acceleration. The SSL hardware accelerator option speeds SSL key exchange and encryption/decryption in hardware.

  • FIPS. A FIPS 140 level-2 enabled SSL hardware accelerator option provides unique support for FIPS-enabled key and data protection. When in FIPS mode, the FirePass controller supports only a subset of FIPS-approved algorithms after the login screen: RSA signing, AES, 3DES, and SHA-1.


RADIUS mapping
With this version, FirePass controller supports group mapping based on external RADIUS groups. These external groups can be mapped to FirePass controller groups, and users found in a RADIUS group are dynamically moved to the mapped FirePass controller group.

LDAP Synchronization included
We have added the ability to synchronize the FirePass controller with an LDAP database to improve LDAP integration and management.

Network Access Hosts settings temporarily modify client host files (CR40721)
By design, settings on the Network Access : Resources : Hosts screen can modify a local client host file for the duration of the FirePass controller session. This modification is temporary and lasts until the session is ended. Some security tools can restrict access to the host file and prevent modification by the FirePass controller. Note: If a FirePass controller session or browser session ends abnormally, the local host file may be left in a modified state. To correct this, the user should reconnect to the FirePass controller and end the session normally.

Installing FirePass controller configures user interface language correctly
When you install a new version of FirePass controller, the Administrative Console and user interface language now automatically match the configured language of the FirePass controller.
Note: When installing a Korean localized version of FirePass controller, install the English version and use the FirePass controller maintenance console to switch the language to Korean. After making this configuration, subsequent updates retain the Korean setting.

Administrative Console does not show unlicensed features
In version 5.2, the Administrative Console no longer displays features you have not licensed. Licensed features continue to appear and function normally.

Client CRL online updates
In version 5.2, the FirePass controller can periodically retrieve Certificate Revocation Lists (CRLs) from specified URLs, using HTTP or HTTPS. For details, see the online help. Note: Do not use Client CRL online updates if the FirePass controller is configured to generate and issue client certificates to users. In this case, the FirePass controller manages CRLs internally.

Fixes in this release

This release includes the following fixes.

Network Access correctly propagates the remote proxy to Internet Explorer (CR31848)
We corrected an issue that occasionally interfered with using the correct proxy settings for Windows® 2000 and Windows XP remote systems using Internet Explorer with a dialup Internet connection. However, for Windows 95 and Windows 98 remote systems using Internet Explorer with a dialup connection, the Network Access client control might not use the correct proxy settings.

My Email now specifies Thai character set correctly (CR33158)
My Email now provides a configurable language setting. Character sets and MIME encoding should now be correct for languages other than English, Western European languages, and Japanese.

Licensing a FirePass controller that connects to the Internet through a proxy (CR34174)
If the FirePass controller connects to the Internet through a proxy, you can now use the Automatic option when you activate the license.

Protected workspace no longer conflicts with personal firewall settings (CR34675)
If a user has a personal firewall installed on his workstation that asks for confirmation for each special request (for example, traffic ingress and egress), and is working in a protected workspace, the user now sees the firewall dialog box prompts, and can also respond to them.

Standalone Client now displays localized Favorites (CR37363)
The Network Access Standalone VPN Client now displays localized Favorites correctly.

Yahoo! mail page authentication (CR37459)
When you authenticate to Yahoo!® mail using Web Applications, you no longer receive a Page not found error if you have successfully authenticated.

Could not clear checked files from download cart (CR37878)
You can now clear individual files from the download cart when downloading files using the MyFiles feature.

Protected Workspace not localized (CR37966)
For the Protected Workspace control, we have created Japanese and Chinese versions of the Start menu item, the Exit Protected Workspace shortcut, and the error messages.

Localized Favorites do not appear correctly using Mozilla® browsers (CR37989)
Previously, the App Tunnels and Network access client controls could corrupt localized Favorite names for users with Netscape and Mozilla browsers. Now the Favorites appear correctly using these browsers.

Support for Windows XP running McAfee Enterprise 7.1 policy checks (CR38190)
We have added support for Windows® XP and McAfee® Enterprise 7.1 to FirePass 5.2.

Special characters in passwords fail NTLM authentication (CR38251)
Previously, you could not use a Windows 2000 domain server to authenticate users whose passwords contained any of these special characters: & ^ # or $. The FirePass controller authentication routines now process these passwords correctly.

Unable to see Exit from Protected Workspace button on Windows XP (CR38280)
On Windows XP systems, users see the Start menu in Advanced mode by default. For the Exit from Protected Workspace menu item to display, the Protected Workspace control requires the Start menu to be in Classic Start mode. Now the Protected Workspace control switches the registry setting to Classic Start mode while the Protected Workspace is deployed.

Specify an additional IP for xhost program (CR38301)
In this release, we have added the option of specifying a comma-separated second IP address or host name that can be used by the xhost program to allow the specified host to make a connection to the X server running on FirePass controller. You can use this optional setting in an asymmetric network environment when inbound and outbound IP addresses of the custom X client are not the same.

Logout button missing (CR38442, CR39708)
In version 5.0, using the Device Management : Security : Admin Access screen, if you limit access to the Administrative Console based on IP address, the Logout button might disappear. Now it appears correctly under this setting.

Help pages not localized (CR38463)
Localized versions of the user and administrator help pages did not display properly if the browser did not provide a language setting. We now provide a default character set setting matching the FirePass controller's language, and the help now displays correctly even without a browser setting.

Email subject now displays when replying to message (CR38465)
Previously, the subject did not always appear when a user was replying to the message using the FirePass controller email client. The subject now displays appropriately.

Standalone VPN client did not save settings (CR38478)
On Windows 2000 systems, the Standalone VPN client did not retain server addresses and user names properly when you selected the Maintain session information setting. The addresses and names now persist and display properly.

Setup for SSL VPN Drivers on non-English versions for Windows 9x (CR38528)
Previously, the setup for the SSL VPN Driver on Windows 9x could result in a buffer overflow on some International versions of Windows. This resulted in an Access Violation or a system hang. The SSL VPN Driver setup now works correctly.

Problems with files and folders using certain Chinese characters in their names (CR38598)
Previously, you could not create folders or copy files if their names contained characters whose second byte, in Big5 encoding, was a backslash. We have corrected this issue, and you can use these characters in file and folder names.
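
The failure mode behind this fix, as an added example (not FirePass code; the function names and the sample path are constructed for illustration): a byte-level split on the backslash separator misreads the second byte of some Big5 characters, while a split that keeps lead and trail bytes together does not.

```python
# Added illustration of the Big5 trail-byte problem described above.
# Function names and SAMPLE_PATH are constructed; this is not FirePass code.

BACKSLASH = 0x5C  # ASCII '\', also a legal Big5 trail (second) byte


def big5_trail_backslash_chars(name: str) -> list:
    """Return the characters of `name` whose Big5 encoding ends in byte 0x5C."""
    hits = []
    for ch in name:
        try:
            encoded = ch.encode("big5")
        except UnicodeEncodeError:
            continue  # character is not representable in Big5
        if len(encoded) == 2 and encoded[1] == BACKSLASH:
            hits.append(ch)
    return hits


def naive_split(path_bytes: bytes) -> list:
    """Encoding-unaware split: treats every 0x5C byte as a path separator."""
    return path_bytes.split(b"\\")


def big5_aware_split(path_bytes: bytes) -> list:
    """Split on 0x5C only when it is not the trail byte of a Big5 character."""
    parts, current, i = [], bytearray(), 0
    while i < len(path_bytes):
        b = path_bytes[i]
        if 0x81 <= b <= 0xFE and i + 1 < len(path_bytes):
            # Big5 lead byte: consume it together with its trail byte,
            # even if that trail byte happens to be 0x5C.
            current += path_bytes[i:i + 2]
            i += 2
        elif b == BACKSLASH:
            parts.append(bytes(current))
            current = bytearray()
            i += 1
        else:
            current.append(b)
            i += 1
    parts.append(bytes(current))
    return parts


# Constructed sample: a folder whose name is two characters that both
# end in 0x5C when encoded as Big5.
SAMPLE_PATH = "docs\\許功\\a.txt".encode("big5")

if __name__ == "__main__":
    print("affected characters:", big5_trail_backslash_chars("許功"))
    print("naive split:        ", naive_split(SAMPLE_PATH))
    print("Big5-aware split:   ", big5_aware_split(SAMPLE_PATH))
```

The naive split yields five fragments, two of them truncated lead bytes and one empty, which is why folder creation and file copy fail or target the wrong name; the encoding-aware split returns the three intended components.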

Windows Standalone VPN client no longer closes immediately (CR38603)
In version 5.0, the Standalone VPN client occasionally closed upon opening the connection. With this release, the Standalone VPN client works correctly.

Display of Japanese character imports (CR38606)
When importing from a file with Japanese characters for the user names, the names were not properly transferred in previous versions. With version 5.2, the names transfer correctly.

Error installing VeriSign certificates requiring intermediate certificate (CR38615)
In version 5.0, if you added a VeriSign® certificate that required an intermediate certificate, with or without the intermediate certificate itself, you saw this error message: Validity of your certificate can not be verified! Ignoring or bypassing the message could result in the FirePass controller failing to respond to clients connecting to web services configured to use those certificates. Both issues have been resolved, and now you can install certificates requiring intermediate certificates.

New check prevents cross-platform restores (CR38668)
You can no longer restore a FirePass controller backup file to a different hardware platform.

NFS works with localized Chinese versions of FirePass controller (CR38702)
With this release, you can now create an NFS favorite link in Chinese versions of the FirePass controller.

Secure Workspace now presents an error message when %TEMP% variable is incorrect (CR38872)
If the user variable is %TEMP%, and %TEMP% is not specified, is incorrect, or contains an error in the path, the Secure Workspace now provides an error message.

SSL VPN DNS resolution did not work on Mac OS (CR38985)
DNS resolution for SSL VPN did not work on Macintosh® OS systems. This now works correctly.

Standalone virus scanner does not start up as default (CR39005)
The standalone virus scanner was not originally set up to run as the default. We have modified the product so that the standalone virus scanner is now the default.

Ethernet interfaces for heartbeat setup (CR39052)
In version 5.0, when you set up a failover pair (redundant system), the Ethernet interfaces for heartbeat were missing from the configuration list. With this release, the configuration list includes the interfaces for the heartbeat.

Information missing from My Network after accessing a remote host (CR39292)
In previous versions, in rare cases, if you used Desktop Access to access a remote desktop, and then clicked Return to my FirePass Desktop, then Desktop Access, Network Access, and Mobile email might not have been present. You can now use this sequence correctly.

Accessing corporate favorite terminal services no longer causes security exception error (CR39386, CR39388)
Previously, if Terminal Services were limited to corporate favorites, and favorites were created with the list of Terminal Services hosts or with Citrix Metaframe, access to these favorites would fail with a Security Exception message. Now, you can access these favorites under these conditions.

Logged out after impersonating user (CR39407)
Previously, in certain situations, if you used the Impersonate user feature for a user not in the default group, subsequently clicking a link resulted in your being immediately logged out. You can now use this feature without being logged out.

Legacy Host favorites and direct connections no longer display blank page (CR39619)
Previously, using either a legacy host favorite or a direct connection resulted in a blank screen. With Version 5.2, you can use either a legacy host connection or a direct connection.

UNIX files favorites are now visible when using the webtop (CR39628)
Previously, if you accessed the UNIX® files webifyer using the webtop, UNIX files favorites did not display. They now display correctly if you use the webtop.

Proxy authorization was not working (CR40019)
Previously, the FirePass controller proxy authorization (using the user's credentials against a proxy for Web Applications) was not working correctly. The proxy authorization works correctly in version 5.2.

Failover configuration was lost after installing FP1 (CR40212)
If you had FirePass controllers configured as failover pairs, installing Feature Pack 1 would cause the loss of controller configurations. This feature now works correctly in version 5.2.

Speed/duplex negotiation interfering with failover ARP (CR40456)
During failover, the new active controller sends unsolicited ARP (Address Resolution Protocol) packets to update LAN switches and routers. Previously, if the FirePass controller reset the speed/duplex setting of the network interface card during failover, the ARP packets could be lost. In version 5.2, failover under these conditions works correctly without losing ARP packets.

Known issues

The following items are known issues in the current release.

Certificates in Lotus Notes (CR28747)
You can open a Lotus® iNotes® mailbox with an expired server certificate. However, you must have a current certificate to open it using the FirePass controller's My Lotus Notes.

Length limitations on My Files share names (CR28778)
The FirePass controller has the same length limitations on share names as older versions of Windows (Windows 95, Windows 98, and Windows NT). This limitation applies only to share names, not to directory names, file names, or path specifications. Single-byte share names must be 13 characters or less, and double-byte share names must be 6 characters or less.

Deleted emails in My Outlook (CR28854)
If you use an IMAP email server, My Outlook does not provide any visual indication when a user marks an email for deletion.

Viewing UNC or JIS-encoded Japanese text files (CR30091)
On a Japanese FirePass controller, when you display a text file from a UNIX® (NFS) server, My UNIX Files always assumes shift-JIS encoding, even when the browser is set to auto-detect the encoding of the document. As a result, NFS documents that use JIS or UNC encoding do not display correctly.

Passwords containing Euro symbol (CR30346)
When you configure a group with NTLM authentication with a Windows 2000 Primary Domain Controller, and also use the signup by template feature, the FirePass controller does not correctly send passwords containing a € (Euro currency) symbol. Please advise new users not to use this symbol when they select their passwords.

Portal Access navigation after leaving Outlook Web Access (CR30760)
Using Portal Access, once you leave an Outlook Web Access window, links to other sites on the same host generate a Page Not Found error.

Question mark in LDAP URL (CR30914)
If the filter portion of an LDAP query contains an embedded question mark, the query may fail.

After using Setup Wizard, browser generates Page Not Found error (CR30978)
When the Quick Setup wizard finishes, the FirePass controller restarts automatically. The controller's IP address and host name are generally changed during the initial Quick Setup configuration. The browser attempts to connect to the page using the previous IP address, and generates a Page Not Found error. To correct the display, type the new IP address or the new host name in the browser address field, and press the Enter key.

RADIUS authentication in multi-group environments (CR31381)
If you use RADIUS authentication for some, but not all, groups, and you also use signup by templates, authentication may sometimes fail. You can often solve this problem by clearing the Allow Authenticated Signup by Template option for all groups, using the Users : Signup Templates screen, and then selecting the option again for each group.

Host name after Quick Setup (CR31505)
When you use the Quick Setup for initial configuration of the FirePass controller, ordinarily you change the host name of the controller. After you restart the controller, your browser still attempts to connect to the previous (default) host name. You must enter the new host name in your browser address field to reconnect to the configured FirePass controller.

Configuring basic HTTP authentication against an external server (CR31506)
If you configure a group to authenticate users over HTTP, you must specify an object in the path you set for the external server. Otherwise, authentication fails. For example, the URL fails, but succeeds.

Progress bar during online update (CR31670)
During an online update of FirePass controller software, occasionally the third progress bar freezes, and does not indicate the true status of the update. The update, however, ordinarily completes as expected.

Page refresh corrupts the online upgrade (CR34238)
If you begin an online upgrade operation, and then perform any action that refreshes the upgrade page while the online upgrade is in progress (including opening a new browser window), the page refresh corrupts the upgrade. Do not disturb an upgrade while it is running.

You cannot use IMail Server from (vendor) Ipswitch with My Email (CR34504)
If you use Ipswitch's IMail Server configured as a POP server, you receive erroneous authentication failures with My Email. However, you can use this mail server configured as an IMAP server.

Network Access sessions limit (CR34535)
Network Access (previously called SSL VPN) connections cannot exceed 1024 concurrent sessions.

Duplicate records in Extra Access log (CR34544)
Each record in the Extra Access log occurs twice.

International characters in file names (CR35244)
File access cannot display, open, download, or delete files with some non-English characters in their names.

You cannot delete a UNIX directory (CR36352)
You cannot delete a UNIX® Network File Share directory while accessing the file system using the FirePass controller's UNIX Files function.

Installing Network Access control on Xandros (CR36745)
Automatic installation of the FirePass Network Access control fails under the su option, and may also fail under the sudo option. If Xandros Linux users cannot install the control automatically, advise them to follow the directions for manual installation, given in the Network Access user help page.

App Tunnels drive mapping fails with invalid or missing SSL server certificate (CR36803)
If you have not yet purchased and installed a valid SSL certificate on the FirePass controller, then when a user attempts to connect to a mapped drive using App Tunnels, his first attempt in a session usually fails. Subsequent attempts using the Relaunch button may succeed. However, we recommend installing a valid server certificate as soon as possible.

Moving users among groups can result in misconfiguration (CR36808)
When you move a user from one group to another, the FirePass controller does not prompt for additional data that may be required by the target group. For example, a user moved from a group using LDAP authentication to a group using internal database authentication may lack a password in the internal database account record. This misconfiguration can potentially result in failures of authentication. To prevent these failures, verify the completeness of user account records using the Users : User Management screen.

Problem displaying quotes when editing Web Application URL variables (CR36982)
The Url variables box of the Portal Access : Web Applications screen has some trouble displaying quotation marks. If you type quotation marks [a "double-quote"] when you add or edit a URL variable for an Intranet favorite, when you click Update the typed value disappears and instead shows as a backslash [\]. If you type an apostrophe ['single-quote'], the apostrophe displays, but an added backslash [\] appears before it. In both cases, however, the URL variables and the strings within the quotation marks are stored and processed correctly.

Accessing Domino Web Access using Windows 98 (CR36816)
Using Windows® 98, users may see only a blank screen after logging in to a Domino Web Access® (DWA) site through Web Applications. This problem usually can be resolved by suppressing the default Home/Logout tab injection, for Domino Web Access pages. To suppress Home/Logout tab injection:

  1. Navigate to the Portal Access : Web Applications : Content Processing screen.

  2. Click the Global Settings link at the top of the screen.

  3. In the "Home/Logout" tab injection section, type a URL pattern match that filters for your DWA site.

  4. Click the Update button.

  5. Click the service restart link, and click the Go! button.

Network Access fails on Windows 2000 computer (CR37050)
If you use Windows® 2000 with Service Pack 4 installed, when you attempt to install the Network Access client control, you may receive the following error message: An error occurred during the installation of the device. The inf or the device information set or element does not match the specified install class. The installation fails. This is a Microsoft problem described on this Microsoft support page. The page describes some possible interventions to perform on the system registry, but we do not recommend them.

Authentication does not check proxy settings (CR37072)
FirePass controller form-based authentication does not check or use proxy settings or proxy server credentials. Do not configure a FirePass controller to perform HTTP or HTTPS-based authentication using a proxy server.

Unsupported browser on Linux system for Network Access session results in misleading error (CR37113)
If you use an unsupported browser (for example, Opera®) on a Linux® system to establish a Network Access connection, you may receive a misleading error message: This is for Win32 OS only. In fact, you can establish a Network Access connection from x86-based Linux systems, but you must use a supported browser (Mozilla 1.6 or 1.7).

Network Access over dialup connection where IPSec VPN client is present (CR37127)
You cannot use Network Access over a dialup connection from a remote Windows® 2000 or Windows XP system that also has a Check Point® SecuRemote/SecureClient IPSec VPN client installed. You can use Network Access over dialup with a Check Point IPSec VPN client; however, the Network Access connection may take a long time to close, and you must drop and redial the connection to the ISP in order to continue with Internet access.

Second Telnet connection to Maintenance Console (CR37213)
Using the Telnet access feature on the Maintenance : Troubleshooting Tools screen, a second attempt to connect to the Maintenance Console screen may fail, leaving the Admin Console unresponsive. In that case, close the browser and log in again.

Safari 1.0 browser on OS X 10.2 doesn't work with Network Access (CR37217)
The Network Access control for Macintosh® OS X version 10.2 does not install properly under the Safari® 1.0 browser. The page repeatedly prompts you to install it, even if you have already installed it, but you cannot use it.

High traffic levels on Management port can cause 4100 platform to reboot unexpectedly (CR37341)
On a 4100 hardware platform, high levels of traffic through the Management port may cause the unit to reboot. The Management port is intended only for direct connection to the Administrative Console. We do not recommend connecting the FirePass controller to the LAN using this port. An unexpected 4100 reboot can also occur if you connect to the Management port with a hub, due to high levels of traffic on the hub. Use a switch rather than a hub when connecting to the Management port.

Saving RSA key using Legacy Hosts with SSH terminal (CR37383)
When you use Legacy Hosts with a terminal type of SSH, and you use a recent version of SSH, you may see a prompt asking if you want to save the RSA key fingerprint for the target server. You must reply Yes to continue the connection. However, you see this error message: Failed to add the host to the list of known hosts (/home/uroam/.ssh/known_hosts). You cannot save the RSA key fingerprint. Disregard the error message.

Cannot log in after changing name of My Desktop system (CR37441)
If you change the system name of an installed My Desktop computer, take these steps to access it again using My Desktop:

  1. Delete the previous name using the Desktop Access : Installed Desktops screen.

  2. Delete the old key using the Desktop Access : Key Management screen.

  3. Using the same screen, generate a new key.

  4. Reinstall the Desktop Agent on the target computer, using the new key.

Installing Network Access client on Red Hat Linux (CR37476)
Installing the Network Access client occasionally fails on these and some other Linux distributions: Red Hat® 8 using the Mozilla® 1.0 browser, and Red Hat 9 using the Mozilla 1.2 browser. In that case, follow the instructions for manual installation, given in the user help for Network Access.

Undocumented limitation on Group name length (CR37544)
Group names must be 16 characters or less in length. Entering a longer name gives an error message, but the message does not indicate the maximum allowable name length.

Network Access summary status on Windows 98 systems (CR37554)
On Windows® 98 systems, the Network Access client control does not update the packet status, visible on the Summary tab. However, the session functions correctly.

User home page not correctly customized (CR37615)
The controls on the Users : User Experience screen sometimes fail to resequence categories on the users' home pages, or to govern the font sizes as intended.

Restarting Network Access on Linux systems (CR37690)
On some Linux distributions, you cannot start second and subsequent Network Access sessions within a single browser session, immediately after closing the first connection. Either wait two minutes, or restart your browser.

Incomplete cipher security changes may lock you out of the Administrative Console (CR37701, CR33703)
Using the Device Management : Security : User Access Security screen, if you enforce higher-grade SSL security, but you do not restart services, subsequent attempts to log in may fail. When you change security settings, always click the (Requires server restart.) link in the HTTPS settings screen header. If you did not restart services and you cannot log in after changing cipher settings, take these steps, if your browser allows it:

  1. In your browser, disable all ciphers lower than 168-bit Triple DES and 256-bit AES.

  2. Log in again as administrator.

  3. Restart services using the Device Management : Maintenance : Restart Services screen.

  4. Restart the FirePass controller.

Folder names not completely localized when using Protected Workspace (CR38016)
Some folder names in the Protected Workspace, including the My Documents folder, may appear in English on localized Windows XP systems.

File Corruption when downloading Chinese zipped folders (CR38063)
In version 5.0, if a path contains two or more Chinese folders, then the zipname file name can become corrupted.

Multiple SSL-VPN Support on PDA lacking (CR39147)
The PDA SSL VPN client does not support multiple SSL VPN favorites in this release.

Deleted messages in mobile email are missing (CR39288)
You cannot view deleted messages in the FirePass controller mobile email folder.

AppTunnels/VPN/Terminal Server do not work on Windows XP with Service Pack 2 Final (CR39338)
AppTunnels, SSL VPN, and Terminal Server connections do not work on computers running Windows XP with Service Pack 2 installed. For more information, see SOL3289: FirePass compatibility with Windows XP Service Pack 2 clients.

The start VPN connection button on the PDA SSL VPN does not toggle (CR39429)
The Start VPN connection button on the PDA SSL VPN client does not become the Stop VPN connection button after you start a connection. You can successfully start the connection using the button.

Nested multipart MIME email attachments missing in mobile email (CR40033)
When users read email with nested, multipart MIME attachments using the FirePass controller mobile email service, the attachments may be lost.

Desktop installation prompt not translated (CR40126)
When installing the FirePass controller desktop on a computer configured for Chinese Windows, a Copying files message appears in English instead of in Chinese.

4100 False Fan Failure Report (CR40336)
On the 4100, when one fan has failed, the hardware platform reports all six fans in a failed state. If you receive an alert, contact your service representative.

Correct time and timezone must be set for all FirePass controller units in a cluster (CR40467)
In Version 5.2 it is important to ensure that both the current time and timezone are set for all units in the FirePass controller cluster.

4K SSL Server Certificate not supported with FIPS (40474)
Version 5.2 with FIPS supports 512-, 1024-, and 2048-bit SSL Server Certificates only.

User deactivated during test mapping of Active Directory group (CR40491)
In certain cases, if a user is manually added to a FirePass controller group but is not a valid user in Active Directory, and you run a FirePass controller test mapping operation using Active Directory, FirePass controller incorrectly deactivates the user.

Opera 7.54 not supported (CR40494)
In version 5.2 of FirePass controller, Opera version 7.54 is not supported.

Drive Mapping - Adding a share with duplicate name removes old share (CR40546)
If you add a new drive mapping share with the same name as an existing drive mapping share, the existing share is overwritten with the new drive mapping.

Installation issue with SSL-VPN on Solaris (CR40568)
In version 5.2, the LD_LIBRARY_PATH must be set in order for the SSL VPN plugin to work correctly. This issue can be resolved by setting the environment variable to LD_LIBRARY_PATH=/usr/local/lib.

Desktop installation caption is in English (CR40603)
When you install Desktop Access, the caption Uncompressing files displays in English, even in localized copies of FirePass controller. If an invalid installation key is used, a second untranslated message appears: Invalid product code, please retry.

Terminal Services not supported on Macintosh (CR40618)
Terminal services are not supported on Macintosh® systems.

Web application default URL comes from last resource group (CR40637)
The default URL for a web application is determined at a resource group level. If a user has multiple resource groups assigned to him, the web application default is picked up from the last resource group assigned to a user.

Active Directory mapping test displays Administrator in First name field (CR40694)
With dynamic group mapping and Active Directory, a test mapping of a user on the Users : Groups : Dynamic Group Mapping screen may return a false first name of Administrator rather than the actual first name of the user. This error occurs only with the test mapping. Actual mapping by the FirePass controller works correctly, and the user can log on without problem.

Install intermediate client certificate by installing along with root certificate (CR40697)
In order to install an intermediate client certificate, you should install it along with the client root certificate under Device Management : Security : Certificates : Client Root Certificate. To do this, paste the client root certificate into the client root certificate box, then paste the intermediate client certificate in.

Switching standalone VPN client from advanced to simple mode results in lost connections (CR40702)
When you establish a connection using the standalone VPN client in advanced mode, you can have multiple types of connections (SSL VPN and App Tunnel). In simple mode, the standalone VPN client only supports SSL VPN connections. Any other connections are terminated. This is by design.

Test mapping from LDAP displays Administrator in First name field (CR40755)
With dynamic group mapping and LDAP, a test mapping of a user on the Users : Groups : Dynamic Group Mapping screen may return a false first name of Administrator rather than the correct first name of the user. This error occurs only with the test mapping. Actual mapping by the FirePass controller works correctly, and the user can log on without problem.

NFS Users import is documented incorrectly in online help (CR40759)
The online help page for the Portal Access : Unix Files : Import NFS Users screen incorrectly states that the /etc/passwd file includes the $passwd field. The $passwd field does not appear in the /etc/passwd file.

Restoring a FirePass controller backup file disables Desktop Access (CR40821)
If you restore a FirePass controller backup file from one controller to a different controller, Desktop Access stops working. Note: This only affects those customers using the Desktop Access feature.

To correct the problem:

  1. Navigate to the Device Management : Configuration : Clustering and Failover screen on the original FirePass controller.

  2. Locate and copy the Cluster/Failover Global ID value.

  3. Navigate to the same location on the restored controller.

  4. Type or paste the ID into the Cluster/Failover Global ID box, and click the Apply Clustering/Failover Settings button.


If the original FirePass controller is not available, you can copy the global ID from the Windows Registry of a client workstation with Desktop Access installed.

To copy the global ID from the Windows Registry:

  1. Run Regedit on the client workstation.

  2. Navigate to HKEY_CURRENT_USER\Software\uRoam\RoamHome Agent\USER

  3. Copy the value listed under PartnerID.

  4. As in the procedure above, type or paste the copied ID into the Cluster/Failover Global ID box on the restored FirePass controller, and click the Apply Clustering/Failover Settings button.


Korean user interface localization missing (CR40836)
In version 5.2, Korean localization of the FirePass controller user interface is missing. Messages appear in English instead of Korean, even when Korean is selected from the Maintenance Console. To fix this problem, download and install hotfix HF-40836-1. Note: This hotfix applies only to version 5.2 of FirePass controller.

AppTunnels not supported on Mac OS and Linux
FirePass controller does not support AppTunnels on Macintosh® or Linux® computer systems.
