Software Release Date: 10/18/2004
Updated Date: 08/30/2013
This release note documents the version 5.2.1 maintenance release of the FirePass controller. It applies to both the English edition and the localized editions.
To review the features introduced in this release, see New features and fixes in this release. Existing customers can apply the software upgrade to version 5.x. For information about installing the software, please refer to Installing the software.
Note: Version 5.2.1 replaces version 5.2 and includes all features and fixes from version 5.2.
Note: F5 now offers both feature releases and maintenance releases. For more information on our new release policies, please see Description of the F5 Networks software version number format.
Important: If you are upgrading from version 4.x, you must upgrade to version 5.0 before installing version 5.2.x. For additional information, refer to SOL3530: Known Issue: X Windows access may not work after upgrading to FirePass versions 5.2 or 5.2.1.
The minimum system requirements for this release are:
The supported browsers for the FirePass controller Administrative Console are:
The supported browsers for end-users are those listed for the Administrative Console, and also these additional browsers:
This release supports the following platforms:
If you are unsure which platform you have, check the help page for the Device Management : Welcome screen of the Administrative Console.
Warning: Version 5.2.1 does not support Windows® XP Service Pack 2. For the latest information, see SOL3289: FirePass compatibility with Windows XP Service Pack 2 clients.
Warning: Prior to upgrading any FirePass controller, it is important to finalize all your network configuration settings. To do this, click Device Management on the navigation pane, expand Configuration, and click Network Configuration. Click the Finalize tab at the upper right to finalize your network configuration changes. If the Finalize tab does not appear on the Network Configuration screen, your configuration has been finalized.
Important: Back up the FirePass controller configuration before upgrading the controller. To back up the configuration, click Device Management on the navigation pane, expand Maintenance, and click Backup/Restore. Click the Create backup of your current configuration link to back up the FirePass controller configuration. See the online help for details.
If you have a newer FirePass controller, use the Snapshot feature to back up the entire controller configuration. For more information, see New features and fixes in this release.
Important: If you installed Feature Pack 1-3, leave the feature pack installed when you upgrade the FirePass controller. Removing Feature Pack 1-3 could result in loss of group configuration. Version 5.2.1 installs on top of Feature Pack 1-3 and can be applied to version 5.x.
Note: When you upgrade from version 4.x or version 5.0, the upgrade process automatically creates one master group and one resource group for each existing FirePass group, to comply with the new groups functionality. If you have configured the same network resource as a Favorite for more than one existing FirePass group, that resource appears in each group's new, corresponding resource group. In that case, you may want to reorganize your resource groups to reduce duplication, and to take advantage of the new functionality. For more information, see the descriptions of master and resource groups in New features and fixes in this release.
The following instructions explain how to install FirePass 5.2.1 onto existing systems running version 5.x.
The following instructions explain how to install the FirePass controller version 5.2.1 onto existing systems running version 5.x and later.
For more information about installing, licensing, and configuring Release 5.2.1, or to install a new appliance, please refer to chapter 2 of the FirePass Controller Handbook.
Important: Version 5.0 introduced a new licensing procedure. To upgrade from version 4.x to FirePass controller version 5.2.1, you must first obtain a Base Registration Key. Do not upgrade a FirePass controller running version 4.x to version 5.2.1 until you have received the Base Registration Key.
The following instructions explain how to obtain a new Base Registration Key, install FirePass controller version 5.2.1, and activate your license on existing systems running version 4.x.
The following instructions describe how to obtain your new Base Registration Key. Follow the directions for the software version you currently use. If you are upgrading any version 4.x FirePass controller, you must obtain a new Base Registration Key from the F5 Networks upgrade server.
To obtain a new Base Registration Key from the upgrade server:
The upgrade server returns your new Base Registration Key.
If the upgrade server cannot find a record for your current Base Registration Key, it may prompt you to contact F5 customer support.
The following instructions explain how to install the FirePass controller version 5.2.1 onto existing systems running version 4.x.
After you upgrade the FirePass controller to version 5.2.1, you must activate your license.
If you selected the Automatic registration method:
- Accept the End User License Agreement, and provide your business email address and contact details at the prompts.
Your license file appears.
- Click the Continue button to activate and install your license.
It may take several seconds for the license to become valid.
If you selected the Manual registration method:
- The Activate License screen appears. Highlight all of the contents of the Product Dossier box.
- Copy the entire item to your local system's clipboard.
- Below the Product Dossier box, click the Click here to access F5 Licensing Server link.
The Activate F5 License screen appears in a new browser window. If you cannot connect to the licensing server, please contact Technical Support.
- On the Activate F5 License screen, paste the Product Dossier item you copied in step 2 into the Enter your dossier box.
- On the Activate F5 License screen, click the Activate button.
- Accept the End User License Agreement, and provide your business email address at the prompt.
After a few moments, the licensing server displays your new license file.
- Select all of the text in the License File text box on the Activate F5 License screen, and copy it to your system's clipboard.
- Return to the FirePass controller browser window. You should still be on the Device Management : Maintenance : Activate License screen.
- Paste the text you copied from the licensing server into the License File text box.
- Click the Install License button.
Some confirmation messages appear.
- Click the Continue button to activate and install your license. It may take several seconds to validate the license.
For more information about installing, licensing, and configuring Release 5.2.1, or to install a new appliance, please refer to chapter 2 of the FirePass Controller Handbook.
This release includes the following new features and fixes.
Support for multiple group membership
With version 5.2.1, you can provide an end-user with all the preconfigured Favorites from more than one group. You can assign a user to one main group for purposes of authentication, Network access filtering policies, group mapping, and Far End Security policies. Then you can provide access to additional resources, or Favorites, by designating additional groups as auxiliary groups. On the User Home Page (webtop), all Favorites from both the main group and all auxiliary groups appear together in a single, undifferentiated list.
Support for Active Directory native mode (Kerberos) Authentication
The FirePass controller can now use Kerberos to authenticate users with an Active Directory server in native mode. We have added Active Directory support for FirePass controller authentication, user import, and group mapping features. You can delete obsolete Active Directory accounts from FirePass controller groups, and users can change their expired Active Directory passwords using the FirePass controller.
Enhanced group management
New views of FirePass controller groups consolidate and simplify access to most group management operations. From a single summary screen, you can view and access the authentication, signup template, far end policy, and user experience settings of any group. From the same table view, you also have direct access to user management functions for each listed group, and you can easily list, add, move, and delete group members.
Enhanced VLAN support
The FirePass controller now supports general Virtual LAN (VLAN) capabilities, including the ability to create VLAN interfaces, assign IP addresses to them, configure web services, and create simple and advanced routing rules. Using this feature, you can map incoming Network Access connections to different VLANs, based on sets of IP pools (which may be associated with individual FirePass controller groups). The individual VLANs may internally use the same set of IP addresses. For detailed directions on configuring VLANs using the new support, see the online help for the Device Management : Configuration : Network Configuration : VLAN screen.
Resource Groups for Favorites
The FirePass controller now supports two kinds of groups: master groups and resource groups.
With version 5.2.1, to add, edit, or delete all Favorites, use the Users : Groups screen and click Resource Groups. Perform all other aspects of group-specific configuration as before, using the various Network Access, Portal Access, Application Access, and Desktop Access screens.
Assigning aliases to reference Favorites
With this release, you can configure Favorites for a group by creating aliases that reference other Favorites already pre-configured for other groups. If you later change the configuration of the source Favorite, the change applies across all groups that use an alias to reference the source Favorite.
If you delete the source Favorite, the FirePass controller offers two options:
Customizing the User Home Page (webtop) separately, for each user
Version 5.2.1 allows you to customize the User Home Page (webtop) separately for different virtual server names or for distinct Universal Resource Indicators (URIs). For more information, please see the online help for the Device Management : Customization screen.
Accessing FTP sites using Portal Access : Web Applications
You now can access an FTP site directly using Portal Access : Web Applications (My Intranet). Portal Access supports passive FTP download. You must know the full path to a file before you can retrieve it. You cannot browse an FTP directory using Portal Access.
Citrix Metaframe Portal support
This release contains support for Citrix Metaframe Portal®. The FirePass controller administrator can configure this type of terminal service access. When you connect to the Citrix Metaframe Portal favorite on the webtop, you are asked for your credentials. The FirePass controller then logs you into every Citrix server, and queries for published applications available for you to use. These applications are then displayed. When you click a desired application and the Citrix server supports Ticketing, you are automatically logged in. If Ticketing has not been enabled, then you are asked again for your Citrix client credentials.
Obsolete account deletion for remote authentication
With this release, if a user name is not present in LDAP or Active Directory, the user account on the FirePass controller can be deactivated or deleted. In the administration interface, the FirePass controller administrator can specify how often the synchronization is done in the background, and can have email notification of the deletion or deactivation sent to himself.
Signup template group selection
With this release, you now can enable signup templates for different groups. You can also specify a fall back default group that a user can be assigned to if no group is located.
Direct link to AskF5
This release adds a direct link from the Administrative Console to AskF5. The link is next to the Help button, and provides you with the latest support information available about the FirePass controller.
PDA VPN Support
This release introduces support for PDA VPN. VPN support is provided by a standalone client downloaded using the browser. We support:
Support for nFuse Portal using Web Applications
MyIntranet now offers built-in support for Citrix® nFuse web portal. FirePass controller reverse proxy (MyIntranet) can automatically rewrite ICA files without any additional customization, and invoke AppTunnels automatically.
FirePass as a Client Certificate Server
In version 5.2.1 you can now configure FirePass controller to validate client certificates on the remote access points connecting to the FirePass controller. This new feature offers greater end-point security. There are four ways you can implement this feature:
Note: Version 5.2.1 also adds the ability to email the client certificate package directly to the FirePass controller user in Public-Key Cryptography Standard (PKCS) #12 format, including a randomly generated password used for encrypting the client certificate and installation instructions.
Solaris 9 VPN Support
Version 5.2.1 adds SSL VPN support for Solaris 9.0 clients on SPARC platforms. This feature has the same core functionality as the Linux SSL VPN Client. Users need to download and install the Netscape plugin and server. The instructions for configuring this feature are presented the first time the user clicks the Network Access link within FirePass controller.
New FirePass controllers shipping after July 6, 2004 support a greatly enhanced back up and recovery feature. With the Snapshot feature, you can create a complete image of the current FirePass controller, including controller software, all user information, and the entire network configuration. The image is saved in a backup partition. You can revert to this image, or to the original manufactured image, if necessary. This provides you with increased control, and gives you the ability to restore a FirePass controller to a specific point prior to an upgrade or a configuration change. For more information, see Solution 3244: Backing up and restoring FirePass system software on AskF5.
FirePass SSL Server Self-Signed Certificates
With this release, the FirePass controller can generate self-signed SSL server certificates, which can be used in place of the default firepass.company.xyz certificate.
Signing ActiveX/Java components with customer certificates
This release of FirePass controller provides a method for customers to download the FirePass controller ActiveX controls and Java applets and sign them with their own internal certificate. This is useful in cases where organizations have policies prohibiting use of ActiveX controls or Java applets unless they are signed by their organization's own certificate.
Note: F5 does not provide assistance with signing the controls and applets. Refer to the appropriate developer documentation on Java and ActiveX.
Important: The custom signing procedure must be repeated after each firmware upgrade.
SSL hardware acceleration and FIPS
FirePass controller 4100 includes two new options:
With this version, FirePass controller supports group mapping based on external RADIUS groups. These external groups can be mapped to FirePass controller groups, and users found in a RADIUS group are dynamically moved to the mapped FirePass controller group.
LDAP Synchronization included
We have added the ability to synchronize the FirePass controller with an LDAP database to improve LDAP integration and management.
Installing FirePass controller configures user interface language correctly
When you install a new version of FirePass controller, the Administrative Console and user interface language now automatically match the configured language of the FirePass controller.
Note: When installing a Korean localized version of FirePass controller, install the English version and use the FirePass controller maintenance console to switch the language to Korean. After making this configuration, subsequent updates retain the Korean setting.
Administrative Console does not show unlicensed features
In version 5.2.1, the Administrative Console no longer displays features you have not licensed. Licensed features continue to appear and function normally.
Client CRL online updates
In version 5.2.1, the FirePass controller can periodically retrieve Certificate Revocation Lists (CRLs) from specified URLs, using HTTP or HTTPS. For details, see the online help. Note: Do not use Client CRL online updates if the FirePass controller is configured to generate and issue client certificates to users. In this case, the FirePass controller manages CRLs internally.
Network Access Hosts settings temporarily modify client host files (CR40721)
By design, settings on the Network Access : Resources : Hosts screen can modify a local client host file for the duration of the FirePass controller session. This modification is temporary and lasts until the session is ended. Some security tools can restrict access to the host file and prevent modification by the FirePass controller. Note: If a FirePass controller session or browser session ends abnormally, the local host file may be left in a modified state. To correct this, the user should reconnect to the FirePass controller and end the session normally.
Download link for Pocket PC VPN added to MiniBrowser (CR41209)
This release adds a download link to the webtop for the Pocket PC Network Adapter client.
Alert user if browser has popup blocker enabled (CR41232)
This release includes a new alert that displays if the user's browser has a popup blocker enabled.
Note: The alert does not display for the AOL® popup blocker in Internet Explorer or the Yahoo!® popup blocker.
This release includes the following fixes. Fixes related to non-English (localized) editions are listed separately, in the Localization Fixes section, below.
Network Access correctly propagates the remote proxy to Internet Explorer (CR31848)
We corrected an issue that occasionally interfered with using the correct proxy settings for Windows® 2000 and Windows XP remote systems using Internet Explorer with a dialup Internet connection. However, for Windows 95 and Windows 98 remote systems using Internet Explorer with a dialup connection, the Network Access client control might not use the correct proxy settings.
Licensing a FirePass controller that connects to the Internet through a proxy (CR34174)
If the FirePass controller connects to the Internet through a proxy, you can now use the Automatic option when you activate the license.
Protected workspace no longer conflicts with personal firewall settings (CR34675)
If a user has a personal firewall installed on his workstation that asks for confirmation for each special request (for example, traffic ingress and egress), and is working in a protected workspace, the user now sees the firewall dialog box prompts, and can also respond to them.
Yahoo! mail page authentication (CR37459)
When you authenticate to Yahoo!® mail using Web Applications, you no longer receive a Page not found error if you have successfully authenticated.
Could not clear checked files from download cart (CR37878)
You can now clear individual files from the download cart when downloading files using the MyFiles feature.
Support for Windows XP running McAfee Enterprise 7.1 policy checks (CR38190)
We have added support for Windows® XP and McAfee® Enterprise 7.1 to FirePass 5.2.1.
Special characters in passwords fail NTLM authentication (CR38251)
Previously, you could not use a Windows 2000 domain server to authenticate users whose passwords contained any of these special characters: & ^ # or $. The FirePass controller authentication routines now process these passwords correctly.
Unable to see Exit from Protected Workspace button on Windows XP (CR38280)
On Windows XP systems, users see the Start menu in Advanced mode by default. For the Exit from Protected Workspace menu item to display, the Protected Workspace control requires the Start menu to be in Classic Start mode. Now the Protected Workspace control switches the registry setting to Classic Start mode while the Protected Workspace is deployed.
Specify an additional IP for xhost program (CR38301)
In this release, we have added the option of specifying a comma-separated second IP address or host name that can be used by the xhost program to allow the specified host to make a connection to the X server running on FirePass controller. You can use this optional setting in an asymmetric network environment when inbound and outbound IP addresses of the custom X client are not the same.
Logout button missing (CR38442, CR39708)
In version 5.0, using the Device Management : Security : Admin Access screen, if you limit access to the Administrative Console based on IP address, the Logout button might disappear. Now it appears correctly under this setting.
Email subject now displays when replying to message (CR38465)
Previously, the subject did not always appear when a user was replying to the message using the FirePass controller email client. The subject now displays appropriately.
Standalone VPN client did not save settings (CR38478)
On Windows 2000 systems, the Standalone VPN client did not retain server addresses and user names properly when you selected the Maintain session information setting. The addresses and names now persist and display properly.
Windows Standalone VPN client no longer closes immediately (CR38603)
In version 5.0, the Standalone VPN client occasionally closed upon opening the connection. With this release, the Standalone VPN client works correctly.
Error installing VeriSign certificates requiring intermediate certificate (CR38615)
In version 5.0, if you added a VeriSign® certificate that required an intermediate certificate, with or without the intermediate certificate itself, you saw this error message: Validity of your certificate can not be verified! Ignoring or bypassing the message could result in the FirePass controller failing to respond to clients connecting to web services configured to use those certificates. Both issues have been resolved, and now you can install certificates requiring intermediate certificates.
New check prevents cross-platform restores (CR38668)
You can no longer restore a FirePass controller backup file to a different hardware platform.
NFS works with localized Chinese versions of FirePass controller (CR38702)
With this release, you can now create an NFS favorite link in Chinese versions of the FirePass controller.
Secure Workspace now presents an error message when %TEMP% variable is incorrect (CR38872)
If the user variable is %TEMP%, and %TEMP% is not specified, is incorrect, or contains an error in the path, the Secure Workspace now provides an error message.
SSL VPN DNS resolution did not work on Mac OS (CR38985)
DNS resolution for SSL VPN did not work on Macintosh® OS systems. This now works correctly.
Standalone virus scanner does not start up as default (CR39005)
The standalone virus scanner was not originally set up to run as the default. We have modified the product so that the standalone virus scanner is now the default.
Role-based administrators creating new users (CR39029)
Previously, an administrator with limited authorities could not create new user accounts, even if he or she had user management privileges. We have corrected this issue, and now administrators with user management authority can create new user accounts.
Ethernet interfaces for heartbeat setup (CR39052)
In version 5.0, when you set up a failover pair (redundant system), the Ethernet interfaces for heartbeat were missing from the configuration list. With this release, the configuration list includes the interfaces for the heartbeat.
Information missing from My Network after accessing a remote host (CR39292)
In previous versions, in rare cases, if you used Desktop Access to access a remote desktop and then clicked Return to my FirePass Desktop, then Desktop Access, Network Access, and Mobile email might not have been present. You can now use this sequence correctly.
Accessing corporate favorite terminal services no longer causes security exception error (CR39386, CR39388)
Previously, if Terminal Services were limited to corporate favorites, and favorites were created with the list of Terminal Services hosts or with Citrix Metaframe, access to these favorites would fail with a Security Exception message. Now, you can access these favorites under these conditions.
Logged out after impersonating user (CR39407)
Previously, in certain situations, if you used the Impersonate user feature for a user not in the default group, subsequently clicking a link resulted in your being immediately logged out. You can now use this feature without being logged out.
Legacy Host favorites and direct connections no longer display blank page (CR39619)
Previously, using either a legacy host favorite or a direct connection resulted in a blank screen. With Version 5.2.1, you can use either a legacy host connection or a direct connection.
UNIX files favorites are now visible when using the webtop (CR39628)
Previously, if you accessed the UNIX® files webifyer using the webtop, UNIX files favorites did not display. They now display correctly if you use the webtop.
Proxy authorization was not working (CR40019)
Previously, the FirePass controller proxy authorization (using user's credentials against a proxy for Web Applications) was not working correctly. The proxy authorization works correctly in version 5.2.1.
FirePass Active Directory functions failed (CR40210)
If your Active Directory contained groups without a SAM-Account-Name attribute (sAMAccountName) set, the FirePass controller Active Directory-based functions failed (authentication, group mapping, user import). These functions now work on groups without a SAM-Account-Name attribute set.
Failover configuration was lost after installing FP1 (CR40212)
If you had FirePass controllers configured as failover pairs, installing Feature Pack 1 would cause the loss of controller configurations. This feature now works correctly in this version.
Active Directory import of users slow, returned incomplete information (CR40247)
When you tried to use Active Directory to import many users, the import took a long time and the results were sometimes incomplete. You can now use the Active Directory user import feature as designed.
Note: The user import function may still take several minutes when you import large numbers of users.
SSL VPN did not automatically fail over when active controller restarted (CR40384)
If the active controller in a failover pair restarted, SSL VPN connections did not automatically switch over to the new active controller. SSL VPN connections now fail over as intended.
Speed/duplex negotiation interfering with failover ARP (CR40456)
During failover, the new active controller sends unsolicited ARP (Address Resolution Protocol) packets to update LAN switches and routers. Previously, if the FirePass controller reset the speed/duplex setting of the network interface card during failover, the ARP packets could be lost. In version 5.2.1, failover under these conditions works correctly without losing ARP packets.
FIPS card disabled because of firmware issue (CR40791)
The vendor providing F5 Networks with the FIPS card has identified a bug in their firmware that can make the FIPS card unstable after licensing. As a result, all 4100 FirePass controllers are shipped with FIPS disabled. You should enable the FIPS card only after installing the version 5.2.1 release.
To enable the FIPS card:
Interface list on IP Address screen was empty after upgrade (CR40942)
In rare cases, after upgrading to version 5.2, the list of interfaces on the IP Address screen was empty. The IP Address screen now displays configured interfaces correctly after an upgrade.
FIPS synchronization error on failover/clustering systems (CR41067)
On FirePass controllers with FIPS cards installed, failover or clustering synchronization could fail with a Cannot load certificate error. Synchronization now occurs without error on FirePass controllers equipped with FIPS cards.
Content processing script overwritten by upgrading to 5.2 (CR41089)
Upgrading to version 5.2 of FirePass controller overwrote any existing content processing script. With version 5.2.1, the upgrade does not overwrite content processing scripts.
This release includes the following fixes related to non-English (localized) editions of the FirePass controller.
My Email now specifies Thai character set correctly (CR33158)
My Email now provides a configurable language setting. Character sets and MIME encoding should now be correct for languages other than English, Western European languages, and Japanese.
Standalone Client now displays localized Favorites (CR37363)
The Network Access Standalone VPN Client now displays localized Favorites correctly.
Protected Workspace now localized (CR37966)
For the Protected Workspace control, we have created Japanese and Chinese versions of the Start menu item, the Exit Protected Workspace shortcut, and the error messages.
Localized Favorites now appear correctly using Mozilla® browsers (CR37989)
Previously, the App Tunnels and Network access client controls could corrupt localized Favorite names for users with Netscape and Mozilla browsers. Now the Favorites appear correctly using these browsers.
Help pages now localized (CR38463)
Localized versions of the user and administrator help pages did not display properly if the browser did not provide a language setting. We now provide a default character set setting matching the FirePass controller's language, and now the help displays correctly even without a browser setting.
Setup for SSL VPN Drivers on non-English versions for Windows 9x (CR38528)
Previously, the setup for the SSL VPN Driver on Windows 9x could result in a buffer overflow on some International versions of Windows. This resulted in an Access Violation or a system hang. The SSL VPN Driver setup now works correctly.
Problems with files and folders using certain Chinese characters in their names (CR38598)
Previously, you could not create folders or copy files if their names contained characters whose second byte, in Big5 encoding, was a backslash. We have corrected this issue, and you can use these characters in file and folder names.
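The Big5 issue described above, shown as an added example (not F5 code): a byte-wise split on the backslash cuts through two-byte characters whose second byte is 0x5C, while a split that steps over Big5 lead/trail pairs keeps the name intact. The function names and the sample path are constructed for illustration.

```python
"""Why a Big5 trail byte of 0x5C breaks byte-wise path handling (added example)."""

BACKSLASH = 0x5C

# Constructed sample: a Windows-style path whose folder name is made of three
# characters that each end in 0x5C when encoded as Big5.
SAMPLE_PATH = "share\\許功蓋\\report.txt".encode("big5")


def is_big5_lead(byte):
    """Big5 lead bytes fall in 0x81-0xFE; anything below is a single-byte character."""
    return 0x81 <= byte <= 0xFE


def naive_split(path):
    """Byte-wise split: treats every 0x5C as a separator, even inside a character."""
    return path.split(b"\\")


def big5_aware_split(path):
    """Split on 0x5C only when it is a stand-alone byte, not a Big5 trail byte."""
    parts = []
    current = bytearray()
    i = 0
    while i < len(path):
        byte = path[i]
        if is_big5_lead(byte) and i + 1 < len(path):
            # Two-byte character: copy lead and trail together, whatever the trail is.
            current += path[i:i + 2]
            i += 2
        elif byte == BACKSLASH:
            parts.append(bytes(current))
            current = bytearray()
            i += 1
        else:
            # ASCII byte, or a dangling lead byte at the very end of the input.
            current.append(byte)
            i += 1
    parts.append(bytes(current))
    return parts


def trail_backslash_chars(name):
    """Return the characters of `name` whose Big5 encoding ends in 0x5C."""
    hits = []
    for ch in name:
        encoded = ch.encode("big5", errors="ignore")  # unencodable -> b""
        if len(encoded) == 2 and encoded[1] == BACKSLASH:
            hits.append(ch)
    return hits


if __name__ == "__main__":
    print("raw bytes      :", SAMPLE_PATH)
    print("naive split    :", naive_split(SAMPLE_PATH))
    print("Big5-aware     :", [p.decode("big5") for p in big5_aware_split(SAMPLE_PATH)])
    print("risky chars    :", trail_backslash_chars("許功蓋"))
```

The same scan is useful as a regression test for any file-handling code that accepts Big5 names: feed it names returned by `trail_backslash_chars` and confirm the component count does not change.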
Display of Japanese character imports (CR38606)
When importing from a file with Japanese characters for the user names, the names were not properly transferred in previous versions. With version 5.2.1, the names transfer correctly.
iNotes file attachments with Unicode names could not be downloaded (CR39746)
If you tried to download a file attachment with a name containing Unicode characters using Portal Access from a Lotus® iNotes® Web Access server, the download failed. With this release, you can now use Portal Access to access and download file attachments with names containing Unicode characters from an iNotes server.
Korean user interface localization was missing (CR40836)
In version 5.2, Korean localization of the FirePass controller user interface was missing. Messages appeared in English instead of Korean, even when Korean was selected from the Maintenance Console. With this release, the user interface is now translated into Korean when Korean is selected from the Maintenance Console.
Japanese user names imported from LDAP servers (CR41133)
In previous versions, you could not import user names containing Japanese characters from LDAP servers. Japanese user names now import correctly.
Japanese attachments to iNotes messages (CR41135)
In earlier versions, if you used Portal Access : Web Applications to access a Lotus iNotes Web Access server, you could not open Japanese files attached to iNotes messages. Now you can open and view the Japanese attachments correctly.
Downloaded Application Log on Japanese system contained corrupted first line (CR41136)
Previously, if you used a Japanese FirePass controller to download the Application Log report, you might have seen extra or corrupted Japanese characters on the first line of the report. We have corrected this issue, and the report now downloads correctly in spreadsheet format.
Non-standard Shift-JIS characters corrupted mail attachment names (CR42243)
Previously, when using Japanese Windows 98 and Windows XP, the Mobile E-mail feature corrupted attachment names containing Shift-JIS characters that are not present in the standard character set table. The attachment names now display correctly.
The following items are known issues in all language editions of the current release. Issues related to non-English (localized) editions are listed in a separate Localization Known Issues section, below.
Certificates in Lotus Notes (CR28747)
You can open a Lotus® iNotes® mailbox with an expired server certificate. However, you must have a current certificate to open it using the FirePass controller's My Lotus Notes.
AppTunnels not supported on Mac OS and Linux (CR28772)
FirePass controller does not support AppTunnels on Macintosh® or Linux® computer systems.
Length limitations on My Files share names (CR28778)
The FirePass controller has the same length limitations on share names as older versions of Windows (Windows 95, Windows 98, and Windows NT). This limitation applies only to share names, not to directory names, file names, or path specifications. Single-byte share names must be 13 characters or less, and double-byte share names must be 6 characters or less.
Deleted emails in My Outlook (CR28854)
If you use an IMAP email server, My Outlook does not provide any visual indication when a user marks an email for deletion.
Portal Access navigation after leaving Outlook Web Access (CR30760)
Using Portal Access, once you leave an Outlook Web Access window, links to other sites on the same host generate a Page Not Found error.
Question mark in LDAP URL (CR30914)
If the filter portion of an LDAP query contains an embedded question mark, the query may fail.
After using Setup Wizard, browser generates Page Not Found error (CR30978)
When the Quick Setup wizard finishes, the FirePass controller restarts automatically. The controller's IP address and host name are generally changed during the initial Quick Setup configuration. The browser attempts to connect to the page using the previous IP address, and generates a Page Not Found error. To correct the display, type the new IP address or the new host name in the browser address field, and press the Enter key.
RADIUS authentication in multi-group environments (CR31381)
If you use RADIUS authentication for some, but not all, groups, and you also use signup by templates, authentication may sometimes fail. You can often solve this problem by clearing the Allow Authenticated Signup by Template option for all groups, using the Users : Signup Templates screen, and then selecting the option again for each group.
Host name after Quick Setup (CR31505)
When you use the Quick Setup for initial configuration of the FirePass controller, ordinarily you change the host name of the controller. After you restart the controller, your browser still attempts to connect to the previous (default) host name. You must enter the new host name in your browser address field to reconnect to the configured FirePass controller.
Configuring basic HTTP authentication against an external server (CR31506)
If you configure a group to authenticate users over HTTP, you must specify an object in the path you set for the external server. Otherwise, authentication fails. For example, the URL http://myauthserver.com fails, but http://myauthserver.com/ succeeds.
Progress bar during online update (CR31670)
During an online update of FirePass controller software, occasionally the third progress bar freezes, and does not indicate the true status of the update. The update, however, ordinarily completes as expected.
Page refresh corrupts the online upgrade (CR34238)
If you begin an online upgrade operation, and then perform any action that refreshes the upgrade page while the online upgrade is in progress (including opening a new browser window), the page refresh corrupts the upgrade. Do not disturb an upgrade while it is running.
You cannot use IMail Server from (vendor) Ipswitch with My Email (CR34504)
If you use Ipswitch's IMail Server configured as a POP server, you receive erroneous authentication failures with My Email. However, you can use this mail server configured as an IMAP server.
Network Access sessions limit (CR34535)
Network Access (previously called SSL VPN) connections cannot exceed 1024 concurrent sessions.
Duplicate records in Extra Access log (CR34544)
Each record in the Extra Access log occurs twice.
International characters in file names (CR35244)
Previously, File Access could not display, open, download, or delete files with some non-English characters in their names. We have corrected this issue, and these files can be handled properly.
You cannot delete a UNIX directory (CR36352)
You cannot delete a UNIX® Network File Share directory while accessing the file system using the FirePass controller's UNIX Files function.
Installing Network Access control on Xandros (CR36745)
Automatic installation of the FirePass Network Access control fails under the su option, and may also fail under the sudo option. If Xandros Linux users cannot install the control automatically, advise them to follow the directions for manual installation, given in the Network Access user help page.
App Tunnels drive mapping fails with invalid or missing SSL server certificate (CR36803)
If you have not yet purchased and installed a valid SSL certificate on the FirePass controller, then when a user attempts to connect to a mapped drive using App Tunnels, his first attempt in a session usually fails. Subsequent attempts using the Relaunch button may succeed. However, we recommend installing a valid server certificate as soon as possible.
Moving users among groups can result in misconfiguration (CR36808)
When you move a user from one group to another, the FirePass controller does not prompt for additional data that may be required by the target group. For example, a user moved from a group using LDAP authentication to a group using internal database authentication may lack a password in the internal database account record. This misconfiguration can potentially result in failures of authentication. To prevent these failures, verify the completeness of user account records using the Users : User Management screen.
Problem displaying quotes when editing Web Applications URL variables (CR36982)
The Url variables box of the Portal Access : Web Applications screen has some trouble displaying quotation marks. If you type quotation marks [a "double-quote"] when you add or edit a URL variable for an Intranet favorite, when you click Update the typed value disappears and instead shows as a backslash [\]. If you type an apostrophe ['single-quote'], the apostrophe displays, but an added backslash [\] appears before it. In both cases, however, the URL variables and the strings within the quotation marks are stored and processed correctly.
Accessing Domino Web Access using Windows 98 (CR36816)
Using Windows® 98, users may see only a blank screen after logging in to a Domino Web Access® (DWA) site through Web Applications. This problem usually can be resolved by suppressing the default Home/Logout tab injection, for Domino Web Access pages. To suppress Home/Logout tab injection:
Network Access fails on Windows 2000 computer (CR37050)
If you use Windows® 2000 with Service Pack 4 installed, when you attempt to install the Network Access client control, you may receive the following error message: An error occurred during the installation of the device. The inf or the device information set or element does not match the specified install class. The installation fails. This is a Microsoft problem described on this Microsoft support page. The page describes some possible interventions to perform on the system registry, but we do not recommend them.
Authentication does not check proxy settings (CR37072)
FirePass controller form-based authentication does not check or use proxy settings or proxy server credentials. Do not configure a FirePass controller to perform HTTP or HTTPS-based authentication using a proxy server.
Unsupported browser on Linux system for Network Access session results in misleading error (CR37113)
If you use an unsupported browser (for example, Opera®) on a Linux® system to establish a Network Access connection, you may receive a misleading error message: This is for Win32 OS only. In fact, you can establish a Network Access connection from x86-based Linux systems, but you must use a supported browser (Mozilla 1.6 or 1.7).
Network Access over dialup connection where IPSec VPN client is present (CR37127)
You cannot use Network Access over a dialup connection from a remote Windows® 2000 or Windows XP system that also has a Check Point® SecuRemote/SecureClient IPSec VPN client installed. You can use Network Access over dialup with a Check Point IPSec VPN client; however, the Network Access connection may take a long time to close, and you must drop and redial the connection to the ISP in order to continue with Internet access.
Second Telnet connection to Maintenance Console (CR37213)
Using the Telnet access feature on the Maintenance : Troubleshooting Tools screen, a second attempt to connect to the Maintenance Console screen may fail, leaving the Admin Console unresponsive. In that case, close the browser and log in again.
Safari 1.0 browser on OS X 10.2 doesn't work with Network Access (CR37217)
The Network Access control for Macintosh® OS X version 10.2 does not install properly under the Safari® 1.0 browser. The page repeatedly prompts you to install it, even if you have already installed it, but you cannot use it.
High traffic levels on Management port can cause 4100 platform to reboot unexpectedly (CR37341)
On a 4100 hardware platform, high levels of traffic through the Management port may cause the unit to reboot. The Management port is intended only for direct connection to the Administrative Console. We do not recommend connecting the FirePass controller to the LAN using this port. An unexpected 4100 reboot can also occur if you connect to the Management port with a hub, due to high levels of traffic on the hub. Use a switch rather than a hub when connecting to the Management port.
Saving RSA key using Legacy Hosts with SSH terminal (CR37383)
When you use Legacy Hosts with a terminal type of SSH, and you use a recent version of SSH, you may see a prompt asking if you want to save the RSA key fingerprint for the target server. You must reply Yes to continue the connection. However, you see this error message: Failed to add the host to the list of known hosts (/home/uroam/.ssh/known_hosts). You cannot save the RSA key fingerprint. Disregard the error message.
Cannot log in after changing name of My Desktop system (CR37441)
If you change the system name of an installed My Desktop computer, take these steps to access it again using My Desktop:
Installing Network Access client on Red Hat Linux (CR37476)
Installing the Network Access client occasionally fails on these and some other Linux distributions: Red Hat® 8 using the Mozilla® 1.0 browser, and Red Hat 9 using the Mozilla 1.2 browser. In that case, follow the instructions for manual installation, given in the user help for Network Access.
Undocumented limitation on Group name length (CR37544)
Group names must be 16 characters or less in length. Entering a longer name gives an error message, but the message does not indicate the maximum allowable name length.
Network Access summary status on Windows 98 systems (CR37554)
On Windows® 98 systems, the Network Access client control does not update the packet status, visible on the Summary tab. However, the session functions correctly.
User home page not correctly customized (CR37615)
The controls on the Users : User Experience screen sometimes fail to resequence categories on the users' home pages, or to govern the font sizes as intended.
Restarting Network Access on Linux systems (CR37690)
On some Linux distributions, you cannot start second and subsequent Network Access sessions within a single browser session, immediately after closing the first connection. Either wait two minutes, or restart your browser.
Incomplete cipher security changes may lock you out of the Administrative Console (CR37701, CR33703)
Using the Device Management : Security : User Access Security screen, if you enforce higher-grade SSL security, but you do not restart services, subsequent attempts to log in may fail. When you change security settings, always click the (Requires server restart.) link in the HTTPS settings screen header. If you did not restart services and you cannot log in after changing cipher settings, if your browser allows it, take these steps:
Folder names not completely localized when using Protected Workspace (CR38016)
Some folder names in the Protected Workspace, including the My Documents folder, may appear in English on localized Windows XP systems.
File Corruption when downloading Chinese zipped folders (CR38063)
In versions 5.0 to 5.2.1, if a path contains two or more Chinese folders, then the zipname file name can become corrupted.
Multiple SSL-VPN Support on PDA lacking (CR39147)
The PDA SSL VPN client does not support multiple SSL VPN favorites in this release.
Deleted messages in mobile email are missing (CR39288)
You cannot view deleted messages in the FirePass controller mobile email folder.
AppTunnels/VPN/Terminal Server do not work on Windows XP with Service Pack 2 Final (CR39338)
AppTunnels, SSL VPN, and Terminal Server connections do not work on computers running Windows XP with Service Pack 2 installed. For more information, see SOL3289: FirePass compatibility with Windows XP Service Pack 2 clients.
The Start VPN connection button on the PDA SSL VPN does not toggle (CR39429)
The Start VPN connection button on the PDA SSL VPN client does not become the Stop VPN connection button after you start a connection. You can successfully start the connection using the button.
Nested multipart MIME email attachments missing in mobile email (CR40033)
When users read email with nested, multipart MIME attachments using the FirePass controller mobile email service, the attachments may be lost.
4100 False Fan Failure Report (CR40336)
On the 4100, when one fan has failed, the hardware platform reports all six fans in a failed state. If you receive an alert, contact your service representative.
Correct time and time zone must be set for all FirePass controller units in a cluster (CR40467)
In Version 5.2.1 it is important to ensure that both the current time and time zone are set for all units in the FirePass controller cluster.
4K SSL Server Certificate not supported with FIPS (40474)
Version 5.2.1 with FIPS supports 512-, 1024-, and 2048-bit SSL Server Certificates only.
User deactivated during test mapping of Active Directory group (CR40491)
In certain cases, if a user is manually added to a FirePass controller group but is not a valid user in Active Directory, and you run a FirePass controller test mapping operation using Active Directory, FirePass controller incorrectly deactivates the user.
Opera 7.54 not supported (CR40494)
In version 5.2.1 of FirePass controller, Opera version 7.54 is not supported.
Drive Mapping - Adding a share with duplicate name removes old share (CR40546)
If you add a new drive mapping share with the same name as an existing drive mapping share, the existing share is overwritten with the new drive mapping.
Installation issue with SSL-VPN on Solaris (CR40568)
In version 5.2.1, the LD_LIBRARY_PATH must be set in order for the SSL VPN plugin to work correctly. This issue can be resolved by setting the environment variable to LD_LIBRARY_PATH=/usr/local/lib.
Terminal Services not supported on Macintosh (CR40618)
Terminal services are not supported on Macintosh® systems.
Web application default URL comes from last resource group (CR40637)
The default URL for a web application is determined at a resource group level. If a user has multiple resource groups assigned to him, the web application default is picked up from the last resource group assigned to a user.
Active Directory mapping test displays Administrator in First name field (CR40694)
With dynamic group mapping and Active Directory, a test mapping of a user on the Users : Groups : Dynamic Group Mapping screen may return a false first name of Administrator rather than the actual first name of the user. This error occurs only with the test mapping. Actual mapping by the FirePass controller works correctly, and the user can log on without problem.
Install intermediate client certificate by installing along with root certificate (CR40697)
In order to install an intermediate client certificate, you should install it along with the client root certificate under Device Management : Security : Certificates : Client Root Certificate. To do this, paste the client root certificate into the client root certificate box, then paste the intermediate client certificate in.
Switching standalone VPN client from advanced to simple mode results in lost connections (CR40702)
When you establish a connection using the standalone VPN client in advanced mode, you can have multiple types of connections (SSL VPN and App Tunnel). In simple mode, the standalone VPN client only supports SSL VPN connections. Any other connections are terminated. This is by design.
Test mapping from LDAP displays Administrator in First name field (CR40755)
With dynamic group mapping and LDAP, a test mapping of a user on the Users : Groups : Dynamic Group Mapping screen may return a false first name of Administrator rather than the correct first name of the user. This error occurs only with the test mapping. Actual mapping by the FirePass controller works correctly, and the user can log on without problem.
NFS Users import is documented incorrectly in online help (CR40759)
The online help page for the Portal Access : Unix Files : Import NFS Users screen incorrectly states that the /etc/passwd file includes the $passwd field. The $passwd field does not appear in the /etc/passwd file.
Restoring a FirePass controller backup file disables Desktop Access (CR40821)
If you restore a FirePass controller backup file from one controller to a different controller, Desktop Access stops working. Note: This only affects those customers using the Desktop Access feature.
To correct the problem:
If the original FirePass controller is not available, you can copy the global ID from the Windows Registry of a client workstation with Desktop Access installed.
To copy the global ID from the Windows Registry:
Administrator access to resource groups (CR41131)
Version 5.2.1 does not list resource groups on the Device Management : Security : Administrators > Group Access screen. As a result, if you restrict an administrator’s access by clearing the Allow access to all groups check box, that administrator cannot operate on any resource groups. To modify resource groups, use an administrator logon having explicit access to all groups.
Deleting system logs (CR41134)
The Device Management : Maintenance : Logs screen erroneously offers an option to delete all system logs. This option does not delete the system logs; further, you should not attempt to delete system logs completely. However, you can use the remaining options to purge old entries.
Impersonating a user outside of an administrator's authorized groups (CR41569)
An administrator with access to the Users : Impersonate User screen can impersonate users who are outside his or her scope of authority. Until we have corrected this issue, we recommend that you use the Device Management : Security : Administrators > Feature access screen to disable this privilege for administrators with restricted group access, by clearing the Users : Impersonate User check box.
Restoring FIPS systems breaking imported keypairs (CR41573)
If you have imported keypairs into a FIPS card and have reinitialized the card since making the most recent backup, then restoring your configuration may render some web services inaccessible. If you use FIPS and then, after restoring your configuration, you lose access to the Admin Console, use the Maintenance account to reinitialize the FIPS card. Then reimport the keypairs you need to correct your configuration.
Adding new users with sign-up templates (CR41697)
If you use sign-up by template but do not use dynamic group mapping, then after you upgrade to version 5.2.1, you cannot add new users until you do the following tasks for at least one group using sign-up templates:
1. Using the Users : Groups : Master Groups > Signup Templates screen, select the group.
2. Enable the Use as fallback group option.
3. Click Update Template.
Viewing EUC or JIS-encoded Japanese text files (CR30091)
On a Japanese FirePass controller, when you display a text file from a UNIX® (NFS) server, My UNIX Files always assumes Shift-JIS encoding, even when the browser is set to auto-detect the encoding of the document. As a result, NFS documents that use JIS or EUC encoding do not display correctly.
Passwords containing Euro symbol (CR30346)
When you configure a group with NTLM authentication with a Windows 2000 Primary Domain Controller, and also use the signup by template feature, the FirePass controller does not correctly send passwords containing a € (Euro currency) symbol. Please advise new users not to use this symbol when they select their passwords.
Desktop installation prompt not translated (CR40126)
When installing the FirePass controller desktop on a computer configured for Chinese Windows, a Copying files message appears in English instead of in Chinese.
Desktop installation caption is in English (CR40603)
When you install Desktop Access, the caption Uncompressing files displays in English, even in localized copies of FirePass controller. If an invalid installation key is used, a second untranslated message appears: Invalid product code, please retry.
Mobile E-Mail sometimes uses UTF-8 character set (CR41107)
If a Japanese Mobile E-Mail user enters certain vendor-specific Japanese characters that do not appear in the standard character set, the FirePass controller encodes the email using the UTF-8 character set, instead of using the default ISO-2022-JP character set. However, many Asian email clients do not support UTF-8.
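The Python sketch below is an added illustration, not FirePass code. It models the charset fallback described here and flags the vendor-specific characters behind CR42243, so that message text or attachment names can be checked in advance. It assumes Python's strict `iso2022_jp` and `shift_jis` codecs stand in for the standard character set and `cp932` for the Windows vendor extensions; the function names and sample strings are constructed.

```python
"""Find Japanese characters that fall outside the standard character sets."""


def outside_charset(text, codec):
    """Return the distinct characters in `text` that `codec` cannot encode."""
    missing = []
    for ch in text:
        try:
            ch.encode(codec)
        except UnicodeEncodeError:
            if ch not in missing:
                missing.append(ch)
    return missing


def choose_mail_charset(text, preferred="iso2022_jp", fallback="utf-8"):
    """Model the fallback: use `preferred` unless a character forces `fallback`.

    Returns (charset, offending_characters) so a caller can warn the user
    instead of silently sending mail that some clients cannot display.
    """
    offending = outside_charset(text, preferred)
    return (fallback if offending else preferred), offending


def vendor_only_sjis(name):
    """Characters valid in Windows code page 932 but not in strict Shift-JIS."""
    not_standard = outside_charset(name, "shift_jis")
    # Keep only the characters the vendor code page can actually represent.
    return [ch for ch in not_standard if not outside_charset(ch, "cp932")]


# Constructed samples: circled digit and parenthesized ideograph are
# vendor extensions, the remaining text is in the standard set.
SAMPLE_BODY_OK = "会議の資料です"
SAMPLE_BODY_VENDOR = "資料①"
SAMPLE_ATTACHMENT = "見積書①㈱.xls"

if __name__ == "__main__":
    for body in (SAMPLE_BODY_OK, SAMPLE_BODY_VENDOR):
        print(body, "->", choose_mail_charset(body))
    print(SAMPLE_ATTACHMENT, "->", vendor_only_sjis(SAMPLE_ATTACHMENT))
```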
Corrupted AppTunnel and Network Access connection names (CR41125)
On Japanese Windows 98 and Windows XP systems using Mozilla and Netscape browsers, the Network Access and AppTunnels client popup windows may corrupt connection names that contain double-byte characters. In those cases, the character input table also fails to appear as intended. We recommend using only single-byte characters to name Network Access and AppTunnel Favorites, if your users use Mozilla or Netscape browsers.
Using View as Text feature on double-byte text files (CR41129, CR42183)
If a Mobile E-mail user uses the View as Text feature, intended for non-text formats, on a text attachment, some Japanese and Chinese text attachments may appear to be corrupted. Please advise users to open all text attachments by clicking on the attachment name.