Release Note: FirePass Controller version 5.4.0

Software Release Date: 02/07/2005
Updated Date: 08/30/2013

Summary:

This release note documents version 5.4 of the FirePass remote access controller. It applies to both the English edition and the localized editions.

To review the features introduced in this release, see New features and fixes in this release. Existing customers can apply the software upgrade to version 5.4. For information about installing the software, please refer to Installing the software.

Note: Version 5.4 replaces version 5.2 and includes all features and fixes from versions 5.2.1 and 5.2.2.

Note: F5 now offers both feature releases and maintenance releases. For more information on release policies, please see Description of the F5 Networks software version number format on AskF5.

Contents:

- Minimum system requirements and supported browsers
- Supported platforms
- Installing the software
- New features in this release
- Fixes in this release
- Known issues


Minimum system requirements and supported browsers

The minimum system requirements for this release are specific to your operating system.

Microsoft Windows

  • Windows® 98 with Dial Up Networking (DUN) 1.4 update
  • Windows® Me
  • Windows® 2000
  • Windows® XP (see the note about the Microsoft update needed for Windows XP Service Pack 2)
  • Windows Mobile™ 2003 (Microsoft Pocket PC 2003 and Microsoft Pocket PC Phone Edition 2003)

Important: If you are running Windows XP Service Pack 2, you must install a hotfix (Windows XPSP2 Update KB884020) in order to resolve an issue (CR39338) which causes the FirePass SSL VPN product to not connect. You can find the update at Update for Windows XP Service Pack 2 (KB884020). For the latest information from F5 Networks, see SOL3289: FirePass compatibility with Windows XP Service Pack 2 clients on AskF5.

Note: You may find it helpful to have the Windows 98 and Windows Me distribution media available as you set up the FirePass controller. Occasionally, changing installation settings for Windows 98 and Windows Me requires that you copy information from the install media.

Note: FirePass 5.4 does not support Windows NT. For more information, see SOL3840: End of Life Announcement for the Windows NT client support feature in FirePass on AskF5.

Macintosh

  • Apple® Mac OS® X 10.2
  • Apple Mac OS X 10.3

Linux

  • Workstations with libc version 2 and later
  • Kernel support for PPP interfaces (loadable module or statically built in)
  • PPPD program in the /sbin directory

Solaris

  • Solaris™ Operating Environment version 9 on SPARC® systems

Supported browsers

The supported browsers for remote access provided through the FirePass controller are:

  • Microsoft® Internet Explorer, version 5.0, 5.5, or 6.0
  • Netscape® Navigator, version 4.7X
  • Mozilla® version 1.7 on Apple Macintosh® and Linux® systems
  • Mozilla version 1.4 on Solaris systems
  • Safari® version 1.0 and 1.2 on Apple Mac OS X 10.2 and 10.3 systems
  • OpenWave® WAP browser
  • i-mode phone
  • Microsoft Pocket PC 2003 and Microsoft Pocket PC Phone Edition 2003
  • Firefox 1.0 Sun 1.5.0

Supported platforms

This release supports the following platforms:

  • FirePass 1000
  • FirePass 4000
  • FirePass 4100

Note: The version 5.4 release does not support the FirePass 600 platform.

Installing the software

Note: If you are running any version previous to FirePass version 5.0, you must first upgrade to version 5.0 before upgrading to 5.4. For instructions for upgrading to version 5.0, see SOL4272: Upgrading a version 4.x FirePass controller to version 5.0 on AskF5.

Note: Once you upgrade the FirePass controller to version 5.4, you cannot downgrade to any previous version. For more information, see SOL2847: Restoring a previous software version on AskF5.

Warning: Prior to upgrading any FirePass controller, it is important to finalize all your network configuration settings. To do this, click Device Management on the navigation pane, expand Configuration, and click Network Configuration. Click the Finalize tab at the upper right to finalize your network configuration changes. If the Finalize tab does not appear on the Network Configuration screen, your configuration has been finalized.

Important: Back up the FirePass controller configuration before upgrading the controller. If you have a newer FirePass controller, use the Snapshot feature to back up the entire controller configuration. For more information, refer to SOL3244: Backing up and restoring FirePass system software on AskF5. To back up older FirePass controllers, click Device Management on the navigation pane, expand Maintenance, and click Backup/Restore. Click the Create backup of your current configuration link to back up the FirePass controller configuration. See the online help for details.

Upgrading from version 5.0 or later

The following instructions explain how to install FirePass 5.4 onto existing systems running version 5.0 or later.

To upgrade to version 5.4

  1. On the Administrative Console, in the navigation pane, click Device Management, expand Maintenance, and click Online Update.

  2. Select the link for Release 5.4 to upgrade the FirePass controller.

For more information about installing and configuring version 5.4, see chapter 2 of the FirePass Controller Handbook. To install a new FirePass controller, please refer to the printed Quick Start Instructions, included with the product.

New features in this release

The FirePass 5.4 release contains the following features.

Portal access enhancements

Java byte code rewrite for web applications

  • Automatically re-signs rewritten, Java-signed .jar and .cab archives to support access to the network, local hard drives, etc.
  • Supports URL rewriting for any Java bytecode contained in class files, as well as .jar and .cab archives using reverse proxy.

Enhanced JavaScript rewrite support

  • Robustly rewrites a wide variety of JavaScript content in web pages.
  • Provides out-of-the-box reverse proxy support for JavaScript-based web applications.

Split tunneling support for web applications

  • Selectively rewrites specific URLs that are part of web applications accessed through Intranet Webtop. You can apply the selective URL re-write for resources at the master-group level.
  • Provides faster end-user performance when accessing public web sites.

Dynamic caching support for web applications

  • Support for controller-side caching for web applications.
  • Increased performance for web applications.

View as HTML option for Mobile E-Mail

  • Provides a View as HTML link in Mobile E-Mail to display the body of the email.

Endpoint security

Flexible endpoint policy enforcement

  • Supports flexible endpoint security policy enforcement that controls access:
    • Before and after user logon.
    • Across all access modes: to the network, at the portal, and for the application.

Configurable master-group level endpoint security policies

  • Supports configuration based on client environment attributes, certificates, protected workspace, and so on.
  • Enables specification of endpoint policies that need to be verified at the individual resource (Favorites) as well as Webifyer level.
  • Enables enterprises to set policies based on the trust level of the client device (corporate-managed computers, home computers, kiosk) and provides access to specific resources based on the client device trust level.
  • Supports administrative control over the user's ability to leave the protected workspace, providing additional security for remotely accessed data.

Pre-logon trusted IP and client-configuration check

  • Pre-login trusted IP and client configuration check allows access to specific resources based on the client's device-trust level.
  • Secures the enterprise network from vulnerable and virus-infected clients as well as prevents password-guessing attacks.

Client antivirus check

  • Provides broad, certified support for pre-login client antivirus check for more than 10 AV vendors including Symantec, Trend Micro, McAfee, Computer Associates (eTrust), F-Secure, Kaspersky, Sophos, Panda, Zone Labs, and others.
  • Checks for several antivirus attributes, including the presence of the antivirus software and version, and the presence of the latest antivirus signatures, as well as whether an antivirus engine is active.
  • Supports out-of-the-box certified interoperability with a variety of client antivirus products, which helps organizations leverage their existing investment in client antivirus software for VPN endpoint security while eliminating integration costs and lowering total cost of ownership (TCO).

    Note: The FirePass product license provides antivirus and firewall functionality as add-on modules available on the 1000 and 4x00 platforms.

Personal firewall check

  • Provides broad, certified support for pre-logon check for several personal firewalls including Sygate, Zone Labs, Microsoft, McAfee, and Symantec.
  • Checks whether the firewall is installed and running.
  • Supports out-of-the-box certified interoperability with a variety of personal firewall products, which helps organizations leverage their existing investment in personal-firewall software for VPN endpoint security while eliminating integration costs and lowering TCO.

    Note: The FirePass product license provides antivirus and firewall functionality as add-on modules available on the 1000 and 4x00 platforms.

Application access support

Host access enhancements for VT, 3270 Terminals

  • Supports keyboard mapping and screen color customization.
  • Eliminates the need for third-party host access software.

Policy-based routing

  • Maps routing tables to resource groups. This allows for advanced policy-based routing capabilities. The FirePass controller can use routing tables to map resource-group traffic to particular VLANs.

Network access support

Static IP support per user

  • Network access supports assigning a static IP based on the user, when the user establishes a network access VPN connection.
  • Provides options for assigning static IP in multiple ways:
    • Defined for specific users in the user database (this is the default first priority).
    • Automatically mapped based on RADIUS Framed-IP-Address attribute (this is the default second priority).
  • Assigns the user an IP dynamically from the IP address pool if no static IP is defined for a specific user.
  • Uses the IP information for a specific user for remote desktop support.
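The assignment order described above, as an added Python sketch (not FirePass code and not part of the original release note). The function and data-structure names are hypothetical, and two behaviours are assumptions: the RFC 2865 special Framed-IP-Address values are treated as "no static address", and a static address already leased to another user is rejected rather than shared.

```python
import ipaddress

# RFC 2865 section 5.8: these two Framed-IP-Address values are signals, not
# usable addresses. Treating them as "no static address" is an assumption.
USER_SELECTS = ipaddress.IPv4Address("255.255.255.255")
NAS_SELECTS = ipaddress.IPv4Address("255.255.255.254")


class AddressConflict(Exception):
    """A static address is already leased to a different user."""


class PoolExhausted(Exception):
    """No free dynamic address is left in the pool."""


def assign_address(user, static_db, radius_attrs, pool, leases):
    """Pick the VPN address for `user` and record it in `leases`.

    static_db    -- {user: "a.b.c.d"} per-user entries (first priority)
    radius_attrs -- attributes returned by RADIUS (second priority)
    pool         -- ipaddress.IPv4Network used for dynamic assignment
    leases       -- {IPv4Address: user} for currently connected sessions
    Returns (IPv4Address, source), where source names the rule that matched.
    """
    candidate, source = None, None

    if user in static_db:
        candidate = ipaddress.IPv4Address(static_db[user])
        source = "user-database"
    else:
        framed = radius_attrs.get("Framed-IP-Address")
        if framed is not None:
            addr = ipaddress.IPv4Address(framed)  # raises on malformed input
            if addr not in (USER_SELECTS, NAS_SELECTS):
                candidate, source = addr, "radius"

    if candidate is not None:
        # Fail closed: never hand one address to two different users.
        holder = leases.get(candidate)
        if holder not in (None, user):
            raise AddressConflict(f"{candidate} is leased to {holder}")
        leases[candidate] = user
        return candidate, source

    # Dynamic fallback: skip addresses reserved for other users' static entries.
    reserved = {ipaddress.IPv4Address(a) for a in static_db.values()}
    for addr in pool.hosts():
        if addr not in reserved and addr not in leases:
            leases[addr] = user
            return addr, "pool"
    raise PoolExhausted(f"no free address in {pool}")


def demo():
    """Run four constructed logins and return (user, address, source) rows."""
    static_db = {"alice": "10.10.0.1"}             # constructed sample data
    pool = ipaddress.IPv4Network("10.10.0.0/29")   # constructed sample pool
    leases = {}
    logins = [
        ("bob", {"Framed-IP-Address": "10.10.0.50"}),
        ("carol", {"Framed-IP-Address": "255.255.255.254"}),
        ("alice", {"Framed-IP-Address": "10.10.0.60"}),
        ("dave", {}),
    ]
    rows = []
    for user, attrs in logins:
        addr, source = assign_address(user, static_db, attrs, pool, leases)
        rows.append((user, str(addr), source))
    return rows


if __name__ == "__main__":
    for row in demo():
        print(row)
```
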

Usability

Visual policy editor

  • Provides unique support for graphical definition and simplified management of endpoint security policies. You can very easily and accurately define a visual flow-chart for even sophisticated endpoint security policies.
  • Drastically simplifies policy definition and automates policy configuration and management, resulting in lowest TCO.
  • Enables security auditors to easily audit security policies without requiring expert product knowledge.

30-minute install

  • Quick Setup wizard guides even non-experts to install and configure the system in 30 minutes.

Logon and portal page customization

  • Enables administrators to completely customize an entire logon and webtop web page to suit their existing corporate web-site portals.
  • Uploads the custom pages using WebDAV capability.
  • Enhances the end-user experience with a customized look-and-feel.

Auto-launch VPN

  • Supports auto-launch of network access VPN favorites, which enhances end-user experience and lowers end-user support calls.

Complete login and webtop customization

  • Administrators can completely customize an entire login and webtop web page to suit their existing corporate web site portals, and can upload the custom pages using WebDAV capability.
  • Customized look-and-feel enhances the end-user experience.

Authentication support

Native ACE authentication

  • FirePass 5.4 can use the RSA native ACE protocol to authenticate users when using RSA 2-factor, token-based authentication.
  • With native ACE support, administrators can use their authentication method of choice for RSA 2-factor authentication.

Client certificate authentication enhancements

  • Provides increased flexibility for the FirePass controller authentication and dynamic group mapping support to extract the user logon name and group information from the client certificate.
  • Supports additional client certificate issuer restrictions, and you can verify fields in the certificate against Active Directory attributes.
  • Using client certificate authentication enables full automatic logon. When this is enabled, users are automatically logged into the FirePass webtop when navigating to the FirePass controller front-door.

Enterprise integration

  • VPNC-Certified interoperability with corporate web portals and Exchange guarantees application interoperability and lowers testing and deployment costs.
  • Provides out-of-the-box interoperability with common corporate web applications such as Outlook Web Access (OWA), iNotes, SharePoint Portal, and a wide variety of web applications (including dynamic web applications based on Java and JavaScript).
  • Supports external users with the new external group type, which enables management of user information completely external to the FirePass controller, leveraging existing user directories and scaling the number of users without any system-imposed limits on user count.

Group management

Multiple group mapping - RADIUS

  • Queries the RADIUS server for group information and automatically maps multiple RADIUS groups to FirePass controller-based resource groups.
  • Uses group mapping to simplify deployment and shorten time to deploy in large-scale environments.

Performance and scalability

Support for 2000 concurrent users

  • Supports up to 2000 concurrent user sessions on the 4100 platform.
  • Reduces the number of devices needed for large-scale enterprise implementation, and simplifies management.

Primary domain use

  • Queries for a user's primary Active Directory group (in addition to all other groups the user belongs to), enabling use of primary domain for additional dynamic group mapping or authentication access configuration.

New heartbeat version

  • Provides alternate failover heartbeat implementation, which is more stable under very heavy loads. You can enable the new failover heartbeat using the FirePass Maintenance Console, available in the Telnet access section on the Device Management : Maintenance : Troubleshooting Tools screen.

Fixes in this release

The FirePass controller, version 5.4 includes the following fixes.

RADIUS authentication in multi-group environments (CR31381)
RADIUS authentication now works with more than one group configured.

Blank screen accessing Domino Web Access using Windows 98 (CR36816)
Windows® 98 can now log on to Domino Web Access® (DWA) sites without problems.

Double quotes showing as backslash URL variables (CR36982)
The Url variables box of the Portal Access : Web Applications screen now shows double quotes correctly.

Second Telnet connection to Maintenance Console (CR37213)
Accessing Maintenance Console using a second Telnet connection now works.

FirePass 5.4 security audit (open port) concerns using syslogd and Desktop Access (CR37254)
The FirePass controller no longer keeps port 514 open.

4100 platform reboot with high traffic levels on Management port (CR37341)
High levels of traffic on the Management port no longer cause a reboot.

Group name length (CR37544)
Group names are no longer limited to 16 characters. Names may now contain 48 characters including the period (.), underscore (_), and hyphen (-), but no spaces, symbols, or other punctuation.

Network Access summary status on Windows 98 systems (CR37554)
On Windows® 98 systems, the Network Access client control now updates the packet status, visible on the Summary tab.

Incomplete localization of protected workspace folder names (CR38016)
Protected workspace folder names now show correctly localized names.

File corruption when downloading zipped folders with Chinese names (CR38063)
In versions 5.0 to 5.2.1, if a path contained two or more folders with Chinese names, then the zip file name could become corrupted. This corruption problem is now fixed.

Incomplete support for multiple SSL-VPN favorites on Pocket PC-based browsers (CR39147)
FirePass 5.4 supports choosing SSL-VPN favorites from multiple links on a Pocket PC-based browser.

Missing deleted messages in mobile email (CR39288)
You can now choose a folder for deleted IMAP messages, or you can select an option to delete them immediately.

Missing multipart MIME email attachments in mobile email (CR40033)
The email parser now properly provides attachments in mobile email.

Untranslated desktop installation prompt (CR40126)
The Copying files installation message previously encountered in English now shows in Chinese. This fix is related to the localized Chinese version.

4K SSL server certificate import with FIPS (CR40474)
Previously, importing a 4K SSL server certificate caused an Apache-restart error. FIPS supports only 512-, 1024-, and 2048-bit SSL server certificates. The import now posts an alert and prevents the import from continuing, so Apache is not affected at all.

User deactivation during test of an Active Directory group mapping (CR40491)
The FirePass controller no longer deactivates an invalid Active Directory user who was manually added to a group.

Installation issue with SSL-VPN on Solaris (CR40568)
Installation now sets the environment variable properly, to LD_LIBRARY_PATH=/usr/local/lib.

Intermediate client certificate install support (CR40697)
Previously, you had to install intermediate client certificates along with the client root certificate. FirePass 5.4 provides the ability to enter intermediate client certificates as well.

Lost connections switching from advanced to simple mode in standalone VPN client (CR40702)
When you establish a connection using the standalone VPN client in advanced mode, you can have multiple types of connections (SSL VPN and App Tunnel). In simple mode, the standalone VPN client only supports SSL VPN connections. Any other connections are terminated. This is by design. FirePass 5.4 provides an option to enable reconnection and posts a confirmation request indicating that the user will lose all the active Application Tunnels and Terminal connections.

FirePass controller restore of Desktop Access functionality (CR40821)
Previously, restoring from one controller to another caused Desktop Access to stop working. FirePass 5.4 supports backup to different controllers, and keeps Desktop Access functional.

Corrupted AppTunnel and Network Access connection names (CR41125)
FirePass 5.4 now supports double-byte characters in Network Access and AppTunnel Favorites in Mozilla or Netscape browsers. This fix is relevant for localized versions.

Using View as Text feature on double-byte files (CR41129, CR42183, CR43397)
Previously, viewing some attachments containing Japanese, Chinese, or other double-byte characters showed incorrect characters or formatting, making the file appear to be corrupted. Now text/plain attachments show without ASCII filtering, so all text shows correctly. This fix is relevant for localized versions.

Administrator access to resource groups (CR41131)
Formerly, to access resource groups, an administrator had to have access to all groups. FirePass 5.4 provides support for configuring administrator access to specific resource groups.

Adding new users with sign-up templates (CR41697)
Master groups using sign-up templates without dynamic group mapping no longer need the fallback group option set.

Logon failure using email for Active Directory authentication (CR42154)
The logon process now works when using email as the logon in an Active Directory authentication setup.

Single sign-on support for FirePass controller using both RADIUS and VASCO (CR43479)
FirePass 5.4 now provides support for single sign-on for RADIUS and VASCO for all attributes except IETF RADIUS attribute number 26 (the vendor-specific code).

No access to resource groups with ' (single quote) in the name (CR43748)
The apostrophe ( ' or single quote) is now a permissible character.

Network access controls connection failure after reboot (CR43792)
Now SSL VPN works after workstation reboots. This was an issue only with beta versions of FirePass 5.4.

Incorrect link for more information on installing MSI packages (CR43917)
The new link is as follows: Installing a Package with Elevated Privileges for a Non-Admin

SSL VPN with iPaq driver load error: 2404 (CR42438)
The F5 Com port driver has an FFN7 name now. Parameters for RAS phonebook have a changed entry-creation process.

SQL DB errors occur when users are logged on during an upgrade (CR42439)
FirePass 5.4 provides the ability to lock out new user sessions, and end all existing sessions.

Using the View as HTML feature (CR43397)
Previously, the View as HTML feature for Mobile E-Mail incorrectly showed tags. Now, the email appears as HTML, without any tags.

Using the View as HTML feature (CR44636)
Previously, using large numbers of Application Tunnels could result in performance degradations or even dropped connections with high traffic through the proxy. Now, the Application Tunnel through the proxy server handles a high number of connection requests without dropping them.

Known issues

The FirePass controller, version 5.4 includes the following known issues. You can find localization-specific known issues in Localization known issues.

Certificates in Lotus Notes (CR28747)
You can open a Lotus® iNotes® mailbox with an expired server certificate. However, you must have a current certificate to open the same mailbox through the FirePass controller.

Length limitations on My Files share names (CR28778)
The FirePass controller has the same length limitations on share names as older versions of Windows (Windows 95, Windows 98, and Windows NT). This limitation applies only to share names, not to directory names, file names, or path specification. Single-byte share names must be 13 characters or less, and double-byte share names must be 6 characters or less. It is possible to view the contents of longer shares by typing the explicit path from the FirePass My Network Files Go dialog box.

Deleted emails in Outlook (CR28854)
If you use an IMAP email server, Outlook does not provide any visual indication when a user marks an email for deletion.

Windows password expiration handling (CR30900)
If remote users always use the FirePass controller to log on to their Windows domain resources, they are never alerted when their password expires. When the password expires, users cannot log on to the domain to change their password, nor can they log on to the FirePass controller.

Question mark in LDAP URL (CR30914)
If the filter portion of an LDAP query contains an embedded question mark, the query may fail.

Page Not Found error in Setup Wizard (CR30978)
When the Quick Setup wizard finishes, the FirePass controller restarts automatically. The controller's IP address and host name are generally changed during the initial Quick Setup configuration. The browser attempts to connect to the page using the previous IP address, and generates a Page Not Found error. To correct the display, type the new IP address or the new host name in the browser address field, and press the Enter key.

Host name after Quick Setup (CR31505)
When you use the Quick Setup for initial configuration of the FirePass controller, ordinarily you change the host name of the controller. After you restart the controller, your browser still attempts to connect to the previous (default) host name. You must enter the new host name in your browser address field to reconnect to the configured FirePass controller.

Basic HTTP authentication with an external server (CR31506)
If you configure a group to authenticate users over HTTP, you must specify an object in the path you set for the external server. Otherwise, authentication fails. For example, the URL http://myauthserver.com fails, but http://myauthserver.com/ succeeds.

Progress bar during online update (CR31670)
During an online update of FirePass controller software, occasionally the third progress bar freezes, and does not indicate the true status of the update. The update, however, ordinarily completes as expected.

Automatic URL-decode javascript variables (CR33580)
URL decoding may be completely fixed in this release, so you may not notice the implications of the lack of URL decoding with the new reverse-proxy functionality.

Online upgrade and page refresh (CR34238)
During an online upgrade operation, if you perform any action that refreshes the upgrade page, including opening a new browser window, the page refresh corrupts the upgrade. Do not disturb an upgrade in progress.

The Tab key use in Host Access with Sun JVM (CR34485)
When using Host Access, you cannot use the Tab key for navigation in Sun JVM.

IPSwitch IMail POP problem with My Email (CR34504)
The SASL authentication bug in IMail prevents use of POP. Using the FirePass controller to access email on IMail server results in erroneous authentication failures with My Email. However, you can use the IMail server configured for IMAP.

Duplicate records in Extra Access log (CR34544)
Each record in the Extra Access log occurs twice.

RADIUS challenge response with Cryptocard and blank passwords (CR34959)
FirePass 5.4 does not accept blank passwords when using RADIUS challenge response with Cryptocard. The workaround is to enter a temporary password and later correct it.

UNIX Network File Share directory-delete restriction (CR36352)
You cannot delete a UNIX® Network File Share directory while accessing the file system using the FirePass controller's UNIX Files function.

Monitor Statistics/System Load page data mismatch (CR36658)
The difference in the data shown on the Monitor Statistics page and the System Load page may be an issue for only the 4100. We are still testing this.

App Tunnels drive mapping with invalid or missing SSL server certificate (CR36803)
If you have not yet purchased and installed a valid SSL certificate on the FirePass controller, then when users attempt to connect to a mapped drive using App Tunnels, the first attempt in a session usually fails. Subsequent attempts using the Relaunch button may succeed. However, we recommend installing a valid server certificate as soon as possible.

Moving users among groups (CR36808)
When you move a user from one group to another, the FirePass controller does not prompt for additional data that may be required by the target group. For example, a user moved from a group using LDAP authentication to a group using internal database authentication may lack a password in the internal database account record. This can potentially result in failures of authentication. To prevent these failures, verify the completeness of user account records using the Users : User Management screen.

Constant restart of Flash (CR36933)
Flash constantly restarts at the www.kurzweilai.net web site.

Network Access fails on Windows 2000 computer (CR37050)
If you use Windows® 2000 with Service Pack 4 installed, when you attempt to install the Network Access client control, you may receive the following error message: An error occurred during the installation of the device. The inf or the device information set or element does not match the specified install class. The installation fails. This is a Microsoft problem described on this Microsoft support page.

Authentication does not check proxy settings (CR37072)
The FirePass controller form-based authentication component does not check or use proxy settings or proxy server credentials. Do not configure a FirePass controller to perform HTTP or HTTPS-based authentication using a proxy server.

Misleading error using unsupported browser on Linux system for Network Access (CR37113)
If you use an unsupported browser (for example, Opera®) on a Linux® system to establish a Network Access connection, you may receive a misleading error message: This is for Win32 OS only. In fact, you can establish a Network Access connection from x86-based Linux systems, but you must use a supported browser (Mozilla 1.6 or 1.7).

Network Access over dial-up connection where IPsec VPN client is present (CR37127)
You cannot use Network Access over a dial-up connection from a remote Windows® 2000 or Windows XP system that also has a Check Point® SecuRemote/SecureClient IPsec VPN client installed. You can use Network Access over dial-up with a Check Point IPsec VPN client; however, the Network Access connection may take a long time to close, and you must drop and redial the connection to the ISP in order to continue with Internet access.

Browser incompatibility on X Window System with Sun JRE 1.3.x (CR37174)
X Window System::Java client does not work with Windows XP, Windows 2000 Professional, Mozilla 1.7.3, Java™ Plug-in: Version 1.3.0_01, when you are using JRE version 1.3.0_01 Java HotSpot™ Client VM. From the Mozilla release notes: "Java J2SE releases previous to 1.3.0_01 will not work with Mozilla. Problems have been reported with JRE 1.3.1. For best results JRE 1.4.1 is recommended."

Network Access on Safari 1.0 browser on OS X 10.2 (CR37217)
The Network Access control for Macintosh® OS X version 10.2 does not install properly under the Safari® 1.0 browser. The page repeatedly prompts you to install it, even if you have already installed it, but you cannot use it.

Saving RSA key using Legacy Hosts with SSH terminal (CR37383)
When you use Legacy Hosts with a terminal type of SSH, and you use a recent version of SSH, you may see a prompt asking if you want to save the RSA key fingerprint for the target server. When you reply Yes to continue the connection, you see this error message: Failed to add the host to the list of known hosts (/home/uroam/.ssh/known_hosts). The connection works, but you cannot save the RSA key fingerprint. Disregard the error message.

Accessing system after changing the Desktop Access computer name (CR37441)
If you change the system name of an installed Desktop Access computer, take these steps to access it again using Desktop Access.

  1. Delete the previous name using the Desktop Access : Installed Desktops screen.

  2. Delete the old key using the Desktop Access : Key Management screen.

  3. Using the same screen, generate a new key.

  4. Reinstall the Desktop Agent on the target computer, using the new key.

Linux client installation halt (CR37476, CR41552)
Sometimes the SSL VPN Linux client automatic installation halts unexpectedly. The halt may be due to insufficient privileges. If your users experience failed installations, you can advise them to follow the instructions for manual installation, given in the user help for Network Access. If they still experience problems, you can offer them the following steps:

  1. First, completely remove the client using the following commands:

    rm -rf /usr/local/lib/F5Networks
    rm -rf .F5networks
    rm .mozilla/plugins/np_F5_SSL_VPN.so

  2. Follow the FirePass Knowledge Base instructions under FirePass Webtop : Network Access, available at https://<your_FirePass_controller>/kb/.

  3. Restart the browser and try it again.

Incorrect user home page customization (CR37615)
Changes made on Users : User Experience screen after initial configuration sometimes fail to resequence categories on the users' home pages, or to govern the font sizes as intended.

Scope of FirePass 5.4 Handbook (CR38310)
The scope and intent of the FirePass 5.4 Handbook is to cover some of the new issues from earlier versions. This release does not contain a fully updated handbook; however, there is extensive online help for all the new features. In addition, we have updated many existing topics with additional content and procedures. We are planning updates as well as a more comprehensive administrator guide.

Network Access restart on Linux systems (CR37690)
On some Linux distributions, you cannot start second and subsequent Network Access sessions within a single browser session immediately after closing the first connection. Either wait two minutes, or restart your browser.

SNMP trap setting refusal even with defined hosts (CR39354)
The FirePass controller refuses the SNMP Trap setting, even if you have defined the hosts. Although we believe we have corrected this issue, if you experience it, the workaround is to use IP addresses instead of host names.

Start VPN connection button on the PDA SSL VPN (CR39429)
The Start VPN connection button on the PDA SSL VPN client does not become the Stop VPN connection button after you start a connection. You can successfully start the connection using the button.

Incorrect display of links and pictures (CR39491) (CR43191)
On the www.alcatel.com site, the www.microsoft.com site, and possibly others, some links and pictures display incorrectly. FirePass 5.4 should correct these Flash-related problems, but some may remain.

Left navigation pane/screen mismatch (CR40356)
When you navigate using links within the screens, the navigation pane (on the left) and the content of the right pane do not synchronize.

Drive mapping overwrite of existing share (CR40546)
When you create a new drive-mapping using an already-mapped share name, the system overwrites the existing share without warning.

Lack of terminal services support through Internet Explorer for the Macintosh (CR40618)
The FirePass controller does not support terminal services through the Internet Explorer browser on Macintosh® systems. For more information about Macintosh OS support, see SOL3364: FirePass support for Mac OS clients on AskF5.
Note: Microsoft no longer supports Internet Explorer for the Macintosh OS.

Default web application URL for resource group (CR40637)
The default URL for a web application is determined at a resource-group level. If a user has multiple resource groups assigned, the web application default is picked up from the last resource group assigned to a user.

Incorrect user information attribute with first name (CR40694)
Mapping the user's first name against an Active Directory account results in a first name of Administrator, not the actual first name of the user. This error occurs only with the test mapping. Actual mapping by the FirePass controller works correctly, and the user can log on without problem.

Deleting system logs (CR41134)
The Device Management : Maintenance : Logs screen erroneously offers an option to delete all system logs. This option does not delete the system logs, and you should not attempt to delete system logs completely. However, you can use the remaining options to purge old entries.

Incorrect online help for NFS Users (CR40759)
The online help page for the Portal Access : Unix Files : Import NFS Users screen incorrectly states that the /etc/passwd file includes the $passwd field. The $passwd field does not appear in the /etc/passwd file.

Authentication requirement for access to shared folders (CR41486)
In Windows Files, you must use the IP address to share folders if the user needs to be authenticated; selecting a computer name from the left pane does not work.

Impersonating a user outside of an administrator's authorized groups (CR41569)
Administrators with access to the Users : Impersonate User screen can impersonate users who are outside their scope of authority. Until we have corrected this issue, we recommend that you use the Device Management : Security : Administrators > Feature access screen to disable this privilege for administrators with restricted group access, by not configuring the Users : Impersonate User feature for them.

Restoring FIPS systems breaking imported keypairs (CR41573)
If you have imported keypairs into a FIPS card and have reinitialized the card since making the most recent backup, then restoring your configuration may render some web services inaccessible. If you use FIPS and then, after restoring your configuration, you lose access to the Admin Console, use the Maintenance account to reinitialize the FIPS card. To correct your configuration, re-import the keypairs you need.

"FirePass License Not Installed" alert after upgrading (CR41755)
When upgrading from 4.1.1 to 5.4, you must log out and log back on after reactivating a license.

Local redirect instead of full redirect with < DNS/ (CR42669)
If you attempt a full redirect, from admin to admin/, you actually get a local redirect. This problem does not occur if the DNS is configured.

Redirect in frame (CR42676)
The redirect to an unlicensed page may occur in a frame when a timeout interval has elapsed.

iNotes compression and caching issue (CR43026)
The iNotes application only works with Enable Compression set and Cache nothing at the remote browser.

Error on slate.com (CR43080)
The FirePass controller returns a security error on the slate.com site because JavaScript SRC is not prepended with J.

Post-logon uninstall of previously installed ActiveX components (CR43139)
The post-logon option Uninstall ActiveX components downloaded during FirePass session does not uninstall ActiveX components that were installed before user logon.

Siebel Call Center 7.7 login issue (CR43287)
Siebel Call Center 7.7 cannot log in. Two windows appear after successful login. Although the main window tries to connect directly, the smaller window tries to connect through the FirePass controller. Eventually the process halts, and an error appears in the browser status bar.

Changing landing URI during active session (CR43296)
The landing URI does not return to its standard appearance after you make changes. You must open a new window to have changes take effect.

Problem for VLAN-based web applications with enabled cache (CR43445)
The Web Application Cache serves content by looking at the destination URL only. It does not consider the resource group of the requested resource. This can cause an invalid response to be served, if multiple resources across different resource groups are identified using the same URL. We recommend that you do not use the Web Application Cache in this situation.

Pre-logon infinite sequence (CR43509)
The pre-logon sequence functionality enables you to create a sequence that results in an infinite loop by choosing a subsequence that references itself as one of the final actions. If you create a sequence whose action includes a reference to itself, the end-user's browser halts during logon. To avoid this problem, check to make sure the final outcome of a subsequence is not a reference to the same subsequence.
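The check recommended above can be automated over an exported list of sequences. The following is an added example, not FirePass code: the dictionary layout, the "seq:" reference prefix and the sequence names are assumptions made for illustration. It goes beyond the direct self-reference described in the note and also reports indirect loops, on the assumption that subsequences can reference one another.

```python
# Added illustration, not FirePass code; the data model is hypothetical.
# Each sequence maps to its possible final outcomes. An outcome is either a
# terminal action ("allow", "deny") or a reference "seq:<name>" to a subsequence.
REF_PREFIX = "seq:"

# Constructed sample configuration.
SEQUENCES = {
    "main": ["seq:antivirus_check", "deny"],
    "antivirus_check": ["seq:os_check", "allow"],
    "os_check": ["seq:antivirus_check", "deny"],   # indirect loop
    "cert_check": ["seq:cert_check", "allow"],     # direct self-reference
    "simple": ["allow", "deny"],
}

def references(outcomes):
    """Names of the subsequences that a list of outcomes points to."""
    return [o[len(REF_PREFIX):] for o in outcomes if o.startswith(REF_PREFIX)]

def find_loops(sequences):
    """Return every reference loop as a list of names, first name repeated last."""
    loops = []
    state = {}  # name -> "visiting" while on the current path, then "done"

    def visit(name, path):
        state[name] = "visiting"
        path.append(name)
        for ref in references(sequences.get(name, [])):
            if state.get(ref) == "visiting":
                # ref is already on the current path: the path closes on itself
                loops.append(path[path.index(ref):] + [ref])
            elif ref not in state:
                visit(ref, path)
        path.pop()
        state[name] = "done"

    for name in sorted(sequences):  # sorted for a deterministic report
        if name not in state:
            visit(name, [])
    return loops

if __name__ == "__main__":
    for loop in find_loops(SEQUENCES):
        print("loop:", " -> ".join(loop))
```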

File save with FireFox 1.0 (CR43936)
Using a right mouse click to save an attachment does not work in FireFox 1.0. To save the file, copy the link and paste it into the browser address bar.

OWA and iNotes caching requirement (CR44536)
OWA and iNotes require some caching, so for OWA and iNotes, choose an option other than Cache nothing at the remote browser. Performance may suffer. Some advanced web applications may malfunction. As an alternative, you can configure a special UI mode in the pre-logon sequence for OWA, iNotes, i-mode, Pocket PC, Wireless Markup Language (WML) clients, and other mobile browsers. Choosing this UI mode automatically enables the caching and compression settings best suited to the browser type.

Performance slowdown with Network Access (SSL-VPN) service (CR44774)
When you are running the Network Access service, a slow resource leak occurs for each new Network Access connection. After many thousands of Network Access connections, the FirePass system performance decreases dramatically. The only workaround for this issue is to restart the FirePass controller.

Load balancing deactivate (CR44778)
Load balancing does not turn off unless you first clear the Allow optional manual logon to slave nodes from master logon page check box and then set Load Balance to off.

SharePoint document support (CR44815)
Word documents, Excel spreadsheets, and other documents downloaded from SharePoint Office open as read-only versions, without the SharePoint Update functionality.

Client certificates for external users (CR44888)
FirePass 5.4 stores client certificates on the FirePass controller. If an external server maintains your user accounts, then it is impossible for the FirePass controller to create a client certificate. If your groups are configured for external users, and you want to create/deploy client certificates to users, you can use your company's CA infrastructure. For more information, see the online help for certificates.

Window flash during client logon (CR44889)
With a pre-logon sequence that scans for antivirus, the scanning component briefly posts an in-progress window after it scans each. Within a second or so, the component removes the window. Therefore, during logon, users may experience window-flashes as they log on. The window does not take focus away from the active application, but users may see flashing in the background.

ZoneAlarm activation detection (CR44931)
FirePass controller antivirus components detect the presence of ZoneAlarm 3.5.166.0 but not whether it is active. We plan to address this in a future release.

Show as plain text functionality (CR45057)
In Windows Files, viewing a file As plain text does not show the last line if it has no return at the end. To work around this issue, add a final return character at the end of any text files.

No caching requirement for VLAN web application (CR45123)
In addition to turning the cache off for the web application, if you use group-based VLAN to access hosts with the same host name/IP address on different VLANs, follow these steps:

  • On the Portal Access : Web Applications : Caching and Compression screen, clear the box for Enable Dynamic Cache on FirePass. Generally improves WebApplications performance.

  • In the Web Application Global Settings section of Caching and Compression, select Cache nothing at the remote browser. Performance may suffer. Some advanced web Applications may malfunction.
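The following added example, which is not FirePass code, shows why the cache behavior described in CR43445 and CR45123 returns the wrong content: a cache keyed on the destination URL alone cannot tell apart two hosts that share an address on different VLANs. The group names, URL, responses and the scoped key function are constructed for illustration; the scoped key shows the design principle only and is not a FirePass setting.

```python
# Added illustration, not FirePass code; every name here is hypothetical.
from dataclasses import dataclass, field
from typing import Callable, Dict, Hashable

URL = "http://10.0.0.5/report"

# Constructed sample data: two resource groups reach different hosts that
# share one address, each on its own VLAN.
BACKENDS = {
    ("finance", URL): "finance ledger",
    ("engineering", URL): "engineering build status",
}

def fetch(group: str, url: str) -> str:
    """Stand-in for the proxy contacting the host on the group's VLAN."""
    return BACKENDS[(group, url)]

def url_only_key(group: str, url: str) -> Hashable:
    return url                  # destination URL only, as in CR43445

def scoped_key(group: str, url: str) -> Hashable:
    return (group, url)         # resource group is part of the cache key

@dataclass
class ProxyCache:
    key_fn: Callable[[str, str], Hashable]
    store: Dict[Hashable, str] = field(default_factory=dict)
    hits: int = 0

    def get(self, group: str, url: str) -> str:
        key = self.key_fn(group, url)
        if key in self.store:
            self.hits += 1
            return self.store[key]
        self.store[key] = fetch(group, url)
        return self.store[key]

def cross_group_leaks(cache, requests):
    """Requests that were answered with content from another group's host."""
    leaks = []
    for group, url in requests:
        served = cache.get(group, url)
        if served != fetch(group, url):
            leaks.append((group, url, served))
    return leaks

# Constructed request sequence: finance warms the cache, engineering follows.
REQUESTS = [("finance", URL), ("engineering", URL), ("finance", URL)]

if __name__ == "__main__":
    for name, key_fn in (("url-only", url_only_key), ("scoped", scoped_key)):
        cache = ProxyCache(key_fn)
        print(name, cross_group_leaks(cache, REQUESTS), "hits:", cache.hits)
```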

 

Blank help and attachments windows in OWA (CR45150)
When you have more than one instance of Internet Explorer running and you try to open help or the attachment window for email, the window may be blank. This does not happen every time. You can click the Help button a second time to open the help. The attachment window may not work until you close the other browser instance.

OWA .zip attachment handling (CR45152)
When trying to open a .zip attachment using Windows' Compressed Folder, the user can receive the error message The Compressed (zipped) Folder is invalid or corrupted. This is due to a bug in Internet Explorer that occurs when users have no external application, such as WinZip, associated for opening .zip archives in Windows. To work around the issue, users can save the attachment first, and then open it using the target application, including Windows' Compressed Folder. To save the attachment, users can right-click the attachment and choose Save Target As.

Licensed options appear differently (CR45157)
In Network Configuration, if you have not yet activated your license, some items are missing and others say "Require license." This does not affect finalizing the setup. The setup completes without problems, and the items appear after license activation.

End user session functionality (CR45217)
The FirePass 5.4 upgrade provides a link: Kill all sessions (except this one). Clicking the link ends one session. To end all sessions, click the link once for each user session you want to end.

Expansion of non-alphanumeric characters in logon names (CR45248)
The system does not correctly expand user logon names that contain non-alphanumeric characters when substituting the logon name (%username%) in the favorite.

Non-alphanumeric characters in logon names created in 5.2.1 or earlier (CR45278)
Users with logon names containing non-alphanumeric characters cannot log on to the FirePass controller if the accounts were created in previous versions of FirePass, that is, version 5.2.1 or earlier.

Nonfunctional application paths in Terminal Servers (CR45311)
Applications that you start from Terminal Servers links do not work.

RADIUS dynamic group mapping of logons containing special characters (CR45377)
RADIUS dynamic group mapping fails if logons contain the at sign (@) or other non-alphanumeric characters.

Security issues when switching from the protected workspace (CR45427)
When users switch from the protected workspace, any mapped drives remain available, and the content of the Windows clipboard is visible. Having access to mapped drives outside of the protected workspace is a function of VPN. The protected workspace is not intended to restrict access to mapped drives or to prevent users from copying or cutting information to the Windows clipboard.


Localization known issues

Viewing EUC or JIS-encoded Japanese text files (CR30091)
On a Japanese FirePass controller, when you display a text file from a UNIX® (NFS) server, My UNIX Files always assumes Shift-JIS encoding, even when the browser is set to auto-detect the encoding of the document. As a result, NFS documents that use JIS or EUC encoding do not display correctly.

Euro symbol in Password (CR30346)
When you configure a group with NTLM authentication with a Windows 2000 Primary Domain Controller, and also use the signup by template feature, the FirePass controller does not correctly send passwords containing a € (Euro currency) symbol. Please advise new users not to use this symbol when they select their passwords.

International character-handling in share name on multi-language environment (CR35244)
Using the FirePass Windows Files functionality on an English-based Windows 2000/2003 server with multi-language support does not correctly show share names containing non-English characters. The same issue can prevent file operations through Windows Files (for instance, open, download, rename, delete, and so on), which results in the following error: Error: can't open file <filepath>. Alternatively, using Windows Files to name a non-English file to a Windows 2000/2003 server shows incorrectly for the local network drive user. The solution is to use the same language type for the FirePass controller and the Windows 2000/2003 server. Using the FirePass Terminal Service functionality shows the correct share name.

English desktop installation messages (CR40603)
When you install Desktop Access, the message Uncompressing files displays in English, even in localized copies of FirePass controller. If an invalid installation key is used, a second untranslated message appears: Invalid product code, please retry.

UTF-8 character set in Mobile E-Mail (CR41107)
If a Japanese Mobile E-Mail user enters certain vendor-specific Japanese characters that do not appear in the standard character set, the FirePass controller encodes the email using the UTF-8 character set, instead of using the default ISO-2022-JP character set. However, many Asian email clients do not support UTF-8.

Non-English Windows Internet Explorer halt with SSL VPN first connect (CR41183)
Occasionally the SSL VPN connection can halt when using non-English versions of Microsoft Windows. To work around this issue, you can close the browser using the Windows Task Manager and try connecting again.

Using View as plain text on non-English files (CR41129, CR42183)
The View as plain text feature for Windows Files and Mobile E-Mail uses a heuristic algorithm to detect printable characters in English and Japanese. Therefore, this feature does not work for files that contain text in Chinese, German, or any other non-English language. You can work around this issue using the Load into browser feature instead.
