Release Note: FirePass Controller version 5.4.1

Software Release Date: 03/01/2005
Updated Date: 08/30/2013

Summary:

This release note documents the version 5.4.1 feature release of the FirePass remote access controller. It applies to both the English edition and the localized editions.

To review the features introduced in this release, see New features and fixes in this release. Existing customers can apply the software upgrade to systems running version 5.0 and later. For information about installing the software, refer to Installing the software.

Note: Version 5.4.1 replaces version 5.4 and includes all features and fixes from previous versions.

Note: F5 now offers both feature releases and maintenance releases. For more information on release policies, please see Description of the F5 Networks software version number format on AskF5.

Contents:

- Minimum system requirements and supported browsers
- Supported platforms
- Installing the software
- New features and fixes in this release
     - New features
     - Fixes in this release
- Known issues


Minimum system requirements and supported browsers

The minimum system requirements for this release are specific to your operating system.

Microsoft Windows

  • Windows® 98 with Dial Up Networking (DUN) 1.4 update and Client for Microsoft Networks. The Client for Microsoft Networks, available as an option on the Windows 98 installation CD, is required for FirePass controller's Network Access setup.
  • Windows® Me
  • Windows® 2000
  • Windows® XP (see the note about the Microsoft update needed for Windows XP Service Pack 2)
  • Windows Mobile™ 2003 (Microsoft Pocket PC 2003 and Microsoft Pocket PC Phone Edition 2003)

Important: If you are running Windows XP Service Pack 2, you must install a hotfix (Windows XPSP2 Update KB884020) in order to resolve an issue (CR39338) which causes the FirePass SSL VPN product to not connect. You can find the update at Update for Windows XP Service Pack 2 (KB884020). For the latest information from F5 Networks, see SOL3289: FirePass compatibility with Windows XP Service Pack 2 clients on AskF5.

Note: You may find it helpful to have the Windows 98 and Windows Me distribution media available as you set up the FirePass controller. Occasionally, changing installation settings for Windows 98 and Windows Me requires that you copy information from the install media.

Note: FirePass 5.4.1 does not support Windows NT. For more information, see End of Life Announcement for the Windows NT client support feature in FirePass on AskF5.

Macintosh

  • Apple® Mac OS® X 10.2
  • Apple Mac OS X 10.3

Linux

  • Workstations with libc version 2 and later
  • Kernel support for PPP interfaces (loadable module or statically built in)
  • PPPD program in the /sbin directory

Solaris

  • Solaris™ Operating Environment version 9 on SPARC® systems

Supported browsers

The supported browsers for remote access provided through the FirePass controller are:

  • Microsoft® Internet Explorer, version 5.0, 5.5, or 6.0
  • Netscape® Navigator, version 4.7X
  • Mozilla® version 1.7 on Apple Macintosh® and Linux® systems
  • Mozilla version 1.4 on Solaris systems
  • Safari® version 1.0 and 1.2 on Apple Mac OS X 10.2 and 10.3 systems
  • OpenWave® WAP browser
  • i-mode phone
  • Microsoft Pocket PC 2003 and Microsoft Pocket PC Phone Edition 2003
  • Firefox 1.0 Sun 1.5.0

Supported platforms

This release supports the following platforms:

  • FirePass 1000
  • FirePass 4000
  • FirePass 4100

Note: The version 5.4.1 release does not support the FirePass 600 platform.

Installing the software

Note: If you are running any version previous to FirePass version 5.0, you must first upgrade to version 5.0 before upgrading to 5.4.1. For instructions for upgrading to version 5.0, see SOL4272: Upgrading a version 4.x FirePass controller to version 5.0 on AskF5.

Note: Once you upgrade the FirePass controller to version 5.4.1, you cannot downgrade to any previous version. For more information, see SOL2847: Restoring a previous software version on AskF5.

Warning: Prior to upgrading any FirePass controller, it is important to finalize all your network configuration settings. To do this, click Device Management on the navigation pane, expand Configuration, and click Network Configuration. Click the Finalize tab at the upper right to finalize your network configuration changes. If the Finalize tab does not appear on the Network Configuration screen, your configuration has been finalized.

Important: Back up the FirePass controller configuration before upgrading the controller. If you have a newer FirePass controller, use the Snapshot feature to back up the entire controller configuration. For more information, refer to SOL3244: Backing up and restoring FirePass system software on AskF5. To back up older FirePass controllers, click Device Management on the navigation pane, expand Maintenance, and click Backup/Restore. Click the Create backup of your current configuration link to back up the FirePass controller configuration. See the online help for details.

Upgrading from version 5.0 or later

The following instructions explain how to install FirePass 5.4.1 onto existing systems running version 5.0 or later.

To upgrade to version 5.4.1

  1. On the Administrative Console, in the navigation pane, click Device Management, expand Maintenance, and click Online Update.

  2. Select the link for Release 5.4.1 to upgrade the FirePass controller.

For more information about installing and configuring version 5.4.1, see chapter 2 of the FirePass Controller Handbook. To install a new FirePass controller, please refer to the printed Quick Start Instructions, included with the product.

New features and fixes in this release

The FirePass 5.4.1 release contains the following new features and fixes.

New features

You can find the list of fixes in Fixes in this release.

Portal Access enhancements

Java bytecode rewrite for web applications

  • Automatically re-signs rewritten, Java-signed .jar and .cab archives to support access to the network, local hard drives, etc.
  • Supports URL rewriting for any Java bytecode contained in class files, as well as .jar and .cab archives using reverse proxy.

Enhanced JavaScript rewrite support

  • Rewrites a wide variety of JavaScript content in web pages.
  • Provides out-of-the-box reverse proxy support for JavaScript-based web applications.

Split tunneling support for web applications

  • Selectively rewrites specific URLs that are part of web applications accessed through Intranet Webtop. You can apply the selective URL re-write for resources at the master-group level.
  • Provides faster end-user performance when accessing public web sites.

Dynamic caching support for web applications

  • Support for controller-side caching for web applications.
  • Increased performance for web applications.

View as HTML option for Mobile E-Mail

  • Provides a View as HTML link in Mobile E-Mail to display the body of the email.

Endpoint security

Flexible endpoint policy enforcement

Flexible endpoint security policy enforcement controls access:

  • Before and after user logon.
  • Across all access modes (to the network, at the portal, and for the application).

Configurable master-group level endpoint security policies

  • Supports configuration based on client environment attributes, certificates, protected workspace, and so on.
  • Enables specification of endpoint policies that need to be verified at the individual resource (Favorites) as well as Webifyer level.
  • Enables enterprises to set policies based on the trust level of the client device (corporate-managed computers, home computers, kiosk) and provides access to specific resources based on the client device trust level.
  • Supports administrative control over the user's ability to leave the protected workspace, providing additional security for remotely accessed data.

Pre-logon trusted IP and client-configuration check

  • Pre-login trusted IP and client configuration check allows access to specific resources based on the client's device-trust level.
  • Secures the enterprise network from vulnerable and virus-infected clients as well as prevents password-guessing attacks.

Client antivirus check

  • Provides broad, certified support for pre-login client antivirus checks for more than 10 AV vendors, including Symantec, Trend Micro, McAfee, Computer Associates (eTrust), F-Secure, Kaspersky, Sophos, Panda, Zone Labs, and others.
  • Checks for several antivirus attributes, including the presence of the antivirus software and version, and the presence of the latest antivirus signatures, as well as whether an antivirus engine is active.
  • Out-of-the-box certified interoperability with a variety of client antivirus products helps organizations leverage their existing investment in client antivirus software for VPN endpoint security, while eliminating integration costs and lowering total cost of ownership (TCO).

    Note: The FirePass product license provides antivirus and firewall functionality as add-on modules available on the 1000 and 4x00 platforms.

Personal firewall check

  • Provides broad, certified support for pre-logon checks for several personal firewalls, including Sygate, Zone Labs, Microsoft, McAfee, and Symantec.
  • Checks whether the firewall is installed and running.
  • Out-of-the-box certified interoperability with a variety of personal firewall products helps organizations leverage their existing investment in personal-firewall software for VPN endpoint security, while eliminating integration costs and lowering TCO.

    Note: The FirePass product license provides antivirus and firewall functionality as add-on modules available on the 1000 and 4x00 platforms.

Application Access support

Host access enhancements for VT, 3270 Terminals

  • Supports keyboard mapping.
  • Eliminates the need for third-party host access software.

Policy-based routing

  • Maps routing tables to resource groups. This allows for advanced policy-based routing capabilities. The FirePass controller can use routing tables to map resource-group traffic to particular VLANs.

Network Access support

Static IP support per user

  • Network Access supports assigning a static IP based on the user, when the user establishes a network access VPN connection.
  • Provides options for assigning static IP in multiple ways:
    • Defined for specific users in the user database (this is the default first priority).
    • Automatically mapped based on RADIUS Framed-IP-Address attribute (this is the default second priority).
  • Assigns the user an IP dynamically from the IP address pool if no static IP is defined for a specific user.
  • Uses the IP information for a specific user for remote desktop support.

Usability

Visual policy editor

  • Provides unique support for graphical definition and simplified management of endpoint security policies. You can very easily and accurately define a visual flow-chart for even sophisticated endpoint security policies.
  • Drastically simplifies policy definition and automates policy configuration and management, resulting in lowest TCO.
  • Enables security auditors to easily audit security policies without requiring expert product knowledge.

30-minute install

  • Quick Setup wizard guides even non-experts to install and configure the system in 30 minutes.

Logon and portal page customization

  • Enables administrators to completely customize an entire logon and webtop web page to suit their existing corporate web-site portals.
  • Uploads the custom pages using WebDAV capability.
  • Enhances the end-user experience with a customized look-and-feel.

Auto-launch VPN

  • Supports auto-launch of network access VPN favorites, which enhances end-user experience and lowers end-user support calls.

Complete login and webtop customization

  • Administrators can completely customize an entire login and webtop web page to suit their existing corporate web site portals, and can upload the custom pages using WebDAV capability.
  • Customized look-and-feel enhances the end-user experience.

Authentication support

Native ACE authentication

  • FirePass 5.4.1 can use the RSA native ACE protocol to authenticate users when using RSA 2-factor, token-based authentication.
  • With native ACE support, administrators can use their authentication method of choice for RSA 2-factor authentication.

Client certificate authentication enhancements

  • Provides increased flexibility for the FirePass controller authentication and dynamic group mapping support to extract the user logon name and group information from the client certificate.
  • Supports additional client certificate issuer restrictions, and you can verify fields in the certificate against Active Directory attributes.
  • Using client certificate authentication enables full automatic logon. When this is enabled, users are automatically logged into the FirePass webtop when navigating to the FirePass controller front-door.

Enterprise integration

  • VPNC-Certified interoperability with corporate web portals and Exchange guarantees application interoperability and lowers testing and deployment costs.
  • Provides out-of-the-box interoperability with common corporate web applications such as Outlook Web Access (OWA), iNotes, SharePoint Portal, and a wide variety of web applications (including dynamic web applications based on Java and JavaScript).
  • Supports external users with the new external group type, which enables management of user information completely external to the FirePass controller, leveraging existing user directories and scaling the number of users without any system-imposed limits on user count.

Group management

Multiple group mapping - RADIUS

  • Queries the RADIUS server for group information and automatically maps multiple RADIUS groups to FirePass controller-based resource groups.
  • Uses group mapping to simplify deployment and shorten time to deploy in large-scale environments.

Primary domain use

  • Queries for a user's primary Active Directory group (in addition to all other groups the user belongs to), enabling use of primary domain for additional dynamic group mapping or authentication access configuration.

Performance and scalability

Support for 2000 concurrent users

  • Supports up to 2000 concurrent user sessions on the 4100 platform.
  • Reduces the number of devices needed for large-scale enterprise implementation, and simplifies management.

New heartbeat version

  • Provides alternate failover heartbeat implementation, which is more stable under very heavy loads. You can enable the new failover heartbeat using the FirePass Maintenance Console, available in the Telnet access section on the Device Management : Maintenance : Troubleshooting Tools screen.

Fixes in this release

The FirePass controller, version 5.4.1 includes the following fixes.

Windows password expiration handling (CR30900)
Previously, remote users who always used the FirePass controller to log on to their Windows domain resources were never alerted when their password expired. Now, when using Active Directory or Windows Domain authentication, the FirePass controller checks at logon for a reset or expired domain password. If one is detected, the FirePass controller shows a password-change form to the user, requiring entry of the current password as well as a new password. The FirePass controller then contacts the Active Directory or Windows Domain server and updates the password on behalf of the user.

Note: To work with Windows Domain, the administrator must check the Join Windows Domain box and enter valid administrative credentials when configuring authentication.

RADIUS authentication in multi-group environments (CR31381)
RADIUS authentication now works with more than one group configured.

International character-handling in share name (CR35244)
Previously, using the FirePass Windows Files functionality on an English-based Windows 2000/2003 server with multi-language support did not correctly show share names containing non-English characters. This is now fixed, and the FirePass controller shows the correct share name for single-language environments. See issue Multi-language support in Windows Files (CR45645) for information about multi-language environments.

Blank screen accessing Domino Web Access using Windows 98 (CR36816)
Windows® 98 can now log on to Domino Web Access® (DWA) sites without problems.

Double quotation marks in URL variables (CR36982)
The Url variables box of the Portal Access : Web Applications screen now shows double quotation marks correctly.

Second Telnet connection to Maintenance Console (CR37213)
Accessing Maintenance Console using a second Telnet connection now works.

FirePass 5.4.1 security audit (open port) concerns using syslogd and Desktop Access (CR37254)
The FirePass controller no longer keeps open port 514.

Group name length (CR37544)
Group names are no longer limited to 16 characters. Names may now contain 48 characters including the period (.), underscore (_), and hyphen (-), but no spaces, symbols, or other punctuation.

Network Access summary status on Windows 98 systems (CR37554)
On Windows® 98 systems, the Network Access client control now updates the packet status, visible on the Summary tab.

Incomplete localization of protected workspace folder names (CR38016)
Protected workspace folder names now show correctly localized names.

File corruption when downloading zipped folders with Chinese names (CR38063)
In versions 5.0 to 5.2.1, if a path contained two or more folders with Chinese names, then the zip file name could become corrupted. This corruption problem is now fixed.

Incomplete support for multiple SSL-VPN favorites on Pocket PC-based browsers (CR39147)
FirePass 5.4.1 supports your option to choose SSL-VPN favorites from multiple links on a Pocket PC-based browser.

Missing deleted messages in mobile email (CR39288)
You can now choose a folder for deleted IMAP messages, or you can select an option to delete them immediately.

Missing multipart MIME email attachments in mobile email (CR40033)
The email parser now properly provides attachments in mobile email.

Untranslated desktop installation prompt (CR40126)
In the localized Chinese version, the Copying files installation message previously encountered in English now shows in Chinese.

4K SSL server certificate import with FIPS (CR40474)
Previously, importing a 4K SSL server certificate caused an Apache-restart error. FIPS supports only 512-, 1024-, and 2048-bit SSL server certificates. The import now posts an alert and prevents the import from continuing, so Apache is not affected at all.

User deactivation during test of an Active Directory group mapping (CR40491)
The FirePass controller no longer deactivates an invalid Active Directory user who was manually added to a group.

Installation issue with SSL-VPN on Solaris (CR40568)
Installation now sets the environment variable properly, to LD_LIBRARY_PATH=/usr/local/lib.

Intermediate client certificate install support (CR40697)
Previously, you had to install intermediate client certificates along with the client root certificate. FirePass 5.4.1 provides you the ability to enter intermediate client certificates as well.

Lost connections switching from advanced to simple mode in standalone VPN client (CR40702)
When you establish a connection using the standalone VPN client in advanced mode, you can have multiple types of connections (SSL VPN and App Tunnel). In simple mode, the standalone VPN client only supports SSL VPN connections. Any other connections are terminated. This is by design. FirePass 5.4.1 provides an option to enable reconnection and posts a confirmation request indicating that the user will lose all the active Application Tunnels and Terminal connections.

FirePass controller restore of Desktop Access functionality (CR40821)
Previously, restoring from one controller to another caused Desktop Access to stop working. FirePass 5.4.1 supports backup to different controllers, and keeps Desktop Access functional.

Option for specifying language (CR40987)
Version 5.4.1 provides an option on the Customization page, Change configured language, that you can use to select from the various localized languages available.

UTF-8 character set in Mobile E-Mail (CR41107)
Previously, if a Japanese Mobile E-Mail message contained certain vendor-specific Japanese characters that do not appear in the standard character set, the FirePass controller encoded the email using the UTF-8 character set, instead of using the default ISO-2022-JP character set. However, many Asian email clients do not support UTF-8. Now, if the message cannot be encoded in the specified encoding, the FirePass controller returns users to the compose-email page with a warning, requiring users to change the character set or delete the character.
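
The encode-or-reject behavior described in CR41107, as an added example (not F5 code). The function names and sample messages are constructed, and Python's `iso2022_jp` codec is assumed as a stand-in for the controller's ISO-2022-JP handling:

```python
# Added illustration, not FirePass code.
# Assumption: Python's "iso2022_jp" codec represents the default
# ISO-2022-JP character set named in the release note.
DEFAULT_CHARSET = "iso2022_jp"


def unencodable_chars(text, charset=DEFAULT_CHARSET):
    """Return [(offset, char)] for each character the charset cannot represent."""
    bad = []
    for offset, ch in enumerate(text):
        try:
            ch.encode(charset)
        except UnicodeEncodeError:
            bad.append((offset, ch))
    return bad


def prepare_body(text, charset=DEFAULT_CHARSET):
    """Encode strictly in the requested charset, with no silent UTF-8 fallback.

    Returns (payload_bytes, None) on success, or (None, warning) when the
    message must go back to the compose page.
    """
    bad = unencodable_chars(text, charset)
    if bad:
        listing = ", ".join(
            "U+%04X at offset %d" % (ord(ch), offset) for offset, ch in bad
        )
        warning = (
            "Message cannot be encoded as %s (%s). "
            "Change the character set or delete the character." % (charset, listing)
        )
        return None, warning
    return text.encode(charset), None


# Constructed sample bodies. The second contains U+2460 (circled digit one),
# a vendor-specific character that is not in the standard JIS X 0208 set.
PLAIN_BODY = "会議は明日です"
VENDOR_BODY = "会議は\u2460番の部屋です"

if __name__ == "__main__":
    for body in (PLAIN_BODY, VENDOR_BODY):
        payload, warning = prepare_body(body)
        if warning:
            print("rejected:", warning)
        else:
            print("encoded %d bytes as %s" % (len(payload), DEFAULT_CHARSET))
```
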

Corrupted AppTunnel and Network Access connection names (CR41125)
FirePass 5.4.1 now supports double-byte characters in Network Access and AppTunnel Favorites in Mozilla or Netscape browsers. This fix is relevant for localized versions.

Using View as plain text on non-English files (CR41129, CR42183)
The View as plain text feature for Windows Files and Mobile E-Mail uses a heuristic algorithm to detect printable characters in English and Japanese. Therefore, this feature does not work for files that contain text in Chinese, German, or any other non-English language. You can work around this issue using the Load into browser feature instead.

Administrator access to resource groups (CR41131)
Formerly, to access resource groups, an administrator had to have access to all groups. FirePass 5.4.1 provides support for configuring administrator access to specific resource groups.

Adding new users with sign-up templates (CR41697)
Master groups using sign-up templates without dynamic group mapping no longer need the fallback group option set.

Logon failure using email for Active Directory authentication (CR42154)
The logon process now works when using email as the logon in an Active Directory authentication setup.

SSL VPN with iPaq driver load error: 2404 (CR42438)
The F5 Com port driver has an FFN7 name now. Parameters for RAS phonebook have a changed entry-creation process.

SQL DB errors occur when users are logged on during an upgrade (CR42439)
FirePass 5.4.1 provides the ability to lock out new user sessions on the Device Management : Maintenance : User Session Lockout screen.

Japanese character display (CR43052)
Previously, some Japanese characters displayed incorrectly in Windows files, Terminal Server, and Web Applications favorites. Now, the correct characters display.

Using View as Text feature on double-byte files (CR43397)
Previously, viewing some attachments containing Japanese, Chinese, or other double-byte characters showed incorrect characters or formatting, making the file appear to be corrupted. Now text/plain attachments show without ASCII filtering, so all text shows correctly. This fix is relevant for localized versions.

Single sign-on support for FirePass controller using both RADIUS and VASCO (CR43479)
FirePass 5.4.1 now provides support for single sign-on for RADIUS and VASCO for all attributes except IETF RADIUS attribute number 26 (the vendor-specific code).

Expiration Time option functionality (CR43518)
Expiration Time under Reports : Sessions now indicates the correct estimated expiration time for the user's session.

No access to resource groups with ' (single quote) in the name (CR43748)
The apostrophe ( ' or single quote) is now a permissible character.

Network access controls connection failure after reboot (CR43792)
Now SSL VPN works after workstation reboots. This was an issue only with beta versions of FirePass 5.4.1.

Japanese characters in attached Mobile E-Mail HTML file name (CR43853)
Previously, Japanese characters displayed incorrectly in Mobile E-Mail HTML file names. Now, the FirePass controller displays the correct characters.

Incorrect link for more information on installing MSI packages (CR43917)
The new link is as follows: Installing a Package with Elevated Privileges for a Non-Admin

Japanese characters in Mobile E-Mail .zip file names (CR44315)
Previously, Japanese characters in Mobile E-Mail .zip file names caused a file-save error. Now, you can save without error.

Japanese characters in Mobile E-Mail .rar file names (CR44316)
Previously, the FirePass controller lost the .rar extension when saving Mobile E-Mail files named with Japanese characters. Now, you can save without loss.

Support for certain Japanese characters in favorites (CR44349, CR44350)
Previously, favorites containing certain Japanese characters failed. Now, the FirePass controller correctly handles Network Access and UNIX favorites containing all Japanese characters.

Japanese characters in Mobile E-Mail HTML email (CR44485)
Previously, Japanese characters displayed incorrectly in HTML Mobile E-Mail. Now, the FirePass controller displays the correct characters.

Application Tunnels through proxy server (CR44636)
Previously, using large numbers of Application Tunnels could result in performance degradations or even dropped connections with high traffic through the proxy. Now, the Application Tunnel through the proxy server handles a high number of connection requests without dropping them.

Performance slowdown with Network Access (SSL-VPN) service (CR44774)
Previously, running the Network Access service resulted in a slow resource leak for each new Network Access connection. The resource leak is not present in version 5.4.1.

Character set use in HTML Mobile E-Mail (CR44827)
Previously, the FirePass controller showed the Mobile E-Mail body in UTF-8 encoding, even though ISO-2022-JP was the page character set. Now, the FirePass controller uses the correct character set.

RADIUS access-challenge functionality in sign-up-by-template (CR44973)
Previously, when the RADIUS server sent an access challenge, the FirePass controller responded by requiring the user to log on a second time. Now, the FirePass controller recognizes the access-challenge code from the RADIUS server, and only presents one logon request.

Attack notification functionality on Japanese systems (CR44980)
Previously, the FirePass controller did not send attack-notification email on Japanese systems. Now, the FirePass controller correctly sends email when conditions match the system-attack configuration.

Uploading Windows files from UNIX systems (CR45021)
Previously, you could not upload files from UNIX systems. Now, you can.

Tilde (~) functionality in Japanese-language URLs (CR45034)
Previously, the tilde (~) character in Japanese-language URLs rendered links nonfunctional. Now, the FirePass controller correctly processes Japanese-language links containing the tilde (~) character.

Functionality of ending user sessions (CR45217)
Previously, clicking the link Kill all sessions (except this one) ended one session. Now, clicking the link ends all sessions.

Effect of upgrade on user visibility (CR45240)
Previously, upgrading FirePass software caused non-admin user accounts with full admin privileges to lose the ability to see users. Now, the User Management screen shows users correctly.

Expansion of non-alphanumeric characters in logon names (CR45248)
Previously, the system did not correctly expand user logon names that contained non-alphanumeric characters when substituting the logon name (%username%) in the favorite. Now, the system expands logon names correctly.

Non-alphanumeric characters in logon names created in 5.2.1 or earlier (CR45278)
Previously, logon failed when logon names created in 5.2.1 or earlier contained non-alphanumeric characters. Now, logon works correctly.

McAfee VirusScan 4.5.1 and SSL VPN Policy Checking on Windows 98 (CR45301)
Previously, McAfee VirusScan 4.5.1 SP1 running on Windows 98 did not work correctly with FirePass SSL VPN Policy Checking. Now, this works correctly.

Nonfunctional application paths in Terminal Servers (CR45311)
Previously, applications that you started from Terminal Servers links did not work. Now, they work.

Missing webtop links (CR45376)
Previously, webtop links were missing when a user logged in and navigated to MyDesktop and back to MyNetwork. Now, links remain.

RADIUS dynamic group mapping of logons containing special characters (CR45377)
Previously, RADIUS dynamic group mapping failed if logons contained the at sign ( @ ) or other non-alphanumeric characters. Now, these logons work.

Intranet webtop URL variables (CR45395)
Previously, after update, Intranet webtop URL variables were truncated. Now, update has no effect on URL variables.

Security issues when switching from the protected workspace (CR45427)
Previously, when users switched from the protected workspace, any mapped drives remained available, and the content of the Windows clipboard was visible. Now, the system clears the clipboard when the user leaves the protected workspace. In addition, there is an option to control whether the user can switch out of the protected workspace.
Note: This fix does not address the issue of having access to mapped drives outside of the protected workspace.

FTP password functionality (CR45479)
Previously, the FTP password displayed in clear text in the input field. Now, the input field contains no clear text password.

Japanese content corruption (CR45768)
Previously, Japanese content was corrupted when sent from a WAP device. Now, the FirePass controller correctly processes Japanese content originating from a WAP device.

Network Access tunnel termination (CR45771)
Previously, if a user logged out of the FirePass controller webtop without first closing the Network Access status window, the VPN connection could stay open for up to a minute, blocking all traffic over the connection. Now, the system shows an alert, indicating that the Network Access connection has terminated, and the Network Access status window and the connection close.

Known issues

The FirePass controller, version 5.4.1 includes the following known issues. You can find localization-specific known issues in Localization known issues.

Certificates in Lotus Notes (CR28747)
You can open a Lotus® iNotes® mailbox with an expired server certificate. However, you must have a current certificate to open the same mailbox through the FirePass controller.

Length limitations on My Files share names (CR28778)
The FirePass controller has the same length limitations on share names as older versions of Windows (Windows 95, Windows 98, and Windows NT). This limitation applies only to share names, not to directory names, file names, or path specification. Single-byte share names must be 13 characters or less, and double-byte share names must be 6 characters or less. It is possible to view the contents of longer shares by typing the explicit path from the FirePass My Network Files Go dialog box.

Deleted emails in Outlook (CR28854)
If you use an IMAP email server, Outlook does not provide any visual indication when a user marks an email for deletion.

Question mark in LDAP URL (CR30914)
If the filter portion of an LDAP query contains an embedded question mark, the query may fail.

Page Not Found error in Setup Wizard (CR30978)
When the Quick Setup wizard finishes, the FirePass controller restarts automatically. The controller's IP address and host name are generally changed during the initial Quick Setup configuration. The browser attempts to connect to the page using the previous IP address, and generates a Page Not Found error. To correct the display, type the new IP address or the new host name in the browser address field, and press the Enter key.

Host name after Quick Setup (CR31505)
When you use the Quick Setup for initial configuration of the FirePass controller, ordinarily you change the host name of the controller. After you restart the controller, your browser still attempts to connect to the previous (default) host name. You must enter the new host name in your browser address field to reconnect to the configured FirePass controller.

Basic HTTP authentication with an external server (CR31506)
If you configure a group to authenticate users over HTTP, you must specify an object in the path you set for the external server. Otherwise, authentication fails. For example, the URL http://myauthserver.com fails, but http://myauthserver.com/ succeeds.

Progress bar during online update (CR31670)
During an online update of FirePass controller software, occasionally the third progress bar freezes, and does not indicate the true status of the update. The update, however, ordinarily completes as expected.

Automatic URL-decode javascript variables (CR33580)
URL decoding may be completely fixed in this release, so you may not notice the implications of the lack of URL decoding with the new reverse-proxy functionality.

Online upgrade and page refresh (CR34238)
During an online upgrade operation, if you perform any action that refreshes the upgrade page, including opening a new browser window, the page refresh corrupts the upgrade. Do not disturb an upgrade in progress.

The Tab key use in Host Access with Sun JVM (CR34485)
When using Host Access, you cannot use the Tab key for navigation in Sun JVM.

IPSwitch IMail POP problem with My Email (CR34504)
The SASL authentication bug in IMail prevents use of POP. Using the FirePass controller to access email on IMail server results in erroneous authentication failures with My Email. However, you can use the IMail server configured for IMAP.

Duplicate records in Extra Access log (CR34544)
Each record in the Extra Access log occurs twice.

RADIUS challenge response with Cryptocard and blank passwords (CR34959)
FirePass 5.4.1 does not accept blank passwords when using RADIUS challenge response with Cryptocard. The workaround is to enter a temporary password and later correct it.

UNIX Network File Share directory-delete restriction (CR36352)
You cannot delete a UNIX® Network File Share directory while accessing the file system using the FirePass controller's UNIX Files function.

Monitor Statistics/System Load page data mismatch (CR36658)
The difference in the data shown on the Monitor Statistics page and the System Load page may be an issue for only the 4100. We are still testing this.

App Tunnels drive mapping with invalid or missing SSL server certificate (CR36803)
If you have not yet purchased and installed a valid SSL certificate on the FirePass controller, then when users attempt to connect to a mapped drive using App Tunnels, the first attempt in a session usually fails. Subsequent attempts using the Relaunch button may succeed. However, we recommend installing a valid server certificate as soon as possible.

Moving users among groups (CR36808)
When you move a user from one group to another, the FirePass controller does not prompt for additional data that may be required by the target group. For example, a user moved from a group using LDAP authentication to a group using internal database authentication may lack a password in the internal database account record. This can potentially result in failures of authentication. To prevent these failures, verify the completeness of user account records using the Users : User Management screen.

Constant restart of Flash (CR36933)
Flash constantly restarts at the www.kurzweilai.net web site.

Network Access fails on Windows 2000 computer (CR37050)
If you use Windows® 2000 with Service Pack 4 installed, when you attempt to install the Network Access client control, you may receive the following error message: An error occurred during the installation of the device. The inf or the device information set or element does not match the specified install class. The installation fails. This is a Microsoft problem described on this Microsoft support page.

Authentication does not check proxy settings (CR37072)
The FirePass controller form-based authentication component does not check or use proxy settings or proxy server credentials. Do not configure a FirePass controller to perform HTTP or HTTPS-based authentication using a proxy server.

Misleading error using unsupported browser on Linux system for Network Access (CR37113)
If you use an unsupported browser (for example, Opera®) on a Linux® system to establish a Network Access connection, you may receive a misleading error message: This is for Win32 OS only. In fact, you can establish a Network Access connection from x86-based Linux systems, but you must use a supported browser (Mozilla 1.6 or 1.7).

Network Access over dial-up connection where IPsec VPN client is present (CR37127)
You cannot use Network Access over a dial-up connection from a remote Windows® 2000 or Windows XP system that also has a Check Point® SecuRemote/SecureClient IPsec VPN client installed. You can use Network Access over dial-up with a Check Point IPsec VPN client; however, the Network Access connection may take a long time to close, and you must drop and redial the connection to the ISP in order to continue with Internet access.

Browser incompatibility on X Window System with Sun JRE 1.3.x (CR37174)
X Window System::Java client does not work with Windows XP, Windows 2000 Professional, Mozilla 1.7.3, Java™ Plug-in: Version 1.3.0_01, when you are using JRE version 1.3.0_01 Java HotSpot™ Client VM. From the Mozilla release notes: "Java J2SE releases previous to 1.3.0_01 will not work with Mozilla. Problems have been reported with JRE 1.3.1. For best results JRE 1.4.1 is recommended."

Network Access on Safari 1.0 browser on OS X 10.2 (CR37217)
The Network Access control for Macintosh® OS X version 10.2 does not install properly under the Safari® 1.0 browser. The page repeatedly prompts you to install it, even if you have already installed it, but you cannot use it. The Safari 1.0 browser does support the FirePass controller's HTML-based functional components: PortalAccess, Mobile E-mail, Windows Files, Unix Files, and for Desktop access, the Java client only. You can use Safari 1.2 as the Network Access browser.

High traffic levels on Management port can cause 4100 platform to reboot unexpectedly (CR37341)
On a 4100 hardware platform, high levels of traffic through the Management port may cause the unit to reboot. The Management port is intended only for direct connection to the Administrative Console. We do not recommend connecting the FirePass controller to the LAN using this port. An unexpected 4100 reboot can also occur if you connect to the Management port with a hub, due to high levels of traffic on the hub. Use a switch rather than a hub when connecting to the Management port.

Saving RSA key using Legacy Hosts with SSH terminal (CR37383)
When you use Legacy Hosts with a terminal type of SSH, and you use a recent version of SSH, you may see a prompt asking if you want to save the RSA key fingerprint for the target server. When you reply Yes to continue the connection, you see this error message: Failed to add the host to the list of known hosts (/home/uroam/.ssh/known_hosts). The connection still works, but you cannot save the RSA key fingerprint. Disregard the error message.

Accessing system after changing the Desktop Access computer name (CR37441)
If you change the system name of an installed Desktop Access computer, take these steps to access it again using Desktop Access.

  1. Delete the previous name using the Desktop Access : Installed Desktops screen.

  2. Delete the old key using the Desktop Access : Key Management screen.

  3. Using the same screen, generate a new key.

  4. Reinstall the Desktop Agent on the target computer, using the new key.

Linux client installation halt (CR37476, CR41552)
Sometimes the SSL VPN Linux client automatic installation halts unexpectedly. The halt may be due to insufficient privileges. If your users experience failed installations, you can advise them to follow the instructions for manual installation, given in the user help for Network Access. If they still experience problems, you can offer them the following steps:

  1. First, completely remove the client using the following commands:

    rm -rf /usr/local/lib/F5Networks
    rm -rf .F5networks
    rm .mozilla/plugins/np_F5_SSL_VPN.so

  2. Follow the FirePass Knowledge Base instructions under FirePass Webtop : Network Access, available at https://<your_FirePass_controller>/kb/.

  3. Restart the browser and try it again.

Incorrect user home page customization (CR37615)
Changes made on Users : User Experience screen after initial configuration sometimes fail to resequence categories on the users' home pages, or to govern the font sizes as intended.

Network Access restart on Linux systems (CR37690)
On some Linux distributions, you cannot start second and subsequent Network Access sessions within a single browser session immediately after closing the first connection. Either wait two minutes, or restart your browser.

Scope of FirePass 5.4.1 Handbook (CR38310)
The FirePass 5.4.1 Handbook scope and intent is to cover some of the new issues from earlier versions. This release does not contain a fully updated handbook. However, there is extensive online help for all the new features. In addition, we have updated many existing topics with additional content and procedures. We are planning updates as well as a more comprehensive administrator guide.

SNMP trap setting refusal even with defined hosts (CR39354)
The FirePass controller refuses the SNMP Trap setting, even if you have defined the hosts. Although we believe we have corrected this issue, if you experience it, the workaround is to use IP addresses instead of host names.

Start VPN connection button on the PDA SSL VPN (CR39429)
The Start VPN connection button on the PDA SSL VPN client does not become the Stop VPN connection button after you start a connection. You can successfully start the connection using the button.

Incorrect display of links and pictures (CR39491) (CR43191)
On the www.alcatel.com site, the www.microsoft.com site, and maybe others, some links and pictures display incorrectly. FirePass 5.4.1 should correct these Flash-related problems, but some may remain.

Left navigation pane/screen mismatch (CR40356)
When you navigate using links within the screens, the navigation pane (on the left) and the content of the right pane do not synchronize.

Drive mapping overwrite of existing share (CR40546)
When you create a new drive-mapping using an already-mapped share name, the system overwrites the existing share without warning.

Lack of terminal services support through Internet Explorer for the Macintosh (CR40618)
The FirePass controller does not support terminal services through the Internet Explorer browser on Macintosh® systems. For more information about Macintosh OS support, see SOL3364: FirePass support for Mac OS clients on AskF5.
Note: Microsoft no longer supports Internet Explorer for the Macintosh OS.

Default web application URL for resource group (CR40637)
The default URL for a web application is determined at a resource-group level. If a user has multiple resource groups assigned, the web application default is picked up from the last resource group assigned to a user.

Incorrect user information attribute with first name (CR40694)
Mapping the user's first name against an Active Directory account results in a first name of Administrator, not the actual first name of the user. This error occurs only with the test mapping. Actual mapping by the FirePass controller works correctly, and the user can log on without problem.

Incorrect online help for NFS Users (CR40759)
The online help page for the Portal Access : Unix Files : Import NFS Users screen incorrectly states that the /etc/passwd file includes the $passwd field. The $passwd field does not appear in the /etc/passwd file.

Deleting system logs (CR41134)
The Device Management : Maintenance : Logs screen erroneously offers an option to delete all system logs. This option does not delete the system logs, and you should not attempt to delete system logs completely. However, you can use the remaining options to purge old entries.

Authentication requirement for access to shared folders (CR41486)
In Windows Files, you must use the IP address to share folders if the user needs to be authenticated; selecting a computer name from the left pane does not work.

Impersonating a user outside of an administrator's authorized groups (CR41569)
Administrators with access to the Users : Impersonate User screen can impersonate users who are outside their scope of authority. Until we have corrected this issue, we recommend that you use the Device Management : Security : Administrators > Feature access screen to disable this privilege for administrators with restricted group access, by not configuring the Users : Impersonate User.

Restoring FIPS systems breaking imported keypairs (CR41573)
If you have imported keypairs into a FIPS card and have reinitialized the card since making the most recent backup, then restoring your configuration may render some web services inaccessible. If you use FIPS and then, after restoring your configuration, you lose access to the Admin Console, use the Maintenance account to reinitialize the FIPS card. To correct your configuration, re-import the keypairs you need.

Local redirect instead of full redirect with < DNS/ (CR42669)
If you attempt a full redirect, from admin to admin/, you actually get a local redirect. This problem does not occur if the DNS is configured.

Redirect in frame (CR42676)
The redirect to an unlicensed page may occur in a frame when a timeout interval has elapsed.

iNotes compression and caching issue (CR43026)
The iNotes application only works with Enable Compression set and Cache nothing at the remote browser.

Post-logon uninstall of previously installed ActiveX components (CR43139)
The post-logon option Uninstall ActiveX components downloaded during FirePass session does not uninstall ActiveX components that were installed before user logon.

Siebel Call Center 7.7 login issue (CR43287)
Siebel Call Center 7.7 cannot log in. Two windows appear after successful login. Although the main window tries to connect directly, the smaller window tries to connect through the FirePass controller. Eventually the process halts, and an error appears in the browser status bar.

Changing landing URI during active session (CR43296)
The landing URI does not return to its standard appearance after you make changes. You must open a new window to have changes take effect.

Problem for VLAN-based web applications with enabled cache (CR43445)
The Web Application Cache serves content by looking at the destination URL only. It does not consider the resource group of the requested resource. This can cause an invalid response to be served, if multiple resources across different resource groups are identified using the same URL. We recommend that you do not use the Web Application Cache in this situation.
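The following added example (not FirePass code) models the behavior described in CR43445: a toy cache keyed on the destination URL alone serves one resource group's response to another, and `colliding_urls` audits a resource list for the situation in which the note recommends not using the cache. The group names, URLs, and the URL normalization rule are constructed assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample: (resource group, web application URL) pairs.
RESOURCES = [
    ("finance", "http://10.0.0.5/index.html"),
    ("guest", "HTTP://10.0.0.5:80/index.html"),
    ("guest", "http://intranet.example/"),
    ("finance", "https://intranet.example/"),
]


def normalize(url):
    """Canonical form used to compare URLs (assumed rule: case-insensitive
    scheme and host, default port made explicit, empty path treated as '/')."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    path = parts.path or "/"
    query = f"?{parts.query}" if parts.query else ""
    return f"{scheme}://{host}:{port}{path}{query}"


def colliding_urls(resources):
    """Return {normalized URL: sorted group names} for every URL that is
    defined in more than one resource group."""
    seen = defaultdict(set)
    for group, url in resources:
        seen[normalize(url)].add(group)
    return {u: sorted(g) for u, g in seen.items() if len(g) > 1}


class ProxyCache:
    """Toy response cache. scoped=False keys on the URL only (the behavior
    CR43445 describes); scoped=True adds the resource group to the key."""

    def __init__(self, scoped):
        self.scoped = scoped
        self.store = {}

    def get(self, group, url, fetch):
        key = (group, normalize(url)) if self.scoped else normalize(url)
        if key not in self.store:
            self.store[key] = fetch(group, url)
        return self.store[key]


def origin(group, url):
    """Constructed origin: each group reaches a different host at the same URL."""
    return f"content for {group}"


def replay(scoped):
    """Request the same URL first as 'finance', then as 'guest'."""
    cache = ProxyCache(scoped)
    return [cache.get(g, u, origin) for g, u in RESOURCES[:2]]


if __name__ == "__main__":
    print("collisions:", colliding_urls(RESOURCES))
    print("URL-only key:", replay(scoped=False))
    print("group-scoped key:", replay(scoped=True))
```

A non-empty result from `colliding_urls` identifies the configurations to which the recommendation above applies.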

Pre-logon infinite sequence (CR43509)
The pre-logon sequence functionality enables you to create a sequence that results in an infinite loop by choosing a subsequence that references itself as one of the final actions. If you create a sequence whose action includes a reference to itself, the end-user's browser halts during logon. To avoid this problem, check to make sure the final outcome of a subsequence is not a reference to the same subsequence.
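The check recommended above can be automated once the sequences are written down as a graph. This added example (not FirePass code) finds self-references and, as a generalization beyond the case the note describes, indirect loops such as A to B to A; the dictionary layout, sequence names, and the `allow`/`deny` outcome names are hypothetical.

```python
# Constructed names for final outcomes that end the pre-logon sequence.
TERMINAL = {"allow", "deny"}

# Constructed sample: each sequence maps to the actions its branches end in.
# An action is either a terminal outcome or the name of another sequence.
SEQUENCES = {
    "default": ["check_av", "deny"],
    "check_av": ["check_firewall", "deny"],
    "check_firewall": ["allow", "check_av"],  # indirect loop back to check_av
    "kiosk": ["kiosk", "deny"],               # direct self-reference
    "clean": ["allow", "deny"],
}


def find_loops(sequences):
    """Depth-first search over sequence references.

    Returns every loop found as a list of names that starts and ends with
    the same sequence, for example ['kiosk', 'kiosk'].
    """
    unvisited, in_progress, done = 0, 1, 2
    state = {name: unvisited for name in sequences}
    loops = []

    def visit(name, path):
        state[name] = in_progress
        path.append(name)
        for action in sequences[name]:
            if action in TERMINAL:
                continue
            if action not in sequences:
                raise ValueError(
                    f"{name!r} references unknown sequence {action!r}")
            if state[action] == in_progress:
                # The reference points back into the current path: a loop.
                loops.append(path[path.index(action):] + [action])
            elif state[action] == unvisited:
                visit(action, path)
        path.pop()
        state[name] = done

    for name in sequences:
        if state[name] == unvisited:
            visit(name, [])
    return loops


if __name__ == "__main__":
    for loop in find_loops(SEQUENCES):
        print(" -> ".join(loop))
```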

File save with FireFox 1.0 (CR43936)
Using a right mouse click to save an attachment does not work in FireFox 1.0. To save the file, copy the link and paste it into the browser address bar.

Restore from 4000 to 4100 (CR44273)
Backing up and restoring from a FirePass 4000 to a FirePass 4100 does not restore settings for Device Management : Customization : Global Customization, Device Management : Configuration : SMTP Server, or Device Management : Configuration : Admin E-Mail. Because of different internal network setups on the 4000 and 4100, the backup operation cannot restore these settings.

OWA and iNotes caching requirement (CR44536)
OWA and iNotes require some caching, so for OWA and iNotes, choose an option other than the Cache nothing at the remote browser. Performance may suffer. Some advanced web applications may malfunction. As an alternative, you can configure a special UI mode in the pre-logon sequence for OWA, iNotes, i-mode, Pocket PC, Wireless Markup Language (WML) clients, and other mobile browsers. Choosing this UI mode automatically enables the caching and compression settings best suited to the browser type.

Load balancing deactivate (CR44778)
Load balancing does not turn off unless you first clear the Allow optional manual logon to slave nodes from master logon page check box and then set Load Balance to off.

SharePoint document support (CR44815)
Microsoft Office documents that you download from SharePoint Office (such as Word documents, Excel spreadsheets, and others) cannot accept the SharePoint Update functionality; the application shows a warning dialog box. However, you can still edit and save the document. If the document you open is a read-only version, the most likely reason is that other processes did not properly release the lock on the document. To work around this problem, you can use the Save As feature to save the document using a different name.

Client certificates for external users (CR44888)
FirePass 5.4.1 stores client certificates on the FirePass controller. If an external server maintains your user accounts, and you want to use client certificates for your users, you must use your company's CA infrastructure. FirePass cannot distribute client certificates that it does not create. For more information, refer to the online help for client certificates.

Window flash during client logon (CR44889)
With a pre-logon sequence that scans for antivirus, the scanning component briefly posts an in-progress window after it scans each. Within a second or so, the component removes the window. Therefore, during logon, users may experience window-flashes as they log on. The window does not take focus away from the active application, but users may see flashing in the background.

ZoneAlarm activation detection (CR44931)
FirePass controller antivirus components detect the presence of ZoneAlarm 3.5.166.0 but not whether it is active. We plan to address this in a future release.

Show as plain text functionality (CR45057)
In Windows Files, viewing a file As plain text does not show the last line if it has no return at the end. To work around this issue, add a final return character at the end of any text files.

No caching requirement for VLAN web application (CR45123)
In addition to turning the cache off for web applications, if you use group-based VLAN to access hosts with the same host name/IP address on different VLANs, follow these steps:

  • On the Portal Access : Web Applications : Caching and Compression screen, clear the box for Enable Dynamic Cache on FirePass. Generally improves WebApplications performance.

  • In the Web Application Global Settings section of Caching and Compression, select Cache nothing at the remote browser. Performance may suffer. Some advanced Web Applications may malfunction.

Blank help and attachments windows in OWA (CR45150)
When you have more than one instance of Internet Explorer running and you try to open help or the attachment window for email, the window may be blank. This does not happen every time. You can click the Help button a second time to open the help. The attachment window may not work until you close the other browser instance.

OWA .zip attachment handling (CR45152)
When trying to open a .zip attachment using Windows' Compressed Folder, users can receive the error message: The Compressed (zipped) Folder is invalid or corrupted. This is due to a bug in Internet Explorer that occurs when users have no external application, such as WinZip, associated for opening .zip archives in Windows. To work around the issue, users can save the attachment first, and then open it using the target application, including Windows' Compressed Folder. To save the attachment, users can right-click the attachment and choose Save Target As.

Licensed options appear differently (CR45157)
In Network Configuration, if you have not yet activated your license, some items are missing and others say "Require license." This does not affect finalizing the setup. The setup completes without problems, and the items appear after license activation.

Using the at sign in the Active Directory logon (CR45446)
You can use the email address as your Active Directory logon, and your email address can (and must) contain the at sign ( @ ). However, Active Directory logons that are not email addresses cannot contain @.

Sign-up by template with RADIUS and RSA SecurID (CR45738)
If you configure both RSA SecurId and RADIUS as authentication methods, you cannot use sign-up by template simultaneously for both methods.

Backup/Restore of VLAN routing tables (CR45791)
In backup and restore of VLAN settings, the FirePass controller does not restore the routing tables, although it does restore VLAN interfaces and IP addresses.

Logon to Intranet Webtop using i-mode (CR45799)
When you specify Intranet Webtop access for a group of users, i-mode-based mobile users cannot log on. A logon attempt results in the FirePass controller posting the following message: URL address is not valid(302).

Split tunnel for Network Access on PocketPC (CR45800)
FirePass 5.4.1 does not support split tunnel for Network Access on the Pocket PC.


Localization known issues

Viewing EUC or JIS-encoded Japanese text files (CR30091)
On a Japanese FirePass controller, when you display a text file from a UNIX® (NFS) server, My UNIX Files always assumes Shift-JIS encoding, even when the browser is set to auto-detect the encoding of the document. As a result, NFS documents that use JIS or EUC encoding do not display correctly.

Euro symbol in Password (CR30346)
When you configure a group with NTLM authentication with a Windows 2000 Primary Domain Controller, and also use the signup by template feature, the FirePass controller does not correctly send passwords containing a € (Euro currency) symbol. Please advise new users not to use this symbol when they select their passwords.

English desktop installation messages (CR40603)
When you install Desktop Access, the message Uncompressing files displays in English, even in localized copies of FirePass controller. If an invalid installation key is used, a second untranslated message appears: Invalid product code, please retry.

Non-English Windows Internet Explorer halt with SSL VPN first connect (CR41183)
Occasionally the SSL VPN connection can halt when using non-English versions of Microsoft Windows. To work around this issue, you can close the browser using the Windows Task Manager and try connecting again.

Localization of pre-defined actions (CR44620)
In non-English systems, the pre-logon sequence screen lists the pre-defined actions in English.

Localization of pre-defined templates (CR44798)
In non-English systems, the Protected Configurations screen shows the pre-defined templates in English.

Multi-language support in Windows Files (CR45645)
When you use the FirePass Windows Files functionality on an English-based Windows 2000/2003 server with multi-language support, the system does not correctly show share names containing non-English characters.

