Software Release Date: 10/23/2005
Updated Date: 08/30/2013
This release note documents the version 5.5 release of the FirePass controller. It applies to both the English edition and the localized editions.
To review the features introduced in this release, see New features and fixes in this release. Existing customers can apply the software upgrade to version 5.0 and later. For information about installing the software, please refer to Installing the software.
Note: For the FirePass 1000, 4000, and 4100 platforms, version 5.5 replaces version 5.4.2 and includes all features and fixes from previous versions.
Note: F5 now offers both feature releases and maintenance releases. For more information on release policies, please see Description of the F5 Networks software version number format on AskF5.
The minimum system requirements for this release are specific to your operating system.
Important: If you are running Windows XP Service Pack 2, you must install a hotfix (Windows XP SP2 Update KB884020) in order to resolve an issue (CR39338) which keeps the FirePass controller from connecting. You can find the update at Update for Windows XP Service Pack 2 (KB884020). For the latest information from F5 Networks, see SOL3289: FirePass compatibility with Windows XP Service Pack 2 clients on AskF5.
Note: You might find it helpful to have the Windows 98 and Windows Me distribution media available as you set up the FirePass controller. Occasionally, changing installation settings for Windows 98 and Windows Me requires that you copy information from the install media.
Note: FirePass 5.5 does not support Windows NT®. For more information, see SOL3840: End of Life Announcement for the Windows NT client support feature in FirePass on AskF5.
Note: FirePass 5.5 supports the Safari® browser for automatically installing the network access client. You must manually install the Macintosh network access client when you use a different browser.
The supported browsers for remote access provided through the FirePass controller are:
This release supports the following platforms:
This release supports a variety of antivirus and firewall software. To use antivirus and firewall software inspectors with a pre-logon sequence check, you must install on the controller the antivirus and firewall license, which you can obtain from your F5 Networks sales representative or reseller. To view supported antivirus and firewall software, click one of the following links. Each link references a separate document, unique to the particular operating system.
Warning: Prior to upgrading any FirePass controller, it is important to finalize all your network configuration settings. To do this, on the navigation page, click Device Management, expand Configuration, and click Network Configuration. Click the Finalize tab at the upper right to finalize your network configuration changes. If the Finalize tab does not appear on the Network Configuration screen, your configuration has been finalized.
Warning: Group-based policy routing has been moved from resource groups to master groups at the Users : Groups : Master Groups screen. After upgrading to version 5.5, you must manually create new associations between your master groups and any routing tables that were associated with resource groups. Routing tables are no longer associated with resource groups. Before you upgrade, we recommend that you record these routing tables. For more information, refer to SOL5502 on AskF5.
Warning: The version 5.5 software uses a new heartbeat module, which is not compatible with the heartbeat module in previous versions. Therefore, when you upgrade one unit in a failover pair, it might restart as the Active unit while the second unit is still running as the Active unit. This might cause IP conflicts with the virtual IP address (if a failover pair has two Active units running at the same time). This can happen because of upgrading the controller to the new heartbeat module. When you upgrade and restart the second unit of the failover pair, the IP conflicts stop because each unit now recognizes the other unit as part of its failover pair. For more information, refer to SOL4467: Best practice: Upgrading a redundant pair of FirePass controllers.
Important: Back up the FirePass controller configuration before upgrading the controller. If you have a newer FirePass controller, use the Snapshot feature to back up the entire controller configuration. For more information, refer to SOL3244: Backing up and restoring FirePass system software on AskF5. To back up older FirePass controllers, click Device Management on the navigation pane, expand Maintenance, and click Backup/Restore. Click the Create backup of your current configuration link to back up the FirePass controller configuration. See the online help for details.
Warning: On 4100 platforms, if you are performing a local upgrade to release 5.5, you must first install HF-48784-1.
Note: If you are running any version previous to FirePass version 5.0, you must first upgrade to version 5.0 before upgrading to 5.5. For instructions for upgrading to version 5.0, see SOL4272: Upgrading a version 4.x FirePass controller to version 5.0 on AskF5.
Note: Once you upgrade the FirePass controller to version 5.5, you cannot downgrade to any previous version. For more information, see SOL2847: Restoring a previous software version on AskF5.
The following instructions explain how to install FirePass 5.5 onto existing systems running version 5.0 or later.
Note: Once you upgrade, the following software fixes might affect your users. Before rolling out release 5.5, please review the following CRs and make any necessary configuration changes:
The FirePass 5.5 release contains the following new features and fixes.
Content processing (CR29989)
You can now use the <FP_DO_NOT_TOUCH> and </FP_DO_NOT_TOUCH> HTML tags to prevent the FirePass Web Applications engine from rewriting content between these tags in the following ways:
License feature limits (CR34505)
The FirePass controller now generates an SNMP trap when its licensed feature limits are exceeded.
DNS suffix (CR35953, CR44816)
You can now configure a DNS suffix to send to Network Access clients (use the Network Access : Resources screen on the DNS tab using the Default domain suffix setting). If you do not configure this option, the FirePass controller sends its own DNS suffix to the client.
Standalone client and saving session information (CR39858)
With the standalone client, you can now save session information; for example, a user name and password.
Decrypt SSL data in the network traces (CR40131)
For troubleshooting, the FirePass controller can now decrypt SSL data in the network traces gathered in the Network packet dump area at the Device Management : Maintenance : Troubleshooting Tools screen.
Administrative email (CR41185, CR44351)
The FirePass controller now provides the following new administrative email options at the Device Management: Configuration: Admin E-Mail screen:
Download VPN client for Pocket PC (CR41364)
Previously, to download the VPN client and emulator for the Pocket PC, you had to connect to the webtop. You can now download the VPN client for Pocket PC and VPN client for Pocket PC emulator at the Device Management : Client Downloads : Windows CE (Pocket PC) screen.
Change to administrator's email notification (CR41531)
When a user attempts to log on to the FirePass controller's administrative console with a non-administrative account, the FirePass controller now sends an email similar to the following:
Non-administrator account <user> attempted to access admin account on the FirePass <FQDN> (<s/n>).
Signup by templates and Active Directory (CR41867)
When you use the signup by templates feature with Active® Directory, it now populates the user information from the Active® Directory server.
Resource groups and inheriting settings (CR42157)
When you create a new resource group at the Users : Groups : Resource Groups screen, you can now inherit settings from an existing resource group by using the following options:
These options allow you to easily create complex resource groups based on existing resource groups.
Log policy checks and network access (CR42894)
When a network access policy fails, the client sends information about the policy failure to the FirePass controller, which stores this information in its system logs.
Legacy hosts (CR43057)
Previously, the FirePass controller did not support double byte characters for legacy hosts. Now the controller supports double byte UNICODE characters in UTF-8, UTF-16 and UTF-32.
Remove VPN dial up entries from client (CR43113)
The FirePass controller now removes dial up entries from the client when the client's VPN connection is terminated or when the cache cleanup is enabled at the Users : Endpoint Security : Post-Logon Actions screen.
Restarting and network configuration (CR43680, CR47709)
In some cases, after you have committed your changes to the network configuration you do not need to restart the controller in order for the changes to take effect. When you finalize your changes, the system now prompts you if you need to restart your controller.
Standalone client (CR43797, CR43798, CR43799, CR43800, CR438001, CR45938, CR46131, CR48383, CR49163)
The following enhancements are now available for the standalone client:
UTF-8 support (CR43864)
The FirePass controller now supports UTF-8 for the user name and the common name (CN) in the client certificate.
Overlapping IP pools (CR44326, CR47044)
The FirePass controller now supports overlapping IP address pools at the Network Access: Global Settings screen.
Default time zone for all log entries (CR44708)
On a FirePass controller, the default time zone for all log entries is now set to GMT. If you want to change the time zone for all the log entries, go to the Device Management : Configuration : Time screen.
Support of port ranges as a part of App Tunnel definition (CR44791, CR45295)
You can now define a range of ports for a single tunnel at the Application Access : App Tunnels : Resources screen.
Scalable fonts for Vt-100 terminal (CR44982)
End users can now change font size inside the Java applet using Alt-+ and Alt--. You configure this feature at the Application Access: Legacy Hosts: Resources screen using the Legacy Hosts Keyboard Map settings.
Full text search and index for online help (CR45126)
The online help now provides an index and full text search.
Restricting access to App Tunnel direct connections (CR45299)
To restrict App Tunnel direct access connections to a set of allowed sites, ports, or both, you can now define a range of allowed IP addresses and ports for master groups by selecting the Limit AppTunnels Access to Favorites only option and then the Allow Direct Connection limited by the scope option at the Application Access : App Tunnels : Master Group Settings screen.
Apache and ModSSL (CR45456)
The FirePass controller now uses Apache, version 1.3.33 and ModSSL, version 2.8.22-1.3.33.
Native NTLM authentication services (CR45534)
When prompted by the FirePass controller, Windows® domain users can now change their passwords. The user can change the password only when prompted. For example, when a new Windows account is created with this option: User must change password at next logon, or when the password expires. In these instances, the controller prompts for a new password at logon (after the current credentials are entered).
Network Access and split tunneling (CR45928)
Previously, if you did not enable split tunneling at the Network Access: Resources screen with the Client Settings area, all traffic (except traffic for the local subnet) was sent through the VPN. You can now also use the following options:
Log IP addresses of users when they fail to log on (CR46000)
The FirePass controller now emails the following message to the administrator when users fail to log on: Please check the Logons page in the Reports section of the Admin console for additional details, including the IP address for all logon attempts
Minimal content rewriting and reverse proxy (CR46054)
To support very complex applications which have trouble with the default reverse proxy, you can use the alternative host/port-based bypass or pattern-based bypass option in the Minimal Content-Rewriting Bypass area at the Portal Access: Web Applications: Master Group settings screen.
Offload SSL processing to a BIG-IP Local Traffic Manager (CR46368, CR49305)
The FirePass controller now supports offloading of SSL processing to a BIG-IP® Local Traffic Manager. With the FirePass controller, you configure this feature using two screens.
You also configure a virtual server on the BIG-IP® system. For more information about offloading SSL processing to a BIG-IP® system and virtual servers, see the BIG-IP® local traffic manager documentation.
Note: When you use this feature, the FirePass controller does not support Desktop Access, and you must configure administrative access on an SSL web service on the FirePass controller.
Automatically launch domain logon script Access (CR46588)
At the Network Access: Resources screen using the Launch Application tab, you can automatically launch a domain logon script after establishing a Network Access connection. Type logon in the App Path field and type <domain_controller_ip_address> %username% or <domain_name> %username% in the Parameters field, where <domain_name> and <domain_controller_ip_address> are either a target domain name or an IP address of the domain controller. The following is a list of requirements for using this feature.
Reverse proxy and modifying Java applets (CR47009)
You can now disable the reverse proxy bypass rewriting on Java applets by clearing the Automatically patch Java Applet check box in the Web Applications Global Settings area at the Portal Access : Content Processing screen using the Global Settings tab.
Network packet dump for VLAN interfaces (CR47013)
The controller now supports capturing network packets for VLAN interfaces at the Device Management: Maintenance: Troubleshooting Tools screen.
ICAP client (CR47062, CR49254)
You can specify path and port of the ICAP server at the Portal Access: Content Inspection screen using the settings on the Antivirus tab.
Group-based policy routing for Windows Files (CR47071)
The FirePass controller now supports Master-group based policy for Windows Files. You can also specify a WINS server for each master group in the Advance Windows Files Settings area at the Portal Access: Windows Files: Master Group Settings screen.
Group-based policy routing for Mobile Email (CR47072)
The FirePass controller now supports Master-group based policy routing for Mobile Emails. You can also specify outgoing and incoming mail servers for each master group in the Corporate mail account area at the Portal Access: Mobile E-mail screen. If no outgoing mail server is configured at the master group level, the FirePass controller uses the global outgoing mail server configured at the Device Management : Configuration: SMTP screen.
Reverse proxy support for Centricity web application (CR47328)
The 1000 platform now provides reverse proxy support for the Centricity web application.
New session variable: session.ui_mode.mode (CR47353)
To check if a remote network device is a standalone client, you can specify the variable, expression session.ui_mode.mode==standalone in
Record logon limits (CR47355)
When you select the Limit the number of concurrent sessions for this group option (using the General tab at the Users: Groups: Master Groups screen), and the group limit is exceeded, the FirePass controller now records this information at the Reports : Logons screen under the individual user name. The FirePass controller also now records the failed log on attempts and the reasons at the Reports: System Logs screen.
Packet filtering rules (CR47374, CR48450)
With packet filter rules, you can now specify the source address and mask at the Network Access: Global Settings screen. You can also log packet filtering rules configured at either the Network Access : Resources screen using the IP Group Filters tab, or the Network Access: Global Settings screen.
Reverse proxy and cookies (CR47468)
To prevent end users from viewing cleartext cookie values, select the Obfuscate cleartext cookies option in the Web Applications Global Settings area at the Portal Access : Web Applications: Content Processing screen using the Global Settings tab.
Security settings (CR47656)
The controller now provides the following security settings:
App logs and extended App logs (CR47703)
To provide aggregate and per-user application logs or extended App logs, the controller now provides the following features:
Adding new browsers (CR47835)
To troubleshoot browsers that are not supported on the FirePass controller, you can record which browser parameters are used by all FirePass controller users. Select the Save parameters for used browsers option in the Collect browser information area at the Device Management: Network Configuration : New Browsers screen. You save the collected browser parameters to a file and send them to F5 Networks support. F5 then updates the controller's browser database. To obtain the updated browser database, install a special hotfix or upgrade to the next release.
Note: Like packet trace, this feature is intended to be used temporarily, in this case, long enough to record the browsers that are not supported. After you collect the browser parameters and send them to F5 support, you must clear the Save parameters for used browsers check box; otherwise, the performance of the FirePass controller decreases.
FirePass controller integration with Whole Security (CR47995, CR50884)
You can now integrate the FirePass controller and WholeSecurity's Confidence Online™ Server. For more information about how to use this feature, see the FirePass Integration with Whole Security Deployment Guide. For information about other controller deployment guides, click here and select the FirePass tab.
Client certificates (CR48127)
The procedure for generating a certificate for a client has changed. You now use the Users: User Management screen and follow this procedure.
Dynamic packaging of MSI clients and ActiveX components (CR48200)
You can now create a customized MSI package to install on clients at the Device Management : Client Downloads screen.
Single signon (CR48681)
Using HTTP form-based authentication, the FirePass controller now supports single signon for Network Access and App Tunnels. To use this feature, enable the Pass cookies to client on successful logon at the Users : Groups : Master Groups : Authentication screen.
Mysqld and default timeout (CR48757)
We have changed the default inactivity timeout for mysqld to 300 seconds, which improves the controller resources. The new default timeout corresponds to the default HTTPD timeout.
Logging pre-logon system messages (CR48917)
With endpoint security, you can now log pre-logon system messages to the system log. To do so, click the Logger link at the Users: Endpoint Security : Endpoint Inspectors screen.
Configurable cluster synchronization interval (CR48921)
When you enable clustering, you can now specify a time to periodically synchronize the members of a cluster in the Cluster synchronization Time Interval area at the Device Management: Configuration : Clustering and Failover screen. By default, synchronizing members of a cluster is set to once every 10 seconds.
IPsec and support for the Authentication Header protocol (CR49038)
For IPsec, the controller now supports Authentication Header (AH) protocol. When you enable this feature at the Device Management : Security: IPsec Configuration screen, the FirePass controller uses both AH and ESP authentication.
Mobile email and navigation links (CR49231)
The controller now provides navigation links at the bottom of each screen for mobile email users using handheld browsers. You can also specify an outgoing mail server for a master group level at the Portal Access: Mobile Email screen.
Pre-logon inspection and protected configuration (CR49310)
With endpoint security, the controller now supports a Logon Allowed protection criteria that uses the session.result variable to determine whether the client has sent the data collected during pre-logon check. The administrator can use the Logon Allowed protection criteria in the Protected configuration and associate it with the webtop.
Support for Clam AV® app-antivirus, version 0.86.2 (CR49776, CR51519, CR54212)
The FirePass controller integrates Clam AV® app-antivirus, version 0.86.2.
FirePass controller system MIB (CR50083)
The FirePass controller now supports a new FirePass controller system MIB. To monitor FirePass controller devices, you must download this MIB. To obtain this MIB, navigate to the Device Management: Configuration: SNMP screen, click the Help button, and click the Change Access Control link at the bottom of the help page.
Group-based policy routing (CR50401)
We have moved policy routing from resource groups to master groups at the Users : Groups : Master Groups screen. After upgrading to 5.5, you must manually create new associations between your master groups and any routing tables that were associated with resource groups. Routing tables are no longer associated with resource groups. Before you upgrade, we recommend that you record your routing tables. For more information, refer to SOL5502 on AskF5.
Support for Zlib packages, version 1.2.3 (CR50590)
The FirePass controller now uses Zlib®, version 1.2.3.
Pre-logon sequence and support for the Windows® 2003 server as a remote client (CR50671)
For pre-logon sequences, the FirePass controller now supports Windows® 2003 server as a remote client.
Define custom variable inspector (CR50951)
You can now define a custom variable using the Define custom variable inspector at the Users : Endpoint Security : Pre-logon Sequence screen, and then use it with a protected configuration at the User : Endpoint Security : Protect Configuration screen.
Desktop Access is disabled (CR51116)
By default, Desktop Access is now disabled. To enable Desktop Access, configure a Web service at the Device Management: Configuration : Network Configuration screen, using the Web Services tab.
Landing URI, hyphen, and underscore characters (CR52160)
You can now create a new landing URI with a hyphen (-) or underscore (_) character using the Customization tab at the Device Management : Customization screen.
Mailer inspector and pre-logon sequence (CR52743)
The FirePass controller now provides a mailer inspector and predefined action titled Send mail, for troubleshooting and testing a pre-logon sequence. In the mail inspector Endpoint Inspector Details area inside the visual policy editor at the Users: Endpoint Security : Pre-logon Sequence screen, you can specify an email address to send this information to, and also the body of an email message which can include session variables.
Display files by date and time (CR53720)
By default, the FirePass controller now sorts log files by date and time in the logs-*.zip files.
Limit to favorites only setting for new master groups (CR54215)
By default, users can only access favorites defined by the administrator. To let users also create and access their own favorites or open direct connections, clear the Limit to Favorites only check box at the Master Group Setting screen for each application.
This release includes the following fixes.
Support for non-English language logons for LDAP (CR28746)
Previously, the FirePass controller did not support non-English language logons for LDAP. Now it does.
Java VT-320 Telnet session (CR29887)
Previously, when you selected the 0 (Exit) option with a Telnet session using the Java VT-320 through the maintenance console, the window to the console did not close. The window now closes when you select this option.
Tab key use in Host Access with Sun JVM (CR34485, CR49848)
Previously, when you used Host Access, you could not use the Tab key when using the SUN® JVM®. Now you can.
Duplicate records in Extra Access log (CR34544)
Each record in the Extra Access log occurred twice in previous versions. Now each record correctly appears only once.
Network Access, split tunneling, and IP filtering (CR36354)
Previously, with Network Access, if you enabled the split tunneling for traffic and integrated IP filtering engine options, the Network Access client software might drop traffic if the VPN pool overlapped with LAN Address Space. The client no longer drops traffic.
Saving RSA key using Legacy Hosts with SSH terminal (CR37383)
Previously, when you used Legacy Hosts with a terminal type of SSH, and you used a recent version of SSH, you might see a prompt asking if you wanted to save the RSA key fingerprint for the target server. When you replied Yes to continue the connection, you saw this error message: Failed to add the host to the list of known hosts (/home/uroam/.ssh/known_hosts). This message no longer appears.
Linux client installation halt (CR37476)
Previously, the Network Access Linux client automatic installation might halt unexpectedly due to insufficient privileges. The automatic installation no longer halts unexpectedly due to insufficient privileges.
Incorrect user home page customization (CR37615)
Previously, changes you made on the Users : User Experience screen after initial configuration sometimes failed to re-sequence categories on the users' home pages, or to govern the font sizes as intended. The FirePass controller now re-sequences the categories and displays the correct font size.
Network Access restart on Linux systems (CR37690)
Previously, on some Linux distributions, you could not start second and subsequent Network Access sessions within a single browser session immediately after closing the first connection. You had to wait two minutes or restart your browser. With Linux systems, you can now restart on second and subsequent Network Access sessions within a single browser session immediately after closing the first connection.
Start VPN connection button on the PDA Network Access (CR39429)
Previously, the Start VPN connection button on the PDA Network Access client did become the Stop VPN connection button after you started a connection. In version 5.5, this issue is now fixed.
Incorrect display of links and pictures (CR39491, CR43191)
Previously, on the www.alcatel.com site, the www.microsoft.com site, and maybe others, some links and pictures displayed incorrectly. The FirePass controller now displays the links and pictures correctly.
Incorrect navigation path on the Dynamic Group Mapping screen (CR40356)
Previously, when you navigated to the Users: Groups: Dynamic Group Mapping screen, selected the Mapping methods tab and clicked Landing URIs, the FirePass controller displayed the incorrect navigation path. Now it shows the correct path.
Imported user names with extra spaces (CR40549)
Previously, when you imported user names, the FirePass controller added an extra space in the user’s name. It now imports user names correctly.
Extra spaces in Admin email on user password change (CR41079)
Previously, when a new user changed his password, the FirePass controller sent an email to the administrator that contained the name of the user and the user ID. The controller added an extra space between the user's first and last name, and between the comma and user name. Now it processes these names correctly.
Non-English Windows and Internet Explorer sometimes halted with first Network Access connection (CR41183)
Previously, the Network Access connection sometimes halted on its first attempt when using non-English versions of Microsoft® Windows®. Now it works correctly with non-English versions of Microsoft® Windows®.
Authentication requirement for access to shared folders (CR41486)
Previously, with Windows Files, to access shared folders from the FirePass controller, you needed to use the IP address if the user needed to be authenticated, because selecting a computer name from the left navigation pane on the webtop did not allow you to access the shared folders. Selecting a computer name now allows you to access shared Windows Files folders.
Linux client installation halt (CR41552)
Previously, the Network Access Linux client automatic installation might have halted unexpectedly due to insufficient privileges. It now installs correctly with sufficient privileges.
Impersonating users restriction for administrators (CR41569)
Previously, an administrator could impersonate a user in another group even though the administrator was restricted from doing so. Now the restriction works correctly.
SNMP agent shut down occasionally (CR41617)
Previously, the SNMP agent shut down occasionally when the FirePass controller was queried. Now, the SNMP agent runs correctly.
iNotes and OWA compression and caching issue (CR43026, CR44536)
Previously, in bypass mode, the iNotes and OWA applications did not work with the option Enable Compression and Cache nothing at the remote browser set at the Portal Access : Web Applications : Caching and Compression screen. Both applications now work with any caching and compression settings.
Active Directory and Russian localization (CR43295)
Previously, when you used a Russian version of Windows® 2000 Server as a Domain Controller and an Active Directory® server, the resource groups created in Russian did not display correctly. The resource group names are now displayed correctly in Russian.
File save with Firefox 1.0 (CR43936)
Previously, with Firefox® 1.0, you could not right-click to save an attachment using OWA 2000 or 2003 through Web Applications. You can now save the attachment with this method.
Restoring configuration settings from a backup file (CR44273)
Previously, restoring a backup file did not restore settings from the Device Management : Customization screen, Global Customization tab settings, the Device Management : Configuration : SMTP Server screen, or the Device Management : Configuration : Admin E-Mail screen. These settings are now restored accurately from the backup file.
iMode and pre-logon sequence (CR44285)
Previously, if a user used an NTT i-mode HTML Simulator, version 7.2, to access the FirePass controller, the session.ui_mode.mode variable was not set to the correct value, imode. The FirePass controller now sets the correct value.
Legacy hosts and xterm Java (CR44427)
Previously, for legacy hosts, the FirePass controller provided an unnecessary option called xterm Java at the Application Access: Legacy Hosts : Resources screen. We have removed this option.
Network Access and Mac OS X 10.3.x (CR44641)
Previously, if your client was running Mac OS® X 10.3.x, you might have been disconnected from Network Access when you accessed the controller using the Safari® browser when you did one of the following:
Now your connection remains active under these circumstances.
Terminal Server favorites (CR44748)
Previously, when you created a terminal server favorite with the apostrophe ( ' ) character, the FirePass controller also included the backslash ( \ ) character. Now it contains only the apostrophe character.
SharePoint document support (CR44815)
Previously, Microsoft® Office documents that you download from SharePoint® Office (such as Word documents, Excel spreadsheets, and others) could not accept the SharePoint Update functionality; the application showed a warning dialog box. The FirePass controller no longer displays an erroneous error message when you use the SharePoint Update. Also, some documents that you opened were read-only; the most likely reason was that other processes did not properly release the lock on the document. The documents are now properly released.
ZoneAlarm activation detection (CR44931)
Previously, the FirePass controller antivirus components detected the presence of ZoneAlarm® 22.214.171.124, but not whether it was active. Now the antivirus components also detect whether ZoneAlarm® 126.96.36.199 is active.
Legacy hosts and direct connection page (CR45023)
Previously, for Legacy hosts, the FirePass controller returned the user to the direct connection page instead of the Legacy Hosts favorite folder page. The controller now correctly returns the user to the Legacy Host favorite folder page.
Show as plain text functionality (CR45057)
Previously, in Windows Files, viewing a file As plain text did not show the last line if it had no return at the end. When you view a file As plain text, the last line now correctly shows when it has no return at the end.
Pre-login sequence and Windows 2003 (CR45088)
Previously, on Windows® 2003 systems, the pre-logon sequence stalled when it checked for a firewall. Now it works correctly.
OWA .zip attachment handling (CR45152)
Previously, when trying to open a .zip attachment using Windows Compressed Folder, users received the error message: The Compressed (zipped) Folder is invalid or corrupted. This was due to an issue in Internet Explorer that occurs when users have no external application, such as WinZip, associated for opening .zip archives in Windows. Now, opening a .zip attachment using Windows Compressed Folder works correctly and no longer displays an error message.
Licensed options appear differently (CR45157)
Previously, in Network Configuration screens, if you had not yet activated your license, some items were missing and others said Require license. This did not affect finalizing the setup. The setup completed without problems, and the items appeared after license activation. The licensing options now appear correctly in the Network Configuration screens.
Standalone client (CR45164, CR46393, CR48256)
Previously, the standalone client was unstable, disconnected, and had localization issues. In release 5.5, these issues are now fixed and the standalone client functions correctly.
OWA 2000 (CR45402)
Previously, when an email message containing URL links was forwarded through OWA 2000 or iNotes and accessed through the FirePass controller reverse proxy at the Portal Access: Web Applications: Content Processing screen, the links in the email were displayed incorrectly and the recipient could not access the resources associated with these links. The links in the email are now displayed correctly and the recipient can now access the resources associated with these links.
Signup by template with RADIUS and RSA SecurID (CR45738)
Previously, you could not have the signup by template feature configured for both RSA SecurID and RADIUS. FirePass controller now supports this configuration.
Password confirmation (CR45797)
Previously, the FirePass controller did not require that you confirm your password when you generated a client certificate at the Users: User Management screen with the Client Certificates settings. You are now required to confirm your password in this area.
Log on to Intranet webtop using i-mode (CR45799)
Previously, when you specified Intranet webtop access for a group of users, i-mode-based mobile users could not log on. A logon attempt resulted in the FirePass controller posting the following message: URL address is not valid(302). The controller no longer displays this message and i-mode-based mobile users can now log on.
Dynamic user groups for external users and Active Directory (CR45844)
Previously, if you created a dynamic user group for external users and used the Active Directory® at the Users : Groups : Master Groups screen, imported users were displayed in the wrong master group. This function now works correctly and imported users are now displayed in the correct master group.
Western European languages logon names (CR45889, CR46772)
Previously, the FirePass controller did not support logon names in Western European languages, such as German and Swedish. The FirePass controller 5.5 now supports logon names in non-English languages, such as German, French, Swedish, Chinese, and Japanese.
.inc files for landing URIs (CR46001)
Previously, the FirePass controller supported only three .inc files for landing URIs. Now the controller supports all .inc files for landing URIs at the Device Management: Customization screen using the URI-based Customization tab settings.
WAP devices sending erroneous emails (CR46192)
Previously, the FirePass controller sent an email to the administrator indicating that some WAP devices were not supported, even though they were. The controller no longer sends these erroneous emails to the administrator.
VT320 and legacy host mapping (CR46203)
Previously, with IBM850 and POSIX C legacy host keyboard mapping, the FirePass controller did not display the characters correctly. The characters are now displayed correctly.
WebDAV settings and synchronizing with a cluster or failover pair (CR46253)
Previously, WebDAV settings and custom content placed in the WebDAV sandbox did not synchronize with a cluster or failover pair (standby controller). Now they do.
Empty screen when logon fails (CR46285)
Previously, with an Exchange server your browser might have returned an empty screen if you selected all the following options at the Portal Access : Web Applications : Caching and Compression screen.
The browser now displays the screen correctly.
Numeric log on name for local user accounts (CR46416)
In previous versions, if you had local user accounts with numeric log on names, the log on name did not display in the logon field when you edited the user's details. With version 5.5, the log on name displays.
Logon names for localized languages length restriction (CR46389, CR46418)
Previously, the restriction for Japanese logon names was limited to 8 characters. For logon names in non-English languages, the FirePass controller now supports 255 characters, which allows 51 characters for Japanese.
TN3270 emulator not working (CR46849, CR51235, CR53004, CR54282, CR54581)
Previously, the TN3270 did not work correctly at the Application Access : App Tunnels : Master Group Settings screen. Now it does.
Network Access and drive mapping (CR46866)
Previously, when the end user disconnected from Network Access, the mapping to the drive still remained on the client. The mapping is now removed when the client disconnects from Network Access.
Japanese user names and Active Directory (CR46913)
Previously, you could not import Japanese user names with a forward slash ( \ ) from an Active Directory® server. Now you can.
End user's home page link (CR46953)
Previously, when end users accessed their Web applications on an English or Japanese FirePass controller, the controller omitted the user's name from the Home link. For example, the Home link displayed Home instead of John Smith's Home. The controller now correctly displays the Home link.
Also, in previous versions, when users accessed their Web applications on a Simplified Chinese or Traditional Chinese FirePass controller, the controller omitted the user's name from the Home link and displayed the Home link as 's Home and not, for example, John Smith's Home. The FirePass controller now correctly displays the Home link.
iMode clients limited access (CR46999)
Previously, limiting access to iMode clients did not work. Now limiting access to iMode clients works correctly.
App Tunnels favorites (CR47038)
Previously, when the user logged on to a Japanese FirePass controller, the FirePass controller did not display App Tunnel favorites on the user's webtop. In version 5.5, App Tunnel favorites are displayed correctly in this instance.
Landing URI and protected workspace (CR47046)
Previously, when a user accessed the FirePass controller using a landing URI and your security policy required a protected workspace, the FirePass controller did not redirect the user back to the landing URI once inside the protected workspace. The controller now redirects the user back to the landing URI.
Connecting to App Tunnel favorites (CR47053)
Previously, the Japanese version of the FirePass controller did not reconnect to App Tunnel favorites. Now it reconnects to App Tunnel favorites.
Running IPsec on FirePass 4100 controllers (CR47149)
Previously, IPsec did not work on FirePass 4100 controllers. IPsec now works on FirePass 4100 controllers.
Delete protected configurations (CR47248)
Previously, when you deleted a protected configuration at the Users : Endpoint Security : Protected Configurations screen, you could not use the Cancel button to back out of deleting the configuration. You had to use the Back button in your browser or select another menu. Now you can use the Cancel button to back out of deleting the configuration.
Default setting for SSL encryption (CR47322)
By default, the FirePass controller uses the Medium-grade security setting, which allows only ciphers supporting 128-bit or higher encryption. To change this setting, go to the SSL Cipher Security area at the Device Management: Security: User Access Security screen.
WAP devices and UTF-8 encoding (CR47371)
Previously, on some WAP devices, the FirePass controller might have sent pages in UTF-8 encoding on the mobile email composition page which the device could not display. The controller no longer sends UTF-8 to devices that it does not support.
Upgrade form-based authentication settings (CR47375)
Previously, when you upgraded from releases prior to 5.4.2, the HTTP form-based authentication settings might have been lost at the User : Groups : Master Groups screen with the Authentication option. The 5.5 version maintains those settings through upgrades.
RSA authentication in new PIN mode for external groups or for signup by template (CR47429)
Previously, RSA authentication in new PIN mode might have failed when you used external groups or enabled signup by templates if there were any additional fallback groups whose names started with a later letter. RSA authentication now works correctly.
Automatically installing the Network Access client on Linux (CR47431)
Previously, you could not automatically install the Network Access client on Linux using the Mozilla browser, because the controller referenced the wrong path to the Linux network access package. The controller now uses the correct reference, and you can now automatically install the Network Access client on Linux using Mozilla from the controller.
QAD application and Portal Access (CR47495)
Previously, the Java application QAD® did not work correctly with Portal Access. Now it works correctly with Portal Access.
Deleting favorites (CR47446)
Previously, you could not delete a favorite when an alias was associated with it. Now you can.
HTTPD memory space (CR47579)
Previously, in some rare cases, the FirePass controller might have used too much HTTPD memory space. The controller no longer uses too much HTTPD memory space.
VLAN range (CR47725)
Previously, when you entered a VLAN ID (tag) greater than 9999 at the Device Management : Configuration : Network Configuration screen on the VLAN tab, the FirePass controller displayed the erroneous warning Vlan tag should be a number between 1 and 9999. The correct VLAN ID range is a number between 1 and 4094. If you enter a VLAN ID greater than 4094, you now see the correct message.
Favorites and external users (CR47726, CR49481)
Previously, the controller incorrectly allowed external users to save personal favorites. For groups with external users, no user-specific settings should have been saved on the controller. Now, the FirePass controller no longer allows external users to save personal favorites.
Protected workspace and client system user level permissions (CR47772, CR52367)
Previously, if users had administrative privileges on their client, a user could delete the dynamic loading library and, as a result, bypass the protected workspace. The user can no longer bypass the protected workspace by deleting the dynamic loading library.
Dynamic master and resource group mapping (CR47990)
Previously, when you configured dynamic master and resource group mapping and enabled the Bypass signup by template form and enter user information later option at the Users: Groups: Master Groups screen using the Signup Templates tab, the end users on the first logon were assigned an erroneous resource group called Array and no resource groups were displayed on the webtop during their first logon. On the second logon, resource group assignment worked correctly. Resource group assignment now works correctly the first time.
Network Access and Mac OS X 10.4 (CR48020)
Network Access now works with Mac OS® X 10.4.
External users (CR48050)
Previously, external master groups were available in the list of master groups that you could reassign users to. Now only internal users are available for you to move to another master group.
Client certificate with Chinese CN (CR48125)
Previously, when the FirePass controller generated a client certificate for a user using the Chinese common name (CN), the installed certificate in Windows displayed the wrong encoding (Unicode). The certificate now displays the correct encoding.
Standalone client and Active Directory (CR48255)
Previously, the standalone client could not log on users to the FirePass controller with Active Directory® authentication. Now it can.
Mobile Email and attachments (CR48372)
Previously, if you created an email using Mobile Email with a long file name, the file name of the attachment was corrupted. The file name is now displayed correctly.
Windows file access (CR48380)
Previously, when the FirePass controller authenticated a user whose password contained a colon ( : ) , the end user could not access Windows Files favorites. End users can now access Windows Files favorites.
SNMP current sessions (CR48412)
Previously, the FirePass controller did not display the correct SNMP value for the number of controller sessions. The FirePass controller now displays the correct SNMP value.
Unauthorized access to PHP files (CR48470, CR50885)
Previously, unauthorized users might be able to access FirePass controller PHP files. Now they cannot access these files.
Routing table monitoring and Network Access (CR48569)
Previously, with Network Access, the controller did not monitor routing tables on a client PC. Now it does.
UNIX files and endpoint security (CR48601)
In previous versions, when you configured a UNIX file resource to have a protected configuration and the protected configuration failed or the pre-logon sequence was deactivated, users could still access the UNIX resource. In version 5.5, users can no longer access the protected UNIX resource if the pre-logon sequence is not used.
Clustering and erroneous system messages on user's webtop (CR48630)
Previously, with cluster load balancing turned on for some client accesses that were redirects to the cluster secondary unit, an erroneous system warning appeared on the user's webtop. The erroneous system warning no longer appears on the user's webtop.
Local upgrade on FirePass controller 4100 platform (CR48784)
Previously, on 4100 platforms, if you performed a local upgrade, the FirePass controller did not restart after it was upgraded. Now, after you upgrade to release 5.5 and then perform a local upgrade, the controller restarts correctly.
Code signing and cachecleaner.cab ActiveX control (CR48955)
Previously, the ability to re-sign the cachecleaner.cab ActiveX control and upload it back to FirePass controller should have been available but was not listed at the Device Management : Customization screen using the Code Signing tab. The cachecleaner.cab ActiveX control is now listed on that screen and you can re-sign and upload it back to FirePass controller.
Administrators accessing resource groups (CR48959)
In previous versions when you added a user as an administrator and deselected Allow access to all groups at the Device Management : Security : Administrative Realms screen, the user still had access to the selected resource groups. With version 5.5, the administrator no longer has access to unauthorized resource groups.
Also, in previous versions, if you created a new resource group for an administrator and added it to the list of available resource groups, the administrator could not access the added resource group. The administrator can now access newly created resource groups.
Post URL variables (CR48962)
Previously, when you selected the Post Url variables option for single sign on with portals and web applications at the Portal Access: Web Application : Resources screen, special characters caused problems with the FirePass controller %username% and %password% variables. In version 5.5, these issues are now fixed.
Scheduling a client CRL online update (CR48992)
Previously, when you configured a client revocation list (CRL) online update, the update might not run according to schedule. Now it does.
Underscore character in user name (CR49048)
Previously, if you had a legacy host with SSH access, and an end user tried to log on to the FirePass controller with a user name that contained an underscore (_) character, the user was denied access. In version 5.5, this issue is now fixed and a user name can now contain an underscore character.
Landing URIs and PDA Network Access (CR49162)
Previously, you could not specify the landing URI for a PDA to use Network Access. Now you can.
Safari plug-in creates an infinite loop (CR49228)
Previously, with the Safari® browser, version 1.3, identical HTTP GET requests sent by plug-ins were always cached by this browser. The Safari browser seemed to ignore no-cache directives in the HTTP header. This issue caused the Safari plug-in to create an infinite loop. The Safari® plug-in no longer creates an infinite loop and works correctly.
Bypassing a configured pre-logon sequence check (CR49310)
Previously, users with a valid user name and password could bypass a configured pre-logon sequence check because there was no standard way for the FirePass controller to determine whether the client sent the data collected during the pre-logon check. Now the protected configuration prevents users from bypassing a configured pre-logon sequence check when you use the Logon Allowed protection criteria in the protected configuration and associate it with the webtop.
App Tunnels and favorites (CR49386)
Previously, when an end user started an App Tunnel favorite through a proxy and the favorite contained more than one App Tunnel, he could connect only to the favorite started first. Now the end user can access all the App Tunnels under one favorite.
Pre-logon sequence check and client data (CR49425)
Previously, a pre-logon sequence check might incorrectly fail. The pre-logon sequence now works correctly.
Restricted access to App Tunnel favorites with a protected resource (CR49525)
Previously, when you configured an App Tunnel favorite to have a protected resource and the required pre-logon check failed, users could still access the protected resource. Now they cannot access the protected resource.
Network Access clients IP Address assignment using external RADIUS (CR49531)
Previously, IP Address assignment for Network Access using external RADIUS server did not work if the subnet mask was not specified. Now IP assignment works correctly.
Editing a pre-logon sequence (CR49784)
Previously, when you edited a pre-logon sequence and selected the back to console access link, the FirePass controller logged you out of your session. Also, when you tried to edit an action, the Edit Panel did not appear. This occurred when the FirePass controller used a secondary IP on an interface, and the secondary IP had a web service that was only available by Administrator access. The controller no longer logs the administrator out when he selects the back to console access link, and the Edit Panel now appears when you edit an action.
Disabling dynamic resource assignment (CR49785)
Previously, when you disabled dynamic resource assignment, the FirePass controller still dynamically mapped a resource group to an end user. Now, if dynamic resource is disabled, the controller does not continue to map the end user.
Truncated Japanese user names (CR49981)
Previously, on Japanese versions of the FirePass controller, the user name was truncated. Now it displays correctly.
Intranet webtop access for end users restricted (CR49985)
Previously, end users who were limited to accessing only their intranet webtop were still able to access the FirePass controller webtop. Now, if the end users are limited to the intranet webtop, they can access only their intranet webtop.
Concurrent sessions for external groups restricted (CR50059)
Previously, with external groups, the controller did not restrict the maximum number of concurrent sessions. The controller now restricts the maximum number of concurrent sessions correctly for external groups.
Host key mapping and VT320 (CR50185)
Previously, host key mapping with VT320 Java did not work for some key sequences. Host key mapping now works correctly.
Authenticating a case-sensitive user name (CR50213)
Previously, by default, the FirePass controller converted the entire user name to lowercase letters, and then sent the user name to the authentication server. You can now configure the controller to retain the case of a user name and send it to the authentication server, by selecting the option Treat user's logon name as case sensitive in the Case sensitive user logon name settings area at the Device Management : Security : User Access Security screen.
Using spaces in routing table names (CR50300)
Previously, the FirePass controller did not support spaces in routing table names. Now it does.
Citrix terminal server and security exception message (CR50420)
Previously, the FirePass controller displayed a security exception message when the Limit Terminal Servers Access to Favorites only option was enabled on the Citrix terminal server in the Screen resolution area at the Application Access : Terminal Servers : Master Group Settings screen. The connection between the Citrix terminal server and the controller now works correctly.
Customization area configuration lost (CR50440)
Previously, the configuration in the customization area at the Application Access: Global Settings screen was sometimes lost. The configuration is now saved correctly.
Linux Network Access client auto installation (CR50556)
Previously, on some localized versions of Linux operating systems, the auto installation on the Network Access client did not work. Auto installation now works correctly.
Memory paging graph SwapIn and PageOut numbers swapped (CR50663)
Previously, the memory paging graph displayed erroneous information; the SwapIn and PageOut numbers were swapped at the Device Management: Monitoring: System Load screen. The memory paging graph no longer swaps the SwapIn and PageOut numbers, and the graph now displays the correct information.
Pre-logon sequence check and client data (CR50950)
Previously, the client might have been able to log on to the controller without providing client data with a pre-logon sequence check. To correct this issue, check the Required valid pre-logon data for logon option at the Users: Endpoint Security : Pre-logon screen. In most cases, we recommend enabling this option when you use a pre-logon sequence. This option is not compatible with Windows and Pocket PC standalone clients prior to the release of FirePass version 5.5, and the protected configuration with Logon allowed criteria must be used to protect the webtop if users have such clients installed on their devices.
Passive FTP on Windows 2000 over an App Tunnel (CR51023)
Previously, passive FTP on Windows® 2000 over an App Tunnel did not work. Now it works correctly.
iNotes and Portal Access (CR51074)
Previously, when you accessed iNotes through Portal Access, the menus in the Web mail composer did not appear. The menus now appear.
Citrix Java client and connecting to the FirePass controller (CR51136)
Previously, when using SUN® Java, the Citrix® Java client could not connect to the FirePass controller. The Citrix Java client can now connect to the FirePass controller.
iMode phone and webtop (CR51231)
Previously, with iMode® phones, the FirePass controller could not display the webtop correctly when you selected the Back to Webtop link. The FirePass controller now displays the webtop correctly.
Specifying the time for scanning a process on the Windows Antivirus inspector (CR51236)
Previously, the Windows® antivirus inspector scanned every process for a fixed period of time: 44 seconds. You can now specify the time for scanning a process on the Windows antivirus checker Endpoint Inspector details screen at the Users : Endpoint Security : Pre-logon Sequence screen. By default, the scanning process is set to 5 minutes, and after the timeout, a new scanning process begins.
File checker inspector and Windows 98 (CR51238)
Previously, when you configured a pre-logon sequence check, the check file inspector did not work with Windows® 98. The check file inspector now works with Windows® 98.
Active Directory displays empty pages (CR51242)
Previously, if you configured a web service with administrator access only and Active Directory®, the FirePass controller displayed an empty page when it tried to display a list of master groups from Active Directory. The controller now correctly displays a list of master groups from Active Directory.
Antivirus Inspector and pre-logon sequence (CR51334)
The antivirus inspector now uses a new variable called session.detected_av, which contains a list of detected antivirus software and the reason why a particular antivirus software was not included in the session.AV list.
Light mode and routing (CR51516)
Previously, the routing screen always started in advanced mode when you selected the Routing tab at the Device Management : Configuration : Network Configuration screen. The Routing screen now starts in light mode.
Default settings for NTP server (CR51569)
Previously, when you set the NTP server to a value different from the default setting at the Device Management : Configuration : Time screen, and then restored the default settings through the maintenance console, the NTP server was not reset to default. Now the NTP server is correctly reset to its default setting.
Administrative realms (CR51636)
Previously, when you created a new administrative realm at the Device Management : Security : Administrative Realms screen, selected the Allow access to all features option, and did not select any master group to access, the administrator could view all the users from all the master groups. The administrator can now only view users from selected master groups.
Form-based authentication and terminating with a \r\n sequence (CR51690)
Previously, when you used form-based authentication to look for a string in the body of the response, the FirePass controller incorrectly required the last line to be terminated with a \n sequence, and if not, the controller did not read the last line. Form-based authentication now works correctly.
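The failure mode described in CR51690, as an added Python illustration (not FirePass code; the function names, marker string and response bodies are constructed for this example): a reader that accepts a line only after seeing its terminator never sees text on an unterminated last line, so a string match there is missed.

```python
"""Added illustration of a body scanner that drops an unterminated last line.

All names and sample data are hypothetical and constructed for this example.
"""
from typing import Callable, List


def read_lines_requiring_newline(body: bytes) -> List[bytes]:
    """Flawed reader: a line counts only once its terminating LF is seen."""
    lines, start = [], 0
    while True:
        end = body.find(b"\n", start)
        if end == -1:
            # Bytes after the last LF are silently discarded here.
            break
        lines.append(body[start:end].rstrip(b"\r"))
        start = end + 1
    return lines


def read_lines_tolerant(body: bytes) -> List[bytes]:
    """Corrected reader: the final line is kept even without a terminator."""
    lines = [line.rstrip(b"\r") for line in body.split(b"\n")]
    # A body ending in LF yields one empty trailing piece; drop only that one.
    if lines and lines[-1] == b"":
        lines.pop()
    return lines


def body_contains(body: bytes, marker: bytes,
                  reader: Callable[[bytes], List[bytes]]) -> bool:
    """Return True if the configured marker appears on any line the reader yields."""
    return any(marker in line for line in reader(body))


# Constructed sample responses: identical except for the final CRLF.
MARKER = b"logon successful"
TERMINATED = b"<html>\r\n<body>\r\nWelcome, logon successful\r\n"
UNTERMINATED = b"<html>\r\n<body>\r\nWelcome, logon successful"


def compare() -> dict:
    """Run both readers over both sample bodies and collect the match results."""
    readers = {
        "requires_newline": read_lines_requiring_newline,
        "tolerant": read_lines_tolerant,
    }
    bodies = {"terminated": TERMINATED, "unterminated": UNTERMINATED}
    return {
        (rname, bname): body_contains(body, MARKER, reader)
        for rname, reader in readers.items()
        for bname, body in bodies.items()
    }


if __name__ == "__main__":
    for (rname, bname), matched in compare().items():
        print(f"{rname:17} {bname:13} matched={matched}")
```

When testing a form-based authentication rule against a back-end application, include a response whose last line has no terminator, since many applications emit the body that way.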
Far end security and enabling webtop protection (CR51990)
Previously, when you configured far end security and upgraded from release 5.21 to 5.4.2, the FirePass controller incorrectly enabled webtop protection. Now the upgrade is performed correctly.
Post-processing and pre-processing simultaneously with SED scripts (CR52127)
Previously, when you used a SED script, post-processing and pre-processing mode did not work simultaneously in the Web Applications Content Processing Scripts area at the Portal Access : Web Applications : Content Processing screen using the Preprocess Scripts tab. Now post-processing and pre-processing mode work simultaneously.
Legacy host webtop (CR52200)
Previously, for Legacy Hosts, the navigation tabs on the upper left of the user’s webtop appeared unavailable, even though they were available (the text on the tabs was grayed out). We have redesigned the tabs so that the text is no longer grayed out, and they are now easier to use.
Searching for users by first name or last name that contained a backslash ( \ ) character (CR52316)
Previously, you could not search for users by first name or last name that contained a backslash ( \ ) character at the Users : User Management screen. Now you can.
OPSWAT SDK 2.1.13 (CR52572)
The FirePass controller now supports the OPSWAT SDK, version 2.1.13. For a list of supported antivirus and firewalls, click here
Auto upgrade on Mac OS X client (CR52665)
Previously, when a newer version of a Mac plugin was available on the FirePass controller, the Mac OS® X client's browser was not automatically upgraded with the newer version. Now, the Mac OS® X client's browser is automatically upgraded with the newer version of a plugin.
Blocking cookies by default (CR52807)
eTrust Antivirus and eTrust EZ Antivirus (CR53098)
Previously, when you used a pre-logon sequence check, OPSWAT required a different ID for eTrust Antivirus and eTrust EZ Antivirus. With a pre-logon sequence, if you want to detect Computer Associates eTrust® Antivirus or eTrust® EZ Antivirus, you must now specify the eTrust ID.
Policy check for Internet Explorer service packs (CR53293)
Previously, when you used the Internet Explorer service packs option and specified Internet Explorer 5 or 6 at the Network Access screen using the Policy Checks tab, Network Access did not work. Network Access now works correctly with Internet Explorer 5 or 6 browsers.
Master groups and dynamic mapping (CR53522)
Previously, master groups specified in the master mapping table at the Users : Groups: Dynamic Group Mapping were incorrectly also used as fallback groups. Now they are not.
X11 and ActiveX (CR53562)
Previously, when you pre-installed an X11 component on a client and the user had limited user rights on his client, the ActiveX® component did not work. Now, when you pre-install an X11 component on the client and the user has limited rights on the client, ActiveX works.
Pre-logon sequence check and comparing IP ranges (CR53911)
Previously, with a pre-logon sequence, you could not use the session variable, session.network.ip, to compare IP ranges. Now you can compare IP ranges.
Logon IDs and special characters (CR53956)
Previously, if the logon name contained special characters, for example, a hyphen (-), the FirePass controller did not display the logon name correctly when you purged your logs at the Device Management : Maintenance: Logs screen. The logon names are now displayed correctly.
Files checker inspector (CR54096)
Previously, with a pre-logon sequence check, the file checker inspector displayed erroneous modification dates. The file checker inspector now displays modification dates correctly.
Protected workspace and endpoint security (CR54103)
Previously, when the allow user to temporarily switch from Protected Workspace option was set to No, the user could get around this restriction. Now he cannot.
Static IP assignment and Network Access (CR54174)
Previously, the static IP address per user from mapping table (1st priority) option (selected on the Configure IP Address Assignment area at the Network Access : Resources screen using the Client Settings tab) did not work for external users who were authenticated by an Active Directory® server when the user name had the form <domain>\<username>. Now this option works correctly.
DNS and server (CR54230)
Previously, when the DNS configuration had the wrong DNS server, or the DNS server was down, the Device Management : Configuration : SNMP screen was not correctly displayed. Now, the SNMP screen is always displayed.
Knowledge base pages (CR54243)
Previously, the Knowledge Base pages were accessible through a direct URL, even though the link to Knowledge Base was hidden. Now, if the URL link to the Knowledge Base is hidden, only users with an active FirePass controller session can access the Knowledge Base.
FIPS card (CR54351)
Previously, when you upgraded a FirePass controller 4100 platform, the FIPS card did not work. Now, after you upgrade to release 5.5, the FIPS card works.
Pre-logon sequence and actions (CR54433)
Previously, when you added an action in a pre-logon sequence using the backslash (\) character, and clicked the Update details button, the backslash was duplicated in the action name. The backslash is no longer duplicated in the action name.
Purging logs (CR54645)
Previously, to minimize database table size for logs, you could not purge logs in 1, 6, or 12 hour intervals in the Purge logs area at the Device Management : Maintenance : Logs screen. Now you can.
The FirePass controller, version 5.5 includes the following general known issues. You can find localization-specific known issues in Localization known issues.
Certificates in Lotus Notes (CR28747)
You can open a Lotus® iNotes® mailbox with an expired server certificate. However, you must have a current certificate to open the same mailbox through the FirePass controller.
Length limitations on My Files share names (CR28778)
The FirePass controller has the same length limitations on share names as older versions of Windows® (Windows 95, Windows 98, and Windows NT). This limitation applies only to share names. Single-byte share names must be 13 characters or less, and double-byte share names must be 6 characters or less. Users can view the contents of longer share names by typing the explicit path from the FirePass controller My Windows Files screen Go dialog box.
Deleted emails in Outlook (CR28854)
If you use an IMAP email server, Outlook® does not provide any visual indication when a user marks an email for deletion.
Euro symbol in password (CR30346)
When you configure a group that uses NTLM authentication and uses a Windows® 2000 Primary Domain Controller, and you also use the signup by template feature, the FirePass controller does not correctly send passwords containing a € (Euro currency) symbol. Please advise new users not to use this symbol when they select their passwords.
Question mark in LDAP URL (CR30914)
If the filter portion of an LDAP query contains an embedded question mark, the query might fail.
Page Not Found error in Setup Wizard (CR30978)
When the Quick Setup wizard finishes, the FirePass controller restarts automatically. The controller's IP address and host name are generally changed during the initial Quick Setup configuration. The browser attempts to connect to the page using the previous IP address, and generates a Page Not Found error. To correct the display, type the new IP address or the new host name in the browser address field, and press the Enter key.
Host name after Quick Setup (CR31505)
When you use the Quick Setup for initial configuration of the FirePass controller, ordinarily you change the host name of the FirePass controller. After you restart the FirePass controller, your browser still attempts to connect to the previous (default) host name. You must enter the new host name in your browser address field to reconnect to the configured FirePass controller.
Basic HTTP authentication with an external server (CR31506)
If you configure a group to authenticate users over HTTP, you must specify an object in the path you set for the external server. Otherwise, authentication fails. For example, the URL http://myauthserver.com fails, but http://myauthserver.com/ succeeds.
Progress bar during online update (CR31670)
During an online update of FirePass controller software, occasionally the third progress bar freezes, and does not indicate the true status of the update. The update, however, ordinarily completes as expected.
Online upgrade and page refresh (CR34238)
During an online upgrade operation, if you perform any action that refreshes the upgrade page, including opening a new browser window, the page refresh corrupts the upgrade. To avoid this problem, do not disturb an upgrade in progress.
IPSwitch IMail POP problem with My Email (CR34504)
A SASL authentication bug in IMail prevents use of POP. Using the FirePass controller to access email on IMail server results in erroneous authentication failures with My Email. However, you can use the IMail server configured for IMAP.
RADIUS challenge response with Cryptocard and blank passwords (CR34959)
The FirePass controller does not accept blank passwords when using RADIUS challenge response with Cryptocard. The workaround is to enter a temporary password and then enter a permanent password.
UNIX Network File System directory-delete restriction (CR36352)
You cannot delete a UNIX® Network File System directory while accessing the file system using the FirePass controller's UNIX Files function.
Monitor Statistics/System Load page data mismatch (CR36658)
The difference in the data shown on the Device Management : Monitoring : Statistics screen and the Device Management : Monitoring : System Load screen appears to be isolated to the FirePass controller 4100 platform.
App Tunnels drive mapping with invalid or missing SSL server certificate (CR36803)
If you have not yet installed a trusted SSL certificate on the FirePass controller, then when users attempt to connect to a mapped drive using App Tunnels, the first attempt in a session usually fails. Subsequent attempts using the Relaunch button might succeed. We recommend installing a trusted server certificate as soon as possible.
Moving users between groups (CR36808)
When you move a user from one group to another, the FirePass controller does not prompt for additional data that might be required by the target group. For example, a user moved from a group using LDAP authentication to a group using internal database authentication might lack a password in the internal database account record. This can potentially result in failures of authentication. To prevent these failures, verify the completeness of user account records using the Users : User Management screen.
Constant restart of Flash (CR36933)
Flash constantly restarts at www.kurzweilai.net and other Flash-based web sites.
Network Access fails on computers running Windows® 2000 SP4 (CR37050)
If you use Windows® 2000 with Service Pack 4 installed, when you attempt to install the Network Access client control, you might receive the following error message: An error occurred during the installation of the device. The inf or the device information set or element does not match the specified install class. The installation fails. This is a Microsoft® software problem described on this Microsoft support page.
Authentication does not check proxy settings (CR37072)
The FirePass controller form-based authentication component does not check or use proxy settings or proxy server credentials. Do not configure a FirePass controller to perform HTTP or HTTPS-based authentication using the proxy server.
Misleading error using unsupported browser on Linux system for Network Access (CR37113)
If you use an unsupported browser (for example, Opera®) on a Linux® system to establish a Network Access connection, you receive a misleading error message: This is for Win32 OS only. In fact, you can establish a Network Access connection from x86-based Linux systems, but you must use a supported browser (Mozilla® 1.6 or 1.7). For a list of supported browsers, see supported browsers.
Network Access over dial-up connection where IPsec VPN client is present (CR37127)
You cannot use Network Access over a dial-up connection from a remote Windows® 2000 or Windows® XP system that also has a Check Point® SecuRemote/SecureClient IPsec VPN client installed. You can use Network Access over dial-up with a Check Point IPsec VPN client; however, the Network Access connection might take a long time to close, and you must drop and redial the connection to the ISP in order to continue with Internet access.
Browser incompatibility on X Window System with Sun JRE 1.3.x (CR37174)
X Window System: the Java client does not work with Windows® XP, Windows® 2000 Professional, Mozilla® 1.7.3, Java™ Plug-in: Version 1.3.0_01, when you are using Java Runtime Environment (JRE) version 1.3.0_01 Java HotSpot™ Client VM. From the Mozilla release notes: "Java J2SE releases previous to 1.3.0_01 will not work with Mozilla. Problems have been reported with JRE 1.3.1. For best results, we recommend JRE 1.4.1."
Network Access on Safari 1.0 browser on OS X 10.2 (CR37217)
The Network Access control for Macintosh® OS X version 10.2 does not install properly under the Safari® 1.0 browser. The page repeatedly prompts you to install it, even if you have already installed it, but you cannot use it. The Safari 1.0 browser does support the FirePass controller's HTML-based functional components: Portal Access, Mobile E-mail, Windows Files, Unix Files, and for Desktop access, the Java client only. You can use Safari 1.2 as the Network Access browser.
High traffic levels on Management port can cause 4100 platform to reboot unexpectedly (CR37341)
On the 4100 hardware platform, high levels of traffic through the Management port might cause the unit to reboot. The Management port is intended only for direct connection to the Administrative Console. We do not recommend connecting the FirePass controller to the LAN using this port. An unexpected 4100 reboot might occur if you connect to the Management port with a hub, due to high levels of traffic on the hub. Use a switch rather than a hub when connecting to the Management port.
Accessing system after changing the Desktop Access computer name (CR37441)
If you change the system name of an installed Desktop Access computer, take these steps to access it again using Desktop Access.
SNMP trap setting refusal even with defined hosts (CR39354)
The FirePass controller refuses the SNMP trap setting, even if you have defined the hosts using the host name. If this happens, use the IP address instead of the host name.
Opera 7 and 8 (CR40494)
Terminal services does not work when the client uses Opera 8. When a client uses terminal services with the Opera 7 browser, the end user cannot input data using the keyboard.
Drive mapping overwrite of existing share (CR40546)
When you create a new drive-mapping using an already-mapped share name, the system overwrites the existing share without warning.
Lack of terminal services support through Internet Explorer for the Macintosh (CR40618)
The FirePass controller does not support terminal services through the Internet Explorer browser on Macintosh® systems. For more information about Macintosh operating system support, see SOL3364: FirePass support for Mac OS clients on AskF5.
Note: Microsoft no longer supports Internet Explorer for the Macintosh operating system.
Default web application URL for resource group (CR40637)
The default URL for a web application is determined at a resource-group level. If a user has multiple resource groups assigned, the web application uses the default web page from the last resource group assigned to a user.
Incorrect user information attribute with first name (CR40694)
Mapping the user's first name against an Active Directory® account results in a first name of Administrator, not the actual first name of the user. This error occurs only with the test mapping. Mapping by the FirePass controller works correctly, and the user can log on without problem.
Incorrect online help for NFS Users (CR40759)
The online help page for the Portal Access : UNIX Files : Import NFS Users screen incorrectly states that the /etc/passwd file includes the $passwd field. The $passwd field does not appear in the /etc/passwd file.
Restoring FIPS systems breaking imported key pairs (CR41278, CR41573)
If you have imported key pairs into a FIPS card and have reinitialized the card since making the most recent backup, then restoring your configuration might render some web services inaccessible. If you use FIPS and then, after restoring your configuration, you lose access to the Administrative Console, use the Maintenance account to reinitialize the FIPS card. To correct your configuration, re-import the key pairs you need.
Browser incompatibility on legacy host systems with Sun JRE 1.3.0_01 (CR42609)
Legacy Host System: the Java client does not work with tn3270 and vt320, Netscape® 7.2 and Mozilla® 1.7.3, Java™ Plug-in: Version 1.3.0_01, when you are using Java Runtime Environment (JRE) version 1.3.0_01 Java HotSpot™ Client VM. Problems have been reported with JRE 1.3.1. For best results, we recommend JRE 1.4.1.
Local redirect instead of full redirect with DNS (CR42669)
If you attempt a full redirect, from admin to admin/, and DNS is not correctly configured, you actually get a local redirect. This problem does not occur if the DNS entry is configured correctly.
Redirect in frame (CR42676)
The redirect to an unlicensed page might occur in a frame when a timeout interval has elapsed.
Post-logon uninstall of previously installed ActiveX components (CR43139)
Using the post-logon option Uninstall ActiveX components downloaded during FirePass session does not uninstall ActiveX components that were installed before user logon.
Siebel Call Center 7.7 logon issue (CR43287, CR43904)
Siebel® Call Center 7.7 cannot log on. Two windows appear after successful logon. Although the main window tries to connect directly, the smaller window tries to connect through the FirePass controller. Eventually the process halts, and an error appears in the browser status bar.
Problem for VLAN-based web applications with enabled cache (CR43445)
The Web Application Cache serves content by looking at the destination URL only. It does not consider the resource group of the requested resource. This can cause an invalid response to be served, if multiple resources across different resource groups are identified using the same URL. We recommend that you do not use the Web Application Cache in this situation.
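The failure mode described for CR43445, as an added Python sketch that is not FirePass code: a cache keyed on the destination URL alone beside one keyed on the resource group and the URL, plus an audit that lists the URLs defined in more than one resource group. The group names, URLs, response bodies and the URL normalization rule are constructed assumptions.

```python
"""Added illustration (not FirePass code): why a cache keyed on the URL alone
mis-serves content when resource groups reuse a URL, and how to find the
URLs that are at risk. All names and data are constructed."""
from collections import defaultdict
from typing import Callable, Dict, Hashable, List
from urllib.parse import urlsplit

# Constructed sample: each resource group sits on its own VLAN, so the same
# URL reaches a different back end depending on the group.
RESOURCE_GROUPS: Dict[str, Dict[str, str]] = {
    "vlan10-finance": {
        "http://intranet.example/home": "finance home page",
        "http://ledger.example/": "ledger",
    },
    "vlan20-partners": {
        "HTTP://Intranet.Example:80/home": "partner extranet home page",
        "http://orders.example/": "order portal",
    },
}
DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize(url: str) -> str:
    """Assumption: host case and an explicit default port do not distinguish
    destinations, so they are folded before URLs are compared."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    if parts.port not in (None, DEFAULT_PORTS.get(scheme)):
        host = f"{host}:{parts.port}"
    query = f"?{parts.query}" if parts.query else ""
    return f"{scheme}://{host}{parts.path or '/'}{query}"


def shared_urls(groups: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Audit: URLs defined in more than one resource group."""
    owners = defaultdict(set)
    for group, resources in groups.items():
        for url in resources:
            owners[normalize(url)].add(group)
    return {u: sorted(g) for u, g in owners.items() if len(g) > 1}


def backend_fetch(group: str, url: str) -> str:
    """Stand-in for the request routed by the group's VLAN policy."""
    table = {normalize(u): body for u, body in RESOURCE_GROUPS[group].items()}
    return table[normalize(url)]


class ProxyCache:
    """Minimal response cache with a pluggable key function."""

    def __init__(self, key_fn: Callable[[str, str], Hashable]) -> None:
        self._key_fn = key_fn
        self._store: Dict[Hashable, str] = {}

    def get(self, group: str, url: str) -> str:
        key = self._key_fn(group, url)
        if key not in self._store:
            self._store[key] = backend_fetch(group, url)
        return self._store[key]


def url_only_key(group: str, url: str) -> Hashable:
    return normalize(url)            # weak: resource group is ignored


def group_scoped_key(group: str, url: str) -> Hashable:
    return (group, normalize(url))   # entries partitioned per group


def mis_served(key_fn: Callable[[str, str], Hashable]) -> List[str]:
    """Request every shared URL from each owning group, in sorted group
    order, and list the groups that got another group's content."""
    cache = ProxyCache(key_fn)
    wrong = []
    for url, groups in shared_urls(RESOURCE_GROUPS).items():
        for group in groups:
            if cache.get(group, url) != backend_fetch(group, url):
                wrong.append(group)
    return wrong


if __name__ == "__main__":
    print("shared URLs:", shared_urls(RESOURCE_GROUPS))
    print("URL-only key mis-serves:", mis_served(url_only_key))
    print("group-scoped key mis-serves:", mis_served(group_scoped_key))
```

An empty result from shared_urls means no URL is reused across resource groups in the audited configuration, which is the case where the URL-only key cannot return another group's content.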
Pre-logon infinite sequence (CR43509)
The pre-logon sequence functionality enables you to create a sequence that results in an infinite loop by choosing a sub-sequence that references itself as one of the final actions. If you create a sequence whose action includes a reference to itself, the end-user's browser halts during logon. To avoid this problem, make sure the final outcome of a sub-sequence is not a reference to the same sub-sequence.
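One way to check sequence definitions for the loop described in CR43509 before they are deployed, as an added Python example that is not FirePass code. The data model (a name mapped to a list of outcomes) and the sequence names are hypothetical, and the check goes beyond the self-reference case in the text to loops that pass through several sub-sequences.

```python
"""Added illustration (not FirePass code): lint pre-logon sequence
definitions for sub-sequence references that can loop forever.
The data model below is hypothetical."""
from typing import Dict, List, Tuple

Outcome = Tuple[str, str]   # ("action", name) or ("subsequence", name)

# Constructed sample configuration.
SEQUENCES: Dict[str, List[Outcome]] = {
    "main": [("subsequence", "av-check"), ("action", "deny")],
    "av-check": [("action", "allow"), ("subsequence", "os-check")],
    "os-check": [("subsequence", "av-check"), ("action", "deny")],  # indirect
    "kiosk": [("subsequence", "kiosk"), ("action", "allow")],       # self-ref
    "clean": [("action", "allow"), ("action", "deny")],
}


def _targets(sequences: Dict[str, List[Outcome]], name: str) -> List[str]:
    """Sub-sequences referenced by one sequence (unknown names are skipped)."""
    return [t for kind, t in sequences[name]
            if kind == "subsequence" and t in sequences]


def find_loops(sequences: Dict[str, List[Outcome]]) -> List[List[str]]:
    """Depth-first search; one loop is reported per back edge found, rotated
    so that it starts at its alphabetically smallest member."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {name: WHITE for name in sequences}
    loops = set()

    def visit(name: str, path: List[str]) -> None:
        colour[name] = GREY
        path.append(name)
        for target in _targets(sequences, name):
            if colour[target] == GREY:          # reference back into the path
                cycle = path[path.index(target):]
                pivot = cycle.index(min(cycle))
                loops.add(tuple(cycle[pivot:] + cycle[:pivot]))
            elif colour[target] == WHITE:
                visit(target, path)
        path.pop()
        colour[name] = BLACK

    for name in sorted(sequences):
        if colour[name] == WHITE:
            visit(name, [])
    return sorted(list(loop) for loop in loops)


def reaches_loop(sequences: Dict[str, List[Outcome]]) -> List[str]:
    """Sequences from which a logon can end up inside a reported loop."""
    looping = {name for loop in find_loops(sequences) for name in loop}
    affected = []
    for start in sorted(sequences):
        seen, stack = set(), [start]
        while stack:
            name = stack.pop()
            if name not in seen:
                seen.add(name)
                stack.extend(_targets(sequences, name))
        if seen & looping:
            affected.append(start)
    return affected


if __name__ == "__main__":
    for loop in find_loops(SEQUENCES):
        print("loop:", " -> ".join(loop + loop[:1]))
    print("sequences that can reach a loop:", reaches_loop(SEQUENCES))
```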
Load balancing deactivate (CR44778)
Load balancing does not turn off unless you first clear the check box Allow optional manual logon to slave nodes from master logon page, and then set Load Balance to off.
Client certificates for external users (CR44888)
The FirePass controller stores client certificates. If an external server maintains your user accounts, and you want to use client certificates for your users, you must use your company's certificate authority (CA) infrastructure. FirePass controller cannot distribute client certificates that it does not create. For more information, refer to the online help for client certificates.
Window flash during client logon (CR44889)
With a pre-logon sequence that scans for antivirus, the scanning component briefly posts an in-progress window after it scans each. Within a second or so, the component removes the window. Therefore, during logon, users might experience window-flashes as they log on. The window does not take focus away from the active application, but users might see flashing in the background.
Blank help and attachments windows in OWA (CR45150)
When you have more than one instance of Internet Explorer running and you try to open help or the attachment window for email, the window might be blank. This occurs intermittently. You can click the Help button a second time to open the help. The attachment window might not work until you close the other browser instance.
Using the at sign in the Active Directory logon (CR45446)
You can use the email address as your Active Directory® logon, and your email address can (and must) contain the at sign ( @ ). However, Active Directory logons that are not email addresses cannot contain @.
Split tunnel for Network Access on PocketPC (CR45800)
The FirePass controller does not support split tunnel for Network Access on the Pocket PC.
Protected configurations (CR46191)
Japanese versions of TrendMicro™ Virus Buster 2004 (11.x), and Trend Micro Virus Buster, and Internet Security 2005 (12.x) cannot be detected by the Windows antivirus checker endpoint inspector during pre-logon inspection. As a result, some resources that are associated with assigned protected configurations are not available to users if the FirePass controller uses information about these installed antivirus applications on a remote access point.
Network access with a Windows XP client (CR46482, CR46659)
Drive mapping with Windows® XP clients might not connect to the Windows file server on the first attempt.
Switching from Desktop Access to My Network (CR46813)
When users switch from Desktop Access to My Network, the FirePass controller logs them out.
Using special mode with OWA and iNotes (CR47039)
On some sites, the FirePass controller incorrectly detects OWA or iNotes servers as running, even though they are not running. If this happens, do not configure the controller to automatically detect OWA or iNotes at the Portal Access : Web Applications : Content Processing : Global Settings screen using the Global Settings tab.
Windows 98 and Internet Explorer (CR47040)
If a client is using Windows® 98, Internet Explorer, version 5.0 does not work. To work around this issue, we recommend upgrading your client to Internet Explorer, version 5.5 or later.
Strong passwords (CR47069)
When you configure an internal database of users to use strong password authentication, this setting is not applied to imported users.
Displaying messages during pre-logon sequence (CR47197)
When you configure a pre-logon sequence and do not specify an action, the system does not display any warning or explanatory message to inform the user of the reason access is prohibited.
Using a comma with a sub-sequence (CR47336)
You cannot create a sub-sequence using a comma (,) at the Users : Endpoint Security : Pre-Logon Sequence screen in the Create New Sequence box.
Naming a subsequence (CR47337)
You must specify a unique name when you create a subsequence using the screen at Users : Endpoint Security : Pre-Logon Sequence : Create New Sequence : Create Subsequence.
Warning message on a webtop (CR48630, CR47453)
When you configure master groups with the system warnings set to Don't Use at the User Experience tab of the Users : Groups : Master Groups screen, an erroneous warning message appears on the users' webtop.
Windows Files and custom character set (CR47844)
When you set the custom character set to Central & Eastern European, Arabic, Baltic, Greek, or Turkish in the Advanced Customization area at the Device Management : Customization : Global Customization screen, the list of names in Windows Files in the left webtop frame becomes empty.
FirePass 4100 and ARP requests (CR49240)
On a FirePass controller 4100 system, a non-management port responds to ARP requests for the management port's IP address 192.168.0.99 when no cable is attached to the management port.
Web Application Type resets to generic (CR49541)
The Web Application Type resets to generic when you configure all these settings:
Network configuration and finalizing changes (CR49675)
When you change your network configuration at the Device Management : Configuration : Network Configuration screen after upgrading the FirePass controller, and then you finalize your changes, the FirePass controller displays an erroneous message: Desktop settings have been changed, even though you have not changed your Desktop settings. However, when you finalize your changes, all your network configuration changes are saved correctly.
SharePoint and Microsoft documents (CR49949)
In SharePoint®, when you edit a Microsoft® Office® document, and the editor makes a request to update the shared workspace, the FirePass controller cannot support the update. For details on how to work around this issue, refer to solution 5139 on http://www.askf5.com/.
SharePoint and saving a new document (CR49957)
In SharePoint®, you cannot save a new document at the Shared Documents screen. SharePoint® displays an empty icon image in the Saved As dialog box.
Cascading Style Sheets (CR52382)
With Internet Explorer 5 and 6, cascading style sheets are not displayed correctly when you configure both these options at the Portal Access : Caching and Compression settings screen:
This is a Microsoft® Internet Explorer 5 and 6 software problem.
Terminal Server and VLAN interface (CR52511)
When you enable master group-based policy routing for a particular master group, you must not allow users of the master group to create Terminal Server favorites for accessing servers that are not part of the VLAN defined for that master group. To prevent users from creating the Terminal servers user favorites, select the Limit Terminal Servers Access to Favorites only(for Extranets...) option at the Application Access: Terminal Servers: Master Group Settings screen.
SuSE 9.1 and Network Access (CR52429)
If you have enabled the firewall on your Linux machine, you must allow both incoming and outgoing TCP traffic for the loopback IP address 127.0.0.1 on port 44444. Otherwise, the Network Access tunnel is disconnected because no traffic can pass through the Network Access tunnel.
User name containing @ and authentication (CR52530)
A user name containing the at symbol ( @ ) cannot be authenticated using Active Directory®. However, it can be imported and it is then correctly displayed in the users' list.
Support for Netscape 4.7x (CR52535)
In some cases, the Netscape® Navigator browsers, version 4.79 and 4.8, do not display the end user and administrative user interface correctly.
Netscape 4.79 and compression (CR52777)
If your end users are using Netscape® 4.79, you might need to disable compression in the Turn gzip Compression On or Off for webtop and Web Applications area at the Portal Access : Caching and Compression screen. This is a Netscape software problem.
Microsoft file sharing and App Tunnels (CR53559)
For App Tunnels on Windows® XP, Microsoft® file sharing does not work if the user has limited rights on the client.
Using backup file names (CR53631)
You cannot restore a file that contains special characters in the file name. When you create a backup of a current configuration or save zip files, do not use special characters, such as ` ~ ! @ # $ % ^ in the file name.
WebDAV based customization (CR53927)
When you enable WebDAV customization on the URI-based Customization screen at the Device Management: Customization screen and put files in the sandbox to customize your websites, the controller does not support HTTP logons.
SSL Proxy (CR53968)
If you configure the Set up the optional HTTP and SSL proxies for the public Internet access area using the Enable SSL proxy and Use Basic Proxy Authorization options at the Portal Access: Web Applications: Proxies screen without providing the required credentials for the websites, the FirePass controller cannot display the web page.
SSL Proxy and NTLM (CR53975)
In rare cases, if you enable the Proxy Basic and NTLM authorization using the FirePass user logon form option at the Portal Access: Web Applications: Master Group Settings screen and you do not provide the required credentials for the websites, the FirePass controller displays an erroneous message.
Offload SSL processing (CR54046)
When SSL termination is offloaded to an upstream BIG-IP® LTM device, the controller does not support Bridge mode for Desktop access; only over-pass mode is supported.
Offloading SSL to BIG-IP system (CR54047)
When you configure the FirePass controller to offload SSL processing to an upstream BIG-IP® Local Traffic Manager, at least one SSL web service must be configured on the controller to overcome an existing configuration limitation on the controller. The FirePass controller requires configuration of at least one SSL web service to complete the finalize operation.
SharePoint and Microsoft Word (CR54275)
Import users from Active Directory (CR54328)
When you create a master group with Active Directory® authentication and select the Require user logon in form DOMAIN\username: option on the Authentication tab at the Users : Groups: Master Groups screen, the controller does not import the users correctly.
Create favorites with the backslash (\) character (CR54428)
Creating favorites ending with the backslash ( \ ) character might corrupt the administrative user interface.
Pre-logon sequence file checker (CR54431)
The pre-logon sequence file checker truncates a file name when the ampersand ( & ) character is present.
VNC client (CR54485)
The VNC standalone client does not provide a button to disconnect from the Terminal Server session. To disconnect from a Terminal Session, the end user must log off from the FirePass controller.
Pre-logon sequence and special characters (CR54495)
When you create a pre-logon sequence check, some special characters, such as the quotation mark, number sign, or ampersand ( " , # , & ), are not displayed or are truncated. If you name a pre-logon sequence using the number sign ( # ), you cannot edit the sequence.
Protected workspace and printers (CR54716)
When you enable protected workspace and you do not want your users to print out documents, select No in the Allow user to use printers option at the protected workspace Inspector Details screen.
Reverse Proxy and NTLM (CR54723)
The reverse proxy engine proxies only NTLMv1 authentication. If you want to use NTLMv2 or NTLM2, you must disable the Proxy Basic and NTLM auth using FirePass user login form option at the Portal Access : Web Applications : Master Group Settings screen. In this case, the FirePass controller translates authorization requests and responses directly to the client browser.
Antivirus database signature or engine version (CR54884)
With a pre-logon sequence check, when you specify an antivirus software to scan with the any supported option, the engine and database signature fields must be empty.
Reverse proxy and alternative host/port-based bypass (CR54969)
With clustering, the alternative host/port-based bypass option does not work.
Offloading SSL and finalizing changes (CR55307)
When the Offload SSL processing to a BIG-IP Local Traffic Manager option at the Device Management: Configuration: Network Configuration screen using the Web Services settings tab is enabled, and you make changes to other Network Configuration settings that do not require you to restart the controller, the finalized change always prompts you to restart the controller.
Post-logon actions and erroneous security warning (CR55374)
The FirePass controller emails an erroneous security warning that there was a possible intrusion attempt on the controller to the administrator when all the following conditions are met:
Custom images are lost when you restore a backup file from 5.4.2 to 5.5 (CR55421)
If you restore a 5.4.2 configuration on version 5.5 using the backup and restore mechanism, the global customization images are lost. To work around this issue, reconfigure all the global customization images settings in the Custom images area at the Device Management: Customization screen.
Pre-logon messages not displayed in Netscape 7.2 (CR55499)
When you enable a pre-logon sequence check, the pre-logon messages are not displayed on the client when it establishes a connection to the FirePass controller using Netscape Navigator, version 7.2.
Viewing EUC or JIS encoded Japanese text files (CR30091)
On a Japanese FirePass controller, when you display a text file from a UNIX® (NFS) server, My UNIX Files always assumes Shift-JIS encoding, even when the browser is set to auto-detect the encoding of the document. As a result, NFS documents that use Japanese Industrial Standard (JIS) or Extended UNIX Coding (EUC) encoding do not display correctly.
Euro symbol in password (CR30346)
When you configure a group that uses NTLM authentication that uses a Windows® 2000 Primary Domain Controller, and you also use the signup by template feature, the FirePass controller does not correctly send passwords containing a € (Euro currency) symbol. Please advise new users not to use this symbol when they select their passwords.
English desktop installation messages (CR40603)
When you install Desktop Access, the message Uncompressing files displays in English, even in localized copies of FirePass controller. If an invalid installation key is used, a second untranslated message appears: Invalid product code, please retry.
Localization of pre-defined actions (CR44620)
In non-English systems, the pre-logon sequence screen lists the pre-defined actions in English.
Localization of pre-defined templates (CR44798)
In non-English systems, the Protected Configurations screen shows the pre-defined templates in English.
Multi-language support in Windows Files (CR45645)
When you use the FirePass controller Windows® Files functionality on an English-based Windows® 2000/2003 server with multi-language support, the system does not correctly show share names containing non-English characters.
Latin 1 character set and form-based authentication (CR53057)
With form-based authentication, the FirePass controller does not support the extended Latin 1 character set (ISO 8859-1) for user names and passwords.
Latin 1 character set and basic authentication (CR53058)
With basic authentication, the FirePass controller does not support the extended Latin 1 character set (ISO 8859-1) for user names and passwords.
Client certificate (CR53783)
Some applications cannot correctly display client certificates that are generated by the FirePass controller with localized user names. With certificates, we recommend that you use a trusted certificate authority.
Local update (CR54564)
The FirePass controller displays an error message when all the following conditions occur: