Applies To:

Show Versions Show Versions

Release Note: FirePass Controller version 6.0.0
Release Note

Software Release Date: 06/06/2006
Updated Date: 08/30/2013

Summary:

This release note documents the version 6.0 release of the FirePass controller. It applies to both the English edition and the localized editions.

To review the features introduced in this release, see New features and fixes in this release. For existing customers, you can apply the software upgrade to 5.0 and later. For information about installing the software, please refer to Installing the software.

Note: For the FirePass 1000, 4000, and 4100 platforms, version 6.0 replaces version 5.5.1 and includes all features and fixes from previous versions.

Note: F5 now offers both feature releases and maintenance releases. For more information on release policies, please see New Versioning Schema for F5 Software Releases on AskF5.

Contents:

- Minimum system requirements and supported browsers
- Supported platforms
- Supported antivirus and firewalls
- Installing the software
- New features and fixes in this release
     - New features
     - Fixes in this release
- Known issues
- Workarounds for known issues

Minimum system requirements and supported browsers

The minimum system requirements for this release are specific to your operating system.

Microsoft Windows

  • Windows®98 with Dial Up Networking (DUN) 1.4 update and Client for Microsoft Networks. The Client for Microsoft Networks, available as an option on the Windows 98 installation CD, is required for FirePass controller's Network Access setup.
  • Windows® Me
  • Windows® 2000
  • Windows® XP (see the note about the Microsoft update needed for Windows XP Service Pack 2)
  • Windows® Mobile™ 2003 (Microsoft Pocket PC 2003 and Microsoft Pocket PC Phone Edition 2003)
  • Windows® 2003 server

Note: You might find it helpful to have the Windows 98 and Windows Me distribution media available as you set up the FirePass controller. Occasionally, changing installation settings for Windows 98 and Windows Me requires that you copy information from the install media.

Macintosh

  • Apple® Mac OS® X 10.2.x
  • Apple® Mac OS® X 10.3.x
  • Apple® Mac OS® X 10.4.x (for Power PC platform only)

Note: FirePass 6.0 supports the Safari® browser for automatically installing the network access client. You must manually install the Macintosh network access client when you use a different browser.

Linux

The following supported Linux platforms require workstations with libc version 2 or later, Kernel support for PPP interfaces (loadable module or statically built in) and PPPD program in the /sbin directory :

  • Debian® 3.1r0
  • Fedora ™ Core 2
  • Fedora ™ Core 3
  • Fedora ™ Core 4
  • Fedora ™ Core 5
  • Red Hat® 9.0
  • Slackware® 10.1
  • SuSE® 9.x Professional
  • TurboLinux® Desktop

Supported browsers

The supported browsers for remote access provided through the FirePass controller are:

  • Firefox® 1.0.x, 1.5.x
  • Microsoft® Internet Explorer, version 5.5, or 6.0
  • Mozilla® version 1.7.x
  • Netscape® Navigator, version 4.7x or 7.x
  • NTT DoCoMo ™ i-mode browser
  • OpenWave® WAP browser
  • Mozilla® version 1.7.x on Apple® Mac OS® X 10.2.x systems
  • Safari® version 1.2 on Apple® Mac OS® X 10.3.x systems
  • Safari® version 2.0 on Apple® Mac OS® X 10.4.x systems (for Power PC platform only)
[ Top ]

Supported platforms

This release supports the following platforms:

  • FirePass 1000
  • FirePass 1200
  • FirePass 4000
  • FirePass 4100

    Note: To optimize performance for all access modes, the 4100 platform now supports up to 8 gigabytes of RAM.

[ Top ]


Supported antivirus and firewalls

This release supports a variety of antivirus and firewall software. To use antivirus and firewall software inspectors with a pre-logon sequence check, you must install on the FirePass controller the antivirus and firewall license, which you can obtain from your F5 Networks sales representative or reseller. To view supported antivirus and firewall software, click one of the following links. Each link references a separate document, unique to the particular operating system.


Installing the software

Warning: Prior to upgrading any FirePass controller, it is important to finalize all your network configuration settings. To do this, on the navigation pane, click Device Management, expand Configuration, and click Network Configuration. Click the Finalize tab at the upper right to finalize your network configuration changes. If the Finalize tab does not appear on the Network Configuration screen, your configuration has been finalized.

Warning: We have moved group-based policy routing from resource groups to master groups at the Users : Groups : Master Groups screen. If you are upgrading to version 6.0 from a release other than version 5.5, you must manually create new associations between your master groups and any routing tables that were associated with resource groups. Routing tables are no longer associated with resource groups. Before you upgrade, we recommend that you record these routing tables. For more information, refer to SOL5502: Overview of routing table configuration and conversion in FirePass version 5.5 .

Warning: The version 6.0 software uses a new heartbeat module, which is not compatible with heartbeat modules other than version 5.5. Therefore, when you upgrade one unit in a redundant system, it might restart as the active unit, while the second unit is still running as the active unit. This might cause IP address conflicts with the virtual IP address (if a redundant system has two active units running at the same time). This can happen when you upgrade the FirePass controller to the new heartbeat module. When you upgrade and restart the second unit of the redundant system, the IP address conflicts stop because each unit now recognizes the other unit as part of its redundant system. For more information, refer to SOL4467: Upgrading a redundant pair of FirePass controllers.

Important: Back up the FirePass controller current configuration before upgrading the controller. If you have a newer FirePass controller, use the Snapshot feature to back up the entire controller configuration. For more information, refer to SOL3244: Backing up and restoring FirePass system software. To back up older FirePass controllers, click Device Management on the navigation pane, expand Maintenance, and click Backup/Restore. Click the Create backup of your current configuration link to back up the FirePass controller configuration. See the online help for details.

Note: If you are running any version previous to FirePass version 5.0, you must first upgrade to version 5.0 before upgrading to 6.0. For instructions for upgrading to version 5.0, see SOL4272: Upgrading a version 4.x FirePass controller to version 5.0.

Note: Once you upgrade the FirePass controller to version 6.0, you cannot downgrade to any previous version. For more information, see SOL2847: Downgrading to a previous FirePass software version.

Upgrading from version 5.0 or later

The following instructions explain how to install FirePass 6.0 onto existing systems running version 5.0 or later.

Important:You must have an active service contract to upgrade to release 6.0. If you have a current service contract, re-activate your license and then resume installation. If your service expiration date is prior to the date you are doing the upgrade, your license needs to be re-activated. The service expiration date is located on the Device Management : Maintenance: Activate License screen.

Important: Important: If you have 6.0 beta version software installed on your system and you want to upgrade you system to the 6.0 release, you must revert to the snapshot you took before installing the beta, and then upgrade to 6.0. For more information on the FirePass controller snapshot/restore function, please see SOL3244: Backing up and restoring FirePass system software.

Important: Important: With the 6.0 release, we have removed the Desktop Adapter, UNIX Adapter, and VASCO DigiPass authentication features. When you upgrade to release 6.0, these features will not be supported or available. Before upgrading to the 6.0 release, please review your FirePass controller configuration and remove any configuration setting and Favorites associated with these features. To continue using any of these three features you must use the 5.5.x release. For more information about the end of life policy for these features please refer to SOL5492: FAQ for the End of Life Announcement of the Desktop Access, VASCO Built-in Server, Unix Adapter and Solaris Client Support Features in FirePass.

To upgrade to version 6.0
  1. Create a snapshot of the current FirePass controller.  For details about how to do this, refer to SOL3244 at SOL3244: Backing up and restoring FirePass system software.

  2. On the Administrative Console, in the navigation pane, click Device Management, expand Maintenance, and click Backup/Restore .

  3. Create a backup of your current configuration.
    For details about how to do this, refer to the online help on this screen.

  4. In the navigation pane, click Device Management, expand Security, and click Timeouts.

  5. Temporarily change the option Global inactivity timeout to a large value, such as 8 hours, so that the upgrade process does not time out while downloading the image.

  6. Disable all pop-up blockers in your web browser so that any generated error messages during the upgrade process (local upgrade or on-line upgrade) are displayed.

  7. In the navigation pane, click Device Management, expand Maintenance, and click User Session Lockout..

    • In the User Session Lockout area, check the Lockout new user sessions option to prevent any new FirePass controller users from logging on.

    • In the Kill Current Sessions area, click the Kill all sessions (except this one) link to log out all current FirePass controller users.

  8. In the navigation pane, click Device Management, expand Maintenance, and click Active License.

    1. Select the Automatic registration method.
      For information on how to use the Manual registration method, see the online help on this screen.

    2. Scroll to the bottom of the screen and click the Request License button to reactivate your license.
      The system displays the new license.

    3. Scroll to the Service check date field in the returned license file and make sure that the date is greater than 5/01/06.
      Note: If this date is greater than 5/1/06, the system allows you to upgrade to release 6.0 release; otherwise the upgrade fails and the system displays an error message after the image is downloaded. If you need a new service contract, contact F5 sales.

    4. Click the Continue button to install and activate the new license.
      The system displays the following message: License successfully activated.

    5. Click the Continue button.

  9. In the navigation pane, click Device Management, expand Maintenance, and click Online Update.
    The screen displays a list of available FirePass controller software releases.

  10. Select the link for Release 6.0 to upgrade the FirePass controller.
    Note: If you are using the local update to upgrade the controller, the default local update package password is F5Networks.

Note: Once you upgrade, the following software fixes might affect your users. Before rolling out release 6.0, please review the following CRs and make any necessary configuration changes:

[ Top ]

New features and fixes in this release

The FirePass 6.0 release contains the following new features and fixes since release 5.5.1. Key new features and benefits include those listed below.

Access control lists

With access control lists (ACLs), you can now control user access to specific parts of web applications.

Dynamic App Tunnels

With Dynamic App Tunnels, you can now support applications that require dynamic IP addresses and ports.

F5 Networks FirePass controller client

The FirePass controller provides the following enhancements to the F5 Networks FirePass controller client:

  • Windows Dialup and Windows Logon integration settings, which allow you to establish a VPN connection when the user logons without modifying Microsoft® GINA components

  • A Windows installer service to install client component updates without requiring subsequent administrator privileges

  • A command-line interface which is integrated with third party clients such as iPass dialer software

  • A Windows VPN dialer for users familiar with dial-up connection interface

  • Support for pre-logon inspection and all authentication options similar to browser based logon

Network Access only webtop

With the App Tunnels and Network Access, you can now use the Network Access only webtop to automatically start a network access connection when a user logs on, minimize it to the system tray and eliminate browser pop-ups.

Remediation

The FirePass controller provides the following enhancements to the remediation process:

  • You can now configure an endpoint security policy to automatically deliver client-side components by redirecting users to a remediation server.

  • You can now define a remediation policy based on the results of endpoint security checks.

New features

Multiple WINS servers (CR28781)
With the WINS Servers option, you can now specify one or more WINS servers for NetBIOS name resolution in the Advanced Windows Files Settings area at the Portal Access : Windows Files : Master Group Settings screen.

Distributed file system (CR28786, CR30085)
For Window File access, the FirePass controller now supports the Microsoft® Distributed File System (DFS).

Logging nodes in a cluster on the master FirePass controller (CR28811, CR29396)
You can now log all information on all the nodes in a cluster on the master FirePass controller by checking the option Enable Log consolidation and by checking the option Synchronize Log to Master on the secondary controllers at the Device Management : Clustering and Failover screen. The logging results are displayed in the Node IP field at the Reports : Logging screen. You can see the logging results of each node in the cluster at the Device Management: Monitoring screen.

Managing the FirePass controller Windows client with command-line interface commands (CR29724)
After you have configured, downloaded, and installed the MSI package at the Network Access : Client Downloads : Windows (x86)screen, you can now use the command-line interface to start, troubleshoot, and monitor the F5 Networks FirePass controller client.

Nightly back up the with SCP (CR30214, CR61827)
You can now perform a nightly backup with SCP at the Device Management : Maintenance : Backup/Restore screen.

Post-logon actions at the master group level (CR32783)
You can now configure post logon actions at the master group level by selecting a master group from the Master Group list in the upper left of the Administrative Console at the Users: Endpoint Security: Post-logon screen.

TN3270E legacy host (CR35696)
When you have configured a TN3270 legacy host favorite, the FirePass controller now automatically attempts to support a TN3270E legacy host. If it is not available, the FirePass controller then attempts to use the TN3270 legacy host. You configure the TN3270 terminal type on the Application Access: Legacy Host : Resources screen.

Mobile Email (CR35792, CR39118, CR58734)
With IMAP corporate accounts, you now use the wildcard character, asterisk ( * ) to display all folders and assign folders for sent and deleted items in the Corporate mail account area at the Portal Access : Mobile E-mail screen. The system creates IMAP folders if they do not exist on the IMAP server. The FirePass controller now also does the following:

  • Notifies the user when it removes email permanently from the deleted email folder.
  • Tries to open email with the correct encoding when the MIME header of email is not available. The encoding is based on Default language setting in the Advanced Customization area on the Device Management : Customization screen or selected language on the logon page (if enabled).

Display decode of encrypted component of URLs (CR37979)
With URLs that are requested through the reverse proxy, you can now use the Reports : HTTP Logs screen to view the decoded host name component of back-end server URLs that are present in the front-end server URLs in a encrypted form.

Windows files and NetBIOS name resolution (CR39122, CR48543, CR57897)
For Windows files, we have added the NetBIOS Machine Name and Name Resolution Service Order options for setting the NetBIOS name (the calling name) and the order of name resolution in the Advanced Windows Files Settings area at the Portal Access : Windows Files : Master Group Settings screen.

Logon screen and advanced customization (CR39410)
At the logon screen, the Hide License Information on the Front Door page option now enforces the license check. You enable this option in the Advanced Customization area, using the Global Customization tab at the Device Management : Customization screen.

Network packet dump troubleshooting utility (CR40133)
With the network packet dump utility, you can now specify expression for capturing data; for example, not tcp port 80 and host 10.0.0.1.You configure the expression option in the Network packet dump area on the Device Management : Maintenance : Troubleshooting Tools screen.

Removal of Desktop Adapter, UNIX Adapter, VASCO authentication features (CR40802, CR63776, CR60538)
With the 6.0 release, we have removed the Desktop Adapter, UNIX Adapter, and VASCO DigiPass authentication features. When you upgrade to release 6.0, these features are no longer available or supported. Before upgrading to the 6.0 release, review your FirePass controller configuration and remove any configuration settings and Favorites associated with these features. To continue using any of these these features, you must use a 5.5.x release. For more information about the end of life policy for these features please refer to FAQ for the End of Life Announcement of the Desktop Access, VASCO Built-in Server, Unix Adapter and Solaris Client Support Features in FirePass.

Access control lists and web applications (CR41045)
With Portal Access favorites, you can now configure an access control list at the Resource Group level in the Access Control list area at the Portal Access : Web Applications : Resource screen. After you upgrade, verify that your Master Group, Resource Group, and individual Favorites access control list configuration configuration settings are correct. After the upgrade, verify that the default action setting is set to Allow on all the master groups configured on the Portal Access : Web Applications Master Group Settings screen.

Displaying NIC MAC addresses (CR41174)
You can now display NIC MAC addresses in these places:

  • Device Management : Monitoring : Statistics screen
  • Device Management : Monitoring: System Load screen
  • Device Management : Configuration : Network Configuration screen, and then select the Interface tab

Display the user's full name in the Administrator Console and user's webtop (CR43063, CR60459)
You can now control how you want to display the user's full name in the Administrator Console and user's webtop using the option Order for full user name at the Device Management: Customization: Global screen or by selecting a master group at the Users : Groups: Master Groups screen and then selecting the User Experience tab. This is useful for countries where the user's last name is normally displayed before the first name. If you upgraded a Japanese or Simplified Chinese version of FirePass controller to 6.0 release, you may want to swap the first and last name entries in the FirePass controller internal database. To do so, export the user accounts from the FirePass controller internal database to a text file and then import the user accounts using the following procedure:

  1. In the Administrative Console, click Users.
    The User's Management screen opens.

  2. Click the Import from File item from the Create user accounts by list.

  3. Click the Go button

  4. In Filename, specify the file to use, or click Browse to search for it.

  5. Click the Load list button.

  6. Check the option Import to the various groups.
    A list of columns appears, containing all of the imported data.

  7. For the first name, last name, logon, and group, in the list at the top of each column, select the FirePass controller field that corresponds to the data.

  8. Check the option Select users to import (by names).

  9. Click the Process List button.
    The screen changes to reveal a list of settings to apply to all imported users.

  10. Check the option Import existing users only, keep old password and other unmarked fields.
    Note: When you select this option, the option Overwrite user if logon already exists is also automatically selected.

  11. Click the Import users button.

Windows dialer and Winlogon integration settings (CR43237, CR60437, CR60438, CR60995, CR61342)
For Microsoft® Windows 2000®, XP and later, you can use the Windows dialer and Winlogon integration settings to specify the kind of VPN connection to establish to the FirePass controller for either of two instances:

  • Before the user logs on onto his PC using a virtual dial up entry.
  • When the user logs on to the PC.

To do so, navigate to the Device Management : Client Downloads : Windows (*86) screen and click the Customized Client Components tab.

Web-based logon and F5 FirePass controller client (CR43758, CR54620, CR55666)
When you clear (disable) the Use Legacy Logon Prompt option in in the client user interface settings area using the Customized Client Components tab at the Device Management: Client Downloads : Windows (*86) screen, the F5 FirePass controller client supports:

  • A web-based logon
  • Two-factor authentication
  • Endpoint security  

Creating/Restoring a snapshot (CR44278)
The FirePass controller no longer automatically creates or restores a snapshot when selecting actions in maintenance mode menu. Now, the FirePass controller prompts you to approve these actions before overwriting a previously created snapshot, or restoring to previous snapshot or factory default snapshot.

Logging certificate revocation list (CRLs) events (CR44750)
When a user is denied access because of a revoked client certificate, the FirePass controller now logs this error and displays it on the logon page.

Network Access only webtop (CR45313)
You can now use the option Use Network Access Only Webtop to establish a Network Access connection when you have only one Network Access favorite. To enable this feature, select a master group in the Group Name column at the Users : Groups : Master Groups screen, click the User Experience tab, and go to the Network Access Only Webtop area.

Localizing the name of favorites and UI elements (CR45645)
Different users can now access the FirePass controller simultaneously using different characters sets or languages by checking the Choice of language in logon page check box in the Advance Customization area by selecting the Global Customization tab at the Device Management : Customization screen. When you enable this option, administrators and end users can select a different character set at the logon page from the default character set list. For example, one user can select Simplified Chinese as his character set and another user can select Traditional Chinese.

Displaying messages to the user and endpoint security (CR46212, CR52691)
You can now use the Show Message Inspector to create a customized message (at the Users : Endpoint Security : Pre-logon Sequence screen) that is displayed to the user during the pre-logon sequence.

Dynamic group mapping (CR46980)
With dynamic group mapping, you can now assign alternative master groups (a fallback master group) that a user can use when a dynamic master group or a configured master group is not available. You do this by selecting the Group Mapping Sequence tab at the Users: Groups: Dynamic Group Mapping screen.

Static App Tunnel and keepalive (CR47137)
With a static App Tunnel, you can use the Keep Alive option to specify a keepalive interval (the time period between periodic keep-alive packets) to ensure that a static tunnel remains open when it is idle. You use this option when idle connections can be terminated by network infrastructure devices (such as firewalls) either between FirePass controller and client or FirePass controller and server. Enable this option when you create a favorite or click the link of an existing favorite on the Application Access : App Tunnels : Resources screen.

UTF8 support for dynamic group mapping (CR47576)
Dynamic group mapping now supports UTF8.

CRL retrieval frequency (CR47856, CR48913, CR57128)
The CRL retrieval frequency now has options starting from every 5 minutes to every 12 months To configure CRL range, use the CRL Retrieval Frequency option in the Client CRL On-Line Updates area on the Device Management : Security : Certificates screen.

Checking files on a Macintosh or Linux OS and pre-logon sequence (CR48628, CR52941)
With a pre-logon sequence check, you can check for files on a Macintosh or Linux OS using the Linux and Mac file checkers inspectors at the Users: Endpoint Security: Pre-logon Sequence screen.

Logging revoked client certificates (CR48913)
When a user attempts to log on with a revoked client certificate, the FirePass controller logs and displays this information on the Reports : Logon screen.

Redirection to an external server and endpoint security (CR49084)
With endpoint security, you can now use the External Logon Page ending to redirect users to redirect users to a remediation website designed to correct or update the client's software environment, assuring that policies required for a pre-logon check are satisfied. For example, this page could provide instructions on how to meet your security policy or how to configure the user's browser to allow the system to install F5 Networks ActiveX components on his PC. You can also use the FirePass controller sandbox to host a remediation website on the FirePass controller.

Dynamic group mapping based on virtual host (CR49250, CR58802 )
You can now use virtual hosts (at the Users : Groups: Dynamic Group Mapping screen) to dynamically map users to the appropriate master and resource group when they log on to the FirePass controller.

Uploading large files and reverse proxy (CR49529)
You can now use the non-buffering upload option to upload a large amount of data (32 - 1024 MB), such as video or voice files to a server through the FirePass controller without caching the file on the FirePass controller. You do this by adding URL patterns in the Non-buffering uploads area using the Global Settings tab at the Portal Access : Web Applications : Content Processing screen.

RSA authentication with F5 FirePass controller client (CR49227)
The F5 FirePass controller client now supports RSA authentication NextToken mode.

Client certificates key size (CR50232)
You can now specify 1024- or 512 bit-key size when you generate a client certificate at the User: User Management screen.

Active Sync (CR51046)
You can now use the FirePass controller to create a proxy for the Microsoft® Exchange Server through OWA, so that Pocket PCs and smart phones can synchronize Outlook using ActiveSync® in the Landing URI area. You do this using the URI-based Customization tab at the Device Management : Customization screen. The FirePass controller supports ActiveSync® for 2003 and 2005 Pocket PCs and Smart phones.

Removing references to F5 and FirePass controller from the system messages (CR51913)
We have removed references to F5 and FirePass controller from the system messages on the logon page.

Restarting FirePass controller services and coldStart trap (CR51916)
When you restart the FirePass controller services, the system generates the coldStart SNMP trap.

WML and compact HTML (CR52013)
The FirePass controller now supports the Wireless Markup Language (WML) and compact HTML.

Pre-logon sequence and antivirus check for database signature (CR52529)
At the Users : Endpoint Security : Pre-logon sequence screen, when you select the Windows antivirus check inspector, you can now specify additional times using the Database is not older than option:

  • 2 weeks
  • 3 weeks
  • 3 months
  • 6 months

Session variables for dynamic group mapping and Intranet Webtop (CR53149, CR60911)
You can now use session variables with dynamic group mapping that are defined during group mapping and user’s authentication at the Users : Groups: Dynamic Group Mapping screen. You can also use session variables in two other instances:

  • With the option Display extra input field at logon for user defined session variable in the User Defined Session Variable Settings area at the Users : Global Settings screen.
  • In the URL: parameter at the Portal Access : Web Applications : Intranet Webtops screen.

You can now use the option Save user's session variables to Logon Reports to troubleshoot a session variable for users for all sessions in Session Variable Dump at area at the Device Management : Maintenance : Troubleshooting screen.

Displaying name of drives instead of a loopback address (CR54144)
You can now configure the FirePass controller to display to users the name of a drive instead of the loopback address using the following areas:

  • In the Path field using the Drive Mappings tab at the Network Access : Resource screen
  • In the Application field for the MS Files Shares Static App Tunnel at the Application Access : App Tunnels : Resources screen

Multiple Active Directory servers and dynamic group mapping (CR54200)
With dynamic group mapping, you can now specify multiple Active Directory servers by checking the Use a secondary AD server and Use a tertiary AD server options using the Group mapping methods tab at the Users : Groups : Dynamic Group Mapping screen.

OPSWAT SDK 2.1.14 (CR54213)
For OPSWAT SDK 2.1.14 and later, the FirePass controller now supports

  • Sereniti Security Suite
  • avast! Antivirus 4.x
  • eTrust PestPatrol Corporate Edition 5.x
  • Trend Micro PC_cillin 2006
  • BitDefender 8 Free Edition
  • BitDefender 9 Standard and Professional Plus
  • McAfee VirusScan 10.x (for windows 9x)
  • Symantec AntiVirus 9.x (for windows 9x)
  • Kaspersky Anti-Virus Personal 5.0.383
  • Kaspersky Anti-Virus 2006 Beta
  • Trend Micro PC-cillin Internet Security 2006

Reverse proxy and encrypting URLs (CR54232)
With the reverse proxy, you can now encrypt URLs with AES cipher by checking the Encrypt hostnames option in the Web Applications Global Setting area using the Global Settings tab at Portal Access: Content Processing screen.

x509v3 extended attributes in certificates (CR54543)
With certificates, the FirePass controller now supports the Subject Alternative Name (SubjectAltName) extension, which allows the administrator to specify a regular expression to extract the logon name for auto-logon (passwordless authentication).

Choosing type of column separators in TN5250 emulators (CR54718)
For TN5250 terminal emulators, when you create a favorite on the Application Access: Legacy Hosts : Resources screen, you can now configure the type of column separators using the Column separators option.

Retrieve LDAP/AD attributes with dynamic group mapping (CR54793)
With an LDAP and AD dynamic group mapping policy, you can now dynamically retrieve LDAP and AD attributes and assign them to the appropriate LAN address space value to different users based on the value of session variable for that user. Navigate to the Network Access : Resource screen and select the Client Settings tab. Check the option Use split tunnel for traffic. The LAN address field opens. Insert the name of the session variable you want to use in the LAN address field.

Using %username% and %password% variables with Static App Tunnels (CR55026)
With static App Tunnels, you can now pass user’s credentials to the application by specifying the %username% and %password% variables in the Application field when you create or edit an existing favorite using the Application Tunnel tab at the Application Access: AppTunnel: Resource screen.

Formatting custom messages and Network Access (CR55188)
You can use the <BR> HTML tag to insert line breaks into custom messages in the Custom Messages area on the Network Access : Resources screen.

Kerberos authentication and special characters (CR55381)
With Kerberos authentication, the FirePass controller now supports the extended ISO-8859-1(Latin-1) character set.

Minimize application and Network Access to the system tray on the client (CR56403)
With Network Access, you can now minimize the application and move it to the system tray on the client. In the Customization area, use the Customization tab at the Network Access : Resources screen and check the following options:

  • Minimize window after successfully connecting Network Access client
  • Use Tray icon instead of Taskbar entry when minimized  

Also, when you use both options, the system notifies the user that the VPN tunnel is still active.

Protected configuration at the resource group (CR56715)
You can now apply endpoint protection to a resource group on the following screens:

  • Application Access: App Tunnels : Resources
  • Application Access: Legacy Hosts : Resources
  • Application Access : Terminal Servers : Resources
  • Network Access : Resources
  • Portal Access: Web Applications : Resources
  • Portal Access: Window Files: Resources

OPSWAT SDK 2.1.18 (CR57640)
With OPSWAT SDK 2.1.18 and later, the FirePass controller now supports:

  • Rising AntiVirus 17.x
  • Trend Micro Virus Buster 2006 (Japanese version)
  • F-Prot for Windows 3.16c
  • F-Prot for Windows 3.16d
  • McAfee Personal Firewall Express

Updating F5 client components on PCs without administrative rights on user accounts (CR57944)
You can now install and update F5 client components on PCs that do not have administrative rights on user accounts by checking the option Component Windows Installer Service using the Customized Package tab at the Device Management : Client Downloads : Windows (x86) screen.
Note: To install the Component Windows Installer Service , you must have administrative rights.

Norton antivirus software (CR58004)
The pre-logon sequence check at the Users: Endpoint Security: Pre-logon Sequence screen now supports the following Japanese antivirus software:  

  • Norton AntiVirus 2005, version 11.0.11.4
  • Norton Antivirus 2006, version 12.0.0.94b

OPSWAT SDK, version 2.1.21 (CR58260)
With OPSWAT SDK 2.1.21 and later, the FirePass controller now supports or has improved support for these anti-virus and firewall applications:

  • CA eTrust Internet Security Suite Antivirus 7.x
  • Panda WebAdmin Client Antivirus 3.x
  • Panda Platinum Antivirus 7.05.07
  • Panda Platinum 2005 Internet Security 9.02.00
  • Panda Antivirus Platinum 7.04
  • AOL Safety and Security Center Virus Protection 1.x
  • BlackICE 7.x
  • AOL Firewall 1.x
  • CA eTrust EZ Firewall 5.x
  • CA eTrust Personal Firewall 5.x

Certificate signing request (CR58409)
Previously, when you generated a certificate signing request you had to configure each option in the Renew/Replace SSL Server certificate area at the Device Management : Security : Certificates screen. The FirePass controller now requires that you configure only the server name, company, and passwords to generate a Certificate Signing Request.

Split tunneling and Portal Access (CR59074)
With split tunneling, you now use the Split Tunneling area at the Portal Access: Web Applications : Master Group Settings screen to complete these tasks:

  • Specify a default action to apply to a URL when it is not specified in the Bypass or Rewrite options.
  • Specify whether to check for case sensitivity on the specified path in the Bypass and Rewrite lists.

OPSWAT SDK, version 2.1.21 (CR59304)
With OPSWAT SDK 2.1.21 and later, the FirePass controller now supports or has improved support for these anti-virus and firewall applications:

  • Bit Defender 9 Internet Security Antivirus
  • Beijing Rising Antivirus 18.x
  • Command Antivirus 4.x
  • F-Prot 3.16x
  • F-Secure Antivirus 5.x
  • Grisoft AVG products
  • BlackICE FW
  • Dr. Web 4.33.x

Enhancements to TN3270 (CR59388)
The TN3270 now supports the following options:

  • Data streaming orders
    • SFE (Start Field Extended)
    • MF (Modify Field)
  • Extended Field Attributes
    • Extended highlighting
    • Default
    • Normal
    • Blink (supported as normal)
    • Reverse video
    • Underscore
  • Foreground colors and background colors
    • Black
    • Blue
    • Red
    • Pink
    • Green
    • Turquoise
    • Yellow
    • White

Jacada, JRE 1.5, and reverse proxy (CR59413)
Prior to release 6.0, when you used the Jacada Java application with JRE, version 1.5, Jacada did not work with the reverse proxy. Now it does.

Setting font size on Legacy hosts screen (CR59425)
The FirePass controller now allows you to define the default screen size in the Legacy Hosts Favorites defined by user on his webtop or in the Legacy Hosts Favorites option on the Application Access : Legacy Hosts : Resources screen.

Protected workspace and Continue button (CR59453)
We have improved the navigation for the end user within the protected workspace. When the user enters the protected work space, the FirePass controller now automatically opens the logon prompt screen instead of prompting the user to click the Continue button.

i-mode and links on messages in Mobile Email (CR59709)
Now in Mobile Email, for each message in the mailbox, FirePass controller displays only a link on the subject heading when using i-mode client.

Norton Internet Security 20005 firewall, version 8 .x (CR59971)
The pre-logon sequence check at the Users: Endpoint Security: Pre-logon Sequence screen now supports Norton Internet Security 20005 firewall, version 8 .x.

Symantec Antivirus Corporate Edition 8.1 (CR59972)
With OPSWAT SDK 2.1.22 and later, the FirePass controller now supports Symantec Antivirus Corporate Edition 8.1.

Dynamic group mapping simplified navigation (CR59987)
We have simplified the dynamic group mapping configuration process. With the new simplified navigation, there are now four main navigation tabs (instead of five) to make it easier for you to configure dynamic group mapping at the Users : Groups : Dynamic Group Mapping screens. The names of options for dynamic group mapping have also changed at the Users : Groups : Master Groups screen. After you upgrade, verify that these setting are correct.

Client certificates and BIG-IP system (CR60015)
You can now offload the processing of client certificates on the FirePass controller, when you offload SSL to BIG-IP® Local Traffic Manager system.

Adding Windows Domain group mapping entries (CR60052)
When adding a Windows Domain master or resource group mapping entry, the FirePass controller no longer automatically fetches the list of groups from the domain controller. The Administrative Console screen now provides an interface, similar to Active Directory, for adding entries manually. You can access the entire group list through the Fetch list of Windows Domain groups from Windows Domain link on the Master group mapping table tab  or Resource group mapping table tab on the Users : Groups : Dynamic Groups screen.

TN3270 terminal type and keyboard mapping (CR60822)
The TN3270 now supports key mapping for these keys:

  • ALT
  • ALT_GRAPH
  • CTRL
  • META
  • SHIFT

You configure the TN3270 terminal type on the Application Access: Legacy Host : Resources screen.

Dynamic App Tunnels (CR60318)
You can use Dynamic App Tunnels to support applications that require dynamic IP addresses and ports by selecting the App Tunnel tab at the Application Access : App Tunnels : Resource screen. Dynamic App Tunnels work best with applications that support multiple instances. To determine if an application supports multiple instances, on a PC, go to the Task manager and click the Processes tab. Start an application several times to see if more than one process of this application appears on the Process tab. If the application does not support multiple instances you will have never have more then one process of such an application. To use Dynamic App Tunnels with such applications you must enable the Terminate existing option so that the currently running instance can be terminated. If this option is enabled and there is an instance of application already running the user will be prompted to close it before the new instance is started using Dynamic App Tunnel.

Reverting to factory settings or snapshot (CR60329)
Before you revert to factory settings or a previous snapshot, the FirePass controller now notifies the user that he cannot reverse this procedure. The system also prompts the user to confirm this change.

MSI package and reordering a list of FirePass controllers (CR60461)
With an MSI package, you can now reorder a list of configured FirePass controllers in the Common Settings area using the Customized Client Components tab at the Device Management : Client Downloads : Windows (x86) screen.

Allowing direct connections for external users (CR57555, CR60765, CR61948)
You can now allow external users to directly access resources by disabling either of two options:

  • Disable the option Limit Access to Favorites only on any one of three screens:

    • Application Access : Terminal services : Master Group Settings

    • Portal Access : Windows Files : Master Group Settings

    • Application Access : Legacy Hosts : Master Group Settings

  • Disable the option Show administrator-defined favorites only on either of two screens:

    • Application Access : App Tunnels : Master Group Settings : Common screen

    • Portal Access : Windows Files : Master Group Settings screen

    Note: On these two screens, security is controlled through access control lists (ACLs). If you want to limit access to specific resources, configure your ACLs appropriately; otherwise, users might be able to access resources other than those specified in the administrator favorites.

    Note: Previously, when you enabled the Limit Access to Favorites only option on the Application Access : App Tunnels : Master Group Settings screen, the system displayed the option Allow Direct Connection limited by scope. Now this option is no longer displayed and direct connections are only allowed when you disabled the Show administrator-defined favorites only option.

Cookie policy (CR61128)
You can now permit a website to create a cookie with a path attribute that is not a valid substring of its current request URL. In the Web Applications area, use the option Ignore cookie path when accepting from next URLs by selecting the Global Settings tab on the Portal Access : Web Applications: Content Processing screen. Note that this option is incorrectly labeled in the online help as the Accept cookies from this website list despite it's path attribute.

Displaying custom messages on Mac, Linux, and UNIX clients (CR61181)
With Mac, UNIX, and Linux clients, you can now present messages to the users when they successfully log on to the FirePass controller. You use the option Present the user with a message box after successfully connecting Network Access client by selecting the Customization tab at the Network Access : Resources screen.

Attack Notification and Prevention (CR61755)
With the Report repeated logon failures as a possible attack option, you can now configure the number of consecutive failures in to as low as 2 in the Attack Notification and Prevention area at the Device Management : Security : User Access Security screen.

Clam AV version 0.88.2 (CR62161)
The FirePass controller supports Clam AV antivirus, version 0.88.2.

Memory usage graph removed on the monitoring screen (CR62270)
We have removed the memory usage graph on the Device Management : Monitoring : Statistics screen.

%SystemRoot% variable , global unique identifier, and pre-logon sequence (CR62322)
With the Windows file checker, you can now check for the presence of a global unique identifier (GUID) as file name to distinguish a software component. You can also use the %SystemRoot% or other environment variables in file names; for example: %WinDir%\explorer.exe, to obtain the Windows Explorer version at the Users : Endpoint Security : Pre-Logon Sequence screen.

Web top and direct connect (CR62673)
On the user's webtop, the App Tunnel Direct connect edit screen, we have removed the following text: The remote IP:port will be mapped to a local address:port.Please specify the host DNS name or IP and port on the corporate LAN you want to tunnel to:With App Tunnel.

Using WebDAV to start Windows Files favorites (CR64005)
You can now start a Windows Files favorite from a custom portal access page using the WebDAV /sandbox directory. We have added a Windows Files WebDAV sample in the on-line help in the Advanced WebDAV customization area. To view this sample, go to the Device Management : Customization screen and select the Global Customization tab.

 

Fixes in this release

This release includes the following fixes.

Page Not Found error in Setup Wizard (CR30978)
Prior to release 6.0, when the Quick Setup wizard finished, the FirePass controller restarted automatically. The FirePass controller's IP address and host name were generally changed during the initial Quick Setup configuration. The browser attempted to connect to the page using the previous IP address, and generated a Page Not Found error. Under these circumstances, the FirePass controller no longer restarts automatically. The Quick Setup now instructs the user on how to connect to the new address or host name and displays Restart and Shutdown options.

Online upgrade and screen refresh (CR34238)
Previously, during an online upgrade operation, if you performed any action that refreshed the upgrade screen (including opening a new browser window), the screen refresh corrupted the upgrade. The online upgrade operation now works correctly, and the system no longer corrupts the upgrade when you perform an operation that refreshes the upgrade screen.

SMB Signing (CR36976)
In previous releases, the FirePass controller could not access a shared folder on Windows servers that required SMB signing. The FirePass controller can now access a shared folder on a Windows server that requires SMB signing.

Special characters and backups (CR38842)
Previously, when you performed a nightly back up with FTP at the Device Management : Maintenance : Backup/Restore screen, the system did not correctly send certain characters in the user’s password to the FTP server; for example: $#!" . Now it sends these characters correctly.

Drive mapping overwrite of existing share (CR40546)
In prior releases, when you created a new drive-mapping using an already-mapped share name, the system overwrote the existing share without warning. Now under these circumstances, the system warns you that will overwrite an existing mapped share name.

Siebel Call Center 7.7 web application and reverse proxy(CR43904)
Previously, users could not log on to the Siebel® Call Center 7.7 web application through the FirePass controller reverse proxy. Now they can.

Multi-language support in Windows Files (CR45645)
Previously, when you used the FirePass controller Windows® Files functionality on an English-based Windows® 2000/2003 server with multi-language support, the system did not correctly show share names containing non-English characters. The system now correctly shows share names containing non-English characters.

Retrieving WebDAV sandbox content (CR45634, CR53927)
Previously, after you uploaded the sandbox content and cleared (disabled) the option Allow WebDAV sandbox customization in the Advance Customization at the Device Management : Customization screen, the FirePass controller erroneously prompted HTTP clients for their WebDAV credentials when they requested items under the /sandbox. The FirePass controller no longer erroneously prompts HTTP clients for their credentials and retrieving WebDAV content works correctly.

Erroneous error messages (CR46762)
In previous releases, in rare instances, when a system process was not running correctly, the FirePass controller displayed erroneous error messages. The FirePass controller now displays no message at all.

FirePass controllers and localization in pre-logon sequence (CR47423)
In release 5.4.x, the FirePass controller did not localize the pre-logon sequence. In release 5.5 and later, the FirePass controller localizes the pre-logon sequence.

NetBIOS name resolution and Windows Files (CR48543)
Previously, with Windows Files, the FirePass controller did not correctly process NetBIOS name resolution. To address this issue, we have added the following options in the Advance Windows Files Settings area at the Portal Access : Windows Files : Master Group Settings screen.  

  • NetBIOS Machine Name
  • Name Resolution Service Order  
  • WINS Servers

Adding new browsers and generating system warning messages (CR48660)
In prior releases, when you added a new browser on the Device Management : Configuration : New Browsers screen, the FirePass controller incorrectly generated system warning messages on the user's webtop. Under these circumstances, the FirePass controller no longer generates these system warning messages.

SharePoint and Microsoft documents (CR49949)
Prior to release 6.0, in SharePoint®, when you edited a Microsoft® Office® document, and the editor made a request to update the shared workspace, the FirePass controller could not support the update. With SharePoint, the FirePass controller now updates the shared workspace when you edit a Microsoft® Office® document.

Displaying text on TN5250 application (CR49979)
Previously, the FirePass controller did not correctly display text on a TN5250 application. The FirePass controller now correctly displays text on a TN5250 application.

Failover related SNMP variables on standalone FirePass controller (CR52708)
In previous releases, a standalone FirePass controller returned an error when it was queried for SNMP variables describing failover configuration and status. Now, the values for these variables are correctly returned.

Latin 1 character set and formed-based authentication (CR53057)
Previously, with form-based authentication, the FirePass controller did not support the extended Latin 1 character set (ISO 8859-1) for user names and passwords. Now it does.

Latin 1 character set and basic authentication (CR53058)
Previously, with basic authentication, the FirePass controller did not support the extended Latin 1 character set (ISO 8859-1) for user names and passwords. Now it does.

Client certificate (CR53783)
Prior to release 6.0, some applications could not correctly display client certificates that were generated by the FirePass controller with localized user names. These applications can now display these client certificates.

Importing users from Active Directory (CR54328)
Prior to release 6.0, when you created a master group with Active Directory® authentication and selected the Require user logon in form DOMAIN\username: option on the Authentication tab at the Users : Groups: Master Groups screen, the FirePass controller did not import the users correctly. The FirePass controller now imports users correctly.

Windows file checker and endpoint security (CR54359)
Prior to release 6.0, with endpoint security, the Windows File checker did not work correctly when the client did not require administrative rights to install a MSI package. The Windows File checker now works correctly even under these circumstances.

ISO-2022-JP and email subjects (CR54874)
In previous releases, on a Japanese FirePass controller, the system might have included unnecessary spaces in ISO-2022-JP encoded mail subjects. Certain email applications, such as Thunderbird™, could not display the spaces correctly. The FirePass controller no longer includes unnecessary spaces in ISO-2022-JP encoded mail subjects.

Retaining routing table modifications on the client (CR55025)
Previously, when the FirePass controller added routes with destination IP address from LAN address space on non-VPN interface, the FirePass controller ActiveX components incorrectly removed these routes from the client. The ActiveX components no longer remove these routes from the client.

Active Directory and resetting expired passwords for users in an external group (CR55115)
Prior to release 6.0, with Active Directory, when a user’s password had expired, FirePass controller did not prompt the user to change the password if the user belonged to an external group. Now, the FirePass controller prompts the external user to change his expired Active Directory password.

LDAP server email addresses and lowercase characters (CR55131)
In prior releases, when you selected the option Use LDAP server to obtain address option (on the Source for address list area at the Portal Access : Mobile E-mail screen), the FirePass controller search for the email address failed in the LDAP server when the address attributes were not all lowercase characters. The FirePass controller now correctly searches for email addresses in the LDAP server.

Logging on to the cluster unit for the first time (CR55266)
Prior to release 6.0, in a cluster, when a user logged on to a secondary unit for the first time, the system displayed erroneous system warning messages to the user. The system no longer displays erroneous system warning messages under these circumstances to the user.

Offloading SSL and finalizing changes(CR55307)
Previously, when you enabled the option Offload SSL processing to a BIG-IP Local Traffic Manager (at the Device Management: Configuration: Network Configuration screen using the Web Services settings tab ), and you made changes to other Network Configuration settings that did not require you to restart the FirePass controller, the finalized change always prompted you to restart the FirePass controller. Under these circumstances, the system no longer prompts you to restart the FirePass controller.

Netscape 7.2 does not display pre-logon messages (CR55499)
In earlier releases, when you enabled a pre-logon sequence check, the client did not display the pre-logon messages when it established a connection to the FirePass controller using Netscape Navigator, version 7.2. The client now displays the pre-logon messages.

Logging results of a protected configuration (CR55611)
In previous releases, when the protected configuration denied access to the user, the FirePass controller did not log the reason he was denied access at the Reports: Logon screen. Now it does.

Creating master groups and Realms (CR55675)
Previously, when you configured Realm options other than the Allow Access to all features (on the Device Management : Security : Administrative Realms screen), when you logged in as the administrator for that realm and tried to create a master group, the system displayed a blank screen. The system now displays the screen correctly.

Restoring backup files and buffer overflow (CR56020)
Previously, the FirePass controller displayed a blank screen when you tried to restore a configuration from backup file and you had set the option Restrict maximum upload size (on the Buffer Overflow tab at the Portal Access : Content Inspection screen) to a value less than the size of the restored file. The FirePass controller now presents the message Size of backup is bigger then maximum upload size and prompts you to click a link to reconfigure the option Restrict maximum upload size to a value that is larger than the restored file.

LDAP authentication and IPv6 DNS queries (CR56130)
Previously, when using LDAP authentication, the FirePass controller issued IPv6 DNS queries, which added a significant delay. Now, the FirePass controller no longer issues these queries and there are no delays.  

Maintenance Console and resetting factory settings (CR56887)
In previous releases, when you specified a network range with option 1 at the Device Management : Security : Admin Access Security screen and then logged into the Maintenance Console to reset the systems factory default settings, option 1 settings did not reset. The settings now reset correctly .

ZoneAlarm Security Suite v6.x and OPSWAT 2.1.20 SDK (CR56909)
In prior releases, the pre-logon sequence check did not support ZoneAlarm Security Suite v6.x. With OPSWAT SDK 2.1.20 and later, the pre-logon sequence check now supports ZoneAlarm Security Suite v6.x.

Windows files access and Windows 2003 file servers (CR57010)
Previously, when you accessed Windows Files using Windows 2003 file servers through Portal Access, you could not access some directories. Now you can.

Changing a password (CR57702)
Prior to release 6.0, users could not change their password when you configured both the following settings:

  • Enabled the option Required valid prelogon data for logon at the Users : Endpoint Security : Pre-logon Sequence screen.
  • Enabled the option Force user to change password on first logon when you create a new user at or edit an existing user at the Users : User Management screen.

Users can now change their passwords when you enable both these options.

VT320 emulation and legacy hosts (CR57124)
Previously, on legacy hosts, the FirePass controller did not correctly display VT320 emulation when switching from 132 columns mode to 80 columns. Now it does.

Reverse proxy and pattern-based bypass (CR57303)
In prior releases, with the reverse proxy, the pattern-based bypass did not correctly rewrite some URLs. The pattern-based bypass now correctly rewrites URLs.

BIG-IP version 9.2, Application Security Module, and reverse proxy (CR57476)
Previously, the FirePass controller reverse proxy did not correctly display the BIG-IP version 9.2, Application Security Module (ASM) menu. The FirePass controllers reverse proxy now correctly displays this menu.

Policy Fallback and Network Access client (CR57731)
In prior releases, when you configured a fallback policy in the Fallback/Secondary Settings area (using the Policy Checks tab at the Network Access : Resources screen), and the user fell back to the secondary settings, the system incorrectly minimized the window after the Network Access client successfully connected. When a user falls back to secondary settings, the FirePass controller no longer minimizes the window after the Network Access client successfully connects.

NetBIOS name and accessing Windows files (CR57897)
Prior to release 6.0, with Windows Files, the FirePass controller did not set the correct NetBIOS name. To address this issue, you can now configure the NetBIOS names for Windows file access using the NetBIOS Machine Name and WINS Servers options in the Advanced Windows Files Settings area on the Portal Access: Windows Files: Master Group Settings screen.

Java byte code rewriting files (CR58908)
In previous releases, the FirePass controller still modified files even when you excluded them from being modified as they pass through the reverse proxy. The FirePass controller no longer incorrectly modifies these files when you exclude them from being modified.

IPsec connection names (CR58963)
Previously, the FirePass controller allowed you to type an invalid IPsec connection name at the Device Management : Security : IPsec Configuration screen. The FirePass controller no longer permits invalid IPsec connection names. When you type an invalid connection name and click the Save button, the system now displays the following message: Connection name must start with a letter and contain only letters, digits, periods, underscores, and hyphens.

Clients logged off the system (CR59124)
Previously, the system incorrectly logged clients off shortly after they logged on to the FirePass controller when you configured an intranet webtop at the Portal Access: Intranet Webtop screen and when you enabled the option Force a session termination if the webtop is closed at the Users: Endpoint Security : Post-logon Actions screen. When you configure both of these options, the system no longer incorrectly logs off clients after they log on to the the FirePass controller.

Microsoft remote scripting Java applet and reverse proxy (CR59255)
Prior to release 6.0, the reverse proxy did not work correctly with the Microsoft® remote scripting Java applet. The reverse proxy now works correctly with this applet.  

Mobile E-mail and Japanese FirePass controllers (CR59515)
Previously, on Japanese FirePass controllers, for external master groups, if you did not configure Mobile-Email correctly at the Portal Access screen, the system displayed a truncated warning message to the administrator. Now, when these conditions are met, the FirePass controller displays the warning message correctly.

F5 FirePass controller client and custom link (CR59597)
In prior releases, if you configured a custom message with a hyperlink using the Customization tab at the Network Access: Resources screen, the F5 FirePass controller client incorrectly displayed raw text instead of the FirePass controller specific markup tag. The FirePass controller client now displays these links correctly.

Network Access policy check (CR59629)
Previously, if you did not define a Network Access policy check, the Win32 Network Access client made an extra call to FirePass controller to report a success on the policy check. Under heavy loads the response time for such a request could exceed the value of client side policy check report timeout (which was 5 seconds), which caused the client to stop the process by the timeout. Now, the Win32 Network Access client no longer makes an extra call to FirePass controller. We have increased the client side policy check report timeout to 60 seconds.

URLs and cascading style sheets (CR59636)
In prior releases, the FirePass controller did not correctly process some URLs in cascading style sheets. The FirePass controller now correctly processes URLs in cascading system sheets.

Time zone settings and crond process (CR59637)
Previously, when you changed the time zone settings at the Device Management : Configuration : Time screen, the crond process ignored these settings and as a result, ran certain periodic tasks at the wrong time. The crond process now uses these time zone settings and runs periodic tasks at the correct time.

Mobile-Email, external users, and upgrading (CR59643)
Previously, for external users only, the corporate email account did not work after you upgraded, unless the administrator updated the configuration at the Portal Access: Mobile-Email screen. Now, when you upgrade, the corporate email account works correctly and you no longer have to modify the corporate email configuration.

Basic Authentication to an External Server (CR59671)
Prior to release 6.0, when you created a master group that used a HTTPS URL for Basic Authentication to an external server at the Users : Groups : Master Groups screen, the FirePass controller failed to authenticate the user even though the user provided the correct credentials. The FirePass controller now correctly authenticates users under these circumstances.

Citrix terminal service and terminal screen size (CR59681)
In prior releases, with the Citrix® terminal service, when you set the option Select initial preference for the Terminal screen resolution option to Use Percent of Screen Size at the Application Access; Terminal Servers : Master Group Settings screen, the FirePass controller did not correctly display the screen size on the client. The FirePass controller now correctly displays the screen size on the client.

Linux clients, Mozilla and Firefox browsers (CR59682)
Previously, with Network Access, the Mozilla or Firefox browser might lock up when you used Linux clients. These browsers now work correctly with Linux clients.

Symantec AV 10.0.2.2000 and OPSWAT 2.1.22 SDK (CR59683)
In prior releases, the pre-logon sequence check incorrectly reported Symantec AV 10.0.2.2000 as running even when the Service was manually unloaded from Symantec Console File menu. With OPSWAT SDK 2.1.22 and later, the pre-logon sequence check now correctly detects Symantec AV 10.0.2.2000 service status.

User’s Display name in Mobile E-mail on localized FirePass controllers (CR59808)
Prior to release 6.0, on localized FirePass controllers, when you configured the corporate email account to request logon information on user’s first access to Mobile Email, the FirePass controller did not store the users’ Display names correctly. The FirePass controller now stores and displays the users’ names correctly when they access their Mobile E-mail accounts.

Network Access and drive mapping conflicts (CR59942)
Prior to release 6.0, when you configured a drive mapping on the Network Access: Resources screen, and the client was already using another drive with the same letter, the FirePass controller prompted you to select another letter, but failed to disconnect from the drive when the session ended. The FirePass controller now correctly removes the drive mapping when the client disconnects.

Windows Files and custom character set (CR59955)
Previously, when you selected the custom character set to Central & Eastern European, Arabic, Baltic, Greek, or Turkish in the Advanced Customization area at the Device Management : Customization : Global Customization screen, the list of names in Windows Files in the left webtop frame became empty. Now, the list of names in Windows Files in the left webtop frame displays correctly.

Force password change (CR60002)
In prior releases, at the User : User Management screen, when you imported users from a file, which already had the option Force password change on first logon checked, the system cleared (disabled) this option when you returned to this screen. However, the user was still prompted to change his password on his first logon. When you check this option, it now remains checked.

Mobile Email and Japanese characters (CR60005)
In prior releases, on Japanese FirePass controllers, with Mobile E-mail, the system incorrectly removed some Japanese characters from the To: field. Mobile E-mail now works correctly and the system no longer removes these characters.

Antivirus help page and incorrect cross references (CR60134)
Previously, the help page at the Users : Endpoint Security : Inspectors : Windows Antivirus Checker screen contained incorrect cross references. These links now point to the correct location.

Displaying Finnish characters in Windows Files(CR60140)
Previously, when you used Windows Files, the FirePass controller did not correctly display Finnish characters in file and directory names. When you access Windows Files, the FirePass controller now correctly displays Finnish characters.

Displaying User Experience screen (CR60148)
Previously, when the administrator with superuser rights accessed the User Experience tab using Users : Groups : Master Groups screen, the FirePass controller did not display the Administrative Console webifyer, and as result, you could not configure it. The system now correctly displays this webifyer and you can configure it.

Editing a user and enforce strong password option (CR60159)
Prior to release 6.0, the FirePass controller incorrectly prevented the administrator from editing a user account when he checked the option Enforce strong password for authentication against internal database at the Device Management : Security : User Password screen, and failed to enter a valid strong password when creating this account. The FirePass controller now correctly permits the administrator to edit a user account when you enable this option.

Logging on to email (CR60296)
Previously, when you enabled the options Treat user's logon name as case sensitive and Allow to logon with e-mail address as substitute of user name in the User Name area on the Users : Global Settings screen, users could not log on using their e-mail address. Now, they can.

Norton Antivirus 2005 Traditional Chinese and OPSWAT 2.1.22 SDK (CR60201)
In prior releases, the pre-logon sequence check did not support Norton Antivirus 2005 (Traditional Chinese). With OPSWAT SDK 2.1.22 and later, the pre-logon sequence check now supports Norton Antivirus 2005 (Traditional Chinese).

Rewriting the <base href> tags (CR60234)
In prior releases, the reverse proxy did not correctly rewrite <base href> tags when the URL contained a port number. The reverse proxy now correctly rewrites <base href> tags.

Retaining FirePass controller list settings (CR60327)
Previously, with the F5 FirePass controller client when you configured a list of FirePass controllers and cleared (disabled) the Maintained History option (using the Customized Client Components tab at the Device Management : Client Downloads : Windows (x86) screen), the list of FirePass controllers was not retained after a client connected to the system. The FirePass controller client now correctly retains these settings.

Endpoint security inspectors displaying HTML source code (CR60614)
Previously, with Windows XP SP1 and Windows 2000, SP4, some endpoint security inspectors might incorrectly display their HTML source code. These endpoint security inspectors now work correctly and no longer display their HTML source code.

Network Access client and proxy settings (CR60786)
Previously, if you configured proxy settings for the VPN Client in release 5.4.2 and earlier and then upgraded to release 5.5 or later, the VPN client might incorrectly retain previous proxy settings. To fix this issue, the VPN client now only uses proxy settings from Internet Explorer.

WholeSecurity's Confidence Online™ Server and post-logon actions (CR61118)
Previously, when you integrated the FirePass controller, and WholeSecurity's Confidence Online™ Server, and enabled Post-logon actions at the Users : Endpoint Security: Post-logon actions screen, the WholeSecurity's Confidence Online™ Server did not work. WholeSecurity's Confidence Online™ Server now works when you enable post-logon actions.

F5 FirePass controller client and custom messages (CR61182)
In prior releases, when you configured a custom message and fallback policy for the F5 FirePass controller client at the Network Access : Resource screen, the FirePass controller did two things:

  • Incorrectly displayed a custom message and the associated hyperlink did not work
  • Displayed messages too quickly for the user to read and click the associated hyperlinks

Now, the system correctly displays custom messages correctly with enough time for the user to read and click hyperlinks. And the hyperlinks now work.

Network Access and encrypting a host file (CR61183)
Prior to release 6.0, with Network Access, the FirePass controller incorrectly encrypted a host file when the user profile was encrypted. This prevented the client DNS service from working. The FirePass controller no longer erroneously encrypts a host when the user profile is encrypted and the client DNS works correctly.

HOBlink, Sun JRE, and reverse proxy (CR61269)
In prior releases, HOBlink, a Java applet, did not work with the reverse proxy under the Sun JRE. The HOBlink application now works correctly with the reverse proxy.

HOSTS file and F5 FirePass controller client (CR61352)
Previously, with Network Access, the F5 FirePass client, did not always remove the host entry in the HOSTS file when you right clicked to close the client from the tray icon. The F5 FirePass controller client now correctly removes the host entry from HOSTS file.

OWA logon form (CR61368)
Previously, when a web application used POST data to send user credentials to a OWA logon form on a different server configured to use OWA form-based authentication, the log on to OWA failed. Now, logging on to OWA succeeds.

Web applications and contracting webtop banner (CR61416)
Previously, when you accessed a web application that ran in the FirePass controller webtop main window and you then clicked the arrow in top left corner to contract the banner at the top of the page, FirePass controller would incorrectly display a list of all web applications in the main window frame. Now, the FirePass controller no longer incorrectly replaces the current web application with this list.

Active Directory authentication and required domain group check (CR61675)
Prior to release 6.0, when you configured a master group to use Active Directory authentication and required user to belong to a specific Active Directory group, but you entered the incorrect domain administrative credentials, users could still successfully authenticate to the FirePass controller master group if their credentials were correct, even though they did not belong to the required domain group. Active Directory authentication with domain groups now works correctly, and users can no longer authenticate to a master group when they do not belong to the required domain group.

Network Access client and displaying a custom message (CR62014)
Previously, with Network Access, the F5 FirePass controller client did not work when it displayed a long custom message and you enabled the option Minimize window after successfully connecting Network Access client in the Customization area using the Customization tab at the Network Access : Resources screen. The F5 FirePass controller client now works correctly.

Network access source address (CR62349, CR63762)
We have removed the Network access source address option from the Misc tab at the Device Management : Configuration: Network Configuration screen.

Failover pair and synchronizing firewall rules (CR62402)
Previously, upon failover, the standby node did not apply the new firewall rules until it was restarted. Now it applies the new firewall rules when it becomes the Active node.

Japanese FirePass controller and denied logon page (CR62434)
In prior releases, on Japanese FirePass controllers, when you configured a pre-logon sequence policy (at the Users : Endpoint Security : Pre-logon Sequence screen) to display a customized message on the denied logon page, the system did not correctly display certain Japanese characters. The FirePass controller now correctly displays all Japanese characters on the denied logon page.

Static host names (CR62491)
Prior to release 6.0, when you added a static host name at the Device Management : Configuration : Network Configuration, finalized your changes, made more changes to the network configuration and finalized your changes again, the FirePass controller created duplicate host name entries. The system now adds static host names correctly, and the system no longer creates duplicate host name entries.

.jar and .cab files truncate with the reverse proxy (CR62781)
Previously, the Web Applications reverse proxy engine incorrectly  truncated the .jar and .cab files to 5 bytes when you configured both the following settings:

  • A pattern-based bypass in the Minimal Content-Rewriting area at the Portal Access : Web Applications : Master Group Settings screen
  • Disabled the Enable Dynamic Cache option in the Web Applications cache area at the Portal Access : Web Applications : Caching and Compression screen

Now, the reverse proxy engine no longer incorrectly  truncates the .jar and .cab files.

Knowledge base links on logon screen and webifyer help screens (CR63002)
We have removed the knowledge base links on the logon screen and the webifyer help screens.

FIPS driver and Openssl (CR63284)
Prior to release 6.0, Openssl might have locked up the FIPS driver. The FIPS driver now works correctly with Openssl.

4100 platform, images, and virtual host customization (CR63463)
On 4100 platforms, when you configured virtual host customization, sometimes the custom images were not displayed correctly. These images are now always displayed correctly.

Master group and configuring a routing table with a numeric name (CR64086)
Previously, when you configured a master group to use a routing table with numeric name, the FirePass controller failed to apply a specified table to the user’s session and the main routing table was used. The FirePass controller now correctly applies specified routing tables.

Master group and configuring a routing table with a numeric name (CR64377)
Previously, when you configured a master group to use a routing table with numeric name, policy-based routing sometimes did not work. Policy based routing now works correctly.

[ Top ]


Known issues

The FirePass controller, version 6.0 includes the following general known issues. You can find localization-specific known issues in Localization known issues.

Certificates in Lotus Notes (CR28747)
You can open a Lotus® iNotes® mailbox with an expired server certificate. However, you must have a current certificate to open the same mailbox through the FirePass controller.

Length limitations on Window File share names (CR28778)
Previously, the FirePass controller had the same length limitations on share names as older versions of Windows ® (Windows 95, Windows 98, and Windows NT). This limitation applied only to share names. Single-byte share names needed to be 13 characters or less, and double-byte share names needed to be 6 characters or less. Subfolders no longer have this limitation. This limitation now only applies to the top-level directory (root shared folder).

Deleted emails in Outlook (CR28854)
If you use an IMAP email server, Outlook® does not provide any visual indication when a user marks an email for deletion.

Euro symbol in password (CR30346)
When you configure a group that uses NTLM authentication and uses a Windows® 2000 Primary Domain Controller, and you also use the signup by template feature, the FirePass controller does not correctly send passwords containing a € (Euro currency) symbol. Please advise new users not to use this symbol when they select their passwords.

Question mark in LDAP URL (CR30914)
If the filter portion of an LDAP query contains an embedded question mark, the query might fail.

Basic HTTP authentication with an external server (CR31506)
If you configure a group to authenticate users over HTTP, you must specify an object in the path you set for the external server. Otherwise, authentication fails. For example, the URL http://myauthserver.com fails, but http://myauthserver.com/ succeeds.

Progress bar during online update (CR31670)
During an online update of FirePass controller software, occasionally the third progress bar freezes, and does not indicate the true status of the update. The update, however, ordinarily completes as expected.

IPSwitch IMail POP problem with My Email (CR34504)
A SASL authentication bug in IMail prevents use of POP. Using the FirePass controller to access email on IMail server results in erroneous authentication failures with My Email. However, you can use the IMail server configured for IMAP.

RADIUS challenge response with Cryptocard and blank passwords (CR34959)
The FirePass controller does not accept blank passwords when using RADIUS challenge response with Cryptocard. The workaround is to enter a temporary password and then enter a permanent password.

Monitor Statistics/System Load screen data mismatch (CR36658)
The difference in the data shown on the Device Management : Monitoring : Statistics screen and the Device Management : Monitoring : System Load screen appears to be isolated to the FirePass controller 4100 platform.

App Tunnels drive mapping with invalid or missing SSL server certificate (CR36803)
If you have not yet installed a trusted SSL certificate on the FirePass controller, then when users attempt to connect to a mapped drive using App Tunnels, the first attempt in a session usually fails. Subsequent attempts using the Relaunch button might succeed. We recommend installing a trusted server certificate as soon as possible.

Moving users between groups (CR36808)
When you move a user from one group to another, the FirePass controller does not prompt for additional data that might be required by the target group. For example, a user moved from a group using LDAP authentication to a group using internal database authentication might lack a password in the internal database account record. This can potentially result in failures of authentication. To prevent these failures, verify the completeness of user account records using the Users : User Management screen.

Constant restart of Flash (CR36933)
Flash constantly restarts at the www.kurzweilai.net and other flash-based web sites.

Authentication does not check proxy settings (CR37072)
The FirePass controller form-based authentication component does not check or use proxy settings or proxy server credentials. Do not configure a FirePass controller to perform HTTP or HTTPS-based authentication using the proxy server.

Misleading error using unsupported browser on Linux system for Network Access (CR37113)
If you use an unsupported browser (for example, Opera®) on a Linux® system to establish a Network Access connection, you receive a misleading error message: This is for Win32 OS only. In fact, you can establish a Network Access connection from x86-based Linux systems, but you must use a supported browser (Mozilla® 1.6 or 1.7). For a list of supported browsers, see supported browsers.

Network Access over dial-up connection where IPsec VPN client is present (CR37127)
You cannot use Network Access over a dial-up connection from a remote Windows® 2000 or Windows® XP system that also has a Check Point® SecuRemote/SecureClient IPsec VPN client installed. You can use Network Access over dial-up with a Check Point IPsec VPN client; however, the Network Access connection might take a long time to close, and you must drop and redial the connection to the ISP in order to continue with Internet access.

Browser incompatibility on X Window System with Sun JRE 1.3.x (CR37174)
X Window System::Java client does not work with Windows® XP, Windows® 2000 Professional, Mozilla® 1.7.3, Java™ Plug-in: Version 1.3.0_01, when you are using Java Runtime Environment (JRE) version 1.3.0_01 Java HotSpot™ Client VM. From the Mozilla release notes: "Java J2SE releases previous to 1.3.0_01 will not work with Mozilla. Problems have been reported with JRE 1.3.1. For best results, we recommend JRE 1.4.1."

Network Access on Safari 1.0 browser on OS X 10.2 (CR37217)
The Network Access control for Macintosh® OS X version 10.2 does not install properly under the Safari® 1.0 browser. The screen repeatedly prompts you to install it, even if you have already installed it, but you cannot use it. The Safari 1.0 browser does support the FirePass controller's HTML-based functional components: Portal Access, Mobile E-mail, Windows Files, UNIX Files, and for Desktop access, the Java client only. You can use Safari 1.2 as the Network Access browser.

High traffic levels on Management port can cause 4100 platform to reboot unexpectedly (CR37341)
On the 4100 hardware platform, high levels of traffic through the Management port might cause the unit to reboot. The Management port is intended only for direct connection to the Administrative Console. We do not recommend connecting the FirePass controller to the LAN using this port. An unexpected 4100 reboot might occur if you connect to the Management port with a hub, due to high levels of traffic on the hub. Use a switch rather than a hub when connecting to the Management port.

McAfee VirusScan Enterprise, version 7.x and Last Signature Update (CR40600)
For Network Access, when you use the pre-logon sequence check with McAfee VirusScan Enterprise, version 7.x, the Last Signature Update option works on only the English version of Windows.

Terminal services, Internet Explorer, and Macintosh (CR40618)
The FirePass controller does not support the following features on Macintosh platforms:

  • Terminal services
  • Internet Explorer

For more information about Macintosh operating system support, see SOL3364: FirePass support for Mac OS clients.

Default web application URL for resource group (CR40637)
The default URL for a web application is determined at a resource-group level. If a user has multiple resource groups assigned, the web application uses the default web page from the last resource group assigned to a user.

Incorrect user information attribute with first name (CR40694)
Mapping the user's first name against an Active Directory® account results in a first name of Administrator, not the actual first name of the user. This error occurs only with the test mapping. Mapping by the FirePass controller works correctly, and the user can log on without problem.

Restoring FIPS systems breaking imported key pairs (CR41278, CR41573)
If you have imported key pairs into a FIPS card and have reinitialized the card since making the most recent backup, then restoring your configuration might render some web services inaccessible. If you use FIPS and then, after restoring your configuration, you lose access to the Administrative Console, use the Maintenance account to reinitialize the FIPS card. To correct your configuration, re-import the key pairs you need.

Browser incompatibility on legacy host systems with Sun JRE 1.3.0_01 (CR42609)
Legacy Host System:: the Java client does not work with tn3270 and vt320, Netscape® 7.2 and Mozilla® 1.7.3, Java™ Plug-in: Version 1.3.0_01, when you are using Java Runtime Environment (JRE) version 1.3.0_01 Java HotSpot™ Client VM. Problems have been reported with JRE 1.3.1. For best results, we recommend JRE 1.4.1.

Local redirect instead of full redirect with < DNS (CR42669)
If you attempt a full redirect, from admin to admin/, and DNS is not correctly configured, you actually get a local redirect. This problem does not occur if the DNS entry is configured correctly.

Redirect in frame (CR42676)
The redirect to an unlicensed screen might occur in a frame when a timeout interval has elapsed.

Post-logon uninstall of previously installed ActiveX components (CR43139)
Using the post-logon option of Uninstall ActiveX components downloaded during FirePass session, does not uninstall ActiveX components that were installed before user logon.

Problem for VLAN-based web applications with enabled cache (CR43445)
The Web Application Cache serves content by looking at the destination URL only. It does not consider the resource group of the requested resource. This can cause an invalid response to be served, if multiple resources across different resource groups are identified using the same URL. We recommend that you do not use the Web Application Cache in this situation.

Pre-logon infinite sequence (CR43509)
The pre-logon sequence functionality enables you to create a sequence that results in an infinite loop by choosing a sub-sequence that references itself as one of the final actions. If you create a sequence whose action includes a reference to itself, the end-user's browser halts during logon. To avoid this problem, make sure the final outcome of a sub-sequence is not a reference to the same sub-sequence.

Load balancing deactivate (CR44778)
Load balancing does not turn off unless you first clear the check box Allow optional manual logon to slave nodes from master logon page, and then set Load Balance to off.

Client certificates for external users (CR44888)
The FirePass controller stores client certificates. If an external server maintains your user accounts, and you want to use client certificates for your users, you must use your company's certificate authority (CA) infrastructure. FirePass controller cannot distribute client certificates that it does not create. For more information, refer to the online help for client certificates.

Window flash during client logon (CR44889)
With a pre-logon sequence that scans for antivirus, the scanning component briefly posts an in-progress window after it scans each file. Within a second or so, the component removes the window. Therefore, during logon, users might experience window-flashes as they log on. The window does not take focus away from the active application, but users might see flashing in the background.

Blank help and attachments windows in OWA (CR45150)
When you have more than one instance of Internet Explorer running and you try to open help or the attachment window for email, the window might be blank. This occurs intermittently. You can click the Help button a second time to open the help. The attachment window might not work until you close the other browser instance.

Using the at sign in the Active Directory logon (CR45446)
You can use the email address as your Active Directory® logon, and your email address can (and must) contain the at sign ( @ ). However, Active Directory logons that are not email addresses cannot contain @.

Split tunnel for Network Access on PocketPC (CR45800)
The FirePass controller does not support split tunnel for Network Access on the Pocket PC.

Protected configurations (CR46191)
Japanese versions of TrendMicro™ Virus Buster 2004 (11.x), and Trend Micro Virus Buster, and Internet Security 2005 (12.x) cannot be detected by the “Windows antivirus checker” endpoint inspector during pre-logon inspection. As a result, some resources that are associated with assigned protected configurations are not available to users if the FirePass controller uses information about these installed antivirus applications on a remote access point.

Network Access with a Windows XP client (CR46482, CR46659)
Drive mapping with Windows® XP clients might not connect to the Windows file server on the first attempt.

Using special mode with OWA and iNotes (CR47039)
On some sites, the FirePass controller incorrectly detects OWA, or iNotes servers as running, even though they are not running. If this happens, do not configure the controller to automatically detect OWA or iNotes at the Portal Access : Web Applications : Content Processing : Global Settings screen using the Global Settings tab.

Windows 98 and Internet Explorer (CR47040)
If a client is using Windows® 98, Internet Explorer, version 5.0 does not work. To work around this issue, we recommend upgrading your client to Internet Explorer, version 5.5 or later.

Strong passwords (CR47069)
When you configure an internal database of users to use strong password authentication, this setting is not applied to imported users.

Displaying messages during pre-logon sequence (CR47197)
When you configure a pre-logon sequence and do not specify an action, the system does not display any warning or explanatory message to inform the user of the reason access is prohibited.

Using a comma with a sub-sequence (CR47336)
You cannot create a sub-sequence using a comma (,) at the Users : Endpoint Security : Pre-Logon Sequence screen in the Create New Sequence box.

Naming a subsequence (CR47337)
You must specify a unique name when you create a subsequence using the screen at Users : Endpoint Security : Pre-Logon Sequence : Create New Sequence : Create Subsequence.

Warning message on a webtop (CR48630, CR47453)
When you configure master groups with the system warnings set to Don't Use at the User Experience tab of the Users : Groups : Master Groups screen, an erroneous warning message appears on the users' webtop.

FirePass 4100 and ARP requests (CR49240)
On a FirePass controller 4100 system, a non-management port responds to ARP requests for the management port’s IP address 192.168.0.99 when no cable is attached to the management port.

Web Application Type resets to generic (CR49541)
The Web Application Type resets to generic when you configure all these settings:

  1. Set a Favorite's Web application type to IBM iNotes, or OWA, in the Feature Web Applications area at the Portal Access: Web Applications: Content Processing screen using the Global Settings tab.

  2. Clear the Automatically detect hosts for OWA and iNotes check box and do not specify a corresponding host name.

  3. Add a new favorite and click the edit button at the Portal Access : Web Applications : Resources screen.

Display nodes in cluster at the logon page (CR51211)
When you change the number of members in a cluster, the loading balance menu at the logon screen does not display these changes. However, load balancing works correctly.

Cascading Style Sheets (CR52382)
With Internet Explorer 5 and 6, cascading style sheets are not displayed correctly when you configure both these options at the Portal Access : Caching and Compression settings screen:

  • The Enable Compression. Saves bandwidth option in the Web Applications cache area
  • The cache nothing in the remote browser option in the Web Applications Global settings

This is Microsoft® Internet Explorer 5 and 6 software problem.

Terminal Server and VLAN interface (CR52511)
When you enable master group-based policy routing for a particular master group, you must not allow users of the master group to create Terminal Server favorites for accessing servers that are not part of the VLAN defined for that master group. To prevent users from creating the Terminal servers user favorites, select the Limit Terminal Servers Access to Favorites only(for Extranets...) option at the Application Access: Terminal Servers: Master Group Settings screen.

SuSE 9.1 and Network Access (CR52429)
If you have enabled your firewall on your LINUX machine, you must allow both TCP incoming and outgoing traffic for loop back IP address 127.0.0.1 on port 44444. Otherwise, the Network Access tunnel is disconnected because no traffic can go through Network Access tunnel.

User name containing @ and authentication (CR52530)
A user name containing the at symbol ( @ ) cannot be authenticated using Active Directory®. However, it can be imported and it is then correctly displayed in the users' list.

Saving and opening attachments with DWA iNotes 6 Class module (CR52532)
With DWA iNotes 6 Class module, you cannot open or save some attachments through the FirePass controller reverse proxy engine. For the workaround, contact FirePass controller support group/team.

Support for Netscape 4.7x (CR52535)
In some cases, the Netscape® Navigator browsers, version 4.79 and 4.8, do not display the end user and administrative user interface correctly.

JavaScript and multi-byte characters (CR52640)
If your JavaScript™ uses multi-byte characters that include single quote ( ‘ ), double quote ( “ ) in any place or backslash ( \ ) before a quote, the FirePass controller partially displays the page, or the page is not displayed.

Netscape 4.79 and compression (CR52777)
If your end users are using Netscape® 4.79, you might need to disable compression in the Turn gzip Compression On or Off for webtop and Web Applications area at the Portal Access : Caching and Compression screen. This is a Netscape software problem.

Canceling a snapshot (CR53041)
On the Maintenance Console, when you try to cancel a snapshot, the FirePass controller fails to cancel the operation.

Microsoft file sharing and App Tunnels (CR53559)
For App Tunnels, On Windows® XP, Microsoft® file sharing does not work if the user has limited rights on his client.

IBM Lotus® Domino® Web Access server (iNotes) and Sametime applet (CR53332)
The Chat feature for the Sametime application does not work. For the workaround process, seeHow to use the Chat feature for Sametime application in the known issue section of this release note.

Using backup file names (CR53631)
You cannot restore a file that contains special characters in the file name. When you can create a backup of a current configuration or save zip files, do not use special characters, such as ` ~ ! @ # $ % ^ in the file name.

Japanese FirePass controllers, dynamic group mapping, client certificates (CR53785)
On Japanese FirePass controllers, when you configure a dynamic group mapping policy to authenticate users with a client certificate only (client certificate passwordless authentication), dynamic group mapping fails.

Offloading SSL to BIG-IP Local Traffic Manager (CR54047)
When you configure the FirePass controller to offload SSL processing to an upstream BIG-IP® Local Traffic Manager, at least one SSL web service must be configured on the controller to overcome an existing configuration limitation on the controller. The FirePass controller requires configuration of at least one SSL web service to complete the finalize operation.

SharePoint and Microsoft Word (CR54275)
When an end user uses SharePoint® and tries to save a document with a different file name using the Save As option, the FirePass controller displays a JavaScript™ error: File can not be saved. You can ignore this error and save the document by clicking the Yes, No, or OK button.

Reverse proxy and Citrix Metaframe ICA files specifying application by name (CR54315)
When Citrix® Metaframe® ICA file specifies the application name in the Address parameter, expecting the ICA client to resolve the name using Citrix name resolution protocol, the reverse proxy cannot start the App Tunnel to the correct server address. To work around this issue, add a host entry to FirePass controller to the resolve application name to the correct server IP address.

Pre-logon sequence file checker (CR54431)
The pre-logon sequence file checker truncates a file name when the ampersand ( & ) character is present.

VNC client (CR54485)
The VNC standalone client does not provide a button to disconnect from the Terminal Server session. To disconnect from a Terminal Session, the end user must log off from the FirePass controller.

Pre-logon sequence and special characters (CR54495)
When you create a pre-logon sequence check, some special characters such as quotation marks, number sign, or ampersand, ( ", # , & ) are not displayed or truncated. If you name a pre-logon sequence using the number ( # ) sign, you cannot edit the sequence.

Logging results of a protected configuration (CR54709)
When the protected configuration denies access to the user, the FirePass controller does not log the reason he was denied access at the Reports: Logon screen.

Protected workspace and printers (CR54716)
When you enable protected workspace and you do not want your users to print out documents, select No in the Allow user to use printers option at the protected workspace Inspector Details screen.

Rewriting URLs and DWA (CR54864)
On the customized Lotus Notes Domino Web Access (DWA) welcome page, the FirePass controller fails to rewrite URLs in the Web Page and Quick Links panels.

Antivirus database signature or engine version (CR54884)
With a pre-logon sequence check, when you specify an antivirus software to scan with the any supported option, the engine and database signature fields must be empty.

Reverse proxy and alternative host/port-based bypass (CR54969)
With clustering, the alternative host/port-based bypass option does not work.

Endpoint security and scanning for antivirus software (CR56971)
With endpoint security, in rare cases, the antivirus scanning engine might incorrectly time out or lock up.

External groups and Allow user to change user information option (CR57053)
For external groups, the FirePass controller incorrectly allows you to use the option Allow user to change user information using the User Experience tab after selecting a master group in the Group Name column at the Users : Groups: Master Groups screen. This option is reserved for internal users.

Protected workspace and erroneous messages (CR57453)
On German versions of Windows XP, when you use the protected Workspace, the FirePass controller displays an incorrect error message to users indicating that their browser had disabled cookies. However, protected workspace works correctly.

Displaying top-level Windows folders in languages other than English (CR58392)
The FirePass controller cannot display top-level Windows folders in languages other than English when the names are greater than 6 double bytes or 12 bytes in size.

Mobile-Email favorites and the at ( @ ) symbol (CR58690)
Mobile E-mail might fail with some IMAP servers when you use a Mobile E-mail account name that contains at ( @ ) symbol.

Displaying the front door custom graphics (CR58779)
When you check the Disable large F5 Front Door graphics option so that you can display a custom image, the custom image is displayed in the Administrative Console but not on the front door (logon screen).

Autolaunch opens additional windows at the first logon (CR58862)
With App Tunnels, when you configure the following settings at the Application Access: App Tunnels screen, the system incorrectly opens extra windows when the client first logs on to the FirePass controller and the client system does not have App Tunnels components (ActiveX controls) preinstalled:

  • Create a new App Tunnel resource group.

  • Create several App Tunnel favorites.

  • Checked the option Autolaunch based on endpoint protection.

Internet Explorer and pre-logon sequence check (CR59072)
When you use Internet Explorer, version 5.0 with Windows 98, the browser locks when the FirePass controller performs a pre-logon sequence file or registry check on the client.

Internet Explorer, version 5.0 and closing multiple App Tunnels (CR59110)
When you use Internet Explorer, version 5.0 and you close multiple App Tunnels, the system displays JavaScript errors on the end user's browser. To avoid this issue, we recommend that you use a more recent version of Internet Explorer.

IBM Lotus® Domino® Web Access server (iNotes) and Sametime (CR59639)
If the IBM Lotus Sametime® Java applet is installed on the IBM Lotus® Domino® Web Access server (DWA), and the server is configured to use the STLoginForm accessing mailbox over Web Applications, Sametime may fail and display an error message. To work around this issue, you enable a cookie pass-through. For the workaround process, see IBM Lotus® Domino® Web Access server (iNotes) and Sametime in the Workarounds for known issue section of this release note.

Installing the F5 FirePass controller client and Linux Core Fedora 4 (CR59758)
When you attempt to install the F5 FirePass controller client (using the root password) on to a PC that is running Linux Core Fedora 4, the automatic installation might fail. If this happens, the user must manually install the client using a sudo password that is provided by their administrator.

Japanese characters and Windows files (CR59800)
With Windows files, on the top level directory, if the Japanese folder name is greater than 12 bytes, the FirePass controller does not display the folder.

SharePoint and editing a document (CR60031)
With SharePoint ®, in rare cases, you cannot edit a document through the FirePass controllers' reverse proxy. For the workaround process, see SharePoint and editing document for known issue section of this release note.

Downloading the F5 Networks FirePass controller client (CR62326)
In rare cases, the user might not be able to download the F5 Networks FirePass controller client from his webtop on the Network Access screen.  

Single sign on and dynamic cache (CR62653)
When you use the FirePass controller to support single sign on to back-end web servers through Web Applications, you might need to clear (disable) the option Enable Dynamic Cache on FirePass in the Web Applications cache area on the Portal Access : Web Applications : Caching and Compressions screen. When you enable dynamic cache, the FirePass controller might return content directly, bypassing the security check of the back-end web application, if the web application does not manage HTTP caching headers correctly.

Application Access and upgrading to release 6.0 (CR62533)
For Citrix clients, when you upgrade to release 6.0, you must configure an access control list (ACL) that represents the IP address and port number of the Application Access favorite. To configure the ACL, navigate to the Application Access : App Tunnels :  Resources screen and click the App Tunnels tab or  Application Access : App Tunnels :  Master Group Settings screen and click the Common tab. This also applies to Citrix® MetaFrame® and NFuse portal access through Web Applications. In this case an Application Tunnel is started in the background and this requires an access control list entry configured for all backend Citrix servers.

Retaining changes to the time zone (CR62897)
When you change the time zone on the Device Management : Configuration : Time screen and then restart the FirePass controller, the system does not update the time from the NTP server. To update the time from the NT server, go to the NTP Server area, and then in the New NTP Server option, click the Apply button.

Synchronizing a failover pair or cluster and customization (CR63237)
With a failover pair or cluster, if you configure a large amount of customization data (on the Device Management: Customization screen), the failover pair or cluster might fail to synchronize.

Installing Protected Workspace ActiveX components onto Windows 2003 if TEMP folder is encrypted (CR63821)
With Windows 2003 server, the FirePass controller cannot install the ActiveX components onto the client when you have configured a protected workspace and the client temporary folder is encrypted.

Windows File checker and modification date (CR63468)
With the pre-logon sequence check, the Windows File checker reports a different time than the one reported by the client using Windows Explorer. For the workaround process, see Windows File checker and modification date in the Workarounds for known issue section of this release note.

Recovering ActiveX settings from a backup file (CR63836)
When you upgrade to 6.0 from any previous releases or restore your configuration from a backup file that was created on a previous release, the Disable top level ActiveX controls update and Use Java for installation settings (on the Device Management : Configuration : Client Update) are lost.

Adding a new browser type and UTF-8 (CR63486)
When you add a new browser type for a Desktop or Pocket PC browser (on the Device Management : Configuration : New Browsers screen), the FirePass controller incorrectly sets the UTF-8 setting to No instead of Yes. As a result, users can longer access the logon page when they select the UTF-8 character set.

Network Access and global activity timeout (CR63887)
With Network Access, when you set the global or group based inactivity timeout option (on the Device Management : Security : Timeouts screen) to less than five minutes, the FirePass controller incorrectly terminates Network Access even though traffic is passing through the tunnel during this time.

Windows dial up entry screen (CR63705)
When the Windows integration component is installed on the user’s client, and he enters his credentials on the Windows dial up entry screen and then clicks the properties, the system does not retain his changes.

Reverse proxy and response code of 300 or higher (CR63729)
When a web server sends a response code of 300 or higher to the FirePass controller, the reverse proxy incorrectly removes the content from the response.

Desktop Access Webifyier displayed on user's Webtop (CR64027)
If you have enabled the option Always default to FirePass Webtop, even when Desktop is allowed (by selecting the Global Customization tab in the Advanced Customization area on the Device Management : Customization screen) and then upgrade to release 6.0, the system incorrectly displays the Desktop Activation password screen on the user’s webtop. To fix this issue, reset your advanced customization settings to the defaults settings.

Windows dialer and Winlogon integration settings (CR64070)
Winlogon integration might not work on clients running Windows XP, Service Pack 1, if another remote access connection program (for example, an MSN dialer) is installed on the client because of a Windows XP software issue. To correct this issue, apply the Windows XP, Service Pack 2 onto these clients.

Desktop service, web services, and upgrading (CR64108)
When you upgrade to release 6.0, the FirePass controller correctly removes the Desktop Service from the system (this feature is no longer supported). However, the system incorrectly retains the web service configuration associated with the Desktop Service (the option is on the Web Server tab on the Device Management : Configuration : Network Configuration screen).

SharePoint profile (CR64197)
With SharePoint®, when a user attempts to make changes to his profile, such as the font type, font size, text color, and background color through the FirePass controller, the reverse proxy displays error messages.

Uninstalling the Windows logon component and dial up entries (CR64292)
When you remove the Windows logon component from the F5 client using the Start: Control Panel: Add/Remove : Change or Remove Programs screen, the system sometimes fails to remove the F5 dial up entry.

Mobile E-mail and external users (CR64420)
Mobile E-mail and external users(CR64420) For external users, the Administrative Console incorrectly allows the administrator to change (enable/disable) the Limit E-Mail Access to Corporate mail account only option on the Portal Access : Mobile E-Mail screen. This option does not affect external users because they are always limited to the Corporate mail account.

Pre-logon sequence, virtual keyboard, protected workspace (CR64221)
If you upgraded from any release older that 5.4 to release 6.0, and you enabled the virtual keyboard before you upgraded, you can no longer disable the virtual keyboard. We recommend that you disable the virtual keyboard before you upgrade.

F5 FirePass controller client, dynamic group mapping, signup by templates (CR64294)
When you use the F5 FirePass controller client (or just the Windows Logon Integration) with dynamic group mapping, you must check the sign-up by template option Bypass signup by template form and enter user information later. You do this by selecting the master group at the Users : Group: Master Groups screen and then selecting the Signup by templates tab. In general, for Windows Logon Integration we recommend using external user groups or initially importing the users (for local user groups) instead of using the signup by template feature.

Changing passwords, dynamic group mapping, NTLM authentication (CR64490)
If you configure a dynamic group mapping policy with NTLM authentication and you require the user to change his password at the next logon, the FirePass controller successfully changes the user's password; however, the user cannot access the system on the next logon.

Applying a protected configuration to the webtop (CR64196)
With endpoint security, when you apply a protected configuration to the webtop and the user is denied access, the system does not explain to the user why access was denied and does not log the reason on the Reports : Logons screen.

Deleting Subarea in Sharepoint (CR64583)
When the Sharepoin®t administrator tries to delete Subarea, the FirePass reverse proxy sends content which causes the users' browsers to incorrectly access the Sharepoint server directly. This might result in the server asking for credentials, or the page might fail to load.  

Command-line interface and F5 FirePass controller client (CR64647)
With the F5 FirePass controller client, when you use the command-line interface you must specify the short cut of an option, you cannot use the full text of the option. For example, the short cut version for help, /h, works but the long version, /help, does not.

Restoring LDAP base group mapping method (CR 64875)
If you restore your configuration from a previously created backup file, the system does not restore the settings Searce Base DN and Attributes to map group for the LDAP base group mapping method.

Active Directory server in the logon report (CR64912)
The FirePass controller shows the primary Active Directory server in the logon report, even if the secondary or tertiary server was used for authentication.

Restoring user-defined session variable settings (CR 64978)
If you restore your configuration from a backup file, the system does not restore the settings Display extra input field at logon for user defined session variable and User defined session variable prompt for user-defined session variable settings.

Settings for FTP nightly backups (CR 65029)
If you upgrade the FirePass controller from a previous release, the system does not retain the settings for the additional options for the Perform nightly backups to ftp server setting.

Standalone Client command line favorites starting (CR64954)
When you start a configured favorite with the Standalone Client command line interface using the /n option, the favorite type is not optional; it must be included. For example, the command:

f5fpc.exe -start /h <ip_addr> /u <user> /p <password> /n <fav_name>:<fav_type> works properly, but f5fpc.exe -start /h <ip_addr> /u <user> /p <password> /n <fav_name> fails.

Standalone Client Simple/Advanced mode switching (CR64955)
Switching from simple to advanced modes (and the reverse) in the Standalone Client with active connections results in lost connections and incorrect connection status. Please configure simple or advanced modes before starting active connections.

Standalone Client limitations (CR65069)
The Standalone Client does not save passwords under Windows ® 98.

The Standalone Client is not well integrated with the Protected Workspace feature. When the user starts Protected Workspace, the Standalone Client does not automatically restart, too

Windows Logon Integration and Standalone Client components removed by Cache Cleaner (CR65117, CR65121)
If the user selects the option Uninstall ActiveX components downloaded during FirePass 1000 session on the User Management : Endpoint Security : Post-Logon Actions screen , then the system might remove the controls required by the Windows Logon Integration and Standalone Client.

[ Top ]

 

 

 


Localization known issues

Viewing EUC or JIS encoded Japanese text files (CR30091)
On a Japanese FirePass controller, when you display a text file from a UNIX® (NFS) server, My UNIX Files always assumes Shift-JIS encoding, even when the browser is set to auto-detect the encoding of the document. As a result, NFS documents that use Japanese Industrial Standard (JIS) or Extended UNIX Coding (EUC) encoding do not display correctly.

Euro symbol in password (CR30346)
When you configure a group that uses NTLM authentication that uses a Windows® 2000 Primary Domain Controller, and you also use the signup by template feature, the FirePass controller does not correctly send passwords containing a € (Euro currency) symbol. Please advise new users not to use this symbol when they select their passwords.

Localization of pre-defined actions (CR44620)
In non-English systems, the pre-logon sequence screen lists the pre-defined actions in English.

Localization of pre-defined templates (CR44798)
In non-English systems, the Protected Configurations screen shows the pre-defined templates in English.

Local update (CR54564)
The FirePass controller displays an error message when all the following conditions occur:

  • You are running Chinese version of Windows® XP or Japanese version of Windows® 2000 professional.
  • You configure the controller in Chinese, English, Japanese, or Taiwanese.
  • You perform a local update at the Device Management: Maintenance : Local Update screen without a specifying a password.

Accessing Windows files (CR 58392)
On a Japanese FirePass controller, you might not be able to access Windows files.

Japanese FirePass controllers, Network Access, and Windows 2000 (CR62856)
On Japanese FirePass controllers, with Network Access, users on Windows 2000 clients might not be able to access the FirePass controller because of Microsoft® software issue. To solve this issue, apply the Microsoft® Windows 2000 patch KB896424 to these clients.

Multi-language logon and Mac OS (CR63667)
On clients using Mac OS 10.x, when you enter your credentials at the logon page and then select a default character set from the Default character set list, the system incorrectly logs on the user or if available, the system does not present the Translate UI option to the user. To work around this issue, see Logging on to the FirePass controller using Mac OS 10.x in the Workarounds for known issue section of this release note.

F5 FirePass controller client and Japanese FirePass controllers (CR64671)
With Japanese FirePass controllers, on the F5 Firepass controller client, the user name and password prompt are not localized.

Displaying the system load (CR64703)
After you upgrade to release 6.0 , the FirePass controller might not display the system load correctly on the Device Management : Monitoring : System Load screen. To resolve this issue, scroll to the bottom of this screen and click the Click here to zeroinit the load monitor database link.

 

[ Top ]

Workarounds for known issues

The following section describes a workarounds for the corresponding known issue listed in the previous section.

How to use the Chat feature for the Sametime Application (CR53332)

This workaround describes how use the Chat feature for the Sametime application (when it is installed on your iNotes server)

  1. In Administrative Console, in the navigation pane, click Portal Access, expand Web Applications and click Content Processing, and click the Global Settings tab.

  2. Below the Java Byte Code Rewriting area, click on Show Java tuning link.
    The Java Applet Tunning options appear below the Java Byte Code Rewritting area.
    Note: Do not click the Update button. You might need to click the Show Java tunning link twice.

  3. In Archive, type an * (asterisk)

  4. In Class, type an * (asterisk)

  5. In Method, type getCommand(0)

  6. Click the Add button.

Importing user accounts from a file (CR57827)
This workaround describes how to set the Mobile Email experience to Beginner so that you can successfully import users at the Users : Users Management screen.

  1. On the Administrative Console, in the navigation pane, click Users, expand Groups, click Master Groups.

  2. In the Group Name column select a master group.

  3. Click the User Experience tab.

  4. Go to the area titled Select and order FirePass Webtop Webifyers.

  5. Scroll down to Mobile E-mail and select Beginner

  6. Click the Update button.

IBM Lotus® Domino® Web Access server (iNotes) and Sametime (CR59639)
This workaround describes how to enable a cookie pass-through on the FirePass controller with Lotus® Domino® Web Access server and Sametime

  1. On the Administrative Console, in the navigation pane, click Portal Access, click Web Applications, click Content Processing, and click the Global Settings tab.  

  2. Check the box for Do not block cookies at FirePass.

  3. In the Do not block cookies at FirePass box; type one of the following:

    • An ( * ) asterisk.  The * passes all cookies through the FirePass controller for all configured web applications.

    • The host name of your DWA server; for example, *://dwa-server-hostname*,  to the list of URLs so that cookies are passed through the FirePass controller from the specified DWA server.

  4. Click the Update button.

  5. Click the services restart link to restart FirePass controller services.

Logging on to the FirePass controller using Mac OS 10.x (CR63667)
This workaround describes how to log on to the FirePass controller on a client that is using Mac OS 10.x.

  1. On the logon screen, select a default character set from the Default character set list.

  2. In Username, type your user name.

  3. In Password, type your password.

  4. If it is available, check the Translate UI option.

  5. Click the Logon button.

Creating a rule for the Windows File checker (CR63468)
This workaround describes how to set the last modification date for the Windows File checker in a pre-logon sequence rule.

  1. On the Windows File checker Endpoint Security Details screen, clear the Last modified field (s).

  2. Position the cursor on the Success rule associated with the Windows File checker action and define a rule for the action by clicking the connector line.
    The Update Rule panel opens.

  3. Type the session variable session.file_check.last_check.item_0.modified into the rule and specify a date for the last modified time to check for; for example, to specify a range to check for type (session.file_check.last_check.item_0.modified > "2005.04.20 16:57:00") AND (session.file_check.last_check.item_0.modified < "2005.04.20 16:58:00")

SharePoint and editing a document(60031)
This workaround describes how to edit a document on SharePoint through the FirePass controller reverse proxy.

  1. On your PC, close all your web browsers and Microsoft® Office applications.

  2. Navigate to the Start : My Network Places screen to view your list of existing web folders.

  3. Delete any Web folders that correspond to the resource you want to access.
    Note: The icon for web folders is a folder with a globe inside it.

  4. If this procedure does not work, clear your browsers cache and reboot your PC.

 

[ Top ]


Was this resource helpful in solving your issue?




NOTE: Please do not provide personal information.



Incorrect answer. Please try again: Please enter the words to the right: Please enter the numbers you hear:

Additional Comments (optional)