Applies To:

Show Versions Show Versions

Release Note: FirePass Controller version 6.0.1
Release Note

Software Release Date: 03/04/2007
Updated Date: 08/30/2013

Summary:

This release note documents the version 6.0.1 release of the FirePass controller. It applies to both the English edition and the localized editions. To review the features introduced in this release, see New features and fixes in this release. You can apply the software upgrade to 5.5 and later. For information about installing the software, please refer to Installing the software.

Note: For the FirePass 1000, 1200, 4000, 4100, and 4300 platforms, version 6.0.1 replaces version 6.0 and includes all features and fixes from previous versions.

Note: F5 now offers both feature releases and maintenance releases. For more information on release policies, please see New Versioning Schema for F5 Software Releases on AskF5.

Contents:

- User documentation for this release
- Minimum system requirements and supported browsers
- Supported platforms
- Supported antivirus and firewalls
     - Pre-installation
- Installing the software
- Known issues
     - Known issues for Windows Vista
     - Known issues for administration
     - Known issues for authentication
     - Known issues for Application Access
     - Know issues for Network Access
     - Known issues for Portal Access
     - Known issues for pre-logon and post logon inspection
     - Known issues for Non-Windows clients
     - Other known issues
- Workarounds for known issues


User documentation for this release

In addition to these release notes, the following user documentation is relevant to this release.

You can find the product documentation and the solutions database on the AskF5sm Technical Support web site, http://login.f5.com.

[ Top ]


Minimum system requirements and supported browsers

The minimum system requirements for this release are specific to your operating system.

Microsoft Windows

  • Windows® 2000 Professional 
  • Windows® XP Professional and Home Edition (see the note about the Microsoft update needed for Windows XP Service Pack 2)
  • Windows® Mobile 2003 (Microsoft® Pocket PC 2003 and Microsoft® Pocket PC Phone Edition 2003) and Windows® Mobile 5 (Microsoft® Pocket PC 2005 and Microsoft® Pocket PC Phone Edition 2005)
  • Windows® 2003 server
  • Windows Vista
    Note: Windows Vista™ clients do not support drive mapping, protected workspace, and the Network Access integrated Firewall. For information about unsupported features and Windows Vista™ known issues, see the Known issues for Windows Vista™ section.

Important: If you are running Windows XP Service Pack 2, you must install a hotfix (Windows XPSP2 Update KB884020) in order to resolve an issue (CR39338) that prevents Network Access and Application tunnels from working. You can find the update at Update for Windows XP Service Pack 2 (KB884020). For the latest information from F5 Networks, see SOL3289: FirePass compatibility with Windows XP Service Pack 2 clients on AskF5sm.

Macintosh

  • Apple® Mac OS® X 10.2.x
  • Apple® Mac OS® X 10.3.x
  • Apple® Mac OS® X 10.4.x (for Power PC platform only)
    For the information about support for Intel-based Macintoshes, see (CR59504)

Note: FirePass 6.0.1 supports the Safari® browser for automatically installing the network access client. You must manually install the Macintosh network access client when you use a different browser.

Linux

The following supported Linux platforms require workstations with libc version 2 and late, Kernel support for PPP interfaces (loadable module or statically built in) and PPPD program in the /sbin director:

  • Debian® 3.1r0
  • Fedora Core 6
  • Redhat® 9.0
  • SuSE® 10.x Professional
  • TurboLinux® Desktop 10

Palm

  • PalmOS® 5.4, using Palm Blazer 4.3 (MiniBrowser Mode)

Supported browsers

The supported browsers for remote access provided through the FirePass controller are:

  • Firefox® 1.5.x, 2.0
  • Microsoft® Internet Explorer®, version4.0.1, 5.5, 6.0, or 7.
  • Mozilla® version 1.7.x
  • NTT DoCoMo i-mode browser
  • OpenWave® WAP browser
  • Mozilla® version 1.7.x on Apple® Mac OS® X 10.2.x systems
  • Safari® version 1.x on Apple® Mac OS® X 10.3.x systems
  • Safari® version 2.0 on Apple® Mac OS® X 10.4.x systems (Power PC platform only)

Browser type compatibility matrix

The following table lists favorites and supported browser types. The plus sign (+) indicates that the browser type is supported by the FirePass controller.

Favorite      Full Browser Mode       Mini-browser (i-mode)   Pocket PC Mode           WAP Mode
App Tunnels
+
 
 
 
Dynamic App Tunnels
(Windows® 2000, XP, and Vista only)
 +
 
 
 
Mobile-Email
 +
  +
  +
 +
Network Access
  +
 
  + *
 
Terminal Services
  +
 
 
 
Web Applications
  +
  +
 
 
Windows Files
  +
  +
  +
  +

* Network Access works only on Microsoft® Pocket PC 2003.

[ Top ]

Supported platforms

This release supports the following platforms:

  • FirePass 1000
  • FirePass 1200
  • FirePass 4000
  • FirePass 4100
  • FirePass 4300

[ Top ]


Supported antivirus and firewalls

This release supports a variety of antivirus and firewall software. To use antivirus and firewall software inspectors with a pre-logon sequence check, you might need to reactive your license. To view supported antivirus and firewall software, click one of the following links. Each link references a separate document, unique to the particular operating system.

[ Top ]

Pre-installation

We strongly recommend that you read the following known issues before you install the 6.0.1 upgrade. The known issues might impact your functionality once you upgrade the FirePass controller.

Windows Vista

  • Protected workspace (CR69798)

  • Integrated IP filtering engine and Windows Vista (CR73174)

  • Windows Vista and detecting firewall with OPSWAT SDK 2.3.2 (CR73322)

  • App Tunnels, Firefox 2.0, and Windows Vista clients (CR73943)

  • Static App Tunnels, Windows Vista, and file sharing (CR73903)

  • Network Access and Windows Vista clients (CR73982)

  • Cache cleanup and Windows Vista clients (CR74101)

  • Windows Vista logon integration (CR74375)

  • Network Access, Windows Vista, and removing Network Access components (CR75184)

  • Network Access, drive mapping, and Windows Vista (CR75721)

For information about Windows Vista™ known issues, see the Known issues for Windows Vista™ section.

App Tunnels

  • App Tunnels drive mapping with invalid or missing SSL server certificate (CR36803)

  • Dynamic App Tunnels, Firefox, and updating FirePass client components (CR75312)

For information about App Tunnel known issues, see the Known issues for App Tunnels section.

[ Top ]


Installing the software

Warning: Prior to upgrading any FirePass controller, it is important to finalize all your network configuration settings. To do this, on the navigation pane, click Device Management, expand Configuration, and click Network Configuration. Click the Finalize tab at the upper right to finalize your network configuration changes. If the Finalize tab does not appear on the Network Configuration screen, your configuration has been finalized.

Warning: We have moved group-based policy routing from resource groups to master groups at the Users : Groups : Master Groups screen. If you are upgrading to version 6.0.1 from a release earlier than version 5.5, you must manually create new associations between your master groups and any routing tables that were associated with resource groups. Routing tables are no longer associated with resource groups. Before you upgrade, we recommend that you record these routing tables. For more information, refer to SOL5502: Overview of routing table configuration and conversion in FirePass version 5.5 on AskF5sm.

Warning: The version 6.0.1 software uses a new heartbeat module, which is only compatible with releases 5.5 and later. If upgrading from a release earlier than 5.5, refer to SOL4467: Best practice: Upgrading a redundant pair of FirePass controllers to prevent potential IP address conflicts due to an incompatible heartbeat modules.

Warning: If you upgraded from any release older than 5.4 to release 6.0.1 and you enabled the virtual keyboard before you upgraded, you can no longer disable the virtual keyboard. We recommend that you disable the virtual keyboard before you upgrade.

Important: Back up the FirePass controller current configuration before upgrading the controller. If you have a newer FirePass controller, use the Snapshot feature to back up the entire controller configuration. For more information, refer to SOL3244: Backing up and restoring FirePass system software on AskF5sm. To back up older FirePass controllers, click Device Management on the navigation pane, expand Maintenance, and click Backup/Restore. Click the Create backup of your current configuration link to back up the FirePass controller configuration. See the online help for details.

Note: If you are running any version previous to FirePass version 5.0, you must first upgrade to version 5.0 before upgrading to 6.0.1. For instructions for upgrading to version 5.0, see SOL4272: Upgrading a version 4.x FirePass controller to version 5.0 on AskF5sm.

Note: Once you upgrade the FirePass controller to version 6.0.1, you cannot downgrade to any previous version. For more information, see SOL2847: Downgrading to a previous FirePass software version on AskF5sm.

Upgrading from version 5.5 or later

The following instructions explain how to install FirePass 6.0.1 onto existing systems running version 5.5 or later.

Important: You must have an active service contract to upgrade to release 6.0.1. If you have a current service contract, re-activate your license and then resume installation. If your service expiration date is prior to the date you are doing the upgrade, you need to reactive your license. The service expiration date is located on the Device Management : Maintenance: Activate License screen.

Important: With release 6.0 and later, we have removed the Desktop Adapter, UNIX Adapter, and VASCO DigiPass authentication features. When you upgrade to release 6.0 or later, these features will not be supported or available. Before upgrading to the 6.0.1 release, please review the FirePass controller configuration and remove any configuration setting and Favorites associated with these features. To continue using any of these three features you must use the 5.5.x release. For more information about the end of life policy for these features please refer to SOL5492.

To upgrade to version 6.0.1
  1. Create a snapshot of the current FirePass controller.  For details about how to do this, refer to SOL3244 at SOL3244: Backing up and restoring FirePass system software.

  2. On the Administrative Console, in the navigation pane, click Device Management, expand Maintenance, and click Backup/Restore.

  3. Create a backup of your current configuration.
    For details about how to do this, refer to the online help on this screen.

  4. In the navigation pane, click Device Management, expand Security, and click Timeouts.
    The Timeouts screen opens.

  5. Temporarily change the option Global inactivity timeout to a large value, such as 8 hours, so that the upgrade process does not time out while downloading the image.

  6. Disable all pop-up blockers in your web browser so that any generated error messages during the upgrade process (local upgrade or on-line upgrade) are displayed.

  7. In the navigation pane, click Device Management, expand Maintenance, and click User Session Lockout.
    The User Session Lockout screen opens.

  8. Configure the following user session lockout options.

    1. In the User Session Lockout area, check the Lockout new user sessions option to prevent any new FirePass controller users from logging on.

    2. In the Kill Current Sessions area, click the Kill all sessions (except this one) link to log out all current FirePass controller users.

  9. In the navigation pane, click Device Management, expand Maintenance., click Activate License.
    The Active License screen opens.

  10. Active the license using the Automatic registration method.

    1. Select the Automatic registration method.
      For information on how to use the Manual registration method, see the online help on this screen.

    2. Scroll to the bottom of the screen and click the Request License button to reactivate your license.
      The system displays the new license.

    3. Scroll to the Service check date field in the returned license file and make sure that the date is after 5/01/06.
      Note: If this date is after 5/1/06, the system allows you to upgrade to the 6.0.1 release; otherwise the upgrade fails and the system displays an error message after the image is downloaded. If you need a new service contract, contact F5 Sales.

    4. Click the Continue button to install and activate the new license.
      The system displays the following message: License successfully activated.

    5. Click the Continue button.

  11. In the navigation pane, click Device Management, expand Maintenance, and click Online Update.
    The screen displays a list of available FirePass controller software releases.

  12. Select the link for Release 6.0.1 to upgrade the FirePass controller.

Upgrading from version 5.5 or later using the local update feature

The following instructions explain how to download and install FirePass 6.0.1 onto existing systems running version 5.5 or later using the off-line local upgrade mechanism.

To upgrade to version 6.0.1, you can use the F5 Electronic Software Distribution site to download the new software image at http://downloads.f5.com/. You can then follow the installation instructions below to install the new image.

To download the upgrade

To download the software upgrade, you must first create an account at http://downloads.f5.com/. This site uses an F5 single sign-on account for technical support and downloads. After you create an account, you can log on and download the FirePass 6.0.1 release installation image.

  1. Using a web browser connected to the internet, go to http://downloads.f5.com/.
    The F5 Sign-on screen opens.

  2. In the User Email box, type the email address associated with your F5 technical support account.

  3. In the Password box, type the password.

  4. Click the Login button.
    The Overview screen opens and provides notes about using the Downloads site.

  5. Click the Find a Download button.
    The Product Lines screen opens listing all F5 product families.

  6. Locate the FirePass product family and click the adjacent FirePass link.
    The Product Version screen opens, listing the available download containers for the current product version.

  7. Click the release link for version 6.0.1.
    The End User License Agreement screen opens.

  8. Read the license agreement, and click I Accept to agree to the terms of the license.
    The Select a Download screen opens.

  9. Click the FP-6.0.1-xxxxxxxx-tar.gz.enc link to begin downloading the upgrade image to your local system.
    The Select Download Method screen opens.

  10. Click an option indicating the method you want to use to download the file.

To install the upgrade
  1. Log into the Administrative Console.

  2. On the navigation pane, expand Maintenance and click Local Update.
    The Software Images screen opens.

  3. Type F5Networks for the Password box.

  4. For the File setting, click Browse.
    A dialog box opens.

  5. Using the dialog box, browse to the location where you downloaded the FP-6.0.1-xxxxxxxx-tar.gz.enc file in step 9 of the previous procedure.

  6. Using the dialog box, click the FP-6.0.1-xxxxxxxx-tar.gz.enc file name to select it, then click the Open button.
    The dialog box closes, and a path name appears in the File Name box.

  7. Click the Submit button.
    The upgrade may take some time to complete. When finished, the FirePass controller will automatically reboot.

[ Top ]


New features and fixes in this release

The FirePass 6.0.1 release contains the following new features and fixes since release 6.0.

New features

  • Windows Vista client support The FirePass controller now supports Microsoft® Windows Vista operating system clients to increase organization productivity by enabling remote users to access applications from a wide-variety of client devices, including Windows Vista, Windows® XP, Windows® 2000, Mac OS® X, Linux and PocketPC.
    Note: Windows Vista™ clients do not support drive mapping, protected workspace, and the Network Access integrated Firewall. For information about unsupported features and Windows Vista™ known issues, see the Known issues for Windows Vista™ section.

  • New FirePass 4300 high performance hardware platform Designed for medium to large enterprise SSL VPN deployments, the 4300 platform offers the best price-performance, scalability, and high availability for large enterprise SSL VPN deployments. It supports up to 2,000 concurrent users on a single device and ships with built-in redundant power supplies for high availability. Multiple 4300 platforms can be clustered and load balanced using BIG-IP® Local Traffic Manager to scale for larger deployments.
  • Global high-availability and business continuity with BIG-IP Global Traffic Manager integration
    With the unique BIG-IP® Global Traffic Manager integration with the FirePass controller, BIG-IP® Global Traffic Manager can dynamically query the FirePass controller and redirect users to the optimal FirePass controller. Optimal controller choice is geographically based on the remaining number of concurrent user sessions or the CPU load of the FirePass controller device. In addition, you can use the combined FirePass controller and BIG-IP® Global Traffic Manager solution to ensure business continuity in case of site failures or emergencies.
  • Windows Component Installer Service
    In this release, the Windows installer component is packaged as Windows Component Installer Package Microsoft® Installer Package (MSI) from the FirePass controller Administrative Console , and can be used for automated service deployment in incorporated environments.
  • Session variables
    We have enhanced session variables so that you can now use them in various types of access policies to control access to resources as part of network access policies. These Access policies include:

    • Network access polices, which include IP address assignments

    • Application Access favorites, which include App Tunnels, Terminal Services, Legacy Hosts

    • Portal Access favorites, which include web applications and windows files

  • Split tunneling
    We have enhanced split tunneling so that you can now restrict local subnet access to specific DHCP servers or specific local subnets.
  • Clientless terminal services access
    We have enhanced clientless terminal services access to support Citrix® seamless windows feature.
  • Pre-Logon client integrity check
    We have enhanced the pre-logon client integrity check to restrict access based on a Windows® machine certificate prior to user logon.
  • Logging enhancements
    This version of the FirePass controller provides the following enhancements to the Logging feature:

  • Ability to disable database logging

  • Ability to disable local system logging

  • Ability to set the logging level for the FirePass controller components
    Note: The FirePass controller now supports log level settings. By default, log level is set to Emergency, which reduces the amount of log entries you will see when you upgrade from a previous release. To view all logs, manually set all log levels to Information.

  • Ability to set the HTTP error and SSL Engine logging level options

  • Ability to disable HTTP access logs

  • Domain password authentication
    Domain password authentication can now perform verification of additional domain passwords against an Active Directory® server.
  • Autolaunch Web Application Tunnels with updated network access webtop
    We have updated the Network Access Webtop, which can now automatically start Web Application Tunnels favorites, in addition to automatically starting to network access and application tunnels that are available in previous versions.
  • Monitor multiple external IP addresses for detecting failures
    The FirePass controller can now monitor multiple IP addresses for external monitoring, and ensure that all the IP addresses are available and respond to ping queries. Otherwise, the FirePass controller declares the external link a failure and changes its state.

Seamless Citrix now available (CR28699, CR71769)
You can now have Citrix® favorites start and run in an application window instead of a browser window. Navigate to the Application Access : Terminal Services : Resources screen and check the box Seamless window (Citrix only). You can also automatically minimize the Citrix® terminal services client and place it into the system tray when the user logs in. Navigate to the Application Access : App Tunnels: Master Group Settings screen and check the following boxes:

  • Present the user with a message box after successfully creating Static Tunnel
  • Do not show remote server address in App Tunnel window

Prohibit end users from viewing the URLs of web applications (CR33757)
You can now prohibit end users from viewing the URLs of web applications that were defined by the administrator. Navigate to the Portal Access : Web Applications: Master Group Settings screen. Scroll to the URL area and check the box Hide URLs of administrator-defined favorites.

Microsoft OWA and IBM DWA log on page (CR45630)
When a user logs off from Outlook® Web Access (OWA) or Domino® Web Access (DWA), you can now return him to the original OWA or DWA logon page instead of to FirePass controller page. Navigate to the Portal Access : Web Applications : Master Group Settings screen. Scroll to the NTLM and Basic Auth Proxy area and clear the check box Override Microsoft OWA and IBM DWA logout. The default is checked (disabled).

Note: To view this option, navigate to the location listed above, and clear the box Proxy Basic and NTLM auth using FirePass user logon form.

Terminal services and autolaunch based on endpoint inspection (CR47220, CR62570, CR65493)
You can now configure terminal server connections to automatically start after the user logs on to the FirePass controller. Navigate to the Application Access : Terminal Services : Resources screen and check the box Autolaunch based on endpoint inspection. You can also configure an alternate webtop. Navigate to the Application Access: App Tunnels : Resources screen, select the Web Application Tunnels tab, and then check the box Alternate Webtop .

Restoring a backup and hotfixes (CR54027)
The FirePass controller no longer requires that you have installed certain hotfixes to restore a backup file

Windows machine certificate and endpoint security (CR54072)
You can now use the Windows® machine certificate checker to check for the presence of a valid machine certificate on Windows® client systems during a pre-logon sequence inspection. Navigate to the Users : Endpoint Security : Pre-logon Sequence screen.

Secondary authentication method (CR61434)
You can now configure a secondary authentication method, Active Directory, to verify the identity of user:

  1. Check the box Use extra domain password for single sign on (in the Additional Domain Password area on the Users : Global Settings screen).
  2. Select the master group authentication method (using the Authentication tab on the Users : Groups : Master Groups screen).

For information about how to configure this feature, navigate to the Users : Groups : Master Groups screen, select a master group and then select the Authentication tab.

Purge logs and maximum log file size (CR61801)
The FirePass controller now forces a log purge when any log file size exceeds the maximum limit (approximately 1.8G).

Session variables (CR62964, CR63447, CR64947, CR65587, CR65588, CR65589)
You can now specify session variables in most text fields throughout the Administrative Console. Support for session variables is indicated on the Administrative Console user interface with a % icon next to particular fields.

You can also assign an IP address to the user, using a session variable. Navigate to the Network Access : Resources screen, select the Client Settings tab, and then scroll to the Configure IP Address Assignment area. Check the box Assign IP addressing using session variables. In the session variable text box, type the session variable that you want to use. The IP address is retrieved from the specified session variable at the time of authentication.

We have also added the following new session variables (in additional variables available through pre-logon checks and those available through Active Directory® or LDAP authentication or group mapping)  These session variables are only available after the user logs on to the FirePass controller. You cannot use these session variables with dynamic group mapping or pre-logon sequences.

Variable
Type
Description
session.user.username string Users logon name
session.user.firstname string Users first name
session.user.lastname string

Users last name

session.user.fullname string Users full name
session.group.name string Users master group name

Acct-Session-Id attribute in RADIUS packets (CR62997)
We have added the following RADIUS enhancements:

  • RADIUS authentication request packets (Access-Request) now include the Acct-Session-Id attribute, which contains the MD5 value of the FirePass controller session ID.
  • RADIUS accounting request packets (Accounting-Request) now include the MD5 value of the FirePass controller session ID (to match the authentication request packets) instead of the FirePass controller session ID.

Network Access and split tunnels (CR63951, CR65126)
We have removed the option Force all traffic except local subnet traffic from the Client Settings tab on the Network Access : Resource screen, and added both these options on the same screen.

  • Allow local subnet access
  • Exclude local subnets

Important: The online help incorrectly documents the option Allow local subnet access. Here is the correct description.
The option Allow local subnet access permits local subnet access and local access to any host or subnet in routes that you have specified in the client routing table. When you use this option, the FirePass controller does not support integrated IP filtering.

FirePass client and Windows Vista support (CR65880)
The FirePass controller client now supports the Windows Vista operating system. For information about issues for Windows Vista , see the Known issues for Windows Vista™ section.

Cache cleaner idle timeout (CR66224)
On Windows® 2000, Windows® XP, and Windows Vista client systems, you can now have the system terminate users FirePass controller sessions when they do not input data from their key board or mouse within a specified period of time. Navigate to the Users : Endpoint Security : Post-logon Actions screen and check the box Terminate users session when they are inactive.

Chinese language and displaying the users first name and last name (CR66458)
For Chinese language, we have added a new setting to display the user last name and first name: LastnameFirstname. To view this option, navigate to the Device Management : Customization screen, scroll to the Advance Customization area, and select this setting from the Default order for full user name setting list.

FirePass controller client, legacy prompt, and web logon (CR66768)
With the FirePass controller client command-line interface, you can now specify that the FirePass controller client must use the legacy logon prompt instead of the web logon prompt. You do this using the option /legacy-prompt.

App Tunnels, and Web App Tunnels, and alternate webtop (CR66819, CR66823)
We have renamed the option Network Access only to Use Alternate Webtop in the Additional Settings area at the Client Setting tab on the Network Access Resource screen. The Network Access alternate webtop now fills the web browser. You can now also configure an alternate webtop using either of in the following screens:

  • Application Access : App Tunnels : Resources: Application Tunnels.
  • Application Access : App Tunnels : Resources: Web Application Tunnels

Passwordless logon for i-mode devices (CR67030)
With i-mode devices, the FirePass controller now supports client certificate passwordless authentication (on the Device Management : Security : Certificates screen).

Component Windows Installer Service package (CR67251, CR65422)
With the FirePass controller client, you can now download the Component Windows Installer Service package by itself. Navigate to the Device Management : Client Downloads : Windows (x86) screen and select the Downloads tab. Scroll to the Component Installer Service Package Only area and click the Download Installation Service MSI link.

Certificate support for multiple organizational units (CR67881)
You can now check for multiple Organizational Units (OU) for users with client certificates when you use dynamic group mapping on the Users : Groups : Dynamic Group Mapping screen.

FirePass client and FirePass controller list (CR68043)
The FirePass controller client now maintains a list of FirePass controllers that you can access when you clear (disable) the box Maintain History on the client. To view this option, navigate Settings: Session Settings screen.

Load monitoring using an external device (CR68856)
You can use an external device to monitor the load status of FirePass controllers. To view the FirePass controller load status statistics, type the following URL in your browser: https://firepassnameorip/load_status.php. The external device polls the FirePass controller for the following statistics:

  • Session Usage : The number of licensed concurrent users (licensed seats) in use divided by the total number of licensed concurrent users.

  • Session Usage Percentage : The percentage of total licensed concurrent users in use.

  • 1 -Min Load Average : The Linux one-minute load average.

To configure this feature, navigate to the Device Management : Monitoring : Load Status Access Security screen.

Web logon option (CR68858)
With the FirePass controller client is in web logon mode, you can now use the command-line interface to pass the user's name and password to the client.

FirePass controller client and maintaining history (CR68880)
To allow the user to log on faster, the FirePass controller client now sorts the user's list of FirePass controllers by the most recently accessed, regardless of the whether the Maintain History box is checked (enabled) or cleared (disabled). With a cluster, individual members of the cluster are not added to the FirePass controller client. Only the initial access point is added to the client history list. This is useful when you do not want users to connect directly to individual members of a cluster. To find the Maintain history option, navigate to the Device Management: Client Downloads : Windows (X86): screen and select the Customize Client Components tab.

F5 End User Diagnostics (CR69072, CR71843)
You can now diagnose hardware issues with the FirePass End-User Diagnostics (EUD) feature on 1200, 4100, and 4300 platforms. To use EUD, you might need to install a hotfix. For more information, refer to the following solutions:

Network Access and DHCP renewal (CR69243)
With Network Access, you can allow clients access to the local DHCP server when you enable the following options:

  • Force all traffic through tunnel (by selecting the Client Settings tab on the Network Access : Resources screen).
  • Enable integrated IP filtering engine and Allow access to local DHCP server (by selecting the Policy Checks tab on the Network Access : Resources screen).

Note: Enabling this option is a three-step process:

  1. You must first clear the check box Allow local subnet access.
  2. Then you are able to check the box Enable Integrated IP filter engine.
  3. Only then can you check the box Allow access to local DHCP server.

Automatic MIME type recognition (CR69697)
You can now set the FirePass controller reverse proxy engine to automatically detect correct content type, regardless of content-type sent by the web server. Navigate to the Portal Access : Web Applications : Content Processing screen and select the Global Settings tab. Then scroll to the Web Applications Global Settings area and check the box Automatic MIME type recognition.

Failover and monitoring multiple external IP addresses (CR69731)
With a redundant system, you can now use the option External IP Address for monitoring to monitor the connectivity of up to ten external IP addresses instead of a single external IP address. Navigate to the Device Management : Configuration : Network Configuration screen and select the Failover tab.

Microsoft SharePoint
now available (CR69903)
You can enable Microsoft® SharePoint® specific processing when you are using the FirePass controller to access a SharePoint® server. Navigate to the Portal Access : Web Applications : Content Process screen, select the Global Settings tab. Go to the Feature Web Applications area and check the box Support Microsoft SharePoint.

LDAP queries using distinguished name from client certificate (CR70040)
With the option Get user DN using template , you can use the variable %certdn% to query LDAP. For example, you can search LDAP using the distinguished name obtained from the client certificate in the Query LDAP user object area on the Users: Groups Dynamic Group Mapping: Group Mapping Method screen. This variable contains the distinguished name (DN) extracted from the client certificate.

SUN package java.nio (CR71571)
The reverse proxy now supports the SUN package java.nio.

Logging options added (CR71737)
On the Device Management: Maintenance: Logs screen, we have added the following logging options.

  • Disable Database Logging
  • Disable Local System Logging
  • HTTP Access Log
  • HTTP Error Log
  • Options to set log level for individual FirePass controller components

Content processing scripts (CR72027)
You can now control the processing of the <FP_DO_NOT_TOUCH> and </FP_DO_NOT_TOUCH> tags. Navigate to the Portal Access : Web Applications : Content Process screen and select the Global Settings tab. Scroll to the Web Applications Global Settings area and check the box Process content of the FP_DO_NOT_TOUCH element. When you upgrade to release 6.0.1, this feature is disabled by default.

Windows machine certificate checker and FirePass controller client component package (CR74370)
You can now include the Windows machine certificate checker in the FirePass controller client component package. To do so, navigate to Device Management: Client Downloads: Windows (x86) screen.

64-bit version of Windows Vista and Internet Explorer (CR74436)
You can now detect 64-bit versions of Windows Vista and Internet Explorer during a pre-logon sequence check using the session variable. %session.browser.platform_ex%. To use this variable, navigate to the Users : Endpoint Security : Pre-logon Sequence screen.

OPSWAT SDK 2.3.2 (CR73977)
The FirePass controller now supports OPSWAT® SDK 2.3.2.

Alternate Webtop and automatically resizing browser window (CR74735)
With Network Access, when you start an Alternate Webtop and then open another window, the FirePass controller adjusts the window size to the size of the Network Access popup window.

Clam AV, version 0.90 support (CR75585)
The FirePass controller now supports Clam® AV, version 0.90.

Fixes in this release

This release includes the following fixes.

SSL error messages (CR31929)
In the earlier releases, the FirePass controller incorrectly displayed the SSL error message Cannot open SSLSessionCache DBM file in the system logs due to a race condition. We have fixed the race condition and the FirePass controller no longer displays error messages in the system logs.

Online help and importing users (CR47069)
Previously, the online help did not indicate that the FirePass controller does not apply the option Enforce strong password for authentication against internal database when you import a list of user accounts on the Device Management : Security : User Password screen. The online help now correctly documents this feature.

SharePoint, Excel, and Portal Access (CR50925)
Previously, with SharePoint®, you could not export an Excel® spreadsheet through Portal Access. Under these circumstances, you can now export an Excel® spreadsheet.

SharePoint and Microsoft Word (CR54275)
In prior releases, when you used SharePoint® and tried to save a document with a different file name using the Save As option, the FirePass controller displayed a JavaScript error: File can not be saved, but you could still save the document by clicking the Yes, No, or OK button. The FirePass controller no longer displays this error and now correctly allows you to save this document by clicking Yes.

TN3270 (CR54581)
In earlier releases, the TN3270 emulator did not correctly display some legacy applications. The TN3270 emulator now correctly displays these applications.

WebDav and customized logon page (CR54744)
Previously, when the user failed to log on to the system through the logon form on the WebDAV customized index.html page, the FirePass controller incorrectly redirected the user to the regular logon page. Under these circumstances, the FirePass controller now correctly directs the user to the customized pages logon.denied.inc or logon.failed.inc, depending on the logon results.

FirePass client and installing client package (CR54851)
Previously, you could not install the FirePass controller components on the client if the client's PC had no branch titled: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce. Under these circumstances, you can now install the FirePass controller client package onto the client.

CRL Retrieval frequency option (CR56188)
Prior to release 6.0.1, the FirePass controller skipped the next automatic update if it was within 24 hours of the manual update under the following conditions:

  • You set the CRL Retrieval frequency option to Every day .
  • You performed a manual CRL update.

Under these circumstances, the option Every day now works correctly, and the FirePass controller no longer skips the next automatic update.

Mobile Email and certificate signed messages (CR57230)
In earlier releases, Mobile E-mail did not display the email message when it was digitally signed with a certificate. Under these conditions, Mobile E-mail now works correctly and displays the email message.  

IPsec and Deleting a connection (CR58980)
In prior releases, when you deleted an IPsec connection, the FirePass controller displayed erroneous data on the Device Management : Security : IPsec Configuration screen. Under the same conditions, the FirePass controller now deletes an IPsec connection correctly, and no longer displays erroneous data.

IPsec tunnels (CR59303)
In previous releases, IPsec tunnels configured on eth2.2, eth2.3, and eth 1.4 did not work. Under these circumstances, IPsec tunnels now work on these interfaces.

IP filter, host name, and maintenance console (CR59707)
Previously, you could not access the maintenance console under the following conditions:

  • You configured an IP filter with a host name.
  • The FirePass controller could not connect to DNS server.

Because the FirePass controller no longer allows you to specify a host name in an IP filter, this is issue is resolved.

SharePoint and editing a document (CR60031)
Previously with SharePoint ®, in rare cases you could not edit a document through the FirePass controllers' reverse proxy. Under these circumstances, you can now edit a document.

Pre-logon sequence check, Firefox, and protected workspace (CR60032)
Previously, with Firefox®, the pre-logon sequence check failed when the user entered a protected workspace. Under these conditions, the pre-logon now works correctly and no longer fails.

1200 platform and fan speed (CR60257)
Previously, on 1200 platforms the hardware sensor displayed the incorrect fan speed. The 1200 platform hardware sensor now works correctly and displays the correct fan speed.

Microsoft KB912945 patch interferes with ActiveX controls (CR61155)
Previously, when you installed the Microsoft® Internet Explorer® KB912945 patch onto the client, the patch prevented the client from interacting with ActiveX controls. The client's CPU usage also became unusually high. Clients can now interact with the ActiveX controls, and their CPU usage is now normal.

SSL termination and accessing landing URIs (CR61712)
In earlier releases, when SSL termination was offloaded to an upstream BIG-IP® Local Traffic Manager, users could not access landing URIs. SSL termination now works correctly, and users can now access landing URIs,

Timeout and allowing sessions without cookies (CR61774)
Previously, the timeout did not work under the following conditions:

  • You checked the Allow session without cookies box (in the Session Security area on the Device Management : Security : User Access Security screen).
  • The clients Internet Explorer® browser was set to block cookies and the pop-up blocker was enabled.

Timeout now works under these conditions.  

Client for Linux and Network Access (CR62326)
Prior to 6.0.1, in rare cases, the user could not manually download the FirePass controller Linux client from his Webtop from the Network Access screen using Internet Explorer®. Under these circumstances, the user can now download the FirePass controller client only according to the operating system he is using.

Windows File checker and modification date (CR63468)
In previous releases, with the pre-logon sequence check, the Windows File checker reported a different time than the one reported by Windows® Explorer. The Windows File checker now reports the same time as the one reported by Windows® Explorer.

Multi-language logon and Mac OS (CR63667)
Previously, on clients using Mac OS® 10.x, the FirePass controller incorrectly logged on the user, or it it is available, or did not present the Translate UI option to the user, if it's available, under the following conditions:

  1. The user entered his credentials at the logon page.
  2. The user selected a default character set from the Default character set list.

Under these circumstances, the system no longer logs on the user or presents the user the Translate UI option.

Windows dial up entry screen (CR63705)
Previously, when the Windows integration component was installed on the users client, and he entered his credentials on the Windows dial up entry screen and then clicked the properties, the system did not retain his changes. Under these circumstances, the system retains the users changes.

Pocket PC and opening web applications in a new window from the Webtop (CR63810)
In earlier releases, you could not access Web applications under the following conditions:

  • You configured a web application to open a new window.
  • You used a Pocket PC 2003 client to start the web application from the FirePass controller Webtop,

Under these circumstances, you can now access your web applications.

Protected Workspace ActiveX components on Windows 2003 with TEMP folder encrypted (CR63821)
Previously, the FirePass controller could not install the ActiveX components onto the Windows Server 2003® client when you configured a protected workspace and the temporary folder was encrypted. Under these same conditions, you can now install the ActiveX components onto the client.

SSL termination and BIG-IP Local Traffic Manager (CR64249)
In prior releases, when SSL termination was offloaded to an upstream BIG-IP® Local Traffic Manager, the content rewriting engine incorrectly rewrote HTTPS URLs to HTTP URLs, which prevented some applications, for example, Outlook® Web Access (OWA), or web sites from working. The content rewriting engine now works correctly, and no longer rewrites HTTPS URLs to HTTP URLs.

Mobile E-mail and external users (CR64420)
In earlier releases, for external users, the Administrative Console incorrectly permitted the administrator to change (enable or disable) the option Limit E-Mail Access to Corporate mail account only on the Portal Access : Mobile E-Mail screen. This option did not affect external users because they were always limited to the Corporate mail account. Under these circumstances, you can no longer use the Administrative Console no longer allows you to change the option Limit E-Mail Access to Corporate mail account only.

Virtual keyboard and disabling movement (CR64497)
Prior to release 6.0.1, disabling the virtual keyboard from moving failed when you took these steps:

  1. Check the Enforce password entry from virtual keyboard box in the Password Security area on the Portal Access : Web Applications : Master Group Settings.

  2. Set the option to Disable Virtual Keyboard movement across the screen to Yes (in the Endpoint Inspector Details after adding the virtual key inspector on the Users: Endpoint :Pre-logon Sequence screen). 

Disabling the virtual keyboard from moving now works.

%username% is substituted as DOMAIN\username instead of user name (CR64572)
In earlier releases, the FirePass controller incorrectly attempted to access the \\server\path\DOMAIN\username instead of \\server\path\%username% under the following conditions:

  • You logged on to the FirePass controller using the format DOMAIN\username.
  • You accessed a Windows Files favorite using \\server\path\%username%.

The FirePass controller now accesses the correct path: \\server\path\%username%.

Deleting Subarea in SharePoint (CR64583)
In prior releases, when the Windows® SharePoint® administrator tried to delete Subarea, the FirePass controller reverse proxy sent content which caused the users' browsers to incorrectly access the SharePoint® server directly. The FirePass controller reverse proxy no longer causes users browsers to access the SharePoint® server directly.

SharePoint, Portal Access, and editing a list in Datasheet view (CR64679)
In prior releases, with SharePoint® 2003 you could not add a new row to the list when you tried to edit a list in the Datasheet view through Portal Access.  In these circumstances, Internet Explorer® also displayed an error message.  With SharePoint® 2003 , you can now edit a list in the Datasheet view and the FirePass controller no longer displays an error message when you use Internet Explorer®.

Protected workspace and Symantec AV 9.0.1 (CR64759)
In earlier releases, the FirePass controller incorrectly prompted the user to reinstall his Symantec® antivirus software under the following conditions:

  • The user had Symantec® antivirus software, version 9.0.1 installed on his PC.

  • The user entered the protected workspace.

  • The user clicked any icon on the Windows desktop.

Under these conditions, the protected workspace now works correctly and the FirePass controller no longer prompts the user to reinstall his Symantec® antivirus software.

FirePass client and Reconnect button (CR64760)
Previously, the FirePass controller client incorrectly displayed an error message when the user changed his password during the session and then the clicked the Reconnect button. Under these circumstances, the FirePass controller client no longer displays an error message, and now correctly prompts the user to input a new password.

FirePass client and web logon (CR64818)
In prior releases, the FirePass controller client could not reconnect to the system in web logon mode. The FirePass controller client can now connect to the system in web logon mode.

Online help, static App Tunnels and access control list (CR64942)
Previously, the online help incorrectly documented how an access control list worked on App Tunnels. The online help now correctly documents this feature on Application Access : App Tunnels : Master Group Settings Screen.

FirePass client and command-line interface command /n (CR64954)
Prior to version 6.0.1, when you started a configured favorite with the FirePass controller client command line interface using the /n option, the favorite type was not optional; it needed to be included. For example, the command f5fpc.exe -start /h <ip_addr> /u <user> /p <password> /n <fav_name>:<fav_type> worked properly, but f5fpc.exe -start /h <ip_addr> /u <user> /p <password> /n <fav_name> failed. Under these circumstances, the favorite type is now optional.

Restoring user-defined session variable settings (CR64978)
Previously, when you restored your configuration from a backup file, the system did not restore the settings Display extra input field at logon for user defined session variable and User defined session variable prompt for user-defined session variable. Under the same circumstances, the system now restores these settings.

Windows Logon Integration and Standalone Client components removed by Cache Cleaner (CR65117)
Previously, when you selected the option Uninstall ActiveX components downloaded during FirePass session the FirePass controller might have removed controls required by the Windows Logon Integration and FirePass controller client. This option is located on the User Management : Endpoint Security : Post-Logon Actions screen. Under these circumstances, the FirePass controller no longer removes these controls.

Cache cleanup control and removing client components (CR65121)
Previously, the cache cleanup control incorrectly removed FirePass controller client components from the users system. The cache cleanup control now leaves the FirePass controller client alone.

LDAP synchronization using %logon% expression in query template (CR65190)
In earlier releases, the FirePass controller failed to synchronize its internal database of users with LDAP under the following conditions:

  • You configured the LDAP method for dynamic group mapping using the %logon% expression in the LDAP query template.
  • You enabled FirePass controller user database synchronization with LDAP.

Under these circumstances, the FirePass controller now synchronizes its internal database of users with LDAP.

Citrix terminal server and policy routing (CR65199)
In previous releases, the FirePass controller failed to connect to a Citrix® terminal server under the following conditions:

  • You configured a policy routing with a routing table that was separate from the main routing table.

  • The main routing table did not allow the user to access the terminal server.

Under these conditions, the FirePass controller now works correctly with the Citrix® terminal server and no longer fails.

Citrix and user experience (CR65258)
In earlier releases, with Terminal Services, when you set the user experience to Dont Use, Citrix® applications did not work. Under these conditions, Citrix® applications now work correctly.

Import files and reporting users that were not imported (CR65271)
Previously, when the system was importing user accounts from a file, the FirePass controller did not notify the administrator when the system did not successfully import the user accounts. The FirePass controller now displays an error message in the Administrative Console and sends an email to the administrator.

Portal Access and accessibility scope (CR65302)
In earlier releases, the Accessibility Scope settings (on the Portal Access : Web Applications : Master Group Settings screen) failed when they were greater than 1024 bytes. Under these circumstances, these settings now work correctly and no longer fail.

Static App Tunnels and local addresses starting with 127 (CR65352)
With release 6.0, on a static App Tunnel, you could only type a local IP address that began with 127. You can now type any valid local IP addresses on a static App Tunnel.

Windows share and displaying error messages (CR65375)
In earlier releases, the FirePass controller incorrectly displayed a blank page to the user, instead of a denied access message, under the following conditions:

  • You configured a Windows® share with list folder access and a Windows file favorite.

  • The user tried to download or open the file from the shared list folder using a browser.

  • You configured a favorite on the FirePass controller pointing to that share, and assigned a resource to master group.

Under these conditions, the FirePass controller now correctly displays a denied access message instead of a blank page. 

Battery voltage and system health (CR65407)
Previously, on 4000 platforms the FirePass controller reported battery voltage values incorrectly and displayed erroneous system warnings on the Device Management : Monitoring : System Health screen. The FirePass controller now reports the correct battery voltage values, and no longer displays erroneous system warnings.

4100 controller, ARP, and management interface (CR65426)
In earlier releases, on a FirePass 4100 controller you could not reconnect to the management interface after taking the following actions:

  1. Disable ARP on the management interface.
  2. Shut down the system (or remove the power supply).
  3. Restart the system.

On a FirePass 4100 controller, you can longer disable ARP on the management interface using the Administrative Console.

Citrix terminal favorite and defining multiple IP address (CR65545)
Previously, when you defined multiple IP addresses (or hosts) for a Citrix® terminal server favorite, the FirePass controller incorrectly attempted to connect to each IP address (or hosts) even though it had successfully connected to the Citrix® Metaframe® server. The FirePass controller also created duplicate icons for Citrix® portal applications. Under these conditions, the Citrix® terminal favorite now works correctly. The FirePass controller no longer attempts to connect to another Citrix® Metaframe® server after it successfully connects, and it no longer creates duplicate icons for Citrix® portal applications.

App Tunnels and Firefox (CR65632)
Prior to release 6.0.1, you could not create an App Tunnel using the Firefox® browser. You can now create an App Tunnel with the Firefox® browser.

App Tunnels and specifying a hyphen (-) character in host name (CR65669)
In release 6.0, static App Tunnels failed when you specified a hyphen ( - ) in a host name in the following areas:

  • In the Allow list box in the Access Control List area on the Application Access : App Tunnels: Master Group Settings: Common screen.

  • In the Allow list box in the Access Control List area Application Access : App Tunnel: Resources screen.

  • In the Allow list box in the Access Control List area Application Access : App Tunnels: Resources: Web Application screen.

Under these circumstances, App Tunnels now work successfully.

Terminal services and retaining color depth settings (CR65735)
In earlier releases, when an external user made changes to the color depth of his terminal, the FirePass controller incorrectly reverted to the Use favorite defined setting. Under these conditions, the color depth settings work correctly, and changes made by external users no longer revert to the Use favorite defined setting for the duration of the session.

Custom checks and protected configurations (CR65764)
In release 6.0, you could not log on to the FirePass controller when you used a pre-logon sequence check with two or more protected configurations that had custom checks. Under these circumstances, you can now log on to the FirePass controller.

App Tunnel favorite and upgrading from release 5.5 to 6.0 (CR65792)
In previous releases, when you upgraded from release 5.5 to release 6.0, App Tunnel favorites did not work and the Administrative Console might not have displayed the entire App Tunnel configuration. Under these circumstances, App Tunnel favorites now work correctly and you can now view the entire App Tunnel configuration in the Administrative Console.

Dynamic App Tunnels and %username% variable (CR65823)
In previous releases, you could not specify the %username% variable in a Dynamic App Tunnel. You can now specify the %username% variable in a Dynamic App Tunnel.

Memory usage and exiting a Legacy Host terminal (CR65825)
In prior releases, the FirePass controller memory usage might have become unusually high when a user exited a Legacy Host terminal session by closing the window instead of correctly using the exit command. Under these same conditions, the FirePass controller memory usage is now normal, and no longer becomes unusually high.

Portal Access and host names with underscore ( _ ) (CR65864)
In earlier releases, the user could not access the Web application favorite when you configured one that contained a underscore ( _ ) character in the host name . Under these circumstances, the user can now access the Web Application favorite.

Microsoft RDP ActiveX component (CR65871)
In earlier releases, when installing F5 FirePass controller client components through the Microsoft® Installer Package (MSI) package in quiet mode, you could not install the Microsoft ® Remote Desktop Protocol (RDP) ActiveX component. You can now install these components in quiet mode.

SNMP walk, PPP interfaces, CPU utilization unusually high (CR66059)
Previously, when you performed an SNMP MIB walk query on the interface tree, the SNMP agent in the FirePass controller included PPP interface details with the response. When the number of PPP interfaces reached the maximum supported limit, the SNMP MIB walk caused unusually high CPU utilization on the FirePass controller. The FirePass controller no longer includes PPP interface details for SNMP MIB walk queries on the interface tree and CPU utilization is normal.

SSL offloading and PHPA (CR66060)
When you enabled SSL offloading to BIG-IP® Local Traffic Manager, the FirePass controller disabled acceleration on web services, which degraded performance. Under these circumstances, acceleration on web services now remains enabled.

Network Access and IP address group filters (CR66061)
In previous releases, when you copied a resource group (on the Users: Groups: Resources Groups screen) that had a Network Access IP address group filters defined, the filters did not work on the new resource group. Under these circumstances, the filters now work on the new resource group.

1000 and 1200 platforms and alarms (CR66072)
In earlier releases, on 1000 and 1200 platforms, the FirePass controller did not send email alerts to the administrator even though the Device Management : Monitoring : System Health screen reported alarms. Under these conditions, the FirePass controller now works correctly, and sends email alerts to the administrator.

Routing entries that overlap (CR66099)
Previously, when you specified two routing entries that overlapped (one routing entry was more specific than the other), the FirePass controller incorrectly added only one routing entry. The FirePass controller now allows you to add two routing entries that overlap.

Norton antivirus software and pre-logon sequence check (CR66104)
In earlier releases, the antivirus scan during a pre-logon sequence took an unusually time to complete when you checked for any of the following antivirus software on the client:

  • Norton® System Works 2005
  • Norton® Antivirus 2005 and 2006
  • Norton® Internet Security Suite 2006

Under these circumstances, the antivirus scan now runs normally.

Macintosh and saving Windows file locally (CR66146)
In earlier releases, on Macintosh platforms, the FirePass controller incorrectly truncated the file under the following conditions:

  • You downloaded and saved a file locally from Windows Files.
  • You enabled compression (on the Portal Access : Web Application : Caching And Compression screen).

Under these conditions, the FirePass controller no longer truncates the file.

Administrator password and remote system log server (CR66152)
Previously, new administrator passwords were displayed in clear text in the system logs under the following conditions

  • You enabled the Remote Log Server and Enable Extended System Logs options (on the Device Management : Maintenance : Logs screen).

  • You changed your administrator password.

The system logs now work correctly, and the system logs now mask the changed administrator password.

IPsec configuration and specifying IP addresses (CR66218)
Previously, you could not specify an IPsec connection with a local or remote endpoint address containing 255 in the second or third octet. Under these circumstances, you can now specify 255 in the second and third octet in the local or remote endpoint addresses.

FirePass client and Internet Explorer (CR66274)
In previous releases, when you set Internet Explorer® to work offline, the FirePass controller client could not connect to the FirePass controller. Under these circumstances, the FirePass controller client now displays a dialog prompting user to connect or stay offline. If the user selects Connect, the client successfully connects to the FirePass controller. If user selects Stay offline the client fails.

Cannot access Webtop (CR66330)
Previously, when a user belonged to an administrator realm, left his standard Webtop, and then clicked the Back to Home link, one of the following results happened:

  • The user incorrectly accessed the i-mode version of his Webtop instead of his standard Webtop.

  • The user could no longer access his standard Webtop.

The user now correctly returns only to his standard Webtop.

TN5250 terminal emulator (CR66356)
In earlier releases, the FirePass controller incorrectly redrew the TN5250 terminal emulator screen under certain conditions:

  • You configured more than one TN5250 terminal emulator favorite (on the Application Access : Legacy Hosts; Resources screen).

  • You had more than one TN5250 session opened.

The FirePass controller now correctly redraws the TN5250 emulator screen under these conditions.

Redundant system and configuring two IP addresses (CR66500)
In previous releases on a redundant system, both units incorrectly became standby units under the following conditions:

  • You configured two IP addresses on different subnets with non-virtual IP addresses.

  • You configured the interface for a failover heartbeat.

Under these circumstances, failover now works correctly, and one unit becomes the active unit, and the other the standby unit. 

Cluster and RSA SecurID (CR66592)
The system did not authenticate the user under two conditions:

  • The user attempted to be authenticated using RSA® SecurID® on a cluster of FirePass controllers.
  • The user was forced into New PIN Mode by RSA SecurID®.

The user is now authenticated under these two conditions.

Online help, endpoint security, and Mac OSX and Linux support (CR66682)
Previously, the online help did not correctly document what the endpoint security feature supports for Mac OS® X and Linux® . The online help now correctly documents support for Mac OSX ® and Linux® on the Users : Endpoint Security : Inspectors : Inspectors and Actions Compatibility Matrix help page.

Backup configuration file and monitoring an external IP address (CR66683)
Previously, the FirePass controller could not restore the user settings on the External IP address monitoring option (available only in failover configuration) from a backup configuration file. The FirePass controller now restores the user preferences for the External IP address monitoring option.

User could change name and email when not allowed (CR66828)  
In earlier releases, the FirePass controller incorrectly allowed end users to change their name and e-mail information under certain conditions:

  • You disabled (cleared) the box Allow user to change user information (using User Experience tab on the Users : Groups : Master Groups).

  • You checked (enabled) the box Force password change on first logon (on the Users : User Management screen) ,

Now, under these circumstances, the system correctly prohibits users from changing their account information.

Network Access and traditional Chinese (CR66954)
On FirePass controllers using a Traditional Chinese language setting, Network Access failed to start on Windows® XP clients under certain conditions:

  • You installed hotfix HF-61155-1 on the FirePass controller, or the Microsoft® patch KB912945 on the client.

  • The client was using Internet Explorer® and the local language was set to Chinese Traditional.

Under these conditions, the Network Access now works correctly.

Protected workspace, Network Access, and removing some HOST file entries (CR66982)
In previous releases, the system did not remove some HOSTS file entries from the users PC added by the Network Access connection when a Windows® user in protected workspace logged out from the FirePass controller without terminating the Network Access connection. Under these circumstances, the FirePass controller now removes these HOST file entries from the user's PC.

Mobile E-mail, external users, and LDAP query (CR67019)
Previously, the From field became empty under certain conditions:

  • External users sent email through Mobile E-mail.

  • You selected the option Use LDAP query for mail server, display, and login information from the Logon Information list (in the Corporate mail account area on the Portal Access : Mobile E-mail screen).

Now, under these circumstances, the From field displays the email address of the sender.

Windows Files and accessing subfolders requiring different credentials (CR67023)
Prior to release 6.0.1, the FirePass controller could not access subfolders requiring different credentials when you configured the FirePass controller to access a shared folder through Windows Files feature. Under these circumstances, the FirePass controller can now access subfolders requiring different credentials.

Locked Browser, Tab and Enter keys (CR67122)
Prior to 6.0.1, the enter and tab keys did not work on the Locked Browser option. The Enter and Tab keys now work on the Locked Browser option.

Secondary Active Directory server (CR67124)
In release 6.0, the FirePass controller used a secondary Active Directory® server setting even though you had disabled this feature. Under these circumstances, the FirePass controller now ignores those settings.

Terminal server favorite on port numbers below 24 (CR67179)
Previously, when you configured any Terminal Server favorite with a port number between 1 and 23, the connection failed. Under these conditions, terminal server favorites now work correctly.

JavaScript error and Portal Access (CR67211)
In earlier releases, with Portal Access, the FirePass controller displayed a JavaScript error when you accessed certain URLs. Under these conditions, you can now access these URLs.

Legacy hosts and displaying characters (CR67250)
Prior to release 6.0.1, when you typed very fast on a legacy host keyboard, you had to wait for the FirePass controller to display this information. Under these circumstances, the FirePass controller displays this information immediately.

Form-based authentication, domain attribute, and cookies (CR67300)
In earlier releases, when you used form-based authentication, the FirePass controller ignored the domain attribute in cookies received from the form-based authentication server. Under these circumstances, the FirePass controller now reads the domain attribute.

Cookies and Firewall Forms-based Authentication server (CR67301)
Previously, the FirePass controller reverse proxy incorrectly truncated long cookies received from Form-based Authentication server (FBA) over SSL connection. The total length of the Set-Cookie header was limited to 128 bytes, and the rest was truncated. Under these circumstances, the reverse proxy now correctly reads these cookies and no longer truncates them.

Mac OSX, Network Access, and autolaunch (CR67522)
In previous releases, with Network Access, Mac OS®X users could not log on to the FirePass controller under certain conditions. Under these conditions, Mac OS®X users can now log on to the FirePass controller.

Default character set and Non-English logon names (CR67561)
Previously, the FirePass controller fixed the default character set to only English (ISO-8859-1) when you disabled the option Choice of language in login page on the Device Management : Customization screen. This prevented users with non-English logon names from logging on. Under these circumstances, users with Non-English logon names can now log on.

Web Application Tunnels and Kerberos authentication (CR67651)
In release 6.0, Kerberos authentication failed with Web Application Tunnels. Kerberos authentication now works correctly with Web Application Tunnels.

Time zone and pre-logon sequence check (CR67671)
In prior releases, the FirePass controller created a loop in the pre-logon sequence check when the time difference between low bandwidth clients and the FirePass controller was greater than one more hour. Under these circumstances, the pre-logon sequence checking process now works correctly even if the time difference between the FirePass controller and client are more than one hour.

DFS referrals that contain IP address (CR67698)
Previously, the FirePass controller failed to access distributed files system (DFS) referrals that contained IP addresses. The FirePass controller now successfully accesses DFS referrals that contained IP addresses.

1200 platform and erroneous fan alarms (CR67918)
In earlier releases, on 1200 platforms, the FirePass controller incorrectly reported CPU fan alarms even though the 1200 platform does not have CPU fans. 1200 platforms no longer report CPU fan alarms.

Windows Files favorite, display name or path (CR68029)
Previously, with Portal Access, when you added a Windows Files alias favorite, the FirePass controller did not display the name and path of the resource it referred to. Under these circumstances, the FirePass controller now displays the name and the path of the resource it refers to.

Japanese FirePass controllers, Mobile E-mail and users display name in UTF-8 (CR68247)
In prior releases, on Japanese FirePass controllers, the users Webtop did not display his display name correctly in the Mobile E-mail settings under the following conditions:

  • You configured Mobile E-mail to retrieve logon information from a LDAP server.

  • The LDAP server sent a users display name in UTF-8 format.

Under these conditions, the users Webtop now displays his correct display name in his Mobile E-mail settings.

Online help and antivirus policy check for Network Access (CR68305)
Previously, with Networks Access, the online help did not indicate that you could create an antivirus policy check for McAfee® VirusScan Enterprise 8.x. The online help now correctly documents this policy check.

Portal Access and %username%, %password%, and administrator defined favorites (CR68311)
In release 6.0, Portal Access favorites did not work under the certain conditions:

  • You configured a Portal Access favorite with the %username% or %password% variable in the URLs box (on the Portal Access : Web Applications : Resources screen).

  • You checked (enabled) the box Show administrator-defined favorites only (in the Access Limitation area on the Portal Access : Web Applications : Master Group Settings screen).

Portal Access favorites now work.

Windows files, double-byte characters, and saving (CR68631)
In earlier releases, when a Windows file contained double-byte characters, you could not download it to your local drive. Under these circumstances, you can now download Windows files to your local drive.

Dynamic group mapping, Active Directory, and client certificates (CR68701)
Previously, the FirePass controller did not automatically log on the user under all these conditions:

  • You enabled dynamic master group mapping for both Active Directory ® and client certificates.

  • The master group for the current user was set to Active Directory.

  • The user tried to log on with a client certificate.

The FirePass controller incorrectly displayed the password field, and pressing the Logon button did not allow the user to log on. Under these circumstances, the FirePass controller now automatically logs the user on without displaying the password field.

FirePass client and simple mode (CR68821)
Previously, when you started the FirePass controller client in simple mode and then started another instance of the client, the first session terminated and the second session failed. The FirePass controller now checks to see if an SSL VPN session already exists on the client before attempting to start another one. If the VPN already exists, the FirePass controller terminates the second session and displays warning on the client that a SSL VPN already exists.

FirePass client controller list (CR68913)
Prior to release 6.0.1, the FirePass controller client did not delete a FirePass controller entry from its Select FirePass controller list when you deleted one on the FirePass controller. To view a list of FirePass controllers on the FirePass controller client, click the Connect button. Under these circumstances, the FirePass controller client now correctly updates its list of FirePass controllers.

Local users and dynamic group mapping (CR69054)
In release 6.0, the FirePass controller incorrectly deactivated or deleted local users when you enabled dynamic group mapping on master group with internal database authentication. Under these circumstances, local users are no longer deleted or deactivated from the FirePass controller internal database.

Form-based authentication, passwords, and system logs (CR69134)
In prior releases, when you used form-based authentication, the FirePass controller incorrectly recorded passwords in clear text on the Reports : Logon screen. Form-based authentication now works correctly and the FirePass controller correctly protects passwords on this screen.

User name, specifying special characters, remote system log server (CR69174)
In previous releases, when you created a user name that contained special characters (for example, @), the system incorrectly converted these characters to send to the remote log server. The FirePass controller now leaves this special characters as they are.

Display name for users with external authentication in Mobile E-mail (CR69175)
In prior releases, the FirePass controller failed to include the external users display name in Mobile Email outgoing messages when the users credentials on the mail server were different from the users credentials on the authentication server. Under these circumstances the display name is now included.

FirePass controller cluster and failover (CR69187)
In release 6.0, during a failover, the standby member of the cluster took too much time to become the active member. Under these circumstances, the standby member now fails over in a timely fashion.

Dynamic App Tunnels and validating an SSL certificate (CR69201)
Previously, dynamic App Tunnels failed to validate an SSL certificate when the certificate chain had an intermediate certificate. Under these circumstances, the dynamic App Tunnels successfully validates the SSL certificate.

RADIUS and Active Directory and unexplained logon error code SSO (CR69202)
In release 6.0, the FirePass controller incorrectly displayed the message Passcode Accepted under all these conditions

  • You configured two-factor authentication on a master group (for external users only) : RADIUS and Active Directory® single sign on (SS0).

  • You typed the correct RADIUS password and incorrect Active Directory® password.

Under these circumstances, the FirePass controller no longer displays this erroneous error message.

SED script and empty URL matches (CR69220)
When you used multiple SED scripts and one of them had empty URL match pattern, the scripts that followed it in the list were always skipped (disabled). Under these circumstances, the SED scripts that followed the list with an empty match now work correctly.

Web Application Tunnels and creating a Webtop with JavaScript (CR69278)
Previously, Web Application Tunnels links did not work when you created an Intranet Webtop with JavaScript. Under these conditions, Web Application Tunnel links now work.

Portal Access and scrolling (CR69281)
Previously, with Portal Access, some text areas for certain applications did not scroll under specific conditions. With version 6.0.1, these applications now scroll correctly.

ActiveX controls, Microsoft Cumulative Security Update for Internet Explorer (916281) (CR69346)
In previous releases, when you installed the Microsoft® Cumulative Security Update for Internet Explorer (916281) on the client, the FirePass controller incorrectly prompted the client to press the space bar or the Enter key to activate the ActiveX controls, even though the ActiveX controls worked correctly. Under these conditions, the FirePass controller no longer erroneously prompts the user to activate these controls.

Portal Access and specifying a port in an ACL (CR69352)
In previous releases, with Portal Access, when you specified a port in the access control list (ACL), you could not access the port. Under these circumstances, you can now access the port.

Master group and dynamic resource groups (CR69480)
In rare instances, when you changed a users master group, the previous master group resources might be incorrectly displayed as dynamic resources when the user logged in at least once before the change. Under these circumstances, the master group no longer displays the previous master group resources as dynamic resources.

Pattern-based bypass mode and displaying 403 error messages (CR69510)
In earlier releases, the pattern-based bypass mode did not work, and the FirePass controller displayed a 403 error message to the client under the following conditions:

  • You enabled a pattern-based bypass mode on the reverse proxy.

  • The client sent a request to a web application where the first part of its URL path was greater than 255 characters.

Under these conditions, the pattern-based bypass mode now works correctly, and the FirePass controller no longer displays an error message.

FirePass client and Pocket PC 2003 Second Edition (CR69613)
In release 6.0, when you enabled a pre-logon sequence check, the FirePass controller client on Pocket PC 2003 Second Edition devices did not work. Under these conditions, the FirePass controller client now works on Pocket PC 2003 Second Edition devices.

Online help and Web Application Tunnels (CR69623)
Previously, the online help did not provide a JavaScript example for Portal Access. The online help now includes a JavaScript example for Portal Access example on the Device Management : Customization : Global Customization screen.

Active Directory, administrator account, and changing a password (CR69628)
In release 6.0, the user could not change his expired Active Directory® password during logon to the FirePass controller when the domain administrator account configured in the users master group Active Directory® authentication settings belonged to a large number (over 300) of Active Directory® domain groups. Under these circumstances the user can now change his expired password.

Portal Access and JavaScript (CR69826)
In earlier releases, with Portal Access, some applications might not work with JavaScript. These applications now work correctly with JavaScript.

Static App Tunnels and Outlook (CR69848)
In release 6.0, on Windows® XP, Windows® 2000, and Windows® 2003 operating systems, Outlook® failed when you configured a static App Tunnel with the Exchange type. Under these circumstances, Outlook® now works.

Numeric proxy password and finalizing a network configuration (CR69937)
In earlier releases, the FirePass controller deleted your proxy password when you did the following:

  1. You checked (enabled) the box Use Basic Authorization on the Device Management : Configuration : Proxies screen.

  2. You entered a proxy password that contain only numbers.

  3. You finalized your network configuration on the Device Management : Configuration Network Configuration screen.

Under these circumstances, the FirePass controller now retains the proxy password.

Windows files shares (CR70034)
Previously, when you upgraded to release 6.0 you could not access Windows® Files shares. You can now access Windows® Files shares.

Dynamic group mapping and LDAP user object (CR70041)
In earlier releases, with dynamic group mapping, the FirePass controller might have received a positive LDAP user object match even though the user object was not found when you used the LDAP (user object) group mapping method. The positive match occurred even though it was not found under all these conditions:

  • You used the LDAP (user object) group mapping method with the option Get user object using DN template .
  • Your mapping table contained entries matched the parent distinguished name (DN).

Under these circumstances, the FirePass controller receives a positive match only when the LDAP user object is found.

Protected workspace and removing files (CR70195)
Previously, the FirePass controller did not remove protected workspace files from a user's local hard drive when he logged off or shut down his PC instead of exiting the protected work space. Under these circumstances, the FirePass controller now removes these files from the user's local hard drive.

SecureID native authentication (CR70307)
Prior to 6.0.1, when the user used SecureID native authentication, and entered a valid user name and a password that was longer than the system accepted maximum length, the FirePass controller returned an erroneous message: Your PIN has changed to the end user. Now, the FirePass controller correctly displays the correct message: Access denied to the end user.

1000 platform and erroneous fan alarm (CR70451)
In earlier releases, the 1000 platforms generated erroneous alarms for system fan 2 alarms. The 1000 platform no longer generates these erroneous alarms.

Network Access Webtop and HF-600-2 (CR70452)
Previously, Network Access failed to start under all these conditions:

  • You enabled the option Use Alternate Webtop only (formerly called Network Access only Webtop) on the Network Access : Resources screen.

  • You set the Translate UI option on the logon page to Japanese.

  • You installed HF-600-2 or later.

Under these circumstances, the Network Access now starts successfully.

Static App Tunnels and specifying a port range with comma separate list (CR70494)
In earlier releases, with static App Tunnels, all the local ports moved up one favorite, under these conditions:

  1. You added a new favorite on the Application Access : App Tunnels : Resources screen.

  2. You added a static App Tunnel with a port range without a comma separated list.

  3. You added a static App Tunnel with a port range using a comma separated list.

  4. You modified the local port of the any previously created favorite and clicked the Update all button.

Under these circumstances, adding a static App Tunnel now works correctly and no longer moves all local ports up one favorite.

Default character set on logon page (CR70532)
In earlier releases, when you selected UTF-8 from the Default character set list on the logon page, the FirePass controller incorrectly reset it to English (ISO-8859-1). Under these circumstances, the FirePass controller now correctly retains your settings.

Citrix applications and Webtop (CR70562)
Previously, you could only start Citrix ® applications in the Webtop. Now you can also start Citrix® applications in a  new window.

Default character set list (CR70563)
In release 6.0, when you changed the default character set language from English to Japanese, Chinese, or Korean and clicked the Continue or Cancel button, the FirePass controller incorrectly removed the default character set list from the Administrative Console. Under these circumstances, the FirePass controller now retains the default character set list in the Administrative Console.

Japanese FirePass controller and App Tunnel name (CR70592)
On Japanese FirePass controllers, the system did not correctly display the App Tunnel name in the App Tunnel popup window. The system now correctly displays the App Tunnel name.

Default character set on logon page and non-English ASCII characters (CR70595)
In release 6.0, external users had to type their credentials twice before the FirePass controller allowed them access to the system. Now, the FirePass controller requires external users to type their credentials only once before they can access the system.

Cluster and random load balancing (CR70678)
In release 6.0, when you configured a cluster to perform random load balancing, the primary unit incorrectly sent new sessions to other units that were not a available. The primary unit no longer sends new sessions to unavailable secondary units.

Dynamic App Tunnels and case-sensitive access control list (CR70689)
In previous releases, the access control list for Dynamic App Tunnels was case sensitive. The access control list is no longer case sensitive.

Java Applet (CR70728)
In prior releases, some Java applets might not work in Portal Access. These Java applets now work in Portal Access.

FirePass client and Network Access (CR70833)
In release 6.0, Network Access failed to start automatically after you started the FirePass controller client with a shortcut, under the following conditions:

  • You disabled the option Use Legacy Logon Prompt.

  • You enabled Advance mode.

  • You specified a FirePass controller alias name that contained a space.

Under the circumstances, Network Access now automatically starts.

Mobile E-mail and Japanese files names greater than 13 characters (CR70851)
Previously, Mobile E-mail could not open attachments, if you used Internet Explorer®, and the attachment had a Japanese file name that was greater than 13 characters. Mobile E-mail now opens these attachments.

FirePass client and Korean Windows XP (CR70941)
In earlier releases, the FirePass controller client on a Korean Windows® XP system did not work. The FirePass controller client on a Korean Windows® XP system now works.

External users and Webtop (CR70988)
Previously, in rare cases, with external users, the FirePass controller might take too long to load the users Webtop. The FirePass controller now loads the external users Webtop promptly.

Web Application Tunnels and replacing URL variables (CR71086)
In prior releases, with Web Application Tunnels, FirePass controller failed to replace URL variables. The FirePass controller now replaces these variables appropriately.

Active Directory, NTLM, and passwords that contain a backslash ( \ ) (CR71160)
Previously, the FirePass controller incorrectly added an extra backslash ( \ ) character to the user password under the following conditions:

  • The Active Directory® or NTLM server forced the user to change their password.

  • The users entered a new password that contained a backslash ( \ ) character.

Under these conditions, the FirePass controller no longer adds an extra backslash ( \ ) character to the user password.

Online help and specifying passwords (CR71161)
In earlier releases, the online help incorrectly stated that you could not specify a backslash ( \ ) in a users password on the Users : User Management screen. In fact, you can use a backslash in this case, and we have removed this statement from the online help.

Redundant SMTP server configuration (CR71318)
In release 6.0, the backup SMTP server did not become the active SMTP server under the following conditions:

  • You configured the FirePass controller to use a primary and backup SMTP server.

  • The primary SMTP server timed out.

Under these circumstances, the backup SMTP server now becomes the active SMTP server.

IPv6, web and dynamic App Tunnels, Windows XP (CR71329)
Previously, web and dynamic App Tunnels failed on clients running Windows® XP with SP2, and Windows Vista with IPv6 installed. Under these circumstances, web and dynamic App Tunnels now succeed.

Redundant system and client root certificate (CR71403)
In previous releases, on a redundant system, when you deleted a client root certificate on the standby system, the active system did not synchronize this change. You can now configure only client certificates on the active system, and the standby system no longer displays the client certificates menu.

McAfee Security Center 10, Windows client, and Web Application Tunnels (CR71490)
In release 6.0, Web Application Tunnels failed under the following conditions:

  • You logged onto the FirePass controller using a Windows® client

  • You installed a Comcast® or Dell® version of McAfee® Security Center 10.

Under these circumstances, you can now successfully start a Web Application Tunnel.

Citrix terminal favorite and 256 color depth (CR71526)
In previous releases the FirePass controller incorrectly applied the 256 color depth on a Citrix® terminal favorite when you set it to 16 bit or higher. Under these circumstances, the FirePass controller now applies the correct color depth.

Portal Access and access control list (CR71703)
In previous releases with Portal Access, the access control list (ACL) failed when you inserted extra backslashes ( \ ) or slashes ( / ) in the ACL. Under these circumstances, the access control list works correctly.

Passwords that begin and end with a space (CR71746)
In prior releases, when a user created a password that began or ended with the space character, authentication failed. Under these circumstances, authentication now succeeds.

New browser settings and wild cards CR71766)
In previous releases, if you added new browser settings with wild cards in the user agent string, the FirePass controller deleted the new browser when you finalized any changes in the network configuration. Under these circumstances, the FirePass controller now saves your new browser settings.

Windows Antivirus message (CR71911)
In previous releases, when you used the Windows Antivirus checker in a pre-logon sequence, the system displayed a message that was grammatically incorrect. The message is now grammatically correct.

Changes in US and Canada Daylight Saving Time (CR72049)
The Energy Policy Act of 2005, which was passed by the US Congress in August 2005, changed both the start and end dates for Daylight Saving Time in the United States, effective March 2007. Canada is also adopting this change. The resulting changes have been addressed in this version of the product software. To find out more about this issue, refer to Solution 6551 on the AskF5 web site.

Network Access, Linux, and Firefox (CR72054)
In previous releases, with Network Access, when you used Firefox®, the Linux SSL VPN connection failed under the following circumstances:

  • You checked (enabled) the box Present the user with a message box after successfully connecting Network Access client (on the Network Access: Resources : Customization screen).

  • You typed a custom message in the Connection Established option (on the Network Access: Resources : Customization screen).

Under these circumstances, Network Access now works.

Mobile E-mail, external users, and double-byte characters (CR72062)
Previously, on systems using double-byte characters, the FirePass controller sometimes displayed the incorrect senders name in the email, or did not include the senders email address in outgoing messages under all these conditions.

  • The external authentication server (such as RADIUS) did not provide information about the user's display name.
  • The users first logon to the mail server failed because either the authentication server's credentials did not match the mail server's (POP or IMAP) credentials, or the user did not enter his logon template information correctly.

Under these conditions, the FirePass controller displays the correct senders name and email address in the email.

Network Access tunnel and closing Webtop window (CR72077)
In release 6.0, the FirePass controller always prompted users to close their SSL VPN or Application tunnels when they closed their main Webtop window. You can now configure FirePass controller to not prompt users about closing the SSL VPN or Application tunnels when they close the main Webtop window. To do this, navigate to the Network Access Global Settings screen and .check (enable) the box Leave VPN Connection/Application tunnels open when webtop is closed option.

IP group filters, adding and deleting (CR72093)
In release 6.0, with Network Access, you could not add or delete an IP group filter when the net mask was in a four octet decimal format (xxx.xxx.xxx.xxx). Under these circumstances, you can now delete or add an IP group filter.

Portal Access and Home Tab (CR72135)
Previously, on Portal Access, the FirePass controller did not rewrite URLs under the following conditions:  

  • The administrator disabled the Home tab.

  • The page contains only a META refresh tag.

  • The page does not contain <HTML> tag.  

Under these circumstances, the FirePass controller now rewrites URLs correctly.

SUN JRE 1.5.0_08 and Legacy host Java-based favorites (CR72308)
In release 6.0, with SUN JRE 1.5.0_08 and later, you could not use the tab key on Legacy host Java-based favorites. Under these circumstances, you can now use the tab key.

Display name, email address, and spaces (CR72322)
In prior releases, the FirePass controller incorrectly deleted the space or inserted a space between the display name and email address. The FirePass controller no longer modifies the space or inserts a space between the display name and email address.

Portal Access and JavaScript (CR72373)
In release 6.0, on Portal Access, the FirePass controller reverse proxy failed to rewrite certain JavaScript containing HTML comment tags with an XML tags and a double-quoted string. Under these circumstances, the FirePass controller now successfully rewrites these JavaScripts.

Home link, web application, dynamic cache, gzip compression (CR72402)
In earlier releases, the web application did not display the Home tab when you enabled the following options on the Portal Access : Web Applications : Caching and Compression screen:

  • Enable Dynamic Cache on FirePass

  • Enable Compression

Under these circumstances, the web page now displays the Home tab.

Portal Access and downloading attachments (CR72410)
In release 6.0, on Portal Access, you might not have been able to download an attachment under the following conditions:

  • You enabled the protected workspace (on the Users : Endpoint Security: Pre-logon Sequence screen).

  • You checked (enabled) the box Require cache cleanup ActiveX/ Plugin to be loaded to allow file downloads in Windows Files (on the Users : Endpoint Security : Post-logon actions screen).

  • You checked (enabled) the box Don't cache anything, except for images, Style Sheets and Javascript includes and Enable compression (on the Portal Access: Web Applications: Caching and Compression screen).

Under these circumstances, you can now download an attachment.

Application logs, master groups, administrative users (CR72415)
On the Reports : Log Apps screen, the FirePass controller did not display users assigned to an administrative realm when they belonged to a master group with a name longer than 32 characters. The master group name now supports up to 64 characters.

App Tunnel and changing the order of favorites (CR72465)
In release 6.0, when you created multiple App Tunnel favorites and then tried to change the order of the favorites, the name of the App Tunnel changed but the remote hosts or applications attached to the favorite were not retained. Under these circumstances, the remote hosts or applications attached to the favorite are now retained and the system changes the order of favorites correctly.

Network Access and Internet Explorer (CR72538)
In prior releases, Internet Explorer® locked under all these conditions:

  • The Network Access connection dropped (physical link) for a short period of time and then resumed.

  • The remote client is using DHCP.

Under these conditions, Internet Explorer® now remains functional.

i-mode and adding a browser type (CR72595)
In earlier releases, when you added an i-mode® phone browser type with a regular expression, the FirePass controller incorrectly detected the browser type as a mini-browser when you logged in with a user agent that matched the regular expression. Under these circumstances, the FirePass controller now detects the correct browser type.

Locked browser and Microsoft JVM (CR72618)
In previous releases, with Web Application Tunnels, when you enabled the Locked browser option, the client always selected the Microsoft® JVM™. Under these circumstances, the client now selects the correct Java Virtual Machine.

Windows Files shares and sorting in alphabetic order (CR72701)
In previous releases, the FirePass controller did not sort the file list in alphabetic order when you configured a Windows Files share of the format \\servername instead of \\servername\sharefolder. The FirePass controller now sorts all Window Files shares in alphabetic order.

Dynamic App Tunnels and VNC Viewer (CR72768)
In earlier releases, Dynamic App Tunnels failed when you upgraded the VNC Viewer, version 4.2.7.Under these conditions, Dynamic App Tunnels work successfully.

Expired cookies not removed (CR72920)
In release 6.0, the FirePass controller did not remove expired cookies on some web applications through Portal Access. The FirePass controller now removes expired cookies on these web applications.

Firefox, Netscape, and recognizing Windows 2003 (CR73106)
Previously, the FirePass controller did not correctly detect the Windows® 2003 platform when you used Firefox® or Netscape® browsers. The FirePass controller now correctly recognizes Windows® 2003 systems when you use these browsers.

Excel, Euro Currency Tool, and protect workspace (CR73133)
Previously, the FirePass controller incorrectly prompted the user to install the Microsoft® Euro Currency Tool for Excel® under the following conditions:

  • The Microsoft® Euro Currency Tool was previously installed.

  • The user restarted Excel® in a protected workspace.

Under these circumstances, the FirePass controller no longer prompts the user to install the Microsoft® Euro Currency Tool.

Citrix MetaFrame Portal and passwords containing non-ASCII Western European characters (CR73165)
In previous releases, the FirePass controller could not automatically log on a user to a Citrix® MetaFrame® Portal favorite when the user password contained non ASCII Western European characters, such as "¦","¸","¥". Under these circumstances, the FirePass controller can now automatically log the user on to the Citrix® MetaFrame® Portal favorite.

Mobile E-mail and logon name with special characters (CR73236)
In release 6.0, users could not access their Mobile E-mail corporate account when their logon name contained special characters and the corporate account was configured to retrieve their information from an LDAP server. Under these conditions, users can now access Mobile E-mail.

Proxy auto configuration timeout (CR73371)
In previous releases, the FirePass controller might have failed to load the proxy auto configuration file from a slow proxy server due to a short timeout. We have increased the timeout, and the FirePass controller no longer fails to load the proxy auto configuration file.

External IP monitoring and upgrading (CR73524)
Previously, when you upgraded, external IP address monitoring was enabled even though you disabled it. Under these circumstances, the system retains your external IP address monitoring setting.

Dynamic group mapping, and Framed-IP-Address RADIUS attribute (CR73646)
In prior releases, dynamic group mapping using Framed-IP-Address RADIUS attribute failed. Under these circumstances, dynamic group mapping now succeeds.

Static App Tunnels and Exchange (CR73728)
Previously, in release 6.0 with a cumulative hotfix HF-600-8 or later installed, when the user started a Exchange or Exchange Client/Server Comm feature on a static App Tunnel, the FirePass controller responded in one of the following ways:

  • The system incorrectly prompted the user if he wanted to start the application when the system administrator disabled the option Display message box before launching applications.

  • The system asked the user twice instead once, if he wanted to start the application when the system administrator enabled the option Display message box before launching applications.

Under these circumstances, the FirePass controller no longer prompts the user to start an application when the system administrator disables this option. Also, the system now only asks the user once when the system administrator enables this option.

Local users and changing passwords (CR73889)
In earlier releases, the FirePass controller might have corrupted the local users first name, last name, and email address when you disabled the option Allow user to change user information. To view this option, select a master group on the Users : Groups : Master Group screen: User Experience, and then click the User Experience tab. Under these circumstances, the FirePass controller no longer corrupts the user's first name, last name and email address.

Network Access, packet filtering, system logs (CR73989)
In prior releases, the FirePass controller displayed erroneous error messages in the system logs if you configured packet filters for Network Access and restarted the FirePass controller services. Under these circumstances, the FirePass controller no longer displays erroneous error messages in the system logs.

Maintenance console and legacy host session (CR74216)
Previously, when you established a legacy host session from the user interface, then started a maintenance console session from the Administrative Console, the system displayed the established legacy host session instead of maintenance console. Under these circumstances, the FirePass controller now displays only the maintenance console.

Client certificate, dynamic group mapping, subjectAltName field (CR74298)
In release 6.0, users could not log on to the FirePass controller under all these conditions:

  • You used client certificate authentication on the users master group.

  • You allowed users to be assigned to a master group by dynamic group mapping.

  • You allowed the client to automatically log on when FirePass controller detected the client certificate on the client.

  • You enabled an additional client certificate check against the Active Directory® attribute.

  • The FirePass controller checked for the client certificate subject field, certificate ext subjectAltName field (regex extraction).

Under these circumstances, users can now successfully log on to the FirePass controller.

ActiveSync and Windows Mobile 5 (CR74554, CR74555)
On the FirePass controller, previous versions, ActiveSync® did not work with Windows® Mobile 5 devices. Now, ActiveSync® now works with Windows® Mobile 5 devices on the FirePass controller.

Logon button and automatic log on client certificate (CR75022)
In previous releases, users might not be able to log on to the FirePass controller if they clicked the Logon button while waiting for the automatic logon with the client certificate to finish. Now when users log on with client certificate and automatic logon is enabled, the Logon button is no longer displayed.

Protected configuration, session variables, and using custom rules (CR75155)
Previously, with endpoint security, some session variables that contain characters such as an equal sign ( = ) did not match a protected configuration custom rule. Under these circumstances, these session variables now match a protected configuration custom rule.

[ Top ]

 

Known issues

The FirePass controller, version 6.0.1 includes the following general known issues. You can find localization-specific known issues in Localization known issues.

 

Known issues for Windows Vista

Protected workspace (CR69798)
This version of the FirePass controller does not support protected workspace on Windows Vista clients.

Integrated IP filtering engine and Windows Vista (CR73174)
This version of the FirePass controller does not support the integrated IP filtering engine on Windows Vista™ clients.

Windows Vista and detecting firewall with OPSWAT SDK 2.3.2 (CR73322)
The pre-logon sequence check cannot detect a firewall on Windows Vista™ clients due to software considerations of the OPSWAT®2.3.2 SDK.

Static App Tunnels, Windows Vista, and file sharing (CR73903)
On Windows Vista™ clients, file sharing through static App Tunnels does not work. With Windows® XP, file sharing requires an administrative user account.

Popup warning message displayed during VPN Driver installation on Vista (CR73933, CR73953)
When you install the VPN driver on a Windows Vista™ client, the operating system displays a popup warning message that confirms the installation of an unsigned driver. This popup might block the F5 Component Installer Service from installing the VPN driver onto the client. Automated deployment tools might also not work for the same reason.

App Tunnels, Firefox 2.0, and Windows Vista clients (CR73943)
When you are using App Tunnels, the FirePass controller might not work with Firefox® 2.0 on Windows Vista clients because the software update might fail if the browser is installed in a non-default location. You can reinstall the software to the default location, or to a non-default location as long as the installation folder is named Mozilla Firefox. Alternatively, you can start Firefox® by right-clicking its icon and select from a menu Run as administrator.

Network Access and Windows Vista clients (CR73982)
With Network Access, the Windows Vista operating system unnecessarily prompts the user to select a firewall type (home, work, or public location). However, the client establishes a Network Access connection when the user selects a firewall.

Whole Security integration, Vista, and Internet Explorer, version 7 (CR74345)
Whole Security integration does not support Windows Vista and Internet Explorer®, version 7.0.

Windows Vista logon integration (CR74375)
On Windows Vista™ clients, users have to enter their logon credentials twice, once to establish a VPN connection to FirePass controller, the second time to log on to their Windows® system.

FirePass client components and limited privilege account (CR74572)
FirePass controller client components are not installed when a user with a limited privilege account attempts to install them through the web. Also, on Windows Vista clients, you cannot upgrade the FirePass client components without an administrative account. The upgrade appears successful to the user even though the upgrade failed. To work around the Windows Vista™ issue, see FirePass client components and limited privilege account.

Windows Vista Clients and disabling top level ActiveX controls update option (CR74763)
When you enable (check) the check box for Disable top level ActiveX controls update, the user might not be able to access the FirePass controller. To work around this issue, see Disable top level ActiveX controls update option and Windows Vista.

Network Access connection name and Vista operating system (CR74797)
With Network Access, you cannot specify connection name for Windows Vista™ clients with the following characters:

  • Backslash ( \ )
  • slash ( / )
  • Colon ( : )
  • Asterisk ( * )
  • Question mark ( ? )
  • Less than ( < )
  • Greater than ( > )
  • Pipe ( | )
  • Quotation mark ( " )

If you specify a session variable in the connection name, make sure the variable does not return these characters. To view the Connection name option, navigate to the Network Access : Resources screen. Then select the Client Settings tab.

Network Access, Windows Vista, and removing Network Access components (CR75184)
On Windows Vista™ client, the user cannot establish a Network Access connection when he performs the following steps:

  1. The user is running 6.0.1 FirePass controller client components and removes these components from his PC.

  2. The user installs 5.5.2 FirePass controller client components from a FirePass controller running release 5.5.2.

  3. The user attempts to access FirePass controller running version 6.0.1.

For the work around process, see Network Access, Windows Vista, and removing Network Access components.

Windows Vista and modify Windows logon integration dial up entry (CR75429)
On Windows Vista™ clients, you cannot modify a Windows logon integration dial up entry when you right click the entry on the Control Panel : Network Connection screen. For the workaround process, see Windows Vista™ and modify windows logon integration dial up entry.

Windows Component installer server and upgrading to Windows Vista (CR75587)
On a FirePass controller running version 6.0.1, the previous version of Windows Component Installer Service does not upgrade on Windows Vista clients even if you try to do so with administrative privileges. To work around this issue, reinstall the Windows Component Installer Service manually onto the client. To do so, navigate to the Device Management : Client Downloads : Windows (x86) screen.

Network Access, drive mapping, and Windows Vista (CR75721)
With Network access, you cannot map a drive on Windows Vista™ client.

Known issues for administration

Progress bar during online update (CR31670)
During an online update of FirePass controller software, occasionally the third progress bar freezes, and does not indicate the true status of the update. The update, however, ordinarily completes as expected.

Monitor Statistics/System Load screen data mismatch (CR36658)
The difference in the data shown on the Device Management : Monitoring : Statistics screen and the Device Management : Monitoring : System Load screen appears to be isolated to the FirePass controller 4100 platform.

Load balancing deactivate (CR44778)
Load balancing does not turn off unless you first clear the check box Allow optional manual logon to slave nodes from master logon page, and then set Load Balance to off.

Display nodes in cluster at the logon page (CR51211)
When you change the number of members in a cluster, the loading balance menu at the logon screen does not display these changes. However, load balancing works correctly.

Canceling a snapshot (CR53041)
On the Maintenance Console, when you try to cancel a snapshot, the FirePass controller fails to cancel the operation.

Logging results of a custom protected configuration (CR54709)
When a custom protected configuration denies access to the user, the FirePass controller does not log the reason he was denied access at the Reports: Logon screen.

Restore settings and backup file (CR58103, CR73892, CR73893)
You cannot restore the following settings from a backup file:

  • Administrator password (on the Device Management : Security : Admin Name and Password screen)

  • IPsec settings (on the Device Management : Security : IPsec Configuration)

  • Enable system email-alerts option (on the Device Management : Monitoring : System Health screen).

  • Health monitoring settings for a redundant pair (on the Device Management : Monitoring : System Health screen).

System logs and viewing active sessions (CR60097)
The FirePass controller incorrectly limits the display of currently active sessions on the Reports: Sessions screen to the number of sessions it keeps in the log file. The number of session records is limited by the amount time set in Keep logs for option multiplied by 2. For example, when you set the option Keep for logs option to one hour, the maximum time frame for which the FirePass controller reports sessions statistics is limited to the last two hours. To view this option, navigate to the Device Management : Maintenance : Logs screen.

Retaining changes to the time zone (CR62897)
When you change the time zone on the Device Management : Configuration : Time screen and then restart the FirePass controller, the system does not update the time from the NTP server. To update the time from the NT server, go to the NTP Server area, and then in the New NTP Server option, click the Apply button.

Maintenance console, cancel button, extra characters (CR62959)
When you use the maintenance console, you may experience difficulties on some screens:

  • If you press the Enter button while the Cancel button is highlighted, the Enter button does not work (except on the first screen).

  • Each time you press the Yes and No options, the maintenance console incorrectly inserts extra characters but it does correctly accept your yes or now selection.

Race condition and packet filters (CR63229)
During a race condition, some packet filters might not work. As result, some users might not be able to log on to the FirePass controller.

Desktop service, web services, and upgrading (CR64108)
When you upgrade to release 6.0. and later, the FirePass controller correctly removes the Desktop Service from the system (this feature is no longer supported). However, the system incorrectly retains the web service configuration associated with the Desktop Service (the option is on the Web Server tab on the Device Management : Configuration : Network Configuration screen).

FTP nightly backups settings (CR65029)
If you upgrade the FirePass controller from a previous release, the system does not retain the settings for the additional options for the Perform nightly backups to ftp server setting.

Windows 98, Windows ME, and Windows NT (CR66854)
The Administrative Console and the online help incorrectly refer to Windows® NT, Windows® 98, and Windows® ME, even though the FirePass controller does not support these platforms.

Finalize tab and Desktop settings (CR67129)
The FirePass controller incorrectly displays Desktop Access settings on the Finalized tab (on the Device Management: Configuration : Network Configuration screen) even though they are not supported.

DNS server, ICMP, and remote system log server (CR66668)
You cannot enable the remote system log server when the ICMP packet is blocked between the FirePass controller and DNS server.

HTTPS access and restoring a backup (CR67857)
You cannot restore the option Allow Insecure Access from a backup configuration because it incorrectly retains the option Enforce HTTPS access instead of the option Allow Insecure Access.

Backup file and user session lockout (CR72007)
When you restore a backup file, the new user lockout option is disabled even though you might have enabled it previously. To view this option, navigate to the Device Management : Maintenance : User Session Lockout screen, and locate the Lockout new user sessions setting.

Administrative realms and backslashes ( \ ) (CR73298)
When you create an administrative realm with a backslash ( \ ) in the name field, the FirePass controller incorrectly adds four backslashes in the name instead of one.

Sessions stats, Application Logs and short log purge interval (CR73575)
When you configure a log purge interval that is short (a few hours), some of the sessions statistics information and application log entries might be purged from the database and not included in any log archives.

Automated virus update and restoring a backup configuration (CR73973)
You cannot restore the automatic virus database update setting from a backup file. To view this option, navigate to the Portal Access : Content Inspection screen, select the Antivirus tab, and scroll to the Virus Database Update area.

User name and using HTML tags (CR74380)
The Reports : Logon screen might become corrupted when you type a user name that contains HTML tags.

Online help and 4300 platform (CR74734)
The online help documents the 4300 platform interfaces and ports incorrectly. The correct description is the following. There are two additional ports available on the FirePass 4300 controller. These are labeled 2.1 and 2.2 on the controller chassis, and eth 1.21 and eth 1.22 in the configuration interface. These fiber ports provide direct connection to additional services such as dedicated clustering, failover synchronization, DMZ use, or to a LAN. You must install a small-form-factor pluggable (SFP) into the ports to enable them. For the correct information about this topic, refer to the FirePass ® Controller Administrator Guide.

Known issues for authentication

Euro symbol in password (CR30346)
When you configure a group that uses NTLM authentication and uses a Windows® 2000 Primary Domain Controller, and you also use the signup by template feature, the FirePass controller does not correctly send passwords containing a (Euro currency) symbol. Please advise new users not to use this symbol when they select their passwords.

Question mark in LDAP URL (CR30914)
If the filter portion of an LDAP query contains an embedded question mark, the query might fail.

Basic HTTP authentication with an external server (CR31506)
If you configure a group to authenticate users over HTTP, you must specify an object in the path you set for the external server. Otherwise, authentication fails. For example, the URL http://myauthserver.com fails, but http://myauthserver.com/ succeeds.

RADIUS challenge response with Cryptocard and blank passwords (CR34959)
The FirePass controller does not accept blank passwords when using RADIUS challenge response with Cryptocard. The workaround is to enter a temporary password and then enter a permanent password.

Moving users between groups (CR36808)
When you move a user from one group to another, the FirePass controller does not prompt for additional data that might be required by the target group. For example, a user moved from a group using LDAP authentication to a group using internal database authentication might lack a password in the internal database account record. This can potentially result in failures of authentication. To prevent these failures, verify the completeness of user account records using the Users : User Management screen.

Authentication does not check proxy settings (CR37072)
The FirePass controller form-based authentication component does not check or use proxy settings or proxy server credentials. Do not configure a FirePass controller to perform HTTP or HTTPS-based authentication using the proxy server.

Incorrect user information attribute with first name (CR40694)
Mapping the user's first name against an Active Directory® account results in a first name of Administrator, not the actual first name of the user. This error occurs only with the test mapping. Mapping by the FirePass controller works correctly, and the user can log on without problem.

Client certificates for external users (CR44888)
The FirePass controller stores client certificates. If an external server maintains your user accounts, and you want to use client certificates for your users, you must use your company's certificate authority (CA) infrastructure. FirePass controller cannot distribute client certificates that it does not create. For more information, refer to the online help for client certificates.

Using the at sign in the Active Directory logon (CR45446)
You can use the email address as your Active Directory® logon, and your email address can (and must) contain the at sign ( @ ). However, Active Directory® logons that are not email addresses cannot contain @.

Strong passwords (CR47069)
When you configure an internal database of users to use strong password authentication, this setting is not applied to imported users.

User name containing @ and authentication (CR52530)
A user name containing the at symbol ( @ ) cannot be authenticated using Active Directory®. However, it can be imported and it is then correctly displayed in the users' list.

Japanese FirePass controllers, dynamic group mapping, client certificates (CR53785)
On Japanese FirePass controllers, when you configure a dynamic group mapping policy to authenticate users with a client certificate only (client certificate passwordless authentication), dynamic group mapping fails.

External groups and allow user to change user information option (CR57053)
For external groups, the FirePass controller incorrectly allows you to use the option Allow user to change user information using the User Experience tab after selecting a master group in the Group Name column at the Users : Groups: Master Groups screen. This option is reserved for internal users.

Single sign on and dynamic cache (CR62653)
When you use the FirePass controller to support single sign on to back-end web servers through Web Applications, you might need to clear (disable) the option Enable Dynamic Cache on FirePass in the Web Applications cache area on the Portal Access : Web Applications : Caching and Compressions screen. When you enable dynamic cache, the FirePass controller might return content directly, bypassing the security check of the back-end web application, if the web application does not manage HTTP caching headers correctly.

Changing passwords, dynamic group mapping, NTLM authentication (CR64490)
If you configure a dynamic group mapping policy with NTLM authentication and you require the user to change his password at the next logon, the FirePass controller successfully changes the user's password; however, the user cannot access the system on the next logon.

Restoring LDAP base group mapping method restoring settings (CR64875)
If you restore your configuration from a previously created backup file, the system does not restore the settings Searched Base DN and Attributes to map group for the LDAP base group mapping method.

Active Directory server in the logon report (CR64912)
The FirePass controller shows the primary Active Directory® server in the logon report, even if the secondary or tertiary server was used for authentication.

RADIUS and single sign on password (CR67628)
The FirePass controller incorrectly retrieves the RADIUS single sign on (SSO) password even if you have disabled the options to do so. To view this option, select the Authentication tab on the Users :Groups : Master Groups screen, and locate the setting for Retrieve Single Sign On Password from the RADIUS attribute.

Single sign-on and dynamic cache (CR67873)
Single sign-on (SS0) to resources protected by RSA® ClearTrust® does not work correctly when you have already enabled dynamic cache setting on FirePass controller. To work around this issue, navigate to Portal Access : Web Applications : Caching and Compression screen and clear (disable) the box for the setting Enable Dynamic Cache on FirePass.

Active Directory and UPN names (CR69104)
With external users, authentication fails when you configure a user account that refers to a user principal name (UPN).

NTLM, version 2 (CR73790)
The FirePass controller does not support NTLMv2 for Windows® Domain authentication.

Active Directory and changing passwords (CR75250)
The FirePass controller incorrectly advises the user that his password change failed even though it was successful. This incorrect message occurs under the following conditions.:

  • The user changes his expired Active Directory® password on FirePass controller logon page.

  • The Active Directory® server is behind NAT.

Known issues for Application Access

App Tunnels drive mapping with invalid or missing SSL server certificate (CR36803)
If you have not yet installed a trusted SSL certificate on the FirePass controller, then when users attempt to connect to a mapped drive using App Tunnels, the first attempt in a session usually fails. Subsequent attempts using the Relaunch button might succeed. We recommend installing a trusted server certificate as soon as possible.

Terminal Server and VLAN interface (CR52511)
When you enable master group-based policy routing for a particular master group, you must not allow users of the master group to create Terminal Server favorites for accessing servers that are not part of the VLAN defined for that master group. To prevent users from creating the Terminal servers user favorites, select the Limit Terminal Servers Access to Favorites only(for Extranets...) option at the Application Access: Terminal Servers: Master Group Settings screen.

Microsoft file sharing and App Tunnels (CR53559)
For App Tunnels, On Windows® XP, Microsoft® file sharing does not work if the user has limited rights on his client.

VNC client (CR54485)
The VNC standalone client does not provide a button to disconnect from the Terminal Server session. To disconnect from a Terminal Session, the end user must log off from the FirePass controller.

Displaying the front door custom graphics (CR58779)
When you check the Disable large F5 Front Door graphics option so that you can display a custom image, the custom image is displayed in the Administrative Console but not on the front door (logon screen).

Autolaunch opens additional windows at the first logon (CR58862)
With App Tunnels, when you configure the following settings at the Application Access: App Tunnels screen, the system incorrectly opens extra windows when the client first logs on to the FirePass controller and the client system does not have App Tunnels components (ActiveX controls) preinstalled:

  • Create a new App Tunnel resource group.

  • Create several App Tunnel favorites.

  • Checked the option Autolaunch based on endpoint protection.

Internet Explorer, version 5.0 and closing multiple App Tunnels (CR59110)
When you use Internet Explorer®, version 5.0 and you close multiple App Tunnels, the system displays JavaScript errors on the end user's browser. To avoid this issue, we recommend that you use a more recent version of Internet Explorer®.

Japanese characters and Windows files (CR59800)
With Windows files, on the top level directory, if the Japanese folder name is greater than 12 bytes, the FirePass controller does not display the folder.

Single sign on and dynamic cache (CR62653)
When you use the FirePass controller to support single sign on to back-end web servers through Web Applications, you might need to clear (disable) the option Enable Dynamic Cache on FirePass in the Web Applications cache area on the Portal Access : Web Applications : Caching and Compressions screen. When you enable dynamic cache, the FirePass controller might return content directly, bypassing the security check of the back-end web application, if the web application does not manage HTTP caching headers correctly.

TN3270E terminals and LU names (CR65498)
The FirePass controller does not support LU names on TN3270E terminals.

Legacy hosts and inactivity timeout (CR67150)
With legacy hosts, when you set the global inactivity timeout or the master group inactivity timeout (on the Device Management : Security : Timeout screen), the FirePass controller does not automatically log-out of abandoned sessions.

Citrix terminal server favorite and screen resolution (CR67678)
With internal users, the FirePass controller incorrectly sets the screen resolution on a Citrix® terminal favorite. To work around this issue, we recommend that you use external master groups.

Dynamic App Tunnels, Internet Explorer 7, client certificates (CR70987)
When you select the option Request client certificate during logon with the option Do not use certificate field for logon username, if the user starts a Dynamic App Tunnel, it might incorrectly prompt a request by Internet Explorer® 7 for a client certificate even if the user already selected that at logon. To view these options, navigate to the Device Management : Security : Certificates screen. Also, the FirePass controller might display the message Invalid server certificate, even if the user previously confirmed the client certificate on Internet Explorer® 7.

Windows Files and Novell Netware servers older than 6.5, SP2 (CR73581)
On the FirePass controller, Windows Files might not work with Novell® Network severs that are older than 6.5, SP2

Know issues for Network Access

Network Access over dial-up connection where IPsec VPN client is present (CR37127)
You cannot use Network Access over a dial-up connection from a remote Windows® 2000 or Windows® XP system that also has a Check Point® SecuRemote/SecureClient IPsec VPN client installed. You can use Network Access over dial-up with a Check Point IPsec VPN client; however, the Network Access connection might take a long time to close, and you must drop and redial the connection to the ISP in order to continue with Internet access.

Network Access on Safari 1.0 browser on OS X 10.2 (CR37217)
The Network Access control for Macintosh® OS X version 10.2 does not install properly under the Safari® 1.0 browser. The screen repeatedly prompts you to install it, even if you have already installed it, but you cannot use it. The Safari 1.0 browser does support the FirePass controller's HTML-based functional components: Portal Access, Mobile E-mail, Windows Files, UNIX Files, and for Desktop access, the Java client only. You can use Safari 1.2 as the Network Access browser.

McAfee VirusScan Enterprise, version 7.x and Last Signature Update (CR40600)
For Network Access, when you use the pre-logon sequence check with McAfee® VirusScan Enterprise, version 7.x, the Last Signature Update option works on only the English version of Windows®.

Split tunnel for Network Access on PocketPC (CR45800)
The FirePass controller does not support split tunnel for Network Access on the Pocket PC.

Network Access with a Windows XP client (CR46482, CR46659)
Drive mapping with Windows® XP clients might not connect to the Windows file server on the first attempt.

Network Access and global activity timeout (CR63887)
With Network Access, when you set the global or group based inactivity timeout option (on the Device Management : Security : Timeouts screen) to less than five minutes, the FirePass controller incorrectly terminates Network Access even though traffic is passing through the tunnel during this time.

Network Access, protected workspace, local default gateway (CR68042)
The FirePass controller might remove the user’s local default gateway when the user exits the protected workspace even though his Network Access connection is still active. This prevents the client from accessing resources on the network.

Network Access and application logs (CR69525)
When you check the box Enable Extended App logs and establish a Network Access connection, the Reports: App logs screen records two Network Access connections instead of one. To view this option, navigate to the Device Maintenance : Logs screen.

Network Access, McAfee Security Center 10, and IP filtering (CR72665)
The Network Access connection fails under both conditions:

  • You install McAfee® Security Center 10 on the client
  • You enable the IP filtering engine option (by selecting the Policy Checks tab on the Network Access: Resources screen).

Network Access and VPN drive mapping (CR74834)
With Network Access, if system administrator configures 10 drive mappings, the FirePass controller displays an erroneous error message to the end user that the second drive mapping failed even though all the drives were successfully mounted.

Known issues for Portal Access

Certificates in Lotus Notes (CR28747)
You can open a Lotus® iNotes® mailbox with an expired server certificate. However, you must have a current certificate to open the same mailbox through the FirePass controller.

Length limitations on Window File share names (CR28778)
Previously, the FirePass controller had the same length limitations on share names as older versions of Windows ® (Windows 95, Windows 98, and Windows NT). This limitation applied only to share names. Single-byte share names needed to be 12 characters or less, and double-byte share names needed to be 6 characters or less. Subfolders no longer have this limitation. This limitation now only applies to the top-level directory (root shared folder).

Deleted emails in Outlook (CR28854)
If you use an IMAP email server, Outlook® does not provide any visual indication when a user marks an email for deletion.

Constant restart of Flash (CR36933)
Flash constantly restarts at the www.kurzweilai.net and other flash-based web sites.

Default web application URL for resource group (CR40637)
The default URL for a web application is determined at a resource-group level. If a user has multiple resource groups assigned, the web application uses the default web page from the last resource group assigned to a user.

Problem for VLAN-based web applications with enabled cache (CR43445)
The Web Application Cache serves content by looking at the destination URL only. It does not consider the resource group of the requested resource. This can cause an invalid response to be served, if multiple resources across different resource groups are identified using the same URL. We recommend that you do not use the Web Application Cache in this situation.

Blank help and attachments windows in OWA (CR45150)
When you have more than one instance of Internet Explorer® running and you try to open help or the attachment window for email, the window might be blank. This occurs intermittently. You can click the Help button a second time to open the help. The attachment window might not work until you close the other browser instance.

Using special mode with OWA and iNotes (CR47039)
On some sites, the FirePass controller incorrectly detects Outlook® Web Access (OWA), or iNotes servers as running, even though they are not running. If this happens, do not configure the controller to automatically detect OWA or iNotes on the Portal Access : Web Applications : Content Processing : Global Settings screen using the Global Settings tab.

Web Application Type resets to generic (CR49541)
The Web Application Type resets to generic when you configure all these settings:

  1. Set a Favorite's Web application type to IBM iNotes, or OWA, in the Feature Web Applications area at the Portal Access: Web Applications: Content Processing screen using the Global Settings tab.

  2. Clear the Automatically detect hosts for OWA and iNotes check box and do not specify a corresponding host name.

  3. Add a new favorite and click the edit button at the Portal Access : Web Applications : Resources screen.

Cascading Style Sheets (CR52382)
With Internet Explorer® 5 and 6, cascading style sheets are not displayed correctly when you configure both these options at the Portal Access : Caching and Compression settings screen:

  • The Enable Compression. Saves bandwidth option in the Web Applications cache area
  • The cache nothing in the remote browser option in the Web Applications Global settings

This is an issue with Microsoft® Internet Explorer® versions 5 and 6.

Saving and opening attachments with DWA iNotes 6 Class module (CR52532)
With DWA iNotes 6 Class module, you cannot open or save some attachments through the FirePass controller reverse proxy engine. For the workaround, contact FirePass controller support group/team.

JavaScript and multi-byte characters (CR52640)
If your JavaScript uses multi-byte characters that include single quote ( ), double quote ( ) in any place or backslash ( \ ) before a quote, the FirePass controller partially displays the page, or the page is not displayed.

Netscape 4.79 and compression (CR52777)
If your end users are using Netscape® 4.79, you might need to disable compression in the Turn gzip Compression On or Off for webtop and Web Applications area at the Portal Access : Caching and Compression screen. This is a Netscape software problem.

IBM Lotus® Domino® Web Access server (iNotes) and Sametime applet (CR53332)
The Chat feature for the Sametime application does not work. For the workaround process, see How to use the Chat feature for Sametime application in the known issue section of this release note.

Reverse proxy and Citrix Metaframe ICA files (CR54315)
The reverse proxy cannot start App Tunnels from the correct server address when the Citrix® Metaframe® ICA file specifies the application name in the Address parameter and waits for the ICA client to resolve the name using the Citrix® name resolution protocol. To work around this issue, do one of the following:

  • Add a host entry to the FirePass controller that resolves the application name to the correct server IP address.

  • Configure server location for Citrix® NFuse. For more information about this topic, refer to the Web-server-side server location and Server location through sections of the Citrix ® NFuse Administrator's Guide.

Rewriting URLs and DWA (CR54864)
On the customized Lotus Notes Domino Web Access (DWA) welcome page, the FirePass controller fails to rewrite URLs in the Web Page and Quick Links panels.

Reverse proxy and alternative host/port-based bypass (CR54969)
With clustering, the alternative host/port-based bypass option does not work.

Mobile-Email favorites and the at ( @ ) symbol (CR58690)
Mobile E-mail might fail with some IMAP servers when you use a Mobile E-mail account name that contains at ( @ ) symbol.

IBM Lotus® Domino® Web Access server (iNotes) and Sametime (CR59639)
If the IBM Lotus Sametime® Java applet is installed on the IBM Lotus® Domino® Web Access server (DWA), and the server is configured to use the STLoginForm accessing mailbox over Web Applications, Sametime may fail and display an error message. To work around this issue, you enable a cookie pass-through. For the workaround process, see IBM Lotus® Domino® Web Access server (iNotes) and Sametime in the Workarounds for known issue section of this release note.

Reverse proxy and response code of 300 or higher (CR63729)
When a web server sends a response code of 300 or higher to the FirePass controller, the reverse proxy incorrectly removes the content from the response.

SharePoint profile (CR64197)
With SharePoint®, when a user attempts to make changes to his profile, such as the font type, font size, text color, and background color through the FirePass controller, the reverse proxy displays error messages.

Mobile E-mail and LDAP server (CR68826)
Mobile E-Mail requires additional back-end server configuration when your LDAP server. On the LDAP server, add an attribute with a string value in representing the FQDN of your mail server. On the FirePass controller, type this attribute in the Attribute for mail server: field (on Portal Access : Mobile-Email screen).

Portal Access, SSL termination, and SUN JRE (CR69009)
With Portal Access, you cannot run Java® applets at http://mg.mud.de/online/ under the following conditions if SSL termination is offloaded to an upstream BIG-IP® Local Traffic Manager and you are using SUN® JRE, version 1.5.0_06.

Portal Access and compatibility mode (CR69015)
With Portal Access, you cannot access some sites when you enabled the compatibility mode option. To view this option, select the Global Settings tab on the Portal Access : Web Applications: Content processing screen.

Reverse proxy, Internet Explorer, and Macromedia flash (CR69137)
On some sites, the FirePass controller reverse proxy cannot load Macromedia® Flash because of an Internet Explorer® software bug. To workaround this issue, check (enable) the box Don't enforce no-cache. Only use with trusted terminals on the Portal Access: Web Applications Caching and Compression screen.

Portal access and memory (CR69196)
With Portal Access, the FirePass controller might run out of memory when it is under a heavy load.

Macromedia flash and Internet Explorer (CR70214)
When a client uses Internet Explorer®, Macromedia® flash might not be able to load XML data during an SSL VPN connection. To work around this issue, scroll to the Web Applications Global Settings area and check (enable) the box Don't enforce no-cache. Only use with trusted terminals on the Portal Access : Caching and Compression screen.

External users, Portal Access, access control list (CR73279)
When Portal access is enabled, the system incorrectly adds the default master group's Access control list (ACL) to the user's master group ACL list under all these conditions:

  • You have not assigned resources to an external user's master group.
  • You enabled the Intranet Webtop for this master group.
  • You configure a Portal Access ACL for this master group.

To work around this issue, configure a resource group with no resources attached to it, and statically assign it to the master group.

Portal Access and comment tag (CR73917)
With Portal Access, when an HTML document head section contains a comment tag of this format<!--< another tag >--> where the NOT operator [ <!-- ] is immediately followed by the opening caret [ < ] without a space in between, the reverse proxy engine incorrectly rewrites this tag.

Mobile E-mail and Japanese characters (CR74551)
On Japanese FirePass controllers, on Mobile E-mail, when you add an account name for the first time, the system displays the name incorrectly under either one of the following conditions:

  • You are using Windows® XP, SP2 with Internet Explorer®, version 6.0.

  • You are using Windows Vista and Internet Explorer®, version 7.0.

To work around this issue, add the account name again.

Portal Access and ActiveSync (CR74556)
ActiveSync® fails if you enable these two settings:

  • You check (enable) the box Show administrator-defined favorites only (on the Portal Access : Web Applications : Master Group Settings screen).

  • You enable pattern-base bypass (in the Minimal Content-Rewriting Bypass area on the Portal Access : Web Applications : Master Group Settings screen).

Portal Access, Basic or NTLM authentication, compatibility mode (CR74794)
An HTTP process on the FirePass controller fails causing the browser to time out under the following conditions:

  • You access the application through Portal Access.

  • You use Basic or NTLM authentication (on the Portal Access : Web Applications : Master Group Settings screen).

  • You enable compatibility mode (on the Portal Access : Web Applications : Content Processing : Global Settings screen).

  • You disable proxy authentication and enable autologin ( on the Portal Access : Web Applications : Master Group Settings screen).

  • The FirePass users credentials are different from the application server.

  • The user enters incorrect credentials when he is prompted by the browser.

To work around this issue enable proxy authentication.

Firefox and cache cleaner (CR75115)
The cache cleaner does not clean Firefox cache.

Known issues for pre-logon and post logon inspection

Pre-logon infinite sequence (CR43509)
The pre-logon sequence functionality enables you to create a sequence that results in an infinite loop by choosing a sub-sequence that references itself as one of the final actions. If you create a sequence whose action includes a reference to itself, the end-user's browser halts during logon. To avoid this problem, make sure the final outcome of a sub-sequence is not a reference to the same sub-sequence.

Window flash during client logon (CR44889)
With a pre-logon sequence that scans for antivirus, the scanning component briefly posts an in-progress window after it scans each file. Within a second or so, the component removes the window. Therefore, during logon, users might experience window-flashes as they log on. The window does not take focus away from the active application, but users might see flashing in the background.

Displaying messages during pre-logon sequence (CR47197)
When you configure a pre-logon sequence and do not specify an action, the system does not display any warning or explanatory message to inform the user of the reason access is prohibited.

Using a comma with a sub-sequence (CR47336)
You cannot create a sub-sequence using a comma (,) at the Users : Endpoint Security : Pre-Logon Sequence screen in the Create New Sequence box.

Naming a subsequence (CR47337)
You must specify a unique name when you create a subsequence using the screen at Users : Endpoint Security : Pre-Logon Sequence : Create New Sequence : Create Subsequence.

Pre-logon sequence file checker (CR54431)
The pre-logon sequence file checker truncates a file name when the ampersand ( & ) character is present.

Pre-logon sequence and special characters (CR54495)
When you create a pre-logon sequence check, some special characters such as quotation marks, number sign, or ampersand, ( ", # , & ) are not displayed or truncated. If you name a pre-logon sequence using the number ( # ) sign, you cannot edit the sequence.

Protected workspace and printers (CR54716)
When you enable protected workspace and you do not want your users to print out documents, select No in the Allow user to use printers option at the protected workspace Inspector Details screen.

Antivirus database signature or engine version (CR54884)
With a pre-logon sequence check, when you specify an antivirus software to scan with the any supported option, the engine and database signature fields must be empty.

Endpoint security and scanning for antivirus software (CR56971)
With endpoint security, in rare cases, the antivirus scanning engine might incorrectly time out or lock up.

Protected workspace and erroneous messages (CR57453)
On German versions of Windows XP, when you use the protected Workspace, the FirePass controller displays an incorrect error message to users indicating that their browser had disabled cookies. However, protected workspace works correctly.

Internet Explorer and pre-logon sequence check (CR59072)
When you use Internet Explorer, version 5.0 with Windows 98, the browser locks when the FirePass controller performs a pre-logon sequence file or registry check on the client.

Firefox, protected workspace, cache cleanup control (CR60123)
When you use Firefox®, the cache cleanup control is disabled when you use browser and protected workspace. To view the cache cleanup control, navigate to the Users : Endpoint Security : Post-logon actions screen.

Applying a protected configuration to the webtop (CR64196)
With endpoint security, when you apply a protected configuration to the webtop and the user is denied access, the system does not explain to the user why access was denied and does not log the reason on the Reports : Logons screen.

Pre-logon sequence, virtual keyboard, protected workspace (CR64221)
If you upgraded from any release older than 5.4 to release 6.0.1, and you enabled the virtual keyboard before you upgraded, you can no longer disable the virtual keyboard. We recommend that you disable the virtual keyboard before you upgrade.

Pocket PC, full browser mode, and post-logon actions (CR70199)
When cache cleaner is enabled, the FirePass controller cannot detect the browser type for a Pocket PC and display the web page designed for that browser type. To view the cache cleaner feature, navigate to the Users : Endpoint Security : Post-logon actions screen.

Post-logon actions (CR70222)
The cache cleaner times out under all these conditions:

  • You use an Intranet Webtop.

  • You configure the Alternative Host/Port-based option (in the Minimal Content-Rewriting Bypass area at the Portal Access: Web Applications: Master Group settings screen).

  • You enable the option Force FirePass session termination if the browser or Webtop is closed (on the Users : Endpoint Security : Post Logon Actions screen).

Cluster and pre-logon sequence check (CR72234)
With a cluster, when a user fails to pass the pre-logon sequence check on a secondary node, the user is redirected to the master node, which incorrectly runs the pre-logon sequence check again.

Cache cleaner, Windows Explorer, Internet Explorer, version 6 (CR74989)
All instances of Internet Explorer® version 6 refresh when you make configuration changes to the screen Windows Explorer : Tools : Folder Options : View. The refresh causes the FirePass controller cache-cleaner component to terminate the user's session. This is an issue with Internet Explorer, version 6.

Known issues for Non-Windows clients

Windows inspectors on non-windows clients (CR75499)
In release 6.0 and later, when you use any Windows® inspectors in a pre-logon sequence path configured for Mac OS® X or Linux clients, the FirePass controller incorrectly asks users to install Inspection Host plug-in. To work around this issue, do not use Windows® inspectors in pre-logon sequence path configured for Mac OS® X or Linux clients.

Other known issues

IPSwitch IMail POP problem with My Email (CR34504)
A SASL authentication bug in IMail prevents use of POP. Using the FirePass controller to access email on IMail server results in erroneous authentication failures with My Email. However, you can use the IMail server configured for IMAP.

Misleading error using unsupported browser on Linux system for Network Access (CR37113)
If you use an unsupported browser (for example, Opera®) on a Linux® system to establish a Network Access connection, you receive a misleading error message: This is for Win32 OS only. In fact, you can establish a Network Access connection from x86-based Linux systems, but you must use a supported browser (Mozilla® 1.6 or 1.7). For a list of supported browsers, see supported browsers.

High traffic levels on Management port can cause 4100 platform to reboot unexpectedly (CR37341)
On the 4100 hardware platform, high levels of traffic through the Management port might cause the unit to reboot. The Management port is intended only for direct connection to the Administrative Console. We do not recommend connecting the FirePass controller to the LAN using this port. An unexpected 4100 reboot might occur if you connect to the Management port with a hub, due to high levels of traffic on the hub. Use a switch rather than a hub when connecting to the Management port.

Terminal services, Internet Explorer, and Macintosh (CR40618)
The FirePass controller does not support the following features on Macintosh® platforms:

  • Terminal services
  • Internet Explorer®

For more information about Macintosh operating system support, see SOL3364: FirePass support for Mac OS clients.

Restoring FIPS systems breaking imported key pairs (CR41278, CR41573)
If you have imported key pairs into a FIPS card and have reinitialized the card since making the most recent backup, then restoring your configuration might render some web services inaccessible. If you use FIPS and then, after restoring your configuration, you lose access to the Administrative Console, use the Maintenance account to reinitialize the FIPS card. To correct your configuration, re-import the key pairs you need.

Local redirect instead of full redirect with < DNS (CR42669)
If you attempt a full redirect, from admin to admin/, and DNS is not correctly configured, you actually get a local redirect. This problem does not occur if the DNS entry is configured correctly.

Redirect in frame (CR42676)
The redirect to an unlicensed screen might occur in a frame when a timeout interval has elapsed.

Windows 98 and Internet Explorer (CR47040)
If a client is using Windows® 98, Internet Explorer, version 5.0 does not work. To work around this issue, we recommend upgrading your client to Internet Explorer, version 5.5 or later.

Warning message on a webtop (CR47453, CR48630)
When you configure master groups with the system warnings set to Don't Use at the User Experience tab of the Users : Groups : Master Groups screen, an erroneous warning message appears on the users' webtop.

FirePass 4100 and ARP requests (CR49240)
On a FirePass controller 4100 system, a non-management port responds to ARP requests for the management ports IP address 192.168.0.99 when no cable is attached to the management port.

64-bit processing for Windows (CR51670)
The 6.0.1 version does not support FirePass controller client components on 64-bit editions of Windows® XP and Windows Vista.

SuSE 9.1 and Network Access (CR52429)
If you have enabled your firewall on your LINUX machine, you must allow both TCP incoming and outgoing traffic for loop back IP address 127.0.0.1 on port 44444. Otherwise, the Network Access tunnel is disconnected because no traffic can go through Network Access tunnel.

Using backup file names (CR53631)
You cannot restore a file that contains special characters in the file name. When you can create a backup of a current configuration or save zip files, do not use special characters, such as ` ~ ! @ # $ % ^ in the file name.

Offloading SSL to BIG-IP Local Traffic Manager (CR54047)
When you configure the FirePass controller to offload SSL processing to an upstream BIG-IP® Local Traffic Manager, at least one SSL web service must be configured on the controller to overcome an existing configuration limitation on the controller. The FirePass controller requires configuration of at least one SSL web service to complete the finalize operation.

Intel Mac and Network Access client (CR59504)
The FirePass controller Network Access client does not work on Intel-based Macintoshes. To work around this issue, refer to SOL6468: FirePass support for Intel-based Macintosh.

Installing the F5 FirePass controller client and Linux Core Fedora 4 (CR59758)
When you attempt to install the F5 FirePass controller client (using the root password) on to a PC that is running Linux Core Fedora 4, the automatic installation might fail. If this happens, the user must manually install the client using a sudo password that is provided by their administrator.

FirePass Client Component Package and Windows 2000, service pack 4 (CR62854)
When you have power user rights, you cannot install the F5 Networks FirePass Client Component Package on to a PC running Windows 2000, service pack 4. To work around this issue, install the F5 Networks FirePass Client Component Package with administrative rights.

Synchronizing a failover pair or cluster and customization (CR63237)
With a failover pair or cluster, if you configure a large amount of customization data (on the Device Management: Customization screen), the failover pair or cluster might fail to synchronize.

Adding a new browser type and UTF-8 (CR63486)
When you add a new browser type for a Desktop or Pocket PC browser (on the Device Management : Configuration : New Browsers screen), the FirePass controller incorrectly sets the UTF-8 setting to No instead of Yes. As a result, users can longer access the logon page when they select the UTF-8 character set.

Recovering ActiveX settings from a backup file (CR63836)
When you upgrade to 6.0.1 from any previous releases or restore your configuration from a backup file that was created on a previous release, the Disable top level ActiveX controls update and Use Java for installation settings (on the Device Management : Configuration : Client Update) are lost.

Desktop Access Webifyer displayed on user's Webtop (CR64027)
If you have enabled the option Always default to FirePass Webtop, even when Desktop is allowed and then upgrade to release 6.0.1, the FirePass controller incorrectly displays the Desktop Activation password screen on the users webtop. To fix this issue, reset your advanced customization settings to the default settings on the Device Management : Customization; Global Customization screen.

Windows dialer and Winlogon integration settings (CR64070)
Winlogon integration might not work on clients running Windows® XP, Service Pack 1, if another remote access connection program (for example, an MSN dialer) is installed on the client because of a Windows® XP software issue. To correct this issue, apply the Windows XP, Service Pack 2 onto these clients.

Uninstalling the Windows logon component and dial up entries (CR64292)
When you remove the Windows logon component from the F5 client using the Start: Control Panel: Add/Remove : Change or Remove Programs screen, the system sometimes fails to remove the F5 dial up entry.

F5 FirePass controller client, dynamic group mapping, signup by templates (CR64294)
When you use the F5 FirePass controller client (or just the Windows Logon Integration) with dynamic group mapping, you must check the sign-up by template option Bypass signup by template form and enter user information later. You do this by selecting the master group at the Users : Group: Master Groups screen and then selecting the Signup by templates tab. In general, for Windows Logon Integration we recommend using external user groups or initially importing the users (for local user groups) instead of using the signup by template feature.

Command-line interface and F5 FirePass controller client (CR64647)
With the F5 FirePass controller client, when you use the command-line interface you must specify the short cut of an option, you cannot use the full text of the option. For example, the short cut version for help, /h, works but the long version, /help, does not.

FirePass controller client and protected workspace (CR64659)
The FirePass controller client does not work with the protected workspace feature.

Firefox and post-logon actions (CR64678)
With Network Access, Firefox® version 1.5 displays an erroneous security message when you enable post-logon actions. To view post-logon actions, navigate to the Users : Endpoint Security : Post-logon actions screen.

Standalone Client Simple/Advanced mode switching (CR64955)
Switching from simple to advanced modes (and the reverse) in the Standalone Client with active connections results in lost connections and incorrect connection status. Please configure simple or advanced modes before starting active connections.

Standalone Client limitations (CR65069)
The Standalone Client does not save passwords under Windows ® 98.

The Standalone Client is not well integrated with the Protected Workspace feature. When the user starts Protected Workspace, the Standalone Client does not automatically restart, too

ActiveX controls, administrator rights, and encrypted temporary folder (CR69475)
When encryption is enabled on the %temp% folder, and a user with administrative rights installs ActiveX® controls through Internet Explorer®, users without administrative rights cannot use these controls because Internet Explorer® encrypts them in the Downloaded Program Files folder.

One arm configuration and GARP (CR69815)
In an one arm failover configuration, in rare instances, the system might not send out GARP.

Cluster load balancing and collected data during a pre-logon sequence check (CR70817)
Logging on by administrative users does not work under the following conditions:

  • The system administrator already disabled cluster loading balancing or enabled users to select a cluster node on the logon page.

  • For the pre-logon sequence check, the system administrator selected the option Require valid pre-logon data for logon.

  • The user is directed to cluster secondary node by an external load balancer or manually selects a secondary node on the masters logon page.

Cluster and user names with special characters (CR70818)
When you disable load balancing in a cluster, the system does not redirect users with administrative privileges to the primary node when their user names contain special characters.

Network Access, App Tunnels, and Autolaunch (CR72030)
When you enable autolaunch for Network Access and App Tunnels simultaneously, Autolaunch might not work. Under these circumstances, we do not recommend setting autolaunch for both Network Access and App Tunnels.

4100 platform and restoring a snapshot (CR73856)
On 4100 platforms, you must power cycle the FirePass controller after you restore a snapshot.

IPv6 (CR73885)
This version of the FirePass controller does not support IPv6.

FirePass client and displaying a Webtop (CR73923)
When the user connects to the FirePass controller for the first time with the FirePass controller client, the client incorrectly displays the users Webtop in its window under the following conditions:

  • The user belongs to master group with local users and external authentication.

  • The system administrator enabled Signup Template and checked (enabled) the box Bypass signup by template form and enter user information later for the users master group. To view this option, select a master group on the Users : Groups : Master Groups screen. Then click the Signup Templates tab.

  • The system administrator enabled gzip compression on the FirePass controller (in the Turn gzip Compression On or Off for Webtop and Web Applications area on the Portal Access : Web Applications : Caching and Compression screen).

  • The system administrator disabled the FirePass controller client option Use legacy prompt (in the Standalone Client Settings area on the Device Management : Client Downloads : Windows (x86).

  • The user enabled HTTP 1.1 in Internet Explorer®.

To work around this issue, disable gzip compression on the Portal Access : Web Applications : Caching and Compression screen or disable HTTP 1.1. in Internet Explorer® .

Signup template and cache cleaner (CR73924)
The FirePass controller incorrectly displays the signup by templateform to the user under all these conditions:  

  • The user logs on to the FirePass controller for the first time.  
  • The user skips loading the loading the cache cleaner.   ·
  • The administrator had enable the option Bypass signup by template form and enter user information later.
    (To view this option, navigate to the User : Groups : Master Groups screen, select a master group, then click the Signup Templates tab).

Redundant system and synchronization (CR74379)
With a redundant system, the following the settings are not synchronized:

  • Admin E-Mail Address and E-Mail From Name (on the Device Management : Configuration : Admin E-Mail screen)

  • Global re-authentication timeout (on the Device Management : Security: Timeouts screen)

  • IPsec (on the Device Management : Security : IPsec Configuration screen)

  • Time (on the Device Management : Configuration : Time screen )

  • User Session Lockout (on the Device Management : Maintenance : User Session Lockout screen)

Failover pair, IP group filters and warning message (CR74866)
Under certain conditions, the redundant system incorrectly displays a message to each node that your IP group filters have changed and that you need to click the Apply button to save your changes. These are the conditions:

  1. You added a new IP group filter rule on the active system.

  2. The active system was synchronized to the standby system.

  3. You did not click the Apply button on the active unit.

  4. You restarted the active system and it became the standby system.

WINS only name resolution and Windows Files access (CR75114)
Users cannot access remote file shares using Windows Files if the first WINS server is not accessible and WINS only name resolution is configured in the master group settings.

Dynamic App Tunnels, Firefox, and updating FirePass client components (CR75312)
You cannot install FirePass controller client components onto the client when you use Dynamic App Tunnels and the Firefox® browser.  To work around this issue, install them on the client with Microsoft® Installer Package (MSI), or start Dynamic App Tunnels ( at least once) with Internet Explorer®. After that you no longer need to use Internet Explorer® to start Dynamic App Tunnels. You can use the Firefox® browser.

System load monitor screen and upgrading from 5.5.2 (CR75936)
 When you upgrade from release 5.5.2 to 6.0.1, FirePass controller incorrectly displays some graphics on the Device Management : Monitoring : System Load screen. To work around this issue, navigate to this screen and click the link Click here to zeroinit the load monitor database.

[ Top ]

 

 

 


Localization known issues

Viewing EUC or JIS encoded Japanese text files (CR30091)
On a Japanese FirePass controller, when you display a text file from a UNIX® (NFS) server, My UNIX Files always assumes Shift-JIS encoding, even when the browser is set to auto-detect the encoding of the document. As a result, NFS documents that use Japanese Industrial Standard (JIS) or Extended UNIX Coding (EUC) encoding do not display correctly.

Euro symbol in password (CR30346)
When you configure a group that uses NTLM authentication that uses a Windows® 2000 Primary Domain Controller, and you also use the signup by template feature, the FirePass controller does not correctly send passwords containing a (Euro currency) symbol. Please advise new users not to use this symbol when they select their passwords.

Localization of pre-defined actions (CR44620)
In non-English systems, the pre-logon sequence screen lists the pre-defined actions in English.

Localization of pre-defined templates (CR44798)
In non-English systems, the Protected Configurations screen shows the pre-defined templates in English.

Local update (CR54564)
The FirePass controller displays an error message when all the following conditions occur:

  • You are running Chinese version of Windows® XP or Japanese version of Windows® 2000 professional.
  • You configure the controller in Simplified Chinese, Traditional Chinese, and English, Japanese.
  • You perform a local update at the Device Management: Maintenance : Local Update screen without a specifying a password.

Displaying top-level Windows folders in languages other than English (CR58392)
The FirePass controller cannot display top-level Windows folders in languages other than English when the names are greater than 6 double bytes size.

Japanese FirePass controllers, Network Access, and Windows 2000 (CR62856)
On Japanese FirePass controllers, with Network Access, users on Windows 2000 clients might not be able to access the FirePass controller because of Microsoft® software issue. To solve this issue, apply the Microsoft® Windows 2000 patch KB896424 to these clients.

F5 FirePass controller client and Japanese FirePass controllers (CR64671)
With Japanese FirePass controllers, on the F5 FirePass controller client, the user name and password prompt are not localized.

Displaying the system load (CR64703)
After you upgrade to release 6.0.1, the FirePass controller might not display the system load correctly on the Device Management : Monitoring : System Load screen. To resolve this issue, scroll to the bottom of this screen and click the Click here to zeroinit the load monitor database link.

 

[ Top ]

Workarounds for known issues

The following section describes a workarounds for the corresponding known issue listed in the previous section.

How to use the Chat feature for the Sametime Application (CR53332)

This workaround describes how use the Chat feature for the Sametime application (when it is installed on your iNotes server)

  1. In Administrative Console, in the navigation pane, click Portal Access, expand Web Applications and click Content Processing, and click the Global Settings tab.

  2. Below the Java Byte Code Rewriting area, click on Show Java tuning link.
    The Java Applet Tuning options appear below the Java Byte Code Rewriting area.
    Note: Do not click the Update button. You might need to click the Show Java tuning link twice.

  3. In Archive, type an * (asterisk)

  4. In Class, type an * (asterisk)

  5. In Method, type getCommand(0)

  6. Click the Add button.

Importing user accounts from a file (CR57827)
This workaround describes how to set the Mobile Email experience to Beginner so that you can successfully import users at the Users : Users Management screen.

  1. On the Administrative Console, in the navigation pane, click Users, expand Groups, click Master Groups.

  2. In the Group Name column select a master group.

  3. Click the User Experience tab.

  4. Go to the area titled Select and order FirePass Webtop Webifyers.

  5. Scroll down to Mobile E-mail and select Beginner

  6. Click the Update button.

IBM Lotus® Domino® Web Access server (iNotes) and Sametime (CR59639)
This workaround describes how to enable a cookie pass-through on the FirePass controller with Lotus® Domino® Web Access server and Sametime

  1. On the Administrative Console, in the navigation pane, click Portal Access, click Web Applications, click Content Processing, and click the Global Settings tab.  

  2. Check the box for Do not block cookies at FirePass.

  3. In the Do not block cookies at FirePass box; type one of the following:

    • An ( * ) asterisk.  The * passes all cookies through the FirePass controller for all configured web applications.

    • The host name of your DWA server; for example, *://dwa-server-hostname*,  to the list of URLs so that cookies are passed through the FirePass controller from the specified DWA server.

  4. Click the Update button.

  5. Click the services restart link to restart FirePass controller services.

FirePass client components and limited privilege account (CR74572)
This workaround describes how to remove and upgrade FirePass client components on a Windows Vista™ client.

  1. On Windows Vista™ client, log on with a privileged account.

  2. Download the Windows Component Installer Service on to the client.

  3. Install the FirePass client components with the client component package using a privileged account.

<Disable top level ActiveX controls update option and Windows Vista (CR74763)
This workaround describes how to allow Windows Vista™ clients access to the FirePass controller. Take either of the following steps to work around this issue.

• Navigate to the Device Management: Configuration : Client Update screen and clear (disable) the check box Disable top level ActiveX controls update.

• Make sure the 6.0.1 FirePass client components are already installed on the user’s PC.

Network Access, Windows Vista, and removing Network Access components (CR75184)
This workaround describes how to remove the F5 Networks VPN manager component from a end user's PC and then how to download the 6.0.1 FirePass controller client components from a FirePass controller running version 6.0.1.

  1. On Internet Explorer® version 7, navigate to Tools : Manage Add-ons : Enable or Disable Add-ons  screen.
    The Enable or Disable Add-ons  screen opens.

  2. On the top of the screen, select Downloaded Active-X controls option.

  3. Select the F5 Networks VPN manager control.

  4. At the bottom right of the screen, click the Delete button to delete this control.

Now users can reinstall the FirePass controller components with the Microsoft® Installer Package (MSI) or automatically through their browser when they access the FirePass controller running version 6.0.1.

Windows Vista and modify windows logon integration dial up entry (CR75429)
This workaround describes how to modify a Windows logon integration dial up entry on Windows Vista clients.

  1. On the Windows Vista client, press the Windows® icon.
    The Program screen opens.

  2. Run rasphone.exe as an administrator.
    The network connection screen opens.

  3. In network connection, select the Windows logon integration dial up entry that you want to modify.

  4. Click the edit button.

[ Top ]


Was this resource helpful in solving your issue?




NOTE: Please do not provide personal information.



Incorrect answer. Please try again: Please enter the words to the right: Please enter the numbers you hear:

Additional Comments (optional)