Applies To:

Show Versions Show Versions

Release Note: FirePass Controller version 6.0.2
Release Note

Updated Date: 08/30/2013


This release note documents the version 6.0.2 feature release of the FirePass controller. To review the features introduced in this release, see New features and fixes in this release. For existing customers, you can apply the software upgrade to version 5.5 and later. For information about installing the software, please refer to Installing the software.

Note: F5 now offers both feature releases and maintenance releases. For more information on our new release policies, please see Description of the F5 Networks software version number format.

Note: The FirePass® 4000 is not supported with this release. Please see SOL7992: End of Software Development for FirePass 4000 FAQ for more information.


- User documentation for this release
- Minimum system requirements and supported browsers
- Installing the software
- New features and fixes in this release
     - New features in this release
     - Fixes in this release
- Known issues
     - Known issues for administration
     - Known issues for authentication
     - Known issues for Application Access
     - Known issues for Network Access
     - Known issues for Portal Access
     - Known issues for pre-logon and post logon inspection
     - Known issues for clients
     - Localization known issues
     - Other known issues
- Workarounds for known issues
     - How to resolve reverse proxy issues with Citrix MetaFrame ICA files (CR54315)
     - Windows Vista and modify windows logon integration dial up entry(CR75429)
- Contacting F5 Networks

User documentation for this release

In addition to these release notes, the following user documentation is relevant to this release.

You can find the product documentation and the Solutions database on the AskF5 Technical Support web site.

Minimum system requirements and supported browsers

The minimum system requirements for this release include the listed FirePass software version, and are specific to your operating system.

FirePass software version

Version 5.5 or later software for the FirePass controller is required. All 5.5 system requirements also apply to this release.

Microsoft Windows

  • Windows® 2000 SP4
  • Windows® XP Professional and Home Edition (see note about the Microsoft update needed for Windows XP Service Pack 2)
  • Windows® XP 64-bit
  • Windows® 2003 server
  • Windows® Vista™
  • Windows® Vista™ 64-bit
  • Windows® Mobile™ 2003 (Microsoft® Pocket PC™ 2003 and Microsoft® Pocket PC™ Phone Edition 2003)
  • Windows® Mobile 5 (Windows Mobile for Pocket PC, Windows Mobile for Pocket PC™ Phone Edition, Windows Mobile for Smartphone)
  • Windows® Mobile 6 (Windows Mobile 6 Classic, Windows Mobile 6 Professional, Windows Mobile 6 Standard)


  • Apple® Mac OS® X 10.3.x and 10.4.x ( Power PC and Intel-based platforms). Mac OS® X platforms are supported for Network Access and Portal Access.

For information about Intel-based Macintosh support, refer to the New features and fixes in this release section.


The following supported Linux platforms require workstations with libc version 2 and later, Kernel support for PPP interfaces (loadable module or static) and the pppd program in the correct directory (typically /usr/sbin or /usr/bin). Linux platforms are supported for Network Access and for Legacy Hosts (Java and HTML plugins only). 64-bit Linux clients are not supported.

  • Debian® 3.1r0a
  • Fedora™ Core 6
  • Slackware® 10.1
  • SuSE® 10.x Professional and OpenSuSE® 10.x
  • TurboLinux® Desktop
  • Ubuntu® 7.04

Supported browsers

The supported browsers for remote access through the FirePass controller are:

  • Firefox® 2.0.x
  • Microsoft® Internet Explorer® 6.0, or 7
  • NTT DoCoMo™ i-mode® browser
  • OpenWave® WAP browser
  • Safari® 1.x on Apple® Mac OS® 10.3.x systems
  • Safari® 2.0 on Apple® Mac OS® X 10.4.x systems (Power PC and Intel-based platforms)
  • Safari® on Apple® iPhone™
  • Firefox® 2.0.x on Apple® Mac OS® X 10.3.x, 10.4.x systems

Certified applications for Portal Access Web Applications feature

  • Microsoft® Outlook® Web Access (OWA) 2000, 2003, 2007
  • Microsoft® SharePoint® 2003, 2007, and Services 3.0
  • IBM Lotus® Domino® Web Access (including Sametime) 6.5, 7.0
  • Oracle® Portal 3.0 (Oracle 10g Portal)
  • Oracle® Siebel Call Center 7.7
  • Oracle® PeopleSoft Portal 8.1 and PeopleSoft HR 8.1
  • SAP® ERP Central Component (ECC) 2005 and SAP NetWeaver® 7.0 (2004s) SP12

Browser type compatibility matrix

The following table lists favorites and supported browser types. The plus sign (+) indicates that the browser type is supported by the FirePass controller.

Favorite Full Browser Mini-Browser (i-mode) Pocket PC™ WML
App Tunnels +      
Dynamic App Tunnels (Windows® 2000, XP, and Vista™ only +      
Mobile-Email + + + +
Network Access +   +  
Terminal Services +      
Web Applications + +    
Windows Files + + + +

[ Top ]

Supported platforms

This release supports the following platforms:

  • FirePass® 1000
  • FirePass® 1200
  • FirePass® 4100
  • FirePass® 4300

Note: The FirePass® 4000 is not supported with this release. Please see SOL7992: End of Software Development for FirePass 4000 FAQ for more information.

If you are unsure which platform you have, look at the sticker on the back of the chassis to find the platform number.

[ Top ]

Supported antivirus and firewalls

This release supports a variety of antivirus and firewall software. To use antivirus and firewall software inspectors with a pre-logon sequence check, you might need to reactive your license. To view supported antivirus and firewall software, click one of the following links. Each link references a separate document, unique to the particular operating system.

[ Top ]

Installing the software

The following instructions explain how to install the FirePass controller version 6.0.2 onto existing systems running version 5.5 or later.

Warning: Prior to upgrading any FirePass controller, it is important to finalize all your network configuration settings. To do this, on the navigation pane, click Device Management, expand Configuration, and click Network Configuration. Click the Finalize tab at the upper right to finalize your network configuration changes. If the Finalize tab does not appear on the Network Configuration screen, your configuration has been finalized.

Warning: We have moved group-based policy routing from resource groups to master groups at the Users : Groups : Master Groups screen. If you are upgrading to version 6.0.2 from a release earlier than version 5.5, you must manually create new associations between your master groups and any routing tables that were associated with resource groups. Routing tables are no longer associated with resource groups. Before you upgrade, we recommend that you record these routing tables. For more information, refer to SOL5502: Overview of routing table configuration and conversion in FirePass version 5.5 on AskF5sm.

Warning: The version 6.0.2 software uses a new heartbeat module, which is only compatible with releases 5.5 and later. If upgrading from a release earlier than 5.5, refer to SOL4467: Best practice: Upgrading a redundant pair of FirePass controllers to prevent potential IP address conflicts due to an incompatible heartbeat modules.

Warning: If you upgraded from any release older than 5.4 to release 6.0.2 and you enabled the virtual keyboard before you upgraded, you can no longer disable the virtual keyboard. We recommend that you disable the virtual keyboard before you upgrade.

Important: Back up the FirePass controller current configuration before upgrading the controller. If you have a newer FirePass controller, use the Snapshot feature to back up the entire controller configuration. For more information, refer to SOL3244: Backing up and restoring FirePass system software on AskF5sm. To back up older FirePass controllers, click Device Management on the navigation pane, expand Maintenance, and click Backup/Restore. Click the Create backup of your current configuration link to back up the FirePass controller configuration. See the online help for details.

Note: If you are running any version previous to FirePass version 5.0, you must first upgrade to version 5.0 before upgrading to 6.0.2. For instructions for upgrading to version 5.0, see SOL4272: Upgrading a version 4.x FirePass controller to version 5.0 on AskF5sm.

Note: Once you upgrade the FirePass controller to version 6.0.2, you cannot downgrade to any previous version. For more information, see SOL2847: Downgrading to a previous FirePass software version on AskF5sm.

Upgrading from version 5.5 or later

The following instructions explain how to install FirePass version 6.0.2 onto existing systems running version 5.5 or later.

Important: You must have an active service contract to upgrade to release 6.0.2. If you have a current service contract, re-activate your license and then resume installation. If your service expiration date is prior to the date you are doing the upgrade, you need to reactive your license. The service expiration date is located on the Device Management : Maintenance: Activate License screen.

Important: With release 6.0 and later, we have removed the Desktop Adapter, UNIX Adapter, and VASCO DigiPass authentication features. When you upgrade to release 6.0 or later, these features will not be supported or available. Before upgrading to the 6.0.2 release, please review the FirePass controller configuration and remove any configuration settings and Favorites associated with these features. To continue using any of these three features you must use the 5.5.x release. For more information about the end of life policy for these features please refer to SOL5492: FAQ for the End of Life Announcement of the Desktop Access, VASCO Built-in Server, Unix Adapter and Solaris Client Support Features in FirePass.

To upgrade to version 6.0.2
  1. Create a snapshot of the current FirePass controller.  For details about how to do this, refer to SOL3244 at SOL3244: Backing up and restoring FirePass system software.

  2. On the Administrative Console, in the navigation pane, click Device Management, expand Maintenance, and click Backup/Restore.

  3. Create a backup of your current configuration.
    For details about how to do this, refer to the online help on this screen.

  4. In the navigation pane, click Device Management, expand Security, and click Timeouts.
    The Timeouts screen opens.

  5. Temporarily change the option Global inactivity timeout to a large value, such as 8 hours, so that the upgrade process does not time out while downloading the image.

  6. Disable all pop-up blockers in your web browser so that any generated error messages during the upgrade process (local upgrade or on-line upgrade) are displayed.

  7. In the navigation pane, click Device Management, expand Maintenance, and click User Session Lockout.
    The User Session Lockout screen opens.

  8. Configure the following user session lockout options.

    1. In the User Session Lockout area, check the Lockout new user sessions option to prevent any new FirePass controller users from logging on.

    2. In the Kill Current Sessions area, click the Kill all sessions (except this one) link to log off all current FirePass controller users.

  9. In the navigation pane, click Device Management, expand Maintenance, and click Activate License.
    The Active License screen opens.

  10. Active the license using the Automatic registration method.

    1. Select the Automatic registration method.
      For information on how to use the Manual registration method, see the online help on this screen.

    2. Scroll to the bottom of the screen and click the Request License button to reactivate your license.
      The system displays the new license.

    3. Scroll to the Service check date field in the returned license file and make sure that the date is after 05/01/06.
      Note: If this date is after 05/01/06, the system allows you to upgrade to the 6.0.2 release; otherwise the upgrade fails and the system displays an error message after the image is downloaded. If you need a new service contract, contact F5 Sales.

    4. Click the Continue button to install and activate the new license.
      The system displays the following message: License successfully activated.

    5. Click the Continue button.

  11. In the navigation pane, click Device Management, expand Maintenance, and click Online Update.
    The screen displays a list of available FirePass software releases.
    Alternatively, you can perform a local image update. See the next section for this procedure.

  12. Select the link for Release 6.0.2 for your language to upgrade the FirePass controller.

Upgrading from version 5.5 or later using the Local Update feature

The following instructions explain how to download and install FirePass version 6.0.2 onto existing systems running version 5.5 or later using the local upgrade mechanism.

To upgrade to version 6.0.2, you can use the F5 Electronic Software Distribution site to download the new software image at You can then follow the installation instructions below to install the new image.

To download the upgrade

To download the software upgrade, you must first create an account at This site uses an F5 single sign-on account for technical support and downloads. After you create an account, you can log on and download the FirePass version 6.0.2 release installation image.

  1. Using a web browser connected to the internet, go to
    The F5 Sign-on screen opens.

  2. In the User Email box, type the email address associated with your F5 technical support account.

  3. In the Password box, type the password.

  4. Click the Login button.
    The Overview screen opens and provides notes about using the Downloads site.

  5. Click the Find a Download button.
    The Product Lines screen opens listing all F5 product families.

  6. Locate the FirePass product family and click the adjacent FirePass link.
    The Product Version screen opens, listing the available download containers for the current product version.

  7. Click the release link for version 6.0.2.
    The End User License Agreement screen opens.

  8. Read the license agreement, and click I Accept to agree to the terms of the license.
    The Select a Download screen opens.

  9. Click the FP-6.02-20071001-tar.gz.enc link to begin downloading the upgrade image to your local system.
    The Select Download Method screen opens.

  10. Click an option indicating the method you want to use to download the file.

To install the upgrade
  1. Log on to the Administrative Console.

  2. On the navigation pane, expand Maintenance and click Local Update.
    The Local Update screen opens.

  3. Type F5Networks for the Password box.

  4. For the File setting, click Browse.
    A dialog box opens.

  5. Using the dialog box, browse to the location where you downloaded the FP-6.02-20071001-tar.gz.enc file in step 9 of the previous procedure.

  6. Using the dialog box, click the FP-6.02-20071001-tar.gz.enc file name to select it, then click the Open button.
    The dialog box closes, and a path name appears in the File Name box.

  7. Click the Submit button.
    The upgrade may take some time to complete. When finished, the FirePass controller automatically reboots.

[ Top ]

New features and fixes in this release

This release includes the following fixes and enhancements.

New features in this release

Windows Mobile Network Access
We now support Windows® Mobile 5.0 and 6.0 (includes Smartphones™ and native Connection Manager integration). For more information on how to install and set up mobile devices, refer to the FirePass SSL VPN Mobile Devices Installation documentation on the AskF5 Technical Support web site.

Intel Mac Network Access
We now support Network Access connections on Intel®- based Mac platforms.

iPhone support
We now support the Apple iPhone. Support for the iPhone includes Web applications, Windows Files, and Mobile Email.

New Web Applications Engine
The FirePass version 6.0.2 release provides a new Portal Access Web Applications engine designed to support a broader set of complex web applications. This Web Applications engine includes significantly more powerful HTML and JavaScript parsing and patching capabilities than previous Web Applications engines. A larger number of standard web applications are qualified with the new Web Applications engine, and we expect that the need for application-specific FirePass controller Web Applications configuration changes (for example, minimal content-rewriting bypass and content processing scripts) will be greatly reduced.
Note: We have not updated the existing Flash and Java applet parsing/patching capabilities as part of the new Portal Access (Web Applications) engine.
Note: By default, the new Web Applications engine is not enabled. To enable the new engine, navigate to the Portal Access: Web Applications: Content Processing: Global Settings screen, and clear the check box for Compatibility Mode in the Web Applications Global Settings section.

Web Application Access Control Exception error page customization
In this release, you can now customize a FirePass controller's Web Application Access Control exception error page when you encounter a Deny ACL. To perform this task, create an HTML page called The file should contain the following variables: %F5_MSG_TITLE%, %F5_MSG%, and %F5_URL%. Once you have created this file, upload it to the FirePass controller as you would normally do with any other customizable pages. For more information, from the Administrative Console, go to the Device Management: Customization: Global: Advanced WebDAV customization section of the online help.

Active Directory authentication and UPN names
With this release, you can now authenticate users against Active Directory using their user principal names (UPN). From the Administrative Console, navigate to Groups: Master Groups, and select the Authentication tab. Fill in the required fields, and check the Forest Mode check box.

Two-factor authentication with a client certificate and LDAP
We have enhanced this feature since the last release by providing a two-factor authentication method that requires the user to present a valid client certificate, which is verified against the LDAP database. You can use this method if you have a client root certificate authority tied to the LDAP database, where certificates are generated based on information stored in the LDAP database. Previously, only Active Directory was available to perform the two-factor authentication method by selecting the Perform additional client certificate check against Active Directory attribute check box. Now, the obsolete check box is replaced by a new list, called Perform additional client certificate checking using, along with three new options: None, Active Directory, and LDAP.

ROHS FIPS card support
We now support the RoHS (Directive on the Restriction of the Use of Certain Hazardous Substances in Electrical and Electronic Equipment) FIPS (Federal Information Processing Standards) card which gives new versions of FirePass 4100 and 4300 platforms certified support for FIPS acceleration cards. This card replaces the non-RoHS FIPS card for all FirePass controllers.

64-bit driver support (XP/Vista)
To support 64-bit operating systems, we now provide both Windows XP 64-bit AMD/Intel and Windows Vista™ 64-bit AMD/Intel drivers. The correct version of the driver is installed automatically during the initial Network Access client installation. The end-user experience of running Network Access on 64-bit Windows does not change from previous releases.
Note: You must run Internet Explorer in 32-bit mode in Windows XP 64-bit and Windows Vista™ 64-bit operating systems.

Citrix session reliability
The FirePass controller now includes support for Citrix® Session Reliability in Terminal Services, Static AppTunnels, and Portal Access modes. Since the main ICA connections between the Citrix ICA clients and MetaFrame servers has been changed from port 1494 to port 2598, when Session reliability is enabled, the Citrix ICA client automatically reconnects if the connection to the remote host is dropped. The Remote user session continues to run without requiring the users to re-enter credentials. To enable Session Reliability, create a Terminal Server favorite, check the Session Reliability (Citrix-only) option, and specify a remote TCP port. The default port is 2598.

Dynamic Resource Group Mapping in Master Groups
To improve flexibility of user authorization, master groups can use dynamic resource group mapping. In addition to Global Dynamic Master Group and Resource Group Mapping, Dynamic Resource Mapping can be done separately for each master group. This feature authenticates users against multiple sources of the same type. Each Master Group can dynamically map resources using its own combination of Active Directory, LDAP, and Windows Domain or RADIUS methods. See the online help for more information on how to set up this feature.

Flexible query for client certificate and Active Directory (CR63663)
Previously, client certificate and Active Directory authentication required that user records be retrieved from Active Directory using the sAMAccountName attribute and the user name extracted from the client certificate based on global settings. Now, you can retrieve user records based on arbitrary AD attributes by using flexible filter expressions in the form of attribute=value, where value can contain variables such as %username% %logon%, or %certfield%. To use this feature, navigate to the Users: Groups: Master Groups screen. From the Perform additional client certificate checking using list, select Active Directory.

Cluster Log Consolidation feature no longer available (CR80857)
The Cluster Log Consolidation feature is no longer available for FirePass controller. For more information, see SOL7537: Cluster Log Consolidation Feature.

Screen resolution for terminal servers changes
With this release, you can now specify screen resolution of a Terminal Server window such as an RDP (Microsoft Terminal Server), ICA (Citrix®), and VNC window. You can specify the Terminal Server screen resolution separately for each Terminal Server favorite. When you add or edit a Terminal Server favorite on the Application Access: Terminal Servers: Resources screen, you can select a screen resolution from the Screen resolution list, or you can select the option to use the settings from the master group.

Windows Vista drive mapping support
FirePass controller now supports drive mapping on Windows Vista™ clients.

Windows Vista Protected Workspace support
FirePass controller now supports protected workspace on Windows Vista™ clients. The Microsoft fix KB 935885 fix is required for Vista™ Protected Workspace to run properly. Refer to Microsoft KB 935855 for more information.

Windows Vista StoneWall IP filtering support
In this release, you can now use the integrated IP Filtering Engine with Windows Vista™ . From the Administrative Console, select Network Access: Resources: Client Policy. Check the Enable Integrated IP Filtering Engine check box. This option is available only if Split Tunneling is previously enabled. Please note that this version does not support IP traffic filtering if McAfee® antivirus is installed on Windows XP . However, this version does support IP filtering if McAfee antivirus is installed on Windows Vista™.

Client certificate passwordless authentication for Pocket PC and Windows Mobile 5.0 and 6.0 devices
Users with Pocket PC and Windows Mobile 5.0 and 6.0 devices can authenticate without a password if they have a client certificate installed that matches the FirePass root certificate, and the administrator configures the users for client certificate passwordless authentication.

Client certificate requests for individual Web services
Although the Security/Certificate screen under Global Settings is still used to configure client certificate settings across all web services, you can now disable and enable client certificate requests for individual web services. From the Administrative Console, select Device Management: Configuration: Network Configuration: Web Services, and check the Request Client Certificate check box. This option appears only if the web service already has SSL enabled.

Customize popup blocker message
In this release, you can now customize popup blocker messages. Upload the file named blocked_popups_warning.htm to the FirePass controller. For more information about this feature, refer to the Device Management: Customization: Advanced WebDAV Customization section of the online help.

Customize domain and password order
To reduce the possibility of authentication failures due to One-Time Password (OTP) authentication methods such as RSA and RADIUS, you can now customize your standardized credential entry fields so that the Password field appears as the last entry field. You can also display additional credential fields, such as Domain and Domain Password for add-on security. To configure this feature, from the Administrative Console, navigate to Users: Global Settings and check the Display password input field last on logon page check box. To add a domain entry, check the Use extra domain password for single sign on check box. Click the Update button for changes to take effect.

Launch legacy hosts favorites from customized webtops/web page
Previously, you could not start a pre-configured legacy host favorite from the customized webtop/web application page. Now, you can start any legacy hosts from your customized webtop. Please refer to the example on the Device Management: Customization: Advanced WebDAV Customization page of the online help.

Client components troubleshooting utility
This release includes a utility to assist in troubleshooting FirePass controller windows client components. With this utility, you can view setup status for each component, and determine whether components are installed, not installed, or not installed properly. To access this utility, from the Administrative Console, navigate to the Device Management: Client Downloads: Downloads screen.

[ Top ]

Fixes in this release

The following fixes are new to FirePass version 6.0.2.

Client certificate fails to successfully perform SSL handshake (CR48129)
In some rare cases, client certificates failed with FirePass version 5.4.1. In version 6.0.2 these client certificates no longer fail.

Customize error page using WebDAV (CR48197)
To allow the customization of the error page that appears, for example, when a user accesses a site denied by the Master Group security settings, we have added the file to the WebDav sandbox. Firepass controller system administrators can now customize this message.

Client Certificate authentication as a Web service (CR48369)
Previously, Client Certificate authentication was a global option only. Now, the option Request Client Certificate has been added to SSL web services, and you can allow client certificate authentication for a web service.

Additional Domain Password configurable for separate landing URI (CR48371)
Previously, you could set the Additional Domain Password setting only globally. With this release, you can configure this setting on a per landing URI basis. Now, the option Enable extra domain password per landing URI or Virtual Host is available on the Device Management : Security : User Access Security screen.

Unnecessary space characters in iso-2022-jp encoded mail subject (CR54874)
In previous versions, unnecessary space characters appeared in iso-2022-jp encoded mail subject fields sent by the FirePass controller. Further, after characters were deleted, the encoded characters were decoded correctly. Unnecessary space characters no longer appear in iso-2022-jp encoded mail subjects.

Complete list of client fixes (KBs) in log (CR57678)
In previous versions, there was no place to see a complete list of all client fixes (KBs). With this release, you can now find a comprehensive list of client fixes (KBs) in the FirePass controller log.

Auto purge log limit adjustable on manufacturing and customer builds (CR61801-1)
In previous versions, the log size was set to reach 1.8 GB before the FirePass controller automatically purged the log. In this version, you can configure the log file limit to a size between 500 MB and 1.8 GB.

Variable %username% substituted as DOMAIN\username instead of username (CR64572-2)
In previous versions, when users were logging on to a FirePass controller using the format DOMAIN\username and accessing a Windows Files favorite with \\server\path\%username%, the FirePass controller substituted the domain name and the user name for the %username% variable. This variable substitution created \\server\path\DOMAIN\username instead of \\server\path\username. The connection failed as a result. This issue also occurred with Portal Access, App Tunnel, and Terminal Server favorites. The FirePass controller now substitutes the user name without the domain name for the %username% variable.

Inactivity timeout and Legacy Hosts (CR67150)
In previous versions, global inactivity timeout settings and master group inactivity timeout settings did not apply to Legacy Hosts. Legacy Hosts now use these settings.

Show maximum concurrent logons (CR67798)
In previous versions, you could not see the maximum number of concurrent user logons that had ever occurred on the FirePass controller in the FirePass controller logs. Now, you can see the maximum number of concurrent logons that have ever occurred in the FirePass controller on the Device Management : Monitoring : Statistics screen.

Alias Web Application favorites (CR68564)
In previous versions, when you modified a web portal favorite, all other alias type favorites that referred to the modified favorite failed if the associated resource group of the alias favorite was assigned to a master group that had the Show administrator-defined favorites only option enabled. Alias type favorites no longer fail when you modify the web portal favorites to which they refer with this option enabled.

Mac and Linux Network Access client not closed when webtop closed (CR68662)
In previous versions, when a user closed the webtop on Mac or Linux operating systems, the Network Access client was not disconnected. Now, the Network Access client disconnects when the Mac or Linux webtop is closed.

JavaScript error on portal site (CR69015)
In earlier versions, an SAP portal site displayed numerous errors with the FirePass controller reverse proxy. Now SAP portal site works correctly with the FirePass controller reverse proxy.

JavaScript functions called with two arguments separated by a comma (CR69062)
In prior versions, Portal Access did not support JavaScript functions called with two arguments separated by a comma. For example, writeln('string1','string2'). FirePass controller now supports these JavaScript functions.

Citrix Session Reliability in Portal Access and App Tunnels (CR69649, CR69653, CR72757)
The main ICA connections between Citrix® ICA clients and MetaFrame servers previously occurred on port 1494 over TCP. MetaFrame Presentation Server v3.0 and later use the default port 2598. Citrix also added the Session Reliability feature to MetaFrame server connections. You can now use these ports and the Citrix Session Reliability feature when you create Portal Access favorites and App Tunnels.

Documentation for session variable usage (CR69829)
Previously, FirePass online help incorrectly described the use of sessions variables on the screen Users : Endpoint Security : Protected Configurations : Security. Session variables were quoted in examples enclosed in percentage signs (%). Percentage signs are not used to quote session variables, and this information has been removed from the online help.

Double quotes keyword in reverse proxy (CR70737)
In previous versions, the reverse proxy showed an error, Parse Error: EOI in quot-quoted string, when it encountered double quote characters (""   "") in some pages. Double quote characters no longer cause errors with the reverse proxy.

Online Help for customized FirePass controller logon form (CR72230)
In previous versions, administrators could not access online help that described the options that could be used to create a customized index.htm page in the WebDAV sandbox. The index.htm page is displayed when a user requests the FirePass controller root URI. Now, the Online Help contains configuration information and code for an example index.htm page.

Online Help for customized failed or denied logon and popup blocker warning (CR72250, CR72390)
In previous versions, the screens that a user saw when a logon failed or was denied by the FirePass controller could not be customized. In this version, the screens can now be customized. In addition, the FirePass controller cache cleaner screen includes a popup window that is used during the configuration of the cache cleaner. If the user's browser is blocking popup windows, this popup is not allowed, and a blocked popup warning screen is sent by the FirePass controller. This blocked popup warning screen can be customized. The online help has been updated to include information about how you can update,, and blocked_popups_warning.htm in the WebDAV sandbox.

Back to webtop link in Web Applications with i-mode device (CR72356)
Previously, when using Web Applications with an i-mode® device, there was only a Logout link, and no Back to webtop link. We have added a Back to webtop link on this screen.

VASCO and UNIX adapters in Online Help (CR72710)
Previously, the Online Help contained references to the VASCO and UNIX adapters, which are now obsolete. The Online Help no longer contains references to these obsolete features.

Txqueuelen value for Ethernet interfaces in Online Help (CR72712)
You can configure the transmit queue, or txqueuelen value, for each Ethernet interface on the Device Management : Configuration : Network Configuration : Interfaces screen. The default value for txqueuelen is 1000. In previous versions of the online help, the default value for txqueuelen was specified as 100. This value is now corrected to 1000 in the Online Help.

Hotfix removal in Online Help (CR73015)
Previously, the Online Help did not explain how to remove a hotfix. Now, the Online Help explains how to remove a hotfix on the Version and Settings page.

Integrated IP Filtering Engine Support on Vista (73174)
The StoneWall / Integrated IP filtering engine is now supported under Microsoft Vista.

Citrix client options menu for MetaFrame Terminal Server favorite (CR73216)
In previous versions, users starting a Citrix® application through a Citrix MetaFrame terminal server favorite on FirePass controller were unable to configure Citrix session options, which allowed window resizing and other options. The Citrix ICA client now starts in a window that includes Citrix client options, if you configure the Citrix client favorite to open with the option Separate window with menu checked.

OCSP for multiple client root CA certificates (CR73493)
In previous releases, Certificate Management allowed the installation of more than one root certificate; however, the Online Certificate Status Protocol (OCSP) supports only one root certificate. In this version, when you install multiple root certificates and use OCSP for certificate verification, the FirePass controller uses information from the client certificate to select the correct server root certificate if there are multiple root certificates installed, and OCSP verification works correctly.

Internal database user details and password changes (CR73889-2)
In previous versions, when an internal database user was forced to change the logon password on the first logon, in some situations the user's information was removed after log on and a password change. This occurred when the setting Force password change on first logon option was enabled, and the user belonged to a Master Group where the option Allow user to change user information was disabled. Now when a user with these options logs on and changes the password, user information is retained.

Standalone client shows webtop to new users (CR73923)
In previous versions, in some situations, new users registered through the signup by template option with bypass enabled were able to see the FirePass controller webtop before they were allowed access. We have corrected this version, and new users now cannot see the webtop until they are allowed access.

Signup template screen displayed when bypass is enabled and user skips cache cleaner (CR73924)
In previous versions, a user logging on for the first time on a system with the signup by template option enabled, saw the signup by template screen, even though bypass was enabled. This only occurred when the user selected not to start the cache cleaner. In this version, users logging in for the first time with signup by template and bypass enabled do not see the signup by template screen if they do not start the cache cleaner.

Logon to POP corporate account with user name that contains a hyphen (CR73929-2)
In previous versions, users could not log on to POP email servers if their usernames contained a hyphen. Now users with hyphens in their user names can log on to POP email servers.

Popup warning message displayed during VPN Driver installation on Vista (CR73933, CR73953)
When you install the VPN driver on a Windows Vista™ client, the operating system displays a popup warning message that confirms the installation of an unsigned driver. This popup might block the F5 Component Installer Service from installing the VPN driver onto the client. Automated deployment tools might also not work for the same reason.

Deny Default ACL policy in online help (CR73971)
We highly recommend the use of a default deny policy when deploying Access Control Lists (ACLs) for Web Applications on the FirePass controller. A default allow policy presents much higher security risks to your system and your users. The online help now includes information about this recommendation, and how to configure the default deny policy for ACLs.

Terminal server screen resolution (CR74016)
In previous versions, if you configured a terminal server favorite with the initial preference for screen resolution to Percent of screen size and checked the option Open in a new window, users might see a window that did not display the entire host screen correctly, depending on their monitor resolution. As a result, users could not see or access the Start menu when the percentage of screen size was high enough (90-99%). In this version, the browser includes scrollbars when the screen is larger than the browser window, so users can access all features of the terminal screen.

Active Directory for dynamic resource group mapping with RSA for authentication (CR74071)
In previous versions, you could not configure authentication and dynamic group mapping from two different, unconnected systems. In this version, significant changes have been made to dynamic group mapping, resource group mapping, and master groups. These changes allow global dynamic master group mapping, global resource group mapping, and mapping that is done separately for each master group. This additional mapping phase follows authentication, and allows authorization against multiple sources of the same type.

FirePass client components and limited privilege account (CR74572)
FirePass controller client components are not installed when a user with a limited privilege account attempts to install them through the web. Also, on Windows Vista clients, you cannot upgrade the FirePass client components without an administrative account. The upgrade appears successful to the user even though the upgrade failed. To work around the Windows Vista™ issue, see FirePass client components and limited privilege account.

RSA token code entry position on logon page (CR74779)
In previous versions, the RSA token code entry field was in the second field on the logon page, and in some situations where the RSA token code had a very short timeout period, the RSA token timed out before users could and enter the token. Now the RSA token code field is the last field on the page.

Memory in Compatibility Mode (CR74794)
Previously, when a user accessed a web application that required HTTP authentication, in reverse proxy compatibility mode, with proxy authentication disabled in the master group, and the user entered incorrect credentials, the FirePass controller encountered an error. Now, when a user accesses a web application under the same circumstances, no FirePass controller system error occurs.

Network Access connection name and Vista operating system (CR74797)

With Network Access, you cannot specify connection name for Windows Vista™ clients with the following characters:

Backslash ( \ )
slash ( / )
Colon ( : )
Asterisk ( * )
Question mark ( ? )
Less than ( < )
Greater than ( > )
Pipe ( | )
Quotation mark ( " )

If you specify a session variable in the connection name, make sure the variable does not return these characters. To view the Connection name option, navigate to the Network Access : Resources screen. Then select the Client Settings tab.

Drive mapping errors (CR74834)
In previous versions, with Network Access Drive Mapping, if there were exactly ten drive mappings, the user saw an error message that the second drive mapping had failed. Despite the error, the drive mounted correctly. In this version, this error no longer appears when there are ten drive mappings.

NTLM auth option as proxy in Web Applications (CR75037)
Previously, when you configured Web Applications with the option Proxy Basic and NTLM auth using FirePass controller user logon form enabled, the FirePass controller sent the NTLM_authentication request to the Web server. In the Web server request, the host name parameter (in the NTLMSSP data structure) was always set to the FirePass controller user name. Now, the FirePass controller uses the host name from the Fully Qualified Domain Name (FQDN).

Administrator logon to cluster secondary system redirected to cluster primary system (CR75485)
In previous versions, an administrative user who attempted to logon to a cluster secondary system was always redirected to the cluster master. In this version, the administrative user can log on to the secondary cluster system.

Focus change in full screen Citrix Web client causes flicker in IE7 (CR75619)
In previous versions, when using the Citrix® ICA Win32 Web Client in full screen mode with Internet Explorer 7, the display flickered if the user changed window focus using Alt + Tab. This flicker continued until the user minimized and restored all windows. In this version, this flicker does not occur under the same circumstances.

Dynamic App Tunnels with DNS split tunneling always use default master group settings (CR75717)
In previous versions, when you used DNS split tunneling with Dynamic App Tunnels, the FirePass controller always used the default master group settings instead of the user's master group. Now DNS split tunneling uses the user's master group with Dynamic App Tunnels.

Adobe Reader 7 reinstalls itself in Protected Workspace (CR76069)
In previous versions, when Adobe Reader 7 or later was installed on a PC, and that PC then connected to a FirePass controller with Protected Workspace enabled in the prelogon sequence, Adobe Reader restarted the installer. Adobe Reader no longer restarts the installer in Protected Workspace.

Password reset field not cleared when moving a user to an external authentication group (CR76127)
In previous versions, when a user was moved from an internal database authentication group to an external authentication group, password management information in the user record was not cleared, and passwords were incorrectly enforced. In this version, password management information is cleared when a user is moved from an internal database authentication group to an external authentication group.

Timeout for Mobile email connections (CR76152)
In previous versions, when a user connected to a Mobile email favorite, then closed the browser, the IMAP PHP module stayed connected over TCP and did not time out. Now the Mobile email connection times out after five minutes, and the connection is closed.

Windows key shortcuts with full screen Citrix web client (CR76158)
In previous versions, Windows keyboard shortcuts were not received by Citrix servers when the Citrix web client was used in Full Screen mode. In this version, we have implemented the following keys and key combinations:

  • The Windows key
  • Ctrl + Esc and Alt + Tab
  • Citrix® session hotkey Shift + F2 to toggle the session window between full screen and windowed mode
  • Citrix session hotkey Shift + F3 to bring up the Citrix disconnect dialog box

Network Access clears include proxy bypass list option in Intranet Zone (CR76237)
Previously, when a user started a Network Access tunnel, the Internet Explorer option Include all sites that bypass the proxy server was cleared from the Internet Options : Security : Local Intranet zone screen. Now, when the user connects through Network Access, that security setting is retained.

ZIP file extension with cart in Windows Files (CR76301)
In previous versions, when a user chose files in Windows Files and added the files to a cart, then attempted to download the cart files, the .zip extension was not appended to the file. The .zip extension is now appended to files added to a cart in Windows Files.

TN 3270 unable to pass numeric characters (CR76473)
In previous versions, legacy applications that used the IBM 3270 terminal server were unable to pass the numeric characters necessary to select options in a menu. Now, IBM 3270 legacy applications can pass numeric characters.

CAB file installation with subdirectories with urSmartUpdateEx update code (CR76591)
In previous versions, the urSmartUpdateEx code could not install a cab file that included subdirectories. When this occurred, the logterminal.txt file indicated that a failure occurred in FDICopy with error code 11. The urSmartUpdateEx code can now install a cab file that includes subdirectories.

Citrix ICA client cab file name restrictions (CR76593)
In previous versions, only two file names could be used to upload Citrix® ICA client CAB files: and These file names corresponded to old Citrix client versions, and with the new versions, v9 and v10, different file names were used for the client CAB files, so FirePass controller users were unable to use these newer client files. This issue has been fixed. In this version, other file names can be used to upload Citrix ICA client CAB files.

Documentation for cache cleaner in Online Help (CR76693)
In previous versions, the online help page for the Users : Endpoint Security : Post-Logon Actions screen contained an ambiguous description of cache cleaner behavior.
Cache cleaner removes all files, cookies and URL history entries created during the FirePass controller session, and all files, cookies and URL history entries associated with the FirePass controller URL regardless of their creation time. In the current version, the Online Help correctly describes the cache cleaner functionality.

Mobile Email splits long emails without space characters on mini browser (CR76775)
In previous versions, when using mobile email for mini browsers, the page splitting function did not work properly for long emails that did not contain any space characters, even if the email contained carriage returns. Long emails without space characters are now properly split on carriage returns when no space characters are present.

Network Access appears on webtop for Pocket PC devices (CR76782)
In previous versions, the Network Access link was always displayed on the Pocket PC webtop. In this version, the administrator can choose to hide the Network Access link for Pocket PC devices.

Windows Vista Launch Application feature invokes application too early (CR76829)
In previous versions, the Network Access Launch Application feature attempted to start an application immediately upon the establishment of a new network connection. If the application used Windows networking, the application failed to start on Windows Vista™ systems. This issue occurred because the Client for Microsoft Networks required processing time to initialize the network. In this version, the Launch Application feature waits and retries the application start if it fails initially.

Custom check for protected resource for i-mode and mini devices (CR76987)
In previous versions, some i-mode® and mini device protected configurations that used custom checks, such as i-mode-only checks, could not start. For example, the check session.ui_mode.mode == "imode" did not work for i-mode devices. When a resource supported for i-mode (such as Windows Files or Web Applications) was protected with a custom check like this, the check failed and the i-mode user could not access the resource. Protected resources with i-mode custom checks now start.

Domain Password entry field customization (CR77029)
In previous versions, FirePass controller administrators could not configure a custom name for the additional domain password entry field, Domain password. This field can now be customized to display a custom entry, instead of the text Domain password.

Resource group-based IP filters requires service restart (CR77068)
In previous versions, when Network Access IP filters were configured on the Resources : IP filters screen, these IP filters did not function until the service was restarted. Resource Group-bases Network Access IP filters now function without a service restart.

Reports page shows blank session expiration time (CR77072)
In previous versions, under certain conditions, a session expiration time was not displayed for all FirePass controller users on the Reports : Session : Currently Active screen. Session expiration time is now displayed for all FirePass controller users .

Incorrect credentials with Windows Files in Portal Access display no warning (CR77100)
In previous versions, when users attempted to access Windows Files in Portal Access with an incorrect password, the FirePass controller did not report a logon error to the user. Because there was no warning, users might keep trying to log on with the wrong password, and eventually be locked out of the resource for failed logon attempts. The FirePass controller now reports a logon error when a user attempts to connect to Windows Files in Portal Access with the incorrect credentials.

Authentication requests with reverse proxy fail for new master groups of external users (CR77125)
In previous versions, when new master groups with external users were created, an authentication page when viewed through the reverse proxy appeared blank. Now, authentication pages through the reverse proxy for newly created master groups of external users appear correctly.

Select session variables from a predefined list (CR77128)
In previous versions, session variables had to be manually typed for each connection. Now, users can select a session variable from a list of variables that are configured by the FirePass controller administrator on the Users : Global Settings screen. If no list of predefined variables exists, the session variable field is displayed as a blank text box, and users can manually type a session variable.

Cookies removed from HTTP request cause incorrect logoff page (CR77242)
In previous versions, when custom index.htm and pages were configured for a specific URI, and the intranet webtop was enabled, the user saw the standard logoff page instead of the custom logoff page when logging off. Instead, the standard logoff page is displayed. Now, a user sees the custom logoff page when the user logs off.

Protected configuration fails for some IP addresses (CR77285)
In previous releases, protected configurations based on trusted networks would fail for IP addresses containing the numeral 8 or 9 in octets that were less than 3 decimal digits. The following are examples of IP addresses that failed:,,, and Now, IP addresses containing the numeral 8 or 9 in octets that are less than 3 decimal digits work correctly with protected configurations.

Network Access with GZIP compression fails when using SSL Offload (CR77308)
In previous versions, when SSL Offload was used and Network Access was configured with GZIP compression enabled, the Network Access client crashed when a large file download was initiated from an HTTP server. Now, Network Access connections can be used to download large files with GZIP compression enabled using SSL offload.

RoadSync request URI parsing (CR77314)
In previous versions, the GetAttachment command in RoadSync through a FirePass controller failed with a 500 error. The result of this error was a RoadSync endless loop when attempting to download an attachment. The RoadSync GetAttachment command no longer fails, and attachments can be downloaded through the FirePass controller.

Windows logon integration with two-factor authentication with client certificates (CR77357)
In previous versions, Windows logon integration did not work with two-factor authentication with client certificates, and users could not log on. Windows logon integration Now, users can log on to Windows when using two-factor authentication with client certificates.

Legacy host favorites expired certificate warning (CR77399)
In previous versions, connections to a legacy host favorite using Internet Explorer with Microsoft's Java Virtual Machine caused an error to be displayed that the Java™ applet was signed with an expired certificate, and the publisher could not be verified. These certificate errors no longer appear when using legacy host favorites with Internet Explorer and the Microsoft Java Virtual Machine.

Proxy bypass connections with Internet Explorer (CR77451)
In previous versions, when you used a proxy server with a proxy bypass list in Internet Explorer, the proxy bypass list was parsed incorrectly, so connections that should have bypassed the proxy were made through the proxy and not directly. Now, connections that are on the proxy bypass list do bypass the proxy.

Network Access icons do not appear in cookieless mode (CR77470)
In previous versions, Network access icons did not appear when the browser was configured not to send cookies (cookieless mode). In cookieless mode, Network Access icons now appear.

Cache cleaner leaves RAS entries in Merge or Delete Network Locations on Windows Vista (CR77516)
In previous versions, after cache cleaner removed RAS entries from the Windows Vista™ Network and Sharing Center, the RAS entries still appeared in the Merge or Delete Network Locations screen. Now, RAS entries are removed from the Merge or Delete Network Locations screen by the cache cleaner.

FirePass controller caches incorrect password with RSA authentication and Active Directory authentication (CR77596)
In previous versions, when RSA authentication was configured with secondary Active Directory authentication, and a user entered the incorrect domain password on the first attempt, the FirePass controller cached the incorrect password, and authentication failed on subsequent attempts, even if the correct domain password was later submitted. Now the FirePass controller clears the incorrect password and subsequent authentication attempts succeed, if the correct password is submitted.

Batch Conversion wizard in Microsoft Word does not work in Protected Workspace (CR77749)
In previous versions, the Batch Conversion Wizard in Microsoft Word from Microsoft Office 2003 SP2 does not work in Protected Workspace. Now, the Batch Conversion wizard in Microsoft Word works in Protected Workspace.

FP_DO_NOT_TOUCH tag in Online Help (CR77765)
In previous versions, the Online Help stated that the FP_DO_NOT_TOUCH tag was disabled by default, and was not processed. The FP_DO_NOT_TOUCH tag is actually enabled by default. Now the documentation states that the FP_DO_NOT_TOUCH tag is enabled, and processed, by default.

Internet Explorer slow script warning with cookies obfuscated (CR77855)
In previous versions, when the user started a web application page in Internet Explorer™ that used several long cookies with cookie obfuscation enabled, an Internet Explorer warning could appear: A script on this page is causing Internet Explorer to run slowly. If it continues to run, your computer may become unresponsive. Do you want to abort the script?
Now, this warning no longer appears when Internet Explorer has cookie obfuscation enabled and a web application uses several long cookies.

Command Line Interface /h, /u, and /p parameters with spaces and slashes not parsed correctly (CR77924)
Previously, in the Command Line Interface, when the parameters /h, /u, and /p, were used with arguments that contained the space symbol and the slash character, the command was not parsed correctly and did not work as expected. Now, when you use the /h, /u, and /p characters in these instances, the commands are parsed correctly.

Windows Files auto logon option (CR77962)
In previous versions, the option Auto logon to Windows Files shares was not disabled, even when it was not checked. Now, clearing the check box for the option Auto logon to Windows Files shares disables the option.

Session variables in Windows Files favorites when users limited to administrator-defined favorites (CR77994)
In previous versions, Windows Files favorites that contained session variables in the path could not be accessed by users, when the master group limited access to administrator-defined favorites only. Now, users can access Windows Files favorites that contain these session variables in the path.

Hyperdoc-Web/Global Java application does not work (CR78025)
Previously, the Hyperdoc®-Web/Global Java™ application did not work through the reverse proxy. Now, this Java application works through the reverse proxy.

Radius state not released in new access request (CR78031)
Previously, the RADIUS state was not released when two-factor RADIUS authentication was configured with an access challenge mechanism, and group mapping was enabled. Because the RADIUS state was not released, logon problems occurred if the user typed the secret incorrectly the first time. Now, the RADIUS state is released, and logon problems do not occur if the user types the secret incorrectly the first time.

Security alert email encoding (CR78148)
Previously, if a Security Alert email that was sent to the administrator when a user successfully changed his password had the user name in Japanese, the user name appeared in the email in UTF-8 encoding, and was unreadable. Now, Japanese user names appear in the correct characters in the Security Alert emails.

Firefox reports operating system as Windows NT instead of Windows Vista (CR78183)
Previously, when the administrator configured a Check OS prelogon sequence, the FirePass controller identified Mozilla Firefox® running on Windows Vista™ as if it were running on Windows NT 6.0. Now, the operating system is identified correctly when the Firefox browser is running on Windows Vista.

Windows Files View as plain text does not show Japanese characters (CR78197)
Previously, in Windows Files, the View as plain text option did not show Japanese characters correctly, and the Load into browser option also did not show Japanese characters correctly. Now, the View as plain text and Load into browser options show Japanese characters correctly.

SSL VPN ActiveX component and autoconfig script (CR78269)
Previously, when a client accessed the FirePass controller with a preset proxy autoconfiguration script that was defined by describing its URI and not locally stored, and the URI for the selected proxy in the autoconfig script could not be contacted, the FirePass controller SSL VPN ActiveX component tried to access the proxy server instead of trying the direct connection. Now, the SSL VPN ActiveX component allows direct connections when the selected proxy cannot be contacted.

Improvements to install and uninstall of PocketPC Network Access client (CR78363)
We have made the following improvements over previous versions to the PocketPC Network Access client installation process:

  • The installation does not occur if the client is already running.
  • A reboot is requested after the installation completes.
  • The client is not uninstalled if the client is running.
  • The installation of comdriver.dll allows the driver to be loaded at boot time, and uninstalled correctly.

iNotes with Web Portal user logoffs (CR78423)
Previously, when a user read a small number of emails in the iNotes application through the Web Portal, the user was logged off of the FirePass controller. Now, users can use the iNotes application through the Web Portal without being logged off.

Cookie with longest matching path not sent to backend server (CR78598)
Previously, when a web server sent two cookies with the same name but different paths, and one path was part of the other path, the reverse proxy would send only one cookie to the server, and it would not the same one when accessing the same favorite multiple times in the same session. For example the cookies might be JSESSIONID=ABCD; path=/ and JSESSIONID=EFGH; path=/portal, and only the first matched cookie would be sent. Now, all cookies that match the same name are sent, with the longest matching path sent first.

App Tunnels Access Control List character input limitation with Internet Explorer (CR78659)
Previously, if you attempted to add a list of URLs to an Access Control List that exceeded 2,083 characters including the form code, the request failed in Internet Explorer. Now, Access Control Lists longer than 2,083 characters work with Internet Explorer.

Internet Explorer crashes connecting to Terminal Server with version 6.0 ActiveX components (CR78660)
Previously, when a user attempted to connect to a Terminal Server favorite on a FirePass controller running version 6.0.1 software, if the user had installed ActiveX controls from a version 6.0 FirePass controller, and the Disable top level ActiveX controls update option was checked by the administrator, Internet Explorer would crash. With FirePass controller version 6.0.2 software, Terminal Server favorites now work with Internet Explorer when the client's ActiveX controls are installed from a version 6.0 FirePass controller.

FirePass controller Certificate Authorities for LDAP SSL authentication (CR78677)
Previously, when self-signed certificates were used for LDAP SSL authentication, authentication would fail. Now, self-signed certificates can be used for LDAP SSL authentication.

Unable to restore an option from backup file (CR78733)
In previous versions, the option Allow to logon with e-mail address as substitute for user name was not restored when the FirePass controller database was restored from a backup file. Now this option is restored when the FirePass controller is restored from a backup file.

Searching Windows Files with native encoding (CR78880)
In previous versions, when a user searched Windows Files on an operating system that used an encoding other than UTF-8, UTF-8 encoding was used for the file search, even when a different character set was used for the search term. Now, the Windows Files search feature uses the correct native encoding for search terms.

Custom Network Access IP pool fails after 127 IP pools configured (CR78954)
Previously, when you added more than 127 IP pools to your Network Access configuration, all IP pools after the 127th failed to work. Now, IP pools after the 127th work with Network Access.

Arabic language Windows share subfolders (CR79022)
Previously, when a user with a default Arabic character set tried to open a subfolder of a Windows share, the subfolder was not visible and could not be accessed. Now, subfolders on Windows shares are visible to users with a default Arabic character set.

Path for location of ProxyAutoConfig file (CR79045)
Previously, when an application requested the ProxyAutoConfig file from Network Access, the FirePass controller gave the path for the generated file as a file:\\ path instead of an http:\\ or https:\\ path. Some applications could not create a proxy list when the URL was given as file:\\, so some applications failed. Now, the FirePass controller gives the URL as http:\\.

Very large user names cause MySQL errors on logon (CR79176)
Previously, if very large logon names of 4.2 MB or larger were sent to the FirePass controller, a MySQL error occurred. Now, the logon name size is limited to 512 KB to prevent this error.

Unable to restore WebDAV settings from backup file (CR79345)
Previously, the option Allow WebDAV sandbox customization was not restored when the FirePass controller database was restored from a backup file. Now, the Allow WebDAV sandbox customization setting is restored when you restore from a backup file.

User group changed by dynamic mapping when source group user mapping disabled (CR79454)
Previously, if a user initially belonged to a local database master group with local or remote authentication, dynamic master group mapping was enabled in the new group, or globally, and landing URI mapping was configured, dynamic mapping failed, but the FirePass controller attempted to authenticate the user in the new group anyway, instead of using the old authentication information for the user. Therefore, the user could not be authenticated. Now, if the current group has dynamic mapping disabled, dynamic mapping is not used. Both groups must have dynamic mapping enabled to move the user.

Peoplesoft Portal menu (CR79969)
Previously, some PeopleSoft sites were unable to see expanding menus correctly, and users saw an hourglass and got no server response. We have determined that these applications work correctly when compatibility mode is disabled.

Multiple file upload to SharePoint fails to upload files (CR80240)
Previously, when a user attempted to upload multiple files to a SharePoint folder through the reverse proxy, the client browser accessed the Sharepoint server directly and bypassed the reverse proxy, causing the upload to fail, and the SharePoint server to prompt the user for credentials. Now, these connections go through the proxy and multiple file uploads work.

Legacy host favorites started from custom webtop (CR80242)
Previously, the administrator could configure legacy host favorites for a custom webtop, but users could not start the favorites from the custom webtop. Now users can start legacy host favorites from a custom webtop.

Windows Files corrupts ZIP downloads with GZIP compression (CR80273)
Previously, when a user downloaded a ZIP file with Firefox® or Mozilla through Windows Files with the Download and save locally option, the result was a corrupted ZIP file if GZIP compression was enabled. Now, ZIP files downloaded with Firefox® or Mozilla from Windows Files with the Download and save locally option are not corrupted.

Legacy Host session closes after user switches to another window (CR80564)
Previously, when a user started a Legacy Hosts session, and switched to another window or webtop, when the user tried to return to the Legacy Hosts session, the session failed. Now, the user can go back to a Legacy Hosts session after switching windows or switching to a different webtop.

Windows Files download as ZIP includes empty directories (CR80587)
Previously, when a Portal Access user attempted to access the Windows Files Download as Zip option, if the Include subfolders option was not enabled, all directories in the directory that were downloaded were included in the ZIP file, though they were empty. Now, ZIP files downloaded with the Download as Zip option no longer include empty directories when the Include subfolders option is not enabled.

Passive FTP connections through static App Tunnel (CR80525)
Previously, when a user connected to a passive FTP connection through a static App Tunnel, the FTP connection failed to start a data connection. Now, data connections over passive FTP connections through static App Tunnels start correctly.

Java exception and reverse proxy (CR80600)
Some internal Java™ applications are not correctly passed by the reverse proxy engine.

Network Access IP group filters (CR80716)
Previously, if the administrator configured a Network Access IP group filters rule name with spaces in it, the syntax of an internal call was broken when a log action was selected. Also, an IP group filters rule name made up only of numbers caused firewallctl. to fail. Now, IP Group Filters rule names that include spaces, or are made up only of numbers, work correctly.

Network Access with compression enabled and PNG files (CR80799)
Previously, when a user attempted to view a PNG file over a Network Access tunnel that had the the option Enable Compression. Saves bandwidth, at the expense of server resources enabled, the PNG file displayed very slowly, and had the wrong MIME type. Now, PNG files display at the correct speed and with the correct MIME type with compression enabled.

WebDAV disabled after upgrade from version 5.5 (CR80828)
Previously, when the FirePass controller software was upgraded from version 5.5 to version 6.0.x, WebDAV was disabled. Now, WebDAV settings are preserved when you upgrade the FirePass controller to version 6.0.2 from version 5.5.

External users prompted to enter email address, or email address incorrect, with i-mode (CR81211)
Previously, if an external user accessed mobile email from an i-mode® browser, the From field was not valid in the outgoing email, or the user would be prompted to enter an email address, instead of having the correct information added from the user's external database account. Now the i-mode® email gets the correct email address from the external account.

Web Applications pages processed by customer sed scripts get no-cache added to head (CR81275)
Previously, when a customer processed a Web Applications page with a customer-installed sed script, the FirePass controller added a Cache-Control: no-cache tag to the head of the file. This caused problems like the inability to return to a previous page if the current page was retrieved by a POST method. Now, the FirePass controller does not add the Cache-Control: no-cache tag to the head of a Web Applications file processed by a customer sed script.

Windows Files user name and password prompts corrupt in translated FirePass controller screens (CR81392)
Previously, when users attempted to access Windows File shares on non-English versions of the FirePass controller, and typed the credentials incorrectly, the user saw a corrupted error message. Now the user sees the correct error message if he types credentials incorrectly for a Windows File share on a non-English FirePass controller.

Windows Files ZIP download with Distributed File System (CR81396)
Previously, when a user attempted to download Windows Files as a ZIP file, from a directory path referred by Windows Distributed File System, the download failed. Now, a user can download Windows Files as a ZIP file, when referred by the Distributed File System.

Full backup configuration uploaded when Partial backup selected (CR81552)
Previously, when an administrator started a manual backup of the FirePass controller, if the FirePass controller was configured to back up nightly using either FTP or SCP, and the Partial backup option was enabled, the FirePass controller always backed up the full configuration. Now, when the administrator starts a manual backup, the FirePass controller correctly backs up only the partial configuration.

Mac PowerPC autoinstall plugin on Safari for Java 1.42 and 1.5 (CR81633)
In previous versions, the SSL VPN auto install option did not work with Power PC Macs with the Safari web browser, with Java™ 1.42 and 1.5. With Java 1.42, errors appeared in the Java console. With Java 1.5, the Java console did not appear and the user saw a blank window. Now, the SSL VPN auto install option works with Power PC Macs, Safari, and Java 1.42 or Java 1.5.

Command Line Interface VPN /c command (CR81683)
Previously, if the administrator configured the FirePass controller to establish a VPN tunnel without user intervention using the Command Line Interface, a profile was used so that different tunnel parameters could be saved and used to establish different tunnels automatically. However, when using the Command Line Interface option /c, the connect screen appeared. Now, the Command Line Interface /c options works, and the user does not see the connect screen.

Show largest database size on System Health screen (CR81706)
Previously, the administrator could not see the size of the database tables on the Device Management : Monitoring : System Health screen. On a busy FirePass unit, a MySQL table such as tblLogLogonDetails could become very large. Now, the System Health screen reports the largest database size.

Session history report shows logon with special characters incorrectly (CR81785)
Previously, when the administrator viewed the session history of a user with special characters (_'#\.@-) in the user name, if the session history was longer than one page, the FirePass controller Administrative Console did not show any pages after the first page. Now, the administrator can view all pages of the session history of a user with special characters in his user name.

Failed primary Active Directory server does not come back online until secondary and tertiary servers fail (CR82495)
Previously, in a configuration with multiple Active Directory servers, if the primary server failed, the FirePass controller attempted to connect to the secondary and then the tertiary servers. If one of these servers worked, the primary server was not retried until the secondary or tertiary server failed, even if there was a configuration change to the primary server. Now the FirePass controller checks for the availability of the primary Active Directory server, and uses the primary server when it becomes available.

User information behavior inconsistent (CR82776)
Previously, when an administrator checked the option Allow user to change user information in a master group, the setting was not saved correctly to the system. In version 6.0, the option was disabled, and in version 6.0.1, the option was enabled. Now, this option is saved correctly to the master group.

MacOS CheckFiles (CR82926)
Previously, when the administrator configured a prelogon sequence that used the CheckFiles module to check for the MacOS, and the user attempted to log on with this sequence, the FirePass controller was unable to complete the prelogon sequence for the Mac. Now, the CheckFiles module processes a prelogon sequence with the Mac CheckFiles module correctly, and the user can log on.

User records with double quote character stops user import (CR82931)
Previously, when the administrator imported users from a comma-delimited text file, if a user record contained a double-quote character ("), user import failed to complete. Now, user import completes when a user record contains a double quote character.

McAfee VirusScan version 8.5i Network Access policy check (CR83053)
Previously, Network Access policy checks could not detect McAfee VirusScan version 8.5i, so prelogon sequences configured for McAfee VirusScan would fail. Now, Network Access detects McAfee VirusScan Version 8.5i.

Session durations in Indian Standard Time zone (CR83091)
Previously, when the administrator changed the time zone of the FirePass controller to Indian Standard Time from Greenwich Mean Time, all session durations listed in the reports for that day were increased by 30 minutes. Now, when the administrator changes the time zone to Indian Standard Time from Greenwich Mean Time, session durations are not increased.

Packet loss and high latency on PC with CheckPoint SecureClient installed (CR83120)
Previously, when some users connected through the Network Access client on a PC with the CheckPoint SecureClient installed, high latency occurred. Now, these connections occur without high latency.

FirePass controller private MIB change (CR83169)
In 6.x FirePass controller versions, when the FirePass controller attempted to retrieve the FirePass controller private MIB 100.4.0, an error occurred. 100.4.0 is an SNMP MIB that is no longer supported by FirePass controller. In this version, the response for 100.4.0 is set to always return 0.

Endpoint Protection for Resource group in Application Tunnels (CR83210)
Previously, you could not save the Endpoint Protection Required for this Resource Group option on the Application Tunnel and Web Application Tunnel screens. Now, the Endpoint Protection Required for this Resource Group option can be saved on these screens.

Protected Configuration with Web Application Tunnels (CR83211)
Previously, if you selected a Protected Configuration globally for all Web Application Tunnels, the FirePass controller would show an error. Now, you can apply a Protected Configuration globally to all Web Application Tunnels.

Protected configurations restored from backup and synchronization (CR83317)
Previously, when an administrator restored a failover active/standby pair from a backup file, the Protected Configuration information was not restored to the standby system, even after a successful sync. Now, protected configuration information is restored to the standby device when the system is restored from a backup.

Session ID in syslog (CR83332)
Previously, when a user logged on or logged off of a FirePass controller session, the session ID was not written to the syslog. Now, the FirePass controller logs the session ID on user log on and user log off events.

Network Access IP address pools with numeric names (CR83532)
Previously, when the administrator created an IP address pool for Network Access that was named with a number (for example, 123), the IP address pool was not used by Network Access, and the resource group would fall back to the default IP address pool. Now, the administrator can create IP address pools with numeric names and use them in Network Access.

WebDAV and offloaded SSL web services (CR83549)
Previously, WebDAV was enabled on offloaded SSL web services. This caused users to be prompted to log on any time they accessed a file in the WebDAV sandbox. Now, WebDAV is automatically disabled on any SSL offloaded web service.

Network Access Client Online Help (CR83596)
Previous versions of the FirePass controller online help did not contain the information that the Windows standalone client does not support the Autolaunch feature. A note has been added to the FirePass controller online help page at Network Access : Resources : Client Settings : Autolaunch that explains this option, and describes how to use Autolaunch with the Windows Standalone Client.

User details screen with password containing double quotes and angle brackets (CR83761)
Previously, if the administrator set a user's password on the User details screen to include both a double quote character (") and a left or right angle bracket character (< or >), the User details screen did not display correctly. Now, the User details screen appears correctly when these characters are included in the password.

SSL VPN drivers cannot install or uninstall on some Windows Vista PCs (CR84143)
Previously, when you attempted to install or uninstall the SSL VPN drivers on some Windows Vista™ systems with the Microsoft Debugging Tools for Windows installed, an error prevented the install or uninstall of the drivers. Now, SSL VPN drivers can be installed or uninstalled on Windows Vista machines with the Microsoft Debugging Tools for Windows installed.

Restore backup with client root certificate and CRL (CR84172)
Previously, when you restored a backup that included a client root certificate and a CRL to the FirePass controller in a master/secondary cluster, it could cause a secondary server to fail. Now, the secondary server no longer fails when restored from backup.

ARP on FirePass 4100 (CR84406)
Previously, the FirePass 4100 platform made ARP requests incorrectly, using sender IPs that were on interfaces to which the IP addresses were not bound. Now, the FirePass 4100 makes ARP requests correctly.

New browsers not restored from backup file (CR84650)
Previously, when the administrator created a backup file with the Create backup of your current configuration option, new web browsers that were added to the configuration were not restored when the configuration was restored from the backup file. Now, new web browsers added by the administrator are restored from the backup file.

Japanese translation (CR84804)
Previously, when the administrator of a Japanese language FirePass controller viewed the configuration on the Device Management : Current Settings screen, the value for Session Timeout was shown in minutes instead of seconds. Now, this screen correctly shows the Session Timeout value in seconds.

Web applications not correctly detected (CR85017)
Previously, the FirePass controller did not recognize some web applications as HTML, and the applications were not processed correctly. Now, these web applications are correctly processed.

JavaPatcher Garbage Collector runs too frequently (CR85175)
Previously, in some installations, system delays were experienced when many small Java™ applets were executed. This delay occurred because the Java Garbage Collector was running frequently, and it caused a processing delay each time it ran. Now, the Java Garbage Collector runs after every 500 data requests, so the processing delay is minimized.

[ Top ]

Known issues

The following items are known issues in the FirePass controller 6.0.2 release.


Known issues for administration

Backup file and user session lockout (CR72007)
The option Lockout new user sessions is disabled when you restore a backup file, even though you have enabled it. To view this option, navigate to the Device Management : Maintenance : User Session Lockout screen.

Administrative realms and backslashes ( \ ) (CR73298)
When you create an administrative realm with a backslash ( \ ) in the name, the FirePass controller incorrectly adds two backslashes in the name instead of one.

Automated virus update and restoring a backup configuration (CR73973)
You cannot restore the automatic virus database update setting from a backup file. To view this option, navigate to the Portal Access : Content Inspection screen, select the Antivirus tab, and scroll to the Virus Database Update area.

Trace logging option on Windows Vista™ (CR74840)
When you access the Network Access connection status popup window, click the Setup tab, and check the Enable logging option in the Trace Logs area, on a Windows Vista™ client machine, no trace logging occurs.

Group mapping and backup files (CR78662)
If you backup your FirePass software configuration, and the configuration that you back up includes no group mapping definitions, when you restore the FirePass software configuration from that backup file, the group mapping configuration is not cleared. If you have defined new group mapping since you backed up the configuration, these group mapping definitions are not cleared.

Obsolete feature not removed after upgrade (CR81578)
If the license for the KB feature is not installed or is expired on the FirePass controller, and you upgrade the FirePass controller from version 5.5 to version 6.x, the KB feature is not removed from the FirePass controller.

Web Service client certificate address (CR83342)
If you define a web service, and it is not defined as the last web service in the list, and you enable certificate validation, other web services may potentially be configured differently than they appear to be configured in the FirePass controller Admin pages. To properly use the client certificate validation feature for a web service, make sure that only one web service is selected to use this feature, and that the web service is defined as the last web service in the list.

Restoring control access security settings (CR84930)
You cannot backup or restore your control access security settings after you made modifications. To view this option, navigate to Device Management: Security: Console Access Security.

Routing tables, master groups, and synchronization with secondary servers (CR85250)
When you configure a FirePass controller cluster, and create multiple routing tables on the primary and secondary servers, then assign the primary routing tables to a master group and restart services on the primary server, the routing tables are not synchronized to the secondary server. As a workaround, you must restart services on the secondary server.

WebDAV enabled after series of upgrades (CR85251)
When you enable WebDAV on a version 5.5 FirePass controller, and you upgrade the FirePass software to version 6.0 or version 6.0.1, WebDAV is disabled. If you do not enable the WebDAV option on this FirePass controller, and then you upgrade the FirePass software to version 6.0.2, WebDAV is enabled again.

User with administrator privileges and Administrative Realms (CR85898)
When a user with administrator access privileges logs on through the user logon page and accesses an Admin Console favorite, then edits Feature Access for an Administrative Realm, the FirePass controller saves the settings in the wrong location, so the Feature Access settings are not saved with the Administrative Realm. To workaround this isse, a user should log in to edit these settings with the admin logon page.

Upgrading to the latest version of FirePass (CR114827, CR114827-1)
If you want to upgrade to the latest FirePass version from versions 5.5 thru 6.0.1, you must uninstall the Hotfix 102424 before you upgrade. Otherwise, FirePass will be inaccessible from the user interface. For more information, see SOL8938 BIND DNS cache poisoning vulnerability on AskF5.

Known issues for authentication

URI-based customization for certificates (CR54963)
You cannot currently configure the Request for client certificate on the Device Management : Security : Certificates page to request different certificates for different landing URIs.

Active Directory authentication with Windows Server 2003 (CR83186)
If you use Forest mode to authenticate using Active Directory on Windows® Server 2003, you must install Service Pack 1 onto all domain controllers. Otherwise, authenticating through Active Directory without the Service Pack does not work properly.

Radius Authentication using Radius Master Group mapping fails (CR85680)
When FirePass is set up to use Radius authentication and Radius Master group mapping, the FirePass incorrectly performs the authentication part using the attributes for the group mapping specified.

Passwordless certificate authentication with Windows Mobile 5.0 and 6.0 and Internet Explorer Mobile (CR85910)
When you configure your FirePass for passwordless client certificate authentication, and a user connects with Windows Mobile version 5.0 or 6.0, and the Internet Explorer Mobile web browser, Internet Explorer becomes unresponsive if the user taps Cancel, the list of certificates is empty and the user taps OK, or the user selects an incorrect certificate and taps OK.

Known issues for Application Access


File Sharing using Static App Tunnels on Windows Vista (CR73903)
On Windows Vista, file sharing through static App Tunnels does not work

App Tunnels, Firefox® 2.0, and Windows Vista™ clients (CR73943)
When you are using App Tunnels, the FirePass controller might not work with Firefox® 2.0 on Windows VistaT clients because the software update might fail if the browser is installed in a non-default location. You can reinstall the software to the default location, or to a non-default location as long as the installation folder is named Mozilla Firefox. Alternatively, you can right-click the Firefox® icon and select from a menu Run as administrator to start Firefox.

Dynamic App Tunnels, Firefox, and updating FirePass client components (CR75312)
You cannot install FirePass controller client components onto the client when you use Dynamic App Tunnels and the Firefox® browser. To work around this issue, install them on the client with Microsoft Installer Package (MSI), or start Dynamic App Tunnels (at least once) with Internet Explorer. After that you no longer need to use Internet Explorer to start Dynamic App Tunnels. You can use the Firefox browser.

Citrix favorites seamless window screen resolution (CR75447)
When the user starts a Citrix® favorite that is configured to use the Citrix seamless window option, the favorite does not start at the specified screen resolution. As a workaround, configure Citrix favorites to start with the Separate window with menu option.

Citrix MetaFrame applications and unauthenticated access (CR79339)
FirePass controller users are not required to logon to a Citrix® MetaFrame favorite, if the Citrix server does not require authentication. The FirePass controller attempts to connect the user with anonymous access when the first connection is made. If anonymous access fails, then the logon window appears.

Toggle Scrollbar link and Firefox (CR80208)
When you configure a terminal server favorite to start in a new window, and the screen resolution is configured to be greater than the available screen resolution on the user's computer, the Toggle Scrollbar link is not available if the user's browser is Firefox.

Browser window delay when Citrix terminal server starts (CR80135)
When a Citrix® terminal server starts while session reliability is enabled, the user's browser window fails to respond for about 10 seconds while trying to establish a connection.

Citrix sessions on Windows Vista with Internet Explorer (CR82224, CR83432)
When the user starts a Citrix® web client or a Citrix MetaFrame client in fullscreen mode on Windows Vista™, the user cannot close the application window, or use Citrix session shortcut keys (Shift + F3, Shift + F4). As a workaround, the user can add the FirePass controller address to the list of Trusted Sites in Internet Explorer, the user can start the favorite in the Firefox® browser, or the administrator can configure the Citrix client to start in non-fullscreen mode.

tn5250 client flicker in Internet Explorer 7 (CR86020)
When using the tn5250 client in full screen mode with Internet Explorer 7, the display might flicker if the user presses the F4 button.

Internet Explorer 7 Protected Mode AppTunnels with User Access Control (CR86595)
When a user attempts to start and AppTunnel favorite for Internet Explorer 7, and the user is running Windows Vista™ with User Access Control enabled and Internet Explorer 7 in Protected Mode, the user cannot access web sites through Internet Explorer 7 in the AppTunnel.

Protected Workspace, AppTunnels with fully qualified domain names, and Windows Vista (CR86751)
Users with configurations that use Protected Workspace cannot access AppTunnel hosts over static or dynamic AppTunnels when the users have the Windows Vista™ operating system with non-administrator accounts, and the host is identified by the fully qualified domain name. Configure the AppTunnel host with the IP address instead of the domain name to work around this issue.

Known issues for Network Access

Allow local subnet access option (CR63951)
The Allow local subnet access option actually allows access from any host or subnet if an explicit route to this host or subnet exists in the client routing table at the time the client starts Network Access.

RTF files with Protected Workspace and Internet Explorer 7 (CR71187)
When users in Protected Workspace try to open RTF files from any web site with Internet Explorer 7, the RTF files do not open in the default application, but Internet Explorer prompts to save the file.

Windows Vista™ logon integration (CR74375)
On Windows Vista™ clients, users have to enter their logon credentials twice, once to establish a VPN connection to FirePass controller, the second time to log on to their Windows® system.

Japanese characters in Network Access favorites with Windows Vista™ (CR78170)
Currently, you cannot specify a name that uses Japanese characters for a Network Access favorite, a Phone book entry name, or a Connection Name in the Network Connection Folder.

Network Access does not load a local proxy autoconfiguration file when the path contains backslashes (CR82700)
When the web browser on the client PC has a local proxy autoconfiguration file with a path containing backslashes, for example, file://C:\path\file.pac, the Network Access client does not load the file.

Network Access custom Connection Established message with Firefox® 2.0 (CR83651)
When you create a custom Connection Established message to display for a Network Access connection, that Connection Established message appears with corrupted text in the Firefox® 2.0 browser.

Network Access names with double-byte characters on Windows Vista™ (CR84693)
If you configure a Network Access favorite with a name that uses localized double-byte characters on an English or European language FirePass controller, users with Windows Vista™ and Internet Explorer 7 get an Unknown RAS error when they attempt to connect.

Macintosh Safari browser and Network Access URLs (CR86151)
If you create a custom connection message in Network Access, and specify a URL with the Firepass-specific <URL> tag, this link is corrupted and cannot be clicked by Network Access users browsing with Macintosh computers and the Safari web browser.

Protected Workspace, Windows Vista with UAC, and Firefox (CR86598)
Users with Windows Vista™ with UAC enabled cannot start Network Access tunnels to Protected Workspace connections with the Firefox browser.

Known issues for Portal Access

Reverse proxy and Citrix MetaFrame ICA files in Compatibility mode (CR54315)
The reverse proxy cannot start App Tunnels from the correct server address when the Citrix® MetaFrame ICA file specifies the application name in the Address parameter and waits for the ICA client to resolve the name using the Citrix name resolution protocol. To work around this issue, see How to resolve reverse proxy issues with Citrix MetaFrame ICA files in Compatibility mode in the Workarounds section of this release note.

Portal Access, SSL termination, and SUN JRE (CR69009)
With Portal Access, you cannot run Java™ applets at if SSL termination is offloaded to an upstream BIG-IP Local Traffic Manager and you are using SUNR JRE, version 1.5.0_06.

Macromedia flash and Internet Explorer (CR70214, CR73140)
When a client uses Internet Explorer, Macromedia flash might not be able to load XML data during an SSL VPN connection. To work around this issue, in the Web Applications Global Settings area, check the box Don't enforce no-cache. Only use with trusted terminals on the Portal Access : Caching and Compression screen.

Portal Access and ActiveSync (CR74556)
ActiveSync fails if you enable these two settings:

  • You check the box Show administrator-defined favorites only on the Portal Access : Web Applications : Master Group Settings screen.
  • You enable pattern-based bypass, in the Minimal Content-Rewriting Bypass area on the Portal Access : Web Applications : Master Group Settings screen.

SUN Java and iNotes7 STlinks applet (CR75263)
An exception occurs when a Java™ machine verifies a FirePass controller certificate. Therefore, the iNotes7 STlinks applet fails to load properly.

Reverse proxy processes CSS file slowly (CR78033)
A specific CSS script on a customer's internal web site is processed for more than one minute. The internal web site is a database search engine, and this issue occurs only when a search query produces no results, for example, when a nonsensical search term is queried. If the search query is successful, the results page appears without the delay.

Cannot use SharePoint 2003 with Microsoft Office 2007 on Windows Vista (CR80438)
To edit Word documents using SharePoint 2003 on Windows Vista™, you must add a FirePass controller host to the Trusted Site zone on Internet Explorer 7. Additionally, you must install a valid FirePass controller certificate on the FirePass controller. Refer to Microsoft KB 932118 for more information.

Proxy Autoconfiguration (PAC) file retrieval (CR81555)
If a client is not able to retrieve the Proxy AutoConfiguration (PAC) file in the time period specified in the Network Access favorite, the client should try to download the PAC file again.

Java Patcher not working under load (CR82118)
Tests of the Java™ applet patcher under load shows exceptions after about 10 seconds.

PeopleSoft links with reverse proxy (CR83854)
When starting PeopleSoft applications from a portal page, if the application is configured to start in the same window with the code target="_parent", empty or incorrect links can appear on portal pages. To work around this issue, configure applications to start in a new browser window.

Reverse proxy OWA images not displayed CR92052) When an email containing embedded image(s) is forwarded from OWA through FireMonkey reverse proxy and opened by the recipient with Outlook client, images are not displayed.

Known issues for pre-logon and post logon inspection

AV database age endpoint inspector (CR65431)
Currently, you cannot configure an endpoint inspector to check for a custom database age. The current options are:

  • one day
  • two days
  • three days
  • one week
  • one month
  • two months

Uninstall FirePass and ActiveX components and Internet Explorer (CR71261)
When you enable the option Uninstall FirePass client components or the option Uninstall ActiveX components downloaded during FirePass session, or both, on the Users: Endpoint Security: Post-logon Actions screen, and users are using the Internet Explorer web browser, the ActiveX or FirePass controller client components are not uninstalled for 15 minutes after the session ends.

Trusted Windows Version in Protected Configuration (CR81504)
When you create a Protected Configuration and add Trusted Windows Version information, if you add Windows hotfixes, the hotfixes must each be added on a separate line, with no space characters.

FirePass controller prelogon sequence loses entries (CR83557)
If you configure a pre-logon sequence with a number of sequences (10 or more), some of those sequences are not run.

Endpoint inspector settings not backed up (CR85012)
When you configure some endpoint inspector settings, then back up the FirePass software and attempt to restore the settings, the endpoint inspectors are not restored. The settings that are not restored include the Windows Antivirus checker Maximum time for one process scanning, the logging option Write to system log, and the far end security URL and URL for result verification.

64-bit Windows pre-logon inspectors (CR86149)
On 64-bit Windows systems, a pre-logon file check inspector cannot find files in the windows\system32\drivers directory. These pre-logon inspectors fail to work.

Known issues for clients

Whole Security integration using Vista and IE7 (CR74345)
Whole Security integration does not support Windows Vista and Internet Explorer, version 7.0.

Windows Vista Clients and disabling top level ActiveX controls update option (CR74763)
When you enable (check) the check box Disable top level ActiveX controls update, the user might not be able to access the FirePass controller. To work around this issue, go to the Device Management : Configuration : Client Update screen and clear the check box Disable top level ActiveX controls update. Make sure the version 6.0.2 FirePass controller client components are already installed on the user's computer.

Client components do not update (CR75184)
If a client XP system is loaded with previous FirePass ActiveX components and the client is then upgraded to Vista, thereafter, the client will not automatically update.


Windows Vista™ and Windows logon integration dial up entry (CR75429)
On Windows Vista™ clients, you cannot modify a Windows logon integration dial up entry when you right click the entry on the Control Panel : Network Connection screen. For a workaround, see Windows Vista and modify windows logon integration dial up entry.

Windows Component installer service and upgrade to Windows Vista (CR75587)
If a Windows XP PC has the FirePass controller client installed, and the PC is upgraded to Windows Vista™, the FirePass controller client cannot be updated.

Windows 2003 Server Remote Desktop Connection with Windows Vista and Internet Explorer 7 (CR75630)
A user cannot connect to a Windows 2003 Server through a Remote Desktop connection from a Windows Vista™ computer with the web browser Internet Explorer 7, if Protected Mode is enabled in Windows Vista. As a workaround, users can add the FirePass controller URL to the Trusted Sites list in Internet Explorer 7.

Client component installation with custom certificate (CR75888)
When the administrator signs FirePass controller client components with a custom certificate on the Device Management: Customization: Code Signing screen, the downloaded client fails to install on Windows systems. The client components must be signed by F5 Networks to successfully install the downloaded clients.

JavaScript disabled webtop problems (CR77807)
When JavaScript is disabled in the user's browser, some pages on the webtop appear incorrectly.

Run As command on Windows Vista does not work properly (CR82368)
The Run As command on Windows Vista™ using PWS (Protected Workspace) does not provide sufficient access limitations.

Files and folders created in arbitrary locations using Protected Workspace under Windows Vista (CR82451, CR82452)
While you are using PWS (Protected Workspace) on Windows Vista™, the system saves files and folders arbitrarily in different locations.

Windows logon integration (Custom Dialer) does not work on 64-bit version of Windows (CR82477)
When you try to log on using the Winlogon screen, either by using a dial-up connection, or by dialing directly through the Windows Explorer: Network Connections folder using the rasphone.exe, Winlogon integration with the CustomDialer does not work on 64-bit Windows® operating system (Windows XP and Windows Vista™). However, it does work on 32-bit operating systems.

Protected Workspace, Windows Help, and Windows keys with Windows Vista (CR82554)
When a Windows Vista™ user in a Protected Workspace configuration tries to access Windows Help, Help opens on the user's desktop, and not in Protected Workspace. Windows command keys (including Windows + F for Find, Windows + R for Run, and Windows + E for Explorer) also start on the user's desktop and not in Protected Workspace.

Protected Workspace and Microsoft Word files (CR83079, CR83354)
When a user connects to Protected Workspace on Windows XP SP2, starts Microsoft Outlook 2003, and attempts to open a Word (.doc) attachment, the user cannot open the file. Users also cannot open .doc files in Protected Workspace with Windows XP and Microsoft Office 2003 or 2007, or with Windows Vista™ and Office 2007

Windows Vista Protected Workspace privilege elevation (CR82368, CR82451, CR82452, CR83302)
On Windows Vista™ systems with User Account Control (UAC) enabled, the Protected Workspace that requires standard user rights runs at Medium integrity level, and cannot monitor or control system services and processes that are elevated to High or System integrity levels. However, user rights are elevated by some applications, for some operations, like creating and saving file folders and saving temporary attachments. Instead of remaining in Protected Workspace, these files are saved outside the Protected Workspace to the system. When these operations occur, typically the user is presented with a Privilege Elevation dialog box, and prompted for a logon and password, or the user is required to click OK on a consent dialog box.

Login name and email address internal users only (CR84388, CR84402)
A user cannot connect through SSL VPN on Linux if there is no /dev/ppp device file on the user's system. If this file is missing, the pppd package on the user's system is not configured correctly. As a workaround, the user or administrator can run mknod /dev/ppp c 108 0 as the root user to create the file.

Security exception appearance on Firefox (CR86153)
When users encounter a security exception error in Firefox, the screen is not displayed correctly, because a quotation mark tag ( &quot; ) is missing the closing semicolon ( ; ).

64-bit Windows and web browsers (CR86274)
On 64-bit Windows systems, users must run their web browsers in 32-bit compatibility mode. Some FirePass controller components do not support native 64-bit mode.

JavaScript error with Home tab (CR86281)
With some systems, there is an unspecified JavaScript runtime error that causes the web page to fail. To fix this error, add the URL that causes the error to the no-hometab table.

VPN client in Protected Workspace with Internet Explorer 7 and Windows Vista (CR86286)
Windows Vista™ users in Protected Workspace configurations cannot install VPN client components in Internet Explorer 7 if Windows Vista User Access Control is disabled.

Windows Vista, UAC at Low Integrity Level, Protected Workspace, and Internet Explorer 7 in Protected Mode (CR86574)
If a user has a Windows Vista™ system running in User Access Control (UAC) mode at Low Integrity Level in Protected Workspace, applications accessed through Internet Explorer 7 in Protected Mode at Low Integrity Level fail to work.

Localization known issues

Japanese i-mode browsers with Unicode HTML (CR82762)
The Japanese language FirePass controller always sends the Company Name value as Unicode text in Japanese, and this text appears incorrectly in some older i-mode® browsers that do not support Unicode.

Japanese Windows File and ZIP file downloads with Internet Explorer (CR86098, CR86099)
When a user attempts to download a ZIP file of a folder with Japanese characters in the name, or a single file with Japanese characters in the name, with Internet Explorer, incorrect characters appear in the download dialog file name.

Other known issues

DNS server, ICMP, and remote system log server (CR66668)
You cannot enable the remote system log server when the ICMP packet is blocked between the FirePass controller and DNS server.

External groups, clusters, and failover configuration (CR67678)
When you delete external users from the main FirePass controller configuration in a clustered or failover configuration, the users remain on the standby unit. This can cause configuration errors when the users are added to the FirePass controller again.

ActiveX controls, administrator rights, and encrypted temporary folder (CR69475, CR69992)
When encryption is enabled on the %temp% folder, and a user with administrative rights installs ActiveX® controls through Internet Explorer, users without administrative rights cannot use these controls because Internet Explorer encrypts them in the Downloaded Program Files folder.

Failover pair external monitoring (CR70799)
Currently, the failover latency for a failover pair heartbeat, and when using external monitoring, is greater than 60 seconds.

Backup file and user session lockout (CR72007)
When you restore a backup file, the new user lockout option is disabled even though you might have enabled it previously. To view this option, navigate to the Device Management : Maintenance : User Session Lockout screen, and locate the “Lockout new user sessions” setting.

Change of SSL Cipher Security may cause FirePass to become inaccessible (CR72417)
If High-Grade Security is selected in: Security -> User Access Security ->SSL Cipher Security and the FirePass is not restarted, only the console will be accessible. The admin GUI and user GUI access will not be accessible. The only way to get access to the FirePass is to reboot.

Protected Workspace and Firefox (CR73409)
If a user closes a Firefox 2.0 session, then logs in to a Protected Workspace session, Firefox 2.0 starts a new tab with the new log on session, and another tab with the previous session.

Automated virus update and restoring a backup configuration (CR73973)
You cannot restore the automatic virus database update setting from a backup file. To view this option, navigate to the Portal Access -> Content Inspection screen, select the Antivirus tab, and scroll to the Virus Database Update area. session variable not available after upgrade to FirePass version 6.0.2 (CR76259)
The session variable is no longer available after you upgrade to FirePass version 6.0.2. If you have defined a pre-logon sequence or protected configuration that requires this variable, the logon or protected configuration fails. As a workaround, remove the session variable from your pre-logon sequences or protected configurations. For more information, see SOL8000: The session variable is no longer available after upgrading to FirePass version 6.0.2.

BIG-IP v9.4 SSL offload with FirePass controller (CR83710, CR84059, CR84110, CR84269, CR85485)
When you configure the FirePass controller for BIG-IP System SSL offload with BIG-IP version 9.4, a number of issues can occur. BIG-IP version 9.4 is not recommended with the FirePass controller for SSL offload. BIG-IP version 9.4.2, and earlier versions of BIG-IP (before version 9.4) work correctly.

Console Access Security settings are not backed up/restored (CR84930)
In the Admin console,  Device Management-> Security ->Console Access Security The settings: “Enable Password for maintenance console”, and  “Disable Maintenance SSH Access” are Not restored when a backup is restored on the controller.

Windows Mobile and domain names or landing URIs with dashes (CR85799)
If your domain includes one or more dashes, or you configure a custom landing URI that includes one or more dashes, a Windows Mobile version 5 or 6 device removes the dash when it processes the URL or URI, and the device cannot connect.

Workarounds for known issues

The following sections describes workarounds for the corresponding known issues listed in the previous section.

How to resolve reverse proxy issues with Citrix MetaFrame ICA files (CR54315)

This workaround describes how to use the reverse proxy when the Citrix® MetaFrame ICA file specifies the application name in the Address parameter and waits for the ICA client to resolve the name using the Citrix name resolution protocol. Do one of the following:

  • Add a host entry to the FirePass controller that resolves the application name to the correct server IP address.
  • Configure server location for Citrix NFuse. For more information about this topic, refer to the Web-server-side server location and Server location through firewalls sections of the Citrix NFuse Administrator's Guide.

Windows Vista and modify windows logon integration dial up entry(CR75429)

This workaround describes how to modify a Windows logon integration dial up entry on Windows Vista™ clients.

  1. On the Windows Vista™ client, click the Windows icon.
    The Program screen opens.
  2. Run rasphone.exe as an administrator.
    The network connection screen opens.
  3. In network connection, select the Windows logon integration dial up entry that you want to modify.
  4. Click the edit button.

[ Top ]

Contacting F5 Networks

  Phone: (206) 272-6888
Fax: (206) 272-6802

For additional information, please visit

Was this resource helpful in solving your issue?

NOTE: Please do not provide personal information.

Incorrect answer. Please try again: Please enter the words to the right: Please enter the numbers you hear:

Additional Comments (optional)