Applies To:

Show Versions Show Versions

Release Note: FirePass Controller version 6.1.0
Release Note

Updated Date: 08/30/2013


This release note documents the version 6.1.0 maintenance release of the FirePass controller. To review the fixes introduced in this release, see New fixes in this release. For existing customers, you can apply the software upgrade to version 5.5 and later. For information about installing the software, please refer to Installing the software.

Note: F5 now offers both feature releases and maintenance releases. For more information on our new release policies, please see Description of the F5 Networks software version number format.


- User documentation for this release
- Installing the software
- New fixes in this release
- Known Issues
     - Known Issues for network access
     - Known Issues for Administration
     - Known Issues for Application Access
     - Known Issues for Authentication
     - Known Issues for Network Access
     - Known Issues for Portal Access
     - Known Issues for Pre-logon and Post-logon Inspection
     - Known Issues for Clients
     - Other Known Issues
- Workarounds for known issues
- Upgrading from previous releases to FirePass 6.1.0 (CR133285)
- Contacting F5 Networks

User documentation for this release

In addition to these release notes, the following user documentation is relevant to this release.

You can find the product documentation and the Solutions database on the AskF5 Technical Support web site.

[ Top ]

Minimum system requirements and supported browsers

For information on system requirements and supported browsers, refer to the Client Compatibility Matrix for 6.1.0.

[ Top ]

Supported platforms

This release supports the following FirePass® platforms:

  • FirePass® 1000
  • FirePass® 1200
  • FirePass® 4100
  • FirePass® 4300

If you are unsure which platform you have, look at the sticker on the back of the chassis to find the platform number.

[ Top ]

Supported antivirus and firewalls

This release supports a variety of antivirus and firewall software. To use antivirus and firewall software inspectors with a pre-logon sequence check, you might need to reactivate your license. To view supported antivirus and firewall software, click one of the following links. Each link references a separate document, unique to the particular operating system.

Note: The supported antivirus chart references the OPSWAT version available at the time of release. The internal antivirus support chart updates when you install OPSWAT hotfixes which F5 Networks® releases on a regular basis. You can view this chart by clicking on the Help button in the upper right corner of the Administrative Console and in the new window which opens. Navigate to Users: Endpoint Security: Inspectors: Antivirus Support Chart: Antivirus Support Chart.

Also, please see SOL6664: Obtaining and installing OPSWAT hotfixes for more information about these important updates.

[ Top ]

Installing the software

The following instructions explain how to install the FirePass controller version 6.1.0 onto existing systems running version 5.5 or later.

Warning: To upgrade from an earlier version to FirePass controller version 6.1.0, refer to the Workarounds section for important upgrade information.

Important: Back up the FirePass controller current configuration before upgrading the controller. If you have a newer FirePass controller, use the Snapshot feature to back up the entire controller configuration. For more information, refer to SOL3244: Backing up and restoring FirePass system software on AskF5SM. To back up older FirePass controllers, click Device Management on the navigation pane, expand Maintenance, and click Backup/Restore. Click the Create backup of your current configuration link to back up the FirePass controller configuration. See the online help for details.

Note: Once you upgrade the FirePass controller to version 6.1.0, you cannot downgrade to any previous version, which is why it is critical that you use the snapshot function outlined earlier in SOL3244: Backing up and restoring FirePass system software because if you need to revert and you make a snapshot first, you can restore in minutes. For more information, see SOL2847: Downgrading to a previous FirePass software version on AskF5SM.

Warning: Prior to upgrading any FirePass controller, it is important to finalize all your network configuration settings if you have any unsaved changes. To do this, on the navigation pane, click Device Management, expand Configuration, and click Network Configuration. Click the Finalize tab at the upper right to finalize your network configuration changes. If the Finalize tab does not appear on the Network Configuration screen, your configuration has been finalized.

Important: We have moved group-based policy routing from resource groups to master groups at the Users : Groups : Master Groups screen. If you are upgrading to version 6.1.0 from a release earlier than version 5.5, you must manually create new associations between your master groups and any routing tables that were associated with resource groups. Routing tables are no longer associated with resource groups. Before you upgrade, we recommend that you record these routing tables. For more information, refer to SOL5502: Overview of routing table configuration and conversion in FirePass version 5.5 on AskF5SM.

Important: The version 6.1.0 software uses a new heartbeat module, which is only compatible with releases 5.5 and later. If upgrading from a release earlier than 5.5, refer to SOL4467: Best practice: Upgrading a redundant pair of FirePass controllers to prevent potential IP address conflicts due to an incompatible heartbeat modules.

Important: If you upgraded from any release older than 5.4 to release 6.1.0 and you enabled the virtual keyboard before you upgraded, you can no longer disable the virtual keyboard. We recommend that you disable the virtual keyboard before you upgrade.

Note: If you are running any version previous to FirePass version 5.0, you must first upgrade to version 5.0 before upgrading to 6.1.0. For instructions for upgrading to version 5.0, see SOL4272: Upgrading a version 4.x FirePass controller to version 5.0 on AskF5SM.

Note: If you are upgrading from FirePass version earlier than 6.0.2, and area also using Active Directory authentication or group mapping, please make sure that you specify the Domain in the Active Directory configuration in Fully Qualified Domain Name (FQDN) format. Non-FQDN format is not supported in FirePass 6.0.2 and later. Please refer to SOL8180: Change in Behavior: Fully Qualified Domain Name is required for Active Directory authentication or group mapping.


Upgrading from version 5.5 or later

The following instructions explain how to install FirePass version 6.1.0 onto existing systems running version 5.5 or later.

Important: You must have an active service contract to upgrade to release 6.1.0. If you have a current service contract, re-activate your license and then resume installation. If your service expiration date is prior to the date you are doing the upgrade, you need to reactivate your license. The service expiration date is located on the Device Management : Maintenance: Activate License screen.

Important: With release 6.0 and later, we have removed the Desktop Adapter, UNIX Adapter, and VASCO DigiPass authentication features. When you upgrade to release 6.0 or later, these features will not be supported or available. Before upgrading to the 6.1.0 release, please review the FirePass controller configuration and remove any configuration settings and Favorites associated with these features. To continue using any of these three features you must use the 5.5.x release. For more information about the end of life policy for these features please refer to SOL5492: FAQ for the End of Life Announcement of the Desktop Access, VASCO Built-in Server, Unix Adapter and Solaris Client Support Features in FirePass.

Upgrading to version 6.1.0

  1. Create a snapshot of the current FirePass controller.  For details about how to do this, refer to SOL3244 at SOL3244: Backing up and restoring FirePass system software.

  2. On the Administrative Console, in the navigation pane, click Device Management, expand Maintenance, and click Backup/Restore.

  3. Create a backup of your current configuration.
    For details about how to do this, refer to the online help on this screen.

  4. In the navigation pane, click Device Management, expand Security, and click Timeouts.
    The Timeouts screen opens.

  5. Temporarily change the option Global inactivity timeout to a large value, such as 8 hours, so that the upgrade process does not time out while downloading the image.

  6. Disable all pop-up blockers in your web browser so that any generated error messages during the upgrade process (local upgrade or on-line upgrade) are displayed.

  7. In the navigation pane, click Device Management, expand Maintenance, and click User Session Lockout.
    The User Session Lockout screen opens.

  8. Configure the following user session lockout options.

    1. In the User Session Lockout area, check the Lockout new user sessions option to prevent any new FirePass controller users from logging on.

    2. In the Kill Current Sessions area, click the Kill all sessions (except this one) link to log off all current FirePass controller users.

Upgrading via Online Update (recommended)

    Note: The online update relies on your internet connection to be fully stable during the upgrade, and you must have proper DNS configured. Additionally, FirePass must have internet access to its interface where the default gateway resides. Please be aware that the Online Update does not install hotfixes; it is only for major upgrade versions, such as 6.0.3, 6.1, etc.

      1. In the navigation pane, click Device Management, expand Maintenance, and click Online Update.

      2. Select the link for Release 6.1.0 to upgrade the FirePass controller.
        The upgrade may take several minutes to complete, and once it is completed, the controller automatically reboots.

      3. After the controller reboots, reconnect to FirePass and logon to the Administrative Console.

      4. In the navigation pane, click Device Management, expand Maintenance, and click User Session Lockout.
        The User Session Lockout screen opens.

      5. Clear the checkbox Lockout new user sessions to allow users to logon to the FirePass controller again.


Upgrading using the Local Update feature

The following instructions explain how to download and install FirePass version 6.1.0 onto existing systems running version 5.5 or later using the local upgrade mechanism. This upgrade method is only recommended if you cannot upgrade using the Online Update.

To upgrade to version 6.1.0, you can use the F5 Electronic Software Distribution site to download the new software image at You can then follow the installation instructions below to install the new image.

To download the upgrade

To download the software upgrade, you must first create an account at This site uses an F5 single sign-on account for technical support and downloads. After you create an account, you can log on and download the FirePass version 6.1.0 release installation image.

  1. Using a web browser connected to the internet, go to
    The F5 Sign-on screen opens.

  2. In the User Email box, type the email address associated with your F5 technical support account.

  3. In the Password box, type the password.

  4. Click the Login button.
    The Overview screen opens and provides notes about using the Downloads site.

  5. Click the Find a Download button.
    The Product Lines screen opens listing all F5 product families.

  6. Locate the FirePass product family and click the adjacent FirePass link.
    The Product Version screen opens, listing the available download containers for the current product version.

  7. Click the release link for version 6.1.0.
    The End User License Agreement screen opens.

  8. Read the license agreement, and click I Accept to agree to the terms of the license.
    The Select a Download screen opens.

  9. Click the FP-6.10-20091009.tar.gz.enc link to begin downloading the upgrade image to your local system.
    The Select Download Method screen opens.

  10. Click an option indicating the method you want to use to download the file.


To install the upgrade

  1. Log on to the Administrative Console.

  2. On the navigation pane, expand Maintenance and click Local Update.
    The Local Update screen opens.

  3. Type F5Networks for the Password box.

  4. For the File setting, click Browse.
    A dialog box opens.

  5. Using the dialog box, browse to the location where you downloaded the FP-6.10-20091009.tar.gz.enc file in step 9 of the previous procedure.

  6. Using the dialog box, click the FP-6.10-20091009.tar.gz.enc file name to select it, and click the Open button.
    The dialog box closes, and a path name appears in the File Name box.

  7. Click the Submit button.
    The upgrade may take some time to complete. When finished, the FirePass controller automatically reboots.

  8. Once the system reboots, reconnect to the FirePass controller and logon to the Console. In the navigation pane, click Device Management, expand Maintenance, and click User Session Lockout.
    The User Session Lockout screen opens.
  9. Clear the checkbox "Lockout new user sessions" to allow users to logon to the FirePass controller again.


[ Top ]


New fixes in this release

The following fixes are new to FirePass version 6.1.0.

Legacy hosts and European local keyboards (CR48818)
Previously, European users using local keyboards could not pass all characters to legacy hosts. Now, they can pass all characters to legacy hosts using local keyboards.

Japanese IME 2007 protected workspace with Windows Vista (CR89943, CR89943-1)
Previously, if you were using protected workspace on Windows® Vista, you could not use Kanji characters at all. Now, you can use Kanji characters.

DNS information in client interface (CR93690)
Previously, if you configured a server DNS address identical to the client DNS server address from the Network Access: Resources: DNS screen, the FirePass controller erroneously removed the client DNS address from the local interfaces. As a result, client network configuration becomes corrupted. This is fixed.

Utimaco Safeguard Enterprise and protected workspace (CR95430)
In previous release, if the user entered protected workspace with Utimaco Safeguard Enterprise version 5.2 installed, the protected workspace on the client PC hangs, and automatically shuts down. This is fixed.

Protected workspace and Recent folder (CR102741)
Previously, when you ran network access connection on a Windows system, in certain network configurations, some hostnames failed to resolve. This is fixed.

Cache Cleaner not hidden (CR108080)
In previous release, the cache cleaner window was not hidden. It is now hidden.

Support for Citrix XenApp MSI package inside InstallControl (CR108839)
We now support MSI installation inside InstallControl, and support of uploading MSI packages for the Citrix XenApp Web Control.

Old RequireIssure value remains (CR116825)
In previous release, the RequireIssuer value in each master group's auth.ini file remains even when the corresponding client root certificate was removed. As a result, the administrator had to manually change the RequireIssuer value manually through the administrator UI. Now, the administrator no longer is required to change the RequireIssuer value manually.

DNS relay service (CR118292)
In previosu release, DNS relay proxy service can resolve domain names and hosts. However, if the host was not FQDN, then the service does not resolve domain names. This has been fixed.

DNS relay service and the registry (CR118960)
In previosu release, DNS Relay Proxy service fails to resolve names if DNS is corrupted in the registry. This has been fixed.

Network Access TunnelServerX (CR119897)
Previously, when you open NetworkAccess: AppTunnel: TerminalServer for the first time, TunelServerX.dll will start a new TunnelServer.exe process that is used to create SSL Tunnel to FirePass. The current timeout for TunnelServerX to wait for TunnelServer.exe to start was 11 seconds. Occasionally, TunnelServer.exe will start after 11 seconds, and TunnelServerX will time out. Therefore, a user will see "Couldn't connect to proxy server" message in the network access popup window. This has been fixed by increasing the time that the TunnelServerX waits for the TunnelServer.exe to start.

Network Access with Relay Proxy (CR119015-1)
Name resolution fails after you establish a network access connection. This was caused by the relay proxy service, and has been fixed.

[Flash] Issue with jump length limitX (CR120684)
In previous release, a client resets a connection in time of receiving /launch/viewer.swf. This is fixed.

Loading of icons for Citrix Portal (CR121527)
In previous release, we fetch icons right after we get the list of published applications. As a result, loading the Citrix Portal may take some time to occur. Now, we have delayed the loading of the icons to increase the speed of loading the Citrix Portal.

Web applications with rewriting scripts (CR122556)
Previously, one-line comments made in a JavaScript scheme will break rewritten scripts. This is no longer the case.

Network Access cannot be established if a proxy PAC file is over a HTTP redirect (CR123128)
Previously, network access cannot be established when the automatic configuration script is hosted behind a redirected server. Now, network access can be established with a PAC file

Dynamic script includes for FireFox (CR123376)
In previous release, client web applications with FireFox 2 browser sometimes caused javascript error. This is fixed.

Citrix window opened off-screen (CR123814)
Previously, when you open a Citrix window, and apply a screen resolution of 90%, the screen was displayed off-screen. Modification of the window position are scripted through Citrix ICA Client Object API. That API's security standards prevented such operations as window position modification from execution at untrusted locations. Now, the correct terminal window position is set only with administrator rights or if FirePass is hosted in the Trusted Sites zone.

Support for multiple issuer CN attributes (CR124039)
In previous release, required client certificate issuer attribute did not allow administrator to select specific issuer if the certificate contained multiple issuers. Now, it is allowed.

Client side javascript rewrite (CR124332)
In previous release, if you enter two slashes in the path, it will cause an error. Now, you can enter two slashes without errors.

Localization: French translation with pre-logon (CR124417)
Previously, If you enable "Choice of language in the logon page" under Advanced customization and set it to French, create pre-logon sequence failed. This has been fixed.

Reverse proxy and special characters (CR124664)
Previously, certain characters would break F5 strip function in cache-fm. This has been fixed.

Terminal Server with Citrix (CR124732)
When opening a Citrix shared desktop with "open in new window" favorite with screen resolution of 90% of screen, you do not get scrollbars. Now, the remote session is correctly displayed in the terminal server window and no scrollbars are needed.

Communicator Web Access 2007 not working with HF-603-3 (CR124743)
Firefox (v3.0.xx) users was not able to send messages to their contact using Microsoft Communicator WebAccess 2007 when using FirePass' portal access with HF-603-3. This is fixed and Communicator Web Access message window now opens correctly.

Loading big javascript files (CR124734)
Previously, when big java script (1.6Meg. in test case) is loaded through web application, memory usage of httpd process increases to about 300 Mb. If the memory limit of FirePass is exceeded, the browser failed to load this javascript file. Now, memory allocation is optimized to fix this problem.

Network Access favorite and RSA SoftToken (CR125224)
In previous release, when RSA SoftToken IE plugin is installed (as part of RSA SoftToken installation), and "Activate RSA SecurID Software Token browser plugin on logon page" is enabled under Users : Global Settings, the user is automatically logged in, but they do not get network access favorite. However, application tunnels and Portal favorites are displayed. As a previous workaround, if that checkbox is disabled, user can manually type their username and current RSA token value as a password to login and their network access is displayed. This is fixed and user no longer needs to manually type their username and current RS token value.

Mobile email (CR125292)
Previously, when a user tried to open an email which is sent from Outlook without a multi-part body, Firepass displayed another email's body, which was previously displayed. This has been fixed.

Protected Workspace and large files (CR125353)
In previous release, you cannot copy a file larger than 153K from PWS. The file copy will fail. This is fixed.

Multiple ASVs with logical AND OR operators does not work (CR125522)
In previous release, using Multiple ASVs (combined with AND or OR) in the Condition breaks the ASV. This is fixed.

Javascript rewrite engine (CR125625)
In previous release, you cannot copy a file larger than 153K from PWS. The file copy will fail. This is fixed.

Disabling NA autolaunch with multiple favorites (CR125711)
Previously, when you have multiple network access favorites set to auto-launch, auto launch occurs with first network access favorite in the list. However, there was no way to turn it off. We now have a new option in Network Access: Master Group Settings to disable NA autolaunch if multiple favorites are marked for autolaunch.

ActiveSync does not work with Windows Mobile 6.1.0 (CR125714)
Previously, activeSync proxied through FirePass did not work with Windows Mobile 6.1.0 with HF-603-4 installed. This is fixed.

Active Directory domain fails after new PIN request from RSA authentication(CR125780)
In previous release, if Active Directory domain password had special characters, the wrong password is sent to Active Directory. This is fixed.

Network Access favorite duplication (CR125802)
Previously, network access favorite is duplicated if there were two resource group mappings. For example, if FirePass is configured to use global resource group mapping and resource group mapping in user’s master group, and both of the methods returns equal resource group, then the user will see 2 identical Network Access favorites. This is fixed.

ATL vulnerability (MS09-035) in client ActiveX controls (CR125945)
In previous release, on July 28, 2009 Microsoft released a Security Bulletin MS09-035 describing a vulnerability in ATL library code that could allow remote code execution. Based on this, some F5 ActiveX controls were vulnerable. Now, we have removed unused functionality (COM interfaces) from our ActiveX controls.

Problem with External client root certificate's without Country field in Subject (CR126680)
In previous release, there was an issue in the Country name parsing code for Client root certificate. This issue caused a failure to create client certificates with certain subject patterns of the CA cert. This is fixed.

Network Access IP packets with size 1500 and bigger are lost (CR126865)
Previously, IP packets were lost with ICMP packets with 1472 payload and bigger. That is for IP packets of size = IP header (20 bytes) + ICMP header (8 bytes) + payload (1472) = 1500. Now, IP packets with that payload are acceptable.

[Flash] Problems with variable scope negotiation in some rare cases (CR127845)
Previously, 'Do not perform dynamic TextField content patching for next URLs:.' field was placed into Portal Access : Web Applications : Master Group Settings.

Sync with LDAP/AD deletes/deactivates all users that are not in LDAP/AD (CR65995)
Previously, all users were deleted or deactivated only in groups that have setting "assign users to this group using dynamic group mapping" turned on. Now, other users from other groups are safe from deletion/deactivation.

User Experience for 1 Group changes all Groups (CR72340)
Previously, FirePass Webtop won't show logo and banner by default. This is fixed.

Host screen for Firefox (CR 80208)
In previous release, when using Firefox, if you use a terminal server to connect to a remote machine, and set the initial preference for screen resolution to percent of screen size and check the open in a new window option, you may get a window that does not display the entire host screen correctly. As a result, you may not be able to access the Start menu. Now 'Toggle scrollbars' link is present on non-IE browsers - Firefox and Safari.

Updating local account passwords (CR126841)
In previous release, local account update password function failed after installing HF-603-4.2-1. Now, local account password function works.

Active Directory Dynamic Group Mapping fails for case sensitive logons (CR126300)
Previously, when using case sensitive usernames to dynamically map Active Directory users to resources or groups, failed. Now, you can use case sensitive usernames successfully.

Web application fails to work with portal access (CR122568)
Previously, web application fails to work with portal access. The application failed with the error "Failed to create ur$top.cache:[object Error]. This is fixed in this release.

Usernames with non-US characters incorrectly encoded in NTLM (CR123248)
In previous release, when you access a web site that requires NTLM or Negotiate auth, FirePass incorrectly encodes username if it has non-US characters. As a result, user can't pass authentication, and is returned to the Proxy form. We have corrected the unicode conversion.

Dynamic Active Directory Resource Group Mapping (CR125518)
Previously resources are assigned dynamically using a per master group dynamic resource group mapping on AD. Installing HF-603-4, causes (at least) one resource to not bet assigned to users. This is fixed.

Active Directory Dynamic Group Mapping fails for nested group (CR125615)
Previously, Active Directory groups were cached (and later reused), but in the previous release, that call was missing a query for nested groups, so nested groups info is not available in the cache. This is fixed.

Changes in [ControlHandling] silently restarts apache on cluster slave (CR106540)
Previously, the Apache server will not come back up again on cluster slave after an auto-restart. Now, it will resume after an auto-restart.

Unable to send archive log via email (CR117160)
In previous release, if you upgraded from 6.0.2 to 6.0.3, you longer received any archive logs via E-Mail. This is fixed.

Java web start applications fail to run inside PWS (CR120649)
In previous release, Java applications will not work inside protected workspace. Now, you can run Java applications inside protected workspace.

Access to sshd via legacy hosts fails if server replaced (CR120737)
Previously, Access to sshd using legacy host failed if the server replaced, or the server host-key regenerated. This no longer occurs.

PPP interface has incorrect mtu value on client side (CR120913)
Previously, the mtu value for FirePass was 1500, while the client side mtu value was 1012. The mtu for both is now 1500.

Single sign-on does not work for 10.x Citrix clients (CR121028)
Previously, Citrix client version was incorrectly detected. As a result, an old method of passing credentials for SSO is used that did not work for new Citrix clients (10.x and above). This is fixed.

Encapsulated tcp packets loss (CR121220)
Previously, MacOS X users experienced very slow file transfers through network access, while Windows and Linux clients have much higher throughput than OS X when transmitting files. This is fixed.

Citrix chunked data may come without final CRLF (CR121523)
Previously, some Citrix servers, when responding with chunked data, did not send the final CRLF. This is fixed.

MacOS X slow to bind with Active Directory over Network Access (CR121529)
Previously, MacOS X clients bounded to Active Directory can take a few minutes to open some applications. This delay only occurred on the first launch and is presumably the client joining the domain across Network Access. This is fixed.

Javascript errors in Web Applications (CR121768)
In previous release, a web application failed to display a page after a link is clicked. The application works in compatibility. mode 2 but this mode broke a different application. This is fixed. does not use configured Reply-To E-Mail address when sending (CR121773)
In previous release, when FirePass sends Client certificate package via email to user, did not use the "Reply-To E-Mail Address:" value defined under Device Management:Configuration: administrator E-Mail when sending the email message. This is fixed.

Pre-logon sequences (CR121820)
Previously, when you edit active pre-login sequences, only partial content of the sequence.xml file was synced to the cluster slave. As a result, it was not fully written. This is fixed.

Standalone client and RSA token (CR121875)
Previously, when the user goes into next token code mode, the box was already pre-filled with existing credentials. Because of this, the user saw the box already pre-filled and simply hits Logon instead of waiting for the RSA token to change, and then enter it along with their pin. This was causing users to get locked out of their accounts. This is fixed.

Fragmented IP packet loss with certain packet size (CR121948)
Previously, network traffic from the intranet machines in the LAN did not get transmitted to VPN clients over Network Access connection after changing from 602 to 603 client components. This is fixed.

Case-sensitive username breaks external authentication (CR121904)
Previously, Firepass tried to authenticate with lower case usernames to external auth servers, like Radius, and fails. This is fixed.

Improve cluster/failover sync performance (CR122039)
Previously,with more than 10 node clusters, periodically, the load became very high in the cluster and caused FirePass to slow substantially. This is fixed.

Mac NA connection drops when using Safari to start network access (CR122046)
In previous release, using Safari to start network access, once the network access connection was established, network access connection dropped after inactivity on Safari. This is fixed.

JavaRDP client fails to connect to Windows 2008 and Vista (CR122060)
In previous release, Java RDP clients could not connect to Windows 2008 or Vista. This is fixed.

[Standalone client] added an extra host to the drop down list while auto-update (CR122073)
In previous release, standalone clients were not being properly updated when you upgraded from 6.02 to 6.03. This is fixed.

iPhone generates multiple sessions (CR122092, CR129089, CR103787)
Previously, when a user connected through the Firepass with an iPhone and synced via activeSync, it generated at least two user sessions, just seconds apart from each other. This is fixed.

User not being sync'd from primary to secondary in failover pair (CR122232)
Previously, user database was not syncing all users across to secondary node in a failover pair. This is fixed.

Reverse Proxy does not t display content in javascript pop-up window while using Firefox (CR122248)
Previously, HTML content (for a date selection calendar) was not being written to new window opened via JavaScript when using FireFox. This is fixed.

Reverse Proxy failed to retrieve the .jar file due to the unpatched JavaApplet (CR122350)
Previously, Reverse Proxy sent unnecessary "0" when an unpatched .jarfile is returned to JRE. As a result, JRE could not retrieve the .jar file and errors occurred. This is fixed.

Password expiration system warning not displayed (CR122548)
Previously, if an internal Active Directory master group with 'Warn user of password expiration' option is enabled, System Warnings were enabled for the master group, and users successfully receives a password expiration warning when logging into windows. However, they did not receive a warning message when logging onto FirePass. This is fixed.

Standalone FirePass 4100 does not support forced media to either Full Duplex or Half Duplex (CR122644)
Previously, standalone Firepass GUI allowed the user to force media settings for dataplane interfaces, and wrote the configuration files properly, but the interface stayed in auto-negotiate mode. This is fixed.

PPP frames with tilde character(~) silently discarded by Windows VPN driver (CR122826)
Previously, packet loss occurred in Windows VPN driver when uploading file with many tilde characters (~). This is fixed.

Passive FTP thru Static Apptunnel does not work (CR122966)
Previously, after tunnel code changed in HF-602.1, passive FTP thru Static Apptunnel no longer worked. This is fixed.

Standalone Client does not work in simple mode with a few network access favorites (CR104750)
Previously, if more than one different resource groups were assigned to a user, standalone client in Simple mode (with Legacy and WebUI logon prompt) could not establish SSL VPN connection. This is fixed.

SNMP Logs even though Log level is at Emergency (CR109120)
In previous release, when using a mib browser to query the FirePass for SNMP information, the FirePass creates log entries in /var/uroam/log/firepass even though the log level is set to Emergency. This caused a lot of log information which can fill up /var quickly. Now, log entries are no longer created for Emergency level logs.

SSL proxy exclusion list bypassed for ActiveSync (CR111311)
In previous release, SSL proxy exclusion list was being bypassed for ActiveSync.This is fixed.

ActiveSync fails with "show administrator-defined favorites only" checked (CR117737)
In previous release, when "show administrator-defined favorites only" was checked in Portal Access: Master Group Settings for a given master group, activeSync failed. This is fixed.

Users cannot login into standby unit after failover (CR117934)
In previous release, users could not logon to FirePass after failover occurred, and the following message was displayed on the logon page: The number of concurrent sessions has exceeded the maximum licensed. This is fixed.

Java RDP applet does not free resources-OutOfMemory exception (CR118229)
In previous release, every time you started a Java RDP terminal server favorite, it allocated some resources like threads. When you close the favorite, these resources were not released. As a result, if you open the Java RDP favorite multiple times, the used Java heap space grew until you received a java.lang.OutOfMemoryError exception. This is fixed.

Browser/OS detection breaks if UA string is longer than 256 chars (CR119119)
In previous release, FirePass' OS detection broke and the user could not go thru the Pre logon check. This is fixed.

RADIUS group mapping method shared secret cleared in Japanese UI (CR119156)
In previous release, Radius Group mapping methods and shared secret and confirm shared secret cleared itself if you changed any other configuration & clicked Update. This occurred only when Japanese UI was used with "Translate UI" option checked. This is fixed.

Autologon does not work for existing favorites after upgrade to HF-603-2.1 (CR119458)
After upgrade to HF-603-2.1 terminal service autologon stopped working for existing favorites. This is fixed.

Standalone client legacy mode does not load balance 2 cluster slave (CR119598)
Previously, if cluster random load balance was enabled on FirePass, standalone clients in legacy mode could not log on to cluster master or on cluster slave. This is fixed.

Downloads via Web Applications do not work in PWS (CR119635)
Previously, when CacheCleaner option "Require cache cleanup ActiveX/Plugin to be loaded to allow attachment downloads in Mobile E-Mail and downloads via Web Applications" was enabled, downloads done through web applications did not work in protected workspace. This is fixed.

Proxy AutoConfig script file can be truncated when receiving WSAEventSelect signals (CR119794)
In previous release, when the network access favorite was configured with Client proxy settings, Proxy AutoConfig script and "Use http:// path for auto-generated ProxyAutoConfig script" enabled, there is an intermittent chance that the proxy pac file was not completely streamed to the client applications (such as browsers) and led to client applications not being able to contact the correct proxy servers. This is fixed.

Incorrect Active Directory password expiration message (CR119972)
Previously, a wrong message was displayed when prompting the user to change their password. The correct message is now displayed.

System logs cannot be deleted through GUI (CR119980)
Previously, you cannot delete system logs from Device Management: Maintenance: Logs. Now you can.

Protected configurations fail with boolean characters (CR120102)
Previously, if the logical operators for greater than, less than, greater than or equal to, less than or equal to, i.e. '>', '<', '>=' and '<=', were configured with the logical operators 'AND', 'OR' and/or 'NOT' in the same protected configuration criteria check, then the logical operators 'AND', 'OR' and 'NOT' was transformed to lowercase after you clicked Save. As a result, invalidating the protected configuration criteria check. This is fixed.

Dynamic Tunnel connection fail if loopback IP specified (CR120345)
Previously, applications failed to connect thru DynamicTunnels/WebAppTunnels if it used loopback IP address on socket::connect call. This is fixed.

Thread leaks when establishing SSL VPN on Windows Mobile 5 devices (CR120600)
Previously, the SSL VPN client for Windows Mobile 5 used virtual serial port driver for establishing NA connection. The driver got loaded by Device Manager (device.exe) on ppcvpn.exe application startup and unloaded when application exited. After each loading/unloading procedure, one thread was left running in the Device Manager process device.exe. This caused the driver to fail to load the driver after many sequential load/unload iterations. This is fixed.

Access denied error seen when Windows files Webifyer icon is clicked (CR120623)
After installing HF-603-1, users received an error 'access denied' when they clicked on the Windows Files webifyer icon in the left hand column on the webtop, or if they clicked on the Windows Files link in the main screen. Now. they no longer see the error.

Administrator deletes groups, users lose personal favorites (CR120727)
In previous release, when the administrator deleted groups, users lost their personal favorites. This is fixed.

Standalone auto update doesn't stop parent instance (CR120904-1)
In previous release, standalone client's auto update process did not stop the parent instance (pre-login sequence performed). Therefore, auto update failed to update itself. This is fixed.

Unable to extract DOM document from JavaScript include due to the typo (CR121453)
In previous release, there was a typo in the inclusion of javascript-includes which rendered the ability to extract DOM documents. This is fixed.

Vista: IE7 or IE8 cannot be launched by Dynamic Apptunnel (CR86595)
In previous release, dynamic tunnels that launched Internet Explorer7 did not work through the TunnelServer. This is fixed.

Zip archive is corrupt when folder downloaded from "Windows Files"(CR118658)
In previous release, corrupted zip archives were generated when folders were downloaded as zips through FirePass "Windows Files." Now, they are no longer corrupt when downloaded.

Client ACL with split tunneling enabled is patched incorrectly (CR118881)
In previous release, web applications would fail thru portal access. Now, a change in ACL and split tunneling fixed the issue.

Log files rotation does not work for Windows Mobile SSL VPN client (CR118400)
In previous release, SSL VPN for Windows had a log rotation feature which was not working in Windows Mobile client. Now, the log rotation feature works with Windows Mobile client.

Disabling terminal server bitmap caching does not work (CR118797)
In previous release, the setting for a terminal server favorite "Enable persistent cache (bitmap caching)" was not functioning properly. When unchecked (disabled), the ActiveX component was still caching content Now, the setting is working and ActiveX components are caching properly.

Internet Explorer 6 fails to load OWA and Citrix with Reverse Proxy (CR117800)
In previous release, Citrix Presentation Server and OWA server would not work with Portal Access when using Internet Explorer 6. Now, they work with Internet Explorer 6.

TN3270 Legacy host enter key does not work properly (CR117794)
In previous release, TN3270 Legacy host enter key did not work properly. Now, it works.

Display dialog box option does not work if server in trusted list (CR117261)
Previously, FirePass static AppTunnel and Network Access had an option "Display dialog box before launching application". However, the dialog box did not display if the server is listed in the trusted list. Now, the dialog box is displayed appropriately.

Cannot launch multiple instances of Citrix App in Portal Access (CR117451)
Previously, you cannot open more than one instance of a published application from Citrix Web Interface (Portal Access favorite). This is fixed.

For Terminal Server, sound is not redirected for Citrix Portal applications (CR117199)
Previously, sound was not working for Citrix Portal applications, assuming "Redirect local audio" was checked. Now, sound is working for Citrix Portal applications.

Web tunnel delay (CR116924)
Previously, from time to time, loading of a website through a Web application tunnel delays for 10 minutes (with no content displayed) or times out. Now, you no longer see this delay.

User Defined Session content is lost on authentication failure (CR116138)
Previously, if you enabled the option "Display extra input field at logon for user defined session variable" under Users:Global Settings in the "User Defined Session Variable Settings" section and populated it with several comma-separated domains (such as,,, etc), and then navigated to the FirePass logon page and incorrectly enter your user credentials, the return logon page displayed showed the User defined session configuration as blank with no drop down options. Now, it works by maintaining the previously selected option as well as the selectable options in the drop down list.

Citrix apps fail to start from Web Interface thru Portal Access on HF-603-2 (CR117490)
Previously, Citrix published applications failed to start from WebInterface thru Portal Access. An application tunnel popup is started as usual, but then you get a message box with an error: This is fixed.

Icon for the first published application is missing on Citrix Portal page (CR116590)
Previously, FirePass closed the TCP connection after the request for the icon was submitted. This is fixed.

SharePoint2007 doc library drop down menu breaks in FireFox (CR117454)
Previously, SharePoint2007 document library drop down menus did not working under Firefox, unless the SharePoint was opened in a new browser window. This is now fixed and SharePoint2007 will work without having to open a new browser window.

Mac client network access drops on timeout with Safari (CR116911)
Previously, some controls (context menu, drop down menus) caused javascript to stop. As a result, Safari stopped responding. This is fixed.

Sanitized front page URLs to avoid XSS injection (CR116015)
Previously, XSS vulnerabilities were found on FirePass's URLs. Now, there are sanitation checks in place which eliminate these vulnerabilities.

CRL retrieval fails when URL contains port (CR91372-1)
Previously, when URL for automatic CRL retrieval was specified on Device Management : Security : Certificates administrator UI page, CRL retrieval fails. This fixed.

Unable to have multiple Citrix sessions when using session reliability (CR94417)
Previously, a user was unable to open more than one citrix application at a time when session reliability was enabled on both sessions. Now, a user can have multiple citrix applications open at one time.

NTLMv2 authentication support for Windows 2008 (CR100553)
Previously, NTLMv2 authentication did not work with Windows 2008 Server. Now, it is supported.

[Standalone] post-logon unexpected session termination (CR101486)
Previously, standalone's (web logon mode) network access favorite disconnected after start with configured post-logon session termination option. This is fixed.

Firefox crash after closing Citrix session & typing text in location bar (CR106976)
Previously, after a user running Firefox closed a citrix favorite (embedded or new window), the browser crashed. This is fixed.

Launching java terminal server from Mac OSX results in java error (CR107418)
Previously, when attempting to launch an app Tunnel resource with a Mac client, the following error displayed: Java applet cannot be started. Please make sure that a required version of Java is installed. This is fixed.

Network Access fallback policy check doesn't work (CR108278-1)
Previously, FirePass sent an HTTP 404 response with the message "FirePass server could not handle the request Reason: Network Access policy fallback is not permitted - security violation," when the option "Enable policy fallback" was checked in (enabled) under Network Access: Resources: Policy Checks (tab). This is fixed.

Cannot change expired password with WebDav (CR108742)
Previously, you could not change expired Active Directory password with WebDav. Now, you can change the expired password with WebDav.

WinLogon integration unable to connect with DHCP and while GZIP compression enabled (CR109282)
Previously, Windows logon integration dialer was unable to connect when DHCP was configured for the network access resource, and while GZIP compression enabled. Now, it connects successfully with DHCP configured and GZIP compression enabled.

Auto-logon with java client does not work on terminal server (CR109323)
In previous version, single sign-on did not work for terminal services with Java client checked. Now, auto-logon works with java MS terminal servers.

Network Access and Dial-up connection in Internet Explorer (CR109359-4)
In previous version, if you set the Internet Explorer's "Internet Options:Connections to "Dial whenever network connection is present," and then launched network access, the option automatically switched to "Always dial my default connection." Now, this no longer occurs.

DNS configured entries corrupt local client DNS setting (CR109492)
In previous version, if you had multiple DNS domain suffixes configured for FirePass network configuration and network access' DNS option "Enforce DNS search order" was enabled, after network access established, the entire DNS suffix configuration became corrupted. This is fixed.

Network access connection drops on ping traffic when using Safari (CR110342)
In previous version, if you were using Safari to start network access, and ping the connection, network access drops. This is fixed.

Username/login and password prompts are not rendered correctly in Japanese (CR110638)
In previous version, user password recovery pages were not properly localized. Now, entering the login and password in Japanese renders correctly.

Proxy AutoConfig setting remains for other Dialup/VPN connections (CR111811)
In previous version, if there was another connected Dialup/VPN connection with a network access connection established, and the Proxy AutoConfig Script was pushed down from FirePass, that setting was also applied to the other Dialup/VPN connection. However, that setting remained on the other dialup/vpn connection, even after network access disconnected. This is fixed.

Java Applet cannot start when using Java RDP for terminal service (CR112445)
In previous version, if you used Java RDP with terminal service, the Java Applet will not start. This is fixed.

RSA Authentication fails after a period of time in threaded mode (CR112435)
In previous version, RSA Authentication failed after a random amount of time in threaded mode. This is fixed.

Web application portal access fails to translate unicode characters (CR112521)
In previous version, if you tried to deliver a javaScript and ASP based web application through portal access. Accessing the application through this portal access failed with a HTTP 404 (File Not Found) Response. This is fixed.

When using Java RDP, the Select a program property is not honored (CR112541)
In previous version, when a Terminal Server favorite was configured for Java client and "Select a program:" property was also set, the selected program did not start when a user started the favorite. This is fixed.

OWA breaks under compatibility mode 2 with Firefox (CR112589)
In previous version, .using compatibility mode 2 with Firefox broke Outlook Web Access. This is fixed.

Portal Access failure with Siebel eCommunications Server (CR112685)
Previously, a problem with this Siebel application when using FirePass caused one of the popup pages when using the application failed to load because FirePass was not rewriting the URL. This is fixed.

Static route to FirePass is not removed upon network access shutdown (CR112733-1)
Previously, Mac and Linux Network Access client added a static route to FirePass so that they can reach the FirePass after the tunnel was established. However, when the network access connection was terminated, this route was expected to be removed, but it did not remove itself on the Mac client. This is fixed.

Microsoft Communicator Web access does not work through reverse proxy (CR112985)
Previously, MS Communicator Web Access did not work through reverse proxy. This is fixed.

JavaScript based web application fails to load through Portal Application (CR113099)
Previously, if you launched a web application through portal access, the page did not load. Now, the page loads correctly.

Typo in Mobile email source code causing character encoding problems (CR113161)
Previously, a typo in the email source code caused a failure to recognize the UTF-8 character set declarations, causing browsers to render the characters incorrectly. This is fixed.

Resource group required protection can be bypassed (CR113275)
Previously, when protected configuration is set on a resource group, users can bypass the protection criteria using the Back button while on the webtop, and re-login. This is fixed.

Dynamic Tunnel ignores broken tcpip.sys with less than 2 connections established (CR113286)
Previously, FirePass would searched an internal "lookup" table for localhost tunnel addresses for already established tunnels. FirePass would detect that was already in use (by the first tunnel) and would change the address to a different address. However, if the broken tcpip.sys was detected, the code omitted the lookup table. This is fixed.

Java RDP on MacOSX fails with invalid window size 0x0 (CR113305)
Previously, If you created a Java RDP favorite and specified a screen size of 0x0, you received a general exception error. This is fixed.

Mobile Email "Reply-All" feature does not work properly under I-Mode (CR113721)
Previously, if you used Mobile Email "Reply All" feature with I-Mode browser, it will not include all the recipients in the "To" field." Now, all the recipients are included.

Active Directory dynamic resource group mapping failure (CR113861)
Previously, the Active Directory administrator password for Active group mapping was being saved incorrectly, causing a mapping failure. This is fixed.

Remove reference to cluster log synchronization (CR114067)
Previously, references to cluster log synchronization was made to the online help. Now, since the feature is removed, the reference no longer exists.

Japanese Warning messages for cert warnings are garbled in javapatch Windows 2000(CR114142)
Previously, these Japanese messages contained garbles text in both server-related security warnings and client certification. This is fixed.

Vista with UAC fails to remove DNS setting after network access disconnects (CR114254)
Previously, your DNS setting remained even after network access disconnected. This is fixed.

Full screen for Java Citrix client does not work (CR114256)
Previously, full screen for Java Citrix client did not work (embedded window, new browser window). Citrix window is opened inside the page that embedded the JICA client. This is fixed.

Unlocalized message in AD Password change page (CR114805)
Previously, In Japanese Language mode, when a user has to change their Active Directory password because it expired,, the message from Firepass was mixed with Japanese & English characters. This is fixed.

VPN adapter installer fails in Japanese environment (CR115060)
Previously, driver installer urvpn.exe did not work if it was placed in non-English named folders. This is fixed.

Active Directory UPN auth fails (CR115074)
Previously, Active Directory UPN authentication failed if the user name part of UPN and sAMAccountName (also known as pre-win2k names) are different. This is fixed.

HTML/Javascript Form's action/method patching with Split Tunneling is absent (CR92163)
In previous release, HTML/JS Form's action/method patching with Split Tunneling was absent on the client.This is fixed.

Multi-byte characters and Mobile E-mail (CR98343-3)
Previously, the sender's name was unreachable if you used multi-byte characters, and if the user was authenticated through an external server, such as Active Directory or RADIUS. Now, you can use multi-byte characters with Mobile E-mail.

User certificates are not synced (CR111944)
Previously, if the administrator created a client certificate for user "aaa" , the certificate was not synchronized to failover standby or cluster slave units. The failover standby unit's user edit page still displayed the user as not having any certificate. This is fixed.

OWA Java menu bar fails to load (CR107350)
Previously, if you opened a mass mail and scrolled to the bottom and double-clicked on more information, the link opened, but the java menu bar at the top failed to load. This is fixed.

Some Web AppTunnels failed after upgrade to 6.0.3 (CR109849)
Previously, upgrading caused some web applications to fail. This is fixed.

Windows Domain Legacy Authentication breaks (CR108007)
Previously, windows domain legacy authentication did not work on 6.0.3. This is fixed.

[Vista][DynamicAppTunnelRDP / mstsc.exe crashes upon connecting (CR109116-1)
Previously, after upgrading to 6.0.2-5, Vista clients could longer use RDP over Dynamic App tunnels. Upon specifying a host and clicking connect in mstsc.exe, the application immediately responded with a Windows app crash error. This is fixed.

Nested Groups issue if the root group contains space in name (CR109030)
Previously, Authentication / mapping failed if the following conditions are true:

1. Authentication/mapping defined based on nested groups
2. Group we are looking for is nested from primary user's group
3. Primary user's group contains space in name

This is fixed.

PocketIE user cannot create new Mobile email (CR110642)
In previous release, if you used PocketIE, you could not create email account favorites, in Mobile email. This is fixed.

PocketIE user cannot change email address (CR110645)
In previous release, if you used PocketIE, you could not change your email address. This is fixed.

Mobile Email displays UTF8 encoded multibytes character incorrectly (CR110747)
In previous release, when you launched the PocketPC Mobile e-mail, the Corporate Account of Mobile E-mail was displayed in the main menu without any problems. However, once you got into the pane of e-mail account entry/authentication, the "Corporate Account of Mobile E-mail" name got corrupted. This is fixed.

Mobile Email Settings cannot be saved in Japanese Language mode (CR110749)
In previous release, there were items that were not configurable in Japanese mode: IMPA folders, sent folder, and deleted items. This is fixed.

AD password change fails with DOMAIN\username (CR111853-1)
In previous release, if you changed AD password change with DOMAIN\username from Tools:Account Details, it failed. This is fixed.

Java Runtime Exception with Java RDP Client (CR108313)
In previous release, Java Terminal server client failed with the following error: "memory accessed out of Range!". This is fixed.

64bit Windows Vista (WinVI) Ultimate does not detect SP1 (CR108533)
In previous release, connecting to FirePass login page from 64bit WinVI Ultimate running 32bit IE web browser did not detect SP1. This is fixed.

FirePass drop VNC connection (CR102305)
In previous release, FirePass dropped connection to VNS Terminal Server after 3-4 minutes. This is fixed.

Client certificates on Windows Vista with protected workspace (CR89304-5)
In previous release, if you installed client certificates on Windows Vista, you could not access the certificates through protected workspace. This is fixed.

"Error initializing proxy" if proxy autoconfig script URL is specified (CR108535)
In previous release, Firepass failed to establish network access connection if Autoconfig Script parameter were specified in the network access configuration. "Error initializing proxy" was displayed. This is fixed.

Windows Files does not support docx and xlsx of office 2007 (CR110631)
In previous release, when using Windows Files via Portal Access, you can download files from a
windows share. However, when you downloaded a docx or. xlsx Office 2007 document, it renamed to .zip This is fixed.

Flicking in terminal service screen (CR128530)
In previous release, if you opened RDP terminal service favorite in full-screen, and then switching focus to the Internet Explorer window that embeds the RDP control caused flickering of the screen. This is fixed.

Network access connection drops with proxy settings (CR128417-1)
In previous release, network access connection dropped with certain client PC proxy settings because network access clients were unable to properly parse scripts. This is fixed.

Multiple application tunnel connections gets dropped (CR128547)
In previous release, application tunnel may drop connections from client applications if the applications performed multiple simultaneous connections to the same server. This is fixed.

[ Top ]


Known Issues

The following items are known issues in the FirePass controller 6.1.0 release.

Known Issues for network access

Configuring network access with local address (CR114765)
If you configure IP address as from Device Management: Configuration: Network Configuration, synchronization fails when you establish a network access tunnel because the FirePass network access PPP tunnel may occasionally use as a local address. In other words, Firepass uses as a self IP address for VPN connections and cannot communicate with other hosts with that same particular address. The workaround is to avoid using IP address on any interfaces.

Known Issues for Administration

Setting for FTP server is lost when upgrading to 6.0.3 (CR65029)
When you upgrade to version 6.0.3, the FTP server settings from the Device Management: Maintenance: Backup/Restore screen disappear. There is no workaround for this issue at this time.

Session stats, Application logs and short log purge interval (CR70817)
When you configure a log purge interval that is short (a few hours), some of the sessions statistics information and application log entries might be purged from the database and not included in any log archives.

Run As command on Windows Vista does not work properly (CR82368)
The Run As command on Windows Vista™ using PWS (Protected Workspace) does not provide sufficient access limitations.

Files and folders created in arbitrary locations using Protected Workspace under Windows Vista (CR82451, CR82452)
While you are using PWS (Protected Workspace) on Windows Vista™, the system saves files and folders arbitrarily in different locations.

Windows Vista Protected Workspace privilege elevation (CR83302)
On Windows Vista™ systems with User Account Control (UAC) enabled, the Protected Workspace that requires standard user rights runs at Medium integrity level, and cannot monitor or control system services and processes that are elevated to High or System integrity levels. However, user rights are elevated by some applications, for some operations, like creating and saving file folders and saving temporary attachments. Instead of remaining in Protected Workspace, these files are saved outside the Protected Workspace to the system. When these operations occur, typically the user is presented with a Privilege Elevation dialog box, and prompted for a logon and password, or the user is required to click OK on a consent dialog box.

Logging failed FTP events (CR84674)
The FirePass controller fails to log FTP failed events. There is currently no workaround for this issue.

Users with administrator privileges and Administrative Realms (CR85898)
When a user with administrator access privileges logs on through the user logon page and accesses an Admin Console favorite, then edits Feature Access for an Administrative Realm, the FirePass controller saves the settings in the wrong location. To work around this issue, a user should log on through the admin logon screen to edit these settings, and not the user screen to edit Realm features.

Improperly configured NIC (CR86546)
During a failover configuration, if you enter a Heartbeat NIC without any IP address associated with that NIC, the FirePass controller fails to indicate an error, and proceeds to allow the configuration to occur.

Impersonating a local user with domain password (CR87948)
Resources are unavailable if you impersonate a local user in a master group with domain password verification against Active Directory®. To work around this issue, disable domain password verification.

Editing SSL certificate with a web service (CR88257)
The FirePass controller does not display any messages indicating that a service restart is required when an SSL certificate is edited or modified. However, you must restart the service in order for changes to take effect.

Client root CA certificate (CR89537)
You must restart service if you delete a Client root CA certificate from the FirePass controller. Otherwise, the Client root CA certificate is still valid, and users can still log on to the system.

System log messages does not display correct information (CR93340)
If a user is disabled, and the user attempts to retrieve his password, the system log does not display the name of the disabled user who tried to log on..

Impersonating a user with a client certificate (CR94098)
As an administrator, if you try to use resources assigned to the user who you are trying to impersonate, and that user has a secondary client certificate, the resources will be unavailable to you. To work around this issue, disable the secondary certificate requirement in the master group, and then impersonate the user.

Resource and logon case sensitivity feature (CR94099)
If you enable the logon case sensitivity feature, and you try to impersonate a user, you cannot access the resources assigned to that user. To work around this issue, disable the logon case sensitivity feature.

Client certificate remains on the CRL list (CR94435)
If you delete a user account, the client certificate remains on the FirePass controller and listed in the CRL. The workaround is to manually delete the old client certificate and create a new one.

Administrative realms users and the Admin console (CR94748)
When creating administrative realm users, even if you do not allow editing for all features available, the administrative realm user still has the ability to access and edit all features. There is currently no workaround for this issue.

The %username% variable is incorrectly set to domain\username form (CR101860)
If you configure a user name with a backslash, the %username& variable may be set to username\domainname instead.

Java patcher statistics displays incorrect information (CR102729)
If you access the Device Management: Monitoring: System Load screen, you can ignore any statistics you see in this diagram because they are likely to be incorrect.


Known Issues for Application Access

DynamicAppTunnel and top level ActiveX controls (CR84893)
You cannot use Dynamic AppTunnel if you disable top Level ActiveX controls, although you can use StaticAppTunnel.

Legacy host connection closes without message indicator (CR85458)
If a legacy host connection is timed out by the host, there are no messages indicating this state on the emulator.

TN5250 client flicker in internet Explorer 7 (CR86020)
If you use TN5250 on Internet Explorer® 7, pressing the F4 key causes the emulator to flicker. As a workaround, press Alt+Enter instead, to enter full-screen mode, or use Internet Explorer® 6.

Mobile E-mail LDAP attribute for display name (CR94317)
When you are sending messages from Mobile e-mail, the external LDAP users Display Name settings appears as empty. There is currently no workaround for this issue.

Citrix Terminal Server and Windows Vista (CR95182)
On Windows® Vista, if you open a Citrix terminal server favorite for the first time, and download the Citrix® ICA client, the following errors display: Error downloading required file and Couldn't connect to the terminal server Citrix. To work around this issue, pre-deploy the Citrix® client, and install the Citrix® certificate into the F5 trusted storage for Installer Service.

Incorrect port handling for Java app tunnels (CR100193)
Creating a JavaAppTunnel with a port ranges less than 1024 causes the tunnels to not start.

Java AppTunnels favorite, Java exception (CR100651)
When a user tries to start any Java AppTunnels favorite, the following Java exception message appears in the Java console: java.ioFileNotFoundException. However, the exception message does not appear if the Java console is closed. This exception does not affect the functionality of the Java AppTunnels feature.

Java Terminal Server fails to display correctly on Firefox (CR103082)
If you are using a Firefox browser on a Mac®, the Java terminal server intermittently fails to display correctly. There is no workaround for this issue.


Known Issues for Authentication

RADIUS accounting with numeric values (CR52636)
When you configure RADIUS accounting, you must enter a string value as the RADIUS secret on both the RADIUS server and the FirePass controller to receive stop messages when you log out.

Domain password for Active Directory (CR91201)
If you use two-factor authentication with a secondary Active Directory server, and verification against the domain password fails, then the FirePass controller incorrectly reports an error code against the primary authentication method instead of against the domain password.

Password recovery with special characters (CR93339)
If a user logon password contains special characters, such as an underscore, and the password recovery feature is enabled, any attempts by the user to recover the lost password through answering a challenge question results in an error.

Password retrieval and challenge questions (CR93343)
If you did not configure the password recovery feature, and a user attempts to recover his password, the system fails to display an error message, and the system does not log any attempt by the user retrieving the password. The workaround is to create challenge questions when you enable the password recovery feature.

RSA SecurID and sdconf.rec file (CR104668)
If a FirePass using RSA SecurID authentication suddenly starts sending a large volume of UDP packets, check that you have uploaded the correct sdconf.rec file to the RSA SecurID Server configuration (on the Device Management : Configuration : RSA SecurID screen, click Configure a New RSA SecurID Server).


Known Issues for Network Access

SSL VPN client and Windows Mobile (CR85401)
If you install an SSL VPN client for Windows Mobile® 5 on a device where the client has a previous version installed, the old client is uninstalled, but the upgrade does not occur. There is currently no workaround for this issue.

Windows Mobile version 5 and 6 with Network Access (CR94803)
When users log on to the FirePass controller using either Windows® Mobile version 5 or 6, information about multiple resources or favorites does not appear on their webtop, despite the fact that multiple resources were created for network access. There is currently no mechanism to select a favorite for Windows Mobile 5 and 6.

Standalone client displays numeric characters in place of user name and password (CR100188)
There are no references to special handling of numeric characters on either the server or client side. To work around this issue, administrators should select an appropriate character set when logging on to the Admin console.

Limitations with 2000 ACLs (CR102547)
You may experience an impact with memory and performance if you use more than 2000 ACLs in your network. To work around this issue, use fewer than 2000 ACLs in your network environment.


Known Issues for Portal Access

Outlook feature and SharePoint Calendar 2007 or SharePoint Events 2003 (CR73239)
If you attempt to connect to Microsoft Outlook® using either SharePoint Calendar or SharePoint Events, the connection fails. There is currently no workaround for this issue.

PocketPC and Backout/Logout links in cookieless mode (CR84898)
Web Application using cookieless mode does not display both backout and logout links on the Pocket PC.

Java patcher and Jar packages (CR85710)
Java patcher may fail to re-sign itself to some Jar packages. As a result, a Jar file may fail to execute after going through reverse proxy. As a work around, add the URL of the Jar file to the Portal Access: Web Application: Content Processing: Java Byte code Rewriting field. Once this is done, no rewriting will be attempted by the FirePass controller on this Jar package and re-signing to the Jar package will not be necessary.

JavaScript error with Home tab (CR86281)
With some systems, there is an unspecified JavaScript runtime error that causes the web page to fail. To correct this error, add the URL that causes the error to the No-hometab tab.

Unexpected error displays using Portal Access (CR87191)
The error message: This page contains both secure and nonsecure items. Do you want to display nonsecure items displays when you use Portal Access and encounter this message: <iframe scr="about:blank"></iframe> from the Portal Access: Reverse Proxy screen. You can safely ignore this message.

Citrix full access mode with File Access Security feature (CR93456)
When you configure a Citrix® Terminal Server favorite with the FirePass options Separate Window with Menu (citrix only) and Redirect Local Resources and Redirect Local Audio enabled, and the Citrix server is configured to prompt for file access, the File Access Security screen is displayed behind the new Citrix window. This prevents the user from seeing it, so they cannot respond to the file access security question. There is currently no workaround for this issue.

Outlook Web Access with MIME control and reverse proxy (CR97313)
Installing MIME with Microsoft® Outlook Web Access may cause unexpected errors to occur. We recommend that you do not install MIME with Outlook Web Access when using reverse proxy.

Web applications with Portal Access (CR98728)
The FirePass controller fails to correctly handle Javascript files that contain Chinese characters encoded in BIG5 using Portal Access. As a result, the controller prematurely returns the page content upon seeing a backslash (\). To work around this issue, use the following two SED scripts to
properly escape all instances of backslash (\), and then remove the escape before the file is served to the browser.

  • The first SED script below replaces the backslash (\) with \\F5Networks.
  • The second SED script removes \\F5Networks and change it back to backslash (\) back
    content patching.

    SED script 1
    URL match patterns
    Content Type
    Sed processing script
    Pre-process response data (before content patching)

    SED script 2
    URL match patterns
    Content Type
    Sed processing script
    Post-process response data (after content patching)


Citrix and single sign-on (CR99067)
If you use Citrix® Presentation Server V4.5, single sign-on to the server fails the first time the favorite is selected. After the failed first attempt, single sign-on will succeed on the second attempt.

Cookies limitation on the FirePass controller (CR100072)
You cannot add websites with cookie manipulation exceeding 252 URL patterns. Doing so causes the FirePass controller to stop adding cookies.

User interface displays inconsistently in Portal Access (CR102059)
If you navigate to the Portal Access: Resources screen, and select a resource group, the Windows file tab does not appear. However, if you navigate to Users: Groups: ResourceGroup, and select a resource group, the Windows file tab appears.

Uninstall FirePass controller and ActiveX components and Internet Explorer (CR71261, CR102032)
When you enable the option Uninstall FirePass client components or the option Uninstall ActiveX components downloaded during FirePass session, or both, on the Users: Endpoint Security: Post-logon Actions screen, and the users are using the Internet Explorer®, the ActiveX or FirePass controller client components are not uninstalled for 15 minutes after the session ends.


Known Issues for Pre-logon and Post-logon Inspection

Pre-logon fails to detect Windows hotfix with a period in the name (CR62452)
When the system is doing pre logon inspection, if you attempt to check for the existence of a Windows hotfix, the process fails if the hotfix name contains a period. A workaround is to use the Registry key check.

Cluster load balancing and collected data during a pre-logon sequence check (CR73575)
Logging on for administrative users does not work under the following conditions:

  • You disabled cluster load balancing or enabled users to select a cluster node on the logon screen.
  • For the pre-logon sequence check, you selected the option Require valid pre-logon data for logon.
  • The user is directed to cluster secondary node by external load balancer or manually selects a secondary node on a master's logon page.

Cache cleaner feature and Firefox (CR75115)
Although the cache cleaner feature can clean temporary folders, the recycle bin, and monitor user activity timeout, it does not clean the Firefox browser cache. There is currently no workaround for this issue.

Protected workspace, Microsoft Outlook 2003, and Microsoft Word attachments (CR83079)
Microsoft Outlook® 2003 running in protected workspace fails to open Microsoft Word documents. For more information, refer to the Microsoft Knowledge Base at

Protected workspace and My Recent documents (CR84609)
While working in protected workspace, clearing any My Recent documents will clear all My recent Documents located outside of the protected workspace area, such as on your desktop. There is currently no workaround for this issue.

Protected workspace and Recent folder (CR93835)
After exiting protected workspace, Microsoft files, such as Word docs or Excel spreadsheets may not get removed from the Recent folder. As a workaround, before exiting protected workspace, manually remove these files.

CheckOS inspector and correct rule (CR100183)
If upgrading to FirePass 6.0.3., you must enter the correct rule in order for the OS checker feature to recognize Mac® OS. The correct rule is OR session.os.platform=="MacOSX".

Prelogons applied twice in cluster environment (CR104612)
During a cluster environment process of deployment, the prelogon sequence runs twice for the end-user. To work around this issue, when you deploy clustering, make sure to install a valid SSL server certificate.

Custom templates in a cluster/failover environment (CR103888)
Using the Windows Group Policy feature, you can define custom group policy templates. However, you cannot synchronize those templates across a cluster/failover node. For example, when you select a custom template in a pre-logon sequence, and try to synchronize the pre-logon sequence across the nodes, the pre-logon sequence only connects to the master node. If connection falls back to the secondary node, a denied page appears. For a workaround, you must synchronize the pre-logon sequence, and upload the policy file on each node in the cluster/failover.


Known Issues for Clients

Windows Vista logon integration credentials (CR74375)
On Windows® Vista, users must enter their logon credentials twice, once to establish a VPN connection to the FirePass controller, and the second time to log on to their Windows® system.

Enable logging does not work on Windows Vista (CR74840)
The View log option does not display correct logging information on Windows® Vista. There is currently no workaround for this issue.

Dynamic App Tunnel, Firefox, and updating FirePass controller client components (CR75312)
You cannot install FirePass controller client components onto the client when you use Dynamic App Tunnels and the Firefox® browser. To work around this issue, install the client components on the client with Microsoft® Installer Package (MSI), or start Dynamic App Tunnels ( at least once) with Internet Explorer®. After that, you no longer need to use Internet Explorer® to start Dynamic App Tunnels. You can use the Firefox® browser.

Character limitations with Windows Vista standalone client (CR78170)
When creating a network access favorite, you cannot use the following characters when creating names for your favorites: \ / : * ? < >. This is also true if you use Japanese characters as part of the name. Doing so causes the error message Unknown RAS error to appear.

Windows Vista, power and limited user accounts, and ActiveX controls (CRCR82885)
If you are either a power user or a limited user, you cannot install ActiveX components on Windows® Vista. However, it installs successfully on Windows® XP. To install the ActiveX components on Windows® XP, you must have system administrator privileges.

Upgrading to a newer version of the OPSWAT ActiveX control (CR12501)
During upgrade, the OPSWAT Active X does not properly unload. To work around this issue, either restart your system after you install the new version, or close the Internet Explorer® instance that currently accesses your FirePass server, and start Internet Explorer® again to access the new FirePass server.

Erroneous message in Internet Explorer (CR100756)
The message Page contains both secure and nonsecure items may occasionally appear in the Internet Explorer®. You can safely ignore these messages.

Removing client components from the FirePass controller (CR104255)
You cannot remove the following client components after downloading the full package install from Device Management: Client Downloads screen.

  • F5InstallerService.exe
  • F5fltDrv.sys, F5fltSrv.exe


Other Known Issues

Idle timeout events and reauthentication warnings (CR70439)
Currently, certain actions can cuase a user's FirePass session to timeout without the user receiving a reauthentication warning. There is no workaround for this issue.

]Cluster and user names with special characters (CR70818)
When you disable load balancing in a cluster, the system does not redirect users to the master node if their user names contain special characters.

Backup file and user session lockout (CR72007)
When you restore a backup file, the new user lockout option is disabled even though you might have enabled it previously. To view this option, navigate to the Device Management : Maintenance : User Session Lockout screen, and locate the “Lockout new user sessions” setting.

Automated virus update and restoring a backup configuration (CR73973)
You cannot restore the automatic virus database update setting from a backup file. To view this option, navigate to the Portal Access -> Content Inspection screen, select the Antivirus tab, and scroll to the Virus Database Update area.

Javascript and webtop (CR77807)
Disabling Javascript causes the webtop to display improperly.

Console Access Security settings are not backed up/restored (CR84930)
In the Admin console,  Device Management-> Security ->Console Access Security The settings: “Enable Password for maintenance console”, and  “Disable Maintenance SSH Access” are Not restored when a backup is restored on the controller.

Client certification package notification (CR88992)
If you set two email address in your email notification configuration for client certification, the email notification fails to reach the recipient. To configure this feature properly, follow these steps:

  1. Make sure your environment is set up where the FirePass controller can send SMTP emails.
  2. Make sure to create users and client certifications on your FirePass controller.
  3. Supply only one email address in the Configuration: Admin Email: Admin Email Address screen.

Webtop favorites listing displays oddly (CR91964)
If you create more than four groups of favorites, and you configure three columns using the Tools: Webtop Settings: Favorite panel: Columns screen, the two columns on the left are used, while the third column is left blank. As a result, the favorites listing scrolls off the screen rather than displaying in the third column.

Session timeouts and multiple webtop windows (CR106904)
If a user opens two or more FirePass webtop windows, the inactivity timeout countdown may not display correctly, and timeouts may not occur at the correct time.

SharePoint, Excel, and reverse proxy (CR50925-1)
You cannot export an Excel spreadsheet through the FirePass controllers' reverse proxy.

Upgrading from previous releases to FirePass 6.1.0 (CR133285)
When upgrading from earlier FirePass versions to FirePass 6.1.0, the generation of the FirePass registry can fail if a dot ( .) was ever included in the master group names, and the master groups are configured with intranet webtops. A pop-up box will be displayed with the following error message: Installation failed with status: Error: (number-string) bad argument type: 17\n\n\n\n\n\nRELOAD. Please contact F5 technical support.This failure can cause the httpd daemons to not run, and the FirePass will become inaccessible via the internet browser. Note: Simply removing dots (.) from the master group names will not rectify this issue. See the workaround in the following section for more information.


Workarounds for known issues

The following sections describe workarounds for the corresponding known issues listed in the previous section.

Upgrading from previous releases to FirePass 6.1.0 (CR133285)

  • Backups and snapshots should be created prior to any upgrades or installing point hot fixes.
  • We strongly recommend that you upgrade to 6.1.0 release using the online update instead of the local update. During the online update, the latest cumulative hot-fix is automatically installed to address this specific issue.

Warning: Do not install the pre-upgrade hot-fix HF-133602-1 unless you are upgrading to FirePass version 6.1 after you apply the hot-fix. This hot-fix disables failover and cluster synchronization. Synchronization is re-enabled once the user upgrades to FirePass version 6.1.

This workaround describes how to upgrade to FirePass 6.1.0 using a local upgrade.

  1. Take a snapshot and backup prior to the upgrade
  2. Download the pre-upgrade hot-fix HF-133602-1 for your current FirePass version.
  3. Download 6.1.0 release build, and the latest cumulative hot-fix.
  4. Install the pre-upgrade hot fix HF-133602-1.
    Warning: do not install this hot-fix unless you are upgrading the FirePass version to 6.1 after you install the hot-fix.
  5. Upgrade to the 6.1.0 release.
  6. Install the latest cumulative hot-fix.

This workaround describes how to recover if a failure has already occurred.

  1. Download the pre-upgrade hot-fix HF-133602-1 for your current FirePass version, and the latest cumulative hot-fix.

  2. Revert back to the previous working snapshot.

  3. Install the pre-upgrade hot-fix HF-133602-1.
    Warning: do not install this hot-fix unless you are upgrading the FirePass version to 6.1 after you install the hot-fix.

  4. Upgrade to the 6.1.0 release.

  5. Install the latest cumulative hot-fix.

If you are unable to revert back to the previous working snapshot, please revert back to the manufacturing image .

  1. Upgrade to the 6.1.0 release.

  2. Install the latest cumulative hot-fix.

  3. Restore your latest FirePass backup.

Note: If you revert back to the manufacturing image, and backups are restored, installation of pre-upgrade HF-133602-1 is required before a local upgrade to 6.1.0 is performed.
Warning: do not install this hot-fix unless you are upgrading the FirePass version to 6.1 after you install the hot-fix.


[ Top ]

Contacting F5 Networks

  Phone: (206) 272-6888
Fax: (206) 272-6802

For additional information, please visit

Was this resource helpful in solving your issue?

NOTE: Please do not provide personal information.

Incorrect answer. Please try again: Please enter the words to the right: Please enter the numbers you hear:

Additional Comments (optional)