Updated Date: 08/30/2013
This release note documents the version 7.0.0 feature release of the FirePass controller. This release note outlines upgrade information, known issues, and resolved issues. An overview of new features introduced by this release is located in the section New features and fixes in this release.
This software upgrade can be installed on supported platforms which are currently running FirePass versions 5.5 and later. Installation information is located in the section Installing the software.
Web Applications Compatibility modes no longer available
Previously, F5 Networks provided two compatibility modes which affected the way links were rewritten (covering previous generations of the core rewrite engine). The current Web Applications core rewrite engine works with most web applications, and the previous compatibility modes have now been removed. You may continue to use the proxy bypass mode and content processing scripts to modify rewrite behavior for particular websites. The compatibility modes are now excluded from Portal Access: Web Applications: Content Processing: Global Settings. If you need to continue running either of the previous compatibility modes, please remain on the FirePass 6.1 maintenance release.
Group Policy not available in FirePass 7.0
Due to a number of group policy issues that could not be remedied prior to this release, Group Policy is currently not licensed, and is therefore unavailable at this time, for FirePass 7.0. Please check for updates in the readme files with each FirePass 7.0 hotfix rollup regarding this feature. If you are currently on FirePass 6.1.0 and using Group Policy, we advise that you do not upgrade. However, if you wish to upgrade, please note the following:
In addition to this release note, the following user documentation is relevant to this release.
You can find the product documentation and the solutions database on the AskF5 web site.
For information on system requirements and supported browsers, refer to the Client Compatibility Matrix for 7.0.
This release supports the following platforms:
If you are unsure which platform you have, look at the sticker on the back of the chassis to find the platform number.
This release supports detection of a variety of antivirus and firewall software. To use antivirus and firewall software inspectors with a pre-logon sequence check, you might need to reactivate your license. To view supported antivirus and firewall software, click on the following links.
Note: The above antivirus and firewall support charts reference the OPSWAT version available at the time of release. Because F5 Networks® releases OPSWAT hotfix updates frequently, when OPSWAT updates are installed, please reference the charts located in the FirePass on-box help section, as they are updated with any changes or additions and the above charts are not. You can view the updated charts by clicking the Help button in the upper right corner of the Administrative Console. In the new window which opens, navigate to Users: Endpoint Security: Inspectors: Antivirus Support Chart, where current antivirus support charts for Windows®, Macintosh®, and Linux® are located. You can also navigate to Users: Endpoint Security: Inspectors: Firewall Support Chart, where current firewall support charts for Windows®, Macintosh®, and Linux® are located.
Also, please see SOL6664: Obtaining and installing OPSWAT hotfixes for more information about these important updates.
The following instructions explain how to install the FirePass controller version 7.0 onto existing systems running version 5.5 and later.
Important: Back up the FirePass controller current configuration before upgrading the controller. If you have a newer FirePass controller, use the Snapshot feature to back up the entire controller configuration. For more information, refer to SOL3244: Backing up and restoring FirePass system software on AskF5SM. To back up older FirePass controllers, click Device Management on the navigation pane, expand Maintenance, and click Backup/Restore. Click the Create backup of your current configuration link to back up the FirePass controller configuration. See the online help for details.
Warning: Prior to upgrading any FirePass controller, it is important to finalize all your network configuration settings if you have any unsaved changes. To do this, on the navigation pane, click Device Management, expand Configuration, and click Network Configuration. Click the Finalize tab at the upper right to finalize your network configuration changes. If the Finalize tab does not appear on the Network Configuration screen, your configuration has been finalized.
Note: Once you upgrade the FirePass controller to version 7.0, you cannot downgrade to any previous version. This is why it is critical that you use the snapshot function outlined earlier in SOL3244: Backing up and restoring FirePass system software: if you need to revert and you made a snapshot first, you can restore in minutes. For more information, see SOL2847: Downgrading to a previous FirePass software version on AskF5SM.
The following instructions explain how to install FirePass version 7.0 onto existing systems running version 5.5 or later.
Important: You must have an active service contract to upgrade to release 7.0. If you have a current service contract, please re-activate your license before you proceed with installation. If your service check date is too old, you need to reactivate your license or the upgrade may not be allowed to complete. The service check date and license activation options are located in the Administrative Console under Device Management: Maintenance: Activate License. If no service check date is listed in your installed license, we recommend that you reactivate your license before upgrading.
Create a snapshot of the current FirePass controller. For details about how to do this, refer to SOL3244: Backing up and restoring FirePass system software.
On the Administrative Console, in the navigation pane, click Device Management, expand Maintenance, and click Backup/Restore.
Create a backup of your current configuration.
For details about how to do this, refer to the online help on this screen.
In the navigation pane, click Device Management, expand Security, and click Timeouts.
The Timeouts screen opens.
Temporarily change the option Global inactivity timeout to a large value, such as 8 hours, so that the upgrade process does not time out while downloading the image.
Disable all pop-up blockers in your web browser so that any generated error messages during the upgrade process (local upgrade or on-line upgrade) are displayed.
In the navigation pane, click Device Management, expand Maintenance, and click User Session Lockout.
The User Session Lockout screen opens.
Configure the following user session lockout options.
In the User Session Lockout area, check the Lockout new user sessions option to prevent any new FirePass controller users from logging on.
In the Kill Current Sessions area, click the Kill all sessions (except this one) link to log off all current FirePass controller users.
The following instructions explain how to download and install FirePass version 7.0 onto existing systems running version 5.5 or later using the local upgrade mechanism.
To upgrade to version 7.0, you can use the F5 Electronic Software Distribution site to download the new software image at http://downloads.f5.com/. You can then follow the installation instructions below to install the new image.
To download the software upgrade, you must first create an account at http://downloads.f5.com/. This site uses an F5 single sign-on account for technical support and downloads. After you create an account, you can log on and download the FirePass version 7.0 release installation image.
Using a web browser connected to the internet, go to http://downloads.f5.com/.
The F5 Sign-on screen opens.
In the User Email box, type the email address associated with your F5 technical support account.
In the Password box, type the password.
Click the Login button.
The Overview screen opens and provides notes about using the Downloads site.
Click the Find a Download button.
The Product Lines screen opens listing all F5 product families.
Locate the FirePass product family and click the adjacent FirePass link.
The Product Version screen opens, listing the available download containers for the current product version.
Click the release link for version 7.0.
The End User License Agreement screen opens.
Read the license agreement, and click I Accept to agree to the terms of the license.
The Select a Download screen opens.
Click the FP-7.0-20100611.tar.gz.enc. link to begin downloading the upgrade image to your local system.
The Select Download Method screen opens.
Click an option indicating the method you want to use to download the file.
Log on to the Administrative Console.
On the navigation pane, expand Maintenance and click Local Update.
The Local Update screen opens.
In the Password box, type F5Networks.
For the File setting, click Browse.
A dialog box opens.
Using the dialog box, browse to the location where you downloaded the FP-7.0-20100611.tar.gz.enc. file in step 9 of the previous procedure.
Using the dialog box, click the FP-7.0-20100611.tar.gz.enc. file name to select it, and click the Open button.
The dialog box closes, and a path name appears in the File Name box.
Click the Submit button.
The upgrade may take some time to complete. When finished, the FirePass controller automatically reboots.
Note: The online update relies on your internet connection to be fully stable during the upgrade, and you must have proper DNS configured. Additionally, FirePass must have internet access to its interface where the default gateway resides. Please be aware that the Online Update does not install hotfixes; it is only for major upgrade versions, such as 6.1, 7.0, etc.
In the navigation pane, click Device Management, expand Maintenance, and click Online Update.
Select the link for Release 7.0 to upgrade the FirePass controller.
The upgrade may take several minutes to complete, and once it is completed, the controller automatically reboots.
After the controller reboots, reconnect to FirePass and log on to the Administrative Console.
In the navigation pane, click Device Management, expand Maintenance, and click User Session Lockout.
The User Session Lockout screen opens.
This release includes the following new features and fixes.
FirePass Virtual Edition
The FirePass® Virtual Edition (VE) is a full featured SSL-VPN ready to run in VMware® ESX4 environments. The FirePass® VE-LAB version is an easy way to run FirePass in your lab, where you can experiment with new access policies on your FirePass VE without having to obtain extra hardware. The production version of FirePass VE can be licensed for up to 2000 concurrent users. This package gives you a new option for disaster recovery planning when extra capacity is needed.
VMware View terminal services
In this release, VMware View® virtual desktop infrastructure allows you to balance the requirements of your business with the needs of your users and create a seamless experience where desktops are virtual and follow the user, regardless of device or location. FirePass 7.0 includes the VMware View® web client which provides the highest degree of security and access control to VMware View while providing easy access for remote users. Remote users simply open a browser, navigate to FirePass, and authenticate, and then the View client is automatically started in the browser while at the same time a connection is returned to the virtual desktop for that user.
Citrix Smart Access integration
As part of our integrated Citrix® terminal services feature, FirePass can now pass results of endpoint inspections back to Citrix® applications. This capability provides administrators granular application control and provides remote access from anywhere, anytime. FirePass becomes a single point of control for controlling access to those applications based on user identity and end point security checks.
Java RDP
FirePass offers administrators a way to deploy RDP terminal services by using a Java-based RDP client. This is particularly useful on non-Windows machines connecting to a virtual Windows desktop. Use our Java RDP client for better screen resolution and color depth to enhance end user experience with Java-based RDP terminal services.
Support for BIG-IP Edge Client
In this release, we provide the ability for users to access both the FirePass and BIG-IP Edge Gateway appliances. This client is compatible with both FirePass versions 6.1 and 7.0, and is bundled with FirePass 7.0 as another standalone client option for the user, providing a superior end-user experience with features such as smart connect and windows login integration.
Protected Workspace (PWS) enhancements
We have made several enhancements to the Protected Workspace (PWS). First, we have added file virtualization and encryption. Now, if a user session ends abnormally, all session information on the local disk is left encrypted, making unauthorized reading of this data extremely difficult. Also, we have integrated the Protected Workspace with IronKey’s encrypted USB flash drives, allowing PWS state to be stored on a secure, removable medium. Lastly, Protected Workspace works on the latest Windows operating systems including 64-bit operating systems, with the exception of Windows XP 64-bit.
Endpoint security checking for Mac and Linux clients
Enterprise end-users are demanding Apple® Macs for business use more and more. As the popularity of non-Windows clients like the Mac increases, so too does the risk of malware targeting these platforms. In this release, we have added the capability to scan and detect A/V and personal firewall products on these endpoints. Administrators can now define access policies in the Visual Policy Editor that control access for these users based on identity and end point security posture.
Endpoint hardware inspectors
Administrators can now create policies that include unique hardware identifiers on the client machine, such as Ethernet MAC addresses and HDD IDs. This gives you an alternative to machine certificates to identify IT-owned assets.
CAPTCHA option on login page
To prevent possible script-based brute force attacks on users' passwords, we have implemented the ability to display a CAPTCHA input box on the login page.
This release includes the following fixes.
Split tunneling support for overlapping local and remote IP address space (CR63951)
In the previous release, if you used split tunneling and had overlapping internal or local subnets, local users were unable to use their local printers, etc., since FirePass used the local route as a higher priority than the one used for split tunneling. Now, a new option called Allow local subnet access is added, and if checked, local pre-existing routes take precedence over VPN routes.
Dynamic App Tunnel, Firefox, and updating FirePass controller client components (CR75312)
In the previous release, you could not install FirePass controller client components onto the client when you use Dynamic App Tunnels and the Firefox browser. Now, this is no longer an issue since client components are installed automatically.
Files and folders created in arbitrary locations using Protected Workspace under Windows Vista (CR82451, CR82452)
Previously, when you used the PWS (Protected Workspace) on Windows Vista™, the system saved files and folders arbitrarily in different locations. This is fixed.
Windows Vista, power and limited user accounts, and ActiveX controls (CR82885)
Previously, if you were either a power user or a limited user, you could not install ActiveX components on Windows® Vista. However, it was installed successfully on Windows® XP. To install the ActiveX components on Windows® XP, you must have system administrator privileges. Now, you can install ActiveX components as a power user or limited user.
Windows Vista Protected Workspace privilege elevation (CR83302)
In the last release, on Windows® Vista™ systems with User Account Control (UAC) enabled, the Protected Workspace, which requires standard user rights and runs at Medium integrity level, could not monitor or control system services and processes that were elevated to High or System integrity levels. However, user rights were elevated by some applications, for some operations, like creating and saving file folders and saving temporary attachments. Instead of remaining in Protected Workspace, these files were saved outside the Protected Workspace to the system. When these operations occurred, typically the user was presented with a Privilege Elevation dialog box and prompted for a logon and password, or the user was required to click OK on a consent dialog box. This is no longer the case.
Protected workspace and My Recent Documents (CR84609)
Previously, while working in Protected Workspace, clearing any document from My Recent Documents cleared all My Recent Documents located outside of the protected workspace area, such as on your desktop. Now, clearing any document from My Recent Documents no longer clears all recent documents located outside of the protected workspace area.
Protected workspace and saved documents (CR86873)
In the previous release, you could save Microsoft® Office documents anywhere outside of protected workspace. Now, documents are saved to temporary locations inside the protected workspace, and are deleted after you exit protected workspace.
Protected workspace and recent folder (CR93835)
In the last release, after exiting protected workspace, Microsoft® Office files, such as Word documents or Excel spreadsheets, did not get removed from the Recent Documents folder. This is fixed.
Multi-byte characters and Mobile E-mail (CR98343)
In the previous release, the sender's name was unreachable if you used multi-byte characters, and if the user was authenticated through an external server, such as Active Directory or RADIUS. Now, you can use multi-byte characters to specify a sender's name with Mobile E-mail.
Standby HA unit displays too many sessions (CR101535)
Previously, in the Users: User Management section of the UI there was a line near the top that said Concurrent sessions: X out of Y used. If users compared the X value on their HA standby unit to the current value of active sessions in Device Management: Monitoring: System Load: Active Sessions, it was not correct; the User Management numbers displayed too many sessions. This is fixed.
FirePass host name with network access (CR103063)
Previously, network access would initially report a connection was established, but after a short time (around 10 seconds), the message "Reconnecting" was displayed. As a result, Network Access failed to connect successfully. If the user waited two minutes or longer, a popup message window displayed stating Error: server rejected the connection with Abort, Retry and Ignore options. All of these options failed. This issue no longer occurs.
Removing client components from the FirePass controller (CR104255)
Previously, you could not remove the following client components after downloading the full package install from Device Management: Client Downloads screen.
Now, you can remove these client components from the full package install.
Limited colors for terminal server favorites (CR109713)
In the previous release, an administrator could specify high and true color resolutions when creating terminal server favorites. However, if you used Java instead of ActiveX, when you selected high color, the system only displayed 256 colors. This is fixed.
Active Directory password change fails (CR111853)
Previously, if you set the Require user logon in the form DOMAIN/Username option from AD master group: Authentication tab, you received an error message after you performed a password change and clicked update from Tools: Account Details. This no longer occurs and you are able to change your password without errors.
Deleted master groups appearing on slave and standby units (CR112334)
Previously, master groups that were created before a high availability pairing remained on the failover standby system or cluster slave. Now, previously created master groups are removed from both standby and slave units on full sync.
Recursive links cause stack overflows (CR133133)
In a previous release, if you tried to access a portal with Internet Explorer, a stack overflow error occurred. This is fixed.
Portal access opens with blank page after logon (CR135965)
IP filter group not applied on cluster slave (CR116812)
Previously, when applying IP group filter rules on the master FirePass Network Access favorite, these rules did not get set on the standby FirePass Network Access favorite until the services were restarted. This is fixed.
Terminal services with preinstalled components (CR116968)
Previously, users could preinstall all FirePass components, but if users tried to launch a terminal service favorite for Citrix, a pop-up window appeared with the error: Error downloading required files (-1). Now, users with administrative rights can install third-party components using the regular installer.
Summary report displays incorrectly (CR121146)
Previously, when you went to Reports: Summary Report, the Sessions total number was always equal to the Average number of sessions per week. This is fixed.
DNS suffix order and restore (CR132738)
In the previous release, DNS suffix order did not restore properly when there was an overlap of domain suffixes between the client-side and FirePass' network access DNS configuration. In some cases, the domain suffix lists and orders were changed after session termination. This is fixed.
Invalid Back link in intranet webtop (CR132952)
Previously, if you tried to access the intranet webtop from your mobile device, you received an error and were disconnected from FirePass when you clicked the Back link at the bottom of the page. This is fixed.
Upgrading from previous release to FirePass 6.1.0 (CR133285)
In the last release, when upgrading from earlier FirePass versions to FirePass 6.1.0, the generation of the FirePass registry failed if a period ( . ) was included in a master group name, and master groups were configured with intranet webtops. In this scenario, a pop-up box displayed the error message: Installation failed with status: Error: (number-string) bad argument type: 17\n\n\n\n\n\nRELOAD. Please contact F5 technical support. Because of this failure, the FirePass controller did not respond to browser requests. Now, you no longer receive an error message or failure during the upgrade if the FirePass controller registry includes a period ( . ) in a master group name.
Client package on Citrix website from Admin UI (CR133393)
Previously, non-working direct links to client packages appeared on the Citrix® website through the Admin UI. Now, these direct links are removed from the Admin UI.
Server self-signed certificate request (CR134002)
Previously, the FirePass controller failed to delete self-signed certificate and certificate requests from temporary storage. This is now fixed.
Application tunnel when launched immediately (CR134231)
Previously, if you closed an application tunnel and then immediately opened up another one, the application tunnel failed to launch. This is fixed.
ActiveSync and mobile adapter licenses (CR134305)
Previously, when using a Nokia® E71 with Active Sync through a FirePass controller, the device failed to work unless a Mobile Adaptor license was installed. Now, Active Sync does not require the Mobile Adapter license.
Duplicate static tunnels (CR134396)
Previously, when the administrator tried to set two or more Static Tunnels to the same remote host, the system returned the same local host IP address. This is fixed.
URI with NULL bytes (CR134897)
Previously, a URI with NULL bytes (%00) in a query string was not properly sanitized to prevent XSS injection. This is fixed.
Cross-site scripting and URL query (CR134904)
In a previous release, it was possible to inject a cross-site script (XSS) to the cache cleaner page by adding a single quote to the parameter name. Now, XSS injection into the cache cleaner page is fixed.
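The two fixes above (CR134897 and CR134904) concern query strings whose NULL bytes and parameter names were not sanitized. The following Python example is added here for illustration and is not FirePass code or F5's fix, which this release note does not describe; the function names, the hidden-field template and the control-byte policy are assumptions. It decodes each component exactly once, rejects NUL and other control bytes after decoding, and applies the same attribute escaping to parameter names as to values.

```python
import html
from html.parser import HTMLParser
from urllib.parse import unquote_to_bytes


class RejectedQuery(ValueError):
    """The query string contains bytes that must never reach a template."""


def parse_query_strict(raw_query):
    """Decode every name and value exactly once; refuse control bytes."""
    pairs = []
    for field in raw_query.split("&"):
        if not field:
            continue
        name, _, value = field.partition("=")
        decoded = []
        for part in (name, value):
            data = unquote_to_bytes(part.replace("+", " "))
            # Inspect the DECODED bytes: "%00" is plain text until decoding,
            # so a filter that runs before decoding never sees the NUL.
            # Assumed policy: no C0 control byte or DEL is ever legitimate.
            if any(b < 0x20 or b == 0x7F for b in data):
                raise RejectedQuery("control byte in query component")
            try:
                decoded.append(data.decode("utf-8"))
            except UnicodeDecodeError:
                raise RejectedQuery("query component is not valid UTF-8")
        pairs.append((decoded[0], decoded[1]))
    return pairs


def render_fields_weak(pairs):
    """'Before' form: values are escaped, parameter names are trusted."""
    return "".join(
        "<input type='hidden' name='%s' value='%s'>"
        % (name, html.escape(value, quote=True))
        for name, value in pairs
    )


def render_fields(pairs):
    """Hardened form: names and values get identical attribute escaping."""
    return "".join(
        "<input type='hidden' name='%s' value='%s'>"
        % (html.escape(name, quote=True), html.escape(value, quote=True))
        for name, value in pairs
    )


class _FieldCollector(HTMLParser):
    """Collects (name, value) from <input> tags, as a browser would see them."""

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            attrs = dict(attrs)
            self.fields.append((attrs.get("name"), attrs.get("value")))


def parsed_fields(fragment):
    """Round-trip check: parse rendered markup back into (name, value) pairs."""
    collector = _FieldCollector()
    collector.feed(fragment)
    collector.close()
    return collector.fields


if __name__ == "__main__":
    # Constructed sample input: a quote in a parameter name, a double-encoded
    # "%00" (stays literal text after one decode), and a "+"-encoded space.
    sample = "a%27b=1&q=%2500&t=x+y"
    pairs = parse_query_strict(sample)
    print("decoded :", pairs)
    print("weak    :", render_fields_weak(pairs))
    print("hardened:", render_fields(pairs))
    print("round-trip intact:", parsed_fields(render_fields(pairs)) == pairs)
    try:
        parse_query_strict("q=abc%00def")
    except RejectedQuery as exc:
        print("rejected:", exc)
```

The round-trip comparison in `parsed_fields` is a useful regression test for any template that reflects request data: if the parsed fields differ from the decoded input, something escaped its attribute.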
Reverse proxy and embedded URL (CR135212)
Previously, reverse proxy failed to rewrite embedded URLs containing no quotes. Now, reverse proxy can rewrite embedded URLs containing no quotes.
Cache cleaner for Linux and Mac clients (CR135287)
Previously, when the FirePass controller was configured with the cache cleaner check enabled and the option Require cache cleanup ActiveX/Plugin was enabled, Mac® OS X users could not download files through Portal Access because the downloads were blocked. This is fixed.
Exceeded maximum group limit does not display error (CR135569)
Previously, the error message Logon denied User session exceeds maximum group limit did not display when the actual limit was reached on the login or logout page. Now, an appropriate error message is displayed.
Session variable for URL not substituted (CR135695)
Previously, session variables in the following format, %session.xxxx.xxxx%, were not being substituted in i-mode or Windows® Mobile clients. Now, they are substituted appropriately for the URL.
VHOST SSO password not honored in cluster (CR135784)
Previously, when FirePass cluster load balancing was used, the Use extra domain password for single sign on option in Users: Global Settings was not honored for the specific Landing URI if the logon was load balanced to a slave node. Now, the SSO password is honored in a cluster with load balancing.
Login name case changes allocated resources (CR135848)
In the previous release, logging on with the same username in different alphabetic cases resulted in the user being allocated different resources from the master group. Now, this issue has been resolved.
Inconsistent PIN code with a cluster (CR136027)
Previously, when a cluster load balance was set to random, RSA/Radius' new PIN mode became inconsistent. This is fixed.
Wrong data conversion in UProxyChannel (CR136371)
In the previous release, a network access tunnel could not be established through proxy servers when the web service was running on higher ports. This is fixed.
Cluster sync fails with same FQDN (CR137524)
In a previous release, when a cluster slave sent a sync request, the cluster master collected all the sync data. However, when the cluster slaves' FQDNs were identical, the data collection collided, and as a result, the sync failed. This is fixed.
Certificate issuer not displayed in list (CR137771)
Previously, certificates did not appear in the require issuer selection list. Now, they do appear in the list.
Consecutive Java patcher transformations (CR138149)
LDAP sync (CR138290)
In the previous release, the LDAP mapping method with the Synchronize FirePass option deactivated or deleted users if Get user DN using query was used instead of User CN. This is fixed.
Custom image setting not synced (CR138292)
In the previous release, the front door custom graphics image was synchronized from active to standby mode when it was first uploaded onto the active unit. However, it did not synchronize back to the default (no image) when the Reset Default action was performed on the active unit. Now, performing that action will synchronize the default image to the active unit.
Restoring FirePass network settings (CR138362)
Previously, network settings from a FirePass 4100 platform could not be restored to a FirePass 4300 platform. Now, you can restore your settings from one platform to the other.
Network Access connection and Chinese or Japanese characters (CR139647)
In the previous release, the connection name for network access is customizable through the Admin Console at Network Access: Customization: Connection Name in the Network Connections Folder. However, if the connection name contained extended characters (like Chinese or Japanese characters) the connection would fail to create a VPN connection on Windows® Vista or Windows® 7. Now, the VPN connection no longer fails with these characters in the connection name.
Windows file share login (CR139777)
Previously, access to the Windows files favorite through FirePass failed if the credential password contained a colon (":"). This is fixed.
Element styles and Firefox 3.x (CR140009)
Previously, some element styles had no filter properties using Firefox® version 3. This is fixed.
Message inspector with long text (CR140016)
Previously, if the Display Message action was configured in pre-logon checks with very long message text, the text was cut off and no scroll bars appeared, in both Internet Explorer and Firefox browsers. Now, the long message text appears correctly, and scroll bars appear.
NTLM auth proxy usernames (CR140041)
Previously, the FirePass Web Access NTLM Auth Proxy feature truncated domain, user name, and workstation names to 32 characters. This is fixed.
Test map fails for master group (CR140495)
In the previous release, if the master group's Resource Group Mapping used the same RADIUS server as the Global Master group or Global Resource group mapping, the test page did not display returned RADIUS attributes. This is fixed.
Portal Access favorite with empty URL (CR141038)
Previously, if you edited a favorite, and specified blank fields for Name, URL, and Allow list, then clicked Update, the entire list of favorites below the edited one was removed. This is fixed.
The following items are known issues in the current release.
Setting for FTP server is lost when upgrading to 7.0 (CR65029)
When you upgrade to version 7.0, the FTP server settings from the Device Management: Maintenance: Backup/Restore screen disappear. There is no workaround for this issue at this time.
Session stats, Application logs and short log purge interval (CR73575)
When you configure a log purge interval that is short (a few hours), some of the sessions statistics information and application log entries might be purged from the database and not included in any log archives.
Run As command on Windows Vista does not work properly (CR82368)
The Run As command on Windows® Vista™ using PWS (Protected Workspace) does not provide sufficient access limitations.
Logging failed FTP events (CR84674)
The FirePass controller fails to log FTP failed events. There is currently no workaround for this issue.
Users with administrator privileges and Administrative Realms (CR85898)
When a user with administrator access privileges logs on through the user logon page and accesses an Admin Console favorite, then edits Feature Access for an Administrative Realm, the FirePass controller saves the settings in the wrong location. To work around this issue, log on through the admin logon screen, not the user logon page, to edit Realm features.
Improperly configured NIC (CR86546)
During a failover configuration, if you enter a Heartbeat NIC without any IP address associated with that NIC, the FirePass controller fails to indicate an error, and proceeds to allow the configuration to occur.
Impersonating a local user with domain password (CR87948)
Resources are unavailable if you impersonate a local user in a master group with domain password verification against Active Directory®. To work around this issue, disable domain password verification.
Editing SSL certificate with a web service (CR88257)
The FirePass controller does not display any messages indicating that a service restart is required when an SSL certificate is edited or modified. However, you must restart the service in order for changes to take effect.
Client root CA certificate (CR89537)
You must restart the service if you delete a Client root CA certificate from the FirePass controller. Otherwise, the Client root CA certificate is still valid, and users can still log on to the system.
System log messages do not display correct information (CR93340)
If a user is disabled, and the user attempts to retrieve his password, the system log does not display the name of the disabled user who tried to log on.
Impersonating a user with a client certificate (CR94098)
As an administrator, if you try to use resources assigned to the user who you are trying to impersonate, and that user has a secondary client certificate, the resources will be unavailable to you. To work around this issue, disable the secondary certificate requirement in the master group, and then impersonate the user.
Resource and logon case sensitivity feature (CR94099)
If you enable the logon case sensitivity feature, and you try to impersonate a user, you cannot access the resources assigned to that user. To work around this issue, disable the logon case sensitivity feature.
Client certificate remains on the CRL list (CR94435)
If you delete a user account, the client certificate remains on the FirePass controller and is listed in the CRL. The workaround is to manually delete the old client certificate and create a new one.
Administrative realms users and the Admin console (CR94748)
When creating administrative realm users, even if you do not allow editing for all features available, the administrative realm user still has the ability to access and edit all features. There is currently no workaround for this issue.
Java App Tunnels and JRE (CR99293)
Currently, if a client system has an older version of the JRE (version 1.4 or earlier) installed, or if the client machine does not have a JRE installed, and the user navigates to any App Tunnel favorite, a window incorrectly displays the Queued status after the user establishes the connection. Additionally, a client browser may stall or crash if an older version of JRE is installed.
The %username% variable is incorrectly set to domain\username form (CR101860)
If you configure a user name with a backslash, the %username% variable may be set to username\domainname instead.
Java patcher statistics displays incorrect information (CR102729)
If you access the Device Management: Monitoring: System Load screen, you can ignore any statistics you see in this diagram because they are likely to be incorrect.
Java Applet tuning items (CR133952)
Currently, after you create a configuration backup file, and you delete all your Java applet tuning items, and then perform a restore from backup file from the Device Management: Maintenance: Backup/Restore screen, all items are not restored after you restart the FirePass controller.
Sandbox files in Cluster and Failover standby mode (CR136344)
If you have files in the WebDAV sandbox, and you remove those files from the cluster master, the files remain on both the failover standby node and the cluster slave nodes. To work around this issue, perform a Force Full Sync for both clustering and failover before you remove the files from the cluster slave and failover standby nodes.
Citrix plug-in installation and Internet Explorer (CR140044)
When you try to install the latest version of the Citrix Online plug-in, your browser may hang. As a workaround, restart Internet Explorer after installation.
App tunnels with same resource groups (CR84052)
In this version, app tunnels within the same resource group can access hosts defined in each other's ACLs. By assigning an ACL to an application tunnel, you allow the user to access resources defined in the ACL. This is by design. To overcome this limitation, F5 Networks® highly recommends that you write strict rules in ACLs by defining the exact hosts/ports that the application tunnel needs.
DynamicAppTunnel and top level ActiveX controls (CR84893)
You cannot use Dynamic AppTunnel if you disable top Level ActiveX controls, although you can use StaticAppTunnel.
Legacy host connection closes without message indicator (CR85458)
If a legacy host connection is timed out by the host, there are no messages indicating this state on the emulator.
TN5250 client flicker in Internet Explorer 7 (CR86020)
If you use TN5250 on Internet Explorer® 7, pressing the F4 key causes the emulator to flicker. As a workaround, press Alt+Enter instead, to enter full-screen mode, or use Internet Explorer® 6.
Mobile E-mail LDAP attribute for display name (CR94317)
When you send messages from Mobile E-mail, the external LDAP user's Display Name setting appears empty. There is currently no workaround for this issue.
Citrix Terminal Server and Windows Vista (CR95182)
On Windows® Vista, if you open a Citrix terminal server favorite for the first time, and download the Citrix® ICA client, the following errors display: Error downloading required file and Couldn't connect to the terminal server Citrix. To work around this issue, pre-deploy the Citrix® client, and install the Citrix® certificate into the F5 trusted storage for Installer Service.
Incorrect port handling for Java app tunnels (CR100193)
Creating a JavaAppTunnel with a port range less than 1024 causes the tunnel to not start.
Java AppTunnels favorite, Java exception (CR100651)
When a user tries to start any Java AppTunnels favorite, the following Java exception message appears in the Java console: java.io.FileNotFoundException. However, the exception message does not appear if the Java console is closed. This exception does not affect the functionality of the Java AppTunnels feature.
Java Terminal Server fails to display correctly on Firefox (CR103082)
If you are using a Firefox browser on a Mac®, the Java terminal server intermittently fails to display correctly. There is no workaround for this issue.
Application tunnel with Vista SP1 and Windows 7 (CR133308)
Currently, using the mount command in a static application tunnel fails with a network path not found error. As a workaround:
PDF files, Windows Vista, and locked browser (CR135656)
In this version, a runtime error occurs if you try to view a PDF file through a web application tunnel when you enable the Lock Browser option, and you are using Acrobat Reader version 9.2 or 9.3 on a Windows Vista® machine.
Java-based tunnels on Windows 7 (CR139675)
Java-based tunnels (Static Application Tunnel) fail to add appropriate host entries on Windows® 7. As a result, subsequent applications using those hostnames fail to redirect to the appropriate loopback address.
RADIUS accounting with numeric values (CR52636)
When you configure RADIUS accounting, you must enter a string value as the RADIUS secret on both the RADIUS server and the FirePass controller to receive stop messages when you log out.
Domain password for Active Directory (CR91201)
If you use two-factor authentication with a secondary Active Directory server, and verification against the domain password fails, then the FirePass controller incorrectly reports an error code against the primary authentication method instead of against the domain password.
Password recovery with special characters (CR93339)
If a user logon password contains special characters, such as an underscore, and the password recovery feature is enabled, any attempts by the user to recover the lost password through answering a challenge question results in an error.
Password retrieval and challenge questions (CR93343)
If you did not configure the password recovery feature, and a user attempts to recover his password, the system fails to display an error message, and the system does not log any attempt by the user retrieving the password. The workaround is to create challenge questions when you enable the password recovery feature.
RSA SecurID and sdconf.rec file (CR104668)
If a FirePass using RSA SecurID authentication suddenly starts sending a large volume of UDP packets, check that you have uploaded the correct sdconf.rec file to the RSA SecurID Server configuration (on the Device Management : Configuration : RSA SecurID screen, click Configure a New RSA SecurID Server).
Fetch list for Active Directory groups (CR139437)
Active Directory group mapping fails for Active Directory groups with samAccountName != CN if it is configured from a fetch list result. The workaround is to manually configure the group CN name instead of using samAccountName from the fetch list result.
Dynamic Group Mapping with Active Directory (CR140476)
In this version, if userprincipalname = samaccountname, and you use nested groups, dynamic group mapping fails if the user's group is not the PrimaryGroup.
Client troubleshooting utility refresh issue (CR140877)
Currently, if you install F5 components and click the Refresh button on the client troubleshooting utility, the icons do not change, although the utility displays some of the installed components and their states. To work around this issue, close and re-open the utility.
MS Terminal Services and Remote Desktop Connection client (CR76834)
As part of the Terminal Services SSL VPN feature, F5 Networks® ships a redistributable Microsoft® Remote Desktop Connection web client component. The full Remote Desktop Connection client 6.0 is packaged (and licensed) differently from Remote Desktop Web Connection. As a result, you cannot easily extract ActiveX control related content from the full Remote Desktop Connection client. Because there are several interdependent files and registry settings, to install these executables the user must complete the installation wizard.
SSL VPN client and Windows Mobile (CR85401)
If you install an SSL VPN client for Windows® Mobile 5 on a device where the client has a previous version installed, the old client is uninstalled, but the upgrade does not occur. There is currently no workaround for this issue.
Windows Mobile version 5 and 6 with Network Access (CR94803)
When users log on to the FirePass controller using either Windows® Mobile version 5 or 6, information about multiple resources or favorites does not appear on their webtop, despite the fact that multiple resources were created for network access. There is currently no mechanism to select a favorite for Windows Mobile 5 and 6.
Standalone client displays numeric characters in place of user name and password (CR100188)
There are no references to special handling of numeric characters on either the server or client side. To work around this issue, administrators should select an appropriate character set when logging on to the Admin console.
Limitations with 2000 ACLs (CR102547)
You may experience an impact with memory and performance if you use more than 2000 ACLs in your network. To work around this issue, use fewer than 2000 ACLs in your network environment.
Configuring network access with local address (CR114765)
If you configure the IP address as 184.108.40.206 from Device Management: Configuration: Network Configuration, synchronization fails when you establish a network access tunnel because the FirePass network access PPP tunnel may occasionally use 220.127.116.11 as a local address. In other words, FirePass uses 18.104.22.168 as a self IP address for VPN connections and cannot communicate with other hosts with that same particular address. The workaround is to avoid using IP address 22.214.171.124 on any interfaces.
Network access session with Mac client (CR135664-1)
Currently, with Mac clients, after the session expires, a popup window displays Connection dropped instead of redirecting the user to a logout page.
Files signed with custom certificates and InstallerService (CR141093)
Currently, you cannot establish network access connections if urxhost.cab files or other files are signed with custom certificates and the custom certificates are not available in the F5FirePassRoot machine certificate store.
Windows Mobile and EDGE client (CR141541)
Currently, if you are using Windows® Mobile, the UI mode agent does not recognize the BIG-IP® Edge client. As a workaround, in your pre-logon sequence, make sure to set the Logon Allowed Page for both PocketPC and Standalone modes simultaneously to establish network access connection through the BIG-IP® Edge client.
Outlook feature and SharePoint Calendar 2007 or SharePoint Events 2003 (CR73239)
If you attempt to connect to Microsoft Outlook® using either SharePoint Calendar or SharePoint Events, the connection fails. There is currently no workaround for this issue.
PocketPC and Backout/Logout links in cookieless mode (CR84898)
Web Application using cookieless mode does not display both backout and logout links on the Pocket PC.
Java patcher and Jar packages (CR85710)
Java patcher may fail to re-sign itself to some Jar packages. As a result, a Jar file may fail to execute after going through reverse proxy. As a workaround, add the URL of the Jar file to the Portal Access: Web Application: Content Processing: Java Byte code Rewriting field. Once this is done, no rewriting will be attempted by the FirePass controller on this Jar package and re-signing to the Jar package will not be necessary.
Unexpected error displays using Portal Access (CR87191)
The error message: This page contains both secure and nonsecure items. Do you want to display nonsecure items displays when you use Portal Access and encounter this message: <iframe scr="about:blank"></iframe> from the Portal Access: Reverse Proxy screen. You can safely ignore this message.
Citrix full access mode with File Access Security feature (CR93456)
When you configure a Citrix® Terminal Server favorite with the FirePass options Separate Window with Menu (citrix only) and Redirect Local Resources and Redirect Local Audio enabled, and the Citrix server is configured to prompt for file access, the File Access Security screen is displayed behind the new Citrix window. This prevents the user from seeing it, so they cannot respond to the file access security question. There is currently no workaround for this issue.
Outlook Web Access with MIME control and reverse proxy (CR97313)
Installing MIME with Microsoft® Outlook Web Access may cause unexpected errors to occur. We recommend that you do not install MIME with Outlook Web Access when using reverse proxy.
Web applications with Portal Access (CR98728)
properly escape all instances of backslash (\), and then remove the escape before the file is served to the browser.
Citrix and single sign-on (CR99067)
If you use Citrix® Presentation Server V4.5, single sign-on to the server fails the first time the favorite is selected. After the failed first attempt, single sign-on will succeed on the second attempt.
Cookies limitation on the FirePass controller (CR100072)
You cannot add websites with cookie manipulation exceeding 252 URL patterns. Doing so causes the FirePass controller to stop adding cookies.
User interface displays inconsistently in Portal Access (CR102059)
If you navigate to the Portal Access: Resources screen, and select a resource group, the Windows file tab does not appear. However, if you navigate to Users: Groups: ResourceGroup, and select a resource group, the Windows file tab appears.
Uninstall FirePass controller and ActiveX components and Internet Explorer (CR71261, CR102032)
When you enable the option Uninstall FirePass client components or the option Uninstall ActiveX components downloaded during FirePass session, or both, on the Users: Endpoint Security: Post-logon Actions screen, and the users are using Internet Explorer®, the ActiveX or FirePass controller client components are not uninstalled for 15 minutes after the session ends.
Home tab on NTLM authentication screen (CR136527)
Currently, the authentication page that displays when NTLM authentication is used with portal access displays the Home/Logout tab, even when hometab injection is disabled. This issue occurs only when the Open in new window option is enabled.
Obfuscate cleartext cookies (CR140789)
Currently, when you disable the option Obfuscate cleartext cookies from Portal Access: Web Applications: Content Processing : Global Settings, some functionality in Domino Web Access may not work correctly through the reverse proxy. For example, users may not be able to send messages.
OWA through reverse proxy (CR141046)
Currently, if you log in to OWA through reverse proxy and try to add files while you access your Calendar to create a new meeting, add a To-Do note, and so on, only the first file is added; adding subsequent files fails.
Pre-logon fails to detect Windows hotfix with a period in the name (CR62452)
When the system is doing pre-logon inspection, if you attempt to check for the existence of a Windows hotfix, the process fails if the hotfix name contains a period. A workaround is to use the Registry key check.
Cluster load balancing and collected data during a pre-logon sequence check (CR70817)
Logging on for administrative users does not work under the following conditions:
Cache cleaner feature and Firefox (CR75115)
Although the cache cleaner feature can clean temporary folders, the recycle bin, and monitor user activity timeout, it does not clean the Firefox browser cache. There is currently no workaround for this issue.
Protected workspace, Microsoft Outlook 2003, and Microsoft Word attachments (CR83079)
Microsoft Outlook® 2003 running in protected workspace fails to open Microsoft Word documents. For more information, refer to the Microsoft Knowledge Base at http://support.microsoft.com/kb/817878
CheckOS inspector and correct rule (CR100183)
If upgrading to FirePass 6.0.3, you must enter the correct rule in order for the OS checker feature to recognize Mac® OS. The correct rule is OR session.os.platform=="MacOSX".
Prelogons applied twice in cluster environment (CR104612)
During deployment of a cluster environment, the prelogon sequence runs twice for the end-user. To work around this issue, when you deploy clustering, make sure to install a valid SSL server certificate.
Custom templates in a cluster/failover environment (CR103888)
Using the Windows Group Policy feature, you can define custom group policy templates. However, you cannot synchronize those templates across a cluster/failover node. For example, when you select a custom template in a pre-logon sequence, and try to synchronize the pre-logon sequence across the nodes, the pre-logon sequence only connects to the master node. If connection falls back to the secondary node, a denied page appears. For a workaround, you must synchronize the pre-logon sequence, and upload the policy file on each node in the cluster/failover.
HTML help not displaying correctly (CR125362)
In this version, the Windows Group Policy online help page displays incorrect formatting on Firefox version 3.5. Onscreen, a light blue box appears that obscures some of the text. As a result, some of the text in the help becomes unreadable.
Windows Vista logon integration credentials (CR74375)
On Windows® Vista™, users must enter their logon credentials twice, once to establish a VPN connection to the FirePass controller, and the second time to log on to their Windows® system.
Enable logging does not work on Windows Vista (CR74840)
The View log option does not display correct logging information on Windows® Vista. There is currently no workaround for this issue.
Character limitations with Windows Vista standalone client (CR78170)
When creating a network access favorite, you cannot use the following characters when creating names for your favorites: \ / : * ? < >. This is also true if you use Japanese characters as part of the name. Doing so causes the error message Unknown RAS error to appear.
Erroneous message in Internet Explorer (CR100756)
The message Page contains both secure and nonsecure items may occasionally appear in Internet Explorer®. You can safely ignore these messages.
Internet Explorer 8 and minimize to tray option (CR121944-2)
Currently, if you use Internet Explorer 8, the minimize to tray option for the web client does not work through the window context menu, task bar icon context menu, nor by using the minimize button. It works only through the F5 tray icon context menu.
Client proxy settings (CR135562)
Currently, proxy settings are not used when ProxySettingsPerUser is disabled.
Exported prelogon zip files with Safari (CR138696)
Currently, we do not support Safari on admin pages. If you export a pre-login file, you must use Firefox instead.
Idle timeout events and reauthentication warnings (CR70439)
Currently, certain actions can cause a user's FirePass session to timeout without the user receiving a reauthentication warning. There is no workaround for this issue.
Cluster and user names with special characters (CR70818)
When you disable load balancing in a cluster, the system does not redirect users to the master node if their user names contain special characters.
Backup file and user session lockout (CR72007)
When you restore a backup file, the new user lockout option is disabled even though you might have enabled it previously. To view this option, navigate to the Device Management : Maintenance : User Session Lockout screen, and locate the “Lockout new user sessions” setting.
Automated virus update and restoring a backup configuration (CR73973)
You cannot restore the automatic virus database update setting from a backup file. To view this option, navigate to the Portal Access -> Content Inspection screen, select the Antivirus tab, and scroll to the Virus Database Update area.
Console Access Security settings are not backed up/restored (CR84930)
In the Admin console, under Device Management -> Security -> Console Access Security, the settings “Enable Password for maintenance console” and “Disable Maintenance SSH Access” are not restored when a backup is restored on the controller.
Client certification package notification (CR88992)
If you set two email addresses in your email notification configuration for client certification, the email notification fails to reach the recipient. To configure this feature properly, follow these steps:
Webtop favorites listing displays oddly (CR91964)
If you create more than four groups of favorites, and you configure three columns using the Tools: Webtop Settings: Favorite panel: Columns screen, the two columns on the left are used, while the third column is left blank. As a result, the favorites listing scrolls off the screen rather than displaying in the third column.
Upgrading to a newer version of the OPSWAT ActiveX control (CR102501)
During upgrade, the OPSWAT ActiveX does not properly unload. To work around this issue, either restart your system after you install the new version, or close the Internet Explorer® instance accessing your FirePass server, and start Internet Explorer again to access the new FirePass server.
Session timeouts and multiple webtop windows (CR106904)
If a user opens two or more FirePass webtop windows, the inactivity timeout countdown may not display correctly, and timeouts may not occur at the correct time.
FirePass VE failover IP address (CR140485)
A FirePass VE failover pair might not work correctly in highly loaded ESX/vSphere environments. As a result, the failover IP address may be inaccessible from other subnets.
Cookies support with iPod 3.1.3 (CR141560)
Check for cookies support fails while the logon page loads if the user browses OWA 2010 through FirePass' web applications on iPod version 3.1.3. A message: Please enable cookie for this Web site displays. However, if the user browses OWA 2010 directly, the check for cookie support is successful.
SharePoint, Excel, and reverse proxy (CR50925-1)
You cannot export an Excel spreadsheet through the FirePass controller's reverse proxy.
FirePass Virtual Edition and VMware ESX (CR140161)
Currently, you cannot configure FirePass® Virtual Edition with NFS storage on VMware® ESX.
Update from previous FirePass releases to FirePass 7.0 (CR139546-1)
In this version, if you install or update the Installer Service from previous FirePass releases, and then use Firefox® to connect to a FirePass controller running version 7.0, some components may not get updated. As a workaround, use Internet Explorer to update your components, or install the components separately.
Upgrading to FirePass 6.1 or 7.0 from previous releases (CR140469)
Currently, when upgrading to FirePass version 6.1.0 with the DNS-Cache option enabled on the FirePass system, the system may begin to generate a large number of repeated DNS requests. In addition, you may see multiple instances of the following error message in your system logs: Kernel.Warning F5-Primary kernel: NET: 109 . Refer to SOL11423: Upgrading to 6.1.0 may trigger a high number of repeated DNS requests.
For additional information, please visit http://www.f5.com.
All other product and company names herein may be trademarks of their respective owners.
This product protected by U.S. Patent 7,277,436. Other patents pending.