
Secure Remote Access SonicWALL Aventail E-Class SRA EX-Series 10.6.0

SonicWALL Aventail E-Class SRA EX-Series 10.6.0 Release Notes 232-002040-00 Rev A

Release Notes

Contents

Platform Compatibility
Upgrading from Earlier Versions
Release Caveats
What’s New in This Release?
Known Issues
Resolved Issues
Technical Documentation and the Knowledge Portal

Platform Compatibility

The SonicWALL Aventail E-Class SRA EX-Series 10.6.0 release is supported on the following SonicWALL appliances:

• SonicWALL Aventail E-Class SRA EX9000
• SonicWALL Aventail E-Class SRA EX7000
• SonicWALL Aventail E-Class SRA EX6000
• SonicWALL Aventail E-Class SRA EX-2500
• SonicWALL Aventail E-Class SRA EX-1600
• SonicWALL Aventail E-Class SRA EX-750
• SonicWALL Aventail E-Class SRA Virtual Appliance

Upgrading from Earlier Versions

Note: Windows machines running version 10.6.0 clients should be used with SRA EX-Series appliances running one of the following versions:

• 10.6.0
• 10.5.4
• 10.0.7

If 10.6.0 clients are used with appliances running 10.5.3/10.0.6 or earlier, zone classification will fail when connecting, and the user will be put in the default zone.

If you are upgrading a SonicWALL Aventail E-Class SRA EX-Series appliance to version 10.6.0 from an earlier release, be sure to consult the upgrade instructions in the SonicWALL Aventail Upgrade Guide for detailed information. You’ll find a copy of this document on the MySonicWALL Web site (www.mysonicwall.com).

Release Caveats

The 10.5.X release series was the last release with support for OnDemand Dynamic Mode, which is a proxy based agent deployed through the WorkPlace portal. It is important to note that the OnDemand Proxy Agent has two configurations: Dynamic Mode and Mapped Mode. The Mapped Mode use case is still supported, and only Dynamic Mode support is being removed.

We recommend customers who still have OnDemand Dynamic mode configured through the WorkPlace portal consider the OnDemand Tunnel agent as an alternative. The OnDemand Tunnel agent offers superior performance and platform coverage over OnDemand Dynamic mode, with identical installation requirements.


What’s New in This Release?

This version of the Aventail SonicWALL E-Class SRA EX-Series software includes the following new and enhanced features:

• Local User Authentication Enhancements – In version 10.6.0, additional functionality allows the appliance to be used as an authentication server, providing a viable alternative to off-box authentication servers like Active Directory and LDAP. The local authentication server on the appliance is enhanced with the following capabilities:

o Password management capabilities such as password expiration and user ability to change passwords.
o One Time Password can be used for local users.
o Device ID is supported for users.
o Local groups are supported and can be used in access rules.
o User and group management capabilities allow admin to see user logins, sessions, and other information.
o AMC Administrative group can be a local group.
o Realms can use the appliance local auth store as the authentication server.

• AMC Authentication – Version 10.6.0 provides the ability to use external authentication mechanisms to authenticate AMC users. This allows groups defined on an Active Directory server (or other type of authentication server) for administrative roles to be leveraged and mapped to admin roles and used to authorize administrators in AMC. Policies defined for these groups, such as password aging, will apply to AMC administrators.

With this enhancement, two-factor or chained authentication can be specified for the appliance administrator. The administrator can associate a remote user or group with an admin role in AMC. Role checking is performed in the order displayed in AMC, and the admin can assign a user to a role that does not allow administrative access to the appliance, even when the user is a member of the same group.

An indicator in the administrators list shows which administrators are currently logged in to AMC, along with IP address and group member information.

The following authentication server types are supported for remote administrators and admin groups:

o Active Directory
o Active Directory Tree
o LDAP username/password
o RADIUS
o Local authentication store on the appliance

• One-Time Password Enhancements – In version 10.6.0, the One-Time Password feature is enhanced with new functionality. The subject line and message contents of the OTP email can be customized, including the use of languages other than English. Replacement variables can be used to indicate where in the message the actual password will display. The administrator can specify the type of password generated by the appliance from the following options:

o Alphabetic (default)
o Alpha-numeric
o Numeric

The length of the generated password can be specified. The default length is 8 characters, the minimum length is 4, and the maximum length is 20.


A “test” button is added in the OTP configuration area. When pressed, AMC prompts the admin for an Active Directory or LDAP username to use for the test. Optionally, the admin can manually enter an email address for the test. AMC will then generate a password using the specified options, compose an email message with the specified options, and send an email to the specified email address(es). Failures are displayed to the admin, such as errors connecting to the SMTP server, or errors communicating with the AD/LDAP server or looking up the specified user on the AD/LDAP server.

At runtime, the OTP email message is constructed using the specified template and the replacement variables are replaced with their corresponding content. The generated password contains the type and number of characters specified in AMC. If there is a secondary email address attribute, the OTP email message is sent to both the primary and secondary addresses. The WorkPlace page or tunnel client displays both email addresses to which the password was mailed.
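The OTP options described above (password type, length limits, message template, primary and secondary recipients) are sketched here as an added example; it is not SonicWALL code. The character sets for each type and the `{password}` replacement variable are assumptions, since the release notes name neither.

```python
import math
import secrets
import string
from email.message import EmailMessage

# Assumed character sets: the release notes name the three types but not their alphabets.
ALPHABETS = {
    "alphabetic": string.ascii_letters,
    "alphanumeric": string.ascii_letters + string.digits,
    "numeric": string.digits,
}
MIN_LEN, DEFAULT_LEN, MAX_LEN = 4, 8, 20  # limits stated in the release notes
PLACEHOLDER = "{password}"  # hypothetical replacement variable, not AMC's own token


def generate_otp(kind="alphabetic", length=DEFAULT_LEN):
    """Return a one-time password drawn from the OS CSPRNG."""
    if kind not in ALPHABETS:
        raise ValueError(f"unknown password type: {kind!r}")
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError(f"length must be {MIN_LEN}..{MAX_LEN}, got {length}")
    alphabet = ALPHABETS[kind]
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(kind, length):
    """Bits of entropy in a uniformly random password of this type and length."""
    return length * math.log2(len(ALPHABETS[kind]))


def build_otp_email(subject, body_template, otp, primary, secondary=None):
    """Fill the template and address the message to both configured mailboxes."""
    if PLACEHOLDER not in body_template:
        # A template without the variable would mail a message with no password.
        raise ValueError("template does not contain the replacement variable")
    msg = EmailMessage()
    msg["Subject"] = subject
    msg["To"] = ", ".join(addr for addr in (primary, secondary) if addr)
    # set_content() encodes non-ASCII text as UTF-8, so localized templates work.
    msg.set_content(body_template.replace(PLACEHOLDER, otp))
    return msg


if __name__ == "__main__":
    # Compare the search space an attacker faces for each type at each limit.
    for kind in ALPHABETS:
        for length in (MIN_LEN, DEFAULT_LEN, MAX_LEN):
            print(f"{kind:12s} len={length:2d} {entropy_bits(kind, length):6.1f} bits")
    # Constructed sample template and addresses.
    otp = generate_otp("alphanumeric", 10)
    mail = build_otp_email(
        "Your one-time password",
        "Votre mot de passe à usage unique : {password}",
        otp,
        "user@example.com",
        "user@example.net",
    )
    print(mail["To"])
    print(mail.get_content())
```

Under these assumed alphabets, a 4-character numeric password carries about 13.3 bits and the default 8-character alphabetic password about 45.6 bits, which is the gap to weigh when picking the type and length in AMC.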

• SNMP Improvements (SNMPv3) – Version 10.6.0 supports Simple Network Management Protocol Version 3 (SNMPv3), which addresses the security deficiencies in both SNMPv1 and SNMPv2. The addition of SNMPv3 functionality does not change the management information that is reported by the appliance.

The administrator can enable either SNMPv2 or SNMPv3, or can disable SNMP. When SNMPv3 is enabled, secure authentication is provided by the SHA algorithm, while the AES algorithm is used to encrypt and decrypt SNMP messages.

The EX-Series supports a subset of SNMPv3 functionality, designed to utilize the security benefits of the protocol while minimizing administrative complexity. Certain non-critical capabilities of SNMPv3 are not supported. For example, although SNMPv3 is capable of supporting multiple “users” on an agent system, AMC supports a single user with read-only access to the entire management data tree. Two passwords are configurable, one for authentication and the other for encryption.

The administrator can enable/disable all traps via a checkbox and can configure an explicit list of hosts, defined by their IP addresses, to which traps will be sent. When SNMPv3 is enabled, traps are sent with the SNMPv3 engine ID of the appliance. This value is generated automatically by the appliance and is not configurable. Because the administrator will have to use this value when configuring trap receivers, it is displayed in AMC as a hexadecimal value in the form “0x<engine ID>”.

• Virtual Assist Enhancements – New Virtual Assist features in version 10.6.0 include client applications for both customers and technicians, additional technician tools, and support for unattended mode. Both technicians and end users can download and install the Virtual Assist Client application by clicking a single link in WorkPlace.

For customers, the application provides a way to enter the name or IP address of the support server, the assistance code, and the ticket number. Once the customer is in the queue, the application provides a way to add details about the problem. Once connected to a technician, the customer can end the remote assist session, initiate and respond to instant messages with the technician, and use the client system as normal to demonstrate the issues to the technician.

For technicians, the application asks for user name and password, and then opens the technician view with a toolbar at the top. The technician app also provides a ticket queue view.

New tools include View menu options for refreshing the customer screen, scaling, color depth, and classic layout. Tool menu options include file transfer, chat, reboot, reboot to SafeMode, and switch to unattended mode. The Commands menu options include get PC control, request full control, active screen selection, open remote system info window, open remote task manager window, send Ctrl+Alt+Delete, open remote Start window, and send Alt+Tab to the customer system.

The unattended mode option allows the technician to have access to the customer computer while the customer is away from it.

Due to the differences from previous Virtual Assist functionality, both the customer and technician will need to run the same version of the Virtual Assist client, while connected to an EX-Series appliance running 10.6.0.


• RADIUS Authentication Timeout Support – To support two-factor authentication for RADIUS compatible servers or vendors requiring a longer authentication timeout, AMC in version 10.6.0 allows the administrator to configure the RADIUS timeout value in seconds. The default is 60 seconds, which is not long enough to complete the authentication process in some cases.

For example, one such vendor is PhoneFactor, which provides a phone-based tokenless two-factor authentication system that can be integrated with VPN appliances using RADIUS. When a user logs into their company’s VPN, a RADIUS request is made to the PhoneFactor Agent, which acts as a RADIUS proxy server. It first validates the user name and password with the target RADIUS server before initiating a PhoneFactor authentication. Depending on the configuration, PhoneFactor either calls the user or sends a text message containing a one-time passcode. If called, the user answers the call and presses # or enters a PIN. For a text message, the user replies to the text message with the passcode (or the passcode and a PIN) to authenticate.

• OCSP (Online Certificate Status Protocol) Support – In version 10.6.0, OCSP is supported. OCSP responders, or servers, take the certificate from a client, evaluate it and give back a response defining the certificate as valid, revoked, or unknown. Using an OCSP responder requires less configuration and maintenance than using hierarchical CRL servers for each level of the Certificate Authority (CA) chain, especially in large enterprises.

The AMC administrator can configure an OCSP server or use the option for retrieving the OCSP responder URL from the certificate.

The AMC admin imports the OCSP server’s signing key on the appliance for digital signature verification, and configures a realm with PKI authentication that has OCSP enabled.

When end users authenticate to this realm by providing a certificate trusted by our appliance (as configured in AMC), the certificate is verified against the trusted CA list for that realm and submitted to a selected OCSP responder (as configured in AMC).

The OCSP response is received and verified for integrity. If the response indicates that the certificate is valid, the user is successfully authenticated. If the status is “revoked” the authentication will be denied. In case of error or “unknown” or if the OCSP responder is not available, the authentication is successful provided that the “allow users if OCSP is down or status is unknown” checkbox is selected.
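The authentication outcome described above, modeled as an added example (not appliance code) to show which conditions the "allow users if OCSP is down or status is unknown" checkbox relaxes. The type names, the sample cases, and the choice to treat a response that fails integrity verification as an error are assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class OcspStatus(Enum):
    GOOD = "good"        # the release notes call this "valid"
    REVOKED = "revoked"
    UNKNOWN = "unknown"


@dataclass
class OcspOutcome:
    """Result of one responder query (hypothetical structure)."""
    status: Optional[OcspStatus]   # None: no usable response (timeout, HTTP error)
    signature_ok: bool = True      # response verified with the imported signing key
    error: str = ""


@dataclass
class Decision:
    allowed: bool
    degraded: bool   # True when access was granted without a definitive "good"
    reason: str


def decide(outcome, chain_trusted, allow_if_down_or_unknown):
    """Apply the realm's PKI + OCSP policy to one login attempt."""
    if not chain_trusted:
        return Decision(False, False, "certificate not issued by a trusted CA")
    # Assumption: a response that fails integrity verification is an error,
    # whatever status it claims.
    definitive = outcome.status is not None and outcome.signature_ok
    if definitive and outcome.status is OcspStatus.GOOD:
        return Decision(True, False, "OCSP status good")
    if definitive and outcome.status is OcspStatus.REVOKED:
        return Decision(False, False, "OCSP status revoked")
    # Everything else is indeterminate: unknown, responder down, bad response.
    why = outcome.error or "status unknown"
    if allow_if_down_or_unknown:
        return Decision(True, True, f"admitted without revocation proof ({why})")
    return Decision(False, False, f"denied, revocation not confirmed ({why})")


def fail_open_exposure(cases):
    """Names of the cases admitted only because the checkbox is selected."""
    return [
        name for name, outcome in cases.items()
        if decide(outcome, True, True).allowed
        and not decide(outcome, True, False).allowed
    ]


# Constructed sample outcomes, one per branch of the description above.
CASES = {
    "good": OcspOutcome(OcspStatus.GOOD),
    "revoked": OcspOutcome(OcspStatus.REVOKED),
    "unknown": OcspOutcome(OcspStatus.UNKNOWN),
    "responder_down": OcspOutcome(None, error="connection timed out"),
    "bad_signature": OcspOutcome(OcspStatus.GOOD, signature_ok=False,
                                 error="response signature invalid"),
}

if __name__ == "__main__":
    for name, outcome in CASES.items():
        for checkbox in (False, True):
            d = decide(outcome, True, checkbox)
            flag = " [review]" if d.degraded else ""
            print(f"{name:15s} checkbox={checkbox!s:5s} "
                  f"allowed={d.allowed!s:5s} {d.reason}{flag}")
    print("admitted only with checkbox:", fail_open_exposure(CASES))
```

With the checkbox selected, a revoked certificate is still rejected only when a verified "revoked" response actually arrives, so the `degraded` flag marks the logins worth reviewing after a responder outage.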

• Workplace and Connect Tunnel AUP – In version 10.6.0, AMC provides a mechanism to create a customized message or Acceptable Use Policy (AUP) and display it for Connect Tunnel agents as well as WorkPlace users before initiating any kind of remote access session. These messages or AUPs can be customized for each realm, and are displayed prior to granting any access to the user. The user must click OK or Accept to proceed.

• Fallback Exchange Servers – Version 10.6.0 provides a way to configure a secondary Exchange server which can be used in case the primary server is unavailable. This feature is especially useful for ActiveSync users, who are typically remote and depend on their smartphones for email access.

Large enterprises or service providers often have redundant Exchange servers already deployed in their network. This feature allows them to take advantage of this redundancy and configure the appliance to seamlessly divert ActiveSync traffic from primary to secondary in case of repeated “timed out” requests.

AMC provides configuration of a secondary Exchange server along with the primary, as part of Edit Resource > Exchange ActiveSync options. Both the primary and secondary servers must depend on the same Authentication server and have appropriate certificates which the end users' devices can trust.


• Secure Virtual Desktop and Cache Cleaner Updated Platform/Browser Support – In SonicWALL Aventail version 10.6.0, the following browsers and operating systems are supported when utilizing OPSWAT Cache Cleaner or OPSWAT Secure Virtual Desktop:

o Internet Explorer 7, 8, and 9
o Firefox 3.x and 4.0
o Safari 4.x and 5.0
o Windows 7 SP1
o Sun JRE 6 update 22 or higher

• Windows 7 SP1 (32-bit/64-bit) Support – The following 32-bit and 64-bit Windows 7 releases are supported in version 10.6.0:

o Windows 7 SP1 Professional
o Windows 7 SP1 Ultimate
o Windows 7 SP1 Enterprise
o Windows 7 SP1 Home Premium

All testing with Windows 7 was done with Windows 7 Professional. Other editions of Windows 7 are expected to be compatible with the appliance software, with no issues.

The following versions of Windows 7 SP1 are not supported:

o Windows 7 SP1 Starter (Netbooks, possibly only 32-bit)
o Windows 7 SP1 Home Basic

• Mac OS X 10.7 (Lion) – SonicWALL Aventail version 10.6.0 is compatible with Mac OS X 10.7 (32-bit and 64-bit). Full support is planned in SonicWALL Aventail version 10.6.1.

• Windows Phone 7 – SonicWALL Aventail version 10.6.0 is compatible with Windows Phone 7 for ActiveSync and Web access. Full support is planned in SonicWALL Aventail version 10.6.1.

• Safari 5.0 on Mac OS X 10.6 (Snow Leopard) – SonicWALL Aventail version 10.6.0 supports Safari 5.0 on Mac OS X 10.6 (32-bit and 64-bit).

• Firefox 5.0 and 4.0 on Windows and Linux – SonicWALL Aventail version 10.6.0 supports Mozilla Firefox 5.0 and 4.0 on Windows and Linux systems (32-bit and 64-bit).

• Internet Explorer 9 on Windows 7 and Vista – SonicWALL Aventail version 10.6.0 supports Internet Explorer 9.0 on Windows 7 and Vista systems (32-bit and 64-bit).


Known Issues

This section describes known issues for this release. The issues are organized into the following categories:

AMC Configuration
Authentication
Cache Cleaner (OPSWAT)
Connect Mobile
Connect Tunnel
End Point Control
ExtraWeb
Native Access Modules
OnDemand Proxy Agent – Dynamic Mode
Secure Virtual Desktop (OPSWAT)
Platform/Operating System
Policy Server
Virtual Assist
Web Translation
WorkPlace

AMC Configuration

Symptom: An administrator is allowed to enable both Online Certificate Status Protocol (OCSP) and Certificate Revocation List (CRL) for a certificate authority (CA) certificate.
Condition / Workaround: Occurs when an administrator imports a CA certificate and then enables OCSP and CRL. The AMC should ensure that only one of OCSP or CRL is enabled, not both.
Issue: 100922

Symptom: Cache Cleaner performs cleanup and exits within 2 minutes after being started by a user login to WorkPlace. Cleanup and exit are shown in the tooltip and in Task Manager.
Condition / Workaround: Occurs when enabling Cache Cleaner (CC) with End Inactive User Connections set to the 'Never' option on the Configure Data Protection page. The Secure Virtual Desktop works fine when End Inactive User Connections are set to the 'Never' option.
Issue: 98162

Symptom: AMC displays no results for searches resulting in a large number of matches.
Condition / Workaround: Occurs when a search for users or groups on an external directory results in more than 1,000 matches (on a Windows 2000 server) or 1,500 matches (on a Windows 2003 server).
Issue: 61955

Authentication

Symptom: The error message, “An error occurred during the logout process. Please close your browser” is displayed when logging out of WorkPlace.
Condition / Workaround: Occurs when using a CA Siteminder Identity Provider (IDP) for authentication, and when logged into two EX-Series appliances via WorkPlace using two instances of Internet Explorer, and then clicking Logout on one instance. When one appliance provides signed SAML messages, including the logout response, and the other appliance is not enabled for signing, the error message is displayed.
Issue: 108087


Symptom: The user is prompted twice for the username and password when logging in.
Condition / Workaround: Occurs when logging in to a realm configured for combined authentication with an Acceptable Use Policy (AUP) enabled. The second credentials prompt appears after accepting the AUP. Workaround: Enter the username and password again when prompted.
Issue: 108059

Symptom: AMC does not ask the admin to authenticate using external or local auth store credentials.
Condition / Workaround: Occurs when the appliance license expires, such as expiration of the default evaluation license, and AMC is unable to connect to the Policy Server to get the authentication prompts. Workaround: Log in as superuser (admin/root) and apply a valid license.
Issue: 107563

Cache Cleaner (OPSWAT)

Symptom: Cache Cleaner clears all items including non-session history, passwords, and form data from cache history against policy.
Condition / Workaround: Occurs when users are connecting through Internet Explorer 8 or Firefox, even when Protected Mode is turned off in IE and the "Clear session items only" option is enabled in AMC.
Issue: 94097, 88556

Symptom: Cache Cleaner clears all items from cache history against session-only policy.
Condition / Workaround: Occurs when users on a system with Cache Cleaner enabled close a browsing session. Cache Cleaner clears all items from the cache, even when "Clear session items only" is enabled in AMC. Occurs on a Mac OS X 10.6.3 system with Safari or on a Windows XP SP3 client system with Internet Explorer 8 and Protected Mode turned off.
Issue: 90104, 89001

Symptom: An incorrect MS VC++ run-time error may be displayed by Internet Explorer.
Condition / Workaround: Occurs when a user logs out of WorkPlace within an Internet Explorer browser when the Cache Cleaner was enabled, and then successfully removes the Cache Cleaner Control Class plug-in.
Issue: 88563

Symptom: Cache Cleaner does not clear the browser cache history despite a clear all items policy.
Condition / Workaround: Occurs when users log in to WorkPlace with Cache Cleaner enabled, use the browser to access various Web sites, then log out of WorkPlace and close the browser, and then launch the browser again after Cache Cleaner exits. Cache Cleaner does not clear all items from the cache, although the clearing scope is set to "Clear all items" in AMC. Occurs on a 64 bit Windows Vista SP2 client system with Internet Explorer 8 and Protected Mode turned on. Workaround: Turn Protected Mode off in IE.
Issue: 88507


OPSWAT Cache Cleaner Deployment Issues

The following tables contain known issues and deployment results provided by OPSWAT for the Cache Cleaner when using Internet Explorer in certain environments.

Key to colors and abbreviations:

IE: Internet Explorer
PM: Protected Mode
JRE: Java Runtime Environment
RED: Failed to wipe
GREEN: Successful wipe

Launching via Applet

The following table outlines the issues that the Cache Cleaner will encounter based on different environments:

[Table: rows are IE 7 with PM ON, IE 7 with PM OFF, IE 8 / IE 9 with PM ON, and IE 8 / IE 9 with PM OFF. Columns are PM ON data and PM OFF data, each given for JRE < JRE 6, update 10 and for JRE >= JRE 6, update 10. Every cell lists Cache, Cookies, History, Typed Addresses, and Passwords, each colored per the key above; the colors are not preserved in this text.]


Launching via ActiveX

The following table outlines the issues that the Cache Cleaner will encounter based on different environment setups on Windows Vista:

[Table: rows are IE 7 with PM ON, IE 7 with PM OFF, IE 8 / IE 9 with PM ON, and IE 8 / IE 9 with PM OFF. Columns are PM ON data and PM OFF data. Every cell lists Cache, Cookies, History, Typed Addresses, and Passwords, each colored per the key above; the colors are not preserved in this text.]

Additional Browser Support for Data Cleanup

Although Form Data and Download History do not appear in the above tables, some deletion of these types of data is supported by Cache Cleaner, depending on the browser.

• Form Data is defined as stored data such as the shipping address a customer enters on a shopping website. Passwords are handled separately from Form Data.

• Download History is distinct from History or Typed Addresses. Download History is defined as the browser's record of downloads. History is defined as all of the browsing history, such as all of the websites that were visited.

On Windows, Internet Explorer 7, 8, and 9, and Firefox 4.x support deletion of Form Data.

On Windows, Firefox 3.x supports deletion of Form Data and Download History.

On Mac OS, Safari 3.x, 4.x, and 5.x support deletion of Form Data and Download History.


Connect Mobile Symptom Condition / Workaround Issue Connecting to the appliance with Connect Mobile can result in a “winsock” error.

Occurs when the Connect Mobile client is installed using cmsetup.exe. Workaround: Install Client Hotfix 001 for 10.6.0, and then install the Connect Mobile client.

109362

Installing or uninstalling Connect Mobile on a hand held device can fail.

Occurs when Trend Micro Mobile Security real-time scanning and virus detection is enabled on the device. Workaround: Disable real-time scanning before installing or uninstalling Connect Mobile.

60183

Connect Tunnel

Symptom | Condition / Workaround | Issue

Connect Tunnel and Aventail Access Manager do not install correctly on a system running Windows Embedded Operating System. Aventail Access Manager installation displays an error message.

Occurs when running Windows XP Embedded OS on a client machine and then attempting to install Connect Tunnel or Aventail Access Manager from WorkPlace. Workaround: Install Microsoft Visual C++ 2005 SP1 Redistributable Package (x86) on the Embedded OS machine, then log in to WorkPlace and install AAM or Connect Tunnel.

108228

Connect Tunnel falls back to the fallback server instead of denying access to a user, as configured in an Access Control List (ACL).

Occurs when both a fallback server and an ACL are configured in AMC. The ACL denies access to any resource for a specific user. When the user launches Connect Tunnel and tries to connect to the appliance, Connect Tunnel falls back to the fallback server configured instead of denying access.

106946

Connect Tunnel will not work on Linux machines with newer versions of OpenSSL.

Occurs when you install Connect Tunnel for Linux on a Linux distribution that only has OpenSSL >= 1.0.0 installed. Workaround: Install a compatibility package for your given Linux distribution with OpenSSL 0.9.7 or 0.9.8. Then uninstall and re-install Connect Tunnel.

101277

Connect Tunnel public key infrastructure (PKI) authentication does not work with imported certificates.

Occurs when a certificate is imported through certmgr.msc and then Connect Tunnel is used on a Windows machine. An error message is displayed: Access to the remote network was denied. Please verify that you entered your credentials correctly and try again, or contact your support personnel. Workaround: Directly install the client certificate.

102954

The client may experience the error message “A server operation has exceeded its timeout value” during an attempt to reconnect using Connect Tunnel, but the second attempt works fine.

Occurs when connecting to the appliance using Connect Tunnel from a Windows 7 computer with no service pack upgrades, after the computer has been in a suspended state. This only happens when Encapsulated Security Payload is enabled because it’s timed out by EVPN.

96988


While URL Filtering is enabled, an illegal, rejected HTTP stream lets certain DENY rules fail open, allowing the rule to be circumvented and content retrieved from the back-end server.

Occurs when URL Filtering is enabled, a DENY rule exists for a specific URL resource, and an HTTP request is sent using an illegal HTTP construct that is rejected by the SonicWALL Aventail HTTP scanner, but is supported by a Web server. Workaround: Craft policy in accordance with best practices, using ALLOW rules to grant access to specific resources followed by a broad DENY rule disallowing access to all others. Note: Check the Knowledge Portal (on MySonicWALL under Support) for current hotfixes that resolve specific instances of this issue, and apply them before enabling URL Filtering.

94535

Proxy configuration on a private network leads to long Connect Tunnel connection times on some public networks.

Occurs when a private network uses a proxy for its LAN systems. When Connect Tunnel is used on public networks, it attempts to use that private LAN proxy. The problem is that an increasing number of ISPs are resolving names that have no resolution to a default site (usually advertising related). When the unresolved name does falsely resolve to an IP address, the client then attempts to load the PAC file from the resolved address. Of course, none is forthcoming, so a long timeout ensues on every new Connect Tunnel connection.

94424

On Mac OS clients, Connect Tunnel fails to determine outbound proxy settings when it is already launched.

Occurs because, on Mac clients, the System proxy configuration information is detected only when Connect Tunnel is started. If the proxy information is modified when Connect Tunnel is already running, the changes will not be reflected, and Connect Tunnel will not prompt for authentication and will not establish the connection. Workaround: Close and re-launch Connect Tunnel after modifying proxy information.

84422

Local resources are sometimes directed through an internal proxy server.

Occurs when traffic to local networks is redirected through a remote proxy with "Redirect All Non Local Mode", and can be observed by users when Connect Tunnel is enabled and the users are logged into the appliance.

63247

Tunnel clients are unable to reconnect over an access point that requires authentication.

Occurs on a Macintosh device when you switch to a network that requires authentication. For example, if a user is connected to the appliance using a wired connection and changes to a wireless access point that requires authentication, the previous connection cannot be re-established; the user must manually log in to the appliance.

61730

In Redirect All mode, the Internet is accessible if proxy settings are configured on browsers.

Occurs on both Internet Explorer and Firefox browsers when a user configures proxy settings.

61605


The desktop icon for Connect Tunnel in WorkPlace is not present for all Linux users.

Occurs when you provision Connect Tunnel from WorkPlace and the user downloads and installs the client, which normally creates an icon on the user's desktop. If the client device is a computer running a Linux operating system and a different person logs in to it, no desktop icon for Connect Tunnel will be visible. Workaround: One workaround is to bring up the command window (press ALT+F2), and then type the path to the Connect Tunnel program. Alternatively, you could create an icon on the desktop for the Connect Tunnel program. In Redhat or Fedora, for example, you would right-click on the desktop and select Create Launcher, and then browse to the Connect Tunnel application.

61167

When using dial-up and remote proxy for the connection to the Internet, Internet browsing might not traverse the remote proxy.

Occurs when you use a dial-up connection to the Internet, and the community to which you are assigned is configured for remote proxy. This applies regardless of whether the remote proxy was configured manually or using a .pac file. Workaround: In Connect Tunnel, make sure the dial-up connection is specified on the Properties page. Select the 'Establish this connection first' check box and specify a connection in the drop-down list. (If you use OnDemand tunnel, there is no equivalent way to specify the connection properties.)

61056

Cannot access the appliance if specified proxy server is unavailable.

Occurs when Internet Explorer is configured to use an outbound HTTP proxy server and Connect Tunnel attempts to access the appliance using that proxy server. If the proxy is available, the client connection will succeed. However, if the proxy server is unavailable, the client will not fall back to sending traffic through the default route, causing the connection to the appliance to fail. Workaround: Remove the proxy setting from the browser.

60912

Cannot access the appliance using the FQDN/VIP for a WorkPlace site. The Connect tunnel client displays the message, "The device is not in a valid state to perform this request."

Occurs when the Connect tunnel client is configured (by an administrator or user) to access the appliance using the FQDN or virtual IP address for a custom WorkPlace site. Workaround: Configure the client to access the appliance using the FQDN or IP address contained in the appliance's main certificate.

59902
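The workaround for issue 94535 above (ALLOW rules for specific resources followed by a broad DENY) can be illustrated with a small first-match rule model. This is an added example, not SonicWALL code or the appliance's policy engine; the rule model, the paths, and the assumption that a request rejected by the scanner cannot be matched against URL-specific rules are all hypothetical simplifications.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional

ALLOW, DENY = "ALLOW", "DENY"


@dataclass(frozen=True)
class Rule:
    action: str              # ALLOW or DENY
    pattern: Optional[str]   # URL path glob; None means "any request"


def evaluate(rules: List[Rule], parsed_path: Optional[str]) -> str:
    """First matching rule wins.

    parsed_path is None when the scanner rejected the request, so there is
    no URL to match against (modelling assumption for the fail-open case).
    """
    for rule in rules:
        if rule.pattern is None:
            return rule.action
        if parsed_path is not None and fnmatchcase(parsed_path, rule.pattern):
            return rule.action
    return DENY  # assumption: a request that matches nothing gets no access


def bypassable_denies(rules: List[Rule]) -> List[Rule]:
    """Return URL-specific DENY rules that sit in front of a broad ALLOW.

    A request that cannot be matched by URL skips these rules and reaches
    the broad ALLOW, so the policy depends on the scanner never failing.
    """
    found = []
    for rule in rules:
        if rule.pattern is None:
            # The first broad rule decides every request that reaches it.
            return found if rule.action == ALLOW else []
        if rule.action == DENY:
            found.append(rule)
    return []


# Constructed policies; the resource paths are hypothetical.
DENY_LIST_POLICY = [Rule(DENY, "/payroll/*"), Rule(ALLOW, None)]
ALLOW_LIST_POLICY = [
    Rule(ALLOW, "/wiki/*"),
    Rule(ALLOW, "/mail/*"),
    Rule(DENY, None),
]

if __name__ == "__main__":
    policies = (("deny-list", DENY_LIST_POLICY), ("allow-list", ALLOW_LIST_POLICY))
    for name, policy in policies:
        print(name, "| normal request for /payroll/report:",
              evaluate(policy, "/payroll/report"))
        print(name, "| request with no parsed URL:", evaluate(policy, None))
        print(name, "| DENY rules that can be skipped:", bypassable_denies(policy))
```

With the allow-list ordering, a request that matches no specific ALLOW rule ends at the broad DENY regardless of how it was parsed, which is why the workaround does not depend on the scanner.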


End Point Control

Symptom | Condition / Workaround | Issue

Cache Cleaner is not used as an automatic fallback if Secure Virtual Desktop does not load.

Occurs when Secure Virtual Desktop fails to load on Windows client machines.

107801

A Recurring EPC popup window is displayed after clicking the Exit button of Secure Virtual Desktop (SVD).

Occurs when you launch an application such as Notepad, which is also configured to be recurring in a standard zone realm with SVD enabled, then log into WorkPlace to the Recurring Notepad realm. The popup is displayed after clicking Exit in SVD, and then closing Notepad.

106586

Smartphone ActiveSync users are classified to the default or quarantine zone even when the smartphone device ID or serial number is configured as a user attribute in the Active Directory server.

Occurs when the device ID in the user attribute does not include the specific prefix such as “Appl” or “droid” that is sent in the POST message when the smartphone connects to the appliance. Workaround: View the POST message in the appliance log, and use the device ID value shown there for the AD user attribute.

93443

Upgrading to 10.6.0 or 10.5.x from 10.0.x with Symantec OnDemand Protection enabled will fail.

Occurs because Symantec OnDemand Protection is not supported in versions 10.6.0 or 10.5.x. Workaround: Before upgrading to 10.6.0 or 10.5.x from 10.0.x, disable Symantec OnDemand Protection for all End Point Control Zones.

88186

Zone classification can fail in certain cases, preventing the user from logging in.

Occurs when the equipment ID was typed using lower case letters when creating the device profile, and then the user attempts to login from a machine whose equipment ID matches the ID in the device profile except that it contains upper case letters. Workaround: Use capital letters when entering the equipment ID into the device profile.

82465

Zone classification fails when a device profile combines values and the “Match profile if user has no registered devices” check box is selected.

Occurs when a device profile contains a combination of a hard coded equipment ID and user attributes, and the user logs in using an unregistered device. When selected, the “Match profile if user has no registered devices” check box is applicable when the user has no devices registered in the back end AD or LDAP server and there are no hard coded devices in the device profile.

81851


Zone classification fails with certificate device profile on Linux and Mac machines. The client is relegated to the default zone rather than the intended zone.

Occurs when a root certificate is imported to the appliance and configured as a device profile for either the Mac OS or Linux platform, then the zone is created including the device profile with persistent EPC enabled, and the zone is added to a realm. The client certificate is imported to the client Firefox browser and the user authenticates to the realm, but is classified to the default zone. The zone classification fails because the appliance is not integrated with the certificate store for the operating system or the browser.

69625

Zone classification fails for a user who does not have Windows administrator rights. The user is classified to the default or quarantine zone.

Occurs when a Windows device profile is configured on the appliance to check for a certain client certificate on a user's device in either the machine or user store. On an end point device running Windows Vista, the machine store cannot be opened for a user who does not have Windows administrator rights, and the search for the client certificate fails.

61578

ExtraWeb

Symptom | Condition / Workaround | Issue

ExtraWeb attempts to enforce EPC on EPC-incapable devices and tries to install the Windows Mobile EPC component on non-Windows Mobile devices.

Occurs when EPC is enabled on the appliance, and a user connects to Mobile Workplace from an iPad or Android device.

107813

Internet Explorer displays a “Page cannot be displayed” error, and Firefox displays “ssl_error_handshake_failure_alert” messages after attempting to log in to WorkPlace.

Occurs when attempting to log in to WorkPlace using PKI authentication with no client certificates installed on the IE9 or FF 4.0.X browser.

102952

The Safari browser stops responding when accessing Web sites that use applets.

Occurs after logging in to the appliance in a Safari 4.0.5 browser on a machine running Mac OS X 10.5.8, and accepting the certificate prompts. The certificate prompts show header values instead of strings, which appears to be a browser issue. This issue can occur on all Web sites that use applets.

89190


Native Access Modules

Symptom | Condition / Workaround | Issue

VMware View client installation displays an error.

Occurs when attempting to install the VMware View client (32-bit) from WorkPlace on a 64-bit Windows machine. Workaround: Install the 64-bit View client manually rather than via WorkPlace, and then create a virtual desktop shortcut to it in WorkPlace.

107998

The user is prompted to enter the host IP address for an RDP session even if the IP is specified in the .rdp file.

Occurs when the .rdp file uploaded in AMC was saved in UTF-16LE encoding. Workaround: Open the .rdp file in any Unicode supported editor, such as PSPad or EditPlus, change the file encoding to UTF-8 and save the file. For PSPad, select Format > UTF-8 and then save. For EditPlus, select Document > File Encoding > Change File Encoding... > UTF-8 and then save.

107817

Users cannot access WorkPlace NAM shortcuts with EWPCA (Web Proxy Agent) on Windows 7 using Internet Explorer 9. Users are redirected to the authentication page when clicking the Help or Network Explorer links in WorkPlace. Users are not always redirected to the logout page after clicking Logout in WorkPlace. WorkPlace does not display a confirmation dialog box after the user clicks the 'X' to close the browser.

Occurs when using a Windows 7 client machine with Internet Explorer 9 to access WorkPlace. With an EWPCA realm enabled in AMC, using a Windows 7 machine to access WorkPlace shortcuts to NAM resources (such as an RDP shortcut to a host) or to network shares opens a new window with the realm selection page instead of redirecting to the target host. This occurs because IE does not pass session cookies to Extraweb if the request falls into a different zone. When the cookies are missing in HTTP requests, Extraweb opens the user authentication page. Workaround: In IE, add the WorkPlace site URL to "Trusted sites" in Internet Options > Security. Access WorkPlace in a new IE window, and then click on the shortcut.

103267

OnDemand Proxy Agent – Dynamic Mode

Symptom | Condition / Workaround | Issue

OnDemand Dynamic Mode is no longer supported as of the 10.6.0 release. OnDemand Dynamic Mode is a proxy based agent deployed through the WorkPlace portal.

Occurs because the 10.5.x release series was the last release with support for OnDemand Dynamic Mode. Note that the OnDemand Proxy Agent has two configurations: Dynamic Mode and Mapped Mode. The Mapped Mode use case is still supported, and only Dynamic Mode support is being removed. Workaround: Use Mapped Mode or configure the OnDemand Tunnel agent as an alternative. The OnDemand Tunnel agent offers superior performance and platform coverage over OnDemand Dynamic mode, with identical installation requirements.

108175


Secure Virtual Desktop (OPSWAT)

Symptom | Condition / Workaround | Issue

Secure Virtual Desktop displays a “Session Terminated” dialog box, but does not exit if the user does not click OK. The WorkPlace session exits properly.

Occurs when running Secure Virtual Desktop and recurring EPC finds a change in the system status that triggers the SDE session to exit.

97901

The rundll.exe process stops responding for a user accessing a realm that uses Secure Virtual Desktop.

Occurs when the user logs in for the first time to the SDE realm from a freshly installed Vista SP2 32-bit machine with Internet Explorer 8 and User Access Control (UAC) turned on. Workaround: Log in again, as subsequent logons do not have the problem.

91369

Opening an Internet Explorer or Firefox browser after exiting Secure Virtual Desktop results in a warning that the last browsing session closed unexpectedly.

Occurs when an Internet Explorer and/or Firefox browser was open when SDE was launched, and SDE closed the browsers.

91067

The Virtual Desktop background image continues to display after logging off.

Occurs when running Windows 7, creating a realm with Translated Mode and SDE enabled, and accessing the WP using the same realm. Allow the agents to install and provision. Once the Virtual Desktop is created, click on 'Start'->'Log off'. Try to connect to the same client using the same user (but do not access the appliance).

90794

Users cannot print from Notepad on Windows 7 and an error message is displayed.

Occurs when a user enables printing out of the Secure Virtual Desktop, and attempts to print from Notepad on a system running Windows 7. Workaround: In these instances, the user can print from Microsoft Word, and then try printing from Notepad. Print support for 64-bit systems running Windows Vista or Windows 7 may be developed for future releases.

90759

Secure Virtual Desktop does not remove installed applications when it terminates. The application can still be used on the computer, outside of SDE.

Occurs when any application is installed while in a Secure Virtual Desktop session and then the session is ended.

90349

The client may experience error messages: "This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator." After clicking OK, the message “Unspecified Error” is displayed by explorer.exe.

Occurs when running Secure Virtual Desktop, then right clicking on the virtual desktop and selecting “Personalize”. This is a known issue with Microsoft Explorer.

90036

Browser window does not close after launching a Secure Virtual Desktop session.

Occurs when a user launches a Secure Virtual Desktop session through the Firefox Web browser. The browser window displays a "waiting" message, even once the SDE session has begun.

90016

An incorrect MS VC++ run-time error may be displayed by Internet Explorer.

Occurs when a user successfully removes the Secure Virtual Desktop plug-in using the Internet Explorer browser tools options.

90015


Platform/Operating System

Symptom | Condition / Workaround | Issue

In split tunnel mode, file shares are not always redirected to the appliance. Traffic bound for resources defined on the appliance is redirected through the tunnel, and all other traffic is routed as normal.

Occurs when using Connect tunnel on a Vista computer and an appliance in split tunnel mode. File share access—which uses the SMB protocol—may not be redirected properly if there is a conflicting resource on both the remote and local networks. For example, if Connect tunnel is started on a network at 192.168.144.0/24 and there is a resource at 192.168.144.100, a user who is trying to access a share on a remote network at 192.168.144.100 may get connected to 192.168.144.100 on the local network instead. On the Vista operating system, SMB does not use the appliance's routing table directly, but issues connects on different interfaces simultaneously: whichever connection succeeds first is the one that is subsequently used (even if the routing table on the appliance prescribes something else). In this example, if the 192.168.144.0/24 interface connects first, then access to the resource at 192.168.144.100 will not be redirected.

63383

The Access Manager component fails to properly install on Windows 7 platform clients, causing a dialog box prompt to display a request for the insertion of a smart card.

Occurs because the certificate is not being properly imported in Internet Explorer on Windows 7 systems. Workaround: Mark certificate keys as exportable.

85698

SonicWALL Aventail EX7000 and EX6000 appliances refuse to boot during re-imaging.

Occurs when a USB device is inserted into the appliance. During the re-imaging process, appliances boot from the internal hard drive instead of a compact flash card. Workaround: Before rebooting an EX7000 or EX6000 appliance, remove any USB devices.

76435
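For the split tunnel conflict described in issue 63383 above, a client-side check can flag tunnel resources whose addresses overlap a network the client is directly attached to. This is an added example, not part of the SonicWALL product; the function names, the client address 192.168.144.57 and the extra resource ranges are constructed, while 192.168.144.0/24 and 192.168.144.100 come from the issue description.

```python
import ipaddress
from typing import List, Tuple


def local_network(interface_cidr: str):
    """Network a client interface is attached to, e.g. '192.168.144.57/24'."""
    return ipaddress.ip_interface(interface_cidr).network


def conflicting_resources(interfaces: List[str],
                          resources: List[str]) -> List[Tuple[str, str]]:
    """Return (resource, local network) pairs whose address ranges overlap.

    interfaces: client interface addresses in CIDR form.
    resources:  hosts or networks defined as tunnel resources; a bare host
                address is treated as a /32 (IPv4) or /128 (IPv6).
    """
    nets = [local_network(i) for i in interfaces]
    conflicts = []
    for res in resources:
        res_net = ipaddress.ip_network(res, strict=False)
        for net in nets:
            # Only compare like with like; IPv4 and IPv6 never overlap.
            if res_net.version == net.version and res_net.overlaps(net):
                conflicts.append((str(res_net), str(net)))
    return conflicts


# Constructed sample input based on the addresses in the issue description.
SAMPLE_INTERFACES = ["192.168.144.57/24", "fe80::1/64"]
SAMPLE_RESOURCES = ["192.168.144.100", "10.20.0.0/16", "192.168.0.0/16"]

if __name__ == "__main__":
    for resource, network in conflicting_resources(SAMPLE_INTERFACES,
                                                   SAMPLE_RESOURCES):
        print(f"tunnel resource {resource} overlaps local network {network}: "
              "SMB connections may reach the local host instead")
```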


Policy Server

Symptom | Condition / Workaround | Issue

The Policy Server checks and verifies only the first certificate in the list sent by the client in the process of zone classification based on client certificates. Zone classification sometimes succeeds and sometimes fails.

Occurs when a standard zone is defined with a client certificate as device profile (for Windows or Mac OS X) by selecting a CA certificate for which CRL/OCSP is enabled, then a user logs in to the appliance using ExtraWeb/Connect Tunnel from a client PC with multiple client certificates (some good and some revoked) installed which are issued from the same CA. Workaround: Remove unused, expired, or revoked certificates from the client machine.

106989

OCSP response verification fails if a root CA is not configured.

Occurs when a user certificate is issued from an intermediate CA and PKI authentication is configured to use only the intermediate CA. That is, OCSP is enabled with the trust intermediate CA certificate option. Workaround: Use the root CA instead of the intermediate CA when configuring the PKI authentication server.

103132

Group affinity checking is not successfully completed with certain authentication scheme combinations.

Occurs when PKI is configured as the primary authentication scheme, and Active Directory, LDAP, or RADIUS is configured as the secondary authentication. Workaround: Remove the secondary authentication.

90434

Virtual Assist

Symptom | Condition / Workaround | Issue

The Technician application can become unresponsive when attempting to service a customer request for assistance.

Occurs when the technician sends an invitation to the customer, but then the customer initiates a separate request for assistance and the technician attempts to service it. Workaround: The customer can kill any Virtual Assist applications, such as those that show the queue or allow the customer to enter the Server Name/IP address, and then click on the invitation URL.

108061

On some browsers, the browser does not close after the user clicks Yes in the confirmation dialog that is prompting the user to close it.

Occurs when the user clicks a Virtual Assist invitation link and is provisioned with the Virtual Assist client, and then is prompted to close the provisioning browser window.

107982


Control of the customer computer might not be transferred to the technician even when the customer clicks OK to allow it.

Occurs when the following sequence of events takes place:
1. With the technician in Active Mode, the customer is prompted to allow a file transfer to the technician’s computer.
2. Customer clicks OK, causing the mode to change to View Only Mode and the file transfer to begin.
3. Before the file transfer completes, the technician clicks on the customer desktop in his VA client viewer, causing a prompt to the customer to ‘Allow technician control of your system’.
4. Customer clicks OK, but control is not transferred to the technician.

101999

The Help button incorrectly displays Windows help.

Occurs on Mac OS X when the Help button is clicked.

94630

The Virtual Assist session sometimes stops responding.

Occurs on Mac OS X when closing the browser window where the initial Virtual Assist session was launched.

94629

The technician application stops responding in certain conditions.

Occurs on Mac OS X after an ungraceful exit if the browser is closed before the application exits. Workaround: Exit the application first, then close the browser.

94627

The technician application sometimes stops responding.

Occurs on Mac OS X when the technician application shows the last screen of the Mac system even after ending support.

94626

The customer system reboots and then displays an error message about incorrect parameters. The technician cannot reconnect with the customer.

Occurs when the technician PC is running Windows Vista SP2 with Internet Explorer 8, the customer PC is running Windows XP SP3 with Internet Explorer 8, the technician clicks “Reboot Customer PC”, and the customer provides their credentials. Workaround: The customer logs back into the wait queue on a new ticket either by entering the authentication code or by responding to an invitation sent when the technician creates a new ticket.

91774

The Safari browser stops responding after a technician attempts to service a re-queued Windows customer.

Occurs when a technician has both a Windows-client customer and a Mac-client customer waiting for service in the Virtual Assist queue, and the technician services the Windows customer and then attempts to service the same Windows customer again after a re-queue.

90634

The technician cannot start the service for the customer again after re-queue.

Occurs on Mac OS X when the client application is not terminated when the technician re-queues the customer.

90511


Cannot use the same user name to log in as a technician for approximately six minutes.

Occurs on Mac OS X when the technician selects the option to end support (Stop or Remove).

90510

A customer cannot use an invitation link to join the queue until after six minutes.

Occurs when a customer accepts an invitation to join the Virtual Assist queue for service when it is full, is prompted to try again later, and then tries to use the same invitation link to join the queue after a space opens up.

89674

The technician's screen may momentarily go blank the first time the technician attempts to view the customer screen.

Occurs when a technician initiates a Virtual Assist session with a customer, and selects the full-screen mode option to view the client's screen. Workaround: The technician and user should each move their mouse to refresh the VNC connection.

88498

During a Virtual Assist support session, Virtual Assist may stop responding while transferring files.

Occurs when the client or customer attempts to send numerous files to the technician's system at one time, using the file transfer tool.

88628

Web Translation

Symptom | Condition / Workaround | Issue

The body of an email in Outlook Web Access 2010 sometimes displays as a blank page.

Occurs when logged into a realm configured to use URL Translation with form based authentication; occurs on Windows XP SP3 with IE8, and Mac OS 10.6.4 with Safari.

101799

Domino Web Access 8.5 does not work in a realm using only URL Translation.

Occurs when Domino Web Access is used while logged into a realm configured to use URL Translation. Workaround: In the Web Proxy Options area of the Add/Edit Resources page, configure Domino Web Access 8.5 as a URL Resource using a custom host name (FQDN) and port.

103348

Edited layout is not reflected on Domino Web Access home page after saving the selected layout.

Occurs when using port mapped or host name mapped access for Domino Web Access, and the user edits the layout of the page. Workaround: Click the Refresh button to display the new layout.

83358

Using the Windows Explorer style view on SharePoint causes a long delay and then fails.

Occurs when Explorer View is clicked to view a document library on a backend SharePoint server (2003/2007) while logged in through the EX-Series appliance. This is a known limitation due to SharePoint use of built-in URLs with proprietary components. Workaround: Use other views that provide tables and columns.

60916


WorkPlace

Symptom | Condition / Workaround | Issue

Aventail Access Manager, the provisioning and EPC component for Windows, does not download and install correctly. Connect Tunnel can also have installation problems.

Occurs when attempting to access a WorkPlace portal that is hosted on appliances in cluster mode, while using a BSNL data card for the Internet connection. Workaround: Uninstall Aventail Access Manager and all related components from Program Files, and also delete the epi.msi and epiMsibootstrapper.exe from the %temp% folder on your machine. Then, access WorkPlace and allow AAM to download and install.

109025

Clicking OK on a “File Size Exceeded” window closes the window without returning to the folder.

Occurs when a user is logged into WorkPlace using Internet Explorer 8, and attempts to upload a file exceeding the size limit. When the user clicks OK, the warning window sometimes closes without returning the user to the folder containing the file to upload. Workaround: Use another type of browser or a different version of Internet Explorer.

83150

Cannot cancel installation of Aventail Access Manager.

Occurs when a file download dialog opens during installation of Aventail Access Manager. If the user clicks Cancel in this dialog box, the Aventail Access Manager Web page does not display any navigation buttons. Workaround: Refresh the browser, and the buttons used to select the installation options will display.

61369

Certificate authentication process stalls during login to WorkPlace.

Occurs when you attempt to log in to a realm that requires a client certificate when connecting to WorkPlace using Internet Explorer on a PDA that is running Windows Mobile 5. Workaround: Click the Next button.

61269

Resolved Issues

This section describes resolved issues for this release. The five-digit numbers in brackets are internal tracking IDs. The issues are organized into the following categories:

ActiveSync
Authentication
Cache Cleaner
Connect Tunnel
Certificates
End Point Control
ExtraWeb
Logging
Secure Virtual Desktop
Security
System
Upgrading/Migration

ActiveSync

Symptom | Condition / Workaround | Issue

Some Windows mobile devices cannot connect to ActiveSync via the appliance.

Occurs when attempting to connect to the ActiveSync service with a Windows Phone 7 or Windows Mobile 6.5 device.

107106

The appliance uses two licensed sessions for the same phone/user ActiveSync access. One licensed session handles ActiveSync commands, and the other only runs Ping.

Occurs when a specific send/receive option is configured on HTC EVO Droid phones which makes the phone use a Push type of mail synchronization called “As items arrive”.

102645

Authentication

Symptom | Condition / Workaround | Issue

RSA Cleartrust authentication results in a login failed message from the appliance.

Occurs when logging in via Extraweb to a realm that uses an RSA authentication server, and entering credentials in the RSA Cleartrust page.

103553

Cache Cleaner

Symptom | Condition / Workaround | Issue

Cache Cleaner causes Internet Explorer to close and then reopen a tab, resulting in a warning saying “This tab has been recovered.”

Occurs when clicking Logout in WorkPlace with Cache Cleaner running, while using Windows 7 or Vista SP2 with an Internet Explorer 8 browser with Protected Mode turned on. Workaround: Turn Protected Mode off.

89956

The tray icon for Cache Cleaner is not displayed on the client system.

Occurs on 32-bit and 64-bit Windows 7 and Vista SP2 client systems when using Internet Explorer with Protected Mode turned on. Workaround: Turn Protected Mode off in IE.

88453

Cache Cleaner is slow to release memory and exit after user logout.

Occurs when using Internet Explorer 8 or Firefox on a Windows XP SP3 client system. A delay of 53 seconds has been observed.

88364

Connect Tunnel

Symptom | Condition / Workaround | Issue

Opening the Connect Tunnel properties window causes Windows Explorer to stop working, and the CT properties do not display the host IP address or realm.

Occurs when OnDemand Tunnel is launched on a 64-bit Windows SP1 machine, and then the user installs Connect Tunnel from WorkPlace and launches it, then opens the CT properties.

107719

Connect Tunnel activation fails on Mac and Linux systems when certificate authentication is enabled.

Occurs when LDAP and PKI certificates are configured. Connect Tunnel should be able to successfully connect when LDAP and PKI certificates are enabled.

102744

A misleading error message is displayed: “VPN Connection Failed. Access denied. The required system capabilities are not present, enabled, or current.”

Occurs when logins are attempted after the number of users logging in to the appliance reaches the licensed limit. At issue is the license count on the appliance, not the system capabilities of the client device.

77107

Certificates

Symptom | Condition / Workaround | Issue

For certain customers using Firefox 4.0 and higher with Certificate Authentication, end-users may fail to authenticate with a Mozilla error 'ssl_error_renegotiation_not_allowed'.

Occurs due to a behavioral change by Mozilla in Firefox 4.0 and newer, requiring support for RFC 5746. Workaround: Include the appliance hostname(s) in the 'security.ssl.renego_unrestricted_hosts' configuration parameter. This allows certificate authentication to succeed, and does not pose any additional risk to the end-user, administrator, or appliance. SonicWALL does not support renegotiation in general in the 10.0.X and 10.5.X firmware line, and as such is not vulnerable to CVE-2009-3555.

97120

End Point Control

Symptom | Condition / Workaround | Issue

Fallback to Java for Secure Virtual Desktop (SDE) or Cache Cleaner (CC) deployment takes several minutes and can result in an error.

Occurs when using Internet Explorer and the user logs into a realm in which Translation and SDE are enabled, and does nothing when prompted to allow the ActiveX SDE installation. After more than 4 minutes, the browser attempts to install SDE using Java, but the installation takes a long time and can fail. CPU usage is very high. Also occurs with CC in place of SDE.

107514

Mac OS users cannot login to WorkPlace and see the error message, “Your session has been idle too long. Please close your browser and log in again.”

Occurs when using Mac OS 10.6.x with Safari 5 or Firefox 4, and Connect Tunnel client access is restricted for EPC zones.

101058

Connect Tunnel users are sometimes disconnected. This can occur at an interval of about 45 minutes.

Occurs when Recurring EPC is enabled and RADIUS is being used for authentication.

95166

End point control check for NOD32 Antivirus DAT fails from certain operating systems. When the DAT check is disabled, the end point control check works fine.

Occurs when using Japanese Windows XP SP2 with Internet Explorer 6.

78797

ExtraWeb

Symptom | Condition / Workaround | Issue

Warning messages seen every 8 minutes on the appliance: “Warning <date/time> No Policy Variable Value found for Variable <variable name>”.

Occurs when using ExtraWeb with Translation for access, and Active Directory is configured as a backend server for authentication. The configuration contains two variables which are seen in the warning message in place of <variable name>.

99811

Access to a Custom FQDN resource does not proceed beyond the registering computer process.

Occurs when a URL resource with Web proxy option is configured to use Custom FQDN, and the resource is accessed from an external location.

98995

Logging

Symptom | Condition / Workaround | Issue

Messages being sent from the appliance to a remote syslog server are taking too much disk space, causing difficulty in monitoring VPN sessions.

Occurs when another firewall cluster sends a lot of broadcast packets for cluster synchronization using source IP addresses of all zeros, and MAC addresses of mostly zeros. To the SonicWALL appliance, these look suspicious and are sent to the syslog server. Resolved with a CEM setting available in the advanced Maintenance page, through SonicWALL Support.

89566

Secure Virtual Desktop

Symptom | Condition / Workaround | Issue

Secure Virtual Desktop (SVD) launches only for an administrator account.

Occurs when a non-admin user logs into a realm enabled with SVD, and, on Windows 7, is prompted for admin credentials during SVD agent installation. The admin credentials must be entered to proceed, and the resulting virtual desktop session is for the administrator account. On Windows XP, the SVD deployment fails without requesting admin credentials.

105970

Security

Symptom | Condition / Workaround | Issue

A possible Click-Jacking vulnerability exists in the Apache Web server.

Occurs when running a Sunera vulnerability scan and SAMEORIGIN is not set in the header response. The resolution prevents the vulnerability by default, but allows the previous behavior for special cases with a CEM setting available in the advanced Maintenance page, through SonicWALL Support.

104542

A secure attribute is missing in some cookies set by the appliance, potentially exposing data stored in the cookies.

Occurs when some of the cookies set while accessing WorkPlace are not marked 'secure'.

63365
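The two Security fixes above (104542 and 63365) can be confirmed from response headers after an upgrade. The following check is an added example, not SonicWALL code: it assumes the header a scanner looks for is X-Frame-Options, and the sample responses and cookie names are constructed for illustration.

```python
# Constructed sample responses (cookie names and values are made up).
BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: SESSION=abc123; Path=/; HttpOnly\r\n"
    "Set-Cookie: LANG=en; Path=/; Secure\r\n"
    "\r\n"
)
AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Set-Cookie: SESSION=abc123; Path=/; Secure; HttpOnly\r\n"
    "Set-Cookie: LANG=en; Path=/; secure\r\n"
    "\r\n"
)


def parse_headers(raw_response):
    """Return (lowercased name, value) pairs from the header block."""
    pairs = []
    for line in raw_response.split("\r\n")[1:]:  # skip the status line
        if not line:  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit_headers(raw_response):
    """Return findings for missing anti-framing header and non-Secure cookies."""
    headers = parse_headers(raw_response)
    findings = []
    # Assumption: the header the scan checks is X-Frame-Options.
    xfo = [v.upper() for n, v in headers if n == "x-frame-options"]
    if not any(v in ("DENY", "SAMEORIGIN") for v in xfo):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")
    for name, value in headers:
        if name != "set-cookie":
            continue
        pair, *attrs = value.split(";")
        # Attribute names are case-insensitive; Secure carries no value.
        attr_names = {a.split("=", 1)[0].strip().lower() for a in attrs}
        if "secure" not in attr_names:
            findings.append("cookie %s lacks Secure" % pair.split("=", 1)[0].strip())
    return findings


if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_headers(raw) or "no findings")
```

Feed it the header block saved from a WorkPlace response; an empty list means both fixes are visible on that response.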

System

Symptom | Condition / Workaround | Issue

The appliance becomes unresponsive.

Occurs when the operating system is performing some internal synchronization and hits a rare set of conditions.

100606

Upgrading/Migration

Symptom | Condition / Workaround | Issue

After upgrading an appliance to 10.6.0, the hostname can be missing (set to nothing).

Occurs when the original hostname contains an underscore ‘_’, which is not supported, and AMC allows the migration to proceed, rather than returning an error during importation of the configuration settings.

105976

Technical Documentation and the Knowledge Portal

Check the SonicWALL Customer Support Knowledge Portal, available when you log in to MySonicWALL, for information and hotfixes that are relevant to your appliance.

Technical documentation is available on the SonicWALL Technical Documentation Online Library: http://www.sonicwall.com/us/Support.html

______________________

Last updated: 11/4/2011