Mercury 29.0

Mercury: 29.0

Mercury (ˈmɜrkjʉri/; Latin: Mercurius) is a major Roman god, being one of the Dii Consentes within the ancient Roman pantheon. He is the patron god of financial gain, commerce, eloquence (and thus poetry), messages/communication (including divination), travelers, boundaries, luck, trickery and thieves; he is also the guide of souls to the underworld. [ Source: http://en.wikipedia.org/wiki/Mercury_(mythology) (2014-09-14) ]

Note: This update has some major changes to the way policies, including URL filtering and firewall rules are created and managed to make things simpler and easier to understand. Please see here for some short videos showing how to modify policies and test policies. We have also provided some information here on how the policy migration works and any caveats to be aware of. The automatic migration is designed to preserve the existing behavior, however the new policy UI provides a much more flexible set of options, meaning that the policy set can be greatly simplified (this is often a great time to also review your policies to make sure they match what is now appropriate to your user community as this often changes over time).

Mercury: 29.0

29.6.9

Item Type Details
YouTube Cache Enhancement Updates to the YouTube cache for the latest YouTube changes. These are major changes requiring a full update. This update will also re-enable YouTube caching automatically if it was automatically disabled due to issues with the changes several days ago.

29.6.8

Item Type Details
Large Object Cache Resolution In some situations when an upstream proxy was configured, it was not used for all traffic from the Large Object Cache and Content Acceleration Platform, this has been addressed.

29.6.7

Item Type Details
YouTube Caching Enhancement Now adds in support for caching viewpure.com.
YouTube Caching Resolution Weekly and longer reports now correctly include a daily summary of the cache effectiveness.

29.6.6

Item Type Details
BIC Agent Resolution Don’t perform HTTPS inspection on traffic if it is to a LAN IP address, and would not be filtered based on the destination port set under “Minimum port for scanning private IP traffic”.
BIC Agent Enhancement Cache failed lookups for a short period to minimize the number of categorization lookups during an error state.
YouTube Cache Enhancement Further improvement for handling of YouTube traffic, and managing failure cases more efficiently. Also address weekly reporting issues in the YouTube cache report.
HTTPS Exclusions Resolution When clearing out IP addresses or networks for both local and remote HTTPS exclusions, when these changes applied, they will now be removed right away.

29.6.5

Item Type Details
Reports Resolution When clicking through on categories, correctly show the category name, rather than the category ID.
CyberHound VPN Resolution When making changes to local interfaces, if changes were not also made to the VPN, an apply changes would not cause the VPN to read the new configuration until the system was rebooted. This has been addressed, and changes to the local interfaces will now be identified by the VPN.

29.6.4

Item Type Details
UI API Integration Enhancement The SafeChat module is no longer required to allow the UI API to be integrated with other solutions.
Schedule Updates Enhancement When scheduling an update for a future date and time, the success or failure in the communication progress is shown on screen.
Authentication Enhancement Support for Apple Open Directory 10.10 is provided by not requiring a user “disabled” attribute to be set to “0” (as per previous releases). If this attribute is not supplied by the server, it is treated as an enabled user.
SafeChat Archive Enhancement More extensive logging is available when sending messages via the SafeChat SMTP message archive to allow for easier debugging.
SafeChat Enhancement Minor improvements and platform support.

29.6.3

Item Type Details
NGFW Enhancement Improve performance of the NGFW for traffic heading directly to local services by not double scanning for application matching.
MS Lync Enhancement Provide feedback to the user if there is a problem writing to the registry when saving a configuration change on the client service.

29.6.2

Major BIC Agent Update, Device Reboot Required

Item Type Details
BIC Agent Enhancement There is a new option to change the mode of existing agents from unmanaged to managed and vice-versa. This is ideal for customers where the requirement has changed over time as it removes the need to redeploy the BIC Agent. If a user’s mode is changed, it will be visible to them upon their next reboot.
SafeChat Enhancement A new pattern has been introduced to help identify Radicalisation and Extremism.
Internet Authentication Enhancement When caching 802.1X session ID’s, also track the source AP for the site and its unique identifier. This is for those AP’s that violate the standard and do not provide a unique session ID, causing duplicates and clashes in the cache.
YouTube Cache Enhancement Minor improvements to for compatibility with the current range of players and browsers.

29.6.1

Item Type Details
BIC Agent Enhancement When configuring a forced reboot window, allow this to be up to 2 weeks, rather than the previous 24 hours. Users will continue to be regularly prompted to reboot when they are ready.
NGFW UI Resolution When several people are modifying policies and testing policies simultaneously, it could result in the corruption of the cached used to send configuration back to the web interface (the back end system would be OK). This has been addressed.
Internet Authentication Resolution When listing all active 802.1X RADIUS sessions in the UI, if any host or username had a non-ASCII character, the list would not be displayed (although the cache worked correctly). This has been resolved, and the cache can be viewed again in the web interface.

29.6

Major BIC Agent Update, Device Reboot Required

Item Type Details
YouTube Cache New Feature The integration of our new YouTube Cache. This premium module provides the ability to cache YouTube content transparently on site, providing massive performance enhancements for those organizations on bandwidth constrained links.
BIC Agent Enhancement Due to security concerns from Microsoft for services performing on device SSL inspection, a new agent is required with a new GUID from Microsoft. Microsoft will shortly be actively removing all drivers that they suspect of problematic SSL inspection that have not been white listed by them. On Windows this will require a reboot to use the new driver. This will also update the SSL inspection certificate for each user, after the reboot this will automatically be installed, so no user action is required.
NGFW UI Resolution On some browsers, when setting a time for 12PM, when the page was reloaded the display on the widget would show AM, this has been resolved.
Upstream Proxy Resolution When using an upstream proxy, always force all traffic for localnetwork.zone to use the local interface, and not push it to the upstream proxy.
NGFW Enhancement When creating a custom category that is built on a domain list, do not require the domains to be lower case. The back end will now automatically match in a case insensitive manner.
BIC Agent Resolution Previously when a system had its time set to the future, logs would not be recorded until that time was reached. This has been addressed, and future dates are still stored with in 60 seconds.
Category Web Filtering Enhancement When an upstream DNS server is broken or performing poorly, treat this as a remote error rather than a local error, and rely on the local cache more heavily.
Category Web Filtering Resolution In some environments requesting a change in categorization did not work, this has been addressed.
Web Proxy Enhancement Remove advertised support of the “QUIC” protocol as many Google Chrome browsers appear to be using this experimental protocol even when not enabled. This will prevent Chrome from attempting to use QUIC on a network that does not allow it.
Internet Auth Enhancement New API method to allow real time calls to find out who is logged in at a specific IP address.
Internet Auth Enhancement When a user logs in from a new IP address, refresh the group membership for the user. Previously the group membership was used from any existing sessions if available.
Network Tools Enhancement When doing a TCP Connection test, clearly show why the connection was closed when timing out vs the remote end actively closing the connection.
LiveView Enhancement If not using a total quota for quota enforcement, the next data based quota will be displayed to the user in the LiveView screen.
LiveView Resolution For low resolution screens, the legend would sometimes be cut off when displayed to the user, this has been addressed.
Traffic Shaping Resolution For some configurations Traffic Shaping was not applying all the filters, this has been addressed.
Authentication Resolution For customers running the Remote CyberHound Authentication plugin, some releases of 29 did not work as expected, this has been addressed if both ends are on the same release.
Authentication Enhancement The CyberHound RADIUS accounting based authentication service will now reply to RADIUS requests, including the Proxy-State field if set. This is required for some NPS setups.
Bridge Mode Enhancement Systems in Bridge Mode will now have STP enabled after this update.
Quotas Enhancement A new quota of “Unlimited” can be allocated to a group, and the wording for the other quotas has been updated to further clarify what will happen to the users quota.
Connection Rate-limiting Resolution For LAN based attacks, the source IP was not reliably black listed, causing unnecessary load on the system. This has been addressed.

29.5.3.2

Item Type Details
NGFW Resolution Correct an issue where in specific situations a layer of filtering may become automatically excluded if all criteria do not apply in the context, causing the rule to be skipped.

29.5.3.1

Item Type Details
Usage Logging Resolution In specific load situations, primarily on VMware where the load is external to the virtual appliance, there could be a back log of monitoring data because the response time from the CPU was higher than expected.
CONNECT Proxy Enhancement More enhancements to handle high load on an upstream proxy server where connections are dropped mid-transaction.

29.5.3

Item Type Details
SafeChat Resolution When adding a time based or regular expression criteria to an existing policy set, it would not reliably get exported to agents.
Connection Management Resolution When making configuration changes with out rebooting to an interface with multiple IP addresses and multiple routes, there is a rare Linux bug that may cause the new IP’s to not be assigned. An internal work around is now in place to address this.

29.5.2

Major BIC Agent Update, Device Reboot Required

Item Type Details
BYOD Installer Resolution The BYOD Installer for Windows and Mac OS had an error that would affect some configurations preventing correct installation of the certificate that was introduced in 29.5.

29.5.1

Major BIC Agent Update, Device Reboot Required

Item Type Details
CONNECT Proxy Enhancement Support higher connection loads in the CONNECT Proxy and improves reliability in these high load situations – especially when the upstream proxy is having trouble coping with the load.
Web Filtering Enhancement Tuning for modern (larger) systems to maximise system performance.

29.5

Major BIC Agent Update, Device Reboot Required

Item Type Details
Lync Alerting & Archiving Enhancement Microsoft Lync is now supported in SafeChat for alerting and archiving of content to supported archive targets (including SMTP) for customers with the SafeChat module.
NGFW UI Enhancement The Custom IP Lists now support pasting of multiple IP addresses into a field. It will then automatically then expand this out into a row for each IP address or network. This allows for simple pasting of a number of IP addresses or networks very quickly and easily.
NGFW UI Enhancement A number of minor improvements to simplify the NGFW UI and make it more forgiving for various data entry fields, including durations and time ranges. Blacklist durations can now be set up to 2 weeks.
Web Proxy Enhancement If using SSL inspection (recommended), ensure outgoing connections can not be subjected to a POODLE attack.
SafeChat Enhancement A number of improvements in platform support and coverage of additional interactions for supported platforms.
Network Monitoring Enhancement Don’t log traffic if it is coming from an IP address that is not yet authenticated.
Network Monitoring Resolution Address an issue where some content was not logged if the CyberHound Solution was deployed in bridge mode.
BYOD Onboarding Resolution Sometimes the IP address of a user running through the BYOD on-boarding process was not recorded, this has been resolved.
BIC Agent Enhancement Usernames with spaces are now supported on Mac OSX. Note: It is not possible to create usernames with spaces using native tools, the device must be connected to a directory server with usernames with spaces to allow this to happen. It is recommended that usernames with spaces never be used on any platform.
Botnet Blocking Resolution Allow alerts to be switched off when blocking attempts to access known botnets.
ClamAV Enhancement ClamAV updates will now automatically use a configured HTTP proxy if configured rather than going directly out to the internet.
SafeChat Enhancement AOL AIM is now supported on the agent with SafeChat.
SMTP Server Enhancement Automatically stop accepting emails if available storage is running low.

29.4.4

Item Type Details
Authentication Enhancement Manage the situation where an appliance needs to join an AD domain with local read-only domain controllers, and remote read/write controllers for NTLM based authentication.

29.4.3

Item Type Details
Access Policies Enhancement Change some wording and category descriptions to further clarify the categories, and where to access items in the UI.
Backup Restore Resolution Fully update and import policies when a backup from release 28 is restored to a system with release 29.
Authentication Resolution When listing users from a remote AD server, and there is a large number of users, prevent the TCP/IP socket from waiting indefinitely for data.

29.4.2

Item Type Details
Block Activity Enhancement Support browsing to the old URL paths to provide compatibility with older reports.
Authentication Caching Enhancement The user and group authentication cache can now be extended longer than 1 day. There is also a facility to flush the user and group cache should the need arise, without restarting any services.
Upstream Proxy Resolution No longer require SSL inspection to be turned on to use an upstream proxy.

29.4.1

Item Type Details
Access Policies Enhancement Update text and ordering of categories for further clarity.
LiveView Enhancement Live View is now also supported for direct proxy connections, allowing users real-time feedback on their usage vs the average.
LiveView Enhancement Consolidation of categories to make the graphs easier to read.
Test Policies Enhancement Framing of the “Test Policies” page is now supported to allow simple framing of the page into existing intranets, portals, and similar use cases.
Connect Proxy Enhancement Better handle the case when an upstream proxy server becomes unresponsive; only stop affected, rather than all, connections.

29.4

Major BIC Agent Update, Device Reboot Required

Item Type Details
LiveView Enhancement A new user portal to show expanded information about a users activity compared to the organization average, called LiveView.
BIC Agent Enhancement Support for the now release Mac OS X v10.10 (Yosemite) platform.
Remove VPN Resolution An update to the VPN server to improve reliability for the latest Windows updates.

29.3.2.1

Major BIC Agent Update, Device Reboot Required

Item Type Details
BIC Agent Enhancement Support for the BIC agent to use the latest network policy framework on both Mac and Windows.

29.3.2

Item Type Details
Access Policies Enhancement More flexibility for application control, including allowing applications, unlimited application groups, and an explicit “unknown” application type.
Access Policies Enhancement The change history for Access Policies is now automatically truncated after 30 days to prevent the history growing forever.

29.3.1

Item Type Details
BIC Agent Enhancement When using the BIC Agent for unmanaged devices, when redirected to the login screen for the first time, if the page was an HTTP(S) request, it will be shown on the login screen.
Access Policies Enhancement Minor UI improvements.
Access Policies Enhancement Further performance enhancements.
Connection Management Enhancement When an alerts is sent because a link comes up or goes down, the time of the event is now included in the email body.

29.3

Item Type Details
Access Policies Enhancement Major upgrades to the automatic policy migration from existing firewall and URL filtering policies. This is the first supported upgrade release for customers.
Access Policies Enhanecment Additional performance improvements to the policy matching engine.
Other Enhancement Numerous other improvements to the UI, performance and back end system to further capitalise on the new NGFW framework.

29.1

Item Type Details
Kernel Enhancement The core CyberHound Solution operating system kernel has had a major overhaul to accommodate extreamly fast application matching, enhanced hardware support and other performance improvements.
URL Filtering & Firewall Policies Enhancement All URL Filtering and outbound firewall rules have been merged into a new AJAX interface, providing a powerful a easy to understand “Who, When & What” criteria set.