Perseus: 28.0


Web Interface Enhancement For customers who have the Netbox web interface on the public internet, prevent the use of SSL ciphers that are vulnerable to the POODLE SSL attack. This is also enforced for traffic traversing the HTTPS web proxy. Customers on release 29.5 or later also already have this applied.


Core system Enhancement Formal release fixes for GHOST. Note that unless a site specifically requested not to receive this update, all sites received it within 24 hours of the release.
Windows BIC Agent Enhancement Due to security concerns from Microsoft about services performing on-device SSL inspection, a new agent is required with a new GUID from Microsoft. Microsoft will shortly be actively removing all drivers that they suspect of problematic SSL inspection that have not been whitelisted by them. On Windows this will require a reboot to use the new driver.


BIC Agent Enhancement The Mac OS BIC agent kernel driver is now signed by a new Apple certificate, as well as other changes to support Mac OS X 10.10 (Yosemite). This also includes automatic re-installation of the BIC Agent post an upgrade from 10.9 to 10.10. Note: in line with Apple’s demonstrated support, 10.6 continues to not be supported.
BIC Agent Resolution In very rare instances, due to an internal race condition, the Mac OS BIC Agent would record incorrect data quantities in Network Monitoring.


Connection Rate Limit Resolution Address an issue where the Connection Rate Limit Whitelist would no longer apply after a reboot. Note: this option should practically never be used to best protect the user experience for all users of the network.


Firmware Resolution Update specific IBM firmware that can cause a stability problem in some instances.


Log Files Enhancement For larger sites, allow log files to grow larger to store more history.
URL Override Resolution Use the correct timezone when displaying the set and expired times of URL overrides.
Mac BIC Agent Enhancement Self repair if configuration files become overwritten. This allows for AV tools to potentially remove files, and the system to continue to work, with the active config written to disk as required.
Mini Systems Resolution Honor the selected locked port speed for the Ethernet interfaces. Previously the port would always be auto-negotiate.


Internet Auth Enhancement Continue to also allow the use of cert.netbox, which will automatically redirect to for customers that link to it from other sources.


Item Type Details
Internet Auth Enhancement Replace the use of the .netbox domain with This provides for a valid SSL certificate into the future for internal domains such as This domain will be used for all Internet Auth authentication, so it is critical that if internal DNS servers are in use, they are using the Netbox rather than going directly to the public internet.


Large Object Cache Enhancement Support an optional additional drive (for some models) for the Large Object Cache. This provides a dedicated storage drive to provide more capacity and performance for the Large Object Cache.
BIC Agent Enhancement Further tamper protections have been introduced for both the Mac and Windows agents.
VMware Update Support for the VMware VMXNET2 NICs will be removed in a future release. A daily reminder email will be sent automatically if it is detected that VMXNET2 NICs are in use. VMXNET3 NICs are the currently recommended and supported interfaces.
Email Scanning Resolution Some PDF files would be detected as plain text, potentially detecting words in PDF metadata. This has been resolved.
SafeChat Enhancement Further updates and support for platform changes.

HTTPS Redirection Resolution If a remote host was blacklisted from redirection due to excessive failures, the redirector would block indefinitely. This resolves this issue and correctly blocks the remote host from further redirects for a few minutes.


HTTPS Inspection Enhancement Google Drive now only supports certificates with an expiry date not containing the century. To accommodate this, all certificates for Google services will be regenerated without the century in the expiry date. (This matches what was introduced in
BIC Agent Enhancement Additional measures to prevent tampering on the BIC Agent for Mac OS X.


Large Object Cache Enhancement The Netbox now supports Microsoft Update (Office and security updates on Windows) as part of the Large Object Cache.
Reverse Proxy Enhancement Support the upload of a separate intermediate certificate bundle for the reverse proxy.
SMTP Delivery Enhancement Support up to 50 remote servers before giving up when delivering an email message, this was previously limited to 5 successive failed hosts before failing.
Internet Auth Enhancement When a user successfully logs in, force disconnect all active connections to the redirector. This will prevent browsers getting redirected back to the login page upon successful login when the browser opens up a TCP connection and leaves it hanging without making a request before login.
Internet Auth Enhancement Detect when a host has gone down during a SSH pass-through look up, and terminate the SSH look up. This prevents the IP from taking a long time to authenticate when it next becomes active.
Web Proxy Enhancement Support custom headers to integrate with Xirrus APs from a cloud hosted service, providing secure access, and user identity information transparently to the user and the user device configuration.
URL Filtering Resolution Prevent the entry of specific invalid regular expressions in the user interface.
Network Tools Enhancement Allow the selection of any source IP address (not just interface) for the ping and traceroute tools under Administration > Network Tools.
Home Page Resolution When displaying the time a release was installed on the home page, consider daylight savings, and ensure it displays the correct time.
Agent Enhancement Higher performance processing of massive HTTP uploads
SafeChat Enhancement Provide a generic SMTP email for archiving information to be sent to a corporate archive solution using traditional channels. This can be configured on a schedule (from every 30 minutes to daily), and gathered archive information will be grouped by conversation and emailed to the archive.


Kernel Enhancement Full 64-bit addressing for all drivers (where applicable) across most platforms, including VMware, iSeries systems and current series mini systems.


Internet Auth Enhancement Replace the use of the .netbox domain with This provides for a valid SSL certificate into the future for internal domains such as This domain will be used for all Internet Auth authentication, so it is critical that if internal DNS servers are in use, they are using the Netbox rather than going directly to the public internet.

HTTPS Inspection Enhancement Google Drive now only supports certificates with an expiry date not containing the century. To accommodate this, all certificates for Google services will be regenerated without the century in the expiry date.

Log Viewing Resolution Address an issue where clicking apply too many times during a longer uptime period could cause the proxy debug logs to stop recording data until the next reboot.

Out of Office Notification Resolution Resolved an issue where setting an out of office notification would take up to 30 minutes to be configured when setting an email address for the first time when using the local Netbox user database.

Email Hosting Resolution Resolve an issue where if using user accounts on AD to create mail accounts on the Netbox, if the AD server returned “null” users on a look-up, the account may not be considered valid, so the mail would be delayed.

IPS Alerts Resolution Some IPS alerts may not be emailed (however still displayed on the home page) if they contained unicode usernames.

Content Scanning Enhancement Some updates to the user interface and check processes for more enhanced spam filtering, while minimizing false positives.
Authentication Enhancement More tightly rate-limit the number of simultaneous pass-through authentication requests to limit the impact of CPU load during cryptographically intensive operations.


Content Scanning Enhancement Several enhancements have been made to the spam filtering features of the Netbox to help improve the spam detection rate.
DHCP Leases Enhancement The DHCP lease time is now globally configurable if using the Netbox DHCP server. This is accessible under Configuration > Advanced > DHCP server lease time.
Authentication Enhancement Various internal changes have been made to the caching used for user authentication and identification that will reduce the number of queries to internal directory servers.

Authentication Enhancement Manage the case where a single AD server says it is responsible for more than one short domain name via LDAP, by falling back to SMB to get the correct answer if required.


Proxy Server Resolution Increase the usable cache size for SSL connection pooling to greatly enhance performance for some traffic loads. Previously some specific traffic loads could cause the cache to be constantly replaced with new connections, causing significant CPU overhead.
Traffic Dump Enhancement Allow logging on all interfaces when using the Traffic Dump feature in the Netbox UI.
BYOD Onboarding Enhancement Support ChromeBooks as part of the BYOD onboarding process.
BYOD Onboarding Enhancement Support Windows Surface as part of the BYOD onboarding process.


Kernel Resolution Address an issue where some NIC hardware/firmware combinations could result in the kernel not releasing operating memory in specific situations.


Reverse Proxy Enhancement HTTPS sites hosted behind the reverse proxy can now have an automatic redirect put in place so if a user hits the HTTP site, the Netbox will redirect them automatically to the HTTPS site. This is available for all existing entries in the Reverse Proxy configuration.
Web Proxy Enhancement A new field is now available to allow for simple limiting of access to the direct proxy server. This is ideal for when the direct proxy is available on the public internet.


BYOD Onboarding Enhancement Various improvements have been made to the BYOD SSL Onboarding process and Welcome Page, including moving them to their own sidebar items, configurable expiry for “Remember this Device”, network exclusions and per entry removal from the Netbox cache.
Traffic Dump Resolution The correct content type is now set when downloading a raw traffic dump, preventing new line conversion during download.
Redirector Resolution In some situations the unauthenticated cache of users would become corrupt, causing all unauthenticated users to not get redirected automatically. This has been addressed.


Hardware Enhancement Full support for 10Gbps NICs is now provided on new iR systems. Perfect for customers who have access to a 10Gbps internet connection.
Reporting Resolution The automated Large Object Cache reports were recording 0 bytes for all traffic in the nightly reports, this has been addressed and will now record this information correctly.


BYOD Onboarding Enhancement The BYOD Onboarding process has been improved for Mac OS X “Mavericks” devices, taking into account the different behavior of the captive portal vs a standard browser.


BYOD Onboarding New Feature BYOD Onboarding is now available. This simplifies the process for administrators bringing new devices onto the network by automating the detection of new devices, and running users through the process of bringing them on to the network. Please see our page for more information. This is configured under the Internet Auth section of the sidebar.
Welcome Page New Feature A custom welcome page can now be presented to users on a configured basis (e.g.: daily, weekly etc). This can be used to display Acceptable Use Policies, or remind users about upcoming events. It has been designed such that a web developer can redirect the page to an internal server to provide a dynamic experience based on the user account, group membership etc.
The welcome page is configured under Internet Auth and can be edited using a WYSIWYG editor.
Internet Auth New Feature A user can now choose to “Remember this device” when joining a network. The Netbox will then store the MAC/IP address of the device. This way if there is any traffic from the device in the future, it will automatically be logged in as the user. This prevents a user ever having to open a web page on their device before they get connected. Note: This is only applicable if a pass-through service is not already configured such as 802.1X integration.
Internet Auth New Feature There is now the concept of “Guest Networks” where users will not be required to enter a user name and password, rather they will be automatically authenticated to a specified user if joining a guest network.
URL Filtering New Feature Support for SafeSearch. This works completely differently to and is applied in the same way as Google SafeSearch.
URL Filtering New Feature For the custom block page screen, there is now a WYSIWYG editor to allow for simple page editing. For more advanced users, the raw HTML can still also be accessed.
BIC Agent Enhancement For BIC Agent on Macs, better manage the case where the Mac is asleep with Power Nap enabled. It has been discovered that with Mavericks in Power Nap mode the device will still generate a reasonable amount of traffic, causing it to trigger the “User without BIC Agent detected” as the BIC agent is not active during Power Nap.
Network Monitoring Enhancement The amount of time data is stored in the Network Monitoring database is now configurable.
Email Scanning Enhancement Allow a single quote character in the sender and recipient address criteria.
Reverse Proxy Enhancement Support non-standard HTTP methods via the reverse proxy (such as MS RPC).
Reverse Proxy Enhancement Log the full path and port of any request that is pushed via the direct proxy to the Web Management logs to allow for easier debugging.
Mini Hardware Enhancement For recent mini systems, after power is lost, automatically power back on. Previously it would remain off until the power button was manually pressed. This is a firmware update.
System Memory Usage Enhancement Major update and changes to the memory allocation method for most processes to operate faster on systems with 24 or more CPUs. This will also reduce the chance of heap fragmentation for busy systems.


BIC Agent New Feature An agent for unmanaged devices is now available. When this agent is installed (downloaded from BIC Agent > General) a device (rather than a login) is associated with a user. Once installed, before a user can access the internet, they will be required to enter their network credentials. Once this is complete, the device will be assigned to that user, including all policies and reporting information – irrespective of the account the user is logged in as.
Internet Auth New Feature When using the 802.1X cache for pass-through authentication, there is now a delay to allow the RADIUS packet to come in from the access point (configurable, defaulting to 7 seconds). This is ideal for networks that are routed and the access points and controllers have a delay from when the IP is assigned to the device to when the interim update packet is sent.
Internet Auth New Feature When an 802.1X accounting packet is received, the user is now logged in automatically right away (if applicable).
Web Proxy Enhancement Changes have been made to several web proxy configuration options (e.g.: HTTPS Exclusions) so when applying changes, this happens significantly faster, with minimal or no user disruption.
Large Object Cache Enhancement The default largest object size is now automatically calculated to be most of the configured maximum storage, rather than having its own configuration option.
Administration Resolution When requesting an update, in some situations it could take several minutes for the request to come through, this has been addressed.
User Interface Enhancement Several fields have been upgraded to more clearly show the size entered in bytes (e.g.: “10 MB” rather than “10000000”).


Reverse Proxy Enhancement The Reverse Proxy will no longer verify the CA of an internal HTTPS server, allowing name mismatches when configuring the reverse proxy to an internal web server.
Internet Auth Enhancement There is now an option to enable HTTPS redirection to the captive portal for users that do not get authenticated by pass-through auth.
URL Filtering Resolution When attempting to do a URL test when the internet connection is down, and the categorization lookup needs to contact the internet, previously the page would not load, this will now return a categorization error.


Internet Auth Enhancement More aggressive rate limiting is now applied to the HTTPS redirector for unauthenticated users. This will limit the impact of poorly written applications on the network.
Internet Auth Enhancement The 802.1X cache will always use the most recent update packet for a given MAC or IP when authenticating users when there is more than one available. Previously if more than one user had been given for a MAC or IP address, the selected user was non-deterministic.
BIC Agent Resolution Address an issue where Air Play traffic was treated as HTTP.
BIC Agent Enhancement The BIC Agent for Mac OS X now has an install and upgrade fail safe such that if the system is rebooted during install, it will attempt to reinstall again upon reboot.


SafeChat Resolution In some situations it was required that the system be rebooted to enable YouTube Safety mode rather than simply clicking apply. This is resolved in this release.
Reverse Proxy Enhancement It was possible to configure the Reverse Proxy such that it would override all of the web user interface ports, preventing changes to the configuration. This is now an error in the user interface.


Email Scanning Resolution If an action was created to moderate an email (rather than a social media message), then the email would not be scanned. This has been addressed.
BIC Agent Enhancement When logging in to a Mac OS X system with the BIC Agent installed using an AD based network account, there could be extended delays contacting the AD server, causing a slow login. This has been addressed.


Direct Proxy New Feature It is now possible to authenticate users via the direct proxy using the Internet Authentication pass through services (e.g.: 802.1X). This allows the use of the direct proxy, while not requiring direct proxy auth, which can be an issue for some applications.
SafeChat New Feature The Netbox can now enforce YouTube Safety Mode. This is configured under URL Filtering > General. YouTube Safety Mode is far less restrictive than YouTube for Education, however it is not as flexible.
URL Override Enhancement There have been several improvements to the URL override feature, including the selection of the time of day of expiry, and the ability to view (and add to reports) the domains that have been overridden, and who entered these overrides.
Internet Auth Enhancement The Internet Auth captive portal will now redirect HTTPS traffic to the login screen. Previously only HTTP traffic would be redirected. This is ideal for sites who have an HTTPS page as their home page in their browser. The redirection will be done using the Netbox HTTPS Inspection CA. If HTTPS inspection is not enabled, this feature will not be enabled.
HTTPS Inspection New Feature There is now a tool available to automatically install the Netbox CA into Google Drive for Windows. This allows the use of Google Drive with HTTPS inspection (as is best practice suggested by Google). To obtain this installer please contact Netbox Blue Support.
URL Filtering Enhancement There are now several new tokens available for the custom block page. Refer to the online help to see these new tokens and their expected values.
Browse Screens Enhancement Various browse screens (Network Monitoring, SafeChat Events and URL Block Activity) now have a new “Group Membership” column. This column will show the groups that the user belongs to at the time the query is run.
AD Plugin Resolution If the configured AD server had a result return size greater than the default, the “Test Settings” would not display the output. The plugin however would still work as expected. The test screen issue has been resolved.
Authentication Enhancement The cache time for directory lookups is now configurable. This means that sites with users who rapidly change groups will be able to change this to a smaller value so the group membership change is noticed sooner. Note if this cache time is reduced there will be additional load on the internal LDAP server.
802.1X Cache Enhancement The rendering of the 802.1X cache screen has been enhanced to make it more readable.
SafeChat Enhancement SafeChat now supports inline web chat in Gmail services.
SafeChat Enhancement SafeChat now supports AOL IM (AIM).
Network Exclusions Enhancement The various exclusions that allow both IP networks, IP addresses, and host names will now apply the specific IP based exclusions first. As some sites have slower DNS, it could take some time in the past to apply DNS exclusions. If they were before the IP exclusions, it would appear the IP exclusions had not come into effect for some time.
Connection Rate limiting Enhancement The alerts for connection rate limiting now show additional information.


BIC Agent Enhancement For the Windows BIC Agent, limit the logging to the Event Viewer.


BIC Agent Enhancement Work around some bugs in the Sophos AV IFSLSP. There may be an issue for some customers running Sophos AV where networking does not work correctly due to the Sophos AV IFSLSP modifying the network stack and leaving it in an inoperable state. The BIC Agent will now detect this, and resolve it.


BIC Agent Enhancement Full support is now provided for Mac OS X 10.9 (“Mavericks”).
Web Filtering Enhancement Web filtering processes have been adjusted to better maximize resources on systems with a CPU count not a power of 2 (e.g.: a hex core system).
Large Object Cache Enhancement The Large Object Cache has been adjusted to cache slightly smaller objects as will be seen with the new method of updates provided by iOS 7 when doing minor version upgrades.
SafeChat Enhancement The “details” screen of a SafeChat event will now show the “Time Seen”, and indicate if it was seen on a BIC Agent.
SMTP Server Enhancement SMTP DSN can now be enabled for those customers that require it. The default is off.
Web Filtering Enhancement The Netbox can provide filtering, including SafeSearch, while still allowing Google Drive across all types of traffic (HTTPS and HTTP), for Windows (with a helper), and Mac OS X.
Internet Auth Resolved It was possible to cause the internet authentication system to become unresponsive if a large number of users (more unique IPs than the number of users the device is licensed for) were to attempt to authenticate at the same time. This has been resolved, and additional requests are queued.
BIC Agent Enhancement If there were a large number of messages or events to be sent to the management server, these would be sent a lot slower than they should have been. This may have been an issue for customers performing SafeChat archiving, with attachments.


BIC Agent New Feature The Windows BIC Agent is now available as an MSI installer. This also simplifies the installation process as the installer is assigned to the Netbox it was downloaded from (as per the Mac agent), requiring no user input during installation, on or off network. BIC Agents will update to this MSI installer automatically, even if they were installed with the old exe installer.
BIC Agent New Feature The BIC Agent has had a significant overhaul to provide full Windows 8 support (including “Modern UI”), and more complete scanning on the Mac agent across all ports. This update will require the user to reboot their system once they have received the update.
BIC Agent New Feature The time the BIC Agent uses can now be forced to match that of the Netbox. This prevents users tampering with the time on their local machine (or changing timezones) to avoid time based policies. The BIC Agent will detect a significant deviation, and then automatically adjust the time it works with to the new setting, and start looking for changes more regularly.
BIC Agent New Feature When doing major upgrades on the BIC Agent where a reboot is required, the reboot window can now be adjusted to suit your organization. The BIC Agent will also now prompt the user more regularly that they need to reboot, and that a reboot has been scheduled and for when it will occur (if they have not already).
BIC Agent Enhancement To minimize filtering errors, there is now an option to not match policies that block on uncategorized connections. As the BIC agent categorizes initial TCP connections before doing SSL inspection (if possible), this will prevent the initial TCP connection getting blocked if the remote domain name is known and categorized. See the online help for more information on this option.
SafeChat New Feature Initial support for Yammer as part of SafeChat is available in this release. Full support will be available in an upcoming release.
HTTP AV New Feature For customers who have HTTP AV filtering, support has been expanded to cover HTTPS traffic, as well as several other improvements to increase reliability.
Reporting Resolved When creating custom reports under Reporting, the preview for the report would not apply the query conditions to the output. This has been resolved.
Web Proxy Resolved The Netbox web proxy will now detect attempts to perform buffer overflow attacks on the Host header. Without this detection it was possible to perform a DoS against the web proxy (this did not actually lead to a successful buffer overflow attack).
Web Proxy Resolved In some configurations, when using SafeChat, the proxy logs no longer recorded the username. This has been resolved.
SafeChat Enhancement When applying policies to Tweets that included sender or recipient matches, in some situations the requests could be very slow, this has been addressed.
SafeChat Enhancement Coverage has been updated for Twitter lists.
SafeChat Enhancement Coverage has been updated for Tweets in slideshows.
SafeChat Enhancement Coverage has been updated for outgoing blocked Gmail message alerts.
SafeChat Enhancement Coverage has been updated for Facebook comments on a photo single page view.
SafeChat Enhancement The Facebook app will now rate limit paging when downloading a lot of data from a profile to prevent hitting Facebook’s API limits.
SafeChat Enhancement Coverage for several LinkedIn features has been updated.


Reverse Proxy New Feature A new “Reverse Proxy” feature is now available on the Netbox to allow the forwarding of traffic based on HTTP headers to different internal servers. The URL match is on host name and path, and can also translate to and from HTTP and HTTPS. This can be used to replace TMG servers that may be performing this function for exposing internal servers to the internet.
New Connection Ratelimit New Feature When an excessive number of attempted new connections is detected, the Netbox will automatically blacklist that host for a period. The default is 2,000 requests per minute, and blacklisting for 1 minute. This will also alert the administrator. This is to prevent hosts on the network impacting other users or service due to malicious or buggy software.
SafeChat Secure Login New Feature LinkedIn is now supported by the “Secure Login” feature of the Netbox to allow access to LinkedIn profiles and pages based on AD credentials.
BIC Agent Enhancement The BIC Agent > Events screen will now detail more information about the OS the BIC agent is installed on. This includes service pack levels (on Windows), version numbers and if the system is 64 or 32 bit.
Quota API Enhancement The Netbox Quota API will now handle requests for non-Netbox users (eg: users on AD). The syntax and return data are identical to those for a Netbox user.
User Passwords Enhancement For users on the Netbox, the password strength now requires a level of “weak” or higher to be set. It is no longer possible to select “No Requirement” as this leads to systems that are compromised too easily.
Authentication Enhancement A new “LDAP only” option is available for the AD plugin. This allows for simpler integration with an AD server behind a firewall where windows RPC calls can’t be made. This will also greatly improve the responsiveness for situations where only the LDAP port is accessible.
URL Filtering Enhancement There have been minor upgrades to the URL filtering back end to allow for even faster categorization of pages.
URL Filtering Resolved When attempting to “Categorise URLs in GET parameter” the search algorithm would occasionally match too much of the URL, leading to not finding domains that would otherwise be picked up. This has been resolved, and embedded domains are now more effectively recognized.
Internet Quotas Enhancement When adding a new quota to a user, the page is now refreshed right away to reflect the user’s new updated quota values.


802.1X Authentication Enhancement It is now possible to see the 802.1X authentication cache live under Administration > Network Tools > 802.1X Sessions. This allows for better visibility when diagnosing issues with pass through authentication.
SafeChat Enhancement The SafeChat Archive API now supports returning multiple content types for a single document. This is an extension to the current v2 API.
Date/Time Fields Resolved Some date/time fields would not render in an aligned fashion in some browsers. This has been resolved.
Authentication Enhancement There is a new option under Configuration > Advanced that allows the domain portion of a login to be ignored when doing user lookups. This is for sites who have a different user domain to that reported by their authentication servers. Generally it is highly recommended that this not be used, but is required for some very specific situations.


SafeChat Enhancement A new permission level has been introduced to allow power moderators access to manage moderation queues, but not manage any rules or criteria for the organization.
SafeChat Resolved Some Unicode data when alerting in SafeChat could result in a blank page, this issue has been resolved.
BIC Agent Enhancement The BIC Agent now attempts a soft reboot, and if this is cancelled for more than 24 hours, a hard reboot is forced to ensure a proper functioning system after a binary update. This allows users more time to delay the reboot.
URL Filtering Enhancement There has been a minor wording update to better reflect the meaning of the “All Groups” drop-down, this now reads “Authenticated Users”.


URL Filtering Enhancement Work around an issue where Google documentation is incorrect for enforcing SafeSearch. Without this work around, Google Drive does not work correctly when SafeSearch is enabled.


BIC Agent Resolution For some specific URLs, in a rare case the BIC agent would perform categorization against the fall back DNS servers rather than the system default, leading to slightly longer categorization times. This has been resolved with this release.


Update Information New Feature Information about new update availability for your site will now be shown automatically on the Netbox home page as part of the Firmware Version table.
BIC Agent Enhancement The connection between the BIC agent and the Netbox is now more reliable for agents with poor quality connections, allowing for more rapid uploads of events and other data. This will also prevent duplicate events that could occur on some networks.
Web Proxy Enhancement The web proxy will now utilize the disk cache (in addition to RAM) more aggressively for typical web browsing objects. This will also more fully use the allocated storage for caching.
Factory Reset Resolution If a “Factory Reset” was run on a system (this is very rarely done), not all of the default user accounts were created. This has been addressed.

CONNECT Proxy Enhancement For specific configurations, allow updates to occur more rapidly than would happen previously if using an upstream proxy for connecting to the update server.


802.1X Pass Through Authentication Enhancement There is now a facility to exclude selected user names from 802.1X pass through authentication. By default all “host\” usernames will be excluded; this list can be configured under Configuration > Advanced > 802.1X Pass Through Authentication Username Exclusions.
SafeChat Enhancement A new SafeChat pattern has been introduced, “Eating Disorders”, for matching this specific type of potential self-harm.
URL Filtering Enhancement The warning stating that either an IP address range or a group should be entered for a policy has been removed as there are situations where it is practical to apply a policy to all users of the system.
Proxy Logs Enhancement Further improvements have been made to the proxy logs format: there is a new token for requests that were blocked, showing the detail of the reason for the block. Please see the online help for further information.
Proxy Logs Resolution In some situations records in the proxy logs could be recorded containing invalid data. Previously this prevented the display of the logs, this has been addressed.
SafeChat Resolution With some specific rule and criteria combinations it was not possible to turn SafeChat on and off; this has been addressed.
URL Filtering Test Enhancement The IP address for the URL Test screen will now automatically be populated with the IP address for the user. This means IP based policies will automatically match for the context of the user doing the test.
Content Scanning Enhancement When creating a new alert email action, the default template will now also include the “$username” token by default.
Network Monitoring Resolution When recording usage data, in some situations the rarely used Network Monitoring > Local Names lookup table would not be used, and only an IP address would be recorded. This has been addressed and the lookup table will now be used for all situations.
Internet Quotas Resolution In some situations where there was traffic going via the direct proxy that did not require authentication, the system attempted to apply quota to the source IP address (rather than the user). This created delays in the processing of data that could lead to lags in user response times in Internet Auth. This has been addressed.


Monitoring Screens Enhancement Several monitoring screens (including BIC Agent Events, Block Activity and SafeChat events) have a new “Full Name” column. This will extract the user's full name from the configured directory service(s) and display the information in the report. This is done in real time as it is displayed on screen, so it will always show what is configured now, rather than what was configured when it was logged.
Proxy Statistics Enhancement The username for transparent proxy users will now be displayed for the top proxy users on the Proxy Statistics screen. Previously only the username for the direct proxy users was displayed.
Internet Connection Logs Enhancement The number of currently active managed connections is now logged every minute to the internet connections logs. This is visible under Administration > View Logs, with the verbosity set to high, under the “internet connection” logs. This also shows the maximum number of connections supported on the site.
BIC Agent Enhancement When there was a tampering alert on a BIC Agent that could be repaired, the Netbox will no longer send alerts, rather it will just log them as a BIC Agent Event. This will remove a lot of noise that can be created by AV engines for some customers.
Monitoring Screens Resolution There was an issue on some screens where running a query for content that was “blocked” or “allowed” would not match correctly. This has been addressed and it is now possible to query on this again. This also addresses a related issue where emailed reports would not display the correct status in some instances.
Large Object Cache Enhancement Better compatibility has been introduced for the Adobe and Apple Large Object Cache, previously there were instances where the interaction of the downloads may lead to temporary errors on the client.


Proxy Logs Enhancement The proxy log format has been changed slightly to make it even easier to parse by a machine. Please refer to the online help for more information on the new format.
HTTPS Inspection Resolution When generating new certificates for an existing site that had HTTPS inspection previously (for example, if the certificate expired or the Site Key changed), the newly generated certificate would not work as expected due to permissions. This is a rare case and has been addressed.
Automated Reports Resolution Some reports could be generated previously that would have an error when displaying “null” data. This has been addressed and the report will generate correctly now (for both email and web reports).
DNS Boundary Redirection Resolution Traffic in some network configurations was not forced to the Netbox DNS server when DNS Boundary Redirection (DBR) was enabled. This has been addressed for all LAN traffic.


Large Object Cache Enhancement The Large Object Cache now supports caching of Adobe products, including Acrobat, Flash, Creative Suite and Creative Cloud products. This covers both internet installs and updates.
Large Object Cache Enhancement A new report module is now available to provide information on the utilization of the Large Object Cache, including number of bytes saved and storage capacity. This can be added to any scheduled report under Reporting > Reports: modify your desired report and add the Large Object Cache Module.
Large Object Cache Enhancement Real time statistics can be viewed for the Large Object Cache under Administration > Proxy Statistics. This gives you a real time view of the efficiency of the cache.
Web Proxy Enhancement More information is now provided to show the top 10 users of the cache. This is an ideal way to quickly narrow down on users making a disproportionate number of requests from the cache, potentially impacting the performance of the LAN. This is typically from buggy applications that retry at full LAN speed.
POP3 Proxy Prescanning Enhancement The POP3 Proxy pre-scanner is rarely used, and as such has been removed from the scanning platform. The POP3 Proxy will continue to work as it always has.
Category Web Filtering Enhancement The Category Web Filtering Categorise URLs in GET parameters has been enhanced to better extract embedded URLs.
BIC Agent Enhancement Some changes have been made to better co-exist with anti-virus scanners that do not honor network stack ordering requests. This will stop tampering alerts relating to anti-virus scanners triggering this issue.


Internet Auth Enhancement A connection ID is now provided in the internet auth logs to make it easier to support environments that may have many new clients per second attempting to connect.
BIC Agent Events Enhancement There are now filter icons for the relevant columns on the BIC Agent Event screen, making it easier to drill down into the activity for a specific user/host etc.
Email Scanning Enhancement Better handle the case when a DNS server responds with invalid data. This is to handle unlikely (but potentially possible) cases where DNS data is corrupted in some way.
POP3 Proxy Resolution Address a case where some specific alert emails provided via the POP3 proxy would be base64 encoded when rendered in the email client.
Web Filtering Enhancement Minor improvements to the performance of web filtering when using quotas.
Authentication Resolution Better detect when the Netbox gets invalid responses from an LDAP server, and drop that connection. Previously there could be many invalid connections kept open, exhausting the connection pool to the LDAP server.
Database Enhancement The internal database for reporting will automatically remove old and out of date data as required.

Email Scanning Enhancement When receiving an unexpected DNS response to a URL blacklist request from some specific DNS servers, don’t treat it as a match; treat it as invalid. The normal expected behavior is to return no records or a DNS error when there is a problem; however, some DNS servers are returning an unexpected record. This will prevent false positive matches.
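The handling described in this entry can be sketched as follows. This is an added example, not Netbox code; it assumes the blacklist follows the RFC 5782 convention of answering listed names with an A record inside 127.0.0.0/8, and the zone name, function names and sample responses are constructed for illustration.

```python
import ipaddress
from enum import Enum

# Assumption: RFC 5782 style blacklist, where a listed name resolves to an
# A record inside 127.0.0.0/8. Anything else is not a genuine listing.
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")


class Verdict(Enum):
    LISTED = "listed"
    NOT_LISTED = "not listed"
    INVALID = "invalid"


def classify_answer(rcode, a_records):
    """Map one DNS response to a blacklist query onto a verdict."""
    if rcode == "NXDOMAIN":
        return Verdict.NOT_LISTED
    if rcode != "NOERROR":
        # SERVFAIL, REFUSED, timeout: a lookup problem, never a match.
        return Verdict.INVALID
    if not a_records:
        return Verdict.NOT_LISTED
    for record in a_records:
        try:
            addr = ipaddress.IPv4Address(record)
        except ValueError:
            return Verdict.INVALID  # malformed record data
        if addr not in LISTED_NET:
            # An unexpected record, for example from a DNS server that
            # answers every unknown name with its own address.
            return Verdict.INVALID
    return Verdict.LISTED


def listed_domains(domains, zone, responses):
    """Return only the domains whose blacklist answer is a valid listing.

    `responses` maps a query name to (rcode, [A records]) and stands in for
    a live resolver so the example runs offline.
    """
    hits = []
    for domain in domains:
        qname = f"{domain.rstrip('.').lower()}.{zone}"
        rcode, records = responses.get(qname, ("SERVFAIL", []))
        if classify_answer(rcode, records) is Verdict.LISTED:
            hits.append(domain)
    return hits


# Constructed sample data: hypothetical zone and responses.
SAMPLE_ZONE = "urlbl.example"
SAMPLE_RESPONSES = {
    "bad.example.urlbl.example": ("NOERROR", ["127.0.0.2"]),
    "clean.example.urlbl.example": ("NXDOMAIN", []),
    "hijacked.example.urlbl.example": ("NOERROR", ["203.0.113.10"]),
    "broken.example.urlbl.example": ("SERVFAIL", []),
}

if __name__ == "__main__":
    names = ["bad.example", "clean.example", "hijacked.example", "broken.example"]
    print(listed_domains(names, SAMPLE_ZONE, SAMPLE_RESPONSES))
```

Treating the out-of-range answer as a match would flag every URL in every message as blacklisted whenever such a DNS server is in the resolution path.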

SafeChat Enhancement More updates have been made to improve the performance of SafeChat, especially for rules that had a group criteria.
Internet Auth Fix Address an issue where many failing SSH pass through auth attempts at the same time would stop further pass through requests.
Kernel Enhancement Further enhancements for the Hyper-V platform, handling up to 4GB of RAM and correctly managing upgrades where the same virtual drive device is presented to the operating system via 2 different connections. Please note: Hyper-V support is limited to 200 users max.
Network Monitoring Enhancement Network monitoring no longer processes all DNS traffic, this will lead to a large performance improvement for sites with massive amounts of outgoing DNS traffic.
Network Monitoring Fix Network Monitoring was not displaying full usage data if the Internet Auth module was not installed, this has been addressed.
Large Object Cache Enhancement Updates have been made to the Large Object Cache to more effectively cache objects from Apple content servers.
Email Scanning Enhancement Better handle malformed URLs for anti-spam detection.
Web Proxy Enhancement The web proxy maximum log size has been increased to allow for up to 50GB of data stored before older data is removed.
BIC Agent Enhancement On a tampering event, additional information is now included as part of the alert.
NTLM Proxy Auth Fix Address an issue where requests to content that did not require authentication were made over the same TCP connection that had previously been authenticated.
Update Requests Enhancement When an update is scheduled via the user interface (at Administration > Updates), the required packages for the update will automatically begin downloading right away, so that the scheduled update completes more quickly.
URL Filtering Fix Address an issue with some Spanish translations that would cause filtering to fail when rendering the block page with category lists for specific categories.
YouTube for Schools Fix The links in the help for YouTube for Schools were moved by Google – these now point to the correct location.

URL Filtering Enhancement A new token, $categories_comma, is now available for the custom URL filtering block page to list the categories as a comma separated list, with no HTML wrapping. This is ideal for including in forms and for other non-HTML tasks.
Reporting Fix An issue was identified where a report that had a sort column that could be graphed, with no graph requested, would generate an error. This has been addressed.
POP3 Proxy Fix In some situations the POP3 proxy would show an error in the logs indicating the proxy pre-scanner had failed. This was the result of an error on remote servers (such as a time out), and is now correctly handled.
Firewall Fix For sites that have the firewall disabled (including if it is not an included module), inbound traffic is no longer filtered. This prevents the need for manually opening up the firewall for traffic on the WAN side to be allowed into the LAN.


SafeChat Enhancement Updated SafeChat protocols so blocking of tweets with images now works correctly.
SafeChat Moderation Enhancement Updated SafeChat protocols to again properly moderate LinkedIn.
POP3 Proxy Fix An issue was identified where the POP3 proxy would not start.
Data Purging Fix When a very large amount of data was purged, on some occasions the purge would not complete.
Email Scanning Enhancement Due to the number of reported false positives for the “Use header IPs to blacklist” test, this feature has been removed as our goal is to have practically zero false positives.
Reporting Fix When reports were sorted by a non-default column, in some circumstances the colors on the table would not match those on the graph.
URL Filtering Fix In some circumstances the $username token would not appear on Custom URL Filtering block pages.
Email Scanning Fix An issue was identified where message stamping could break calendar invites from MS Outlook.


Proxy Fix Address the case where network monitoring and URL filtering would not show data for traffic that had been logged via the proxy. No data was lost on sites that were using 28.0.6.

Release 28.0.6

YouTube for Schools Enhancement YouTube for Schools can now be applied based on user group membership, rather than relying on the tools that are provided by Google to do this. Applying policies by group applies not only on site, but also on the BIC Agent when users are off site.
SSL Inspection Enhancement There is now an option to pick from several predefined services to exclude from SSL Inspection. This simplifies the use of non-enterprise ready applications on the network. These services can be accessed under Configuration > Web proxy > SSL Exclusions.
SafeChat Moderation Enhancement There is now an option to add SafeChat Moderation to automated reports. This will allow managers to get a daily (or weekly etc) report of the items requiring moderation, or items that have recently been moderated as they choose.
Proxy Enhancement There has been an upgrade to the proxy service to provide stability and performance improvements.
SSL Certificates Enhancement A new page is provided to allow the upload of custom SSL certificates for use by the HTTPS interface and SMTP server for organizations who have their own certificate management.
Network Monitoring Fix An issue was identified where usernames that contained non 7-bit ASCII characters were not recorded correctly for users accessing the direct proxy. This has been addressed.
Internet Auth Enhancement Additional concurrent Internet Auth look-ups will be performed for sites with a larger user count than previously. This will improve performance on average for users when using a slower pass-through method.
Email Scanning Enhancement Due to the number of reported false positives for the Email Scanning Obfuscated URL Detection test, this feature has been removed as our goal is to have practically zero false positives.
CONNECT Proxy Enhancement The CONNECT proxy service now actively checks that both the incoming and outgoing connections are still alive, and will automatically disconnect if either end is no longer contactable.

Release 28.0.5

BIC Agent Enhancement A new events page is now available for the BIC Agent to allow viewing of events triggered by users of the BIC Agent. This shows login events, in addition to tampering attempts. Additional information is now also provided in alert messages about the system to provide a better understanding of who may be attempting to circumvent the system.
Proxy Logs Enhancement When viewing the detailed proxy logs, the user name will now be displayed for both direct and transparent access if using authentication. This information is also included in the exported logs to allow for additional post processing by third party systems.
Proxy Logs Enhancement The detailed proxy logs will now show the mode of access to the internet (eg: direct or transparent), as well as if the user had the BIC Agent installed (if configured to double filter).
Query Pages Fix Some saved queries could lead to a data error when trying to display some specific combinations of saved reports, this has been addressed.

Release 28.0.4

SafeChat Enhancement A new data sharing model is now used inside SafeChat to allow for higher performance on very large sites with extremely powerful hardware to ensure the best use of available computing resources.
SafeChat Fix The “Sent Time” data recorded for some Facebook posts is now more correctly displayed based on the available information.
Firewall Rules Enhancement The comments field is now on the same row as each rule, rather than requiring the user to hover over the row to see the comment for a specific rule.

Release 28.0.3

View Logs Enhancement A new facility to download the Netbox logs as plain text is now available for automated scripts. See the section “Downloading logs for archive purposes” under help ID 190200 for how to access this.
Internet Auth Enhancement Additional detail is provided in the Internet Auth logs for all access attempts. This includes exactly which pass-through service was used for login and logout to assist in diagnosing issues and unexpected outcomes, as well as other additional information.
POP3 Proxy Fix There were instances where the POP3 scanner could be running more often than scheduled, this has been addressed.
Pass-through Auth Enhancement There is a new pass through service available for Windows AD controllers that attempts a slightly different method to find out the currently logged in user. This can be more reliable at detecting the user on the console (depending on the other services running on the PC). Additional configuration is also available for this, see help ID 151007 for more information.
SMTP Queue Lifetime Enhancement Provide a limit to the maximum SMTP queue lifetime to prevent messages sitting in the email queue for (potentially) years without a bounce message being sent to the original sender.


Kernel Enhancement The underlying operating kernel has received a major upgrade, supporting our latest appliance platforms and speed enhancements provided by the latest hardware.
SIP Helpers Enhancement To prevent conflicts with SIP devices that have their own NAT management, there is now an option to enable and disable the SIP NAT helper under Configuration > Advanced.
VMware Tools Enhancement The latest VMware Tools are now automatically installed, including the VMXNET2 and VMXNET3 drivers.
VMware Tools Enhancement Due to a bug with the latest VMware Tools, there is now an option to disable the LRO (Large Receive Offload) feature provided as part of the latest VMware Tools. This is available under Configuration > Advanced.


Content Scanning Fix When using an alert message that had high byte characters (ie: non US-ASCII), with token values that also contained high bytes, the message would not be sent. This has been resolved.
SSH Pass-through Enhancement When detecting who is logged into a host via SSH on a Mac OS X system, better detect who is logged in at the console, and do not consider users/accounts that may be active via SSH.


Content Scanning (email) Fix Some alerts that were triggered by replacing the message had incorrect transfer encoding headers, causing base64 data to be displayed in an email client. This has been addressed and the correct headers set for all messages.
URL Filtering Enhancement The default block page (ie: if a custom one has not been entered) will now display the categories that the blocked site belongs to.
ESET AV Fix Allow the uploading of a new license key for freshly installed systems. Previously this would cause an error in the page if a license had never been uploaded in an earlier release.
ESET AV Fix Correctly show the date the definitions were last updated. These were always getting updated, however the user interface was not reflecting this correctly.
Clam AV Enhancement Update to the latest version of ClamAV, providing a fix for scanning some attachment types that would prevent a specific email getting through previously.


IBM Firmware Enhancement Update the firmware for some specific IBM RAID cards to address performance and reliability issues.
URL Filtering Fix Address an issue where some international translations caused a page error when modifying URL filtering policies.
POP3 Proxy Fix Handle specific malformed emails such that they are treated as malformed, and rejected.
URL Filtering Fix Correctly display all category combinations when using the URL test page to look up categories in side, and make new suggestions.
BIC Agent Enhancement When a BIC agent disconnects in an unclean fashion (eg: their internet connection drops), detect this more quickly, reducing load on the server during configuration changes.
DHCP Server Fix Better display and manage hosts with unusual DHCP host names, allowing these to be cleaned up if they are no longer in use.

Release 28.0.2

URL Filtering Enhancement There is now a facility to customize the block page displayed to users when blocked with URL filtering. This applies to both users on site, and with the BIC agent. This is accessible under URL Filtering > General > Edit URL Filtering block page. Please refer to the online help for more information, and available tokens that can automatically be substituted in the page.
Social Media secure login Enhancement A new module is now available to manage access to Facebook and Twitter accounts. This provides the ability to delegate access to specific users (based on group), without ever having to provide them with the password to the account. An example use case for this would be managing access to an organization's Facebook profile: if a user needed to gain access, they could be added to an Active Directory group. If they were to leave the organization, by disabling their AD account, access would be denied to the profile, without having to reissue a new password to all users.
BIC Agent Enhancement Several new tamper detection and healing features have been introduced, primarily to better handle software attempting to modify the running BIC Agent on a Windows system. The most common culprit is Anti-Virus software; this should make the BIC Agent more reliable when interacting with these packages.
Caching proxy Enhancement The caching proxy will now more aggressively cache objects in RAM if the system has large amounts of RAM available. Coupled with the ability to disable the to-disk cache, the caching proxy can cache objects even on very high speed links (ie: 1Gbps or bigger) without a performance impact.
Group deletion Enhancement When deleting groups, rather than the deletion happening right away, the group is marked for deletion, and will be removed at next restart. This allows a group to be deleted while it is still in use, which could previously result in undefined behavior.
URL Filtering Enhancement During an unclean shutdown (eg: power loss), from time to time it was possible the URL Filtering DB could become corrupt, and not recover appropriately. This check is now more robust, and will replace the DB if required on start up.
Domain lists Enhancement All of the domain lists in the user interface are now automatically checked for duplicates, and child sub-domains. For some sites this will greatly reduce the number of entries by removing ones that were redundant.
Content Scanning Enhancement The Content Scanning default rules have been updated to reflect our current best practice.
Remove old email Enhancement When the internal job runs that removes old mail from user accounts, rather than going through every user on the system, only active mail boxes are scanned. This will reduce the load during the run time of this job on internal directory services if there are few or no mailboxes.
Content Scanning Fix When scanning incoming traffic via POP3, alerts could sometimes be displayed to the user as a base64 encoded message, and would not be rendered correctly, this has been addressed.
Authentication Enhancement A user configurable option is available to disable the automated Authentication configuration tests. This is accessible under Configuration > Advanced. Please note, if there is a need to use this option, it is likely that the internal directory server is not configured in a recommended way, and may cause other issues. Please read the help text carefully before using this option.
Backups Enhancement Automated backups are now smaller, speeding up update and backup times, and reducing the data transfer required as part of the weekly site backup.
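The duplicate and child sub-domain check described in the Domain lists entry above can be illustrated as follows. This is an added example, not Netbox code; it assumes that a listed domain also matches all of its sub-domains, and the function names and sample list are constructed.

```python
def normalize(domain):
    """Lower-case and strip whitespace and the trailing root dot."""
    return domain.strip().rstrip(".").lower()


def prune_domain_list(domains):
    """Remove duplicates and entries already covered by a parent in the list.

    Assumption: an entry such as example.com also matches www.example.com,
    so the child entry is redundant. Returns (kept, removed), where removed
    holds (entry, reason) pairs; first-seen order is preserved.
    """
    unique = set()
    ordered = []
    removed = []
    for raw in domains:
        name = normalize(raw)
        if not name:
            continue
        if name in unique:
            removed.append((raw, "duplicate"))
            continue
        unique.add(name)
        ordered.append(name)

    kept = []
    for name in ordered:
        labels = name.split(".")
        # Walk up whole labels only, so notexample.com is never treated as
        # a child of example.com just because the strings share a suffix.
        parents = (".".join(labels[i:]) for i in range(1, len(labels)))
        parent = next((p for p in parents if p in unique), None)
        if parent is None:
            kept.append(name)
        else:
            removed.append((name, f"covered by {parent}"))
    return kept, removed


# Constructed sample list.
SAMPLE_LIST = [
    "example.com",
    "www.example.com",
    "Example.COM.",
    "notexample.com",
    "cdn.static.example.org",
    "static.example.org",
    "mail.example.net",
]

if __name__ == "__main__":
    kept, removed = prune_domain_list(SAMPLE_LIST)
    print("kept:", kept)
    for entry, reason in removed:
        print("removed:", entry, "-", reason)
```

The second pass runs only after the full set is built, so a child listed before its parent (cdn.static.example.org above) is still removed.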

Release 28.0

(including 27.6.5 and 27.7)

Underlying framework Enhancement Major changes and enhancements have been made to the underlying technology framework to allow for faster, more efficient upgrades, and to stay ahead of modern technologies. This includes the function to update the core Netbox, SafeChat and BIC Agent releases independently. Moving forwards, new releases of SafeChat and the BIC Agent can be rolled out more rapidly as they will no longer be integrated with the underlying Netbox release.
Update requests Enhancement When selecting “Run update” (under Administration > Updates), the Netbox will automatically detect if you are on a newer release (eg: a development release), and update to the latest build of that. If there is no newer release or build available, the Netbox will not update, saving a reboot. This also applies to the SafeChat and BIC Agent releases, which will each be checked independently.
Network monitoring Enhancement Significant changes have been made to the operation of Network Monitoring to better process sites with a massive number of short lived connections (eg: running BitTorrent). This will provide much faster updating of the user interface, and less load on the system when processing this monitoring data.
Content Scanning Enhancement Additional help text and advice is provided on screen to assist in the appropriate selection of actions and criteria.
Administrative logs Enhancement If the internal administrative logs are getting too large, older logs will be deleted automatically, rather than waiting for 30 days. This will avoid situations where large bursts of log data can consume all of the available storage space.
URL filtering Enhancement A new permission level has been introduced that allows for the selection of a “Test URL only” permission. This is for sites who wish to provide specific users with the ability to test URLs against policies only, without access to any other URL filtering features.
Internet Auth Fix In some situations it was possible that a user who was logging in again as the same user was logged out when they should not have been. This has been addressed and the session will stay active for the user, even on duplicate login.
802.1x pass through auth Enhancement An additional option is available to log a user out of a session on a Stop packet only if the IP address is known. Previously if the user was logged in from several devices, all of the sessions would be terminated on a Stop packet if the IP was not provided by the controller.
Authentication Enhancement When authenticating against an Apple Open Directory server, the server would sometimes return the user was at This case is now handled, and the result discarded.
SafeChat Events Fix When adding the “Message Status” column to a report, and attempting to display a line graph, the graph would not display. This issue has been addressed.