30.2.3
New Features and Enhancements | |
---|---|
Item | Details |
YouTube Cache | Added support for IE11 on Windows 7. |
Problem Resolutions | |
Webmail | Added support for larger numbers of email folders. |
Firewall | New 1:1 NAT rules could not be created in 30.2.x releases. |
Proxy Logs | Proxy logs appear truncated. This was caused by incorrectly formatted log entries preventing any subsequent log entries from being displayed. |
Performance | Possible issues caused by malicious traffic. |
Quotas | Free sites list not correctly applied to certain connections. |
30.2.2
New Features and Enhancements | |
---|---|
Item | Details |
RoamSafe for iOS | RoamSafe for iOS is an “Always on VPN” solution for iOS 9 (and above) devices in supervised mode. This solution integrates with most MDM solutions and Apple DEP and provides support for web filtering, application control, firewalling and ClearView† social media management. Please refer to the CyberHound appliance Help function for details of RoamSafe VPN configuration. |
Internet Quota | Permissions for Internet Authentication and Internet Quota configuration are now separate and provide better control of which groups are allowed to access these features. |
Firewall | Added an option Configuration > Advanced > Allow Asymmetric Routing. On most sites, this should be set to “no” in order to ensure that packets with LAN source addresses are properly blocked from being sent out the internet interface, but it will be set to “yes” on existing sites to avoid blocking legitimate traffic on sites which require asymmetric routes. | YouTube Restricted Mode | Added support for forcing YouTube Restricted Mode using DNS instead of cookies. This method is harder to circumvent but cannot be used with group exclusions. |
Web Filtering | Incorporated real time updates of URL categorization. |
YouTube Cache | Improved playback of embedded YouTube videos in Safari on iOS. |
Web proxy | Improved the handling of custom certificates for HTTPS inspection. |
ClearView† | Improved handling of Twitter direct messages. |
Problem Resolutions | |
Administration | The Proxy Statistics page now shows the web proxy performance information correctly. |
Configuration | Port forward changes are now correctly applied when clicking the Apply button in Advanced Firewall. |
Configuration | The RoamSafe Agent > General > Force Login option is now enforced correctly. |
Configuration | Local interface names are now restored correctly when restoring from a backup. |
Email Monitoring | Email scanning failures can no longer impact performance of the appliance. |
Email Monitoring | Resolved an issue where some emails were not quarantined properly. |
Web Filtering | The WhatsApp web application definition in Access Policies > Web Applications has been corrected. |
Webmail | Fixed an issue that prevented old mail to be deleted as configured. |
Webmail | Fixed an issue where mailboxes were not deleted properly. |
* RoamSafe Agent was formerly known as the BIC agent
† ClearView was formerly known as SafeChat
30.2
Major BIC Agent Update, Device Reboot Required
Item | Type | Details |
---|---|---|
Reporting | Resolution | Some web links in reports were pointing to a page that no-longer exists. This has been resolved. |
Configuration | Enhancement | Existing settings for network configuration and the RoamSafe* agent will be migrated to our unified configuration framework during the upgrade. This will enable better integration with third-party products in future releases. |
IPsec | Resolution | The IPsec backend has been replaced; the new backend improves stability and interoperability with other IPsec endpoints. |
Web Filtering | Enhancement | Significantly enhance the performance of custom URL filtering lists. |
Web Filtering | Enhancement | New Feature: Lesson Override. See the Lesson Override product page for more details. Please note that this feature is currently not available for the RoamSafe agent. |
Large Object Cache | Enhancement | Enhancements to YouTube caching to improve robustness and broaden device support. The YouTube cache now also provides logs in the web interface. |
Web Interface | Enhancement | Increase resource limits based on available RAM to improve performance and reliability, particularly when there are large numbers of users and requests per second to the web interface and/or reverse proxy. |
ClearView† | Enhancement | Improved handling for Facebook user details in ClearView† events. |
Time zones | Resolution | Errors that could prevent time zone changes from being applied correctly have been resolved. |
Web proxy | Enhancement | Non-ASCII Unicode characters are now supported in custom proxy.pac files. |
Operating System | Enhancement | In some configurations full file-system checks could be triggered even when not needed. This has been resolved, allowing faster boot times. |
CONNECT Proxy | Enhancement | Detect invalid configurations and warn the user in the web interface. |
Internet Quota | Resolution | Users of the direct proxy could sometimes exceed their quota allocation, this has now been resolved. |
Webmail | Resolution | Changing the sort order in webmail (including email quarantine) was not working, this has now been resolved. |
Reporting | Resolution | Links to web filtering categories in email reports were invalid, this has now been resolved. |
Performance | Enhancement | Database parameters have been changed to improve performance and reduce system load. |
ClearView† | Enhancement | Improved support for scanning Google Hangouts messages. |
RoamSafe Agent* | Enhancement | Improved hardware compatibility support for UEFI Secure Boot in Windows 10. This may be needed depending on the manufacturer of the hardware. |
* RoamSafe Agent was formerly known as the BIC agent
† ClearView was formerly known as SafeChat
30.1.10.3.1
Item | Type | Details |
---|---|---|
Web Proxy | Resolution | Reduce proxy memory usage and improve stability when free memory is low. Affected sites should request an upgrade from the support team. |
30.1.10.2
Item | Type | Details |
---|---|---|
Backup Restore | Resolution | Fix an issue that prevented restoring configuration backups onto a freshly-imaged box. |
30.1.10.1
Item | Type | Details |
---|---|---|
Proxy | Enhancement | Include X-Forwarded-For and Via headers in HTTP requests to notify remote servers that the source IP address is shared among many users. |
30.1.10
Item | Type | Details |
---|---|---|
Database Upgrade | Enhancement | Upgrade database backend for increased performance and reliability. Existing customer data will be migrated automatically to the new backend as part of the upgrade process. |
30.1.9.9
Item | Type | Details |
---|---|---|
Web Filtering | Enhancement | Add support for enforcing Google Safe Search via DNS. This allows google to be excluded from HTTPS inspection as a temporary work around to avoid the Google Captcha while providing search safeguards.
Customers should upgrade to this release if their users experience redirection to Google captcha pages when executing a Google search. Safe Search can be enabled by selecting “moderate” or “strict” from the Enforce SafeSearch? dropdown in Access Policies > General. |
30.1.9.5
Item | Type | Details |
---|---|---|
HTTPS inspection | Resolution | When a HTTPS inspection certificate expires, flush all site certificates that were issued using the old certificate and regenerate with the new one. |
SafeChat Archive | Resolution | When archiving Microsoft Lync messages, provide better error reporting when the Lync database server refuses connections due to low memory. |
SMTP server | Resolution | Make sure internal services running on the CyberHound Solution can still access the SMTP server even when all connections from outside are blocked. |
802.1X Pass-Through Authentication | Enhancement | Default to ignoring 802.1X stop records, to improve compatibility with wireless vendors. Existing settings will not be changed. |
BIC Agent (Windows) | Enhancement | Add workarounds for compatibility with OneDrive. |
30.1.9.4
Item | Type | Details |
---|---|---|
Internet Auth | Resolution | Fix errors affecting certain SSH pass-through authentication configurations. |
30.1.9.3
Item | Type | Details |
---|---|---|
Internet Auth | Enhancement | Support for SSH pass-through authentication on Mac OS X 10.11 (El Capitan). |
Large Object Cache | Enhancement | Support for Magic Software eTextbook caching. |
30.1.9.2
Item | Type | Details |
---|---|---|
Firmware | Enhancement | The latest Firmware for the IBM M4 series platforms is included in this release. The firmware update is applied post the update, and will be activated upon the following reboot. |
30.1.9.1
Item | Type | Details |
---|---|---|
Kernel | Enhancement | Upgrade operating system kernel to enhance performance and reliability. |
Agent | Enhancement | Add support for Mac OS X 10.11 (El Capitan). |
Network Monitoring | Resolution | Correctly report data usage of YouTube videos when the YouTube Video Cache is enabled. |
YouTube Video Cache | Enhancement | Add support for a new video format. |
YouTube Video Cache | Enhancement | Better support for Safari on iOS devices. |
SSH Pass-Through Authentication | Enhancement | Work-around for browsers that incorrectly fill out the username and password field in the Pass-Through Authentication configuration screen. |
Web Proxy | Resolution | Proxy IP address access list now only applies to direct proxy mode (similar functionality is provided for transparent proxy users via Access Policies). |
30.1.8
Item | Type | Details |
---|---|---|
NGFW | Enhancement | Improvements to the memory handling and performance for the network application detection, allowing tracking and identification of even more connections at once. |
SafeChat | Enhancement | Detailed logging for Yieldbroker capture, providing for easier debugging should the need arise. |
Traffic Shaping | Enhancement | Update the statistics view to remove redundant / inaccurate columns. |
Online Help | Enhancement | A number of improvements and enhancements to the online help. |
Email Scanning | Resolution | Address an issue where some global quarantine folders would not automatically have older emails removed. |
30.1.7.2
Major BIC Agent Update, Device Reboot Required
Item | Type | Details |
---|---|---|
BIC Agent | Enhancement | Official release of the BIC agent for release 30. It’s recommended that this BIC update be rolled out slowly as with all major upgrades to ensure full compatibility with all programs in your environment. |
30.1.7.1
Item | Type | Details |
---|---|---|
Web Categorization | Resolution | It was found that in situations where the categorization was too fast at returning results, the requester assumed it was invalid, and retried, causing unnecessary delays when performing categorization, this release resolves this issue. |
30.1.7
Item | Type | Details |
---|---|---|
Internet Auth | Enhancement | Continuing further back end changes to improved the performance and robustness of the internet auth service. |
Archiving Emails | Enhancement | Use a trick to prevent browsers auto-filling the username and password field on the archive emails screen, making it more obvious when it’s currently blank. |
Suggested Policies | Enhancement | An updated set of suggested policies for SafeChat for commercial and government customers. |
30.1.6.1
Item | Type | Details |
---|---|---|
Internet Auth | Resolution | Address an issue where when a user exceeded quota, and logged in again within 15 seconds, the login for that IP would fail. |
30.1.6
Item | Type | Details |
---|---|---|
Microsoft Lync | Enhancement | Increase the speed and robustness of the Lync capture service. This requires an upgrade to the server service. |
HTTPS Inspection | Resolution | Accommodate null SSL data payloads, rather than treating this as an error, continue to leave the connection open. This is required for some very specific servers that send empty SSL payloads from time to time. |
Internet Auth | Enhancement | Internal changes to the caching and storage of information to increase performance and reliability of the Internet Auth services. |
30.1.5.1
Item | Type | Details |
---|---|---|
AD Auth | Enhancement | The AD Pass-through authentication service now has a lot less logging by default to the Event Viewer. This is interface compatible and is not a required upgrade, but is recommended for all customers using this service. |
Net Auth | Resolution | Accommodate loosing connectivity and other transient errors more gracefully such that authentication continues to work in all situations. |
30.1.4
Item | Type | Details |
---|---|---|
Web Proxy | Enhancement | Improved memory handling and more robust support when applying major changes that would require the service to restart. |
IPSec | Enhancement | Update the UI to more accurately reflect the configuration options. |
30.1.3.1
Item | Type | Details |
---|---|---|
YouTube Cache | Resolution | Due to recent changes in YouTube, an update has been made to the YouTube cache. This update will also enable the YouTube cache again which was automatically disabled to prevent problems accessing the platform. |
30.1.3
Item | Type | Details |
---|---|---|
YouTube Restricted Mode | Enhancement | The text and wording in the CyberHound Solution interface has been updated to reflect the new name for YouTube Safety Mode, it’s now called YouTube Restricted Mode. |
Filtering Changes | Resolution | In some situations clicking Apply Changes didn’t take effect when some changes to filtering and other options were changed, this has been addressed and changes will apply correctly without the need to reboot. |
Large Object Cache | Enhancement | A new option has been added to rate-limit the Large Object Cache download speed. This is still experimental, and will not rate-limit in all situations, however will will to provide a level of control previously unavailable to this specific service. |
802.1X Authentication | Resolution | When responding to packets from an NPS server, a specific response header is required, there was a regression in release 30 that meant this was no longer happening. This has been resolved, and the NPS server should again accept the response packets from the CyberHound Solution. |
Internet Auth | Enhancement | Should there be issues with the internet auth service, more mechanisms have been put in place to identify this, and automatically resolve the issue before users notice. |
30.1.2
Item | Type | Details |
---|---|---|
Microsoft Lync Archive | Enhancement | For servers that are very busy or otherwise slow, the connection to the CyberHound could time out during the creation of bundles. The internal timeouts have been increased to minimize the chance of them being hit, and ensure successful delivery. |
Email Scanning | Enhancement | Detect and block another specific form of malformed headers, preventing these entering the network. |
BIC Agent | Enhancement | The BIC Agent will now detect the production release of Windows 10, in preparation for it’s full release 30 build. |
1:1 NAT | Enhancement | Previously a reboot was required on release 30 to apply 1:1 NAT changes, this update removes that need, and allows changes to be applied with the system running. |
Email Aliases | Resolution | An issue was identified where a massive email alias list (typically over 100 recipients) would exceed internal limits, causing delivery to not complete. This has been addressed and the limit on email aliases removed. |
Internal Services | Enhancement | A number of changes have been made to internal services to ensure they are more reliable, and notifications are sent should there be an unexpected issue. |
30.1.1
Item | Type | Details |
---|---|---|
Internet Authentication | Enhancement | Some minor updates have been made to Internet Authentication to accelerate logins for users that are already active at an IP address, this can happen when users are roaming between access points and each AP is sending updates to the CyberHound Solution. |
Connection Monitoring | Resolution | There was an issue that prevented the live connection monitoring feature working in all situations in the initial release 30, this has now been resolved. |
Logs | Resolution | An issue with the large object cache logs was identified, this has now been resolved and logs can be viewed again for the large object cache, this includes logs prior to the update. |
802.1X Integration | Enhancement | When receiving packets from AP’s, previously, invalid packets that were correctly signed would be ignored and no reply would be sent. Due to buggy AP’s the CyberHound Solutionwill now reply to a packet that is correctly signed, but then ignore it internally if it is invalid. |
30.1
Major BIC Agent Update, Device Reboot Required
Item | Type | Details |
---|---|---|
Authentication | Enhancement | Better manage a subset of users on a massive AD servers (i.e.: more than 10,000 users), by providing a filter for desired users for a specific location by security group. Desired groups for a site can be set under Configuration > Authentication in the AD plugin, there is a new field titled “Active Groups”, which is an optional group filter applied to all lookups. |
Web Proxy | Enhancement | The logging for the web proxy has been enhanced to include a lot more data on each request, including categories, user agent, and matching policy for allow rules. A new detailed log option is available for the Web Proxy logs to access all of this information. Note: If using automated log parsing tools, these will need to be updated to support this new format. |
NGFW | Enhancement | Decide if HTTPS inspection should be done on a specific request based on the SNI header only (not the IP address) this provides more accurate and faster categorization for “Bypass HTTPS Inspection” policies. |
NGFW | Enhancement | Allow the use of custom domain categories for “Bypass HTTPS Inspection”. This includes the matching of subdomains (e.g.: .example.com to match example.com and all subdomains). This is now the preferred method for HTTPS exclusions, and some of these will be automatically migrated from the configuration screen. |
NGFW | Enhancement | On the Block Activity report, introduce a new protocol column to match what is available in Network Monitoring. |
NGFW | Enhancement | Block the use of the non-standard QUIC protocol by default for all traffic, enforcing the use of standards based web traffic. This option can be set under Access Policies > General. |
NGFW | Enhancement | A new permission level has been introduced to allow for “Test policies and recategorization”. This means users can be given the ability to request a recategorization, without the ability to change policies. |
Pipe Plus | Enhancement | If DNS servers have been configured for a specific link, and force route is now automatically added for each of the DNS servers to push the traffic out that link, removing the need to do this manually. |
HTTPS Inspection | Enhancement | If an upstream SSL certificate changes or is temporarily broken, more rapidly detect this and generate a new local certificate. |
Redirection | Enhancement | For captive portal logins and other redirected pages on HTTPS, use SNI for the certificate generation. |
BIC Agent | Enhancement | Enhanced memory management for big local uploads, minimizing the use of local memory. |
BIC Agent | Enhancement | Better handle the corruption of settings on the agent side, and use a different format to prevent leakage of corruption of settings should this occur. |
BIC Agent | Enhancement | In some instances on Mac OS X, the agent is not notified that the system has come back from sleep, causing traffic to be block for extended periods, use a secondary method to detect this, and more quickly recover when coming back from sleep. |
BIC Agent | Enhancement | Use the newer SHA256 when generating HTTPS inspection certificates. |
BIC Agent | Enhancement | If a reboot is required on the agent, more regularly notify the user that a reboot is required to encourage this to happen sooner. |
BIC Agent | Resolution | When testing policies for the BIC agent under Access Policies, more closely match what would happen on the BIC Agent to provide an accurate representation of the policies that would be applied. |
Reporting | Resolution | When displaying user generated content in a report, if the content is HTML, correctly escape it to prevent display issues. |
BYOD Installer | Enhancement | A new MSI BYOD certificate installer is now available, this is ideal for sites that wish to distribute the certificate installer via group policy. This same installer can run as either a local machine account or a domain admin account, depending on your AD configuration. |
Archive Emails | Enhancement | For archive emails and Symantec EV integration, provide more detailed logs on both success and failure. |
Direct Proxy | Enhancement | Provide the ability to exclude local networks and IP’s from authentication on the direct proxy (in addition to remote servers). |
Direct Proxy | Enhancement | If using automatic proxy configuration, a new field is now available to create a custom proxy.pac file, at the bottom of the Configuration > Web Proxy screen. If this is set, the automatic proxy.pac file is not generated, and the custom one is use instead. |
Web Mail | Resolution | In some views, the ordering by date was not working correctly, this has been addressed. |
30 / 30.0.1
This release is a rebuild of the CyberHound Solution core OS to the latest generation enterprise platform. This includes everything from the kernel to the userspace environment.
Item | Type | Details |
---|---|---|
CyberHound OS | Enhancement | A complete rebuild of the core OS, from the base kernel upwards. Providing improved boot times (now 3 times faster), more rapid service restart (50%-95% faster), and support for the latest network technologies. |
Web Proxy | Enhancement | Support for SNI (Server Name Identification) for outbound HTTPS requests. This will provide compatibility for those clients and servers utilizing these extensions. |
HTTPS Inspection | Enhancement | Using the SNI header, the ability to exclude hosts from HTTPS inspection is now possible using wildcards, providing the ability to exclude an entire domain, and all its subdomains in a single rule. This requires the clients to be using SNI to get this benefit. |
POP3 Server | Enhancement | The POP3 server now supports multiple simultaneous logins. Although technically a violation of the RFC, the implementation provides each client with a point in time view, that is then merged at the end of the transaction. This allows for the use of multiple devices that keep the connection open without interference. |
DNS Server | Change | The DNS server will no longer automatically provide forward and reverse DNS lookups for local IPs. For example the reverse of a LAN IP of 1.1.1.1 would yield ip-1-1-1-1.lan, and there would be a forward lookup for the same. |