Athena: 30.0

Athena (/əˈθiːnə/; Attic Greek: Ἀθηνᾶ, Athēnā, or Ἀθηναία, Athēnaia; Epic: Ἀθηναίη, Athēnaiē; Doric: Ἀθάνα, Athānā) or Athene (/əˈθiːniː/; Ionic: Ἀθήνη, Athēnē), often given the epithet Pallas (/ˈpæləs/; Παλλὰς), is the goddess of wisdom, courage, inspiration, civilization, law and justice, strategic war, mathematics, strength, strategy, the arts, crafts, and skill in ancient Greek religion and mythology. Minerva is the Roman goddess identified with Athena. [ Source: https://en.wikipedia.org/wiki/Athena (2015-03-23 ]

Also the goddess of renewal. [ Source: http://www.scns.com/earthen/other/seanachaidh/godgreece.html (2015-03-23) ]

This release is will be a staged roll-out, initially to customers that have explicitly requested it at http://cyberhound.com/support/request. A notification will then be sent when your site has been scheduled to receive the update.

Recommendation: It is recommended that all existing HTTPS inspection exclusions be recorded, and then removed as many of these will no longer be necessary. When adding in HTTPS exclusions in 30.1, using Access Policies with a custom Category type of Domain List will typically now be the most effective as it supports subdomains. This does however require the application that is attempting to use the internet supports SNI.

30.4.5.4

30.4.5.4

Available for installation by the support team.

Improvements
VPN Improved detection of stale connections in Remote Access and RoamSafe VPNs.
VPN Improved performance of site to site VPN connections.
Firewall Improved performance of Intrusion Protection System.

30.4.5.3

30.4.5.3

Available for installation by the support team.

Resolutions
VPN Resolved an issue where VPNs did not work as expected when used in certain load balancing configurations.
Configuration Corrected an issue where changes to the Welcome Page configuration were not applied as expected.
Email Addressed a compatibility issue with the Thunderbird email client.

30.4.5.2

30.4.5.2

Available for installation by the support team.

Enhancements
Upgrade Optimized the removal of swap space.

30.4.5.1

30.4.5.1

Available for installation by the support team.

Resolutions
Configuration Resolved an issue where a factory reset did not reset the network configuration correctly.
Configuration Corrected an issue where some configuration changes did not persist under certain circumstances.

30.4.5

30.4.5

Available for installation by the support team.

Enhancements
IPsec Performance and stability improvements.
Resolutions
Internet Quotas Correct an issue with incorrect quota allocation when quota configuration changed.
Configuration Resolved an issue that prevented users from selecting a custom intermediate SSL inspection certificate via the UI.
Backup/Restore Ensure that the selected time zone is set correctly when restoring configuration.

30.4.4

30.4.4

Available for installation by the support team.

IPsecImproved detection of stale connections.

Enhancements
IPsec Allow tunnel establishment to gateways that are NATed.
YouTube Video Cache Improved caching of videos watched in Safari on iOS devices.
Web Proxy Enhanced memory and inspection certificate management.
Web Filtering Performance and stability improvements.
Internet Auth Performance and stability improvements.
ClearView Improved scanning of Facebook front page.
Resolutions
ClearView Use custom certificate for Instant Messaging inspection certificate.
Web Filtering Resolve an issue where only the initial results were shown in a Google Images searches with Access Policies -> General -> Enforce SafeSearch enabled.

30.4.3

30.4.3

Available for installation.

Enhancements
802.1X Pass-Through Authentication Performance improvement of Internet authentication.
Site categorisation Memory utilisation improvements.
Database Added the ability to optionally configure the database to reside on a separate disk.
Web Mail Improve capability to handle very large mail boxes.
Resolutions
Firewall Resolved an issue where network connections did not work when using port forwarding over load balanced links.
Configuration Resolved an issue that prevented users from uploading intermediate SSL inspection certificates via the UI.
Configuration Corrected an issue where VLANs could not be deleted via the UI if their parent links had been deleted.
Configuration Resolved an issue where deleted 1:1 NAT entries were not deleted from the firewall configuration.
Backup/Restore Corrected an issue where under certain circumstances a restore operation could fail.

30.4.2.1

30.4.2.1

Available for installation by the support team.

Enhancements
Network Monitoring Performance improvements of log processing.
Administration Improved performance when viewing log files within the user interface.
Resolutions
Network Monitoring The Purge Data button located under Network Monitoring > General now functions as expected.
Internet Quotas Resolve a display issue where session details were not shown correctly on the quota management page within the user interface.
Internet Quotas Correct an issue with rolling quota allocation calculation.

30.4.2

30.4.2

Available for installation by the support team.

New Features and Enhancements
Quotas Performance improvements.
Resolutions
ClearView Changes to ClearView policies will be applied to all services immediately.
Web Interface The restart link button on the link info page has been fixed.
Web Interface The pass-through authentication page now works correctly when 802.11r support is enabled.

30.4.1.1

30.4.1.1

Available for Installation.

Enhancements
Web Interface Changes to access permission checks.

30.4.1

30.4.1

New Features and Enhancements
Proxy Enhanced resilience to better handle certain malformed requests.
Resolutions
RoamSafe VPN Correctly restart IPsec tunnels after a network link failure.
RoamSafe Agent Existing policies (URL Filtering and ClearView) are retained until the update of the agent has been successfully completed.

30.4

30.4

Binary update to the RoamSafe Agent (reboot required).

New Features and Enhancements
Item Details
Web Filtering Classroom Control gives teachers the reassurance that web content they need to access in class will be available to them and their students, without delay and without having to involve the ICT department. This new feature  allows teachers to:

  • Allow only a few websites (e.g. for exams);
  • Block all internet access for the class; and
  • Control internet access for individual students.

Please review our Release Guide to learn more about this feature.

Proxy Changed the behaviour of CONNECT proxy ports default value to forward only ports 80 and 443.
ClearView Added support for brotli encoding.
Resolutions
Administration Corrected an issue with the formatting of some tcpdump output.
ClearView Resolved an issue with the handling of facebook status or wall posts including images.
BIC Agent Resolved an issue where brotli encoded content was not displayed correctly in the browser.

30.2.6

30.2.6

New Features and Enhancements
Item Details
Proxy Improved performance of HTTPS certificate handling.
Web Filtering Improved performance of categorisation local database updates.
Problem Resolutions
Firewall Resolved an issue where blacklisting alerts were not sent under certain circumstances.
Web Interface Resolved an issue where the Bridge Mode configuration page was not accessible in certain configurations.

30.2.5

30.2.5

New Features and Enhancements
Item Details
Proxy Improved performance and scalability.
Roamsafe Added a watchdog function to the Roamsafe Agent configuration manager.
Roamsafe Increased performance of Roamsafe Agent configuration updates.
Problem Resolutions
Roamsafe iOS Allow access to LAN for Roamsafe iOS.
Roamsafe iOS Resolve UI issue with configuration of Roamsafe iOS VPN subnet.

30.2.4.1

30.2.4.1

New Features and Enhancements
Item Details
ClearView Enhancement to ClearView to better handle the Microsoft Lync and Google Hangouts platforms.
Problem Resolutions
Database Adjust some database maintenance tasks to better manage load.

30.2.4

30.2.4

Problem Resolutions
Item Details
Performance Several enhancements have been implemented to improve system performance and reliability.
Proxy Resolved an issue around policy application in direct proxy configurations with disabled SSL inspection.

Athena: 30.0

30.2.3

New Features and Enhancements
Item Details
YouTube Cache Added support for IE11 on Windows 7.
Problem Resolutions
Webmail Added support for larger numbers of email folders.
Firewall New 1:1 NAT rules could not be created in 30.2.x releases.
Proxy Logs Proxy logs appear truncated. This was caused by incorrectly formatted log entries preventing any subsequent log entries from being displayed.
Performance Possible issues caused by malicious traffic.
Quotas Free sites list not correctly applied to certain connections.

30.2.2

New Features and Enhancements
Item Details
RoamSafe for iOS RoamSafe for iOS is an “Always on VPN” solution for iOS 9 (and above) devices in supervised mode. This solution integrates with most MDM solutions and Apple DEP and provides support for web filtering, application control, firewalling and ClearView social media management. Please refer to the CyberHound appliance Help function for details of RoamSafe VPN configuration.
Internet Quota Permissions for Internet Authentication and Internet Quota configuration are now separate and provide better control of which groups are allowed to access these features.
Firewall Added an option Configuration > Advanced > Allow Asymmetric Routing. On most sites, this should be set to “no” in order to ensure that packets with LAN source addresses are properly blocked from being sent out the internet interface, but it will be set to “yes” on existing sites to avoid blocking legitimate traffic on sites which require asymmetric routes.
YouTube Restricted Mode Added support for forcing YouTube Restricted Mode using DNS instead of cookies. This method is harder to circumvent but cannot be used with group exclusions.
Web Filtering Incorporated real time updates of URL categorization.
YouTube Cache Improved playback of embedded YouTube videos in Safari on iOS.
Web proxy Improved the handling of custom certificates for HTTPS inspection.
ClearView Improved handling of Twitter direct messages.
Problem Resolutions
Administration The Proxy Statistics page now shows the web proxy performance information correctly.
Configuration Port forward changes are now correctly applied when clicking the Apply button in Advanced Firewall.
Configuration The RoamSafe Agent > General > Force Login option is now enforced correctly.
Configuration Local interface names are now restored correctly when restoring from a backup.
Email Monitoring Email scanning failures can no longer impact performance of the appliance.
Email Monitoring Resolved an issue where some emails were not quarantined properly.
Web Filtering The WhatsApp web application definition in Access Policies > Web Applications has been corrected.
Webmail Fixed an issue that prevented old mail to be deleted as configured.
Webmail Fixed an issue where mailboxes were not deleted properly.

* RoamSafe Agent was formerly known as the BIC agent
† ClearView was formerly known as SafeChat

30.2

Major BIC Agent Update, Device Reboot Required

Item Type Details
Reporting Resolution Some web links in reports were pointing to a page that no-longer exists. This has been resolved.
Configuration Enhancement Existing settings for network configuration and the RoamSafe* agent will be migrated to our unified configuration framework during the upgrade. This will enable better integration with third-party products in future releases.
IPsec Resolution The IPsec backend has been replaced; the new backend improves stability and interoperability with other IPsec endpoints.
Web Filtering Enhancement Significantly enhance the performance of custom URL filtering lists.
Web Filtering Enhancement New Feature: Lesson Override. See the Lesson Override product page for more details. Please note that this feature is currently not available for the RoamSafe agent.
Large Object Cache Enhancement Enhancements to YouTube caching to improve robustness and broaden device support. The YouTube cache now also provides logs in the web interface.
Web Interface Enhancement Increase resource limits based on available RAM to improve performance and reliability, particularly when there are large numbers of users and requests per second to the web interface and/or reverse proxy.
ClearView Enhancement Improved handling for Facebook user details in ClearView events.
Time zones Resolution Errors that could prevent time zone changes from being applied correctly have been resolved.
Web proxy Enhancement Non-ASCII Unicode characters are now supported in custom proxy.pac files.
Operating System Enhancement In some configurations full file-system checks could be triggered even when not needed. This has been resolved, allowing faster boot times.
CONNECT Proxy Enhancement Detect invalid configurations and warn the user in the web interface.
Internet Quota Resolution Users of the direct proxy could sometimes exceed their quota allocation, this has now been resolved.
Webmail Resolution Changing the sort order in webmail (including email quarantine) was not working, this has now been resolved.
Reporting Resolution Links to web filtering categories in email reports were invalid, this has now been resolved.
Performance Enhancement Database parameters have been changed to improve performance and reduce system load.
ClearView Enhancement Improved support for scanning Google Hangouts messages.
RoamSafe Agent* Enhancement Improved hardware compatibility support for UEFI Secure Boot in Windows 10. This may be needed depending on the manufacturer of the hardware.

* RoamSafe Agent was formerly known as the BIC agent
† ClearView was formerly known as SafeChat

30.1.10.3.1

Item Type Details
Web Proxy Resolution Reduce proxy memory usage and improve stability when free memory is low. Affected sites should request an upgrade from the support team.

30.1.10.2

Item Type Details
Backup Restore Resolution Fix an issue that prevented restoring configuration backups onto a freshly-imaged box.

30.1.10.1

Item Type Details
Proxy Enhancement Include X-Forwarded-For and Via headers in HTTP requests to notify remote servers that the source IP address is shared among many users.

30.1.10

Item Type Details
Database Upgrade Enhancement Upgrade database backend for increased performance and reliability. Existing customer data will be migrated automatically to the new backend as part of the upgrade process.

30.1.9.9

Item Type Details
Web Filtering Enhancement Add support for enforcing Google Safe Search via DNS. This allows google to be excluded from HTTPS inspection as a temporary work around to avoid the Google Captcha while providing search safeguards.

Customers should upgrade to this release if their users experience redirection to Google captcha pages when executing a Google search.

Safe Search can be enabled by selecting “moderate” or “strict” from the Enforce SafeSearch? dropdown in Access Policies > General.

30.1.9.5

Item Type Details
HTTPS inspection Resolution When a HTTPS inspection certificate expires, flush all site certificates that were issued using the old certificate and regenerate with the new one.
SafeChat Archive Resolution When archiving Microsoft Lync messages, provide better error reporting when the Lync database server refuses connections due to low memory.
SMTP server Resolution Make sure internal services running on the CyberHound Solution can still access the SMTP server even when all connections from outside are blocked.
802.1X Pass-Through Authentication Enhancement Default to ignoring 802.1X stop records, to improve compatibility with wireless vendors. Existing settings will not be changed.
BIC Agent (Windows) Enhancement Add workarounds for compatibility with OneDrive.

30.1.9.4

Item Type Details
Internet Auth Resolution Fix errors affecting certain SSH pass-through authentication configurations.

30.1.9.3

Item Type Details
Internet Auth Enhancement Support for SSH pass-through authentication on Mac OS X 10.11 (El Capitan).
Large Object Cache Enhancement Support for Magic Software eTextbook caching.

30.1.9.2

Item Type Details
Firmware Enhancement The latest Firmware for the IBM M4 series platforms is included in this release. The firmware update is applied post the update, and will be activated upon the following reboot.

30.1.9.1

Item Type Details
Kernel Enhancement Upgrade operating system kernel to enhance performance and reliability.
Agent Enhancement Add support for Mac OS X 10.11 (El Capitan).
Network Monitoring Resolution Correctly report data usage of YouTube videos when the YouTube Video Cache is enabled.
YouTube Video Cache Enhancement Add support for a new video format.
YouTube Video Cache Enhancement Better support for Safari on iOS devices.
SSH Pass-Through Authentication Enhancement Work-around for browsers that incorrectly fill out the username and password field in the Pass-Through Authentication configuration screen.
Web Proxy Resolution Proxy IP address access list now only applies to direct proxy mode (similar functionality is provided for transparent proxy users via Access Policies).

30.1.8

Item Type Details
NGFW Enhancement Improvements to the memory handling and performance for the network application detection, allowing tracking and identification of even more connections at once.
SafeChat Enhancement Detailed logging for Yieldbroker capture, providing for easier debugging should the need arise.
Traffic Shaping Enhancement Update the statistics view to remove redundant / inaccurate columns.
Online Help Enhancement A number of improvements and enhancements to the online help.
Email Scanning Resolution Address an issue where some global quarantine folders would not automatically have older emails removed.

30.1.7.2

Major BIC Agent Update, Device Reboot Required

Item Type Details
BIC Agent Enhancement Official release of the BIC agent for release 30. It’s recommended that this BIC update be rolled out slowly as with all major upgrades to ensure full compatibility with all programs in your environment.

30.1.7.1

Item Type Details
Web Categorization Resolution It was found that in situations where the categorization was too fast at returning results, the requester assumed it was invalid, and retried, causing unnecessary delays when performing categorization, this release resolves this issue.

30.1.7

Item Type Details
Internet Auth Enhancement Continuing further back end changes to improved the performance and robustness of the internet auth service.
Archiving Emails Enhancement Use a trick to prevent browsers auto-filling the username and password field on the archive emails screen, making it more obvious when it’s currently blank.
Suggested Policies Enhancement An updated set of suggested policies for SafeChat for commercial and government customers.

30.1.6.1

Item Type Details
Internet Auth Resolution Address an issue where when a user exceeded quota, and logged in again within 15 seconds, the login for that IP would fail.

30.1.6

Item Type Details
Microsoft Lync Enhancement Increase the speed and robustness of the Lync capture service. This requires an upgrade to the server service.
HTTPS Inspection Resolution Accommodate null SSL data payloads, rather than treating this as an error, continue to leave the connection open. This is required for some very specific servers that send empty SSL payloads from time to time.
Internet Auth Enhancement Internal changes to the caching and storage of information to increase performance and reliability of the Internet Auth services.

30.1.5.1

Item Type Details
AD Auth Enhancement The AD Pass-through authentication service now has a lot less logging by default to the Event Viewer. This is interface compatible and is not a required upgrade, but is recommended for all customers using this service.
Net Auth Resolution Accommodate loosing connectivity and other transient errors more gracefully such that authentication continues to work in all situations.

30.1.4

Item Type Details
Web Proxy Enhancement Improved memory handling and more robust support when applying major changes that would require the service to restart.
IPSec Enhancement Update the UI to more accurately reflect the configuration options.

30.1.3.1

Item Type Details
YouTube Cache Resolution Due to recent changes in YouTube, an update has been made to the YouTube cache. This update will also enable the YouTube cache again which was automatically disabled to prevent problems accessing the platform.

30.1.3

Item Type Details
YouTube Restricted Mode Enhancement The text and wording in the CyberHound Solution interface has been updated to reflect the new name for YouTube Safety Mode, it’s now called YouTube Restricted Mode.
Filtering Changes Resolution In some situations clicking Apply Changes didn’t take effect when some changes to filtering and other options were changed, this has been addressed and changes will apply correctly without the need to reboot.
Large Object Cache Enhancement A new option has been added to rate-limit the Large Object Cache download speed. This is still experimental, and will not rate-limit in all situations, however will will to provide a level of control previously unavailable to this specific service.
802.1X Authentication Resolution When responding to packets from an NPS server, a specific response header is required, there was a regression in release 30 that meant this was no longer happening. This has been resolved, and the NPS server should again accept the response packets from the CyberHound Solution.
Internet Auth Enhancement Should there be issues with the internet auth service, more mechanisms have been put in place to identify this, and automatically resolve the issue before users notice.

30.1.2

Item Type Details
Microsoft Lync Archive Enhancement For servers that are very busy or otherwise slow, the connection to the CyberHound could time out during the creation of bundles. The internal timeouts have been increased to minimize the chance of them being hit, and ensure successful delivery.
Email Scanning Enhancement Detect and block another specific form of malformed headers, preventing these entering the network.
BIC Agent Enhancement The BIC Agent will now detect the production release of Windows 10, in preparation for it’s full release 30 build.
1:1 NAT Enhancement Previously a reboot was required on release 30 to apply 1:1 NAT changes, this update removes that need, and allows changes to be applied with the system running.
Email Aliases Resolution An issue was identified where a massive email alias list (typically over 100 recipients) would exceed internal limits, causing delivery to not complete. This has been addressed and the limit on email aliases removed.
Internal Services Enhancement A number of changes have been made to internal services to ensure they are more reliable, and notifications are sent should there be an unexpected issue.

30.1.1

Item Type Details
Internet Authentication Enhancement Some minor updates have been made to Internet Authentication to accelerate logins for users that are already active at an IP address, this can happen when users are roaming between access points and each AP is sending updates to the CyberHound Solution.
Connection Monitoring Resolution There was an issue that prevented the live connection monitoring feature working in all situations in the initial release 30, this has now been resolved.
Logs Resolution An issue with the large object cache logs was identified, this has now been resolved and logs can be viewed again for the large object cache, this includes logs prior to the update.
802.1X Integration Enhancement When receiving packets from AP’s, previously, invalid packets that were correctly signed would be ignored and no reply would be sent. Due to buggy AP’s the CyberHound Solutionwill now reply to a packet that is correctly signed, but then ignore it internally if it is invalid.

30.1

Major BIC Agent Update, Device Reboot Required

Item Type Details
Authentication Enhancement Better manage a subset of users on a massive AD servers (i.e.: more than 10,000 users), by providing a filter for desired users for a specific location by security group. Desired groups for a site can be set under Configuration > Authentication in the AD plugin, there is a new field titled “Active Groups”, which is an optional group filter applied to all lookups.
Web Proxy Enhancement The logging for the web proxy has been enhanced to include a lot more data on each request, including categories, user agent, and matching policy for allow rules. A new detailed log option is available for the Web Proxy logs to access all of this information.
Note: If using automated log parsing tools, these will need to be updated to support this new format.
NGFW Enhancement Decide if HTTPS inspection should be done on a specific request based on the SNI header only (not the IP address) this provides more accurate and faster categorization for “Bypass HTTPS Inspection” policies.
NGFW Enhancement Allow the use of custom domain categories for “Bypass HTTPS Inspection”. This includes the matching of subdomains (e.g.: .example.com to match example.com and all subdomains). This is now the preferred method for HTTPS exclusions, and some of these will be automatically migrated from the configuration screen.
NGFW Enhancement On the Block Activity report, introduce a new protocol column to match what is available in Network Monitoring.
NGFW Enhancement Block the use of the non-standard QUIC protocol by default for all traffic, enforcing the use of standards based web traffic. This option can be set under Access Policies > General.
NGFW Enhancement A new permission level has been introduced to allow for “Test policies and recategorization”. This means users can be given the ability to request a recategorization, without the ability to change policies.
Pipe Plus Enhancement If DNS servers have been configured for a specific link, and force route is now automatically added for each of the DNS servers to push the traffic out that link, removing the need to do this manually.
HTTPS Inspection Enhancement If an upstream SSL certificate changes or is temporarily broken, more rapidly detect this and generate a new local certificate.
Redirection Enhancement For captive portal logins and other redirected pages on HTTPS, use SNI for the certificate generation.
BIC Agent Enhancement Enhanced memory management for big local uploads, minimizing the use of local memory.
BIC Agent Enhancement Better handle the corruption of settings on the agent side, and use a different format to prevent leakage of corruption of settings should this occur.
BIC Agent Enhancement In some instances on Mac OS X, the agent is not notified that the system has come back from sleep, causing traffic to be block for extended periods, use a secondary method to detect this, and more quickly recover when coming back from sleep.
BIC Agent Enhancement Use the newer SHA256 when generating HTTPS inspection certificates.
BIC Agent Enhancement If a reboot is required on the agent, more regularly notify the user that a reboot is required to encourage this to happen sooner.
BIC Agent Resolution When testing policies for the BIC agent under Access Policies, more closely match what would happen on the BIC Agent to provide an accurate representation of the policies that would be applied.
Reporting Resolution When displaying user generated content in a report, if the content is HTML, correctly escape it to prevent display issues.
BYOD Installer Enhancement A new MSI BYOD certificate installer is now available, this is ideal for sites that wish to distribute the certificate installer via group policy. This same installer can run as either a local machine account or a domain admin account, depending on your AD configuration.
Archive Emails Enhancement For archive emails and Symantec EV integration, provide more detailed logs on both success and failure.
Direct Proxy Enhancement Provide the ability to exclude local networks and IP’s from authentication on the direct proxy (in addition to remote servers).
Direct Proxy Enhancement If using automatic proxy configuration, a new field is now available to create a custom proxy.pac file, at the bottom of the Configuration > Web Proxy screen. If this is set, the automatic proxy.pac file is not generated, and the custom one is use instead.
Web Mail Resolution In some views, the ordering by date was not working correctly, this has been addressed.

30 / 30.0.1

This release is a rebuild of the CyberHound Solution core OS to the latest generation enterprise platform. This includes everything from the kernel to the userspace environment.

Item Type Details
CyberHound OS Enhancement A complete rebuild of the core OS, from the base kernel upwards. Providing improved boot times (now 3 times faster), more rapid service restart (50%-95% faster), and support for the latest network technologies.
Web Proxy Enhancement Support for SNI (Server Name Identification) for outbound HTTPS requests. This will provide compatibility for those clients and servers utilizing these extensions.
HTTPS Inspection Enhancement Using the SNI header, the ability to exclude hosts from HTTPS inspection is now possible using wildcards, providing the ability to exclude an entire domain, and all its subdomains in a single rule. This requires the clients to be using SNI to get this benefit.
POP3 Server Enhancement The POP3 server now supports multiple simultaneous logins. Although technically a violation of the RFC, the implementation provides each client with a point in time view, that is then merged at the end of the transaction. This allows for the use of multiple devices that keep the connection open without interference.
DNS Server Change The DNS server will no longer automatically provide forward and reverse DNS lookups for local IPs. For example the reverse of a LAN IP of 1.1.1.1 would yield ip-1-1-1-1.lan, and there would be a forward lookup for the same.