SonicWALL Aventail SSL VPN Support

SECURE REMOTE ACCESS

End of Support Schedule for SonicWALL Aventail SSL VPN Software Version Support
The following table describes the End of Support (EOS) schedule for the SonicWALL Aventail SSL VPN software version support. Software support is provided only to those customers with an active SonicWALL Support contract. SonicWALL encourages all customers to remain on the latest maintenance release of a fully supported version. Keeping up with the latest maintenance release offers a proactive model for avoiding known issues and allows your organization to take advantage of all the resolutions provided in the latest maintenance release. SonicWALL will hotfix or provide patches to customers based on the latest maintained software release. Major Release Version 9.0 Minor Releases Release Type General Availability Date 1/2008 4/2008 11/2008 1/2009 5/2009 10/2009 12/2008 03/2009 07/2009 11/2009 03/2010 08/2010 12/2010* 12/2009 08/2010 10/2010 Development Support Until Level 1 and 2 Support Until 4/2010 4/2010 4/2010 4/2010 4/2010 4/2010 03/2011 03/2011 03/2011 03/2011 03/2011 10/2011* 10/2011* 08/2012* 08/2012* 10/2012*
9.0.0 9.0.1 9.0.2 9.0.3 9.0.4 9.0.5
Early Release General Release Maintenance Release Maintenance Release Maintenance Release Maintenance Release Early Release General Release Maintenance Release Maintenance Release Maintenance Release Maintenance Release Maintenance Release Early Release Early Release General Release
4/2008 4/2010 4/2010 4/2010 4/2010 4/2010 03/2009 03/2011 03/2011 03/2011 03/2011 10/2011* 10/2011* 08/2010* 10/2010* 10/2012*
10.0.0 10.0.1 10.0.2 10.0.3 10.0.4 10.0.5 10.0.6

10.5.0 10.5.1 10.5.2

* Target date, which is subject to change.
General SonicWALL Aventail SSL VPN EOS Policy
Support for any major or minor release will be limited to 24 months past the release date of the General Release (GR) version. Our policy requires customers with a SonicWALL Aventail appliance running on an Early Release (ER) version to upgrade as soon as possible to the General Release. We advise customers to consider this when choosing between an Early Release version and a General Release version. The intent of this policy is to give customers 24 months from the release of the General Release versions to evaluate subsequent releases.
End of Support Schedule for EX-SSL VPN Software Version Support
Once a new Maintenance Release (MR) version is released, the prior Maintenance Release version of that major/minor release drops from development support.
Development Support Policy
In order to extend development support to a reported support issue, SonicWALL requires the appliance be on the latest maintenance update of the supported major/minor release. This is required because all patches provided for resolution are based on the latest maintenance update. Basing all patches on the latest maintenance release ensures our customers receive a high-quality comprehensive resolution for their issue. In order to ensure the integrity of a development provided solution, the data captured for root cause analysis and solution design must also be based on the latest maintenance update. This may require a customer to upgrade to the latest maintenance release of a supported major/minor release before a clear problem definition can be provided.

Definitions

Version Numbering (Major/Minor/Maintenance Release) Our releases are numbered in the form of X.Y.Z (e.g. 10.5.2). The X defines the Major Feature release number (or major upgrade when it changes), the Y defines the Minor Feature number (or minor upgrade when it changes), and the Z defines the Maintenance Update version. Early Release (ER) Early Release versions are new major or minor feature releases that have gone through a beta release, but have had limited production testing by customers. With an Early Release, customers are encouraged to test the release in a lab environment prior to rolling into a production environment. Early Release versions are entitled to full development support to any customer with a valid support contract. However, development support for Early Release versions will be discontinued once the General Release version is released. Customers are expected to upgrade to the General Release version in order to receive development support. General Release (GR) General Release versions have gone through a Beta Release and Early Release and generally will follow within 3-4 months of the Early Release version. Any customer with an Early Release version will be expected to migrate to the General Release version in order to receive development support. Support for General Releases is limited to 24 months from the release of the GR version. Example: The release of the 10.5.2 General Release was October 2010. SonicWALL will provide Level 1 and Level 2 support for 24 months, or through October 2012. Maintenance Release (MR) Maintenance Release versions incorporate maintenance updates for all supported releases into a regularly scheduled maintenance release schedule. Customers will be expected to migrate to the latest Maintenance Release version in order to receive development support. Maintenance Release versions do not include any new features. SonicWALL Engineering will only produce Maintenance Release versions for supported firmware versions. Once a firmware version reaches the End of Level 1 & 2 Support date there will no longer be any new Maintenance Release versions. General Availability Date This is the date at which the product was available to all customers via the MySonicWALL.com Web site. End of Development Support At this level of support, SonicWALL Global Support Engineers will use any existing patch or work-around to assist in troubleshooting/resolving the issue. No further development support is available at this stage of a release. If development assistance is required to analyze or resolve an issue, customers need to upgrade to a supported Maintenance Release.

End of Tier 1 and 2 Support If you are reporting an issue for a version that is past the date of Level 1 and 2 Support, you must upgrade to a supported release before the SonicWALL Global Support team can assist with the reported issue. SonicWALL Global Support will provide assistance in upgrading to a supported release. Self-service is available from the MySonicWALL.com Web site for releases at this level.

Release Notes

Secure Remote Access SonicWALL Aventail E-Class SRA EX-Series 10.5.2

Platform Compatibility

The SonicWALL Aventail E-Class SRA EX-Series 10.5.2 release is supported on the following SonicWALL appliances: SonicWALL Aventail E-Class SRA EX7000 SonicWALL Aventail E-Class SRA EX6000 SonicWALL Aventail E-Class SRA EX-2500 SonicWALL Aventail E-Class SRA EX-1600 SonicWALL Aventail E-Class SRA EX-750 On 64-bit Windows Vista and Windows 7 systems, this release has been tested on and supports 32-bit Internet Explorer 7 and 8. On Windows 7 SP1 (32-bit and 64-bit), this release has been tested on and supports Safari 5.0.x.
Upgrading from Earlier Versions
If you are upgrading a SonicWALL Aventail E-Class SRA EX-Series appliance to version 10.5.2 from an earlier release, be sure to consult the upgrade instructions in the SonicWALL Aventail Upgrade Guide for detailed information. Youll find a copy of this document on the MySonicWALL Web site (www.mysonicwall.com).

Release Caveats

1. The OPSWAT Secure Desktop Emulator is currently provided as a beta-quality release and has a number of known issues. Details about this feature are provided in the next section. 2. The 10.5.X release series will be the last release with support for OnDemand Dynamic Mode, which is a proxy based agent deployed through the WorkPlace portal. It is important to note that the OnDemand Proxy Agent has two configurations: Dynamic Mode and Mapped Mode. The Mapped Mode use case is still supported, and only Dynamic Mode support is being removed. We recommend customers who still have OnDemand Dynamic mode configured through the WorkPlace portal consider the OnDemand Tunnel agent as an alternative. The OnDemand Tunnel agent offers superior performance and platform coverage over OnDemand Dynamic mode, while requiring identical installation requirements.
Whats New in This Release?
This version of the Aventail SonicWALL E-Class SRA EX-Series software includes the following new and enhanced features: Virtual Assist Provides administrators and helpdesk technicians with the capability to assist remote employees and users with technical assistance issues. Technicians are able to control a users desktop and system at a distance, which provides an efficient and economical method to provide targeted technical support. Users can also request Virtual Assist sessions through the WorkPlace portal. Web Policy and SSO Tunnel Support This tunnel URL filtering feature enforces URL-based rules within VPN tunnel sessions. This feature not only provides more effective security, but also allows the use of Single Sign-On (SSO) for Web applications accessed via a tunnel.
SonicWALL Aventail E-Class SRA EX-Series 10.5.2 Release Notes

232-001932-00 Rev A

iPhone, iPad, Android and Symbian Support ActiveSync for Exchange Extends SonicWALLs clientless ActiveSync support for Exchange email to mobile devices that are becoming popular choices for corporate mail. This feature also leverages the devices ID capability to link the device to a single user, providing a first layer of end-point control. Password Management for Sun and Novell Directory Servers Provides support to Novell and Sun LDAP servers for improved password management. This new feature calls upon the Policy server to probe and predetermine the directory server and the applicable version. End users will be able to enter LDAP credentials and be notified through the appliance when their password needs to be changed due to expiration or backend policies, and will then allow users to change the password. The following server versions are supported: o Sun Java System Directory Server Enterprise Edition (DSEE) 7.0 o Novell eDirectory 8.8 SP5 Extension Configurations in Management UI A new page has been added to the Maintenance section of the AMC management interface to allow simple configurations to be completed for extensions. This new feature assists administrators in making configuration adjustments that appear in maintenance releases or hotfixes, and allows for the configuration of arbitrary key-value pairs. OPSWAT Secure Desktop Emulator (SDE) Provides VPN administrators with an additional end-point data protection tool that prevents end users from copying or moving data from an end-point system to other locations that have not been qualified for security clearance. When a client device is classified into a zone that requires the desktop emulator, the emulator will automatically deploy for the user. The Secure Desktop Emulator is available as a beta-quality feature for the following platforms: o Windows XP SP3 or later o Windows Vista SP2 or later (32-bit, 64-bit) o Windows 7 (32-bit, 64-bit) o Windows 7 SP1 (32-bit, 64-bit) o Windows 2008 Server Note: SonicWALL recommends using Java with Internet Explorer when using SDE. Cache Cleaner (also known as OPSWAT CC) Provides VPN administrators with an end-point data protection tool to ensure data downloaded or accessed during a session is functionally wiped from the users system. This feature removes Web browser information, such as cookies, browsing history, and stored passwords upon termination of the session. The Cache Cleaner (OPSWAT) is supported on the following platforms: o Windows XP SP3 or later o Windows Vista SP2 or later (32-bit, 64-bit) o Windows 7 (32-bit, 64-bit) o Windows 2008 Server o Mac OS X 10.5 (Leopard) o Mac OS X 10.6 (Snow Leopard) (32-bit, 64-bit)

Known Issues

This section describes known issues for this release. The issues are organized into the following categories: AMC Configuration..... 3 Cache Cleaner (OPSWAT CC)..... 3 Connect Mobile...... 8 Connect Tunnel..... 8 End Point Control...... 10 ExtraWeb...... 12 OnDemand Proxy..... 12 OnDemand Tunnel..... 12 OPSWAT Secure Desktop Emulator (SDE)... 12 Platform/Operating System.... 14 Policy Server..... 14 Virtual Assist..... 15 Web Translation..... 16 WorkPlace..... 16

AMC Configuration

Symptom AMC displays no results for searches resulting in a large number of matches. Condition / Workaround Occurs when a search for users or groups on an external directory that results in more than 1,000 matches (on a Windows 2000 server) or 1,500 matches (on a Windows 2003 server). Issue 61955
Cache Cleaner (OPSWAT CC)
Symptom Cache Cleaner clears all items including nonsession history, passwords, and form data from cache history against policy. Condition / Workaround Occurs when users are connecting through an Internet Explorer 8 or Firefox browser, even when Protected Mode is turned off in IE and when the "Clear session items only" policy option is enabled in AMC. Occurs when users on a system with Cache Cleaner enabled close out of a browsing session. Cache Cleaner clears all items from the cache, even when clearing scope is set to "Clear session items only" in AMC. Occurs on a Mac OS X 10.6.3 client system with Safari or on a Windows XP SP3 client system with Internet Explorer 8 and Protected Mode turned off. Occurs when clicking Logout in WorkPlace with Cache Cleaner running, while using Windows 7 or Vista SP2 with an Internet Explorer 8 browser with Protected Mode turned on. Workaround: Turn Protected Mode off. Issue 94097, 88556
Cache Cleaner clears all items from cache history against session-only policy.

90104, 89001

Cache Cleaner causes Internet Explorer to close and then reopen a tab, resulting in a warning saying This tab has been recovered.
Cache Cleaner does not clear the browser cache history despite a clear all items policy.
Occurs when users log in to WorkPlace with Cache Cleaner enabled, use the browser to access various Web sites, then log out of WorkPlace and close the browser, and then launch the browser again after Cache Cleaner exits. Cache Cleaner does not clear all items from the cache, although the clearing scope is set to "Clear all items" in AMC. Occurs on a 64 bit Windows Vista SP2 client system with Internet Explorer 8 and Protected Mode turned on. Workaround: Turn Protected Mode off in IE. Occurs on 32-bit and 64-bit Window 7 and Vista SP2 client systems when using Internet Explorer with Protected Mode turned on. Workaround: Turn Protected Mode off in IE. Occurs when using Internet Explorer 8 or a Firefox browser on a Windows XP SP3 client system. A delay of 53 seconds has been observed.

The tray icon for Cache Cleaner is not displayed on the client system.
Cache Cleaner is slow to release memory and exit after user logout.
Cache Cleaner Comparison This table lists differences in behavior between the OPSWAT Cache Cleaner and the Symantec Cache Cleaner that was included in previous releases. # 1 Features Supported platforms Symantec (Sygate) Cache Cleaner Windows XP SP2 (32 bit) Windows 2000, 2003 Macintosh 10.3.9 and 10.4.9 OPSWAT Cache Cleaner Windows XP SP3 (32 bit) Vista SP2 (32/64) Windows7 (32/64) Windows 2003, 2008 (32/64) Macintosh 10.x Internet Explorer 6, 7 and 8 FF 2, 3.0 and 3.5 Safari 3.0 and 4.0 (Mac) No Not supported in Safari (Mac) Yes (Mostly) Instead of clearing session specific typed-URLs and cookies, all of the typed-URLs and cookies are wiped. No. This feature has been removed. Instead, when the user chooses to logout from WorkPlace, a prompt states all browser windows will close. The client initiates a wipe but continues to run until the browser windows are closed explicitly. OPSWAT provides system-wide DPA. OPSWAT monitors and wipes data in all supported browsers (Internet Explorer and Firefox) and not necessarily that of provisioning-browser.

Supported browsers

Internet Explorer (IE) 6 and 7 Firefox (FF) 1.5 and 2.0 Safari 1.2 and 2.0 (Mac) Yes Yes Yes
Clearing Browser data Form data Download history Support Session scope
Close all browser windows at startup

Post -timeout interval

Wipe scope
The client closes browsers and then initiates a complete wipe and terminates. Data in the context of the provisioning browser is wiped. For example: If the Cache Cleaner is loaded within Internet Explorer (IE), then at the end, CC only wipes data specific to IE. However, data in another supported browser (Firefox) is unmodified.
OPSWAT Cache Cleaner Deployment Issues The following tables contain known issues and deployment results provided by OPSWAT for the Cache Cleaner when using Internet Explorer in certain environments. Key to colors and abbreviations: IE Internet Explorer PM JRE RED GREEN Protected Mode Java Runtime Environment Failed to wipe Successful wipe

Launching via Applet The following table outlines the issues that the Cache Cleaner will encounter based on different environments: JRE < JRE 6, update 10 PM ON data IE 7 PM ON Cache Cookies History Typed Addresses Passwords PM OFF data Cache Cookies History Typed Addresses Passwords JRE >= JRE 6, update 10 PM ON data Cache Cookies History Typed Addresses Passwords PM OFF data Cache Cookies History Typed Addresses Passwords

IE 7 PM OFF

Cache Cookies History Typed Addresses Passwords

IE 8 PM ON

IE 8 PM OFF
Launching via ActiveX The following table outlines the issues that the Cache Cleaner will encounter based on different environment setups on Windows Vista: PM ON data IE 7 PM ON Cache Cookies History Typed Addresses Passwords PM OFF data Cache Cookies History Typed Addresses Passwords

IE7 PM OFF

IE8 PM ON

IE8 PM OFF

Connect Mobile
Symptom Installing or uninstalling Connect Mobile on a hand held device can fail. Condition / Workaround Occurs when Trend Micro Mobile Security realtime scanning and virus detection is enabled on the device. Workaround: Disable real-time scanning before installing or uninstalling Connect Mobile. Issue 60183

Connect Tunnel

Symptom While URL Filtering is enabled, an illegal, rejected HTTP stream lets certain DENY rules fail open, allowing the rule to be circumvented and content retrieved from the back-end server. Condition / Workaround Occurs when URL Filtering is enabled, a DENY rule exists for a specific URL resource, and an HTTP request is sent using an illegal HTTP construct that is rejected by the SonicWALL Aventail HTTP scanner, but is supported by a Web server. Workaround: Craft policy in accordance with best practices, using ALLOW rules to grant access to specific resources followed by a broad DENY rule disallowing access to all others. Note: Check the Knowledge Portal (on MySonicWALL under Support) for current hotfixes that resolve specific instances of this issue, and apply them before enabling URL Filtering. Occurs when a private network uses a proxy for its LAN systems. When Connect Tunnel is used on public networks, it attempts to use that private LAN proxy. The problem is that an increasing number of ISP's are resolving names that have no resolution to a default site (usually advertising related). When the unresolved name does falsely resolve to an IP address, the client then attempts to load the PAC file from the resolved address. Of course, none is forthcoming, so a long timeout ensues on every new Connect Tunnel connection. Occurs because, on Mac clients, the System proxy configuration information is detected only when Connect Tunnel is started. If the proxy information is modified when Connect Tunnel is already running, the changes will not be reflected, and Connect Tunnel will not prompt for authentication and will not establish the connection. Workaround: Close and re-launch Connect Tunnel after modifying proxy information. Issue 94535

Proxy configuration on a private network leads to long Connect Tunnel connection times on some public networks.
On Mac OS clients, Connect Tunnel fails to determine outbound proxy settings when it is already launched.
Connect Tunnel fails without an error message when connecting to the 32-bit Connect Tunnel client on a 64-bit machine.
Occurs when the 32-bit Connect Tunnel client is installed on a system running Mac OS X Snow Leopard (v10.6) and the system is rebooted in 64-bit mode. Workaround: Upgrade earlier versions of the client to the current version of the universal (64-bit and 32-bit) Connect Tunnel client for Mac OS X 10.6 and later on machines running 64-bit Mac OS X Snow Leopard. Occurs when logins are attempted after the number of users logging in to the appliance reaches the licensed limit. At issue is the license count on the appliance, not the system capabilities of the client device. Occurs when traffic to local networks is redirected through a remote proxy with "Redirect All Non Local Mode", and can be observed by users when Connect Tunnel is enabled and the users are logged into the appliance. Occurs on a Macintosh device when you switch to a network that requires authentication. For example, if a user is connected to the appliance using a wired connection and changes to a wireless access point that requires authentication, the previous connection cannot be re-established; the user must manually log in to the appliance. Occurs on both Internet Explorer (IE) and Firefox (FF) browsers when a user configures proxy settings. Occurs when you provision Connect Tunnel from WorkPlace and the user downloads and installs the client, which normally creates an icon on the users desktop. If the client device is a computer running a Linux operating system and a different person logs in to it, no desktop icon for Connect Tunnel will be visible. Workaround: One workaround is to bring up the command window (press ALT+F2), and then type the path to the Connect Tunnel program. Alternatively, you could create an icon on the desktop for the Connect Tunnel program. In Redhat or Fedora, for example, you would right-click on the desktop and select Create Launcher, and then browse to the Connect Tunnel application.
A misleading error message is displayed: VPN Connection Failed. Access denied. The required system capabilities are not present, enabled, or current. Local resources are sometimes directed through an internal proxy server.
Tunnel clients are unable to reconnect over an access point that requires authentication.

In Redirect All mode, the Internet is accessible if proxy settings are configured on browsers. The desktop icon for Connect Tunnel in WorkPlace is not present for all Linux users.
When using dial-up and remote proxy for the connection to the Internet, Internet browsing might not traverse the remote proxy.
Occurs when you use a dial-up connection to the Internet, and the community to which you are assigned is configured for remote proxy. This applies regardless of whether the remote proxy was configured manually or using a.pac file. Workaround: In Connect Tunnel, make sure the dial-up connection is specified on the Properties page. Select the 'Establish this connection first' check box and specify a connection in the dropdown list. (If you use OnDemand tunnel, there is no equivalent way to specify the connection properties.) Occurs when Internet Explorer is configured to use an outbound HTTP proxy server and Connect Tunnel attempts to access the appliance using that proxy server. If the proxy is available, the client connection will succeed. However, if the proxy server is unavailable, the client will not fall back to sending traffic through the default route, causing the connection to the appliance to fail. Workaround: Remove the proxy setting from the browser. Occurs when the Connect tunnel client is configured (by an administrator or user) to access the appliance using the FQDN or virtual IP address for a custom WorkPlace site. Workaround: Configure the client to access the appliance using the FQDN or IP address contained in the appliance's main certificate.
Cannot access the appliance if specified proxy server is unavailable.
Cannot access the appliance using the FQDN/VIP for a WorkPlace site. The Connect tunnel client displays the message, "The device is not in a valid state to perform this request."

End Point Control

Symptom Smartphone ActiveSync users are classified to the default or quarantine zone even when the smartphone device ID or serial number is configured as a user attribute in the Active Directory server. Condition / Workaround Occurs when the device ID in the user attribute does not include the specific prefix such as Appl or droid that is sent in the POST message when the smartphone connects to the appliance. Workaround: View the POST message in the appliance log, and use the device ID value shown there for the AD user attribute. Occurs when a user launches a Secure Desktop Emulator session through the Firefox Web browser. The browser window displays a "waiting" message, even once the SDE session has begun. Occurs when a user successfully removes the Secure Desktop Emulator plug-in using the Internet Explorer browser tools options. Issue 93443
Browser window does not close after launching a Secure Desktop Emulator session.

An incorrect MS VC++ run-time error may be displayed by Internet Explorer.
Occurs when a user logs out of WorkPlace within an Internet Explorer browser when the Cache Cleaner was enabled, and then successfully removes the Cache Cleaner Control Class plug-in. Occurs because Symantec OnDemand Protection is not supported in versions 10.5.x. Workaround: Before upgrading to 10.5.x from 10.0.x and earlier versions, disable Symantec OnDemand Protection for all End Point Control Zones. Occurs when the equipment ID was typed using lower case letters when creating the device profile, and then the user attempts to login from a machine whose equipment ID matches the ID in the device profile except that it contains upper case letters. Workaround: Use capital letters when entering the equipment ID into the device profile. Occurs when a device profile contains a combination of a hard coded equipment ID and user attributes, and the user logs in using an unregistered device. When selected, the Match profile if user has no registered devices check box is applicable when the user has no devices registered in the back end AD or LDAP server and there are no hard coded devices in the device profile. Occurs when a root certificate is imported to the appliance and configured as a device profile for either the Mac OS or Linux platform, then the zone is created including the device profile with persistent EPC enabled, and the zone is added to a realm. The client certificate is imported to the client Firefox browser and the user authenticates to the realm, but is classified to the default zone. The zone classification fails because the appliance is not integrated with the certificate store for the operating system or the browser. Occurs when a Windows device profile is configured on the appliance to check for a certain client certificate on a user's device in either the machine or user store. On an end point device running Windows Vista, the machine store cannot be opened for a user who does not have Windows administrator rights, and the search for the client certificate fails.
Upgrading to 10.5.x from 10.0.x and previous versions with SODP enabled will fail.
Zone classification can fail in certain cases, preventing the user from logging in.
Zone classification fails when a device profile combines values and the Match profile if user has no registered devices check box is selected.
Zone classification fails with certificate device profile on Linux and Mac machines. The client is relegated to the default zone rather than the intended zone.
Zone classification fails for a user who does not have Windows administrator rights. The user is classified to the default or quarantine zone.

ExtraWeb

Symptom The Safari browser stops responding when accessing Web sites that use applets. Condition / Workaround Occurs after logging in to the appliance in a Safari 4.0.5 browser on a machine running Mac OS X 10.5.8, and accepting the certificate prompts. The certificate prompts show header values instead of strings, which appears to be a browser issue. This issue can occur on all Web sites that use applets. Issue 89190

OnDemand Proxy

Symptom The first time a user installs OnDemand proxy, OnDemand proxy might not redirect all connections. Condition / Workaround Occurs for connections to unqualified names that are fewer than 16 characters in length, which are not redirected if DNS cannot resolve them. This can happen if no DNS suffix is configured on the system. Workaround: Reboot the system. When DNS fails, WINS or WINS Broadcast is used, but WINS cannot perform name resolution until the system has been rebooted. Issue 60633

OnDemand Tunnel

Symptom OnDemand Tunnel upgrade appears to work using two different appliances, but activation fails with an error that there is no phonebook. Condition / Workaround Occurs when a non-administrator installs OnDemand Tunnel on a Windows system, and when subsequent upgrades are performed using different appliances. Workaround: Install OnDemand Tunnel when logged in as an administrator. Upgrade from the same appliance, as administrator or non-administrator. Issue 71411
OPSWAT Secure Desktop Emulator (SDE)
Symptom Web resources are not accessible using the Web Proxy Client (EWPCA) and OnDemand Proxy in the Secure Desktop Emulator. Condition / Workaround Occurs when there is already a proxy (.pac file or auto configuration) defined in the Internet Explorer or Firefox browser and the user attempts to modify the preset proxy settings in the secure desktop. Workaround: Use OnDemand Tunnel agent or use a manual proxy. Access Web resources using an alias or a custom access option such as a hostname or port mapped URL. Occurs when using a 32-bit Windows 7 machine using Internet Explorer 8 and Java, either when starting it in IE8 with no other browsers running, or when IE8 is running and then Firefox is launched and the user attempts to start Secure Desktop Emulator in Firefox. Workaround: Press the F5 key to refresh the browser and then SDE starts. Issue 91956, 91954, 91946, 91942
Secure Desktop Emulator does not always start on the first attempt.
The rundll.exe process stops responding for a user accessing a realm that uses Secure Desktop Emulator.
Occurs when the user logs in for the first time to the SDE realm from a freshly installed Vista SP2 32-bit machine with Internet Explorer 8 and User Access Control (UAC) turned on. Workaround: Log in again, as subsequent logons do not have the problem. Occurs when a network drive is mapped to a network share while in a Secure Desktop Emulator session. Workaround: Exit the SDE session and launch a new SDE session. Occurs when an Internet Explorer and/or Firefox browser was open when SDE was launched, and SDE closed the browsers. Occurs when using ActiveX for provisioning on 32-bit and 64-bit machines running Windows Vista SP2 and on 32-bit machines running Windows 7, with User Access Control (UAC) turned on. Workaround: Turn UAC off or use Java with Internet Explorer for provisioning and activating agents. Occurs when any application is installed while in a Secure Desktop Emulator session and then the session is ended. Occurs when in a Secure Desktop Emulator virtual desktop on 64-bit machines running Vista SP2 with User Access Control either on or off, and on Windows 7 machines with User Access Control turned off. Workaround: Turn UAC on for 32-bit Windows 7 machines and use 32-bit Vista SP2 with UAC either on or off. Occurs when using a 32-bit machine running Windows 7 and Internet Explorer 8 with User Access Control turned off. This problem occurs because SDE is unable to properly load ActiveX. Workaround: Manually exit the secure desktop by accessing the tray icon and clicking Exit. Occurs when a user enables printing out of the Secure Desktop Emulator, and attempts to print from Notepad on a system running Windows 7. Workaround: In these instances, the user can print from Microsoft Word, and then try printing from Notepad. Print support for 64-bit systems running Windows Vista or Windows 7 may be developed for future releases.

Policy Server

Symptom Group affinity checking is not successfully completed with certain authentication scheme combinations. Condition / Workaround Occurs when PKI is configured as the primary authentication scheme, and Active Directory, LDAP, or RADIUS is configured as the secondary authentication. Workaround: Remove the secondary authentication. Issue 90434

Virtual Assist

Symptom The Help button incorrectly displays Windows help. The Virtual Assist session sometimes stops responding. The technician application stops responding in certain conditions. Condition / Workaround Occurs on Mac OS X when the Help button is clicked. Occurs on Mac OS X when closing the browser window where the initial Virtual Assist session was launched. Occurs on Mac OS X after an ungraceful exit if the browser is closed before the application exits. Workaround: Exit the application first, then close the browser. Occurs on Mac OS X when the technician application shows the last screen of the Mac system even after ending support. Occurs when the technician PC is running Windows Vista SP2 with Internet Explorer 8, the customer PC is running Windows XP SP3 with Internet Explorer 8, the technician clicks Reboot Customer PC, and the customer provides their credentials. Workaround: The customer logs back into the wait queue on a new ticket either by entering the authentication code or by responding to an invitation sent when the technician creates a new ticket. Occurs when a technician has both a Windowsclient customer and a Mac-client customer waiting for service in the Virtual Assist queue, and the technician services the Windows customer and then attempts to service the same Windows customer again after a re-queue. Occurs on Mac OS X when the client application is not terminated when the technician re-queues the customer. Occurs on Mac OS X when the technician selects the option to end support (Stop or Remove). Occurs when a customer accepts an invitation to join the Virtual Assist queue for service when it is full, which prompts to try back later, and then tries to use the same invitation link to join the queue after a space opens up. Occurs when a technician initiates a Virtual Assist session with a customer, and selects the fullscreen mode option to view the client's screen. Workaround: The technician and user should each move their mouse to refresh the VNC connection. Occurs when the client or customer attempts to send numerous files to the technician's system at one time, using the file transfer tool. Issue 94630 94629

Cannot cancel installation of Aventail Access Manager.
Certificate authentication process stalls during login to WorkPlace.

Resolved Issues

This section describes resolved issues for this release. The five-digit numbers in brackets are internal tracking IDs. The issues are organized into the following categories: AMC Configuration..... 17 Authentication...... 17 Cache Cleaner (OPSWAT CC)..... 17 Certificates...... 18 Connect Tunnel (CT)..... 18 End Point Control (EPC)..... 19 ExtraWeb...... 19 Logging...... 20 OnDemand Proxy..... 20 OPSWAT Secure Desktop Emulator (SDE)... 20 Platform/Operating System.... 21 Policy Server..... 22 Provisioning..... 22 WorkPlace..... 23
Symptom AMC displays Unknown for some entries in the unregistered devices log table. Condition / Workaround Occurs because activeSyncMobile enumeration is missing from the platform row in the MySQL database equipmentIdentifier table. Issue 93530

Authentication

Symptom After authentication, a message is displayed which says "Your password will expire in -24626 days (Numbers appear randomly generated). Users not in Active Directory are incorrectly granted access for rule with Dynamic Group Expression. One Time Password user login session does not timeout after 15 minutes. Condition / Workaround Occurs when Active Directory is misconfigured and is giving incorrect timestamps. Occurs when using RADIUS as primary authentication with Active Directory group affinity check enabled. Occurs when the user is inactive for 15 minutes or more. Issue 93749
Symptom Cache Cleaner cannot be disabled on a Mac OS X 10.6 machine. Condition / Workaround Occurs when the CC system tray icon is rightclicked and the Disable option is selected. Upon exit, CC still removes all session related information. This occurs when logged into WorkPlace on a Mac OS X Snow Leopard system with a Safari 4.0 browser. Issue 88991
Cache Cleaner is not provisioned on some platforms when Secure Desktop Emulator is configured.
Occurs on non-Windows client machines when Secure Desktop Emulator (SDE) has been enabled in the appliance configuration. SDE is not supported on non-Windows platforms, so to maintain legacy support, CC needs to be provisioned.

Certificates

Symptom PKI authentication through Connect Tunnel with a chained certificate fails and displays an Access Denied message. Condition / Workaround Occurs when the PKI server is configured with the primary CA, the sec1 intermediate CA, which is issued by the primary CA, is installed in the client machine browser, and then Connect Tunnel is installed and a login is attempted with a secondary user certificate issued by the sec1 CA. Occurs when using multiple certificates and the common name (cn) field is identical. Issue 93921

Only one certificate is displayed when a user is prompted to choose among multiple certificates.

Connect Tunnel (CT)

Symptom Remote Internet Proxy does not always work. Connect Tunnel client picks the wrong one among multiple client certificates with the same common name and eventually authentication fails. The Connect Tunnel system tray icon takes a couple of minutes to respond, soon after Connect Tunnel connects. Authentication fields are grayed out on Windows 7 after installing Connect Tunnel with the ngsetup.ini file. Connect Tunnel Windows 7 users cannot get to any destination without a route, although other clients can. Connect Tunnel retains the fallback connection profile after disconnecting, instead of reverting to the primary appliance connection profile. Condition / Workaround Occurs when the PAC file is sent as chunkencoded stream. Occurs when multiple valid certificates are imported on the client machine's browser in such a way that two client certificates have the same common name but are issued by different CAs. Occurs when an internal recurring EPC request times out, causing the delay. Occurs when logged into Windows 7 as a nonadministrator, after installing Connect Tunnel while logged in as an administrator and then logging out. Occurs when using split tunnels. Issue 92559 92005
Occurs when Connect Tunnel connects to the fallback appliance when the primary appliance is not available, and then there is an unexpected disconnect to the fallback connection (client machine loses Internet connectivity or secondary appliance becomes unreachable). Occurs when the unit has just been upgraded from an older version of firmware to a newer version of firmware.
Connect Tunnel fails to automatically re-establish a connection after trying to connect to a unit.

End Point Control (EPC)

Symptom Users fall back to the default zone for the first time with iPhone ActiveSync. Mac/Linux Client libraries and AMC need upgrade to OPSWAT version 3.4.15.1. Windows Client libraries and AMC need upgrade to OPSWAT version 3.4.15.1. Advanced EPC for Mac users classifies users incorrectly to the default zone. Condition / Workaround Occurs when setting up ActiveSync on the iPhone (3G, 3GS & 4) and attempting to do the initial sync using GPRS. Occurs when running older OPSWAT versions. Occurs when running older OPSWAT versions. Occurs when several AntiVirus definitions are used in the EPC profile assigned to the EPC zone, and the AntiVirus installed on the Mac client machine is not the first one declared inside the EPC profile. Occurs when the realm is configured to allow OnDemand tunnel along with an EPC check for McAfee Enterprise Antivirus and a domain check with approximately 15 NetBIOS Domain names are specified in the profile. Occurs on the initial request because the Equipment ID is empty. Subsequent requests include the Equipment ID and are properly classified. Issue 93870

Provisioning

Symptom ActiveX Control format string overflow allows remote exploitation in which an attacker can execute arbitrary code within the security context of the targeted user. Condition / Workaround Occurs when logging input data like team or configuration string. Issue 91522
Symptom Bookmarks saved by anonymous users are not displayed in WorkPlace. Condition / Workaround Occurs when users are logged in to WorkPlace using the NULL authentication realm. Any bookmarks that they create and save will not display on the WorkPlace home page. Occurs when protection is needed against Slowloris attacks. Slowloris can cause a Denial of Service (DoS) by sending partial HTTP requests to Web servers. These partial requests consume unusual amounts of resources (in the form of open connections), which cause Apache, and other Web servers, to be monopolized quickly. Workaround: Users can enable a configuration extension mechanism, "mod_qos". This module does provide Quality-of-Service for web applications running on Apache servers, and may affect performance in some cases. Users must enable this module extension mechanism, as it is not implemented by default in version 10.5.2. Occurs on a computer that is running Microsoft Windows XP SP2. Workaround: Install the KB884020 update patch from the Microsoft site: http://support.microsoft.com/kb/884020/ Issue 91903, 90819
Users must enable a module extension mechanism for protection against Slowloris HTTP Denial of Service attacks.
OnDemand access agent and other programs that connect to IP addresses that are in the loopback address range (127.0.0.x) to redirect and secure traffic through the appliance may display an error message that says that you cannot establish a connection.
Technical Documentation and the Knowledge Portal
Check the SonicWALL Customer Support Knowledge Portal, available when you log in to MySonicWALL, for information and hotfixes that are relevant to your appliance. Technical documentation is available on the SonicWALL Technical Documentation Online Library: http://www.sonicwall.com/us/Support.html
______________________ Last updated: 10/7/2010