********************************************************************************
Product brand: Secomea
Version: 11.4.624462023
Release type: Release
********************************************************************************

================================================================================
GateManager 8250 Server
================================================================================

--------------------------------------------------
New features and enhancements:
--------------------------------------------------

RD-6364: Add TLS 1.3 support for GTA to HTTPS agents.
  It is now possible to perform GTA to devices that require TLS 1.3.

RD-6688: Add TLS 1.3 support to web server.
  GM web server now supports TLS version 1.3.

RD-6799: Include SM serial in alert-mail.txt header by default.
  GM name and SM serial number are now included in alert mail.

RD-6863: UI toggle for switching between Local Time and UTC in GM GUI.
  A checkbox in the form of a slider has been added to the top bar, allowing
  the user to show displayed times as UTC.

RD-6988: Clarify usage of GM "max audit log age" setting.
  - Added hint explaining that "max audit log age" has to be >=30 or 0
    (infinite).
  - Disallowed setting of the "max audit log" to invalid values.
  - Displayed the "max audit log age" in the Customer Domain Summary.

RD-7034: New corporate visual identity (CVI) to GM, LM web UI.
  Logos and images updated for Secomea's new Corporate Visual Identity.

RD-7067: If Azure is configured with SAML SSO, GateManager won't fetch the
complete list of keys.
  GateManager wouldn't get all public keys if Azure had been configured with
  keys specific to a tenant and application. This has been fixed.

RD-7078: Include endpoint or domain information in browser tab name for GtA RDP
sessions.
  For Guacamole-based in-browser GTA, the browser's tab name is extended to
  contain the agent's name.

RD-7106: Change default paths for GM server.conf.
  Default paths have been changed:
  - "GUACD shares" to /usr/share/SFT/files
  - "GTA Session Recording Path" to /usr/share/SFT/recordings
  - "Web Temporary File Path" to /usr/share/SFT/tmp

RD-7109: Setting "Web Temporary File Path" is changeable in the GUI, but will
not be created by GateManager.
  It was possible to change "Web Temporary File Path" in the GUI, but that path
  was not created by the server. This has been fixed.

--------------------------------------------------
Bug fixes:
--------------------------------------------------

RD-6436: Close GTA on Logout/Exit default settings are out-of-sync.
  "Close GTA on Logout/Exit" default values of GM and LM were not synchronized.
  This is now fixed.

RD-6511: Usability issues for Custom Roles tweaks.
  The Custom Roles settings for Basic Administrator and Domain Observer roles
  had a few deficiencies that reduced their usability:
  - Even when assigned the "j" capability (Join/Unjoin/Edit Groups), these roles
    couldn't see the groups. Groups are now always visible (with or without this
    capability).
  - Even with "C" (All Account capabilities) assigned, other administrator
    accounts were not visible. This has been fixed.
  - With "d" capability (Create/Move/Delete domains), the roles could create new
    domains alright, but were unable to give those domains meaningful names. The
    "d" capability now admits "Edit" right as well, so domains can be renamed.

RD-6536: Some emails are invalid in GateManager when using special characters.
  Now allowing the use of apostrophe in the name part of an email address
  (before @).

RD-6763: Renew password on own account doesn't work.
  Renew Password on own account should be disabled due to the "Change Password"
  function under "My Account". This has been fixed.

RD-6805: Missing GM mail log on Debian 12.5.
  On Debian 12.5 the GM mail log was missing. This has been fixed.

RD-6879: Auto-enable setting should be cleared when account is manually enabled.
  Enabling a previously disabled user account didn't clear the auto-enable date
  in the database. This has been fixed.

RD-6925: CRM API for account disabling/enabling is inconsistent with what's
allowed in the GUI.
  CRM API endpoints /crm/enable/account and /crm/disable/account were
  inconsistent with what's allowed in the GUI. This has been fixed.

RD-6926: Inconsistent output of /crm/get/account for some combinations of
auto-enable and auto-disable.
  In reply to /crm/get/account, "disabled" status is always added now. Field
  "enable", corresponding to auto-enable time, is added when this time is set.

RD-6928: RDP issue with pre-configured username/password that contains special
characters.
  GTA to agents configured with non-ASCII characters in the password would fail.
  This has been fixed (by either SM or GM firmware upgrade).

RD-6947: GM is crashing with "Lock assert failed".
  When listing Requests for Access to devices that were not accessible for the
  approving account, GM would crash with a "Lock assert failed - R1 W0" message
  in the system log. This has been fixed.

RD-6950: Visual bugs in Request for Access.
  - Spurious popups were shown to the requester if RFA object was moved out of
    RFA domain. This has been fixed.
  - GUI allowed changing state of request for access to an object no longer in
    a RFA domain. This has been fixed.

RD-6951: Secure File Transfer does not allow parentheses in file name.
  Upload of files with parentheses in their name to RDP file share from within
  GM portal would fail with an "invalid file name" error message. This has been
  fixed.

RD-6966: GM crashes on /crm/all/grants when printing a domain grant.
  GateManager crashed when /crm/all/grants was issued while domain RFA records
  were present. This has been fixed.

RD-6977: CRM API request to /crm/update/account resets "Always Grant Remote
Access" flag.
  CRM API request to /crm/update/account reset "Always Grant Remote Access"
  flag. This has been fixed.

RD-6980: DCM disabled in newly created Customer Domains on Private GMs.
  On a private GateManager, newly created Customer Domains (or existing domains
  that were changed to Customer Domains) would have DCM disabled. This was
  partially fixed in release 11.2 (RD-6626), but that fix required GM to be
  restarted to take effect. This has now been fixed without requiring restart.

RD-6982: RfA scheduled in the future never works.
  Request for Access grant handling has been extended to handle this scenario.

RD-7028: Conversion of auto-enable date from string to broken-down time may be
wrong in /crm/disable/account.
  It could happen that a call to /crm/get/account returned an "auto-enable" date
  different from the one previously set with /crm/disable/account. This has
  been fixed.

RD-7035: RDP issue with pre-configured username/password that contains special
characters.
  GTA to agents configured with non-ASCII characters in the password would fail.
  This has been fixed (by either SM or GM firmware upgrade).

RD-7054: /crm/verify/account returns ok in some cases when it should fail.
  If account authentication is certificate + password, the /crm/verify/account
  request will fail (as expected) when no cert is supplied. However, if
  authentication is certificate + password + sms, the request would succeed even
  though no certificate was supplied. Depending on frontend implementation, this
  could potentially reduce MFA by one of the factors (password and sms were
  still required). This has been fixed.

RD-7062: Date is offset when making a Request For Access far in the future.
  - Time limit added to date time picker widget.
  - Manual validation added to text fields for Request for Access time date.

RD-7073: /crm/goto/agent lacks support for Guacamole VNC.
  VNC sessions opened via /crm/goto/agent were always opened in the legacy
  (noVNC) in-browser viewer; there was no way to have them open in Guacamole,
  which is required for session recording. Default is now to open in Guacamole.
  If for some reason the legacy viewer is preferred instead, this can be
  selected by including "app":"novnc" in the CRM request.

RD-7074: /crm/goto/agent using noVNC viewer lacks password support.
  VNC sessions started via /crm/goto/agent using legacy (noVNC) viewer lacked
  support for cases where a password was pre-configured on the agent, so the
  user would need to know the password by other means. This is now handled
  transparently, without users having to know the password.

--------------------------------------------------
Security advisories:
--------------------------------------------------

-

--------------------------------------------------------------------------------
Upgrade instructions can be found here:
https://kb.secomea.com/docs/upgrade-gatemanager-firmware
--------------------------------------------------------------------------------

================================================================================
SiteManager and SiteManager Embedded
================================================================================

--------------------------------------------------
New features and enhancements:
--------------------------------------------------

RD-6987: Certify DCM Cumulocity integration.
  DCM Cumulocity data server is certified by Cumulocity.

RD-7039: Add DCM settings option to enable journaling for DCM SSF database.
  Add option to enable journaling for the DCM database for better resilience
  against power loss.

RD-7069: Add APN to the known APN list of a SiteManager.
  apn.vianova.it (MCC 222, MNC 49) has been added to the list of known APNs.

RD-7090: Show a DCM config warning if DCM is stored on internal flash.
  Show a warning on hardware SiteManagers if DCM stores the database on internal
  flash memory.

--------------------------------------------------
Bug fixes:
--------------------------------------------------

RD-6667: SSF Reset on power loss.
  Fix an issue where DCM would reset the database on power loss.

RD-7055: SiteManager doesn't drop bound TLS when changing GateManager.
  In rare cases, moving a SM from one GM to another would fail with an
  "Incorrect GateManager server certificate" log message. This has been fixed.

RD-7105: DCM GUI does not show correct status on troubleshoot page.
  Fix an issue where the MQTT dataserver status would always show as unknown on
  the SiteManager troubleshoot page.

--------------------------------------------------
Security advisories:
--------------------------------------------------

-

--------------------------------------------------------------------------------
Upgrade instructions can be found here:
https://kb.secomea.com/docs/en/upgrade-sitemanager-firmware
--------------------------------------------------------------------------------

================================================================================
LinkManager Windows Client
================================================================================

--------------------------------------------------
New features and enhancements:
--------------------------------------------------

RD-7034: New corporate visual identity (CVI) to GM, LM web UI.
  Logos and images updated for Secomea's new Corporate Visual Identity.

--------------------------------------------------
Bug fixes:
--------------------------------------------------

RD-7030: Windows 11 complains about LinkManager Service being interactive.
  On Windows 11, an error would be logged in the Windows Event Log about
  LinkManager Service being marked as interactive, and that it might not
  function properly. This didn't actually cause any functional errors, as the
  service doesn't need to be (and isn't designed to be) interactive. It is no
  longer marked as such, so the false error will no longer be logged.

--------------------------------------------------
Security advisories:
--------------------------------------------------

-

--------------------------------------------------------------------------------
Upgrade instructions can be found here:
https://kb.secomea.com/docs/en/upgrading-linkmanager-to-the-newest-version
--------------------------------------------------------------------------------

********************************************************************************
End
********************************************************************************