Feature and Behaviour changes
1) No restart on configuration changes
The new proxy will reload its configuration without terminating existing connections. This is very important for environments where many dynamic network objects are used, or where configuration frequently changes.
2) Full support for HTTP 1.1 connection keepalive
The new proxy fully supports HTTP 1.1 keepalive on client and server connections, improving network performance.
3) Added SSO support for "Native mode" AD (Windows) domains
The new proxy supports the NTLMv2 and Kerberos authentication protocols when used with Active Directory Single-Sign-On (SSO). Kerberos is much faster than NTLMv2. Kerberos is supported in the IE7 and Firefox browsers (IE6 only supports NTLMv2) and is used automatically if available. There are some setup prerequisites - see "Caveats".
4) Removed SSO support for NT4 domains
SSO support for pure Broadcast/NetBIOS domains running with NT4 as Domain Controller is not supported any longer.
5) Improved network performance
The new proxy uses an IO model that allows for better network performance, up to an 80% increase in request throughput depending on hardware and content scanning configuration.
Caveats
1) Changes in Domain joining for AD (Windows) domains
Customers upgrading from versions prior to 7.100 MUST re-join the Firewall to the AD domain if they use SSO. In order to join the AD domain, the firewall must find a DC (Domain Controller) machine. In previous versions, this was done with a NetBIOS broadcast. Starting with ASG 7.100, pure AD (native) mode is used, which in turn requires finding the DC with a DNS lookup. There are also stricter requirements on DNS resolution and clock differences. The following conditions must be met:
- The time zone on the firewall and the DC must be the same.
- There MUST NOT be a time difference of more than five minutes between the firewall clock and the DC clock.
- The ASG hostname must exist in the AD DNS system.
- The ASG must use the AD DNS as forwarder, or must have a DNS request route for the AD domain which points to the AD DNS server.
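The four conditions above can be checked before attempting the join. The following is an added example written for these release notes, not Astaro's own code: it encodes each condition as a small function and runs them against constructed data (the host names, addresses and time zone names are invented). The hostname lookup is passed in as a callable so the module runs offline; the default uses the system resolver of the host running the check, so for a strict test of the AD DNS itself you would pass a resolver that queries the AD DNS server directly.

```python
"""Pre-join readiness check for the ASG 7.100 AD SSO conditions (added example)."""
from __future__ import annotations

import socket
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Optional

MAX_SKEW = timedelta(minutes=5)  # limit stated in the release notes
Resolver = Callable[[str], Optional[list[str]]]  # name -> addresses, or None


@dataclass
class Clock:
    now: datetime  # must be timezone-aware so skew is compared as absolute instants
    tz_name: str   # configured zone name, e.g. "Europe/Berlin" (constructed)

    @classmethod
    def from_iso(cls, stamp: str, tz_name: str) -> "Clock":
        """Build from an ISO-8601 timestamp that carries a UTC offset."""
        return cls(datetime.fromisoformat(stamp), tz_name)


@dataclass
class DnsSetup:
    ad_domain: str                       # AD DNS domain, e.g. corp.example (constructed)
    ad_dns_servers: set[str]             # addresses of the AD DNS servers
    forwarders: set[str]                 # DNS forwarders configured on the ASG
    request_routes: dict[str, set[str]]  # DNS request routes: domain -> servers


def check_time(asg: Clock, dc: Clock) -> list[str]:
    """Time zone must match and the clocks must be within five minutes."""
    problems = []
    if asg.tz_name != dc.tz_name:
        problems.append(f"time zone mismatch: ASG={asg.tz_name} DC={dc.tz_name}")
    skew = abs(asg.now - dc.now)
    if skew > MAX_SKEW:
        problems.append(f"clock skew {skew} exceeds the allowed {MAX_SKEW}")
    return problems


def system_resolver(name: str) -> Optional[list[str]]:
    """Default resolver: whatever DNS the host running this check is using."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return None


def check_hostname(asg_fqdn: str, resolve: Resolver = system_resolver) -> list[str]:
    """The ASG hostname must exist in the AD DNS system."""
    if not resolve(asg_fqdn):
        return [f"{asg_fqdn} does not resolve in AD DNS"]
    return []


def check_dns_path(dns: DnsSetup) -> list[str]:
    """Either an AD DNS server is a forwarder, or a request route for the AD domain points at one."""
    if dns.forwarders & dns.ad_dns_servers:
        return []
    route = dns.request_routes.get(dns.ad_domain.lower(), set())
    if route & dns.ad_dns_servers:
        return []
    return [f"no forwarder or DNS request route for {dns.ad_domain} reaches an AD DNS server"]


def join_readiness(asg_clock: Clock, dc_clock: Clock, asg_fqdn: str,
                   dns: DnsSetup, resolve: Resolver = system_resolver) -> list[str]:
    """Return the list of unmet conditions; an empty list means the join can be attempted."""
    return check_time(asg_clock, dc_clock) + check_hostname(asg_fqdn, resolve) + check_dns_path(dns)


if __name__ == "__main__":
    # Constructed sample: a fake AD DNS zone and an ASG that only has a request route.
    fake_zone = {"asg.corp.example": ["198.51.100.7"]}
    dns = DnsSetup("corp.example", {"192.0.2.53"}, set(), {"corp.example": {"192.0.2.53"}})
    asg = Clock.from_iso("2008-05-01T12:03:00+01:00", "Europe/Berlin")
    dc = Clock.from_iso("2008-05-01T12:00:00+01:00", "Europe/Berlin")
    for problem in join_readiness(asg, dc, "asg.corp.example", dns, fake_zone.get) or ["all conditions met"]:
        print(problem)
```

The skew comparison uses timezone-aware datetimes on purpose: two clocks that show the same wall-clock time in different zones are not in sync, and a naive comparison would hide that.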
2) Domain re-join needed on upgrade
Customers upgrading from versions prior to 7.100 MUST re-join the Firewall to the AD domain if they use SSO. See above for more information.
3) Kerberos support requires proper network setup
In order for opportunistic SSO Kerberos support to work, the clients MUST use the FQDN hostname of the ASG in their proxy settings; using the IP address will not work. NTLMv2 mode is not affected by this requirement, and will automatically be used if it is not met, or if the browser does not support Kerberos authentication.
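A quick way to see which clients will silently fall back to NTLMv2 is to audit their proxy settings against the rules in this caveat. The following is an added example, not Astaro's own code: it classifies a proxy setting plus browser as "kerberos" or "ntlmv2" using only the two conditions the notes state (FQDN of the ASG in the proxy setting, and a Kerberos-capable browser), and emits a PAC script that points clients at the FQDN. The ASG name, addresses and the browser labels are constructed; the browser set is taken from the notes (IE7 and Firefox support Kerberos, IE6 does not).

```python
"""Audit client proxy settings for Kerberos vs NTLMv2 SSO fallback (added example)."""
from __future__ import annotations

import ipaddress
from urllib.parse import urlsplit

# Browsers the release notes list as Kerberos-capable; anything else gets NTLMv2.
KERBEROS_BROWSERS = {"ie7", "firefox"}


def proxy_host(setting: str) -> str:
    """Extract the host from 'host:port', 'http://host:port' or a bare host."""
    if "://" not in setting:
        setting = "http://" + setting
    host = urlsplit(setting).hostname
    if not host:
        raise ValueError(f"no host in proxy setting {setting!r}")
    return host.lower().rstrip(".")


def is_ip_literal(host: str) -> bool:
    """True for IPv4 or IPv6 literals, which can never carry a Kerberos service name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def sso_mechanism(setting: str, browser: str, asg_fqdn: str) -> tuple[str, str]:
    """Return (mechanism, reason) for one client, following the caveat's rules."""
    host = proxy_host(setting)
    if browser.lower() not in KERBEROS_BROWSERS:
        return "ntlmv2", f"{browser} does not support Kerberos authentication"
    if is_ip_literal(host):
        return "ntlmv2", "proxy is configured by IP address instead of the ASG FQDN"
    if host != asg_fqdn.lower().rstrip("."):
        return "ntlmv2", f"proxy host {host!r} is not the ASG FQDN {asg_fqdn!r}"
    return "kerberos", "ASG FQDN in proxy setting and Kerberos-capable browser"


def audit(clients: list[tuple[str, str, str]], asg_fqdn: str) -> dict[str, list[str]]:
    """Group client names by the mechanism they will end up using."""
    result: dict[str, list[str]] = {"kerberos": [], "ntlmv2": []}
    for name, setting, browser in clients:
        mechanism, _ = sso_mechanism(setting, browser, asg_fqdn)
        result[mechanism].append(name)
    return result


def pac_script(asg_fqdn: str, port: int = 8080) -> str:
    """PAC text that hands clients the FQDN, so Kerberos-capable browsers can use it."""
    return (
        "function FindProxyForURL(url, host) {\n"
        f'  return "PROXY {asg_fqdn}:{port}";\n'
        "}\n"
    )


if __name__ == "__main__":
    # Constructed sample clients: (name, proxy setting, browser)
    sample = [
        ("pc-01", "asg.corp.example:8080", "firefox"),
        ("pc-02", "http://198.51.100.7:8080", "ie7"),
        ("pc-03", "asg:8080", "ie7"),
        ("pc-04", "asg.corp.example:8080", "ie6"),
    ]
    for name, setting, browser in sample:
        print(name, *sso_mechanism(setting, browser, "asg.corp.example"))
    print(pac_script("asg.corp.example"))
```

Note that a short hostname ("asg") is treated as a fallback case: the caveat asks for the FQDN, and a short name would only work where the client's DNS suffix search happens to complete it to the same name the ASG registered in AD DNS.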