9.506 is released.
Maybe we could use this thread for reporting successfully updated systems and maybe not so many bugs. Who wants to be first to update? :-)
Updated HA-Cluster (SG230), no issues till now. Using proxy standard mode with AD, some IPSEC, REDs, mail protection.
Thanks for the link. On the same page I found this: (translated from German by Google)
"Attention, there are problems in HA mode in the ESXi environment. After updating from 9.505-4 to 9.506-2, certain VM servers (the VMs running on the same host where the Passive UTM VM was running) were no longer accessible on the network! Only after shutting down the "passive" node were they suddenly reachable again. Rebuilding the HA did not help. I had to rest again on 9.505-4, then everything went OK again. I wait for the first time 1-2 updates, then we'll see :)"
I posted the following workaround there that might work. This applies to VMs in HA running on the same host.
How to resolve issues with Virtual UTMs configured for High Availability:
1. Log in to the UTM console as root.
2. Enter the following command to determine if HA virtual_mac is enabled:
cc get ha advanced virtual_mac
3. If the output is 1, you can disable it by entering the following:
cc set ha advanced virtual_mac 0
4. Restart all virtual UTMs.
Please let us know if this worked.
Cheers - Bob
WAF is broken for me.
It affects Windows 7 clients using Outlook 2010 connecting to Exchange 2010.
Other combinations like Windows 10, or Outlook 2013 work fine.
TLS 1 is required somewhere in this chain.
9.505-4 added a TLS Version dropdown that allowed you to pick your Min. TLS level. 9.506-2 removed the option. I have an open support ticket, do not have a workaround yet.
I was sent this as a workaround:
It doesn't seem to apply since the lines Sophos references to change no longer exist in the file.
Hope this helps,
Ron
Latest Update from Sophos Support.
If I understood correctly.
TLS 1 support has been removed.
After you do: cc set reverse_proxy min_tls 1
Check the result with: grep SSLProtocol /var/chroot-reverseproxy/usr/apache/conf/reverseproxy.conf
Now is WAF still "broken" for that one situation?
Note that this probably is not supported and that you should upgrade your software to eliminate its dependence on TLSv1. After upgrading, use the trick above to set the value back to 1.1.
Cheers - Bob
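To read what the grep output above actually permits, here is an added example (not part of Bob's post and not Sophos tooling) that applies Apache mod_ssl's SSLProtocol rules: "+" adds a protocol, "-" removes it, a bare name replaces the set. It flags any directive that still allows SSLv3 or TLSv1. Assumptions: the file uses standard Apache syntax and "all" means TLSv1 through TLSv1.2 (this varies with the OpenSSL build); the function names and sample lines are constructed.

```shell
#!/bin/sh
# Added example. Function names and the sample config are constructed.
ORDER="SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"
# tls_enabled "<SSLProtocol arguments>": print the protocols left enabled.
tls_enabled() (
    enabled=""
    for tok in $1; do
        case "$tok" in
            +*) act=add; name=${tok#+} ;;
            -*) act=del; name=${tok#-} ;;
            *)  act=set; name=$tok ;;
        esac
        case "$name" in
            all) group="TLSv1 TLSv1.1 TLSv1.2" ;;  # assumption, see lead-in
            SSLv3|TLSv1|TLSv1.1|TLSv1.2|TLSv1.3) group=$name ;;
            *) echo "unknown protocol: $name" >&2; exit 2 ;;
        esac
        next=""
        for p in $ORDER; do
            old=0; grp=0
            case " $enabled " in *" $p "*) old=1 ;; esac
            case " $group " in *" $p "*) grp=1 ;; esac
            case "$act" in
                add) keep=$(( old | grp )) ;;
                del) keep=$(( old * (1 - grp) )) ;;
                set) keep=$grp ;;
            esac
            if [ "$keep" -eq 1 ]; then next="$next $p"; fi
        done
        enabled=${next# }
    done
    echo "$enabled"
)
# audit_conf: read a config on stdin, report each SSLProtocol directive,
# and return 1 if any of them still allows SSLv3 or TLSv1 (1.0).
audit_conf() (
    rc=0
    while read -r key args; do
        [ "$key" = "SSLProtocol" ] || continue
        enabled=$(tls_enabled "$args") || exit 2
        case " $enabled " in
            *" SSLv3 "*|*" TLSv1 "*) echo "WEAK: $enabled"; rc=1 ;;
            *) echo "ok:   $enabled" ;;
        esac
    done
    exit "$rc"
)
sample_conf() { printf '%s\n' 'SSLEngine on' '  SSLProtocol all -SSLv3 -TLSv1' 'SSLProtocol all -SSLv3'; }
sample_conf | audit_conf || echo "at least one directive allows TLSv1 or older"
```

On the UTM itself the input would be `audit_conf < /var/chroot-reverseproxy/usr/apache/conf/reverseproxy.conf`.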
Bob,
You are my HERO today!
My clients are connecting again.
Now maybe after a couple of hours outage, I can get them to get their software upgraded...
The main issue is I told them they had until April 2018 to fix this as that is the PCI compliance deadline for TLS 1.
I didn't comprehend this line in the change log:
Fix [NUTM-8806]: [WAF] Issue with TLS settings for virtual webserver
Meant removal of TLS 1...
Thanks,
Ron
My bad.
TLS 1 is still there; you just need to know what screen to access.
Advanced vs Virtual Webserver/Edit Screen.
Thanks,
Ron