Netsweeper 7.2.1 EA is now available for early adopters. We have been very active working on our Active-Active WebAdmin project, changing the architecture of our system to allow multiple active WebAdmin systems to work together to provide greater performance, scaling, and improved redundancy. The 7.2.1 EA release gives customers the ability to test out our progress and see where we are going in the 7.2.1 release.
It is important to remember that if you are upgrading, the WebAdmin, Reporter, and Deny Page servers must remain the same version. Netsweeper does not recommend upgrading any production systems to the 7.2.1 EA release, but customers are encouraged to start looking at the changes we are making. Because some key elements are missing from the 7.2.1 EA build, the 7.2.2 release will be the first release in which customers will be able to set up an Active-Active WebAdmin and start using it in a production environment.
If you have any questions or concerns about planning an upgrade to this release, please contact Netsweeper Technical Support at support@netsweeper.com.
This release is available on both EL6 and on EL8. The 7.2 release will continue to port the product to EL8. Over the course of the 7.2 release cycle, we will be finalizing the EL8 release. Moving forward to Netsweeper 8.x releases, we will no longer be releasing new features for the EL6 builds. Netsweeper will continue to provide security fixes to the EL6 builds but will not provide new features to the EL6 based release. Customers are expected to plan a migration to EL8 between now and 2023 if they desire the new features we are introducing.
Netsweeper 7.2.1 New Features
Routes Advertising Service
- New Routes Advertising Service templates added for EL8 OpenBGP, instead of QUAGGA
Radius
- Radius integration is split into two services for EL8: Radius for service provided by FreeRadius, and NSRadius for Netsweeper Radius Log Parser
SSL/TLS
- A new 'Secure SSL Connection TO Config Database' checkbox is used to enable the SSL connection from the WebAdmin to the database, so transmitted data is encrypted.
- All Protocols have been updated to use SSL/TLS in the Policy Service.
Active-Active WebAdmin
- SAML SSO configuration for Active-Active WebAdmin added to the database
- WebAdmin now has a default certificate and key for SAML login
Deny Pages
- You can browse for or drop an image to insert it into the Deny Page
- Deny Pages now generated on all WebAdmin servers by the Up2Date service
Up2Date
- WebAdmin configuration files are now generated by the Up2Date service on each WebAdmin
Client Filter
- Exception List header rewrite support for Chrome Client Filter to allow YouTube restricted or moderate mode to be enforced via Exception List
- Policy Service protocol support for https, httpsi, ssl, ssli added to the Client Filter allowing secure communication between the client and server.
Policy Service
- The Policy Service will now parse either http:// or https:// liger events
- Parsing and support for the policy service URL has been added
Upgrades
- All upgrades are now done over HTTPS to the https://repo.netsweeper.com repository
Downloads
To download the latest release, please use the following links:
EL 6 -> http://repo.netsweeper.com/netsweeper-el6-x86_64-7.2.1-1.iso (md5) (sha256)
EL 8 -> http://repo.netsweeper.com/netsweeper-el8-x86_64-7.2.1-1.iso (md5) (sha256)
Change Log 7.2.1
| Ticket | Description |
|---|---|
| 23491 | BUG: Generating a Certificate Authority for NSProxy would fail without an error message. |
| 23530 | FEATURE: PHP Session data is now stored in the database. |
| 23540 | BUG: The /sbin/ifup-local, which is linked to nsupdateissue, did not run on CentOS8 and the issue did not get the IP addresses of the machine. |
| 23644 | BUG: The letsencrypt SSL certificate process did not make httpd reload the SSL certificates after a successful update was completed. |
| 23699 | FEATURE: OpenBGP instead of QUAGGA is used for EL8 for the Routes Advertising Service. New RAS templates: 'Open BGP' and 'Open BGP Online' Templates have been added. |
| 23706 | FEATURE: Configuration for freeradius has been added in the EL8 release. Netsweeper Radius integration has been split into two services: Radius for service provided by FreeRadius, and NSRadius for Netsweeper Radius Log Parser to manage WebAdmin Radius Accounts, Groups, and Users. |
| 23718 | UPDATE: The kickstart file has been reviewed and updated. |
| 23808 | SECURITY: Base operating system RPM packages have been sourced from Oracle Linux 8 and Oracle Linux 6, providing long-term support for security and package updates faster than the CentOS variant of RHEL provided. |
| 24388 | FEATURE: Duplicate keyword entry logs have been changed from 'Error' to 'Debug'. |
| 24393 | BUG: Gzipped CSV files for Reports did not work correctly on Chrome. Browser detection has been added for major browsers. |
| 24408 | BUG: Loggertest would fail when sending a log entry to a remote logger with a great amount of screenshot data. |
| 24439 | BUG: Profile Manager Timezone Settings did not allow the user to select time settings to manage the profiles. |
| 24443 | BUG: There was an invalid keylength for the Let's Encrypt SSL certificate in EL8. The keylength input has been removed. It is now always 4096. |
| 24470 | BUG: There was a failure to validate the signature for SAML authentication. |
| 24471 | BUG: SAML authentication would fail due to the Chrome SameSite cookie policy. |
| 24476 | BUG: A warning was added for an invalid option format in nsupgrade. |
| 24479 | BUG: The default timezone was 'UTC' and not the timezone set during install. |
| 24488 | FEATURE: All Protocols have been updated to use SSL/TLS in the Policy Service. |
| 24498 | BUG: Deleting a Report Instance did not create a WebAdmin Log. |
| 24499 | BUG: Importing List entries displayed the wrong 'Edited at' time stamp. |
| 24509 | BUG: NSProxy could abort when serving a Deny Page for a corrupt SSL request. |
| 24511 | BUG: The List Search Filter did not work correctly. |
| 24512 | BUG: Continuous Reports data output everything as zero. |
| 24520 | BUG: The Quick Report 'Denied Request Log Report' would never finish loading. |
| 24524 | BUG: There were Policy Service stability issues in the 7.1.7 release. |
| 24527 | BUG: For EL 8, the nginx config did not have the proper timeout setting. |
| 24531 | SECURITY: All RPM files are now signed, and signature checking is enforced on upgrade for both the EL6 and EL8 releases. |
| 24532 | FEATURE: Web Upgrade no longer mangles the /etc/yum.repos.d and leaves the management to ns_repos, ns_webupgrade 7.1.8. |
| 24535 | SECURITY: Netsweeper Security updates of upstream packages from Enterprise Linux 6 for 7.2.1 have been added. |
| 24539 | BUG: PHP warnings have been fixed for EL8. |
| 24540 | BUG: NSRoutes would stop loading a cache line over 8192 bytes, causing subnet corruption for IPv6 to /32 and additional problems. |
| 24541 | FEATURE: The PF_RING and Bridge kernel have been updated to the new kernel-2.6.32-754.35.1.el6.x86_64. |
| 24551 | FEATURE: The EL8 kernel has been upgraded to kernel-4.18.0-305.7.1 including upgrades to pf_ring and the bridge drivers. |
| 24552 | BUG: There was a database error with adding a new host. |
| 24558 | BUG: There was an upgrade failure after clustering. |
| 24565 | BUG: Web Upgrade in 7.1.8 did not clean up the repo after it was changed. This has been fixed in Web Upgrade 7.2.1. |
| 24575 | FEATURE: SAML SSO configuration for Active-Active WebAdmin has been added to the database. |
| 24577 | FEATURE: Deny Pages are now generated on all WebAdmin servers by the Up2Date service. |
| 24578 | FEATURE: WebAdmin configuration files are now generated by the Up2Date service on each WebAdmin. |
| 24588 | FEATURE: Exception List header rewrite support has been added to the Chrome Client Filter. This allows for the YouTube restricted or moderate mode to be enforced via the Exception List. |
| 24590 | BUG: Improvements for URL Lists have been added for the MacOS Client Filter. |
| 24598 | BUG: In the Client Filter, the 'Request a Review of the Denied URL' link did not send an email. |
| 24608 | FEATURE: The EL8 network stack did not load the rule-INT and route-INT which Netsweeper makes great use of. We have added a new script /etc/NetworkManager/dispatcher.d/40-sysrouterule which will load and process these networking rules and routes for all interfaces. |
| 24615 | BUG: Deny Pages on the Policies page could not be deleted. |
| 24616 | BUG: Both httpd and nginx could be enabled on the install of Netsweeper 7 on EL8. This has been fixed. Netsweeper 7.2.1, by default, uses nginx due to problems with Apache and chunked encoded http POST data causing WAgent calls to fail. |
| 24617 | BUG: URL Lists did not support hashing on some platforms. Default hashing has been defined to make sure all platforms support URL List hashing functionality. |
| 24618 | FEATURE: New parsing and support for the policy service URL has been added. This allows us to prefix the policy service with http:// https:// ssl:// ssli:// httpsi:// and other schemes to define the type of connection to create for the policy service. Policy service support for https or SSL will be included in the 7.2 GA release. |
| 24627 | BUG: The Logs LIVE page would display an error in the WebAdmin interface when out of memory in the merge verification screens. |
| 24630 | BUG: There was an inability to delete Request Servers in EL8. |
| 24638 | BUG: An error was causing display problems for 'Request Logs'. |
| 24640 | FEATURE: All upgrades are now done over HTTPS to the https://repo.netsweeper.com repository. |
| 24662 | BUG: The RDNS could crash at shutdown. |
| 24677 | FEATURE: All Report Types can now be filtered by 'Status' and Scheduled Reports can be filtered by 'Interval' using Advanced Filters. |
| 24681 | BUG: Having a different directory for the Reporter temporary files that are mounted on a different file system would cause the Reporter to stop. Having the temporary file storage on a different file system is still unsupported; however, it will not cause the Reporter to stop. |
| 24696 | BUG: The Policy Server would not add a Header to HTTP for the Client Filter, causing connections to close for every policy request. A connection keepalive has been added. |
| 24700 | FEATURE: Policy Service protocol support for https, httpsi, ssl, ssli has been added to the Client Filter. This allows for secure communication between the client and server. |
| 24703 | BUG: During the build process of ns_backup RPM file, the /tmp directory was used and not the RPM_BUILD_ROOT. |
| 24706 | FEATURE: There is now the ability to extend Up2Date to call php modules to generate client-side configuration based on webdb calls. |
| 24707 | BUG: A broken libwebdb call could leave a cache.generating file which would delay the future webdb calls by 10 seconds while we attempt to wait for it to be entirely generated. A tmp file check has been added. If the temp.generating file does not change size in 1 second, total failure is assumed. |
| 24710 | UPDATE: Squid and Enterprise Filter have been removed from EL8. |
| 24713 | BUG: The nginx service did not allow letsencrypt to access the WebAdmin server. |
| 24714 | FEATURE: Deny Page images are no longer uploaded using a file manager and are instead generated by the Up2Date service on each WebAdmin. New functionality allows you to browse for or drop an image and then insert it into the Deny Page. |
| 24717 | BUG: Starting the nsd or nsproxy service on EL8 would cause nginx to start, which is not a hard requirement for these services when configured with a remote WebAdmin. |
| 24718 | BUG: There was a rendering display issue in the data feed for Live Logs, leading to an error. |
| 24720 | FEATURE: The modules.yaml in EL8 would always break the modularity, causing installation errors. We now generate our own modules.yaml for injection into the dnf repository. |
| 24728 | BUG: Logging out of SAML auth logging in Chrome could cause an error page to appear. |
| 24738 | FEATURE: MariaDB Galera Clustering has been enabled. |
| 24745 | FEATURE: Default ports are set for httpsi/https/http if no default port is specified for endpoint schemes. |
| 24753 | SECURITY: systemd had rpcbind open by default and it is not required. |
| 24768 | FEATURE: Improvements have been made to libwebdb for support of the Up2Date service and serializing the WebAdmin configuration and deny pages to multiple servers. |
| 24771 | FEATURE: The Policy Service will now parse either http:// or https:// liger events in the 7.2.0 release. |
| 24772 | FEATURE: The WebAdmin now supports SSL/TLS connectivity for the database for secure DB connectivity. There is a new 'Secure SSL Connection TO Config Database' checkbox added to the 'Database Configuration' section of WebAdmin Settings. It is used to enable the SSL connection from the WebAdmin to the database, so the transmitted data is encrypted. |
| 24774 | SECURITY: The Policy Service is now configured for perfect forward secrecy. |
| 24776 | FEATURE: The gssproxy.service has been disabled on install for EL8. |
| 24779 | BUG: nsupgrade now shows the help by default. |
| 24802 | FEATURE: The WebAdmin Login Disabled setting has been removed since it is not saved into the settings local or nsup2d. |
| 24805 | BUG: The WebAdmin Logs to Request Log functionality did not always log the correct date/time. |
| 24808 | BUG: NSProxy would crash if Deny Page Type was changed to a 400, 404, 500 and other deny page types. This rare problem has been resolved. |
| 24809 | SECURITY: Improved WebAdmin security has been added as the web server no longer needs to write files and the configuration is replicated via the Up2Date service. Configuration files are no longer adjusted by the web service user. |
| 24811 | BUG: Google CECPQ2 post-quantum key agreement, when enabled, sends the Client Key in the Client Hello; this caused problems parsing the Server Name Indicator for Capture Modules and Enterprise Filter installs. |