The Netsweeper 7.2.10 GA release is now available. This is the last EL6 release planned for Netsweeper. The 7.2.10 GA release allows customers to start their migration to EL8. The 7.2 release bring Active-Active WebAdmin functionality, allowing customers to use multiple WebAdmin servers pointed to a clustered database. The 7.2 release also provides customers with many security improvements for the EL8 based product. All customers should start planning their 7.2 migration to the EL8 based product over the next year. EL6 extended support expires on June 30th, 2024, giving all our customers 2 years to migrate and transition to the Netsweeper EL8 based product.
The Netsweeper 7.2 release is the last release available on both EL6 and EL8. Moving forward, Netsweeper will only be making new features available on the EL8 platform. Customers are expected to transition from EL6 to EL8 using the Netsweeper 7.2 product. Netsweeper will continue to provide security fixes to the EL6 builds but will not provide new features to the EL6 based release.
Summary of 7.2 New Features
Security
- Improved security of the Netsweeper installed product for the EL8 installation added
- Locked down and added improved security features for the EL8 based Netsweeper installation
OS Level Complex Passwords
- Admins now forced to change their OS Level password on EL 8 installs
- Password now must expire in 90 days and the admin cannot change it again within 7 days
- A new password cannot be the same as the previous 5 passwords
WebAdmin Features
- Active-Active WebAdmin systems support pointed to a single clustered database
- SAML SSO configuration for Active-Active WebAdmin added to the database
- WebAdmin now has a default certificate and key for SAML login
- Directory Sync can now be run on multiple Active-Active WebAdmin servers at the same time
- Per domain Directory Sync Interval or Timing and logging level added
- Directory Sync fields for Status, Sync Server, Sync Time, and Last Sync Date added to accommodate Multi Server Directory Sync
- WebAdmin Backup allows selection of WebAdmin servers based on the WebAdmin URL in Security Labels
- Refactored to use the hostname of the server and not the IP
- Reporter will not run Reports on a database that has not yet been upgraded
- Directory Sync does not run unless the database version matches the version required by the DirSync service
- A new 'Secure SSL Connection TO Config Database' checkbox is used to enable the SSL connection from the WebAdmin to the database, so transmitted data is encrypted.
- WebAdmin Status window (EL 8) shows the version, current time, and CA Certificate information
- All upgrades are now done over HTTPS to the https://repo.netsweeper.com repository
- Database only upgraded when user logs in to the WebAdmin or forced with webadminctl dbupgrade
- WebAdmin now displays error when WebAdmin version does not match database version
- First Name, Last Name, and Email have been added for the Client functionality (WebDB, Policy Service, WAgent, DirSync, Import/Export) as well as Logging and Reporting
- WebAdmin Settings now loads from external applications to support loading settings, passwords, and other settings from external secure systems
- Users can override WebAdmin Settings in settings_override.php allowing for external systems to do queries to load settings
- Added new report instance export format CSV (UTF16), that supports Unicode characters
- Supports 'File' URLs that do not contain a hostname making it possible to use URLs like file:///app.exe
- 'Module Name' added to the Request Part List processing so when Client Filter sends the 'Module Name' it will be possible to Allow or Deny
- 'No Action' added to List 'Restrict Actions' that allows a user to add a URL that is basically 'Not found'
- 'Client Module Name' added to 'Trace Request' allowing users to debug Module Name processing steps
Security Labels
- Security Labels updated to work with Active-Active WebAdmin
- 'Security Labels' interface added to associate a host server with the database
- Can associate multiple servers with a single WebAdmin database (Previously WebAdmin could only be active on a single host or system at a time)
- Support for Active-Active WebAdmin hosts serving content from the same database
Directory Sync
- Active-Active Directory Sync enabled to apply WebAdmin URL and server validation settings
- New WebAdmin Settings for Active-Active Directory Sync: 'WebAdmin Dirsync URL' and 'WebAdmin Dirsync Server Validation Disabled'
- Validates the accessibility of WebAdmin APIs before running synchronization
- Azure Active Directory can now synchronize with Microsoft Graph SDK and Microsoft Authentication Library. DirSync type based on the Microsoft Graph SDK with MSAL4J for Azure Directory.
- DirSync now supports TLS/SSL connectivity to the database
Deny Pages
- Can browse for or drop an image and insert it into Deny Page
- Deny Pages now generated on all WebAdmin servers by the Up2Date service
Up2Date Service
- WebAdmin configuration files now generated by the Up2Date service on each WebAdmin
- Up2Date Files page removed as the new Up2Date service no longer copies specific files or directories but generates files for all WebAdmin servers
- Logs the module that are running, possibly the time taken to run the module for logging purposes
- Logs modules that are running to show progress
- Translations now published with Up2Date
Client Filter
- Work has been done in the 7.2 release along with the Netsweeper Client Filter 9.0.0
- 'Client ConfigEdit' and 'Client Exception Lists' added to 'Client Filter Settings' in the WebAdmin
- Exception List header rewrite support for Chrome Client Filter to allow YouTube restricted or moderate mode to be enforced via Exception List
- Policy Service protocol support for https, httpsi, ssl, ssli added to the Client Filter allowing secure communication between the client and server
- WebAdmin can push an Exception List for the Client Filter along with Config Edit branding settings
- 'Platform' attribute added to WebAdmin Brand Settings for different Windows and MacOS releases
- Client Filter Brand can 'optionally' specify a Brand in the Client Filter Configuration
- Thinclient protocol version 002 implemented that allows for 'Module Name' to be passed for policy processing in the Client Filter 9.0.0 and above
- New Client Filter Brand permissions added for SysOps to perform Client Filter Settings Brand Management
- Uninstall Key Generator option moved to 'Client Filter Settings' allowing per Brand key generation
- 'Mode' option has been added to the Uninstall Key Generator to Profile Manager and Roaming User Service mode as both can get an uninstall key generated
- Client Filter Settings order of precedence has been fixed in nsd.conf, default brand in WebAdmin, specific brand, and finally the specific brand with platform defined
- nMonitor Config settings added to the WebAdmin Client Filter Settings
Policy Service
- The Policy Service now parses either http:// or https:// Client Filter events.
- Parsing and support for the policy service URL has been added.
- All Protocols have been updated to use SSL/TLS in the Policy Service
- Logging can now extract the organization part from the Client name or Group name
Radius
- New Routes Advertising Service templates added for EL8 OpenBGP, instead of QUAGGA
- Radius integration is split into two services for EL8: Radius for service provided by FreeRadius, and NSRadius for Netsweeper Radius Log Parser
See also: All Netsweeper 7.2 New Features and What's New in Netsweeper Documentation
Change Log 7.2.10
Ticket | Type | Description |
24212 | UPDATE: | Workstation Agent and Radius logging are now disabled, by default, in the 'Disable WebAdmin Logging Sections' of WebAdmin Settings. |
25707 | BUG: | The command for remoteadmin APIs was being double escaped. |
25833 | UPDATE: | Enterprise Service and Squid have been removed from the EL 8 releases. |
25841 | SECURITY: | The liger_webadmin_url has been changed, in Policy Server Settings, from http:// to https:// on port :8080. |
25911 | FEATURE: | The CSP header for upgrade-insecure-requests header has been added so the liger_webadmin_url is always https. |
25926 | UPDATE: | The policy_auth_redirect_all_protocols_enabled setting in Policy Server Settings, by default, is now disabled. |
25936 | BUG: | WebAdmin APIs failed to clean up expired Clients properly due to an incorrect timezone. |
25951 | BUG: | Using Create Report to create a report from a template injects a null time value that breaks the Report. |
25952 | BUG: | the 'Create Local List' button did not work properly in EL 6. |
25953 | SECURITY: | Two cross site scripting problems in the WebAdmin, identified by Polaris, have been fixed. |
25957 | BUG: | A JavaScript error for menu search has been fixed. |
25961 | BUG: | nsup2date generated WebAdmin logs on the remote system which may not have had the database configured properly. |
25963 | BUG: | Directory Sync does not properly Sync to some Azure Directories due to memory limit. |
25965 | BUG: | DirSync removed Groups without confirming the resync permissions. |
25973 | BUG: | DirSync failed to make a connection to the WebAdmin if its WebAdmin API URL used the HTTP protocol. |
25974 | SECURITY: | There was an undefined variable PHP error related to DirSync. |
25984 | BUG: | The EL8 Radius Parser did not remove the radius log file after processing. |
25985 | SECURITY: | A WebAdmin log message has been added when the Category Manager publishes a Category Revision. |
25987 | BUG: | group_create_ext API has been removed. |
25988 | BUG: | A duplicate local network entry in the Brand settings would be logged as a memory allocation error and not a duplicate entry error. |
25989 | BUG: | When generating categories.php in nsup2d we merge categories from all revisions. |
25991 | SECURITY: | Fix 7 MED Polaris reported issues for the policy service. |
25995 | SECURITY: | CSV File export can export Excel functions starting with -+= in a cell. |