Multi-Tech RouteFinder VPN Family (RF660VPN)

Contents
========

- Introduction
- Hardware Description
- How to perform Live Update
- Revision History
- Support Options
- Copyrights and Trademarks

Introduction
============

This document provides procedures on how to perform an update. It also includes information on all the changes and fixes within the product. Should there be any further recommendations, please contact the local Multi-Tech Systems office listed below.

Hardware Description
====================

RF660VPN Hardware description:
------------------------------

- Firewall / VPN with 10/100 Mbps LAN, WAN and DMZ ports

How to perform Live Update
==========================

- Make sure your RouteFinder is on the Internet
- Log in to Webadmin on the RouteFinder
- Click on Tracking
- Click on Update Services
- Click on the Start button for the Update System
- Click on Update-Livelog for the status of the update
- Make sure the livelog shows "RPM RF660-x-xx installation successful" before performing any other tasks in Webadmin
- Click on Home to make sure the new version is displayed.

Revision History
================

Changes and Bug Fixes in Version 3.02 (March 19, 2003)
======================================================

NOTE: After update 3.02 is completed, if you have DNS Proxy enabled, you must disable and enable DNS Proxy manually.

Processes will be restarted and changes that will be done to the existing configurations:
-----------------------------------------------------------------------------------------

1. IPTable ALLOW rules for ports 2049 (NFS), 2401 (CVS), 113 (identd), 139 (NetBIOS), 1812-1813 (RADIUS), 69 (TFTP) will be removed from the chain ALLOW_PORTS. Instead, rules for ports 2401, 139, 1812, 1813 will be added in the AUTO_OUTPUT chain. This is to send CVS, SMB authentication and RADIUS packets from the RF660.

2. If Virus Scanner is enabled, the REDIRECT rule for the POP3 Virus Scanner will be moved to the first position in the DNAT chain.
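The two rule changes above are the kind of thing an administrator would want to confirm on the box once the livelog reports a successful installation, because a leftover ALLOW rule for NFS or TFTP, or a POP3 REDIRECT that is no longer first in DNAT, silently changes what the firewall accepts and what mail the virus scanner sees. The following Python script is an added example, not Multi-Tech's own tooling: it parses an iptables-save style dump and reports the three conditions the notes describe. The chain names ALLOW_PORTS, AUTO_OUTPUT and DNAT and the port lists come from the release notes; the sample dump, the exact rule syntax, the assumption that the POP3 redirect matches `--dport 110`, and the function names are constructed for the example and may differ from what a real RF660 prints.

```python
import re
from collections import defaultdict

# Constructed sample in iptables-save format. The chain names come from the
# release notes; the rule syntax and the redirect target port are assumptions,
# not captured RF660 output. ALLOW_PORTS deliberately still carries a stale
# NFS (2049) rule so the check has something to report.
SAMPLE_DUMP = """\
*nat
:DNAT - [0:0]
-A DNAT -p tcp -m tcp --dport 110 -j REDIRECT --to-ports 8110
-A DNAT -d 10.0.0.5/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.10:80
COMMIT
*filter
:ALLOW_PORTS - [0:0]
:AUTO_OUTPUT - [0:0]
-A ALLOW_PORTS -p tcp -m tcp --dport 22 -j ACCEPT
-A ALLOW_PORTS -p udp -m udp --dport 2049 -j ACCEPT
-A AUTO_OUTPUT -p tcp -m tcp --dport 2401 -j ACCEPT
-A AUTO_OUTPUT -p tcp -m tcp --dport 139 -j ACCEPT
-A AUTO_OUTPUT -p udp -m udp --dport 1812 -j ACCEPT
-A AUTO_OUTPUT -p udp -m udp --dport 1813 -j ACCEPT
COMMIT
"""

# Ports the 3.02 update removes from ALLOW_PORTS, and the subset it re-adds
# in AUTO_OUTPUT (both lists taken from the release notes).
REMOVED_FROM_ALLOW_PORTS = {2049, 2401, 113, 139, 1812, 1813, 69}
EXPECTED_IN_AUTO_OUTPUT = {2401, 139, 1812, 1813}

DPORT_RE = re.compile(r"--dport\s+(\d+)")


def parse_dump(text):
    """Return {chain: [rule, ...]}, preserving rule order within each chain."""
    chains = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("-A "):
            continue  # skip table headers, chain declarations and COMMIT
        _, chain, rest = line.split(" ", 2)
        chains[chain].append(rest)
    return chains


def dports(rules):
    """Set of destination ports mentioned by a list of rules."""
    found = set()
    for rule in rules:
        m = DPORT_RE.search(rule)
        if m:
            found.add(int(m.group(1)))
    return found


def stale_allow_ports(chains):
    """Ports the update should have removed from ALLOW_PORTS but are still present."""
    return sorted(dports(chains.get("ALLOW_PORTS", [])) & REMOVED_FROM_ALLOW_PORTS)


def missing_auto_output(chains):
    """Ports the update should have added to AUTO_OUTPUT but are absent."""
    return sorted(EXPECTED_IN_AUTO_OUTPUT - dports(chains.get("AUTO_OUTPUT", [])))


def pop3_redirect_is_first(chains):
    """True if the very first DNAT rule is the POP3 (tcp/110) REDIRECT.

    Position matters: a DNAT rule placed ahead of it would divert POP3 traffic
    before the virus scanner ever sees it.
    """
    rules = chains.get("DNAT", [])
    if not rules:
        return False
    first = rules[0]
    return "-j REDIRECT" in first and "--dport 110" in first


def check(text):
    """Run all three post-update checks over an iptables-save dump."""
    chains = parse_dump(text)
    return {
        "stale_allow_ports": stale_allow_ports(chains),
        "missing_auto_output": missing_auto_output(chains),
        "pop3_redirect_first": pop3_redirect_is_first(chains),
    }


if __name__ == "__main__":
    # On a real box you would feed in the output of `iptables-save` instead.
    for name, result in check(SAMPLE_DUMP).items():
        print(f"{name}: {result}")
```

An empty `stale_allow_ports` list, an empty `missing_auto_output` list and `pop3_redirect_first` being true together mean the ruleset matches what the 3.02 notes say it should look like; anything else is worth a look before trusting the firewall again.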
Changes:
--------

1. Special characters are allowed in the passwords for the Root user, SSH user, Webadmin user, PPP, PPPoE, CVS, other users (in the user authentication page), and the RADIUS secret.

2. Before stopping IPSec, the Pluto database is cleared of all connections.

3. Packet Filters - Added a configurable option to enable / disable logging of packets that are destined to the RF660 and are discarded. This allows the packet filter livelog to display all the packets that are being dropped.

4. Logon page - The logo and version number on the initial logon page can be displayed / hidden with a configurable option in the Administration -> Web Admin page.

Fixes:
------

1. IPTable ALLOW rules for ports 2049 (NFS), 2401 (CVS), 113 (identd), 139 (NetBIOS), 1812-1813 (RADIUS), 69 (TFTP) will be removed from the chain ALLOW_PORTS. Instead, rules for ports 2401, 139, 1812, 1813 will be added in the AUTO_OUTPUT chain. This is to send CVS, SMB authentication and RADIUS packets from the RF660.

2. 0 was not allowed in the 2nd and 3rd positions of the IP address for Gateway, WINS address, SAM PDC, SAM BDC, SMTP Proxy->SMTP routes. Fixed it.

3. Fixed a validation problem for Accepted Incoming Domains in SMTP Proxy.

4. Services:
   - In the Services page, the source port for DNS and SSH has been changed from 1024:65535 to 1:65535.
   - While editing a service and changing the protocol, the ports would vanish. Fixed this problem. Now TCP, UDP, TCP+UDP form one group and AH, ESP form another group; if a service is edited and the protocol is changed within a group, the source port and destination port fields or the SPI values will remain intact.
   - Changed the alert message displayed if the service name added already exists in the services / service groups lists.

5. After update 3.01, PPTP had to be restarted from the web GUI for adding users in the local database. Fixed the problem.

6. If the DHCP client is not able to get an IP address, after it finishes trying, the IPSec route for eth1 was getting removed. Fixed it.

7. Virus Scanner - Two separate controls have been added in the Proxies->SMTP Proxy->Virus Scanner section:
   - SMTP Virus Scanner
   - POP3 Virus Scanner

8. The POP3 Virus Scanner's redirection rule has been made such that it has high precedence over DNAT rules. (It will always be added in the first position.)

9. After update 3.01, the ownership of the ICMP services file was changed. So, while adding ICMP services, error messages were getting displayed. Fixed it.

10. Version Control - Clearing the options was not being allowed. Now it is allowed.

11. PPPoE is enabled and it is not able to get an IP address. Now, restart the box. After coming up, the gateway and IP address for WAN entries in the Network Setup are in non-editable format. Also, while the monitor is trying to get an IP address, the gateway and WAN entries will be in non-editable format.

12. Factory default values changed for the above. The IPTable rule file in factory default did not have an entry for the SQUID_DROP chain. Added it. Also, if it is not already there in IPTables, it will get added now. The entry for POP3VSCAN was not there in the factory default process status file. Added it.

Changes and Bug Fixes in Version 3.01 (March 3, 2003)
=====================================================

Processes will be restarted and changes that will be done to the existing configurations:
-----------------------------------------------------------------------------------------

- PPTP daemon will be restarted. All the existing connections will be brought down.
- DHCP client will be restarted.
- SurfControl server will be restarted.
- Existing IPSec connections with Local Subnet as 'Any' or 'none', or Remote Subnet as 'Any', will be removed.
- After this update, only one authentication type can be selected for HTTP Proxy and SOCKS Proxy authentication. So if 2 or 3 authentication types have been selected already (before the update), the first authentication type alone will be enabled and the others will be disabled. So, HTTP Proxy and SOCKS Proxy will be restarted.
- ICMP Packet filter rules with the following codes will be removed: Network Unreachable - Protocol Unreachable. This is because, if any such rule had already been added, it would not have really been added in the IPTable rules.
- ICMP Packet filter rules with the following codes will be removed, as they are obsolete:
  - time-stamp-request
  - time-stamp-reply
  - network-unreachable -> host-isolated
- Existing Network Intrusion Detection rules with Destination IP Address as 'Any' will be removed.

Changes:
--------

1. SARG report generation has been moved from cron.fivemins to cron.hourly.

2. PPTP - Static IP address assignment support for users.

3. Networks & Services - Services - The Protocol "ANY" has been removed from the Services page. This is because a static service 'Any' already exists with ports 1-65535. There is no point in having one more user-defined service with protocol "Any": if the protocol is "Any", the port numbers configured have no meaning.

4. IPSec - When adding a new or editing an existing IPSec connection, connections can no longer be added with Local LAN = Any, Local LAN = none or Remote LAN = Any.

5. HTTP Proxy - HTTP proxy authentication will now allow only ONE type (local or RADIUS or SAM).

6. SOCKS Proxy - SOCKS proxy authentication will allow only ONE type (local or RADIUS or SAM).

7. Network Intrusion Detection - The entry Any has been removed from the Destination list box. This is because it results in logging a lot of messages and the box becomes very slow.

8. DNAT - 'Any' has been removed from the pre-destination network.

9. Backup - The length of the comment field in the backup page has been limited to 100 characters.

Fixes:
------

1. Statistics & Logs - SMTP Proxy - If you selected it from the left side menu once and clicked again on the same entry (SMTP Proxy), it gave an error. Fixed this.

2. URL Categorization filters - A memory leak problem has been fixed.

3. URL Categorization filters - The check for memory percentage has been removed from the five minutes cron job.

4. PPTP - PPP CPU % was going high if a client disconnect was not proper. After that, no other connection would be allowed. Fixed this problem.

5. PPTP - An extra log option has been removed from the /var/chroot-pptp/etc/ppp/options file.

6. Networks & Services - Services - Click on edit of one service and then again click on edit of another service to edit the next service. The newly edited second service became the first service. Fixed this problem.

7. Network Groups / Service Groups - The same service / network could not be added in two different groups. Now it can be added.

8. System Updates - If no update is to be done, the message shown in the update livelog was wrong. Also, if the signature check for any RPM failed, the update went into an infinite loop. Fixed these problems.

9. System Updates - After a system update, the File Integrity Check module was sending a mail that it is not supposed to send. Fixed it.

10. Virus Update - After the update from 2.94a to 3.0, the virus update date and time were not getting displayed in the web GUI. Fixed it.

11. SSH - If there were SSH connections to the box and the main sshd got killed, self monitor was not restarting sshd. Fixed it.

12. IPSec - If for some reason Pluto gets killed, the monitor should be able to restart IPSec.

13. Log rotate - The virus scanner's log file kavscan.rpt has been included in logrotate.

14. Packet Filters - A packet filter rule with service as "ICMP as Network Unreachable and Protocol Unreachable" was not getting added. Fixed this.

15. Packet Filters - Packet filter rules with ICMP time-stamp-request, time-stamp-reply, network-unreachable -> host-isolated were not getting added as they have become obsolete. Removed those options from the Services page itself.

16. DHCP client - If the IP address is changed during renewal, the configuration files were not getting updated properly. Fixed it.

17. Web Admin Site Certificate - Now, spaces are allowed for State, City, Company, Organization Unit.

18. Web GUI - The GUI has been made faster as File Integrity Check calls have been optimized.

19. Backup - The version file has been added to the backup.

20. Backup - After importing a backup, the folder /home/multiweb was getting deleted. Fixed this problem.

21. Backup - If a comment was not given while taking a backup (from the web GUI), importing that backup file gave a version error. Fixed it.

22. Backup - After the number of backup files to be kept in the firewall reached the maximum number configured, and then if the date was changed to the past, the subsequent backups were failing. Fixed this.

23. Certain domains were not getting added in the Accepted Incoming Domains field. Fixed the validation problem.

24. 0s were not getting accepted in the 2nd or 3rd fields of the WINS IP address. Fixed the validation problem.

25. DNS Proxy - The admin mail id in the default zone file has been changed to admin@yourdomain.com.

26. POP3 Virus Scanner - Included the POP3 Virus Scanner in self monitor.

27. Packet Filters - ICMP - ICMP on firewall - If ICMP is disabled for LAN or DMZ, DROP rules were getting added for WAN also. Fixed this.

28. Changes in factory default for the above. Also, after restoring factory default, the /home/multiweb directory was getting deleted. Fixed it.

Support Options
===============

For technical support, you may contact your authorized Multi-Tech Systems distributor, dealer or the following Multi-Tech Systems branch offices.

U.S.A.
  Web Site: www.multitech.com
  FTP Site: ftp.multitech.com
  Tel: +1(763)785-3500
  Fax: +1(763)785-9874

U.K.
  Tel: +44(118)959-7774
  Fax: +44(118)959-7775

France
  Tel: +33(1)6461-0981
  Fax: +33(1)6461-0971

India
  Tel: +91(11)6174-634
  Fax: +91(11)410-5968

Copyrights, Trademarks
======================

All documents and software provided herewith are Copyright (c) 2003 Multi-Tech Systems. All rights reserved. MS, Windows, Windows 95, Windows NT are tradenames of Microsoft Corporation. Other trademarks or tradenames used herein are properties of the respective owners.