What's new 

Improved network diagnostic utilities

The Blue Cedar Connect Gateway includes diagnostic utilities to help you validate the gateway configuration during setup and debug network connectivity issues during troubleshooting. Release 4.3.3 of the Connect Gateway improves these network diagnostic utilities, most notably by letting you specify a source IP address. With a source address, the gateway emulates a Blue Cedar-secured mobile app trying to reach a resource in the backend network, so from the gateway you can test both the gateway's own connectivity and the path a mobile client would take.

  • dns-lookup: Replaces the deprecated nslookup command and adds the ability to specify a source address.
  • ping: Adds the ability to specify a source address.
  • traceroute: Adds the ability to specify a source address.
  • test-web-request: Adds the ability to specify a source address.

For more information about diagnostic troubleshooting using these commands, see Network testing and diagnostic procedures.
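To make concrete what "specify a source address" does at the network layer, here is an added example (not Blue Cedar code and not the gateway's own commands): a Python script that performs a web request with the TCP socket bound to a chosen source IP, the way a gateway-side test-web-request with a source address emulates a mobile client. It assumes only the Python standard library, uses a constructed loopback HTTP listener in place of a real backend resource, and uses 192.0.2.1 (a TEST-NET-1 address) as an example of a source IP that no local interface owns, which is the failure mode to recognise when the address you pass is not one the host actually holds.

```python
"""Source-bound connectivity check (added example; not Blue Cedar code).

Binding the socket to a source IP before connecting is what lets a host
emulate a client on another address. The demo runs fully offline against a
constructed loopback HTTP server standing in for the backend resource.
"""
import errno
import socket
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


def source_bound_http_check(src_ip, host, port, path="/", timeout=3.0):
    """GET http://host:port/path with the TCP socket bound to src_ip.

    Returns {"ok": bool, "status": int | None, "error": str | None}, and
    separates "the source address is not mine" from "the backend did not
    answer", which is the distinction an operator needs when reading results.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        try:
            s.bind((src_ip, 0))  # port 0: any ephemeral source port
        except OSError as e:
            if e.errno in (errno.EADDRNOTAVAIL, errno.EINVAL):
                return {"ok": False, "status": None,
                        "error": "source address not assigned to this host"}
            return {"ok": False, "status": None, "error": f"bind failed: {e}"}
        try:
            s.connect((host, port))
        except OSError as e:
            return {"ok": False, "status": None, "error": f"connect failed: {e}"}
        request = (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
                   "Connection: close\r\n\r\n").encode()
        s.sendall(request)
        status_line = s.makefile("rb").readline().decode(errors="replace")
        parts = status_line.split()
        if len(parts) < 2 or not parts[1].isdigit():
            return {"ok": False, "status": None, "error": "malformed status line"}
        return {"ok": True, "status": int(parts[1]), "error": None}
    finally:
        s.close()


class _OkHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the backend resource: answers 200 to any GET."""

    def do_GET(self):
        body = b"ok"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def run_demo():
    """Start a loopback listener, run one good and one bad source-bound check."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), _OkHandler)
    port = srv.server_address[1]
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return {
            # Source address is held by this host: the request goes through.
            "local_source": source_bound_http_check("127.0.0.1", "127.0.0.1", port),
            # Assumed non-local address (TEST-NET-1): the bind is refused, so the
            # result says the source address is wrong, not that the backend is down.
            "foreign_source": source_bound_http_check("192.0.2.1", "127.0.0.1", port),
        }
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

The same bind-before-connect step is what ping, traceroute and DNS lookups do when given a source address; if the address is not assigned to the host, the check fails before any packet leaves, so a "not assigned" result points at the address you chose, not at the backend.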

Resolved issues

Resolved in Connect Gateway 4.3.3

Item      Description
BCC-357   Fixed an issue with authentication provider search order to allow any of these combinations of auth-providers to be in the same auth-group:
            • Radius and OAuth
            • Web-auth and OAuth
            • LDAP and OAuth
BCC-295   Fixed an issue where a user assigned a non-default authentication group could no longer perform SCEP certificate enrollment after that authentication group was deleted.
BCC-347   Fixed an issue with authentication provider search order to allow Active Directory authentication and OAuth to be in the same auth-group.

Resolved in Connect Gateway 4.3.2

Item      Description
BCC-268   Fixed an issue where publicly trusted root certs were not being loaded for requests initiated from the gateway.
BCC-332   Fixed an issue where credentials were logged in cleartext. If gateway logs from earlier releases were retained or forwarded elsewhere, treat any credentials recorded in them as exposed.

Resolved in Connect Gateway 4.3.1

Item      Description
BCC-286   Fixed an issue with address pools when changing pool-type.
BCC-324   Updated logging to include the public IP address of the client in Session START and STOP. See Gateway log contents for details.

Resolved in Connect Gateway 4.3.0

Item      Description
BCC-266   Fixed an issue where the Gateway did not produce a proper SCEP request: the UPN did not appear in the SCEP certificate's SAN UPN field when configured. To place the UPN in the SAN, set "use_san_uri" to "false" and specify %UPN%.
BCC-293   Fixed an issue when the CRL cache size is set to 0 in the config. A cache size of 0 now skips the cache, and a new CRL is always downloaded and processed if available.
BCC-297   Fixed an issue where the Gateway did not handle the certificate revocation list (CRL) properly for a SCEP certificate whose first CRL entry is an LDAP URL. If the Gateway was not configured for LDAP, it produced an error and did not process the rest of the CRL. It now skips the LDAP entry unless an "ldap-base-url" is set.
BCC-308   Fixed an issue where the apphealth probe still showed the "ike" admin state as up even when no IKE connections were open on the Gateway.


Open issues/limitations

  • You can use only one network utility (ping, traceroute, dns-lookup, or test-web-request) with a source IP address at a time when testing mobile client connectivity. For example, if you run ping with a source address in one terminal and try to run traceroute with a source address at the same time in another terminal on the same gateway, the network commands fail. (BCC-378)
  • After upgrading the gateway, DNS may be out of sync with the configuration. This is only an issue for the first upgrade after 4.3.1. To resolve this, use this command in operational mode:

    > request reboot-system
  • You cannot currently modify a trusted certificate. To work around this limitation, first delete the certificate and add a new one. See Configuring AAA Public Key Infrastructure.
  • The gateway does not yet support the ability to add additional interfaces.
  • The gateway does not yet support the ability to configure network inactivity timeout.
  • Certificate enrollment is not currently supported with OAuth authentication.
  • The "auto" mode under the "ports" configuration is experimental.

Documentation

Online documentation is available at https://apollo.bluecedar.com/connect-gateway-doc