Blue Cedar Connect Gateway 4.3.x Release Notes
What's new in 4.3.4
4.3.4 is a maintenance release with no new functionality. Please see the Resolved issues below for details.
Note: 4.3.4 is provided only as an upgrade file, please refer to the "Upgrading Blue Cedar Connect Gateway" for instructions. If you require the Connect Gateway virtual image, please download the appropriate 4.3.3 .ova file from the downloads website and upgrade to version 4.3.4.
Resolved issues
Resolved in Connect Gateway 4.3.4
| Item | Description |
|---|---|
| SPT-2645 | Fix a timing issue where the IKE configuration was given an empty list of IP address pools. |
What's new in 4.3.3
Improved network diagnostic utilities
The Blue Cedar Connect Gateway includes diagnostic utilities to help you validate proper gateway configuration (during gateway setup) and debug network connectivity issues (during troubleshooting). Release 4.3.3 of the Connect Gateway includes improved network diagnostic utilities, including the ability to specify a source IP address. Use a source address to enable the gateway to emulate a Blue Cedar-secured mobile app trying to reach a resource in the backend network. This means you can check both mobile client connectivity as well as gateway connectivity from the gateway.
- dns-lookup: Replaces the deprecated nslookup command and adds ability to specify a source address.
- ping: Adds ability to specify a source address
- traceroute: Adds ability to specify a source address
- test-web-request: Adds ability for test-web-request to specify a source address.
For more information about diagnostic troubleshooting using these commands, see Network testing and diagnostic procedures.
Resolved in Connect Gateway 4.3.3
| Item | Description |
|---|---|
| BCC-357 | Fixed an issue with authentication provider search order to allow any of these combinations of auth-providers to be in the same auth-group.
|
| BCC-295 | Fixed an issue where a user has a defined non-default authentication group and then deletes that non-default authentication group, and is no longer able to perform SCEP certificate enrollment. |
| BCC-347 | Fixed an issue with authentication provider search order to allow Active Directory authentication and OAuth to be in the same auth-group. |
Resolved in Connect Gateway 4.3.2
| Item | Description |
|---|---|
| BCC-268 | Fixed an issue where publicly trusted root certs were not being loaded for requests initiated from the gateway. |
| BCC-332 | Fixed an issue where credentials were logged in cleartext. |
Resolved in Connect Gateway 4.3.1
| Item | Description |
|---|---|
| BCC-286 | Fixed an issue with address pools when changing pool-type |
| BCC-324 | Updated logging to include the public IP address of the client in Session START and STOP. See Gateway log contents for details. |
Resolved in Connect Gateway 4.3.0
| Item | Description |
|---|---|
| BCC-266 | Fixed an issue where the Gateway did not produce a proper SCEP request. The UPN was not seen in the SCEP certificate's SAN UPN field when configured. For the UPN, make sure to set "use_san_uri" to "false" and %UPN%. |
| BCC-293 | Fixed an issue when the CRL size is set to 0 in the config. A cache size of 0 now skips the cache, and a new CRL is always downloaded and processed if available. |
| BCC-297 | Fixed an issue where the Gateway didn't handle the certificate revocation list (CRL) properly in a SCEP certificate containing an LDAP URL as its first CRL entry. In this case, if the Gateway was not configured for LDAP, it would produce an error and not process the rest of the CRL. It now skips the LDAP entry unless an "ldap-base-url" is set. |
| BCC-308 | Fixed an issue where the apphealth probe would still show "ike" admin state as up even if no IKE connections were open on the Gateway. |
Open issues/limitations
- Note that you can only use one network utility (ping, traceroute, dns-lookup, or test-web-request) with a source IP address at a time when testing mobile client connectivity issues. For example, if you run ping on one open terminal, and try to run traceroute simultaneously on another terminal for that gateway, the network commands fail. (BCC-378)
After upgrading the gateway, DNS may be out of sync with the configuration. This is only an issue for the first upgrade after 4.3.1. To resolve this, use this command in operational mode:
BASH> request reboot-system- You cannot currently modify a trusted certificate. To work around this limitation, first delete the certificate and add a new one. See Configuring AAA Public Key Infrastructure.
- The gateway does not yet support the ability to add additional interfaces.
- The gateway does not yet support the ability to configure network inactivity timeout.
- Certificate enrollment is not currently supported with OAuth authentication.
- The "auto" mode under the "ports" configuration is experimental.
Documentation
Online documentation is available at https://apollo.bluecedar.com/connect-gateway-doc