Release Notes
Secure Remote Access                     SonicWALL Aventail E-Class SRA EX-Series v9.0.2

 What’s New in v9.0.2?
 Known Issues
 Technical Documentation

 What’s New in v9.0.2?
 Version 9.0.2 includes improved interoperation with Windows Vista, and increased performance and stability. For
 new users this release also means different hardware. Like previous hardware in the SonicWALL Aventail line, the
 new E-Class Secure Remote Access models are organized by deployment size and type:

     •    SRA EX7000—Like the EX-2500, this model is for up to 2,000 concurrent users and can be used in an
          HA pair
     •    SRA EX6000—Like the EX-1600, this model is for up to 250 users and can be used in an HA pair
 The EX-750 has not changed and is intended for smaller deployments of up to 50 users.
 The two new hardware models include the following:
     •    Rails (in kit, not attached)
     •    Standard IEC 60320 C13 to NEMA 15 USA only power cords
     •    Crossover cable (a network cable that crosses the transmit and receive lines)
     •    1 GB Ethernet ports
     •    2 USB ports
     •    80 GB SATA hard drive
 The E-Class SRA models differ most in terms of processor power, RAM, network ports, and power supply:
                                              SRA EX7000               SRA EX6000
         Regulatory Model/Type                 1RK15-059                1RK20-05A
         Intel processor                 Core2 Duo 2.1GHz CPU      Celeron 2.0GHz CPU
         RAM                                 2Gig DDR533              1Gig DDR533
         PCIe Gig network ports               6 (5 + 1 HA)             4 (3 + 1 HA)
         Power supply                      Dual hot swappable              Fixed

     •    The speed of the serial connection to the appliance in the v9.0.2 hardware is now 115,200 baud, up from
          9600 baud.
     •    The small LCD screen on the front control panel for the E-Class SRA models lights up when the appliance
          is on, but remains blank: this is normal and can be ignored.
     •    The control panel also has a series of LED indicators for power, test, alarm, and the hard disk drive. After
          the appliance starts, the indicators labeled TEST and ALARM remain lit: this does not indicate an error and
          can be safely ignored.

 SonicWALL Aventail E-Class SRA EX-Series v9.0.2
 Part number 232-001486-50_Rev_C
                                          Release Notes

Known Issues
This section describes the known issues for the firmware for this release. The five-digit numbers in brackets are
internal tracking IDs.

Platform/Operating System
Microsoft Vista Operating System
Note: Earlier versions of the Aventail software (prior to v8.9.0) will not work with the Vista operating system.

 Users cannot connect using a Web browser with SSL v3 protocol [34905]
 DESCRIPTION        Vista users will not be able to connect to the appliance using a Web browser if the protocol for
                    encrypting traffic is set to Use SSL v3 protocol only.
 SOLUTION           Change the protocol for encrypting traffic: on the Configure SSL Encryption page in AMC,
                    select either TLS v1.0 protocol or Use both protocols.

 WorkPlace client provisioning fails with IE7 on Vista because Protected Mode is disabled [35003]
 DESCRIPTION        If IE7 is launched by right-clicking the IE icon and selecting Run as administrator, or if the
                    browser is launched with administrative privileges from another application (which is what
                    happens during client provisioning), Protected Mode is disabled. The result is that Aventail
                    Access Manager is successfully installed, but the client is not.

 Web proxy service agents fail to activate if Kaspersky Internet security suite is running [35108/35315]
 DESCRIPTION        On a Vista Ultimate computer using IE7, Aventail agents that use the Web proxy service (which
                    manages HTTP and TCP/IP connects from Web browsers, Aventail OnDemand, and Connect
                    Mobile) fail to activate if the Kaspersky Internet security suite is running. This antivirus program
                    will not allow Aventail .jar files to be installed, resulting in exceptions in the Java Console.

 Network shares are not accessible using a virtual IP address [35358]
 DESCRIPTION        If you run either of the tunnel clients in split tunnel mode (where traffic bound for resources
                    defined in AMC is redirected through the tunnel), you will not have access to network file shares
                    if you are running the Microsoft Vista operating system.

 Outlook Web Access Exchange 2003: Not able to type in new mail window [35471]
 DESCRIPTION        If you are using Windows Internet Explorer 7.0 and Microsoft OWA Exchange 2003 on a client
                    computer running Vista, you may be unable to compose a message.
 SOLUTION           Refer to the following Microsoft knowledgebase article for instructions on installing a patch on
                    your Microsoft Exchange Server 2003 that addresses this issue:

 Outlook Web Access Exchange 2003 & 2007: Cannot attach image files [35514]
 DESCRIPTION        If you are using Windows Internet Explorer 7.0 and Microsoft OWA Exchange 2003 on a client
                    computer running Vista, you may be unable to attach an image file to a message if your browser
                    is in protected mode.
 SOLUTION           You have two options to address this issue: either add Outlook Web Access to your list of
                    trusted sites, or turn off protected mode.

 Outlook Web Access Exchange 2003: Script error while composing a message [35521]
 DESCRIPTION        If you are running Internet Explorer 6, you may see the following error message when you
                    compose a message using OWA Exchange 2003:
                    “A problem with this web page might prevent it from being displayed properly or functioning
                    properly….” This is due to an issue with IE6 that is described in the Microsoft knowledgebase:
 SOLUTION           To fix this problem, go to the Microsoft Web site and install the most current cumulative security
                    update for Internet Explorer 6:

 AAM fails if User Account Control (UAC) is disabled [35557]
 DESCRIPTION        Aventail Access Manager (AAM) enables you to provision users with EPC and access agents
                    when they log in to WorkPlace. The User Account Control (UAC) feature of the Vista operating
                    system alerts users to security-related conditions. AAM cannot run properly (even if it is
                    installed) if UAC is disabled. This is a known issue that is scheduled to be fixed in Internet
                    Explorer 8.0.
 SOLUTION           Enable UAC.

 IE7 fails to use Translated Web when ActiveX and Java are disabled [35560]
 DESCRIPTION        If ActiveX and Java are both disabled on a client computer running Vista, the user will see a
                    script error and be unable to access WorkPlace. (Normally, WorkPlace would revert to
                    Translated Web mode.) This error occurs only if Java is installed, but disabled.

 Driver warning dialog box during Connect tunnel installation [35582]
 DESCRIPTION        On a computer running Vista SP1, a Windows Security alert box appears during installation of
                    Connect tunnel, prompting the user to install the Aventail device software. (This is not an issue
                    in the current release of Vista.)
 SOLUTION           Users should click Install to continue Connect tunnel installation; they will not be reprompted.

 In split tunnel mode, file shares are not always redirected to the appliance [35812]
 DESCRIPTION        In split tunnel mode, traffic bound for resources defined on the appliance is redirected through
                    the tunnel, and all other traffic is routed as normal. With Connect tunnel on a Vista computer and
                    an appliance in split tunnel mode, file share access—which uses the SMB protocol—may not be
                    redirected properly if there is a conflicting resource on both the remote and local networks.
                    For example, if Connect tunnel is started on a network at and there is a
                    resource at, a user who is trying to access a share on a remote network at
                    may get connected to on the local network instead.
                    On the Vista operating system, SMB does not use the appliance's routing table directly, but
                    issues connects on different interfaces simultaneously: whichever connect succeeds first is the
                    one that is subsequently used (even if the routing table on the appliance prescribes something
                    else). In this example, if the interface connects first, then access to the
                    resource at will not be redirected.
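
 The conflict described in [35812] can be checked for ahead of time. The following is an added example, not part
 of the release notes or of any Aventail software: it compares the resource ranges an administrator has defined
 for the tunnel with the subnets a client is attached to locally. All addresses are constructed sample values
 (the addresses in the example above are not given), and the function and variable names are hypothetical.

```python
import ipaddress

# Constructed sample data (assumptions, not values from the release notes).
# Resources as an administrator might define them for split tunnel mode:
SAMPLE_TUNNEL_RESOURCES = ["10.20.0.0/16", "192.168.1.50/32", "172.16.5.0/24"]
# Interface addresses of a client on a typical home network:
SAMPLE_LOCAL_INTERFACES = ["192.168.1.23/24"]


def find_split_tunnel_conflicts(tunnel_resources, local_interfaces):
    """Return (resource, local_subnet, kind) for every address-range collision.

    A collision means a tunnel resource and a directly attached local subnet
    share addresses, so a connect issued on the local interface can succeed
    before the tunnelled one and the share is reached locally instead.
    """
    conflicts = []
    for resource in tunnel_resources:
        res_net = ipaddress.ip_network(resource, strict=False)
        for iface in local_interfaces:
            # strict=False turns an interface address such as
            # 192.168.1.23/24 into its subnet, 192.168.1.0/24.
            loc_net = ipaddress.ip_network(iface, strict=False)
            if res_net.version != loc_net.version:
                continue  # IPv4 and IPv6 ranges cannot collide
            if res_net.subnet_of(loc_net):
                kind = "resource is on the local subnet"
            elif loc_net.subnet_of(res_net):
                kind = "local subnet lies inside the resource range"
            else:
                continue  # CIDR blocks either nest or are disjoint
            conflicts.append((str(res_net), str(loc_net), kind))
    return conflicts


def unaffected_resources(tunnel_resources, local_interfaces):
    """Return the resources that collide with no local subnet."""
    hit = {c[0] for c in find_split_tunnel_conflicts(tunnel_resources,
                                                     local_interfaces)}
    return [r for r in tunnel_resources
            if str(ipaddress.ip_network(r, strict=False)) not in hit]


if __name__ == "__main__":
    for res, loc, kind in find_split_tunnel_conflicts(
            SAMPLE_TUNNEL_RESOURCES, SAMPLE_LOCAL_INTERFACES):
        print(f"CONFLICT {res} vs local {loc}: {kind}")
    print("No conflict:", unaffected_resources(
        SAMPLE_TUNNEL_RESOURCES, SAMPLE_LOCAL_INTERFACES))
```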

 Agent provisioning works only if UAC is disabled [68887]
 DESCRIPTION        The User Account Control (UAC) feature of the Vista operating system alerts users to
                    security-related conditions. If you are running Vista Ultimate SP1, agent provisioning works
                    only when UAC is disabled.

Windows XP SP2

 Windows XP SP2 users must install the KB884020 update from Microsoft [34171]
 DESCRIPTION        On a computer that is running Microsoft Windows XP SP2, programs that connect to IP
                    addresses that are in the loopback address range may not work as expected. For example, you
                    may receive an error message that says that you cannot establish a connection. The
                    OnDemand access agent is in this category: it uses the local loopback address ( to
                    redirect and secure traffic through the appliance.
 SOLUTION           Customers should install this patch from the Microsoft site:

Connect Tunnel
 Cannot access the appliance using the FQDN/VIP for a WorkPlace site [32324]
 DESCRIPTION        If the Connect tunnel client is configured (by an administrator or user) to access the appliance
                    using the FQDN or virtual IP address for a custom WorkPlace site, it displays a message
                    reading “The device is not in a valid state to perform this request.” (If you access protected
                    resources directly using Connect tunnel—in other words, without using WorkPlace—this is not
                    an issue.)
 SOLUTION           Configure the client to access the appliance using the FQDN or IP address contained in the
                    appliance’s main certificate.

 Cannot access the appliance if specified proxy server is unavailable [32355]
 DESCRIPTION        If Internet Explorer is configured to use an outbound HTTP proxy server, Connect tunnel will
                    attempt to access the appliance using that proxy server. If the proxy is available, the client
                    connection will succeed. However, if the proxy server is unavailable, the client will not fall back
                    to sending traffic through the default route, causing the connection to the appliance to fail.
 SOLUTION           Remove the proxy setting from the browser.

 Macintosh and Linux clients lack support for null authentication [32670]
 DESCRIPTION        Specifying None as the authentication server for a realm allows unauthenticated, open access to
                    the realm and its resources; it’s used in the rare cases in which an administrator chooses to use
                    alternate means (a client certificate, for example) to determine whether a device should be
                    trusted. This feature is not supported on the Macintosh and Linux clients.

 Connect tunnel fails to establish the connection when Sygate Personal Firewall is enabled. [32760]
 DESCRIPTION        Using Sygate Personal Firewall 5.6 with default settings, Connect tunnel can establish a VPN
                    tunnel, but then closes it with an error message (“The transport connection was aborted by the
                    local system”).
 SOLUTION           Add an “Allow” rule to Sygate Personal Firewall that allows connections to (a
                    multicast address used by IGMP, the Internet Group Multicast Protocol). Once this rule is added,
                    Connect tunnel can successfully establish the tunnel and connections are allowed. You must
                    also configure Sygate Personal Firewall to allow the following processes to access the network
                    when prompted during/after tunnel establishment:
                       • explorer.exe
                       • svchost.exe
                       • csrss.exe
                       • ngvpnmgr.exe

 Appliance accessible from Connect tunnel even when not explicitly provisioned [33337]
 DESCRIPTION        If the appliance is configured with an IP address pool, a user with the Connect tunnel client is
                    able to connect to the appliance, even if the tunnel client is not explicitly deployed to that user.
                    For example, you might set up a realm with two communities:
                       • An “Employees” community that deploys the Connect tunnel
                       • A “Partners” community that uses translated Web access
                    If a user in the “Partners” community manages to obtain the Connect tunnel client and provides
                    valid authentication credentials, he could use the tunnel client to access resources. (Policy rules
                    still control what resources the partner has access to, but the access method is not what the
                    appliance administrator intended.)

 Using dial-up and remote proxy for the connection to the Internet [33485]
 DESCRIPTION        If you use a dial-up connection to the Internet, and the community to which you are assigned is
                    configured for remote proxy, Internet browsing may not traverse the remote proxy (this applies
                    regardless of whether the remote proxy was configured manually or using a .pac file).
 SOLUTION           In Connect tunnel, make sure the dial-up connection is specified on the Properties page: select
                    the Establish this connection first check box and specify a connection in the drop-down list.
                    (If you use OnDemand tunnel, there is no equivalent way to specify the connection properties.)

 Desktop icon for Connect tunnel in WorkPlace not present for all Linux users [33591]
 DESCRIPTION        When you provision Connect tunnel from WorkPlace and the user downloads and installs the
                    client, an icon is normally created on the user’s desktop. If the client device is a computer
                    running a Linux operating system and a different person logs in to it, no desktop icon for
                    Connect tunnel will be visible.
 SOLUTION           One workaround is to bring up the command window (press ALT+F2), and then type the path to
                    the Connect tunnel program. Alternatively, you could create an icon on the desktop for the
                    Connect tunnel program. In Red Hat or Fedora, for example, you would right-click on the desktop
                    and select Create Launcher, and then browse to the Connect tunnel application.

 Internet is accessible using Firefox in redirect all mode if proxy settings are configured on both IE/Firefox
 browsers [34026]
 DESCRIPTION        When configuring the tunnel clients, you must specify a redirection mode, which determines how
                    client traffic is redirected to the appliance. In redirect all mode, traffic is redirected through the
                    tunnel regardless of how resources are defined in AMC. This works in Internet Explorer, which
                    honors the device's Windows Proxy Settings. Mozilla Firefox, on the other hand, ignores the
                    interface-specific proxy settings and just sends all traffic out the proxy server.

 Certificate selection dialog includes certificates that are not trusted by appliance [34088]
 DESCRIPTION        The list of client certificates in Internet Explorer includes both certificates that the Aventail
                    appliance trusts and certificates that it does not trust.

 Tunnel clients unable to reconnect over an access point that requires authentication [34153]
 DESCRIPTION        On a Macintosh device, the VPN tunnel cannot be re-established when you switch to a network
                    that requires authentication. For example, if a user is connected to the appliance using a wired
                    connection and changes to a wireless access point that requires authentication, the previous
                    connection cannot be re-established; the user must manually log in to the appliance.

 A realm with international characters must be selected from the Browse Login Groups dialog box [34159]
 DESCRIPTION        A realm that you create in AMC can be given a name that includes extended ASCII or double-
                    byte characters (for example, “Berliner Bär”). When a user logs in to a WorkPlace realm that
                    includes these characters, and then installs Connect tunnel, he or she will not be able to
                    establish a VPN connection to the realm shown in the Properties dialog box.
 SOLUTION           Users must follow these steps to work around this issue:
                    1. Make sure you are not yet connected to the VPN using Connect tunnel.
                    2. In the Aventail Connect login dialog box, click Properties.
                    3. Click the General tab, and then click Change. The Browse Login Groups dialog box
                       appears and displays the list of login groups.
                    4. Select the name of the login group (in this case, “Berliner Bär”).

 Error: “An incompatible version of this product is already installed” [34253]
 DESCRIPTION        The setup programs for the Connect tunnel and OnDemand tunnel clients do not allow you to
                    install software updates that use different language resources. If a localized release of the
                    tunnel client is installed, for example, a subsequent upgrade to an English-only release will
                    display an error message (“An incompatible version of this product is already installed. Please
                    remove it using Add/Remove Programs in the Windows Control Panel, and then try again”).
 SOLUTION           If you receive this error message while installing a release of one of the tunnel clients, use the
                    Windows Add/Remove Programs utility to remove the current client, and then run setup again.

 Connect tunnel v8.9.0 fails after upgrade to Vista operating system [33650/35308]
 DESCRIPTION        If a user has installed Connect tunnel v8.9.0 on Windows XP/SP2, and then upgrades the
                    operating system to Windows Vista, Connect tunnel will not run.
 SOLUTION           Manually uninstall Connect tunnel and then re-install it after you’ve upgraded to Windows Vista.

 Forced software update in WorkPlace takes longer than expected [35319/35350]
 DESCRIPTION        In version 8.7 and later, you can configure Connect tunnel to be automatically updated (if
                    necessary) when it is provisioned from Aventail WorkPlace. Users connecting to a version 8.9.0
                    appliance may report that the process takes longer than expected, especially on a computer
                    running Windows Vista. This is normal (the signature with the trust authority is being verified)
                    and will only occur during the first connection to the updated appliance.

 “Redirect all mode” and an internal proxy server [35675]
 DESCRIPTION        In redirect all mode, appliance traffic is redirected through the VPN tunnel regardless of how
                    resources are defined in AMC. In this mode you can also configure traffic bound for the Internet
                    to be redirected through an internal proxy server when the VPN connection is active.

                    Windows Connect tunnel traffic that should not be proxied must be explicitly excluded. On the
                    Network Tunnel Client Settings page in AMC, type the host names, IP addresses, or domain
                    names of any resources that you do not want redirected through the proxy server.

 Auto-update of localized clients to 9.0.0 fails [35806]
 DESCRIPTION        You can ensure that users running the Windows version of the Connect tunnel client have the
                    most recent version of the client by enabling automatic software updating. This auto-update
                    feature, however, does not work for updating the Japanese or Korean Connect tunnel from
                    v8.8.1 or v8.9.0 to 9.0.0.

 Macintosh client installation package in AMC supports OS X 10.5 [64116]
 DESCRIPTION        Version 9.0 supports Macintosh OS X 10.5. The Client Installation Packages page in AMC
                    (available from Agent Configuration in the main navigation menu) incorrectly lists Macintosh
                    OS X 10.4.x.

OnDemand Tunnel
Note: Issue 34253 above applies to both the Connect tunnel and OnDemand tunnel clients.

 HTTPS traffic routed through proxy in clustered configuration [33296]
 DESCRIPTION        If a Firefox browser is configured to use an HTTP proxy, OnDemand tunnel (configured in
                    redirect-all mode) incorrectly routes HTTPS traffic through the proxy when the appliance is
                    running in a clustered configuration. When accessing a stand-alone appliance, the client ignores
                    the HTTP proxy setting and properly routes HTTPS traffic based on the proxy settings
                    configured in Firefox.

 Script error in WorkPlace when a remote proxy is manually configured for a community [33925]
 DESCRIPTION        When an Internet Explorer user logs in to WorkPlace and is classified into a community that
                    requires OnDemand tunnel, he or she will encounter a script error if a remote proxy server (for
                    access to the Internet) has been manually configured for that community.

 V9.0 client fails to downgrade to v8.9 when started from a v8.9 WorkPlace [64120]
 DESCRIPTION        When a user logs in to WorkPlace using a v8.9 appliance, and he or she is assigned to a
                    community that requires OnDemand tunnel, the client computer will be provisioned with v8.9 of
                    both Aventail Access Manager (AAM) and OnDemand tunnel. If the user logs in to an appliance
                    running v9.0 and installs Connect tunnel, v9.0 of both AAM and Connect tunnel are provisioned.
                    This is normal behavior.
                    If this same user then logs in to the original v8.9 appliance, AAM is successfully downgraded to
                    v8.9, but OnDemand tunnel remains at v9.0 and therefore fails to activate.

Connect Mobile
 Trend Micro Mobile Security real-time scanning prevents Connect Mobile installation [32601]
 DESCRIPTION        Trend Micro Mobile Security performs automatic, real-time scanning and virus detection on
                    handhelds. If real-time scanning is enabled, installing or uninstalling Connect Mobile will fail.
 SOLUTION           Disable real-time scanning before installing or uninstalling Connect Mobile.

 Small form factor devices placed in a Quarantine zone must open a new browser window [33198]
 DESCRIPTION        If a user logs in to WorkPlace with a small form factor device and his device profile is a match
                    for a Quarantine zone, he cannot log in again by clicking the Return to login page button or the
                    Web browser’s Back button.
 SOLUTION           To log in again, the user must re-enter the WorkPlace URL in the browser (Pocket Internet
                    Explorer): You can also use AMC to place small form
                    factor devices in a different kind of zone (the Default zone, or a Standard or Deny zone) using a
                    device profile.

 Switching to a different VPN appliance requires rebooting the mobile device [64097]
 DESCRIPTION        If you switch to a different appliance while using Connect Mobile, authentication proceeds
                    normally, but resources are unreachable.

 SOLUTION           To resolve this problem you must reboot your device; simply closing the Connect Mobile
                    program or logging out will not be enough.

OnDemand Proxy
 Standard URLs are not accessible after accessing port-mapped OnDemand URL [32309]
 DESCRIPTION        After using OnDemand to access a port-mapped URL resource, standard WorkPlace URLs (that
                    are not port-mapped) may be inaccessible for a few minutes.
 SOLUTION           To work around the problem, define the local port-mapped listener using something other than
                    port 80 (for example, port 8080). Alternatively, users can wait a few minutes before accessing
                    the URL.

 Problems accessing network shares over OnDemand proxy [32798]
 DESCRIPTION        When using OnDemand proxy to browse a Windows network, shared network resources are not
 SOLUTION           If network share access is required, use Connect tunnel, OnDemand tunnel, or Connect proxy.

 OnDemand proxy may not redirect all connections when DNS fails [32868]
 DESCRIPTION        The first time a user installs OnDemand proxy, connections to unqualified names that are fewer
                    than 16 characters in length are not redirected if DNS cannot resolve them. DNS might be
                    unable to resolve them if, for example, no DNS suffix is configured on the system. When DNS
                    fails, WINS or WINS Broadcast is used, but WINS cannot perform name resolution until the
                    system has been rebooted.

 Browser ‘Back’ and ‘Forward’ buttons are disabled [33758]
 DESCRIPTION        The Web proxy service manages HTTP and TCP/IP connections from Web browsers and
                    Aventail OnDemand. Windows Internet Explorer users will not be able to use the browser’s
                    Back and Forward buttons for navigation if Web proxy service is activated.

 Unable to uninstall AAM from Windows if client switches between version 8.6.1 and 8.9.0 appliances
 DESCRIPTION        If you connect to a version 8.6.1 appliance using a computer running Windows XP or Windows
                    2000, and then later connect to a version 8.9.0 appliance, you will see an error message if you
                    try to uninstall Aventail Access Manager ("Another application has exclusive access to the file
                    C:\Documents and Settings\All Users\Application Data\Aventail\logfiles\odxsp.log. Please shut
                    down all other applications, then click Retry").
 SOLUTION           Once you reboot your client computer you will be able to uninstall Aventail Access Manager.

 OnDemand Proxy must be reinstalled if users upgrade from Vista to Vista SP1 [68628]
 DESCRIPTION        OnDemand proxy users who upgrade from Vista to Vista SP1 will see an error when they try to
                    access WorkPlace.
 SOLUTION           OnDemand proxy users who want to upgrade from Vista to Vista SP1 must uninstall their
                    current copy of OnDemand proxy. Uninstalling OnDemand proxy can be done before or after the
                    upgrade to Vista SP1. Reinstalling OnDemand should be done after the Vista upgrade; it will
                    happen automatically the next time users access WorkPlace.

End Point Control
 EPC Quarantine zone classification fails after proxy server is specified in Internet Explorer [33347]
 DESCRIPTION        If you create a community in which the “fallback” option for client devices that do not match any
                    zones is a Quarantine zone, and you then specify a proxy server for outbound access to the
                    Internet in Internet Explorer, subsequent connection requests that should be quarantined will fall
                    through to the Default zone instead.

 EPC zone classification fails after remediation steps are taken [33374]
 DESCRIPTION        If a user is running Firefox and his device is classified into a Quarantine zone, he may find the
                    device placed in the Default zone (rather than a Standard zone) if he fails to close his original
                    WorkPlace session after completing the remediation steps outlined in the Quarantine zone.
 SOLUTION           To work around this issue, the user should close the Firefox browser window after taking the
                    remediation steps and start a new session.

 Device profile specifying a client certificate in the machine store fails for non-privileged user [34170]
 DESCRIPTION        A Windows device profile can be set up that checks for the presence of a certain client
                    certificate on a user's device in either the machine or user store. The machine store cannot be
                    opened, however, for a user who does not have Windows administrator rights. The search for
                    the client certificate therefore fails and the user is classified into whatever you have configured
                    as the fallback zone (a Quarantine zone or the Default zone).

 Zone classification fails on Traditional Chinese OS with AV “PC-cillin 2006” [34471]
 DESCRIPTION        If you are using a Traditional Chinese version of Windows XP Professional and you have a
                    device profile that specifies the Chinese version of the antivirus program PC-cillin 2006 from
                    Trend Micro, Inc., zone classification will fail.

 Zone classification fails with Norton Antivirus [35535]
 DESCRIPTION        An issue in version v8.9.0 resulted in a mismatch between a device profile attribute (Norton
                    Antivirus) and the antivirus product it was intended to detect (Norton Internet Security 2007).
 SOLUTION           If you have an existing (pre-v9.0.0) device profile that references Norton Antivirus in order to
                    check for the presence of Norton Internet Security 2007, change the profile so that it checks for
                    Norton Internet Security (Symantec Corporation) instead.

Aventail Cache Control/Aventail Secure Desktop
 ACC does not work on Red Hat Enterprise Linux Workstation 4.0 [29301/30608]
 DESCRIPTION        Aventail Cache Control does not load properly on Red Hat Enterprise Linux Workstation 4.0
                    systems using the Firefox browser. The system requirements for Linux include Linux Red Hat
                    9.0, Enterprise Server 3, Fedora (core 3), and Mozilla 1.2 or later.

 Browser windows don’t close properly when ACC is being installed on a Macintosh [32800]
 DESCRIPTION        If multiple browser windows are open when a Macintosh user installs Aventail Cache Control,
                    they remain active. (They should instead close during installation.)

 Incorrect error message is displayed with installation problems on Macintosh [32801]
 DESCRIPTION        If Aventail Cache Control cannot install to the specified folder on a Macintosh system, it displays
                    the message “ACC is getting downloaded, please wait.”
 SOLUTION           Ensure that the folder /usr/bin exists on the Macintosh computer and then try again.

 Session-related URL not removed from cache in Safari [32952]
 DESCRIPTION        When a user logs out of WorkPlace using a Safari Web browser, Aventail Cache Control does
                    not remove the session-related URL from the cache.
 SOLUTION           Instead of clicking Log out in WorkPlace, the user should close the Safari Web browser window
                    in which WorkPlace is running.

 Data is cleared when ACC is temporarily disabled [33216/33230]
 DESCRIPTION        If a user logs in to a realm that requires Aventail Cache Control, accesses a Web site, and then
                    disables cache control manually, all of his Web browser data (URLs, browser history, and
                    cache) is deleted, even the data collected while Aventail Cache Control was disabled.

 Inactivity timeout is not honored if the client is placed in standby mode [33670]
 DESCRIPTION        You can specify a timeout period for the Aventail data protection agents (Aventail Cache Control
                    or Aventail Secure Desktop), after which inactive user connections are automatically terminated
                    and data is removed from the client. However, if the client is in standby mode, the inactivity
                    period is not reached and the session remains active.

 Citrix ActiveX agent cannot be run together with ASD [33829]
 DESCRIPTION        On Internet Explorer, the Aventail Secure Desktop blocks the ability to download and execute
                    ActiveX controls. In this case, the Citrix Java applet is used instead, if it has been uploaded
                    through the Aventail Management Console.

 Accessing WTS resource terminates ASD [34895/35310]
 DESCRIPTION        After installing Aventail Access Manager, users who access a graphical terminal shortcut (using
                    Windows Terminal Services) in a realm that requires Aventail Secure Desktop are prompted to
                    accept a Java prompt in a new window. Once they do this, however, ASD terminates and all of
                    the browser windows are closed.
                    This problem occurs only with a new installation of Aventail Access Manager. If a user has
                    accessed the Aventail appliance and installed AAM from a realm that does not require ASD,
                    graphical terminal shortcuts will work as expected.

 Microsoft Remote Assistance does not work with ASD [35333/35349]
 DESCRIPTION        Aventail Secure Desktop is incompatible with Remote Assistance, a Microsoft Windows
                    technology that enables Windows XP users to help each other over the Internet. Users who are
                    running ASD and try to open Remote Assistance will see an error message (“A Program Could
                    not Start”).

 User inactivity timeout ignored in ASD [35691]
 DESCRIPTION        In ASD, you can set an inactivity timer that is triggered when no keyboard or mouse activity is
                    detected; when the configured timeout length is reached, the session is ended. This timeout can
                    be set in the ASD Configuration Manager, or the Configure Community page in AMC. In
                    v9.0.0, these ASD inactivity settings are ignored.

 On Vista OS, closing browser window results in error [65564]
 DESCRIPTION        When a user logs in to WorkPlace and runs ASD, the OnDemand Proxy access agent is
                    successfully activated. After logging out of WorkPlace, ASD behaves properly, removing the
                    browser's cache and history. But after closing the browser the user sees the following error
                    message: “Windows Host Process (Rundll 32) has stopped working.” You can safely dismiss
                    this message.

Aventail WorkPlace
 Unable to access Web resources on Firefox browser with proxy server [32558]
 DESCRIPTION        Neither OnDemand proxy (in dynamic mode) nor OnDemand tunnel is able to modify proxy
                    settings in Firefox. As a result, Firefox tries to access WorkPlace links directly through its
                    original proxy, which fails because the links are no longer translated.

 “Use SSL v3 protocol only” causes provisioning and WorkPlace session problems [33408]
 DESCRIPTION        Setting traffic encryption on the Aventail appliance to Use SSL v3 protocol only has the
                    following effect:
                       • The Connect tunnel client cannot be provisioned from WorkPlace and connections to an
                         OnDemand port-mapped realm will fail.
                       • For access agents using Java, the WorkPlace Details link doesn’t work.
                       • Users may see an SSLException message (“Received fatal alert: bad_record_mac”).

 SOLUTION           Select Use TLS v1 protocol only or Use both protocols on the Configure SSL Encryption
                    page in AMC. Note, however, that selecting Use TLS v1 protocol only prevents Aventail
                    Connect proxy users from accessing the appliance.

 Certificate authentication process stalls during login to WorkPlace [33694]
 DESCRIPTION        When you connect to WorkPlace using Internet Explorer on a PDA that is running Windows
                    Mobile 5, and you attempt to log in to a realm that requires a client certificate, the session
                    appears to stall.
 SOLUTION           Click the Next button.

 Terminal shortcuts must be launched twice with Macintosh OS X v10.3 [34962/35312]
 DESCRIPTION        If you have shortcuts for graphical terminal agents configured in WorkPlace (for access to
                    terminal server resources), a Macintosh OS X version 10.3 user will see a blank window the first
                    time he or she tries to launch the shortcut. On the second try the shortcut will work correctly.

 DNS servers that resolve only internal addresses cause login delays [35189/35191]
 DESCRIPTION        During login, the Aventail appliance does a DNS lookup on IP addresses and subnets to
                    determine whether a hostname matches (for example) an item in an access list rule. If your DNS
                    server is not configured to resolve any external addresses, just internal ones, the login will
                    succeed but can take a couple of minutes.
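
An added diagnostic for the DNS issue above (not part of the release notes or of SonicWALL's software): it times reverse lookups and separates prompt negative answers from queries that go unanswered, on the assumption that unanswered queries are what stretch the login. The function names, the stand-in resolver and the sample addresses are constructed for illustration; with the default resolver, run it from a host that uses the same DNS server as the appliance.

```python
import socket
import time
from concurrent.futures import ThreadPoolExecutor, TimeoutError as LookupTimeout


def probe_reverse_dns(addresses, resolver=socket.gethostbyaddr, timeout=3.0):
    """Reverse-resolve each address; record the outcome and the time it cost."""
    results = []
    # One worker per address so a stalled lookup never delays the next probe.
    pool = ThreadPoolExecutor(max_workers=max(1, len(addresses)))
    try:
        for addr in addresses:
            start = time.monotonic()
            future = pool.submit(resolver, addr)
            try:
                name, outcome = future.result(timeout=timeout)[0], "resolved"
            except LookupTimeout:
                name, outcome = None, "timeout"   # no answer within the limit
            except OSError:
                name, outcome = None, "failed"    # prompt negative answer
            results.append({"address": addr, "name": name, "outcome": outcome,
                            "seconds": round(time.monotonic() - start, 3)})
    finally:
        pool.shutdown(wait=False)
    return results


def stalled_lookups(results):
    """Return the addresses that timed out and the total seconds they cost."""
    stalled = [r for r in results if r["outcome"] == "timeout"]
    return [r["address"] for r in stalled], sum(r["seconds"] for r in stalled)


def internal_only_resolver(addr):
    """Constructed stand-in for a DNS server that answers internal zones only."""
    if addr.startswith("10."):
        return ("host-" + addr.replace(".", "-") + ".corp.example", [], [addr])
    if addr.startswith("172.16."):
        raise socket.herror(1, "Unknown host")    # internal, but no PTR record
    time.sleep(0.5)                               # external: query goes unanswered
    raise socket.herror(2, "Host name lookup failure")


# Constructed sample: two internal addresses and two documentation-range ones.
SAMPLE = ["10.0.0.5", "172.16.4.9", "192.0.2.10", "198.51.100.7"]

if __name__ == "__main__":
    report = probe_reverse_dns(SAMPLE, internal_only_resolver, timeout=0.1)
    for row in report:
        print(row)
    print("stalled:", stalled_lookups(report))
```

Addresses reported as stalled are the ones worth checking against the DNS server's forwarding or negative-answer configuration; a lookup that fails promptly does not add to the delay.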

 Cannot cancel installation of Aventail Access Manager [35360]
 DESCRIPTION        During installation of Aventail Access Manager (the provisioning and EPC component for
                    Windows), a file download dialog opens. If the user clicks Cancel in this dialog box, the Aventail
                    Access Manager Web page does not display any navigation buttons.

 WorkPlace home page appears when the browser is refreshed [35671]
 DESCRIPTION        If you refresh your browser in WorkPlace you should see the “confirm logoff” page. If you are
                    running Mozilla Firefox, or Safari on a Linux or Macintosh operating system, you will
                    instead see the WorkPlace home page.

AMC Configuration
 WorkPlace site with “Custom host name only” retains its original domain name [33366]
 DESCRIPTION        If you create a WorkPlace site and specify just a custom host name for it (rather than an FQDN),
                    the site’s FQDN uses the domain name of the appliance. If this configuration is later imported to
                    an appliance with a different domain name using the Partial configuration option, the FQDN of
                    your site remains the same (instead of adopting the new domain name).
 SOLUTION           In AMC, click Save on the Configure WorkPlace Site page for the site and then apply your
                    change. The new domain name is automatically used.

 Searching for users/groups is limited to 1,000 or 1,500 entries [34382]
 DESCRIPTION        A search for users or groups on an external directory that results in more than 1,000 matches
                    (on a Windows 2000 server) or 1,500 matches (on a Windows 2003 server) will display no
                    results in AMC.

Technical Documentation and the Knowledge Portal
The Installation and Administration Guide and the online help for the Aventail Management Console are current in
terms of the v9.0.2 firmware, but do not describe the new hardware models; for a description of the new models see
the Quick Start Guide in your product box. Technical documentation is available on the SonicWALL Technical
Documentation Online Library:

Check the SonicWALL Customer Support Knowledge Portal, available when you log in to MySonicWALL, for
information and hotfixes that are relevant to your appliance.
Last updated: 9/16/2008

SonicWALL Aventail E-Class SRA EX-Series v9.0.2
Part number 232-001486-50_Rev_C
