What's new in 4.9.0?

The following new features and enhancements are contained in the 4.9.0 version of the Gateway. This includes updates since the release of version 4.8.0.

Enhanced HTTPS interception capability

This version includes an update to the HTTPS processing layer, resulting in enhanced HTTPS interception capability.

Role-based administration and Active Directory integration

Administration user permissions are now defined in a role rather than as part of a user account, and Active Directory groups can be linked to Gateway roles, allowing much simpler management of large numbers of administration users.

Additional guidance on Certificate Authority certificate upload

When uploading a Certificate Authority (CA) certificate, validation checks are performed on the certificate and credentials. If a CA certificate is found to be invalid, error or warning messages are displayed for guidance, detailing the reason the validation failed. If you receive warnings on your CA certificate upload, you can proceed with the upload if you wish. However, if you receive error messages, the errors must be resolved before you can continue. Potential reasons for failed validation include:

Errors

Warnings

See Uploading a Certificate Authority certificate for more information.

Avira anti-virus available as a third licensable scanner

You can now select Avira anti-virus, alongside Sophos and/or Kaspersky. See Anti-Virus Scanners for more information.

Consolidation of HTTPS event logging

All HTTPS event logging has been consolidated into the Decryption Service log. The HTTPS CA Server log, which is now redundant, has been removed.

See Logs for more information.

HTTPS Policy Certificate Verification

Verification of HTTPS certificates has been improved and simplified to conform to up-to-date security standards. You can configure the Gateway to block access to sites using expired, invalid, or untrusted certificates. Matching of the certificates against the site hostname has been enhanced to conform to current Internet standards. Specifically, name matching is performed against the Subject Alternative Name (SAN) in preference to the Common Name (CN) of a certificate. See HTTPS Certificate Verification for more information.
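The SAN-in-preference-to-CN rule described above can be sketched as follows. This is an added example, not Clearswift's code: the function names are hypothetical, the certificates are constructed samples in the dictionary layout of Python's ssl.SSLSocket.getpeercert(), and the wildcard handling follows common RFC 6125 practice, which is an assumption about detail the page does not give.

```python
# Added illustration: hostname matching that prefers SAN over CN.
# Certificates use the dict layout returned by ssl.SSLSocket.getpeercert().

def label_match(pattern, hostname):
    """Compare one presented DNS name against the requested hostname."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False              # a wildcard covers exactly one label
    if p[0] == "*":
        # Assumption: wildcard only as the whole leftmost label, never "*.tld".
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def names_for_matching(cert):
    """Return (source, names): SAN dNSName entries if present, else the CN."""
    san = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if san:
        return "SAN", san         # CN is ignored once a SAN DNS name exists
    cn = [v for rdn in cert.get("subject", ()) for (k, v) in rdn
          if k == "commonName"]
    return "CN", cn


def hostname_matches(cert, hostname):
    """Return (matched, source) so a log line can record which field decided."""
    source, names = names_for_matching(cert)
    return any(label_match(n, hostname) for n in names), source


# Constructed sample: the CN names a host that the SAN list does not cover.
CERT_A = {
    "subject": ((("commonName", "www.example.test"),),),
    "subjectAltName": (("DNS", "shop.example.test"),
                       ("DNS", "*.cdn.example.test")),
}
# Constructed sample: legacy certificate with no SAN extension at all.
CERT_B = {"subject": ((("commonName", "legacy.example.test"),),)}

if __name__ == "__main__":
    for cert, host in [(CERT_A, "www.example.test"),
                       (CERT_A, "img.cdn.example.test"),
                       (CERT_A, "a.b.cdn.example.test"),
                       (CERT_B, "legacy.example.test")]:
        print(host, hostname_matches(cert, host))
```

The first sample host fails even though it equals the certificate's CN, which is the practical consequence of SAN taking precedence: a certificate whose SAN list omits a hostname is not valid for it.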

Certificate Caching

The Web Gateway dynamically generates a certificate for connecting clients. A certificate is generated for each site visited. Before a certificate is generated, the Web Gateway checks the cache to ensure that a certificate has not already been generated for this site. You can set the maximum number of cached certificates, which defaults to 100,000. The cache contents are reset at midnight daily and can also be manually reset.

See Certificate caching for more information.

Certificate revocation checks

The system now proactively checks for revoked intermediate Certificate Authority certificates. The service refreshes the revocation list periodically, and if the list download fails more than 5 times in a row, the "Downloading certificate revocation list failed too many times" alarm is raised. See System Alarms for more information.

Microsoft Project file support in Detect Lexical Expression

The Detect Lexical Expression content rule now supports Microsoft Project (MPP) files as a media type in the What to Look For? panel.

Removal of printer information in Sanitize Document Content

Enabling the Infrastructure information check box, in the What to Look For? panel of the Sanitize Document Content rule, configures the Gateway to remove printer information. See Sanitization for more information.

Sanitization and redaction bypass for signed documents

You can now configure the Gateway to bypass sanitization or redaction content rules if a signed document is encountered. A new What to Look For? clause enables you to bypass any of the following content rules: Redact text, Sanitize Active Content, or Sanitize Document Content.


© 1995–2018 Clearswift Ltd.