Release notice for Ingate Firewall® 4.6.0 and Ingate SIParator® 4.6.0
Release name: Ingate Firewall® 4.6.0, Ingate SIParator® 4.6.0
Release date: 2007-11-16
This release supports IDS/IPS for SIP, enhanced Call Admission Control,
improved QoS and SRTP, improved performance (for firewalls), and improved
failover.
Additionally it resolves some security problems, several issues related to
SIP, and a few other issues.
We recommend that everybody upgrade.
The new version and the user manual can be found at: www.ingate.com/upgrades/
When upgrading an Ingate SIParator running in MEDIAtor mode it is
recommended that an updated Windows service is installed on the LCS Access
Proxy server.
Please contact support@ingate.com if you need to obtain this service.
New SIP Functionality
- A framework for Intrusion detection/Intrusion prevention, IDS/IPS, for SIP
has been added. It adds support for rate limiting on SIP requests/responses.
Additionally it supports installation of Ingate-defined rule sets that will
be made available at a later point in time in order to protect against
upcoming types of attacks.
The IDS/IPS feature is available as an optional module on Firewall and
SIParator models with a harddisk.
[Tracking ID: 3122]
- SIP routing configuration by means of the Dial Plan and the User Routing
tables now supports time classes.
Using time classes, SIP routing may now be made different for e.g. office
hours and other times.
[Tracking ID: 1962]
- Call Admission Control now supports definition of codec bandwidth usage.
A table is introduced, including the most common codecs and their bandwidths.
The administrator can extend this table with additional codecs.
[Tracking ID: 1715]
- Call Admission Control now allocates bandwidth for emergency calls
from a separate bandwidth pool.
[Tracking ID: 2110]
- Partial support for MKI (Master Key Index) added to enable
interoperability with other SRTP implementations, like Microsoft's.
The Ingate can now handle offers with an MKI, as long as they
only contain a single key. The Ingate still never sends an MKI
in an sdescriptions offer.
[Tracking ID: 2336]
New QoS Functionality
- The usability of the QoS GUI has been improved. As a consequence the
administrator selects between two somewhat different QoS
strategies:
- Allocating bandwidth per service type.
- Prioritization per service type.
Note that the Call Admission Control always allocates bandwidth,
and that only service types other than SIP media (voice and video) are
affected by the above strategies.
[Tracking IDs: 1618, 2209, 2747]
- Support for ingress traffic shaping has been added.
[Tracking ID: 2798]
Other New Functionality
- A Firewall can now be changed into a SIParator, and vice versa, by
means of installing a module.
Please note that such a transformation will erase most of the
configuration of the unit and that downgrading to a previous version
before an additional upgrade has been performed will roll back the unit
to its previous product type and the old configuration.
[Tracking ID: 3278]
- The TCP relay now supports a multiple server setup. Thus a relay
can be configured to forward packets to a primary server. If that server
is down, a secondary server is used.
[Tracking ID: 3268]
- The well known tools ping and traceroute are now available
from the Ingate web GUI.
[Tracking ID: 350]
- A debug user account type has been added.
The debug user is allowed to search the log, obtain packet
captures, and generate support reports, but is not allowed to change
any configuration.
[Tracking ID: 3402]
- By default, the "All interfaces" option is selected for packet captures.
[Tracking ID: 3333]
- Some table and column names in the configuration database are changed,
in order to present a more uniform naming in the CLI.
CLI files from 4.5.x versions should not be used in the 4.6 version.
As a consequence users of the Ingate Startup Tool need to
download a new version from the Ingate web site.
The possibility of this name change was announced when 4.5.0 was released.
From now on, the Ingate CLI will not be changed unless required, merely
extended.
[Tracking ID: 2573]
- Changing SIParator type can now be done via the CLI.
[Tracking ID: 3098]
- Information about serial number, product model, and software version is
now available in a downloaded CLI file.
[Tracking ID: 3119]
- Rebooting the Ingate unit can now be done via SSH or the serial console.
[Tracking ID: 3120]
- SIP TLS packets passing through the Ingate Firewall are now logged.
[Tracking ID: 710]
- Detailed information about the internal state of the Ingate unit can
now be downloaded via the admin program. The same information is available
on the builtin.dump page in the web GUI.
[Tracking ID: 2556]
- The configuration database may now optionally be included in a
Support Report.
[Tracking ID: 3004]
- Information available on the About page in the web GUI is now also
available via the admin program, accessible via SSH or the serial console.
[Tracking ID: 2019]
- It is now possible, but not recommended, to apply the configuration
without the need for a confirmation step.
This action can be found on the builtin.instant_apply page in the web GUI.
[Tracking ID: 3279]
- The DHCP client status now includes information about which interface
acquired a DHCP IP address.
[Tracking ID: 3029]
- A single license file can now be used for multiple, named, units.
[Tracking ID: 3280]
Performance Enhancements
- The performance for data traffic has been improved. This will
mainly be a benefit for configurations with many firewall rules
and/or many directly connected or routed networks.
[Tracking ID: 588]
- The time necessary to detect the need to fail over to a standby unit
has been decreased from about 30 to about 5 seconds.
[Tracking ID: 2840]
- The performance of the web server, and thus the performance of web GUI,
has been improved.
[Tracking ID: 3301]
- The performance of setting up IPSec tunnels has been improved compared
to 4.5.2.
[Tracking ID: 3312]
- The web server now supports transparent compression of pages,
using gzip encoding. This is supported by all common web browsers and
can significantly improve GUI performance over low bandwidth links
like mobile networks.
Fixed Security Problems
- A bug causing certain ICMP packets to be incorrectly accepted has been
fixed.
[Tracking ID: 3299]
- Truncated ICMP/UDP/TCP packets are now logged.
[Tracking ID: 3379]
- Attempts to log on from non-existing users using the serial console
are now logged.
[Tracking ID: 3380]
- Passwords of administrators with fewer privileges are no longer stored
in clear text.
[Tracking ID: 2942]
- Restarting the SIP module may have caused media pinholes to be left open.
This has now been fixed.
[Tracking ID: 702]
- SSLv2 support is no longer accepted for https connections to the web
GUI of the Ingate unit.
[Tracking ID: 1772]
Fixed SRTP-related Problems
- A potential buffer overflow in libsrtp has been fixed.
[Tracking ID: 3209]
- A kernel crash when the RTCP index is far larger than expected has
been fixed.
[Tracking ID: 3273]
- Improved parsing of a=crypto lines. All errors are now properly
reported in the log. MKI and key lifetimes are no longer ignored.
For increased interoperability, trailing whitespaces are now ignored
(but a message logged in the log).
[Tracking IDs: 3214, 3215, 3236, 3388]
- Improved interoperability if the policy allows RTP as well as SRTP: if
we offer SRTP and receive an answer that uses RTP, we now accept
that answer and set up the call using unencrypted RTP. Similarly,
if the answer is labeled "RTP/AVP" instead of "RTP/SAVP" in the SDP
but contains "a=crypto" lines, we use those lines and set up the
call using SRTP.
[Tracking ID: 2610]
- Major improvements to SRTP handling of SIP re-INVITEs, spirals and
the internal B2BUA. Most scenarios where the same SDP reached the
SIP module twice (for example after spiraling to an external SIP
proxy, or to an internal B2BUA) would previously fail.
[Tracking IDs: 3200, 3144, 3249, 3250, 3258, 3263, 3285]
- The SRTCP authentication tag was miscalculated. This has now been fixed.
[Tracking ID: 3275]
- Fixed session parameter handling. The SIP module does not currently
support any session parameters. It now does the expected thing when
optional and mandatory session parameters are present in an a=crypto
line. Optional session parameters can be ignored, but mandatory
session parameters make it impossible for the SIP module to
transcode the media. (If the configuration allows, they can still
be present in passthrough media streams.)
[Tracking IDs: 3290, 3291, 3292]
- Unknown a=crypto suites were not handled properly by the Ingate.
This has now been fixed.
[Tracking ID: 3383]
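As an added example (not Ingate's code), the following Python parser for SDP a=crypto lines applies the handling described in the SRTP items above: trailing whitespace is tolerated but recorded for the log, an MKI is accepted only when the offer carries a single key, unknown crypto-suites are rejected explicitly, and session parameters are split into mandatory and optional (using the "-" prefix convention of RFC 4568 for optional parameters), with any mandatory parameter ruling out transcoding. The accepted suite list and the exact rejection behaviour are assumptions of the example, not taken from the product.

```python
import re
from dataclasses import dataclass

# Suites this example accepts (RFC 4568 names); the product's actual list is not on the page.
KNOWN_SUITES = {"AES_CM_128_HMAC_SHA1_80", "AES_CM_128_HMAC_SHA1_32", "F8_128_HMAC_SHA1_80"}

@dataclass
class CryptoLine:
    tag: int
    suite: str
    keys: list              # (key_b64, lifetime or None, (mki, mki_len) or None)
    mandatory_params: list  # session parameters the answerer must understand
    optional_params: list   # "-"-prefixed parameters that may be ignored
    warnings: list          # tolerated deviations, to be logged rather than rejected

# key-params per RFC 4568: inline:<key||salt>["|"lifetime]["|"MKI:length]
KEY_RE = re.compile(r"inline:([A-Za-z0-9+/=]+)(?:\|(\d+\^\d+|\d+))?(?:\|(\d+):(\d+))?")

def parse_crypto(line: str) -> CryptoLine:
    """Parse one SDP a=crypto line; raise ValueError on anything that must be rejected."""
    warnings = []
    if line != line.rstrip():            # tolerated for interoperability, but logged
        warnings.append("trailing whitespace ignored")
        line = line.rstrip()
    m = re.fullmatch(r"a=crypto:(\d+) (\S+) (\S+)((?: \S+)*)", line)
    if not m:
        raise ValueError("malformed a=crypto line")
    tag, suite, key_params, rest = m.groups()
    if suite not in KNOWN_SUITES:        # unknown suite: reject explicitly, never guess
        raise ValueError(f"unknown crypto-suite {suite!r}")
    keys = []
    for kp in key_params.split(";"):
        km = KEY_RE.fullmatch(kp)
        if not km:
            raise ValueError(f"bad key-params {kp!r}")
        key, lifetime, mki, mki_len = km.groups()
        keys.append((key, lifetime, (int(mki), int(mki_len)) if mki else None))
    # Assumption mirroring the release note: an MKI is only handled with a single key.
    if len(keys) > 1 and any(k[2] is not None for k in keys):
        raise ValueError("MKI with multiple keys is not supported")
    mandatory, optional = [], []
    for p in rest.split():
        (optional if p.startswith("-") else mandatory).append(p.lstrip("-"))
    return CryptoLine(int(tag), suite, keys, mandatory, optional, warnings)

def can_transcode(c: CryptoLine) -> bool:
    """Transcoding requires understanding every mandatory session parameter;
    this example understands none, so any mandatory parameter forces passthrough."""
    return not c.mandatory_params
```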
Fixed SIP-related Problems
- A bug causing the Ingate to add a Session-Expires header even though
one already existed (in compact form) has been fixed.
[Tracking ID: 3404]
- Messages sent over TCP/TLS now always contain the required
Content-Length header.
[Tracking ID: 2787]
- The Ingate unit no longer switches to TCP for large SIP messages when
sending to a UA through a remote NAT.
[Tracking ID: 2948]
- Some configuration parameters for Remote NAT Traversal have changed
to improve interoperability with UAs and NATs.
[Tracking ID: 3097]
- Remote NAT Traversal now uses OPTIONS by default for NAT
keep-alive.
[Tracking ID: 3197]
- A default gateway is no longer required to enable SIP support.
[Tracking ID: 3124]
- Port values in received Via headers were in some situations changed.
This is no longer done since it confuses some UAs.
[Tracking ID: 3217]
- The Ingate unit no longer sends Authorization headers with missing
usernames.
[Tracking ID: 3148]
- "auth-int" digest authentication proposal is now removed if the SIP
message body needs modifications.
[Tracking ID: 3284]
- We now preserve the Display Name in the From header when acting as
a B2BUA.
[Tracking ID: 3255]
- We no longer produce messages with multiple Timestamp headers when
acting as a B2BUA.
[Tracking ID: 3269]
- Routing of stateless responses has been improved.
[Tracking ID: 2955]
- When Remote NAT Traversal was used, users' registrations could
conflict and messages could be routed to the wrong user.
This has been fixed.
[Tracking ID: 3304]
- An issue where the Content-Length header was incorrectly removed from
REGISTER responses has been resolved.
[Tracking ID: 3308]
- An issue where REFER requests weren't handled in some situations has
been fixed.
[Tracking ID: 3319]
- An issue where sendonly streams were unintentionally blocked has been
fixed.
[Tracking ID: 3321]
- Specifying "*local" in the Local SIP User Database table has never been
supported by the SIP module and is now forbidden.
[Tracking ID: 3226]
Fixed VPN-related Problems
- Port numbers are now (again) displayed on the IPsec status page.
[Tracking ID: 2869]
- An issue causing PPTP to fail to set up proxy ARP for interfaces
with multiple networks has been fixed. This could previously prevent
communication between PPTP clients on the same subnet.
[Tracking ID: 3277]
- An issue where IPsec phase two proposals without PFS could cause the
IPsec module to crash has been fixed. Note that due to security
reasons PFS is still required to establish a tunnel.
[Tracking ID: 3296]
- PPTP usernames must now be unique.
[Tracking ID: 3334]
- Sometimes a PPTP connection could fail such that it was still
active but no packets were allowed through. This has now been fixed.
[Tracking ID: 3282]
- A VLAN issue where ESP packets (IPsec) were sent untagged instead
of being tagged as intended has been fixed.
[Tracking ID: 3331]
Fixed Failover-related Problems
- A race condition that could occur when updating VPN blacklistings
has been removed.
[Tracking ID: 577]
- Broken interfaces on the standby unit now cause the active unit
to alert.
[Tracking ID: 629]
- Logging of failover events is extended and is now more informative.
[Tracking ID: 725]
- A bug causing spurious failover to occur when an enabled interface
was left unconnected has been fixed.
[Tracking ID: 2462]
- A bug causing a failover to the second unit when a failover team
was created has been fixed.
[Tracking ID: 2844]
Other Fixed Problems
- A bug causing the load log to crash has been fixed.
[Tracking ID: 3406]
- Certificate chains in PKCS#12 format are now properly supported.
[Tracking ID: 3377]
- The configuration web server should now always restart when needed
due to configuration changes, even if the CLI is used.
[Tracking IDs: 3143, 3401]
- When downloading a certificate request in PEM format, the file
extension .req is now used, to match what is expected by the Ingate
OpenSSL package.
[Tracking ID: 2720]
- A bug causing a backtrace in the log when the web browser closes
the connection has been fixed.
[Tracking ID: 2749]
- An issue causing builtin.dump to show incorrect packet counters
for internal rules has been fixed.
[Tracking ID: 2960]
- A kernel bug causing the MPPE buffer to be miscalculated has been fixed.
[Tracking ID: 3282]
- A bug causing restartd to sometimes miss out on restarting the web server
has been fixed.
[Tracking ID: 3143]
- Some syntax errors in the SNMP MIB have been fixed.
[Tracking ID: 3375]
Removed Functionality
- The http rewriting relay has been removed.
[Tracking ID: 3000]
- Support for transcoding Windows Messenger encryption has been removed.
[Tracking ID: 3251]
Known Problems
Known SIP-related Problems
These problems are only relevant if the SIP
module is enabled.
- Transfer initiated by an internal IP-PBX client between two SIP
Trunking (PSTN) clients fails in some scenarios. The Ingate
firewall/SIParator does not offer the correct set of codecs in the
offer in a REFER-initiated INVITE.
The problem may be worked around by selecting/configuring a codec common
to all elements. This problem only appears if Local REFER handling is active.
Ingate will shortly provide a patch that solves this issue. Contact
Ingate support to obtain the patch.
[Tracking ID: 2993]
Known VPN-related Problems
These problems are only relevant if IPsec
is used.
- Packets with a destination address that belongs to either end of a
tunnel will appear to be encrypted in the log, even when they
should not be encrypted. This is a problem with the log only.
[Tracking ID: 46]
- The local endpoint must be chosen so that it is the address closest
to the next-hop router for that peer. This means that mobile
clients must always connect via the same interface (typically the
interface connected to the Internet). [Tracking ID: 508]
Known Failover-related Problems
This problem is only relevant if failover is used.
- Upgrading a failover team is a complex operation. To upgrade it,
you must break the team and upgrade each machine in turn. This
will require a number of reboots and network outages. See the
separate failover upgrade document which is available on the
upgrade web. [Tracking ID: 499]
Other Known Problems
- Using multiple default gateways does not work with PPPoE interfaces.
[Tracking ID: 2980]
- Autonegotiation of NIC duplex and speed does not work with Alcatel
Speedtouch modems using some Ingate models that support configuration of
NIC duplex and speed. Setting the duplex and speed manually to half/10
solves the problem.
Affected models:
Ingate Firewall 1450, 1880.
Ingate SIParator 45, 88.
[Tracking ID: 3006]