Upgrades

Release notice for Ingate Firewall® 6.0.3 and Ingate SIParator® 6.0.3

The new version can be found here

Release notice for Ingate Firewall(R) 6.0.3 and Ingate SIParator(R) 6.0.3

Release name: Ingate Firewall(R) 6.0.3
              Ingate SIParator(R) 6.0.3
Release date: November 13, 2017

The new version and User Manuals can be found at:
https://www.ingate.com/Upgrades.php

This is a minor release with stability improvements.
We recommend everybody to upgrade.

6.0.X Ingate Firewall(R)/Ingate SIParator(R) was a major release with new
functions, features, security, enhancements and improvements
as well as integrated earlier customer-requested patches.
All currently supported hardware (not the old FW1190/S19), and the
Software SIParator/Firewall (after switching hypervisor support to 64 bit, in
case of the previous 32 bit). We recommend everybody to upgrade.

THE MAJOR 6.0.X NEW FUNCTIONS AND FEATURES ARE:

* WebSockets and Secure WebSockets WS/WSS are now supported for SIP Transport
allowing web browser based SIP clients and popular often open ports 80 for HTTP
and 443 for HTTPS to be used.

* A general high capacity media proxy supporting transcoding of WebRTC type of
media (DTLS-SRTP) to SIP type of media (RTP/SRTP), using ICE or not, and
RTCP-MUX termination. 

This allows the SIParator (including its SIP Proxy and SIP Registrar etc.) to
be used in demanding WebRTC to/from SIP Gateway services with over 10 000 voice
media sessions capacity, currently only limited by CCS session licenses (which
may change). (TURN Support and more WebRTC related functions are in progress.)

* Full IPv6 support, for SIP and other functionality including VPN and general
firewall functions.

* All Transports: UDP, TCP, TLS, WS, WSS can independently be used for SIP
signaling passing the SIParator SIP Proxy Interfaces, using IPv4 or IPv6.

* Media is independently converted between IPv6 and IPv4 (through the media
proxy), if required.

* Further strengthening the already powerful firewall data and SIP security and
protection capabilities, especially for large cloud SIP and WebRTC services
where TLS and WSS are used:
- CPU saturation protection and multi core SSL initialization offload (very
resilient for DOS/DDOS attacks).
- Brute Force SIP Authentication protection now also active with
SIParator/Firewall in SIP Proxy pass-through mode and protection enhanced by
silence timer. 
- Enhanced SIP IDS/IPS protection, with installed and customer extendable rule
pack and SIP signaling rate limiting in two levels (IP address and regular
expression match, allowing enterprises with many users signaling from the same
IP address). 

This magnitude increase in protection and privacy of SIP and WebRTC signaling,
combined with up to 20,000 media sessions or 10,000 WebRTC – SIP transcoding
media sessions (as well as built-in SIP registrar for 100 thousands of users),
makes the SIParator ideal for the largest cloud services. 

The SIParator GUI Help texts may reveal further details.

Below are the notes for the 6.0.2 --> 6.0.3 improvements only.
The notes for the above described 5.0.11 --> 6.0.1 enhancements are found
here.

* General changes *****************************************************

*** Updated Linux Kernel.


* SIP related issues **************************************************

*** Also send REGISTER to SIP Trunk fallback domain.
    The domains are automatically monitored using SIP OPTIONS.
    Registration can be disabled by adding ;no-reg to each domain name or
    IP address in the Service Provider Domain field on the SIP Trunk page.
    Monitoring can also be disabled by adding ;no-mon.
    [Tracking ID: 4969]

*** B2BUA now adhere to the Retry-After header in 500 responses.
    [Tracking ID: 5487]

*** Strip crypto info in SDP AVP profiles when using the
    Require TLS setting.

*** Fix RTCP port allocation during re-INVITE if the RTCP attribute
    is used. 

*** Fix parsing of monitored IPv6 URIs.

*** Do round-robin in DNS Override irrespective of Modify RURI setting.

*** Fix ICE handling together with the B2BUA.

*** Fix RTCP-MUX handling during re-INVITE.

 
* Other issues ********************************************************

*** Add support for Intel x710 Gbit network card

*** Add support for cloud service Google Cloud Platform

*** The DHCP client now supports and uses the option
    'rfc3442-classless-static-routes'.

*** Fix traceback in maillogger program.
    [Tracking ID: 5492]

*** Add missing 'data_ports' column in upgrade scripts.

*** Request line without CR rejected by Hurricane Electric Dynamic DNS.
    [Tracking ID: 5490]