Release notice for Ingate Firewall® 6.4.1 and Ingate SIParator® 6.4.1
 

Release name: Ingate SIParator(R)/Firewall(R) 6.4.1
Release date: June 20, 2022

The new version and documentation can be found at:
https://account.ingate.com/

This is a minor release with new features and enhancements.
We recommend that everyone upgrade.


License Server synchronization
License server synchronization is a feature that makes your unit report
all installed licenses to the Ingate license server whenever it has an Internet
connection. This ensures that all licenses have been installed correctly and
simplifies work for Ingate support. In future releases it will also be possible
to withdraw and move licenses that you have installed on your unit.

License server synchronization is an optional feature; you will be asked
about enabling it when upgrading. It is also possible to enable
it later under Administration > License Server.


THE NEW FUNCTIONS AND FEATURES IN VERSION 6.4.X ARE:

* Support for Automated Deployment of X.509 Certificates Using the ACME Protocol

The Automatic Certificate Management Environment (ACME) protocol allows the
Ingate SIParator to use, for example, Let's Encrypt certificates that are both
free and automatically renewed every third month. This eliminates the need to
manually buy and install the SSL certificates that are now frequently used for
secure TLS connections.
Any certificate provider supporting the ACME protocol can be used.

* Advanced Client License (ACL) - A New Ingate Per User or Per Seat License

This license makes SIPoWS (SIP over WebSocket, RFC 7118) available[*] for
implementing third party WebRTC browser clients, typically using JsSIP, and
also adds the advanced and flexible HTTP Services described below, which are
much more than ordinary HTTP Reverse Proxy functions.

[*] Previously discussed SIPoWS licensing models are discarded.

* HTTP Support for File Repositories, Load Balancing and CONNECT Tunnels

A repository defines storage for local and/or remote files available for
download via HTTP. Requests to remote HTTP servers can be load-balanced
using different schemes and algorithms. HTTP CONNECT tunnels to the
Ingate SIParator are firewalled to specific servers (typically on an
enterprise LAN).

These functions are used by a major PBX vendor to support Teleworkers
(SIP phone users behind remote NAT/firewalls over the Internet) over MTLS
connections, with every additional TCP-based feature, automatic configuration,
and upgrades working as if the PBX vendor's phone appliances were connected on
the enterprise LAN.

* Splitter for Single Port (typically port 443) Usage of HTTP and Any WebSocket Traffic

The configuration of this WebSocket splitter allows selection of various
WebSocket protocols to be handled locally and/or remotely.
Plain HTTP/HTTPS traffic using the same port is also handled separately.

This makes the Ingate SIParator® the ideal border element for a wide range of
voice and video applications, including and beyond SIP and WebRTC.
The Ingate SIParator acts as the load-balancing firewall for the application
web server(s) of a protected LAN for the voice and video service and, on the
same public IP address on port 443, supports RFC 7118 SIPoWSS (as well as SIP
over TLS/MTLS on port 5061). At the same time it does all its media-related
NAT/firewall SBC handling and supports TURN and Ingate's QTURN (re-TURN proxy).
Media using RTP, SDES-SRTP and DTLS-SRTP for SIP and WebRTC is fully supported.

* BYE to REFER Agent for Advanced SIP Call Control

Converts BYEs in a SIP dialog to REFERs.
See "BYE to REFER" in the Ingate Reference Guide for more information.


INTRODUCED IN THIS PARTICULAR GENERALLY AVAILABLE 6.4.1 RELEASE


* SIP *************************************************************************

*** Introducing Advanced Client Licenses (ACL).
    Required for SIP over WebSocket registrations (WebRTC).

*** Added the option to enable and configure ContactRouteTag based routing under
    SIP Services -> Interoperability. (For vendor-specific SIP handling.)

*** Make "SIP Signaling Access Control" a per port setting called "Allow From/To".
    The global setting has been moved into the "SIP Signaling Ports" table in
    the column "Allow From/To".
    This allows different network sets to be used on different transports.

*** DTLS-SRTP now uses self-generated certificates instead of user supplied.
    This also solves a DTLS problem when changing media ports in mid-call.

*** Fixed IPv6 media packet length check. This could cause one-way media.

*** Fixed IPv6 regex substitution in the Dial Plan.

*** Don't add rtcp-mux if stripped using "Strip SDP Lines".

*** Add missing Content-Length header if converting 183 to 180, and 100rel.

*** Correct order of internal SDP attributes. Could malform the SDP.

*** Discard NAPTR records containing an unsupported service.

*** WebSocket: A WebSocket Secure handshake could fail in a specific scenario.

*** WebSocket: Ping/Pongs were not always being sent.

*** Call Control: Fixed From header manipulation together with the B2BUA.

*** Call Control: Add option curl_conn_no_reuse.
    Creates a new connection for each http request.
    See the Ingate Reference Guide for more information.

*** B2BUA: Fixed SDP min address on transfer. 
    When using the B2BUA to convert a REFER to INVITE, we replace any
    sendonly/inactive attributes when creating the new INVITE SDP from the last
    known offer. However, we didn't handle the case when c= contains a min
    address (0.0.0.0/::).

*** Added support for converting BYE to REFER in the Dial Plan.
    See "BYE to REFER" in the Ingate Reference Guide for more information.

*** Added support for User Routing Forward Action "RegSequence".
    Like "Sequence" but registrations are handled in parallel.

*** Add ;b2buafwdref dial plan parameter.
    Like ;b2bua but will forward REFERs through the B2BUA.

*** SipTrunk: Fix match when route incoming based on To.
    When using the trunk setting "Route incoming based on" "To header",
    the match was based on the modified To header instead of the
    original one.

*** B2BUA: Fix 100rel handling.
    Information about an endpoint's 100rel support could be lost and cause
    follow-up errors in other scenarios, e.g. media encryption.

* Other ***********************************************************************

*** Added support for automated deployment of X.509 certificates using the
    ACME (Automatic Certificate Management Environment) protocol.

    This feature is configured in the tab

    Basic Configuration -> ACME 

*** Added support for Storage Repositories and HTTP CONNECT Tunnels.

    This feature is configured in the tab

    HTTP Services -> Storage and Tunnels

    A repository defines storage for local and/or remote files available for
    download via HTTP. Requests to remote HTTP servers can be load-balanced
    using different schemes/algorithms.

*** Added support for managing WebSocket and HTTP traffic.

    This feature is configured in the tab

    HTTP Services -> WebSockets and HTTP

    Configuration allows one to select which WebSocket protocols should
    be handled locally and/or which should be handled remotely. It's also
    possible to use this configuration context to separate plain HTTP
    traffic from WebSocket traffic.
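
The single-port splitting described here and in the feature summary above can be pictured as the following decision, added as an illustration and not taken from Ingate's implementation or configuration. The POLICY table, handler names and sample requests are hypothetical; "sip" is the WebSocket subprotocol that RFC 7118 defines.

```python
# Added illustration of a single-port splitter decision; not Ingate's code.
# POLICY and the handler names "local"/"remote" are hypothetical.
POLICY = {"sip": "local", "chat.example": "remote"}  # subprotocol -> handler

def parse_head(raw):
    """Parse a raw HTTP/1.1 request head into (request_line, headers)."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line")
        key = name.strip().lower()
        # Repeated headers are combined into one comma-separated list.
        prev = headers.get(key)
        headers[key] = value.strip() if prev is None else prev + ", " + value.strip()
    return lines[0], headers

def tokens(value):
    """Split a comma-separated header value into trimmed tokens."""
    return [t.strip() for t in value.split(",") if t.strip()]

def classify(raw, policy=POLICY):
    """Return 'http', 'reject', or the handler of the first offered subprotocol."""
    request_line, h = parse_head(raw)
    is_ws = ("websocket" in tokens(h.get("upgrade", "").lower())
             and "upgrade" in tokens(h.get("connection", "").lower()))
    if not is_ws:
        return "http"  # plain HTTP/HTTPS on the same port goes to the web path
    # RFC 6455 handshake requirements: GET method, version 13 and a key.
    if (not request_line.startswith("GET ")
            or h.get("sec-websocket-version") != "13"
            or "sec-websocket-key" not in h):
        return "reject"
    for proto in tokens(h.get("sec-websocket-protocol", "")):
        if proto in policy:
            return policy[proto]
    return "reject"  # no configured subprotocol offered: default deny

def req(*extra):
    """Build a constructed sample request head for the checks."""
    lines = ["GET /ws HTTP/1.1", "Host: sbc.example.test"] + list(extra)
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")

# Constructed handshake headers shared by the WebSocket samples.
WS = ("Upgrade: websocket", "Connection: keep-alive, Upgrade",
      "Sec-WebSocket-Version: 13", "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==")
```

A WebSocket handshake that offers no configured subprotocol is rejected rather than passed to the web servers, which keeps unknown protocols off the protected LAN by default.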

*** Improved functionality in the SNMP facility.

    New features/enhancements include:
     * Mapping of certificate details to a username.
     * The counter memSysAvail (1.3.6.1.4.1.2021.4.27.0).
     * TLSv1.2 and DTLS1.2.

*** Improved functionality in the syslog facility.

    New features/enhancements include:
     * Extend syslog config to use its built-in templates.
     * Extend syslog config to use byte counting, also known as OCF
       (Octet Counted Framing).
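
As an added illustration (not Ingate code or configuration), the sketch below shows what octet-counted framing (RFC 6587) means for the collector receiving these logs over TCP: each message is prefixed with its length, so a message containing a newline cannot be split into a forged second log line. MAX_FRAME, the class name and the sample messages are assumptions constructed for this example.

```python
# Added illustration: RFC 6587 octet-counted framing decoder for a TCP syslog
# receiver. MAX_FRAME and the sample messages are assumptions, not Ingate values.
MAX_FRAME = 8192

class OctetCountedDecoder:
    """Incrementally decode 'MSG-LEN SP SYSLOG-MSG' frames from a byte stream."""

    def __init__(self, max_frame=MAX_FRAME):
        self.buf = bytearray()
        self.max_frame = max_frame

    def feed(self, data):
        """Append received bytes and return every complete message."""
        self.buf += data
        out = []
        while True:
            sp = self.buf.find(b" ")
            if sp == -1:
                # Only a short run of digits may precede the delimiter.
                if self.buf and (len(self.buf) > 10 or not self.buf.isdigit()):
                    raise ValueError("stream is not octet-counted")
                return out
            prefix = bytes(self.buf[:sp])
            # MSG-LEN is a non-zero digit followed by digits.
            if not prefix.isdigit() or prefix.startswith(b"0"):
                raise ValueError("bad MSG-LEN %r" % prefix)
            length = int(prefix)
            if length > self.max_frame:
                raise ValueError("frame of %d octets exceeds limit" % length)
            end = sp + 1 + length
            if len(self.buf) < end:
                return out  # wait for the rest of this frame
            out.append(bytes(self.buf[sp + 1:end]))
            del self.buf[:end]

def demo():
    """Compare octet counting with newline splitting on constructed messages."""
    m1 = b"<134>1 2022-06-20T10:00:00Z fw1 sipfw - - - call setup"
    m2 = b"<131>1 2022-06-20T10:00:01Z fw1 sipfw - - - bad header\nInjected: x"
    stream = b"".join(b"%d %s" % (len(m), m) for m in (m1, m2))
    dec, framed = OctetCountedDecoder(), []
    for i in range(0, len(stream), 7):  # deliver in small TCP-like chunks
        framed += dec.feed(stream[i:i + 7])
    naive = (m1 + b"\n" + m2 + b"\n").split(b"\n")[:-1]
    return [m1, m2], framed, naive
```

demo() returns the two original messages, the octet-counted decoding, and the result of newline splitting, which yields three records for the same two messages.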

*** Allow DOS line endings when importing PEM certificates.

*** Output SHA-256 certificate fingerprint information in the Certificates tab.

*** Output certificate Signature Algorithm information in the Certificates tab.

*** Added the option to reset the TTL (IPv4) and HL (IPv6) for
    media packets. The value can be set to 64 or 128.

*** HTTP REST API enhancements.

    New features/enhancements include:
     * The command 'sip-status', and the SDK method sip_status() which will
       mirror the content found in the tab SIP Traffic -> Status.
     * The command 'flush-logins', and the SDK method flush_logins() which
       will log out all logged in admin users.
     * The command 'restart-sip', and the SDK method restart_sip() which
       will restart the SIP module and remove all state, like registrations.
