Release notice for Ingate Firewall® 6.4.2 and Ingate SIParator® 6.4.2
 


Release name: Ingate Firewall® 6.4.2
Ingate SIParator® 6.4.2

Release date: March 13, 2023

The new version and documentation can be found at:
https://account.ingate.com/

This is a bug fix release with important stability and security improvements.
We recommend that everyone upgrade.


License Server synchronization
License server synchronization is a feature that makes your unit report
all installed licenses to the Ingate license server when it has an Internet
connection. This ensures that all licenses have been installed correctly and
makes things easier for Ingate support. In future releases it will also be
possible to withdraw and move licenses that you have installed on your unit.

License server synchronization is an optional feature; you will be asked
about enabling it when upgrading. It is also possible to enable
it later under Administration > License Server.


THE NEW FUNCTIONS AND FEATURES IN VERSION 6.4.X ARE:

* Support for Automated Deployment of X.509 Certificates Using the ACME Protocol

The Automatic Certificate Management Environment protocol allows the
Ingate SIParator to use, for example, Let's Encrypt certificates, which are
both free and automatically renewed every third month. This eliminates the
need to manually buy and install the SSL certificates that are now frequently
used for secure TLS connections.
Any certificate provider supporting the ACME protocol can be used.

* Advanced Client License (ACL) - A New Ingate Per User or Per Seat License

This license makes SIPoWS (SIP over WebSocket, RFC 7118) available[*] for
implementing third-party WebRTC browser clients, typically using JsSIP, and
also adds the advanced and flexible HTTP Services described below, which are
much more than ordinary HTTP Reverse Proxy functions.

[*] Previously discussed SIPoWS licensing models are discarded.

* HTTP Support for File Repositories, Load Balancing and CONNECT Tunnels

A repository defines storage for local and/or remote files available for
download via HTTP. Requests to remote HTTP servers can be load-balanced
using different schemes and algorithms. HTTP CONNECT tunnels to the
Ingate SIParator are firewalled to specific servers (typically on an
enterprise LAN).

These functions are used by a major PBX vendor for supporting Teleworkers
(SIP phone users behind remote NAT/firewalls over the Internet) over MTLS
connections, with every additional TCP-based feature, automatic configuration,
and upgrades working as if the PBX vendor's phone appliances were connected on
the enterprise LAN.

* Splitter for Single Port (typically port 443) Usage of HTTP and Any WebSocket Traffic

The configuration of this WebSocket splitter allows selection of various
WebSocket protocols to be handled locally and/or remotely.
Plain HTTP/HTTPS traffic using the same port is also handled separately.

This makes the Ingate SIParator® the ideal border element for a wide range of
voice and video applications, including and beyond SIP and WebRTC.
The Ingate SIParator will be the load-balancing firewall for the application
web server(s) of a protected LAN for the voice and video service and, on the
same public IP address on port 443, will support RFC 7118 SIPoWSS (as well as
SIP over TLS/MTLS on port 5061). At the same time it does all its media-related
NAT/firewall SBC handling and supports TURN and Ingate's QTURN (re-TURN proxy).
Media using RTP, SDES-SRTP and DTLS-SRTP for SIP and WebRTC is fully supported.

* BYE to REFER Agent for Advanced SIP Call Control

Converts BYEs in a SIP dialog to REFERs.
See "BYE to REFER" in the Ingate Reference Guide for more information.


INTRODUCED IN THIS PARTICULAR 6.4.2 RELEASE


* SIP *****************************************************************

*** Apply DNS Override settings after Dial Plan and SIP Trunk.
    Previously only the address was looked up; now the settings are also
    applied.

*** Fix curl with absolute XPATHs in Dial Plan.

*** SIP Trunk: Fix setting "From header domain" : "External IP address".
    It didn't always return an external IP address.
    It didn't work for IPv6.

*** SIP Trunk: Fix single optional variable substitutions.
    Using a single $([...]) expression always resulted in the empty
    string.

*** SIP Trunk: Fix port in TLS Contact when using alias IP address.
    The port became 5060 instead of 5061.

*** SIP Trunk: Fix outgoing call when Service Domain equals Trunk ID.
    The call was routed back to the PBX instead of to the ITSP.


* Other ***************************************************************

*** Fix base64 handling of eAB HMACKEY for ACME certs.

*** Improve support for running on the Azure cloud service.
    The Azure agent was updated to a recent and supported version.

*** Add support for hardware models 956 (S95 rev G) and 974 (S97 rev E).

*** Fix error when clicking the QoS tab on units without the SIP module.


* VPN & IPsec *********************************************************

*** Support single address MODECFG pools.

*** Improve XAUTH MODECFG error checks.
    * Only allow one network in the referenced Network and Computer
      group (the IP Range).
    * Don't allow a referenced Network and Computer group (the IP
      Range) to have an interface specified.
    * Remove checks that disabled the use of IPv6.
 
*** Show assigned virtual IP as Remote ID in IPsec Status tab.
    If a client has acquired a virtual IP address, show that one
    as the Remote ID.

*** Check that the MODECFG IP Range is not too big.

*** Don't allow a network to cover more than one local network.
    A selected MODECFG IP range cannot cover more than one
    directly connected network.

*** Catch exception when failing to add a virtual IP pool.

*** Fix a possible traceback when adding an IPsec rule.

*** Restrict allowed characters for certain column values.
    The 'IPsec Peers' column 'Name' and the 'Local Extended Authentication
    Database' column 'Username' are used as section name/key identifiers
    in the configuration. Allow all printable ASCII characters except
    . , : { } = " # \n \t and space.
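
The MODECFG pool checks listed in this section (a single range per group, no
interface on the group, a size limit, and no range spanning more than one
directly connected network), written out as an added example; this is not
Ingate's code. The function name, the data model and the 1024-address limit are
assumptions, since the notice does not state a limit.

```python
import ipaddress

MAX_POOL_ADDRESSES = 1024  # assumed limit; the release notice states none


def check_modecfg_pool(ranges, interface, local_networks,
                       max_size=MAX_POOL_ADDRESSES):
    """Return a list of problems with a MODECFG pool (hypothetical model).

    ranges         -- (first, last) address pairs in the referenced group
    interface      -- interface set on the group, or None
    local_networks -- CIDR strings of the directly connected networks
    """
    if len(ranges) != 1:
        return ["group must contain exactly one IP range"]
    errors = []
    if interface is not None:
        errors.append("group must not have an interface specified")
    first, last = (ipaddress.ip_address(a) for a in ranges[0])
    if first.version != last.version:
        return errors + ["range mixes IPv4 and IPv6"]
    if last < first:
        return errors + ["range end is below range start"]
    size = int(last) - int(first) + 1  # a single-address pool has size 1
    if size > max_size:
        errors.append(f"range has {size} addresses, limit is {max_size}")
    # Two intervals overlap when each starts before the other ends.
    touched = []
    for cidr in local_networks:
        net = ipaddress.ip_network(cidr)
        if net.version != first.version:
            continue  # IPv6 pools are checked against IPv6 networks only
        if first <= net.broadcast_address and net.network_address <= last:
            touched.append(cidr)
    if len(touched) > 1:
        errors.append("range covers more than one local network: "
                      + ", ".join(touched))
    return errors


# Constructed sample networks, not taken from any real unit.
LOCAL = ["10.0.1.0/24", "10.0.2.0/24", "2001:db8:1::/64"]

if __name__ == "__main__":
    for pool in [("10.0.1.50", "10.0.1.50"), ("10.0.1.200", "10.0.2.10"),
                 ("2001:db8:1::10", "2001:db8:1::1f")]:
        print(pool, check_modecfg_pool([pool], None, LOCAL) or "ok")
```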
