Release notice for Ingate Firewall® 6.4.3 and Ingate SIParator® 6.4.3
Release notice for Ingate SIParator(R)/Firewall(R) 6.4.3

Release name: Ingate SIParator(R)/Firewall(R) 6.4.3
Release date: January 04, 2024

The new version and documentation can be found at:
https://account.ingate.com/

This is a bug fix release with important stability and security improvements.
We recommend that everyone upgrade.


License Server synchronization
License server synchronization is a feature that makes your unit report all
installed licenses to the Ingate license server whenever it has an Internet
connection. This ensures that all licenses have been installed correctly and
makes things easier for Ingate support. In future releases it will also be
possible to withdraw and move licenses that you have installed on your unit.

License server synchronization is an optional feature; you will be asked
about enabling it when upgrading. It is also possible to enable it later
under Administration > License Server.


THE NEW FUNCTIONS AND FEATURES IN VERSION 6.4.X ARE:

* Support for Automated Deployment of X.509 Certificates Using the ACME Protocol

The Automatic Certificate Management Environment protocol allows the
Ingate SIParator to use, for example, Let's Encrypt certificates, which are
both free and automatically renewed every three months. This eliminates the
need to manually buy and install the SSL certificates that are nowadays
frequently used for secure TLS connections.
Any certificate provider supporting the ACME protocol can be used.

* Advanced Client License (ACL) - A New Ingate Per User or Per Seat License

This license makes SIPoWS (SIP over WebSocket, RFC 7118) available[*] for
implementing third-party WebRTC browser clients, typically using JsSIP, and
also adds the advanced and flexible HTTP Services described below, which go
well beyond ordinary HTTP reverse proxy functions.
[*] Previously discussed SIPoWS licensing models have been discarded.

* HTTP Support for File Repositories, Load Balancing and CONNECT Tunnels

A repository defines storage for local and/or remote files available for
download via HTTP. Requests to remote HTTP servers can be load-balanced
using different schemes and algorithms. HTTP CONNECT tunnels to the
Ingate SIParator are firewalled to specific servers (typically on an
enterprise LAN).

These functions are used by a major PBX vendor to support teleworkers
(SIP phone users behind remote NAT/firewalls on the Internet) over MTLS
connections, with every additional TCP-based feature, automatic configuration
and upgrades working as if the PBX vendor's phone appliances were connected
on the enterprise LAN.

* Splitter for Single Port (typically port 443) Usage of HTTP and Any WebSocket Traffic

The configuration of this WebSocket splitter allows selection of various
WebSocket protocols to be handled locally and/or remotely.
Plain HTTP/HTTPS traffic using the same port is also handled separately.

This makes the Ingate SIParator® the ideal border element for a wide range of
voice and video applications, including and beyond SIP and WebRTC.
The Ingate SIParator acts as the load-balancing firewall for the application
web server(s) of the voice and video service on a protected LAN, while on the
same public IP address and port 443 it supports RFC 7118 SIPoWSS (as well as
SIP over TLS/MTLS on port 5061). At the same time it performs all its
media-related NAT/firewall SBC handling and supports TURN and Ingate's QTURN
(re-TURN proxy). Media using RTP, SDES-SRTP and DTLS-SRTP for SIP and WebRTC
is fully supported.
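To make the single-port splitting described above concrete, here is an added example (not Ingate's code) of the decision a splitter on port 443 has to make for each incoming request head: plain HTTP is passed on as HTTP, a WebSocket upgrade offering the RFC 7118 "sip" subprotocol goes to the local SIP stack, other configured subprotocols are sent to a remote server, and anything else is rejected. The dispatch table, host names and addresses are constructed assumptions for the example.

```python
# Hypothetical dispatch table (an assumption for this example, not an Ingate
# configuration): subprotocol -> (where to handle it, handler name/address).
# "sip" is the RFC 7118 subprotocol for SIP over WebSocket (local SIP stack).
SUBPROTOCOL_TARGETS = {
    "sip": ("local", "sip-stack"),
    "xmpp": ("remote", "10.0.0.20:5280"),   # constructed LAN address
}

def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request head into (method, target, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % lines[0])
    method, target, _version = parts
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        # Fold repeated headers; lower-case names for case-insensitive lookup.
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return method, target, {k: ", ".join(v) for k, v in headers.items()}

def classify(raw: bytes):
    """Return ('http', target), ('local'|'remote', name) or ('reject', reason)."""
    method, target, h = parse_request(raw)
    tokens = lambda v: [t.strip().lower() for t in h.get(v, "").split(",") if t.strip()]
    if "websocket" not in tokens("upgrade") or "upgrade" not in tokens("connection"):
        return ("http", target)           # plain HTTP(S) sharing the port
    if method != "GET" or h.get("sec-websocket-version") != "13" or "sec-websocket-key" not in h:
        return ("reject", "malformed WebSocket handshake")
    for proto in tokens("sec-websocket-protocol"):   # first configured one wins
        if proto in SUBPROTOCOL_TARGETS:
            return SUBPROTOCOL_TARGETS[proto]
    return ("reject", "no configured subprotocol offered")

# Constructed sample request heads.
SIP_WS = (b"GET / HTTP/1.1\r\nHost: sbc.example.com\r\nUpgrade: websocket\r\n"
          b"Connection: keep-alive, Upgrade\r\nSec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
          b"Sec-WebSocket-Version: 13\r\nSec-WebSocket-Protocol: sip\r\n\r\n")
PLAIN_HTTP = b"GET /firmware/phone.bin HTTP/1.1\r\nHost: sbc.example.com\r\n\r\n"
NO_KEY_WS = SIP_WS.replace(b"Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n", b"")
UNKNOWN_WS = SIP_WS.replace(b"Protocol: sip", b"Protocol: mqtt")

if __name__ == "__main__":
    for req in (SIP_WS, PLAIN_HTTP, NO_KEY_WS, UNKNOWN_WS):
        print(classify(req))
```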

* BYE to REFER Agent for Advanced SIP Call Control

Converts BYEs in a SIP dialog to REFERs.
See "BYE to REFER" in the Ingate Reference Guide for more information.


INTRODUCED IN THIS PARTICULAR 6.4.3 RELEASE


* SIP *****************************************************************

*** Fixed repeated stale nonce registration attempts.

*** Fixed RTCP port leak on rejected media encryption.

*** Fixed memory corruption under high load.

*** Fixed memory leak when reconfiguring with new SIP signaling ports.

*** ICE: Improved implementation.

*** SIP Trunk: Fixed restrict to calls from IPv6.

*** SIP Trunk: Fixed incoming to trunk registration.

*** SIP Trunk: Fixed use alias IP address when sending.

*** SIP Trunk: Fixed DNS override after the SIP Trunk.

*** Dial Plan: Added ;privacy="off" to regexp forward (strips privacy headers).

*** Dial Plan: Try next sub-row when curl receives a sip_response_code=5xx.

*** B2BUA: Improved implementation of "Reuse port numbers even when IP has changed".

*** B2BUA: Add From display name during re-INVITEs.

*** B2BUA: Fixes together with DNS Override.

*** B2BUA: Fixed spiral scenario that didn't always go through the B2BUA.

*** B2BUA: Fixed hold on transfer in spiraled media encryption scenario.

*** Media proxy: Handle media destination change on re-INVITE with "Reuse port numbers".


* GUI *****************************************************************

*** SIP Status: Disable tables when standby.

*** SIP Status: Don't output IDS/IPS if not enabled.


* VPN & IPsec *********************************************************

*** Increase Netlink sockets' receive buffer size.
    During reconfiguration, netlink events/messages from the kernel destined for the
    IKE daemon could be dropped, particularly when many interfaces and addresses
    were configured. The buffer size has been increased to mitigate this issue.

*** Remove installed 'traps' when terminating a tunnel.
    If an IPsec peer had 'Dead Peer Detection' enabled and the action was 'Trap', traps
    installed by the IKE daemon were not removed when the tunnel/peer was disabled or
    removed in the configuration. Any associated installed traps are now removed when a
    tunnel is terminated.

*** Add IPsec related kernel debug information to the "IPsec debug" log class.

*** Use the CHILD_SA 'uniqueid' to identify a tunnel instance.
    Prior to this fix the 'reqid' was used to identify an instance. However, it could change
    in a way that left the VPN daemon unable to correctly identify instances.

*** Fix a performance issue when adding/deleting firewall rules in the VPN daemon.
    Rules are now added and deleted in "batch mode". With *a lot* of rules, this fix
    improves performance significantly.

*** Set the MTU to 1400 on IPsec routes installed by the IKE daemon.
    This will fix fragmentation issues in certain scenarios.

*** Make secret/info set to '-' work with 'Trusted CA'.
    When set to '-' all available CA certificates found in the table 'IPsec CA Certificates'
    should be loaded. Prior to this fix, no certificates were loaded.


* Other ***************************************************************

*** Add support for turning off block device runtime power management.
    To avoid intermittent latencies when reading from the flash on hardware 97,
    "sleep/suspend" is disabled on that block device.
