Guest

Cisco Cloud Web Security

Release Note for Cisco Cloud Web Security Connector, Release 3.0

Table of Contents

Release Notes for Cisco Cloud Web Security Connector, Release 3.0

Introduction

Downloading the Latest Version of Cisco Cloud Web Security Connector

New Features in Release 3.0.1.9

New Features in Release 3.0.1.7

New Features in Release 3.0.1.2

New Features in Release 3.0.1.1

New Features in Release 3.0.1.0

New Features in Release 3.0.0.3

New Features in Release 3.0.0.2

New Features in Release 3.0.0.1

New Features in Release 3.0.0.0

System Requirements

Caveats

Cisco Cloud Web Security Connector 3.0.1.9 Caveats

Caveats Resolved by Release 3.0.1.9

Open Caveats in Release 3.0.1.9

Cisco Cloud Web Security Connector 3.0.1.7 Caveats

Caveats Resolved by Release 3.0.1.7

Open Caveats in Release 3.0.1.7

Cisco Cloud Web Security Connector 3.0.1.2 Caveats

Caveats Resolved by Release 3.0.1.2

Open Caveats in Release 3.0.1.2

Cisco Cloud Web Security Connector 3.0.1.1 Caveats

Caveats Resolved by Release 3.0.1.1

Open Caveats in Release 3.0.1.1

Cisco Cloud Web Security Connector 3.0.1.0 Caveats

Caveats Resolved by Release 3.0.1.0

Open Caveats in Release 3.0.1.0

Cisco Cloud Web Security Connector 3.0.0.3 Caveats

Caveats Resolved by Release 3.0.0.3

Open Caveats in Release 3.0.0.3

Cisco Cloud Web Security Connector 3.0.0.2 Caveats

Caveats Resolved by Release 3.0.0.2

Open Caveats in Release 3.0.0.2

Cisco Cloud Web Security Connector 3.0.0.1 Caveats

Caveats Resolved by Release 3.0.0.1

Open Caveats in Release 3.0.0.1

Cisco Cloud Web Security Connector 3.0.0.0 Caveats

Caveats Resolved by Release 3.0.0.0

Open Caveats in Release 3.0.0.0

Related Documentation

Release Notes for Cisco Cloud Web Security Connector, Release 3.0

Last Updated: October 27, 2014

This document includes the following sections:

Introduction

These release notes are for the following releases:

  • Cisco Cloud Web Security Connector 3.0.1.9
  • Cisco Cloud Web Security Connector 3.0.1.7
  • Cisco Cloud Web Security Connector 3.0.1.2
  • Cisco Cloud Web Security Connector 3.0.1.1
  • Cisco Cloud Web Security Connector 3.0.1.0
  • Cisco Cloud Web Security Connector 3.0.0.3
  • Cisco Cloud Web Security Connector 3.0.0.2
  • Cisco Cloud Web Security Connector 3.0.0.1
  • Cisco Cloud Web Security Connector 3.0.0.0

Downloading the Latest Version of Cisco Cloud Web Security Connector

To download the latest version of Cisco Cloud Web Security Connector, you must be a registered user of Cisco Cloud Web Security. To obtain the Cisco Cloud Web Security Connector software, follow these steps:


Step 1 Follow this link to the Cisco ScanCenter login page:
https://scancenter.scansafe.com/portal/admin/login.jsp

Step 2 Enter your Cisco Cloud Web Security credentials.

Step 3 Click the Admin tab.

Step 4 In the Downloads menu, click the required version of Connector (Windows or Linux).

Step 5 Follow the instructions in the Connector Administrator Guide, Release 3.0 to install the package.


 

New Features in Release 3.0.1.9

Cisco Cloud Web Security Connector 3.0.1.9 is a maintenance release that resolves the list of caveats in Table 2 . This release reverts the default behavior of domain name mapping to that of release 3.0.1.2.

New Features in Release 3.0.1.7

Cisco Cloud Web Security Connector 3.0.1.7 is a maintenance release that resolves the list of caveats in Table 3 . This release adds support for Oracle Java 7 and Windows Server 2012 R2. This release drops support for Microsoft ISA 2000.

New Features in Release 3.0.1.2

Cisco Cloud Web Security Connector 3.0.1.2 is a maintenance release that resolves the list of caveats in Table 4 . This release adds support for Windows Server 2012. This release is compatible with Red Hat Enterprise Linux / CentOS versions 5.4 and 6.x.


Note Connector 3.0.1.2 does not support 64-bit Java on 64-bit Linux. Customers who are using this configuration are advised to switch to 32-bit Java before upgrading to Connector 3.0.1.2.


When using Connector, the following actions are now supported.

  • Download files greater than 4GB through Microsoft TMG 2010.
  • Preemptive basic authentication.
  • Forwarding traffic directly to the destination server either by default or as a failover if the proxy server is unavailable.
  • User lookup by User Principal Name (UPN).
  • Bind to a specific IP address before connecting to a Cloud Web Security proxy server.

Microsoft Sharepoint and applications that start NTLM handshake on non-persistent connections are now supported by Connector.


Note If you are using Microsoft Forefront TMG 2010, you must upgrade to Forefront TMG 2010 SP1 before upgrading to Cloud Web Security Connector 3.0.1.2.


New Features in Release 3.0.1.1

Cisco Cloud Web Security Connector 3.0.1.1 is a maintenance release that resolves the list of caveats in Table 5 . This release does not introduce any new features.

New Features in Release 3.0.1.0

Cisco Cloud Web Security Connector 3.0.1.0 is a maintenance release that resolves the list of caveats in Table 7 . Connector 3.0.1.0 removes the limit of 250 concurrent SSL connections to the proxy server.

New Features in Release 3.0.0.3

Cisco Cloud Web Security Connector 3.0.0.3 is a maintenance release that resolves the list of caveats in Table 9 . This release does not introduce any new features.

New Features in Release 3.0.0.2

Cisco Cloud Web Security Connector 3.0.0.2 is a maintenance release that resolves the list of caveats in Table 11 . This release does not introduce any new features.

New Features in Release 3.0.0.1

Cisco Cloud Web Security Connector 3.0.0.1 is a maintenance release that resolves the list of caveats in Table 13 . This release does not introduce any new features.

New Features in Release 3.0.0.0

Cisco Cloud Web Security Connector 3.0.0.0 resolves the list of caveats in Table 15 . This release introduces support for NTLM pass-through.

System Requirements

Cisco Cloud Web Security Connector is a lightweight server application that enables granular policy and reporting in Cisco Cloud Web Security. Connector can support up to 2,000 seats.

Cisco recommends deploying Cloud Web Security Connector on a Cisco UCS C210 M2 server. For further information see http://www.cisco.com/en/US/products/ps10889/index.html . If you are using a different server, it should have at least a dual core CPU with 4GB of RAM.


Note Cisco Cloud Web Security Connector is not supported in virtualized environments. Multiple instances of Connector on a single server are not supported.


The following sections show the supported Windows and Linux versions.

Windows Versions

  • Windows Server 2012 R2 x64 (64-bit)
  • Windows Server 2008 R2 x64 (64-bit)
  • Windows Server 2008 x86 (32-bit) and x64 (64-bit)
  • Windows Server 2003 R2 x86 (32-bit)
  • Windows Server 2003 x86 (32-bit)

Note Cisco Cloud Web Security Connector is not supported on Windows Server 2012 x64 (64-bit).


Linux Versions

  • Red Hat Enterprise Linux 6 x86 (32-bit) and x64 (64-bit).
  • CentOS 6 x86 (32-bit) and x64 (64-bit).
  • Red Hat Enterprise Linux 5 x86 (32-bit) and x64 (64-bit).
  • CentOS 5 x86 (32-bit) and x64 (64-bit).

Note Red Hat Enterprise Linux 7 and CentOS 7 are not currently supported.


 

Table 1 Recommended Minimum Hardware by Operating System and Supported Seats

OS
CPU
RAM
Seats

RHEL/CentOS 6(32-bit x86 and 64-bit x64)

Dual core Xeon 3Ghz

4GB

10,000

RHEL/CentOS 5 (32-bit x86 and 64-bit x64)

Dual core Xeon 3Ghz

4GB

10,000

Windows Server 2012 R2 (64-bit x64)

Dual core Xeon 3Ghz

4GB

2,500

Windows Server 2012 (64-bit x64)

Dual core Xeon 3Ghz

4GB

2,500

Windows Server 2008 R2 (64-bit x64)

Dual core Xeon 3Ghz

4GB

2,500

Windows Server 2008 (32-bit x86 and 64-bit x64)

Dual core Xeon 3Ghz

4GB

2,500

Windows Server 2003 R2 (32-bit x86)

Dual core Xeon 3Ghz

4GB

2,000

Windows Server 2003 (32-bit x86)

Dual core Xeon 3Ghz

4GB

2,000

Caveats

Caveats describe unexpected behavior or defects in Cisco software releases.

Cisco Cloud Web Security Connector 3.0.1.9 Caveats

Caveats Resolved by Release 3.0.1.9

Table 3 lists the caveats that Cisco Cloud Web Security Connector 3.0.1.9 resolves.

Table 2 Caveats Resolved by Cisco Cloud Web Security Connector 3.0.1.9

ID
Headline

CWSSSC-3

Invalid groups names after upgrading to Connector 3.0.1.7.

BUG-3597

Connector 3.0.1.7 prompting end users for login credentials when browsing.

Open Caveats in Release 3.0.1.9

There are no known unresolved caveats in Cisco Cloud Web Security Connector 3.0.1.9.

Cisco Cloud Web Security Connector 3.0.1.7 Caveats

Caveats Resolved by Release 3.0.1.7

Table 3 lists the caveats that Cisco Cloud Web Security Connector 3.0.1.7 resolves.

Table 3 Caveats Resolved by Cisco Cloud Web Security Connector 3.0.1.7

ID
Headline

BUG-2979

Downgrade error message to a warning.

BUG-2988

Handle leak in ISA/TMG plug-in.

BUG-2996

Home page exception causes loss of granularity.

BUG-3002

Connector does not properly handle the response to an HTTP HEAD request.

BUG-3014

File downloaded through Connector has 13 KB missing.

BUG-3018

Requests can be sent to the wrong port over a persistent connection.

BUG-3206

PDF download ends up with “0” size only via Connector.

BUG-3227

Random loss of granularity.

BUG-3260

Removed an obsolete ISA/TMG configuration option from Connector installer for Windows.

EE-45

Fixed negative value in connector running time.

EE-82

Fixed null point exception occurs frequently in store request headers state.

EE-105

Remove CWS headers from incoming HTTP request messages.

EE-117

Secure renegotiation support.

EE-124

Configurable domain name mapping.

EE-134

Add a third LDAP sever to Connector.

EE-146

Add system local average to the Connector performance log.

EE-152

Do not allow a local account on a client machine to be used to gain the group memberships of a domain with a similar user name.

EE-158

Upgrade to Java 7.

EE-184

Remove ISA 2000 option from installer.

EE-187

Connector NTLM authentication (do not use LocalResponseFailoverNtlmResource by default).

EE-203

Switched off JMX.

Open Caveats in Release 3.0.1.7

There are no known unresolved caveats in Cisco Cloud Web Security Connector 3.0.1.7.

Cisco Cloud Web Security Connector 3.0.1.2 Caveats

Caveats Resolved by Release 3.0.1.2

Table 4 lists the caveats that Cisco Cloud Web Security Connector 3.0.1.2 resolves.

Table 4 Caveats resolved by Cisco Cloud Web Security Connector 3.0.1.2

ID
Headline

BUG-2860

Accept lack of boundary value for multi part Content-Type

EE-66

Add support in Connector for Expect header and 100 (Continue) status code.

EE-132

Option to use the Client IP from the X-Forwarded-For header if it exists in the HTTP request message.

EE-129

NTLM settings are not retained in Connector Configuration Wizard.

EE-135

log4j prints XML parsing warning message.

EE-137

Connector requires periodic restart when primaryProyType=SSL

EE-143

NTLM cache key causes frequent authentication against Active Directory.

Open Caveats in Release 3.0.1.2

There are no known unresolved caveats in Cisco Cloud Web Security Connector 3.0.1.2.

Cisco Cloud Web Security Connector 3.0.1.1 Caveats

Caveats Resolved by Release 3.0.1.1

Table 5 lists the caveats that Cisco Cloud Web Security Connector 3.0.1.1 resolves.

Table 5 Caveats Resolved by Cisco Cloud Web Security Connector 3.0.1.1

ID
Headline

EE-125

Group Lookup Settings not populated in Connector installation Wizard

EE-115

Add thread keepalive configuration property for the thread pool

EE-116

Support NTLMv2 for user identification only

EE-122

Add existing groupInclude property to the default agent.properties file

Open Caveats in Release 3.0.1.1

Table 6 lists the caveats that are unresolved in Cisco Cloud Web Security Connector 3.0.1.1.

Table 6 Caveats Open in Cisco Cloud Web Security Connector 3.0.1.1

ID
Headline

EE-66

Add support in Connector for Expect header and 100 (Continue) status code.

Cisco Cloud Web Security Connector 3.0.1.0 Caveats

Caveats Resolved by Release 3.0.1.0

Table 7 lists the caveats that Cisco Cloud Web Security Connector 3.0.1.0 resolves.

Table 7 Caveats Resolved by Cisco Cloud Web Security Connector 3.0.1.0

ID
Headline

BUG-2333

Support downloading files larger than 4GB through Connector and TMG 2010.

BUG-2345

Connector fails to start on new versions of Linux.

BUG-2352

Support Preemptive Basic Authentication.

BUG-2428

HTTP requests not handled properly when a user name is not provided during NTLM authentication.

BUG-2440

Basic Authentication Pass-Through not supported.

BUG-2453

AUP looping when persistent connections are enabled.

BUG-2523

Enable Connector to forward all traffic directly to destination Web server either as default configuration or as failover if Scanning Proxy is unreachable.

BUG-2565

Support user lookup by User Principal Name (UPN).

BUG-2688

Authentication pop up with Citrix.

BUG-2712

Add support in Connector for applications that start NTLM handshake on non-persistent connections, for example SharePoint.

BUG-2759

Connector does not enable SO_REUSEADDR before attempting to bind the server socket to port 8080.

EE-73

Do not forward an unexpected Proxy-Authorization header directly to an origin server.

EE-102

Provide option to bind to a specific IP address before opening a connection to the proxy.

EE-118

Remove 250 SSL Connection Limit

Open Caveats in Release 3.0.1.0

Table 8 lists the caveats that are unresolved in Cisco Cloud Web Security Connector 3.0.1.0.

Table 8 Caveats Open in Cisco Cloud Web Security Connector 3.0.1.0

ID
Headline

EE-66

Add support in Connector for Expect header and 100 (Continue) status code.

Cisco Cloud Web Security Connector 3.0.0.3 Caveats

Caveats Resolved by Release 3.0.0.3

Table 9 lists the caveats that Cisco Cloud Web Security Connector 3.0.0.3 resolves.

 

Table 9 Caveats Resolved by Cisco Cloud Web Security Connector 3.0.0.3

ID
Headline

BUG-2565

Connector losing granularity after LDAP server being taken off line and comes back on line.

EE-86

Provide full user granularity when the Connector is configured for persistent connections and basic auth using generic LDAP.

Open Caveats in Release 3.0.0.3

Table 10 lists the caveats that are unresolved in Cisco Cloud Web Security Connector 3.0.0.3.

 

Table 10 Caveats Open in Cisco Cloud Web Security Connector 3.0.0.3

ID
Headline

BUG-2440

Basic Authentication Pass-Through not supported.

BUG-2345

Connector fails to start on new versions of Linux.

BUG-2523

Requests sent to the wrong server when primaryProxy=DIRECT in agent.properties.

Cisco Cloud Web Security Connector 3.0.0.2 Caveats

Caveats Resolved by Release 3.0.0.2

Table 11 lists the caveats that Cisco Cloud Web Security Connector 3.0.0.2 resolves.

 

Table 11 Caveats Resolved by Cisco Cloud Web Security Connector 3.0.0.2

ID
Headline

EE-67

Provide full user granularity when the Connector is configured for persistent connections and NTLM.

Open Caveats in Release 3.0.0.2

Table 12 lists the caveats that are unresolved in Cisco Cloud Web Security Connector 3.0.0.2.

 

Table 12 Open Caveats in Cisco Cloud Web Security Connector 3.0.0.2

ID
Headline

BUG-2565

Connector losing granularity after LDAP server being taken off line and comes back on line.

BUG-2440

Basic Authentication Pass-through to Origin Server not working with Connector versions 3.0.0.0 and above.

BUG-2345

Connector fails to start on RedHat / CentOS Linux versions greater than 5.4.

BUG-2523

Connector should not send requests to the wrong server when filtering service is bypassed completely (by setting primaryProxy=Direct in agent.properties).

Cisco Cloud Web Security Connector 3.0.0.1 Caveats

Caveats Resolved by Release 3.0.0.1

Table 13 lists the caveats that Cisco Cloud Web Security Connector 3.0.0.1 resolves.

 

Table 13 Caveats Resolved by Cisco Cloud Web Security Connector 3.0.0.1

ID
Headline

BUG-2464

Fixed intermittent loss of granularity problem.

Open Caveats in Release 3.0.0.1

Table 14 lists the caveats that are unresolved in Cisco Cloud Web Security Connector 3.0.0.1.

 

Table 14 Caveats Open in Cisco Cloud Web Security Connector 3.0.0.1

ID
Headline

EE-67

Provide full user granularity (not just internal IP) for all HTTP requests

BUG-2565

Connector losing granularity after LDAP server being taken off line and comes back on line.

BUG-2440

Basic Authentication Pass-through to Origin Server not working with Connector versions 3.0.0.0 and above.

BUG-2345

Connector fails to start on RedHat / CentOS Linux versions greater than 5.4.

BUG-2523

Connector should not send requests to the wrong server when filtering service is bypassed completely (by setting primaryProxy=Direct in agent.properties).

Cisco Cloud Web Security Connector 3.0.0.0 Caveats

Caveats Resolved by Release 3.0.0.0

Table 15 lists the caveats that Cisco Cloud Web Security Connector 3.0.0.0 resolves.

 

Table 15 Caveats Resolved by Cisco Cloud Web Security Connector 3.0.0.0

ID
Headline

SS-13434

NTLM Pass-through to Origin Server not working with Connector.

SS-13344

Changed companyId property type from int to long.

BUG-2277

Fixed failover to secondary proxy over an SSL connection.

BUG-2263

Find security groups when CN and sAMAccountName do not match.

BUG-2331

Gracefully recover when the Content-Length header is missing.

EE-7

Added support for CIDR format IP address ranges in "ntlmIpExceptions" property.

EE-8

Support wildcards in the "groupInclude" property.

EE-10

Support connectorId configuration property that appears in the telemetry data.

EE-37

Flush output stream after each write. (Part of WebEx fix.)

EE-39

Improve logging during startup to help troubleshoot issues.

EE-41

Trim trailing white space from the license key property to avoid problems during startup.

Open Caveats in Release 3.0.0.0

Table 16 lists the caveats that are unresolved in Cisco Cloud Web Security Connector 3.0.0.0.

 

Table 16 Caveats Open in Cisco Cloud Web Security Connector 3.0.0.0

ID
Headline

BUG-2464

Intermittent loss of granularity problem.

EE-67

Provide full user granularity (not just internal IP) for all HTTP requests

BUG-2565

Connector losing granularity after LDAP server being taken off line and comes back on line.

BUG-2440

Basic Authentication Pass-through to Origin Server not working with Connector versions 3.0.0.0 and above.

BUG-2345

Connector fails to start on RedHat / CentOS Linux versions greater than 5.4.

BUG-2523

Connector should not send requests to the wrong server when filtering service is bypassed completely (by setting primaryProxy=Direct in agent.properties).

Related Documentation

For more information, see the following documents: