The latest AccessEnforcer release comes loaded with a bunch of features building on AccessEnforcer v5.0.0 enhancements. We think you’ll like these new changes; let’s start first with RDP options.
Gatekeeper RDP Options
Early Gatekeeper users: You asked for it, you got it! Based on popular demand we are excited to introduce Gatekeeper support for RDP options in AccessEnforcer v5.0.1. RDP options allow you to set the screen size, choose the monitors, allow sounds from the remote computer to be played on the local computer, sync the clipboards, and more.
These options are easily accessible via the new cogwheel icon next to the device icon:
These options are stored locally on the browser/device that you use to access the RDP host. For example, suppose you use Gatekeeper to RDP to the Windows Server from home using your souped-up Windows workstation with three ultrawide monitors. With Gatekeeper RDP options, you can tell Gatekeeper via RDP options to use all three monitors if you wish.
Of course one of the great things about Gatekeeper is that you can use it with virtually any device. If you also connect to that same Windows Server from an iPhone, you can keep separate RDP options locally on your iPhone. After all, we’re pretty sure there is no iPhone with three screens, at least for now!
This way you can have options that are specific to the browser/device that you’re connecting from, and won’t have to reconfigure them every time.
Gatekeeper SSH Options
Similar to RDP options, if you set up an SSH rule in Gatekeeper, you will also see the same cogwheel icon. Instead of screen size and audio options though, you’ll see a prompt for the desired username that you would like to use for the SSH connection:
When connecting to that SSH server from that point forward you will get a convenient ssh:// link which you can use to spawn your SSH client if your OS supports it:
We’re constantly trying to make it easy for you and your end users, and hope that you like these new RDP and SSH options!
It’s Alive! Introducing the Gatekeeper Status Check
Yet another cool feature we added is a status check. Gatekeeper now does a quick status check to confirm if the destination hosts are reachable before enabling the Connect button for your end users. If they are reachable from AccessEnforcer, their icons turn green like this:
If they are not reachable, their icons will be grey.
With this feature, you and your end users won’t have to guess if the system you’re trying to connect to is accessible or not. It will also help you troubleshoot if the RDP or SSH service is running on the destination host, or if any host-based firewall rules are blocking the connection.
It’s yet another way we strive to make things easy!
The “Detect Encryption Settings” Magic Button!
When you set up Gatekeeper, one thing you have to figure out is the encryption settings that your Active Directory server supports. This is needed for Gatekeeper to establish a secure connection with AD.
But as we all know, figuring out encryption is like trying to decipher a bowl of alphabet soup — is it TLS? STARTTLS? Or something else? Furthermore which port of the AD server provides encryption? This often involves a bunch of trial and error before you finally arrive at the correct cryptographic incantation that makes everything work.
Wouldn’t it be nice if there’s a button that you could just press that could figure all that cryptogobbledygook out for you? Your wish is our command!
Try the Detect Encryption Settings button on the Gatekeeper Portals page. Press it, and abracadabra! The highest negotiated encryption settings combination of your AD server are automatically set for your portal.
Who says magic doesn’t exist in real life? 😄
Web-based interfaces are everywhere these days, and they’re usually (but not always) powered by HTTPS. We are proud that the AccessEnforcer GUI has been powered by HTTPS from the very first unit we ever shipped; we have never shipped with an insecure HTTP-based GUI ever!
However, HTTPS-based interfaces require certificates — as a result, we have to ship AccessEnforcer units with self-signed certificates since it is infeasible to know the final DNS name that the AccessEnforcer will use in the field. This unfortunately meant that our users had to go through the process of obtaining a proper signed certificate from a trusted CA, which can be a time-consuming process.
But that changes today! AccessEnforcer v5.0.1 supports obtaining certificates from Let’s Encrypt™, enabling a fully-signed and trusted HTTPS connection to your AccessEnforcer interface with literally the click of a button! This new feature is available at the new Setup > Network > Domain Names and Certificates page. All you need to do is to add your AccessEnforcer DNS name, say ae.abcproservices.com, check Domain name is used for AccessEnforcer UI, and press Save.
Next, all you have to do is press the Request Let’s Encrypt™ Certificates button, and you’re done!
After you set up the Let’s Encrypt certificate, it will automatically renew itself. There is no maintenance needed after that.
As you can see, it’s as easy as it gets!
So if you’ve been holding off from getting a proper certificate for your AccessEnforcer due to the hassle, we encourage you to give this new feature a whirl and let us know what you think!
Geo Fence Alerts Now in Reports
We introduced Geo Fence in AccessEnforcer v5.0.0. In this release we made improvements so that the counts of Geo Fence alerts are now included in the daily/weekly PDF (and CSV and Excel) reports from the AccessEnforcer.
If you look at the new reports you will notice new rows under “Network Alerts”:
Geo Fence alerting IP addresses are also now counted under “top alerting IP addresses”:
Geo Fence continues to be an eye-opener for many users because it exposes the massive amount of unseen probes and attacks from hostile sources in various countries. This is an easy way to communicate the value of AccessEnforcer to your end users. If you have not enabled Geo Fence, we highly encourage you to do so!
Quick Tip: Whenever possible, it is much better to use Geo Fence to allow access from only a small list of countries that you wish to allow, rather than blocking many countries. This enables Geo Fence to process a smaller set of IPs, thus resulting in better performance.
Boosting the Boot Speed by 2x-5.5x
We received reports in the field that v5.0.0 boot speed was rather slow. We’re not happy when you’re not happy, so we rolled up our sleeves and got straight to work.
In the software development world, there’s a developer mantra that goes: “Make it work, make it right, make it fast”. We have spent a lot of time making things work and making them right on the AccessEnforcer boot process — in this release it was time to make it fast!
We analyzed the entire boot process over and over and meticulously collected timing data. Then we identified the bottlenecks and brainstormed and implemented ways to remove them or speed them up. No stone was left unturned — we looked at the startup times for the network initialization process, underlying firewall rules, outbound filtering rules, port forwarding rules, the DHCP server, IPsec VPN, and so on and so forth, and we optimized them all.
The end result? Boot speed is now up to 2 to 5.5 times faster compared to v5.0.0 depending on the AccessEnforcer model and how your AccessEnforcer is configured.
But that’s not all! We have also taken the opportunity to rearrange how boot is done so that your end users on the LAN can get on the Internet as early as possible. This way even when the system has not fully finished booting, end users are able to safely get online because the components that are responsible for outbound Internet access are already up and running.
Yet another benefit of speeding up the startup time of various components is that runtime performance has been improved as well.
We made a bunch of improvements to the GUI:
Critical System Alert – System Booting. This message is an additional benefit of the boot speed project. The login page will indicate if AccessEnforcer is booting so that you are aware that some components may not yet be ready and passing traffic. You can proceed to login to the system to see the details regarding the boot process.
Quick Tip: DO NOT POWER OFF THE SYSTEM when this System Booting message is displayed. Any power cycle of the system during this boot phase may required advanced troubleshooting, a full system restore or other significant service disruptions.
GUI progress bar. The new boot process also makes it possible for us to provide a progress bar to show you when boot will complete:
System Status Page. The System Status page has been substantially improved (you should notice right away after login):
- Optimized System Status page. The System Status page is faster to load than before. Similar to the boot process, we analyzed the internals and made changes to speed it up so that the user experience is now smoother than before.
- CalyptixVPN status fix. We fixed a bug on the System Status page that incorrectly shows that CalyptixVPN is disabled when it is actually enabled.
Gatekeeper. We have made two Gatekeeper-related GUI changes:
- Improved invitation flow. After inviting users, the Gatekeeper administrative interface now provides a convenient link for you to continue to setup Gatekeeper rules.
- Logout attempts. Logouts from the Gatekeeper End User Interface are now logged on the Gatekeeper Login Attempts page.
- Gatekeeper Rules. The Gatekeeper Rules table is now sortable.
DHCP Server GUI. The DHCP server GUI was improved as follows:
- DHCP options and reservations. The DHCP Options and DHCP Reservations tables are now sortable and feature an inline search/filter feature to quickly find the option or reservation you need to check for or delete.
- DHCP reservation fix. We fixed a bug that prevented the DHCP server from starting when certain reservations are specified.
More Fixes and Improvements
Last but not least, here are some other fixes that we made:
- IDS/IPS restore fix. We fixed a bug that prevented the IDS/IPS engine from starting when a backup file with a Talos oinkcode is restored onto a freshly built AccessEnforcer.
- IPsec failover fixes. We improved the IPsec failover implementation and fixed a few bugs that could prevent failover from occurring.
- SNMP Agent reliability fix. We made a reliability fix to the SNMP Agent.
- Removal of POP3 Filter. The POP3 filter, which has been deprecated since v4.0, has been removed.
We hope you enjoy this release of AccessEnforcer! We truly value your trust in what we do, and will strive to earn your business every day.
One more thing — while not related to this release, we have a new YouTube channel now! We currently have Gatekeeper videos hosted there and will work on more. Be sure to subscribe so that you’ll know when we add more videos in the future!