Description
Announcing ExOS 6.4
NOTES:
- It is recommended that you use 6.4.3
- This release includes all changes from 6.3.12
- No 32-bit images are provided. 6.4 will not be supported on 32-bit hardware.
Platforms:
- 2061, 4010, 4061, 6060, 6062, 8060, 8062, 10060, 10062, Virtual
Supported upgrade versions:
- 6.0, 6.1, 6.3
Link to download the update:
Notices:
- If you are using SSL acceleration, read the known issues below before upgrading. There are configuration changes needed. Please see: http://support.exinda.com/topic/configure-an-ssl-acceleration-server-with-sni - This has been fixed in 6.4.0 Update 1
- If you are upgrading to ExOS 6.4 from ExOS 5.x or earlier:
- This upgrade is not supported. Please upgrade to ExOS 6.3 first.
- New ports will need to be opened in any firewalls sitting between two accelerating Exindas to take full advantage of the new features.
- The SSL acceleration configuration distribution feature uses TCP port 8018. This port needs to be open between appliances for this feature to operate correctly.
- The new community feature uses TCP port 8017. This port needs to be open between appliances for acceleration to operate correctly.
- In order to accelerate to appliances running versions prior to 6.4 the community compatibility option needs to be enabled.
- Encrypted volumes will work in version 6.3.0 and newer. If you enable disk encryption you will not be able to downgrade to versions prior to 6.3.0.
- New images for the Virtual appliances are not yet available. To install a new virtual appliance running 6.4.0, please first install 6.3.0 and upgrade to 6.4.0.
- When updating to 6.4 from a previous version, there is an upgrade of all the data stored on the appliance. This update process may take up to 24 hours depending on the amount of data stored on the appliance and the type of appliance. While this upgrade is happening, the charts will show "no data available". You can check the status of the data update on the Dashboard -> System page.
If you are running a release prior to 6.1 and your existing RAM usage, as seen on the "Monitor / System / Ram Usage" graph, is over 80%, then upgrading may push your appliance beyond its capabilities. Contact Exinda to inquire whether a RAM upgrade kit is available for your platform before upgrading to 6.3. It is highly recommended that 6.3 only be installed on appliances with 4GB of RAM or higher.
Major Features:
Improved SMBv2 acceleration performance [B-01629]
SMBv2 acceleration performance has been improved significantly on the warm pass where the object cache is no longer fresh. This will happen if a change is made to the file on the server from a different location. No configuration changes are necessary to take advantage of this new capability.
Improved MAPI acceleration performance. [B-01431, B-01484]
When accelerating MAPI traffic, the reduction due to Wan Memory has been improved. Small matcher no longer needs to be used for accelerating MAPI.
Encrypted MAPI Alerting. [B-01506]
The system now alerts when it detects encrypted MAPI traffic. The traffic will be sent through unaltered; no acceleration is attempted. If you have encrypted MAPI and need to disable MAPI acceleration, you can do so with the following CLI command: no acceleration mapi enable
High availability (HA) for x800 [APP-7732, APP-5685, APP-7680]
- When using a cluster of appliances in a high availability configuration, the processing of acceleration connections will be distributed over the cluster.
- Data stored by Wan Memory on any appliance within the cluster will be sent to other Wan Memory devices in the cluster for storage.
- Traffic that is leaving via one appliance in the cluster but returning via another member of the cluster (asymmetrically routed) will now be accelerated correctly.
- Some members of the cluster may optionally not participate in acceleration. This can be used to have inline appliances provide monitoring only, while redirecting all traffic to be accelerated to one or more out-of-line appliances.
- "show redirect-mappings" and "show appliances" CLI commands have been added to display HA redirect mappings and cluster appliances.
For more information please refer to the How To Guide:
SSL configuration distribution [APP-6128]
Configuration for SSL acceleration services created on one appliance will be automatically distributed to all other appliances in the community. All SSL acceleration configuration, including certificates and private keys, only needs to be performed on the appliance that is closest to the server. All the other appliances will automatically receive and activate this same configuration. This distribution uses TCP port 8018 between appliances (see Notices above). If you are installing 6.4.0 and not 6.4.0 Update 1, please see the following support article for an important configuration change that needs to take place to continue accelerating SSL connections:
This has been fixed in 6.4.0 Update 1.
URL logging [APP-2584]
Optional ability to log the full URL and associated information, such as packet and byte counts, IP addresses, destination port, and start and end times, for all HTTP connections. The number of days that the information is retained may be configured. This feature is not enabled by default. This information is only available via the external SQL interface. For more information please refer to the How To Guide:
Disk encryption [APP-6127]
Optional support for encryption of the Wan Memory, cifs and edge cache data stores. You can find the controls for disk encryption in the WUI on the System-> Setup-> Storage page.
Support for PBR single interface acceleration [APP-7266]
Support for acceleration and monitoring via a single interface using a policy based routing (PBR) configuration on an attached router, with the ability to send traffic back to this router over the same interface after processing. Optional support for VRRP (Virtual Router Redundancy Protocol) as part of the PBR integration. Can be used instead of, or in conjunction with, bridge based acceleration and monitoring. For more information please refer to the How To Guide:
WUI schedules management [APP-7031]
Scheduled jobs can now be managed via the WUI. This simplifies the process of scheduling pre-population, tcpdumps, re-boots, upgrades and other operations. Create and Manage schedules in the WUI on the Objects-> Schedules page. Once you have created named schedules they can be used in other parts of the configuration.
Pre-population scheduler integration [APP-6897]
The pre-population WUI configuration has been extended to incorporate the management of schedules to execute the jobs at scheduled times. The pre-population WUI can be found on the System-> Optimization-> Pre Population page.
Automatic Baseline of Application Performance Scoring (APS). [B-01466]
The system is now capable of monitoring application traffic for an hour, a day or a week to deduce the proper values for the APS object. This allows the creation of an APS without the customer having to figure out the proper values to use. APS objects can be created on the Objects-> Service Levels-> Application Performance Score page. Click on the online help to learn more about the new baseline feature. The CLI command 'monitor apm transaction normalize' now accepts a value of 0 (zero), which disables normalization. This is useful for monitoring small-packet protocols such as RDP and Citrix. If these are the most important applications to monitor, use this command to disable normalization, which will produce proper values for these protocols.
New community [APP-5661]
A new community to manage and track other appliances has been added. This reduces the CPU load and the number of network connections created by the community feature when large communities are present. It also greatly simplifies the replacement or upgrade of existing community members due to hardware upgrades or support replacements. If you will be running a mixed pre-6.4 and 6.4 environment for any length of time, you should enable the backwards compatibility mode on your 6.4 appliances. You can do that in the WUI by going to the System-> Optimization-> Community page and enabling the "Support versions (pre v6.4.0) Enabled" check box.
Improved SSL acceleration capabilities:
Please refer to the updated How To Guide:
- Support for CA certificate validation methods [APP-4537]
- Allows a specific CA or the full set of CAs to be used to validate server supplied certificates. Includes support for full path validation of chained certificates. This is located in the WUI on the System-> Optimization-> SSL page
- This release and all future releases include a set of public CA certificates in a default installation [APP-4538]
- This allows for CA validation against public certificate authorities without the need to explicitly load those CA certificates.
- Support for OCSP validation of server supplied certificates [APP-7333]
- Allow for validation of certificates using OCSP either via manually configured OCSP server or via the OCSP servers specified via the AIA extensions in the certificates.
- Extended cli certification information to show expiration information [APP-7193]
- The expiration status is now also visible via the cli
- Send intermediate CA certificates to the client [APP-7027]
- Send any required intermediate CA certificates to the clients to allow them to validate the server certificate without the need to have the intermediate CA certificates loaded.
- Provide separated certificate views on the wui [APP-4539]
- Separate views are provided to allow viewing just the CA certificates, just the normal certificates or all certificates to make it easier to locate certificates of the specified type.
- Support certificate generation [APP-7028]
- Support on appliance certificate and private key generation for use with SSL acceleration to make it easier to deploy and test ssl acceleration without the need for a separate certificate authority.
- Enable exporting appliance certificates [APP-7449]
- The appliance certificates (but not private keys) may be exported from the wui in order to allow them to be loaded into other devices
- Support for client side certificate for SSL [APP-6709]
- SSL configuration may now include a client certificate which will be presented to the server as the authentication certificate.
- Support for SNI certificates in SSL acceleration. [APP-4064]
- Enable support for multiple SSL services using the same IP and port via the SNI (Server Name Indication) SSL/TLS extension. This allows multiple certificates to be configured for a single server, with SNI being used to select which certificate during SSL session negotiation.
Edge Cache Performance improvements [APP-7580,D-01401]
Edge Cache now monitors the system performance and determines if a connection would be better served by going directly to the Content Server or waiting for resources to potentially serve the content from cache. As a result, Edge Cache can be used in environments where the cacheable content throughput is higher than the stated platform capability for Edge Cache.Edge Cache also has a higher connection count capability with this release.
AD client improvements [APP-8167]
A new version of the Active Directory client has been released with 6.4.0. This version is 1.1.0. The improvements include:
- The AD client no longer needs to be installed on the Domain Controller. It can be installed on a member server instead.
- The AD client no longer sends information on startup about users who are disabled in your Domain Controller.
For more information, please refer to: http://www.exinda.com/downloads/active-directory-6.4.pdf
This version of the client can also be used with previous versions of the appliance. You can download the client from this link: http://updates.exinda.com/adclient/ExindaADSetup-v1.1.0.msi
Core networking improvements [APP-6310]
- PRR-SSRB (Proportional Rate Reduction with Slow Start Reduction Bound) has replaced the rate halving algorithm. Proportional Rate Reduction (PRR) and related algorithms improve the accuracy of the amount of data sent by TCP during loss recovery.
- Increased the initial congestion window size to 10 packets and increased the default initial receive window to improve the latency and performance of high bandwidth connections.
- Added multi-queue support for VMware para-virtual NICs to provide better multicore CPU scaling.
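As an added illustration (not Exinda's code and not part of the original release notes), the following Python models the per-ACK decision of PRR-SSRB as specified in RFC 6937, the algorithm the notes say replaced rate halving; the flight sizes, loss counts and ssthresh values in the recovery episodes are constructed assumptions.

```python
# Added illustration (not Exinda code): per-ACK update rule of Proportional
# Rate Reduction with Slow Start Reduction Bound (PRR-SSRB, RFC 6937), which
# the release notes say replaced rate halving. Units are segments (MSS = 1);
# every recovery episode below is constructed, not captured traffic.
import math

MSS = 1


class PrrRecovery:
    """State for one loss-recovery episode, following the RFC 6937 pseudocode."""

    def __init__(self, flight_size, lost, ssthresh):
        self.recover_fs = flight_size   # RecoverFS: FlightSize when recovery began
        self.ssthresh = ssthresh        # window the algorithm converges to
        self.pipe = flight_size - lost  # in-flight estimate (RFC 6675 pipe)
        self.prr_delivered = 0          # segments delivered during recovery
        self.prr_out = 0                # segments sent during recovery

    def on_ack(self, delivered):
        """Handle one ACK/SACK that newly delivers `delivered` segments.

        Returns sndcnt, the number of segments the sender may transmit now."""
        self.prr_delivered += delivered
        self.pipe -= delivered
        if self.pipe > self.ssthresh:
            # Proportional phase: keep sent/delivered at ssthresh/RecoverFS
            sndcnt = math.ceil(self.prr_delivered * self.ssthresh
                               / self.recover_fs) - self.prr_out
        else:
            # Slow Start Reduction Bound: catch up towards ssthresh, at most
            # one MSS more than this ACK (or the backlog) delivered
            limit = max(self.prr_delivered - self.prr_out, delivered) + MSS
            sndcnt = min(self.ssthresh - self.pipe, limit)
        sndcnt = max(sndcnt, 0)
        self.prr_out += sndcnt          # sender transmits exactly sndcnt
        self.pipe += sndcnt             # cwnd = pipe + sndcnt
        return sndcnt

    @property
    def cwnd(self):
        return self.pipe


def run_recovery(flight_size, lost, ssthresh, acks):
    """Feed per-ACK delivered counts; return (segments sent, final cwnd)."""
    rec = PrrRecovery(flight_size, lost, ssthresh)
    for delivered in acks:
        rec.on_ack(delivered)
    return rec.prr_out, rec.cwnd


if __name__ == "__main__":
    # 20 segments in flight, 1 lost, ssthresh 10: sending is spread evenly
    # across the ACKs and cwnd ends exactly at ssthresh
    print(run_recovery(20, 1, 10, [1] * 20))
    # Heavy loss (12 of 20): pipe starts below ssthresh, so SSRB sends two
    # segments per ACK (slow-start style) instead of stalling
    print(run_recovery(20, 12, 10, [1, 1]))
```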
Base platform improvements [APP-6744]
A large number of updates to the base platform, providing:
- Security fixes to base components
- Improvements to malformed cookie handling
- Performance improvements
- Large number of improvements to the TACACS+ support
- Large number of improvements to the SNMP support
Minor improvements:
- Released in 6.4.0 Update 1 (6.4.0.2137)
- Application Performance Score adds Non-normalized Delays [B-01660]
- The Application Performance Score feature tracks Network and Server delay. In previous versions, these delays were normalized for a 1KB packet size. In some cases where the protocol used small packets, this normalization resulted in delays that were larger than they should have been. With this version, the user has the ability to select normalized or non-normalized delays to use as part of the APS score.
- If you would like to use non-normalized delays instead of normalized delays, then leave the normalized delay entry fields blank. All blank fields in an APS do not contribute to the overall performance score.
- Virtual Circuit PDF reports now have the option to show percent utilization [B-01871]
- The PDF report for the Virtual Circuit traffic mix now has the ability to show percent utilization rather than absolute bandwidth. This is beneficial when the report is being viewed to determine how much of the circuit is being used rather than the absolute amount of traffic flowing over the circuit.
- Released in 6.4.0
- Permit IPv4 vs IPv6 separation by allowing the creation of network objects with subnets '0.0.0.0/0' (ipv4) and '::/0' (ipv6) [APP-7667]
- Filtering all IPv4 or all IPv6 traffic is now possible. This can be achieved by creating a network object of '0.0.0.0/0' to match all IPv4 traffic, or a network object of '::/0' to match all IPv6 traffic.
- Include the maximum, in addition to the average, on the SLA graphs [APP-7239]
- The SLA graphs on the WUI and reports previously only showed the average. The maximum is now displayed in addition to the average to make it easier to see why an SLA alert triggered.
- Allow tcpdumps to be performed from a scheduled job [APP-7541]
- Allow the tcpdump cli command to be executed from the job scheduler. With the scheduler now available on the WUI this makes it possible to schedule captures at specific times.
- Indicate database status on the system dashboard [APP-7716]
- The status of the monitoring database is now shown in the system dashboard. This will indicate when the database is unavailable due to upgrade or downgrade operations being in progress.
- Support for multiple subnets in a single PDF report [APP-2276]
- Multiple subnets can be selected for inclusion in PDF reports.
- Increase maximum cacheable object size in edge cache to better handle windows and apple updates [APP-7762]
- The default and maximum object size that can be cached has been increased and additional expiry rules have been added to enable better caching of operating system updates.
- Support for SMTP authentication [APP-7438]
- Authenticated SMTP servers are now supported for emailing reports and alerts.
- Added the option to show user information in realtime display [APP-4623]
- The user information that was previously only visible on the WUI realtime pages is now also available via the cli realtime commands.
- Added percentile lines to the 'Monitor -> Interfaces' graphs. [APP-2492]
- The option to display a percentile line is now available for the throughput and packets per second graphs.
Bug fixes and minor improvements:
- Released in 6.4.0 Update 1 (6.4.0.2137)
- [D-01662] system: fixed a system crash that occurred when the system was under heavy load from a vulnerability scanner.
- [D-01571] Recently YouTube made a change to their system that caused Exinda's caching of YouTube videos to return the incorrect video. This has been addressed.
- [B-01859] SSL Configuration may break after the upgrade to 6.4.0. This known issue from 6.4.0 has been resolved.
- [D-01437] reporting: On the SLA graphs under Monitor -> Service Levels -> Network Response (SLA), the latency average (blue line) is being reported as Mbps instead of ms.
- [D-01450] Fixed a bug where PDF Reports can't be created in the WUI
- Released in 6.4.0
- [APP-8167] active directory: Update the embedded AD client to 1.1.0
- [APP-6061] network objects: Don't permit renaming when referred to by an APS or Application
- [APP-7649] wui: Show the window size when selecting the TCP window scaling factor
- [APP-6893] wui: Permit APM and APS objects with quotes in the name to be deleted
- [APP-6853] wui: Log page navigation does not work if the filter contains an '='
- [APP-2922] wui: Enable proxy to be configured in the basic wizard
- [APP-1879] wui: Pre-fill fields with common values when creating an SLA
- [APP-2500] wui: Subnet graphs do not appear when subnet name contains punctuation characters
- [APP-2626] wui: Ensure all PDF and print links work when objects contain punctuation characters
- [APP-6891] system: Clean out files under /var more frequently
- [APP-6590] system: Allow VLANs on a bridge to be re-created on system restart
- [APP-7066] system: Permit management access via a VLAN on a bridge to work
- [APP-7123] lsmd: Make lsmd work if the bridge is disabled on boot and then enabled at a later stage
- [APP-7007] ha: Ensure edge cache configuration is replicated
- [APP-6850] wizard: Cannot edit existing optimiser related value
- [APP-5750] monitoring: Enable bridge direction alert for IPv6 traffic
- [APP-5096] monitoring: Enable DCERPC (mapi, dfs etc) support for IPv6 traffic
- [APP-4667] reporting: Fix graph titles for specified WAN interfaces
- [APP-1230] reporting: Improve titles for all on-demand PDF reports
- [D-01241] system: Added support to change the kernel code dump level in case we need to reduce the size of the core. Default is 17,31. When the 'core' option is selected, both a dmesg and a core are produced
- [D-01200] acceleration smb: Fixed an issue with NetCache Filers and our acceleration
- [APP-8093] collectord: voip: Improved the accuracy of the MOS score values
- [D-01211, APP-8187] adaptive response: Fixed issue with rules being applied to external network objects
- [B-01588] classification: Improved L7 classifications. See below for the set of improvements.
L7 Classification Improvements:
- New protocols:
- Google with subtypes 'Drive', 'Plus', 'Docs', 'Cloud' & 'Encrypted', CyberGhost, SPDY, HTTP subtype 'Video' & 'Audio'
- New applications:
- Box, Vippie, SkyDrive, Adobe Creative Cloud, LinkedIn
- Improved detections:
- Skype, Tango, Goober, Viber, Thunder, Paltalk, Quicktime, SSL, RTP/RTCP, LDAP, eBuddy, Steam, IM+, ooVoo, HTTP, YourFreedom, Spotify, Yahoo, QQ
- Improved application detections:
Known Issues:
- [D-01437] reporting: On the SLA graphs under Monitor -> Service Levels -> Network Response (SLA), the latency average (blue line) is being reported as Mbps instead of ms.
- [D-01469] VLAN tag rewriting through policy rules does not rewrite the tag.
- [D-01514] The Subnet report may show the wrong bytes received or sent from each subnet when not sorted by name.
- The work around is to sort subnets by name. This can be controlled on the System-> Setup-> Monitoring page. Select "Sort Subnets by Name". This is disabled by default.
- [D-01519] In some circumstances accelerating MAPI connections would cause clients using the encrypted MAPI protocol to experience disconnections from the server.
- [D-01535] system: If Asymmetric Flow alerts are enabled and there are many simultaneous asymmetric flows, the collection engine may experience a process crash. The result will be a larger than usual spike in the traffic graphs when the collection engine restarts. Traffic will continue to be processed properly.
- [D-01541] mapi: under certain circumstances the mapi acceleration component would get stuck in a loop and would consume a lot of CPU resources. It would also stop being able to accelerate further MAPI traffic.
- [D-01595] When UltraSurf is being blocked, it looks for another transport mechanism to use to get through the Exinda. One of the mechanisms that is used is HTTPS. When this happens, UltraSurf no longer gets recognized as UltraSurf. As a result it starts to get through the Exinda blocking rules because it is no longer classified as UltraSurf traffic. One workaround for this behaviour is to throttle the traffic to some small trickle rather than block it outright. Another workaround is to build a rule using the HTTPS common name.
- [D-01596] shaping: enabling Global QoS on license levels higher than 2 Gb/s yields poor performance.
- [D-01622] APS: the APS score may show a very large loss % (greater than 100%) in some circumstances. This happens when there are packet retransmissions with corrupted packets.
- [D-01656] When accelerating traffic to or from a FreeBSD based system, the timestamps of the TCP packets will not be updated in a manner that is acceptable to FreeBSD. This causes FreeBSD to reject the packets, resulting in slow traffic between the FreeBSD system and the client or server it is communicating with. There is a workaround. Please contact Support at www.exinda.com/Support for assistance with the workaround.
- [D-01724] SSL Acceleration: The SSL process is sending a lot of data throughout the day to all the peers in an acceleration community. This shows up as ExindaSSL traffic.
- [APP-7426] pre-population: NTLMv2 authentication for HTTP is not supported
- [APP-3275] monitoring: Graphs/tables showing data for "last 60 minutes" show "this hour" in the drill-down reports.
- [APP-668] cli: command completion does not work for names with multiple words (that contain a space). e.g. show policy my policy