We released public ASG V7 ISO and VMWare images for everyone who is interested. The images will allow an installation of ASG V7 BETA on PC or VMware, all features and functions enabled.
Please check out the huge list of new features:
- Active/Active Clustering, SSL VPN
- Ethernet Link Aggregation
- OSPF Routing
- TACACS+ authentication
- OpenPGP and S/MIME email encryption
- FTP Proxy
- IM/P2P Control
- Multi-admin support and tracking
- End-user self service portal
- Customizable system messages
For a quick overview: there is a V7 BETA demo server at https://v7demo.astaro.com (This is a very long announcement… please scroll down to the end for download instructions)
Enhanced GUI & Usability Improvements
By using advanced HTTP technologies like AJAX, the V7 WebAdmin interface has been completely redesigned now providing a new look & feel, a lot of usability improvements and now working much faster then previous WebAdmin versions. Among others it includes the following improvements:
- new dashboard views for quick overview about system modules and resources, security applications, active tasks (e.g. configuration), and functions.
- Multiple multi-admin support, which allows multiple admins to work at the same time on ASG V7.
- Allows creating new network objects from any point within WebAdmin without the need to jump between submenus.
This new portal provides many new self servicing capabilities for each individual end user therefore reducing the burden for the administrator significantly. Through the portal each end user can access his:
- Mail manager for managing his quarantined mail objects (release, whitelist,…) and defining his POP3 accounts
- Remote access manager for one-click downloads of complete VPN client packages (software, setup and certificates) for IPSec and SSL.
- POP3 prefetch configuration for individual en-/disabling of this new mode.
Customizable end user messages
Administrators can now individually customize and localize all notifications, HTTP-Status/Error pages, messages and mails that are viewed by end user (not admin) to individual needs and rules. E.g. the header of a “Content Blocked” page is customizable with logo/banner and with some descriptive text. The content is customizable within subject and description, the details are not customizable (depend on the context). All end user messages (especially the customizable parts) support multiple languages (utf8/unicode compatible).
A new GUI allows configuring for each notification if the administrator wants to receive it or if it should be silently dropped. This provides administrators with easier control of the alerts and notification he is interested in.
The Astaro cluster solution provides active/active high availability as well as state-of-the art scalability based on Astaro's self developed patent pending technology. The cluster distributes cost-intense tasks like content scanning, IPSec and intrusion protection to multiple nodes without the need for an external load balancer, thus providing effective and flexible speed-up. For each task a total throughput of 1GBit/s is targeted for the cluster. A cluster can consist of up to 10 units (1 master, 1 slave, 8 nodes). The master distributes workload among slave and nodes. The slave takes over duty from master in case of master failure. Firewall applications only run on master.
VoIP optimized QoS support
Allows for granular definition of policies for bandwidth usage. Provides better support for applications that need specific quality of service levels for delay and throughput (such as real-time applications). Customer can define rules to specify min/max uplink/downlink bandwidth depending on “traffic selector”. Traffic selectors are traffic types depending on parameters like connection, service, host, packet length as well as specific TCP and QoS flags (ToS/Type of Service, DSCP/DiffServ Code Points) set in the packet. Most of these traffic selectors will be pre-defined and selectable from a list.
SSL VPN with Client
Enhances security and ease of use for mobile users by adding SSL VPN gateway capabilities. OpenVPN client allows using most applications remotely via the VPNs including native MS Office and file sharing (in contrast to other SSL solutions without client which only support web based applications). To make installation of the extra client as easy as possible we have created a new end user portal where the user can login and then download his customized ssl vpn client package which includes software, certificates and configuration handled by a simple One-Click installation routine. A single access profile is supported for remote users which avoids extra configuration effort for SSL and IPSec VPN.
Ethernet Link Aggregation (Port Trunking, Bonding…)
Allows aggregation of up to four (physical) Ethernet connections into one (logical). This can be used to increase network throughput as well as reliability e.g. by connecting the ASG Ethernet interfaces to different redundant switches. The implementation will be based on the IEEE 802.3ad recommendation.
Dynamic OSPF Routing
Allows for automatic distribution of network routes, i.e. an automatic recognition of the network topology without the need to define static routing on each firewall or router. OSPF is probably the most widely used interior gateway protocol today and provides many advantages compared with the older RIP protocol. V7 implements OSPFv2 according to RFC 2328 including MD5 and plain text password authentication
Zero Latency/ Zero Configuration HA
ASG V7 also provides an improved HA concept (“active-passive”, “hot standby”). The takeover time after a failure has been reduced to less than 2 seconds (compared to one minute or more in previous versions). Additionally to packet filter connection synchronization (which is already present in ASGV6) all IPSec tunnels are now also being synchronized. Therefore road warriors as well as remote VPN gateways do not need to re-establish IPSec tunnels after a takeover. Also, quarantined objects are synchronized. The V7 HA functionality also provides an „automatic setup” (zero configuration) mode which configures the unit automatically for HA depending on whether it finds a master or slave unit on a specific interface (the HA port).
Improved VoIP security via enhanced H.323 Helper
H.323 connection tracking helper now supports all combinations of signalling and data channels when using H.323 protocols. This provides enhanced security as only the required firewall ports will be opened during the conversation. This feature is included under the new main WebAdmin menu VoIP Security
Provides more fine grained configuration options for the DNS proxy (e.g. Split DNS, host configuration, additional DynDNS settings)
TACACS+ authentication support
Allows authentication of ASG users against servers using the Cisco TACACS+ authentication protocol
VPN configuration for network groups
Allows creation of VPN tunnels between groups of local and remote sub-networks. Makes VPN configuration easier by avoiding separate tunnel creation for each single combination of local/remote subnets.
Configurable DSL reconnect
Allows to specify a time at which the DLS connection (PPPoE, PPPoA) should be dis-/reconnected to prevent a network interruption during working hours. We also offer a button in webadmin to force an immediate reconnection (in V6 there is a fixed, unconfigurable delay of 900 seconds before the next reconnect will be initiated)
OpenPGP & S/MIME Email encyption / decryption with SMTP proxy
Provides world's first transparent encryption, decryption, and digital signatures of e-mails within an UTM gateway. Supports OpenPGP & S/MIME including certificate/key handling and content scanning for incoming mails. Enhances e-mail security significantly and allows usage of e-mail encryption even by small companies not having advanced skills in security technology.
Daily Email Report
The daily spam digest has been improved to not only include information about quarantined (SMTP) spam but about all messages (SMTP and POP3) that have been blocked or quarantined in any way e.g. by RBL, blacklists, detected viruses, phishing etc.. Users can click on any entry to release the message or to whitelist the sender from being checked by the Antispam module for the future. Users will only get one single digest for all email addresses they use. In addition if the message was send to a mailing list each recipient can release the mail individually. The layout/content of the report is also customizable as many other notifications (see feature Customizable end user messages).
This is a new mode in addition to the current POP3 proxy mode. If this mode is turned on the proxy polls periodically the POP3 server for new messages. If a new message has arrived it will be scanned and stored into a local database on the ASG. When a client tries to fetch new mails it communicates only with the proxy and receives new messages only if it was scanned and stored in the database. As this mode allows scanning of messages well before they are requested by the client, the client receives them much faster and timeout problems through the introduced scanning process will be eliminated. This allows also putting POP3 spam messages into the daily email report.
Foreign Charsets support for SMTP and POP3
Shows properly decoded subject lines with correct charset in replacement messages. Until now subjects encoded with foreign charsets are not readable,e.g like this: “=?ISO-8859-1?B?SWYgeW91IGNhbiByZWFkIHRoaXMgeW8=?= =?ISO-8859-2?B?dSB1bmRlcnN0YW5kIHRoZSBleGFtcGxlLg==?=” .
Customizable Email Footer
Allows customers adding a “virus checked” footer to every e-mail that goes through the system and which is successfully scanned for viruses, especially for those e-mails that include attachments. This enhances the security level and improves visibility about performed e-mail checks for e-mail recipient. Furthermore a customizable disclaimer footer can be added to each email in order to outline that the content of this email is only intended for the recipient of the email.
Transparent FTP Proxy
Up until now file transfers over FTP were only scanned by the ASG if the FTP was initiated over a Web Browser (FTP over HTTP) The new transparent FTP proxy is now able to handle „native” FTP connections as well (e.g. command line or graphical FTP clients, like WS-FTP, CuteFTP etc.). therefore allowing transparent scanning and filtering of malicious content (viruses, expression lists, extension filter) within all FTP traffic
Instant Messaging and Peer-to-Peer Management
In addition to filtering all e-mail and web traffic, Astaro Security Gateway will now also monitor Instant Messaging traffic such as ICQ, AOL, MSN and Skype as well as Peer-to-Peer filesharing traffic such as Bittorrent and Kazaa. Administrators can restrict the usage of these tools, protecting their company from dangers posed by viruses and malware as well as legal implications and the potential damage to their reputation
Improved HTTP Proxy Performance
The performance of the HTTP proxy has been significantly enhanced (up to 100%). Beside these features ASG V7 BETA also includes many smaller enhancements and usability improvements as well as bug fixes.
Limitations and hints
With the provided ISO image there maybe some limitations (remember: it's a BETA :-):
- Please check the Known Issue List (KIL) before you test ASG V7 BETA!
- ASG V7 BETA will not be supported via Astaro's support teams therefore you should not use it within productive environments.
- To provide feedback about any issues found please use the procedures outlined below.
- The BETA version also includes some additional debug code and is not performance optimized yet.
- An ASG V7 manual will be available with the GA release.
- Online Help is already available however still may contain some gaps.
- It is not possible to import configuration backup files from ASG V6 into ASG V7 BETA. The ASG V7 BETA includes a test license with unlimited users and all features activated. There is no need to request a new or special license.
Astaro minimum recommendation for V7 BETA installations:
- Intel Pentium III 900 MHz
- 256MB RAM
- 10 GB hard disk drive and above.
Best performance results running on:
- Dual Xeon or Athlon
- 2GB RAM
- 36 GB SCSI 15krpm hard disk drive and above.
For proved hardware components please check our Hardware Compatibility List (HCL) at: http://www.astaro.com/lists/HCL-ASG-V7.txt
ASG V7 BETA might also be tested within VMWare virtual environments, such as VMWare Server, VMWare ESX Server, VMWare Workstation or VMWare Player, by using a pre-configured/pre-installed ASG ISO called VMWare Virtual Appliance. This ISO provides the same functionality as the standard ASG. The ASG V7 BETA Virtual Appliance can be downloaded from the servers listed below.
Supported web browser
Astaro Security Gateway V7 WebAdmin will support the following browser/platform combinations:
MS Windows 2000/XP/Vista
- IE6 or higher (including IE7)
- Mozilla Firefox 1.5 or higher
- Mozilla Firefox 1.5 or higher
- Safari 2.0.3 or higher
- Mozilla Firefox 1.5 or higher
ISO image asl-6.800-060630-1.iso
size: 370 MB (370,403,328 Byte) md5sum: af0699ee5844dd7bba9d6d02f7724b66
FTP server: – Germany – US – US 2 – Australian Mirror – Austria Mirror – Japanese Mirror
HTTP server: – Germany – US – US 2 – Australian Mirror – Austria Mirror – Japanese Mirror
(If you are not familiar with BitTorrent, please check out this detailed description: http://en.wikipedia.org/wiki/Bittorrent). Search for “how to burn” on our Knowledge Base if you have trouble to burn a CD from the ISO image.
If you want to provide feedback or want to discuss any of the ASG V7 BETA features you should post it on our User Bulletin Board in the “BETA Version” forum. Please take care to add always(!) the version you refer to (e.g. “[6.818] problem with POP3 proxy in pre-fetch mode“). Alternatively if you want to provide feedback, problem reports and comments directly to the Astaro R&D team you can also send it to V7Beta@astaro.com. If you have feedback to our documentation (Online Help) please send it to firstname.lastname@example.org. We greatly appreciate your input, comments and suggestions! Astaro is trying to build the security solutions that you need and is continuously enhancing the Astaro Security Gateway functionality.
Therefore in addition to the features listed above we are currently also working on the following features, which also will be included within the final ASG V7 version:
- Initial Setup Wizard
- Overall Reporting / Executive Report redesign/ Status Displaying
- Recognition rate for IM/P2P traffic
- LDAP browsing for eDirectory Browser
- Performance optimization depending on RAM/CPU/Disk
- QoS/Packetfilter beautification
- full ACC support
- POP3 prefetch configuration and management
- NTLM Singel Sign On
- LDAP browser for eDirectory
- HTTP content removal
There is also a demo server to check the new GUI: https://v7demo.astaro.com
Thx in advance for your tests!
Your Astaro R&D team
The original article/video can be found at Public ASG V7 BETA released