****************************************************************************
Software Release: Secomea RDM 4.3 - public release
Release Date:     2010-08-31
****************************************************************************
(c) Copyright 2010, Secomea A/S. All rights reserved.
****************************************************************************
Scope and production information
****************************************************************************

This is Secomea Remote Device Management release 4.3 build 10352.

This release note describes changes since release 4.2 build 10186 and
corresponding GateManager release 4.2.10183.207.
Please refer to the older release notes for further information.

Products covered:
---------------------------------------------------
GateManager 8250 (Software version)
LinkManager 6041 (Software version)
SiteManager 2029 (Hardware with UMTS interface)
SiteManager 2129 (Hardware with UMTS interface)
SiteManager 2034 (Hardware with dual DEV interfaces)
SiteManager 2134 (Hardware with dual DEV interfaces)
SiteManager 3034 (Hardware with DIN mount and 4-port switch)
SiteManager 3134 (Hardware with DIN mount and 4-port switch)
SiteManager 6040 (Software version, external agent support)
SiteManager 6240 (Software version, internal agent support)

Version and Build numbers:
-------------------------------------------------------
GateManager Server software version     4.3.10352.208
GateManager Console installer version   4.3.10352.208
GateManager Proxy software version      4.3.10352
LinkManager Installers version          4.3.0.10352
SiteManager firmware version            4.3 build 10352
SiteManager Soft Installer version      4.3.0.10352
SiteManager PC Installers version       4.3.0.10352

****************************************************************************
1. Highlights of this release
****************************************************************************

- Support for LinkManager Instant Access User Certificates which greatly
  simplifies installation and setup of new LinkManagers.

- LinkManager can now show disconnected and blocked devices.

- SiteManager 3000 now supports up to four DEV interface groups.

- SiteManager 2x29 models now support SMS wakeup for UMTS interface.

- GateManager connection can now be controlled externally via the INPUT1
  terminal on the SiteManager 3000 models.

- Improved FTP handling in LinkManager and SiteManager.

****************************************************************************
2. New features and improvements.
****************************************************************************

All Products
----------------------------------

- SiteManagers and LinkManager have a new TCP and UDP "ping" facility.
  (#4020)

- End-to-end FTP protocol support between LinkManager and SiteManager has
  been reworked, so that only active ports are actually relayed. (#3502)
  Also, connecting to an FTP server in a remote device is now possible
  from multiple LinkManagers at the same time (the exclusive use is no
  longer required).
  However, if a device has an FTP client which must connect to an FTP
  server on the LinkManager PC, the device still needs to be exclusive
  use, as there is no other way to know which LinkManager it wants to
  talk to.

GateManager
----------------------------------

- The "Product Bindings" functionality has been eliminated from
  GateManager, so all appliance product types are now available in all
  domains. (#4012)

- GateManager now supports "LinkManager Instant Access" certificates.
  A LinkManager Instant Access Certificate (with file type .lmc) is now
  generated for users with the "LinkManager user" role, and includes the
  address of the GateManager server, the proper domain token for the
  LinkManager, and a corresponding floating registration license.
  (#4037)
  Furthermore, using an Instant Access certificate will make the
  GateManager auto-approve the LinkManager using the domain token
  provided in the certificate (which defaults to the same domain as the
  home domain of the LinkManager User account).
  Note that attachment is only temporary in the GateManager (shown by
  red !); if attachment was permanent, LinkManager would not move around
  based on the certificate's domain token -- to stop this, the
  GateManager administrator must attach the LinkManager to a specific
  domain.

- GateManager now includes a complete set of pre-defined roles, suitable
  for most uses.

- A LinkManager Instant Access certificate cannot be used to log into the
  GateManager Console.

- GateManager can now issue "Guest Certificates" which are only valid for
  a limited period of time (from 1 day to 6 months).

- GateManager can now "apply configuration profile" without attaching
  profile to appliance. (#4083)

- GateManager now uses separate mail subject and message body templates
  for GateManager Certificates and LinkManager Certificates, and for
  permanent certificates, temporary (guest) certificates and certificate
  renewal messages. This allows the messages to give specific rather
  than generic instructions.
  The following templates are in the /usr/local/gatemanager/templates
  directory:

  * certificate-mail.txt, certificate-subject.txt
      New permanent GM certificate (cert. install instructions)

  * guest-certificate-mail.txt, guest-certificate-subject.txt
      New temporary GM certificate (cert. install instructions,
      expire info)

  * renew-certificate-mail.txt, renew-certificate-subject.txt
      Renewed GM certificate (cert. update instructions, expire info)

  * linkmanager-mail.txt, linkmanager-subject.txt
      New permanent LM certificate (LM + cert install instructions)

  * guest-linkmanager-mail.txt, guest-linkmanager-subject.txt
      New temporary LM certificate (LM + install instructions,
      expire info)

  * renew-linkmanager-mail.txt, renew-linkmanager-subject.txt
      Renewed LM certificate (cert update instructions, expire info)

  * renew-info.txt
      Text about renewal corresponding to {5} field in other templates.
      The {5} field inserts content of renew-info.txt file (message
      telling that a message will be sent 1 month before certificate
      expires) - or nothing if new certificate expires in less than one
      month.

  * expired-certificate-mail.txt, expired-certificate-subject.txt
      Mail about "certificate will expire in 1 month".

  * mail-certificate-bcc.txt
      If this file contains a valid email address, that address will
      receive a blind-copy of all certificate mails (as specified above)
      sent by the GateManager server. (#4108)

  * hostname.txt
      Readable server name that is used in certificate mail bodies and
      as from-line in alert and certificate mails.

- The relay.conf file may now include "base" relay domains as well as
  "derived" relay domains. (#3893)
  A base domain [:relay XXX] defines a new relay domain from scratch.
  One or more derived domains [YYY] may follow a base domain, and
  inherit all settings from the base domain that are not specified
  explicitly in the derived domain. So it is now possible to specify,
  say, just a logo for a specific domain.
  The previous meaning of the [YYY] line as a "trust domain" is changed
  to [:pin YYY]. A domain section may also include a [:pin] section
  which is then equivalent to [:pin YYY] for the current relay domain.
  Please see updated relay.conf-sample file for details.

- You can now upload and view logo files via the GateManager web gui.
  (#4055)

- SiteManager Plugin now supports INPUT1 and INPUT2 alert values
  corresponding to the two input ports on SiteManager 3000 models.

- Changes to the auto_approve and auto_approve_all functionality:

  Aliases "auto_attach" and "auto_attach_all" can be used for the
  parameters.

  Now, auto_approve_all also applies to agents, meaning that they will be
  available in LinkManager even when NOT actually attached (!) in
  GateManager.

  Per-domain auto_approve setting now controls whether agents should
  actually be attached in GM.

  Setting auto_approve_all=3 is equivalent to setting auto_approve_all=2
  and auto_approve=1 in all domains.

  Setting auto_approve=-1 in a domain means NEVER auto-approve anything
  in that domain (even if auto_approve_all is set).

  If auto_approve is set in TARGET domain (or auto_approve_all=3) when
  moving/attaching a SiteManager in GateManager, un-attached agents of
  that SiteManager are now automatically attached to same domain as the
  SiteManager.

  If the SiteManager domain token is unknown, agents of that SiteManager
  are not auto-attached in GateManager even if auto_approve(_all) is set.
  Doing that would prevent moving the agents later when SiteManager is
  attached to a proper domain.

  When auto_approve_all=1, a SiteManager connected to the GateManager,
  but using an unknown domain token is now shown in LinkManager as
  connected (green tick) with a "red ?" marker, indicating to the
  LinkManager user that the SiteManager is present, but not accessible
  for remote management.

- When saving a configuration backup, the backup date is now used as the
  suggested filename, and the suggested file type is .xml when the
  configuration data is in XML format, and .txt otherwise. (#4121)

LinkManager
----------------------------------

- LinkManager changes for Instant Access Certificate support:

  . The LinkManager installation wizard has been optimized for the new
    LinkManager Instant Access Certificates (.lmc files).

  . When an Instant Access certificate is used for login, the included
    GateManager settings will silently overwrite the corresponding
    GateManager parameters on the GateManager > General page.

  . The appliance name will be set to the LinkManager User account name.

- LinkManager Console will now display the expiration date for
  time-limited "Guest Certificates".

- LinkManager now automatically tries the current Windows proxy settings
  - including WPAD - when connecting to the GateManager. (#3797, #4048)

- Now, a LinkManager never connects to the GateManager server until the
  user logs in on the LinkManager Console -- also when using a fixed
  registration license. However, connection setup has been optimized, so
  typically the LinkManager will connect to GateManager in approximately
  2 seconds.
  Specifically, this means that the LinkManager tray icon will now show
  as "red line in green circle" when user is not logged in.

- LinkManager Console improvements:

  . Empty domains and disconnected appliances/devices can now be shown.
    (#3881)
    By default, this information is still not shown, but a [Show all]
    button in left and right panel will reveal the omitted information
    (if any).
    If domain is known to be empty (no "appliances icon"), clicking on
    the domain will automatically show disconnected devices in right
    panel (if any).

  . Active domain is now highlighted in left panel (light green
    background).

  . New [Expand All] button in left panel to expand the whole domain
    tree.

  . The Console now shows an "Unknown service" icon (green question
    mark) if a device supports a Go To Appliance service which is not
    defined on the LinkManager. The [Services] button is now available
    also in connected state, to make it easy to define new services.
    (#3276)

- LinkManager will now show devices with a yellow X icon instead of the
  green V to indicate "device is up but access is blocked by operator".
  This happens when SiteManager Remote Management is set to "Heartbeats
  Only" and INPUT1 is OFF (SM 3xxx) - or no INPUT1 exists (SM 2xxx).

- A LinkManager user can no longer do "Go To Appliance" to another
  LinkManager.

- The "Setups" button on the LinkManager Console has been removed.
  Since Instant Access certificates include the GateManager server
  address, LinkManager now directly supports connecting to multiple
  GateManagers.
  Instead, a new "Connections" button is now available on the
  "Certificates" page which allows defining and associating one or more
  "Connection Setups" with a certificate.
  Existing GateManager Setups are automatically converted to
  corresponding Connection Setups associated with the relevant
  certificates.
  If an Instant Access certificate is installed on an existing
  LinkManager with old-style certificates, the current GateManager
  settings (address, domain token, etc) are automatically saved as a new
  [Default] connection setup which is associated with the old-style
  certificate, so it will continue to work as before.
  A connection setup may specify:

  . the GateManager address and domain token for old (non-Instant
    Access) certificates, or

  . just proxy settings for connecting to the GateManager using an
    Instant Access certificate (by leaving GateManager address, domain
    token, and appliance name fields empty), or

  . a GateManager address which will then override the GateManager
    address contained in an Instant Access certificate.

SiteManager
----------------------------------

- Support for separate DEV2, DEV3, DEV4 ports on SiteManager 3034 and
  3134.
  If a DEV port is set to Separation mode, it will behave in (almost)
  all aspects just as the DEV1 port, with separate IP address, subnet,
  etc.
  If a DEV port is in Bridge mode (the default), it will be bridged to
  the previous separate DEV port.
  This means that the following eight combinations exist (the ports
  listed in parentheses are in bridge mode):

  - One port group (default): 1+(2+3+4)
  - Two port groups:          1|2+(3+4), 1+(2)|3+(4), 1+(2+3)|4
  - Three port groups:        1|2|3+(4), 1|2+(3)|4, 1+(2)|3|4
  - Four port groups:         1|2|3|4

- Support for reading INPUT ports on SM3xxx has been added.
  On GateManager > General page, there are new "Input X Action" drop
  downs which allow using INPUT 1 and 2 as ALARM sources for GM
  (corresponding alert values on GM are named INPUT1 and INPUT2).
  INPUT 1 can also be set to value "Toggle Remote Management" (the
  default) which works together with "Remote Management" setting like
  this:

            |  Remote Management setting
     INPUT1 |  ENABLE    HB ONLY   DISABLE
     --------------------------------------
     OPEN   |  FULL      HB        OFF
     CLOSED |  OFF       FULL      FULL

  Where FULL = enable full remote management,
        HB   = heartbeats only (LinkManager access blocked)
        OFF  = disable remote management (GateManager not connected)

  So with the default settings, full remote management is enabled, but
  if you close INPUT1, SiteManager will disconnect from GateManager.

- Support for controlling output ports on SiteManager 3xxx:
  New System > I/O page shows current input port status and allows you
  to view and toggle the status of the output ports.
  Notice that output port state is preserved over a system restart.

- SiteManager for SM 2x29 models now supports an "SMS Wakeup"
  functionality.
  Please read the "Using SiteManager SMS Wakeup" application note before
  deploying the SMS Wakeup functionality in production environments.

- SiteManager will now automatically try to use the default gateway as a
  web proxy - including WPAD - when connecting to the GateManager.
  (#3372, #3960)

- SiteManager WPAD PAC file now includes rules suitable for making a
  LinkManager connect via the SiteManager's web proxy relay
  functionality. (#3797)

- SiteManager will now report unknown server relay and web proxy target
  names. (#4015)

Device Agents
----------------------------------

- New Vendor Agents:
    Control Techniques LAN agent.
    Eaton Moeller HMI agent.
    Yaskawa NS600 Indexer (serial port).
    Generic Shared Folder agent.

- Enhanced Vendor Agents (improved operability):
    B&R Ethernet agent now includes VNC support.
    ESA panel agent now includes FTP support.
    Omron LAN agents now include FTP support.
    Omron Serial agent now has a CPM compatibility mode option.
    Siemens PPI serial agent now has a "Fixed Speed" setting which means
    that you can set the PLC to run at 19200 baud at the SiteManager,
    but program the S7 program to run at 9600 baud. This "trick" - and
    optimizations on the LinkManager Virtual COM port - makes the S7
    program more tolerant to end-to-end latency on the serial
    communication.

****************************************************************************
3. Bug Fixes.
****************************************************************************

GateManager
----------------------------------

- The selection dialog for role icons now shows the correct icons.

- If an appliance was deleted from GateManager when it was not attached,
  it would not be attached correctly next time it connects. (#3643)

- Agents were not always auto attached (if requested) after a
  SiteManager was manually attached to domain by GateManager operator.

- Agents that attached to GateManager Proxy before it had synchronized
  with GateManager Server did not show in LinkManager console. (#4068)

- If ext_public_addr configuration parameter (config or proxy.conf) is a
  valid hostname, copy it to ext_public_hostname if that parameter is
  not set. (#3994)

- Some "certificate will expire in one month" notifications were not
  sent. (#4191)
  NOTE: Any missing notifications are still lingering in the GateManager
  database, so after the upgrade, you (and your users) may receive some
  old notification emails for accounts which have expired a long time
  ago.

- Searching for an appliance in the GateManager Console will now compare
  the entered string to both the Appliance name and the Serial Number,
  independent of the current view settings. (#4087)

- You can now also use the search function to search for a Domain ID.
  This is useful for identifying the owner of a domain for which an
  Instant Access license has been created.

- Restarting the GateManager Proxy or Server via the "Restart" commands
  in GateManager Console, or via the Administrator WEB GUI would not
  clean up internal system state correctly, so the newly started proxy
  or server would not function correctly (#4076).

- The "service gatemanager start" command will now start the server
  before the proxy, allowing the server to become fully operational
  before appliances start to attach to the system, causing less stress
  on the system at startup.

- Go to Appliance is no longer allowed for unattached appliances (#4115).

- Group Alert module fixes / improvements:

  . Per-domain UP and DOWN settings didn't work correctly.

  . SENDTO didn't work without a MAILTO in same domain.

  . Align syntax with relay.conf file; [DOM] now means DOM only, while
    [DOM*] means domain DOM and all its subdomains.

  . Reset alert status for known appliances when moved to another
    domain, and when a new matching alert group is added to alerts.conf.
    Send an "UP" message immediately for affected appliances if
    connected. (#4075)

  . A {domain} escape in mail subject inserts current alert domain.
    (#4073)

  . There is a new SKIP action for a domain alert group to disable all
    alerts in that domain (and its subdomains if specified).

- Using comma, semicolon, or equal in a domain name is not allowed, but
  this restriction was not checked when creating or renaming a domain.
  (#4137)

LinkManager
----------------------------------

- Give proper error message (instead of "error: 7") if connection to a
  device is rejected because exclusive access is needed - and tell who
  is already connected (#3634)

- The LinkManager Console was sometimes messed up after a session
  timeout. (#3957)

- A newly installed LinkManager would sometimes not make installed VNC
  or RDP services available on GateManager first time it was started.
  (#3430)

SiteManager
-----------------------------------

- Speed up SiteManager boot time for large flash memory sizes. (#3956)

- Combining the short-form .NN for a device target address with a port
  number, as in .12:8000 didn't work. (#3707)

****************************************************************************
4. Upgrade information.
****************************************************************************

All Software Products
-----------------------------------

- Please notice that all Software products - LinkManager, SiteManager
  Soft, SiteManager PC, and GateManager Console - must be upgraded by
  running the corresponding Installer program using an administrator
  account.

GateManager
----------------------------------

- All "Admin" settings on the GM Administrator Web GUI are reset to
  their default values when you upgrade the GateManager server.
  After the upgrade, the old settings are still available in the
  /px/web/admin.old/globals.conf file, from which you can copy/merge the
  old customizations into the active configuration in the
  /px/web/admin/globals.conf file.

LinkManager 6041
-----------------------------------

- LinkManager comes with its own virtual "LinkManager Adapter" network
  driver, which is installed and set up by the LinkManager Installer.
  On Windows XP, this driver is installed silently, but on Windows Vista
  and Windows 7 you will have to confirm the installation of the
  adapter.
  When upgrading a LinkManager 3.7 or older, the LinkManager Installer
  automatically migrates all configuration and certificates from the
  VMware based installation.
  Once upgraded to 4.0 or newer, you cannot downgrade the LinkManager to
  an older version.

- First time you start LinkManager after the upgrade (or after a new
  installation), you may be prompted to accept the installation of
  Secomea's CA certificate as a trusted root certificate. You should
  allow this to prevent Windows from looking for new COM port drivers
  (it won't find any) each time you establish a serial connection.

- The firmware file id for LinkManager has changed from v41 to v6041 to
  reflect the change from VMware based (v41) to non-VMware based
  (v6041).

SiteManager PC 6240
-----------------------------------

- SiteManager PC comes with its own virtual "SiteManager Adapter"
  network driver, which is installed and set up by the SiteManager PC
  Installer.
  On Windows XP, this driver is installed silently, but on Windows Vista
  and Windows 7 you will have to confirm the installation of the
  adapter.

SiteManager Soft 6040
-----------------------------------

- SiteManager Soft requires VMware to operate, also after the update.

- To upgrade an existing SiteManager Soft, you must run the SiteManager
  Soft Installer program. Just upgrading the firmware file is not
  possible, as the firmware file id for SiteManager Soft has changed
  from v40 to v6040.

SiteManager 2xxx
-----------------------------------

- Due to changes to the flash memory handling on SiteManager 2xxx, it is
  only possible to downgrade from this firmware release to firmware
  release 4.1 build 9454 or newer.

Device Agents
-----------------------------------

- Previously installed standard agents are automatically removed when
  you upgrade to this firmware which includes all of the standard
  agents.

- This means that you will need to reinstall the agents if you downgrade
  to a firmware release older than 4.0.

****************************************************************************
5. Known issues or limitations
****************************************************************************

- GateManager Console (Java application) may shut down unexpectedly.
  This problem happens to several Java-based applications due to a
  conflict with a Samsung LCD monitor utility called Multiscreen. This
  utility supposedly hooks into the Windows display drivers in a
  non-compliant way which can cause Java applications to fail when
  trying to update the display.
  If you encounter this type of error and you use the Samsung
  Multiscreen utility, disabling or exiting the Multiscreen utility (via
  its Tray icon) will resolve the issue.

- Due to new restrictions on secure web-site certificate authentication,
  Internet Explorer 7, Firefox 3, or newer may prevent you from
  accessing https based services via the LinkManager's Go To Appliance
  functionality in the non-activated state (Domain view).
  This is because the Go To Appliance function uses a different IP
  address than the actual IP address of the remote device, so the
  browser suspects that the target device's certificate (typically
  self-signed) may be a forgery.
  There is no easy way to get around this problem, so you will have to
  follow the somewhat tedious procedure of your browser to bypass the
  warnings and connect to the device anyway.
  Note: You should not store the certificate permanently in Firefox 3.

- SiteManager Soft currently does not run as a service under Windows 7
  64 bit OS. Instead it must be started in User mode, by adding it to
  the Startup folder.

- Please note that using the PPI option requires optimal bandwidth for
  both the LinkManager and the SiteManager. This is because the PPI
  protocol and Step7 software by design do not take into account the
  delays (latency) that may occur when relaying the communication over
  long distances.

****************************************************************************
6. Special notes for GateManager Owners
****************************************************************************

In the following table, the "Revision" field column is the text you must
enter when you add a firmware file to the Appliance Products repository:

Product            Firmware file            "Revision" field
----------------   ----------------------   ----------------------
SiteManager 2029   v29_10352.ffs            oper:v29_10352
SiteManager 2129   v2129_10352.ffs          oper:v2129_10352
SiteManager 2034   v34_10352.ffs            oper:v34_10352
SiteManager 2134   v2134_10352.ffs          oper:v2134_10352
SiteManager 3034   v3034_10352.ffs          oper:v3034_10352
SiteManager 3134   v3134_10352.ffs          oper:v3134_10352
SiteManager 6040   (*)                      oper:v6040_10352
SiteManager 6240   (*)                      oper:v6240_10352
LinkManager 6041   (*)                      oper:v6041_10352
Agents             (**)                     agent:v09_xxxx_10352

(*)  LinkManager and SiteManager Soft/PC cannot be upgraded from
     GateManager; to upgrade, run the relevant Installer program.

(**) Agents are included in the base firmware, so there are no separate
     agent firmware files. Agent firmware versions shown in the
     "Revision" field follow the build number of the base firmware.

****************************************************************************
END
****************************************************************************
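
Added example (not part of Secomea's release note or software): the DEV port
grouping rule for SiteManager 3034/3134 described in section 2, written out in
Python so a planned port layout can be checked before devices are cabled. It
derives the port groups from the DEV2..DEV4 modes, reproduces the eight
combinations listed in the note, and reports device pairs that end up in the
same bridged group. All function names, the device placement and the policy
are constructed for illustration.

```python
from itertools import product

BRIDGE, SEPARATION = "bridge", "separation"


def port_groups(dev2=BRIDGE, dev3=BRIDGE, dev4=BRIDGE):
    """Group DEV ports 1-4 by the rule in the release note.

    DEV1 always opens the first group. A port in Separation mode opens a
    new group; a port in Bridge mode (the default) joins the group of the
    previous separate port.
    """
    groups = [[1]]
    for port, mode in zip((2, 3, 4), (dev2, dev3, dev4)):
        if mode == SEPARATION:
            groups.append([port])
        elif mode == BRIDGE:
            groups[-1].append(port)
        else:
            raise ValueError(f"DEV{port}: unknown mode {mode!r}")
    return groups


def notation(groups):
    """Render groups in the release note's style, e.g. '1+(2)|3+(4)'."""
    parts = []
    for head, *bridged in groups:
        text = str(head)
        if bridged:
            text += "+(" + "+".join(str(p) for p in bridged) + ")"
        parts.append(text)
    return "|".join(parts)


def all_combinations():
    """All layouts reachable by setting DEV2..DEV4 to either mode."""
    return sorted(
        notation(port_groups(*modes))
        for modes in product((BRIDGE, SEPARATION), repeat=3)
    )


def bridged_violations(groups, placement, must_be_separate):
    """Return the pairs in must_be_separate whose devices share a group.

    placement maps a device name to the DEV port it is plugged into.
    """
    group_of = {port: i for i, grp in enumerate(groups) for port in grp}
    return [
        (a, b)
        for a, b in must_be_separate
        if group_of[placement[a]] == group_of[placement[b]]
    ]


# Constructed sample: three devices and the pairs that must not be bridged.
PLACEMENT = {"plc": 1, "hmi": 2, "camera": 4}
POLICY = [("plc", "camera"), ("hmi", "camera")]

if __name__ == "__main__":
    for layout in all_combinations():
        print(layout)
    for modes in ({}, {"dev2": SEPARATION}, {"dev4": SEPARATION}):
        groups = port_groups(**modes)
        print(notation(groups), bridged_violations(groups, PLACEMENT, POLICY))
```

With the default (all Bridge) layout every port is in one group, so both
constructed policy pairs are reported; setting DEV4 to Separation clears them.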