Enterprise Threat Protector (ETP) now includes these features and enhancements:

• Security patch upgrades for ETP Client. In an ETP Client configuration, you can select to automatically install security patch upgrades. Security patch upgrades address security vulnerabilities and apply changes that are necessary to support OS updates. If you don’t want to automatically install these updates, like a software upgrade, you can download a patch from ETP, test it, approve it, and select how you want to apply it across your network.

• Revoke ETP Client. If a user reports a lost or compromised device, you can revoke ETP Client on that device. This operation is available in ETP on the Reports tab for ETP Client.

• New policy tab name. The Akamai Security tab in a policy is now called Threat.

These features are now available to organizations that are participating in ETP beta:

• Unclassified traffic. An Unclassified Traffic setting is now available in a policy. A domain is considered unclassified if it does not appear in the AUP, a custom list, or in any threat list maintained by Akamai. As an ETP administrator, you can block this traffic or allow it to bypass ETP Proxy. If you are licensed for ETP Advanced Threat, you can select the Classify action to direct unclassified traffic to ETP Proxy. Depending on the type of proxy you use, this configuration is recommended:
  • For the selective proxy (forwards only risky web traffic), select Bypass.
  • For the full web proxy, select Classify.
    As a result of this enhancement, the Unclassified AUP category is no longer available.

• Enable Forward Proxy removed in policy. The Enable Forward Proxy toggle is no longer shown in a policy. This setting is automatically enabled in the backend when you turn on ETP Proxy.

• Origin Ports. In a policy, the new Origin Ports field allows you to enter the ports and ports ranges that you want to open for the full web proxy. By default, ETP allows connections to ports 80 to 84, 443, 4443, 8080, 8443, and 8888.

• Enable ETP Client as Proxy policy setting. The new Enable ETP Client as Proxy policy setting allows you to define whether the ETP Client machine is configured as a web proxy. If you choose to make ETP Client a local web proxy, web traffic is directed from the client to ETP Proxy. This setting functions the same as the Configure ETP Client as a local computer web proxy setting in the ETP Client configuration (Utilities > ETP Client > Configuration). Your selection for the Enable ETP Client as Proxy setting takes precedence over the ETP client configuration setting.

• Permission required to access Summary of Proxy Activity and DNS Activity reports. To access the Summary of Proxy Activity and DNS Activity reports, you must be an ETP super administrator or a user who’s assigned a role with the etpRestrictedPageViewRole permission.

• Proxy activity event reporting. If activity on the Proxy Activity report generated an event, the report now shows the Is Event field to indicate whether specific activity is also an event.

• Dashboard shows total number of HTTP and HTTPS activity. The ETP Dashboard now reports the total number of HTTP and HTTPS activity in a summary graph. When a user clicks the provided graph, they are directed to the Proxy Activity report.

• Update to configuring AUP exceptions. ETP now makes it easier for you to find and select the users and groups that can access a blocked category in an Acceptable Use Policy (AUP). To select users, you can search for User IDs in the associated directory and in the search results, select the user. To select groups, you can search for groups and in a drop-down list, select the group.

  If you try to find a user or group that does not exist in the directory, you can add the user or group to the AUP exception. To allow these users and groups to authenticate, you must also add these users and groups to the directory.

Enterprise Threat Protector (ETP) Secure Web Gateway (SWG) now in beta

Features

ETP SWG performs URL filtering and anti-malware scanning on all web traffic. It’s available with any one of these features:

• Proxy chaining. Allows you to forward all web traffic from your existing on-premises proxy server to ETP.  You can enable this feature with the new Enable Forward Proxy and the Trust XFF Header policy settings. The proxy host information that you use to configure traffic forwarding from the on-premises proxy to ETP is shown in the ETP policy. 
• ETP Client 3.0.4. New version of the client that allows you to forward web traffic from user machines to ETP. You can configure ETP Client as a local web proxy on the user’s machine. The client also supports networks that split internal traffic from external web traffic and use an on-premises proxy. Depending on your ETP license, you can also configure ETP Client to forward only DNS and risky web traffic.

This beta also offers these features:

Authentication policy. An authentication policy defines the users or user groups that can access websites in an acceptable use policy (AUP) after they authenticate. You can require that users authenticate before accessing a website or you can make authentication optional.  If a user is authenticated, then all web requests are logged in the Proxy Activity report (Monitoring > Activity) with username, group information, and the machine IP address. If a user does not authenticate, the username and group information are not logged. To implement authentication, you must set up: 

• Identity providers. A service that creates, manages, and saves user and group identity information for authentication.  You can create an identity provider (IdP) or integrate a third-party IdP such as Okta, PingOne, and Active Directory Federation Services (AD FS).  In an IdP configuration, you can enable multi-factor authentication, define sessions settings, design the login page, and more.

  Note: If your organization is licensed for Enterprise Application Access (EAA), you can use your existing IdP configuration in ETP. In this situation, make sure you manage the IdP configuration in EAA. Do not modify these settings in the ETP UI to avoid conflicting configuration changes.

• Directories. A service that your enterprise uses to manage users and user groups. You must associate a directory to an IdP. The following directory services are supported: 
  • Active Directory
  • Lightweight Directory Access Protocol (LDAP)
  • Active Directory Lightweight Directory Services (AD LDS)

  ETP also offers Cloud Directory, an internal Akamai directory that you can use for testing purposes only. 

  The Identity Provider and Directory configuration pages in ETP are available from a new area of the navigation menu called Identity. 

• Identity connectors (Optional). If your directory service is located in a data center that’s not accessible from the Internet, you can deploy an identity connector to grant IdP access to the directory. An identity connector is a virtual appliance that you download from the Utilities page in ETP and deploy behind the firewall in your data centers or hybrid cloud environments.

Proxy Activity. New Proxy Activity tab on the Activity page reports traffic that’s directed to ETP Proxy. You can view data about traffic and events, including the username of the user who made the request, the internal IP address of the user’s machine, and the applied policy action.

DNS Activity. New DNS Activity tab on the Activity page reports DNS traffic that’s directed to ETP. You can view detailed data about traffic such as applied policy action and the internal client IP address. This tab allows administrators to investigate suspicious activity and review requests to a specific domain.

Static malware analysis for large files. Allows ETP to scan files that are 5 MB to 2 GB in size. ETP scans these files after they are downloaded. If ETP detects malware, a threat event is reported.  In the the ETP threat event on the Event Analysis page, you can download a deep scan report in PDF format that includes more detailed information. To use this feature, in a policy, you must enable Inline Payload Analysis and select the Allow and Scan option for large files.

Dynamic malware analysis with Sandbox. Scans files in a secure sandbox environment that’s isolated from your network. In this environment, files are executed and analyzed to determine whether malicious code or activity is detected. This feature:

• Analyzes files that are up to 64 MB in size.  
• Automatically scans files offline (after they are downloaded).
• Publishes a deep scan report in ETP when it detects a threat. You can download the report in PDF format from the corresponding event in ETP. 

To use this feature, in a policy, you must enable Inline Payload Analysis, select the Allow and Scan option for large files, and enable Dynamic Analysis. This feature is available to organizations that are licensed for Advanced Sandbox.  

To try any of these features, contact your Akamai representative. 

Known Issues and Limitations

These limitations apply to this beta release:

• Windows apps are not supported on Windows machines where ETP Client 3.0.4 is installed.
• If a user skips authentication, they are prompted to authenticate every 15 minutes. 
• ETP Client 3.0.4 is not supported on Mac OS X El Capitan.
• If you are setting up Active Directory Federation Services (AD FS) as a third-party SAML identity provider, you must deploy an identity connector and associate it with AD.

These issues are currently known in this beta release: 

Authentication

Issue: When defining the users and groups that can access websites for a blocked AUP category, you must manually enter the user IDs and group names. You cannot provide the username of the user.
Workaround: If you are using a directory service such as Activity Directory, consult the user and group information in your directory service. You can also find the User ID and group name in a Proxy Activity report (Monitoring > Activity).

Identity Providers and Directories

1) Issue: If your organization uses Enterprise Application Access (EAA) or another cloud access solution for enterprise applications, these applications are not accessible when traffic is directed to ETP Proxy.
Workaround: Make sure you enter the domains of your enterprise applications and EAA identity providers in the internal DNS suffixes field of the ETP network configuration.

To do this:

1. In the ETP navigation menu, select Configuration > Utilities.
2. Click the Network Configuration tab.
3. In the DNS suffixes field, enter the full domain of EAA identity providers and enterprise applications.
4. Click Save.

2) Issue: The email address associated with a user in the Cloud Directory is not editable.
Workaround: You can delete the user and add a user with the new email address. If your organization also uses EAA, you can modify the user’s email address in EAA.

3) Issue: When deleting a user in the Cloud Directory, the dialog that confirms the deletion shows inaccurate information about the user’s last login.
Workaround: No workaround is available.   

4) Issue: If a user is deleted from a directory after they authenticate, the user is redirected to the IdP login page 30 minutes after the delete operation occurred.
Workaround: No workaround is available.

5) Issue: Changes to the URL of an identity server in ETP do not take effect for an identity provider that was previously deployed and assigned to a policy. After you deploy the modified identity provider, the change is not recognized by ETP policy.
Workaround: In the policy where this identity provider is assigned, complete these steps:

1. Change the authentication mode to another mode that uses authentication. For example, if this mode is set to Optional, select Require. If this mode is set to Require, select Optional.
2. Save and deploy the policy.
3. Return to the policy.
4. Select the authentication mode that you want to use for the policy.
5. Apply AUP exceptions.
6. Save and deploy the policy.

For detailed instructions on these operations, see the online help.

6) Issue: If you modify an identity provider, you cannot deploy any policy that’s associated with the IdP until the IdP is deployed.
Workaround: Deploy the IdP.

ETP Proxy

1) Issue: A browser error appears to the user when ETP Proxy cannot verify the web server certificate. This occurs if the certificate chain is incomplete or its Certificate Authority (CA) is unknown to Akamai.
Workaround: If users see this error for traffic or websites that you want to allow, add the domain or its IP address to an exception list. Exception lists bypass ETP Proxy. For more information on exception lists, see Exception lists. To create an exception list, see Create an exception list.

2) Issue: Mozilla Firefox on Windows does not use the proxy settings or certificates that are on the system.
Workaround: If you configure proxy chaining to direct traffic to ETP Proxy, make sure you configure the on-premises proxy as a proxy connection in the Firefox browser.  To configure proxy settings in Firefox:

1. Click the Open menu button and select Options. 
2. Navigate to Network Settings and click Settings.
3. In the Connection Settings, select Use system proxy settings.
4. Click OK.

Note: On Windows, make sure that you configure Firefox to recognize the trusted root certificates that are in your enterprise Windows certificate store. For more information, see Enable enterprise trusted root certificate in Firefox and Certificate distribution. 

 ETP Client

1) Issue: Users cannot access the Internet when both these conditions apply:

• ETP Client 3.0.4 forwards all web traffic to ETP Proxy
• Pulse Secure VPN uses proxy server settings
  Workaround: In the VPN  tunneling connection profile of Pulse Secure VPN, make sure you or an IT administrator selects the No proxy server option. For more information on Pulse Secure VPN connection profiles, see documentation for Pulse Secure VPN.

2) Issue: If there are more than 40 DNS suffixes configured in the ETP network configuration, ETP Client may be unable to enter “Your device is protected” mode.
Workaround: Instead of adding these domains or DNS suffixes to an ETP network configuration, create a custom exception list with this data. Exception lists bypass ETP Proxy. For more information on exception lists, see Exception lists. To create an exception list, see Create an exception list.

Enterprise Threat Protector (ETP) now includes these enhancements:

Deploy custom lists in less than 30 seconds. Like other configuration settings in ETP, you can now deploy custom lists in less than 30 seconds.

Migrate quick lists to custom lists. Quick lists are now discontinued. If you configured an Allow or a Deny quick list, you can migrate this data to custom lists. On the Quick Lists page (Configuration > Quick Lists), click the Migrate Quick Lists button to migrate your quick list data to an Allow custom list and a Deny custom list. Migrated quick lists are added to all policies, allowing you to manage these lists as part of a policy configuration. By default, the migrated Allow list is granted the bypass policy action, while the migrated Deny list is assigned the block policy action.

After migrating quick lists, make sure you deploy all pending changes. Once the migration is complete, the Quick List page is no longer available at your next login.

Note: If your organization never configured quick lists, no action is needed. In this case, the Quick Lists page is no longer available from the navigation menu.

Enterprise Threat Protector (ETP) now includes these features and enhancements:

• Associate locations to a scheduled report configuration. You can now configure a scheduled report to show events based on a location or multiple locations. By default, scheduled reports are configured to show events based on all locations.
• View data and configuration settings available to a tenant administrator. If an ETP super administrator assigns the tenant administrator role, a Filter data by tenant administrator field now allows you to view data and settings available to a tenant administrator. After you specify a tenant administrator in the field and navigate ETP, the filter shows configuration settings and event data based on the locations, policies, and lists the tenant administrator can manage.
• New tab names on the Activity page. The DNS tab is now called the DNS Summary tab, and the Proxy tab is now called the Proxy Summary tab.

Filter events and indicator search results by a specific time

In addition to selecting a specific date or date range, the calendar filter that appears on the Dashboard, Events, Activity, and Indicator Search pages now allows you to specify a start and end time in a 24-hour clock format. This enhancement filters data to show events and domain history changes that occurred within the specified time.

Enterprise Threat Protector (ETP) now includes these features and enhancements:

Deploy Security Connector 2.6.0 with Microsoft Hyper-V. In addition to deploying Security Connector with VMware ESXi, you can now download Security Connector 2.6.0 and deploy it with Microsoft Hyper-V. On Hyper-V, you can deploy Security Connector with a PowerShell utility script or manually with a virtual hard disk image file. Administrators can also upgrade to version 2.6.0. Like version 2.5.0, this version allows your organization to direct malicious HTTP and HTTPS requests to Security Connector.

Security Connector health status. The status of Security Connector is now more accurately reported in ETP and in the UI of the Security Connector VM console. A new Health Status page is available from the main menu of the security connector console. On this page, an administrator can view whether Security Connector is in a healthy state or in an unhealthy state due to a failure. If there’s a failure, an administrator can identify the specific operation where it occurred.

New default dimensions on Dashboard for threat events. By default, the dashboard now shows threat event data based on category, threat name, and severity. To show data for other dimensions, click the down arrow that’s associated with a threat event chart and select a new dimension.

Additional threat information now available. ETP administrators and viewers can:

• View the threat name associated with a threat event.
• Filter threat events by its name and severity level. A Threat Name and Severity dimension is available for this purpose.
• Search by the threat name on the Indicator Search page. In the search results, this page shows:
  • A description that details how the threat spreads and impacts a network.
  • Other names for the threat
  • Severity level
  • Threat type. For example, if it’s a worm, trojan, malware, or another threat type.
  • External links to resources on the Internet with more information.
  • A graph that illustrates the number of events generated by the threat in the last 24 hours, 7 days, 30 days, and this month.

Enterprise Threat Protector (ETP) now includes these features and enhancements:

Exception Lists. An ETP administrator can now create a list with the domains and IP addresses they want directed to the origin without Transport Layer Security (TLS) decryption or ETP protection. An exception list bypasses ETP Proxy. This feature allows your organization to maintain the privacy of users who access trusted websites with sensitive information. Like a custom list, you create an exception list and assign it to a policy configuration.

Bypass action for Exception Lists. When you add an exception list to a policy, the bypass policy action is automatically assigned to the list. This action resolves requests to the origin IP address. If ETP proxy is enabled, the request is not decrypted with TLS. It is sent directly to the destination web server. While no event is logged on the Event Analysis page for bypassed traffic, domains are logged on the Network Traffic tab of the Activity page.

Client Connector now called ETP Client. Client Connector is now called ETP Client. The tab on the Utilities page and the client configuration settings now refer to the new ETP Client name.

Additional threat information is now available in Enterprise Threat Protector (ETP)

ETP administrators and viewers can now:

• View the threat name associated with a threat event.
• Filter threat events by its name and severity level. A Threat Name and Severity dimension is now available for this purpose.
• Search by the threat name on the Indicator Search page. In the search results, this page shows:
  • A description that details how the threat spreads and impacts a network.
  • Other names for the threat
  • Severity level
  • Threat type. For example, if it’s a worm, trojan, malware, or another threat type.
  • External links to resources on the Internet with more information.
  • A graph that illustrates the number of events generated by the threat in the last 24 hours, 7 days, 30 days, and this month.

This feature is currently in beta.

Enterprise Threat Protector (ETP) now includes these features and enhancements:

Security templates now available. An ETP administrator can now apply a security template or a preset template to a policy configuration. This allows administrators to implement best practices when configuring policy actions. It also gives administrators a starting point to defining a policy.

When creating or modifying a policy, you can select one of these templates:

• Strict. Contains settings that block known and most suspected threat categories. This template applies settings that are a best practice for a policy.
• Monitor-only. Logs and reports threats but it does not block them. The Monitor-only template is ideal for testing or assessing policy impact before using the Strict template. This template assigns the monitor policy action to all known and suspected threat categories.
• Custom. Let’s you define policy actions for known and suspected threats.

A security template defines settings for threat categories in the Akamai Security tab only.

Updates to delegated and tenant access. A delegated administrator can now:

• Add email address for communication emails and assign communication emails. A delegated administrator can assign these users to any communication email.
• View Security Connector activity.

A tenant administrator can now:

• Add emails address for communication emails and configure these users to receive communication emails for alerts and system issues.
• Schedule a report.
• View and analyze DNS event data on the Dashboard, Event Analysis, and DNS activity pages.

The data in a scheduled report and on these reporting pages are based on the locations the tenant administrator can access.

Source IP now a dimension for DNS activity: On the DNS tab of the Activity page, you can now report the top source IP addresses that generated DNS requests. Source IP is now available as a dimension or data type in all DNS activity menus.

Client Connector version 2.1.0 now in beta.

With Client Connector 2.1.0, administrators can now configure Client Connector to roll back to the previous approved version. Administrators can also allow end users to uninstall Client Connector on Windows machines. To enable these features, new configuration settings are available in Enterprise Threat Protector (ETP):

• Roll Back Client Connector. When enabled and the previous Client Connector version is approved, this setting automatically rolls back a Client Connector upgrade. Rollback is available with Client Connector version 2.1.0. You cannot roll back to a version that is earlier than 2.1.0.

• Allow Uninstall on Windows. When enabled, end users on Windows machines can uninstall Client Connector. If this setting is disabled, the entitlement code is required to uninstall Client Connector.

Client Connector 2.1.0 also includes these updates:

New “Protected by local network” status. When these specific conditions apply, Client Connector now indicates that a machine is protected by the local network:

1. Client Connector cannot send DNS requests to ETP because outbound UDP port 53 is blocked in the company firewall.
2. The DNS resolver in the local network is configured to forward requests to ETP.

New names for configuration settings. New names are now available in ETP for Client Connector configuration settings. The Enable User Control setting is now called Allow Users to Disable Client Connector. The Enable ETP Client setting is now called Enable Client Connector.