New version of ETP mobile client is now available

The Enterprise Threat Protector (ETP) mobile client is now in limited availability and supports bring your own device (BYOD). With BYOD, end users can activate ETP Client on their personal devices without using the enterprise-wide entitlement code.

The following applies in this update:

• After the client is installed, the user is prompted to activate the client with a one-time activation code (OTAC). If the user does not have this code, the client lets users request it. The activation code and a link to activate the client on the device is emailed to the authorized user’s corporate email address.
• To email activation codes, administrators must configure authorized corporate domains in Enterprise Center. Administrators should not provide email domains that are associated with public email providers and therefore, accessible to unauthorized users.
• From Enterprise Center, administrators can send users an email invitation that contains the activation code. Administrators can also choose to generate a CSV file with activation codes and manually distribute these codes to users offline. After the activation codes are generated, they are valid for one week (7 days).
• When generating an OTAC in Enterprise Center, administrators should specify the user’s email address or a user ID in the User’s List. This allows administrators to associate events with the users who trigger them. This email address or user ID appears in the Device Owner dimension that’s available in ETP event and activity reports.
• While users provide an activation code or use the deep link in the email to activate the client on their device, the entitlement code is still supported for administrators. Administrators can enter this code when performing client installations.

The new mobile client version is available for download in the Apple App store and Google Play. For more information on BYOD and distributing the mobile client, see the ETP documentation.

Enterprise Threat Protector (ETP) Client 3.5.0 is now available

A new version of ETP desktop client is now available. This update includes bug fixes, as well as a feature that is in limited availability. Make sure you upgrade clients to this new version. If your enterprise is using version 3.4, upgrade the client or force an automatic upgrade to version 3.5.

This feature is now in limited availability:

• Walled Garden. You can use ETP Client to allow Internet access only to a specific set of domains.

To try this feature, contact your Akamai representative.

Enterprise Threat Protector (ETP) Release, August 18, 2021

The following updates are included in this release:

New Risky Threat Categories. Akamai has added risky categories to the threat settings of a policy. These risky categories include Adware, Coin Mining, Newly Seen Domains, Newly Registered Domains, Potentially Harmful Domains, and DNS Tunneling services. Before this update, risky domains were tracked in a policy setting where administrators could select an action that would send all risky domains to the proxy for scanning. With these new risky categories, you can select an action for each category.

Option to remove a risk level from a policy. When configuring application visibility and control (AVC) and an acceptable use policy (AUP), an administrator can now remove a risk level from the policy configuration.

File hash exception lists. File hash lists are now called file hash exception lists.

Bug fixes and UI enhancements. This release includes updates to the user interface and bug fixes.  
 
Important: The ETP legacy user interface will reach its end of life in December 2021. Please use the new Enterprise Center user interface to complete all your ETP operations.  
 
The following features are currently in beta:

Sub-locations. You can now configure sub-locations for ETP locations. A sub-location can represent different virtual local area networks (VLANs) that are routed to the Internet with the same IP address as the parent location. This feature allows you to apply different policies to your sub-locations and in turn, define more granular access.

Local breakout for bypass domains. The Local Breakout for Bypass Domains setting is enabled by default in a policy to ensure that domains configured in ETP for bypass are directed to the origin from the branch or enterprise network. Disable this option if your network does not have a direct route Internet and cannot access these origins.

Changes to ETP policy logic. These updates include:

• Prioritization of custom exception and block lists. If the domain, IP address, or URL found in a custom block or exception list is also found in Akamai Security lists, the Microsoft 365 list, or in an AUP and AVC configuration, the policy action associated with the custom exception or block list takes priority.

• Updated handling of policy conflicts. In addition to prioritizing the policy action of a custom exception or block list, the following also applies:

  • If the same domain with different suffix lengths is specified in multiple custom lists (for example, in multiple block or exception lists) or in multiple ETP lists (for example, in multiple acceptable use policies), ETP enforces the policy action assigned to the longest address.
  • If the same domain, IP address, or URL is configured in multiple custom lists or in multiple ETP lists with conflicting policy actions, ETP selects the action based on this priority:
    1. Bypass
    2. Block
    3. Monitor
    4. Classify
    5. Allow

 
To try any of these beta features, contact your Akamai representative.

Enterprise Threat Protector (ETP) Release, July 7, 2021

The following features and enhancements are now available:

• Deploy individual lists. If a list is ready for deployment, an administrator can now select the specific lists they are allowed to manage and would like to deploy. Before this update, a deploy operation would publish all lists that the administrator was permitted to manage.
• New filters and dimensions added to DNS Summary and Proxy Summary reports. New filter criteria and dimensions for access control are now available in the DNS Summary and Proxy Summary activity reports.
• Scheduled Reports Enhancements. You can now schedule reports for access control events, as well as threat events. Additionally, you can schedule a report for DNS Summary or Proxy Summary activity data. The DNS Summary and Proxy Summary scheduled reports show the top activity based on ETP reporting dimensions such as location, domain, geographical region, and more.  
• Updated firewall hostname for DoT. The Security Connector DNS Forwarder and ETP Client now use the *.akaetp.net hostname for DNS-over-TLS (DoT) connections. Make sure you update your firewall, on-premise proxy, and allowlists to use this hostname with outbound TCP port 443 or 853. Note: For ETP Client, the port you must allow depends on the port that’s configured in the policy. In a policy, you can select port 443 or 853 for DoT. For DNS Forwarder, the port you must allow depends on the port configured in Security Connector for a DNS Forwarder configuration.

The following features are currently in beta:

• Sublocations. An administrator can now configure sublocations for ETP locations. A sublocation can represent different virtual local area networks (VLANs) that are routed to the Internet with the same IP address. This feature allows you to apply different policies to your sublocations and in turn, define more granular access.
• New Threat Categories. Akamai has added risky categories to the threat settings of a policy. These risky categories include Adware, Coin Mining, Newly Seen Domains, Newly Registered Domains, Potentially Harmful Domains, and DNS Tunneling services. Before this update, risky domains were tracked in a policy setting where administrators could select an action that would send all risky domains to the proxy for scanning. With these new risky categories, you can select an action for each category.

To participate in the beta of these features, contact your Akamai representative.

Enterprise Threat Protector (ETP) Client 3.4.0 is now available

A new version of the ETP desktop client is now available. This release contains the following updates:

Bring Your Own Device (BYOD) Support. ETP Client 3.4.0 can now protect a user’s personal computer or laptop. A new installation process allows users to activate ETP Client on their personal machines without using the enterprise-wide entitlement code. The following applies in this update:

• After the client is installed on the user’s machine, the user is prompted to activate the client with a one-time activation code (OTAC). If the user does not have this code, the client lets users request it. The activation code is emailed to the authorized user’s corporate email address.
• To email activation codes, administrators must configure authorized corporate domains in Enterprise Center. Administrators should not provide email domains that are associated with unauthorized users.
• From Enterprise Center, administrators can send users an email invitation that contains the activation code. Administrators can also choose to generate a CSV file with activation codes and manually distribute these codes to users. After the activation codes are generated, they are valid for one week (7 days).
• When generating an OTAC in Enterprise Center, administrators should specify the user’s email address in the User’s List. This allows administrators to easily associate events with the users who trigger them. This email address appears in the new Device Owner dimension that’s available in ETP event and activity reports.
• End users are not prompted for an entitlement code during the installation of the client. The entitlement code is used by administrators only. After installing ETP Client with the user interface, administrators enter the entitlement code in the ETP Client interface. Installations that are performed with the command line can still use the entitlement code.

ETP Client Access Logs. New log files provide detailed information on all ETP Client traffic. These logs are formatted to make them easier for analysis. These CSV files are available in the client Log directory:

• etp_Proxy_Access.csv: Contains logs of web traffic forwarded from ETP Client to ETP Proxy. Log data includes the time that activity occurred, ID associated with the request, requested domain, and more.
• etp_Client_Access.csv: Contains logs of DNS traffic forwarded from ETP Client to ETP DNS resolvers. Log data includes the time that activity occurred, ID associated with the request, whether DNS over TLS (DoT) or DNS over UDP was used, and more.

When a log file reaches 40 MB, an index value is appended to the filename and a new log file is created with the original filename. These logs can be used by your organization to review requests and troubleshoot technical issues. Administrative privileges are required to view these logs.

Note: These logs contain all traffic, including logs for private browsing. Make sure these logs are handled securely to maintain the user’s privacy.

ETP Client is enabled for logging by default. However, administrators can disable logging in Enterprise Center.

Support for Apple M1 chip. ETP Client now supports Mac computers with the Apple M1 chip.

Enterprise Threat Protector (ETP) Release June 1, 2021

The following new features are now available:

• Application Visibility and Control. This feature is available in all ETP editions and allows your organization to grant or block access to specific applications based on risk, category, or application type. Additionally, if your organization is licensed for ETP Standard or Advanced Threat editions, you can define the application operations that you want to allow or block.

• Data Loss Prevention (DLP). Akamai is restarting the Data Loss Prevention beta in response to findings in the first beta. The DLP engine is now improved to better support Google Drive. DLP also now automatically bypasses applications that encrypt data, which previously resulted in false positives. Please note that you can still block any application using the Application Visibility and Control feature.

• Mobile ETP Client Support. Clients to allow ETP policies to be enforced for Apple IoS, Android, and Chromebook devices are now available. This capability also enables you to easily add protection to unmanaged devices.

• File Type Blocking. Customers may now block specific types of files from being downloaded.

• End of Support For ETP UI. The classic ETP UI is now no longer supported and all functionality has been migrated to the Enterprise Center. Please update your bookmarks accordingly.

The following features are currently in beta:

• Scheduled Reports Enhancements. You can now schedule reports for all Acceptable Use Policy (AUP) violations in addition to threats. Additionally, you can schedule Summary Proxy Activity and DNS activity reports on a daily or weekly basis.

Minor changes and fixes. This release includes a number of minor changes and bug fixes to improve the usability of the product.

Please note that legacy AUP categories are now no longer supported. Please migrate to the new categories if you have not done so already.

Enterprise Threat Protector (ETP) Client Version 3.3.2

A new version of the ETP Client is now available. This release contains a number of bug fixes, including improved support for Static DNS configurations in machines, a minor IPv6 support fix, and fixes to DNS-Over-TLS handling.

Enterprise Threat Protector (ETP) now includes these features and enhancements:

Policy Deprecations. Based on updates to external threat feeds, ETP now alerts you to needed deprecations of policy actions that are defined for applications, categories, and operations. When you display the policy in the UI, a window indicates the needed deprecations. You can then confirm the deprecations and deploy the policy update.

Bypass Microsoft 365 Traffic. The Optimize Microsoft 365 Traffic option on the policy Settings tab has been changed to Bypass Microsoft 365 Traffic. Select this setting to bypass all Microsoft 365 traffic. NOTE: Any policy actions defined for Microsoft 365 applications, categories, or operations are ignored if you enable the Bypass Microsoft 365 Traffic field on the policy’s Setting tab.

Enterprise Threat Protector (ETP) now includes these features and enhancements:

Bulks Actions in Enterprise Center. The Enterprise Center user interface for ETP now allows you to complete some operations in bulk. These operations include:

• Deploying multiple identity providers
• Deleting multiple identity providers
• Deleting multiple identity connectors
• Enabling or disabling remote debugging for identity connectors

New ETP Status Page. To improve communications during service incidents, Akamai has created a public status page for ETP. Customers may subscribe to service impact notifications through email, text, or Slack. To subscribe, go to https://etp.status.akamai.com/.

Improved Enterprise Center Experience. The Enterprise Center experience now shows resource usage statistics for locations, policies, lists, and more.

Enhanced Monitor policy action. With the Monitor policy action, requests resolve to the origin and a user is able to access the website they requested. This action generates a threat or access control event in ETP. If ETP Proxy is set up as a full web proxy, traffic is forwarded to ETP Proxy where it’s scanned by multiple anti-malware engines. If a threat is detected, then the user is unable to access the URL or website they requested.

Minor changes and fixes. A number of minor changes and bug fixes are included in this release to improve the usability of the product.

Secure DNS Forwarder is now generally available with Security Connector 2.7.0

In addition to functioning as a DNS sinkhole, Security Connector can now act as a DNS forwarder that directs traffic to Enterprise Threat Protector (ETP) for resolution. Secure DNS Forwarder detects the internal client IP address and the internal hostname of the client machine. It also protects connections to ETP with DNS over TLS (DoT).

In the Security Connector console, a new menu is now available for DNS Forwarder. You can:

• View traffic statistics about connections that are directed from DNS Forwarder to ETP.
• View the health status of DNS Forwarder
• Enable or disable DNS Forwarder. By default, DNS Forwarder is enabled.
• Temporarily enable query and response logging in your enterprise for Akamai to investigate and troubleshoot an issue.
• Change the DNS Forwarder port. By default, DNS Forwarder uses outbound TCP port 443. However, you can choose to use outbound TCP port 853.
• Configure a local DNS server. If your organization’s corporate DNS server is not recursive and is used for internal domains only, you can configure it as a local DNS server for DNS Forwarder. This configuration sets the DNS server that you configured in the Security Connector setup as a fallback server in case ETP is not reachable. If you apply a local DNS server configuration, you can then set the Security Connector DNS name server to use the ETP DNS server IP addresses.

ETP also now includes new reporting dimensions to show the internal client IP address and the internal hostname of the user’s machine.

Note the following:

• When you upgrade Security Connector, the virtual machine will temporarily hop to version 2.6.9 before it upgrades to version 2.7.0. This upgrade process also restarts your virtual machine twice. Make sure you do not interrupt this upgrade process. If you find that Security Connector is stuck on version 2.6.9, contact Akamai Support.
• If you intend to use DNS Forwarder, the virtual machine requires 4 GB of RAM and can be increased to 8 GB. If you don’t intend to use Security Connector as a DNS Forwarder, 2 GB of RAM is enough for the Security Connector virtual machine.

For more information about this update, see the online help or the Security Connector Setup and Configuration Guide.