Enterprise Threat Protector (ETP) now includes these features and enhancements:

Policy Deprecations. Based on updates to external threat feeds, ETP now alerts you to needed deprecations of policy actions that are defined for applications, categories, and operations. When you display the policy in the UI, a window indicates the needed deprecations. You can then confirm the deprecations and deploy the policy update.

Bypass Microsoft 365 Traffic. The Optimize Microsoft 365 Traffic option on the policy Settings tab has been changed to Bypass Microsoft 365 Traffic. Select this setting to bypass all Microsoft 365 traffic. NOTE: Any policy actions defined for Microsoft 365 applications, categories, or operations are ignored if you enable the Bypass Microsoft 365 Traffic field on the policy’s Setting tab.

Akamai MFA LA 29/03/2021 release

Akamai MFA, a workforce MFA service, helps customers to strengthen their Zero Trust security posture by securely establishing trust in a user before allowing access to protected applications and resources. Akamai MFA features a unique authentication factor, Akamai’s phish proof push, that combines the security provided by FIDO2 with the ease of use of the familiar push notification. Akamai MFA can be integrated with Akamai’s EAA IDP, Okta, Microsoft Azure AD (with ADFS), and Shibboleth identity providers as well as with UNIX platforms (for MFA with SSH) and Windows RDP servers for Windows Logon. Automated user provisioning can be accomplished using the SCIM framework. A full suite of authentication factors is supported to address any use case. Akamai MFA operates on the Akamai Intelligent Edge platform and is centrally managed using Enterprise Center on Akamai Control Center. See the Admin Guide and the User Guide to learn more.

Supported browsers and versions

• Firefox 87.0

• Google Chrome 89.0.4389.90

• Microsoft Edge 89.0.774.57

• Safari 14.0.3

Internet Explorer is not yet supported.

Supported mobile devices

• iOS 12 and above (iPad, iPhone, iPod Touch)

• Android 7 and above (phones and tablets)

Supported integrations

• ADFS integration supports Microsoft ADFS on Windows Server 2016.

• Integration with Akamai EAA IdP requires that both EAA and Akamai MFA are on the same contract.

• Okta integration supports Custom IdP factor authentication as an integration point. You have to contact Okta to enable this early access feature.

• Shibboleth integration supports Shibboleth version 4.0.1.

• Akamai MFA Unix PAM supports the following distribution versions: CentOS 5, 6, 7/8, Red Hat 5, 6, 7/8, Ubuntu 14, and 16/18/20.

• Akamai MFA Windows Logon plugin supports Windows 10 (64 bit) and Windows Server 2016.

Akamai MFA (Beta3) 03/03/2021 release

Akamai MFA New Features

Role-based access controls for administrators. With Akamai MFA role-based access control, you can empower admins by giving them access privileges they need and ensure that your enterprise data is protected.

Akamai MFA mobile app and browser extensions are now available via the App Store and Google Play Store. You can download the Akamai MFA mobile app and pair your device with the selected browser to provide your logins with strong, phish-proof authentication. See Installation Help.  

New Policy UI. With the updated user experience, you gain an immediate insight into the all configured policies and restrictions. You can flexibly assign policies to integrations, groups and users, which lets you apply fine-grained access control over your protected resources. With device policies, you can ensure that the end user’s authentication device is secure and has not been compromised. Akamai MFA also supports iOS DeviceCheck and Android SafetyNet, which lets you confirm the authenticity of the Akamai MFA mobile app and the overall device.

EAA Client 2.3.0 patch release - 1/27/2021

EAA Client Versions * EAA Client for Windows/macOS: version 2.3.0.21012201

Akamai EAA Client 2.3.0 New Features

Big Sur support This version of EAA Client fully supports Big Sur (MacOS 11.0) on Intel based processors.

Known limitations * Customers using this EAA Client patch release on the macOS platform will see ‘empty’ values for Process Name and Process Path fields in Client Details Preset Report (EAA Management portal > Reports > Activity > Preset Reports, Select Report > Client Detail) and Discovered Apps User Report (EAA Management portal > Clients > Discovered Apps, Provide a date range, select any App, click Users). If you are using device posture, the remediation message may not have the Process Name for client-access apps.

Bug fixes for EAA Client * Device Posture supports Carbon Black Sensor 3.5.1 version.

• Device Posture supports the Crowdstrike Falcon sensor v6.14 version.

• When you open EAA Client, the complete OS name is shown for macOS Big Sur. Earlier it was just macOS.

• When there are many TCP-type or IP-based client-access applications using the same Identity provider, Run Diagnostics results were not meaningful. It has been fixed.

• DNS SRV records are supported on macOS.

• Resolved issues with SRV records on Windows for Enterprise DNS.

• Bogus EAA Client notifications have been suppressed.

Enterprise Threat Protector (ETP) now includes these features and enhancements:

Bulks Actions in Enterprise Center. The Enterprise Center user interface for ETP now allows you to complete some operations in bulk. These operations include:

• Deploying multiple identity providers
• Deleting multiple identity providers
• Deleting multiple identity connectors
• Enabling or disabling remote debugging for identity connectors

New ETP Status Page. To improve communications during service incidents, Akamai has created a public status page for ETP. Customers may subscribe to service impact notifications through email, text, or Slack. To subscribe, go to https://etp.status.akamai.com/.

Improved Enterprise Center Experience. The Enterprise Center experience now shows resource usage statistics for locations, policies, lists, and more.

Enhanced Monitor policy action. With the Monitor policy action, requests resolve to the origin and a user is able to access the website they requested. This action generates a threat or access control event in ETP. If ETP Proxy is set up as a full web proxy, traffic is forwarded to ETP Proxy where it’s scanned by multiple anti-malware engines. If a threat is detected, then the user is unable to access the URL or website they requested.

Minor changes and fixes. A number of minor changes and bug fixes are included in this release to improve the usability of the product.

Secure DNS Forwarder is now generally available with Security Connector 2.7.0

In addition to functioning as a DNS sinkhole, Security Connector can now act as a DNS forwarder that directs traffic to Enterprise Threat Protector (ETP) for resolution. Secure DNS Forwarder detects the internal client IP address and the internal hostname of the client machine. It also protects connections to ETP with DNS over TLS (DoT).

In the Security Connector console, a new menu is now available for DNS Forwarder. You can:

• View traffic statistics about connections that are directed from DNS Forwarder to ETP.
• View the health status of DNS Forwarder
• Enable or disable DNS Forwarder. By default, DNS Forwarder is enabled.
• Temporarily enable query and response logging in your enterprise for Akamai to investigate and troubleshoot an issue.
• Change the DNS Forwarder port. By default, DNS Forwarder uses outbound TCP port 443. However, you can choose to use outbound TCP port 853.
• Configure a local DNS server. If your organization’s corporate DNS server is not recursive and is used for internal domains only, you can configure it as a local DNS server for DNS Forwarder. This configuration sets the DNS server that you configured in the Security Connector setup as a fallback server in case ETP is not reachable. If you apply a local DNS server configuration, you can then set the Security Connector DNS name server to use the ETP DNS server IP addresses.

ETP also now includes new reporting dimensions to show the internal client IP address and the internal hostname of the user’s machine.

Note the following:

• When you upgrade Security Connector, the virtual machine will temporarily hop to version 2.6.9 before it upgrades to version 2.7.0. This upgrade process also restarts your virtual machine twice. Make sure you do not interrupt this upgrade process. If you find that Security Connector is stuck on version 2.6.9, contact Akamai Support.
• If you intend to use DNS Forwarder, the virtual machine requires 4 GB of RAM and can be increased to 8 GB. If you don’t intend to use Security Connector as a DNS Forwarder, 2 GB of RAM is enough for the Security Connector virtual machine.

For more information about this update, see the online help or the Security Connector Setup and Configuration Guide.

Application visibility and control (AVC) is now in beta

If your organization is participating in the AVC beta, you can now control access to web applications. You can define default policy behavior, or you can create a policy that is based on risk level, acceptable use policy (AUP) categories, category operations, applications, or specific operations for an application. You assign actions to each area of the AVC policy. As you configure each component, the detailed settings you set take precedence over more general settings. For example, the policy action you apply to an application takes precedence over an action that’s applied to its corresponding category or category operation.

You can also select the users and groups that can access a blocked web application and perform specific operations in the application. AVC supports the following ETP setups:

• ETP DNS. If ETP Proxy is not enabled, you can still control access to applications based on the application’s domain and IP address.
• ETP Secure Web Gateway. If ETP Proxy is enabled and configured as a full web proxy, you can control access to applications based on URLs, domains, IP addresses, and other attributes.

For more information, see the online help. To participate in the beta, contact your Akamai representative.

Known Issues and Limitations

Issue: Depending on the domain that’s used to access Google Gmail, an allow action for Gmail may not override a block action with a user exception to the Web-Based Email category. It also may not override the Very High risk level.

Workaround: There is currently no workaround.

Mac OS 11 (Big Sur) Support for ETP Client

Apple has announced the general availability of macOS Big Sur (version 11.0) across its platforms starting November 12, 2020.

Akamai has been working closely in the Apple Developer Network to validate the ETP Client with various Apple Developer builds. As a result, the ETP Client 3.2.1 will install in macOS Big Sur-based environments. However, full qualification is only possible once the production release of macOS Big Sur is made available.

Following Apple’s announcement today, Akamai will undertake a final round of testing on macOS Big Sur to ensure that ETP Client 3.2.1 is fully qualified. Once the testing is complete, Akamai will update appropriate Client release notes to reflect this.

ETP Clients below 3.2.1 will not support Big Sur. Customers using ETP Client who wish to run macOS Big Sur must upgrade to corresponding supported Client versions when they have been fully qualified.

See macOS Big Sur for more information.

Mac OS 11 (Big Sur) Support for EAA Client

Apple has announced the general availability of macOS Big Sur (version 11.0) across its platforms starting November 12, 2020.

Akamai has been working closely in the Apple Developer Network to validate the EAA Client with various Apple Developer builds. As a result, the EAA Client 2.1.2 will install in macOS Big Sur-based environments. However, full qualification is only possible once the production release of macOS Big Sur is made available.

Following Apple’s announcement today, Akamai will undertake a final round of testing on macOS Big Sur to ensure that EAA Client 2.1.2 is fully qualified. Once the testing is complete, Akamai will update appropriate Client release notes to reflect this.

EAA Client versions below 2.1.2 will not support Big Sur. Customers using EAA Client who wish to run macOS Big Sur must upgrade to corresponding supported Client versions when they have been fully qualified.

See macOS Big Sur for more information.

Enterprise Threat Protector (ETP) now includes these features and enhancements:

Custom Headers. In a policy, you can now configure custom headers to control access to software as a service (SaaS) applications. You can use this feature to require that users access only your organization’s account of the application. To use this feature, your organization must be licensed for ETP Advanced Threat and configure ETP Proxy as a full web proxy. For more information, see the online help.

Block Unscannable Files. You can enable the Block Unscannable Files option in a policy to block files that cannot be scanned by ETP Proxy as part of inline payload analysis. These files include encrypted or password protected files. If this option is disabled, these files are not scanned by ETP Proxy.

Custom List Updates. Custom lists now include these changes:

• If the block action is assigned to a custom list, you can select the users and groups that are exceptions to the block action. This means that selected users and groups can access a blocked website from the list after they successfully authenticate. To select users and groups for the exception, the policy must be enabled for authentication and have an associated identity provider.
• After you create a custom list, you can no longer modify the category that’s assigned to the list.

New Name for ETP Client Setting in Policy. The “Enable ETP Client as Proxy” setting is now called “Overwrite Device Proxy Settings.”

Identity Provider Deployment. In the new Enterprise Center user interface, you can now deploy an identity provider (IdP) within the IdP configuration. A new button now appears beside the deployment status when the IdP is ready for deployment. This button also appears if there is a failure that requires you to redeploy the IdP.