2021-01-21
Enterprise Threat Protector (ETP) now includes these features and enhancements:
Bulk Actions in Enterprise Center. The Enterprise Center user interface for ETP now allows you to complete some operations in bulk. These operations include:
- Deploying multiple identity providers
- Deleting multiple identity providers
- Deleting multiple identity connectors
- Enabling or disabling remote debugging for identity connectors
New ETP Status Page. To improve communications during service incidents, Akamai has created a public status page for ETP. Customers may subscribe to service impact notifications through email, text, or Slack. To subscribe, go to https://etp.status.akamai.com/.
Improved Enterprise Center Experience. The Enterprise Center experience now shows resource usage statistics for locations, policies, lists, and more.
Enhanced Monitor policy action. With the Monitor policy action, requests resolve to the origin and a user is able to access the website they requested. This action generates a threat or access control event in ETP. If ETP Proxy is set up as a full web proxy, traffic is forwarded to ETP Proxy where it’s scanned by multiple anti-malware engines. If a threat is detected, then the user is unable to access the URL or website they requested.
Minor changes and fixes. A number of minor changes and bug fixes are included in this release to improve the usability of the product.
2020-11-18
Secure DNS Forwarder is now generally available with Security Connector 2.7.0
In addition to functioning as a DNS sinkhole, Security Connector can now act as a DNS forwarder that directs traffic to Enterprise Threat Protector (ETP) for resolution. Secure DNS Forwarder detects the internal client IP address and the internal hostname of the client machine. It also protects connections to ETP with DNS over TLS (DoT).
In the Security Connector console, a new menu is now available for DNS Forwarder. You can:
- View traffic statistics about connections that are directed from DNS Forwarder to ETP.
- View the health status of DNS Forwarder.
- Enable or disable DNS Forwarder. By default, DNS Forwarder is enabled.
- Temporarily enable query and response logging in your enterprise for Akamai to investigate and troubleshoot an issue.
- Change the DNS Forwarder port. By default, DNS Forwarder uses outbound TCP port 443. However, you can choose to use outbound TCP port 853.
- Configure a local DNS server. If your organization’s corporate DNS server is not recursive and is used for internal domains only, you can configure it as a local DNS server for DNS Forwarder. This configuration sets the DNS server that you configured in the Security Connector setup as a fallback server in case ETP is not reachable. If you apply a local DNS server configuration, you can then set the Security Connector DNS name server to use the ETP DNS server IP addresses.
ETP also now includes new reporting dimensions to show the internal client IP address and the internal hostname of the user’s machine.
Note the following:
- When you upgrade Security Connector, the virtual machine will temporarily hop to version 2.6.9 before it upgrades to version 2.7.0. This upgrade process also restarts your virtual machine twice. Make sure you do not interrupt this upgrade process. If you find that Security Connector is stuck on version 2.6.9, contact Akamai Support.
- If you intend to use DNS Forwarder, the virtual machine requires 4 GB of RAM and can be increased to 8 GB. If you don’t intend to use Security Connector as a DNS Forwarder, 2 GB of RAM is enough for the Security Connector virtual machine.
For more information about this update, see the online help or the Security Connector Setup and Configuration Guide.
2020-11-17
Application visibility and control (AVC) is now in beta
If your organization is participating in the AVC beta, you can now control access to web applications. You can define default policy behavior, or you can create a policy that is based on risk level, acceptable use policy (AUP) categories, category operations, applications, or specific operations for an application. You assign actions to each area of the AVC policy. As you configure each component, the detailed settings you set take precedence over more general settings. For example, the policy action you apply to an application takes precedence over an action that’s applied to its corresponding category or category operation.
You can also select the users and groups that can access a blocked web application and perform specific operations in the application. AVC supports the following ETP setups:
- ETP DNS. If ETP Proxy is not enabled, you can still control access to applications based on the application’s domain and IP address.
- ETP Secure Web Gateway. If ETP Proxy is enabled and configured as a full web proxy, you can control access to applications based on URLs, domains, IP addresses, and other attributes.
For more information, see the online help. To participate in the beta, contact your Akamai representative.
Known Issues and Limitations
Issue: Depending on the domain that’s used to access Google Gmail, an allow action for Gmail may not override a block action with a user exception to the Web-Based Email category. It also may not override the Very High risk level.
Workaround: There is currently no workaround.
2020-11-12
macOS 11 (Big Sur) Support for ETP Client
Apple has announced the general availability of macOS Big Sur (version 11.0) across its platforms starting November 12, 2020.
Akamai has been working closely in the Apple Developer Network to validate the ETP Client with various Apple Developer builds. As a result, the ETP Client 3.2.1 will install in macOS Big Sur-based environments. However, full qualification is only possible once the production release of macOS Big Sur is made available.
Following Apple’s announcement today, Akamai will undertake a final round of testing on macOS Big Sur to ensure that ETP Client 3.2.1 is fully qualified. Once the testing is complete, Akamai will update appropriate Client release notes to reflect this.
ETP Clients below 3.2.1 will not support Big Sur. Customers using ETP Client who wish to run macOS Big Sur must upgrade to corresponding supported Client versions when they have been fully qualified.
See macOS Big Sur for more information.
2020-11-12
macOS 11 (Big Sur) Support for EAA Client
Apple has announced the general availability of macOS Big Sur (version 11.0) across its platforms starting November 12, 2020.
Akamai has been working closely in the Apple Developer Network to validate the EAA Client with various Apple Developer builds. As a result, the EAA Client 2.1.2 will install in macOS Big Sur-based environments. However, full qualification is only possible once the production release of macOS Big Sur is made available.
Following Apple’s announcement today, Akamai will undertake a final round of testing on macOS Big Sur to ensure that EAA Client 2.1.2 is fully qualified. Once the testing is complete, Akamai will update appropriate Client release notes to reflect this.
EAA Client versions below 2.1.2 will not support Big Sur. Customers using EAA Client who wish to run macOS Big Sur must upgrade to corresponding supported Client versions when they have been fully qualified.
See macOS Big Sur for more information.
2020-11-11
Enterprise Threat Protector (ETP) now includes these features and enhancements:
Custom Headers. In a policy, you can now configure custom headers to control access to software as a service (SaaS) applications. You can use this feature to require that users access only your organization’s account of the application. To use this feature, your organization must be licensed for ETP Advanced Threat and configure ETP Proxy as a full web proxy. For more information, see the online help.
Block Unscannable Files. You can enable the Block Unscannable Files option in a policy to block files that cannot be scanned by ETP Proxy as part of inline payload analysis. These files include encrypted or password protected files. If this option is disabled, these files are not scanned by ETP Proxy.
Custom List Updates. Custom lists now include these changes:
- If the block action is assigned to a custom list, you can select the users and groups that are exceptions to the block action. This means that selected users and groups can access a blocked website from the list after they successfully authenticate. To select users and groups for the exception, the policy must be enabled for authentication and have an associated identity provider.
- After you create a custom list, you can no longer modify the category that’s assigned to the list.
New Name for ETP Client Setting in Policy. The “Enable ETP Client as Proxy” setting is now called “Overwrite Device Proxy Settings.”
Identity Provider Deployment. In the new Enterprise Center user interface, you can now deploy an identity provider (IdP) within the IdP configuration. A new button now appears beside the deployment status when the IdP is ready for deployment. This button also appears if there is a failure that requires you to redeploy the IdP.
2020-10-26
ETP Client 3.2.2 for Windows is now available for download
A new version of ETP Client for Windows is now available. This release includes fixes to a number of issues. Make sure you download this version or upgrade your clients on Windows.
2020-10-21
Enterprise Threat Protector (ETP) now includes these enhancements:
Overlay groups and organizational units (OUs) in a directory configuration. When configuring groups in a directory, an administrator can now import organizational units from a directory and add overlay groups. Overlay groups allow administrators to add groups to ETP without modifying their external directory configuration. Like any directory group, an administrator can select an overlay group or an OU when configuring exceptions to an Acceptable Use Policy (AUP).
New and updated AUP categories. New and enhanced AUP categories and subcategories are now available. You can allow or block these categories in a new or existing AUP. If a policy blocks a category that’s now discontinued, ETP allows you to confirm the block action to a suggested new category.
Make sure that you log in to ETP to review your policy and confirm any suggested change to an AUP. Discontinued AUP categories are not supported after January 31, 2021.
For a detailed list of categories, including new, updated, and discontinued categories, see the online help.
The following additional features are also now available in an AUP:
- Bypass action for an AUP category. If ETP Proxy is enabled, you can select the bypass action to ensure websites in a specific category bypass ETP Proxy. You may want to select the bypass action for categories that are associated with sensitive information such as the Finance & Investing and the Healthcare categories.
- Select a custom response in an AUP. If ETP Proxy is not enabled, you can now assign custom responses to blocked AUP categories. This enhancement allows you to direct AUP traffic to resources of your choice.
Security Connector added as dimension to DNS Activity report. The DNS Activity report now shows the Security Connector name when DNS traffic was detected by Security Connector.
DNS Proxy is now called DNS Forwarder. If you are participating in the Security Connector beta with version 2.6.8, the DNS Proxy feature is now called DNS Forwarder. The Security Connector console user interface still includes the DNS Proxy name; however, this name will be updated in an upcoming release.
This release also includes minor user interface improvements, including new tabs on the identity provider and directory configuration pages that better organize settings.
2020-10-15
Enterprise Application Access (EAA) 10/23/2020 software release
EAA Client Versions
EAA Client for Windows/macOS: version 2.1.2
EAA Client mobile app for iOS: version 1.0
EAA Client mobile app for Android: version 1.0
Akamai EAA New Features
User diagnostics and troubleshooting. Administrators can use the end-user diagnostics workflow to quickly diagnose and find the root cause of commonly faced issues during application access. Designed as a workflow, customers provide the username, identity provider (IdP URL) accessed, a time window, and devices used. The retrieved data includes the top applications accessed by the user, ACL and authorization policies violated by the user, and network performance as viewed from within the EAA service.
Connector health monitoring. The connector health monitoring widget has been significantly upgraded in this release. The load indicator on the connector card provides a simple “stop-light” view of its health. For each active connector, the performance tab provides rich information such as the state of system resources, the nature of EAA dial-outs, and the number of active connections per connector.
Application configuration versioning. Starting with this release, the EAA service supports application configuration versioning. Administrators can automatically roll back to a previous version where possible, and easily compare different configuration versions and identify changes.
Bypass of Multi-factor authentication. Administrators can enable bypass MFA criteria like a managed device check or a corporate network IP check, to determine if MFA is prompted for end-users during the sign-in process. Corporate gateway subnet verification is used to determine if a request comes from the corporate network. Client certificate (User Store) validation is used to determine if a device is managed.
EAA APIs. The Open API documentation provides better API segmentation and clearer documentation for the user, group, application, IdP, and directory, and includes the Device Posture API.
Support for customer configurable ciphers. Administrators can select a default or custom cipher suite to be used for the TLS client-server handshake before secure TLS communication starts. It can be configured in the advanced settings within an application’s configuration.
CrowdStrike Integration for Device Posture. Customers using CrowdStrike Falcon Endpoint Detection and Response (EDR) can enable EAA to check the CrowdStrike cloud to validate the health and validity of the Falcon sensor on the device. This can be used as a device posture signal in application access control rules (ACL).
Device Posture checks device certificate validity. Administrators can enable a new device posture signal to confirm the presence of a valid device certificate on the device. A valid certificate helps EAA distinguish an organization’s owned and managed device from others, and can also be used as a signal for an ACL for applications.
VMware Carbon Black for Device Posture. An updated API from VMware has been integrated with Device posture to provide an additional layer of security and protection between Akamai EAA cloud and VMware Carbon Black cloud communication.
Identity provider username in Device Posture reports. Device Posture reports show the identity provider (IdP) username that is present in authentication login sessions, correlating device posture signal to the user.
Akamai EAA End of Support
EAA Client
With this release, Akamai is announcing the end of support for all EAA 1.x.x Clients. Customers using 1.x.x Clients are requested to migrate to 2.1.2 Clients. When you upgrade to EAA Client 2.1.2, a new akamai-device-id is generated. EAA activity reports, the Clients overview dashboard, and the Device Posture dashboard may include the old akamai-device-id, resulting in inaccurate statistics until the old akamai-device-id is purged after 90 days. The recommended upgrade procedure for the 2.1.2 release is to directly upgrade over the existing 2.0.x installations. If the user is running a 1.x version of the EAA Client, they must uninstall it before installing version 2.1.2. For more information, see Device ID (akamai-device-id) updates with EAA Client installation and upgrades.
EAA and EAA Client limitations
User diagnostics do not show Device Posture ACL policy violations for access-applications (clientless apps).
User diagnostics do not show browser-based SSH, bookmark, or SaaS applications.
User diagnostics is not supported on Internet Explorer version 11 due to unsupported fonts.
Connector health monitoring is not supported on Internet Explorer version 11 due to unsupported fonts.
Integrated Windows Authentication (IWA) fails intermittently while accessing from a new browser session and the identity provider (IdP) will prompt for form-based authentication. Authentication will succeed if you refresh the browser session or open the IdP URL in a new tab.
If you access an application that has bypass MFA criteria set to certification validation check enabled and the appropriate settings are configured, you are redirected to the identity provider login portal after authentication. The user should then access the application from the login portal.
Bypass MFA feature is not supported when the “Certificate Identity is Username” field is unchecked in the General settings of the identity provider and Device is Managed is used as a Bypass MFA criteria. Users will be prompted for MFA.
Device Posture limitations.
When you use the EAA Client mobile app on Android devices to log in to an IdP from either a Chrome browser or via the QR code, switching apps before the configuration is complete may cause the EAA Client to crash.
When you use the EAA Client mobile app on mobile devices to log in to an MFA-enabled Akamai IdP, you may need to enter the MFA code twice: once while logging in to the mobile browser, and a second time when redirected to the EAA Client mobile app login screen.
When you install the EAA Client on Windows, open EAA Client, and navigate to Device Posture > Signals, the username is the admin’s name and not the current user name. The workaround is to quit and restart the EAA Client.
When you use the EAA Client mobile app on mobile devices to log in to an Akamai IdP with a QR code, you may have problems opening the app and may see a loading screen with a spinner. Close the application and reopen it, or log in to the IdP with a mobile browser. Another workaround is to do a second scan of the same QR code, after reopening the app when the first scan fails. Third-party IdPs are not affected.
EAA Client mobile app on an Android device works only if a Chromium-based browser (Chrome, Samsung browser, Microsoft Edge) is set as the default browser. On other browsers, users will see a remediation message, “Ensure EAA client is installed or configured correctly”.
When you use the EAA Client app on iOS 14 or iPadOS 14 devices and Safari is not the default browser, users will see a remediation message, “Ensure EAA client is installed or configured correctly” when accessing a web app from the browser.
When you use the EAA Client app on iOS devices for authorization to a third-party IdP with or without MFA, the user is stuck in the authorization loop process (user accesses third-party IdP URL on iOS browser, OS opens EAA Client app, the user completes authorization and MFA, the user is redirected back to the browser again, OS opens EAA Client app again, loop repeats).
When you use the EAA Client mobile app on iOS devices to log into an Akamai IdP, you may be directed to the EAA Client and are prompted to log in again using the in-app browser window. After you enter login credentials, the app may hang with a loading screen and a spinner. To recover, you must close and reopen the EAA Client application. Then, you must log out of the IdP using the browser and log in again to the IdP via the mobile browser a second time. Third-party IdPs are not affected and can be used with QR code or the Safari browser.
Fixed customer bugs.
Tunnel-type client-access application sessions are terminated within 5 minutes for a user who is blocked by the block user functionality.
Tunnel-type client-access applications can be saved when login credentials are used with Firefox Lockwise.
Tunnel-type client-access applications have a case-sensitivity check for application hostnames.
User and groups sync improvements for better integration between Okta IdP and Active-Directory.
Client Details reports have been increased up to 10000 records.
“Use sticky cookies for connectors” for tunnel-type client-access applications with “TCP optimization” enabled is supported.
False EAA client upgrade notifications have been resolved.
Added pagination support for the Groups page under Active Directory.
Any custom application inside the RDP application window is not maximized any more.
SSH Audit report download support is extended from three months to one year.
2020-10-08
Try Enterprise Threat Protector (ETP) with the new Enterprise Center interface
The new interface offers the following:
- A new navigation that makes it easy for you and other administrators to find ETP features and reports.
- An improved and more interactive dashboard where you define custom widgets. Widgets allow you to configure the data that’s shown in a dashboard and the overall presentation of this data.
- A new workflow that guides you through the process of setting up major features in ETP. This includes DNS security, the selective proxy, the full web proxy, and identity providers.
- New placement of features that are found on the Utilities page of the original interface. These features are now accessible in more logical areas of the navigation. For example, ETP Client and Security Connector are now accessible from the new Clients and Connectors navigation area.
- All event and activity reports are now on separate pages and are accessible from the new Threat Analytics navigation area.
- The ability to clear the DNS cache. ETP DNS servers cache domains to quickly resolve requests. If a domain resolves to a new IP address, you can clear the domain from the ETP DNS server to resolve the domain to the correct IP address. This feature is only available in Enterprise Center.
You can access the new interface from a banner that appears in ETP.
To learn more about Enterprise Center, see the ETP online help.