Security Connector 2.6.8 is now available for upgrade and functions as a DNS proxy (beta)

Depending on your configuration, Security Connector 2.6.8 now acts as a DNS proxy and a DNS sinkhole. When used as a DNS proxy, Security Connector is an internal DNS resolver that forwards traffic to Enterprise Threat Protector for resolution. With the DNS proxy, you identity the machine that’s making the request. The DNS proxy detects the internal client IP address and internal hostname.

DNS Proxy is currently in beta. To participate in the beta, contact your Akamai representative.

Security Connector 2.6.8 also includes fixes to DNS sinkhole functionality. These updates are available when you upgrade or deploy Security Connector.

For more information on DNS proxy, including setup and best practices, see the Security Connector Setup and Configuration Guide or the online help.

Enterprise Application Access (EAA) 06/22/20 software release

EAA Client Versions

• EAA Client for Windows/macOS: version 2.0.3.1b7852fe

• EAA Client mobile app for iOS: version 0.99

Akamai EAA New Features

Certificate validation for origin servers: Administrators can enable or disable certificate validation for specific directories, web Applications, SSH Applications, and RDP Applications. Origin server certificate validation must be enabled for such applications and directories that are used in production environments with HTTPS/LDAPS. For more information, see Certificate-based validation of origin servers

Akamai EAA End of Support

With this release, Akamai Enterprise Application Access is officially announcing the end of support for Ubuntu 14.04 LTS based connectors. Customers are required to migrate to Ubuntu 18.04 LTS based connectors for continued service. For more information, see Enterprise Application Access Connector Migration  

Known Limitations

EAA and EAA Client Limitations

• Browser-based SSH applications in EAA currently supports only RSA and DSA keys for key verification.

• Origin server certificate validation for HTTPS applications does not support SAN (Subject Alternative Name) of the type - IP address.

• Origin server certificate used to validate servers mentioned in the load balancing groups of URL path polices will use the certificate specified in the general settings screen.

• If a user’s password is reset outside of EAA, the user might get a 556 error while accessing NTLM applications during an active session. Refreshing the page will prompt the user to enter the new password and after successful authentication, the user will be granted access to the application.

• Modifying an IP based tunnel-type client-access application may make it inaccessible from a 1.x EAA Client. The workaround will be to upgrade to the 2.x EAA Client.

• Silent installation of EAA Client cannot be done on a Windows 7 Enterprise 32 bit machine. The workaround is to perform a manual installation.

• If you are using Outlook on a Windows machine, and you switch EAA Client from Wi-Fi to LAN or hotspot and back to Wi-Fi within 30 seconds, Outlook will be stuck in connecting state. The workaround is to quit Outlook and launch again.

• If you have Oracle Virtualbox installed on Windows 7 machine, EAA Client works intermittently.

• On-premise detection does not work if the DNS is manually modified on the machine’s network adapter’s interface. As a work-around, log out and log back into the EAA Client.

• In Windows, on-premise detection uses DNS addresses from all interfaces to resolve hostnames. If there are any disabled interfaces, it triggers false on-premise detection. As a work-around, you should clear the DNS configuration for disabled interfaces.

• The EAA administrator cannot customize the Enterprise DNS application URL.

• You cannot attach an IdP to an Enterprise DNS application. It is not possible to have specific DNS servers for the same search domain for users in a particular region served by an identity provider. This can increase the latency for the users.

Device Posture Limitations

• When you use the EAA Client mobile app on mobile devices to log into an Akamai IdP with a QR code, you may have problems opening the app and may see a loading screen with a spinner. Close the application and re-open. Or, login to the IdP with a mobile browser. Another workaround is to do a second scan of the same QR code, after reopening the app when the first scan fails. Third-party IdPs are not affected.

• From the Device Posture Dashboard, when you click on the Internet Explorer, the report doesn’t correctly populate. A workaround is to go to the Device Posture > Reports and then select Browser > Internet Explorer from the advanced filters, to see the list of devices.

• If you refresh the browser while editing ACLs with device risks or device posture settings, the configured values may disappear from the UI only. To recover the view, navigate to any other screen and return.

• Using the EAA Client mobile app on mobile iOS devices to log into an IdP with a private self-signed certificate is not supported.

• When you use the EAA Client mobile app on mobile devices to log into an MFA enabled Akamai IdP, you may need to enter the MFA code twice, once while logging into the mobile browser, and second when re-directed to the EAA Client mobile app login screen.

• If you login to an application that has Device Posture controls, using EAA Client mobile app, you may be denied access for the first time. Subsequent access using the retry button or accessing any other application should work.

• If you log into the EAA Client mobile app using Safari, Device Posture might not work. The user might have to log out and then log back into the EAA Client mobile app. Or log in to EAA Client mobile app with the QR code.

• Device Posture based ACLs are not supported if an application has a user-facing mechanism set to either certificate only or basic authentication. The access to the application is blocked; the workaround is to remove the device posture ACLs from the application or to change the authentication mechanism to form.

• On mobile devices, if you switch out of the EAA Client mobile app before completing registration, the application stops working. Return to the EAA Client mobile app and complete registration.

• On the macOS platform, the OS last update time field incorrectly displays the last time the OS was checked for updates instead of the last time the OS was updated. This does not impact functionality.

• After a silent install of the EAA Client on Windows machines, the “User Id” field may be incorrect. This issue can be corrected by restarting the EAA Client or rebooting the system.

Enterprise Threat Protector (ETP) now includes these enhancements:

• Allow action for risky and file sharing domains. With the Allow action, traffic is directed to its destination unless ETP Client is deployed on the user’s machine. If ETP Client is set up for the full web proxy, traffic is directed to the proxy. This action is useful to organizations that want to forward some user traffic to ETP Proxy while still allowing other users to access content directly. 

• Updated user interface to manage a delegated or tenant administrator. If your organization uses the delegated or tenant access feature, a new user interface now makes it easier for ETP super administrators to find users who are assigned the delegated or tenant administrator role.

ETP Client 3.1.1 is now available

This release resolves issues in ETP Client. To support the client with ETP Proxy, you can now:

• Manually configure Mozilla Firefox to use system proxy settings. This process requires that you create a JSON file and distribute it across your organization.
• Configure an exemption in the Microsoft Edge browser to allow ETP Client connections.

For more information, see ETP Client Configuration Guide or the Enterprise Threat Protector online help.

Enterprise Threat Protector (ETP) now includes these features and enhancements:

• Proxy authorization. In an ETP policy, the new Proxy Authorization option allows ETP Proxy to authorize connections from the on-premises proxy in a proxy chaining configuration. Proxy credentials that you configure in ETP and in the on-premises proxy are used to authenticate traffic from the on-premises proxy. In ETP, you create these credentials on the Proxy Credentials tab of the Utilities page. You must then configure these same credentials in the on-premises proxy.

  Note: This feature is not available by default. To use this feature, contact your Akamai representative.

• ETP Proxy Certificate expiration. ETP now sends an email notification when the TLS man-in-the-middle (MITM) certificate you uploaded or generated for ETP Proxy is about to expire. An administrator that’s set to receive communication emails for system issues will now receive a reminder to update the certificate when it expires in 30 days or less.

• New name for ETP Client configuration setting. The Automatic security patch upgrade setting is now called Automatic Upgrades for Critical Patches. If you enable this setting, ETP automatically upgrades ETP Client to fix security vulnerabilities and major issues in ETP Client.

• New name for CDN Optimization policy setting. The CDN Optimization setting is now called Forward Public IP to Origin. This setting forwards the user’s public IP address to authoritative DNS servers and web servers, and it identifies the geolocation of clients. This setting applies to both DNS and HTTP traffic.

• PingOne available as an identity provider type. If your organization is licensed for ETP only, you can now create a PingOne identity provider (IdP). Previously, you could only add and manage a PingOne IdP if your organization was also licensed for Enterprise Application Access.

Enterprise Threat Protector Secure Web Gateway (SWG) is now available

You can configure ETP Proxy as a Secure Web Gateway (SWG) that performs URL filtering, anti-malware scanning, and applies acceptable use policies to each user. To do this, you’ll need to send all web traffic to ETP Proxy. 

The full web proxy is available with these features:

• Proxy chaining. Directs all HTTP and HTTPS traffic from your organization’s on-premises proxy to ETP Proxy. As part of this feature, you enable specific settings in a policy and configure your on-premises proxy to forward traffic to ETP.  This feature is currently in beta. For more information, contact your Akamai representative.
• ETP Client.  ETP Client 3.0.4 or later allows you to forward web traffic from user machines to ETP. You can configure ETP Client as a local web proxy on the user’s machine. The client also supports networks that split internal traffic from external web traffic and use an on-premises proxy. 

With the full web proxy, you can further use the following features to secure website access and prevent users from accessing malicious content: 

Authentication. You can define the users or user groups that can access websites in an acceptable use policy (AUP) after they authenticate. 

To implement authentication, you must also set up: 

• Identity providers. A service that creates, manages, and saves user and group identity information for authentication. You can create an identity provider in ETP or integrate Okta or a third-party SAML IdP. Supported third-party SAML IdPs include Microsoft Active Directory Federation Services (AD FS) and Microsoft Azure AD. In an identity provider (IdP) configuration, you can enable multi-factor authentication, define session settings, design the login page, and more.
  Note: If your organization is licensed for Enterprise Application Access (EAA), you can create a PingOne identity service. You can also use your existing IdP configuration in ETP. However, make sure that you use EAA to manage IdPs that were created in the EAA product. Do not modify these settings in the ETP UI to avoid conflicting configuration changes. 

• Directories. A service that your enterprise uses to manage users and user groups. You must associate a directory to an IdP. The following directory services are supported: 
  • Active Directory
  • Lightweight Directory Access Protocol (LDAP)
  • Active Directory Lightweight Directory Services (AD LDS)
    ETP also offers Cloud Directory, an internal Akamai directory that you can use for testing purposes only. 

• Identity connectors. An identity connector is a virtual appliance that you download from the Utilities page in ETP and deploy behind the firewall in your data centers or hybrid cloud environments. You associate an identity connector to a directory. It allows ETP to synchronize with your directory service.

To use these features for authentication, contact your Akamai representative.

Scan unclassified traffic. In a policy, you can define an action for unclassified domains. Unclassified domains do not appear in any ETP list, such as a threat category list, custom lists, or the acceptable use policy (AUP). If the Classify action is selected for unclassified traffic, ETP Proxy scans and analyzes domains. After this analysis is completed, the traffic is assigned a category and a corresponding policy action.

Static malware analysis for large files. Allows ETP to scan files that are 5 MB to 2 GB in size. ETP scans these files after they are downloaded. If ETP detects malware, a threat event is reported.  In the ETP threat event on the Event Analysis page, you can download a deep scan report in PDF format that includes more detailed information. To use this feature, in a policy, you must enable Inline Payload Analysis and select the Allow and Scan option for large files.

Dynamic malware analysis in a Sandbox environment. Scans files in a secure sandbox environment that’s isolated from your network. In this environment, files are executed and analyzed to determine whether malicious code or activity is detected. This feature:

• Analyzes files that are up to 64 MB in size.  
• Automatically scans files offline (after they are downloaded).
• Publishes a deep scan report in ETP when it detects a threat. You can download the report in PDF format from the corresponding event in ETP. 

To use this feature, in a policy, you must enable Inline Payload Analysis, select the Allow and Scan option for large files, and enable Dynamic Analysis. This feature is available to organizations that are licensed for Advanced Sandbox. 

ETP includes reports where you can view detailed information about traffic.

• DNS Activity. Shows data on DNS traffic that’s directed to ETP or ETP Proxy.  This report allows you to:
  • Investigate suspicious activity.
  • Review requests made to a specific domain.
  • Check activity from a specific client internal IP address or machine name.
  • Troubleshoot a failed request based on connection ID or client request ID.

• Proxy Summary. Includes the total number of proxy transactions and the top transactions based on policy action, autonomous system name, client port, destination IP, destination port, domain, geolocation, source IP address, and more.

• Proxy Activity.  Shows the traffic that’s directed to ETP Proxy. This report shows the requested domain, internal IP address of the user’s machine, the username of the user who made the request, the action that was applied to traffic, and more.

These reports are available to super administrators and users who are assigned a specific role permission.

 Known Issues

These issues are currently known in this release: 

1) Issue: When ETP Client is installed on machines, users cannot access the Internet when both these conditions apply:

• ETP Client 3.0.4 or later forwards all web traffic to ETP Proxy.
• Pulse Secure VPN uses proxy server settings.

Workaround: In the VPN  tunneling connection profile of Pulse Secure VPN, make sure you or an IT administrator selects the No proxy server option. For more information on Pulse Secure VPN connection profiles, see documentation for Pulse Secure VPN.

2) Issue: Universal Windows Platform apps downloaded from the Microsoft Windows store are not supported on machines where ETP Client is installed.
Workaround: No workaround is available.

3) Issue: If you upgrade ETP Client version 2.1.0 to version 3.0.4 or later, an upgrade notification incorrectly indicates that the client will upgrade to version 2.0.7.
Workaround: Continue with the upgrade process. ETP correctly upgrades the client to version 3.0.4 or later.

 4) Issue: ETP Proxy may block the domains or URLs to bot or web application firewall services.
Workaround. To make sure these services bypass ETP Proxy, add the domains to an exception list. Akamai is actively working to resolve this issue and add ETP Proxy support for these services. 

Enterprise Threat Protector (ETP) now includes these features and enhancements:

• Security patch upgrades for ETP Client. In an ETP Client configuration, you can select to automatically install security patch upgrades. Security patch upgrades address security vulnerabilities and apply changes that are necessary to support OS updates. If you don’t want to automatically install these updates, like a software upgrade, you can download a patch from ETP, test it, approve it, and select how you want to apply it across your network.

• Revoke ETP Client. If a user reports a lost or compromised device, you can revoke ETP Client on that device. This operation is available in ETP on the Reports tab for ETP Client.

• New policy tab name. The Akamai Security tab in a policy is now called Threat.

These features are now available to organizations that are participating in ETP beta:

• Unclassified traffic. An Unclassified Traffic setting is now available in a policy. A domain is considered unclassified if it does not appear in the AUP, a custom list, or in any threat list maintained by Akamai. As an ETP administrator, you can block this traffic or allow it to bypass ETP Proxy. If you are licensed for ETP Advanced Threat, you can select the Classify action to direct unclassified traffic to ETP Proxy. Depending on the type of proxy you use, this configuration is recommended:
  • For the selective proxy (forwards only risky web traffic), select Bypass.
  • For the full web proxy, select Classify.
    As a result of this enhancement, the Unclassified AUP category is no longer available.

• Enable Forward Proxy removed in policy. The Enable Forward Proxy toggle is no longer shown in a policy. This setting is automatically enabled in the backend when you turn on ETP Proxy.

• Origin Ports. In a policy, the new Origin Ports field allows you to enter the ports and ports ranges that you want to open for the full web proxy. By default, ETP allows connections to ports 80 to 84, 443, 4443, 8080, 8443, and 8888.

• Enable ETP Client as Proxy policy setting. The new Enable ETP Client as Proxy policy setting allows you to define whether the ETP Client machine is configured as a web proxy. If you choose to make ETP Client a local web proxy, web traffic is directed from the client to ETP Proxy. This setting functions the same as the Configure ETP Client as a local computer web proxy setting in the ETP Client configuration (Utilities > ETP Client > Configuration). Your selection for the Enable ETP Client as Proxy setting takes precedence over the ETP client configuration setting.

• Permission required to access Summary of Proxy Activity and DNS Activity reports. To access the Summary of Proxy Activity and DNS Activity reports, you must be an ETP super administrator or a user who’s assigned a role with the etpRestrictedPageViewRole permission.

• Proxy activity event reporting. If activity on the Proxy Activity report generated an event, the report now shows the Is Event field to indicate whether specific activity is also an event.

• Dashboard shows total number of HTTP and HTTPS activity. The ETP Dashboard now reports the total number of HTTP and HTTPS activity in a summary graph. When a user clicks the provided graph, they are directed to the Proxy Activity report.

• Update to configuring AUP exceptions. ETP now makes it easier for you to find and select the users and groups that can access a blocked category in an Acceptable Use Policy (AUP). To select users, you can search for User IDs in the associated directory and in the search results, select the user. To select groups, you can search for groups and in a drop-down list, select the group.

  If you try to find a user or group that does not exist in the directory, you can add the user or group to the AUP exception. To allow these users and groups to authenticate, you must also add these users and groups to the directory.

Enterprise Application Access (EAA) 03/23/20 software release

Akamai EAA New Features

Block Users. It allows the EAA Identity administrator to kill all existing sessions and prevent new sessions for the specified user within five to ten minutes. Blocked users can be  unblocked if required. Works on Akamai identity provider and third party IdPs like Okta or Azure AD.

MFA Recovery code. When end-users forget to bring their 2nd-factor device this can be used as a fallback mechanism to allow validated users to access the login portal. This will work only with Akamai MFA that is part of an Akamai IdP.

Connector in-place upgrades. When an updated connector package is available, such as a patch to address security vulnerabilities, admins can now  update the connector without having to roll out new connectors. Admins can choose the connector to apply the patch. Please note, customers are advised to use 2+ connectors per application or directory. You should upgrade one connector at a time, which will ensure disruption is minimal. Connector update packages will be tested by EAA.

  Akamai EAA Client New Features

Device Posture New Features. With Device Posture (DP) you can improve your application security. DP collects signals about a device via the EAA client, the EAA mobile app for iOS, or integrations with Enterprise Threat Protector (ETP) or VMware Carbon Black (ETP and VMware Carbon Black licenses required). Admins then configure rules to classify devices into low, medium, or high risk tiers or, optionally, into risk tags. Risk tiers or tags can be used as criteria along with Enterprise Application access control rules, thus improving application security. DP includes a full set of device inventory and device posture reporting tools.

Mac OS X 10.15 Catalina Support. The EAA client (including Device Posture capabilities) will be supported on Catalina, which is Apple’s newest Mac operating system.

Windows 10 Home Edition Support. The EAA client (including Device Posture capabilities) will be supported on Microsoft’s Windows 10 Home Edition.

TunnelApp 2.0. Tunnel App 2.0 eliminates the need for admins to configure access for several applications individually, which becomes a tedious task for customers having many applications. With this new feature, admins can configure several destinations under the same client-application in tunnel mode. Multiple destination definitions can be combined, such as FQDN wildcard with * syntax, IPv4 CIDR block, protocol support for UDP, TCP or both, and port selection using range or multiple port/range. This application pooling capability saves time and reduces the chance of any error.

Silent Install Improvements. Admins can install or upgrade the EAA client on many machines using software deployment/patch management solutions, such as KACE, SCCM/Intune, and JAMF. During this process, end-users will no longer need to click on download and configure the EAA client.

Enterprise DNS. The EAA client will intercept PTR (pointer records) and SRV (service records) queries and forward it to the enterprise’s DNS server. This supports Kerberos based authentication, which requires DNS SRV to work.  

Known Limitations

EAA and EAA Client Limitations

• No warning is displayed when you modify an existing IP based tunnel-type client-access application by adding or deleting IP addresses.

• Silent installation of EAA Client cannot be done on a Windows 7 Enterprise 32 bit machine. Work around is to perform a manual installation.

• If you are using Outlook on a Windows machine, and you switch EAA Client from Wi-Fi to LAN or hotspot and back to Wi-Fi within 30 seconds, Outlook will be stuck in connecting state. The workaround is to quit Outlook and launch again.

• If you have Oracle Virtualbox installed on Windows 7 machine, EAA Client works intermittently.

• On-premise detection does not work if the DNS is manually modified on the machine’s network adapter’s interface. As a work-around, log out and log back into the EAA Client.

• In Windows, on-premise detection uses DNS addresses from all interfaces to resolve hostnames. If there are any disabled interfaces, it triggers false on-premise detection. As a work-around, you should clear the DNS configuration for disabled interfaces.

• The EAA administrator cannot customize the Enterprise DNS application URL.

• You cannot attach an IdP to an Enterprise DNS application. It is not possible to have specific DNS servers for the same search domain for users in a particular region served by an identity provider. This can increase the latency for the users.

Device Posture Limitations

• Device Posture sends signals only when you are logged into the EAA Client mobile app or desktop app.

• On mobile devices, if you switch out of the EAA Client app before completing registration, the application stops working.

• Device Posture does not work if applications have a form-based user-facing or certificate-based user-facing authentication.

• When using the EAA Client mobile app with a third-party IdP, if you experience a browser session timeout, you will see the erroneous device posture remediation message “Ensure your EAA Client is installed or configured correctly. Device posture not found” and is re-directed to the Akamai IdP. Users should logout of the Akamai IdP and device posture should work properly.

• After a silent install of the EAA Client on Windows machines, the “User Id” field may be incorrect. This issue can be corrected by restarting the EAA Client or rebooting the system.

• Device Posture anti-malware detection may display the same anti-malware signal multiple times. This does not impact functionality.

• On macOS platform, the OS last update time field incorrectly displays the last time the OS was checked for updates instead of the last time the OS was updated. This does not impact to functionality.

• When updating from Windows EAA Client version 1.x.x, the OSQUERY directory and files may not be deleted. They can be safely removed when running Windows EAA Client version 2.0.0.

• If you login to an application that has Device Posture controls, using EAA Client mobile app, you maybe be denied access for the first time. Subsequent access using the retry button or accessing any other application should work.

• If you log into the EAA Client mobile app, using Safari, Device Posture might not work. The user might have to log out and then log back into the EAA Client. Or log in to EAA mobile app with the QR code.

Enterprise Threat Protector (ETP) Secure Web Gateway (SWG) now in beta

Features

ETP SWG performs URL filtering and anti-malware scanning on all web traffic. It’s available with any one of these features:

• Proxy chaining. Allows you to forward all web traffic from your existing on-premises proxy server to ETP.  You can enable this feature with the new Enable Forward Proxy and the Trust XFF Header policy settings. The proxy host information that you use to configure traffic forwarding from the on-premises proxy to ETP is shown in the ETP policy. 
• ETP Client 3.0.4. New version of the client that allows you to forward web traffic from user machines to ETP. You can configure ETP Client as a local web proxy on the user’s machine. The client also supports networks that split internal traffic from external web traffic and use an on-premises proxy. Depending on your ETP license, you can also configure ETP Client to forward only DNS and risky web traffic.

This beta also offers these features:

Authentication policy. An authentication policy defines the users or user groups that can access websites in an acceptable use policy (AUP) after they authenticate. You can require that users authenticate before accessing a website or you can make authentication optional.  If a user is authenticated, then all web requests are logged in the Proxy Activity report (Monitoring > Activity) with username, group information, and the machine IP address. If a user does not authenticate, the username and group information are not logged. To implement authentication, you must set up: 

• Identity providers. A service that creates, manages, and saves user and group identity information for authentication.  You can create an identity provider (IdP) or integrate a third-party IdP such as Okta, PingOne, and Active Directory Federation Services (AD FS).  In an IdP configuration, you can enable multi-factor authentication, define sessions settings, design the login page, and more.

  Note: If your organization is licensed for Enterprise Application Access (EAA), you can use your existing IdP configuration in ETP. In this situation, make sure you manage the IdP configuration in EAA. Do not modify these settings in the ETP UI to avoid conflicting configuration changes.

• Directories. A service that your enterprise uses to manage users and user groups. You must associate a directory to an IdP. The following directory services are supported: 
  • Active Directory
  • Lightweight Directory Access Protocol (LDAP)
  • Active Directory Lightweight Directory Services (AD LDS)

  ETP also offers Cloud Directory, an internal Akamai directory that you can use for testing purposes only. 

  The Identity Provider and Directory configuration pages in ETP are available from a new area of the navigation menu called Identity. 

• Identity connectors (Optional). If your directory service is located in a data center that’s not accessible from the Internet, you can deploy an identity connector to grant IdP access to the directory. An identity connector is a virtual appliance that you download from the Utilities page in ETP and deploy behind the firewall in your data centers or hybrid cloud environments.

Proxy Activity. New Proxy Activity tab on the Activity page reports traffic that’s directed to ETP Proxy. You can view data about traffic and events, including the username of the user who made the request, the internal IP address of the user’s machine, and the applied policy action.

DNS Activity. New DNS Activity tab on the Activity page reports DNS traffic that’s directed to ETP. You can view detailed data about traffic such as applied policy action and the internal client IP address. This tab allows administrators to investigate suspicious activity and review requests to a specific domain.

Static malware analysis for large files. Allows ETP to scan files that are 5 MB to 2 GB in size. ETP scans these files after they are downloaded. If ETP detects malware, a threat event is reported.  In the the ETP threat event on the Event Analysis page, you can download a deep scan report in PDF format that includes more detailed information. To use this feature, in a policy, you must enable Inline Payload Analysis and select the Allow and Scan option for large files.

Dynamic malware analysis with Sandbox. Scans files in a secure sandbox environment that’s isolated from your network. In this environment, files are executed and analyzed to determine whether malicious code or activity is detected. This feature:

• Analyzes files that are up to 64 MB in size.  
• Automatically scans files offline (after they are downloaded).
• Publishes a deep scan report in ETP when it detects a threat. You can download the report in PDF format from the corresponding event in ETP. 

To use this feature, in a policy, you must enable Inline Payload Analysis, select the Allow and Scan option for large files, and enable Dynamic Analysis. This feature is available to organizations that are licensed for Advanced Sandbox.  

To try any of these features, contact your Akamai representative. 

Known Issues and Limitations

These limitations apply to this beta release:

• Windows apps are not supported on Windows machines where ETP Client 3.0.4 is installed.
• If a user skips authentication, they are prompted to authenticate every 15 minutes. 
• ETP Client 3.0.4 is not supported on Mac OS X El Capitan.
• If you are setting up Active Directory Federation Services (AD FS) as a third-party SAML identity provider, you must deploy an identity connector and associate it with AD.

These issues are currently known in this beta release: 

Authentication

Issue: When defining the users and groups that can access websites for a blocked AUP category, you must manually enter the user IDs and group names. You cannot provide the username of the user.
Workaround: If you are using a directory service such as Activity Directory, consult the user and group information in your directory service. You can also find the User ID and group name in a Proxy Activity report (Monitoring > Activity).

Identity Providers and Directories

1) Issue: If your organization uses Enterprise Application Access (EAA) or another cloud access solution for enterprise applications, these applications are not accessible when traffic is directed to ETP Proxy.
Workaround: Make sure you enter the domains of your enterprise applications and EAA identity providers in the internal DNS suffixes field of the ETP network configuration.

To do this:

1. In the ETP navigation menu, select Configuration > Utilities.
2. Click the Network Configuration tab.
3. In the DNS suffixes field, enter the full domain of EAA identity providers and enterprise applications.
4. Click Save.

2) Issue: The email address associated with a user in the Cloud Directory is not editable.
Workaround: You can delete the user and add a user with the new email address. If your organization also uses EAA, you can modify the user’s email address in EAA.

3) Issue: When deleting a user in the Cloud Directory, the dialog that confirms the deletion shows inaccurate information about the user’s last login.
Workaround: No workaround is available.   

4) Issue: If a user is deleted from a directory after they authenticate, the user is redirected to the IdP login page 30 minutes after the delete operation occurred.
Workaround: No workaround is available.

5) Issue: Changes to the URL of an identity server in ETP do not take effect for an identity provider that was previously deployed and assigned to a policy. After you deploy the modified identity provider, the change is not recognized by ETP policy.
Workaround: In the policy where this identity provider is assigned, complete these steps:

1. Change the authentication mode to another mode that uses authentication. For example, if this mode is set to Optional, select Require. If this mode is set to Require, select Optional.
2. Save and deploy the policy.
3. Return to the policy.
4. Select the authentication mode that you want to use for the policy.
5. Apply AUP exceptions.
6. Save and deploy the policy.

For detailed instructions on these operations, see the online help.

6) Issue: If you modify an identity provider, you cannot deploy any policy that’s associated with the IdP until the IdP is deployed.
Workaround: Deploy the IdP.

ETP Proxy

1) Issue: A browser error appears to the user when ETP Proxy cannot verify the web server certificate. This occurs if the certificate chain is incomplete or its Certificate Authority (CA) is unknown to Akamai.
Workaround: If users see this error for traffic or websites that you want to allow, add the domain or its IP address to an exception list. Exception lists bypass ETP Proxy. For more information on exception lists, see Exception lists. To create an exception list, see Create an exception list.

2) Issue: Mozilla Firefox on Windows does not use the proxy settings or certificates that are on the system.
Workaround: If you configure proxy chaining to direct traffic to ETP Proxy, make sure you configure the on-premises proxy as a proxy connection in the Firefox browser.  To configure proxy settings in Firefox:

1. Click the Open menu button and select Options. 
2. Navigate to Network Settings and click Settings.
3. In the Connection Settings, select Use system proxy settings.
4. Click OK.

Note: On Windows, make sure that you configure Firefox to recognize the trusted root certificates that are in your enterprise Windows certificate store. For more information, see Enable enterprise trusted root certificate in Firefox and Certificate distribution. 

 ETP Client

1) Issue: Users cannot access the Internet when both these conditions apply:

• ETP Client 3.0.4 forwards all web traffic to ETP Proxy
• Pulse Secure VPN uses proxy server settings
  Workaround: In the VPN  tunneling connection profile of Pulse Secure VPN, make sure you or an IT administrator selects the No proxy server option. For more information on Pulse Secure VPN connection profiles, see documentation for Pulse Secure VPN.

2) Issue: If there are more than 40 DNS suffixes configured in the ETP network configuration, ETP Client may be unable to enter “Your device is protected” mode.
Workaround: Instead of adding these domains or DNS suffixes to an ETP network configuration, create a custom exception list with this data. Exception lists bypass ETP Proxy. For more information on exception lists, see Exception lists. To create an exception list, see Create an exception list.

Enterprise Threat Protector (ETP) now includes these enhancements:

Deploy custom lists in less than 30 seconds. Like other configuration settings in ETP, you can now deploy custom lists in less than 30 seconds.

Migrate quick lists to custom lists. Quick lists are now discontinued. If you configured an Allow or a Deny quick list, you can migrate this data to custom lists. On the Quick Lists page (Configuration > Quick Lists), click the Migrate Quick Lists button to migrate your quick list data to an Allow custom list and a Deny custom list. Migrated quick lists are added to all policies, allowing you to manage these lists as part of a policy configuration. By default, the migrated Allow list is granted the bypass policy action, while the migrated Deny list is assigned the block policy action.

After migrating quick lists, make sure you deploy all pending changes. Once the migration is complete, the Quick List page is no longer available at your next login.

Note: If your organization never configured quick lists, no action is needed. In this case, the Quick Lists page is no longer available from the navigation menu.