Enterprise Threat Protector (ETP) now includes these features and enhancements:

New user interface for a policy. A new user interface is now available for a policy configuration. Administrators can now more easily assign a policy action and the response that’s delivered to users. These changes apply:

• For an Akamai security category and a list in a policy, separate menus are provided to assign an action, the response to users, and a security connector.
• If you select the Block action, you can then select the block type in the Response to User menu. In this menu, you can select Error Page, a specific custom response, or if ETP Proxy is disabled, you can also select Refused Response. These settings allow you to apply the actions that were formerly called Block – Error Page, Custom – Response, and Block – DNS.
• To assign a Security Connector, you select the Block action and the Error Page response. After this is done, you can select a security connector from the Security Connector menu. These settings allow you to apply the action that was formerly called Block – Sinkhole. If you don’t want to assign a Security Connector to an Error Page response, in the Security Connector menu, you can select None.
• The Allow policy action is now available for custom lists and top-level domain (TLD) lists only.
• You can apply the same policy settings to all known and suspected threats associated with an Akamai security category, a custom list, or a TLD list.

For more information about configuring a policy, see the online help.

Security Connector 2.5.0 now in beta. Security Connector version 2.5.0 is now in beta and available for upgrade or download. This version allows your organization to direct malicious HTTP and HTTPS requests to Security Connector. To try version 2.5.0, contact your Akamai representative.

Enterprise Application Access (EAA) 04/05/19 software release

The release includes new features, performance improvements, and bug fixes for EAA and EAA Client Connector products.

New features and performance improvements

EAA Connector migration:

Enterprise Application Access (EAA) connector migration. EAA connectors running on Ubuntu version 18.04 LTS is available for deployment. Akamai is requesting customers to upgrade the connectors to this release for increased security and better performance. Connectors running on Ubuntu version 14.04 LTS will be end-of-life on April 30, 2019. After this date, no security patches will be available. See Enterprise Application Access Connector Migration for best practices and migration process.

Identity capability improvements:

Responsive Mobile UI for identity provider (IdP). User can login to the IdP login portal from tablet or mobile device for better productivity.

Favorite Apps in login Portal. You can customize EAA login portal by moving the frequently accessed applications to the favorites section of the IdP login portal.

OIDC/Oauth 2.0 for Internal Apps. OpenID Connect 1.0 (OIDC) is a federated protocol that provides an identity layer that is built upon OAuth 2.0. It enables clients (applications or user agents, relying party) to verify the identity of the end user based on the authentication performed by the authorization server, or OpenID provider.

Chase Referral Support for Active Directory (AD). Organizations can have multiple Active Directory (AD) domains for different geographical regions. To sync all of the users in all groups, EAA has the global catalog server option.

Dashboard 2.0 Reports. EAA administrator can drill down to obtain detailed reports by clicking the hyperlinks on the dashboard.

New Splunk app for Admin Events. Splunk app now has access log events as well as admin events.

Access the EAA Management Portal from Control Center. Enterprise Application Access (EAA) Management Portal is accessible from the Control Center. You can manage groups and properties for your Akamai accounts and monitor, configure, resolve, and plan your products from the menu.

Login Portal languages. An EAA administrator can customize the text that appears in the Login Portal’s welcome banner, page title, legal disclaimer, username hint, password change label and new user signup label field. EAA supports text in English, German, French, Spanish, Japanese, Italian and Chinese.

Customize the Login Portal tab name in the browser. User can change the browser tab name for the Login Portal. The default tab name for the login portal of the IdP is Login in the browser window.

EAA Client Connector Enhancements:

Support for Apple Mojave OS. The EAA Client Connector runs on these operating systems (OS): * Microsoft Windows 7 or Windows 10 Enterprise (32-bit and 64-bit) * Apple macOS 10.11 El Capitan, macOS 10.12 Sierra, 10.13 High Sierra, or 10.14 Mojave

See network diagnostics in client skin. The Run Diagnostics function examines the status of the installation, connectivity, components, and configuration downloads from the EAA solution. Green check marks indicate success and red X marks indicate failure.

Save logs to local hard disk. EAA Client Connector allows the end user to save and also send a zipped version of the logs, device ID and version to the EAA administrator. The administrator can provide this information to Akamai support for troubleshooting.

Changes to configuration on-boarding. The configuration is manual to enhance security posture of the client.

Display client logs in Admin portal. The admin can click on View Logs to view all of the log types: INFO, DEBUG, and ERROR. To check a specific type of log, click Level and select the log types you want to view.

Common Interface File System (CIFS) Support. CIFS is supported in EAA Client Connector.

Self-Upgrade of EAA Client Connector. Users can check for updates in the client, and perform a self-upgrade if necessary.

Bug Fixes

Italian Email Notification enhancements. Added Italian language support email and SMS MFA templates.

Discovered apps performance improvements. Discovered apps page in client dashboard has faster performance.

Active Directory (AD) Group Search Improvement. AD group search performance is improved when admin searches for groups. Admins see faster results with less latency.

Software Design Kit (SDK) Improvements. Added all application related functionality, IdP deployment capability to the SDK.

Support for mixed IP environments. This release adds better support for both IPv4 and IPv6 environments. EAA Client Connector will fallback to IPv4, if IPv6 support is incorrectly configured in user network.

Known limitations

• When upgrading EAA Client Connector from beta to LA release (retaining the configuration), IdP page shows “reconfigure” as an option because IdP tokens have changed. It is a benign condition. This status will remain on the IdP page until the user clicks the reconfigure option and gets the new IdP token added for the LA release.This does not affect new seeding or configuration.
• When client is in disconnected state, status of the IdP page on first refresh incorrectly says “client is not installed”, the second refresh displays the right status that “client is not running”.
• When configuring the EAA Client Connector for the first time, clicking the diagnostics button may result in a configuration error while the TCP apps being configured. This is because EAA Client Connector diagnostics does not distinguish TCP with tunnel apps. As soon as all the tcp apps configured are started, all checks in diagnostics will become green. This only affects first time configuration.
• Changing MFA Helpdesk email: When the helpdesk email option is changed in System - Settings (for MFA), only the default IdP prompts to redeploy.  Any other IdP’s that have MFA enabled do not prompt “Ready for Deployment”. These can be deployed manually, but this may cause confusion for customers.
• IdP Configuring max session duration: When max session duration is configured to be less than Idle expiry – IdP deployment will fail.
• IdP portal rendering issues: When logged in user resizes the IdP portal browser window, users may experience these issues: a) EAA client download button will disappear. b) MFA registration buttons won’t work. c) User account actions such as ‘account settings, logout and change password’ will come as mobile browser.
• EAA Client Connector upgrade on Windows 7 or Windows 10: When trying to reinstall EAA Client Connector on an existing installation, upgrade may fail in cases with this error:  “There has been an error. Could not kill process with pid [pid]”. This is due to Windows OS locking the old processes. Work around is to try again and re-run the upgrade of EAA Client Connector.
• EAA Client Connector and IdP interaction: If the user closes the auth form by mistake during the authentication, user then has click re-authenticate/sync button.
• IdP default POP and configuration: When admin changes POP of the default IdP instance, corresponding directory configuration won’t be deployed the newly selected IdP POP. Customer admins can reach out Akamai support to correct the problem.
• EAA Client Connector does not support domains that use non-ASCII characters (EAAC003)
• EAA Client Connector intercepts traffic based on fully qualified domain names (FQDN) only (EAAC005)
• EAA Client Connector user interface language only supports English (EAAC012)
• EAA Client Connector may not work with forward proxies in the network (EAAC013)
• EAA Client Connector does not support Kerberos authentication (EAAC014)
• EAA Client Connector does not support Service Records (SRV) in a Domain Name System (DNS). Applications like Microsoft Exchange, which rely on this, require a VPN or corporate network.The EAA Client Connector can then access the application (EAAC022)
• EAA Client Connector does not support Extensible Messaging and Presence Protocol (XMPP) in DNS. The Pidgin application, which relies on this, requires a VPN or corporate network for this initial setup. The EAA Client Connector can then access the application (EAAC023). 
• File transfer protocol (FTP) does not work with EAA Client Connector. To work around this issue, modify the FTP server settings to select an external IP address of the firewall (or server external IP address). Provide an unroutable loopback IP like 127.50.100.1. Now the FTP client can use the server hostname instead of IP (EAAC024). 
• Client-access applications are not supported with docker-based connectors. (EAAC025)
• EAA Client Connector is not supported on macOS 10.13 High Sierra with case- sensitive Apple File System (APFS) (EAAC026)
• When an ACL rule is set to deny a user access to a client-access application, and if that user tries to access the application, the EAA Client Connector will only update the denied user’s eeaclient.log with a generic 403 error message (EAAC027)
• For tunnel-type client-access applications, if the application server is running multiple applications on the same IP address, same port, and using the same protocol, the access control list (ACL) rules might not be applied reliably and there is a vulnerability (EAAC028)
• VoIP applications like Skype have not been tested on EAA Client Connector and may have performance issues (EAAC029)
• EAA Client Connector will not work when Nmap Project’s packet sniffing (and sending) library (NPCAP) loopback adaptor is installed on a Windows machine (EAAC035). 
• The macOS firewall rule allowing EAA Client Connector traffic may be removed on Mac machines. When the machine reboots, users need to click Allow when prompted to accept incoming connections (EAAC037). 
• When you first install the EAA Client Connector on Windows, a Windows Security dialog prompts to install the network TAP driver. Click Install. Silent installation may be impacted by this limitation. To resolve the issue, deploy the TAP driver certificate before the silent install command line (EAAC040).
• EAA Client Connector zipped log files contains an empty akamai_dpclient.log. It can be ignored by user. (EAAC041)

Client Connector version 2.0.5 is now available

If you previously installed version 2.0.4 on end-user machines, you can upgrade Client Connector to version 2.0.5 or allow end users to upgrade the software. This new version of Client Connector is also available for download in Enterprise Threat Protector.

Version 2.0.5 includes:

New diagnostic tool. In the advanced Client Connector settings, end users can run the diagnostic tool to create a file that’s used by Akamai Support for troubleshooting purposes. The compressed or archive file contains logs, details of DNS queries, system configuration information, and network connection data. An IT administrator provides this file to Akamai Support when there’s an issue with Client Connector.
Minor bug fixes. This update resolves minor bugs in Client Connector version 2.0.4.

Enterprise Threat Protector (ETP) now includes these features and enhancements:

New CSV files available for locations. On the Locations page, an administrator can now download a CSV file that lists all locations. An administrator can also now delete many locations in one operation by uploading a CSV that contains the locations they want to delete.

Custom list assignment for delegated and strict delegated administrators. A super administrator can now assign custom lists to a delegated administrator or a strict delegated administrator.

A delegated administrator can:

• create new custom lists
• manage the custom lists that are assigned to them
• associate these custom lists to a policy that they created or are allowed to manage

A strict delegated administrator can perform these operations as well. However, they cannot view the custom lists that they do not have permission to manage.

New user interface for scheduled reports. Administrators can now more easily create and manage settings associated with scheduled reports.

Dynamic DNS for locations (limited availability). Location page now indicates when the dynamic DNS domain associated with a location configuration is invalid or does not resolve to a valid IP address. If an administrator or ETP user is configured to receive communication emails about system issues, an administrator receives an email that lists locations with invalid DNS entries. An administrator can also generate a CSV that shows locations with these errors.

This feature continues to be in limited availability. For more information, contact your Akamai representative.

Enterprise Threat Protector (ETP) now includes these features and enhancements:

Update to custom lists in a policy. All custom and top-level domains lists are no longer included in a policy configuration by default. Administrators can now assign individual lists to a policy.

New user interface for Custom Lists. A new user interface is available on the Custom Lists page (Configuration > Lists). In the new design, administrators can now associate domains and IP addresses to a custom list when creating the list. Likewise, administrators can now add top-level domains when creating a top-level domains list.

Strict delegated access. When enabled for an organization, an ETP super administrator can assign a strict delegated administrator role and the locations and policies the delegated administrator is allowed to manage. A delegated administrator with restricted access can:

• create locations and policies
• manage assigned location and policies
• view events and other reporting data based on the locations and policies they can access

A strict delegated administrator cannot view locations and policies they did not create. They also cannot view other configuration areas of the product such as the Utilities page.

Support for dynamic DNS in limited availability. Dynamic DNS for a location configuration is now in limited availability. When enabled for an organization, an administrator can configure a location with a persistent DNS hostname that resolves to dynamic IP addresses. To enable this feature, contact your Akamai representative.

Enterprise Threat Protector now protects your network from threats that target HTTP and HTTPS traffic

These features are available:

• ETP Proxy. Proxy server that intercepts suspicious HTTP and HTTPS traffic, examines the full URL in a request, and determines which websites are safe for end users to access. You can enable this feature in a policy configuration (Configuration > Policies). When ETP Proxy is enabled, you can select an action for risky domains and file sharing domains. Risky domains are domains that may be a threat because they are newly registered or discovered. File sharing domains are domains for file sharing applications or services.

• URL-based Threat Intelligence. ETP Proxy inspects the URL and, based on the policy configuration, blocks traffic that’s known to be a security threat. ETP can block traffic to a specific URL without blocking the entire domain. A new Classify policy action is also available for custom lists, risky domains, and file sharing domains. When a threat is detected, the Classify action assigns the corresponding policy action in the Akamai Security tab.

• HTTPS Traffic Analysis. ETP Proxy requires that you create an Akamai certificate or generate a certificate signing request that’s signed by your organization’s certificate authority (CA). These certificates function as TLS certificates for the ETP proxy to intercept suspicious traffic. If you are creating an Akamai certificate, you must install the root certificate on end-user machines. The certificate feature is available on the Utilities page (Configuration > Utilities > Certificates).

• Inline Payload Analysis. Feature offered with ETP Advanced Threat that enables ETP Proxy to scan downloadable content on a risky website or in a file sharing application. Multiple static analysis engines are used to scan documents and executables for zero-day threats and other attacks that are typically undetected by antivirus engines.

• New Reporting pages. New pages are available for reviewing ETP Proxy activity (Monitoring > Activity > Proxy) and network traffic that’s directed to ETP (Monitoring > Activity > Network Traffic).

• New Acceptable Use Policy (AUP). New categories and detailed subcategories are available in a policy configuration for administrators to control access to websites or specific website content.

Enterprise Application Access (EAA) 10/26/18 software release

The release includes new features, performance improvements, and EAA component bug fixes.

New features and performance improvements

User experience improvements: Login Portal (end-user) customization

  Italian Language support. The end-user portal can be configured to display content in Italian. Once enabled, the browser’s language settings are used to determine the language being displayed, and users can override the language being selected.

Customization for help desk email addresses. The help desk email address found under EAA Management Portal > System > Settings can be customized to any address the organization chooses and all references to help desk will point to the new address provided.

Organization name customization in MFA notifications. All MFA notifications are sent from “Akamai” today. This release will provide customers with the capability to customize the Organization name presented in MFA notifications.

URL for new user sign up. An optional field can be exposed in the end-user Login Portal that allows EAA administrators to customize the URL for new users to sign up.

Customization for application headers. EAA supports sending LDAP attributes as a custom header for applications.

Email Notification On/Off. EAA supports the ability to toggle system email notifications on or off from the EAA Management Portal.

Identity capability improvements

Support for Integrated Windows Authentication (IWA). IWA allows end users to single sign on to their apps by virtue of logging into their device (desktop SSO). This feature can be leveraged when users are on a trusted network. EAA supports multiple operational modes for IWA.

Authentication only based on client certificates. Provides an SSO-like experience without the need of username and passwords. Users are logged into the IdP on presenting a valid certificate.

WS-Federation with SAML 1.1 support. WS-Federation and SAML 1.1 support facilitates SAML authentication to Sharepoint.

Multi-auth support per PCI-DSS guidance. PCI-DSS 3.2 defines multi-auth capability to require traversal through all factors of authentication before a success or failure is revealed at login. EAA supports multi-auth as part of the TOTP based mutli-factor authentication workflow, which provides additional protection against brute force attacks.

Enhancements with third party IdP integration using EAA’s identity access aware capabilities

Support for EAA user workplace with third party IdP (eg.Shibboleth). EAA admins can present the EAA user workspace in conjunction with third party IdPs.

Authorization for third party IdP. Ability to leverage group information in policies when using third party IdPs, and an updated IdP deployment workflow.

EAA Management Portal Dashboard enhancements

The new dashboard provides a tiled view with actionable widgets. New tiles include OS/Browser distribution, login failure details, and user activity details.

Application off-loading when on trusted (on-prem) networks

Allows customers to define trusted networks on the basis of subnets within the IdP. When traffic comes in from a user inside a trusted network, admins can optionally allow the data path to flow directly through without being proxied via EAA. In such scenarios, EAA will still handle the authentication flow.

SIEM updates

Expanded information is provided to Splunk via the EAA Splunk app. Updates include information on response times, login event details, and resource IDs. There is no change required on the Splunk application available on Splunkbase.

Reporting enhancements

EAA users can query for a report without selecting any query parameters. EAA supports these new preset reports,

• Applications Accessed
• Applications Failed login
• Login Failure Details
• Unique Users Count

Known limitations

Italian Language Support. The EAA remote-desktop aide and EAA Management Portal will continue to display content in English regardless of language selection.

Application Templates. SaaS apps cannot have profiles assigned at this time. Only access applications can have profiles assigned.

Certificate Limitations. When an existing CA certificate is updated, applications using this certificate are not marked for deployment.

Application Off-loading when on trusted (on-prem) networks. Only web applications are supported at this time; VNC/RDP/SSH application profiles are not currently supported.

Report enhancements. IdP URL will not be shown for the Applications Accessed and Applications Failed preset reports.

IWA Error. If a user performs a save on the Advanced Settings page and goes to the deployment page they may receive an error on the IWA field if there are changes to another previously enabled IWA. The work-around is to hard-reload the browser to clear the error.

Bug fixes

These bugs were addressed and resolved in this release,

Text and displays in the EAA Management Portal

• Increased the size of the the external hostname configuration field in the  EAA Management Portal > Preview Configuration tab.
• Status tab is now Diagnostics
• Moved the sync option in the ‘Status’ tab to the ‘Advanced’ tab
• Removed the ‘Diagnostic Tools’ from the tray
• Reduced the size of the window on the EAA Management Portal > Settings page

InstallBuilder Package Code

Added support for InstallBuilder Package Code signing for MacOS and Windows 64 bit.

Client Connector version 2.0.4 is now in beta and available for download. This version of Client Connector protects end-user machines that are on or off the corporate network.

If your organization previously installed version 1.3.1, you can upgrade to 2.0.4. To download and test 2.0.4:

1. In the Enterprise Threat Protector (ETP) navigation menu, select Configuration > Utilities.
2. Click the Client Connector tab.
3. From the Versions Management tab, hover over Client Connector version 2.0.4 for a Windows or Mac operating system and click the download icon.

After testing and approving the connector, an administrator can choose to force an upgrade on end-user machines or allow end users to initiate an upgrade. For more information, see the ETP online help or the Enterprise Threat Protector Client Connector Configuration Guide.

In a policy configuration, new categories and detailed subcategories are available for ETP administrators to control the websites and content that end users can access in the corporate network.

ETP now includes a new and improved user interface when configuring or modifying a location or policy. On the Locations or Policies pages, administrators can also now search for locations or policies.

Client Connector area of the Utilities page now includes a new Reports subtab that contains more data about Client Connectors. In addition to pie charts that show errors and installed Client Connectors, a table is now available to show device information, software version, and the current status of installed Client Connectors. Administrators can also filter this data based on time, such as the most current data or data that was reported in the last day or month.

ETP super administrators can now assign the delegated administrator role to ETP users. When enabled for your organization, this feature is available from the Delegated Access tab on the Utilities page (Configuration > Utilities). To enable this feature, contact your Akamai representative.

ETP super administrators can now assign specific locations to alert notification recipients. This allows administrators to define the locations that these recipients can receive information about. When enabled, this feature is available from the Communication tab of the Utilities page (Configuration > Utilities). To enable this feature, contact your Akamai representative.

When ETP Proxy is enabled, you can select to allow or examine risky domains and file sharing domains. Risky domains are domains that may be a threat because they are newly registered or discovered. File sharing domains are domains of file sharing applications or services. You can select to Allow or Classify traffic to these domains.

The Classify action examines the full URL of a request. If a threat is discovered, a corresponding threat category is assigned to the URL. You can assign the Classify action to custom lists, risky domains, and file sharing domains.

ETP Proxy requires that you create an Akamai certificate or generate a certificate signing request to submit a subordinate certificate that’s signed by your organization’s certificate authority (CA). These certificates function as TLS certificates for the ETP proxy to intercept suspicious traffic. ETP now allows you to generate and submit certificates in binary (.der) format.

If ETP Proxy is enabled, administrators can select different logging levels to define some of the data that’s reported for HTTP or HTTPS traffic in ETP. This setting is available in a policy configuration. The default logging mode provides details that’s most helpful for investigating events.

ETP now includes a delegated administrator role. After this role is assigned to a user in Luna Control Center, an ETP super administrator can grant a delegated administrator access to specific locations and policies, allowing the delegated administrator to manage assigned locations and policies.

A delegated administrator can:  

• Add new locations and policies
• Deploy configuration changes that they applied or were applied to the locations and policies they manage
• View settings associated with most configuration features in ETP, such as custom lists and quick lists
• Schedule a report. Report results show data based on locations a delegated administrator can access
• View and analyze event and activity data based on assigned locations
• Download Client Connector and view reporting data that’s associated with Client Connector installations
• Grant or revoke Akamai Support Access

An ETP super administrator can assign a delegated administrator access to locations or policies on the new Delegated Access tab of the Utilities page (Configuration > Utilities). This tab is available to ETP super administrators only.

A new deploy window is available for configuration changes that are pending deployment. Prior to this release, there were different deployment options for custom lists, quick lists, policies, and locations. In this release, a Pending Changes tab is available on the right side of the configuration pages. ETP administrators click this tab to view all submitted configuration changes that are not yet deployed to the ETP network. Administrators can select specific changes they want to deploy or they can deploy all changes. Information about changes is also listed, such as what changed and who made the change.  The Pending Changes window also offers:

• A revert option to undo or delete a pending change. Any change that is reverted returns a configuration to its last deployed state.
• When deploying a change, administrators can comment on the changes they are deploying. These comments appear in the new Deployment History tab on the Utilities page.

ETP now allows super administrators to rotate a Client Connector entitlement code in case the original entitlement code is compromised. If alerts are detected within a five minute period of sending out an alert notification, users are now notified about these additional alerts after the five minutes. Prior to this release, users were not notified about the alerts that occurred during this period.  The ETP reporting pages include the following improvements:

• Filter Editor now appears at the top of page when a user scrolls past it. This ensures that Filter settings are always accessible to users who are analyzing data on the Event Analysis and Activity pages.
• Report viewers can filter data based on whether there is a correlation between security connector events and threat events.
• A menu with convenient options is available from certain fields on the Event Details window. For example, if a user clicks a Resolved IP address,  a menu appears with actions for this data such as adding the IP address to the Include filter.
• New Detection Method dimension is available to show events that were detected at the time of access (inline) or were discovered later in log data based on behavior (lookback).