Enterprise Application Access (EAA) 07/26/19 software release

Akamai EAA Client New Features

IPv4-based access for tunnel applications. EAA Client extends zero trust access functionality to access applications defined by IPv4 addresses. 

Captive portal detection. EAA Client detects the presence of captive portals and gracefully reconnects when network connectivity is established. 

On-premises network detection. Based on network policies configured by an EAA administrator, EAA Client can detect if a user is on-premises. In this situation, the client allows direct access to enterprise applications that bypass access through the proxy.

Akamai EAA Client Usability Improvements

Client menu simplification. The EAA Client menu is now more intuitive and includes tooltips to guide end users. The Setting menu provides improved logging capabilities. New settings names and menu organization allows users to complete advanced operations more easily. These operations include checking diagnostics, viewing the network type and status, accessing the synchronize and reset functions, and downloading the latest version of the client software.

Known Limitations

EAA Client

• After you upgrade to the latest version of EAA Client (version 1.3.X), you cannot downgrade to the previous version (version 1.2.X). Rolling back to version 1.2.X requires that you uninstall version 1.3.X and reinstall version 1.2.X of the EAA Client.

• You will not be able to configure the EAA Client from the IdP login portal on a Microsoft EDGE browser. Use alternative browser like Chrome.

• When connecting to a captive portal on a Mac, the captive portal may block all outgoing traffic. In this situation, the client shows that the network type is NONE. EAA Client cannot reliably detect whether the end user is on a public network or a captive portal.

• When the user is connected to both trusted and untrusted networks on two different networks, EAA Client inconsistently detects whether the user is on a trusted network or a public network.

• The identity provider (IdP) name may not appear in the EAA Client. To resolve this issue, quit and restart the EAA Client.

• On macOS, clicking logout in the client may cause all menu options to gray out. To resolve this issue, open the Activity Monitor application in the Utilities folder of the Mac. Select EAA Client and then click the quit icon. In the dialog that appears, select Force Quit.

• When adding multiple IPv4 addresses to a “Tunnel” type application, you are limited to adding a maximum of 214 IPv4 addresses to an application. If you have more than 214 addresses, you must add additional tunnel applications as needed.

Enterprise Application Access

• When accessing an application, an IdP session is not saved between browser tabs on these versions of Microsoft Edge and Internet Explorer: Microsoft EdgeHTML: 17.17134, Microsoft Edge: 42.17134.10, IE: 11.590.17143. If a user opens a new tab in these browsers, they are prompted to enter their Login Portal credentials again.

• When using the Login Portal with a Microsoft Edge or Internet Explorer browser, a user may experience multiple UI issues such as long loading times, the favorite icon (heart symbol) not appearing, and more.

• If you open the print dialog in a remote desktop protocol (RDP) server session and you then click the desktop before making your selections, the dialog may disappear. To workaround this issue, you must open the print dialog again.

• If only DNS server settings are changed in network interfaces, on-premise network monitoring may not detect that the network type has changed from or to a trusted network.

• When there are multiple data centers that have the same network configuration, connectors assigned to these data centers should not be associated to a single tunnel application.

Enterprise Threat Protector (ETP) now includes these features and enhancements:

Exception Lists. An ETP administrator can now create a list with the domains and IP addresses they want directed to the origin without Transport Layer Security (TLS) decryption or ETP protection. An exception list bypasses ETP Proxy. This feature allows your organization to maintain the privacy of users who access trusted websites with sensitive information. Like a custom list, you create an exception list and assign it to a policy configuration.

Bypass action for Exception Lists. When you add an exception list to a policy, the bypass policy action is automatically assigned to the list. This action resolves requests to the origin IP address. If ETP proxy is enabled, the request is not decrypted with TLS. It is sent directly to the destination web server. While no event is logged on the Event Analysis page for bypassed traffic, domains are logged on the Network Traffic tab of the Activity page.

Client Connector now called ETP Client. Client Connector is now called ETP Client. The tab on the Utilities page and the client configuration settings now refer to the new ETP Client name.

Additional threat information is now available in Enterprise Threat Protector (ETP)

ETP administrators and viewers can now:

• View the threat name associated with a threat event.
• Filter threat events by its name and severity level. A Threat Name and Severity dimension is now available for this purpose.
• Search by the threat name on the Indicator Search page. In the search results, this page shows:
  • A description that details how the threat spreads and impacts a network.
  • Other names for the threat
  • Severity level
  • Threat type. For example, if it’s a worm, trojan, malware, or another threat type.
  • External links to resources on the Internet with more information.
  • A graph that illustrates the number of events generated by the threat in the last 24 hours, 7 days, 30 days, and this month.

This feature is currently in beta.

Enterprise Threat Protector (ETP) now includes these features and enhancements:

Security templates now available. An ETP administrator can now apply a security template or a preset template to a policy configuration. This allows administrators to implement best practices when configuring policy actions. It also gives administrators a starting point to defining a policy.

When creating or modifying a policy, you can select one of these templates:

• Strict. Contains settings that block known and most suspected threat categories. This template applies settings that are a best practice for a policy.
• Monitor-only. Logs and reports threats but it does not block them. The Monitor-only template is ideal for testing or assessing policy impact before using the Strict template. This template assigns the monitor policy action to all known and suspected threat categories.
• Custom. Let’s you define policy actions for known and suspected threats.

A security template defines settings for threat categories in the Akamai Security tab only.

Updates to delegated and tenant access. A delegated administrator can now:

• Add email address for communication emails and assign communication emails. A delegated administrator can assign these users to any communication email.
• View Security Connector activity.

A tenant administrator can now:

• Add emails address for communication emails and configure these users to receive communication emails for alerts and system issues.
• Schedule a report.
• View and analyze DNS event data on the Dashboard, Event Analysis, and DNS activity pages.

The data in a scheduled report and on these reporting pages are based on the locations the tenant administrator can access.

Source IP now a dimension for DNS activity: On the DNS tab of the Activity page, you can now report the top source IP addresses that generated DNS requests. Source IP is now available as a dimension or data type in all DNS activity menus.

Client Connector version 2.1.0 now in beta.

With Client Connector 2.1.0, administrators can now configure Client Connector to roll back to the previous approved version. Administrators can also allow end users to uninstall Client Connector on Windows machines. To enable these features, new configuration settings are available in Enterprise Threat Protector (ETP):

• Roll Back Client Connector. When enabled and the previous Client Connector version is approved, this setting automatically rolls back a Client Connector upgrade. Rollback is available with Client Connector version 2.1.0. You cannot roll back to a version that is earlier than 2.1.0.

• Allow Uninstall on Windows. When enabled, end users on Windows machines can uninstall Client Connector. If this setting is disabled, the entitlement code is required to uninstall Client Connector.

Client Connector 2.1.0 also includes these updates:

New “Protected by local network” status. When these specific conditions apply, Client Connector now indicates that a machine is protected by the local network:

1. Client Connector cannot send DNS requests to ETP because outbound UDP port 53 is blocked in the company firewall.
2. The DNS resolver in the local network is configured to forward requests to ETP.

New names for configuration settings. New names are now available in ETP for Client Connector configuration settings. The Enable User Control setting is now called Allow Users to Disable Client Connector. The Enable ETP Client setting is now called Enable Client Connector.

Enterprise Threat Protector (ETP) now includes these features and enhancements:

New Acceptable Use Policy (AUP) categories. New AUP categories are available for administrators to control access to content. These categories include:

• Finance & Investing. Category for websites that allow users to manage finances and investments.
• Healthcare. Category for websites related to human health.
• IP Telephony. Category for websites that allow users to make phone calls through the Internet.

Bypass action for AUP in beta. If ETP Proxy is enabled and your organization takes part in this beta, you can now select the bypass action for each AUP category or subcategory. The bypass action directs traffic to the origin IP address. It also bypasses the ETP proxy and TLS decryption.

Tenant access now available. An ETP super administrator can now enable tenant access and assign the tenant administrator role. This feature can be used by Managed Service Providers (MSP) to restrict and separate access of individual customers. A tenant administrator can:

• create locations, policies, and custom lists
• manage assigned location, policies, and custom lists
• view events and other reporting data based on the locations they can access

A tenant administrator cannot view locations, policies, and custom lists they did not create. They also cannot view other configuration areas of ETP such as the Utilities page. In previous releases, this administrator was called a strict delegated administrator.

New policy settings tab. A Settings tab is now available when creating or modifying a policy. This tab contains settings for ETP Proxy, inline payload analysis, browsing restrictions, and more. On the policy configuration page, these settings were previously part of the right pane that includes the policy name, description, and assigned locations.

Enterprise Threat Protector (ETP) now includes these features and enhancements:

New user interface for a policy. A new user interface is now available for a policy configuration. Administrators can now more easily assign a policy action and the response that’s delivered to users. These changes apply:

• For an Akamai security category and a list in a policy, separate menus are provided to assign an action, the response to users, and a security connector.
• If you select the Block action, you can then select the block type in the Response to User menu. In this menu, you can select Error Page, a specific custom response, or if ETP Proxy is disabled, you can also select Refused Response. These settings allow you to apply the actions that were formerly called Block – Error Page, Custom – Response, and Block – DNS.
• To assign a Security Connector, you select the Block action and the Error Page response. After this is done, you can select a security connector from the Security Connector menu. These settings allow you to apply the action that was formerly called Block – Sinkhole. If you don’t want to assign a Security Connector to an Error Page response, in the Security Connector menu, you can select None.
• The Allow policy action is now available for custom lists and top-level domain (TLD) lists only.
• You can apply the same policy settings to all known and suspected threats associated with an Akamai security category, a custom list, or a TLD list.

For more information about configuring a policy, see the online help.

Security Connector 2.5.0 now in beta. Security Connector version 2.5.0 is now in beta and available for upgrade or download. This version allows your organization to direct malicious HTTP and HTTPS requests to Security Connector. To try version 2.5.0, contact your Akamai representative.

Enterprise Application Access (EAA) 04/05/19 software release

The release includes new features, performance improvements, and bug fixes for EAA and EAA Client Connector products.

New features and performance improvements

EAA Connector migration:

Enterprise Application Access (EAA) connector migration. EAA connectors running on Ubuntu version 18.04 LTS is available for deployment. It provides increased security and better performance. Customers should migrate the connectors to run on Ubuntu 18.04 LTS before August 2019. See Enterprise Application Access Connector Migration for best practices and migration process.

Identity capability improvements:

Responsive Mobile UI for identity provider (IdP). User can login to the IdP login portal from tablet or mobile device for better productivity.

Favorite Apps in login Portal. You can customize EAA login portal by moving the frequently accessed applications to the favorites section of the IdP login portal.

OIDC/Oauth 2.0 for Internal Apps. OpenID Connect 1.0 (OIDC) is a federated protocol that provides an identity layer that is built upon OAuth 2.0. It enables clients (applications or user agents, relying party) to verify the identity of the end user based on the authentication performed by the authorization server, or OpenID provider.

Chase Referral Support for Active Directory (AD). Organizations can have multiple Active Directory (AD) domains for different geographical regions. To sync all of the users in all groups, EAA has the global catalog server option.

Dashboard 2.0 Reports. EAA administrator can drill down to obtain detailed reports by clicking the hyperlinks on the dashboard.

New Splunk app for Admin Events. Splunk app now has access log events as well as admin events.

Access the EAA Management Portal from Control Center. Enterprise Application Access (EAA) Management Portal is accessible from the Control Center. You can manage groups and properties for your Akamai accounts and monitor, configure, resolve, and plan your products from the menu.

Login Portal languages. An EAA administrator can customize the text that appears in the Login Portal’s welcome banner, page title, legal disclaimer, username hint, password change label and new user signup label field. EAA supports text in English, German, French, Spanish, Japanese, Italian and Chinese.

Customize the Login Portal tab name in the browser. User can change the browser tab name for the Login Portal. The default tab name for the login portal of the IdP is Login in the browser window.

EAA Client Connector Enhancements:

Support for Apple Mojave OS. The EAA Client Connector runs on these operating systems (OS): * Microsoft Windows 7 or Windows 10 Enterprise (32-bit and 64-bit) * Apple macOS 10.11 El Capitan, macOS 10.12 Sierra, 10.13 High Sierra, or 10.14 Mojave

See network diagnostics in client skin. The Run Diagnostics function examines the status of the installation, connectivity, components, and configuration downloads from the EAA solution. Green check marks indicate success and red X marks indicate failure.

Save logs to local hard disk. EAA Client Connector allows the end user to save and also send a zipped version of the logs, device ID and version to the EAA administrator. The administrator can provide this information to Akamai support for troubleshooting.

Changes to configuration on-boarding. The configuration is manual to enhance security posture of the client.

Display client logs in Admin portal. The admin can click on View Logs to view all of the log types: INFO, DEBUG, and ERROR. To check a specific type of log, click Level and select the log types you want to view.

Common Interface File System (CIFS) Support. CIFS is supported in EAA Client Connector.

Self-Upgrade of EAA Client Connector. Users can check for updates in the client, and perform a self-upgrade if necessary.

Bug Fixes

Italian Email Notification enhancements. Added Italian language support email and SMS MFA templates.

Discovered apps performance improvements. Discovered apps page in client dashboard has faster performance.

Active Directory (AD) Group Search Improvement. AD group search performance is improved when admin searches for groups. Admins see faster results with less latency.

Software Design Kit (SDK) Improvements. Added all application related functionality, IdP deployment capability to the SDK.

Support for mixed IP environments. This release adds better support for both IPv4 and IPv6 environments. EAA Client Connector will fallback to IPv4, if IPv6 support is incorrectly configured in user network.

Known limitations

• When upgrading EAA Client Connector from beta to LA release (retaining the configuration), IdP page shows “reconfigure” as an option because IdP tokens have changed. It is a benign condition. This status will remain on the IdP page until the user clicks the reconfigure option and gets the new IdP token added for the LA release.This does not affect new seeding or configuration.
• When client is in disconnected state, status of the IdP page on first refresh incorrectly says “client is not installed”, the second refresh displays the right status that “client is not running”.
• When configuring the EAA Client Connector for the first time, clicking the diagnostics button may result in a configuration error while the TCP apps being configured. This is because EAA Client Connector diagnostics does not distinguish TCP with tunnel apps. As soon as all the tcp apps configured are started, all checks in diagnostics will become green. This only affects first time configuration.
• Changing MFA Helpdesk email: When the helpdesk email option is changed in System - Settings (for MFA), only the default IdP prompts to redeploy.  Any other IdP’s that have MFA enabled do not prompt “Ready for Deployment”. These can be deployed manually, but this may cause confusion for customers.
• IdP Configuring max session duration: When max session duration is configured to be less than Idle expiry – IdP deployment will fail.
• IdP portal rendering issues: When logged in user resizes the IdP portal browser window, users may experience these issues: a) EAA client download button will disappear. b) MFA registration buttons won’t work. c) User account actions such as ‘account settings, logout and change password’ will come as mobile browser.
• EAA Client Connector upgrade on Windows 7 or Windows 10: When trying to reinstall EAA Client Connector on an existing installation, upgrade may fail in cases with this error:  “There has been an error. Could not kill process with pid [pid]”. This is due to Windows OS locking the old processes. Work around is to try again and re-run the upgrade of EAA Client Connector.
• EAA Client Connector and IdP interaction: If the user closes the auth form by mistake during the authentication, user then has click re-authenticate/sync button.
• IdP default POP and configuration: When admin changes POP of the default IdP instance, corresponding directory configuration won’t be deployed the newly selected IdP POP. Customer admins can reach out Akamai support to correct the problem.
• EAA Client Connector does not support domains that use non-ASCII characters (EAAC003)
• EAA Client Connector intercepts traffic based on fully qualified domain names (FQDN) only (EAAC005)
• EAA Client Connector user interface language only supports English (EAAC012)
• EAA Client Connector may not work with forward proxies in the network (EAAC013)
• EAA Client Connector does not support Kerberos authentication (EAAC014)
• EAA Client Connector does not support Service Records (SRV) in a Domain Name System (DNS). Applications like Microsoft Exchange, which rely on this, require a VPN or corporate network.The EAA Client Connector can then access the application (EAAC022)
• EAA Client Connector does not support Extensible Messaging and Presence Protocol (XMPP) in DNS. The Pidgin application, which relies on this, requires a VPN or corporate network for this initial setup. The EAA Client Connector can then access the application (EAAC023). 
• File transfer protocol (FTP) does not work with EAA Client Connector. To work around this issue, modify the FTP server settings to select an external IP address of the firewall (or server external IP address). Provide an unroutable loopback IP like 127.50.100.1. Now the FTP client can use the server hostname instead of IP (EAAC024). 
• Client-access applications are not supported with docker-based connectors. (EAAC025)
• EAA Client Connector is not supported on macOS 10.13 High Sierra with case- sensitive Apple File System (APFS) (EAAC026)
• When an ACL rule is set to deny a user access to a client-access application, and if that user tries to access the application, the EAA Client Connector will only update the denied user’s eeaclient.log with a generic 403 error message (EAAC027)
• For tunnel-type client-access applications, if the application server is running multiple applications on the same IP address, same port, and using the same protocol, the access control list (ACL) rules might not be applied reliably and there is a vulnerability (EAAC028)
• VoIP applications like Skype have not been tested on EAA Client Connector and may have performance issues (EAAC029)
• EAA Client Connector will not work when Nmap Project’s packet sniffing (and sending) library (NPCAP) loopback adaptor is installed on a Windows machine (EAAC035). 
• The macOS firewall rule allowing EAA Client Connector traffic may be removed on Mac machines. When the machine reboots, users need to click Allow when prompted to accept incoming connections (EAAC037). 
• When you first install the EAA Client Connector on Windows, a Windows Security dialog prompts to install the network TAP driver. Click Install. Silent installation may be impacted by this limitation. To resolve the issue, deploy the TAP driver certificate before the silent install command line (EAAC040).
• EAA Client Connector zipped log files contains an empty akamai_dpclient.log. It can be ignored by user. (EAAC041)

Client Connector version 2.0.5 is now available

If you previously installed version 2.0.4 on end-user machines, you can upgrade Client Connector to version 2.0.5 or allow end users to upgrade the software. This new version of Client Connector is also available for download in Enterprise Threat Protector.

Version 2.0.5 includes:

New diagnostic tool. In the advanced Client Connector settings, end users can run the diagnostic tool to create a file that’s used by Akamai Support for troubleshooting purposes. The compressed or archive file contains logs, details of DNS queries, system configuration information, and network connection data. An IT administrator provides this file to Akamai Support when there’s an issue with Client Connector.
Minor bug fixes. This update resolves minor bugs in Client Connector version 2.0.4.

Enterprise Threat Protector (ETP) now includes these features and enhancements:

New CSV files available for locations. On the Locations page, an administrator can now download a CSV file that lists all locations. An administrator can also now delete many locations in one operation by uploading a CSV that contains the locations they want to delete.

Custom list assignment for delegated and strict delegated administrators. A super administrator can now assign custom lists to a delegated administrator or a strict delegated administrator.

A delegated administrator can:

• create new custom lists
• manage the custom lists that are assigned to them
• associate these custom lists to a policy that they created or are allowed to manage

A strict delegated administrator can perform these operations as well. However, they cannot view the custom lists that they do not have permission to manage.

New user interface for scheduled reports. Administrators can now more easily create and manage settings associated with scheduled reports.

Dynamic DNS for locations (limited availability). Location page now indicates when the dynamic DNS domain associated with a location configuration is invalid or does not resolve to a valid IP address. If an administrator or ETP user is configured to receive communication emails about system issues, an administrator receives an email that lists locations with invalid DNS entries. An administrator can also generate a CSV that shows locations with these errors.

This feature continues to be in limited availability. For more information, contact your Akamai representative.