Security Connector 2.7.5 is now available and functions as an HTTP Forwarder (beta)

You can now configure Security Connector 2.7.5 as an in-network proxy that forwards web traffic to ETP Proxy. Depending on your network topology or requirements, you can set up HTTP Forwarder as an explicit or transparent proxy.

• Explicit proxy. Configuration where enterprise devices forward web traffic to HTTP Forwarder. This mode requires that you configure HTTP Forwarder as the proxy on user devices. You can create a proxy auto-configuration (PAC) file, or you can use your organization’s management tool to modify the device proxy settings.

• Transparent proxy. Configuration where the router is set to forward web traffic to HTTP Forwarder. An administrator uses policy-based routing rules on their organization’s router to do so. Unlike the explicit proxy, the transparent proxy does not require that you modify settings on user devices.

HTTP Forwarder is currently in beta. Security Connector 2.7.5 also includes a number of bug fixes to DNS Forwarder. These updates are available when you upgrade or deploy version 2.7.5.

EAA Client only - December 2021 Patch release

EAA Client Versions

• EAA Client for Windows: version 2.6.1
• EAA Client for macOS: version 2.6.1
• EAA Client mobile app for iOS: version 2.1.0
• EAA Client mobile app for Android: version 2.1.0

EAA Client Operating System Support.

The EAA Client 2.6.1 adds support to these operating systems: Microsoft Windows 11, Apple macOS 10.12 (Monterey). The EAA Client leverages Rosetta translation so a single binary can be used for both Intel-based and Apple M1-based devices.

Fixed customer bugs.

• EAA Client fixes silent install issues when used with ETP Client.
• EAA Client fetches the correct Carbon Black device ID with Carbon Black sensor version 3.7. on Windows.

Enterprise Threat Protector (ETP) now includes these updates:

• Legacy UI End of Life. The legacy ETP user interface has reached its end of life and is no longer supported. To use ETP, make sure you access Enterprise Center from the Control Center menu. ETP features are available from the Threat Protection menu in the Enterprise Center navigation.

• Local breakout for bypass domains. The Local Breakout for Bypass Domains policy setting directs domains that are configured for bypass from the branch or enterprise network to the origin. This option is enabled by default. Disable this setting if your network does not have a direct route Internet and cannot access the origin.

• Save and deploy your configurations. When configuring or modifying a policy, list, or location, you can now select the Save and Deploy option. This option automatically saves settings and deploys them to the ETP network. While this option allows you to easily deploy a configuration or update, an administrator can still use the Pending Changes list to deploy changes that are saved only.

• TLS 1.3 Support. ETP Proxy now supports TLS 1.3.

• Multi-tenancy. You can give your customers access to ETP without purchasing a separate product license. You can create a tenant for each customer and assign tenant administrators to it. A tenant administrator can create and manage ETP components within their tenant, such as policies, lists, locations, certificates, ETP Clients, and more.

  As a super administrator, you can now:

  • Select the policy that you want copied and applied to the Unidentified Location Policy in the tenant.
  • Select whether the tenant will inherit the error page settings from your configuration of ETP.
  • Delete a tenant. This operation removes all configuration settings and components such as policies, locations, lists, and more. The tenant administrator who was assigned to the tenant is no longer associated with it.

This release also includes these ETP Client updates:

• Enable Walled Garden. The new Walled Garden Exceptions policy setting allows you to block all traffic when ETP Client is in an Unprotected state. This setting blocks all traffic except for the domains and IP addresses that are configured as walled garden exceptions in the ETP network configuration. This setting also makes ETP Client the device web proxy. As a result, Yes is automatically selected in a policy for Overwrite Device Proxy Settings.
• Disable Client. You can enable this setting in a policy to disable the client in the location or locations that are associated with the policy.

ETP Client 3.6.0 is now available

A new version of the ETP desktop client is now available. ETP Client 3.6.0 supports Windows 11 and macOS Monterey. For a full list of supported operating systems, see the ETP documentation.

This update also resolves a security vulnerability and a number of issues, including the following:

• ETP Client reports showed an incorrect status for the client.
• A connectivity issue with ETP Proxy caused it and the client to be completely unresponsive.
• An internal IP request was intercepted by ETP Proxy before it was directed to the enterprise resolver. This issue has been fixed to ensure that internal IP requests are sent directly to the origin.

New navigation and enhanced dashboard now available in Enterprise Center

Enterprise Center now offers a new navigation that organizes features and settings by enterprise product. Enterprise Threat Protector (ETP) administrators can now access all configuration settings and reports from the Threat Protection area of the navigation menu. If your organization is also licensed for the Enterprise Application Access (EAA) or Multi-Factor Authentication (MFA) products, you can access EAA features from the Application Access area of the menu and MFA features from the Multi-Factor Authentication navigation area.

The Enterprise Center dashboard has also been enhanced in this update to let you easily add new, predefined widgets for your enterprise product. For ETP, you can easily create a dashboard that can monitor events, activity, risky applications, application operations, ETP Client downloads, and more. For more information, see the ETP product documentation.

Multi-tenancy is now available in Enterprise Threat Protector (ETP)

With multi-tenancy, a Managed Security Service Provider (MSSP) can give their customers separate access to ETP without purchasing separate product licenses. You can create a tenant for each customer and assign administrators to each tenant. A tenant administrator can create and manage ETP components within their tenant, such as policies, lists, locations, certificates, ETP Clients, and more.

Multi-tenancy can also be used by administrators who want to test new versions of ETP Client and upgrade the client for a specific group of users. You can do this by creating a tenant that represents a group. You may need to create a separate location for these users or consider the policy that’s assigned to the Off-Network ETP Clients location. You can then approve, configure auto-upgrade, and activate ETP Client within that tenant.

For more information on multi-tenancy, see the ETP documentation.

Enterprise Application Access (EAA) November 2021 software release

EAA Client Versions

• EAA Client for Windows: version 2.6.0
• EAA Client for macOS: version 2.6.0
• EAA Client mobile app for iOS: version 2.1.0
• EAA Client mobile app for Android: version 2.1.0

Akamai EAA New Features

Okta SCIM Integration. You can provision users and user group memberships from Okta (AD) to EAA Directory using the System for Cross-domain Identity Management (SCIM) 2.0.

Enterprise DNS request onboarding improvement. The EAA Client intelligently onboards DNS SRV (Service) and DNS PTR (Pointer) requests. DNS SRV (Service) requests are onboarded when the target (hostname) in a request matches a DNS suffix configured in an EAA DNS Application. DNS PTR (Pointer) requests are onboarded when the IP in the request matches the destination IP specified in an EAA Client Application.

New Attributes in Access Logs. Additional attributes have been added to the access logs: Connector IP (clientless access only), Connector ID (clientless access only), Connector Source Port (clientless access only), Device UUID, Access Control that Denied Access, Bytes In and Bytes Out.

Health Monitoring APIs. APIs for connector and application health monitoring are available.

EAA SDK Deprecation. The EAA SDK is being deprecated and support for the EAA SDK will end July 2022. Customers using the EAA SDK should switch to the EAA Open APIs.

Strict validation of SCIM Attribute Mappings. EAA will perform strict validation of attributes that it receives in the SCIM payload. If the SCIM payload has attributes that have not been mapped in the EAA SCIM Directory, then the EAA SCIM service will respond with an error.

EAA Client Operating System Support.

The EAA Client 2.6.0 supports these operating systems: Microsoft Windows 7, current Microsoft supported versions of Windows 10 x86(32-bit) and x64(64-bit), Apple macOS 10.14 (Mojave), 10.15 (Catalina), and 11 (Big Sur). The EAA Client leverages Rosetta translation so a single binary can be used for both Intel-based and Apple M1-based devices.

  Akamai EAA End of Support/Service for EAA Client.

EAA Client version 2.2.0, 2.3.0, 2.3.1 End of Service / Support - From February 28, 2022, Akamai will no longer support EAA Client versions 2.2.0. From April 30, 2022, Akamai will no longer support EAA Client versions 2.3.0 and 2.3.1. These are the last dates to receive any support for these product versions. After these dates, these versions are obsolete and no support will be available.

Product Migration - For customers using EAA Client versions prior to 2.4.0, migrating to newer EAA Client versions, will require the older EAA Client to be uninstalled before the newer EAA Client is installed.

When moving to EAA Client version 2.1.0 and later, a new akamai-device-id is generated. EAA activity reports, Clients overview dashboard, Device Posture dashboard may include old akamai-device-id, resulting in inaccurate statistics until the old akamai-device-id is purged after 90 days. For more information, see Device ID (akamai-device-id) updates with EAA Client installation and upgrades.

EAA and EAA Client limitations.

• EAA SCIM directory does not support password mapping. Users with password attributes configured in Okta are not synced to EAA.
• EAA browser-based RDP application is not compatible with the latest Chrome (Version 94.0.4606.71)
• In EAA, for the Okta SCIM directory, the users displayed include both active and inactive users. Okta doesn’t send delete requests but only deactivates users. This causes a mismatch in the user count between the Okta (SCIM source) and EAA SCIM directory (SCIM target).
• ​If you edit a certificate profile’s name, the previous name may still display on the Device Details page for up to 30 minutes.

Fixed customer bugs.

• User diagnostics had discrepancies while showing user data for a given time range. This has been fixed.
• User diagnostics shows data in bytes, kilobytes, megabytes, and gigabytes correctly.
• The default instance type for the Azure connector is changed to Standard_F4s_v2.
• EAA connector for Azure supports managed disk option.
• Duplicate users are not seen when you change organizational unit (OU) in groups.
• Group membership changes are considered in ACLs (access control list) when used for app access for a SAML identity provider.

New version of ETP mobile client is now available

The Enterprise Threat Protector (ETP) mobile client is now in limited availability and supports bring your own device (BYOD). With BYOD, end users can activate ETP Client on their personal devices without using the enterprise-wide entitlement code.

The following applies in this update:

• After the client is installed, the user is prompted to activate the client with a one-time activation code (OTAC). If the user does not have this code, the client lets users request it. The activation code and a link to activate the client on the device is emailed to the authorized user’s corporate email address.
• To email activation codes, administrators must configure authorized corporate domains in Enterprise Center. Administrators should not provide email domains that are associated with public email providers and therefore, accessible to unauthorized users.
• From Enterprise Center, administrators can send users an email invitation that contains the activation code. Administrators can also choose to generate a CSV file with activation codes and manually distribute these codes to users offline. After the activation codes are generated, they are valid for one week (7 days).
• When generating an OTAC in Enterprise Center, administrators should specify the user’s email address or a user ID in the User’s List. This allows administrators to associate events with the users who trigger them. This email address or user ID appears in the Device Owner dimension that’s available in ETP event and activity reports.
• While users provide an activation code or use the deep link in the email to activate the client on their device, the entitlement code is still supported for administrators. Administrators can enter this code when performing client installations.

The new mobile client version is available for download in the Apple App store and Google Play. For more information on BYOD and distributing the mobile client, see the ETP documentation.

Enterprise Threat Protector (ETP) Client 3.5.0 is now available

A new version of ETP desktop client is now available. This update includes bug fixes, as well as a feature that is in limited availability. Make sure you upgrade clients to this new version. If your enterprise is using version 3.4, upgrade the client or force an automatic upgrade to version 3.5.

This feature is now in limited availability:

• Walled Garden. You can use ETP Client to allow Internet access only to a specific set of domains.

To try this feature, contact your Akamai representative.

Enterprise Threat Protector (ETP) Release, August 18, 2021

The following updates are included in this release:

New Risky Threat Categories. Akamai has added risky categories to the threat settings of a policy. These risky categories include Adware, Coin Mining, Newly Seen Domains, Newly Registered Domains, Potentially Harmful Domains, and DNS Tunneling services. Before this update, risky domains were tracked in a policy setting where administrators could select an action that would send all risky domains to the proxy for scanning. With these new risky categories, you can select an action for each category.

Option to remove a risk level from a policy. When configuring application visibility and control (AVC) and an acceptable use policy (AUP), an administrator can now remove a risk level from the policy configuration.

File hash exception lists. File hash lists are now called file hash exception lists.

Bug fixes and UI enhancements. This release includes updates to the user interface and bug fixes.  
 
Important: The ETP legacy user interface will reach its end of life in December 2021. Please use the new Enterprise Center user interface to complete all your ETP operations.  
 
The following features are currently in beta:

Sub-locations. You can now configure sub-locations for ETP locations. A sub-location can represent different virtual local area networks (VLANs) that are routed to the Internet with the same IP address as the parent location. This feature allows you to apply different policies to your sub-locations and in turn, define more granular access.

Local breakout for bypass domains. The Local Breakout for Bypass Domains setting is enabled by default in a policy to ensure that domains configured in ETP for bypass are directed to the origin from the branch or enterprise network. Disable this option if your network does not have a direct route Internet and cannot access these origins.

Changes to ETP policy logic. These updates include:

• Prioritization of custom exception and block lists. If the domain, IP address, or URL found in a custom block or exception list is also found in Akamai Security lists, the Microsoft 365 list, or in an AUP and AVC configuration, the policy action associated with the custom exception or block list takes priority.

• Updated handling of policy conflicts. In addition to prioritizing the policy action of a custom exception or block list, the following also applies:

  • If the same domain with different suffix lengths is specified in multiple custom lists (for example, in multiple block or exception lists) or in multiple ETP lists (for example, in multiple acceptable use policies), ETP enforces the policy action assigned to the longest address.
  • If the same domain, IP address, or URL is configured in multiple custom lists or in multiple ETP lists with conflicting policy actions, ETP selects the action based on this priority:
    1. Bypass
    2. Block
    3. Monitor
    4. Classify
    5. Allow

 
To try any of these beta features, contact your Akamai representative.