Enhancement:

• Selective application of “SameSite” cookie attributes.  We recently enhanced the AMD Cookie-based Token Authentication functionality to maintain compatibility with Google’s updates to their SameSite Cookie attribute, with Chrome version 80 and later. With this new change, Akamai is more selective when explicitly setting the “SameSite=None” and “Secure” attributes for token cookies. Akamai identifies cross-site requests by looking for the presence of the “Origin” header and sets the “SameSite=None” and “Secure” attributes only if this request header is present.

Script Management Updates

• Renamed the Go To Testing button to Test suggestions and added it to the Dashboard to enable direct access to the functionality. 
• The transfer size of scripts now displays as KBs if the size is greater than 1024 bytes. 

The latest update for the Case Management release includes:

• Indirect customer using the Prolexic product can now view and update managed security support cases.
• Bug fixes.

Enhancements in Identity and Access Management Application

• If the account administrator updates the account’s max inactivity policy for users to a more restrictive one, users that have not logged into Akamai Control Center that would be marked as inactive according to the new policy will be given an extension of 10 days to log into Akamai Control Center.
• The role “IDM: Settings - Admin Access” has been removed from Identity Management as it was not in use. 
• A new role “IDM: Resource Manager - Read Only Access” is now available and allows users with this role to see the resources tab in read-only version.
• You can now transfer ownership of API clients that may be attached to inactive users.
• Some bug fixes.

Enterprise Threat Protector (ETP) Secure Web Gateway (SWG) now in beta

Features

ETP SWG performs URL filtering and anti-malware scanning on all web traffic. It’s available with any one of these features:

• Proxy chaining. Allows you to forward all web traffic from your existing on-premises proxy server to ETP.  You can enable this feature with the new Enable Forward Proxy and the Trust XFF Header policy settings. The proxy host information that you use to configure traffic forwarding from the on-premises proxy to ETP is shown in the ETP policy. 
• ETP Client 3.0.4. New version of the client that allows you to forward web traffic from user machines to ETP. You can configure ETP Client as a local web proxy on the user’s machine. The client also supports networks that split internal traffic from external web traffic and use an on-premises proxy. Depending on your ETP license, you can also configure ETP Client to forward only DNS and risky web traffic.

This beta also offers these features:

Authentication policy. An authentication policy defines the users or user groups that can access websites in an acceptable use policy (AUP) after they authenticate. You can require that users authenticate before accessing a website or you can make authentication optional.  If a user is authenticated, then all web requests are logged in the Proxy Activity report (Monitoring > Activity) with username, group information, and the machine IP address. If a user does not authenticate, the username and group information are not logged. To implement authentication, you must set up: 

• Identity providers. A service that creates, manages, and saves user and group identity information for authentication.  You can create an identity provider (IdP) or integrate a third-party IdP such as Okta, PingOne, and Active Directory Federation Services (AD FS).  In an IdP configuration, you can enable multi-factor authentication, define sessions settings, design the login page, and more.

  Note: If your organization is licensed for Enterprise Application Access (EAA), you can use your existing IdP configuration in ETP. In this situation, make sure you manage the IdP configuration in EAA. Do not modify these settings in the ETP UI to avoid conflicting configuration changes.

• Directories. A service that your enterprise uses to manage users and user groups. You must associate a directory to an IdP. The following directory services are supported: 
  • Active Directory
  • Lightweight Directory Access Protocol (LDAP)
  • Active Directory Lightweight Directory Services (AD LDS)

  ETP also offers Cloud Directory, an internal Akamai directory that you can use for testing purposes only. 

  The Identity Provider and Directory configuration pages in ETP are available from a new area of the navigation menu called Identity. 

• Identity connectors (Optional). If your directory service is located in a data center that’s not accessible from the Internet, you can deploy an identity connector to grant IdP access to the directory. An identity connector is a virtual appliance that you download from the Utilities page in ETP and deploy behind the firewall in your data centers or hybrid cloud environments.

Proxy Activity. New Proxy Activity tab on the Activity page reports traffic that’s directed to ETP Proxy. You can view data about traffic and events, including the username of the user who made the request, the internal IP address of the user’s machine, and the applied policy action.

DNS Activity. New DNS Activity tab on the Activity page reports DNS traffic that’s directed to ETP. You can view detailed data about traffic such as applied policy action and the internal client IP address. This tab allows administrators to investigate suspicious activity and review requests to a specific domain.

Static malware analysis for large files. Allows ETP to scan files that are 5 MB to 2 GB in size. ETP scans these files after they are downloaded. If ETP detects malware, a threat event is reported.  In the the ETP threat event on the Event Analysis page, you can download a deep scan report in PDF format that includes more detailed information. To use this feature, in a policy, you must enable Inline Payload Analysis and select the Allow and Scan option for large files.

Dynamic malware analysis with Sandbox. Scans files in a secure sandbox environment that’s isolated from your network. In this environment, files are executed and analyzed to determine whether malicious code or activity is detected. This feature:

• Analyzes files that are up to 64 MB in size.  
• Automatically scans files offline (after they are downloaded).
• Publishes a deep scan report in ETP when it detects a threat. You can download the report in PDF format from the corresponding event in ETP. 

To use this feature, in a policy, you must enable Inline Payload Analysis, select the Allow and Scan option for large files, and enable Dynamic Analysis. This feature is available to organizations that are licensed for Advanced Sandbox.  

To try any of these features, contact your Akamai representative. 

Known Issues and Limitations

These limitations apply to this beta release:

• Windows apps are not supported on Windows machines where ETP Client 3.0.4 is installed.
• If a user skips authentication, they are prompted to authenticate every 15 minutes. 
• ETP Client 3.0.4 is not supported on Mac OS X El Capitan.
• If you are setting up Active Directory Federation Services (AD FS) as a third-party SAML identity provider, you must deploy an identity connector and associate it with AD.

These issues are currently known in this beta release: 

Authentication

Issue: When defining the users and groups that can access websites for a blocked AUP category, you must manually enter the user IDs and group names. You cannot provide the username of the user.
Workaround: If you are using a directory service such as Activity Directory, consult the user and group information in your directory service. You can also find the User ID and group name in a Proxy Activity report (Monitoring > Activity).

Identity Providers and Directories

1) Issue: If your organization uses Enterprise Application Access (EAA) or another cloud access solution for enterprise applications, these applications are not accessible when traffic is directed to ETP Proxy.
Workaround: Make sure you enter the domains of your enterprise applications and EAA identity providers in the internal DNS suffixes field of the ETP network configuration.

To do this:

1. In the ETP navigation menu, select Configuration > Utilities.
2. Click the Network Configuration tab.
3. In the DNS suffixes field, enter the full domain of EAA identity providers and enterprise applications.
4. Click Save.

2) Issue: The email address associated with a user in the Cloud Directory is not editable.
Workaround: You can delete the user and add a user with the new email address. If your organization also uses EAA, you can modify the user’s email address in EAA.

3) Issue: When deleting a user in the Cloud Directory, the dialog that confirms the deletion shows inaccurate information about the user’s last login.
Workaround: No workaround is available.   

4) Issue: If a user is deleted from a directory after they authenticate, the user is redirected to the IdP login page 30 minutes after the delete operation occurred.
Workaround: No workaround is available.

5) Issue: Changes to the URL of an identity server in ETP do not take effect for an identity provider that was previously deployed and assigned to a policy. After you deploy the modified identity provider, the change is not recognized by ETP policy.
Workaround: In the policy where this identity provider is assigned, complete these steps:

1. Change the authentication mode to another mode that uses authentication. For example, if this mode is set to Optional, select Require. If this mode is set to Require, select Optional.
2. Save and deploy the policy.
3. Return to the policy.
4. Select the authentication mode that you want to use for the policy.
5. Apply AUP exceptions.
6. Save and deploy the policy.

For detailed instructions on these operations, see the online help.

6) Issue: If you modify an identity provider, you cannot deploy any policy that’s associated with the IdP until the IdP is deployed.
Workaround: Deploy the IdP.

ETP Proxy

1) Issue: A browser error appears to the user when ETP Proxy cannot verify the web server certificate. This occurs if the certificate chain is incomplete or its Certificate Authority (CA) is unknown to Akamai.
Workaround: If users see this error for traffic or websites that you want to allow, add the domain or its IP address to an exception list. Exception lists bypass ETP Proxy. For more information on exception lists, see Exception lists. To create an exception list, see Create an exception list.

2) Issue: Mozilla Firefox on Windows does not use the proxy settings or certificates that are on the system.
Workaround: If you configure proxy chaining to direct traffic to ETP Proxy, make sure you configure the on-premises proxy as a proxy connection in the Firefox browser.  To configure proxy settings in Firefox:

1. Click the Open menu button and select Options. 
2. Navigate to Network Settings and click Settings.
3. In the Connection Settings, select Use system proxy settings.
4. Click OK.

Note: On Windows, make sure that you configure Firefox to recognize the trusted root certificates that are in your enterprise Windows certificate store. For more information, see Enable enterprise trusted root certificate in Firefox and Certificate distribution. 

 ETP Client

1) Issue: Users cannot access the Internet when both these conditions apply:

• ETP Client 3.0.4 forwards all web traffic to ETP Proxy
• Pulse Secure VPN uses proxy server settings
  Workaround: In the VPN  tunneling connection profile of Pulse Secure VPN, make sure you or an IT administrator selects the No proxy server option. For more information on Pulse Secure VPN connection profiles, see documentation for Pulse Secure VPN.

2) Issue: If there are more than 40 DNS suffixes configured in the ETP network configuration, ETP Client may be unable to enter “Your device is protected” mode.
Workaround: Instead of adding these domains or DNS suffixes to an ETP network configuration, create a custom exception list with this data. Exception lists bypass ETP Proxy. For more information on exception lists, see Exception lists. To create an exception list, see Create an exception list.

Enhancement:

• Support for Google Chrome’s changes regarding “SameSite” cookie attributes.  We’ve enhanced the AMD Cookie-based Token Authentication functionality to maintain compatibility with Google’s updates to their SameSite Cookie attribute with Chrome version 80 and later. With this change, Akamai explicitly sets the SameSite attribute for token cookies to use the values “None” and “Secure.” This allows the applicable cookie token to be sent to Akamai without playback interruption when using Chrome. For non-secure (HTTP) traffic, there is no change to how the session token is set in a cookie.

The latest update for API Gateway includes the following features, enhancements, and bug fixes:

New Features:

• Easily configure inbound and outbound traffic paths and routing with Origin Routing.
• “What’s New” section in Luna displays information about new features as they become available.
• HTTP methods now have 3 states to more clearly indicate status: inactive, activated on production, or activated on staging.
• HTTP methods are now color-coded to indicate which method(s) are selected.
• You will now be notified through a pop-up window when a Gateway policy has been successfully activated on the network.
• The access control group (ACG) for every key collection will now be displayed.
• You may now use a key collection (instead of an individual key) to enable the Gateway throttling feature.

Enhancements:

• Endpoints may no longer be activated without a defined hostname.
• Very long resource paths are now always visible in the UI.
• API Gateway will now honor cache settings as configured in Property Manager, unless caching is also configured in API Gateway. If configured in API Gateway, the Gateway settings override the Property Manager settings.

Bug fixes:

• Reimporting an API in API Definitions inadvertently replaced existing hostnames.
• Swagger import was failing for some use cases.
• Endpoint activation issues have been resolved.
• Fixed a problem where selecting too many methods resulted in a request being denied.
• Fixed a problem with the X-Throttling-Limit HTTP header to ensure it will always be sent to the client.

The latest update to mPulse includes the following features:

• mPulse Enterprise customers can now designate apps as “Lite” apps for specific properties. Find out more about Lite Apps for Enterprise Tenants.
• Automatic Page Groups (APG) uses URL regular expressions to automatically create logical page groups for new mPulse apps. Learn more about Automatic Page Groups.

The latest update to mPulse includes the following enhancements:

• The mPulse Query API ‘metrics-by-dimension’ query type now supports custom dimensions as inputs to the ‘dimension’ parameter.
• Added support for Edge Mobile on iOS and Android.

The latest update to mPulse includes the following bug fixes:

• Fixed an issue that caused SVG dimension errors to appear in the console when timing data for a resource had a negative value.
• Fixed an issue of mPulse failing to collect beacons that contained a dash in their AMP Session ID.
• Fixed an issue where mPulse was not detecting changes to custom metric definitions.
• Fixed an issue where dimension values were not appearing correctly in filtered search results.
• Fixed an issue related to the breakdown of data for regions within a country.
• Fixed an issue that caused charts to appear distorted when resized.

Release Notes:  Property Manager

New Features:

• Cache Tag Visibility.  A new Property Manager behavior that lets you control when cache tag headers are returned for debugging purposes.  Purge by cache tags let you group content and purge unique objects via the purge API.  See Purge content by cache tag for more details.
• Edge Hostname Limits.  In mid-February we will start to enforce platform safety limits on the number of edge hostnames you can create via Property Manager or PAPI. Until that time, the limit is not enforced, but you will see a status message in the Property Manager UI and in PAPI showing you how many edge hostnames you have remaining. If you are close to, or over, the limit, we encourage you to access the Edge hostnames application in Control Center and remove any unused edge hostnames you may have. You can also reach out to your account team to request a limit increase.

Bug Fixes:

• Miscellaneous bug fixes and performance improvements.

Bug Fix:

Chunked Transfer Encoding for Uncompressed content requests: With this release, we fixed an issue that caused playback issues with any device that requested uncompressed content, typically manifests and text subtitle files larger than 32 KB in size. This content is now delivered using chunked transfer encoding to clients which prevents playback issues. You might have experienced this issue if all the following conditions existed:

• Your AMD property configuration was created or modified after November 8th, 2019.
• Video on Demand (VOD) is the configured delivery mode.

For more information, contact your Akamai account representative.