File: WHATSNEW.TXT Product: FEC Secure IPSec Client Version: Version 2.00 Funkwerk Enterprise Communications GmbH -------------------------------------------------------------------------------- Latest Release Info, IPSec Client under Windows 2000/XP/Vista -------------------------------------------------------------------------------- New features of version 2.00 relative to version 1.30 -------------------------------------------------------------------------------- 1. Support of Windows Vista With version 2.0 of the NCP Secure Entry Client in addition to the operating systems Windows 2000 and Windows XP, Windows Vista is also supported. The Client user interface has been visually adapted to the Windows Vista operating system without changing the relationship between the icons and the functional sequence of connection set-up and authentication. Installation of the Client software 2.0 under Microsoft Vista requires a license key for this version. This software cannot be operated under an older license key. 2. Multi-function card In the "Connection" monitor menu, the menu item "Multi-function Card" is displayed if a multifunction card is inserted, and if it has been detected by the Client. (New additions to the set of supported multifunction cards are: The integrated card of the Lenova notebook (Sierra chipset) starting with version 1.31 and Vodafone Easybox USB adapter for UMTS/GPRS.) The following functions are executed via the "Multifunction card" menu item: - Network search - Activate UMTS or GPRS - Enter or change SIM PIN A PIN dialog for entering the SIM PIN is always displayed if the media type "UMTS/GPRS" has been configured in a profile, and if a multifunciton card that the Client detects has been inserted. In addition, the functions "Network search", and "Activate UMTS or GPRS", can also be triggered via the field for graphic display of the signal strength. This field is opened automatically if you select a profile with the connection type "UMTS/GPRS" from the profile settings. 3. WLAN panel Undepending on the connection medium of the current link profile, in the Monitor menu "window" under "Show WLAN status", you can open or close a separate field for graphic display of WLAN field strength, if a WLAN configuration has been activated in the the Monitor menu, "Configuration", under "WLAN settings". A button [...] in this panel takes you directly to the configuration field of the "WLAN settings". If a multifunction card has been configured, then the menu item "WLAN panel" is not active. 4. UDP filtering You can set a UDP filter in the configuration field "Options" in the Firewall settings of the Monitor menu. In the default setting when you start the Client (independent of the Firewall) UDP packets will be filtered out so that a connection to the Client PC from the outside is not possible. If you start an application with server function on the Client PC, which is based on UDP data transfer (e. g. terminal applications or NTP), then this default setting can have a disturbing effect on data communication. Consequently this default setting can be switched off, or it can be limited to UDP packets of unknown networks. Always: Default setting. In this switch position when you start the Client no UDP packets reach the Client PC. Only for unknown networks: In this switch position UPD filtering will discard all packets from unknown networks. Off: If the filter is switched off, all UDP packets reach the Client PC. This setting should only be used if problems occur with an application. 5. Operation Systems The actual version 8.31 and further versions of the Secure Client will only be tested for the Windows systems Windows 2000 and Windwos XP. The full functionallity of the client software under Windows NT or Windwos 98/95 can not be garanted. 6. Concerning Installation of the Client Starting with version 2.31 the Client will be installed in the program directory of the operating system (programs\Funkwerk Secure IPSec Client) for a new installation. For an update in addition the path is used that was entered for the last installation. 7. New UMTS/GPRS cards Lenovo Notebook integrated Card (Sierra chipset). 8. Deleting the Phonebook The Client's personal firewall can be opened or deactivated under certain circumstances, if the Client's phonebook has been inadvertently deleted. Starting with version 1.31 it is no longer possible for the user to delete the phonebook. Even after an update to this version and later saving of the telephone book, it is no longer possible for the user to delete the phonebook. 9. Support for UDP Encapsulation If UDP encapsulation is used then the port can be freely selected. Standard for IPSec with UPD is port 4500, for IPSec without UDP it is port 500. The NCP Gateway automatically detects UDP encapsulation. The parameter is located under: Configuration / Phonebook / IPSec Options / Use UDP encapsulation 10. EAP Access Data from Certificate For EAP-TLS (with certificate) now the EAP user name can be directly referenced from the certificate configuration. The following content of the configured certificate can be used by entering the appropriate placeholders in the EAP configuration: Commonname : %CERT_CN% E-mail : %CERT_EMAIL% After configuration of the certificate these placeholders are entered in the monitor menu under: Configuration / EAP Options / User ID and Password. 11. EAP Authentication You can specify whether EAP authentication will only be executed via WLAN cards, LAN cards, or via all network cards, in the "EAP Options" of the Monitor menu. The setting made here applies globally for all phonebook entries. In an activation box the EAP authentication can be set as follows. - Deactivated - For all network cards - Only for WLAN cards - Only for LAN cards 12. EAP Authentication before Destination Selection when using Gina Under the "Logon Options" in the Monitor menu the parameter "Execute EAP authentication before destination selection" has been added. If this parameter is activated then EAP authentication will be executed prior to the destination dialog in Gina and the system will ask for the necessary PIN, regardless of whether EAP will be required for subsequent dial-in. This parameter can be used, for example, if the NCP Gina will only be used for EAP authentication, without setting up a connection to destination system (use as a pure EAP client). 13. EAP for WPA Encryption In the Monitor menu under "Configuration / WLAN Profiles", the option "EAP" can be added under "Key Management" for WPA encryption. The prerequisite in this case is that a certificate must have been configured. Regardless of the EAP configuration, EAP with certificate is always used here. 14. Certificate Verification for HTTP Authentication with Script From this point on incoming certificates can be also be verified with HTTP authentication. For this the variable CACERTDIR must have been set in the script. In addition WEB server certificate content can also be verified. Additional variables are available in this regard: CACERTVERIFY_SUBJECT : Checks the content of the subject (e.g. cn=WEB Server 1) CACERTVERIFY_ISSUER : Checks the content of the issuer CACERTVERIFY_FINGERPRINT : Checks the MD5 fingerprint of the issuer certificate If the content of the variable does not agree with the entered certificate, then the SSL connection will not be established and a log message will be output in the Monitor. 15. Extension of IPSec Hash Algorithms The algorithms SHA 256, SHA 384, and SHA 512 bit can be used for authentication for both the IKE policies as well as for the IPSec policies. You can make this setting in the Monitor menu under: IPSec / ...Policies / Recommendations / Authentication 16. Application Execution for specific Phonebook Entry Programs can be entered in the configuration menu of the monitor under "Connection control / Ext. Applications" that will be started automatically after the connection is setup. In addition these applications that will be executed can also be linked to a specific phonebook entry. The dialog from which the available destinations can be selected has a combo box. 17. WLAN automation With version 1.31 intelligent WLAN automation is available which enables the appropriate profile to be used for the actual existing WLAN, in background. WLAN automation is configured with the Monitor menu under "Configuration / WLAN Settings" and the sub-item "WLAN Profile". Under "WLAN Profile / General" you can choose "Manual" or "Automatic" for a selected profile. In the "WLAN Settings" under "WLAN Profile" select the profile with which a connection will be setup to the access point. Other than the profile selected here, there are other profiles that can be used for dialing into the access point, if these have been configured with the connection type "Automatic", and if the function "Use profiles with automatic connection type for connection setup" has been activated in the "WLAN" settings. In other words, multiple profiles have been created with the connection type "Automatic" and if the function "Use profiles with automatic connection type for connection setup" is used then the last selected profile will be referenced for a possible connection setup. If the SSID does not match, so that a connection to the access point cannot be setup with this profile, then subsequently the profiles that have been referenced as "automatically" configured will be referenced for the connection setup and the appropriate SSID will be used. 18. HotSpot Logon Hotspot logon is executed via the Monitor menu "Connection / Hotspot Logon". After this menu option has been selected different connection messages will be displayed on the screen: - If the user is already connected to the Internet he will be connected with the start page http://www.ncp.de. A window with the following message will appear: "You are already connected to the Internet. Hotspot logon is not necessary or has already been executed." This text can be changed by the administrator by entering the address of a different HTML start page in the form "http://www.mycompagnie.de/error.html". And the text of error.html is changed accordingly. - If the user is not yet logged on, then a window will be displayed requesting the user to enter user ID and password for logon to the hotspot operator. - If the user has not reached a website, then the Microsoft error message "...not found" will be displayed. The configuration for hotspot logon is executed via the Monitor menu "Configuration / Hotspot Logon". The following settings are possible: - "Use standard browser for hotspot logon" is the default setting. If the check mark is removed from the checkbox then a different browser can be specified in the form: %PROGDIR%\Mozilla\Firefox\firefox.exe. In addition the MD5 hash value of the browser exe file can be determined and entered in the "MD5 Hash" field. In this manner the system ensures that a hotspot connection is only realized with this browser. - Under "Start Page / Address" the start page described above is entered in the form: http://www.mycompagnie.de/error.html. Configuration via the Management System is possible starting with version 1.04 build 9. 19. A Project Logo can be added in the Client The logo is displayed in a panel of the Client over the entire width of the Monitor at the very bottom. An ini file (ProjectLogo.ini) must be created for the logo, where the following can be entered: - Project logo for small fonts - Project logo for large fonts - Info text (ToolTip) if the cursor is positioned on the logo - HTML file if there is mouse click on the logo. For the installation a "ProjectLogo.ini" is copied into the installation directory that contains further explanations for creating the logo. New features of version 1.30 relative to version 1.10 -------------------------------------------------------------------------------- 1. New Connection Types We have added two new connections types for the Client the Phonebook's "Destination system" parameter field: - WLAN - Automatic media detection WLAN: Configuring a destination system with connection type WLAN enables direct activation and configuration of the WLAN card. Installation of the management software can be dispensed with (only under Windows 2000/XP). Automatic media detection: This connection type can be implemented if different connection types are used in alternation. If this is the case, the client automatically detects the connection types that are currently available, and then selects the fastest of these. 2. Integrated WLAN Configuration for Windows 2000/XP Under Windows 2000/XP the WLAN adapter can be operated with the connection type "WLAN". In the monitor menu the special "WLAN settings" menu item is displayed where the access data for the wireless network can be saved in a profile. If this "WLAN configuration" is activated, then the management tool of the WLAN card, or the Microsoft tool must be deactivated. Alternatively the management tool of the WLAN card or the Microsoft tool can be used as well. The tools that are not activated must be deactivated. If the connection type WLAN is set for the destination system in the phonebook, then under the graphic field of the Client Monitor an additional area is shown where the field strength and the WLAN network are displayed. Please read the description of the parameters "Connection type" in the section "Configuration parameters / Phonebook", and the appendix "Mobile computing via GPRS / UMTS / WLAN", prior to configuring the WLAN settings. If WPA is used with EAP (TLS), then the EAP options must be activated in the configuration menu of the monitor and a certificate must be configured (in the monitor menu under "Configuration / Certificates"). 3. Automatic Media Detection On the basis of a pre-configured destination system, those connection types that are currently available for the Client PC are detected and implemented, and if multiple alternative transmission paths are available, the fastest will be selected automatically. The connection type priority is specified in the following sequence in a search routine: 1. LAN, 2. WLAN, 3. DSL, 4. UMTS/GPRS, 5. ISDN, 6. MODEM. The configuration is executed in the Phonebook with the connection type "Automatic media detection" under "Destination system". If desired, all destination systems for the VPN gateway that are pre-configured for this Client PC can be assigned to this automatic media detection. This renders manual selection of a medium (UMTS, DSL, ISDN, MODEM) from the Phonebook entries superfluous. Input data for the connection to the ISP are transferred from the available Phonebook entries in a manner that is transparent for the user. 4. Available Communication Media The purpose of this window is only to inform the user about the available link types an the currently used link type. On the basis of a pre-configured destination system, those link types that are currently available for the Client PC are detected and implemented, and if multiple alternative transmission paths are available, the fastest will be selected automatically. The available link types are displayed with yellow signal lamps and the automatically selected with a green signal lamp. For configuration purposes note the description of "Automatic Media Detection" in the parameterfolder "Destination System" of the phonebook. 5. Licensing Licensing no longer occurs via the popup menu, now it is executed via the Monitor menu option "Help / License Data and Activiation". The software version implemented, and possibly the licensed version with serial number, are shown under the menu option " License Data and Activiation" in the monitor. If the software is used as a test version then the remaining validity period is displayed in the popup. In order to use a valid full version that is not subject to time restrictions, the software must be released with the license key and serial number received. The licensing process for the software requires your acceptance of the license conditions, which can be viewed via mouse click. License key and serial number can be entered after you have clicked on the activation button. Now the license data can be entered either online or offline via an assistant. In the offline variant, a file that is generated after entering license key and serial number must be sent to the NCP web server, and the activation key that is displayed on the website must be noted. This activation key can be entered in the licensing window of the Monitor menu at a later point in time. In the online variant, an assistant forwards the licensing data to the web server immediately after entry and thus the software is immediately released. 6. Friendly Net Detection (FND) FND enables the NCP Secure Enterprise Client to automatically detect whether it is in a Friendly Net (FN) or not. Integrated intelligent automation mechanisms in the Personal Firewall automatically replace manual interventions. The administrator can define what constitutes an FN in the Firewall settings of the Monitor. The monitor indicates the presence of a FN by displaying the Firewall Icon in green. A Friendly Net Detection Server (FNDS) is required; this is an NCP software component that must be installed in a network that is defined as "Friendly Net". The FNDS is authenticated via EAP or EAP-TLS. The user does not have to worry about setting the Personal Firewall. The NCP Secure Enterprise Client dynamically accesses a suitable firewall policy depending on the communication environment. Unintentional use of incorrect firewall configurations, and thus attacks on the corporate network are prevented. To increase redundancy the IP address of a second FND server can be entered after the first IP address, after a comma. The IP address of the first available FND server will be selected automatically for friendly net detection. 7. The Range of supported Smart Cards has been extended The following smart cards are supported directly via the PC/SC or CT-API interface: - Signtrust - NetKey 2000 - TC Trust (CardOS M4) - Telesec PKS SigG 8. Status Display of the Endpoint Policy and Friendly Net Detection If endpoint security policies are used between Client and VPN gateway, then the policy icon is displayed while the connection is being set-up. During verification of the policy after the connection has been set up it is displayed with a yellow check mark, if the policies are satisfied, it is displayed with a green check mark, if the policies are not satisfied then the policy icon is displayed with a red check mark. If a Friendly Net (e.g. corporate network) has been defined by the administrator, and the Secure Client accesses this Friendly Net, then the Firewall icon is displayed in green. Friendly Net detection is configured in the monitor configuration menu under "Firewall settings / Friendly Nets", either by specifying static network routes, or by activating the automatic detection of the Friendly Nets. See the description under "Firewall settings / Configuration field - Friendly Nets" for more information. 9. External Applications Use this connection management configuration field in the monitor menu to start applications or batch files, depending on the Client Monitor. In a more extensive configuration you can determine when the application will be started: - Prior to starting the connection setup (precon) - After starting the connection setup (postcon) - After starting the connection disconnect(discon) The wait function "Wait until application has been executed and ended" can be relevant if a series of batch files will be executed one after the other. 10. External Applications before Windows Logon You can also start external applications (console applications or batch files, no Windows programs) with the NCP Gina via the menu item "Logon options" in the monitor menu "Configuration". - Prior to starting the connection setup (precon) - After starting the connection setup (postcon) In addition, the application can be started depending on the connection type of the destination system that is selected in the Gina dialog. The application always starts if the connection type "All" has been selected. "Wait for domain preparation (postdom)" means that after the initialization period, the application will be started immediately prior to domain logon. The wait function "Wait until application has been executed and ended" can then be relevant if a series of batch files will be executed one after the other. 11. Dialog and Installation of the NCP Gina The NCP Gina dialogs can be hidden via the Monitor menu without de-installing the Gina. Thus Gina concatenations that may possibly be necessary for the respective work environment remain intact. If you want to display the Gina dialog, then note that the NCP Gina must be installed in any case. This can be done in three ways: - With the software installation, here the system asks the user if he wants to use the Windows logon via the NCP Gina. If yes, it will be installed. - Retroactive installation is possible via the command line interface rwscmd.exe, likewise retroactive de-installation is also possible. - The Gina is also installed if an appropriate phonebook is provided via Secure Enterprise Management. The standard situation is that EAP authentication takes place prior to establishing the connection to the VPN gateway. If EAP will be used without subsequently setting up a connection via the Client (pure EAP Client) then this function must be activated. If EAP with certificate is implemented, then the PIN dialog for authentication appears on the network components. Thereafter the destination can be selected. If the function is not activated then EAP authentication will only be executed after the destination has been selected. 12. Allow HotSpot Logon for External Dialers If this function is activated, then hotspot logon can be executed via an external dialer. You must call the command line interface rwscmd.exe for this. (See the description in the "Services" Appendix in this manual for more information in this regard!) With the command rwscmd /logonhotspot [Timeout] The firewall will be released for ports 80 (HTTP) and 443 (HTTPS). This generates a dynamic rule that allows data traffic for this hotspot logon, until the transferred timeout (in seconds) has elapsed. 13. Initialization Time after Network Logon Windows may require a certain initialization time between network logon and domain logon. This preparation time for the domain logon can be activated and set here. The Windows logon will only be executed after the connection setup after the initialization time set here. The standard value is 45 seconds and can be changed as needed. 14. New Parameter Field in the Phonebook "Authentication before VPN" This parameter field only appears if the connection type "LAN" or "WLAN" has been configured for the destination system, or if an external dialer is used, or if the destination system has been configured for automatic media detection. Please read the description of the "Destination / connection type" parameter field, for more information in this regard. 15. New Parameter Field in the Phonebook "HTTP Authentication" HTTP authentication allows automatic, script-driven logon for mobile users at hotspots (DSL as well). For a link with the connection type WLAN the HTTP logon is not switched on in the phonebook! Instead, activation of this function causes the authentication data from the WLAN settings in the Monitor menu to be used for this destination system. If the access point executes an HTTP redirect, then user name and password entry is not necessary in a browser window. Instead the authentication data are entered here. Authentication is executed via an appropriate script. Examples are in the installation directory ncple\scripts\sample. For connection type WLAN the authentication data for the hotspot are transferred from the WLAN settings. The user sets up the connection to the hotspot automatically if the HTTP application is activated. A message box informs the user that there are charges for this connection and that he accepts the contract conditions of the hotspot operator. 16. Support for UDP Encapsulation (Port 4500) If UDP encapsulation is used then the port can be freely selected. Standard for IPSec with UPD is port 4500, for IPSec without UDP port 500. The NCP Gateway detects the UDP encapsulation automatically. 17. Voice over IP (VoIP) setting priorities If the Client is used for communication with Voice over IP, then this function "Voice over IP (VoIP) setting priorities" (in the phonebook under "Line Management") should be activated in order to send and receive the voice data without delay and without distortion. 18. Support of multi-function cards for UMTS/GPRS If a multi-function card for UMTS/GPRS is installed, then an additional field appears with the connection type "GPRS/UMTS". This field shows field strength, connection type (UMTS or GPRS), and the network. In addition, the current connection type can be switched and the network can be changed. 19. Menu item for SIM PIN entry for multi-function cards The menu for the multi-function card has been extended with the "SIM PIN Entry" option. The menu option is only active if the SIM PIN has not been configured, or if it has not been entered. 20. PIN handling for SIM has been reworked PIN handling for the SIM has been completely reworked to support the multi- function card (UMTS/GPRS). The necessary request for PIN or PUK entry is automatic. If entry of the PIN/PUK is interrupted, then it can be called later, via the menu. In addition, the current PIN or SIM can be changed via the menu. 21. Configuration correction for the SIM PIN for UMTS/GPRS If the SIM PIN of the multi-function card has been entered incorrectly, then there is a request to enter the PIN when a connection is set-up, which then is corrected in the configuration. 22. Extension of the display for the field strength of multi-function cards The field strength is also displayed with percentage values in the field for the multi-function card, in addition to the graphic bar level display. 23. Log file for a multi-function card If a multi-function card for UMTS/GPRS is installed, then a log file is written in the log directory of the Secure Client, with the following columns. 1st Column: Time 2nd Column: Current field strength 3rd Column: Average field strength of the last minute 4th Column: Average field strength of the last 5 minutes 5th Column: Average field strength of the last 10 minutes 6th Column: Current network type (UMTS or GPRS) 7th Column: Current network An entry is created every 10 seconds; however the entries are only written to the file every 5 minutes. A log file is created with the name "mfc.log" for each day. The log files for the last 7 days are saved. 24. Log entry when setting up a connection (reason for the set-up) If an existing connection is disconnected, then the system writes a log entry in the Client's logbook citing the reason why the connection was disconnected. 25. Log entry when disconnecting a connection (field strength status) If an existing connection is disconnected, then the system writes a log entry in the Client's logbook citing the last field strength status values for UMTS/GPRS. 26. "MAC address" parameter in the firewall rules The parameter, "MAC address", has been removed in the rules under "General" in the firewall settings. New features of version 1.10 relative to version 1.0 -------------------------------------------------------------------------------- 1. Installation directory In the user-defined installation you can select any installation directory for the software. This is particularly important if the user will have no rights on the system root directory. 2. Firewall The Personal Firewall can be set in the "Configuration" monitor menu, and it is a fixed component of the Secure Client. All firewall mechanisms are optimized for Remote Access applications and are activated when the computer is started. This means that in contrast to VPN solutions with autonomous firewall, the teleworkstation is already protected against attacks before actual VPN utilization. The Personal Firewall also offers complete protection of the end device, even if the client software is deactivated. All firewall rules can be centrally specified by the administrator, and compliance with these rules can be forced. The prerequisite in this case is the central NCP Secure Enterprise Management system, which is used to configure the Client, which can be permanently specified as unchangeable for the user. 3. Automatic hotspot logon NCP has permanently integrated the Personal Firewall in the Secure Client software in order to protect the Remote Client against any kind of attack in every phase of the connection set-up in WLANs and hotspots, without the user having to do anything. It has intelligent automated processes for secure hotspot logon. Functional description: If a user with his end device is in receiving range of a public WLAN, then he selects the menu option "Hotspot Logon". The Client then searches the hotspot automatically and opens the website for the logon procedure in the standard browser. After successfully entering the access data and release by the operator, the VPN connection can be established to corporate headquarters, for instance, and the user can securely communicate, as he would on an office workstation. To keep the PC invulnerable at all times when logging onto the WLAN, the firewall dynamically releases the ports for http or https for logon or logoff. Logoff at the hot spot free. In this process data traffic is only possible with the hotspot server of the operator. Non-requested data packets are rejected. In this manner the system guarantees that a public WLAN will only be used for the VPN connection to the central data network and that there is no direct Internet access. Direct communication to the Internet bypassing the VPN tunnel is impossible due to the previously described dynamic firewall rules that are set automatically by the integrated Personal Firewall of the NCP Secure Client. Please note: proxy settings that may have been entered must be adapted or deactivated for logon via the standard browser at the hotspot. If hotspot logon has not been executed by the NCP Secure Client then this fact is communicated to the user through the message "Hotspot could not be found". In such a case you must determine whether a general problem exists in conjunction with the mechanisms implemented by NCP relative to this hotspot operator. 4. Import of configuration data With the function "Profile Import" in the configuration menu of the monitor profile settings can be imported by the client. The profile settings to be imported can be created as INI-file by the destination system or edited by hand. You will find the files IMPORT_D.TXT and IMPORT_E.TXT in the installation directory for example. In those files the syntax and the values of the parameters are described. 5. Compression type Deflate The compression type Deflate is now supported. In the phonebook the parameter "Use IP compression" under "IPSec Settings" is displayed. Using this function both methods, LZS and Deflate, are negotiated. 6. In the phonebook under "IP Address assignment" you enter the domain name. 7. Using multiple Soft Certificates on one Client PC If you want to set up PC-sharing for multiple users, who each use a separate certificate, then you can configure this in the main menu of the Client Monitor under "Configuration - Certificates - User Certificate". Under "User Certificate" you must switch on the "Activate Soft Certificate Selection" menu item, and you must select a "Certificate Path". If this path has been created previously, then you can select this path via the Select button. (C:\WINNT\ncple\usercert, for example). The various user certificates must then be created under this path. If these settings are saved with "OK", then the certificate list will appear under the graphic field of the monitor, with the list of all user certificates saved under the certificate path (for instance user1 to user4). If the user has selected his soft certificate (user2 for instance) and has established a connection to the central VPN gateway, then he must first enter his PIN. Then the connection to the destination system will be established. 8. Using EAP 802.1x For WLAN and switches supporting port authentication the client supports EAP- MD5/TLS. This makes it unneccessary to install a separate EAP client. EAP-MD5: UserId/Password authentication is supported and the possibility exists to get the UserId/Password from the certificate used for the VPN connections. EAP-TLS: Certificates are used and are taken from the NCP certificate configuration. EAPOL KEY (Dynamic WEP key ) is supported. 9. Statefull Packet Inspection Stateful Packet Inspection is always activated. This means, for non-VPN connections to provider SPI (Statefull Packet Inspection) is now always enabled. 10. XAUTH protocol Changed the XAUTH protocol for use with NETSCREEN and OTP. -------------------------------------------------------------------------------- For further information please consult the Web-Site: www.funkwerk-ec.com -------------------------------------------------------------------------------- Funkwerk Enterprise Communications GmbH, Nuremberg, Germany 02/27/2007