Introduction
LogonBox is pleased to announce the immediate availability of LogonBox VPN 2.4.10.
This release includes performance improvements relating to account unlocks and syncing large numbers of users as well as some security updates on the Web UI.
Performance improvements
If a sync contains large numbers of groups (over 10,000 or so), LogonBox could be very slow for some operations.
Therefore we have added a number of improvements to address this, such as adding some missing indexes to the database as well as optimising how we write user properties on a sync so we can avoid excessive database reads of group relationships.
It is now possible to not synchronise groups at all if you are not likely to manage them from LogonBox. This can speed up syncs significantly.
Security Updates
A number of security updates have been added:
- CSR signature algorithm for SSL Certificates has been upgraded to SHA512WithRSA
- JQuery has been updated to version 3.7.1 to address potential vulnerabilities
- Added CSP headers to initial root redirect page /. Previously these headers were only on the end page you were redirected to.
- Added option to turn off Gzip compression of web pages as another mitigation for the BREACH vulnerability
- Calls to the password generator API now require an authenticated session.
Synchronise Schedules for sub-tenants
It is now possible to alter synchronise/reconcile schedules separately for any sub-tenants/realms again.
Upgrade Instructions
You can directly upgrade from the web UI or the operating system.
To upgrade from the web UI, log on to your admin account, navigate to Server Status from the main dashboard, and click Update. If you have Updates, Features & Licensing->Update Prompt turned on, you may also be prompted automatically upon login.
To upgrade from the operating system:
On Windows – download the new installer, run the installer, and follow the prompts.
On a LogonBox VM – from a shell, type in:
apt update
apt upgrade
If you are still running a version before 2.3, you will need to perform some extra steps from the OS, as detailed here:
https://docs.logonbox.com/app/manpage/en/article/6172513
Our support team will upgrade Cloud customers over the coming week.
Changes
Here is a summary of the changes in this release.
Features
- Can now alter AD sync schedules again in sub-tenants.
- CSR signature algorithm for SSL Certificates has been upgraded to SHA512WithRSA
- JQuery has been updated to version 3.7.1 to address potential vulnerabilities
- Added CSP headers to initial root redirect page /
- Added option to turn off Gzip compression of web pages as another mitigation for the BREACH vulnerability
- Calls to the password generator API now require an authenticated session.
- Added an index to a database table to improve performance when reading AD groups.
- Option added to Group filter mode for AD – Disable Group Support. This can significantly speed up syncs on large AD domains if you’re not interested in managing groups via LogonBox.
- Optimised user property writing during synchronization to avoid excessive database reads of group relationships
Bugs
- Users can no longer authenticate when Cache Passwords is set and their account is locked
- Mitigation added for BREACH vulnerability: random bytes can now be written to any gzipped web response
- When using Azure/O365, logging a user off LogonBox now also logs the user off Azure as expected
- Server log file should log significantly fewer lines when large numbers of groups are excluded in a sync, resulting in a much smaller log file
- Fixed a display order issue with Captcha authentication module when it is placed at the beginning of an authentication flow
- Fixed incorrect message with the free license which suggested the server was not entitled to updates
- Added some missing database cascades which could stop roles from being deleted
- Duo authentications should no longer end up in an auth loop if Duo bypass MFA is enabled
- Fixed a memory leak relating to Roles when large numbers of users or groups are present