TMWS On-Premises Gateway Release Notes

Enhancement of some URL category names in Japanese

Improves the accuracy of some URL category names shown on the Japanese notification pages for URL access.

None

N/A

Root CA certificate verification enhancement

Enhances the mechanism for verifying the TMWS root CA certificate to prevent the incorrect warning for expired certificate when users access legitimate websites.

Performance enhancement for HTTP2

Provides faster and better performance for accessing websites through HTTP2.

Fixes scan module crash

This version resolves the issue that a scan module in the on-premises gateway crashes unexpectedly.

Fixes product log download error

This version resolves the issue that some product log packages downloaded do not contain any files.

Operating system upgrade

Upgrades the operating system running the on-premises gateway from CentOS 7 to Rocky Linux 9.

Web Reputation Services query enhancement

Enhances the mechanism for querying the Web Reputation Services to prevent occasional connection timeout.

Kerberos authentication compatibility

Supports the encryption type RC4-HMAC-NT for Kerberos authentication when you upgrade from a previous on-premises gateway version to the current version. RC4-HMAC-NT is disabled by default on the operating system Rocky Linux 9.

If you install this on-premises gateway version directly, RC4-HMAC-NT is not supported.

Trend Micro engine upgrade

Upgrades the related detection engines to the latest versions.

Fixes incorrect upgrade status

This version resolves the issue that occasionally the on-premises gateway upgrade status is reported to the TMWS cloud as successful while the upgrade actually fails.

Fixes CRL-related issues

This version resolves the following issues related to the certificate revocation list (CRL):

• A large CRL causes the proxy service to take a long time to reboot.

• Frequent CRL updates causes unnecessary system resource usage.

• Unused CRL entries occupy too much storage resources.

OpenSSL upgrade

Upgrades OpenSSL to fix the vulnerabilities CVE-2023-0466, CVE-2023-0465, CVE-2023-0286, CVE-2022-4304, and CVE-2023-0215.

More granular error codes for upgrade

Adds more error codes to indicate errors that occur during the TMWS on-premises gateway upgrade to facilitate troubleshooting.

Fixes failure to upload TMWS event data to Trend Vision One

This hotfix resolves the problem that the TMWS on-premises gateway failed to upload event data to show in the Trend Vision One console.

Fixes a data cleanup issue

This hotfix resolves the problem that the TMWS on-premises gateway did not automatically clean up some log data even when the disk usage threshold was reached.

None

N/A

Improves metrics log generation mechanism

This hotfix enhances the mechanism for generating metrics logs to resolve the performance issue of the TMWS on-premises gateway.

Upgrades the Sudo version

This hotfix upgrades the Sudo version to resolve the vulnerability CVE-2023-22809.

Third-party library upgrade

Upgrades third-party libraries to resolve vulnerability issues.

Nginx upgrade

Upgrades Nginx from 1.16.1 to 1.20.1 to resolve a remote code execution vulnerability.

Upgrades the ixEngine and pattern files

This hotfix upgrades the ixEngine and pattern files to the latest.

Fixes the dump file rotation issue

This hotfix solves the issue that the TMWS on-premises gateway cannot rotate dump files.

Changes the threshold for sending data to the client

This hotfix reduces the threshold for the TMWS on-premises gateway to start sending data to the client from 512,000 bytes to 10,000 bytes.

Fixes the slow loading of Google Maps image tiles

This hotfix solves the issue that the client loads Google Maps image tiles very slowly after receiving data from the TMWS on-premises gateway.

Fixes the issue of sending empty certificates for some websites

This hotfix solves the problem that the TMWS on-premises gateway returns empty certificates to the client when the client attempts to visit some websites.

Updates the ActiveUpdate module

This hotfix updates ActiveUpdate to resolve the problem that its server certificate is about to expire.

None

N/A

Upgrades the Python-Crypto module

This hotfix upgrades the Python-Crypto module for enhanced security.

Shows a UTC timestamp for the rt field in CEF access logs

This hotfix solves the problem that the rt field does not show as a UTC timestamp in the CEF access logs generated using mapping type 2.

Enhances DNS server switchover mechanism

This hotfix reduces the time for switching from a faulty DNS server to a normal one.

None

N/A

Use FQDN to access the CRS server

This hotfix solves the problem that the TMWS on-premises gateway uses a dynamic IP address instead of an FQDN when accessing the Cloud service Reputation Service (CRS) server through a system proxy.

Display the "Dynamic DNS" URL filtering category correctly

This hotfix solves the problem that the URL filtering category "Dynamic DNS" is displayed as "N/A" in logs and user notifications.

None

N/A

Upgrade CentOS Linux

This hotfix upgrades CentOS Linux to fix a variety of vulnerabilities.

Upgrade Nginx

This hotfix upgrades Nginx to the latest stable version.

Upgrade OpenSSL

This hotfix upgrades OpenSSL.

Change the raw log storage path

This hotfix changes the path for storing raw logs to provide larger storage space.

Fix a Polkit vulnerability

This hotfix solves the Polkit privilege escalation vulnerability (CVE-2021-4034).

Fix an auto-tunneling error

This hotfix solves the problem that the TMWS on-premises gateway still adds domains to the Tunneled Domain List while auto tunneling is disabled.

Fix a debug logging error

This hotfix solves the problem that the TMWS on-premise gateway records HTTPS access failure in debug logs while the HTTPS access is successful.

Add the block reason to specific logs

This hotfix solves the problem that when an item matches a cloud access rule that applies to all categories and has the action set to Block, the recorded log does not include the block reason.

Optimize the DNS switchover mechanism

This hotfix optimizes the condition for switching between primary and secondary DNS servers to improve DNS switchover performance.

Disable unused TCP/UDP ports

This hotfix disables unused TCP/UDP ports of the TMWS on-premises gateway to enhance security.

TCP supported as a protocol for syslog forwarding

Allows you to select TCP, in addition to UDP, as the protocol for forwarding syslog messages from on-premises gateways to the syslog server.

None

N/A

None

N/A

Fix the failure of HTTP2 link file download

This hotfix solves the problem that HTTP2 link file download fails sometimes.

Allow inserting the authentication portal domain into any field of the content-security-policy header

This hotfix allows inserting the authentication portal domain into any field of the content-security-policy header to prevent CSP from blocking user access.

None

N/A

Fix the InfoSec issues

This hotfix solves the InfoSec issues related to the on-premises gateway web console.

Allow authentication method changes to take effect immediately

This hotfix solves the problem that authentication method changes cannot take effect immediately.

Ensure the true file type can be identified for executable files

This hotfix solves the problem that the true file type cannot be identified for small executable files when the file name extension is capitalized.

Purge temporary files generated in log processing

This hotfix solves the problem that the disk space of the on-premises gateway server is fully occupied by temporary files generated in log processing, causing the on-premises gateway not to work properly.

Allow self-signed single-tier server certificates to take effect after being added as trusted CA certificates

This hotfix solves the problem that self-signed single-tier server certificates can be added as trusted CA certificates on the management console but cannot take effect.

None

N/A

Increase the download speed of the on-premises gateway installation package

This hotfix enables the customer to download the installation package at a faster speed of 10 MB/s from the previous 125 KB/s.

Non support for insecure encryption algorithms

Supports only the Ciphers AES-128 CTR, AES-192 CTR, and AES-256 CTR encryption algorithms when using the web console on a TLS-enabled client, to avoid an information disclosure vulnerability due to the use of insecure encryption algorithms.

Support port forwarding for HTTPS traffic

This hotfix solves the problem that port forwarding does not support HTTPS traffic on the on-premises gateway.

Fix the unavailability of bandwidth control rules

This hotfix solves the problem that bandwidth control rules for the on-premises gateway do not take effect after configured.

Fix improper status display of the diagnostics web page

This hotfix solves the problem that the diagnostics web page does not show the correct connection status after the user refreshes the page.

Support for host name in upstream proxy configuration

This hotfix solves the problem that the customer cannot specify the host name when configuring an upstream proxy server for the on-premises gateway.

Support to replace the CA certificate for decryption with the customer's own certificate

Allows the customer to use their own CA certificate, instead of the default TMWS root CA certificate, in HTTPS decryption rules to decrypt HTTPS traffic on the on-premises gateway. Customers can perform the replacement from the command line.

For more information, see step 4 in Configuring A Decryption Rule.

Increase the download speed of the on-premises gateway installation package

This hotfix enables the customer to download the installation package at a faster speed of 10 MB/s from the previous 125 KB/s.

Enhance safe search engine integration

This hotfix refines the support for search safety on YouTube, and adds two new URLs for safe image and video search on Yahoo! Japan.

On-premises gateway to support ICAP mode

Supports working in either the forward proxy mode (the existing mode) or ICAP mode. You can deploy your on-premises gateway in ICAP mode if you already have an ICAP client on your network and want it to pass web traffic to TMWS for scanning.

Non support for TLS v1.1, AES-128 CBC, and 3DES CBC encryption

Disables TLS v1.1, AES-128 CBC, and 3DES CBC encryption. You need to use a web browser or SSH client that follows TLS v1.2 or later to log on to the on-premises gateway web console.

Fix a vulnerability issue

This hotfix provides an improved solution to the vulnerability issue of weak password storage on the on-premises gateway.

Enhance safe search engine integration

This hotfix provides enhanced integration with supported safe search engines to adapt to third-party API updates.

None

N/A

Increase the download speed of the on-premises gateway installation package

This hotfix enables the customer to download the installation package at a faster speed of 10 MB/s from the previous 125 KB/s.

None

N/A

Fix several vulnerability issues

This hotfix solves several vulnerability issues on on-premises gateways, which includes command injection due to unauthenticated remote code execution and weak password storage.

None

N/A

Fix a TMWS scanner issue

This hotfix solves a TMWS scanner issue which ensures that TMWS can work properly.

Improvement in on-premises gateway registration

Provides a registration option on the web console to let the administrator decide whether to replace an existing on-premises gateway with the new one for authentication setting and security policy reuse when they have the same display name.

Support for the UEFI boot firmware

Lets the customer choose to use the UEFI firmware to boot the device during installation.

New web console user interface

Redesigns the on-premises gateway web console with a new user interface layout.

Admin password change on the web console logon page

Provides an option on the logon page of the on-premises gateway web console to let the administrator change the logon password.

Fix the issue that the log upload setting change does not apply to an offline on-premises gateway when the gateway goes online.

This hotfix ensures that when the log upload setting is changed on the TMWS management console, it can apply to an on-premises gateway in offline status after it is rebooted and connected to the TMWS cloud.

None

N/A

Fix the issue that web pages with a long HTTP/HTTPS response header could not be displayed properly

This hotfix solves the problem that web pages having a very long HTTP/HTTPS response header show blank after the response goes through the on-premises gateway.

On-premises gateway log upload control

Adds an option under Log Analysis to control whether on-premises gateways send logs generated on them to the TMWS cloud.

Four features provisioned for the Standard license

Makes four Advanced license features available for Standard license customers: Predictive Machine Learning, Role-based access control Operator role, Custom Defense, syslog forwarding for both the cloud and on-premises.

None

N/A

None

N/A

Fix the issue of the on-premises gateway sending useless query requests to the TMWS cloud

This hotfix solves the problem that the on-premises gateway sends many useless query requests to the TMWS cloud, which prevents both the cloud and the on-premises gateway from working improperly.

Custom Defense

Integrates your on-premises gateway with Trend Micro Deep Discovery™ Analyzer (DDAn) deployed within your organization to defend against custom-defense APT attacks from malicious programs through HTTP/HTTPS traffic.

Target domain traffic control

Creates target domain groups that contain one or multiple domains, and then adds them into cloud access rules to control the access to these domains on your corporate network. This enables TMWS to provide more fine-grained scan and control on users' web traffic.

Fix the YouTube resource identification issue

This hotfix ensures that HTTP requests towards YouTube resources can be recognized by TMWS.

Fix the issue of inaccessibility to domains in the HTTP Content-Security-Policy response header

This hotfix ensures that the domains specified in the HTTP Content-Security-Policy response header are accessible by the client browser.

Fix the issue of improper handling of "=" in syslog content variable values

This hotfix ensures that TMWS can escape the "=" symbol contained in the variable values of syslog content.

Product renaming to Trend Micro Web Security (TMWS)

Changes the product name from InterScan Web Security as a Service (IWSaaS) to Trend Micro Web Security (TMWS) for marketing purposes.

Syslog enhancement

Provides one more type of CEF syslog key-value pair mapping to allow TMWS to forward log messages to an external syslog server in a customizable structured format.

Cloud application access control

Creates cloud application access sets that contain one or multiple cloud applications, and then adds them into cloud access rules to control the access to these cloud applications on your corporate network.

Fix the issue of product feature incompatibility for Microsoft Office 365 services

This hotfix ensures that the Azure AD authentication method and the Cloud Service Filter feature can co-work for Microsoft Office 365 services.

Fix the issue of insufficient disk space in the directory /var/iwss/ddaaas_tmp due to an infinite loop

This hotfix solves the problem that the DDAaaS client loop endlessly processes a same file, which avoids the disk space of the directory /var/iwss/ddaaas_tmp from running out.

Fix the issue of access log upload failure after log rotation

This hotfix prevents the file permission from being changed during log rotation, which ensures successful access log upload.

Fix the issue of the display of an incorrect version number after on-premises gateway upgrade

This hotfix ensures that the latest version number of an on-premises gateway can display properly on the TMWS management console after the gateway is upgraded.

Fix the issue of failure in certificate file uploads from on-premises gateway to cloud

This hotfix ensures the required settings and execute permissions of the SSL mgmt client deamon so that it can successfully upload the certificate files generated on the on-premises gateway to the TMWS cloud.

None

N/A

Fix the issue of HTTPS connection creation failure

This hotfix ensures that the on-premises gateway can wait to start the HTTPS connection creation after it receives the complete “CONNECT” request, which avoids the connection creation failure in some special situations at the client end.

Fix the issue of no log query results

This hotfix adds protection to prevent the permission on the debug log file from being altered unexpectedly, which ensures that logs generated on the on-premises gateway can be successfully queried.

Fix the issue of on-premises gateway unavailability in a geographical change

This hotfix allows the on-premises gateway to always send a regional FQDN rather than a global FQDN when it is being registered to the TMWS cloud, which ensures its availability on the cloud in the case of a geographical change.

Fix the issue of excessively high memory usage by the SSLMgmt daemon

This hotfix lowers the memory usage of the SSLMgmt daemon, which avoids the daemon from being terminated by the system due to excessive memory consumption.

Fix the issue of CDT failure in collecting product configuration files

This hotfix ensures that the CDT can successfully collect product configuration files when there are too many files in the configuration folder.

Fix the issue of incorrect CEF syslog format encoding

This hotfix resolves the back-end encoding issue to ensure that the back-end system can follow the standard CEF syslog format upon the input by the administrator on the console.