conpal LAN Crypt 4.00.2 Administration release notes
conpal LAN Crypt 4.00.2 is primarily a maintenance release. Unless stated otherwise, the release notes for LAN Crypt 4.00.1 remain valid.
Please note the LAN Crypt 4.00.2 Client release notes.
Requirements
The platforms listed below are officially supported. Other Service Pack levels might work as well but have not run through a QA cycle and won't be analysed if issues occur.
| Platforms supported | 32-bit | 64-bit |
|---|---|---|
| Windows 10 1909 (19H2), 2004 (20H1) Pro/Enterprise, 20H2 Pro/Enterprise | No | Yes |
| Windows Server 2012 | No | Yes |
| Windows Server 2012 R2 | No | Yes |
| Windows Server 2016 | No | Yes |
| Windows Server 2019 | No | Yes |
Bugfixes in 4.00.2
Manuals, documentation and support
At https://support.conpal.de, registered customers with active maintenance contracts get access to downloads, documentation and knowledge items.
The administration contains extensive context-sensitive help. This information will be available for download as a PDF manual a couple of days after release.
Download the admin product documentation at https://docs.lancrypt.com/de/admin/lc_401_ahdeu.pdf in German, at https://docs.lancrypt.com/en/admin/lc_401_aheng.pdf in English and at https://docs.lancrypt.com/fr/admin/lc_401_ahfra.pdf in French.
Updates for the context-sensitive help are made available via our support portal if necessary.
conpal LAN Crypt 4.00.1 Administration release notes
Please note the LAN Crypt 4.00.1 Client release notes.
Requirements
The platforms listed below are officially supported. Other Service Pack levels might work as well but have not run through a QA cycle and won't be analysed if issues occur.
| Platforms supported | 32-bit | 64-bit |
|---|---|---|
| Windows 10 1803 (RS4), 1809 (RS5), 1903 (19H1), 1909 (19H2), 2004 (20H1) Pro/Enterprise, 20H2 Pro/Enterprise | No | Yes |
| Windows Server 2012 | No | Yes |
| Windows Server 2012 R2 | No | Yes |
| Windows Server 2016 | No | Yes |
| Windows Server 2019 | No | Yes |
New in conpal LAN Crypt Admin release 4.00.1
- Windows 10 20H2 support
- Add translations for error message on unsupported OS (LC-1251)
Changes in 4.00.1
- The MiniFilter can now handle the setting of the "Client-API" tab. A separate script is no longer necessary. (LC-690) (LC-1216)
Bugfixes in 4.00.1
- Updated helpfiles (LC-84, LC-645, LC-801, LC-1421)
- Client-API-Dll can handle long pathnames now (LC-1454)
- Findkey shows keys to unauthorized SOs/Find Keys Degradation (LC-1384)
- Key wrapping could not be disabled (LC-1231)
- Missing link in English helpfile (LC-1290)
- Branding (LC-935)
- Freeze-after-certificate-creation-cancel (LC-1246)
- Cleared profile not loaded (LC-1427)
- Create certificates dialog now finishes the progress even if some users already have a certificate. (LC-1467)
- Fix search filter crash (LC-1463)
- Branding topics (LC-1518)
- createtables branding (LC-698)
- GPO context sensitive help (LC-1236).
Manuals, documentation and support
At https://support.conpal.de, registered customers with active maintenance contracts get access to downloads, documentation and knowledge items.
The administration contains extensive context-sensitive help. This information will be available for download as a PDF manual a couple of days after release.
Download the admin product documentation at https://docs.lancrypt.com/de/admin/lc_401_ahdeu.pdf in German, at https://docs.lancrypt.com/en/admin/lc_401_aheng.pdf in English and at https://docs.lancrypt.com/fr/admin/lc_401_ahfra.pdf in French.
Updates for the context-sensitive help are made available via our support portal if necessary.
conpal LAN Crypt 4.00.0 Administration release notes
Please note the LAN Crypt 4.00.0 Client release notes.
conpal LAN Crypt is the successor of SafeGuard LAN Crypt.
conpal LAN Crypt 3.97 Administration was the initial release of conpal
for the Administration. It contained fixes and hotfixes of the previous
SafeGuard LAN Crypt 3.90 Administration, but almost no functional enhancements.
With regard to operating systems and databases, additional versions were supported, and support for some operating systems and databases was dropped.
conpal LAN Crypt 4.00 Administration is a significant rework of the
Administration, focused on improvements in operational speed and laying the
ground for a complete replacement of the API functionality by a faster and more
modern approach. It is reworked bottom up, including the cryptographic base.
Some new functions, like SHA2 support for LAN Crypt generated certificates,
have been added.
Novell and Windows 7 support has been dropped; Oracle support for more current databases has been added. Current operating systems are supported.
In addition, new client capabilities can be managed.
Please note that we have invested considerable effort in the continuity of the product. A migration of 3.9x databases requires minimal effort.
Mixed environments of older and current clients are supported (please refer to the section on operation).
Manuals, documentation and support
At https://support.conpal.de, registered customers with active maintenance contracts get access to downloads, documentation and knowledge items.
The administration contains extensive context-sensitive help. This information will be available for download as a PDF manual a couple of days after release.
Download the admin product documentation at https://docs.lancrypt.com/de/admin/lc_400_ahdeu.pdf in German, at https://docs.lancrypt.com/en/admin/lc_400_aheng.pdf in English and at https://docs.lancrypt.com/fr/admin/lc_400_ahfra.pdf in French.
Updates for the context-sensitive help are made available via our support portal if necessary.
Requirements
The platforms listed below are officially supported. Other Service Pack levels might work as well but have not run through a QA cycle and won't be analysed if issues occur.
| Platforms supported | 32-bit | 64-bit |
|---|---|---|
| Windows 10 Build 1803, 1809, 1903, 1909, 2004 Pro/Enterprise | No | Yes |
| Windows Server 2012 | No | Yes |
| Windows Server 2012 R2 | No | Yes |
| Windows Server 2016 | No | Yes |
| Windows Server 2019 | No | Yes |
Microsoft SQL Server 2012 SP4
Microsoft SQL Server 2016 SP2
Microsoft SQL Server 2017
Microsoft SQL Server 2019
Azure SQL has been verified to be functional with LAN Crypt administration 3.97 and 4.0. LAN Crypt 4.0 provides the ability to log on using Active Directory interactive authentication. LAN Crypt 3.97 does not support this type of authentication.
Oracle 12 and Oracle 19 are supported, whereas SQL Server remains LAN Crypt’s
preferred database.
A LAN Crypt database created under LAN Crypt 3.90 or 3.97 must be
updated in advance using "CreateTables.exe %ODBCName% m u" for use
under LAN Crypt 4.00 Administration. The createtables tool provides a help
message for specifics regarding e.g. Oracle.
Upgrade
For an upgrade installation, you can find additional information in the user manual.
An upgrade installation of the administration is supported from conpal LAN Crypt 3.97 (recommended) and SafeGuard LAN Crypt 3.90.
Migration of older versions is not supported but is technically possible; we recommend making use of Professional Services in such cases.
New in conpal LAN Crypt Administration release 4.00.0
- Windows Server 2019 is now supported
- Microsoft SQL Server 2019 is now supported
- Oracle 19 and Oracle 12 are supported, whereas SQL Server remains LAN Crypt’s preferred database
- Support for policies for Removables, Opticals, Local Volumes, Boot Volume and Network Shares - to be executed on v4 Clients
- Integration of earlier patches for LAN Crypt
- SHA2 support for LAN Crypt generated certificates (*SO, User)
Operation of LAN Crypt 4.00 administrative environments
A mixed operation of LAN Crypt v4 Admin and LAN Crypt v3.x Admin is not supported.
It is possible to run a v3.97 Admin with v4 Clients and v3 Clients.
It is possible to run a v4.00 Admin with v4 Clients and v3 Clients.
XML is the only supported policy file format of v4.00 Admin and v4.00 Clients.
New profile files are created by v4.00, with sections for v3 and v4 Clients.
The new encryption rules for Removables, Opticals etc. are transported in the new section.
Once new rules have been created with v4.00, it is no longer possible to create profiles with a v3 Admin. Doing so would potentially have negative effects on the client.
Changes
- Integration of new cryptographic libraries in Admin and Client (for security reasons)
- Renewal of 3rd party libraries (for security reasons)
- Integration of a new random number generator (for security reasons)
- Significant improvement of administrative tasks in large installations
  - All in all, the optimizations carried out are clearly noticeable in many areas. This concerns both the API and the management program. Since central points have been optimized, the overall system has become faster. Individual areas with optimizations have become dramatically faster.
  - Reduction of database accesses: In many functions the access to the database has been drastically reduced.
  - Improvement of SQL indexes:
    - New indices were added specifically when a clearly measurable improvement in performance was achieved.
  - Improvement in processing algorithms:
    - Internally, functions have been structurally revised to achieve better throughput. In particular, double reading of identical data records has been removed in many places.
    - In order to use parallelization optimally, at least 4 cores should be available on the computer. More cores do not provide much performance improvement at the moment.
    - When creating certificates for large groups, more cores are also used well and up to 12 cores are advantageous. Based on our measurements and configurations we recommend 6-8 cores.
    - Beginning with V4.00.0, the functions that process many individual orders in one order are parallelized. Examples are the creation of certificates and profiles.
    - Examples for the parallelisation of certificate creation are reading the database, creating keys, and writing the certificates. Here, these steps function as in a pipeline, so to speak. Another example is the creation of profiles. Here, too, the tasks are treated like a pipeline with the substeps reading the database information, preparing the XML profile, signing profiles, compressing, and writing profiles. The subareas are well separated and the runtime for larger groups has been approximately halved in our test environments.
  - Optimization of memory management: At central points, the memory handling was improved and optimized. These optimizations were clearly measurable, but only lead to small improvements in relation to database accesses.
  - Optimization of functions: Many functions have been technically revised internally for better maintainability and performance.
- SQL Express is no longer supplied with the distribution. It can be downloaded directly from the Microsoft site.
- Due to security improvements in LAN Crypt 4.00, a warning appears when weak algorithms are selected (XOR, DES, 3DES, IDEA). (LC-957, LC-958, LC-1056)
  For continuity reasons (e.g. backup) such algorithms are not prohibited.
  For the selection of XOR this is reinforced, and the SO must also have the right to define GUIDs for new keys to be able to select this algorithm.
- Certificates are generated with SHA2 instead of SHA1 (LC-336)
- XTS-AES is the default encryption algorithm in LAN Crypt 4.00
- Support for other databases and operating systems than the ones mentioned has been dropped
- The usage of the Client API must be configured in the Administration and, in case the minifilter is used on the client side, the included script to enable permissions for specific applications has to be adapted and executed on the client side
- Changed behaviour regarding client API permissions for security improvement:
  Long path names are now the default for client API configuration. For convenience, short names are completed internally by searching some protected paths when program names are configured without path information. The client will search in the following directories:
  LAN Crypt Install Dir\Shared\ (non-recursive)
  CSIDL_SYSTEM (typically C:\Windows\System32, non-recursive)
  CSIDL_WINDOWS (typically C:\Windows, non-recursive)
  CSIDL_PROGRAM_FILES (typically C:\Program Files, recursive)
  If an EXE file with the specified name is found, the full path will be added internally.
  Other paths are now untrusted for short file names. (LC-690)
- Group policy configuration is also possible with administrative templates. The support for adm has been dropped. The admx template files are located in the config folder of the product package. Please see http://msdn.microsoft.com/en-us/library/bb530196.aspx for information on how the files have to be installed.
- Import from a Novell directory has not been supported since v3.90. Other Novell functionality is now also unsupported and will not be functional in the administration.
- Additional API functions have been added
- The EULA has been updated (for German, English and French)
- The 3rd parties’ inventory has been consolidated and updated
- Admin no longer starts with "Selected users and certificates" (but this behaviour can be configured). (LC-844)
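The short-name lookup from the Client API permissions item above, as an added audit sketch (not conpal code): it lists every executable a short name could match in the four trusted locations, so that ambiguous entries can be replaced with full paths. The directory tree is constructed sample data, the status labels are hypothetical, and how the real client chooses among several matches is not stated in these notes.

```python
import os
import tempfile
from pathlib import Path

def candidates(short_name, search_dirs):
    """All files named short_name in the trusted directories.
    search_dirs is a list of (directory, recursive) pairs."""
    wanted = short_name.lower()          # Windows names are case-insensitive
    hits = []
    for directory, recursive in search_dirs:
        for current, subdirs, files in os.walk(directory):
            if not recursive:
                subdirs.clear()          # stay in the top-level directory
            hits += [Path(current) / f for f in sorted(files) if f.lower() == wanted]
    return hits

def audit(entries, search_dirs):
    """Map each configured program entry to (status, matching paths)."""
    report = {}
    for entry in entries:
        if "\\" in entry or "/" in entry:
            report[entry] = ("full-path", [entry])   # already explicit
            continue
        found = candidates(entry, search_dirs)
        status = {0: "not-found", 1: "unique"}.get(len(found), "ambiguous")
        report[entry] = (status, found)
    return report

def demo():
    """Run the audit against a constructed directory tree (sample data)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        layout = [                        # constructed stand-ins for the four locations
            "LANCrypt/Shared/helper.exe",
            "System32/scanner.exe",
            "System32/sub/nested.exe",    # below a non-recursive directory
            "ProgramFiles/VendorA/tool.exe",
            "ProgramFiles/VendorB/bin/Tool.exe",
        ]
        for rel in layout:
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).touch()
        search_dirs = [
            (root / "LANCrypt" / "Shared", False),
            (root / "System32", False),
            (root / "Windows", False),    # absent in the sample tree
            (root / "ProgramFiles", True),
        ]
        entries = ["helper.exe", "scanner.exe", "nested.exe", "tool.exe",
                   "ghost.exe", r"C:\Program Files\VendorA\tool.exe"]
        return {e: (s, len(p)) for e, (s, p) in audit(entries, search_dirs).items()}

if __name__ == "__main__":
    for entry, (status, count) in demo().items():
        print(f"{entry}: {status} ({count} match(es))")
```

On a real administration host, pass the actual install, system, Windows and Program Files directories to `audit` instead of the sample tree.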
Bugfixes
- Recovery key handling fixed. (LC-434)
- Password file: missing carriage return (LC-247)
- Preselected button and triggered action on <Enter> don't match while creating groups (LC-213)
- Wrong error message when trying to build profiles with expired certificates (LC-194)
Known issues
- The detailed description text in the admin log for the action Create profile is erroneously truncated after the first character (LC-1227)
- Explicit rules for file extensions are not executed correctly by the minifilter. The minifilter does not execute rules like *.ext correctly for encryption and ignore rules. As a workaround, we recommend adding an additional rule like *\*.ext. Having both rules, *.ext and *\*.ext, active works as well for V3.9x and V4.0 clients.
- MSO smart card login fails on WS2012 R2 (LC-1120):
  In Windows Server 2012 R2, SO logon with certificate on smart card is not possible. According to our tests, this is the only supported operating system with this limitation.
- Deleting nested groups requires a relatively large amount of memory and can lead to instability. Therefore, we recommend not nesting more than 200 groups into each other. (LC-527)
- Network errors:
  If the network connection to the SQL server, or to an LDAP source, is broken during LAN Crypt administration, the LAN Crypt Administration must be closed and restarted (after the network problem is fixed).
- Entering very long data into LAN Crypt dialogues (e.g. configuring trusted applications or virus scanners) might lead to crashes of the administration console. In addition, this data is not saved in the configuration database (LC-570)
- Simultaneous administration:
  If more than one SO is working with the LAN Crypt database at the same time, problems can occur. We recommend a regular manual refresh in that case.
- admx do not recognize new placeholders for unhandled devices (LC-1201)
  - If the new placeholders for Unhandled Devices are selected in the LAN Crypt node of the gpme, they are not displayed in the administrative template and therefore cannot be managed there.
- LDAP import and synchronization:
  - If objects are imported from a domain, you must specify the domain name and not the computer name in the server configuration!
    When configuring server logon data in central settings you should either only enter the domain name as server name or add the domain name as an alias.
  - On the root level (e.g. domain), only 999 objects are displayed and imported.
  - Page controls have to be enabled on the LDAP server.
- Certificate store:
  LAN Crypt only supports certificates in one of the user certificate stores. It does not support certificates in machine stores.
- Installation on 64-bit operating systems:
  LAN Crypt Administration is installed on 64-bit operating systems; therefore, the following has to be considered:
  - ODBC administration:
    The ODBC connection used by LAN Crypt Administration has to be configured using the 32-bit ODBC Data Source Administrator (%WINDIR%\SysWOW64\odbcad32.exe or use the shortcut in the start menu).
    Remark: The shortcut in the LAN Crypt start menu is not displayed on Windows Server 2012. Please use the shortcut ODBC Data Sources (32-bit) available in Administrative Tools instead.
  - Group policy plugin:
    The group policy plugin to administer LAN Crypt is not shown in the Windows group policy editor. To administer the LAN Crypt policies, the 32-bit Group Policy Editor has to be used (%WINDIR%\SysWOW64\gpedit.msc for local policies or %WINDIR%\SysWOW64\gpme.msc for Active Directory policies or use the shortcut in the start menu).
    As an alternative, the administrative templates can be used, which are stored in the config folder of the product package.
  - Scripting API:
    The scripting API is only available for 32-bit applications. If a Visual Basic script is started which uses the LAN Crypt scripting API, it has to be started from the 32-bit Windows Scripting Host (%WINDIR%\SysWOW64\cscript.exe or %WINDIR%\SysWOW64\wscript.exe).
- Firewall settings:
  If the Microsoft SQL Server database is located on another machine, please ensure that the firewall is configured correctly. Additional information can be found here: http://msdn.microsoft.com/en-us/library/cc646023.aspx.
- To operate LAN Crypt clients as a service, additional configuration steps are needed. Please contact support for further details.
- For performance (testing) in VMware VMs, it is recommended not to configure more CPUs than the host has available. Scaling should be done by the number of cores (i.e. not 2 CPU & 2 cores, better 1 CPU & 4 cores if only 1 host CPU is available).
- GPO context sensitive help:
  For the operation of the Group Policies (GPO settings) there is documentation available in the side panel of the console. There is also a context-sensitive help (sglcconfig040x.chm) available. In version 4.00.0, the old version without rebranding was erroneously integrated into the setup. This version is technically almost correct but may still contain incorrect references to SafeGuard or outdated license information. If necessary, an updated version can be obtained from Support a few days after release and will be included in later deliveries. To update, this must then be copied to %\Windows\Help (LC-1236).
- The rebranding of Sophos SafeGuard to conpal is comprehensive but may inadvertently be incomplete.