conpal LAN Crypt 4.2.0
Administration release notes
conpal LAN Crypt 4.2.0 is a feature release that also comes with improved security functionality and
several bugfixes. New features:
- Malware Protection
- OneDrive Settings package
- LAN Crypt 2Go Key Import
- Adding Multiple Encryption Groups to a User
- Bypass Rules Deployment
- Multiple Virus Scanner Configurations
- PreventPlainFilesPath Option
- New Operating Systems Support
- Additional Database Support
- API extensions
- Localization Support for MFA
- Client Performance Improvements
- HTML-Based Client Help
- On-Premise OneNote Support
- Search field for groups
- Network filter installation without network interruption
- Detail work on icons, dialogs and error messages
- LCA 64-bit .NET API
- Several enhancements for .NET API
- Support of Server-Side Copy
- DsStateCache for caching unencrypted files
- Renewal of assigned certificates
Please note the LAN Crypt 4.2.0 Client release notes.
Older release notes for LAN Crypt remain valid, if not stated otherwise.
Requirements
The below listed platforms have been tested and are officially supported. Other Service
Pack levels might work as well but have not run through a QA cycle and won't be
analysed in case of occurring issues.
Supported Windows 64-bit operating system platforms
- Pro/Enterprise versions of Windows 10 1809 (LTSC), 20H2, 21H2, 21H2 (LTSC), 22H2
- Pro/Enterprise versions of Windows 11 21H2, 22H2
- Windows Server 2019
- Windows Server 2022
Supported Citrix Environments
- Citrix Virtual Apps and Desktop 7 1912 LTSR CU2 on WS 2019
Supported Database Servers
- MS SQL 2019
- MS SQL 2022
- Oracle 19
Please note:
MS SQL Server 2017 has a Mainstream Support End Date of Oct 11, 2022 and will
therefore not be supported by LAN Crypt Administration v4.2.0. MS SQL Server 2019 and
2022 are supported.
Oracle 8, 9 and 12 will not be supported by LAN Crypt Administration v4.2.0. Oracle 19 is supported.
If a LAN Crypt Client (LCC) is used in combination with LAN Crypt Admin (LCA),
the client must be of the same version. Otherwise, the LCA stops working
when the LCC is uninstalled (LC-1546).
Mixed operation of old and new versions of LCA on the
same database is not supported (LC-3152).
New in conpal LAN Crypt Administration release 4.2.0
- LAN Crypt 2Go Key Import: Key value, GUID, name and encryption algorithm can be imported
from a file encrypted with LC2Go. This enables the LAN Crypt client to
read and decrypt files encrypted by LC2Go with a password and vice versa
(LC-2859).
- Additional security function – no plain file access on removables:
Malware import protection for removables (external USB sticks or HDD) with
a single rule by disallowing plain file access on external storage devices
(LC-2861).
- Adding multiple encryption groups to a
user at once. Groups can be selected directly from the users' properties
menu (LC-1027).
- Search field for Groups in tree
view for MMC added (LC-145).
- Bypass rules can now be deployed with
the profile. Although bypass rules should only be considered in very rare
cases and only after contacting conpal support, they can be deployed via a
profile instead of registry settings and GPO for simplified deployment
(LC-2864, LC-2991, LC-3079, LC-3045, LC-3080). Please note: LAN Crypt
Administration API does not support creation or validation of bypass
rules. Conflicts of ignore and bypass rules are possible (LC-3096).
- Enable configuration of multiple Virus Scanners without delay when
profile is loaded. The configured AV process needs to either run during
profile loading or be configured with a full path. Wildcards can now be
used as part of the path (LC-2925).
- PreventPlainFilesPath policy added to ADMX. This setting prevents plain files
from being created in defined network paths or on mapped drives if no conpal
LAN Crypt user profile has been loaded yet, or the user does not have one (LC-1492).
- Oracle support in .NET API (LC-2912)
- LCA 64-bit .NET API (LC-2692)
- Support of Windows 10 and Windows 11 – 22H2, and MS SQL Server 2022
Changes in conpal LAN Crypt Administration release 4.2.0
- Assignment of certificates
associated with the "MS Base Cryptographic Provider v1.0" is now
prevented (LC-2642).
- Enable configuration of
multiple Virus Scanners without delay when profile is loaded, see
documentation of the modified operation mode (LC-2925)
- The setting “Only SO with the
‘Generate profile’ right can generate keys (keys without a value are not
permitted)” is now activated by default, so that new keys are always
created with random values as default if no key value has been specified
(LC-2544).
- Recovery key: Tabular
representation changed to simple field. Only one recovery key is now
supported (LC-339, LC-2727).
- Limitation of string length:
renaming SO, MSO Wizard (Name and E-Mail) (LC-597, LC-796, LC-988)
- Renew certificates for multiple
users who already have certificates assigned: New checkbox added to
existing wizard to allow "Create new Certificates (even if there are
already existing ones)". This option was also added to the
corresponding API functions. (LC-2817).
- Import function of intermediate and root certificates stores these
certificates in the correct certificate stores now (LC-2611)
- Necessary permissions for
CreateTables.exe reduced (LC-2690).
- Updated
Windows start menu folder names. Changed to “conpal LAN Crypt
Administration” and “conpal LAN Crypt Client” (LC-1261).
- Change of the build numbering (LC-2927).
- Product icons modified (LC-2860).
- Embedded libraries updated
(LC-3035).
- .NET-API now requires an additional parameter for Database.Logon().
Sample scripts show proper functionality (LC-2965).
- CreateTables: Oracle 8, 9 and 12 support is removed (LC-3074).
- CreateTables now accepts password for ODBC connection from command
line (LC-2795).
Bugfixes in conpal LAN Crypt Administration release 4.2.0
- Assistant for Recovery Key
with/without ESKM - settings, cache and dialog options fixed (LC-2382,
LC-2746, LC-2747, LC-2748).
- .NET API: CreateCertificate(UserName)
and Certificates.CreateCertificate(UserName) created a .p12 with a
wrong name and wrong certificate details. Creating certificates for a
group instead of a user did not show this error. Now login names are
correctly used (LC-2701).
- Wrong translation in the German
settings corrected (LC-3051).
- Translations for LAN Crypt
Japanese language version (LC-2906, LC-2897, LC-2882).
- LCA Help "question
mark" and F1 key in Central Settings work now (LC-394).
- Certificate import issues fixed
(e.g., when administrative rights were required for import of user
certificates) (LC-3006).
- The MSO wizard allows several
parent windows to open the folder selection file dialog to save profile
and security keys. This caused a crash in some circumstances (LC-787).
- In certain scenarios the
private keys from imported MSO certificates could not be found for logon.
This is now fixed (LC-2806).
- Adding or deleting a large
number of users at once from a user group, clicking on Apply and then
Cancel caused LAN Crypt to crash (LC-2899, LC-2913).
- Crash during LDAP certificate
assignment when entering long texts has been fixed (LC-605).
- Enforcement of unique Server
and alias names (LC-2919).
- Certificate status information
after certificate generation fixed (LC-739).
- Recovery option: If a higher
value than the number of existing additional SO was entered in the
"Additional authorization" setting, a warning appeared that
could only be confirmed with OK. After that, the entered value was applied
anyway. In the worst case, this could lead to the MSO being locked out,
which can only be undone using the recovery key. To solve this, a Cancel
button was added (LC-804).
- If a user belongs to several groups and identical paths for rules are created
in these groups, the profile is not created and a message is displayed.
The path information was missing there (LC-1481).
- Creating a user profile with
user properties outside the maximum allowed character length is correctly
aborted, but the next profile creation within the maximum allowed
character length resulted in the same error. This has been fixed
(LC-2930).
- Create user: Input field length
limited (LC-795)
- CreateTables: Update for Oracle
now works correctly (LC-2943).
- If certificates are added to
users via the CertAssign wizard, the correct number of assigned
certificates is now displayed (LC-1456).
- Corrected error message when
creating users within a group but canceling the dialog (LC-192).
- WinNT import: Special scenarios caused errors/crashes. Users can be imported now.
There is a remaining limitation regarding e-mail addresses (LC-2502).
- Start menu cascaded incorrectly
(LC-3073).
- GPO handle overflow in “Cached
policy file lifetime” setting fixed (LC-552).
- Null-pointer crash during profile creation fixed (LC-2751).
- The 3rd party inventory "3rd_party_software.pdf" is present and up to date in the LCA
and LCC deployment folders. The "3rd_party_software.pdf" installed with the LC product
is missing an entry: "libkmip/BSD license" (LC-2696).
- KeyValue is not set when
Default key is created. The manual is updated with more specific
information in the key tab/key value section (LC-2544).
- When IP addresses are used for
generating rules, several conditions must be taken into consideration to
avoid wrong execution. Correct syntax is required for IP rules, otherwise
they will not be ignored by the registry setting RemoveDomainFromRules
functionality (LC-1483, LC-2454).
- LAN Crypt Administration/MMC sometimes crashes when deleting groups created by
C# example script (LC-2268).
- The message ‘Path unknown’ is displayed incorrectly when importing users with
anonymous LDAP authentication. User import is not possible in this session afterwards
(LC-2931).
- An MMC crash can occur if profiles are created in a group tree with more than 80
groups nested into each other (LC-3193).
Manuals, documentation and support
At https://support.conpal.de
registered customers with active maintenance contracts
get access to downloads, documentation and knowledge items.
The administration contains
an extensive context sensitive help. This information will be available in form
of a pdf manual a couple of days after release for download.
Download the admin product
documentation at
https://docs.lancrypt.com/ja/admin/lc_420_ahjpn.pdf in Japanese language, at
https://help.lancrypt.com/docs/admin/de/ in German language, at
https://help.lancrypt.com/docs/admin/en/ in English language and at
https://help.lancrypt.com/docs/admin/fr/ in French language.
API documentation can be
obtained from:
https://help.lancrypt.com/docs/api/client/en/
https://help.lancrypt.com/docs/api/admin/en/
Updates for the
context-sensitive help are made available via our support portal if necessary.
conpal LAN Crypt 4.1.2
Administration release notes
conpal LAN Crypt 4.1.2 is a Japanese language version and is available from our partner
in Japan only. It is functionally identical to LAN Crypt 4.1.1.
Please refer to the conpal LAN Crypt 4.1.1 part of the release notes.
Older release notes for LAN Crypt remain valid, if not stated otherwise.
Manuals, documentation and support
At https://support.conpal.de registered customers with active maintenance contracts
get access to downloads, documentation and knowledge items.
The administration contains an extensive context
sensitive help. This information will be available in form of a pdf manual a
couple of days after release for download.
Download the admin product documentation at
https://docs.lancrypt.com/ja/admin/lc_412_ahjpn.pdf in Japanese language, at
https://docs.lancrypt.com/de/admin/lc_411_ahdeu.pdf in German language, at
https://docs.lancrypt.com/en/admin/lc_411_aheng.pdf in English language and at
https://docs.lancrypt.com/fr/admin/lc_411_ahfra.pdf in French language. Please
note that the French manual will be published with a delay; for the time being, use the
English manual.
conpal LAN Crypt 4.1.1
Administration release notes
conpal LAN Crypt 4.1.1 is a maintenance release; no new features are included.
Please refer to the conpal LAN Crypt 4.1.0 part of the release notes.
Older release notes for LAN Crypt 4.00.x remain valid, if not stated otherwise.
Requirements
The below listed platforms are officially supported. Other Service Pack levels might work as well but have
not run through a QA cycle and won't be analysed in case of occurring issues.
| Platforms supported | 32-bit | 64-bit |
| --- | --- | --- |
| Pro/Enterprise Versions of Windows 10 1809 (LTSC), 20H2, 21H1, 21H2, Windows 11 | No | Yes |
| Windows Server 2019 | No | Yes |
| Windows Server 2022 | No | Yes |
If a LAN Crypt Client (LCC) is used in combination with LAN Crypt Admin (LCA),
the client must be of the same version. Otherwise, the LCA stops working
when the LCC is uninstalled (LC-1546).
Bugfixes in conpal LAN Crypt Administration, Release 4.1.1
- Recovery key now works with "1 of 1" key assignment.
The fix works for KMIP servers as well (LC-2724)
- Corrupt MAC for database with multifactor authentication can now be
repaired (LC-2577)
- Virtual Smart Card: Cancelling the PIN entry dialog no longer
attempts a smart card logon (LC-2408)
Manuals, documentation and support
At https://support.conpal.de registered customers with active maintenance contracts
get access to downloads, documentation and knowledge items.
The administration contains an extensive context
sensitive help. This information will be available in form of a pdf manual a
couple of days after release for download.
Download the admin product documentation at
https://docs.lancrypt.com/de/admin/lc_411_ahdeu.pdf in German language, at
https://docs.lancrypt.com/en/admin/lc_411_aheng.pdf in English language and at
https://docs.lancrypt.com/fr/admin/lc_411_ahfra.pdf in French language. Please
note that the French manual will be published with a delay; for the time being, use the
English manual.
Updates for the context-sensitive help are made available via our support portal if necessary.
conpal LAN Crypt 4.1.0
Administration release notes
conpal LAN Crypt 4.1.0 comes with support for new operating systems, new functionality, improved
security functionality and new features, e.g.
- Richer support for SGN/SafeGuard Fileshare customers
- Portable file encryption
- Minifilter with caching capabilities for SMB network shares
- New .NET Administration API
- Client API login with user context
- LAN Crypt-Service functionality
- Manipulation protection for processes
- Multi factor Authentication based on 3rd party technology
- Interoperation with Azure technologies (like Azure SQL)
- Oracle 19 Support
The Legacyfilter has been abandoned, but is still supported with the 4.00.x version of the product.
If not stated otherwise the older release notes for LAN Crypt 4.00.3, 4.00.2, 4.00.1 and 4.00 remain
valid.
Please note the LAN Crypt 4.1.0 Client release notes.
Requirements
The below listed platforms are officially supported. Other Service Pack levels might work as well but have
not run through a QA cycle and won't be analysed in case of occurring issues.
| Platforms supported | 32-bit | 64-bit |
| --- | --- | --- |
| Pro/Enterprise Versions of Windows 10 1809 (LTSC), 1909 (19H2), 20H2, 21H1, 21H2, Windows 11 | No | Yes |
| Windows Server 2016 | No | Yes |
| Windows Server 2019 | No | Yes |
| Windows Server 2022 | No | Yes |
If a LAN Crypt Client (LCC) is used in combination with LAN Crypt Admin (LCA),
the client must be of the same version. Otherwise, the LCA stops working
when the LCC is uninstalled (LC-1546).
New in conpal LAN Crypt Administration release 4.1.0
- Support for SGN/SafeGuard FileShare keys. In
combination with a key export and a key import tool Fileshare encrypted
files can be handled by conpal LAN Crypt Client 4.00.3 or newer with Minifilter.
The LAN Crypt Administration 4.00.3 or newer is required for the key
import.
- New .NET API: Provision of the existing V4.0 API as .NET library (a compilable
C++/CLI project ‘LCNetApi’), including a C# test project that calls some
of these functions as examples (LC-1472). Please also have a look at the
section .NET API in these release notes.
- Administration capabilities for client-side Multifactor Authentication of the 3rd
party technology of inWebo
Changes in 4.1.0
- Sometimes LAN Crypt 3.97 or 4.00 clients cannot find user certificates if the profile
was created with LAN Crypt Administration 4.00.x before 4.00.3. The client
cannot load the profile and shows the error message: `User certificate not
found` (LC-2010)
LAN Crypt 4.1 Administration generates profiles which do not lead to that
error.
- msiexec: When LAN Crypt packages are installed, the package name for the
user application is now corrected to ‘UserApplication’ instead of ‘Client’.
The AddLocal parameter is named ‘UserApplication’ instead of ‘Client’
(LC-2214)
- Performance improvements in the wizard for
certificate allocation (LC-1708, LC-745).
- Performance improvements when loading objects,
e.g. when WIN-NT domain names are appended with characters (LC-664).
- Boost
library removed for better maintenance of security relevant functions
(LC-474).
- The LAN Crypt certificates are changed to conpal branding
(LC-1265).
- Algorithm names are now consistent in client and admin (LC-952).
- Trusted Vendor behaves
differently in v4 with respect to expired certificates. In LCA v4 there is
a new check so that expired certificates can no longer be used. When
importing a certificate from a cer file (in the Trusted Vendors tab), an
error message now appears if that cert has expired. When using an exe file,
the validity is (apparently) not currently checked. Certs can be added to
Trusted Vendors from the exe, even if they are invalid. This makes sense
if, for example, a three year old program is to be added. However, the
behavior is different between import from *.exe and from *.cer and
therefore documented (LC-1114).
Bugfixes in 4.1.0
- An SO was able to log on to the administration when logging was
enabled but logging was not possible (LC-1683).
- The limitation of the manual input of the key GUID to 16 bytes did
not work reliably (LC-1157).
- The action ‘Find key’ was selectable, although the SO had no right for the
administration of keys (LC-1284).
- Crash when expanding groups in deep tree structure (LC-1684).
- Text correction: Error message
Additional authorization. (LC-927, LC-1291).
- Text correction: Additional
Authorization - If a value is specified for the number of SOs required for
additional authorization that is higher than the amount of additional SOs
that are created, a warning appeared, the warning text was not correct
(LC-1201).
- When editing a LC group structure with a minimum depth of 25
subgroups, LCA crashed when creating new rules via the "conpal LAN
Crypt Encrypting Rules and Tags" tab (LC-1430).
- AD imports from too large OUs failed (LC-1460).
- If a long directory name was entered in the LC Admin during
certificate assignment from file, a buffer overflow occurred internally
(LC-1055).
- Crash on certificate assignment with wrong data type. Assigning a
certificate from a file using the Certificate Wizard sometimes caused LCA
to crash if binary files (e.g. P12 files) were used (LC-1404).
- Robustness for handling of special characters has been improved
(e.g. for the certificate import wizard) (LC-1445).
- If CreateTables was called with an invalid ODBC name, an unhelpful
error message appeared (LC-1873).
- Upgrade installation LCA and LCC v3 -> v4: MSI
ProductCode did not match with Registry ProductCode (LC-1324).
- When cancelling the import of
the Active Directory in the Certificate Assignment Wizard, the LCA console
would freeze, while the process was running. (LC-576).
- Crash when copying / moving
large tree structures (LC-675).
- Admin RecoveryKey was processed
internally without transaction backup (LC-341).
- Profile creation wizard behaved
differently when called in different places (In total user overview, in
user list within a group) (LC-819).
- If LAN Crypt logging was enabled, but the log table got corrupted, no SO
could log in anymore. As a fix, the MSO can now log on to LCA despite a MAC
error in logging, disable logging and repair the MAC (LC-190).
- GPME - Crash if input for
locations was too long. It concerned Location for Security Officer certificates,
Location for policy files, Location for key files (LC-724).
New known issues
- LAN Crypt uses CSP (Cryptographic Service Provider) to access
smartcards. Containers are not specified during access. Therefore,
conflicts can occur when using several smartcard readers on one machine,
especially if a smartcard is inserted in several readers and
"identical" certificates / containers are present there
(LC-1121).
- When LAN Crypt Administration v3 and LAN Crypt client v4.x are
installed on the same machine, the deinstallation of the LAN Crypt Client
leads to improper function, because the connection to LCSERVN.EXE is not
available anymore (LC-1546).
It is strongly recommended to install the same client version as the
administration (v4 LCA and v4 LCC).
- Not really new, but important: The default database, not the master
database, shall be used when creating the LAN Crypt database (LC-84), see
section 3.2 in the manual.
- The VisualStudio runtime might not be available on some machines.
In this case e.g. deinstallation of the product might not be possible.
https://docs.microsoft.com/en-us/cpp/windows/latest-supported-vc-redist?view=msvc-170
https://aka.ms/vs/17/release/vc_redist.x86.exe
https://aka.ms/vs/17/release/vc_redist.x64.exe
- CreateTables.exe still offers options for Oracle 8, 9, and 12, even
though they are no longer supported.
.NET API (LC-2437)
- When using the .Net Admin API, if you receive the following message when
initializing the Admin API, a package reference must be included in your project:
Message:
The type initializer for 'Microsoft.Win32.Registry' threw an exception.
Registry is not supported on this platform.
Necessary reference:
<PackageReference Include="Microsoft.Win32.Registry" Version="5.0.0" />
- If you do not perform a product installation when using the .Net Admin API on the
server and distribute the DLLs yourself, the registry entry for the
installation directory must be set accordingly by you, otherwise dependent DLLs
will not be found at runtime.
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\conpal\LAN Crypt\Admin\Setup
Value: InstallDir, Type REG_SZ
Example: c:\Program Files (x86)\conpal\LAN Crypt\Administration
- Due to the 32 bit DLLs used, the dotnet SDK must also be installed in the x86 variant.
- The example program StartFirstHere is set up for dotnet core 3.1. If you use dotnet 6.0, you
have to change the TargetFramework entry to ‘net6.0’ in the project file
‘StartFirstHere.csproj’.
- When using the sample programs, the path to the API dlls in the respective script
must be adjusted for an LCA installation outside the conpal default path.
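A check for the InstallDir registry entry described above, added here as an example and not taken from conpal's documentation or sample scripts. The key, value name and example path are the ones given in these notes; the -Fix switch, the function name and the directory-permission check (the API loads its dependent DLLs from this directory, so it should not be writable by unprivileged accounts) are assumptions of this example.

```powershell
# Added example (not conpal code): verify the InstallDir value the .NET Admin API
# uses to locate its dependent DLLs when no product installation was performed.
# Run from an elevated 64-bit PowerShell; -Fix writes the value if it is missing.
param(
    # Assumption: folder the API DLLs were copied to (example path from the notes).
    [string]$ExpectedDir = 'C:\Program Files (x86)\conpal\LAN Crypt\Administration',
    [switch]$Fix
)

$KeyPath = 'HKLM:\SOFTWARE\WOW6432Node\conpal\LAN Crypt\Admin\Setup'

# Well-known SIDs that may legitimately hold write access to a program directory.
$TrustedSids = @(
    'S-1-5-18',       # SYSTEM
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-3-0',        # CREATOR OWNER
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

# Rights that allow planting or replacing a DLL, plus GENERIC_WRITE / GENERIC_ALL.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership' -bor 0x50000000

function Test-InstallDir {
    param([string]$Dir)

    if (-not (Test-Path -LiteralPath $Dir -PathType Container)) {
        return "InstallDir '$Dir' does not exist"
    }
    $findings = @()
    if (-not (Get-ChildItem -LiteralPath $Dir -Filter *.dll -File)) {
        $findings += "No DLLs found in '$Dir'"
    }
    # Resolve ACL entries to SIDs so the check does not depend on the OS language.
    $acl = Get-Acl -LiteralPath $Dir
    foreach ($rule in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        $canWrite = ([int]$rule.FileSystemRights -band $WriteMask) -ne 0
        if ($rule.AccessControlType -eq 'Allow' -and $canWrite -and
            $TrustedSids -notcontains $rule.IdentityReference.Value) {
            $findings += "Write access for $($rule.IdentityReference.Value) on '$Dir'"
        }
    }
    return $findings
}

$current = (Get-ItemProperty -Path $KeyPath -Name InstallDir -ErrorAction SilentlyContinue).InstallDir
if (-not $current -and $Fix) {
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    New-ItemProperty -Path $KeyPath -Name InstallDir -PropertyType String -Value $ExpectedDir -Force | Out-Null
    $current = $ExpectedDir
}
if (-not $current) {
    Write-Warning "InstallDir (REG_SZ) is not set under $KeyPath; rerun with -Fix to set it"
    exit 1
}

$problems = @(Test-InstallDir -Dir $current)
if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output "InstallDir = '$current' looks consistent"
```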
Manuals, documentation and support
At https://support.conpal.de registered customers with active maintenance contracts
get access to downloads, documentation and knowledge items.
The administration contains an extensive context
sensitive help. This information will be available in form of a pdf manual a
couple of days after release for download.
Download the admin product documentation at
https://docs.lancrypt.com/de/admin/lc_410_ahdeu.pdf in German language, at
https://docs.lancrypt.com/en/admin/lc_410_aheng.pdf in English language and at
https://docs.lancrypt.com/fr/admin/lc_410_ahfra.pdf in French language. Please
note that the French manual will be published with a delay; for the time being, use the
English manual.
Updates for the context-sensitive help are made available via our support portal if necessary.
conpal LAN Crypt 4.00.3
Administration release notes
conpal LAN Crypt 4.00.3 Admin comes with support for new operating systems and for SGN/SafeGuard
Fileshare. If not stated otherwise the older release notes for LAN Crypt
4.00.2, 4.00.1 and 4.00 remain valid.
Please note the LAN Crypt 4.00.3 Client release notes.
Requirements
The below listed platforms are officially supported. Other Service Pack levels might work as well but have
not run through a QA cycle and won't be analysed in case of occurring issues.
| Platforms supported | 32-bit | 64-bit |
| --- | --- | --- |
| Windows 10 1909 (19H2), 2004 (20H1) Pro/Enterprise, 20H2 Pro/Enterprise, 21H2 Pro/Enterprise, Windows 11 Pro/Enterprise | No | Yes |
| Windows Server 2012 | No | Yes |
| Windows Server 2012 R2 | No | Yes |
| Windows Server 2016 | No | Yes |
| Windows Server 2019 | No | Yes |
New in conpal LAN Crypt Client release 4.00.3
- Windows 11 support
- Windows 10 21H2 support
- Support for SGN/SafeGuard FileShare keys. In combination with a key export and a
key import tool Fileshare encrypted files can be handled by conpal LAN
Crypt 4.00.3 Client with Minifilter. The LAN Crypt Administration 4.00.3
is required for the key import.
Changes in 4.00.3
- LAN Crypt 3.97 or 4.00 Client cannot find the user certificate if the
profile was created with LAN Crypt Administration 4.00.x before 4.00.3;
the client cannot load the profile and shows the error message "User
certificate not found" (LC-2010)
Manuals, documentation and support
At https://support.conpal.de registered customers with active maintenance contracts
get access to downloads, documentation and knowledge items.
The administration contains an extensive context
sensitive help. This information will be available in form of a pdf manual a
couple of days after release for download.
Download the admin product documentation at
https://docs.lancrypt.com/de/admin/lc_401_ahdeu.pdf in German language, at
https://docs.lancrypt.com/en/admin/lc_401_aheng.pdf in English language and
at
https://docs.lancrypt.com/fr/admin/lc_401_ahfra.pdf in French language.
Updates for the
context-sensitive help are made available via our support portal if necessary.
conpal LAN Crypt 4.00.2
Administration release notes
conpal LAN Crypt 4.00.2 is primarily a maintenance release. If not stated otherwise the release notes for
LAN Crypt 4.00.1 remain valid.
Please note the LAN Crypt 4.00.2 Client release notes.
Requirements
The below listed platforms are officially supported. Other Service Pack
levels might work as well but have not run through a QA cycle and won't be
analysed in case of occurring issues.
| Platforms supported | 32-bit | 64-bit |
| --- | --- | --- |
| Windows 10 1909 (19H2), 2004 (20H1) Pro/Enterprise, 20H2 Pro/Enterprise | No | Yes |
| Windows Server 2012 | No | Yes |
| Windows Server 2012 R2 | No | Yes |
| Windows Server 2016 | No | Yes |
| Windows Server 2019 | No | Yes |
Bugfixes in 4.00.2
Manuals, documentation and support
At https://support.conpal.de registered customers with active maintenance contracts
get access to downloads, documentation and knowledge items.
The administration contains an extensive context
sensitive help. This information will be available in form of a pdf manual a
couple of days after release for download.
Download the admin product documentation at
https://docs.lancrypt.com/de/admin/lc_401_ahdeu.pdf in
German language, at
https://docs.lancrypt.com/en/admin/lc_401_aheng.pdf in
English language and at
https://docs.lancrypt.com/fr/admin/lc_401_ahfra.pdf in
French language.
Updates for the
context-sensitive help are made available via our support portal if necessary.
conpal LAN Crypt 4.00.1 Administration release notes
Please note the LAN Crypt 4.00.1 Client release notes.
Requirements
The below listed platforms are officially supported. Other Service Pack levels might work as well but have not
run through a QA cycle and won't be analysed in case of occurring issues.
| Platforms supported | 32-bit | 64-bit |
| --- | --- | --- |
| Windows 10 1803 (RS4), 1809 (RS5), 1903 (19H1), 1909 (19H2), 2004 (20H1) Pro/Enterprise, 20H2 Pro/Enterprise | No | Yes |
| Windows Server 2012 | No | Yes |
| Windows Server 2012 R2 | No | Yes |
| Windows Server 2016 | No | Yes |
| Windows Server 2019 | No | Yes |
New in conpal LAN Crypt Admin release 4.00.1
- Windows 10 20H2 support
- Add translations for error message on
unsupported OS (LC-1251)
Changes in 4.00.1
- Now the MiniFilter can handle the setting of the tab „Client-API“. No separate
script necessary anymore. (LC-690) (LC-1216)
Bugfixes in 4.00.1
- Updated helpfiles (LC-84, LC-645, LC-801, LC-1421)
- Client-API-Dll can handle long pathnames now (LC-1454)
- Findkey shows keys to unauthorized SOs/Find Keys Degradation (LC-1384)
- Key wrapping could not be disabled (LC-1231)
- Missing link in English helpfile (LC-1290)
- Branding (LC-935)
- Freeze-after-certificate-creation-cancel (LC-1246)
- Cleared profile not loaded (LC-1427)
- Create certificates dialog now finishes the progress even if some users already
have a certificate. (LC-1467)
- Fix search filter crash (LC-1463)
- Branding topics (LC-1518) createtables branding (LC-698)
- GPO context sensitive help (LC-1236).
Manuals, documentation and support
At https://support.conpal.de registered customers with active maintenance contracts
get access to downloads, documentation and knowledge items.
The administration contains an extensive context
sensitive help. This information will be available in form of a pdf manual a
couple of days after release for download.
Download the admin product documentation at
https://docs.lancrypt.com/de/admin/lc_401_ahdeu.pdf in
German language, at
https://docs.lancrypt.com/en/admin/lc_401_aheng.pdf in
English language and at
https://docs.lancrypt.com/fr/admin/lc_401_ahfra.pdf in
French language.
Updates for the context-sensitive
help are made available via our support portal if necessary.
conpal LAN Crypt 4.00.0 Administration release notes
Please note the LAN Crypt 4.00.0 Client release notes.
conpal LAN Crypt is the successor of SafeGuard LAN Crypt.
conpal LAN Crypt 3.97 Administration was the initial release of conpal for the
Administration. It contained fixes and hotfixes of the previous SafeGuard LAN Crypt 3.90
Administration, but almost no functional enhancements. In terms of operating
systems and databases, additional versions were supported and support for some
operating systems and databases was dropped.
conpal LAN Crypt 4.00
Administration is a significant rework of the Administration, focused on
improvements in operational speed and laying the ground for a complete
replacement of the API functionality by a faster and more modern approach. It
is reworked bottom up, including the cryptographic base.
Some new functions, like SHA2 support for LAN Crypt generated certificates,
have been added.
Novell and Windows 7 support has been dropped, Oracle support for more current
databases has been added. Current operating systems are supported.
In addition new client capabilities can be managed.
Please note that we have
invested considerable effort in the continuity of the product. A migration of
3.9x databases requires minimal effort.
Mixed environments of older and current clients are supported (please refer to
section operation).
Manuals, documentation and support
At https://support.conpal.de registered customers with active maintenance contracts
get access to downloads, documentation and knowledge items.
The administration contains an extensive context
sensitive help. This information will be available in form of a pdf manual a
couple of days after release for download.
Download the admin product documentation at
https://docs.lancrypt.com/de/admin/lc_400_ahdeu.pdf in
German language, at
https://docs.lancrypt.com/en/admin/lc_400_aheng.pdf in
English language and at
https://docs.lancrypt.com/fr/admin/lc_400_ahfra.pdf in
French language.
Updates for the
context-sensitive help are made available via our support portal if necessary.
Requirements
The below listed platforms are
officially supported. Other Service Pack levels might work as well but have not
run through a QA cycle and won´t be analysed in case of occurring issues.
| Platforms supported | 32-bit | 64-bit |
|---|---|---|
| Windows 10 Build 1803, 1809, 1903, 1909, 2004 Pro/Enterprise | No | Yes |
| Windows Server 2012 | No | Yes |
| Windows Server 2012 R2 | No | Yes |
| Windows Server 2016 | No | Yes |
| Windows Server 2019 | No | Yes |
Microsoft SQL Server 2012 SP4
Microsoft SQL Server 2016 SP2
Microsoft SQL Server 2017
Microsoft SQL Server 2019
Azure SQL has been verified to be functional with LAN Crypt administration 3.97
and 4.0. LAN Crypt 4.0 provides the ability to log on using Active Directory
interactive authentication. LAN Crypt 3.97 does not support this type of
authentication.
Oracle 12 and Oracle 19 are supported, whereas SQL Server remains LAN Crypt’s
preferred database.
A LAN Crypt database created
under LAN Crypt 3.90 or 3.97 must be updated in advance using
"CreateTables.exe %ODBCName% m u" for use under LAN Crypt 4.00
Administration. The createtables tool provides a help message for specifics
regarding e.g. Oracle.
Upgrade
For an upgrade-installation
you can find additional information in the user manual.
An upgrade installation of the administration is supported from conpal LAN
Crypt 3.97 (recommended) and SafeGuard LAN Crypt 3.90.
Migration of older versions is not supported, but technically possible. We
recommend making use of Professional Services in such cases.
New in conpal LAN Crypt Administration release 4.00.0
- Windows
Server 2019 is now supported
- Microsoft
SQL Server 2019 is now supported
- Oracle
19 and Oracle 12 are supported, whereas SQL Server remains LAN Crypt’s
preferred database
- Support
for policies for Removables, Opticals, Local Volumes, Boot Volume and
Network Shares - to be executed on v4 Clients
- Integration
of earlier patches for LAN Crypt
- SHA2
support for LAN Crypt generated certificates (*SO, User)
Operation of LAN Crypt 4.00 administrative
environments
A mixed operation of LAN Crypt v4 Admin and LAN
Crypt v3.x Admin is not supported.
It is possible to run a v3.97 Admin with v4
Clients and v3 Clients.
It is possible to run a v4.00 Admin with v4
Clients and v3 Clients.
XML is the only supported policy file format of
v4.00 Admin and v4.00 Clients.
New profile files are created by v4.00, with
sections for v3 and v4 Clients.
The new encryption rules for Removables,
Opticals etc are transported in the new section.
Once new rules have been created with v4.00, it
is no longer possible to create profiles with a v3 Admin. Doing so would
potentially have negative effects on the client.
Changes
- Integration
of new cryptographic libraries in Admin and Client (for security reasons)
- Renewal
of 3rd party libraries (for security reasons)
- Integration
of a new random number generator (for security reasons)
- Significant
improvement of administrative tasks in large installations
- All in all, the optimizations carried out are
clearly noticeable in many areas. This concerns both the API and the
management program. Since central points have been optimized, the overall
system has become faster. Individual areas with optimizations have become
dramatically faster.
- Reduction of database accesses: In many
functions the access to the database has been drastically reduced.
- Improvement of SQL indexes:
- New indexes were added specifically when a
clearly measurable improvement in performance was achieved.
- Improvement in processing algorithms:
- Internally, functions have been structurally
revised to achieve better throughput. In particular, double reading of
identical data records has been removed in many places.
- In order to use parallelization optimally, at
least 4 cores should be available on the computer. More cores do not
provide much performance improvement at the moment.
- When creating certificates for large groups,
more cores are also used well and up to 12 cores are advantageous. Based
on our measurements and configurations we recommend 6-8 cores.
- Beginning with V4.00.0, the functions that
process many individual orders in one order are parallelized. Examples
are the creation of certificates and profiles.
- Examples for the parallelisation of certificate
creation are reading the database, creating keys, and writing the
certificates. Here, these steps function as in a pipeline, so to speak.
Another example is the creation of profiles. Here, too, the tasks are
treated like a pipeline with the substeps reading the database
information, preparing the XML profile, signing profiles, compressing,
and writing profiles. The subareas are well separated and the runtime
for larger groups has been approximately halved in our test
environments.
- Optimization of memory management:
At central points, the memory
handling was improved and optimized. These optimizations were clearly
measurable, but only lead to small improvements in relation to database
accesses.
- Optimization of functions:
Many functions have been technically revised internally for better
maintainability and performance.
- SQL
Express is no longer supplied with the distribution. It can be downloaded
directly from the Microsoft site.
- Due to security improvements in LAN Crypt 4.00, a warning appears when weak
algorithms are selected (XOR, DES, 3DES, IDEA). (LC-957, LC-958, LC-1056)
For continuity reasons (e.g. backup), such algorithms are not prohibited.
Selecting XOR is restricted further: the SO must also have the right to
define GUIDs for new keys in order to select this algorithm.
- Certificates
are generated with SHA2 instead of SHA1 (LC-336)
- XTS-AES
is the default encryption algorithm in LAN Crypt 4.00
- Support
for other databases and operating systems than the ones mentioned has been
dropped
- The usage of the Client API must be configured in the Administration and,
if the minifilter is used on the client side, the included script to enable
permissions for specific applications has to be adapted and executed on
the client side
- Changed behaviour regarding client API permissions for security improvement:
Long path names are now the default for client API configuration. For
convenience, short names are completed internally by searching some
protected paths when program names are configured without path
information. The client searches the following directories:
  - LAN Crypt Install Dir\Shared\ (non-recursive)
  - CSIDL_SYSTEM (typically C:\Windows\System32, non-recursive)
  - CSIDL_WINDOWS (typically C:\Windows, non-recursive)
  - CSIDL_PROGRAM_FILES (typically C:\Program Files, recursive)
If an EXE file with the specified name is found, the full path is added
internally. Other paths are now untrusted for short file names. (LC-690)
- Group
policy configuration is also possible with administrative templates. The
support for adm has been dropped. The admx template files are located in
the config folder of the product package. Please see http://msdn.microsoft.com/en-us/library/bb530196.aspx for information on how
the files have to be installed.
- Import from a Novell directory has not been supported since v3.90. Other
Novell functionality is now also unsupported and will not be functional in
the administration.
- Additional
API functions have been added
- The
EULA has been updated (for German, English and French)
- The 3rd
parties’ inventory has been consolidated and updated
- Admin does not start with "Selected users and certificates" anymore (but
this behaviour can be configured). (LC-844)
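The short-name completion for client API permissions described in the Changes list above (LC-690) can be modelled to audit what a bare program name would be completed to before it is deployed. The following Python sketch is an added example, not conpal code: the search order, the treatment of several matches, the status labels and all function names are assumptions, and the install directory is a parameter because the release note does not give it.

```python
import os
import tempfile
from itertools import islice
from pathlib import Path

def default_search_dirs(install_dir):
    """The four locations the release note names, as (directory, recursive)."""
    windir = os.environ.get("WINDIR", r"C:\Windows")
    return [(os.path.join(install_dir, "Shared"), False),
            (os.path.join(windir, "System32"), False),
            (windir, False),
            (os.environ.get("ProgramFiles", r"C:\Program Files"), True)]

def resolve_short_name(exe_name, search_dirs):
    """Full paths a bare EXE name could complete to (case-insensitive match)."""
    wanted, hits = exe_name.lower(), []
    for directory, recursive in search_dirs:
        if not os.path.isdir(directory):
            continue
        walk = os.walk(directory) if recursive else islice(os.walk(directory), 1)
        hits += sorted(os.path.join(d, f) for d, _, names in walk
                       for f in names if f.lower() == wanted)
    return hits

def audit(entries, search_dirs):
    """Map each configured entry to (status, candidate paths)."""
    report = {}
    for entry in entries:
        if "\\" in entry or "/" in entry:   # entry already carries a path
            report[entry] = ("full-path", [entry])
            continue
        hits = resolve_short_name(entry, search_dirs)
        status = ("untrusted-or-missing", "unique", "ambiguous")[min(len(hits), 2)]
        report[entry] = (status, hits)
    return report

def build_demo_tree():
    """Constructed directory tree standing in for the four locations."""
    base = Path(tempfile.mkdtemp())
    for rel in ("lc/Shared/helper.exe", "win/System32/tool.exe", "win/sub/hidden.exe",
                "pf/VendorA/app.exe", "pf/VendorB/bin/app.exe"):
        (base / rel).parent.mkdir(parents=True, exist_ok=True)
        (base / rel).touch()
    return [(str(base / "lc/Shared"), False), (str(base / "win/System32"), False),
            (str(base / "win"), False), (str(base / "pf"), True)]

if __name__ == "__main__":
    demo = ["helper.exe", "app.exe", "hidden.exe", r"C:\Tools\x.exe"]
    for name, (status, paths) in audit(demo, build_demo_tree()).items():
        print(f"{name:16} {status:22} {paths}")
```

An "ambiguous" result is the case to review: the recursive Program Files search can find the same file name under more than one vendor directory, and configuring the full path removes the guesswork.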
Bugfixes
- Recovery
key handling fixed. (LC-434)
- Password
file: missing carriage return (LC-247)
- Preselected
button and triggered action on <Enter> don't match while creating
groups (LC-213)
- Wrong
error message when trying to build profiles with expired certificates
(LC-194)
Known issues
- The
detailed description text in the admin log for the action Create profile
is erroneously truncated after the first character (LC-1227)
- Explicit rules for file extensions are not executed correctly by the
minifilter. The minifilter does not execute rules like *.ext correctly for
encryption and ignore rules. As a workaround, we recommend adding an
additional rule like *\*.ext. Having both rules, *.ext and *\*.ext, active
works as well for V3.9x and V4.0 clients.
- MSO
smart card login fails on WS2012 R2 (LC-1120):
In Windows Server 2012 R2, SO
logon with certificate on smart card is not possible. According to our tests,
this is the only supported operating system with this limitation.
- Deleting
nested groups requires a relatively large amount of memory and can lead to
instability. Therefore, we recommend not to nest more than 200 groups into
each other. (LC-527)
- Network
errors:
If the network connection to the SQL server, or to a LDAP source, is
broken during LAN Crypt administration, the LAN Crypt Administration must
be closed and restarted (after the network problem is fixed).
- Entering very long data into LAN Crypt dialogues (e.g. configuring trusted
applications or virus-scanners) might lead to crashes of the
administration console. In addition, this data is not saved in the
configuration database (LC-570)
- Simultaneous
administration:
If more than one SO is working with the LAN Crypt database at the same
time, problems can occur. We recommend a regular manual refresh in that
case.
- ADMX templates do not recognize new placeholders for unhandled devices
(LC-1201)
- If the new placeholders for Unhandled Devices
are selected in the LAN Crypt node of the gpme, they are not displayed in
the administrative template and therefore cannot be managed there.
- LDAP
import and synchronization:
- If objects are imported from a domain, you must
specify the domain name and not the computer name in the server
configuration!
When configuring server logon data in central settings you should either
only enter the domain name as server name or add the domain name as an
alias.
- On the root level (e.g. domain), only 999
objects are displayed and imported.
- Page controls have to be enabled on the LDAP
server.
- Certificate
store:
LAN Crypt only supports certificates in one of the user certificate
stores. It does not support certificates in machine stores.
- Installation
on 64-bit operating systems:
LAN Crypt Administration is installed on 64-bit operating systems,
therefore the following has to be considered:
- ODBC administration:
The ODBC connection used by LAN Crypt Administration has to be configured
using the 32-bit ODBC Data Source Administrator
(%WINDIR%\SysWOW64\odbcad32.exe or use the shortcut in the start menu).
Remark: The shortcut in the LAN Crypt start menu is not displayed on
Windows Server 2012. Please use the shortcut ODBC Data Sources (32-bit) available in
Administrative Tools
instead.
- Group policy plugin:
The group policy plugin to administer LAN Crypt is not shown in the
Windows group policy editor. To administer the LAN Crypt policies, the
32-bit Group Policy Editor has to be used (%WINDIR%\SysWOW64\gpedit.msc
for local policies or %WINDIR%\SysWOW64\gpme.msc for Active Directory
policies or use the shortcut in the start menu).
As an alternative the administrative templates can be used which are
stored in the config folder of the product package.
- Scripting API:
The scripting API is only available for 32-bit applications. If a Visual
Basic-Script is started which uses the LAN Crypt scripting API, it has to
be started from the 32-bit Windows Scripting Host
(%WINDIR%\SysWOW64\cscript.exe or %WINDIR%\SysWOW64\wscript.exe).
- Firewall
settings:
If the Microsoft SQL Server database is located on another machine, please
ensure that the firewall is configured correctly. Additional information
can be found here: http://msdn.microsoft.com/en-us/library/cc646023.aspx.
- To
operate LAN Crypt clients as a service, additional configuration steps are
needed. Please contact support for further details.
- For performance
(testing) in VMware VMs, it is recommended not to configure more CPUs than
the host has available. Scaling should be done by the number of cores
(i.e. not 2 CPU & 2 cores, better 1 CPU & 4 cores if only 1 host
CPU is available).
- GPO
context sensitive help:
For the operation of the Group Policies (GPO settings) there is
documentation available in the side panel of the console. There is also a
context sensitive help (sglcconfig040x.chm) available. In version
4.00.0, the old version without
rebranding was erroneously integrated into the setup. This version is
technically almost correct but may still contain incorrect references to
SafeGuard or outdated license information. If necessary, an updated
version can be obtained from Support a few days after release and will be
included in later deliveries. To update, this must then be copied to
%\Windows\Help (LC-1236).
- The
rebranding of Sophos SafeGuard to conpal is comprehensive but may
inadvertently be incomplete.