ISL Conference Proxy 4.4.1837.102 with modules for Windows and Linux (2019-03-13)

 

On the 13th of March, the following was released:

  • ISL Conference Proxy 4.4.1837.102 for Windows 32bit (Platform=win32, Revision=01342ac63bd789cad3ee25df42177e0220a87773, release_date=2019-03-07, req_os_version=0x06000000-0x7fffffff)
  • ISL Conference Proxy 4.4.1837.102 for Windows 64bit (Platform=win64, Revision=01342ac63bd789cad3ee25df42177e0220a87773, release_date=2019-03-07, req_os_version=0x06000000-0x7fffffff)
  • ISL Conference Proxy 4.4.1837.102 for Linux 32bit (Platform=linux, Revision=01342ac63bd789cad3ee25df42177e0220a87773, release_date=2019-03-07, req_os_version=0x0206170000-0xffffffffff)
  • ISL Conference Proxy 4.4.1837.102 for Linux 64bit (Platform=linux64, Revision=01342ac63bd789cad3ee25df42177e0220a87773, release_date=2019-03-07, req_os_version=0x0206170000-0xffffffffff)

Modules

  • Core Login 4.4.1837.102 (release_date=2019-03-07, revision=01342ac63bd789cad3ee25df42177e0220a87773)
  • DNS Server 4.4.1837.102 (release_date=2019-03-07, revision=01342ac63bd789cad3ee25df42177e0220a87773)
  • ISL AlwaysOn 4.4.1837.102 (release_date=2019-03-07, revision=01342ac63bd789cad3ee25df42177e0220a87773)
  • ISL Groop 4.4.1837.102 (release_date=2019-03-07, revision=01342ac63bd789cad3ee25df42177e0220a87773)
  • ISL Light 4.4.1837.102 (release_date=2019-03-07, revision=01342ac63bd789cad3ee25df42177e0220a87773)
  • ISL Pronto 4.4.1837.102 (release_date=2019-03-07, revision=01342ac63bd789cad3ee25df42177e0220a87773)

Update availability

All updates, except translations, have the release date set to 2019-03-07. Your ESS will need to be the same or higher to be able to update your server. This release is available to all countries except Japan.

Upgrading to new version

These are server-side updates, so hosted service users do not need to do anything.

Server license users, please check Upgrading Server License.

Improvements

ISL Conference Proxy - Core - enable login throttle on /conf (SECURITY) [ISLCONFPROXY-1637]

Description

User authentication throttling was added to the /conf web administration login. Throttling for both username and IP address is performed in its own scope, so failed attempts made through the regular login page /users/main/login.html or application login cannot be used to maliciously disable admin accounts. For simplicity, the throttling settings in the Security section were kept the same for both the admin and the regular user scope.
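
The scoping described above, as an added Python example (not ISL's code): failure counters are keyed by login surface as well as by username and IP address, so failures on the regular login page never count against /conf. The threshold, window, scope names and sample addresses are assumptions made for the illustration.

```python
import time
from collections import defaultdict, deque

# Assumed values; the page does not give ICP's real throttle settings.
MAX_FAILURES = 5
WINDOW_SECONDS = 300


class ScopedLoginThrottle:
    """Sliding-window failure counters keyed by (scope, kind, value).

    scope names the login surface: "admin" for /conf, "user" for
    /users/main/login.html and application login (names are hypothetical).
    """

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS,
                 clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window
        self.clock = clock
        self._failures = defaultdict(deque)

    @staticmethod
    def _keys(scope, username, ip):
        return [(scope, "user", username.lower()), (scope, "ip", ip)]

    def _recent(self, key):
        """Drop timestamps older than the window and return the rest."""
        now, q = self.clock(), self._failures[key]
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def is_blocked(self, scope, username, ip):
        return any(len(self._recent(k)) >= self.max_failures
                   for k in self._keys(scope, username, ip))

    def record_failure(self, scope, username, ip):
        for k in self._keys(scope, username, ip):
            self._recent(k).append(self.clock())

    def record_success(self, scope, username):
        # Reset the username counter only; the IP counter ages out by itself.
        self._failures.pop((scope, "user", username.lower()), None)


def admin_locked_out(shared_scope):
    """Constructed scenario: one client fails MAX_FAILURES logins as "admin"
    on the regular login page; is the real admin then blocked on /conf?"""
    throttle = ScopedLoginThrottle()
    user_scope, admin_scope = ("all", "all") if shared_scope else ("user", "admin")
    for _ in range(MAX_FAILURES):
        throttle.record_failure(user_scope, "admin", "203.0.113.7")
    return throttle.is_blocked(admin_scope, "admin", "198.51.100.10")
```

With a single shared scope the admin is locked out by someone else's failures; with separate scopes the /conf login is unaffected.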

ISL Conference Proxy - Core - Force download for files in /conf (SECURITY) [ISLCONFPROXY-1807]

Description

File downloads from file storage and some other debugging pages are now marked as untrusted (forced to download by default) to prevent XSS exploits.

ISL Conference Proxy - Core - Patch jQuery 1.12.4 CVE-2015-9251 (SECURITY) [ISLCONFPROXY-1872]

Description

jQuery 1.12.4 shipped with ISL Conference Proxy was patched with a fix for CVE-2015-9251. See more information in https://github.com/jquery/jquery/issues/2432#issuecomment-403761229 

ISL Conference Proxy - Core - Upgrade OpenSSL to 1.0.2r (SECURITY) [ISLCONFPROXY-1883]

Description

OpenSSL library was updated to version 1.0.2r due to security vulnerabilities.

ISL Pronto - Module - Force download chat transcripts in /conf (SECURITY) [ISLPRONTO-1245]

Description

Chat transcripts in /conf are now marked as untrusted (forced to download by default) to prevent future potential XSS exploits.

ISL AlwaysOn - Module - skip limit check within domain and only domain limitation (FEATURE) [ISLALWAYSON-1429]

Description

When migrating an ISL AlwaysOn computer to a user in the same domain, and the new user uses only the domain limitation, the limitation calculation is not needed. Previously, the limitation was calculated for the target user.

ISL Conference Proxy - Core / Core Login - SAML 2.0 web support (FEATURE) [ISLCONFPROXY-644]

Description

Single sign-on SAML 2.0 web support was added to ISL Conference Proxy and the Core Login module. Login is fully replaced by an external SAML identity provider. New settings in "Security":

  • "Open URL after logout": opens this URL after logout is clicked, useful for login portal integration
  • "Enable single sign-on SAML": when enabled, login.html will redirect to the identity provider's login portal
  • "SAML service provider PEM cert file", "SAML service provider PEM key file": generate the certificate and key with (where www.example.com is ICP's domain name):
    openssl genrsa -out sso_saml_sp.key -aes128 2048
    openssl req -x509 -key sso_saml_sp.key -out sso_saml_sp.cert -days 3650 -subj "/CN=www.example.com"
  • "SAML service provider PEM key file passphrase": passphrase used to create the key
  • "SAML identity provider XML metadata file": save the identity provider's XML metadata file into "sso_saml_idp.xml", available at https://adfsserver/FederationMetadata/2007-06/FederationMetadata.xml in case of Windows Server 2012 R2 AD FS
  • "SAML authenticate on every login": users will always need to enter credentials on the identity provider's login portal (default: No)
  • "SAML login settings rules ([[rule...], ...])": login rules that are specific to every identity provider implementation, two new commands were added to general login rules engine documented in ISLCONFPROXY-1640:
    • ["key-from-attr", "KEY", "SAMLATTR"]: SAML attribute will be saved in user account KEY
    • ["groups-from-attr", "SAMLATTR"]: SAML attribute will be used as groups in other expressions

ICP's service provider metadata is available at https://server/sso/saml/sp/metadata.xml

The simplest possible SAML login settings rules, using the subject name ID as username (make sure that the domain sso exists):

[ ["key", "domain", "sso"] ,["key-from-attr", "username", "$SubjectNameID"] ]

SAML login settings rules for Windows Server 2012 R2 AD FS:

[ ["key", "domain", "sso"]
 ,["key-from-attr", "username", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 ,["key", "user_profile::password", "0"]
 ,["key-from-attr", "realname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"]
 ,["key", "user_profile::name", "0"]
 ,["key-from-attr", "email", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 ,["key", "user_profile::email", "0"]
 ,["groups-from-attr", "http://schemas.xmlsoap.org/claims/Group"]
]

ISL Conference Proxy - Core - Expose reject remote ipc clients hefa flag (FEATURE) [ISLCONFPROXY-1607]

Description

Remote IPC clients connecting to named pipes are now rejected. This change only affects the Windows platform.

ISL Conference Proxy - Core - External groups setting mapper (FEATURE) [ISLCONFPROXY-1640]

Description

The setting "Security / External authenticator login settings rules" was added to configure the mapping of external group membership information to ISL Conference Proxy user account settings. The setting is a JSON array of rules "[rule, ...]" that are executed sequentially, one by one. The rules are executed when the user logs in. Available rules:

  • ["key", "KEY", "VALUE"] - set KEY=VALUE
  • ["in-group", "GROUPEXPR", ...] - conditionally execute ... if the user is in GROUPEXPR
  • ["key-group-list", "KEY", "GROUPEXPR_PREFIX"] - set KEY=vector of groups
  • ["key-group-list-comma", "KEY", "GROUPEXPR_PREFIX"] - set KEY=comma separated list of groups

GROUPEXPR: list of tag:attribute:value
GROUPEXPR_PREFIX: prefix filter, usually set to tag:attribute:

ISL Conference Proxy - Core - Add user_admin_domain, admin_edit_users_domain, admin_edit_groups_domain (FEATURE) [ISLCONFPROXY-1684]

Description

New settings were added to ISL Conference Proxy for the upcoming release of the CoreAdmin module. The new settings are:

  • User is Domain Admin
  • User can create, edit and delete users if he is Domain Admin
  • User can create, edit and delete user groups if he is Domain Admin

ISL Conference Proxy - Core / Core Login - Web login for apps (FEATURE) [ISLCONFPROXY-1812]

Description

Application web login was added to the login dialog protocol. Applications open an external web browser, from which the ICP login session is passed back to the application. Application web login is enforced when one of the following settings is enabled:

  • "Security > Enable single sign-on SAML"
  • "Security > Force application web login"

Two methods of passing the login information back to application are supported:

  • localport: opens a GET request to "http://127.0.0.1:<randomport>/__appweblogin__?response=<token>"
    • localport variant in legacy mode (IE, Safari): navigates to "http://127.0.0.1:<randomport>/__appweblogin__?response=<token>&mode=webpage", a blank browser window will try to close itself (works in IE)
  • urlscheme: opens <a href="<urlscheme>://<icpserveraddress>/__appweblogin__?response=<token>">, urlscheme is application specific (issc4635 in case of ISL Light), on mobile with secure "in-app" browser feature, the tab should get closed automatically
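
The receiving side of the localport method, as an added Python example that is not ISL's application code: a listener bound only to 127.0.0.1 on an OS-assigned port that accepts a single well-formed /__appweblogin__ callback and then closes. The function names, the 120-second timeout and the rule that "webpage" is the only valid mode value are assumptions.

```python
import time
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlsplit

CALLBACK_PATH = "/__appweblogin__"  # path from the release note


def extract_token(request_target):
    """Return the token from a callback request target, or None if the
    request is not a well-formed callback."""
    parts = urlsplit(request_target)
    if parts.scheme or parts.netloc or parts.path != CALLBACK_PATH:
        return None
    query = parse_qs(parts.query, keep_blank_values=True)
    if set(query) - {"response", "mode"}:
        return None  # unexpected parameter
    # Assumption: "webpage" (the legacy IE/Safari variant) is the only mode.
    if query.get("mode", ["webpage"]) != ["webpage"]:
        return None
    tokens = query.get("response", [])
    if len(tokens) != 1 or not tokens[0]:
        return None  # missing, empty or repeated token
    return tokens[0]


class CallbackHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        token = extract_token(self.path)
        if token is None:
            self.send_error(404)
            return
        self.server.token = token
        self.send_response(200)
        self.send_header("Content-Type", "text/plain; charset=utf-8")
        self.end_headers()
        self.wfile.write(b"Login complete. You can close this window.\n")

    def log_message(self, fmt, *args):
        pass  # the request line carries the token; keep it out of logs


def open_listener():
    """Bind to loopback only, on an OS-chosen port (the <randomport>)."""
    server = HTTPServer(("127.0.0.1", 0), CallbackHandler)
    server.token = None
    return server, server.server_address[1]


def wait_for_token(server, timeout=120.0):
    """Handle requests until one valid callback arrives or time runs out,
    then close the port so the token endpoint is one-shot."""
    deadline = time.monotonic() + timeout
    try:
        while server.token is None and time.monotonic() < deadline:
            server.timeout = max(0.1, deadline - time.monotonic())
            server.handle_request()
    finally:
        server.server_close()
    return server.token
```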

[PREVIEW] ISL Conference Proxy - Core Login - Add intermediate Done view for restore stored login methods (FEATURE) [ISLCONFPROXY-1837]

Description

After a user restores their 2FA methods, they are redirected to a "Done" page. The "Done" button was also replaced with a "Login" button.

Flags for this ticket are disabled by default.

ISL Conference Proxy - Core Login - Disable 2FA web pages when SAML is enabled (FEATURE) [ISLCONFPROXY-1839]

Description

New setting added: "Security / Enable single sign-on SAML". When this setting is enabled, login.html will redirect the user to the identity provider's login portal.

ISL Conference Proxy - Core/Windows - Append .dmp.debug_info into .dmp (FEATURE) [ISLCONFPROXY-1864]

Description

Windows .dmp crash file will contain the debug info necessary to open it in Visual Studio. .dmp.debug_info is not generated anymore, so it is now similar to Linux core files which also contain embedded debug info.

ISL Conference Proxy - Module DNS - DiG log reproduce EDNS0 queries (FEATURE) [ISLCONFPROXY-1866]

Description

DiG log (setting "Enable DiG log file") was improved to support EDNS0 queries. Supported dig flags:

  • +noedns, +edns=VERSION
  • +bufsize=SIZE
  • +[no]dnssec
  • cookies via +ednsopt=10:HEX
  • +subnet=IP/MASK via +ednsopt=8:HEX

ISL Conference Proxy - Core - Add Google's reCAPTCHA to login (FEATURE) [ISLCONFPROXY-1867]

Description

Google's reCAPTCHA was added to the ICP login flow. If captcha is configured, the utils/login/dialog/1 webapi will require a valid captcha response to authenticate the user (utils/login/1 and SSO do not).

To enable captcha checks define:

  • Google ReCAPTCHA secrets and keys
  • enable v3

Also new counters were added:

  • CAPTCHA:queue - number of running queries to Google
  • CAPTCHA:valid - number of total valid captchas
  • CAPTCHA:failed - number of total failed captchas
  • CAPTCHA:objects - number of captcha objects

ISL Conference Proxy - Core - improve webapi2 login logs (FEATURE) [ISLCONFPROXY-1868]

Description

Hag logs were expanded with origin tags and more info about webapi2 params. Origin tags will enable us to better define fail2ban filters. Changes:

  • webapi2 protocol now includes origin tags: key value pairs that are shown on edge hag logs
  • webapi2 utils/login/dialog/1 now also reports scode
  • login webapis now expose input username and resolved user_id in origin tags

[PREVIEW] ISL Conference Proxy - Core - Setting to enable/disable forgot password email (FEATURE) [ISLCONFPROXY-1873]

Description

Setting was added to "General > Security":

  • "Enable forgotten password procedure" (default: Yes)

If "Enable forgotten password procedure" is set to No or "Enable single sign-on SAML" is set to Yes then:

  • there will be no forgot password URL in login dialog
  • WebAPI2 calls will always fail:
    • utils/password/forgot/1
    • utils/password/forgot/users/list/1
    • utils/password/forgot/change/1
    • utils/password/forgot/cancel/1

Flags for this ticket are disabled by default.

[PREVIEW] ISL Conference Proxy - Core - Login permission for downloads (FEATURE) [ISLCONFPROXY-1875]

Description

Setting was added to "Security" ("General" and accounts):

  • "View downloads" (default: Yes)

To protect the Downloads page so that only logged-in users can view it, set:

  • "View downloads" to No (allow override) for server
  • "View downloads" to Yes for domain or user

To remove the Downloads page and link completely, set:

  • "View downloads" to No (deny override) for server

Flags for this ticket are disabled by default.

[PREVIEW] ISL Conference Proxy - Core - Encrypt change email/password login args (FEATURE) [ISLCONFPROXY-1876]

Description

The change password and change email buttons on the user profile page now encrypt the args URL query parameter to hide personal data. The login dialog handler now supports the "use_public_code_for":"PUBLIC_CODE:username,email" arg, so account information does not need to be passed through the client.

Flags for this ticket are disabled by default.

[PREVIEW] ISL Conference Proxy - Core - Allow empty (none) timezone in utils/account/property/set/1 (FEATURE) [ISLCONFPROXY-1879]

Description

The WebAPI2 method utils/account/property/set/1 now allows an empty timezone to be set, which indicates auto-detect.

Flags for this ticket are disabled by default.

[PREVIEW] ISL Conference Proxy - Core - Remove post_token from URLs in users pages (FEATURE) [ISLCONFPROXY-1882]

Description

Logout and change language were changed to pass "post_token" in POST request content instead of URL.

Flags for this ticket are disabled by default.

ISL Groop - Module - Add email body parameter to islgroop/sessions/email/send/1 webapi (FEATURE) [ISLGROOP-994]

Description

The email_body_html parameter was added to the islgroop/sessions/email/send/1 webapi method, so that ICP can use it to send ISL Groop invites. Previously, the _utils/email/1/ webapi method was used.

ISL Light - Module - close half-connected sessions after some period (FEATURE) [ISLLIGHT-5148]

Description

An ISL Light session that is in a half-connected state will be closed after a defined period. Half-connected sessions are sessions with only the client or only the desk in the session. The time is calculated from the last transferred byte. By default, the maximum duration of a half-connected ISL Light session is 8 days.

[PREVIEW] ISL Light - Module - Use ISL Light instead of ISL Light Desk when starting and resuming sessions (FEATURE) [ISLLIGHT-5220]

Description

When requesting a supporter link to start a new session through isllight/session/start/1, the response included a session start link that invoked ISL Light Desk.
A new webapi2 call isllight/session/start/2 has been added and its response includes a session start link that invokes ISL Light, with a fallback to ISL Light Desk.

When attempting to transfer a session to a supporter or to invite a supporter to a session, the resulting link invoked ISL Light Desk.
The resulting session transfer or session invite link now invokes ISL Light, with a fallback to ISL Light Desk.

Flags for this ticket are disabled by default.

[PREVIEW] ISL Pronto - Module - Secure cookie attribute (FEATURE) [ISLPRONTO-1275]

Description

Cookies are now marked "Secure" (will not be sent in http:// connections) for secure chats (started with https:// URL).

Flags for this ticket are disabled by default.

[PREVIEW] ISL Conference Proxy - Core - No feedback if user change his email address - Recode profile page to use webapi (FEATURE) [ISLCONFPROXY-1059]

Description

In the previous version, if a user changed their email, there was no feedback. This was redesigned so that users should get feedback when changing the email in their profile.

The defect was fixed.

Flags for this ticket are disabled by default.

ISL Conference Proxy - Core - Profile permissions do not inherit correctly (DEFECT) [ISLCONFPROXY-1649]

Description

In the previous version, permission inheritance was wrong for profile permissions ("No - deny override" was not effective). This was redesigned so that correct permission inheritance is now used for profile permissions. Affected profile permissions are: name, nickname, password, email, time zone, last language.

The defect was fixed.

ISL Conference Proxy - Core - Prevent login for user object where domain object was deleted (DEFECT) [ISLCONFPROXY-1729]

Description

In the previous version, it was possible to create a user in a domain and then delete that domain without deleting the users that were part of it. When these users tried to log in, the login succeeded, which it should not have. This was redesigned so that login is disabled for such users (the error should say "Incorrect username or password").

The defect was fixed.

[PREVIEW] ISL Conference Proxy - Core Login - Move call to action from link to button (DEFECT) [ISLCONFPROXY-1834]

Description

In previous versions, the user had to click on a link to log in again after successfully configuring 2-step verification. The call to action has been moved from the link to the Login button to simplify the GUI.

The defect was fixed.

[PREVIEW] ISL Conference Proxy - Core Login - Perform get request for logout so cookie is cleared (DEFECT) [ISLCONFPROXY-1835]

Description

In the previous version, the CoreLogin module called the utils/logout/1 webapi to perform logout. However, this call did not reset the cookie. This was redesigned so that CoreLogin performs a GET request to users/main/logout with the post token; this request also resets the cookie and consequently redirects the user to the login screen.

The defect was fixed.

Flags for this ticket are disabled by default.

[PREVIEW] ISL Conference Proxy - Core Login - Disable 2FA buttons should appear on same line (DEFECT) [ISLCONFPROXY-1852]

Description

In the previous version, the buttons appeared on multiple lines when disabling 2FA. This was redesigned so that the buttons now appear on the same row.

The defect was fixed.

Flags for this ticket are disabled by default.

[PREVIEW] ISL Conference Proxy - Core - Check for empty hex ID (DEFECT) [ISLCONFPROXY-1869]

Description

In case of empty rows in the file table, a JavaScript exception was thrown and the ISL Pronto settings page would not load. The settings reader now ignores empty rows, so the exception is no longer thrown.

The defect was fixed.

Flags for this ticket are disabled by default.

[PREVIEW] ISL Conference Proxy - Core - /conf/action/restart backward compat support (DEFECT) [ISLCONFPROXY-1885]

Description

Flag 2018-08-16 ISLCONFPROXY-1766 moduleapps flags conf gui caused the "Execute" button on the PostgreSQL installation page not to restart ISL Conference Proxy. This was redesigned so that the "Execute" button now restarts ISL Conference Proxy.

The defect was fixed.

Flags for this ticket are disabled by default.

ISL Pronto - Module - Profile permissions do not inherit correctly (DEFECT) [ISLPRONTO-1109]

Description

Correct permission inheritance is now used for profile permissions (No - deny override was not effective before). Affected profile permissions are: link to photo.

[PREVIEW] ISL Pronto - Module - Fix deadlock from INC-1524 by retaining lock when iterating over supporters (DEFECT) [ISLPRONTO-1230]

Description

In some cases ISL Pronto module could trigger a deadlock due to invalid memindex_mt iteration. Iteration has been deprecated and replaced with a callback implementation which should prevent any further deadlocks.

The defect was fixed.

Flags for this ticket are disabled by default.

