What's New in Mobility XE Version 8.0
Before Upgrading
The Mobility XE version 8.0 client and server
setup software was designed to allow for a brand new installation or to upgrade
an existing installation. When upgrading from a previous version of the
Mobility XE client or server, the Mobility XE version 8.0 setup software can
only be used to upgrade (e.g. overinstall) on Mobility XE version 6.7 or
later. If you are running a version of the Mobility XE client or server
prior to version 6.7, you must first upgrade to version 6.7 prior to upgrading
to version 8.0.
Version 8.0 also requires Level 4 license
keys. If you upgrade from a previous version of Mobility XE, your Level 2
(Mobility XE version 6.x) or Level 3 (Mobility XE version 7.x) permanent
license keys will be converted to temporary (time-limited) Level 4 license
keys. Only customers with Premium Maintenance agreements or those who pay
for the upgrade will be granted permanent Level 4 license keys. The only
way to restore a Mobility XE server pool that has been upgraded to version 8.0
is by restoring system backups for the Mobility warehouse and Mobility servers
that were made prior to upgrading.
Clients prior to version 6.7 will automatically be
disconnected from a version 8.0 or later Mobility server. And version 8.0
clients will be disconnected from a version of the Mobility XE server prior to
6.7.
Major Features & Changes
New Mobile Network Access Control (NAC) Module
There is a new Network Access Control (NAC) Module
that lets administrators control which mobile devices are allowed to connect to
the Mobility server based on their compliance to customizable configuration
policies. The NAC Module bolsters remote access security by ensuring that
only “healthy” mobile devices are allowed to connect to the
Mobility XE server and access corporate resources.
The NAC Module is an optional component for
Mobility XE 8.0. Both the Mobility server and client must be running
Mobility XE 8.0 for the NAC Module to function.
Details
Mobility system administrators write NAC policies
and subscribe groups, classes, devices, or users to them. The policies
are automatically pushed down to and evaluated on the device before any data
transmissions are allowed through the VPN tunnel. NAC policies are
evaluated when the device is started/booted, when the device attempts to
connect to the Mobility XE 8.0 server, and they are reevaluated every 5 minutes
even after a device is allowed to connect. The NAC Module is supported on
all client operating systems, including Windows Mobile devices.
Based on their compliance with the NAC policy, the
Mobility server can allow, warn, disconnect, or quarantine the mobile
device. In addition, the NAC Module integrates with the Policy Module to
allow for and enforce remediation on the client device. For example, if a
device fails a NAC policy check, it can automatically trigger the Policy Module
to restrict access to a specific application or subnet.
There is an easy-to-use one-screen NAC Wizard that
allows administrators to create the most common rules with just a few
clicks. And an advanced interface provides administrators maximum
flexibility and customization. NAC rules support inspecting attributes
and configurations related to anti-virus, anti-spyware, firewalls, Windows
Update status, running processes, installed files, operating system versions,
the Mobility XE client version, and registry keys. The Mobility client
API (nmclapi.dll) also now supports a new function call that allows external
programs and processes to integrate directly with the NAC Module. The NAC
Module automatically recognizes common antivirus, firewall, and anti-spyware
products.
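A sketch of the evaluate-then-act flow described above, as an added example that is not NetMotion code and does not use the NAC Module's policy format. The `Rule` schema, attribute names, thresholds, fail-closed handling, and the choice that the most restrictive failed action wins are all assumptions.

```python
from dataclasses import dataclass
from typing import Callable

# Actions the page names, in the order it lists them; treating that order as
# least-to-most restrictive is an assumption of this example.
ACTIONS = ("allow", "warn", "disconnect", "quarantine")
REEVALUATE_SECONDS = 5 * 60  # the page: policies are reevaluated every 5 minutes


def version_tuple(text: str) -> tuple:
    """Parse '8.0.1' into (8, 0, 1) so 8.10 compares greater than 8.9."""
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class Rule:
    name: str
    attribute: str                    # posture key the rule inspects (hypothetical)
    passes: Callable[[object], bool]  # predicate over that attribute's value
    on_fail: str                      # one of ACTIONS


def evaluate(rules, posture):
    """Return (action, failed_rule_names). A missing attribute counts as a
    failure (fail closed), and the most restrictive failed action wins."""
    action, failed = "allow", []
    for rule in rules:
        try:
            ok = rule.attribute in posture and rule.passes(posture[rule.attribute])
        except (TypeError, ValueError):
            ok = False  # malformed value reported by the device: fail closed
        if not ok:
            failed.append(rule.name)
            if ACTIONS.index(rule.on_fail) > ACTIONS.index(action):
                action = rule.on_fail
    return action, failed


def recheck_due(last_evaluated: float, now: float) -> bool:
    """True once the 5-minute reevaluation interval has elapsed."""
    return now - last_evaluated >= REEVALUATE_SECONDS


# Constructed policy covering some of the attribute types the page lists.
POLICY = [
    Rule("antivirus running", "antivirus_running", lambda v: v is True, "quarantine"),
    Rule("firewall enabled", "firewall_enabled", lambda v: v is True, "disconnect"),
    Rule("AV signatures <= 7 days old", "av_signature_age_days", lambda v: v <= 7, "warn"),
    Rule("client >= 8.0", "client_version", lambda v: version_tuple(v) >= (8, 0), "disconnect"),
]

# Constructed posture reports from three hypothetical devices.
HEALTHY = {"antivirus_running": True, "firewall_enabled": True,
           "av_signature_age_days": 2, "client_version": "8.0"}
STALE = dict(HEALTHY, av_signature_age_days=30, firewall_enabled=False)
SILENT = {"firewall_enabled": True, "client_version": "8.x"}  # omits AV data

if __name__ == "__main__":
    for label, posture in (("healthy", HEALTHY), ("stale", STALE), ("silent", SILENT)):
        print(label, evaluate(POLICY, posture))
    print("recheck due after 301 s:", recheck_due(0.0, 301.0))
```

The `SILENT` device shows why failing closed matters: a report that omits or garbles an attribute is treated the same as a failed check rather than being waved through.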
Pricing for the Network Access Control Module will
be released to the retail channel thirty days prior to general
availability. Customers with a current Premium Maintenance Agreement can
elect to receive the NAC Module at no additional charge. The NAC Module
will carry an additional licensing fee for new customers and customers with a
current Standard Maintenance Agreement.
Policy Management Module Additions and Improvements
QoS Action Optimized for Real-time Applications in Policy Management Module
QoS rules in the Policy Management Module have
been enhanced to provide better support for real-time applications. As a
result, voice and video quality are significantly improved in networks where
there is high packet loss, high latency, or jitter.
The “Set quality of service parameters for
[applications | addresses | ports]” action has been significantly
enhanced to provide better support for real-time applications. Based on
its settings, this action now automatically uses Packet Loss Recovery (PLR) to
automatically replace missing or lost packets in real-time application
transmissions without having to re-request/re-transmit them. This
alleviates many of the negative effects from packet loss and ameliorates many
of the problems caused by high latency and jitter. As a result, when
running real-time applications—like voice-over-IP, video, web
conferencing, and instant messaging—Mobility XE 8.0 can maintain a much
higher quality in transmissions and communications, even on wireless networks.
In lab testing, the PLR functionality has been able to maintain call
quality—a Mean Opinion Score (MOS) above 2.5—with as high as 70%
packet loss. MOS generally drops below 2.5 with only 10% or 20% packet
loss when using a traditional IPSec or SSL VPN.
The QoS action comes with a revised and simplified
set of preconfigured settings tuned specifically for different types of
applications, including high-priority TCP applications, voice, video,
best-effort, and background. In addition, individual parameters for each
setting are customizable. Packet Loss Recovery (PLR) is only available
for real-time applications running over the UDP protocol.
Pricing for the Policy Module is unchanged from
previous versions of Mobility. Customers who previously purchased the
Policy Module and who have a current Premium Maintenance Agreement will receive
the Policy Module updates at no additional charge. There is a license fee
for the Policy Module for new customers and new seats purchased, and an upgrade
fee for customers with a current Standard Maintenance Agreement.
New Registry Key/Value Condition in Policy Management Module
A new condition in the Policy Management Module
checks for the existence of Windows registry keys and compares their values.
Using the new registry key condition, administrators can write rules that
integrate more flexibly with applications and are more aware of the Windows
operating environment.
New External Key/Value Condition in Policy Management Module
A new condition in the Policy Management Module
can be set by the Mobility client API (nmclapi.dll) or the tellmes command line
utility. Either tool can set a variable name and value that can then be
checked and compared as a rule condition. The External Key/Value
condition is complementary to the Registry Key/Value condition, in that it
allows administrators to write rules that can identify and integrate with other
applications and processes.
New Network Access Control (NAC) Status Condition in Policy Management
Module
There is a new NAC Failure Action condition in the
Policy Management Module that allows the Policy Management Module to integrate
with the NAC Module. For example, the condition can be used to restrict
access to IP addresses or a more limited set of applications if a Mobility
client device does not fully comply with the NAC policy.
Better Integration between Rule Sets and Rules
The Policy Management Module now starts out by
default on the Rule Sets page, and it is now possible to create new rules when
editing a rule set. The changes facilitate a more natural workflow,
making it easier to create policies without requiring administrators to move
back-and-forth between rule creation and rule set creation.
Other Features, Changes and Bug Fixes
Mobility XE Certified for Scalability and Capacity on VMware ESX
Mobility XE 8.0 is now fully supported, including
full capacity and scalability, when running in VMware ESX environments. VMware
ESX must be configured to provide comparable “virtual” resources to
the system requirements for Mobility XE when running on dedicated,
non-virtualized hardware. A TechNote detailing the recommended
configuration of VMware ESX for Mobility XE is available in the technical
support area of the NetMotion Wireless corporate website.
Support for Windows Mobile 6.1
In addition to previous versions of Windows
Mobile, the Mobility XE version 8.0 client also supports the Windows Mobile 6.1
platform.
Support for RSA SecurID Software Tokens on Windows Mobile (010653)
RSA SecurID software tokens are now also supported
on Windows Mobile devices, in addition to our other supported client platforms.
Support for user-specified locations when installing the Mobility XE client
on Windows CE devices (08132)
When installing the Mobility XE client to a
Windows CE device, the setup program now provides the option to specify the
location of Drive and Path for the installation files. As a result,
Windows CE installations can be more successful without additional user
intervention.
Clarified Connectivity Requirements for Zones and Geographically-dispersed
Server Pool Components
Connectivity requirements between server pool
components—Mobility servers and Mobility warehouses, including
replicas—have been clarified. At a minimum, Mobility servers and
warehouses need access to all other pool components with a 10 Mbps link that has
150 ms or less round-trip latency. Previously, the minimum requirement
for pool component connectivity was 100Mbs and “Low Latency”.
Large deployments seeking to get maximum performance and scalability should
improve the minimum bandwidth and latency as much as possible. (See
“Guidelines for Supported
Mobility Deployments” for further details.)
Simplified Mobility Console Menu System
The Mobility console menu system has been revised
and simplified to better group and organize the top-level choices available to
administrators.
Client Session Details Now Shows Running Applications (08607)
When viewing session details for a particular
device, there is a new column in the Network Process List (Mobility console
> Connection List > Session Details) that shows which applications are
running.
Ability to Filter out Example Rules and Rule Sets (08567)
There is a new “No Examples” filter
available on the Policy Management and NAC Module screens that allows
administrators to view a list of policies that is not cluttered with Example policies.
Ability to Add Port Ranges to QoS Rules (07896)
The Policy Module in Mobility XE 8.0 includes the
ability to specify a range of ports for voice or other real-time traffic.
Easier to Determine Live and Disconnected Interfaces (08250 & 08254)
It is now easier to determine when an interface
listed in Mobility Client Properties (Details tab) is active. Interfaces
that are active are displayed as ‘up’ and it is easy to distinguish
between a current live interface and a disconnected one.
Client's Active Interface Displayed in the Mobility Console (008770)
Drilling down on a device in the connection list
on the Mobility console now displays the active interface name in addition to
speed when displaying the session details.
Active Interface Displayed on Mobility Client ‘Connecting’
Dialog (008254)
When logging on, the Mobility client
‘Connecting’ dialog now more clearly shows which interface the
client is using. This can be useful information if the user is
experiencing problems connecting to the Mobility server.
Bypassing Displays Warning About Encryption Loss (008451)
Bypassing the Mobility client now pops up a dialog
warning users that encryption will stop and any data received or sent by the
device may be intercepted.
Updated the Mobility Console to Support Java Version 6.0 (008419)
In some situations the Mobility console would
display “JNI exception: EXCEPTION_ACCESS_VIOLATION”. Moving to Java
version 6.0 resolved many of these instances.
Resolved Failure When Exceeding Passthrough List Limit (006908)
If too many addresses were added to the
Passthrough List setting in the Mobility console, none of the addresses were
propagated to the Mobility clients and there was no error message notifying the
administrator of the failure.
Now, when the maximum number of addresses in the
Passthrough List is exceeded, the Mobility console displays a warning message
explaining the problem. If you require more addresses in the list than
are supported (between 6 and 10 depending on how they are defined), they can be
added using the Policy Management Module.
Resolved Inability to Remove Devices After Server Upgrade (007736)
Fixed a problem that, in some situations,
prevented administrators from deleting previously registered devices, after
upgrading (overinstalling) the Mobility XE server.
Resolved Logon Failure When Running Wave Embassy Security Center Software
on the Mobility XE Client Device (007886)
The Mobility XE 8.0 client has been modified to
recognize Wave's GINA and authentication package and allow authentication to
proceed normally. When using Wave Embassy Security Center's
software with the Windows Logon > Enable Secure Windows Logon feature
checked on devices running previous versions of the Mobility XE client, the
Mobility client was unable to log on successfully. The Wave Embassy Trust
Suite for Dell 1.0 came preinstalled on many Dell laptop models.
Resolved Problem with Stranded Devices When Renaming Device Class (008098)
Fixed a problem that could strand device licenses
used by devices in a device class if the device class was renamed.
Resolved Connection Conflict When HP Credential Manager Is Enabled (008188)
Resolved a conflict with the HP Credential Manager
that prevented the Mobility client from establishing a connection.
Resolved Security Warning When Using a Policy to Open a Remote File
(008346)
In previous versions of Mobility running on
Windows 2000, Windows XP, or Windows Vista, using Policy to execute a file
accessible via a UNC path would generate an ‘Open File - Security
Warning’ dialog, asking the user to confirm whether or not to run the
software. The warning dialog has been suppressed, allowing these types of policy
actions to run reliably and without user intervention.
Resolved Errors When Using Square Brackets (“[” or
“]”) in the Rule Names (008400)
Saving a rule with square brackets “[”
or “]” in its name would cause an error. The Mobility console
now validates and prevents invalid characters in the rule name.
Resolved Inability to ActiveSync Psion Teklogix WorkAbout Pro Handheld
(008463)
Fixed a problem where ActiveSync did not work on
the Psion Teklogix WorkAbout Pro device, when the Mobility client was connected
or in Bypass.
Resolved Incorrect Device Count on Mobility Server (008577)
Fixed a problem that caused incorrect display of
the registered device count on the Client Status page in the Mobility Console. Wait
times are shorter now when moving devices into device classes.
Reconciled Time Zones Used When Displaying Connected Time and Registered
Time in Client Status (008614)
Connected Time for registered devices was being
displayed on the Mobility console using the local time, but the Registered Time
was using the warehouse's GMT time. Both times are now displayed in the local
standard time of the servers.
Fixed Remote Assistance Calls Initiated from Windows Vista or Windows XP
(009071)
Remote assistance worked in most cases except when
calls were initiated from Vista to XP, regardless of whether the client is
connected or bypassed.
Fixed Client Network Failover When Using Policy to Override Interface
Speeds (009099)
Fixed a problem where the Client Network Failover
feature would not switch to the interface with the fastest speed if the
interface’s speed had been overridden by a policy rule and the Mobility
client had two different interfaces with differing interface speeds.
Fixed Device Registration Conflicts (Duplicate nmwUniqueHWId) with Devices
Using SATA Drives (009108)
We fixed a problem where we were not creating
unique device PIDs because the devices had the same hardware serial
number. This problem has been seen on Panasonic Toughbook CF-29, CF-30,
CF-71 devices, some Dell laptops, and other devices with SATA hard drives.
Fixed MS Communicator Failure on Windows Mobile (010762)
Fixed a problem where Microsoft Office
Communicator would fail when running on Windows Mobile also running the
Mobility client software.
Hardware and Software Requirements
Mobility XE Small Deployment Server System
• Processor: x86-compatible Pentium 4
processor, 2.0 GHz (minimum).
• Operating system: Microsoft Windows Server 2003 R2 (Service Pack
2), Microsoft Windows Server 2003 (Service Pack 2), or Microsoft Windows 2000
Server (Service Pack 4).
• RAM: 2 GB, minimum.
• Disk space: 2 GB free, minimum.
• Browser (with JavaScript enabled): Internet Explorer v7, Internet
Explorer v6, Firefox 2.0.
The Mobility XE small deployment server system installs both Mobility server
and Mobility warehouse on one machine. It is intended for pilot programs and
small deployments with under 400 users.
Stand-alone Mobility Server
• Processor: x86-compatible Pentium 4,
2.0 GHz (minimum).
• Operating system: Microsoft Windows Server 2003 R2 (Service Pack
2), Microsoft Windows Server 2003 (Service Pack 2), or Microsoft Windows 2000 Server
(Service Pack 4).
• RAM: 2 GB, minimum.
• Disk space: 1 GB free, minimum.
• Browser (with JavaScript enabled): Internet Explorer v7, Internet
Explorer v6, Firefox 2.0.
• For RSA SecurID user authentication: RSA Authentication Agent
version 6.0 or higher.
Stand-alone Mobility warehouse
• Processor: x86-compatible Pentium 4, 2.0 GHz (minimum).
• Operating system: Microsoft Windows Server 2003 R2, Microsoft
Windows Server 2003 (Service Pack 2), or Microsoft Windows 2000 Server (Service
Pack 4).
• RAM: 2 GB, minimum.
• Disk space: 3 GB for a pool of four or fewer Mobility servers. 5
GB for a pool of five or more Mobility servers.
Mobility Client for Windows Vista, Windows XP, Windows XP Tablet or Windows
2000
• Operating system: Microsoft Windows
Vista (Business, Enterprise, or Ultimate Edition), Microsoft Windows XP
(Service Pack 2), Microsoft Windows XP Tablet (Service Pack 2), or Microsoft
Windows 2000 Professional (Service Pack 4).
• Disk space: 10 MB free.
• Mobility XE online help requires a web browser that supports HTML
4.0, JavaScript 1.2, and CSS1 or higher.
Mobility client for Windows Mobile
• Processor: StrongARM 1100 or compatible processor (e.g., XScale).
• Operating system: Microsoft Windows Mobile 6.0 (Classic, Standard,
or Professional), Microsoft Windows Mobile 5.0 for Smartphone or Pocket PC,
Microsoft Windows Mobile 2003 for Pocket PC, Microsoft Windows CE version 5.0,
or Microsoft Windows CE version 4.2.
- See Technical Note 1515 on our web site (www.netmotionwireless.com) for a
current list of tested device types and processors.
• Storage memory: 3 MB free on Windows Mobile for Pocket PC devices,
or 7 MB free on Windows Mobile for Smartphone.
• ActiveSync installation requires ActiveSync v. 4.1 or greater.
• Network requirements: To integrate Mobility XE into a
wireless network environment, you must have at least one of the following:
- A wireless LAN adapter installed on a mobile device and wireless
access points installed on the wired network.
- A wireless WAN device installed on a
mobile system and available wireless WAN service (for example, an account with
a service provider).
- A modem installed on a mobile device and available dial-up service.
• Server components should be installed on workgroup or domain
machines. Mobility XE does not support servers installed on domain controllers.
• For subnet roaming, DHCP services must be available on the
network.
Advance End of Life Notice for Mobility XE Version 6.7
NetMotion Wireless has announced the end-of-life
(EOL) for NetMotion Mobility XE version 6.7 will occur eighteen months from
now. Effective December 31, 2009, customers who want to continue
receiving technical support must upgrade to Mobility XE version 7.x or a later
version. Until December 31, 2009, customers with maintenance contracts will
continue to receive support. Until it is discontinued, any NetMotion
Wireless customers can upgrade without charge to Mobility XE version 6.7 from
any previous version of Mobility XE.
Specific EOL announcements for any later versions
will be issued at least 12 months in advance of their end-of-life effective
date.
Advance Notice of Intent to Discontinue EAP-MD5 Support
Mobility XE version 8.0 is the last release that
will support the EAP-MD5 authentication method. EAP-MD5 has long been
considered an “at-risk” authentication method due to security
weaknesses (collision attacks and increased exposure to man-in-the-middle attacks).
Because attacks on EAP-MD5 are no longer theoretical in nature, NetMotion
Wireless has determined that it is unwise to continue support for the algorithm
in our products.
If you are currently using EAP-MD5 authentication
with Mobility XE, we strongly encourage you to migrate to one of the other
available authentication methods as soon as possible. To determine if
your Mobility XE system is affected, log in to the Mobility console, click on
Server Settings, and then click on the ‘Authentication –
Protocol’ setting. If ‘RADIUS – MD5’ is selected,
you should plan to change to one of the alternate settings as soon as possible.
We will continue to support RADIUS authentication using the LEAP method and the
PEAP with EAP-GTC or EAP-NTLMv2 inner methods. Support for additional EAP
authentication methods is also planned for upcoming releases.
Note that starting with Windows Vista, Microsoft
also discontinued support for EAP-MD5 (see http://support.microsoft.com/kb/922574),
and many other security vendors have already discontinued their support for the
protocol. There is also a great deal of searchable information on the
Internet about EAP-MD5’s security weaknesses.
Advance Notice of Intent to Discontinue Support for the MS Windows 2000
Server Operating System
Support for Windows 2000 Server will be deprecated
in the next Mobility XE release, planned for later this year. Customers
should plan to upgrade their Mobility XE server infrastructure to Windows
Server 2003 SP2.
Advance Notice of Intent to Discontinue Support for the MS Windows 2000
Professional Operating System
Support for Windows 2000 Professional will be
deprecated in the next Mobility XE release, planned for later this year.
Customers should plan to upgrade their Mobility XE client devices to Windows XP
or Windows Vista.
Advance Notice of Intent to Discontinue Support for the MS Windows Mobile
2003 (Pocket PC 2003) Operating System
Support for Windows Mobile 2003 (a.k.a. Pocket PC
2003) will be deprecated in the next Mobility XE release, planned for
later this year.