Business Suite Policy Manager Changelog
This thread is a changelog for the WithSecure Policy Manager and Policy Manager Proxy products.
📝 Click here to see the most recent change log and bookmark the discussion to be notified of any updates.
Comments
-
WithSecure Policy Manager 16.00 and WithSecure Policy Manager Proxy 16.00
Policy Manager is an on-premise application providing a central location for managing security applications across different operating systems.
Policy Manager can be used for:
- setting and distributing security policies,
- installing application software to local and remote systems,
- monitoring the activities of all systems in the enterprise for compliance with corporate policies and centralized control
Policy Manager and Policy Manager Proxy support following operating systems
Microsoft Windows:
- Windows 10 (64-bit), not recommended for the Policy Manager Server
- Windows 11 (64-bit), not recommended for the Policy Manager Server
- Windows Server 2012 R2; Essentials, Standard or Datacenter editions
- Windows Server 2016; Essentials, Standard or Datacenter editions
- Windows Server 2019; Essentials, Standard or Datacenter editions (Server Core is not supported)
- Microsoft Windows Server 2022; Essentials, Standard, or Datacenter editions
Linux (only 64-bit versions of all distributions listed are supported):
- AlmaLinux 8.5
- CentOS 7, 8
- CentOS Stream 8
- Debian GNU Linux 9, 10
- openSUSE Leap 43, 15
- Oracle Linux 8
- Red Hat Enterprise Linux 6, 7, 8
- SUSE Linux Enterprise Server 11, 12, 15
- SUSE Linux Enterprise Desktop 11, 12, 15
- Ubuntu 16.04, 18.04, 20.04
Note: see user guides for full list of system requirements.
Changes in this release
New domain names
As of version 16 managed clients are now using new backends to function. In case external network connections are controlled in the company, please allow all connections to *.fsapi.com or white-list this list explicitly:
- guts2.fsapi.com
- guts2-old.fsapi.com
- corp-reg.fsapi.com
- api.doorman.fsapi.com
- baseguard.doorman.fsapi.com
- a.karma.sc2.fsapi.com
- restmc.mind.sc2.fsapi.com
Policy Manager server address in Root domain
It is now required to have Policy Manager server address defined at the Root domain level. It is still possible to override values for subdomains, i.e. Policy Manager host has specific alias for certain location.
New Windows MSI
Windows editions of Policy Manager and Policy Manager Proxy are now using MSI for installation.
New directories
New directories and registry keys are now used for both Policy Manager and Policy Manager Proxy
- Program files location: C:\Program Files\WithSecure\Policy Manager\
- Program data location: C:\ProgramData\WithSecure\NS\Policy Manager\
- Registry: HKLM\SOFTWARE\WithSecure\Policy Manager
If you use KB instructions written for earlier versions of the Policy Manager (i.e. requiring additional_java_args overrides) adjust locations correspondingly.
MSI arguments
By default Policy Manager MSI always installs both Policy Manager Console and Policy Manager Server. In case Server is not required and you are installing Console to connect to remote Server, use 'NOSERVER' MSI argument overridden to ‘true’, for example by running an MSI file from the command line and passing the arguments to it:
msiexec /i policy-manager.msi NOSERVER=true
If you wish to override destination directory for the installation, use 'TARGETDIR' MSI argument to override it, for example by running an MSI file from the command line and passing the arguments to it:
msiexec /i policy-manager.msi TARGETDIR=C:\CustomDirectory
Changes in services names
Main Policy Manager and Policy Manager Proxy services are now called wspms (WithSecure Policy Manager).
F-Secure Automatic Update Server service is no longer used, there is no replacement service.
New features and improvements
- Ultimate mode – managed clients without direct internet connection are now able to proxy Karma lookups through the connected Policy Manager.
- EOLed products notification – if used version of the client software has reached the end-of-life, admin will get the corresponding warning in the Policy Manager Console.
- Added an option to export domain policies to prepare environment for migration to Elements.
- Added an option to configure Web Content Control alerts per category.
- Added an option to disable alerts for certain Application control rules.
- Added an option to change sample submit URL in browser block pages.
- Added an option to include the blocked URLs in all alerts.
- Separate toggle to activate EDR subscription – it is now possible to keep Sensor subscription entered, but not activated at the target device.
- Business Suite + EDR installation experience is now improved.
- WithSecure Firewall has a new feature to allow certain rules and groups of rules when "disable all rules" option is selected. It's useful if you want, for instance, to disable all rules except Network Discovery.
- User specific environment variables (i.e. %LOCALAPPDATA%, %USERPROFILE%) are now supported in Firewall rules.
- Remove unnecessary built-in inbound Firewall rules.
- Premium features are now marked in the Policy Manager Console’s editors.
- Enriched info for scanning alerts.
- Added an option to show Effective exclusions to end users.
- The whole URL for the malicious/suspicious/harmful links is now included to alerts.
- New application control rule is now added on top of the profile (instead of the end).
- The list of possible malware scanning actions for the inserted USB devices has been extended
Bug fixes:
- Fixed inability to renew Policy Manager Proxy certificate in some cases.
- Isolate/release operations behavior is now fixed.
- Not all alerts forwarded to the QRADAR issue is now fixed.
- Memory leak on policy generation is now fixed.
- GUTS2 cache corruption leading to inability to start PMS is now fixed.
- Automatic Database Backup logic is now fixed.
- Username in now shown in DataGuard alerts.
Dropped functionality:
- Policy Manager no longer supports running database on MySQL 5.5, 5.6.
- Support for clients 13.x and older is now removed. FSAUS (F-Secure Automatic Update Server) service is no longer installed.
Limitations
- After the Policy Manager upgrade to version 16.00, automatic Firewall rule for Policy Manager ports created by Server Security 14.10 and newer will stop functioning. You would need to create corresponding Firewall rule manually or upgrade Server Security to version 16.00 and install HF 16.00HF1 to allow external connections to Policy Manager ports.
0 -
WithSecure Policy Manager 16.01 and WithSecure Policy Manager Proxy 16.01
Changes in this release
New MSI arguments support is added.
If the Policy Manager or Policy Manager Proxy host does not have a direct internet connection, specify the HTTP proxy configuration as 'PROXY_SERVER' MSI argument for example by running an MSI file from the command line and passing the arguments to it:
msiexec /i policy-manager.msi PROXY_SERVER=http://proxy.example.com:8080
Use percent encoding for any reserved URI characters in the user name or password. For example, if the password is ab%cd, you need to enter it as follows:http://user:ab%25cd@proxy.example.com:8080
Installation improvements:
- non-default installation directories are now supported for upgrades.
- service stop hangling during upgrade is now improved.
- web reporting shortcut is now created.
Push-installation issue is now fixed.
Scanning reports not being opened from the Console is now fixed.
Tool to import malware definitions in isolated networks is now called import-definition-updates.
Additional troubleshooting information is now collected with wsdiag.
0