LogonBox VPN 2.4.5 – Now Available

Introduction

LogonBox is pleased to announce the immediate availability of LogonBox VPN 2.4.5.
This release includes significant performance improvements to some database calls, greater control over when you can sync your users and changes to OTP email storage.

This release also introduces the ability to purchase licenses directly from within the product and now supports recurring subscriptions on a monthly or annual basis.

ACTION REQUIRED: You must review the OTP section below if you currently use the One-Time Password over email feature.

Significant UI performance improvements

By necessity, a busy LogonBox server will make several database calls, many of which are duplicate queries.
We have improved our database caching for these repeated queries, which has boosted UI responsiveness by roughly 500-600% in some instances (most notably on the Users page).

User Synchronization/Reconcile changes

User synchronization times are now more flexible than before. Previously, you could only configure x minutes between each partial sync and how many partial syncs there are before running a full one.
The scheduler now allows more flexibility for some often asked-for use cases (for example, only running a full sync once per day).

To do this, LogonBox now uses quartz cron expressions for the reconcile periods and has split this into two separate configurations, one for the partial syncs and the other for the full.
The default reconcile time is still every 4 hours, but with a cron expression you now have much more control over your reconciles (for example, running the syncs at the top of the hour or at a set time of day is now easy).

These new settings are available in User Directory->Configure User Database->Advanced->Schedule.

The default for the partial syncs (Reconcile Schedule Expression) is 0 0 0/4 * * ? (every 4 hours at the top of the hour).
The default for the full syncs (Full Reconcile Schedule Expression) is 0 0 20 * * ? (at 8 pm every day).

For more information on formatting a cron expression, please see here: https://www.quartz-scheduler.org/documentation/quartz-2.3.0/tutorials/crontrigger.html.
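As an added illustration (not LogonBox code), the following evaluator checks a Quartz-style expression against a time and lists when it next fires, which is a quick way to confirm what a Reconcile Schedule Expression will do before saving it. It handles the numeric field syntax (`*`, `?`, single values, `a-b` ranges, `a/b` increments and lists); day and month names, `L`, `W` and `#` are left out, and the seconds field must be a single value.

```python
# Added example: minimal Quartz cron evaluator for checking reconcile schedules.
from datetime import datetime, timedelta

def _field_matches(spec, value, low):
    """True if `value` satisfies one Quartz field spec; `low` is the field's minimum."""
    if spec in ("*", "?"):
        return True
    for part in spec.split(","):
        if "/" in part:                       # a/b: from a (or the minimum for */b), every b
            start, step = part.split("/")
            start = low if start == "*" else int(start)
            if value >= start and (value - start) % int(step) == 0:
                return True
        elif "-" in part:                     # a-b: inclusive range
            a, b = map(int, part.split("-"))
            if a <= value <= b:
                return True
        elif int(part) == value:              # single literal value
            return True
    return False

def quartz_matches(expr, dt):
    """Does datetime `dt` match the 6- or 7-field Quartz expression `expr`?"""
    fields = expr.split()
    if len(fields) not in (6, 7):
        raise ValueError("Quartz cron needs 6 or 7 fields: sec min hour dom month dow [year]")
    sec, minute, hour, dom, month, dow = fields[:6]
    if (dom == "?") == (dow == "?"):          # Quartz requires exactly one of the two to be '?'
        raise ValueError("exactly one of day-of-month and day-of-week must be '?'")
    q_dow = (dt.weekday() + 1) % 7 + 1        # Quartz numbering: 1 = Sunday ... 7 = Saturday
    return (_field_matches(sec, dt.second, 0) and _field_matches(minute, dt.minute, 0)
            and _field_matches(hour, dt.hour, 0) and _field_matches(dom, dt.day, 1)
            and _field_matches(month, dt.month, 1) and _field_matches(dow, q_dow, 1))

def next_fire_times(expr, start_iso, count, max_days=366):
    """Next `count` fire times strictly after `start_iso`, as ISO strings (minute scan)."""
    sec_field = expr.split()[0]
    if not sec_field.isdigit():
        raise ValueError("this scanner needs a single literal value in the seconds field")
    dt = datetime.fromisoformat(start_iso).replace(second=int(sec_field), microsecond=0)
    deadline = dt + timedelta(days=max_days)
    fires = []
    while len(fires) < count and dt < deadline:
        dt += timedelta(minutes=1)
        if quartz_matches(expr, dt):
            fires.append(dt.isoformat())
    return fires

if __name__ == "__main__":
    for name, expr in (("partial", "0 0 0/4 * * ?"), ("full", "0 0 20 * * ?")):
        print(name, expr, next_fire_times(expr, "2024-01-01T09:30:00", 3))
```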

Changes to OTP via email

Previously, any specific configuration you wanted to apply to OTP via Email was via an edit button on the One Time Password authentication module.
There were situations where the server could not read this configuration at this granular level, so the OTP configuration has moved into the realm level.
This change means you now configure OTP settings in one area, which then applies to OTP on all Authentication Flows you have configured.
This change aligns the OTP configuration with SMS and Duo, which already worked this way.
You can now find the OTP configuration in Authentication Flows->Authentication Options->OTP and Authentication Flows->Authentication Options->OTP Code.
ACTION REQUIRED: If you are using OTP for email authentication, you MUST review this configuration to ensure it is correct, as it was impossible to migrate the configuration from the individual authentication modules.
While discussing OTP, it is worth clarifying two settings and how they interact, as not all combinations of these options make sense.
These settings are ‘Use Directory Email’ and ‘Save Email to Directory’.
Use Directory Email | Save Email to Directory | Expected functionality
ON  | OFF | Will use the user’s email from your user directory. The system will ask a user to enter an email if no email exists, but it will never save this email. Therefore, the user cannot set up their profile if no email is in the directory. We do not recommend using this combination.
ON  | ON  | Will use the user’s email from your user directory; the system will ask a user to enter an email if no email exists and save it back to the directory. This combination is the most common use case.
OFF | OFF | Will not use email from the directory. Instead, the service will prompt users to set an email and save it locally in LogonBox. This combination is the second most common use case.
OFF | ON  | This combination of settings does not make sense, and we do not recommend it.

Licensing changes

New installations can now buy, upgrade and manage an ongoing subscription from within the main UI. Existing licenses will not immediately be synchronised; if you want to manage a license previously purchased from us via this new method, please contact us and we can get your box connected to the new license server.

When you need to upgrade, our system will automatically calculate the upgrade price, applying any upgrade discount automatically for a hassle-free upgrade.

Upgrade Instructions

You can directly upgrade from the web UI or the operating system.

To upgrade from the web UI, log on with your admin account, navigate to Server Status from the main dashboard and click Update. You may also be prompted automatically on login if you have Updates, Features & Licensing->Update Prompt turned on.

To upgrade from the operating system:

On Windows – download the new installer, run the installer, and follow the prompts.

On a LogonBox VM – from a shell, type in:

apt update
apt upgrade

If you are still running a version before 2.3, you will need to perform some extra steps from the OS, as detailed here:

https://docs.logonbox.com/app/manpage/en/article/6172513

Our support team will upgrade Cloud customers over the coming week.

Changes

Here is a summary of the changes in this release.

Features

  • Various libraries updated to address vulnerability reports (commons-io, apache-tika, spring-framework, PostgreSQL (driver), metadata-extractor).
  • Improvements to remote realm synchronization. Now scheduled to run at certain fixed times (using cron expressions) instead of intervals. Active Directory has two schedules, one for partial and one for full.
  • Significant performance improvements, mainly more database caching and fixing faulty caching (e.g. broken negative caching).
  • There is a new cache status page on System Configuration->Caches.
  • Sessions are now transient. If you restart a server, all sessions will be invalidated.
  • Improvements to the job status page with meaningful job names.
  • ON/OFF switch element changed to a different library to address a vulnerability scan report.
  • Added a new task for Start Reconcile for use in Automations and Triggers.
  • One Time Password configuration has been pulled into a single realm setting rather than per authentication module.
  • Enable NAT on all local interfaces by default, but allow this configuration to be changed. (System Configuration->VPN->NAT Interfaces).
  • Site-to-site configurations now by default will not publish routes between sites, isolating them. Previous open access behaviour can be re-enabled in VPN configuration (VPN->Configuration->Share User Allowed Ips).
  • VPN Client now has the version numbers in the executables.

Bugs

    • Browser was not caching user icons on the User Database page.
    • Show user status dates in the system or user-configured timezone.
    • Fixed start-up order of encryption services, which may fail, particularly on 2.3 -> 2.4 upgrades.
    • Delegated access to users now shows the correct users when using the “Users not logged on in 30 days” filter.
    • Could not edit non-AD attributes when AD was in read-only mode.
    • Various missing text localization keys added.
    • Removed excessive popup notification messages when sessions are invalidated.
    • Fixed a problem with the Azure login module integration.
    • SMS delivery was broken in some places; now fixed.
    • Fixed a database cascade issue with shared password resources.
    • Could not change graph type in perfmon extension dashboard.
    • Some “flash” error notifications were being incorrectly suppressed.
    • Fixed issue with firstName missing in message when sent to additional contact.
    • Account linking messages were not working.
    • Fixed an issue where a user could register only one Yubikey on a system from the user profile completion wizard.
    • If configuration help text contained hyperlinks, changing the associated field would turn the link text back into raw HTML.
    • Password last changed time now displayed in local server timezone.
    • Reconcile hashes should no longer get out of sync and cause unnecessary full reconcile cache rebuilds.
    • Fixed an issue where a group ID was being used in place of a user ID on reconciles, which would invalidate the cache.
    • One Time Password authentication should now correctly save email addresses to the directory if the option Save to Directory is turned on.
    • Can now edit allowed IPs on a user again when Active Directory is in read-only mode.
    • Fixed an issue where the VPN port was not being added for the firewall configuration when a local ufw firewall was enabled.