LogonBox VPN 2.4.8 – Now Available

Windows two-factor authentication


LogonBox is pleased to announce the immediate availability of LogonBox VPN 2.4.8.

This release includes further performance improvements to some database calls (which were previously only available via a system property), as well as some further improvements to other database calls.

More granular system permissions are now available for managing the LogonBox Authenticator.

More performance improvements

The most commonly called database query has been improved by a factor of 100, which will reduce CPU load on a busy system.

This new feature is now enabled by default in this release, so all systems can take advantage of these improvements. 

While we were working on performance, some further improvements were identified and optimised, resulting in a noticeable improvement in page load times on servers with many users.

New permissions

LogonBox has always had a very granular set of permissions when rights, so you can target only the permissions you want to grant. One area where such granular permission did not exist was the right to display the LogonBox Authenticator QR code for end users. This new permission (Authenticator Personal) has been added.

Password generator

LogonBox has a password generator available during password resets. It automatically suggests a strong password that meets the password requirements.

It is now possible to disable this feature if you do not want this to happen.

Vulnerability scan updates

We have done the following in this release to resolve some reports from vulnerability scans.

  • The logging framework for the Callback Service has been moved from Log4J to Reload4J to resolve this being flagged in vulnerability scans. The service was not susceptible to any reported vulnerabilities, but this change should stop scanners from reporting this as a false positive.
  • The HTTP Strict-Transport-Security preload directive has been added to all requests. This isn’t technically required, as our HTTP interface only redirects to HTTPS, but adding this directive will stop vulnerability scanners from reporting on this unnecessarily.

Upgrade Instructions

You can directly upgrade from the web UI or the operating system.

To upgrade from the web UI, log on to your admin account, navigate to Server Status from the main dashboard, and click Update. If you have Updates, Features & Licensing->Update Prompt turned on, you may also be prompted automatically upon login.


To upgrade from the operating system:

On Windows – download the new installer, run the installer, and follow the prompts.


On a LogonBox VM – from a shell, type in:

apt update
apt upgrade


If you are still running a version before 2.3, you will need to perform some extra steps from the OS, as detailed here:


Our support team will upgrade Cloud customers over the coming week.



Here is a summary of the changes in this release.


  • Significant performance improvements to some database calls.
  • The database improvement that was added in 2.4.6 as an optional property is now the new default, so all customers will benefit from the most commonly called database query being improved by a factor of 100, which will reduce CPU load significantly on a busy system.
  • Added a new permission, Authenticator Personal. This enables the LogonBox Authenticator setup in a user’s My Credentials page.
  • Moved logging framework for Callback Service from Log4J to Reload4J to resolve vulnerability report (was not susceptible to the vulnerability, but this will stop vuln scanners reporting a potential issue).
  • Added HTTP Strict-Transport-Security preload directive to all requests. This isn’t technically required as our HTTP interface is only there to redrect to HTTPS, but adding this directive will stop vulnerability scanners complaining about this missing item.
  • An admin can now reset a user’s profile state for Duo credentials from the User Directory page.
  • Added hints to the text fields for Security Questions on the profile setup wizard to make it clear that a user needs to set and confirm an answer.
  • SMS messaging now accepts HTTP 202 responses, which some messaging providers use.
  • Added new account locked event when we detect an AD account has become locked.
  • VPN clients are now excluded from the concurrent sessions notifications check to stop the popup on a VPN client.


    • On browser windows less than 1100 pixels wide, the user list in User Directory now displays as expected rather than getting pushed down the page.
    • Add All, Remove All and Reset actions in multi-select fields are now correctly showing as buttons rather than links and have a consistent text size.
    • The column filter on the Users page had a blank entry. This is now correctly named after the Actions tab and shows/hides the Actions column.
    • Features can now be removed again from Updates, Features & Licensing.
    • The setup prompt for the LogonBox Authenticator QR code now has the app store icons below it correctly justified.
    • Removing a Role from a user in the Roles tab when a user object has been expanded with the + button now works again.
    • If an AD user is locked, you can no longer log into LogonBox if you have Cache Passwords turned on.
    • Fixed an issue with registering a ToTP authenticator (Microsoft, Google, Authy) on a sub-realm if using the Realm Selector dropdown. This now registers correctly again.
    • Fixed prompts for PIN on profile completion wizard which was not happening if User Selective 2FA was also in use.
    • Altered server log rolling so that logs roll over once per day as they used to. A bug was introduced with the Log4J2 upgraded where logs would rotate every 20Mb and then never get cleaned up after their max age.
    • Attachments can be sent on a message template again
    • Fixed an issue where you couldn’t update the user directory configuration when the UI was set to Portuguese language.
    • Removed redundant search buttons for filter input text boxes on System Configuration->SSL.
    • Added an expiry time to some of the recently introduced caching to reduce memory load over time.
    • Altered JSON response returned on bad username during login to not return the username (only happened previously when verbose errors were on which falsely triggered some vulnerability scanners).
    • It’s possible to add multiple certificates to the HTTPS Interface again.
    • Local Groups can now be deleted on the VPN after they have previously been assigned to a peer definition.