
Airlock 4.2 Highlights

Affects product: 
Airlock WAF

Airlock 4.2 has been developed with the following targets in mind:

  • Support for newest hardware
    Airlock 4.2 is based on the latest release of Solaris 10 and supports the newest hardware (x86 and SPARC) and drivers for many popular RAID controllers.
  • Improved stability and performance
    Both CPU load and memory consumption have been reduced, resulting in a noticeable performance boost.
  • Completely new administration user interface
    The new Configuration Center is both easy to understand for beginners and flexible for an expert.
  • Free and easy upgrade from previous releases
    Upgrading from Airlock 4.1 is almost as easy as booting from CD. Just follow our checklist for a hassle-free upgrade.

 


New admin interface

The Configuration Center has undergone a complete re-work. The navigation, look and feel of the GUI have been redesigned for better usability. And much more has changed under the hood...

Flexible administrator authentication

The administration login is now based on Airlock's proven authentication service. This makes it easy to customize the authentication of Airlock administrators. You can basically use any authentication scheme supported by the Airlock Authentication Service, for example:

  • Switch to external authentication using a central user directory (LDAP/AD, RADIUS etc.)
  • Require strong authentication (client certificate, one-time passwords, RSA etc.)

Each administrator should get his or her own personal Airlock account. Administrators can be added or edited using a simple but effective user management script.

Role-based administration permissions

Airlock comes with predefined roles with tailored permissions (including a read-only role and an application owner). As an experimental feature, you may also add your own roles with custom permissions down to single configuration fields.

Graphical reverse proxy connections

The new Reverse Proxy page combines the list of virtual hosts, mappings and back-end hosts. The connecting lines between these elements give you a quick overview of how your applications are published. And you can even edit these connections visually! Adding a new connection or removing an existing line takes only one mouse click.

Reverse Proxy Connections

Select a virtual host, mapping or back-end host to edit its properties in the detail view below the Reverse Proxy table. The numerous fields are grouped into tabs for a better overview and less scrolling.

Configuration History

All configuration and rule changes are now saved in the configuration history. This allows for a quick roll-back if some of the changes result in unexpected problems. As this list contains the administrator name and a personal comment, it also serves as an audit trail.

Last but not least: You can now save configuration changes without actually activating them. Together with the role-based permission model, the duties may be separated. The application owner might for example prepare (=save) the rule changes, while the Airlock administrator double-checks the changes and activates them.

Configuration History Screenshot

Partial configuration import/export

A single mapping can now be exported for copying application-specific rule changes to another Airlock. This is useful in the typical scenario of multiple staging environments:

  • Test Environment
      • A new web application release gets tested
      • Application owner verifies and adapts Airlock rules
      • Application owner exports the relevant mapping and sends the mapping file to the production-Airlock admin
  • Production Environment
      • New application release is deployed in production
      • Airlock admin imports mapping file and re-connects it to the corresponding virtual and back-end host(s)

Transfer mapping from test to production

 

Standard Application Templates

When creating a new mapping, you can choose a template. Airlock 4.2 comes with a list of predefined templates for standard applications:

  • Blank mapping (creates a new mapping with default values)
  • Authentication Service mapping
  • SSL VPN mapping
  • Outlook Web Access
  • Outlook Mobile Access (Active Sync)
  • Microsoft Sharepoint

More templates will be added with later releases.

Expert Settings

Airlock contains many tweaks and expert options that are not part of the graphical user interface because they would overburden the normal administrator. These expert settings are no longer hidden in special configuration files. Instead of struggling with the vi editor, you may now use the expert settings editor to override the default values for all settings. Your own settings are now separated from the Airlock defaults; you are no longer in danger of losing any custom changes. And of course, these settings are now part of the Airlock configuration file.

Expert Settings Screenshot

 

Background Activation

When adding a complex application to your Airlock configuration, you may need several attempts to get everything right. That's where Airlock helps you keep the integration change-cycles as short as possible:

  • Activate in background if you do not want to wait until all changes are active. Just continue to refine your configuration after activating a small change.
  • Activation will not move you away from the current page. No need to look for the mapping you were just editing...
  • Activation is now much faster because all configuration changes are continuously validated (as soon as you submit them or move to another page). Any errors or warnings are immediately displayed right behind the affected fields.

Skins

Have you ever changed the configuration on the wrong Airlock? You may choose a different skin color for each Airlock to quickly recognize the system or environment you are managing.

Skins help to quickly identify the environment

RegEx Tester

Even if you are the master of regular expressions, you may want to test your new pattern before you activate your changes. For that purpose, the regular expression editor also contains a test field.

Regular expression tester

Comment Box

You often want to document why you have configured something exactly that way. With Airlock 4.2, we have added many more fields for these comments. In order to save precious screen space, your comments are now visible on demand: Clicking on the comment icon opens a small text box to read or change the notes for a particular setting. The icon changes to indicate whether any notes exist for that field.

Comment popup

 

Centralized Certificate Management

The new Certificates page lists all SSL server certificates and allows you to add your own certificates. On the SSL tab of each virtual host, you can select one of these certificates. As Airlock supports wildcard certificates and the 'Subject Alternative Name' extension, you may easily share the same certificate for multiple domain names.

 

New core features

  • Load Balancing: Starving back-end hosts
    Just set a back-end host to Maintenance before you take it offline: The back-end host will then be ignored for new users, i.e. no new sessions are assigned to it. The system begins to starve as its sessions are terminated (timeout/logout). Vice versa, you can also add an additional back-end host at runtime to balance the load to one more server.
  • Multiple virtual hosts per mapping
    If your application should be available under more than one domain name, you can now connect a mapping to multiple virtual hosts. This comes in handy for multi-language sites with similar content for many different domains.
  • Application cookie settings per mapping
    Cookie encryption and pass-through prefixes are no longer global settings, they can now be configured per mapping. This is an important security improvement as you can control more precisely how your application cookies are protected. Furthermore, these two parameters are now configured by regular expressions.
  • Back-end timeout per mapping
    Timeouts help to free Airlock resources if a request seems to be hanging for a long time. As the normal behaviour depends on the actual application and its normal usage, this timeout is now configurable per mapping.
  • HttpOnly Session Cookie
    Airlock's own session cookie is now even better protected thanks to the HttpOnly flag. This helps mitigate session hijacking attacks based on XSS.
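
The maintenance behaviour described under "Load Balancing: Starving back-end hosts" can be modelled as follows. This is an added sketch, not Airlock code: the class and field names are hypothetical, and sticky sessions with least-sessions selection are assumptions made for the illustration.

```python
# Added illustration; Backend, Balancer and the mode names are hypothetical.
from dataclasses import dataclass, field

ENABLED, MAINTENANCE = "enabled", "maintenance"

@dataclass
class Backend:
    name: str
    mode: str = ENABLED
    sessions: set = field(default_factory=set)

class Balancer:
    def __init__(self, backends):
        self.backends = {b.name: b for b in backends}
        self.sticky = {}  # session id -> back-end name

    def route(self, sid):
        """Return the back-end host for a request carrying session `sid`."""
        name = self.sticky.get(sid)
        if name is not None:
            return name  # existing sessions stay put, even in maintenance
        candidates = [b for b in self.backends.values() if b.mode == ENABLED]
        if not candidates:
            raise RuntimeError("no back-end host accepts new sessions")
        target = min(candidates, key=lambda b: (len(b.sessions), b.name))
        target.sessions.add(sid)
        self.sticky[sid] = target.name
        return target.name

    def end_session(self, sid):
        """Logout or timeout: release the session from its back-end host."""
        name = self.sticky.pop(sid, None)
        if name is not None:
            self.backends[name].sessions.discard(sid)

    def add_backend(self, backend):
        self.backends[backend.name] = backend  # may happen at runtime

    def safe_to_take_offline(self, name):
        b = self.backends[name]
        return b.mode == MAINTENANCE and not b.sessions

def demo():
    lb = Balancer([Backend("app1"), Backend("app2")])
    first = {sid: lb.route(sid) for sid in ("s1", "s2", "s3", "s4")}
    lb.backends["app1"].mode = MAINTENANCE       # start starving app1
    new = [lb.route(sid) for sid in ("s5", "s6")]  # new users avoid app1
    still_sticky = lb.route("s1")                # old session keeps working
    for sid in [s for s, n in first.items() if n == "app1"]:
        lb.end_session(sid)                      # sessions time out / log out
    return first, new, still_sticky, lb.safe_to_take_offline("app1")
```

A host is only safe to take offline once it is in maintenance and its last session has ended; taking it down earlier cuts off the users still bound to it.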

Licensing changes

Airlock 4.2 requires a new license key. Please request your new license key before upgrading.

  • A license may now contain multiple network interface (MAC) addresses. For a failover cluster, you typically get a single license key containing the MAC addresses of both Airlocks.
  • The RawSessionSlots parameter is no longer part of the license key. This parameter determines the maximum number of session slots of both anonymous and authenticated users. Its value depends on the memory available, but also on the number of users and on their typical application usage. Check the upgrade guide for more information about the formula for the default value and how to customize it.