Announcing Airlock WAF 5.3

Affects product: 
Airlock WAF

Airlock WAF 5.3 comes with plenty of new features, simplifying day-to-day work as well as the integration of third-party components. The new release brings full support for Microsoft Lync and integrates the session recording solution by Qumram. In addition, several new networking features are included. By supporting VLAN technology, Airlock WAF can now easily be integrated into virtual network architectures. Multiple back-end interfaces and source-based routing round off the new networking stack. As the first release after the launch of the new Airlock Suite, Airlock WAF 5.3 integrates Airlock Login even more tightly, with support for combined licenses and Single Sign-on between the Airlock WAF and Login administration consoles.

Full Support for Microsoft Lync

While running Lync over Airlock WAF has always been possible, authentication of clients relying on NTLM [1] failed with earlier versions. Airlock WAF 5.3 fully supports all clients and has been tested with Microsoft's official test lab for Lync. A mapping template and a manual for integrating Lync with Airlock are available.

Integration of Qumram Interceptor

Our technology partner Qumram offers a cutting-edge Big Data platform for recording, archiving and analyzing all customer interactions in the online world with guaranteed legal compliance. Airlock WAF, being the central gateway to your applications, is the ideal place for integrating the Qumram interceptor, easily covering all applications with a single installation.

Virtual Network Interfaces (VLAN) and Multiple Back-end Interfaces

Airlock WAF 5.3 supports VLAN tagging (IEEE 802.1Q) on all connected network interfaces. This allows operation of separate virtual interfaces over physical interfaces and easy integration of Airlock WAF into existing virtual network architectures.

Together with support for virtual interfaces, we did away with the restriction of having a single interface for back-end communication. Airlock WAF 5.3 supports any number of physical or virtual back-end interfaces and uses CIDR notation for IP addresses and subnet masks consistently throughout the configuration GUI.

Source-based Routing

Routing on Airlock WAF has so far been based on IP address destinations only. Airlock WAF 5.3 adds options for defining source-based routing rules (a subset of policy-based routing). For example, a source-based rule could enforce that requests on the management interface are always answered over the management interface (interface-stickiness). Otherwise, the global default gateway might be used and responses could be sent over a different interface, breaking communication. 
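
The interface-stickiness case above, modelled as an added example (not Airlock code or configuration): a small route lookup showing how a reply from the management address leaves over the default gateway with destination-only routing and stays on the management interface once a source-based rule exists. All addresses, interface names and tables are constructed assumptions.

```python
import ipaddress

# Constructed topology: eth0 faces the external network, eth1 is management.
MAIN_TABLE = [                                  # (destination prefix, interface, gateway)
    ("0.0.0.0/0",    "eth0", "192.0.2.1"),      # global default gateway
    ("192.0.2.0/24", "eth0", None),             # directly connected external network
    ("10.0.99.0/24", "eth1", None),             # directly connected management network
]
MGMT_TABLE = [                                  # table used only for management traffic
    ("10.0.99.0/24", "eth1", None),
    ("0.0.0.0/0",    "eth1", "10.0.99.1"),      # gateway on the management side
]
# Source-based rule: packets sent FROM the management address use MGMT_TABLE.
SOURCE_RULES = [("10.0.99.10/32", MGMT_TABLE)]


def lookup(table, dst):
    """Longest-prefix match on the destination address within one table."""
    hits = [(ipaddress.ip_network(prefix), ifc, gw)
            for prefix, ifc, gw in table
            if dst in ipaddress.ip_network(prefix)]
    if not hits:
        return None
    _, ifc, gw = max(hits, key=lambda h: h[0].prefixlen)
    return ifc, gw


def route(src, dst, source_rules=()):
    """Return (interface, gateway); source rules are evaluated before the main table."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for prefix, table in source_rules:
        if src in ipaddress.ip_network(prefix):
            hit = lookup(table, dst)
            if hit:
                return hit
    return lookup(MAIN_TABLE, dst)


if __name__ == "__main__":
    admin = "172.16.5.20"   # admin workstation in a remote subnet behind 10.0.99.1
    print("destination-only:", route("10.0.99.10", admin))
    print("with source rule:", route("10.0.99.10", admin, SOURCE_RULES))
```
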


Tighter Integration of Airlock Login

Airlock Login, the suite's solution for simple upstream authentication and SSO, can be deployed on an Airlock WAF installation. Integration of Airlock Login on Airlock WAF has been improved by supporting combined license files in the WAF configuration center and providing Single Sign-on between the WAF configuration center and the administration application of Airlock Login.

Cascading ICAP Services 

The ICAP (Internet Content Adaptation Protocol) standard has been used on Airlock WAF for a long time, integrating the Airlock SOAP filter and many third-party components, such as antivirus scanners or the co-browsing solution by unblu. With the Qumram interceptor, another component makes use of Airlock's ICAP interface. Therefore, we significantly extended Airlock's ICAP capabilities, adding support for cascading ICAP handlers (i.e., processing multiple handlers in a row) and several new configuration options.


Information Hiding Mode for URL Encryption

URL encryption is a very powerful dynamic whitelisting technology. However, the effort for integrating dynamic applications with URL encryption may be considerable. To save URL encryption from being turned off hastily, we added a new mode of operation that encrypts URLs coming from servers but accepts unencrypted URLs in requests ("accept and log"). While this does not provide the full protection of the URL encryption feature, it still hides sensitive application information leaked by URLs, such as the application topology or technology stacks.

Cookie Rewriting

Airlock WAF 5.3 adds two new response actions for cookie rewriting. Using the "Rewrite cookie" response action, matching cookies are parsed and specific attributes (e.g., domain or path) can be rewritten easily. Using the "Rewrite raw cookie" action, the complete value of matching Set-Cookie headers can be rewritten.

Footnotes

[1] Please note that NTLM has well-known security flaws. We strongly recommend adding additional security measures when exposing NTLM authentication to the Internet.