
Enhancements v5.4 SP 5

Detailed Endpoint Security Logs

Endpoint Security logs have been enhanced in this release to provide more detail and simplified scan results that are easier for the Security Officer/Administrator to understand. Logs now also include the following information:

| Field | Description |
| --- | --- |
| Realm | HySecure Domain in which the user has logged in. |
| Applied Profile | EPS Device profile applied on logged-in user. |
| Client Type | Client type through which the user logged in, e.g., HySecure Client, Workspace Client, HyLite Portal |
| Client Mode | Client mode, e.g., Windows Client, Mac, Linux |
| Operating System Name | Operating System name from where the user logged in. |
| Operating System Version | Operating System version from where the user logged in, e.g., Windows Version 22H2. |
| Domain | The domain name of the client machine from where the user is logged in. |

The Endpoint Security Logs Details field has been changed to Status to provide more details and better device scan status. Now it will also show the following information:

| Field | Description |
| --- | --- |
| Windows Activation Status | Whether Windows is Activated on client machine |
| Windows License Status | Whether Windows is Licensed on client machine |
| Update Services Status | Whether Windows Update Service is running on client machine |
| Last Update Check On | Time at which Windows update was last checked on client machine |
| Update Status | Whether Windows is updated |
| Update Behavior | Whether Windows will update automatically or manually |
| Client Version | HySecure client version installed on client machine |
| Real Time Protection Status | Whether Real-Time Protection is enabled for Antivirus |
| Profile Scan Information Explanation | Detailed explanation of profile scan result |

Note

Endpoint Security logs existing before this upgrade will not be shown in the management console as the table structure for logs has been changed. Supported Client Version: HySecure Windows Client V5.2.8537 onwards.

EPS remediation message for Antivirus

This release has added support for remediation messages for antivirus and Windows Updates. Currently, only HySecure Windows client V5.2.3.8508 and above will support this.

A remediation message will be shown for the following cases:

  1. If a compliant antivirus is not installed on the user device, the remediation message will be shown: Corporate compliant antiviruses are (comma separated list of configured anti viruses). Please install one of these to remediate.

  2. If the user device has a compliant antivirus installed but the antivirus definitions are not up to date, the remediation message will be shown: Your Antivirus definitions are out of date. Please update your Antivirus definitions.

  3. If the user device has a compliant antivirus installed but it is disabled, the remediation message will be shown: Real Time Protection of your Antivirus is disabled. Please enable it.

In EPS log details, the scan status will be shown as remediation sent when the remediation has been sent to the user.

PC Token support for 2FA

This release adds support for PC Token as a new 2FA token for user login into the HySecure client and HyLite Portal. PC token will be available as a 2FA token while creating/modifying the HyID policy.

To register a PC Token, PC Token must be enabled in the HyID policy so that users receive a link to register it.

User Group support for Remote Meeting

From this release it is possible for user groups to join Remote Meetings. Earlier, administrators had to list individual usernames to enable them to join a remote meeting session.

How to configure support for Remote Meeting

  1. The administrator must create two distinct remote meeting applications.

  2. The first remote meeting application should be assigned to users who are authorized solely to create remote meeting sessions. These users will have the ability to create remote meeting sessions.

  3. The second remote meeting application should be assigned to users authorized to create and join remote meeting sessions. These users will be able to join remote meeting sessions and create them.

TLS 1.3 support (Limited)

Support for TLS 1.3 is added for performance and speed improvement compared to TLS 1.2. The Security Officer can enable TLS 1.3 from Settings > Global > Server. If TLS 1.3 is not supported, the gateway will automatically negotiate TLS 1.2, provided TLS 1.2 support is enabled. TLS 1.3 is supported for the following types of communication:

  • HySecure Gateway to HyLite Portal and vice versa.

  • HySecure Gateway to SMS gateway and vice versa.

  • HySecure Gateway to AD/LDAP server and vice versa.

  • HySecure Gateway to Radius server and vice versa.

  • HySecure Gateway to HyWorks controller and vice versa.

Enabling both TLS 1.2 and TLS 1.3 is recommended because not all services and application servers may support TLS 1.3. This ensures that if TLS 1.3 is not supported, the connection can automatically negotiate TLS 1.2, allowing users to access the service.
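To see which of the backends listed above actually negotiates TLS 1.3 before changing the gateway setting, each one can be probed with a client pinned to a single protocol version. This is an added example, not HySecure code; the host name and port in it are hypothetical placeholders.

```python
import socket
import ssl

# Protocol versions the release note discusses, newest first.
VERSIONS = (("TLSv1.3", ssl.TLSVersion.TLSv1_3), ("TLSv1.2", ssl.TLSVersion.TLSv1_2))

def pinned_context(version):
    """Client context that can negotiate exactly one protocol version."""
    ctx = ssl.create_default_context()   # certificate and hostname checks stay on
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx

def probe(host, port, timeout=5.0):
    """Try one handshake per version; map version name -> outcome string."""
    results = {}
    for name, version in VERSIONS:
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                ctx = pinned_context(version)
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[name] = "ok" if tls.version() == name else "mismatch"
        except ssl.SSLCertVerificationError:
            results[name] = "cert-untrusted"   # trust problem, not a version problem
        except (ssl.SSLError, OSError):
            results[name] = "failed"           # refused, timed out, or no common version
    return results

def advise(results):
    """Turn probe results into the gateway setting this backend needs."""
    if "cert-untrusted" in results.values():
        return "fix certificate trust, then re-run"
    if results.get("TLSv1.3") == "ok":
        return "TLS 1.3 negotiates"
    if results.get("TLSv1.2") == "ok":
        return "keep TLS 1.2 enabled (backend lacks TLS 1.3)"
    return "no common version or host unreachable"

if __name__ == "__main__":
    # Hypothetical backend; replace with an endpoint your gateway talks to.
    target = ("ldap.example.internal", 636)
    print(target, advise(probe(*target)))
```
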

New Antivirus added for host scan policies

In this release, Antivirus products shown in the image below have been added to the Antivirus type host scan policy.

User Directory Access for SAML Identity Provider (Limited)

From this version onwards, accessing user directories from a SAML Identity Provider is possible. Previously, the HySecure gateway could not retrieve users from a SAML Identity Provider. This will enable the creation of access control policies based on users for the SAML Identity Provider. Previously, any access control policy created would be applied to all users.

The Enable User Directory access option can be turned on from the SAML Identity Provider configuration.

Note

This enhancement is only supported for Azure AD as a SAML Identity Provider.

Unlock User Profile in HySecure Gateway

In this release, the Self Service Portal feature has been enhanced to allow end users to unlock user profiles created in the Registered user's section of the HySecure management console. Users can do the same through HyLite Portal or HySecure client.

By default, this feature is disabled. It can be enabled from the Authentication domain.

How to unlock User Profile

  1. Access the HyLite Portal in a web browser.

  2. Select Self Service Portal.

  3. Enter the username whose profile needs to be enabled, select the HySecure domain, and Submit.

  4. Authenticate using OTP, PIN, Security Questions, or the selected Authentication method.

  5. Select Unlock profile option and Submit.

  6. The user will be shown a success message, and the profile will be unlocked.

Threshold support for Syslog server

This release includes support for sending EPS, HyID, Security, and Alert logs to a Syslog server. Previous versions only allowed for User and Admin logs to be sent to Syslog servers. In addition, a new threshold log level has been introduced in this release.

Logging level order: DEBUG < INFO < WARN < ERROR < FATAL

If the threshold log level is set to INFO, higher-level logs will also be sent to the Syslog server. If "Send to Syslog" is enabled, logs with log levels of INFO, WARN, ERROR, and FATAL will be sent to the Syslog server.
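The threshold rule above determines which events ever reach the Syslog server, so it is worth modelling what a given setting drops. The sketch below is an added example, not HySecure code: the sample events, the level assigned to each, the host name, the RFC 5424 severity mapping and the local0 facility are all assumptions made for illustration.

```python
# Level order as stated in the release note, lowest first.
LEVELS = ("DEBUG", "INFO", "WARN", "ERROR", "FATAL")
# Assumption: mapping to RFC 5424 severities and facility local0 (not documented here).
SEVERITY = {"DEBUG": 7, "INFO": 6, "WARN": 4, "ERROR": 3, "FATAL": 2}
FACILITY = 16

def is_forwarded(level, threshold):
    """An event is sent when its level is at or above the threshold."""
    return LEVELS.index(level) >= LEVELS.index(threshold)

def to_rfc5424(event, host="gw.example"):
    """Render one event as an RFC 5424 line; PRI = facility * 8 + severity."""
    pri = FACILITY * 8 + SEVERITY[event["level"]]
    return f"<{pri}>1 {event['ts']} {host} {event['category']} - - - {event['msg']}"

def split_by_threshold(events, threshold):
    """Return (lines sent to syslog, events that never leave the gateway)."""
    sent = [to_rfc5424(e) for e in events if is_forwarded(e["level"], threshold)]
    dropped = [e for e in events if not is_forwarded(e["level"], threshold)]
    return sent, dropped

# Constructed sample events, one per log category named in the release note.
SAMPLE = [
    {"ts": "2024-01-10T09:15:02Z", "category": "EPS", "level": "INFO",
     "msg": "scan status: remediation sent"},
    {"ts": "2024-01-10T09:15:40Z", "category": "HyID", "level": "WARN",
     "msg": "OTP verification failed"},
    {"ts": "2024-01-10T09:16:05Z", "category": "Security", "level": "ERROR",
     "msg": "login denied by access control policy"},
    {"ts": "2024-01-10T09:17:11Z", "category": "Alert", "level": "FATAL",
     "msg": "license expired"},
    {"ts": "2024-01-10T09:17:30Z", "category": "Admin", "level": "DEBUG",
     "msg": "configuration page loaded"},
]

if __name__ == "__main__":
    for threshold in ("INFO", "ERROR"):
        sent, dropped = split_by_threshold(SAMPLE, threshold)
        print(f"threshold={threshold}: {len(sent)} sent, "
              f"dropped categories: {[e['category'] for e in dropped]}")
        for line in sent:
            print("  ", line)
```

With these sample events, raising the threshold from INFO to ERROR silently removes the EPS and HyID entries from the SIEM feed, which matters if detections depend on them.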

On-Screen Notification of License Expiry

In this release, a new enhancement for the HySecure gateway license has been added. The HySecure Monitor page will now display a floating message that dynamically notifies the Security Officer/Administrator when HySecure Gateway License will expire or has already expired.

By default, the Monitor page will start showing the expiry message 7 days before the License expires. If the License expiry alert is configured 'n' days in advance, the Monitor page will display the message starting 'n' days before expiration. This message will be shown daily until the License is expired.

Once the License is expired, Monitor page will display a message stating that “License is expired. Please renew the License.”

Unlock the account in User Directory

In this release, support for unlocking user accounts locked in Windows Active Directory and HySecure Native user’s database through the Self-service portal has been added. An end user can now unlock the account through the HyLite portal and HySecure client.

To enable account unlocking in the AD/Native server, follow the steps below:

  1. Login into the HySecure management console.

  2. Go to Settings > Authentication > Authentication Domain.

  3. Select and modify the Authentication domain mapped to the required Active directory/Native server.

  4. Enable Unlock account in AD/Native server and Self Service Portal.

How to unlock an account using Self Service Portal

  1. Launch HySecure Client and click on forgot password. The user will be redirected to the Self Service portal in HyLite.

  2. User can alternatively go to the HyLite portal and select “Self Service Portal”.

  3. Verify the user by entering Captcha/Security Questions/PIN/OTP. The user will reach the screen to select between “Unlock user account” and “Forgot password.”

  4. Select unlock user account and click on submit. The user account will be unlocked in the user directory.

Device categorization

In this release, the existing Devices screen in the Management Console has been categorized into two categories:

Access Devices: Access Devices will have the details of registered devices from which end users log in. Earlier, the same details were captured in Devices.

Authentication Devices: Authentication Devices is a newly created screen that will have the details of mobile devices registered for passwordless login.

Monitor Auto Backup services

From this release onwards, Auto Backup services which are responsible for sending backups automatically to the FTP server or mail, will be monitored to run at all times. If these services stop for any reason, they will be started automatically. Also, the button to stop Auto Backup has been removed from this release onwards.

Log categorization

Six new categories are added - HySecure Logs, HyID Logs, Common Logs, Appliance Logs, System Logs, and Other Logs. Security Officers and Administrators can download these log files, as shown in the image below. Monitoring Users can also download all logs except debug logs from the Management Console.

Miscellaneous

  1. Option to search SAML Identity Provider based on Identity Provider name, Domain name, Entity ID, and SSO Service Endpoint.

  2. Added support for custom port numbers for the reverse proxy application. In previous releases, if the SSL port of the gateway was changed from the default port (443), the reverse proxy applications became inaccessible since the application did not support custom ports. However, in the latest release, support for custom ports has been added, allowing users to access reverse proxy applications even if the SSL port of the gateway is changed.

  3. To ensure proper synchronization and avoid user login during upgrade activities, maintenance mode has been made mandatory to apply a hotfix/service pack.

  4. Added a search filter to list reverse proxy-based web applications.

  5. From this version onwards, it is no longer necessary to include the cluster configuration page’s hidden HTTP application. Furthermore, some changes have been made to the user interface (UI), such as moving the RELOAD SERVICES button to a different location and presenting the load-balancing servers in a table.

  6. Support to start, stop and restart VM and status of VM.

  7. Disconnect and logout functionality for RDP sessions on HyLite.

  8. Pulse logs are enabled in the HySecure gateway by default. These logs will also be archived with other logs.

  9. The user’s display name instead of user ID will be shown after login into the HyLite portal.

  10. Option to change an expired LDAP user password.

  11. Multiple Mobile number support for SMS OTP through the HyLite portal.

  12. Ability to specify user password expiry during import.

  13. Multiple Mobile number support for SMS OTP; option to copy Mobile Token registration URL.

  14. Reset and delete options in app whitelisting rules for process paths in default and custom rules. The Security Officer/Administrator can reset the process paths while adding or editing the app whitelisting rules.

  15. The Account Lockout Access Control feature has been enhanced to include the ability to disable user accounts if they do not log in within the specified number of days after creation. Implement deactivation by creating an Account Lockout policy.