Last Revision:
July 24, 2017
These notes are additional to the WebMarshal User Guide and supersede information supplied in that Guide.
The information in this document is current as of the date of publication. To check for any later information, please see Trustwave Knowledge Base article Q20453.
New Features
System Requirements
Upgrade Instructions
Uninstalling
Release History
For more information about additional minor features and bug fixes, see the release history.
To review earlier feature enhancement history, see the release notes for earlier WebMarshal versions, available through the Trustwave Knowledge Base.
Hardware required is dependent on the number of concurrent web users and the rules in use. Use of Filtering Lists improves performance. Heavy use of TextCensor decreases performance.
Typically a computer with the following specifications is adequate as a processing server for 250-500 concurrent users.
WebMarshal Array Manager, processing servers, and Console require the following software:
Note: Install Windows using the English language version.
To upgrade from a previous version 6.X release, run the product installer on each server where WebMarshal components are installed (including the Array Manager, and any additional processing node servers and Console installations).
If you are logging data to a SQL database, the database must be upgraded. If necessary, the installer will prompt for credentials of a database user with permission to upgrade the database (database owner privilege). If the database is not upgraded, database logging will be disabled until you upgrade the database and re-enable logging. For more information and instructions, see Trustwave Knowledge Base article Q12030.
See the upgrade notes below for version-specific information. For upgrade notes relating to versions prior to 6.9.5, please see earlier Release Note documents available through the Trustwave Knowledge Base.
For upgrade notes relating to versions prior to 6.9.5, please see earlier Release Note documents available on the Trustwave website.
WebMarshal can be installed in a variety of scenarios. For full information on uninstalling WebMarshal from a production environment, see the WebMarshal User Guide.
To uninstall a trial installation on a single computer:
The following additional items have been changed or updated in the specific build versions of WebMarshal listed.
WM-5004 | User session uploading has been optimized to reduce memory usage. |
WM-5104 | The version of Bitdefender for Marshal bundled with WebMarshal has been updated. |
WM-5147 | Connections to remote sites now support GZIP and DEFLATE encoding. |
WM-5151 | zlib streams were not correctly handled at the end of the stream. Fixed. |
WM-5152 | Installation copies the required DLLs from any existing "for Marshal" malware scanning installation. |
WM-5154 | The version of the TLS/SSL library included with the product has been updated. |
WM-5008 | Memory consumption for FileFilter has been reduced. |
WM-5011 | The proxy service could fail due to a specific issue with the C++ version used. Fixed. |
WM-5022 | The proxy service could fail to start after a configuration commit if the controller was processing a configuration commit and a policy update to the proxy at the same time. Fixed. |
WM-5024 | The unpacking limit setting (introduced in version 6.11) now allows for complete exclusion from unpacking (set by making the limit zero). |
WM-5027 | The proxy service could become unresponsive when checking certificates if the certificate trust chain was circular. Fixed. |
WM-5030 | CRL checking could cause service failures with long CRL URLs. Fixed. |
WM-4968 | A single version of the Regular Expression library is now used by all WebMarshal components. |
WM-4980 | When calls from the Proxy to the Engine timed out (usually due to under-resourced systems), the Proxy could stop unexpectedly. Fixed. |
WM-4981 | The version of the TLS/SSL library included with the product has been updated. This update also fixes an issue with inability to extract CRL information from some certificates with V3 extensions. |
WM-4982 | Tortoise SVN did not work through WebMarshal due to a violation of HTTP protocol standards in the client. WebMarshal now handles the requests. |
WM-4984 | In release 6.12.0, matching of URLs with a wildcard in the domain part was not correctly supported. Fixed. |
WM-4985 | Download of Web Filter Database files now retries individual file downloads to be more resilient to minor network issues. |
WM-4986 | The proxy service could fail due to a problem in the revocation check. Fixed. |
WM-4987 | The WebMarshal Engine now reports "starting" for a longer period to reduce misleading "failed to start" reports from other services on slow systems. |
WM-4988 | WebMarshal now supports Chunked encoding for file upload. |
WM-5001 | The X-Authenticated-User header was not added to HTTPS CONNECT requests and some requests for images. Fixed. |
WM-5003 | In release 6.12.0, use of HTTPS CONNECT for FTP proxying did not work. Fixed. Also, the default behavior of related settings now matches the documentation (Knowledge Base article Q12950). |
WM-4717 | The WebMarshal Support Tool has been replaced by the Support Tool as used in the MRC, SEG, and SPE products. This tool is updated automatically when it is run. |
WM-4843 | WebMarshal URL Categories can contain entries ending in a specific file name. |
WM-4882 | For new installations, a default HTTPS rule is included to block sites with invalid certificates. |
WM-4883 | The "Spyware Scanner" selections within Malware Scanners are no longer available to license and have been removed from configuration. Detection of all malware is fully covered through the available virus/malware scanners and TRACEnet. |
WM-4885 | The Policy Tester and entry of URLs in categories now ignore leading and trailing dot, space and tab characters, for consistency with the filter. |
WM-4886 | The Engine, Controller, and Array Manager are now able to access up to 4GB of memory on a 64 bit system. Performance enhancement is expected. |
WM-4887 | TextCensor memory usage has been improved. |
WM-4889 | In version 6.11, the "reason" entry on the FileAborted template was not populated. Fixed. |
WM-4892 | Specific HTTPS sites loaded slowly as the data completion was not recognized. Fixed. |
WM-4893 | The MarshalFilter and SmartFilter URL lists cannot be selected. These lists are no longer offered. |
WM-4894 | File names were displayed and logged as "default.htm" in some cases when the actual file name was available. Fixed. |
WM-4896 | A File Aborted action from a Standard rule resulted in an "invalid template" notice in rare cases. Fixed. |
WM-4899 | Visual C++ 2013 runtimes are installed as required. |
WM-4900 | The X-Forwarded-For header is enabled on HTTP requests by default for new installations, and also for upgrades unless it was explicitly disabled. See also WM-4934. For more information see Trustwave Knowledge Base article Q12723. |
WM-4916 | Traffic log files can now be limited in size. New files will be created as required. For more information see Trustwave Knowledge Base article Q20581. |
WM-4920 | Certificate validation rules failed when the certificate used DHC or ECDHE ciphers. Fixed. |
WM-4921 | Redirect could fail when the HTTP response was malformed (lacking a blank line after headers). Fixed. |
WM-4922 | Distributed files created after January 1, 2016 are signed with a SHA-2 certificate. |
WM-4924 | The version of the TLS/SSL library included with the product has been updated. |
WM-4926 | Support for SSLv2 has been removed in all rules and processing. SSLv2 connections cannot be negotiated. A rule to block connections where SSL could not be negotiated is enabled on upgrade. |
WM-4931 | FileFilter will match entries ending in a specific file name. |
WM-4934 | The X-Forwarded-For header can be enabled separately for HTTPS requests by setting a value in the proxy configuration file. See also WM-4900. For more information see Trustwave Knowledge Base article Q12723. |
WM-4937 | The "Read-Only Access - Facebook" rule has been updated to work with the current Facebook framework for new installations only. To update this rule for upgraded installations, see Trustwave Knowledge Base article Q20602. |
WM-4951 | The included SQL Express installer is updated to SQL 2014 Express SP1. |
WM-4957 | The list of event sources shown in the Console Event Viewer has been updated with the current malware scanners. |
WM-4967 | In version 6.11, the Rule Print output did not show the TLS 1.1 and 1.2 options. Fixed. |
WM-4735 | Authentication bypass by User-Agent incorrectly required a matching IP address. Fixed. |
WM-4870 | A corrupt email notification request could block processing of later requests. Fixed. |
WM-4871 | The version of the TLS/SSL library included with the product has been updated. |
WM-4850 | The Connection Rules logic has been updated to recognize HTTPS URLs for Google and YouTube video. |
WM-4853 | In release 6.11.0, sites could fail to load or load slowly due to a problem with buffer allocation in the Proxy service. Fixed. |
WM-4868 | In release 6.11.0, if SSL could not be negotiated the proxy service could stop unexpectedly due to a logging error. Fixed. |
WM-4869 | The SHA-256 digest is registered with OpenSSL to avoid potential problems generating certificates in the Array Manager. |
WM-4596 | The allowed size of client and server headers can be adjusted if required (for instance if very large headers are required for successful authentication). See Trustwave Knowledge Base article Q20073. |
WM-4800 | The Kaspersky for Marshal linking DLL is correctly signed. |
WM-4801 | Categorization of URLs in a session could be incorrect for a site where the root and paths were differently categorized. Fixed. |
WM-4804 | FTP downloads could fail when the URL contained URL-encoded strings. Fixed. |
WM-4805 | The default size of the TCP/IP application buffer in the Proxy has been increased from 2 to 16 KB to enhance performance. You can adjust the size if required. See Trustwave Knowledge Base article Q20071. |
WM-4806 | When an alternate upstream proxy was configured, reloading configuration would always restart the WebMarshal Proxy service. Fixed. |
WM-4808 | The McAfee for Marshal linking DLL included with the product has been updated to resolve a potential issue with engine responsiveness after updates. |
WM-4810 | The licensing function is now found under the Tools menu of the Console. |
WM-4811 | The log entries for long-running processing threads have been clarified. |
WM-4816 | The version of the TLS/SSL library included with the product has been updated. |
WM-4817 | The product End User License Agreement has been updated. |
WM-4818 | The product is re-branded as WebMarshal. |
WM-4821 | The versions of SSL and TLS protocol that will be negotiated and allowed by WebMarshal for client and server connections can be configured. By default SSLv2 and SSLv3 are not allowed. The list of ciphers available for SSL negotiation has been updated to exclude weak and anonymous ciphers. To configure the list of protocols, see Trustwave Knowledge Base article Q20067. |
WM-4823 | Service executable paths are quoted to mitigate a potential vulnerability. |
WM-4824 | WebMarshal Content Inspection certificates are now signed with SHA-256 for improved security. |
WM-4828 | Use of anonymous authentication ciphers is disabled by default. |
WM-4840 | XML documents greater than 50MB in size are not extracted, for performance reasons. |
WM-4675 | Files in the Templates folder being served in web responses could be locked and prevent application of policy changes. Addressed with improved buffering of files smaller than 32 KB. Larger files, if required, should be served from a web server. |
WM-4768 | The included Sophos for Marshal DLL and installer are updated to version 1.0.4. |
WM-4784 | The included SQL Express installer is updated to 2008 R2. The database size limit imposed by Microsoft for this version is 10GB. |
WM-4785 | In earlier 6.10 releases, HTTPS inspection of Google and YouTube sites could be ineffective. Fixed by WM-4796. |
WM-4786 | Installation of prerequisites could cause a system restart with no confirmation. Fixed. |
WM-4787 | Upgrade from earlier 6.10 versions on an ISA server incorrectly detected WebMarshal ISA plugin mode. Fixed. |
WM-4788 | WebMarshal now supports the MLSD command in FTP connections when using HTTPS content inspection. |
WM-4789 | In earlier 6.10 releases, the M86 Filter List (Trustwave Web Filter) did not respond correctly when a path within a site was categorized differently to the base URL. Fixed. |
WM-4790 | The "Purge unreferenced users at midnight" option did not run daily as expected. Fixed. |
WM-4791 | The "Purge unreferenced users at midnight" setting was not saved to the configuration file. Fixed. |
WM-4793 | The included Kaspersky for Marshal DLL and installer are updated to version 1.0.3. |
WM-4796 | WebMarshal now supports Server Name Indication (SNI) for HTTPS sites. |
WM-4797 | WebMarshal now supports adding the X-Authenticated-User header. For details, see Knowledge Base article Q16479. |
WM-3705 | WebMarshal now supports additional HTTP methods used by Subversion and Microsoft extensions, and included in RFC 3253: REPORT, MKACTIVITY, CHECKOUT, MERGE, BCOPY, GETLIB, (GETSOURCE), (POSTSOURCE), (HEADSOURCE), CHECKIN, VERSION-CONTROL, UNCHECKOUT, LABEL, MKWORKSPACE, BASELINE-CONTROL, ORDERPATCH, PATCH, RPC_IN_DATA, RPC_OUT_DATA. |
WM-4771 | WebMarshal now supports the HTTP methods LOCK and UNLOCK. |
WM-4772 | In version 6.10.1, some temporary files were not deleted when proxy caching was enabled. Fixed. |
WM-4773 | The Exclude from Reporting setting was not correctly applied for Connection Rules in the Active Sessions view. Fixed. |
WM-4774 | The included Sophos for Marshal DLL is updated to version 1.3.4.0. |
WM-4775 | TextCensor is updated to correct a false trigger on credit card number strings. |
WM-4776 | Proxy timeout for SSL and FTP connections can now be specified with an entry in the proxy configuration XML file. See Q12914. |
WM-4782 | Integration with VuSafe has been removed from WebMarshal because the VuSafe service is being terminated as of September 1, 2013. |
WM-4783 | In version 6.10.1, block pages could be displayed to users for reasons that were not obvious (related to binary files of unknown type used in the background by legitimate websites). |
WM-4715 | The Server Tool now applies different default and maximum thread counts for 32 or 64 bit proxies. |
WM-4725 | The January 2013 version of the Google Images results did not show image previews when accessed through WebMarshal in some cases. Fixed. |
WM-4732 | Basic Authentication connection to an upstream proxy could fail in some cases due to a problem with string data. Fixed. |
WM-4766 | The included Kaspersky for Marshal DLL and installer are updated to version 1.0.2. |
WM-3714 | WebMarshal development now uses Visual Studio 2010. |
WM-3842 | The Active Directory connector no longer imports Computer accounts. |
WM-4091 | The Email Notifications edit field in the Console did not accept multiple addresses when the required semi-colon was followed by a space. Fixed: spaces are now ignored. |
WM-4211 | An incorrect error message was shown when a user attempted to access Global Settings without Modify permission. Fixed. |
WM-4267 | FileFilter was reported not to work with URLs longer than 256 characters. Function has now been verified with URLs up to 2048 characters. |
WM-4296 | URLs including non-standard ports did not match entries in the Web Filter database (M86 URL filter list). Fixed. |
WM-4417 | When a service cannot create a text log file, it logs this error to the Windows Event Log. |
WM-4453 | Certain XLSX files took excessive resources to unpack. Fixed. |
WM-4511 | The PurgeLogData stored procedure in the reporting database could deadlock with insertions. An index has been added to the SessionLog table to enhance performance. |
WM-4518 | Traffic log files were not purged as scheduled in some cases where the date was not correctly found. Fixed. |
WM-4574 | The RuleWarnings.XML file used to propagate warnings to nodes could grow large and cause delays. Fixed: the file is pruned of unnecessary data. |
WM-4575 | Proxy temporary files were not deleted in some rare circumstances. Issue addressed by retrying deletion of these files if the first deletion fails. |
WM-4577 | WebMarshal Proxy is now installed in a native 64 bit version on 64 bit systems. |
WM-4598 | The Proxy Cache Tool is now available in a 64 bit version. |
WM-4600 | WebMarshal Proxy 64 bit version supports NDS. |
WM-4606 | WebMarshal can now create Traffic Logs in W3C format (as well as WELF format). |
WM-4619 | In versions 6.9.5 and 6.9.6, the Console Active Sessions raised an "item not found" error when the selected user triggered a rule within nested Policy Groups. This issue did not affect rule processing. Fixed. |
WM-4635 | The Engine service could encounter an issue when shutting down due to incorrect order of events. Fixed. |
WM-4636 | Text log files now include better information about the product version number and server name. |
WM-4644 | WebMarshal block pages were vulnerable to cross-site scripting attack. Fixed. |
WM-4650 | Proxy service logs could include basic authorization strings. Fixed. |
WM-4653 | Active Sessions display performance was poor for large sessions. Fixed. Note that some additional files are now ignored in Active Sessions display. See Help for the Active Session Files window. |
WM-4655 | The number of concurrent connections from a single client IP address is now limited. The limit can be configured. See Q15307. |
WM-4673 | The SafeSearch feature now includes YouTube Safety Mode. |
WM-4677 | Dashboard graphs for Page Requests, Bandwidth, Traffic Type, and Cache Bandwidth are now expressed as Bytes or number per second. |
WM-4680 | WebMarshal can no longer be installed or upgraded as a plug-in to ISA or TMG. |
WM-4697 | URLs longer than 500 characters in the M86 Filter List (WFDB) caused a failure that prevented update of the database. Fixed. |
WM-4514 | In release 6.9.5, TextCensor items including some special characters were not correctly matched. Fixed. |
WM-4516 | In release 6.9.5, TextCensor items including some special characters were not upgraded correctly from the earlier TextCensor format. Fixed. |
WM-4524 | In release 6.9.5, performance counters were not registered under the US English version of Windows with a locale setting. Fixed. |
WM-4529 | In release 6.9.5, the OR keyword incorrectly returned logical "false" when an input was an empty position set (generated by a subexpression such as a FOLLOWEDBY b). Fixed: Evaluating OR with two position sets now returns a position set as the result, even if the input sets are empty. |
WM-4530 | In release 6.9.5, word positions were incorrectly returned for text with conditional word break characters such as the apostrophe and hyphen. Fixed. |
WM-4208 | On non-English versions of Windows, a failure to load performance counters was logged repeatedly. Fixed: logging and retry time are correctly limited. |
WM-4351 | When a URL entry in a category was edited in the Console, comment and insert date were lost. Fixed. |
WM-4396 | The default value for maximum number of proxy threads has been increased to 4000. See the upgrade notes above. |
WM-4406 | An additional TRACEnet DLL file was included in the installation. This did not affect operation. Fixed. |
WM-4407 | When upgrading from version 6.5.6 or below to earlier 6.9 releases, child category information was not correctly imported. Fixed. |
WM-4410 | It is now possible to configure a custom Via: header to obfuscate the source of requests. Contact Trustwave for details of the setting. |
WM-4412 | The Controller could not load the list of users (Users.xml) in some cases due to problems with encoding and illegal XML characters. Fixed: The file is correctly declared and written as UTF-8 and illegal characters are stripped. |
WM-4414 | Proxy and Filter threads could wait for a long time and consume a large amount of memory if the Engine was not responding. Fixed: a timeout has been set for this wait. |
WM-4415 | Full logging (to text logs) now includes detailed information about aborted and blocked requests (including rule name and user name if applicable). |
WM-4420 | The TextCensor functionality has been upgraded. New functionality includes support for Unicode and non-alphabetic languages. This release also includes initial support for automatic upgrades to the TextCensor functionality, through the Array Manager. |
WM-4450 | The Proxy service could encounter a processing loop as a result of a bad response from a site (only when full logging was enabled). Fixed. |
WM-4455 | Users with Unicode characters in the username could not authenticate. Fixed. Note that NDS does not support Unicode names. |
WM-4456 | Minor additions have been made to database structure to support future use of Unicode data in reports. |
WM-4457 | Database synchronization of users could fail with "Access denied due to ACL" in some cases where strict security was set within WebMarshal. Fixed. |
WM-4470 | When an unpacking error occurred, file-related conditions were not run on the top-level file. Fixed. |
WM-4489 | WebMarshal performance counters were not available when the Windows display language was other than English. Fixed. |
WM-4491 | Error messages returned by the operating system as Unicode strings are now displayed properly in WebMarshal notification pages. |
WM-4497 | URLs entered into categories without a reason (comment) entry were not displayed in the Console after a restart of the Array Manager. Fixed. |
Note: To review change history for earlier versions, please see the Release Notes for the specific version of WebMarshal. All Release Notes are available through the Trustwave Knowledge Base.
Copyright © 2017 Trustwave Holdings, Inc.