Last Revision:
December 10, 2018
These notes are additional to the WebMarshal User Guide and supersede information supplied in that Guide.
The information in this document is current as of the date of publication. To check for any later information, please see Trustwave Knowledge Base article Q21060.
New Features
System Requirements
Upgrade Instructions
Uninstalling
Release History
For more information about additional minor features and bug fixes, see the release history.
To review earlier feature enhancement history, see the release notes for earlier WebMarshal versions, available through the Trustwave Knowledge Base.
Hardware required is dependent on the number of concurrent web users and the rules in use. Use of Filtering Lists improves performance. Heavy use of TextCensor decreases performance. Be prepared to adjust specification as required.
Typically a computer with the following specifications is adequate as a processing server for 250-500 concurrent users.
WebMarshal Array Manager, processing servers, and Console require the following software:
Note: Install Windows using the English language version.
Upgrade from 7.X is a standard in-place upgrade. Upgrade/migration from 6.X uninstalls the 32-bit software and installs the 64-bit software.
To upgrade from a WebMarshal 6.11 or later release, run the product installer on each server where WebMarshal components are installed (including the Array Manager, and any additional processing node servers and Console installations).
To upgrade from versions prior to 6.11, you must first upgrade to at least 6.11.0.
If you are logging data to a SQL database, the database must be upgraded. If necessary, the installer will prompt for credentials of a database user with permission to upgrade the database (database owner privilege). If the database is not upgraded, database logging will be disabled until you upgrade the database and re-enable logging. For more information and instructions, see Trustwave Knowledge Base article Q12030.
See the upgrade notes below for version-specific information. For upgrade notes relating to versions prior to 6.11, please see earlier Release Note documents available through the Trustwave Knowledge Base.
For upgrade notes relating to versions prior to 6.11, please see earlier Release Note documents available on the Trustwave website.
WebMarshal can be installed in a variety of scenarios. For full information on uninstalling WebMarshal from a production environment, see the WebMarshal User Guide.
To uninstall a trial installation on a single computer:
The following additional items have been changed or updated in the specific build versions of WebMarshal listed.
WM-5207 | The WebMarshal HTTPS certificate was not saved when HTTPS inspection was not enabled. Fixed. |
WM-5348 | On upgrade WebMarshal replaces the TextCensor DLL with the copy from the install package. |
WM-5357 | Checking of OCSP stapled validity replies did not check the expiry time. Fixed. |
WM-5360 | Traffic Logging now includes the Bytes Sent (in WELF format, "Sent="; in W3C format, "cs-bytes"). |
WM-5365 | File paths longer than 255 characters were not correctly decoded in some cases. Fixed. |
WM-5375 | In release 7.1.0, the Engine could fail to start after upgrade if the default URL category "[Exclude from HTTPS inspection]" did not exist. Fixed. |
WM-5379 | Logging of missing policy elements in the configuration file is improved. |
WM-5401 | The version of TextCensor that is included in the installation has been updated for improved reliability and performance. Features are not changed. |
WM-5417 | The version of Libtet (PDF unpacking) that is included in the installation has been updated. |
WM-5418 | Some third party modules did not correctly handle files when the file name ended with a space or fullstop. Fixed. |
WM-5455 | Matching of SAN entries in certificates was case sensitive, causing validation failure in rare cases. Fixed. |
WM-5458 | The warning message "Token position data not available" has been removed from TextCensor test results and log entries. This event does not affect TextCensor results. |
WM-5473 | In earlier 7.X releases, installation of the Visual C++ 2015 runtime returned an error if Visual C++ 2017 was already installed. Fixed: Visual C++ 2017 is recognized as a valid runtime version. |
WM-3758 | In the Server Tool, stopping or restarting the Proxy service affected all services. Fixed. |
WM-4978 | SSL certificate checking could incorrectly cache session state when sites shared an IP address and port using SNI. Fixed. |
WM-5007 | Caching failed to create folders for top level domains shorter than three characters. Fixed. |
WM-5105 | SSL negotiation was not retried where SSL could not be negotiated due to timeouts. Fixed. |
WM-5195 | The Proxy service could stop responding if Proxy Cache log files could not be created. Fixed. |
WM-5215 | Trustwave domains are added to the default Business Related URL category on new installations. |
WM-5234 | Computer accounts can be imported from Active Directory. For details of the setting to enable this functionality, see Trustwave Knowledgebase article Q20103. |
WM-5248 | Requesting URLCensor categorization of URLs over 256 characters in length returned an error. Fixed. |
WM-5302 | Proxy thread cleanup logic has been improved. |
WM-5304 | Obsolete server certificate keys have been removed from the installation. |
WM-5316 | A new default rule is created to exclude URLs in the "[Exclude from HTTPS inspection]" category from HTTPS inspection. |
WM-5338 | WebMarshal can use the MSOLEDBSQL database driver to allow connection to SQL servers that require TLSv1.2 connections. For more information, see Trustwave Knowledge Base article Q21019. |
WM-5339 | The version of Libtet (PDF unpacking) that is included in the installation has been updated. |
WM-5340 | The version of the TextCensor processor that is included in the installation has been updated to improve performance. Script functionality is not changed. |
WM-5341 | In earlier 7.X versions, the Array Manager stopped unexpectedly when refreshing groups from the NT Connector. Fixed. |
WM-5345 | The customized version of 7zip (archive unpacker) included with WebMarshal has been updated to address known vulnerabilities. |
WM-5346 | WebMarshal automatic updates now include the 7-zip archive unpacker. |
WM-5349 | WebMarshal now supports Elliptic Curve key exchange for SSL connections from clients. |
WM-5351 | WebMarshal now enforces the strongest available cipher for SSL connections from clients. |
WM-5352 | In earlier 7.X releases, it was not possible to connect to the database using a machine name or "localhost". Fixed. |
WM-5355 | In earlier 7.X releases, certain OCSP responses caused the Proxy to stop unexpectedly. Fixed. |
WM-5237 | In release 7.0.1, the Engine could hang with 100% CPU under load in specific circumstances. Fixed. |
WM-5084 | HTTPS rules did not log a classification when the URL was not blocked. Fixed. |
WM-5193 | In release 7.0.0, the installer did not show the scanner installation screen when in Modify mode. Fixed. |
WM-5196 | In release 7.0.0, logging did not correctly display the operating system version in some cases. Fixed. |
WM-5198 | The Address Resolution Preference setting was not included in configuration print output. Fixed. |
WM-5199 | URL matching efficiency has been improved with a change in data structures. |
WM-5200 | Unpacking time has been reduced significantly with improvements in communication between processes. |
WM-5201 | In release 7.0.0, some files published for automatic update would not be updated. Fixed. |
WM-5206 | In release 7.0.0, a configuration could not be restored if it included TextCensor scripts that used item references. Fixed. |
WM-5210 | Upgrade from version 6.X could fail when moving a large Proxy Cache within in the install folder. Fixed: the Proxy Cache is not preserved if it is within the install folder. See Upgrade Notes above. |
WM-5214 | In an array installation, upgraded processing servers encountered an error when attempting to rejoin the array. Fixed. |
WM-4248 | The Trustwave WFDB licensing information in the Array Policy was not updated when a new WebMarshal license key was entered. Fixed. |
WM-4413 | Active Sessions filters were saved when a user navigated away from and back to the page, but were not displayed. Fixed: filters are properly displayed. |
WM-4634 | The Proxy service could stop creating log files if an attempt to create a file failed. Fixed: the service will continue to attempt to create a new file. |
WM-4640 | When a URL in a category was renamed, wildcard syntax was not enforced. Fixed. |
WM-4698 | URLs in the Trustwave Web Filter Database can now be up to 65535 characters in length. |
WM-4977 | CRL checking performance has been enhanced with brief in-memory caching. |
WM-5002 | A virus scanner could not be removed if it was used in any rule, even a disabled rule. Fixed. |
WM-5023 | If a configuration could not be updated on a processing node because the policy folder was locked, policy could be left in an inconsistent state. Fixed. |
WM-5034 | URL matching logic has been updated and made consistent between FileFilter and URL Category matching. |
WM-5037 | WebMarshal now uses OCSP stapling to validate certificates where available. |
WM-5039 | The version of OpenSSL used by WebMarshal has been updated. |
WM-5058 | The customized version of 7zip (archive unpacker) included with WebMarshal has been updated to support newer decompression methods. |
WM-5087 | The included version of SQL Express has been updated to SQL Express 2016 SP1. |
WM-5155 | FileFilter now accepts files that contain a Unicode Byte Order Marker. |
WM-5156 | Importing a configuration during installation caused the engine to stop. Fixed. |
WM-5169 | Configuration updates to nodes are not longer blocked by locked files in the Templates folder. |
WM-5175 | The Proxy could stop if configuration changed while a https connection was being established. Fixed. |
WM-5176 | When a URL in a category was renamed to include a wildcard *, it could no longer be deleted. Fixed. |
WM-5191 | If the WebMarshal Database connection was made using a limited Windows account, FileFilter categories could not be imported to the database. Fixed. |
WM-5004 | User session uploading has been optimized to reduce memory usage. |
WM-5104 | The version of Bitdefender for Marshal bundled with WebMarshal has been updated. |
WM-5147 | Connections to remote sites now support GZIP and DEFLATE encoding. |
WM-5151 | zlib streams were not correctly handled at the end of the stream. Fixed. |
WM-5152 | The versions of Sophos for Marshal, Kaspersky for Marshal, and McAfee for Marshal bundled with WebMarshal have been updated. Installation copies the required DLLs from any existing "for Marshal" malware scanning installation. |
WM-5154 | The version of OpenSSL included with the product has been updated. |
WM-5008 | Memory consumption for FileFilter has been reduced. |
WM-5011 | The proxy service could fail due to a specific issue with the C++ version used. Fixed. |
WM-5022 | The proxy service could fail to start after a configuration commit if the controller was processing a configuration commit and a policy update to the proxy at the same time. Fixed. |
WM-5024 | The unpacking limit setting (introduced in version 6.11) now allows for complete exclusion from unpacking (set by making the limit zero). |
WM-5027 | The proxy service could become unresponsive when checking certificates if the certificate trust chain was circular. Fixed. |
WM-5030 | CRL checking could cause service failures with long CRL URLs. Fixed. |
WM-4968 | A single version of the Regular Expression library is now used by all WebMarshal components. |
WM-4980 | When calls from the Proxy to the Engine timed out (usually due to under-resourced systems), the Proxy could stop unexpectedly. Fixed. |
WM-4981 | The version of OpenSSL included with the product has been updated to 1.0.2h. This update also fixes an issue with inability to extract CRL information from some certificates with V3 extensions. |
WM-4982 | Tortoise SVN did not work through WebMarshal due to a violation of HTTP protocol standards in the client. WebMarshal now handles the requests. |
WM-4984 | In release 6.12.0, matching of URLs with a wildcard in the domain part was not correctly supported. Fixed. |
WM-4985 | Download of Web Filter Database files now retries individual file downloads to be more resilient to minor network issues. |
WM-4986 | The proxy service could fail due to a problem in the revocation check. Fixed. |
WM-4987 | The WebMarshal Engine now reports "starting" for a longer period to reduce misleading "failed to start" reports from other services on slow systems. |
WM-4988 | WebMarshal now supports Chunked encoding for file upload. |
WM-5001 | The X-Authenticated-User header was not added to HTTPS CONNECT requests and some requests for images. Fixed. |
WM-5003 | In release 6.12.0, use of HTTPS CONNECT for FTP proxying did not work. Fixed. Also, the default behavior of related settings now matches the documentation (Knowledge Base article Q12950). |
WM-4717 | The WebMarshal Support Tool has been replaced by the Support Tool as used in the MRC, SEG, and SPE products. This tool is updated automatically when it is run. |
WM-4843 | WebMarshal URL Categories can contain entries ending in a specific file name. |
WM-4882 | For new installations, a default HTTPS rule is included to block sites with invalid certificates. |
WM-4883 | The "Spyware Scanner" selections within Malware Scanners are no longer available to license and have been removed from configuration. Detection of all malware is fully covered through the available virus/malware scanners and TRACEnet. |
WM-4885 | The Policy Tester and entry of URLs in categories now ignore leading and trailing dot, space and tab characters, for consistency with the filter. |
WM-4886 | The Engine, Controller, and Array Manager are now able to access up to 4GB of memory on a 64 bit system. Performance enhancement is expected. |
WM-4887 | TextCensor memory usage has been improved. |
WM-4889 | In version 6.11, the "reason" entry on the FileAborted template was not populated. Fixed. |
WM-4892 | Specific HTTPS sites loaded slowly as the data completion was not recognized. Fixed. |
WM-4893 | The MarshalFilter and SmartFilter URL lists cannot be selected. These lists are no longer offered. |
WM-4894 | File names were displayed and logged as "default.htm" in some cases when the actual file name was available. Fixed. |
WM-4896 | A File Aborted action from a Standard rule resulted in an "invalid template" notice in rare cases. Fixed. |
WM-4899 | Visual C++ 2013 runtimes are installed as required. |
WM-4900 | The X-Forwarded-For header is enabled on HTTP requests by default for new installations, and also for upgrades unless it was explicitly disabled. See also WM-4934. For more information see Trustwave Knowledge Base article Q12723. |
WM-4916 | Traffic log files can now be limited in size. New files will be created as required. For more information see Trustwave Knowledge Base article Q20581. |
WM-4920 | Certificate validation rules failed when the certificate used DHC or ECDHE ciphers. Fixed. |
WM-4921 | Redirect could fail when the HTTP response was malformed (lacking a blank line after headers). Fixed. |
WM-4922 | Distributed files created after January 1, 2016 are signed with a SHA-2 certificate. |
WM-4924 | The version of OpenSSL included with the product has been updated to 1.0.1s. |
WM-4926 | Support for SSLv2 has been removed in all rules and processing. SSLv2 connections cannot be negotiated. A rule to block connections where SSL could not be negotiated is enabled on upgrade. |
WM-4931 | FileFilter will match entries ending in a specific file name. |
WM-4934 | The X-Forwarded-For header can be enabled separately for HTTPS requests by setting a value in the proxy configuration file. See also WM-4900. For more information see Trustwave Knowledge Base article Q12723. |
WM-4937 | The "Read-Only Access - Facebook" rule has been updated to work with the current Facebook framework for new installations only. To update this rule for upgraded installations, see Trustwave Knowledge Base article Q20602. |
WM-4951 | The included SQL Express installer is updated to SQL 2014 Express SP1. |
WM-4957 | The list of event sources shown in the Console Event Viewer has been updated with the current malware scanners. |
WM-4967 | In version 6.11, the Rule Print output did not show the TLS 1.1 and 1.2 options. Fixed. |
WM-4735 | Authentication bypass by User-Agent incorrectly required a matching IP address. Fixed. |
WM-4870 | A corrupt email notification request could block processing of later requests. Fixed. |
WM-4871 | The version of OpenSSL included with the product has been updated to 1.0.1m. |
WM-4850 | The Connection Rules logic has been updated to recognize HTTPS URLs for Google and YouTube video. |
WM-4853 | In release 6.11.0, sites could fail to load or load slowly due to a problem with buffer allocation in the Proxy service. Fixed. |
WM-4868 | In release 6.11.0, if SSL could not be negotiated the proxy service could stop unexpectedly due to a logging error. Fixed. |
WM-4869 | The SHA-256 digest is registered with Open SSL to avoid potential problems generating certificates in the Array Manager. |
WM-4596 | The allowed size of client and server headings can be adjusted if required (for instance if very large headers are required for successful authentication). See Trustwave Knowledge Base article Q20073. |
WM-4800 | The Kaspersky for Marshal linking DLL is correctly signed. |
WM-4801 | Categorization of URLs in a session could be incorrect for a site where the root and paths were differently categorized. Fixed. |
WM-4804 | FTP downloads could fail when the URL contained URL-encoded strings. Fixed. |
WM-4805 | The default size of the TCP/IP application buffer in the Proxy has been increased from 2 to 16 KB to enhance performance. You can adjust the size if required. See Trustwave Knowledge Base article Q20071. |
WM-4806 | When an alternate upstream proxy was configured, reloading configuration would always restart the WebMarshal Proxy service. Fixed. |
WM-4808 | The McAfee for Marshal linking DLL included with the product has been updated to resolve a potential issue with engine responsiveness after updates. |
WM-4810 | The licensing function is now found under the Tools menu of the Console. |
WM-4811 | The log entries for long-running processing threads have been clarified. |
WM-4816 | The version of OpenSSL included with the product has been updated to 1.0.1j. |
WM-4817 | The product End User License Agreement has been updated. |
WM-4818 | The product is re-branded as WebMarshal. |
WM-4821 | The versions of SSL and TLS protocol that will be negotiated and allowed by WebMarshal for client and server connections can be configured. By default SSLv2 and SSLv3 are not allowed. The list of ciphers available for SSL negotiation has been updated to exclude weak and anonymous ciphers. To configure the list of protocols, see Trustwave Knowledge Base article Q20067. |
WM-4823 | Service executable paths are quoted to mitigate a potential vulnerability. |
WM-4824 | WebMarshal Content Inspection certificates are now signed with SHA-256 for improved security. |
WM-4828 | Use of anonymous authentication ciphers is disabled by default. |
WM-4840 | XML documents greater than 50MB in size are not extracted, for performance reasons. |
Note: To review change history for earlier versions, please see the Release Notes for the specific version of WebMarshal. All Release Notes are available through the Trustwave Knowledge Base.
Copyright © 2018 Trustwave Holdings, Inc.
All rights reserved. This document is protected by copyright and any distribution, reproduction, copying, or decompilation is strictly prohibited without the prior written consent of Trustwave. No part of this document may be reproduced in any form or by any means without the prior written authorization of Trustwave. While every precaution has been taken in the preparation of this document, Trustwave assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.
While the authors have used their best efforts in preparing this document, they make no representation or warranties with respect to the accuracy or completeness of the contents of this document and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the author nor Trustwave shall be liable for any loss of profit or any commercial damages, including but not limited to direct, indirect, special, incidental, consequential, or other damages.
Trustwave and the Trustwave logo are trademarks of Trustwave. Such trademarks shall not be used, copied, or disseminated in any manner without the prior written permission of Trustwave.
Trustwave helps businesses fight cybercrime, protect data and reduce security risk. With cloud and managed security services, integrated technologies and a team of security experts, ethical hackers and researchers, Trustwave enables businesses to transform the way they manage their information security and compliance programs. More than three million businesses are enrolled in the Trustwave TrustKeeper® cloud platform, through which Trustwave delivers automated, efficient and cost-effective threat, vulnerability and compliance management. Trustwave is headquartered in Chicago, with customers in 96 countries. For more information about Trustwave, visit https://www.trustwave.com.