Updated wording on domain membership screens to make it clear domain membership is only required for NTLM authentication.

Handle the case when DNS isn't available when SPF updates are applied for allowed and/or denied hosts.

There is now a Time of Day criteria available in Content Scanning for SafeChat applications. This allows matching of rules based of the time of day the activity happens. For example, a rule can be created to allow chatting about a specific subject only during specific hours of the day, and blocked the rest of the time.

The Windows BIC Agent now better supports user switching for sites that have multiple users on a single PC. This can optionally be tied in with Internet Auth to have a user automatically log in or log out based on who is active at the terminal.

When a Netbox is configured as an Ethernet Bridge, there is now an option to hard set the Ethernet interface speeds. This is a requirement on some sites where the existing networking infrastructure does not follow accepted Ethernet speed negotiation standards. This should only be used if absolutely necessary as should the infrastructure be updated in the future, it may become hard to diagnose why things are not performing as expected.

It has been discovered that some home routers that run a DNS server do not conform to the standard and do not respond to TXT or SRV DNS requests. The BIC Agent uses these types of records for various services as they should be available as it is part of the very early specification. However due to these faulty devices the BIC Agent will now find work arounds for the network it is running in, including using alternative DNS servers if the currently configured OS ones are not working as they should. If the agent has had to fall back to alternative DNS servers, it will periodically check to see if the OS ones are working (e.g: if the user has changed networks), and if so, start using them again automatically to increase performance.

Some emails that had an invalid encoding (typically spam), would cause text matching rules to not match. If an invalid encoding is detected, the Netbox will now fall back to using UTF-8 (which more closely matches what an email client does) for text searching.

The Netbox can be configured to integrate with most 802.1x devices (including WiFi access points and managed wired switches) using RADIUS Accounts information. This provides the ability to have pass-through authentication with any device that supports 802.1x, including iOS and Android devices. This is also ideal for Bring Your Own Device (BYOD) sites who have a lot of users bringing their own devices onto the network, a user can use their normal directory server credentials and have any policies and reports applied to them as an individual.

Groups now can be named with purely numbers. This allows matching against external authentication providers that may have groups that are only numbers. (Please note: group uploads with only numbers are not supported as this is ambiguous as to if it is referring to a group name or a group ID).

For systems that have not yet authenticated with the Netbox the attempts to authenticate them using pass-through authentication are rate limited. The minimises load on internal authentication servers which can get overwhelmed if to many devices are constantly trying to access the internet, but are always failing.

The tunnel that the Netbox establishes when running behind a firewall now tries additional methods to avoid getting blocked, including working over an upstream CONNECT proxy. Additionally it will also try more regularly to make updates come through more rapidly.

Previously when an entry was added to the direct proxy authentication whitelist, it would also be excluded from filtering. Now all URL's are filtered, even if there is no attached user name. For sites with a default block configuration, this may require a URL filtering policy to be created for these specific URL's to be allowed out.

SafeChat now supports Lotus Connections forums, for both hosted (Lotus Live) and internally hosted sites.

The services the BIC agent runs are now named to better match their function (on both Mac and Windows).

It is now possible to manually enter additional base URL's for specific SafeChat applications. For applications that can be hosted on internal servers, (e.g. Lotus Connections), the custom site URL can be entered here. This also applies to external applications with a custom external URL (e.g.: Google Apps).

Further hardening against tampering. Additional alerts are also produced if tampering is detected on either Mac or Windows.

It is now possible to exclude remote sites from SSL inspection, while still using the upstream CONNECT proxy. Previously white listing one would white list the other.

Additions to the operating kernel to support additional hardware in selected regions.

When running behind an upstream CONNECT proxy, downloads will be attempted from both HTTP and HTTPS sites to prevent filtering by the upstream proxy.

Prevent duplicate entries on the IPS signature configuration screen for languages other than English.

Automatically update SSL inspection certificates if they are about to expire or are invalid for the site.

Updates to user interface for languages other than English.

Added a new Proxy Statistics page under the Administration section of the user interface. This page shows statistics about recent usage and performance of the proxy server. This can help pin-point performance issues.

The CONNECT proxy is now supported when the Netbox is deployed in Ethernet bridge mode.

The Test URL page no longer fails for IP-based policies if only some of the sample criteria are entered (it did work as expected when all criteria were entered).

When the BIC Agent is used on home networks where a consumer gateway device does not respond correctly to TXT and SRV DNS requests, the BIC Agent will disregard the router's DNS server and will go directly to public internet DNS servers. (We encourage any users who are aware they have a router with a faulty DNS server to report it to their provider.)

The CONNECT Proxy may now take a username and password to use to authenticate with an upstream proxy server.

The proxy now has the option to, when configured under Configuration > Web Proxy > Record full URL in proxy logs, provide all GET parameters in the proxy logs visible under Administration > View Logs > Web Proxy. This remains off by default as it may have privacy and legal implications is some jurisdictions.

It is now possible to remove expired licenses for specific AV products. As licenses would not replace existing licenses, expired licenses would remain accessible without this fix.

Minor enhancements to the cloud lookup process to allow more simultaneous lookups.

When using the local database with category web filtering, if a URL is not available in the local database and the lookup goes to the cloud, the filtering service now waits for the response rather than queuing it in the background and immediately returning "uncategorised" for a few seconds. Now if a URL is already classified in the cloud, the category will be returned before the page loads allowing access if appropriate.

There have also been additional performance improvements as part of this upgrade.