1.1.1 Windows 7 Support for Configuration Protection
1.1.2 Fast Initial Encryption
1.1.3 Improved Encryption Performance
1.2 What’s included in the SGN 5.50.1 Release
1.2.1 64-Bit Platform Support for Data Exchange
1.3 What’s included in the SGN 5.50 Release
1.3.3 Web Helpdesk is now included in the SafeGuard Management Center license
1.3.7 Hierarchical Officer Management
1.3.8 Improved Hardware/Operating System Compatibility
- Fault tolerance for USB devices that fall short in adhering to USB specifications
- Improved performance of the initial encryption process when running on Windows Vista or Windows 7
- U3 compliant USB tokens can now be configured by SGN Configuration Protection
- Extended hardware compatibility list in the installer. See the knowledge base article for the latest updates: http://www.sophos.com/support/knowledgebase/article/65700.html
1.3.10 SafeGuard Easy 5.50
1.3.11 Windows PE recovery CD (Virtual Client)
1.3.12 Simplified Installation and Key Backup
Furthermore, the knowledge base now contains an SGN Installation Best Practice Guide; see http://www.sophos.com/support/knowledgebase/article/110259.html.
- Improved UI design and user experience, e.g., a more accurate and comprehensive display of the user state in the client’s tray icon.
- Better support for recovering from accidental/unwanted administrative actions by preventing internal SGN keys from being permanently deleted.
- SGNState now also reports the version of the SafeGuard client.
- A new tool can now roll back the exceptional case of a failed installation that leads to a hang in the POA.
- A compatibility fix for the file filter driver layering in the SafeGuard Enterprise Data Exchange (DX) and Configuration Protection (CP) modules has been added. This allows the concurrent use of file-type based export rules and encrypted files.
- The validity period for a challenge/response session has been extended to 30 minutes. The password retry delay now grows by the power of 2 (it was 3). These measures ease the impact of a forgotten password on the user while still maintaining a high security level.
- Company certificates of previous installations can now be imported during setup for recovery purposes.
- A client-side uninstall password can now be required even from local administrative users via a configurable policy. This applies only to Sophos Endpoint Security packages starting with version 9.5.
- Various performance, security and compatibility improvements throughout the product including all hotfixes issued since SGN 5.40.
- Complete Sophos rebranding.
- Microsoft PKI (length 384 to 4096 bit – but at least 2048 bit is recommended for security reasons)
- MS Base Cryptographic Provider 1.0
- MS Strong Cryptographic Provider
- OpenSSL
- Windows NT authentication
- SQL database authentication (recommended)
- Intel or AMD X86 CPU
- 512 MB RAM (minimum), 1 GB recommended for Windows Vista / 7
- The installation needs at least 300 MB of free hard disk space. For Device Encryption, at least 100 MB of this free space must be one contiguous area. If you have less than 5 GB of free hard disk space and the operating system is not freshly installed, defragment the system before installation to increase the chance that this contiguous area is available. Otherwise, installation may fail with 'not enough free contiguous space', which cannot be supported.
- Windows XP SP2 / SP3, 32 bit
- Windows Vista SP1 / SP2, 32 bit / 64 bit: Enterprise, Ultimate, Business, Home Premium
- Windows 7, 32 bit / 64 bit: Enterprise, Ultimate, Professional, Home Premium
- Internet Explorer Version 6.0 or higher
- Intel or AMD X86 CPU
- 512 MB RAM minimum, 1 GB recommended
- 1 GB free hard disk space (minimum)
- Windows XP SP2 / SP3, 32 bit
- Windows Vista SP1 / SP2, 32 bit: Enterprise, Ultimate, Business, Home Premium
- Windows 7, 32 bit / 64 bit: Enterprise, Ultimate, Professional, Home Premium
| Manufacturer | Card Reader | Interface | Comment |
|---|---|---|---|
| ACS | ACR 38U-CCID | USB-CCID | Requires firmware version ≥ v1.12c |
| ActivIdentity | USB Reader 3.0 | USB-CCID | |
| ActivIdentity | PCMCIA Reader | PC-Card | SCR 243 OEM |
| Broadcom | BCM 5880 | integrated (USB) | |
| Cherry | ST-1044U | USB-CCID | |
| Cherry | ST-2000 | USB-CCID | PIN pad for secure PIN entry is not supported |
| Cherry | ST-4044 | PC-Card | CardMan 4040 OEM |
| Cherry | G83-6644, G83-6733, G83-6744 | USB-CCID | keyboards; secure PIN entry is not supported |
| Dell | RT7D60, SK-3105 | USB-CCID | keyboards |
| Eutronsec | SIM Pocket (incl. combo versions) | USB-CCID | SIM and standard size cards |
| Eutronsec | Smart Pocket (incl. combo versions) | USB-CCID | |
| Fujitsu Siemens | Smartcase SCR (USB) | USB-CCID | a.k.a. “Solo” |
| Gemalto | GemPC Express | ExpressCard | |
| Gemalto | GemPC Twin | USB-CCID | |
| Gemalto | GemPC Key | USB-CCID | SIM size |
| Gemalto | Reflex USB v3 | USB-CCID | |
| HP | SC Terminal (KUS0133) | USB-CCID | keyboard |
| HP | PC Smart Card Reader | PC-Card | SCR 243 OEM |
| Kobil | KAAN Base | USB-CCID | |
| Kobil | KAAN Advanced | USB-CCID | PIN pad for secure PIN entry is not supported |
| Lenovo | Integrated Smart Card Reader | integrated (USB) | Reader might be replaced by another type, depending on market situation |
| o2micro | Oz711 series | integrated (CardBus) | |
| o2micro | Oz776 | integrated-CCID | |
| Omnikey | CardMan 3021, CardMan 3121 | USB-CCID | |
| Omnikey | CardMan 4040 | PC-Card | |
| Omnikey | CardMan 4321 | ExpressCard | |
| Omnikey | CardMan 5125, CardMan 5321 | USB-CCID | contactless interface is not supported |
| Omnikey | CardMan 6121 | USB-CCID | SIM size |
| Ricoh | R/RL/5C476 | integrated (CardBus) | |
| SCM | SCR 243 | PC-Card | |
| SCM | SCR 331 | USB-CCID | Requires firmware version 5.18 or higher |
| SCM | SCR 335, SCR 3310, SCR 3311 | USB-CCID | |
| SCM | SCR 3320 | USB-CCID | SIM size |
| SCM | SCR 3340 | ExpressCard | |
| SCM | SDI 010 | USB-CCID | contactless interface is not supported |
| Texas Instruments | PCI 6515a, PCI 7621 | integrated (CardBus) | Generic support for PCI xx21 readers |
| Manufacturer | Card Reader | Interface | Comment |
|---|---|---|---|
| ACS | ACR 38T, ACR 38U-BMC, ACR 38F, ACR 38K, ACR 100F | USB-CCID | SIM size |
| ACS | ACR 122U, ACR 122T | | contactless interface is not supported |
| Cherry | G81-7040, G81-7043, G81-8040, G81-8043 | USB-CCID | keyboards; secure PIN entry is not supported |
| Cherry | G83-14200, G83-14400, G83-14600 | USB-CCID | biometric keyboards; secure PIN entry and biometric functions are not supported |
| Eutronsec | SIM Reader (incl. combo versions) | USB-CCID | SIM size |
| Fujitsu Siemens | Smartcase SCR (PC Card) | PC-Card | CardMan 4040 OEM |
| Fujitsu Siemens | Smartcase SCR (Express Card) | ExpressCard | SCR 3340 OEM |
| Gemalto | Reflex 20 v3 | PC-Card | SCR 243 OEM |
| Ricoh | R5C835, R5C853 | integrated | |
| SCM | SPR 532 | USB-CCID | PIN pad for secure PIN entry is not supported; requires firmware version 5.10 and updated Windows drivers |
| Vasco | DigiPass 905 | USB-CCID | |
| Vendor | Card | Versions | Card Type | Data Format |
|---|---|---|---|---|
| ActivIdentity | Smart Card 64K | v2 (Oberthur), v2c (Axalto) | Java Card | ActivIdentity |
| AET [1] | G&D Sm@rtCafe | 64K | Java Card | PKCS#15 |
| AET [1] | G&D STARCOS SPK | 2.3, 3.0 | ISO 7816 | PKCS#15 |
| AET [1] | IBM JCOP | 20 31 41 72K | Java Card | PKCS#15 |
| AET [1] | Siemens CardOS | M4.3b | ISO 7816 | PKCS#15 |
| Charismathics | Siemens CardOS | M4.3b | ISO 7816 | CSSID |
| IT Solution | Siemens CardOS | M4.3b | ISO 7816 | PKCS#15 |
| Siemens | Siemens CardOS | M4.3b | ISO 7816 | PKCS#15 |
| T-Systems | TCOS | 3.0 | ISO 7816 | NetKey |
| Country/Type | Card | Versions | Card Type | Data Format |
|---|---|---|---|---|
| Austria [2] | AustriaCard ACOS | 3.01, 4.0 | ISO 7816 | A-Trust |
| Estonia [3] | Orga Micardo | V1, V2 | ISO 7816 | |
- CardOS, Siemens profile
- Estonian ID Card
- A-trust
- RSA
| Vendor | USB Token | Middleware Supplier | Comment |
|---|---|---|---|
| ActivIdentity | ActivKey SIM | ActivIdentity | |
| ActivIdentity | ActivKey Display | ActivIdentity | OTP function not supported |
| Aladdin (CardOS) | eToken Pro, eToken NG-Flash | Aladdin | |
| Aladdin (CardOS) | eToken NG-OTP | Aladdin | OTP function is not supported |
| Aladdin (Java) | eToken Pro, eToken NG-Flash | Aladdin | |
| Charismathics | OTP Sign | Charismathics | OTP function is not supported |
| Charismathics | plug’n’crypt ID | Charismathics | |
| Eutronsec | CryptoIdentity ITSEC-I | Charismathics | |
| Eutronsec | CryptoIdentity ITSEC-P | AET | |
| Eutronsec | OTP Sign | Charismathics | OTP function is not supported |
| Kobil | mIDentity Light | Siemens | Includes flash memory |
| MARX | CrypToken | AET | |
| RSA | SecurID 800 v1 [4], SecurID 800 v2 | RSA | OTP function is not supported |
Vendor | Middleware | Version | XP | Vista 32 bit | Vista | 7 | 7 | Comments |
ActivIdentity | ActivClient | 6.2 | x | x | x | x | x | |
AET | SafeSign | 3.0.33 | x | x | c) | x | ||
Aladdin | PKI Client | 5.1 SP1 a) | x | x | x | x | x | |
A-Trust | a.sign client | 1.2.7.0 | x | |||||
Charismathics | Smart Security Interface | 4.8.1 | x | x | ||||
* Estonian ID card | <multiple> | x | ||||||
IT Solution | trustWare CSP+ | 1.0.1.23 | x | |||||
Gemalto | .NET | 2.1.3.1 | x d) | x | x | x | x | |
Gemalto | Access Client | 5.6.4 | x | x | x | x | x | d) |
Gemalto | Classic Client | 6.0 | x | x | x | |||
RSA | RSA Smart Card Middleware | 2.0.1 | x | |||||
3.0.1 | x | |||||||
Siemens | CardOS API | 3.1 | x | |||||
T-Systems | NetKey 3.0 | 1.6.0.10 + 1.3.0.4 b) | c) | c) | c) | c) | c) |
SGN Update Matrix | |||||||||||||||||
Update from | |||||||||||||||||
Update To | SGN 5.20 | SGN 5.20.1 | SGN 5.20.2 | SGN 5.20.3 | SGN 5.20.4 | SGN 5.20.5 | SGN 5.21 | SGN 5.21.1 | SGN 5.30 RC1 | SGN 5.30 GA | SGN 5.30.1 | SGN 5.30.2 | SGN 5.30.3 | SGN 5.35 GA | SGN 5.35.x | SGN 5.40.x | SGN 5.50 |
SGN 5.50.8 | l | l | l | l | |||||||||||||
SGN 5.50.1 | l | l | l | l | |||||||||||||
SGN 5.50 GA | l | l | l | ||||||||||||||
SGN 5.40.x | l | l | l | l | l | l | |||||||||||
SGN 5.35.x | l | l | l | l | l | ||||||||||||
SGN 5.35 GA | l | l | l | l | |||||||||||||
SGN 5.30.3 | ¢1 | ¢1 | ¢1 | ¢1 | ¢1 | ¢1 | ¢1 | ¢1 | l | l | l | l | |||||
SGN 5.30.2 | l | l | l | l | l | l | l | l | l | l | l | ||||||
SGN 5.30.1 | l | l | l | l | l | l | l | l | l | l | |||||||
SGN 5.30 GA | l | l | l | l | l | l | l | l | l | ||||||||
SGN 5.30 RC 1 | l | l | l | l | l | l | l | l | |||||||||
SGN 5.21.1 (Patch) | l | ||||||||||||||||
SGN 5.21 | l | l | l | l | l | l | |||||||||||
SGN 5.20.5 (Patch) | l | l | |||||||||||||||
SGN 5.20.4 (Patch) | l | l | |||||||||||||||
SGN 5.20.3 (Patch) | l | l | |||||||||||||||
SGN 5.20.2 (Patch) | l | l | |||||||||||||||
SGN 5.20.1 (Lenovo) | |||||||||||||||||
SGN 5.20 |
SGE- SGN Migration Matrix | ||||||||
IDEA | DES | 3DES | AES 128 | AES 256 | Blowfish | Stealth | XOR | |
SGE 4.50 | l | l | l | l | ||||
SGE 4.40 | l | l | l | l | ||||
SGE 4.30 | l | l | l | l | ||||
SGE 4.20 | ||||||||
SGE 4.1x | ||||||||
SGE 3.x |
SGN - Client/Server Matrix | |||||
| |||||
SGN Server | 5.2x | 5.30 | 5.35 | 5.40 | 5.50.x |
SGN 5.50.x | l | l | l | ||
SGN 5.40.x | l | l | l | ||
SGN 5.35.x | l | l | |||
SGN 5.35 GA | l | l | |||
SGN 5.30.2 | l | l | |||
SGN 5.30.2 | l | l | |||
SGN 5.30.1 | l | l | |||
SGN 5.30 GA | l | l | |||
SGN 5.21 | l | ||||
SGN 5.20 | l |
SGN – Microsoft Windows Platform Support | ||||||||||
SGN 5.50.x | ||||||||||
DE | DE BitLocker | DX | CP | SGN Server | MC | |||||
XP Professional Edition | SP2 SP3 | 32 Bit | l | l | .NET 2.0 | .NET 3.01 | ||||
Vista Home Premium Business Enterprise Ultimate | SP1 SP2 | 32 Bit | l | - - l l | l | l | .NET 3.01 | |||
Vista Home Premium Business Enterprise Ultimate | SP1 SP2 | 64 Bit | l | - - l l | l | .NET 3.01 | ||||
7 Home Premium Professional Enterprise Ultimate | 32 Bit | l | - - l l | l | l | NET 3.01 | ||||
7 Home Premium Professional Enterprise Ultimate | 64 Bit | l | - - l l | l | l | NET 3.01 | ||||
Server 2003 / R2 | .NET 3.0 | IIS 6 | SP1 SP2 | 32 Bit 64 Bit | l l | l l | ||||
Server 2008 Server 2008 R2 | .NET 3.0 | IIS 7.0 IIS 7.5 | SP1 | 64 Bit 64 Bit | l l | l l |
SGN Server - Database Server Support | ||
SGN 5.40 | SGN 5.50 | |
Microsoft SQL Server 2005 SP1 | l | |
Microsoft SQL Server 2005 Express SP1 | l | |
Microsoft SQL Server 2005 SP2 | l | l |
Microsoft SQL Server 2005 Express SP2 | l | l |
Microsoft SQL Server 2005 SP3 | l | l |
Microsoft SQL Server 2005 Express SP3 | l | l |
Microsoft SQL Server 2008 SP1 | l | |
Microsoft SQL Server 2008 Express SP1 | l |
4.1 SafeGuard Enterprise Management Center
- The import of Configuration Protection white lists did not work properly in some scenarios.
- When appending information text files, no new line was inserted, thus leading to unwanted concatenations.
4.2 SafeGuard Enterprise Server
- The SGN Active Directory synchronization failed in some cases where a subtree was moved in the Active Directory. This has been fixed. Also, internally used keys are now always recoverable to support disaster recovery scenarios when encountering unsupported/unwanted AD actions or data.
- The SGN server process showed a memory leak when updating clients with large Configuration Protection white lists.
- Device Encryption
- SafeGuard Portable
- Data Exchange
- Configuration Protection
5.1 SGN 5.50 Release
- Upgrading the SGN 5.50 Beta version of the client does not work as expected. The beta version must be uninstalled before installing the SGN 5.50 final release.
- On the Windows Vista and Windows 7 platforms, when updating the client from SGN 5.35 or higher to SGN 5.50, the installer asks the user to stop some running processes. The user should and can safely ignore this. In particular, not doing so on Windows 7 will cause Windows Explorer to crash after the next reboot.
- The SGN installation process must be started in the context of a Windows administrator’s logon session. Starting the installation via “Run as administrator” is not supported.
- On a supported 64 bit operating system the Management Center API does not work unless you start the script on cmd.exe in the C:\Windows\SysWOW64 folder.
- Usage of Caps-Lock in POA: please note that the Caps-Lock key in the POA only alters the case of letters and does not affect the number row on the keyboard. The recommended best practice is to use the Shift key for entering passwords and not rely on the functionality of the Caps-Lock key as this may vary per application.
- During an uninstallation of the client, which includes the decryption of encrypted volumes, the machine should not be shut down or rebooted. Doing so will generate an error message from the uninstaller.
- A SGN client is unable to connect to the SGN server when a Sophos Firewall with default settings is installed on the client machine. By default, the Sophos Firewall blocks NetBIOS connections which are needed for resolving the SGN server’s network name. There are 2 workarounds for this issue:
- Unblock NetBIOS connections in the firewall.
- Include the fully qualified name for the SGN server in the server configuration package as follows:
- Select the server certificate from, e.g., C:\Program Files\Sophos\SafeGuard Enterprise\MachCert\sgnsrv.utimaco.local.cer
- Enter the fully qualified server name, e.g., sgnsrv.utimaco.local
- Go to Tools -> Configuration Package Tool -> Create Server Configuration Package tab
- Select sgnsrv.utimaco.local
- Click Create Configuration Package, e.g., Server Configuration Package.msi
- Install Server Configuration Package.msi
- When a client with a SafeGuard Enterprise installation is being re-imaged or re-installed using the same hostname, it is required to delete the machine manually in the SafeGuard Management Center before reconnecting the machine to the SafeGuard Enterprise Server in order to avoid unwanted side effects.
- For all supported OS versions, if an internal SD card reader is attached to the Secure Digital host controller driven by the standard Microsoft sdbus.sys driver, the inserted card will not be subject to SGN Device Encryption, meaning it can be neither encrypted nor blocked. It will not be visible in the BE Encryption Viewer. However, it will be available and accessible as a plaintext device in Windows Explorer. For SD card encryption, customers should use file-based encryption (SGN DX).
- As documented, on a SafeGuard Enterprise Server old configuration packages must be uninstalled before installing a new one. However, as some data might need to be updated in the Local Cache (e.g. SSL settings) when a new configuration package is applied, the Local Cache must also be deleted manually before installation.
- If there is an authentication policy containing the Lock Option 'Lock screen after resume' YES/NO, it will not be transferred to the SafeGuard Enterprise client.
- When importing external keys, these may not contain any special XML characters, such as '<', '>', '&', ''' and '"'.
- The exFAT file system, introduced by Microsoft with Windows CE 6.0 and Windows Vista Service Pack 1, is not supported by SafeGuard Enterprise Device Encryption.
- If the SafeGuard Enterprise client is installed with Microsoft BitLocker support, the installation has to be executed with either deactivated User access control (UAC) or the built-in Administrator account.
- On Windows Vista 64-bit, burning encrypted files on optical media (CD/DVD) using the Windows built-in burning Wizard is not supported.
- In certain configurations, access to remote shares will fail if the SGN Data Exchange module and the SafeGuard Configuration Protection module are installed on the remote system. This issue is usually caused by the system’s resource constraints and can be resolved by increasing the IRP stack size using the following registry setting:
Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
Value Name: IRPStackSize (DWORD)
Value: 21 (or at least 3 higher than the current value)
Please check http://support.microsoft.com/kb/177078/en-us for further details.
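As an added example that is not part of the Sophos release notes, the following PowerShell script applies the IRPStackSize change the way the note above prescribes: it reads the current value, takes 21 or the current value plus 3, whichever is larger, and writes the result back as a DWORD. The key and value name are the ones given above; the treatment of an absent value as 15 and the upper bound of 50 are assumptions drawn from Microsoft KB 177078 and are labelled as such in the code.

```powershell
# Added example, not from the SGN release notes. Raises IRPStackSize on the
# lanmanserver service to 21, or to the current value + 3 if that is larger.
# Run in an elevated PowerShell; the new value takes effect after a reboot.
# Re-running the script bumps the value by another 3, which is the intended
# next step if share access still fails after the first increase.

$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters'
$valueName = 'IRPStackSize'
$defaultIfAbsent = 15   # assumption: Windows default when the value is not set (KB 177078)
$maxAllowed      = 50   # assumption: documented upper limit of the valid range (KB 177078)

function Get-CurrentIrpStackSize {
    # Returns the configured value, or the assumed default when the value is absent.
    $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $defaultIfAbsent }
    return [int]$item.$valueName
}

function Get-TargetIrpStackSize([int]$current) {
    # "21 (or at least 3 higher than the current value)" from the release notes.
    $target = [Math]::Max(21, $current + 3)
    if ($target -gt $maxAllowed) {
        throw "Computed IRPStackSize $target exceeds the assumed maximum of $maxAllowed; investigate before raising it further."
    }
    return $target
}

$current = Get-CurrentIrpStackSize
$target  = Get-TargetIrpStackSize $current

# -Force creates the value if it does not yet exist; -Type DWord matches the note.
Set-ItemProperty -Path $keyPath -Name $valueName -Value $target -Type DWord -Force
Write-Host "IRPStackSize changed from $current to $target (reboot required)."
```

The script refuses to go past the assumed maximum rather than silently clamping, because a stack size that keeps growing without fixing the problem usually points at a filter-driver issue that should be investigated, not papered over.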
Please also consider the following maximum file sizes for files imported to a client by policy:
When the SafeGuard Management Center is being run on a machine with a SGN client installation, uninstalling the client will leave the MC in an unusable state. This issue does not depend on the order of installation of the two modules. If you want to continue running the MC on such a machine, you must reinstall the MC.
SGN database names should comply with the following naming scheme to prevent localization issues. They should contain only:
- Characters (A-Z, a-z)
- Numbers (0-9)
- Underscores (_)
- Please check the SGN software CD (tools folder) for additional information regarding the SGN Management Center update (please also search the Sophos knowledge base for “SGN & update” to gather detailed instructions).
The Windows NT Authentication option requires further mandatory configuration steps proposed by Microsoft (please search the Sophos knowledge base for “SGN & service account”). The SQL Authentication is the less complex way and does not require additional configuration.
It is recommended to create one dedicated service account that is used for the authentication of all import and synchronization tasks, to prevent an accidental deletion of objects in the SGN Database (please search the Sophos knowledge base for “SGN & synchronization”).
- Overlapping policies assigned to a group might result in incorrect calculation of the priorities. Please use disjoint policy settings.
- If you want to allow minimum password durations of less than 2 days please do not change the setting “Password change allowed after min. (days)”. Once changed the minimum is 2 days.
- Please note before uninstall: Users are unable to perform an uninstall for volumes that are encrypted with a user-specific key that is not assigned to them.
- There are some GUI layout problems on machines configured for resolutions other than 96 DPI.
- It is recommended to divide import of more than 400,000 objects from AD into multiple operations. This might not be possible if there are more than 400,000 objects in a single organizational unit.
- Encryption keys created locally using SafeGuard Removable Media older than version 1.20 are not transported to SafeGuard Management Center and are not visible there.
- Clients which are members of an unknown Workgroup cannot autoregister on SGN installations which have been migrated from versions earlier than 5.20. The Workgroup has to be created in the SafeGuard Management Center first.
- Autoregistration fails if NetBIOS support is not available. Only use IP addresses if NetBIOS is also active in your network. If you use IP addresses without NetBIOS support, autoregistered users and computers will not be sorted into their domain.
- Two security officers must not use the same Windows account on the same PC. Otherwise it is not possible to separate their access rights properly.
- The inventory of a BitLocker client does not show the proper status of removable media.
- Clients which have been registered as members of a domain will not be updated properly in the SafeGuard Management Center if they are moved to a Windows Workgroup.
- After updating the SGN database to version 5.50 old Management Consoles show an error message. They must be updated as well.
- When performing uninstall, some files and registry entries may remain. Please consult the Sophos knowledge database (keywords “SGN & uninstall”) on how to clean the installation manually. Such a cleanup is necessary in order to reinstall SGN on the same computer.
- Delta CRLs are not supported by SafeGuard Enterprise. When importing a delta CRL for a CA, the original CRL for this CA is overwritten. Doing that, earlier revoked certificates can become valid again! Only use full CRLs for SafeGuard Enterprise. Support for delta CRLs will be addressed in future versions of this product.
- In rare situations, timing and/or configuration problems may occur with local SQL Server Express editions, and the configuration of the SafeGuard Database in conjunction with SQL Server Authentication might not work. If that is the case, we recommend using Windows authentication with SQL Server Express instead.
- In rare situations, timeout problems may occur when running a report query on a database with several hundred thousand events. In such a case it might help to increase the timeout value using the following registry setting:
Hive: HKEY_LOCAL_MACHINE
Key: SOFTWARE\Utimaco\SafeGuard Enterprise\Internal Settings
Value Name: TimeOut (DWORD)
Value: 1…30000 [milliseconds]
- Please check the SGN software CD (tools folder) on additional information regarding SGN Server update.
- Connecting SGN 5.50 clients to SGN Servers older than release 5.50 is not supported. A mixture of SGN client versions should only be present during the migration phase.
- SafeGuard Enterprise API: Management Console log events may not be created when calling similar functionality concurrently via the SGN API.
- SafeGuard Enterprise API: The method “CreateDirectoryConnection” does not run on a SGN Server alone. The machine must also have the SGN Management Console installed for this API.
SafeGuard Data Exchange without Device Encryption does not provide Challenge/Response recovery, when the user has forgotten his password. In this case you must change the password in the Active Directory, logon without a Sophos Credential Provider and restore the user configuration on the client. Consult the Sophos knowledge base for further details.
Local keys created with SafeGuard Removable Media older than version 1.20 before switching to SafeGuard Data Exchange can be used in the SGN Client. But they are not transferred to the SGN Database automatically.
When using SafeGuard Data Exchange together with SafeGuard Easy 4.x, note that the SGE GINA mechanisms (especially secure auto logon, SAL) will no longer work. SGE must be installed first, and both products should only be uninstalled together (without reboot) to avoid GINA conflicts.
Microsoft Office 2007 applications (e.g. Word, Excel) will abort stating an error when saving modifications to a plain file that actually needs to be encrypted according to the current encryption policy.
Solution:
- Adjust the file’s encryption status to comply with the policy, or
- add the Office programs to the Special Rename Processes registry key.
Here is a sample registry setting which adds WinWord.exe and Excel.exe to this key.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\UTIMACO\SGLCENC]
"SpecialRenamePrograms"="winword.exe;excel.exe;"
Please refer to the Sophos knowledge base SGI 109474 for further information.
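Importing the .reg sample above replaces whatever the value already holds. As an added example that is not part of the release notes, the PowerShell below instead merges new entries into an existing SpecialRenamePrograms list, so that programs an administrator has already registered survive the change. The key path and value name are the ones from the sample; powerpnt.exe is an assumed extra entry, and the merge function and the check that the key exists are this example’s own.

```powershell
# Added example, not from the SGN release notes. Appends Office executables to
# the semicolon-separated SpecialRenamePrograms value without dropping entries
# that are already present. Run in an elevated PowerShell.

$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\UTIMACO\SGLCENC'
$valueName = 'SpecialRenamePrograms'
# winword.exe and excel.exe come from the release-notes sample; powerpnt.exe is an assumed addition.
$toAdd     = @('winword.exe', 'excel.exe', 'powerpnt.exe')

function Merge-ProgramList([string]$existing, [string[]]$additions) {
    # Split the "a.exe;b.exe;" format into entries, dropping empties and whitespace.
    $entries = @($existing -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' })
    foreach ($name in $additions) {
        # Case-insensitive duplicate check: Windows file names are not case-sensitive.
        $alreadyThere = $entries | Where-Object { $_ -ieq $name }
        if (-not $alreadyThere) { $entries += $name }
    }
    if ($entries.Count -eq 0) { return '' }
    # Keep the trailing semicolon used in the release-notes sample.
    return (($entries -join ';') + ';')
}

if (-not (Test-Path $keyPath)) {
    # The SGLCENC key is created by the SGN client installation; do not create it by hand.
    throw "Key $keyPath not found. Is the SafeGuard Enterprise client installed on this machine?"
}

$current = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
$merged  = Merge-ProgramList -existing ([string]$current) -additions $toAdd

Set-ItemProperty -Path $keyPath -Name $valueName -Value $merged -Type String
Write-Host "$valueName is now: $merged"
```

Refusing to create the SGLCENC key when it is missing is deliberate: a missing key means the client that reads it is not installed, and creating it by hand would only hide that.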
If an encrypted executable or installation package is started and requires a user elevation in Windows Vista or Windows 7, it may happen that the elevation doesn't take place and the executable is not started.
The link to the SafeGuard Portable application created in the root of a removable medium might not work under certain conditions (on Windows 7 only). When the medium is inserted into a device whose drive letter differs from the one it had when SafeGuard Portable was copied to it, the link does not work if the drive with the original letter is also present on that device. For example: the SafeGuard Portable link was created on a medium in drive D:. The medium is then used on a different machine in drive E:. The link is broken if this machine also has a drive D:; otherwise the link works as expected.
A user's key-ring is no longer accessible after an established remote-session has been closed. The client machine has to be rebooted in order to restore full access to the user's key ring. Just logging off and on is not sufficient to regain access.
If a BitLocker To Go-encrypted USB stick is attached to a machine during the setup of SGN, the installation will fail because Windows reports the system as being BitLocker-enabled, which is a valid failure condition for the DE client installation. The solution is to remove any BitLocker to Go-encrypted devices before installing SGN DE.
Some rare USB stick models report an incorrect storage capacity (usually larger than their actual physically available capacity). On these models, a volume-based initial encryption will fail and the data on the stick will be lost. Sophos generally recommends using file-based encryption (DX module) for removable media encryption.
When encrypting the volume that contains the user profile(s) only keys should be used that are available to any user whose profile is located on the encrypted volume. To ensure proper system configuration user profiles must not be located on encrypted volumes which a user does not have the encryption key for, or only keys available to all users must be used for encryption of this volume. This will only be an issue when changing the default location of the user profiles from the system volume to any other local volume which is encrypted.
The client requires an extra reboot after the first logon to ensure the registration of the logged on user.
When updating an older version of SGN Client it is recommended to choose the ‘Custom’ installation mode and manually select all the desired features whether they were already installed by the previous version or not. Optionally, you can use the ‘Complete’ mode instead. If typical mode is chosen, some of the features might not be updated properly.
In case of an unattended installation you have to use the ADDLOCAL= property to select all desired features (existing and new). If this option is not specified, only features installed by the previous version will be updated.
After installation of the client configuration package, the user should wait for ~5-10 seconds before acknowledging the final reboot. Then, after rebooting, the user should wait again for approximately 3 minutes at the Windows logon screen before proceeding to log on. Otherwise, the initial user synchronization may not be completed until rebooting again.
For the Local Self Help option the Recovery option in the POA will never be shown if the user who is logged on to the POA has the option to log on with a token or via fingerprint. LSH only works if the user logs on to the POA with user ID and password.
During the installation of SafeGuard Enterprise Base Encryption, delayed write failures may be reported by the operating system. This happens right after installing the kernel onto the file system. It may be triggered by executing many parallel file I/O operations during the next boot right after manipulating the file system.
Solution:
An alternative way to install the SafeGuard Enterprise Base Encryption kernel can be forced by adding the following registry value:
Hive: HKEY_LOCAL_MACHINE
Key: System\CurrentControlSet\Control\Session Manager
Value Name: AllocMode (DWORD)
Value: 1
This registry value should be added before executing the SafeGuard Enterprise Base Encryption setup.
A policy to encrypt removable Drives volume based that allows the user to choose a key from a list (for example “all keys in key ring”) can be circumvented by the user by not choosing a key. To make sure removable drives are always encrypted the security officer should either use a file based encryption policy, or explicitly set a key in the volume based encryption policy.
If both volume based encryption and configuration protection features are installed on Windows Vista systems, policies to encrypt non-boot volumes can cause the initial encryption process to freeze. This can be avoided by copying the bootmgr file to these non-boot volumes before the installation of SGN and the encryption policy has to be defined for ‘Bootvolumes’.
Data Exchange policies cannot use the defined machine key on SafeGuard Easy 5.50. Please use a different key if the policy will be applied to SafeGuard Easy clients.
Client setup for Kerberos logon with A-Trust smartcards:
The A-Trust middleware must be installed with the following parameters:
acSetup.exe /CALAIS=Yes
Use the A-Trust tray icon to perform an update of the middleware. This step is also necessary if you have already installed the latest version of A-Trust middleware because it will download and install the A-Trust root certificate.
Install the registry settings from ToolsATrustSetup.reg.
Note: The user key store cannot be opened with version 1.2.5.2 or earlier of A-Trust middleware. A-Trust is already working on this issue.
The Aladdin PKI Client 5.0 is required for Windows Kerberos Logon with Aladdin eToken PRO 72k (Java). However, these tokens must be initialized with Aladdin PKI Client 4.55 in order to be compatible with SGN's POA.
To use SGN Client in conjunction with a Novell Client there are some project specific adaptations necessary. Please contact Sophos Support for further information.
Fast user switching is not supported and must be disabled.
After installation of SGN Device Encryption on Windows Vista the built-in floppy drive is no longer available. This limitation does not apply to external floppy drives attached via the USB bus.
Boot time increases by about one minute after installing the SGN Client software.
Virtual drives that are mounted on the client workstation (e.g. VHD file into Windows using MS Virtual Server mounter) are considered as local hard drives and therefore their contents will be encrypted too if an encryption policy for ‘other volumes’ is defined.
- AVG: AVG Anti-Virus Netzwerk Edition 8.5.386
- Computer Associates: CA Anti-Virus 2009. Please use the following registry key:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\INO_FLTR\Setting]
"Controls"=dword:00000003
- F-Secure: F-Secure AntiVirus 2009 (Version 9.00 Build 149)
- G-Data: G Data Antivirus 2010 (Version 20.0.1.1)
- Kaspersky: Kaspersky Internet Security 2010 (Version 9.0.0.459)
- Network Associates: McAfee VirusScan Enterprise Version 8.7.0i, scan module version (32-bit): 5300.2777, DAT version: 5381.0000
- Norman: Norman Virus Control (Version 5.99)
- Symantec: Symantec Endpoint Protection 11.0 (Version 11.0.4000)
- Trend Micro: Trend Micro Internet Security 2009
- Devices are not blocked after logon.
User policies are enforced by a process that is started in the user session after logon. If the operating system delays the start of this process, the user may be able to access blocked or access-restricted devices during that delay. To avoid this behavior, always apply the restricting policy to both the machine and the user.
- BSOD after Installation of SGN CP
Microsoft has issued a hotfix for a BSOD issue that may also occur after installing the Configuration Protection package. Please refer to http://support.microsoft.com, article id 906866, for further information.
- Installation
.NET Framework 2.0
To install SGN Configuration Protection, please follow the installation order below:
To uninstall SGN Configuration Protection, please follow the installation order below:
Cherry Card Man Usb Driver
- Upgrade
After updating the Configuration Protection Module, the policy needs to be reapplied to take effect.
- Vista
The Configuration Protection client (SimonPro.exe) keeps a handle to the registry (for anti-tampering reasons), which causes this warning on Vista.
If users do not have to press Ctrl+Alt+Del to log on to Vista (interactive logon setting), the user policy does not get loaded properly. In that scenario the machine policy is used instead.
- USB Keyboards classified as Hardware Key-Logging Device
Certain USB keyboards are considered to be hardware key-logging devices and are thus blocked, making them unavailable to the OS. This issue only arises when the keyboard is unplugged and attached to a different USB port while the system is running. At the time of writing, the following keyboards are known to cause this issue:
- Dell Keyboard RT7D60
- Dell Keyboard SK-3106
- Maximum Number of Devices in White-List
When adding devices to the white-list so that they are not blocked, it is advised to keep the number of allowed devices at a manageable level. Adding substantially more than 1,000 devices to a white-list can considerably impact a machine's performance when the policy is evaluated.
- White-List Import
When importing a white-list that has been generated by the Port Auditor application, the resulting white-list has to be edited and saved back in the SGN Management Center before it can be used in a Configuration Protection Policy.
5.7 Web Helpdesk
- Web Browser Requirement
The web pages hosted by the SafeGuard Web Helpdesk component are not rendered properly by Internet Explorer 6. We therefore suggest using Internet Explorer version 7 or higher or Firefox version 2 or higher instead.
- If SafeGuard Web Helpdesk is installed on IIS, the number of worker processes must not be increased beyond 1 (the default); otherwise authorization to Web Helpdesk will fail.
5.8 Update SGN 5.35 and higher to SGN 5.50
The SGN Configuration Protection Module cannot be updated to SGN 5.50 directly due to security constraints. In order to install the new version of the Configuration Protection Module properly, the existing version has to be removed beforehand.
5.9 SafeGuard Easy 4.x
- Migration of SafeGuard Easy 4.30 or higher to SafeGuard Enterprise
For migration from SafeGuard Easy to SafeGuard Enterprise the user needs a valid Windows account. If the user does not know his Windows password, because he is using SAL for Windows logon, the user's Windows password has to be reset and the new value has to be forwarded to the user. Please be sure to read the corresponding installation manual section before proceeding with the upgrade.
- Parallel Installation of SafeGuard Easy 4.x and SafeGuard Enterprise w/o Migration
SafeGuard Easy 4.x and SafeGuard Enterprise can be installed in parallel on the same machine as long as the Device Encryption module of SGN is not installed. Since both products install their own GINA, SGN will only work properly if its own GINA is used. To ensure a proper configuration, SGE has to be installed without GINA support (i.e. using the GINASYS=0 option) before any SGN module is installed (except SGN DE). If SGE has been installed with the GINA option enabled, it has to be removed prior to installation of SGN.
- Gemalto Classic Client (Gemalto GemXpresso (Classic TPC) V1 32k and V1 64k)
Only works with the upcoming Gemalto Classic Client 5.2.0. Additionally, the following registry entry must be set to a value of 0x120 or higher:
[HKEY_LOCAL_MACHINE\SOFTWARE\Gemplus\Cryptography]
"ShmMaxLoops"=dword:00000120
- Axalto Access Client (Cyberflex 64k)
Logon to Windows with Cyberflex cards in combination with Axalto Access Client is not possible immediately after a reboot. The following registry values have to be configured as shown to resolve this issue:
[HKEY_LOCAL_MACHINE\SOFTWARE\Axalto\Access\CK]
"UseCAM"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Axalto\Access\CSP]
"UseCAM"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Axalto\Access\CAM]
"Allow"=dword:00000000
- Token Middleware on Windows Vista
When using token middleware on Windows Vista, after logging off it may be necessary (depending on the manufacturer) to remove and reinsert the smart card in order to log on with the same smart card again.
Using Fast User Switching after the preceding logon has been performed with a token/smartcard may lead to a situation where non-Sophos Credential Providers are unable to unlock the user desktop. It is recommended to either use the Sophos Credential Provider or log off the current user before switching to a different account.
When using the ActivIdentity ActivClient software for token logon on Windows Vista 64-bit or Windows 7 64-bit, uninstallation of the SGN client software fails with a message that some components could not be removed. As a workaround, before uninstallation is started for the first time, the policy must be changed so that ActivIdentity ActivClient is no longer the PKCS#11 module in use, and a restart must be performed. Uninstallation works after that.
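The registry entries listed above for CA Anti-Virus, Gemalto Classic Client and Axalto Access Client are given in .reg syntax. The following Python module is an added example, not part of the release notes or of any Sophos tool: it parses .reg-format text into a lookup table and checks the values the notes require (ShmMaxLoops at least 0x120, both UseCAM values and Allow set to 0, Controls set to 3), which is a useful pre-deployment check before smartcard logon is rolled out. The parser and the check logic are my own; the key paths and values are those from the notes with path separators restored. The parser handles only named values (`"name"=...`), so `@=` default values raise an error, and data other than dword or quoted strings is kept as raw text.

```python
"""Parse Windows .reg fragments and verify the registry values the release
notes require for CA Anti-Virus, Gemalto Classic Client and Axalto Access
Client. Added example; the fragments below are copied from the notes."""
import re
from typing import Callable, Dict, List, Tuple

# Registry fragments as listed in the release notes (separators restored).
CA_REG = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\INO_FLTR\Setting]
"Controls"=dword:00000003
'''

GEMALTO_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Gemplus\Cryptography]
"ShmMaxLoops"=dword:00000120
'''

AXALTO_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Axalto\Access\CK]
"UseCAM"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Axalto\Access\CSP]
"UseCAM"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Axalto\Access\CAM]
"Allow"=dword:00000000
'''

Requirement = Tuple[str, str, Callable[[object], bool], str]

# (key path, value name, predicate, requirement text) as stated in the notes.
REQUIREMENTS: List[Requirement] = [
    (r'HKEY_LOCAL_MACHINE\SOFTWARE\Gemplus\Cryptography', 'ShmMaxLoops',
     lambda v: isinstance(v, int) and v >= 0x120, 'must be 0x120 or higher'),
    (r'HKEY_LOCAL_MACHINE\SOFTWARE\Axalto\Access\CK', 'UseCAM',
     lambda v: v == 0, 'must be 0'),
    (r'HKEY_LOCAL_MACHINE\SOFTWARE\Axalto\Access\CSP', 'UseCAM',
     lambda v: v == 0, 'must be 0'),
    (r'HKEY_LOCAL_MACHINE\SOFTWARE\Axalto\Access\CAM', 'Allow',
     lambda v: v == 0, 'must be 0'),
    (r'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\INO_FLTR\Setting',
     'Controls', lambda v: v == 3, 'must be 3'),
]

_KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.+)$')


def parse_reg(text: str) -> Dict[Tuple[str, str], object]:
    """Parse .reg text into {(key_path, value_name): value}.

    Key paths and value names are lower-cased because the registry compares
    them case-insensitively. dword data becomes an int, quoted string data
    becomes a str, anything else (hex:, expand strings) is kept as raw text.
    """
    values: Dict[Tuple[str, str], object] = {}
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';') or line.startswith('Windows Registry Editor'):
            continue  # blank line, comment or file header
        key_match = _KEY_RE.match(line)
        if key_match:
            current_key = key_match.group('key').lower()
            continue
        value_match = _VALUE_RE.match(line)
        if value_match is None:
            raise ValueError(f'unparsable .reg line: {raw!r}')
        if current_key is None:
            raise ValueError(f'value appears before any [key] header: {raw!r}')
        data = value_match.group('data').strip()
        if data.lower().startswith('dword:'):
            value = int(data[len('dword:'):], 16)  # dword data is hex
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            value = data[1:-1]
        else:
            value = data
        values[(current_key, value_match.group('name').lower())] = value
    return values


def check_requirements(values: Dict[Tuple[str, str], object],
                       requirements: List[Requirement] = REQUIREMENTS) -> List[str]:
    """Return one problem string per requirement that is missing or violated;
    an empty list means the parsed fragment satisfies all of them."""
    problems = []
    for key, name, is_ok, why in requirements:
        actual = values.get((key.lower(), name.lower()))
        if actual is None:
            problems.append(f'{key}\\{name}: missing ({why})')
        elif not is_ok(actual):
            problems.append(f'{key}\\{name}: is {actual!r}, {why}')
    return problems


if __name__ == '__main__':
    merged = parse_reg(CA_REG + GEMALTO_REG + AXALTO_REG)
    problems = check_requirements(merged)
    for problem in problems:
        print('FAIL', problem)
    print('all requirements satisfied' if not problems else 'see failures above')
```

On a live machine the same table can be produced by exporting the keys in question with `reg export` and passing the file contents to `parse_reg`; `check_requirements` then reports which of the required values are missing or set to something other than the notes prescribe.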
- Lenovo ThinkVantage Fingerprint Software
Due to a limitation of UPEK ThinkVantage Fingerprint Software, fingerprint logon is not supported for users having a whitespace in their user names.
- Empirum Security Suite Agent
If SGN 5.50 Client software is installed and run in combination with Empirum Security Suite Agent software, the system might stop with the following BSOD:
BSOD on system startup with stop code 0x00000044 MULTIPLE_IRP_COMPLETE_REQUESTS
This problem is caused by one of the Empirum Software components. A fix for that problem will be included in Empirum Security Suite.
Please contact Matrix42 support for the latest details/updates on this issue.
- Lenovo Rescue and Recovery
For information on the compatibility of Rescue and Recovery versions with SafeGuard Enterprise versions see http://www.sophos.com/support/knowledgebase/article/108383.html
- AbsoluteSoftware Computrace
SGN Device Encryption fails to install on machines which have AbsoluteSoftware Computrace with an activated ‘track-0 based persistent agent’ installed.
- SafeGuard Enterprise Device Encryption Client
The SafeGuard Enterprise Device Encryption Client does not support systems that are equipped with hard disks that are attached via the SCSI bus.
- Visit the SophosTalk forum at http://community.sophos.com/ and search for other users who are experiencing the same problem.
- Visit the Sophos support knowledgebase at http://www.sophos.de/support/
- Download the product documentation at http://www.sophos.de/support/docs/
- Send an email to [email protected], including your Sophos software version number(s), operating system(s) and patch level(s), and the text of any error messages.
University of Cambridge Computing Service
- Experience with Card Readers
Smartcard background
Card access APIs
Cambridge card utilities
- kpcsctest won't compile as supplied (missing 'unsigned' in the definition of fReceiveSize in kcardhelper.h)
- neither will the pkcs#11 module (for reasons not yet investigated)
- kcardview throws a SIGSEGV (probably because it doesn't cope gracefully with the new version 1 layout of files on the Cambridge card).
Experience with Card Readers
GemPlus GemPC410
GemPlus GCR410
GemPlus GemPC430
ACR CyberMouse
'ACR20S/Cybermouse does not accept class 2 or 4 commands where Le is 0 and returns malformed packets with some commands. Also inverse convention does not work with my driver. I recommend to run like hell, when you see this reader'.
Towitoko Chipdrive Micro 130
USB readers: Linux kernel version 2.4.12 or greater with the PL2303 USB serial driver enabled is needed. Note that PL2303 support is still in an experimental stage!
Utimaco (Omnikey) CardMan 2020
References and links
- Cambridge Smartcard
- Card Office official site http://www.admin.cam.ac.uk/offices/misd/univcard/
- Graham Phillips's 'Cambridge University smart card' pages at http://smartcard.caret.cam.ac.uk/ (previously http://vertebra.cbcu.cam.ac.uk/)
- Rich Wareham's 'University of Cambridge Smartcard support under Linux' pages at http://www.srcf.ucam.org/~rjw57/sc/ (most of which is duplicated on smartcard.caret.cam.ac.uk)
- Linux resources
- MUSCLE site http://www.linuxnet.com/, including pcscd http://www.linuxnet.com/middle.html and driver sources http://www.linuxnet.com/sourcedrivers.html.
- The University of Michigan's Centre for Information Technology Integration Smart Card project page http://www.citi.umich.edu/projects/smartcard/
- Another smartcard library: SCEZ http://www.franken.de/crypt/scez.html
- A Python binding for PC/SC: http://www.advogato.org/person/barryp/
- General card resources
- Infosyssec: Smartcards http://www.infosyssec.org/infosyssec/secsmc1.htm
- Vague SSH Success story with Putty: http://www.advogato.org/person/barryp/
- ssh-smart - someone else's work to integrate SSH and smartcards http://www.foo.be/ssh-smart/
- SSH.COM's smartcard interface: http://www.ssh.com/products/accession/