What's New in Mobility XE Version 8.0
Before Upgrading
The Mobility XE version 8.0 client and server setup software was designed to allow for a brand new installation or to upgrade an existing installation. When upgrading from a previous version of the Mobility XE client or server, the Mobility XE version 8.0 setup software can only be used to upgrade (e.g. overinstall) on Mobility XE version 6.7 or later. If you are running a version of the Mobility XE client or server prior to version 6.7, you must first upgrade to version 6.7 prior to upgrading to version 8.0.
Version 8.0 also requires Level 4 license keys. If you upgrade from a previous version of Mobility XE, your Level 2 (Mobility XE version 6.x) or Level 3 (Mobility XE version 7.x) permanent license keys will be converted to temporary (time-limited) Level 4 license keys. Only customers with Premium Maintenance agreements or those who pay for the upgrade will be granted permanent Level 4 license keys. The only way to restore a Mobility XE server pool that has been upgraded to version 8.0 is by restoring system backups for the Mobility warehouse and Mobility servers that were made prior to upgrading.
Clients prior to version 6.7 will automatically be disconnected from a version 8.0 or later Mobility server. And version 8.0 clients will be disconnected from a version of the Mobility XE server prior to 6.7.
Major Features & Changes
New Mobile Network Access Control (NAC) Module
There is a new Network Access Control (NAC) Module that lets administrators control which mobile devices are allowed to connect to the Mobility server based on their compliance to customizable configuration policies. The NAC Module bolsters remote access security by ensuring that only “healthy” mobile devices are allowed to connect to the Mobility XE server and access corporate resources.
The NAC Module is an optional component for Mobility XE 8.0. Both the Mobility server and client must be running Mobility XE 8.0 for the NAC Module to function.
Details
Mobility system administrators write NAC policies and subscribe groups, classes, devices, or users to them. The policies are automatically pushed down to and evaluated on the device before any data transmissions are allowed through the VPN tunnel. NAC policies are evaluated when the device is started/booted, when the device attempts to connect to the Mobility XE 8.0 server, and they are reevaluated every 5 minutes even after a device is allowed to connect. The NAC Module is supported on all client operating systems, including Windows Mobile devices.
Based on their compliance with the NAC policy, the Mobility server can allow, warn, disconnect, or quarantine the mobile device. In addition, the NAC Module integrates with the Policy Module to allow for and enforce remediation on the client device. For example, if a device fails a NAC policy check, it can automatically trigger the Policy Module to restrict access to a specific application or subnet.
There is an easy-to-use one-screen NAC Wizard that allows administrators to create the most common rules with just a few clicks. And an advanced interface provides administrators maximum flexibility and customization. NAC rules support inspecting attributes and configurations related to anti-virus, anti-spyware, firewalls, Windows Update status, running processes, installed files, operating system versions, the Mobility XE client version, and registry keys. The Mobility client API (nmclapi.dll) also now supports a new function call that allows external programs and processes to integrate directly with the NAC Module. The NAC Module automatically recognizes common antivirus, firewall products and anti-spyware products.
Pricing for the Network Access Control Module will be released to the retail channel thirty days prior to general availability. Customers with a current Premium Maintenance Agreement can elect to receive the NAC Module at no additional charge. The NAC Module will carry an additional licensing fee for new customers and customers with a current Standard Maintenance Agreement.
Policy Management Module Additions and Improvements
QoS Action Optimized for Real-time Applications in Policy Management Module
QoS rules in the Policy Management Module have been enhanced to provide better support for real-time applications. As a result, voice and video quality are significantly improved in networks where there is high packet loss, high latency, or jitter.
The “Set quality of service parameters for [applications | addresses | ports]” action has been significantly enhanced to provide better support for real-time applications. Based on its settings, this action now automatically uses Packet Loss Recovery (PLR) to automatically replace missing or lost packets in real-time application transmissions without having to re-request/re-transmit them. This alleviates many of the negative effects from packet loss and ameliorates many of the problems caused by high latency and jitter. As a result, when running real-time applications—like voice-over-IP, video, web conferencing, and instant messaging—Mobility XE 8.0 can maintain a much higher quality in transmissions and communications, even on wireless networks. In lab testing, the PLR functionality has been able to maintain call quality—a Mean Opinion Scores (MOS) above 2.5—with as high as 70% packet loss. MOS generally drops below 2.5 with only 10% or 20% packet loss when using a traditional IPSec or SSL VPN.
The QoS action comes with a revised and simplified set of preconfigured settings tuned specifically for different types of applications, including high-priority TCP applications, voice, video, best-effort, and background. In addition, individual parameters for each setting are customizable. Packet Loss Recovery (PLR) is only available for real-time applications running over the UDP protocol.
Pricing for the Policy Module is unchanged from previous version of Mobility. Customers who previously purchased the Policy Module and who have a current Premium Maintenance Agreement will receive the Policy Module updates at no additional charge. There is a license fee for the Policy Module for new customers and new seats purchased, and an upgrade fee for customers with a current Standard Maintenance Agreement.
New Registry Key/Value Condition in Policy Management Module
A new condition in the Policy Management Module checks for the existence and compares the value of Windows registry keys. Using the new registry key condition, administrators can write rules that are more flexible integrating with applications and more aware of the Windows operating environment.
New External Key/Value Condition in Policy Management Module
A new condition in the Policy Management Module can be set by the Mobility client API (nmclapi.dll) or the tellmes command line utility. Using either tool can set a variable name and value that can then be checked and compared as a rule condition. The External Key/Value condition is complementary to the Registry Key/Value condition, in that it allows administrators to write rules that can identify and integrate with other applications and processes.
New Network Access Control (NAC) Status Condition in Policy Management Module
There is a new NAC Failure Action condition in the Policy Management Module that allows the Policy Management Module to integrate with the NAC Module. For example, the condition can be used to restrict access to IP addresses or a more limited set of applications if a Mobility client device does not fully comply with the NAC policy.
Better Integration between Rule Sets and Rules
The Policy Management Module now starts out by default on the Rule Sets page, and it is now possible to create new rules when editing a rule set. The changes facilitate a more natural workflow, making it easier to create policies without requiring administrators to move back-and-forth between rule creation and rule set creation.
Other Features, Changes and Bug Fixes
Mobility XE Certified for Scalability and Capacity on VMware ESX
Mobility XE 8.0 is now fully supported, including full capacity and scalability, when running in VMware ESX environments. VMware ESX must be configured to provide comparable “virtual” resources to the system requirements for Mobility XE when running on dedicated, non-virtualized hardware. A TechNote detailing recommendation configuration of VMware ESX for Mobility XE is available in the technical support area of the NetMotion Wireless corporate website.
Support for Windows Mobile 6.1
In addition to previous versions of Windows Mobile, the Mobility XE version 8.0 client also supports the Windows Mobile 6.1 platform.
Support for RSA SecurID Software Tokens on Windows Mobile (010653)
RSA SecurID software tokens are now also supported on Windows Mobile devices, in addition to our other supported client platforms.
Support for user-specified locations when installing the Mobility XE client on Windows CE devices (08132)
When installing the Mobility XE client to a Windows CE device, the setup program now provides the option to specify the location of Drive and Path for the installation files. As a result, Windows CE installations can be more successful without additional user intervention.
Clarified Connectivity Requirements for Zones and Geographically-dispersed Server Pool Components
Connectivity requirements between server pool components—Mobility servers and Mobility warehouses, including replicas—have been clarified. At a minimum, Mobility servers and warehouse need access to all other pool components with a 10 Mbps link that has 150 ms or less round-trip latency. Previously, the minimum requirement for pool component connectivity was 100Mbs and “Low Latency”. Large deployments seeking to get maximum performance and scalability should improve the minimum bandwidth and latency as much as possible. (See “Guidelines for Supported Mobility Deployments” for further details.)
Simplified Mobility Console Menu System
The Mobility console menu system has been revised and simplified to better group and organize the top-level choices available to administrators.
Client Session Details Now Shows Running Applications (08607)
When viewing session details for a particular device, there is a new column in the Network Process List (Mobility console > Connection List > Session Details) that shows which applications are running.
Ability to Filter out Example Rules and Rule Sets (08567)
There is a new “No Examples” filter available on the Policy Management and NAC Module screens that allow administrators to view a list of policies that is not cluttered with Example policies.
Ability to Add Port Ranges to QoS Rules (07896)
The Policy Module in Mobility XE 8.0 includes the ability to specify a range of ports for voice or other real-time traffic.
Easier to Determine Live and Disconnected Interfaces (08250 & 08254)
It is now easier to determine when an interface listed in Mobility Client Properties (Details tab) is active. Interfaces that are active are displayed as ‘up’ and it is easy to distinguish between a current live interface and a disconnected one.
Client's Active Interface Displayed in the Mobility Console (008770)
Drilling down on a device in the connection list on the Mobility console now displays the active interface name in addition to speed when displaying the session details.
Active Interface Displayed on Mobility Client ‘Connecting’ Dialog (008254)
When logging on, the Mobility client ‘Connecting’ dialog now more clearly shows which interface the client is using. This can be useful information if the user is experiencing problems connecting to the Mobility server.
Bypassing Displays Warning About Encryption Loss (008451)
Bypassing the Mobility client now pops up a dialog warning users that encryption will stop and any data received or sent by the device may be intercepted.
Updated the Mobility Console to Support Java Version 6.0 (008419)
In some situations the Mobility console would display “JNI exception: EXCEPTION_ACCESS_VIOLATION”. Moving to Java version 6.0 resolved many of these instances.
Resolved Failure When Exceeding Passthrough List Limit (006908)
If too many addresses were added to the Passthrough List setting in the Mobility console, none of the addresses were propagated to the Mobility clients and there was no error message notifying the administrator of the failure.
Now, when the maximum number of addresses in the Passthrough List is exceeded, the Mobility console displays a warning message explaining the problem. If you require more addresses in the list than are supported (between 6 and 10 depending on how they are defined), they can be added using the Policy Management Module.
Resolved Inability to Remove Devices After Server Upgrade (007736)
Fixed a problem that, in some situations, prevented administrators from deleting previously registered devices, after upgrading (overinstalling) the Mobility XE server.
Resolved Logon Failure When Running Wave Embassy Security Center Software on the Mobility XE Client Device (007886)
The Mobility XE 8.0 client has been modified to recognize Wave's GINA and authentication package and allow authentication to proceed normally. When using Wave Embassy Security Center's software with the Windows Logon > Enable Secure Windows Logon feature checked on devices running previous versions of the Mobility XE client, the Mobility client was unable to successfully logon. The Wave Embassy Trust Suite for Dell 1.0 came preinstalled on many Dell laptop models.
Resolved Problem with Stranded Devices When Renaming Device Class (008098)
Fixed a problem that could strand device licenses used by devices in a device class if the device class was renamed.
Resolved Connection Conflict with HP Credential Manager is Enabled (008188)
Resolved a conflict with the HP Credential Manager that prevented the Mobility client from establishing a connection.
Resolved Security Warning When Using a Policy to Open a Remote File (008346)
In previous versions of Mobility running on Windows 2000, Windows XP, or Windows Vista, using Policy to execute a file accessible via a UNC would generate a warning ‘Open File -Security Warning’ dialog, asking the user to confirm whether or not to run the software. The warning dialog has been suppressed allowing these types of policy actions to run reliably and without user intervention.
Resolved Errors When Using Square Brackets (“[“ or “]”) in the Rule Names (008400)
Saving a rule with square brackets “[“ or “]” in its name would cause an error. The Mobility console now validates and prevents invalid characters in the rule name.
Resolved Inability to ActiveSync Psion Teklogix WorkAbout Pro Handheld (008463)
Fixed a problem where ActiveSync did not work on the Psion Teklogix WorkAbout Pro device, when the Mobility client was connected or in Bypass.
Resolved Incorrect Device Count on Mobility Server (008577)
Fixed a problem that caused incorrect display of the registered device on the Client Status page in the Mobility Console. Wait times are shorter now when moving devices into device classes.
Reconciled Time Zones Used When Displaying Connected Time and Registered Time in Client Status (008614)
Connected Time for registered devices was being displayed on the Mobility console using the local time, but the Registered Time was using the warehouse's GMT time. Both times are now displayed in the local standard time of the servers.
Fixed Remote Assistance Calls Initiated from Windows Vista or Windows XP (009071)
Remote assistance worked in most cases except when calls were initiated from Vista to XP, regardless of whether the client is connected or bypassed.
Fixed Client Network Failover When Using Policy to Override Interface Speeds (009099)
Fixed a problem where the Client Network Failover feature would not switch to the interface with the fastest speed if the interface’s speed had been overridden by a policy rule and the Mobility client had two different interfaces with differing interface speeds.
Fixed Device Registration Conflicts (Duplicate nmwUniqueHWId) with Devices Using SATA Drives (009108)
We fixed a problem where we were not creating unique device PIDs because the devices had the same serial hardware number. This problem has been seen on Panasonic Toughbook CF-29, CF-30, CF-71 devices, some Dell laptops, and other devices with SATA hard drives.
Fixed MS Communicator Failure on Windows Mobile (010762)
Fixed a problem where Microsoft Office Communicator would fail when running on Windows Mobile also running the Mobility client software.
Hardware and Software Requirements
Mobility XE Small Deployment Server System
• Processor: x86-compatible Pentium 4 processor, 2.0 GHz (minimum).
• Operating system: Microsoft Windows Server 2003 R2 (Service Pack 2), Microsoft Windows Server 2003 (Service Pack 2), or Microsoft Windows 2000 Server (Service Pack 4).
• RAM: 2 GB, minimum.
• Disk space: 2 GB free, minimum.
• Browser (with JavaScript enabled): Internet Explorer v7, Internet Explorer v6, Firefox 2.0.
The Mobility XE small deployment server system installs both Mobility server and Mobility warehouse on one machine. It is intended for pilot programs and small deployments with under 400 users.
Stand-alone Mobility Server
• Processor: x86-compatible Pentium 4, 2.0 GHz (minimum).
• Operating system: Microsoft Windows Server 2003 R2 (Service Pack 2), Microsoft Windows Server 2003 (Service Pack 2), or Microsoft Windows 2000 Server (Service Pack 4).
• RAM: 2 GB, minimum.
• Disk space: 1GB free, minimum.
• Browser (with JavaScript enabled): Internet Explorer v7, Internet Explorer v6, Firefox 2.0.
• For RSA SecurID user authentication: RSA Authentication Agent version 6.0 or higher.
Stand-alone Mobility warehouse
• Processor: x86-compatible Pentium 4, 2.0 GHz (minimum).
• Operating system: Microsoft Windows Server 2003 R2, Microsoft Windows Server 2003 (Service Pack 2), or Microsoft Windows 2000 Server (Service Pack 4).
• RAM: 2 GB, minimum.
• Disk space: 3 GB for a pool of four or fewer Mobility servers. 5 GB for a pool of five or more Mobility servers.
Mobility Client for Windows Vista, Windows XP, Windows XP Tablet or Windows 2000
• Operating system: Microsoft Windows Vista (Business, Enterprise, or Ultimate Edition), Microsoft Windows XP (Service Pack 2), Microsoft Windows XP Tablet (Service Pack 2), or Microsoft Windows 2000 Professional (Service Pack 4).
• Disk space: 10 MB free.
• Mobility XE online help requires a web browser that supports HTML 4.0, JavaS¬cript 1.2, and CSS1 or higher.
Mobility client for Windows Mobile
• Processor: StrongARM 1100 or compatible processor (e.g., XScale).
• Operating system: Microsoft Windows Mobile 6.0 (Classic, Standard, or Profes¬sional), Microsoft Windows Mobile 5.0 for Smartphone or Pocket PC, Microsoft Windows Mobile 2003 for Pocket PC, Microsoft Windows CE version 5.0, or Microsoft Windows CE version 4.2.
- See Technical Note 1515 on our web site (www.netmotionwireless.com) for a current list of tested device types and processors.
• Storage memory: 3 MB free on Windows Mobile for Pocket PC devices, or 7 MB free on Windows Mobile for Smartphone.
• ActiveSync installation requires ActiveSync v. 4.1 or greater.
• Network requirements: To integrate Mobility XE into a wireless network environment, you must have at least one of the following:
- A wireless LAN adapter installed on a mobile device and wireless access points installed on the wired network.
- A wireless WAN device installed on a mobile system and available wireless WAN service (for example, an account with a service provider).
- A modem installed on a mobile device and available dial-up service.
• Server components should be installed on workgroup or domain machines. Mobility XE does not support servers installed on domain controllers.
• For subnet roaming, DHCP services must be available on the network.
Advance End of Life Notice for Mobility XE Version 6.7
NetMotion Wireless has announced the end-of-life (EOL) for NetMotion Mobility XE version 6.7 will occur eighteen months from now. Effective December 31, 2009, customers who want to continue receiving technical support must upgrade to Mobility XE version 7.x or a later version. Until December 31, 2009, customers with maintenance contracts will continue to receive support. Until it is discontinued, any NetMotion Wireless customers can upgrade without charge to Mobility XE version 6.7 from any previous version of Mobility XE.
Specific EOL announcements for any later versions will be issued at least 12 months in advance of their end-of-life effective date.
Advance Notice of Intent to Discontinue EAP-MD5 Support
Mobility XE version 8.0 is the last release that will support the EAP-MD5 authentication method. EAP-MD5 has long been considered an “at-risk” authentication method due to security weaknesses (collision attacks and increased exposure to man-in-the-middle attacks). Because attacks on EAP-MD5 are no longer theoretical in nature, NetMotion Wireless has determined that it is unwise to continue support for the algorithm in our products.
If you are currently using EAP-MD5 authentication with Mobility XE, we strongly encourage you to migrate to one of the other available authentication methods as soon as possible. To determine if your Mobility XE system is affected, log in to the Mobility console, click on Server Settings, and then click on the ‘Authentication – Protocol’ setting. If ‘RADIUS – MD5’ is selected, you should plan to change to one of the alternate settings as soon as possible.
We will continue to support RADIUS authentication using the LEAP method and the PEAP with EAP-GTC or EAP-NTLMv2 inner methods. Support for additional EAP authentication methods is also planned for upcoming releases.
Note that starting with Windows Vista, Microsoft also discontinued support for EAP-MD5 (see http://support.microsoft.com/kb/922574), and many other security vendors have already discontinued their support for the protocol. There is also great deal of searchable information on the Internet about EAP-MD5’s security weaknesses.
Advance Notice of Intent to Discontinue Support for the MS Windows 2000 Server Operating System
Support for Windows 2000 Server will be deprecated in the next Mobility XE release, planned for later this year. Customers should plan to upgrade their Mobility XE server infrastructure to Windows Server 2003 SP2.
Advance Notice of Intent to Discontinue Support for the MS Windows 2000 Professional Operating System
Support for Windows 2000 Professional will be deprecated in the next Mobility XE release, planned for later this year. Customers should plan to upgrade their Mobility XE client devices to Windows XP or Windows Vista.
Advance Notice of Intent to Discontinue Support for the MS Windows Mobile 2003 (Pocket PC 2003) Operating System
Support for Windows Mobile 2003 (a.k.a. Pocket PC 2003) will be deprecated in the next release Mobility XE release, planned for later this year.
What's New In Previous Versions
