LogonBox VPN Changelog 2.4.12-1922 - 29th May 2025
Features
* Some changes have been made to reduce the memory footprint of the service when large numbers of users and groups exist.
* Disabled user accounts no longer consume a license seat.
* Failed deliveries via Cloud Messaging now have the capability to retry sending the message.
* Added a new task, Reset Profile, for use in automations and triggers.
* A new permission has been added, Mobile Number Personal, which can be removed from the Everyone Role to disallow users from adding their own SMS mobile numbers.
* Support added for Subject Alternative Names for Let's Encrypt SSL certificates
* When using User Selective 2FA, a default authenticator can now be set.
Bugs
* Some text fields that were missing a + button to add the text to a list now have the + button again.
* Profile Read permission is now default on a new install, this fixes a 403 error on a password reset.
* Forgetting to configure a Yubikey client ID now gives a better error message in the server log file.
* Removed edit action on the Sessions page (sessions cannot be edited, only deleted).
* Removed Audit Log->Settings->Notifications as this did not alter which popups appear in the UI.
* If a user's security question answers do not match, the error message is now correctly displayed in red rather than green.
* Perpetual license now shows the correct support expiry date.
--------------------------------
LogonBox VPN Changelog 2.4.11-1865 - 24th February 2025
Features
* Added option to log off Azure when signing out of LogonBox (connected to Azure)
* Updated Bootstrap components to latest version
* Added a new Content-Security-Policy for frame-ancestors to replace the now deprecated X-Frame-Options header
* The /boot partition has been merged into / for new builds as previous VMs had a too small /boot partition.
* Clicking the manual Synchronize button will now re-enable the sync schedule if it was in a disabled state.
* Added option to prevent a user deleting their own TOTP authenticator configurations.
* Added TOTP support to the LogonBox Authenticator, which can be used if your mobile cannot contact the server.
* Added the ability to trigger events off the back of a VPN client registration. This can be used for example to whitelist only a specified set of clients.
Bugs
* Fixed automatic log off in Azure when logging out of LogonBox.
* Services now showing correctly again in VMCentre
* Support callback can now be launched again from the web UI and VMCentre
* A user's password expiry time is now displayed in the UI in the local server timezone rather than UTC.
* Error messages on small (mobile) screens now wrap onto new lines so the full error can be read.
* The user can now see their Active Directory password policy again on the reset password screen.
* A user's locked status is now updated on a sync if a user has been unlocked directly in AD.
* A suspended user will now resume again as expected after the lockout time expires.
--------------------------------
LogonBox VPN Changelog 2.4.10-1813 - 7th November 2024
Features
* Can now alter AD sync schedules again in sub-tenants.
* CSR signature algorithm for SSL Certificates has been upgraded to SHA512WithRSA
* JQuery has been updated to version 3.7.1 to address potential vulnerabilities
* Added CSP headers to initial root redirect page /
* Added option to turn off Gzip compression of web pages as another mitigiation for the BREACH vulnerability
* Calls to the password generator API now require an authenticated session.
* Added an index to a database table to improve performance when reading AD groups.
* Option added to Group filter mode for AD - Disable Group Support. This can significantly speed up syncs on large AD domains if you're not interested in managing groups via LogonBox.
* Optimised user property writing during synchronization to avoid excessive database reads of group relationships
Bugs
* Users can no longer authenticate when Cache Passwords is set and their account is locked
* Mitigation added for BREACH vulnerability, random bytes can now be written to any gzipped web response
* When using Azure/O365, when a user logs off LogonBox, this now will log the user off Azure as expected
* Server log file should log significantly fewer lines when large numbers of groups are excluded in a sync, resulting in much smaller log file.
* Fixed a display order issue with Captcha authentication module when it is placed at the beginning of an authentication flow.
* Fixed incorrect message with the free license which suggested the server was not entitled to updates.
* Added some missing database cascades which could stop roles from being deleted.
* Duo authentications should no longer end up in an auth loop if Duo bypass MFA is enabled.
* Fixed a memory leak relating to Roles when large amounts of users or groups are present.
--------------------------------
LogonBox VPN Changelog 2.4.9-1768 - 14th August 2024
Features
* Performance improvements on a full reconcile.
* New SSL certificate can now replace the existing one
Bugs
* Fixed an encoding error with an incoming webhook request.
* If a device has a small screen height, the Next button on a reset is no longer off the bottom of the screen.
* Fixed an issue with the Duo Admin API causing errors on some profile checks.
* GeoLocation is now working again.
--------------------------------
LogonBox VPN Changelog 2.4.7-1694 - 3rd June 2024
Features
* Significant performance improvements to some database calls.
* The database improvement that was added in 2.4.6 as an optional property is now the new default, so all customers will benefit from the most commonly called database query being improved by a factor of 100, which will reduce CPU load significantly on a busy system.
* Added a new permission, Authenticator Personal. This enables the LogonBox Authenticator setup in a user?s My Credentials page.
* Moved logging framework for Callback Service from Log4J to Reload4J to resolve vulnerability report (was not susceptible to the vulnerability, but this will stop vuln scanners reporting a potential issue).
* Added HTTP Strict-Transport-Security preload directive to all requests. This isn?t technically required as our HTTP interface is only there to redrect to HTTPS, but adding this directive will stop vulnerability scanners complaining about this missing item.
* An admin can now reset a user?s profile state for Duo credentials from the User Directory page.
* Added hints to the text fields for Security Questions on the profile setup wizard to make it clear that a user needs to set and confirm an answer.
* SMS messaging now accepts HTTP 202 responses, which some messaging providers use.
* Added new account locked event when we detect an AD account has become locked.
* VPN clients are now excluded from the concurrent sessions notifications check to stop the popup on a VPN client.
Bugs
* On browser windows less than 1100 pixels wide, the user list in User Directory now displays as expected rather than getting pushed down the page.
* Add All, Remove All and Reset actions in multi-select fields are now correctly showing as buttons rather than links and have a consistent text size.
* The column filter on the Users page had a blank entry. This is now correctly named after the Actions tab and shows/hides the Actions column.
* Features can now be removed again from Updates, Features & Licensing.
* The setup prompt for the LogonBox Authenticator QR code now has the app store icons below it correctly justified.
* Removing a Role from a user in the Roles tab when a user object has been expanded with the + button now works again.
* If an AD user is locked, you can no longer log into LogonBox if you have Cache Passwords turned on.
* Fixed an issue with registering a ToTP authenticator (Microsoft, Google, Authy) on a sub-realm if using the Realm Selector dropdown. This now registers correctly again.
* Fixed prompts for PIN on profile completion wizard which was not happening if User Selective 2FA was also in use.
* Altered server log rolling so that logs roll over once per day as they used to. A bug was introduced with the Log4J2 upgraded where logs would rotate every 20Mb and then never get cleaned up after their max age.
* Attachments can be sent on a message template again
* Fixed an issue where you couldn?t update the user directory configuration when the UI was set to Portuguese language.
* Removed redundant search buttons for filter input text boxes on System Configuration->SSL.
* Added an expiry time to some of the recently introduced caching to reduce memory load over time.
* Altered JSON response returned on bad username during login to not return the username (only happened previously when verbose errors were on which falsely triggered some vulnerability scanners).
* It?s possible to add multiple certificates to the HTTPS Interface again.
* Local Groups can now be deleted on the VPN after they have previously been assigned to a peer definition.
--------------------------------
Features
* Buy or Upgrade button is now always shown on license status widget
* Added support for further improvement to some database calls
* Do not show local login link for non-administration login schemes.
* VPN client no longer showing blank screen when server behind a reverse proxy
* Don't throw exceptions if no content-length header present in request (which can happen behind some reverse proxies)
* Updated syslog library to fix SSL over TCP support
* License reminders removed from product, as reminders are already sent out by our CRM automatically
Bugs
* Fixed a typo in startup script which stopped VMCentre on VPN from starting
* Fixed a couple of issues with Update Realm and edit principal which were not showing the new value after changes (caching issue)
* Fixed a number of missing database CASCADES on some tables (could stop some resources types from being delete)
* Fixed a possibility of Null Pointer Exception if an extension declares an extension that doesn't exist.
* Some license states were too aggressively preventing updates.
* Issue fixed with uploading certificates when using the 'Setup the SSL certificate' wizard from the dashboard.
* AD reconcile time default was incorrectly set to every 4 minutes rather than every 4 hours.
--------------------------------
--------------------------------
Changes
-----------
Features
* Various libraries updated to address vulnerability reports (commons-io, apache-tika, spring-framework, PostgreSQL (driver), metadata-extractor)
* Improvements to remote realm synchronization. Now scheduled to run at certain fixed times (using cron expressions) instead of intervals. Active directory has two schedules, one for partial and one for full.
* Significant performance improvements, mainly more database caching and fixing faulty caching (e.g. broken negative caching).
* There is a new cache status page on System Configuration->Caches.
* Sessions are now transient. If you restart a server, all sessions will be invalidated.
* Improvements to the job status page with meaningful job names.
* ON/OFF switch element changed to a different library to address a vulnerability scan report
* Added a new task for Start Reconcile for use in Automations and Triggers
* One Time Password configuration has been pulled into a single realm setting rather than per authentication module
* Enable NAT on all local interfaces by default, but allow this configuration to be changed. (System Configuration->VPN->NAT Interfaces)
* Site-to-site configurations now by default will not publish routes between sites, isolating them. Previous open access behaviour can be re-enabled in VPN configuration (VPN->Configuration->Share User Allowed Ips).
* VPN Client now has the version numbers in the executables
Bugs
* Browser was not caching user icons on the User Database page.
* Show user status dates in the system or user-configured timezone.
* Fixed start-up order of encryption services, which may fail, particularly on 2.3 -> 2.4 upgrades.
* Delegated access to users now shows the correct users when using the "Users not logged on in 30 days" filter.
* Could not edit non-AD attributes when AD was in read-only mode.
* Various missing text localization keys added
* Removed Excessive popup notification messages when sessions are invalidated
* Fixed a problem with the Azure login module integration
* SMS delivery was broken in some places; now fixed
* Fixed a database cascade issue with shared password resources
* Could not change graph type in perfmon extension dashboard.
* Some "flash" error notifications were being incorrectly suppressed.
* Fixed issue with firstName missing in message when sent to additional contact
* Account linking messages were not working
* Fixed an issue where a user could register only one Yubikey on a system from the user profile completion wizard.
* If configuration help text contained hyperlinks, changing the associated field would turn the link text back into raw HTML
* Password last changed time now displayed in local server timezone
* Reconcile hashes should no longer get out of sync and cause unnecessary full reconcile cache rebuilds
* Fixed an issue where a group ID was being used in place of a user ID on reconciles, which would invalidate the cache
* One Time Password authentication should now correctly save email addresses to the directory if the option Save to Directory is turned on
* Can now edit allowed IPs on a user again (because active directory is in read only mode)
* Fixed an issue where the VPN port was not being added for the firewall configuration when a local ufw firewall was enabled
--------------------------------
--------------------------------
--------------------------------
--------------------------------
LogonBox VPN 2.3.19
Features
o Twilio SMS support was added and set to default on a cloud evaluation.
o SSH Directory now supports password and account locks on Redhatsystems (faillock and passwd -l).
o SSH Directory can now read in /etc/passwd files larger than 32KB.
o Changes added to validated emails with OTP (AD email changing, use Additional Emails).
o New option to show Administration link. Newly deployed VPN servers will ship with the Admin Logon option enabled by default.
Bugs
o AD user?s Fullname attribute incorrectly using AD?s description attribute.
o End users now receive Account Suspended emails again.
o Completed profile counts are now consistent (graphs vs profile counts on the Users menu).
o Added some missing database cascades, which prevented some resources from being deleted.
o Let?s Encrypt adds the intermediate certificate.
o Profile status gets updated when PIN and Questions are in use.
o Added some missing i18 strings for Lock Threshold, Window and Time.
o Added permissions to fix 403 error on My Resources->Passwords.
o VPN server now correctly handles v1 cookies sent by the VPN client.
o Added missing i18n strings on some AD attributes (givenName, sn, displayName) visible in User Directory->User Attributes and on the end user My Profile.
o Added a missing i18n string for Early Access update repository.
--------------------------------
Features
* Support added for Turkish language Windows OS.
* Client connections no longer get interrupted when other clients connect.
Bugs
* Geo IP Restrictions now support a more extensive list of countries in a single rule (it was previously limited to around 52 countries)
* The defaults for the database connection pool size are limited to a value which will not run out of connections to the underlying MariaDB database
--------------------------------
--------------------------------
--------------------------------
--------------------------------
Features:
* Administrative access can now be configured to use a different port if required:
- To do this, create a new interface from System Configuration->Interfaces and set the port number in this interface (requires a restart).
- Then in System Configuration->Configuration->Authentication, in Admin Interfaces, add your new interface to the Included section.
- Note that after making this change, the Administration Link will still exist on the main interface, but you will not be able to authenticate, so you may wish to also turn off the Administration link.
* Support Callback service has been completely re-coded to allow us to help you better on more complicated support cases. It is recommended to run apt upgrade on a VM or run the new installer if you use Windows to ensure you get this update.
* The LogonBox Authenticator app is now available for Apple mobile devices in the Appstore.
* LogonBox now dynamically scales the number of threads based on CPU count for better performance and reliability under high load.
* Added option in Messages->Settings->SMTP->Debug for troubleshooting SMTP message issues.
* The Synchronize button in User Directory->Users will now re-enable a reconcile if it was disabled due to previous connection errors.
* Added new permission to delegate the user Synchronize button to User Directory->Users.
* Added new permission to delegate the Configure User Directory link in User Directory->Users.
* The User Selective 2FA wizard now provides options to apply the 2FA modules to any Authentication Flow.
* Changed the default ordering of the widgets on the Dashboard->Get Help page.
Bugs:
* Fixed a problem with Performance Monitor feature, which prevented the LogonBox service from starting up.
* Removed duplicate entries in the Select Language menu.
* Fixed an issue where importing a PKCS12 certificate could result in a bad certificate type.
* HaveIBeenPwned password checking can now be enabled on a per-realm basis.
VPN client bugs:
* Fixed upgrade issue with MacOS client.
* Fixed upgrade issue with Windows client when VPN is connected to a session.
--------------------------------
Features:
* Push authentication support added for LogonBox Authenticator.
* Added support for emails for Linux users using the SSH user directory.
* The left-hand menu is pinned open by default to make it easier for end-users to find their settings.
* Added a maximum number of backups setting to Backup and Restore in VMCentre.
* Added an option for Force Change at Logon when an admin sets a user's PIN.
* A user's PIN can now start with a 0.
Bugs:
* Scheduled backups now working correctly in VMCentre.
* When changing a filter on Audit Log or Users and you are on page 2 or higher, changing the filter which results in just one page will show that page as expected.
* A username with a # in the name now automatically generates a user profile image.
* VMCentre logs no longer grow rapidly if the server idletime is greater than maxInt seconds.
* Setting attributes in a CSV export from the user's page now works if you mix local and AD users.
--------------------------------
Features:
? VPN client downloads are always visible from the User Dashboard in the devices widget for easier client access.
? VPN client now checks for available updates on start and provides an option to upgrade.
? OS X client is now notarized, so it should work with silent install options.
? The client should now switch screens automatically if the screen it is on disappears.
? System IP restrictions merged into the new service-based set of rules. The new IP Authentication menu now looks and works more like a set of Firewall rules.
? Added an option not to show a default realm if you use the realm dropdown to login pages.
? Email subsystem reworked - Emails will now be sent only in plaintext if there is no HTML content.
? Email subsystem reworked - Batched emails (i.e. password reminders, profile reminders) should now send significantly faster (several per second rather than once per few seconds).
? New permission added for User Dashboard view. Remove this permission from the Everyone Role if you don't want users to see the new User Dashboard on login.
? The Portuguese language added.
? System Configuration->Configuration->Application Name now accepts a - character.
Bugs:
? VPN client error messages have had some justification issues fixed for certificate error notifications.
? Windows VPN client tray icon right-click menu now works as expected.
? Changing SMTP hostname no longer requires to restart to take effect.
? We fixed some issues with sessions not timing out as expected when on certain pages.
? On session timeout, the system will automatically refresh the login screen rather than only doing so after the next page interaction after the expiry.
? Authentication flows will now iterate through nested group memberships for the Assigned Flow authentication module.
? Combining an Assigned Flow with User Flow Selection in Authentication Flows now works as expected.
--------------------------------
--------------------------------
--------------------------------
--------------------------------
LogonBox VPN 2.3.0-1113
Getting started: https://docs.logonbox.com/app/manpage/en/article/2748959
Changes:
Added support for licensing to allow access to different authentication methods and user directories
--------------------------------
LogonBox VPN 2.3.0-1079
Getting started: https://docs.logonbox.com/app/manpage/en/article/2748959
Fixes:
* Changing the address pool range now works as expected
--------------------------------
LogonBox VPN 2.3.0-1051
Getting started: https://docs.logonbox.com/app/manpage/en/article/2748959
Features:
Now defaults to using NAT to remove requirement for default routes on the server network, making deployment quicker.
--------------------------------
*Initial release* LogonBox VPN 2.3.0-1051
Getting started: https://docs.logonbox.com/app/manpage/en/article/2748959
--------------------------------
--------------------------------