Client Proxy 4.9.4 Release Notes
About this Patch Release
This patch release introduces Window Auto-Tuning Compatible Mode as a new policy setting in the Client Proxy (Windows only) to control TCP Window Auto-Tuning, the Client Proxy adds a checkbox to control PA local traffic bypass, giving more flexibility when Bypass all Gateways for local traffic is enabled and addresses important bugs, including BSOD errors caused by conflicts with external agents like NetMotion VPN, Network Manager hang issues, support for case-insensitive hostname matching for private applications (e.g., IBM AS400), and improvements for e2e health check for macOS. To view the full list of resolved issues, see the resolved issues list.
Release builds
- Windows - 4.9.4.266
- macOS - 4.9.4.101
- SCP Extension for Trellix SaaS ePO - 4.9.4.212
- SCP Extension for On-prem ePO - 4.9.4.211
NOTE:
- Client Proxy 4.9.x supports M3 and M4 chipsets on macOS.
- To install or upgrade the Client Proxy to version 4.9.4 on an ePO-managed Mac or Windows client, make sure that the MsgbuscertUpdater is version 5.8.3.939. If you are using a different version of MsgbuscertUpdater, install version 5.8.3.939 from ePO before deploying the Client Proxy version 4.9.4.
- To enhance security, the Skyhigh Client Proxy 4.9.4 and later releases include a README.txt file in the ZIP package, which contains the MD5 hash for package verification. For more details, see Verify MD5 Package.
Enhancements
Manage PA Traffic within Local Network
The Client Proxy introduces a new checkbox Exclude PA traffic from bypass, to give administrators better control over private application (PA) traffic when the Bypass all Gateways for Local Traffic option is enabled. This setting is found under Settings > Infrastructure > Client Proxy Management > Configuration Policies. For existing users without the OPG key, this checkbox is turned on by default, so PA traffic stays protected, even when local traffic is bypassed. To bypass PA traffic, uncheck the box. This provides flexibility and clarity in managing PA traffic across a local network.
Window Auto-Tuning Compatible Mode Introduced with Policy Setting (Windows Only)
Window Auto-Tuning automatically adjusts the TCP receive window size (the amount of data a device can receive before sending an acknowledgment) to optimize data flow based on network conditions.
You can now uncheck the Window Auto-Tuning (Windows Only) checkbox from the Client Configuration page. The checkbox is enabled by default, which reduces the TCP window size and may slow downloads. Clearing the checkbox improves download speed and reliability, and helps resolve compatibility issues with older routers, firewalls, and operating systems. For details, see Window Auto-Tuning.
Resolved Issues
| Reference | Operating System | Issue Description |
|---|---|---|
| MCP-6973 | Windows | Prevent BSOD errors by resolving conflicts with external agents like NetMotion VPN. |
| MCP-6978 | Windows | Address Network Manager thread blocks in Boost ASIO threads to prevent proxy disconnections. |
| MCP-7274, MCP-7406 |
- | In Trellix ePO and ePO SaaS, a large configuration in the bypass and alternate redirection lists may occasionally prevent the policy screen from rendering correctly. |
| MCP-7472 | Windows | The Client Proxy now consistently recognizes intercepted traffic IPs as part of the private application subnet, ensuring SMB PA apps work for all hosts. |
| MCP-7695, MCP-7699 |
- | In Trellix ePO and ePO SaaS, the validation check on configured ports that previously prevented the modification of the Client Proxy policies has been addressed, enabling the successful configuration of the Client Proxy policies from the policy catalog. |
| MCP-7884 | macOS | Web browsing issues following a Mac waking from sleep, caused by a deadlock in the auto-policy download thread, have been resolved. |
| MCP-8318 | - | In Trellix ePO and ePO SaaS, the corrupt policy does not load and causes high CPU usage. To mitigate this, a pop-up message stating 'Policy data is corrupted' is displayed when attempting to open the affected policy. |
| MCP-8462, MCP-8463 |
Windows and macOS | The inability to access the IBM AS400 application owing to the Client Proxy's inability to process hostnames passed in lowercase is now addressed. |
| MCP-8641 | Windows | The Client Proxy, which failed to detect VPN IPs within the internal network, now recognizes Local Internet VPN, assesses reachability, stays passive, and allows network traffic to pass through seamlessly. |
| MCP-8927 | macOS | The addition of redundant Private Access interception rules is now addressed. |
| MCP-8932 | macOS | Addressed the omission of the policy name from the 'X-SWEB-SystemInfo' header. |
| MCP-8957 | macOS | The failure of the end-to-end health check caused by the system falling into sleep is now addressed. |
| MCP-9151 | Windows | The issue of global bypass not being applied to traffic intended for the Cloud Firewall is now addressed. |
| MCP-9159 | Windows and macOS | Restrict the reuse of the global bypass code to prevent unauthorized extensions of bypass usage time. |