Version history

  1. DePure NG, when purchased as a virtual machine image, will now be available in two options: Light and Basic. The light version of the software, DePure NG Light, excludes the Intrusion Detection and Prevention (IDS/IPS) feature and application control (nDPI, detection of application layer protocols (layer 7) using signature analysis). DePure NG Light is geared largely towards controlling user access to the Internet.
  2. The following plug-in improvements were made:
    2.1. UserACL Plug-in ‑ filtering using various access lists, selective filtering of content using the ICAP protocol, and distribution of queries over outbound channels:
    • Added the ability to enter a list of users and groups.
    • When an attempt is made to delete a list that is in use, the system now notifies the administrator of the error.
    • Made changes to the system operation in transparent proxying mode – added the ability to create a list of approved sites for "all prohibited" mode (sites from this list are approved, all others are prohibited).
    2.2. nDPI Plug-in ‑ intelligent detection of application layer protocols (layer 7) using signature analysis:
    • Added the functionality to automatically refresh statistics every 5 minutes. Statistics are collected per the created rules, the number of matches and blocks provided that blocking is enabled; by the blocking rules of the firewall, by the number and type of packets; by protocol family; by recognized protocols.
    2.3. SSO Plug-in (Single Sign-On authentication):
    • Added the ability to turn off Basic authentication (this authentication scheme is used for authentication of users whose computers are not members of the domain). When Basic authentication is off, users whose computers are not in the domain will not be serviced by the proxy server.
    • Tightened up the procedure for checking DNS settings before connecting to the domain: mandatory checks are now performed only for one server, the first on the list, and not for all the servers on the list. If the first server cannot process the query, the DePure NG administrator receives a notification. In addition, the check now covers the processing of requests not only for the domain controller and DePure NG addresses, but for external domains too.
    2.4. SquidLog Plug-in ‑ expanded web proxy reports:
    • Improved compression of the log database: old records removed from statistics are now also removed from the database, ensuring its compression.
  3. Upgrade to current version OPNsense 21.7.3. DePure NG administrators can take advantage of the updated platform.
  1. Added: enforced bandwidth limits in the proxy server. DePure NG Security Gateway administrators can now limit the speed of Internet connections for individual users, thus improving overall network performance.
  2. Added: switching YouTube to safe family mode. Switching to safe mode allows you to apply age restrictions to YouTube content and block comments below the video. The function is particularly relevant for organizations and educational institutions.
  3. Optimized: transparent authentication mechanism for domain users using single sign-on (SSO) technology.

    When a blocking rule for a user or group of users is triggered, non-domain users and computers are switched over to the basic backup authentication and the user (group) receives an authentication notification.

    DePure NG Security Gateway administrators can now disable basic authentication to avoid switching the user to this authentication mode. The user is shown a corresponding authentication window. In this mode, a website to which access is forbidden for a user (group of users) will simply not load, and the user (group) will see a message that the proxy does not accept the connection.

    Note that when basic authentication is switched off, only domain users can use DePure NG Security Gateway.

  4. Added: new proxy server reports in account statistics.

    DePure NG Security Gateway administrators can now get detailed statistics for each user and each domain they accessed, as well as the number of visits to each domain by the user.

  5. Upgrade to current OPNsense version 20.7. DePure NG Security Gateway administrators can take advantage of the updated platform.

    Among the improvements in the new version is policy-based IDS/IPS rule management, which makes the administrator's work much easier when the number of rules exceeds one thousand.

  6. The mechanism for activating user and group rules in the access control lists (ACLs) of the proxy server has been optimized. Each rule now has a toggle switch, which enables or disables the rule.
  1. Web Proxy: Added FreeIPA (Free Identity, Policy and Audit) integration; added the ability to generate an exclusion list for access to sites that have their own (self-signed) SSL certificates.
  2. Certificates: The root certificate is now generated automatically when DePure NG is installed.
  3. VPN (Virtual Private Network): Updated os-gostvpn plug-in; added support for Cyrillic domains for IPsec.
  4. Next-generation firewall: Added check for valid names for firewall aliases.
  5. L7 filtering (nDPI, deep packet inspection system): added sorting by rule priority; moved from a static library to the library from ports.
  6. Upgrade to OPNsense version 20.7.2.
  7. Updated online documentation.
  8. The following elements were optimized:
    • Automatic BIOS update when DePure NG is installed on the APU2 hybrid processor;
    • NetFlow start, stop, and restart;
    • Web server certificate generation;
    • View proxy logs;
    • Copying firewall rules to the Central Management System;
    • Priority numbers in the UserACL plug-in (web proxy advanced filtering feature);
    • SMS Portal;
    • Web interface.
  1. Migrated to latest version of OPNsense 19.7.10 to allow users to take full advantage of the updated platform.
  2. Simultaneous anti-virus scan of web and mail traffic.
  3. DNS traffic encryption (dnscrypt-proxy) is enabled by default in the new version, which helps to protect DNS queries from spoofing and hijacking.
  4. Improved hardware platform throughput for the low-end model S100, on average up to 1 Gb/s.

Bug fixes.

  1. Added user authentication to proxy by their IP/MAC addresses.
  2. When you install a new plug-in, the new plug-in partition automatically appears in the DePure NG Security Gateway menu. This modification eliminates the need for the administrator to manually update the menu interface when installing each new plug-in.
  3. Theme selection option added. There are two preset themes in the standard DePure NG Security Gateway package. To use the three additional themes, you need to install the appropriate plug-ins.
  4. Migrated to latest version of OPNsense 19.7.3 to allow users to take full advantage of the updated platform:
    • NAT rules logging. When enabled, information about triggered NAT rules is saved in the firewall logs.
    • WPAD / PAC and parent proxy support on web proxy. The modification allows the proxy server to be configured automatically in client browsers.
    • DNSSEC support in the dnsmasq DNS server protects IP addresses against spoofing using cryptographic authentication of the data source and data integrity verification.
    • OpenVPN client export API provides the ability to automate the process of issuing client certificates for OpenVPN.
    • Added new plug-ins: API backup export - backup copies management automation; Hardware widget - hardware platform information; Nginx - web server and mail proxy server.
    • Added display of automatic firewall rules to the web interface to provide a complete list of rules used.
    • Added collection and display of statistics for all firewall rules.
    • Enabled support for synchronization of user groups in LDAP.
    • Certificate Signing Requests (CSR) are supported: you no longer need to fully generate SSL certificates on the device; it is enough to sign a pre-defined certificate request.

Bug fixes.