
nGenius Decryption Appliance v1.6P
Release Notes

733-1425 Rev. B September 15, 2020


Use of this product is subject to the End User License Agreement available at
http://www.NetScout.com/legal/terms-andconditions or which accompanies the product at the time of shipment or, if
applicable, the legal agreement executed by and between NETSCOUT SYSTEMS, Inc. or one of its wholly-owned
subsidiaries (“NETSCOUT”) and the purchaser of this product (“Agreement”).
Government Use and Notice of Restricted Rights: In U.S. government (“Government”) contracts or subcontracts, Customer
will provide that the Products and Documentation, including any technical data (collectively “Materials”), sold or delivered
pursuant to this Agreement for Government use are commercial as defined in Federal Acquisition Regulation (“FAR”) 2.101
and any supplement and further are provided with RESTRICTED RIGHTS. All materials were fully developed at private
expense. Use, duplication, release, modification, transfer, or disclosure (“Use”) of the Materials is restricted by the terms of
this Agreement and further restricted in accordance with FAR 52.227-14 for civilian Government agency purposes and
252.227-7015 of the Defense Federal Acquisition Regulations Supplement ("DFARS") for military Government agency
purposes, or the similar acquisition regulations of other applicable Government organizations, as applicable and amended.
The Use of Materials is restricted by the terms of the Agreement, and, in accordance with DFARS Section 227.7202 and FAR
Section 12.212, is further restricted in accordance with the terms of NETSCOUT’s commercial End User License Agreement.
All other Use is prohibited, except as described herein.
This Product may contain third-party technology. NETSCOUT may license such third-party technology and documentation
("Third-Party Materials") for use with the Product only. In the event the Product contains Third-Party Materials, or in the
event you have the option to use the Product in conjunction with Third-Party Materials (as identified by NETSCOUT in the
Documentation provided with this Product), then such third-party materials are provided or accessible subject to the
applicable third-party terms and conditions contained either in the “Read Me” or “About” file located in the Software or on
an Application CD provided with this Product, or in an appendix located in the documentation provided with this Product. To
the extent the Product includes Third-Party Materials licensed to NETSCOUT by third parties, those third parties are third-
party beneficiaries of, and may enforce, the applicable provisions of such third-party terms and conditions.
Open Source Software Acknowledgement: This product may include open source components that are governed by the GNU
General Public License (“GPL”). In accordance with the terms of the GNU GPL, NETSCOUT will make available a complete,
machine-readable copy of the source code components of this product covered by the GNU GPL, if any, upon receipt of a
written request. Please identify the product and send a request to:
NETSCOUT SYSTEMS, INC.
GNU GPL Source Code Request
310 Littleton Road
Westford, MA 01886
Attn: Legal Department
To the extent applicable, the following information is provided for FCC compliance of Class A devices:
This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of
the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the
equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio frequency
energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio
communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case
users will be required to correct the interference at their own expense.
Modifications to this product not authorized by NETSCOUT could void the FCC approval and terminate your authority to
operate the product. Please also see NETSCOUT’s Compliance and Safety Warnings for NETSCOUT Hardware Products
document, which can be found in the documents accompanying the equipment, or in the event such document is not
included with the product, please see the compliance and safety warning section of the user guides and installation
manuals.
No portion of this document may be copied, photocopied, reproduced, translated, or reduced to any electronic medium or
machine form without prior consent in writing from NETSCOUT. The information in this document is subject to change
without notice and does not represent a commitment on the part of NETSCOUT. The products and specifications,
configurations, and other technical information regarding the products described or referenced in this document are subject
to change without notice and NETSCOUT reserves the right, at its sole discretion, to make changes at any time in its
technical information, specifications, service, and support programs. All statements, technical information, and
recommendations contained in this document are believed to be accurate and reliable but are presented "as is" without
warranty of any kind, express or implied. You must take full responsibility for your application of any products specified in
this document. NETSCOUT makes no implied warranties of merchantability or fitness for a purpose as a result of this
document or the information described or referenced within, and all other warranties, express or implied, are excluded.
Except where otherwise indicated, the information contained in this document represents the planned capabilities and
intended functionality offered by the product and version number identified on the front of this document. Screen images
depicted in this document are representative and intended to serve as example images only.
Copyright © NETSCOUT 2009-2020. All rights reserved.

Contacting NETSCOUT SYSTEMS
Customer Support
The best way to contact Customer Support is to submit a Support Request:
https://my.netscout.com/mcp/Pages/default.aspx

Telephone: In the US, call 888-357-7667; outside the US, call +011 978-614-4000. Phone support hours are
8 a.m. to 8 p.m. Eastern Standard Time (EST).

E-mail: support@netscout.com

When you contact Customer Support, the following information can be helpful in diagnosing and solving problems:
— Type of network platform
— Software and firmware versions
— Hardware model number and serial number
— License number and your organization’s name
— The text of any error messages
— Supporting screen images, logs, and error files, as appropriate
— A detailed description of the problem

Sales
Call 800-357-7666 for the sales office nearest your location.

Training
Course listings and information on certification programs are available at:
https://www.netscout.com/netscout-university



Contents
• Introduction
• System Requirements
• Models Supported in this Release
• Browser Requirements
• New and Changed Features
• Known Issues

Introduction
This document describes features and known issues in the v1.6P release of the nGenius Decryption
Appliance (nDA). The nDA is a high-performance packet processing and decryption device that can
bridge a network connection between two endpoints, relaying all SSL/TLS encrypted and non-encrypted
traffic to the original endpoints while providing decrypted traffic to an attached appliance
using a separate set of ports. The nGenius Decryption Appliances are often deployed with a packet
flow switch (PFS), to maintain the network connections if the nGenius Decryption Appliance goes out
of service or loses power.

NETSCOUT strongly recommends that you read this document in its entirety, as well as the following
additional documentation:
• nGenius Decryption Appliance Quick Connect Guide
• nGenius Decryption Appliance Administrator Guide, v1.6P

These and other documents as well as any updates to these release notes are available on the
My.NETSCOUT.com website.

Document Contents
Refer to the following sections for details:
• System Requirements
• New and Changed Features
• Known Issues
System Requirements
The following is a summary of key requirements for this release. Refer to the nGenius Decryption
Appliance Administrator Guide for additional details on installing and configuring the nGenius Decryption
Appliance.

Models Supported in this Release

The following nGenius Decryption Appliance models can be purchased from certified resellers and used
with this release:

Model: D-02725 (Certified)
NIC/Ports: Four Ethernet ports on a single NIC with 1 Gigabit (SFP) or 10 Gigabit (SFP+) transceivers
used as follows [1]:
• 1 Gigabit (SFP) on all four ports
• 10 Gigabit (SFP+) on all four ports [2]
Storage Capacity/Drives: 32 TB; four 8 TB SATA drives, configured in RAID 5
System LAN Ports: Two onboard 10 Gigabit LAN ports (one used as eth0 Management port)
Removable Storage: Single 2.5" 240 GB solid state drive
Media: None

Model: D-04835 (Certified)
NIC/Ports: Eight Ethernet ports on two NICs with 1 Gigabit (SFP) or 10 Gigabit (SFP+) transceivers
used as follows [1]:
• 1 Gigabit (SFP) on all four ports on either or both NICs
• 10 Gigabit (SFP+) on all four ports on either or both NICs [2]

Browser Requirements
For best results, use one of the following Web browsers/versions to access the nGenius Decryption
Appliance Web interface:
• Google Chrome 77 or higher
• Mozilla Firefox 69 or higher
• Microsoft Edge 44 or higher
• Apple Safari 13 or higher
• Opera 50 or higher

Microsoft Internet Explorer (any version) is not recommended.

[1] All four ports on the NIC must operate at the same speed (either 1 Gigabit or 10 Gigabit). On the dual NIC D-04835,
one NIC could be configured with four 1 Gigabit ports and the second NIC with four 10 Gigabit ports.
[2] The license installed on the nGenius Decryption Appliance may limit the overall throughput through the appliance.

New and Changed Features
Release v1.6P introduces the following new or changed features since the previous 1.4.1 nGenius
Decryption Appliance (nDA) release:

Expanded Segment Modes: For the I/P: Network Inline / Appliance Passive and P/P: Network Passive /
Appliance Passive segment modes, two variations are now available:
• Balance to Ports: The traffic received on either network port and sent out the attached appliance
  ports (np2 and np3) is automatically load-balanced across both attached appliance ports.
• Corresponding Ports: Traffic to and from each network port is sent out a specific attached appliance
  port depending upon the direction.
For segments configured in I/I: Network Inline / Appliance Inline mode, traffic to and from each network
port continues to be mapped to a specific attached appliance port depending upon direction, just as in
previous releases.

Certificate and Key File Handling Enhancements: In previous releases, server certificate and key files
had to be installed on the nGenius Decryption Appliance one at a time. This release allows you to bulk
load these items using PEM Bundle files containing multiple (1000+) certificates and keys in a single
file. Additionally, PKI lists (not just individual PKI items) can now be used in rules for the known-key
and re-signing actions.

Logging Improvements: The following improvements have been made to nDA logging:
• Syslog and Local log levels can now be set independently for the Session Log.
• SSL logs now contain additional certificate information, including certificate serial numbers,
  signatures, valid dates, etc. Fingerprint information is now displayed in the top-level SSL log viewer,
  with a View option available to launch a details pop-up window showing handshakes and other details.

Traffic Forwarding Options on Link Failure: In this release, the nDA offers the option to forward traffic
if attached appliance links are down. The ability to forward traffic even if it is not seen by the
attached appliance is configurable per segment. If disabled, traffic is dropped if the link is down on
all attached appliance ports.

PowerSafe TAP 3296 Support: This release introduces support for automatically configuring and using the
PowerSafe TAP 3296 bypass switch with the nGenius Decryption Appliance.

VLAN Tagging Enhancements: VLAN tags are now included in the definition of a flow / session (configurable
per segment). Also, VLAN reverse mapping is now supported, enabling the use of VLAN mapping in
Inline-Inline (I/I) mode.

TLS Version Matching: The TLS version now matches the negotiated version. Previously, the version matched
the TLS version reported in the record layer of the client HELLO message.

General Management Improvements: The following general improvements have been made to nDA management:
• Authentication: Password quality is now enforced. Passwords must be at least eight characters long and
  contain at least one uppercase, one lowercase, one numeric and one special character. LDAP server
  settings are also now configurable using the UI.
• Selecting multiple items: You can select and perform some actions on multiple certificates at the same
  time. To use the multiselection tool, check the box next to the multiselect icon and use the options to
  select all, deselect all, or select multiple items. This feature is particularly useful for deleting
  large groups of items (such as PKI Endpoints) when reconfiguring the nGenius Decryption Appliance.

Using this release, the nGenius Decryption Appliance supports the following versions of SSL/TLS:
• SSL 3.0
• TLS 1.0, 1.2 and 1.3
• SSH v2
For complete information on the specifications and features of the nGenius Decryption Appliance,
refer to the materials available at https://www.netscout.com/product/ngenius-decryption-appliance.

Known Issues
The following topics contain lists of known limitations and workarounds (where available) applicable
to this release.
Some traffic cannot be decrypted because devices or applications detect that decryption is being performed
and refuse to proceed with sending traffic. For example, some devices cannot be configured to trust a
re-signing certificate, or they expect a specific CA or server certificate (a process known as certificate
pinning). Contact NETSCOUT Support for a list of affected applications and devices. Examples include IoT,
smart home and mobile (Android and iOS) devices, as well as Apple, Microsoft and Linux software updates.

To fully bypass traffic at the TCP connection level, without decrypting it or modifying it in any other
way, add the rules that match the traffic at the top of the list (so that they are the highest-priority
rules). Match the traffic by client IP / port, server IP / port, VLAN, SNI, and/or ALPN, and use bypass as
the action. Do not match any other fields, since in some cases that requires commencing decryption in
order to know whether the traffic should be decrypted.
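The TLS Version Matching change in the features list and the bypass guidance above both turn on what is visible in a ClientHello before any decryption has started. The following added example (written for these notes; it is not NetScout's code and does not use the appliance's rule format) builds a constructed TLS 1.3 ClientHello, parses out the record-layer version, legacy_version, supported_versions, SNI and ALPN, and evaluates an ordered rule list against those fields. The rule schema, the RULES list, the 192.0.2.10 address, the VLAN and port numbers and the updates.example.com name are all assumptions made for illustration:

```python
import struct

def _u16(n):
    return struct.pack("!H", n)

def build_client_hello(record_version, legacy_version, supported_versions, sni, alpn):
    """Assemble a minimal ClientHello record (constructed sample, not captured traffic)."""
    host = sni.encode("ascii")
    sni_list = b"\x00" + _u16(len(host)) + host                     # name_type 0 = host_name
    ext_sni = _u16(0) + _u16(len(sni_list) + 2) + _u16(len(sni_list)) + sni_list
    protos = b"".join(bytes([len(p)]) + p.encode("ascii") for p in alpn)
    ext_alpn = _u16(16) + _u16(len(protos) + 2) + _u16(len(protos)) + protos
    vers = b"".join(_u16(v) for v in supported_versions)
    ext_sv = _u16(43) + _u16(len(vers) + 1) + bytes([len(vers)]) + vers
    exts = ext_sni + ext_alpn + ext_sv
    body = (_u16(legacy_version) + bytes(32)          # legacy_version, random
            + b"\x00"                                 # empty session_id
            + _u16(2) + b"\x13\x01"                   # one cipher suite
            + b"\x01\x00"                             # null compression only
            + _u16(len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + _u16(record_version) + _u16(len(handshake)) + handshake

def parse_client_hello(record):
    """Read the record and handshake headers, skip the fixed fields, then walk the extensions."""
    record_version, hs_len = struct.unpack("!HH", record[1:5])
    hs = record[5:5 + hs_len]
    if record[0] != 0x16 or hs[0] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    info = {"record_version": record_version, "legacy_version": struct.unpack("!H", body[:2])[0],
            "supported_versions": [], "sni": None, "alpn": []}
    p = 2 + 32                                        # legacy_version + random
    p += 1 + body[p]                                  # session_id
    p += 2 + struct.unpack("!H", body[p:p + 2])[0]    # cipher_suites
    p += 1 + body[p]                                  # compression_methods
    if p >= len(body):
        return info                                   # no extensions (older clients)
    end = p + 2 + struct.unpack("!H", body[p:p + 2])[0]
    p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", body[p:p + 4])
        data = body[p + 4:p + 4 + elen]
        p += 4 + elen
        if etype == 0:                                # server_name
            name_len = struct.unpack("!H", data[3:5])[0]
            info["sni"] = data[5:5 + name_len].decode("ascii")
        elif etype == 16:                             # ALPN
            q = 2
            while q < len(data):
                n = data[q]
                info["alpn"].append(data[q + 1:q + 1 + n].decode("ascii"))
                q += 1 + n
        elif etype == 43:                             # supported_versions
            info["supported_versions"] = [struct.unpack("!H", data[i:i + 2])[0]
                                          for i in range(1, 1 + data[0], 2)]
    return info

def highest_offered_version(info):
    """A TLS 1.3 server negotiates from supported_versions when present, otherwise from
    legacy_version (RFC 8446 4.2.1); the record-layer version is only a compatibility value."""
    offered = info["supported_versions"]
    return max(offered) if offered else info["legacy_version"]

# Assumed rule schema: the fields a rule may test without starting decryption.
PRE_DECRYPTION_FIELDS = {"client_ip", "client_port", "server_ip", "server_port", "vlan", "sni", "alpn"}

RULES = [  # constructed list; evaluated top to bottom, first match wins
    {"name": "bypass-update-service", "action": "bypass",
     "match": {"server_ip": "192.0.2.10", "server_port": 443, "sni": "updates.example.com"}},
    {"name": "decrypt-default", "action": "decrypt", "match": {}},
]

def offending_bypass_rules(rules):
    """Names of bypass rules that test a field only known once decryption has begun."""
    return [r["name"] for r in rules
            if r["action"] == "bypass" and set(r["match"]) - PRE_DECRYPTION_FIELDS]

def first_matching_rule(rules, flow):
    for rule in rules:
        if all(bool(set(flow.get("alpn", [])) & set(want)) if key == "alpn" else flow.get(key) == want
               for key, want in rule["match"].items()):
            return rule
    return None

def classify(record, client_ip, client_port, server_ip, server_port, vlan):
    """Join the parsed handshake fields with the flow's addressing and pick the first rule."""
    info = parse_client_hello(record)
    flow = {"client_ip": client_ip, "client_port": client_port, "server_ip": server_ip,
            "server_port": server_port, "vlan": vlan, "sni": info["sni"], "alpn": info["alpn"]}
    rule = first_matching_rule(RULES, flow)
    return {"highest_offered": highest_offered_version(info), "rule": rule["name"], "action": rule["action"]}

# Constructed sample: record layer says TLS 1.0, the client actually offers TLS 1.3.
SAMPLE_HELLO = build_client_hello(0x0301, 0x0303, [0x0304, 0x0303], "updates.example.com", ["h2", "http/1.1"])
```

The sample carries 0x0301 (TLS 1.0) in the record layer while offering TLS 1.3 through supported_versions, which is exactly the case where matching on the negotiated version and matching on the record layer disagree. offending_bypass_rules is the check the paragraph above asks for: a bypass rule that tests anything outside the pre-decryption set cannot be evaluated without starting the handshake.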

Inline-Inline VLAN mapping is supported. The reverse mapping required for this to function has been
implemented. Mapping multiple VLAN tags arriving from the main network to the same tag presented to the
attached appliance cannot, however, be supported, as the reverse mapping cannot then be done.

The attached appliance is not permitted to fragment traffic at the IP level. It is permissible for it to re-segment
traffic at the TCP level.

When using tunnels that encapsulate an IP packet in another IP packet, decryption is only supported if the
inner packet is not fragmented. It is acceptable for the outer packet to be fragmented.

The total number of certificates / keys in the system should not exceed 5000 as creating a large number of
certificates / keys will result in the administration user interface slowing down.
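The PEM Bundle bulk-load feature listed under New and Changed Features and the 5000 certificate / key guideline above both argue for inspecting a bundle before it is loaded. The following added example (not NetScout's code; the bundle text is constructed with placeholder bodies rather than real certificates or keys, the 5000 figure is taken from the guideline above, and treating encrypted key blocks as something to review is an assumption) splits a bundle into PEM blocks, flags dangling or mismatched BEGIN/END lines, counts certificates and keys, and projects the combined total against the guideline:

```python
import re

CERT_KEY_LIMIT = 5000   # guideline from the known-issues list above

# One well-formed block: the END label must repeat the BEGIN label exactly.
_BLOCK = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)^-----END \1-----", re.S | re.M)
_BEGIN = re.compile(r"^-----BEGIN ", re.M)

def parse_pem_bundle(text):
    """Return (blocks, problems): blocks are (label, body) pairs, problems are findings."""
    blocks, problems = [], []
    for m in _BLOCK.finditer(text):
        label, body = m.group(1), m.group(2).strip()
        if not body:
            problems.append(f"empty {label} block at offset {m.start()}")
        elif "-----BEGIN " in body:
            problems.append(f"{label} block at offset {m.start()} swallows a later BEGIN line")
        blocks.append((label, body))
    unmatched = len(_BEGIN.findall(text)) - len(blocks)
    if unmatched:
        problems.append(f"{unmatched} BEGIN line(s) have no END line with the same label")
    return blocks, problems

def summarize_bundle(text):
    """Count what the bundle would add; encrypted keys are reported separately."""
    blocks, problems = parse_pem_bundle(text)
    labels = [label for label, _ in blocks]
    encrypted = sum(1 for label, body in blocks
                    if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body)
    return {
        "certificates": labels.count("CERTIFICATE"),
        "private_keys": sum(1 for l in labels if l.endswith("PRIVATE KEY")),
        "encrypted_keys": encrypted,
        "other_blocks": sorted({l for l in labels if l != "CERTIFICATE" and not l.endswith("PRIVATE KEY")}),
        "problems": problems,
    }

def check_inventory_limit(installed, summary, limit=CERT_KEY_LIMIT):
    """Projected certificate + key count after the load, compared with the guideline."""
    projected = installed + summary["certificates"] + summary["private_keys"]
    return {"projected_total": projected, "over_limit": projected > limit}

SAMPLE_BUNDLE = (  # constructed placeholders, not real certificates or keys
    "-----BEGIN CERTIFICATE-----\nMIIBplaceholderCertOne==\n-----END CERTIFICATE-----\n"
    "-----BEGIN PRIVATE KEY-----\nMIIEplaceholderKeyOne==\n-----END PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE-----\nMIIBplaceholderCertTwo==\n-----END CERTIFICATE-----\n"
    "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\n"
    "placeholderEncryptedKey==\n-----END RSA PRIVATE KEY-----\n"
)
```

Running summarize_bundle on the sample reports two certificates and two keys, one of them encrypted; feeding the summary and the current installed count to check_inventory_limit tells you whether the load would push the appliance past the 5000 guideline before the administration interface slows down.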

Dropped packets result in the rest of the flow no longer being decryptable in Passive-Passive mode. As this is
unavoidable in principle in any product, this is not something that can be fixed. Networks need to be
configured and sized to ensure that packets are not dropped.

Client certificates are in general not supported. In Passive-Passive mode, when the handshake is not modified,
and when they do not participate in the key exchange process, they are supported, to the extent that they are
skipped during decryption.

Systems are expected to be configured to always maintain the correct time by synchronizing time with a
Network Time Protocol (NTP) server. When manually moving the system time back by more than a few
minutes, the system needs to be rebooted.

If a link is down on the attached appliance ports, traffic may be disrupted on the main network ports.

NETSCOUT SYSTEMS, INC.
310 Littleton Road
Westford, MA 01886-4105
Tel. 978 614-4000
888-999-5946
Fax 978-614-4004
E-mail info@netscout.com
Web www.netscout.com

