What's New in 2.1

Version 2.1 of our product includes many new features and enhancements.

2.1.6 Modbus TCP to RTU Gateway

We’ve enhanced our Serial over IP (SoIP) feature with a Modbus TCP to Modbus RTU gateway. After configuring Modbus via the HIPswitch SoIP settings in Conductor, the HIPswitch will accept Modbus TCP commands from servers, issue the commands to serially-connected Modbus RTU device(s), and return the responses via Modbus TCP back to the server. The HIPswitch accepts pipelined requests from the server(s). This provides optimal efficiency for Modbus traffic in terms of throughput, latency, and number of messages as compared to transparent Serial over IP.

2.1.6 DHCP Relay

HIPswitches can now relay DHCP requests to a central DHCP server as an alternative to your existing DHCP server. This allows additional deployment flexibility where extended DHCP options are needed, or an existing DHCP server integrates with other systems such as Active Directory and DNS.
Note: When moving devices from one HIPswitch to a different one, the central DHCP server may issue the same IP address to the device, which could result in policy or routing conflicts depending on your network.

2.1.6 Wireless Underlay Failsafe

The HIPswitch Link Manager, introduced in version 2.1.0, intelligently monitors the health of the underlay connection, detecting when there are no options for the HIPswitch to connect to Conductor or peer HIPswitches. Link Manager is now enhanced to reboot the HIPswitch which may restore the wireless connection to a healthy state. Occasionally, changes made in the wireless provider network will drop or hang a cellular or Wi-Fi HIPswitch uplink in such a way that the modem cannot recover. Rebooting the HS will force the modem and cell tower or access point to renegotiate their connection; sometimes this restores a healthy connection. This behavior is on by default for wireless models, and can be disabled and configured per HIPswitch in the Conductor UI. You can configure the amount of time Link Manager waits to reboot the HIPswitch after first detecting underlay failure, and a minimum amount of time to wait between reboot attempts. By default, all wireless models enable this feature with a wait-to-reboot value of 10 minutes, and min-wait-between-reboots value of 30 minutes.

Note: See known issue DEV-9877 for additional information in reference to running a HIPswitch on the Microsoft Azure platform.

2.1.6 APAC Modem Support

The HIPswitch cellular expansion module SFF-MOD-MC7430 (PLF-0118-01) is now available for the HIPswitch 150, which includes the Sierra Wireless MC7430 modem for operation in Hong Kong, Macau, and Japan.
Note: Firmware release 2.1.6 is required to use this expansion module.

2.1.6 HIPswitch 250 Series Revision 2 Support

The HIPswitch 250 Revision 2 is now available and includes the following SKUs:
  • HIPswitch 250e (PLF-0062-02)
  • HIPswitch 250g (PLF-0066-02)
  • HIPswitch 250gd (PLF-0111-02)

Revision 2 provides improved SFP compatibility, modem watchdog support, and improved modem carrier compatibility.

2.1.6 Wired Interface Support for Android

The HIPclient for Android now supports wired ethernet connectivity.

2.1.6 Tag integration with HIP invitations

You can now specify tags for HIP invitations, which apply to HIP services as they activate. This makes it easy to organize newly-activated HIP services and, when combined with smart device groups, automatically give them communications policy in overlay networks.

2.1.6 Longer HIPswitch UIDs

HIPswitches which are licensed with a 2.1.6 or higher firmware may generate a longer serial number portion of the UID (up to 20 characters), compared to the previous 12 characters. HIPswitches licensed from a previous release will not change their UID.

2.1.5 FIPS

Tempered Networks now offers FIPS 140-2, based on the HS-500 and Conductor-500 platforms. With FIPS, private keys are stored on the FIPS-certified HSM (hardware security module). The HSM performs all cryptographic operations. For this added key security, performance may be noticeably slower in terms of data plane throughput and firmware update processing. Redundant HA FIPS is not supported at this time.

2.1.5 Improved time management

NTP sync is now configurable from the Conductor. Various improvements have been made to ensure the Conductor and HIPswitch times remain closely synchronized, eliminating time-drift.
Note: We recommend pointing your HIP-enabled servers and clients to the same NTP Time source to ensure proper synchronization.

2.1.5 HIPswitch 75w Series

We now offer the HIPswitch 75 Series with a built-in Wi-Fi module. Software version 2.1.5 does not currently provide WiFi LED status on the outside of the unit, but the WiFi uplink functions correctly. This will be addressed in a future release.

2.1.5 HIPswitch 150e Series

We now offer the HIPswitch 150e base platform, suitable for ICS and SCADA environments and includes 4x Gig-E and 1x SFP port, 1x micro-USB console port, and can be powered by PoE or external single- or dual-power supply. The HS-150 can sustain 75 Mb/s, and burst up to 100 Mb/s. This new platform supports field-upgradeable expansion modules.

2.1.5 HIPswitch 150 Series cellular module

This release supports a cellular expansion module suitable for North American cell carriers, which accepts 3FF Micro SIM cards. ATT, Verizon, T-Mobile, Rogers, and Telus have been field-tested at the time of this release.

2.1.5 HIPswitch 250 Series single- and dual-modem automated recovery

We added an internal watchdog monitor for cell carrier uplink connections. If a HIPswitch cannot connect to Conductor via any means, then occasionally (approx. once per day) it will perform a full reset, which may re-establish the carrier connection in certain environments. This will only occur when the HS-250 has no means of reaching the Conductor or peer HIPswitches.

2.1.5 HIPrelay bandwidth reporting

It is now possible to view the bandwidth of relayed connections between HIP Services in Conductor! An extra tab will appear in Conductor at HIPservice > Reporting > HIPrelay Stats for each HIPrelay. These statistics provide visibility into your network utilization with full-color, layered bandwidth graphs. They are also useful for troubleshooting underlay network relayed connection issues.

2.1.5 Service-specific CPU and memory reporting

For 2.1.5 and above, your HIP Services will report resource utilization more granularly, and you will be able to see this diagnostic information in HIPswitch > Reporting > Graphs.

2.1.5 Headless install for Windows HIPclient and HIPserver

You can now perform non-interactive installations of the Windows 7 HIPclient or HIPserver using Microsoft’s System Center Configuration Manager (SCCM). Previous releases required manual acknowledgment by an administrator to complete the installation of an unsigned network tap (TAP) driver on Windows. We have patched the driver and obtained Microsoft certification, so this step is no longer necessary.

2.1.5 Tags public API

All basic tagging capabilities released in software version 2.1.4 are exposed in the public API. This includes the ability to index the tags, set or unset tags on taggable objects, such as devices, device groups, HIP Services, HIPservice groups, networks, and people. You can manage tags, retrieve various objects by tag, manage tag expirations, and perform other tag-based actions on several taggable objects at once. Advanced tag management, such as using tags in smart device group rules, or managing monitor event-actions that manipulate tags, will be added in a future release.

2.1.5 Custom CA alerts & public API

Though technically possible, it was difficult to use a non-Airwall CA at scale with your Conductor and Airwall Edge Services. Prior releases required you to manually copy/paste each CSR and cert from the Conductor GUI. Now you can automate the process using new public API calls. This enables a scriptable, scalable Conductor-centric workflow. Also, an admin alert is created in Conductor when custom CA certs are near expiration.

2.1.4 Airwall Agent for Android

With this release, the Airwall Agent is available for Android. Your Android devices can now natively connect to your Airwall overlay, giving them a trusted and verifiable connection wherever you are. Multiple profiles allow you to easily switch between different Airwall overlays as needed.

2.1.4 Improved Conductor UI Navigation

Several UI elements have been redone to improve navigation:
  • Conductor settings are now accessed from the gear icon in the upper right corner of the UI.
  • The logged in user profile, API docs, EULA, and sign-out are accessed from the user account icon in the upper right corner of the UI.
  • Item names in many lists throughout the UI now actively link to properties pages and dialogs. This greatly simplifies navigation between related elements.

2.1.4 Tags

Tags provide flexible asset management in the Conductor. Devices, Device Groups, Airwall Gateways, Airwall Groups, Overlay Networks, and People can be tagged directly. The Tag information dialog allows you to Navigate directly to any tagged item, perform bulk Actions (Enable, Disable, or Untag tagged items), and edit Properties. Items can be tagged permanently or until you untag them. You can also set an expiration date, which will untag a component after a configurable period of time. You can create tags from the Tags page, access from the tag icon in the upper right corner of the UI.

You can also create tags inline while modifying an item’s tag members by entering a new tag name and select colors for easy classification. Tags have been integrated into searching and filtering throughout Conductor.

Tags can be used in matching rules to greatly simplify Smart Device Groups. They can also be added to or removed from taggable items in Event Monitor Actions, which allows monitor results to affect overlay network policies. By using tags with these features, you can optimize your workflows. For example, you can create temporary network policies for specific devices, easily revoke policy directly from devices or HIPswitches without having to navigate to a network, and allow multiple admins to keep track of their assets in a single Conductor.

2.1.4 Relay Probes

An Airwall Gateway with this option selected periodically sends probe packets to all of its relays, and use the closest relay when initiating secure tunnels. This reduces the amount of network traffic used to build new tunnels, and allows auto-connect to be turned off. You can find this option in the Advanced settings section of a HIPswitch's settings page.

2.1.4 Conductor Diagnostics

Similar to diagnostics offered for Airwall Gateways, the Conductor now has a set of maintenance and diagnostic functions consolidated under the Diagnostics tab of the Settings page. These include Creation or Restoration of a DB Backup, downloading a Conductor support bundle, and viewing a Conductor diagnostic report. Network diagnostics allow you to generate a packet capture on the Conductor interface, ping, and traceroute.

2.1.3 The Airwall 75 Series

The Airwall 75, released with 2.1.3, is designed for medical devices, point of sale systems, and others like building automation controls. It securely connects and protects those endpoints across all networks with little to no change to existing infrastructure. The 75 plug and play design makes universal connectivity and segmentation simple, fast, and cost-effective.

2.1.3 Airwall Agent for Linux

With this release, the Airwall Agent is now available for Linux. Your Linux devices now can natively connect to your Airwall overlay, giving them a trusted and verifiable connection wherever you are. Multiple profiles allow you to easily switch between different Airwall overlays as needed.

2.1.3 New platform support for Microsoft Azure and Google Cloud

You can now create, manage, and retire Microsoft Azure and Google Cloud HIP Services directly from the Conductor UI.

2.1.3 Support for offline Conductor licensing

We have added support to allow Conductors without access to the public Internet to complete voucher and provisioning requests with our licensing and provisioning server. You can export a sync package, send it to Tempered Networks Support, and import a file containing your licenses back in to your Conductor from a drop-down on the Settings > Licensing tab.

2.1.3 New API token system and improved token management

We have updated the API to make tokens more secure. All API requests now require two headers:
  • X-API-Client-ID is unique by user and can be found on your user preferences page
  • X-API-Token is generated from your user preferences page. This token is secret, so if you lose it, you must generate a new one. Whenever you refresh your token, all previous tokens will be expired.

The client ID and a refreshed secret token may also be acquired via the API using basic authorization at/api/v1/token/generate. Please refer to the API documentation for details.

Note: The X-Person-Email and X-Person-Token headers are deprecated and no longer function.

2.1.3 New network creation wizard

New in this release is the ability to quickly create a hub-and-spoke or full mesh network using a simple, wizard-driven UI.

2.1.2 The HIPswitch 250 Series

The Airwall 250 Series is our newest hardware product and the industry’s first identity-based industrial IoT gateway for Industrial Control Systems, OT, SCADA, and critical infrastructure. The Airwall 250 includes highly available uplinks over ethernet and up to two different cellular carriers, all actively monitored using fast failover and the ability to prioritize across both cellular and wired links. It also provides 8 x 1 Gbps and 4 x SFP (fiber or copper) with PoE, eliminating the need for ethernet switches and additional power sources. The HIPswitch 250 can also act as a HIPrelay, a feature introduced in version 2.0 of our software.

2.1.2 Airwall Agent for macOS and iOS

With this release, the Airwall Agent is now available for macOS and iOS. Your devices now can natively connect to your IDN overlay, giving them a trusted and verifiable connection wherever you are. Multiple profiles allow you to easily switch between different IDN overlays as needed. Additionally, integration with Airwall Relay gives you seamless and secure mobility for your computers running Apple's macOS and your devices running iOS.

2.1.2 Link Manager

Link Manager supports all cellular platforms, including our new Airwall 250 Series, providing uplink redundancy and intelligent monitoring for one wired and two cellular uplinks. Dynamic switching occurs based on which port provides the best performance. Default monitors can be customized with your own destinations.

2.1.2 Integration with AWS

You can now create, manage, and retire AWS Airwall Edge Services directly from the Conductor. After creating a template, you can easily create more HIP Services to function as HIPrelays or protect virtual machines in your VPCs.

2.1.2 HIP Invitations

Airwall Invitations, a new feature in 2.1, allows you to add mobile phones, tablets, and computers running a Airwall Agent or Airwall Server to your Airwall solution by sending the user an email containing an invitation. When the user accepts the invitation, the Conductor automatically takes care of all the steps to provision, license, manage, name, group, and create policy for the new Airwall Agent or Airwall Server without manual steps by the administrator. Airwall Invitations can be sent in bulk to entire organizations, and the Conductor will handle the rest.

2.1.2 Improved alerts and monitoring

In this release we added additional monitors, such as the HTTP GET monitor that allows you to parse web responses from devices in an overlay. Monitors have been expanded to support device groups and HIPservice groups. The event history graphs will now display frequently or recently triggered monitors.

2.1.2 Improved performance

We made significant performance improvements across the board for all platforms, with virtual Airwall Gateways and the Airwall 400 roughly doubling in performance.