Skip to content

Version 10.3


This is an old version. We strongly recommend upgrading your appliance to the latest version to ensure optimal performance and security.

Upgrading to the latest version provides enhanced security features, bug fixes, and overall improvements, safeguarding your system against potential vulnerabilities.

Version 10.3.15

Application Control

Introduce a software fix to prevent system failures (kernel panics) when malformed packets occur.

Version 10.3.14

E-mail Services

Move e-mails containing ".rar" attachments to the quarantine queue if they match a blocked extension filter.

Reporting and Statistics

  • Include SSTP server logins in the Remote Access reports.
  • Show collectd errors in the full event log.


  • Improve the PAX and OpenVPN server documentation.
  • Update the certificate hint in the IPsec server configuration page.

Reverse Proxy

  • Update the copyright notes in the Session Management login page.
  • Update the certificate hints in the reverse proxy server configuration pages.

System Administration Tool

Remove obsolete product items from the License > General page.

Version 10.3.13

Administrator Tool

Fixed the 'Operation Not Permitted' message when using the ping network utility under Network -> Tools -> Ping.

Allow system administrators to configure IP addresses with a /31 subnet for network devices.

Add a description field to facilitate the management of computers in the network.

Reverse Proxy

Fix RDG broken pipe errors and related system performance issues. The client/server socket write channel will now remain open as long as there is outstanding data.

VPN Services

Increase the maximum number of concurrent VPN connections for PPTP, SSTP and L2TP.

Web Access

Correct the handling of Kerberos authentication failures for the proxy server, preventing the invocation of an excessive number of 'negotiate_kerberos_auth' helpers.


Improve the general responsiveness of the webmail service when used by a large amount of concurrent users.

Version 10.3.12

Clarified instructions in License Wizard

The license wizard allows system administrators to upload a system license to the AXS Guard appliance, which is required to get it to full operational, in-service status.

The wizard now contains clearer instructions to guide administrators through the entire licensing process.

New authentication policies for VPN services

A second authentication factor can now be used in combination with one-time passwords generated by OATH (Google or Microsoft) authenticators.

DIGIPASS tokens already offered this possibility in the form of a PIN. However, this option was not available for users with an OATH authenticator.

To further strengthen the authentication process and allow greater flexibility in the deployment of strong authentication for VPN access, new authentication policies are now available for PPTP, L2TP and SSTP.

The 'PasswordAndOATHOrDIGIPASS' policy requires users to log in with their password and a one-time password generated by their OATH authenticator or DIGIPASS token.

The 'PasswordAndOATHorPasswordAndDIGIPASS' policy requires users to log in with their password and a one-time password generated by their OATH authenticator or with their password and a one-time password generated by their DIGIPASS token.

System Dashboard improvements

New badges have been introduced to indicate the status of various feature licenses. While hovering over them, more detailed license information will appear automatically.

A widget showing blocked users and hosts has also been added. This widget allows system administrators to unlock accounts and unblock hosts with greater ease, while providing additional details about the listed items.

Various VPN Fixes

The OpenVPN topology has been changed so that the full virtual IP range is available for VPN clients.

The number of pseudo-terminal devices for PPP tunnels has been increased to avoid client 'port' failures.

IP addresses allocated to clients by SSTP are now freed correctly after SSTP clients disconnect. This prevents premature depletion of the IP address pool.

Version 10.3.11

AXS Guard SSL Proxy Feature Release

The SSL filtering feature is no longer in its experimental phase and is now available for customers with a Premium Content Scanning license.

Information and configuration instructions pertaining to this new feature are available on this website (see system administration > web access).

Contact to upgrade your existing content scanning license or to purchase a new license.

Fix SSTP Authentication Failures Make AXS Guard wait for LCP configuration requests from clients, rather than initiating them on the server side.

This avoids a race condition in (samba) PPP causing LCP configuration requests to stop prematurely and fail due to authentication proposals that were perceived as invalid.

Fix Firewall Policy Rendering Issue In some cases, very long firewall policy descriptions caused the browser to hide other policy data. The readability of the firewall policy page has been improved and the issue has been resolved.

Version 10.3.10

Transparent Proxy for SSL Inspection

Transparent proxies are commonly used to prevent users from abusing or bypassing company web access policies and to ease administrative burden, since no client-side browser configuration is required.

SSL Inspection can now be enabled transparently. If enabled, client traffic towards TCP port 443 will be intercepted and redirected to port 3130 for further processing.

For this to work seemlessly, the CA certificate used by the SSL proxy must be added as a trusted root CA on all clients that will be scanned.

Note that certain web applications may not function properly when decrypted. You may also want to exclude certain domains and networks for any other reason, including legal or privacy reasons, e.g. sites which provide online banking services.

For this purpose, the AXS Guard cloud service provides a global SSL exception list which will be available on all systems with a Premium Content Scanning license. We highly recommend using this list for best performance and results.

System Dashboard Improvements

All widgets will show dummy data when the dashboard is being loaded to avoid reported flickering and layout issues.

The basic system load information on the dashboard has been replaced by a more detailed system load graph, showing various system loads over time.

Version 10.3.9

Gradual rollout of the new SSL Inspection feature

Over the last few years, many popular web sites including Google, Youtube, Reddit and Facebook have started enabling HTTPS encryption by default.

This means that without configuring SSL inspection, proxies have limited filtering, monitoring and logging capabilities.

In this new version, we implemented support for man-in-the-middle SSL filtering, which will allow system administrators to more effectively control and monitor web traffic passing through the AXS Guard proxy server.

System Dashboard Improvements

The AXS Guard system dashboard represents key performance indicators and metrics and is constantly reworked based on customer feedback.

A tooltip showing IPsec tunnel status information has been added to the system dashboard to improve the user experience.

Personal AXS Guard logs are now grouped per client, allowing system administrators to locate various client logs with greater ease.


DNS over HTTPS is problematic for the analysis and monitoring of DNS traffic for cyber security purposes, as it can be used to bypass company content-control software and DNS policies.

Firefox implemented a mechanism to automatically disable or enable DNS over HTTPS based on a canary domain. This canary domain is enabled by default on AXS Guard to block DNS over HTTPS.

Also see the KB article on this site, which covers all client implementations (Knowledge Base > Networking).

Version 10.3.8

Export system metrics to AXS Guard cloud

Some important system metrics have been made available in the AXS Guard cloud so system administrators can easily access vital information pertaining to all their deployed systems in a secure fashion.

Add option to set SMTP authentication policy

AXS Guard can be intergrated into an Office 365 environment to scan all incoming and outgoing mail traffic for malicious content and viruses.

To allow AXS Guard to also scan outgoing messages, mail clients must be configured to use the AXS Guard SMTP server instead of the Office 365 SMTP server.

This will ensure that all outgoing mail traffic is logged by AXS Guard and that its mail policies can be enforced.

The new option allows system administrators to restrict user access to protect the AXS Guard MTA against brute-force attempts and to implement a more strict TLS policy.

Disable IP forwarding when license is expired

AXS Guard will automatically put itself in "safe mode" when its license expires. As the system will no longer be able to download critical software updates without a valid license, all Internet traffic will be blocked for security purposes.

Version 10.3.7

New System Dashboard

In the first version of the new dashboard, we represent the same data of the "old dashboard" using new and interactive widgets.

For the sake of convenience, the former dashboard can still be accessed.

The AXS Guard dashboard will remain a focus for improvement; administrators can expect a lot more interesting widgets and functionalities in the near future.

Previous versions

Various improvements and software fixes

Versions 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5 and 10.3.6 contain small feature changes and software fixes to improve the overall quality, stability and reliability of the AXS Guard appliance.

Contact for details.


New Dashboard

The AXS Guard system dashboard has been reworked extensively to better represent key performance indicators and metrics.

In the first version, we represent the same data of the "old dashboard" with new and interactive widgets. For the sake of convenience, the former dashboard is still easily accessible.

In the next iteration, extra widgets will be added to adequately respresent information about the system’s disk usage, the status of IPsec tunnels and VPN client connections.

The AXS Guard dashboard will remain a focus for improvement; administrators can expect a lot more interesting widgets and functionalities in the near future.

Microsoft Azure

AXS Guard is now available as a cloud platform in Microsoft Azure. With this PaaS (platform as a service) solution, organizations can safely build and host Microsoft-based products and configurations in their data centers.

The AXS Guard UTM virtual appliance is available in the Microsoft Azure Market place, the online store that offers applications and services either built on or designed to integrate with Microsoft’s Azure public cloud.

AXS Guard provides improved Azure cloud data access security by leveraging its multi-layered defense that crosses network, VPN, e-mail, web and content security. Hence you can easily and securely extend your on-premise hosted data and services to the Azure cloud.

From the Azure Market place, AXS Guard UTM virtual appliances can be easily set up with just a few clicks and deployed in a matter of minutes. Remember the public IP address of the newly deployed virtual machine, and use it in a web browser to access the AXS Guard configuration tool where you can start the configuration wizards to complete the setup process.


The AXS Guard documentation is constantly updated to reflect the various changes and improvements in the software and the product as a whole. Documents are available in PDF and HTML.

The following AXS Guard manuals have been updated:

  • System Administration Guide

  • Installation Guide (Getting started)

  • Personal AXS Guard Server Guide

The following manual has been added:

  • Personal AXS Guard Industrial all-in-one Guide


Microsoft Azure Ready

The AXS Guard virtual appliance can now be easily deployed from within the Azure Market place to operate on the Microsoft Azure platform. AXS Guard integrates the Microsoft Azure Linux Agent which manages provisioning and Virtual Machine interaction with the Azure Fabric Controller.

Office 365 Fast Lane

According to a Computable Magazine article of 17 June 2019: "Office 365 issues with legacy networks" - excessive network latency causes major delays in Office 365 implementations. Additionally, 63% of 250 surveyed companies agree that project collaboration in an Office 365 environment suffers from network-related problems.

As a response to these complaints, Microsoft recommended its "ExpressRoute" solution, which allows companies to optimize their connection speeds for Microsoft cloud services. However, this solution is rather expensive and complex to configure, making it often prohibitive for SMEs.

This is why AXS Guard developed the "Office 365 Fast Lane" solution, a cheaper alternative that is technically similar. The solution consists of a simple setup wizard which allows system administrators to correctly configure firewall, security and other Office 365 network settings in no time.

This way, employees can benefit from faster, optimized Office 365 connection speeds and profit from the increased responsiveness of frequently-used Office 365 applications.

Optimal network speeds are calculated in function of the total available Internet bandwidth, which is automatically measured by AXS Guard. After completing the wizard, users will immediately notice the result.

E-mail filtering incorporates Google Safe Browsing

Google Safe Browsing helps to protect users on the internet against malicious sites by showing warnings when they attempt to visit such sites or download dangerous files.

AXS Guard integrates Google Safe Browsing as an extension to its adaptive e-mail filter. Every URL present in e-mails is processed by the AXS Guard cloud URL threat protection service (CTRS) using Google’s Safe Browsing technology. Messages containing potentially dangerous URLs will be marked as unsafe and quarantined.

Dynamic hostnames in IPsec tunnel definitions

Traditionally IPsec site-to-site tunnel definitions require fixed IP addresses for host identification and policy matching. In order to support IPsec tunnels for sites where one side has a dynamic IP address, AXS Guard can now be configured with a template or wild-card definition to accept any connection with the right credentials. Security-wise this is not an optimal solution. Furthermore it can cause a lot of unwanted log entries originating from unknown connections.

To address this issue, AXS Guard now supports the use of dynamic (DNS) hostnames, making tunnels definitions more secure. Every time a tunnel is (re)started, a DNS lookup of the hostname is performed to determine the IP address to connect to. When the tunnel collapses because one side changed its IP address, the tunnel is re-established automatically when that side updates its dynamic DNS entry with the new IP address.

Lists of local and remote subnets in IPsec tunnel definitions

IPsec site-to-site tunnels definitions share one local subnet with one remote subnet. In case that many local subnets have to be shared with possibly many remote subnets, multiple tunnel definitions have to be configured separately for each subnet sharing the same IPsec MAIN mode.

System administrators can now specify a list of local and remote subnets. This reduces configuration overhead and also simplifies IPsec VPN status management.

Personal AXS Guard Industrial AIO

The Personal AXS Guard portfolio of products has been extended with a new type of hardware geared towards industrial applications. The brand new Personal AXS Guard Industrial all-in-one device is based on an x86 64bits platform with two ethernet ports (LAN and WAN), an optional wireless-N adaptor, mSATA storage and is rack-mountable (DIN rail).

Create a new Personal AXS Guard client and select the AG-I122 (Industrial all-in-one) hardware type for an optimal configuration.