Skip to content

Release Notes

AXS Guard Versions

The release notes contain information about new product features, improvements, known issues and bug fixes for each release. The individual software components are documented in the product manuals section. Carefully review the notes below to avoid configuration difficulties.

Version 10.4

Version 10.4.12

Various improvements and software fixes

  • E-mail

    • Bug #92105: Fix domain masquerading.
  • Configuration Tool

    • Bug #0bd10e4ef: Fix visual glitch in certificate export labels.
    • Bug #ae4a0a306: Fix visual glitch in tool access type labels.
Version 10.4.11

HTTP Reverse Proxy Access Control

System administrators now have the possibility to restrict access to applications and services based on the IP address of the remote client. This is especially useful for applications and websites where user authentication is not enforceable or desired.

OpenVPN System Legacy Options

The following options have been relocated in the OpenVPN Server configuration screen:

  • Allow Deprecated Ciphers
  • Use small Subranges
  • Accept Compressed Data

Note that these options are only present for legacy reasons, i.e. to support outdated client software and/or obsolete OpenVPN configurations. The use of obsolete server and client options is insecure. System administrators should upgrade old OpenVPN client software and configurations ASAP.

Personal AXS Guard

The PAX diagnostic tool has been refactored and improved, so system administrators can identify problems and detect network issues more easily.

Various improvements and software fixes

  • E-Mail

    • Bug #91274: Keep original From-address when it doesn't contain a domain name.
    • Bug #92041: Correctly deliver Virus E-mail notifications when multiple System Administrator E-mail Addresses are configured.
    • Bug #91920: Only include E-mail domains in mail configuration when E-mail transfer feature is enabled.
    • Rfe #92081: Validate the response code of the real time blacklist lookups to prevent false positives.
  • Firewall

    • Rfe #91052: Add static policy and forward rule to allow communication with EDR.
  • High Availability

    • Bug #90871: Service failed to start when DHCP device failed to obtain a lease.
    • Rfe #90372: Disable automatic updates.
  • OpenVPN

    • Bug #86617: Include login attempts of users with no OpenVPN access in the authentication summary log.
    • Rfe #90873: Add checkbox to disable 'Receive compression'. It's recommended to disable this option but this requires distributing new configurations files to all clients.
    • Rfe #90872: Add checkbox to remove the - deprecated - cipher option from client configuration files. It's recommended to disable this option but this requires all OpenVPN users to use OpenVPN 2.4+.
  • Proxy

    • Bug #88401: Only allow users that are configured on the AXS Guard to authenticate using Kerberos.
  • Reporting

    • Rfe #86826: Group similar reject reasons in the E-mail reports.
  • Reverse Proxy

    • Rfe #187a1e: Verify if configured port is available during a system configuration check.
    • Rfe #f4ae84: Show warning when the configured certificate is expired.
  • SSTP

    • Rfe #85379: Extend the SSTP validation to detect configuration conflicts.
  • Tool

    • Bug #91241: Clear the 'changed' flag after restoring a backup.
    • Rfe #85548: Fine-tune 'Port already in use' errors.
    • Bug #87549: Reduce number of validation errors when an invalid authentication policy is configured.
    • Bug #90333: Correct information-links of IPS Rules.
    • Bug #86482: Fix for excluding a previously included IPS rule.
    • Rfe #91226: Update title of the IPS Rules page.
    • Rfe #87331: Enhance IPsec Status page when no tunnels are configured.
    • Rfe #86203: Include the blocked reason when viewing a quarantined e-mail.
    • Bug #87867: Correct invalid link on Personal AXS Guard status page.
    • Rfe #86825: Add a scrollbar in the legends of Web Access and E-Mail reports.
    • Rfe #91794: Speed-up loading of DHCP used leases overview.
    • Rfe #90801: Include device description in Device Statistics.
Version 10.4.10

Trend Micro Antivirus

Resolve Bug #130743 - Antivirus : Ensure only one instance of trophie is running after upgrade to 10.4.9.

Prevent more than one trophie process to accept new connections for antivirus processing in order to avoid the use of outdated pattern files and HA failover issues.

On HA systems, failovers will not succeed as only one trophie process is terminated while others still hold references to the trophie socket residing on the DRBD filesystem. As long as this socket continues to exist, the DRBD filesystem will fail to unmount, stalling the HA failover.

Version 10.4.9

Antivirus Protection

  • Web Access
    • Bug #92003 - Antivirus : Remove application/pdf from HAVP skip mime list.
    • Bug #92001 - Antivirus : Update HAVP to version 0.93.7 with ICAP quick-process loop fix and preview support.
Version 10.4.8

Advanced Threat Protection for all web traffic

The AXS Guard premium content scanning license has been updated to support advanced threat intelligence and content scanning for HTTP and HTTPS traffic. To use this feature, simply enable the 'Advanced Threat Protection AXS Guard Cloud - Web' option in the Feature Activation page of your appliance.

Personal AXS Guard

PAX clients are sometimes used in environments where access to the Internet is restricted and where you cannot simply change firewall settings for outbound connections. An option to traverse restrictive firewalls has been implemented to facilitate connections for any PAX unit that is sitting behind a corporate firewall which is beyond your control. This new 'Support HTTPS Firewall Passthrough' option can be found in the PAX > Server page.

Various improvements and software fixes

  • PAX

    • Bug #91414: Fix race conditions and deadlocks in the PAX client management service, which caused delays and/or unexpected client disconnects.
  • Web Access

    • Bug 3b2eaa9fe5: Fix high CPU usage spikes by disabling partial (un)locking when scanning Microsoft Cabinet (.cab) files with ClamAV.
  • Documentation & context-sensitive help

    • All PDF documents have been replaced with a link to the online documentation.
    • Add context-sensitive help for new PAX firewall traversal option.
Version 10.4.7


AXS Guard now features an OpenVPN Access Server which facilitates the rapid deployment of secure remote access for OpenVPN users. The OpenVPN Access Server is fully compatibile with the OpenVPN Connect Client, which is freely available for Windows, Android and iOS.

With this client, users can easily download and import their OpenVPN configuration and certificate via a secure connection to the AXS Guard Cloud. This new feature considerably alleviates administrative burden for system administrators, as they no longer have to manually distribute OpenVPN certificates and configuration files to authorized users.

Various improvements and software fixes

  • Blocklists

    • Bug #90466: Extend backup with blocklists configuration.
  • Network

    • Rfe #90903: Upgrade network speed test.
  • Reports

    • Rfe #90319: Increase visbility of system reports.
  • Reverse Proxy RDG

    • Bug #90929: Fix issues with some characters in backend password.
  • System

    • Rfe #1d658c44b2: Upgrade OpenSSL library.
    • Rfe #90847: Also perform time synchronization when there is a large time drift.
    • Rfe #90392: Add support for TLSv1.3.
Version 10.4.6

Various improvements and software fixes

  • edb946ddc7: Remove syntax errors in RADIUS configuration when secrets contain spaces or quotes.

  • cf248bf44d: Remove DIGIPAS API models from backup validation to eliminate error messages on systems without licensed tokens.

  • 19a4b8889b: Remove DIGIPASS API login and registration background jobs when the DIGIPASS feature is no longer used.

Version 10.4.5

Various improvements and software fixes

  • Defect #90711: Change the default service port of the DIGIPASS App server to avoid port conflicts.

  • Rfe #125917: Optimize the activation of all IP address lists at boot time, in order to speed up the boot process on slower systems. This means a considerable reduction of the total boot time from a little over 6 mins to just about 6 seconds.

  • Rfe #84772: Collect all SSTP VPN log messages into a single file for a better user experience. The updated log consists of relevant HTTP reverse proxy entries, SSTP server and PPP events.

Version 10.4.4

Various improvements and software fixes

  • Rfe #90764: Fine-tune e-mail security checks for whitelisted e-mail addresses.
  • Rfe #90765: Automatically disable anti-spoofing for VPN clients.
  • Rfe #90753: Reduce excessive logging in Webmail error logs.
Version 10.4.3

Various improvements and software fixes

  • Rfe #89897 IPsec: Add default IKE profiles for SHA-256.
  • Rfe #133d575c E-mail: Include the reason why spam was deleted by AXS Guard (extra column in 'deleted spam' overview).
  • Rfe #89192 E-mail: Improve anti-spoofing capabilities.
  • Rfe #82697 Directory Services: Disable users on AXS Guard when they are disabled in the LDAP backend.
Version 10.4.2

Application Control

Introduce a software fix to prevent system failures (kernel panics) when malformed packets occur.

Virtual AXS Guard

Added support for oVirt, an open-source distributed virtualization solution.


Added new functionality to the Intrusion Prevention System to automatically detect whether a system CPU supports SSSE3, a SIMD instruction set created by
Intel (for increased performance).


Ignore the IP address of a DHCP device during the validation of a static route.

Reverse Proxy RDG

A new authentication policy was added, which supports logins with a back-end password, followed by a one-time password generated with either an OATH or DIGIPASS token (back-end password + OATH or DIGIPASS).

Version 10.4.1

Various improvements and software fixes

Version 10.4.1 contains various software fixes to improve the overall quality, stability and security of the AXS Guard appliance.

Contact for additional information.

Strong Authentication with Push Notifications for Web Applications

The AXS Guard reverse proxy now supports Push Notification Authentication.

Push Notification Authentication enables user authentication by sending a push notification directly to the user’s smartphone, alerting them that an authentication attempt is taking place.

Users can now use their mobile devices as the second required factor for secure two-factor authentication; there is no need for client-side tokens or additional devices.

When users log into a secured web application, they will automatically receive an authentication request based on their username. Users can then view the authentication details and approve or deny access, via the simple press of a button.

To use this feature, you need the mobile application, which can be personalized and branded according your requirements, a DIGIPASS server license, the AXS Guard Enterprise bundle and a web application to be secured.

Please note that in order to use this feature, some custom development is required. Contact for more information.

Firewall Geo-blocking

Geo-blocking is a technology which limits Internet traffic based on geographic location. You determine whether users can access your network or application based on their specific location.

This new feature allows system administrators to easily block malicious traffic - such as automated cyberattacks & port scanners - coming from unauthorized locations. It can also be used to prevent users from accessing potentially dangerous and questionable services hosted abroad.

Geo-blocking is an effective tool to prevent your system logs from being flooded with unnecessary information and eases administrative burden.

AXS Guard NTP Cloud Service

A precise time is necessary to be able to efficiently compare log files between various IT systems, for example in the event of a security incident. Many AXS Guard services, such as 2FA, Kerberos and scheduled tasks also rely on a precise time.

AXS Guard has gone through the validation process and is now officially part of the global NTP network.

NTP stands for Network Time Protocol, and it is an Internet protocol used to synchronize the clocks of computers to some time reference. NTP is an Internet standard.

Reconfiguring the NTP settings of your computers is relatively easy. This setting can also be configured centrally so that you don’t have to manually reconfigure each and every individual computer in your network.

CEO Fraud Protection

CEO Fraud is a type of spear-phishing email attack.

Typically, attackers identify themselves as high-level executives (CFO, CEO, CTO, etc.), lawyers or other types of legal representatives and purport to be handling confidential or time-sensitive matters, attempting to trick staff into transferring money to a bank account they control.

The AXS Guard content scanning engine has been updated to detect and block such attacks more effectively.

System Updates and Improvements

EAP-MSCHAP v2 Support for SSTP Server

Support for the Extensible Authentication Protocol (EAP-MSCHAP v2) has been added to the AXS Guard SSTP server to improve security.

RDG Password Auto-learning

This reverse proxy feature already existed for HTTP back-ends, but has now also been implemented for Remote Desktop Gateways. It offers a better UX to end users and allows for a swifter integration of secure AXS Guard authentication methods, such as 2FA.

Network Connectivity Checks

Connectivity checking is a functionality which periodically tests whether the AXS Guard network interfaces still have connectivity or not. This option has been refactored in the web-based administrator tool for a better user experience.

OpenVPN and PAX Server

The server binding options have been refactored to improve the user experience. Administrators who are looking to (re)configure the PAX or OpenVPN service are now presented with a clear selection of binding options.

Semi-Persistent IP Addresses for OpenVPN Clients

The OpenVPN server has been updated to maintain a persistent list of IP addresses handed out to different clients. When a client reconnects at a later time, the IP address that was used previously will automatically be reassigned by the server.

Samba Updates

Samba is a standard Windows interoperability suite of programs used on AXS Guard. Various components of this suite have been upgraded to improve security for the following services:

  • System backups on network shares

  • Directory services & authentication (LDAP)


The AXS Guard documentation is constantly updated to reflect the various changes and improvements in the software and the product as a whole. Documents are available in the PDF and HTML format.

The following manuals have been added or updated:

  • AXS Guard Authentication Guide

  • AXS Guard Firewall Guide

  • AXS Guard OpenVPN Guide

  • AXS Guard PAX Installation Guide

  • AXS Guard Reverse Proxy Guide

  • AXS Guard System Administration Guide

  • AXS Guard SSTP Guide

The following KB articles have been added or updated:

  • AXS Guard WPAD Configuration

  • AXS Guard Remote Workspace

Version 10.3

Version 10.3.15

Application Control

Introduce a software fix to prevent system failures (kernel panics) when malformed packets occur.

Version 10.3.14

E-mail Services

Move e-mails containing ".rar" attachments to the quarantine queue if they match a blocked extension filter.

Reporting and Statistics

  • Include SSTP server logins in the Remote Access reports.
  • Show collectd errors in the full event log.


  • Improve the PAX and OpenVPN server documentation.
  • Update the certificate hint in the IPsec server configuration page.

Reverse Proxy

  • Update the copyright notes in the Session Management login page.
  • Update the certificate hints in the reverse proxy server configuration pages.

System Administration Tool

Remove obsolete product items from the License > General page.

Version 10.3.13

Administrator Tool

Fixed the 'Operation Not Permitted' message when using the ping network utility under Network -> Tools -> Ping.

Allow system administrators to configure IP addresses with a /31 subnet for network devices.

Add a description field to facilitate the management of computers in the network.

Reverse Proxy

Fix RDG broken pipe errors and related system performance issues. The client/server socket write channel will now remain open as long as there is outstanding data.

VPN Services

Increase the maximum number of concurrent VPN connections for PPTP, SSTP and L2TP.

Web Access

Correct the handling of Kerberos authentication failures for the proxy server, preventing the invocation of an excessive number of 'negotiate_kerberos_auth' helpers.


Improve the general responsiveness of the webmail service when used by a large amount of concurrent users.

Version 10.3.12

Clarified instructions in License Wizard

The license wizard allows system administrators to upload a system license to the AXS Guard appliance, which is required to get it to full operational, in-service status.

The wizard now contains clearer instructions to guide administrators through the entire licensing process.

New authentication policies for VPN services

A second authentication factor can now be used in combination with one-time passwords generated by OATH (Google or Microsoft) authenticators.

DIGIPASS tokens already offered this possibility in the form of a PIN. However, this option was not available for users with an OATH authenticator.

To further strengthen the authentication process and allow greater flexibility in the deployment of strong authentication for VPN access, new authentication policies are now available for PPTP, L2TP and SSTP.

The 'PasswordAndOATHOrDIGIPASS' policy requires users to log in with their password and a one-time password generated by their OATH authenticator or DIGIPASS token.

The 'PasswordAndOATHorPasswordAndDIGIPASS' policy requires users to log in with their password and a one-time password generated by their OATH authenticator or with their password and a one-time password generated by their DIGIPASS token.

System Dashboard improvements

New badges have been introduced to indicate the status of various feature licenses. While hovering over them, more detailed license information will appear automatically.

A widget showing blocked users and hosts has also been added. This widget allows system administrators to unlock accounts and unblock hosts with greater ease, while providing additional details about the listed items.

Various VPN Fixes

The OpenVPN topology has been changed so that the full virtual IP range is available for VPN clients.

The number of pseudo-terminal devices for PPP tunnels has been increased to avoid client 'port' failures.

IP addresses allocated to clients by SSTP are now freed correctly after SSTP clients disconnect. This prevents premature depletion of the IP address pool.

Version 10.3.11

AXS Guard SSL Proxy Feature Release

The SSL filtering feature is no longer in its experimental phase and is now available for customers with a Premium Content Scanning license.

Information and configuration instructions pertaining to this new feature are available on this website (see system administration > web access).

Contact to upgrade your existing content scanning license or to purchase a new license.

Fix SSTP Authentication Failures Make AXS Guard wait for LCP configuration requests from clients, rather than initiating them on the server side.

This avoids a race condition in (samba) PPP causing LCP configuration requests to stop prematurely and fail due to authentication proposals that were perceived as invalid.

Fix Firewall Policy Rendering Issue In some cases, very long firewall policy descriptions caused the browser to hide other policy data. The readability of the firewall policy page has been improved and the issue has been resolved.

Version 10.3.10

Transparent Proxy for SSL Inspection

Transparent proxies are commonly used to prevent users from abusing or bypassing company web access policies and to ease administrative burden, since no client-side browser configuration is required.

SSL Inspection can now be enabled transparently. If enabled, client traffic towards TCP port 443 will be intercepted and redirected to port 3130 for further processing.

For this to work seemlessly, the CA certificate used by the SSL proxy must be added as a trusted root CA on all clients that will be scanned.

Note that certain web applications may not function properly when decrypted. You may also want to exclude certain domains and networks for any other reason, including legal or privacy reasons, e.g. sites which provide online banking services.

For this purpose, the AXS Guard cloud service provides a global SSL exception list which will be available on all systems with a Premium Content Scanning license. We highly recommend using this list for best performance and results.

System Dashboard Improvements

All widgets will show dummy data when the dashboard is being loaded to avoid reported flickering and layout issues.

The basic system load information on the dashboard has been replaced by a more detailed system load graph, showing various system loads over time.

Version 10.3.9

Gradual rollout of the new SSL Inspection feature

Over the last few years, many popular web sites including Google, Youtube, Reddit and Facebook have started enabling HTTPS encryption by default.

This means that without configuring SSL inspection, proxies have limited filtering, monitoring and logging capabilities.

In this new version, we implemented support for man-in-the-middle SSL filtering, which will allow system administrators to more effectively control and monitor web traffic passing through the AXS Guard proxy server.

System Dashboard Improvements

The AXS Guard system dashboard represents key performance indicators and metrics and is constantly reworked based on customer feedback.

A tooltip showing IPsec tunnel status information has been added to the system dashboard to improve the user experience.

Personal AXS Guard logs are now grouped per client, allowing system administrators to locate various client logs with greater ease.


DNS over HTTPS is problematic for the analysis and monitoring of DNS traffic for cyber security purposes, as it can be used to bypass company content-control software and DNS policies.

Firefox implemented a mechanism to automatically disable or enable DNS over HTTPS based on a canary domain. This canary domain is enabled by default on AXS Guard to block DNS over HTTPS.

Also see the KB article on this site, which covers all client implementations (Knowledge Base > Networking).

Version 10.3.8

Export system metrics to AXS Guard cloud

Some important system metrics have been made available in the AXS Guard cloud so system administrators can easily access vital information pertaining to all their deployed systems in a secure fashion.

Add option to set SMTP authentication policy

AXS Guard can be intergrated into an Office 365 environment to scan all incoming and outgoing mail traffic for malicious content and viruses.

To allow AXS Guard to also scan outgoing messages, mail clients must be configured to use the AXS Guard SMTP server instead of the Office 365 SMTP server.

This will ensure that all outgoing mail traffic is logged by AXS Guard and that its mail policies can be enforced.

The new option allows system administrators to restrict user access to protect the AXS Guard MTA against brute-force attempts and to implement a more strict TLS policy.

Disable IP forwarding when license is expired

AXS Guard will automatically put itself in "safe mode" when its license expires. As the system will no longer be able to download critical software updates without a valid license, all Internet traffic will be blocked for security purposes.

Version 10.3.7

New System Dashboard

In the first version of the new dashboard, we represent the same data of the "old dashboard" using new and interactive widgets.

For the sake of convenience, the former dashboard can still be accessed.

The AXS Guard dashboard will remain a focus for improvement; administrators can expect a lot more interesting widgets and functionalities in the near future.

Previous versions

Various improvements and software fixes

Versions 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5 and 10.3.6 contain small feature changes and software fixes to improve the overall quality, stability and reliability of the AXS Guard appliance.

Contact for details.

New Dashboard

The AXS Guard system dashboard has been reworked extensively to better represent key performance indicators and metrics.

In the first version, we represent the same data of the "old dashboard" with new and interactive widgets. For the sake of convenience, the former dashboard is still easily accessible.

In the next iteration, extra widgets will be added to adequately respresent information about the system’s disk usage, the status of IPsec tunnels and VPN client connections.

The AXS Guard dashboard will remain a focus for improvement; administrators can expect a lot more interesting widgets and functionalities in the near future.

Microsoft Azure

AXS Guard is now available as a cloud platform in Microsoft Azure. With this PaaS (platform as a service) solution, organizations can safely build and host Microsoft-based products and configurations in their data centers.

The AXS Guard UTM virtual appliance is available in the Microsoft Azure Market place, the online store that offers applications and services either built on or designed to integrate with Microsoft’s Azure public cloud.

AXS Guard provides improved Azure cloud data access security by leveraging its multi-layered defense that crosses network, VPN, e-mail, web and content security. Hence you can easily and securely extend your on-premise hosted data and services to the Azure cloud.

From the Azure Market place, AXS Guard UTM virtual appliances can be easily set up with just a few clicks and deployed in a matter of minutes. Remember the public IP address of the newly deployed virtual machine, and use it in a web browser to access the AXS Guard configuration tool where you can start the configuration wizards to complete the setup process.


The AXS Guard documentation is constantly updated to reflect the various changes and improvements in the software and the product as a whole. Documents are available in PDF and HTML.

The following AXS Guard manuals have been updated:

  • System Administration Guide

  • Installation Guide (Getting started)

  • Personal AXS Guard Server Guide

The following manual has been added:

  • Personal AXS Guard Industrial all-in-one Guide

New Features

Microsoft Azure Ready

The AXS Guard virtual appliance can now be easily deployed from within the Azure Market place to operate on the Microsoft Azure platform. AXS Guard integrates the Microsoft Azure Linux Agent which manages provisioning and Virtual Machine interaction with the Azure Fabric Controller.

Office 365 Fast Lane

According to a Computable Magazine article of 17 June 2019: "Office 365 issues with legacy networks" - excessive network latency causes major delays in Office 365 implementations. Additionally, 63% of 250 surveyed companies agree that project collaboration in an Office 365 environment suffers from network-related problems.

As a response to these complaints, Microsoft recommended its "ExpressRoute" solution, which allows companies to optimize their connection speeds for Microsoft cloud services. However, this solution is rather expensive and complex to configure, making it often prohibitive for SMEs.

This is why AXS Guard developed the "Office 365 Fast Lane" solution, a cheaper alternative that is technically similar. The solution consists of a simple setup wizard which allows system administrators to correctly configure firewall, security and other Office 365 network settings in no time.

This way, employees can benefit from faster, optimized Office 365 connection speeds and profit from the increased responsiveness of frequently-used Office 365 applications.

Optimal network speeds are calculated in function of the total available Internet bandwidth, which is automatically measured by AXS Guard. After completing the wizard, users will immediately notice the result.

E-mail filtering incorporates Google Safe Browsing

Google Safe Browsing helps to protect users on the internet against malicious sites by showing warnings when they attempt to visit such sites or download dangerous files.

AXS Guard integrates Google Safe Browsing as an extension to its adaptive e-mail filter. Every URL present in e-mails is processed by the AXS Guard cloud URL threat protection service (CTRS) using Google’s Safe Browsing technology. Messages containing potentially dangerous URLs will be marked as unsafe and quarantined.

Dynamic hostnames in IPsec tunnel definitions

Traditionally IPsec site-to-site tunnel definitions require fixed IP addresses for host identification and policy matching. In order to support IPsec tunnels for sites where one side has a dynamic IP address, AXS Guard can now be configured with a template or wild-card definition to accept any connection with the right credentials. Security-wise this is not an optimal solution. Furthermore it can cause a lot of unwanted log entries originating from unknown connections.

To address this issue, AXS Guard now supports the use of dynamic (DNS) hostnames, making tunnels definitions more secure. Every time a tunnel is (re)started, a DNS lookup of the hostname is performed to determine the IP address to connect to. When the tunnel collapses because one side changed its IP address, the tunnel is re-established automatically when that side updates its dynamic DNS entry with the new IP address.

Lists of local and remote subnets in IPsec tunnel definitions

IPsec site-to-site tunnels definitions share one local subnet with one remote subnet. In case that many local subnets have to be shared with possibly many remote subnets, multiple tunnel definitions have to be configured separately for each subnet sharing the same IPsec MAIN mode.

System administrators can now specify a list of local and remote subnets. This reduces configuration overhead and also simplifies IPsec VPN status management.

Personal AXS Guard Industrial AIO

The Personal AXS Guard portfolio of products has been extended with a new type of hardware geared towards industrial applications. The brand new Personal AXS Guard Industrial all-in-one device is based on an x86 64bits platform with two ethernet ports (LAN and WAN), an optional wireless-N adaptor, mSATA storage and is rack-mountable (DIN rail).

Create a new Personal AXS Guard client and select the AG-I122 (Industrial all-in-one) hardware type for an optimal configuration.

Version 10.2

Secure Socket Tunneling Protocol (SSTP)

AXS Guard extends its offering of remote access solutions with support for the Microsoft Secure Socket Tunneling Protocol (SSTP), a VPN service that provides a mechanism to transport PPP traffic over an SSL/TLS channel.

SSL and TLS are cryptographic protocols designed to provide communications security over a computer network.

The use of SSL/TLS over TCP port 443 allows SSTP clients to pass through virtually all firewalls and proxy servers, except for authenticated web proxies.

The SSTP server can be configured to enforce strong authentication, which is capable of blending different authentication factors and/or types for increased security.

The AXS Guard reverse proxy manages the SSTP server as a separate application, allowing administrators to share the same external IP address and port with other applications and services.

See the official Microsoft documentation for additional information about SSTP.


The AXS Guard documentation is constantly updated to reflect the various changes and improvements in the software and the product as a whole. Documents are available in the PDF and HTML format.

The following manuals have been added or updated:

  • AXS Guard PKI Guide

  • AXS Guard SSTP Guide

  • AXS Guard Reverse Proxy Guide

The following KB articles have been added or updated:

  • Terminal Server Setups

  • HTTP Authentication Methods

New Features

Microsoft SSTP VPN Support

MS-SSTP (Microsoft Secure Socket Tunneling Protocol) is a VPN protocol which is developed by Microsoft. It implements PPP over HTTPS (SSL), so traffic can easily traverse firewalls and proxies.

CA Certificate Export Option

If the SSTP server certificate is signed by the AXS Guard CA, the CA certificate must be exported and added as a trusted root CA on each Windows SSTP client in order for connections to succeed. A new button has been added for this purpose.

OATH Support for Remote Desktop Gateway Back-ends

The Remote Desktop Gateway (RDG) reverse proxy back-end now supports authentication with OATH-based tokens, such as Google and Microsoft Authenticator apps.

The following authentication methods are available:

  • OATH (default)


  • OATH or DIGIPASS (to facilitate migration)

  • AXS Guard password

  • Back-end password (LDAP)

OATH is supported for all RDG implementations, such as RPC over HTTP (prior to Windows 8), RDG (Windows 8 or later) and the Microsoft Remote Desktop App (Android, iOS and Windows).

Version 10.1


Support for Google and Microsoft OATH tokens has been implemented. OATH tokens provide one-time passwords to end users and are a form of strong authentication.

The Initiative for Open Authentication (OATH) is a collaborative effort of IT industry leaders aimed at providing a reference architecture for universal strong authentication across all users and all devices over all networks. Using open standards, OATH will offer more hardware choices, lower cost of ownership, and allow customers to replace existing disparate and proprietary security systems whose complexity often leads to higher costs.

An OATH license is required for this feature.

Visit for additional information.


The AXS Guard documentation is constantly updated to reflect the various updates and improvements in the software and the product as a whole. Documents are available in the PDF and HTML format.

The following manuals have been updated:

  • AXS Guard Authentication Guide

The following articles have been added to the knowledge base:

  • How to set up your Google Authenticator

  • How to set up your Microsoft Authenticator

New Features

Microsoft and Google Authenticator Support

Both Google and Microsoft provide authenticators based on the OATH standard. Most implementations of OATH leverage smartphones and apps for the generation of one-time passwords.

The Authenticator apps can be downloaded from the Android and iOS app stores at no cost.


Tokens cannot be assigned without a valid license; a new system license is required. Contact your reseller to obtain an OATH token license.

Go to System > License > Authenticators > OATH to view your license details.


On the server side, secrets are provisioned by assigning a token to a user. An e-mail with configuration instructions is automatically sent to the user’s AXS Guard mailbox after a token has been assigned by an administrator.

On the client side, the user can simply import the secret by scanning the QR code provided in the e-mail, which also contains instructions to manually enter the required information.

Authentication Policies

New policies have been added to accommodate authentication with OATH tokens. These feature authentication methods for both password (PAP) and challenge (CHAP) based authentication protocols, as used by PPTP and L2TP VPN services.

Version 10.0

Kernel Upgrade

A new 64-bit kernel has been implemented. The previous kernel has also been upgraded to version 4.14. This is especially important when installing the appliance in a virtual environment; it will no longer be possible to boot your virtual AXS Guard appliance with a virtual machine that has been configured for a 32-bit guest OS.

The upgrade process may take over 30 minutes to complete. It is recommended to upgrade your appliance during off-peak hours or during a maintenance window to avoid service interruptions.

A new NAT option has been added to the Personal AXS Guard service to allow administrators to use the same subnet for multiple PAX units. Some minor changes were also made to the server-side user interface, making DHCP and passwords easier to configure.

A drag and drop feature has been implemented allowing administrators to easily change the order of rules in system policies, such as firewall policies.

A new reverse proxy back-end has been added to support Awingu version 4.0 and above.


The AXS Guard documentation is constantly updated to reflect the various updates and improvements in the software and the product as a whole. Documents are available in PDF and HTML formats.

The following guides have been updated:

  • AXS Guard PAX Installation Guide

  • AXS Guard Reverse Proxy Guide

  • AXS Guard Firewall Guide

  • AXS Guard PKI Guide

  • AXS Guard Virtual Appliance Guides

New Features

Kernel 4.14

Kernel updates introduce fixes which close up previously discovered security vulnerabilities and are the most important reason to upgrade your system.

Updates will also include support for new hardware, new functionalities and improve the stability and speed of your system.

IPsec netkey and VTI interfaces

The IP security (IPsec) stack is switched to the native linux implementation called netkey. In order to facilitate this transition, AXS Guard makes use of virtual tunnel interfaces (VTI), which provide routable ipsec software interfaces that support multicast, bandwidth management and load balancing, similar to the KLIPS IPsec stack used before.

The switch to netkey IPsec stack offers active development and support, a larger selection of cryptographic algorithm support, cryptographic offloading and parallel processing.

New PAX NAT Option

A new Translate Remote LAN option has been added, allowing administrators to reuse the same subnet for multiple PAX units.

Reverse Proxy support for Awingu 4.0

The reverse proxy has been refactored to support Awingu 4.0 and later versions. To configure the reverse proxy for use with Awingu 4.0, just select the "awingu-v2" back-end.

SSO Tool

Version 2.15

Bug Fixes

  • The OpenSSL suite has been upgraded.
  • Resolved issue where clients could no longer connect after sleep mode.
  • Msi configuration tool now supports username/password mode.
  • Per-user install has been fixed.
  • The msi configuration tool was moved to the "Configuration Tools" folder in the SSO zip file.
Version 2.14

New Features

  • Windows 10 compatibility.
  • A new utility helps you to customize the msi installer for deployment via a GPO.
  • Software can be installed per-user or per-computer. Per-user context no longer requires administrative privileges.
  • New icon which indicates the connection status.
  • Updated AXS GUARD logos, icons and trademarks.
  • The software has been optimized for AXS GUARD version 8.2.1


  • OpenSSL and wxWidgets have been upgraded.
  • Version 2.14 will play nice with Windows sleep, shutdown and hibernate.
  • The uninstall and upgrade wizards will automatically close running instances of the SSO tool (as of version 2.14)
  • Version 2.14 can be configured to automatically update the Windows system proxy settings.
  • SSO binaries are now signed by "Vasco, The Security Company". See for additional information.
  • When starting the SSO tool without a profile, a friendly dialog box will help you create one.
  • Possibility to use an IP or hostname to configure the gateway.
  • The installer automatically launches the SSO Tool after installing the software.
  • Possibility to choose the installation path of the SSO Tool.
  • Only one instance of the SSO Tool can be active at any given time.
  • Ability to edit the default profile in a per-computer context (new users only).
  • Uninstall will clean up existing SSO registry data, including profiles.
  • Validation has been improved
  • Improved error messages and debug logging.
  • Resilient networking code.
  • Friendly reminders will be shown of new versions every time the SSO tool is restarted.

Bug Fixes

  • On some systems, uninstalling version 2.13 of the SSO tool is not possible. Upgrading to 2.14 will correct these issues.
  • Various memory leaks and software crashes have been fixed.
  • The default system profile was not always applied to first-time users in previous versions. This has been fixed in version 2.14.
  • Command line install has been updated and is now fully supported.
  • The debug log is now saved in %AppData%\AXSGUARDSSOv2 instead of the application directory.
  • Fixed connection errors on very fast networks.
  • Fixed all inconsistencies between setup-profile and run-profile.
  • Improved silent install for per-user and per-computer contexts. Note that the latter requires administrative privileges.
  • Profile auto-detection issue has been fixed.
  • Corruption of Firefox proxy settings has been fixed.
Back to top