Skip to content

Release notes

Version 3.8.2

Features

Rendezvous bridge health monitoring

XoTs now continuously monitor the health of rendezvous bridge connections. Both sides of a bridge exchange periodic ping/pong messages over the WireGuard bridge interface, and each side independently tracks peer health. Peers that miss several consecutive pings are classified as degraded and eventually dead, at which point they are automatically excluded from the WireGuard configuration to prevent traffic from being routed through a broken tunnel. Health status and round-trip times are exposed as Prometheus metrics.

Delayed certificate handout for future-dated certificates

When enrolling XoTs, if the certificate authority issues certificates with a validity start date in the future, XMS now waits until the certificate becomes valid before handing it to the XoT. This prevents enrollment failures caused by certificates that are not yet within their validity period.

Fixes and adjustments

XMS

  • Fixed system-wide configuration changes failing with an internal server error.
  • Fixed the client showing assets that the user has no policy-based access to, even though those assets were not actually reachable.
  • Fixed the Tickets page showing duplicate rows and blank asset names.

XoT

  • Fixed bridges not handling concurrent access requests to the same XoT, where two simultaneous requests would overwrite each other's session data.
  • State updates are now atomic to prevent issues from write operations failing mid-update.
  • Fixed certificates with slightly off validity periods being accepted initially but rejected after a state machine restart, triggering unnecessary re-enrollment.
  • Fixed DHCP lease persistence failing when leases contained hostname (option 12), parameter request list (option 55), or classless route (option 121) options, causing all stored leases to be lost on restart.
  • Fixed static /32 device addresses that match the external default gateway shadowing the gateway route and breaking all external connectivity.
  • Fixed transparent (proxy) mode outbound traffic failing because the atomic file write introduced for resilience does not work on virtual filesystems (/proc, /sys), preventing proxy ARP from being enabled.
  • Fixed XoTs permanently losing enrollment when NTP sync fails on boot with incorrect system time, which caused certificate validation to run with wrong time and irreversibly destroy enrollment data.
  • Fixed DHCP-configured devices on eth-dev failing to obtain an IP address due to false Duplicate Address Detection.
  • Fixed software XoTs failing to change MTU on WireGuard interfaces when the underlying network interfaces have a non-standard MTU.
  • Fixed the Debian package depending on the wrong arping implementation, causing device ping to fail on systems where iputils-arping is not installed at the expected path.

Version 3.8.1

Features

Upgraded Firmware Management page

The Firmware Management page in XMS has been redesigned to match the standard table layout used across other pages. It now shows the number of XoTs per firmware label and supports deleting firmware labels (with protection against deleting labels that are currently in use).

Evaluation firmware for initial deployments

A new "eval" firmware variant is available for proof-of-concept and initial roll-out deployments. The eval firmware includes enhanced diagnostics and debugging capabilities, making it easier to troubleshoot potential issues during early deployment stages before transitioning to standard production firmware.

USB mass storage support for S1

XoT S1 devices with "eval" firmware now support optionally mounting a USB drive during boot for initial deployment and troubleshooting. This is particularly useful in locked-down environments where network connectivity may be limited. The USB drive can be used to:

  • Provide initial networking configuration.
  • Supply SSH keys for remote access.
  • Collect debug logs.

Dummy asset mode for connectivity checking

A dummy asset can now be added to a subnet on the XoT for network health checking. This allows administrators to verify XoT connectivity after installation or troubleshoot network issues without relying on a real physical asset connected to the device port.

XoT ID reported as DHCP hostname

XoTs now send their XoT ID as the hostname in DHCP requests, making it easier to identify XoTs on the network via DHCP server logs or lease tables.

Support for DHCP-assigned routes

XoTs now support extra routes assigned via DHCP options 33 and 121, enabling more complex network setups where additional routing is managed by the DHCP server.

More verbose DHCP logging

DHCP packet logging has been made more verbose to assist with diagnosing DHCP-related issues during deployment and troubleshooting.

Certificate warnings in dashboard

XMS now displays certificate expiry warnings directly in the dashboard, providing earlier visibility into upcoming certificate renewals.

Fixes and adjustments

XMS

  • Fixed policy graph not showing edges from m2m policies to destination assets connected via subnets.
  • Improved policy graph display of unprotected sources to show the neighbor IP subnet instead of confusing "multiple neighbors" entries.

XoT

  • Fixed arping in proxy mode when the external and device networks differ. ARP requests now use Duplicate Address Detection mode, which is more compatible with assets on different subnets.
  • Fixed an issue where only the first device was being arping'd in multi-device setups.
  • Fixed Proxy ARP for device-side-only /32 assets, resolving external ARP leaks, M2M device unreachability, and M2M forwarding failures.

Version 3.8.0

Features

WebAccess 2.0

This release introduces WebAccess 2.0, the first step in integrating our new experimental web client into the overall software stack.

Key capabilities:

  • React-based frontend that lays the foundation for future UI improvements.
  • Session recording and monitoring to help with troubleshooting and auditing.
  • Clipboard support for copy/paste during remote sessions.
  • File upload support directly from the browser.

WebAccess 2.0 will continue to evolve in upcoming releases.

Revamped Policy Graph

The Policy Graph has been completely revamped to make it easier to understand and troubleshoot access.

What's new:

  • Clear visual representation of how Users, User Groups, Policies, Assets, and external/unprotected endpoints relate to each other.
  • Access paths as connected nodes, so you can quickly see which sources can reach which destinations.
  • Support for both active and inactive policies, including scheduled policies that are only active during their configured time windows.
  • Powerful filtering by source, policy, and destination.

This makes it significantly easier to answer "who can access what?" and get further insight into the current network access topology.

Geofencing and fine-grained admin permissions

We've added a new, more flexible permission system for XMS administrators, enabling location- and classification-based control of what different admins are allowed to change.

Key concepts:

  • Permissions define resource, actions, and scope.
  • Scope can be defined by location and/or classification.

Admins can be limited to only modify assets and policies at specific locations. Edit rights can be restricted through three permission types: Asset manager, Policy manager, and Policy activator.

XoTs now have a location attribute so that asset permissions can safely include connecting assets to XoTs in the same location.

This also lays the groundwork for future specialized roles (such as an "Installer" role that can enroll XoTs with limited scope).

Role model changes:

  • The previously hard-coded user role has been removed.
  • root has been renamed to superadmin. This remains the most privileged role with unrestricted access to XMS.
  • admin remains as a role below superadmin, with global administrative access except for:
  • Uploading XoT firmware
  • Managing group synchronization

Remote XoT reboot

Administrators can now remotely reboot XoTs directly from the diagnostic information page in XMS.

Use XMS as an NTP server

XMS now has NTP enabled by default and can act as a time server for XoTs.

Certificate expiry visibility

XoT and client certificate expiration dates are now visible in the XMS dashboard, making it easier to plan certificate renewals ahead of time.

Terminology changes

To better reflect the variety of resources that XMS manages — physical devices, subnets, and remote endpoints — the term Devices has been renamed to Assets throughout the interface. Correspondingly, Policy Groups are now called User Groups on the policies page.

Pending Assets are now called Discovered Assets, better reflecting that these are assets that XMS has detected without implying that action is always required.

Fixes and adjustments

XMS

  • Future policies no longer contribute to bridge requirements (must pass list) which previously made access requirements overly strict.
  • Unprotected device firewall rules now respect schedule and active settings.
  • More reliable login behavior in the identity provider flow.
  • Stricter (hierarchical) validation of asset locations.
  • Better error handling for invalid IDs in the API.
  • Clearer feedback when navigating to a non-existent policy.
  • Fixed DHCP lease time setting not working for subnets.
  • Fixed XoT revoke command not being sent properly to XoTs.
  • Added default values for WireGuard port ranges (19000-19099).
  • Improved Grafana integration: configuration moved to backend, with direct links to XoT and client session dashboards.
  • Updated login page appearance (new Keycloak theme).

XoT

  • XoT now has more robust handling of IPv6-related DNS responses in environments where IPv6 is not supported.
  • Improved XoT bridge peer selection to avoid routing traffic via stale peers.
  • XoT now persists configuration across restarts, so it no longer requires XMS to be accessible after restart.
  • More standard handling of DHCP client identifiers, which previously confused some DHCP servers.
  • DHCP messages are now padded in accordance with the BOOTP specification.
  • Always include DHCP parameter request list (some DHCP servers will not serve standard options if they have not been requested).

Version 3.7.4

Fixes and adjustments

XMS

  • Fixed an issue where users were immediately logged out after signing in.
  • Fixed location parameter verification for assets.
  • Fixed location dropdown showing options from the wrong hierarchy path.
  • Fixed client configuration generation not providing token information.
  • Fixed DHCP lease time not being configurable for subnets.

XoT

  • XoT now stores the XMS URL earlier during discovery, improving reliability in environments where XMS is intermittently available.
  • ICMP firewall rules now correctly restrict by protocol direction.
  • XoT now persists its configuration across restarts, so it no longer requires XMS to be accessible after restart.
  • More standard handling of DHCP client identifiers, which previously confused some DHCP servers.
  • DHCP messages are now padded in accordance with the BOOTP specification.
  • Always include DHCP parameter request list (some DHCP servers will not serve standard options if they have not been requested).

Version 3.7.3

Fixes and adjustments

XMS

  • Device-side firewall bundles now exclude inactive policies and scheduled policies that are currently outside all valid time slots. This prevents XoT data from including firewall rules from inactive or out-of-window policies.
  • Scheduled policies that have not yet started no longer contribute bridge requirements to access tickets. Only currently active policies can add must_pass_any_xra requirements.

XoT

  • Bridging in Rendezvous mode (default) no longer fails due to changing WireGuard keys. XoTs now avoid stale bridge peer selection that could route traffic via outdated keys and block connectivity.
  • More robust handling of IPv6-related DNS responses in environments where IPv6 is not supported.

Version 3.7.2

Features

Device-side NTP server on XoTs

Protected devices behind an XoT can use their XoT for NTP if needed.

Nested user groups in XMS (Keycloak)

When XMS is set up with Keycloak as its user source, user groups can be added to subgroups. This helps distinguish groups from different sources that share the same group name. They now appear as, for example, source1/admins and source2/admins.

User onboarding wizard

When starting the XoT-Desktop client without configuration you are now presented with an onboarding wizard which allows you to authenticate and acquire user credentials with the XMS of your choosing.

Revised XMS setup

XMS setup has been reworked to be more reliable and handle a wider range of configurations:

  • Entra ID user and group sync wizard.
  • Allow issuing TLS certificates with internal CA (instead of creating self-signed certificates).
  • Improved handling and validation when setting up XMS with an external database.
  • Added setup logging to /var/log/xms-setup/.
  • Improved end-of-setup information with URL and credentials for XMS and Keycloak administration.
  • Fixed TLS certificate setup when importing credentials from file.
  • Increased setup timeouts for installation on slower systems.
  • Consider certificate chains when issuing service certificates.
  • Fixed issues with retrieving and displaying installation status.
  • Explicit hashing functions for self-signed TLS certificates (instead of relying on system defaults).

Tweaked XMS user roles

  • The None role has been renamed to client to clarify that this role can still access assets via policies.
  • The User role has been further restricted in its administration capabilities.

Version 3.7.1

Remote subnets

Version 3.7.0 had a feature regression (compared to 3.6) in that it no longer supports remote subnets. This is where traffic to assets on the protected side of an XoT needs to be routed via a gateway. With this version remote subnets are available once again.

Version 3.7

Features

XoT-WebAccess for the browser

  • Use the XoT Technology by logging in via a browser only. Lets the user use a sandbox jumpbox to connect to the same resources as if the user had the XoT-Client installed.

More flexibility for supporting complex networks

  • Assets like devices and subnets are now objects that can be detached and attached to XoT-Locks.
  • Policies can now specify individual assets behind an XoT-Lock, even if it protects multiple assets.
  • Put multiple devices or subnets behind an XoT-Lock in seconds, also in transparent mode.
  • Adjust policies to apply only for selected users.
  • Tweak details like DHCP for NTP override, lease time, and more.

Easier overview, configuration, and troubleshooting

  • Improved dashboard for better overview in XMS.
  • More diagnostic information in XMS.
  • Extended tooling for debugging the XoT-Lock and the XoT-Client.
  • A lot of new articles on Docs.xertified.com, with clear separation of version 3.6 and 3.7 content.

Version 3.6

Enabling running XoT on more devices and new Beta access to XoT-WebAccess.

Features

Run XoT-Lock on ARM devices

Adding support for deploying XoT to ARM devices gives you the possibility to use a wide variety of devices as XoT-platforms for XoT-Lock, XoT-Bridge, and more.

XMS enhancement

  • Easier integration with Grafana for metrics.
  • Improved XMS policy editor. Easy to create scheduled policies.

802.1x supplicant

Now possible to be added into networks protected by 802.1x (dot1x).

XoT-WebAccess beta access

Optional possibility to try the new browser-based access to XoT.

Version 3.5

Core system update improving robustness, introducing adjustable firewalls, and makes it possible to deploy air-gapped systems, also for RHEL.

Features

A ticket permission design

The permission system design is now ticket-based and asynchronous. By choosing a ticket time-to-live the XoT Technology can be kept alive also during disturbance or maintenance windows.

Firewalls

Built-in firewall in XoT-Locks are now adjustable by the administrator.

Air-gapped XoT Technology

The XoT Technology is now delivered with all the necessary components for running in air-gapped networks.

XoT-Desktop client and XoT-Client Config tool update

  • Usability improvements for the XoT-Desktop client.
  • New XoT-Client Config tool for Windows users, making it easy to setup the configuration for users and administrators.

XMS integrations

Integration and support for many new external systems:

  • Wazuh for SIEM.
  • Zabbix for monitoring.
  • SPAN for port mirroring and traffic analysis.
  • Keycloak for identity management.
  • OpenSSL for certificate authority.

XRA is now XoT-Bridge

The product formerly known as XoT Remote Access (XRA) is now renamed to XoT-Bridge.

OVA for easy server deployment

  • Easy deployment via OVA-file for ESXi.

Support for Red Hat Enterprise Linux 9+

  • Verified support for RHEL 9.x for both server and client software.