6.6

Released December 22, 2025

Main Features

Security

  • Device Claim scripting is now disabled by default. Device Claim script execution in 6.6 Clients now requires the inclusion of the profile DNS name in the license file. Please contact AppGate Support to get the new license file.

Application Discovery

  • It is now possible to see and add multiple discovered apps (or ranges) to the narrow Entitlement.

  • It is now possible to define which user claim to use for detecting groups.

  • Discovered apps can be added to an existing Entitlement.

  • App types can be defined with multiple ports or port ranges to simplify the workflow.

  • It is possible to filter Discovered Apps using advanced search fields and pin searches to save the viewed list of discovered apps.

  • Hits per Day chart was updated to be more accessible, and a Show as List toggle has been added to view the data in a table.

  • The names of known ports will now appear in the Port column of the Discovered Apps Details page.

GeoLocation

  • It is now possible to use other GeoLocation providers to gain better accuracy. Your own account with the specific GeoLocation provider is required.

QUIC

  • QUIC replaces DTLS as the UDP-based tunnel protocol. DTLS will be supported in this and the upcoming release.

Client

  • Collective failover behavior has been improved to trigger on every failed Controller connection and any sign-in issue. Users will be notified when logged out and banners will be displayed notifying them when a fallback profile is selected.

Linux

  • The Linux headless and full Clients now run on Ubuntu 22+ ARM-based distributions.

Mobile

  • The default browser for Android devices will be used for external authentication (OIDC/SAML) instead of WebView. ChromeOS devices will still use WebView.

  • Users of iOS devices can now use an MDM configuration to override the external authentication behavior (OIDC/SAML) where Safari is used instead of WebView, and the appgate:// protocol is now used for OIDC redirection.

New Features

Appliance

  • Appliances have been upgraded to BDR 5.

  • The hashing algorithm for /etc/shadow was changed to yescrypt.

  • Appliances have been migrated to Ubuntu 24.

  • chrony has replaced ntpq for time synchronization. Appliances will no longer listen on port 123. chrony accepts requests only through a UNIX socket.

License usage

  • Users can now download license utilization according to IdP and license usage data from the Licenses page.

Collective sizing

  • The allowed number of Controllers per Collective has been increased to nine (9).

  • The limitation of having a single local Site has been removed. Overlapping IPs and subnets can now be assigned to multiple Sites as a Local Site.

  • There is no longer a limit on the number of Gateways that can be present in a Collective.

Admin UI/Frontend

  • It is now possible to search for Entitlements in Access > Entitlements using an IP within a subnet to return a list of all Entitlements in that IP range.

  • The appliance CA now appears on the Trusted Certificates page.

  • The Session Details view Used Bandwidth label has been updated to reflect Sent/Received data.

  • The size of the code editor (scripts) can now be increased to full screen.

  • The user will now be notified if they enter secret names containing invalid characters.

  • Support was added to print boolean claims in the messages of remedies, such as "Display message".

  • The Identity Provider - Test User action button will now list all errors with all servers, including the server IP/hostname.

Gateway

  • Clients will now be immediately informed if the Client hostname of a Gateway is changed or a Gateway is added or removed from a Site. This requires Clients to have at least one working Gateway connection.

Name resolving

  • Support was added for overlapping domains in the DNS Forwarder.

Metrics

  • Users can now configure the Metrics Aggregator poll interval warning message time using cz-config.

  • The ctr_client_average_time Prometheus metric was added, which collects the average time for API calls for ctrClient and ctrAdmin values.

  • The following items have been added to the SNMP MIB:

    • 1.3.6.1.4.1.7607.1.3.27.11 APPGATE-MIB::appgate.sdp.sdpCtr.ctrClient.ctrClientAverageTime

    • 1.3.6.1.4.1.7607.1.3.28.5 APPGATE-MIB::appgate.sdp.sdpCtr.ctrAdmin.ctrAdminAverageTime

Portal

  • By default, the Portal supports only a single source IP per Client for stricter security, which can cause customers with multi-instance load balancers or WAF to run into issues. Customers with that use case can now remove the source IP restriction by running the following command: sudo cz-config set -j portal/strictSrcIPCheck true

Client

  • Users now have the option to not display the Message of the Day at every subsequent login to the Client.

Linux

  • The Linux Client was updated to use the stored keyring first.

  • RHEL8 is no longer supported. Clients built by RHEL8 work on RHEL9.

Updates

Security

  • Administrators with the “Administrative Role” privilege can no longer create an administrative role that has more privileges than themselves.

Stability

  • Fixed an issue in which ordered lists (e.g. User actions or Resolvers), under certain circumstances, would get out of order among Controllers. This would result in the items in the list being applied differently depending on which Controller the connection was made to.

  • An issue was addressed in which downloading client logs from the Active Sessions page was taking more time than expected and causing the download to fail.

Appliance

  • Fixed an issue in which cz-config set ... commands did not apply properly when the value was a dictionary.

REST API

  • An Entitlement without any conditions can no longer be created.

Admin UI

  • Fixed an issue in which, under certain circumstances, a field would erroneously add the required asterisk (*).

  • Fixed an issue in which the Edit Identity Provider - OIDC form displayed incorrect help text for the Issuer and Audience/Client ID fields.

  • Fixed an issue in which the upgrade screen would erroneously report “Upgrade Failed”.

  • The Blacklisted Users page is now the Denylist page.

Name resolving

  • Addressed an issue in which glob name updates did not take effect.

Audit logging

  • Addressed an issue in which logs would stop forwarding on ZTP-enabled Collectives.

Other

  • Addressed an issue in which cz-vpnd would crash when “Log NAT-IP and NAT-port” was enabled.

Client

  • Fixed an issue in which auto sign-in did not apply the first time a Policy-managed Client Profile was applied.

  • Fixed an issue in which a Device Claim script was considered timed out when a machine went to sleep while the script was running.

  • Addressed an issue in which the device Policy configuration for disabling “Keep Me Signed In” would remove credentials from the headless configuration after signing in.

  • Addressed an issue in which the Entitlement list would not load and would use a lot of CPU when Site connections were unstable.

Windows

  • Fixed an issue in which the Lite Windows Client would crash due to a faulty DNS policy setup and would not produce crash information or log data about the issue.

macOS

  • Fixed an issue in which the macOS menu bar was erroneously displaying AppGate ZTNA-specific menu options when the Client UI was selected.