Web User Interface (WUI)

Configuration Guide

VERSION: 14.0

UPDATED: March 2017

Web User Interface (WUI)

Copyright Notices
Copyright 2002-2017 KEMP Technologies, Inc.. All rights reserved.. KEMP Technologies and the KEMP
Technologies logo are registered trademarks of KEMP Technologies, Inc..

KEMP Technologies, Inc. reserves all ownership rights for the LoadMaster product line including software and
documentation. The use of the LoadMaster Exchange appliance is subject to the license agreement. Information in
this guide may be modified at any time without prior notice.

Microsoft Windows is a registered trademarks of Microsoft Corporation in the United States and other countries.
All other trademarks and service marks are the property of their respective owners.

Limitations: This document and all of its contents are provided as-is. KEMP Technologies has made efforts to
ensure that the information presented herein are correct, but makes no warranty, express or implied, about the
accuracy of this information. If any material errors or inaccuracies should occur in this document, KEMP
Technologies will, if feasible, furnish appropriate correctional notices which Users will accept as the sole and
exclusive remedy at law or in equity. Users of the information in this document acknowledge that KEMP
Technologies cannot be held liable for any loss, injury or damage of any kind, present or prospective, including
without limitation any direct, special, incidental or consequential damages (including without limitation lost profits
and loss of damage to goodwill) whether suffered by recipient or third party or from any action or inaction
whether or not negligent, in the compiling or in delivering or communicating or publishing this document.

Any Internet Protocol (IP) addresses, phone numbers or other data that may resemble actual contact information
used in this document are not intended to be actual addresses, phone numbers or contact information. Any
examples, command display output, network topology diagrams, and other figures included in this document are
shown for illustrative purposes only. Any use of actual addressing or contact information in illustrative content is
unintentional and coincidental.

Portions of this software are; copyright (c) 2004-2006 Frank Denis. All rights reserved; copyright (c) 2002 Michael
Shalayeff. All rights reserved; copyright (c) 2003 Ryan McBride. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following
disclaimer

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
following disclaimer in the documentation and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY THE ABOVE COPYRIGHT HOLDERS ''AS IS'' AND ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE ABOVE COPYRIGHT HOLDERS OR
CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 2

Web User Interface (WUI)

WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY
WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

The views and conclusions contained in the software and documentation are those of the authors and should not
be interpreted as representing official policies, either expressed or implied, of the above copyright holders..

Portions of the LoadMaster software are copyright (C) 1989, 1991 Free Software Foundation, Inc. -51 Franklin
Street, Fifth Floor, Boston, MA 02110-1301, USA- and KEMP Technologies Inc. is in full compliance of the GNU
license requirements, Version 2, June 1991. Everyone is permitted to copy and distribute verbatim copies of this
license document, but changing it is not allowed.

Portions of this software are Copyright (C) 1988, Regents of the University of California. All rights reserved.

Redistribution and use in source and binary forms are permitted provided that the above copyright notice and this
paragraph are duplicated in all such forms and that any documentation, advertising materials, and other materials
related to such distribution and use acknowledge that the software was developed by the University of California,
Berkeley. The name of the University may not be used to endorse or promote products derived from this software
without specific prior written permission.

THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING,
WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE.

Portions of this software are Copyright (C) 1998, Massachusetts Institute of Technology

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated
documentation files (the "Software"), to deal in the Software without restriction, including without limitation the
rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit
persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the
Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT
NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT
OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Portions of this software are Copyright (C) 1995-2004, Jean-loup Gailly and Mark Adler

This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held
liable for any damages arising from the use of this software.

Permission is granted to anyone to use this software for any purpose, including commercial applications, and to
alter it and redistribute it freely, subject to the following restrictions:

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 3

Web User Interface (WUI)

1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software.
If you use this software in a product, an acknowledgment in the product documentation would be appreciated but
is not required.

2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original
software.

3. This notice may not be removed or altered from any source distribution.

Portions of this software are Copyright (C) 2003, Internet Systems Consortium

Permission to use, copy, modify, and/or distribute this software for any purpose with or without fee is hereby
granted, provided that the above copyright notice and this permission notice appear in all copies.

THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS
SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE
AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
PERFORMANCE OF THIS SOFTWARE.

Used, under license, U.S. Patent Nos. 6,473,802, 6,374,300, 8,392,563, 8,103,770, 7,831,712, 7,606,912,
7,346,695, 7,287,084 and 6,970,933

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 4

Web User Interface (WUI)

Table of Contents

1 Introduction 11

1.1 Document Purpose 11

1.2 Intended Audience 11

2 Home 12

2.1 Login Information 12

2.2 General Information 13

2.3 Virtual Service and Real Server Status 13

2.4 WAF Status 13

2.5 System Metrics 14

2.6 License Information 15

2.7 About LoadMaster 15

2.8 Other Links 16

3 Virtual Services 17

3.1 Add New 17

3.2 View/Modify (Existing HTTP Service) 17

3.3 Basic Properties 19

3.4 Standard Options 21

3.5 SSL Properties 30

3.6 Advanced Properties 33

3.7 Web Application Firewall (WAF) Options 39

3.8 Edge Security Pack (ESP) Options 41

3.8.1 SMTP Virtual Services and ESP 52

3.9 Sub Virtual Services 53

3.10 View/Modify (Remote Terminal Service) 55

3.11 Real Servers 55

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 5

Web User Interface (WUI)

3.11.1 HTTP or HTTPS Protocol Health Checking 58

3.11.2 Binary Data Health Checking 62

3.11.3 Name Server (DNS) Protocol Health Checking 62

3.11.4 Add a Real Server 63

3.11.5 Modify a Real Server 65

3.12 Manage Templates 66

3.13 Manage SSO Domains 67

3.13.1 Single Sign On Domains 67

3.13.1.1 Client Side (Inbound) SSO Domains 68

3.13.1.1.1 Client Side (Inbound) SAML SSO Domains 72

3.13.1.1.2 Sessions 75

3.13.1.2 Server Side (Outbound) SSO Domains 77

3.13.2 Single Sign On Image Sets 78

3.14 WAF Settings 78

4 Global Balancing 81

4.1 Enable/Disable GSLB 81

4.2 Manage FQDNs 81

4.2.1 Add a FQDN 81

4.2.2 Add/Modify an FQDN 82

4.3 Manage Clusters 87

4.3.1 Add a Cluster 87

4.3.2 Modify a Cluster 88

4.3.3 Delete a Cluster 89

4.3.4 Upgrading GEO Clusters 89

4.4 Miscellaneous Params 89

4.4.1 Resource Check Parameters 90

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 6

Web User Interface (WUI)

4.4.2 Stickiness 92

4.4.3 Location Data Update 92

4.5 IP Range Selection Criteria 92

4.6 IP Blacklist Settings 93

4.7 Configure DNSSEC 95

5 Statistics 97

5.1 Real Time Statistics 97

5.1.1 Global 97

5.1.2 Real Servers 98

5.1.3 Virtual Services 100

5.1.4 WAF 102

5.2 Historical Graphs 103

6 SDN Statistics 106

6.1 Device Information 107

6.1.1 Path Information 108

7 Real Servers 111

8 Rules & Checking 112

8.1 Content Rules 112

8.1.1 Content Matching Rules 112

8.1.2 Content Matching 112

8.1.3 Add Header 114

8.1.4 Delete Header 115

8.1.5 Replace Header 115

8.1.6 Modify URL 116

8.1.7 Header Modification 117

8.2 Check Parameters 117

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 7

Web User Interface (WUI)

8.2.1 Service (Health) Check Parameters 117

8.2.2 Adaptive Parameters 118

8.2.3 SDN Adaptive Parameters 119

9 Certificates & Security 121

9.1 SSL Certificates 121

9.1.1 HSM Not Enabled 121

9.1.2 HSM Enabled 122

9.2 Intermediate Certificates 123

9.3 Generate CSR (Certificate Signing Request) 123

9.4 Backup/Restore Certs 126

9.4.1 HSM Not Enabled 126

9.4.2 HSM Enabled 126

9.5 Cipher Sets 127

9.6 Remote Access 129

9.6.1 Administrator Access 129

9.6.2 GEO Settings 133

9.6.3 GEO Partners Status 134

9.6.4 WUI Authentication and Authorization 134

9.7 Admin WUI Access 137

9.8 OCSP Configuration 141

9.9 HSM Configuration 142

9.10 LDAP Configuration 144

10 System Configuration 146

10.1 Network Setup 146

10.1.1 Interfaces 146

10.1.2 Host & DNS Configuration 151

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 8

Web User Interface (WUI)

10.1.3 Default Gateway 153

10.1.4 Additional Routes 153

10.1.5 Packet Routing Filter 154

10.1.6 VPN Management 155

10.1.6.1 View/Modify VPN Connection 156

10.2 HA and Clustering 158

10.2.1 HA Mode 159

10.2.1.1 Azure HA Parameters 163

10.2.1.2 AWS HA Parameters 164

10.2.2 Cluster Control 165

10.2.2.1 Cluster Parameters 168

10.3 System Administration 168

10.3.1 User Management 168

10.3.1.1 Modify User 170

10.3.2 Update License 172

10.3.2.1 Online Method 172

10.3.2.2 Offline Method 172

10.3.2.3 Debug Checks 173

10.3.3 System Reboot 173

10.3.4 Update Software 174

10.3.5 Backup/Restore 175

10.3.6 Date/Time 177

10.4 Logging Options 178

10.4.1 System Log Files 179

10.4.1.1 Debug Options 180

10.4.2 Extended Log Files 184

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 9

Web User Interface (WUI)

10.4.3 Syslog Options 186

10.4.4 SNMP Options 188

10.4.5 Email Options 191

10.4.6 SDN Log Files 194

10.4.6.1 Debug Options 195

10.5 Miscellaneous Options 196

10.5.1 WUI Settings 196

10.5.2 L7 Configuration 198

10.5.3 Network Options 202

10.5.4 AFE Configuration 206

10.5.5 SDN Configuration 208

10.5.5.1 SDN Controller Settings 208

References 210

Document History 212

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 10

Web User Interface (WUI)
1 Introduction

1 Introduction
KEMP Technologies products optimize web and application infrastructure as defined by high-availability,
high-performance, flexible scalability, security and ease of management. KEMP Technologies products
maximize the total cost-of-ownership for web infrastructure, while enabling flexible and comprehensive
deployment options.

1.1 Document Purpose

This document describes the Web User Interface (WUI) of the KEMP LoadMaster. It describes in detail
how to configure the various features of the KEMP LoadMaster using the WUI.

The available menu options in the LoadMaster may vary from the ones described in this document. The
features available in a LoadMaster depend on what license is in place. To upgrade a license, please call a
KEMP Technologies representative.

1.2 Intended Audience

This document is intended to help anyone who wishes to configure the KEMP LoadMaster using the
WUI.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 11

Web User Interface (WUI)
2 Home

2 Home
Clicking the Home menu option displays the home page which presents a list of basic information
regarding the LoadMaster.

2.1 Login Information

After initially logging in to the LoadMaster, if Session Management is enabled - some login information is
displayed:

The last login time and IP address of the current user

The number of successful logins by the current user in the last 30 days

The total number of failed login attempts by any user (including unknown usernames) since the last
successful login

For further information on Session Management, refer to the OCSP Configuration section.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 12

Web User Interface (WUI)
2 Home

2.2 General Information

IP address: The IP address of the LoadMaster.

LoadMaster Version: The firmware version of the LoadMaster.

If the Allow Update Checks feature is enabled - when a new version of the LoadMaster firmware
becomes available, a message is displayed at the top of the Home screen to inform you. To enable the
auto-check feature, go to Certificates & Security > Remote Access. For further information, refer to the
Administrator Access section.

Serial Number: The Serial Number of the LoadMaster.

Boot Time: The time of the last server reboot.

2.3 Virtual Service and Real Server Status

VS Status

This section displays some monitoring information for the Virtual Services, such as the percentage of
Virtual Services that are up and the number of disabled Virtual Services. Clicking the Details link will
display the View/Modify Services screen.

Syslog messages are generated every hour about the number of Virtual Services, SubVSs and Real
Servers that are up/down, and so on. Syslog messages are also generated when a status changes.

RS Status

This section displays some monitoring information for the Real Servers, such as the percentage of Real
Servers that are up and the number of disabled Real Servers. Clicking the Details link will display the Real
Servers screen.

2.4 WAF Status

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 13

Web User Interface (WUI)
2 Home

The Web Application Firewall (WAF) Status section is displayed if at least one Virtual Service has WAF
enabled. The values shown here are as follows:

The total number of requests handled by the WAF (shows all requests, whether they were blocked or
not). Two requests are recorded for each connection one incoming and one outgoing request.

The total number of events handled by the WAF (that is, requests that were blocked)

The number of events that have happened in the current hour (since xx.00.00)

The number of events that have happened since midnight (local time)

The number of times the event counter has gone over the configured warning threshold today. For
example, if the threshold is set to 10 and there has been 20 events, this counter is set to 2. The
warning threshold is set on a per-Virtual Service basis by filling out the Hourly Alert Notification
Threshold field in WAF Options in the Virtual Service modify screen. For further information, refer to
the Web Application Firewall (WAF) Options section.

2.5 System Metrics

CPU Load: The percentage of load to the CPU of the LoadMaster appliance.

TPS [conn/s]: The total number of Transactions Per Second and the number of Secure Sockets Layer
(SSL) transactions per second.

Net Load: Network load in megabits per second, shown for each configured interface. The Net Load will
only be displayed for interfaces which have been configured.

CPU Temp.: Displays the temperature of the CPU on supported hardware platforms.

The CPU Load and Net Load data is updated every 5 seconds.

On Dell LoadMasters, you can retrieve hardware statistics using SNMP. These include:

Temperature

Fan speed

Power supply

Voltage current

These values are only available using SNMP. For further information on SNMP Options, refer to the
SNMP Options section.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 14

Web User Interface (WUI)
2 Home

2.6 License Information

Clicking the View License link displays model, subscription expiry and subscription feature details, such
as the activation date and end date of the LoadMaster license.

If the subscription has expired, a message is displayed in the License Information section. To renew a
subscription, please contact KEMP.

Upgrade: Upgrade the LoadMaster by buying a license from the KEMP purchase portal.

2.7 About LoadMaster

On the About LoadMaster page, you can view licenses for third party software that is used in the
LoadMaster.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 15

Web User Interface (WUI)
2 Home

To view a license, click the View button next to the relevant item.

2.8 Other Links

Other links are provided at the bottom of the home page:

Support & FAQ: A link to the KEMP Support site

Find Online Documentation: A link to the KEMP documentation page

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 16

Web User Interface (WUI)
3 Virtual Services

3 Virtual Services
From this point onwards, the headings in this document generally correspond to the options in the
main menu on the left of the LoadMaster WUI.

3.1 Add New

Here the Virtual IP (VIP) address, port, protocol and name are defined. The VIP address, name and port
are manually entered into the text boxes and the protocol is selected from the drop-down list.

If templates are installed on your machine, a Use Template drop-down list is available whereby you can
select a template to configure the Virtual Service parameters such as port and protocol.

For further information regarding templates, please refer to the Virtual Services and Templates Feature
Description document on the KEMPDocumentation Page.

For the LoadMaster Exchange appliance there is a maximum limit of thirteen (13) Virtual Services that
may be configured.

3.2 View/Modify (Existing HTTP Service)

This screen displays a list of Virtual Services on the LoadMaster, summarizing the main properties of each
and giving the options to modify or delete services, or create a new service.

CAUTION
Delete is permanent, there is no UNDO feature. Use with care.

Each configured Virtual Service may be changed by clicking the Modify button or deleted by clicking the
Delete button.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 17

Web User Interface (WUI)
3 Virtual Services

The status of the Virtual Service is also displayed. Health checking is enabled by default when a Virtual
Service is created. For further information on health checking, refer to the Real Servers section.

The Virtual Service status may be one of the following:

Up At least one Real Server is available.

Down No Real Servers are available.

Sorry All Real Servers are down and traffic is routed to a separately configured Sorry Server that is
not part of the Real Server set, with no health checking.

Disabled The Virtual Service has been administratively disabled by unticking the Activate or
Deactivate Service check box in the Basic Properties section of the Virtual Service modify screen.

Redirect A fixed redirect response has been configured. Redirect Virtual Services can be created by
using the Add a Port 80 Redirector VS option in the Advanced Properties section. For more
information, refer to the Advanced Properties section.

Fail Message A fixed error message has been configured. A fixed error message can be specified
using the Not Available Redirection Handling options. Refer to the Advanced Properties section for
more information.

Unchecked Health checking of the Real Servers has been disabled. All Real Servers are accessed and
presumed UP.

Security Down The LoadMaster is unable to reach the Authentication Server and will prevent
access to any Virtual Service which has Edge Security Pack (ESP).

WAF Misconfigured If the WAF for a particular Virtual Service is misconfigured, for example if there
is an issue with a rule file, the status changes to WAF Misconfigured and turns red. If the Virtual
Service is in this state, all traffic is blocked. WAF can be disabled for that Virtual Service to stop the
traffic being blocked, if required, while troubleshooting the problem.

The image below shows the Virtual Service properties screen. It is composed of several component
sections:

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 18

Web User Interface (WUI)
3 Virtual Services

Basic Properties - where the usual and most common attributes are set

Standard Options the most widely used features of a Virtual Service

SSL Properties if SSL acceleration is being used, it will show Acceleration Enabled and this section of
the screen is used to configure the SSL functions

Advanced Properties the additional features for a Virtual Service

WAF Options where the options relating to the Web Application Firewall (WAF) can be set

ESP Options where the options relating to ESP are set

Real Servers/SubVSs where Real Servers/SubVSs are assigned to a Virtual Server

Depending upon the service type, and enabled or disabled features, specific fields and options show in
the WUI. The screenshots in this document may not represent every possible configuration.

3.3 Basic Properties

There are three buttons adjacent to the Basic Properties heading:

Duplicate VIP

This option makes a copy of the Virtual Service, including any related SubVSs. All Virtual Service
configuration settings are copied to the duplicate Virtual Service. When this button is clicked, a screen
appears where the IP address and port can be specified for the copied Virtual Service.

Change Address

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 19

Web User Interface (WUI)
3 Virtual Services

Clicking this button opens a screen where the virtual IP address and port of the Virtual Service can be
modified.

Export Template

Export the Virtual Service settings as a template. Templates can be used to create Virtual Services quickly
and easily.

When exporting a Virtual Service template in which the Virtual Service uses a custom Cipher Set, the
LoadMaster on which the template is imported must include the same custom Cipher Set.

Virtual Services created from a template will have all of the settings preconfigured based on the settings
in the template. The settings in the Virtual Service can then be changed, as needed. For more
information on templates, refer to the Virtual Services and Templates, Feature Description.

Service Name

This text box allows you to assign a nickname to the Virtual Service being created, or change an existing
one.

In addition to the usual alphanumeric characters, the following special characters can be used as part
of the Service Name:

.@-_

However, there must be at least one alphanumeric character before the special characters.

Alternate Address

This is where, if so desired, you would specify a secondary address in either IPv6 or IPv4 format.

Service Type

Setting the Service Type controls the options displayed for the Virtual Service. Its important to make
sure the Service Type is set according to the type of application that you are load balancing.

WebSocket Virtual Services must be get to the Generic Service Type.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 20

Web User Interface (WUI)
3 Virtual Services

The HTTP/2 Service Type allows HTTP/2 traffic - but does not currently offer any Layer 7 options beyond
address translation (transparency, subnet originating, alternate source).

Activate or Deactivate Service

This check box gives you the option to activate or deactivate a Virtual Service. The default (active) is
selected.

3.4 Standard Options

Force L4

Select this check box to force the Virtual Service to run at Layer 4 and not at Layer 7. This is only required
in some special circumstances. If in doubt, leave this option unchecked.

L7 Transparency

When using L7, a connection can be transparent. This means the connection arriving at the Real Server
appears to come directly from the client. Alternatively, if the connection is not transparent connections
at the Real Server appear to come from the LoadMaster. KEMP recommends keeping transparency
disabled in most configurations.

Enabling transparency makes the Virtual Service transparent (no Network Address Translation (NAT)).
However, if the client resides on the same subnet as the Virtual IP and Real Servers, then the Virtual
Services will automatically NAT the source IP (enabling non-transparency).

If the Real Servers are local option is enabled, then the Real Servers are NATed (non-transparent), even if
L7 Transparency is enabled. This only happens if the Real Server is the originator of the request to the
Virtual Service (and not just answering requests from other clients). For further information on the Real
Servers are local option, refer to the L7 Configurationsection.

Subnet Originating Requests

This option is only available if Transparency is disabled.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 21

Web User Interface (WUI)
3 Virtual Services

If Subnet Originating Requests is enabled, the source addresses for connections to the Real Servers is
the interface address of the LoadMaster. If this option is disabled, the source address is the Virtual
Service IP address. If transparency is enabled, the source address is the IP address of the client and the
Subnet Originating Requests option is ignored.

If the Real Server is on a subnet, and the Subnet Originating Requests option is enabled, then the
subnet address of the LoadMaster is used as the source IP address.

This switch allows control of subnet originating requests on a per-Virtual Service basis. If the global switch
(Subnet Originating Requests in System Configuration > Miscellaneous Options > Network Options in
the main menu) is enabled then it is enabled for all Virtual Services.

It is recommended that the Subnet Originating Requests option is enabled on a per-Virtual Service
basis.

For more information about the global option, refer to the Network Options section.

If the global option is not enabled, it can be controlled on a per-Virtual Service basis.

If this option is switched on for a Virtual Service that has SSL re-encryption enabled, all connections
currently using the Virtual Service is terminated.

Extra Ports

You may specify a range of ports, sequential or otherwise, starting with the base port already configured
for the Virtual Service. The port numbers are inputted to the field and separated with a space, and the
maximum range is 510 ports.

You can enter the extra ports either as port ranges or single ports separated by spaces or comma in
whatever order you wish, for example, entering the list 8000-8080, 9002, 80, 8050, 9000 will add the ports
80, 8000 to 8080, 9000 and 9002.

Server Initiating Protocols

By default, the LoadMaster will not initiate a connection with a Real Server until it has received some data
from a client. This prohibits certain protocols from working as they need to communicate with the Real
Server before transmitting data.

If the Virtual Service uses one of these protocols then select the protocol from the drop-down list to
enable it to work correctly.

The protocols that can be selected are:

SMTP

SSH

IMAP4

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 22

Web User Interface (WUI)
3 Virtual Services

MySQL

POP3

Other Server Initiating Protocols

The Server Initiating Protocols option is not visible when the port specified in the Virtual Service is 80,
8080 or 443.

Persistence Options

Persistence is setup on a per Virtual Service basis. This section allows you to select whether persistence is
enabled for this service, to set the type of persistence and the persistence timeout value.

If persistence is enabled it means that a client connection to a particular Real Server using the
LoadMaster is persistent, in other words - the same client will subsequently connect to the same Real
Server. The timeout value determines for how long this particular connection is remembered.

The drop-down list gives you the option to select the type of persistence. These are:

Source IP Address:

The source IP address (of the requesting client) is used as the key for persistency in this case.

Super HTTP:

Super HTTP is the recommended method for achieving persistence for HTTP and HTTPS services with the
LoadMaster. It functions by creating a unique fingerprint of the client browser and uses that fingerprint
to preserve connectivity to the correct Real Server. The fingerprint is based on the combined values of
the User-Agent field and, if present, the Authorization header. Connections with the same header
combination are sent back to the same Real Server.

Server Cookie:

The LoadMaster checks the value of a specially set cookie in the HTTP header. Connections with the
same cookie will go to the same Real Server.

Server Cookie or Source IP:

If cookie persistence fails, it reverts to source-based persistence.

Active Cookie:

With Active Cookie persistence, the cookies are generated by the LoadMaster, not the server. When
a connection comes into a LoadMaster Virtual Service configured with Active Cookie, the LoadMaster
looks for a specific cookie. If that cookie is not there, the LoadMaster inserts it into the HTTP stream
with a Set-Cookie directive. Existing cookies are not affected. As with the Server Cookie persistence
method, the value for the LoadMaster-generated cookie is unique to each user, allowing the

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 23

Web User Interface (WUI)
3 Virtual Services

LoadMaster to differentiate between users. A benefit of this method is that no cookies need to be
managed or generated by the servers, relieving the burden of server configuration. To gain better
dispersion per client connection you can enable the Add Port to Active Cookie feature in the L7
configuration. For further information on this option, refer to the L7 Configuration section.
With Active Cookie persistence, the cookie is valid for the session or until the persistence time
expires. For example, if using Active Cookie persistence with the persistence timeout set to 10
minutes and the client connects at 2pm, then disconnects and reconnects at 2.05pm this would
reset the persistence timeout value. If the client tries to connect to a Virtual Service after the
persistence timeout has expired, they would present the old cookie. The LoadMaster will check its
persistence table and see that it does not have a valid entry. The LoadMaster would then generate a
new cookie for the client and would update its persistence table.

Active Cookie or Source IP:

If active cookie persistence fails, it reverts to source-based persistence.

Hash All Cookies:

The Hash All Cookies method creates a hash of the values of all cookies in the HTTP stream. Cookies with
the same value are sent to the same server for each request. If the values change, then the connection is
treated as a new connection and the client is allocated to a server according to the load balancing
algorithm.

Hash All Cookies or Source IP:

Hash All Cookies or Source IP is identical to Hash All Cookies, with the additional feature that it will fall
back to Source IP persistence in the event no cookies are in the HTTP string.

Super HTTP and Source IP Address:

This is the same as super HTTP but it also appends the source IP address to the string, thus improving
the distribution of the resulting HASH.

URL Hash:

With URL Hash persistence, the LoadMaster will send requests with the same URL to the same server.

HTTP Host Header:

With HTTP Host Header persistence, the LoadMaster will send all requests that contain the same value in
the HTTP Host: header to the same server.

Hash of HTTP Query Item:

This method operates in exactly the same manner as Server Persistence, except that the named item
being inspected is a Query Item in the Query String of the URL. All queries with the same Query Item
value is sent to the same server.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 24

Web User Interface (WUI)
3 Virtual Services

Selected Header:

With Selected Header persistence, the LoadMaster will send all requests that contain the same value in
the specified header to the same server.

SSL Session ID:

Each session over SSL has its own session ID which can be persisted on.

For this option to appear as a persistence method, the Virtual Service needs to have a Service Type of
Generic and SSL acceleration must be disabled.

If a Virtual Service is an SSL service and not offloaded, the LoadMaster cannot meaningfully interact with
any of the data in the stream at Layer 7. The reason is, the data is encrypted and the LoadMaster has no
way of decrypting it.

If, in the above scenario, a persistence mode that is not based off source IP is required, this is the only
other option. When an SSL session is started, it generates a session ID for the connection. This session ID
can be used to cause the client to persist to the correct server.

There are some downsides to this however, as most modern browsers regenerate the session ID at very
short intervals, basically overwriting it, even if there is a longer interval set on the persist timeout.

UDP Session Initiation Protocol (SIP):

This persistence mode is only available in a UDP Virtual Service when Force L4 is enabled. SIP uses
request and response transactions, similar to HTTP. An initial INVITE request is sent, which contains a
number of header fields. These header fields can be used for persistence.

Timeout

For each persistence method, there is a configurable timeout value that determines how long the
persistence for each user is honored, selectable from one minute to seven days.

This timeout clock is started when the initial connection is established. The persistence timeout value is
updated if the client reconnects within the timeout period. For example, if the persistence timeout is set
to 1 hour and the client starts a connection at 2pm, if the client disconnects and then reconnects before
3pm they will still persist to the same Real Server. Also, the persistence record is updated to reflect this
and the persistence countdown timer is reset back to 1 hour for this client.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 25

Web User Interface (WUI)
3 Virtual Services

If a client made connections to the Virtual Service repeatedly within the timeout period, the persistence
would be honored indefinitely. For instance, given the following scenario:

Persistence Timeout is set to 10 minutes

A user makes several requests in the course of 20 minutes, but the time between connections is
always less than 1 minute

The request should be sent to the correct Real Server, as long as it is available (that is, passing health
checks).

If the user goes idle for 20 minutes, then the next connection is counted as a new session, and may be
sent to a different server, depending on scheduling. If the connection is opened for more than 10
minutes and the client disconnects and reconnects, the persistence record would have expired, the
LoadMaster will create a new persistence entry for that client and possibly send the client to a new Real
Server. This is due to the fact that the persistence countdown starts once a connection is established,
not at the closing of the connection.

If you are experiencing persistence issues, this may be due to the fact that the persistence timeout is not
long enough. If this is not long enough, then the timeout value should be set for a higher amount. In
general, matching this value to your server timeout value is recommended.

Header field name

When UDP Session Initiation Protocol is selected as the persistence mode is selected sin the
LoadMaster, a text box called Header field name will appear. The header field that is to be used as the
basis for the persistence information should be entered here.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 26

Web User Interface (WUI)
3 Virtual Services

Scheduling Methods

This section allows you to select the method by which the LoadMaster will select a Real Server, for this
particular service. The scheduling methods are as follows:

Round Robin:

Round Robin causes the LoadMaster to assign Real Servers to a session in order, for example the first
session connects to Real Server 1, the second to Real Server 2 and so on. There is no bias in the way the
Real Servers are assigned.

Weighted Round Robin:

This method uses the weight property of the Real Servers to determine which Real Servers get
preference. The higher the weight a Real Server has, the higher the proportion of connections it will
receive.

Least Connection:

With this method, the current Real Server with the fewest open connections is assigned to the session.

Weighted Least Connection:

As with Least Connection, but with a bias relative to the weight.

Resource Based (Adaptive):

Adaptive scheduling means that the load on the Real Servers is periodically monitored and that packets
are distributed such that load is approximately equal for all machines. More details can be found in the
section covering scheduling methods.

Resource Based (SDN Adaptive):

A Virtual Service which is using an adaptive scheduling method (whether using SDN or not) can be viewed
as a control system. The intent is to achieve an evenly distributed load over the Real Servers and the
controller calculates an error value from this (that describes the deviation from the desired even
distribution). It also calculates a set of control values (Real Server weights) that are fed back into the
system in a way to decrease the error value.

Fixed Weighting:

All traffic goes to highest weight Real Server that is available. Real Servers should be weighted at the time
they are create and no two Real Servers should have same weight, otherwise unpredictable results may
occur.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 27

Web User Interface (WUI)
3 Virtual Services

When fixed weighting is in use, the Real Server with the higher weight is indicated with a green star icon.

Weighted Response Time:

Every 15 seconds the LoadMaster measures the time it takes for a response to arrive for a health check
probe and uses this time to adjust the weights of the Real Servers accordingly, that is, a faster response
time relative to the other Real Servers leads to a higher weight which in turn leads to more traffic sent to
that server.

Source IP Hash:

Instead of using the weights or doing round robin, a hash of the source IP is generated and used to find
the correct real server. This means that the real server is always the same from the same host.
You do not need any source IP persistence.

Because this method relies solely on the client (source) IP address and ignores current server load,
using this method can lead to a particular Real Server becoming overloaded, or a general traffic
imbalance across all Real Servers.

Idle Connection Timeout (Default 660)

The seconds before an idle connection is closed. There are some special values that can be set for this
field:

Setting it to 0 will ensure that the default L7 connection timeout is used. The default Connection
Timeout value can be modified by going to System Configuration > Miscellaneous Options >
Network Options.

Setting it to 1 will discard the connection after the packet is first forwarded a response is not
expected or handled

Setting it to 2 will use a DNS type of operation. The connection is dropped after the reply message.

Setting the Idle Connection Timeout to the special values of 1 or 2 allow better performance and
memory usage for UDP connections and they correspond better to how UDP is used.

Quality of Service

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 28

Web User Interface (WUI)
3 Virtual Services

The Quality of Service drop-down sets a Differentiated Services Code Point (DSCP) in the IP header of
packets that leave the Virtual Service. This means that the next device or service that deals with the
packets will know how to treat and prioritise this traffic. Higher priority packets are sent from the
LoadMaster before lower priority packets.

The different options are described below:

Normal-Service: No special priority given to the traffic

Minimize-Cost: Used when data needs to be transferred over a link that has a lower cost

Maximize-Reliability: Used when data needs to travel to the destination over a reliable link and with
little or no retransmission

Maximize-Throughput: Used when the volume of data transferred during an interval is important,
even if the latency over the link is high

Minimize-Delay: Used when the time required (latency) for the packet to reach the destination must
be low. This option has the quickest queue of each of the Quality of Service choices.

The Quality of Service feature only works with Layer 7 traffic. It does not work with Layer 4 traffic.

Use Address for Server NAT

By default, when the LoadMaster is being used to SNAT Real Servers, the source IP address used on the
internet is that of the LoadMaster. The Use Address for Server NAT option allows the Real Servers
configured on the Virtual Service to use the Virtual Service as the source IP address instead.

This option is most useful for services such as SMTP when the LoadMaster is in a public domain and
when the service requires a reverse DNS check to see if the source address sent from the LoadMaster is
the same as the Mail Exchanger (MX) record of the sender.

If the Real Servers are configured on more than one Virtual Service that has this option set, the
IPaddress of the Virtual Service matching the destination port of the server's request is used as the
source IPaddress. If no match is found for the port being requested, the IPaddress of the LoadMaster is
used as the source IPaddress.

The Use Address for Server NAT option only works on Virtual Services which are operating on the
default gateway. This option is not supported on non-default gateway interfaces.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 29

Web User Interface (WUI)
3 Virtual Services

3.5 SSL Properties

SSL Acceleration

This checkbox appears when the criteria for SSL Acceleration have been met, and serves to activate SSL
Acceleration.

Enabled: If the Enabled check box is selected, and there is no certificate for the Virtual Service, you are
prompted to install a certificate. A certificate can be added by clicking the Manage Certificates button
and importing or adding a certificate.

Reencrypt: Selecting the Reencrypt checkbox re-encrypts the SSL data stream before sending it to the
Real Server.

Reversed: Selecting this checkbox will mean that the data from the LoadMaster to the Real Server is re-
encrypted. The input stream must not be encrypted. This is only useful in connection with a separate
Virtual Service which decrypts SSL traffic then uses this Virtual Service as a Real Service and loops data
back to it. In this way, the client to real server data path is always encrypted on the wire.

Supported Protocols

The checkboxes in the Supported Protocols section enables you to specify which protocols should be
supported by the Virtual Service. By default, TLS1.1 and TLS 1.2 are enabled and SSLv3 and TLS1.0 are
disabled.

Starting with version 7.2.37, when re-encryption is enabled, the TLS version that can be negotiated
between the LoadMaster and the Real Servers behind it are no longer constrained by the TLSversion

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 30

Web User Interface (WUI)
3 Virtual Services

settings configured on the client side. All TLS versions and ciphers that are supported on the LoadMaster
can be negotiated without restriction by Real Servers. In this way, the LoadMaster can, for example,
provide strict security for client-side application access and still support server-side connections to legacy
servers that only support specific, less secure, TLS versions and ciphers. This is illustrated in the example
below.

Require SNI hostname

If require Server Name Indication (SNI) is selected, the hostname will always be required to be sent in the
TLS client hello message.

When Require SNI hostname is disabled, the first certificate is used if a host header match is not found.

When Require SNI hostname is enabled, a certificate with a matching common name must be found,
otherwise an SSL error is yielded. Wildcard certificates are also supported with SNI.

When using a Subject Alternative Name (SAN) certificate, alternate source names are not matched
against the host header.

Wildcard certificates are supported but please note that the root domain name will not be matched as
per RFC 2459. Only anything to the left of the dot is matched. Additional certificates must be added to

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 31

Web User Interface (WUI)
3 Virtual Services

match the root domain names. For example, www.kemptechnologies.com is matched until a wildcard
of *.kemptechnologies.com. Kemptechnologies.com will not be matched.

To send SNI host information in HTTPS health checks, please enable Use HTTP/1.1 in the Real Servers
section of the relevant Virtual Service(s) and specify a host header. If this is not set, the IP address of the
Real Server is used.

Certificates

Available certificates are listed in the Available Certificates select list on the left. To assign or unassign a
certificate, select it and click the right or left arrow button. Then click Set Certificates. Multiple certificates
can be selected by holding Ctrl on your keyboard and clicking each required certificate.

Clicking the Manage Certificates button brings you to the SSL Certificates screen.

Reencryption Client Certificate

With SSL connections, the LoadMaster gets a certificate from the client and also gets a certificate from
the server. The LoadMaster transcribes the client certificate in a header and sends the data to the server.
The server still expects a certificate. This is why it is preferable to install a pre-authenticated certificate in
the LoadMaster.

Reencryption SNI Hostname

Specify the Server Name Indication (SNI) hostname that should be used when connecting to the Real
Servers.

This field is only visible when SSL re-encryption is enabled.

Cipher Set

A cipher is an algorithm for performing encryption or decryption.

Each Virtual Service (which has SSL Acceleration enabled) has a cipher set assigned to it. This can either
be one of the system-defined cipher sets or a user-customized cipher set. The system-defined cipher sets
can be selected to quickly and easily select and apply the relevant ciphers. Custom cipher sets can be
created and modified by clicking the Modify Cipher Set button.

Ciphers

The Ciphers list is read only and displays a list of the currently assigned ciphers. Clicking the Modify
Cipher Set button will bring you to the Cipher Set Management screen. This screen allows you to create
new and modify existing custom cipher sets.

Client Certificates

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 32

Web User Interface (WUI)
3 Virtual Services

No Client Certificates required: enables the LoadMaster to accept HTTPS requests from any client.
This is the recommended option.

By default the LoadMaster will accept HTTPS requests from any client. Selecting any of the other values
below will require all clients to present a valid client certificate. In addition, the LoadMaster can also pass
information about the certificate to the application.

This option should not be changed from the default of No Client Certificates required. Only change
from the default option if you are sure that all clients that access this service have valid client
certificates.

Client Certificates required: requires that all clients forwarding a HTTPS request must present a valid
client certificate.

Client Certificates and add Headers: requires that all clients forwarding a HTTPS request must
present a valid client certificate. The LoadMaster also passes information about the certificate to the
application by adding headers.

The below options send the certificate in its original raw form. The different options let you specify
the format that you want to send the certificate in:

- Client Certificates and pass DER through as SSL-CLIENT-CERT

- Client Certificates and pass DER through as X-CLIENT-CERT

- Client Certificates and pass PEM through as SSL-CLIENT-CERT

- Client Certificates and pass PEM through as X-CLIENT-CERT

Verify Client using OCSP

Verify (using Online Certificate Status Protocol (OCSP)) that the client certificate is valid.

This option is only visible when ESP is enabled.

3.6 Advanced Properties

Content Switching

Clicking the Enable button, enables rule-based Content Switching on this Virtual Service. Once enabled,
rules must be assigned to the various Real Servers. Rules can be attached to Real Server by clicking the
None button located next the Real Server. Once rules are attached to a Real Server the None button will
display the count of rules attached.

Rules Precedence

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 33

Web User Interface (WUI)
3 Virtual Services

Clicking the Rules Precedence button displays the order in which Content Switching rules are applied.
This option only appears when Content Switching and when rules are assigned to the Real Server(s).

This screen shows the Content Switching rules that are assigned to the Real Servers of the Virtual Services
and the order in which they apply. A rule may be promoted in the order of precedence by clicking its
corresponding Promote button.

HTTP Selection Rules

Show the selection rules that are associated with the Virtual Service.

HTTP Header Modifications

Clicking Show Header Rules displays the order in which Header Modification rules are implemented. The
number of rules (of both request and response type) is displayed on the actual button.

From within the screen you can Add and Delete Header Modification rules. The order in which the rules
are applied can be changed by clicking the Promote buttons.

Enable Caching

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 34

Web User Interface (WUI)
3 Virtual Services

This option enables caching of static content. This saves valuable Real Server processing power and
bandwidth. Caching can be enabled per HTTP and offloaded HTTPS Virtual Services.

Types of file that can be cached may be defined in AFE configuration under the Systems Configuration
> Miscellaneous Options menu.

Maximum Cache Usage

This option limits the size of the cache memory per Virtual Service. For example, two Virtual Services,
each running with a limit of 50% will use 100% of the cache store. The default is No Limit. It is
recommended to limit the cache size to prevent unequal use of the cache store. Ensure that the cache
maximum usage is adjusted so that each Virtual Service has a percentage of cache to use. If there is not
remaining space to be allocated for a cache enabled Virtual Service, that service will not cache content.

Enable Compression

Files sent from LoadMaster are compressed with Gzip.

If compression is enabled without caching, LoadMaster performance may suffer. When compression
and caching are both enabled on a Virtual Service, compression will only be applied to the cached entry
(if the entry would be cached). The first request is not compressed; it is used to fill the cache. The
system can either fill the cache or compress the request it cannot do both at the same time.

The types of file that can be compressed may be defined in AFE configuration in the Systems
Configuration > Miscellaneous section of the LoadMaster WUI.

Compression is not recommended for files 100MB or greater in size.

More RAM may need to be added to Virtual LoadMasters using the hypervisor in order to compress
large files.

Detect Malicious Requests

The Intrusion Prevention System (IPS) service will provide in-line protection of Real Server(s) by providing
real-time mitigation of attacks and isolation of Real Server(s). Intrusion prevention is based on the
industry standard SNORT database and provides real-time intrusion alerting.

To get updated or customized rules, please refer to the SNORT website: https://www.snort.org/.

Selecting the Detect Malicious Requests check box enables the IPS per HTTP and offloaded HTTPS Virtual
Services. There are two options for handling of requests that match a SNORT rule. Drop Connection,
where a rule match will generate no HTTP response, or Send Reject, where a rule match will generate a
response to the client of HTTP 400 Invalid Request. Both options prevent the request from reaching
the Real Server(s).

Enable Multiple Connect

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 35

Web User Interface (WUI)
3 Virtual Services

Enabling this option permits the LoadMaster to manage connection handling between the LoadMaster
and the Real Servers. Requests from multiple clients are sent over the same TCP connection.

Multiplexing only works for simple HTTP GET operations. The Enable Multiple Connect check box will
not be available in certain situations, for example if WAF, ESP or SSL Acceleration is enabled.

Port Following

Port following enables a switch from an HTTP connection to an HTTPS (SSL) connection to be persistent
on the same Real Server. Port following is possible between UDP and TCP connections.

To switch on port following, the following must be true:

The Virtual Service where port following is being switched on must be an HTTPS service

There must be a HTTP service

Both of these Virtual Services must the same Layer 7 persistence mode selected, that is, Super HTTP
or Source IP Address persistence

Port following is not available on SubVSs.

For further information, refer to the Port Following, Feature Description.

Add Header to Request

Input the key and the value for the extra header that is to be inserted into every request sent to the Real
Servers.

Click the Set Header button to implement the functionality.

Copy Header in Request

This is the name of the source header field to copy into the new header field before the request is sent to
the Real Servers. Enter the name of the header field into which the source header is to be copied in the
To Header text box.

Add HTTP Headers

The Add HTTP Headers drop-down list is only available when SSL offloading (SSL Acceleration) is
enabled.

This option allows you to select which headers are to be added to the HTTP stream. The options available
include:

- Legacy Operation(X-ClientSide)

- None

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 36

Web User Interface (WUI)
3 Virtual Services

- X-Forwarded-For (+ Via)X-Forwarded-For (No Via)

- X-ClientSide (+ Via)

- X-ClientSide (No Via)

- Via Only

In the Legacy operation, if the system is in HTTP kernel mode, then a header is added. Otherwise nothing
is done. For the other operation methods, then the system is forced into HTTP kernel mode and the
specified operation is performed.

Sorry Server

Enter the IP Address and Port number in the applicable fields. If no Real Servers are available, the
LoadMaster will redirect to a specified location, with no checking. The IP address of a Sorry Server must
be on a network or subnet that is defined on the LoadMaster.

When using a Layer 4 Virtual Service, the Sorry Server should be on the same subnet as the Real Server.

When using a Layer 7 Virtual Service, the Sorry Server can be on any local network. It is also possible to
add a non-local sorry server. For this, Transparency must be disabled, there must be a route to the
Sorry Server and the Enable Non-Local Real Servers option must be enabled (System Configuration >
Miscellaneous Options > Network Options).

Sorry Server functionality does not work with SSL reencryption.

Not Available Redirection Handling

When no Real Servers are available to handle the request you can define the error code and URL that the
client should receive.

Error Code: If no Real Servers are available, the LoadMaster can terminate the connection with a
HTTP error code. Select the appropriate error code.

Redirect URL: When there are no Real Servers available and an error response is to be sent back to
the client, a redirect URL can also be specified. If the string entered in this text box does not include
http:// or https:// the string is treated as being relative to the current location, so the hostname is
added to the string in the redirect. This field also supports the use of wildcards such as %h and %s
which represent the requested hostname and Uniform Resource Identifier (URI) respectively.

Error Message: When no Real Servers are available and an error response is to be sent back to the
client, the specified error message is added to the response.

For security reasons, the returned HTML page only returns the text Document has moved. No request-
supplied information is returned.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 37

Web User Interface (WUI)
3 Virtual Services

Error File: When no Real Servers are available and an error response is to be sent back to the client,
the specified file is added to the response. This enables simple error HTML pages to be sent in
response to the specified error.

The maximum size of this error page is 16KB.

Not Available Server/Port

In a UDP Virtual Service there is an option to specify a Not Available Server and Port. When there are no
Real Servers available to handle the request this option defines the URL that the client will receive.

The value of the Not Available Server can only be changed for UDP if the service is not currently using
the Not Available Server.

Add a Port 80 Redirector VS

If no port 80 Virtual Service is configured, one can be created. It will then redirect the client to the URL
specified in the Redirection URL: field.

Click the Add HTTP Redirector button to implement the redirector.

When the Add HTTP Redirector button is clicked, a redirect Virtual Service is created and this WUI
option disappears from the relevant Virtual Service.

Default Gateway

Specify the Virtual Service-specific gateway to be used to send responses back to the clients. If this is not
set, the global default gateway is used.

Click the Set Default Gateway button to implement the default gateway. The Default Gateway for a
Virtual Service is only used for that Virtual Service.

If the global Use Default Route Only option is set in System Configuration > Miscellaneous Options >
Network Options, traffic from Virtual Services that have the Default Gateway set is only routed to the
interface where the Virtual Services default route is located. This can allow the LoadMaster to be
directly connected to client networks without returning traffic directly using the adjacent interface.

Alternate Source Addresses

If no list is specified, the LoadMaster will use the IP address of the Virtual Service as its local address.
Specifying a list of addresses ensures the LoadMaster will use these addresses instead.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 38

Web User Interface (WUI)
3 Virtual Services

Click the Set Alternate Source Addresses button to implement the Alternate Source Addresses.

This option is only available if the Allow connection scaling over 64K Connections option is enabled in
the L7 Configuration screen.

Service Specific Access Control

Allows you to change the Virtual Service-specific Access Control lists.

If you implement the Access Control Lists option, the Extra Ports option will not work correctly.

3.7 Web Application Firewall (WAF) Options

The Web Application Firewall (WAF) feature must be enabled before you can configure these options.

To enable WAF, select the Enabled check box. A message is displayed next to the Enabled check box
displaying how many WAF-enabled Virtual Services exist and it will also display the maximum number of
WAF-enabled Virtual Services that can exist. If the maximum number of WAF-enabled Virtual Services
have been reached, the Enabled check box is greyed out.

Utilizing WAF can have a significant performance impact on your LoadMaster deployment. Please
ensure that the appropriate resources are allocated.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 39

Web User Interface (WUI)
3 Virtual Services

For virtual and bare metal LoadMaster instances, a minimum of 2GB of allocated RAM is required for
operation of WAF. The default memory allocation for Virtual LoadMasters and LoadMaster Bare Metal
instances prior to LoadMaster Operating System version 7.1-22 is 1GB of RAM. If this default allocation
has not been changed please modify the memory settings before attempting to proceed with WAF
configuration.

Default Operation

Select the default operation of the WAF:

Audit Only: This is an audit-only mode logs are created but requests and responses are not
blocked.

Block Mode: Either requests or responses are blocked.

Audit mode

Select what logs to record:

No Audit: No data is logged.

Audit Relevant: Logs data which is of a warning level and higher. This is the default option for this
setting.

Audit All: Logs all data through the Virtual Service.

Selecting the Audit All option produces a large amount of log data. KEMP does not recommend
selecting the Audit All option for normal operation. However, the Audit All option can be useful when
troubleshooting a specific problem.

Inspect HTML POST Request Content

Enable this option to also process the data supplied in POST requests.

Two additional options (Disable JSON Parser and Disable XML Parser) only become available if Inspect
HTML Post Request Content is enabled.

Disable JSON Parser

Disable processing of JavaScript Object Notation (JSON) requests.

Disable XML Parser

Disable processing of XML requests.

Process Responses

Enable this option to verify responses sent from the Real Servers.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 40

Web User Interface (WUI)
3 Virtual Services

This can be CPU and memory intensive.

If a Real Server is gzip encoding, WAF will not check that traffic, even if Process Responses is enabled.

Hourly Alert Notification Threshold

This is the threshold of incidents per hour before sending an alert. Setting this to 0 disables alerting. This
threshold also relates to the Events over Limit Today number which is displayed on the WUI home page.
For example, if the threshold is set to 10 and there has been 20 events, the counter is set to 2.

Rules

This is where you can assign/un-assign generic, application-specific, application-generic and custom rules
to/from the Virtual Service.

You cannot assign application-specific and application-generic rules to the same Virtual Service.

Individual rules within each ruleset can be enabled/disabled as required. To enable a ruleset, tick the
relevant check box. If you have not enabled/disabled rules in that ruleset previously, all rules are enabled
by default in the right box. If you have previously enabled/disabled rules in that ruleset, within that
Virtual Service the rules will retain their previous settings.

You can enable/disable individual rules as needed by ticking the relevant ruleset on the left and
ticking/unticking the rules on the right.

Some rules or rule sets may have dependencies on other rules. There is no dependency check in the
LoadMaster when rules are disabled - before disabling any rule, please be aware of any rule chains or
dependencies.

When finished making changes, click the Apply button.

Clicking the Clear All button will disable all rules for the selected ruleset.

Clicking the Set All button will enable all rules for the selected ruleset.

Text can be entered in the Rule Filter text box in order to filter the rules to only show rules which contain
the filter text.

Clicking Reset will disable all rulesets and rules.

3.8 Edge Security Pack (ESP) Options

The ESP feature must be enabled before you can configure these options. To enable the ESP function,
please select the Enable ESP check box.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 41

Web User Interface (WUI)
3 Virtual Services

The full ESP Options screen will appear.

The ESP feature can only be enabled if the Virtual Service is a HTTP, HTTPS or SMTP Virtual Service

Enable ESP

Enable or disable the ESP feature set by selecting or removing the checkmark from the Enable ESP
checkbox.

ESP Logging

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 42

Web User Interface (WUI)
3 Virtual Services

There are three types of logs stored in relation to the ESP feature. Each of these logs can be enabled or
disabled by selecting or deselecting the relevant checkbox. The types of log include:

User Access: logs recording all user logins

Security: logs recording all security alerts

Connection: logs recording each connection

Logs are persistent and can be accessed after a reboot of the LoadMaster. For further information on
logs please refer to the Extended Log Files section.

Client Authentication Mode

Specifies how clients attempting to connect to the LoadMaster are authenticated. The following types of
methods are available:

Delegate to Server: the authentication is delegated to the server

Basic Authentication: standard Basic Authentication is used

Form Based: clients must enter their user details within a form to be authenticated on the
LoadMaster

Client Certificate: clients must present the certificate which is verified against the issuing authority

NTLM: NTLM credentials are based on data obtained during the interactive logon process and
consist of a domain name and a user name

The remaining fields in the ESP Options section will change based on the Client Authentication Mode
selected.

SSO Domain

Select the Single Sign-On (SSO) Domain within which the Virtual Service is included.

Please refer to the Manage SSO Domains section for further information on configuring SSO Domains.
An SSO Domain must be configured in order to correctly configure the ESP feature.

Only SSO domains with the Configuration type of Inbound Configuration are shown as options in this
SSO Domain field.

Alternative SSO Domains

Many organizations use extranets to share information with customers and partners. It is likely that
extranet portals will have users from two or more Active Directory domains. Rather than authenticating
users from individual domains one at a time, assigning Alternative SSO Domains gives the ability to
simultaneously authenticate users from two or more domains using one Virtual Service.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 43

Web User Interface (WUI)
3 Virtual Services

This option appears only when more than one domain has been configured and when the
Authentication Protocol for the SSO domains are set to LDAP.

Please refer to the Manage SSO Domains section for further information on configuring SSO Domains.

Before configuring the ESP Options to use Alternative SSO Domains ensure that, in the SSL Properties
section, the Enabled and Reencrypt tick boxes are selected.

The domain name which appears in the SSO Domain drop-down list is the default domain. This is also
the domain which is used if only one is configured.

Previously configured alternative domains appear in the Available Domain(s) list.

To assign alternative SSO Domains:

1. Highlight each of the domains you wish to assign and click the > button.

An assigned domain is a domain which can be authenticated using a particular Virtual Service.

All domains which appear as available may be assigned to a Virtual Service.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 44

Web User Interface (WUI)
3 Virtual Services

2. Click the Set Alternative SSO Domains button to confirm the updated list of Assigned Domain
(s).

3. Choose Basic Authentication from the Server Authentication Mode drop-down list.

When logging in to a domain using the ESP form, users should enter the name of the SSO Domain if an
alternative domain needs to be accessed. If no domain name is entered in the username, users are, by
default, logged on the domain entered in the default SSO Domain drop-down list.

To view the status of the Virtual Services, click Virtual Services and View/Modify Services in the main
menu.

A list of the Virtual Services displays showing the current status of each service.

If alternative domains are assigned and there is an issue with a particular domain, the affected domain
name is indicated in the Status column.

Allowed Virtual Hosts

The Virtual Service will only be allowed access to specified virtual hosts. Any virtual hosts that are not
specified are blocked.

Enter the virtual host name(s) in the Allowed Virtual Hosts field and click the Set Allowed Virtual Hosts
button to specify the allowed virtual hosts.

Multiple domains may be specified within the field allowing many domains to be associated with the
Single Sign On Domain.

The use of regular expressions is allowed within this field.

If this field is left blank, the Virtual Service is blocked.

Allowed Virtual Directories

The Virtual Service will only be allowed access to the specified virtual directories, within the allowed
virtual hosts. Any virtual directories that are not specified are blocked.

Enter the virtual directory name(s) in the Allowed Virtual Directories field and click the Set Allowed
Virtual Directories button to specify the allowed virtual directories.

The use of regular expressions is allowed within this field.

Pre-Authorization Excluded Directories

Any virtual directories specified within this field will not be pre-authorized on this Virtual Service and are
passed directly to the relevant Real Servers.

Permitted Groups

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 45

Web User Interface (WUI)
3 Virtual Services

Specify the groups that are allowed to access this Virtual Service. When set, if a user logs in to a service
published by this Virtual Service, the user must be a member of at least one of the groups specified. Up
to 10 groups are supported per Virtual Service. Performance may be impacted if a large number of
groups are entered. Groups entered in this field are validated using an LDAP query.

Some guidelines about this field are as follows:

The group(s) specified must be valid groups on the Active Directory in the SSO domain associated
with the Virtual Service. The SSO domain in the LoadMaster must be set to the directory for the
groups. For example, if the SSO domain in the LoadMaster is set to webmail.example and webmail is
not the directory for the groups, it will not work. Instead, the SSO domain may need to be set to
.example.com.

The group(s) listed must be separated by a semi-colon

A space-separated list does not work because most groups contain a space in the name, for example IT
Users.

Do not use the Domain Users group because it is a default primary group for new users.

The following characters are not allowed in permitted group names:

/:+*

The authentication protocol of the SSO domain must be LDAP

The groups should be specified by name, not by full distinguished name

Permitted Group SID(s)

This field is the equivalent of the Permitted Groups field. If specifying permitted groups, you can
complete either the Permitted Groups field or the Permitted Groups SID(s) field (security identifiers).

In the Permitted Group SID(s) field you can specify the group SIDs that are allowed to access this Virtual
Service. Each group must be separated by a semicolon. After you type the groups, click Set Permitted
Group SIDs.

Include Nested Groups

This field relates to the Permitted Groups setting. Enable this option to include nested groups in the
authentication attempt. If this option is disabled, only users in the top-level group are granted access. If
this option is enabled, users in both the top-level and first sub-level group are granted access.

SSO Image Set

This option is only available if Form Based is selected as the Client Authentication Mode. You can
choose which form to use to gather the Username and Password. There are three form options,

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 46

Web User Interface (WUI)
3 Virtual Services

Exchange, Blank and Dual Factor Authentication. There are also options to display the form and error
messages in other languages.

Exchange Form

The Exchange Form contains the KEMP Logo

Blank Form

The Blank Form does not contain the large KEMP logo.

Dual Factor Authentication

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 47

Web User Interface (WUI)
3 Virtual Services

The Dual Factor Authentication form contains four fields - two for the remote credentials and two for
the internal credentials.

Remote Credentials are credentials that are used to authenticate against remote authentication servers
such as RADIUS, before allowing the user to authenticate against Domain Servers such as Active Directory
servers.

Internal Credentials are credentials that are used to authenticate against the internal domain servers
such as Active Directory Servers.

If the Authentication Protocol of the relevant SSO Domain is set to RADIUS and LDAP, the SSO Image
Set must be set to Dual Factor Authentication.

SSO Greeting Message

This option is only available if Form Based is selected as the Client Authentication Mode. The login
forms can be further customized by adding text. Enter the text that you would like to appear on the form
within the SSO Greeting Message field and click Set SSO Greeting Message. The message can have up to
255 characters.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 48

Web User Interface (WUI)
3 Virtual Services

The SSO Greeting Message field accepts HTML code, so you can insert an image if required.

There are several characters that are not supported. These are the grave accent character (` ) and the
single quote ('). If a grave accent character is used in the SSO Greeting Message, the character will not
display in the output, for example a`b`c becomes abc. If a single quote is used, users will not be able to
log in.

Logoff String

This option is only available if Form Based is selected as the Client Authentication Mode. Normally this
field should be left blank. For OWA Virtual Services, the Logoff String should be set to /owa/logoff.owa

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 49

Web User Interface (WUI)
3 Virtual Services

or in customized environments, the modified Logoff String needs to be specified in this text box.
Multiple logoff strings can be entered by using a space-separated list.

If the URL to be matched contains sub-directories before the specified string, the logoff string will not be
matched. Therefore the LoadMaster will not log the user off.

Display Public/Private Option

Enabling this check box will display a public/private option on the ESP log in page. Based on the option
the user selected on the login form, the Session timeout value is set to the value specified for either
public or private in the Manage SSO Domain screen. If the user selects the private option their username
is stored for that session. Refer to the Manage SSO Domains section for more information about these
fields.

Disable Password Form

Enabling this option removes the password field from the login page. This may be needed when
password validation is not required, for example if using RSA SecurID authentication in a singular fashion.
By default, this option is disabled.

Use Session or Permanent Cookies

Three options are available to select for this field:

Session Cookies Only: This is the default and most secure option

Permanent Cookies only on Private Computers: Sends session cookies on public computers

Permanent Cookies Always: Sends permanent cookies in all situations

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 50

Web User Interface (WUI)
3 Virtual Services

Specify if the LoadMaster should send session or permanent cookies to the users browser when logging
in.

Permanent cookies should only be used when using single sign on with services that have sessions
spanning multiple applications, such as SharePoint.

User Password Change URL

This is relevant when using form-based or LDAP authentication. Specify the URL that users can use to
change their password, for example
https://mail.kempqakcd.net/owa/auth/expiredpassword.aspx?url=/owa/auth.owa

If a users password has expired, or if they must reset their password, this URL and the User Password
Change Dialog Message is displayed on the login form.

This URL must be put into the exception list for authentication, if required.

User Password Change Dialog Message

This text box is only visible if something is set for the User Password Change URL text box. Specify the
text to be displayed on the login form when the user must reset their password.

Server Authentication Mode

This field is only updatable when the Client Authentication Mode is set to Form Based.

Specifies how the LoadMaster is authenticated by the Real Servers. There are three types of methods
available:

None: no client authentication is required

Basic Authentication: standard Basic Authentication is used

KCD: KCD authentication is used

Form Based: The Server Authentication Mode can be set to Form Based if the Client
Authentication Mode is set to Form Based. If Form Based is selected as the Server Authentication
Mode, two other fields called Form Authentication Path and Form POST Format appear. The
username and password from the client-side, form-based authentication gets injected into the form
POST format to build the POST body.
This feature is predominantly used in Microsoft Exchange deployments. Therefore, the following
strings do not need to be explicitly configured for Exchange. They are used by default in the
implementation:

- Form Authentication Path: /owa/auth.owa

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 51

Web User Interface (WUI)
3 Virtual Services

- Form POST Format:

destination=%s#authRedirect=true&flags=4&forcedownlevel=0&username=%s&pass
word=%s&passwordText=&isUtf8=1

If the deployment is not Exchange, KEMPrecommends that the settings are evaluated based on the
required interaction with the Real Server and subsequently set appropriately.

If Delegate to Server is selected as the Client Authentication Mode, then None is automatically selected
as the Server Authentication mode. Similarly, if Basic Authentication is selected as the Client
Authentication Mode, then Basic Authentication is automatically selected as the Server Authentication
mode.

Server Side configuration

This option is only visible when the Server Authentication mode value is set to KCD.

Select the SSO domain for the server side configuration. Only SSO domains which have the
Configuration type set to Outbound Configuration are shown here.

3.8.1 SMTP Virtual Services and ESP

If you create an SMTP Virtual Service (with 25 as the port), the ESP feature is available when you select
the Enable ESP checkbox but with a reduced set of options.

Enable ESP

Enable or disable the ESP feature set by selecting or deselecting the Enable ESP checkbox.

Connection Logging

Logging of connections can be enabled or disabled by selecting or deselecting the Connection Logging
checkbox.

Permitted Domains

All the permitted domains that are allowed to be received by this Virtual Service must be specified here.
For example, if you wish the Virtual Service to receive SMTP traffic from [email protected], then the
kemp.com domain must be specified in this field.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 52

Web User Interface (WUI)
3 Virtual Services

3.9 Sub Virtual Services

From within a Virtual Service you can create one or more Sub Virtual Services (SubVS). A SubVS is linked
to, and uses the IP address of, the parent Virtual Service. The SubVSs may have different settings (such
as health check methods and content rules) to the parent Virtual Service and to each other. This allows
the grouping of related Virtual Services, all using the same IP address. This could be useful for certain
configurations such as Exchange or Lync which typically are comprised of a number of Virtual Services.

Users with the Virtual Services permission can add a SubVS.

Users with the Real Server permission cannot add a SubVS.

To create a SubVS, within a Virtual Service configuration screen, expand the Real Servers section and click
the Add SubVS button.

A message appears stating that the SubVS has been created.

You cannot have Real Servers and SubVSs associated with the same Virtual Service. You can however,
associate a Real Server with a SubVS.

When the SubVS is created, the Real Servers section of the Virtual Services configuration screen is
replaced with a SubVSs section.

All the SubVSs for the Virtual Service are listed here. The Critical check box can be enabled to indicate
that the SubVS is required in order for the Virtual Service to be considered available. If a non-critical
SubVS is down, the Virtual Service is reported as up and a warning is logged. If a critical SubVS is down, a
critical log is generated and the Virtual Service is marked as down. If the email options are configured, an

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 53

Web User Interface (WUI)
3 Virtual Services

email is sent to the relevant recipients. For further information on the email options, refer to the Email
Options section. In all cases, if the Virtual Service is considered to be down and the Virtual Service has a
sorry server or an error message configured, these are used.

To modify the SubVS, click the relevant Modify button. A configuration screen for the SubVS appears.
This contains a subset of the configuration options available for a normal Virtual Service.

The SubVSs can also be modified by clicking the relevant Modify button from within the main Virtual
Services view. A Virtual Service with SubVSs is colored differently within the Virtual IP address section and
the SubVSs are listed in the Real Server section. The SubVS details can be viewed by clicking the parent
Virtual Service to expand the view to include the SubVSs.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 54

Web User Interface (WUI)
3 Virtual Services

If you would like to remove a Virtual Service which contains SubVSs, you must remove the SubVSs first
before you are able to delete the main service.

SubVSs may have different ESP configurations than their parent Virtual Service, however care must be
taken to ensure that the parent Virtual Service and SubVS ESP options do not conflict.

3.10 View/Modify (Remote Terminal Service)

This section is not relevant to the LoadMaster Exchange product.

Properties of the Virtual Service include the Generic Type and also provide Remote Terminal specific
options.

Persistence

If the terminal servers support a Session Directory, the LoadMaster will use the "routing " supplied by
the Session Directory to determine the correct host to connect to. The LoadMaster persistency timeout
value is irrelevant here - it is a feature of the Session Directory.

The switch "IP address redirection" in the Session Directory configuration must not be selected in order
for this to work.

Using Session Directory with LoadMaster is optional, in terms of persistence. If the client pre-populates
the username and password fields in the initial request, then this value is stored on the LoadMaster. As
long as these fields are still populated upon reconnect, the LoadMaster will look up the name and
reconnect to the same server as the original connection. The persistence timeout is used to limit the time
the information is kept on the LoadMaster.

If using Terminal-Service or Source IP mode, then if neither of these two modes succeeds, then the
source IP address is used for persistency.

Service Check for the Virtual Service

Only three options are available; ICMP, TCP and RDP. Remote Terminal Protocol (RDP) opens a TCP
connection to the Real Server on the Service port (port 3389). The LoadMaster sends an a1110 Code
(Connection Request) to the server. If the server sends an a1101 Code (Connection Confirm) then
LoadMaster closes the connection and marks the server as active. If the server fails to respond within
the configured response time for the configured number of times, or if it responds with a different status
code, it is assumed dead.

3.11 Real Servers

This section allows you to create a Real Server and lists the Real Servers that are assigned to the Virtual
Service. The properties of the Real Servers are summarized and there is also the opportunity to add or

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 55

Web User Interface (WUI)
3 Virtual Services

delete a Real Server, or modify the properties of a Real Server. When Content Switching is enabled, there
is also the opportunity to add rules to, or remove rules from, the Real Server (see Add Rule).

Real Server Check Method

This provides a list of health checks for well-known services, as well as lower level checks for TCP/UDP or
ICMP. With the service health checks, the Real Servers are checked for the availability of the selected
service. With TCP/UDP the check is simply a connect attempt.

The tables below describe the options that may be used to verify Real Server health. You may also specify
a health check port on the Real Server. If none are specified here, it will default to the Real Server port.

When the HTTP/HTTPS, Generic and STARTTLS protocols Service Types are selected, the following health
check options are available.

Method Action
ICMP
An ICMP ping is sent to the Real Server
Ping
HTTP HTTP checking is enabled
HTTPS HTTPS (SSL) checking is enabled
TCP A basic TCP connection is checked
Mail The SMTP (Simple Mail Transfer Protocol) is used
NNTP The NNTP (Network News Transfer Protocol) is used
FTP The FTP (File Transfer Protocol) is used
Telnet The Telnet protocol is used
POP3 The POP3 (Post Office Protocol mail client protocol) is used
IMAP The IMAP (Internet Message Access Protocol mail client protocol) is used
Name
Service
The Name Service Protocol is used
(DNS)
Protocol

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 56

Web User Interface (WUI)
3 Virtual Services

Binary Specify a hexadecimal string to send and specify a hexadecimal string to check for in the
Data response
Select an LDAP endpoint to use for the health checks. If LDAP is selected as the health check
protocol, the server IP address (or addresses) and ports from the LDAP endpoint
LDAP
configuration is used instead of the Real Server IP address and port. For further information
on LDAP endpoints, refer to the LDAP Configuration section.
None No checking performed

When the Remote Terminal Service Type is selected the following health check options are available.

Method Action
ICMP Ping An ICMP ping is sent to the Real Server
TCP A basic TCP connection is checked
An RDP Routing Token is passed to the Real Server.
Remote Terminal Protocol
This health check supports Network-Level Authentication.
None No checking performed

For a UDP virtual service, only the ICMP Ping and Name Service (DNS) Protocol options are available
for use

Enhanced Options

Enabling the Enhanced Options check box provides an additional health check option Minimum
number of RS required for VS to be considered up. If the Enhanced Options check box is disabled (the
default), the Virtual Service is considered available if at least one Real Server is available. If the Enhanced
Options check box is enabled, you can specify the minimum number of Real Servers that must be
available in order to consider the Virtual Service to be available.

Minimum number of RS required for VS to be considered up

This option will only appear if the Enhanced Options check box is enabled and if there is more than one
Real Server.

Select the minimum number of Real Servers required to be available for the Virtual Service to be
considered up.

If less than the minimum number of Real Servers is available, a critical log is generated. If some Real
Servers are down but it has not reached the minimum amount specified, a warning is logged. If the email

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 57

Web User Interface (WUI)
3 Virtual Services

options are configured, an email is sent to the relevant recipients. For further information on the email
options, refer to the Email Options section.

Note that the system marks a Virtual Service as down whenever a Real Server that is marked as Critical
becomes unavailable even if Enhanced Options are enabled and there are more than the specified
minimum number of Real Servers still available.

In all cases, if the Virtual Service is considered to be down and the Virtual Service has a sorry server or an
error message configured, these are used.

If the minimum number is set to the total number of Real Servers and one of the Real Servers is deleted,
the minimum will automatically reduce by one.

When using content rules in a SubVS, the minimum number of Real Servers required has a slightly
different meaning. A rule is said to be available and can be matched if and only if the number of available
Real Servers with that rule assigned to them is greater than the limit. If the number of available Real
Servers is below this limit, the rule can never be matched - the SubVS is marked as down and this is
logged appropriately.

If a Real Server on a SubVS is marked as critical the SubVS is marked as down if that Real Server is down.
However, the parent Virtual Service will not be marked down unless that SubVS is marked as critical.

3.11.1 HTTP or HTTPS Protocol Health Checking

When either the HTTP Protocol or HTTPS Protocol options are selected a number of extra options are
available as described below.

The post data option only appears if the POST HTTP Method is selected.

The Reply 200 Pattern option only appears if either the POST or GET HTTP Method is selected

URL

By default, the health checker tries to access the URL to determine if the machine is available. A different
URL can be specified here.

Status Codes

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 58

Web User Interface (WUI)
3 Virtual Services

Health check status codes can be set to override default functionality. Without any Status Codes set, the
following HTTP status codes are considered to be Up:

200-299

301

302

401

Additionally, 2xx status codes are subject to pattern matching the response data, if this is configured.
Other codes are considered up without pattern matching, even if it is set.

If custom health check codes are set:

Check codes may be set to a list of numbers, each from 300-599

Check codes may be up to 127 characters long, which means 32 valid codes

Any code in the list is considered to have a health check status of Up

Configured codes override the default set

- 2xx codes are always considered up in all cases and are subject to pattern matching,
if configured

- Check codes may be official HTTP status codes, unofficial codes or custom-defined
user codes as long as they fall in the range of 300-599

- For a list of official HTTP status codes, refer to:

https://en.wikipedia.org/wiki/List_of_HTTP_status_codes

- For a list of unofficial codes, refer to:

https://en.wikipedia.org/wiki/List_of_HTTP_status_codes#Unofficial_codes

- Microsoft sub-codes using decimals can be supported, but only by the top-level
status code

- For a list of Microsoft sub-codes using decimals, refer to:

https://support.microsoft.com/en-us/kb/943891

- Sub-codes may not be configured in the Status Codes field please

use the three digit code

- Sub-codes are grouped by the top-level code

Use HTTP/1.1

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 59

Web User Interface (WUI)
3 Virtual Services

By default, the LoadMaster uses HTTP/1.0. However you may opt to use HTTP/1.1 which will operate
more efficiently. When using HTTP/1.1, the health checks are multiplexed to a single connection. This
means that more health checks are sent to the server in a single connection which is more efficient from
a connection point of view, that is, there is only one connection rather than multiple connections

HTTP/1.1 Host

This field will only be visible if Use HTTP/1.1 is selected.

When using HTTP/1.1 checking, the Real Servers require a hostname to be supplied in each request. If no
value is set, then this value is the IP address of the Virtual Service.

To send SNI host information in HTTPS health checks, please enable Use HTTP/1.1 in the Real Servers
section of the relevant Virtual Service(s) and specify a host header. If this is not set, the IP address of the
Real Server is used.

HTTP Method

When accessing the health check URL, the system can use either the HEAD, GET or POST method.

Post Data

This field will only be available if the HTTP Method is set to POST. When using the POST method, up to
2047 characters of POST data can be passed to the server.

Reply 200 Pattern

When using the GET or the POST method, the contents of the returned response message can be
checked. If the response contains the string specified by this Regular Expression, then the machine is
determined to be up. The response will have all HTML formatting information removed before the match
is performed. Only the first 4K of response data can be matched.

The LoadMaster will only check for this phrase if the reply from the server is a 200 code. If the reply is
something else, the page is marked as down without checking for the phrase. However, if the reply is a
redirect (code 302), the page is not marked as down. This is because the LoadMaster assumes that the
phrase will not be present and also it cannot take the service down, as the redirect would then become
useless.

If the pattern starts with a carat ^ symbol, it inverts the pattern response.

Both Regular Expressions and Perl Compatible Regular Expressions (PCRE) can be used to specify strings.
For further information on Regular Expressions and PCRE, please refer to the Content Rules, Feature
Description document.

Custom Headers

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 60

Web User Interface (WUI)
3 Virtual Services

Here you can specify up to 4 additional headers/fields which are sent with each health check request.
Clicking the Show Headers button will show the entry fields. The first field is where you define the key for
the custom header that is to be part of the health check request. The second field is the value of the
custom header that is to be sent as part of the health check request. Once the information is input, click
the Set Header button. Each of the headers can be up to a maximum of 20 characters long and the fields
can be up to a maximum of 100 characters long. However, the maximum allowed number of characters in
total for the 4 header/fields is 256.

The following special characters are allowed in the Custom Headers fields:

; . () / + = - _

If a user has specified HTTP/1.1, the Host field is sent as before to the Real Server. This can be overridden
by specifying a Host entry in the additional headers section. The User-Agent can also be overridden in
the same manner. If a Real Server is using adaptive scheduling, the additional headers which are
specified in the health check are also sent when getting the adaptive information.

It is possible to perform a health check using an authenticated user: enable Use HTTP/1.1, select HEAD as
the HTTP Method and enter the Authorization header with the correctly constructed value. The
Authorization field is constructed as follows:

1. The username and password are combined into a string username:password.

2. The resulting string is then encoded using the RFC2045-MIME variant of Base64, except not
limited to 76 char/line.

3. The authorization method and a space, for example, Basic is then put before the encoded
string.

For example, if the user agent uses 'Aladdin' as the username and 'open sesame' as the password then
the field is formed as follows:

Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

To send SNI host information in HTTPS health checks, please enable Use HTTP/1.1 in the Real Servers
section of the relevant Virtual Service(s) and specify a host header. If this is not set, the IP address of the
Real Server is used.

Rules

If any of the Real Servers have Content Switching rules assigned to them the Rules column appears in the
Real Servers section. A button with the number of rules assigned to each of the Real Server (or with None
if there are no rules assigned) is displayed in the Rules column.

Clicking the button within the Rules column opens the Rules Management screen.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 61

Web User Interface (WUI)
3 Virtual Services

From within this screen you can Add or Delete the rules assigned to a Real Server.

3.11.2 Binary Data Health Checking

When Binary Data is selected as the health check method, some other fields are available, as described
below.

Data to Send

Specify a hexadecimal string to send to the Real Server.

This hexadecimal string must contain an even number of characters.

Reply Pattern

Specify the hexadecimal string which is searched for in the response sent back from the Real Server. If the
LoadMaster finds this pattern in the response, the Real Server is considered up. If the string is not found,
the Real Server is marked as down.

This hexadecimal string must contain an even number of characters.

Find Match Within

When a response is returned, the LoadMaster will search for the Reply Pattern in the response. The
LoadMaster will search up to the number of bytes specified in this field for a match.

Setting this to 0 means that the search is not limited. Data is read from the Real Server until a match is
found. A maximum of 8 KB is read from the Real Server.

Setting the value to less than the length of the reply string means that the check will act as if the value
has been set to 0, that is, all packets (up to 8 KB) are searched.

3.11.3 Name Server (DNS) Protocol Health Checking

Name Server (DNS) Protocol health checking is only available when using a UDP Virtual Service.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 62

Web User Interface (WUI)
3 Virtual Services

Checked Port

The port to be checked. If there is no port specified, the Real Server port is used.

DNS query

Specify the query string to be requested from the name server. This field has a maximum length of 126
characters.

3.11.4 Add a Real Server

Clicking the Add New button brings you to the following screen where the properties of the Real Server
are set.

Allow Remote Addresses: By default only Real Servers on local networks can be assigned to a Virtual
Service. Enabling this option will allow a non-local Real Server to be assigned to the Virtual Service.

To make the Allow Remote Addresses option visible, Enable Non-Local Real Servers must be selected
(in System Configuration > Miscellaneous Options > Network Options). Also, Transparency must be
disabled in the Virtual Service.

When alternative gateways/non-local Real Servers are set up, health checks are routed through the
default gateway.

Real Server Address: The Real Server address. This can either be an IP address or a Fully Qualified
Domain Name (FQDN). This is not editable when modifying a Real Server. An FQDN can only be used if a
Nameserver is configured. For further information, refer to the Host & DNS Configuration section. If an

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 63

Web User Interface (WUI)
3 Virtual Services

FQDN is used when adding a Real Server the name is resolved at the time of adding. If it fails to resolve,
the Real Server will not be created and an error is generated.

Port: The forwarding port of the Real Server. This field is editable, so the port may be altered later if
required.

Forwarding Method: Either NAT (Network Address Translation) or Route (Direct) forwarding. The
available options are dependent on the other modes selected for the service.

Weight: The Real Server's weight. This is weight of the Real Server, as used by the Weighted Round
Robin, Weighted Least Connection and Adaptive scheduling methods. The default initial value for the
weight is 1000, the maximum is 65535, and the minimum is 1. It is a good benchmark to give a Real Server
a weight relative to its processor speed, for example, if server1 seems to bring four times the power of
server2, assign a weight of 4000 to server1 and weight of 1000 to server2.

Connection Limit: The maximum number of open connections that a Real Server will accept before it is
taken out of the rotation. This is only available for Layer 7 traffic. The limit stops new connections from
being created, but it will allow requests that already have persistent connections to the server. Persistent
connections include connections to a Virtual Service using Session Broker Persistence which include a
Session Broker cookie as set by the Connection Broker.

A maximum number of 1024 Real Servers is allowed. This is the global limit and is divided among the
existing Virtual Services. For example, if one Virtual Service had 1000 Real Servers, then the remaining
Virtual Services can only have 24 further Real Servers in total.

For the LoadMaster Exchange, there is a limit of six Real Servers that may be configured.

Click the Add This Real Server button and it gets added to the pool.

Critical

This option will only appear if the Enhanced Options check box is enabled. For further information on
the Enhanced Options check box, refer to the Real Servers section.

In the Real Servers section of the Virtual Service modify screen, there is a Critical check box for each of
the Real Servers. Enabling this option indicates that the Real Server is required for the Virtual Service to
be considered available. The Virtual Service is marked as down if the Real Server has failed or is disabled.

If a Real Server on a SubVS is marked as critical the SubVS is marked as down if that Real Server is down.
However, the parent Virtual Service will not be marked down unless that SubVS is marked as critical.

This option overrides the Minimum number of RS required for VS to be considered up field. For
example, if the minimum is set to two and only one Real Server is down but that Real Server is set to
critical the Virtual Service is marked as down.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 64

Web User Interface (WUI)
3 Virtual Services

In all cases, if the Virtual Service is considered to be down and the Virtual Service has a sorry server or an
error message configured, these are used.

Healthcheck On

This option will only appear if the Enhanced Options check box is enabled. For further information on
the Enhanced Options check box, refer to the Real Servers section.

In the Real Servers section of the Virtual Service modify screen, there is a Healthcheck On drop-down list
for each of the Real Servers. This allows you to specify what Real Server the health check is based on. This
can either be set to Self in order to perform the health check based on that particular Real Server status,
or another Real Server can be selected. For example if Real Server 1 is down, any Real Servers which
have their health check based on Real Server 1 will also be marked as down, regardless of their actual
Real Server status.

Some points to be aware of are listed below:

A Real Server can only follow a Real Server and not a SubVS.

A Real Server can follow a Real Server that is also following a third Real Server. The status of the first
two Real Servers will reflect the status of the third Real Server.

Chains of Real Servers are allowed but loops are not allowed and cannot be created.

If a Real Server is deleted (either singly or as part of a Virtual Service), all Real Servers that are
following the Real Server are reset to normal behaviour (that is, they will start using the Virtual
Service health check options).

If all Real Servers in a Virtual Service are following Real Servers on a different Virtual Service, the
health check parameters for the Virtual Service are not shown on the WUI (because the settings do
not affect any Real Servers).

Disabling the Enhanced Options check box will disable all Real Server health check following for that
Virtual Service.

3.11.5 Modify a Real Server

When you click the Modify button of a Real Server, the following options are available:

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 65

Web User Interface (WUI)
3 Virtual Services

Real Server Address

This field shows the address of the Real Server. This is not an editable field.

Port

This is a field detailing the port on the Real Server that is to be used.

Forwarding Method

This is a field detailing the type of forwarding method to be used. The default is NAT; Direct Server Return
can only be used with L4 services.

Weight

When using Weighted Round Robin Scheduling, the weight of a Real Server is used to indicate what
relative proportion of traffic should be sent to the server. Servers with higher values will receive more
traffic.

Connection Limit

This is the maximum amount of open connections that can be sent to the real server before it is taken
out of rotation. The maximum limit is 100,000.

3.12 Manage Templates

Templates make the setting up of Virtual Services easier by automatically creating and configuring the
parameters for a Virtual Service. Before a template can be used to configure a Virtual Service, it must be
imported and installed on the LoadMaster.

Click the Choose File button, select the template you wish to install and click the Add New Template
button to install the selected template. This template is now available for use when you are adding a new
Virtual Service.

Click Delete to remove the template.

The KEMP Certified column will indicate whether the template was supplied by KEMP or not. If a
template is certified, it has been provided by KEMP. If a template is not certified, it might be a template
created by you (by exporting a Virtual Service).

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 66

Web User Interface (WUI)
3 Virtual Services

For further details on templates, such as how to use a template to create and configure a new Virtual
Service and where to obtain KEMP templates, please refer to the Virtual Services and Templates Feature
Description document on the KEMP documentation page.

3.13 Manage SSO Domains

Before using the Edge Security Pack (ESP) the user must first set up a Single Sign-On (SSO) Domain on the
LoadMaster. The SSO Domain is a logical grouping of Virtual Services which are authenticated by an LDAP
server.

The maximum number of SSO domains that are allowed is 128.

Click the Manage SSO Domains menu option to open the Manage Single Sign On Options screen.

3.13.1 Single Sign On Domains

Two types of SSO domains can be created client side and server side.

Client Side configurations allow you to set the Authentication Protocol to LDAP, RADIUS, RSA-SecurID,
Certificates, RADIUS and LDAP or RSA-SecurID and LDAP.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 67

Web User Interface (WUI)
3 Virtual Services

Server Side configurations allow you to set the Authentication Protocol to Kerberos Constrained
Delegation (KCD).

To add a new SSO Domain enter the name of the domain in the Name field and click the Add button. The
name entered here does not need to relate to the allowed hosts within the Single Sign On Domain.

When using the Permitted Groups field in ESP Options, you need to ensure that the SSO domain set
here is the directory for the permitted groups. For example, if the SSO Domain is set to
webmail.example and webmail is not the directory for the permitted groups within example.com, it will
not work. Instead, the SSO Domain needs to be set to .example.com.

If the Domain/Realm field is not set, the domain Name set when initially adding an SSO domain is used
as the Domain/Realm name.

3.13.1.1 Client Side (Inbound) SSO Domains

Authentication Protocol

This dropdown allows you to select the transport protocol used to communicate with the authentication
server. The options are:

LDAP

RADIUS

RSA-SecurID

Certificates

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 68

Web User Interface (WUI)
3 Virtual Services

RADIUS and LDAP

RSA-SecurID and LDAP

SAML

The fields displayed on this screen will change depending on the Authentication protocol selected.

LDAP Endpoint

Select the LDAP endpoint to use. For further information on LDAP endpoints, refer to the LDAP
Configuration section.

This option is only available if the Authentication Protocol is set to LDAP, RADIUS and LDAP or RSA-
SecurID and LDAP.

RADIUS/RSA-SecurID Server(s)

Type the IP addresses of the server or servers which are used to authenticate the domain into the server
(s) field and click the set server(s) button.

Multiple server addresses can be entered within this text box. Each entry must be separated by a space.

RADIUS Shared Secret

The shared secret to be used between the RADIUS server and the LoadMaster.

This field will only be available if the Authentication Protocol is set to RADIUS or RADIUS and LDAP.

Check Certificate to User Mapping

This option is only available when the Authentication Protocol is set to Certificates. When this option is
enabled - in addition to checking the validity of the client certificate, the client certificate will also be
checked against the altSecurityIdentities (ASI) attribute of the user on the Active Directory.

If this option is enabled and the check fails, the login attempt will fail. If this option is not enabled, only a
valid client certificate (with the username in the SubjectAltName (SAN)) is required to log in, even if the
altSecurityIdentities attribute for the user is not present or not matching.

For more information, refer to the Kerberos Constrained Delegation, Feature Description.

Allow fallback to check Common Name

Enabling this option allows a fallback to check the Common Name (CN) in the certificate when the SAN is
not available.

This field only appears when the Authentication Protocol is set to Certificates.

Domain/Realm

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 69

Web User Interface (WUI)
3 Virtual Services

The login domain to be used. This is also used with the logon format to construct the normalized
username, for example;

Principalname: <username>@<domain>

Username: <domain>\<username>

If the Domain/Realm field is not set, the Domain name set when initially adding an SSO domain is used
as the Domain/Realm name.

RSA Authentication Manager Config File

This file needs to be exported from the RSA Authentication Manager.

For more information on the RSA authentication method, including how to configure it, refer to the RSA
Two Factor Authentication, Feature Description.

RSA Node Secret File

A node secret must be generated and exported in the RSA Authentication Manager.

It is not possible to upload the RSA node secret file until the RSA Authentication Manager configuration
file is uploaded. The node secret file is dependent on the configuration file.

Logon Format

This drop-down list allows you to specify the format of the login information that the client has to enter.

The options available vary depending upon which Authentication Protocol is selected.

Not Specified: The username will have no normalization applied to it - it is taken as it is typed.

Principalname: Selecting this as the Logon format means that the client does not need to enter the
domain when logging in, for example [email protected]. The SSO domain added in the corresponding
text box is used as the domain in this case.

When using RADIUS as the Authentication protocol the value in this SSO domain field must exactly
match for the login to work. It is case sensitive.

Username: Selecting this as the Logon format means that the client needs to enter the domain and
username, for example domain\[email protected].

Username Only: Selecting this as the Logon Format means that the text entered is normalized to the
username only (the domain is removed).

The Username Only option is only available for the RADIUS and RSA-SecurID protocols.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 70

Web User Interface (WUI)
3 Virtual Services

Logon Format (Phase 2 Real Server)

Specify the logon string format used to authenticate to the Real Server.

The Logon Format (Phase 2 Real Server) field only appears if the Authentication Protocol is set to one
of the following options:

RADIUS

RSA-SecurID

Logon Format (Phase 2 LDAP)

Specify the logon string format used to authenticate to LDAP.

The Logon Format (Phase 2 LDAP) field only appears if the Authentication Protocol is set to one of the
following options:

RADIUS and LDAP

RSA-SecurID and LDAP

Logon Transcode

Enable or disable the transcode of logon credentials, from ISO-8859-1 to UTF-8, when required.

If this option is disabled, log in using the format that the client dictates. If this option is enabled, check if
the client uses UTF-8. If the client does not use UTF-8, use ISO-8859-1.

Failed Login Attempts

The maximum number of consecutive failed login attempts before the user is locked out. Valid values
range from 0 to 99. Setting this to 0 means that users will never be locked out.

When a user is locked out, all existing logins for that user are terminated, along with future logins.

Reset Failed Login Attempt Counter after

When this time (in seconds) has elapsed after a failed authentication attempt (without any new
attempts) the failed login attempts counter is reset to 0. Valid values for this text box range from 60 to
86400. This value must be less than the Unblock timeout value.

Unblock timeout

The time (in seconds) before a blocked account is automatically unblocked, that is, unblocked without
administrator intervention. Valid values for this text box range from 60 to 86400. This value must be
greater than the Reset Failed Login Attempt Counter after value.

Session timeout

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 71

Web User Interface (WUI)
3 Virtual Services

The idle time and max duration values can be set here for trusted (private) and untrusted (public)
environments. The value that is used is dependent on whether the user selects public or private on their
login form. Also, either max duration or idle time can be specified as the value to use.

Idle time: The maximum idle time of the session in seconds, that is, idle timeout.

Max duration: The max duration of the session in seconds, that is, session timeout.

Valid values for these fields range from 60 to 86400.

Use for Session Timeout: A switch to select the session timeout behaviour (max duration or idle time).

The underlying network traffic may keep the session active, even if there is no obvious user interaction.

Use LDAP Endpoint for Healthcheck

Select this check box to use the LDAP endpoint administrator username and password for health
checking. If this is enabled, the Test User and Test User Password textboxes will not be available.

For more information on LDAP endpoints, refer to the LDAP Configuration section.

This option is only available for the following protocols; LDAP, Certificates, RADIUS and LDAP and RSA-
SecurID and LDAP.

Test User and Test User Password

In these two fields, enter credentials of a user account for your SSO Domain. The LoadMaster will use this
information in a health check of the Authentication Server. This health check is performed every 20
seconds.

3.13.1.1.1 Client Side (Inbound) SAML SSO Domains

The fields vary when the Authentication Protocol is set to SAML. The SAML-specific fields are described
below.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 72

Web User Interface (WUI)
3 Virtual Services

IdP Provisioning

The Manual option enables you to manually input details into the IdP fields.

The MetaData File option allows you to upload an IdP MetaData File. This simplifies the configuration of
the IdP attributes, including the IdP Entity ID, IdP SSO URL and IdP Logoff URL. The metadata file can be
downloaded from the IdP.

IdP Metadata File

This field is only visible if the IdP Provisioning field is set to MetaData File. To upload the file - click
Browse, navigate to and select the relevant file and click Import IdP MetaData File.

IdP Entity ID

Specify the IdP entity identifier.

IdP SSO URL

Specify the IdP SSO URL.

IdP Logoff URL

Specify the IdP logoff URL.

IdP Certificate

The IdP Certificate is very important in terms of verification of the assertions that must be contained in
the SAML response that is received from the IdP. Without the certificate, verification cannot proceed.

SP Entity ID

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 73

Web User Interface (WUI)
3 Virtual Services

This is an identifier that is shared to enable the IdP to understand, accept and have knowledge of the
entity when request messages are sent from the LoadMaster. This must correlate to the identifier of the
relying party on the AD FS server.

SP Signing Certificate

It is optional to sign requests that are sent in the context of logon. Currently, the LoadMaster does not
sign those requests.

In the context of log off requests it is mandatory and these requests must be signed. This is to avoid
any spoofing and to provide extra security in relation to log off functionality. This ensures that users are
not being hacked and not being logged off unnecessarily.

In the SP Signing Certificate drop-down list, you can choose to use a self-signed certificate or third party
certificate to perform the signing.

Download SPSigning Certificate

If using a self-signed certificate, click Download to download the certificate. This certificate must be
installed on the IdP server (for example AD FS) to be added to the relying party signature.

The AD FS server requires this certificate for use of the public key to verify the signatures that the
LoadMaster generates.

Session Control

Select the relevant session control option. The available options are:

SP Session Idle Duration

SP Session Max Duration

IdP Session Max Duration

The IdP maximum duration value cannot be set in the LoadMaster. The value is taken from the IdP
protocol. If the value is not already set in the IdP authentication response, the default value of 30
minutes is assigned as the IdP maximum duration.

SP Session Idle Duration

Specify the session idle duration (in seconds). This field is only visible if SP Session Idle Duration is set as
the Session Control option.

SP Session Max Duration

Specify the maximum duration of the session (in seconds). This field is only visible if SP Session Max
Duration is set as the Session Control option.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 74

Web User Interface (WUI)
3 Virtual Services

3.13.1.1.2 Sessions

Clicking the Sessions button, for a client-side SSO domain, opens a screen listing the current open
sessions on that domain.

You can filter the list by entering a search term in the Filter users text box.

The following information is provided about each session:

Users: The username/domain of the client.

Source: The client (host) IPaddress and source port.

Dest IP: The destination IPaddress of the connection.

Created: The date and time the connection was created.

Expires: The date and time that the connection expires.

Cookie: The cookie used in the connection.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 75

Web User Interface (WUI)
3 Virtual Services

Clicking the Kill All button kills all open sessions (flushes the SSO cache).

Selecting one or more sessions provides some further options:

Kill Selected

Block Selected

Show All

Logs are added to the audit log for every kill session operation. For example:

Kill 'non-cookie' session log:

Nov 9 16:47:31 LM ssomgr: Deleted a session [email protected]:- for domain AKTEST.COM

Kill 'cookie' session log:

Nov 9 16:47:31 LM ssomgr: Deleted a session
[email protected]:420cf78373643b3c0171d95c757e7bf3 for domain AKTEST.COM

Kill all domain sessions log:

Nov 9 16:48:46 LM ssomgr: Deleted all domain AKTEST.COM user sessions

Currently Blocked Users

This section displays a list of users who are currently blocked and it also shows the date and time that the
block occurred. It is possible to remove the block by clicking the unlock button in the Operation drop-
down list.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 76

Web User Interface (WUI)
3 Virtual Services

Different formats of the same username are treated as the same username, for example,
[email protected], kemptech\administrator and kemptech.net\administrator are all
treated as one username.

3.13.1.2 Server Side (Outbound) SSO Domains

Authentication Protocol

This dropdown allows you to select the transport protocol used to communicate with the authentication
server. The only option available for outbound (server side) configurations is Kerberos Constrained
Delegation.

Kerberos Realm

The address of the Kerberos Realm.

Colons, slashes and double quotes are not allowed in this field.

This field only supports one address.

Kerberos Key Distribution Center (KDC)

The host name or IP address of the Kerberos Key Distribution Center. The KDC is a network service that
supplies session tickets and temporary session keys to users and computers within an Active Directory
domain.

This field only accepts one host name or IP address. Double and single quotes are not allowed in this
field.

Kerberos Trusted User Name

Before configuring the LoadMaster, a user must be created and trusted in the Windows domain (Active
Directory). This user should also be set to use delegation. This trusted administrator user account is used
to get tickets on behalf of users and services when a password is not provided. The user name of this
trusted user should be entered in this text box.

Double and single quotes are not allowed in this field.

Kerberos Trusted User Password

The password of the Kerberos trusted user.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 77

Web User Interface (WUI)
3 Virtual Services

3.13.2 Single Sign On Image Sets

To upload a new image set, click Choose File, browse to and select the file and click Add Custom Image
Set. After adding the file, the supplied image set(s) are listed on this page. It will also be available to select
in the SSO Image Set drop-down list in the ESP Options section of the Virtual Service modify screen.

For more information on SSO image sets, including information on how the .tar file should be structured,
refer to the Custom Authentication Form, Technical Note.

3.14 WAF Settings

You can get to this screen by selecting Virtual Services > WAF Settings in the main menu of the
LoadMaster WUI.

Logging Format

Select either Native or JSON depending on what format you want the audit logs to appear in.

Enable Remote Logging

This check box enables you to enable or disable remote logging for WAF.

Remote URL

Specify the Uniform Resource Identifier (URI) for the remote logging server.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 78

Web User Interface (WUI)
3 Virtual Services

Username

Specify the username for the remote logging server.

Password

Specify the password for the remote logging server.

The automatic and manual download options are greyed out if the WAF subscription has expired.

Enable Automated Rule Updates

Select this check box to enable the automatic download of the latest WAF rule files. This is done on a
daily basis, if enabled.

Last Updated

This section displays the date when the last rules were downloaded. It gives you the option to attempt to
download the rules now. It will also display a warning if rules have not been downloaded in the last 7
days. The Show Changes button is displayed if the rules have been downloaded. This button can be
clicked to retrieve a log of changes which have been made to the KEMP Technologies WAF rule set.

Enable Automated Installs

Select this check box to enable the automatic daily install of updated rules at the specified time.

When to Install

Select the hour at which to install the updates every day.

Manually Install rules

This button allows you to manually install rule updates, rather than automatically installing them. This
section also displays when the rules were last installed.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 79

Web User Interface (WUI)
3 Virtual Services

Custom Rules

This section allows you to upload custom rules and associated data files. Individual rules can be loaded
as files with a .conf extension, or you can load a package of rules in a Tarball (.tar.gz) file. A Tarball of rule
files usually includes a number of individual .conf and .data files.

The .conf files should be in standard ModSecurity rule file format.

Custom Rule Data

This section allows you to upload data files which are associated to the custom rules.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 80

Web User Interface (WUI)
4 Global Balancing

4 Global Balancing
This menu option may not be available in your configuration. These features are part of the GSLB
Feature Pack and are enabled based on the license that has been applied to the LoadMaster. If you
would like to have these options available, contact KEMP to upgrade your license.

4.1 Enable/Disable GSLB

Click this menu option to either enable or disable GEO features. When GEO is enabled, the Packet
Routing Filter is enabled by default and cannot be changed. When GEO is disabled, it is possible to either
enable or disable the Packet Routing Filter in System Configuration > Access Control > Packet Filter.

4.2 Manage FQDNs

A Fully Qualified Domain Name (FQDN), sometimes also referred to as an absolute domain name, is a
domain name that specifies its exact location in the tree hierarchy of the Domain Name System (DNS). It
specifies all domain levels, including the top-level domain and the root zone. A fully qualified domain
name is distinguished by its lack of ambiguity: it can only be interpreted in one way. The DNS root
domain is unnamed, which is expressed by the empty label, resulting in an FQDN ending with the dot
character.

From this screen, you can Add or Modify an FQDN.

4.2.1 Add a FQDN

New Fully Qualified Domain Name

The FQDN name, for example www.example.com. Wildcards are supported, for example
*.example1.com matches anything that ends in .example1.com.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 81

Web User Interface (WUI)
4 Global Balancing

4.2.2 Add/Modify an FQDN

Selection Criteria

The selection criterion used to distribute the resolution requests can be selected from this drop-down
list. The Selection Criteria available are:

Round Robin - traffic distributed sequentially across the server farm (cluster), that is, the available
servers.

Weighted Round Robin Incoming requests are distributed across the cluster in a sequential
manner, while taking account of a static weighting that can be pre-assigned per server.

Fixed Weighting - the highest weight Real Server is used only when other Real Server(s) are given
lower weight values.

Real Server Load - LoadMaster contains logic which checks the state of the servers at regular
intervals and independently of the configured weighting.

Proximity traffic is distributed to the closest site to the client. When using Proximity scheduling,
new public sites are automatically mapped to geographic coordinates based on the GEO database.
New private sites are mapped to 00'0" and function as expected. This coordinate should be
overridden with accurate values in order to ensure correct balancing. The position of the client is
determined by their IP address.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 82

Web User Interface (WUI)
4 Global Balancing

Location Based - traffic is distributed to the closest site to the client. The positioning of the sites is set
by inputting the location of the site (country or continent) during setup. The position of the client is
determined by their IP address. If there is more than one site with the same country code, requests
are distributed in a round robin fashion to each of the sites.

All Available returns all possible healthy targets for an A, AAAA or ANY query request. The contents
of the returned list is also controlled by the Public Requests and Private Requests settings:

- For Public Sites Only the list can only contain public addresses. Likewise, for Private
Sites Only the list can only contain private addresses.

- For Prefer Public the list only contains public addresses, unless no public addresses
are available in which case the list contains private addresses (if any are available).
Likewise, for Prefer Private the list only contains private addresses, unless no private
addresses are available in which case the list contains public addresses (if any are
available).

- For All Sites the list contains all available addresses

The purpose of this is to provide a list of preferred addresses, if they are available. Otherwise, provide a
list of non-preferred addresses as a failback measure for improved availability.

Fail Over

The Fail Over option is only available when the Selection Criteria is set to Location Based. When the Fail
Over option is enabled, if a request comes from a specific region and the target is down, the connection
will fail over and be answered with the next level in the hierarchy. If this is not available, the connection is
answered by the nearest (by proximity) target. If this is not possible, the target with the lowest requests
are picked. The Fail Over setting affects all targets.

Public Requests & Private Requests

The Isolate Public/Private Sites setting has been enhanced in version 7.1-30. The checkbox has been
migrated to two separate dropdown menus to allow more granular control of DNS responses. Existing
behavior has been preserved and is migrated from your current setting, ensuring that no change in DNS
responses is experienced.

These new settings allow administrators finer control of DNS responses to configured FQDNs.
Administrators may selectively respond with public or private sites based on whether the client is from a
public or private IP. For example, administrators may wish to allow only private clients to be sent to
private sites.

The following table outlines settings and their configurable values:

Setting Value Client Type Site Types Allowed

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 83

Web User Interface (WUI)
4 Global Balancing

Public Only Public Public

Prefer Public Public Public, Private if no public

Public Requests
Prefer Private Public Private, Public if no private

All Sites Public Private and Public

Private Only Private Private

Prefer Private Private Private, Public if no private

Private Requests
Prefer Public Private Public, Private if no public

All Sites Private Private and Public

Note that exposing private IP address information to public queries in this way may result in exposed
network details. Select this setting at your own risk.

Site Failure Handling

The default is for failover to occur automatically. However, in certain circumstances, for example in a
multi-site Exchange 2010 configuration, this may not be optimal and different behaviour may be
required. Failure Delay is set in minutes. If a Failure Delay is set, a new option called Site Recovery
Mode becomes available.

Site Recovery Mode

This option is only available if a Failure Delay has been set. There are two options:

Automatic: The site is brought back into operation immediately upon site recovery

Manual: Once the site has failed, disable the site. Manual intervention is required to restore normal
operation.

Enable Local Settings

Selecting this option will display two additional fields TTL and Stickiness. These can be set on a per-
FQDN basis or globally. To set them for an FQDN enable local settings and configure them as needed.
The per-FQDN settings will default to the value of the global settings when the FQDN is created.

TTL

The Time To Live (TTL) value dictates how long the reply from the GEO LoadMaster can be cached by
other DNS servers or client devices. The time interval is defined in seconds. This value should be as
practically low as possible. The default value for this field is 10. Valid values range from 1 to 86400.

Stickiness

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 84

Web User Interface (WUI)
4 Global Balancing

Stickiness, also known as persistence, is the property that enables all name resolution requests from an
individual client to be sent to the same resources until a specified period of time has elapsed. For further
information on Stickiness, refer to the GEO Sticky DNS, Feature Description.

Unanimous Cluster Health Checks

If this option is enabled, if any IP addresses fail health checking - other FQDN IP addresses which belong
to the same cluster are marked as down. When Unanimous Cluster Health Checks is enabled, the IP
addresses which belong to the same cluster within a specific FQDN are either all up or all down. For
example, example.com has addresses 172.21.58.101, 172.21.58.102 and 172.21.58.103 which all belong
to cluster cl58:

If 172.21.58.101 fails, the unanimous policy forces 172.21.58.102 and 172.21.58.103 down as well.

When 172.21.58.101 comes back, the unanimous policy brings back 172.21.58.102 and 172.21.58.103
along with it.

So, at any given time either all three addresses are available or all three addresses are down.

The same approach applies for site failure mode with manual recovery. Manual recovery causes a failed
address to be disabled, so the administrator can re-enable it after fixing the problem. When Unanimous
Cluster Health Checks is enabled, all three addresses are disabled.

The unanimous policy ignores disabled addresses. So, if you know that an address is down, and for
whatever reason you want to continue using the other addresses that belong to the same cluster, you
can disable the failed address and the unanimous policy will not force down the other addresses with it.

When Unanimous Cluster Health Checks are enabled, some configuration changes may cause FQDN
addresses to be forced down or brought back up. For example, if an address is forced down and you
remove it from the cluster while the unanimous policy is in effect, the address should come back up.
Similarly, if you add an address to a cluster where the unanimous policy is in effect and one of the
addresses is down, the new address should be forced down. This change may not occur immediately,
but it should happen the next time health checking occurs.

If there are addresses with the Checker set to None combined with addresses that have health checking
configured addresses with no health checking will not be forced down, but they can be forcibly disabled
if the Site Recovery Mode is set to Manual. For example, say there are three addresses:

172.21.58.101 with a Checker of Cluster Checks

172.21.58.102 with a Checker of Cluster Checks

172.21.58.103 with a Checker of None

If site failure handling is off or automatic, the failure of 172.21.58.101 causes 172.21.58.102 to be forced
down, but 172.21.58.103 remains up. The rationale is that if you do not want health checking on
172.21.58.103 then it should remain up.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 85

Web User Interface (WUI)
4 Global Balancing

However, if the Site Recovery Mode is set to Manual, failure of 172.21.58.101 causes both 172.21.58.102
and 172.21.58.103 to be disabled, along with 172.21.58.101. For site recovery all addresses are disabled,
even the ones with no health checking configured. This is to keep traffic away from the problem data
center until the system administrators fix it. This does not conflict with having addresses with no health
checking because you can have an address that is up but disabled.

Cluster

If needed, the cluster containing the IP address can be selected.

Checker

This defines the type of health checking that is performed. The options include:

None: This implies that no health check is performed to check the health status of the machine (IP
address) associated to the current FQDN

ICMP Ping: This tests the health status by pinging the IP address

TCP Connect: This will test the health by trying to connect to the IP address on a specified port

Cluster Checks: When this is selected, the health status check is performed using the method
associated with the selected cluster

- When using Real Server Load as the Selection Criteria, and the cluster Type is set to
Local LM or Remote LM, a drop-down list will appear called Mapping Menu. The
Mapping Menu drop-down list will display a list of Virtual Service IP addresses from
that LoadMaster. It will list each Virtual Service IP address with no port, as well as all
of the Virtual IP address and port combinations. Please select the Virtual IP address
that is associated with this mapping.
If a Virtual Service with no port is selected, the health check will check all Virtual
Services with the same IP address as the one selected. If one of them is in an Up
status, the FQDN will show as Up. The port does not come in to consideration.
If a Virtual Service with a port is selected, the health check will only check against the
health of that Virtual Service when updating the health of the FQDN.

For further information regarding health checks, refer to the GEO, Product Overview.

Parameters

The parameters for the Selection Criteria are described and can be changed within this section. The
parameters differ depending on the Selection Criteria in use, as described below:

Round Robin no parameters available

Weighted Round Robin the weight of the IP address can be set by changing the value in the
Weight text box and clicking the Set Weight button

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 86

Web User Interface (WUI)
4 Global Balancing

Fixed Weighting the weight of the IP address can be set in the Weight text box

Real Server Load the weight of the IP address can be set in the Weight text box and the Virtual
Service which is measured can be chosen from the Mapping field

Proximity the physical location of the IP address can be set by clicking the Show Coordinates
button

Location Based the locations associated with the IP address can be set by clicking the Show
Locations button

Delete IP address

An IP address can be deleted by clicking the Delete button in the Operation column of the relevant IP
address.

Delete FQDN

An FQDN can be deleted by clicking the Delete button at the bottom of the Modify (Configure) FQDN
screen.

4.3 Manage Clusters

GEO clusters is a feature mainly used inside data centers. Health checks are performed on a machine (IP
address) associated to a specific FQDN, using the containing cluster server, rather than the machine
itself.

In the Manage Clusters screen there are options to Add, Modify and Delete clusters.

4.3.1 Add a Cluster

When adding a cluster, there are 2 text boxes to fill out:

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 87

Web User Interface (WUI)
4 Global Balancing

IP address the IP address of the cluster

Name the name of the cluster. This name can be used to identify the cluster while in other screens.

4.3.2 Modify a Cluster

Name

The name of the cluster.

Location

If needed, the Show Locations button can be clicked in order to enter the latitude and longitude of the
location of the IP address.

Type

The cluster type can be Default, Remote LM or Local LM:

Default: When the type of cluster is set to Default, the check is performed against the cluster using
one of the following three available health checks:

- None: No health check is performed. Therefore, the machine always appears to be

up.

- ICMP Ping: The health check is performed by pinging against the cluster IP address.

- TCP Connect: The health check is performed by connecting to the cluster IP address
on the port specified.

Local LM: When Local LM is selected as the Type, the Checkers field is automatically set to Not
Needed. This is because the health check is not necessary because the cluster is the local machine.

Remote LM: The health check for this type of cluster is Implicit (it is performed using SSH).

The only difference between Remote LM and Local LM is that it saves a TCP connection because it gets
the information locally and not over TCP. Otherwise, the functionality is the same.

Checkers

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 88

Web User Interface (WUI)
4 Global Balancing

The health check method used to check the status of the cluster.

If the Type is set to Default the health check methods available are ICMP Ping and TCP Connect.

If Remote LM or Local LM is selected as the Type, the Checkers dropdown list is unavailable.

Disable

If needed, a cluster can be disabled by clicking the Disable button in the Operation column.

4.3.3 Delete a Cluster

To delete a cluster, click the Delete button in the Operation column of the relevant cluster.

Use the Delete function with caution. There is no way to undo this deletion.

4.3.4 Upgrading GEO Clusters

When upgrading GEO clusters, it is strongly recommended that all nodes are upgraded at the same time.
Since GEO clusters operate in active-active mode, upgrading at the same time ensures that consistent
behavior is experienced across all nodes.

If you must operate a GEO cluster with mixed versions, be sure to make all changes from the most recent
version. This prevents configuration loss due to incompatible configurations. Additionally, changing
configuration options not present in older versions will result in disparate behavior.

4.4 Miscellaneous Params

A description of the sections and fields in the Miscellaneous Params menu option are below.

Zone Name

Enter the zone name to use. A zone name is necessary for DNSSEC configurations. All FQDNs within the
zone are signed using the provided key. All FQDNs outside the zone continue to work but the responses
are unsigned.

Source of Authority

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 89

Web User Interface (WUI)
4 Global Balancing

This is defined in RFC 1035. The SOA defines global parameters for the zone (domain). There is only one
SOA record allowed in a zone file.

Name Server

The Name Server is defined as the forward DNS entry configured in the Top Level DNS, written as a Fully-
Qualified Domain Name (FQDN and ends with a dot), for example lm1.example.com.

If there is more than one Name Server, for example in a HA configuration, then you would add the
second Name Server in the field also, separated by a blank space, for example lm1.example.com
lm2.example.com.

SOA Email

This textbox is used to publish a mail address of a person or role account dealing with this zone with the
@ converted to a .. The best practice is to define (and maintain) a dedicated mail alias, for example
hostmaster [RFC 2142] for DNS operations, for example [email protected].

TTL

The Time To Live (TTL) value dictates how long the reply from the GEO LoadMaster can be cached by
other DNS servers or client devices. This value should be as practically low as possible. The default value
for this field is 10. The time interval is defined in seconds.

4.4.1 Resource Check Parameters

Check Interval

Defined in seconds, this is the delay between health checks. This includes clusters and FQDNs. The valid
range for this field is between 9 and 3600. The default value is 120.

The interval value must be greater than the timeout value multiplied by the retry value (Interval >
Timeout * Retry + 1). This is to ensure that the next health check does not start before the previous one
completes.

If the timeout or retry values are increased to a value that breaks this rule, the interval value is
automatically increased.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 90

Web User Interface (WUI)
4 Global Balancing

Connection Timeout

Defined in seconds, this is the allowed maximum wait time for a reply to a health check. The valid range
for this field is between 4 and 60. The default value is 20.

Retry Attempts

This is the consecutive number of times in which a health check must fail before it is marked down and
removed from the list of healthy Real Servers. The default retry attempts is 2.

The maximum detection window for failed clusters of FQDNs is the Check Interval + (Connection
Timeout * (Retry attempts + 1)). On average, the maximum time is half that.

The timeline diagram below illustrates what happens from the time a resource IP is added or enabled, to
when it goes down and then comes back up again:

1. When a resource IP is enabled/created, an ICMP request is sent by the LoadMaster to the

resource IP. Assuming it responds, the resource is marked UP.

2. After 120 seconds has elapsed (the default Check Interval), an ICMP request is sent to the
resource IP. If 20 seconds (the default Connection Timeout) elapses and the IP fails to respond,
the LoadMaster will send up to two additional requests (the default Retry Attempts) and wait for
20 seconds between each. If all three of these requests receive no response, then the resource is
marked down, and the Check Interval timer is reset.

3. After 120 seconds elapses, the LoadMaster attempts to send an ICMP request to the resource
IP. If the resource has now come back up and responds before the Connection Timeout elapses,
the LoadMaster marks it UP and resets the Check Interval timer.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 91

Web User Interface (WUI)
4 Global Balancing

4.4.2 Stickiness

Stickiness, also known as Global Persistence, is the property that enables all name resolution requests
from an individual client to be sent to the same resources until a specified period of time has elapsed. For
further information on Stickiness, refer to the GEO Sticky DNS, Feature Description.

4.4.3 Location Data Update

The location patch contains the geographically-encoded IP to location data. Data files can be obtained
directly from KEMP using normal support channels. These files are a repackaged distribution of
Maxmind; the GeoIP database. To obtain the latest release, please contact support:
http://www.kemptechnologies.com.

4.5 IP Range Selection Criteria

This section allows a new IP address range to be defined.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 92

Web User Interface (WUI)
4 Global Balancing

After adding an address, clicking Modify will open the modify settings screen. It is also possible to delete
a range after it has been added.

This section allows the definition of up to 64 IP ranges per data center.

IP Address

Specify an IP address or network. Valid entries here are either a single IP, for example 192.168.0.1, or a
network in Classless Inter-Domain Routing (CIDR) format, for example 192.168.0.0/24.

Coordinates

Specify the latitude and longitude of the location.

Location

Specify the location to be assigned to the address.

Add Custom Location

This section allows you to add a custom location.

Existing custom locations can also be modified and deleted in this section.

4.6 IP Blacklist Settings

It is possible to download blacklist rules from KEMP to block access from IP addresses that are on the
blacklist. A whitelist can be manually specified that will override the blacklist.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 93

Web User Interface (WUI)
4 Global Balancing

This is a licensable feature. If you cannot see these options, or if any fields are grayed out, please
contact KEMP to upgrade your license.

Enable Automated GEO IP Blacklist data Updates

If this option is enabled, updates to the GEO IP blacklist are downloaded daily. By default, this option is
disabled.

Last Updated

The date when the last updates were downloaded is displayed. If the GEO blacklist data is more than 7
days old, a message appears to inform you.

Download Now

Click this button to download the updates now.

Enable Automated Installs

Select this check box to enable the automatic daily install of updated rules at the specified time.

When to Install

Select the hour at which to install the updates every day.

Manually Install GEO IP Blacklist data

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 94

Web User Interface (WUI)
4 Global Balancing

This button enables you to manually install the updates. This section also displays when the updates
were last installed. If the GEO blacklist data is not updated for more than 7 days, a message appears to
inform you.

View GEO IP Blacklist data file

Clicking the View button displays the current GEO IP Blacklist data file.

IP Whitelist Data Settings

This section displays the IP addresses that are currently on the whitelist.

Add New Address/Network

In this section, new addresses and networks can be added to the whitelist. The whitelist overrides the
blacklist.

4.7 Configure DNSSEC

Before you can configure DNSSEC, a zone must be defined. To define a zone, go to Global Balancing >
Miscellaneous Params and specify a Zone Name.

After the zone name is defined, the Key Signing Keys (KSKs) must be configured. You have two choices -
you can either:

Import the KSK files by clicking Import and browsing to the file locations.

Generate the KSK files by clicking Generate

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 95

Web User Interface (WUI)
4 Global Balancing

On the generate screen, select the cryptographic Algorithm and Key Size.

The following algorithms are supported:

NSEC3RSASHA1

RSASHA256

RSASHA512

The default is RSASHA256.

The supported key sizes are 1024, 2048 and 4096 bits. The default is 2048.

After the KSK files have been generated/imported, the DNSSEC screen shows the KSK details and gives
you an option to delete the KSK files.

The final step is to enable DNSSEC by selecting the check box.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 96

Web User Interface (WUI)
5 Statistics

5 Statistics
5.1 Real Time Statistics
Shows the activity for the LoadMasters within the system (Global), the Real Servers, the Virtual Services
and the WAF.

5.1.1 Global

Total CPU Activity

This table displays the following CPU utilization information for a given LoadMaster:

Statistic Description
User The percentage of the CPU spent processing in user mode
System The percentage of the CPU spent processing in system mode
Idle The percentage of CPU which is idle
I/O Waiting The percentage of the CPU spent waiting for I/O to complete

The sum of these four percentages equals 100%.

Core Temperatures: The temperature for each CPU core is displayed for LoadMaster hardware
appliances. Temperature will not show on a Virtual LoadMaster statistics screen.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 97

Web User Interface (WUI)
5 Statistics

On Dell LoadMasters, you can retrieve hardware statistics using SNMP. These include:

Temperature

Fan speed

Power supply

Voltage current

These values are only available using SNMP. For further information on SNMP Options, refer to the
SNMP Options section.

CPU Details: To get statistics for an individual CPU, click the relevant number button in CPU Details.

The CPU details screen has two additional statistics displayed - HW Interrupts and SW Interrupts.

Memory usage

This bar graph shows the amount of memory in use and the amount of memory free.

Network activity

These bar graphs show the current network throughput on each interface.

5.1.2 Real Servers

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 98

Web User Interface (WUI)
5 Statistics

These graphs display the connections, bytes, bits or packets, depending on choice. The buttons in the
top right of the page toggle which values are displayed. The values displayed for the Real Server comprise
of the values for all the Virtual Services accessing the Real Server.

If the Real Server has been assigned to more than one Virtual Service, you can view the statistics for each
Real Server by Virtual Service by clicking the arrow ( ) to the right of the number in the first column.
This expands the view to show the statistics for each Virtual Service on the Real Server.

Because of the way that encrypted services are implemented, it is not possible to view the packet
statistics on an encrypted Virtual Service.

Name: The Name column is automatically populated based on a DNS lookup.

RS-IP: This column displays the IP address of the Real Servers, and the Virtual Service (if expanded).

Clicking the links in the RS-IP column will display another screen containing a number of statistics specific
to that Real Server.

Status: This shows the status of the Real Server.

Adaptive: This will only be displayed if an adaptive scheduling method has been selected for a Virtual
Service. This column will display the adaptive value.

Weight: This will only be displayed if the scheduling method is set to resource based (SDN adaptive) in a
Virtual Service. The information which is gathered from the controller determines what the Adaptive
value is set to. As the adaptive value goes up, the weight of the Real Server goes down. If all adaptive
values are the same, all weights are the same. When the adaptive values are different the weights will
change. The weight of the Real Servers determines where traffic is sent. If a Real Server is configured in
multiple Virtual Services, two numbers are displayed for the weight - the first shows the average of the
current weights over all Virtual Services that the Real Server is configured in. The second shows the
number of Virtual Services that the Real Server is configured in. For example, a Weight of 972/2 means
that the average weight of a Real Server which is configured in two Virtual Services is 972.

Total Conns: The total number of connections made.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 99

Web User Interface (WUI)
5 Statistics

For Layer 4 UDPconnections - the connection count always shows as 0.

Last 60 Sec: The total number of connections in the last 60 seconds.

5 Mins: The total number of connections in the last 5 minutes.

30 Mins: The total number of connections in the last 30 minutes.

1 Hour: The total number of connections in the last hour.

Active Conns: The total number of connections that are currently active.

Current Rate Conns/sec: The current rate of connections per second.

[%]: The percentage of connections per second.

Conns/sec: A graphical representations of the connections per second.

System Total Conns: This row displays totals for each of the columns.

5.1.3 Virtual Services

These graphs display the connections, bytes, bits or packets, depending on choice. The buttons in the
top right of the page toggle which values are displayed. The percentage of distribution across the Virtual
Service's Real Servers are displayed.

Name: The name of the Virtual Service.

Virtual IP Address: The IP address and port of the Virtual Service.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 100
Web User Interface (WUI)
5 Statistics

Clicking the links in the Virtual IP Address column will display another screen containing a number of
statistics specific to that Virtual Service.

Address: The IP address of the Virtual Service.

Protocol: The protocol of the Virtual Service. This will either be tcp or udp.

Active Conns: The total number of connections that are currently active.

Total Conns: The total number of connections made.

Total Bytes: The total number of bytes transmitted.

Real Servers: The total number of Real Servers in this Virtual Service.

Persist Entries: The total number of persistence entries made.

WAF: The status, along with the other WAF statistics below, are displayed if WAF is enabled on the
Virtual Service.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 101
Web User Interface (WUI)
5 Statistics

Requests: The total number of requests handled by the WAF (shows all requests, whether they were
blocked or not). Two requests are recorded for each connection one incoming and one outgoing
request.

Incidents: The total number of events handled by the WAF (that is, requests that were blocked).

Incidents/Hour: The number of events that have happened in the current hour (since xx.00.00).

Incidents/Day: The number of events that have happened since midnight (local time).

Incidents/Dayover: The number of times the event counter has gone over the configured warning
threshold today. For example, if the threshold is set to 10 and there has been 20 events, this counter is
set to 2. The warning threshold is set on a per-Virtual Service basis by filling out the Hourly Alert
Notification Threshold field in WAF Options in the Virtual Service modify screen. For further
information, refer to the Web Application Firewall (WAF) Options section.

System Total Conns: This row displays totals for each of the columns.

5.1.4 WAF

These statistics refresh every 5 to 6 seconds. The following items are displayed on this screen:

Count: The left-most column displays the total number of WAF-enabled Virtual Services.

Name: The name of the WAF-enabled Virtual Service.

Virtual IP Address: The IP address and port of the Virtual Service.

Protocol: The protocol of the Virtual Service (tcp or udp).

Status: The status of the Virtual Service. For information on each of the possible statuses, refer to the
View/Modify (Existing HTTP Service) section.

Total Requests: The total number of requests handled by the WAF (shows all requests, whether they
were blocked or not). Two requests are recorded for each connection one incoming and one outgoing
request.

Total Events: The total number of events handled by the WAF (requests that were blocked).

Events this hour: The number of events that have happened in the current hour (since xx.00.00).

Events Today: The number of events that have happened since midnight (local time).

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 102
Web User Interface (WUI)
5 Statistics

Events over Limit Today: The number of times the event counter has gone over the configured warning
threshold today. For example, if the threshold is set to 10 and there has been 20 events, this counter is
set to 2. The warning threshold is set on a per-Virtual Service basis by filling out the Hourly Alert
Notification Threshold field in WAF Options in the Virtual Service modify screen. For further
information, refer to the Web Application Firewall (WAF) Options section.

5.2 Historical Graphs

The Historical Graphs screen provides a graphical representation of the LoadMaster statistics. These
configurable graphs provide a visual indication of the traffic that is being processed by the LoadMaster.

There are graphs for the network activity on each interface. There is also an option to view graphs for the
overall and individual Virtual Services and the overall and individual Real Servers.

The time granularity can be specified by selecting one of the hour, day, month, quarter or year options.

In the case of the network activity on the interface graphs, you can choose which type of measurement
unit you wish to use by selecting one of the Packet, Bits or Bytes options.

For the Virtual Services and Real Servers graphs you can choose which type of measurement unit you
wish to use by selecting one of the Connections, Bits or Bytes options.

You can configure which Virtual Service statistics are being displayed by clicking the configuration icon:

in the Virtual Services panel. This opens the Virtual Services configuration window.

From here, Virtual Services can be added or removed from the statistics display.

You can disable these graphs by disabling the Enable Historical Graphs check box in the WUI Settings
screen.

A maximum of five Virtual Services can be displayed at the same time.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 103
Web User Interface (WUI)
5 Statistics

To close the dialog and apply any changes, please ensure to click the button within the window itself.

You can configure which Real Server statistics are being displayed by clicking the configuration icon,
in the Real Servers panel. This opens the Real Servers configuration dialog in a separate window.

From here, Real Servers can be added or removed from the statistics display.

A maximum of five Real Servers can be displayed at the same time.

To close the dialog and apply any changes, please ensure you click the button within the window
itself.

By default, only the statistics for the Virtual Services and Real Servers displayed on the Statistics page are
gathered and stored. To view statistics for all Virtual Services and Real Servers, enable the Collect All
Statistics option in System Configuration > Miscellaneous Options > WUI Settings.

This option is disabled by default because collecting statistics for a large number of Virtual Services and
Real Servers can cause CPU utilization to become very high.

The graphs in the LoadMaster WUI are auto-scaling and are shown using SI magnitude units. The graph
will show the prefix of the scaling factor used so the absolute value can be calculated if needed.

The possible scaling factors and their prefixes are listed in the table below.

Symbol Prefix Factor

P peta 10^15
T tera 10^12

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 104
Web User Interface (WUI)
5 Statistics

G giga 10^9
M mega 10^6
k kilo 10^3
m milli 10^(-3)
micro 10^(-6)

To calculate the absolute real value, take the value shown in the graph and multiply it by the scaling
value.

Example

A value of 200 is shown in the connections per second graph with a scaling factor of m. As listed in the
table above, m stands for milli. Therefore, to find the absolute value of connections per second for
that time the value of 200 needs to be multiplied by a factor of 10^(-3):

10^(-3) = 0.001

200 x 0.001 = 0.2 connections per second

This calculation shows that there is less than one connection per second and, due to the fact that the
connection rate is so low, if the graph shows the absolute number of connections it will just be a straight
line at zero and offers no useful information.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 105
Web User Interface (WUI)
6 SDN Statistics

6 SDN Statistics
To view the SDN statistics, go to Statistics > SDN Statistics in the main menu of the LoadMaster WUI.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 106
Web User Interface (WUI)
6 SDN Statistics

The Name, Version and Credentials are displayed if the LoadMaster has successfully connected to the
SDN Controller.

Statistics section

Statistics will not be displayed unless the SDN Controller has been added and is communicating with the
LoadMaster. If the Name, Version and Credentials are not displaying it means that the LoadMaster is
not connected to the SDN Controller. This could mean that the configuration is not correct, or the SDN
Controller is down.

Two types of statistics are displayed on this screen - network traffic and adaptive parameters:

Network traffic - this can display the number of bits and bytes transferred per second for each of the
Real Servers. The maximum, average and minimum number of bits/bytes per second are shown.

Adaptive parameters - this displays the adaptive value (ctrl) and the weight. As the adaptive value
goes up, the weight of the Real Server goes down.

6.1 Device Information

Information about switches on a controller which has OpenFlow enabled can be viewed by clicking the
device info button.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 107
Web User Interface (WUI)
6 SDN Statistics

Further information can be seen by clicking the plus (+) button to expand each of the devices.

6.1.1 Path Information

Path information can be viewed by clicking the path info button.

The LoadMaster and the SDN controller need to be directly connected in order for the path information
to be displayed.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 108
Web User Interface (WUI)
6 SDN Statistics

To view a graphical representation of the path, click the => or <= icon in the Dir column for the relevant
path.

This screen will display the LoadMaster, Real Server and any switches in between. The LoadMaster and
Real Server are represented in brown. The LoadMaster is at the top and the Real Server is at the bottom.

The switches are represented in blue. The switch name will appear in the blue boxes if the SDN Controller
picks it up.

The Data Path Identifier (DPID) of each switch on the network is displayed on the right of the switches.
The DPID is how the controller identifies the different switches.

The Media Access Control (MAC) address of the LoadMaster and Real Server are displayed to the right of
those devices. The IP address of the LoadMaster and Real Server will also be displayed on the left.

The colour of the paths are explained below:

Light green: Traffic is idle and the link is healthy.

Red: The path is congested with traffic.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 109
Web User Interface (WUI)
6 SDN Statistics

Grey: The path between the LoadMaster and initial switch is shown as grey.

So, in the example screenshot above - the path between the Path2 and Switch2 switches is healthy but
the paths between Switch2 and Switch1 and the Real Server are congested.

The colour of the path may change as the path gets more or less congested. There is an array of red
colours that can be displayed - the darker the red colour is, the more congestion is on the path.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 110
Web User Interface (WUI)
7 Real Servers

7 Real Servers

This screen shows the current status of the Real Servers and gives the option to Disable or Enable each
Real Server. Each Real Server has corresponding buttons, and pressing one button will take an online
server offline, and vice-versa. The user can also Enable or Disable multiple Real Servers at the same time
by selecting the Real Servers that they want to perform the operation on, and clicking the relevant
button at the bottom. The status can be Enabled (Green), Disabled (Red) or Partial (Yellow) meaning the
Real Server is enabled in one Virtual Service.

Caution
Disabling a Real Server will disable it for all Virtual Services configured to use it. If it is the only Real
Server available, that is, the last one, the Virtual Service will effectively be down and not pass any traffic.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 111
Web User Interface (WUI)
8 Rules & Checking

8 Rules & Checking

8.1 Content Rules
8.1.1 Content Matching Rules

This screen shows rules that have been configured and gives the option to Modify or Delete.

To define a new rule, click the Create New button. You must give the rule a name.

Rule names must be alphanumeric, unique and start with an alpha character. They are case sensitive,
thus two different rules can exist in the form "Rule1" and rule1". Giving a rule an existing name will
overwrite the rule of that exact name. It is not possible to name a content rule default.

The options that are available depend on the Rule Type that you select. The available rules are as follows:

Rule Types:

Content Matching: matches the content of the header or body

Add Header: adds a header according to the rule

Delete Header: deletes the header according to the rule

Replace Header: replaces the header according to the rule

Modify URL: changes the URL according to the rule

For further information on configuring rules, please refer to the Content Rules, Feature Description
document.

8.1.2 Content Matching

When the Rule Type selected is Content Matching the following describes the options available.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 112
Web User Interface (WUI)
8 Rules & Checking

Rule Name

The name of the rule.

Match Type:

Regular Expression: compares the header to the rule

Prefix: compares the prefix of the header according to the rule

Postfix: compares the postfix of the header according to the rule

Header Field

The header field name must be matched. If no header field name is set, the default is to match the string
within the URL.

Rules can be matched based on the Source IP of the client by entering src-ip within the Header Field text
box. The header field is populated by the source IP of the client.

Similarly, rules can also be matched based on the HTTP Method used, for example GET, POST or HEAD.
The methods that are to be matched should be written in uppercase.

The body of a request can also be matched by typing body in the Header Field text box.

Match String

Input the pattern that is to be matched. Both Regular Expressions and PCRE are supported. The
maximum number of characters allowed is 250.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 113
Web User Interface (WUI)
8 Rules & Checking

For further information on Regular Expressions and PCRE, please refer to the Content Rules, Feature
Description document.

Negation

Invert the sense of the match.

Ignore Case

Ignore case when comparing strings.

Include Host in URL

Prepend the hostname to request URL before performing the match.

Include Query in URL

Append the query string to the URL before performing a match.

Fail On Match

If this rule is matched, then always fail to connect.

Perform If Flag Set

Only try to execute this rule if the specified flag is set.

Set Flag If Matched

If the rule is successfully matched, set the specified flag.

Using the Perform If Flag Set and Set Flag If Matched options, it is possible to make rules dependent on
each other, that is, only execute a particular rule if another rule has been successfully matched. For more
detailed instructions on chaining rules, please refer to the Content Rules, Feature Description
document.

8.1.3 Add Header

When the Rule Type selected is Add Header the following describes the options available.

Rule Name

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 114
Web User Interface (WUI)
8 Rules & Checking

This is a text box to enter the name of the rule.

Header Field to be Added

This is a text box to enter the name of the header field to be added.

Value of Header Field to be Added

This is for a textbox to enter the value of the header field to be added.

Perform If Flag Set

Only execute this rule if the specified flag is set.

The flag is set by a different rule. For further information on flags please refer to the Content Matching
section.

8.1.4 Delete Header

When the Rule Type selected is Delete Header the following describes the options available.

Rule Name

This is a textbox to enter the name of the rule.

Header Field to be Deleted

This is for a text box to enter the name of the header field to be deleted.

Perform If Flag Set

Only execute this rule if the specified flag is set.

The flag will have been set by a different rule. For a more detailed explanation of flags please refer to the
Content Matching section.

8.1.5 Replace Header

When the Rule Type selected is Replace Header the following describes the options available.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 115
Web User Interface (WUI)
8 Rules & Checking

Rule Name

This is for a textbox to enter the name of the rule.

Header Field

This is for a textbox to enter the header name field where the substitution should take place.

Match String

The pattern that is to be matched.

Value of Header Field to be replaced

This is for a textbox to enter the value of the header field to be replaced.

Perform If Flag Set

Only execute this rule if the specified flag is set.

The flag is set by a different rule. For a more detailed explanation of flags please refer to the Content
Matching section.

8.1.6 Modify URL

When the Rule Type selected is Modify URL the following describes the options available.

Rule Name

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 116
Web User Interface (WUI)
8 Rules & Checking

This is for a textbox to enter the name of the rule.

Match String

This is a textbox to enter the pattern that is to be matched.

Modified URL

This is a textbox to enter the URL that is to be modified.

Perform If Flag Set

Only execute this rule if the specified flag is set.

The flag is set by a different rule. For a more detailed explanation of flags please refer to the Content
Matching section.

8.1.7 Header Modification

For separate, detailed documentation on Header Modification, please refer to the Header Modification
Guide, Technical Note.

8.2 Check Parameters

To access the Check Parameters screen, go to Rules & Checking > Check Parameters in the main menu
of the LoadMaster WUI. The Check Parameters screen has two sections - Service Check Parameters and
either Adaptive Parameters or SDN Adaptive Parameters, depending on the Scheduling Method
selected in the Virtual Services. If the Scheduling Method is set to resource based (adaptive), the
Adaptive Parameters section is displayed. If the Scheduling Method is set to resource based (SDN
adaptive), the SDN Adaptive Parameters section is displayed.

Refer to the relevant section below to find out more information.

8.2.1 Service (Health) Check Parameters

The LoadMaster utilizes Layer 3, Layer 4 and Layer 7 health checks to monitor the availability of the Real
Servers and the Virtual Services.

Check Interval(sec)

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 117
Web User Interface (WUI)
8 Rules & Checking

With this field you can specify the number of seconds that will pass between consecutive checks. The
recommended value is 9 seconds.

Connect Timeout (sec)

The HTTP request has two steps: contact the server, and then retrieve the file. A timeout can be specified
for each step; how long to wait for a connection, how long to wait for a response. A good value for both
is 3 seconds.

Retry Count

This specifies the number of retry attempts the check will make before it determines that the server is
not functioning. A value of 1 or less disables retries.

8.2.2 Adaptive Parameters

Adaptive Interval (sec)

This is the interval, in seconds, at which the LoadMaster checks the load on the servers. A low value
means the LoadMaster is very sensitive to load, but this comes at a cost of extra load on the LoadMaster
itself. 7 seconds is a good starting value. This value must not be less than the HTTP checking interval.

Adaptive URL

The Adaptive method retrieves load information from the servers using HTTP inquiry. This URL specifies
the resource where the load information of the servers is stored. This resource can be either a file or
program (for example Adaptive Agent) that delivers this information. The standard location is /load. It is
the servers job to provide the current load data in this file in ASCII format. In doing so, the following
must be considered:

An ASCII file containing a value in the range of 0 to 100 in the first line where: 0=idle and 100=overloaded.
As the number increases, that is, the server becomes more heavily loaded, the LoadMaster will pass less
traffic to that server. Hence, it adapts to the server loading.

If the server becomes 101% or 102% loaded, a message is added to the logs.

The file is set to "/load" by default.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 118
Web User Interface (WUI)
8 Rules & Checking

The file must be accessible using HTTP.

The URL must be the same for all servers that are to be supported by the adaptive method.

This feature is not only of interest for HTTP-based Virtual Services, but for all Services. HTTP is merely
used as the transport method for extracting the application-specific load information from the Real
Server.

Port

This value specifies the port number of the HTTP daemon on the servers. The default value is 80.

Min. Control Variable Value (%)

This value specifies a threshold below which the balancer will switch to static weight-based scheduling,
that is, normal Weighted Round Robin. The value is a percentage of the maximum load (0-50). The
default is 5.

8.2.3 SDN Adaptive Parameters

Adaptive Interval (sec)

When using SDN-adaptive scheduling, the SDN controller is polled to retrieve the loading values for the
Real Server. This field value specifies how often this occurs.

Average over <N-Avg> Load values

Use this value to dampen fluctuations in the system.

UseMin. Control Variable Value (%)

Anything below the value set here is considered idle traffic and it does not affect the adaptive value
(which is displayed on the Real Servers Statistics screen), for example - in the screenshot above anything
below 5% is considered idle.

Use relative Bandwidth

Use the maximum load observed on the link as link bandwidth. KEMP recommends enabling this option.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 119
Web User Interface (WUI)
8 Rules & Checking

Current max. Bandwidth values

This section displays the current received and transmitted maximum bandwidth values.

Reset values

This checkbox can be used to reset the current max. bandwidth values.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 120
Web User Interface (WUI)
9 Certificates & Security

9 Certificates & Security

The sections below describe the various screens in the Certificates & Security section of the LoadMaster
WUI.

9.1 SSL Certificates

The SSL certificates screen looks different depending on whether the Hardware Security Module (HSM)
feature is enabled or not. To find out more about HSM, refer to the Hardware Security Module (HSM),
Feature Description on the KEMP Documentation Page.

Refer to the relevant section below, depending on your settings, to find out more information about the
SSL certificates screen.

9.1.1 HSM Not Enabled

Shown above is the Manage Certificates screen where:

Import Certificate to import the certificate with a chosen filename.

Add Intermediate refer to the Intermediate Certificates sectionfor further information.

Identifier is the name given to the certificate at the time it was created.

Common Name(s) is the FQDN (Fully Qualified Domain Name) for the site.

Virtual Services the Virtual Service with which the certificate is associated.

Assignment lists of available and assigned Virtual Services

Operations

New CSR generates a new Certificate Signing Request (CSR) based on the current certificate.

If the certificate has Subject Alternative Names (SANs), generating a CSR in this way will not add the
SANs. Instead, generate the CSR manually. For further information on this, refer to the Generate CSR
(Certificate Signing Request) section.

Replace Certificate updates or replaces the certificate stored in this file.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 121
Web User Interface (WUI)
9 Certificates & Security

Delete Certificate deletes the relevant certificate.

Reencryption Usage display the Virtual Services that are using this certificate as a client certificate
when re-encrypting.

Administrative Certificates the certificate you want to use, if any, for the administrative interface.

TPS Performance will vary based on key length. Larger keys will reduce performance.

9.1.2 HSM Enabled

Private Key Identifier

When HSM is enabled, the Generate CSR option moves from the main menu of the LoadMaster to the
Manage Certificates screen.

Enter a recognizable name for the private key on the LoadMaster and click Generate CSR. The fields on
the generate CSR screen are the same as the ones described in the Generate CSR (Certificate Signing
Request) section, except that the Use 2048 bit key field is not included.

Add Intermediate refer to the Intermediate Certificates section for further information.

Private Key - this column displays the private key name.

Common Name(s) is the FQDN (Fully Qualified Domain Name) for the site.

Virtual Services the Virtual Service with which the certificate is associated.

Assignment lists of available and assigned Virtual Services

Operations

Import Certificate import the certificate associated with this key

Delete Key delete this private key and/or certificate

Show Reencrypt Certs display the re-encrypt certificates

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 122
Web User Interface (WUI)
9 Certificates & Security

9.2 Intermediate Certificates

This screen shows a list of the installed intermediate certificates and the name assigned to them.

If you already have a certificate, or you have received one from a CSR, you can install the certificate by
clicking the Choose File button. Navigate to and select the certificate and then enter the desired
Certificate Name. The name can only contain alpha characters with a maximum of 32 characters.

Uploading several consecutive intermediate certificates within a single piece of text, as practiced by some
certificate vendors such as GoDaddy, is allowed. The uploaded file is split into the individual certificates.

9.3 Generate CSR (Certificate Signing Request)

If you do not have a certificate, you may complete the Certificate Signing Request (CSR) from and click
the Create CSR button. CSRs generated by the LoadMaster use SHA256.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 123
Web User Interface (WUI)
9 Certificates & Security

2 Letter Country Code (ex. US)

The 2 letter country code that should be included in the certificate, for example US should be entered for
the United States.

State/Province (Entire Name New York, not NY)

The state which should be included in the certificate. Enter the full name here, for example New York,
not NY.

City

The name of the city that should be included in the certificate.

Company

The name of the company which should be included in the certificate.

Organization (e.g., Marketing,Finance,Sales)

The department or organizational unit that should be included in the certificate.

Common Name

The Fully Qualified Domain Name (FQDN) for your web server.

Email Address

The email address of the responsible person or organization that should be contacted regarding this
certificate.

SAN/UCC Names

A space-separated list of alternate names.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 124
Web User Interface (WUI)
9 Certificates & Security

Alter clicking the Create CSR button, the following screen appears:

The top part of the screen should be copied and pasted into a plain text file and sent to the Certificate
Authority of your choice. They will validate the information and return a validated certificate.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 125
Web User Interface (WUI)
9 Certificates & Security

The lower part of the screen is your private key and should be kept in a safe place. This key should not be
disseminated as you will need it to use the certificate. Copy and paste the private key into a plain text file
(do not use an application such as Microsoft Word) and keep the file safe.

9.4 Backup/Restore Certs

This screen will be different depending on whether HSM has been enabled or not. Refer to the relevant
section below, depending on the LoadMaster configuration.

9.4.1 HSM Not Enabled

Backup all VIP and Intermediate Certificates: When backing up certificates, you will be prompted to
enter a mandatory passphrase (password) twice. The parameters of the passphrase are that it must be
alpha-numeric and it is case sensitive with a maximum of 64 characters.

Caution
This passphrase is a mandatory requirement to restore a certificate. A certificate cannot be restored
without the passphrase. If it is forgotten, there is no way to restore the certificate.

Backup File: select the certificate backup file

Which Certificates: select which certificates you wish to restore

Passphrase: enter the passphrase associated with the certificate backup file

9.4.2 HSM Enabled

Backup Intermediate Certificates: When backing up certificates, enter a mandatory passphrase
(password) twice. The parameters of the passphrase are that it must be alpha-numeric and it is case
sensitive with a maximum of 64 characters.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 126
Web User Interface (WUI)
9 Certificates & Security

Caution
This passphrase is a mandatory requirement to restore a certificate. A certificate cannot be restored
without the passphrase. If it is forgotten, there is no way to restore the certificate.

Intermediate Certificate Backup File: select the intermediate certificate backup file

Passphrase: enter the passphrase associated with the certificate backup file

9.5 Cipher Sets

Cipher Set

Select the cipher set to view/modify.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 127
Web User Interface (WUI)
9 Certificates & Security

The system-defined cipher sets are as follows:

Default: The current default set of ciphers in the LoadMaster.

Default_NoRc4: The Default_NoRc4 cipher set contains the same ciphers as the default cipher set,
except without the RC4 ciphers (which are considered to be insecure).

BestPractices: This is the recommended cipher set to use. This cipher set is for services that do not
need backward compatibility - the ciphers provide a higher level of security. The configuration is
compatible with Firefox 27, Chrome 22, IE 11, Opera 14 and Safari 7.

Intermediate_compatibility: For services that do not need compatibility with legacy clients (mostly
Windows XP), but still need to support a wide range of clients, this configuration is recommended. It
is compatible with Firefox 1, Chrome 1, IE 7, Opera 5 and Safari 1.

Backward_compatibility: This is the old cipher suite that works with clients back to Windows XP/IE6.
This should be used as a last resort only.

WUI: This is the cipher set recommended to be used as the WUI cipher set. The WUI cipher set can
be selected in the Admin WUI Access screen. For further information, refer to the Admin WUI
Access section.

FIPS: Ciphers which conform to FIPS (Federal Information Processing Standards).

Legacy: This is the set of ciphers that were available on the old LoadMaster firmware (v7.0-10) before
OpenSSL was updated.

Refer to the SSL Accelerated Services, Feature Description on the KEMP Documentation Page for a full
list of the ciphers supported by the LoadMaster, and a breakdown of what ciphers are in each of the
system-defined cipher sets.

KEMP Technologies can change the contents of these cipher sets as required based on the best
available information.

Two lists are displayed Available Ciphers and Assigned Ciphers. These lists can be filtered by typing
some text into the Filter text boxes provided. iThe Filter text boxes will only allow you to enter valid text
which is contained in the cipher names, for example ECDHE. If invalid text is entered, the text box will turn
red and the invalid text is deleted.

Ciphers can be dragged and dropped to/from the Available and Assigned lists as needed. Ciphers which
are already assigned will appear greyed out in the Available Ciphers list.

Changes cannot be made to a preconfigured cipher set. However, you can start with a preconfigured
cipher set make any changes as needed and then save the cipher set with a new custom name. Enter
the new name in the Save as text box and click the Save button. Custom cipher sets can be used across
different Virtual Services and can be assigned as the WUI cipher set.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 128
Web User Interface (WUI)
9 Certificates & Security

It is not possible to delete preconfigured cipher sets. However, custom cipher sets can be deleted by
selecting the relevant custom cipher set and clicking the Delete Cipher set button.

9.6 Remote Access

The sections below describe the different areas within the Remote Access screen in the LoadMaster WUI.

9.6.1 Administrator Access

Allow Remote SSH Access

You can limit the network from which clients can connect to the SSH administrative interface on
LoadMaster.

Using

Specify which addresses that remote administrative SSH access to the LoadMaster is allowed.

Only the bal user has rights to access the LoadMaster using SSH.

Port

Specify the port used to access the LoadMaster using the SSH protocol.

SSH Pre-Auth Banner

Set the SSH pre-authentication banner, which is displayed before the login prompt when logging in using
SSH. This field accepts up to 5,000 characters.

Allow Web Administrative Access

Selecting this check box allows administrative web access to the LoadMaster. Disabling this option will
stop access upon the next reboot. Click Set Administrative Access to apply any changes to this field.

Disabling web access is not recommended.

Using0

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 129
Web User Interface (WUI)
9 Certificates & Security

Specify the addresses that administrative web access is to be permitted. Click Set Administrative Access
to apply any changes to this field.

Port

Specify the port used to access the administrative web interface. Click Set Administrative Access to
apply any changes to this field.

Admin Default Gateway

When administering the LoadMaster from a non-default interface, this option allows the User to specify a
different default gateway for administrative traffic only. Click Set Administrative Access to apply any
changes to this field.

Allow Multi Interface Access

Enabling this option allows the WUI to be accessed from multiple interfaces. When this option is enabled,
a new option appears in each of the interface screens (System Configuration > eth<n>) called Allow
Administrative WUI Access. When both of these options are enabled, the WUI can be accessed from the
IP address of the relevant interface(s) and any Additional addresses configured for that interface. Click
Set Administrative Access to apply any changes to this field.

The certificate used by default to secure WUI connections specifies the initial WUI IP address, and so will
not work for WUI connections on other interfaces. If you enable the WUI on multiple interfaces, you will
need to install a wildcard certificate for the WUI. For more information on certificates, refer to the SSL
Accelerated Services, Feature Description.

Enabling the WUI on multiple interfaces can have a performance impact on the system. There is a
maximum of 64 network interfaces that can be tracked. There are a maximum of 1024 total addresses
where the system will listen on.

RADIUS Server

Here you can enter the address of the RADIUS server that is to be used to validate user access to the
LoadMaster. To use a RADIUS server, you have to specify the Shared Secret.

A Shared Secret is a text string that serves as a password between the LoadMaster and the RADIUS
server.

The Revalidation Interval specifies how often a user should be revalidated by the RADIUS server.

RADIUS Server Configuration

To configure RADIUS to work correctly with the LoadMaster, authentication must be configured on the
RADIUS server and the RADIUS Reply-Message must be mapped to LoadMaster permissions.

The Reply-Message values correspond to LoadMaster permissions as shown in the table below.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 130
Web User Interface (WUI)
9 Certificates & Security

Reply-Message LoadMaster Permission

real Real Servers
vs Virtual Services
rules Rules
backup System Backup
certs Certificate Creation
cert3 Intermediate Certificates
certbackup Certificate Backup
users User Administration
geo GEO Configuration

The values in the Reply-Message should map to the user permissions page in the WUI as per Figure 119,
with the exception of All Permissions:

To configure the Linux FreeRADIUS server, please insert the text below into the /etc/freeradius/users file
in the sections indicated within the file. The example below is to configure permissions for the user
LMUSER.

LMUSER Cleartext-Password := "1fourall"Reply-Message =

"real,vs,rules,backup,certs,cert3,certbackup,users"

The /etc/freeradius/clients.conf file must also be configured to include the LoadMaster IP address. This
file lists the IP addresses that are allowed to contact RADIUS.

When Session Management is enabled, the RADIUS Server options are not available within this screen.
Please refer to the WUI Authentication and Authorization section for further information on how to
configure RADIUS Server when Session Management is enabled.

Enable API Interface

Enables/disables the RESTful Application Program Interface (API).

Admin Login Method

This option will only appear if Session Management is enabled. For further information on Session
Management, refer to the Admin WUI Access section or the User Management, Feature Description.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 131
Web User Interface (WUI)
9 Certificates & Security

Specify the login option for access to the LoadMaster WUI. The following options are available:

Password Only Access (default): This option provides access using the username and password
only there is no access using client certificates.

Password or Client certificate: The user can log in using either the username/password or using a
valid client certificate. If a valid client certificate is in place, the username and password is not
required.
The client will be asked for a certificate. If a client certificate is supplied, the LoadMaster will check for
a match. The LoadMaster checks if the certificate is a match with one of the local certificates, or
checks if the Subject Alternative Name (SAN) or Common Name (CN) of the certificate is a match. The
SAN is used in preference to the CN when performing a match. If there is a match, the user is allowed
access to the LoadMaster. This works both using the API and user interface.
An invalid certificate will not allow access.
If no client certificate is supplied, the LoadMaster will expect that a username and password is
supplied (for the API) or will ask the user to enter a password using the standard WUI login page.

Client certificate required: Access is only allowed with the use of a client certificate. It is not possible
to log in using the username and password. SSH access is not affected by this (only the bal user can
log in using SSH).

Client certificate required (Verify via OCSP): This is the same as the Client certificate required
option, but the client certificate is verified using an OCSP service. The OCSP Server Settings must be
configured in order for this to work. For further information on the OCSP Server Settings, refer to the
Cipher Sets section.

Some points to note regarding the client certificate methods are below:

The bal user does not have a client certificate. Therefore, it is not possible to log into the LoadMaster
as bal using the Client certificate required methods. However, a non-bal user can be created and
granted All Permissions. This will allow the same functionality as the bal user.

There is no log out option for users that are logged in to the WUI using client certificates, as it is not
possible to log out (if the user did log out the next access would automatically log them back in
again). The session is terminated when the page is closed, or when the browser is restarted.

For further information on client certificate WUI authentication, including step-by-step instructions on
how to configure it, please refer to the User Management, Feature Description.

Enable Software FIPS 140-2 level 1 Mode

FIPS mode cannot be enabled if Session Management is disabled. For further information on Session
Management, refer to the Admin WUI Access section.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 132
Web User Interface (WUI)
9 Certificates & Security

Switch to FIPS 140-2 level 1 certified mode for this LoadMaster. The LoadMaster must be rebooted to
activate.

A number of warnings will appear before enabling FIPS. If FIPS is enabled on a LoadMaster, it cannot
easily be disabled. If FIPS has been enabled and you want to disable it, please contact KEMP Support.

When a LoadMaster is in FIPS level 1 mode - FIPS-1 will appear in the top-right of the LoadMaster WUI.

FIPS level 1 has a different set of ciphers to a non-FIPS LoadMaster. There is a Default cipher set and
there are no other system-defined cipher sets to choose from.

If FIPS is enabled, you cannot use RADIUS authentication.

Allow Update Checks

Allow the LoadMaster to regularly check the KEMP website for new software versions.

9.6.2 GEO Settings

Remote GEO LoadMaster Access

Set the addresses of the GEO LoadMasters that can retrieve service status information from this
LoadMaster. The addresses are space separated. When in HA mode, only the shared address needs to be
entered.

GEO LoadMaster Partners

GEO functionality comes as part of the GSLB Feature Pack and is enabled based on the license that has
been applied to the LoadMaster. If you would like to get the GSLB Feature pack, contact KEMP to
upgrade your license.

Set the addresses of the partner GEO LoadMasters. The addresses are space separated. These GEO
LoadMasters will keep their DNS configurations in sync.

Before partnering GEO LoadMasters, a backup should be taken of the relevant GEO LoadMaster which

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 133
Web User Interface (WUI)
9 Certificates & Security

has the correct/preferred configuration. This backup should then be restored to the other LoadMasters
that will be partnered with the original LoadMaster. For more information and step-by-step
instructions, refer to the GEO, Feature Description.

Up to 64 GEO HA partner addresses can be added.

GEO LoadMaster Port

The port over which GEO LoadMasters will use to communicate with this LoadMaster unit.

GEO update interface

Specify the GEO interface in which the SSH partner tunnel is created. This is the interface that the GEO
partners will communicate through.

9.6.3 GEO Partners Status

This section is only visible when GEO partners have been set.

A GEO partner status of Green indicates the two partners can see each other.

A GEO partner status of Red indicates the LoadMasters cannot communicate. The reasons for this
include (among other possibilities); one of the partners is powered down, there may be a power outage
or a cable may be disconnected.

If there is a failure to update the GEO partner, the logs display an error message saying the GEO update
to the partner failed. The message displays the IP address of the partner.

9.6.4 WUI Authentication and Authorization

WUI Authorization Options

Click the WUI Authorization Options button on the Remote Access screen to display the WUI
Authentication and Authorization screen. This option is only available when Session Management is
enabled.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 134
Web User Interface (WUI)
9 Certificates & Security

The WUI Authentication and Authorization screen enables the administration of the available
authentication (login) and authorization (allowed permissions) options.

Authentication

Users must be authenticated before logging on to the LoadMaster. The LoadMaster allows
authentication of users to be performed using the RADIUS and LDAP authentication methods as well as
Local User authentication.

When all authentication methods are selected, the LoadMaster attempts to authenticate users using the
authentication methods in the following order:

1. RADIUS

2. LDAP

3. Local Users

For example, if the RADIUS server is not available then the LDAP server is used. If the LDAP server is also
not available, then Local User authentication methods are used.

If neither RADIUS nor LDAP authentication methods are selected, then the Local User authentication
method is selected by default.

Authorization

LoadMaster allows the users to be authorized by either RADIUS or using Local User authorization. The
users authorization decides what level of permissions the user has and what functions on the
LoadMaster they are allowed to perform.

You can only use the RADIUS authorization method if you are using the RADIUS authentication method.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 135
Web User Interface (WUI)
9 Certificates & Security

When both authorization methods are selected, the LoadMaster initially attempts to authorize the user
using RADIUS. If this authorization method is not available, the LoadMaster attempts to authorize the
user using the Local User authorization. Authorization using LDAP is not supported.

If the RADIUS authorization method is not selected, then the Local User authorization method is selected
by default.

Below is an example of the configuration that needs to be on the RADIUS server for authorization to
work.

The below example is for Linux only.

The Reply-Message should be self-explanatory on what permission its allowing. They should match up
to the WUIs user permissions page, with the exception of All Permissions:

LMUSER Cleartext-Password := "1fourall"Reply-Message =

"real,vs,rules,backup,certs,cert3,certbackup,users"

The bal user is always authenticated and authorized using the Local User authentication and
authorization methods.

RADIUS Server Configuration

RADIUS Server

The IP address and Port of the RADIUS Server that is to be used to authenticate user WUI access to the
LoadMaster.

Shared Secret

This input field is for the Shared Secret of the RADUS Server.

A Shared Secret is a text string that serves as a password between the LoadMaster and the RADIUS
server.

Backup RADIUS Server

The IP address and Port of the backup RADIUS Server that is to be used to authenticate user WUI access
to the LoadMaster. This server will be used in case of failure of the main RADIUS Server.

Backup Shared Secret

This text box is to enter the Shared Secret of the backup RADUS Server.

Revalidation Interval

Specifies how often a user should be revalidated by the RADIUS server.

LDAP Endpoint

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 136
Web User Interface (WUI)
9 Certificates & Security

Select the relevant LDAP Endpoint to use. For further information on LDAP endpoints, refer to the LDAP
Configuration section.

If client users are being authenticated with client certificates, the Common Name (CN) is normalized to
lowercase. Therefore, the associated local user entries (with no password), which may be required for
permissions, should be in lowercase also.

Local Users Configuration

Use ONLY if other AAA services fail

When selected, the Local Users authentication and authorization methods are used only if the RADIUS
and LDAP authentication and authorization methods fail.

Test AAA for User

To test a users credentials, enter their username and password in the Username and Password fields
and click the Test User button.

A message appears to inform you whether the user is validated or not. This is a useful utility to check a
users credentials without having to log in or out.

9.7 Admin WUI Access

Supported TLS Protocols

Checkboxes are provided here which can be used to specify whether or not it is possible to connect to
the LoadMaster WUI using the following protocols; SSLv3, TLS1.0, TLS1.1 or TLS1.2. TLS1.1 and TLS1.2 are
enabled by default. It is not recommended to only have SSLv3 selected because SSLv3 is only supported
by some old browsers. When connecting to the WUI using a web browser, the highest security protocol
which is mutually supported by both the browser and the WUI will be used.

If FIPS mode is enabled, the only available options are TLS1.1 and TLS1.2.

WUI Cipher set

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 137
Web User Interface (WUI)
9 Certificates & Security

Select the relevant cipher set to use for WUI access. For information on each of the cipher sets available,
refer to the Cipher Sets section.

WUI Session Management

Session management is enabled by default on all LoadMasters initially deployed with firmware version
7.1.35 or above.

The level of user permissions determine what WUI Session Management fields can be seen and modified.
Refer to the table below for a breakdown of permissions.

Bal User with All User with User Administration All other
Control
user Permissions permissions users
Session Management Modify View View None
Require Basic
Modify View View None
Authentication
Basic Authentication
Modify View View None
Password
Failed Login Attempts Modify Modify View None
Idle Session Timeout Modify Modify View None
Limit Concurrent
Modify Modify View
Logins
Pre-Auth Click Through
Modify Modify View None
Banner
Currently Active Users Modify Modify View None
Currently Blocked
Modify Modify View None
Users

When using WUI Session Management, it is possible to use one or two steps of authentication.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 138
Web User Interface (WUI)
9 Certificates & Security

If Enable Session Management check box is ticked and Require Basic Authentication is disabled, the
user only needs to log in using their local username and password. Users are not prompted to log in
using the bal or user logins.

If the Enable Session Management and Require Basic Authentication check boxes are both selected,
there are two levels of authentication enforced in order to access the LoadMaster WUI. The initial level is
Basic Authentication where users log in using the bal or user logins, which are default usernames defined
by the system.

The purpose of the user user is so that administrators can provide credentials of the user user to people,
instead of providing the bal credentials. The password for the user user, can be set by configuring the
Basic Authentication Password text box. Only the bal user is permitted to set the Basic Authentication
Password.

Once logged in using Basic Authentication, the user then must log in using their local username and
password to begin the session.

Enable Session Management

Selecting the Enable Session Management check box enables the WUI Session Management
functionality. This will force all users to log in to the session using their normal credentials.

When this check box is checked, the user is required to login in order to continue to use the LoadMaster.

LDAP users need to login using the full domain name. For example; an LDAP username should be
[email protected] and not just test.

After a user has logged in, they may log out by clicking the Logout button, , in the top right-hand
corner of the screen.

Once the WUI Session Management functionality is enabled, all the WUI Session Management options
appear.

Require Basic Authentication

If WUI Session Management and Basic Authentication are both enabled, there are two levels of
authentication enforced in order to access the LoadMaster WUI. The initial level is Basic Authentication
where users log in using the bal or user logins, which are default usernames defined by the system.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 139
Web User Interface (WUI)
9 Certificates & Security

Once logged in with Basic Authentication, the user then must log in using their local username and
password to begin the session.

Basic Authentication Password

The Basic Authentication password for the user login can be set by typing the password into the Basic
Authentication Password text box and clicking the Set Basic Password button.

The password needs to be at least 8 characters long and should be a mix of alpha and numeric
characters. If the password is considered to be too weak, a message appears asking you to enter a new
password.

Only the bal user is permitted to set the Basic Authentication password.

Failed Login Attempts

The number of times that a user can fail to login correctly before they are blocked can be specified within
this text box. The valid values that may be entered are numbers between 1 and 999.

If a user is blocked, only the bal user or other users with All Permissions set can unblock a blocked user.

If the bal user is blocked, there is a cool-down period of 10 minutes before the bal user can login again.

Idle Session Timeout

The length of time (in seconds) a user can be idle (no activity recorded) before they are logged out of the
session. The valid values that may be entered are numbers between 60 and 86400 (between one minute
and 24 hours).

Limit Concurrent Logins

This option enables LoadMaster administrators to limit the maximum number of concurrent login
sessions logins a single user can have to the LoadMaster WUI at any one time.

The values that can be selected range from 0 to 9.

A value of 0 allows an unlimited number of logins.

The value entered represents the total number and is inclusive of any bal user logins.

Pre-Auth Click Through Banner

Set the pre-authentication click through banner that is displayed before the LoadMaster WUI login page.
This field can contain plain text or HTML code but not JavaScript. For security purposes, you cannot use
the (single quote) and (double-quote) characters. This field accepts up to 5,000 characters.

Active and Blocked Users

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 140
Web User Interface (WUI)
9 Certificates & Security

Only the bal user or users with All Permissions set can use this functionality. Users with User
Administration permissions set can view the screen but all buttons and input fields are greyed out. All
other users cannot view this portion of the screen.

Currently Active Users

The user name and login time of all users logged into the LoadMaster are listed within this section.

To immediately log out a user and force them to log back into the system, click the Force logout button.

To block a user from being able to log in to the system, click the Block user button. The user will not be
able to log back in to the system until they are unblocked or until the LoadMaster reboots. Clicking the
Block user button does not force the user to log off, to do this, click the Force logout button.

If a user exits the browser without logging off, that session will remain open in the currently active users
list until the timeout has reached. If the same user logs in again, before the timeout is reached, it would
be within a separate session.

Currently Blocked Users

The user name and login time of when the user was blocked are listed within this section.

To unblock a user to allow them to login to the system, click the Unblock button.

9.8 OCSP Configuration

OCSP Server

The address of the OCSP server.

OCSP Server Port

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 141
Web User Interface (WUI)
9 Certificates & Security

The port of the OCSP server.

OCSP URL

The URL to access on the OCSP server.

Use SSL

Select this to use SSL to connect to the OCSP server.

Allow Access on Server Failure

Treat an OCSP server connection failure or timeout as if the OCSP server had returned a valid response,
that is, treat the client certificate as valid.

Enable OCSP Stapling

Select this check box to enable the LoadMaster to respond to OCSP stapling requests. If a client connects
using SSL and asks for an OCSP response, this is returned. Only Virtual Service certificates are validated.
The system holds a cache of OCSP responses that are sent back to the client. This cache is maintained by
the OCSP daemon. When the OCSP daemon sends a request to the server, it uses the name specified in
the certificate (in the Authority Information Access field). If it cannot resolve this name, then it uses the
default OCSP server specified in the OCSP Server text box.

OCSP Refresh Interval

Specify how often the LoadMaster should refresh the OCSPstapling information. The OCSP daemon
caches the entry for up to the amount of time specified here, after which it is refreshed. Valid values
range from 1 hour (default) to 7 days.

9.9 HSM Configuration

Please select a HSM subsystem

This drop-down menu has two options:

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 142
Web User Interface (WUI)
9 Certificates & Security

No HSM Support

Safenet Luna HSM

To use HSM, select Safenet Luna HSM and configure the settings.

Address of the Safenet HSM

Enter the IP address of the Safenet unit to be used.

Upload the CA certificate

Upload the certificate that has been downloaded from the HSM.

Generate the HSM Client Certificate

Generate the local client certificate that is to be uploaded to the HSM. The name specified here should be
the LoadMaster FQDN name. This name should be used in the client register command on the HSM.

Password for the HSM partition

Specify the password for the partition on the HSM so that the LoadMaster can access the HSM.

The partition password cannot be set here until the certificates have been generated.

Enable Safenet HSM

This check box can be used to enable or disable HSM.

Starting the HSM may take some time.

Disabling the HSM will cause the LoadMaster to be unable to create new SSL (HTTPS) connections and
will immediately drop existing connections until another HSM is added or the certificate configuration is
changed.

It is strongly recommended to only change the HSM configuration when there are no active SSL
connections.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 143
Web User Interface (WUI)
9 Certificates & Security

9.10 LDAP Configuration

To get to the LDAP Configuration screen, expand Certificates & Security and click LDAP Configuration.
This screen provides a management interface for LDAP endpoints. These LDAP endpoints may be used in
three different areas:

Health checks

SSO domains

WUI authentication

Any existing LDAP Endpoints are listed here, with an option to Modify and Delete. If an LDAP endpoint is
in use, it cannot be deleted.

There is also an option to add a new LDAP endpoint. Type a name for the endpoint and click Add. Spaces
and special characters are not permitted in the LDAP endpoint name.

LDAP Server(s)

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 144
Web User Interface (WUI)
9 Certificates & Security

Specify a space-separated list of LDAP servers to be used. Port numbers can also be specified if required.
If you have multiple domains and are using Permitted Groups, sometimes it is necessary to include the
Global Catalog port number, otherwise the Permitted Groups will fail. The default port is 3628. For
example, 10.110.20.23:3268.

LDAP Protocol

Select the transport protocol to use when communicating with the LDAP server.

Validation Interval

Specify how often you should revalidate the user with the LDAP server.

Referral Count

The LoadMaster offers beta functionality to support LDAP referral replies from Active Directory Domain
Controllers. If this is set to 0, referral support is not enabled. Set this field to a value between 1 and 10 to
enable referral chasing. The number specified will limit the number of hops (referrals chased).

Multiple hops may increase authentication latency. There is a performance impact that depends on the
number and depth of referrals required in your configuration.

You must have intimate knowledge of your Active Directory structure to set the referral limit
appropriately. The same credentials are used for all lookups, and so on.

The use of Active Directory Global Catalog (GC) is the preferred configuration as the primary means of
resolution instead of enabling LDAP referral chasing. A GC query can be used to query the GC cache
instead of relying on LDAP and the referral process. Using Active Directory GC has little or no
performance drag on the LoadMaster. For steps on how to add/remove the GC, refer to the following
TechNet article: https://technet.microsoft.com/en-us/library/cc755257(v=ws.11).aspx

Admin User

Type the username of an administrator user.

Admin User Password

Type the password for the specified administrator user.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 145
Web User Interface (WUI)
10 System Configuration

10 System Configuration
10.1 Network Setup
10.1.1 Interfaces
Describes the external network and internal network interfaces. The screen has the same information for
the eth0 and eth1 Ethernet ports. The example below is for eth0 on a nonHA (High Availability) unit.

Interface Address

Within the Interface Address (address[/prefix]) text box you can specify the Internet address of this
interface.

Cluster Shared IP address

Specify the shared IP address which can be used to access the cluster. This is also used as the default
source address when using Server NAT.

The clustering options will only be available on LoadMasters which have a clustering license. To add the
clustering feature to your license, please contact a KEMP representative. For further information on
clustering, refer to the LoadMaster Clustering, Feature Description.

Use for Cluster checks

Use this option to enable cluster health checking between the nodes. At least one interface must be
enabled.

Use for Cluster Updates

Use this interface for cluster synchronization operations.

Speed

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 146
Web User Interface (WUI)
10 System Configuration

By default, the Speed of the link is automatically detected. In certain configurations, this speed is
incorrect and must be forced to a specific value.

Use for Default Gateway

The Use for Default Gateway checkbox is only available if the Enable Alternate GW support is selected
in the Network Options screen. If the settings being viewed are for the default interface this option will
be greyed out and selected. To enable this option on another interface, go to the other interface by
clicking it in the main menu on the left. Then this option is available to select.

Allow Administrative WUI Access

This option is only available when the Allow Multi Interface Access check box is enabled in Certificates
& Security > Remote Access.

When both of these options are enabled, the WUI can be accessed from the IP address of the relevant
interface, and any Additional addresses set up for that interface.

There is only one interface attached to all of these addresses so there may be issues with this unless the
certificate used is a wildcard certificate. For more information on certificates, refer to the SSL
Accelerated Services, Feature Description.

There is a maximum of 64 network interfaces that can be tracked and a maximum of 1024 total
addresses where the system will listen on.

Use for GEO Responses and Requests

By default, only the default gateway interface is used to listen for and respond to DNS requests. This field
gives you the option to listen on additional interfaces.

This option cannot be disabled on the interface containing the default gateway. By default, this is eth0.

When this option is enabled, GEO also listens on any Additional addresses that are configured for the
interface.

MTU

Within the MTU field you can specify the maximum size of Ethernet frames that will be sent from this
interface. The valid range is 512 - 9216.

The valid range of 512 - 9216 may not apply to VLMs as the range will be dependent on the hardware
the VLM is running on. It is advised to check your hardware restrictions.

Additional addresses

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 147
Web User Interface (WUI)
10 System Configuration

Using the Additional addresses field allows the LoadMaster to give multiple addresses to each interface,
as aliases. This is sometimes referred to as a router on a stick. It allows both IPv4 and IPv6 addresses in
standard IP+CIDR format, so this can also be used to do a mixed mode of IPv4 and IPv6 addresses on the
same interface. Any of the subnets that are added here will be available for both virtual IPs and real
server IPs.

HA

If the unit is part of a HA configuration, the following screen will be displayed when one of the interfaces
is clicked.

This screen tells the user:

This is the Master machine of the pair (top-rightof the screen)

This LoadMaster is up and the paired machine is down (green and red icons)

The IP address of this LoadMaster

The HA Shared IP address. This is the IP address used to configure the pair.

The IP address of the paired machine

This interface is enabled for HA health checking

This interface is used as the Default Gateway

The speed of the link is automatically detected

Any alternate addresses on this interface

Creating a Bond/Team

Before creating a bonded interface please note the following:

You can only bond interfaces higher than the parent, so if you choose to start with port 10 then you
can only add ports 11 and greater

Bond links first if you need VLAN tagging then add VLANs after the bond has been configured

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 148
Web User Interface (WUI)
10 System Configuration

In order to add a link to a bonded interface, any IP addressing must first be removed from the link to
be added

Enabling the Active-Backup mode generally does not require switch intervention

Bonding eth0 with eth1 can lead to serious issues and is not allowed to occur

Click Interface Bonding to request the bond.

Confirm the bond creation by clicking Create a bonded interface.

Acknowledge the warning dialogs.

Using the Web User Interface (WUI) select the System Configuration > Interfaces > bndx menu option.

If you do not see the bndX interface, refresh your browser, then select the bonded interface and click the
Bonded Devices button.

Select the desired bonding mode.

Add the additional interfaces to this bond.

Configure the IP and Subnet Mask on the bonded interface.

Removing a Bond/Team

Remove all VLANs on the bonded interface first; if you do not remove them they will automatically be
assigned to the physical port at which the bond started.

Select the System Configuration > Interfaces > bndx menu option. If you do not see the bndX interface
refresh your browser, then select the bonded interface, then click the Bonded Devices button.

Unbind each port by clicking Unbind Port, repeat until all ports have been removed from bond.

Once all child ports have been unbounded, you can unbond the parent port by clicking Unbond this
interface button.

Adding a VLAN

Select the interface and then select the VLAN Configuration button.

Add the VLAN Id value and select the Add New VLAN menu option.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 149
Web User Interface (WUI)
10 System Configuration

Repeat as needed. To view the VLANs, select the System Configuration > Network Setup menu option
and expand the drop-down list.

Removing a VLAN

Before removing a VLAN, please ensure that the interface is not being used for other purposes, for
example as a multicast interface, WUI interface, SSH interface or a GEO interface.

To remove a VLAN select the System Configuration > Network Setup menu option and select the
appropriate VLAN ID from the drop-down list.

Once selected, delete the IP and then click Set Address. Once the IP has been removed you will have the
option to delete the VLAN, by clicking the Delete this VLAN button.

Repeat as needed. To view the VLANs select the System Configuration > Interfaces menu option and
select the appropriate VLAN ID from the drop-down list.

Adding a VXLAN

Select the relevant interface and then click the VXLAN Configuration button.

Enter a new VXLAN Network Identifier (VNI) in the VNI text box. Enter the multicast group or remote
address in the Group or Remote address text box. Click Add New VXLAN.

To modify the VXLAN, go to System Configuration > Interfaces and select the VXLAN from the drop-
down list.

On this screen, the interface address of the VXLAN can be specified. The VXLAN can also be deleted from
this screen.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 150
Web User Interface (WUI)
10 System Configuration

If HA is enabled, HA parameters can be set in the VXLAN:

The HA Shared IP address. This is the IP address used to configure the HA pair.

The IP address of the partner machine

Specify whether or not this interface is used for HA health checking

10.1.2 Host & DNS Configuration

Set Hostname

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 151
Web User Interface (WUI)
10 System Configuration

Set the hostname of the local machine by entering the hostname in the Hostname text box and clicking
the Set Hostname button. Only alphanumeric characters are allowed.

Add NameServer (IP Address)

Enter the IP address of a DNS server that will be used to resolve names locally on the LoadMaster in this
field and click the Add button. A maximum of three DNS servers are allowed.

It is not possible to delete the last remaining NameServer if the DNSSEC client is enabled. The DNSSEC
client can be disabled on the Host & DNS Configuration screen.

Add Search Domain

Specify the domain name that is to be prepended to requests to the DNS NameServer in this field and
click the Add button. A maximum of six Search Domains are allowed.

Add/Modify Hosts for Local Resolution

These fields provide the ability to manipulate the host file from the LoadMaster WUI. Specify the IP
address and the host FQDN for the entry.

Enable DNSSEC Resolver

By default, the LoadMaster DNSSEC client is disabled. Only enable this option if needed. In some
circumstances, the DNSSEC validation can take a significant amount of time to fail. This can cause the
LoadMaster to appear to freeze or hang.

Ticking this option will enable DNSSEC capabilities on the LoadMaster. At least one Nameserver must be
added before DNSSEC can be enabled. The LoadMaster must be rebooted after changing the DNSSEC
option in order to activate/deactivate the feature. Once the setting is changed, it cannot be changed
again until the LoadMaster has been rebooted.

When using HA the DNSSEC option must be configured on both devices separately.

DNSSEC works with the following utilities in the LoadMaster:

Vipdump

Ping and ping6

Syslog

SNMP

Wget

NTP

SMTP

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 152
Web User Interface (WUI)
10 System Configuration

Real Servers

Automatically Update DNS Entries

When this option is enabled, the LoadMaster will try to resolve the DNS names once every hour:

If the address is not found, or if it is the same as before nothing is done (except a log entry is
generated).

If the address is different, the Real Server entry will be updated with the new address, if possible.

If the new address is invalid for some reason, for example if it is a non-local address and the Enable
Non-Local Real Servers option has been disabled, no changes are made and a log is generated.

Resolve DNS Names now

Clicking the Run Resolver Now button will force a new resolution of DNS names. The behaviour is the
same as the Automatically Update DNS Entries option, except this is a manual (not an automatic)
check.

10.1.3 Default Gateway

The LoadMaster requires a default gateway through which it can communicate with the Internet.

If both IPv4 and IPv6 addresses are being used on the LoadMaster, then both an IPv4 and IPv6 Default
Gateway Address are required.

IPv4 and IPv6 default gateways must be on the same interface.

10.1.4 Additional Routes

Further routes can be added. These routes are static and the gateways must be on the same network as
the LoadMaster. To segment traffic you can also leverage the Virtual Service level default gateway.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 153
Web User Interface (WUI)
10 System Configuration

10.1.5 Packet Routing Filter

Packet Routing Filter

If GEO is enabled, the Packet Routing Filter is enabled by default and cannot be disabled. If GEO is
disabled, the Packet Routing Filter is configurable it can be either enabled or disabled. To disable GEO,
on a LoadMaster which has GEO functionality, in the main menu, select Global Balancing and Disable
GSLB.

If the filter is not activated, the LoadMaster also acts as a simple IP-forwarder.

When the filter is activated, it restricts traffic to the LoadMaster but client-to-LoadMaster access to
Virtual Services is unaffected. Real Server initiated traffic that is processed on the LoadMaster with SNAT
is also unaffected.

The Reject/Drop blocked packets and Restrict traffic to Interfaces fields will not be displayed if the
Packet Routing Filter is disabled.

Reject/Drop blocked packets

When an IP packet is received from a host, which is blocked using the Access Control Lists (ACLs), the
request is normally ignored (dropped). The LoadMaster may be configured to return an ICMP reject
packet, but for security reasons it is usually best to drop any blocked packets silently.

Restrict traffic to Interfaces

This setting enforces restrictions upon routing between attached subnets.

Add Blocked Address(es)

The LoadMaster supports a blacklist Access Control List (ACL) system. Any host or network entered
into the ACL will be blocked from accessing any service provided by the LoadMaster.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 154
Web User Interface (WUI)
10 System Configuration

The ACL is only enabled when the Packet Filter is enabled. The whitelist allows a specific IP address or
address range access. If the address or range is part of a larger range in the blacklist, the whitelist will take
precedence for the specified addresses.

If a user does not have any addresses listed in their blacklist and only has addresses listed in their
whitelist, then only connections from addresses listed on the whitelist are allowed and connections from
all other addresses are blocked.

This option allows a user to add or delete a host or network IP address to the Access Control List. In
addition to IPv4 addresses - IPv6 addresses are allowed in the lists if the system is configured with an
IPv6 address family. Using a network specifier specifies a network.

For example, specifying the address 192.168.200.0/24 in the blacklist will block all hosts on the
192.168.200 network.

A static port Virtual Service, with an access list defined to block particular traffic, will not work correctly if
you also have a wildcard Virtual Service on the same IP address. The wildcard Virtual Service will accept
the traffic after the static port Virtual Service denies it.

It is recommended to use a separate IP address in this case to avoid unexpected behavior resulting
from this interaction.

10.1.6 VPN Management

The VPN Management link/screen will only be available if the LoadMaster is licensed for IPsec
tunneling.

For further information on IPsec tunneling, including step-by-step instructions on how to set it up, refer
to the IPsec Tunneling, Feature Description.

Connection Name

Specify a unique name to identify the connection.

Create

Create a uniquely identifiable connection with the specified name.

View/Modify

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 155
Web User Interface (WUI)
10 System Configuration

View or modify the configuration parameters for this connection.

Delete

Delete this connection.

All associated configuration will be permanently deleted. A connection can be deleted at any time, even
if it is running.

10.1.6.1 View/Modify VPN Connection

When initially creating a connection, or when modifying a connection, the View/Modify VPN
Connection screen appears.

Local IP Address

Set the IP address for the local side of the connection.

In non-HA mode, the Local IP Address should be the LoadMaster IP address, that is, the IP address of
the default gateway interface.

In HA-mode, the Local IP Address should be the shared IP address. This will be automatically populated
if HA has already been configured. For more information on setting up tunneling in a HA configuration,
refer to the next section.

Local Subnet Address

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 156
Web User Interface (WUI)
10 System Configuration

When the Local IP Address is set the Local Subnet Address text box is automatically populated. The
local IP can be the only participant if applicable, given the /32 CIDR. Review the Local Subnet Address
and update it if needed. Ensure to click Set Local Subnet Address to apply the setting, whether the
address has been changed or not. Multiple local subnets can be specified using a comma-separated list.
Up to 10 IP addresses can be specified.

Remote IP Address

Set the IP address for the remote side of the connection. In the context of an Azure endpoint, this IP
address is expected to be the public-facing IP address for the Virtual Private Network (VPN) Gateway
device.

Remote Subnet Address

Set the subnet for the remote side of the connection. Multiple remote subnets can be specified using a
comma-separated list. Up to 10 IP addresses can be specified.

Perfect Forward Secrecy

Activate or deactivate the Perfect Forward Secrecy option.

The cloud platform being used will determine what the Perfect Forward Secrecy option should be set
to. Perfect Forward Secrecy is needed for some platforms but is unsupported on others. To find out
what will work with your cloud platform, refer to the IPsec Tunneling, Feature Description document.

Local ID

Identification for the local side of the connection. This may be the local IP address. This field is
automatically populated with the same address as the Local IP Address if the LoadMaster is not in HA
mode.

If the LoadMaster is in HA mode, the Local ID field will be automatically set to %any. This value cannot be
updated when the LoadMaster is in HA mode.

Remote ID

Identification for the remote side of the connection. This may be the remote IP address.

Pre Shared Key (PSK)

Enter the pre-shared key string.

Save Secret Information

Generate and save the connection identification and secret information.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 157
Web User Interface (WUI)
10 System Configuration

10.2 HA and Clustering

This section in the WUI is only called HA and Clustering if you have a LoadMaster license with clustering
enabled. If you do not have clustering, this section will be called HA Parameters and you will not see the
screen shown above. If clustering has been configured, this section will be called Cluster Control.

This screen describes both HA Mode and Clustering. Select the relevant option and click Confirm to
continue.

Once clustering is configured, the HA mode options will be unavailable.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 158
Web User Interface (WUI)
10 System Configuration

10.2.1 HA Mode

If you are using the LoadMaster for Azure product, refer to the Azure HA Parameters section.

The role of the appliance can be changed by setting the HA Mode. If HA (First) Mode or HA (Second)
Mode is selected as the HA Mode, a prompt will appear reminding to add a shared IP. Changing the HA
Mode will require a reboot, so after the details are set, click the Reboot button provided. Once the
LoadMaster has rebooted, the HA menu option will be available in the System Configuration section
provided the role is not Non HA Mode. HA will NOT work if both machines are specified the same.

When logged into the HA cluster, use the shared IP address to view and set full functionality to the pair.
If you log into the direct IP address of either one of the devices the menu options are quite different (see
menus below). Logging into one of the LoadMaster directly is usually reserved for maintenance.

When a LoadMaster is in HA mode, the following screen appears when you select the HA Parameters
menu option.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 159
Web User Interface (WUI)
10 System Configuration

HA Status

At the top of the screen, next to the time, icons are shown to denote the real-time status of the
LoadMaster units in the cluster. There will be an icon for each unit in the cluster. You can open the WUI
for the first or second HA unit by clicking the relevant status icon.

The possible icons are:

Green The unit is online and operational and the HA units are correctly paired.
(with A) The A in the middle of the square indicates that this is the master (active) unit.

Green The unit is online and operational and the HA units are correctly paired.
(without The absence of an A in the middle of the square indicates that this is not the
A) master unit (standby).
The unit is not operational. It may be offline or misconfigured. The unit is not ready
Red/Yellow
to take over. It may be offline or incorrectly paired.
When the unit reboots more than 3 timesin 5 minutes it moves into a pacified
state. In this state the machine is only accessible using the direct machine WUI (not
the shared WUI), and, it is not participating in any HA activity, that is, no changes
Blue
from the master are received and it will not take over if the master fails. To remove
the unit from the pacified state, log in to the pacified LoadMaster through SSH or
the console and reboot.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 160
Web User Interface (WUI)
10 System Configuration

The machine is in an indeterminate state and may require a reboot to return to

operation. In some cases, this may mean Bboth machines are active, that is, both
Grey
are set to master, and something has gone seriously wrong. CALLall KEMP Support
for assistance with this issue, if rebooting does not solve it.
If the HA status squares are not appearing in the WUI, it probably means that HA is
No HA
not enabled. Go to System Administration and select the HA option. Ensure the
icons
HA Mode is set to either First or Second.

In HA mode each LoadMaster will have its own IP address used only for diagnostic purposes directly on
the unit. The HA pair have a shared IP address over which the WUI is used to configure and manage the
pair as a single entity.

Both HA1 and HA2 must be on the same subnet with the same default gateway and be in the same
physical site. They must not be separated by an intra-site link and must use the same gateway to return
traffic.

HA Mode

If using a single LoadMaster, select Non-HA Mode. When setting up HA mode, one LoadMaster must be
set to HA (First) and the other HA (Second). If they are both set to the same option, HA will not operate.

KEMP supplies a license that is HA enabled for each HA unit and specifies the first or second unit.
Therefore, it is not recommended that you change this option until you have discussed the issue with
KEMP Support.

HA Timeout

The time that the Master machine must be unavailable before a switchover occurs. With this option, the
time it takes an HA cluster to detect a failure can be adjusted from 3 seconds to 15 seconds in 3 second
increments. The default value is 9 seconds. A lower value will detect failures sooner, whereas a higher
value gives better protection against a DOS attack.

HA Initial Wait Time

How long after the initial boot of a LoadMaster, before the machine decides that it should become active.
If the partner machine is running, then this value is ignored. This value can be changed to mitigate the
time taken for some intelligent switches to detect that the LoadMaster has started and to bring up the
link.

HA Virtual ID

When using multiple HA LoadMaster clusters on the same network, this value uniquely identifies each
cluster so that there are no potential unwanted interactions.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 161
Web User Interface (WUI)
10 System Configuration

All LoadMasters on the network that are or will be configured into HA pairs must be assigned unique HA
Virtual ID numbers.

As of the 7.2.36 release, the LoadMaster selects a virtual ID based on the shared IP address of the first
configured interface (the last 8 bits). It is selected and displayed once both the shared address and the
partner address have been set. You can change the value to whatever you want (in the range 1 255) or
you can keep it at the value it already selected. Please ensure the virtual ID is unique on each LoadMaster
on the network.

Switch to Preferred Server

By default, neither partner in a HA cluster has priority. So that when a machine restarts after a
switchover, the machine becomes the slave and stays in that state until forced to Master. Specifying a
preferred host means that when this machine restarts, it will always try to become master and the
partner will revert to slave mode. If a preferred server is specified, this will result in a double failover
event because if the master unit fails, the slave unit will take over as master and when the preferred unit
comes back up it will take over as master.

HA Update Interface

The interface used to synchronize the HA information within the HA cluster.

Force Partner Update

Immediately forces the configuration from the active to standby unit without waiting for a normal
update.

Inter HA L4 TCP Connection Updates

When using L4 services, enabling updates will allow L4 connections to be maintained across a HA
switchover by sharing the connection table. This option is ignored for L7 services.

Inter HA L7 Persistence Updates

When using L7 services, enabling this option will allow persistence information to be shared between the
HA partners. If an HA failover occurs, the persistence information will not be lost. Enabling this option can
have a significant performance impact.

HA Multicast Interface

The network interface used for multicast traffic which is used to synchronize Layer 4 and Layer 7 traffic
when Inter-HA Updates are enabled.

Use Virtual MAC Addresses

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 162
Web User Interface (WUI)
10 System Configuration

Enabling this option forces the MAC address to switch between a HA pair during a switchover which is
useful when gratuitous ARPs (used in communicating changes in HA IP addresses to switches) are not
allowed.

This option is only available for hardware LoadMasters.

10.2.1.1 Azure HA Parameters

This screen is only available in LoadMaster for Azure products.

Azure HA Mode

Select the required HA mode for this unit. There are three options:

Master HA Mode

Slave HA Mode

Non HA Mode

If you are only using a single LoadMaster, select Non HA Mode.

When using HA mode, one machine must be specified as the Master and the second machine must be
specified as the Slave.

HA will not work if both units have the same value selected for the Azure HA Mode.

Synchronization of Virtual Service settings only occurs from the master to the slave. Changes made to
the master will be replicated to the slave. However, changes made to the slave are never replicated to
the master.

If the master unit fails, connections will be directed to the slave unit. The master unit is the master and
will never become the slave, even if it fails. Similarly, the slave unit will never become the master. When
the master unit comes back up, connections will automatically be directed to the master unit again.

You can tell, at a glance, which unit is the master, and which is the slave, by checking the mode in the top
bar of the LoadMaster.

Partner Name/IP

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 163
Web User Interface (WUI)
10 System Configuration

Specify the host name or IP address of the HA partner unit.

Health Check Port

Set the port over which the health check will be run. The port must be the same on both the master and
slave unit in order for HA to function correctly.

10.2.1.2 AWS HA Parameters

This screen is only available in LoadMaster for Amazon Web Services (AWS) products.

AWS HA Mode

Select the required HA mode for this unit. There are three options:

Master HA Mode

Slave HA Mode

Non HA Mode

If you are only using a single LoadMaster, select Non HA Mode.

When using HA mode, one machine must be specified as the Master and the second machine must be
specified as the Slave.

HA will not work if both units have the same value selected for the AWS HA Mode.

Synchronization of Virtual Service settings only occurs from the master to the slave. Changes made to
the master will be replicated to the slave. However, changes made to the slave are never replicated to
the master.

If the master unit fails, connections will be directed to the slave unit. The master unit is the master and
will never become the slave, even if it fails. Similarly, the slave unit will never become the master. When
the master unit comes back up, connections will automatically be directed to the master unit again.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 164
Web User Interface (WUI)
10 System Configuration

You can tell, at a glance, which unit is the master, and which is the slave, by checking the mode in the top
bar of the LoadMaster.

Partner Name/IP

Specify the host name or IP address of the HA partner unit.

Health Check Port

Set the port over which the health check will be run. The port must be the same on both the master and
slave unit in order for HA to function correctly.

10.2.2 Cluster Control

The Cluster Control option will only be available on LoadMasters which have a clustering license. To add
the clustering feature to your license, please contact a KEMP representative. For further information on
clustering, refer to the LoadMaster Clustering, Feature Description.

Create New Cluster: If setting up a new cluster, click this button.

Add to Cluster: Add this LoadMaster to an already existing cluster.

When the Create New Cluster button is clicked, the screen above will appear which prompts to set the
shared IP address of the cluster. The shared IP address is the address which will be used to administer
the cluster.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 165
Web User Interface (WUI)
10 System Configuration

When the Create a New Cluster button is clicked, the LoadMaster reboots. A message will appear asking
to reconnect to the shared IP address that was just set.

After creating a cluster, the Cluster Control screen in the WUI of the shared IP address will allow the
addition of LoadMaster nodes into the cluster.

A LoadMaster can only be added to a cluster when the cluster is available and the LoadMaster is waiting
to join the cluster. Refer to the LoadMaster Clustering, Feature Description for further information and
steps.

The Cluster Control screen, in the shared IP address WUI, displays details for each of the nodes in the
cluster.

Show Options: Clicking the Show Options button will display the Cluster Parameters section which
contains two additional fields which can be used to set the Cluster Virtual ID and Node Drain Time. For
further information, refer to the LoadMaster Clustering, Feature Description.

ID: The cluster ID.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 166
Web User Interface (WUI)
10 System Configuration

Address: The IP address of the LoadMaster node. If a second IP address appears in brackets after the
first one - the second IP address is the IP address of the interface port. Icons are displayed depending on
the status:

Icon Status Description

Admin The node is the primary control node.

Disabled The node is disabled - connections will not be sent to that node.

Starting The node is starting (enabling).

Up The node is up.

Down The node is down.

The node has been disabled and the connections are being shut down in an orderly
fashion. Drain stopping lasts for 10 seconds by default. This can be updated by
Draining
changing the Node Drain Time value on the Cluster Control screen. For more
information, refer to the LoadMaster Clustering, Feature Description.

Operation: The different operations that can be performed in relation to the notes:

Disable: Disable the node. Nodes that are disabled will first go through drain stopping. During the
drain stopping time, the connections are shut down in an orderly fashion. After the drain, the node
will be disabled and no traffic will be directed to that node.

Enable: Enable the node. When a node comes up, it will not be immediately be brought into
rotation. It will only come online after it has been up for 30 seconds.

Delete: Delete a node from the cluster. When a node is deleted it becomes a regular single
LoadMaster instance. If the LoadMaster is later added back in to the cluster, any configuration
changes that have been made in the shared IP address will propagate to the node LoadMaster.

Reboot: When performing a cluster-wide firmware update, a Reboot button will appear on this
screen after uploading the firmware update patch. For step-by-step instructions on how to perform
a cluster-wide firmware update, refer to the LoadMaster Clustering, Feature Description.

Add New Node: Add a new node with the specified IP address to the cluster.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 167
Web User Interface (WUI)
10 System Configuration

10.2.2.1 Cluster Parameters

When the Show Options button is clicked, the Cluster Parameters section appears. This section
contains two additional WUI options - Cluster Virtual ID and Node Drain Time.

Cluster Virtual ID

When using multiple clusters or LoadMaster HA systems on the same network, the virtual ID identifies
each cluster so that there are no potential unwanted interactions. The cluster virtual ID is set to 1 by
default, but it can be changed if required. Valid IDs range from 1 to 255. Changes made to an admin
Loadmaster propagate across all nodes in the cluster.

Node Drain Time

When a node is disabled, the connections that are still being served by the node are allowed to continue
for the amount of seconds specified in the Node Drain Time text box. No new connections will be
handled by the node during this time. The Node Drain Time is set to 10 seconds by default, but it can be
changed if required. Valid values range from 1 to 600 (seconds).

During the drain time the status changes to Draining until the specified drain time elapses.

When the drain time has elapsed the status changes to disabled.

10.3 System Administration

These options control the base-level operation of the LoadMaster. It is important to know that applying
changes to these parameters in a HA pair must be done using the floating management IP. Many of
these options will require a system reboot. When configuring these parameters, only the active system
in a pair is affected.

10.3.1 User Management

The content below describes the different user management WUI fields. For further information on user
management and WUI authentication, refer to the User Management, Feature Description.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 168
Web User Interface (WUI)
10 System Configuration

The Change Password section can be used to change the appliance password. This is a local change only
and does not affect the password of the partner appliance in a HA deployment.

The Local Users section lists any existing local users. Two options are available for existing users:

Modify: Change details for an existing local user, such as their permissions and password. For
further information, refer to the Modify User section.

Delete: Delete the relevant user.

New users can be added in the Add User section.

Usernames can be a maximum of 64 characters long. Usernames can start with a digit and can contain
alphanumeric characters, in addition to the following special characters:

=~^._+#@\/-

Passwords must be a minimum of 8 and a maximum of 64 characters long. All characters are allowed,
except \`.

The Use RADIUS Server option allows you to determine if RADIUS server authentication will be used
when the user is logging in to the LoadMaster. The RADIUS Server details must be setup before this
option can be used.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 169
Web User Interface (WUI)
10 System Configuration

When RADIUS authentication is in use, the LoadMaster passes the users details to the RADIUS server
and the RADIUS server informs the LoadMaster whether the user is authenticated or not. For further
details on how to configure the RADIUS Server details please refer to the WUI Authentication and
Authorization section and the RADIUS Authentication and Authorization, Technical Note.

When Session Management is enabled, the Use RADIUS Server option is not available within this
screen. Please refer to the WUI Authentication and Authorization section for further information on
how to configure RADIUS Server when Session Management is enabled.

When Session Management is enabled, a check box called No Local Password will be displayed in the
Add User section. This option can be enabled if client certificate authentication will be used to
authenticate this user when they are accessing the LoadMaster. To enable client certificate
authentication, set the Admin Login Method in the Remote Access screen. For further information,
refer to the Remote Access section or the User Management, Feature Description.

10.3.1.1 Modify User

In this screen you may set the level of user permissions. This determines what configuration changes the
user is allowed to perform. The primary user (bal) always has full permissions. Secondary users may be
restricted to certain functions.

For further information regarding user permissions, please refer to the KEMP LoadMaster, Product
Overview.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 170
Web User Interface (WUI)
10 System Configuration

The Change Password section can be used to modify a users password. It is also possible to enable and
disable RADUIS server authentication for a user.

When Session Management is enabled, the Use RADIUS Server option is not available within this
screen. Please refer to the WUI Authentication and Authorization section for further information on
how to configure RADIUS Server when Session Management is enabled.

When Session Management is enabled, a check box called No Local Password will be displayed in the
Change Password section. This option can be enabled if client certificate authentication will be used to
authenticate this user when they are accessing the LoadMaster. To enable client certificate
authentication, set the Admin Login Method in the Remote Access screen. For further information,
refer to the Remote Access or the User Management, Feature Description.

Named users, even those without User Administration privileges, can change their own passwords.
When a named user clicks the System Administration > User Management menu option the Change
Password screen appears.

From within this screen, users can change their own password. Passwords must be a minimum of 8 and a
maximum of 64 characters long. All characters are allowed, except \`. Once changed, a confirmation
screen appears after which the users will be forced to log back in to the LoadMaster using their new
password.

In the Local Certificate section, a certificate can be generated for the user. A Passphrase can be
optionally set which is used to encrypt the private key. Once that certificate has been downloaded, it can
be used as a client certificate to allow password-less access to the LoadMaster API. Users with User
Administration permissions are able to manage local certificates for themselves and other users.

To enable client certificate authentication to the LoadMaster, set the Admin Login Method in the
Remote Access screen. For further information, please refer to the Remote Access section or the User
Management, Feature Description.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 171
Web User Interface (WUI)
10 System Configuration

10.3.2 Update License

This screen displays the activation date and the expiration date of the current license. Before updating
the license in the LoadMaster, you must either contact your KEMP representative, or use the Upgrade
option. After you have contacted KEMP or used the upgrade option, there are two ways to update a
license using the Online method and using the Offline method. Refer to the sections below to find out
details about the screens for each method.

For more information and instructions, refer to the Licensing, Feature Description.

10.3.2.1 Online Method

To upgrade the license using the online method, the LoadMaster must be connected to the internet. You
will need to enter your KEMP ID and Password to license using the online method.

10.3.2.2 Offline Method

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 172
Web User Interface (WUI)
10 System Configuration

To upgrade the license using the offline method, you need to enter license text in the LoadMaster. You
can either get this from KEMP or using the Get License link.

A reboot may be required depending on which license you are applying. If upgrading to an ESP license, a
reboot is required after the update.

10.3.2.3 Debug Checks

If you try to license and there are any issues, a number of checks are performed automatically and the
results and associated error message are displayed.

These checks perform the following tasks:

Ping Default Gateway

Ping DNS Servers

Ping Licensing Server

10.3.3 System Reboot

Reboot

Reboot the appliance.

Shutdown

Clicking this button attempts to power down the LoadMaster. If, for some reason, the power down fails,
it will at a minimum halt the CPU.

Reset Machine

Reset the configuration of the appliance with exception of the license and username and password
information. This only applies to the active appliance in a HA pair.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 173
Web User Interface (WUI)
10 System Configuration

10.3.4 Update Software

Contact support to obtain the location of firmware patches and upgrades. Firmware downloads require
Internet access. Detailed patch information is available at http://forums.kemptechnologies.com/

Update Machine

After you have downloaded the firmware you can browse to the file and upload the firmware directly into
LoadMaster. The firmware will be unpacked and validated on LoadMaster. If the patch is validated
successfully you will be ask to confirm the release information. To complete the update you will need to
reboot the appliance. This reboot can be deferred if needed.

Update Cluster

The Update Cluster option will only be available on LoadMasters which have a clustering license. To
add the clustering feature to your license, please contact a KEMP representative. For further
information on clustering, refer to the LoadMaster Clustering, Feature Description.

The firmware on all LoadMasters in a cluster can be updated using the shared IP address by clicking the
Update Cluster button. For step-by-step instructions on how to perform a cluster-wide software update,
refer to the LoadMaster Clustering, Feature Description.

Restore Software

If you have completed an update of LoadMasters firmware you can use this option to revert to the
previous build.

Installed Addon Packages

Add-on packages can be installed in the KEMP LoadMaster. Add-on packages provide features that are
additional to those already included in the LoadMaster. KEMP Technologies plan on creating further add-
on packages in the future.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 174
Web User Interface (WUI)
10 System Configuration

Add-On packages can be downloaded from the KEMP Technologies website:

www.kemptechnologies.com

To install an add-on package, click Choose File, browse to and select the file and click Install Addon
Package. A reboot is required in order for the add-on package to be fully installed. If an add-on package
of the same name is uploaded, the existing one will be overwritten/updated.

If an installed add-on package cannot be started, the text will display in red and the hover text will show
that the package could not be started.

10.3.5 Backup/Restore

Create Backup File

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 175
Web User Interface (WUI)
10 System Configuration

Generate a backup that contains the Virtual Service configuration, the local appliance information and
statistics data. License information and SSL Certificate information is not contained in the backup.

For ease of identification, the Backup file name includes the LoadMasters hostname.

By default, the LoadMaster includes a Netstat output in backups taken. When this is included, backups
take longer to complete. You can stop the Netstat output from being included by disabling the Include
Netstat in Backups option in the Debug Options screen (System Configuration > Logging Options >
System Log Files >Debug Options).

Restore Backup

When performing a restore (from a remote machine), the user may select what information should be
restored: the VS Configuration only, LoadMaster Base Configuration only, Geo Configuration or a
combination of the three options.

It is not possible to restore a single machine configuration onto a HA machine and vice versa.

It is not possible to restore a configuration with ESP-enabled Virtual Services onto a machine which is
not enabled for ESP.

Automated Backups

If the Enable Automated Backups check box is selected, the system may be configured to perform
automated backups on a daily or weekly basis.

For ease of identification, the Backup file name includes the LoadMasters hostname.

If the automated backups are not being performed at the correct time, ensure the NTP settings are
configured correctly. For further information, refer to the Date/Time section.

When to perform backup

Specify the time (24 hour clock) of backup. Also select whether to backup daily or on a specific day of the
week. When ready, click the Set Backup Time button.

In some situations, spurious error messages may be displayed in the system logs, such as:

Dec 8 12:27:01 KEMP_1 /usr/sbin/cron[2065]: (system) RELOAD (/etc/crontab)

Dec 8 12:27:01 KEMP_1 /usr/sbin/cron[2065]: (CRON) bad minute (/etc/crontab)

These can be safely ignored and the automated backup will likely still complete successfully.

Backup Method

Select the file transfer method for automated backups:

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 176
Web User Interface (WUI)
10 System Configuration

Ftp (insecure)

scp (secure)

If using scp, identity information must be supplied (using the Remote Identity value field).

Remote user

Set the username required to access remote host.

Remote Identity value

If using scp as the backup method, the Remote Identity value must be provided. This is the SSH private
key generated using ssh-keygen on the remote scp server.

Remote password

The Remote password is used when the Backup Method is set to Ftp (insecure). Set the password
required to access remote host. This field accepts alpha-numeric characters and most non-alphanumeric
characters. Disallowed characters are as follows:

Control characters

(apostrophe)

` (grave)

The delete character

Remote host

Set the remote host name.

Remote Pathname

Set the location on the remote host to store the file.

Test Automated Backups

Clicking the Test Backup button performs a test to check if the automated backup configuration is
working correctly. The results of the test can be viewed within the System Message File.

The Automated Backup transfer protocolis currently FTP only.

10.3.6 Date/Time
You can manually configure the date and time of LoadMaster or leverage an NTP server.

NTP host(s)

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 177
Web User Interface (WUI)
10 System Configuration

Specify the host which is to be used as the NTP server. NTP is a strongly preferred option for a HA cluster.
For a single unit it is at the users discretion. Clicking the Set NTP host button will refresh the time based
on the details configured.

If you do not have a local NTP server, refer to www.pool.ntp.org for a list of public NTP server pools
which can be used.

The time zone must always be set manually.

Show NTP Authentication Parameters/Disable NTP Authentication

The LoadMaster supports NTPv4 which uses cryptographic signing to query a secure NTP server. This
uses a simple authorization scheme which uses a shared secret and key to validate that the response
from the server is actually valid. Enable the Show NTP Authentication Parameters check box to display
the parameters that are needed to support NTP authenticated requests. If you select the Show NTP
Authentication Parameters checkbox and change any of the parameters, the name of the check box
changes to Disable NTP Authentication.

NTP Key Type

Select either the MD5 or SHA-1 NTP key type.

For the NTPv4 feature to work, a file must be created on the server (/etc/ntp.keys), which has the
following format:
<keyid> M <secret string>
...
<keyid> M <secret string>
To enable the use of the key, specify the keyid in the trustedkey line of /etc/ntp.conf, for
example, if the keyid is 5 then you have to specify trustedkey5. The trustedkey value can take
multiple values, for example trustedkey 1 2 3 4 5 9 10).

NTP Shared Secret

The NTP shared secret string. The NTP secret can be a maximum of 20 ASCII characters long or 40
hexadecimal characters long.

NTP Key ID

Select the NTP key ID. The values range from 1 to 99. Different key IDs can be used for different servers.

10.4 Logging Options

Logging of LoadMaster events can be both pushed and also pulled from the appliance. It is important to
note that log files on LoadMaster are not historical, if the appliance reboots the logs are reset. It is
important to keep a record of events generated on LoadMaster on a remote facility.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 178
Web User Interface (WUI)
10 System Configuration

10.4.1 System Log Files

Boot.msg File - contains information, including the current version, during the initial starting of
LoadMaster.

Warning Message File - contains warnings logged during the operation of LoadMaster.

System Message File - contains system events logged during the operation of LoadMaster. This includes
both operating system-level and LoadMaster internal events.

Nameserver Log File - show the DNS name server log.

Nameserver Statistics - show the latest name server statistics.

IPsec IKE Log - show the IPsec IKE log.

WAF Event Log - contains logs for most recently triggered WAF rules.

Audit LogFile - contains a log for each action which is performed by a user; either using the API or the
WUI. This will only function if session management is enabled. For further information on session
management, refer to the Admin WUI Access section.

Reset Logs - will reset ALL log files.

Save all System Log Files - is used if you need to send logs to KEMP support as part of a support effort.
Click this button, save the files to your PC and forward them to KEMP support.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 179
Web User Interface (WUI)
10 System Configuration

10.4.1.1 Debug Options

The LoadMaster has a range of features that will help you and KEMP Support staff with diagnosing
connectivity issues. Clicking Debug Options brings up the screen shown below.

WARNING KEMP Technologies does not recommend using debug commands during normal
operation. They should ideally only be used in conjunction with a KEMP Support Technicians
recommendations.

Note: Debug commands have performance impacts on the LoadMaster and may expose your system
to additional security vulnerabilities during the time they are running.

Disable All Transparency

Disables transparency on every Virtual Service and forces them to use Layer 7. Use with caution.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 180
Web User Interface (WUI)
10 System Configuration

Enable L7 Debug Traces

Generates log traffic in the message files. Due to the large amount of files being logged it slows down L7
processing.

Perform an l7adm

Displays raw statistics about the L7 subsystem.

Enable WAF Debug Logging

Enable WAF debug traces.

This generates a lot of log traffic. It also slows down WAF processing. Only enable this option when
requested to do so by KEMP Technical Support. KEMP does not recommend enabling this option in a
production environment.

The WAF debug logs are never closed and they are rotated if they get too large. WAF needs to be
disabled and re-enabled in all WAF-enabled Virtual Service settings in order to re-enable the debug logs.
Alternatively, perform a rule update, with rules that are relevant for the Virtual Service(s).

Enable IRQ Balance

Enable this option only after consulting with KEMP support staff.

Enable TSO

Enable TCP Segmentation Offload (TSO).

Only modify this option after consultation with KEMP Technical Support. Changes to this option will
only take affect after a reboot.

Enable Bind Debug Traces

Enable bind debug trace logs for GEO.

Perform a PS

Performs a ps on the system.

Display Meminfo

Displays raw memory statistics.

Display Slabinfo

Displays raw slab statistics.

Perform an Ifconfig

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 181
Web User Interface (WUI)
10 System Configuration

Displays raw Ifconfig output.

Perform a Netstat

Displays Netstat output.

Include Netstat in Backups

By default, the LoadMaster includes a Netstat output in backups taken. When this is included, backups
take longer to complete. You can stop the Netstat output from being included by disabling this option.

Reset Statistic Counters

Reset all statistics counters to zero and delete any old graphs. This also deletes the Round Robin
Database (RRD) files but these files are automatically recreated when needed.

Flush OCSPD Cache

When using OCSP to verify client certificates, OCSPD caches the responses it gets from the OCSP server.
This cache can be flushed by pressing this button. Flushing the OCSPD cache can be useful when testing,
or when the Certificate Revocation List (CRL) has been updated.

Enable SSOMGR Debug Traces

Enabling this option will record any login attempts to the SSO domains configured on the LoadMaster.
When this option is enabled, the logs are stored in the SSOMGR Audit Logs in the Extended Log Files
screen. For further information on these log files, refer to the Extended Log Files section.

Stop IPsec IKE Daemon

Stop the IPsec IKE daemon on the LoadMaster.

If this button is clicked, the connection for all tunnels will go down.

Perform an IPsec Status

Display the raw IPsec status output.

Enable IKE Debug Level Logs

Control the IPsec IKE log level.

Flush SSO Authentication Cache

Clicking the Flush SSO Cache button flushes all Single Sign-On (SSO) records, resets all authentication
server statuses, resets the KCD domain (if relevant) and re-reads the configuration. This has the effect of
logging off all clients using Single Sign-On to connect to the LoadMaster.

Linear SSO Logfiles

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 182
Web User Interface (WUI)
10 System Configuration

By default, older log files are deleted to make room for newer log files, so that the filesystem does not
become full. Selecting the Linear SSO Logfiles check box prevents older files from being deleted.

When using Linear SSO Logging, if the log files are not periodically removed and the file system becomes
full, access to ESP-enabled Virtual Services will be blocked, preventing unlogged access to the virtual
service. Access to non-ESP enabled Virtual Services are unaffected by the Linear SSO Logfile feature.

Netconsole Host

The syslog daemon on the specified host will receive all critical kernel messages. The syslog server must
be on the local LAN and the messages sent are UDP messages.

You can select which interface the Netconsole Host is set to using the Interface dropdown.

Please ensure that the netconsole host specified is on the selected interface as errors may occur if it is
not.

Ping Host

Performs a ping on the specified host. The interface which the ping should be sent from can be specified
in the Interface drop-down list. The Automatic option selects the correct interface to ping an address on
a particular network.

The interface tries to determine if the address to ping is an IPv4 or IPv6 address and selects the correct
command to perform the ping. For an address in numeric form this is simple, however this is not
possible for non-numeric addresses so they will always be treated as an IPv4 address.

Ping6 Host

Perform a ping6 of a specific IPv6 host.

Traceroute Host

Perform a traceroute of a specific host.

Kill LoadMaster

Permanently disables all LoadMaster functions. The LoadMaster can be re-enabled by being relicensed.

Please do not kill your LoadMaster without consulting KEMP Technical Support.

The Kill LoadMaster option will not be available in LoadMasters which are tenants of the KEMP
Condor.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 183
Web User Interface (WUI)
10 System Configuration

TCP dump

A TCP dump can be captured either by one or all Ethernet ports. Address and port parameters, as well as
optional parameters may be specified. The maximum number of characters permitted in the Options
text box is 255.

You can stop and start the dump. You can also download it to a particular location. The results of the TCP
dump can then be analysed in a packet trace analyser tool such as Wireshark.

For more information, refer to the Packet Trace Guide, Technical Note.

10.4.2 Extended Log Files

The Extended Log Files screen provides options for logs relating to the ESP and WAF features. These logs
are persistent and will be available after a LoadMaster reboot. To view all of the options click on the
icons.

The WAF logs are not generated in real time they can be up to two minutes behind what the WAF
engine is actually processing.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 184
Web User Interface (WUI)
10 System Configuration

A number of different log files are stored on the LoadMaster:

ESP Connection Log: logs recording each connection.

ESP Security Log: logs recording all security alerts.

ESP User Log: logs recording all user logins.

WAF Audit Logs: recording WAF logs based on what has been selected for the Audit mode drop-
down list in the WAF Options section of the Virtual Service modify screen. The number listed in each
log entry corresponds to the ID of the Virtual Service. To get the Virtual Service ID, first ensure that

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 185
Web User Interface (WUI)
10 System Configuration

the API interface is enabled (Certificates & Security > Remote Access > Enable API Interface). Then,
in a web browser address bar, enter https://<LoadMasterIPAddress>/access/listvs. Check the index
of the Virtual Service. This is the number that corresponds to the number on the audit log entry.

SSOMGR Audit Logs: logs relating to SSO authentication attempts. To enable these logs, enable the
SSOMGR Debug Traces option in the Debug Options screen.

To view the logs please select the relevant options and click the relevant View button.

Some of the logs can be filtered by a number of methods. If you wish to view logs between a particular
date range, select the relevant dates in the from and to fields and click the View button. One or more
archived log files can be viewed by selecting the relevant file(s) from the list of file names and clicking the
View button. You can filter the log files by entering a word(s) or regular expression in the filter field and
clicking on the View field.

The SSOMGR log file gets compressed at midnight each day as long as the file is not empty (if SSOMGR
Debug Traces is enabled in the Debug Options screen). When a compressed file (.gz) is created, it is
named with a datestamp. When the SSOMGR file is compressed, a new SSOMGR file is created and this
file then gets written to when the relevant logs are generated. oThe LoadMaster holds up to six
compressed SSOMGR log files at any one time. When the compressed file is seven days old it is removed.

Clear Extended Logs

All extended logs can be deleted by clicking the Clear button.

Specific log files can be deleted by filtering on a specific date range, selecting one or more individual log
files in the log file list or selecting a specific log type (for example connection, security or user) in the log
file list and clicking the Clear button. Click OK on any warning messages.

Save Extended Logs

All Extended logs can be saved to a file by clicking the Save button.

Specific log files can be saved by filtering on a specific date range, selecting one or more individual log files
in the log file list or selecting a specific log type (for example connection, security or user) in the log file list
and clicking the Save button.

10.4.3 Syslog Options

The LoadMaster can produce various warning and error messages using the syslog protocol. These
messages are normally stored locally.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 186
Web User Interface (WUI)
10 System Configuration

It is also possible to configure the LoadMaster to transmit these error messages to a remote syslog
server by entering the relevant IP address in the Syslog host text box, selecting the severity and clicking
Add Syslog Host.

To delete a hosts entry, set the severity level to None.

Six different error message levels are defined and each message level may be sent to a different server.
Notice messages are sent for information only; Emergency messages normally require immediate user
action.

Up to 10 individual IP addresses can be specifieds. If there were more than 10 hosts configured in a
previous LoadMaster version, after upgrading - all entries are displayed but no more can be added.

Examples of the type of message that may be seen are shown below:

Emergency: Kernel-critical error messages

Critical: Unit 1 has failed and unit 2 is taking over as master (in a HA setup)

Error: Authentication failure for root from 192.168.1.1

Warn: Interface is up/down

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 187
Web User Interface (WUI)
10 System Configuration

Notice: Time has been synced

Info: Local advertised Ethernet address

One point to note about syslog messages is they are cascading in an upwards direction. Thus, if a host
is set to receive WARN messages, the message file will include message from all levels above WARN but
none for levels below.

You can also specify a non-standard port for syslog transfer by entering it into the Remote Syslog Port
text box and clicking Set Port.

To enable a syslog process on a remote Linux server to receive syslog messages from the LoadMaster,
the syslog must be started with the -r flag.

10.4.4 SNMP Options

With this menu, the SNMP configuration can be modified.

On Dell LoadMasters, you can retrieve hardware statistics such as temperature, fan speed, power
supply voltage current, and so on, using SNMP. These values are only available using SNMP.

Enable SNMP

This check box enables or disables SNMP metrics. For example, this option allows the LoadMaster to
respond to SNMP requests.

By default, SNMP is disabled.

When the feature is enabled, the following traps are generated:

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 188
Web User Interface (WUI)
10 System Configuration

ColdStart: generic (start/stop of SNMP sub-system)

VsStateChange: (Virtual Service state change)

RsStateChange: (Real Server state change)

HaStateChange: (HA configuration only: LoadMaster failover)

When using SNMP monitoring of ESP-enabled Virtual Services that were created using a template,
ensure to monitor each SubVS directly rather than relying on the master service. This is because the
Authentication Proxy sub-service will always be marked as up and, as a consequence, so will the master
service.

The information regarding all LoadMaster-specific data objects is stored in three enterprise-specific MIBs
(Management Information Base).

MIB file Related Data

IPVS-MIB.txt Virtual Server stats
B-100-MIB.txt L7 LoadMaster configuration and status info
ONE4NET-MIB.txt Enterprise ID

These MIBs (located on the KEMP documentation page - http://kemptechnologies.com/documentation)

need to be installed on the SNMP manager machine in order to be able to request the
performance/config-data of the LoadMaster using SNMP.

The description of the counters can be taken from the LoadMaster MIBs (the description clause). Apart
from just reading the MIB this can be done for Linux (and ucdsnmp) with the command:

snmptranslate -Td -OS <oid>

where <oid> is the object identifier in question.

Example: <oid> = .1.3.6.1.4.1.one4net.ipvs.ipvsRSTable.rsEntry.RSConns

snmptranslate -Td Ov
.1.3.6.1.4.1.one4net.ipvs.ipvsRSTable.rsEntry.RSConns.1.3.6.1.4.1.12196.12.2.1.12

RSConns OBJECT-TYPE

-- FROM IPVS-MIB

SYNTAXCounter32

MAX-ACCESSread-only

STATUScurrent

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 189
Web User Interface (WUI)
10 System Configuration

DESCRIPTION"the total number of connections for this RS"

::= {iso(1) org(3) dod(6) internet(1) private(4) enterprises(1) one4net(12196) ipvs(12) ipvsRSTable(2)
rsEntry(1) 12 }

The KEMP OID is called one4net for legacy reasons.

The data object defined in the LoadMaster MIBS is a superset to the counters displayed by the WUI.

The data objects on the LoadMaster are not writable, so only GET requests (GET, GET-NEXT, GET-BULK,
and so on) should be used.

Enable SNMP V3

This check box enables SNMPv3 metrics. SNMPv3 primarily added security and remote configuration
enhancements to SNMP.

When this option is enabled, two additional fields become available - Username and Password.

The Username and Password must be set in order for SNMPv3 to work.

The password must be at least 8 characters long.

Authentication protocol

Select the relevant Authentication protocol - MD5 or SHA. SHA is recommended.

Privacy protocol

Select the relevant Privacy protocol - AES or DES. AES is recommended.

SNMP Clients

With this option, the user can specify from which SNMP management hosts the LoadMaster will respond
to.

If no client has been specified, the LoadMaster will respond to SNMP management requests from any
host.

SNMP Community String

This option allows the SNMP community string to be changed. The default value is public.

Allowed characters in the Community String are as follows: a-z, A-Z, 0-9, _.-@()?#%^+~!.

Contact

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 190
Web User Interface (WUI)
10 System Configuration

This option allows the SNMP Contact string to be changed. For example, this could be e-mail address of
the administrator of the LoadMaster.

SNMP Location

This option allows the SNMP location string to be changed.

This field accepts the following characters:

a-z A-Z 0-9 _ . - ; , = : {} @ () ? # % ^ + ~ !

Do not enter a hashtag symbol (#) as the first character in the Location.

SNMP traps

When an important event happens to a LoadMaster a Virtual Service or to a Real Server, a trap is
generated. These are sent to the SNMP trap sinks. If a change is made, the LoadMaster waits for all
changes to finish and then waits five seconds before reading it. At that point, all changes will have
stabilized and SNMP traps can then be sent. If there are any state changes within the five second wait,
the state changes are handled and then the wait is restarted.

Enable/Disable SNMP Traps

This toggle option enables and disables the sending of SNMP traps.

SNMP traps are disabled by default.

Send SNMP traps from the shared address

This check box is only visible when the LoadMaster is in HA mode.

By default, SNMP traps are sent using the IP address of the master HA unit as the source IP address.
Enabling this option will send SNMP traps from the master HA unit using the shared IP address.

SNMP Trap Sink1

This option allows the user to specify a list of hosts to which a SNMPv1 trap will be sent when a trap is
generated.

SNMP Trap Sink2

This option allows the user to specify a list of hosts to which a SNMPv2 trap will be sent when a trap is
generated.

10.4.5 Email Options

This screen permits the configuration of email alerting for LoadMaster events. Email notification can be
delivered for six predefined informational levels. Each level can have a distinct email address and each

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 191
Web User Interface (WUI)
10 System Configuration

level supports multiple email recipients. Email alerting depends on a mail server, support for both an
open relay mail server and a secure mail server is provided.

SMTP Server

Enter the FQDN or IP address of the mail server. If you are using FQDN please make sure to set the DNS
Server.

Port

Specify the port of the SMTP server which will handle the email events.

Server Authorization (Username)

Enter the username if your mail server requires authorization for mail delivery. This is not required if you
mail server does not require authorization.

Authorization Password

Enter the password if your mail server requires authorization for mail delivery. This is not a required if
you mail server does not require authorization.

Local Domain

Enter the top-level domain, if your mail server is part of a domain. This is not a required parameter.

Connection Security

Select the type of security for the connection;

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 192
Web User Interface (WUI)
10 System Configuration

None

STARTTLS, if available

STARTTLS

SSL/TLS

Set Email Recipient

In the various Recipients text boxes, enter the email address that corresponds with the level of
notification desired. Notifications will be sent for the level of severity, plus anything with a higher severity
so there is no need to enter the email address in multiple text boxes as that will lead to duplicate
notifications being sent. For example, any email address entered into the Critical Recipients text box will
get critical emails, but will also get emergency emails.

Multiple email addresses are supported by a comma-separated list, such as:

Info Recipients: [email protected], [email protected]

Error Recipients: [email protected]

Clicking the Send Test Email to All Recipients button sends a test email to all the listed email recipients.

An example email alert is shown above. The Subject of the email contains the relevant highest alert level.
There can be multiple alerts in a single email - they are collated together for a period of 30 seconds to
avoid flooding inboxes.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 193
Web User Interface (WUI)
10 System Configuration

10.4.6 SDN Log Files

The SDN Log Files screen provides options for logs relating to the SDN feature. To view all of the options
click the icons.

View SDNstats Logs

To view the SDNstats logs please select the relevant log files and click View.

The sdnstats.log file is the main, rolling log file. The .gz files are backups of logs for a particular day.

One or more archived log files can be viewed by selecting the relevant file(s) from the list of file names
and clicking the View button. The log files can be filtered by entering a word(s) or regular expression in
the filter field and clicking the View button.

View SDNstats Traces

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 194
Web User Interface (WUI)
10 System Configuration

This option is only available if SDNstats debug logging is enabled (System Configuration > Logging
Options > SDN Log Files > Debug Options > Enable Debug Log).

To view the SDNstats logs please select the relevant log files and click View.

One or more archived log files can be viewed by selecting the relevant file(s) from the list of file names
and clicking View. The log files can be filtered by entering a word(s) or regular expression in the filter field
and clicking View.

The traces show probing results this indicates if the LoadMaster can successfully communicate with the
SDN controller.

Clear Logs

All SDN logs can be deleted by clicking the Clear button.

A specific range of log files can be filtered by specifying a date range using the from and to fields.
Specifying a date range will simply select the relevant log files that apply in the right-hand box. Individual
log files can still be selected/deselected as needed on the right.

Important: If the sdnstats.log file is selected, all logs in that file will be cleared, regardless of what dates
are selected in the date range fields.

Save Extended Logs

All SDN logs can be saved to a file by clicking the Save button.

Specific log files can be saved by filtering on a specific date range and/or selecting one or more individual
log files in the log file list in the log file list and clicking the Save button.

10.4.6.1 Debug Options

To get to the SDN Debug Options screen, click the Debug Options button on the SDN Log Files screen.

Enable Debug Log

Enable SDNstats debug logging.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 195
Web User Interface (WUI)
10 System Configuration

To view the SDN Statistics logs, open System Configuration > Logging Options > SDN Log Files, select
the log file you wish to view and click the View button.

Debug logging should only be enabled when troubleshooting because it will impact performance of the
LoadMaster.

Restart SDNstats service

When troubleshooting issues with SDN, the entire SDN service can be restarted. Restarting the
connection will not affect any traffic connections - it just restarts the connection between the
LoadMaster and the SDN controller.

If successful the Process ID will change to a new id.

The Process ID can be found by clicking the Debug button in System Configuration > Logging Options >
System LogFiles and clicking the ps button.

This will restart the connection to all attached SDN controllers.

SDNstats mode

There are two modes that can be used to gather the SDN statistics.

The mode can be set by going to System Configuration > Logging Options > SDN Log Files > Debug
Options and setting the SDNstats mode.

The modes are described below:

Mode 1: When set to mode 1, the statistics are taken from the switch port that is connected to the
server and the statistics are relayed back to the LoadMaster.

Mode 2: When set to mode 2, the information is taken from all of the switch ports along the path.

10.5 Miscellaneous Options

10.5.1 WUI Settings
Only the bal user or users with All Permissions set can use this functionality. Users with different
permissions can view the screen but all buttons and input fields are greyed out.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 196
Web User Interface (WUI)
10 System Configuration

Enable Hover Help

Enables blue hover notes shown when the pointer is held over a field.

Message of the Day (MOTD)

Type in text into the field and click the Set MotD button. This message will be displayed within the
LoadMaster Home screen.

If WUI Session Management is enabled, the MOTD is displayed on the login screen rather than the Home
screen.

The maximum allowed message length is 5,000 characters. HTML is supported, but not required. Single
quotes () and double quotes () are not allowed, though you can use the equivalent HTML character
codes. For example, entering &#34it&#39s allowed&#34 would result in a MOTD of its allowed.

Set Statistics Display Size

This sets the maximum number of rows that can be displayed in the Statistics page. The allowable range
is between 10 and 100 rows being displayed on the page.

End User License

Click the Show EULA button to display the LoadMaster End User License Agreement.

Enable Historical Graphs

Enable the gathering of historical statistics for the Virtual Services and Real Servers.

Collect All Statistics

By default, this option is disabled. This means that only the statistics for the Virtual Services and Real
Servers that are configured to be displayed on the home page are collected. Enabling this option will
force the LoadMaster to collect statistics for all Virtual Services and Real Servers.

If there are a large number of Virtual Services and Real Servers this option can cause CPU utilization to
become very high.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 197
Web User Interface (WUI)
10 System Configuration

10.5.2 L7 Configuration

Allow Connection Scaling over 64K Connections

Under very high load situations, Port Exhaustion can occur. Enabling this option will allow the setting of
Alternate Source Addresses which can be used to expand the number of local ports available.

If more than 64K concurrent connections are required, enable the Allow Connection Scaling over 64K
Connections option and set the Virtual Service IP as the alternate address in the Alternate Source
Addresses input field. This allows each Virtual Service to have its own pool of source ports.

Transparent Virtual Services are capped at 64K concurrent connections. This limit is on a per Virtual
Service basis.

If, after selecting this option, you set some Alternate Source Addresses, you will not be able to deselect
the Allow connection scaling over 64K Connections option.

Always Check Persist

By default, the L7 module will only check persist on the first request of a HTTP/1.1 connection. Selecting
Yes for this option will check the persistence on every request. Selecting Yes Accept Changes means
that all persistence changes will be saved, even in the middle of a connection.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 198
Web User Interface (WUI)
10 System Configuration

Add Port to Active Cookie

When using active cookies, the LoadMaster creates the cookie from (among other things) the IP address
of the client. However, if many clients are behind a proxy server, all of those clients come from the same
IP address. Turning this on adds the clients source port to the string as well, making it more random.

Conform to RFC

This option addresses parsing the header of a HTTP request in conformance with RFC 1738.

The request consists of 3 parts: GET /pathname HTTP/1.1 and when "conform" is on, the LoadMaster
scans through the pathname until it finds a space. It then presumes that the next thing is HTTP/1.x. If the
pathname contains spaces and the browser is conformant to the RFC, the pathname will have the spaces
escaped to "%20" so the scan for a space will function correctly.

However, on some non-conformant browsers, spaces are not escaped and the wrong pathname is
processed. And since the system cannot find the HTTP/1.x, the LoadMaster will reject the request.

Turning off this feature forces the LoadMaster to assume that the pathname extends to the last space on
the line. It is then assumed that what follows is HTTP/1.x. So making pathnames with spaces in them
useable however, it is non-conformant to the RFC 1738.

Close on Error

If the LoadMaster has to send back a failure report to the client, for example if a file is newer in the cache;
this forces the LoadMaster to close the connection after sending the response. You can continue using
the connection after sending a failure report, but some systems could become confused. This option
forces the close instead of continuing.

Add Via Header In Cache Responses

The relevant HTTP RFC states that proxies should add a Via header to indicate that something came from
the cache. Unfortunately, older LoadMaster versions did not do this. This check box is used to enable
backward compatibility with older versions (if needed).

Real Servers are Local

The LoadMaster has an automatic detection of local/non-local clients for the purpose of transparency
(selective transparency). This works well in most cases, but it does not work well if the client is actually a
Real Server. Turning this option on helps the LoadMaster to determine that a Real Server is actually local,
therefore making selective transparency work.

When this option is enabled in a two-armed environment (with clients and Real Servers on the second
interface) the Real Servers are treated as if they are local to the clients, that is, non-transparent. If the
Real Servers are on a completely different network, then they cannot be local and will always be treated
as not local. Local is defined as being on the same network.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 199
Web User Interface (WUI)
10 System Configuration

Enabling this option requires careful network topology planning and should not be attempted before
contacting the KEMP Support team.

Drop Connections on RS Failure

This is useful for Microsoft Outlook users whereby it closes the connection immediately when a Real
Server failure is detected.

Exchange users should always select this option. The Idle Connection Timeout option is also set to 86400
at the same time. For further information, refer to the MS Exchange 2010, Deployment Guide.

Drop at Drain Time End

If enabled, all open connections to disabled Real Servers will be dropped at the end of the Real Servers
Drain Stop Time or immediately if there are no persist entries associated with the Real Server.

L7 Authentication Timeout (secs)

This option supports the integration with 3rd party, multi-factor, authentication solutions which may
have secondary processes such as SMS or telephone verification. This setting determines how long (in
seconds) the SSO form waits for authentication verification to complete before timing out.

L7 Client Token Timeout (secs)

The duration of time (in seconds) to wait for the client token while the process of authentication is
ongoing (used for RSA SecurID and RADIUS authentication). The range of valid values is 60 to 300. The
default value is 120.

L7 Connection Drain Time (secs)

L7 Connection Drain Time impacts only new connections. Existing connections will continue relaying
application data to a disabled server until that connection is terminated, unless the Drop at Drain Time
End checkbox is selected.

Setting the L7 Connection Drain Time (secs) to 0 will force all the connections to be dropped
immediately when a Real Server is disabled.

If the service is operating at Layer 4, drain stop does not apply. In this case, the persistence record is
discarded, the connection is scheduled to an enabled and healthy server and a new persistence record is
created.

New TCP connections will not be sent to disabled servers and sent to enabled and healthy servers if:

Persistence is not enabled or

A persistence record for the connection exists and is not expired or

If the Real Server is down or

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 200
Web User Interface (WUI)
10 System Configuration

If the Drain Stop timer has expired

If all the above conditions are not true, the connection is sent to the specified server and the persistence
record is refreshed.

The drain stop timer does not impact existing connections.

Additional L7 Header

This enables Layer 7 header injection for HTTP/HTTPS Virtual Services. Header injection can be set to X-
ClientSide (KEMP LoadMaster specific), X-Forwarded-For, or None.

100-Continue Handling

Determines how 100-Continue Handling messages are handled. The available options are:

RFC-2616 Compliant: conforms with the behavior as outlined in RFC-2616

Require 100-Continue: forces the LoadMaster to wait for the 100-Continue message

RFC-7231 Compliant: ensures the LoadMaster does not wait for 100-Continue messages

Modifying how 100 Continue messages are handled by the system requires an understanding of the
relevant technologies as described in the RFCs listed above. It is recommended that you speak with a
KEMP Technical Support engineer before making changes to these settings.

Allow Empty POSTs

By default the LoadMaster blocks POSTs that do not contain a Content-Length or Transfer-Encoding
header to indicate the length of the requests payload. When the Allow Empty POSTs option is enabled,
such requests are assumed to have no payload data and are therefore not rejected.

In version 7.1-24 and later releases, the supported Content-Length limit has been increased to 2TB
(from 2GB).

Force Complete RSMatch

By default, when the LoadMaster is trying to locate a Real Server for use with content switching, it tries to
use the same Real Server as currently selected, even if the port is not the same. Enabling this option
forces the port to also be compared.

Least Connection Slow Start

When using the Least Connection or Weighted Least Connection scheduling methods, a period can be
specified during which the number of connections are restricted to a Real Server which has come online
and gradually increased. This ensures that the Real Server is not overloaded with an initial flood of
connections.

The value of this Slow Start period can be between 0 and 600 seconds.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 201
Web User Interface (WUI)
10 System Configuration

Share SubVS Persistence

By default, each SubVS of a Virtual Service has an independent persistence table. Enabling this option will
allow the SubVS to share this information. In order for this to work, the persistence mode must be the
same on all SubVSs within that Virtual Service. A reboot is required to activate this option.

The only Persistence Mode that cannot be shared is SSL Session ID.

When setting up shared SubVS persistence, there are some requirements to get this feature fully
functional:

All Real Servers in the SubVS need to be the same

The Persistence Mode needs to be the same across all SubVSs

The timeouts need to be set with the same timeout value

If the above requirements are not correct, the persistence may not work correctly either within the
SubVS or across the SubVSs.

10.5.3 Network Options

Enable Server NAT

This option enables Server Network Address Translation (SNAT). If this is disabled, the Real Server IP
address is used when connecting.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 202
Web User Interface (WUI)
10 System Configuration

If this is enabled, addresses that are of the same address family (IPv4/IPv6) as the primary address of the
default gateway are NATed to the primary address. If the Use Address for Server NAT is enabled in the
Virtual Service, the Virtual Service address will be used. For further information on the Use Address for
Server NAT option, refer to the Standard Options section.

If the source address is not in the same family as the primary address, then the address will be SNATed to
the first additional address which is on the same network as the default gateway for that address family.

For example, if the primary address of the default interface is an IPv6 address, then IPv6 addresses will be
SNATed to that address. If the primary address is an IPv4 address, then IPv6 addresses will be SNATed to
the first additional address (IPv6) which is on the same network as the IPv6 default gateway.

Similarly, if the primary address of the default interface is an IPv4 address, then IPv4 addresses will be
SNATed to that address. If the primary address is an IPv6 address, then IPv4 addresses will be SNATed to
the first additional address (IPv4) which is on the same network as the IPv4 default gateway.

Connection Timeout (secs)

The length of time (in seconds) that a connection may remain idle before it is closed. This value is
independent of the Persistence Timeout value.

Setting a value of 0 will reset the value to the default setting of 660 seconds.

Enable Non-Local Real Servers

Allow non-local Real Servers to be assigned to Virtual Services. This may be needed if the LoadMaster can
only have one interface and the Real Servers are on a different network to the interface.

Enable Alternate GW support

If there is more than one interface enabled, this option provides the ability to move the default gateway
to a different interface.

Enabling this option adds another option to the Interfaces screen Use for Default Gateway.

The Enable Alternate GW support option will appear on a different screen in GEO only LoadMasters.

Enable TCP Timestamps

The LoadMaster can include timestamps in the SYN on both connections from clients and connections to
Real Servers.

Note this may impact connections that are NATed and should only be enabled on consultation with
KEMP Customer Support.

Enable TCP Keepalives

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 203
Web User Interface (WUI)
10 System Configuration

By default the TCP keepalives are enabled which improves the reliability of TCP connections that are long
lived (SSH sessions). Keepalives are not usually required for normal HTTP/HTTPS services, but may be
required for FTP services, for example.

The keepalive messages are sent from the LoadMaster to the Real Server and to the client. Therefore, if
the client is on a mobile network, there may be an issue with additional data traffic.

Enable Reset on Close

When this option is enabled, the LoadMaster will close its connection with the Real Servers by using
RESET instead of the normal close handshake. This only makes a difference under high loads of many
connections.

Subnet Originating Requests

With this option enabled, the source IP address of non-transparent requests will come from the
LoadMasters address on the relevant subnet, that is, the subnet where the Real Server is located or the
subnet of the gateway that can route to the Real Server (if the Real Server is non-local and behind a static
route).

This is the global option/setting.

It is recommended that the Subnet Originating Requests option is enabled on a per-Virtual Service
basis.

When the global option is disabled, the per Virtual Service Subnet Originating Requests option takes
precedence, that is, it can be enabled or disabled per Virtual Service. This can be set in the Standard
Options section of the Virtual Services properties screen (if Transparency is disabled). For more
information on the per Virtual Service option, refer to the Standard Options section.

If this option is switched on for a Virtual Service that has SSL re-encryption enabled, all connections
currently using the Virtual Service will be terminated because the process that handles the connection
must be killed and restarted.

Enable Strict IP Routing

When this option is selected, only packets which arrive at the machine over the same interface as the
outbound interface are accepted.

The Use Default Route Only option may be a better way to achieve this.

Handle non HTML Uploads

Enabling this option ensures that non-HTML uploads (such as FTP uploads) function correctly.

Enable Connection Timeout Diagnostics

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 204
Web User Interface (WUI)
10 System Configuration

By default, connection timeout logs are not enabled. This is because they may cause too many
unnecessary logs. If you wish to generate logs relating to connection timeouts, select the Enable
Connection Timeout check box.

Enable SSL Renegotiation

By default, the LoadMaster allows a client to automatically renegotiate during an SSL transaction.
Unchecking this option causes SSL connections to terminate if a renegotiation is requested by the client.

Force Real Server Certificate Checking

By default, when re-encrypting traffic the LoadMaster does not check the certificate provided by the Real
Server. This option forces the LoadMaster to verify that the certificate on the Real Server is valid, that is,
the certificate authority and expiration are OK. This includes all intermediate certificates.

Size of SSL Diffie-Hellman Key Exchange

Select the strength of the key used in the Diffie-Hellman key exchanges. If this value is changed, a reboot
is required in order to use the new value. The default value is 2048 Bits.

Use Default Route Only

Forces traffic from Virtual Services that have default route entries set, to be only routed to the interface
where the Virtual Services default route is located. This setting can allow the LoadMaster to be directly
connected to client networks without returning traffic directly using the adjacent interface.

Enabling this option affects all Virtual Services in the same network.

HTTP(S) Proxy

This option allows clients to specify the HTTP(S) proxy server and port the LoadMaster will use to access
the internet.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 205
Web User Interface (WUI)
10 System Configuration

10.5.4 AFE Configuration

Maximum Cache Size

This defines how much memory can be utilized by the cache in megabytes. The Maximum Cache Size
defines how much of the main memory should be assigned to the cache. It can never be more than one
fifth of the total memory of the machine. Assigning more memory for the cache will reduce the amount
of memory available for connections and persist entries. In a system that is correctly configured, there
should be enough memory for a full cache and all connections that the system that is expected to
handle. If this is not the case, the system could run out of memory.

Cache Virtual Hosts

When this option is disabled, the cache presumes there is only one virtual host supported on the Real
Server. Enabling this option allows the cache to support multiple virtual hosts which have different
content.

File Extensions Not to Cache

A list of files types that should not be cached.

File Extensions Not to Compress

A list of file types that should not be compressed.

Detection Rules

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 206
Web User Interface (WUI)
10 System Configuration

Select the relevant detection rules and click the Install New Rules button to install them.

If you are implementing SNORT rules, please remember the following:

The destination port must be $HTTP_PORTS

A msg may be optionally set

The flow must be set to to_server,established

The actual filter may be either content or pcre

Additional http_ parameters may be set

The classtype must be set to a valid value

To get updated or customized SNORT rules, please refer to the SNORT website:
https://www.snort.org/.

Detection Level

Supports four levels of what to do when problems are encountered:

Low only logging with no rejection

Default only critical problems rejected

High Serious and critical problems rejected

Paranoid All detected problems rejected

Client Limiting:

It is possible to set a limit of the number of connections per second from a given host (limits up to 100K
are allowed). After setting the "default limit" to a value, the system allows you to set different limits for
specific hosts/networks so you can limit a network and/or host.

If you set a network and a host on that network, the host should be placed first since the list is processed
in the order that it is displayed.

To turn client limiting off, set the Client Connection Limiter value to 0.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 207
Web User Interface (WUI)
10 System Configuration

10.5.5 SDN Configuration

Add New

Add a new SDN controller connection.

Modify

Modify an existing SDN controller connection.

Delete

Delete an existing SDN controller connection.

10.5.5.1 SDN Controller Settings

When adding a new SDN controller connection, initially a screen will appear asking for the Cluster, IPv4
address and Port. After an SDN controller connection has been added, the settings can be updated by
clicking Modify on the SDN Statistics screen.

Cluster

The cluster that the SDN controller will be a member of.

Keep the Cluster field set to the default value.

IPv4

The IPv4 address of the SDN controller.

Port

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 208
Web User Interface (WUI)
10 System Configuration

The port of the SDN controller WUI.

The default Port for the HP VAN Controller is 8443.

The default Port for the OpenDaylight SDN controller is 8181.

HTTPS

Use HTTP/HTTPS to access the SDN controller.

User

The username to be used to access the SDN controller.

Password

The password of the user to be used to access the SDN controller.

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 209
Web User Interface (WUI)
References

References
Unless otherwise specified, the below documents can be found on
http://kemptechnologies.com/documentation.

Virtual Services and Templates, Feature Description

RSA Two Factor Authentication, Feature Description

Content Rules, Feature Description

LoadMaster 5.1 to 6.0 Migration, Technical Note

Header Modification Guide, Technical Note

GEO, Feature Description

GEO, Product Overview

GEO Sticky DNS, Feature Description

Packet Trace Guide, Technical Note

VMware Tools Add-On Package, Feature Description

Custom Authentication Form, Technical Note

Port Following, Feature Description

SSL Accelerated Services, Feature Description

Kerberos Constrained Delegation, Feature Description

Hardware Security Module (HSM), Feature Description

IPsec Tunneling, Feature Description

KEMP LoadMaster, Product Overview

SDN Adaptive Load Balancing, Feature Description

DoD Common Access Card (CAC) Authentication, Feature Description

RESTful API, Interface Description

Licensing, Feature Description

Radius Authentication and Authorization, Technical Note

LoadMaster Clustering, Feature Description

MS Exchange 2010, Deployment Guide

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 210
Web User Interface (WUI)
References

RADIUS Authentication and Authorization, Technical Note

User Management, Feature Description

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 211
Web User Interface (WUI)
Document History

Document History
Date Change Reason for Change Ver. Resp.
June 2015 Release updates Updates for 7.1-28 release 1.34 LB
July 2015 Release updates Updates for 7.1-28a release 3.0 LB
Aug 2015 Minor changes Enhancements made 4.0 LB
Sep 2015 Release updates Updates for 7.1-30 release 5.0 LB
Dec 2015 Minor changes Enhancements made 6.0 LB
Jan 2016 Minor changes Updated Copyright Notices 7.0 LB
Mar 2016 Minor changes Enhancements made 8.0 LB
May 2016 Minor changes Enhancements made 9.0 LB
July 2016 Release updates Updates for 7.1.35 release 10.0 LB
Aug 2016 Minor changes Enhancements made 11.0 LB
Oct 2016 Release updates Updates for 7.2.36 release 12.0 LB
Jan 2017 Release updates Updates for 7.2.37 release 13.0 LB
Mar 2017 Release updates Updates for 7.2.38 release 14.0 LB

Copyright 2002 - 2017 KEMP Technologies, Inc. All Rights Reserved. 212