Edge Security Pack (ESP) Technical Deep Dive

This article describes the technical details of ESP implementation on the LoadMaster. For basic ESP details, refer to the ESP Feature Description.

1.  Initial Client Request
 
When ESP is enabled, traffic hitting a particular Virtual Service requires authentication from the "Auth Provider" where applicable before the data is sent to the Real Server.
 
The typical transaction is as follows:
  1. The client sends a request to a Virtual Service with ESP enabled.
  2. The user must be validated. This typically involves a prompt to the user (in most cases either Basic or Form-Based, discussed below).
  3. The other two client authentication modes are:
    • Delegate to Server: the connection is passed through to the server with no pre-authentication. However, the request must still meet the requirements of the Allowed Virtual Hosts and Allowed Virtual Directories. The request is also logged in the ESP Security logs, which makes this mode useful for connection tracking. See Section 4, ESP Logging.
    • Client Certificates: this can be used in combination with Kerberos. The client must present a client certificate that contains the user in the Common Name or a SAN name.
  4. The user's credentials are validated by contacting the Auth Provider.
  5. If the user is validated, the connection is passed to the Real Server.
 
 
 
2.  Examine Basic and Form Based Authentication
Let us first examine the two main options for client authentication (step 2 above): Basic Authentication and Form-Based Authentication.
 
2.1 Basic Authentication
The user sees a simple Basic Authentication pop-up window and must fill in their credentials. In HTTP terms, this is simply an HTTP 401 response carrying a WWW-Authenticate header (see Packet 3 in the packet stream below).
 
PACKET 3:
1. Request
GET https://mail.contoso.com/owa/ HTTP/1.1
Host: mail.contoso.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cache-Control: max-age=0

2. Response
HTTP/1.1 401 Authorization Required
Date: Fri, 01 May 2015 10:17:11 GMT
Connection: close
Content-Length: 139
WWW-Authenticate: Basic realm="mail.contoso.com"
Content-Type: text/html

A 401 Authorization Required triggers the browser to display a "Basic" login pop-up:
 
Once the pop-up form is filled in, the client replies with an Authorization header. The header is constructed by combining the username and password into the string "username:password", encoding that with Base64 (the RFC 2045 MIME variant) and prefixing the result with "Basic ".
 
Note: For Basic Authentication this Username:Password is sent in every HTTP request. It is encoded, not encrypted, so you can view it in the browser by using the browser developer tools:
 - Examine the HTTP headers of a request
 - Copy the text in the Authorization header
 - Use https://www.base64encode.org/
 - Use "Decode" to convert it to ASCII text.
 
The credentials obtained by ESP from the user are then queried against the SSO Server configured in the SSO configuration and, if the credentials are correct, the user connection is passed through to the Real Server.
 
For Basic Authentication, the LoadMaster does not set any cookie. Instead, all queries through the LoadMaster must contain a Basic Authentication Header as would be the typical case when a browser is presented with a Basic Authentication pop-up. See the below example:
 
After getting the 401 Basic Auth pop-up, subsequent requests include a Basic Username:Password.
 
PACKET 5:
3. Request (but with Authorization included - this is simply the username and password input above)
GET https://mail.contoso.com/owa/ HTTP/1.1
Host: mail.contoso.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cache-Control: max-age=0
Authorization: Basic YmdsZWVzb246MmZvdXJhbGw=

4. HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Encoding: gzip
Expires: -1
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
Set-Cookie: OutlookSession=7361e4fbcf274c7fb746721b43f39dd0; path=/; HttpOnly
X-OWA-Version: 14.1.218.6
Set-Cookie: UserContext=d9966b5af3c64ba49a23d78c6ce5ed31; path=/
Set-Cookie: tzid=GMT Standard Time; path=/
X-AspNet-Version: 2.0.50727
Set-Cookie: owacsdc=1; path=/
X-Powered-By: ASP.NET
X-UA-Compatible: IE=EmulateIE7
Date: Fri, 01 May 2015 10:16:36 GMT
Content-Length: 18595

Note: Basic YmdsZWVzb246MmZvdXJhbGw= is the user's credentials. While this is not human-readable, it is only Base64-encoded and can be decoded directly.
 
Once this is successful, subsequent requests (example below) carry this same header, which in effect contains the username and password in every request.
 
PACKET 13: Subsequent Requests
 
5. Request
GET https://mail.contoso.com/owa/forms/premium/clientstrings.aspx?v=14.1.218.6&l=en-GB HTTP/1.1
Host: mail.contoso.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://mail.contoso.com/owa/
Cookie: OutlookSession=7361e4fbcf274c7fb746721b43f39dd0; UserContext=d9966b5af3c64ba49a23d78c6ce5ed31; tzid=GMT Standard Time; owacsdc=1
Authorization: Basic YmdsZWVzb246MmZvdXJhbGw=
Connection: keep-alive
Cache-Control: max-age=0

6. Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: application/x-javascript; charset=utf-8
Content-Encoding: gzip
Expires: Sun, 31 May 2015 10:16:36 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-OWA-Version: 14.1.218.6
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
X-UA-Compatible: IE=EmulateIE7
Date: Fri, 01 May 2015 10:16:36 GMT
Content-Length: 11790
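As an added example (not from this article or from Kemp's own code), the following Python builds and decodes the Basic Authorization header described above and models the ESP decision that gates a request on the Auth Provider's answer. The AUTH_PROVIDER dictionary, the exampleuser account and its password are constructed stand-ins for the SSO server; the realm string is the one from the 401 response in Packet 3.

```python
import base64
import binascii
import hmac

# Constructed stand-in for the Auth Provider / SSO server (not the LoadMaster's SSO configuration).
AUTH_PROVIDER = {"exampleuser": "Example-Pa55"}
REALM = "mail.contoso.com"  # realm value from the 401 response above


def build_basic_header(username: str, password: str) -> str:
    """Build the Authorization value a browser sends after the Basic pop-up (RFC 7617)."""
    if ":" in username:
        raise ValueError("RFC 7617 forbids ':' in the user-id part")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_basic_header(value: str):
    """Recover (username, password) from an Authorization header; None if it is malformed.

    Base64 is reversible, which is the point the note above makes: without TLS the
    credentials are readable on every request, because the browser repeats the header.
    """
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    username, sep, password = raw.decode("utf-8", errors="replace").partition(":")
    return (username, password) if sep else None


def esp_check_basic(request_headers: dict):
    """Emulate the ESP decision for one request.

    Returns (status, www_authenticate, user): 401 with a challenge when there is no
    usable header or the Auth Provider rejects the credentials, 200 when it accepts
    them (the LoadMaster then forwards the request to the Real Server).
    """
    challenge = f'Basic realm="{REALM}"'
    auth = request_headers.get("Authorization")
    if auth is None:
        return 401, challenge, None
    creds = parse_basic_header(auth)
    if creds is None:
        return 401, challenge, None
    username, password = creds
    expected = AUTH_PROVIDER.get(username)
    # Constant-time comparison of the secret; a real Auth Provider is LDAP/RADIUS, not a dict.
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return 401, challenge, None
    return 200, None, username


if __name__ == "__main__":
    hdr = build_basic_header("exampleuser", "Example-Pa55")
    print(hdr, "->", parse_basic_header(hdr))
    print(esp_check_basic({}))               # no header: 401 + challenge
    print(esp_check_basic({"Authorization": hdr}))  # accepted: 200
```

Feeding the Packet 5 value "Basic YmdsZWVzb246MmZvdXJhbGw=" to parse_basic_header returns the same username and password that the Section 3 capture shows the LoadMaster forwarding, which is the quickest way to confirm that the header is encoding rather than protection and that TLS on the Virtual Service is what actually keeps it private.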
 
 
 
2.2  Form-Based Authentication
Form-based authentication operates differently. Instead of sending a 401 response as above, the LoadMaster redirects the client to a web form that is hosted on the LoadMaster. See the example below. This form can be customized if required; refer to https://support.kemptechnologies.com/hc/en-us/articles/202220783-Custom-Image-Set for instructions on how to customize it.
 
The user requests https://mail.contoso.com/owa. The LoadMaster then redirects the user to https://mail.contoso.com/lm_auth_proxy?DoLMLogin?curl=L2fowaL2f&curlid=2258863274-166211317. The link includes a curlid which is different for each request. This is important because if the client successfully logs in through the form, the LoadMaster must be able to associate this login with the originally requested page so it can redirect the client back to it.
 
In this case, /owa is associated with curlid=2258863274-166211317.
 
See the transaction below:
 
1. Request /owa
GET https://mail.contoso.com/owa/ HTTP/1.1
Host: mail.contoso.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

2. Response
Response: a 302 redirect to lm_auth_proxy, which is the LoadMaster authentication form.
HTTP/1.1 302 Found
Date: Fri, 01 May 2015 10:35:04 GMT
Connection: close
Content-Length: 68
Location: /lm_auth_proxy?DoLMLogin?curl=L2fowaL2f&curlid=2258863274-166211317
Set-Cookie: lmdata6907abe78de6c948934551ebcd73034b=; path=/; domain=.contoso.com; expires=Thu, 01-Jan-1970 00:00:00 GMT
Content-Type: text/html

 
The Set-Cookie field is used by the LoadMaster to set a unique cookie for each session. This cookie is what is then used for subsequent requests. If the client does not accept (trust) the cookie, ESP fails and the form simply refreshes after login.
 
Also note that the Set-Cookie is associated with a domain. By default, this is a parsed version of the domain set under "Allowed Virtual Hosts" for the Virtual Service: the parsing removes the part up to the first dot. So, if "Allowed Virtual Hosts" is mail.contoso.com, the cookie is set for .contoso.com. This allows single sign-on across multiple hosts in the domain; the same cookie can be used for, for example, ecp.contoso.com and active-sync.contoso.com.
 
3. Client then retrieves the form page
Request
GET https://mail.contoso.com/lm_auth_proxy?DoLMLogin?curl=L2fowaL2f&curlid=2258863274-166211317 HTTP/1.1
Host: mail.contoso.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
 
4. Response
HTTP/1.1 200 OK
Date: Fri, 01 May 2015 10:35:04 GMT
Connection: close
Pragma: no-cache
Cache-Control: no-cache,max-age=0,must-revalidate
Content-Length: 5371
Content-Type: text/html
  
 
 
When the user fills in the credentials to the form:
  
5. request
POST https://mail.contoso.com/lm_auth_proxy?LMLogon HTTP/1.1
Host: mail.contoso.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://mail.contoso.com/lm_auth_proxy?DoLMLogin?curl=L2fowaL2f&curlid=2258863274-166211317
Cookie: pubpriv=0
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 130
 
6. response
HTTP/1.1 302 Found
Date: Fri, 01 May 2015 10:39:42 GMT
Connection: close
Content-Length: 68
Location: /owa/
Set-Cookie: lmdata6907abe78de6c948934551ebcd73034b=8753fa7fb262c91a4a26f0a5d4c445c3; path=/; domain=.contoso.com; httponly; secure;
Content-Type: text/html
 
Because the user is successfully logged in, this results in a redirect back to the originally requested URL (/owa/) (see the Location header above).
Note that the Set-Cookie field is set in the redirect. This cookie is included in all subsequent requests and is how the LoadMaster knows this connection is allowed through.
 
The next connection from the client is to the original link, https://mail.contoso.com/owa/; however, this time it includes the cookie. It is this cookie that is the key to connections being allowed through the LoadMaster ESP module.
 
7. Request with Cookie
 
GET https://mail.contoso.com/owa/ HTTP/1.1
Host: mail.contoso.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://mail.contoso.com/lm_auth_proxy?DoLMLogin?curl=L2fowaL2f&curlid=2258863274-166211317
Cookie: pubpriv=0; lmdata6907abe78de6c948934551ebcd73034b=8753fa7fb262c91a4a26f0a5d4c445c3
Connection: keep-alive

8. Response
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Encoding: gzip
Expires: -1
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
Set-Cookie: OutlookSession=30b61a3bca0245fcae3a107d4035cce8; path=/; HttpOnly
X-OWA-Version: 14.1.218.6
Set-Cookie: UserContext=dd14bae57c754e4e844f7c386525d504; path=/
Set-Cookie: tzid=GMT Standard Time; path=/
X-AspNet-Version: 2.0.50727
Set-Cookie: owacsdc=1; path=/
X-Powered-By: ASP.NET
X-UA-Compatible: IE=EmulateIE7
Date: Fri, 01 May 2015 10:39:00 GMT
Content-Length: 18597
 
Note: If this part fails and debugging of the web traffic shows no cookie being sent by the client, it may be because the client is not accepting the lmdata cookie sent by the LoadMaster. This may be due to trusted site settings on the browser; in particular, ensure the URL is in the Trusted Zone in Internet Explorer.
 
From here on, subsequent connections are passed to the Real Server and users are allowed to get page content as long as the requests contain the lmdata cookie.
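The form-based exchange above (steps 1 to 7), as an added Python model that is not part of the article or of the LoadMaster's code. It reproduces the parts the captures show: the 302 to lm_auth_proxy with a curl and curlid, the cookie-domain rule from "Allowed Virtual Hosts", the login POST, the session cookie with httponly and secure, and pass-through once the cookie is present. Several details are assumptions and are marked as such in the code: the curl encoding is inferred from the single sample ("/owa/" appearing as "L2fowaL2f"), the curlid format and the session-token generation are constructed, the login form is assumed to post the curlid back as a hidden field, and AUTH_PROVIDER stands in for the SSO server. The cookie name is the one from the capture.

```python
import hmac
import re
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for the Auth Provider (not the LoadMaster's SSO configuration).
AUTH_PROVIDER = {"exampleuser": "Example-Pa55"}
# Cookie name as it appears in the capture above; the hex suffix is per-LoadMaster.
COOKIE_NAME = "lmdata6907abe78de6c948934551ebcd73034b"


def cookie_domain(allowed_virtual_host: str) -> str:
    """Default ESP cookie domain: the Allowed Virtual Host with the part up to the first dot removed."""
    _, dot, rest = allowed_virtual_host.partition(".")
    return "." + rest if dot else allowed_virtual_host


def encode_curl(path: str) -> str:
    """ASSUMED encoding of the curl parameter, inferred from the one sample above
    ('/owa/' -> 'L2fowaL2f'): 'L' plus two hex digits for every byte that is not an
    ASCII alphanumeric, and for a literal 'L' so that decoding is unambiguous."""
    out = []
    for b in path.encode("utf-8"):
        c = chr(b)
        out.append(c if b < 128 and c.isalnum() and c != "L" else f"L{b:02x}")
    return "".join(out)


def decode_curl(curl: str) -> str:
    raw = re.sub(r"L([0-9a-f]{2})", lambda m: chr(int(m.group(1), 16)), curl)
    return raw.encode("latin-1").decode("utf-8")


def parse_cookies(header: str) -> dict:
    pairs = (p.partition("=") for p in header.split(";") if "=" in p)
    return {k.strip(): v.strip() for k, _, v in pairs}


class EspFormAuth:
    """Minimal model of the form-based flow: redirect, form, login POST, cookie, pass-through."""

    def __init__(self, allowed_virtual_host: str, auth_provider: dict):
        self.domain = cookie_domain(allowed_virtual_host)
        self.auth_provider = auth_provider
        self.pending = {}      # curlid -> originally requested path
        self.sessions = set()  # lmdata cookie values the LoadMaster will accept

    def handle(self, method: str, url: str, headers=None, form=None) -> dict:
        headers, form = headers or {}, form or {}
        parts = urlsplit(url)
        if parts.path == "/lm_auth_proxy":
            return self._auth_proxy(method, parts.query, form)
        # Step 7: a request carrying a valid lmdata cookie is allowed through to the Real Server.
        if parse_cookies(headers.get("Cookie", "")).get(COOKIE_NAME) in self.sessions:
            return {"status": 200, "forwarded": True}
        # Step 2: no valid cookie -> clear the cookie and redirect to the login form,
        # remembering which page was asked for under a fresh curlid (constructed format).
        curlid = f"{secrets.randbelow(2**32)}-{secrets.randbelow(2**31)}"
        self.pending[curlid] = parts.path
        return {
            "status": 302,
            "Location": f"/lm_auth_proxy?DoLMLogin?curl={encode_curl(parts.path)}&curlid={curlid}",
            "Set-Cookie": f"{COOKIE_NAME}=; path=/; domain={self.domain}; "
                          "expires=Thu, 01-Jan-1970 00:00:00 GMT",
        }

    def _auth_proxy(self, method: str, query: str, form: dict) -> dict:
        # The query looks like 'DoLMLogin?curl=...&curlid=...': an action, then parameters.
        action, _, params = query.partition("?")
        q = {k: v[0] for k, v in parse_qs(params).items()}
        if method == "GET" and action == "DoLMLogin":
            return {"status": 200, "body": "<login form>", "curlid": q.get("curlid")}
        if method == "POST" and action == "LMLogon":
            # Assumption: the form posts the curlid back as a hidden field.
            target = self.pending.get(form.get("curlid"))
            expected = self.auth_provider.get(form.get("username", ""))
            ok = expected is not None and hmac.compare_digest(
                expected.encode(), form.get("password", "").encode())
            if target is None or not ok:
                # Failed login: the form is simply presented again and no cookie is issued.
                return {"status": 200, "body": "<login form>", "error": "denied"}
            token = secrets.token_hex(16)
            self.sessions.add(token)
            del self.pending[form["curlid"]]
            # Step 6: redirect back to the original URL and set the session cookie.
            return {"status": 302, "Location": target,
                    "Set-Cookie": f"{COOKIE_NAME}={token}; path=/; domain={self.domain}; httponly; secure;"}
        return {"status": 404}


if __name__ == "__main__":
    esp = EspFormAuth("mail.contoso.com", AUTH_PROVIDER)
    first = esp.handle("GET", "https://mail.contoso.com/owa/")
    print(first["status"], first["Location"], first["Set-Cookie"])
```

Two behaviours worth noticing in the model: a wrong password or an unknown curlid returns the form again rather than an error page, which is exactly the "form simply refreshes" symptom described above, and a request that arrives without the cookie (for example from a browser that rejected a cookie scoped to .contoso.com) starts the whole flow over with a new curlid.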
 
 
3. Server Side Authentication
Here is an example comparison of the data sent from Client > LoadMaster and from LoadMaster > Real Server.
 
1. Client -> LoadMaster
GET https://mail.contoso.com/owa/ HTTP/1.1
Host: mail.contoso.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://mail.contoso.com/lm_auth_proxy?DoLMLogin?curl=L2fowaL2f&curlid=1540786804-187681552
Cookie: pubpriv=0; lmdata6907abe78de6c948934551ebcd73034b=adb130559b398f20759583ef85410d69
Connection: keep-alive


2. LoadMaster to Real Server
No.     Time           Source                Destination           Protocol Length Info
     75 100.615573000  10.110.0.160          10.110.0.150          HTTP     843    GET /owa/ HTTP/1.1
Hypertext Transfer Protocol
    GET /owa/ HTTP/1.1\r\n
        [Expert Info (Chat/Sequence): GET /owa/ HTTP/1.1\r\n]
            [GET /owa/ HTTP/1.1\r\n]
            [Severity level: Chat]
            [Group: Sequence]
        Request Method: GET
        Request URI: /owa/
        Request Version: HTTP/1.1
    Host: mail.contoso.com\r\n
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0\r\n
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n
    Accept-Language: en-US,en;q=0.5\r\n
    Accept-Encoding: gzip, deflate\r\n
    Referer: https://mail.contoso.com/lm_auth_proxy?DoLMLogin?curl=L2fowaL2f&curlid=1540786804-187681552\r\n
    Cookie: pubpriv=0; lmdata6907abe78de6c948934551ebcd73034b=adb130559b398f20759583ef85410d69\r\n
        Cookie pair: pubpriv=0
        Cookie pair: lmdata6907abe78de6c948934551ebcd73034b=adb130559b398f20759583ef85410d69
    Connection: keep-alive\r\n
   
Added by the LoadMaster
     Via: HTTPS/1.1 10.111.0.161:443\r\n
    X-Forwarded-For: 10.0.30.143\r\n
    X-Forwarded-For-Port: 53966\r\n
    FRONT-END-HTTP: ON\r\n
    Via: HTTPS/1.1 10.111.0.161:443\r\n
    X-ClientSide: 10.0.30.143:53966 -> 10.111.0.161:443\r\n
    Authorization: Basic YmdsZWVzb25AY29udG9zby5jb206MmZvdXJhbGw=\r\n
        Credentials: bgleeson@contoso.com:2fourall                               <-------------------------Normalised Username/Password. Domain added to this
    \r\n
 
Note above how the username/password passed from the LoadMaster to the Real Server is normalized. This means a user may type just their username, but the LoadMaster authenticates to the Real Server using domain/user or user@domain, depending on the SSO configuration.

3. Response: Real Server to LoadMaster
     Hypertext Transfer Protocol
    HTTP/1.1 200 OK\r\n
    Cache-Control: no-cache, no-store\r\n
    Pragma: no-cache\r\n
    Content-Type: text/html; charset=utf-8\r\n
    Content-Encoding: gzip\r\n
    Expires: -1\r\n
    Vary: Accept-Encoding\r\n
    Server: Microsoft-IIS/7.5\r\n
    Set-Cookie: OutlookSession=99ec00d738b34da28d763429b46d0acb; path=/; HttpOnly\r\n
    X-OWA-Version: 14.1.218.6\r\n
    Set-Cookie: UserContext=5c149a50c1114f99bdfcb4f60167ceef; path=/\r\n
    Set-Cookie: tzid=GMT Standard Time; path=/\r\n
    X-AspNet-Version: 2.0.50727\r\n
    Set-Cookie: owacsdc=1; path=/\r\n
    X-Powered-By: ASP.NET\r\n
    X-UA-Compatible: IE=EmulateIE7\r\n
    Date: Fri, 01 May 2015 16:33:07 GMT\r\n
    Content-Length: 17392\r\n
        [Content length: 17392]
    \r\n
   
<HTML CODE HERE>

4. Response: LoadMaster to client
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Encoding: gzip
Expires: -1
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
Set-Cookie: OutlookSession=99ec00d738b34da28d763429b46d0acb; path=/; HttpOnly
X-OWA-Version: 14.1.218.6
Set-Cookie: UserContext=5c149a50c1114f99bdfcb4f60167ceef; path=/
Set-Cookie: tzid=GMT Standard Time; path=/
X-AspNet-Version: 2.0.50727
Set-Cookie: owacsdc=1; path=/
X-Powered-By: ASP.NET
X-UA-Compatible: IE=EmulateIE7
Date: Fri, 01 May 2015 16:33:07 GMT
Content-Length: 17392


5. NEXT Request from Client
GET https://mail.contoso.com/owa/14.1.218.6/themes/base/premium.css HTTP/1.1
Host: mail.contoso.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: text/css,*/*;q=0.1
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://mail.contoso.com/owa/
Cookie: pubpriv=0; lmdata6907abe78de6c948934551ebcd73034b=adb130559b398f20759583ef85410d69; OutlookSession=99ec00d738b34da28d763429b46d0acb; UserContext=5c149a50c1114f99bdfcb4f60167ceef; tzid=GMT Standard Time; owacsdc=1
Connection: keep-alive

6. Response from Server
HTTP/1.1 200 OK
Cache-Control: public,max-age=2592000
Content-Type: text/css
Content-Encoding: gzip
Last-Modified: Thu, 29 Jul 2010 16:39:30 GMT
Accept-Ranges: bytes
ETag: "08dab9d3c2fcb1:0"
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Fri, 01 May 2015 16:33:07 GMT
Content-Length: 45115

* Note on failed authentication:
If the Real Server's response to the LoadMaster > RS request contains
WWW-Authenticate: Negotiate
this indicates that the server is not set up for Basic Authentication but for NTLM or Kerberos. If the server is using Basic Authentication, the response should contain WWW-Authenticate: Basic realm="<Realm of Server>".
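The two server-side points above, the username normalization from Section 3 and the failed-authentication note, as one added Python example that is not from the article or from Kemp. It builds the LoadMaster > Real Server header set the capture shows (Via, X-Forwarded-For, X-Forwarded-For-Port, FRONT-END-HTTP, X-ClientSide and the normalized Basic Authorization) and classifies the Real Server's reply. The function names, the "upn"/"netbios" format selector and the NetBIOS derivation (first DNS label, upper-cased) are assumptions; the header names and the sample addresses and credentials are those in the capture.

```python
import base64


def normalize_user(username: str, sso_domain: str, fmt: str = "upn") -> str:
    """Normalize the name the user typed to the form the SSO configuration expects.

    fmt='upn'     -> user@domain   (bgleeson@contoso.com, as in the capture above)
    fmt='netbios' -> DOMAIN\\user   (the 'domain/user' form the text mentions; assumed derivation)
    A name that already carries a domain is passed through unchanged.
    """
    if "@" in username or "\\" in username:
        return username
    if fmt == "upn":
        return f"{username}@{sso_domain}"
    if fmt == "netbios":
        return f"{sso_domain.split('.')[0].upper()}\\{username}"
    raise ValueError(f"unknown SSO name format: {fmt}")


def upstream_headers(client_headers: dict, client_ip: str, client_port: int,
                     vs_ip: str, vs_port: int, username: str, password: str,
                     sso_domain: str, fmt: str = "upn") -> dict:
    """Headers on the LoadMaster -> Real Server request: the client's own headers, the
    ones the capture shows the LoadMaster adding, and a Basic Authorization built from
    the normalized identity. Any Authorization the client sent is replaced; the lmdata
    cookie stays in place exactly as the capture shows."""
    out = {k: v for k, v in client_headers.items() if k.lower() != "authorization"}
    out["Via"] = f"HTTPS/1.1 {vs_ip}:{vs_port}"
    out["X-Forwarded-For"] = client_ip
    out["X-Forwarded-For-Port"] = str(client_port)
    out["FRONT-END-HTTP"] = "ON"
    out["X-ClientSide"] = f"{client_ip}:{client_port} -> {vs_ip}:{vs_port}"
    creds = f"{normalize_user(username, sso_domain, fmt)}:{password}".encode("utf-8")
    out["Authorization"] = "Basic " + base64.b64encode(creds).decode("ascii")
    return out


def diagnose_server_challenge(response_status: int, response_headers: dict) -> str:
    """Classify the Real Server's reply to the forwarded request, per the note above."""
    if response_status != 401:
        return "ok" if response_status < 400 else f"http-{response_status}"
    challenge = response_headers.get("WWW-Authenticate", "")
    schemes = [s.split()[0].lower() for s in challenge.split(",") if s.strip()]
    if "basic" in schemes:
        return "basic-rejected"    # server does expect Basic: the normalized credentials were refused
    if "negotiate" in schemes or "ntlm" in schemes:
        return "server-not-basic"  # server wants Kerberos/NTLM: enable Basic on the Real Server
    return "unknown-challenge"


if __name__ == "__main__":
    hdrs = upstream_headers({"Host": "mail.contoso.com", "Cookie": "pubpriv=0"},
                            "10.0.30.143", 53966, "10.111.0.161", 443,
                            "bgleeson", "2fourall", "contoso.com")
    for name in ("Via", "X-ClientSide", "Authorization"):
        print(f"{name}: {hdrs[name]}")
    print(diagnose_server_challenge(401, {"WWW-Authenticate": "Negotiate"}))
```

With the capture's values the Authorization header comes out as the same "Basic YmdsZWVzb25AY29udG9zby5jb206MmZvdXJhbGw=" shown in the LoadMaster > Real Server dissection, which is a convenient way to confirm what form the SSO configuration is producing without decoding traffic by hand.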
  
* Note about cookies:
The cookies used by ESP are session cookies by default. This means the cookie is available for this web browser session only. If the client opens a second browser, this cookie is not available, and the LoadMaster sees the connection as brand new and presents the user with the login form. For some deployments, the SSO must be available across multiple applications.
Form-based ESP with SharePoint: session cookies can cause problems when opening documents in another application, for example opening a SharePoint Word document. As Word does not understand a form-based login page, it fails (in fact, it tries to open the HTML form in Word).
 
 
4 ESP Logging
ESP Connection Log - This lists all IPs that hit an ESP-enabled Virtual Service.
ESP Security Log - This indicates all the successful logins.
ESP User Log:
Jul 3 14:51:01 LM-2 l7log: 10.150.0.119:443: User exampleuser logged on from 10.0.30.110
Jul 3 14:51:01 LM-2 ssomgr: SSO-auth-token reused [user=bgleeson@contoso.com] [host=10.0.30.110] [vid=11/5]
 
  
Failed authentication (wrong username or password):
Jul  3 14:52:27 LM-2 l7log: 10.150.0.119:443: User exampleuser denied access from 10.0.30.110 
Jul  3 14:52:35 LM-2 l7log: 10.150.0.119:443: User asdasd denied access from 10.0.30.110 
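The l7log lines above are the signal a defender would watch, so here is an added Python example (not from the article or from Kemp) that parses them and summarizes denials per source address. The sample log is constructed: it reuses the line formats shown above and adds a few lines so that counting across users and sources has something to show; the threshold of two denials is an arbitrary choice for the example, and the "success after failures" heuristic is a suggested check, not a LoadMaster feature.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the l7log/ssomgr lines shown above; the
# last four lines are added to show counting across users and source addresses.
SAMPLE_LOG = """\
Jul  3 14:51:01 LM-2 l7log: 10.150.0.119:443: User exampleuser logged on from 10.0.30.110
Jul  3 14:51:01 LM-2 ssomgr: SSO-auth-token reused [user=exampleuser@contoso.com] [host=10.0.30.110] [vid=11/5]
Jul  3 14:52:27 LM-2 l7log: 10.150.0.119:443: User exampleuser denied access from 10.0.30.110
Jul  3 14:52:35 LM-2 l7log: 10.150.0.119:443: User asdasd denied access from 10.0.30.110
Jul  3 14:52:40 LM-2 l7log: 10.150.0.119:443: User exampleuser denied access from 10.0.30.77
Jul  3 14:52:41 LM-2 l7log: 10.150.0.119:443: User exampleuser logged on from 10.0.30.77
"""

L7LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<lm>\S+) l7log: "
    r"(?P<vs>\d{1,3}(?:\.\d{1,3}){3}:\d+): User (?P<user>\S+) "
    r"(?P<result>logged on|denied access) from (?P<src>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)


def parse_l7log(text: str) -> list:
    """Return one dict per l7log 'User ...' line; ssomgr and other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = L7LOG_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def denied_by_source(events: list) -> dict:
    """Per source address: number of 'denied access' events and the usernames tried."""
    summary = defaultdict(lambda: {"denied": 0, "users": set()})
    for ev in events:
        if ev["result"] == "denied access":
            summary[ev["src"]]["denied"] += 1
            summary[ev["src"]]["users"].add(ev["user"])
    return {src: {"denied": s["denied"], "users": sorted(s["users"])} for src, s in summary.items()}


def flag_sources(summary: dict, threshold: int = 2) -> list:
    """Sources with at least `threshold` denials (constructed threshold; tune it to the site)."""
    return sorted(src for src, s in summary.items() if s["denied"] >= threshold)


def success_after_failures(events: list) -> list:
    """(src, user) pairs where a logon succeeded after the same source had been denied.
    Worth a second look, although it is also what a mistyped password looks like."""
    denied_sources = set()
    hits = []
    for ev in events:  # the log is in chronological order
        key = (ev["src"], ev["user"])
        if ev["result"] == "denied access":
            denied_sources.add(ev["src"])
        elif ev["src"] in denied_sources and key not in hits:
            hits.append(key)
    return hits


if __name__ == "__main__":
    evs = parse_l7log(SAMPLE_LOG)
    summary = denied_by_source(evs)
    print(summary)
    print("flagged:", flag_sources(summary))
    print("success after failures:", success_after_failures(evs))
```

The ssomgr line is deliberately not matched: it records token reuse, not an authentication decision, so it belongs in a separate parser if session-reuse tracking is wanted.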
 
LDAP User Normalization

See https://support.kemptechnologies.com/hc/en-us/articles/205466125 for details on how to test LDAP.






