Multi-Tenant LoadMaster WUI

 

1 Introduction

Multi-Tenant LoadMaster is KEMP’s multi-tenancy product. It is a product where multiple independent instances of the KEMP LoadMaster and GEO LoadMaster can operate. These instances can be referred to as tenants or Virtual Network Functions (VNFs).

Each LoadMaster instance within Multi-Tenant LoadMaster can be deployed, stopped, started and updated at will.

1.1 Document Purpose

The purpose of this document is to describe the various options in the Multi-Tenant LoadMaster Web User Interface (WUI).

For a high-level overview of the Multi-Tenant LoadMaster product and architecture, refer to the KEMP Multi-Tenant LoadMaster, Product Overview.

For instructional steps on how to perform certain tasks in the KEMP Multi-Tenant LoadMaster, refer to the Multi-Tenancy, Feature Description.

1.2 Intended Audience

This document is intended to be read by anyone who is interested in learning about the features and functionality available in the KEMP Multi-Tenant LoadMaster product.

2 Multi-Tenancy Web User Interface (WUI) Options

The sections below describe the WUI options for the Multi-Tenant LoadMaster.

2.1 Initial VLM VNF Instantiation

After the Multi-Tenant LoadMaster installation is complete, and the password has been set, a prompt will appear asking if you would like to instantiate the first VLM VNF.

For further information and steps on the Multi-Tenant LoadMaster installation, refer to the relevant MT LoadMaster Installation Guide on the KEMP documentation page: http://kemptechnologies.com/documentation

Figure 2‑1: Initial VLM VNF Instantiation

A check box will be displayed which specifies whether or not the MT guests should utilise DHCP for initial IP configuration. If this is enabled, the initial IP address and default gateway of the guest VNF will be automatically obtained via DHCP, and you will not be prompted to set them. If this option is disabled, text boxes will allow you to specify the initial IP address and default gateway.

There are also radio buttons which allow you to specify whether you would like to instantiate a VLM VNF now or not. If you select Yes, the Create Instance screen will appear and you will be prompted to configure the settings for the VNF. If you select Not Right Now, you will be brought to the Multi-Tenant LoadMaster home page.

2.2 Home

Figure 2‑2: Home page

Clicking the Home menu option displays the home page which presents a list of basic information regarding the Multi-Tenant LoadMaster.

The following information is displayed on this screen:

IP address: The IP address of the Multi-Tenant LoadMaster

Serial Number: The serial number of the Multi-Tenant LoadMaster

Boot Time: The time of the last server reboot

Multi Tenancy Manager Version: The firmware version of the Multi-Tenant LoadMaster

License: License details are listed here, such as the activation date and end date of the Multi-Tenant LoadMaster license

CPU Load: The percentage of load to the CPU of the Multi-Tenant LoadMaster appliances

Net Load: The load of each configured interface. There are two bars shown for each interface - one represents the percentage of inbound traffic and the other represents the percentage of outbound traffic.

2.3 Instance Management

This section is where the administration of installed Virtual Network Functions (VNFs) occurs.

2.3.1 Virtual Network Functions (VNF) Status

This screen lists all the available VNFs and their status.

Figure 2‑3: Status of Installed VNFs

At the top of the screen the currently committed resources are displayed, i.e. the number of cores in use and the amount of memory in use.

Allow Overcommitment of Resources

Selecting this check box allows resources to be overcommitted. This can have an impact on performance.

By default, Multi-Tenant LoadMaster will only start running instances which do not exceed the total amount of available hardware resources.

A table is displayed which contains information and operations pertaining to each VNF. There are a number of columns in this table:

Id: A unique identifier for each VNF

Name: A name to distinguish the VNF

Status: Shows whether the VNF is idle or running

IP Address: The IPv4 or IPv6 address of the VNF. If the VNF is running, this will be displayed as a clickable hyperlink which will bring you to the VNF.

The last column contains a list of Actions:

  • Start/Stop: Start/stop this VNF.
  • AutoStart/No AutoStart: Specify whether the system should auto-start this VNF upon reboot or not.
  • Configure: Modify the settings for this VNF, such as those relating to the memory, CPUs and IP addresses.
  • VNF Management: Administer this VNF including deploying application templates.
  • Delete: Delete this VNF. A VNF cannot be deleted if it is running. To delete a VNF, first stop the VNF, then click Delete.

2.3.1.1 Configure a VNF

The Multi-Tenant LoadMaster creates one Virtual-Switch per physical/VLAN interface. In addition, 10 host local networks are created. The tenant’s vNICs connect either to one of these switches or to one of the host local networks. Each tenant can have up to 10 vNICs named ETH0-9.

Figure 2‑4: Configure VNF

On this screen the VNF settings can be modified.

The VNF has to be stopped in order to make changes on this screen. If the VNF has not been stopped, the fields on this screen will be greyed out. VNFs can be stopped on the VNF Status screen.

Name: The name of the VNF.

Memory: Select the amount of memory that is allocated to the VNF.

CPUs: Select the number of CPUs that have been allocated to the VNF.

The second half of this screen lists the interfaces for this VNF along with related operations.

VNF Interface: The interface number.

MAC Address: The Media Access Control (MAC) address of the VNF.

Physical Interface/Virtual Network: Select either a physical interface or a virtual network, and then select the relevant interface.

Add Interface: Adds the interface.

Delete Interface: Deletes the interface.

The interfaces can only be configured when the VNF is not running.

Reset: Resets all values to the default settings.

Apply: Applies the changes to the VNFs.

2.3.1.2 Manage a VNF

Figure 2‑5: Manage a VNF

Administrative functions can be performed on VNFs on this screen.

Backup VNF

Take a backup of the VNF.

The backup name includes a date and timestamp. This has a granularity of one minute. If more than one backup is created in the same minute, the original backup (with the same name) will be overwritten. If there is more than one minute between backup attempts, a separate file will be created.

Figure 2‑6: Manage VNFs

Display Backups

Shows a list of previous backups for this VNF.

Restore: Restore the backup to the VNF.

Download: Downloads the backup to the local machine.

Delete: Deletes the backup.

 

Templates

A list of Available Templates is displayed on the left. Templates can be moved to the Installed Templates list on the right by selecting them and clicking the right arrow. To remove templates, use the left arrow. Click Install Templates to apply the changes to the VNF.

2.3.2 Package Management

Import VNF Package

Figure 2‑7: Install VNF Packages

Import a new VNF package.

Package: The name of the VNF package.

Version: The VNF package version.

Action:

  • Create Instance: Create an instance of this template.
  • Delete: Delete this template.

2.3.2.1 Create a VNF Instance

Figure 2‑8: Create Instance

VNF Name: Specify the name of the VNF.

Initial IP address: Enter the initial IP address of the VNF.

Initial Default Gateway: Enter the initial default gateway of the VNF.

If the Enable DHCP for MT VNF(s) option is enabled (System Configuration > Miscellaneous Options > Network Options), the Initial IP address and Initial Default Gateway fields will not be displayed because the initial IP address and default gateway will be automatically obtained via DHCP.

Number of NICS: Select the number of Network Interface Cards (NICs).

Number of CPUs: Select the number of CPUs that are required for this VNF.

Memory Requirement: Select the amount of memory required for this VNF.

Create VNF Now: Creates an instance of this VNF.

2.3.3 Manage Templates

Application templates make the setting up of Virtual Services easier by automatically configuring the parameters for a Virtual Service. Before a template can be used to configure a Virtual Service, it must be imported and installed on the Multi-Tenant LoadMaster or a tenant LoadMaster.

Templates can be downloaded from www.kemptechnologies.com.

Figure 2‑9: Manage Templates

Click the Choose File button, select the template you wish to install and click the Add New Template button to install the selected template. This template then needs to be assigned to the VNF in the Manage VNF screen before it becomes available for use in the tenant LoadMaster. Refer to Section 2.3.1.2 for more information.

Figure 2‑10: Delete

Click the Delete button to remove the template.

For details on how to use a template to create and configure a new Virtual Service and where to obtain templates, please refer to the Virtual Services and Templates, Feature Description document.

2.4 Statistics

2.4.1 Real Time Statistics

Figure 2‑11: Statistics

The Statistics screen displays the activity of, and the resources used by, the Multi-Tenant LoadMaster.

2.4.1.1 Committed Resources

Memory: The amount of total memory used for the committed resources. This relates to the VNFs.

Cores: The number of processor cores in use.

2.4.1.2 Total CPU activity

This table displays the following CPU utilization information for a given Multi-Tenant LoadMaster:

| Statistic | Description |
| --- | --- |
| User | The percentage of the CPU spent processing in user mode |
| System | The percentage of the CPU spent processing in system mode |
| Idle | The percentage of CPU which is idle |
| I/O Waiting | The percentage of the CPU spent waiting for I/O to complete |

The sum of these 4 percentages will equal 100%.

Core Temp: The temperature for each CPU core is displayed for Multi-Tenant LoadMaster hardware appliances. Temperature will not show on a virtual statistics screen.

Figure 2‑12: CPU Details

CPU Details: The number buttons can be clicked in the CPU Details row to get more detailed statistics on each CPU, as shown in Figure 2‑12.

Memory usage

This bar graph shows the amount of memory in use and the amount of memory free for the host Multi-Tenant LoadMaster system.

Network activity

These bar graphs show the current network throughput on each interface.

2.4.2 Historical Graphs

Figure 2‑13: Historical Graphs

The Historical Graphs screen provides a graphical representation of the Multi-Tenant LoadMaster statistics. These configurable graphs provide a visual indication of the traffic that is being processed by the Multi-Tenant LoadMaster.

There are graphs for the network activity on each interface. The time granularity can be specified by selecting one of the hour, day, month, quarter or year options.

In the case of the network activity on the interface graphs, you can choose which type of measurement unit you wish to use by selecting one of the Packet, Bits or Bytes options.

You can disable these graphs by disabling the Enable Historical Graphs check box in the WUI Settings screen. For more information on the WUI Settings section, refer to Section 2.5.11.1.

2.5 System Configuration

2.5.1 Interfaces

This screen describes the external network and internal network interfaces. The screen has the same information for the eth0 and eth1 Ethernet ports.

Figure 2‑14: Network Interface options

Within the Interface Address (address[/prefix]) text box you can specify the Internet address of this interface.

By default, the Speed of the link is automatically detected. In certain configurations, this speed is incorrect and must be forced to a specific value.

The Use for Default Gateway check box is only available if the Enable Alternate GW support option is selected in the Network Options screen. If the settings being viewed are for the default interface, this option will be greyed out and selected. To enable this option on another interface, go to the other interface by clicking it in the main menu on the left. The option is then available to select.

Within the MTU field you can specify the maximum size of Ethernet frames that will be sent from this interface. The valid range is 512 - 9216.

The valid range of 512 - 9216 may not apply to VLMs as the range will be dependent on the hardware the VLM is running on. It is advised to check your hardware restrictions for supported MTU sizes.

Using the Additional addresses field allows the Multi-Tenant LoadMaster to give multiple addresses to each interface, as aliases. This is sometimes referred to as a “router on a stick”. It allows both IPv4 and IPv6 addresses in standard IP+CIDR format, so this can also be used to do a mixed mode of IPv4 and IPv6 addresses on the same interface. Any of the subnets that are added here will be available for both virtual IPs and real server IPs.

Adding a VLAN

Select the interface and then select the VLAN Configuration button.

Figure 2‑15: VLAN Id

Add the VLAN Id value and select the Add New VLAN menu option.

Repeat as needed. To view the VLANs, select the System Configuration > Interfaces menu option.

 

Removing a VLAN

To remove a VLAN select the System Configuration > Interfaces menu option and select the appropriate VLAN ID from the drop-down list.

Once selected, delete the IP and then click Set Address. Once the IP has been removed you will have the option to delete the VLAN, by clicking the Delete this VLAN button.

Repeat as needed. To view the VLANs select the System Configuration > Interfaces menu option and select the appropriate VLAN ID from the drop-down list.

2.5.2 Host & DNS Configuration

2.5.2.1 Hostname Configuration

Figure 2‑16: Set Hostname

Set Hostname

Set the hostname of the local machine by entering the hostname in the Current Hostname text box and clicking the Set Hostname button. Only alphanumeric characters are allowed.

DNS NameServer (IP Address)

Enter the IP address of a DNS server that will be used to resolve names locally on the Multi-Tenant LoadMaster in this field and click the Add button. A maximum of three DNS servers are allowed.

DNS Search Domains

Specify the domain name that is to be prepended to requests to the DNS Name Server in this field and click the Add button. A maximum of six Search Domains are allowed.

2.5.3 Route Management

This option permits the configuration of default and static routes.

2.5.3.1 Default Gateway

The LoadMaster requires a default gateway through which it can communicate with the Internet.

Figure 2‑17: Default Gateway

If both IPv4 and IPv6 addresses are being used on the Multi-Tenant LoadMaster, then both an IPv4 and IPv6 Default Gateway Address are required.

IPv4 and IPv6 default gateways must be on the same interface.

2.5.3.2 Additional Routes

Figure 2‑18: Additional Routes

Further routes can be added. These routes are static and the gateways must be on the same network as the Multi-Tenant LoadMaster.

2.5.4 System Administration

These options control the base-level operation of the Multi-Tenant LoadMaster. Many of these options will require a system reboot.

2.5.4.1 User Management

Figure 2‑19: User Management

The User Management screen allows you to:

  • Change the appliance password
  • Change an existing user’s password by clicking the Password button in the Action section
  • Add a new user and associated password
  • Change the permissions for an existing user by clicking the Modify button in the Action section

User names can contain alphanumeric characters and periods and dashes (‘.’ and ‘_’).

The Use RADIUS Server option allows you to determine whether the user will use RADIUS server authentication or not when logging on to the Multi-Tenant LoadMaster. The RADIUS Server details must be set up before this option can be used.

A RADIUS server can be used to authenticate users who wish to log on to the Multi-Tenant LoadMaster. The Multi-Tenant LoadMaster passes the user’s details to the RADIUS server and the RADIUS server informs the Multi-Tenant LoadMaster whether the user is authenticated or not.

When Session Management is enabled, the Use RADIUS Server option is not available within this screen.

Figure 2‑20: Permissions

In this screen you may set the level of user permissions. This determines what configuration changes the user is allowed to perform. The primary user, bal, always has full permissions. Secondary users may be restricted to certain functions.

Named users, even those without User Administration privileges, can change their own passwords. When a named user clicks the System Administration > User Management menu option the Change Password screen appears.

Figure 2‑21: Change Password

From within this screen, users can change their own password. Once changed, a confirmation screen appears after which the users will be forced to log back in to Multi-Tenant LoadMaster using their new password.

2.5.5 Update License

Figure 2‑22: Update License

This screen displays the activation date and the expiration date of the current license. Before updating the license in the Multi-Tenant LoadMaster, you must either contact your KEMP representative or use the Upgrade option. After you have contacted KEMP or used the Upgrade option, there are two ways to upgrade a license – via the Online method and via the Offline method. For more information and instructions, refer to the Licensing, Feature Description. A reboot may be required depending on which license you are applying.

Licensing is done in the Multi-Tenant LoadMaster and is based on the maximum number of tenants that can be started. This means that the LoadMaster tenants do not need to be licensed individually. The default Multi-Tenant LoadMaster license allows 10 tenants.

The Update License option is not available in tenant LoadMasters that were deployed using the KEMP Multi-Tenant LoadMaster product. This is because licensing is controlled at the Multi-Tenant LoadMaster level.

2.5.6 System Reboot

Figure 2‑23: System Reboot

Reboot

Reboot the appliance.

Shutdown

Clicking this button attempts to power down the Multi-Tenant LoadMaster.

 

Reset Machine

Reset the configuration of the appliance with the exception of the license and username and password information.

2.5.7 Update Software

Figure 2‑24: Update Software

Contact support to obtain the location of firmware patches and upgrades. Firmware downloads require Internet access. Detailed patch information is available at http://forums.kemptechnologies.com/

Update Machine

Once you have downloaded the firmware you can browse to the file and upload the firmware directly into the Multi-Tenant LoadMaster. The firmware will be unpacked and validated on the Multi-Tenant LoadMaster. If the patch is validated successfully you will be asked to confirm the release information. To complete the update you will need to reboot the appliance. This reboot can be deferred if needed.

 

Restore Software

If you have completed an update of the Multi-Tenant LoadMaster firmware you can use this option to revert to the previous build.

2.5.8 Backup and Restore

Figure 2‑25: Backup and Restore

Create Backup File

Generate a backup of the Multi-Tenant LoadMaster. License information is not contained in the backup.

Restore Configuration

Browse to and restore a Multi-Tenant LoadMaster backup file.

Automated Backups

If the Enable Automated Backups check box is selected, the system may be configured to perform automated backups on a daily or weekly basis.

When to perform backup

Specify the time (24 hour clock) of the backup. Also select whether to back up daily or on a specific day of the week. When ready, click the Set Backup Time button.

Remote user

Set the username required to access the remote host.

Remote password

Set the password required to access the remote host.

Remote host

Set the remote host name.

 

Remote Pathname

Set the location on the remote host to store the file.

Test Automated Backups

Clicking the Test Backup button performs a test to check if the automated backup configuration is working correctly. The results of the test can be viewed within the System Message File.

The Automated Backup transfer protocol is currently FTP only.

2.5.9 Date/Time

You can manually configure the date and time of the Multi-Tenant LoadMaster or leverage a Network Time Protocol (NTP) server.

Figure 2‑26: Set Date and Time

NTP host(s)

Specify the host which is to be used as the NTP server. Multiple hosts can be entered by using a space-separated list.

The time zone must always be set manually.

2.5.10 Logging Options

2.5.10.1 System Log Files

Figure 2‑27: Log Files

Boot.msg File: Contains information, including the current version, during the initial starting of the Multi-Tenant LoadMaster.

Warning Message File: Contains warnings logged during the operation of the Multi-Tenant LoadMaster.

System Message File: Contains system events logged during the operation of Multi-Tenant LoadMaster. This includes both operating system-level and Multi-Tenant LoadMaster internal events.

Reset Logs: This will reset all log files.

Save all System Log Files: This saves the files to your computer. It can be useful to send log files to KEMP support when troubleshooting an issue.

2.5.10.1.1 Debug Options

The Multi-Tenant LoadMaster has a range of features that will help you and KEMP Support staff with diagnosing connectivity issues. Clicking the Debug Options button will bring up the screen shown below.

Figure 2‑28: Debug Options

Enable IRQ Balance: Enable this option only after consulting with KEMP support staff.

Perform a PS: Performs a ps on the system.

Display Meminfo: Displays raw memory statistics.

Display Slabinfo: Displays raw slab statistics.

Perform an Ifconfig: Displays raw Ifconfig output.

Perform a Netstat: Displays Netstat output.

Reset Statistic Counters: Reset all statistic counters.

Ovs Logging Level: Specify the level of Open vSwitch logs to record. The default setting for this field is error.

Netconsole Host: The syslog daemon on the specified host will receive all critical kernel messages. The syslog server must be on the local LAN and the messages sent are UDP messages.

You can select which interface the Netconsole Host is set to via the Interface dropdown.

Please ensure that the netconsole host specified is on the selected interface as errors may occur if it is not.

Ping Host: Performs a ping on the specified host. The interface which the ping should be sent from can be specified in the Interface drop-down list. The Automatic option selects the correct interface to ping an address on a particular network.

Traceroute Host: Perform a traceroute of a specific host.

Kill MT Console (): Permanently disables all Multi-Tenant LoadMaster functions. The Multi-Tenant LoadMaster can be re-enabled by being relicensed.

Please do not kill your Multi-Tenant LoadMaster without consulting KEMP Technical Support first.

TCP dump

A TCP dump can be captured on either one or all Ethernet ports. Address and port parameters, as well as optional parameters, may be specified. The maximum number of characters permitted in the optional field is 255.

You can stop and start the dump. You can also download it to a particular location.

2.5.10.2 Syslog Options

The Multi-Tenant LoadMaster can produce various warning and error messages using the syslog protocol. These messages are normally stored locally.

Figure 2‑29: Syslog Options

It is also possible to configure the Multi-Tenant LoadMaster to transmit these error messages to a remote syslog server by entering the relevant IP address in the relevant text box and clicking Change Syslog Parameters.

Six different error message levels are defined and each message level may be sent to a different server. Notice messages are sent for information only; emergency messages normally require immediate user action.

Examples of the type of message that may be seen after setting up a Syslog server are below:

  • Emergency: Kernel-critical error messages
  • Critical: Unit has failed
  • Error: Authentication failure for root from 192.168.1.1
  • Warn: Interface is up/down
  • Notice: Time has been synced
  • Info: Local advertised Ethernet address

One point to note about syslog messages is that they cascade in an upwards direction. Thus, if a host is set to receive WARN messages, the message file will include messages from all levels above WARN but none from levels below WARN.

We recommend you do not set all six levels for the same host because multiple messages for the same error will be sent to the same host.

To enable a syslog process on a remote Linux server to receive syslog messages from the Multi-Tenant LoadMaster, the syslog daemon must be started with the “-r” flag.
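The cascading behaviour and the recommendation against entering one host at all six levels can be worked through in code. The following is an added example, not KEMP code: the level names come from the list above, while the per-level host mapping, the function names and the host addresses are constructed for illustration.

```python
from collections import Counter

# The six message levels of the Syslog Options screen, most severe first.
LEVELS = ["Emergency", "Critical", "Error", "Warn", "Notice", "Info"]
RANK = {name: i for i, name in enumerate(LEVELS)}


def deliveries(level_hosts, message_level):
    """Count the copies of one message that each syslog host receives.

    level_hosts maps a level name to the hosts entered in that level's
    field (assumed representation). A host entered at a level receives
    that level and every more severe one, and nothing less severe.
    """
    if message_level not in RANK:
        raise ValueError(f"unknown level: {message_level}")
    copies = Counter()
    for level, hosts in level_hosts.items():
        if level not in RANK:
            raise ValueError(f"unknown level: {level}")
        if RANK[message_level] <= RANK[level]:
            copies.update(hosts)
    return copies


def duplicates(level_hosts):
    """Return {level: {host: copies}} for hosts sent more than one copy."""
    report = {}
    for level in LEVELS:
        counts = deliveries(level_hosts, level)
        extra = {host: n for host, n in counts.items() if n > 1}
        if extra:
            report[level] = extra
    return report


def collapse(level_hosts):
    """Keep each host only at its least severe configured level.

    Cascading still delivers every level the host received before,
    but only one copy of each message.
    """
    lowest = {}
    for level, hosts in level_hosts.items():
        for host in hosts:
            if host not in lowest or RANK[level] > RANK[lowest[host]]:
                lowest[host] = level
    fixed = {level: [] for level in LEVELS}
    for host, level in sorted(lowest.items()):
        fixed[level].append(host)
    return fixed


# Constructed sample: one collector entered at all six levels,
# plus a second host that only wants Critical and above.
SAME_HOST_EVERYWHERE = {level: ["192.0.2.10"] for level in LEVELS}
SAME_HOST_EVERYWHERE["Critical"] = ["192.0.2.10", "192.0.2.20"]

if __name__ == "__main__":
    for level, hosts in duplicates(SAME_HOST_EVERYWHERE).items():
        print(f"{level}: duplicated copies {hosts}")
    print("collapsed layout:", collapse(SAME_HOST_EVERYWHERE))
```

With the collector entered at every level, a single Emergency message reaches it six times; entering it once at Info delivers the same set of levels with one copy each.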

2.5.10.3 SNMP Options

With this menu, the SNMP configuration can be modified.

Figure 2‑30: SNMP Options

Enable SNMP

This check box enables or disables SNMP metrics. For example, this option allows the Multi-Tenant LoadMaster to respond to SNMP requests.

By default SNMP is disabled.

When the feature is enabled, the following traps are generated:

  • ColdStart: generic (start/stop of SNMP sub-system)
  • VsStateChange: (Virtual Service state change)
  • RsStateChange: (Real Server state change)

The information regarding all Multi-Tenant LoadMaster-specific data objects is stored in three enterprise-specific MIBs (Management Information Base).

ONE4NET-MIB.txt: enterprise id

IPVS-MIB.txt: Virtual Server stats

B-100-MIB.txt: Multi-Tenant LoadMaster configuration data

These MIBs (which can be found on the KEMP website) need to be installed on the SNMP manager machine in order to be able to request the performance-/config-data of the Multi-Tenant LoadMaster via SNMP.

The description of the counters can be taken from the Multi-Tenant LoadMaster MIBs (the description clause). Apart from just reading the MIB, this can be done for Linux (and ucdsnmp) with the command:

snmptranslate -Td -OS <oid>

where <oid> is the object identifier in question.

Example: <oid> = .1.3.6.1.4.1.one4net.ipvs.ipvsRSTable.rsEntry.RSConns

snmptranslate -Td -Ov .1.3.6.1.4.1.one4net.ipvs.ipvsRSTable.rsEntry.RSConns

.1.3.6.1.4.1.12196.12.2.1.12
RSConns OBJECT-TYPE
  -- FROM IPVS-MIB
  SYNTAX Counter32
  MAX-ACCESS read-only
  STATUS current
  DESCRIPTION "the total number of connections for this RS"
::= { iso(1) org(3) dod(6) internet(1) private(4) enterprises(1) one4net(12196) ipvs(12) ipvsRSTable(2) rsEntry(1) 12 }

The data objects defined in the Multi-Tenant LoadMaster MIBs are a superset of the counters displayed by the WUI.

The data objects on the Multi-Tenant LoadMaster are not writable, so only GET requests (GET, GET-NEXT, GET-BULK etc.) should be used.
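The snmptranslate record above can be checked mechanically: the symbolic path in the `::=` line must resolve to the numeric OID, and the access clause must not be writable. The following is an added example, not KEMP code: the sample text is this page's RSConns output with its spacing repaired, and the function names are hypothetical.

```python
import re

# snmptranslate -Td output for RSConns as printed on this page (spacing repaired).
SAMPLE = '''\
.1.3.6.1.4.1.12196.12.2.1.12
RSConns OBJECT-TYPE
  -- FROM IPVS-MIB
  SYNTAX Counter32
  MAX-ACCESS read-only
  STATUS current
  DESCRIPTION "the total number of connections for this RS"
::= { iso(1) org(3) dod(6) internet(1) private(4) enterprises(1) one4net(12196) ipvs(12) ipvsRSTable(2) rsEntry(1) 12 }
'''

NUMERIC_OID = re.compile(r"(\.\d+)+")
PATH_TOKEN = re.compile(r"(?:[A-Za-z][\w-]*\((\d+)\)|(\d+))")
# Access values (SMIv1 ACCESS and SMIv2 MAX-ACCESS) that permit SET requests.
WRITABLE = {"read-write", "read-create", "write-only"}


def parse_translate(text):
    """Parse one `snmptranslate -Td` record into a dict."""
    obj = {"oid": None, "name": None, "mib": None, "clauses": {}, "path": []}
    open_key = None  # clause whose quoted value continues on the next line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if open_key:
            obj["clauses"][open_key] += " " + line
            if line.count('"') % 2 == 1:  # closing quote reached
                open_key = None
        elif NUMERIC_OID.fullmatch(line):
            obj["oid"] = line
        elif line.endswith("OBJECT-TYPE"):
            obj["name"] = line.split()[0]
        elif line.startswith("-- FROM"):
            obj["mib"] = line.split()[2]
        elif line.startswith("::="):
            body = line[line.index("{") + 1:line.rindex("}")]
            for token in body.split():
                match = PATH_TOKEN.fullmatch(token)
                if not match:
                    raise ValueError(f"unexpected OID component: {token}")
                obj["path"].append(int(match.group(1) or match.group(2)))
        else:
            parts = line.split(None, 1)
            value = parts[1] if len(parts) > 1 else ""
            obj["clauses"][parts[0]] = value
            if value.count('"') % 2 == 1:  # quoted text spans several lines
                open_key = parts[0]
    obj["clauses"] = {k: v.strip('"') for k, v in obj["clauses"].items()}
    return obj


def check_object(obj):
    """Return a list of problems; an empty list means the record is consistent."""
    problems = []
    dotted = "." + ".".join(str(n) for n in obj["path"])
    if obj["oid"] != dotted:
        problems.append(f"numeric OID {obj['oid']} does not match path {dotted}")
    access = obj["clauses"].get("MAX-ACCESS") or obj["clauses"].get("ACCESS")
    if access in WRITABLE:
        problems.append(f"{obj['name']} is {access}; objects are expected to be read-only")
    return problems


if __name__ == "__main__":
    record = parse_translate(SAMPLE)
    print(record["name"], record["oid"], check_object(record) or "consistent")
```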

Enable SNMP V3

This check box enables SNMP v3 metrics. SNMPv3 primarily added security and remote configuration enhancements to SNMP.

When this option is enabled, two additional fields become available - Username and Password.

The Username and Password must be set in order for SNMP v3 to work.

The password must be at least 8 characters long.

 

Authentication protocol

Select the relevant Authentication protocol - MD5 or SHA. SHA is a more secure protocol.

Privacy protocol

Select the relevant Privacy protocol - AES or DES. AES is a more secure protocol.

 

SNMP Clients

With this option, the user can specify which SNMP management hosts the Multi-Tenant LoadMaster will respond to.

If no client has been specified, the Multi-Tenant LoadMaster will respond to SNMP management requests from any host.

 

SNMP Community String

This option allows the SNMP community string to be changed. The default value is “public”.

Allowed characters in the Community String are as follows: a-z, A-Z, 0-9, _.-@()?#%^+~!.

 

SNMP Contact

This option allows the SNMP Contact string to be changed. For example, this could be the e-mail address of the administrator of the Multi-Tenant LoadMaster.

SNMP Location

This option allows the SNMP location string to be changed.

 

SNMP traps

When an important event happens to a Multi-Tenant LoadMaster, a Virtual Service or a Real Server, a trap is generated. These are sent to the SNMP trap sinks.

 

Enable/Disable SNMP Traps

This toggle option enables and disables the sending of SNMP traps.

SNMP traps are disabled by default.

 

Send SNMP traps from the shared address

This check box is only visible when the LoadMaster is in HA mode.

By default, SNMP traps are sent using the IP address of the master HA unit as the source IP address. Enabling this option will send SNMP traps from the master HA unit using the shared IP address.

 

SNMP Trap Sink1

This option allows the user to specify a list of hosts to which an SNMPv1 trap will be sent when a trap is generated.

 

SNMP Trap Sink2

This option allows the user to specify a list of hosts to which an SNMPv2 trap will be sent when a trap is generated.

2.5.10.4 Email Options

This screen permits the configuration of email alerting for Multi-Tenant LoadMaster events. Email notification can be delivered for six predefined informational levels. Each level can have a distinct email address and each level supports multiple email recipients. Email alerting depends on a mail server; support for both an open relay mail server and a secure mail server is provided.

Figure 2‑31: Email Options

SMTP Server

Enter the FQDN or IP address of the mail server. If you are using FQDN please make sure to set the DNS Server.

 

Port

Specify the port of the SMTP server which will handle the email events.

 

Server Authorization (Username)

Enter the username if your mail server requires authorization for mail delivery. This is not required if your mail server does not require authorization.

 

Authorization Password

Enter the password if your mail server requires authorization for mail delivery. This is not required if your mail server does not require authorization.

 

Local Domain

Enter the top-level domain, if your mail server is part of a domain. This is not a required parameter.

 

 

 

Connection Security

Select the type of security for the connection:

  • None
  • STARTTLS, if available
  • STARTTLS
  • SSL/TLS

 

Set Email Recipient

In the various Recipients text boxes, enter the email address that corresponds with the level of notification desired. Multiple email addresses are supported by a comma-separated list, such as:

Info Recipients: info@kemptechnologies.com, sales@kemptechnologies.com

Error Recipients: support@kemptechnologies.com

Clicking the Send Test Email to All Recipients button sends a test email to all the listed email recipients.

2.5.11 Miscellaneous Options

2.5.11.1 WUI Settings

Only the bal user or users with ‘All Permissions’ set can use this functionality. Users with different permissions can view the screen but all buttons and input fields are greyed out.

Figure 2‑32: WUI Settings

Enable Hover Help

Enables blue hover notes shown when the pointer is held over certain fields.

 

Message of the Day (MOTD)

Type text into the field and click the Set MotD button. This message will be displayed within the Multi-Tenant LoadMaster home screen.

The maximum allowed message length is 5,000 characters. HTML is supported, but not required.

 

Set Statistics Display Size

This sets the maximum number of rows that can be displayed in the Statistics page. The allowable range is between 10 and 100 rows being displayed on the page.

 

End User License

Click the Show EULA button to display the Multi-Tenant LoadMaster End User License Agreement.

Supported TLS Protocols

Check boxes are provided here which can be used to specify whether or not it is possible to connect to the Multi-Tenant LoadMaster WUI using the following protocols: SSLv3, TLS1.0, TLS1.1 or TLS1.2. TLS1.1 and TLS1.2 are enabled by default. It is not recommended to only have SSLv3 selected because SSLv3 is only supported by some old browsers. When connecting to the WUI via a web browser, the highest security protocol which is mutually supported by both the browser and the WUI will be used.

WUI Cipher set

Select the relevant cipher set to use for WUI access. For information on each of the cipher sets available, refer to Section 2.5.11.4.

Enable Historical Graphs

Enable the gathering of historical statistics for the Virtual Services and Real Servers.

2.5.11.2WUI Session Management

Figure 2‑33: WUI Session Management (bal user)

Session management is enabled by default on all Multi-Tenant LoadMasters initially deployed with firmware version MT_7.1.35 or above.

Only the bal user can enable or disable Session Management and/or Basic Authentication.

Users with the ‘All Permissions’ permission set can view the Enable Session Management, Require Basic Authentication and Basic Authentication Password fields. They can, however, configure the Failed Login Attempts and Idle Session Timeout values.

Users with the ‘User Administration’ permissions set can view the screen but all buttons and input fields are greyed out.

All other users cannot view the WUI Session Management, Currently Active Users or Currently Blocked Users sections of the WUI Configuration screen.

When using WUI Session Management, it is possible to use one or two steps of authentication.

If the Enable Session Management check box is ticked and Require Basic Authentication is disabled, the user only needs to log in using their local username and password. Users are not prompted to log in using the bal or user logins.

If the Enable Session Management and Require Basic Authentication check boxes are both selected, there are two levels of authentication enforced in order to access the Multi-Tenant LoadMaster WUI. The initial level is Basic Authentication, where users log in using the bal or user logins, which are default usernames defined by the system.

Once logged in via Basic Authentication, the user then must log in using their local username and password to begin the session.

Enable Session Management

Selecting the Enable Session Management check box enables the WUI Session Management functionality. This will force all users to initially log in to the server using either the bal or user logins and then to log in to the session using their normal credentials.

When this check box is selected, the user is required to log in to use Multi-Tenant LoadMaster.

LDAP users need to log in using the full domain name. For example, an LDAP username should be test@kemp.com and not just test.

Figure 2‑34: User Credentials

After a user has logged in, they may log out by clicking the button in the top right-hand corner of the screen.

Once the WUI Session Management functionality is enabled, all the WUI Session Management options appear.

Figure 2‑35: WUI Session Management

Require Basic Authentication

If WUI Session Management and Basic Authentication are both enabled, there are two levels of authentication enforced in order to access the Multi-Tenant LoadMaster WUI. The initial level is Basic Authentication, where users log in using the bal or user logins, which are default usernames defined by the system.

Once logged in via Basic Authentication, the user then must log in using their local username and password to begin the session.

 

Basic Authentication Password

The Basic Authentication password for the user login can be set by typing the password into the Basic Authentication Password text box and clicking the Set Basic Password button.

The password needs to be at least 8 characters long and should be a mix of alpha and numeric characters. If the password is considered to be too weak, a message appears asking you to enter a new password.

Failed Login Attempts

The number of times that a user can fail to log in correctly before they are blocked can be specified within this text box. The valid values that may be entered are numbers between 1 and 999.

If a user is blocked, only the bal user or other users with All Permissions set can unblock a blocked user.

If the bal user is blocked, there is a ‘cool-down’ period of ten minutes before the bal user can log in again.

 

Idle Session Timeout

The length of time (in seconds) a user can be idle (no activity recorded) before they are logged out of the session. The valid values that may be entered are numbers between 60 and 86400 (between one minute and 24 hours).

2.5.11.2.1Active and Blocked Users

Only the bal user or users with ‘All Permissions’ set can use this functionality. Users with ‘User Administration’ permissions set can view the screen but all buttons and input fields are greyed out. All other users cannot view this portion of the screen.

Figure 2‑36: Currently Active Users

Currently Active Users

The user name and login time of all users logged into the Multi-Tenant LoadMaster are listed in this section.

To immediately log out a user and force them to log back into the system, click the Force logout button.

To immediately log out a user and to block them from being able to log in to the system, click the Block user button. The user will not be able to log back in to the system until they are unblocked or until the Multi-Tenant LoadMaster reboots. Clicking the Block user button does not force the user to log off; to do this, click the Force logout button.

If a user exits the browser without logging off, that session will remain open in the currently active users list until the timeout is reached. If the same user logs in again before the timeout is reached, the new login will be a separate session.

 

Currently Blocked Users

The user name and login time of when the user was blocked are listed within this section.

To unblock a user to allow them to log in to the system, click the Unblock button.

2.5.11.3Remote Access

Figure 2‑37: Remote Access

Allow Remote SSH Access

You can limit the network from which clients can connect to the SSH administrative interface on Multi-Tenant LoadMaster.

 

Using

Specify the addresses for which remote administrative SSH access to the Multi-Tenant LoadMaster is allowed.

 

Port

Specify the port used to access the Multi-Tenant LoadMaster via the SSH protocol.

 

Allow Web Administrative Access

Selecting this check box allows administrative web access to the Multi-Tenant LoadMaster. Disabling this option will stop access upon the next reboot.

Disabling web access is not recommended.

 

Using

Specify the addresses for which administrative web access is to be permitted.

 

Port

Specify the port used to access the administrative web interface.

 

Administrative Default Gateway

When administering the Multi-Tenant LoadMaster from a non-default interface, this option allows the user to specify a different default gateway for administrative traffic only.

If the Administrative Default Gateway is being changed to another interface that is not accessible without proper routing, a static route into the Multi-Tenant LoadMaster should be added before changing the administrative interface IP. Once the routing is in place, the interface can be switched and the administrative default gateway can be selected if required. Then the static route can be removed.

 

RADIUS Server

Here you can enter the address of the RADIUS server that is to be used to validate user access to the Multi-Tenant LoadMaster. To use a RADIUS server, you must specify the Shared Secret.

A Shared Secret is a text string that serves as a password between the Multi-Tenant LoadMaster and the RADIUS server.

The Revalidation Interval specifies how often a user should be revalidated by the RADIUS server.

RADIUS Server Configuration

To configure RADIUS to work correctly with Multi-Tenant LoadMaster, authentication must be configured on the RADIUS server and the RADIUS Reply-Message must be mapped to LoadMaster permissions.

The Reply-Message values correspond to LoadMaster permissions as shown in Table 1.

| Reply-Message | LoadMaster Permission |
|---|---|
| real | Real Servers |
| vs | Virtual Services |
| rules | Rules |
| backup | System Backup |
| certs | Certificate Creation |
| cert3 | Intermediate Certificates |
| certbackup | Certificate Backup |
| users | User Administration |

Table 1: Reply-Message/ LoadMaster Permissions

The values in the Reply-Message should map to the user permissions page in the WUI as per Figure 39, with the exception of “All Permissions”:

Figure 39: LoadMaster Permissions

To configure the Windows version of RADIUS, please refer to Radius Authentication and Authorization, Technical Note on the KEMP website.

To configure the Linux FreeRADIUS server, please insert the text below into the /etc/freeradius/users file in the sections indicated within the file. The example below is to configure permissions for the user ‘LMUSER’.

LMUSER Cleartext-Password := "1fourall"
        Reply-Message = "real,vs,rules,backup,certs,cert3,certbackup,users"

The /etc/freeradius/clients.conf file must also be configured to include the Multi-Tenant LoadMaster IP address. This file lists the IP addresses that are allowed to contact RADIUS.
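The following is an added example, not KEMP or FreeRADIUS code: a Python check that reads entries in the users-file layout shown above and compares each Reply-Message token against Table 1, so that a token which is not in the table is flagged for review. It assumes tokens must match Table 1 exactly and case-sensitively; the certops and typo entries and their passwords are constructed.

```python
import re

# Reply-Message token -> LoadMaster permission, copied from Table 1 on this page.
PERMISSIONS = {
    "real": "Real Servers", "vs": "Virtual Services", "rules": "Rules",
    "backup": "System Backup", "certs": "Certificate Creation",
    "cert3": "Intermediate Certificates", "certbackup": "Certificate Backup",
    "users": "User Administration",
}

# Sample in the FreeRADIUS users-file layout: a check line starting in column 0,
# then indented reply lines. LMUSER is the page's entry; the rest is constructed.
SAMPLE_USERS = '''\
LMUSER Cleartext-Password := "1fourall"
    Reply-Message = "real,vs,rules,backup,certs,cert3,certbackup,users"

certops Cleartext-Password := "example-only-1"
    Reply-Message = "certs,cert3,certbackup"

typo Cleartext-Password := "example-only-2"
    Reply-Message = "real,virtual,Users"
'''

REPLY_RE = re.compile(r'Reply-Message\s*[:+]?=\s*"([^"]*)"')

def audit_users(text):
    """Return {user: (granted permission names, unrecognised tokens)}."""
    report, user = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():       # column 0 starts a new user entry
            user = line.split()[0]
            report[user] = ([], [])
            continue
        match = REPLY_RE.search(line)
        if user is None or not match:
            continue
        # Assumption: tokens must match Table 1 exactly (case-sensitive).
        for token in match.group(1).split(","):
            if token in PERMISSIONS:
                report[user][0].append(PERMISSIONS[token])
            elif token:
                report[user][1].append(token)
    return report

if __name__ == "__main__":
    for name, (granted, unknown) in audit_users(SAMPLE_USERS).items():
        print(f"{name}: grants {granted}; not in Table 1: {unknown}")
```

Running it against the real /etc/freeradius/users file gives a per-user list of the permissions each Reply-Message requests, which makes over-broad grants such as users (User Administration) easy to spot.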

 

Enable API Interface

Enables/disables the RESTful Application Program Interface (API).

 

Allow Update Checks

Allow the LoadMaster to regularly check the KEMP website for new software versions.

2.5.11.4Cipher Sets

Figure 2‑38: Cipher Set Management

Cipher Set

Select the cipher set to view/modify.

The system-defined cipher sets are as follows:

  • Default: The current default set of ciphers in the LoadMaster.
  • Default_NoRc4: The Default_NoRc4 cipher set contains the same ciphers as the default cipher set, except without the RC4 ciphers (which are considered to be insecure).
  • BestPractices: This is the recommended cipher set to use. This cipher set is for services that do not need backward compatibility - the ciphers provide a higher level of security. The configuration is compatible with Firefox 27, Chrome 22, IE 11, Opera 14 and Safari 7.
  • Intermediate_compatibility: For services that do not need compatibility with legacy clients (mostly Windows XP), but still need to support a wide range of clients, this configuration is recommended. It is compatible with Firefox 1, Chrome 1, IE 7, Opera 5 and Safari 1.
  • Backward_compatibility: This is the old cipher suite that works with clients back to Windows XP/IE6. This should be used as a last resort only.
  • WUI: This is the cipher set recommended to be used as the WUI cipher set. The WUI cipher set can be selected in the WUI Settings screen. For further information, refer to Section 2.5.11.1.
  • FIPS: Ciphers which conform to FIPS (Federal Information Processing Standards).
  • Legacy: This is the set of ciphers that were available on the old Multi-Tenant LoadMaster firmware (v7.0-10) before OpenSSL was updated.

Refer to the SSL Accelerated Services, Feature Description for a full list of the ciphers supported by the Multi-Tenant LoadMaster, and a breakdown of what ciphers are in each of the system-defined cipher sets.

KEMP Technologies can change the contents of these cipher sets as required based on the best available information.

Two lists are displayed – Available Ciphers and Assigned Ciphers. These lists can be filtered by typing some text into the Filter text boxes provided. The Filter text boxes will only allow you to enter valid text which is contained in the cipher names, for example ECDHE. If invalid text is entered, the text box will turn red and the invalid text is deleted.

Ciphers can be dragged and dropped to/from the Available and Assigned lists as needed. Ciphers which are already assigned will appear greyed out in the Available Ciphers list.

Changes cannot be made to a preconfigured cipher set. However, you can start with a preconfigured cipher set – make any changes as needed and then save the cipher set with a new custom name. Enter the new name in the Save as text box and click the Save button. Custom cipher sets can be used across different Virtual Services and can be assigned as the WUI cipher set.

It is not possible to delete preconfigured cipher sets. However, custom cipher sets can be deleted by selecting the relevant custom cipher set and clicking the Delete Cipher set button.

2.5.11.5Network Options

Figure 2‑39: Network Options

Enable Alternate GW support

If there is more than one interface enabled, this option provides the ability to move the default gateway to a different interface.

Enabling this option adds another option to the Interfaces screen – Use for Default Gateway.

 

Enable Strict IP Routing

When this option is selected, only packets which arrive at the machine over the same interface as the outbound interface are accepted.

Enable DHCP for MT VNF(s)

This check box specifies whether or not the MT guests should utilise DHCP for initial IP configuration. If this is enabled, the initial IP address and default gateway of the guest VNF will be automatically obtained via DHCP, and you will not be prompted to set them. If this option is disabled, text boxes will be displayed when creating an instance which allow you to specify the initial IP address and default gateway.

This check box is also displayed after the initial Multi-Tenant LoadMaster installation when you are prompted to instantiate an initial VLM VNF, but the option is called Use DHCP for guest VNF(s).

SDN Controller

Specify the address of an SDN controller to connect to.

HTTP(S) Proxy

Specify the HTTP(S) proxy server and port the Multi-Tenant LoadMaster will use to access the internet.

References

Unless otherwise specified, the following documents can be found at http://kemptechnologies.com/documentation.

  • Licensing, Feature Description
  • Virtual Services and Templates, Feature Description
  • Multi-Tenancy, Feature Description
  • KEMP Multi-Tenant LoadMaster, Product Overview
  • Radius Authentication and Authorization, Technical Note
  • SSL Accelerated Services, Feature Description

Document History

| Date | Change | Reason for Change | Version | Resp. |
|---|---|---|---|---|
| Nov 2015 | Release updates | Updates for MT_7.1-30 | 5.0 | LB |
| Dec 2015 | Minor updates | Enhancements made | 6.0 | LB |
| Jan 2016 | Minor updates | Updated | 7.0 | LB |
| Mar 2016 | Release updates | Updates for MT_7.1-34 | 8.0 | LB |
| July 2016 | Release updates | Updates for MT_7.1.35 | 9.0 | LB |
