1. Kemp Support
2. Documentation
3. LoadMaster
4. Release Notes

LoadMaster 7.2.50.0 Release Notes

Updated: April 27, 2022 10:01

LMOS Version 7.2.50 is a feature and bug-fix release made available in April 2020. Please read the sections below before installing or upgrading.

Contents

Supported Models for Upgrade

This release of LMOS is supported on the Hardware and Virtual models shown in the first three columns of the table below. It is not supported and should not be installed on any model listed in the two columns at right. This update patch can be applied to any supported model regardless of licensing (e.g., SPLA, MELA) or platform (e.g., hardware, local cloud, public cloud).

Supported Virtual Models	Supported Hardware Models		Supported Bare Metal Models	UNSUPPORTED Hardware Models	UNSUPPORTED Virtual Models
VLM-200 VLM-500 VLM-2000 VLM-3000 VLM-5000 VLM-10G VLM-GEO VLM-MAX	LM-X1 LM-X3 LM-X15 LM-X25 LM-X40 LM-2400 LM-3000 LM-3400 LM-4000 LM-5000	LM-5400 LM-5600 LM-8000 LM-8020 LM-8020M	LMB-1G LMB-2G LMB-5G LMB-10G LMB-MAX	LM-2000 LM-2200 LM-2500 LM-2600 LM-3500 LM-3600 LM-5300 LM-5500 LM-Exchange LM-GEO	VLM-100 VLM-1000

If your model number is not listed above, please see the list of End of Life models.

Upgrade Path

You can upgrade to this release of LMOS from any previous 7.2.x release. For full upgrade path information, please see the article Kemp LoadMaster Firmware Upgrade Path.

New Features

The following new features have been added to this release of LMOS.

JSON Web Token Support

A new Verify Bearer Header option has been added to the ESP Options accordion within a Virtual Service to support the validation of a JSON Web Token (JWT) in client requests. JWTs are used to pass authorizations (claims) that have been previously obtained to an application so that the user does not need to obtain those authorizations again to gain access.

The default setting for this option is off. Once this option is enabled, LoadMaster will look for an Authorizations header in the incoming request and determine if the header contains a valid JWT. The JWT payload in the header may be encrypted.

Two additional parameters for the Verify Bearer Header allow you to specify:

• The SSL certificate to be used to decrypt the token (if required).
• Up to 5 space-separated strings to match against the Audience Claim Field (aud) in the token. Providing the strings is optional; if they are provided, at least one string must match the Audience Claim Field's content or the token is rejected.

The client request will fail under any of these conditions:

• The Authorizations header:
  • does not exist in the incoming request.
  • exists in the incoming request but is empty.
• The content of the Authorizations header:
  • cannot be decrypted (if it is encrypted)
  • is not a valid JSON Web Token (as defined in RFC 7519).
  • does not contain the text string(s) specified (if any)

Otherwise, the connection is accepted and the JWT is passed back to the Real Servers along with the rest of the client request.

A JWT-enabled Virtual Service (VS) can be used in any case where a client is connecting to a service using a JWT already in the client's possession to pass authentication and authorization permissions to the application behind the JWT-enabled VS.

In some use cases, where the initial the access point and the acquisition of a JWT doesn't go through LoadMaster, LoadMaster may host only the JWT-enabled VS. In other configurations, LoadMaster will host both the initial VS that is accessed to obtain the JWT as well as the JWT-enabled VS.

UI Access Control

By default, the access control lists on the System Configuration > Network Setup > Packet Routing Filter page of the UI control access to the Virtual Services on LoadMaster, but not UI access. A new flag, Include WUI in the Black/White lists, also applies the access control lists to UI access, as follows:

• Enabling Include WUI in the Black/White lists allows the UI to be accessed only from the IP  address that enabled the check box. Attempts to log in from other IP addresses will be denied.
• If access to the UI is desired from  other IP addresses, they must be added to the Allowed List.
• Enabling the feature does not affect any current access to Virtual Services. For example:
  • If a user enables this feature from an IP address that is not in either the Allowed or Blocked lists, that IP address has access to the UI and access to all VSs.
  • A different IP address that is also not in either the Allowed or Blocked lists does not have access to the UI, but does have access to all VSs.

The last IP address from which a change to the access control options on this page wass made is listed on the page next to the Include WUI in the Black/White lists option.

Factory Reset Secure Delete

The Reset to Factory Defaults option on the System Configuration > System Administration > System Reboot page of the UI has been enhanced to securely delete all storage content so that no information formerly stored on the system can be obtained through any means. This returns the LoadMaster to the same state it was in before it was first deployed and licensed.

ESP Logging Common Event Format (CEF) Option

LoadMaster can now record and export Edge Security Pack (ESP) logs in the Common Event Format (CEF), a widely used log message format (maintained by Micro Focus) that provides a standard log message format so that data points are clearly labelled and the overall message is more easily consumable by humans as well as 3rd-party log collectors and analyzers. When used as a source format for monitored devices, CEF allows for easier overall log storage and analysis across a network of heterogeneous devices.

The Enable CEF Log Format check box is located on the System Configuration > Miscellaneous Options > L7 Configuration page and is disabled by default.

Once enabled, all of the logs on the System Configuration > Logging Options > Extended Log Files page will be recorded in CEF format. To export these logs, set the parameters on the System Configuration > Logging Options > Syslog Options page to point at your log collector/analyzer.

Minimum Password Length

A new control on the System Configuration > System Administration > User Management page allows you to set a global Minimum Password Size for local LoadMaster user logins. The default length is 8 characters and can be set to any value up to 16.

Securing Outbound Connections

In previous releases, not all outbound connections originated by LoadMaster were encrypted. A new control on the Remote Access UI page, Outbound Connection Cipher Set, allows you to select a pre-defined cipher set to be used for all outbound connections. The default setting is None, for backward compatibility. , including:

• remote logging (syslog)
• email notifications
• LDAP authentication
• OCSP certificate validation

OCSP Stapling for Outbound Connections

LoadMaster has been modified to apply Online Certificate Status Protocol (OCSP) stapling (if enabled) to verify certificates for all external connections originated by LoadMaster, except for re-encrypted connections to real servers.

Elliptic Curve Cipher Sets

Two new cipher sets have been added, as shown below, specifically for configurations that require elliptic curve ciphers:

ECDSA_Default

ECDSA_BestPractices

ECDHE-ECDSA-AES256-GCM-SHA384 DHE-DSS-AES256-GCM-SHA384 ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-ECDSA-AES256-CCM8 ECDHE-ECDSA-AES256-CCM ECDHE-ECDSA-ARIA256-GCM-SHA384 DHE-DSS-ARIA256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 DHE-DSS-AES256-SHA256 ECDHE-ECDSA-CAMELLIA256-SHA384 DHE-DSS-CAMELLIA256-SHA256 ECDHE-ECDSA-AES256-SHA DHE-DSS-AES256-SHA DHE-DSS-CAMELLIA256-SHA ECDHE-ECDSA-AES128-GCM-SHA256 DHE-DSS-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-CCM8 ECDHE-ECDSA-AES128-CCM ECDHE-ECDSA-ARIA128-GCM-SHA256 DHE-DSS-ARIA128-GCM-SHA256 ECDHE-ECDSA-AES128-SHA256 DHE-DSS-AES128-SHA256 ECDHE-ECDSA-CAMELLIA128-SHA256 DHE-DSS-CAMELLIA128-SHA256 ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-RC4-SHA DHE-DSS-AES128-SHA DHE-DSS-CAMELLIA128-SHA

ECDHE-ECDSA-AES256-GCM-SHA384 DHE-DSS-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-ECDSA-AES256-SHA DHE-DSS-AES256-SHA ECDHE-ECDSA-AES128-GCM-SHA256 DHE-DSS-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES128-SHA DHE-DSS-AES128-SHA256

Elliptic Curve Self-Signed Certificates

A new option on the Certificates & Security > Remote Access page of the UI allows you to select from among these options for self-signed certificates for Administrative Access:

• RSA self-signed certs: (Default) This is the only setting on legacy releases of LMOS. The certificate used will be an RSA certificate signed with the Kemp RSA root certificate.
• EC certs with a RSA signature: The certificate used will be an RSA certificate signed with the Kemp EC (elliptic curve) root certificate.
• EC certs with an EC signature: The certificate used will be an EC certificate signed with the Kemp EC (elliptic curve) root certificate.

Elliptic Curve Certificate Signing Requests

A Certificate Signing Request for an SSL Certificate can be created using the controls on the Certificates & Security > Generate CSR UI page. By default, CSRs generated by LoadMaster request an RSA-encrypted key. If you enable the Generate Elliptic Curve Request option on this page, LoadMaster instead requests an ECC (elliptic curve) key. Smaller ECC key sizes generally provide the same cryptographic strength as much larger RSA key sizes; and, so ECC keys are becoming increasingly common because of both the reduced storage footprint as well as processing resources required.

IRQ Pinning

For virtual LoadMaster deployments, LoadMaster has been enhanced to provide IRQ Pinning as an optional performance enhancement, via controls in the UI and API. When enabled, IRQ pinning can help LoadMaster distribute the system load to more efficiently use resources, which can help improve performance under specific load profiles. IRQ pinning is disabled by default.

Azure Support for 10 Gb Interfaces

Support for 10 Gb interfaces on the Azure cloud platform complements the 10 Gb interface capabilities introduced in previous releases of LMOS for the AWS platform. For details on how to choose 10 Gb capable machine sizes when deploying LoadMaster on Azure, see the LoadMaster Deployment Guide for Azure. 

API Support for Adding & Removing Non-Local Sorry Servers

The API has been enhanced to support adding a non-local Sorry server IP address and port within an existing VS:

• Powershell API: Set-AdcVirtualService command: set NonLocalSorryServer to true
• RESTful API: modvs cocmmand: set Non_Local to 1

Console Logging Enhancements

The system console interface has been enhanced to log all actions taken by a user logged into the console to improve troubleshooting and administrative accountability.

Change Notices

The following changes to existing LMOS features and behavior have been made in this release.

Signature Verification of Updates and Add-Ons Required By Default

Starting with this release, by default, signature verification files must be supplied with upgrade images and add-on packages on installation on the System Configuration > System Administration > Update Software page. Installation will not be permitted unless the usual update integrity checks and the additional signature verification check succeed.

This behavior can be controlled by changing the setting of the Update Verification Options setting on the System Configuration > Miscellaneous Options > WUI Settings page. There are three settings available:

• Required: (Default) The signature verification file settings are visible and providing the signature file is mandatory.
• Optional: The signature verification file settings are visible, but providing the signature file is optional.
• No verification file - deprecated: (Not Recommended) The verification file settings are not visible and providing the signature file is not possible in the UI. This is the legacy setting used in older LMOS releases and is included for backwards compatibility only.

Note that the update integrity checks mentioned above cannot be disabled and must always succeed in order for an installation to proceed.

URL Hash Scheduling Mechanism Optimization

In a previous release, the URL Hash scheduling method was introduced to support load balancing incoming traffic according to a value obtained by hashing components of the URL, and is one of the methods available to choose from the Scheduling Method drop-down in the Standard Options of a Virtual Service. In this release, improvements have been made in the hashing mechanism to better support Virtual Host Style addressing in request URLs, as well as the previously supported Path Style addressing.

GEO Limit for IP Addresses in an FQDN Increased from 16 to 64

The number of supported IP addresses that you can assign to a single FQDN defined within GEO has been increased from 16 to 64 to provide improved scalability for modern DNS configurations, as well as a better configuration experience.

GEO HA Configuration Issues in AWS and Azure Cloud Platforms

In previous releases, when deploying GEO in an HA configuration on either the Azure or AWS public clouds, the cluster and mapping menu IP addresses didn't get updated when the standby system takes the master (or active) role. This required a manual change on the newly active LoadMaster to correct the mapping. This issue has been addressed and new guidelines for creating a GEO HA configurations have been added to the HA for Azure guide and the HA for AWS guide.

VMware Hardware Compatibility Level

The LoadMaster VLM hardware version for the VMware platform has been raised from Version 7 to Version 10 (ESX/ESXi 5.5 and later). As in previous releases, LoadMaster is also compatible with later hardware versions. You can convert the VLM to a later hardware version by specifying that version when you deploy the VLM in VMware.

LDAP: Username Only Authentication to Real Server

In previous releases, the domain/username of the authenticating user would always be passed to the Real Server. This causes problems for Real Servers that only accept a username. With this release, a new POST Format Username Only option has been added that, when enabled, will only communicate the username to the back-end server. This option is disabled by default, to support the current behavior (posting the domain/username) for backward compatibility.

The POST Format Username Only option can be used with any of the Logon Format options supported by LoadMaster: Not Specified, Principalname, and Username.

Log Format Enhancements

The system log and ESP extended log messages have been enhanced to be compliant with Section 6 of RFC 5424. This will aid local troubleshooting as well as external analysis of LoadMaster log messages by 3rd-party log collector and analysis tools.

Azure Agent Version Upgrade

The Azure Linux Agent (waagent) has been upgraded to Version 2.2.41 to support deployments on the Azure cloud platform.

Custom HTML Files for Redirection Handling Added to Backup

The backup and restore subsytem has been enhanced to include all custom HTML files associated with redirection handling for a Virtual Service (VS) included in a backup archive, and to restore these files from the archive onto the target system along with the rest of the VS configuration.

Improved Metered Licensing Transitions

The License Update page has been modified to include a Kill License button that is intended to ease transitions from Permanent (PERM) and Temporary (TEMP) licenses to Metered (or MELA) licensing. This button will immediately remove the license from LoadMaster; you will be required to apply another valid license before you can regain access to the LoadMaster. This button should only be used after consultation with a Kemp Sales Associate so that the required licensing can be put into place and specific instructions for a seamless transition can be supplied before beginning the transition.

API Version 2 Enhancements (Beta)

The LMOS RESTful API has been enhanced to support the following new beta features:

• Key-based authentication has been added to the API with appropriate commands:
  • The addapikey command allows you to add up to 16 keys per user; with no arguments it returns a list of the current API keys. The list is circular -- if you attempt to define a 17th key, it overwrites the first key in the list.
  • Also provided are delapikey and listapikeys commands.
  • Note that in a future release of LMOS the certificate-based access method will be deprecated and the key-based method will become the recommended UI authentication method. Eventually, the certificate-based method will no longer be supported.
• The listapi command has been added to return a list of supported API commands along with the version of firmware running on the LoadMaster. This command will also work before the machine is licensed, so that the LMOS version can be confirmed prior to licensing.

In addition to the above, a new version of the API (Version 2) has been created that supports the following:

• API payloads are returned in JSON format.
• You can now have the API and the UI running on different ports (in previous releases they both run on port 443). Please note the following:
  • If you try and use the API on a port other than the one on which its running, LM returns an HTML  404 (not found) response.
  • If you try and use the UI on the port configured specifically for the API, an unreadable page and/or 404 responses are displayed (depending on the browser used).
  • It is possible to change the API port over the UI (after remote access is enabled). Setting the value to an empty string unsets the value so that it will then track the UI port. This can also be done via the API using the apiport parameter.

For more information, see the RESTful API documentation on the Kemp website.

Issues Resolved

The following issues from previous LMOS releases have been addressed in this release.

PD-14877	Virtual Service API: In previous releases, there was no API to change a VS address or port using Powershell. The Set-AdcVirtualService Powershell command has been enhanced to provide two new parameters (VSNewAddress and VSNewPort) that support modifying the VS address and port.
PD-14857	Single Sign On: Fixed an issue that caused a segmentation fault during an LDAP domain health check when the second bind attempt succeeds.
PD-14825	Single Sign On Logging: Fixed an issue that caused Single Sign On related log messages to be duplicated in more than one log file.
PD-14792	Secure Factory Reset: The factory reset option has been enhanced to securely reset the system configuration by not only deleting the files, but also erasing the content of the files from the disk so that any examination of the disk contents will not reveal any deleted data.
PD-14754	Server Side Re-encryption: Fixed a bug that caused server-side re-encryption to close connections with a TCP FIN/ACK sequence instead of the required TCP RST (reset) packet, when the Enable Reset on Close option is enabled.
PD-14748	Virtual Service SNAT: In previous releases, if you disable a Real Server in a VS that is using SNAT and then re-enabled the Real Server, SNAT is silently disabled for that Virtual Service. This bug has been fixed.
PD-14746	RADIUS Two-Factor Authentication: Fixed an issue that caused a segmentation fault when a challenge response from an OTP (one-time password) server does not contain PW_STATE AVP.
PD-14745	OCSP: LoadMaster has been updated to issue OCSP requests using HTTP 1.1 (previous releases used HTTP 1.0).
PD-14732	Access Control: In previous releases, an attempt to add an entry containing a wildcard port (*) to either the blacklist or the whitelist would fail. This issue has been fixed.
PD-14714	PS Command Output: Reconciled the output of the UI and API PS commands so that both follow the same format and present the same content.
PD-14644 PD-14550	HTTP/2 & Compression: In previous releases, if errors occur in HTTP/2 processing and compression is enabled, the system may reboot because the cache has not been properly released. This issue has been fixed.
PD-14495	Installation & Licensing: In version 7.2.49.1, a bug was iintroduced that caused an update license message to be displayed on first deployment. This bug has been fixed.
PD-14434	PowerShell API Certificate Limit: The PowerShell API is limited to about 1K characters for the list of certificate names, while the limit in the UI is a little under 8K. This issue in the API has been addressed.
PD-14374	HyperV Platform Boot Error: In previous releases, a fill_rand error was seen on the console during boot of a VLM on HyperV 2019. This issue has been fixed.
PD-14349	Virtual Service Templates: In previous releases, if a VS was exported as a template and had the Strict Transport Security Header field set to Add the Strict Transport Security Header - no subdomains or Add the Strict Transport Security Header - include subdomains, then the template would fail with a syntax error on import to any other LoadMaster. This issue has been fixed.
PD-14346	Remote Groups & User Permissions: Fixed an issue where user permissions may not be assigned correctly depending on the remote group selection order.
PD-14345	Single Sign On: Fixed an issue where extending the SSO Session Timeout and the Idle Timeout does not result in the extension of the expiry of the LoadMaster session cookie. As part of this fix, the upper limit for these timeouts was extended to 7 days (or 604800 seconds in the API).
PD-14327	GEO: Removed spurious log messages when an interface used for GEO requests hasn't been assigned an IP address.
PD-14303	Licensing (Cloud Platforms Only): In previous releases, if the license of a LoadMaster in an HA configuration is killed, the cloud health checks still succeed after the system reboots, so the slave HA unit never takes over the Master role. This issue has been fixed.
PD-14302	GEO: Fixed an issue where NXDOMAIN was incorrectly returned in response to certain DNS requests.
PD-14247	UI Login: Fixed issues that caused username/password prompts to be displayed for a local user configured for certificate-based login only.
PD-14177	Single Sign On API: Added support for the SingleSignOnMessage parameter to the Powershell API commands New-AdcVirtualService, Set-AdcVirtualService, and Set-AdcSubVirtualService.
PD-14128	Memory Usage: Fixed high memory usage associated with enabling both WAF and the JSON parser.
PD-13734	Single Sign On: Fixed an issue where a user session using one SSO domain would be ended if the same user logs in from the same IP address using a different domain.
PD-13756 PD-13642	LDAP Health Checks: Fixed an issue that caused LDAP health checks configured to use StartTLS to fail.

New Known Issues

The following issues appear for the first time in this release of LMOS.

Existing Known Issues

The following issues appeared in the Release Notes for the previous release of LMOS.

PD-14256	SNMP: The VS and RS IN/OUT OIDs are not displaying any data.
PD-12838	ESP / SSO: The ESP Permitted Group SID(s) setting is not working as expected when configured on a subVS.
PD-12616	WAF / Compression: With Web Application Firewall (WAF) enabled, compressed files are incorrectly decompressed. As a workaround, ensure compression is enabled in VS Advanced Properties by selecting the Enable Compression option.
PD-12492	Downgrade: If an Azure VLM is downgraded to the LTS firmware release (7.1.35.x), the WUI may display in the top right-hand corner that the VLM is a Hyper-V VLM. This indicates that the Azure VLM Add-On Package must be added to the system to provide full Azure VLM functionality. If this occurs, please contact Kemp Support to get the required add-on package.
PD-12354 PD-10466	Hardware Support: The LoadMaster models LM-X15, LM-X25, and LM-X40 do not support the following SFP+ modules: LM-SFP-SX (SFP+ SX Transceiver 1000BASE-SX 850nm, 550m over MMF), LM-SFP-LX (SFP+ LX Transceiver 1000BASE-LX 1310nm, 10KM over SMF).
PD-12237	HA / NTP: Configuring NTP for the first time after the system is running in High Availability (HA) mode and when the current time on the machines is not correct, may cause the systems to both go into the Master state.
PD-12147	ESP / RADIUS: In a LoadMaster configuration with ESP and Radius server-side authentication enabled, sessions may fail to be established.
PD-12058	Browser Support: An issue exists when connecting to the LoadMaster WUI when using newer versions of the Firefox browser on initial configuration of a hardware FIPS LoadMaster.
PD-11861	RADIUS / IPv6: IPv6 is not supported by the current RADIUS implementation in the LoadMaster for both WUI Authorization and ESP Authentication.
PD-11166	Networking: Azure LoadMasters are not translating the additional network address between the Master and Slave correctly.
PD-11044	Sharepoint Virtual Services: A second authentication prompt is presented when a file is uploaded to SharePoint with the following configuration: WAF is configured with Process Responses enabled on the main Virtual Service and KCD is enabled on the SubVS level for server-side authentication.
PD-10917	HA: An issue exists when setting up a 2-armed HA Virtual LoadMaster in Azure.
PD-10784	HA: Configuring LoadMaster HA using eth1 on an Amazon Web Services (AWS) Virtual LoadMaster does not work.
PD-10586	GEO: If a GEO FQDN is configured with All Available as the Selection Criteria, IP addresses are returned even if the cluster is disabled.
PD-10490	Content Rules: The vsremovewafrule RESTful API command does not allow multiple rules to be removed.
PD-10474	Intrusion Detection: A SNORT rule is triggering a false positive in certain scenarios.
PD-10193	Exchange 2010 Virtual Services: A WAF, ESP, and KCD configuration with Microsoft Exchange 2010 is not supported.
PD-10188	Browser Support: (Safari) When adding a Real Server to a Virtual Service or SubVS using the Safari browser, the list of available Real Servers is not available.
PD-10159	Statistics: When upgrading firmware from version 7.1.35.n, CPU and network usage graphs are not appearing. As a workaround, reset the statistics in the WUI.
PD-10136	Clustering: In a LoadMaster cluster configuration, a new node can be added with the same IP address as an existing node.
PD-9816 PD-9476	WAF: There is an API command to list individual rules in a ruleset, but there is no command to list the available rulesets themselves.
PD-9765	GEO: DNS TCP requests from unknown sources are not supported.
PD-9507	Networking: Unable to add an SDN controller using the RESTful API/WUI in a specific scenario.
PD-9375	Sharepoint Virtual Services: Microsoft Office files in SharePoint do not work in Firefox and Chrome when using SAML authentication.

---

Comments