LMOS Version 7.2.51 is a feature and bug-fix release made available in July 2020. Please read the sections below before installing or upgrading.
Contents
Upgrade Path
Upgrade Patch XML File Verification Notes
Downgrading from Version 7.2.51
New Features
Citrix StoreFront Gateway for External Virtual Apps and Desktops
Rate Limiting of Real Servers
Redundant Key Distribution Center for KCD Authentication
UI Login Integration with Cisco ACS / ISE
Change Notices
Configurable KCD Authentication Request Wait Time
Specifying the Protocol for Remote Logging
Port Following on Generic Virtual Services in UI
Enhanced Single Sign On Log Messages
Security Updates
Updated NIST FIPS Cryptographic Module Certification
Assigning Intermediate Certificates to Virtual Services
Regeneration of SSH Host Key
Issues Resolved
New Known Issues
Existing Known Issues
Appendix A: Verifying Upgrade Image Signatures
Supported Models for Upgrade
This release of LMOS is supported on the virtual, hardware and bare metal models listed as supported below. It is not supported on, and should not be installed on, any model listed as unsupported. The update patch can be applied to any supported model regardless of licensing (e.g., SPLA, MELA) or platform (e.g., hardware, local cloud, public cloud).
Supported Virtual Models: VLM-200, VLM-500, VLM-2000, VLM-3000, VLM-5000, VLM-10G, VLM-GEO, VLM-MAX
Supported Hardware Models: LM-X1, LM-X3, LM-X15, LM-X25, LM-X40, LM-2400, LM-3000, LM-3400, LM-4000, LM-5000, LM-5400, LM-5600, LM-8000, LM-8020, LM-8020M, LM-R320
Supported Bare Metal Models: LMB-1G, LMB-2G, LMB-5G, LMB-10G, LMB-MAX
UNSUPPORTED Hardware Models: LM-2000, LM-2200, LM-2500, LM-2600, LM-3500, LM-3600, LM-5300, LM-5500, LM-Exchange, LM-GEO
UNSUPPORTED Virtual Models: VLM-100, VLM-1000
If your model number is not listed above, please see the list of End of Life models.
Upgrade Path
You can upgrade to this release of LMOS from any previous 7.2.x release. For full upgrade path information, please see the article Kemp LoadMaster Firmware Upgrade Path.
Upgrade Patch XML File Verification Notes
By default, verification of the digital signature on upgrade images is required in LMOS 7.2.50 and above; see the Update Verification Options setting under System Administration > Miscellaneous Options > WUI Settings. If the unit you are upgrading is set to require verification, you must supply one of the two XML verification files shipped with this release when you apply the patch.
LoadMasters running an LMOS version prior to 7.2.49 do not provide the option of XML file verification in the UI or API. If you are upgrading from one of these releases to 7.2.51, you can verify the digital signatures using a manual process documented on the support website.
See Appendix A for a table that shows you which XML file to use for signature verification based on your current release and the release to which you want to upgrade.
Downgrading from Version 7.2.51
Downgrading a LoadMaster running Version 7.2.51 using an earlier LMOS release image can only be done when the Update Verification Options setting is set to Optional or Legacy. When performing the downgrade, do not specify an XML file. If you want to verify the digital signature on the image before downgrading, you can do so using a manual process documented on the support website.
[Note that XML file verification is not part of the process of switching the active LoadMaster partition to the LMOS release that was running on LoadMaster before the last update.]
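The verification policy described above, as an added worked example that is not Kemp's code and not the manual process on the support website: it models an XML verification file carrying the image digest and a vendor signature over that digest, verifies an image against the file, and applies the Required/Optional/Legacy setting to upgrade and downgrade attempts. The XML layout, the element names and the small textbook-RSA signing key are assumptions made for illustration; Kemp's real checksum.xml format and signing key are not given on this page, and the toy key is not a usable signature scheme.

```python
"""Added example: verify an upgrade image against an XML verification file and
apply the Update Verification Options policy. Not Kemp code. The XML layout,
element names and the tiny textbook-RSA key are ASSUMPTIONS for illustration."""
import hashlib
import hmac
import xml.etree.ElementTree as ET

# ASSUMPTION: toy vendor key built from two Mersenne primes (~234-bit modulus).
# A real vendor key is thousands of bits and its private half never ships.
P = (1 << 107) - 1
Q = (1 << 127) - 1
N = P * Q
E = 65537
_D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, vendor side only


def _digest(image: bytes) -> int:
    # SHA-224 keeps the digest (224 bits) below the toy modulus.
    return int.from_bytes(hashlib.sha224(image).digest(), "big")


def sign_image(image: bytes) -> str:
    """Vendor side: textbook RSA signature over the digest (illustration only)."""
    return format(pow(_digest(image), _D, N), "x")


def make_verification_xml(name: str, image: bytes) -> bytes:
    """Vendor side: the checksum.xml that ships beside the image (assumed layout)."""
    root = ET.Element("update", name=name)
    ET.SubElement(root, "checksum", algorithm="sha224").text = hashlib.sha224(image).hexdigest()
    ET.SubElement(root, "signature", algorithm="rsa-toy").text = sign_image(image)
    return ET.tostring(root)


def verify_image(image: bytes, xml_bytes: bytes) -> bool:
    """LoadMaster side: digest must match and the signature must open to that digest."""
    try:
        root = ET.fromstring(xml_bytes)
        want = (root.findtext("checksum") or "").encode()
        sig = int(root.findtext("signature") or "", 16)
    except (ET.ParseError, ValueError):
        return False
    if not hmac.compare_digest(want, hashlib.sha224(image).hexdigest().encode()):
        return False
    return pow(sig, E, N) == _digest(image)


def version_tuple(v: str) -> tuple:
    return tuple(int(x) for x in v.split("."))


def install_allowed(policy: str, current: str, target: str, image: bytes, xml_bytes=None):
    """Return (allowed, reason) for installing `target` over `current`.
    policy is the Update Verification Options value: "required", "optional" or "legacy".
    """
    if version_tuple(target) < version_tuple(current):
        # Downgrade rules from the release notes: never with an XML file, never when Required.
        if policy == "required":
            return False, "downgrade needs Optional or Legacy verification setting"
        if xml_bytes is not None:
            return False, "do not specify an XML file when downgrading"
        return True, "downgrade permitted (verify the older image offline first)"
    if xml_bytes is None:
        if policy == "required":
            return False, "XML verification file required"
        return True, "installed without signature verification"
    if not verify_image(image, xml_bytes):
        return False, "checksum or signature mismatch: image rejected"
    return True, "signature verified"
```

The ordering of checks in install_allowed is the point: a downgrade under Required is refused before any file is looked at, a downgrade is never paired with an XML file, and an upgrade under Required is refused when no file is given rather than silently falling back to an unsigned install.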
New Features
The following new features have been added to this release of LMOS.
Citrix StoreFront Gateway for External Virtual Apps and Desktops
A new Virtual Service (VS) template and deployment guide have been introduced with LMOS 7.2.51 to deploy a Virtual Service as a Citrix StoreFront Gateway for external publishing of Citrix Virtual Apps and Desktops deployments, so that Internet clients can leverage Citrix's Virtual Desktop Infrastructure (VDI). In previous releases, LoadMaster only supported publishing to internal networks.
The Kemp-approved and tested template supports authentication of clients to a Citrix Storefront endpoint that provides access to Citrix Virtual Apps and Desktops resources. Clients can log in using Citrix Workspace App, Citrix Receiver, or a browser such as Edge, Chrome, Firefox, or Safari.
For more information and usage instructions, please see the deployment guide and template available from Kemp's Documentation Web Page.
Rate Limiting of Real Servers
A new Real Server (RS) Connection Rate Limit parameter allows you to set a Connections Per Second (CPS) value between 0 and 100000, where 0 (the default) means "no limit" and any other integer is the connection limit for that RS.
- If the number of open connections to the RS reaches the limit set, the RS is taken out of service (i.e., removed from the load balancing scheduling process) and all new connections are scheduled to the other RSs in the Virtual Service (or SubVS).
- This includes new connections whose persistence settings point to the rate-limited RS; these are also sent to another RS while the limit is exceeded.
- No new connections are sent to the rate-limited RS until the current "rate limit period" expires and the RS is returned to the load balancing scheduling process. The rate limit period is 0.1 seconds.
The limit applies per RS, so size it so that the remaining RSs can absorb the connections diverted from one that has reached its limit.
Redundant Key Distribution Center for KCD Authentication
When configuring an SSO Domain for Single Sign On with Kerberos Constrained Delegation (KCD) as the selected Authentication Protocol, you can now specify two servers in the Kerberos Key Distribution Center (KDC) text box, separated by a space. This provides a backup in case the current KDC becomes unavailable. The username and password used by both KDC servers must be the same.
UI Login Integration with Cisco ACS / ISE
When logging into the UI using RADIUS authentication via Cisco ACS or ISE, LoadMaster will now send an Attribute-Value Pair (AVP) to the server as part of the login request, which contains Kemp's Vendor ID. This AVP can be used by the server upon receipt to identify the device making the request as a LoadMaster.
Change Notices
Configurable KCD Authentication Request Wait Time
In previous releases, when KCD is enabled and LoadMaster sends a request that requires authentication, LoadMaster waits up to 2 seconds to see whether the request is rejected. This wait time was not configurable, so the administrator had no way to control the latency it introduced.
Starting with this release, a new global L7 Wait After POST parameter has been added to the System Configuration > Miscellaneous Options > L7 Configuration page. The default value is 2000 milliseconds (ms), or 2 seconds, which preserves the previous behavior. Permitted values range from 1 to 2000 ms.
Specifying the Protocol for Remote Logging
In previous releases, the remote logging functionality inferred the protocol from the port specified: UDP for port 514 and TCP for any other port. A new Remote Syslog Protocol control has been added to the System Configuration > System Administration > Logging Options > Remote Syslog page of the UI to set the protocol explicitly to UDP, TCP, or TLS, independently of the port number. Of the three, only TLS protects log records from being read or altered in transit, so select it when the syslog collector is reached over a network you do not control.
Port Following on Generic Virtual Services in UI
In previous releases, it was only possible to configure port following on a Generic Virtual Service via the API. This capability has now been added to the UI.
Enhanced Single Sign On Log Messages
Improvements have been made to messages generated during normal operation to include additional events and information related to authentication and authorization that in previous releases were only exposed by enabling debug logging. Log messages generated in "ESP User Logs" under "Extended Log Files" now include success and failure messages that specify the username, domain, AAA server, AAA protocol, AAA result, error message, and other details.
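As an added example of what these richer messages make possible (not Kemp code; the line format below is constructed to carry the fields the paragraph lists and is not the exact LoadMaster message format, so adjust LINE_RE to what your unit emits), the following parses ESP login records and runs two detections over them: a burst of failures for one user, and a success that arrives while a run of failures is still recent, plus a per-server count of failures caused by an unreachable AAA server. Given PD-15337 in New Known Issues (the failed-login threshold is not always enforced by LoadMaster itself in this release), an external check of this kind over the forwarded logs is worth having.

```python
"""Added example (not Kemp code): parse ESP login log lines and run simple
detections over them. The line format is CONSTRUCTED to carry the fields the
release notes list (user, domain, AAA server, AAA protocol, result, error);
it is not the exact LoadMaster message format."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one success, a failure burst for bob, an AAA outage hitting
# carol and dave, then bob succeeding right after his run of failures.
SAMPLE_LOG = """\
Jul 14 09:12:01 lm1 ssomgr: ESP login success user=alice domain=CORP.EXAMPLE aaa_server=10.0.0.5 aaa_protocol=LDAPS result=OK
Jul 14 09:12:07 lm1 ssomgr: ESP login failure user=bob domain=CORP.EXAMPLE aaa_server=10.0.0.5 aaa_protocol=LDAPS result=FAIL error="invalid credentials"
Jul 14 09:12:19 lm1 ssomgr: ESP login failure user=bob domain=CORP.EXAMPLE aaa_server=10.0.0.5 aaa_protocol=LDAPS result=FAIL error="invalid credentials"
Jul 14 09:12:31 lm1 ssomgr: ESP login failure user=bob domain=CORP.EXAMPLE aaa_server=10.0.0.5 aaa_protocol=LDAPS result=FAIL error="invalid credentials"
Jul 14 09:12:44 lm1 ssomgr: ESP login failure user=bob domain=CORP.EXAMPLE aaa_server=10.0.0.5 aaa_protocol=LDAPS result=FAIL error="invalid credentials"
Jul 14 09:12:58 lm1 ssomgr: ESP login failure user=bob domain=CORP.EXAMPLE aaa_server=10.0.0.5 aaa_protocol=LDAPS result=FAIL error="invalid credentials"
Jul 14 09:13:02 lm1 ssomgr: ESP login failure user=carol domain=CORP.EXAMPLE aaa_server=10.0.0.6 aaa_protocol=RADIUS result=FAIL error="AAA server unreachable"
Jul 14 09:13:09 lm1 ssomgr: ESP login failure user=dave domain=CORP.EXAMPLE aaa_server=10.0.0.6 aaa_protocol=RADIUS result=FAIL error="AAA server unreachable"
Jul 14 09:13:15 lm1 ssomgr: ESP login success user=bob domain=CORP.EXAMPLE aaa_server=10.0.0.5 aaa_protocol=LDAPS result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) ssomgr: "
    r"ESP login (?P<outcome>success|failure) (?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str, year: int = 2020):
    """One record per line, or None for lines that are not ESP login events."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["ts"] = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    rec["host"] = m.group("host")
    rec["outcome"] = m.group("outcome")
    return rec


def parse_log(text: str):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def login_anomalies(records, threshold: int = 5, window=timedelta(minutes=2)):
    """One time-ordered pass with a per-user sliding window of failure times.
    Returns (bursts, suspicious_successes):
      bursts: the moment a user/domain reaches `threshold` failures inside `window`
      suspicious_successes: a success while >= 3 failures are still inside the window
    """
    recent = defaultdict(deque)
    bursts, suspicious = [], []
    for r in sorted(records, key=lambda r: r["ts"]):
        key = (r.get("user"), r.get("domain"))
        q = recent[key]
        while q and r["ts"] - q[0] > window:
            q.popleft()
        if r["outcome"] == "failure":
            q.append(r["ts"])
            if len(q) == threshold:
                bursts.append({"user": key[0], "domain": key[1], "failures": len(q), "at": r["ts"]})
        elif len(q) >= 3:
            suspicious.append({"user": key[0], "domain": key[1], "after_failures": len(q), "at": r["ts"]})
    return bursts, suspicious


def aaa_server_errors(records):
    """Failures that are the AAA server's fault rather than the user's, per server address."""
    counts = defaultdict(int)
    for r in records:
        if r["outcome"] == "failure" and "unreachable" in r.get("error", "").lower():
            counts[r.get("aaa_server")] += 1
    return dict(counts)
```

The window is keyed on user and domain because that is what the log carries; if your lines also include a client address, key a second window on it to catch one source spraying many accounts, which the per-user window will not see.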
Security Updates
The following changes to existing LMOS features and behavior have been made in this release to improve LoadMaster's security profile.
Updated NIST FIPS Cryptographic Module Certification
Kemp has updated its NIST FIPS Cryptographic Module Certification; the new certificate can be viewed on the NIST website.
Assigning Intermediate Certificates to Virtual Services
Starting with this release, specific intermediate certificates can be assigned to a Virtual Service using controls in the SSL Options accordion in the UI. The default behavior, and the only behavior in previous releases, is that every intermediate certificate installed on the LoadMaster applies to every VS: any client certificate whose chain includes any installed intermediate is accepted and granted access to the VS. Once one or more intermediate certificates are selected in a VS configuration, only client certificates whose chain includes one of those specific intermediates are granted access to that VS. Where client certificates are used as an access control, review which intermediates are installed on the unit and select only the issuing CAs that should be trusted for that particular VS.
Regeneration of SSH Host Key
The LoadMaster host key that is used for SSH login can now be regenerated using controls on the system console. Log into the console and choose Local Administration > Regenerate SSH Host Keys to regenerate the key. Please note the following:
- When you regenerate the LoadMaster's host key, all current SSH clients will need to be updated with the new public key. Clients will receive host key mismatch errors and be unable to connect until the old entry is removed from, and the new public key added to, the client's known_hosts file. Confirm the new key's fingerprint out of band before accepting it, rather than trusting whatever key is offered on the first connection after regeneration.
- When LoadMaster is configured in either the High Availability or Clustering modes, the host keys on the two LoadMasters are automatically synchronized to maintain the SSH connection on which the configuration depends.
- Note that in GEO Partnering mode, SSH host keys are not automatically synchronized, because GEO does not use a shared IP address and the information exchange between partners doesn't depend on SSH access.
Issues Resolved
The following issues from previous LMOS releases have been addressed in this release.
PD-15230 | Stability: Fixed an issue where assigning a cipher set that contains all available ciphers to a VS could cause unexpected behavior. |
PD-15206 | ESP / SSO: When using ESP on a Virtual Service and Use for Session Timeout is enabled, a user is not completely logged out when an OWA session is terminated. This issue has been fixed. |
PD-15202 | RESTful API: Changing the remote syslog port using the API doesn't result in the new port being enabled. This bug has been fixed. |
PD-15191 | GEO: Addressed issues seen in the previous release that caused system slowness when making configuration changes, particularly on systems with a large number of FQDNs defined. |
PD-15185 | Logging: Modified the logging of SSL messages so that handshake failures and other errors (e.g., Unsupported Protocol, No Shared Cipher, Wrong Version Number) currently seen at the Fatal errors only setting are only reported when All Errors is selected. |
PD-15184 | RESTful API: Fixed an issue that intermittently caused the ssodomain/queryall API to return an error. |
PD-15179 | IPv6: IPv6 routing changes for standards conformance in the previous release caused IPv6 static routes to no longer be honored. This issue has been addressed by introducing a new option on the Debug Options page, Enable Layer 4 IPv6 Forwarding. This option is enabled by default to support pre-7.2.50 LoadMaster behavior and should be disabled if IPv6-standard-conformant behavior is required. |
PD-15164 | ESP Client Authentication: In LMOS 7.2.50, if the Client Auth Mode on a VS is set to Delegate to Server and the Certify Bearer Header option is enabled, modifying the Client Auth Mode to any other value results in client request failures. This issue has been fixed. |
PD-15133 | ESP SSO Logoff: In LMOS 7.2.50, an issue was introduced where Single Sign On sessions on LoadMaster were not being properly removed upon logoff, causing subsequent login attempts to fail. This issue has been fixed. |
PD-15121 | GEO Stability: Fixed an issue in LMOS 7.2.50 that caused GEO configurations of more than 165 FQDNs to become unresponsive. |
PD-15097 | OCSP: Fixed an issue that caused Real Server certificates to not be validated when Stapling is enabled. |
PD-15094 | GEO Stability: If the Use for GEO Responses and Requests option is enabled on multiple interfaces, then GEO may stop responding to DNS queries and log multiple spurious errors complaining about a bad IPv6 address. This bug has been fixed. |
PD-15092 | GEO Cluster Notifications: Fixed an issue that caused emergency/critical alerts to be logged repeatedly for administratively disabled clusters. |
PD-15090 | Powershell API: Unable to set the Alternate Source Address advanced VS option via the Powershell API Set-AdcVirtualService because the parameter name was incorrect. This has been fixed by modifying the API to use the LocalBindAddrs parameter. |
PD-15054 | Manage Services UI: Fixed an issue where the indicator for the SubVS with the highest numerical weight (a green star) did not move to the appropriate SubVS if another SubVS's weight changed so that it was higher than the SubVS with the indicator. |
PD-15042 | Licensing: Fixed an issue where trials couldn't be relicensed after expiry. |
PD-15041 | ESP Verify Bearer Header: Fixed issues that caused some valid JSON Web Tokens to be rejected when validated by LoadMaster. |
PD-15040 | ESP Verify Bearer Header Certificates: Updated LMOS to refuse to remove a certificate from the system if it is being used by a VS to verify bearer header tokens. |
PD-15034 | Compression: In previous releases, if compression and content switching are enabled and a client makes several requests over one connection that were destined for different Real Servers, then only the first response was compressed. This issue has been addressed so that all responses are compressed. |
PD-15021 | VMware Deployment: VMware images have been modified so that the CLI will no longer return the message "init ID S0 respawning too fast: disabled for 5 minutes". |
PD-14985 | ESP Single Sign On: Fixed an issue that caused a refresh of a login page to display an access denied page, even if the allowed virtual host and virtual directories were set to wildcards. |
PD-14973 | GEO Logging: Fixed an issue that caused these spurious log messages to appear repeatedly: "named: received control channel command 'stats'". |
PD-14966 | LoadMaster RESTful API: The modparams API, broken in the previous release, has been fixed. |
PD-14963 | GEO RESTful API: The showfqdn API display was partially broken in the previous release, omitting the Site Status. This issue has been fixed. |
PD-14951 | ESP Single Sign On: Fixed an issue that could cause Virtual Services to become unresponsive, accompanied by this message in the logs: "ssomgr: ERROR: ssomgr too many threads:128". |
PD-14853 | UI on Nutanix Platform: In previous releases, under the Real Time Statistics, the speed shown for interfaces on the Nutanix cloud platform was displayed as "-1". Now, the speed displayed depends on the amount of load placed on the interfaces. |
PD-14742 | Single Sign On: With Forms Based Authentication enabled and an idle or maximum session duration time set to 24 hours, logging out of an established session doesn't display the logout form as expected; instead the login form is displayed. The user then cannot log back into the system using that browser. This issue has been fixed. |
PD-14647 | WAF Rules on AWS PAYG: Fixed issues associated with installing and updating WAF rules on AWS PAYG licensed LoadMasters. |
New Known Issues
The following issues appear for the first time in this release of LMOS.
PD-15337 | Single Sign On: Under certain conditions, login attempts are not being blocked after the failed login attempts threshold has been reached. |
PD-15294 | ESP Verify Bearer Header: LoadMaster does not return an error when an encrypted token is received and there is no SSL certificate assigned to the VS to decrypt the token. |
PD-15172 | ESP Verify Bearer Header: Validation is not working when "Allowed Virtual Hosts" and "Allowed Virtual Directories" are blank on the Virtual Service. |
Existing Known Issues
The following issues appeared in the Release Notes for the previous release of LMOS.
PD-14943 | Single Sign On: When Form Based Authentication is enabled on the server side, it is possible that after filling out correct credentials and submitting the login form, the form will be presented again; once the second login form is submitted with correct credentials, the login succeeds. |
PD-14256 | SNMP: The VS and RS IN/OUT OIDs are not displaying any data. |
PD-12838 | ESP / SSO: The ESP Permitted Group SID(s) setting is not working as expected when configured on a subVS. |
PD-12616 | WAF / Compression: With Web Application Firewall (WAF) enabled, compressed files are incorrectly decompressed. As a workaround, ensure compression is enabled in VS Advanced Properties by selecting the Enable Compression option. |
PD-12492 | Downgrade: If an Azure VLM is downgraded to the LTS firmware release (7.1.35.x), the WUI may display in the top right-hand corner that the VLM is a Hyper-V VLM. This indicates that the Azure VLM Add-On Package must be added to the system to provide full Azure VLM functionality. If this occurs, please contact Kemp Support to get the required add-on package. |
PD-12354 PD-10466 | Hardware Support: The LoadMaster models LM-X15, LM-X25, and LM-X40 do not support the following SFP+ modules: LM-SFP-SX (SFP+ SX Transceiver 1000BASE-SX 850nm, 550m over MMF), LM-SFP-LX (SFP+ LX Transceiver 1000BASE-LX 1310nm, 10KM over SMF). |
PD-12237 | HA / NTP: Configuring NTP for the first time after the system is running in High Availability (HA) mode and when the current time on the machines is not correct, may cause the systems to both go into the Master state. |
PD-12147 | ESP / RADIUS: In a LoadMaster configuration with ESP and Radius server-side authentication enabled, sessions may fail to be established. |
PD-12058 | Browser Support: An issue exists when connecting to the LoadMaster WUI when using newer versions of the Firefox browser on initial configuration of a hardware FIPS LoadMaster. |
PD-11861 | RADIUS / IPv6: IPv6 is not supported by the current RADIUS implementation in the LoadMaster for both WUI Authorization and ESP Authentication. |
PD-11166 | Networking: Azure LoadMasters are not translating the additional network address between the Master and Slave correctly. |
PD-11044 | Sharepoint Virtual Services: A second authentication prompt is presented when a file is uploaded to SharePoint with the following configuration: WAF is configured with Process Responses enabled on the main Virtual Service and KCD is enabled on the SubVS level for server-side authentication. |
PD-10917 | HA: An issue exists when setting up a 2-armed HA Virtual LoadMaster in Azure. |
PD-10784 | HA: Configuring LoadMaster HA using eth1 on an Amazon Web Services (AWS) Virtual LoadMaster does not work. |
PD-10586 | GEO: If a GEO FQDN is configured with All Available as the Selection Criteria, IP addresses are returned even if the cluster is disabled. |
PD-10490 | Content Rules: The vsremovewafrule RESTful API command does not allow multiple rules to be removed. |
PD-10474 | Intrusion Detection: A SNORT rule is triggering a false positive in certain scenarios. |
PD-10193 | Exchange 2010 Virtual Services: A WAF, ESP, and KCD configuration with Microsoft Exchange 2010 is not supported. |
PD-10188 | Browser Support: (Safari) When adding a Real Server to a Virtual Service or SubVS using the Safari browser, the list of available Real Servers is not available. |
PD-10159 | Statistics: When upgrading firmware from version 7.1.35.n, CPU and network usage graphs are not appearing. As a workaround, reset the statistics in the WUI. |
PD-10136 | Clustering: In a LoadMaster cluster configuration, a new node can be added with the same IP address as an existing node. |
PD-9816 PD-9476 | WAF: There is an API command to list individual rules in a ruleset, but there is no command to list the available rulesets themselves. |
PD-9765 | GEO: DNS TCP requests from unknown sources are not supported. |
PD-9507 | Networking: Unable to add an SDN controller using the RESTful API/WUI in a specific scenario. |
PD-9375 | Sharepoint Virtual Services: Microsoft Office files in SharePoint do not work in Firefox and Chrome when using SAML authentication. |
Appendix A: Verifying Upgrade Image Signatures
This table shows you which XML file to use to verify the digital signature on an upgrade image, based on the currently running LMOS version and the version to which you want to upgrade.
Upgrading From | XML File to Use When Upgrading To 7.2.51
7.2.51 | 7.2.51.0.18987.RELEASE.PATCH-64-MULTICORE.checksum.xml
7.2.50 | 7.2.51.0.18987.RELEASE.PATCH-64-MULTICORE-pre7.2.51.0.checksum.xml
7.2.49.1 | 7.2.51.0.18987.RELEASE.PATCH-64-MULTICORE-pre7.2.51.0.checksum.xml
7.2.48.1 and below | Offline Validation Only (these releases cannot consume an XML file in the UI or API; verify the signature manually before upgrading)