LoadMaster 7.2.51.0 Release Notes

LMOS Version 7.2.51 is a feature and bug-fix release made available in July 2020. Please read the sections below before installing or upgrading.

Contents

Supported Models for Upgrade
Upgrade Path
Upgrade Patch XML File Verification Notes
Downgrading from Version 7.2.51
New Features
Citrix StoreFront Gateway for External Virtual Apps and Desktops
Rate Limiting of Real Servers
Redundant Key Distribution Center for KCD Authentication
UI Login Integration with Cisco ACS / ISE
Change Notices
Configurable KCD Authentication Request Wait Time
Specifying the Protocol for Remote Logging
Port Following on Generic Virtual Services in UI
Enhanced Single Sign On Log Messages
Security Updates
Assigning Intermediate Certificates to Virtual Services
Regeneration of SSH Host Key
Issues Resolved
New Known Issues
Existing Known Issues
Appendix A: Verifying Upgrade Image Signatures

Supported Models for Upgrade

This release of LMOS is supported on the Hardware, Virtual, and Bare Metal models listed as Supported below. It is not supported and should not be installed on any model listed as UNSUPPORTED. This update patch can be applied to any supported model regardless of licensing (e.g., SPLA, MELA) or platform (e.g., hardware, local cloud, public cloud).

Supported Virtual Models: VLM-200, VLM-500, VLM-2000, VLM-3000, VLM-5000, VLM-10G, VLM-GEO, VLM-MAX

Supported Hardware Models: LM-X1, LM-X3, LM-X15, LM-X25, LM-X40, LM-2400, LM-3000, LM-3400, LM-4000, LM-5000, LM-5400, LM-5600, LM-8000, LM-8020, LM-8020M, LM-R320

Supported Bare Metal Models: LMB-1G, LMB-2G, LMB-5G, LMB-10G, LMB-MAX

UNSUPPORTED Hardware Models: LM-2000, LM-2200, LM-2500, LM-2600, LM-3500, LM-3600, LM-5300, LM-5500, LM-Exchange, LM-GEO

UNSUPPORTED Virtual Models: VLM-100, VLM-1000

If your model number is not listed above, please see the list of End of Life models.

Upgrade Path

You can upgrade to this release of LMOS from any previous 7.2.x release. For full upgrade path information, please see the article Kemp LoadMaster Firmware Upgrade Path.

Upgrade Patch XML File Verification Notes

By default, verification of the digital signature on upgrade images is required in LMOS 7.2.50 and above. See the Update Verification Options setting under System Administration > Miscellaneous Options > WUI Settings. If the unit you are upgrading is set to require validation, you'll need to supply one of the two XML Verification Files supplied with this release:

7.2.51.0.18987.RELEASE.PATCH-64-MULTICORE-preV7.2.51.0.checksum.xml
Use this file when upgrading a LoadMaster running a release that is prior to LMOS 7.2.51.
7.2.51.0.18987.RELEASE.PATCH-64-MULTICORE.checksum.xml
Use this file when repeating an upgrade to LMOS 7.2.51 -- that is, LoadMaster is already running 7.2.51.0 and you want to repeat the upgrade process.

LoadMasters running an LMOS version prior to 7.2.49 do not provide the option of XML file verification in the UI or API. If you are upgrading from one of these releases to 7.2.51, you can verify the digital signatures using a manual process documented on the support website.

See Appendix A for a table that shows you which XML file to use for signature verification based on your current release and the release to which you want to upgrade.

Downgrading from Version 7.2.51

Downgrading a LoadMaster running Version 7.2.51 using an earlier LMOS release image can only be done when the Update Verification Options setting is set to Optional or Legacy. When performing the downgrade, do not specify an XML file. If you want to verify the digital signature on the image before downgrading, you can do so using a manual process documented on the support website.

[Note that XML file verification is not part of the process of switching the active LoadMaster partition to the LMOS release that was running on LoadMaster before the last update.]

New Features

The following new features have been added to this release of LMOS.

Citrix StoreFront Gateway for External Virtual Apps and Desktops

A new Virtual Service (VS) template and deployment guide have been introduced with LMOS 7.2.51 to deploy a Virtual Service as a Citrix StoreFront Gateway for external publishing of Citrix Virtual Apps and Desktops deployments, so that Internet clients can leverage Citrix's Virtual Desktop Infrastructure (VDI). In previous releases, LoadMaster only supported publishing to internal networks.

The Kemp-approved and tested template supports authentication of clients to a Citrix Storefront endpoint that provides access to Citrix Virtual Apps and Desktops resources. Clients can log in using Citrix Workspace App, Citrix Receiver, or a browser such as Edge, Chrome, Firefox, or Safari.

For more information and usage instructions, please see the deployment guide and template available from Kemp's Documentation Web Page.

Rate Limiting of Real Servers

A new Real Server (RS) Connection Rate Limit parameter allows you to set a Connections Per Second (CPS) value between 0 and 100000, where 0 means “no limit” (the default) and any other integer is the RS open connection limit.

  • If the number of open connections to the RS reaches the limit set, then the RS is taken out of service (i.e., removed from the load balancing scheduling process) and all new connections will be scheduled for other RSs in the Virtual Service (or SubVS).
  • This includes new connections with persistence settings to the rate-limited RS; these will also be sent to another RS when the rate limit is exceeded.
  • No new connections will be sent to the rate-limited RS until the current 'rate limit period' expires and the RS is returned to the load balancing scheduling process. The 'rate limit period' is 0.1 seconds.
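The following Python model is an added illustration of the scheduling behaviour described above; it is not Kemp's code. It assumes that the limit is a count of connections scheduled to the RS within one 0.1-second period (a fresh counter starts when the period expires), that the Virtual Service schedules round robin, and that a persistent client whose RS is rate-limited is sent to another RS without losing its persistence entry. The names RealServer, VirtualService and demo are constructed here.

```python
from itertools import cycle

RATE_LIMIT_PERIOD = 0.1  # seconds; the 'rate limit period' stated in the release notes

class RealServer:
    """Real Server with a Connection Rate Limit; 0 means 'no limit' (the default)."""

    def __init__(self, name, cps_limit=0):
        if not 0 <= cps_limit <= 100000:
            raise ValueError("Connection Rate Limit must be between 0 and 100000")
        self.name = name
        self.cps_limit = cps_limit
        self.period_start = None  # start time of the current rate-limit period
        self.period_count = 0     # connections scheduled here during that period

    def _roll_period(self, now):
        # Assumption: a fresh period (and counter) starts once the previous one expires.
        if self.period_start is None or now - self.period_start >= RATE_LIMIT_PERIOD:
            self.period_start = now
            self.period_count = 0

    def in_service(self, now):
        """False while the RS is removed from scheduling because its limit was reached."""
        if self.cps_limit == 0:
            return True
        self._roll_period(now)
        return self.period_count < self.cps_limit

    def accept(self, now):
        self._roll_period(now)
        self.period_count += 1

class VirtualService:
    """Round-robin scheduler that honours RS rate limits before persistence."""

    def __init__(self, real_servers):
        self.real_servers = list(real_servers)
        self._rr = cycle(self.real_servers)
        self.persistence = {}  # client id -> RealServer the client normally sticks to
        self.overflow = []     # (client, limited RS name) for redirected persistent clients

    def schedule(self, client, now):
        """Return the name of the RS chosen for a new connection, or None if all are limited."""
        available = [rs for rs in self.real_servers if rs.in_service(now)]
        if not available:
            return None
        rs = self.persistence.get(client)
        if rs is not None and rs not in available:
            # Persistence does not override the limit: the connection goes elsewhere.
            self.overflow.append((client, rs.name))
            rs = None
        if rs is None:
            rs = next(c for c in self._rr if c in available)  # round robin, skipping limited RSs
        rs.accept(now)
        self.persistence.setdefault(client, rs)
        return rs.name

def demo():
    """Constructed scenario: rs1 limited to 3 connections per period, rs2 unlimited."""
    vs = VirtualService([RealServer("rs1", cps_limit=3), RealServer("rs2")])
    burst = [vs.schedule(f"client{i}", now=0.0) for i in range(8)]
    redirected = vs.schedule("client0", now=0.05)  # client0 sticks to rs1, but rs1 is limited
    restored = vs.schedule("client0", now=0.1)     # period expired, rs1 is back in service
    return {"burst": burst, "redirected": redirected, "restored": restored, "overflow": vs.overflow}
```

Running demo() shows rs1 taking its first three connections, every later connection in the same period (including the persistent client0) landing on rs2, and client0 returning to rs1 once the 0.1-second period has expired.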

Redundant Key Distribution Center for KCD Authentication

When configuring an SSO Domain for Single Sign On with Kerberos Constrained Delegation (KCD) as the selected Authentication Protocol, you can now specify two servers in the Kerberos Key Distribution Center (KDC) text box, separated by a space. This provides a backup in case the current KDC becomes unavailable. The username and password used by both KDC servers must be the same.

UI Login Integration with Cisco ACS / ISE

When logging into the UI using RADIUS authentication via Cisco ACS or ISE, LoadMaster will now send an Attribute-Value Pair (AVP) to the server as part of the login request, which contains Kemp's Vendor ID. This AVP can be used by the server upon receipt to identify the device making the request as a LoadMaster.

Change Notices

Configurable KCD Authentication Request Wait Time

In previous releases, when KCD was enabled and LoadMaster sent a request that required authentication, LoadMaster waited up to 2 seconds to see if the request was rejected. This wait time was not configurable, giving the administrator no way to control the amount of latency introduced.

Starting with this release, a new global L7 Wait After POST parameter has been added to the System Configuration > Miscellaneous Options > L7 Configuration page. The default value is 2000 milliseconds (ms), or 2 seconds. Permitted values range between 1 and 2000 ms.

Specifying the Protocol for Remote Logging

In previous releases, the remote logging functionality chose the protocol based on the port specified: UDP for port 514 and TCP for all other ports. A new Remote Syslog Protocol control has been added to the System Configuration > System Administration > Logging Options > Remote Syslog page of the UI so that you can set the protocol to UDP, TCP, or TLS independently of the port number.

Port Following on Generic Virtual Services in UI

In previous releases, it was only possible to configure port following on a Generic Virtual Service via the API. This capability has now been added to the UI.

Enhanced Single Sign On Log Messages

Improvements have been made to messages generated during normal operation to include additional events and information related to authentication and authorization that in previous releases were only exposed by enabling debug logging. Log messages generated in "ESP User Logs" under "Extended Log Files" now include success and failure messages that specify the username, domain, AAA server, AAA protocol, AAA result, error message, and other details.

Security Updates

The following changes to existing LMOS features and behavior have been made in this release to improve LoadMaster's security profile.

Assigning Intermediate Certificates to Virtual Services

Starting with this release, specific intermediate certificates can be assigned to Virtual Services, using controls within the SSL Options accordion in the UI. The default behavior, and the behavior in previous releases, is that all installed intermediate certificates will apply to a VS; this means that any client certificate presented that uses an intermediate certificate found on LoadMaster will be accepted and access to the VS will be granted. Once one or more intermediate certificates is selected in a VS configuration, only client certificates that have one of those specific intermediate certificates in their certificate chain will be granted access to the VS.

Regeneration of SSH Host Key

The LoadMaster host key that is used for SSH login can now be regenerated using controls on the system console. Log into the console and choose Local Administration > Regenerate SSH Host Keys to regenerate the key. Please note the following:

  • When you regenerate the LoadMaster's host key, all current SSH clients will need to be updated with the new public key. Clients will receive connection errors and be unable to connect until the new public key is added to the client's known_hosts file.
  • When LoadMaster is configured in either the High Availability or Clustering modes, the host keys on the two LoadMasters are automatically synchronized to maintain the SSH connection on which the configuration depends.
  • Note that in GEO Partnering mode, SSH host keys are not automatically synchronized, because GEO does not use a shared IP address and the information exchange between partners doesn't depend on SSH access.

Issues Resolved

The following issues from previous LMOS releases have been addressed in this release.

PD-15230 Stability: Fixed an issue where assigning a cipher set that contains all available ciphers to a VS could cause unexpected behavior.
PD-15206 ESP / SSO: When using ESP on a Virtual Service and Use for Session Timeout is enabled, a user is not completely logged out when an OWA session is terminated. This issue has been fixed.
PD-15202 RESTful API: Changing the remote syslog port using the API doesn't result in the new port being enabled. This bug has been fixed.
PD-15191 GEO: Addressed issues seen in the previous release that caused system slowness when making configuration changes, particularly on systems with a large number of FQDNs defined.
PD-15185 Logging: Modified the logging of SSL messages so that handshake failures and other errors (e.g., Unsupported Protocol, No Shared Cipher, Wrong Version Number) currently seen at the Fatal errors only setting are only reported when All Errors is selected.
PD-15184 RESTful API: Fixed an issue that intermittently caused the ssodomain/queryall API to return an error.
PD-15179 IPv6: IPv6 routing changes for standards conformance in the previous release caused IPv6 static routes to no longer be honored. This issue has been addressed by introducing a new option on the Debug Options page, Enable Layer 4 IPv6 Forwarding. This option is enabled by default to support pre-7.2.50 LoadMaster behavior and should be disabled if IPv6-standard-conformant behavior is required.
PD-15164 ESP Client Authentication: In LMOS 7.2.50, if the Client Auth Mode on a VS is set to Delegate to Server and the Certify Bearer Header option is enabled, modifying the Client Auth Mode to any other value results in client request failures. This issue has been fixed.
PD-15133 ESP SSO Logoff: In LMOS 7.2.50, an issue was introduced where Single Sign On sessions on LoadMaster were not being properly removed upon logoff, causing subsequent login attempts to fail. This issue has been fixed.
PD-15121 GEO Stability: Fixed an issue in LMOS 7.2.50 that caused GEO configurations of more than 165 FQDNs to become unresponsive.
PD-15097 OCSP: Fixed an issue that caused Real Server certificates to not be validated when Stapling is enabled.
PD-15094 GEO Stability: If the Use for GEO Responses and Requests option is enabled on multiple interfaces, then GEO may stop responding to DNS queries and log multiple spurious errors complaining about a bad IPv6 address. This bug has been fixed.
PD-15092 GEO Cluster Notifications: Fixed an issue that caused emergency/critical alerts to be logged repeatedly for administratively disabled clusters.
PD-15090 PowerShell API: Unable to set the Alternate Source Address advanced VS option via the PowerShell API Set-AdcVirtualService because the parameter name was incorrect. This has been fixed by modifying the API to use the LocalBindAddrs parameter.
PD-15054 Manage Services UI: Fixed an issue where the indicator for the SubVS with the highest numerical weight (a green star) did not move to the appropriate SubVS if another SubVS's weight changed so that it was higher than the SubVS with the indicator.
PD-15042 Licensing: Fixed an issue where trials couldn't be relicensed after expiry.
PD-15041 ESP Verify Bearer Header: Fixed issues that caused some valid JSON Web Tokens to be rejected when validated by LoadMaster.
PD-15040 ESP Verify Bearer Header Certificates: Updated LMOS to refuse to remove a certificate from the system if it is being used by a VS to verify bearer header tokens.
PD-15034 Compression: In previous releases, if compression and content switching were enabled and a client made several requests over one connection that were destined for different Real Servers, then only the first response was compressed. This issue has been addressed so that all responses are compressed.
PD-15021 VMware Deployment: VMware images have been modified so that the CLI will no longer return the message "init ID S0 respawning too fast: disabled for 5 minutes".
PD-14985 ESP Single Sign On: Fixed an issue that caused a refresh of a login page to display an access denied page, even if the allowed virtual host and virtual directories were set to wildcards.
PD-14973 GEO Logging: Fixed an issue that caused these spurious log messages to appear repeatedly: "named: received control channel command 'stats'".
PD-14966 LoadMaster RESTful API: The modparams API, broken in the previous release, has been fixed.
PD-14963 GEO RESTful API: The showfqdn API display was partially broken in the previous release, omitting the Site Status. This issue has been fixed.
PD-14951 ESP Single Sign On: Fixed an issue that could cause Virtual Services to become unresponsive, accompanied by this message in the logs: "ssomgr: ERROR: ssomgr too many threads:128".
PD-14853 UI on Nutanix Platform: In previous releases, under the Real Time Statistics, the speed shown for interfaces on the Nutanix cloud platform was displayed as "-1". Now, the speed displayed will be dependent on the amount of load placed on the interfaces.
PD-14742 Single Sign On: With Forms Based Authentication enabled and an idle or maximum session duration time set to 24 hours, logging out of an established session doesn't display the logout form as expected; instead the login form is displayed. The user then cannot log back into the system using that browser. This issue has been fixed.
PD-14647 WAF Rules on AWS PAYG: Fixed issues associated with installing and updating WAF rules on AWS PAYG licensed LoadMasters.

New Known Issues

The following issues appear for the first time in this release of LMOS.

PD-15337 Single Sign On: Under certain conditions, login attempts are not being blocked after the failed login attempts threshold has been reached.
PD-15294 ESP Verify Bearer Header: LoadMaster does not return an error when an encrypted token is received and there is no SSL certificate assigned to the VS to decrypt the token.
PD-15172 ESP Verify Bearer Header: Validation is not working when "Allowed Virtual Hosts" and "Allowed Virtual Directories" are blank on the Virtual Service.

Existing Known Issues

The following issues appeared in the Release Notes for the previous release of LMOS.

PD-14943 Single Sign On: When Form Based Authentication is enabled on the server side, it is possible that after filling out correct credentials and submitting the login form, the form will be presented again; once the second login form is submitted with correct credentials, the login succeeds.
PD-14256 SNMP: The VS and RS IN/OUT OIDs are not displaying any data.
PD-12838 ESP / SSO: The ESP Permitted Group SID(s) setting is not working as expected when configured on a subVS.
PD-12616 WAF / Compression: With Web Application Firewall (WAF) enabled, compressed files are incorrectly decompressed. As a workaround, ensure compression is enabled in VS Advanced Properties by selecting the Enable Compression option.
PD-12492 Downgrade: If an Azure VLM is downgraded to the LTS firmware release (7.1.35.x), the WUI may display in the top right-hand corner that the VLM is a Hyper-V VLM. This indicates that the Azure VLM Add-On Package must be added to the system to provide full Azure VLM functionality. If this occurs, please contact Kemp Support to get the required add-on package.
PD-12354 / PD-10466 Hardware Support: The LoadMaster models LM-X15, LM-X25, and LM-X40 do not support the following SFP+ modules: LM-SFP-SX (SFP+ SX Transceiver 1000BASE-SX 850nm, 550m over MMF), LM-SFP-LX (SFP+ LX Transceiver 1000BASE-LX 1310nm, 10KM over SMF).
PD-12237 HA / NTP: Configuring NTP for the first time after the system is running in High Availability (HA) mode and when the current time on the machines is not correct, may cause the systems to both go into the Master state.
PD-12147 ESP / RADIUS: In a LoadMaster configuration with ESP and Radius server-side authentication enabled, sessions may fail to be established.
PD-12058 Browser Support: An issue exists when connecting to the LoadMaster WUI when using newer versions of the Firefox browser on initial configuration of a hardware FIPS LoadMaster.
PD-11861 RADIUS / IPv6: IPv6 is not supported by the current RADIUS implementation in the LoadMaster for both WUI Authorization and ESP Authentication.
PD-11166 Networking: Azure LoadMasters are not translating the additional network address between the Master and Slave correctly.
PD-11044 Sharepoint Virtual Services: A second authentication prompt is presented when a file is uploaded to SharePoint with the following configuration: WAF is configured with Process Responses enabled on the main Virtual Service and KCD is enabled on the SubVS level for server-side authentication.
PD-10917 HA: An issue exists when setting up a 2-armed HA Virtual LoadMaster in Azure.
PD-10784 HA: Configuring LoadMaster HA using eth1 on an Amazon Web Services (AWS) Virtual LoadMaster does not work.
PD-10586 GEO: If a GEO FQDN is configured with All Available as the Selection Criteria, IP addresses are returned even if the cluster is disabled.
PD-10490 Content Rules: The vsremovewafrule RESTful API command does not allow multiple rules to be removed.
PD-10474 Intrusion Detection: A SNORT rule is triggering a false positive in certain scenarios.
PD-10193 Exchange 2010 Virtual Services: A WAF, ESP, and KCD configuration with Microsoft Exchange 2010 is not supported.
PD-10188 Browser Support: (Safari) When adding a Real Server to a Virtual Service or SubVS using the Safari browser, the list of available Real Servers is not available.
PD-10159 Statistics: When upgrading firmware from version 7.1.35.n, CPU and network usage graphs are not appearing. As a workaround, reset the statistics in the WUI.
PD-10136 Clustering: In a LoadMaster cluster configuration, a new node can be added with the same IP address as an existing node.
PD-9816 / PD-9476 WAF: There is an API command to list individual rules in a ruleset, but there is no command to list the available rulesets themselves.
PD-9765 GEO: DNS TCP requests from unknown sources are not supported.
PD-9507 Networking: Unable to add an SDN controller using the RESTful API/WUI in a specific scenario.
PD-9375 Sharepoint Virtual Services: Microsoft Office files in SharePoint do not work in Firefox and Chrome when using SAML authentication.

Appendix A: Verifying Upgrade Image Signatures

This table shows you which XML file to use to verify the digital signature on an upgrade image, based on the currently running LMOS version and the version to which you want to upgrade.

Upgrading From …          XML file to use when upgrading to 7.2.51
7.2.51                    7.2.51.0.18987.RELEASE.PATCH-64-MULTICORE.checksum.xml
7.2.50                    7.2.51.0.18987.RELEASE.PATCH-64-MULTICORE-pre7.2.51.0.checksum.xml
7.2.49.1                  7.2.51.0.18987.RELEASE.PATCH-64-MULTICORE-pre7.2.51.0.checksum.xml
7.2.48.1 and below        Offline Validation Only

