Kemp 360 Central Deployment Scripting

1 Introduction

Deployment scripting is a way to script and use LoadMaster features that have not yet been added to the Kemp 360 Central User Interface (UI). You can view the deployment scripts when deploying an application profile. The script uses JSON format. Refer to the Deployment Script Example section for the general syntax and structure required; this will help you when making modifications.

You can use deployment scripting to configure the following features because they are not available in the Kemp 360 Central UI:

  • ESP
  • WAF
  • Various advanced features not available in the UI

This document provides details on the syntax and parameters to use in deployment scripts.

2 Deployment Script Variables

Refer to the sections below for details about the variables you can use in deployment scripts.

2.1 General Variables

Refer to the table below for details about some general deployment script variables.

Parameter | Type | Choices | Comment
custom_script_deployment | Boolean | true, false | Custom script used - keep this as true
targets | List (1 String) | | A single-item list containing a string with the IP address and port of the LoadMaster that the configuration will be deployed to
profile | Object | | An object made up of nested objects that together form a profile

2.2 Profile Variables

Refer to the table below for details about application profile variables.

Parameter | Type | Choices | Comment
description | String | | A description for the profile
name | String | | The name of the profile. This must be unique.
ldap_list | Object | | An object list of LDAP configurations
global_params | Object | | An object of configuration settings for Web Application Firewall (WAF) updates, blacklist updates, and non-local Real Server enabling
sso_list | Object | | An object list that makes up a group of Single Sign-Ons (SSOs)
vs_list | Object | | An object list that makes up Virtual Services
id | Int | | The ID of the profile - do not change this

2.3 Global_params Variables

Refer to the table below for details about some global parameters.

Parameter | Type | Choices | Comment
non_local_rs | Int | 0, 1 | Enable a non-local Real Server on the LoadMaster
black_list_auto_update | String | 0, 1 | Boolean to enable or disable the automatic updating of the blacklist
black_list_auto_install | Object | | Boolean to automatically install the blacklist
black_list_install_time | Object | 0 - 23 | An integer representing the hour of the day to install GEO blacklist updates
waf_auto_update | Object | | Boolean to enable or disable the automatic updating of WAF rules
waf_auto_install | Int | 0 - 23 | Boolean to enable or disable the automatic installation of WAF rules
waf_install_time | Int | 0 - 23 | An integer value representing the hour of the day to install WAF rule updates

2.4 Ldap_list Variables

Refer to the table below for details on the LDAP variables.

Parameter | Type | Choices | Comment
server | String | None | The IP address of the LDAP server
ldaptype | Int | 0, 1, 2 | Represents different LDAP protocols: 0 - Unencrypted; 1 - LDAPS; 2 - StartTLS
name | String | | The nickname of the LDAP server
adminpass | String | | The admin password for the LDAP server

2.5 Sso_list Variables

Refer to the table below for details about SSO variables.

Parameter | Type | Choices | Comment
domain | String | | The nickname to give your configuration
server_side | Int | 0, 1 | Specify server-side authentication: 0 - false; 1 - true
reset_fail_tout | Int | | The number of seconds that must elapse before the failed login attempt count is reset to 0
cert_check_asi | Int | | Only when selecting certificates - check the validity of the certificate against the altSecurityIdentities attribute of the user
cert_check_on | Int | | Enabling this allows a fallback to checking the Common Name when the Subject Alternative Name (SAN) is not available
auth_type | String | ldap_unencrypted, ldap_starttls, ldap_ldaps, radius, kcd, certificates, radius_and_ldap_unencrypted, radius_and_ldap_starttls, radius_and_ldap_ldaps | Specify the transport protocol to use with an authentication server (RSA is not supported)
logon_fmt | String | 'Not specified', Principalname, Username, 'Username only' | The string format for authenticating with LDAP/RADIUS
logon_fmt2 | String | 'not specified', Principalname, Username | The string format for authenticating to the server
logon_transcode | String | 0, 1 | Enable or disable the transcoding of login credentials: 0 - Disabled; 1 - Enabled
idp_entity_id | String | | Specify the Identity Provider (IdP) Entity ID. This is relevant when using SAML.
idp_sso_url | String | | Specify the IdP SSO URL
idp_cert | String | | Specify the IdP certificate to use for verification
idp_matchcert | Int | 0, 1 | If enabled, the assigned certificate must match the one in the SAML response: 0 - false; 1 - true
radius_shared_secret | String | | The shared secret used between the RADIUS server and the LoadMaster
radius_send_nas_id | String | | If radius_send_nas_id is enabled, the radius_nas_id parameter is relevant. When specified, its value is used as the NAS identifier. Otherwise, the hostname is used as the NAS identifier.
max_failed_auths | Int | | The maximum number of failed login attempts before the user is locked out. 0 means the user is never locked out.
sp_entity_id | String | | The Service Provider (SP) entity ID. This is relevant when using SAML.
sp_cert | String | | Optional certificate used to sign requests
sess_tout_idle_pub | Int | | The session idle timeout in seconds in a public environment
sess_tout_idle_priv | Int | | The session idle timeout in seconds in a private environment
sess_tout_type | String | idle_time, max_duration | The type of session timeout
sess_tout_duration_pub | Int | | The maximum session duration in seconds in a public environment
sess_tout_duration_priv | Int | | The maximum session duration in seconds in a private environment
kerberos_domain | String | | The Kerberos realm
kerberos_kdc | String | | The Kerberos Key Distribution Center (KDC)
kerberos_username | String | | The Kerberos username
kerberos_password | String | | The Kerberos password

2.6 Vs_list Variables

Refer to the table below for details about the Virtual Service variables.

Parameter | Type | Choices | Comment
traffic_delivery_mode | String | server_pool, subvs | You can attach either a server pool or a SubVS to a Virtual Service
subvs_id | Int | | The ID of the SubVS. Set it to 0 if it is not a SubVS.
traffic_delivery | Object | | An object that holds the default settings for a server pool
subvs_list | Object | | An object of nested SubVS objects
security | Object | | An object of all security settings for the Virtual Service
certificate_mode | String | 'cert_repo', 'cert_upload' | The source of the certificate. Specifying cert_upload requires a key with the certificate.
networking | Object | | An object that holds all network-related features of a Virtual Service
properties | Object | | An object that holds standard properties of the LoadMaster
preprocess_rules | List | | A list of pre-process rules (Virtual Service only)
request_rules | List | | A list of request rules (Virtual Service only)
response_rules | List | | A list of response rules (Virtual Service only)
match_body_rules | List | | A list of match body rules (Virtual Service only)
content_rules | List | | A list of content rules
add_via | Int | 0 - Legacy Operation (X-Forwarded-For); 1 - X-Forwarded-For (+ Via); 2 - None; 3 - X-ClientSide (+ Via); 4 - X-ClientSide (No Via); 5 - X-Forwarded-For (No Via); 6 - Via Only | This corresponds to the Add HTTP Headers field in the LoadMaster UI. Select which headers to add to HTTP requests. X-ClientSide and X-Forwarded-For are only added to non-transparent connections.

2.7 Traffic_delivery Variables

Refer to the table below for details about the traffic delivery variables.

Parameter | Type | Choices | Comment
standby_addr | String | | The IP address to use when the service is unavailable. This must be used together with the standby_port variable.
standby_port | Int | | The port to use when the service is unavailable. This must be used together with the standby_addr variable.
persist | String | ssl, cookie, active-cookie, cookie-src, cookie-hash, cookie-hash-src, url, query-hash, hash, host, header, super, super-src, src, rdp, rdp-src, rdp-sb, rdp-sb-src, udpsip, none | Specify the desired persistence mode.
persist_timeout | Int | | The timeout for the session.
persist_cookie | Int | | The cookie to set, for persistence modes that support cookies
rs_pool_id | Int | | The ID of the server pool you want to add to the SubVS
redirect_error_url | String | | The URL of the redirect
redirect_error_code | Int | | The redirect code
check_type | String | icmp, https, http, tcp, smtp, nntp, ftp, telnet, pop3, imap, rdp, bdata, ldap, none | Specify which protocol to use to check the health of the Real Server. (The check type attached to the rs_pool_id overrides the standard check_type.)

Subvs_list Variables

Refer to the table below for details on the SubVS variables.

Parameter | Type | Choices | Comment
subvs_configured | Boolean | true, false | This Boolean specifies whether a SubVS is configured
temp_subvs_id | Int | | This is a temporary SubVS ID. Do not change this value.
advanced | Object | | The advanced properties of a SubVS
networking | Object | | The networking section of a SubVS
properties | Object | | An object that makes up the Real Server features of a SubVS
security | Object | | An object of all security settings for the SubVS
traffic_delivery | Object | | An object that holds the default settings for a server pool

2.8 Networking Variables

Refer to the table below for details on networking variables.

Parameter | Type | Choices | Comment
use_for_snat | Int | 0, 1 | If enabled, replies from server pools use the Virtual Service address as the source IP address. If disabled, the LoadMaster interface address is used. 0 - False; 1 - True
transparency | Int | 0, 1 | If enabled, traffic arriving at the server pool carries the client IP address. If disabled, it carries the IP address of the LoadMaster. 0 - False; 1 - True
subnet_originating | Object | 0, 1 | Set the request source IP address to the LoadMaster interface address. Note: You cannot enable this option if transparency is enabled. 0 - False; 1 - True

2.9 Properties Variables

Refer to the table below for details on the properties variables.

Parameter | Type | Choices | Comment
enable | Int | 0, 1 | Activate or deactivate the Virtual Service: 0 - Deactivated; 1 - Activated
intercept | Int | 0, 1 | 0 - WAF disabled (WAF settings are ignored); 1 - WAF enabled
intercept_opts | List | | The list of intercept options to enable
alert_threshold | Int | | The threshold for alerts
intercept_post_other_content_types | List | | POST content types for WAF
waf_rules | List | | The list of rules to add to WAF, in the format ['<rule_type>/<rule_name>: <ids_to_disable>,<id_to_disable2>']
nickname | String | | The nickname to give the service
port | Int | | The port of the service
protocol | String | tcp, udp | The protocol of the Virtual Service
ip | String | | The IP address of the Virtual Service
vs_type | String | http, gen, http2, tls | The service type of the Virtual Service
server_init | Int | 0 - Normal Protocols; 1 - SMTP; 2 - SSH; 3 - Other Server Initiating; 4 - IMAP4; 5 - MySQL; 6 - POP3 | By default, the LoadMaster does not initiate a connection with a Real Server until it has received some data from the client. This prevents certain protocols from working, because they need to communicate with the Real Server before transmitting data. If the Virtual Service uses one of these protocols, specify it with the server_init parameter so that it works correctly.
start_tls_mode | Int | 0 - HTTP/HTTPS; 1 - SMTP (STARTTLS if requested); 2 - SMTP (STARTTLS always); 3 - FTP; 4 - IMAP; 6 - POP3 | To set start_tls_mode to 0 (HTTP/HTTPS), the Service Type (vs_type) must be set to HTTP/HTTPS (http).
critical | Int | 0, 1 | Mark the parent Virtual Service down if not available. 0 - False; 1 - True
status | Int | | Enable or disable the SubVS
limit | Int | | The maximum number of connections to the SubVS
weight | Int | | The weight of the SubVS
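The waf_rules row above gives the entry format only as a template string. The following Python helpers are an added example, not Kemp's own code: they parse a waf_rules list entry into its rule type, rule name and disabled-ID list, reject malformed entries and duplicate rule sets before a script is deployed, and build the string form back from structured values. The rule names and IDs are constructed placeholders, and the acceptance of an entry with no ': ...' part (meaning nothing disabled) is an assumption the table does not state.

```python
import re

# Format from the waf_rules row: '<rule_type>/<rule_name>: <id>,<id2>'.
# The trailing ': ...' group is optional here (assumption: no colon = nothing disabled).
_RULE_RE = re.compile(r"^\s*([^/\s]+)/([^:\s]+)\s*(?::\s*(.*?))?\s*$")


def parse_waf_rule(entry):
    """Parse one waf_rules entry into (rule_type, rule_name, disabled_ids).

    Raises ValueError for entries that do not follow the documented format,
    so a typo is caught before the script reaches the LoadMaster.
    """
    m = _RULE_RE.match(entry)
    if not m:
        raise ValueError(f"malformed waf_rules entry: {entry!r}")
    rule_type, rule_name, id_part = m.groups()
    ids = []
    for tok in (id_part or "").split(","):
        tok = tok.strip()
        if not tok:
            continue
        if not tok.isdigit():
            raise ValueError(f"non-numeric rule id {tok!r} in {entry!r}")
        ids.append(int(tok))
    return rule_type, rule_name, ids


def summarise_waf_rules(entries):
    """Map 'rule_type/rule_name' -> sorted, de-duplicated disabled IDs.

    A rule set listed twice is rejected: two entries for the same set would
    leave it ambiguous which IDs end up disabled.
    """
    seen = {}
    for entry in entries:
        rule_type, rule_name, ids = parse_waf_rule(entry)
        key = f"{rule_type}/{rule_name}"
        if key in seen:
            raise ValueError(f"rule set {key} listed twice")
        seen[key] = sorted(set(ids))
    return seen


def format_waf_rule(rule_type, rule_name, disabled_ids=()):
    """Inverse of parse_waf_rule: produce the documented string form."""
    head = f"{rule_type}/{rule_name}"
    if not disabled_ids:
        return head
    return f"{head}: {','.join(str(i) for i in disabled_ids)}"


if __name__ == "__main__":
    # Constructed sample entries (placeholder rule names and IDs, not real rule sets).
    sample = ["custom/my_app_rules: 1001,1002", "custom/other_rules"]
    for key, ids in summarise_waf_rules(sample).items():
        print(f"{key}: disabled={ids}")
```

Running parse_waf_rule over every entry of a profile's waf_rules lists before deployment turns a silently ignored or mis-applied rule string into an explicit error in the deployment pipeline.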

2.10 Advanced Variables

Refer to the table below for details on the advanced variables.

Parameter | Type | Choices | Comment
allow_http_2 | Int | 0, 1 | 0 - HTTP2 disabled; 1 - HTTP2 enabled
qos | String | Normal Service, Minimize-Cost, Maximize-Reliability, Maximize-Throughput, Minimize-Delay | The quality of service for the Virtual Service
extra_ports | List | | A list of extra ports the Virtual Service will use. A maximum of 510 ports can be set.
idle_time | Int | | The number of seconds before an idle connection is closed. If this is set to 0, the default LoadMaster timeout applies.
alt_address | String | | An alternative address for the Virtual Service
verify | Object | | An object representing malicious-traffic handling that makes use of Snort. The rules can be ignored, dropped, or rejected.
DefaultGW | String | | The IP address of the default gateway

2.11 Verify Variables

Refer to the table below for details on the verify variables.

Parameter | Type | Choices | Comment
handling | String | intrusion, drop | Intrusion sends a reject. Drop drops the connection.
warnings | Boolean | true, false | Turn warnings on or off. 0 - False (off); 1 - True (on)
verify | Object | | An object representing malicious-traffic handling that makes use of Snort. The rules can be ignored, dropped, or rejected.

2.12 Security Variables

Refer to the table below for details on the security variables.

Parameter | Type | Choices | Comment
cipher_id | String | | The ID of the cipher set. Custom and predefined cipher sets use different IDs.
cipher_set | String | Default, Default_NoRc4, BestPractices, Intermediate_compatibility, Backward_compatibility, WUI, FIPS, Legacy, Null_Ciphers, <NameOfCustomCipherSet> | The name of the cipher set to use
cipher_source | List | Kemp, custom | A list of extra ports the Virtual Service will use. There is a maximum of 510 ports that can be set.
need_host_name | Int | 0, 1 | Specify whether the SNI host name is required. 0 - False; 1 - True
ssl_acceleration | Int | 0, 1 | Enable or disable SSL. 0 - False; 1 - True
ssl_reencrypt | Int | | Re-encrypt traffic after offloading
ssl_reverse | Int | | Turn on ssl_reverse. This setting depends on the vs_type in use.
cert_name | String | | The name or ID of the certificate. Do not change this value.
cert_mode | String | 'cert_repo', 'cert_upload' | The source of the certificate. Using cert_upload requires a key with the certificate.

3 Deployment Script Example

Here is an example deployment script:

{
  "targets": ["10.0.0.10:443"],
  "profile": {
    "name": "Profile 1",
    "description": "Basic Profile",
    "global_params": {
      "black_list_auto_update": 1,
      "black_list_auto_install": 1,
      "black_list_install_time": 12,
      "waf_auto_update": 1,
      "waf_auto_install": 1,
      "waf_install_time": 12,
      "non_local_rs": 1
    },
    "sso_list": {
      "1": {
        "sp_cert": "38FCF8174F0E9FCF1318FC5758E8F5BC5BD6EA6D",
        "ldap_password": "",
        "sp_entity_id": "sp_entity_id",
        "logon_domain": "lugabuba",
        "logon_fmt": "Principalname",
        "logon_transcode": "1",
        "sess_tout_idle_pub": "919",
        "server_side": "0",
        "testpass": "",
        "idp_logoff_url": "https://www.def.com/url/logoff",
        "idp_cert": "a",
        "idp_entity_id": "test_abc",
        "domain": "SAML",
        "auth_type": "SAML",
        "logon_fmt2": "Username",
        "sess_tout_duration_pub": "1801",
        "idp_sso_url": "https://www.def.com/url/abc",
        "idp_match_cert": "0",
        "sess_tout_type": "max duration",
        "radius_shared_secret": ""
      }
    },
    "ldap_list": {
      "1": {
        "server": "10.20.34.114",
        "ldaptype": "Unencrypted",
        "name": "LDAPTEST2",
        "adminuser": "dodanu"
      },
      "2": {
        "server": "10.20.34.114",
        "ldaptype": "Unencrypted",
        "name": "LDAPTEST3",
        "adminuser": "dodanu"
      }
    },
    "vs_list": {
      "1": {
        "advanced": {},
        "certificate_mode": "unset",
        "networking": {
          "subnet_originating": 1
        },
        "properties": {
          "enable": "y",
          "nickname": "VS1",
          "port": "80",
          "protocol": "tcp",
          "vs_type": "http",
          "ip": "10.35.53.100"
        },
        "security": {},
        "subvs_id": 0,
        "subvs_list": {},
        "temp_subvs_id": 0,
        "traffic_delivery": {
          "rs_pool_id": 1
        },
        "traffic_delivery_mode": "unset",
        "vs_configured": "configured"
      },
      "2": {
        "advanced": {},
        "certificate_mode": "cert_upload",
        "networking": {},
        "properties": {
          "enable": "y",
          "nickname": "VS2",
          "port": "443",
          "protocol": "tcp",
          "vs_type": "http",
          "ip": "10.35.53.101"
        },
        "security": {
          "cipher_id": 6,
          "cipher_set": "WUI",
          "cipher_source": "kemp",
          "ssl_acceleration": 1
        },
        "subvs_id": 22,
        "subvs_list": {
          "21": {
            "advanced": {
              "qos": "Normal-Service"
            },
            "networking": {
              "subnet_originating": 1
            },
            "properties": {
              "content_rules": [
                1
              ],
              "critical": 1,
              "limit": 0,
              "nickname": "SubVS1",
              "status": 1,
              "vs_type": "http",
              "weight": 1000
            },
            "subvs_configured": true,
            "traffic_delivery": {
              "persist": "src",
              "persist_timeout": 3600,
              "rs_pool_id": 1
            }
          },
          "1": {
            "advanced": {},
            "networking": {},
            "properties": {
              "critical": 1,
              "limit": "5",
              "nickname": "SubVS2",
              "vs_type": "http",
              "weight": 1000
            },
            "subvs_configured": true,
            "traffic_delivery": {
              "rs_pool_id": 1
            }
          }
        },
        "temp_subvs_id": 2,
        "traffic_delivery": {},
        "traffic_delivery_mode": "subvs",
        "vs_configured": "configured"
      }
    }
  }
}
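Because a deployment script is pushed straight to a LoadMaster, it is worth linting it against the variable tables before it leaves the pipeline. The following Python script is an added example, not Kemp's own tooling: it checks the single-target list and custom_script_deployment flag (section 2.1), the ldaptype values (2.4), max_failed_auths and sess_tout_type (2.5), the rule that subnet_originating cannot be combined with transparency (2.8), the rule that start_tls_mode 0 needs vs_type http (2.9) and the cipher_set names (2.12), recursing into subvs_list. It accepts the textual ldaptype names that the example above uses alongside the integers in the table. The sample script, the RFC 5737 addresses, and the treatment of Legacy and Null_Ciphers as weak cipher sets are assumptions made for this demonstration; nothing here contacts a LoadMaster.

```python
import json

# --- Allowed values transcribed from the tables in this document ---
LDAPTYPE_BY_NAME = {"Unencrypted": 0, "LDAPS": 1, "StartTLS": 2}      # section 2.4
SESS_TOUT_TYPES = {"idle_time", "max_duration"}                        # section 2.5
VS_TYPES = {"http", "gen", "http2", "tls"}                             # section 2.9
CIPHER_SETS = {"Default", "Default_NoRc4", "BestPractices",            # section 2.12
               "Intermediate_compatibility", "Backward_compatibility",
               "WUI", "FIPS", "Legacy", "Null_Ciphers"}
# Assumption (reviewer's judgement, not stated in the tables): these sets are weak.
WEAK_CIPHER_SETS = {"Legacy", "Null_Ciphers"}


def _as_int(value):
    """Int fields in the tables are sometimes quoted as strings in scripts."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def lint_script(script):
    """Return a list of (severity, json_path, message) findings for one script."""
    findings = []

    # 2.1: targets is a single-item list of "ip:port"; the custom flag stays true.
    targets = script.get("targets")
    if not (isinstance(targets, list) and len(targets) == 1 and ":" in str(targets[0])):
        findings.append(("error", "targets", "must be a one-item list of 'ip:port'"))
    if script.get("custom_script_deployment") is not True:
        findings.append(("warn", "custom_script_deployment", "should be present and true"))

    profile = script.get("profile", {})

    # 2.4: ldaptype 0 means the LDAP bind (and the admin password) travel unencrypted.
    for key, ldap in profile.get("ldap_list", {}).items():
        path = f"profile.ldap_list.{key}.ldaptype"
        raw = ldap.get("ldaptype")
        ltype = LDAPTYPE_BY_NAME.get(raw, _as_int(raw))
        if ltype not in (0, 1, 2):
            findings.append(("error", path, f"unknown ldaptype {raw!r}"))
        elif ltype == 0:
            findings.append(("warn", path, "LDAP traffic is unencrypted; prefer LDAPS or StartTLS"))

    # 2.5: lockout and timeout settings.
    for key, sso in profile.get("sso_list", {}).items():
        base = f"profile.sso_list.{key}"
        if "max_failed_auths" in sso and _as_int(sso["max_failed_auths"]) == 0:
            findings.append(("warn", f"{base}.max_failed_auths", "0 means accounts are never locked out"))
        tout = sso.get("sess_tout_type")
        if tout is not None and tout not in SESS_TOUT_TYPES:
            findings.append(("error", f"{base}.sess_tout_type", f"expected one of {sorted(SESS_TOUT_TYPES)}"))

    for key, vs in profile.get("vs_list", {}).items():
        _lint_service(vs, f"profile.vs_list.{key}", findings)
    return findings


def _lint_service(vs, base, findings):
    """Checks shared by Virtual Services and SubVSs (sections 2.8, 2.9, 2.12)."""
    net = vs.get("networking", {})
    if _as_int(net.get("transparency")) == 1 and _as_int(net.get("subnet_originating")) == 1:
        findings.append(("error", f"{base}.networking", "subnet_originating cannot be enabled with transparency"))

    props = vs.get("properties", {})
    vs_type = props.get("vs_type")
    if vs_type is not None and vs_type not in VS_TYPES:
        findings.append(("error", f"{base}.properties.vs_type", f"unknown vs_type {vs_type!r}"))
    if _as_int(props.get("start_tls_mode")) == 0 and vs_type != "http":
        findings.append(("error", f"{base}.properties.start_tls_mode", "mode 0 requires vs_type http"))

    sec = vs.get("security", {})
    cipher_set = sec.get("cipher_set")
    if cipher_set in WEAK_CIPHER_SETS:
        findings.append(("warn", f"{base}.security.cipher_set", f"{cipher_set} is a weak cipher set"))
    elif cipher_set is not None and cipher_set not in CIPHER_SETS:
        findings.append(("info", f"{base}.security.cipher_set", f"{cipher_set} treated as a custom cipher set"))

    for key, sub in vs.get("subvs_list", {}).items():
        _lint_service(sub, f"{base}.subvs_list.{key}", findings)


# Constructed sample script (RFC 5737 documentation addresses) with deliberate problems.
SAMPLE_SCRIPT = json.loads("""
{
  "custom_script_deployment": true,
  "targets": ["192.0.2.10:443"],
  "profile": {
    "name": "lint-demo",
    "ldap_list": {"1": {"server": "192.0.2.20", "ldaptype": "Unencrypted", "name": "AD"}},
    "sso_list": {"1": {"domain": "corp", "max_failed_auths": 0, "sess_tout_type": "max_duration"}},
    "vs_list": {
      "1": {
        "networking": {"transparency": 1, "subnet_originating": 1},
        "properties": {"vs_type": "http", "port": 443},
        "security": {"cipher_set": "Legacy", "ssl_acceleration": 1},
        "subvs_list": {
          "1": {"properties": {"vs_type": "http"}, "security": {"cipher_set": "BestPractices"}}
        }
      }
    }
  }
}
""")

if __name__ == "__main__":
    for severity, path, message in lint_script(SAMPLE_SCRIPT):
        print(f"{severity:5} {path}: {message}")
```

Run against the constructed sample, the linter reports the unencrypted LDAP server, the never-locking-out SSO, the transparency/subnet_originating conflict and the Legacy cipher set, and is silent on the SubVS that uses BestPractices. Pointing lint_script at a script loaded with json.load gives the same checks for a real profile before it is deployed.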

Last Updated Date

This document was last updated on 28 August 2020.
