Technical Note - Kemp 360 Central Deployment Scripting
1 Introduction
Deployment scripting is a way to script and use LoadMaster features that have not yet been added to the Kemp 360 Central User Interface (UI). You can view the deployment scripts when deploying an application profile. The script uses JSON format. Refer to the Deployment Script Example section for the general syntax and structure required; it will help you when making modifications.
You can use deployment scripting to configure the following features because they are not available in the Kemp 360 Central UI:
- ESP
- WAF
- Various advanced features not available in the UI
This document provides details on the syntax and parameters to use in deployment scripts.
2 Deployment Script Variables
Refer to the sections below for details about the variables you can use in deployment scripts.
2.1 General Variables
Refer to the table below for details about some general deployment script variables.
Parameter | Type | Choices | Comment
---|---|---|---
custom_script_deployment | Boolean | true, false | Custom script used - keep this as true
targets | List (1 String) | | A single-item list containing a string with the IP address and port of the LoadMaster that the configuration will be deployed to
profile | Object | | An object made up of nested objects that together make up a profile
2.2 Profile Variables
Refer to the table below for details about application profile variables.
Parameter | Type | Choices | Comment
---|---|---|---
description | String | | A description for the profile
name | String | | The name of the profile. This must be unique.
ldap_list | Object | | An object list of LDAP configurations
global_params | Object | | An object of configuration settings for Web Application Firewall (WAF) updates, blacklist updates, and non-local Real Server enabling
sso_list | Object | | An object list that makes up a group of Single Sign Ons (SSOs)
vs_list | Object | | An object list that makes up Virtual Services
id | Int | | The ID of the profile - do not change this
2.3 Global_params Variables
Refer to the table below for details about some global parameters.
Parameter | Type | Choices | Comment
---|---|---|---
non_local_rs | Int | 0, 1 | Enable a non-local Real Server on the LoadMaster
black_list_auto_update | String | 0, 1 | Boolean to enable or disable the automatic updating of the blacklist
black_list_auto_install | Object | | Boolean to automatically install the blacklist
black_list_install_time | Object | 0 - 23 | An integer representing the hour of the day to install GEO blacklist updates
waf_auto_update | Object | | Boolean to enable or disable the automatic updating of WAF rules
waf_auto_install | Int | 0 - 23 | Boolean to enable or disable the automatic installation of WAF rules
waf_install_time | Int | 0 - 23 | An integer value representing the hour of the day to install WAF rule updates
2.4 Ldap_list Variables
Refer to the table below for details on the LDAP variables.
Parameter | Type | Choices | Comment
---|---|---|---
server | String | None | The IP address of the LDAP server
ldaptype | Int | 0, 1, 2 | Represents the LDAP transport protocol: 0 - Unencrypted, 1 - LDAPS, 2 - StartTLS
name | String | | The nickname of the LDAP server
adminpass | String | | The admin password for the LDAP server
2.5 Sso_list Variables
Refer to the table below for details about SSO variables.
Parameter | Type | Choices | Comment
---|---|---|---
domain | String | | The nickname to give to your configuration
server_side | Int | 0, 1 | Specify server-side authentication: 0 - false, 1 - true
reset_fail_tout | Int | | The number of seconds that must elapse before the failed login attempt count is reset to 0
cert_check_asi | Int | | Only relevant when using certificates: check the validity of the certificate against the altSecurityIdentities attribute of the user
cert_check_on | Int | | Enabling this allows a fallback to check the Common Name when the Subject Alternative Name (SAN) is not available
auth_type | String | ldap_unencrypted, ldap_starttls, ldap_ldaps, radius, kcd, certificates, radius_and_ldap_unencrypted, radius_and_ldap_starttls, radius_and_ldap_ldaps | Specify the transport protocol to use with an authentication server (RSA is not supported)
logon_fmt | String | 'Not specified', Principalname, Username, 'Username only' | The string format for authenticating with LDAP/RADIUS
logon_fmt2 | String | 'not specified', Principalname, Username | The string format for authenticating to the server
logon_transcode | String | 0, 1 | Enable or disable the transcoding of login credentials: 0 - Disabled, 1 - Enabled
idp_entity_id | String | | Specify the Identity Provider (IdP) Entity ID. This is relevant when using SAML.
idp_sso_url | String | | Specify the IdP SSO URL
idp_cert | String | | Specify the IdP certificate to use for verification processing
idp_matchcert | Int | 0, 1 | If enabled, the assigned certificate must match in the SAML response: 0 - false, 1 - true
radius_shared_secret | String | | The shared secret to use between the RADIUS server and the LoadMaster
radius_send_nas_id | String | | If the radius_send_nas_id parameter is enabled, the radius_nas_id parameter is relevant. When specified, its value is used as the NAS identifier. Otherwise, the hostname is used as the NAS identifier.
max_failed_auths | Int | | The maximum number of failed login attempts before the user is locked out. 0 means the user is never locked out.
sp_entity_id | String | | The Service Provider (SP) entity ID. This is relevant when using SAML.
sp_cert | String | | Optional sign-in request
sess_tout_idle_pub | Int | | The session idle timeout in seconds in a public environment
sess_tout_idle_priv | Int | | The session idle timeout in seconds in a private environment
sess_tout_type | String | idle_time, max_duration | The type of session timeout
sess_tout_duration_pub | Int | | The maximum duration timeout in seconds used in a public environment
sess_tout_duration_priv | Int | | The maximum duration timeout in seconds used in a private environment
kerberos_domain | String | | The Kerberos realm
kerberos_kdc | String | | The Kerberos Key Distribution Center (KDC)
kerberos_username | String | | The Kerberos username
kerberos_password | String | | The Kerberos password
2.6 Vs_list Variables
Refer to the table below for details about the Virtual Service variables.
Parameter | Type | Choices | Comment
---|---|---|---
traffic_delivery_mode | String | server_pool, subvs | You can attach either a server pool or a SubVS to a Virtual Service
subvs_id | Int | | The ID of the SubVS. Set it to 0 if it is not a SubVS.
traffic_delivery | Object | | An object that makes up the default settings for a server pool
subvs_list | Object | | An object of nested SubVS objects
security | Object | | An object of all security settings for the Virtual Service
certificate_mode | String | 'cert_repo', 'cert_upload' | The source of the certificate. Specifying cert_upload requires a key with the certificate.
networking | Object | | An object that has all network-related features for a Virtual Service
properties | Object | | An object that holds standard properties of the LoadMaster
preprocess_rules | List | | A list of pre-process rules (Virtual Service only)
request_rules | List | | A list of request rules (Virtual Service only)
response_rules | List | | A list of response rules (Virtual Service only)
match_body_rules | List | | A list of match body rules (Virtual Service only)
content_rules | List | | A list of content rules
add_via | Int | 0 - Legacy Operation (X-Forwarded-For), 1 - X-Forwarded-For (+ Via), 2 - None, 3 - X-ClientSide (+ Via), 4 - X-ClientSide (No Via), 5 - X-Forwarded-For (No Via), 6 - Via Only | This corresponds to the Add HTTP Headers field in the LoadMaster UI. Select which headers to add to HTTP requests. X-ClientSide and X-Forwarded-For are only added to non-transparent connections.
2.7 Traffic_delivery Variables
Refer to the table below for details about the traffic delivery variables.
Parameter | Type | Choices | Comment
---|---|---|---
standby_addr | String | | IP address to use when the service is unavailable. This must be used with the standby_port variable.
standby_port | Int | | The port of the service to use when unavailable. This must be used with the standby_addr variable.
persist | String | ssl, cookie, active-cookie, cookie-src, cookie-hash, cookie-hash-src, url, query-hash, hash, host, header, super, super-src, src, rdp, rdp-src, rdp-sb, rdp-sb-src, udpsip, none | Specify the desired persistence mode.
persist_timeout | Int | | The timeout for the session.
persist_cookie | Int | | The cookie to set with persistence modes that support cookies
rs_pool_id | Int | | The ID of the server pool you want to add to the SubVS
redirect_error_url | String | | The URL of the redirect
redirect_error_code | Int | | The redirect code
check_type | String | icmp, https, http, tcp, smtp, nntp, ftp, telnet, pop3, imap, rdp, bdata, ldap, none | Specify which protocol to use to check the health of the Real Server. (The check type attached to the rs_pool_id overrides the standard check_type.)
Subvs_list Variables
Refer to the table below for details on the SubVS variables.
Parameter | Type | Choices | Comment
---|---|---|---
subvs_configured | Boolean | true, false | This Boolean specifies whether a SubVS is configured or not
temp_subvs_id | Int | | This is a temporary SubVS ID. Do not change this value.
advanced | Object | | The advanced properties of a SubVS
networking | Object | | The networking section of a SubVS
properties | Object | | An object that makes up the Real Server features of a SubVS
security | Object | | An object of all security settings for the SubVS
traffic_delivery | Object | | An object that makes up the default settings for a server pool
2.8 Networking Variables
Refer to the table below for details on networking variables.
Parameter | Type | Choices | Comment
---|---|---|---
use_for_snat | Int | 0, 1 | If enabled, replies from server pools use the same Virtual Service address as the source IP address. If disabled, the LoadMaster interface address is used. 0 - False, 1 - True
transparency | Int | 0, 1 | If enabled, traffic arriving at the server pool has the client IP address. If disabled, traffic has the IP address of the LoadMaster. 0 - False, 1 - True
subnet_originating | Object | 0, 1 | Set the request source IP address to the LoadMaster interface address. Note: You cannot enable this option if transparency is enabled. 0 - False, 1 - True
2.9 Properties Variables
Refer to the table below for details on the properties variables.
Parameter | Type | Choices | Comment
---|---|---|---
enable | Int | 0, 1 | Activate or deactivate the Virtual Service: 0 - Deactivated, 1 - Activated
intercept | Int | 0, 1 | 0 - disables WAF (any WAF configuration is ignored), 1 - enables WAF
intercept_opts | List | | The list of intercept options to enable
alert_threshold | Int | | The threshold number for alerts
intercept_post_other_content_types | List | | POST content types for WAF
waf_rules | List | | The list of rules you want to add to WAF, in the format ['<rule_type>/<rule_name>: <ids_to_disable>,<id_to_disable2>']
nickname | String | | The nickname to give to the service
port | Int | | The port of the service
protocol | String | tcp, udp | The type of protocol for the Virtual Service
ip | String | | The IP address of the Virtual Service
vs_type | String | http, gen, http2, tls | The service type of the Virtual Service
server_init | Int | 0 - Normal Protocols, 1 - SMTP, 2 - SSH, 3 - Other Server Initiating, 4 - IMAP4, 5 - MySQL, 6 - POP3 | By default, the LoadMaster will not initiate a connection with a Real Server until it has received some data from a client. This prevents certain protocols from working because they need to communicate with the Real Server before transmitting data. If the Virtual Service uses one of these protocols, specify the protocol using the server_init parameter to enable it to work correctly.
start_tls_mode | Int | 0 - HTTP/HTTPS, 1 - SMTP (STARTTLS if requested), 2 - SMTP (STARTTLS always), 3 - FTP, 4 - IMAP, 6 - POP3 | If you want to set start_tls_mode to 0 (HTTP/HTTPS), the Service Type (vs_type) needs to be set to HTTP/HTTPS (http) for this to work
critical | Int | 0, 1 | Mark the parent Virtual Service down if not available. 0 - False, 1 - True
status | Int | | Enable or disable the SubVS
limit | Int | | The number of connections that can connect to the SubVS
weight | Int | | The weight of the SubVS
2.10 Advanced Variables
Refer to the table below for details on the advanced variables.
Parameter | Type | Choices | Comment
---|---|---|---
allow_http_2 | Int | 0, 1 | 0 - HTTP2 disabled, 1 - HTTP2 enabled
qos | String | Normal Service, Minimize-Cost, Maximize-Reliability, Maximize-Throughput, Minimize-Delay | The quality of service for the Virtual Service
extra_ports | List | | A list of extra ports the Virtual Service will use. A maximum of 510 ports can be set.
idle_time | Int | | The number of seconds before an idle connection is closed. If this is set to 0, the default LoadMaster timeout applies.
alt_address | String | | An alternative address for the Virtual Service
verify | Object | | An object for handling malicious traffic using Snort rules. Matching traffic can be ignored, dropped, or rejected.
DefaultGW | String | | The IP address of the default gateway
2.11 Verify Variables
Refer to the table below for details on the verify variables.
Parameter | Type | Choices | Comment
---|---|---|---
handling | String | intrusion, drop | Intrusion sends a reject. Drop drops the connection.
warnings | Boolean | true, false | Turn warnings on or off. 0 - False (off), 1 - True (on)
verify | Object | | An object for handling malicious traffic using Snort rules. Matching traffic can be ignored, dropped, or rejected.
2.12 Security Variables
Refer to the table below for details on the security variables.
Parameter | Type | Choices | Comment
---|---|---|---
cipher_id | String | | The ID of the cipher set. Custom and predefined cipher sets use different IDs.
cipher_set | String | Default, Default_NoRc4, BestPractices, Intermediate_compatibility, Backward_compatibility, WUI, FIPS, Legacy, Null_Ciphers, <NameOfCustomCipherSet> | The name of the cipher set to use
cipher_source | List | Kemp, custom | The source of the cipher set: a Kemp predefined set or a custom set
need_host_name | Int | 0, 1 | Specify whether the SNI host name is required. 0 - False, 1 - True
ssl_acceleration | Int | 0, 1 | Enable or disable SSL acceleration. 0 - False, 1 - True
ssl_reencrypt | Int | | Re-encrypt the traffic to the Real Server after SSL offloading
ssl_reverse | Int | | Turn on ssl_reverse. This setting depends on the vs_type in use.
cert_name | String | | The name or ID of the certificate. Do not change this value.
cert_mode | String | 'cert_repo', 'cert_upload' | The source of the certificate. Using cert_upload requires a key with the certificate.
3 Deployment Script Example
Here is an example deployment script:
```json
{
  "targets": ["10.0.0.10:443"],
  "profile": {
    "name": "Profile 1",
    "description": "Basic Profile",
    "global_params": {
      "black_list_auto_update": 1,
      "black_list_auto_install": 1,
      "black_list_install_time": 12,
      "waf_auto_update": 1,
      "waf_auto_install": 1,
      "waf_install_time": 12,
      "non_local_rs": 1
    },
    "sso_list": {
      "1": {
        "sp_cert": "38FCF8174F0E9FCF1318FC5758E8F5BC5BD6EA6D",
        "ldap_password": "",
        "sp_entity_id": "sp_entity_id",
        "logon_domain": "lugabuba",
        "logon_fmt": "Principalname",
        "logon_transcode": "1",
        "sess_tout_idle_pub": "919",
        "server_side": "0",
        "testpass": "",
        "idp_logoff_url": "https://www.def.com/url/logoff",
        "idp_cert": "a",
        "idp_entity_id": "test_abc",
        "domain": "SAML",
        "auth_type": "SAML",
        "logon_fmt2": "Username",
        "sess_tout_duration_pub": "1801",
        "idp_sso_url": "https://www.def.com/url/abc",
        "idp_match_cert": "0",
        "sess_tout_type": "max duration",
        "radius_shared_secret": ""
      }
    },
    "ldap_list": {
      "1": {
        "server": "10.20.34.114",
        "ldaptype": "Unencrypted",
        "name": "LDAPTEST2",
        "adminuser": "dodanu"
      },
      "2": {
        "server": "10.20.34.114",
        "ldaptype": "Unencrypted",
        "name": "LDAPTEST3",
        "adminuser": "dodanu"
      }
    },
    "vs_list": {
      "1": {
        "advanced": {},
        "certificate_mode": "unset",
        "networking": { "subnet_originating": 1 },
        "properties": {
          "enable": "y",
          "nickname": "VS1",
          "port": "80",
          "protocol": "tcp",
          "vs_type": "http",
          "ip": "10.35.53.100"
        },
        "security": {},
        "subvs_id": 0,
        "subvs_list": {},
        "temp_subvs_id": 0,
        "traffic_delivery": { "rs_pool_id": 1 },
        "traffic_delivery_mode": "unset",
        "vs_configured": "configured"
      },
      "2": {
        "advanced": {},
        "certificate_mode": "cert_upload",
        "networking": {},
        "properties": {
          "enable": "y",
          "nickname": "VS2",
          "port": "443",
          "protocol": "tcp",
          "vs_type": "http",
          "ip": "10.35.53.101"
        },
        "security": {
          "cipher_id": 6,
          "cipher_set": "WUI",
          "cipher_source": "kemp",
          "ssl_acceleration": 1
        },
        "subvs_id": 22,
        "subvs_list": {
          "21": {
            "advanced": { "qos": "Normal-Service" },
            "networking": { "subnet_originating": 1 },
            "properties": {
              "content_rules": [ 1 ],
              "critical": 1,
              "limit": 0,
              "nickname": "SubVS1",
              "status": 1,
              "vs_type": "http",
              "weight": 1000
            },
            "subvs_configured": true,
            "traffic_delivery": {
              "persist": "src",
              "persist_timeout": 3600,
              "rs_pool_id": 1
            }
          },
          "1": {
            "advanced": {},
            "networking": {},
            "properties": {
              "critical": 1,
              "limit": "5",
              "nickname": "SubVS2",
              "vs_type": "http",
              "weight": 1000
            },
            "subvs_configured": true,
            "traffic_delivery": { "rs_pool_id": 1 }
          }
        },
        "temp_subvs_id": 2,
        "traffic_delivery": {},
        "traffic_delivery_mode": "subvs",
        "vs_configured": "configured"
      }
    }
  }
}
```
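Because a deployment script is hand-edited JSON that carries LDAP, RADIUS and Kerberos credentials as well as the cipher and WAF settings of every Virtual Service, it is worth linting before it is pushed to a LoadMaster. The Python script below is an added example, not Kemp's own tooling: it checks a script against constraints stated in the tables above (install-time hours 0 - 23, standby_addr and standby_port set together, subnet_originating not combined with transparency, at most 510 extra_ports, the waf_rules entry format) and flags settings that a defender would want to review (ldaptype 0 unencrypted LDAP, max_failed_auths 0, intercept 0, the Legacy and Null_Ciphers cipher sets). The finding texts, the helper names, the choice of which cipher sets to call weak and the sample script are all this example's own assumptions; it also accepts the string "Unencrypted" for ldaptype because the example script above uses that form.

```python
"""Lint a deployment script against the constraints documented in the tables above.

Added example, not Kemp's own tooling. The checks come from this note (value
ranges, options that must be set together or cannot be combined, the waf_rules
string format); the finding texts, helper names and the sample script below are
constructed for this example.
"""
import json
import re
from typing import Any

# Assumption of this example: treat these two documented cipher set names as weak.
WEAK_CIPHER_SETS = {"Legacy", "Null_Ciphers"}

# waf_rules entry format from the Properties table: '<rule_type>/<rule_name>: <id>,<id2>'
WAF_RULE_RE = re.compile(r"^(?P<rule_type>[^/]+)/(?P<rule_name>[^:]+):\s*(?P<ids>[\d,\s]*)$")


def parse_waf_rule(entry: str) -> tuple[str, str, list[int]]:
    """Split one waf_rules entry into (rule_type, rule_name, [ids_to_disable])."""
    m = WAF_RULE_RE.match(entry)
    if not m:
        raise ValueError(f"malformed waf_rules entry: {entry!r}")
    ids = [int(x) for x in m.group("ids").replace(" ", "").split(",") if x]
    return m.group("rule_type").strip(), m.group("rule_name").strip(), ids


def _hour_ok(value: Any) -> bool:
    """Install-time hours are documented as integers 0 - 23."""
    return isinstance(value, int) and 0 <= value <= 23


def lint_vs(path: str, vs: dict, findings: list[str]) -> None:
    """Checks that apply to a Virtual Service and, recursively, to its SubVSs."""
    net = vs.get("networking", {})
    # Networking table: subnet_originating cannot be enabled together with transparency
    if int(net.get("transparency", 0)) == 1 and int(net.get("subnet_originating", 0)) == 1:
        findings.append(f"ERROR {path}: subnet_originating and transparency are both enabled")
    props = vs.get("properties", {})
    if "intercept" in props and int(props["intercept"]) == 0:
        findings.append(f"WARN {path}: WAF intercept is disabled")
    for rule in props.get("waf_rules", []):
        try:
            parse_waf_rule(rule)
        except ValueError as exc:
            findings.append(f"ERROR {path}: {exc}")
    # Advanced table: at most 510 extra ports
    if len(vs.get("advanced", {}).get("extra_ports", [])) > 510:
        findings.append(f"ERROR {path}: more than 510 extra_ports")
    # Traffic_delivery table: standby_addr and standby_port must be used together
    td = vs.get("traffic_delivery", {})
    if ("standby_addr" in td) != ("standby_port" in td):
        findings.append(f"ERROR {path}: standby_addr and standby_port must be set together")
    sec = vs.get("security", {})
    if sec.get("cipher_set") in WEAK_CIPHER_SETS:
        findings.append(f"WARN {path}: weak cipher_set {sec['cipher_set']}")
    for sid, sub in vs.get("subvs_list", {}).items():
        lint_vs(f"{path}/subvs[{sid}]", sub, findings)


def lint_script(script: dict) -> list[str]:
    """Return a list of 'ERROR ...' / 'WARN ...' findings; an empty list means clean."""
    findings: list[str] = []
    if script.get("custom_script_deployment") is not True:
        findings.append("ERROR custom_script_deployment must be true")
    targets = script.get("targets", [])
    if (len(targets) != 1 or not isinstance(targets[0], str)
            or not re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}:\d{1,5}", targets[0])):
        findings.append("ERROR targets must be a single 'ip:port' string")
    profile = script.get("profile", {})
    gp = profile.get("global_params", {})
    for key in ("black_list_install_time", "waf_install_time"):
        if key in gp and not _hour_ok(gp[key]):
            findings.append(f"ERROR global_params.{key} must be an hour 0-23")
    for lid, ldap in profile.get("ldap_list", {}).items():
        # Ldap_list table: ldaptype 0 is unencrypted; the note's example spells it "Unencrypted"
        if ldap.get("ldaptype") in (0, "0", "Unencrypted"):
            findings.append(f"WARN ldap_list[{lid}]: unencrypted LDAP to {ldap.get('server')}")
    for sid, sso in profile.get("sso_list", {}).items():
        # Sso_list table: max_failed_auths 0 means the user is never locked out
        if int(sso.get("max_failed_auths", 1)) == 0:
            findings.append(f"WARN sso_list[{sid}]: max_failed_auths 0 never locks out users")
    for vid, vs in profile.get("vs_list", {}).items():
        lint_vs(f"vs_list[{vid}]", vs, findings)
    return findings


# Constructed sample with several deliberate problems (not the note's example script)
SAMPLE_SCRIPT = json.loads("""{
  "custom_script_deployment": true,
  "targets": ["10.0.0.10:443"],
  "profile": {
    "name": "Lint demo", "description": "constructed sample",
    "global_params": {"waf_install_time": 25},
    "ldap_list": {"1": {"server": "10.20.34.114", "ldaptype": 0, "name": "LDAPTEST2"}},
    "sso_list": {"1": {"domain": "SAML", "max_failed_auths": 0}},
    "vs_list": {"1": {
      "networking": {"transparency": 1, "subnet_originating": 1},
      "properties": {"nickname": "VS1", "intercept": 1,
                     "waf_rules": ["generic/sql_injection: 1001,1002", "broken-entry"]},
      "security": {"cipher_set": "Legacy", "ssl_acceleration": 1},
      "traffic_delivery": {"standby_addr": "10.0.0.99"},
      "subvs_list": {"21": {"properties": {"nickname": "SubVS1", "intercept": 0}}}
    }}
  }
}""")

if __name__ == "__main__":
    for line in lint_script(SAMPLE_SCRIPT):
        print(line)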
Last Updated Date
This document was last updated on 28 August 2020.