Kemp Support, how can we help?

The latest application delivery knowledge and expertise at your fingertips.

ECS Connection Manager 7.2.52.0 Release Notes

ECS Connection Manager 7.2.52 is a feature and bug-fix release made available in October 2020. Please read the sections below before installing or upgrading.

Contents

Before You Upgrade (READ ME FIRST)
Supported Models for Upgrade
Upgrade Patch XML File Verification Notes
Downgrading to Earlier Versions
New Features
Rate Limiting / Quality of Service (QoS) for Incoming Connections
SSL Information in Client Request Headers
DHCPv6 Support
Radius 2 Factor + LDAP Enhancement
Content Rule Page Updates
Ability to use SNI in SubVS, as well as SNI-Hostname Pass Through
Permitted Groups in Multi-Domain Environment
HTTP/HTTPS Health Check OPTIONS Method Support
Quality of Service DSCP Pass Through Support
GEO: TXT Record Support
Change Notices
Best Practices Cipher Set Updated
Adjustable Timeout for KCD Connections
Per-VS Health Check Settings
Disabling SSL Master Secret Extension Handling
Modified EC Curves in ECS Connection Manager Client Hello
Enhanced HA Sync Parameters
Security Updates
Best Practices Cipher Set Updated
GEO: Response Contains Internal IP Address
Enhanced Server-Side KCD Authentication Cipher Option
Certificate Signing Request (CSR) Generation
Syslog and LDAPS Server Certificate Validity Checking
Enhanced Random Number Generator Seeding
Enhanced NTP Key Exchange Algorithms
Issues Resolved
New Known Issues
Existing Known Issues
Appendix A: Verifying Upgrade Image Signatures

 

Before You Upgrade (READ ME FIRST)

This release updates the BestPractices cipher set as shown in the section below and this change is effective immediately after upgrade to this release from ECS Connection Manager 7.2.51 or a previous release. This change is being made to improve ECS Connection Manager security and conform to the latest industry best practices. For more information on the cipher suites being removed from the set, please see the section Best Practices Cipher Set Updated, below.

If you depend on any of the cipher sets being removed from the BestPractices set, then before you upgrade you must create a custom cipher set that contains these ciphers and assign this new custom cipher to the Virtual Services that are currently using the BestPractices cipher set. If you do not, any clients that depend on these ciphers being available will no longer be able to connect. After this is done, you can upgrade to ECS Connection Manager 7.2.52 and your services will continue to use the old ciphers.

It is recommended, however, that you migrate your services as soon as possible to use the new BestPractices cipher set provided with ECS Connection Manager 7.2.52.

Supported Models for Upgrade

This release of ECS Connection Manager is supported on the Hardware and Virtual models shown in the table below.

Supported Virtual Models Supported Hardware Models

ECS Connection Manager VM1

ECS Connection Manager VM1

ECS-H1

ECS-H2

ECS-H3

ECS-H3M

ECS-H3-25G

ECS-H3-40G

ECS-H3-100G

 

Upgrade Patch XML File Verification Notes

By default, verification of the digital signature on upgrade images is required in ECS Connection Manager 7.2.50 and above. See the Update Verification Options setting under System Administration > Miscellaneous Options > WUI Settings. If the unit you are upgrading is set to require validation, you'll need to supply one of the two XML Verification Files supplied with this release:

  • 7.2.52.0.19393.RELEASE.PATCH-64-MULTICORE-preV7.2.51.0.checksum.xml
    Use this file when upgrading an ECS Connection Manager running a release prior to 7.2.51.
  • 7.2.52.0.19393.RELEASE.PATCH-64-MULTICORE.checksum.xml
    Use this file when upgrading from 7.2.51 or repeating an upgrade to 7.2.52 (that is, ECS Connection Manager is already running 7.2.52.0 and you want to repeat the upgrade process).

See Appendix A for a table that shows you which XML file to use for signature verification based on your current release and the release to which you want to upgrade.

Downgrading to Earlier Versions

Downgrading a ECS Connection Manager running 7.2.52 to 7.2.51 can be performed using any desired Update Verification Options setting.

Downgrading to 7.2.50 or a previous release can only be done when the Update Verification Options setting is set to Optional or Legacy. When performing the downgrade, do not specify an XML file. If you want to verify the digital signature on the image before downgrading, you can do so using a manual process documented on the support website.

New Features

The following new features have been added to this release.

Rate Limiting / Quality of Service for Incoming Connections

The ability to limit the number and rate of client connections to the ECS Connection Manager is now supported via controls on a new System Configuration > QoS/Limiting UI page. The following methods of limiting incoming connections are provided.

Global limits on all incoming connections to the ECS Connection Manager:

  • Concurrent connection limit
  • Connection per second (CPS) limit
  • Request per second (RPS) HTTP request limit

Client limits specified by network addresses or ranges of addresses:

  • Concurrent connection limit
  • Connection per second (CPS) limit
  • Request per second (RPS) HTTP request limit

URL-Based (or VS-based) RPS limits, specified by string-matching on specific URL fields:

  • Request URL
  • Host
  • User Agent

Client limit statistics appear in the system logs and are visualized in the UI on the Statistics > Real Time Statistics > Client Limits page. Note that this page is available in the UI only if there is at least one client limit enabled in the Rate Limiting screen.

SSL Information in Client Request Headers

A new check box, Add Received Cipher Name, has been added to the SSL Properties section for HTTP/HTTPS Virtual Services. This option is disabled by default which means there is no change from the behavior in previous releases. When this option is enabled, the ECS Connection Manager adds the headers described in the tables below.

The information obtained from these headers can be used in content rules by including the associated variables in the table below in the rule, which can then be used to make load balancing decisions based on, for example, the cipher used.

This information can also be useful, for example, as you maintain cipher sets over time; it allows you to see which ciphers are being used and can help you plan what ciphers to change or delete in the cipher sets. The Add Received Cipher Name check box must be enabled for these variables to work.

Header Description Content Rule Variable
X-SSL-Cipher The cipher used. ssl-cipher
X-SSL-Protocol The SSL protocol version used. ssl-version
X-SSL-Serialid The Virtual Service certificate serial number. ssl-serialid
X-SSL-ClientSerialid The client certificate serial number. ssl-clientserialid
X-SSL-SNIHost The value of the received SNI name. ssl-sni

The table below shows examples of header values.

Header Example Value
X-SSL-Cipher ECDHE-RSA-AES256-GCM-SHA384
X-SSL-Protocol TLSv1.2
X-SSL-Serialid 4900000006A2ABDC165ACEAD55000000000006
X-SSL-ClientSerialid 490000005D6898F3C7E590536100010000005D
X-SSL-SNIHost sni.test.com

DHCPv6 Support

Support for DHCPv6 (Dynamic Host Configuration Protocol for IPv6) has been added for initial ECS Connection Manager deployment and can optionally be enabled afterwards, if required.

On initial deployment, both DHCPv4 and DHCPv6 are enabled and attempt to obtain an IP address. After an IP address is obtained (either via DHCP or by assigning the fallback IPv4 address of 192.168.1.101), DHCP is disabled and will remain disabled until manually reactivated via the API or using the Enable DHCPv6 Client check box on the System Configuration > Logging Options > System Log Files > Debug Options page of the UI.

When this option is enabled, the DHCPv6 client runs on the primary interface to obtain an IPv6 address and will remain running across subsequent reboots until this option is disabled. It is recommended that DHCPv6 be disabled after an IPv6 address is obtained, unless you are running the system within an IPv6 network where running DHCPv6 during normal system operation is required.

RADIUS 2-Factor Plus LDAP Authentication

ECS Connection Manager now supports RADIUS 2-factor plus LDAP authentication for Single Sign On (SSO). To configure this:

  • Select RADIUS and LDAP as the Authentication Protocol when adding or modifying a client-side Single Sign On (SSO) domain in Virtual Services > Manage SSO. If the RADIUS server is configured to use two-factor authentication, the ECS Connection Manager will detect this automatically and perform RADIUS two-factor authentication.
  • Set the LDAP Endpoint and RADIUS Server(s) for this SSO domain. Note that ECS Connection Manager will use the credentials specified for the LDAP Endpoint configuration to contact the RADIUS and LDAP servers and verify client SSO credentials. So, these administrative credentials must be configured on all the RADIUS and LDAP servers in the domain.
  • Select Exchange or Blank as the SSO Image Set in the ESP Options section of the Virtual Service Modify screen.
  • Set the other parameters as appropriate for your configuration.

Content Rule Page Updates

A number of usability improvements have been made to the content rule functionality based on customer feedback. These enhancements are summarized below:

  • It is now possible to duplicate a content rule.
  • There is now an In Use column on the Content Rules page that indicates rule usage:
    • The star icon means the content rule is not assigned to any Virtual Services
    • The tick icon means the content rule is assigned to at least one Virtual Service. The number of assigned Virtual Services is displayed next to the tick icon. Hover over the tick icon to display the list of Virtual Services to which this content rule is assigned. [Note that the hover text only displays the first 20 assigned Virtual Services.]
  • Error handling for content rule creation has been improved - more detail is now provided when a content rule fails to get created.
  • It is now easier to reorder the priority of rules within a Virtual Service, using a new move option that allows you to specify the position to which the rule should be moved. Numbers are displayed on the page showing the content rules assigned to a Virtual Service to indicate the priority.

Ability to use SNI in SubVS, as well as SNI-Hostname Pass Through

The Server Name Indication (SNI) feature has been enhanced to support the following:

  • The ability to pass through the original hostname as the SNI hostname to the Real Server.
  • The ability to specify a different (manual) SNI hostname per SubVS. This is the same as the previous functionality to specify this on the parent Virtual Service (Reencryption SNI Hostname) but on the SubVS level with content switching.

These new features help with scenarios where you may want to consolidate as many services as possible to the least amount of IP addresses.

The Pass through SNI hostname check box is available in the SSL Properties section of the Virtual Service modify screen. When this is enabled and when re-encrypting, the received SNI hostname is passed through as the SNI to be used to connect to the Real Server. If the Virtual Server has a Reencryption SNI Hostname set, this overrides the received SNI. It is also possible to set the Reencryption SNI Hostname in a SubVS (in the Basic Properties section). If it is set in a SubVS, this overrides the parent Virtual Service value and/or the received SNI value.

Permitted Groups in Multi-Domain Environment

In previous releases, values specified for the Permitted Groups parameter in the Virtual Service ESP Options must be groups defined within the same domain (or sub-domain) in which the user profile is defined, or the group check will fail. With this release, a new Multi-Domain Permitted Group Check option has been introduced within ESP Options. Once enabled, ECS Connection Manager will check for permitted group membership within all sub-domains under the top-level domain. This option is disabled by default.

HTTP/HTTPS Health Check OPTIONS Method Support

A new HTTP/HTTPS health check option has been added to the Real Servers tab for all Virtual Services. When the Real Server Health Check Method is set to either HTTP Protocol or HTTPS Protocol, a new OPTIONS setting is available for the HTTP Method parameter. This specifies that the server will be marked up when ECS Connection Manager receives a 200 OK in response to an HTTP (or HTTPS) OPTIONS request sent by ECS Connection Manager.

The OPTIONS HTTP method requests a description of the permitted communication options from the server. A 200 OK response from the server contains a response body which can be optionally searched for specific text in order to provide an additional check. To search the response body, specify the search text in the Reply 200 Pattern text box that appears when you select the OPTIONS HTTP method. The server will be marked up if the provided text is found in the response body; otherwise, the server is marked down.

Quality of Service DSCP Pass Through Support

Support for the Differentiated Services Code Point (DSCP) architecture in previous releases allowed the setting of a specific DSCP option via the Virtual Service Quality of Service option (under Standard Options). A new option, Pass Through, has been added to the Quality of Service drop-down to support DSCP settings passed to ECS Connection Manager in the client connection. When this option is enabled and there is a DSCP option received in a client request, ECS Connection Manager will pass that DSCP option on to the server.  

GEO: DNS TXT Record Support

GEO has been enhanced to support a single Domain Name Service (DNS) TXT record that will be returned whenever GEO answers a TXT record request for any domain defined within GEO. A TXT (text) record is essentially unformatted data that can be used for almost any purpose, but typically contain information to be consumed by clients to classify a domain in some way, provide details about a domain, or specify resources available within a domain.

A new TXT Record parameter has been added to the Global Balancing > Miscellaneous Params UI page. In this release, the field is limited to a single string of 127 ASCII characters (without quotes). Multiple quoted strings and non-ASCII characters are not allowed. Future releases will expand TXT record functionality.

Change Notices

Best Practices Cipher Set Updated

In ECS Connection Manager firmware version 7.2.52, the BestPractices cipher set was updated. The cipher set is now based on the recommendations provided in the Use Secure Cipher Suites section of the following SSL Labs article: SSL and TLS Deployment Best Practices. The following table shows the ciphers that remain in the BestPractices cipher in 7.2.52 in the left column, and the ciphers removed from the set in the right column:

Carried Forward

Removed

ECDHE-ECDSA-AES256-GCM-SHA384

ECDHE-RSA-AES256-GCM-SHA384

ECDHE-RSA-AES256-SHA384

ECDHE-ECDSA-AES256-SHA384

ECDHE-RSA-AES128-GCM-SHA256

ECDHE-ECDSA-AES128-GCM-SHA256

ECDHE-RSA-AES128-SHA256

ECDHE-ECDSA-AES128-SHA256

DHE-RSA-AES256-GCM-SHA384

DHE-DSS-AES256-GCM-SHA384

DHE-RSA-AES256-SHA256

DHE-DSS-AES256-SHA

DHE-RSA-AES256-SHA

DHE-RSA-AES128-GCM-SHA256

DHE-DSS-AES128-GCM-SHA256

DHE-RSA-AES128-SHA256

DHE-RSA-AES128-SHA

DHE-DSS-AES128-SHA256

ECDHE-RSA-AES256-SHA

ECDHE-ECDSA-AES256-SHA

ECDHE-RSA-AES128-SHA

ECDHE-ECDSA-AES128-SHA

In addition to the above, the following two ciphers were added to the BestPractices set:

ECDHE-ECDSA-CHACHA20-POLY1305

ECDHE-RSA-CHACHA20-POLY1305

Adjustable Timeout for KCD Connections

In previous releases, when Server Side Authentication is set to KCD (Kerberos Constrained Delegation) in a Virtual Service's ESP Options, ECS Connection Manager will always wait up to 2 seconds to determine whether or not the connection was rejected. Unfortunately, in configurations where large POSTs are common, this can lead to latency issues.

A new L7 Wait after POST parameter on the System Administration > Miscellaneous Options > L7 Configuration page of the UI allows you to set the time to wait for a server response, so that the timeout can be set appropriately for different configurations. The default value is 2000ms (or, 2 seconds). Valid values are 1 to 2000.

Per-VS Health Check Settings

In previous releases, health check settings were global-only, located on the Rule & Checking > Check Parameters UI page:

  • Check Interval
  • Connect Timeout
  • Retry Count

These settings now also appear within the Virtual Service Real Servers tab, so that you can tune health check behavior for specific VSs and SubVSs. By default, real server health checks use the global settings, and so the VS or SubVS settings change as the global settings change (as in previous releases). Once you change a check parameter on a VS or SubVS, however, the VS or SubVS setting will remain unchanged regardless of changes made to the global setting. The UI indicates whether the currently in-use value is the global value or is set to a custom value.

Disabling SSL Master Secret Extension Handling

ECS Connection Manager by default will process the SSL Master Secret Extension (as defined in RFC7627). This can cause problems for some legacy clients, so this behavior can be disabled by turning on the Disable Master Secret Handling option, found in the UI on the System Configuration > Miscellaneous Options > Network Options page.  Disable Master Secret Handling. By default, the ECS Connection Manager processes the Master Secret SSL Extension.

Modified EC Curves in ECS Connection Manager Client Hello

In previous releases, the ECS Connection Manager proposed the following EC curves for ECDHE ciphers in the client hello:

  • secp256r1
  • secp384r1
  • secp521r1
  • x25519
  • x448

The last two curves (x25519 and x448) are no longer supported to meet Common Criteria security requirements.

Enhanced HA Sync Parameters

When you select the Inter HA L4 TCP Connection Updates check box in the HA Parameters screen of the User Interface (UI), three new options appear: 

mceclip1.png

  • L4 Sync Threshold: The minimum number of incoming packets that a connection must receive before the connection is synchronized. The range of the threshold is from 0 to (the Sync Period -1). The default value is 3. 
  • L4 Sync Period: A connection is synchronized every time the number of its incoming packets modulus Sync Period equals the threshold. Valid values range from the Sync Threshold+1 to 255. The default value is 50. 
  • L4 Sync Refresh Period: The difference (in seconds) in the reported connection timer that triggers a new sync message. Valid values range from 0-10. The default value is 0. 

When the Sync Period and Sync Refresh Period are 0, syncs are only sent for state changes or only once when the packets match the Sync Threshold. 

These settings might be useful in a scenario where a load balanced application is using an SSH session that requires a secure token. Adjusting these settings appropriately could prevent the SSH session from failing when a HA failover occurs. 

There are some other settings that should also be configured to support SSH sessions: 

  • On ECS Connection Manager, the Switch to Preferred Server option should be set to No Preferred Server. 
  • An SSH keep-alive must be configured either on the client side (for example, ServerAliveInterval) or server-side (for example, ClientAliveInterval). 

Security Updates

The following changes to existing features and behavior have been made in this release to improve ECS Connection Manager's security profile.

Best Practices Cipher Set Updated

See the section above under Change Notices.

GEO: Response Contains Internal IP Address

In Version 7.2.50, a change was introduced that caused GEO responses to DNS requests for any FQDN defined within GEO to include an additional record that listed the internal IP address of a NATed ECS Connection Manager, rather than the public IP address. This issue has been addressed by instead returning "0.0.0.0" in the additional records sections unless a specific IP4 or IPv6 address is configured in the Global Balancing > Miscellaneous Params > Glue Record IP text box.

Enhanced Server-Side KCD Authentication Cipher Option

A new option for server-side Kerberos Constrained Delegation (KCD) authentication improves the security of ECS Connection Manager's server side KCD connections to meet evolving security policies.

In previous release, KCD was configured to use RC4, DES, and DES3 ciphers for server connections; these ciphers could not be modified. With this release, you can now enable the Use AES 256 SHA1 KCD Cipher option on the Virtual Services > Manage SSO UI page to specify that the RC4, DES, and DES3 ciphers be disabled for server-side KCD and that the aes256-cts-hmac-sha1-96 cipher be used instead. This option can be enabled/disabled as needed within different server-side Single Sign On (SSO) configurations.

Certificate Signing Request (CSR) Generation

In previous releases, both the unsigned Certificate Signing Request (CSR) generated by ECS Connection Manager and the associated private key were displayed in the UI (or returned via the API). A new option has been provided to allow the private key to be managed more securely, preventing unintentional disclosure or improper handling of the private key by the user.

This new option appears only when the Certificates & Security > Remote Access > Self-Signed Certificate Handling option is set to EC certs with an EC signature -- which means that an elliptical curve cipher will be used for both the certificate and the digital signature.

Once the above option is selected, a new Display Private Key check box appears on the  Certificates & Security > Generate CSR UI page.

  • When Display Private Key is disabled (the default), the private key is not displayed in the UI after the CSR is created. The unsigned CSR is downloaded by the user as in previous releases. Once it is signed by a Certificate Authority, the user uploads the signed certificate to the ECS Connection Manager -- the difference from previous releases being that the user does not have to also upload the private key, since ECS Connection Manager maintains it internally when Display Private Key is disabled. If the saved private key matches the new certificate, the certificate gets imported and the saved private key is deleted. The stored private key is not encrypted but there is no access to it from the outside and it cannot be seen or displayed.
  • When Display Private Key is enabled, ECS Connection Manager behaves as in previous releases: the private key is displayed to the user and must be uploaded to ECS Connection Manager along with the private key.

Syslog and LDAPS Server Certificate Validity Checkingsecp256r1

ECS Connection Manager has been modified to use OCSP to check the validity of the server certificates supplied by syslog and LDAPS servers configured into the configuration. If these checks fail, connections to the server are not permitted.

Enhanced Random Number Generator Seeding

In previous releases, seeding the system random number generator was performed on all platforms using entropy sources that were available directly to the kernel after boot, providing an acceptably high level of entropy. Best practices in the industry (e.g., Common Criteria) have evolved to generally recommend that, when available, systems running on Intel architectures take advantage of Intel's Digital Random Number Generator (DRNG) software to provide additional entropy sources from the processor at boot time.

ECS Connection Manager has been enhanced to attempt to use the Intel DRNG architecture's RDSEED and RDRAND processor instructions to provide additional entropy for seeding the random number generator. This behavior is disabled by default; to enable:

  1. In the UI, navigate to Certificates & Security > Remote Access.
  2. Set the Self-Signed Certificate Handling option to EC certs with an EC signature.
  3. Reboot ECS Connection Manager.

On the next boot, ECS Connection Manager will attempt to use RDSEED as an entropy source and, if that fails, RDRAND. If successful, the message sslproxy: Initial Random Vector appears in the system log.

All current ECS Connection Manager hardware supports either RDSEED or RDRAND, as do many legacy hardware platforms.

If the processor does not support RDSEED/RDRAND, then ECS Connection Manager becomes unavailable due to the lack of an "approved" entropy source. The following occurs:

  • The UI displays only this message (no functionality):
    Could not start CC mode - system disabled.
  • A CRITICAL log message is created in the messages file:
    Cannot initialize RNG, CC mode disabled.
  • An authlog messages is also created.
    Failed to start RNG, CC mode not started.

To get out of this mode, you have to log into the system console, navigate to the Local Administration > Web Address screen, and select Confirm switch out of CC mode. Once the system restarts, you will be able to access the system as usual, but it will not operating in Common Criteria mode -- the kernel will generate entropy after boot as in previous releases. This is evidenced by the following authlog message:

User disabled CC mode.

 

Enhanced NTP Key Exchange Algorithms

The SHA-1 hashing algorithm has been added to the key types supported for NTP on the System Configuration > System Administration > Date/Time UI page. Click Show NTP Authentication Parameters to display the NTP Key Type parameter. Note that, in previous releases, SHA-1 was presented as a choice, but this was actually implementing the legacy SHA (a.k.a. SHA-0) hashing algorithm. This has also been corrected in this release, so that the three key types supported are now: MD5, SHA-1, and legacy SHA.

 

Issues Resolved

The following issues from previous ECS Connection Manager releases have been addressed in this release.

PD-15788
PD-15337

Login Security: Fixed a bug that caused two issues: (1) the Failed Login Attempts parameter is ignored and users are not getting locked out; and, (2) it is possible under specific circumstances for a user to be logged into another user's current session.

PD-15648

Logging: Fixed an issue where the full path of an intermediate certificate is recorded in the log when the certificate is deleted.

PD-15618

Clustering: Fixed an issue that prevents adding a ECS Connection Manager to an existing cluster if packet filtering is enabled.

PD-15585

SSL: Fixed an issue that, starting with V7.2.49, caused TLS 1.3 to be offered to clients even though it was disabled on the VS.

PD-15578

NTLM: In previous releases, when NTLM is enabled on a VS, the ECS Connection Manager reads the request headers, determines that the Authorization header is not present, and sends a 401 reply without waiting for any in-transit client data (such as a POST) to complete. This has been fixed; ECS Connection Manager will now wait for all data before sending a response.

PD-15563

Base System: Fixed an issue that caused spurious “kernel: hpet1: lost x rtc interrupts” messages to be seen in the logs.

PD-15521

GEO: Fixed issues with DNS requests returning the eth0 IP address and nonexistent NS/SOA names. These issues were introduced in  V7.2.49.1. As part of this work, a new check box was added to Global Balancing > Miscellaneous Params called Apply to Zone Only. When disabled (the default), the SOA parameters are returned for all Fully Qualified Domain Names (FQDNs). If this option is enabled, the Source of Authority (SOA) parameters are returned only for queries on the Zone.

PD-15496

WAF API: Fixed an issue where the getwafsettings call returns a different date for the last WAF update than is seen in the UI.

PD-15495

VS Alternate Source Addresses: In previous releases starting with V7.2.50, if a VS had a very large number of connections, an internal error could cause the ECS Connection Manager to ignore the Alternate Source Address. This problem has been fixed.

PD-15493

WAF: Fixed an issue where WAF enabled in audit mode is breaking connections to virtual services when the received data is in chunked format.

PD-15473

API: Fixed an issue that caused API calls containing files to fail if the API port is changed to anything other than 443.

PD-15471

API: Modified the ping, ping6, and traceroute APIs to support an FQDN or hostname as input.

PD-15470

GEO / DNS: Fixed an issue where the name resolution cache was not being flushed when the configuration was reloaded.

PD-15466

API: Fixed an issue with the getraidinfo and getraiddisksinfo APIs, where the response contained HTML-encoded angle brackets, instead of ASCII-encoded brackets.

PD-15451

GEO API: Fixed an issue (in the API only) where deleting a search domain using searchlist  resulted in a configuration file with a blank search entry. 

PD-15413

SSO: Fixed an issue that caused spurious ssomgr log messages containing “transcode_credentials_for_basic” if the Logon Transcode option is enabled on an SSO domain and a related VS is set to use Basic Authentication in ESP Options.

PD-15315

Powershell API: Added MatchBodyPrecedence and MatchBodyPrecedencePos parameters to the modvs command, so that body response rules can be promoted through the PS API.

PD-15312

API: The ability to upload an Error File for Not Available Redirection Handling in a Virtual Service or SubVS has been added to the API. (This functionality was added to the UI in a previous release).

PD-15281

API: Added IP address validation for the localbindaddr parameter value used in addvs and modvs.

PD-15235

GEO: Fixed an issue that caused location co-ordinates on a Site to be changed after disabling and re-enabling the GSLB feature. Location co-ordinates now persist after disabling and re-enabling GSLB.

PD-15118

SSH Load Balancing & Failover: Load balanced SSH session fails when a failover occurs. The SSH connection was disconnecting after 3 to 4 attempts of fail-over. This issue has been fixed so that the SSH Connection is maintained across a failover caused by hardware failure.

PD-14951

ESP Single Sign On: Fixed an issue that could cause Virtual Services to become unresponsive, accompanied by this message in the logs: "ssomgr: ERROR: ssomgr too many threads:128".

PD-14339

WAF: Fixed logging issues when disabling WAF remote logging, as well as redundant enable/disable log messages.

 

New Known Issues

The following issues appear for the first time in this release of ECS Connection Manager.

PD-15872 LDAP/Syslog: StartTLS is not working when the Server Certificate Validation flag is enabled.
PD-15633 GEO: If you add a Zone Name to GEO after you have created working FQDNs, GEO may no longer respond to queries for one or more of the FQDN safter the Zone Name is added. The workaround is to remove and then re-add the FQDNs that are no longer working.
PD-15475 VS Redirects: If you attempt to upload a new redirect error HTML file to a Virtual Service with Not Available Redirection Handling enabled while traffic is currently being redirected, then traffic to the VS is dropped. Click the Error Message radio button in the UI and the VS begins accepting connections again.
PD-15396 GEO: LM sends a spurious "KEMP GEO" TXT record in DNS responses if the TXT record field is empty and the queried FQDN is not a sub-domain of the ZoneName.
PD-15367 TLS 1.3 Hardware Acceleration Performance: On the ECS-H1 and ECS-H3 hardware ECS Connection Manager's with a hardware SSL accelerator card installed, lower TLS 1.3 performance has been observed after upgrading to Versions 7.2.49.0 and above. The workaround is to disable the hardware acceleration card and use software SSL acceleration, which will provide improved performance. Please contact Kemp support for instructions.
PD-15354 SSO Timeout: In 7.2.51, a fix was introduced for issues that caused an SSO client to not be properly logged out when the configured session timeout expires. It has been observed that while sessions do timeout, they are not always closed immediately upon the expiry of the timer; it can take close to a minute longer for the session to actually be closed.

 

Existing Known Issues

The following issues appeared in the Release Notes for the previous release of ECS Connection Manager.

PD-15294 ESP Verify Bearer Header: ECS Connection Manager does not return an error when an encrypted token is received and there is no SSL certificate assigned to the VS to decrypt the token.
PD-15172 ESP Verify Bearer Header: Validation is not working when "Allowed Virtual Hosts" and "Allowed Virtual Directories" are blank on the Virtual Service.
PD-14943 Single Sign On: When Form Based Authentication is enabled on the server side, it is possible that after filling out correct credentials and submitting the login form, the form will be presented again; once the second login form is submitted with correct credentials, the login succeeds.
PD-14256 SNMP: The VS and RS IN/OUT OIDs are not displaying any data.
PD-12838 ESP / SSO: The ESP Permitted Group SID(s) setting is not working as expected when configured on a SubVS.
PD-12616 WAF / Compression: With Web Application Firewall (WAF) enabled, compressed files are incorrectly decompressed. As a workaround, ensure compression is enabled in VS Advanced Properties by selecting the Enable Compression option.
PD-12354
PD-10466
Hardware Support: All ECS Connection Manager models do not support the following SFP+ modules: LM-SFP-SX (SFP+ SX Transceiver 1000BASE-SX 850nm, 550m over MMF), LM-SFP-LX (SFP+ LX Transceiver 1000BASE-LX 1310nm, 10KM over SMF).
PD-12237 HA / NTP: Configuring NTP for the first time after the system is running in High Availability (HA) mode and when the current time on the machines is not correct, may cause the systems to both go into the Master state.
PD-12147 ESP / RADIUS: In a ECS Connection Manager configuration with ESP and Radius server-side authentication enabled, sessions may fail to be established.
PD-11861 RADIUS / IPv6: IPv6 is not supported by the current RADIUS implementation in the ECS Connection Manager for both UI Authorization and ESP Authentication.
PD-11044 SharePoint Virtual Services: A second authentication prompt is presented when a file is uploaded to SharePoint with the following configuration: WAF is configured with Process Responses enabled on the main Virtual Service and KCD is enabled on the SubVS level for server-side authentication.
PD-10586 GEO: If a GEO FQDN is configured with All Available as the Selection Criteria, IP addresses are returned even if the cluster is disabled.
PD-10490 Content Rules: The vsremovewafrule RESTful API command does not allow multiple rules to be removed.
PD-10474 Intrusion Detection: A SNORT rule is triggering a false positive in certain scenarios.
PD-10193 Exchange 2010 Virtual Services: A WAF, ESP, and KCD configuration with Microsoft Exchange 2010 is not supported.
PD-10188 Browser Support: (Safari) When adding a Real Server to a Virtual Service or SubVS using the Safari browser, the list of available Real Servers is not available.
PD-10136 Clustering: In a ECS Connection Manager cluster configuration, a new node can be added with the same IP address as an existing node.
PD-9816
PD-9476
WAF: There is an API command to list individual rules in a ruleset, but there is no command to list the available rulesets themselves.
PD-9765 GEO: DNS TCP requests from unknown sources are not supported.
PD-9507 Networking: Unable to add an SDN controller using the RESTful API/WUI in a specific scenario.
PD-9375 SharePoint Virtual Services: Microsoft Office files in SharePoint do not work in Firefox and Chrome when using SAML authentication.

 

Appendix A: Verifying Upgrade Image Signatures

This table shows you which XML file to use to verify the digital signature on an upgrade image, based on the currently running ECS Connection Manager version and the version to which you want to upgrade.

Current Release

Use this file to verify the digital signature on the 7.2.52 update image

7.2.52

7.2.52.0.19393.RELEASE.PATCH-64-MULTICORE.checksum.xml

7.2.51

7.2.52.0.19393.RELEASE.PATCH-64-MULTICORE.checksum.xml

7.2.50

7.2.52.0.19393.RELEASE.PATCH-64-MULTICORE-pre7.2.51.0.checksum.xml

7.2.49.1

7.2.52.0.19393.RELEASE.PATCH-64-MULTICORE-pre7.2.51.0.checksum.xml

7.2.49.0

7.2.52.0.19393.RELEASE.PATCH-64-MULTICORE-pre7.2.51.0.checksum.xml


Was this article helpful?
0 out of 0 found this helpful

Comments