ECS Connection Manager 7.2.53.0 Release Notes

ECS Connection Manager 7.2.53.0 is a feature and bug-fix release made available in March 2021. Please read the sections below before installing or upgrading.

Contents

Before You Upgrade (READ ME FIRST)
Supported Models for Upgrade
Upgrade Patch XML File Verification Notes
Downgrading to Earlier Versions
New Features
Network Telemetry
Let's Encrypt Support
Bandwidth Rate Limiting & QoS
StoreFront Pre-Authentication (ESP) for Citrix Workspace/Receiver
Kemp Ingress Controller for Kubernetes
OpenID Connect Support
DHE Key Size Support Extended to 4096
HA: Interface Reboot Feature
GEO: Additional Record Types Supported
GEO: Layer 7 HTTP/HTTPS Site Health Checks
Client Certificate Authentication with No Server Side Authentication
Change Notices
Enhanced ESP Client Session Logging
Changes Affecting Long-Lived UDP Connections
ECS Connection Manager Change of Ownership - Improve existing workflow
Content Rules and 512-byte Response Limit
Cavium III SSL Accelerator Performance Switch
Certificate Signing Request (CSR) Generation Permissions
ECS Connection Manager Licensing FQDN Change
GEO: Option to Prevent a Disabled GEO Cluster from Responding
Updated RSA Root Certificate for Self-Signed Certificates
Security Updates
NTLM Proxy Mode
Elliptical Curve CA Certificate Regenerated
OpenSSH Update
Updated Certificate PIV Support (Smartcard) for SSO & WUI
X.509 Certificate Format Updated
LDAPS and Syslog Server Certificate Validation
Issues Resolved
New Known Issues
Existing Known Issues

Before You Upgrade (READ ME FIRST)

Please pay special attention to the issues below before you begin an upgrade to this release.

Generation of 4096-bit DHE Key

As with any update, an upgrade to this release should be done during a maintenance interval. This is particularly true of 7.2.53.0 because of the change described in the section DHE Key Size Support Extended to 4096:

During upgrade from a version prior to 7.2.53.0, a new 4096-bit DHE key is generated. On smaller ECS Connection Managers, this can consume significant CPU and memory and impact regular Virtual Service traffic, so Kemp strongly recommends performing this update in a maintenance interval.

Best Practices Cipher Set

In 7.2.52.0, the BestPractices cipher set was updated. If you are upgrading from a version prior to 7.2.52.0, this change takes effect immediately after upgrade to this release. It was made to improve ECS Connection Manager's security and conform to the latest industry best practices.

If you depend on any of the ciphers removed from the BestPractices set, then before you upgrade you must create a custom cipher set that contains these ciphers and assign it to the Virtual Services that currently use the BestPractices cipher set. After this is done, you can upgrade to this release and your services will continue to use the old ciphers. If you do not, then after upgrade any clients that depend on these ciphers will no longer be able to connect.

It is recommended, however, that you migrate your services as soon as possible to use the new BestPractices cipher set. For more information on the cipher suites removed from the set, please see the ECS Connection Manager 7.2.52.0 Release Notes.

Supported Models for Upgrade

This release of ECS Connection Manager is supported on the Hardware and Virtual models shown in the table below.

Supported Virtual Models:

  • ECS Connection Manager VM1

Supported Hardware Models:

  • ECS-H1
  • ECS-H2
  • ECS-H3
  • ECS-H3M
  • ECS-H3-25G
  • ECS-H3-40G
  • ECS-H3-100G

Upgrade Patch XML File Verification Notes

By default, verification of the digital signature on upgrade images is required in 7.2.50 and above. See the Update Verification Options setting under System Administration > Miscellaneous Options > WUI Settings. If the unit you are upgrading is set to require validation, you'll need to supply the XML Verification File supplied with this release.

Note that:

  • In previous releases, two verification files were provided: one for pre-7.2.51 systems and one for later systems. This restriction has been removed with this release; use the same XML file regardless of the ECS Connection Manager version from which you are upgrading.

Downgrading to Earlier Versions

Downgrading ECS Connection Managers running 7.2.53.0 to 7.2.52.0 (or a later release) can be performed using any desired Update Verification Options setting.

Downgrading to 7.2.50 or a previous release can only be done when the Update Verification Options setting is set to Optional or Legacy. When performing the downgrade, do not specify an XML file. If you want to verify the digital signature on the image before downgrading, you can do so using a manual process documented on the support website.

New Features

Network Telemetry

ECS Connection Manager version 7.2.53.0 expands the value it provides to customers with native support for export of Network Telemetry data to external collection and analysis devices – such as Kemp Flowmon Collector.

It does this by combining the power of the data available to ECS Connection Manager (by virtue of being a key link in the application delivery chain) with the power of the Kemp Flowmon Probe’s ability to compile and export NetFlow/IPFIX telemetry data.

  • The Kemp Flowmon Probe aggregates network metadata natively on ECS Connection Manager, enabling lightweight, yet incredibly detailed, network and application monitoring when interpreted by a NetFlow/IPFIX collector, such as the Kemp Flowmon Collector.
  • The Collector then stores, processes, and analyzes the flow data and enables comprehensive network monitoring, diagnostics, and troubleshooting, as well as zero-day threat and anomaly detection. The Collector is fully customizable through its modular approach to analytic technology; you can choose the mix of Collector modules that suits your deployment and data analysis goals.

In addition, a Dashboard Installer Script is provided that uses the Flowmon Collector RESTful API to create ECS Connection Manager-specific dashboards that you can use as-is or modify to suit your needs.

Click Network Telemetry in the ECS Connection Manager UI's main menu to download a demo of the Flowmon Collector and to configure ECS Connection Manager to export IPFIX protocol data to the Collector.

Let's Encrypt Support

This release adds support for obtaining, managing, and automatically renewing certificates from the Let's Encrypt Certificate Authority (CA). In the UI, navigate to the Certificates & Security > Let's Encrypt Certs page. The main capabilities are:

  • A built-in ECS Connection Manager ACME protocol client.
  • Client supports obtaining a certificate from Let’s Encrypt (LE) servers, as well as user-driven certificate renewal.
  • Users can create a new LE account via ECS Connection Manager or use an already obtained account key. The key can have been previously obtained using another ACME client.
  • ECS Connection Manager automatically configures a SubVS (and content rules) to respond to the domain ownership challenge issued by the LE server. Note that only the HTTP-01 method of validating FQDN ownership is currently supported.
  • Certificates obtained using the LM ACME client are managed on a new UI page, and assigned to Virtual Services on the existing Manage Certificates page. They can be used for:
    • VS Decryption
    • VS Re-encryption
    • Administrative Login
  • Up to 10 SANs (Subject Alternative Names) can be specified per certificate request.
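What the HTTP-01 responder that the SubVS and content rules stand in for actually has to produce is small and worth seeing once. The following is an added example (not Kemp's ACME client) of computing the key authorization from RFC 8555 and RFC 7638: the LE server fetches http://<FQDN>/.well-known/acme-challenge/<token> and expects the body to be the token, a dot, and the SHA-256 thumbprint of the account's public JWK. The RSA modulus and the token below are constructed placeholders, not a real key or challenge.

```python
import base64
import hashlib
import json
import re

# RFC 8555 tokens are base64url characters only. Rejecting anything else before the token
# is used as a path segment keeps a malformed challenge from ever steering the responder
# outside /.well-known/acme-challenge/.
_TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME and JWS use throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def rsa_public_jwk(n: int, e: int) -> dict:
    """Public JWK for an RSA account key (RFC 7518 section 6.3.1): n and e as unsigned
    big-endian, minimal-length byte strings."""
    def enc(value: int) -> str:
        return b64url(value.to_bytes((value.bit_length() + 7) // 8, "big"))
    return {"kty": "RSA", "n": enc(n), "e": enc(e)}


def canonical_jwk_json(jwk: dict) -> str:
    """RFC 7638 canonical form: required public members only, member names in
    lexicographic order, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    return json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    """base64url(SHA-256(canonical JWK JSON))."""
    return b64url(hashlib.sha256(canonical_jwk_json(jwk).encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: token || '.' || thumbprint. This string is the entire proof
    that the party controlling the FQDN also controls the ACME account key."""
    if not _TOKEN_RE.match(token):
        raise ValueError("challenge token is not base64url")
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_response(token: str, jwk: dict):
    """(path, content-type, body) the responder must serve on port 80 of the FQDN
    (RFC 8555 section 8.3)."""
    body = key_authorization(token, jwk)
    return f"/.well-known/acme-challenge/{token}", "application/octet-stream", body


# Constructed sample values: not a real account key and not a real challenge token.
SAMPLE_N = (1 << 2047) | 0xC0FFEE | 1
SAMPLE_E = 65537
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


if __name__ == "__main__":
    path, ctype, body = http01_response(SAMPLE_TOKEN, rsa_public_jwk(SAMPLE_N, SAMPLE_E))
    print(path)
    print(ctype)
    print(body)
```

Because the body is bound to the account key's thumbprint, a responder that serves the right token with the wrong account key fails validation; conversely, anything that can answer on port 80 for the FQDN can complete the challenge, which is why the SubVS that answers it should match only the exact challenge path.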

Bandwidth Rate Limiting & QoS

ECS Connection Manager's Rate Limiting and QoS capabilities have been enhanced to support bandwidth limiting at three levels:

  • Global: across all clients accessing any VS
  • Client: for a single IP or a subnet accessing any VS
  • Virtual Service: for any client accessing a specific VS or SubVS

The global and client limits are available in the UI on the System Administration > QoS/Limiting page, at the bottom of the Global Limits accordion and at the bottom of the Client Limiting accordion (these accordions also contain the connection- and request-based limiting delivered in 7.2.52). A bandwidth limit set at the global level overrides one set at either the client or VS/SubVS levels.

Bandwidth limits can also be set on the Virtual Service (VS) and Sub-Virtual Service (SubVS) levels, using a new control at the bottom of the VS and SubVS Standard Options. A bandwidth limit set at the VS level overrides one set at the SubVS level. Similarly, a bandwidth limit set at the global level overrides one set at the Client, VS, or SubVS level.

In all cases, bandwidth limits are set in kilobits per second (Kbits/sec); the minimum setting is 16 and the maximum is 99999999. 

Bandwidth limiting statistics are available in the UI on the Statistics > Real Time Statistics > Client Limits > Bandwidth page. The top 10 clients that have been dropped due to bandwidth limiting are displayed for the last 30 seconds, the last 5 minutes, and the last 30 minutes.

StoreFront Pre-Authentication for Citrix Workspace and Receiver

In previous releases, clients using the Citrix Workspace App (or its predecessor, Receiver) to log in to an ECS Connection Manager Citrix StoreFront / Citrix Apps & Desktops configuration logged in directly to Citrix StoreFront without any pre-authentication by ECS Connection Manager via ESP. Pre-authentication was available only by logging in to the StoreFront infrastructure via the LM using a browser, but this workflow is HTML5-dependent and not always implemented in StoreFront deployments.

In this release, clients can take advantage of pre-authentication via ESP on the LM using their Workspace or Receiver App. This workflow is supported by:

  • a new Client Authentication Mode named Pass Post in the Virtual Service ESP Options section of the UI
  • an additional Virtual Service (VS) in the existing StoreFront template to support direct Workspace access

No other changes were made to the UI or API. With the above, a user can successfully log in using POST-based authentication on the client side and Forms-Based Authentication (FBA) on the server side.

This enhancement is accompanied by updated VS templates and an updated Deployment Guide.

Kemp Ingress Controller for Kubernetes

Installation of the Kemp Ingress Controller (KIC) has been integrated with ECS Connection Manager. Open the Virtual Services > Kubernetes Settings menu in the UI and click the Install button to begin installing KIC. This version of KIC supports the following capabilities:

  • Automated mapping of Kubernetes service object configuration to Kemp ECS Connection Manager Virtual Service and Sub-Virtual Services.
  • Support for reading Kubernetes annotations to ingest metadata information about objects.
  • Capabilities for communication with a Kubernetes API server.

KIC supports two modes of operation:

  • Service Mode: A unique and original operating mode developed by Kemp. It allows NetOps Teams and AppDev Teams to work together more seamlessly despite different toolchains and working practices.
  • Ingress Mode: this is the standard Kubernetes Ingress Controller operating mode designed for cross-functional Teams operating purely through the Kubernetes API.

OpenID Connect Support

OpenID Connect enables client identities presented during Single Sign On (SSO) to ECS Connection Manager Virtual Services to be verified through a third-party OAuth authorization server. This enables a wide variety of modern and legacy applications to be integrated into a single Identity and Access Management (IAM) framework. ECS Connection Manager applications can now be integrated with any of a large number of OAuth 2.0 providers.

The OAuth standard enables granular application access for an organization's users across multiple applications. Previously, ECS Connection Manager supported only SAML for identity claim management; with the addition of OpenID Connect, customers can now also use a more lightweight protocol that has wider support for APIs, is more mobile-centric, and is easier to set up.

To configure a Virtual Service to use OpenID Connect, create a Client-Side Single Sign On configuration under Virtual Services > Manage SSO. This SSO configuration can then be assigned to a Virtual Service under the service's ESP (Edge Security Pack) Options.
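The verification the text refers to comes down to the relying party checking the ID token the OpenID Provider returns before it trusts the identity inside it. The block below is an added example, not Kemp's implementation, of those checks as OpenID Connect Core 1.0 section 3.1.3.7 lists them: signature, issuer, audience (and azp when there are several audiences), expiry, and the nonce that ties the token to the login request. To stay self-contained it uses HS256 over a client secret, which OIDC allows for confidential clients; most providers sign with RS256 and publish keys via JWKS instead. The issuer URL, client ID, secret and claims are constructed.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, client_secret: bytes) -> str:
    """Constructed stand-in for the ID token an OpenID Provider returns (test fixture only)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(client_secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def verify_id_token(token: str, client_secret: bytes, issuer: str, client_id: str,
                    nonce: str, now=None, skew: int = 60) -> dict:
    """Relying-party ID token validation. Returns the claims or raises ValueError;
    on any error the login must be rejected."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm the RP expects rather than trusting the header; this is what
    # rejects alg=none and algorithm-substitution tokens.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(client_secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature check failed")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in audiences:
        raise ValueError("audience mismatch")
    if len(audiences) > 1 and claims.get("azp") != client_id:
        raise ValueError("azp mismatch")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + skew:
        raise ValueError("token expired")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")
    return claims


def id_token_is_valid(token: str, client_secret: bytes, issuer: str, client_id: str,
                      nonce: str, now=None) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        verify_id_token(token, client_secret, issuer, client_id, nonce, now=now)
        return True
    except ValueError:
        return False


# Constructed values for a stand-alone run: not a real provider, client or secret.
SAMPLE_ISSUER = "https://op.example.test"
SAMPLE_CLIENT_ID = "lm-sso-client"
SAMPLE_SECRET = b"constructed-client-secret"

if __name__ == "__main__":
    now = int(time.time())
    token = mint_id_token({"iss": SAMPLE_ISSUER, "sub": "alice", "aud": SAMPLE_CLIENT_ID,
                           "exp": now + 300, "iat": now, "nonce": "n-123"}, SAMPLE_SECRET)
    print(verify_id_token(token, SAMPLE_SECRET, SAMPLE_ISSUER, SAMPLE_CLIENT_ID, "n-123"))
```

The order matters: the signature is checked before any claim is read, so nothing from an unauthenticated payload influences a decision, and the nonce check is what prevents a captured token from being replayed into a different login.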

DHE Key Size Support Extended to 4096

By default, ECS Connection Manager uses a 2048-bit key size for DHE key exchanges. Some government agencies are now requiring 4096-bit keys and this capability has been added to ECS Connection Manager.

The key size is set on the System Configuration > Miscellaneous Options > Network Options page of the UI using the Size of SSL Diffie-Hellman Key Exchange drop-down list.

Please Note:

  • After upgrading from a version prior to 7.2.53.0, ECS Connection Manager can take up to 30 minutes (on smaller models) to generate a new 4096-bit key. During this time, there will be an impact to CPU and memory available for load balancing traffic. The new option in the UI will not appear until the key is generated. If you cannot see the 4096 option in the drop-down list 30 minutes after upgrading, try logging in to the ECS Connection Manager again.
  • Performance using the 4096-bit key will be at most 25% of the performance observed when using a 2048-bit key. This impact is not uncommon and is to be expected due to the increased overhead associated with doubling the size of the key.

HA: Interface Reboot Feature for L4 Connection Updates

A new High Availability (HA) option allows you to specify that an ECS Connection Manager configured in HA reboots if any configured interface loses connectivity with the network (that is, experiences a link failure). The reboot occurs regardless of the ECS Connection Manager's HA status (Primary or Standby).

This feature is primarily designed to be enabled only along with the Inter HA L4 TCP Connection Updates option, to facilitate L4 connection updates in HA. You should consult with Kemp Support before enabling the new interface reboot option.

When Hard Reboot on link Failure is enabled, the ECS Connection Manager is forced to reboot if there is a link failure (that is, if an interface becomes unavailable). The new check box is available in the System Configuration > HA Parameters screen when both of these are true:

  • High Availability (HA) is configured
  • The Switch to Preferred Server option is set to No Preferred Server. This is necessary to prevent possible circular swapping between the active and standby ECS Connection Manager units. 

GEO: Additional Record Types Supported

GEO Global Server Load Balancing (GSLB) has been enhanced to support additional record types for domains, as follows:

  • Multiple TXT and CNAME records per Fully Qualified Domain Name (FQDN).
  • One MX record per FQDN. 

These record types allow you to communicate domain resources to clients:

  • A TXT (text) record is essentially unformatted data that can be used for almost any purpose, but typically contains information to be consumed by clients to classify a domain in some way, provide details about a domain, or specify resources available within a domain. 
  • A CNAME (canonical name) record points a DNS name (such as www.example.com) to another DNS name (such as lb.example.com). This is typically used to define a website alias.
  • An MX (mail exchanger) record specifies the mail server responsible for accepting email messages on behalf of a domain. 

To configure records for a specific FQDN, a new Additional Records section has been added to the FQDN configuration page of the UI. Click Global Balancing > Manage FQDNs and then click Modify on the relevant FQDN.

GEO: Layer 7 HTTP/HTTPS Site Health Checks

Support was added to perform Layer 7 (L7) HTTP and HTTPS health checks on back-end servers within GEO "sites" that are not handled by the ECS Connection Manager for application delivery. In other words, site health determination can be enhanced directly from GEO by checking the health of back-end servers that are not being health-checked by ECS Connection Manager (or another Application Delivery Controller (ADC)).

Only HTTP/1.1 is supported for these health checks.

To configure Layer 7 Health Checks for GEO FQDNs, open Global Balancing > Manage FQDNs, click Modify on the relevant FQDN, select the relevant Cluster, click Add Address, select HTTP or HTTPS as the Checker, and then choose from among the available options.

The status of the health check displays in the Availability column.

Client Certificate Authentication with No Server Side Authentication

In previous releases, when client certificate authentication was enabled for Single Sign On, it was also required to enable KCD (Kerberos Constrained Delegation) on the server side. With this release, support has been added for certificate-based client authentication with no authentication on the server side, for use in cases where ESP is needed only for pre-authentication via client certificate. This is configured in the UI by setting the Client Authentication Mode in the Virtual Service's ESP Options to Client Certificate, and the Server Authentication Mode to None.

Change Notices

Enhanced ESP Client Session Logging

Client session logging for ESP-enabled Virtual Services has been enhanced to include additional session information: 

  • The initially created ESP session.
  • The time when the ECS Connection Manager cleared the session from the cache. Note that if the entire cache is cleared, a single log message is recorded at the time of clearing, noting that all sessions existing at that time were cleared from the cache.
  • Deletion of an ESP session (when the user logs out from the application, when the session expires, or when the user enters invalid credentials). The time at which the ECS Connection Manager cleared the session is also logged.

You can view these logs by going to System Configuration > Logging Options > Extended Log Files in the ECS Connection Manager User Interface (UI) and clicking View for ESP User Logs.

Changes Affecting Long-Lived UDP Connections

It is common for some applications (such as Citrix Virtual Desktop Infrastructure and Microsoft Always On VPN) to open UDP connections that last days or even weeks. To address persistence and port following issues seen for these long-lived UDP connections, the following two changes have been made to Layer 7 Virtual Services:

  • Increased Maximum Persistence Timeout: The maximum value of the persistence timeout setting has been increased from 7 days to 28 days. You can configure the persistence Timeout drop-down list after a persistence Mode is selected in the Standard Options section of the Virtual Service modify screen (Virtual Services > View/Modify Services > Modify). 
  • Persistence Refresh: If the persistence Timeout described above is set to 4 days or more, a Refresh Persist check box appears, which is disabled by default. When Refresh Persist is enabled, persistence table entries are auto-refreshed each day for long-lived connections. This is intended for use in long-lived UDP connection configurations where persistence is observed to not be maintained over periods longer than 4 days -- this could be caused by any number of issues that may or may not apply, such as very long idle times. Please consult with Kemp Support before enabling this option.

ECS Connection Manager Change of Ownership Updates

The System Configuration > System Administration > License Management page has been updated to provide easier methods for changing system ownership and provide additional licensing information:

  • The Update License button was renamed to Update License/Owner. In addition to updating your ECS Connection Manager license, this button can be used to change the ownership of the ECS Connection Manager license (update the Kemp ID and password associated with the license). This can be done either online or offline.
  • The Serial Number of the license has been added to the top of the License Management screen for convenience, as it is required in various circumstances (e.g., getting support, offline licensing). 

Content Rules and 512-byte Response Limit

In previous releases, content rules were only applied to responses if the response body was larger than 512 bytes. This behavior has been modified so that:

  • The 512-byte limit doesn't apply to response body modification rules.
  • The 512-byte limit is only observed when compression is enabled. If compression is not enabled, then all content rules are applied regardless of response size.

Cavium III SSL Accelerator Performance Switch

Customers with ECS Connection Manager hardware (ECS H1 Rev 01 & 02 and ECS H3 Rev 01) with a Cavium III hardware SSL accelerator installed have reported performance issues when using the Cavium III hardware with TLS 1.3. A new switch has been introduced on the Network Options page in the UI that allows you to switch from using the current 1.1.1 OpenSSL libraries to using the older 1.0.2 libraries, which do not exhibit the performance issues seen with the 1.1.1 libraries. Unfortunately, the older 1.0.2 libraries do not support TLS 1.3, so TLS 1.3 will not be available for incoming client connections after switching to the older libraries.

Please consult with Kemp Support before enabling this workaround. Also note:

  • Switching the OpenSSL version causes a total SSL outage during the switch. This operation should not be performed during working hours.
  • When using the older 1.0.2 libraries, the TLS1.3 check box is no longer available in the SSL Properties section of the Virtual Service modify screen.
  • If you switch from using the older 1.0.2 libraries to using the 1.1.1 libraries, TLS1.3 is automatically re-enabled on all Virtual Services. 
  • The library selection option is not available on ECS Connection Manager units that include the Cavium V accelerator hardware. Those cards do not support the older 1.0.2 libraries.

Please note that these issues DO NOT affect ECS Connection Manager units that have the newer Cavium V hardware acceleration cards (ECS-H2 Rev 01, ECS H3 Rev 02, ECS H3 25G Rev 01, ECS H3 40G Rev 01, ECS H3 100G Rev 01 & ECS H3 M Rev 01).

Certificate Signing Request (CSR) Generation Permissions

If Self-Signed Certificate Handling is set to EC certs with an EC signature (in Certificates & Security > Remote Access), CSR generation is restricted to the administrative (bal) user only. If Self-Signed Certificate Handling is set to a different value, all users can generate CSRs. 

ECS Connection Manager Licensing FQDN Change

As of ECS Connection Manager firmware version 7.2.53.0 the licensing Fully Qualified Domain Name (FQDN) has changed. Previously, the FQDN was alsi.kemptechnologies.com. Now, it is licensing.kemp.ax. In some scenarios, Kemp recommends adding the licensing FQDN as an allowed URL on your firewall to ensure all licensing features work, including the downloading and updating of Web Application Firewall (WAF) rules. The URLs to allow vary depending on your ECS Connection Manager firmware version: 

  • ECS Connection Manager firmware version 7.2.53.0 or above: licensing.kemp.ax 
  • ECS Connection Manager firmware versions below 7.2.53.0: alsi.kemptechnologies.com and alsi2.kemptechnologies.com 

GEO: Option to Prevent a Disabled GEO Cluster from Responding

In previous releases, a GEO cluster marked as disabled still responded to client queries by default. A new parameter named Disabled clusters are unavailable has been introduced. It is disabled by default; when enabled, requests to a disabled GEO cluster are dropped. The cluster name on the Global Balancing > Manage FQDNs page of the UI is also displayed in red text.

Updated RSA Root Certificate for Self-Signed Certificates

The expiration date of the RSA root certificate on the ECS Connection Manager used for self-signed certs was updated from 2023 to 2038. This should not cause any issue with existing self-signed certificates generated on previous releases.

Security Updates

NTLM Proxy Mode

A new NTLM Proxy Mode option has been added that changes the behavior of NTLM to utilize the Real Server as a proxy for NTLM authentication validation, improving the security of the overall deployment.

After upgrade to this release, turn on NTLM Proxy Mode by doing the following:

  1. In the main menu, go to System Configuration > Miscellaneous Options > L7 Configuration.
  2. Enable the NTLM Proxy Mode check box. This changes the NTLM selection for Client Authentication Mode in all Virtual Services to NTLM-Proxy.  

NTLM Proxy Mode is enabled by default for all new deployments of 7.2.53.0 and above.

Elliptical Curve CA Certificate Regenerated

ECS Connection Manager's Elliptical Curve (EC) Certificate Authority (CA) certificate was regenerated for this release to address these issues in previous releases:

  • EC certificates generated using the previous certificate did not work.
  • Third-party EC certificates did not work with ECS Connection Manager.

As a result, the following actions may be necessary if you are using EC certificates:

  • Any EC certificates generated from ECS Connection Manager in previous releases will no longer be valid and will need to be regenerated. Kemp believes the number of these in use in the field is small.
  • If you are using an EC certificate for the WUI, any ECS Connection Manager user who has previously downloaded and installed the ECS Connection Manager root certificate into their browser will need to download and install the new root certificate from ECS Connection Manager after upgrade.

OpenSSH Update

The version of OpenSSH used by ECS Connection Manager has been updated from OpenSSH_7.9p1 to OpenSSH_8.4p1, the latest version of OpenSSH available as of September 2020. Please see the OpenSSH release notes web page for more information.

Also note that with this release, ECS Connection Manager no longer supports RSA keys for SSH login.

Updated Certificate PIV Support (Smartcard) for SSO & WUI

In ECS Connection Manager firmware version 7.2.53.0, support was added in the Edge Security Pack (ESP) Single Sign On (SSO) functionality for Personal Identity Verification (PIV) smart cards. PIV guidance is to match certificate fields to "altsecurityidentities" in the Active Directory (AD). To support this, additional configuration options have been added to the modify SSO screen for SSO domains with the Authentication Protocol set to Certificates. Prior to ECS Connection Manager firmware version 7.2.53.0, there was a check box called Check Certificate to User Mapping. As of version 7.2.53.0, this check box has changed to a drop-down list with the following values: 

  • Not Specified 
  • Subject 
  • Issuer and Subject
  • Issuer and Serial Number 
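To show what each of the three mapping values above has to line up with on the directory side, here is an added example (not Kemp code) that builds the altSecurityIdentities string for a user from the certificate fields, following the convention Microsoft documents for that attribute (X509:<I>issuer<S>subject, X509:<S>subject, and X509:<I>issuer<SR>reversed-serial). The issuer, subject and serial number are constructed samples; the DN handling is simplified to unescaped-comma splitting.

```python
import re

# Mapping modes exactly as the SSO drop-down list names them.
SUBJECT = "Subject"
ISSUER_SUBJECT = "Issuer and Subject"
ISSUER_SERIAL = "Issuer and Serial Number"


def ad_dn(rfc4514_dn: str) -> str:
    """altSecurityIdentities holds DNs root-first (DC=com,DC=example,...), the reverse of
    the RFC 4514 order a certificate viewer prints. Simplification: RDNs are split on
    unescaped commas only, so escaped commas inside a value are not handled."""
    rdns = [r.strip() for r in re.split(r"(?<!\\),", rfc4514_dn)]
    return ",".join(reversed(rdns))


def reversed_serial(serial_hex: str) -> str:
    """The <SR> field is the serial number with its byte order reversed, upper-case hex,
    no separators: 2B00...12 becomes 12...002B."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", serial_hex).upper()
    if len(digits) % 2:
        digits = "0" + digits
    pairs = [digits[i:i + 2] for i in range(0, len(digits), 2)]
    return "".join(reversed(pairs))


def alt_security_identity(mode: str, issuer_dn: str, subject_dn: str, serial_hex: str) -> str:
    """The attribute value a PIV certificate with these fields matches under each mode."""
    if mode == SUBJECT:
        return f"X509:<S>{ad_dn(subject_dn)}"
    if mode == ISSUER_SUBJECT:
        return f"X509:<I>{ad_dn(issuer_dn)}<S>{ad_dn(subject_dn)}"
    if mode == ISSUER_SERIAL:
        return f"X509:<I>{ad_dn(issuer_dn)}<SR>{reversed_serial(serial_hex)}"
    raise ValueError(f"unsupported mapping mode: {mode!r}")


def is_strong_mapping(mode: str) -> bool:
    """Only issuer + serial number identifies one certificate. Name-based mappings are
    satisfied by any certificate carrying the same names, which is why Microsoft's
    KB5014754 classifies them as weak and prefers serial-number based mappings."""
    return mode == ISSUER_SERIAL


# Constructed sample certificate fields: not a real CA, user or serial number.
SAMPLE_ISSUER = "CN=EXAMPLE-CA,DC=example,DC=com"
SAMPLE_SUBJECT = "CN=Jane Doe,OU=Users,DC=example,DC=com"
SAMPLE_SERIAL = "2B:00:00:00:00:11:AC:00:00:00:00:12"

if __name__ == "__main__":
    for mode in (SUBJECT, ISSUER_SUBJECT, ISSUER_SERIAL):
        strength = "strong" if is_strong_mapping(mode) else "weak"
        print(f"{mode:26s} {strength:6s} {alt_security_identity(mode, SAMPLE_ISSUER, SAMPLE_SUBJECT, SAMPLE_SERIAL)}")
```

When populating the attribute from a certificate, the reversed serial is the part most often got wrong; comparing against the value certutil prints for the same certificate is the quickest check.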

X.509 Certificate Format Updated

ECS Connection Manager has been enhanced to use the X.509v3 certificate format, as defined in RFC 5280. [Previously, the X.509v1 format defined in RFC 1422 was used.]

LDAPS and Syslog Server Certificate Validation

ECS Connection Manager has been enhanced to validate the entire certificate chain sent by remote LDAPS and Syslog servers, when the system is configured to use ECDSA certificates with ECDSA signatures. This setting is located on the Certificates & Security > Remote Access page of the UI.

Issues Resolved

PD-17518 User Login Certificates: In previous releases, user certificates generated when adding a user with the "No Local Password" option enabled didn't contain any "Extended Key Usage" information. This issue has been fixed.
PD-17393 SPLA Licensing: Fixed an issue that caused a spurious deactivation message to be logged.
PD-17273 Content Switching: In previous releases, if a user adds a body response rule to a nested/cascaded Virtual Service, the ECS Connection Manager strips all "Set-Cookie" headers from client requests to the VS. This bug has been fixed.
PD-16960 Logging / Security: Fixed a bug where the ECS Connection Manager syslog server wasn't honoring the Outbound Connection Cipher Set setting when originating connections to a remote server.
PD-16937 Layer 7 (Chunked Content): When a Real Server returns chunked content, the ECS Connection Manager can hang when processing the response and also experience memory exhaustion when under very high load. In addition, responses to client may also be compressed even if compression is not configured. Content-length header can also be incorrect if server response is chunked, above 954 MB, and body rules are in use. This issue has ben addressed so that ECS Connection Manager no longer hangs and runs out of memory; doesn't compress content when not configured; and, the content-length header is correct for large responses.
PD-16812 Authentication (LDAPS): Fixed an issue that caused LDAPS debug information to be displayed when a client certificate without email information is presented for UI authentication.
PD-16664 Logging: Fixed an issue that caused call trace logs to be seen when using SSL Session ID persistence.
PD-16515 SSL Certificates: Fixed a bug (introduced in 7.2.51) that resulted in the Delete button for a certificate to be inactive even when the certificate was no longer used in any virtual services.
PD-16513 UI Authentication via LDAPS: Fixed a bug where LDAPS was not checking "Basic Constraints" as required for intermediate certs in a chain.
PD-16361 SSL Certificates: ECS Connection Manager has been modified to reject an otherwise valid server certificate that lacks the Server Authentication purpose in the extendedKeyUsage field; no connection is established in this case.
PD-16342 Layer 7 POST Handling: Addressed various issues related to POST handling capabilities and error detection within L7, in particular with large POSTs and 401 responses from ECS Connection Manager.
PD-16336 Single Sign On (SSO) API: Previously, it was not possible to kill an SSO session using the Username format via the API. This bug has been fixed.
PD-16335 Content Switching: Fixed issues seen when doing string replacement when the content is less than 512 bytes.
PD-16214 Single Sign On (SSO) with KCD: In previous releases, it was possible that under high loads, users may experience authentication issues when attempting to log into a virtual service with KCD configured. To mitigate against authentication issues, the KCD ticket creation mechanism has been enhanced to provide hourly detection and retry of service ticket expiry. In addition, doing an SSO flush will now result in the restarting of the SSO manager process (instead of only flushing SSO memory as in previous releases).
PD-16157 High Availability (HA) Status: On the Open Telecom platform only, ECS Connection Managers configured into HA show a status of Active/Active if multiple health checks are being executed and these connections remain open for long periods. This bug has been fixed and HA status is now displayed appropriately.
PD-16156

LDAP: Enhanced the UI and API to support the hyphen character (-) in LDAP endpoint names.

PD-16151 Statistics UI: Fixed display problems on the Statistics page when more than 102 Real Servers are configured.
PD-16139 SNMP MIBs: Fixed an issue where the time stamps in ECS Connection Manager SNMP output were 2 digits too long and did not comply with RFC 2578.
PD-16122 Compression, Reliability and Stability: Fixed an issue with processing large amounts of chunked data from servers with compression enabled that could cause the system to become temporarily unavailable (and a failover to occur in High Availability mode). Changes were made to prevent the system from becoming unavailable so that the problem can be diagnosed.
PD-16057 Logging: In previous releases, various log messages included the file system location of the syslog configuration file. All such messages have been modified to remove the configuration file location.

PD-16032 GEO: Fixed an issue in the HA Partner code that could cause Partners in a cloud deployment to not synchronize properly.
PD-16028 Virtual Service SSL Properties: The Add Received Cipher Name parameter was observed to not enable passing of the received cipher name if the client accesses a SubVS rather than the VS. The system has been modified to always propagate SSL headers to the SubVS level.
PD-15982 WAF Rule Download: Addressed issues that caused WAF rule download to fail under various circumstances.
PD-15888 API: When a PUT request with data in the request body was received, ECS Connection Manager would reset (RST) the connection. This has been fixed so that ECS Connection Manager instead responds with an appropriate response code without resetting the connection.
PD-15881 User Interface: Fixed the Manage Certificates page to display IPv6 addresses in the correct format.
PD-15869 Adaptive Health Check Agent: Updated the adaptive health check mechanism to use HTTP 1.1 (instead of HTTP 1.0) when making Real Server connections.
PD-15860 Real Server Configuration: Fixed an issue where the parameter values of a Real Server created with a DNS FQDN (instead of an IP address) could not be modified.
PD-15828 Single Sign On (SSO): In previous releases, access could be denied during SSO even when correct credentials had been supplied, along with log messages indicating "XSS attack dtcode 7". This occurred because in some cases ECS Connection Manager did not properly handle SameSite cookie options contained in the client request. This issue has been fixed.

PD-15709 GEO: When using IP Range Selection Criteria scheduling, the DNS response could be incorrect in previous releases when one IP range is a subset of another IP range. This bug was due to an internal issue and has been fixed.
PD-15646 API: Missing PowerShell API calls to allow the user to configure a custom cipher set have been added.
PD-15593 L7 Debugging: Added an option for L7 debug logs that adds the HTTP header information to the logs. When L7 Extended Debug is enabled, a new per-VS option called "Full Debug + HTTP Headers" is added to Virtual Services. This option is off by default, and should be enabled only on specific VSs being debugged.
New Known Issues

PD-17714 SSO (OpenID Connect): In Google Cloud, setting the Application Secret field in the OIDC SSO Configuration returns an error when a 24-character secret is entered: "Cannot set Application Secret: Invalid OIDC application secret". The workaround is to pad the secret with an additional 8 characters so that the string is a minimum of 32 characters long.
PD-17707 Kubernetes Ingress Controller: Currently, the targetPort (in the service.yaml file) must be the same port as the servicePort specified in the ingress.yaml file.
PD-17616 SSL Certificate Signing Request (CSR): A CSR generated on the ECS Connection Manager uses the T61String type for the Common Name. ECS Connection Manager will be modified in a future release to use UTF8String to conform with RFC 5280.

PD-17612 Licensing (Bandwidth): When calculating bandwidth for licensing limits, the limits are halved for Virtual Services with one or more SubVSs. This will be fixed in the next release.
PD-16707 SSO (Steering Groups): Currently, when ECS Connection Manager detects a user logging in via SSO without the ECS Connection Manager SSO cookie and matching an existing session, ECS Connection Manager reassigns the same SSO cookie to the request but does not reassign the Steering Group cookie (even when cookies have not been cleared). This issue will be addressed in a future release.
PD-16113 GEO: The DNS response for TXT Records inserts the global TTL when the local setting is enabled on the FQDN.
Existing Known Issues

The following issues appeared in the Release Notes for the previous release of ECS Connection Manager.

PD-15872 LDAP/Syslog: StartTLS is not working when the Server Certificate Validation flag is enabled.
PD-15633 GEO: If you add a Zone Name to GEO after you have created working FQDNs, GEO may no longer respond to queries for one or more of the FQDNs after the Zone Name is added. The workaround is to remove and then re-add the FQDNs that are no longer working.
PD-15475 VS Redirects: If you attempt to upload a new redirect error HTML file to a Virtual Service with Not Available Redirection Handling enabled while traffic is currently being redirected, then traffic to the VS is dropped. Click the Error Message radio button in the UI and the VS begins accepting connections again.
PD-15396 GEO: LM sends a spurious "KEMP GEO" TXT record in DNS responses if the TXT record field is empty and the queried FQDN is not a sub-domain of the ZoneName.
PD-15354 SSO Timeout: In 7.2.51, a fix was introduced for issues that caused an SSO client to not be properly logged out when the configured session timeout expires. It has been observed that while sessions do timeout, they are not always closed immediately upon the expiry of the timer; it can take close to a minute longer for the session to actually be closed.
PD-15294 ESP Verify Bearer Header: ECS Connection Manager does not return an error when an encrypted token is received and there is no SSL certificate assigned to the VS to decrypt the token.
PD-15172 ESP Verify Bearer Header: Validation is not working when "Allowed Virtual Hosts" and "Allowed Virtual Directories" are blank on the Virtual Service.
PD-14943 Single Sign On: When Form Based Authentication is enabled on the server side, it is possible that after filling out correct credentials and submitting the login form, the form will be presented again; once the second login form is submitted with correct credentials, the login succeeds.
PD-12838 ESP / SSO: The ESP Permitted Group SID(s) setting is not working as expected when configured on a SubVS.
PD-12616 WAF / Compression: With Web Application Firewall (WAF) enabled, compressed files are incorrectly decompressed. As a workaround, ensure compression is enabled in VS Advanced Properties by selecting the Enable Compression option.
PD-12354, PD-10466 Hardware Support: No ECS Connection Manager model supports the following SFP+ modules: LM-SFP-SX (SFP+ SX Transceiver 1000BASE-SX 850nm, 550m over MMF), LM-SFP-LX (SFP+ LX Transceiver 1000BASE-LX 1310nm, 10KM over SMF).
PD-12237 HA / NTP: Configuring NTP for the first time after the system is running in High Availability (HA) mode, when the current time on the machines is not correct, may cause both systems to go into the Master state.
PD-12147 ESP / RADIUS: In an ECS Connection Manager configuration with ESP and RADIUS server-side authentication enabled, sessions may fail to be established.
PD-11861 RADIUS / IPv6: IPv6 is not supported by the current RADIUS implementation in the ECS Connection Manager for both WUI Authorization and ESP Authentication.
PD-11044 SharePoint Virtual Services: A second authentication prompt is presented when a file is uploaded to SharePoint with the following configuration: WAF is configured with Process Responses enabled on the main Virtual Service and KCD is enabled on the SubVS level for server-side authentication.
PD-10586 GEO: If a GEO FQDN is configured with All Available as the Selection Criteria, IP addresses are returned even if the cluster is disabled.
PD-10490 Content Rules: The vsremovewafrule RESTful API command does not allow multiple rules to be removed.
PD-10474 Intrusion Detection: A SNORT rule is triggering a false positive in certain scenarios.
PD-10193 Exchange 2010 Virtual Services: A WAF, ESP, and KCD configuration with Microsoft Exchange 2010 is not supported.
PD-10188 Browser Support: (Safari) When adding a Real Server to a Virtual Service or SubVS using the Safari browser, the list of available Real Servers is not available.
PD-10136 Clustering: In an ECS Connection Manager cluster configuration, a new node can be added with the same IP address as an existing node.
PD-9816, PD-9476 WAF: There is an API command to list individual rules in a ruleset, but there is no command to list the available rulesets themselves.
PD-9765 GEO: DNS TCP requests from unknown sources are not supported.
PD-9507 Networking: Unable to add an SDN controller using the RESTful API/WUI in a specific scenario.
PD-9375 SharePoint Virtual Services: Microsoft Office files in SharePoint do not work in Firefox and Chrome when using SAML authentication.