ECS Connection Manager 7.2.51.0 Release Notes
ECS Connection Manager Version 7.2.51 is a feature and bug-fix release made available in July 2020. Please read the sections below before installing or upgrading.
Contents
Upgrade Patch XML File Verification Notes
Downgrading from Version 7.2.51
New Features
Citrix StoreFront Gateway for External Virtual Apps and Desktops
Rate Limiting of Real Servers
Redundant Key Distribution Center for KCD Authentication
UI Login Integration with Cisco ACS / ISE
Change Notices
Configurable KCD Authentication Request Wait Time
Specifying the Protocol for Remote Logging
Port Following on Generic Virtual Services in UI
Enhanced Single Sign On Log Messages
Security Updates
Updated NIST FIPS Cryptographic Module Certification
Assigning Intermediate Certificates to Virtual Services
Regeneration of SSH Host Key
Issues Resolved
New Known Issues
Existing Known Issues
Appendix A: Verifying Upgrade Image Signatures
Supported Models for Upgrade
This release of ECS Connection Manager is supported on the Hardware and Virtual models shown in the table below.
Supported Virtual Models | Supported Hardware Models
ECS Connection Manager VM1 | ECS-H1, ECS-H2, ECS-H3, ECS-H3M, ECS-H3-25G, ECS-H3-40G, ECS-H3-100G
Upgrade Patch XML File Verification Notes
By default, verification of the digital signature on upgrade images is required in ECS Connection Manager 7.2.50 and above. See the Update Verification Options setting under System Administration > Miscellaneous Options > WUI Settings. If the unit you are upgrading is set to require validation, you'll need to supply one of the two XML Verification Files supplied with this release.
See Appendix A for a table that shows you which XML file to use for signature verification based on your current release and the release to which you want to upgrade.
Downgrading from Version 7.2.51
Downgrading an ECS Connection Manager running Version 7.2.51 using an earlier release image can only be done when the Update Verification Options setting is set to Optional or Legacy. When performing the downgrade, do not specify an XML file. If you want to verify the digital signature on the image before downgrading, you can do so using a manual process documented on the support website.
New Features
The following new features have been added to this release of ECS Connection Manager.
Citrix StoreFront Gateway for External Virtual Apps and Desktops
A new Virtual Service (VS) template and deployment guide have been introduced with ECS Connection Manager 7.2.51 to deploy a Virtual Service as a Citrix StoreFront Gateway for external publishing of Citrix Virtual Apps and Desktops deployments, so that Internet clients can leverage Citrix's Virtual Desktop Infrastructure (VDI). In previous releases, ECS Connection Manager only supported publishing to internal networks.
The Kemp-approved and tested template supports authentication of clients to a Citrix Storefront endpoint that provides access to Citrix Virtual Apps and Desktops resources. Clients can log in using Citrix Workspace App, Citrix Receiver, or a browser such as Edge, Chrome, Firefox, or Safari.
For more information and usage instructions, please see the deployment guide and template available from Kemp's Citrix Page.
Rate Limiting of Real Servers
A new Real Server (RS) Connection Rate Limit parameter allows you to set a Connections Per Second (CPS) value between 0 and 100000, where 0 means “no limit” (the default) and any other integer is the RS open connection limit.
- If the number of open connections to the RS reaches the limit set, then the RS is taken out of service (i.e., removed from the load balancing scheduling process) and all new connections will be scheduled for other RSs in the Virtual Service (or SubVS).
- This includes new connections with persistence settings to the rate-limited RS; these will also be sent to another RS when the rate limit is exceeded.
- No new connections will be sent to the rate-limited RS until the current "rate limit period" expires and the RS is returned to the load balancing scheduling process. The "rate limit period" is 0.1 seconds.
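The three bullets above describe a scheduling rule; the following is an added simulation of that rule (constructed here, not Kemp's code) using a round-robin Virtual Service with per-client persistence. It assumes a simulated clock in seconds, never decrements the open-connection count (connection closes are not modelled), and applies the limit exactly as the bullets state: when the count reaches the limit the RS leaves scheduling for 0.1 s, persisted clients are sent elsewhere meanwhile, and the RS is eligible again once the period expires.

```go
package main

import "errors"

// Period is the fixed rate-limit period from the release notes (0.1 s).
const Period = 0.1

// RealServer tracks open connections and, when rate limited, when it returns to service.
type RealServer struct {
	Name         string
	Limit        int     // Connection Rate Limit; 0 means no limit (the default)
	Open         int     // open connections (constructed model: never decremented)
	limitedUntil float64 // simulated time (s) at which the RS re-enters scheduling
}

// InService reports whether the RS is currently part of the scheduling process.
func (rs *RealServer) InService(now float64) bool { return now >= rs.limitedUntil }

// Scheduler is a simplified round-robin Virtual Service with per-client persistence.
type Scheduler struct {
	Servers []*RealServer
	Persist map[string]*RealServer // client -> RS it is persisted to
	cursor  int
}

// Schedule assigns a new connection; a persisted RS is honoured only while it is in service.
func (s *Scheduler) Schedule(now float64, client string) (*RealServer, error) {
	rs := s.Persist[client]
	if rs == nil || !rs.InService(now) {
		rs = nil
		for i := range s.Servers {
			if cand := s.Servers[(s.cursor+i)%len(s.Servers)]; cand.InService(now) {
				rs, s.cursor = cand, (s.cursor+i+1)%len(s.Servers)
				break
			}
		}
		if rs == nil {
			return nil, errors.New("no real server in service")
		}
		s.Persist[client] = rs // persistence moves to the RS that actually took the connection
	}
	rs.Open++
	if rs.Limit > 0 && rs.Open >= rs.Limit {
		rs.limitedUntil = now + Period // limit reached: out of scheduling for one period
	}
	return rs, nil
}

// Demo: rs1 limited to 2, rs2 unlimited; three connections from persistent client A, then one
// from client B after the period has expired. Returns the RS chosen for each connection.
func Demo() []string {
	rs1, rs2 := &RealServer{Name: "rs1", Limit: 2}, &RealServer{Name: "rs2"}
	s := &Scheduler{Servers: []*RealServer{rs1, rs2}, Persist: map[string]*RealServer{}}
	times, clients := []float64{0, 0.01, 0.02, 0.15}, []string{"A", "A", "A", "B"}
	var out []string
	for i, t := range times {
		rs, err := s.Schedule(t, clients[i])
		if err != nil {
			panic(err)
		}
		out = append(out, rs.Name)
	}
	return out // [rs1 rs1 rs2 rs1]
}
```

The third connection shows persistence being overridden while rs1 is limited, and the fourth shows rs1 back in scheduling at 0.15 s, after its 0.11 s expiry.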
Redundant Key Distribution Center for KCD Authentication
When configuring an SSO Domain for Single Sign On with Kerberos Constrained Delegation (KCD) as the selected Authentication Protocol, you can now specify two servers in the Kerberos Key Distribution Center (KDC) text box, separated by a space. This provides a backup in case the current KDC becomes unavailable. The username and password used by both KDC servers must be the same.
UI Login Integration with Cisco ACS / ISE
When logging into the UI using RADIUS authentication via Cisco ACS or ISE, ECS Connection Manager will now send an Attribute-Value Pair (AVP) to the server as part of the login request, which contains Kemp's Vendor ID. This AVP can be used by the server upon receipt to identify the device making the request as an ECS Connection Manager.
Change Notices
Configurable KCD Authentication Request Wait Time
In previous releases, when KCD is enabled and ECS Connection Manager sends a request that requires authentication, the ECS Connection Manager waits up to 2 seconds to see if the request is rejected. This wait time is not configurable, giving the administrator no ability to control the amount of latency introduced.
Starting with this release, a new global L7 Wait After POST parameter has been added to the System Configuration > Miscellaneous Options > L7 Configuration page. The default value is 2000 milliseconds (ms), or 2 seconds. Permitted values range between 1 and 2000 ms.
Specifying the Protocol for Remote Logging
In previous releases, the remote logging functionality chose the protocol based on the port specified: UDP for port 514 and TCP for all other ports. A new Remote Syslog Protocol control has been added to the System Configuration > System Administration > Logging Options > Remote Syslog page of the UI to set the protocol to UDP, TCP, or TLS, independently of the port number.
Port Following on Generic Virtual Services in UI
In previous releases, it was only possible to configure port following on a Generic Virtual Service via the API. This capability has now been added to the UI.
Enhanced Single Sign On Log Messages
Improvements have been made to messages generated during normal operation to include additional events and information related to authentication and authorization that in previous releases were only exposed by enabling debug logging. Log messages generated in "ESP User Logs" under "Extended Log Files" now include success and failure messages that specify the username, domain, AAA server, AAA protocol, AAA result, error message, and other details.
Security Updates
The following changes to existing ECS Connection Manager features and behavior have been made in this release to improve ECS Connection Manager's security profile.
Updated NIST FIPS Cryptographic Module Certification
Kemp has updated its NIST FIPS Cryptographic Module Certification; the new certificate can be viewed on the NIST website.
Assigning Intermediate Certificates to Virtual Services
Starting with this release, specific intermediate certificates can be assigned to Virtual Services, using controls within the SSL Options accordion in the UI. The default behavior, and the behavior in previous releases, is that all installed intermediate certificates will apply to a VS; this means that any client certificate presented that uses an intermediate certificate found on ECS Connection Manager will be accepted and access to the VS will be granted. Once one or more intermediate certificates is selected in a VS configuration, only client certificates that have one of those specific intermediate certificates in their certificate chain will be granted access to the VS.
Regeneration of SSH Host Key
The ECS Connection Manager host key that is used for SSH login can now be regenerated using controls on the system console. Log into the console and choose Local Administration > Regenerate SSH Host Keys to regenerate the key. Please note the following:
- When you regenerate the ECS Connection Manager's host key, all current SSH clients will need to be updated with the new public key. Clients will receive connection errors and be unable to connect until the new public key is added to the client's known_hosts file.
- When ECS Connection Manager is configured in either the High Availability or Clustering modes, the host keys on the two ECS Connection Managers are automatically synchronized to maintain the SSH connection on which the configuration depends.
- Note that in GEO Partnering mode, SSH host keys are not automatically synchronized, because GEO does not use a shared IP address and the information exchange between partners doesn't depend on SSH access.
Issues Resolved
PD-15230 | Stability: Fixed an issue where assigning a cipher set that contains all available ciphers to a VS could cause unexpected behavior.
PD-15206 | ESP / SSO: When using ESP on a Virtual Service and Use for Session Timeout is enabled, a user is not completely logged out when an OWA session is terminated. This issue has been fixed.
PD-15202 | RESTful API: Changing the remote syslog port using the API doesn't result in the new port being enabled. This bug has been fixed.
PD-15191 | GEO: Addressed issues seen in the previous release that caused system slowness when making configuration changes, particularly on systems with a large number of FQDNs defined.
PD-15185 | Logging: Modified the logging of SSL messages so that handshake failures and other errors (e.g., Unsupported Protocol, No Shared Cipher, Wrong Version Number) currently seen at the Fatal errors only setting are only reported when All Errors is selected.
PD-15184 | RESTful API: Fixed an issue that intermittently caused the ssodomain/queryall API to return an error.
PD-15179 | IPv6: IPv6 routing changes for standards conformance in the previous release caused IPv6 static routes to no longer be honored. This issue has been addressed by introducing a new option on the Debug Options page, Enable Layer 4 IPv6 Forwarding. This option is enabled by default to support pre-7.2.50 ECS Connection Manager behavior and should be disabled if IPv6-standard-conformant behavior is required.
PD-15164 | ESP Client Authentication: In ECS Connection Manager version 7.2.50, if the Client Auth Mode on a VS is set to Delegate to Server and the Certify Bearer Header option is enabled, modifying the Client Auth Mode to any other value results in client request failures. This issue has been fixed.
PD-15133 | ESP SSO Logoff: In ECS Connection Manager version 7.2.50, an issue was introduced where Single Sign On sessions on ECS Connection Manager were not being properly removed upon logoff, causing subsequent login attempts to fail. This issue has been fixed.
PD-15121 | GEO Stability: Fixed an issue in ECS Connection Manager version 7.2.50 that caused GEO configurations of more than 165 FQDNs to become unresponsive.
PD-15097 | OCSP: Fixed an issue that caused Real Server certificates to not be validated when Stapling is enabled.
PD-15094 | GEO Stability: If the Use for GEO Responses and Requests option is enabled on multiple interfaces, then GEO may stop responding to DNS queries and log multiple spurious errors complaining about a bad IPv6 address. This bug has been fixed.
PD-15092 | GEO Cluster Notifications: Fixed an issue that caused emergency/critical alerts to be logged repeatedly for administratively disabled clusters.
PD-15090 | PowerShell API: Unable to set the Alternate Source Address advanced VS option via the PowerShell API Set-AdcVirtualService because the parameter name was incorrect. This has been fixed by modifying the API to use the LocalBindAddrs parameter.
PD-15054 | Manage Services UI: Fixed an issue where the indicator for the SubVS with the highest numerical weight (a green star) did not move to the appropriate SubVS if another SubVS's weight changed so that it was higher than the SubVS with the indicator.
PD-15042 | Licensing: Fixed an issue where trials couldn't be relicensed after expiry.
PD-15041 | ESP Verify Bearer Header: Fixed issues that caused some valid JSON Web Tokens to be rejected when validated by ECS Connection Manager.
PD-15040 | ESP Verify Bearer Header Certificates: Updated ECS Connection Manager to refuse to remove a certificate from the system if it is being used by a VS to verify bearer header tokens.
PD-15034 | Compression: In previous releases, if compression and content switching are enabled and a client makes several requests over one connection that were destined for different Real Servers, then only the first response was compressed. This issue has been addressed so that all responses are compressed.
PD-15021 | VMware Deployment: VMware images have been modified so that the CLI will no longer return the message "init ID S0 respawning too fast: disabled for 5 minutes".
PD-14985 | ESP Single Sign On: Fixed an issue that caused a refresh of a login page to display an access denied page, even if the allowed virtual host and virtual directories were set to wildcards.
PD-14973 | GEO Logging: Fixed an issue that caused these spurious log messages to appear repeatedly: "named: received control channel command 'stats'".
PD-14966 | ECS Connection Manager RESTful API: The modparams API, broken in the previous release, has been fixed.
PD-14963 | GEO RESTful API: The showfqdn API display was partially broken in the previous release, omitting the Site Status. This issue has been fixed.
PD-14951 | ESP Single Sign On: Fixed an issue that could cause Virtual Services to become unresponsive, accompanied by this message in the logs: "ssomgr: ERROR: ssomgr too many threads:128".
PD-14742 | Single Sign On: With Forms Based Authentication enabled and an idle or maximum session duration time set to 24 hours, logging out of an established session doesn't display the logout form as expected; instead the login form is displayed. The user then cannot log back into the system using that browser. This issue has been fixed.
New Known Issues
The following issues appear for the first time in this release of ECS Connection Manager.
PD-15337 | Single Sign On: Under certain conditions, login attempts are not being blocked after the failed login attempts threshold has been reached.
PD-15294 | ESP Verify Bearer Header: ECS Connection Manager does not return an error when an encrypted token is received and there is no SSL certificate assigned to the VS to decrypt the token.
PD-15172 | ESP Verify Bearer Header: Validation is not working when "Allowed Virtual Hosts" and "Allowed Virtual Directories" are blank on the Virtual Service.
Existing Known Issues
The following issues appeared in the Release Notes for the previous release of ECS Connection Manager.
PD-14943 | Single Sign On: When Form Based Authentication is enabled on the server side, it is possible that after filling out correct credentials and submitting the login form, the form will be presented again; once the second login form is submitted with correct credentials, the login succeeds.
PD-14256 | SNMP: The VS and RS IN/OUT OIDs are not displaying any data.
PD-12838 | ESP / SSO: The ESP Permitted Group SID(s) setting is not working as expected when configured on a SubVS.
PD-12616 | WAF / Compression: With Web Application Firewall (WAF) enabled, compressed files are incorrectly decompressed. As a workaround, ensure compression is enabled in VS Advanced Properties by selecting the Enable Compression option.
PD-12354, PD-10466 | Hardware Support: No ECS Connection Manager model supports the following SFP+ modules: LM-SFP-SX (SFP+ SX Transceiver 1000BASE-SX 850nm, 550m over MMF), LM-SFP-LX (SFP+ LX Transceiver 1000BASE-LX 1310nm, 10KM over SMF).
PD-12237 | HA / NTP: Configuring NTP for the first time after the system is running in High Availability (HA) mode, when the current time on the machines is not correct, may cause both systems to go into the Master state.
PD-12147 | ESP / RADIUS: In an ECS Connection Manager configuration with ESP and RADIUS server-side authentication enabled, sessions may fail to be established.
PD-11861 | RADIUS / IPv6: IPv6 is not supported by the current RADIUS implementation in ECS Connection Manager for both WUI Authorization and ESP Authentication.
PD-11044 | SharePoint Virtual Services: A second authentication prompt is presented when a file is uploaded to SharePoint with the following configuration: WAF is configured with Process Responses enabled on the main Virtual Service and KCD is enabled on the SubVS level for server-side authentication.
PD-10586 | GEO: If a GEO FQDN is configured with All Available as the Selection Criteria, IP addresses are returned even if the cluster is disabled.
PD-10490 | Content Rules: The vsremovewafrule RESTful API command does not allow multiple rules to be removed.
PD-10474 | Intrusion Detection: A SNORT rule is triggering a false positive in certain scenarios.
PD-10193 | Exchange 2010 Virtual Services: A WAF, ESP, and KCD configuration with Microsoft Exchange 2010 is not supported.
PD-10188 | Browser Support: (Safari) When adding a Real Server to a Virtual Service or SubVS using the Safari browser, the list of available Real Servers is not available.
PD-10159 | Statistics: When upgrading firmware from version 7.1.35.n, CPU and network usage graphs are not appearing. As a workaround, reset the statistics in the WUI.
PD-10136 | Clustering: In an ECS Connection Manager cluster configuration, a new node can be added with the same IP address as an existing node.
PD-9816, PD-9476 | WAF: There is an API command to list individual rules in a ruleset, but there is no command to list the available rulesets themselves.
PD-9765 | GEO: DNS TCP requests from unknown sources are not supported.
PD-9507 | Networking: Unable to add an SDN controller using the RESTful API/WUI in a specific scenario.
PD-9375 | SharePoint Virtual Services: Microsoft Office files in SharePoint do not work in Firefox and Chrome when using SAML authentication.
Appendix A: Verifying Upgrade Image Signatures
This table shows you which XML file to use to verify the digital signature on an upgrade image, based on the currently running ECS Connection Manager version and the version to which you want to upgrade.
Upgrading From | XML File for Upgrading To 7.2.51
7.2.51 | 7.2.51.0.18987.RELEASE.PATCH-64-MULTICORE.checksum.xml
7.2.50 | 7.2.51.0.18987.RELEASE.PATCH-64-MULTICORE-pre7.2.51.0.checksum.xml
7.2.49.1 | 7.2.51.0.18987.RELEASE.PATCH-64-MULTICORE-pre7.2.51.0.checksum.xml