LoadMaster 7.2.53.0 Release Notes

LMOS Version 7.2.53.0 is a feature and bug-fix release made available in March 2021. Please read the sections below before installing or upgrading to this GA release.

Contents

Before You Upgrade (READ ME FIRST)
Supported Models for Upgrade
Upgrade Path
Upgrade Patch XML File Verification Notes
Downgrading to Earlier Versions
New Features
Network Telemetry
Let's Encrypt Support
Bandwidth Rate Limiting & QoS
StoreFront Pre-Authentication (ESP) for Citrix Workspace/Receiver
Kemp Ingress Controller for Kubernetes
OpenID Connect Support
Increase strength of DHE key exchange keys for SSL/TLS to 4096
HA: Interface Reboot Feature
GEO: Additional Record Types Supported
GEO: Layer 7 HTTP/HTTPS Site Health Checks
Client Certificate Authentication with No Server Side Authentication
Change Notices
Enhanced ESP Client Session Logging
Changes Affecting Long-Lived UDP Connections
LoadMaster Change of Ownership - Improve existing workflow
Content Rules and 512-byte Response Limit
Cavium III SSL Accelerator Performance Switch
IRQ Pinning Default for LoadMaster MT VNFs
Certificate Signing Request (CSR) Generation Permissions
LoadMaster Licensing FQDN Change
GEO: Option to Prevent a Disabled GEO Cluster from Responding
Updated RSA Root Certificate for Self-Signed Certificates
Security Updates
NTLM Proxy Mode
Elliptical Curve CA Certificate Regenerated
OpenSSH Update
Updated Certificate PIV Support (Smartcard) for SSO & WUI
X.509 Certificate Format Updated
Outbound Connection Certificate Validation
Issues Resolved
New Known Issues
Existing Known Issues

Before You Upgrade (READ ME FIRST)

Please pay special attention to the issues below before you begin an upgrade to this LMOS release.

Generation of 4096-bit DHE Key

As with any update, an upgrade to this release should be done during a maintenance interval, and this is particularly true of LMOS 7.2.53.0 because of the update described in the section Increase strength of DHE key exchange keys for SSL/TLS to 4096:

During upgrade from a version prior to 7.2.53.0, a new 4096-bit DHE key is generated. On smaller LoadMasters, this can lead to significant CPU and memory consumption that could impact regular virtual service traffic. So, Kemp strongly recommends that this update be performed in a maintenance interval. 

Best Practices Cipher Set

In LMOS 7.2.52.0, the BestPractices cipher set was updated. If you are upgrading from a version prior to 7.2.52.0, this change is effective immediately after upgrade to this release. This change was made to improve LoadMaster security and conform to the latest industry best practices.

If you depend on any of the cipher sets being removed from the BestPractices set, then before you upgrade you must create a custom cipher set that contains these ciphers and assign this new custom cipher set to the Virtual Services that are currently using the BestPractices cipher set. After this is done, you can upgrade to this release and your services will continue to use the old ciphers. If you do not, then after upgrade any clients that depend on these ciphers being available will no longer be able to connect.

It is recommended, however, that you migrate your services as soon as possible to use the new BestPractices cipher set. For more information on the cipher suites removed from the set, please see the LMOS 7.2.52.0 Release Notes.

Supported Models for Upgrade

This release of LMOS is supported on the Hardware, Virtual, and Bare Metal models listed as Supported below. It is not supported and should not be installed on any model listed as UNSUPPORTED. This update patch can be applied to any supported model regardless of licensing (e.g., SPLA, MELA) or platform (e.g., hardware, local cloud, public cloud).

Supported Virtual Models: VLM-200, VLM-500, VLM-2000, VLM-3000, VLM-5000, VLM-10G, VLM-GEO, VLM-MAX

Supported Hardware Models: LM-X1, LM-X3, LM-X15, LM-X25, LM-X40, LM-2400, LM-3000, LM-3400, LM-4000, LM-5000, LM-5400, LM-5600, LM-8000, LM-8020, LM-8020M, LM-R320

Supported Bare Metal Models: LMB-1G, LMB-2G, LMB-5G, LMB-10G, LMB-MAX

UNSUPPORTED Hardware Models: LM-2000, LM-2200, LM-2500, LM-2600, LM-3500, LM-3600, LM-5300, LM-5500, LM-Exchange, LM-GEO

UNSUPPORTED Virtual Models: VLM-100, VLM-1000

If your model number is not listed above, please see the list of End of Life models.

Upgrade Path

You can upgrade to this release of LMOS from any previous 7.2.x release. For full upgrade path information, please see the article Kemp LoadMaster Firmware Upgrade Path.

Upgrade Patch XML File Verification Notes

By default, verification of the digital signature on upgrade images is required in LMOS 7.2.50.0 and above. See the Update Verification Options setting under System Administration > Miscellaneous Options > WUI Settings. If the unit you are upgrading is set to require validation, you'll need to supply the XML Verification File supplied with this release.

Note that:

  • In previous releases, two verification files were provided: one for pre-7.2.51 systems and one for later systems. This restriction has been removed with this release; if upgrading from firmware 7.2.51.0 / 7.2.48.3 and above you can use the XML file provided with this release. If upgrading from any other firmware version you must follow the upgrade path detailed in the Kemp LoadMaster Firmware Upgrade Path article.
  • LoadMasters running an LMOS version prior to 7.2.49 do not provide the option of XML file verification in the UI or API. If you are upgrading from one of these releases to this release, you can verify the digital signatures offline using a manual process documented on the support website.

Downgrading to Earlier Versions

Downgrading a LoadMaster running LMOS 7.2.53.0 to LMOS 7.2.51.0 (or a later release) can be performed using any desired Update Verification Options setting.

Downgrading to LMOS 7.2.50.0 or a previous release can only be done when the Update Verification Options setting is set to Optional or Legacy. When performing the downgrade, do not specify an XML file. If you want to verify the digital signature on the image before downgrading, you can do so using a manual process documented on the support website.

New Features

Network Telemetry

LMOS version 7.2.53.0 expands the value it provides to customers with native support for export of Network Telemetry data to external collection and analysis devices – such as Kemp Flowmon Collector.

It does this by combining the power of the data available to LoadMaster (by virtue of being a key link in the application delivery chain) with the power of the Kemp Flowmon Probe’s ability to compile and export NetFlow/IPFIX telemetry data.

  • The Kemp Flowmon Probe aggregates network metadata natively on LoadMaster, enabling lightweight, yet incredibly detailed, network and application monitoring when interpreted by a NetFlow/IPFIX collector, such as the Kemp Flowmon Collector.
  • The Collector then stores, processes, and analyzes the flow data and enables comprehensive network monitoring, diagnostics, and troubleshooting, as well as zero-day threat and anomaly detection. The Collector is completely customizable through its modular approach to analytic technology; you can choose the mix of Collector modules that suits your deployment and data analysis goals.

In addition, a Dashboard Installer Script is provided that uses the Flowmon Collector RESTful API to create LoadMaster-specific dashboards that you can use as-is or modify to suit your needs.

Click Network Telemetry in the LoadMaster UI's main menu to download a demo of the Flowmon Collector and configure LoadMaster to export IPFIX protocol data to the Collector.

Let's Encrypt Support

Support for obtaining, managing, and automatically renewing certificates from the Let's Encrypt Certificate Authority (CA). In the UI, navigate to the Certificates & Security > Let's Encrypt Certs page. The main capabilities are:

  • A built-in LoadMaster ACME protocol client.
  • Client supports obtaining a certificate from Let’s Encrypt (LE) servers, as well as user-driven certificate renewal.
  • Users can create a new LE account via LoadMaster or use an already obtained account key. The key can have been previously obtained using another ACME client.
  • LoadMaster automatically configures a SubVS (and content rules) to respond to the required domain ownership challenge from the LE server. Note that only the HTTP-01 method of validating FQDN ownership is currently supported.
  • Certificates obtained using the LM ACME client are managed on a new UI page, and assigned to Virtual Services on the existing Manage Certificates page. They can be used for:
    • VS Decryption
    • VS Re-encryption
    • Administrative Login
  • Up to 10 SANs (Subject Alternative Names) can be specified per certificate request.
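As an added illustration, not LoadMaster's built-in ACME client code, the following Python computes the HTTP-01 key authorization that the Let's Encrypt server expects to fetch from http://<fqdn>/.well-known/acme-challenge/<token> (RFC 8555, using the RFC 7638 JWK thumbprint of the account key) and checks a candidate challenge response the way the server does; the account key and token are constructed sample values.

```python
"""HTTP-01 key authorization as the ACME (Let's Encrypt) server verifies it.

Added example: it shows what the auto-configured SubVS must serve for the
HTTP-01 challenge.  The account JWK and token are constructed samples.
"""
import base64
import hashlib
import json

# Constructed sample account key; the thumbprint only covers the listed
# members, so the modulus value here does not need to be a real key.
SAMPLE_ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "c2FtcGxlLW1vZHVsdXMtbm90LWEtcmVhbC1rZXk",
    "kid": "https://acme.example/acct/1",  # extra member, ignored by thumbprint
}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # constructed


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members only, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = required[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members}, sort_keys=True,
                           separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """Body the challenge URL must return: '<token>.<thumbprint>'."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def challenge_path(token: str) -> str:
    """Path the ACME server requests on port 80 of the FQDN."""
    return f"/.well-known/acme-challenge/{token}"


def verify_challenge_response(path: str, body: str, token: str,
                              account_jwk: dict) -> bool:
    """What the server checks: the right path and exactly the key authorization.

    RFC 8555 section 8.3 lets the server ignore trailing whitespace in the body.
    """
    if path != challenge_path(token):
        return False
    return body.rstrip() == key_authorization(token, account_jwk)


if __name__ == "__main__":
    print("GET", challenge_path(SAMPLE_TOKEN))
    print("expected body:", key_authorization(SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK))
```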

Bandwidth Rate Limiting & QoS

LoadMaster's Rate Limiting and QoS capabilities have been enhanced to support bandwidth limiting at three levels:

  • Global: across all clients accessing any VS
  • Client: for a single IP or a subnet accessing any VS
  • Virtual Service: for any client accessing a specific VS or SubVS

The global and client limits are available in the UI on the System Administration > QoS/Limiting page, at the bottom of the Global Limits and at the bottom of the Client Limiting accordion (which also contain the connection and request based limiting delivered in LMOS 7.2.52.0). A bandwidth limit set at the global level overrides one set at either the client or VS/SubVS levels.

Bandwidth limits can also be set on the Virtual Service (VS) and Sub-Virtual Service (SubVS) levels, using a new control at the bottom of the VS and SubVS Standard Options. A bandwidth limit set at the VS level overrides one set at the SubVS level. Similarly, a bandwidth limit set at the global level overrides one set at the Client, VS, or SubVS level.

In all cases, bandwidth limits are set in kilobits per second (Kbits/sec); the minimum setting is 16 and the maximum is 99999999. 

Bandwidth limiting statistics are available in the UI on the Statistics > Real Time Statistics > Client Limits > Bandwidth page. The top 10 clients that have been dropped due to bandwidth limiting are displayed for the last 30 seconds, the last 5 minutes, and the last 30 minutes.

StoreFront Pre-Authentication for Citrix Workspace and Receiver

In previous releases, clients using Citrix Workspace App (or its predecessor, Receiver) to log in to a LoadMaster Citrix StoreFront / Citrix Apps & Desktops configuration log in directly to Citrix StoreFront without any pre-authentication by the LoadMaster via ESP. Pre-authentication was available only by logging into the StoreFront infrastructure via LM using a browser, but this workflow is HTML5-dependent and not always implemented in StoreFront deployments.

In this release, clients can now take advantage of pre-authentication via ESP on LM using their Workspace or Receiver App. This workflow is supported by:

  • a new Client Authentication Mode named Pass Post has been added to the Virtual Service ESP Options section of the UI
  • an additional Virtual Service (VS) has been added to the existing StoreFront template to support direct Workspace access

No other changes were made to the UI or API. With the above, a user can successfully log in using POST-based authentication on the client side and Forms-Based Authentication (FBA) on the server side.

This enhancement is accompanied by updated VS templates and an updated Deployment Guide.

Kemp Ingress Controller for Kubernetes

Installation of the Kemp Ingress Controller (KIC) has been integrated with LoadMaster. Open the Virtual Services > Kubernetes Settings menu in the UI and click the Install button to begin installing KIC. This version of KIC supports the following capabilities:

  • Automated mapping of Kubernetes service object configuration to Kemp LoadMaster Virtual Service and Sub-Virtual Services.
  • Support for reading Kubernetes annotations to ingest metadata information about objects.
  • Capabilities for communication with a Kubernetes API server.

KIC supports two modes of operation:

  • Service Mode: A unique and original operating mode developed by Kemp. It allows NetOps Teams and AppDev Teams to work together more seamlessly despite different toolchains and working practices.
  • Ingress Mode: this is the standard Kubernetes Ingress Controller operating mode designed for cross-functional Teams operating purely through the Kubernetes API.

OpenID Connect Support

OpenID Connect enables client identities presented during Single Sign On (SSO) to LoadMaster Virtual Services to be verified through a third-party OAuth authorization server. This enables a wide variety of modern and legacy applications to be integrated into a single Identity and Access Management (IAM) framework. LoadMaster applications can now be integrated with any of a large number of OAuth 2.0 providers.

The OAuth standard enables granular application access for an organization's users across multiple applications. Previously, LoadMaster only supported SAML for identity claim management, but with the addition of OpenID Connect customers can now also leverage a more lightweight protocol that has wider support for APIs, is more mobile-centric, and is easier to set up.

To configure a Virtual Service to use OpenID Connect, create a Client-Side Single Sign On configuration under Virtual Services > Manage SSO. This SSO configuration can then be assigned to a Virtual Service under the service's ESP (Edge Security Pack) Options.

DHE Key Size Support Extended to 4096

By default, LoadMaster uses a 2048-bit key size for DHE key exchanges. Some government agencies are now requiring 4096-bit keys and this capability has been added to LoadMaster.

The key size is set on the System Configuration > Miscellaneous Options > Network Options page of the UI using the Size of SSL Diffie-Hellman Key Exchange drop-down list.

Please Note:

  • After upgrading from a version prior to 7.2.53.0, LoadMaster can take up to 30 minutes (on smaller models) to generate a new 4096-bit key. During this time, there will be an impact to CPU and memory available for load balancing traffic. The new option in the UI will not appear until the key is generated. If you cannot see the 4096 option in the drop-down list 30 minutes after upgrading, try logging in to the LoadMaster again.
  • Performance using the 4096-bit key will be at most 25% of the performance observed when using a 2048-bit key. This impact is not uncommon and is to be expected due to the increased overhead associated with doubling the size of the key.

HA: Interface Reboot Feature for L4 Connection Updates

A new High Availability (HA) option allows you to specify that a LoadMaster configured in HA will reboot if any configured interface loses connectivity with the network (i.e., experiences a link failure). The reboot occurs regardless of the LoadMaster's HA status (Primary or Standby).

This feature is primarily designed to be enabled only along with the Inter HA L4 TCP Connection Updates option, to facilitate L4 connection updates in HA. You should consult with Kemp Support before enabling the new interface reboot option.

When Hard Reboot on link Failure is enabled, the LoadMaster is forced to reboot if there is a link failure (that is, if an interface becomes unavailable). The new check box is available in the System Configuration > HA Parameters screen when both of these are true:

  • High Availability (HA) is configured
  • The Switch to Preferred Server option is set to No Preferred Server. This is necessary to prevent possible circular swapping between the active and standby LoadMaster units. 

GEO: Additional Record Types Supported

GEO Global Server Load Balancing (GSLB) has been enhanced to support additional record types for domains, as follows:

  • Multiple TXT and CNAME records per Fully Qualified Domain Name (FQDN).
  • One MX record per FQDN. 

These record types allow you to communicate domain resources to clients:

  • A TXT (text) record is essentially unformatted data that can be used for almost any purpose, but typically contains information to be consumed by clients to classify a domain in some way, provide details about a domain, or specify resources available within a domain. 
  • A CNAME (canonical name) record points a DNS name (such as www.example.com) to another DNS name (such as lb.example.com). This is typically used to define a website alias.
  • An MX (mail exchanger) record specifies the mail server responsible for accepting email messages on behalf of a domain. 

To configure records for a specific FQDN, a new Additional Records section has been added to the FQDN configuration page of the UI. Click Global Balancing > Manage FQDNs and then click Modify on the relevant FQDN.

GEO: Layer 7 HTTP/HTTPS Site Health Checks

Support was added to perform Layer7 (L7) HTTP and HTTPS health checks on back-end servers within GEO "sites" that are not handled from the LoadMaster for application delivery. In other words, site health determination can be enhanced directly from GEO by checking the health of back-end servers that are not being health-checked by LoadMaster (or another Application Delivery Controller (ADC)).

Only HTTP/1.1 is supported for these health checks.

To configure Layer 7 Health Checks for GEO FQDNs, open Global Balancing > Manage FQDNs, click Modify on the relevant FQDN, select the relevant Cluster, click Add Address, select HTTP or HTTPS as the Checker, and then choose from among the available options.

The status of the health check displays in the Availability column.

Client Certificate Authentication with No Server Side Authentication

In previous releases, when client certificate authentication was enabled for Single Sign On, it was required to also enable KCD (Kerberos Constrained Delegation) on the server side. With this release, support has been added for certificate-based client authentication with no authentication on the server side, for use in cases where ESP is needed only for pre-authentication via client certificate. This is configured in the UI by setting the Client Authentication Mode in the Virtual Services ESP Options to Client Certificate, and the Server Authentication Mode to None.

Change Notices

Enhanced ESP Client Session Logging

Client session logging for ESP-enabled Virtual Services has been enhanced to include additional session information: 

  • The initially created ESP session.
  • The time when the LoadMaster cleared the session from the cache. Note that if the entire cache is cleared, a single log message is recorded at the time of clearing, which notes that all sessions existing at that time were cleared from the cache.
  • Deletion of an ESP session (when the user logs out from the application, when the session expires, or when the user enters invalid credentials). The time at which the LoadMaster cleared the session is also logged.

You can view these logs by going to System Configuration > Logging Options > Extended Log Files in the LoadMaster User Interface (UI) and clicking View for ESP User Logs.

Changes Affecting Long-Lived UDP Connections

It is common for some applications (such as Citrix Virtual Desktop Infrastructure and Microsoft Always On VPN) to open UDP connections that last days or even weeks. To address persistence and port following issues seen for these long-lived UDP connections, the following two changes have been made to Layer 7 Virtual Services:

  • Increased Maximum Persistence Timeout: The maximum value of the persistence timeout setting has been increased from 7 days to 28 days. You can configure the persistence Timeout drop-down list after a persistence Mode is selected in the Standard Options section of the Virtual Service modify screen (Virtual Services > View/Modify Services > Modify). 
  • Persistence Refresh: If the persistence Timeout described above is set to 4 days or more, a Refresh Persist check box appears, which is disabled by default. When Refresh Persist is enabled, persistence table entries are auto-refreshed each day for long-lived connections. This is intended for use in long-lived UDP connection configurations where persistence is observed to not be maintained over periods longer than 4 days -- this could be caused by any number of issues that may or may not apply, such as very long idle times. Please consult with Kemp Support before enabling this option.

LoadMaster Change of Ownership Updates

The System Configuration > System Administration > License Management page has been updated to provide easier methods for changing system ownership and provide additional licensing information:

  • The Update License button was renamed to Update License/Owner. In addition to updating your LoadMaster license, this button can be used to change the ownership of the LoadMaster license (update the Kemp ID and password associated with the license). This can be done either online or offline.
  • The Serial Number of the license has been added to the top of the License Management screen for convenience, as it is required in various circumstances (e.g., getting support, offline licensing). 

Content Rules and 512-byte Response Limit

In previous releases, content rules are only applied to responses if the response body is larger than 512 bytes. This behavior has been modified so that:

  • The 512-byte limit doesn't apply to response body modification rules.
  • The 512-byte limit is only observed when compression is enabled. If compression is not enabled, then all content rules are applied regardless of response size.

Cavium III SSL Accelerator Performance Switch

Customers with LoadMaster hardware (e.g., an LM-X40) with a Cavium III hardware SSL accelerator installed have reported performance issues when using the Cavium III hardware with TLS 1.3. A new switch has been introduced on the Network Options page in the UI that allows you to switch from using the current 1.1.1 OpenSSL libraries to using the older 1.0.2 libraries, which do not exhibit the performance issues seen with the 1.1.1 libraries. Unfortunately, the older 1.0.2 libraries do not support TLS 1.3, so TLS 1.3 will not be available for incoming client connections after switching to the older libraries.

Please consult with Kemp Support before enabling this workaround. Also note:

  • Switching the OpenSSL version causes a total SSL outage during the switch. This operation should not be performed during working hours.
  • When using the older 1.0.2 libraries, the TLS1.3 check box is no longer available in the SSL Properties section of the Virtual Service modify screen.
  • If you switch from using the older 1.0.2 libraries to using the 1.1.1 libraries, TLS1.3 is automatically re-enabled on all Virtual Services. 
  • The library selection option is not available on LoadMasters that include the Cavium V accelerator hardware. Those cards do not support the older 1.0.2 libraries. 

Please note that these issues DO NOT affect LoadMasters that have the newer Cavium V hardware acceleration cards.

IRQ Pinning Default for LoadMaster MT VNFs

When using this or a subsequent release as a VNF node in a LoadMaster Multi-Tenant (MT) deployment, the IRQ Pinning option on LoadMaster is now enabled by default when the VNF is deployed to improve overall system performance.

As of LoadMaster firmware version 7.2.53.0 (and Long Term Support (LTS) version 7.2.48.3), the Interrupt Request (IRQ) pinning option is enabled on LoadMaster Virtual Network Function (VNF) builds that are deployed from Multi-Tenant LoadMasters. This default was changed because Kemp has seen an increase in LoadMaster VNF performance when IRQ pinning is enabled. You can access this option by going to System Configuration > Logging Options > System Log Files > Debug Options.

Only change this option in consultation with Kemp Technical Support. 

Certificate Signing Request (CSR) Generation Permissions

If Self-Signed Certificate Handling is set to EC certs with an EC signature (in Certificates & Security > Remote Access), CSR generation is restricted to the administrative (bal) user only. If Self-Signed Certificate Handling is set to a different value, all users can generate CSRs. 

LoadMaster Licensing FQDN Change

As of LoadMaster firmware version 7.2.53.0 (and Long Term Support (LTS) version 7.2.48.3) the LoadMaster licensing Fully Qualified Domain Name (FQDN) has changed. Previously, the FQDN was alsi.kemptechnologies.com. Now, it is licensing.kemp.ax. In some scenarios, Kemp recommends adding the licensing FQDN as an allowed URL on your firewall to ensure all licensing features work, including the downloading and updating of Web Application Firewall (WAF) rules. The URLs to allow vary depending on your LoadMaster firmware version: 

  • LoadMaster firmware version 7.2.53.0 or above (or 7.2.48.3 Long Term Support (LTS) and above): licensing.kemp.ax 
  • LoadMaster firmware versions below 7.2.53.0 (or below 7.2.48.3 LTS): alsi.kemptechnologies.com and alsi2.kemptechnologies.com 

GEO: Option to Prevent a Disabled GEO Cluster from Responding

By default in previous releases, a GEO cluster marked as disabled still responds to client queries. A new parameter named Disabled clusters are unavailable has been introduced. It is disabled by default; when enabled, requests to a disabled GEO cluster are dropped. The cluster name on the Global Balancing > Manage FQDNs page of the UI is also displayed in red text.

Updated RSA Root Certificate for Self-Signed Certificates

The expiration date of the RSA root certificate on the LoadMaster used for self-signed certs was updated from 2023 to 2038. This should not cause any issue with existing self-signed certificates generated on previous releases.

Security Updates

NTLM Proxy Mode

A new NTLM Proxy Mode option has been added that changes the behavior of NTLM to utilize the Real Server as a proxy for NTLM authentication validation, improving the security of the overall deployment.

After upgrade to this release, turn on NTLM Proxy Mode by doing the following:

  1. In the main menu, go to System Configuration > Miscellaneous Options > L7 Configuration.
  2. Enable the NTLM Proxy Mode check box. This changes the NTLM selection for Client Authentication Mode in all Virtual Services to NTLM-Proxy.  

NTLM Proxy Mode is enabled by default for all new deployments of LMOS 7.2.53.0 (and above), as well as the LTS release branch (7.2.48.4 and above).

Elliptical Curve CA Certificate Regenerated

LoadMaster's Elliptical Curve (EC) Certificate Authority (CA) certificate was regenerated for this release to address these issues in previous releases:

  • EC certificates generated using the previous certificate did not work.
  • Third-party EC certificates did not work with LoadMaster.

As a result, the following actions may be necessary if you are using EC certificates:

  • Any EC certificates generated from LoadMaster in previous releases will no longer be valid and will need to be regenerated. Kemp believes the number of these in use in the field is small.
  • If you are using an EC certificate for the WUI, any LoadMaster user that has previously downloaded and installed the LoadMaster root certificate into their browser will need to download and install the new root certificate from LoadMaster after upgrade.

OpenSSH Update

The version of OpenSSH used by LoadMaster has been updated from OpenSSH_7.9p1 to OpenSSH_8.4p1, the latest version of OpenSSH available as of September 2020. Please see the OpenSSH release notes web page for more information.

Also note that with this release, LoadMaster no longer supports RSA keys for SSH login.

Updated Certificate PIV Support (Smartcard) for SSO & WUI

In LoadMaster firmware version 7.2.53.0, support was added in the Edge Security Pack (ESP) Single Sign On (SSO) functionality for Personal Identity Verification (PIV) smart cards. PIV guidance is to match certificate fields to "altsecurityidentities" in the Active Directory (AD). To support this, additional configuration options have been added to the modify SSO screen for SSO domains with the Authentication Protocol set to Certificates. Prior to LoadMaster firmware version 7.2.53.0, there was a check box called Check Certificate to User Mapping. As of version 7.2.53.0, this check box has changed to a drop-down list with the following values: 

  • Not Specified 
  • Subject 
  • Issuer and Subject
  • Issuer and Serial Number 

X.509 Certificate Format Updated

LoadMaster has been enhanced to use the X.509v3 certificate format, as defined in RFC 5280. [Previously, the X.509v1 format defined in RFC 1422 was used.]

Outbound Connection Certificate Validation

Certificate chain validation has been enhanced for all outbound connections:

  • The entire certificate chain sent by remote servers is verified back to the trusted signing Certificate Authority (CA).
  • For OCSP servers, the certificate must also contain the OCSP Signing purpose (id-kp 9 with OID 1.3.6.1.5.5.7.3.9) in the extendedKeyUsage field.

In all cases, the appropriate certificates for chain of trust validation will need to be uploaded to the LoadMaster certificate store.
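The following Python is an added example, not Kemp's own validation code: it decodes a DER extendedKeyUsage value with a minimal hand-written parser and reports whether it carries the OCSP Signing purpose (1.3.6.1.5.5.7.3.9) required above, or the Server Authentication purpose (1.3.6.1.5.5.7.3.1) that PD-16361 under Issues Resolved now requires of server certificates. The extension values it checks are constructed for the demonstration, and the encoder only handles the short-form lengths such values use.

```python
"""Check an X.509 extendedKeyUsage value for the purposes LoadMaster requires.

Added example.  extKeyUsage (RFC 5280 section 4.2.1.12) is a DER
SEQUENCE OF OBJECT IDENTIFIER; the OIDs below are the ones the release
notes rely on.  Sample extension bytes are constructed in this file.
"""

ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth
ID_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth
ID_KP_OCSP_SIGNING = "1.3.6.1.5.5.7.3.9"  # id-kp-OCSPSigning


def _read_tlv(data: bytes, pos: int):
    """Return (tag, content, next_pos) for the DER TLV starting at pos."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the count of length octets
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, data[pos:pos + length], pos + length


def decode_oid(content: bytes) -> str:
    """Decode OBJECT IDENTIFIER content octets (base-128 arcs) to dotted form."""
    arcs, acc = [], 0
    for byte in content:
        acc = (acc << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear: last octet of this arc
            arcs.append(acc)
            acc = 0
    first = arcs[0]
    # The first two arcs are packed into one value: 40 * arc1 + arc2.
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])


def encode_oid(dotted: str) -> bytes:
    """Encode a dotted OID as a complete DER OBJECT IDENTIFIER TLV."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray()
    for arc in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = [arc & 0x7F]          # last octet has the high bit clear
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        body.extend(reversed(chunk))
    return b"\x06" + bytes([len(body)]) + bytes(body)


def encode_ext_key_usage(oids) -> bytes:
    """Build a DER extKeyUsage value (SEQUENCE OF OID); short lengths only."""
    content = b"".join(encode_oid(o) for o in oids)
    return b"\x30" + bytes([len(content)]) + content


def parse_ext_key_usage(der: bytes) -> list:
    """Return the dotted OIDs listed in an extKeyUsage extension value."""
    tag, content, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("extKeyUsage must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(content):
        tag, value, pos = _read_tlv(content, pos)
        if tag != 0x06:
            raise ValueError("extKeyUsage entries must be OBJECT IDENTIFIERs")
        oids.append(decode_oid(value))
    return oids


def allows_ocsp_signing(der: bytes) -> bool:
    """True if the responder certificate may sign OCSP responses."""
    return ID_KP_OCSP_SIGNING in parse_ext_key_usage(der)


def allows_server_auth(der: bytes) -> bool:
    """True if the certificate may be used as a TLS server certificate."""
    return ID_KP_SERVER_AUTH in parse_ext_key_usage(der)


# Constructed sample values: an OCSP responder's EKU and a plain server EKU.
OCSP_RESPONDER_EKU = encode_ext_key_usage([ID_KP_OCSP_SIGNING])
SERVER_ONLY_EKU = encode_ext_key_usage([ID_KP_SERVER_AUTH, ID_KP_CLIENT_AUTH])

if __name__ == "__main__":
    for name, eku in (("OCSP responder", OCSP_RESPONDER_EKU),
                      ("server", SERVER_ONLY_EKU)):
        print(name, parse_ext_key_usage(eku),
              "ocspSigning:", allows_ocsp_signing(eku),
              "serverAuth:", allows_server_auth(eku))
```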

Issues Resolved

PD-17606 UI SSL Certificate (Azure Only): In previous releases, for the Azure cloud only, the LoadMaster UI's SSL Certificate SAN (Subject Alternative Name) information was missing several fields: the LoadMaster Public IP Address, the DNS IP Address, and the Azure-LB IP Address (if applicable). These fields are now added to the Azure cloud LoadMaster UI certificate.
PD-17518 User Login Certificates: In previous releases, user certificates generated when adding a user with the "No Local Password" option enabled didn't contain any "Extended Key Usage" information. This issue has been fixed.
PD-17393 SPLA Licensing: Fixed an issue that caused a spurious deactivation message to be logged.
PD-17273 Content Switching: In previous releases, if a user adds a body response rule to a nested/cascaded Virtual Service, the LoadMaster strips all "Set-Cookie" headers from client requests to the VS. This bug has been fixed.
PD-17062 IPv6 Support: Fixed an issue that caused IPv6 services to stop responding after adding a Virtual Service to the configuration; making another change caused the services to respond again. The way in which IPv6 interface state is managed on VS creation was updated to prevent this issue from occurring.
PD-16960 Logging / Security: Fixed a bug where the LoadMaster syslog server wasn't honoring the Outbound Connection Cipher Set setting when originating connections to a remote server.
PD-16937 Layer 7 (Chunked Content): When a Real Server returned chunked content, the LoadMaster could hang when processing the response and could also exhaust memory under very high load. In addition, responses to clients could be compressed even when compression was not configured, and the Content-Length header could be incorrect if the server response was chunked, above 954 MB, and body rules were in use. These issues have been addressed: LoadMaster no longer hangs or runs out of memory, does not compress content when compression is not configured, and sends a correct Content-Length header for large responses.
PD-16812 Authentication (LDAPS): Fixed an issue that caused LDAPS debug information to be displayed when a client certificate without email information is presented for UI authentication.
PD-16664 Logging: Fixed an issue that caused call trace logs to be seen when using SSL Session ID persistence.
PD-16515 SSL Certificates: Fixed a bug (introduced in 7.2.51.0) that resulted in the Delete button for a certificate to be inactive even when the certificate was no longer used in any virtual services.
PD-16513 UI Authentication via LDAPS: Fixed a bug where LDAPS was not checking "Basic Constraints" as required for intermediate certs in a chain.
PD-16361 SSL Certificates: LoadMaster has been modified to reject an otherwise valid server certificate that lacks the Server Authentication purpose in the extendedKeyUsage field; no connection is established in this case.
PD-16342 Layer 7 POST Handling: Addressed various issues related to POST handling capabilities and error detection within L7, in particular with large POSTs and 401 responses from LoadMaster.
PD-16336 Single Sign On (SSO) API: Previously, it was not possible to kill an SSO session using the Username format via the API. This bug has been fixed.
PD-16335 Content Switching: Fixed issues seen when doing string replacement when the content is less than 512 bytes.
PD-16214 Single Sign On (SSO) with KCD: In previous releases, it was possible that under high loads, users may experience authentication issues when attempting to log into a virtual service with KCD configured. To mitigate against authentication issues, the KCD ticket creation mechanism has been enhanced to provide hourly detection and retry of service ticket expiry. In addition, doing an SSO flush will now result in the restarting of the SSO manager process (instead of only flushing SSO memory as in previous releases).
PD-16157 High Availability (HA) Status: On the Open Telecom platform only, LoadMasters configured into HA show a status of Active/Active if multiple health checks are being executed and these connections remain open for long periods. This bug has been fixed and HA status is now displayed appropriately.
PD-16156 LDAP: Enhanced the UI and API to support the hyphen character (-) in LDAP endpoint names.
PD-16151 Statistics UI: Fixed display issues on the Statistics page when viewing more than 102 Real Servers.
PD-16139 SNMP MIBs: Fixed an issue where the time stamps seen in LoadMaster SNMP output are 2 digits too long and don't comply with RFC 2578.
PD-16134 AWS Machine Instances: On the AWS cloud platform only, the LoadMaster was observed not to boot properly when using certain newer machine sizes with BIOS versions above Version 9. This issue has been fixed.
PD-16122 Compression, Reliability and Stability: Fixed an issue with processing large amounts of chunked data from servers with compression enabled that could cause the system to become temporarily unavailable (and a failover to occur in High Availability mode). Changes were made to prevent the system from becoming unavailable so that the problem can be diagnosed.
PD-16057 Logging: In previous releases, various log messages included the file system location of the syslog configuration file. All such messages have been modified to remove the configuration file location.
PD-16056 Logging: Fixed an issue that caused FIPS-related system logs to appear on systems that were not FIPS-enabled.
PD-16032 GEO: Fixed an issue in the HA Partner code that could cause Partners in a cloud deployment to not synchronize properly.
PD-16028 Virtual Service SSL Properties: The Add Received Cipher Name parameter was observed to not enable passing of the received cipher name if the client accesses a SubVS rather than the VS. The system has been modified to always propagate SSL headers to the SubVS level.
PD-15982 WAF Rule Download: Addressed issues that caused WAF rule download to fail under various circumstances.
PD-15888 API: When a PUT request with data in the request body was received, the LoadMaster reset (RST) the connection. This has been fixed so that the LoadMaster instead responds with an appropriate response code without resetting the connection.
PD-15881 User Interface: Fixed the Manage Certificates page to display IPv6 addresses in the correct format.
PD-15869 Adaptive Health Check Agent: Updated the adaptive health check mechanism to use HTTP 1.1 (instead of HTTP 1.0) when making Real Server connections.
PD-15860 Real Server Configuration: Fixed an issue where the parameter values of a Real Server that had been created with a DNS FQDN (instead of an IP address) could not be modified.
PD-15828 Single Sign On (SSO): In previous releases, access could be denied during SSO even though correct credentials had been supplied, accompanied by log messages indicating "XSS attack dtcode 7". This occurred because in some cases the LoadMaster did not properly handle SameSite cookie options contained in the client request. This issue has been fixed.
PD-15709 GEO: When using IP Range Selection Criteria scheduling, the DNS response could be incorrect in previous releases when one IP range was a subset of another IP range. This bug was due to an internal issue and has been fixed.
PD-15646 API: Missing PowerShell API calls to allow the user to configure a custom cipher set have been added.
PD-15593 L7 Debugging: Added an option for L7 debug logs that adds the HTTP header information to the logs. When L7 Extended Debug is enabled, a new per-VS option called "Full Debug + HTTP Headers" is added to Virtual Services. This option is off by default, and should be enabled only on specific VSs being debugged.


New Known Issues

PD-17714 SSO (OpenID Connect): In Google Cloud, setting the Application Secret field in the OIDC SSO Configuration returns an error when a 24-character secret is entered: "Cannot set Application Secret: Invalid OIDC application secret". The workaround is to pad the secret with an additional 8 characters so that the string is at least 32 characters long.
PD-17707 Kubernetes Ingress Controller: Currently, the targetPort (in the service.yaml file) must be the same port as the servicePort (in the ingress.yaml file).
PD-17700 Network Telemetry: Selecting an interface for export and then setting the Collector Endpoint does not enable export of data for that interface to the Collector. The workaround is to reset the Collector Endpoint: remove the IP address from the text box, click Set Remote Address, add the IP address back into the text box, and click Set Remote Address again.
PD-17616 SSL Certificate Signing Request (CSR): A CSR generated on the LoadMaster uses the T61STRING type for the Common Name. The LoadMaster will be modified in a future release to use UTF8String, to conform with RFC 5280.
PD-17612 Licensing (Bandwidth): When calculating bandwidth for licensing limits, the limits are halved for Virtual Services with one or more SubVSs. This will be fixed in the next release.
PD-16707 SSO (Steering Groups): Currently, when the LoadMaster detects a user logging in via SSO without the LoadMaster SSO cookie but matching an existing session, it reassigns the same SSO cookie to the request but does not reassign the Steering Group cookie (even though no cookies were cleared). This issue will be addressed in a future release.
PD-16113 GEO: The DNS response for TXT Records inserts the global TTL when the local setting is enabled on the FQDN.
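The PD-17616 entry above concerns the ASN.1 string type of the Common Name in a LoadMaster-generated CSR. The following Python is an added example, not Kemp code: it walks a DER-encoded X.501 Name (the subject of a CSR or certificate) and reports which DirectoryString type each attribute uses, so a request can be checked before it goes to a CA that enforces RFC 5280. The two sample Names are constructed inline for this example; the first mimics the T61String behaviour described in PD-17616, the second the UTF8String form. The parser takes a bare Name rather than a whole CSR, so on a real request the subject would first be extracted (for example with openssl asn1parse).

```python
"""Report the ASN.1 string type used for each attribute of a DER-encoded X.501 Name.
Added example; the sample Names below are constructed, not taken from a LoadMaster."""

# Universal ASN.1 tags for the DirectoryString choices (X.520).
TAG_NAMES = {
    0x0C: "UTF8String",
    0x13: "PrintableString",
    0x14: "T61String",      # a.k.a. TeletexString; RFC 5280 wants UTF8String for new names
    0x16: "IA5String",
    0x1E: "BMPString",
}
OID_CN = "2.5.4.3"
OID_O = "2.5.4.10"


def _read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, value_bytes, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """First byte packs the first two arcs; the rest are base-128 with a continuation bit."""
    arcs = [raw[0] // 40, raw[0] % 40]
    val = 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def parse_name(der):
    """Return [(oid, string_type, value)] for every AttributeTypeAndValue in a Name."""
    tag, rdn_seq, _ = _read_tlv(der, 0)
    assert tag == 0x30, "Name must be a SEQUENCE OF RelativeDistinguishedName"
    out = []
    pos = 0
    while pos < len(rdn_seq):
        tag, rdn, pos = _read_tlv(rdn_seq, pos)      # SET OF AttributeTypeAndValue
        assert tag == 0x31, "RDN must be a SET"
        ipos = 0
        while ipos < len(rdn):
            _, atv, ipos = _read_tlv(rdn, ipos)      # SEQUENCE { type OID, value }
            _, oid_raw, vpos = _read_tlv(atv, 0)
            vtag, value, _ = _read_tlv(atv, vpos)
            # latin-1 is only adequate for the ASCII values used here
            out.append((_decode_oid(oid_raw), TAG_NAMES.get(vtag, hex(vtag)), value.decode("latin-1")))
    return out


def cn_string_type(der):
    """String type of the commonName attribute, or None if the Name has no CN."""
    for oid, stype, _ in parse_name(der):
        if oid == OID_CN:
            return stype
    return None


# --- minimal DER encoder, used only to build the constructed sample Names ---
def _tlv(tag, content):
    assert len(content) < 128, "short-form length is enough for these samples"
    return bytes([tag, len(content)]) + content


def _encode_oid(oid):
    arcs = [int(a) for a in oid.split(".")]
    body = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        body += bytes(chunk)
    return _tlv(0x06, body)


def build_name(attrs):
    """attrs: [(oid, string_tag, text)]; each attribute becomes its own single-valued RDN."""
    rdns = b""
    for oid, tag, text in attrs:
        atv = _tlv(0x30, _encode_oid(oid) + _tlv(tag, text.encode("utf-8")))
        rdns += _tlv(0x31, atv)
    return _tlv(0x30, rdns)


# Constructed samples: LEGACY_NAME mirrors the T61String CN described in PD-17616,
# GOOD_NAME is the RFC 5280 conformant UTF8String form. Hostname is a placeholder.
LEGACY_NAME = build_name([(OID_O, 0x13, "Example Org"), (OID_CN, 0x14, "vs.example.com")])
GOOD_NAME = build_name([(OID_O, 0x13, "Example Org"), (OID_CN, 0x0C, "vs.example.com")])

if __name__ == "__main__":
    for label, der in (("legacy", LEGACY_NAME), ("fixed", GOOD_NAME)):
        print(label, "CN type:", cn_string_type(der), parse_name(der))
```

On a real CSR file the same information is visible with `openssl asn1parse -in request.csr`: a T61String Common Name is printed as `T61STRING`, a conformant one as `UTF8STRING` or `PRINTABLESTRING`.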


Existing Known Issues

The following issues appeared in the Release Notes for the previous release of LMOS.

PD-15872 LDAP/Syslog: StartTLS is not working when the Server Certificate Validation flag is enabled.
PD-15633 GEO: If you add a Zone Name to GEO after you have created working FQDNs, GEO may no longer respond to queries for one or more of the FQDNs after the Zone Name is added. The workaround is to remove and then re-add the FQDNs that are no longer working.
PD-15475 VS Redirects: If you attempt to upload a new redirect error HTML file to a Virtual Service with Not Available Redirection Handling enabled while traffic is currently being redirected, then traffic to the VS is dropped. Click the Error Message radio button in the UI and the VS begins accepting connections again.
PD-15396 GEO: LM sends a spurious "KEMP GEO" TXT record in DNS responses if the TXT record field is empty and the queried FQDN is not a sub-domain of the ZoneName.
PD-15354 SSO Timeout: In LMOS 7.2.51.0, a fix was introduced for issues that caused an SSO client to not be properly logged out when the configured session timeout expires. It has been observed that while sessions do timeout, they are not always closed immediately upon the expiry of the timer; it can take close to a minute longer for the session to actually be closed.
PD-15294 ESP Verify Bearer Header: LoadMaster does not return an error when an encrypted token is received and there is no SSL certificate assigned to the VS to decrypt the token.
PD-15172 ESP Verify Bearer Header: Validation is not working when "Allowed Virtual Hosts" and "Allowed Virtual Directories" are blank on the Virtual Service.
PD-14943 Single Sign On: When Form Based Authentication is enabled on the server side, it is possible that after filling out correct credentials and submitting the login form, the form will be presented again; once the second login form is submitted with correct credentials, the login succeeds.
PD-13899 ACLs and Real Servers: Real Servers located on networks on which the LoadMaster also has an IP address are always allowed to access Virtual Services configured to use ports 22 (SSH), 25 (SMTP), 53 (DNS), 161 (SNMP), and 443 (UI). Any access control list (ACL) settings on the LoadMaster are ignored for these Real Servers. For Layer 7 services, this issue can be worked around using Content Rules. The only workaround for other services is to block access for local Real Servers (if desired) on another network device (firewall, switch, router, etc.).
PD-12838 ESP / SSO: The ESP Permitted Group SID(s) setting is not working as expected when configured on a SubVS.
PD-12616 WAF / Compression: With Web Application Firewall (WAF) enabled, compressed files are incorrectly decompressed. As a workaround, ensure compression is enabled in VS Advanced Properties by selecting the Enable Compression option.
PD-12492 Downgrade: If an Azure VLM is downgraded to the LTS firmware release (7.1.35.x), the WUI may display in the top right-hand corner that the VLM is a Hyper-V VLM. This indicates that the Azure VLM Add-On Package must be added to the system to provide full Azure VLM functionality. If this occurs, please contact Kemp Support to get the required add-on package.
PD-12354, PD-10466 Hardware Support: The LoadMaster models LM-X15, LM-X25, and LM-X40 do not support the following SFP+ modules: LM-SFP-SX (SFP+ SX Transceiver 1000BASE-SX 850nm, 550m over MMF), LM-SFP-LX (SFP+ LX Transceiver 1000BASE-LX 1310nm, 10KM over SMF).
PD-12237 HA / NTP: Configuring NTP for the first time after the system is running in High Availability (HA) mode and when the current time on the machines is not correct, may cause the systems to both go into the Master state.
PD-12147 ESP / RADIUS: In a LoadMaster configuration with ESP and Radius server-side authentication enabled, sessions may fail to be established.
PD-12058 Browser Support: An issue exists when connecting to the LoadMaster WUI when using newer versions of the Firefox browser on initial configuration of a hardware FIPS LoadMaster.
PD-11861 RADIUS / IPv6: IPv6 is not supported by the current RADIUS implementation in the LoadMaster for both WUI Authorization and ESP Authentication.
PD-11166 Networking: Azure LoadMasters are not translating the additional network address between the Master and Slave correctly.
PD-11044 SharePoint Virtual Services: A second authentication prompt is presented when a file is uploaded to SharePoint with the following configuration: WAF is configured with Process Responses enabled on the main Virtual Service and KCD is enabled on the SubVS level for server-side authentication.
PD-10917 HA: An issue exists when setting up a 2-armed HA Virtual LoadMaster in Azure.
PD-10784 HA: Configuring LoadMaster HA using eth1 on an Amazon Web Services (AWS) Virtual LoadMaster does not work.
PD-10586 GEO: If a GEO FQDN is configured with All Available as the Selection Criteria, IP addresses are returned even if the cluster is disabled.
PD-10490 Content Rules: The vsremovewafrule RESTful API command does not allow multiple rules to be removed.
PD-10474 Intrusion Detection: A SNORT rule is triggering a false positive in certain scenarios.
PD-10193 Exchange 2010 Virtual Services: A WAF, ESP, and KCD configuration with Microsoft Exchange 2010 is not supported.
PD-10188 Browser Support: (Safari) When adding a Real Server to a Virtual Service or SubVS using the Safari browser, the list of available Real Servers is not available.
PD-10159 Statistics: When upgrading firmware from version 7.1.35.n, CPU and network usage graphs are not appearing. As a workaround, reset the statistics in the WUI.
PD-10136 Clustering: In a LoadMaster cluster configuration, a new node can be added with the same IP address as an existing node.
PD-9816, PD-9476 WAF: There is an API command to list individual rules in a ruleset, but there is no command to list the available rulesets themselves.
PD-9765 GEO: DNS TCP requests from unknown sources are not supported.
PD-9507 Networking: Unable to add an SDN controller using the RESTful API/WUI in a specific scenario.
PD-9375 SharePoint Virtual Services: Microsoft Office files in SharePoint do not work in Firefox and Chrome when using SAML authentication.
