
ECS Connection Manager 7.2.55.0 Release Notes

ECS Connection Manager Version 7.2.55.0 is a feature and bug-fix release made available in September 2021. Please read the sections below before installing or upgrading to this GA release.

Contents

Before You Upgrade (READ ME FIRST)
Supported Models for Upgrade
Upgrade Patch XML File Verification Notes
Downgrading to Earlier Versions
New Features
WAF: Clearing the False Positive Analysis Counters and Events
WAF: Configurable OWASP POST Body Size
WAF: Remote Logging TLS Version
GEO: Capacity, Performance, and UI Enhancements
Change Notices
SSL Renegotiation Disabled By Default
Ciphers Used for Re-encryption
Network Telemetry VLAN Enhancement
Increased Size Limitation for SSO Custom Form Images
RPS Limiting UI Removed for Non-Offloaded HTTPS Port 443 VSs
Security Updates
Update OpenSSL to Version 1.1.1k
Strict Transport Security Header Settings
Single Sign On: SameSite and Secure Options
Console Support for WUI Cipher Reset
Certificate Chain of Trust for UI Authentication
Console Security Update
ACL Security Update
Issues Resolved
New Known Issues
Existing Known Issues


Before You Upgrade (READ ME FIRST)

Please pay special attention to the issues below before you begin an upgrade to this release.

Generation of 4096-bit DHE Key

During an upgrade to this version from a version prior to v7.2.53.0, a new 4096-bit DHE key is generated. On smaller ECS Connection Managers, this can lead to significant CPU and memory consumption that could impact regular Virtual Service traffic. Kemp therefore strongly recommends that this update be performed in a maintenance interval.

Best Practices Cipher Set

In v7.2.52.0, the BestPractices cipher set was updated. If you are upgrading from a version prior to v7.2.52.0, this change is effective immediately after upgrade to this release. This change was made to improve ECS Connection Manager security and conform to the latest industry best practices.

If you depend on any of the ciphers being removed from the BestPractices set, then before you upgrade you must create a custom cipher set that contains these ciphers and assign this new custom cipher set to the Virtual Services that are currently using the BestPractices cipher set. After this is done, you can upgrade to this release and your services will continue to use the old ciphers. If you do not, then after upgrade any clients that depend on these ciphers being available will no longer be able to connect.

It is recommended, however, that you migrate your services as soon as possible to use the new BestPractices cipher set. For more information on the cipher suites removed from the set, please see the ECS Connection Manager 7.2.52.0 Release Notes.

Supported Models for Upgrade

This release of ECS Connection Manager is supported on the Hardware and Virtual models shown in the first three columns of the table below.

Supported Virtual Models:

  • ECS Connection Manager VM1
  • ECS Connection Manager VM2

Supported Hardware Models:

  • ECS-H1
  • ECS-H2
  • ECS-H3
  • ECS-H3M
  • ECS-H3-25G
  • ECS-H3-40G
  • ECS-H3-100G


Upgrade Patch XML File Verification Notes

By default, verification of the digital signature on upgrade images is required in v7.2.50.0 and above. See the Update Verification Options setting under System Administration > Miscellaneous Options > WUI Settings. If the unit you are upgrading is set to require validation, you'll need to supply the XML Verification File supplied with this release.

Note that:

  • In previous releases, two verification files were provided: one for pre-7.2.51 systems and one for later systems. This restriction has been removed with the v7.2.53.0 release; if upgrading from firmware v7.2.51.0 and above you can use the XML file provided with this release. If upgrading from any other firmware version please see the release notes for that firmware version.

Downgrading to Earlier Versions

Downgrading an ECS Connection Manager running v7.2.55.0 to v7.2.51.0 (or a later release) can be performed using any desired Update Verification Options setting.

Downgrading to v7.2.50.0 or a previous release can only be done when the Update Verification Options setting is set to Optional or Legacy. When performing the downgrade, do not specify an XML file. If you want to verify the digital signature on the image before downgrading, you can do so using a manual process documented on the support website.

New Features

The following new features have been added since the previous release.

WAF: Clearing the False Positive Analysis Counters and Events

A Reset FPA Counters button has been added to the Web Application Firewall > False Positive Analysis page (which also clears the events table). If desired, the Download button at the top right of the Latest Events table can be used to download the current list of events before clearing.

WAF: Configurable OWASP POST Body Size

In previous releases, the maximum Request Body Size Limit for a POST body was hard coded to 1048576 bytes (1 MB). This setting is now configurable in the Virtual Service (and SubVS) API and UI settings. The default remains 1048576 bytes, with a supported range of 1024 bytes to 10485760 bytes (10 MB). This setting is available in a WAF-enabled Virtual Service under WAF Advanced Options. The Inspect HTTP POST Request Bodies option must be enabled before this new control is visible in the UI.

WAF: Remote Logging TLS Version

In previous releases, the updated WAF remote logging facility (Web Application Firewall > Export Logs) was not negotiating TLS versions above TLS 1.0. In v7.2.55, WAF has been modified to use the Certificates & Security > Remote Access > Outbound Connection Cipher Set setting for handshake negotiation.

Network Telemetry VLAN Enhancement

In previous releases, Network Telemetry could not be enabled on a VLAN with an IP address if the underlying interface was not also assigned an IP address. In this release, Network Telemetry can be enabled on a VLAN regardless of whether the underlying interface has an IP address.

Network Telemetry is an add-on package. After you upgrade to v7.2.55.0, do one of the following to get the latest package:

  • If you're installing Network Telemetry for the first time, navigate to Network Telemetry in the ECS Connection Manager main menu and click Install to get the latest add-on package.
  • If you installed Network Telemetry on an earlier release, then after upgrading to v7.2.55.0 you can get the latest version of the add-on as follows:
    1. Go to the Other Downloads page on the Kemp website.
    2. Click on the Network Telemetry Flowmon Add-On link.
    3. The download page lists the add-on packages for both the latest GA release and for the LTS (Long Term Support) release. Click on the link for the v7.2.55.0 add-on.
    4. Once the download is complete, unzip the archive. There will be two files: the add-on image and an XML file.
    5. Navigate to System Configuration > System Administration > Software Update in the ECS Connection Manager UI. The bottom section of the screen should look like this:

[Screenshot: Software Update page, add-on package section]

    6. Click the Browse buttons to upload the software package and the XML verification file.
    7. Once the files are uploaded, click Install Addon Package.
    8. Once the package is installed, click OK on the confirmation message that appears. The Version Installed in the screen above should now be 7.2.55.0.nnnnn.RELEASE.

Note: In a small number of cases, ECS Connection Manager needs to be rebooted to complete the add-on upgrade. If the Flowmon add-on package appears in red text in the screen above, a reboot is required. Navigate to System Configuration > System Administration > Reboot System and click Reboot. Otherwise, the package is ready to use after you install or update it.

GEO: Capacity, Performance, and UI Enhancements

GEO capacity and performance have been improved in this release:

  • In previous releases, the number of Fully Qualified Domain Names (FQDNs) that could be defined was limited to 256 total FQDNs. With this release, significant improvements to processing and performance have resulted in the removal of this limitation. The practical limit to the number of FQDNs supported is determined by available system resources -- including the amount of load balanced traffic being handled by ECS Connection Manager. As a rule of thumb, an FQDN with 64 IP addresses consumes about 2 MB of memory.
  • The global limit of 1024 IP addresses and records has also been removed. [Note: the limit of 64 IP addresses per FQDN remains.]
  • Modifications to the FQDN UI support the above limitation changes and the UI should be generally more responsive than in previous releases.

Change Notices

SSL Renegotiation Disabled By Default

Starting with v7.2.55, the System Configuration > Miscellaneous Options > L7 Configuration > SSL Renegotiation setting is disabled by default, as a recommended security best practice. There are many published vulnerabilities with renegotiation, and TLS 1.3 removes support for it completely. Note that this change applies to both new deployments and upgrades.

Ciphers Used for Re-encryption

In previous releases, the ciphers used for re-encryption connections to Real Servers were not configurable. All re-encryption connections now use the same set of ciphers used by other outbound connections, as specified by the Certificates & Security > Remote Access > Outbound Connection Cipher Set setting.

Increased Size Limitation for SSO Custom Form Images

The size limitation for images provided in custom image sets for Forms Based single sign on has been increased from 256 KB to 1 MB.

RPS Limiting UI Removed for Non-Offloaded HTTPS Port 443 VSs

The QoS/Limiting option for rate limiting by HTTP Requests per Second (RPS) will no longer appear in the UI for HTTPS Virtual Services on port 443 with SSL Acceleration disabled. SSL Acceleration must be enabled or this option will not appear -- the SSL connection must be terminated on ECS Connection Manager for this option to work.

Security Updates

Update OpenSSL to Version 1.1.1k

The version of OpenSSL on ECS Connection Manager has been updated from 1.1.1 (no letter) to 1.1.1k, to address various issues in the previously supported release. See the OpenSSL 1.1.1 Release Notes page for more information on the differences between 1.1.1k and previous releases.

Strict Transport Security Header Settings

HTTP Strict Transport Security (HSTS) allows a server (in this case ECS Connection Manager) to set a header in client responses that instructs the client to force all subsequent connections to use HTTPS and to disregard any attempt to load any resource in that domain (and possibly its subdomains) over HTTP.

The Strict-Transport-Security header has various associated settings, none of which were exposed in the UI in previous releases. With this release, all settings are available through both the API and the UI. In the UI, they are exposed as follows:

  • The default maximum age of all Strict-Transport-Security headers set by ECS Connection Manager is 31536000 seconds (365 days/1 year). This global value can be modified on the System Configuration > Miscellaneous Options > L7 Configuration page by setting L7 Security Header Age to the desired number of seconds. Two years (63072000 seconds) is a commonly used value; the largest value that can be set is three years (94608000 seconds).
  • The content of the Strict-Transport-Security header can be customized for each Virtual Service in the SSL Properties section of the VS configuration:
    • Don't add the Strict Transport Security Header: This is the default value.
    • Add the Strict Transport Security Header -- no subdomains: Adds the header only to client responses in the domain, not for any subdomains.
    • Add the Strict Transport Security Header -- include subdomains: Adds the header to client responses in the domain and all subdomains.
    • Add the Strict Transport Security Header -- no subdomains + preload: Adds the header only to client responses in the domain, not for any subdomains, and allows the use of HSTS preloading, if supported by the client browser.
    • Add the Strict Transport Security Header -- include subdomains + preload: Adds the header to client responses in the domain and all subdomains, and allows the use of HSTS preloading, if supported by the client browser.

See the following links for more information and guidelines on setting the HSTS header; also see this explanation of HSTS preloading.
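The following added example (not Kemp's code) shows the Strict-Transport-Security value that each of the five Virtual Service options above produces, and audits an observed header against the max-age guidance in this section. The option names and the three max-age figures are taken from these release notes; the short option labels, the function names, and the policy minimum used by audit_hsts() are assumptions. The preload check mirrors the hstspreload.org submission criteria (max-age of at least one year, includeSubDomains, preload).

```python
"""Build and audit Strict-Transport-Security headers.

Added example, not Kemp's code. Option names and max-age limits come from the
release notes; labels, function names and the audit policy are assumptions.
"""

# max-age values quoted in the release notes (seconds)
DEFAULT_MAX_AGE = 31536000   # 1 year, the global L7 Security Header Age default
TWO_YEARS = 63072000         # commonly used value
MAX_ALLOWED_AGE = 94608000   # 3 years, the largest value the UI accepts

# The five per-Virtual-Service choices: label -> (includeSubDomains, preload),
# or None when the header is not added. Labels are assumed shorthand.
HSTS_OPTIONS = {
    "none": None,                          # "Don't add ..." (the default)
    "no_subdomains": (False, False),
    "include_subdomains": (True, False),
    "no_subdomains_preload": (False, True),
    "include_subdomains_preload": (True, True),
}


def build_hsts_header(option, max_age=DEFAULT_MAX_AGE):
    """Return the header value for a VS option, or None when no header is sent."""
    if option not in HSTS_OPTIONS:
        raise ValueError(f"unknown HSTS option: {option}")
    if not 0 <= max_age <= MAX_ALLOWED_AGE:
        raise ValueError("max-age must be between 0 and three years")
    flags = HSTS_OPTIONS[option]
    if flags is None:
        return None
    include_subdomains, preload = flags
    parts = [f"max-age={max_age}"]
    if include_subdomains:
        parts.append("includeSubDomains")
    if preload:
        parts.append("preload")
    return "; ".join(parts)


def parse_hsts_header(value):
    """Parse a header value into (max_age, include_subdomains, preload).

    Directive names are matched case-insensitively, as RFC 6797 requires.
    """
    max_age = None
    include_subdomains = preload = False
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            max_age = int(arg.strip().strip('"'))
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        raise ValueError("max-age is mandatory in Strict-Transport-Security")
    return max_age, include_subdomains, preload


def audit_hsts(value, min_age=DEFAULT_MAX_AGE):
    """Return a list of findings for an observed header; an empty list passes.

    min_age is an assumed local policy (one year here). The preload rule
    follows the hstspreload.org criteria.
    """
    findings = []
    max_age, include_subdomains, preload = parse_hsts_header(value)
    if max_age < min_age:
        findings.append(f"max-age {max_age} is below policy minimum {min_age}")
    if preload and (not include_subdomains or max_age < 31536000):
        findings.append(
            "preload requested without includeSubDomains and max-age >= 1 year")
    return findings


if __name__ == "__main__":
    for opt in HSTS_OPTIONS:
        print(f"{opt:28s} -> {build_hsts_header(opt, TWO_YEARS)}")
    # Constructed sample header, as a scanner might observe it on a response
    print(audit_hsts("max-age=300"))
```

Note that the two "no subdomains + preload" style options satisfy the browser but not the preload list: a header without includeSubDomains is rejected on submission, which audit_hsts() flags.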

Single Sign On: SameSite and Secure Options

Single Sign On data connections in previous releases didn't include either a "SameSite" or "Secure" parameter in the Set-Cookie header. With this release, the "Secure" parameter is now always sent and, by default, the "SameSite" parameter is not added. These options can be set globally or per-Virtual Service:

  • The global setting on the System Configuration > Miscellaneous Options > L7 Configuration page can be set to the following values:
    • SameSite Option Not Added (the default value, compatible with previous releases)
    • None
    • Lax
    • Strict
  • The Virtual Service setting appears under ESP Options when ESP is enabled and Client Authentication Mode is set to Forms Based. The default value at this level is the System Default setting, which means it's the same as the global setting. The other values shown above can also be set at the VS level.
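The following added example (not Kemp's code) composes the SSO Set-Cookie header for each of the four SameSite options above and predicts whether a browser would attach the resulting cookie to a request. The option names come from these release notes; the cookie name "sso_session", the Path and HttpOnly attributes, and the request-context model are assumptions. A cookie with no SameSite attribute is treated as Lax, the browser default that known issue PD-17933 in this document refers to.

```python
"""Set-Cookie SameSite/Secure behaviour for SSO cookies.

Added example, not Kemp's code. Option names come from the release notes;
the cookie name and the browser model are assumptions.
"""

# Global / per-VS options from the release notes, mapped to the attribute
# value appended to Set-Cookie (None == attribute not added).
SAMESITE_OPTIONS = {
    "not_added": None,   # "SameSite Option Not Added" (the default)
    "none": "None",
    "lax": "Lax",
    "strict": "Strict",
}


def build_set_cookie(name, value, samesite_option="not_added", secure=True):
    """Compose a Set-Cookie header value; Secure is always sent in this release."""
    if samesite_option not in SAMESITE_OPTIONS:
        raise ValueError(f"unknown SameSite option: {samesite_option}")
    attrs = [f"{name}={value}", "Path=/", "HttpOnly"]   # Path/HttpOnly assumed
    if secure:
        attrs.append("Secure")
    samesite = SAMESITE_OPTIONS[samesite_option]
    if samesite is not None:
        attrs.append(f"SameSite={samesite}")
    return "; ".join(attrs)


def parse_set_cookie(header):
    """Return (name, value, attributes) with lower-cased attribute names.

    Flag attributes such as Secure and HttpOnly are stored as True.
    """
    pieces = [p.strip() for p in header.split(";")]
    name, _, value = pieces[0].partition("=")
    attrs = {}
    for piece in pieces[1:]:
        key, _, val = piece.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def cookie_is_sent(header, request_is_https, cross_site, top_level_navigation):
    """Predict whether a browser includes the cookie on a request.

    cross_site: the request is initiated from a different site than the one
    that set the cookie. top_level_navigation: a top-level GET navigation
    (following a link), as opposed to a subresource load or a form POST.

    Rules: Secure cookies are never sent over plain HTTP; Strict never crosses
    sites; Lax (and a missing attribute, treated as Lax by default) allows only
    top-level navigations; None is honoured only together with Secure.
    """
    _, _, attrs = parse_set_cookie(header)
    secure = attrs.get("secure") is True
    samesite = str(attrs.get("samesite", "Lax")).lower()
    if secure and not request_is_https:
        return False
    if not cross_site:
        return True
    if samesite == "strict":
        return False
    if samesite == "lax":
        return top_level_navigation
    if samesite == "none":
        return secure
    return False


if __name__ == "__main__":
    # Constructed sample: what a cross-site form POST sees under each option
    for opt in SAMESITE_OPTIONS:
        hdr = build_set_cookie("sso_session", "abc123", opt)
        sent = cookie_is_sent(hdr, True, cross_site=True, top_level_navigation=False)
        print(f"{opt:10s} {hdr!r:60s} sent on cross-site POST: {sent}")
```

The practical consequence for a forms-based SSO deployment: with the default "not added" setting, a cross-site POST to the Virtual Service arrives without the session cookie, which is why content embedded from another site may fail unless the option is set to None (and the Secure attribute, now always present, is what makes None acceptable to browsers).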

Console Support for WUI Cipher Reset

The system console has been enhanced to support resetting the cipher set used by the ECS Connection Manager UI, for use cases where setting a cipher set improperly may cause the UI to be unreachable. To use this facility:

  1. Log into the system console using the hardware or hypervisor console capability, or via SSH.
  2. At the ECS Connection Manager Configuration menu, select Local Administration > Web Address > Restore Admin WUI access to default mode.

This command does the following:

  • Resets the Certificates & Security > Admin WUI Access > WUI Cipher Set parameter to the default WUI cipher set.
  • Resets the Certificates & Security > Remote Access > Self-signed Certificate Handling parameter to the default (RSA self-signed certs).

Certificate Chain of Trust for UI Authentication

The ability to specify the intermediate and Certificate Authority (CA) certificates to be used to validate a client certificate presented for login to the UI has been added to the API and to the Certificates & Security > WUI Access Options UI page. Controls have been added to the top of the page under Admin WUI Options that list all the intermediate and CA certificates currently installed on ECS Connection Manager and allow you to select the certificate(s) that will be used to validate client certificates presented for login. Any client certificates presented whose chain of trust cannot be validated using the selected CA and Intermediate certificates will be denied access. The default is to check against all existing certificates.

Console Security Update

The system console has been updated to close vulnerabilities present in the CLI in previous releases that could allow an already authenticated user to obtain a privileged shell.

Issues Resolved

PD-18853

Logging - ESP CEF Format Logs: Fixed various issues that could cause incorrect information to be displayed in the ESP Common Event Format (CEF) format logs.

PD-18852

Console Security: Addressed security issues in the console interface that could allow an authenticated user to gain access to a privileged shell.

PD-18831

Let's Encrypt: Fixed errors that caused domain names to be compared in a case-sensitive manner, instead of case-insensitive.

PD-18784

Logging - ESP Performance: Addressed issues with date calculations that could cause ESP logging to consume significant CPU resources.

PD-18737

HTTP/2 Performance: Fixed issues that could degrade HTTP/2 performance when clients accept data more slowly than Real Servers send it.

PD-18727

Access Control Lists (ACLs): In previous releases, an ACL entry that denies access to a Virtual Service would be ignored (and access allowed) under these conditions:

  • the VS uses port 443
  • the VS is assigned an IP that is located on a network interface on which the User Interface (UI) is not running

This issue has been fixed.

PD-18597

Statistics for Client Limiting: Fixed an issue that resulted in no limiting statistics being displayed after activating "generate limiter statistics".

PD-18594

HTTP/2 File Access: Customers reported HTTP/2 failures when accessing files using either a Mac client running Safari or Linux clients using the curl command, where the Real Server reports a broken pipe. The workaround was to disable HTTP/2. This bug has been fixed.

PD-18525

WAF: Fixed an issue where enabling WAF on a Virtual Service did not enable statistics to be displayed.

PD-18479

WAF: Fixed a bug that caused the Top 10 Countries counters to be reset, and to stop displaying data, when WAF is enabled or disabled.

PD-18478

WAF: Fixed a bug that caused response rules to not be processed properly, resulting in WAF not blocking attacks that should have been blocked.

PD-18469

Kubernetes Ingress Controller: Moved internal logs that occur under some circumstances to the debug log.

PD-18466

WAF: Fixed issues that could cause a segmentation fault or reboot when the WAF configuration is modified while there is traffic passing through the WAF engine.

PD-18454

ESP Post-Pass Authentication: Fixed a bug that broke the "Post-Pass" authentication method (and hence broke preauthentication for Citrix Workspace App deployments).

PD-18448

Health Checking: Fixed a bug that broke the Show Headers button for the HTTP Protocol and HTTPS Protocol Real Server Check Methods.

PD-18440

WAF: Addressed an issue with connection timeouts that caused the log message "Hit connection limit 64000" to appear and WAF processing to stop when a remote real server fails.

PD-18437

API V2 (JSON): Fixed an issue with the addvs command that caused a segmentation fault when an invalid configuration is supplied.

PD-18423

API V2 (JSON): Fixed issues with several commands where the JSON output returned was either incorrect or empty.

PD-18295

WAF: Modified the permitted characters for custom WAF rule and data files to also include period and dash characters. The full set of supported characters includes: all alphanumeric characters, period (.), dash (-), and underscore (_).

PD-18292

SNMP: Fixed an issue that could cause the SNMP daemon to exit when many real servers are configured.

PD-18268

HTTPS Virtual Services: In previous releases, users could become unable to connect to an HTTPS Virtual Service, with messages like this appearing in the ECS Connection Manager log: "kernel: L7: Error binding socket -98.". This issue has been fixed.

PD-18244

Virtual Service UI: Fixed issues associated with missing UI controls after converting a VS from Generic to HTTP-HTTP/2-HTTPS.

PD-18202

LDAP UI Access: Fixed an issue that could allow an invalid user to get UI access.

PD-18144

GEO Clustering: Fixed an issue that caused GEO cluster checks to fail with the log message "logger: error receiving the file from the remote LM".

PD-18140

Logging - ESP: Added ESP user logs when flushing the SSO cache.

PD-18137

WAF: Fixed a bug in Custom Rules selection that required selecting 'drupal' to enable any custom rules.

PD-18098

WAF PowerShell API: Added the AlertThreshold parameter to the addvs command.

PD-18043

Real Servers: Fixed an issue where ECS Connection Manager failed to pass data to a Real Server with an Elliptical Curve (EC) certificate.

PD-18041

SubVS Multiple Connect: In previous releases, when Enable Multiple Connect was turned on for a SubVS, some connections would close if the server response body was empty. This issue has been fixed.

PD-18028

WUI Login: In previous releases, certificate based login would fail unless the CN (Common Name) in the certificate included an emailAddress attribute. This bug has been fixed.

PD-17973

Single Sign On - LDAP: Fixed issues associated with LDAP SSO no longer working after an upgrade to v7.2.53. The issues appeared in conjunction with log messages like the following:
ssomgr: ... Couldn't bind: [LDAP-AD] [ip-addresses-omitted]: 32, No such object
ssomgr: do_sso_ldap_check: Could not get ldap_result for (credentials-omitted): 32 [No such object]

PD-17947

IPv6 and Packet Filtering: Fixed an issue where IPv6 traffic from a Real Server (acting as a client) was not forwarded by the ECS Connection Manager when packet filtering was enabled.

PD-17934

QoS / Client Limiting: Fixed an issue that could cause client limiting to thrash between limiting and not limiting a client.

PD-17931

Content Response Rules: Fixed an issue that caused performance issues when attempting to apply a response rule to an empty file.

PD-17876

QoS/Limiting: Fixed an issue that could cause a kernel panic when limiting UDP traffic.

PD-17867

Historical Graphs UI: Addressed an issue that caused some graphs to disappear from the page following upgrade to v7.2.53.

PD-17719

RADIUS Health Checks: Fixed an issue where RADIUS health checks with very long re-authentication times stopped working after upgrade to v7.2.52.

PD-17601

Syslog CEF Logging: Fixed issues where, with Common Event Format logging enabled, some user logs were improperly merged because of spurious characters (%5c) in the login string.

PD-17451

API V2 (JSON): Fixed an issue where the listfqdns API V2 command was returning an invalid JSON response with duplicate keys. The parameters are now properly wrapped inside an array.

PD-15585

TLS Handshake: For some applications (e.g., the iOS Mail app or the Android 10 Skype app), ECS Connection Manager did not properly downgrade the TLS version used when TLS 1.3 was requested but not configured on the Virtual Service. This bug has been fixed.

New Known Issues

PD-19175 ESP User Logs: It is possible that the domain name reported in a login message and an associated kill session message do not match.
PD-19108 GEO: Modifying an FQDN entry displays a spurious error on the system console, similar to the one shown below. The FQDN is modified properly.

<FQDN>:794 Uncaught ReferenceError: disp_addrr_elements is not defined
    at <FQDN>:794
(anonymous) @ <FQDN>:794

PD-19093 GEO: Cannot configure GEO into partnering mode unless there is at least one FQDN already defined.
PD-18646 Certificate-Based Administrative Login: Using a certificate that does not have a SAN attribute (i.e., no Principal Name) results in a failed login attempt.
PD-18615 GEO: No statistics (queries per second, etc.) are displayed for a site if the FQDN is configured to use the "All Available" Selection Criteria.

Existing Known Issues

The following issues appeared in the Release Notes for the previous release of ECS Connection Manager.

PD-18099 Client Certificates: Authentication may be denied if multiple "Other names" are present in the client certificate.
PD-18021 Content Rule UI: Display is incorrect when the 'Ignore case' option is enabled.
PD-17933 ESP: When ESP sends data, it sets the Set-Cookie header without a samesite parameter, which causes some browsers to interpret this as "samesite=lax" and possibly refuse to deliver content.
PD-17927 LDAP UI Access: Under certain circumstances, a user that has no LDAP credentials can gain access to the UI.
PD-16140 GEO: TXT records are blank after 1024 IP addresses are added to an FQDN.
PD-15872 LDAP/Syslog: StartTLS is not working when the Server Certificate Validation flag is enabled.
PD-15633 GEO: If you add a Zone Name to GEO after you have created working FQDNs, GEO may no longer respond to queries for one or more of the FQDNs after the Zone Name is added. The workaround is to remove and then re-add the FQDNs that are no longer working.
PD-15475 VS Redirects: If you attempt to upload a new redirect error HTML file to a Virtual Service with Not Available Redirection Handling enabled while traffic is currently being redirected, then traffic to the VS is dropped. Click the Error Message radio button in the UI and the VS begins accepting connections again.
PD-15354 SSO Timeout: In v7.2.51.0, a fix was introduced for issues that caused an SSO client to not be properly logged out when the configured session timeout expires. It has been observed that while sessions do timeout, they are not always closed immediately upon the expiry of the timer; it can take close to a minute longer for the session to be closed.
PD-15294 ESP Verify Bearer Header: ECS Connection Manager does not return an error when an encrypted token is received and there is no SSL certificate assigned to the VS to decrypt the token.
PD-15172 ESP Verify Bearer Header: Validation is not working when "Allowed Virtual Hosts" and "Allowed Virtual Directories" are blank on the Virtual Service.
PD-14943 Single Sign On: When Form Based Authentication is enabled on the server side, it is possible that after filling out correct credentials and submitting the login form, the form will be presented again; once the second login form is submitted with correct credentials, the login succeeds.
PD-13899 ACLs and Real Servers: Real Servers located on networks on which ECS Connection Manager also has an IP address are always allowed to access Virtual Services on that network interface regardless of any access control list (ACL) settings on ECS Connection Manager. For Layer 7 services, this issue can be worked around using Content Rules. The workaround for other services is to block access for local Real Servers (if desired) on another network device (firewall, switch, router, etc.).
PD-12838 ESP / SSO: The ESP Permitted Group SID(s) setting is not working as expected when configured on a SubVS.
PD-12616 WAF / Compression: With Web Application Firewall (WAF) enabled, compressed files are incorrectly decompressed. As a workaround, ensure compression is enabled in VS Advanced Properties by selecting the Enable Compression option.
PD-12354 / PD-10466 Hardware Support: The ECS Connection Manager models do not support the following SFP+ modules: LM-SFP-SX (SFP+ SX Transceiver 1000BASE-SX 850nm, 550m over MMF), LM-SFP-LX (SFP+ LX Transceiver 1000BASE-LX 1310nm, 10KM over SMF).
PD-12237 HA / NTP: Configuring NTP for the first time after the system is running in High Availability (HA) mode and when the current time on the machines is not correct, may cause the systems to both go into the Master state.
PD-12147 ESP / RADIUS: In an ECS Connection Manager configuration with ESP and Radius server-side authentication enabled, sessions may fail to be established.
PD-11861 RADIUS / IPv6: IPv6 is not supported by the current RADIUS implementation in the ECS Connection Manager for both WUI Authorization and ESP Authentication.
PD-11044 SharePoint Virtual Services: A second authentication prompt is presented when a file is uploaded to SharePoint with the following configuration: WAF is configured with Process Responses enabled on the main Virtual Service and KCD is enabled on the SubVS level for server-side authentication.
PD-10586 GEO: If a GEO FQDN is configured with All Available as the Selection Criteria, IP addresses are returned even if the cluster is disabled.
PD-10490 WAF: The vsremovewafrule RESTful API command does not allow multiple rules to be removed. This problem has been fixed.
PD-10193 Exchange 2010 Virtual Services: A WAF, ESP, and KCD configuration with Microsoft Exchange 2010 is not supported.
PD-10188 Browser Support: (Safari) When adding a Real Server to a Virtual Service or SubVS using the Safari browser, the list of available Real Servers is not available.
PD-10136 Clustering: In an ECS Connection Manager cluster configuration, a new node can be added with the same IP address as an existing node.
PD-9816 / PD-9476 WAF: There is an API command to list individual rules in a ruleset, but there is no command to list the available rulesets themselves.
PD-9765 GEO: DNS TCP requests from unknown sources are not supported.
PD-9507 Networking: Unable to add an SDN controller using the RESTful API/WUI in a specific scenario.
PD-9375 SharePoint Virtual Services: Microsoft Office files in SharePoint do not work in Firefox and Chrome when using SAML authentication.
