Edge Security Pack (ESP)


Edge Security Pack (ESP) VERSION: 1.2 UPDATED: SEPTEMBER 2013 Copyright 2002-2013 KEMP Technologies, Inc. All Rights Reserved. Page 1 / 22

Copyright Notices

Copyright 2002-2013 KEMP Technologies, Inc. All rights reserved. KEMP Technologies and the KEMP Technologies logo are registered trademarks of KEMP Technologies, Inc. KEMP Technologies, Inc. reserves all ownership rights for the LoadMaster product line including software and documentation. The use of the LoadMaster Exchange appliance is subject to the license agreement. Information in this guide may be modified at any time without prior notice. Microsoft Windows is a registered trademark of Microsoft Corporation in the United States and other countries. All other trademarks and service marks are the property of their respective owners.

Limitations: This document and all of its contents are provided as-is. KEMP Technologies has made efforts to ensure that the information presented herein is correct, but makes no warranty, express or implied, about the accuracy of this information. If any material errors or inaccuracies should occur in this document, KEMP Technologies will, if feasible, furnish appropriate correctional notices which Users will accept as the sole and exclusive remedy at law or in equity. Users of the information in this document acknowledge that KEMP Technologies cannot be held liable for any loss, injury or damage of any kind, present or prospective, including without limitation any direct, special, incidental or consequential damages (including without limitation lost profits and loss of or damage to goodwill) whether suffered by recipient or third party or from any action or inaction whether or not negligent, in the compiling or in delivering or communicating or publishing this document. Any Internet Protocol (IP) addresses, phone numbers or other data that may resemble actual contact information used in this document are not intended to be actual addresses, phone numbers or contact information.
Any examples, command display output, network topology diagrams, and other figures included in this document are shown for illustrative purposes only. Any use of actual addressing or contact information in illustrative content is unintentional and coincidental.

Portions of this software are copyright (c) 2004-2006 Frank Denis. All rights reserved; copyright (c) 2002 Michael Shalayeff. All rights reserved; copyright (c) 2003 Ryan McBride. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY THE ABOVE COPYRIGHT HOLDERS ''AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE ABOVE COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. The views and conclusions contained in the software and documentation are those of the authors and should not be interpreted as representing official policies, either expressed or implied, of the above copyright holders.
Portions of the LoadMaster software are copyright (C) 1989, 1991 Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA, and KEMP Technologies Inc. is in full compliance with the GNU license requirements, Version 2, June 1991. Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.

Portions of this software are Copyright (C) 1988, Regents of the University of California. All rights reserved. Redistribution and use in source and binary forms are permitted provided that the above copyright notice and this paragraph are duplicated in all such forms and that any documentation, advertising materials, and other materials related to such distribution and use acknowledge that the software was developed by the University of California, Berkeley. The name of the University may not be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Portions of this software are Copyright (C) 1998, Massachusetts Institute of Technology Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
Portions of this software are Copyright (C) 1995-2004, Jean-loup Gailly and Mark Adler. This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software. Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions:

1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required.
2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software.
3. This notice may not be removed or altered from any source distribution.

Portions of this software are Copyright (C) 2003, Internet Systems Consortium. Permission to use, copy, modify, and/or distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies. THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

Used, under license, U.S. Patent No. 6,473,802 and 6,374,300.

Table of Contents

1 Introduction
2 The LoadMaster Edge Security Pack (ESP)
  2.1.1 End Point Authentication for Pre-Auth
  2.1.2 Persistent Logging and Reporting for User Logging
  2.1.3 Single Sign On Across Virtual Services
  2.1.4 LDAP Authentication from the LoadMaster to the Active Directory
  2.1.5 NTLM and Basic Authentication Communication from a Client to the LoadMaster
3 Setting up a Virtual Service with ESP
  3.1 Create a Single Sign-On (SSO) Domain
  3.2 Create a Content-matching Rule
  3.3 Create a Virtual Service
  3.4 Configure an SMTP ESP Service
4 ESP Web User Interface (WUI) Options
  4.1 ESP Options
    4.1.1 SMTP Virtual Services and ESP
  4.2 Debug Options
    4.2.1 Flush SSO Authentication Cache
    4.2.2 Linear SSO Logfiles
  4.3 Logging Options
References
Document History

1 Introduction

KEMP has built a large and loyal install base across a range of market segments, applications and geographies. These include a large number of customers who have deployed KEMP's LoadMaster load balancers in conjunction with Microsoft workloads. As part of the solution for Exchange, Lync or SharePoint, a key component has historically been Microsoft's Forefront Threat Management Gateway (TMG). One key feature of TMG was that it offered customers a way to publish and protect workload servers such as Exchange Client Access Servers, especially in Internet-facing deployments where a clean separation between critical infrastructure and the public Internet is essential. Now that End of Sale for TMG has arrived, KEMP Technologies has extended the LoadMaster platform with a new security feature pack that builds on existing core technologies such as the Reverse Proxy function, which has enabled successful joint deployments of TMG and LoadMaster in Internet-facing Microsoft applications.

2 The LoadMaster Edge Security Pack (ESP)

The KEMP Edge Security Pack (ESP) delivers a solution, using the KEMP LoadMaster line of load balancers, to customers who would previously have deployed TMG to publish their Microsoft applications.

Figure 2-1: Application deployments simplified by LoadMaster with the ESP

The KEMP ESP offers the following key features:

- End Point Authentication for Pre-Auth
- Persistent Logging and Reporting for User Logging
- Single Sign On (SSO) Across Virtual Services
- LDAP Authentication from the LoadMaster to the Active Directory
- NTLM and Basic Authentication Communication from a Client to the LoadMaster

A reboot is required after upgrading a LoadMaster to an ESP license.

2.1.1 End Point Authentication for Pre-Auth

Clients trying to access Virtual Services on the LoadMaster must provide authentication information, which the ESP uses to validate the client's right to access the service. On success the client is allowed to access the service; on failure the client is blocked until valid credentials are provided.

2.1.2 Persistent Logging and Reporting for User Logging

Client attempts to access a service are logged on the LoadMaster as part of the ESP, allowing monitoring by the administrator.

2.1.3 Single Sign On Across Virtual Services

The LoadMaster is designed to handle multiple Virtual Services supporting unique workloads. These Virtual Services can be joined together into Single Sign On groups. The ESP enables clients to enter authentication information only for the first Virtual Service; the same information is then used to access the other services in the Single Sign On group. A client accessing Exchange will therefore also be able to access SharePoint and other workloads if they are configured in the same Single Sign On group.

2.1.4 LDAP Authentication from the LoadMaster to the Active Directory

Active Directory is the standard authentication provider for Microsoft workloads. The LoadMaster supports the key connection types between the LoadMaster and the Active Directory.

2.1.5 NTLM and Basic Authentication Communication from a Client to the LoadMaster

The LoadMaster with ESP supports the key authentication types, Basic and NTLM, between the client and the LoadMaster, providing clients with an optimum authentication experience.

Large and small businesses are deploying large numbers of Internet-facing applications to support ever-expanding business requirements. This rapidly growing number of servers needs to be scalable and highly reliable. Above all, access to these servers and services needs to be secure. With the addition of the ESP, the KEMP LoadMaster continues to deliver on customer security requirements for Internet-facing applications in a world without Forefront TMG, while continuing to address requirements for feature-rich and cost-effective scalability and high reliability.

3 Setting up a Virtual Service with ESP

This section details the steps required to configure ESP on a Virtual Service. To enable ESP functionality, an SSL certificate must be imported to the LoadMaster, and the certificate must contain a private key. This document assumes that the certificate has already been imported correctly. For details on configuring SSL certificates, refer to the SSL Accelerated Services, Configuration Guide document.

3.1 Create a Single Sign-On (SSO) Domain

Follow the steps below to create an SSO domain:

1. Log in to the LoadMaster.
2. Click the Virtual Services option in the main menu and select Manage SSO Domains.

Figure 3-1: Add SSO Domain

3. Enter the name of the domain in the Domain field and click the Add button.

Figure 3-2: LDAP Settings

4. Select the LDAP protocol. Not encrypted, used in this example, sends the LDAP bind, and with it every password the LoadMaster checks, to the domain controller in clear text; select StartTLS or LDAPS whenever the Active Directory environment is configured for it.
5. Select the relevant Logon format:
   - principalname: the client does not need to enter the domain when logging in. The LoadMaster uses the name of the SSO domain as the domain and forms the principal name, for example name@domain.com.
   - username: the client enters the domain and user name, for example domain\name.
6. In the LDAP Server(s) field, enter a space-separated list of domain controllers to be used for authentication, then click the Set LDAP Server(s) button.
7. In the Test User and Test User Password fields, enter the credentials of a user account in your SSO domain. The LoadMaster uses these credentials in a health check of the LDAP server, performed every 20 seconds. Use a dedicated account with no rights beyond logging on: the LoadMaster has to keep its password, and the account is needed only to confirm that the LDAP server answers.
8. Click OK.

3.2 Create a Content-matching Rule

In this example we create a content rule and a Virtual Service for the Exchange 2013 owa service. Follow the steps below to create the content-matching rule:

1. In the menu on the left, click Rules & Checking and select Content Rules.
2. Click the Create New button.

Figure 3-3: Create Rule Screen

3. Enter the Rule Name, for example owa.
4. Ensure the Rule Type is set to Content Matching.
5. Ensure that Match Type is set to Regular Expression.
6. Enter the Pattern in the Match String textbox, for example ^/owa* for the OWA virtual directory. Note that in a regular expression the * applies only to the preceding character, so ^/owa* also matches /ow and /owaaa; ^/owa on its own matches every path under the OWA virtual directory and is the tighter choice.
7. Tick the Ignore Case checkbox.
8. Click the Create Rule button.

3.3 Create a Virtual Service

Follow the steps below to create a Virtual Service with ESP. In this example we configure an owa service for Exchange 2013.

1. In the menu on the left, click Virtual Services and select Add New.

Figure 3-4: Parameters for the Virtual Service

2. Enter the Virtual Address, for example 10.11.0.157. This is the virtual IP. It must be unique and not in use by any other device on the network.
3. Enter 443 as the Port number, as all workloads will access Exchange 2013 using HTTPS. Creating Virtual Services for other protocols is outside the scope of this document.
4. Enter the desired Service Name, for example Exchange 2013 owa.
5. Ensure that tcp is selected as the Protocol.
6. Click the Add this Virtual Service button.
7. Expand the SSL Properties section.

Figure 3-5: SSL Properties

8. Select the Enabled checkbox.
9. Select the Reencrypt checkbox. This keeps the connection from the LoadMaster to the Client Access Servers encrypted, which matters because step 26 forwards the user's credentials to them with Basic Authentication.
10. Expand the Standard Options section.
11. Ensure that none is selected as the Persistence Options mode.
12. Ensure that round robin is selected as the Scheduling Method.
13. In the parent VS modify screen, in the Advanced Properties section, click the Enable button for Content Switching.
14. Click the HTTP Selection Rules button to open the Match Rules page.
15. Select the rule created previously and click the Add button.
16. Click the Back button.
17. Expand the ESP Options section.

Figure 3-6: ESP Options

18. Select the Enable ESP checkbox.
19. Select the domain created earlier in the SSO Domain drop-down list.
20. Enter the relevant hosts in the Allowed Virtual Hosts field, for example mail.kempdemo.com. More than one host can be provided as a space-separated list. Wildcards can also be used, for example *kempdemo.com. The Allowed Virtual Hosts field should contain host names, not IP addresses.
21. Enter the directories that can be accessed through the VS, for example /owa*, in the Allowed Virtual Directories field.
22. Click the Set Allowed Directories button. If a SubVS needs to allow more than one virtual directory, use a space-separated list. Optionally, a wildcard character can be used, for example /* to allow all virtual directories.
23. Enter all the virtual directories that will not be pre-authorized by this VS, for example /owa/guid@smtpdomain*, in the Pre-Authorization Excluded Directories field. GUID and smtpdomain are unique to each organization; enter the actual values rather than a broad wildcard, because anything matching this field reaches the Real Servers without pre-authentication.
24. Click the Set Excluded Directories button.
25. Select Form Based in the Client Authentication Mode drop-down menu.
26. Select Basic Authentication in the Server Authentication Mode drop-down menu.
27. Enter a message in the SSO Greeting Message field, if required. The field accepts HTML code, so users can insert their own image if desired. The message can have up to 255 characters.
28. Ensure the Logoff String field is empty.
29. Expand the Real Servers section.
30. Enter /OWA/healthcheck.htm as the URL in the Real Server Check Parameters.
31. Select GET from the HTTP Method drop-down list.

3.4 Configure an SMTP ESP Service

To configure an SMTP ESP Service, follow the steps below:

1. In the menu on the left, click Virtual Services and select View/Modify Services. Click the Add New button.

Figure 3-7: Add a new Virtual Service Screen

2. Enter the Virtual IP Address in the Virtual Address field.
3. Enter 25 in the Port field.
4. Click the Add this Virtual Service button.
5. In the ESP Options section, tick Enable ESP.

Figure 3-8: ESP Options

6. Ensure the Connection Logging checkbox is ticked.
7. Specify the domains permitted by this Virtual Service in the Permitted Domains field.
8. Click the Permitted Domains button.

4 ESP Web User Interface (WUI) Options

The sections below describe the ESP WUI options.

4.1 ESP Options

The ESP feature must be enabled before the options can be configured. To enable the ESP function, select the Enable ESP checkbox. The full ESP Options screen will then appear.

Figure 4-1: Enable ESP

The ESP feature can only be enabled if the Virtual Service is an HTTP, HTTPS or SMTP Virtual Service.

Figure 4-2: ESP Options

Enable ESP
Enable or disable the ESP feature set by selecting or deselecting the Enable ESP checkbox.

ESP Logging
There are three types of logs stored in relation to the ESP feature. Each can be enabled or disabled by selecting or deselecting the relevant checkbox:
- User Access: logs recording all user logins
- Security: logs recording all security alerts
- Connection: logs recording each connection
Logs are persistent and can be accessed after a reboot of the LoadMaster.

SSO Domain
Select the Single Sign-On (SSO) Domain in which the Virtual Service will be included. Refer to Section 3.1 for information on configuring SSO Domains. An SSO Domain must be configured in order to configure the ESP feature correctly.

Allowed Virtual Hosts
Only requests for the specified virtual hosts are allowed through the Virtual Service; requests for any other host are blocked. Enter the virtual host name(s) in the Allowed Virtual Hosts field and click the Set Allowed Virtual Hosts button. Multiple domains may be specified in the field, allowing many domains to be associated with the SSO Domain. Regular expressions are allowed in this field. If the field is left blank, the Virtual Service is blocked.

Allowed Virtual Directories
Only requests for the specified virtual directories, within the allowed virtual hosts, are allowed; requests for any other directory are blocked. Enter the virtual directory name(s) in the Allowed Virtual Directories field and click the Set Allowed Virtual Directories button. Regular expressions are allowed in this field.

Pre-Authorization Excluded Directories
Any virtual directories specified in this field are not pre-authorized on this Virtual Service and are passed directly to the relevant Real Servers.

Client Authentication Mode
Specifies how clients attempting to connect to the LoadMaster are authenticated. Three methods are available:
- None: no client authentication is required
- Basic Authentication: standard Basic Authentication is used
- Form Based: clients must enter their user details in a form to be authenticated on the LoadMaster

Server Authentication Mode
Specifies how the LoadMaster authenticates to the Real Servers. Two methods are available:
- None: the LoadMaster does not authenticate to the Real Servers
- Basic Authentication: standard Basic Authentication is used
If None is selected as the Client Authentication Mode, None is automatically selected as the Server Authentication Mode. Similarly, if either Basic Authentication or Form Based is selected as the Client Authentication Mode, Basic Authentication is automatically selected as the Server Authentication Mode.

SSO Image Set
This option is only available if Form Based is selected as the Client Authentication Mode. It selects the form used to gather the user's Username and Password. There are two forms, Exchange and Blank, and there are options to display the form and error messages in other languages.

Exchange Form: the Exchange Form contains the KEMP logo.

Figure 4-3: Exchange Form

Blank Form: the Blank Form does not contain the large KEMP logo.

Figure 4-4: Blank Form

SSO Greeting Message
The login forms can be further customized by adding text. Enter the text to appear on the form in the SSO Greeting Message field and click the Set SSO Greeting Message button. The field accepts HTML code, so users can insert their own image if desired. The message can have up to 255 characters.

Logoff String
Normally this field should be left blank, as the LoadMaster detects users logging out of OWA by the default logoff string. In customized environments, administrators may have modified the OWA logoff string; if so, the modified logoff string must be specified in this field.

VS Status
When View/Modify Services is clicked in the main menu, the status of each VS is displayed. When ESP is enabled a new status is available: Security Down.

Figure 4-5: Security Down Status

The LoadMaster checks the health of the authentication server every 20 seconds. If the authentication server cannot be reached, the VS goes into the Security Down state, in which no new users are allowed to access the VS. Existing connections are not affected until their connection times out.

4.1.1 SMTP Virtual Services and ESP

If an SMTP Virtual Service (with 25 as the port) is created, the ESP feature is available when the Enable ESP checkbox is selected, but with a reduced set of options.

Figure 4-6: SMTP ESP Options

Enable ESP
Enable or disable the ESP feature set by selecting or deselecting the Enable ESP checkbox.

Connection Logging
Logging of connections can be enabled or disabled by selecting or deselecting the Connection Logging checkbox.

Permitted Domains
All the domains this Virtual Service is permitted to receive must be specified here. For example, if the Virtual Service should receive SMTP traffic from john@kemp.com, the kemp.com domain must be specified in this field.

4.2 Debug Options

There are two ESP-specific Debug Options in the WUI. These are described below.

4.2.1 Flush SSO Authentication Cache

Clicking the Flush SSO Cache button flushes the Single Sign-On cache on the LoadMaster. This logs off all clients using Single Sign-On to connect to the LoadMaster.

4.2.2 Linear SSO Logfiles

By default, older log files are deleted to make room for newer log files so that the file system does not become full. Selecting the Linear SSO Logfiles checkbox prevents older files from being deleted. When using Linear SSO Logging, if the log files are not periodically removed and the file system becomes full, access to Virtual Services with ESP enabled is blocked, preventing unlogged access to the Virtual Service. Access to non-ESP-enabled Virtual Services is unaffected by the Linear SSO Logfile feature.
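The two retention policies of Section 4.2.2, modelled on a tiny audit log so that the difference in failure mode can be seen. This is an added example, not LoadMaster code; the file naming, the byte capacity standing in for the log file system, and the record format are constructed for the illustration.

```python
import tempfile
from pathlib import Path


class EspAuditLog:
    """Stores one record per ESP decision in numbered files under `directory`.
    `capacity_bytes` stands in for the size of the log file system.  With
    linear=False the oldest file is deleted to make room (the LoadMaster default);
    with linear=True nothing is ever deleted and record() reports failure instead."""

    def __init__(self, directory, capacity_bytes: int, file_bytes: int, linear: bool = False):
        self.dir = Path(directory)
        self.dir.mkdir(parents=True, exist_ok=True)
        self.capacity = capacity_bytes
        self.file_bytes = file_bytes      # start a new file once the current one reaches this size
        self.linear = linear
        self.seq = 0

    def files(self):
        return sorted(self.dir.glob("esp-*.log"))   # zero-padded names sort oldest first

    def _used(self) -> int:
        return sum(f.stat().st_size for f in self.files())

    def _current(self) -> Path:
        files = self.files()
        if files and files[-1].stat().st_size < self.file_bytes:
            return files[-1]
        self.seq += 1
        return self.dir / f"esp-{self.seq:06d}.log"

    def record(self, line: str) -> bool:
        """True when the record is on disk, False when it could not be stored."""
        data = (line.rstrip("\n") + "\n").encode()
        while self._used() + len(data) > self.capacity:
            files = self.files()
            if self.linear or not files:
                return False           # linear mode: never make room by deleting
            files[0].unlink()          # default mode: drop the oldest archive
        with self._current().open("ab") as fh:
            fh.write(data)
        return True


def gate(log: EspAuditLog, user: str, path: str) -> str:
    """An ESP-enabled Virtual Service grants access only once the access record
    is stored; if the log cannot be written, the request is refused."""
    if not log.record(f"user={user} path={path} result=allowed"):
        return "blocked: log full"
    return "allowed"


def demo(linear: bool, requests: int = 4):
    """Run `requests` identical accesses against a fresh log directory whose
    'file system' holds exactly three records, one per file.  Returns the
    verdicts and the log files left behind."""
    n = len("user=jsmith path=/owa/ result=allowed") + 1     # bytes per record (constructed)
    log = EspAuditLog(tempfile.mkdtemp(), capacity_bytes=3 * n, file_bytes=n, linear=linear)
    verdicts = [gate(log, "jsmith", "/owa/") for _ in range(requests)]
    return verdicts, [f.name for f in log.files()]


if __name__ == "__main__":
    print("default:", demo(linear=False))
    print("linear :", demo(linear=True))
```

Linear mode is the fail-closed choice: a request that cannot be logged is refused rather than served unlogged, which is what the page describes. The price is that a full file system becomes an outage for every ESP-enabled Virtual Service, so pair Linear SSO Logfiles with a schedule for the Save and Clear actions of Section 4.3 and with monitoring of the log file system.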

4.3 Logging Options

The ESP Options screen provides options for logs relating to the ESP feature. These logs are persistent and are available after a LoadMaster reboot. To view all the options, click the icons.

Figure 4-7: ESP Logging Options Screen

There are three types of log files relating to ESP stored on the LoadMaster:
- ESP Connection Logs: logs recording each connection
- ESP Security Logs: logs recording all security alerts
- ESP User Logs: logs recording all user logins

To view the logs, click the relevant View button. The logs can be filtered in a number of ways. To view logs between particular dates, select the relevant dates in the from and to fields and click the View button. One or more archived log files can be viewed by selecting the relevant file(s) from the list of file names and clicking the View button. The logs can also be filtered by entering a word or words, or a regular expression, in the filter field and clicking the View button.

Clear ESP Logs
All ESP logs can be deleted by clicking the Clear button. Specific log files can be deleted by filtering on a specific date range, selecting one or more individual log files in the log file list, or selecting a specific log type (connection, security or user) in the log file list, and then clicking the Clear button. Click OK on any warning messages.

Save ESP Logs
All ESP logs can be saved to a file by clicking the Save button. Specific log files can be saved by filtering on a specific date range, selecting one or more individual log files in the log file list, or selecting a specific log type (connection, security or user) in the log file list, and then clicking the Save button.

References

The following items are referenced within this document:
1. Web User Interface, Interface Description, http://www.kemptechnologies.com/documentation
2. SSL Accelerated Services, Configuration Guide, http://www.kemptechnologies.com/documentation

Document History

Date           | Change          | Reason for Change                | Version | Resp.
Jun-2013       | Initial draft   | Initial draft of document        | v1.0    | LB
July-2013      | Release updates | Minor release updates for 7.0-6  | v1.1    | LB
September-2013 | Minor change    | Additional information added     | v1.2    | LB