Edge Security Pack (ESP)
Feature Description
VERSION: 1.10
UPDATED: JULY 2014
Copyright © 2002 - 2014 KEMP Technologies, Inc. All Rights Reserved. Page 1 / 26
Copyright Notices
Copyright © 2002-2014 KEMP Technologies, Inc. All rights reserved. KEMP Technologies and the KEMP
Technologies logo are registered trademarks of KEMP Technologies, Inc.
KEMP Technologies, Inc. reserves all ownership rights for the LoadMaster product line including software
and documentation. The use of the LoadMaster Exchange appliance is subject to the license agreement.
Information in this guide may be modified at any time without prior notice.
Microsoft Windows is a registered trademark of Microsoft Corporation in the United States and other
countries. All other trademarks and service marks are the property of their respective owners.
Limitations: This document and all of its contents are provided as-is. KEMP Technologies has made efforts
to ensure that the information presented herein is correct, but makes no warranty, express or implied,
about the accuracy of this information. If any material errors or inaccuracies should occur in this document,
KEMP Technologies will, if feasible, furnish appropriate correctional notices which Users will accept as the
sole and exclusive remedy at law or in equity. Users of the information in this document acknowledge that
KEMP Technologies cannot be held liable for any loss, injury or damage of any kind, present or prospective,
including without limitation any direct, special, incidental or consequential damages (including without
limitation lost profits and loss of damage to goodwill) whether suffered by recipient or third party or from
any action or inaction whether or not negligent, in the compiling or in delivering or communicating or
publishing this document.
Any Internet Protocol (IP) addresses, phone numbers or other data that may resemble actual contact
information used in this document are not intended to be actual addresses, phone numbers or contact
information. Any examples, command display output, network topology diagrams, and other figures
included in this document are shown for illustrative purposes only. Any use of actual addressing or contact
information in illustrative content is unintentional and coincidental.
Portions of this software are: copyright (c) 2004-2006 Frank Denis. All rights reserved; copyright (c) 2002
Michael Shalayeff. All rights reserved; copyright (c) 2003 Ryan McBride. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided
that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the
following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
following disclaimer in the documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE ABOVE COPYRIGHT HOLDERS ''AS IS'' AND ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE ABOVE COPYRIGHT
HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
The views and conclusions contained in the software and documentation are those of the authors and
should not be interpreted as representing official policies, either expressed or implied, of the above
copyright holders.
Portions of the LoadMaster software are copyright (C) 1989, 1991 Free Software Foundation, Inc. (51
Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA) and KEMP Technologies Inc. is in full compliance
with the GNU license requirements, Version 2, June 1991. Everyone is permitted to copy and distribute
verbatim copies of this license document, but changing it is not allowed.
Portions of this software are Copyright (C) 1988, Regents of the University of California. All rights reserved.
Redistribution and use in source and binary forms are permitted provided that the above copyright notice
and this paragraph are duplicated in all such forms and that any documentation, advertising materials, and
other materials related to such distribution and use acknowledge that the software was developed by the
University of California, Berkeley. The name of the University may not be used to endorse or promote
products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING,
WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE.
Portions of this software are Copyright (C) 1998, Massachusetts Institute of Technology
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated
documentation files (the "Software"), to deal in the Software without restriction, including without
limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the
Software, and to permit persons to whom the Software is furnished to do so, subject to the following
conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions
of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
Portions of this software are Copyright (C) 1995-2004, Jean-loup Gailly and Mark Adler
This software is provided 'as-is', without any express or implied warranty. In no event will the authors be
held liable for any damages arising from the use of this software.
Permission is granted to anyone to use this software for any purpose, including commercial applications,
and to alter it and redistribute it freely, subject to the following restrictions:
1. The origin of this software must not be misrepresented; you must not claim that you wrote the original
software. If you use this software in a product, an acknowledgment in the product documentation would
be appreciated but is not required.
2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the
original software.
3. This notice may not be removed or altered from any source distribution.
Portions of this software are Copyright (C) 2003, Internet Systems Consortium
Permission to use, copy, modify, and/or distribute this software for any purpose with or without fee is
hereby granted, provided that the above copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING
ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT,
INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS,
WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE
USE OR PERFORMANCE OF THIS SOFTWARE.
Used, under license, U.S. Patent Nos. 6,473,802, 6,374,300, 8,392,563, 8,103,770, 7,831,712, 7,606,912, 7,346,695, 7,287,084 and 6,970,933.
Table of Contents
1 Introduction (p. 5)
2 The LoadMaster Edge Security Pack (ESP) (p. 6)
2.1.1 End Point Authentication for Pre-Auth (p. 6)
2.1.2 Persistent Logging and Reporting for User Logging (p. 7)
2.1.3 Single Sign-On Across Virtual Services (p. 7)
2.1.4 LDAP Authentication from the LoadMaster to the Active Directory (p. 7)
2.1.5 Basic Authentication Communication from a Client to the LoadMaster (p. 7)
3 Setting up a Virtual Service with ESP (p. 8)
3.1 Create a Single Sign-On (SSO) Domain (p. 8)
3.2 Create a Content-Matching Rule (p. 10)
3.3 Create a Virtual Service (p. 11)
3.4 Configure a Simple Mail Transfer Protocol (SMTP) ESP Service (p. 15)
4 ESP Web User Interface (WUI) Options (p. 17)
4.1 ESP Options (p. 17)
4.1.1 SMTP Virtual Services and ESP (p. 22)
4.2 Debug Options (p. 22)
4.2.1 Flush SSO Authentication Cache (p. 22)
4.2.2 Linear SSO Log Files (p. 22)
4.3 Logging Options (p. 23)
References (p. 25)
Document History (p. 26)
1 Introduction
KEMP has built a large and loyal install base across a range of market segments, applications and
geographies. These include a large number of customers who have deployed KEMP’s LoadMaster
load balancers in conjunction with Microsoft workloads. As a part of the solution for Microsoft
workloads, a key component has historically been Microsoft’s Forefront Threat Management
Gateway (TMG). One key feature of TMG was that it offered customers a way to publish and
protect workload servers such as Exchange Client Access Servers especially in Internet-facing
deployments where a clean separation between critical infrastructure and the public internet is
essential.
KEMP Technologies has extended the LoadMaster platform with a security feature pack called Edge
Security Pack (ESP), building on the core technologies that have enabled successful joint deployments
of TMG and LoadMaster in Internet-facing Microsoft workloads.
3. Enter the name of the domain in the Domain field and click the Add button.
When using RADIUS as the Authentication protocol the value in this SSO
domain field must exactly match for the login to work. It is case sensitive.
username: Selecting this as the logon format means that the client needs to enter
the domain and username, for example domain\name@domain.com.
7. Specify the number of Failed Login Attempts that a user can have before their
account is locked out. Click Set Failed Login Attempts.
When a user is locked out, all existing logins for that user will be
terminated, along with future logins.
8. Enter the time (in seconds) after which the failed login attempt counter should be reset in the
Reset Failed Login Attempt Counter field. Click Set Reset-Failed Timeout.
9. Enter the amount of time (in seconds) after which a blocked user account will be
unblocked in the Unblock Timeout text box. Click Set Unblock Timeout.
10. Enter the relevant value(s) in the public and private idle time and max duration
text box(es) and click the relevant button(s) as appropriate. The timeout value that
will be applied depends on whether the user selects public or private on the login
screen.
11. Select the relevant option for use value (either max duration or idle time).
12. In the Test User and Test User Password fields, enter credentials of a user account
for the SSO Domain. The LoadMaster will use this information in a health check of
the Authentication Server. This health check is performed every 20 seconds. This
20 second health check is hard coded and cannot be modified.
13. Click OK.
It is also possible to unlock blocked users from the Manage Domain screen.
To do this, simply click the unlock button for the relevant blocked user.
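The following model of the lockout settings from steps 7 to 9 is an added illustration, not LoadMaster code: a user is locked out after the configured number of failed logins, the failure counter restarts after the Reset-Failed Timeout, a locked-out account is unblocked after the Unblock Timeout or by the unlock button, and a lockout terminates the user's existing logins. The policy values are constructed, and it is assumed that the reset timeout counts from the most recent failed attempt.

```python
# Added illustration of the SSO domain lockout settings (steps 7-9), not
# LoadMaster code. Policy values are constructed; the reset timeout is
# assumed to count from the most recent failed attempt.
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

@dataclass
class LockoutPolicy:
    failed_login_attempts: int = 5   # Failed Login Attempts (constructed)
    reset_failed_timeout: int = 60   # Reset-Failed Timeout, seconds
    unblock_timeout: int = 300       # Unblock Timeout, seconds

@dataclass
class UserState:
    failures: int = 0
    last_failure_at: Optional[float] = None
    blocked_until: Optional[float] = None
    sessions: Set[str] = field(default_factory=set)

class SsoDomain:
    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.users: Dict[str, UserState] = {}
        self._seq = 0   # session id counter

    def _state(self, user: str) -> UserState:
        return self.users.setdefault(user, UserState())

    def unlock(self, user: str) -> None:
        """Clear a lockout: the Unblock Timeout expiring or the unlock button."""
        st = self._state(user)
        st.blocked_until, st.failures, st.last_failure_at = None, 0, None

    def is_blocked(self, user: str, now: float) -> bool:
        st = self._state(user)
        if st.blocked_until is None:
            return False
        if now >= st.blocked_until:          # Unblock Timeout has elapsed
            self.unlock(user)
            return False
        return True

    def active_sessions(self, user: str) -> Set[str]:
        return set(self._state(user).sessions)

    def login(self, user: str, credentials_ok: bool, now: float) -> str:
        """Return 'blocked', 'denied', or a new session id on success."""
        st = self._state(user)
        if self.is_blocked(user, now):
            return "blocked"                 # lockout also stops new logins
        if credentials_ok:
            st.failures, st.last_failure_at = 0, None
            self._seq += 1
            sid = f"{user}-{self._seq}"
            st.sessions.add(sid)
            return sid
        # Failed attempt: the counter restarts once the Reset-Failed Timeout
        # has passed since the previous failure.
        if (st.last_failure_at is not None
                and now - st.last_failure_at >= self.policy.reset_failed_timeout):
            st.failures = 0
        st.failures += 1
        st.last_failure_at = now
        if st.failures >= self.policy.failed_login_attempts:
            st.blocked_until = now + self.policy.unblock_timeout
            st.sessions.clear()              # existing logins are terminated
            return "blocked"
        return "denied"
```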
1. In the menu on the left, click Rules & Checking and select Content Rules.
2. Click the Create New … button.
This is the Virtual IP address of the Virtual Service. It must be unique and
not in use by any other device on the network.
3. Enter 443 as the Port number as all workloads will be accessing Exchange 2013 using
HTTPS.
Creating Virtual Services for other protocols is outside the scope of this
document.
4. Enter the desired Service Name, for example Exchange 2013 owa.
5. Ensure that tcp is selected as the Protocol.
6. Click the Add this Virtual Service button.
7. Expand the SSL Properties section.
The Allowed Virtual Hosts text box should contain host names, not IP
addresses.
34. Enter any directories that can be accessed by the Virtual Services, for example
/owa* in the Allowed Virtual Directories text box.
35. Click the Set Allowed Directories button.
If a SubVS needs to allow more than one virtual directory, use a space-
separated list. Optionally, a wildcard character can be used, for example /*
to allow all virtual directories.
36. Enter all the virtual directories that will not be pre-authorized by this Virtual Service,
for example, /owa/guid* in the Pre-Authorization Excluded Directories field.
37. Click the Set Excluded Directories button.
38. Enter any groups that are allowed to access this Virtual Service in the Permitted
Groups text box.
Multiple groups can be entered but the group names must be separated by a
semi-colon.
Custom SSO image sets can be created and uploaded to the LoadMaster. For
more information, refer to the Custom Authentication Form, Technical
Note.
The SSO Greeting Message can have up to 255 characters. The field accepts
HTML code, so an image can be inserted if desired. The grave accent
character ( ` ) is not supported. If this character is entered in the SSO
Greeting Message, it will not display in the output, for example a`b`c
becomes abc.
45. If required, select the Display Public/Private Option which will show a public/private
option on the login screen. When this option is enabled, the timeout value will be
determined based on which option the user selects. The timeout values are set in the
manage SSO domain screen. For more information on the timeout fields, refer to Section
3.1. When the user selects Private their username is stored for that session.
46. Select the relevant option in the Use Session or Permanent Cookies field.
Permanent cookies should only be used when using single sign on with
SharePoint or similar services.
3. Enter the Virtual IP Address for the Virtual Service in the Virtual Address text box.
4. Enter 25 in the Port text box.
5. Enter a recognizable Service Name, for example SMTP ESP.
6. Click the Add this Virtual Service button.
7. Expand the ESP Options section.
The ESP feature can only be enabled if the Virtual Service is an HTTP,
HTTPS or SMTP Virtual Service.
Enable ESP
Enable or disable the ESP feature set by selecting or deselecting the Enable ESP checkbox.
ESP Logging
There are three types of logs stored in relation to the ESP feature. Each of these logs can be
enabled or disabled by selecting or deselecting the relevant checkbox. The types of log include:
SSO Domain
Select the Single Sign-On (SSO) Domain within which the Virtual Service will be included.
Please refer to Section 3.1 for further information on configuring SSO Domains. An SSO Domain
must be configured in order to correctly configure the ESP feature.
Allowed Virtual Hosts
The Virtual Service will only be allowed access to specified virtual hosts. Any virtual hosts that are
not specified will be blocked.
Enter the virtual host name(s) in the Allowed Virtual Hosts field and click the Set Allowed Virtual
Hosts button to specify the allowed virtual hosts.
Multiple domains may be specified within the text box allowing many domains to be associated
with the SSO Domain.
The use of regular expressions is allowed within this text box.
If this text box is left blank, the Virtual Service will be blocked.
The group(s) specified must be valid groups on the Active Directory behind the SSO
domain associated with the Virtual Service.
The group(s) listed must be separated by a semi-colon.
A space-separated list does not work because most groups contain a space in
the name, for example Domain Users.
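The following is an added illustration, not LoadMaster code, of how the per-service ESP settings described here and in Section 3.3 (Allowed Virtual Hosts, Allowed Virtual Directories, Pre-Authorization Excluded Directories and Permitted Groups) combine to decide what happens to a request. Where the text does not state the matching rules they are assumptions: host entries are space-separated regular expressions matched against the whole host name, directory entries use shell-style wildcards matched against the request path, and group names compare case-insensitively.

```python
# Added illustration of how the ESP per-service access settings combine, not
# LoadMaster code. Matching rules marked "assumed" are not stated in the
# feature description.
import fnmatch
import re
from typing import List, Optional


def parse_allowed_hosts(value: str) -> List[str]:
    return value.split()    # space-separated regular expressions (assumed)


def parse_directories(value: str) -> List[str]:
    return value.split()    # space-separated, wildcard allowed (e.g. /owa*)


def parse_permitted_groups(value: str) -> List[str]:
    # Semicolon-separated: a space separator would split "Domain Users".
    return [g.strip() for g in value.split(";") if g.strip()]


def dir_match(patterns: List[str], path: str) -> bool:
    return any(fnmatch.fnmatchcase(path, p) for p in patterns)


class EspVirtualService:
    def __init__(self, allowed_virtual_hosts: str, allowed_virtual_directories: str,
                 excluded_directories: str, permitted_groups: str) -> None:
        self.hosts = [re.compile(h, re.IGNORECASE)
                      for h in parse_allowed_hosts(allowed_virtual_hosts)]
        self.allowed_dirs = parse_directories(allowed_virtual_directories)
        self.excluded_dirs = parse_directories(excluded_directories)
        self.groups = {g.casefold() for g in parse_permitted_groups(permitted_groups)}

    def authorize(self, host: str, path: str,
                  user_groups: Optional[List[str]] = None) -> str:
        """Decide what ESP does with a request; user_groups is None before login."""
        # A blank Allowed Virtual Hosts list blocks the whole Virtual Service.
        if not any(h.fullmatch(host) for h in self.hosts):
            return "blocked: host not allowed"
        if not dir_match(self.allowed_dirs, path):
            return "blocked: directory not allowed"
        # Excluded directories pass through without pre-authorization.
        if dir_match(self.excluded_dirs, path):
            return "allowed: pre-authorization excluded"
        if user_groups is None:
            return "authentication required"
        if self.groups and not self.groups & {g.casefold() for g in user_groups}:
            return "denied: not in permitted group"
        return "allowed"
```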
Exchange Form
It is possible to upload a custom SSO image set. For more information, refer to the Custom
Authentication Form, Technical Note.
Logoff String
Normally this field should be left blank. For OWA Virtual Services, the Logoff String should be set
to /owa/logoff.owa or in customized environments, the modified Logoff String needs to be
specified in this text box.
Enabling this check box displays a public/private option on the log in page. The session and idle
timeout depend on what option the user selects when logging in. If the user selects private their
username gets stored.
When the health check status is OK, the Status on the Virtual Services screen will be set to Up.
The LoadMaster will check the health status of the authentication server every 20 seconds. If the
authentication server cannot be reached then the Virtual Service goes into a Security Down
state where no new users will be allowed to access the Virtual Service. Existing connections will
not be affected until their connection times out.
Enable ESP
Enable or disable the ESP feature set by selecting or deselecting the Enable ESP check box.
Connection Logging
Logging of connections can be enabled or disabled by selecting or deselecting the Connection
Logging check box.
Permitted Domains
All the permitted domains that are allowed to be received by this Virtual Service must be
specified here. For example, if the Virtual Service should receive SMTP traffic from
john@kemp.com, then the kemp.com domain must be specified in this field. When entering
more than one domain, separate them with a space.
When using Linear SSO Logging, if the log files are not periodically removed
and the file system becomes full, access to Virtual Services with ESP enabled
will be blocked, preventing unlogged access to the Virtual Service. Access to
Virtual Services without ESP enabled is unaffected by the Linear SSO Log File
feature.
There are three types of log files relating to ESP stored on the LoadMaster:
ESP Connection Log: logs recording each connection
ESP Security Log: logs recording all security alerts
ESP User Log: logs recording all user logins
To view the logs please click the relevant View button.
The logs viewed can be filtered in a number of ways. To view logs within a particular date
range, select the relevant dates in the from and to fields and click the View button. It is possible to
view logs for as far back as they have been stored. By default, logs are stored for the last 30 days.
One or more archived log files can be viewed by selecting the relevant file(s) from the list of file
names and clicking the View button. The logs can be filtered by entering one or more words or a regular
expression in the filter field and clicking the View button.
If a date range is not selected, the ESP logs will not be deleted.
Specific log files can be deleted by filtering on a specific date range, selecting one or more
individual log files in the log file list or selecting a specific log type (connection, security or user) in
the log file list and clicking the Clear button. Click OK on any warning messages.
References
Unless otherwise specified, the following documents can be found at
http://www.kemptechnologies.com/documentation.
Document History
Date | Change | Reason for Change | Version | Resp.
July 2013 | Release updates | Minor release updated for 7.0-6 | 1.1 | LB