Edge Security Pack (ESP) : Feature Description

Edge Security Pack (ESP)
Feature Description
Edge Security
Pack (ESP)
Feature Description
VERSION: 1.10
UPDATED: JULY 2014
Copyright © 2002 - 2014 KEMP Technologies, Inc. All Rights Reserved. Page 1 / 26
Feature Description
Copyright Notices
Copyright © 2002-2014 KEMP Technologies, Inc.. All rights reserved.. KEMP Technologies and the KEMP
Technologies logo are registered trademarks of KEMP Technologies, Inc..
KEMP Technologies, Inc. reserves all ownership rights for the LoadMaster product line including software
and documentation. The use of the LoadMaster Exchange appliance is subject to the license agreement.
Information in this guide may be modified at any time without prior notice.
Microsoft Windows is a registered trademarks of Microsoft Corporation in the United States and other
countries. All other trademarks and service marks are the property of their respective owners.
Limitations: This document and all of its contents are provided as-is. KEMP Technologies has made efforts
to ensure that the information presented herein are correct, but makes no warranty, express or implied,
about the accuracy of this information. If any material errors or inaccuracies should occur in this document,
KEMP Technologies will, if feasible, furnish appropriate correctional notices which Users will accept as the
sole and exclusive remedy at law or in equity. Users of the information in this document acknowledge that
KEMP Technologies cannot be held liable for any loss, injury or damage of any kind, present or prospective,
including without limitation any direct, special, incidental or consequential damages (including without
limitation lost profits and loss of damage to goodwill) whether suffered by recipient or third party or from
any action or inaction whether or not negligent, in the compiling or in delivering or communicating or
publishing this document.
Any Internet Protocol (IP) addresses, phone numbers or other data that may resemble actual contact
information used in this document are not intended to be actual addresses, phone numbers or contact
information. Any examples, command display output, network topology diagrams, and other figures
included in this document are shown for illustrative purposes only. Any use of actual addressing or contact
information in illustrative content is unintentional and coincidental.
Portions of this software are; copyright (c) 2004-2006 Frank Denis. All rights reserved; copyright (c) 2002
Michael Shalayeff. All rights reserved; copyright (c) 2003 Ryan McBride. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided
that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the
following disclaimer
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
following disclaimer in the documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE ABOVE COPYRIGHT HOLDERS ''AS IS'' AND ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE ABOVE COPYRIGHT
HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
The views and conclusions contained in the software and documentation are those of the authors and
should not be interpreted as representing official policies, either expressed or implied, of the above
copyright holders..
Portions of the LoadMaster software are copyright (C) 1989, 1991 Free Software Foundation, Inc. -51
Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA- and KEMP Technologies Inc. is in full compliance
of the GNU license requirements, Version 2, June 1991. Everyone is permitted to copy and distribute
verbatim copies of this license document, but changing it is not allowed.
Portions of this software are Copyright (C) 1988, Regents of the University of California. All rights reserved.
Feature Description
Redistribution and use in source and binary forms are permitted provided that the above copyright notice
and this paragraph are duplicated in all such forms and that any documentation, advertising materials, and
other materials related to such distribution and use acknowledge that the software was developed by the
University of California, Berkeley. The name of the University may not be used to endorse or promote
products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING,
WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE.
Portions of this software are Copyright (C) 1998, Massachusetts Institute of Technology
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated
documentation files (the "Software"), to deal in the Software without restriction, including without
limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the
Software, and to permit persons to whom the Software is furnished to do so, subject to the following
conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions
of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
Portions of this software are Copyright (C) 1995-2004, Jean-loup Gailly and Mark Adler
This software is provided 'as-is', without any express or implied warranty. In no event will the authors be
held liable for any damages arising from the use of this software.
Permission is granted to anyone to use this software for any purpose, including commercial applications,
and to alter it and redistribute it freely, subject to the following restrictions:
1. The origin of this software must not be misrepresented; you must not claim that you wrote the original
software. If you use this software in a product, an acknowledgment in the product documentation would
be appreciated but is not required.
2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the
original software.
3. This notice may not be removed or altered from any source distribution.
Portions of this software are Copyright (C) 2003, Internet Systems Consortium
Permission to use, copy, modify, and/or distribute this software for any purpose with or without fee is
hereby granted, provided that the above copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING
ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT,
INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS,
WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE
USE OR PERFORMANCE OF THIS SOFTWARE.
Used, under license, U.S. Patent Nos. 6,473,802, 6,374,300, 8,392,563, 8,103,770, 7,831,712, 7,606,912, 7,346,695, 7,287,084 and
6,970,933
Feature Description
Table of Contents
1 Introduction .................................................................................................................................... 5
2 The LoadMaster Edge Security Pack (ESP) ...................................................................................... 6
2.1.1 End Point Authentication for Pre-Auth .............................................................................. 6
2.1.2 Persistent Logging and Reporting for User Logging ........................................................... 7
2.1.3 Single Sign-On Across Virtual Services ............................................................................... 7
2.1.4 LDAP Authentication from the LoadMaster to the Active Directory ................................. 7
2.1.5 Basic Authentication Communication from a Client to the LoadMaster ........................... 7
3 Setting up a Virtual Service with ESP .............................................................................................. 8
3.1 Create a Single Sign-On (SSO) Domain.................................................................................... 8
3.2 Create a Content-Matching Rule .......................................................................................... 10
3.3 Create a Virtual Service ......................................................................................................... 11
3.4 Configure a Simple Mail Transfer Protocol (SMTP) ESP Service ........................................... 15
4 ESP Web User Interface (WUI) Options ........................................................................................ 17
4.1 ESP Options ........................................................................................................................... 17
4.1.1 SMTP Virtual Services and ESP ......................................................................................... 22
4.2 Debug Options ...................................................................................................................... 22
4.2.1 Flush SSO Authentication Cache ...................................................................................... 22
4.2.2 Linear SSO Log Files .......................................................................................................... 22
4.3 Logging Options .................................................................................................................... 23
References ............................................................................................................................................ 25
Document History ................................................................................................................................. 26
Feature Description
1 Introduction
KEMP has built a large and loyal install base across a range of market segments, applications and
geographies. These include a large number of customers who have deployed KEMP’s LoadMaster
load balancers in conjunction with Microsoft workloads. As a part of the solution for Microsoft
workloads, a key component has historically been Microsoft’s Forefront Threat Management
Gateway (TMG). One key feature of TMG was that it offered customers a way to publish and
protect workload servers such as Exchange Client Access Servers especially in Internet-facing
deployments where a clean separation between critical infrastructure and the public internet is
essential.
KEMP Technologies has extended the successful LoadMaster platform with a security feature pack
called Edge Security Pack (ESP) to build on the existing core technologies which has enabled
successful joint deployments of TMG and LoadMaster in internet-facing Microsoft workloads.
Feature Description
2 The LoadMaster Edge Security Pack (ESP)

The KEMP Edge Security Pack (ESP) pack delivers a solution using the KEMP LoadMaster line of
load balancers to customers who would have previously deployed TMG to publish their Microsoft
applications.
Figure 2-1 Application deployments simplified by LoadMaster with the ESP
The KEMP ESP offers the following key features:

 End point authentication for pre-auth
 Persistent logging and reporting for user logging
 Single Sign-On (SSO) across Virtual Services
 LDAP Authentication from the LoadMaster to the Active Directory
 Basic authentication communication from a client to the LoadMaster
A reboot is required after upgrading older versions of the LoadMaster to an

ESP license.
2.1.1 End Point Authentication for Pre-Auth

Clients who are trying to access Virtual Services on the LoadMaster will have to provide
Authentication information which will be used by the ESP to validate the clients’ right to access
the service. In the event of success, the client is enabled to access the service, and in the event of
failure the client will be blocked until valid credentials are provided.
Feature Description
2.1.2 Persistent Logging and Reporting for User Logging

When clients try to access a service this will be logged in the LoadMaster as part of the ESP logs.
This will allow monitoring by the administrator.
2.1.3 Single Sign-On Across Virtual Services

The LoadMaster is designed to handle multiple virtual services supporting unique workloads.
These Virtual Services can be joined together by associating them with the same Single Sign-On
(SSO) Domain. SSO in ESP will enable clients to only enter the authentication information when
accessing the first Virtual Service and then this same information will be used to access other
services associated with the Single Sign-On Domain. Therefore, a client accessing Exchange will
also be able to access SharePoint and other workloads if they are associated with the same Single
Sign-On Domain.
2.1.4 LDAP Authentication from the LoadMaster to the Active Directory

Active Directory is the standard Authentication Provider for Microsoft workloads. LoadMaster
will support the key connection types between the LoadMaster and the Active Directory.
2.1.5 Basic Authentication Communication from a Client to the

LoadMaster
LoadMaster with ESP currently supports basic and form-based authentication between the client
and the LoadMaster, providing clients with an optimum authentication experience.
Large and small businesses are deploying large numbers of internet-facing applications to support
ever expanding business requirements. This rapidly growing number of servers needs to be
scalable and highly reliable. Above all, the access to these servers and services needs to be secure.
With the addition of ESP, the KEMP LoadMaster will continue to deliver on customer security
requirements for internet facing applications in a world without Microsoft Forefront TMG, while
continuing to address requirements for feature-rich and cost-effective scalability and high
reliability.
Feature Description
3 Setting up a Virtual Service with ESP

This section details the various steps required to configure ESP on a Virtual Service.
In order to enable ESP functionality on an encrypted service, an SSL

certificate must be imported to the LoadMaster. The certificate must contain
a private key. This document assumes that the certificate has already been
imported correctly.
For further details on how to configure SSL Certificates, please reference

the SSL Accelerated Services, Feature Description document
3.1 Create a Single Sign-On (SSO) Domain
The maximum number of SSO domains that are allowed is 128.
Follow the steps below to create an SSO domain:

1. Log in to the LoadMaster.
2. Select Virtual Services in the main menu and select Manage SSO Domains.
Figure 3-1: Add SSO Domain
3. Enter the name of the domain in the Domain field and click the Add button.
Figure 3-2: LDAP Settings
4. Select LDAP-Unencrypted as the Authentication protocol.
The other authentication protocols - LDAP-StartTLS, LDAP-LDAPS,

RADIUS and RSA-SecurID - can be selected if the Active Directory
environment is configured for it.
Feature Description
For more information on the RSA-SecurID protocol, including steps on

how to configure it, refer to the RSA Two Factor Authentication, Feature
Description.
5. In the LDAP Server(s) field, enter a space-separated list of domain controllers to be

used for authentication. Then, click the Set LDAP Server(s) option.
6. Select the relevant Logon format. The login format comprises of two options, as
outlined below:
principalname: Selecting this as the Logon format means that the client does not
need to enter the domain when logging in, for example name@domain.com. The
SSO domain entered in the corresponding text box will be used as the domain in
this case.
When using RADIUS as the Authentication protocol the value in this SSO
domain field must exactly match for the login to work. It is case sensitive.
username: Selecting this as the logon format means that the client needs to enter
the domain and username, for example domain\name@domain.com.
7. Specify the number of Failed Login Attempts that a user can have before their
account is locked out. Click Set Failed Login Attempts.
When a user is locked out, all existing logins for that user will be
terminated, along with future logins.
8. Enter the amount of time (in seconds) that you would like to Reset Failed Login
Attempt Counter after. Click Set Reset-Failed Timeout.
9. Enter the amount of time (in seconds) after which a blocked user account will be
unblocked in the Unblock Timeout text box. Click Set Unblock Timeout.
10. Enter the relevant value(s) in the public and private idle time and max duration
text box(es) and click the relevant button(s) as appropriate. The timeout value that
will be applied depends on whether the user selects public or private on the login
screen.
11. Select the relevant option for use value (either max duration or idle time).
12. In the Test User and Test User Password fields, enter credentials of a user account
for the SSO Domain. The LoadMaster will use this information in a health check of
the Authentication Server. This health check is performed every 20 seconds. This
20 second health check is hard coded and cannot be modified.
13. Click OK.
It is also possible to unlock blocked users from the Manage Domain screen.
To do this, simply click the unlock button for the relevant blocked user.
Feature Description
3.2 Create a Content-Matching Rule

Follow the steps below to create a content-matching rule:
In this particular example we will create a Content Rules and a Virtual

Service for the owa Exchange 2013 service.
1. In the menu on the left, click Rules & Checking and select Content Rules.
2. Click the Create New … button.
Figure 3-3: Create Rule Screen
3. Enter the Rule Name, for example owa.

4. Ensure the Rule Type is set to Content Matching.
5. Ensure that Match Type is set to Regular Expression.
6. Enter the Pattern in the Match String textbox, for example ^/owa* for the Outlook Web
Access (OWA) virtual directory.
7. Tick the Ignore Case checkbox.
8. Click the Create Rule button.
This rule is not doing anything yet. It needs to be added to a Virtual Service. Follow the steps in
the next section to create a Virtual Service and add the rule to it.
Feature Description
3.3 Create a Virtual Service

Follow the steps below to create a Virtual Service with ESP. In this example we will configure an
owa for Exchange 2013 service.
1. In the menu on the left, click Virtual Services and select Add New.
Figure 3-4: Parameters for the Virtual Service
2. Enter the Virtual Address, for example 10.11.0.157.
This is the Virtual IP address of the Virtual Service. It must be unique and
not in use by any other device on the network.
3. Enter 443 as the Port number as all workloads will be accessing Exchange 2013 using
HTTPS.
Creating Virtual Services for other protocols is outside the scope of this
document.
4. Enter the desired Service Name, for example Exchange 2013 owa.
5. Ensure that tcp is selected as the Protocol.
6. Click the Add this Virtual Service button.
7. Expand the SSL Properties section.
Figure 3-5: SSL Properties
8. Select the Enabled checkbox.

9. Select the Reencrypt checkbox.
10. Click the Add New button.
Feature Description
Figure 3-6: Import Certificate
11. Click Import Certificate.
Figure 3-7: Install Certificate
12. Click the first Choose File button.

13. Browse to and select the relevant certificate.
14. Click the second Choose File button.
15. Browse to and select the relevant Key File.
16. Enter the Pass Phrase.
17. Enter a name for the certificate in the Certificate Identifier text box.
18. Click Save.
19. Click OK.
20. Select View/Modify Services in the main menu.
21. Click Modify on the relevant Virtual Service.
22. Expand the Standard Options section.
Figure 3-8: Standard Options
23. Ensure that None is selected as the Persistence Options Mode.

24. Ensure that round robin is selected as the Scheduling Method.
25. In the parent VS modify screen, expand the Advanced Properties section.
Feature Description
Figure 3-9: Advanced Properties
26. Click the Enable button for Content Switching.

27. Click the Show Selection Rules button to open the Match Rules page.
28. Select the rule that we previously created and click the Add button.
29. Click the Back button.
30. Expand the ESP Options section.
Figure 3-10: ESP Options
31. Select the Enable ESP check box.

32. Select the relevant Domain that was created within the SSO Domain drop-down list.
33. Enter the relevant hosts in the Allowed Virtual Hosts text box, for example
mail.example.com.
More than one host can be provided by using a space-separated list.

Wildcards can also be used, for example *kempdemo.com.
The Allowed Virtual Hosts text box should contain host names, not IP
addresses.
Feature Description
34. Enter any directories that can be accessed by the Virtual Services, for example
/owa* in the Allowed Virtual Directories text box.
35. Click the Set Allowed Directories button.
If a SubVS needs to allow more than one virtual directory, use a space-
separated list. Optionally, a wildcard character can be used, for example /*
to allow all virtual directories.
36. Enter all the virtual directories that will not be pre-authorized by this Virtual Service,
for example, /owa/guid* in the Pre-Authorization Excluded Directories field.
37. Click the Set Excluded Directories button.
The Globally Unique Identifier (GUID) is unique to each organization. To

find the correct GUID, run the following command on the Exchange Server:
Get-Mailbox -Arbitration | where {$_.PersistedCapabilities -like

“OrganizationCapabilityClientExtensions”} | f1 exchangeGUID,
primarysmtpaddress
38. Enter any groups that are allowed to access this Virtual Service in the Permitted
Groups text box.
Multiple groups can be entered but the group names must be separated by a
semi-colon.
The following characters are not allowed in permitted group names:
/:+*
39. Click Set Permitted Groups.

40. Select Form Based in the Client Authentication Mode drop-down list.
41. Select Basic Authentication in the Server Authentication Mode drop-down menu.
42. Select an SSO Image Set, if required.
Custom SSO image sets can be created and uploaded to the LoadMaster. For
more information, refer to the Custom Authentication Form, Technical
Note.
43. Enter a message in the SSO Greeting Message field, if required.
The SSO Greeting Message can have up to 255 characters. The field accepts
HTML code, so the users can insert their own an image can be entered if
desired. The grave accent character ( ` ) is not supported. If this character is
entered in the SSO Greeting Message, the character will not display in the
output, for example a`b`c becomes abc.
44. Enter /owa/logoff.owa in the Logoff String text box.
Feature Description
In a customized environment, if the OWA logoff string has been changed,

the modified logoff string must be entered here.
45. If required, select the Display Public/Private Option which will show a public/private
option on the login screen. When this option is enabled, the timeout value will be
determined based on which option the user selects. The timeout values are set in the
manage SSO domain screen. For more information on the timeout fields, refer to Section
3.1. When the user selects Private their username is stored for that session.
46. Select the relevant option in the Use Session or Permanent Cookies field.
Permanent cookies should only be used when using single sign on with
SharePoint or similar services.
47. Expand the Real Servers section.

48. Enter /OWA/healthcheck.htm as the URL.
49. Select GET from the HTTP Method drop-down list.
50. Click the Add New… button.
Figure 3-11: Real Server parameters
51. Enter the relevant Real Server Address.

52. Enter 80 as the port.
53. Click Add This Real Server.
You can check the status of the Virtual Service by selecting Virtual Services > View/Modify
Services in the main menu.
3.4 Configure a Simple Mail Transfer Protocol (SMTP) ESP

Service
In an SMTP Virtual Service (with 25 as the Port), the ESP feature is available when the Enable ESP
check box is selected, but there is a reduced set of options. To configure an SMTP ESP Service,
follow the steps below:
1. In the menu on the left, click Virtual Services and select View/Modify Services.
2. Click the Add New button.
Feature Description
Figure 3-12: Add a new Virtual Service Screen
3. Enter the Virtual IP Address for the Virtual Service in the Virtual Address text box.
4. Enter 25 in the Port text box.
5. Enter a recognizable Service Name, for example SMTP ESP.
6. Click the Add this Virtual Service button.
7. Expand the ESP Options section.
8. Select Enable ESP.

9. Ensure the Connection Logging check box is selected.
10. Specify the domains permitted by this virtual service in the Permitted Domains filed.
For example, if the Virtual Service should receive SMTP traffic from john@kemp.com,
then kemp.com must be specified in this field.
11. Click the Set Permitted Domains button.
12. Add any Real Servers, as needed, in the Real Servers section.
To check the status of the Virtual Service, select Virtual Services > View/Modify Virtual Services.
Feature Description
4 ESP Web User Interface (WUI) Options

The sections below describe the ESP WUI Options.
4.1 ESP Options

The ESP feature must be enabled before the options can be configured. To enable the ESP
function, please select the Enable ESP checkbox.
Figure 4-1: Enable ESP
The full ESP Options will appear.
The ESP feature can only be enabled if the Virtual Service is an HTTP,
HTTPS or SMTP Virtual Service
Enable ESP
Enable or disable the ESP feature set by selecting or deselecting the Enable ESP checkbox.
ESP Logging
There are three types of logs stored in relation to the ESP feature. Each of these logs can be
enabled or disabled by selecting or deselecting the relevant checkbox. The types of log include:
 User Access: logs recording all user logins

 Security: logs recording all security alerts
 Connection: logs recording each connection
Logs are persistent and can be accessed after a reboot of the LoadMaster. The ESP logs can be
found by navigating to System Configuration > Logging Options > ESP Log Files in the main menu
of the LoadMaster WUI.
Feature Description
SSO Domain
Select the Single Sign-On (SSO) Domain within which the Virtual Service will be included.
Please refer to Section 3.1 for further information on configuring SSO Domains. An SSO Domain
must be configured in order to correctly configure the ESP feature.
Allowed Virtual Hosts
The Virtual Service will only be allowed access to specified virtual hosts. Any virtual hosts that are
not specified will be blocked.
Enter the virtual host name(s) in the Allowed Virtual Hosts field and click the Set Allowed Virtual
Hosts button to specify the allowed virtual hosts.
Multiple domains may be specified within the text box allowing many domains to be associated
with the SSO Domain.
The use of regular expressions is allowed within this text box.
If this text box is left blank, the Virtual Service will be blocked.
Allowed Virtual Directories

The Virtual Service will only be allowed access to the specified virtual directories, within the
allowed virtual hosts. Any virtual directories that are not specified will be blocked.
Enter the virtual directory name(s) in the Allowed Virtual Directories text box and click the Set
Allowed Virtual Directories button to specify the allowed virtual directories.
The use of Regular expressions is allowed within this text box.
Pre-Authorization Excluded Directories
Any virtual directories specified within this field will not be pre-authorized on this Virtual Service
and will be passed directly to the relevant Real Servers.
Permitted Groups
Specify the groups that are allowed to access this Virtual Service. When set, if a user logs in to a
service published by this Virtual Service, the user must be a member of at least one of the
groups specified. Up to 10 groups are supported per Virtual Service. Performance may be
impacted if a large number of groups are entered. Groups entered in this field are validated via a
Lightweight Directory Access Protocol (LDAP) query.
Some guidelines about this field are as follows:
 The group(s) specified must be valid groups on the Active Directory behind the SSO
domain associated with the Virtual Service
 The group(s) listed must be separated by a semi-colon
A space-separated list does not work because most groups contain a space in
the name, for example Domain Users.
Feature Description
 The authentication protocol of the SSO domain must be LDAP

 The groups should be specified by name, not by fully distinguished name
Client Authentication Mode

Specifies how clients attempting to connect to the LoadMaster are authenticated. There are three
types of methods available:
 None: no client authentication is required

 Basic Authentication: standard Basic Authentication is used
 Form Based: clients must enter their user details within a form to be authenticated on the
LoadMaster
Server Authentication Mode

Specifies how the LoadMaster is authenticated by the Real Servers. There are two types of
methods available:
 None: no client authentication is required
 Basic Authentication: standard Basic Authentication is used
If None is selected as the Client Authentication Mode, then None is automatically selected as the
Server Authentication Mode. Similarly if either Basic Authentication or Form Based are selected
as the Client Authentication Mode, then Basic Authentication is automatically selected as the
Server Authentication Mode.
SSO Image Set

This option is only available if Form Based is selected as the Client Authentication Mode. There is
an option for which form to use to gather the user’s Username and Password. There are two
default form options; Exchange and Blank. English is the default language for the image sets.
There are also options to display the form and error messages in other languages – Brazilian
Portuguese and French Canadian.
Feature Description
 Exchange Form
Figure 4-3: Exchange Form
The Exchange Form contains the KEMP Logo.

 Blank Form
Figure 4-4: Blank Form
The Blank Form does not contain the KEMP logo.
It is possible to upload a custom SSO image set. For more information, refer to the Custom
Authentication Form, Technical Note.
SSO Greeting Message

The login forms can be further customized by adding text. Enter the text to appear on the form
within the SSO Greeting Message text box and click the Set SSO Greeting Message button.
The SSO Greeting Message text box accepts HTML code, so an image can be entered if so
desired. The message can have up to 255 characters.
The grave accent character ( ` ) is not supported. If this character is entered

in the SSO Greeting Message, the character will not display in the output,
for example a`b`c becomes abc.
Feature Description
Logoff String
Normally this field should be left blank. For OWA Virtual Services, the Logoff String should be set
to /owa/logoff.owa or in customized environments, the modified Logoff String needs to be
specified in this text box.
Display Public/Private Option
Figure 4-5: Public/Private Option
Enabling this check box displays a public/private option on the log in page. The session and idle
timeout depend on what option the user selects when logging in. If the user selects private their
username gets stored.
Virtual Service Status

When View/Modify Services is clicked in the main menu, the Virtual Service status is displayed.
Figure 4-6: Health check OK
When the health check status is OK, the Status on the Virtual Services screen will be set to Up.
Figure 4-7: Security Down Status
When ESP is enabled, a new status is available; Security Down.
Feature Description
The LoadMaster will check the health status of the authentication server every 20 seconds. If the
authentication server cannot be reached then the Virtual Service goes into a Security Down
state where no new users will be allowed to access the Virtual Service. Existing connections will
not be affected until their connection times out.
4.1.1 SMTP Virtual Services and ESP

If an SMTP Virtual Service (with 25 as the port) is created, the ESP feature is available when the
Enable ESP checkbox is selected but with a reduced set of options.
Figure 4-8: SMTP ESP Options
Enable ESP
Enable or disable the ESP feature set by selecting or deselecting the Enable ESP check box.
Connection Logging
Logging of connections can be enabled or disabled by selecting or deselecting the Connection
Logging check box.
Permitted Domains
All the permitted domains that are allowed to be received by this Virtual Service must be
specified here. For example, if the Virtual Service should receive SMTP traffic from
john@kemp.com, then the kemp.com domain must be specified in this field. When entering
more than one domain, separate them with a space.
4.2 Debug Options

There are a couple of ESP-specific Debug Options in the WUI. These are described below.
4.2.1 Flush SSO Authentication Cache

Clicking the Flush SSO Cache button flushes the Single Sign-On cache on the LoadMaster. This has
the effect of logging off all clients using Single Sign-On and forces the clients to re-connect to the
LoadMaster.
4.2.2 Linear SSO Log Files

By default, older log files are deleted to make room for newer log files, so that the filesystem does
not become full. By default, the last 30 days of logs are stored. Selecting the Linear SSO Log Files
check box prevents older files from being deleted.
Feature Description
When using Linear SSO Logging, if the log files are not periodically removed
and the file system becomes full, access to Virtual Services with ESP enabled
will be blocked, preventing unlogged access to the Virtual Service. Access to
non-ESP enabled Virtual Services are unaffected by the Linear SSO Log File
feature.
4.3 Logging Options

The ESP Options screen provides options for logs relating to the ESP feature. These logs are
persistent and will be available after a LoadMaster reboot. To view all the options click the
icons.
Figure 4-9: ESP Logging Options Screen
There are three types of log files relating to ESP stored on the LoadMaster:
 ESP Connection Log: logs recording each connection
 ESP Security Log: logs recording all security alerts
 ESP User Log: logs recording all user logins
To view the logs please click the relevant View button.
The logs viewed can be filtered by a number of methods. To view logs between a particular date
range, select the relevant dates in from and to fields and click the View button. It is possible to
view logs for as far back as they have been stored. By default, logs are stored for the last 30 days.
One or more archived log files can be viewed by selecting the relevant file(s) from the list of file
names and clicking the View button. The logs can be filtered by entering a word(s) or regular
expression in the filter field and clicking on the View field.
Clear ESP Logs

ESP logs can be deleted by selecting a relevant date range and clicking the Clear button.
Feature Description
If a date range is not selected, the ESP logs will not be deleted.
Specific log files can be deleted by filtering on a specific date range, selecting one or more
individual log files in the log file list or selecting a specific log type (connection, security or user) in
the log file list and clicking the Clear button. Click OK on any warning messages.
Save ESP Logs

All ESP logs can be saved to a file by clicking the Save button. This will save a file to your machine.
Specific log files can be saved by filtering on a specific date range, selecting one or more individual
log files in the log file list or selecting a specific log type (connection, security or user) in the log
file list and clicking the Save button.
Feature Description
References
Unless otherwise specified, the following documents can be found at
http://www.kemptechnologies.com/documentation.
Web User Interface (WUI), Configuration Guide
RSA Two Factor Authentication, Feature Description
Custom Authentication Form, Technical Note
SSL Accelerated Services, Feature Description
Feature Description
Document History
Date Change Reason for Change Version Resp.
June 2013 Initial draft Initial draft of document 1.0 LB
July 2013 Release updates Minor release updated for 7.0-6 1.1 LB
Sep 2013 Minor change Additional information added 1.2 LB
Nov 2013 Minor change Aesthetic change 1.3 LB
Feb 2014 Release updates Updates for 7.0-12a release 1.4 LB
Mar 2014 Release updates Updates for 7.0-14 release 1.5 LB
Mar 2014 Release updates Updates for 7.0-14a release 1.6 LB
Apr 2014 Release updates Updates for 7.1-16 release 1.7 LB
May 2014 Improvements made General improvements 1.8 LB
June 2014 Minor updates Defects fixed 1.9 LB
July 2014 Release updates Updates for 7.1-18a 1.10 LB

Edge Security Pack (ESP) : Feature Description

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Edge Security Pack (ESP) : Feature Description

Uploaded by

Copyright:

Available Formats

Edge Security Pack (ESP)

2 The LoadMaster Edge Security Pack (ESP)

Figure 2-1 Application deployments simplified by LoadMaster with the ESP

The KEMP ESP offers the following key features:

A reboot is required after upgrading older versions of the LoadMaster to an

2.1.1 End Point Authentication for Pre-Auth

2.1.2 Persistent Logging and Reporting for User Logging

2.1.3 Single Sign-On Across Virtual Services

2.1.4 LDAP Authentication from the LoadMaster to the Active Directory

2.1.5 Basic Authentication Communication from a Client to the

3 Setting up a Virtual Service with ESP

In order to enable ESP functionality on an encrypted service, an SSL

For further details on how to configure SSL Certificates, please reference

3.1 Create a Single Sign-On (SSO) Domain

The maximum number of SSO domains that are allowed is 128.

Follow the steps below to create an SSO domain:

Figure 3-1: Add SSO Domain

Figure 3-2: LDAP Settings

4. Select LDAP-Unencrypted as the Authentication protocol.

The other authentication protocols - LDAP-StartTLS, LDAP-LDAPS,

For more information on the RSA-SecurID protocol, including steps on

5. In the LDAP Server(s) field, enter a space-separated list of domain controllers to be

3.2 Create a Content-Matching Rule

In this particular example we will create a Content Rules and a Virtual

Figure 3-3: Create Rule Screen

3. Enter the Rule Name, for example owa.

3.3 Create a Virtual Service

Figure 3-4: Parameters for the Virtual Service

2. Enter the Virtual Address, for example 10.11.0.157.

Figure 3-5: SSL Properties

8. Select the Enabled checkbox.

Figure 3-6: Import Certificate

11. Click Import Certificate.

Figure 3-7: Install Certificate

12. Click the first Choose File button.

Figure 3-8: Standard Options

23. Ensure that None is selected as the Persistence Options Mode.

Figure 3-9: Advanced Properties

26. Click the Enable button for Content Switching.

Figure 3-10: ESP Options

31. Select the Enable ESP check box.

More than one host can be provided by using a space-separated list.

The Globally Unique Identifier (GUID) is unique to each organization. To

Get-Mailbox -Arbitration | where {$_.PersistedCapabilities -like

The following characters are not allowed in permitted group names:

39. Click Set Permitted Groups.

43. Enter a message in the SSO Greeting Message field, if required.

44. Enter /owa/logoff.owa in the Logoff String text box.

In a customized environment, if the OWA logoff string has been changed,

47. Expand the Real Servers section.

Figure 3-11: Real Server parameters

51. Enter the relevant Real Server Address.

3.4 Configure a Simple Mail Transfer Protocol (SMTP) ESP

Figure 3-12: Add a new Virtual Service Screen

Figure 3-13: ESP Options

8. Select Enable ESP.

4 ESP Web User Interface (WUI) Options

4.1 ESP Options

Figure 4-1: Enable ESP

The full ESP Options will appear.

Figure 4-2: ESP Options

 User Access: logs recording all user logins

Allowed Virtual Directories