Enable Server NAT

This option enables Server Network Address Translation (SNAT). If this is disabled, the Real Server IP address is used when connecting.

If this is enabled, addresses that are of the same address family (IPv4/IPv6) as the primary address of the default gateway are NATed to the “primary address”. If the Use Address for Server NAT is enabled in the Virtual Service, the Virtual Service address will be used. For further information on the Use Address for Server NAT option, refer to the Standard Options section.

If the source address is not in the same family as the primary address, then the address will be SNATed to the first additional address which is on the same network as the default gateway for that address family.

For example, if the primary address of the default interface is an IPv6 address, then IPv6 addresses will be SNATed to that address. If the primary address is an IPv4 address, then IPv6 addresses will be SNATed to the first additional address (IPv6) which is on the same network as the IPv6 default gateway.

Similarly, if the primary address of the default interface is an IPv4 address, then IPv4 addresses will be SNATed to that address. If the primary address is an IPv6 address, then IPv4 addresses will be SNATed to the first additional address (IPv4) which is on the same network as the IPv4 default gateway.

Note: FTP and SNAT do not work together reliably all the time so this configuration is not supported.

Connection Timeout (secs)

The length of time (in seconds) that a connection may remain idle before it is closed. This value is independent of the Persistence Timeout value.

Setting a value of 0 will reset the value to the default setting of 660 seconds.

Enable Non-Local Real Servers

Allow non-local Real Servers to be assigned to Virtual Services. This may be needed if the LoadMaster can only have one interface and the Real Servers are on a different network from that interface. This option is enabled by default.

Enable Alternate GW support

If there is more than one interface enabled, this option provides the ability to move the default gateway to a different interface.

Enabling this option adds another option to the Interfaces screen – Use for Default Gateway.

Note: The Enable Alternate GW support option will appear on a different screen in GEO only LoadMasters.
Note: Alternate default gateway support is not permitted in a cloud environment.

Enable TCP Timestamps

The LoadMaster can include timestamps in the SYN on both connections from clients and connections to Real Servers.

Note: This may impact connections that are NATed and should only be enabled in consultation with Progress Kemp Customer Support.

Enable TCP Keepalives

By default, TCP keepalives are enabled, which improves the reliability of long-lived TCP connections (for example, SSH sessions). Keepalives are not usually required for normal HTTP/HTTPS services, but may be required for FTP services, for example.

The keepalive messages are sent from the LoadMaster to the Real Server and to the client. Therefore, if the client is on a mobile network, there may be an issue with additional data traffic.

Enable Reset on Close

When this setting is disabled (the default), unencrypted and encrypted TCP connections to the LoadMaster on both the client and server sides are closed using the standard TCP exchange of FIN and ACK packets. In situations where a Virtual Service is under a high incoming connection load, the ability to establish new connections to the Virtual Service can be improved by turning on Enable Reset on Close; this tells the LoadMaster to close TCP connections with a single TCP RST (reset) packet, rather than the normal TCP closing exchange.

Subnet Originating Requests

With this option enabled, the source IP address of non-transparent requests will come from the LoadMaster’s address on the relevant subnet, that is, the subnet where the Real Server is located or the subnet of the gateway that can route to the Real Server (if the Real Server is non-local and configured to use static route). For more information on configuring a static route, refer to the following knowledge base article: Creating a Static Route.

This is the global option/setting.

Note: It is recommended that the Subnet Originating Requests option is enabled on a per-Virtual Service basis.

When the global option is disabled, the per Virtual Service Subnet Originating Requests option takes precedence, that is, it can be enabled or disabled per Virtual Service. This can be set in the Standard Options section of the Virtual Services properties screen (if Transparency is disabled). For more information on the per Virtual Service option, refer to the Standard Options section.

Note: If this option is switched on for a Virtual Service that has SSL re-encryption enabled, all connections currently using the Virtual Service will be terminated because the process that handles the connection must be killed and restarted.

Enable Strict IP Routing

When this option is selected, only packets which arrive at the machine over the same interface as the outbound interface are accepted.

Note: The Use Default Route Only option may be a better way to achieve this.

Handle non HTTP Uploads

Enabling this option ensures that non HTTP uploads (such as FTP uploads) function correctly.

Enable Connection Timeout Diagnostics

By default, connection timeout logs are not generated because they can produce a large volume of unnecessary log entries. To log connection timeouts, select the Enable Connection Timeout Diagnostics check box.

Legacy TCP Timewait Handling

Enable this option to revert to the legacy mode of reusing TCP timewait connections.

Note: Only enable the Legacy TCP Timewait Handling option after consulting with Progress Kemp Support.

Enable SSL Renegotiation

When SSL renegotiation is enabled on the LoadMaster, either the client or the server can initiate renegotiation within an established SSL session. If it is disabled, any attempt by either party to renegotiate terminates the connection. Client-initiated renegotiation is CPU-expensive for the server side and is a well-known denial-of-service vector, so leave this disabled unless a client genuinely requires it. In FIPS mode, this setting has no effect because SSL renegotiation is not supported under FIPS compliance.

Force Real Server Certificate Checking

By default, when re-encrypting traffic the LoadMaster does not check the certificate presented by the Real Server, so the server-side connection is encrypted but the Real Server is not authenticated. This option forces the LoadMaster to verify that the Real Server's certificate is valid, that is, that it chains to a trusted certificate authority and has not expired. This includes all intermediate certificates, so the Real Server must present its full chain.
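To make concrete what the verification above involves, the following is an added example and not LoadMaster code: it builds a throwaway root CA, intermediate CA and Real Server certificate with openssl, then runs the checks the option implies (trusted issuer, complete intermediate chain, expiry). A hostname-mismatch check is included for completeness; the page itself only states that the certificate authority and expiration are checked. It assumes an openssl binary of version 1.1.1 or later on PATH; the Real Server name rs1.example.test and every key and certificate are constructed locally for the demonstration.

```shell
#!/bin/sh
# Added example (not LoadMaster code): reproduce the checks that
# "Force Real Server Certificate Checking" implies, using a throwaway PKI.
# Assumes openssl 1.1.1+ on PATH. All names, keys and certificates are
# constructed here for the demonstration.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Hypothetical Real Server name placed in the leaf certificate's SAN.
RS_NAME="rs1.example.test"

# Build root CA -> intermediate CA -> Real Server (leaf) certificate.
# Each certificate is issued from a CSR with an explicit extension file so the
# result does not depend on the local openssl.cnf defaults.
build_chain() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$RS_NAME" > "$WORK/leaf.ext"

    # Root CA (EC key: fast to generate), self-signed, valid 10 years.
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$WORK/ca.key" -out "$WORK/ca.csr" -subj "/CN=Example Root CA" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -out "$WORK/ca.pem" \
        -days 3650 -set_serial 1 -extfile "$WORK/ca.ext" >/dev/null 2>&1

    # Intermediate CA signed by the root, valid 5 years.
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$WORK/int.key" -out "$WORK/int.csr" -subj "/CN=Example Issuing CA" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -out "$WORK/int.pem" -days 1825 -set_serial 2 -extfile "$WORK/ca.ext" >/dev/null 2>&1

    # Real Server certificate signed by the intermediate, valid 1 year.
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" -subj "/CN=$RS_NAME" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
        -out "$WORK/leaf.pem" -days 365 -set_serial 3 -extfile "$WORK/leaf.ext" >/dev/null 2>&1
}

# Verify the leaf against the trusted root with any extra options; return openssl's status.
verify_leaf() {
    openssl verify -CAfile "$WORK/ca.pem" "$@" "$WORK/leaf.pem" >/dev/null 2>&1
}

# 1. Root trusted and intermediate supplied: the chain builds and is accepted.
full_chain_is_accepted() {
    verify_leaf -untrusted "$WORK/int.pem"
}

# 2. Real Server sends only its leaf: no path to the root, so it is rejected.
missing_intermediate_is_rejected() {
    if verify_leaf; then return 1; fi
    return 0
}

# 3. Expiry: evaluate the chain 400 days from now, past the leaf's one-year validity.
expired_leaf_is_rejected() {
    future=$(( $(date +%s) + 400 * 86400 ))
    if verify_leaf -untrusted "$WORK/int.pem" -attime "$future"; then return 1; fi
    return 0
}

# 4. Name mismatch: valid chain, but the certificate was issued for another host.
wrong_hostname_is_rejected() {
    if verify_leaf -untrusted "$WORK/int.pem" -verify_hostname "other.example.test"; then return 1; fi
    return 0
}

build_chain
for check in full_chain_is_accepted missing_intermediate_is_rejected \
             expired_leaf_is_rejected wrong_hostname_is_rejected; do
    if "$check"; then echo "PASS $check"; else echo "FAIL $check"; exit 1; fi
done
```

Run it as a script; it prints PASS for each check. The missing-intermediate case is the one that bites in practice: if a Real Server serves only its leaf certificate, a verifying LoadMaster cannot build the chain and rejects the connection, so install the complete chain on every Real Server before turning the option on.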

Disable Master Secret Handling

In LoadMaster firmware version 7.2.52, the Disable Master Secret Handling check box was added. By default, the LoadMaster processes the Master Secret SSL extension (the Extended Master Secret extension of RFC 7627). This can cause problems for some legacy clients, so processing of the extension can be disabled by selecting the Disable Master Secret Handling check box. Disabling it removes the stronger binding of the master secret to the handshake that the extension provides, so leave it enabled unless a legacy client cannot connect without it.

Size of SSL Diffie-Hellman Key Exchange

Select the strength of the key used in the Diffie-Hellman key exchanges. If this value is changed, a reboot is required to use the new value. The default value is 2048 Bits.

As of LoadMaster firmware version 7.2.53, you can select 4096 as a value in the Size of SSL Diffie-Hellman Key Exchange drop-down list.

After upgrading from a version prior to 7.2.53, it can take up to 30 minutes (on smaller models) to generate the 4096-bit key. If you cannot see the 4096 option in the drop-down list 30 minutes after upgrading, log out and log back in.

CAUTION: During the upgrade from a version prior to 7.2.53, a new 4096-bit DHE key is generated. On smaller LoadMasters, this can lead to significant CPU and memory consumption that could impact regular Virtual Service traffic. So, we strongly recommend that this update be performed in a maintenance interval.

Using the 4096-bit key significantly degrades performance compared with the 2048-bit key.

Log SSL errors

Set the level of SSL error reporting in the logs. By default, the LoadMaster does not log common SSL alerts. You can increase the verbosity of SSL error logging by setting this value to one of the following:

  • Fatal errors only - only fatal errors are logged
  • Include Client errors – this setting logs all client errors reported to the LoadMaster.
  • All errors – this setting logs all SSL errors observed in the LoadMaster, including all common alerts and warnings that may or may not indicate an actual issue.

OpenSSL Version

By default, the LoadMaster uses the latest version of OpenSSL. This may cause performance problems on heavily-loaded sites. It is possible using the OpenSSL version field to switch back to the old library which should alleviate some of these problems. Using the old library means that there is no support for TLS 1.3. Therefore, the TLS1.3 check box is no longer available in the SSL Properties section of the Virtual Service modify screen.

If you switch from using the old library to using the current library in the OpenSSL Version field, TLS1.3 is automatically re-enabled on all Virtual Services.

Note: This option is not applicable to Cavium5 machines because those cards do not support the old libraries. Therefore, this option is not applicable to the following LoadMaster/ECS Connection Manager models:

- LM-X25

- LM-X40 Rev 05

- LM-X40M

- LM XHC 25G/40G/100G

- ECS Connection Manager H3 Rev 02

- ECS Connection Manager H3M

- ECS Connection Manager H3 25G/40G/100G

For these LoadMaster models, the OpenSSL Version field is available but the LoadMaster will continue to use the current OpenSSL implementation even if the OpenSSL Version field is set to Use older SSL library - no TLS 1.3.

CAUTION: Switching the OpenSSL version causes a total SSL outage during the switch. This operation should not be performed during working hours.

Use Default Route Only

Forces traffic from Virtual Services that have a Virtual Service gateway set to be routed only to the interface where the Virtual Service gateway is located.

This setting can allow the LoadMaster to be directly connected to client networks without returning traffic directly, by using the Virtual Service gateway instead.

Note: Enabling this option affects all Virtual Services that have a Virtual Service gateway set.
Note: Other network options may affect routing such as Subnet Originating Requests, refer to the Routing Feature Description document for further details.

For further details on the Use Default Route Only option, refer to the Use Default Route Only section of the Routing Feature Description.

HTTP(S) Proxy

This option lets you specify the HTTP(S) proxy server and port the LoadMaster uses to access the internet. This must be an IP address and port (not an FQDN).