Supported TLS Protocols

Check boxes are provided here which can be used to specify whether or not it is possible to connect to the LoadMaster WUI using the following protocols; SSLv3, TLS1.0, TLS1.1, TLS1.2, or TLS1.3. TLS1.1, TLS1.2, and TLS1.3 are enabled by default. It is not recommended to only have SSLv3 selected because SSLv3 is only supported by some old browsers. When connecting to the WUI using a web browser, the highest security protocol which is mutually supported by both the browser and the WUI will be used.

Note: If FIPS mode is enabled, the only available options are TLS1.1 and TLS1.2.

WUI Cipher set

Select the relevant cipher set to use for WUI access. For information on each of the cipher sets available, refer to the Cipher Sets section.

TLS1.3 Cipher sets

Select the cipher sets for the TLS1.3 protocol to be allowed using any combination of supported ciphers over an Admin WUI access protocols. By default, the following three cipher sets are enabled:

  • TLS_AES_256_GCM_SHA384

  • TLS_CHACHA20_POLY1305_SHA256

  • TLS_AES_128_GCM_SHA256

Note: The TLS1.3 cipher sets only become available when the TLS1.3 protocol is enabled.
Note: TLS1.3 ciphers are always available regardless of whether the selected cipher set contains any TLS1.3 ciphers, which is how the OpenSSL libraries behave. TLS1.3 ciphers can only be removed from offered ciphers by disabling the TLS1.3 protocol (which is not recommended).
CAUTION: Disabling all three default cipher sets may cause loss of connectivity to the LoadMaster.

Intermediate and CA Certificates

The default behavior for UI access authentication is to accept a client certificate validated by any of those in the trusted LoadMaster store. In LoadMaster firmware version 7.2.55, users can now specify the specific Intermediate Certificate to be used to validate the Client Certificate for UI access authentication.

Available certificates are listed in the Available Certificates select list on the left. To assign or unassign a certificate, select it and click the right or left arrow button. Then click Set WUI Intermediate Certificates. Multiple certificates can be selected by holding Ctrl on your keyboard and clicking each required certificate.

Note: In LoadMaster firmware version 7.2.55, support was added for Intermediate and CA Certificates. By default, all intermediate certificates are listed under All Certificates list used for WUI access. If any certificate is moved from All Certificates list to Available Certificates list, then the All Certificates list is renamed to Assigned Certificates list. In this scenario the certificates listed in Assigned Certificates list will be used for WUI access.

WUI Session Management

Session management is enabled by default on all LoadMasters initially deployed with LTS firmware versions or above.

Note: If you perform a factory reset of the LoadMaster, you must enable the Enable Session Management check box and disable the Require Basic Authentication check box to successfully run APIv2 (JSON-format) requests.

The level of user permissions determine what WUI Session Management fields can be seen and modified. Refer to the table below for a breakdown of permissions.

Control

Bal user

User with ‘All Permissions’

User with ‘User Administration’ permissions

All other users

Session Management

Modify

View

View

None

Require Basic Authentication

Modify

View

View

None

Basic Authentication Password

Modify

View

View

None

Failed Login Attempts

Modify

Modify

View

None

Idle Session Timeout

Modify

Modify

View

None

Limit Concurrent Logins

Modify

Modify

View

Pre-Auth Click Through Banner

Modify

Modify

View

None

Currently Active Users

Modify

Modify

View

None

Currently Blocked Users

Modify

Modify

View

None

When using WUI Session Management, it is possible to use one or two steps of authentication.

If Enable Session Management check box is ticked and Require Basic Authentication is disabled, the user only needs to log in using their local username and password. Users are not prompted to log in using the bal or user logins.

If the Enable Session Management and Require Basic Authentication check boxes are both selected, there are two levels of authentication enforced to access the LoadMaster WUI. The initial level is Basic Authentication where users log in using the bal or user logins, which are default usernames defined by the system.

The purpose of the user user is so that administrators can provide credentials of the user user to people, instead of providing the bal credentials. The password for the user user, can be set by configuring the Basic Authentication Password text box. Only the bal user is permitted to set the Basic Authentication Password.

Once logged in using Basic Authentication, the user then must log in using their local username and password to begin the session.

Enable Session Management

Selecting the Enable Session Management check box enables the WUI Session Management functionality. This will force all users to log in to the session using their normal credentials.

When this check box is checked, the user is required to login to continue to use the LoadMaster.

Note: LDAP users need to login using the full domain name. For example; an LDAP username should be test@progress.com and not just test.

After a user has logged in, they may log out by clicking the Logout button, , in the top right-hand corner of the screen.

Once the WUI Session Management functionality is enabled, all the WUI Session Management options appear.

Require Basic Authentication

If WUI Session Management and Basic Authentication are both enabled, there are two levels of authentication enforced to access the LoadMaster WUI. The initial level is Basic Authentication where users log in using the bal or user logins, which are default usernames defined by the system.

Once logged in with Basic Authentication, the user then must log in using their local username and password to begin the session.

Basic Authentication Password

The Basic Authentication password for the user login can be set by typing the password into the Basic Authentication Password text box and clicking the Set Basic Password button.

The password needs to be at least 8 characters long and should be a mix of alpha and numeric characters. If the password is considered to be too weak, a message appears asking you to enter a new password.

Only the bal user is permitted to set the Basic Authentication password.

Failed Login Attempts

The number of times that a user can fail to login correctly before they are blocked can be specified within this text box. The valid values that may be entered are numbers between 1 and 999.

If a user is blocked, only the bal user or other users with All Permissions set can unblock a blocked user.

If the bal user is blocked, there is a 'cool-down' period of 10 minutes before the bal user can login again. The bal user is unblocked if there are no login attempts for 10 minutes.

Idle Session Timeout

The length of time (in seconds) a user can be idle (no activity recorded) before they are logged out of the session. The valid values that may be entered are numbers between 60 and 86400 (between one minute and 24 hours).

Note: Any page that refreshes automatically will not time out from the WUI Idle Session Timeout setting. For example, the Real Time Statistics page, GSLB Statistics page, WAF False Positive Analysis page, and so on.

Limit Concurrent Logins

This option enables LoadMaster administrators to limit the maximum number of concurrent login sessions logins a single user can have to the LoadMaster WUI at any one time.

The values that can be selected range from 0 to 9.

A value of 0 allows an unlimited number of logins.

The value entered represents the total number and is inclusive of any bal user logins.

Pre-Auth Click Through Banner

Set the pre-authentication click through banner that is displayed before the LoadMaster WUI login page. This field can contain plain text or HTML code but not JavaScript. For security purposes, you cannot use the (single quote) and (double-quote) characters. This field accepts up to 5,000 characters.
Note: Line breaks in the Pre-Auth Click Through Banner field in the LoadMaster UI must be in HTML code (such as <br/> or <p> tags).

Active and Blocked Users

Only the bal user or users with ‘All Permissions’ set can use this functionality. Users with ‘User Administration’ permissions set can view the screen but all buttons and input fields are greyed out. All other users cannot view this portion of the screen.

Currently Active Users

The user name and login time of all users logged into the LoadMaster are listed within this section.

To immediately log out a user and force them to log back into the system, click the Force logout button.

To block a user from being able to log in to the system, click the Block user button. The user will not be able to log back in to the system until they are unblocked or until the LoadMaster reboots. Clicking the Block user button does not force the user to log off, to do this, click the Force logout button.

If a user exits the browser without logging off, that session will remain open in the currently active users list until the timeout has reached. If the same user logs in again, before the timeout is reached, it would be within a separate session.

Currently Blocked Users

The user name and login time of when the user was blocked are listed within this section.

To unblock a user to allow them to login to the system, click the Unblock button.