Enable Server NAT

This option enables Server Network Address Translation (SNAT). If this is disabled, the Real Server IP address is used when connecting.

If this is enabled, addresses that are of the same address family (IPv4/IPv6) as the primary address of the default gateway are NATed to the “primary address”. If the Use Address for Server NAT option is enabled in the Virtual Service, the Virtual Service address will be used. For further information on the Use Address for Server NAT option, refer to the Standard Options section.

If the source address is not in the same family as the primary address, then the address will be SNATed to the first additional address which is on the same network as the default gateway for that address family.

For example, if the primary address of the default interface is an IPv6 address, then IPv6 addresses will be SNATed to that address. If the primary address is an IPv4 address, then IPv6 addresses will be SNATed to the first additional address (IPv6) which is on the same network as the IPv6 default gateway.

Similarly, if the primary address of the default interface is an IPv4 address, then IPv4 addresses will be SNATed to that address. If the primary address is an IPv6 address, then IPv4 addresses will be SNATed to the first additional address (IPv4) which is on the same network as the IPv4 default gateway.
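The selection rules above can be expressed as a short function. This is an added illustration, not LoadMaster code: the function name, its parameters and the sample addresses are constructed, and it assumes that Use Address for Server NAT takes precedence over the family-based rules.

```python
import ipaddress

# Constructed sample data (documentation address ranges), not from the page.
PRIMARY = "192.0.2.10/24"                     # primary address, IPv4
ADDITIONAL = ["198.51.100.7/24",              # additional addresses, in order
              "2001:db8:1::10/64",
              "2001:db8:2::10/64"]
GATEWAYS = {4: "192.0.2.1", 6: "2001:db8:2::1"}   # default gateway per family


def snat_source(real_server, primary, additional, gateways,
                vs_address=None, use_vs_address=False):
    """Pick the SNAT source address for a connection to real_server.

    Returns an ipaddress object, or None when no address qualifies.
    """
    target = ipaddress.ip_address(real_server)

    # Assumption: "Use Address for Server NAT" overrides the rules below.
    if use_vs_address and vs_address is not None:
        return ipaddress.ip_address(vs_address)

    # Same family as the primary address: NAT to the primary address.
    prim = ipaddress.ip_interface(primary)
    if prim.version == target.version:
        return prim.ip

    # Other family: first additional address that shares a network with
    # the default gateway of that family.
    gateway = gateways.get(target.version)
    if gateway is None:
        return None
    gw = ipaddress.ip_address(gateway)
    for entry in additional:
        iface = ipaddress.ip_interface(entry)
        if iface.version == gw.version and gw in iface.network:
            return iface.ip
    return None
```

With the sample data, an IPv4 Real Server is reached from 192.0.2.10, while an IPv6 Real Server is reached from 2001:db8:2::10, because 2001:db8:1::10 is not on the IPv6 gateway's network.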

Note: FTP and SNAT do not always work together reliably, so this configuration is not supported.

Connection Timeout (secs)

The length of time (in seconds) that a connection may remain idle before it is closed. This value is independent of the Persistence Timeout value.

Setting a value of 0 will reset the value to the default setting of 660 seconds.

Enable Non-Local Real Servers

Allow non-local Real Servers to be assigned to Virtual Services. This may be needed if the LoadMaster can only have one interface and the Real Servers are on a different network to the interface. This option is enabled by default.

Enable Alternate GW support

If there is more than one interface enabled, this option provides the ability to move the default gateway to a different interface.

Enabling this option adds another option to the Interfaces screen – Use for Default Gateway.

Note: The Enable Alternate GW support option will appear on a different screen in GEO only LoadMasters.
Note: Alternate default gateway support is not permitted in a cloud environment.

Enable TCP Timestamps

The LoadMaster can include timestamps in the SYN on both connections from clients and connections to Real Servers.

Note: This may impact connections that are NATed and should only be enabled in consultation with Progress Kemp Customer Support.

Enable TCP Keepalives

By default, TCP keepalives are enabled, which improves the reliability of long-lived TCP connections (for example, SSH sessions). Keepalives are not usually required for normal HTTP/HTTPS services, but may be required for FTP services, for example.

The keepalive messages are sent from the LoadMaster to the Real Server and to the client. Therefore, if the client is on a mobile network, there may be an issue with additional data traffic.

Enable Reset on Close

When this setting is disabled (the default), unencrypted and encrypted TCP connections to the LoadMaster on both the client and server sides are closed using the standard TCP exchange of FIN and ACK packets. In situations where a Virtual Service is under a high incoming connection load, the ability to establish new connections to the Virtual Service can be improved by turning on Enable Reset on Close; this tells the LoadMaster to close TCP connections with a single TCP RST (reset) packet, rather than the normal TCP closing exchange.

Subnet Originating Requests

With this option enabled, the source IP address of non-transparent requests will come from the LoadMaster’s address on the relevant subnet, that is, the subnet where the Real Server is located or the subnet of the gateway that can route to the Real Server (if the Real Server is non-local and configured to use a static route). For more information on configuring a static route, refer to the following knowledge base article: Creating a Static Route.

This is the global option/setting.

Note: It is recommended that the Subnet Originating Requests option is enabled on a per-Virtual Service basis.

When the global option is disabled, the per Virtual Service Subnet Originating Requests option takes precedence, that is, it can be enabled or disabled per Virtual Service. This can be set in the Standard Options section of the Virtual Services properties screen (if Transparency is disabled). For more information on the per Virtual Service option, refer to the Standard Options section.

Note: If this option is switched on for a Virtual Service that has SSL re-encryption enabled, all connections currently using the Virtual Service will be terminated because the process that handles the connection must be killed and restarted.

Enable Strict IP Routing

When this option is selected, only packets which arrive at the machine over the same interface as the outbound interface are accepted.

Note: The Use Default Route Only option may be a better way to achieve this.

Handle non HTTP Uploads

Enabling this option ensures that non HTTP uploads (such as FTP uploads) function correctly.

Enable Connection Timeout Diagnostics

By default, connection timeout logs are not enabled. This is because they may cause too many unnecessary logs. If you wish to generate logs relating to connection timeouts, select the Enable Connection Timeout check box.

Legacy TCP Timewait Handling

Enable this option to revert to the legacy mode of reusing TCP timewait connections.

Note: Only enable the Legacy TCP Timewait Handling option after consulting with Progress Kemp Support.

Force Real Server Certificate Checking

By default, when re-encrypting traffic the LoadMaster does not check the certificate provided by the Real Server. This option forces the LoadMaster to verify that the certificate on the Real Server is valid, that is, the certificate authority and expiration are OK. This includes all intermediate certificates.

Use Default Route Only

Forces traffic from Virtual Services that have a Virtual Service gateway set to only be routed to the interface where the Virtual Service gateway is located.

This setting can allow the LoadMaster to be directly connected to client networks without returning traffic directly, by using the Virtual Service gateway instead.

Note: Enabling this option affects all Virtual Services that have a Virtual Service gateway set.
Note: Other network options, such as Subnet Originating Requests, may affect routing. Refer to the Routing Feature Description document for further details.

For further details on the Use Default Route Only option, refer to the Use Default Route Only section of the Routing Feature Description.

HTTP(S) Proxy

This option allows clients to specify the HTTP(S) proxy server and port the LoadMaster will use to access the internet. This must be an IP address and port (not an FQDN).

Local Reserved Ports

A single port, or list of comma-separated ports, that will not be used when initiating connections to Real Servers. Some things to note about this field are as follows:

  • Ports specified in the list must be between 1024 and 63999 (inclusive).

  • A port cannot appear more than once in the list.

  • The total length of the list cannot exceed 128 characters.

  • If you are making changes to an existing list, the entire list of ports must be specified.

This option would be used to remove specific ports from the list of ports used by the system to communicate with back-end Real Servers, typically because:

  • those ports are dedicated for some other purpose than load balancing

  • and either no connections should be made to that server port for load balancing purposes, or the server will simply drop load balancing connections received on that port.

Warning: To protect against port exhaustion during periods of heavy traffic, LoadMaster uses a wide set of ports (1024 to 63999). Significantly reducing the number of these ports available for connections to Real Servers could lead to port exhaustion (that is, dropped server-side connections), so best practice is to keep the number of ports removed low – a single-digit percentage of all ports.
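A value for this field can be checked against the rules above before it is applied. The following is an added example, not part of the LoadMaster product: the function names are hypothetical, and it assumes the field does not tolerate whitespace around the commas.

```python
PORT_MIN, PORT_MAX = 1024, 63999   # port range stated above
MAX_FIELD_LEN = 128                # maximum length of the list, in characters


def check_reserved_ports(field):
    """Validate a Local Reserved Ports value.

    Returns (errors, percent_removed). errors is empty when the value obeys
    every rule; percent_removed is the share of the 1024-63999 range that
    the valid entries take away from Real Server connections.
    """
    errors = []
    if len(field) > MAX_FIELD_LEN:
        errors.append(f"list is {len(field)} characters, limit is {MAX_FIELD_LEN}")
    seen = set()
    for token in field.split(","):
        # Assumption: entries are bare decimal numbers, no spaces or ranges.
        if not (token.isascii() and token.isdigit()):
            errors.append(f"not a port number: {token!r}")
            continue
        port = int(token)
        if not PORT_MIN <= port <= PORT_MAX:
            errors.append(f"port {port} outside {PORT_MIN}-{PORT_MAX}")
        elif port in seen:
            errors.append(f"port {port} listed more than once")
        seen.add(port)
    usable = PORT_MAX - PORT_MIN + 1
    valid = {p for p in seen if PORT_MIN <= p <= PORT_MAX}
    return errors, 100.0 * len(valid) / usable


def updated_field(existing, add=(), remove=()):
    """Build the complete replacement value for an existing list.

    The field is replaced as a whole, so a change must carry every port
    that should remain reserved, not only the ones being added.
    """
    drop = set(remove)
    ports = [int(p) for p in existing.split(",") if p]
    ports = [p for p in ports if p not in drop]
    ports += [p for p in add if p not in ports]
    return ",".join(str(p) for p in ports)
```

Running `check_reserved_ports(updated_field("3306,5432", add=[8443]))` returns no errors and a removed share well under one percent of the range.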