Allow Remote SSH Access

You can limit the network from which clients can connect to the SSH administrative interface on LoadMaster.

Using

Specify the addresses from which remote administrative SSH access to the LoadMaster is allowed.

Note: Only the ‘bal’ user has rights to access the LoadMaster using SSH.
Note: As of LoadMaster firmware version 7.2.48.4 Long Term Support (LTS) and 7.2.53, RSA keys are no longer supported for SSH access to the LoadMaster. If you are using RSA keys for SSH access and you are upgrading to one of these versions (or above), you must move to another key type. There are two key types available as an alternative to RSA keys: ecdsa-sha2-nistp384 and ssh-ed25519.
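Before upgrading past the versions in the note above, it is worth knowing which of the SSH public keys you have loaded will stop working. The script below is an added example, not Kemp code, and assumes the keys are available in an authorized_keys-style file (one "type base64-blob comment" entry per line, optionally prefixed with options). It reports each key as still accepted, unsupported after the upgrade, or malformed, and it also checks that the type string inside the base64 blob agrees with the declared type. The sample lines are constructed and contain dummy key material.

```python
import base64
import struct

# Key types the note above lists as still accepted for SSH access after the change.
SUPPORTED_TYPES = {"ecdsa-sha2-nistp384", "ssh-ed25519"}
# Other OpenSSH key types recognised so the report can name what will stop working.
KNOWN_TYPES = SUPPORTED_TYPES | {"ssh-rsa", "ssh-dss", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp521"}

def _ssh_string(data):
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack("!I", len(data)) + data

def parse_public_key_line(line):
    """Return (declared type, type inside the base64 blob, comment) for one
    authorized_keys-style line. Leading options such as from="..." are skipped
    (options containing spaces are not handled). Raises ValueError when malformed."""
    tokens = line.split()
    index = next((i for i, tok in enumerate(tokens) if tok in KNOWN_TYPES), None)
    if index is None or index + 1 >= len(tokens):
        raise ValueError("no recognised key type followed by key data")
    declared = tokens[index]
    blob = base64.b64decode(tokens[index + 1], validate=True)  # binascii.Error is a ValueError
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (name_len,) = struct.unpack("!I", blob[:4])
    if name_len > len(blob) - 4:
        raise ValueError("key blob type string truncated")
    blob_type = blob[4:4 + name_len].decode("ascii", errors="replace")
    return declared, blob_type, " ".join(tokens[index + 2:])

def audit_keys(text):
    """Classify every key line as 'ok' (still accepted), 'unsupported' (will stop
    working after the upgrade) or 'malformed'. Returns (status, key type, detail) tuples."""
    report = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            declared, blob_type, comment = parse_public_key_line(line)
        except ValueError as exc:
            report.append(("malformed", line.split()[0], str(exc)))
            continue
        if declared != blob_type:
            report.append(("malformed", declared, f"blob says {blob_type}"))
        elif declared in SUPPORTED_TYPES:
            report.append(("ok", declared, comment))
        else:
            report.append(("unsupported", declared, comment))
    return report

def _sample_key(key_type, payload=b"\x00" * 32):
    """Constructed key blob with the right type prefix; the key material is dummy zeros."""
    return base64.b64encode(_ssh_string(key_type.encode()) + _ssh_string(payload)).decode()

# Constructed sample file: none of these are real keys.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample authorized_keys",
    f"ssh-ed25519 {_sample_key('ssh-ed25519')} admin@example",
    f"ssh-rsa {_sample_key('ssh-rsa')} legacy@example",
    f'from="192.0.2.10" ecdsa-sha2-nistp384 {_sample_key("ecdsa-sha2-nistp384")} ops@example',
    f"ecdsa-sha2-nistp256 {_sample_key('ecdsa-sha2-nistp256')} p256@example",
    f"ssh-ed25519 {_sample_key('ssh-rsa')} mismatched@example",
    "ssh-ed25519 not-base64!!! broken@example",
])

if __name__ == "__main__":
    for status, key_type, detail in audit_keys(SAMPLE_AUTHORIZED_KEYS):
        print(f"{status:<12}{key_type:<22}{detail}")
```

Run it against your own exported key list instead of SAMPLE_AUTHORIZED_KEYS; any line reported as unsupported (ssh-rsa, and also the other ECDSA curves, which the note does not list) needs a replacement key generated before the upgrade.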

Port

Specify the port used to access the LoadMaster using the SSH protocol.

SSH Pre-Auth Banner

Set the SSH pre-authentication banner, which is displayed before the login prompt when logging in using SSH. This field accepts up to 5,000 characters.

Allow Web Administrative Access

Selecting this check box allows administrative web access to the LoadMaster. Disabling this option will stop access upon the next reboot. Click Set Administrative Access to apply any changes to this field.

Note: Disabling web access is not recommended.
Note: It is critical to the security of your appliance that you use a dedicated network interface for management traffic; refer to the LoadMaster Hardening Technical Note for further details.

Using

Specify the addresses from which administrative web access is permitted. Click Set Administrative Access to apply any changes to this field. You need to reconnect to the WUI using the new address after the change is applied.

Port

Specify the port used to access the administrative web interface. Click Set Administrative Access to apply any changes to this field. You need to reconnect to the WUI using the new port after the change is applied.

Admin Default Gateway

When administering the LoadMaster from a non-default interface, this option allows the user to specify a different default gateway for administrative traffic only. Click Set Administrative Access to apply any changes to this field.

Allow Multi Interface Access

Enabling this option allows the WUI to be accessed from multiple interfaces. When this option is enabled, a new option appears in each of the interface screens (System Configuration > eth<n>) called Allow Administrative WUI Access. When both of these options are enabled, the WUI can be accessed from the IP address of the relevant interface(s) and any Additional addresses configured for that interface. Click Set Administrative Access to apply any changes to this field.

Note: The certificate used by default to secure WUI connections specifies the initial WUI IP address, and so will not work for WUI connections on other interfaces. If you enable the WUI on multiple interfaces, you will need to install a wildcard certificate for the WUI. For more information on certificates, refer to the SSL Accelerated Services Feature Description.
Note: Enabling the WUI on multiple interfaces can have a performance impact on the system. A maximum of 64 network interfaces can be tracked, and the system can listen on a maximum of 1024 addresses in total.

RADIUS Server

Here you can enter the address of the RADIUS server that is to be used to validate user access to the LoadMaster. To use a RADIUS server, you have to specify the Shared Secret.

A Shared Secret is a text string that serves as a password between the LoadMaster and the RADIUS server.

The Revalidation Interval specifies how often a user should be revalidated by the RADIUS server.

RADIUS Server Configuration

To configure RADIUS to work correctly with the LoadMaster, authentication must be configured on the RADIUS server and the RADIUS Reply-Message must be mapped to LoadMaster permissions.

The Reply-Message values correspond to LoadMaster permissions as shown in the table below.

Reply-Message    LoadMaster Permission
real             Real Servers
vs               Virtual Services
rules            Rules
backup           System Backup
certs            Certificate Creation
cert3            Intermediate Certificates
certbackup       Certificate Backup
users            User Administration
geo              GEO Configuration

The values in the Reply-Message should map to the user permissions page in the WUI as per Figure 119, with the exception of “All Permissions”:

To configure the Linux FreeRADIUS server, insert the text below into the /etc/freeradius/users file in the sections indicated within the file. The example below configures permissions for the user ‘LMUSER’.

LMUSER Cleartext-Password := "1fourall"
        Reply-Message = "real,vs,rules,backup,certs,cert3,certbackup,users"

The /etc/freeradius/clients.conf file must also be configured to include the LoadMaster IP address. This file lists the IP addresses that are allowed to contact RADIUS.
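The exchange that the users and clients.conf entries above set up, written out as an added example (this is not Kemp or FreeRADIUS code): a minimal RFC 2865 Access-Request/Access-Accept implementation in Python that shows what the Shared Secret actually does (it keys the User-Password hiding and the Response Authenticator, so a reply from a server without the secret is rejected) and how the comma-separated Reply-Message is mapped to the LoadMaster permissions in the table. The shared secret and user entry are constructed test values; the user entry mirrors the LMUSER example above. Unknown Reply-Message tokens are treated as an error rather than silently ignored.

```python
import hashlib
import hmac
import os
import struct

# Reply-Message tokens -> LoadMaster permissions (the table above).
PERMISSION_MAP = {
    "real": "Real Servers", "vs": "Virtual Services", "rules": "Rules",
    "backup": "System Backup", "certs": "Certificate Creation",
    "cert3": "Intermediate Certificates", "certbackup": "Certificate Backup",
    "users": "User Administration", "geo": "GEO Configuration",
}
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3          # RFC 2865 codes
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_REPLY_MESSAGE = 1, 2, 18  # attribute types

def _attr(atype, value):
    """One attribute: Type(1) Length(1, includes this header) Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def hide_password(secret, request_auth, password):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out

def reveal_password(secret, request_auth, hidden):
    """Inverse of hide_password: block i's mask is keyed by ciphertext block i-1."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(prev, mask))
    return out.rstrip(b"\x00")

def parse_packet(packet):
    """Return (code, identifier, authenticator, [(type, value), ...]) or raise ValueError."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, identifier, packet[4:20], attrs

def build_access_request(secret, identifier, username, password):
    """Client (LoadMaster) side: Access-Request with a fresh random Request Authenticator."""
    request_auth = os.urandom(16)
    body = _attr(ATTR_USER_NAME, username.encode()) + _attr(
        ATTR_USER_PASSWORD, hide_password(secret, request_auth, password.encode()))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + request_auth + body

def server_respond(secret, users, request):
    """Server side; `users` maps name -> (cleartext password, Reply-Message) like the users file."""
    _, identifier, request_auth, attrs = parse_packet(request)
    fields = dict(attrs)
    name = fields.get(ATTR_USER_NAME, b"").decode(errors="replace")
    password = reveal_password(secret, request_auth, fields.get(ATTR_USER_PASSWORD, b""))
    entry = users.get(name)
    if entry and hmac.compare_digest(entry[0].encode(), password):
        code, body = ACCESS_ACCEPT, _attr(ATTR_REPLY_MESSAGE, entry[1].encode())
    else:
        code, body = ACCESS_REJECT, b""
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body

def reply_message_to_permissions(reply):
    """Map the comma-separated Reply-Message to permission names; unknown tokens are errors."""
    permissions = []
    for token in (t.strip() for t in reply.split(",") if t.strip()):
        if token not in PERMISSION_MAP:
            raise ValueError(f"unknown Reply-Message token {token!r}")
        permissions.append(PERMISSION_MAP[token])
    return permissions

def client_permissions(secret, request, response):
    """Client side: trust the reply only if its Response Authenticator proves the server
    holds the same shared secret; returns None on Access-Reject."""
    _, req_id, request_auth, _ = parse_packet(request)
    code, identifier, response_auth, attrs = parse_packet(response)
    if identifier != req_id:
        raise ValueError("response identifier does not match the request")
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, response_auth):
        raise ValueError("bad Response Authenticator: wrong shared secret or forged reply")
    if code != ACCESS_ACCEPT:
        return None
    reply = b",".join(v for t, v in attrs if t == ATTR_REPLY_MESSAGE).decode(errors="replace")
    return reply_message_to_permissions(reply)

if __name__ == "__main__":
    # Constructed values: the secret is made up; the user entry mirrors the page's example.
    secret = b"constructed-shared-secret"
    users = {"LMUSER": ("1fourall", "real,vs,rules,backup,certs,cert3,certbackup,users")}
    req = build_access_request(secret, 7, "LMUSER", "1fourall")
    print(client_permissions(secret, req, server_respond(secret, users, req)))
```

MD5 is used here because RFC 2865 mandates it for the password hiding and authenticators; it is not a design choice. The practical lesson is that the shared secret is the only thing binding the LoadMaster to its RADIUS server, so it should be long, random, unique per client entry in clients.conf, and the server should be reachable only over the dedicated management network.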

Note: When Session Management is enabled, the RADIUS Server options are not available within this screen. Please refer to the WUI Authentication and Authorization section for further information on how to configure RADIUS Server when Session Management is enabled.

Enable API Interface

Enables/disables the RESTful Application Program Interface (API). You can also specify the port used to access the API interface. If the port is unset, you can access the API over the web interface port. Some things to note are as follows:

  • If you try to use the API on a port other than the one on which it is running, the LoadMaster returns an HTTP 404 (not found) response.

  • If you try to use the WUI on the port configured specifically for the API, an unreadable page and/or 404 response is displayed (depending on the browser used).

  • You can set the API port value to an empty string which will unset the value. If the API port is not set, the WUI port is used.

Self-Signed Certificate Handling

Select the type of self-signed certificates that the system will use. The options are described below:

  • RSA self-signed certs: By default, these are RSA certificates that are signed with the Progress Kemp RSA root certificate.
  • EC certs with a RSA signature: The LoadMaster can generate an EC certificate also signed by the original RSA Progress Kemp root certificate.
  • EC certs with an EC signature: The LoadMaster can generate an EC certificate signed by the Progress Kemp EC root certificate. In this mode, any CSRs generated will also be EC.
Note: If Self-Signed Certificate Handling is set to EC certs with an EC signature, CSR generation is restricted to the administrative (bal) user only. If Self-Signed Certificate Handling is set to a different value, all users (regardless of their permissions) can generate CSRs.
Note: If Self-Signed Certificate Handling is set to an EC mode and Random Number Generation (RNG) fails (for example, if the hardware does not support it, as on legacy systems), a message is displayed on the home screen saying Could not start CC mode - system disabled and the WUI is unusable. This also generates a critical log message saying Cannot initialize RNG, CC mode disabled and an authlog entry saying Failed to start RNG, CC mode not started. To get out of this mode, you must use the isetup menu (either using the console or SSH). Navigate to Local Admin > Web Address > Confirm switch out of CC mode. This option is only shown when the LoadMaster is in this state. This allows the system to work as usual (but not in Common Criteria (CC) mode).

You should not switch from RSA self-signed certs to EC certs with an EC signature directly. If you do this, connections will fail because there is no EC Progress Kemp Certificate Authority (CA) certificate. To work around this, you must first switch from RSA self-signed certs to EC certs with a RSA signature.

Then, download the new EC Progress Kemp CA certificate by clicking Download ECC Root Cert in the bottom-right of the WUI under the main menu after refreshing the page. After you have downloaded the certificate, you can switch to EC certs with an EC signature with no loss of connection.

Outbound Connection Cipher Set

This option allows you to select a pre-defined cipher set to use for all outbound connections, including:

  • Remote logging (syslog)

  • Email notifications

  • LDAP authentication

  • OCSP certificate validation

  • Re-encrypted client requests

  • HTTPS health checks

The default setting is None - Outbound Default, which means there is no specific cipher set chosen. However, the outbound connection is encrypted and the LoadMaster defaults to all ciphers available for the agreed TLS protocol.

This is global for all outbound connections. For information on each of the cipher sets available, refer to the Cipher Sets section.

Note: The LoadMaster applies Online Certificate Status Protocol (OCSP) stapling (if enabled) to verify certificates for all outbound connections originated by LoadMaster, except for re-encrypted connections to Real Servers.

Admin Login Method

Note: This option will only appear if Session Management is enabled. For further information on Session Management, refer to the Admin WUI Access section or the User Management Feature Description.

Specify the login option for access to the LoadMaster WUI. The following options are available:

Note: The Pre-Auth Click Through Banner in the Admin WUI Access screen must be set for all Admin Login Method options to be made available.

  • Password Only Access (default): This option provides access using the username and password only – there is no access using client certificates.

  • Password or Client certificate: The user can log in using either the username/password or a valid client certificate. If a valid client certificate is in place, the username and password are not required. The client is asked for a certificate. If a client certificate is supplied, the LoadMaster checks for a match: either the certificate matches one of the local certificates, or its Subject Alternative Name (SAN) or Common Name (CN) matches. The SAN is used in preference to the CN when matching. If there is a match, the user is allowed access to the LoadMaster. This works both using the API and the user interface. An invalid certificate does not allow access. If no client certificate is supplied, the LoadMaster expects a username and password to be supplied (for the API) or asks the user to enter a password using the standard WUI login page.

  • Client certificate required: Access is only allowed with the use of a client certificate. It is not possible to log in using the username and password. SSH access is not affected by this (only the bal user can log in using SSH).

  • Client certificate required (Verify via OCSP): This is the same as the Client certificate required option, but the client certificate is verified using an OCSP service. The OCSP Server Settings must be configured for this to work. For further information on the OCSP Server Settings, refer to the Cipher Sets section.

Note: In LoadMaster firmware version 7.2.53 and above, the OCSP server settings do not need to be configured in the LoadMaster if the certificate has an Authority Information Access (AIA) extension. The LoadMaster attempts to connect with the provided AIA. For further details on the functionality introduced, refer to the section WUI Authentication and Authorization.

Some points to note regarding the client certificate methods are below:

  • The bal user does not have a client certificate. Therefore, it is not possible to log into the LoadMaster as bal using the Client certificate required methods. However, a non-bal user can be created and granted All Permissions. This will allow the same functionality as the bal user.
  • There is no log out option for users that are logged in to the WUI using client certificates, as it is not possible to log out (if the user did log out the next access would automatically log them back in again). The session is terminated when the page is closed, or when the browser is restarted.

For further information on client certificate WUI authentication, including step-by-step instructions on how to configure it, please refer to the User Management Feature Description.

Allow Client Certificate Login Without Locally Installed User Certificate

Enabling this option allows client certificate logins for local users even if the client certificate has been deleted from the LoadMaster. By default, this option is enabled. The Allow Client Certificate Login Without Locally Installed User Certificate option is only visible if one of the Client certificate values is selected for the Admin Login Method. To set the Admin Login Method to a Client certificate option, you must set a Pre-Auth Click Through Banner in Certificates & Security > Admin WUI Access.

Enable Software FIPS 140-2 level 1 Mode

Note: FIPS mode cannot be enabled if Session Management is disabled. For further information on Session Management, refer to the Admin WUI Access section.

Switch to FIPS 140-2 level 1 certified mode for this LoadMaster. The LoadMaster must be rebooted to activate.

Note: Before switching to FIPS mode, you must export your certificates (Certificates & Security > Backup/Restore Certs). Then, after switching to FIPS mode, reset the UI certificates, restore your certificates and then use the correct certificate that you want for the UI.
Note: A number of warnings will appear before enabling FIPS. If FIPS is enabled on a LoadMaster, it cannot easily be disabled. If FIPS has been enabled and you want to disable it, please contact Progress Kemp Support.

When a LoadMaster is in FIPS level 1 mode, FIPS-1 appears in the top-right of the LoadMaster WUI.

A LoadMaster in FIPS level 1 mode has a different set of ciphers from a non-FIPS LoadMaster. There is a Default cipher set and there are no other system-defined cipher sets to choose from.

Note: If FIPS is enabled, you cannot use RADIUS authentication.

Enable Kemp Analytics

Enables statistical and usage data to be sent to Progress Kemp for analysis. This data is strictly about product usage, enabled capabilities, and statistics. No sensitive user data or traffic of any kind is collected or communicated. For more information, visit the following page: Kemp Analytics Disclosure and Usage.