L7 Authentication Timeout

When configuring ESP, users can set the L7 Authentication Timeout (secs) option.

This option supports integration with third-party multi-factor authentication solutions, which may have secondary processes such as SMS or telephone verification. This setting determines how long (in seconds) the SSO form waits for authentication verification to complete before timing out.

L7 Client Token Timeout (secs)

The time (in seconds) to wait for the client token while authentication is in progress (used for RSA SecurID and RADIUS authentication). The range of valid values is 60 to 300. The default value is 120.

Include User Agent Header in User Logs

When enabled, the User Agent header field gets added to the User Logs.

Use CEF Log Format

When enabled, the ESP logs are generated in Common Event Format (CEF). CEF logs are easily consumed by Security Information and Event Management (SIEM) tools such as Splunk, SolarWinds, LogRhythm, AlienVault, and so on.

SSO Maximum Threads

The maximum number of allowed threads for SSO authentication attempts. The range of valid values is 64 to 1024. The default value is 128.

NTLM Proxy Mode

In LoadMaster firmware version 7.2.48.4 Long Term Support (LTS) and 7.2.53, the NTLM Proxy Mode option was added to the LoadMaster. When upgrading from an older version of LoadMaster firmware to one of these versions (or above), the NTLM Proxy Mode option is not enabled by default. As a result, you must manually enable NTLM Proxy Mode after upgrading.

For all new deployments of LoadMasters after 7.2.48.4 LTS or 7.2.53, NTLM Proxy Mode is enabled by default.

When NTLM Proxy Mode is enabled, NTLM authorization works against the Real Servers. If NTLM Proxy Mode is disabled, the old insecure NTLM processing is performed.

Note: We highly recommend ensuring that NTLM Proxy Mode is enabled.

When NTLM Proxy Mode is enabled globally, the Client Authentication Mode in Virtual Services is called NTLM-Proxy. If NTLM Proxy Mode is disabled globally, the Client Authentication Mode in Virtual Services is called NTLM.

Default ESP Cookie SameSite Processing

This option allows you to set the default value of the SameSite option for cookies sent by the LoadMaster during ESP processing. The SameSite attribute tells browsers when and how to process cookies in first-party or third-party situations. SameSite is used by a variety of browsers to identify whether or not to allow a cookie to be accessed.

The following are the SameSite options:

  • SameSite option not added

  • SameSite=None: Signals that the cookie data can be shared with third parties/external sites (for advertising, embedded content, and so on).

  • SameSite=LAX: Signals that the cookie may be used as a first-party cookie but may also be used when accessing the site from an external site via a link clicked by the user.

  • SameSite=Strict: A subset of Lax that only allows the cookie to be used in a first-party context and excludes its use when the site is accessed through an incoming link from an external site.
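
The following added example (not LoadMaster code) models the options listed above: given a Set-Cookie header value, it reports in which request contexts a browser attaches the cookie and flags settings worth reviewing. The cookie name, the sample values, and the browser_default parameter are assumptions made for illustration.

```python
# Added example: models the SameSite options listed above.
# The cookie name and values used with it are constructed, not LoadMaster output.
CONTEXTS = ("same_site", "cross_site_link", "cross_site_embedded")

def parse_set_cookie(header):
    """Return (name, samesite, secure) for one Set-Cookie header value."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    samesite, secure = None, False
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        if key == "samesite":
            samesite = value.strip().lower()
        elif key == "secure":
            secure = True
    return name, samesite, secure

def sent_in(header, browser_default="lax"):
    """Map each request context to True if the browser attaches the cookie.

    browser_default is an assumption: what the browser does when the
    attribute is absent or invalid ("lax" in current Chromium-based
    browsers, "none" in older ones).
    """
    _, samesite, secure = parse_set_cookie(header)
    if samesite == "none" and not secure:
        # Browsers that enforce the current rules reject this cookie outright.
        return dict.fromkeys(CONTEXTS, False)
    mode = samesite if samesite in ("strict", "lax", "none") else browser_default
    return {
        "same_site": True,
        "cross_site_link": mode in ("lax", "none"),   # top-level GET navigation
        "cross_site_embedded": mode == "none",        # iframe, image, fetch
    }

def findings(header):
    """Return review notes for one Set-Cookie header value."""
    name, samesite, secure = parse_set_cookie(header)
    notes = []
    if samesite is None:
        notes.append(f"{name}: no SameSite attribute, behaviour depends on the browser default")
    elif samesite == "none" and not secure:
        notes.append(f"{name}: SameSite=None without Secure is rejected by current browsers")
    elif samesite == "none":
        notes.append(f"{name}: sent on all cross-site requests")
    return notes
```

Run it against the Set-Cookie headers captured from a Virtual Service after changing the default to confirm that the cookie scope matches what the published application needs.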