L7 Configuration
- Last Updated: April 9, 2025
Allow Connection Scaling over 64K Connections
Under very high load situations, Port Exhaustion can occur. Enabling this option will allow the setting of Alternate Source Addresses which can be used to expand the number of local ports available.
Always Check Persist
By default, the L7 module only checks persistence on the first request of an HTTP/1.1 connection. Selecting Yes for this option checks persistence on every request. Selecting Yes – Accept Changes means that all persistence changes are saved, even in the middle of a connection.
Add Port to Active Cookie
When using active cookies, the LoadMaster creates the cookie from (among other things) the IP address of the client. However, if many clients are behind a proxy server, all of those clients come from the same IP address. Turning this on adds the client's source port to the string as well, making it more random.
Conform to RFC
This option addresses parsing the header of an HTTP request in conformance with RFC 1738.
The request line consists of three parts: GET /pathname HTTP/1.1. When "conform" is on, the LoadMaster scans through the pathname until it finds a space. It then presumes that the next thing is HTTP/1.x. If the pathname contains spaces and the browser is conformant to the RFC, the pathname will have the spaces escaped to "%20", so the scan for a space will function correctly.
However, on some non-conformant browsers, spaces are not escaped and the wrong pathname is processed. Since the system then cannot find the HTTP/1.x, the LoadMaster will reject the request.
Turning off this feature forces the LoadMaster to assume that the pathname extends to the last space on the line. It is then assumed that what follows is HTTP/1.x. This makes pathnames with spaces in them usable; however, it is non-conformant to RFC 1738.
Close on Error
If the LoadMaster has to send back a failure report to the client (for example, if a file is newer in the cache), this option forces the LoadMaster to close the connection after sending the response. You can continue using the connection after sending a failure report, but some systems could become confused. This option forces the close instead of continuing.
Add Via Header In Cache Responses
The relevant HTTP RFC states that proxies should add a Via header to indicate that something came from the cache. Unfortunately, older LoadMaster versions did not do this. This check box is used to enable backward compatibility with older versions (if needed).
Real Servers are Local
The LoadMaster automatically detects local/non-local clients for the purpose of transparency (selective transparency). This works well in most cases, but it does not work well if the client is actually a Real Server. Turning this option on helps the LoadMaster to determine that a Real Server is actually local, therefore making selective transparency work.
When this option is enabled in a two-armed environment (with clients and Real Servers on the second interface) the Real Servers are treated as if they are local to the clients, that is, non-transparent. If the Real Servers are on a completely different network, then they cannot be local and will always be treated as not local. Local is defined as being on the same network.
Enabling this option requires careful network topology planning and should not be attempted before contacting the Progress Kemp Support team.
Drop Connections on RS Failure
This is useful for Microsoft Outlook users because it closes the connection immediately when a Real Server failure is detected.
Exchange users should always select this option. The Idle Connection Timeout option is also set to 86400 at the same time. For further information, refer to the Microsoft Exchange 2010 Deployment Guide.
Drop at Drain Time End and L7 Connection Drain Time (secs)
These two options control how existing connections are handled when a Real Server in a Layer 7 Virtual Service is disabled. They do not apply to Virtual Services operating at Layer 4.
Drop at Drain Time End is disabled by default, which means that the L7 Connection Drain Time setting is not enforced. In this case, when a Real Server is disabled, no new connections will be sent to the Real Server and all existing connections are immediately closed.
When Drop at Drain Time End is enabled:
- No new connections will be sent to the Real Server unless there is a valid persistence record for the client present on the LoadMaster.
- Existing non-persistent connections (that is, connections from a client with no matching persistence record on LoadMaster) are closed immediately.
- Existing persistent connections to the Real Server remain open until the L7 Connection Drain Time expires. Setting the drain time to 0 forces all the connections to be dropped immediately when a Real Server is disabled. The default setting is 300 seconds.
Note the following for Virtual Services with SubVSs:
- When a Real Server in a SubVS is disabled, the L7 Connection Drain Time setting is effective only when the Persistence Options value is set in the SubVS configuration. If persistence is set at the parent Virtual Service level instead, a default 10-second drain time is enforced for the Real Server. So, in the following scenario, the L7 Connection Drain Time does not apply when a SubVS is disabled:
- The Persistence Options are set in the parent Virtual Service, and
- There are no Persistence Options set in the SubVS, and
- The global L7 Connection Drain Time setting is not set to 0.
L7 Authentication Timeout (secs)
This option supports the integration with 3rd party, multi-factor, authentication solutions which may have secondary processes such as SMS or telephone verification. This setting determines how long (in seconds) the SSO form waits for authentication verification to complete before timing out.
L7 Client Token Timeout (secs)
The duration of time (in seconds) to wait for the client token while the process of authentication is ongoing (used for RSA SecurID and RADIUS authentication). The range of valid values is 60 to 300. The default value is 120.
L7 Wait after POST (ms)
In LoadMaster firmware version 7.2.51, a new option was introduced that is applicable when performing Kerberos Constrained Delegation (KCD) back-end authentication. The field is called L7 Wait after POST. This option is configurable in the LoadMaster User Interface (UI). The L7 Wait after POST option allows you to change the length of time to wait for a 401 response from a POST before sending the remainder of the POST body. Valid values for the wait period range from 1 to 2000 milliseconds (ms). The default value is 2000. If KCD is not being used, this option has no effect.
Additional L7 Header
This enables Layer 7 header injection for HTTP/HTTPS Virtual Services. Header injection can be set to X-ClientSide (LoadMaster specific), X-Forwarded-For, or None. The default value is X-Forwarded-For.
100-Continue Handling
Determines how 100-Continue messages are handled. The available options are:
- RFC-2616 Compliant: conforms with the behavior as outlined in RFC-2616
- Require 100-Continue: forces the LoadMaster to wait for the 100-Continue message
- RFC-7231 Compliant: ensures the LoadMaster does not wait for 100-Continue messages. This is the default value.
Allow Empty POSTs
By default, the LoadMaster blocks POSTs that do not contain a Content-Length or Transfer-Encoding header to indicate the length of the request's payload. When the Allow Empty POSTs option is enabled, such requests are assumed to have no payload data and are therefore not rejected.
Allow Empty HTTP Headers
By default, this option is disabled. If this option is disabled, the LoadMaster drops (does not process) any HTTP header that has an empty value. The LoadMaster only drops the header with an empty value, not the whole request. If this option is enabled, the LoadMaster processes headers with empty values and forwards them to the Real Server.
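As an added illustration (not Kemp code) of three of the options above, the following Python models the request-line scan described under Conform to RFC, the empty-value handling under Allow Empty HTTP Headers, and the length check under Allow Empty POSTs; the L7Options class and the function names are assumptions made here for the example.

```python
from dataclasses import dataclass


@dataclass
class L7Options:
    """Hypothetical container for the three settings (not a LoadMaster API)."""
    conform_to_rfc: bool = True
    allow_empty_headers: bool = False
    allow_empty_posts: bool = False


def parse_request_line(line, opts):
    """Split 'METHOD path HTTP/1.x'; return None when the request is rejected."""
    method, _, rest = line.partition(" ")
    if opts.conform_to_rfc:
        # Conform on: scan to the first space; the remainder must be HTTP/1.x.
        path, _, version = rest.partition(" ")
    else:
        # Conform off: the pathname extends to the last space on the line.
        path, _, version = rest.rpartition(" ")
    if not method or not path or not version.startswith("HTTP/1."):
        return None  # HTTP/1.x not found where expected: reject the request
    return method, path, version


def parse_headers(raw_headers, opts):
    """Return kept headers (lower-cased names). An empty value drops only
    that header, not the whole request, unless Allow Empty HTTP Headers is on."""
    kept = {}
    for header in raw_headers:
        name, _, value = header.partition(":")
        value = value.strip()
        if value == "" and not opts.allow_empty_headers:
            continue  # only this header is dropped; processing continues
        kept[name.strip().lower()] = value
    return kept


def check_post_length(method, headers, opts):
    """True if the request may proceed. A POST with neither Content-Length
    nor Transfer-Encoding is blocked unless Allow Empty POSTs is enabled."""
    if method != "POST":
        return True
    if "content-length" in headers or "transfer-encoding" in headers:
        return True
    return opts.allow_empty_posts  # enabled: assume the POST has no payload
```

With Conform to RFC on, a constructed request line such as "GET /my file.html HTTP/1.1" is rejected because the token after the first space is not HTTP/1.x; with it off, the same line yields the pathname "/my file.html".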
Force Complete RS Match
By default, when the LoadMaster is trying to locate a Real Server for use with content switching, it tries to use the same Real Server as currently selected, even if the port is not the same. Enabling this option forces the port to also be compared.
Least Connection Slow Start
When using the Least Connection or Weighted Least Connection scheduling methods, a period can be specified globally using the Least Connection Slow Start field during which the number of new connections to a Real Server that has come online and returned to the scheduling process is throttled and gradually increased. When any Real Server is brought back into service and the Least Connection Slow Start is set to a non-zero value, the LoadMaster throttles new traffic to the Real Server so that it is not potentially overwhelmed by a sudden stream of traffic. Under testing, the Connections Per Second (CPS) rate limit was observed to grow slowly over the specified time period until the full Real Server connection capacity is permitted. The slow start applies regardless of the reason the Real Server was removed from the scheduling process (for example, manually disabled, rate-limited, and so on).
The value of this Slow Start period can be between 0 (disabled - this is the default) and 600 seconds.
The Least Connection Slow Start feature can be used in conjunction with the Connection Rate Limit feature that was introduced in LoadMaster firmware version 7.2.51.
Share SubVS Persistence
By default, each SubVS of a Virtual Service has an independent persistence table. Enabling this option will allow the SubVS to share this information. For this to work, the persistence mode must be the same on all SubVSs within that Virtual Service. A reboot is required to activate this option.
When setting up shared SubVS persistence, there are some requirements to get this feature fully functional:
- All Real Servers in the SubVS need to be the same
- The Persistence Mode needs to be the same across all SubVSs
- The timeouts need to be set with the same timeout value
If the above requirements are not met, persistence may not work correctly either within the SubVS or across the SubVSs.
Log Insight Message Split Interval
The Log Insight Message Split Interval value controls how many syslog messages are sent to each server in the pool before moving to the next server. For example, if there are three Log Insight nodes and the Log Insight Message Split Interval is set to 1, a single message is sent to server A, then to server B, then to server C, before a message is again distributed to server A.
Include User Agent Header in User Logs
When enabled, the User Agent header field gets added to the User Logs.
Use CEF Log Format
When enabled, the ESP logs are generated in Common Event Format (CEF). CEF log format is easily consumable by Security Information and Event Management (SIEM) tools, such as Splunk, SolarWinds, LogRhythm, AlienVault, and so on.
SSO Maximum Threads
The maximum number of allowed threads for SSO authentication attempts. The range of valid values is 64 to 1024. The default value is 128.
NTLM Proxy Mode
In LoadMaster firmware version 7.2.48.4 Long Term Support (LTS) and 7.2.53, the NTLM Proxy Mode option was added to the LoadMaster. When upgrading from an older version of LoadMaster firmware to one of these versions (or above) the NTLM Proxy Mode option is not enabled by default. As a result, you must manually enable NTLM Proxy Mode after upgrading.
For all new deployments of LoadMasters after 7.2.48.4 LTS or 7.2.53, NTLM Proxy Mode is enabled by default.
When NTLM Proxy Mode is enabled, NTLM authorization works against the Real Servers. If NTLM Proxy Mode is disabled, the old insecure NTLM processing is performed.
When NTLM Proxy Mode is enabled globally, the Client Authentication Mode in Virtual Services is called NTLM-Proxy. If NTLM Proxy Mode is disabled globally, the Client Authentication Mode in Virtual Services is called NTLM.