This section refers to the ESP Options section of the Virtual Service modify screen. To get to this section – in the LoadMaster WUI go to Virtual Services > View/Modify Services, click Modify on the relevant Virtual Service and then expand the ESP Options section. The ESP Options are also available for SubVSes.

The ESP feature must be enabled before the options can be configured. To enable the ESP function, please select the Enable ESP checkbox.

The full ESP Options will appear.

Note: The ESP feature can only be enabled if the Virtual Service is an HTTP, HTTPS, or SMTP Virtual Service.

Enable ESP

Enable or disable the ESP feature set by selecting or deselecting the Enable ESP checkbox.

ESP Logging

There are three types of logs stored in relation to the ESP feature. Each of these logs can be enabled or disabled by selecting or deselecting the relevant checkbox. The types of log include:

  • User Access: logs recording all user logins. These logs include the full URL the client IP has requested, along with the Uniform Resource Identifier (URI).

  • Security: logs recording all security alerts

  • Connection: logs recording each connection

Logs are persistent and can be accessed after a reboot of the LoadMaster. The ESP logs can be found by navigating to System Configuration > Logging Options > Extended Log Files in the main menu of the LoadMaster WUI.

Note: When using SNMP monitoring of ESP-enabled Virtual Services that were created using a template, ensure to monitor each SubVS directly rather than relying on the master service. This is because the Authentication Proxy sub-service will always be marked as up and, as a consequence, so will the master service.

Client Authentication Mode

Specifies how clients attempting to connect to the LoadMaster are authenticated. The following are the types of methods available:

  • Delegate to Server: the authentication is delegated to the server

  • Basic Authentication: standard Basic Authentication is used

  • Form Based: clients must enter their user details within a form to be authenticated on the LoadMaster

Note: Please keep in mind - if UTF-8 encoding is utilized, the maximum number of characters for the username or password which is used to access an ESP-enabled Virtual Service is (in theory) 30 characters each. However, if a combination of 1 and 2 byte characters are used, this limit could be increased. The maximum limit is 63 characters each if the characters are all 1 byte encoded.

  • Client Certificate: clients must present the certificate which is verified against the issuing authority

  • NTLM/NTLM-Proxy: NTLM credentials are based on data obtained during the interactive logon process and consist of a domain name, a user name and a one-way hash of the user’s password

Note: NTLM does not forward credentials to the LoadMaster when Windows 10 Credential Guard is enabled.

  • SAML: The LoadMaster supports SAML, playing the role of a SAML service provider. The service provider provides secure, gated access to a resource.

  • Pass Post: In LoadMaster firmware version 7.2.53, a new mode called Pass Post was introduced. With this change introduced, users with valid credentials using the Workspace client app can successfully log in (using Single Sign On (SSO)) using POST-based authentication on the client side and Form Based Authentication (FBA) on the server side and access is granted to the VDI workspace.

  • OIDC/OAUTH: Open ID Connect (OIDC) is an authentication protocol based on the OAuth2 protocol used to enable Single Sign On of users across multiple applications via a single Identity Provider. OIDC uses the standardized message flows from OAuth2 to provide identity services.

Note: The remaining fields in the ESP Options section will change based on what is selected as the Client Authentication Mode.

SSO Domain

Select the Single Sign-On (SSO) Domain within which the Virtual Service is included.

Please refer to the Create a Single Sign-On (SSO) Domain section for further information on configuring SSO Domains. An SSO Domain must be configured to correctly configure the ESP feature.

Note: Only SSO domains with the Configuration type of Inbound Configuration are shown as options in this SSO Domain field.

Alternative SSO Domains

Many organizations use extranets to share information with customers and partners. It is likely that extranet portals will have users from two or more Active Directory domains. Rather than authenticating users from individual domains one at a time, assigning Alternative SSO Domains gives the ability to simultaneously authenticate users from two or more domains using one Virtual Service.

Note: This option appears only when more than one domain has been configured and when the Authentication Protocol for the SSO domains are set to LDAP.

Please refer to the Create a Single Sign-On (SSO) Domain section for further information on configuring SSO Domains.

Before configuring the ESP Options to use Alternative SSO Domains ensure that, in the SSL Properties section, the Enabled and Reencrypt tick boxes are selected.

The domain name which appears in the SSO Domain drop-down list is the default domain. This is also the domain which is used if only one is configured.

Previously configured alternative domains appear in the Available Domain(s) list.

To assign alternative SSO Domains:

  1. Highlight each of the domains you wish to assign and click the > button. An assigned domain is a domain which can be authenticated using a particular Virtual Service. All domains which appear as available may be assigned to a Virtual Service.
  2. Click the Set Alternative SSO Domains button to confirm the updated list of Assigned Domain(s).
  3. Choose Basic Authentication from the Server Authentication Mode drop-down list.
Note: When logging in to a domain using the ESP form, users should enter the name of the SSO Domain if an alternative domain needs to be accessed. If no domain name is entered in the username, users are, by default, logged on the domain entered in the default SSO Domain drop-down list.

To view the status of the Virtual Services, click Virtual Services and View/Modify Services.

A list of the Virtual Services displays showing the current status of each service.

If alternative domains are assigned and there is an issue with a particular domain, the affected domain name is indicated in the Status column.

Allowed Virtual Hosts

The Virtual Service will only be allowed access to specified virtual hosts. Any virtual hosts that are not specified are blocked.

Enter the virtual host name(s) in the Allowed Virtual Hosts field and click the Set Allowed Virtual Hosts button to specify the allowed virtual hosts. Multiple, space-separated host names can be entered here.

Multiple domains may be specified within the text box allowing many domains to be associated with the SSO Domain.

The use of regular expressions is allowed within this text box. The LoadMaster supports Shell regular expressions in this field, where * is a wild card and ? is a single character. An example is *.example.com which indicates all sub-domains under example.com.

Note: If you use quotes in regular expressions in the LoadMaster WUI, there are limitations. You should consider using the API instead because those limitations do not exist in the API. For more information, refer to the section Limitations of Using Regular Expressions in the LoadMaster WUI.
Note: If the Allowed Virtual Hosts field is left blank, the Virtual Service is blocked. However, when the Client Authentication Mode is set to Delegate to Server, leaving this field blank does not block traffic.
Note: If the Virtual Service IP address is entered in the Allowed Virtual Hosts field, the login process will fail. For testing purposes, please modify your Hosts file if a proper DNS entry cannot be made.

Allowed Virtual Directories

The Virtual Service will only be allowed access to the specified virtual directories, within the allowed virtual hosts. Any virtual directories that are not specified are blocked.

Enter the virtual directory name(s) in the Allowed Virtual Directories text box and click the Set Allowed Virtual Directories button to specify the allowed virtual directories. Multiple space-separated names can be entered here.

The use of Shell regular expressions is allowed within this text box.

Note: If the Allowed Virtual Directories is left blank, the Virtual Service is blocked. However, when the Client Authentication Mode is set to Delegate to Server, leaving this field blank does not block traffic.

Pre-Authorization Excluded Directories

Any virtual directories specified within this field will not be pre-authorized on this Virtual Service and are passed directly to the relevant Real Servers. Multiple space-separated directories can be entered here.

The use of Shell regular expressions is allowed within this text box.

Permitted Groups

Specify the groups that are allowed to access this Virtual Service. When set, if a user logs in to a service published by this Virtual Service, the user must be a member of at least one of the groups specified.

Note: When using the Permitted Groups field in ESP Options, ensure that the selected Permitted Groups must exist inside the configured SSO domain. For example, if the SSO Domain is set to webmail.example and the selected permitted groups are part of .example.com domain instead of webmail domain, it will not work. In this case user needs to set the domain .example.com to function correctly.

If a user attempts to log in and they are not a member of a permitted group, a message will appear in the logs, similar to the example below:

Blocked access, user exampleuser primary group qa not in approved groups for VS172.21.42.11

Multiple groups are supported per Virtual Service up to a maximum of 2048 characters in length. Performance may be impacted if a large number of groups are entered. Groups entered in this field are validated using a Lightweight Directory Access Protocol (LDAP) query.

Some guidelines about this field are as follows:

  • All groups specified must be valid on the Active Directory behind the SSO domain associated with the Virtual Service
  • Multiple groups must be separated by a semi-colon
Note: A space-separated list does not work because most groups contain a space in the name, for example IT Users.
  • Do not use the Domain Users group because it is a default primary group for new users.
  • The authentication protocol of the SSO domain must be LDAP
  • The groups should be specified by Common Name, not by fully distinguished name, for example Test Group
  • When using permitted groups in SubVSs, if you have groups called OWAGroup and ECPGroup, for example, users in each group have access to each other's SubVS. This is due to the single sign on nature of ESP.
  • Permitted groups only work when the LDAP Endpoint has a username in the format username@domain.com or just administrator/Admin (as long as it is an administrator account), or if there is no username configured.
  • Do not enter the same group name in both the Permitted Groups and Steering Groups fields. This causes a conflict. When you specify a steering group, it is assumed to behave like a permitted group, so you do not need to enter the same group in both the Permitted Groups and Steering Groups fields.

Permitted Groups SID(s)

This field is the equivalent of the Permitted Groups field. If specifying permitted groups, you can complete either the Permitted Groups field or the Permitted Groups SID(s) field (security identifiers).

In the Permitted Group SID(s) field you can specify the Group SIDs that are allowed to access this Virtual Service. After you type the groups, click Set Permitted Group SIDs.

This field allows a list of group SIDs of up to 64 bytes in length (192 characters in the format NN NN NN).

Each group is separated by a semi-colon. Spaces are used to separate bytes in certain group SIDs. Here is an example:

S-1-5-21-3763804817-1170992687-1336323834-1151

SIDs can be found by using the get-adgroup-Identity GroupName command.

Include Nested Groups

This field relates to the Permitted Groups setting. Enable this option to include nested groups in the authentication attempt. If this option is disabled, only users in the top-level group are granted access. If this option is enabled, users in both the top-level and first sub-level group are granted access. There is a theoretical limit of approximately six nested groups.

Multi Domain Permitted Groups

In LoadMaster firmware version 7.2.52, a new check box was added to the ESP Options section of the Virtual Service modify screen called Multi Domain Permitted Groups. This check box is configurable with the following client authentication modes:

  • Basic Authentication

  • Form Based

  • Client Certificate

  • NTLM

When Multi Domain Permitted Groups is enabled, the LoadMaster checks for permitted group membership within all sub-domains under the top-level domain.

Note: The Multi Domain Permitted Groups option works with the Permitted Groups, Permitted Group SID(s), and Include Nested Groups.

If Multi Domain Permitted Groups is disabled, users must be in the same domain or sub-domain that the user profile is defined, or the group check fails.

The Multi Domain Permitted Groups option is disabled by default.

The Include Nested Groups option works with Multi Domain Permitted Groups. For example, if you have group1 in server1 and group2 inside group1 in the same server with different users, those users can be authenticated if both Include Nested Groups and Multi Domain Permitted Groups are enabled.

Steering Groups

Steering groups can be used to steer client traffic to individual Real Servers in a Virtual Service based on the Active Directory (AD) group membership of users initiating client traffic. An example scenario would be a Virtual Service which has four Real Servers. Two Real Servers could be configured to have a primary association with Active Directory Group 1 and two Real Servers could be configured to have a primary association with AD Group 2. When a user attempts to access the Virtual Service, their group membership will be verified and the information used to steer their request to the appropriate Real Servers. If the Real Servers selected based on group membership are not available, the default behavior is to fall back to the assigned scheduling method for the Virtual Service.

For further information, refer to the ESP Steering Groups Technical Note.

Note: Steering groups are not available if using Basic Authentication or SAML authentication.

Enter the Active Directory group names that will be used for steering traffic in the Steering Groups field and click Set Steering Groups.

Use a semi-colon to separate multiple group names. Multiple groups are supported per Virtual Service up to a maximum of 2048 characters in length.

The steering group index number will correspond to the location of the group in this list.

Do not enter the same group name in both the Permitted Groups and Steering Groups fields. This causes a conflict. When you specify a steering group, it is assumed to behave like a permitted group, so you do not need to enter the same group in both the Permitted Groups and Steering Groups fields.

SSO Image Set

This option is only available if Form Based is selected as the Client Authentication Mode. There is an option for which form to use to gather the user’s Username and Password. There are three default form options; Exchange, Blank and Dual Factor Authentication. English is the default language for the image sets. There are also options to display the form and error messages in other languages – Brazilian Portuguese and French Canadian.

The Exchange Form contains the Progress Kemp Logo.

The Blank Form does not contain the Progress Kemp logo.

The Dual Factor Authentication form contains four fields - two for the remote credentials and two for the internal credentials.

Note: The Dual Factor Authentication image set should only be used with the RADIUS and LDAP authentication protocol.

It is possible to upload a custom SSO image set. For more information, refer to the Custom Authentication Form, Technical Note

If CAPTCHA is enabled, the CAPTCHA box appears on the ESP login page.

SSO Greeting Message

The login forms can be further customized by adding text (for example the Authorized Access Only! text in the following screenshot). Enter the text to appear on the form within the SSO Greeting Message text box and click the Set SSO Greeting Message button.

Note: The SSO Greeting Message displays up to 255 characters. Any ASCII character is accepted and will be displayed in the message, with two exceptions: the grave accent character ( ` ) and the single quote ( ’ ). If a grave accent character is used in the SSO Greeting Message, the character will not display in the output, for example a`b`c becomes abc. If a single quote is used, users will not be able to log in.
Note: In addition to ASCII characters, HTML-encoded characters are also accepted and can be used to display non-ASCII characters in the login form; just type HTML-encoded characters into the SSO Greeting Message text box in the LoadMaster. For example, for the letter Ä, you must type the HTML-encoded code for this letter, for example, Ä. For further information, please see: List of XML and HTML character entity references.

Logoff String

This option is only available if Form Based or SAML is selected as the Client Authentication Mode. Specify the string that the LoadMaster should use to detect a logout event. Normally this field should be left blank. For OWA Virtual Services, the Logoff String should be set to /owa/logoff.owa; or, in customized environments, a modified Logoff String needs to be specified in this text box. Multiple logoff strings can be specified by using a space-separated list. You can enter up to 255 characters in this field.

Note: If the URL to be matched contains sub-directories before the specified string, the logoff string will not be matched. Therefore, the LoadMaster will not log the user off.

Additional Authentication Header

This option is only available if SAML or OIDC/OAUTH is selected as the Client Authentication Mode. Specify the name of the HTTP header. This header is added to the HTTP request from the LoadMaster to the Real Server and its value is set to the user ID for the authenticated session. You can enter up to 255 characters in this field.

When validating the token from the Identity Provider (IdP), the LoadMaster checks the claims (attributes) in the following sequence:
  • preferred_username
  • UPN
  • unique_name
  • email

For example, if the preferred_username is not available then the UPN is used. If the UPN is also not available, then unique_name or email is used for token validation.

Display Public/Private Option

Enabling this check box displays a public/private option on the login page. The session and idle timeout depend on what option the user selects when logging in. If the user selects This is a private computer, then their credentials are saved on the client computer. If the user is on a public or shared computer, they should use the default option, which does not save their credentials locally.

Disable Password Form

Enabling this option removes the password field from the login page. This may be needed when password validation is not required, for example if using RSA SecurID authentication in a singular fashion. By default, this option is disabled.

Enable Captcha

Select this check box to allow CAPTCHA verification on the login page.

Note: The LoadMaster only supports CAPTCHA v2.
Note: The Client Authentication Mode must be set to Form Based for the Enable Captcha check box to be visible.
CAUTION: All CAPTCHA parameters must be set before it can be used.
CAUTION: Both the LoadMaster and the client machine must be able to access Google for this to work.

Before the CAPTCHA has been correctly answered, the submit button on the login form is disabled.If the user does not submit the form within two minutes of answering the CAPTCHA, the CAPTCHA times out (Google-specified timeout), and the user must verify a new CAPTCHA (the submit button is disabled until the new CAPTCHA has been verified).

Use Session or Permanent Cookies

Three options are available to select for this field:

  • Session Cookies Only: This is the default and most secure option
  • Permanent Cookies only on Private Computers: Sends permanent cookies only on private computers
  • Permanent Cookies Always: Sends permanent cookies in all situations
Note: Permanent cookies only work with Internet Explorer (IE) and IE must be set to accept Third Party Cookies and the site must be added to the Trusted Sites.
Note: The expiry time of a permanent cookie can be set by configuring the Session Timeout fields in the modify SSO screen. The maximum value is 7 days (604800 seconds).

Specify if the LoadMaster should send session or permanent cookies to the client browser when logging in.

Note: Permanent cookies should only be used when using single sign on with services that have sessions spanning multiple applications, such as SharePoint.

User Password Change URL

This is relevant when using client-side forms-based authentication and LDAP. Specify the URL that users can use to change their password, for example https://mail.kempqakcd.net/owa/auth/expiredpassword.aspx?url=/owa/auth.owa

If a user’s password has expired, or if they must reset their password, this URL and the User Password Change Dialog Message is displayed on the login form.

This URL must be entered in the ESP Pre-Authorization Excluded Directories field - this is required to bypass pre-authentication.

If using this expired password functionality in an Exchange 2010 environment:

  • The Pre-Authorization Excluded Directories must be set to /owa/auth.owa /owa/auth* /owa/14.3.123.3**. 14.3.123.3 is the sub-path of the Exchange server that must be added to the excluded directories.
  • When changing passwords, users cannot use a User Principal Name (UPN) (for example, joebloggs@example.com) in the Domain\user name field in the Change Password window, unless Exchange 2010 SP1 RU3 or later is deployed on the Client Access servers.

For further information, refer to the following Microsoft TechNet article: https://technet.microsoft.com/en-us/library/bb684904(v=exchg.141).aspx

User Password Change Dialog Message

This text box is only visible if something is set for the User Password Change URL text box. Specify the text to be displayed on the login form when the user must reset their password. Special characters are not permitted in this field.

Note: If the User Password Change URL field is set, you must also set the User Password Change Dialog Message because both settings are required when a user attempts to change their password. If ESP is enabled on the SubVS level, you must set the password expiry/change configuration on the first SubVS in the SubVS list (for example, if the Exchange template is used this is the Authentication Proxy SubVS).

User Password Expiry Warning

By default, SSO users are notified about the number of days before they must change their password. If you disable this option, the password expiry notification will not appear on the login forms.

You can specify the number of days to show the warning before the password is expired. The default value for this field is 15 days. The range is 1 to 30 days. This field is only visible if the Client Authentication Mode is set to Form Based and the User Password Change URL is set.

The user is notified when the password has expired. The language of the warning text is based on the SSO Image Set that is selected (English, French, or Portuguese).

Verify Bearer Header

Enable this check box to verify the authenticity of a JSON Web Token (JWT) included in the Authorizations header of incoming client requests. If the Authorization header field is present in the client request, it is passed back to the Real Server.

There is an additional capability that verifies if the token is valid. This is done by comparing the text provided in the Bearer Header Validation Text field to the contents of the "aud" field of the token included in the Auth header. If this text is present and the match fails - there is no connection made. Another capability is to also check the signature on the token. To do this, you must upload and select a certificate in the Bearer Header Validation Certificate drop-down list. If a certificate is selected and the validation fails - there is no connection made.

Note: The Verify Bearer Header field (and the two fields detailed below) are only available if the Client Authentication Mode is set to Delegate to Server.

Bearer Header Validation Certificate

This option is only visible if the Verify Bearer Header check box is selected.

Specify the name of the relevant certificate from the Bearer Header Validation Certificate drop-down list (this must be first uploaded to the LoadMaster by going to Certificates & Security > SSL Certificates > Import Certificate) containing a Public Key used to validate the authenticity of the JSON Web Token Signature. This is used when doing JSON web token validation.

Bearer Header Validation Text

This option is only visible if the Verify Bearer Header check box is selected.

You can optionally enter up to 5 comma-separated strings to match against the Audience Claim Field (aud) in the token. If provided, at least one string must match the Audience Claim Field's content or the token is rejected.

Server Authentication Mode

Specifies how the LoadMaster is authenticated by the Real Servers. There are three types of methods available:

  • None: no client authentication is required
  • Basic Authentication: standard Basic Authentication is used
  • KCD: Kerberos Constrained Delegation (KCD) is used. For further information, refer to the Kerberos Constrained Delegation, Feature Description.
  • Server Token: On reception and verification of the SAML response, the LoadMaster requests a long-lived token. The LoadMaster then builds a redirection URL with the token specified.
Note: You can only select Server Token as the Server Authentication Mode if SAML is selected as the Client Authentication Mode.
  • Form Based: When Form Based authentication is selected, the Form Authentication Path field appears.
Note: You can only select Form Based as the Server Authentication Mode if Foam Based is selected as the Client Authentication Mode.
  • When you enter a value in the Form Authentication Path field and click the Set Path button, the Form POST Format and Post Format Username Only fields appear. The username and password from the client-side, form-based authentication is injected into the form POST format to build the POST body.
  • This feature is predominantly used in Microsoft Exchange deployments and has only been tested with Exchange 2013 and 2016. Therefore, the following strings do not need to be explicitly configured for Exchange 2013/2016. They are used by default in the implementation:
    • Form Authentication Path: /owa/auth.owa
    • Form POST Format:
      destination=%s#authRedirect=true&flags=4&forcedownlevel=0&username=%s&password=%s&passwordText=&isUtf8=1
Note: The Form POST Format field only becomes visible when the Form Authentication Path is set.
Note: If the deployment is not Exchange, we recommend that the settings are evaluated based on the required interaction with the Real Server and subsequently set appropriately.

POST Format Username Only

Enable this option to send the username only (without the domain part) in the server-side form based authentication POST request.

When choosing a specific Client Authentication Mode protocol, it is important to understand what Server Authentication Mode protocols are compatible:

Client Authentication Mode

Compatible Server Authentication Mode

Delegate to Server

None

Basic Authentication

Basic Authentication
Form Based Basic Authentication
KCD
Form Based
None
NTLM KCD
None
NTLM-Proxy NTLM-Proxy
NTLM-Proxy KCD
Client Certificate KCD
Client Certificate None

In LoadMaster firmware version 7.2.53, support was added for Client Certificate client authentication with no server side authentication. For further details, refer to the following section: Client Certificate Authentication with No Server Side Authentication.
SAML KCD
SAML None
SAML Server Token

Server Side configuration

Note: This option is only visible when the Server Authentication mode value is set to KCD. For further information, please refer to the Kerberos Constrained Delegation, Feature Description.

Select the SSO domain for the server side configuration. Only SSO domains which have the Configuration type set to Outbound Configuration are shown here.

Token Server FQDN

Note: This option is only visible when the Server Authentication mode value is set to Server Token.

Set the FQDN for the token server. When set, LoadMaster contacts the token server at the given FQDN during sign-on and obtains a permanent access token from that token server. If this parameter is unset, then LoadMaster obtains the token from the Real Server (as in previous releases).

Virtual Service Status

When View/Modify Services is clicked in the main menu, the Virtual Service status is displayed.

When the health check status is OK, the Status on the Virtual Services screen is set to Up.

When ESP is enabled, a new status is available; Security Down.

The LoadMaster will check the health status of the authentication server every 20 seconds. If the authentication server cannot be reached, then the Virtual Service goes into a Security Down state where no new users are allowed to access the Virtual Service. Existing connections will not be affected until their individual connection timeouts expire.