WUI Settings

Only the bal user or users with ‘All Permissions’ set can use this functionality. Users with different permissions can view the screen but all buttons and input fields are grayed out.

Enable Hover Help

Enables blue hover notes shown when the pointer is held over certain fields.

Message of the Day (MOTD)

Type text into the field and click the Set MotD button. This message will be displayed within the Multi-Tenant LoadMaster home screen.

Note: The maximum allowed message length is 5,000 characters. HTML is supported, but not required.

Set Statistics Display Size

This sets the maximum number of rows that can be displayed in the Statistics page. The allowable range is between 10 and 100 rows being displayed on the page.

End User License

Click the Show EULA button to display the Multi-Tenant LoadMaster End User License Agreement.

Supported TLS Protocols

Checkboxes are provided here which can be used to specify whether or not it is possible to connect to the Multi-Tenant LoadMaster WUI using the following protocols: SSLv3, TLS1.0, TLS1.1 or TLS1.2. TLS1.1 and TLS1.2 are enabled by default. It is not recommended to have only SSLv3 selected because SSLv3 is only supported by some old browsers. When connecting to the WUI using a web browser, the highest security protocol which is mutually supported by both the browser and the WUI will be used.

WUI Cipher set

Select the relevant cipher set to use for WUI access. For information on each of the cipher sets available, refer to the Cipher Sets section.

Enable Historical Graphs

Enable the gathering of historical statistics for the Virtual Services and Real Servers.

WUI Session Management

Session management is enabled by default on all Multi-Tenant LoadMasters initially deployed with firmware version MT_7.1.35 or above.

Only the bal user can enable or disable Session Management and/or Basic Authentication.

Users with the ‘All Permissions’ permission set can view, but not change, the Enable Session Management, Require Basic Authentication and Basic Authentication Password fields. They can, however, configure the Failed Login Attempts and Idle Session Timeout values.

Users with the ‘User Administration’ permissions set can view the screen but all buttons and input fields are grayed out.

All other users cannot view the WUI Session Management, Currently Active Users or Currently Blocked Users sections of the WUI Configuration screen.

When using WUI Session Management, it is possible to use one or two steps of authentication.

If the Enable Session Management check box is ticked and Require Basic Authentication is disabled, the user only needs to log in using their local username and password. Users are not prompted to log in using the bal or user logins.

If the Enable Session Management and Require Basic Authentication check boxes are both selected, there are two levels of authentication enforced in order to access the Multi-Tenant LoadMaster WUI. The initial level is Basic Authentication where users log in using the bal or user logins, which are default usernames defined by the system.

Once logged in using Basic Authentication, the user then must log in using their local username and password to begin the session.

Enable Session Management

Selecting the Enable Session Management check box enables the WUI Session Management functionality. This will force all users to initially log in to the server using either the bal or user logins and then to log in to the session using their normal credentials.

When this check box is selected, the user is required to log in to use Multi-Tenant LoadMaster.

Note: LDAP users need to log in using the full domain name. For example, an LDAP username should be test@progress.com and not just test.

After a user has logged in, they may log out by clicking the button in the top right-hand corner of the screen.

Once the WUI Session Management functionality is enabled, all the WUI Session Management options appear.

Require Basic Authentication

If WUI Session Management and Basic Authentication are both enabled, there are two levels of authentication enforced in order to access the Multi-Tenant LoadMaster WUI. The initial level is Basic Authentication where users log in using the bal or user logins, which are default usernames defined by the system.

Once logged in using Basic Authentication, the user then must log in using their local username and password to begin the session.

Basic Authentication Password

The Basic Authentication password for the user login can be set by typing the password into the Basic Authentication Password text box and clicking the Set Basic Password button.

The password needs to be at least 8 characters long and should be a mix of alpha and numeric characters. If the password is considered to be too weak, a message appears asking you to enter a new password.

Failed Login Attempts

The number of times that a user can fail to log in correctly before they are blocked can be specified within this text box. The valid values that may be entered are numbers between 1 and 999.

If a user is blocked, only the bal user or other users with All Permissions set can unblock a blocked user.

If the bal user is blocked, there is a ‘cool-down’ period of ten minutes before the bal user can log in again.

Idle Session Timeout

The length of time (in seconds) a user can be idle (no activity recorded) before they are logged out of the session. The valid values that may be entered are numbers between 60 and 86400 (between one minute and 24 hours).

Active and Blocked Users

Only the bal user or users with ‘All Permissions’ set can use this functionality. Users with ‘User Administration’ permissions set can view the screen but all buttons and input fields are grayed out. All other users cannot view this portion of the screen.

Currently Active Users

The user name and login time of all users logged into the Multi-Tenant LoadMaster are listed in this section.

To immediately log out a user and force them to log back into the system, click the Force logout button.

To immediately log out a user and to block them from being able to log in to the system, click the Block user button. The user will not be able to log back in to the system until they are unblocked or until the Multi-Tenant LoadMaster reboots. Clicking the Block user button does not force the user to log off; to do this, click the Force logout button.

If a user exits the browser without logging off, that session will remain open in the Currently Active Users list until the timeout has been reached. If the same user logs in again before the timeout is reached, that login is a separate session.

Currently Blocked Users

The user name and login time of when the user was blocked are listed within this section.

To unblock a user to allow them to log in to the system, click the Unblock button.
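The lockout and session rules described in the Failed Login Attempts, Idle Session Timeout and Active and Blocked Users sections, modelled as an added example (not LoadMaster code). The user names and times are constructed, sessions are keyed by an id so that a re-login after a closed browser is a separate session, and bal clearing automatically once the cool-down has elapsed is this model's reading of the text.

```python
from dataclasses import dataclass, field
from itertools import count

BAL_COOLDOWN = 600  # seconds: the ten-minute cool-down for a blocked bal user


@dataclass
class WuiSessions:
    """Model of the WUI Session Management controls (added example)."""
    failed_login_attempts: int = 5   # page: valid range 1..999
    idle_session_timeout: int = 900  # page: valid range 60..86400 seconds
    failures: dict = field(default_factory=dict)  # user -> consecutive failed logins
    blocked: dict = field(default_factory=dict)   # user -> time the block was applied
    active: dict = field(default_factory=dict)    # session id -> (user, last activity)
    _ids: count = field(default_factory=count, repr=False)

    def __post_init__(self):
        if not 1 <= self.failed_login_attempts <= 999:
            raise ValueError("Failed Login Attempts must be between 1 and 999")
        if not 60 <= self.idle_session_timeout <= 86400:
            raise ValueError("Idle Session Timeout must be between 60 and 86400")

    def is_blocked(self, user, now):
        # Only bal clears automatically, once the cool-down has elapsed (assumption).
        if user == "bal" and user in self.blocked and now - self.blocked[user] >= BAL_COOLDOWN:
            del self.blocked[user]
        return user in self.blocked

    def login(self, user, password_ok, now):
        """Returns ('ok', session_id), ('failed', None) or ('blocked', None)."""
        if self.is_blocked(user, now):
            return "blocked", None
        if password_ok:
            self.failures.pop(user, None)
            sid = next(self._ids)  # every successful login is a new session
            self.active[sid] = (user, now)
            return "ok", sid
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.failed_login_attempts:
            self.failures.pop(user)
            self.blocked[user] = now
            return "blocked", None
        return "failed", None

    def activity(self, sid, now):
        user, _ = self.active[sid]
        self.active[sid] = (user, now)

    def expire_idle(self, now):
        """Drop sessions idle for the timeout; a closed browser stays listed until then."""
        for sid, (_, last) in list(self.active.items()):
            if now - last >= self.idle_session_timeout:
                del self.active[sid]

    def force_logout(self, sid):
        self.active.pop(sid, None)

    def block_user(self, user, now):
        """Block only prevents new logins; the current session stays until Force logout."""
        self.blocked[user] = now

    def unblock(self, user):
        self.blocked.pop(user, None)
```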

Remote Access

Allow Remote SSH Access

You can limit the network from which clients can connect to the SSH administrative interface on Multi-Tenant LoadMaster.

Using

Specify the addresses from which remote administrative SSH access to the Multi-Tenant LoadMaster is allowed.

Port

Specify the port used to access the Multi-Tenant LoadMaster using the SSH protocol.

Allow Web Administrative Access

Selecting this check box allows administrative web access to the Multi-Tenant LoadMaster. Disabling this option will stop access upon the next reboot.

Note: Disabling web access is not recommended.

Using

Specify the addresses from which administrative web access is permitted.

Port

Specify the port used to access the administrative web interface.

Administrative Default Gateway

When administering the Multi-Tenant LoadMaster from a non-default interface, this option allows the user to specify a different default gateway for administrative traffic only.

Note: If the Administrative Default Gateway is being changed to another interface that is not accessible without proper routing, a static route into the Multi-Tenant LoadMaster should be added before changing the administrative interface IP. Once the routing is in place, the interface can be switched and the administrative default gateway can be selected if required. Then the static route can be removed.

Enable API Interface

Enables/disables the RESTful Application Program Interface (API).

Allow Update Checks

Allow the Multi-Tenant LoadMaster to regularly check the Progress Kemp website for new software versions.

WUI Authentication and Authorization

WUI Authorization Options

Click the WUI Authorization Options button on the Remote Access screen to display the WUI Authentication and Authorization screen. This option is only available when Session Management is enabled.

The WUI Authentication and Authorization screen enables the administration of the available authentication (login) and authorization (allowed permissions) options.

Authentication

Users must be authenticated before logging on to the Multi-Tenant LoadMaster. The Multi-Tenant LoadMaster allows authentication of users to be performed using the RADIUS and LDAP authentication methods as well as Local User authentication.

When all authentication methods are selected, the Multi-Tenant LoadMaster attempts to authenticate users using the authentication methods in the following order:

  1. RADIUS
  2. LDAP
  3. Local Users

For example, if the RADIUS server is not available then the LDAP server is used. If the LDAP server is also not available, then Local User authentication methods are used.

If neither RADIUS nor LDAP authentication methods are selected, then the Local User authentication method is selected by default.

The consequence of this ordering is that when a local user (that is using a local password) logs in to the LoadMaster and they do not exist in the RADIUS or LDAP configuration, error messages appear in the log for the RADIUS and LDAP authentication checks, even though local password authentication succeeds.

Authorization

The Multi-Tenant LoadMaster allows the users to be authorized by either RADIUS or using Local User authorization. The user’s authorization decides what level of permissions the user has and what functions on the Multi-Tenant LoadMaster they are allowed to perform.

Note: The RADIUS Authentication check box must be enabled to use the RADIUS Authorization method. Authentication is for access (to ensure the user has a valid username and password) and authorization is used for permissions.

When both authorization methods are selected, the Multi-Tenant LoadMaster initially attempts to authorize the user using RADIUS. If this authorization method is not available, the Multi-Tenant LoadMaster attempts to authorize the user using the Local User authorization. Authorization using LDAP is not supported.

You must configure the RADIUS server that you are using to authorize the same user permissions that appear on the WUI's user permissions page (with the exception of 'All Permissions'). The Reply-Message returned by the RADIUS server indicates the permissions it is allowing. On a Linux system, the message looks similar to the following:

LMUSER Cleartext-Password := "1fourall"
    Reply-Message = "real,vs,rules,backup,certs,cert3,certbackup,users"

The preceding example is of a RADIUS user configuration on a RADIUS server deployed on a Linux system. The LoadMaster determines the user's permissions from the "Reply-Message" (the permissions are similar to the ones for a local WUI user on the LoadMaster).
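An added example (not LoadMaster or FreeRADIUS code) that parses entries in the FreeRADIUS users-file syntax shown above and checks each Reply-Message against the permission names the page uses. The second entry and its password are constructed, and treating unknown names such as 'All Permissions' as rejected is this example's choice, not documented LoadMaster behaviour.

```python
import re

# Permission names a LoadMaster WUI user can be granted through RADIUS (the
# names from the page's Reply-Message example). 'All Permissions' is not one.
WUI_PERMISSIONS = {"real", "vs", "rules", "backup", "certs", "cert3", "certbackup", "users"}

# Constructed sample in FreeRADIUS 'users' file syntax: the check item on the
# first line, reply items indented beneath it, entries separated by blank lines.
SAMPLE_USERS_FILE = """\
LMUSER Cleartext-Password := "1fourall"
    Reply-Message = "real,vs,rules,backup,certs,cert3,certbackup,users"

auditor Cleartext-Password := "example-only"
    Reply-Message = "backup, certs, All Permissions"
"""

_ENTRY_RE = re.compile(r'^(\S+)\s+Cleartext-Password\s*:=\s*"([^"]*)"', re.M)
_REPLY_RE = re.compile(r'^\s+Reply-Message\s*=\s*"([^"]*)"', re.M)


def parse_users_file(text):
    """Return {username: {"password": str, "reply": str}} for each entry."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        m = _ENTRY_RE.search(block)
        if not m:
            continue  # not a Cleartext-Password entry; ignore
        reply = _REPLY_RE.search(block)
        entries[m.group(1)] = {
            "password": m.group(2),
            "reply": reply.group(1) if reply else "",
        }
    return entries


def permissions_from_reply(reply):
    """Split a comma-separated Reply-Message into (granted set, rejected list)."""
    names = [n.strip() for n in reply.split(",") if n.strip()]
    granted = {n for n in names if n in WUI_PERMISSIONS}
    rejected = [n for n in names if n not in WUI_PERMISSIONS]
    return granted, rejected


if __name__ == "__main__":
    for user, entry in parse_users_file(SAMPLE_USERS_FILE).items():
        granted, rejected = permissions_from_reply(entry["reply"])
        print(user, "granted:", sorted(granted), "rejected:", rejected)
```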

Note: The bal user is always authenticated and authorized using the Local User authentication and authorization methods. Disabling Local User authentication does not lock out the bal user. Bal is an admin/super user and is allowed to log in to the LoadMaster WUI even if Local User Authentication is disabled on the LoadMaster.

RADIUS Server Configuration

RADIUS Server

The IP address and Port of the RADIUS Server that is to be used to authenticate user WUI access to the Multi-Tenant LoadMaster.

Shared Secret

This input field is for the Shared Secret of the RADIUS Server.

A Shared Secret is a text string that serves as a password between the Multi-Tenant LoadMaster and the RADIUS server.

Backup RADIUS Server

The IP address and Port of the backup RADIUS Server that is to be used to authenticate user WUI access to the Multi-Tenant LoadMaster. This server will be used in case of failure of the main RADIUS Server.

Backup Shared Secret

This text box is to enter the Shared Secret of the backup RADIUS Server.

Revalidation Interval

Specifies how often a user should be revalidated by the RADIUS server.

Send NAS Identifier

If this check box is disabled (default), a NAS identifier is not sent to the RADIUS server. If it is enabled, a Network Access Server (NAS) identifier string is sent to the RADIUS server. By default, this is the hostname. Alternatively, if a value is specified in the RADIUS NAS Identifier text box, this value is used as the NAS identifier. If the NAS identifier cannot be added, the RADIUS access request is still processed.

Sending the NAS identifier serves two purposes:

  • It helps to classify the device type that is sending the request as opposed to simply sending the host IP address which makes troubleshooting and consuming logs easier.
  • It enables customized authentication responses to be sent back from the server based on the identifier.

RADIUS NAS Identifier

If the Send NAS Identifier check box is selected, the RADIUS NAS Identifier field is shown. When specified, this value is used as the NAS identifier. Otherwise, the hostname is used as the NAS identifier. If the NAS identifier cannot be added, the RADIUS access request is still processed.

LDAP

LDAP Server

Specify the LDAP server to use. You can also specify a port number, if required.

Backup LDAP Server

The IP address and Port of the backup LDAP Server that is to be used to authenticate user WUI access to the Multi-Tenant LoadMaster. This server will be used in case of failure of the main LDAP Server.

LDAP Protocol

Select the transport protocol to use when communicating with the LDAP server.

Note: If you create an SSO domain with the Authentication Protocol set to Certificates, ensure that you set the LDAP Protocol to LDAPS.

Revalidation Interval

Specify how often you should revalidate the user with the LDAP server.

Local Users

Use ONLY if other AAA services fail

When selected, the Local Users authentication and authorization methods are used only if the RADIUS and/or LDAP authentication and authorization services fail to respond/time out.
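The RADIUS, LDAP, Local ordering from the Authentication section and the 'Use ONLY if other AAA services fail' option above, modelled as an added example (not LoadMaster code). The backends, accounts and passwords are constructed stand-ins; treating a definite reject from a remote server as a response that keeps the Local method from being consulted under that option is an assumption.

```python
from typing import Callable, Dict, List, Tuple


class Unavailable(Exception):
    """Raised by a backend that does not respond or times out."""


# A backend takes (user, password) and returns True (accept) or False
# (reject), or raises Unavailable. These are constructed stand-ins.
Backend = Callable[[str, str], bool]


def make_backend(accounts: Dict[str, str], up: bool = True) -> Backend:
    """Constructed directory of username -> password that can be 'down'."""
    def check(user: str, password: str) -> bool:
        if not up:
            raise Unavailable("server not available")
        return accounts.get(user) == password
    return check


def authenticate(user: str, password: str, backends: Dict[str, Backend],
                 local_only_on_failure: bool = False) -> Tuple[bool, str, List[str]]:
    """Try RADIUS, then LDAP, then Local, in the order the page gives.

    Returns (accepted, method, log). Each backend that does not accept the
    user adds a log line, which reproduces the page's point that a local-only
    user produces RADIUS/LDAP errors even though the login succeeds.
    local_only_on_failure models 'Use ONLY if other AAA services fail'.
    """
    log: List[str] = []
    if user == "bal":  # bal is always authenticated by the Local method
        return backends["local"](user, password), "local", log
    remote_responded = False
    for name in ("radius", "ldap"):
        if name not in backends:  # method not selected
            continue
        try:
            if backends[name](user, password):
                return True, name, log
            remote_responded = True  # a reject is still a response (assumption)
            log.append(f"{name}: authentication failed for {user}")
        except Unavailable as exc:
            log.append(f"{name}: {exc}")
    # Local is consulted unless the option restricts it to remote outages.
    if not (local_only_on_failure and remote_responded):
        if backends["local"](user, password):
            return True, "local", log
        log.append(f"local: authentication failed for {user}")
    return False, "", log


# Constructed deployment: RADIUS selected but down, LDAP up, two local users.
DEMO = {
    "radius": make_backend({"alice": "alice-pw"}, up=False),
    "ldap": make_backend({"alice": "alice-pw"}),
    "local": make_backend({"carol": "carol-pw", "bal": "bal-pw"}),
}
```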

Test AAA for User

To test a user’s credentials, enter their username and password in the Username and Password fields and click the Test User button.

A message appears to inform you whether the user is validated or not. This is a useful utility to check a user’s credentials without having to log in or out.

Cipher Sets

Cipher Set

Select the cipher set to view/modify.

The system-defined cipher sets are as follows:

  • Default: The cipher set that is configured on the Multi-Tenant LoadMaster on a fresh installation. This cipher set is geared towards backwards compatibility with previous releases of the Multi-Tenant LoadMaster.
  • Default_NoRc4: A more secure version of the default set that does not contain any RC4 ciphers, which are considered to be insecure on modern networks.
  • BestPractices: This is the recommended cipher set to use on the Multi-Tenant LoadMaster and it is updated occasionally to reflect current industry best practices. It does not include older and legacy cipher sets, which may be required by older browser and application deployments.
  • Intermediate_compatibility: This cipher set includes some ciphers that are required by older browser and service implementations that are still seen in the field.
  • Backward_compatibility: This cipher set provides maximum backward compatibility for clients back to Windows XP/IE6 at the risk of using less secure ciphers.
    Note: The Backward_compatibility cipher set should be used as a last resort only.
  • WUI: This is the default cipher set used by the administrative user interface. It can be changed by using the controls under Certificates & Security > Admin WUI Access.
  • FIPS: This set contains only ciphers that conform to Federal Information Processing Standards (FIPS) 140-2 level 1 standard and should be used only in those deployments that require it.
  • Legacy: This cipher set is provided solely for upgrade compatibility for legacy LoadMaster firmware versions (v7.0-10 and previous). After upgrade to a modern version of LoadMaster, it is recommended to choose a more secure cipher set.

To find out what ciphers are in each cipher set, go to Certificates & Security > Cipher Sets. Select the relevant Cipher Set.

Note: Progress Kemp can change the contents of these cipher sets as required based on the best available information.

Two lists are displayed – Available Ciphers and Assigned Ciphers. These lists can be filtered by typing some text into the Filter text boxes provided. The Filter text boxes will only allow you to enter valid text which is contained in the cipher names, for example ECDHE. If invalid text is entered, the text box will turn red and the invalid text is deleted.

Ciphers can be dragged and dropped to/from the Available and Assigned lists as needed. Ciphers which are already assigned will appear greyed out in the Available Ciphers list.

Changes cannot be made to a preconfigured cipher set. However, you can start with a preconfigured cipher set – make any changes as needed and then save the cipher set with a new custom name. Enter the new name in the Save as text box and click the Save button. Custom cipher sets can be used across different Virtual Services and can be assigned as the WUI cipher set.

It is not possible to delete preconfigured cipher sets. However, custom cipher sets can be deleted by selecting the relevant custom cipher set and clicking the Delete Cipher set button.

Network Options

Enable Alternate GW support

If there is more than one interface enabled, this option provides the ability to move the default gateway to a different interface.

Enabling this option adds another option to the Interfaces screen – Use for Default Gateway.

Enable Strict IP Routing

When this option is selected, only packets which arrive at the machine over the same interface as the outbound interface are accepted.

Enable DHCP for MT VNF(s)

This check box specifies whether or not the MT guests should utilise DHCP for initial IP configuration. If this is enabled, the initial IP address and default gateway of the guest VNF will be automatically obtained using DHCP, and you will not be prompted to set them. If this option is disabled, text boxes will be displayed when creating an instance which allow you to specify the initial IP address and default gateway.

This check box is also displayed after the initial Multi-Tenant LoadMaster installation when you are prompted to instantiate an initial VLM VNF, but the option is called Use DHCP for guest VNF(s).

SDN Controller

Specify the address of an SDN controller to connect to.

HTTP(S) Proxy

Specify the HTTP(S) proxy server and port the Multi-Tenant LoadMaster will use to access the internet.