Channel: Technical Support - KEMP Technologies Community Forums
Viewing all 115 articles

http redirect


Slow logons through RD Gateway

Hi there, hope you can help.

Servers: Windows Server 2012 R2 Standard
I have 2 LB(s) running Vers:7.0-8e(VMware) and have configured a Virtual Service (RDWEB)

Service Name RDWEB
Service Type HTTP/HTTPS

Transparency Disabled
Persistence Source IP Address , 1 hour, round robin
QoS Normal Service

SSL Accel Enabled, Reencrypt with certificate installed

Real Servers HTTPS Protocol, Checked Port: 443

Remote Desktop Server IP Default Gateway is configured as the Kemp internal interface.

However, I cannot access the internet and every Published RemoteApp and RDWEB icon takes around 1 minute and 15 seconds to load before entering the credentials. Once the credentials are entered, the application takes another 2 or 3 seconds to load. Each subsequent application is instant.

I have this all working on vers:7.0-4 without a problem. The firewall port forwards to the load balancers.

If I take the Kemps out of the equation and log in, opening the applications is instantaneous.

Can you point me in the direction of where to look?

Many thanks in advance.

disconnected users with loadmaster and sonicwall sra 4200

Hello,

This question is also lying with Kemp, but I hope someone here knows something, because it has become critical.

We have a virtual office in our DMZ; people connect from anywhere to this appliance. After this the people click on a link and then they go to the LM with RDP. This works fine, but when it gets to 50 users they are all kicked out at the same time. I can't find anything in the log, but is it possible that the problem is that all the users are connected from 1 IP address (from the SonicWall)?
There are also people connected to the same VIP of the LM without the SonicWall, and they have no problem.

What is the "Issue with L7 Drain Time has been resolved" in v7.0-10?

There is no information on what the issue was that has been resolved.

I am experiencing Outlook password prompts after disabling a Real Server and the 3700 sec drain time ends. I did not have this problem before upgrading to 7.0.6.

Is this the issue that has been resolved in 7.0-10?

Vulnerability scan is complaining about TLS renegotiation vulnerability.

We have an LM 2100 running balancer version 4.3-68.20091211-0754. Is there any way we can configure the LM to refuse TLS renegotiation from clients (CVE-2009-3555)? I know it is an old Kemp and not supported, but I literally need to pass this one last scan and I would love to be able to do it without having to make a lot of changes to my infrastructure. Thanks.

Outlook cannot be configured

This is the message when I want to create a new mailbox user.

"Outlook cannot log on. Verify you are connected to the network and are using the proper server and mailbox name. The connection to Microsoft Exchange is unavailable. Outlook must be online or connected to complete this action."

Do I have to set the default gateway of the CAS server to the shared IP?
 

cannot save changes in Miscellaneous Options


I have 2 new virtual kemp loadmasters.

When I change something like disable SNAT or Enable Alternate GW support, the changes do not get saved. I have tried disabling hover help, but same problem. I have tried IE 8 and IE 11.

 

Then I did the same changes in Firefox and voilà, they get saved and I can continue my work.

Regards Jonas

Automatic Snort pattern update via script

Here's a bash script for automatically updating the Snort pattern on the LoadMaster. Just customize the variables "slb_url" and "loginpwd".

--- begin script ---
#!/bin/bash
# Download the current Snort community rules and upload them to the LoadMaster
# L7 detection rules form. Customize slb_url and loginpwd before use.
src_pattern_file="https://s3.amazonaws.com/snort-org/www/rules/community/community-rules.tar.gz"
local_pattern_file="/tmp/${src_pattern_file##*/}"   # basename of the download URL
slb_url="https://####"
snortrule_upload_form="/progs/doconfig/l7detect/set"
slb_success_pattern='<script>parent.hidetip();alert("Rules correctly installed");</script>'
loginname="bal"
loginpwd="###"    # passed to curl on the command line, so visible in the process list while curl runs
err_mail_to="mail1@host.com,mail2@host.com"
err_mail_subject="Kemp Serverloadbalancer"
err_mail_prefix="Dear admin,\n\nthe following error occurred while updating snort pattern on Kemp Technologies server loadbalancer $slb_url with script $(hostname -s).$(hostname -d)@$0:\n\n"

# mail the given error text, prefixed with err_mail_prefix, to the admins
send_mail() {
    printf '%b\n' "${err_mail_prefix}$1" | mailx -s "$err_mail_subject" "$err_mail_to"
}

# download pattern file
output="Downloading $src_pattern_file "
echo -n "$output"
wget -q -O "$local_pattern_file" "$src_pattern_file"
error_code=$?
if [ "$error_code" -eq 0 ]; then
    echo "ok"
else
    echo "failed"
    send_mail "${output}failed"
    exit "$error_code"
fi

# upload pattern to slb
if ! [ -s "$local_pattern_file" ] || ! [ -r "$local_pattern_file" ]; then
    output="$local_pattern_file not readable or 0 byte"
    echo "$output"
    send_mail "$output"
    rm -f "$local_pattern_file" > /dev/null 2>&1
    exit 1
fi
output="Logging on to $slb_url and uploading "
echo -n "$output"
# --insecure skips certificate verification of the LoadMaster's (typically self-signed) management certificate
upload_result=$(curl --silent --show-error --insecure --form "dfile=@$local_pattern_file" \
    --user "$loginname:$loginpwd" "$slb_url$snortrule_upload_form" 2>&1)
curl_status=$?
# curl exiting 0 only means the request completed, so also check for the success marker in the response body
if [ "$curl_status" -eq 0 ] && [[ "$upload_result" == *"$slb_success_pattern"* ]]; then
    echo "ok"
else
    echo "failed"
    send_mail "${output}failed"
    exit 1
fi

# remove pattern file
output="Removing $local_pattern_file "
echo -n "$output"
rm -f "$local_pattern_file"
if [ -e "$local_pattern_file" ]; then
    echo "failed"
    send_mail "${output}failed"
    exit 1
else
    echo "ok"
fi
exit 0
--- end script ---


Setting up HA for multiple DMZs using trunks.

Greetings everyone. First time poster. After some quick searches and not finding quite what we are trying to do, I decided to try the forums.

Our goal is to set up two LM-5300s in an HA configuration to load balance for multiple DMZs. Here are two diagrams showing basic logical and L3 layouts.

[diagram: logical layout]
[diagram: L3 layout]


Each DMZ uses the firewall as the gateway for all inbound and outbound traffic. Can the 5300s be set up as multiple one-armed LBs using trunks (and bonds)? If not, can the 5300s be set up in DMZ2 and serve as an LB for DMZ2 as well as the other DMZs?

Thank you.


Moving management to bonded interface


Hello Support,


We currently have 2 LM-3600s in an HA configuration.

Eth0 is configured as a Management interface in a separate Management VLAN.

On Eth1 we have a direct cable connection between the 2 LMs.

Eth2, 3 and 4 are bonded as a 3 Gbps interface. On this interface we have a separate VLAN for the virtual services. The default gateway is configured on this VLAN.

Our real servers are on another separate VLAN (non-local).

 

We have some problems in that clients in the Management VLAN cannot connect to the virtual services. This is caused by the return path from the LM to the client (the client is directly connected to the Management interface), and the firewall blocks this traffic.

 

Is it possible to reconfigure the LMs into a one-arm configuration?

I want to achieve this by moving the management to the bonded interface on the same VLAN as the virtual services, so that Eth0 is not used anymore. Eth1 will still be used with a direct cable.

 

Is this configuration supported?

 

Can the bond also be configured with 4 interfaces (eth2, 3, 4 and 5) to a 4Gbps interface?

What is the maximum of interfaces in a bond?

 

With regards,

 

Peter

SMTP

I have LoadMasters in HA running version 7.0.10 in two-arm mode, load balancing SMTP (using the template with ESP) across two Exchange 2010 servers, all of which works so far (OWA etc. also working).

Now the problem: the servers' gateways are set to the internal VIP address, which is in the same subnet as the servers, but outbound SMTP does not route outbound.

A packet capture shows SMTP reaching the LoadMaster's eth1 interface (so the gateway is shown to be correct on the servers), but it never leaves the internet-facing eth0 (the default route is on this interface).

I believe, as I don't see anything leaving eth0, that something needed has not been correctly set, but I can't see what it is.

2-Arm Setup with Clients on both sides

Hey,

We want to extend our 1-arm setup into a 2-arm setup, and I want to verify our plan for this.

we have 2 LM-2600s (7.0-4), load balancing Exchange services in a 1-arm HA setup.
The Exchange servers and the LMs are in a data center, on the same network, in the same IP subnet, and the Exchange servers are using the LMs as their gateway address.
Our clients are coming from other sites on different subnets, all in one big internal WAN.

Now we want to connect the LMs to the DMZ, to load balance Exchange access from the internet clients. This is the plan:

1. On the LMs, move the current LAN from eth0 to eth1, and connect the DMZ to the eth0 ports
2. The LM default gateway is changing from the normal gateway in the internal network, to the internet facing DMZ gateway
3. We put in an 'Additional Route' on the LMs, to use the normal internal gateway for any 10.0.0.0/8 business
4. We give the Virtual Service on the LMs an 'Alternate Address' in its options, and add its DMZ IP in there.

Does that make sense to you? I'm not overly confident, because none of the examples in the documentation describe a setup where you have clients on both the network side and the farm side (eth0 & eth1). So the virtual service is being accessed internally by a 10.0.0.0/8 address and externally by a public IP address.
Two essential questions:
1. Is that the right way to have two IPs for that service? Just adding the DMZ IP as an 'Alternate Address' in the VS options?
2. We are doing the full HA setup on the DMZ side, eth0, with shared IP and HA checks. And we will have that on the internal side, eth1, too. Is that fine or a stupid idea?

Thanks
Felix

High Availability for Exchange 2010 Hub Transport on Kemp VLM 2000 ?

We have 2 Exchange 2010 servers with a multi-role setup and are using a Kemp VLM 2000 for the CAS array. Can we also set up hub transport load balancing/high availability on the Kemp? Does it support SMTP port 25 traffic, so that we can use that virtual name for the SMTP connection on another site's Exchange or a non-Microsoft server?



Thanks
Amit

IMAP not working correctly

We have implemented IMAP as a VS against Exchange 2010 (VLM Vers:5.1-40).

I have a specific IMAP client which doesn't work correctly if going through the VS, but it works just fine directly against any of the RS, i.e. the CAS servers.

If I telnet to the VS on port 143, I don't immediately get the "*OK The Microsoft Exchange IMAP4 ... is ready" banner, only if I press a key. If I telnet to the RS directly, I get the OK immediately.

I suspect this is causing the IMAP client to misbehave.

Any suggestions?

Soren

2-arm setup, how to manage Exchange-Servers?

Hi All,

I configured 2 EX 2013 multirole servers with DAG and configured a VLM-1000 in 2-arm setup for transparency.

Hosts: EX-1 and EX-2, the virtual IP is registered with: CAS

Now both EX boxes use the LoadMaster as the default gateway. We have a lot of VLANs, and from now on we cannot manage the boxes directly from any other VLAN/network anymore, neither by RDP nor by any other protocol (SMB, backup agent etc.). (OK, I could add a virtual service for RDP; this worked...)

I added a separate NIC on a different VLAN on each Exchange-Server and set network-routes to networks who need direct access to each single host. This works so far, everything seems to be fine.


Is this a setup recommended by Kemp? What would you suggest in order to achieve this goal in a 2-arm setup?


I got some side effects with this setup: now you get a lot of hassle with the automatic network configuration for the MAPI and replication networks in relation to the DAG.

The MAPI network will be defined by the NIC adapter option "Register this connection's address in DNS", but I don't want to register the NIC for the LoadMaster's network in DNS as long as you can't use this hostname to access the server directly from any other VLAN. Our admins have to use the management IP; accessing the real hostname will end in timeouts (but they reply to echo requests), which is confusing. OK, I could register an alternate hostname, e.g. EX-1-MGMT or so. But to most of us, the host EX-1 is just EX-1 and nothing else. You type the real hostname into the RDP client and get lost...

Unfortunately, enabling the option to register DNS on the management-NIC will lead to the circumstance, that the MAPI-network of the DAG will be bound to this network and not to the Kemp-Network (directing to the clients) anymore - this makes no sense to me.

Thus I added static DNS entries for both management NIC-IPs (EX-1, EX-2), there are no DNS entries for the IPs of the adapters going to the Kemp. The Kemp-NICs are configured to register DNS (but they can not override the manual set entries), now the correct network is enabled for MAPI-Traffic. I hope, this will not lead to any other problem - still unsure now.

What would you suggest?

Kind regards
Yoda


Authentication

Hi,
Can I set two LDAP sources for authentication, and can I use client-side certificates?

OWA Logon with NTLM does not work

Hello,

I have a configuration with two LM 2600s. We are load balancing Exchange 2010 in a two-armed config using SNAT.

OWA was set up with SSL Acceleration turned off, but transparency on.

The OWA VDIR on Exchange is configured to use Basic/NTLM authentication.

However, clients get prompted for credentials when they connect to OWA.

So my question is: is NTLM authentication through the KEMP LM possible at all?
If yes, it would be great if you have some hints what could be wrong with my config...

Thanks
Christian Schindler

HA Cluster not working

Hi,

I had a VLM-1000 on trial and added the Exchange core template and made a few other changes to the config. Since then I have introduced a second VLM-1000. Both VMs have one NIC in the Server VLAN and a second NIC in a private vSwitch for cluster communication.

I am trying to enable an HA cluster, but it is not working. Both VLMs are now fully licensed and I have configured a shared IP on the LAN interface on both VLMs. I am getting a green box with an A in it, but the other is red and down. I did follow the steps of configuring the primary, rebooting and then configuring the secondary.

1. Will the primary node replicate the Exchange template and any other settings across to the second node?
2. Does Eth 1 need a shared IP since it will only be used for cluster communication?
3. If I reset both VLMs, do I have to contact support for re-licensing?
4. Any advice on troubleshooting this?

Tutorial: How to add HSTS (HTTP Strict Transport Security)

What is HSTS?
HTTP Strict Transport Security is a standard declared in IETF RFC 6797 on 19 November 2012. It tells a client to access the web service only via the secure channel HTTPS from then on. This should avoid man-in-the-middle attacks, because the client knows the web service is available only via secure HTTP.

How is it implemented?
The server sends a response header "Strict-Transport-Security" with all responses to the client's requests. A value of "max-age=31536000", for example, tells the client that it should access the server only via HTTPS for the next 12 months. So what we need to do is just add the header to all responses. This is done this way:

1. Go to "Rules & Checking > Content Rules"
2. "Create New" rule with these parameters:
- Rule Name: HSTS
- Rule Type: Add Header
- Header Field to be Added: Strict-Transport-Security
- Value of Header Field to be Added: max-age=31536000 (= one year; the service must be available securely for at least the next 12 months)
- Perform If Flag Set: [Unset]
3. Via "Virtual Services > View/Modify Services > Modify" select your virtual https service
4. Go to "Advanced Properties" section and click on "HTTP Header Modifications"
5. On "Response Rules" select the "HSTS" rule and click back.

Done.

If you like, test your service on https://www.ssllabs.com/ssltest/
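As an added check (example code, not part of the original post or of Kemp's product), here is a small Python validator for the Strict-Transport-Security header in a raw HTTP response: it confirms the header is present, parses its directives per the RFC 6797 syntax, and flags a max-age below the one-year value configured above. The sample responses are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional

ONE_YEAR = 31536000  # the max-age value used in the tutorial above

# Constructed sample responses, not captured from a real LoadMaster
GOOD = "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=31536000; includeSubDomains\r\n\r\n<html>"
SHORT = "HTTP/1.1 200 OK\r\nstrict-transport-security: max-age=300\r\n\r\n"
MISSING = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"

@dataclass
class HstsResult:
    present: bool
    max_age: Optional[int] = None
    include_subdomains: bool = False
    problems: List[str] = field(default_factory=list)

def parse_hsts(raw_response: str, min_max_age: int = ONE_YEAR) -> HstsResult:
    """Validate the Strict-Transport-Security header of a raw HTTP response (RFC 6797 syntax)."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    values = [ln.split(":", 1)[1].strip() for ln in head.split("\r\n")[1:]
              if ln.split(":", 1)[0].strip().lower() == "strict-transport-security"]
    res = HstsResult(present=bool(values))
    if not values:
        res.problems.append("no Strict-Transport-Security header")
        return res
    if len(values) > 1:  # a client processes only the first STS header field
        res.problems.append("header sent more than once; clients use only the first")
    seen = set()
    for directive in values[0].split(";"):  # ';'-separated, names are case-insensitive
        name, _, value = directive.partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if not name:
            continue
        if name in seen:  # each directive may appear only once, else the header is invalid
            res.problems.append(f"duplicate directive {name}; header is invalid")
            continue
        seen.add(name)
        if name == "max-age":
            if value.isdigit():
                res.max_age = int(value)
            else:
                res.problems.append(f"max-age is not a non-negative integer: {value!r}")
        elif name == "includesubdomains":  # other directives (e.g. preload) are permitted and ignored
            res.include_subdomains = True
    if res.max_age is None:
        res.problems.append("max-age directive missing; header is invalid")
    elif res.max_age < min_max_age:
        res.problems.append(f"max-age {res.max_age} is below the required {min_max_age}")
    return res
```

Feed it the output of an HTTPS request to the virtual service (headers only are enough); an empty `problems` list means the header is set as the tutorial intends.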

disable Secure Client-Initiated Renegotiation
