appd-2_14-rn

Upload: smaikol

Post on 02-Jun-2018


  • 8/10/2019 appd-2_14-rn

    1/10

    North America

    Radware Inc.

    575 Corporate Dr., Lobby 1
    Mahwah, NJ 07430
    Tel: (888) 234-5763

    International

    Radware Ltd.

    22 Raoul Wallenberg St.
    Tel Aviv 69710, Israel
    Tel: 972 3 766 8666

    www.radware.com

    AppDirector

    Release Notes

    Version 2.14
    February 10, 2011


    AppDirector version 2.14 Release Notes    Date: February 10, 2011


    Radware announces the release of AppDirector version 2.14. These release notes describe new features since the last released version of AppDirector, 2.13.

    Table of Contents

    Supported Platforms and Modules
    Upgrade Path
        Upgrade Procedure
        Other Upgrade Considerations
    What's New
        Online Configuration Synchronization
            Master/Slave Roles
            Activation
            Slave Device Behavior
        TCP Pooling
    What's Changed
        NAT for Outbound Traffic Enhancements (first introduced in 1.07)
        RADIUS Persistency Enhancements (first introduced in 1.07)
        Back-End SSL User-defined Cipher
        Block all traffic on VLAN in Backup
        Support LRP between different versions
        BGP Initialization Delay (Introduced in 2.14.03)
        SIP Aging on Session End (Introduced in 2.14.03)
        Back-end Segmentation (Introduced in 2.14.03)
        No Service page (Introduced in 2.14.03)
        Back-end SSL Enhancements (Introduced in 2.14.03)
        Number of Trunks on ODS3 (Introduced in 2.14.03)
        RADIUS Load Balancing Enhancements (Introduced in 2.14.03)
        Connection Management Enhancements (Introduced in 2.14.03)
        Increased SSL Authentication CA depth (Introduced in 2.14.03)
        Increased Syslog Servers Number (Introduced in 2.14.03)
        HTTP/S Health Check Enhancements (Introduced in 2.14.03)
        DNS Layer 7 Farm Selection (Introduced in 2.14.03)
    Related Documentation

    Supported Platforms and Modules

    This version is supported by the following platforms:

    Platform                    Notes and Exceptions
    OnDemand Switch 1 v1/v2
    OnDemand Switch 2 v1/v2
    OnDemand Switch 1 XL
    OnDemand Switch 2 XL
    OnDemand Switch VL
    OnDemand Switch VL XL
    OnDemand Switch 3 v2
    OnDemand Switch 3 XL


    For more information on platform specifications, refer to the Radware Installation and Maintenance Guide.

    This version includes the following modules:

    Module                                     Supported Version   Notes and Exceptions
    Application Security (IPS, DoS and BDoS)   2.06.10
    APSolute OS                                10.31-08.06

    This version will be supported by APSolute Insite 2.89.

    Upgrade Path

    You can upgrade to this version from any of the following previous versions of AppDirector:

    - 1.06 and 1.07 (not for OnDemand Switch 3)
    - 2.x

    Upgrade Procedure

    General upgrade instructions are found in the Radware Installation and Maintenance Guide.

    Other Upgrade Considerations

    - OnDemand Switch 1 v.1 and OnDemand Switch 2 v.1 platforms can be upgraded to this version (if the device has at least 2 GB of RAM); however, the Application Acceleration Engine and its services will not be available.
    - OnDemand Switch 3 v.1 platform cannot be upgraded to this version.
    - OnDemand Switch 1, 2, and 3 hardware versions can be identified as follows:
      a. The label on the back of the device includes a "version 2" note for version 2 (no note for version 1).
      b. View the device information. For OnDemand Switch 1 & 2, if no version is mentioned in the Platform field, check whether a hard disk is installed in the device: if it is, the device is version 2; if not, it is a version 1 device. For OnDemand Switch 3, if no version is mentioned in the Platform field, it is a version 1 device.
    - From version 2.11 and later the use of a passphrase to protect PKI private keys is enforced. Any private key that did not have a passphrase defined during its creation (in earlier versions) will automatically be set with the default passphrase "radware" during the upgrade process. This passphrase is required during PKI component export operations.

    What's New

    This section describes the new features and components introduced in this version.


    Online Configuration Synchronization

    For primary and secondary devices to work properly in a redundant configuration they must have a consistent configuration. AppDirector 2.14 introduces an online configuration synchronization capability that saves device administrators the tedious, error-prone manual process otherwise required to ensure that the redundant devices are synchronized at all times.

    Note: In versions lower than 2.14.03 this capability is only supported for a pair of devices using VRRP in an Active-Backup scenario. Starting with 2.14.03, AppDirector supports Configuration Synchronization for the Active-Active scenario. This is enabled by a new parameter that allows you to define the preferred state (Master or Backup) of each VR on the device.

    Master/Slave Roles

    This capability operates in a Master/Slave mode. The Master device is the only one that can be configured by the administrator; the Slave device is configured by the Master device only. Automatic configuration synchronization is achieved by providing online updates of the configuration:

    - The Master device sends each configuration transaction to the Slave.
    - The Master device performs a full synchronization of the Slave device after a disconnection, a failed Slave update, etc.

    The roles of the devices are set manually and never change dynamically, in contrast to the VRRP active ownership.

    - The configuration sync roles are independent of the device redundancy operation mode (Active/Backup). It is, however, required to set the primary device as configuration master.
    - The configuration sync considers the VRRP status when it has to reboot the slave device (after configuration changes that require a reboot). If the configuration slave is the VRRP active device, the reboot is suppressed in order to avoid an unnecessary failover that would cause connection disruption. The Master waits for the VRRP role to switch over and only then issues the reboot.

    Activation

    Pre-requisites

    In order for the auto-configuration sync to work, the master and slave devices must match as follows:

    1. Hardware platform type.
    2. Memory size.
    3. License (license upgrading will have to be done manually on both devices, since each license is bound to a specific machine).
    4. Software version. Software upgrade will also be done manually on each device. During that time, the configuration sync must be disabled.
    5. Network topology, meaning parallel ports connected to the same subnets.
    6. Before the configuration is synced for the first time, there must be at least one matching IP interface (same subnet, same interface) on the two devices.
    7. The SSH Management Interface must be enabled and use the same application port on both devices.

    The master device checks all these conditions (except 5, which is under the administrator's responsibility) and will not start synchronization if one of them is not met.
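As an added illustration (not Radware's code), the following Python models the pre-requisite comparison the master performs before starting synchronization, together with the VRRP-aware reboot decision from the Master/Slave Roles section. The Device record, its field names, the interface naming and the sample values are all constructed for this example; the only rule taken from the release notes is which conditions are checked and that condition 5 is left to the administrator.

```python
"""Constructed example: a model of the checks a configuration master could run
before synchronizing with its slave, plus the VRRP-aware reboot decision.
Device fields and values are assumptions for the illustration, not product
identifiers."""
from dataclasses import dataclass, field
from ipaddress import ip_interface


@dataclass
class Device:
    platform: str
    memory_mb: int
    license: str
    sw_version: str
    # interface name -> address in CIDR form, e.g. {"G-1": "10.0.0.1/24"}
    ip_interfaces: dict = field(default_factory=dict)
    ssh_enabled: bool = True
    ssh_port: int = 22
    vrrp_active: bool = False


def matching_ip_interface(master: Device, slave: Device) -> bool:
    """Prerequisite 6: at least one interface with the same name on both
    devices whose addresses fall in the same subnet."""
    for name, cidr in master.ip_interfaces.items():
        peer = slave.ip_interfaces.get(name)
        if peer is None:
            continue
        if ip_interface(cidr).network == ip_interface(peer).network:
            return True
    return False


def sync_preconditions(master: Device, slave: Device) -> list:
    """Return the list of failed prerequisites; an empty list means sync may
    start. Prerequisite 5 (network topology) is not checked, as in the notes."""
    failures = []
    if master.platform != slave.platform:
        failures.append("hardware platform type")
    if master.memory_mb != slave.memory_mb:
        failures.append("memory size")
    if master.license != slave.license:
        failures.append("license")
    if master.sw_version != slave.sw_version:
        failures.append("software version")
    if not matching_ip_interface(master, slave):
        failures.append("matching IP interface")
    if not (master.ssh_enabled and slave.ssh_enabled
            and master.ssh_port == slave.ssh_port):
        failures.append("SSH management interface / port")
    return failures


def slave_reboot_action(slave: Device) -> str:
    """Reboot decision after a synced change that requires a reboot: while the
    slave is the VRRP active device the reboot is deferred, so the master does
    not itself trigger a failover and the connection disruption that follows."""
    return "defer-until-vrrp-switchover" if slave.vrrp_active else "reboot-now"
```

The subnet comparison is the one check that is not a plain equality: two devices on the same wire with addresses in different prefixes would pass a naive "same interface name" test but never reach each other for the sync session.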

    To start configuration synchronization:

    1. Configure Device Role: Master on the master device and Slave on the slave device.
    2. Configure the Synchronization Session Password on each device with the same value.

    The configuration synchronization starts immediately. From that moment, each configuration change made on the master device is synchronized on the slave device.

    Note: For each IP interface configured on the master device a Peer IP address must be configured (to be used as the IP interface on the slave device).

    Starting with version 2.14.03 AppDirector allows you to select the exact IP interface over which configuration synchronization is to be performed, as well as an alternate connection. If this is changed while the devices are connected to the Configuration Synchronization session, the change will only take effect after the Reconnect Slave command is performed.

    Slave Device Behavior

    While the online configuration synchronization is enabled the slave device cannot be directly configured by the user, with the exception of a few parameters that are not synchronized and can thus be configured directly on the slave device. These parameters are marked in both the master and slave device GUI.

    Parameters that are not synchronized and can be configured directly on a slave device are:

    - Device Name
    - VRRP Global Admin Status
    - OSPF Router ID
    - Layer 2 Interface parameters
    - Diagnostics menu
    - Client Table filters
    - The parameters configured as excluded from sync in the Master device
    - Configuration Synchronization Device Role and Session Password
    - Statistics resets
      o Farm server
      o Farm TCP splitting
      o Physical server
      o Config Sync
    - Clear Tables
      o Dynamic Proximity table
      o ARP table
      o Routing Table
      o Trap Log
    - Debug configuration
    - Terminal configuration
    - Internal configuration commands (system internal)

    In addition, the user can perform software and license upgrades only directly on a slave device, as well as any non-configuration commands (such as ping, telnet, etc.).

    There are additional configuration synchronization parameters that can be tweaked, and the configuration synchronization status and statistics can be monitored at all times; see the User Guide for details.

    TCP Pooling

    In a connection-pooled environment, a pool of server connections is maintained for servicing client connections. When a client requests a connection, an unused connection is selected from the server pool and used to service the request. When the client request is complete, the server connection is returned to the pool and the client connection is dropped.

    This has the effect of reducing the overhead imposed by establishing and tearing down the TCP connection with the server, improving the responsiveness of the application.

    AppDirector now supports TCP connection pooling for generic TCP applications. AppDirector maintains a back-end connection pool per server for each service (Layer 4 policy) and reuses these connections for multiple front-end connections/clients. To enable TCP Pooling the user must:

    - Create a TCP Policy (new object type) with Back-End Connection Pooling enabled. The user can also define the pool size (default is 10,000) and the Back-End Connection Idle timeout (default 60 sec).
    - Attach the TCP Policy to the virtual service (Layer 4 policy) for which TCP pooling must be applied.

    When TCP Pooling is enabled for a certain Layer 4 policy, Client NAT must be enabled and configured for all farm servers connected to that Layer 4 policy (the Client NAT wizard can be used).

    Note: A TCP Policy cannot be attached to an HTTP service (Layer 4 policy). For an HTTP service, HTTP multiplexing can be enabled via the HTTP Policy.
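The pooling behaviour described above, as an added example that is not Radware's code: a per-server back-end pool with the two tunables the TCP Policy exposes, pool size and idle timeout (the defaults 10,000 and 60 seconds are taken from the release notes; the class, its method names and the injected clock are this example's own). The simulation counts back-end handshakes against pooled reuses so the saving, and the effect of the idle timeout, are visible.

```python
"""Constructed example: a model of per-server back-end TCP connection pooling.
Pool size and idle timeout defaults follow the release notes; everything else
(class, method names, the fake clock) is an assumption for the illustration."""
from collections import deque
import itertools


class FakeClock:
    """Injected time source so the idle timeout can be exercised offline."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


class BackendPool:
    """One pool per (Layer 4 policy, server) pair. Because pooled connections
    are reused across clients, the server sees the NAT address rather than
    the original client, which is why Client NAT is required with pooling."""

    def __init__(self, clock, pool_size=10_000, idle_timeout=60.0):
        self.clock = clock
        self.pool_size = pool_size
        self.idle_timeout = idle_timeout
        self._idle = deque()          # (conn_id, time_returned), oldest first
        self._ids = itertools.count(1)
        self.opened = 0               # back-end TCP handshakes performed
        self.reused = 0               # requests served from the pool

    def _age(self):
        """Drop idle connections older than the Back-End Connection Idle
        timeout; the server would have closed them anyway."""
        now = self.clock()
        while self._idle and now - self._idle[0][1] > self.idle_timeout:
            self._idle.popleft()

    def acquire(self):
        """Select an unused back-end connection, opening a new one only when
        no pooled connection is still within the idle timeout."""
        self._age()
        if self._idle:
            conn_id, _ = self._idle.popleft()
            self.reused += 1
            return conn_id
        self.opened += 1
        return next(self._ids)

    def release(self, conn_id):
        """Return a connection when the client request completes. Beyond
        pool_size the connection is closed instead of kept (returns False)."""
        if len(self._idle) >= self.pool_size:
            return False
        self._idle.append((conn_id, self.clock()))
        return True

    def idle_count(self):
        self._age()
        return len(self._idle)


def simulate(requests, clock, **pool_kwargs):
    """Serve (arrival_time, duration) client requests one after another and
    return (handshakes_opened, pooled_reuses)."""
    pool = BackendPool(clock, **pool_kwargs)
    for start, duration in requests:
        clock.now = start
        conn = pool.acquire()
        clock.now = start + duration
        pool.release(conn)
    return pool.opened, pool.reused
```

Run with requests spaced closer than the idle timeout and one handshake serves them all; space them further apart and every request pays a new handshake, which is the trade-off the idle timeout setting controls.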

    What's Changed

    This section describes changes to existing features and components introduced in this version.

    NAT for Outbound Traffic Enhancements (first introduced in 1.07)

    Previously AppDirector supported the following options for NATting outbound traffic:

    - Static NAT using a VIP for traffic from servers managed by AppDirector (Server NAT). For servers that are attached to several VIPs a random VIP is selected.
    - Dynamic NAT using a non-VIP NAT address for traffic from any station behind AppDirector (Outbound NAT).

    Now AppDirector supports additional options for Outbound NAT using a VIP:

    - Dynamic NAT using a VIP
    - Static NAT using a VIP, which allows you to define the VIP to be used for each server.

    To configure the new Outbound NAT options:

    - In the Outbound NAT Address entry you can now configure a VIP as a NAT address (a range of 1 only).
    - In the Outbound NAT Intercept entry, when attaching a VIP Outbound NAT Address, you can configure whether the NAT Type is Dynamic or Static N:1.

    Note: When the Outbound NAT Address is a VIP, NAT will be performed for all clients from the Outbound NAT Intercept range; it is the user's responsibility to ensure the range includes only stations that are configured as farm servers on AppDirector.

    Remove Entry On Session End

    It is now possible to configure, for Server NAT and per Outbound NAT intercepted range, whether the Client Table entries should be aged when session end is detected or not (wait for inactivity aging).

    RADIUS Persistency Enhancements (first introduced in 1.07)

    RADIUS persistency via generic DSID mechanism

    A new lookup mode was added to Text Match persistency rules: RADIUS attribute. This new lookup mode enables you to define a RADIUS attribute according to which persistency is maintained, in either learning (table) mode or hash mode. This also provides support for RADIUS persistency where the persistency parameter appears only in the first RADIUS reply, not in the first RADIUS request.

    Note: If a RADIUS AVP number is configured in a farm's RADIUS Attribute parameter, a Text Match persistency rule with lookup mode RADIUS Attribute and Hash Persistency Method is automatically generated for that farm.

    Application with RADIUS persistency

    AppDirector enables you to maintain server persistency between the RADIUS and application sessions of a client. This is achieved by learning the persistency parameter from the RADIUS Accept response (usually the client IP) and looking for the same parameter in the application requests, usually with the help of a Pattern Match persistency rule. When the client IP appears in the application data (TCP payload) you can configure in the Pattern Match persistency rule whether to interpret the extracted value as an IP string or a binary value.

    Also, the Pattern Mask length was increased to 16 octets (32 characters).

    Back-End SSL User-defined Cipher

    On back-end SSL, AppDirector previously allowed choosing between Low, Medium or High strength ciphers. Now the administrator can configure their own cipher.

    Block all traffic on VLAN in Backup

    To prevent any packet spillage via a backup device in a bridge configuration (Regular VLAN), you now have the option to block all traffic (previously only broadcast traffic was blocked). The previous values of the Backup in VLAN parameter were renamed for better clarity:

    Enable -> Block Broadcast
    Disable -> Forward Traffic

    Support LRP between different versions

    This allows you to use different versions in different global sites (especially required when there are different platforms, with no common version, used in different sites). This change works with devices running 1.07.14DL build 24 and up, but cannot work with devices running 2.0 and 2.10.

    BGP Initialization Delay (Introduced in 2.14.03)

    Administrators can now configure the time to wait (in seconds) at device startup before establishing BGP connections. The values range between 15 and 120 seconds.

    SIP Aging on Session End (Introduced in 2.14.03)

    When the Session Mode is set to Remove on Session End, the connection record (Client Table entry) is aged 5 seconds after the session end was identified. However, for SIP the standard requires 32 seconds. Now this parameter can be configured.

    Back-end Segmentation (Introduced in 2.14.03)

    This new Segment parameter allows you to control segmentation behavior when farms attached to a certain Layer 4 policy do not belong to the same segment as the Layer 4 policy. The options enable you either to perform segmentation (sending traffic to the Layer 4 policy segment NHR and not directly to the selected server) or not to perform segmentation (forwarding traffic directly to the selected server).

    No Service page (Introduced in 2.14.03)

    AppDirector can answer with a user-defined "Sorry" page when a service is not available (a farm has no available servers). This page is sent using the code 200 OK. Now AppDirector allows you to configure the code to be used for the "Sorry" page per farm.

    Back-end SSL Enhancements (Introduced in 2.14.03)

    AppDirector now supports the following additional scenarios:

    1. SSL offloading is required on the front-end, but on the back-end some of the Layer 7 services require back-end SSL and some do not. To support this scenario:
       - Attach an SSL policy to the Layer 4 service defining both the front-end and back-end SSL.
       - On those farms to which no back-end SSL should be performed, you can define that no back-end SSL is to be performed.
    2. Clear-text traffic is received on the front-end, but SSL encryption is required on the back-end. To support this scenario configure an SSL Policy where Front-End is disabled and Back-End is enabled.

    Number of Trunks on ODS3 (Introduced in 2.14.03)

    The number of trunks available on ODS 3 was increased to 7.

    RADIUS Load Balancing Enhancements (Introduced in 2.14.03)

    Previously RADIUS-aware load balancing (Layer 7 persistency and farm selection) was available only on standard RADIUS ports. Now these capabilities can be supported for any application port used by your RADIUS application.

    Connection Management Enhancements (Introduced in 2.14.03)

    The farm Close Session at Aging parameter enabled you to request that AppDirector send a RST to a server when one of its connections was aged due to inactivity. Now it also allows you to request that AppDirector send a RST to the client when one of its connections is aged due to inactivity.
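As an added example (not Radware's code), the following Python models the two Client Table aging behaviours described in this document: the configurable delay after a detected session end (5 seconds by default, 32 seconds for SIP, both from the SIP Aging on Session End section) and the Close Session at Aging option now able to send a RST to the client as well as the server. The record layout, the event strings and the inactivity timeout value are constructed for the illustration.

```python
"""Constructed example: Client Table aging with a per-farm session-end delay
and RST-on-aging options. Field names, event strings and the inactivity
timeout default are assumptions made for this illustration."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class FarmConfig:
    inactivity_timeout: float = 300.0  # constructed default for the example
    session_end_delay: float = 5.0     # delay after a detected session end
    rst_to_server: bool = False        # Close Session at Aging, server side
    rst_to_client: bool = False        # Close Session at Aging, client side


@dataclass
class ClientEntry:
    client: str
    server: str
    last_activity: float
    session_end_seen: Optional[float] = None  # time the session end was seen


def age_entry(entry: ClientEntry, cfg: FarmConfig, now: float) -> List[str]:
    """Events produced for one entry at time `now`. An empty list keeps the
    entry; otherwise the removal reason comes first, followed by the RSTs the
    farm configuration asks for."""
    events = []
    if (entry.session_end_seen is not None
            and now - entry.session_end_seen >= cfg.session_end_delay):
        # Both peers closed the session themselves; nothing to reset.
        events.append("removed:session-end")
        return events
    if now - entry.last_activity >= cfg.inactivity_timeout:
        events.append("removed:inactivity")
        # The peers still think the connection is open, so a RST tells them
        # the device no longer tracks it instead of leaving them to time out.
        if cfg.rst_to_server:
            events.append(f"rst->server {entry.server}")
        if cfg.rst_to_client:
            events.append(f"rst->client {entry.client}")
    return events


def sip_farm() -> FarmConfig:
    """SIP needs the 32-second delay the standard requires before the entry
    is dropped; the default 5 seconds would drop late in-dialog messages."""
    return FarmConfig(session_end_delay=32.0)


def sweep(entries, cfg, now):
    """Age a whole table once; return {client: events} for removed entries."""
    return {e.client: ev for e in entries if (ev := age_entry(e, cfg, now))}
```

The sweep over a table is where these settings matter operationally: a farm whose entries are removed while peers still consider the connection live keeps half-open state on the server, which the RST options exist to clear.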


    Increased SSL Authentication CA depth (Introduced in 2.14.03)

    During SSL-based client authentication (client certificate), the certificate authority (CA) must be matched to the trusted CA defined in the Authentication policy. The number of Certificate Authorities (CAs) in the chain lookup was increased to 100. This allows support for client authentication with proxy certificates.

    Increased Syslog Servers Number (Introduced in 2.14.03)

    AppDirector can now send syslog messages to up to 5 servers.

    HTTP/S Health Check Enhancements (Introduced in 2.14.03)

    In the HTTP and HTTPS health checks you can now include a user-specified header (for example User-Agent).
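As an added example (not Radware's code), the following Python performs an HTTP health check that carries a user-specified header and runs it against a throw-away local server so it works offline. The server, the header value and the /health path are constructed for the illustration; it is written to report healthy only when the expected User-Agent is present, which is the kind of back end (one fronted by a WAF rule or a virtual-host filter) that makes the header option necessary.

```python
"""Constructed example: an HTTP health check with a user-specified header,
exercised against an in-process server. Header value, path and server
behaviour are assumptions for the illustration."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

EXPECTED_AGENT = "Example-HealthCheck/1.0"  # constructed value


class _Handler(BaseHTTPRequestHandler):
    """Healthy only for the expected User-Agent; everything else gets 403."""

    def do_GET(self):
        if self.path == "/health" and self.headers.get("User-Agent") == EXPECTED_AGENT:
            status, body = 200, b"OK"
        else:
            status, body = 403, b"forbidden"
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the example quiet
        pass


def start_server():
    """Bind an ephemeral port on localhost; return (server, port)."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), _Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def http_health_check(host, port, path="/health", headers=None,
                      expect_status=200, timeout=2.0):
    """One probe: True only if the response status matches expect_status.
    `headers` carries the user-specified header(s); a refused or timed-out
    connection counts as a failed check rather than an exception."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers=headers or {})
        return conn.getresponse().status == expect_status
    except OSError:
        return False
    finally:
        conn.close()


def demo():
    """Probe the local server with and without the header; return both results."""
    srv, port = start_server()
    try:
        with_header = http_health_check("127.0.0.1", port,
                                        headers={"User-Agent": EXPECTED_AGENT})
        without_header = http_health_check("127.0.0.1", port)
    finally:
        srv.shutdown()
        srv.server_close()
    return with_header, without_header
```

Checking the status code rather than merely that a TCP connection succeeded is what distinguishes a server that is up from one that is answering with an error page, which is also why a "Sorry" page returned with 200 OK is easy for monitoring to mistake for a healthy farm.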

    DNS Layer 7 Farm Selection (Introduced in 2.14.03)

    AppDirector now enables you to perform Layer 7 farm selection for DNS, as local traffic load balancing or in combination with global traffic load balancing.

    The DNS Layer 7 farm selection uses the same mechanism used for DNS resolution (see Host Names) instead of the Layer 7 policies mechanism. For this purpose a new parameter, DNS Action, was added to the Host Names and Regexp Host Names entries. This parameter enables you to define whether to perform DNS resolution or to forward DNS traffic to a farm.

    For more details please see the User Guide.

    Related Documentation

    The following documentation is related to this version:

    Radware Installation and Maintenance Guide

    AppDirector User Guide

    AppDirector Maintenance Release Notes

    For the latest Radware product documentation, download it from http://www.radware.com/Customer/Portal/default.asp

    © 2010 Radware, Ltd. All Rights Reserved. Radware and all other Radware product and service names are registered trademarks of Radware in the U.S. and other countries. All other trademarks and names are the property of their respective owners. Printed in the U.S.A.
