
AppDirector

Release Notes
Version 2.14
February 10, 2011

North America
Radware Inc.
575 Corporate Dr., Lobby 1
Mahwah, NJ 07430
Tel: (888) 234-5763
International
Radware Ltd.
22 Raoul Wallenberg St.
Tel Aviv 69710, Israel
Tel: 972 3 766 8666
www.radware.com

AppDirector version 2.14 Release Notes


Date: February 10, 2011

Radware announces the release of AppDirector version 2.14. These release notes describe new
features since the last released version of AppDirector, 2.13.

Table of Contents
Supported Platforms and Modules
Upgrade Path
  Upgrade Procedure
  Other Upgrade Considerations
What's New
  Online Configuration Synchronization
    Master/Slave Roles
    Activation
    Slave Device Behavior
  TCP Pooling
What's Changed
  NAT for Outbound Traffic Enhancements (first introduced in 1.07)
  RADIUS Persistency Enhancements (first introduced in 1.07)
  Back-End SSL User-defined Cipher
  Block all traffic on VLAN in Backup
  Support LRP between different versions
  BGP Initialization Delay (Introduced in 2.14.03)
  SIP Aging on Session End (Introduced in 2.14.03)
  Back-end Segmentation (Introduced in 2.14.03)
  No Service page (Introduced in 2.14.03)
  Back-end SSL Enhancements (Introduced in 2.14.03)
  Number of Trunks on ODS3 (Introduced in 2.14.03)
  RADIUS Load Balancing Enhancements (Introduced in 2.14.03)
  Connection Management Enhancements (Introduced in 2.14.03)
  Increased SSL Authentication CA depth (Introduced in 2.14.03)
  Increased Syslog Servers Number (Introduced in 2.14.03)
  HTTP/S Health Check Enhancements (Introduced in 2.14.03)
  DNS Layer 7 Farm Selection (Introduced in 2.14.03)
Related Documentation

Supported Platforms and Modules


This version is supported by the following platforms:
Platform                     Notes and Exceptions
OnDemand Switch 1 v1/v2
OnDemand Switch 2 v1/v2
OnDemand Switch 1 XL
OnDemand Switch 2 XL
OnDemand Switch VL
OnDemand Switch VL XL
OnDemand Switch 3 v2
OnDemand Switch 3 XL

For more information on platform specifications, refer to the Radware Installation and
Maintenance Guide.
This version includes the following modules:
Module                                      Supported Version   Notes and Exceptions
Application Security (IPS, DoS and BDoS)    2.06.10
APSolute OS                                 10.31-08.06
This version will be supported by APSolute Insite 2.89.
Upgrade Path
You can upgrade to this version from any of the following previous versions of AppDirector:
- 1.06 and 1.07 (not for OnDemand Switch 3)
- 2.x

Upgrade Procedure

General upgrade instructions are found in the Radware Installation and Maintenance Guide.
Other Upgrade Considerations

- OnDemand Switch 1 v.1 and OnDemand Switch 2 v.1 platforms can be upgraded to this
  version (if the device has at least 2GB of RAM); however, the Application Acceleration
  Engine and its services will not be available.
- OnDemand Switch 3 v.1 platform cannot be upgraded to this version.
- OnDemand Switch 1, 2, and 3 hardware version can be identified as follows:
  a. The label on the back of the device includes a "version 2" note for version 2 (no
     note for version 1).
  b. View the device information:
     - For OnDemand Switch 1 & 2, if no version is mentioned in the Platform field, check
       whether a hard disk is installed in the device. If one is installed, the device is
       version 2. If not, it is a version 1 device.
     - For OnDemand Switch 3, if no version is mentioned in the Platform field, it is a
       version 1 device.
- From version 2.11 and later, the use of a passphrase to protect PKI Private Keys is enforced.
  Any Private Key that did not have a passphrase defined during its creation (in earlier
  versions) will be automatically set with the default passphrase "radware" during the upgrade
  process. This passphrase is required during PKI components export operations.

What's New
This section describes the new features and components introduced in this version.

Online Configuration Synchronization

For primary and secondary devices to work properly in a redundant configuration, they must have
a consistent configuration. AppDirector 2.14 introduces an online configuration synchronization
capability that saves device administrators the tedious, error-prone manual process otherwise
required to ensure that the redundant devices are synchronized at all times.
Note: In versions lower than 2.14.03 this capability is only supported for a pair of devices using
VRRP in an Active-Backup scenario. Starting with 2.14.03, AppDirector supports Configuration
Synchronization for the Active-Active scenario. This is enabled by a new parameter that allows you
to define the preferred state (Master or Backup) of each VR on the device.
Master/Slave Roles

This capability operates in a Master/Slave mode. The Master device is the only one that can be
configured by the administrator; the Slave device is configured by the Master device only. Automatic
configuration synchronization is achieved by providing online update of the configuration:
- The Master device sends each configuration transaction to the Slave.
- The Master device performs full synchronization of the Slave device after disconnection, failed
  Slave update, etc.
The roles of the devices are set manually and never change dynamically, in contrast to the VRRP
active ownership.
- The configuration sync roles are independent of the device redundancy operation mode
  (Active/Backup). It is, however, required to set the primary device as the configuration master.
- The configuration sync considers the VRRP status when it has to reboot the slave device
  (after configuration changes that require reboot). If the configuration slave is the VRRP active
  device, the reboot is suppressed in order to avoid an unnecessary failover that would cause
  connection disruption. The Master waits for the VRRP role to switch over and only then issues
  the reboot.
Activation

Pre-requisites
In order for the auto-configuration sync to work, the master and slave devices must match as
follows:
1. Hardware platform type.
2. Memory size.
3. License (license upgrading will have to be done manually on both devices, since each license
is bound to a specific machine).
4. Software version. Software upgrade will also be done manually on each device. During that
time, the configuration sync must be disabled.
5. Network topology, meaning parallel ports connected to the same subnets.


6. Before the configuration is synced for the first time, there must be at least one matching IP
interface (same subnet, same interface) on the two devices.
7. The SSH Management Interface must be enabled and use the same application port on both
devices.
The master device checks all these conditions (except condition 5, which is the administrator's
responsibility) and will not start synchronization if one of them is not met.
To start configuration synchronization:
1. Configure Device Role: Master on the master device and Slave on the slave device.
2. Configure Synchronization Session Password on each device with the same value.
The configuration synchronization starts immediately. From that moment, each configuration change
made on the master device is synchronized on the slave device.
Note: For each IP interface configured on the master device a Peer IP address must be configured
(to be used as IP interface on the slave device).
Starting with version 2.14.03 AppDirector allows you to select the exact IP interface over which
configuration synchronization is to be performed, as well as an alternate connection. If this is
changed while devices are connected to the Configuration Synchronization session, the change will
only take effect after the Reconnect Slave command is performed.
Slave Device Behavior

While online configuration synchronization is enabled, the slave device cannot be directly
configured by the user, with the exception of a few parameters that are not synchronized and can
thus be configured directly on the slave device. These parameters are marked in both the master
and slave device GUI.
Parameters that are not synchronized and can be configured directly on a slave device are:
- Device Name
- VRRP Global Admin Status
- OSPF Router ID
- Layer 2 Interface parameters
- Diagnostics menu
- Client Table filters
- The parameters configured as excluded from sync in the Master device
- Configuration Synchronization Device Role and Session Password
- Statistics resets
  o Farm server
  o Farm TCP splitting
  o Physical server
  o Config Sync
- Clear Tables
  o Dynamic Proximity table
  o ARP table
  o Routing Table
  o Trap Log
- Debug configuration
- Terminal configuration
- Internal configuration commands (system internal)


In addition, the user can perform software and license upgrades only directly on a slave device,
and can also run any non-configuration commands (such as ping, telnet, etc.) on it.
Additional configuration synchronization settings can be tuned, and the configuration
synchronization status and statistics can be monitored at all times; see the User Guide for details.

TCP Pooling

In a connection-pooled environment, a pool of server connections is maintained for servicing client
connections. When a client requests a connection, an unused connection is selected from the server
pool and used to service the request. When the client request is complete, the server connection is
returned to the pool and the client connection is dropped.
This reduces the overhead imposed by establishing and tearing down the TCP connection with the
server, improving the responsiveness of the application.
AppDirector now supports TCP connection pooling for generic TCP applications. AppDirector
maintains a back-end connection pool per server for each service (L4 policy) and reuses these
connections for multiple front-end connections/clients.
To enable TCP Pooling the user must:
- Create a TCP Policy (new object type) with Back-End Connection Pooling enabled. The user can
  also define the pool size (default is 10,000) and the Back-End Connection Idle timeout
  (default 60 sec).
- Attach the TCP Policy to the virtual service (Layer 4 policy) for which TCP pooling must be
  applied.
When TCP Pooling is enabled for a certain Layer 4 policy, Client NAT must be enabled and
configured for all farm servers connected to that Layer 4 policy (the Client NAT wizard can be used).
Note: A TCP Policy cannot be attached to an HTTP service (Layer 4 policy). For an HTTP service, HTTP
multiplexing can be enabled via an HTTP Policy.

What's Changed
This section describes changes to existing features and components introduced in this version.
NAT for Outbound Traffic Enhancements (first introduced in 1.07)

Previously AppDirector supported the following options for NATting outbound traffic:
- Static NAT using VIP for traffic from servers managed by AppDirector (Server NAT). For
servers that are attached to several VIPs a random VIP is selected.
- Dynamic NAT using non-VIP NAT address for traffic from any station behind AppDirector
(Outbound NAT).
Now AppDirector supports additional options for Outbound NAT using VIP:
- Dynamic NAT using VIP
- Static NAT using VIP, which allows you to define the VIP to be used for each server.
To configure the new Outbound NAT options:
- In the Outbound NAT Address entry you can now configure a VIP as a NAT address (a range of
1 only)
- In the Outbound NAT Intercept entry, when attaching a VIP Outbound NAT Address, you can
configure whether the NAT Type is Dynamic or Static N:1.
Note:
- When the Outbound NAT Address is a VIP, NAT will be performed for all clients from the Outbound
  NAT Intercept range. It is the user's responsibility to ensure the range includes only stations
  that are configured as farm servers on AppDirector.

Remove Entry On Session End
It is now possible to configure, for Server NAT and per Outbound NAT intercepted range, whether
the Client Table entries should be aged when session end is detected or not (wait for inactivity
aging).

RADIUS Persistency Enhancements (first introduced in 1.07)

RADIUS persistency via generic DSID mechanism


A new lookup mode was added to Text Match persistency rules: RADIUS Attribute. This new
lookup mode enables you to define a RADIUS attribute according to which persistency is
maintained in either learning (table) mode or hash mode. This also provides support for RADIUS
persistency where the persistency parameter appears only in the first RADIUS reply, not in the first
RADIUS request.
Note: If a RADIUS AVP number is configured in a farm RADIUS Attribute parameter, a Text
Match persistency rule with lookup mode RADIUS Attribute and Hash Persistency Method is
automatically generated for that farm.
Application with RADIUS persistency
AppDirector enables you to maintain server persistency between the RADIUS and application sessions
of a client. This can be achieved by learning the persistency parameter from the RADIUS Accept
response (usually the client IP) and looking for the same parameter in the application requests,
usually with the help of a Pattern Match persistency rule.
When the client IP appears in the application data (TCP payload), you can configure in the Pattern
Match persistency rule whether to interpret the extracted value as an IP string or a binary value.
Also, the Pattern Mask length was increased to 16 octets (32 characters).
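
The learning step described above, as an added example that is not Radware code: a RADIUS (RFC 2865) Access-Accept is parsed, its Framed-IP-Address attribute is learned against a server, and the same address is then looked up in application payload read either as an IP string or as a binary value. The class and function names, the server label and the sample packet are constructed for illustration; AppDirector's internal table format is not described in these release notes.

```python
import ipaddress
import re
import struct

ACCESS_ACCEPT = 2       # RADIUS packet code (RFC 2865)
FRAMED_IP_ADDRESS = 8   # RADIUS attribute type (RFC 2865)
IP_STRING = re.compile(rb"\d{1,3}(?:\.\d{1,3}){3}")

def radius_attributes(packet):
    """Return (code, [(type, value), ...]); raise ValueError on a malformed packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-octet RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("length field does not fit the datagram")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("attribute length out of bounds")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return code, attrs

class PersistencyTable:
    """Learning (table) mode: attribute value -> server that handled the RADIUS session."""

    def __init__(self):
        self._servers = {}

    def learn_from_reply(self, packet, server, attr_type=FRAMED_IP_ADDRESS):
        """Record the attribute from an Access-Accept; return the learned value or None."""
        code, attrs = radius_attributes(packet)
        if code != ACCESS_ACCEPT:
            return None
        for a_type, value in attrs:
            if a_type == attr_type:
                self._servers[value] = server
                return value
        return None

    def lookup_in_payload(self, payload, offset, binary):
        """Read the client IP at `offset` as 4 raw octets or as a dotted string."""
        if binary:
            key = payload[offset:offset + 4]
            if len(key) != 4:
                return None
        else:
            match = IP_STRING.match(payload, offset)
            if not match:
                return None
            try:
                key = ipaddress.IPv4Address(match.group().decode()).packed
            except ValueError:      # e.g. "999.1.2.3" is not an address
                return None
        return self._servers.get(key)

def sample_access_accept(client_ip="10.1.2.3"):
    """Constructed Access-Accept carrying one Framed-IP-Address attribute."""
    attr = bytes([FRAMED_IP_ADDRESS, 6]) + ipaddress.IPv4Address(client_ip).packed
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(attr)) + bytes(16) + attr
```

The parser rejects packets whose length fields do not add up before anything is learned, so a malformed reply cannot place an entry in the table.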
Back-End SSL User-defined Cipher

For back-end SSL, AppDirector previously allowed you to choose between a Low, Medium or High
strength cipher. Now the administrator can configure their own cipher.
Block all traffic on VLAN in Backup

To prevent any packet spillage via a backup device in bridge configuration (Regular VLAN), you
have the option to block all traffic (previously only broadcast traffic was blocked). The previous
values of the Backup in VLAN parameter were renamed for better clarity:
- Enable -> Block Broadcast
- Disable -> Forward Traffic

Support LRP between different versions

This allows you to use different versions in different global sites (especially required when there are
different platforms, with no common version, used in different sites). This change can work with
devices running 1.07.14DL build 24 and up, but cannot work with devices running 2.0 and 2.10.
BGP Initialization Delay (Introduced in 2.14.03)

Administrators can now configure the time to wait (in seconds) at device startup before establishing
BGP connections. The values range between 15 and 120 seconds.
SIP Aging on Session End (Introduced in 2.14.03)

When the Session Mode is set to Remove on Session End, the connection record (Client Table
entry) is aged 5 seconds after the session end was identified. However for SIP, the standard requires
32 seconds. Now this parameter can be configured.
Back-end Segmentation (Introduced in 2.14.03)

This new Segment parameter allows you to control segmentation behavior when farms attached to a
certain Layer 4 policy do not belong to the same segment as the Layer 4 policy. Options enable you
to either perform segmentation (sending traffic to the Layer 4 policy segment NHR and not directly
to the selected server) or not to perform segmentation (forwarding traffic directly to the selected
server).
No Service page (Introduced in 2.14.03)

AppDirector can answer with a user-defined "Sorry" page when a service is not available (a farm has
no available servers). This page is sent using the code 200 OK.
Now AppDirector allows you to configure, per farm, the code to be used for the "Sorry" page.
Back-end SSL Enhancements (Introduced in 2.14.03)

AppDirector now supports the following additional scenarios:
1. SSL offloading is required on the front-end, but on the back-end some of the Layer 7 services
   require back-end SSL and some do not.
   To support this scenario:
   - Attach an SSL policy to the Layer 4 service defining both the front-end and back-end SSL.
   - On those farms to which no back-end SSL should be performed, you can define that
     no back-end SSL is to be performed.
2. Clear-text traffic is received on the front-end, but SSL encryption is required on the
   back-end. To support this scenario, configure an SSL Policy where Front-End is disabled and
   Back-End is enabled.
Number of Trunks on ODS3 (Introduced in 2.14.03)

The number of trunks available on ODS 3 was increased to 7.


RADIUS Load Balancing Enhancements (Introduced in 2.14.03)

Previously RADIUS-aware load balancing (Layer 7 persistency and farm selection) was available
only on standard RADIUS ports. Now these capabilities can be supported for any application port
used by your RADIUS application.
Connection Management Enhancements (Introduced in 2.14.03)

The farm Close Session at Aging parameter enabled you to request that AppDirector send a RST
to a server when one of its connections was aged due to inactivity. Now it also allows you
to request that AppDirector send a RST to the client when one of its connections is aged due to
inactivity.

Increased SSL Authentication CA depth (Introduced in 2.14.03)

During SSL-based client authentication (client certificate), the certificate authority (CA) must be
matched to the trusted CA defined in the Authentication policy. The number of Certificate
Authorities (CA) in the chain lookup was increased to 100. This will allow support for client
authentication with proxy certificates.
Increased Syslog Servers Number (Introduced in 2.14.03)

AppDirector can now send syslog messages to up to 5 servers.


HTTP/S Health Check Enhancements (Introduced in 2.14.03)

In the HTTP and HTTPS health checks you can now include a user-specified header (for example
User-Agent).
DNS Layer 7 Farm Selection (Introduced in 2.14.03)

AppDirector now enables you to perform Layer 7 farm selection for DNS, as local traffic load
balancing or in combination with global traffic load balancing.
The DNS Layer 7 farm selection uses the same mechanism used for DNS resolution (see Host
Names) instead of the Layer 7 policies mechanism. For this purpose a new parameter, DNS Action,
was added to Host Names and Regexp Host Names entries. This parameter enables you to define
whether to perform DNS resolution or to forward DNS traffic to a farm.
For more details, see the User Guide.

Related Documentation
The following documentation is related to this version:
- Radware Installation and Maintenance Guide
- AppDirector User Guide
- AppDirector Maintenance Release Notes
The latest Radware product documentation can be downloaded from
http://www.radware.com/Customer/Portal/default.asp

© 2010 Radware, Ltd. All Rights Reserved. Radware and all other Radware product and service names are registered trademarks of
Radware in the U.S. and other countries. All other trademarks and names are the property of their respective owners. Printed in the
U.S.A.
