Kemp LoadMaster

This blog post is intended to provide technical guidance on how to deploy Multi-Factor Authentication (MFA) with Google Authenticator (CAPTCHA) using Kemp LoadMaster load balancer to a Microsoft Exchange backend application server(s). This will leverage the Kemp Edge Security Pack (ESP) standard functionality.The blog post focuses on integration with Google Authenticator (CAPTCHA) using the HMAC-based Onetime Password algorithm using LinOTP via RADIUS.More information on Google Authenticator is available here. More information on Google CAPTCHA v2 account is available here. More information on LinOTP is available here.High Level OverviewIn the architecture above you can see a diagram of the components involved in this flow. These are described as follows:Client connects to their Exchange server. This is terminated on the Kemp LoadMaster load balancer. The Kemp LoadMaster Edge Security Pack (ESP) is configured to redirect the client to the Kemp authentication form.The Kemp LoadMaster proxies the clients credentials to LinOTP via RADIUS.LinOTP responds to the Kemp LoadMaster with an Access Challenge.The Kemp LoadMaster presents the client with a second login page.The client opens their Google Authenticator App and enters their Second Factor Token.The client enters their Second Factor Token to the Kemp LoadMaster second login page.The Kemp LoadMaster sends the Second Factor Token to the LinOTP server.In the successful case, the LinOTP server responds with an “Access Accept” response.The client is now redirected back to the original URL which contains an LMDATA Authentication Cooke.The Kemp LoadMaster forwards the request to the Exchange Server by POSTing the clients credentials.Configuration RequirementsThis section outlines the configuration requirements to enable this functionality:LinOTP server (Alternatively any MFA authentication server like RSA can be used)Google Captcha account, available hereMicrosoft Exchange backend with OWA configured for “Forms Based”Kemp LoadMaster with Enterprise / Enterprise Plus subscription (or Trial license)Kemp firmware release v7.2.49 (or greater)LinOTP Configuration This section outlines the LinOTP configuration that is required to support this:To configure RADIUS clients, login to LinOTP under the RADIUS client as shown below, with the LoadMaster credentialsTo enrol users, Login to LinOTP under Click on Enrol and select Token settings > Google Authenticator compliant. Fill in the appropriate sections including a pin that is statically configured for that user.5. Using the Google Authenticator app to scan the 2D barcode that is presented. This will create a token, for example TOTP0010CD19, which can be viewed in the ‘Token View’ tab of LinOTP and is also presented on the Google Authenticator Application also.Kemp LoadMaster ConfigurationThis

Section outlines the Kemp LoadMaster configuration that is required to support this:To configure the LinOTP endpoint, go to Virtual Services > Manage SSO > New SSOEnter the details of the LinOTP RADIUS serverTo configure the Virtual Service, go to Virtual Service > ESP OptionsEnter the details of the CAPTCHA and the SSO Image Set configured to ‘Exchange’Authentication with Google AuthenticatorThis section outlines the screens that user will be presented with as part of the workflow.The Kemp LoadMaster will present the initial login page including the Google Authenticator CAPTCHA. The CAPTCHA presented will depend on how it has been configured in your Google account.The Username / Password is that which has been configured on the LinOTP server.Once the Username, Password and CAPTCHA are verified, the Kemp LoadMaster will request a pin. This pin is the 6-digit one-time password from your Google Authenticator Application.The pin will be verified by LinOTP and once successful will allow access to the Microsoft Exchange farm on the backend. Posted on January 24, 2020

Set to work from that directory run:C:\Users\User_Name\kemp_python_demo> pip install python_kemptech_apipip should successfully install the python_kemptech_api library.Run the following command to confirm that your environment is setup and the library is installed correctly:C:\Users\User_Name\kemp_python_demo> python -c "import python_kemptech_api; print(type(python_kemptech_api))"This should result in the following output:Code SnippetAt this point our environmental installation is complete. Let’s create a script that lists all the Virtual Services that are in the LoadMaster. Open up your favorite text editor or IDE and paste the following block. Make sure that the code snippet maintains its tabbing and edit the appropriate variables.# -*- coding: UTF-8 -*-from python_kemptech_api import LoadMaster as loadmasterLoadMaster_IP = "" # Your LoadMaster’s administrative IP# Note: To improve security, avoid using plaintext login and passwords and consider using environmental variables instead.LoadMaster_User = "" # Your LoadMaster’s Login UserLoadMaster_Password = "" # Your LoadMaster’s User’s PasswordLoadMaster_Port = "443" # By default this is 443.lm = loadmaster(LoadMaster_IP, LoadMaster_User, LoadMaster_Password, LoadMaster_Port)virtual_services = lm.get_virtual_services()for each_virtual_service in virtual_services:print(each_virtual_service)Running the code in Linux / Mac OSXSave the file as `”demo.py”` and run:~/kemp_python_demo $: python demo.pyIf everything worked correctly you should see the script output something like:Virtual Service TCP 192.168.1.4:80 on LoadMaster 192.168.1.3Running the code in WindowsSave the file as `”demo.py”` and run:C:\Users\User_Name\kemp_python_demo> python demo.pyIf everything worked correctly you should see the script output something like:Virtual Service TCP 192.168.1.4:80 on LoadMaster 192.168.1.3Updating the SDK libraryIf you’re interested in keeping up to date with the KEMP Python SDK you can runpip install python-kemptech-api --upgradeTo upgrade the library using python’s pip package manager.Viewing new changesThe KEMP Python SDK can be downloaded as a tar.gz file by visiting In this package is a CHANGES.rst file that contains a list of new changes to the project.Congratulations. You’ve successfully created your first Python script for your LoadMaster. The Python SDK has numerous features and functions that make automating

One of our goals at KEMP is to help our customers move faster. The LoadMaster provides a user-friendly web interface and a REST API to aid in this ideal. In order to make development on top of our REST API easier, KEMP offers a Python SDK that is constantly improving. If you’re interested in using the Python SDK for automation, the following “hello world” walkthrough will help you get setup and running quickly.RequirementsTo get started using the Python SDK you’ll need the following:Python > 2.7 or 3.4PipVirtualenv (Linux / Mac OSX, optional)A development environment that can connect to your LoadMaster’s administrative IP addressA LoadMaster with the “Enable API Interface” option enabledTo enable your LoadMaster’s API interface Login to the WUI, go to: Certificates & Security – Remote Access – Enable API InterfaceScreenshot of LoadMaster 7.2.36.2 WUIGetting setup: Linux / Mac OSXThis tutorial expects users of Linux and Mac OSX to be capable of installing python, pip and virtualenv without assistance.Create the directory `kemp_python_demo` and change your current working directory to it. Next, run the following commands:~/kemp_python_demo $: virtualenv .~/kemp_python_demo $: source bin/activate~/kemp_python_demo $: pip install python-kemptech-apiRun the following command to confirm that your environment is setup and the library is installed correctly:~/kemp_python_demo $: python -c "import python_kemptech_api; print(type(python_kemptech_api))"This should result in the following output:DemonstrationGetting setup: WindowsAt the time of this blog post the newest stable version of Python for Windows is Python 3.6 which you can download here. This tutorial expects you’ve downloaded the “Windows x86-64 executable installer.” Once you’ve downloaded the installer, run it and check the “Add Python 3.6 to PATH” checkbox.When the installation is complete go to: Start – Run – cmd. Next, create a directory `kemp_python_demo` and change your current working directory to it. Example:C:\Users\User_Name> mkdir kemp_python_demoC:\Users\User_Name>cd kemp_python_demoC:\Users\User_Name\kemp_python_demo>Once the directory is created and your prompt is

Automate endpoint configuration by directing external traffic to your Kubernetes Cluster.With LoadMaster, you won’t have to worry about virtual services and ingress policies as it automatically provisions them through the Kubernetes API and adapts to any changes in your configuration. It routes traffic directly to the Kubernetes Pods and allows microservices containers to be managed alongside traditional monolithic applications. Additionally, it can apply advanced enterprise load balancing services like Web Application Firewall (WAF), Access Management, Global Server Load Balancing (also known as GEO) and L7 Service traffic management.It is the simplest, most robust and scalable way to publish Kubernetes containers and monolithic applications via a single controller.ConclusionKubernetes makes the use of containers manageable even when the numbers in use hit the hundreds or even thousands. If you are deploying software across multiple platforms in the cloud or on-premises, containers are the modern way to do it and Kubernetes is the way to manage those deployments.If you haven’t delved into the world of Kubernetes (or containers, for that matter), there are plenty of places where you can try both in the cloud to see if this deployment model could enhance and simplify your application deployments. See the Kubernetes and Docker links in the reference below for jumping-off points. Visit the Kemp Ingress Controller for Kubernetes page to learn how LoadMaster can help you deliver your containerized infrastructure via Kubernetes.ReferencesKubernetes Web Site - Web Site - Getting Started - Posted on April 9, 2024