ZXTM 4.2r2 -> 18th February 2008
================================

ZXTM 4.2r2 is a minor revision to the ZXTM product family. We recommend that all customers upgrade to the latest version.

Platform Availability for ZXTM 4.2r2
------------------------------------

* Linux x86, x86_64 - Kernel 2.6 (2.6.8+)
* FreeBSD x86 5 (5.3+)
* FreeBSD x86 6 (6.1+)
* Solaris 10 (x86 and x86_64)
* Solaris 8, 9, 10 (SPARC)
* Hardware Appliances: 2000, 5000, 7000, 7400 appliances
* Virtual Appliances: VMware VI3 (ESX 3.0, ESX 3.5)
                      Windows Virtual Server 2005R2

ZXTM Software and ZXTM Appliance changes
----------------------------------------

- Traffic IP Groups

  Improve detection of the ZXTM software locking up, to ensure fail over doesn't happen unnecessarily.

  Fix a memory leak on Solaris and FreeBSD with ARP broadcasts.

  Fix sending ARP broadcasts on Solaris when the e1000g driver is being used.

- HTTP Content Caching

  Ensure the correct page is served from the Content Cache when the Host header and an absolute URI in the HTTP request do not match.

  Fix a problem with the Content Cache UI page that could occasionally cause a 500 error to be displayed.

  Ensure large pages that are being compressed using ZXTM's Content Compression feature are correctly inserted into the HTTP Content Cache.

- SSL

  Fix a serious problem where an invalid SSL record could cause ZXTM to keep attempting to read from a client, stopping other traffic from being handled.

  Ensure that the pkcs#11 library is located on the Sun Niagara servers.

  Avoid a spurious warning when "ssld!accel" is enabled, but no ssld library is specified.

  Update the 'ssl.sslSessionID()' function to work for SSL pass-through virtual servers.

- User Interface

  Fix an issue with the status applet using Flash 9.0.115.0, that causes "incorrect signature (-5)" errors in the event log.

  Store Historical Activity graph information for 90 days by default (this can be altered by changing the statd!days setting on the Global Settings UI page).

  Ensure that the cache of Historical Activity graphs is cleared occasionally.

  Fix adding nodes that start with a '0' or contain '.0' as part of the hostname.

  Relax hostname validation to allow '_' characters.

  Improve speed of Rules catalog page when there are lots of Rules and Virtual Servers.

  Include more networking diagnostic information in the technical support report.

  Ensure that the RuleBuilder constructs rules correctly when inspecting HTTP headers containing a '-' (such as User-Agent).

  Ensure that the locale setting does not break backups created using the SOAP API.

  Fix the Diagnose SOAP API to correctly reference "DetectionDate" rather than "DetectionTime" in responses.

- Other changes

  Fix connection counting logic which under some circumstances could cause an assert failure.

  Fix an occasional crash when serving FTP traffic.

  Fix processing of request 'Connection' headers to avoid incorrectly marking a request as non-keepalive.

  Ensure that parameters for cookies are correctly set for the 'monitor application cookies' session persistence type.

  Fix a situation where, under some circumstances, ZXTM could end up in an infinite loop while performing a DNS resolve.

  Improve performance when spawning processes on Solaris.

  Fix a small memory leak when a Service Protection class is reconfigured.

  Fix an infinite loop in the string.iReplaceAll() TrafficScript function.

  Ensure that when a previously failing monitor is added back into a pool the node status is updated correctly.

ZXTM Appliance changes only
---------------------------

- Fix a race condition that could cause a restart of the hardware monitoring daemon.
- Updated VMware tools package to latest version available for ESX 3.5. (ZXTM Virtual Appliance).

ZXTM 4.2r1 -> 6th September 2007
================================

ZXTM 4.2r1 is a minor revision to the ZXTM product family. We recommend that all customers upgrade to the latest version.

Platform Availability for ZXTM 4.2r1
------------------------------------

* Linux x86, x86_64 (Kernel 2.6.8+)
* FreeBSD x86 5.3+ and 6.1+
* Solaris 10 (x86 and x86_64)
* Solaris 8+ (SPARC)
* Hardware Appliances: 2000, 5000, 7000, 7400 appliances
* Virtual Appliances: VMware VI3, Windows Virtual Server 2005R2

ZXTM Software and ZXTM Appliance changes
----------------------------------------

- HTTP Content Caching

  Fix a race condition on multi-CPU machines that could cause a serious software failure.

  Fix a potential crash if content caching is used with very long URLs.

  Ensure that the Content Cache is limited to 3 Gb in 32-bit builds of ZXTM.

  Ensure the amount of physical memory is read correctly on FreeBSD.

  Fix a situation where the wrong 'Vary' header could be used when performing a lookup in the content cache.

  Ensure that Content Cache statistics do not get cleared accidentally.

- Fault Tolerance

  Traffic IP Addresses will now failover if traffic stops being served due to a serious lockup of part of ZXTM.

  Alter IGMP group behaviour: when a network cable is reconnected, pause for a short period before joining the IGMP group to ensure that the switch has noticed the reconnection.

  Alter how ARP messages are sent on Solaris and FreeBSD to ensure that the ARP cache doesn't get updated incorrectly.

  Improve multicast listening to ensure we listen for multicast messages on all network cards even if IP addresses change.

- Service Protection

  Service Protection alerts and log messages can now be disabled by setting the log_time for a class to 0.

  Requests dropped due to a service protection rate limit being exceeded are now correctly logged.

- Other changes

  Fix a situation that could delete the ZXTM configuration, causing ZXTM to fail to startup.

  Include more diagnostic information in the technical support report.

  Disabling passive monitoring now works correctly with UDP protocols.

  Deleting a configuration backup will now log an entry to the audit log.

  Custom TCP monitors now no longer need a 'write_string'.

  Fix the names of the "VirtualServer -> BitsOut" and "Network Interfaces -> InterfaceTxBitsLo" current activity counters.

  Work around a problem on FreeBSD that could stop ZXTM accepting new connections for Virtual Servers.

  Fix a problem with the 'max_retries' setting that, if it was set to '1', could cause the error page to incorrectly be sent to clients.

  Fix a potential crash when using an 'SSL passthrough' virtual server.

  Improve error message if the nCipher Remote File System cannot be contacted.

  ZXTM will now work correctly if 'state_sync_time' is set to '0'.

  net.dns.resolveHost() now resolves addresses of the form 1.2.3.4.zen.spamhaus.org correctly.

ZXTM Appliance changes only
---------------------------

- Licenses bound to a MAC address will now work correctly with network cards that are part of a trunk or that don't have an IP address assigned.
- Improvements have been made to the RAID checking to ensure more failures are reported (ZXTM 7000 and ZXTM 7400 only)
- Improve IRQ balancing across CPUs to improve network performance (ZXTM 5000, ZXTM 7000 and ZXTM 7400 only)
- Ensure that deleting and then re-creating a network trunk works correctly.
- Fix a memory leak when IP Transparency is enabled.
- Add a fix for some harmless kernel assertion failures.

ZXTM 4.2 -> 5th July 2007
=========================

ZXTM 4.2 is a major revision of the ZXTM product family, containing a large number of performance and functionality improvements, stability improvements and bug fixes. Customers are recommended to upgrade to the new version to take advantage of the changes.

Platform Availability for ZXTM 4.2
----------------------------------

* Linux x86, x86_64, IA64 (Kernel 2.6.8+)
* FreeBSD x86 5.3+ and 6.1+
* Solaris 10 (x86 and x86_64)
* Solaris 8+ (SPARC)
* Windows x86, x86_64 (Windows Server 2003r2)

Note that on Solaris 8, x86 systems may need to install patch 109148-07 to use ZXTM 4.2.

New features in 4.2
-------------------

- Improved web caching

  The web cache in ZXTM has been upgraded to provide improved hit rates, by sharing content better on multi-CPU machines. The SOAP API and web-based interface also allow users to explore the contents of the cache, and to invalidate parts of the cache to ensure new content reaches users. Cache sizes over 4Gb are now supported on 64 bit architectures.

- J2EE session persistence

  A new persistence class has been introduced to handle Java session persistence (used in WebLogic, for example). This lets ZXTM track sessions used by these applications, both URL-based and cookie-based, to ensure that the correct node is used to handle each client's requests.

- NetHSM support

  Support has been added for the nCipher NetHSM security device, which provides additional security when using SSL. Please see the documentation for details of how to use NetHSM with ZXTM.

- SOAP API extended

  The SOAP API now provides calls to diagnose the status of ZXTM and to manage backups. The new web caching features are also accessible via the API.

- Improved activity monitoring

  The current activity charting tools can now plot a range of system statistics, such as CPU usage, memory usage and raw network traffic. Statistics for individual machines can now be graphed.

- Forward Proxy capability

  In addition to load balancing across pre-configured pools of servers, the new Forward Proxy capability lets ZXTM route traffic to any local or remote machines. This functionality is controlled via TrafficScript, and can be used in a variety of ways, for example, users can dynamically configure the load balancing (e.g.
  retrieving a set of servers to use from an external database), or ZXTM can be used as a generic proxy (e.g. a HTTP proxy or SSL proxy).

- DNS updates

  ZXTM will re-resolve any hostnames used in its configuration if the IP addresses of the hostnames change. This makes ZXTM easier to use when re-arranging your network. This does not create any additional points of failure - if the DNS servers are unreachable, ZXTM will continue to operate.

- Solaris SSL acceleration support

  ZXTM now supports the PKCS #11 SSL acceleration provided by some Solaris platforms, such as Niagara.

- TrafficScript

  * Core changes

    ++, --, += and -= operators have been added.

    string.left() and string.right() chop strings into pieces.

    string.count() will count the number of occurrences of a pattern in a string, which makes list processing easier.

    string.find() and string.findr() can now take a start position.

    counter.increment() can now increment counters by a supplied amount.

    pool.select() and pool.use() have been extended so that a specific machine can be selected to send this request to. This machine does not have to be a node in a pool; it can be any machine on the Internet. This is the basis of the new 'Forward Proxy' feature.

    pool.activeNodes() used to include draining nodes in its count. It now does not include them, so that a return value of >0 really does mean that there are nodes available to use.

    string.unescape() understands Microsoft's proprietary %u-encoding and refuses to convert illegal %-escaped hex values.

    RuleBuilder actions can now insert the client's IP address and port into HTTP headers using %REMOTE_IP% and %REMOTE_PORT%.

  * IP changes

    request.getDestIP() returns the original destination IP address that a client connected to. This differs from request.getLocalIP() if the connection was redirected via a firewall rule.

  * HTTP changes

    http.changeSite() makes it simple to redirect users to the same path on a differently named website, e.g. redirecting .co.uk to .com.

    http.request.head() allows TrafficScript to make HTTP HEAD requests.

    http.getHeaderNames() and http.getResponseHeaderNames() return a list of all the HTTP headers present in the request/response.

    http.sendResponse() now supports keep-alive responses, and will try to keep-alive connections to clients (if enabled in the virtual server).

ZXTM Appliance changes in 4.2
-----------------------------

4.2 represents a major upgrade of the ZXTM Appliance software. You should refer to the article on the ZXTM KnowledgeHub (http://knowledgehub.zeus.com) for instructions on how to upgrade your ZXTM Appliance from 4.1 to 4.2. The upgrade will preserve all your configuration, and you can roll back to 4.1 should you require it.

- Link Trunking / Aggregation

  The appliance UI allows ZXTM to aggregate two or more network ports together to form a fault-tolerant and higher-speed link. Traffic will be shared across the ports, and the 'trunked' channel will be resilient to the failure of any individual network cable. To enable this feature, configure two or more network cards with the same IP and the trunking will be applied.

  To use the link aggregation feature, ZXTM should be plugged into a switch that supports the IEEE 802.3ad standard. This enables the switch to detect the trunked links. Otherwise, you may have to configure the switch manually.

Other changes in 4.2
--------------------

- HTTP improvements

  HTTP headers are now preserved with their original case. Prior to 4.2, ZXTM would correct the capitalization of all headers to make them consistent, e.g. 'X-MAGIC-header' would be converted to 'X-Magic-Header'. Now, the original header capitalization will be preserved. Note that all TrafficScript functions relating to HTTP headers have always been case-insensitive.

- Multi-CPU scalability

  Several improvements have been made to further improve the scalability of ZXTM on machines with many CPUs or cores.
  Systems with 16+ cores should see particular improvements in start-up and running speeds.

- Improved log timings

  A new logging macro '%R' will record the total time of a connection, measured from when ZXTM received the request until the last byte of data was sent back to the client.

- Passive monitoring option

  ZXTM's passive monitoring checks can be disabled if required. This means that ZXTM will only classify nodes as not working based on the 'active monitors' set up by the user. Failures when handling real traffic (e.g. timeouts, network failures) will not be used to determine the availability of services. This may be useful if ZXTM is load balancing services that do not always respond to some types of requests.

- Backup wizards

  Two wizards have been added to the web-based UI to make downloading and uploading backups simpler.

- SSL Changes

  TLS 1.1 has been disabled by default. This used to be enabled in ZXTM 4.1. It is now no longer enabled because some web servers do not work properly with TLS 1.1 and will drop these connections (e.g. some versions of WebLogic). It can be re-enabled from the global settings page.

  4096 bit SSL keys are now supported in ZXTM.

- Rate shaping timeouts

  ZXTM was applying the wrong timeout to connections that were paused by a rate shaping class. The 'connect_timeout' time was used, rather than the general 'timeout' time. The result was that connections could be dropped sooner than expected. This has now been fixed.

- UDP/IP Transparency

  IP Transparency is now supported for ZXTM Appliance customers and software customers using version 1.3 of the transparency module available from the KnowledgeHub (http://knowledgehub.zeus.com).

- Traffic IP Groups

  Traffic IP Groups using the 'keeptogether' flag that contain 'passive' machines will now work as expected. Before upgrading to 4.2 it is recommended that you mark all machines as active; once the upgrade is complete these machines can be set to 'passive' again.

- Alerting

  Alert emails are now RFC 822 compliant.

Other changes supplied in previous minor revisions of 4.1
---------------------------------------------------------

* Rate Shaping classes using a context will now shape connections correctly.
* Fixed potential crash when viewing the Content Cache UI page when some items in the cache had expired.
* Fixed potential memory corruption when using the net.dns.resolveIP() TrafficScript function.
* Ensure that connection.discard() can be called from a response rule.
* Re-advertise IGMP membership when a Traffic Manager re-establishes contact with the network after a failure.
* When communication times out with the email server used to send alert messages, ensure we use the correct machine in the event log line.
* Improved Current Activity graphs to avoid incorrect or missing data points occasionally being displayed for some values.
* Fixed potential DoS against the administration server.
* Fix a problem on FreeBSD 6 with kqueue support that can occasionally cause sockets to be incorrectly closed.
* Work around a memory leak in getprotobyname() in some Debian/Edgy libc versions.
* Under certain circumstances, SSL encryption to backends could leak memory in the zeus.zxtm and zeus.monitor processes. This leak has now been fixed.
* Fixed long certificate chain parsing to avoid incorrect signature errors during SSL encryption to backend nodes.
* X509 Certificate Signing Requests now use the SHA-1 hash algorithm and include the 'attributes' section (required by some certificate authorities).
* Allow backend nodes to request a new SSL handshake when performing SSL encryption (used by IIS for client certificate authentication).
* Crash fixed in TLS 1.1 handling of block ciphers. Until systems are upgraded, customers are recommended to disable TLS 1.1 support on the System -> Global Settings page. (TLS 1.0 is unaffected by this issue).
* Fixed crash when using Rate Shaping classes with long names.
* Prevent connection stalls to slow clients if TrafficScript responds to the first request on a connection with request.sendResponse().
* License key files which don't end with a newline are now correctly handled when joining a cluster.
* Cookie names for the 'Monitor application cookies' session persistence type can now contain '.' characters.
* A potential dead-lock when replicating configuration has been fixed.
* Improved FreeBSD 6 support, including working kqueue support.
* TrafficScript functions now use entries from /etc/hosts when resolving host names and IP addresses.
* Improved keepalive support through HTTP proxies.
* Fixed a bug in the HTTP monitor that could cause it to be unable to detect a failure of a node.
* Fixed a situation where traffic for a Traffic IP address is sent to the wrong Traffic Manager.
* Fixed description for 'globals.uptime' OID.
* Improved description for 'webcache!size' configuration key.
* Ensure that the TrafficScript global settings only appear once.
* Ensure the default email server is preserved over upgrades.
* Calculation of the final data point on the Historical Activity graphs has been improved.
* Improved memory usage when performing upgrades through the User interface.
* Fixed bug which could lead to configuration file corruption when the filesystem ran out of free space.
* A potential dead-lock when joining a cluster, or replicating configuration has been fixed.
* Update Western Australia timezone information.
* Improve IP traffic routing. If the management port is on the same subnet as another network interface, additional steps will be taken to ensure that only management network packets will be routed to/from the management port.
* Fixed a bug that could cause an appliance to become uncontactable with certain network configurations.
* Fixed detection of the ZXTM 2000 LB appliance.
* Fixed a problem with NAT rules that could cause a spurious error to be generated.
  (ZXTM Appliance)
* Updated SNMP agent to ensure network interface counters wrap correctly. (ZXTM Appliance)
* Updated VMware tools package to latest version available for ESX 3.0.1. (ZXTM Virtual Appliance)

ZXTM 4.1 -> 4th September 2006
==============================

ZXTM 4.1 is a major revision of the ZXTM product family, containing a large number of performance and functionality improvements, and many stability improvements and bug fixes over previous releases. You are recommended to upgrade when convenient to take advantage of the changes.

Platform Availability for ZXTM 4.1
----------------------------------

* Linux x86, x86_64, IA64
* FreeBSD x86 4.2+, 5.3+ and 6.1+
* Solaris 8+ (x86 and SPARC)
* Solaris 10 (x86_64)

After 31st January 2007, Zeus will no longer provide product revisions for FreeBSD 4.x.

New features in 4.1
-------------------

- Request Rate Shaping

  Request Rate Shaping allows ZXTM to limit the rate at which individual requests to particular services are made. These rates can be applied globally across all users of a service, or individually to a particular user. The rates can be applied per-second and per-minute, allowing fine grained control over policy.

  Request Rate Shaping can be controlled and queried using the 'rate.use' and 'rate.getBackLog' TrafficScript functions.

  Request Rate Shaping is included in the ZXTM software and the ZXTM 5000, 7000 and 7400 Appliances. It is not available in ZXTM LB software or the ZXTM 2000 Appliance.

- Session Persistence

  A new Named Node session persistence class allows a TrafficScript rule to specify which node a request should be routed to, using the connection.setPersistenceNode() TrafficScript function.

- Session migration between services

  ZXTM will now automatically migrate active sessions between services that are running on the same node, but are on different ports. This allows a client to browse a site over HTTP and then perform payment over HTTPS with all requests being persisted to the same node.

- TrafficScript

  Warning messages are now emitted when unexpected escape sequences (such as '\.') are used. These are often used incorrectly in regular expressions when '\\.' was meant. Existing TrafficScript rules will continue to work as before. For further information on string escaping regular expressions refer to section 2.9 of the TrafficScript reference guide.

  * Core changes

    Bitwise operators have been added to allow improved handling of binary protocols:
    ~ (NOT), & (AND), | (OR), ^ (XOR), << (LEFT SHIFT), >> (RIGHT SHIFT)

    string.replace() (and variants) allow replacement of one string inside another, without the use of regular expressions.

    string.findr() searches for a search string from the end of a given string.

    rule.getState() returns whether a rule is being run as a request or response rule.

    rule.getName() returns the name of the currently executing rule.

    request.getToS() and response.getToS() allow reading of the ToS flag that had previously been set on a request or response by another TrafficScript function.

  * HTTP Changes

    http.doesFormParamExist() determines whether a form parameter exists in the HTTP request.

    http.compress.enable() turns on compression for a particular request if the client supports it.

    http.compress.disable() disables compression for a particular request.

    http.getHostHeader() returns a normalized version of the host header.

    http.scrubRequestHeaders() allows control over the valid headers that are passed to a node.

  * Time functions:

    sys.time.highres() returns the time with sub-second accuracy. This can be used to calculate accurate times for responses or other actions.

    sys.localtime.format() and sys.gmtime.format() can be used to format a time-stamp into a readable string.

    All the sys.time.* functions can now take an optional Unix time argument (previously they always acted on the current time).

  * Pool selection

    When the 'trafficscript!variable_pool_use' setting is enabled pool.use() and pool.select() can now take a variable as an argument. By default they still require a literal string.

  * User Counters

    Using the new 'counter.increment' TrafficScript function a rule can count how many times an action is performed. These counters can be graphed from the User Interface or using SNMP.

- Control API

  New functions in the existing Control API interfaces have been added to support new features. New interfaces in 4.1 include:

  * System.Cache - functions to query the Content Cache, including the current cache contents.
  * System.Connections - allows retrieving the list of active and recent connections.
  * System.MachineInfo - functions to get some information about the machine and software.
  * System.LicenseKeys - enables management of license keys on the system, allowing uploading, deleting and listing of license keys.
  * System.Log - provides functions to get the error log and audit log
  * System.AccessLogs - on the ZXTM Appliance this allows querying what access logs are available for downloading.
  * Catalog.Rate - provides functions to manage the Request Rate Shaping classes.

- Content Caching

  The default cache size is now 20% of available memory instead of 100Mb. This default can be altered using the 'webcache!size' setting on the Global Settings page.

  The statistics shown on the 'Content Cache' page no longer include expired entries, and memory usage counting is much more accurate.

  Two new RuleBuilder functions have been added to mark a response as uncacheable and to make a response cacheable for a particular time.

- Fault tolerance changes:

  Where possible ZXTM will use IGMPv2 for improved compatibility with a variety of switches.

  Failover performance has been greatly improved with a large number of Traffic IP addresses. For example, 2 active ZXTMs managing 1000 Traffic IP addresses can failover in approximately 7 seconds.

  The amount of ICMP traffic used in regular connectivity checks has been reduced. Connectivity checks and failover time are not affected by this change.

- Health monitoring

  The Full HTTP monitor may be configured with a regular expression that matches the web page content returned by a working node.

  Health Monitor scripts are now provided a '--node' argument that identifies the name of the node.

  A User Interface page has been added to allow management of Health Monitor scripts.

- SSL Changes

  TLS 1.1 (RFC 4346) is now supported and enabled by default.

  SSLv2 support is disabled on the admin server by default. SSLv2 has known security weaknesses and unless absolutely required it is recommended that you leave it disabled.

  The new 'ssl.clientCert()' TrafficScript function will return the PEM encoded version of the client certificate that was provided by the client when performing SSL decryption.

- NTLM Support

  ZXTM fully supports NTLM authentication with IIS web servers.

- HTTP Chunking

  Chunked HTTP requests are now fully supported.

- Service Protection

  A new 'rate_timer' setting enables configuration of the interval that the 'max_connection_rate' setting is assessed. This allows control over whether the limit applies per-minute (the default) or per-second.

ZXTM Appliance changes in 4.1
-----------------------------

4.1 represents a major upgrade of the ZXTM Appliance software. You should refer to the article on the ZXTM KnowledgeHub (http://knowledgehub.zeus.com) for instructions on how to upgrade your ZXTM Appliance from 4.0 to 4.1.

- System configuration

  All aspects of system configuration (networking, security, time etc) are configured through the web based Admin Server.

- Hardware diagnostics

  The alerting system and user interface will report problems with the underlying hardware, such as failure of a redundant power supply (on supported Appliance platforms).

- Access Logging

  Access logs are now automatically rotated and old ones are deleted.
  Logs can be viewed and downloaded from the user interface, or using 'scp'.

- SNMP

  SNMP information from the underlying OS is now available. Both SNMP v1 and v2c are supported.

Other changes in 4.1
--------------------

- Session Persistence

  Fixed a problem with UDP and session persistence when using a service that sends no responses.

- Health Monitoring

  Fixed a monitor failure when using SSL on the back-end servers and ZXTM receives a 'close notify' alert.

- SSL Changes

  Fixed misreporting client IP addresses when using SSL and ZXTM's SSL extensions (when forwarding to another ZXTM).

Other changes supplied in previous minor revisions of 4.0
---------------------------------------------------------

* Fixed an issue where a malformed HTTP request could cause a ZXTM process to hang or crash.
* Fixed memory leak when using some XML TrafficScript functions.
* When editing a TCP transaction monitor the 'write_string' key no longer disappears.
* The 'Reboot' button now functions correctly on all platforms.
* It is now possible to manage Pools that use the Weighted Round Robin load balancing algorithm using the SOAP API.
* Access Logging and the Admin Server Connections page now correctly report the HTTP status code.
* Fixed an issue where under certain circumstances traffic was sent to Nodes that a monitor has marked as failed. This could cause unnecessary alerts to be sent.
* connection.sleep(0) now returns immediately rather than sleeping forever.
* Multicast messages (used for Traffic IP Groups) are now sent over all networks even if there is a management network configured. This behaviour can be altered using the "flipper!use_bindip" key on the Global Settings UI page.
* Backups from earlier versions of ZXTM that are uploaded to the UI will be automatically upgraded.
* Fixed problem with bandwidth restrictions when applied in a Service Protection rule.
* Improved universal session persistence: it can now be used fully in response rules.
* Improved performance on ZXTM Appliance series when IP Transparency is not being used.
* Extra validation on forms in the web-based user interface.

ZXTM 4.0 -> 20th October 2005
=============================

ZXTM 4.0 is a major revision of the ZXTM product family, containing a large number of performance and functionality improvements, and many stability improvements and bug fixes over previous releases. You are recommended to upgrade when convenient to take advantage of the changes.

Platform Availability for ZXTM 4.0
----------------------------------

* Linux (x86, IA64, x86_64)
* Solaris (SPARC, x86, x86_64)
* FreeBSD (x86)

Key new features in 4.0
-----------------------

- HTTP Content Caching

  ZXTM 4.0 includes a full HTTP Content Cache for web content. Common web responses are cached locally, and ZXTM can respond to subsequent requests directly, thus reducing the load on the server nodes and improving the performance of the hosted HTTP services.

  ZXTM's Content Cache fully supports RFC 2616 Cache-Control and Vary headers as well as legacy Expires headers. Fine-grained control of the cache can be achieved using the new http.cache.* TrafficScript functions, and Differentiated Caching allows a TrafficScript rule to manage multiple variants of the same response.

  Content Caching is an optional ZXTM feature.

- IP Transparency

  IP Transparency ensures that ZXTM preserves the IP address of the remote client when forwarding requests to a back-end server. Without this capability, the request appears to originate from the ZXTM machine.

  IP Transparency can be selectively controlled by TrafficScript. A TrafficScript rule can use the request.setRemoteIP() function to spoof the source IP address of a request, for example, when an upstream proxy does not preserve the source IP address.

  IP Transparency is only supported on the ZXTM 2000, 5000 and 7000 Appliance series.

- ZXTM Control API

  The ZXTM Control API is a standards-conformant SOAP-based API that makes it possible for other applications to query and modify the configuration of a ZXTM cluster. For example, a network monitoring or intrusion detection system may reconfigure ZXTM's traffic management rules as a result of abnormal network traffic; a server provisioning system could reconfigure ZXTM when new servers come online.

  The ZXTM Control API can be used by any programming language and application environment that supports SOAP services.

  The ZXTM Control API is available on all ZXTM software and appliances. It is not available on ZXTM LB software or appliances.

- RuleBuilder

  The RuleBuilder has been significantly improved, and several conditions and actions have been added. The RuleBuilder is a visual interface that makes it easy to construct TrafficScript rules.

- Configuration Audit Log

  All configuration changes, whether via the ZXTM Admin Server or via the ZXTM Control API, are recorded in an internal Audit log for later inspection.

- Configuration Backup Management

  Backup Management allows the ZXTM administrator to save, restore and compare various versions of the ZXTM's configuration. Configuration Backups can be exported and imported.

- Dedicated Management Port

  ZXTM can be configured with a dedicated management port so that all management traffic is restricted to a single, dedicated management network. Note that Linux 2.6 kernels earlier than 2.6.12 do not correctly handle management port traffic.

- Bandwidth Management

  ZXTM can impose bandwidth controls on request traffic to the back-end server nodes, either on a per-pool basis, or using the new request.setBandwidthClass() TrafficScript function.

  Bandwidth Management is an optional ZXTM feature.

- TrafficScript Type of Service functions

  The new request.setToS() and response.setToS() TrafficScript functions can be used to set the Type-of-Service flags in the IP header of requests and responses managed by ZXTM.

Other changes in 4.0
--------------------

- Recent Connections list

  The Connections report in the Activity Monitor now reports recently
  completed connections as well as current connections.

- Session Persistence Cookies

  ZXTM now encrypts all session persistence cookies.

- Cluster Diagnosis

  ZXTM's problem diagnosis has been extended, and ZXTM can identify and
  accurately report a wider range of cluster-related problems.

- Other new TrafficScript functions

  http.redirect() can be used in request and response rules to succinctly
  send a redirect response to a remote client.

  http.getMultipartAttachment() makes it easier to parse incoming HTTP
  requests that contain Multipart body data.

  http.getRawQueryString() returns the querystring from the HTTP request
  without applying any URL unescaping.

- Traffic IP Groups

  The new 'keeptogether' setting ensures that all IP addresses in a
  Traffic IP Group are raised on the same ZXTM traffic manager. This is
  useful when using IP Transparency in an Active-Standby configuration.

ZXTM 3.1 -> 24th February 2005
==============================

Platform Availability for ZXTM 3.1
----------------------------------

* Linux (x86, IA64, x86_64)
* Solaris (SPARC, x86, x86_64)
* FreeBSD (x86)

ZXTM Load Balancer
------------------

ZXTM is now available in a Load Balancer edition, which shares the core
technology with ZXTM, but has a feature set suitable for simple Load
Balancing, rather than advanced Traffic Management. Contact
sales@zeus.com for more information.

Other changes in 3.1
--------------------

- SSL

  SSL performance on Linux IA64 has been improved.

  TLS 1.1 is now supported, although it is turned off by default. Use the
  Global Settings page to enable it.

- Bandwidth management

  FTP data connections are now assigned to the configured bandwidth
  class.

- TrafficScript

  Response rules can now use the http.request.get() and
  http.request.post() functions.

  http.request.get() and http.request.post() now provide access to the
  full HTTP headers returned.

  http.request.get() and http.request.post() can now perform SSL
  requests.

  Service level monitoring and bandwidth classes can now be set using the
  TrafficScript RuleBuilder.

- User Interface

  The timeout control for the user interface is now configured per group,
  so different classes of users can have different timeout settings.

  Individual data points on the Current Activity page can now be examined
  by moving the mouse pointer over the graph.

  If you have a large number of virtual servers, the main page will now
  offer the choice of sorting them by name or port.

  The status applet can now be detached from the main user interface,
  which allows it to be used as a separate monitoring tool.

  Extra system information is now shown on the user interface, as well as
  the ability to reboot a machine remotely by an admin.

  The Config Summary page now displays more information, such as which
  Bandwidth classes are used.

ZXTM 3.0 -> 9th December 2004
=============================

Platform Availability for ZXTM 3.0
----------------------------------

ZXTM 3.0 can be installed on the following platforms:

* Linux (x86, IA64, x86_64)
* Solaris (SPARC, x86)
* FreeBSD (x86)

Key New Features in 3.0
-----------------------

* Service Level Monitoring

  ZXTM monitors response times from back-end nodes, and can alert the
  system administrator when the response times fall below a configured
  threshold.

  Service Level classes are assigned to virtual servers, and can be
  changed on the fly for individual connections using TrafficScript.
  TrafficScript can also be used to monitor Service Level classes and
  take proactive action when a class fails to meet its target.

  The Activity Monitor can provide real-time graphing of Service Level
  performance.

  New TrafficScript functions for Service Level monitoring:

    connection.setServiceLevelClass() - Set the class for a connection
    connection.getServiceLevelClass() - Get the class for a connection
    slm.conforming()                  - Get the percent of connections that
                                        meet the response time target
    slm.threshold()                   - Get the threshold for the percent of
                                        connections that need to conform to
                                        mark the SLM as ok
    slm.isOK()                        - Find out if a Service Level is being
                                        met

  This optional feature is enabled via the license key.

* Bandwidth management

  ZXTM can enforce bandwidth limits on particular services or individual
  request types. Bandwidth classes can be assigned on a per-request basis
  using TrafficScript.

  New TrafficScript functions for Bandwidth management:

    connection.setBandwidthClass() - Set the class for a connection
    connection.getBandwidthClass() - Get the class for a connection

  Bandwidth measurements are propagated between ZXTM machines to ensure
  total bandwidth is managed across the cluster.

  This optional feature is enabled via the license key.

* Session Persistence

  Session persistence information is now configured in separate classes
  that are assigned to individual pools. Session persistence classes can
  also be assigned to individual connections using TrafficScript.

  Session Persistence classes can be shared between multiple pools, which
  can be used to provide seamless transfer of clients between virtual
  servers (for example, from HTTP to HTTPS sites) with no loss of session
  information.

  New TrafficScript functions for Session persistence:

    connection.setPersistence()    - Set the persistence method for a
                                     connection
    connection.getPersistence()    - Get the persistence method for a
                                     connection
    connection.setPersistenceKey() - Set the data used to key the universal
                                     persistence algorithm

  Session persistence mappings are propagated between ZXTM machines to
  ensure sessions remain persistent even after a failure in a ZXTM
  machine.

* TrafficScript improvements

  Response Rules
  --------------

  TrafficScript rules can now run when a response is received. This
  allows ZXTM to execute TrafficScript rules which alter responses
  (response rewriting, modification of HTTP headers), or even discard an
  unacceptable response and retry the request against a different node.

  New TrafficScript functions for response rules:

    response.get()              - Get the response data
    response.getLength()        - Get the amount of data in the response
    response.getLine()          - Get a line from the response data
    response.set()              - Set the response data
    response.append()           - Append to the response data
    response.close()            - Close the connection to the back-end node
    response.flush()            - Send response data to the client
    response.getRemoteIP()      - Get the IP address of the back-end node
    response.getRemotePort()    - Get the port of the back-end node
    response.getLocalIP()       - Get the IP address connected to the node
    response.getLocalPort()     - Get the port used to talk to the node
    http.getResponseBody()      - Get the HTTP response body
    http.setResponseBody()      - Set the HTTP response body
    http.getResponseHeader()    - Get an HTTP response header
    http.responseHeaderExists() - Test if an HTTP response header exists
    http.setResponseHeader()    - Set an HTTP response header
    http.removeResponseHeader() - Remove an HTTP response header
    http.scrubResponseHeaders() - Send only certain response headers
    http.getResponseCookie()    - Get an HTTP response cookie
    http.setResponseCookie()    - Set an HTTP response cookie
    http.removeResponseCookie() - Remove an HTTP response cookie
    http.getResponseCode()      - Get the HTTP response code (e.g. 200)
    http.setResponseCode()      - Set the HTTP response code

  For more information on response rules, refer to the TrafficScript
  Manual.

  Improved Request Rules
  ----------------------

  New TrafficScript functions have been added to make it easier for
  Request Rules to reliably parse persistent protocols such as POP3 or
  SMTP, and to make it easier to manage the connections to the client and
  the server.

    request.endsWith()     - Indicate where the current request ends
    request.endsAt()       - Indicate the length of the current request
    request.retry()        - Retry a request against a node
    request.getRetries()   - How many times has a request been retried
    request.isResendable() - Find out if the request can be resent
    request.avoidNode()    - Avoid using a named node on a retry
    request.sendResponse() - Send a response for a request

  For more information and examples on complex connection handling
  techniques, refer to the TrafficScript manual.

  Other changes
  -------------

  Some functions, mostly associated with request handling, have been
  renamed to avoid confusion with the new response rule functionality.
  The old versions continue to exist, but are marked as deprecated, and
  warnings will appear when checking the syntax of a rule in the user
  interface, and on the diagnosis page.

  lang.ord() and lang.chr() now work as expected.

  Other new TrafficScript functions:

    string.encrypt()               - Encrypt a string, preventing alteration
                                     by clients
    string.decrypt()               - Decrypt an encrypted string
    string.htmlEncode()            - Encode a string so that it is HTML safe
    string.htmlDecode()            - Decode HTML entities
    string.sprintf()               - Format a string, like the standard
                                     sprintf
    xml.validate.xsd()             - Validate an XML document against an XML
                                     schema
    resource.getmtime()            - Get the time a resource file was altered
    pool.activeNodes()             - Get the number of working nodes in a
                                     pool
    pool.select()                  - Specify the pool for a connection,
                                     without stopping rules processing
    connection.data.set()          - Store per-connection data
    connection.data.get()          - Retrieve per-connection data
    connection.getNode()           - Get the name of the node used by a
                                     connection
    connection.getPool()           - Get the name of the pool used by a
                                     connection
    connection.getVirtualServer()  - Get the name of the Virtual Server
                                     managing the connection
    http.setCookie()               - Set an HTTP cookie in a request
    http.removeCookie()            - Remove an HTTP cookie from a request
    http.getFormParm()             - Read a form parameter from a query
                                     string or POST data
    http.removeHeader()            - Remove an HTTP header from a request

  Changed functions:

    string.regexmatch()   - Can now perform case insensitive matches
    string.regexsub()     - Can now perform case insensitive matches
    http.request.get()    - Extra request headers can now be specified
    http.request.post()   - Extra request headers can now be specified

Other changes in 3.0
--------------------

* PCRE regex library

  ZXTM now uses the PCRE regular expression library (see
  http://www.pcre.org). This provides consistent regular expression
  interpretation across all the platforms supported by ZXTM.

  PCRE provides Perl-compatible regular expressions which differ slightly
  from POSIX regular expressions. In the vast majority of cases, no
  changes to TrafficScript regular expressions will be needed.

* Improved MIME type auto-detection

  MIME type auto-detection now uses a larger database of MIME type
  signatures, and should be considerably more useful.

* Performance improvements

  ZXTM 3.0 contains a number of performance improvements to increase the
  speed and decrease the memory usage of individual connections.

* User interface improvements

  The ZXTM User interface has been improved, to provide a cleaner, easier
  to use admin interface.

ZXTM 2.0r1 -> 1st July 2004
===========================

ZXTM 2.0r1 is a minor revision of Zeus Extensible Traffic Manager 2.0,
containing several enhancements and bug fixes. You are recommended to
upgrade when convenient to take advantage of the improvements.

Program Alterations and Bug Fixes since 2.0
-------------------------------------------

* TrafficScript:

  Additional functions make it easier to parse binary datastreams:

    lang.char() and lang.ord() convert between integers and ASCII
    characters;
    string.intToBytes() and string.bytesToInt() convert between integers
    and network-order byte strings;
    string.dottedToBytes() and string.bytesToDotted() convert between IP
    addresses and network-order byte strings;
    string.intToBER() and string.BERToInt() convert between integers and
    BER-encoded integers;
    string.replaceBytes() and string.insertBytes() give easy ways to
    modify unparsed strings.

  Additional functions make it easier to manage external resources:

    resource.exists() checks whether an external resource file exists;
    resource.getMD5() returns an external resource file's MD5 hash.

* UI:

  The status applet chart graphs relative traffic amounts for each
  virtual server.

* Bug fixes:

  improvements to the connection handling, SSL and TrafficScript to
  resolve several stability problems.

ZXTM 2.0 -> 30th April 2004
===========================

Zeus Extensible Traffic Manager (ZXTM) is a powerful Internet traffic
management platform that delivers improved availability, scalability,
manageability and security for networked applications.

The ZXTM platform contains the following components:

* Core Traffic Manager software:
  The software can be installed on one or more machines ('traffic
  managers') to create a ZXTM cluster. The software accepts and processes
  network requests before distributing them across back-end server nodes.

* Distributed Administration and Configuration:
  Each traffic manager provides a secure web-based Admin Server. All the
  traffic managers in a ZXTM cluster share their configuration, so any
  Admin Server can be used to manage the cluster.

* Fault Tolerance:
  A ZXTM cluster containing two or more traffic managers can operate in a
  fully fault-tolerant mode.

Platform Availability for ZXTM 2.0
----------------------------------

ZXTM 2.0 can be installed on the following platforms:

* Linux (x86, IA64, x86_64)
* Solaris (SPARC, x86)
* FreeBSD (x86)

Key new features in ZXTM 2.0
----------------------------

Manageability Improvements:

* Revised Admin Server user interface.
* SNMP support.
* Fine-grained user-based control of read and write access to the Admin
  Server.
* Status Applet, Diagnosis and Configuration Summaries give a clear
  overview of the activity, health and configuration of the system.
* Configuration can be backed up, restored and migrated between clusters.

Health Monitoring:

* ZXTM actively monitors back-end nodes and can raise alerts or execute
  custom corrective actions if a failure is detected.
* Custom monitors can monitor a wide range of services and failure types.

SSL Re-encryption:

* Any TCP traffic may be encrypted by ZXTM before forwarding on to a
  server.
* HTTPS traffic may be decrypted, managed locally and re-encrypted for
  full end-to-end security.
* Full support for SSL authentication and authorisation using server and
  client certificates, certificate authorities and CRLs.

Service Protection:

* ZXTM restricts concurrent connections and new connection rates from
  individual clients to mitigate against connection-flooding attacks.
* ZXTM validates the correctness of HTTP requests, and can protect
  against a range of HTTP-based attacks.
* Custom protection rules to reject requests based on content can be used
  to protect against web worms and viruses.
* Configurable attack logging.
* Test and debug modes allow protection policies to be tested without
  affecting service.

Content Compression:

* HTTP and HTTPS content can be compressed on-the-fly.

XML Validation and Transformation:

* ZXTM can validate and translate incoming XML data using XSLT.
* Translated data can be used in traffic routing decisions, and to
  offload translation from back-end servers.

TrafficScript:

* Additional TrafficScript functions extend the capabilities of ZXTM,
  including the ability to contact external services to assist in traffic
  rewriting and routing decisions.

Activity Monitoring:

* Real-time activity monitoring of traffic through the ZXTM cluster.
* Activity statistics available via SNMP.
* Activity can be graphed and analysed within the Admin Server, or
  exported to an external analysis package.
* Active Connection reports to describe the precise, instantaneous state
  of the cluster.

Historical Activity:

* Historical traffic activity statistics are maintained for analysis.
* Can be graphed and analysed within the Admin Server, or exported to an
  external analysis package.

Traffic Logging:

* Comprehensive, configurable traffic logging.

Documentation:

* Improved context-sensitive on-line help.
* Updated Getting Started guide.
* Added comprehensive User Manual.
* Added TrafficScript manual.

ZXTM 2.0 Early Adopter Release -> 7th November 2003
===================================================

Key Features in ZXTM 2.0 EA
---------------------------

Protocol Support:

  ZXTM 2.0 supports all TCP-based protocols, and simple UDP-based
  protocols. It includes specialised protocol-handling support for HTTP
  and FTP.

Load Balancing and Session Persistence:

  Load Balancing algorithms effectively distribute traffic across a
  number of back-end server nodes. Session Persistence methods can be
  used to preserve application-level sessions.

Traffic Inspection and Manipulation:

  TrafficScript rules can be used to inspect and manipulate traffic, and
  make alternative routing decisions based on the traffic type and
  contents.

SSL Decryption:

  SSL Decryption allows the traffic managers to decrypt incoming SSL
  traffic prior to inspection, manipulation and load balancing.

Fault Tolerance:

  Traffic Managers can detect and avoid failures in the back-end server
  nodes. A ZXTM cluster containing two or more traffic managers can
  operate in a variety of fully fault-tolerant modes, resistant to
  failures in both the back-end server nodes and the traffic manager
  machines.

Supported Platforms
-------------------

ZXTM 2.0 EA can be installed on the following platforms:

* Linux (x86, IA64, x86_64, PPC)
* Solaris (SPARC, x86)
* FreeBSD (x86)

Known issues in ZXTM 2.0 EA
---------------------------

Parallel installations:

  ZXTM can be installed as a fault-tolerant cluster of machines which
  automatically share their configuration. New machines should be added
  sequentially to a ZXTM cluster, to ensure that configuration is
  consistent across the cluster. Scripting the ./configure installation
  process to add many machines to the same cluster in parallel is not
  supported.