Zeus Traffic Manager 6.0r3 -> 20th January 2010
===============================================

Zeus Traffic Manager 6.0r3 is a minor revision to the Zeus product family, containing a number of bug fixes and improvements. We recommend that all customers upgrade to this version.

Platform Availability for 6.0r3
-------------------------------

 * Linux x86, x86_64 - Kernel 2.6 (2.6.8+, 2.6.22+ for IPv6)
 * Solaris 10 (SPARC)
 * Solaris 10 (x86 and x86_64)
 * OpenSolaris 2009.6 (x86_64)
 * Hardware Appliances: 2000, 3000, 5000, 7000, 7400, 8000 and 9000 appliances
 * Virtual Appliances: VMware vSphere 4.0, VI3 (3.5), XenServer 5.5, OracleVM 2.1

Zeus Software and Zeus Appliance changes
----------------------------------------

- SSL

  Fix a potential crash when handling SSL pass-through traffic with non-conforming clients.

  Support the sha1WithRSA certificate signature algorithm.

- Content Caching

  Ensure content caching works correctly with a Last-Modified header of "Thu, 01 Jan 1970 00:00:00 GMT" (the Unix epoch, timestamp 0) when the client doesn't send an If-Modified-Since header.

- SIP

  Ensure different SIP sessions from the same client port aren't always load balanced to the same node.

- Other

  Fixed a potential corruption of the session persistence cache information, which could cause a spin or crash.

  Ensure the Current Activity pages don't perform unnecessary (and time consuming) DNS lookups.

  Fix a rare timing issue that could cause a POST request to stall if the node finishes processing the POST before the entire POST body has been uploaded.

  Ensure the System.Stats.getPerPoolNodeState() and System.Stats.getNodeState() SOAP calls return the correct data.

  Updated geolocation IP mappings.

- Zeus Appliance OS

  The operating system has been updated to fix some non-remotely exploitable security vulnerabilities.

  Time zone data has been updated.

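
The Content Caching fix in 6.0r3 is an instance of a general bug: a Last-Modified of "Thu, 01 Jan 1970 00:00:00 GMT" parses to Unix timestamp 0, and code that tests the timestamp for truthiness treats it as "no Last-Modified header". The following Python is an added illustration written for this page, not code from Zeus or from the release notes; the exact logic inside the traffic manager is not described, so the buggy and corrected functions here model the pattern rather than the product. All function names and the sample body are assumptions.

```python
"""Conditional-GET handling for a cached response, with the Unix-epoch
Last-Modified edge case.  Added example; not Zeus code."""
from datetime import timezone
from email.utils import formatdate, parsedate_to_datetime
from typing import Dict, Optional, Tuple

EPOCH = "Thu, 01 Jan 1970 00:00:00 GMT"   # parses to timestamp 0


def parse_http_date(value: Optional[str]) -> Optional[int]:
    """RFC 1123 date -> Unix timestamp; None when absent or unparsable."""
    if value is None:
        return None
    try:
        dt = parsedate_to_datetime(value)
    except (TypeError, ValueError, IndexError):
        return None
    if dt.tzinfo is None:                 # treat a zone-less date as GMT
        dt = dt.replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def format_http_date(ts: int) -> str:
    return formatdate(ts, usegmt=True)


Response = Tuple[int, Dict[str, str], bytes]


def buggy_respond(last_modified: Optional[str],
                  if_modified_since: Optional[str],
                  body: bytes) -> Response:
    """Treats a falsy timestamp (0) as a missing validator.

    Consequences: the epoch Last-Modified is silently dropped from the
    200 response, and a matching If-Modified-Since can never yield 304.
    """
    lm = parse_http_date(last_modified)
    ims = parse_http_date(if_modified_since)
    headers: Dict[str, str] = {}
    if lm:                                # BUG: 0 is falsy
        headers["Last-Modified"] = format_http_date(lm)
    if lm and ims and lm <= ims:
        return 304, headers, b""
    return 200, headers, body


def respond(last_modified: Optional[str],
            if_modified_since: Optional[str],
            body: bytes) -> Response:
    """Correct: distinguish 'no header' (None) from 'timestamp 0'."""
    lm = parse_http_date(last_modified)
    ims = parse_http_date(if_modified_since)
    headers: Dict[str, str] = {}
    if lm is not None:
        headers["Last-Modified"] = format_http_date(lm)
    # RFC 2616 13.3.4: Last-Modified is a weak validator; not-modified
    # when the entry is no newer than the client's copy.
    if lm is not None and ims is not None and lm <= ims:
        return 304, headers, b""
    return 200, headers, body


if __name__ == "__main__":
    body = b"<html>cached page</html>"     # constructed sample body
    for ims in (None, EPOCH, "Sat, 02 Jan 2010 00:00:00 GMT"):
        print("IMS=%-30s buggy=%s fixed=%s" % (
            ims, buggy_respond(EPOCH, ims, body)[0], respond(EPOCH, ims, body)[0]))
```

The only difference between the two functions is `if lm:` versus `if lm is not None:`; the same class of defect appears wherever an integer that can legitimately be zero (a timestamp, a length, a port) doubles as an "absent" marker.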

Zeus Traffic Manager 6.0r2 -> 2nd December 2009
===============================================

Zeus Traffic Manager 6.0r2 is a minor revision to the Zeus product family, containing a number of bug fixes and improvements. We recommend that all customers upgrade to this version.

Platform Availability for 6.0r2
-------------------------------

 * Linux x86, x86_64 - Kernel 2.6 (2.6.8+, 2.6.22+ for IPv6)
 * Solaris 10 (SPARC)
 * Solaris 10 (x86 and x86_64)
 * OpenSolaris 2009.6 (x86_64)
 * Hardware Appliances: 2000, 3000, 5000, 7000, 7400, 8000 and 9000 appliances
 * Virtual Appliances: VMware vSphere 4.0, VI3 (3.5), XenServer 5.5, OracleVM 2.1

Zeus Software and Zeus Appliance changes
----------------------------------------

- SSL

  Disable unsafe SSL/TLS renegotiations by default. This prevents a serious 'man in the middle' vulnerability in the renegotiation handshake itself, which affects every SSL/TLS implementation that follows the original protocol specification. The behavior is controlled using the new 'ssl!ssl3_allow_rehandshake' Global Setting; leave it disabled unless a client genuinely requires renegotiation.

- Control API

  Fixed the Conf.Extra Control API WSDL file to ensure it uses the correct namespace.

- CLI

  Fixed the 'show TrafficIP' command so that disabled Traffic IP groups don't cause an error.

- UI

  Fixed an error that could cause a "500 Internal Error" when a user accessed an administration page that they didn't have access to.


Zeus Traffic Manager 6.0r1 -> 10th November 2009
================================================

Zeus Traffic Manager 6.0r1 is a minor revision to the Zeus product family, containing a number of bug fixes and improvements. We recommend that all customers upgrade to this version.

Platform Availability for 6.0r1
-------------------------------

 * Linux x86, x86_64 - Kernel 2.6 (2.6.8+, 2.6.22+ for IPv6)
 * Solaris 10 (SPARC)
 * Solaris 10 (x86 and x86_64)
 * OpenSolaris 2009.6 (x86_64)
 * Hardware Appliances: 2000, 3000, 5000, 7000, 7400, 8000 and 9000 appliances
 * Virtual Appliances: VMware vSphere 4.0, VI3 (3.5), XenServer 5.5, OracleVM 2.1

Zeus Software and Zeus Appliance changes
----------------------------------------

- HTTP

  Fixed a problem with content caching where a '304 Not Modified' response could be returned without a trailing \r\n. This affected customers who did not have the 'webcache!verbose' option enabled.

  Improved processing of HTTP/1.1 chunked responses, where Zeus used to delay sending the terminating \r\n.

  The System.Cache.getCacheContent SOAP call can now retrieve more than 1024 entries. Previously, there was a hard-coded limit.

- FTP

  Fixed multi-line responses with specialist FTP servers.

- SLM

  Clarified the 'SLM shared class limit exceeded' message.

- Other changes

  Fixed a crash that could occur when the configuration option 'node_connclose' was enabled for a pool.

  Fixed a problem with opening the event log file with different permissions from those of the zeus.zxtm process.

  Limited the number and size of core files included in a Technical Support Report download.

  Fixed a bug that prevented backups taken through the UI from being re-imported using the CLI.

  Updated geolocation IP mappings.

Zeus Appliance changes only
---------------------------

The operating system has been updated to fix some non-remotely exploitable security vulnerabilities.

The SNMP service has been updated to the latest upstream bug fixes. This is a precautionary upgrade - we do not believe that Zeus Appliances are affected by the issues that are fixed.

Corrected the Networking page, which claimed to be running on Amazon's EC2 service when it wasn't.

Time zone data has been updated.


Zeus Traffic Manager 6.0 -> 20th October 2009
==============================================

Zeus Traffic Manager 6.0 is a major revision of the Zeus product family, containing a large number of performance and functionality enhancements and bug fixes. Customers are recommended to upgrade to this version to take advantage of the changes.

Platform Availability for 6.0
-----------------------------

 * Linux x86, x86_64 - Kernel 2.6 (2.6.8+, 2.6.22+ for IPv6)
 * Solaris 10 (SPARC)
 * Solaris 10 (x86 and x86_64)
 * OpenSolaris 2009.6 (x86_64)
 * Hardware Appliances: 2000, 3000, 5000, 7000, 7400, 8000 and 9000 appliances
 * Virtual Appliances: VMware vSphere 4.0, VI3 (3.5), XenServer 5.5, OracleVM 2.1

Notes on Upgrading
------------------

Upgrading is supported directly from older versions of ZXTM. It is no longer necessary to upgrade through each major release (e.g. you can now upgrade from ZXTM 4.2 to Zeus Traffic Manager 6.0 directly).

Note: When upgrading from an older version through the administration server, you might see 'Unknown Config Key' messages in your event log before 6.0 starts. These are caused by the old version not recognising configuration keys that the upgrade has already written, and can be safely ignored. In addition, any actions that are attached to the 'configuration file modified' event might get triggered. This is normal behavior, and can be safely ignored.

New Platforms in 6.0
====================

- Amazon Elastic Compute Cloud (EC2)

  Zeus Traffic Manager and Zeus Load Balancer are available in Amazon's EC2. Instances are charged by the hour using the DevPay payment system. Standard and premium support is also available using DevPay. For more information on Zeus and EC2 visit: http://www.zeus.com/ec2

- Xen Virtual Appliance

  A fully supported Virtual Appliance is available for Xen based virtual environments, including Citrix XenServer 5.5 and OracleVM 2.1.

- OpenSolaris 2009.6

  Zeus Traffic Manager is supported on OpenSolaris 2009.6 (x86_64).

  Note: on OpenSolaris it is necessary to disable 'tcp fusion' support. For more information, refer to: http://knowledgehub.zeus.com/faqs/2009/10/20/opensolaris_disable_tcp_fusion

Major features in 6.0
=====================

- Zeus Application Firewall Module

  Zeus Application Firewall Module (Zeus AFM) is installed via the 'Upgrade' page of an existing Zeus Traffic Manager software or Appliance installation. Zeus AFM support for a virtual server is configured using a simple toggle on the main Virtual Server -> Edit page in the administration server. The administration server's Diagnose page will detect common problems with a Zeus AFM installation and point the user to a suggested remedy.

- Bandwidth Management

  Bandwidth management functionality is available on all platforms (previously it was limited to Linux platforms only). Bandwidth Limits are applied by the traffic manager software (rather than inside the Linux kernel). This allows for more flexible limits, such as per-connection limits. Bandwidth limits can now be applied to outgoing UDP traffic.

- Administration server remote authentication

  The Administration server can authenticate users against remote LDAP and RADIUS services. This allows centralized authentication systems to manage access to the admin server.

  The 'admin' user is no longer required, and some actions that used to require a user to be in the 'admin' group are now controlled by group permission flags. Affected actions are clearing the event log, clearing the content cache, upgrading a traffic manager, joining and leaving a cluster, using the Control API and logging into an Appliance console.

- Command line interface

  The traffic manager can now be configured using a command line interface (CLI). The CLI can be run from "$ZEUSHOME/zxtm/bin/zcli". The CLI uses the Control API to inspect and update the configuration.
  It also allows you to summarize object configurations, such as Virtual Server and Pool configurations, and view statistics for objects.

- Disk backed content caching

  It is now possible to configure the HTTP Content Cache to be backed onto a disk, allowing for cache sizes greater than the amount of system memory available. Disk backed caching is optimized to work with Solid State Disks (SSDs). Support for the disk backed cache is enabled using the 'webcache!disk' global setting.

- Connection failure reporting

  Connection failures between the traffic manager and the client or node can now be logged in detail to the event log. This feature makes it easier to discover why a client received an error page, and provides more information on exactly what was wrong with the connection.

  This functionality is disabled by default, but can be enabled on the Virtual Server's Connection Management page. 'log!server_connection_failures' will log failures between the traffic manager and nodes, and 'log!client_connection_failures' will log failures between clients and the traffic manager. It is possible to log these events to a file other than the main Event Log using the Alerting page.

  The default HTTP error page has been altered to provide a simple "Service Unavailable" message to clients; this can be customized on the Virtual Server -> Connection Management page.

- Streaming HTTP responses from TrafficScript and Java Extensions

  HTTP responses can now be streamed to clients rather than needing to construct the entire response in memory before sending it back. This allows response rules to process data more efficiently, for example when filtering HTTP responses. TrafficScript rules can stream responses using the new 'http.stream.*' functions. Java Extensions will automatically stream responses.

- TrafficScript and Java geolocation

  Add geolocation support for IPv4 addresses. This allows location information such as the country or state to be looked up for an IPv4 address.
  It is also possible to calculate the distance between two IP addresses to help geographic load balancing. TrafficScript rules can use the new 'geo.*' functions. Java Extensions can use the 'ZXTMHttpServletRequest.geo*' functions.

- Multi-Hosted Traffic IP addresses

  Traffic IP addresses can now be raised on all active traffic managers in the Traffic IP group at the same time. This allows publishing a single IP address in DNS while still maintaining active-active redundancy. This functionality requires a Zeus Appliance or the 'zcluster' Linux kernel module available from http://knowledgehub.zeus.com.

- TrafficScript

  TrafficScript now supports the following new syntax:

   'for' loops, e.g. for( $i = 0 ; $i < 10 ; $i++ ) { ... }

   'do, while' loops, e.g. do { ... } while( $i < 10 );

   \xHH hexadecimal escaping in double quoted strings, for example "\x0a" is equivalent to "\n".

   Single quoted strings - meaning fewer characters have to be escaped in strings, for example '\[\]' is equivalent to "\\[\\]", which can make regular expressions easier to write.

  The following TrafficScript functions have been added:

   'http.cache.exists()' returns true if the page requested is in the HTTP Content Cache.

   'http.cache.respondIfCached()' sends a page from the HTTP Content Cache to the client if that page has been cached (and the client accepts a cached response).

   'rate.use.noQueue()' uses a Rate class without queueing the connection if the limit has been exceeded. The return value of the function can be used to determine whether the limit has been exceeded.

   'string.gmtime.parse()' has been extended to parse time strings of the form "2009-02-20 17:01:02".

   'string.hashsha256()', 'string.hashsha384()', 'string.hashsha512()' hash the input using the SHA-2 family of hash functions.

   'http.getFormParamNames()' returns the names of all form parameters in the HTTP query string and POST body.

   'string.hash()' returns a simple hash (an integer) based on the contents of the string.
   The returned value should not be relied on to be consistent across different releases of the software.

   'data.getMemoryFree()' returns the free space available for storing information with 'data.set()'.

   'http.request.get()', 'http.request.head()' and 'http.request.post()' now fill in an error message in '$2' if they fail.

   'request.sendResponse()' now works correctly for UDP virtual servers.

  The TrafficScript editor in the user interface has been significantly improved on modern browsers. It provides syntax highlighting, auto indentation and line numbers. The editor can also be manually resized.

Behavior changes
================

- Node monitoring is per-Pool

  Monitoring (both active and passive) of Nodes is per-Pool, allowing one application server on a Node to fail without stopping another application server served from the same IP endpoint from being used. This behavior affects the following:

   - SNMP traps for node events also contain the Pool name.
   - Node failure events are now configured per-Pool.
   - New perPoolNode SNMP tables have been added. The old tables are still available for compatibility.

- Generic TrafficScript functions

  Some generic request and response manipulation functions are no longer permitted for HTTP, SIP and RTSP virtual servers. Protocol specific functions should be used instead. The affected functions are:

   request.getline()
   request.set()
   request.sendresponse()
   request.skip()
   request.endswith()
   request.endsat()
   response.set()
   response.flush()

- Event logs

  The main event logs have been moved from the old location of $ZEUSHOME/zxtm/log/errors into $ZEUSHOME/log. Symlinks remain in the old location for compatibility. In the Zeus Appliance, the log files are all now stored on the /logs partition. Additionally the event logs are rotated periodically to avoid them consuming too much space.

Other changes in 6.0
====================

- Request Logging

  Request logs can be sent to a remote syslog server.

  Request Logging can be disabled for individual requests using the new 'request.setLogEnabled()' TrafficScript function.

  New logging macros have been added for bytes sent to (%o) and received from (%O) a node.

  Zeus Traffic Manager no longer crashes when trying to close a stale NFS file handle.

- Zeus Control API

  The Control API is now available in Zeus Load Balancer.

  SOAP Exceptions have been added to the Control API, providing information about failures in an easier to understand format.

  Access to the Control API is controlled by a Group permission flag.

  The Control API can be used to upload and download backups and extra files (such as Java classes, Monitor programs etc).

  The following Control API functionality has been added:

   The 'System.Management' API allows restarting the traffic manager software and rebooting the operating system.

   'System.Log.getAuditLogLines()' returns the specified number of audit log lines.

   'Alerting.Action.testAction()' emits a test event.

  Additionally, the following bugs have been fixed:

   'System.Log.getAuditLog()' now works correctly in timezones with a negative offset from GMT.

   The timestamp reported for backups in the 'System.Backups' API is correct after an upgrade.

- Traffic IP Groups

  Traffic IP Groups can be individually disabled to prevent addresses being raised.

  When joining a cluster it is now possible to select whether or not to join Traffic IP groups, and whether to join as an active or passive member of the groups.

  Automatic failback can be disabled so a traffic manager will not automatically take traffic from other members of the cluster when it recovers after a failure.

  Heartbeat messages between traffic managers can be configured to use unicast UDP messages rather than multicast. This can help in situations where multicast messages aren't propagated around a network correctly. Unicast heartbeat messages can be enabled on the Global Settings page using the 'flipper!heartbeat_method' configuration key.

- HTTP Content Cache

  Requests for byte ranges of files inside the cache are now supported, including support for the If-Range header.

  The ETag header is also now used when performing cache lookups.

  A Group permission flag has been added for clearing the Content Cache so that permission can be delegated from 'admin' users.

  Searches in the Content Cache are now case insensitive.

  If a response is compressed, a 'Vary: Accept-Encoding' header will now be added so that the Content Cache doesn't return compressed pages to clients that don't support them.

  The default 'webcache!max_file_size' is now relative to the total size of the content cache (defaulting to 2%).

  The 'webcache!control_out' setting now always overrides any other Cache-Control header in the cached response.

- SNMP

  The state of the pool (e.g. active, disabled, draining, etc) is now available as 'poolState'.

  Bulk collection of SNMP values (either directly or using the Current Activity page) has been improved to reduce the communications overhead and reduce the likelihood of timeouts.

  The 'poolBytesIn' and 'poolBytesOut' values have been swapped around to be consistent with their descriptions in the MIB. 'poolBytesIn' now correctly counts data coming into the traffic manager from the nodes. Previously it counted data sent by the traffic manager to the nodes.

- Alerting

  The location of the main Event Log can now be altered without restarting the software.

  Sending events via syslog to an IPv6 address is now supported. The port for syslog servers can now be configured.

  It is now possible to configure some events to bypass the main event log and log to a separate file.

  The Alerting -> Event Type page will now display the short name (corresponding to the SNMP trap name) for individual events.

- Pools and Nodes

  'node_fail_time' and 'node_connection_attempts' are now configured per-Pool, rather than globally.

  Monitor failures are no longer reported for unused Pools (failures are still reported for all Pools if the 'trafficscript!variable_pool_use' option is enabled).

  Nodes can be disabled in a Pool to prevent them being sent any traffic or monitored.

  An option, 'node_connclose', has been added to optionally close all client connections when a node fails.

  Nodes that only resolve to IPv6 addresses are now used correctly.

  A warning is now emitted when receiving an invalid Content-Length header from a backend node.

  HTTP 0.9 responses from nodes in response to HTTP 1.x requests are now sent directly to the client rather than retrying the request.

  The weighted round robin algorithm has been improved to minimize repeated use of the same node when weights differ significantly.

  The round robin load balancing counter is now shared across cores on multi-core machines.

- User Interface

  The Connections page will now report the HTTP Host header as it is after TrafficScript rules have been processed, rather than as it was supplied by the client.

  The accuracy of the Current Activity graphs has been improved.

  Rules can now be altered on the Virtual Server -> Rules page when an SSL certificate is soon going to expire.

  Rules can now be re-ordered on the Virtual Server -> Rules page by dragging and dropping them.

  Failed nodes will now be highlighted on the Pool -> Edit page.

  Performance of the Audit Log page with a large audit log file has been improved.

  Downloading connection data is no longer limited to 100 connections.

  IP address fields in the RuleBuilder now accept IP addresses in CIDR format.

  The status applet will now correctly detect issues with Traffic IP addresses.

  Filters have been added to the Event Log and Audit Log pages to help log file analysis.

  The wording on the Diagnosis page has been altered when a Node is failing due to passive monitoring. The time the Node first failed and the last time a connection was attempted are both reported.

  The User Interface will no longer hang when processing large numbers of blocked IP addresses in a Service Protection class.

  Numerous minor UI improvements have also been made.

- Technical Support

  Some additional diagnostic information is included in the Technical Support Report. Values of sensitive keys (such as passwords and access keys) are now masked out.

  The 'trace' program can now trace multiple types of processes (e.g. the traffic manager parent and children) at the same time.

  Information on running processes from /proc is now collected.

- Miscellaneous

  The global 'maxfds' setting now defaults to 1048576. A warning will now also be emitted if setting this limit fails.

  The global 'listen_queue_size' setting now defaults to the system value.

  Bandwidth classes are now correctly applied to newly raised interfaces.

  'http.request.post()' now honors the (optional) 'timeout' parameter. Previously, a value of 0 (zero) was always used regardless of the actual parameter supplied. When the parameter was not supplied, the default value of 5 was used correctly.

  It is now possible to disable client connection timeouts by setting the 'connect_timeout' configuration key to 0 on the Virtual Server's Connection Management page.

  A new SNMP integer 'serviceLevelCurrentConns' has been added to track the number of connections associated with an SLM class.

  HTTP responses compressed using 'deflate' are now automatically uncompressed when using 'http.getresponsebody()'. Uncompressing 'deflated' responses is also supported in the new TrafficScript functions 'http.stream.readResponse()' and 'http.stream.readBulkResponse()' and when passing response body data to Java Extensions.

  The correct IP address is now inserted into HTTP requests when passing encrypted traffic through multiple virtual servers.

  The timeout for state replication between traffic managers can now be configured using the 'state_sync_timeout' configuration key.

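
The HTTP Content Cache items in the 6.0 'Other changes' section above (adding 'Vary: Accept-Encoding' to compressed responses, case-insensitive matching) describe the cache-keying technique below. This Python is an added illustration written for this page, not Zeus code, and the release notes do not describe the traffic manager's internal data structures; the class and function names are assumptions and the cached page is a constructed sample. The general rule it implements (RFC 7234 section 4.1) is that a stored response is only a hit for a request whose values of the headers named in Vary match the values of the request that originally fetched it.

```python
"""Vary-aware lookup for an HTTP content cache.  Added example; not Zeus code."""
import gzip
from typing import Dict, List, Optional, Tuple

Headers = Dict[str, str]


def _norm(headers: Headers) -> Headers:
    """Lower-case field names and collapse whitespace in values."""
    return {k.lower(): " ".join(v.split()) for k, v in headers.items()}


def _vary_names(vary: str) -> List[str]:
    return sorted(n.strip().lower() for n in vary.split(",") if n.strip())


def _secondary_key(vary_names: List[str], request: Headers) -> Tuple[Tuple[str, str], ...]:
    """The selecting header values taken from a (normalised) request."""
    return tuple((n, request.get(n, "")) for n in vary_names)


class ContentCache:
    def __init__(self) -> None:
        # url -> list of (vary_names, secondary_key, response_headers, body)
        self._entries: Dict[str, List[Tuple[List[str], Tuple, Headers, bytes]]] = {}

    def store(self, url: str, request: Headers, response: Headers, body: bytes) -> bool:
        """Cache a response; returns False when it must not be cached."""
        req, resp = _norm(request), _norm(response)
        if resp.get("content-encoding", "") not in ("", "identity"):
            # Compressed body: make Accept-Encoding a selecting header so the
            # compressed copy is only ever served to clients that asked for it.
            names = _vary_names(resp.get("vary", ""))
            if "accept-encoding" not in names:
                resp["vary"] = ", ".join(names + ["accept-encoding"])
        names = _vary_names(resp.get("vary", ""))
        if "*" in names:
            return False                      # Vary: * can never be matched
        key = _secondary_key(names, req)
        bucket = self._entries.setdefault(url, [])
        bucket[:] = [e for e in bucket if not (e[0] == names and e[1] == key)]
        bucket.append((names, key, resp, body))
        return True

    def lookup(self, url: str, request: Headers) -> Optional[Tuple[Headers, bytes]]:
        """Return the stored variant whose selecting headers match this request."""
        req = _norm(request)
        for names, key, resp, body in self._entries.get(url, []):
            if _secondary_key(names, req) == key:
                return resp, body
        return None


if __name__ == "__main__":
    cache = ContentCache()
    page = b"<html>hello</html>"               # constructed sample body
    gz = gzip.compress(page)
    cache.store("/index.html", {"Accept-Encoding": "gzip"},
                {"Content-Type": "text/html", "Content-Encoding": "gzip"}, gz)
    print("gzip client hit :", cache.lookup("/index.html", {"accept-encoding": "gzip"}) is not None)
    print("plain client hit:", cache.lookup("/index.html", {}) is not None)
```

Selecting-header values are compared after whitespace normalisation but otherwise literally, so "gzip" and "gzip, deflate" are different variants; that is conservative (a miss, not a wrong body), which is the right failure mode for a cache sitting in front of someone else's application.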
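
The Technical Support item above says that values of sensitive keys are masked out of the report. The Python below is an added example of that kind of redaction pass over key/value configuration lines; it is not Zeus code, the list of key names it treats as sensitive is an assumption rather than the product's list, and the configuration dump it runs over is constructed for the example.

```python
"""Mask secret values before a diagnostic bundle leaves the machine.
Added example; not Zeus code."""
import re
from typing import Tuple

# Key names whose values must never appear in a support report (assumed list).
SENSITIVE_KEY = re.compile(
    r"(?:^|[!._-])(?:password|passwd|secret|private[_-]?key|access[_-]?key|"
    r"api[_-]?key|token|community)(?:$|[!._-])",
    re.IGNORECASE,
)

# "key value", "key=value" or "key: value"; group 4 is the value.
_LINE = re.compile(r"^(\s*)([^\s=:#]+)(\s*[=:]\s*|\s+)(\S.*)$")

MASK = "********"

# Constructed sample of a configuration dump, not real Zeus configuration.
SAMPLE = """\
# constructed sample config dump
admin!password        hunter2
ssl!ssl3_allow_rehandshake no
snmp!community        public
aws_access_key_id = EXAMPLE-ACCESS-KEY
nodes                 10.0.0.1:80 10.0.0.2:80
auth!ldap!bind_password: s3cr3t
"""


def mask_line(line: str) -> Tuple[str, bool]:
    """Return (possibly masked line, whether it was masked).

    Lines that do not look like key/value pairs, including comments, are
    passed through untouched; only the value part of a sensitive key is
    replaced, so the report still shows which keys are set.
    """
    m = _LINE.match(line)
    if not m or not SENSITIVE_KEY.search(m.group(2)):
        return line, False
    indent, key, sep, _value = m.groups()
    return f"{indent}{key}{sep}{MASK}", True


def mask_report(text: str) -> Tuple[str, int]:
    """Mask every sensitive value in a multi-line report; returns (text, count)."""
    out, count = [], 0
    for line in text.splitlines():
        masked, hit = mask_line(line)
        out.append(masked)
        count += hit
    return "\n".join(out), count


if __name__ == "__main__":
    text, n = mask_report(SAMPLE)
    print(text)
    print(f"# {n} value(s) masked")
```

Matching on the key name rather than on the value shape (entropy, length) is deliberate: it is the only way to be sure a short or guessable password is masked too. A real bundle also carries core files and request logs, which this line-oriented pass does not cover.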
Appliance changes
=================

SSH and console logins will appear in the audit log.

The home directory (for all users) is now /root (rather than /).

An event is now emitted when a request log is deleted due to the log partition filling up.

VLANs and bonded interfaces now work together.

Accuracy of Bandwidth Management classes on the Appliances has been improved.

VMware Tools has been updated to the version provided in vSphere 4.0 (Zeus Virtual Appliance only).

The 'sar' monitoring program and 'rsync' have been added.

Other changes supplied in previous minor revisions of 5.1
---------------------------------------------------------

- XML

  The XML library has been updated to fix the recent security vulnerabilities (CVE-2009-2414 and CVE-2009-2416).

- Usage Tracking

  Usage and platform information is periodically reported back to Zeus. This information will help Zeus prioritize future product and platform developments. For details of the information transmitted, please refer to http://knowledgehub.zeus.com/faqs/2009/04/15/usage_tracking

- HTTP

  Perform additional checks for invalid header field names before processing HTTP requests.

  The total response time (%R) for keepalive HTTP connections now correctly measures from when the HTTP request was received, not from when the previous HTTP response was sent to the node.

- Monitors

  Resolved a bug whereby, after upgrading from a previous version, FTP monitors could not have SSL enabled or receive multi-line greeting messages from servers.

  Add a 'From' header field to requests generated by SIP monitors.

  Ensure the monitor process correctly restarts when terminated.

- TrafficScript

  Allow the size of the TrafficScript regular expression cache to be modified. This can be altered using the 'trafficscript!regex_cache_size' key on the Global Settings page.

  Remove the 4 GB limit on how much shared memory can be allocated for functions such as data.set.

  Fix a potential crash when using variables inside TrafficScript subroutines.

  Add new TrafficScript functions ssl.getClientCloseAlert, ssl.setClientCloseAlert, ssl.getServerCloseAlert and ssl.setServerCloseAlert. These can be used to dictate whether SSL connections are terminated with an SSL close alert.

  Fix a bug that could cause an invalid compilation error to occur when using floating-point literals in TrafficScript.

  Fix a potential crash when using string.regexEscape with an empty string as the argument.

  'sys.hostname()' now works correctly (previously it failed for the first 3 seconds).

  'pool.activenodes()' now works correctly when passive monitoring is disabled.

  Performance when using 'http.getBody()' to read a large POST body has been massively improved.

- FTP

  Ensure FTP data connections are closed correctly when no data is transferred across them.

- SSL

  Add support for X509 certificates signed using the SHA-2 family of hash functions.

  Add an option for virtual servers and pools to select whether to send SSL close alerts when connections are closed. This is disabled by default.

  Automatically downgrade connections to the highest SSL version that is enabled if a client requests a version of the protocol that is greater than this.

  Ensure that the protocol version of an SSL session that is retrieved from the cache is supported.

  Fix a potential memory leak when performing Diffie-Hellman server key exchanges.

  Bypass X509 extension checks when a server presents a self-signed SSL certificate.

  A rare crash with SSL connections and Service Protection has been fixed.

  Fix a bug where a client would request the re-use of an SSL session with the wrong SSL version, and the traffic manager would incorrectly restore the session on the wrong version. The version used is now stored, and an attempt to re-use a session with a mismatched version is rejected.

  SSLv2 server hello messages are now parsed correctly (SSLv2 is disabled by default).

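
The HTTP item in the 5.1 minor-revision changes above ("Perform additional checks for invalid header field names before processing HTTP requests") describes a check of the kind shown below. This is an added example written for this page, not Zeus code, and the notes do not say which rules the traffic manager applies; the parser here uses the RFC 2616 token grammar (a field name is one or more characters that are not CTLs or separators, so no whitespace before the colon) and the stricter RFC 7230 treatment of folded lines. The function names and the sample requests are assumptions. On a proxy these checks matter because a name the front end tolerates but the back end parses differently ("Content-Length : 5", a bare LF, a folded continuation line) is the raw material of request smuggling.

```python
"""Strict HTTP header-block parser that rejects invalid field names.
Added example; not Zeus code."""
from typing import List, Tuple

_SEPARATORS = set('()<>@,;:\\"/[]?={} \t')
# RFC 2616 2.2: token = 1*<any CHAR except CTLs or separators>
TOKEN_CHARS = frozenset(chr(c) for c in range(0x21, 0x7F)) - _SEPARATORS


def is_valid_field_name(name: str) -> bool:
    return bool(name) and all(c in TOKEN_CHARS for c in name)


def parse_header_block(raw: bytes) -> List[Tuple[str, str]]:
    """Parse 'Name: value\\r\\n ... \\r\\n\\r\\n' into (name, value) pairs.

    Raises ValueError instead of guessing whenever a line is malformed.
    """
    text = raw.decode("latin-1")           # header bytes are octets, not UTF-8
    if not text.endswith("\r\n\r\n"):
        raise ValueError("header block not terminated by a blank line")
    block = text[:-4]
    headers: List[Tuple[str, str]] = []
    for line in (block.split("\r\n") if block else []):
        if line == "":
            raise ValueError("empty header line")
        if line[0] in " \t":
            # obs-fold continuation line: RFC 7230 3.2.4 says a proxy must
            # reject it or replace the fold with SP before forwarding.  Reject.
            raise ValueError("obsolete line folding rejected")
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"no colon in header line {line!r}")
        if not is_valid_field_name(name):
            # Catches "Content-Length : 5", NUL bytes, non-ASCII, empty names.
            raise ValueError(f"invalid field name {name!r}")
        if any(ord(c) < 0x20 and c != "\t" for c in value) or "\x7f" in value:
            # A bare LF inside a value means the request used mixed line
            # endings; a back end that splits on LF would see a different
            # header set from the one we validated.
            raise ValueError(f"control character in value of {name!r}")
        headers.append((name, value.strip(" \t")))
    return headers


def rejects(raw: bytes) -> bool:
    """True when the block is refused; convenient for tests and fuzz corpora."""
    try:
        parse_header_block(raw)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed samples: one clean block, three smuggling-style variants.
    samples = [
        b"Host: example.com\r\nContent-Length: 5\r\n\r\n",
        b"Host: example.com\r\nContent-Length : 5\r\n\r\n",
        b"Host: example.com\r\nX-Foo: bar\r\n continued\r\n\r\n",
        b"Host: example.com\nContent-Length: 5\r\n\r\n",
    ]
    for s in samples:
        print("REJECT" if rejects(s) else "ok    ", s)
```

Rejecting is the safe choice for a device in front of many different back ends: each of the rejected forms is accepted by some servers and ignored by others, and a load balancer cannot know which interpretation the node behind it will pick.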
- Zeus Control API

  New API revision 1.2 changes the System.Cache elements bytes_used, num_lookups, num_hits, hits and size_matching_items from ints to longs.

  Improve the startup time of the SOAP API server.

  Add System.Stats.getRules, System.Stats.getActionNumber and System.Stats.getEventNumber functions.

  Ensure that System.Log.getErrorLogLines correctly encodes responses.

  Apply various fixes for the Alerting.EventType interface, including implementing the get, set, add and remove functions for NodeNames and CustomEvents, adding the ability to include a customEvent string array when creating an Event Type, allowing a trafficscript_ALL Event that matches all custom TrafficScript Events, and correctly deleting all Events of a particular type when a type_ALL Event is added.

  Remove the Catalog.Monitor.getProtocol function.

  Fix the Pool.getNodesLastUsed function for multi-CPU machines.

  An incompatibility between PHP and the Control API has been fixed.

- SLM

  Fix a potential crash when stopping a virtual server that is using an SLM class with active connections.

  When a virtual server is deleted, ensure that any connections registered with an SLM class are immediately deregistered from that class.

- SNMP

  Correctly update the timeLastConfigUpdate and eventsMatched counters.

  Remove SNMP counters for Actions that are internal to the traffic manager, such as writing to the Event Log.

  Fix Action and Event SNMP counters - previously the number of Actions and Events were not counted.

  The 'snmp!allow' configuration key now works as expected.

  The 'monitorNumber' integer now correctly counts the number of monitors created.

  The 'ruleNumber' integer has been added.

- Java

  Ensure that the character set specified in setContentType is honored.

- Fault Tolerance

  Ensure that if the same IP is used to check both frontend and backend connectivity then both are flagged as being contactable when a ping response is received from that IP.

  Fix a bug that meant a child process could crash but not exit completely and therefore not get restarted by the parent process.

- Alerting

  Add the CA certificate expired, CA certificate about to expire, CRL out of date, SSL certificate expired and SSL certificate about to expire Events to the built-in 'SSL Certificate Expiry' Event Type.

  Permit spaces in custom TrafficScript Events.

  Fix a potential crash that could be caused by naming an Action 'Event Log'.

  Verbose logging of Alert emails can now be used to diagnose communication issues with the SMTP server.

  Under some circumstances Alert emails could stop being sent; this has been fixed.

- UI Improvements

  Correctly display SSL certificate names that contain encoded characters.

  Move the 'Pool contains no valid backend nodes' Event into the Pools category.

  Correctly display nCipher NetHSM options on the Global Settings page.

  Ensure the Content Cache page does not time out too quickly when retrieving information about the cache.

  Fix a bug that stopped new SSL certificates being added to the Admin Interface's security page.

  Sign the default Admin Interface SSL certificate using SHA-1 instead of MD5.

  Ensure that the number of active connections for each node is correctly displayed on the Draining Nodes page.

  Report errors relating to Action configurations correctly on the Alerting page.

  Ensure that the correct permissions are checked when downloading request logs.

  Show a comparison of request log formats for different backups on the backup comparison page.

  Show ZFS file systems in the machine information section of the Traffic Managers page.

  Display additional text from the license key in the title bar and login page of the administration interface.

  Do not try to display the contents of an Event Log file that does not exist.

  The configuration is now correctly replicated across the cluster when applying a Rule edit to a single Virtual Server.

  The Draining page now correctly reports the time since the last connection.

  The applet will now update when lots of Virtual Servers are running.

  Virtual Server ports reported by the applet in tooltips are now correct.

  The 'ftp_support_rfc_2428' pool configuration key is now visible in the user interface; it specifies whether a backend node supports the EPRT and EPSV FTP commands.

  The node listing on the Historical Activity user interface page is now sorted.

  A TrafficScript rule containing #"# will now be processed correctly in the user interface (this bug did not affect the internal rule execution).

  The UI help for Bandwidth classes has been fixed to mention that the bandwidth limit is configured in kbits/second (previously it incorrectly claimed that the limit was configured in bytes per second).

- Other changes

  The virtual server 'max_client_buffer' and 'max_server_buffer' configuration keys now work in all circumstances. Previously an issue with streaming large files to slow clients could cause excess memory usage.

  Daylight saving time changes will now be correctly detected on recent Linux versions.

  Ensure that all references to deleted log files are closed so that the associated storage space is released.

  Fix a potential crash that could occur when a client sends multiple requests without waiting for a response and the traffic manager generates its own response to the first of these requests.

  Remove the unused log!statelines config key.

  Ensure that group permissions are upgraded correctly.

  Fix a race condition that might result in a connection being closed early when selected from a pool of connections to a back-end node.

  Fix POST requests on NTLM-authenticated connections sometimes returning a 'no suitable nodes' error despite there being nodes available.

  Fix a race condition that resulted in messages about nodes failing sometimes not being reported on multiple-CPU installations.

  Permit underscores in traffic manager hostnames.

  Check that a machine's hostname can be resolved before attempting to add it to the cluster.

   Fix a potential crash when the parent and child processes are communicating with each other on 64-bit SPARC/Solaris machines.

   Fix a bug limiting the number of interfaces that are checked for IPv6 addresses.

   Fix a potential crash in the perceptive load-balancing algorithm.

   Block license keys for platforms SunOS 4, SCO, SINIX and BSDI.

   Installation will now succeed on Linux glibc 2.10 platforms, such as Fedora 11.

   Hostnames that resolve to multiple IP addresses in /etc/hosts are now correctly handled.

   Hostname resolution will now work correctly after /etc/hosts is modified.

   License keys now report if they aren't valid because a network interface isn't plugged in.

   Failure messages from ARP broadcasts on Solaris and FreeBSD will now be correctly reported.

   Generating a Technical Support Report now no longer times out due to a large /proc/net/rt_cache file.

   The SIP monitor has been changed to send a more compliant URI in its OPTIONS message (it now is of the form sip:zxtm@). The Call-Id has also been changed to be of the form @.

Zeus Appliance changes only
---------------------------

   Java has been updated to JRE 6 update 15 to fix the recent security vulnerability (CVE-2009-2625).

   vSphere 4.0 is now fully supported (Virtual Appliance only).

   A memory limit in the kernel has been increased to avoid degraded network performance when the network is under high load.

   Various packages have been updated.

   Improve performance on all Zeus appliances.

   Add console-tools to the appliance.

   Report network duplex errors correctly.

   Do not report an error if the IPMI mask is set to 0.0.0.0.

   Improve error reporting when performing a minor upgrade.

   The z-expand-logs-partition script has been fixed so that partitions always end on cylinder boundaries (Zeus Virtual Appliance only).


ZXTM 5.1 -> 8th December 2008
=============================

ZXTM 5.1 is a major revision of the ZXTM product family, containing a large number of performance and functionality enhancements and bug fixes.
Customers are recommended to upgrade to this version to take advantage of the changes.

Platform Availability for ZXTM 5.1
----------------------------------

 * Linux x86, x86_64 - Kernel 2.6 (2.6.8+, 2.6.22+ for IPv6)
 * FreeBSD x86 6 (6.1+)
 * FreeBSD x86 7 (7.0+)
 * Solaris 8, 9, 10 (SPARC)
 * Solaris 10 (x86 and x86_64)
 * Hardware Appliances: 2000, 3000, 5000, 7000, 7400, 8000 and 9000 appliances
 * Virtual Appliances: VMware VI3 (ESX 3.0, ESX 3.5)

Notes on Upgrading
------------------

When upgrading from an older version through the ZXTM UI, you may see error messages in your ZXTM log shortly before ZXTM 5.1 starts, for example:

   WARN  Line 4: Unknown config key 'ftp_data_source_port'
   WARN  Line 5: Unknown config key 'ftp_data_bind_low'

These messages are due to the old version of ZXTM warning about incompatibility with the new FTP data port configuration option in 5.1 and can safely be ignored.

New features in 5.1
-------------------

 - Alerting

   ZXTM now provides a flexible mechanism for responding to internally generated events such as node failures, SSL certificates which are close to expiry and Traffic IP address failovers. It is possible to respond to events individually, or group related events together. ZXTM ships with a default Event Type which corresponds to the Alerting options used in earlier releases.

   Previously, ZXTM could only write a message to its log, send a standard e-mail or raise a standard SNMP trap when an event occurred. It is now possible to control, in detail, what actions it should take. The supported actions are:

     * contacting a SOAP web service
     * raising a specific SNMP trap
     * logging to syslog on the local machine or a remote host
     * logging to a custom file
     * running a custom script

   Alerting can be configured through both the ZXTM UI and the SOAP API.

 - HTTP Content Caching

   HTTP caching performance and scalability across several CPUs has been improved significantly.
   A new configuration key 'webcache!refresh_time' can be set to cause ZXTM to refresh cached pages before they are due to expire. This can prevent the backend server experiencing a surge of requests when a page expires from the cache. webcache!refresh_time is set to 2 seconds by default.

 - SSL

   ZXTM now supports the Niagara 2 Crypto Provider (N2CP) hardware on Sun UltraSPARC T2 processors. N2CP is used automatically when present.

   The Sun Crypto Accelerator 6000 PCI-E card is now supported for SSL acceleration on Solaris 10 (x86_64 and SPARC). It is possible to create cryptographic keys directly on the card using the ZXTM UI.

   ZXTM now supports the TLSv1 server_name extension. This makes it possible to run multiple SSL sites with different certificates on the same IP address and port. The following TrafficScript functions make it possible to query and set the server_name that is used:

     ssl.getTLSServerName()   returns the server name used for the current connection
     ssl.setTLSServerName()   sets the server name to be used for the current connection

   The TrafficScript function ssl.clientCertSerial() now returns a hex-encoded representation of the client certificate's serial number. Previously it returned the serial number in decimal. The decimal representation is now available through a new function, ssl.clientCertSerialDec().
   The following TrafficScript functions have been added for inspecting the server SSL certificate that ZXTM is using for the current connection:

     ssl.serverCertName()         returns a string containing the certificate's name
     ssl.serverCertCommonName()   returns a string containing the certificate's common name
     ssl.serverCertIssuer()       returns a string containing information about the certificate's issuer
     ssl.serverCertPublicKey()    returns a string containing information about the certificate's public key
     ssl.serverCertStartDate()    returns an integer representing the certificate's start date in seconds since the epoch
     ssl.serverCertEndDate()      returns an integer representing the certificate's expiry date in seconds since the epoch
     ssl.serverCertVersion()      returns a string containing the SSL version used with the certificate
     ssl.serverCertHash()         returns a string containing the certificate's hex-encoded MD5 hash
     ssl.serverCertSerial()       returns a string containing the certificate's hex-encoded serial number
     ssl.serverCertSubject()      returns a string containing the certificate's subject field
     ssl.serverCertAlgorithm()    returns a string describing the algorithms being used by the certificate
     ssl.serverCert()             returns a string containing a PEM-encoded version of the entire certificate
     ssl.serverSiteName()         returns a string containing the hostname or IP address that was used to select the current certificate, or a blank string if the default certificate was used

   ZXTM now supports Diffie-Hellman key exchange, which enables 'perfect forward secrecy' for SSL connections.

   TLSv1.1 is now enabled by default.

   Weak SSL ciphers with key lengths less than 128 bits are now disabled by default.

 - FTP

   ZXTM now supports a form of the FTPS protocol commonly called 'SSL-wrapped FTPS'. In this form of FTPS the control channel is SSL/TLS protected and the data channel is either always plaintext or always protected, depending on configuration.
   Protected connections are initiated within an SSL/TLS wrapper and there are no protocol extensions of the sort used in RFC4217 FTPS. ZXTM does not currently support RFC4217 FTPS.

   It is now possible to configure which port ZXTM will use as the source port for active-mode FTP connections. The source port is set using the 'ftp_data_source_port' configuration key. To use a privileged source port, below 1024, it is also necessary to set the 'ftp_data_bind_low' global configuration key. When 'ftp_data_bind_low' is set, ZXTM must retain some root privileges; if it is not set, ZXTM can completely drop root privileges.

 - Live log viewer

   It is now possible to view live updates to a virtual server's request logs (formerly called access logs) within the ZXTM UI.

 - Status Applet

   The status applet no longer requires Adobe Flash to be installed. It also no longer requires access to port 9070 on the ZXTM.

 - TrafficScript

   Data stored using data.set() can now be read using data.get() in other ZXTM processes. Previously, such data could only be read in the process in which it was stored.

   The data.reset() function now accepts an optional prefix argument. When called with an argument, data.reset() only removes keys that begin with the supplied prefix. When called without an argument, it removes all keys, as before.

   The connection.data.set() and connection.data.get() functions can now be used with UDP connections. Previously, they were only available for TCP connections.

   The amount of data that can be returned by a call to request.getLine() is now restricted to trafficscript!memory_warning bytes (configurable on the Global Settings page). Previously, this function would continue reading data until it encountered an end-of-line character, potentially consuming a large amount of memory.
   The following TrafficScript functions have been added:

     string.randomBytes()   returns a string of random characters
     string.extractHost() and string.extractPort()   return the host and port parts of an address
     string.containsI(), string.findI(), string.startsWithI() and string.endsWithI()   are case-insensitive versions of the equivalent existing functions
     string.gmtime.parse()   parses the supplied string as a time stamp and returns the time in seconds since the epoch (1st Jan 1970)

   TrafficScript now supports the append assignment (.=) operator.

   string.iReplace() and string.iReplaceAll() have been renamed to string.replaceI() and string.replaceAllI(). The old names are deprecated.

 - SOAP API

   The following SOAP API calls have been added:

     System.MachineInfo.getAllClusterMachines()   returns network addresses and software version information for all machines in a cluster
     System.MachineInfo.getZeusHome()   returns the path to the ZXTM installation directory ($ZEUSHOME)

 - SNMP

   ZXTM now collects performance counters for caches, rules, rate shaping classes, idle connections and data stored by the TrafficScript data.set() function. Counter values are also available in the UI.

 - Development Licensing

   Development Licenses are now rate limited to 10 requests per second over 10 concurrent connections. The UI now indicates when ZXTM is running with a Development License.

ZXTM Appliance changes only
---------------------------

 - Appliance OS upgrade

   The ZXTM Appliance Operating System has been upgraded significantly in this release.

 - UI improvements

   The UI now shows a warning if a redundant PSU has been removed from the ZXTM 8000 appliance. In this state, the Appliance will not be able to withstand the failure of the remaining PSU.

 - OVF Virtual Appliance

   ZXTM VA is now available in Open Virtual Machine Format (OVF). This makes it possible to import the Virtual Appliance directly into VMware ESX Server. Previously, it was necessary to convert the VA image before importing it.
 - VLANs

   It is now possible to configure VLAN interfaces through the ZXTM UI.

 - Technical Support Report

   Some additional diagnostic information about Machine Check Exceptions is included in the Technical Support Report.

Other changes in 5.1
--------------------

 - TrafficScript

   Ensure that http.setResponseBody() works correctly for HTTP/0.9 responses.

   Ensure that http.getResponseBody() works correctly when requesting a small number of bytes from the beginning of a compressed response.

   Ensure that ssl_strict_verify works correctly with SSL sites whose hostnames resolve to multiple IP addresses, when used as forward proxy nodes in TrafficScript.

 - Java Extensions

   Fixed a potential lock-up in the Java runner.

   Fixed a bug that could cause a child process to crash if the license key is updated to include Java support after an earlier child crash.

 - Caching

   Ensure that ZXTM only sets the X-Cache-Info header to 'caching' if an object is being added to the cache. Previously, it would mistakenly set this header under certain conditions if the object was cacheable but had not in fact been cached because of lack of space.

   Fixed a bug which mistakenly caused all port numbers ending in 80 or 443 to be stripped from URLs in the Content Cache Activity page. This made it difficult to differentiate between some connections to servers running on different ports but the same IP address. Now only ports 80 and 443 will be stripped from URLs.

 - Clustering

   Corrected a problem which could cause Extra File additions and deletions not to be propagated automatically throughout a cluster.

   Resolved an issue which could cause a mismatched communications key cluster error when a ZXTM is moved from one cluster to another immediately after initial configuration.

   Synchronize node status information across ZXTM processes. This ensures that all processes on a ZXTM machine agree on what nodes are available and that node failures are reported once, rather than by each process.
   The flipper!monitor_rate configuration key has been renamed to flipper!monitor_interval.

 - SSL

   Ensure that the SSL client version number is checked correctly for TLS clients greater than version 1.0.

   Ensure that when an SSL certificate is deleted, it is also removed from the configuration of any Virtual Server that was using it.

   Fixed a problem with the handling of export strength ciphers.

 - DNS

   ZXTM now randomizes DNS transaction IDs. See CERT vulnerability note VU#800113: http://www.kb.cert.org/vuls/id/800113

 - ZXTM Appliances

   Ensure that renaming a clustered ZXTM Appliance correctly updates Traffic IP configuration.

   Ensure that the temporary installation directory is removed when upgrading a ZXTM Appliance.

   Fixed a problem that could cause a deleted interface not to be taken down correctly if a gateway was configured on it.

 - Passive monitoring

   ZXTM now always logs meaningful error messages for node failures. Previously, some node errors were reported as "Unknown Error".

 - UI improvements

   The Support page now contains a link to these Release Notes.

   It is now possible to restart the Java Extension runner from the UI.

   The disk usage display in the System page is now more reliable and does not show device and libc filesystems on Solaris.

   Problems caused by special characters in rule names, pool names and virtual server names have been corrected.

   Corrected a spurious audit log message caused by restoring unsaved changes in RuleBuilder.

   The historical activity graph can now plot incoming and outgoing data rates for virtual servers, pools and nodes. Previously it could only plot rates for data flowing out, towards the client.

   The 'Access Logs' page has been renamed to 'Request Logs'. The System.AccessLogs interface in the SOAP API has also been renamed to System.RequestLogs. The old interface has been deprecated.

   Numerous minor UI improvements have also been made.
 - Technical Support

   Fixed a problem which caused the 'trace' debugging program to fail if run under an account with a username longer than 8 characters.

 - Miscellaneous

   Fixed a memory leak which could occur when deleting a Pool.

   Fixed a potential assertion failure caused by assigning a connection to a non-existent rate shaping class.

   Ensure that ZXTM correctly rewrites the IP version in SDP when rewriting a SIP connection from IPv4 to IPv6, or vice versa.

   Changes to the udp_port_smp setting now take effect straight away. Previously, it was necessary to stop and restart the Virtual Server after changing this setting.

   If possible, ZXTM now uses the MD5 hash algorithm to store user passwords securely, allowing passwords longer than 8 characters.

   ZXTM now supports a 'weighted least connections' load balancing algorithm. It is similar to the 'least connections' algorithm but also takes into consideration a weighting factor for each node.

   Historical activity logs (stored in $ZEUSHOME/zxtm/log/statd) now take up much less disk space on multi-CPU machines.

 - Zeusbench

   ZXTM now ships with Zeusbench, an HTTP benchmarking application. Zeusbench is installed in $ZEUSHOME/admin/bin/zeusbench. Zeusbench is not covered by Zeus support contracts.

Other changes supplied in previous minor revisions of 5.0
---------------------------------------------------------

 - XML

   Updated XML library to libxml2 2.6.32 to fix denial of service vulnerability CVE-2008-3281 in earlier library versions. Updated XSLT library to version 1.1.24. This vulnerability is present if you are using the XML functions in TrafficScript.

 - DNS

   Improve handling of DNS responses: If a DNS server replies to a AAAA query with an empty response (instead of NXDOMAIN), still process the response to the A query.

 - HTTP Content Caching

   Fix a potential assertion failure when caching a response which contains a very large 'Vary' header in the request.
 - Fault Tolerance

   Send an email alert when the status of a ZXTM in a cluster changes even if the machine it is running on is not hosting any Traffic IP addresses. This informs administrators of a single point of failure in an active-passive configuration.

   Fix delayed startup of ZXTM when there are queued emails to send. Previously, the emails were sent before ZXTM was started. Now, the emails are sent after ZXTM starts up.

 - SOAP API

   Add support for non-ASCII characters (such as umlauts) in the names of Virtual Servers, Pools etc. Previously, SOAP calls involving such names failed.

   Fix a problem where the name of the array returned by Catalog.Rule.getRuleNames() did not match the name of the array in the corresponding WSDL file.

 - Configuration

   The default value of the configuration key 'multiple_accept' is now 'No'. This improves the distribution of connections across CPUs on multi-CPU and multi-core machines.

 - TrafficScript

   Fix a potential assertion failure when using request.skip().

   Avoid a potential crash when using http.getResponse() in a request rule.

   Improve request.avoidNode() to ensure that no draining nodes are used to serve the request.

 - SSL

   Increase the number of X509 OIDs ZXTM recognizes, and improve the way it handles unknown OIDs.

   Prevent a potential crash when renaming a certificate that is in use.

   Fix a bug where a client would request the re-use of an SSL session with the wrong SSL version, and ZXTM would incorrectly restore the session on the wrong version. ZXTM now stores what version the session is using and refuses to re-use the session unless the request version matches.

   Fix an issue where ZXTM didn't check the SSL minimum version for SSL3 connections and would try to force the client to use a version it didn't support.

   Resolve problems with SSL cache handling that could lead to lookups always failing and hence to incorrect counters and broken SSL2 sessions.
   Fix a potential crash when handling SSL pass-through traffic with non-conforming clients.

 - RTSP

   Fix a bug that led to loss of the RTCP packets related to an RTSP session when an RTSP virtual server was listening on an IP address on a different subnet from the back-end.

 - Java

   Fix an issue that caused responses made by non-HTTP servlets running in request rules to be lost.

   Ensure that ServletInputStream.read() doesn't return invalid values.

   Always load a new version of a Servlet when requested via the UI or SOAP.

 - UI Improvements

   Resolve a problem that prevented RuleBuilder from being used with Internet Explorer 7 (IE7).

   Correctly display the Traffic IP groups used by a virtual server in its 'Edit' page and prevent deletion of Traffic IP groups that are in use.

   Automatically adjust the configuration of all virtual servers using a Traffic IP group when the group is renamed.

   When uploading files to the 'Extra' directory, strip off any path component provided by the browser. This prevents problems seen when uploading files using Internet Explorer 7.

   The configuration key ssl_cache_size can now be set to 0 to disable the session cache.

   Fix a condition that prevented changing the 'Listening on address' setting of a virtual server to an IPv6 address if the virtual server was using the 'discard' pool.

   Improve display of SSL certificate issuer and subject fields when the text representation contains raw object IDs.

   Switch to non-compact display mode on the Virtual Servers and Pools pages if the number of virtual servers or pools falls below the limit that triggers the compact mode.

   Improve support for chained certificates in the UI to allow chains with more than one intermediate certificate. Previously such chains could only be configured via the command line.

   Fix a bug that led to failures of the NetHSM wizard.

   Do not offer Cavium libraries on platforms where they are not available (FreeBSD and Solaris).
   Fix a validation problem that prevented specification of balancing weights other than the default for IPv6 nodes.

   Fix static route verification on the Appliance. Two routes will only conflict if they have the same netmask, rather than if they represent the same subnet.

 - Other changes

   Change the way ZXTM detects that a node has died when passive monitoring is enabled for the pool. Each request is tried once against each node that is thought to be alive. When a node has failed to respond to three requests without succeeding on a request it is marked as dead. The previous behavior, trying the same request more than once against the same node even after it had failed to respond to the request, could in some scenarios lead to ZXTM hammering the node in question for up to two seconds. Note that this change does not affect failure detection by active monitoring.

   Fix a potential crash when a Bandwidth class is renamed while ZXTM is processing traffic to a pool using that class.

   Fix a condition on Solaris where ZXTM would use an invalid file descriptor.

   Make spawning of new processes more efficient on FreeBSD.

   Fix the validation of HTTP response codes in RuleBuilder.

   When specifying a node, allow IPv6 addresses that start with ':'.

   Fix a bug that could lead to the ZXTM parent process becoming stuck in an infinite loop if the host had tentative IP addresses.

   Upgrade libpcre to version 7.7 and patch a vulnerability (CVE-2008-2371).

   Fix a glitch that caused PKCS#11 support to be missing in SPARC builds of ZXTM 5.0.

   Improve Cookie rewriting by doing a case-insensitive match on the keys 'domain', 'path', and 'secure'.

   When a connection is closed by a peer, ZXTM now reports the error message "Connection closed by peer". The error message reported previously ("Connection reset by peer") was confusing.

 - ZXTM Appliances

   Improved robustness under very high load for certain network ports on the 2000, 3000 and 8000 appliances.

   Improve scaling when using IP transparency.
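The passive-monitoring failure detection described under 'Other changes' above, as an added Python simulation (not ZXTM's own code): a per-node consecutive-failure counter, a node marked dead after three failures, and each request offered once to every node still thought to be alive. That the counter is reset by a successful response and that alive nodes are tried in list order are assumptions not stated in the release note (the real choice is made by the pool's load-balancing algorithm).

```python
from typing import Callable, Dict, List, Optional

# "When a node has failed to respond to three requests without succeeding on
# a request it is marked as dead" (from the release note above).
FAILURES_BEFORE_DEAD = 3


class PassiveMonitor:
    """Node failure detection driven only by the outcome of real requests.

    Added example, not ZXTM code.  Assumptions not stated on the page: the
    failure counter is kept per node and any successful response resets it,
    and alive nodes are offered a request in list order.
    """

    def __init__(self, nodes: List[str]) -> None:
        self.consecutive_failures: Dict[str, int] = {n: 0 for n in nodes}
        self.attempts: Dict[str, int] = {n: 0 for n in nodes}
        self.dead: List[str] = []

    def alive_nodes(self) -> List[str]:
        return [n for n in self.consecutive_failures if n not in self.dead]

    def record_outcome(self, node: str, ok: bool) -> None:
        if ok:
            self.consecutive_failures[node] = 0   # a success clears the count
            return
        self.consecutive_failures[node] += 1
        if self.consecutive_failures[node] >= FAILURES_BEFORE_DEAD:
            self.dead.append(node)                # stop offering it traffic

    def handle_request(self, send: Callable[[str], bool]) -> Optional[str]:
        """Try the request once against each node thought to be alive.

        Returns the node that answered, or None if every alive node failed.
        No node is retried within the same request, which is what stops a
        failing node from being hammered for the whole attempt window.
        """
        for node in self.alive_nodes():
            self.attempts[node] += 1
            ok = send(node)
            self.record_outcome(node, ok)
            if ok:
                return node
        return None


class ScriptedNode:
    """Constructed back end: answers from a fixed script, then a default."""

    def __init__(self, script: List[bool], default: bool) -> None:
        self.script = list(script)
        self.default = default

    def respond(self) -> bool:
        return self.script.pop(0) if self.script else self.default


def simulate(nodes: Dict[str, ScriptedNode], requests: int):
    """Run `requests` client requests through a PassiveMonitor.

    Returns (served_by, monitor) so the caller can inspect which node served
    each request, how often each node was tried, and which nodes are dead.
    """
    monitor = PassiveMonitor(list(nodes))
    served_by = [monitor.handle_request(lambda n: nodes[n].respond())
                 for _ in range(requests)]
    return served_by, monitor


if __name__ == "__main__":
    # Constructed scenario: node A is down, node B is healthy.
    served, mon = simulate(
        {"A": ScriptedNode([], default=False),
         "B": ScriptedNode([], default=True)}, 5)
    print(served)        # ['B', 'B', 'B', 'B', 'B']
    print(mon.attempts)  # {'A': 3, 'B': 5}: A tried once per request, then dead
    print(mon.dead)      # ['A']
```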
   Upgrade vmware-tools to the latest version from ESX 3.5 update 2 (ZXTM Virtual Appliance only).

   Fix a DoS vulnerability in the net-snmp package (CVE-2007-5846).

   Support a higher number of sockets in the TIME_WAIT state to prevent new sockets from getting dropped.

   Fix an issue that caused all SSH connections, even legitimate ones, to be rejected in certain configurations when access restrictions were enabled.


ZXTM 5.0 -> 20th May 2008
=========================

ZXTM 5.0 is a major revision of the ZXTM product family, containing a large number of performance and functionality enhancements, stability improvements and bug fixes. Customers are recommended to upgrade to this version to take advantage of the changes.

Platform Availability for ZXTM 5.0
----------------------------------

 * Linux x86, x86_64 - Kernel 2.6 (2.6.8+)
 * FreeBSD x86 6 (6.1+)
 * FreeBSD x86 7 (7.0+)
 * Solaris 8, 9, 10 (SPARC)
 * Solaris 10 (x86 and x86_64)
 * Hardware Appliances: 2000, 5000, 7000, 7400 appliances
 * Virtual Appliances: VMware VI3 (ESX 3.0, ESX 3.5)
                       Windows Virtual Server 2005R2

Solaris SPARC now requires a 64 bit capable processor. Linux x86 now requires glibc 2.3 or later.

Notes on Upgrading
------------------

When upgrading from an older version of ZXTM through the Web UI, you may get error messages in your ZXTM log shortly before ZXTM 5.0 starts, for example:

   SERIOUS:monitors/SIP UDP: Unknown monitor scope: sip
   SERIOUS:monitors/RTSP: Unknown monitor scope: rtsp
   WARN:monitors/SIP UDP: Line 1: Unknown config key

These messages are due to the old version of ZXTM warning about incompatibility with the new SIP/RTSP monitors in 5.0, and can safely be ignored.

New features in 5.0
-------------------

 - Java Extensions

   Java Extensions extend TrafficScript to allow code that inspects and modifies requests and responses to be written in the powerful Java language. ZXTM provides supporting Java classes that give Java Extensions access to ZXTM's protocol parsing features.
 - IPv6 Support

   IPv6 is now supported. ZXTM may also be configured as an IPv4 to IPv6 gateway. On Linux, kernel 2.6.22 or later is required to support IPv6. Note that neither the UI nor the SOAP interface is yet accessible via IPv6 and that the IP Transparency and NAT features of the ZXTM Appliance are not supported with IPv6.

 - SIP Support

   ZXTM now supports the SIP protocol. A large number of SIP specific functions have been added to TrafficScript.

 - RTSP Support

   ZXTM now supports the RTSP protocol. A large number of RTSP specific functions have been added to TrafficScript.

 - ASP Session Persistence

   A new session persistence type has been introduced to track ASP and ASP.NET sessions.

 - SSL

   Management of SSL decryption for large numbers of SSL sites has been made easier by allowing a single virtual server to present different SSL certificates depending on the IP address to which the client connected. This is configured on the Virtual Server's SSL Decryption page.

   ZXTM now supports the Niagara Crypto Provider (NCP) hardware on Sun UltraSPARC T1 and T2 processors. NCP is now used automatically for SSL operations.

   The Cavium NITROX (CN 1000 series) and NITROX II (CN 2000 series) Security Processors are now supported for SSL acceleration on Linux (x86 and x86_64).

 - TrafficScript

   Subroutines can now be created in TrafficScript to reduce code duplication. Variables declared inside subroutines are locally scoped. The following is an example of a subroutine declaration:

     sub add_args ($num1, $num2) {
        return ($num1 + $num2);
     }

   The following TrafficScript functions have been added:

     data.remove("key")   deletes the key-value pair previously stored by a call to data.set("key", "value").
     http.getRequest()   returns the full HTTP request headers, but does not include any body data.
     http.getResponse()   returns the full HTTP response headers, but does not include any body data.
     http.getResponseVersion()   returns the HTTP version string returned in the response from a back-end server.
     string.normalizeIPAddress()   returns the most compact string representation of an IP address. This is particularly useful for comparisons of IPv6 addresses.
     string.regexEscape()   returns a version of its parameter suitable for using inside a regex match as a string literal.
     string.URLEncode()   encodes the supplied string to make it safe for including in URLs. It converts unsafe characters to percent+hex form.

 - SOAP API

   All counters available via SNMP and the activity graphs are now also available directly via the new System.Stats SOAP API.

 - Miscellaneous

   The $ZEUSHOME/zxtm/conf/extra directory can now be managed through the UI, from a new tab: Catalogs -> 'Extra Files'.

   ZXTM now exposes the hostname of the server on which it is running via SNMP using the standard "sysName" OID.

   It is now possible to select multiple nodes in one pass when using the drain/undrain and remove node wizards.

   The connection and rate limiting features of a service protection class can now be disabled by setting the limits to 0, enabling other service protection features such as access restrictions to be used without forcing the imposition of connection limiting.

   Added a new protocol type "DNS (TCP)".

   Enabling a new system setting "client_first_opt" causes ZXTM to defer connection processing until the client has sent some data. This setting may improve performance, but connect_timeout will not be honored for client first protocols if the timeout occurs before the client has sent any data, due to behavior of the Linux and FreeBSD kernels. This tunable has no effect on Solaris.

Other changes in 5.0
--------------------

 - Session Persistence

   Fixed a bug with the 'monitor application cookie' session persistence type that caused persistence problems when this type was used with back-end servers that use upper case characters in the names of cookie parameters.
   Fixed an issue with UDP and session persistence that could cause requests to be sent to a dead node even when the persistence failure mode was set to "new node".

 - ZXTM Appliances

   Appliance SSH keys will now be preserved over major upgrades.

   Fixed a race condition that could cause a harmless "SERIOUS ... Config incorrectly set" error message to be generated when adding a new user or changing a user's password on a ZXTM appliance.

   The appliance no longer allows the administrator to try to set two default routes.

   Resolved an issue that made it impossible to use the UI to delete access logs from Internet Explorer 7.

 - SSL

   Fixed an issue with support for nCipher NetHSM whereby there were intermittent problems loading private key files on servers with multiple CPUs.

   The UI now silently discards trailing white space in SSL certificate Common Names instead of raising an error.

 - SOAP API

   Two of the session persistence types whose somewhat obscure internal names were accidentally exposed in the SOAP API have been renamed to make their purpose more obvious. The session persistence type "sardine" has been renamed "transparent", and "kipper" renamed "monitor-cookies". The old names are deprecated.

   Fixed a race condition that could cause changes made through the SOAP interface to be lost if two SOAP calls attempted to make changes simultaneously.

 - Backups

   Backups made from the config summary page will now have a correct timestamp.

   Backups restored from a file using the restore wizard will be upgraded automatically if they were taken using an older version of ZXTM.

   Editing the description of a backup will no longer change the backup's timestamp.

 - Virtual Appliances

   Resolved an issue that could cause the clock to jump on x86_64 processors.

 - Installation and upgrades

   Fixed a bug that caused an error to be shown during installation on systems that lacked /etc/inittab.
   Ensured that the last 1000 lines of the error log are copied into the new $ZEUSHOME/zxtm/log directory during an upgrade.

   Improved argument checking of the $ZEUSHOME/zxtm/bin/rollback script so that it won't accept a non-existent version as a rollback target.

 - UI Improvements

   Presentation of the Traffic IP groups summary on the Traffic IP groups page has been improved for Traffic IP groups containing large numbers of IPs.

   Summary pages in the UI (such as Services -> Virtual Servers) now switch to a condensed format when the number of objects exceeds 20.

   Improved error handling on the Virtual Server SSL Decryption page in the UI.

   Commas, whitespace or colons may now be used as separators in the SSL ciphers list.

   Fixed a bug whereby used nodes appeared in the unused section of the config summary when it was sorted in reverse order.

   The UI now makes it clear that changing some global settings will force a restart of ZXTM.

   Numerous minor UI improvements have been made.

 - Fault Tolerance

   ZXTM now varies the ICMP identifier in the ping packets it uses to check the availability of front and back-end network connectivity. This prevents failover problems with older Checkpoint firewalls.

   Cleared up some unnecessary error messages generated when one of the ZXTMs in a cluster becomes uncontactable.

 - Technical Support Report

   Included some additional diagnostic information in the technical support report.

   The filename of the technical support report now includes the hostname of the machine that generated it.

   Fixed a problem that prevented technical support reports being generated correctly on Solaris.

   Resolved an issue that made it difficult to obtain a technical support report from a Linux server that was experiencing high load.

 - Miscellaneous

   Invalid license keys will no longer be stored if an attempt is made to upload them.

   Fixed an issue whereby FTP virtual servers would incorrectly account for data uploaded as data downloaded.
  Fixed a bug with the perceptive load balancing algorithm that could cause dead nodes to be used if there was only one working node in the pool.
  It is now possible to log response headers in the access logs for pages served from the web cache.
  Fixed a problem with SMTP protocol parsing that could cause connections to stall when using request.endsWith().
  Fixed a problem on Linux and FreeBSD whereby the connect_timeout setting for client-first protocols was not honored.
  Various global settings have been renamed to make their purpose clearer (upgrading will automatically migrate the configuration):
    max_keepalive   -> max_idle_connections
    backend_timeout -> idle_connection_timeout
    max_retries     -> node_connection_attempts
    dead_time       -> node_fail_time
  Resolved an issue whereby ZXTM was keeping file handles open on rotated/deleted error logs, which prevented disk space being freed until the next ZXTM restart.
  Improved the performance of UDP virtual servers that listen on multiple IP addresses on SMP machines.
  ZXTM now always adds a "Vary: Accept-Encoding" header when compression is enabled, so that compressed and uncompressed versions of web pages are cached separately.
  Fixed an issue with SUSE Enterprise Linux 9 that caused the ZXTM init scripts to be run too early if the 'chkconfig' command was used to enable or disable ZXTM start-up.
  Fixed a bug that could cause ZXTM to generate spurious warnings when sending alert emails.
  Fixed a bug that could cause a crash if a running interface had no IP address assigned to it.
  Fixed a memory leak in the rate shaping class.
  Fixed a bug that would cause ZXTM to stop automatically checking DNS entries for nodes; this prevented DNS updates propagating to ZXTM's configuration.

Other changes supplied in previous minor revisions of 4.2
---------------------------------------------------------
- Traffic IP Groups
  Improve detection of the ZXTM software locking up, to ensure failover doesn't happen unnecessarily.
  Fix a memory leak on Solaris and FreeBSD with ARP broadcasts.
  Fix sending ARP broadcasts on Solaris when the e1000g driver is being used.
- HTTP Content Caching
  Ensure the correct page is served from the Content Cache when the Host header and an absolute URI in the HTTP request do not match.
  Fix a problem with the Content Cache UI page that could occasionally cause a 500 error to be displayed.
  Ensure large pages that are being compressed using ZXTM's Content Compression feature are correctly inserted into the HTTP Content Cache.
  Fix a race condition on multi-CPU machines that could cause a serious software failure.
  Fix a potential crash if content caching is used with very long URLs.
  Ensure that the Content Cache is limited to 3 GB in 32-bit builds of ZXTM.
  Ensure the amount of physical memory is read correctly on FreeBSD.
  Fix a situation where the wrong 'Vary' header could be used when performing a lookup in the content cache.
  Ensure that Content Cache statistics do not get cleared accidentally.
- SSL
  Fix a serious problem where an invalid SSL record could cause ZXTM to keep attempting to read from a client, stopping other traffic from being handled.
  Ensure that the PKCS #11 library is located on the Sun Niagara servers.
  Avoid a spurious warning when "ssld!accel" is enabled, but no ssld library is specified.
  Update the 'ssl.sslSessionID()' function to work for SSL pass-through virtual servers.
- User Interface
  Fix an issue with the status applet using Flash 9.0.115.0 that causes "incorrect signature (-5)" errors in the event log.
  Store Historical Activity graph information for 90 days by default (this can be altered by changing the statd!days setting on the Global Settings UI page).
  Ensure that the cache of Historical Activity graphs is cleared occasionally.
  Fix adding nodes that start with a '0' or contain '.0' as part of the hostname.
  Relax hostname validation to allow '_' characters.
  Improve the speed of the Rules catalog page when there are lots of Rules and Virtual Servers.
  Include more networking diagnostic information in the technical support report.
  Ensure that the RuleBuilder constructs rules correctly when inspecting HTTP headers containing a '-' (such as User-Agent).
  Ensure that the locale setting does not break backups created using the SOAP API.
  Fix the Diagnose SOAP API to correctly reference "DetectionDate" rather than "DetectionTime" in responses.
- Fault Tolerance
  Traffic IP Addresses will now fail over if traffic stops being served due to a serious lockup of part of ZXTM.
  Alter IGMP group behaviour: when a network cable is reconnected, pause for a short period before joining the IGMP group to ensure that the switch has noticed the reconnection.
  Alter how ARP messages are sent on Solaris and FreeBSD to ensure that the ARP cache doesn't get updated incorrectly.
  Improve multicast listening to ensure we listen for multicast messages on all network cards even if IP addresses change.
- Service Protection
  Service Protection alerts and log messages can now be disabled by setting the log_time for a class to 0.
  Requests dropped due to a service protection rate limit being exceeded are now correctly logged.
- Other changes
  Fix a situation that could delete the ZXTM configuration, causing ZXTM to fail to start up.
  Include more diagnostic information in the technical support report.
  Disabling passive monitoring now works correctly with UDP protocols.
  Deleting a configuration backup will now log an entry to the audit log.
  Custom TCP monitors no longer need a 'write_string'.
  Fix the names of the "VirtualServer -> BitsOut" and "Network Interfaces -> InterfaceTxBitsLo" current activity counters.
  Work around a problem on FreeBSD that could stop ZXTM accepting new connections for Virtual Servers.
  Fix a problem with the 'max_retries' setting that, if it was set to '1', could cause the error page to incorrectly be sent to clients.
  Fix a potential crash when using an 'SSL passthrough' virtual server.
  Improve the error message if the nCipher Remote File System cannot be contacted.
  ZXTM will now work correctly if 'state_sync_time' is set to '0'.
  net.dns.resolveHost() now resolves addresses of the form 1.2.3.4.zen.spamhaus.org correctly.
  Fix connection counting logic which under some circumstances could cause an assert failure.
  Fix an occasional crash when serving FTP traffic.
  Fix processing of request 'Connection' headers to avoid incorrectly marking a request as non-keepalive.
  Ensure that parameters for cookies are correctly set for the 'monitor application cookies' session persistence type.
  Fix a situation where, under some circumstances, ZXTM could end up in an infinite loop while performing a DNS resolve.
  Improve performance when spawning processes on Solaris.
  Fix a small memory leak when a Service Protection class is reconfigured.
  Fix an infinite loop in the string.iReplaceAll() TrafficScript function.
  Ensure that when a previously failing monitor is added back into a pool the node status is updated correctly.
- ZXTM Appliances
  Fix a race condition that could cause a restart of the hardware monitoring daemon (ZXTM Appliance only).
  Licenses bound to a MAC address will now work correctly with network cards that are part of a trunk or that don't have an IP address assigned.
  License keys bound to IP addresses are now correctly re-checked when raised IP addresses change. Previously ZXTM could become stuck in an unlicensed state if it was started before networking was available.
  Improvements have been made to the RAID checking to ensure more failures are reported (ZXTM 7000 and ZXTM 7400 only).
  Improve IRQ balancing across CPUs to improve network performance (ZXTM 5000, ZXTM 7000 and ZXTM 7400 only).
  Ensure that deleting and then re-creating a network trunk works correctly.
  Fix a memory leak when IP Transparency is enabled.
  Add a fix for some harmless kernel assertion failures.
  Updated the VMware tools package to the latest version available for ESX 3.5 (ZXTM Virtual Appliance).

ZXTM 4.2 -> 5th July 2007
=========================

ZXTM 4.2 is a major revision of the ZXTM product family, containing a large number of performance and functionality improvements, stability improvements and bug fixes. Customers are recommended to upgrade to the new version to take advantage of the changes.

Platform Availability for ZXTM 4.2
----------------------------------
* Linux x86, x86_64, IA64 (Kernel 2.6.8+)
* FreeBSD x86 5.3+ and 6.1+
* Solaris 10 (x86 and x86_64)
* Solaris 8+ (SPARC)
* Windows x86, x86_64 (Windows Server 2003r2)

Note that on Solaris 8, x86 systems may need to install patch 109148-07 to use ZXTM 4.2.

New features in 4.2
-------------------
- Improved web caching
  The web cache in ZXTM has been upgraded to provide improved hit rates, by sharing content better on multi-CPU machines. The SOAP API and web-based interface also allow users to explore the contents of the cache, and to invalidate parts of the cache to ensure new content reaches users. Cache sizes over 4 GB are now supported on 64-bit architectures.
- J2EE session persistence
  A new persistence class has been introduced to handle Java session persistence (used in WebLogic, for example). This lets ZXTM track sessions used by these applications, both URL-based and cookie-based, to ensure that the correct node is used to handle each client's requests.
- NetHSM support
  Support has been added for the nCipher NetHSM security device, which provides additional security when using SSL. Please see the documentation for details of how to use NetHSM with ZXTM.
- SOAP API extended
  The SOAP API now provides calls to diagnose the status of ZXTM and to manage backups. The new web caching features are also accessible via the API.
- Improved activity monitoring
  The current activity charting tools can now plot a range of system statistics, such as CPU usage, memory usage and raw network traffic.
  Statistics for individual machines can now be graphed.
- Forward Proxy capability
  In addition to load balancing across pre-configured pools of servers, the new Forward Proxy capability lets ZXTM route traffic to any local or remote machine. This functionality is controlled via TrafficScript, and can be used in a variety of ways: for example, users can dynamically configure the load balancing (e.g. retrieving a set of servers to use from an external database), or ZXTM can be used as a generic proxy (e.g. an HTTP proxy or SSL proxy).
- DNS updates
  ZXTM will re-resolve any hostnames used in its configuration if the IP addresses of the hostnames change. This makes ZXTM easier to use when re-arranging your network. This does not create any additional points of failure: if the DNS servers are unreachable, ZXTM will continue to operate.
- Solaris SSL acceleration support
  ZXTM now supports the PKCS #11 SSL acceleration provided by some Solaris platforms, such as Niagara.
- TrafficScript
  * Core changes
    ++, --, += and -= operators have been added.
    string.left() and string.right() chop strings into pieces.
    string.count() will count the number of occurrences of a pattern in a string, which makes list processing easier.
    string.find() and string.findr() can now take a start position.
    counter.increment() can now increment counters by a supplied amount.
    pool.select() and pool.use() have been extended so that a specific machine can be selected to send this request to. This machine does not have to be a node in a pool; it can be any machine on the Internet. This is the basis of the new 'Forward Proxy' feature. Because the destination is whatever the rule supplies, a rule that derives it from request data should check it against the set of hosts you intend to reach before passing it to pool.select(); otherwise the virtual server will forward wherever the client asks.
    pool.activeNodes() used to include draining nodes in its count. It now does not include them, so that a return value of >0 really does mean that there are nodes available to use.
    string.unescape() understands Microsoft's proprietary %u-encoding and refuses to convert illegal %-escaped hex values.
    RuleBuilder actions can now insert the client's IP address and port into HTTP headers using %REMOTE_IP% and %REMOTE_PORT%.
  * IP changes
    request.getDestIP() returns the original destination IP address that a client connected to. This differs from request.getLocalIP() if the connection was redirected via a firewall rule.
  * HTTP changes
    http.changeSite() makes it simple to redirect users to the same path on a differently named website, e.g. redirecting .co.uk to .com.
    http.request.head() allows TrafficScript to make HTTP HEAD requests.
    http.getHeaderNames() and http.getResponseHeaderNames() return a list of all the HTTP headers present in the request/response.
    http.sendResponse() now supports keep-alive responses, and will try to keep-alive connections to clients (if enabled in the virtual server).

ZXTM Appliance changes in 4.2
-----------------------------
4.2 represents a major upgrade of the ZXTM Appliance software. You should refer to the article on the ZXTM KnowledgeHub (http://knowledgehub.zeus.com) for instructions on how to upgrade your ZXTM Appliance from 4.1 to 4.2. The upgrade will preserve all your configuration, and you can roll back to 4.1 should you require it.
- Link Trunking / Aggregation
  The appliance UI allows ZXTM to aggregate two or more network ports together to form a fault-tolerant and higher-speed link. Traffic will be shared across the ports, and the 'trunked' channel will be resilient to the failure of any individual network cable. To enable this feature, configure two or more network cards with the same IP and the trunking will be applied. To use the link aggregation feature, ZXTM should be plugged into a switch that supports the IEEE 802.3ad standard. This enables the switch to detect the trunked links. Otherwise, you may have to configure the switch manually.

Other changes in 4.2
--------------------
- HTTP improvements
  HTTP headers are now preserved with their original case.
  Prior to 4.2, ZXTM would correct the capitalization of all headers to make them consistent, e.g. 'X-MAGIC-header' would be converted to 'X-Magic-Header'. Now the original header capitalization will be preserved. Note that all TrafficScript functions relating to HTTP headers have always been case-insensitive.
- Multi-CPU scalability
  Several improvements have been made to further improve the scalability of ZXTM on machines with many CPUs or cores. Systems with 16+ cores should see particular improvements in start-up and running speeds.
- Improved log timings
  A new logging macro '%R' will record the total time of a connection, measured from when ZXTM received the request until the last byte of data was sent back to the client.
- Passive monitoring option
  ZXTM's passive monitoring checks can be disabled if required. This means that ZXTM will only classify nodes as not working based on the 'active monitors' set up by the user. Failures when handling real traffic (e.g. timeouts, network failures) will not be used to determine the availability of services. This may be useful if ZXTM is load balancing services that do not always respond to some types of requests.
- Backup wizards
  Two wizards have been added to the web-based UI to make downloading and uploading backups simpler.
- SSL Changes
  TLS 1.1 has been disabled by default. This used to be enabled in ZXTM 4.1. It is no longer enabled because some web servers do not work properly with TLS 1.1 and will drop these connections (e.g. some versions of WebLogic). It can be re-enabled from the global settings page.
  4096-bit SSL keys are now supported in ZXTM.
- Rate shaping timeouts
  ZXTM was applying the wrong timeout to connections that were paused by a rate shaping class. The 'connect_timeout' time was used, rather than the general 'timeout' time. The result was that connections could be dropped sooner than expected. This has now been fixed.
- UDP/IP Transparency
  IP Transparency is now supported for ZXTM Appliance customers and for software customers using version 1.3 of the transparency module available from the KnowledgeHub (http://knowledgehub.zeus.com).
- Traffic IP Groups
  Traffic IP Groups using the 'keeptogether' flag that contain 'passive' machines will now work as expected. Before upgrading to 4.2 it is recommended that you mark all machines as active; once the upgrade is complete these machines can be set to 'passive' again.
- Alerting
  Alert emails are now RFC 822 compliant.

Other changes supplied in previous minor revisions of 4.1
---------------------------------------------------------
* Rate Shaping classes using a context will now shape connections correctly.
* Fixed a potential crash when viewing the Content Cache UI page when some items in the cache had expired.
* Fixed potential memory corruption when using the net.dns.resolveIP() TrafficScript function.
* Ensure that connection.discard() can be called from a response rule.
* Re-advertise IGMP membership when a Traffic Manager re-establishes contact with the network after a failure.
* When communication times out with the email server used to send alert messages, ensure we use the correct machine in the event log line.
* Improved Current Activity graphs to avoid incorrect or missing data points occasionally being displayed for some values.
* Fixed a potential DoS against the administration server.
* Fix a problem on FreeBSD 6 with kqueue support that can occasionally cause sockets to be incorrectly closed.
* Work around a memory leak in getprotobyname() in some Debian/Edgy libc versions.
* Under certain circumstances, SSL encryption to backends could leak memory in the zeus.zxtm and zeus.monitor processes. This leak has now been fixed.
* Fixed long certificate chain parsing to avoid incorrect signature errors during SSL encryption to backend nodes.
* X509 Certificate Signing Requests now use the SHA-1 hash algorithm and include the 'attributes' section (required by some certificate authorities).
* Allow backend nodes to request a new SSL handshake when performing SSL encryption (used by IIS for client certificate authentication).
* Crash fixed in TLS 1.1 handling of block ciphers. Until systems are upgraded, customers are recommended to disable TLS 1.1 support on the System -> Global Settings page. (TLS 1.0 is unaffected by this issue.)
* Fixed a crash when using Rate Shaping classes with long names.
* Prevent connection stalls to slow clients if TrafficScript responds to the first request on a connection with request.sendResponse().
* License key files which don't end with a newline are now correctly handled when joining a cluster.
* Cookie names for the 'Monitor application cookies' session persistence type can now contain '.' characters.
* A potential deadlock when replicating configuration has been fixed.
* Improved FreeBSD 6 support, including working kqueue support.
* TrafficScript functions now use entries from /etc/hosts when resolving host names and IP addresses.
* Improved keepalive support through HTTP proxies.
* Fixed a bug in the HTTP monitor that could cause it to be unable to detect a failure of a node.
* Fixed a situation where traffic for a Traffic IP address was sent to the wrong Traffic Manager.
* Fixed the description for the 'globals.uptime' OID.
* Improved the description for the 'webcache!size' configuration key.
* Ensure that the TrafficScript global settings only appear once.
* Ensure the default email server is preserved over upgrades.
* Calculation of the final data point on the Historical Activity graphs has been improved.
* Improved memory usage when performing upgrades through the User Interface.
* Fixed a bug which could lead to configuration file corruption when the filesystem ran out of free space.
* A potential deadlock when joining a cluster, or replicating configuration, has been fixed.
* Update Western Australia timezone information.
* Improve IP traffic routing. If the management port is on the same subnet as another network interface, additional steps will be taken to ensure that only management network packets will be routed to/from the management port.
* Fixed a bug that could cause an appliance to become uncontactable with certain network configurations.
* Fixed detection of the ZXTM 2000 LB appliance.
* Fixed a problem with NAT rules that could cause a spurious error to be generated. (ZXTM Appliance)
* Updated the SNMP agent to ensure network interface counters wrap correctly. (ZXTM Appliance)
* Updated the VMware tools package to the latest version available for ESX 3.0.1. (ZXTM Virtual Appliance)

ZXTM 4.1 -> 4th September 2006
==============================

ZXTM 4.1 is a major revision of the ZXTM product family, containing a large number of performance and functionality improvements, and many stability improvements and bug fixes over previous releases. You are recommended to upgrade when convenient to take advantage of the changes.

Platform Availability for ZXTM 4.1
----------------------------------
* Linux x86, x86_64, IA64
* FreeBSD x86 4.2+, 5.3+ and 6.1+
* Solaris 8+ (x86 and SPARC)
* Solaris 10 (x86_64)

After 31st January 2007, Zeus will no longer provide product revisions for FreeBSD 4.x.

New features in 4.1
-------------------
- Request Rate Shaping
  Request Rate Shaping allows ZXTM to limit the rate at which individual requests to particular services are made. These rates can be applied globally across all users of a service, or individually to a particular user. The rates can be applied per-second and per-minute, allowing fine-grained control over policy. Request Rate Shaping can be controlled and queried using the 'rate.use' and 'rate.getBackLog' TrafficScript functions.
  Request Rate Shaping is included in the ZXTM software and the ZXTM 5000, 7000 and 7400 Appliances. It is not available in ZXTM LB software or the ZXTM 2000 Appliance.
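The following is an added illustration, not ZXTM code and not from these release notes: a small request rate shaper with independent per-second and per-minute limits that can be applied to every caller together or to each caller separately, which is the policy surface Request Rate Shaping describes. Its use() mirrors the idea behind rate.use (hold the request until a slot is free, returning the wait) and backlog() the idea behind rate.getBackLog (requests still waiting); the class, its method names and the sample limits are this example's own assumptions, not ZXTM's implementation. It also shows the per-second versus per-minute interval choice that the 4.1 Service Protection 'rate_timer' setting exposes for connection rate limits.

```python
"""Added example, not ZXTM code: a request rate shaper with independent
per-second and per-minute limits, applied to one shared budget (key="")
or to a per-caller budget (key = client IP, session cookie, ...)."""
import bisect
import time
from collections import defaultdict
from typing import Dict, List, Optional


class RateShaper:
    """Sliding-window shaper. Each admitted request reserves a timestamp;
    a new request is scheduled at the earliest time at which both the 1 s
    and the 60 s windows ending there hold fewer than their limits. True
    sliding windows are used rather than fixed buckets, so a burst that
    straddles a bucket boundary cannot get through at twice the rate."""

    LONGEST_WINDOW = 60.0

    def __init__(self, per_second: Optional[int], per_minute: Optional[int]) -> None:
        self.limits = {1.0: per_second, 60.0: per_minute}      # None = unlimited
        self._slots: Dict[str, List[float]] = defaultdict(list)  # sorted, per key

    def use(self, key: str = "", now: Optional[float] = None) -> float:
        """Reserve a slot for one request and return how long it must wait
        (0.0 if it may proceed immediately). `now` is injectable for tests."""
        now = time.monotonic() if now is None else now
        slots = self._slots[key]
        # Slots older than the longest window can no longer affect a decision.
        del slots[: bisect.bisect_right(slots, now - self.LONGEST_WINDOW)]
        t = now
        while True:
            for window, limit in self.limits.items():
                if limit is None:
                    continue
                inside = [s for s in slots if t - window < s <= t]
                if len(inside) >= limit:
                    # Window full: wait until the oldest of the most recent
                    # `limit` reservations leaves it, then re-check all windows.
                    t = inside[-limit] + window
                    break
            else:
                break
        bisect.insort(slots, t)
        return t - now

    def backlog(self, key: str = "", now: Optional[float] = None) -> int:
        """Number of requests for this key still waiting for their slot."""
        now = time.monotonic() if now is None else now
        return len(self._slots[key]) - bisect.bisect_right(self._slots[key], now)


def burst(shaper: RateShaper, key: str, count: int, now: float) -> List[float]:
    """Constructed scenario: `count` requests from one caller arrive at once;
    returns the delay each one is told to wait."""
    return [shaper.use(key, now) for _ in range(count)]


if __name__ == "__main__":
    shaper = RateShaper(per_second=2, per_minute=5)
    print(burst(shaper, "10.0.0.1", 6, 100.0))   # per-second fills first, then per-minute
    print(shaper.backlog("10.0.0.1", 100.0))
```

With two per second and five per minute, six simultaneous requests from one caller are admitted two at a time each second until the fifth, and the sixth has to wait for the start of the minute window to slide past the first admission. A different key at the same instant is unaffected, which is the "individually to a particular user" mode; using one fixed key for every request gives the "globally across all users" mode.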
- Session Persistence
  A new Named Node session persistence class allows a TrafficScript rule to specify which node a request should be routed to, using the connection.setPersistenceNode() TrafficScript function.
- Session migration between services
  ZXTM will now automatically migrate active sessions between services that are running on the same node, but are on different ports. This allows a client to browse a site over HTTP and then perform payment over HTTPS with all requests being persisted to the same node.
- TrafficScript
  Warning messages are now emitted when unexpected escape sequences (such as '\.') are used. These are often used incorrectly in regular expressions when '\\.' was meant. Existing TrafficScript rules will continue to work as before. For further information on string escaping in regular expressions refer to section 2.9 of the TrafficScript reference guide.
  * Core changes
    Bitwise operators have been added to allow improved handling of binary protocols: ~ (NOT), & (AND), | (OR), ^ (XOR), << (LEFT SHIFT), >> (RIGHT SHIFT).
    string.replace() (and variants) allow replacement of one string inside another, without the use of regular expressions.
    string.findr() searches for a search string from the end of a given string.
    rule.getState() returns whether a rule is being run as a request or response rule.
    rule.getName() returns the name of the currently executing rule.
    request.getToS() and response.getToS() allow reading of the ToS flag that had previously been set on a request or response by another TrafficScript function.
  * HTTP Changes
    http.doesFormParamExist() determines whether a form parameter exists in the HTTP request.
    http.compress.enable() turns on compression for a particular request if the client supports it. http.compress.disable() disables compression for a particular request.
    http.getHostHeader() returns a normalized version of the host header.
    http.scrubRequestHeaders() allows control over the valid headers that are passed to a node.
  * Time functions
    sys.time.highres() returns the time with sub-second accuracy. This can be used to calculate accurate times for responses or other actions.
    sys.localtime.format() and sys.gmtime.format() can be used to format a time-stamp into a readable string.
    All the sys.time.* functions can now take an optional Unix time argument (previously they always acted on the current time).
  * Pool selection
    When the 'trafficscript!variable_pool_use' setting is enabled, pool.use() and pool.select() can take a variable as an argument. By default they still require a literal string.
  * User Counters
    Using the new 'counter.increment' TrafficScript function a rule can count how many times an action is performed. These counters can be graphed from the User Interface or using SNMP.
- Control API
  New functions in the existing Control API interfaces have been added to support new features. New interfaces in 4.1 include:
  * System.Cache - functions to query the Content Cache, including the current cache contents.
  * System.Connections - allows retrieving the list of active and recent connections.
  * System.MachineInfo - functions to get some information about the machine and software.
  * System.LicenseKeys - enables management of license keys on the system, allowing uploading, deleting and listing of license keys.
  * System.Log - provides functions to get the error log and audit log.
  * System.AccessLogs - on the ZXTM Appliance this allows querying what access logs are available for downloading.
  * Catalog.Rate - provides functions to manage the Request Rate Shaping classes.
- Content Caching
  The default cache size is now 20% of available memory instead of 100 MB. This default can be altered using the 'webcache!size' setting on the Global Settings page.
  The statistics shown on the 'Content Cache' page no longer include expired entries, and memory usage counting is much more accurate.
  Two new RuleBuilder functions have been added to mark a response as uncacheable and to make a response cacheable for a particular time.
- Fault tolerance changes
  Where possible ZXTM will use IGMPv2 for improved compatibility with a variety of switches.
  Failover performance has been greatly improved with a large number of Traffic IP addresses. For example, 2 active ZXTMs managing 1000 Traffic IP addresses can fail over in approximately 7 seconds.
  The amount of ICMP traffic used in regular connectivity checks has been reduced. Connectivity checks and failover time are not affected by this change.
- Health monitoring
  The Full HTTP monitor may be configured with a regular expression that matches the web page content returned by a working node.
  Health Monitor scripts are now provided with a '--node' argument that identifies the name of the node.
  A User Interface page has been added to allow management of Health Monitor scripts.
- SSL Changes
  TLS 1.1 (RFC 4346) is now supported and enabled by default.
  SSLv2 support is disabled on the admin server by default. SSLv2 has known security weaknesses and unless absolutely required it is recommended that you leave it disabled.
  The new 'ssl.clientCert()' TrafficScript function will return the PEM encoded version of the client certificate that was provided by the client when performing SSL decryption.
- NTLM Support
  ZXTM fully supports NTLM authentication with IIS web servers.
- HTTP Chunking
  Chunked HTTP requests are now fully supported.
- Service Protection
  A new 'rate_timer' setting enables configuration of the interval over which the 'max_connection_rate' setting is assessed. This allows control over whether the limit applies per-minute (the default) or per-second.

ZXTM Appliance changes in 4.1
-----------------------------
4.1 represents a major upgrade of the ZXTM Appliance software.
You should refer to the article on the ZXTM KnowledgeHub (http://knowledgehub.zeus.com) for instructions on how to upgrade your ZXTM Appliance from 4.0 to 4.1.
- System configuration
  All aspects of system configuration (networking, security, time etc.) are configured through the web-based Admin Server.
- Hardware diagnostics
  The alerting system and user interface will report problems with the underlying hardware, such as failure of a redundant power supply (on supported Appliance platforms).
- Access Logging
  Access logs are now automatically rotated and old ones are deleted. Logs can be viewed and downloaded from the user interface, or using 'scp'.
- SNMP
  SNMP information from the underlying OS is now available. Both SNMP v1 and v2c are supported.

Other changes in 4.1
--------------------
- Session Persistence
  Fixed a problem with UDP and session persistence when using a service that sends no responses.
- Health Monitoring
  Fixed a monitor failure when using SSL on the back-end servers and ZXTM receives a 'close notify' alert.
- SSL Changes
  Fixed misreporting of client IP addresses when using SSL and ZXTM's SSL extensions (when forwarding to another ZXTM).

Other changes supplied in previous minor revisions of 4.0
---------------------------------------------------------
* Fixed an issue where a malformed HTTP request could cause a ZXTM process to hang or crash.
* Fixed a memory leak when using some XML TrafficScript functions.
* When editing a TCP transaction monitor the 'write_string' key no longer disappears.
* The 'Reboot' button now functions correctly on all platforms.
* It is now possible to manage Pools that use the Weighted Round Robin load balancing algorithm using the SOAP API.
* Access Logging and the Admin Server Connections page now correctly report the HTTP status code.
* Fixed an issue where under certain circumstances traffic was sent to Nodes that a monitor had marked as failed. This could cause unnecessary alerts to be sent.
* connection.sleep(0) now returns immediately rather than sleeping forever.
* Multicast messages (used for Traffic IP Groups) are now sent over all networks even if there is a management network configured. This behaviour can be altered using the "flipper!use_bindip" key on the Global Settings UI page.
* Backups from earlier versions of ZXTM that are uploaded to the UI will be automatically upgraded.
* Fixed a problem with bandwidth restrictions when applied in a Service Protection rule.
* Improved universal session persistence: it can now be used fully in response rules.
* Improved performance on the ZXTM Appliance series when IP Transparency is not being used.
* Extra validation on forms in the web-based user interface.

ZXTM 4.0 -> 20th October 2005
=============================

ZXTM 4.0 is a major revision of the ZXTM product family, containing a large number of performance and functionality improvements, and many stability improvements and bug fixes over previous releases. You are recommended to upgrade when convenient to take advantage of the changes.

Platform Availability for ZXTM 4.0
----------------------------------
* Linux (x86, IA64, x86_64)
* Solaris (SPARC, x86, x86_64)
* FreeBSD (x86)

Key new features in 4.0
-----------------------
- HTTP Content Caching
  ZXTM 4.0 includes a full HTTP Content Cache for web content. Common web responses are cached locally, and ZXTM can respond to subsequent requests directly, thus reducing the load on the server nodes and improving the performance of the hosted HTTP services. ZXTM's Content Cache fully supports RFC 2616 Cache-Control and Vary headers as well as legacy Expires headers. Fine-grained control of the cache can be achieved using the new http.cache.* TrafficScript functions, and Differentiated Caching allows a TrafficScript rule to manage multiple variants of the same response.
  Content Caching is an optional ZXTM feature.
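The following is an added illustration, not ZXTM code and not taken from these release notes. It shows the Vary handling that the Content Cache's RFC 2616 support implies (the "secondary key" rule of section 13.6: a cached response may only be reused when the request headers named in its Vary header match), and why the later fix above that makes ZXTM always add "Vary: Accept-Encoding" when compressing matters: without that header, a gzip body cached for one client is handed to a client that never said it could decode gzip. The cache class, the simulated origin and the sample URL are constructed for the example.

```python
"""Added example, not ZXTM code: a Vary-aware response cache in front of a
proxy that compresses on the fly. Everything here is constructed for the
illustration; it is not the Content Cache's own implementation."""
import gzip
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

Headers = Dict[str, str]
# (vary field names, their values in the request that filled the entry, response)
Variant = Tuple[Tuple[str, ...], Tuple[str, ...], dict]


def get_header(headers: Headers, name: str) -> str:
    """HTTP field names are case-insensitive, so compare them folded."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return ""


def vary_fields(response_headers: Headers) -> Optional[Tuple[str, ...]]:
    """Request header names the stored response varies on, normalised.
    None means 'Vary: *', which must never be satisfied from cache."""
    vary = get_header(response_headers, "Vary")
    if vary == "*":
        return None
    return tuple(sorted(f.strip().lower() for f in vary.split(",") if f.strip()))


class VaryAwareCache:
    """One entry per (URL, values of the varying request headers)."""

    def __init__(self) -> None:
        self._variants: Dict[str, List[Variant]] = defaultdict(list)

    def lookup(self, url: str, request_headers: Headers) -> Optional[dict]:
        for fields, values, response in self._variants[url]:
            if all(get_header(request_headers, f) == v for f, v in zip(fields, values)):
                return response
        return None

    def insert(self, url: str, request_headers: Headers, response: dict) -> bool:
        fields = vary_fields(response["headers"])
        if fields is None:
            return False                      # 'Vary: *': uncacheable
        values = tuple(get_header(request_headers, f) for f in fields)
        self._variants[url].append((fields, values, response))
        return True

    def variant_count(self, url: str) -> int:
        return len(self._variants[url])


ORIGIN_BODY = b"<html>hello from the origin</html>"   # constructed sample content


def compressing_proxy(cache: VaryAwareCache, url: str, request_headers: Headers,
                      add_vary: bool) -> dict:
    """Serve from cache if possible; otherwise take the origin response,
    gzip it when the client accepts gzip, and cache the result.
    add_vary=False reproduces the behaviour before the fix."""
    hit = cache.lookup(url, request_headers)
    if hit is not None:
        return hit
    headers: Headers = {"Content-Type": "text/html"}
    body = ORIGIN_BODY
    if "gzip" in get_header(request_headers, "Accept-Encoding"):
        body = gzip.compress(body)
        headers["Content-Encoding"] = "gzip"
    if add_vary:
        headers["Vary"] = "Accept-Encoding"
    response = {"headers": headers, "body": body}
    cache.insert(url, request_headers, response)
    return response


def simulate(add_vary: bool) -> dict:
    """A gzip-capable client warms the cache, then a client that sent no
    Accept-Encoding requests the same URL; report what the second one got."""
    cache = VaryAwareCache()
    url = "http://www.example.com/index.html"
    compressing_proxy(cache, url, {"Accept-Encoding": "gzip, deflate"}, add_vary)
    second = compressing_proxy(cache, url, {}, add_vary)
    return {
        "encoding": get_header(second["headers"], "Content-Encoding"),
        "body_is_plain": second["body"] == ORIGIN_BODY,
        "variants": cache.variant_count(url),
    }
```

Without the Vary header the second client receives the gzip body with a Content-Encoding it cannot handle; with it the cache holds two variants and each client gets the right one. One consequence worth knowing when tuning hit rates: the secondary key is the raw header value, so "gzip" and "gzip, deflate" become separate variants unless the cache normalises Accept-Encoding before keying.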
- IP Transparency
  IP Transparency ensures that ZXTM preserves the IP address of the remote client when forwarding requests to a back-end server. Without this capability, the request appears to originate from the ZXTM machine. IP Transparency can be selectively controlled by TrafficScript. A TrafficScript rule can use the request.setRemoteIP() function to spoof the source IP address of a request, for example, when an upstream proxy does not preserve the source IP address. Because the spoofed address is whatever the rule supplies, a rule that takes it from a request header should only do so for connections that arrive from proxies you trust, since anything else can set that header itself.
  IP Transparency is only supported on the ZXTM 2000, 5000 and 7000 Appliance series.
- ZXTM Control API
  The ZXTM Control API is a standards-conformant SOAP-based API that makes it possible for other applications to query and modify the configuration of a ZXTM cluster. For example, a network monitoring or intrusion detection system may reconfigure ZXTM's traffic management rules as a result of abnormal network traffic; a server provisioning system could reconfigure ZXTM when new servers come online. The ZXTM Control API can be used by any programming language and application environment that supports SOAP services.
  The ZXTM Control API is available on all ZXTM software and appliances. It is not available on ZXTM LB software or appliances.
- RuleBuilder
  The RuleBuilder has been significantly improved, and several conditions and actions have been added. The RuleBuilder is a visual interface that makes it easy to construct TrafficScript rules.
- Configuration Audit Log
  All configuration changes, whether via the ZXTM Admin Server or via the ZXTM Control API, are recorded in an internal Audit log for later inspection.
- Configuration Backup Management
  Backup Management allows the ZXTM administrator to save, restore and compare various versions of the ZXTM's configuration. Configuration Backups can be exported and imported.
- Dedicated Management Port
  ZXTM can be configured with a dedicated management port so that all management traffic is restricted to a single, dedicated management network.
Note that Linux 2.6 kernels earlier than 2.6.12 do not correctly handle management port traffic. - Bandwidth Management ZXTM can impose bandwidth controls on request traffic to the back-end server nodes, either on a per-pool basis, or using the new request.setBandwidthClass() TrafficScript function. Bandwidth Management is an optional ZXTM feature. - TrafficScript Type of Service functions The new request.setToS() and response.setToS() TrafficScript functions can be used to set the Type-of-Service flags in the IP header of requests and responses managed by ZXTM. Other changes in 4.0 -------------------- - Recent Connections list The Connections report in the Activity Monitor now reports recently completed connections as well as current connections. - Session Persistence Cookies ZXTM now encrypts all session persistence cookies. - Cluster Diagnosis ZXTM's problem diagnosis has been extended, and ZXTM can identify and accurately report a wider range of cluster-related problems. - Other new TrafficScript functions http.redirect() can be used in request and response rules to succinctly send a redirect response to a remote client. http.getMultipartAttachment() makes it easier to parse incoming HTTP requests that contain Multipart body data. http.getRawQueryString() returns the querystring from the HTTP request without applying any URL unescaping. - Traffic IP Groups The new 'keeptogether' setting ensures that all IP addresses in a Traffic IP Group are raised on the same ZXTM traffic manager. This is useful when using IP Transparency in an Active-Standby configuration. 
ZXTM 3.1 -> 24th February 2005
==============================

Platform Availability for ZXTM 3.1
----------------------------------

* Linux (x86, IA64, x86_64)
* Solaris (SPARC, x86, x86_64)
* FreeBSD (x86)

ZXTM Load Balancer
------------------

ZXTM is now available in a Load Balancer edition, which shares the core technology with ZXTM, but has a feature set suitable for simple Load Balancing, rather than advanced Traffic Management. Contact sales@zeus.com for more information.

Other changes in 3.1
--------------------

- SSL

  SSL performance on Linux IA64 has been improved.

  TLS 1.1 is now supported, although it is turned off by default. Use the Global Settings page to enable it.

- Bandwidth management

  FTP data connections are now assigned to the configured bandwidth class.

- TrafficScript

  Response rules can now use the http.request.get() and http.request.post() functions.

  http.request.get() and http.request.post() now provide access to the full HTTP headers returned.

  http.request.get() and http.request.post() can now perform SSL requests.

  Service level monitoring and bandwidth classes can now be set using the TrafficScript RuleBuilder.

- User Interface

  The timeout control for the user interface is now configured per group, so different classes of users can have different timeout settings.

  Individual data points on the Current Activity page can now be examined by moving the mouse pointer over the graph.

  If you have a large number of virtual servers, the main page will now offer the choice of sorting them by name or port.

  The status applet can now be detached from the main user interface, which allows it to be used as a separate monitoring tool.

  Extra system information is now shown on the user interface, as well as the ability for an admin to reboot a machine remotely.

  The Config Summary page now displays more information, such as which Bandwidth classes are used.
ZXTM 3.0 -> 9th December 2004
=============================

Platform Availability for ZXTM 3.0
----------------------------------

ZXTM 3.0 can be installed on the following platforms:

* Linux (x86, IA64, x86_64)
* Solaris (SPARC, x86)
* FreeBSD (x86)

Key New Features in 3.0
-----------------------

* Service Level Monitoring

  ZXTM monitors response times from back-end nodes, and can alert the system administrator when the response times fall below a configured threshold.

  Service Level classes are assigned to virtual servers, and can be changed on the fly for individual connections using TrafficScript. TrafficScript can also be used to monitor Service Level classes and take proactive action when a class fails to meet its target.

  The Activity Monitor can provide real-time graphing of Service Level performance.

  New TrafficScript functions for Service Level monitoring:

    connection.setServiceLevelClass() - Set the class for a connection
    connection.getServiceLevelClass() - Get the class for a connection
    slm.conforming() - Get the percent of connections that meet the response time target
    slm.threshold() - Get the threshold for the percent of connections that need to conform to mark the SLM as ok
    slm.isOK() - Find out if a Service Level is being met

  This optional feature is enabled via the license key.

* Bandwidth management

  ZXTM can enforce bandwidth limits on particular services or individual request types. Bandwidth classes can be assigned on a per-request basis using TrafficScript.

  New TrafficScript functions for Bandwidth management:

    connection.setBandwidthClass() - Set the class for a connection
    connection.getBandwidthClass() - Get the class for a connection

  Bandwidth measurements are propagated between ZXTM machines to ensure total bandwidth is managed across the cluster.

  This optional feature is enabled via the license key.

* Session Persistence

  Session persistence information is now configured in separate classes that are assigned to individual pools. Session persistence classes can also be assigned to individual connections using TrafficScript.

  Session Persistence classes can be shared between multiple pools, which can be used to provide seamless transfer of clients between virtual servers (for example, from HTTP to HTTPS sites) with no loss of session information.

  New TrafficScript functions for Session persistence:

    connection.setPersistence() - Set the persistence method for a connection
    connection.getPersistence() - Get the persistence method for a connection
    connection.setPersistenceKey() - Set the data used to key the universal persistence algorithm

  Session persistence mappings are propagated between ZXTM machines to ensure sessions remain persistent even after a failure in a ZXTM machine.

* TrafficScript improvements

  Response Rules
  --------------

  TrafficScript rules can now run when a response is received. This allows ZXTM to execute TrafficScript rules which alter responses (response rewriting, modification of HTTP headers), or even discard an unacceptable response and retry the request against a different node.

  New TrafficScript functions for response rules:

    response.get() - Get the response data
    response.getLength() - Get the amount of data in the response
    response.getLine() - Get a line from the response data
    response.set() - Set the response data
    response.append() - Append to the response data
    response.close() - Close the connection to the back-end node
    response.flush() - Send response data to the client
    response.getRemoteIP() - Get the IP address of the back-end node
    response.getRemotePort() - Get the port of the back-end node
    response.getLocalIP() - Get the IP address connected to the node
    response.getLocalPort() - Get the port used to talk to the node
    http.getResponseBody() - Get the HTTP response body
    http.setResponseBody() - Set the HTTP response body
    http.getResponseHeader() - Get an HTTP response header
    http.responseHeaderExists() - Test if an HTTP response header exists
    http.setResponseHeader() - Set an HTTP response header
    http.removeResponseHeader() - Remove an HTTP response header
    http.scrubResponseHeaders() - Send only certain response headers
    http.getResponseCookie() - Get an HTTP response cookie
    http.setResponseCookie() - Set an HTTP response cookie
    http.removeResponseCookie() - Remove an HTTP response cookie
    http.getResponseCode() - Get the HTTP response code (e.g. 200)
    http.setResponseCode() - Set the HTTP response code

  For more information on response rules, refer to the TrafficScript Manual.

  Improved Request Rules
  ----------------------

  New TrafficScript functions have been added to make it easier for Request Rules to reliably parse persistent protocols such as POP3 or SMTP, and to make it easier to manage the connections to the client and the server.
    request.endsWith() - Indicate where the current request ends
    request.endsAt() - Indicate the length of the current request
    request.retry() - Retry a request against a node
    request.getRetries() - How many times a request has been retried
    request.isResendable() - Find out if the request can be resent
    request.avoidNode() - Avoid using a named node on a retry
    request.sendResponse() - Send a response for a request

  For more information and examples on complex connection handling techniques, refer to the TrafficScript manual.

  Other changes
  -------------

  Some functions, mostly associated with request handling, have been renamed to avoid confusion with the new response rule functionality. The old versions continue to exist, but are marked as deprecated, and warnings will appear when checking the syntax of a rule in the user interface, and on the diagnosis page.

  lang.ord() and lang.chr() now work as expected.

  Other new TrafficScript functions:

    string.encrypt() - Encrypt a string, preventing alteration by clients
    string.decrypt() - Decrypt an encrypted string
    string.htmlEncode() - Encode a string so that it is HTML safe
    string.htmlDecode() - Decode HTML entities
    string.sprintf() - Format a string, like the standard sprintf
    xml.validate.xsd() - Validate an XML document against an XML schema
    resource.getmtime() - Get the time a resource file was altered
    pool.activeNodes() - Get the number of working nodes in a pool
    pool.select() - Specify the pool for a connection, without stopping rules processing
    connection.data.set() - Store per-connection data
    connection.data.get() - Retrieve per-connection data
    connection.getNode() - Get the name of the node used by a connection
    connection.getPool() - Get the name of the pool used by a connection
    connection.getVirtualServer() - Get the name of the Virtual Server managing the connection
    http.setCookie() - Set an HTTP cookie in a request
    http.removeCookie() - Remove an HTTP cookie from a request
    http.getFormParm() - Read a form parameter from a query string or POST data
    http.removeHeader() - Remove an HTTP header from a request

  Changed functions:

    string.regexmatch() - Can now perform case insensitive matches
    string.regexsub() - Can now perform case insensitive matches
    http.request.get() - Extra request headers can now be specified
    http.request.post() - Extra request headers can now be specified

Other changes in 3.0
--------------------

* PCRE regex library

  ZXTM now uses the PCRE regular expression library (see http://www.pcre.org). This provides consistent regular expression interpretation across all the platforms supported by ZXTM. PCRE provides Perl-compatible regular expressions which differ slightly from POSIX regular expressions. In the vast majority of cases, no changes to TrafficScript regular expressions will be needed.

* Improved MIME type auto-detection

  MIME type auto-detection now uses a larger database of MIME type signatures, and should be considerably more useful.

* Performance improvements

  ZXTM 3.0 contains a number of performance improvements to increase the speed and decrease the memory usage of individual connections.

* User interface improvements

  The ZXTM User interface has been improved, to provide a cleaner, easier to use admin interface.

ZXTM 2.0r1 -> 1st July 2004
===========================

ZXTM 2.0r1 is a minor revision of Zeus Extensible Traffic Manager 2.0, containing several enhancements and bug fixes. You are recommended to upgrade when convenient to take advantage of the improvements.
Program Alterations and Bug Fixes since 2.0
-------------------------------------------

* TrafficScript:

  Additional functions make it easier to parse binary datastreams: lang.char() and lang.ord() convert between integers and ASCII characters; string.intToBytes() and string.bytesToInt() convert between integers and network-order byte strings; string.dottedToBytes() and string.bytesToDotted() convert between IP addresses and network-order byte strings; string.intToBER() and string.BERToInt() convert between integers and BER-encoded integers; string.replaceBytes() and string.insertBytes() give easy ways to modify unparsed strings.

  Additional functions make it easier to manage external resources: resource.exists() checks whether an external resource file exists; resource.getMD5() returns an external resource file's MD5 hash.

* UI: The status applet chart graphs relative traffic amounts for each virtual server.

* Bug fixes: improvements to the connection handling, SSL and TrafficScript to resolve several stability problems.

ZXTM 2.0 -> 30th April 2004
===========================

Zeus Extensible Traffic Manager (ZXTM) is a powerful Internet traffic management platform that delivers improved availability, scalability, manageability and security for networked applications.

The ZXTM platform contains the following components:

* Core Traffic Manager software: The software can be installed on one or more machines ('traffic managers') to create a ZXTM cluster. The software accepts and processes network requests before distributing them across back-end server nodes.
* Distributed Administration and Configuration: Each traffic manager provides a secure web-based Admin Server. All the traffic managers in a ZXTM cluster share their configuration, so any Admin Server can be used to manage the cluster.
* Fault Tolerance: A ZXTM cluster containing two or more traffic managers can operate in a fully fault-tolerant mode.

Platform Availability for ZXTM 2.0
----------------------------------

ZXTM 2.0 can be installed on the following platforms:

* Linux (x86, IA64, x86_64)
* Solaris (SPARC, x86)
* FreeBSD (x86)

Key new features in ZXTM 2.0
----------------------------

Manageability Improvements:

* Revised Admin Server user interface.
* SNMP support.
* Fine-grained user-based control of read and write access to the Admin Server.
* Status Applet, Diagnosis and Configuration Summaries give a clear overview of the activity, health and configuration of the system.
* Configuration can be backed up, restored and migrated between clusters.

Health Monitoring:

* ZXTM actively monitors back-end nodes and can raise alerts or execute custom corrective actions if a failure is detected.
* Custom monitors can monitor a wide range of services and failure types.

SSL Re-encryption:

* Any TCP traffic may be encrypted by ZXTM before forwarding on to a server.
* HTTPS traffic may be decrypted, managed locally and re-encrypted for full end-to-end security.
* Full support for SSL authentication and authorisation using server and client certificates, certificate authorities and CRLs.

Service Protection:

* ZXTM restricts concurrent connections and new connection rates from individual clients to mitigate connection-flooding attacks.
* ZXTM validates the correctness of HTTP requests, and can protect against a range of HTTP-based attacks.
* Custom protection rules to reject requests based on content can be used to protect against web worms and viruses.
* Configurable attack logging.
* Test and debug modes allow protection policies to be tested without affecting service.

Content Compression:

* HTTP and HTTPS content can be compressed on-the-fly.

XML Validation and Transformation:

* ZXTM can validate and translate incoming XML data using XSLT.
* Translated data can be used in traffic routing decisions, and to offload translation from back-end servers.
TrafficScript:

* Additional TrafficScript functions extend the capabilities of ZXTM, including the ability to contact external services to assist in traffic rewriting and routing decisions.

Activity Monitoring:

* Real-time activity monitoring of traffic through the ZXTM cluster.
* Activity statistics available via SNMP.
* Activity can be graphed and analysed within the Admin Server, or exported to an external analysis package.
* Active Connection reports to describe the precise, instantaneous state of the cluster.

Historical Activity:

* Historical traffic activity statistics are maintained for analysis.
* Can be graphed and analysed within the Admin Server, or exported to an external analysis package.

Traffic Logging:

* Comprehensive, configurable traffic logging.

Documentation:

* Improved context-sensitive on-line help.
* Updated Getting Started guide.
* Added comprehensive User Manual.
* Added TrafficScript manual.

ZXTM 2.0 Early Adopter Release -> 7th November 2003
===================================================

Key Features in ZXTM 2.0 EA
---------------------------

Protocol Support: ZXTM 2.0 supports all TCP-based protocols, and simple UDP-based protocols. It includes specialised protocol-handling support for HTTP and FTP.

Load Balancing and Session Persistence: Load Balancing algorithms effectively distribute traffic across a number of back-end server nodes. Session Persistence methods can be used to preserve application-level sessions.

Traffic Inspection and Manipulation: TrafficScript rules can be used to inspect and manipulate traffic, and make alternative routing decisions based on the traffic type and contents.

SSL Decryption: SSL Decryption allows the traffic managers to decrypt incoming SSL traffic prior to inspection, manipulation and load balancing.

Fault Tolerance: Traffic Managers can detect and avoid failures in the back-end server nodes. A ZXTM cluster containing two or more traffic managers can operate in a variety of fully fault-tolerant modes, resistant to failures in both the back-end server nodes and the traffic manager machines.

Supported Platforms
-------------------

ZXTM 2.0 EA can be installed on the following platforms:

* Linux (x86, IA64, x86_64, PPC)
* Solaris (SPARC, x86)
* FreeBSD (x86)

Known issues in ZXTM 2.0 EA
---------------------------

Parallel installations: ZXTM can be installed as a fault-tolerant cluster of machines which automatically share their configuration. New machines should be added sequentially to a ZXTM cluster, to ensure that configuration is consistent across the cluster. Scripting the ./configure installation process to add many machines to the same cluster in parallel is not supported.