Barracuda Load Balancer Release Notes - Version 4.2.3.004

• Vulnerability fix: OpenSSL vulnerabilities outlined in CVE-2014-0224, CVE-2014-0198, CVE-2010-5298 addressed.

Version 4.2.3.003:

• Fixed: The system and API passwords are encrypted and stored in the local database. [BNSEC-1320 / BNLB-4322, BNSEC-1324 / BNLB-4323]
• Fixed: Private key associated with the signed certificate was not stored even though Assign Associated Key was enabled. This issue has been fixed now. [BNLB-4654]
• Fixed: Kernel issues that can lead to a system hang in some configurations. [BNLB-4423]

Firmware Version 4.2.2

New Features

• Created or updated the following guides to assist in deployment with the Barracuda Load Balancer. These guides are found in the Barracuda Networks TechLibrary:
  • New: VMware View Deployment.
  • New: Microsoft Exchange Server 2013 Deployment
  • Updated: Steps to deploy Microsoft Lync Mobility are included in How to Deploy with Microsoft Lync Server 2010
• Service Monitor HTTP tests now include the ability to perform a POST request. [BNLB-4225]
• Added option to select an interface when performing a Ping test. [BNLB-4098]
• Generate SNMP trap if available memory is less than 25%. [BNLB-4070]
• Replaced Protocol column in the Services table on the BASIC > Server Health page with Service Type. [BNLB-4009]
• Added host header to Microsoft SharePoint authentication check. [BNLB-3960]
• Can manually enable or disable standard ciphers. [BNLB-3920]
• Added a �Weighted Least Connections� load-balancing policy to client impersonation-enabled services. [BNLB-3846]
• Layer 7 FTP Proxy Services support using MLSD and MLST. [BNLB-3016] [BNLB-4248]
• Increased flexibility of content rules with regards to adding and monitoring servers. [BNLB-2875] [BNLB-4125]

Version 4.2.2.009:

• Fixed : OpenSSL vulnerability [ CVE-2014-0160 ] for TLS/DTLS Heartbleed attack has been addressed. [ BNLB-4774 ]

Version 4.2.2.008:

• Fixed : High severity vulnerability: arbitrary command execution, remotely exploitable, unauthenticated. [BNSEC-2001 / BNLB-4489]
• Fixed : Added ability to configure TLS version for SSL communication with real servers. [BNLB-4637]
• Fixed : In rare cases, usually involving authentication with a 401 status code, requests were dropped if the server responded prematurely. These are now forwarded correctly. [BNLB-3959]
• Fixed : Primary unit sends a higher priority VRRP advertisement when recovering from a failed state in manual failback mode. [BNLB-4493]
• Fixed : URL encoding is performed for the ampersand (&) character in URL Translations > Redirect Rules. [BNLB-4522]
• Fixed : When clustered, the two systems assume the correct active-passive state combination. [BNLB-4520]
• Fixed : The "Critical Events" number is displayed correctly on the BASIC > Status page. [BNLB-4505]
• Fixed : Alert messages are generated only for the Services which have "Enable Notification" set to Yes. [BNLB-4373]
• Fixed : Restored ability to create a bond interface after updating to firmware version 4.2.2.007. [BNLB-4531]
• Fixed : Fixed issue where web interface was listening on all available interface IP addresses, causing SSL enabled services to fail. [BNLB-4621]

Version 4.2.2.007:

• Behavior change: If you are using an SNMP monitor, make sure that its IP address is in the Allowed SNMP IP/Range table on the ADVANCED > SNMP Configuration page. If no IP addresses are entered in that field, SNMP access is not allowed. [BNLB-4551]
• Fixed : Issues with monitor groups for monitoring servers associated with content rules. [ BNLB-4476 ] [ BNLB-4478 ] [ BNLB-4480 ]
• Fixed : Client session for RDP traffic are not persisted to the correct server. [ BNLB-4387 ]

Version 4.2.2.006:

• Fixed : Fixed memory leak in Exchange 2010 deployments. [BNLB-4337]
• Fixed : Core system modules have been upgraded to resolve out of memory errors. [ BNLB-4327 ]
• Fixed : Improved GUI memory management and performance when system memory is low. [ BNLB-4123 ]
• Fixed : Show LAN interface configuration as unavailable in a virtual machine if the second adapter is not found. [BNLB-4274 ]
• Fixed : Cookie persistence is maintained during HA failover. [BNLB-4100]
• Fixed : Added multiplier tag option for Adaptive Scheduling for SNMP CPU (to account for multiple cores and differing behavior between Linux and Windows). [BNLB-4120]
• Fixed : Outlook client failover from one CAS to another occurs quickly. [BNLB-4133]
• Fixed : Outlook client is able to download a large mailbox (>1.5GB) when using RPC over HTTP. [BNLB-4231]
• Fixed : All configured SNAT rules are maintained even after failover and fallback. [BNLB-4232]
• Fixed : Custom cipher is not used if default cipher is selected. [BNLB-4258]
• Fixed : Load Balancing with weighted least connections and TCP Proxy works as expected. [BNLB-4310]
• Fixed : Last Resort Server setting is maintained after failover and failback. [BNLB-4348]
• Fixed : Data part of Active FTP connection uses VIP address rather than WAN IP address of the Load Balancer. The WAN IP address was used if IP Masquerading was turned on. [BNLB-2645]
• Fixed : When using Internet Explorer 9, Server Health page shows column checkboxes correctly. [BNLB-3565]
• Fixed : Disabled LAN management access option in UI while in High Availability mode. [BNLB-3634]
• Fixed : Redirect Rule element type pathinfo works as expected. [BNLB-4010]
• Fixed : Common name field in BASIC > Certificates page displays subject common name instead of issuer common name. [BNLB-4015]
• Fixed : CPU temperature displays correctly on the BASIC > Status page. [BNLB-4097]
• Fixed : BASIC > Server Health page shows correct value for traffic. [BNLB-4159]
• Fixed : If server is down/disabled/in maintenance mode, then the Adaptive Scheduling SNMP CPU test for that server returns value of 0. [BNLB-4182]
• Fixed : If Direct Server Return is enabled, SIP health check works correctly. [BNLB-4195]
• Fixed : SSH to servers works with Layer 4 TCP ALL port service. [BNLB-4201]
• Fixed : Added more log file maintenance routines to conserve disk space. [BNLB-4209], [BNLB-4221]
• Fixed : For GSLB, test for the first site shows accurate results in user interface. [BNLB-4251]
• Fixed : Only unique entries for HTTP content type in compression rules are allowed. [BNLB-4265]
• Fixed : UDP Proxy Service for port 123 (NTP) works when first created. [BNLB-4277]
• Fixed : When server is disabled and then re-enabled, the Traffic to Servers graph for that server shows accurate data instead of spikes. [BNLB-4333]
• Fixed : Service/server health probe failure reason appears in BASIC > Event Log, even if name of Service/server includes a '-' or '_'. [BNLB-4334]
• Fixed : Status and link speed display correctly for a bonded interface.[BNLB-3785]
• Fixed : Automated SMB backups work. [BNLB-3893]
• Fixed : Server restore alert email is sent when required by a group monitor test. [BNLB-4316]

Firmware Version 4.2.1

New Features

• Configure redirect rules across HTTP/HTTPS services. [BNLB-2599]
• 10G interface support. [BNLB-2916]
• Specify SSL protocols and ciphers to the frontend SSL. [BNLB-3995]
• Specify SSL protocols for the backend SSL. [BNLB-4059]

Version 4.2.1.007:

• Fixed : Resolved issue with potential SSH access to unit when not deployed behind a firewall. To completely disable remote support functionality, contact Barracuda Networks Technical Support. Reported by Stefan Viehböck, SEC Consult Vulnerability Lab (https://www.sec-consult.com). [ BNSEC-767 ]
• Fixed : SSH working with L4 TCP ALL Port service. [ BNLB-4201 ]

Version 4.2.1.006:

• Fixed : Multiple IP's are now handled correctly when passed in header configured in the 'Actual Client IP Header' parameter. [ BNLB-4090 ]
• Fixed : POST requests without a Content-Type header are now handled correctly.
• Fixed : CVE-2012-4929, CVE-2012-4930 on the possible vulnerability to SSL/TLS CRIME attack is addressed. [ BNLB-4022 ]
• Fixed : 'Service down' emails are triggered only when all the servers attached to the service are down. [ BNLB-4086 ]
• Fixed : Intermittent issue with rendering of existing services on the Service page. [ BNLB-3953 ]
• Fixed : Added support for prioritizing the order of Cipher suites. [BNLB-3920 ]

Version 4.2.1.004:

• Added: Configuration of maximum allowed length for a HTTP Header. [BNLB-3427]
• Fixed: Configure last resort servers for Content Rules. [BNLB-3485]
• Fixed: Speed/duplex mode remains unchanged after system reboot. [BNLB-3698]
• Fixed: Management IP configuration variable setting recognized. [BNLB-3870]
• Fixed: HTTP Cookies greater than 64Kb in size also allowed. [BNLB-3914]
• Fixed: Intermittent loss of access to the Barracuda Load Balancer web interface when HTTPS-only is enabled. [BNLB-3917]
• Fixed: Status of fan and temperature details now report properly on Barracuda Load Balancer model 640. [BNLB-3969]
• Fixed: Support tunnel opens as expected through Barracuda Cloud Control when Establish Connection To Barracuda Support Center is clicked. [BNLB-4030]
• Fixed: HttpOnly field for persistence cookie is configurable.[BNLB-3900]

Firmware Version 4.2

New Features

• Configure multiple physically segregated network(s).
• Configure Link Bond(s).
• Configure WAN and/or LAN IP Address on a VLAN or Link Bond.
• Configure a default gateway on the MGMT port.

Version 4.2.0.019:

• Fixed: Periodic management GUI outage when HTTPS/SSL Access-Only is set to Yes under ADVANCED > Secure Administration.
• Fixed: Management GUI outage when it has not been accessed for more than 10 days.
• Fixed: Layer 7 RDP service outage due to incorrect connection cleanup.

Version 4.2.0.016:

• Fixed: RDP Proxy now works correctly with token-based persistence.
• Fixed: Subscription Status under BASIC > Status page does shows garbled strings.
• Fixed: High Availability Failover/Failback is delayed if Outbound SMTP Host is not reachable.
• Fixed: SSL offloaded services will not accept client initiated renegotiation and will close the TCP connection instead.
• Fixed: Computation used to calculate the new weight of the server for SNMP CPU-based Adaptive Scheduling will also factor in the number of CPU cores in the server.
• Fixed: Rebooting the active unit in a High Availability setup in Manual Failback Mode results in it becoming active again.
• Fixed: A possible outage when the request contains more than 65000 cookies or a header which exceeds 1M in size is addressed. Barracuda Load Balancer now drops such requests.

Known Issues

• This firmware introduces a new optimized data store format for storing historical statistics which are displayed on the BASIC > Status page. The new format is incompatible with the data store used in firmware version 4.1 or earlier. After upgrade to 4.2, graphs display statistics collected only after the upgrade.

Firmware Version 4.1

New Features

• Added support for IPv6 addresses.
• IPS definitions have been updated to version 1.0.412. If you later revert to a previous firmware version, the IPS definitions will also revert to the previously installed version.
• You can now configure the management IP address from the Administrative Console. This was already available from the BASIC > IP Configuration page.
• Backups can now be encrypted using a key configured on the ADVANCED > Backup page.

Version 4.1.0.035:

• An alert email can be generated on High Availability failover or failback.
• If a cluster is broken, the configuration in the passive unit will be deleted. Previously, the Services were not removed, which could have resulted in an IP address conflict.
• For persistence based on HTTP cookie, you can now specify a cookie domain, path and secure option. The cookie domain and path is used to restrict the domains and/or path within which the cookie should be used. Enabling the secure option means the cookie will be used only in secure (SSL) connections.
• Persistence cookies are now tagged with the HttpOnly flag, forcing the client to use the cookie only when sending a request. Client side scripts will not be able to access these cookies.
• You can now associate an IP address with a different geographical region in the GSLB database.
• Fixed 500 error that occurred when making GSLB configuration changes when the Barracuda Load Balancer was offline.
• Fixed: Issue where upgrade to 4.1.0.030 on certain 340 systems caused an unrecoverable error.

Firmware Version 4.0

New Features

• Added SNI (Server Name Indication) support so that a load-balanced Service can host multiple certificates, one for each domain for which it handles traffic.
• Added support for a management port (the Ethernet port on the back side of the Barracuda Load Balancer).
• Enhanced caching and compression using content rules.
• The Barracuda Load Balancer is now available as a Virtual Appliance.
• Added a new Service type, UDP Proxy.
• Added the ability to create Monitor Groups, which contain one or more tests, on the ADVANCED > Monitor Groups page. A Monitor Group can be used as the Testing Method for a Service and/or Real Server.
• Services that perform SSL offloading now have a "secure" Service type. Existing Services that have the following types will be updated when this firmware version is installed.
  • Services with type TCP Proxy with SSL offloading enabled will have Service type Secure TCP Proxy.
  • Services with type Layer 7 - HTTP with SSL offloading enabled will have Service type Layer 7 - HTTPS.
  • Services with type Layer 7 - FTP with SSL offloading enabled will have Service type Layer 7 - FTPS.

Version 4.0.0.028:

• Added new Service Monitor testing methods for Microsoft SharePoint and SFTP (SSH File Transfer Protocol). [BNLB-1825, BNLB-2727]
• Can now turn on Source Network Address Translation while deployed in bridge-path mode. [BNLB-2547]
• Cookie persistence with a specific domain and optional path is now supported. [BNLB-2811]
• Added a new object, RealServerOperationStatus, to the SNMP MIB so that status of a Real Server can be queried using SNMP. [BNLB-2330]
• Added troubleshooting tools on the ADVANCED > Troubleshooting page to display the ARP table, routing table and interface MAC addresses for the Barracuda Load Balancer. [BNLB-2825]
• Added a tool on the ADVANCED > Troubleshooting page that creates a problem report package of configuration and other files that can be sent to Barracuda Networks Technical Support.
• Intrusion Prevention System (IPS) logs are now sent to the syslog server. [BNLB-2481]
• Community string for SNMP traps can be configured on the ADVANCED > SNMP Configuration page.
• Can now configure the standard SNMP Location object on the ADVANCED > SNMP Configuration page. [BNLB-3022]
• Improved accuracy of statistics for RDP Services on the BASIC > Server Health page. [BNLB-2810]
• Email notifications should be sent out promptly when the Service Monitor detects that a Real Server is down. [BNLB-1027, BNLB-2848]
• Fixed issue where Autodiscover (on BASIC > Services page) picked up server names instead of IP addresses and then did not recognize them as valid. [BNLB-2964]
• Load URL values for Layer 7 Services are now used correctly in all cases when doing adaptive scheduling. [BNLB-2952]
• Results of manual tests conducted on the Service Detail page are now displayed when using Firefox version 4.0 and later. [BNLB-2860]
• Fixed issue where port 705 was found open in some cases. [BNLB-2911]
• Fixed issue where the Failover/Failback button on the ADVANCED > High Availability page disappeared when failback was set to manual. [BNLB-2736]
• A more detailed description of the reason for failure of the manual Server Monitor tests is provided. [BNLB-2765]
• Port 8002 on WAN IP is now closed when in standalone mode. [BNLB-2913]