Protecting internet-facing applications requires more than a firewall at the network perimeter. Organizations need to authenticate users before they access backend resources, enforce consistent access policies and defend against various attack types. The Progress® Kemp® Free Load Balancer solution includes integrated edge security, single sign-on (SSO) and advanced authentication capabilities that help teams build layered application security directly into their application management infrastructure without any licensing costs (for non-commercial uses — see below).
Edge security refers to the practice of applying security controls at the network edge, the point where traffic enters the organization’s infrastructure or moves between separate networks. By intercepting and inspecting traffic at network borders, edge security creates an additional defensive layer against threats.
SSO and authentication capabilities complement edge security by also verifying user identity at the edge. Instead of allowing unauthenticated traffic to reach backend applications, a load balancer can challenge users to prove their identity before allowing access. Only authenticated and authorized users are permitted to access services beyond the edge of the network.
The Free Load Balancer solution can handle the authentication process on behalf of backend applications through a mechanism called pre-authentication. When a user attempts to access a protected service, the Free Load Balancer solution intercepts the request, presents an authentication challenge and only forwards successful requests to the backend servers. This process works as follows:
1. A user attempts to access a web application or service that is logically behind the load balancers.
2. The Free Load Balancer solution presents a login form or authentication prompt that validates credentials against a configured identity provider, such as Active Directory or a RADIUS server.
3. If the user provides valid credentials and meets group membership or policy requirements, the Free Load Balancer solution can forward the request to the appropriate backend server. If authentication fails, the request is dropped and never reaches the backend infrastructure.
This approach removes the authentication burden from backend applications and centralizes identity verification at a manageable control point.
Deploying authentication and security controls at the network edge delivers measurable benefits that directly impact an organization's security posture, user experience and operational efficiency.
Pre-authentication helps prevent unauthenticated traffic from reaching backend servers. By validating user identity before forwarding requests, the Free Load Balancer solution helps block unauthorized access attempts, credential stuffing attacks and automated scanning tools from interacting with application infrastructure. Backend servers process traffic only from users who have already passed authentication checks, thereby supporting more efficient backend operations.
Rather than configuring authentication independently on each backend application, organizations can manage access policies collectively. The Free Load Balancer solution integrates with existing identity infrastructure, including Active Directory and RADIUS servers, allowing administrators to apply consistent authentication requirements across all services. Group membership validation adds another layer of control, restricting access to specific applications based on a user's directory service group assignments.
Single sign-on allows authenticated users to move between multiple services behind the load balancer without having to re-enter their credentials, assuming this doesn't conflict with a Zero-Trust model that mandates specific, separate authentication for each service or access request. The Free Load Balancer solution, like the commercial LoadMaster product, can operate as a Zero-Trust Access Gateway. SSO reduces friction for end users while supporting the organization’s security controls. SSO works across virtual services configured on the Free Load Balancer solution, providing a seamless experience regardless of how many backend applications a user needs to access.
Edge authentication works alongside the other Free Load Balancer security capabilities, including the Web Application Firewall (WAF), IPS/IDS and TLS/SSL encryption. Together, these features create multiple layers of defense. The WAF inspects traffic content for application-layer attacks, the IPS/IDS monitors for suspicious network patterns and pre-authentication verifies user identity, all before traffic reaches backend servers. This layered approach helps strengthen an organization's overall security posture.
Free Load Balancer includes soft lockout, which temporarily restricts access after multiple failed authentication attempts. This feature helps defend against brute-force and credential-stuffing attacks by slowing down automated tools that cycle through large volumes of username and password combinations. Combined with support for two-factor authentication, these capabilities make credential-based attacks significantly more difficult for threat actors to execute.
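The pre-authentication steps and the soft lockout described above can be modeled generically as follows. This is an added illustration, not Kemp or LoadMaster code; the directory contents, the thresholds and the names `PreAuthGate`, `handle` and `demo` are assumptions.

```python
import hmac
import time
from dataclasses import dataclass, field

# Constructed sample directory standing in for AD/RADIUS (not real accounts).
DIRECTORY = {
    "alice": {"password": "correct-horse", "groups": {"crm-users"}},
    "bob": {"password": "battery-staple", "groups": {"hr-users"}},
}

@dataclass
class PreAuthGate:
    required_group: str
    max_failures: int = 3    # assumed threshold
    window: float = 300.0    # assumed: failures counted over 5 minutes
    lockout: float = 600.0   # assumed: soft lockout lasts 10 minutes
    failures: dict = field(default_factory=dict)      # user -> [timestamps]
    locked_until: dict = field(default_factory=dict)  # user -> unlock time

    def handle(self, user, password, now=None):
        """Return 'forward' or a drop reason (for the log, not the client)."""
        now = time.time() if now is None else now
        # Check the lockout first: a locked account never reaches the
        # credential check, even with the right password.
        if self.locked_until.get(user, 0) > now:
            return "drop:locked"
        entry = DIRECTORY.get(user)
        # Plaintext comparison stands in for a bind to the identity provider.
        ok = entry is not None and hmac.compare_digest(
            entry["password"].encode(), password.encode())
        if not ok:
            recent = [t for t in self.failures.get(user, []) if now - t < self.window]
            recent.append(now)
            self.failures[user] = recent
            if len(recent) >= self.max_failures:
                self.locked_until[user] = now + self.lockout
            return "drop:bad-credentials"
        self.failures.pop(user, None)  # success resets the failure count
        if self.required_group not in entry["groups"]:
            return "drop:not-in-group"
        return "forward"

def demo():
    """Replay a constructed sequence of logins with explicit timestamps."""
    gate = PreAuthGate(required_group="crm-users")
    steps = [("alice", "correct-horse", 0), ("bob", "battery-staple", 0),
             ("alice", "guess1", 10), ("alice", "guess2", 20), ("alice", "guess3", 30),
             ("alice", "correct-horse", 40), ("alice", "correct-horse", 631)]
    return [gate.handle(u, p, now=t) for u, p, t in steps]
```

The replay shows that a valid password is still refused while the lockout is active, and that access resumes once the lockout period has passed.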
The Free Load Balancer solution includes a broad set of authentication and edge security features running the same codebase as Progress’s commercial LoadMaster products. These features allow teams to model and test real-world security configurations without a commercial license.
Pre-Authentication
The Free Load Balancer solution challenges users to authenticate before forwarding requests to backend servers. This helps prevent unauthenticated traffic from ever reaching application infrastructure and gives administrators control over who can access protected services.
Single Sign-On (SSO)
SSO allows users to authenticate once and access multiple virtual services without re-entering credentials. Free Load Balancer manages session tokens across services, reducing login friction while maintaining centralized authentication control. IT teams can also deploy Free Load Balancer in a way that fits into Zero-Trust deployments.
Active Directory Integration
Free Load Balancer integrates directly with Microsoft Active Directory (AD) for user authentication and group membership validation. Administrators can restrict access to specific applications based on AD group membership, applying granular access control policies without modifying backend applications.
RADIUS Authentication
For environments using RADIUS-based authentication infrastructure, Free Load Balancer supports RADIUS as an authentication backend. This allows organizations to leverage existing RADIUS deployments for load-balancer pre-authentication.
Two-Factor Authentication
The Free Load Balancer solution supports two-factor authentication, including RSA SecurID integration. Adding a second authentication factor beyond username and password helps protect against credential theft and unauthorized access, even if a user's primary credentials become compromised.
Customizable Forms-Based Authentication
Administrators can customize the login forms presented to users during the pre-authentication process. This allows organizations to brand the authentication experience and tailor it to their specific requirements.
Persistent Logging and Reporting
Free Load Balancer logs authentication events, providing visibility into access patterns, failed login attempts and potential security incidents. These logs support security monitoring and help teams identify suspicious authentication activity.
Notes on Free Load Balancer Restrictions
IT teams frequently use Free Load Balancer for testing and development environments that mirror commercial deployments. You can also use it for non-revenue-generating deployments in production. However, it is limited to 20 Mbps of Layer-7 traffic throughput and to 50 SSL TPS. It lacks Active/Hot-standby redundancy and Multi-Node Clustering.
The WAF is the full commercial engine, but it doesn't include the robust rule set that a commercial LoadMaster support subscription provides. You can create or import any ModSecurity-compatible rules you need without restrictions.
Read more and compare it to a commercial LoadMaster licensed deployment.
Free Load Balancer serves multiple deployment scenarios where organizations need to test and validate edge security and authentication configurations. While commercial LoadMaster licenses better suit mission-critical production deployments, the Free Load Balancer solution excels for designing, piloting and testing authentication architectures before production rollout, or for non-commercial application deployment projects. Organizations can upgrade to commercial LoadMaster licenses without reinstalling or reconfiguring their deployment. This preserves all configurations, operational knowledge and skill investments. Teams can develop expertise on the Free Load Balancer solution and transition to commercial licensing as technical or business requirements change.
Teams deploying Microsoft business applications on premises can use the Free Load Balancer solution to test pre-authentication and SSO configurations. The load balancer acts as a reverse proxy, authenticating users at the edge before granting access to Microsoft services, replacing legacy solutions such as Microsoft Forefront Threat Management Gateway (TMG).
Development and QA teams use the Free Load Balancer solution to validate WAF rules, authentication workflows and access control policies before deploying to production. Testing edge security configurations in a non-production environment helps identify misconfigurations that could either block legitimate users or leave applications exposed.
Organizations running multiple web applications use the Free Load Balancer solution to test SSO configurations across services. Teams can validate that users authenticate once and move between applications without interruption, verifying that session management and group-based access controls function correctly across the full application portfolio. They can also test how load balancers fit into any Zero-Trust models in use.
Download Free Load Balancer now to start building an authentication infrastructure that supports strong security practices and efficient operations.