Forum Discussion
Anybody have any luck configuring BlackBerry Social Network Application Proxy on LTMs???
Not having much luck getting this working on my 8400 LTM pair. The only information I received from our Design Group is a little snippet from a BlackBerry document...
Configuring load balancing using an F5 BIG-IP load balancer
To configure end-to-end load balancing using an F5 BIG-IP load balancer, you can perform the following tasks:
• Install and configure the BlackBerry Social Networking Application Proxy on each computer that you want to include in the load balancing environment.
• Configure your organization's BIG-IP load balancer to balance the cluster of BlackBerry Social Networking Application Proxy instances using JSESSIONID.
• To enable SSL authentication, import the certificate for the BIG-IP load balancer into the certificate store of each BlackBerry MDS Connection Service that is associated with each BlackBerry Social Networking Application Proxy.
I've created a basic iRule found here...https://support.f5.com/kb/en-us/sol...l7392.html
when HTTP_RESPONSE {
    # The server set a JSESSIONID: record which pool member owns this session
    if { [HTTP::cookie exists "JSESSIONID"] } {
        persist add uie [HTTP::cookie "JSESSIONID"]
    }
}
when HTTP_REQUEST {
    # The client presented a JSESSIONID: send the request to the member recorded above
    if { [HTTP::cookie exists "JSESSIONID"] } {
        persist uie [HTTP::cookie "JSESSIONID"]
    }
}
However the Design team is indicating the following URLs need to be accessed when the client app is configured.
URLs (Production):
Sharepoint: https://MailSnap:23443/sp-110/
File Service: https://MailSnap22445/fileservices-110/
I am unable to assign an iRule to an HTTPS profile, so how would I go about doing this? I went ahead and created a self-signed cert on the LTM and passed this on to the Mail group. At this point I'm completely lost. Not sure what to try next.
Any suggestions or ideas would be appreciated.
Thanks
Brian
8 Replies
- What_Lies_Bene1
Cirrostratus
Hey Brian. Lots of long and (mostly interesting) posts like this today. Nothing wrong with the iRule, but you are persisting using the JSESSIONID, not balancing - bad language from BlackBerry there. What load balancing method are you actually using? Round Robin?
OK, so onto the main point;
- Firstly, you need to create a custom Universal Persistence profile and select the iRule you've created there.
- Secondly, you need to assign that profile to the Virtual Server.
That covers the persistence, but it looks like you have SSL issues too. Is the requirement to have the LTM terminate the SSL and for it to be clear text from there? Please elaborate.
- theXfactor82_91
Nimbostratus
Steve,
Thanks for the response. I'll try to answer your questions as best I can.
First... I am using Round Robin for both Pools configured.
Secondly... I did create the Universal Persistence profile and assigned the above iRule to it with a custom timeout value of 300 seconds. However, when I try to apply this iRule to the Virtual Server it says I cannot because I am not using an HTTP profile. My assumption is I shouldn't be using the HTTP profile as both URLs are SSL.
I created the self-signed cert and exported it so that the Design guys could import it onto their MDS Servers. The servers were chirping about invalid certs. I couldn't even tell you for sure if the data needs to be encrypted straight through or terminated on the LTM. The Design guys indicated that the URLs were configured when the app is configured and they are unable to change them from SSL to HTTP.
I've got a Webex with the BlackBerry support team tomorrow morning. Hopefully they can give me some insight as to how this bloody application works!!!
- theXfactor82_91
Nimbostratus
Steve,
One thing I forgot to ask was couldn't we just use the LTM to persist the traffic via cookies or source address persistence? Not sure why JSESSIONID is their only suggestion.
- What_Lies_Bene1
Cirrostratus
OK, so I think your issue is really with the SSL and overall design (although I would recommend Least Connections as the LB method). Based on the fact you need end-to-end SSL (based on the comment from the 'design guys') you have a couple of options:
1) As you suggest, use a different persistence method that doesn't require LTM to decrypt and inspect the payload - this doesn't make use of lots of LTM features but should work just fine if you can find a suitable persistence method. This is probably not what BB would want.
2) Install a suitable (what that means for you I don't know) SSL certificate and create a ClientSSL profile; assign that, an HTTP profile and the persistence profile to the VS on LTM. SSL traffic will be decrypted and can be inspected, and you can make use of caching, compression and other features. Install a suitable SSL certificate on the real servers, create a bog-standard ServerSSL profile on LTM and assign it to the same VS. Now traffic between the LTM and real servers will be re-encrypted and there won't be any issues with https links in responses.
From a configuration point of view this is pretty standard stuff LTM-wise, and option 2) provides suitable security and acceleration and will help you with future troubleshooting, as you'll be able to run packet captures on the F5 and capture unencrypted traffic.
How you handle the SSL side of things is another story; that's influenced more by company and security policy, InfoSec and the server-side requirements. In my experience, I've typically used a public, CA-signed cert client side (i.e. installed on the LTM) and private, self-signed certs server side (installed on the servers).
- nitass
Employee
I understand you have to apply both clientssl and serverssl profiles on the virtual server. You may have to import the certificate and key from the server (i.e. mailsnap) into BIG-IP and set them in the clientssl profile. I believe you can use the default serverssl profile (i.e. no need to change anything in the default serverssl profile). Then, apply the http profile and the jsessionid iRule to the virtual server.
- theXfactor82_91
Nimbostratus
Well we are making progress....
We were able to download the files off the Sharepoint site onto the BlackBerry after making a bunch of changes to the BES. The issue I'm still having is related to the JSESSIONID Universal Persistence Profile. When this is applied to the Virtual Server the BlackBerry is unable to retrieve the file. We are receiving a "Server Error - Session Expired" notification. When I switch to Source Address Affinity we are able to get the file without any issues.
Any ideas on what might be wrong with my Universal Persistence Profile?? Only modifications I made to the standard Universal Profile were applying the JSESSIONID iRule and setting the timeout value to 300 seconds.
- nitass
Employee
> Any ideas on what might be wrong with my Universal Persistence Profile?? Only modifications I made to the standard Universal Profile were applying the JSESSIONID iRule and setting the timeout value to 300 seconds.
Is the 300s timeout a recommendation from BlackBerry?
can you try tcpdump on bigip to see what is going on?
e.g.
tcpdump -nni 0.0:nnn -s0 -w /var/tmp/output.pcap host x.x.x.x or host y.y.y.y
x.x.x.x is virtual server ip
y.y.y.y is pool member (server) ip
- theXfactor82_91
Nimbostratus
We were able to get it working. I had to do two things to make it happen.
1. I changed the iRule from the one above to this:
when HTTP_REQUEST {
    # Log details for the request
    set log_prefix "[IP::client_addr]:[TCP::client_port]"
    log local0. "$log_prefix: Request to [HTTP::uri] with cookie: [HTTP::cookie value JSESSIONID]"
    # Check if there is a JSESSIONID cookie
    if { [HTTP::cookie "JSESSIONID"] ne "" } {
        # Persist off of the cookie value with a timeout of 300 seconds (5 minutes)
        persist uie [string tolower [HTTP::cookie "JSESSIONID"]] 300
        # Log that we're using the cookie value for persistence and the persistence key if it exists.
        log local0. "$log_prefix: Used persistence record from cookie. Existing key? [persist lookup uie [string tolower [HTTP::cookie "JSESSIONID"]]]"
    } else {
        # Parse the jsessionid from the path. The jsessionid, when included in the URI, is in the path,
        # not the query string: /path/to/file.ext;jsessionid=1234?param=value
        set jsess [findstr [string tolower [HTTP::path]] "jsessionid=" 11]
        # Use the jsessionid from the path for persisting with a timeout of 300 seconds (5 minutes)
        if { $jsess != "" } {
            persist uie $jsess 300
            # Log that we're using the path jsessionid for persistence and the persistence key if it exists.
            log local0. "$log_prefix: Used persistence record from path: [persist lookup uie $jsess]"
        }
    }
}
when HTTP_RESPONSE {
    # Check if there is a JSESSIONID cookie in the response
    if { [HTTP::cookie "JSESSIONID"] ne "" } {
        # Persist off of the cookie value with a timeout of 300 seconds (5 minutes)
        persist add uie [string tolower [HTTP::cookie "JSESSIONID"]] 300
        log local0. "$log_prefix: Added persistence record from cookie: [persist lookup uie [string tolower [HTTP::cookie "JSESSIONID"]]]"
    }
}
2. I enabled OneConnect on the Virtual Server.
We are still experiencing slow response times, but I believe that to be on the BES side of things, as the lag is still there when bypassing the LTM.
One thing I'd like someone to confirm for me is, when troubleshooting JSESSIONID persistence, should I not be able to see the info in the /var/log/ltm file???? What level of logging needs to be enabled to see any traffic???
Thanks for all the help on this everyone!!!
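Putting the thread's advice together in one place: Steve's option 2 (a ClientSSL profile, an HTTP profile and the universal persistence profile on the virtual server, with the default ServerSSL profile re-encrypting to the pool), nitass's note that the MailSnap certificate and key are imported into the BIG-IP and set on the client-ssl profile, and Brian's working combination of the final iRule plus OneConnect. The configuration below is an added example written for this page in bigip.conf/tmsh form; it is not from the thread, BlackBerry or F5 documentation. Assumed names and values: the final iRule above saved as an iRule named jsessionid_persist, the certificate and key imported as mailsnap.crt and mailsnap.key, a virtual server at 192.0.2.10:23443 for the Sharepoint URL, two proxy servers at 10.10.10.11 and 10.10.10.12 on the same port, and BIG-IP v11 object syntax. The file-service virtual (port 22445) follows the same pattern with its own pool.

```tmsh
# Added example configuration, not from the thread. Object names, addresses and
# cert/key names are assumed. Load on the BIG-IP with:
#   tmsh load sys config merge from-terminal   (paste, then Ctrl-D)
# then: tmsh save sys config

# Pool of Social Networking Application Proxy servers. Least Connections on the
# member rather than Round Robin, as suggested in the thread. The https monitor
# because the back end speaks TLS on 23443 (the BIG-IP re-encrypts to it).
ltm pool bbsnap_sp_pool {
    load-balancing-mode least-connections-member
    monitor https
    members {
        10.10.10.11:23443 { address 10.10.10.11 }
        10.10.10.12:23443 { address 10.10.10.12 }
    }
}

# Client-side TLS. The BIG-IP presents the MailSnap certificate to the MDS
# Connection Service and decrypts, so the http profile and the iRule can see
# the JSESSIONID cookie and the URI. Without decryption and an http profile,
# "persist uie" on HTTP data cannot be attached to the virtual server, which is
# the error Brian hit. The MDS side trusts the cert it sees here, so it must be
# the one exported to the Design team.
ltm profile client-ssl clientssl_bbsnap {
    defaults-from clientssl
    cert mailsnap.crt
    key mailsnap.key
}

# Universal persistence profile that delegates the decision to the iRule.
# 300 s is the profile-level record timeout; the iRule's "persist uie ... 300"
# sets the same lifetime per record, so the two agree.
ltm persistence universal jsessionid_persist_prof {
    defaults-from universal
    rule jsessionid_persist
    timeout 300
}

# Virtual server. clientssl_bbsnap on the client side, the default serverssl
# profile on the server side (end-to-end TLS, https links in responses keep
# working), http for L7 visibility, and oneconnect so the load-balancing and
# persistence decision is re-evaluated per HTTP request instead of once per TCP
# connection, which is what lets "persist uie" in HTTP_REQUEST take effect for
# every request on a reused connection.
ltm virtual bbsnap_sp_vs {
    destination 192.0.2.10:23443
    ip-protocol tcp
    pool bbsnap_sp_pool
    profiles {
        tcp { }
        http { }
        oneconnect { }
        clientssl_bbsnap { context clientside }
        serverssl { context serverside }
    }
    persist {
        jsessionid_persist_prof { default yes }
    }
}
```

To check that the rule is doing what the thread expects, run `tmsh show ltm persistence persist-records` on the BIG-IP: each record should be keyed by the lower-cased JSESSIONID value and point at one pool member, and should disappear after 300 seconds without traffic. The iRule's `log local0.` lines are written to /var/log/ltm at the default logging level, so `tail -f /var/log/ltm` while a BlackBerry fetches a file shows the "Request to ..." and "Added persistence record ..." entries. Remove or reduce those log statements once the setup is verified: they write one line per request and echo the session identifier into the log, which is a session-hijacking aid for anyone who can read that file.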