Forum Discussion

apasul_5707
Apr 30, 2012

Configure BigIP to pass through http and https traffic

We are evaluating the BigIP appliance for our SharePoint servers.

We have the http/https redirect configured on our IIS servers. How do I configure BigIP to just pass through http and https without trying to redirect http to https?

I installed the SSL certificate on the IIS servers, so I have NO for "SSL Encryption Question" in BigIP iApp.

I'm new at this, so I'll take any advice I get. Also, please let me know if you need more details about my configuration.

Thank you

apasul
  • Hi apasul,

    Does the HTTP profile on the virtual server have rewrite redirects enabled? If so, you should be able to unlock the iApp and set this option to none to prevent TMM from rewriting response redirects.

    Aaron
  • Hi Aaron,

    Thanks for your response.

    If I change the Redirect Rewrite to None, and have the IIS redirect rules enabled, I cannot even get to the site from my computer, although it is changing to https, so the IIS redirect works. If I browse to the site on the IIS server everything works fine, the http request gets redirected to https and I can do whatever I need to do with forms.

    If I disable the redirect rules on IIS and configure BigIP to redirect and change the Redirect Rewrite to Matching or All, I can get to the site from my computer, the http request is redirected to https, I authenticate and open forms. However, at the same spot in any form (first time I click the Next button inside a form) it is throwing an error about some content not being able to be delivered in https. I believe there are some http links hardcoded into the forms, which per an F5 engineer is messing it up. Also, he stated that there is no workaround for this, so we'll have to look into changing the forms, which is not a possible solution for us.

    Were you ever confronted with a similar scenario?

    Thank you,

    apasul
  • Here is some new info. The forms don't have hardcoded http links. Here is what is happening:

    When accessing the site through F5, the URL appears as:

    https://site.domain.com/_layouts/FormServer.aspx?XmlLocation=http://site.domain.com/ElectronicForms/test%200423_4-23-2012_9008_S2A.xml&Source=http://site.domain.com/_layouts/ODNR.SP2010.MRMEPS/Router.aspx&DefaultItemOpen=1

    Please note the location and the source URLs, pointing to http.

    When accessing the site directly from the IIS/SharePoint servers, the URL appears as:

    https://site.domain.com/_layouts/FormServer.aspx?XmlLocation=https://site.domain.com/ElectronicForms/test%200423_4-23-2012_9008_S2A.xml&Source=https://site.domain.com/_layouts/ODNR.SP2010.MRMEPS/Router.aspx&DefaultItemOpen=1

    Once again, please note the location and the source URLs, pointing to https.

    How can I configure BigIP to just pass the traffic through without changing the location and source from https to http?

    Thank you,

    apasul
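
A small check for the symptom shown in the two URLs of the post above, as an added example that is not part of the original thread: it flags query parameters that carry an absolute http:// URL for the same host as the https:// page, which is what produces the mixed-content error. The function name `downgraded_params` is an assumption for illustration; the two sample URLs are copied from the post.

```python
from urllib.parse import urlsplit, parse_qsl

# Sample URLs copied from the post above.
VIA_F5 = (
    "https://site.domain.com/_layouts/FormServer.aspx"
    "?XmlLocation=http://site.domain.com/ElectronicForms/"
    "test%200423_4-23-2012_9008_S2A.xml"
    "&Source=http://site.domain.com/_layouts/ODNR.SP2010.MRMEPS/Router.aspx"
    "&DefaultItemOpen=1"
)
DIRECT = (
    "https://site.domain.com/_layouts/FormServer.aspx"
    "?XmlLocation=https://site.domain.com/ElectronicForms/"
    "test%200423_4-23-2012_9008_S2A.xml"
    "&Source=https://site.domain.com/_layouts/ODNR.SP2010.MRMEPS/Router.aspx"
    "&DefaultItemOpen=1"
)


def downgraded_params(url):
    """Return [(param, embedded_url)] for every query parameter that holds
    an absolute http:// URL on the same host as an https:// outer page."""
    outer = urlsplit(url)
    if outer.scheme != "https":
        return []  # only an https page can suffer a scheme downgrade
    findings = []
    for name, value in parse_qsl(outer.query, keep_blank_values=True):
        inner = urlsplit(value)
        # Same host, but the embedded reference fell back to plain http:
        # the application believed the request arrived unencrypted.
        if inner.scheme == "http" and inner.hostname == outer.hostname:
            findings.append((name, value))
    return findings


if __name__ == "__main__":
    for label, url in (("via F5", VIA_F5), ("direct", DIRECT)):
        hits = downgraded_params(url)
        print(label, "->", [name for name, _ in hits] or "no downgraded parameters")
```
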
  • The iApp is geared towards either performing SSL offloading or no use of SSL. When you say you have the certs/keys installed on the SharePoint servers, do you want to pass the SSL through encrypted to the pool or do you want to do clientside and serverside SSL? Or do you want to have LTM load balance the HTTP traffic to an HTTP pool and pass the HTTPS through with no SSL decryption? If the latter, why? It's generally simpler and more secure to have LTM redirect all HTTP traffic to HTTPS using an HTTP virtual server and then decrypt the SSL on the HTTPS virtual server. If you want to reencrypt the serverside SSL you can do that as well.

    Aaron
  • Aaron,

    Doesn't really matter how I do it, as long as it works.

    At this point I have the SSL and redirect configured on SharePoint. I was wondering if it is possible to have F5 configured to just pass the traffic through, no matter what type it is (http or https), without changing anything, and just balance the load between the nodes. Looks like it is not doing that, but instead it is changing the references from https to http (see previous post).

    I can disable the redirect rules on the SharePoint servers and let F5 do all the work, but then I ran into the same issue with the mixed content.

    I would like to try your suggestion "It's generally simpler and more secure to have LTM redirect all HTTP traffic to HTTPS using an HTTP virtual server and then decrypt the SSL on the HTTPS virtual server. If you want to reencrypt the serverside SSL you can do that as well.". As I mentioned already I'm new at this F5 stuff, so can you please give me some pointers?

    Thank you,

    apasul
  • I'd try setting up the SharePoint Alternate Access Mapping to point to https://FQDN and then configure an HTTP virtual server that redirects to https://FQDN[HTTP::uri] and an HTTPS VS with a client SSL profile. If you want to re-encrypt on the serverside you can add a serverssl profile to the HTTPS VS and use a pool of the server(s) configured on port 443. If you're not doing server SSL you should use a port 80 pool.

    Aaron
  • Aaron,

    Thanks for all your help.

    I was able to configure BigIP and SharePoint/IIS so I get the result I was looking for. I'm not sure if this is the best practice or the best way to do it, but here is what I've done: I configured SSL, installed the certificate and configured the redirect rule on the IIS/SharePoint servers so everything is switched to https.

    I configured a Virtual Server in F5 that just passes the traffic through, so for Service Port I selected "All ports". Also, for the Pool members I selected "All Services" for the Service Port. Now I don't have to deal with any iApp or iRules.

    Now, all the traffic to the SharePoint sites is https, and this is what I was looking for.

    Thanks again for your help.

    apasul