Forum Discussion
JoeTheFifth
Altostratus
Mar 01, 2012
F5 SSL to backend server issue
Hi Guys,
I'm having a hard time creating an SSL VIP here.
I'm using the virtual edition 10.1 appliance.
I'm trying to configure this scenario:
Client => SSL => F5 => SSL => Backend SharePoint server
I use a standard type Virtual server
I configured a client SSL profile with a certificate
I configured a server SSL profile with a certificate
I'm using the same certificate on the SSL server profile and the SharePoint server
I'm using IE and Firefox.
Connection is established and I get a timeout message after several seconds.
Am I missing something here?
When I use the Performance HTTP type (bypassing Decryption/Encryption on the F5 box) the connection works fine.
I'm not an F5 expert by the way, just a SharePoint guy playing with the F5 virtual edition. I've been using the SharePoint template and SSL offloading on the F5 box for a while without issues and now I want to go full HTTPS to backend servers.
Thanks for your help
18 Replies
- mikeshimkus_111
Historic F5 Account
Hi Joe,
Strictly speaking, you don't need to use the same cert for the serverssl profile that you do for clientssl/SharePoint server. You can use the default cert for serverssl since it's never used to authenticate a client; we only need to guarantee that the BIGIP opens an encrypted "client" connection to the back end server. However that shouldn't be causing this problem, either.
I assume that since it works using a Performance virtual that you have correctly configured Alternate Access Mappings in SharePoint central admin. Remove any http, OneConnect, and persistence profiles assigned to the standard virtual server one by one to try and pinpoint the problem. I would also have a look at IIS logs or packet captures if possible, they may hold a clue to what's going on.
Mike
- JoeTheFifth
Altostratus
Hi Mike,
Thanks for the quick reply.
I switched to standard type and put the HTTP profile to none but I get a message saying that at least an http or fasthttp profile is required.
If I choose http in the http profile dropdown menu no good :-)
Any step-by-step guide on how to configure a standard virtual server to meet my needs?
I'm using self-signed certs on all servers now. I was using internal PKI certs before. Still no luck.
- mikeshimkus_111
Historic F5 Account
Our deployment guide for SharePoint and version 10 is here: http://www.f5.com/pdf/deployment-guides/f5-sharepoint-2010-dg.pdf
You will need to remove objects that depend on the http profile first before you can remove it, the cookie persistence profile for example.
- JoeTheFifth
Altostratus
OK. I created a new virtual server.
Type = Standard
Protocol = TCP
Oneconnect = None
Ntlm Conn Pool = None
HTTP Profile = None
FTP Profile = None
SSL Profile (client) = clientssl
SSL Profile (Server) = serverssl
Diameter Profile = one
SIP Profile = None
VLAN and Tunnel Traffic = ALL Vlan and tunnels
Result = NO GOOD
When I change the type to Performance HTTP => It works and I get access to the SharePoint site using HTTPS.
I did a net monitor trace on the SharePoint server => when the virtual server is in standard type => no SSL traffic is hitting the server !!!!!!
I must be missing something in the virtual server configuration when decryption/encryption is needed :-(
- mikeshimkus_111
Historic F5 Account
With netmon, do you see unencrypted traffic coming from the BIG-IP to the SharePoint server when using the standard virtual, or do you see no traffic at all?
- JoeTheFifth
Altostratus
Yes, I see unencrypted traffic coming from the F5 box when using the Standard type Virtual server but absolutely no encrypted traffic.
As soon as I switch to Performance HTTP, TLS traffic flows freely to the SharePoint server !!!!
Any pre-requisites for this kind of decryption/encryption scenario?
- JoeTheFifth
Altostratus
I see Protocol Name = TCP traffic on port 443 between the LTM and the SharePoint in standard type.
I see Protocol Name = TLS + Protocol Name = TCP traffic on port 443 between the LTM and the SharePoint in Performance HTTP Type.
- Try to use servers-insecure-compatible profile instead.
- JoeTheFifth
Altostratus
I don't have this profile !! I'm using LTM VE 10.1.
Is that an HTTP profile? Can it be created?