Forum Discussion

JoeTheFifth
Mar 07, 2013

F5 UAG SharePoint 2010 (NO DIRECT ACCESS)

Hi Guys,

I cannot find any info on using UAG with F5 in non-integrated NLB mode and without DirectAccess. We are using UAG to publish SharePoint sites.

Just to share my config and get feedback on how to optimize it:

Here is my config:

F5 VIP (UAG VIP) => 2 UAG servers (array with non-integrated NLB) => F5 VIP (SharePoint) => 2 SharePoint servers

So connections to the UAG servers are load balanced by the first UAG VIP, and the connections from the UAG servers are load balanced by the second SharePoint VIP to the SharePoint servers.

My concerns are about the NLB setting and VIP configurations needed to make this setup as optimized as possible.

So far we only created basic VIPs and monitors. The setup is working.

I read here (http://blogs.technet.com/b/edgeacce...dered.aspx) that the OneNetProfile is to be avoided on UAG VIPs.

So any advice, hints or links about this config are welcome.

Thanks.

  • By default, cookies are host-based, meaning they are tied to the host name. When you click the link of webapp2, your browser sees this as a new connection for which it has no cookies. And no cookie, no persistence. So ultimately you need to be able to persist across host names, irrespective of the fact they're on the same VIP. The built-in cookie persistence profile doesn't have the ability to set a domain cookie, so that isn't an option. Other persistence methods, however, do allow you to "match across". Source address persistence is an obvious option if you control the IP space. Otherwise, is there anything in the link to webapp2 that comes from webapp1? Another domain cookie? You may even consider rolling your own cookie persistence to set a value that the browser will faithfully transmit to both hosts.

     

  • OK. webapp01 and webapp02 belong to the same domain = webapp1.mydomain.com and webapp2.mydomain.com.

    Would an iRule do the job in this case? I understand source_addr would, but this type of persistence has its limits and performance impact.

  • Found this iRule in an old thread: (https://devcentral.f5.com/community/group/aft/7214/asg/50)

        when HTTP_RESPONSE {
            set cookies [HTTP::cookie names]
            # look for a persistence cookie being set
            if { $cookies contains "BIGipServer" } {
                # rewrite all cookies being set
                foreach cookie_name $cookies {
                    set cookie_value [HTTP::cookie $cookie_name]
                    HTTP::cookie remove $cookie_name
                    HTTP::cookie insert name $cookie_name value $cookie_value domain "mydomain.com" path "/"
                }
            }
        }

    Tried it and it does not seem to work!

  • Yes, I believe that will work. Watch in your Fiddler trace if the first request to webapp2 contains the BIGIPServer cookie.
  • Small update here: everything works now, and here is how the setup has been done:

    client => https => UAG VIP (SNAT + generic persistence profile + above cookie iRule based on the mydomain.com) => ssl => UAG servers => ssl => SharePoint VIP (SNAT) => ssl => SharePoint servers.

    This line in the iRule has been changed:

        if { $cookies contains "BIGipServer" } {

    to

        if { $cookies contains "BIGipServerUAGVIPPOONAME" } {

    This is because we have two BIGipServer cookies in the chain, one for UAG and the second for SharePoint. So if we check for the string "BIGipServer" only, we overwrite both cookies with the same UAG cookie and we lose the SharePoint cookie.

    We enabled SNAT because the UAG and the SharePoint servers do not go through the F5 to communicate. SNAT forces them to. We enabled X-Forwarded-For on both VIPs to log client IPs in case we need it in the future.

    We did test source_addr persistence, but it was not a valid option since persistence is not maintained when the request for webapp1.mydomain.com comes from one proxy server IP and the request for webapp2.mydomain.com comes from another proxy server IP in the same user session.

    Thank you all for your suggestions.

    • wng_98840
      Hi JoeTheFifth, would it be possible to post up the iRule you are using for this setup? When you mention 'generic persistence profile', do you mean 'universal'? We are experiencing some SP2010 rendering issues within the same scenario as you have posted. Thanks, Bill
  • What is your exact setup? Mine does not use AAM, so unique URL from end to end, and HTTPS from end to end: client => ssl => bigip uag vip => ssl => bigip sps vip => ssl => sps server.
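
An added illustration, not code from the thread or from F5: a small Python model of the browser-side cookie scoping behind the fix discussed above. It shows why a host-only BIGipServer cookie set for webapp1 is never sent to webapp2, and what changes when one persistence cookie is re-issued with a domain. The pool cookie names, cookie values and helper functions are constructed for the example, and unlike the iRule in the thread this variant rewrites only the named cookie.

```python
# Constructed sample: Set-Cookie headers on one response from webapp1.
RAW = [
    "BIGipServerUAG_POOL=1677787402.20480.0000; path=/",
    "BIGipServerSP_POOL=335653056.20480.0000; path=/",
]

def split_cookie(header):
    """Return (name, value, {attr: value}) for one Set-Cookie header."""
    pair, *attrs = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = pair.partition("=")
    parsed = {}
    for a in attrs:
        k, _, v = a.partition("=")
        parsed[k.lower()] = v
    return name, value, parsed

def rewrite(headers, cookie_name, domain):
    """Re-issue only cookie_name as a domain cookie; pass the rest through."""
    out = []
    for h in headers:
        name, value, attrs = split_cookie(h)
        if name == cookie_name:
            # Keep flags such as Secure/HttpOnly; replace only Domain and Path.
            extra = [f"{k}={v}" if v else k for k, v in attrs.items()
                     if k not in ("domain", "path")]
            h = "; ".join([f"{name}={value}", f"Domain={domain}", "Path=/", *extra])
        out.append(h)
    return out

def store(jar, request_host, headers):
    """Browser side: no Domain attribute means host-only (RFC 6265, 5.3)."""
    for h in headers:
        name, _, attrs = split_cookie(h)
        domain = attrs.get("domain", "").lstrip(".").lower()
        jar[name] = (domain or request_host, not domain)

def sent_to(jar, host):
    """Names of the cookies the browser would attach to a request for host."""
    return sorted(name for name, (scope, host_only) in jar.items()
                  if host == scope or (not host_only and host.endswith("." + scope)))

def demo(headers):
    """Store cookies from a webapp1 response, then list what each host receives."""
    jar = {}
    store(jar, "webapp1.mydomain.com", headers)
    return {h: sent_to(jar, h) for h in
            ("webapp1.mydomain.com", "webapp2.mydomain.com", "other.mydomain.com")}

if __name__ == "__main__":
    print(demo(RAW))
    print(demo(rewrite(RAW, "BIGipServerUAG_POOL", "mydomain.com")))
```

The third host in the output shows the trade-off of this approach: once the cookie carries a domain, the browser sends it to every host under mydomain.com, not only to the two web applications.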