Forward Original Host Name

Question

We have a site that was accessed via TMG. The host name though is different from the internal site name. In TMG this wasn't an issue as there is an option to "forward the original host header instead of the site name".&nbsp;
So for example in TMG the host name is given as name.company.com but the internal site name is servername.domain.company.com&nbsp;
When browsing the site via TMG the typed in host name remains the same when hitting then site and no translation occurs. Via BIG-IP LTM though the host name is changed to the internal site name in the address bar resulting in certificate errors.&nbsp;
Is there a way in BIG-IP LTM to replicate what TMG was doing previously?&nbsp;

kevin_stewart · Answer

This generally involves replacing the HTTP Host header inbound. That's probably what TMG is doing.
when HTTP_REQUEST {
    HTTP::header replace Host "servername.domain.company.com"
}

brad_parker · Answer

You will probably want to use an iRUle or LTM policy to rewrite the hostname to the back-end server for your internal host header.  i.e
when HTTP_REQUEST {
    if {[HTTP::host] equals "name.company.com"}{
        HTTP::host "servername.domain.company.com"
    }
}

veato · Answer

Unfortunately the public URL (name.company.com) is still be rewritten/redirected to the internal site name (servername.domain.company.com) when using the above as an iRule&nbsp;

kevin_stewart · Answer

If you look at a packet capture on the internal VIP you'll definitely see that the HTTP host header is changing. Despite that there may be other things causing the server to do what it's doing. At a minimum you should perform a client side HTTPwatch or Fiddler capture to see what the server is doing and how the client is reacting, as there a few ways to counteract the various behaviors. For example, if the server is just blindly sending a redirect to itself for a different URI, you can catch that and rewrite it:
when HTTP_RESPONSE {
    if { [HTTP::header exists Location] } {
        HTTP::header replace Location "name.company.com"
    }
}

If the server is sending back an HTML page that has references to DOM objects using the absolute URL it knows (servername.domain.company.com), then you can catch those with a STREAM profile and iRule:
when HTTP_REQUEST {
    HTTP::header remove Accept-Encoding
    STREAM::disable
}
when HTTP_RESPONSE {
    if { [HTTP::header Content-Type] contains "text" } {
        STREAM::expression {@servername.domain.company.com@name.company.com@}
        STREAM::enable
    }
}

In both of these cases you're rewriting the URLs being presented to the client, which is most likely what you'll need if simply rewriting the inbound Host header isn't enough.

Forum Discussion

Forward Original Host Name

4 Replies

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

VIP in https that redirect to another vip in https

VIP is not responding on SYN after enabling other modules like ASM, APM and AFM.

Unblock Request WAF

F5OS login with admin/root failed via console

TLS handshake failure from BIG-IP to backend – Fatal Alert: Decode Error (Server SSL)

Related Content

F5 Distributed Cloud Origin Server Subset Rules

(HTTP) Redirection via Arbitrary Host Header

F5 Distributed Cloud - Mitigation for Cross Tenant Origin Exposure (CTOE)

Certificate Automation for BIG-IP using CyberArk Certificate Manager, Self-Hosted

DevCentral Connects hosts Capture the Flag!

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS