Help with Port Translation
Apologies in advance if this is the wrong forum or place to ask this question, but I can't seem to figure this out.
We have a Java Web Server application (ManageEngine's AD Self Service) that uses port 9251. We would like to use our F5 to create a virtual server such that we can give our users a simple URL instead of
I created a new virtual server with a new IP and then created a pool with just the webserver in it, set it to use HTTPS and specified port 9251. I used the java keytool to export the server cert & key (from our internal Enterprise Root CA). I created an SSL Server profile, specified the cert & key, left everything else default. On the virtual server, I specified the SSL Server profile, and at the moment, am just leaving the Client profile as 'none', so they can it over port 80.
Do I need some kind of iRule to make this happen? Any tips, hints, help greatly appreciated.
Forgot to mention, we have a BIG-IP 1600, running 10.2.3.
Thanks,
Eugene
15 Replies
- Ajmal_2608
Nimbostratus
This should work fine, and an iRule is not required in your case as of now; you may need one if you want to control something later.
In case it's not working, please post the VIP, pool and SSL profile config.
-Ajmal - eugenix_116516
Nimbostratus
Here are the relevant portions from the config. I've tried changing this around numerous ways and cannot get it to work. e.g. no server side SSL profile, default serverssl profile, custom SSL profile, etc. I also tried just setting up the virtual server to use the same port as the backend server, 9251, and still no go. Thanks again for the help,
monitor ADSS_TEST {
   defaults from https
   dest 192.168.2.63:9251
   send "GET /showLogin.cc\r\n"
}
profile clientssl BHADTOOLS_CLIENT {
   defaults from clientssl
   key "PAG-WIldCard.key"
   cert "PAG-WIldCard.crt"
   chain none
   ca file none
   ciphers "DEFAULT"
   options dont insert empty fragments
   modssl methods disable
   cache size 262144
   cache timeout 3600
   renegotiate enable
   renegotiate period indefinite
   renegotiate size indefinite
   renegotiate max record delay 10
   secure renegotiation require
   handshake timeout 60
   alert timeout 60
   unclean shutdown enable
   strict resume disable
   nonssl disable
}
profile http bhadtools {
   defaults from http
   oneconnect transformations enable
   header insert none
   header erase none
   fallback none
   response selective chunk
   lws width 80
   lws separator none
   redirect rewrite matching
   max header size 32768
   max requests 0
   pipelining enable
   insert xforwarded for disable
   fallback status none
   response headers allowed none
   encrypt cookies none
}
profile serverssl BHADTOOLS {
   defaults from serverssl
   key "BHADTOOLS_3.key"
   cert "BHADTOOLS_3.crt"
   chain none
   ca file none
   ciphers "DEFAULT"
   options dont insert empty fragments
   modssl methods disable
   renegotiate enable
   renegotiate period indefinite
   renegotiate size indefinite
   secure renegotiation request
   unclean shutdown enable
   strict resume disable
   handshake timeout 60
   alert timeout 60
   cache size 262144
   cache timeout 3600
}
pool BHADTOOLS {
   monitor all ADSS_TEST
   members 192.168.2.63:9251 {}
}
virtual ADSS_Test {
   srcport change
   snat automap
   pool BHADTOOLS
   destination 192.168.250.138:https
   ip protocol tcp
   profiles {
      BHADTOOLS {
         serverside
      }
      BHADTOOLS_CLIENT {
         clientside
      }
      http {}
      tcp {}
   }
}
- Mark_Cloutier
Nimbostratus
I think I am having a similar problem: LTM load balancing/proxying two IBM Sametime proxy servers. The client hits the LTM on port 443, the LTM does SSL termination and sends to the proxy server on 9443, the proxy responds with a redirection to a login page using port 9443, and I want to change that port back to 443 before sending that redirection to the client. Is there a simple way to do that, or is it a matter of an iRule rewriting the server response?
- Mark_Cloutier
Nimbostratus
also forgot to mention, mine is a 3600 running 11.2... - Ajmal_2608
Nimbostratus
Hmmm,
The configuration looks a bit messy; would you mind deleting and reconfiguring them? If yes, then use the config lines below (copy and paste them), and do take a backup of the existing config in case you need to revert.
============================================= Config Begins ============================================
Seeing your configuration, I am assuming that your box is running 10.x
Deletion of existing objects
b virtual ADSS_Test delete
b pool BHADTOOLS delete
b profile clientssl BHADTOOLS_CLIENT delete
b monitor ADSS_TEST delete
Creating them again
b monitor ADSS_TEST '{
   defaults from https
   dest *:9251
   recv "HTTP/1\.(0|1) (2|3)"
   send "GET /showLogin.cc HTTP/1.1\r\nUser-Agent: Mozilla/4.0 (compatible)\r\nConnection: Close\r\nHost: \r\n\r\n"
}'
b profile clientssl BHADTOOLS_CLIENT '{
   defaults from clientssl
   key "PAG-WIldCard.key"
   cert "PAG-WIldCard.crt"
   ca file none
   crl file none
   peer cert mode ignore
}'
b pool BHADTOOLS '{
   lb method member least conn
   monitor all ADSS_TEST
   members {
      192.168.2.63:9251 {}
   }
}'
b virtual ADSS_Test '{
   snat automap
   pool BHADTOOLS
   fallback persist source_addr
   destination 192.168.250.138:https
   ip protocol tcp
   profiles {
      http {}
      BHADTOOLS_CLIENT {
         clientside
      }
      serverssl {
         serverside
      }
      tcp {}
   }
}'
============================================= Config Ends ============================================
In case you want to revert, do not save the config; you can use the command "b load" to reload the saved configuration files with the old settings.
Also please make sure that the pool is up.
Let me know if you still face issues.
- eugenix_116516
Nimbostratus
Ajmal,
Thank you so much. In order to delete and add these, just copy these lines into an ssh session?
Regards,
Eugene
- eugenix_116516
Nimbostratus
Ok, I had to remove the single quotes outside the brackets on those config lines for the profiles, monitors, pools, and virtual servers to work when pasting them into the command line.
I didn't have a persistence profile named cookies_SABASESSIONID, so I created one based off the cookie parent with the same settings.
It is still doing a similar thing, where I get a cert error when I first hit the IP 192.168.250.138 (since the cert is for our domain name); once I click accept/trust, I get a page cannot be displayed error. - Ajmal_2608
Nimbostratus
Ignore the cookie, I copied it and forgot to remove it; I have now corrected the earlier post.
If you have access to a shell prompt like bp> then yes, you need to remove the single quotes.
Is your pool showing up?
b pool show, or you may also check it from the GUI (Local Traffic >> Pool >> Name of the pool >> color red/green/blue etc.). If it's red then try changing the monitor of the pool to http and see if it works; if not, then you may check whether the server is running the service or not (port 9251 in this case).
b pool BHADTOOLS '{
   lb method member least conn
   monitor all http
   members {
      192.168.2.63:9251 {}
   }
}'
We can fix the certificate error later.
- eugenix_116516
Nimbostratus
Yes, the pool showed up as green, and the virtual server all looks to be working correctly.
The server is up and is responding on port 9251
In a browser if I go to the server directly at https://192.168.2.63:9251
It returns back: https://192.168.2.63:9251/showLogin.cc?logoutFromSSO=true
I'm not sure if it is running a script initially, but basically, that takes you to the login page for the web site.
If I try to browse the virtual server IP, I get the page cannot be displayed.
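The direct test above shows the back end answering with a redirect to its own address and port (https://192.168.2.63:9251/...), which a client that can only reach the VIP cannot follow; Mark's question earlier in the thread is the same Location-header problem on port 9443. As an added example, not code from the thread or from F5, here is an iRule that rewrites such redirects to the VIP's public name; it assumes the VIP is reached as https://adss.example.com (a placeholder hostname, since the thread never gives the intended URL) and uses the pool member 192.168.2.63:9251 from the posted config. It needs the http profile on the virtual server, which the config already has.

```tcl
# Added example iRule (not from the thread): rewrite back-end redirects so the
# browser stays on the VIP instead of being sent to the pool member's own port.
# Assumptions: public URL https://adss.example.com (placeholder), pool member
# 192.168.2.63:9251 (from the thread). Attach to the ADSS_Test virtual server.

when HTTP_RESPONSE {
    # Only 3xx responses carry a Location header worth rewriting
    if { [HTTP::is_redirect] } {
        set loc [HTTP::header Location]
        # Match only redirects that point at the back-end member itself;
        # redirects to third-party hosts are left untouched.
        if { [string match -nocase "https://192.168.2.63:9251/*" $loc] } {
            set newloc [string map -nocase \
                {"https://192.168.2.63:9251/" "https://adss.example.com/"} $loc]
            HTTP::header replace Location $newloc
            # Log each rewrite to /var/log/ltm so the change is auditable
            log local0. "Location rewritten: $loc -> $newloc"
        }
    }
}
```

The same pattern applies to Mark's Sametime case by substituting the 9443 member address and the public host; if the application also embeds absolute links in page bodies, those need a separate stream or rewrite profile rather than this header-only rule.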