Forum Discussion
How to make F5 respond with a particular domain name?
Hi Guys,
I ran into a weird issue and here’s the picture:
- SOURCE.SERVER.COM – Source server the request is coming from (Microsoft System Center Operations Manager (SCOM) Agent)
- F5.VIP.com.au – F5 Virtual Server (LTM v11)
- 4 NODE servers – Microsoft SCOM 2012
  a. DESTINATION.NODE1.LOCAL
  b. DESTINATION.NODE2.LOCAL
  c. DESTINATION.NODE3.LOCAL
  d. DESTINATION.NODE4.LOCAL
When the communication happens directly from the source to destination without the F5 it works fine. SOURCE.SERVER.COM sends a request to a Management Server on TCP 5723 and presents a certificate. Management server validates certificate trust and communicates its name and certificate information back to SOURCE.SERVER.COM. A secure connection is established.
This is falling over through the F5 because SOURCE.SERVER.COM is expecting this sort of communication:
1. SOURCE.SERVER.COM > F5.VIP.com.au
2. F5.VIP.com.au > SOURCE.SERVER.COM
What's happening is:
1. SOURCE.SERVER.COM > F5.VIP.com.au
2. F5.VIP.com.au > DESTINATION.NODE1.LOCAL (2, 3 or 4)
3. DESTINATION.NODE1.LOCAL > F5.VIP.com.au
4. F5.VIP.com.au then passes the response from DESTINATION.NODE1.LOCAL > SOURCE.SERVER.COM
This means that F5.VIP.com.au is responding to SOURCE.SERVER.COM with the name DESTINATION.NODE1.LOCAL, but the expected name is F5.VIP.com.au; this makes certificate authentication fail.
We need:
1. SOURCE.SERVER.COM > F5.VIP.com.au
2. F5.VIP.com.au > DESTINATION.NODE1.LOCAL (2, 3 or 4)
3. DESTINATION.NODE1.LOCAL > F5.VIP.com.au
4. F5.VIP.com.au then passes the response from DESTINATION.NODE1.LOCAL as F5.VIP.com.au > SOURCE.SERVER.COM
This should make all communication appear to be to/from F5.VIP.com.au, i.e.:
1. SOURCE.SERVER.COM > F5.VIP.com.au
2. F5.VIP.com.au > SOURCE.SERVER.COM
No certificate is configured on the F5, and the virtual server is configured on port 5723.
Hope this makes sense. What iRule should I write to achieve this?
Please feel free to ask if you need more clarification.
Thanks
Rana
5 Replies
- Vitaliy_Savrans
Nacreous
Rana, look for this link, maybe it would be useful for you.
- Virtualrana_132
Nimbostratus
Hi Vitaliy,
Thanks for your reply, and I followed the link. Unfortunately I had already tried the suggestions on that link before my post here, but they didn't solve the problem.
I think I need to write an iRule and would appreciate some suggestion/guidance.
Thanks
Rana
- nitass
Employee
does it fail because subject in server's certificate (destination.nodeX.local) does not match fqdn (f5.vip.com.au) client requests or something else?
- Virtualrana_132
Nimbostratus
No, SOURCE.SERVER.COM is expecting f5.vip.com.au in the return traffic but it is receiving DESTINATION.NODE1.LOCAL and breaks.
What I did was create a hosts file entry on SOURCE.SERVER.COM, used the virtual server IP and said it is DESTINATION.NODE1.LOCAL, NOT f5.vip.com.au.
Hosts file: 102.54.94.97 DESTINATION.NODE1.LOCAL
And it worked, because now it goes out to DESTINATION.NODE1.LOCAL (instead of f5.vip.com.au), receives DESTINATION.NODE1.LOCAL as before, and works.
Hope this makes sense and thanks for looking into it.
By the way, it is for MS System Center Operations Manager (the source is the agent and the destination is DESTINATION.NODE1.LOCAL, with the F5 in the middle).
P.S.: using a hosts file is not an option, as we have hundreds of sources.
- nitass
Employee
If I do not misunderstand, to make it work you need an f5.vip.com.au certificate, don't you?
So, SSL offloading on the F5 (clientssl with client authentication and serverssl) should solve it, shouldn't it?
sol14783: Overview of the Client SSL profile (11.x)
http://support.f5.com/kb/en-us/solutions/public/14000/700/sol14783.html
sol14806: Overview of the Server SSL profile (11.x)
http://support.f5.com/kb/en-us/solutions/public/14000/800/sol14806.html
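A worked LTM v11 configuration for what nitass describes (terminate TLS on the BIG-IP with a certificate for f5.vip.com.au, require a client certificate from the agent, then re-encrypt to the management servers), written as bigip.conf-style stanzas that can be applied with `tmsh load sys config merge from-terminal`. This is an added example, not from the original thread or from F5. The certificate, key and CA bundle object names, the pool member addresses (192.0.2.x), the profile and pool names, and the use of 102.54.94.97 as the VIP (taken from the hosts-file line earlier in the thread) are all assumptions; the objects must be imported into the BIG-IP first. The client-side certificate must be issued to f5.vip.com.au by a CA the SCOM agents trust, and scom_agent_ca.crt must contain the issuer of the agent certificates.

```tmsh
# Assumed SSL objects (import before loading this):
#   f5.vip.com.au.crt / f5.vip.com.au.key  server cert for the name the agents expect
#   scom_agent_ca.crt                      CA bundle that issued the agent certificates
#   f5_to_scom.crt / f5_to_scom.key        cert the BIG-IP presents to the management servers
#   scom_ms_ca.crt                         CA bundle that issued the management server certs
# Pool member addresses are placeholders.

ltm pool scom_ms_pool {
    members {
        192.0.2.11:5723 { address 192.0.2.11 description DESTINATION.NODE1.LOCAL }
        192.0.2.12:5723 { address 192.0.2.12 description DESTINATION.NODE2.LOCAL }
        192.0.2.13:5723 { address 192.0.2.13 description DESTINATION.NODE3.LOCAL }
        192.0.2.14:5723 { address 192.0.2.14 description DESTINATION.NODE4.LOCAL }
    }
    monitor tcp
}

# Client SSL: presents f5.vip.com.au to the agent and requires a client
# certificate chaining to scom_agent_ca.crt (mutual authentication).
ltm profile client-ssl scom_clientssl {
    defaults-from clientssl
    cert f5.vip.com.au.crt
    key f5.vip.com.au.key
    ca-file scom_agent_ca.crt
    peer-cert-mode require
    authenticate once
}

# Server SSL: re-encrypts to the pool, presents the BIG-IP's own client
# certificate, and verifies the management server certificate against the CA.
ltm profile server-ssl scom_serverssl {
    defaults-from serverssl
    cert f5_to_scom.crt
    key f5_to_scom.key
    ca-file scom_ms_ca.crt
    peer-cert-mode require
}

# Virtual server on the VIP, TCP 5723, with both profiles and SNAT so the
# return path from the nodes always comes back through the BIG-IP.
ltm virtual vs_scom_5723 {
    destination 102.54.94.97:5723
    ip-protocol tcp
    profiles {
        tcp { }
        scom_clientssl { context clientside }
        scom_serverssl { context serverside }
    }
    pool scom_ms_pool
    source-address-translation { type automap }
}
```

Two consequences to check before relying on this. First, the management servers no longer see the agent's certificate or source address: every session arrives from a BIG-IP self IP (SNAT automap) and is authenticated with f5_to_scom.crt, so the nodes must trust that certificate and any per-agent checks on their side will no longer be applied to the real agent. Second, verify the client-facing side from an agent host with `openssl s_client -connect 102.54.94.97:5723 -cert agent.crt -key agent.key -CAfile trusted_ca.crt`; the presented subject should now be f5.vip.com.au, and omitting `-cert` should fail the handshake because of `peer-cert-mode require`.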