Scott_27805 (Nimbostratus)
Mar 21, 2012
HTTPS Passthrough not working
In our current environment we use SSL offloading for our Exchange 2010 Outlook Web Access through our F5. We need to stop this just for the MRSProxy service and not any other traffic to the server. I created the iRule below and applied it to the virtual server. However we are still seeing the requests for this URL come through on port 80 instead of 443 in the IIS logs on the OWA server. Can anyone help and tell me where I went wrong? Thanks.
when HTTP_REQUEST {
    if { [HTTP::uri] starts_with "/EWS/mrsproxy.svc" } {
        SSL::disable clientside
    }
}
We are seeing GET /EWS/mrsproxy.svc – 80 in the IIS log and we should get GET /EWS/mrsproxy.svc - 443
- Brian_69413 (Nimbostratus): Are the pool members only configured for port 80?
- Scott_27805 (Nimbostratus): No. They are configured for 80 and 443. I can go directly to any of the pool members by their individual IP addresses and hit the URL on 443 without issue.
- hooleylist (Cirrostratus): You would need to disable SSL for the serverside connection and select a pool with member(s) on port 80:
  when HTTP_REQUEST {
      if { [HTTP::uri] starts_with "/EWS/mrsproxy.svc" } {
          SSL::disable serverside
          pool http_pool
      }
  }
- Brian_69413 (Nimbostratus): Scott, I am talking about the load balancer pool configuration, are the members set like this: x.x.x.x:80 or x.x.x.x:*? If the LB sends traffic to port 80, the server will not be listening for SSL.
- Scott_27805 (Nimbostratus): I thought that this would be clientside per the document here https://devcentral.f5.com/wiki/iRul...k_URL.ashx. I don't even have a server side ssl profile defined on this virtual server.
  The pool for port 80 is the same as the pool for 443. It should be going to the same pool members. Or does this require a different set of pool members entirely?
- Brian_69413 (Nimbostratus): I think if your pool members are defined as x.x.x.x:80 then you would need a new pool for x.x.x.x:443
- Scott_27805 (Nimbostratus): Brian, yes my pool members were only on port 80. Can I just add the same pool members again on port 443 or should I remove them and then add them back with a * for the port?
- Scott_27805 (Nimbostratus): I created a new pool for 443. Now when I go to the page just for that URL it just hangs. The new pool is showing as available. The iRule is as follows:
  when HTTP_REQUEST {
      if { [HTTP::uri] starts_with "/EWS/mrsproxy.svc" } {
          SSL::disable serverside
          pool webmail_443_pool
      }
  }
- Brian_69413 (Nimbostratus): You need to disable the client side ssl and set the 443 pool
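
An added example, not posted by any participant in this thread: one way to keep client-side offload for every request and re-encrypt only the MRSProxy path toward a port 443 pool. It assumes a server SSL profile is attached to the virtual server (the thread notes none was defined) and that `webmail_80_pool`, a hypothetical name, holds the port 80 members; `webmail_443_pool` is the pool name used in the thread.

```tcl
# Added example; pool webmail_80_pool is a hypothetical name.
# Requires both a client SSL and a server SSL profile on the virtual server.
#
# HTTP_REQUEST only fires after the client-side TLS session has been
# decrypted, so the URI can never be used to skip client-side decryption.
# What the URI can select is whether the server-side leg is encrypted.
when HTTP_REQUEST {
    # Compare case-insensitively and ignore the query string.
    if { [string tolower [HTTP::path]] starts_with "/ews/mrsproxy.svc" } {
        # Re-encrypt toward the members listening on 443.
        SSL::enable serverside
        pool webmail_443_pool
    } else {
        # Everything else stays offloaded: plain HTTP to the port 80 members.
        SSL::disable serverside
        pool webmail_80_pool
    }
}
```

With this in place, the IIS log on the OWA server is the check: requests for /EWS/mrsproxy.svc should be recorded on port 443 and all other requests on port 80.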