Forum Discussion

Nimbostratus

Mar 21, 2012

HTTPS Passthrough not working

In our current environment we use SSL offloading for our Exchange 2010 Outlook Web Access through our F5. We need to stop this just for the MRSProxy service and not any other traffic to the server. I created the iRule below and applied it to the virtual server. However we are still seeing the requests for this URL come through on port 80 instead of 443 in the IIS logs on the OWA server. Can anyone help and tell me where I went wrong? Thanks.

when HTTP_REQUEST {

if { [HTTP::uri] starts_with "/EWS/mrsproxy.svc"}{

SSL::disable clientside

}

We are seeing GET /EWS/mrsproxy.svc – 80 in the IIS log and we should get GET /EWS/mrsproxy.svc - 443

Scott_27805
Nimbostratus
Mar 21, 2012
I changed it to clientside but the page still hangs.
hooleylist
Cirrostratus
Mar 21, 2012
Brian, You can't disable client SSL based on the requested HTTP URI as the SSL would have to have already been used to decrypt the request to parse the URI.

Scott, what's the actual issue you're trying to address for this specific URI?

Aaron
Brian_69413
Nimbostratus
Mar 21, 2012
ah yes.
Scott_27805
Nimbostratus
Mar 21, 2012
We are engaging with Microsoft to migrate our Student email to Live@EDU which needs to connect to the MRSProxy service at the URL /EWS/mrsproxy.svc. In talking with their support engineer, the process doesn't support SSL offloading so I just need to disable the offloading only for these requests. The service only accepts encrypted traffic on 443.

hooleylist

Cirrostratus

Mar 21, 2012

Thanks for clarifying. I think you should be able to add a server SSL profile to the virtual server and then disable it for all but the specific URI:


when CLIENT_ACCEPTED {
 Save the name of the VS pool before this iRule could change the current pool
set default_pool [LB::server pool]
}
when HTTP_REQUEST {
 If the request is for a proxy.svc URI select a separate pool
 Leave serverssl enabled
if { [HTTP::path] eq "/EWS/mrsproxy.svc"}{
pool webmail_443_pool
} else {
 For all other URIs disable serverssl and use the VS default pool
SSL::disable serverside
pool $default_pool
}
}

Aaron

Brian_69413
Nimbostratus
Mar 21, 2012
That seems like a good solution, I like it!
Scott_27805
Nimbostratus
Mar 23, 2012
That worked perfectly! Thank you everyone for your help.
- jdsuni_201283
  Nimbostratus
  May 08, 2015
  Hi Scott, we need to do exactly the same on our F5, but have never worked with iRules before... can you tell me what I need to do to make this happen? Thanks in advance!

Recent Discussions

Under Attack? F5 Will Help You.
Contacting F5 Support?

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

Forum Discussion

HTTPS Passthrough not working

Recent Discussions

self-directed requests fail because of no certificate

Decode ObjectSID from Base64-encode string

iRule - Url rewrite and header replace and pool selection not working

ip x-forwarding

F5 ASM API-Protection Policy

Related Content

HTTP::redirect doesn't work for multiple conditions, URL redirect doesn't work using iRule

Redirect from Http to Https Not working

SSL passthrough VIP - mitigating birthday attack

Getting Started with iControl: Working with Configuration Objects

After HTTPs to HTTP site not working

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS