iRule to conditionally serve Flash xmlsocket policy files

Question

Hi all, 
&nbsp;  
&nbsp; We're building an application that uses a Flash-based VNC client to remotely control machines for test purposes over the Internet using a browser. The users will be behind firewalls with only 80/443 open so we're planning to use the Flash VNC client to connect to the F5 on 80 and have the traffic redirected to a pool of servers listening on port 5900. The Flash security model now requires a socket policy file to be served from the same port as the socket connection. When a request is made Flash will send the string  plus a null byte to the server, which must respond with an XML syntax, for example: 
&nbsp;  
&nbsp;  
&nbsp;  
&nbsp;    
&nbsp;    
&nbsp;  
&nbsp;  
&nbsp; Note that all of this uses XML syntax but is not sent or received as HTTP. 
&nbsp;  
&nbsp; So I'm trying to write an iRule that checks the TCP payload for this  string and if it filds it, send the responds and close the connection. If not, forward to the pool.  I think I've got the syntax correct except for the forwarding part. I can't seem to get the pool command to work - maybe because I'm trying to change the port?  and the virtual command isn't firing. Most of my iRule writing is learned from other user's code on the forums and wiki. I suspect I have many syntactic errors, so with some shame here's the current iRule: 
&nbsp;  
&nbsp; when CLIENT_ACCEPTED { 
&nbsp;    TCP::collect 
&nbsp; } 
&nbsp;  
&nbsp; when CLIENT_DATA { 
&nbsp;  
&nbsp;      Read the whole packet if we don't have it yet 
&nbsp;     set len [TCP::payload length] 
&nbsp;     log local0.info $len 
&nbsp;     if { $len &lt; 23 } { 
&nbsp; TCP::collect 
&nbsp; return 
&nbsp;     } 
&nbsp;  
&nbsp;     set crossdomain { 
&nbsp;  
&nbsp;  
&nbsp;  
&nbsp;    
&nbsp;    
&nbsp;  
&nbsp; } 
&nbsp;  
&nbsp;   if { [TCP::payload] contains "" } { 
&nbsp;      log local0.info "Found policy file" 
&nbsp;      TCP::respond $crossdomain 
&nbsp;      TCP::close 
&nbsp;      return  
&nbsp;   } else { 
&nbsp;      log "Standard packet. Move it along."  
&nbsp;      virtual my_labs 
&nbsp;      return   
&nbsp;   }   
&nbsp;   TCP::release 
&nbsp; } 
&nbsp;  
&nbsp;  
&nbsp; Any suggestions? the rule seems to fire correctly if the payload does contain the policy file request, but if it's 'normal' traffic the virtual command never gets invoked pool doesn't either). I've got an iRule that logs RULE_INIT and that never gets called so I think it's not getting there at all. 
&nbsp;

hoolio · Answer

So the iRule works for a "policy-file-reqest" but you don't see any response for a standard request?  You might try removing the return after the virtual command so that TCP::release is called. 
&nbsp;  
&nbsp; Else, you could combine the two virtual servers and not use the virtual command.  Or is there a specific reason you are using two VIPs? 
&nbsp;  
&nbsp; Also, RULE_INIT is only triggered when the rule is modified or saved.  The first event normally triggered when an iRule fires is CLIENT_ACCEPTED. 
&nbsp;  
&nbsp; Aaron

james_wrubel_48 · Answer

Aaron, 
&nbsp;  
&nbsp; Thanks for the followup.  I was using a second VIP with the virtual command because I wasn't sure if just assigning the pool in the iRule would get the traffic there.  The Virtual Server on which this iRule is defined is listening on port 80 while the pool internally is listening on port 5900 (VNC).  I wasn't sure if simply assigning the pool would also do the port translation. It didn't work when I tried it but there are a bunch of reasons that might be.

hoolio · Answer

LTM will translate the destination port from what the client requested to the VIP to the pool member's port assuming the virtual server property 'port translation' is enabled.  For a standard TCP VIP, address and port translation are both enabled by default. 
&nbsp;  
&nbsp; Aaron

jan_carlin_4038 · Answer

I have a very similar problem in that I need to serve up a socket policy file as well but that file is generated on one of the pool members so I cannot serve it up statically. I must use SSL and tcp requests. I must terminate the SSL on the load balancer. How ever I cannot start SSL until I have the policy file so I need the initial request to be let all the way thru while SSL is disabled. Subsequent ones should use SSL so it needs to be turned back on again if the payload does not contain the xml snippet at the top entry of this thread.
&nbsp;Does anybody have any idea of how I would do this?&nbsp;

the_bhattman · Answer

My response on the following new thread&nbsp;&nbsp;
&nbsp;Bhattman&nbsp;

Forum Discussion

iRule to conditionally serve Flash xmlsocket policy files

Recent Discussions

Service discovery is not happening in AS3

How to implement LTM forward proxy client to determine the diversion pool based on the domain name

FTP PASV mode to Extended Passive mode

Oracle JDBC SSL Termination failing on F5

APM for banner and cert

Related Content

Minimizing Security Complexity: Managing Distributed WAF Policies

iControl REST Cookbook - LTM policy (ltm policy)

Auditing Security Policy Updates

Manage F5 BIG-IP Advanced WAF Policies with Terraform (Part 1 - Policy Creation)

Manage F5 BIG-IP Advanced WAF Policies with Terraform (Part 2 - Policy Import)

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS