Forum Discussion

RecontuerSG_258
Historic F5 Account
Jun 15, 2017

iRule to Redirect autodiscover traffic

Dear all,

The SSL certificate in my current virtual server points to autodiscover.abc.com and not autodiscover.abccommodities.com.

I would like F5 to redirect from autodiscover.abccommodities.com to autodiscover.abc.com in hopes of eliminating the SSL security warning popup from Outlook clients as seen below. Is that possible?

I tried this iRule but it wasn't working; it still prompts the warning. I believe the Outlook client is using HTTPS traffic to contact the mail server?

when HTTP_REQUEST {
    if { [string tolower [HTTP::host]] ends_with ".abccommodities.com" } {
        HTTP::redirect "https://autodiscover.abc.com"
    }
}

  • Which SSL certificate do you have installed on the VIP "autodiscover.abccommodities.com"? It looks like the VIP is not using a valid SSL certificate, so it is returning an error. Please click on View Certificates for autodiscover.abccommodities.com and paste it here.

     

    The iRule will not redirect traffic to the other VIP until there is a valid cert or another option to bypass the client cert.

     

    • DavisLi
      Employee

      There is no certificate for abccommodities.com. Only abc.com is attached to an SSL Client Profile in the VS listening for Exchange traffic. Is there a way to avoid buying an abccommodities certificate, because the company has over 10 subsidiary names, all pointing to the same Exchange server cluster?

       

    • Samir_Jha_52506
      Noctilucent

      The options are either to click Yes every time or to attach a valid SSL certificate to the VIP.

       

      Another option (not recommended): apply the redirection on the HTTP VIP.

       

    • DavisLi
      Employee

      Redirect from HTTPS to HTTP or HTTP to HTTPS? Exchange backend only accepts HTTPS.

       

      Can this issue be resolved without SSL certificates? The Exchange team was saying that previously, when they used Microsoft's Threat Management Gateway (TMG), there were some redirection features inside TMG and they never had SSL certificates.

       

      With F5 in the picture to replace TMG, they were expecting F5 to do the same.

       

      I still can't understand how TMG does it without proper certificates, because TMG is just an SSL terminator but still needs a certificate/private key, right?

       

    • DavisLi
      Employee

      It seems there is no way other than meddling with the customer's DNS or having the customer provision multiple SSL certs with the appropriate common names and adding them to one virtual server.

       

      When the client accesses an HTTPS site, the client knows the hostname of the site. During the SSL handshake, the server provides the certificate. If the CN in the server certificate does not match the hostname, the client will definitely get the certificate warning. An HTTP redirect cannot fix the issue, as the certificate warning occurs on the first connection.

       

      If one virtual server can provide the service for multiple HTTPS sites, and provided the customer can provision a different SSL cert for each common name, the following article can help: K13452: Configuring a virtual server to serve multiple HTTPS sites using the TLS Server Name Indication feature (https://support.f5.com/csp/article/K13452)
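
The sequence described in this thread, modelled as an added example (not code from any poster or from F5): the client checks the certificate name during the TLS handshake, before the iRule's HTTP_REQUEST event can send a redirect. The certificate name lists, the profile layout and the assumption that the client sends SNI are constructed for illustration.

```python
# Added example. Hostnames are the ones from the thread; the certificate name
# lists and profile layout are constructed to model the two setups discussed.

def name_matches(pattern, host):
    """Compare one certificate name with the requested host, label by label.
    A '*' is honoured only as the entire left-most label (RFC 6125 style)."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Require at least two fixed labels so '*.com' never matches.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def select_cert(sni_profiles, default_cert, sni):
    """Server side: pick the certificate whose profile server name equals the
    SNI value sent in the ClientHello, else fall back to the default."""
    return sni_profiles.get(sni.lower(), default_cert)

def handshake(sni_profiles, default_cert, host):
    """Client side: the name check runs on the certificate received in the
    handshake, before any HTTP request (or redirect) can be exchanged."""
    cert_names = select_cert(sni_profiles, default_cert, host)
    ok = any(name_matches(n, host) for n in cert_names)
    return "ok" if ok else "warning"

ABC_CERT = ["autodiscover.abc.com"]             # the only certificate today
SUB_CERT = ["autodiscover.abccommodities.com"]  # hypothetical additional cert

def current_setup(host):
    # One client SSL profile, one certificate, no SNI alternatives.
    return handshake({}, ABC_CERT, host)

def sni_setup(host):
    # One virtual server, one certificate per site name, chosen by SNI.
    profiles = {"autodiscover.abccommodities.com": SUB_CERT}
    return handshake(profiles, ABC_CERT, host)

if __name__ == "__main__":
    for h in ("autodiscover.abc.com", "autodiscover.abccommodities.com"):
        print(h, "current:", current_setup(h), "| with SNI:", sni_setup(h))
```

A wildcard certificate for `*.abc.com` would not help here either, because the subsidiary name differs in the domain label, not only in the host label.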