Mike_Harpe_6170
Oct 05, 2010

Issue with SharePoint 2007 behind BIG-IP LTM 9.4.8

Two SharePoint 2007 servers behind an F5 BIG-IP LTM. Doing SSL offload on client side. Server side is port 80 in the clear.

User starts a session. Sniffer trace shows SSL handshake happens. SP server starts talking directly to the client, going around the F5. SP server thinks the F5 is doing this. I can't find a way to make that happen. No iRules are involved. VS is set up according to implementation guide. This has worked previously.

Any help appreciated!

Mike Harpe
US Army Human Resources Command
Fort Knox, KY

  • Whoa! Article should read "SP server ADMIN thinks the F5 is doing this..."

    Sorry.
  • Helen_Johnson_1
    Historic F5 Account
    Hi Mike,

    That's an interesting issue, and my first question would be around what's changed in your SP environment. Did a gateway change, or maybe a configuration setting in the F5 device?

    -Helen

  • Ryan_Korock_46
    Historic F5 Account
    I think Helen hit the nail on the head. In almost all load balanced environments (the exception being the npath/direct server return corner case), return traffic from the servers will need to pass back through the load balancer before it makes it back to the client.

    Most implementations accomplish this by putting the servers 'behind' the BIG-IP, and pointing the default gateway of the servers at the BIG-IP.

    Others will use SNAT functionality on the BIG-IP to swap out the source IP of the connection as it passes through the BIG-IP on its way to the servers. Now the servers will see the source IP being that of the BIG-IP, and send all return traffic towards it. This option allows you more flexibility in how you configure your servers' routing tables, but has the drawback of making it look like all the connections were originated from the BIG-IP.

    So Mike.... I would check 2 things. Are your servers pointing to the BIG-IP as their default gateway? If not, and you don't want to change their routing, check to see if SNAT is enabled on the VIP/BIG-IP.
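
The two checks suggested in the reply above (default gateway and SNAT) can be modelled as a return-path test. This is an added example, not part of the original thread or F5's tooling; all addresses, route tables and function names are constructed assumptions.

```python
import ipaddress

# Constructed sample values (not from the thread).
BIGIP_SELF_IP = "10.10.20.1"       # BIG-IP self IP on the server VLAN
ROUTER_IP = "10.10.20.254"         # another router on the same VLAN
CLIENT_IP = "203.0.113.50"         # remote client
ON_LINK = ("10.10.20.0/24", None)  # gateway None = directly connected

ROUTES_VIA_ROUTER = [ON_LINK, ("0.0.0.0/0", ROUTER_IP)]
ROUTES_VIA_BIGIP = [ON_LINK, ("0.0.0.0/0", BIGIP_SELF_IP)]

def next_hop(routes, dst):
    """Longest-prefix match over (prefix, gateway) pairs on the server."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gateway in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    if best is None:
        return None  # no matching route: the reply is dropped
    # On-link destinations are delivered directly, without a gateway.
    return str(dst) if best[1] is None else best[1]

def return_path(routes, client_ip, bigip_self_ip, snat_ip=None):
    """Classify where a pool member sends its reply for one connection."""
    # With SNAT the server sees the BIG-IP's address as the source, so the
    # reply is addressed to the BIG-IP itself. Without SNAT it is addressed
    # to the real client and the server's routing table picks the next hop.
    reply_dst = snat_ip if snat_ip else client_ip
    hop = next_hop(routes, reply_dst)
    if hop is None:
        return "no-route"
    if snat_ip or hop == bigip_self_ip:
        return "via-bigip"
    return "bypasses-bigip"

if __name__ == "__main__":
    cases = [
        ("gateway is another router, no SNAT", ROUTES_VIA_ROUTER, CLIENT_IP, None),
        ("gateway is the BIG-IP, no SNAT", ROUTES_VIA_BIGIP, CLIENT_IP, None),
        ("gateway is another router, SNAT on", ROUTES_VIA_ROUTER, CLIENT_IP, "10.10.20.5"),
        ("client on the server subnet, no SNAT", ROUTES_VIA_BIGIP, "10.10.20.77", None),
    ]
    for label, routes, client, snat in cases:
        print(f"{label}: {return_path(routes, client, BIGIP_SELF_IP, snat)}")
```

The last case shows that a client on the same subnet as the servers is answered directly even when the default gateway is the BIG-IP, so only SNAT keeps that return traffic on the load balancer.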