OpenText EIM Redirect Issue

Question

I am trying to setup a VIP for a OpenText EIM solution. I have a standard vip for port 443. However, the server keeps doing a redirect for another FDQN. So in this case, I am putting in https://content.companya.com and the browser is getting redirected to https://servera.host.local (the domain name for the server itself). If I go to the FQDN of the server itself (servera.host.local), it works fine. According to OpenText, this is an issue with the OpenText Directory Services (OTDS) as the this is the expected behaviour as during the installation of OTDS, it is required that we have to use the FQDN and use certificates that have been created against that hostname of the server. A reverse proxy must be used to translate requests between different top-level domains. So what type of iRule do I need to setup to make the translation work?

kevin_davies_40 · Answer

If this is only an installation issue (one off) &nbsp;
Create in a self signed cert with the correct CN in System-&gt;File Management-&gt;SSL Certificate ListCreate a new ssl client profile Local Traffic-&gt; Profiles -&gt; SSL -&gt; Client using the new certificate and key you just created.Create a a new virtual with a single pool member containing the backend server and select SNAT automap.Apply a clientssl profile that you created and the default serverssl profile.Create a hosts file entry on the client machine that points servera.host.local to the new virtual server address.
Try now. Delete above configuration when finished.&nbsp;

brian_h__jones_ · Answer

Still not working.  The packet trace shows that when the packet goes to the pool member, another connection is initiated to the OTDS server which is a separate server. The result is that the error "There was a problem with your request. Please contact your administrator if this persists. The DNS domains for the request and response differ or cannot be determined. As OTDS uses domain-level cookies, the request and response must originate within the same DNS domain. Please make sure that fully qualified DNS domains are specified in all configuration and browser entries. Do not use IP address or local names. The redirect URL was given as "https://contentcenter:443/OTCS/cs.exe", and the OTDS URL followed was "http://dfmspotparc.hostederp.local:8080/otdsws/login"."&nbsp;
The Opentext support says that the solution is a "reverse proxy", so I am taking it that when the request comes in from the client as "www.companya.com"  the F5 needs to forward the request to the server as "servera.host.local".  However, the OTDS server is not part of the pool as it is a separate box.&nbsp;

kevin_davies_40 · Answer

There is not enough information here for me to help you.&nbsp;
You can do this with LTM as well but as you can see when you have multiple outgoing to requests to different destinations you need to create virtual's for them as well. The problem here is I do not have a clear picture of what is happening. Can you draw up a diagram to explain the application flows that are going on here and attach to this post. &nbsp;
As for correct naming, the BIGIP can rename anything in the traffic flow to make it look right to the application, that is one of its strengths. The challenge for the solution designer is to clearly understand what the server is expecting.&nbsp;

brian_h__jones_ · Answer

So the issue is that the Content Server talks to another because that is where directory services in running. After the directory services application checks to make sure there is a valid user, it should return the client to the content server. According to OpenText is that the FDQN for content server is in a .local domain, it then talks to directory services which is also in the same .local domain. But the original URL is the company.com. So when the reply go back to the client, it is only referencing the .local domain.&nbsp;
From the sniffer trace, I can see the following:&nbsp;

Client sends a request to the Content Server&nbsp;
Whenever we call Content server, it communicates to directory services server for authentication.&nbsp;
The directory services server sends a request to the Client for authentication&nbsp;
Client response back to the directory service server with creditentials&nbsp;
The directory services server checks the Active directory for the user existence and roles.&nbsp;
The archive server send a 302 redirect to .local:443/OTCS/livelink.exe to client to continue back to the Content Server, instead of sending .company.com/OTCS/livelink.exe&nbsp;
The server team built a Apache reverse proxy to replace the F5 as a test. The results came back that the application works as expected. I am going to try to do a sniffer trace with that later today.&nbsp;
I tried to use the Proxy Pass irule to emulate the functions but it is still doing the behavior above.&nbsp;

brian_h__jones_ · Answer

Here are the key parts of the httpd.conf from the reverse proxy:&nbsp;
LimitRequestFieldsize 131072 ProxyRequests Off&nbsp;
ProxyPass /otdsws/ http://dfpspotqarc.hostederp.local:8080/otdsws/ ProxyPassReverse /otdsws/ http://dfpspotqarc.hostederp.local:8080/otdsws/&nbsp;
ProxyPass /OTCS/ http://dfpspotqcon.hostederp.local/OTCS/ ProxyPassReverse /OTCS/ http://dfpspotqcon.hostederp.local/OTCS/&nbsp;
ProxyHTMLEnable On ProxyHTMLExtended On&nbsp;
ProxyHTMLURLMap http://dfpspotqcon.hostederp.local/OTCS/ /OTCS/ ProxyHTMLURLMap http://dfpspotqarc.hostederp.local:8080/otdsws/ /otdsws/ ProxyHTMLURLMap url(http://dfpspotqcon.hostederp.local([^)]*)) url(biq.dfamilk.com:99$1) Rihe&nbsp;
ProxyPass /OTCS/favicon.ico http://dfpspotqcon.hostederp.local/OTCS/favicon.ico ProxyPassReverse /OTCS/favicon.ico http://dfpspotqcon.hostederp.local/OTCS/favicon.ico&nbsp;
ProxyPass /OTCS/ http://dfpspotqcon.hostederp.local:80/OTCS/ ProxyPassReverse /OTCS/ http://dfpspotqcon.hostederp.local:80/OTCS/&nbsp;
ProxyPass /img/ http://dfpspotqcon.hostederp.local/img/ ProxyPassReverse /img/ http://dfpspotqcon.hostederp.local/img/&nbsp;
ProxyPass /img/ http://dfpspotqcon.hostederp.local:80/img/ ProxyPassReverse /img/ http://dfpspotqcon.hostederp.local:80/img/&nbsp;
ProxyPass /otdsws/app_directory_services.ico http://dfpspotqarc.hostederp.local:8080/otdsws/app_directory_services.ico&nbsp;
ProxyPassReverse /otdsws/app_directory_services.ico http://dfpspotqarc.hostederp.local:8080/otdsws/app_directory_services.ico&nbsp;
ProxyPass /img/favicon.ico http://dfpspotqcon.hostederp.local:80/img/favicon.ico ProxyPassReverse /img/favicon.ico http://dfpspotqcon.hostederp.local:80/img/favicon.ico&nbsp;
ProxyPass /img/favicon.ico http://dfpspotqcon.hostederp.local/img/favicon.ico ProxyPassReverse /img/favicon.ico http://dfpspotqcon.hostederp.local/img/favicon.ico&nbsp;
 ProxyPassReverse / ProxyHTMLEnable On ProxyHTMLURLMap / /OTDS/ RequestHeader unset Accept-Encoding &nbsp;
 ProxyPassReverse / ProxyHTMLEnable On ProxyHTMLURLMap / /otdsws/ RequestHeader unset Accept-Encoding &nbsp;
ProxyPassReverseCookieDomain .hostederp.local .dfamilk.com &nbsp;

Forum Discussion

OpenText EIM Redirect Issue

8 Replies

Recent Discussions

snmp automatic stop mail send

BIG-IP DNS iRule issue with static variable

Using okta as SSO to login F5 GUI

(How) can I get two client certificates in one APM session?

BIG-IP DNS: Check Status Of Multiple Monitors Against Pool Member

Related Content

issue with irule redirecting with # string

Regex issue

Anchor Link Redirect

url redirect

Irule Example Issue