Forum Discussion
Aaron_107144
Nimbostratus
Mar 11, 2011
Redirect to pool based on incoming HTTPS URI
I've been digging and testing all day, but I'm coming up blank.
We've had great success so far with the LTMs marshaling traffic from the internet to the Exchange TMG servers for Outlook Anywhere, OWA, and the like (Exchange 2010).
So yesterday, I got a request from our Exchange admin to redirect HTTPS traffic for Outlook Anywhere and autodiscover to a new set of IPs - while leaving the rest of the traffic to pass as usual to the OWA virtual server/pool. So basically I'm trying to redirect incoming Exchange 2010 traffic to a different pool based on the URI.
As much as I'd like to just use an HTTP redirect (easy) - The TMG servers' security requires that the requested URLs remain intact. So I can't substitute the VIP of the new VS in the URL.
The rule I've come up with is this:
when HTTP_REQUEST {
    # Send Outlook Anywhere / autodiscover paths to the OA pool, everything else to OWA
    if { ([HTTP::uri] starts_with {/rpc}) or ([HTTP::uri] starts_with {/oab}) or ([HTTP::uri] starts_with {/ews}) or ([HTTP::uri] starts_with {/autodiscover}) } {
        pool TMG_OA_Pool
    } else {
        pool TMG_OWA_Pool
    }
}
When I try to apply this iRule to my incoming HTTPS Virtual Server, I get an error:
HTTP_REQUEST event in rule (Exch_OA_Redirect) requires an associated HTTP or FASTHTTP profile on the virtual server Exch_TMG_Edge_VIP
When I add an HTTP profile to the VS (It's currently "none" because it's an HTTPS VS) OWA breaks. I added the iRule anyway, and I can see the rule getting hit, but nothing makes it to the OA pool counters.
Any ideas? Am I going about this wrong?
- hoolio
Cirrostratus
Hi Aaron,
when HTTP_REQUEST {
    switch -glob [string tolower [HTTP::path]] {
        "/rpc*" -
        "/oab*" -
        "/ews*" -
        "/autodiscover*" {
            pool TMG_OA_Pool
        }
        default {
            pool TMG_OWA_Pool
        }
    }
}
- Chris_Miller
Altostratus
Aaron - I've often encountered applications that won't function with an attached HTTP profile. I've just assumed it's because an HTTP profile causes the Virtual Server to require an HTTP request before opening a TCP connection to the pool member. While the HTTP profile is a requirement for L7 visibility, doesn't it also force the application to comply with certain standards? If it's SSL traffic not being decrypted on LTM, would these requests essentially look incorrect and therefore be kept from pool members? - Absolutely... You'll need to terminate ssl on your LTM(s)... Are you?
- Aaron_107144
Nimbostratus
Yes, I am terminating SSL on the LTM - It's actually built to F5's Exchange 2010 design guide specs. There are 2 VS - 1 HTTP and 1 HTTPS, both with the same VIP. The HTTP VS has a HTTPS redirect iRule, sending traffic sourced on port 80 to the HTTPS VS.
- Chris_Miller
Altostratus
You're correct in that you'll need the iRule applied to HTTPS traffic as well. Also, as your rule looks at HTTP info (path) you'll need the HTTP profile. If you do a packet capture, is traffic getting to your pool members? Are you just using a clientSSL profile on your HTTPS VIP?
- Michael_Yates
Nimbostratus
I've had similar problems to what you are describing in the past. The problems that I had revolved around a default behavior in the HTTP Profile (Response Rechunking). Some traffic doesn't respond well to it.
- Aaron_107144
Nimbostratus
I've managed to make some progress: