Forum Discussion
tdoc_90806
Nimbostratus
NimbostratusSharepoint 2007 Problem
Hi,
I am publishing Sharepoint using an external F5 (where SSL terminates), ISA2006, then via another internal F5, Load Balancing IIS server. I have followed the F5 deployment guide and I am able to publish the site fine. The problem I get is when I click - "New Group" or "New User" from the 'People & Groups' section of SP.
This request just times out and Page cannot be displayed.
If I bypass F5 and just go straight to IIS, it works fine.
I have an HTTP profile configured as per the deployment doc and Cookie persistence.
My iRule to redirect http - https is per the install doc:
when HTTP_REQUEST {
HTTP::redirect https://[HTTP::host][HTTP::uri]
}
When the request times-out, the url displayed eventually changes to:
http://sitename:port/subsitename/_layouts/newgrp.aspx
whereas the normal url is https://sitename/subsitename etc.
so it seems as though the http request is not being redirected properly(?)...
If anyone could help with this I would really appreciate it!!!
Many Thanks
hoolioCirrostratus
Hi,
What is the port in the requested host header value? Can you add a log statement to your iRule performing the redirect from http to https? If the port number is included in the request, you could strip it out before redirecting to https:when HTTP_REQUEST { log local0. "[IP::client_addr]:[TCP::client_port]: Redirecting new request from [HTTP::host][HTTP::uri] to https" Check if Host header value has a length if {[string length [HTTP::host]]}{ Redirect to the requested host and URI (minus the port if specified) HTTP::respond 301 Location https://[getfield [HTTP::host] ":" 1][HTTP::uri] } else { Redirect to VIP's IP address HTTP::respond 301 Location https://[IP::local_addr][HTTP::uri] } }
Can you also use a browser plugin like Fiddler for IE or HttpFox for FF to see what is triggering the request to http? If you see a 30x redirect coming from the app to http://sitename... you could enable rewrite redirects on the HTTPS VIP's HTTP profile to rewrite these redirects from http to https.
Aaron
tdoc_90806Hi, thanks for replying so soon..
Yes, the port number does seem to get included in the request - Fiddler shows:
Object moved
Object moved to .
so it seems as though the port gets added to the url.
When I request the People and Groups page, first I see a 302, with the details shown above. Then the page is returned. Its when I then click to create a new group, that the timeout occurs, i guess the url has already been changed to hostname:port by this stage...
I have added the iRule above to my http vip, but i get the same response. Do I need to modify the iRule to specify my port or is it ok as it is? (sorry, not very experienced with iRules..)
(Just to confirm, I have 2 vips, 1 listening on port 80 - no pool resources just the iRule to redirect to https, plus 1 listening on port 443 which has the http profile etc, no iRule - is this right?)
"Redirect Rewrite" is set to 'Matching' in my http profile.
Thanks- hoolioI would expect that you can configure aliases within Sharepoint to tell the app to reference itself using the public hostname without the specific port. If that's not possible, you can use a stream profile and iRule to rewrite the references to :8081 with nothing. To use the example rule, add a blank stream profile to the VIP and create a custom HTTP profile with Response Chunking set to Rechunk.
when HTTP_REQUEST { Disable the stream filter by default STREAM::disable } when HTTP_RESPONSE { Rewrite the response content Check if response type is text if {[HTTP::header value Content-Type] contains "text"}{ Replace any http:// instance with https://, unless the original string is http://example.com STREAM::expression "@http://example.com:8081@https://example.com@" Enable the stream filter for this response only STREAM::enable } Rewrite the response headers if {[HTTP::is_redirect]}{ HTTP::header replace Location [string map "http://example.com:8081 https://example.com" [HTTP::header value Location]] } }
You can disable the rewrite redirects option on the HTTPS VIP's HTTP profile as the iRule does this. The rest of your config as you described it should be fine.
Aaron - tdoc_90806Hi
After looking into this all day, I think the issue could be coming from the actual site configuration itself within Sharepoint. It looks like the site name includes the port number in its URL (on some pages, not all!), which must have been a mis-configuration when the site was set up. I have created some test sites and this doesnt occur on them. I have noticed that when a new Sharepoint application is created, by default it appends the port, so potentially this is how the mis-config occurred.
I have applied the rule you posted, but this hasn't resolved the issue, so I think a re-build of the site - removing the port number - may sort it out.
Many Thanks for your help....
Regards