Sharepoint 2007 Problem

Question

Hi, 
&nbsp; I am publishing Sharepoint using an external F5 (where SSL terminates), ISA2006, then via another internal F5, Load Balancing IIS server. I have followed the F5 deployment guide and I am able to publish the site fine. The problem I get is when I click - "New Group" or "New User" from the 'People &amp; Groups' section of SP.  
&nbsp; This request just times out and Page cannot be displayed. 
&nbsp; If I bypass F5 and just go straight to IIS, it works fine. 
&nbsp; I have an HTTP profile configured as per the deployment doc and Cookie persistence. 
&nbsp; My iRule to redirect http - https is per the install doc: 
&nbsp;  
&nbsp; when HTTP_REQUEST { 
&nbsp; HTTP::redirect https://[HTTP::host][HTTP::uri] 
&nbsp; } 
&nbsp;  
&nbsp; When the request times-out, the url displayed eventually changes to: 
&nbsp; http://sitename:port/subsitename/_layouts/newgrp.aspx 
&nbsp; whereas the normal url is https://sitename/subsitename etc. 
&nbsp;  
&nbsp; so it seems as though the http request is not being redirected properly(?)... 
&nbsp; If anyone could help with this I would really appreciate it!!!  
&nbsp;  
&nbsp; Many Thanks

hoolio · Answer

Hi, 
  
 What is the port in the requested host header value?  Can you add a log statement to your iRule performing the redirect from http to https?  If the port number is included in the request, you could strip it out before redirecting to https:

when HTTP_REQUEST { 
    log local0. "[IP::client_addr]:[TCP::client_port]: Redirecting new request from [HTTP::host][HTTP::uri] to https" 
  
     Check if Host header value has a length 
    if {[string length [HTTP::host]]}{ 
  
        Redirect to the requested host and URI (minus the port if specified) 
       HTTP::respond 301 Location https://[getfield [HTTP::host] ":" 1][HTTP::uri] 
  
    } else { 
  
        Redirect to VIP's IP address 
       HTTP::respond 301 Location https://[IP::local_addr][HTTP::uri] 
    } 
 }

Can you also use a browser plugin like Fiddler for IE or HttpFox for FF to see what is triggering the request to http?  If you see a 30x redirect coming from the app to http://sitename... you could enable rewrite redirects on the HTTPS VIP's HTTP profile to rewrite these redirects from http to https. 
  
 Aaron

tdoc_90806 · Answer

Hi, thanks for replying so soon.. 
&nbsp; Yes, the port number does seem to get included in the request - Fiddler shows: 
&nbsp;  
&nbsp; Object moved 
&nbsp; Object moved to . 
&nbsp;  
&nbsp;  
&nbsp; so it seems as though the port gets added to the url. 
&nbsp;  
&nbsp; When I request the People and Groups page, first I see a 302, with the details shown above. Then the page is returned. Its when I then click to create a new group, that the timeout occurs, i guess the url has already been changed to hostname:port by this stage... 
&nbsp;  
&nbsp;  
&nbsp; I have added the iRule above to my http vip, but i get the same response. Do I need to modify the iRule to specify my port or is it ok as it is? (sorry, not very experienced with iRules..) 
&nbsp; (Just to confirm, I have 2 vips, 1 listening on port 80 - no pool resources just the iRule to redirect to https, plus 1 listening on port 443 which has the http profile etc, no iRule  -  is this right?) 
&nbsp;  
&nbsp; "Redirect Rewrite" is set to 'Matching' in my http profile. 
&nbsp;  
&nbsp; Thanks

hoolio · Answer

I would expect that you can configure aliases within Sharepoint to tell the app to reference itself using the public hostname without the specific port.  If that's not possible, you can use a stream profile and iRule to rewrite the references to :8081 with nothing.  To use the example rule, add a blank stream profile to the VIP and create a custom HTTP profile with Response Chunking set to Rechunk. 
 when HTTP_REQUEST { 
     Disable the stream filter by default 
    STREAM::disable 
 }
 when HTTP_RESPONSE { 
     
     Rewrite the response content 
     
     Check if response type is text 
    if {[HTTP::header value Content-Type] contains "text"}{ 
        Replace any http:// instance with https://, unless the original string is http://example.com 
       STREAM::expression "@http://example.com:8081@https://example.com@" 
        Enable the stream filter for this response only 
       STREAM::enable 
    } 
     
     Rewrite the response headers 
     
    if {[HTTP::is_redirect]}{ 
       HTTP::header replace Location [string map "http://example.com:8081 https://example.com" [HTTP::header value Location]] 
    } 
 } 
 You can disable the rewrite redirects option on the HTTPS VIP's HTTP profile as the iRule does this.  The rest of your config as you described it should be fine. 
 Aaron

tdoc_90806 · Answer

Hi 
&nbsp; After looking into this all day, I think the issue could be coming from the actual site configuration itself within Sharepoint. It looks like the site name includes the port number in its URL (on some pages, not all!), which must have been a mis-configuration when the site was set up. I have created some test sites and this doesnt occur on them. I have noticed that when a new Sharepoint application is created, by default it appends the port, so potentially this is how the mis-config occurred. 
&nbsp; I have applied the rule you posted, but this hasn't resolved the issue, so I think a re-build of the site - removing the port number - may sort it out. 
&nbsp;  
&nbsp; Many Thanks for your help.... 
&nbsp;  
&nbsp;  
&nbsp; Regards 
&nbsp;  &nbsp;

Forum Discussion

Sharepoint 2007 Problem

4 Replies

Welcome! a la Communidad DevCentral LATAM de F5!

The New F5 Certified BIG-IP Administrator Certification Exams Now Live

Recent Discussions

F5 XC JWKS auto update

PCI Compliance and ASM

irule for redirect and header injection

What happens if I activate only ASM without provisioning LTM?

Implement load balancing solution with constraints

Related Content

APM Sharepoint authentication

EM Template MS Sharepoint 2007 SSL

APM Sharepoint authentication v2

Microsoft SharePoint 2016 iApp template

Microsoft SharePoint Server

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS