For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

James_Nelson_18's avatar
James_Nelson_18
Icon for Nimbostratus rankNimbostratus
Jun 16, 2016

Sharepoint 2013 Apps -- SSL Offload\Bridging question

Hi there,

 

I followed the F5 deployment guide for Sharepoint 2013, and used the latest iApp template. Knowing that true SSL offload is not supported for the Sharepoint apps domain, I did as the guide suggested and configured the app for SSL bridging, and then used the following iRule to redirect non-Apps content to the http pool with server-side encryption disabled:

 

when HTTP_REQUEST { if {[HTTP::host] contains "my-apps.company.com"} { pool SP_2013_https_pool } else { SSL::disable serverside pool SP_2013_http_pool persist none } }

 

On the Sharepoint front ends themselves, the non-apps sites are all listening on 80 and identified with their respective host headers. I have a single IIS site with an empty host header bound on 443, so it should be catching the apps requests.

 

When I added logging to catch what the iRule was doing, I saw that no matter what, traffic is hitting the "else" portion of the rule and getting directed to the http pool, thus offloading SSL rather than bridging and causing the apps not to work.

 

Any ideas?

 

application delivery
iApps
iRules

4 Replies

  • mikeshimkus_111's avatar
    mikeshimkus_111
    Historic F5 Account
    Jun 16, 2016

    Hi James, have you tried logging the value of [HTTP::host] to check why it's not matching my-apps.company.com? If the host header has any caps in it, it wouldn't match unless you use [string tolower [HTTP::host]].

     

    Mike

     

    • James_Nelson_18's avatar
      James_Nelson_18
      Icon for Nimbostratus rankNimbostratus
      Jun 16, 2016
      Hey Mike, I am logging that value, and it's coming through as the regular URL of my Sharepoint site. The app in question is embedded in the page, and if you view the source it does show the apps host, but I'm not sure why it's mapping. The host does not have any caps, and an earlier iteration of the iRule did have a tolower function in place as well, with the same result. I took it out to match precisely what the deployment guide stated.
  • mikeshimkus_111's avatar
    mikeshimkus_111
    Historic F5 Account
    Jun 16, 2016

    I assume your DNS records for the app domains are pointing to the BIG-IP virtual server IP?

     

    I don't have a working lab with SharePoint apps set up at the moment. Is it possible to use Fiddler on your client to view the request and response for the app requests to verify that those use the correct host header?

     

  • sudarshang_2572's avatar
    sudarshang_2572
    Icon for Nimbostratus rankNimbostratus
    Mar 29, 2017

    Hello All,

     

    I am also facing same problem with SharePoint SSL bridge. Tried with all SSL cipher change and HTTP profile change, but application is not working with SSL bridge. Even tried same application access with 12.0 and 11.6 version.

     

    Today suggested customer to go with SSL offload the application and will test application access.

     

    Please suggest any solution to work with SSL Bridge option.

     

    Regards Sud