Geoff_Littlewoo
Jun 30, 2008

SSL re-direction for Exchange 2003

Using BIG-IP 1500 to manage traffic through to an Exchange 2003 server. It is HTTPS traffic with an SSL certificate held on the F5 device. If I create a VS to the Exchange server using HTTP, the standard re-direct script kicks in as expected. If I connect using the VS set up to allow HTTPS, with the SSL cert added to this VS, then the re-direction does not take place.

 

I guess there must be a standard iRule to fix this when connecting to an Exchange 2003 server?

 

8 Replies

  • hoolio
    You can configure LTM to insert an HTTP header (Front-End-Https: On) which lets OWA know it's being proxied by an SSL offloading device.

     

     

    SOL6087: Configuring BIG-IP LTM to provide access to Microsoft Outlook Web Access through a decrypting SSL virtual server

     

    https://support.f5.com/kb/en-us/solutions/public/6000/000/sol6087.html

     

     

    Aaron
  • hoolio
    Here is a quick one to redirect / to /exchange:

     
     when HTTP_REQUEST {

        # Redirect / to /exchange
        if { [HTTP::uri] eq "/" } {
           HTTP::redirect https://[HTTP::host]/exchange
        }
     }
     

    Aaron
  • OK, added that iRule to the device and attempted to connect. The SSL prompt works, then it seemingly still tries to re-direct but just displays "Internet Explorer cannot display the webpage"

     

     

    It seems to have https://host/exchange as expected but does not display the page. But the script says " HTTP::redirect https://[HTTP::host]/exchange"

     

     

     

  • hoolio
    It sounds like the request is making it to the HTTPS VIP and is being redirected to the new URI. If you make a request to https://domain/exchange do you see the request leave LTM and make it to the web server? Does the reply get back to LTM and then the client? You can check this using tcpdump. If not, is the web server's default gateway set to the LTM's floating self IP on that VLAN? Or do you have SNAT enabled on the VIP?

     

     

    Here is a tcpdump command you can use to see the client and server side packets:

     

     

    tcpdump -ni 0.0 -s0 host CLIENT_IP or host SERVER_IP

     

     

    Replace CLIENT_IP and SERVER_IP with the relevant IP addresses.

     

     

    Aaron
  • I have run the TCPDUMP.

     

    The OWA screen gets loaded but it does not display the email inbox etc. and reports that IE is unable to display the contents.

     

    I have attached outputs; the client IP is 167.165.0.22 and the destination host is 167.165.0.11

     

     

    Hope this helps.

     

  • hoolio
    If you want help diagnosing the issue using tcpdumps, you could contact F5 support. They'll want to see binary formatted traces (you can get this by adding -w /path/to/output.file.dmp to the tcpdump command before the host filter):

     

     

    tcpdump -ni 0.0 -s0 -w/var/tmp/`/bin/hostname`.owa.dmp host 167.165.0.22 or host 167.165.0.11

     

     

    This will capture traffic on all switch interfaces (0.0) and ensure that the trace contains the full packets. You can use Wireshark to analyze the trace.

     

     

    There are a couple of related AskF5 solutions:

     

     

    SOL411: Overview of packet tracing with the tcpdump utility

     

    https://support.f5.com/kb/en-us/solutions/public/0000/400/sol411.html

     

     

    SOL1893: Packet trace analysis

     

    https://support.f5.com/kb/en-us/solutions/public/1000/800/sol1893.html

     

     

    Aaron
  • I have a similar problem, and I've added the "Front-End-Https: On" header, and I can see it go through to the back-end Exchange 2007 server; however, OWA still 302-redirects to the http service.

     

     

    Do I need to adjust/rewrite the HTTP::Response on the way back?

     

     

    I'd rather not; I'd rather get Exchange/OWA to do the right thing and redirect to https ... but the Front-End-Https: On doesn't seem to be acknowledged.

     

     

     

    tia
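
The pieces discussed in this thread combined into one iRule, as an added example that is not code from any poster or from F5: it inserts the Front-End-Https header, redirects / to /exchange, and rewrites same-host http:// redirects coming back from the server. It assumes the rule is attached to the HTTPS virtual server with a client SSL profile and an HTTP profile; the variable names `req_host` and `loc` are illustrative.

```tcl
when HTTP_REQUEST {
    # Remember the requested host so only same-host redirects are rewritten later
    set req_host [string tolower [HTTP::host]]

    # Redirect / to /exchange, keeping the client on HTTPS
    if { [HTTP::uri] eq "/" } {
        HTTP::redirect "https://[HTTP::host]/exchange"
        return
    }

    # Replace any client-supplied copy so OWA only sees the value set by LTM
    HTTP::header remove "Front-End-Https"
    HTTP::header insert "Front-End-Https" "On"
}

when HTTP_RESPONSE {
    # If the back end still redirects to http:// on the same host,
    # send the client to https:// so it never leaves the encrypted listener
    if { [HTTP::is_redirect] } {
        set loc [HTTP::header value "Location"]
        if { [string first "http://$req_host" [string tolower $loc]] == 0 } {
            HTTP::header replace "Location" "https://[string range $loc 7 end]"
        }
    }
}
```

Redirects to other hosts are left untouched, so a Location pointing at a different site is not silently changed.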