Forum Discussion

Jason_Peery_467
Apr 17, 2012

SysAid, SSL, http to https and BigIPLTM

Good afternoon all,

Thought I'd hit the group up to see if I can get some help. We're trying to implement a SysAid server behind our BigIP LTM (1600, v11.1), and using SSL on client and server side. We're presenting a wildcard cert on the front (*, and using an SSL profile to the server-side. A quick note, this wasn't working at first, until I removed the use of certs, and changed the negotiation to request from require strict (TLS RFC 5746).

Now, the fun part, I've got a VIP (x.x.121.101:443) with its node (x.x.121.100:443). So here's the deal, works fine, but returns a reject and I can't even get to the login page. I've captured some logging with an iRule, and when I compare an http (failed) to an https (successful) request about all that appears different is the URI. Not sure if that means much though, but given that, I've tried to explicitly strip the URI and point the redirect explicitly to the - that doesn't work either. So I'm wondering where to go from here, I've opened a ticket with F5, but so far haven't had much luck, and figured there's got to be someone out there with a setup like this.

A few other notes, or thoughts, the SysAid server is using our Active Directory for its authentication, and it's not a "standard" web server in that I guess it only runs Tomcat (doesn't use IIS). One thing I noticed, although the service on SysAid is listening on 443, if I set up an HTTPS monitor to that, it never works, and if I telnet to the open port, although I CAN connect, if I do a HEAD or GET I never receive any sort of reply - again, not sure if that means anything, but basically, if I manually send the IP:Port the same command as the monitor, it never responds (that I can tell). Does any of this make sense? Anyone have any ideas how to get http over to https on the F5 with regards to this SysAid stuff?


OH, one other thing, when I look in the logs, I see a message like this about the node:


Apr 17 11:11:42 tmm1 notice tmm1[6599]: 01260018:5: Connection attempt to insecure SSL server (see RFC5746): x.x.121.100:443



It's my bet that something weird is going on in the SSL/TLS exchange, but I just don't know; it's been several years since I've touched an F5 and that was always a running/established system.

Thanks in advance for ANY help.


Warm Regards,
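
Added example, not part of the original post: the log line above points to RFC 5746, under which a server signals secure-renegotiation support by returning the `renegotiation_info` extension (type 0xff01) in its ServerHello. This Python code checks a ServerHello record, such as one taken from a packet capture of the node, for that extension; the function names and the sample records are constructed for illustration.

```python
import struct

RENEGOTIATION_INFO = 0xFF01  # extension type assigned by RFC 5746


def server_hello_extensions(record: bytes) -> dict:
    """Return {ext_type: ext_data} from a TLS record that starts with a ServerHello."""
    if len(record) < 9 or record[0] != 0x16:       # 0x16 = handshake record
        raise ValueError("not a TLS handshake record")
    rlen = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rlen]
    if len(body) != rlen or body[0] != 0x02:       # 0x02 = ServerHello
        raise ValueError("truncated record or not a ServerHello")
    hlen = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hlen]
    if len(hello) != hlen or hlen < 38:
        raise ValueError("truncated ServerHello")
    pos = 2 + 32                                   # server version + random
    pos += 1 + hello[pos]                          # session id (length-prefixed)
    pos += 2 + 1                                   # cipher suite + compression
    if pos > hlen:
        raise ValueError("truncated ServerHello")
    exts = {}
    if pos == hlen:                                # legacy hello, no extensions
        return exts
    end = pos + 2 + int.from_bytes(hello[pos:pos + 2], "big")
    pos += 2
    if end > hlen:
        raise ValueError("extension block overruns ServerHello")
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
        if pos + 4 + elen > end:
            raise ValueError("extension overruns block")
        exts[etype] = hello[pos + 4:pos + 4 + elen]
        pos += 4 + elen
    return exts


def supports_secure_renegotiation(record: bytes) -> bool:
    """True if an initial ServerHello carries an empty renegotiation_info."""
    # On a first handshake the extension body is one zero length byte (RFC 5746 3.4).
    return server_hello_extensions(record).get(RENEGOTIATION_INFO) == b"\x00"


def build_server_hello(extensions: bytes) -> bytes:
    """Constructed sample record: TLS 1.0 ServerHello with the given raw extensions."""
    hello = b"\x03\x01" + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    if extensions:
        hello += len(extensions).to_bytes(2, "big") + extensions
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs
```

A server whose ServerHello lacks the extension is the "insecure SSL server" case the log message describes.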