Forum Discussion
Using the F5 as a Reverse Proxy for RSA SecurID Self Service
21 Replies
- Brett_11764
Nimbostratus
Hi guys,
Just checking if this is still the case, i.e. no port changes can be made at the same time as changing other parts of the URL?
We have a requirement to do both.
- nitass
Employee
Just checking if this is still the case? i.e no port changes can be made at the same time as the changing other parts of the url?
I have not read the ProxyPass docs, but I believe both (i.e. changing URI and port) can be done either by using ProxyPass or without it.
If you can post the iRule, people here who know should be able to help. :-)
- Brett_11764
Nimbostratus
Thanks nitass,
I just read the ProxyPass documents and it seems that in v10 and v11 of ProxyPass it is supported.
Thanks again!
- rkrenzis
Nimbostratus
I have RSA SecurID working with ProxyPass without changing any port numbers and without requiring users to supply the 7004 TCP port externally. I will upload instructions later this evening. I have to go offsite to a meeting.
--Ryan
- VAP_142052
Nimbostratus
Ryan, Could you please share the instructions? Thanks,
- Troy_90533
Nimbostratus
You can do this without ProxyPass using the following two iRules. If your environment is HA, create a custom SNAT pool that uses only one of your floating IP addresses (SNATs > SNAT Pool List > Create > name it and add the single floating IP address), then add it to your virtual servers.

Private: https://HostName.Domain.com:7004/console-selfservice/
Public: https://rsa.website.com

Place this iRule on your 7004 virtual server. It is necessary to listen on 7004 for the import-from-web function to continue working.

```tcl
when HTTP_REQUEST {
    if { [string tolower [HTTP::uri]] contains "/ctkip/services/" } {
        # Token import (CT-KIP) traffic is proxied through to the RSA server on 7004
        HTTP::header replace "Host" "internalhost.com:7004"
    } else {
        # Anything else arriving on 7004 is an old bookmark; tell the user the URL moved
        HTTP::respond 200 content "RSA Self-Service Console - OLD. The URL for this site has changed. Please update your bookmark."
    }
}
when HTTP_RESPONSE {
    # Only rewrite when the server actually sent a redirect; a replace on a
    # missing header would otherwise insert an empty Location header
    if { [HTTP::header exists Location] } {
        HTTP::header replace Location [string map -nocase {internalhost.com:7004 externalhost.com:7004} [HTTP::header value Location]]
    }
}
```

This iRule modifies the URI so that visitors can type https://externalhost.com instead of https://externalhost.com/console-selfservice. Place this iRule on your 443 and 7004 virtual servers.

```tcl
when HTTP_REQUEST {
    # A bare host name is sent to the self-service console
    if { [HTTP::uri] equals "/" } {
        HTTP::uri "/console-selfservice/"
    }
    # The RSA server expects its own FQDN and port in the Host header
    HTTP::header replace "Host" "internalhost.com:7004"
}
when HTTP_RESPONSE {
    if { [HTTP::header exists Location] } {
        # Map redirects back to the public name, without the port
        HTTP::header replace Location [string map -nocase {internalhost.com:7004 externalhost.com} [HTTP::header value Location]]
    }
}
```
- Stefan_Klotz
Cumulonimbus
Hi Guys,
I know this topic is quite some days old, but I have some strange behavior in a similar setup. The LB should just be used to proxy two RSA servers to be reachable from the Internet.
The strange thing is, when accessing for example /console-selfservice/ directly on the server, I get a webpage displayed. Trying the same URL via the LB, I end up in a redirect loop. I found out that when doing an HTTP/1.0 request from the command line of the LB towards the server I also get the correct page as response. But doing HTTP/1.1, using either the public DNS name, the server DNS name or the server IP, I end up in the redirect loop again.
By the way, the redirect loop is not between two URIs, but always the same URI, just adding the jsessionid again and again.
Right now I've implemented the following iRule, with which the application seems to work:

```tcl
when HTTP_REQUEST {
    HTTP::header remove Host
    HTTP::version "1.0"
}
when HTTP_RESPONSE {
    if { [HTTP::header exists Location] } {
        HTTP::header replace Location [string map -nocase {"" "" ":7004" "" "//:7004" "//"} [HTTP::header Location]]
    }
}
```

The last mapping is required, because when doing a login on URI /console-ims/ the server responds with a redirect containing an empty Host header.
I'm not an application expert, especially not for RSA, but I'm wondering if this is related to a wrong server configuration or if I have to do a special configuration on the LB (currently I expect the former).
Does anyone have an idea where and what I can look for?
Thank you!
Ciao Stefan 🙂
- Stefan_Klotz
Cumulonimbus
In the meantime I found the issue. The Host header doesn't need to be removed, but needs to be replaced with the FQDN of the server including its port.
I'm now using the following iRule:

```tcl
when HTTP_REQUEST {
    if { not [class match [string tolower [HTTP::uri]] starts_with _allowed_uris] } {
        HTTP::respond 301 Location "https://[HTTP::host]/console-selfservice/"
    } else {
        # Prevent the server from sending compressed responses as LTM does not decompress them
        HTTP::header remove "Accept-Encoding"
    }
}
when HTTP_REQUEST_SEND {
    # Need to force the host header replacement and HTTP:: commands into the clientside
    # context as the HTTP_REQUEST_SEND event is in the serverside context
    clientside {
        # Verify the selected server IP to specify its FQDN
        if { [IP::addr [LB::server addr] equals ] } {
            set server_hostname
        } else {
            set server_hostname
        }
        set server_port [LB::server port]
        # Replace the host header value
        HTTP::header replace Host "${server_hostname}:${server_port}"
    }
}
when HTTP_RESPONSE {
    if { [HTTP::header exists Location] } {
        HTTP::header replace Location [string map -nocase {":7004" "" ":7004" ""} [HTTP::header Location]]
    }
}
```

Maybe this will help someone else as well.
Ciao Stefan 🙂
- Urs_Schwarz_122
Nimbostratus
Hi Stefan, I am also trying to get this working, but with no success, although I am using the core iRule parts of your rule (host header replace). I just get a reset; troubleshooting seems difficult and did not help so far.
LTM log: I see requests coming in and sent to the pool (1 member) with the correct host header. Looks fine so far. How about your server SSL profile configuration? What did you configure there? Thanks
Urs
- Stefan_Klotz
Cumulonimbus
This is our final iRule (which is more or less the ProxyPass Lite iRule), which has been in production for some weeks now (it requires the parent stream profile to be assigned to the VS first):

```tcl
when HTTP_REQUEST {
    if { not [class match [string tolower [HTTP::uri]] starts_with _allowed_uris] } {
        HTTP::respond 301 Location "https://[HTTP::host]/console-selfservice/"
    } else {
        # Prevent the server from sending compressed responses as LTM does not decompress them
        HTTP::header remove "Accept-Encoding"
    }
}
when HTTP_REQUEST_SEND {
    # Need to force the host header replacement and HTTP:: commands into the clientside
    # context as the HTTP_REQUEST_SEND event is in the serverside context
    clientside {
        # Verify the selected server IP to specify its FQDN
        if { [IP::addr [LB::server addr] equals ] } {
            set server_hostname
        } else {
            set server_hostname
        }
        set server_port [LB::server port]
        # Replace the host header value
        HTTP::header replace Host "${server_hostname}:${server_port}"
    }
}
when HTTP_RESPONSE {
    if { [HTTP::header exists Location] } {
        HTTP::header replace Location [string map -nocase {":7004" "" ":7004" ""} [HTTP::header Location]]
    }
    # Rewrite the response body if the response type is text
    if { [HTTP::header "Content-Type"] starts_with "text/" } {
        # Configure the find/replace strings
        STREAM::expression {@:7004@@ @:7004@"@}
        # Enable the stream filter
        STREAM::enable
    }
}
```

Everything else is default settings.
Ciao Stefan 🙂
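The rewrite steps that Troy's and Stefan's iRules above perform (URI allow-list, Host header rewritten to the backend FQDN:port, Accept-Encoding stripped, Location headers and text bodies mapped back to the public name) modelled in Python as an added example so it can be run and tested outside a BIG-IP. This is not code from the thread or from F5. The public and backend host names, the port 7004, the contents of the allow-list and the sample exchange are all assumptions; the empty-host redirect case is the one Stefan reported after the /console-ims/ login, and the dot-segment check in `rewrite_request` goes beyond the iRules, which match the prefix on the raw lowercased URI.

```python
"""Reverse-proxy header and body rewriting for the RSA self-service console.

Added example modelled on the iRules in this thread; not code from the thread
or from F5. Host names, port and allow-list contents below are assumptions.
"""
from urllib.parse import urlsplit, urlunsplit

PUBLIC_HOST = "rsa.website.com"       # assumed: name on the public virtual server
BACKEND_HOST = "internalhost.com"     # assumed: RSA server FQDN
BACKEND_PORT = 7004                   # RSA self-service console port
# assumed contents of the _allowed_uris data group: only these prefixes are proxied
ALLOWED_PREFIXES = ("/console-selfservice/", "/ctkip/services/")
CONSOLE_ROOT = f"https://{PUBLIC_HOST}/console-selfservice/"


def rewrite_request(headers, uri):
    """Client-side request step (HTTP_REQUEST / HTTP_REQUEST_SEND in the iRule).

    Returns ("redirect", location) for URIs outside the allow-list, otherwise
    ("forward", headers) with Host pointing at the backend and Accept-Encoding
    removed so that the body rewrite later sees uncompressed text.
    """
    path = uri.split("?", 1)[0].lower()
    # Dot segments are rejected here (added beyond the iRule): a prefix allow-list on
    # the raw URI would otherwise pass /console-selfservice/../console-ims/ upstream.
    if "/.." in path or "%2e" in path or not path.startswith(ALLOWED_PREFIXES):
        return "redirect", CONSOLE_ROOT
    forwarded = {k: v for k, v in headers.items()
                 if k.lower() not in ("host", "accept-encoding")}
    forwarded["Host"] = f"{BACKEND_HOST}:{BACKEND_PORT}"
    return "forward", forwarded


def rewrite_location(location):
    """Map a backend Location header back to the public name.

    Covers the three shapes seen in the thread: an absolute URL naming the
    backend host and port, the empty-host redirect (https://:7004/...) the
    server sends after a /console-ims/ login, and relative redirects, which
    need no change. A redirect to any other host is returned untouched rather
    than blindly stripping ':7004' out of it.
    """
    parts = urlsplit(location)
    if not parts.netloc:
        return location
    host = (parts.hostname or "").lower()
    if host not in ("", BACKEND_HOST.lower()) or parts.port not in (None, BACKEND_PORT):
        return location
    return urlunsplit((parts.scheme, PUBLIC_HOST, parts.path, parts.query, parts.fragment))


def rewrite_body(content_type, body):
    """Body step, like the STREAM filter: only text/* bodies are touched, and
    only references to the backend host:port are replaced."""
    if not content_type.lower().startswith("text/"):
        return body
    return body.replace(f"{BACKEND_HOST}:{BACKEND_PORT}", PUBLIC_HOST)


def rewrite_response(headers, body):
    """HTTP_RESPONSE step: rewrite Location only if it is present (replacing a
    missing header would insert an empty one), then the body by content type."""
    out = dict(headers)
    for name in list(out):
        if name.lower() == "location":
            out[name] = rewrite_location(out[name])
    ctype = next((v for k, v in out.items() if k.lower() == "content-type"), "")
    return out, rewrite_body(ctype, body)


if __name__ == "__main__":
    # Constructed sample exchange: a login redirect carrying a jsessionid, as the
    # backend would send it with its own FQDN:port in the Location header.
    action, fwd = rewrite_request({"Host": PUBLIC_HOST, "Accept-Encoding": "gzip"},
                                  "/console-selfservice/")
    print(action, fwd["Host"])
    hdrs, body = rewrite_response(
        {"Location": f"https://{BACKEND_HOST}:{BACKEND_PORT}/console-selfservice/;jsessionid=ABC123",
         "Content-Type": "text/html"},
        f'<a href="https://{BACKEND_HOST}:{BACKEND_PORT}/console-selfservice/">self-service</a>')
    print(hdrs["Location"])
    print(body)
```

Run it with `python3` to see the forwarded Host header, the rewritten Location and the rewritten anchor. The allow-list is what keeps the public virtual server from exposing every path the RSA server serves, so whatever goes into the `_allowed_uris` data group should be the shortest list the self-service and token-import flows actually need.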
- tiwang_122270
Nimbostratus
Hi out there, I also need to publish a self-service for the RSA server, but I can't get Stefan's iRule working. I am probably missing something obvious... Besides the piece of code Stefan has shared here, what more needs to be done? I am not that good at reading iRules, so I might have missed something. We are running OS 11.3.