Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions
Custom Alert Banner

F5 AppWorld 2024 session proposal deadline extended to Friday, December 8th!

F5 recommended configuration for Microsoft IIS

PrasannaBlore_2
Nimbostratus
Nimbostratus

‎28-Apr-2016 00:33

Hi,

 

This question can be sound very trivial and basic but I have very high level knowledge on F5 and I am a developer with no prior knowledge and background on network administration. Any help is very much appreciated

 

We are using BIG-IP 11.4.1 LTM for load balancing HTTP requests to IIS version 6.2 on winodws 2012 r2 . The problem I am facing is when I browse to https:/// the IIS home page gets displayed properly. In case I browse to https:/// the connection gets reset. When I browse to http:/// I am able to see the IIS home page.

 

The underlying IIS server binds to both 80 and 443. The I have configured using Iapp & f5.microsoft_iis template with HTTPS offload. When I configured the same vip-host-name from Iapp using "plain text to both server and client" things are working as expected. The load balancing pool is configured for IIS server on 80 port. There is only one server in the pool

 

From tcpdump I am able to see the tcp connection from the IIS server to big ip getting reset.

 

My question is there any specific IIS/F5 configuration that has to be done to correct this issue.

 

Labels:
0 Kudos
6 REPLIES 6

Hannes_Rapp
Nimbostratus
Nimbostratus

‎28-Apr-2016 03:45

Question:

 

  • If you configure the Pool Member in first case, I suppose you send requests to a SSL-enabled port on Windows Server 2012, and have also configured ServerSSL profile in VS config? Or in short, are you looking to deploy SSL decrypt, SSL re-encrypt solution on BigIP?

If that's the case, there's one thing worth looking into.

 

  • I don't know if also the case with Windows Server 2012, but in case of ServerSSL between BigIP and Windows Server 2008, the SSL handshake tends to fail, resulting in TCP teardown. The easiest solution is to enforce explicit use of TLSv1.0 on the Server-SSL profile, there also are some workarounds for the Windows Server config, but they take a bit more time and are harder to implement.

Apart from possible ServerSSL issues, I cannot think of anything else as a likely root cause here.

 

Have a look here for reference solution: https://devcentral.f5.com/questions/regarding-cipher-negotiation-for-ltm

 

0 Kudos

PrasannaBlore_2
Nimbostratus
Nimbostratus

‎28-Apr-2016 04:24

Thanks for replying Hannes.

 

To answer your question:

 

  1. The backend pool member i.e. the IIS server is listening on port 80 for processing incoming requests. I have configured the same in Load balancing pool. I am trying for SSL offload i.e. SSL terminates on F5 and requests are sent over the wire as normal http

     

  2. Is server SSL applicable as I am not sending any data over SSL. Its just plain HTTP calls from F5 to pool and vice versa.

     

I hope this sheds more light on present problem that I am facing

 

0 Kudos

Hannes_Rapp
Nimbostratus
Nimbostratus
In response to PrasannaBlore_2

‎28-Apr-2016 05:02

Clear, can you share the config with us? Two TMSH commands for that: 'tmsh list ltm virtual MyVirtualServerName' and 'tmsh list ltm pool MyPoolName'.
0 Kudos

PrasannaBlore_2
Nimbostratus
Nimbostratus
In response to PrasannaBlore_2

‎29-Apr-2016 02:19

Virtual server configuration ltm virtual vs_crfinbound_https { destination 10.153.229.19:https ip-protocol tcp mask 255.255.255.255 pool CRFS_ServerManager_pool profiles { CRFS-Inbound-communication-SSL { context clientside } http { } tcp { } } rules { http_redirecting_rule_for_CRFS_inbound } source 0.0.0.0/0 vs-index 43 Pool configuration ltm pool CRFS_ServerManager_pool { load-balancing-mode least-sessions members { bus00axx.us.oracle.com:http { address 10.153.230.27 session monitor-enabled state up } } monitor http } }
0 Kudos

Hannes_Rapp
Nimbostratus
Nimbostratus
In response to PrasannaBlore_2

‎29-Apr-2016 03:09

Thanks for the config. I don't see any problems. Perhaps someone else will notice something that I'm missing here. Hope you'll get this sorted out
0 Kudos

PrasannaBlore_2
Nimbostratus
Nimbostratus

‎28-Apr-2016 04:24

Thanks for replying Hannes.

 

To answer your question:

 

  1. The backend pool member i.e. the IIS server is listening on port 80 for processing incoming requests. I have configured the same in Load balancing pool. I am trying for SSL offload i.e. SSL terminates on F5 and requests are sent over the wire as normal http

     

  2. Is server SSL applicable as I am not sending any data over SSL. Its just plain HTTP calls from F5 to pool and vice versa.

     

I hope this sheds more light on present problem that I am facing

 

0 Kudos
Copyright © 2023 Khoros, LLC