Traffic Policy to Split Content Between IIS Server and Cloud Provider - unexpected behavior
We are in the process of moving a website from an IIS web server farm out to a different cloud hosting provider. The root of the rewritten site will be on the cloud servers. Since not all of the old legacy applications have been rewritten, we will still be serving up some of the legacy web applications from the old IIS servers.

To achieve this, we are using the following:

- VIP with a default pool "Cloud_Provider". That pool contains the IP address of that provider.
- VIP has a Traffic Policy associated with it that has a rule of:
  Match all of the following conditions: HTTP URI path starts with any of: /oldapp1 at request time
  Do the following when the traffic is matched: Forward traffic to pool "IIS_pool"

The following scenarios work as expected and correctly serve up the web content:

- https://HostName.com/ (this successfully loads the site from the cloud provider)
- https://HostName.com/oldapp1 (this successfully loads the legacy app from the IIS Servers)

However... If we first go to https://HostName.com/oldapp1 and successfully load that, then we remove "/oldapp1" from the address bar and hit Enter, it attempts to load the root of the site in IIS. Since there is no more root site (it is now living on the cloud provider as a rewritten site), it sees no content and spits out a 403 Forbidden message.

What we are trying to solve is, why when running through that second scenario, is the traffic not going through the Traffic Policy again and seeing "this request is not for oldapp1" so I will not forward the traffic... I will just use the default pool.

Troubleshooting steps taken so far:

- Tried changing the Persistence Profile on the VIP to: source_address, ssl, cookie, none.
- Put an index.html file at the root of the IIS web server and had it redirect to https://HostName.com. That resulted in an endless loop because it never left the IIS server to go back through the VIP.

This is running on 15.1.5.1, with ASM.

Solved, 2K Views, 0 likes, 2 Comments

health monitor IIS
Hello, I was wondering if someone can shed some light on a health monitor I am trying to set up. I'll give a brief overview of the setup. We have an application that gets proxied via apache (apache are the nodes in the pool being monitored, acts as proxy nothing more) to IIS where the application actually lives. I am trying to set up a monitor so that it monitors, say, an index.html page on the IIS server, something along the lines of:

Send string - http://Portal/dir/index.html
Receive string - IIS is up

Tried to use this but nodes fail the health check when applying the monitor to the pool. The service ports that it's monitoring for are https.

Any help is greatly appreciated. Thanks

899 Views, 0 likes, 4 Comments

SNAT / X-FORWARD-FOR breaks HTTPS connection
We are trying to create an iAPP with SSL passthrough and X-FORWARDED set, but when we enable SNAT for the X-FORWARDED-FOR (HTTP profile or iRule X-FORWARDED-FOR) the connection seems to stop passing through to our backend IIS pool (nothing logged in the IIS logs). We have looked through a few guides but it feels like we are missing something or there is an underlying setup flaw with our F5.

Edge / Chrome give the following: err_connection_reset

It would seem the minute we enable either an HTTP Profile, an SSL Profile or enable SNAT, the site stops working.

I'm sure you will need more info from me; as I'm relatively new to F5's, let me know what you need and I'll post the details in

Solved, 845 Views, 0 likes, 2 Comments

IIS behind Big IP Windows Authentication
Hi everyone, I'm trying to load balance a couple of IIS web servers for a particular application. The website is configured with Windows Authentication. If I try to access the webpage directly on a server node, I'm able to get the content without any issues. Now if I try to access the webpage through the F5 Virtual Server, I'm getting the credentials popup window. How can I accomplish this without? Regards

699 Views, 0 likes, 1 Comment

LTM Monitoring IIS and Webserver Binding
Hello, we've got a VS for 2 MS IIS Webservers.

Question: if I configure the Pool with regular Nodes, the Monitor connects to the Nodes with the IP address, right? Then I've got a problem with the Webserver-Binding (only Bindings for hostname and Website-Name).

What if I configure the Pool with fqdn-Nodes? Is it sure the Monitor connects with the hostname?

When I make a curl -k https://webbvk1.bvk.int/Smoke-Test from the BIG-IP, I get the Response ...Smoketest... but with a Pool with webbvk1.bvk.int and webbvk2.bvk.int as fqdn-Nodes, the members are marked as down. webbvk1 & 2 are CNAMEs.

Send-String: HEAD /Smoke-Test HTTP/1.0\r\n\r\n
Receive-String: Smoketest

Any idea where I could look? Or a problem with the IIS? Thank you

Solved, 676 Views, 0 likes, 6 Comments

iRule To Test Webpage Login
We have an issue where something in IIS will fail and external users will not be able to log into our webpage. I would like to either modify a current iRule or create my own to test the login page on each webserver.

I have tested and verified working health monitors for CPU and Memory load, and another health monitor for testing the URL of the webpage, i.e. abc.company.com, on each webserver. The last piece would be to stop directing traffic to the webserver that has the "IIS" webpage login issue until our dev team can figure out the issue.

I was thinking of an iRule where I provide it a test username and password and the website URL abc.company.com and it would try to log in to the webpage on each webserver. If the page returns an error and is unable to log in, the iRule marks the node down and only keeps active connections. Once the iRule can log into the webpage it would automatically start directing traffic back to the node.

Does anyone know if this can be done???

611 Views, 0 likes, 12 Comments

Can someone take a look and make sure I understand this right about reverse proxy
Preface: Yes, I know not a whole lot, but I'm trying. If someone could just take a look at this, maybe it will help me find what piece I am missing.

We have an internal server that needs to be accessed on the outside, but they don't want it actually touching the internet, so we run it through the BIG-IP F5 LTM. The internal IIS has an internal IP and an external IP assigned. The DNS entry is bound to the External IP address. A lot of what I set up has been copied from a currently working site that utilizes this exact same process.

From my understanding the connection "route" is as follows:

Internet-->ExtIP-->F5virtualIP-->IntIP

The External IP gets NATed on the firewall to the F5 internal IP of the virtual server, and then the F5 virtual server is linked to the actual internal server IP. We have access rules in place to allow public access to the external IP as well as the F5 IP. There are NAT rules in place that *should* point anyone going to the external IP towards the F5 address, and then through that to the internal server. There's an F5 rule in place that redirects from http to https as well.

Internally, on my work PC, I can navigate to the site via its FQDN. Externally though, I get a Not Secure Site message (we haven't gotten the cert in place yet so that is expected), but then after a while of trying to load, we receive an ERR_CONNECTION_RESET page and it can't load.

I feel like there is something I am missing but I just can't think of what it is. If anyone has any ideas I will be eternally grateful. Thank you in advance.

599 Views, 0 likes, 2 Comments

HSTS / ASM connection drops
Hi All, We currently implement HSTS as an iRule on the F5; we also decrypt and inspect traffic with ASM. There are discussions internally on our side about adding HSTS to the web server responses on the actual server rather than from the F5. If we were to do this, is it possible/likely that F5 ASM decrypting the traffic will then result in connection drops? Thank you

511 Views, 0 likes, 4 Comments

How to separate web servers in same IIS
Hi, How can I make different virtual servers for each www server in the same IIS server? Should I write the DNS name in the virtual server destination address?

IIS server : 192.168.1.1
xyz.com pool has node : 192.168.1.1
abc.com pool has node : 192.168.1.1

375 Views, 0 likes, 1 Comment

CRM - Cross Domain Functionality Through F5
Hi, Our topology looks like this:

    CRM_SERVER := internal.domain.com
        ^^
    F5 := external.domain.com
        \
    Azure plugin/SaaS service

We are having issues where the external Azure plugin, in this case Click Dimensions, is raising an authentication exception when processing CRM data. We have the following iRule in place to handle header and payload rewrites.

    when HTTP_REQUEST {
        if { [HTTP::header host] eq "crmdev.external.com" } {
            HTTP::header replace Host "crmdev.internal.com"
        }
        # Disable the stream filter for all requests
        STREAM::disable
        # LTM does not uncompress response content, so if the server has compression
        # enabled and it cannot be disabled on the server, we can prevent the server
        # from sending a compressed response by removing the compression offerings
        # from the client
        HTTP::header remove "Accept-Encoding"
    }
    when HTTP_RESPONSE {
        # Rewrite the Location header replacing the internal hostname with the external hostname
        HTTP::header replace Location [string map -nocase {"crmdev.internal.com" "crmdev.external.com"} [HTTP::header Location]]
        # only do this for text-based responses
        if { [HTTP::header Content-Type] contains "text" } {
            # establish the stream expression
            STREAM::expression {@http://crmdev.internal@https://crmdev.external@ @https://crmdev.internal@https://crmdev.external@}
            STREAM::expression {@crmdev.internal@crmdev.external@}
            # enable stream processing
            STREAM::enable
        }
    }

As the F5 is in SSL offload mode, do we need to include anything to handle the HTTP 401 Challenge/Response to the IIS server? Or has anyone experienced similar issues where the F5 acts as the external face for applications on an internal domain?

353 Views, 0 likes, 1 Comment