microsoft
1408 Topics

View persistence table data
Is there a command available to view the data held in the persistence table for LTM v11.2.1? I have recently switched from using a persistence profile that affected all traffic to the VIP to an iRule that only sets persistence if the URI matches a key word. After this change it appears that not all connections are getting persistence set.
Solved | 6.9K Views | 0 likes | 9 Comments

MS Print servers
Hi all, I am planning to use my new F5 LTM to load balance Windows Server 2003 print servers. For the moment, it doesn't work for me: I can see the shared printer but I can't map it. Has anyone already "played" with LTM & MS print servers? Thanks, Vincent
Solved | 3.6K Views | 0 likes | 42 Comments

Remote Desktop Web Access and Remote Desktop Gateway SSO Through APM
I'm a relatively new BIG-IP admin (we purchased BIG-IP to replace our TMG 2010 solution). I'm attempting to configure Remote Desktop Web Access and Remote Desktop Gateway services (2008 R2) utilizing APM. The pre-sales engineer we spoke to indicated this should be a "simple" configuration, but it's certainly kicked me in the rear. I've created what I assumed would be a good configuration:
1: Virtual server with a pool for the RD web access and gateway server services, and an iRule to bypass APM for /rpc/rpcproxy.dll (see below, similar to rules I've seen for Exchange clients connecting using RPC over HTTPS).
2: APM configuration with forms-based SSO to the Web Access (which works perfectly), which allows us to integrate authentication to the web access page from our primary web portal.
Now, normally using RD Web Access you log in to the RD Web Access page, and it automatically connects your client to the RD Gateway, so launching a RemoteApp published application is seamless. When we apply an APM configuration to the virtual server, however, even with the rpcproxy.dll APM bypass in place, the automatic login to the RD Gateway doesn't happen. If we remove the APM config from the virtual server and publish directly without APM, it works fine, so I'm pretty sure the problem is with APM. In short, what should happen is:
1: Client lands on BIG-IP APM login page (works)
2: Client logs into BIG-IP APM login page, which passes credentials to RD Web Access form (works)
3: On login to RD Web Access, the client should automatically log in to RD Gateway using the same credentials used to log in to RD Web Access (does NOT work)
I haven't found anything on configuring APM SSO for RPC over HTTPS, so I'm finally at a loss and asking here. Any suggestions? Pointers?

    when HTTP_REQUEST {
        if { [string tolower [HTTP::uri]] contains "/rpc/rpcproxy.dll" } {
            COMPRESS::disable
            CACHE::disable
            ACCESS::disable
            pool
        }
    }

Solved | 3.4K Views | 0 likes | 28 Comments

HOW-TO disable Microsoft-HTTPAPI /2.0
To the Microsoft Experts out there,

This is my (GTM) scenario. There are two Data Centers, each Data Center with its own GTM and its own IIS server (hosted on Windows 2012 server), each IIS server hosting the same website, or in other words configured with the same application pool.

At the DNS resolution level, GTM works flawlessly. I have constructed an HTTP monitor validating the host header of the application pool, so when I stop one of the application pools (in either data center) GTM is capable of detecting the site as "down" and providing a DNS response to the one application pool remaining as "up" in the other Data Center. If I do an HTTP capture I can see the "Server" response header with the expected value of "Microsoft IIS 8.5". Up until here all good!

My problem arises at the Browser/user session level. When I go and stop one of the application pools, GTM (as I said) is capable of detecting the app went down and provides a DNS response to the remaining available site, HOWEVER at the Browser level the user is getting a 503 ERROR message "Service Unavailable". Analyzing the HTTP captures I see the "Server" response header with the value of "Microsoft-HTTPAPI / 2.0", as if the IIS is still listening on port 80 for incoming user requests.

Does anyone know if this API is related to my problem? If so, how to disable it? I have attached a screenshot for better clarification. Thanks in advance!
3.4K Views | 0 likes | 2 Comments

Client SSL Profile Cipher...Disable DES-CBC3-SHA.
One of my sites has just been penetration tested and a low risk was identified. The following weak ciphers were supported:

    Testing SSL server mysite.fqdn on port 443
    Supported Server Cipher(s):
    Accepted TLSv1 256 bits AES256-SHA
    Accepted TLSv1 128 bits AES128-SHA
    **Accepted TLSv1 168 bits DES-CBC3-SHA**
    Prefered Server Cipher(s):
    TLSv1 256 bits AES256-SHA

It is the TLSv1 168 bits DES-CBC3-SHA that they are not happy about, but I am not sure how to disable it in the SSL Client profile. They also suggest disabling any ciphers using 128 bit keys - so I guess TLSv1 128 bits AES128-SHA needs to go as well. The current setting is:

    TLSv1_1:TLSv1_2:ECDHE+AES-GCM:NATIVE:!ADH:!MD5:!EXPORT:!DES:!DHE:!EDH:!RC4:!SSLv3:!SSLv2:@STRENGTH

Is there a document that clearly shows how to achieve both - I struggle with these LTMs at the best of times. 😞 I am running BIG-IP v11.6.0 (Build 5.0.429) if that has a bearing. Any help offered will be appreciated. Thanks, Martin
3.3K Views | 0 likes | 18 Comments

F5 to load balance MS Sql Servers
Hello All: I am presented with a tricky situation by the business users here at my company. After seeing the performance and manageability with all the Web Servers and App Servers with F5 LTM, now they want to see if we can do the same for Database Servers. Right off my head, I said it's doable but took time to get back with more details, and here I am. Is there a solutions guide or something that gives more insight on setting up Database servers behind LTM? I am not sure if anyone ever did this before, at least I never saw any company using F5 to load balance DB. I am not sure if this is even possible. Please advise. Appreciate your help. Thanks, Chenna
3.1K Views | 0 likes | 21 Comments

if http uri starts with
Good morning all. By no means an iRule expert, but I spent a good bit of time on Google before posting. The situation here is that I have this iRule, which I am building upon at this point, but right now it reacts based on what the URI starts with. In most cases this works great without any issues, except in this case there's a little twist, which is the mid portion of the iRule with the /string3. The problem is that string3 is being used as a way for the iRule to identify the URI and work with it, but it's really not part of the actual URL. I know you're thinking, then why are you using it, right? The URL is configured within the web.config, which has a few of those, and I am working with them one by one. The reason it's been working with the other ones is that they actually have something after / that I can work with, while this one doesn't, so I had to make something up. So is there a way to make this iRule work as is but make it remove /string3 before sending it to the browser?

    when HTTP_REQUEST {
        if { [HTTP::uri] starts_with "/String1" or [HTTP::uri] starts_with "/String2" } {
            HTTP::header replace Host "host.domain.com"
            pool Pool1
        # elseif, so the trailing else does not override Pool1 with Pool3
        } elseif { [HTTP::uri] starts_with "/string3" } {
            HTTP::header replace Host "host.domain.com"
            pool Pool2
        } else {
            pool Pool3
        }
    }

Solved | 3K Views | 0 likes | 5 Comments

How to create health monitor for IIS pool on web server
Hello All, I have to create a health monitor which can detect a member as down if the IIS pool is down on the webserver. Currently I have created a normal HTTP monitor which monitors the IIS service. But I need a monitor which will detect IIS pool failure even if the IIS service is running.
2.8K Views | 0 likes | 4 Comments

Issues with Exchange 2013 owa
I've got the Big IP F5 virtual load balancer set up in my Exchange 2013 lab getting ready for our migration in a few months and am having an issue. I've got an Exchange 2007 environment set up to mimic what we have in production with multiple CAS servers behind a VIP. Everything works fine. I've also got our Exchange 2013 lab environment set up to run in coexistence with multiple CAS servers behind another VIP. If I log in a test account into Exchange 2013 OWA (through the VIP) that is an Exchange 2007 mailbox, it redirects to the legacy OWA (not using APM but letting Exchange handle the redirection) and they can log in and get to their legacy mailbox. If I move that same user's mailbox to Exchange 2013 and then have them log in to OWA it does nothing. Just acts like it's about to load something then takes you right back to the logon screen. If I open the account in Outlook it's fine. If I bypass the F5 and go to OWA directly off one of the CAS servers then it's fine, logs them right into OWA mail. I've got the latest Exch 2013 template and have re-done it multiple times with different settings but nothing seems to change. My cert is valid but even not using SSL still the same thing. I'm kind of stuck here and I don't have a solid background with F5 BigIP so any help in troubleshooting this is greatly appreciated. Thank you.
2.4K Views | 0 likes | 25 Comments

How to avoid "Access policy evaluation is already in progress"
Hello, I am using the iRule below to close Outlook Web App 2013 sessions. At first sight it works correctly and shows the F5 logoff page (/vdesk/hangup.php3). However, OWA 2013 has a JavaScript that performs a hidden POST to the server on the onunload event to close the session on the server side. This happens right after the session is closed by the F5 logoff page. So it automatically creates a new APM session and when the user clicks on "Click here to login again" he/she sees the message below coming from APM: "Access policy evaluation is already in progress". How can I avoid this message? I tried to do ACCESS::session remove in response to this last hidden POST but it didn't help. I also tried to introduce some delay before redirecting the user to the F5 logout page in order to let it perform the last POST but it did not work either.

    when HTTP_REQUEST {
        # Set the uri variable
        set uri [string tolower [HTTP::uri]]
        # Check if the user clicked the OWA signout link and redirect to the F5 logout page
        if { $uri contains "/logoff.owa" || $uri contains "/logoff.aspx" } {
            HTTP::redirect "/vdesk/hangup.php3"
        }
    }

2.2K Views | 0 likes | 14 Comments