In our current environment we use SSL offloading for our Exchange 2010 Outlook Web Access through our F5. We need to stop this just for the MRSProxy service and not any other traffic to the server. I created the iRule below and applied it to the virtual server. However we are still seeing the requests for this URL come through on port 80 instead of 443 in the IIS logs on the OWA server. Can anyone help and tell me where I went wrong? Thanks. when HTTP_REQUEST { if { [HTTP::uri] starts_with "/EWS/mrsproxy.svc"}{ SSL::disable clientside } } We are seeing GET /EWS/mrsproxy.svc – 80 in the IIS log and we should get GET /EWS/mrsproxy.svc - 443

are the pool members only configured for port 80?

No. They are configured for 80 and 443. I can go directly to any of the pool members by their individual IP addresses and hit the URL on 443 without issue.

You would need to disable SSL for the serverside connection and select a pool with member(s) on port 80: when HTTP_REQUEST { if { [HTTP::uri] starts_with "/EWS/mrsproxy.svc"}{ SSL::disable serverside pool http_pool } } Aaron

Scott, I am talking about the load balancer pool configuration, are the members set like this: x.x.x.x:80 or x.x.x.x:*? If the LB sends traffic to port 80, the server will not be listening for SSL. Aaron, I think he has offloading already and wants to disable that for this particular traffic.

Scott, I am talking about the load balancer pool configuration, are the members set like this: x.x.x.x:80 or x.x.x.x:*? If the LB sends traffic to port 80, the server will not be listening for SSL.

HTTPS Passthrough not working

18 Replies

Scott_27805
Nimbostratus
Mar 21, 2012
I changed it to clientside but the page still hangs.
hooleylist
Cirrostratus
Mar 21, 2012
Brian, You can't disable client SSL based on the requested HTTP URI as the SSL would have to have already been used to decrypt the request to parse the URI.

Scott, what's the actual issue you're trying to address for this specific URI?

Aaron
Brian_69413
Nimbostratus
Mar 21, 2012
ah yes.
Scott_27805
Nimbostratus
Mar 21, 2012
We are engaging with Microsoft to migrate our Student email to Live@EDU which needs to connect to the MRSProxy service at the URL /EWS/mrsproxy.svc. In talking with their support engineer, the process doesn't support SSL offloading so I just need to disable the offloading only for these requests. The service only accepts encrypted traffic on 443.

hooleylist

Cirrostratus

Mar 21, 2012

Thanks for clarifying. I think you should be able to add a server SSL profile to the virtual server and then disable it for all but the specific URI:


when CLIENT_ACCEPTED {
 Save the name of the VS pool before this iRule could change the current pool
set default_pool [LB::server pool]
}
when HTTP_REQUEST {
 If the request is for a proxy.svc URI select a separate pool
 Leave serverssl enabled
if { [HTTP::path] eq "/EWS/mrsproxy.svc"}{
pool webmail_443_pool
} else {
 For all other URIs disable serverssl and use the VS default pool
SSL::disable serverside
pool $default_pool
}
}

Aaron

Brian_69413
Nimbostratus
Mar 21, 2012
That seems like a good solution, I like it!
Scott_27805
Nimbostratus
Mar 23, 2012
That worked perfectly! Thank you everyone for your help.
- jdsuni_201283
  Nimbostratus
  May 08, 2015
  Hi Scott, we need to do exactly the same on our F5, but have never worked with iRules before... can you tell me what I need to do to make this happen? Thanks in advance!

Forum Discussion

HTTPS Passthrough not working

18 Replies

Recent Discussions

Disk space full - what files, folders are safe to delete?

ASM instance creation

BIG-IP DNS: Check Status Of Multiple Monitors Against Pool Member

Open Redirection Mitigation

F5Access | MacOS Sonoma

Related Content

HTTPS passthrough fallback URL

monitor does not work https

Passthrough IPSec with AFM

How to make DNS resolutions in an HTTP request event work FOR you, not against you

How HTTP/2 Compression works under the hood