Forum Discussion

Dimesio_91168's avatar
Dimesio_91168
Icon for Nimbostratus rankNimbostratus
Sep 05, 2012

redirecting from one VS to another

Hello,

 

 

I have searched the forums and found little relating to this, as I am sure this is a bit of a unique situation.

 

I have two sites to be hosted behind our F5, each needing a different virtual server configuration to work properly. I have two URLs that connect to the same IP(scmdev.xx.xx.xx and scmssodev.xx.xx.xx) and the way the current configuration is we have TMG doing the redirect depending on the URL requested.

 

 

Being that I need to have two drastically different VS's on the F5 to make the sites work, I am wondering how to creat a central VS to redirect to the correct VS depending on the URL requested. I am trying to use the following iRule:

 

when HTTP_REQUEST {

 

switch [HTTP::HOST] {

 

scmdev.xxx.xxx.xx { virtual NAME_OF_VSERVER1 }

 

scmssodev.xxx.xxx.xx { virtual NAME_OF_VSERVER2 }

 

default {reject}

 

}

 

}

 

 

I know that this rule works when I use pool NAME_OF_POOL instead of virtual,so I am stumped as to why it cant do this to a another local VS? I have the central server setup for proxy on both SSL profiles, but when I try to connect it just shows me that the page doesnt exist, basically like it has nowhere to go. Any help on this would be greatly appreciated.

 

application delivery
dev
devops
iRules

15 Replies

Sort By
Show More
  • Dimesio_91168's avatar
    Dimesio_91168
    Icon for Nimbostratus rankNimbostratus
    Sep 06, 2012
    I see what you mean. It was interesting, I took your advice and turned off SSL proxy with the redirect VIP, and was able to get to one of my servers with the irule, the server that was using ProxySSL. But now I am unable to get to the other server which uses normal SSL client and server side settings. I am assuming I should try to have a setup like this(i will try after this post):

     

     

    Redirect server: client side SSL, server side not

     

    UserReg server(ProxySSL)

     

    Sharepoint server(client side no, server side SSL

     

     

  • hooleylist's avatar
    hooleylist
    Icon for Cirrostratus rankCirrostratus
    Sep 07, 2012
    As Kevin said, I don't think you'll be able to use proxy SSL with multiple virtual servers that have client or server SSL profiles or HTTP profiles. If you just need to ensure the connection is encrypted before and after LTM, you should be able to use one virtual server with a client SSL and server SSL profile.

     

     

    Can you explain more on what you're trying to accomplish overall?

     

     

    Aaron
  • Dimesio_91168's avatar
    Dimesio_91168
    Icon for Nimbostratus rankNimbostratus
    Sep 07, 2012
    Hoolio,

     

     

    To explain further, I have two websites each needing a different SSL configuration on the VIP to function. One VIP goes to a sharepoint site and uses normal client/server SSL settings. The other VIP uses proxy SSL configuration, as the site it leads to needs direct information from the client's CAC card certificate. It is a user registration server.

     

     

    My dilemma is that the URLs for each site are configured to the same IP, so I need to have a central VIP to redirect to the two inner VIPs depending on the url the user inputs. It seems that This may an impossibility due to the restrictions you and Kevin have told me.

     

     

    A question for the both of you, would it be possible for me to have the Proxy SSL VIP process an iRule(similar to the one above) to redirect to the other VIP via an access policy?
  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    Sep 10, 2012
    The biggest problem is going to be ProxySSL. It needs a clear unobstructed path to the back end server and as such doesn't play well with others. I looked at integrating ProxySSL and SNI (to switch SSL profiles based on TCP negotiation) and ProxySSL breaks that.

     

     

    I'd say at this point, if the single IP is a hard requirement, that you look at ways to send alternative information to the registration server and terminate the SSL at the BIG-IP. iRules have full access to the X509 data, so it's fairly trivial to send the entire certificate base64 encoded, or some specific attribute like the cert UPN (EDIPI@mil), in an HTTP header or other form. Also consider that in most cases it's not the application that is requesting the certificate, but rather the web server during SSL negotiation, so it should be straightforward to make the application consume that certificate information via an alternate "channel" - from a TRUSTED proxy.

     

  • Dimesio_91168's avatar
    Dimesio_91168
    Icon for Nimbostratus rankNimbostratus
    Sep 10, 2012
    I was afraid you were going to say something like that(the need for an unobstructed path.) We have decided to try and get it to two seperate IPs so I dont have to worry about this anymore. I appreciate your help gentlemen, I am sure I will be back soon for more questions.