Using the F5 as a Reverse Proxy for RSA SecurID Self Service

Hi guys,

Just checking if this is still the case? i.e no port changes can be made at the same time as the changing other parts of the url?

We have a requirement to do both.

Just checking if this is still the case? i.e no port changes can be made at the same time as the changing other parts of the url?

i have not read the proxypass but i believe both (i.e. changing uri and port) can be done by either using proxypass or not using it.

if you can post the irule, people here who know should be able to help. :-)

Thanks nitass,

I just read the proxypass documents and it seems that in V10 and V11 of proxypass, it is supported.

Thanks again!

I have RSA SecurID working with proxypass without changing any port numbers and not requiring users to supply the 7004 tcp port externally. I will upload instructions later this evening. I have to go offsite to a meeting.

--Ryan

SNATs > SNAT Pool List > Create > Name it and add the single floating IP address... Add to your Virtual servers

when HTTP_REQUEST {

HTTP::respond 200 content "RSA Self-Service Console - OLD

The URL for this site has changed. Please update your bookmark."

when HTTP_REQUEST {

Hi Guys,

I know this topic is quite some days old, but I have some strange behavior in a similar setup. The LB should just be used to proxy two RSA servers to be reachable from the Internet.

The strange thing is, when accessing for example /console-selfservice/ directly on the server I get a webpage displayed. Trying the same URL via the LB I'm ending up in a redirect-loop. I found out that doing a HTTP/1.0 request on the commandline of the LB towards the server I also get the correct page as response. But doing a HTTP/1.1 - using either public DNS, server DNS or serverIP - I'm ending up in the redirect-loop again.

Btw. the redirect-loop is not between two URIs, but always the same URI just adding the jsessionid again and again.

Right now I've implemented the following iRule with that the application seems to work:

when HTTP_REQUEST {
HTTP::header remove Host
HTTP::version "1.0"
}
when HTTP_RESPONSE {
if { [HTTP::header exists Location] } {
    HTTP::header replace Location [string map -nocase {"" "" ":7004" "" "//:7004" "//"} [HTTP::header Location]]
}
}

The last mapping is required, because when doing a login on URI /console-ims/ the server respond with a redirect containing an empty Host-header.

I'm not an application expert, especially not for RSA, but I'm wondering if this is related to a wrong server configuration or if I have to do a special configuration on the LB (currently I expect the first one).

Anyone an idea where and what I can look for?

Thank you!

Ciao Stefan 🙂

In the meanwhile I found the issue. The Host-header don't need to be remove, but needs to be replaced with the FQDN of the server including its port.

I'm using now the following iRule:

when HTTP_REQUEST {
    if { not [class match [string tolower [HTTP::uri]] starts_with _allowed_uris] } {
        HTTP::respond 301 Location "https://[HTTP::host]/console-selfservice/"
    } else {
         Prevent the server from sending compressed responses as LTM does not decompress them 
        HTTP::header remove "Accept-Encoding" 
    }
}
when HTTP_REQUEST_SEND {
     Need to force the host header replacement and HTTP:: commands
     into the clientside context as the HTTP_REQUEST_SEND event
     is in the serverside context
    clientside {
         verify the selected server IP to specify its FQDN
        if { [IP::addr [LB::server addr] equals ] } {
            set server_hostname 
        } else {
            set server_hostname 
        }
        set server_port [LB::server port]
         Replace the host header value
        HTTP::header replace Host $server_hostname:$server_port
    }
}
when HTTP_RESPONSE {
    if { [HTTP::header exists Location] } {
        HTTP::header replace Location [string map -nocase {":7004" "" ":7004" ""} [HTTP::header Location]]
    }
}

Maybe this will help someone else as well.

Ciao Stefan 🙂

Hi Stefan, I also try to get this working, but with no success, although using core irule parts of your rule (host header replace) Just get a Reset, troubleshooting seems difficult, did not help so far.

How about your server ssl profile configuration. What did you configure there ? Thanks

This is our final iRule (which is more or less the ProxyPass Lite iRule), which is in production since some weeks now (it requires the parent stream-profile assigned to the VS first):

when HTTP_REQUEST {
    if { not [class match [string tolower [HTTP::uri]] starts_with _allowed_uris] } {
        HTTP::respond 301 Location "https://[HTTP::host]/console-selfservice/"
    } else {
         Prevent the server from sending compressed responses as LTM does not decompress them 
        HTTP::header remove "Accept-Encoding" 
    }
}
when HTTP_REQUEST_SEND {
     Need to force the host header replacement and HTTP:: commands
     into the clientside context as the HTTP_REQUEST_SEND event
     is in the serverside context
    clientside {
         verify the selected server IP to specify its FQDN
        if { [IP::addr [LB::server addr] equals ] } {
            set server_hostname 
        } else {
            set server_hostname 
        }
        set server_port [LB::server port]
         Replace the host header value
        HTTP::header replace Host $server_hostname:$server_port
    }
}
when HTTP_RESPONSE {
    if { [HTTP::header exists Location] } {
        HTTP::header replace Location [string map -nocase {":7004" "" ":7004" ""} [HTTP::header Location]]
    }
     Rewrite the response body if the response type is text
    if { [HTTP::header "Content-Type"] starts_with "text/" } {
         Configure the find/replace strings
        STREAM::expression "@:7004@@ @:7004@"@"
         Enable the stream filter
        STREAM::enable
    }
}

Everything else are default settings.

Ciao Stefan 🙂

Hi out there I need also to publish a selfservice for the RSA server - but I cant get Stefans irule working - I probably missing something obvious... besides of the piece of code Stefan has shared here what need more to be done? I am not that good in reading irules so I might have missed something.. We are running OS 11.3