eugenix_116516
May 08, 2013

Help with Port Translation

Apologies in advance if this is the wrong forum or place to ask this question, but I can't seem to figure this out.

We have a Java Web Server application (ManageEngine's AD Self Service) that uses port 9251. We would like to use our F5 to create a virtual server such that we can give our users a simple URL instead of

 

 

I created a new virtual server with a new IP and then created a pool with just the webserver in it, set it to use HTTPS and specified port 9251. I used the java keytool to export the server cert & key (from our internal Enterprise Root CA). I created an SSL Server profile, specified the cert & key, left everything else default. On the virtual server, I specified the SSL Server profile, and at the moment, am just leaving the Client profile as 'none', so they can reach it over port 80.

Do I need some kind of iRule to make this happen? Any tips, hints, help greatly appreciated.

Forgot to mention, we have a BIG-IP 1600, running 10.2.3

Thanks,

Eugene

 

15 Replies

  • Thanks Ajmal :) Just curious, how successful have you been getting application owners to fix their redirections to use standard ports :) Anyway I did a search for rewriting the port in an http response and found the following from Hoolio. With some slight modification (just in comments I think) it worked perfectly...

    when HTTP_RESPONSE {
        # Check if server response is a redirect
        if { [HTTP::header is_redirect]} {
            # Log original and updated values
            log local0. "Original Location header value: [HTTP::header value Location],\
                updated: [string map ":[TCP::remote_port]/ /" [HTTP::header value Location]]"
            # Do the update, replacing in this case :9443/ with / (where 9443 is the stproxy port)
            HTTP::header replace Location [string map ":[TCP::remote_port]/ /" [HTTP::header value Location]]
        }
    }

     

     

     

  • That's strange.

    Are you able to reach the VIP IP from your network, ping or telnet to port 443?

     

  • Yes, I'm able to ping and telnet to 443 on the VIP IP.

     

     

    Is this something I would create as an iRule, and for my problem, would I change port 9443 to port 9251? I'm not quite sure what I need to change in the example to tailor it to my problem.

     

    Especially in regards to the line:

    updated: [string map ":[TCP::remote_port]/ /" [HTTP::header value Location]]"

    when HTTP_RESPONSE {
        # Check if server response is a redirect
        if { [HTTP::header is_redirect]} {
            # Log original and updated values
            log local0. "Original Location header value: [HTTP::header value Location],\
                updated: [string map ":[TCP::remote_port]/ /" [HTTP::header value Location]]"
            # Do the update, replacing in this case :9443/ with / (where 9443 is the stproxy port)
            HTTP::header replace Location [string map ":[TCP::remote_port]/ /" [HTTP::header value Location]]
        }
    }
  • The original line had 8080, which I changed to 9443, but again, that is just a comment. The LTM is actually reading what that port is and just removing it, with the result being a redirection with no port specified, so it uses the standard of 443, since we are doing https here.

     

     

    This is the crucial line....

     

     

    HTTP::header replace Location [string map ":[TCP::remote_port]/ /" [HTTP::header value Location]]

     

    that replaces :xxxx/ :/ where xxxx is whatever non standard port the server is sending in its redirection.
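
Added example, not part of any reply in this thread: plain Tcl (runs in tclsh, no BIG-IP needed) showing what the `string map` rewrite discussed above does to several constructed Location values, next to a hypothetical stricter variant that only touches the host:port of an absolute URL. Port 9251 comes from the original question; the hostnames and both proc names are assumptions.

```tcl
# Added example (plain Tcl for tclsh; not code from the thread).
# Port 9251 is from the original question; hostnames are constructed samples.

# The rewrite as posted in the thread: every ":<port>/" in the value
# becomes "/". [list ...] builds the same key/value map that the iRule
# writes as the string ":<port>/ /".
proc strip_port_map {location port} {
    return [string map [list ":$port/" "/"] $location]
}

# Hypothetical stricter variant: remove the port only from the authority
# part of an absolute http(s) URL, whether or not a path follows it.
proc strip_port_authority {location port} {
    set re [format {^(https?://[^/:?#]+):%s([/?#].*)?$} $port]
    if {[regsub -- $re $location {\1\2} out]} {
        return $out
    }
    # Relative redirects and URLs on other ports are returned untouched.
    return $location
}

set port 9251

# Constructed Location header values covering the edge cases:
#  1. port followed by a path (the case the thread's iRule targets)
#  2. port with no trailing slash (the map key ":9251/" does not match)
#  3. the same ":9251/" appearing again inside the query string
#  4. a relative redirect
set samples {
    https://adss.example.com:9251/login
    https://adss.example.com:9251
    https://adss.example.com:9251/next?back=http://other.example.com:9251/x
    /relative/path
}

foreach loc $samples {
    puts "in:       $loc"
    puts "  map:    [strip_port_map $loc $port]"
    puts "  strict: [strip_port_authority $loc $port]"
}
```

The second and third samples are where the two approaches differ: `string map` leaves a port with no trailing slash in place and rewrites every occurrence of `:9251/`, including one inside a query string.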

     

  • An iRule is not required here as there is no redirection required on the LTM, the traffic should pass to the pool member on the defined ports. Since the server is maintaining all the SSL sessions, you can try removing the SSL profiles.

     

     

    b virtual ADSS_Test '{
        snat automap
        pool BHADTOOLS
        destination 192.168.250.138:https
        ip protocol tcp
        profiles {
            http {}
            tcp {}
        }
    }'