Forum Discussion

Dbow_21284
May 21, 2009

HTTPS VIP - Redirect to Maintenance Page

Hey everyone,

Fairly new to F5s, used to the GUI stuff (laugh all you want)! Anyway, I have a site that is HTTPS only, and I need to redirect to a maintenance page if all the nodes in the pool are down. I see it's easy in an HTTP VIP via the HTTP profile fallback parameter or via an iRule to look at the active_members in a pool and redirect to a maintenance page if none are available.

But for HTTPS, I can't find an iRule to do this. I assume https_request syntax does not exist.

Does anyone have an iRule that does this? Or if not an iRule, how else can you do it? Do I have to offload the SSL cert to the LB?

Your help is appreciated.

Dave

PS: I looked for a topic on this with no luck. Sorry if I duplicated. Thanks again in advance.

17 Replies

  • The problem is that I cannot offload SSL to the LTM as this is for Exchange 2007 OWA. We have many Active Sync enabled phones and Microsoft does not support Active Sync when offloading SSL from the Exchange 2007 Hub transport (OWA) servers.

    This is frustrating if there is no way to do this with an industry leading LB appliance and the most widely used email product in the world. Yes, I am complaining now LOL.

    I appreciate everyone's time and attention to this topic!!!!

    Has anyone else come across this situation? What have you done? I can't be the only one...... Any other advice?

  • Can I create an iRule that detects if active_members of an HTTPS pool equals 0 and, if so, redirects to HTTP? Or to an HTTP VIP that has no pool members but an HTTP profile with a fallback host parameter that is my maintenance page?
  • Posted By ddenbow on 05/21/2009 12:47 PM

    The problem is that I cannot offload SSL to the LTM as this is for Exchange 2007 OWA. We have many Active Sync enabled phones and Microsoft does not support Active Sync when offloading SSL from the Exchange 2007 Hub transport (OWA) servers.

    You can always re-encrypt using a serverssl profile before the connection is sent to the OWA servers. Then OWA doesn't "know" that there's any offload of SSL taking place. But you have to decrypt at the LTM so that you can manipulate the http data.
    Plus, according to SOL 6087, you need to add a FRONT-END-HTTPS: on header on virtuals that do offloading for OWA, and I'd be surprised if that doesn't indicate to the server what it needs to do to handle Active Sync properly.

    Denny
  • Ok, this is starting to make sense now to a noob like me. That's not sarcasm, btw. Thanks for the ongoing help, everyone.
  • Either I'm not communicating the point very well or I don't understand what you're trying to accomplish. I'll try again:

    With Hoolio's solution, the F5 will not offload SSL in ANY circumstance other than when all the servers are down, at which point it will offload ONLY to redirect the traffic to the destination you provide. If all the servers are down, the LTM will not be forwarding traffic to them anyway.

    The problem you are encountering has nothing to do with the industry leading technology, it has everything to do with the encryption parameters defined in the SSL protocol, namely, if you have no cert and no key, you don't get to see the traffic.
  • Ok ... it's sinking in. I was confused, as when I was hearing "offload SSL", I was thinking the SSL cert and everything is on the LTM and it talks to the servers via HTTP. So in my mind it meant no SSL between the LTM and server.

    So I understand better now; I've been looking at the documentation too. So I will follow this snippet you sent, citizen, and see what happens. If you are confident it will work ... I am sure it will.

    Thanks again, and thanks for your patience!
  • Yeah, that's the traditional use of offload. So there's:

    1. Offload SSL, do stuff, send in the clear to the servers (requires only a clientssl profile).

    2. Offload all SSL, do stuff, re-encrypt, send encrypted to the servers (requires clientssl and serverssl profiles). Most financial & govt require this for user-sensitive data: no data in the clear on the wire.

    3. Hoolio's solution. Configure the virtual like solution number 1, but, via iRules, bypass the offloading UNLESS no servers are available.

    4. Offload nothing; configure simply as a standard virtual server. No "do stuff" with this option other than messing with TCP options.

    HTH...Jason
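For readers who want to see what option 3 above (and Dave's earlier question about an iRule that redirects when active_members of the HTTPS pool is 0) looks like in practice, here is an added example iRule. It is not Hoolio's original code and not from this thread; it is written against the documented iRule events and commands (CLIENT_ACCEPTED, HTTP_REQUEST, active_members, SSL::disable/enable, HTTP::disable/enable, HTTP::redirect, HTTP::respond). It assumes the virtual server has a clientssl profile carrying the site's certificate and key plus an http profile, and no serverssl profile; the pool name `owa_pool` and the maintenance URL are placeholders.

```tcl
# Added example, not from the thread: SSL passthrough while the pool has
# members, SSL offload on the LTM only when no member is available, so the
# client can be redirected to a maintenance page.
# Assumptions: clientssl + http profiles on the virtual, no serverssl profile;
# "owa_pool" and the maintenance URL are hypothetical placeholders.

when CLIENT_ACCEPTED {
    if { [active_members owa_pool] > 0 } {
        # Members are up: do not terminate TLS here. The encrypted stream is
        # passed through unchanged to a server that holds the real cert, so
        # ActiveSync sees end-to-end SSL and nothing is modified in transit.
        SSL::disable
        # The http profile must not try to parse ciphertext.
        HTTP::disable
    } else {
        # Nothing to forward to: terminate TLS on the LTM for this connection
        # only, so the request can be read and answered with a redirect.
        SSL::enable
        HTTP::enable
    }
}

when HTTP_REQUEST {
    # Only reached when SSL/HTTP processing was enabled at accept time.
    if { [active_members owa_pool] < 1 } {
        # Pool is still empty: send the user to the maintenance page. Plain
        # http is used because the maintenance host need not have a cert.
        HTTP::redirect "http://maintenance.example.com/owa_down.html"
    } else {
        # A member came back after this connection was accepted. The LTM has
        # already decrypted this connection and cannot hand plaintext to a
        # server expecting TLS, so force a fresh connection (which will take
        # the passthrough branch above) and close this one.
        HTTP::respond 302 Location "https://[HTTP::host][HTTP::uri]" Connection close
    }
}
```

Two things to check before relying on this: the certificate in the clientssl profile must match the site's hostname, because in the "all members down" state the LTM presents it to clients (the point made above that without a cert and key the LTM cannot see the traffic also means it must have a valid one to answer); and the maintenance page is served over plain http, so it should carry nothing sensitive. The per-connection decision in CLIENT_ACCEPTED is what makes this different from the HTTP-profile fallback host, which only works once SSL has already been terminated.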