APM: Portal Access to SSL Sites

Hello,

we've got a VS with an Access Policy showing a webtop with some links like rdp-connections and a Portal Access to an internal http site. Everything's working fine. Now I need a link to a Portal Access to an internal SharePoint 2016 site which is only reachable via https, and I only get the error: "Error: secure connection failed The connection to the Server was reset..." (translated from German)

a tcpdump shows a Reset from the Server (=another LTM in the LAN) with: Cause: TCP Reset from Server

a "curl -vk server" shows cert and everything else

every non-ssl-Site is working

Version is 13.1.0.8

I've tried a lot with SSL-Server-Profile, but no success.

any Idea, where to look?


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hello,

To find the root-cause the first thing to do is to understand why a TCP RST is sent by the server.

Some checks to do :

  • Who sends the RST: application server or reverse-proxy F5?
  • Is the TCP handshake ok?
  • Is the SSL handshake ok?
  • Is there a security brick in place on the application side, like anti-DDoS or L7 ACL?

Also, FYI, to implement SharePoint SSO with APM there is an iRule to add. You can find it there: https://devcentral.f5.com/codeshare/apm-sharepoint-authentication-v2-draft-1049

Hope that helps.

0
Comments on this Answer
Comment made 12-Jul-2018 by kgaigl 110

Hello Nicolas,

thanks for your hints, but it was a problem with SNI, I had to enter the name of the SharePoint Server in the field Servername in the SSL-Server Profile.

But I still have a Problem: it takes above 2 minutes, till the Site opens (and every Link on the Site too). In a capture I don't see errors in this time (if I capture for the IP of the SP-Service)

Any other ideas about timeouts?

Karl

0
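The root cause Karl found (the backend resets the connection unless the ClientHello carries the right SNI) can be confirmed from any host that reaches the backend, for example the BIG-IP shell, by doing the handshake once without and once with SNI and reading the first response. The script below is an added example, not code from this thread or from F5; the host names, the target path and the embedded sample response are constructed placeholders, and the outcome labels follow the checklist in the accepted answer (TCP handshake, SSL handshake, filtering in between). Certificate validation is switched off on purpose, as with `curl -k`, because the question is reachability, not trust.

```python
"""Probe an HTTPS backend with and without SNI and read its first response.

Added diagnostic example, not code from the thread or from F5. Host names
and the sample response below are constructed placeholders.
"""
import socket
import ssl
import sys
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class ProbeResult:
    sni: Optional[str]
    outcome: str            # ok | tcp_reset | refused | tcp_timeout | tls_alert | error
    detail: str = ""
    http_status: Optional[int] = None
    www_authenticate: Optional[str] = None

def classify_error(exc: BaseException) -> Tuple[str, str]:
    """Map a socket/ssl exception onto the accepted answer's checklist."""
    if isinstance(exc, ConnectionResetError):
        # RST right after our ClientHello: classic for a backend that wants SNI
        return "tcp_reset", "server reset the connection during the TLS handshake"
    if isinstance(exc, ConnectionRefusedError):
        return "refused", "TCP handshake failed (port closed or RST by a filter)"
    if isinstance(exc, socket.timeout):
        return "tcp_timeout", "no answer at all: drop by firewall/ACL or bad route"
    if isinstance(exc, ssl.SSLError):
        return "tls_alert", f"TLS handshake failed: {exc}"
    return "error", repr(exc)

def parse_http_head(raw: bytes) -> Tuple[Optional[int], Optional[str]]:
    """Return (status code, WWW-Authenticate value) from a raw HTTP response.
    SharePoint with integrated auth answers 401 + 'WWW-Authenticate: NTLM',
    which is why APM needs the SharePoint SSO iRule for the login step."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1", "replace")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    status = int(parts[1]) if len(parts) >= 2 and parts[1].isdigit() else None
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "www-authenticate":
            return status, value.strip()
    return status, None

def probe(host: str, port: int = 443, sni: Optional[str] = None,
          path: str = "/", timeout: float = 5.0) -> ProbeResult:
    """TLS-connect to host:port sending the given SNI (None = no SNI extension),
    then send a minimal HEAD. Certificate checks are off, as with 'curl -k'."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    data = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                version = tls.version()
                tls.sendall((f"HEAD {path} HTTP/1.1\r\nHost: {sni or host}\r\n"
                             "Connection: close\r\n\r\n").encode())
                while b"\r\n\r\n" not in data:
                    chunk = tls.recv(4096)
                    if not chunk:
                        break
                    data += chunk
    except OSError as exc:          # ssl.SSLError is an OSError subclass
        outcome, detail = classify_error(exc)
        return ProbeResult(sni, outcome, detail)
    status, auth = parse_http_head(data)
    return ProbeResult(sni, "ok", f"TLS {version}", status, auth)

def sni_verdict(without: ProbeResult, with_sni: ProbeResult) -> str:
    """Read the two probes together."""
    if without.outcome == "tcp_reset" and with_sni.outcome == "ok":
        return "backend requires SNI: set Server Name in the server-ssl profile"
    if without.outcome == "ok" and with_sni.outcome == "ok":
        return "SNI not required; look at TCP profile, ACLs or rewrite instead"
    if with_sni.outcome != "ok":
        return f"still failing with SNI ({with_sni.outcome}: {with_sni.detail})"
    return "inconclusive; compare the two tcpdump traces"

# Constructed sample, trimmed from the 401 that SharePoint returns to curl.
SAMPLE_401 = (b"HTTP/1.1 401 Unauthorized\r\nContent-Type: text/plain; charset=utf-8\r\n"
              b"Server: Microsoft-IIS/8.5\r\nWWW-Authenticate: NTLM\r\n"
              b"Content-Length: 16\r\n\r\n401 UNAUTHORIZED")

if __name__ == "__main__":
    # usage: python sni_probe.py <backend host or IP> <sni name> [path]
    target, name = sys.argv[1], sys.argv[2]
    page = sys.argv[3] if len(sys.argv) > 3 else "/"
    a, b = probe(target, sni=None, path=page), probe(target, sni=name, path=page)
    for r in (a, b):
        print(f"SNI={r.sni!r:<24} {r.outcome:<12} {r.detail} "
              f"status={r.http_status} www-authenticate={r.www_authenticate}")
    print(sni_verdict(a, b))
```

A "tcp_reset" without SNI and "ok" with it matches Karl's fix exactly; if both probes succeed, the reset seen by the browser is not a TLS problem and the TCP side (profiles, ACLs, the device in between) is the next place to look, which is also what the later comment about testing with a plain VS and an insecure server-ssl profile is getting at.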
Comment made 12-Jul-2018 by Nicolas DE 336

An SSL handshake problem, then :)

Regarding your new problem, there is certainly an issue on the TCP communication for it to be so long. Check if you see packet retransmissions or an RST due to a timeout raised by one side.

To take the trace (to be done on each F5), you can use the "-p" flag with tcpdump to capture the entire communication if you are in SNAT or Auto-map mode.

Hope that helps.

0
Comment made 12-Jul-2018 by kgaigl 110

I did this already, but there are no TCP retransmits from self-IP to destination.

I suspected an SNI issue because if we start a SharePoint site, the user's "mysite" is loaded automatically. And for the "mysite" I think I need an extra Portal Access and an extra SSL Server Profile, is this right?

thanks anyway

Karl

0
Comment made 13-Jul-2018 by Nicolas DE 336

Sorry your problem of SNI is not clear enough for me to answer you, I need more details.

If you need to dynamically change the SNI parameter according to the FQDN of the client request, you can have a look at the iRules present in codeshare:

https://devcentral.f5.com/codeshare/serverside-sni-injection-irule-968

0
Comment made 16-Jul-2018 by kgaigl 110

Hi Nicolas,

maybe I can explain my issue with SNI: our intranet site has the address https://intranet.xxx.int/Seiten/default.aspx, so I create a portal access for intranet.xxx.int and in the SSL Server Profile I enter the server name intranet.xxx.int; ok, it works after about 2 minutes.

If I browse the intranet, there is a "personal part" with my user (SSO is working) and this personal part has the address https://my.xxx.int; this would be the 2nd SNI (this is also loaded after the 2 minutes).

So now I'm not sure about the effect of the host my.xxx.int (I've modified the ACL but I think this was not needed). If I browse the intranet with a mobile device (via MDM app tunnel), I have to enter user/PW a second time for my.xxx.int.

thanks for your link to the iRule, but I can't figure out how to tweak the variable, could you give me some hints?

0
Comment made 16-Jul-2018 by kgaigl 110

Just for info, after some tests: another SharePoint site (same version) is ok (loading in a few seconds).

So could it be that the F5 has a problem with rendering the one site that needs 2 minutes? The header (title info of the browser tab) is also loaded in a few seconds.

In the config of the portal access I've also configured minimal patching, but no difference.

0
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hello,

Can you confirm that you set the hostname instead of the IP in the portal access (Application URI)?

Additionally, is the request done from the floating IP and not the self IP (are the rules open from the floating IP)?

Regards

0
Comments on this Answer
Comment made 12-Jul-2018 by kgaigl 110

Hello Youssef,

yes, I've set hostname.

No, non-floating IP (it's a single, testing F5, I don't have a floating IP on this F5). Do you think it is a problem?

Karl

0
Comment made 12-Jul-2018 by youssef 4067

Non-floating is not a problem, I would just validate the architecture.

Can you please make a curl from cli:

curl -i -k https://sharepoint-hostname/uri

Set the same hostname in the URI above that you set in the portal access (Application URI).

And tell me what you obtain.

0
Comment made 12-Jul-2018 by kgaigl 110
[iv0yyy@f5-host:Active:Standalone] ~ # curl -i -k https://sp-site.xxx.int/Seiten/default.aspx

HTTP/1.1 401 Unauthorized
Content-Type: text/plain; charset=utf-8
Server: Microsoft-IIS/8.5
SPRequestGuid: 8dfa799e-34f8-6033-3979-f3052ed49a72
request-id: 8dfa799e-34f8-6033-3979-f3052ed49a72
X-FRAME-OPTIONS: SAMEORIGIN
SPRequestDuration: 1
SPIisLatency: 0
WWW-Authenticate: NTLM
X-Powered-By: ASP.NET
MicrosoftSharePointTeamServices: 16.0.0.4456
X-Content-Type-Options: nosniff
X-MS-InvokeApp: 1; RequireReadOnly
Date: Thu, 12 Jul 2018 07:54:32 GMT
Content-Length: 16

401 UNAUTHORIZED

0
Comment made 12-Jul-2018 by youssef 4067

Can you confirm that you set SNAT automap in your VS (the VPN VS that hosts the portal access)? And during your test, when you click on your portal access, did you see logs on the F5?

In /var/log/ltm? Maybe SSL or something else that can help us?

Additionally, don't forget to set an SSL server profile to insecure.

Then, I think you did it, but just verify that you set a rewrite profile in your VS.

Regards

0
Comment made 12-Jul-2018 by youssef 4067

In order to validate if the problem comes from SNI, you can set up a VS for SharePoint (test) through your F5 and use a simple server ssl (insecure) profile. Check if you have access to your app. If yes, it's not an SSL problem...

0