I am trying to set up a VIP for an OpenText EIM solution. I have a standard VIP for port 443. However, the server keeps doing a redirect to another FQDN. So in this case, I am putting in https://content.companya.com and the browser is getting redirected to https://servera.host.local (the domain name for the server itself). If I go to the FQDN of the server itself (servera.host.local), it works fine. According to OpenText, this is an issue with OpenText Directory Services (OTDS), and this is the expected behaviour, as during the installation of OTDS it is required that we use the FQDN and use certificates that have been created against that hostname of the server. A reverse proxy must be used to translate requests between different top-level domains. So what type of iRule do I need to set up to make the translation work?
If this is only an installation issue (one off)
Try now. Delete above configuration when finished.
Still not working. The packet trace shows that when the packet goes to the pool member, another connection is initiated to the OTDS server, which is a separate server. The result is the error "There was a problem with your request. Please contact your administrator if this persists. The DNS domains for the request and response differ or cannot be determined. As OTDS uses domain-level cookies, the request and response must originate within the same DNS domain. Please make sure that fully qualified DNS domains are specified in all configuration and browser entries. Do not use IP address or local names. The redirect URL was given as "https://contentcenter:443/OTCS/cs.exe", and the OTDS URL followed was "http://dfmspotparc.hostederp.local:8080/otdsws/login"."
OpenText support says that the solution is a "reverse proxy", so I am taking it that when the request comes in from the client as "www.companya.com" the F5 needs to forward the request to the server as "servera.host.local". However, the OTDS server is not part of the pool as it is a separate box.
There is not enough information here for me to help you.
You can do this with LTM as well, but as you can see, when you have multiple outgoing requests to different destinations you need to create virtuals for them as well. The problem here is I do not have a clear picture of what is happening. Can you draw up a diagram to explain the application flows that are going on here and attach it to this post?
As for correct naming, the BIGIP can rename anything in the traffic flow to make it look right to the application, that is one of its strengths. The challenge for the solution designer is to clearly understand what the server is expecting.
So the issue is that the Content Server talks to another server because that is where directory services is running. After the directory services application checks to make sure there is a valid user, it should return the client to the content server. According to OpenText, the FQDN for the content server is in a .local domain, and it then talks to directory services, which is also in the same .local domain. But the original URL is the company.com. So when the reply goes back to the client, it is only referencing the .local domain.
From the sniffer trace, I can see the following:
Client sends a request to the Content Server
Whenever we call the Content Server, it communicates with the directory services server for authentication.
The directory services server sends a request to the client for authentication
Client responds back to the directory services server with credentials
The directory services server checks Active Directory for the user's existence and roles.
The archive server sends a 302 redirect to .local:443/OTCS/livelink.exe to the client to continue back to the Content Server, instead of sending .company.com/OTCS/livelink.exe
The server team built an Apache reverse proxy to replace the F5 as a test. The results came back that the application works as expected. I am going to try to do a sniffer trace with that later today.
I tried to use the Proxy Pass iRule to emulate the functions but it is still doing the behavior above.
Was there ever a fix for this? We are trying to do OpenText Directory Services and we are running into the same issue. Thoughts?
You can use URL mapping within the same VIP and have it routed to different nodes.
/OTCS URL - Content server nodes (1...N)
/otdsws URL - OTDS server nodes (1...N)
This way we can have only one DNS for example http(s)://content.company.com and based on URL it can route to different nodes.
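As an added illustration of the URL-mapping approach in the reply above (not code posted by anyone in this thread, and not tested against OTDS): an iRule that picks a pool by path, presents each backend with its own FQDN in the Host header, and rewrites 302 Location headers back to the external name. The pool names and the OTDS hostname are hypothetical placeholders; the external and Content Server names are the ones from the question. It assumes an HTTP profile on the virtual server and suitable server-side TLS settings for each pool.

```tcl
when RULE_INIT {
    # External name the browser uses (from the question)
    set static::ext_host  "content.companya.com"
    # Internal FQDN the Content Server was installed with (from the question)
    set static::int_cs    "servera.host.local"
    # Placeholder for the OTDS server's internal FQDN and port (assumption)
    set static::int_otds  "otds.example.local:8080"
    # Hypothetical pool names
    set static::cs_pool   "pool_content_server"
    set static::otds_pool "pool_otds"
}

when HTTP_REQUEST {
    # Route by URL path; send each backend the Host header it expects
    switch -glob -- [string tolower [HTTP::path]] {
        "/otcs/*" {
            pool $static::cs_pool
            HTTP::header replace Host $static::int_cs
        }
        "/otdsws/*" {
            pool $static::otds_pool
            HTTP::header replace Host $static::int_otds
        }
        default {
            # Anything outside the two published paths is not proxied
            HTTP::respond 404 content "Not found"
        }
    }
}

when HTTP_RESPONSE {
    # Rewrite redirects that point at internal names back to the external name
    if { [HTTP::is_redirect] } {
        set loc [HTTP::header value Location]
        set new [string map -nocase [list \
            "https://${static::int_cs}:443" "https://${static::ext_host}" \
            "https://${static::int_cs}"     "https://${static::ext_host}" \
            "http://${static::int_otds}"    "https://${static::ext_host}" \
        ] $loc]
        if { $new ne $loc } {
            HTTP::header replace Location $new
        }
    }
}
```

This rewrites only the Host and Location headers. Cookie domains and absolute URLs inside response bodies are left as the servers send them.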