Forum Discussion

Aaron_107144
Nimbostratus
Mar 11, 2011

Redirect to pool based on incoming HTTPS URI

I've been digging and testing all day, but I'm coming up blank.

We've had great success so far with the LTMs marshaling traffic from the internet to the Exchange TMG servers for Outlook Anywhere, OWA, and the like (Exchange 2010).

So yesterday, I got a request from our Exchange admin to redirect HTTPS traffic for Outlook Anywhere and autodiscover to a new set of IPs - while leaving the rest of the traffic to pass as usual to the OWA virtual server/pool. So basically I'm trying to redirect incoming Exchange 2010 traffic to a different pool based on the URI.

As much as I'd like to just use an HTTP redirect (easy) - the TMG servers' security requires that the requested URLs remain intact. So I can't substitute the VIP of the new VS in the URL.

The rule I've come up with is this:

when HTTP_REQUEST {
   if { ([HTTP::uri] starts_with "/rpc") or ([HTTP::uri] starts_with "/oab") or ([HTTP::uri] starts_with "/ews") or ([HTTP::uri] starts_with "/autodiscover") } {
      pool TMG_OA_Pool
   } else {
      pool TMG_OWA_Pool
   }
}

When I try to apply this iRule to my incoming HTTPS Virtual Server, I get an error:

HTTP_REQUEST event in rule (Exch_OA_Redirect) requires an associated HTTP or FASTHTTP profile on the virtual server Exch_TMG_Edge_VIP

When I add an HTTP profile to the VS (it's currently "none" because it's an HTTPS VS), OWA breaks. I added the iRule anyway, and I can see the rule getting hit, but nothing makes it to the OA pool counters.

Any ideas? Am I going about this wrong?

7 Replies

  • Hi Aaron,

    With most Exchange deployments on LTM I've heard about, it's a requirement to decrypt the SSL on LTM to do URI inspection. If you haven't done this already, but want to do URI inspection, I think you'll need to import the server cert onto LTM and add a client SSL profile to the virtual server.

    Once you do, you can use an HTTP based iRule like this:

    when HTTP_REQUEST {
    
       switch -glob [string tolower [HTTP::path]] {
          "/rpc*" -
          "/oab*" -
          "/ews*" -
          "/autodiscover*" {
             pool TMG_OA_Pool
          }
          default {
             pool TMG_OWA_Pool
          }
       }
    }
    

    Aaron
  • Aaron - I've often encountered applications that won't function with an attached HTTP profile. I've just assumed it's because an HTTP profile causes the Virtual Server to require an HTTP request before opening a TCP connection to the pool member. While the HTTP profile is a requirement for L7 visibility, doesn't it also force the application to comply with certain standards? If it's SSL traffic not being decrypted on LTM, would these requests essentially look incorrect and therefore be kept from pool members?
  • Yes, I am terminating SSL on the LTM - it's actually built to F5's Exchange 2010 design guide specs. There are 2 VS - 1 HTTP and 1 HTTPS, both with the same VIP. The HTTP VS has an HTTPS redirect iRule, sending traffic sourced on port 80 to the HTTPS VS.

    The issue is that if the client request is HTTPS to begin with, the HTTP VS is never hit. The session is established to the HTTPS VS directly - this is why I'm assuming whichever iRule I use to redirect the traffic to the other pool is going to have to be applied to the HTTPS VS.

    I tried the switch -glob iRule before posting (I tried 6 or 7 different variations, actually, before posting...) but I was still stuck having to assign an HTTP profile to the HTTPS VS to get the rule to apply, breaking OWA.

    I need to get to an LTM class!

  • You're correct in that you'll need the iRule applied to HTTPS traffic as well. Also, as your rule looks at HTTP info (path) you'll need the HTTP profile. If you do a packet capture, is traffic getting to your pool members? Are you just using a clientSSL profile on your HTTPS VIP?
  • I've had similar problems to what you are describing in the past. The problems that I had revolved around a default behavior in the HTTP Profile (Response Rechunking). Some traffic doesn't respond well to it.

    I would suggest creating and applying a custom HTTP Profile and trying different chunking options to see if this fixes your problem.

    I did check my OWA Virtual Server settings and we are using the default HTTP Profile (with the default Response Rechunking settings) so this is just a guess, but it sounds like you have everything else configured correctly.

  • I've managed to make some progress:

    Using the iRule:

    when HTTP_REQUEST {
       switch -glob [string tolower [HTTP::path]] {
          "/rpc*" -
          "/oab*" -
          "/ews*" -
          "/autodiscover*" {
             pool Exch_OA_Pool
          }
          default {
             pool Exch_OWA_Pool
          }
       }
    }

    I also removed the pool declaration in the VS configuration - allowing pool selection solely via the iRule. This works, and OWA traffic flows as required to the "Exch_OWA_Pool".

    And I can see the OA traffic hitting the "Exch_OA_Pool" as designed.

    This also works with the iRule I started with (If, or, or, or, or), just FYI for the next guy...

    I'm still having trouble with the traffic, but at least it's hitting the OA TMG pool now! I may have more questions, but I have to do a little more research to make sure they aren't too newb-ish ;)

    Thanks guys! I appreciate the help.
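The two rules in this thread (the original post's `starts_with` test on HTTP::uri, and the `switch -glob` rule from the first reply, which the final post confirms also works) differ in a way that matters for routing: one is case-sensitive and looks at the whole URI, the other lower-cases the path first. Below is an added, stand-alone Tcl script that is not from the thread and not F5's code; it is not an iRule either, since the BIG-IP commands HTTP::uri, HTTP::path and the starts_with operator are emulated with plain Tcl. It runs both decision procedures over constructed sample requests so the difference is visible; the pool names are the thread's own.

```tcl
#!/usr/bin/env tclsh
# Stand-alone Tcl (no BIG-IP commands): the two pool-selection rules from the
# thread, reimplemented as procs so their routing decisions can be compared
# offline. Pool names are the thread's own; the sample requests below are
# constructed for this demonstration.

# Original post's logic: case-sensitive prefix test against the full URI.
# The iRule operator "starts_with" is emulated with [string first] == 0.
proc select_pool_uri {uri} {
    foreach prefix {/rpc /oab /ews /autodiscover} {
        if {[string first $prefix $uri] == 0} {
            return TMG_OA_Pool
        }
    }
    return TMG_OWA_Pool
}

# First reply's logic: glob match on a lower-cased path.
# HTTP::path is the URI without its query string, so strip "?..." here.
proc select_pool_glob {uri} {
    set path [lindex [split $uri ?] 0]
    switch -glob [string tolower $path] {
        "/rpc*" -
        "/oab*" -
        "/ews*" -
        "/autodiscover*" {
            return TMG_OA_Pool
        }
        default {
            return TMG_OWA_Pool
        }
    }
}

# Constructed sample requests: the Outlook Anywhere / autodiscover paths the
# thread names, an OWA request, the bare root, and mixed-case variants of the
# kind real Outlook clients send.
set samples {
    /rpc/rpcproxy.dll?mail.example.com:6001
    /Autodiscover/Autodiscover.xml
    /EWS/Exchange.asmx
    /oab/00000000-0000-0000-0000-000000000000/oab.xml
    /owa/
    /
}

puts [format "%-55s %-14s %s" URI starts_with "switch -glob"]
foreach uri $samples {
    set a [select_pool_uri $uri]
    set b [select_pool_glob $uri]
    set note [expr {$a eq $b ? "" : "  <- rules disagree"}]
    puts [format "%-55s %-14s %s%s" $uri $a $b $note]
}
```

Run it with `tclsh`. The mixed-case Autodiscover and EWS requests are the ones to watch: the prefix rule sends them to the OWA pool while the glob rule sends them to the OA pool. When pool selection is done purely in the iRule, as the final post describes, lower-casing the path before matching is what keeps those requests from landing on the wrong set of TMG servers.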