gh0std0g_79292
Jul 11, 2012

help troubleshooting or reconfiguring an iRule

 

Currently the CAS server is doing the redirect, terminating the SSL, and providing the OWA logon page… The F5 was set up for ‘Performance L4’ and load balancing.

I was attempting to integrate our Enterprise Vault solution today. The plan was to use the existing Exchange virtual server and iRules to direct traffic to the Enterprise Vault pool.

I changed the VS type to standard and created the following iRules… I see the 1st 80 redirect rule working, but I don’t see any traffic hitting the pool and I think I need a little assistance… Attached is a generic diagram of the EV/Exchange setup.

HTTP Virtual:

    when HTTP_REQUEST {
        if { [HTTP::uri] contains "enterprisevault" } {
            HTTP::redirect "https://webmail.company.com/enterprisevault/"
        } elseif { [HTTP::uri] equals "/" } {
            HTTP::redirect "https://webmail.company.com/owa"
        }
    }

HTTPS Virtual:

    when HTTP_REQUEST {
        if { [string tolower [http_uri]] equals "/enterprisevault" } {
            pool enterprise-vault
            log local0. "match for ev"
        } else {
            pool exchange2007-owa
        }
    }

7 Replies

  • if { [string tolower [http_uri]] equals "/enterprisevault" } {

    is it "/enterprisevault" or "/enterprisevault/"?

    by the way, http_uri is HTTP::uri, isn't it?
  • Sorry, another piece of information to further complicate things... I do not have the SSL client profile configured with a valid cert. The CAS servers have the cert on them and will continue to redirect 80 traffic and terminate SSL. Will I have to install the cert/key pair on F5 as well? And if so, I assume I can use the default server profile 'server-sslinsecure-compatible'? And that will not interfere with my enterprise vault pool listening on port 80.

    Thanks
  • Richard__Harlan
    Historic F5 Account
    Yes, the LTM will reset the traffic as you have an HTTP profile on the VIP and the traffic is non-RFC HTTP. Without the Client-ssl profile the LTM will not be able to read any of the traffic.
  • Will I have to install the cert/key pair on F5 as well?
    yes, you should import certificate and key from server to bigip and set it in clientssl profile. you are able to use default clientssl profile but user will get certificate warning page when accessing https virtual server.

    And if so, I assume I can use the default server profile 'server-sslinsecure-compatible'?
    yes, you can use default serverssl-insecure-compatible on server-side i.e. custom clientssl profile on client-side and default serverssl-insecure-compatible on server-side.

    And that will not interfere with my enterprise vault pool listening on port 80.
    not really sure if i understand correctly. anyway, i understand there are 2 pools; exchange pool is listening on port 80 and 443 and enterprisevault is on port 80. you have 2 virtual servers but same virtual address; one is on port 80 and the other one is on port 443, and you want to direct traffic to pool based on url.

    so, i think configuration may look like this.

    [root@ve10:Active] config  b virtual bar80 list
    virtual bar80 {
       destination 172.28.19.79:80
       ip protocol 6
       rules myrule80
       profiles {
          http {}
          tcp {}
       }
    }
    [root@ve10:Active] config  b rule myrule80 list
    rule myrule80 {
       when HTTP_REQUEST {
       if { [string tolower [HTTP::uri]] contains "enterprisevault" }{
          HTTP::redirect "https://[HTTP::host]/enterprisevault"
       } elseif { [HTTP::uri] equals "/" }{
          HTTP::redirect "https://[HTTP::host]/owa"
       }
    }
    }
    
    [root@ve10:Active] config  b virtual bar443 list
    virtual bar443 {
       snat automap
       destination 172.28.19.79:443
       ip protocol 6
       rules myrule443
       profiles {
          clientssl {
             clientside
          }
          http {}
          serverssl {
             serverside
          }
          tcp {}
       }
    }
    [root@ve10:Active] config  b rule myrule443 list
    rule myrule443 {
       when HTTP_REQUEST {
       if { [string tolower [HTTP::uri]] equals "/enterprisevault" } {
          SSL::disable serverside
          pool foo80
       } else {
          pool foo443
       }
    }
    }
    [root@ve10:Active] config  b pool foo80 list
    pool foo80 {
       members 200.200.200.101:80 {}
    }
    [root@ve10:Active] config  b pool foo443 list
    pool foo443 {
       members 200.200.200.101:443 {}
    }
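
The exact-match question raised in the first reply ("/enterprisevault" or "/enterprisevault/"?), as an added example that is not part of any poster's reply: an iRule for the HTTPS virtual server that selects the pool by path prefix, so `/enterprisevault`, `/enterprisevault/` and anything beneath it go to the same pool. Pool names `foo80` and `foo443` are reused from the listing above; the lowercase `/enterprisevault` prefix and the assumption that the Enterprise Vault members speak plain HTTP come from the thread.

```tcl
# Added example, not code from the thread.
# Assumes a clientssl profile on the virtual server (so the HTTP profile
# can read the decrypted request) and a serverssl profile for re-encryption.
when HTTP_REQUEST {
    # Use the path only, so a query string cannot influence pool selection,
    # and lowercase it so /EnterpriseVault and /enterprisevault match alike.
    set path [string tolower [HTTP::path]]

    switch -glob -- $path {
        "/enterprisevault" -
        "/enterprisevault/*" {
            # Enterprise Vault members listen on port 80 (plain HTTP):
            # do not re-encrypt toward this pool.
            SSL::disable serverside
            pool foo80
            log local0. "EV match from [IP::client_addr]: $path"
        }
        default {
            # Re-enable server-side SSL in case an earlier request on this
            # client connection disabled it, then use the HTTPS pool.
            SSL::enable serverside
            pool foo443
        }
    }
}
```

The glob pattern `/enterprisevault/*` deliberately does not match a path such as `/enterprisevaultx`, which a bare `starts_with "/enterprisevault"` test would send to the port-80 pool.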
    
  • Has anyone gotten this to work? We are running Enterprise Vault with OWA, and I can't get enterprise vault accessible from the outside.

     

  • I have been messing around with the iRules and now instead of a page cannot be displayed error, I am getting a 404 error.
    • bernhard_schmi1

      Any update? Because we have the same issue and neither F5 nor Veritas could give us the right solution.

      We have Exchange DAG 2013 multirole and Enterprise Vault. From external (OWA) we cannot use Enterprise Vault.

      Thanks