F5 recommended configuration for Microsoft IIS

Question

Hi,&nbsp;
This question can be sound very trivial and basic but I have very high level knowledge on F5 and I am a developer with no prior knowledge and background on network administration. Any help is very much appreciated&nbsp;
We are using BIG-IP 11.4.1 LTM for load balancing HTTP requests to IIS version 6.2  on winodws 2012 r2 . The problem I am facing is when I browse to https:/// the IIS home page gets displayed properly. In case I browse to https:/// the connection gets reset. When I browse to http:/// I am able to see the IIS home page.&nbsp;
The underlying IIS server binds to both 80 and 443. The  I have configured using Iapp &amp; f5.microsoft_iis template with HTTPS offload. When I configured the same vip-host-name from Iapp using "plain text to both server and client" things are working as expected. The load balancing pool is configured for IIS server on 80 port. There is only one server in the pool&nbsp;
From tcpdump I am able to see the tcp connection from the IIS server to big ip getting reset. &nbsp;
My question is there any specific IIS/F5 configuration that has to be done to correct this issue.&nbsp;

hannes_rapp · Answer

Question: &nbsp;
If you configure the Pool Member in first case, I suppose you send requests to a SSL-enabled port on Windows Server 2012, and have also configured ServerSSL profile in VS config? Or in short, are you looking to deploy SSL decrypt, SSL re-encrypt solution on BigIP?
If that's the case, there's one thing worth looking into.&nbsp;
I don't know if also the case with Windows Server 2012, but in case of ServerSSL between BigIP and Windows Server 2008, the SSL handshake tends to fail, resulting in TCP teardown. The easiest solution is to enforce explicit use of TLSv1.0 on the Server-SSL profile, there also are some workarounds for the Windows Server config, but they take a bit more time and are harder to implement.
Apart from possible ServerSSL issues, I cannot think of anything else as a likely root cause here.&nbsp;
Have a look here for reference solution: https://devcentral.f5.com/questions/regarding-cipher-negotiation-for-ltm&nbsp;

prasannablore_2 · Answer

Thanks for replying Hannes.&nbsp;
To answer your question:&nbsp;

The backend pool member i.e. the IIS server is listening on port 80 for processing incoming requests. I have configured the same in Load balancing pool. I am trying for SSL offload i.e. SSL terminates on F5 and requests are sent over the wire as normal http

Is server SSL applicable as I am not sending any data over SSL. Its just plain HTTP calls from F5 to pool and vice versa.&nbsp;

I hope this sheds more light on present problem that I am facing&nbsp;

prasannablore_2 · Answer

Thanks for replying Hannes.&nbsp;
To answer your question:&nbsp;

The backend pool member i.e. the IIS server is listening on port 80 for processing incoming requests. I have configured the same in Load balancing pool. I am trying for SSL offload i.e. SSL terminates on F5 and requests are sent over the wire as normal http

Is server SSL applicable as I am not sending any data over SSL. Its just plain HTTP calls from F5 to pool and vice versa.&nbsp;

I hope this sheds more light on present problem that I am facing&nbsp;

hannes_rapp · Answer

Clear, can you share the config with us? Two TMSH commands for that:
'tmsh list ltm virtual MyVirtualServerName' and 'tmsh list ltm pool MyPoolName'.

prasannablore_2 · Answer

Virtual server configuration

ltm virtual vs_crfinbound_https {

destination 10.153.229.19:https

ip-protocol tcp

mask 255.255.255.255

pool CRFS_ServerManager_pool

profiles {

CRFS-Inbound-communication-SSL {

context clientside

}

http { }
        tcp { }
    }
    rules {
        http_redirecting_rule_for_CRFS_inbound
    }
    source 0.0.0.0/0
    vs-index 43

Pool configuration
ltm pool CRFS_ServerManager_pool {
    load-balancing-mode least-sessions
    members {
        bus00axx.us.oracle.com:http {
            address 10.153.230.27
            session monitor-enabled
            state up
        }
    }
    monitor http
}

}

Forum Discussion

F5 recommended configuration for Microsoft IIS

6 Replies

Recent Discussions

Rewrite uri translation not working

no available managed rule groups for Israel il-central-1

About shun list for L7 DDoS?

CONNECTION IS LOST DUE TO SELF IP IS DELIVERED

ASM instance creation

Related Content

Microsoft Powershell with iControl

Microsoft SharePoint and Microsoft Exchange December 2020 Security Update

Microsoft's Strike on Cybercriminals and SFX backdoor- April 1st-April 7th - This Week in Security

Recommended Persistence for F5 working as ISP-LB ( ISP Load Balancing )

Harnessing the power of F5 BIG-IP Access Policy Manager (APM) and Microsoft