topic Re: OWA behind CSS/SSL issue in Application Networking

OWA behind CSS/SSL issue

a.gesse — Fri, 15 Jun 2007 19:59:58 GMT

Hello,

trying to setup OWA behind CSS with SSL termination.

http-header static "FRONT-END-HTTPS: on" is in place.

User can access folders and calendar, but can't see body of the messages

The problem seems to be that user at some point tries to use http instead of https,

and because frontend and backend rules have different IP addresses it is impossible

to access OWA via http directly from client.

Tried some other commands around http-header and urlrewrite, didn't work

Any help is appreciated

Alex

Re: OWA behind CSS/SSL issue

Syed Iftekhar Ahmed — Fri, 15 Jun 2007 22:29:21 GMT

OWA

uses several other methods that are not recognized by default on the CSS so you will need

to add the functionality by running

css#script play setup_owa_methods

Syed

Re: OWA behind CSS/SSL issue

a.gesse — Sat, 16 Jun 2007 01:38:03 GMT

Syed,

did before, didn't help.

thanks

Alex

Re: OWA behind CSS/SSL issue

Gilles Dufour — Sun, 17 Jun 2007 07:28:07 GMT

Alex,

if the users tries to use HTTP at some point, there could be some 302 redirect in your owa server.

You might want to configure a urlrewrite function in order to convert from http to https.

But you should verify first if this is the case.

Try to sniff the client traffic and decode it with ssldump or wireshark using the server key.

Gilles.

Re: OWA behind CSS/SSL issue

a.gesse — Sun, 17 Jun 2007 12:30:24 GMT

Gilles,

have tried it already.

Urlrewrite for "*" and explicitly defined frontend and backend ports as 443 and 80.

Sniffer showed 302 types redirects were coming with https.

Clients can see folders, calendar, subjects.

Can't see message bodies only.

Will start with clean config on Monday, what would you say is recommended list of commahds:

1. script play setup_owa_methods

2. static http-header "FRONTEND HTTPS=on"

3. urlerewrite ?

4. ?

thanks,

Alex

Re: OWA behind CSS/SSL issue

Syed Iftekhar Ahmed — Sun, 17 Jun 2007 22:35:34 GMT

You should have following two entries under SSL proxy list

ssl-server x http-header static "FRONT-END-HTTPS: ON?

ssl-server x urlrewrite 1 yourdomain.com sslport 443 clearport 80

Syed

Re: OWA behind CSS/SSL issue

Gilles Dufour — Mon, 18 Jun 2007 05:11:03 GMT

Alex,

get a sniff and see where the client request the body and if the server sends it.

Your config is fine. Nothing else is needed.

You may want to bypass the css and capture a sniff as well so you can compare the 2.

Gilles.

Re: OWA behind CSS/SSL issue

a.gesse — Mon, 18 Jun 2007 16:18:49 GMT

Sorry for big post.

Still doesn't work - users see subjects, folder, calendar, don't see body.

ip route 0.0.0.0 0.0.0.0 10.222.131.1 1

!************************* INTERFACE *************************

interface e1

bridge vlan 131

interface e5

bridge vlan 130

interface e6

bridge vlan 130

!************************** CIRCUIT **************************

circuit VLAN131

ip address 10.222.131.201 255.255.255.0

circuit VLAN130

ip address 1.1.1.1 255.255.255.0

!*********************** SSL PROXY LIST ***********************

ssl-proxy-list Al#1-list

ssl-server 10

ssl-server 10 rsakey RSAKEYASS#1

ssl-server 10 rsacert RSACERTASS#1

ssl-server 10 vip address 10.222.131.202

ssl-server 10 cipher rsa-with-3des-ede-cbc-sha 2.2.2.2 80

ssl-server 10 cipher rsa-with-rc4-128-sha 2.2.2.2 80

ssl-server 10 cipher rsa-with-rc4-128-md5 2.2.2.2 80

ssl-server 10 urlrewrite 2 10.222.131.202

ssl-server 10 http-header static "FRONT-END-HTTPS: on"

active

!************************** SERVICE **************************

service OWA1

protocol tcp

port 80

ip address 1.1.1.2

keepalive uri "/adam.html"

keepalive type http

keepalive port 80

active

service ssl-mod

type ssl-accel

keepalive type none

add ssl-proxy-list Al#1-list

slot 2

active

!*************************** OWNER ***************************

owner OWA_OWA

content back.owa

add service OWA1

add service OWA2

advanced-balance sticky-srcip

protocol tcp

port 80

url "/*"

sticky-inact-timeout 240

vip address 2.2.2.2

active

content front.owa

vip address 10.222.131.202

protocol tcp

port 443

add service ssl-mod

active

~~~~~~Server answers to client with HTTPS (static header is working presumably):

https://10.222.131.202/exchweb/themes/0/owacolors.css">

~~~~~ Some other stuff from server alse have HTTPS

src="https://10.222.131.202/exchweb/img/pg-first.gif">

height="16" id=idPageControl_PrevPage onclick="idMsgViewer.previousPage()" title="Previous Page"

src="https://10.222.131.202/

xchweb/img/pg-prev.gif">

id=idPageControl_NextPage onclick="idMsgViewer.nextPage()" title="Next Page"

src="https://10.222.131.202/exchweb/img/pg-next.gif">

width="16" height="16" id=idPageControl_LastPage onclick="idMsgViewer.page = -1"

~~~~~~ Client requests:

SEARCH /exchange/userone/Inbox/ HTTP/1.1

Accept: */*

Referer: https://10.222.131.202/exchange/userone/Inbox/?Cmd=contents

translate: f

brief: t

Content-Type: text/xml

~~~~~~ Server responds with

HTTP/1.1 207 Multi-Status

Date: Mon, 18 Jun 2007 16:02:38 GMT

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Content-Type: text/xml

Accept-Ranges: rows

Content-Range: rows 0-5; total=6

MS-WebStorage: 6.5.7638

Transfer-Encoding: chunked

X-Powered-By: ASP.NET

Cache-Control: no-cache

c9b

xmlns:c="xml:" xmlns:a="DAV:">0-5

http://10.222.131.202/exchange/userone/Inbox/No%20Subject-2.EML

HTTP/1.1 200 OK< ~~~ (skipped)

~~~~~~~~~ And here I see HTTP instead of HTTPS (?) Something wrong ?

Thanks

Re: OWA behind CSS/SSL issue

Gilles Dufour — Tue, 19 Jun 2007 07:09:49 GMT

the urlrewrite function does not parse the http body. Only the header.

So, if the server sends http link in the body, that's what the client will see.

I'm not sure why the exchange server is doing this.

But what you can try to do is implement a http rule to redirect the traffic to https.

Try something like

service redirect

keepalive type none

ip address 1.1.1.1

type redirect

no prepend-http

domain https://10.222.131.202

active

owner OWA_OWA

content http_redirect

vip address 10.222.131.202

protocol tcp

port 80

add service redirect

active

Let me know if this works.

Gilles.

Re: OWA behind CSS/SSL issue

a.gesse — Tue, 19 Jun 2007 15:33:58 GMT

Thanks Gilles, very much

It makes it work finally.

The question becomes is it the way how it is supposed to be,

because there still "http://" in the botom line during loading,

and these messages regarding secure/unsecure content mix.

regards,

Alex

Re: OWA behind CSS/SSL issue

Gilles Dufour — Wed, 20 Jun 2007 04:44:37 GMT

Alex,

yes, we had to adjust the config because the server sends http:// links.

Normally, with the "front-end-https: on" it's supposed to only send https link.

Maybe this is because by default the CSS only insert the header once.

You can try the following command to see if it makes a difference :

ssl-server http-header insert-per-request

I'm glad we finally have a solution.

Sniffer trace is always the best way to troubleshoot 🙂

Gilles.