10-18-2011 02:53 AM
Setting up SSL termination for GroupWise web access.
1. Clients connect to the VIP with either HTTP or HTTPS (webmail.xyz.net & xyzgwacc.xyz.net).
2. Both should be redirected to https://xyzgwacc.xyz.net/gw/webacc
3. Connections from the ACE to the servers are on port 80 (HTTP)
Problem:
Failing to get a client connection pointing to xyzgwacc.xyz.net translated to https://xyzgwacc.xyz.net/gw/webacc
I have tried the redirection on the server itself, but that also changes the URL displayed on the client side. Instead of xyzgwacc.xyz.net it shows the actual server.
Below is the sample config that I am using to try and make it work.
If the client enters the full URL (https://xyzgwacc.xyz.net/gw/webacc) it works, but not https://xyzgwacc.xyz.net.
I cannot seem to make my URL rewrite do what I want it to do. I hope someone can point me in the right direction.
---------------------------------------------------------------
crypto chaingroup WEBACC-THWART-INT
  cert thwart_intermediate.crt
  cert gw_imaps_certInt.crt
probe icmp PING
  interval 2
  passdetect interval 2
  passdetect count 1
rserver host S-NGW004
  ip address 10.10.10.4
  probe PING
  inservice
rserver host S-NGW005
  ip address 10.10.10.5
  probe PING
  inservice
serverfarm host GW-WA
  description GW web access test
  predictor hash address
  rserver S-NGW004 80
    inservice
  rserver S-NGW005 80
    inservice
action-list type modify http GWACC_urlrewrite
  header rewrite response location header-value "\r" replace "gw\/webacc"
ssl-proxy service SSL-PROXY-GW-WEBACC
  key gw_webacc_key.pem
  cert gw_webacc_certsvr.crt
  chaingroup WEBACC-THWART-INT
class-map match-all GW-WA-VIP
  2 match virtual-address 10.10.10.10 tcp eq https
policy-map type loadbalance http first-match SLB-GW-WA
  class class-default
    serverfarm GW-WA
    action GWACC_urlrewrite
policy-map multi-match CL-POL-GROUPWISE
  description Client facing Policy for GW WA/IMAP/SMTP
  class GW-WA-VIP
    loadbalance vip inservice
    loadbalance policy SLB-GW-WA
    loadbalance vip icmp-reply
    ssl-proxy server SSL-PROXY-GW-WEBACC
10-18-2011 03:09 PM
Check this example:
10-19-2011 01:26 AM
The example uses webhost redirection. I tried it before; the problem I had with it was that the URL displayed on the client was showing the server "address" instead of the VIP one.
The client should only be presented with the same address throughout (that of the VIP), regardless of the actual server he gets connected to.
10-19-2011 01:29 AM
ACE supports only redirections (301 / 302).
URL rewrite is still not supported today.
10-19-2011 02:36 AM
If I understand you well, does it mean an action-list of the form
action-list type modify http urlrewrite
  header rewrite response location header-value "xyzgwacc\.xyz\.net" replace "xyzgwacc\.xyz\.net\/gw\/webacc"
will not work?
10-19-2011 02:41 AM
What are you trying to achieve? Is it L7 switching / URL rewriting or header rewriting?
Can you give us the full details of your architecture? Do you run HTTP virtual hosts?
10-19-2011 06:02 AM
I have two VMW servers providing GroupWise mail web access. To access one's mail, the browser should point at server1/gw/webacc or server2/gw/webacc through the ACE. The ACE should provide load balancing and SSL termination (only one certificate, for the VIP on the ACE). The DNS entry of the VIP is, say, xyzgwacc.xyz.net.
What needs to be achieved is: if one points a browser to either http or https on xyzgwacc.xyz.net, it should automatically be taken to https://xyzgwacc.xyz.net/gw/webacc.
It should not be apparent to the user which server the user is connecting to.
Implementing load balancing using 'rserver host' addresses works in part, but falls short on appending the '/gw/webacc' to requests.
Using 'rserver redirect' falls short in that the actual server servicing the request appears in the client URL.
What I need is a way that, if a client enters either webmail.xyz.net or xyzgwacc.xyz.net (without providing the full URL, i.e. https://xyzgwacc.xyz.net/gw/webacc), they see the connection made to https://xyzgwacc.xyz.net/gw/webacc regardless of the server servicing the request.
10-19-2011 06:20 AM
It can work, but there are restrictions.
If the real name of the webmail server appears in the client browser, this is because:
case 1: the webmail application uses absolute (hardcoded) links instead of relative links.
The ACE doesn't support URL rewriting in the payload, so you have to work with the webmail vendor to move to relative links within the pages.
case 2: there is a redirection in the webmail application (after a login screen, usually); in that case you can use SSL redirect.
Anyway, that kind of issue is extremely difficult to troubleshoot without taking HTTP traces.
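To make the distinction in this thread concrete, here is an added Python model of the three behaviours being discussed; it is not Cisco ACE code and not anything the posters ran. It separates (a) the client-side redirect the ACE can do (301/302 to the canonical https://xyzgwacc.xyz.net/gw/webacc), (b) a Location-header rewrite on backend responses, which is the effect the poster was after with "header rewrite response location" and which must match the backend host and keep the rest of the path rather than matching "\r", and (c) a diagnostic for "case 1" that scans a captured HTML body for absolute links to a backend, which no header rewrite can fix. The host names, addresses and the sample HTML are constructed from the sanitized values in the thread.

```python
import re

# Constructed from the thread's sanitized values: the VIP's public name, its
# aliases, the backend servers' names/addresses and the application path.
VIP_HOST = "xyzgwacc.xyz.net"
VIP_ALIASES = {"xyzgwacc.xyz.net", "webmail.xyz.net"}
BACKENDS = {"10.10.10.4", "10.10.10.5", "s-ngw004", "s-ngw005"}
APP_PATH = "/gw/webacc"


def redirect_for_request(host, path, scheme):
    """Front-end behaviour (what a 301/302 redirect on the VIP achieves).

    Returns (status, location) when the request should be redirected to the
    canonical HTTPS URL, or None when it already is canonical. Plain HTTP, a
    bare hostname and the webmail.xyz.net alias are all sent to
    https://xyzgwacc.xyz.net/gw/webacc; a request already on the VIP name,
    over HTTPS and under /gw/webacc is left alone.
    """
    host = host.split(":")[0].lower()
    if host not in VIP_ALIASES:
        return None
    if scheme == "https" and host == VIP_HOST and path.startswith(APP_PATH):
        return None
    target_path = path if path.startswith(APP_PATH) else APP_PATH
    return 302, f"https://{VIP_HOST}{target_path}"


# Matches an absolute http(s) URL and captures host, optional port and path.
LOCATION_RE = re.compile(r"^https?://([^/:]+)(:\d+)?(/.*)?$", re.IGNORECASE)


def rewrite_location(location):
    """Back-end behaviour (a Location header rewrite on the response).

    If a real server answers with a redirect to itself (by name or address,
    over plain HTTP on port 80), rewrite it so the client only ever sees the
    VIP name over HTTPS, keeping the path the server chose. Relative Location
    values and redirects to unrelated sites are returned unchanged.
    """
    m = LOCATION_RE.match(location)
    if not m:
        return location
    host, path = m.group(1).lower(), m.group(3) or "/"
    if host not in BACKENDS and host not in VIP_ALIASES:
        return location
    return f"https://{VIP_HOST}{path}"


# Captures the host of absolute href/src/action URLs inside HTML.
ABS_LINK_RE = re.compile(
    r"""(?:href|src|action)=["']https?://([^/"':]+)""", re.IGNORECASE)


def absolute_backend_links(html):
    """Diagnostic for "case 1": hosts of absolute links in a page body that
    point at a backend by its own name/address. These leak the server to the
    browser and cannot be fixed by a header rewrite; the application has to
    emit relative links instead."""
    found = {h.lower() for h in ABS_LINK_RE.findall(html)}
    return sorted(found & BACKENDS)


# Constructed sample response body: one hardcoded backend link, one relative
# link and one absolute link that already uses the VIP name.
SAMPLE_HTML = (
    '<a href="http://10.10.10.4/gw/webacc/login">Login</a>'
    '<img src="/gw/images/logo.png">'
    '<form action="https://xyzgwacc.xyz.net/gw/webacc">'
)

if __name__ == "__main__":
    print(redirect_for_request("xyzgwacc.xyz.net", "/", "http"))
    print(rewrite_location("http://S-NGW005:80/gw/webacc/login"))
    print(absolute_backend_links(SAMPLE_HTML))
```

Running the three functions over a captured HTTP trace (request line, response Location header, response body) tells you which of the cases in the thread you are looking at: a redirect handles the bare-hostname request, a Location rewrite handles a server-issued redirect, and any host reported by absolute_backend_links is a "case 1" problem that only the application vendor can fix.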