08-29-2012 12:44 AM
Hi,
I am new to ACE module config. I need help configuring URL redirection from HTTPS to HTTP for my MAPI server.
That is, the client will connect through https://webmail.test.com and will then be redirected to http://webmail.test.com/owa to get the web page.
Now, with my config, no client can access the desired page through https://webmail.test.com/owa.
crypto chaingroup chain
  cert pem
  cert cer
access-list all line 10 extended permit ip any any
access-list all line 20 extended permit icmp any any
access-list all line 30 extended permit tcp any any eq www
access-list all line 40 extended permit tcp any any eq https
probe https Exchange-OWA
  interval 30
  passdetect interval 60
  ssl version all
  request method get url GET /owa/auth/logon.aspx
  expect status 400 404
probe https https-probe
  interval 60
  passdetect interval 60
  passdetect count 2
  request method get url /owa/auth/login.aspx
  expect status 400 404
probe tcp TCP135
  description RPC Endpoint Mapper
  port 135
  interval 30
  passdetect interval 60
  connection term forced
probe tcp TCP60000
  description RPC Client Access
  port 60000
  interval 30
  passdetect interval 60
  connection term forced
probe tcp TCP60001
  description Address Book Service
  port 60001
  interval 30
  passdetect interval 60
  connection term forced
  open
rserver host CAS01
  ip address 10.128.195.73
  inservice
rserver host CAS02
  ip address 10.128.195.74
  inservice
rserver redirect OWA-SSL-REDIRECT
  webhost-redirection https://webmail.test.com/owa 301
  inservice
serverfarm host Exchange-CAS-HTTP
  predictor leastconns
  rserver CAS01 80
    inservice
  rserver CAS02 80
    inservice
serverfarm host Exchange-CAS-HTTPS
  predictor leastconns
  rserver CAS01 443
    inservice
  rserver CAS02 443
    inservice
serverfarm host Exchange-CAS-RPC
  predictor leastconns
  rserver CAS01
    inservice
  rserver CAS02
    inservice
serverfarm redirect Exchange-OWA-REDIRECT
  rserver OWA-SSL-REDIRECT
    inservice
sticky ip-netmask 255.255.255.255 address source Exchange-CAS-RPC
  timeout 7200
  replicate sticky
  serverfarm Exchange-CAS-RPC
sticky http-cookie Exchange-Sticky Exchange-CAS-HTTPS-Cookie
  cookie insert browser-expire
  timeout 60
  replicate sticky
  serverfarm Exchange-CAS-HTTPS
sticky http-header Authorization Exchange-CAS-HTTPS-AuthZHeader
  timeout 7200
  replicate sticky
  serverfarm Exchange-CAS-HTTPS
ssl-proxy service Exchange-CAS
  key pem
  cert pem
  chaingroup chain
class-map match-any Exchange-CAS-RPC
  2 match virtual-address 10.128.194.1 any
class-map match-all Exchange-CAS-HTTPS
  2 match virtual-address 10.128.194.1 tcp eq https
class-map match-all Exchange-OWA-REDIRECT
  2 match virtual-address 10.128.194.1 tcp eq http
class-map type http loadbalance match-any HTTPS1
  2 match http header Host header-value "www[.]webmail[.]test[.]com"
class-map type http loadbalance match-any HTTPS2
  2 match http url https://webmail.test.com
  2 match http url /owa/auth/logon.aspx
  3 match http url /owa/auth/*.*
policy-map type management first-match mgmt-pm
  class class-default
    permit
policy-map type loadbalance first-match HTTPS
  class HTTPS2
    serverfarm Exchange-CAS-HTTP
  class class-default
    serverfarm Exchange-CAS-RPC
  class HTTPS1
    serverfarm Exchange-CAS-HTTPS
policy-map type loadbalance first-match Exchange-CAS-HTTPS
  match OutlookAnywhere http header User-Agent header-value "MSRPC"
    sticky-serverfarm Exchange-CAS-HTTPS-AuthZHeader
  class class-default
    sticky-serverfarm Exchange-CAS-HTTPS-Cookie
policy-map type loadbalance first-match Exchange-CAS-RPC
  class class-default
    sticky-serverfarm Exchange-CAS-RPC
policy-map multi-match vlan1601
  class Exchange-CAS-HTTPS
    loadbalance vip inservice
    loadbalance policy HTTPS
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 1601
    ssl-proxy server Exchange-CAS
  class Exchange-CAS-RPC
    loadbalance vip inservice
    loadbalance policy Exchange-CAS-RPC
    nat dynamic 1 vlan 1601
  class Exchange-OWA-REDIRECT
    loadbalance vip inservice
    loadbalance policy Exchange-OWA-REDIRECT
interface vlan 1601
  description Client_server
  ip address 10.128.194.7 255.255.255.128
  peer ip address 10.128.194.8 255.255.255.128
  access-group input all
  nat-pool 1 10.128.194.20 10.128.194.29 netmask 255.255.255.128 pat
  service-policy input vlan1601
  service-policy input mgmt-pm
  no shutdown
ip route 0.0.0.0 0.0.0.0 10.128.194.4
Your prompt help will be appreciated.
08-29-2012 09:28 AM
Hello Panda,
If you just need to redirect from HTTPS to HTTP, here is a sample configuration which I just configured, and it is working in my lab, as you can see below:
class-map match-any JORGE-SSL
  2 match virtual-address 10.198.16.126 tcp eq https
policy-map multi-match test
  class JORGE-SSL
    loadbalance vip inservice
    loadbalance policy REDIRECT-PM
    loadbalance vip icmp-reply
    nat dynamic 126 vlan 112
    ssl-proxy server JORGE-SSL-PROXY
ssl-proxy service JORGE-SSL-PROXY
  key JORGE-KEY
  cert JORGE-CERT
  chaingroup CHAIN-GROUP-JORGE
policy-map type loadbalance first-match REDIRECT-PM
  class class-default
    serverfarm REDIRECT-SERVERFARM
serverfarm redirect REDIRECT-SERVERFARM
  rserver REDIRECT-TO-HTTP
    inservice
rserver redirect REDIRECT-TO-HTTP
  webhost-redirection http://www.cisco.com 301
  inservice
ACE-71/Admin# show service-policy test class-map JORGE-SSL
Status : ACTIVE
-----------------------------------------
Interface: vlan 112
service-policy: test
class: JORGE-SSL
ssl-proxy server: JORGE-SSL-PROXY
nat:
nat dynamic 126 vlan 112
curr conns : 0 , hit count : 0
dropped conns : 0
client pkt count : 0 , client byte count: 0
server pkt count : 0 , server byte count: 0
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
loadbalance:
L7 loadbalance policy: REDIRECT-PM
VIP Route Metric : 77
VIP Route Advertise : DISABLED
VIP ICMP Reply : ENABLED
VIP State: INSERVICE
curr conns : 0 , hit count : 3
dropped conns : 0
client pkt count : 29 , client byte count: 2672
server pkt count : 0 , server byte count: 0
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
ACE-71/Admin#
Hope this helps!!!
Jorge
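
The sample in the reply above only works if every name in the chain resolves: multi-match policy, then loadbalance policy, then redirect serverfarm, then redirect rserver, plus the SSL proxy service. The following is an added example, not part of the thread or of any Cisco tool: a small offline checker that reports undefined or unused names for those four object kinds and lists each redirect target. The sample config and all names in it are constructed placeholders.

```python
import re

# (definition, reference) patterns; indentation is ignored so flattened pastes work too.
RULES = {
    "loadbalance policy": (r"policy-map type loadbalance (?:\S+ )*first-match (\S+)",
                           r"loadbalance policy (\S+)"),
    "serverfarm": (r"serverfarm (?:host|redirect) (\S+)", r"serverfarm (?!host |redirect )(\S+)"),
    "rserver": (r"rserver (?:host|redirect) (\S+)", r"rserver (?!host |redirect )(\S+)"),
    "ssl-proxy service": (r"ssl-proxy service (\S+)", r"ssl-proxy server (\S+)"),
}

def check_references(config):
    """Return sorted (kind, name, 'undefined' | 'unused') findings."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []
    for kind, (def_re, ref_re) in RULES.items():
        defined = {m.group(1) for ln in lines if (m := re.match(def_re, ln))}
        used = {m.group(1) for ln in lines if (m := re.match(ref_re, ln))}
        findings += [(kind, name, "undefined") for name in used - defined]
        findings += [(kind, name, "unused") for name in defined - used]
    return sorted(findings)

def redirect_targets(config):
    """Map each 'rserver redirect' name to its (URL, status code)."""
    targets, current = {}, None
    for ln in (raw.strip() for raw in config.splitlines()):
        if m := re.match(r"rserver redirect (\S+)", ln):
            current = m.group(1)
        elif (m := re.match(r"webhost-redirection (\S+)(?: (\d+))?", ln)) and current:
            targets[current] = (m.group(1), m.group(2))
    return targets

# Constructed sample with the same object chain as the reply (placeholder names).
SAMPLE = """
policy-map multi-match CLIENT-VIPS
  class SSL-VIP
    loadbalance policy REDIRECT-PM
    ssl-proxy server SSL-PROXY
ssl-proxy service SSL-PROXY
policy-map type loadbalance first-match REDIRECT-PM
  class class-default
    serverfarm REDIRECT-FARM
serverfarm redirect REDIRECT-FARM
  rserver TO-HTTP
rserver redirect TO-HTTP
  webhost-redirection http://www.example.com 301
"""
print(check_references(SAMPLE), redirect_targets(SAMPLE))
```

An empty findings list means every referenced policy, serverfarm, rserver and SSL proxy service is defined and in use; class-map, sticky group and probe references are outside what this checker covers.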