1961 Views, 0 Helpful, 4 Replies

Cisco ACE rewrite question.

tdzb (Level 1)

Here is the setup. User hits a VIP via https. The ACE terminates the SSL and forwards it to the server on port 80. The server has a agent installed (siteminder) that sees the user is not logged in and redirects them to the authentication server. When the user logs in it redirects them to the original URL using http instead of https. I've tried using many different rewrites to get this to https: but nothing seems to work. I did a trace and this is the response from the rserver that redirects them to the logon server.

http://stgcontent.abc.com/at_abc/navigation/ABCConnectionLogin.asp?TYPE=33554433&REALMOID=06-cc299e90-76cc-4efe-b68e-c8bb3c61cf7f&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=$SM$zWep8n4YLnnpJM%2f6%2bpFLe6TuVYSVKoEJMW8bEk42PH2pllUc9k%2b2%2fJGM3oOLNqEf...http%3a%2f%2fL17SVAPLUS01%2eABC%2ecom%2fPLUSWEB%2fStartPage%2easpx

So after the user logs on he is sent back to

http://l17svaplus01.ABC.com/PLUSWEB/StartPage.aspx

instead of

https://l17svaplus01.ABC.com/PLUSWEB/StartPage.aspx

any ideas?

Thanks

4 Replies

Surya ARBY (Level 4)

Hi.

Unfortunately when it goes to advanced rewrite rules the ACE has limited capability. I guess the best you can do is an ssl rewrite

action-list type modify http urlrewrite
  ssl url rewrite location "www\.cisco\.com"

but I'm afraid it will only look at the first bytes of the content of the Location field; if the URL you need to rewrite is embedded in a longer string of characters, the parser will probably not detect it.

I need to understand the architecture, correct me if I'm wrong.

1 - a user comes in HTTPS and hits the VIP using HTTPS on port 443

2 - the ACE forwards the request in clear http on port 80

3 - the siteminder agent detects the user is not logged in and sends a 302 redirect to an authentication server on another URL

4 - the user reaches the authentication server directly (or by using a VIP on the ACE?) in HTTP or HTTPS

5 - the authentication server authenticates the client and then sends a 302 redirect with an "http://" link in the Location field

Am I wrong somewhere?

Can you send a pcap trace of the last redirection which causes the issue?

Maybe some Cisco guy can help: is it possible to match a part of the URL in the Location field and replace it by another string of characters?

Yeah, I've scoured through the forum looking at other examples and tried header rewrites and ssl rewrites with no luck.

You are correct on the architecture.

4. The user goes to the authentication server using https to a VIP. 

The monster I pasted in the first post is the Location field of the 302 redirect, which takes you to the authentication/logon page. Once they log in, I guess it takes the URL in that jumbled mess and turns it into the http link and redirects the user to that page instead of the https link.

I tried matching on http%3a in the link as well as other various fields in that link, but it doesn't seem to be able to match on it.

According to the doc it seems to be possible by using some parameters (%1, %2):

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA4_2_0/configuration/slb/guide/classlb.html#wp1563764

host1/Admin(config)# action-list type modify http HTTP_MODIFY_ACTLIST
host1/Admin(config-actlist-mod)# header rewrite response Location header-value STRANGE-REGEX-HERE replace %1https://l17svaplus01[.]ABC[.]com%2

I believe your expression is not triggered because, when the URL is parsed by the ACE, it is probably transformed by some normalization engine before being sent to the matching rule.

What happens if you make a replacement rule with a direct target of "https://l17svaplus01.ABC.com/PLUSWEB/StartPage.aspx" in the Location field instead of trying to rewrite the original response from the authentication server?

Maybe someone here has played with this type of config more than me. And I don't have the box to test currently.
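The matching problem Surya describes, shown with an added Python example (this is not code from the thread, from Cisco, or from the ACE; it only models what a Location rewrite has to do). The Location values are constructed from the hostnames in the trace, the SiteMinder query is shortened, and the return URL is assumed to travel in a TARGET parameter, since the parameter name is elided in the original trace. A pattern written against the raw header cannot find `http://l17svaplus01...` inside the SiteMinder redirect because that URL is percent-encoded; the rewrite has to decode the parameter, upgrade the scheme, and re-encode only that value, leaving every other parameter untouched.

```python
import re
from urllib.parse import urlsplit, urlunsplit, unquote, quote

# Hosts the ACE terminates TLS for, so their http:// redirects are safe to
# upgrade (constructed from the hostname in the thread).
TLS_HOSTS = {"l17svaplus01.abc.com"}

# Constructed Location values modelled on the thread's trace. The SiteMinder
# query is shortened and the return URL is assumed to travel in a TARGET
# parameter (the parameter name is elided in the original trace).
FINAL_REDIRECT = "http://l17svaplus01.ABC.com/PLUSWEB/StartPage.aspx"
SM_REDIRECT = (
    "http://stgcontent.abc.com/at_abc/navigation/ABCConnectionLogin.asp"
    "?TYPE=33554433&REALMOID=06-placeholder&GUID=&SMAUTHREASON=0&METHOD=GET"
    "&SMAGENTNAME=%24SM%24agent%2fexample"
    "&TARGET=http%3a%2f%2fL17SVAPLUS01%2eABC%2ecom%2fPLUSWEB%2fStartPage%2easpx"
)


def naive_match(location, host):
    """What a pattern written against the raw header sees: the embedded return
    URL is percent-encoded, so 'http://<host>' never appears literally."""
    return re.search(r"http://" + re.escape(host), location, re.IGNORECASE) is not None


def upgrade_url(url, tls_hosts=TLS_HOSTS):
    """Swap http:// for https:// when the URL's host is one we terminate TLS
    for; anything else (other hosts, already-https, non-URL text) is unchanged."""
    parts = urlsplit(url)
    if parts.scheme.lower() == "http" and parts.hostname and parts.hostname.lower() in tls_hosts:
        return urlunsplit(("https",) + tuple(parts[1:]))
    return url


def rewrite_location(location, tls_hosts=TLS_HOSTS):
    """Upgrade the Location URL itself and any http:// URL carried
    percent-encoded in its query string. Only a rewritten parameter value is
    re-encoded (uppercase hex, dots left bare, which decodes identically);
    every other parameter is passed through byte-for-byte."""
    location = upgrade_url(location, tls_hosts)
    parts = urlsplit(location)
    if not parts.query:
        return location
    items = []
    for item in parts.query.split("&"):
        name, sep, raw_value = item.partition("=")
        decoded = unquote(raw_value)
        upgraded = upgrade_url(decoded, tls_hosts)
        if upgraded != decoded:
            raw_value = quote(upgraded, safe="")
        items.append(name + sep + raw_value)
    return urlunsplit(parts._replace(query="&".join(items)))


if __name__ == "__main__":
    for loc in (FINAL_REDIRECT, SM_REDIRECT):
        print("raw match:", naive_match(loc, "l17svaplus01.abc.com"))
        print("rewritten:", rewrite_location(loc))
```

Run as a script it shows the raw match succeeding on the final redirect and failing on the SiteMinder one, while `rewrite_location` upgrades both the plain redirect and the encoded TARGET value. The host allowlist matters: upgrading every http:// URL in a response would also rewrite redirects to hosts that do not sit behind the SSL-terminating VIP.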

parveesm123 (Level 1)

Hi,

Try using a server redirect:

rserver redirect RSERV-REDIRECT
  webhost-redirection https://%h%p 301
  inservice

serverfarm redirect SRFRM-REDIRECT
  rserver RSERV-REDIRECT
  inservice

policy-map type loadbalance http first-match P7-REDIRECT
  class class-default
    serverfarm SRFRM-REDIRECT

class-map match-all C3-REDIRECT
  2 match virtual-address x.x.x.x tcp eq www

policy-map multi-match P4-POLICY
  class C3-REDIRECT
    loadbalance vip inservice
    loadbalance policy P7-REDIRECT
    loadbalance vip icmp-reply active

Can you try using this?

thanks,

Parvees M
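What the redirect rserver above does, emulated in an added Python example (not part of Parvees' reply and not ACE code). It assumes `%h` expands to the request Host header and `%p` to the request target including its query string, and uses a constructed allowlist of served hostnames. The check is the practitioner's caveat with this pattern: `%h` echoes client-supplied input, so a VIP that reflects any Host header into a 301 behaves as an open redirector unless the host is validated.

```python
# Hostnames this VIP legitimately serves (constructed for the example).
SERVED_HOSTS = {"l17svaplus01.abc.com"}


def build_https_redirect(host_header, request_target, served_hosts=SERVED_HOSTS, status=301):
    """Emulate `webhost-redirection https://%h%p 301`: %h is taken from the
    request Host header and %p from the request target (path plus query,
    assumed here). Returns (status, location), or None when the request should
    not be redirected."""
    host = host_header.strip().lower()
    if host.endswith(":80"):
        host = host[:-3]          # port 80 is meaningless once the scheme is https
    # %h echoes client-supplied input: without this check a crafted Host
    # header would turn the VIP into an open redirector.
    if host not in served_hosts:
        return None
    # Accept only an origin-form target; a target beginning with "//" would
    # be read by browsers as a new authority and again change the host.
    if not request_target.startswith("/") or request_target.startswith("//"):
        return None
    return status, "https://" + host + request_target


if __name__ == "__main__":
    print(build_https_redirect("l17svaplus01.ABC.com", "/PLUSWEB/StartPage.aspx?x=1"))
    print(build_https_redirect("unknown.example", "/PLUSWEB/StartPage.aspx"))
```

Note that this redirect only helps for requests that arrive at the port-80 VIP; it does not change the Location header the authentication server sends, which is what the original trace shows.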
