Did you try browsing to the site using only the ip address followed up by inbox? So an example would be https://10.10.10.10/inbox

Where 10.10.10.10 is the ip address of your cucm server.

Let me know your results after you try this.

Sent from Cisco Technical Support iPhone App

If I go directly to Unity Connection, bypassing the F5, then I am able to connect without getting the 504 error mentioned above.

I have the same issue, but it only occurs when I access the Inbox via a public IP address or a server name URL such as https://..com/inbox via Safari or Firefox. If accessed via Internet Explorer 9, I get a different error message "The website cannot display the page - HTTP error 500" for the Messages section of the page.

When I connect via the https:///inbox I do not get the problem and the Web Inbox opens correctly (in Safari, Firefox and IE9). The Unity server is not configured with the FQDN that I want use as the URL, but instead with a style name.

Does anyone have a solution to this that allows the Web Inbox to open correctly when accessed via a to-Unity-unknown URL or IP address?

Unity Connection 8.5.1

Upon further investigation it appears that the backend server simply needs to be able to hit port 80 on the forward facing virtual server, simple as that. Otherwise, it either fails with an inline HTTP 500 error message or may use what appears to be a locally cached version of "/inbox/gadgets/msg/msg-gadget.xml". In the latter case, hard coded host names don't match and anti-XSS browser features will prevent the inbox from loading.

In our environment, there appears to a HTTP request to "/inbox/gadgets/ifr" which sends a url parameter that doesn't use HTTPS. This parameter seems to be used by the server to access the contents of msg-gadget.xml which it then renders in the iframe. There are obvious MITM security implications to this that need to be taken into account if there is an untrusted network separating the load balancer and the backend servers.

Hello Sam,

We're facing the same issue with a CUC in 10.5.2 and F5 VIP.

Could you explain more how you solve your problem ?

Agree that it's definitely a security problem to use http request in a SSL session...

Thanks in advance,

Benoit

I tracked the hard coded http reference to /inbox/wro/msg-gadget.js

I uploaded a fixed version of that file to the F5 as an iFile and then intercept any requests for it, replacing it with my version.

Thanks Sam,

In fact, we finally make it work by opening the http port between CUC and F5. And let the VIP being resolved in http.

Like you said, the "shitty" javascript code try to resolve its name by sending again a request with a http request... Even if the session was in SSL. This is security...

So the name resolved, should get the good IP of the server handling the request. That's why it's better to configure the VIP in failover.

I've just had another look at my configuration. We're doing SSL Bridging (forget about trying to get SSL Offload working) also permitting port 80 traffic from the CUC server(s) to go through via the back end (port 443). That's like reverse SSL offloading! Otherwise you get those 500 errors from memory.

I asked the appliance administrator to add a local hosts entry pointing the VIP host name to 127.0.0.1, but apparently he doesn't have the access to do that. This is by far the most troublesome application I've had to configure because the appliance is all locked down, or so I'm told. You can't configure it to play nice at all.

The other issues I had in my initial, rather misguided post were caused because the appliance must be able to resolve the hostname used by the client to the F5 VIP. To confuse matters, it will also cache the initial DNS resolution for quite a while (which is why it only seemed to work for me via IP address).

So, due to the fact nobody is able to configure the appliance hosts file, I have some logic permitting what would normally be "loopback" type requests on port 80 to go through the F5. All other port 80 requests get a redirect. I have no idea how people safely load balance this service without the magic of F5.