CSS web page on port 80 with link to 443

Unanswered Question
May 6th, 2007

I have a CSS set up in a failover situation.

I have my VIP address and services configured. My question is: if the initial page is on port 80 and I have a link on the page that is on port 443, will the CSS make the client connection to the server on 443?

How does that work?

service MCI
  ip address 2.x.x.76
  protocol tcp
  keepalive type http
  port 80
  active

owner MCI
  content MCI-http-rule
    add service MCI
    primarySorryServer MCI1
    balance aca
    protocol tcp
    port 80
    url "/*"
    secondarySorryServer MCI2
    vip address 2.1.1.70
    active

group MCI
  add destination service MCI
  add destination service MCI1
  vip address 2.1.1.70
  active

joquesada Sun, 05/06/2007 - 15:44

Hi,

You need to create a content rule and a service on port 443 in order for the CSS to process that request; or you can configure the current content rule and services without a TCP port (layer 3 only) so the CSS uses them for load balancing port 80 and port 443 at the same time.

If you want to use the first option, the new content and services should look like this:

service MCI-443
  ip address 2.1.1.76
  protocol tcp
  port 443
  active

owner MCI-443
  content MCI-http-rule
    add service MCI
    primarySorryServer MCI1
    protocol tcp
    port 443
    vip address 2.1.1.70
    active

If you want to use option 2, the config should look like this:

service MCI
  ip address 2.1.1.76
  protocol tcp
  active

owner MCI
  content MCI-http-rule
    add service MCI
    primarySorryServer MCI1
    protocol tcp
    vip address 2.1.1.70
    active

I hope this helps. Thanks!

Regards,

Jose Quesada.

joquesada Sun, 05/06/2007 - 15:46

Hi,

I'm sorry, the content rule for option 1 should look like this:

owner MCI
  content MCI-443
    add service MCI-443
    protocol tcp
    port 443
    vip address 2.1.1.70
    active

Thanks!

Jose.

wilson_1234_2 Sun, 05/06/2007 - 16:38

Thanks for the reply,

A couple of questions:

In option one, with the content rule pointing to port 443, will it still allow the initial request on port 80 (they are both allowed through the firewall)?

In option 2, what is the difference in not putting the ports in the content rule?

Does it really matter all that much as far as the design goes? What is gained by adding the port numbers as opposed to not?

Syed Iftekhar Ahmed Mon, 05/07/2007 - 14:48

In option one you will have two content rules, one for port 80 traffic and one for port 443 traffic. If port 443 is configured under a rule then only the traffic destined for port 443 will hit the rule.

In option 2

Specifying a port enables the CSS to associate a content rule with a specific TCP/UDP port number. If you don't define a port, then the default "port 0" is configured for the rule, which indicates any port. Since the rule in option 2 is ready to accept traffic for any port, the CSS will load balance both port 80 and 443 traffic.

Syed
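
The port matching described in the reply above, as an added example (not from the thread and not Cisco code): a small Python model that parses content rules in the layout used in this thread and reports which active rules accept a connection to a given VIP and destination port, treating a rule with no port command as port 0 (any port). The two sample configurations are constructed from the options discussed here; rule precedence, URL matching, keepalives and sorry servers are not modelled.

```python
# Constructed sample configs modelled on the two options in this thread.
OPTION_1 = """
owner MCI
  content MCI-http-rule
    add service MCI
    vip address 2.1.1.70
    protocol tcp
    port 80
    active
  content MCI-443
    add service MCI-443
    vip address 2.1.1.70
    protocol tcp
    port 443
    active
"""
OPTION_2 = """
owner MCI
  content MCI-http-rule
    add service MCI
    vip address 2.1.1.70
    protocol tcp
    active
"""

def parse_rules(text):
    """Parse 'content' blocks; a rule with no 'port' command keeps port 0 (any)."""
    rules, rule = [], None
    for w in filter(None, map(str.split, text.splitlines())):
        if w[0] in ("service", "group", "circuit", "owner"):
            rule = None                  # a top-level block ends the current rule
        elif w[0] == "content":
            rule = {"name": w[1], "vip": None, "port": 0, "active": False}
            rules.append(rule)
        elif rule is None:
            continue                     # service/group commands are not modelled
        elif w[:2] == ["vip", "address"]:
            rule["vip"] = w[2]
        elif w[0] == "port":
            rule["port"] = int(w[1])
        elif w[0] == "active":
            rule["active"] = True
    return rules

def rules_hit(rules, vip, port):
    """Names of active rules that accept a connection to vip:port."""
    return [r["name"] for r in rules
            if r["active"] and r["vip"] == vip and r["port"] in (0, port)]
```

Calling `rules_hit(parse_rules(OPTION_2), "2.1.1.70", 8080)` also returns the option 2 rule, because a port 0 rule accepts every destination port on the VIP, while the option 1 rules return nothing for that port.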

wilson_1234_2 Mon, 05/07/2007 - 17:25

I have the following config and still can get no http connection.

A packet capture on the outside interface shows no attempt to connect on port 443.

I can connect on 80 and 443 directly to the NAT address on the firewall, but the CSS makes the HTTP connection, then (on the same server) does not connect to the https port.

Got any ideas?

!************************** CIRCUIT **************************
circuit VLAN1
  ip address 2.1.1.75 255.255.255.0

!************************** SERVICE **************************
service MCI-backupredirect
  type redirect
  port 80
  keepalive type none
  ip address 2.1.1.73
  active

service MCI-dr
  ip address 2.1.1.77
  protocol tcp
  keepalive type http
  port 80
  active

service MCI-dr-443
  ip address 2.1.1.77
  protocol tcp
  port 443
  active

service MCI-hq
  ip address 2.1.1.76
  protocol tcp
  keepalive type http
  port 80
  active

service MCI-hq-443
  ip address 2.1.1.76
  protocol tcp
  port 443
  active

!*************************** OWNER ***************************
owner MCI
  content MCI-http-rule
    add service MCI-hq
    primarySorryServer MCI-dr
    balance aca
    secondarySorryServer MCI-backupredirect
    vip address 2.1.1.70
    protocol tcp
    port 80
    url "/*"
    active

owner MCI-443
  content MCI-https-rule
    add service MCI-hq-443
    primarySorryServer MCI-dr-443
    secondarySorryServer MCI-backupredirect
    vip address 2.1.1.70
    protocol tcp
    port 443
    url "/*"
    active

!*************************** GROUP ***************************
group MCI-MCW-http-group
  add destination service MCI-hq
  add destination service MCI-dr
  vip address 2.1.1.70
  add destination service MCI-hq-443
  add destination service MCI-dr-443
  active

joquesada Mon, 05/07/2007 - 21:59

Wilson,

Follow up this issue on the other conversation you've opened. Thanks!

Regards,

Jose.
