CSS: losing login/pass info due to redirection http -> https

Jun 14th, 2007

Hi,


I have sort of a problem with CSS 11501 (ios 8.20.1.01).


The design is:

client(http) -internet-> router -> checkpoint(nat) -> css -> back-end server. CSS, checkpoint, back-end server are in the same subnet. CSS performs SSL termination.


I want to have automatic redirection from http to https, so when the remote client connects to CSS with http he's redirected to https. The client enters login/pass info but this info is lost after redirection and it's necessary to enter login/pass again.


Note: If I connect to https directly I'm able to login without problems.



CSS config:


!************************** CIRCUIT **************************
circuit VLAN112
  ip address 10.112.0.3 255.255.0.0

circuit VLAN114
  ip address 10.114.0.3 255.255.0.0

!*********************** SSL PROXY LIST ***********************
ssl-proxy-list rrssl1
  ssl-server 1
  ssl-server 1 dhparam ...
  ssl-server 1 rsacert ...
  ssl-server 1 rsakey ...
  ssl-server 1 cipher rsa-export1024-with-des-cbc-sha 10.112.0.107 80
  ssl-server 1 vip address 10.112.0.241

!************************** SERVICE **************************
service secure-transfer
  type redirect
  no prepend-http
  ip address 2.2.2.2
  keepalive type none
  domain "https://test1.abc.com"
  active

service sslservice
  type ssl-accel
  add ssl-proxy-list rrssl1
  slot 2
  keepalive type none
  active

!*************************** OWNER ***************************
owner test
  content default-redirect
    protocol tcp
    port 80
    url "/*"
    vip address 10.112.0.241
    add service secure-transfer
    active

  content ssl-rule
    protocol tcp
    port 443
    add service sslservice
    vip address 10.112.0.241
    active

Tnx a lot in advance for any comments.

Overall Rating: 5 (1 ratings)
Gilles Dufour (Cisco Employee) Thu, 06/14/2007 - 03:33

The CSS itself is not involved in the login process.

If you have to login in HTTP, it means the login is requested before you get to the CSS.

[the CSS would just forward a redirect and will not request any login and will not connect to the server].

So, the checkpoint firewall is probably doing the login.

You should check there for help.


Gilles.

kreshetnikov Thu, 06/14/2007 - 04:10

The back-end server performed authentication after redirection http -> https, the firewall does no authentication. The problem was solved; unfortunately it was not an issue that could be resolved via the css. We had to resort to manually editing the html file.
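
Added example, not part of the thread: a small audit that flags login forms whose submission would go to the port-80 redirect rule instead of the SSL VIP. The thread does not say what the HTML edit was; this assumes the login page carried a form that submitted over HTTP, in which case the browser follows the CSS redirect with a fresh GET and the submitted body is dropped after it already crossed the network in cleartext. The `/login` path, field names and sample markup are constructed; `test1.abc.com` is the domain from the posted config.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class LoginFormAudit(HTMLParser):
    """Collect every <form> that contains a password input, with its resolved action."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.current = None    # form currently being parsed, or None
        self.findings = []     # (resolved_action, method) for forms with a password field

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or relative action inherits the scheme of the page it was served from.
            action = urljoin(self.page_url, a.get("action") or "")
            method = (a.get("method") or "get").lower()
            self.current = {"action": action, "method": method, "pw": False}
        elif tag == "input" and self.current and (a.get("type") or "").lower() == "password":
            self.current["pw"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self.current:
            if self.current["pw"]:
                self.findings.append((self.current["action"], self.current["method"]))
            self.current = None

def insecure_login_forms(html, page_url):
    """Return (action, method) for login forms that would submit over plain HTTP."""
    parser = LoginFormAudit(page_url)
    parser.feed(html)
    parser.close()
    return [f for f in parser.findings if urlsplit(f[0]).scheme != "https"]

# Constructed sample markup: relative action (before) vs. absolute https action (after).
BEFORE = ('<form action="/login" method="post"><input name="user">'
          '<input type="password" name="pass"></form>')
AFTER = ('<form action="https://test1.abc.com/login" method="post"><input name="user">'
         '<input type="password" name="pass"></form>')

if __name__ == "__main__":
    for label, page in (("before", BEFORE), ("after", AFTER)):
        print(label, insecure_login_forms(page, "http://test1.abc.com/index.html"))
```

The same relative-action page served from an `https://` URL produces no findings, which matches the observation that logging in over https directly works.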

