06-15-2007 12:59 PM
Hello,
trying to set up OWA behind CSS with SSL termination.
http-header static "FRONT-END-HTTPS: on" is in place.
Users can access folders and the calendar, but can't see the body of the messages.
The problem seems to be that the user at some point tries to use http instead of https,
and because the frontend and backend rules have different IP addresses it is impossible
to access OWA via http directly from the client.
Tried some other commands around http-header and urlrewrite; they didn't work.
Any help is appreciated.
Alex
06-15-2007 03:29 PM
OWA uses several other methods that are not recognized by default on the CSS, so you will need
to add the functionality by running
css#script play setup_owa_methods
Syed
06-15-2007 06:38 PM
Syed,
did that before, didn't help.
Thanks
Alex
06-17-2007 12:28 AM
Alex,
if the user tries to use HTTP at some point, there could be some 302 redirect from your OWA server.
You might want to configure a urlrewrite function in order to convert from http to https.
But you should verify first if this is the case.
Try to sniff the client traffic and decode it with ssldump or wireshark using the server key.
Gilles.
06-17-2007 05:30 AM
Gilles,
have tried it already.
Urlrewrite for "*" and explicitly defined frontend and backend ports as 443 and 80.
The sniffer showed 302-type redirects were coming with https.
Clients can see folders, calendar, subjects.
Can't see message bodies only.
Will start with a clean config on Monday; what would you say is the recommended list of commands:
1. script play setup_owa_methods
2. static http-header "FRONTEND HTTPS=on"
3. urlrewrite ?
4. ?
thanks,
Alex
06-17-2007 03:35 PM
You should have the following two entries under the SSL proxy list:
ssl-server x http-header static "FRONT-END-HTTPS: ON"
ssl-server x urlrewrite 1 yourdomain.com sslport 443 clearport 80
Syed
06-17-2007 10:11 PM
Alex,
get a sniff and see where the client requests the body and if the server sends it.
Your config is fine. Nothing else is needed.
You may want to bypass the CSS and capture a sniff as well so you can compare the two.
Gilles.
06-18-2007 09:18 AM
Sorry for the big post.
Still doesn't work: users see subjects, folders, calendar, but don't see the body.
ip route 0.0.0.0 0.0.0.0 10.222.131.1 1
!************************* INTERFACE *************************
interface e1
bridge vlan 131
interface e5
bridge vlan 130
interface e6
bridge vlan 130
!************************** CIRCUIT **************************
circuit VLAN131
ip address 10.222.131.201 255.255.255.0
circuit VLAN130
ip address 1.1.1.1 255.255.255.0
!*********************** SSL PROXY LIST ***********************
ssl-proxy-list Al#1-list
ssl-server 10
ssl-server 10 rsakey RSAKEYASS#1
ssl-server 10 rsacert RSACERTASS#1
ssl-server 10 vip address 10.222.131.202
ssl-server 10 cipher rsa-with-3des-ede-cbc-sha 2.2.2.2 80
ssl-server 10 cipher rsa-with-rc4-128-sha 2.2.2.2 80
ssl-server 10 cipher rsa-with-rc4-128-md5 2.2.2.2 80
ssl-server 10 urlrewrite 2 10.222.131.202
ssl-server 10 http-header static "FRONT-END-HTTPS: on"
active
!************************** SERVICE **************************
service OWA1
protocol tcp
port 80
ip address 1.1.1.2
keepalive uri "/adam.html"
keepalive type http
keepalive port 80
active
service ssl-mod
type ssl-accel
keepalive type none
add ssl-proxy-list Al#1-list
slot 2
active
!*************************** OWNER ***************************
owner OWA_OWA
content back.owa
add service OWA1
add service OWA2
advanced-balance sticky-srcip
protocol tcp
port 80
url "/*"
sticky-inact-timeout 240
vip address 2.2.2.2
active
content front.owa
vip address 10.222.131.202
protocol tcp
port 443
add service ssl-mod
active
~~~~~~ Server answers the client with HTTPS (static header is working presumably):
https://10.222.131.202/exchweb/themes/0/owacolors.css">
~~~~~ Some other stuff from the server also has HTTPS
src="https://10.222.131.202/exchweb/img/pg-first.gif">
height="16" id=idPageControl_PrevPage onclick="idMsgViewer.previousPage()" title="Previous Page"
xchweb/img/pg-prev.gif">
id=idPageControl_NextPage onclick="idMsgViewer.nextPage()" title="Next Page"
src="https://10.222.131.202/exchweb/img/pg-next.gif">
width="16" height="16" id=idPageControl_LastPage onclick="idMsgViewer.page = -1"
~~~~~~ Client requests:
SEARCH /exchange/userone/Inbox/ HTTP/1.1
Accept: */*
Referer: https://10.222.131.202/exchange/userone/Inbox/?Cmd=contents
translate: f
brief: t
Content-Type: text/xml
~~~~~~ Server responds with
HTTP/1.1 207 Multi-Status
Date: Mon, 18 Jun 2007 16:02:38 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/xml
Accept-Ranges: rows
Content-Range: rows 0-5; total=6
MS-WebStorage: 6.5.7638
MS-WebStorage: 6.5.7638
Transfer-Encoding: chunked
X-Powered-By: ASP.NET
Cache-Control: no-cache
c9b
xmlns:c="xml:" xmlns:a="DAV:">
~~~~~~~~~ And here I see HTTP instead of HTTPS (?) Something wrong?
Thanks
06-19-2007 12:09 AM
The urlrewrite function does not parse the HTTP body, only the header.
So, if the server sends an http link in the body, that's what the client will see.
I'm not sure why the Exchange server is doing this.
But what you can try to do is implement an HTTP rule to redirect the traffic to https.
Try something like:
service redirect
keepalive type none
ip address 1.1.1.1
type redirect
no prepend-http
domain https://10.222.131.202
active
owner OWA_OWA
content http_redirect
vip address 10.222.131.202
protocol tcp
port 80
add service redirect
active
Let me know if this works.
Gilles.
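Gilles's point above (the CSS urlrewrite touches only the response header, so any http:// link the server puts in the body reaches the browser untouched and triggers the mixed-content prompt) modelled as an added example. This is not code from the thread or from Cisco; it assumes a constructed 302 response from the back end and the VIP 10.222.131.202 used in the thread, and it checks which references a header-only rewrite fixes and which it cannot.

```python
import re

# The OWA VIP from the thread; any host would do for the check.
VIP = "10.222.131.202"

# Constructed sample: what a back-end reached on clear-text port 80 might send.
# The Location header uses http://, and so do two of the three body references.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 302 Object Moved\r\n"
    b"Server: Microsoft-IIS/6.0\r\n"
    b"Location: http://10.222.131.202/exchange/userone/Inbox/?Cmd=contents\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b'<html><body><a href="http://10.222.131.202/exchange/userone/Inbox/">Inbox</a>\n'
    b'<img src="https://10.222.131.202/exchweb/img/pg-next.gif">\n'
    b'<link href="http://10.222.131.202/exchweb/themes/0/owacolors.css">\n'
    b"</body></html>"
)


def split_response(raw):
    """Split a raw HTTP response into status line, header list and body text."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = lines[0].decode()
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.decode().strip(), value.decode().strip()))
    return status, headers, body.decode("utf-8", "replace")


def rewrite_location_headers(headers, host, clearport=80, sslport=443):
    """Header-only rewrite, the way a urlrewrite rule behaves:
    Location: http://host[:clearport]/path  ->  https://host[:sslport]/path.
    Returns the new header list and how many headers were changed."""
    pattern = re.compile(
        rf"^http://{re.escape(host)}(:{clearport})?(/.*)?$", re.IGNORECASE
    )
    out, changed = [], 0
    for name, value in headers:
        if name.lower() == "location":
            m = pattern.match(value)
            if m:
                path = m.group(2) or "/"
                suffix = "" if sslport == 443 else f":{sslport}"
                value = f"https://{host}{suffix}{path}"
                changed += 1
        out.append((name, value))
    return out, changed


def find_cleartext_body_links(body, host):
    """Body references the header rewrite never sees. These are the links that
    make the browser fall back to port 80 or warn about mixed content."""
    return sorted(set(re.findall(rf"http://{re.escape(host)}[^\s\"'<>]*", body, re.IGNORECASE)))


def analyze(raw, host=VIP):
    """Apply the header rewrite and report what is left over in the body."""
    status, headers, body = split_response(raw)
    headers, changed = rewrite_location_headers(headers, host)
    location = next((v for n, v in headers if n.lower() == "location"), None)
    return {
        "status": status,
        "location": location,
        "rewritten_headers": changed,
        "cleartext_body_links": find_cleartext_body_links(body, host),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_RESPONSE)
    print(report["status"])
    print("Location after rewrite:", report["location"])
    print("Body links still using http:// (not rewritten):")
    for link in report["cleartext_body_links"]:
        print("  ", link)
```

Run against a real capture, feed the function the decrypted server response bytes (from ssldump or Wireshark with the server key, as suggested earlier in the thread). An empty `cleartext_body_links` list means the header rewrite alone is enough; anything listed there is what the port-80 redirect rule above exists to catch.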
06-19-2007 08:33 AM
Thanks Gilles, very much.
It makes it work finally.
The question becomes whether this is the way it is supposed to be,
because there is still "http://" in the bottom line during loading,
and there are these messages about mixed secure/unsecure content.
regards,
Alex
06-19-2007 09:44 PM
Alex,
yes, we had to adjust the config because the server sends http:// links.
Normally, with "front-end-https: on" it's supposed to only send https links.
Maybe this is because by default the CSS only inserts the header once.
You can try the following command to see if it makes a difference:
ssl-server
I'm glad we finally have a solution.
Sniffer trace is always the best way to troubleshoot :-)
Gilles.