07-13-2009 05:31 AM
I am having a redirect/rewrite problem with my ACE module. When the user types in https://citix.com and accepts the cert, I need the ACE to add the following path to the URL: /citrix/accessplatform/auth/login.aspx. That part works, but the page is returned as "http" and with the real server IP address in an unencrypted session versus https and the VIP. I thought the action-list would fix this problem, but it had no effect. Any suggestions would be appreciated.
access-list IB extended permit ip any any

probe tcp connect
  interval 5
  faildetect 5
  passdetect count 10

probe http web-connect
  interval 5
  passdetect count 6
  request method get url /citrix/accessplatform/auth/login.aspx
  expect status 200 302
  connection term forced

parameter-map type http HTTP_Secure_Params
  case-insensitive
  persistence-rebalance
  set header-maxparse-length 8192

action-list type modify http ACTION
  ssl url rewrite location "172.16.252.50"
  ssl url rewrite location "citrix"

rserver host citrix-01
  ip address 172.16.252.10
  inservice
rserver host citrix-02
  ip address 172.16.252.11
  inservice
rserver redirect citrix-redirect
  webhost-redirection http://172.16.252.10/citrix/accessplatform/auth/login.aspx 301
  inservice
rserver redirect citrix-redirect-02
  webhost-redirection http://172.16.252.11/citrix/accessplatform/auth/login.aspx 301
  inservice

ssl-proxy service SSL
  key citrixkey
  cert certnew.pem

serverfarm redirect Redirect-farm
  rserver redirect citrix-redirect
    inservice
  rserver redirect citrix-redirect-02
    inservice

serverfarm host citrix-farm
  rserver citrix-01 81
    inservice
  rserver citrix-02 81
    inservice

sticky http-cookie citrix.nnn citrix-sticky
  timeout 720
  replicate sticky
  serverfarm Redirect-farm

class-map type http loadbalance match-any redirect
  match http url citrix

class-map match-all HTTPS-VIP
  match virtual-address 172.16.252.50 tcp eq https

policy-map type loadbalance first-match SLB
  class class-default
    sticky-serverfarm citrix-sticky
    action ACTION

policy-map multi-match client-vip1
  class HTTPS-VIP
    loadbalance vip inservice
    loadbalance policy SLB
    loadbalance vip icmp-reply
    appl-parameter http advanced-options HTTP_Secure_params
    ssl-proxy server SSL

interface vlan 252
  access-group input IB
  service-policy input client-vip1
  no shutdown
07-14-2009 03:35 AM
Hi,
Redirection is without http/https in front. You can redirect only to another domain/path.
You must correctly define the ssl rewrite condition, for example:
ssl url rewrite location DOMAIN-or-IP sslport 443 clearport 80
For you, DOMAIN-or-IP is 172.16.252.10 and .11. Try it.
martin
07-14-2009 05:02 AM
I added the "sslport 443 clearport 80" commands under the action-list and it seems that they are the default since they do not show up in the config.
07-14-2009 05:05 AM
Right. sslport 443 and clearport 80 are the defaults and do not show in the configuration. Does it work now (with the correct IP addresses) or not?
07-14-2009 05:24 AM
I still have the same outcome. The user only sees "http" in the URL versus "https".
07-14-2009 05:34 AM
Can you attach the current configuration?
07-14-2009 05:35 AM
access-list IB extended permit ip any any

probe tcp connect
  interval 5
  faildetect 5
  passdetect count 10

probe http web-connect
  interval 5
  passdetect count 6
  request method get url /citrix/accessplatform/auth/login.aspx
  expect status 200 302
  connection term forced

parameter-map type http HTTP_Secure_Params
  case-insensitive
  persistence-rebalance
  set header-maxparse-length 8192

action-list type modify http ACTION
  ssl url rewrite location "172.16.252.50"
  ssl url rewrite location "citrix"

rserver host citrix-01
  ip address 172.16.252.10
  inservice
rserver host citrix-02
  ip address 172.16.252.11
  inservice
rserver redirect citrix-redirect
  webhost-redirection http://172.16.252.10/citrix/accessplatform/auth/login.aspx 301
  inservice
rserver redirect citrix-redirect-02
  webhost-redirection http://172.16.252.11/citrix/accessplatform/auth/login.aspx 301
  inservice

ssl-proxy service SSL
  key citrixkey
  cert certnew.pem

serverfarm redirect Redirect-farm
  rserver redirect citrix-redirect
    inservice
  rserver redirect citrix-redirect-02
    inservice

serverfarm host citrix-farm
  rserver citrix-01 81
    inservice
  rserver citrix-02 81
    inservice

sticky http-cookie citrix.nnn citrix-sticky
  timeout 720
  replicate sticky
  serverfarm Redirect-farm

class-map type http loadbalance match-any redirect
  match http url citrix

class-map match-all HTTPS-VIP
  match virtual-address 172.16.252.50 tcp eq https

policy-map type loadbalance first-match SLB
  class class-default
    sticky-serverfarm citrix-sticky
    action ACTION

policy-map multi-match client-vip1
  class HTTPS-VIP
    loadbalance vip inservice
    loadbalance policy SLB
    loadbalance vip icmp-reply
    appl-parameter http advanced-options HTTP_Secure_params
    ssl-proxy server SSL

interface vlan 252
  access-group input IB
  service-policy input client-vip1
  no shutdown
07-14-2009 05:46 AM
Is this correct?
rserver redirect citrix-redirect
  webhost-redirection http://172.16.252.10/citrix/accessplatform/auth/login.aspx 301
  inservice
rserver redirect citrix-redirect-02
  webhost-redirection http://172.16.252.11/citrix/accessplatform/auth/login.aspx 301
  inservice
It should be https instead of http:
rserver redirect citrix-redirect
  webhost-redirection httpS://172.16.252.10/citrix/accessplatform/auth/login.aspx 301
  inservice
rserver redirect citrix-redirect-02
  webhost-redirection httpS://172.16.252.11/citrix/accessplatform/auth/login.aspx 301
  inservice
07-14-2009 05:52 AM
I tried that a couple of times. Once I accept the cert, the page times out and does not display with the VIP in the URL --> https://172.16.252.50
07-14-2009 06:00 AM
The correct data flow for your configuration is:
1. The client accesses https://172.16.252.50/
2. The ACE sends an HTTP redirect (301) to the client to http(s)://172.16.252.11/citrix/accessplatform/auth/login.aspx
3. The browser receives this HTTP redirect and tries to get the new URL: http(s)://172.16.252.11/citrix/accessplatform/auth/login.aspx
^^ Do you need this data flow?
07-14-2009 06:16 AM
yes.
07-14-2009 06:21 AM
OK, and when you open this page directly in the browser: https://172.16.252.11/citrix/accessplatform/auth/login.aspx, does it work?
Because I think the configuration is correct. Try tcpdump from the client side (Wireshark on the client PC) and check whether the ACE sends the correct HTTP redirect to https://...
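As an added example (not part of the original thread), this script performs the check suggested above on a captured redirect: it parses the raw HTTP response and flags a Location header that sends an https client back to cleartext http or points at a real server address instead of the VIP. The VIP and rserver addresses are taken from the posted configuration; both sample responses are constructed, the first mirroring what the posted "webhost-redirection http://..." entries produce.

```python
from urllib.parse import urlsplit

# Addresses taken from the posted configuration.
VIP = "172.16.252.50"
RSERVERS = {"172.16.252.10", "172.16.252.11"}

# Constructed sample of what the posted rserver redirect citrix-redirect sends.
ACE_REPLY = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Location: http://172.16.252.10/citrix/accessplatform/auth/login.aspx\r\n\r\n"
)
# Constructed sample of the intended answer: same path, but https and the VIP.
GOOD_REPLY = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Location: https://172.16.252.50/citrix/accessplatform/auth/login.aspx\r\n\r\n"
)


def parse_response(raw: bytes) -> tuple[int, dict[str, str]]:
    """Split a raw HTTP/1.x response into (status code, lower-cased header map)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def check_redirect(raw: bytes, vip: str = VIP, rservers: set = RSERVERS) -> list[str]:
    """Return the problems with a redirect sent to a client that arrived over https."""
    status, headers = parse_response(raw)
    if status not in (301, 302, 303, 307, 308):
        return [f"not a redirect (status {status})"]
    location = headers.get("location")
    if location is None:
        return ["redirect without Location header"]
    target = urlsplit(location)
    if not target.scheme:  # relative Location: the browser keeps https and the VIP
        return []
    problems = []
    if target.scheme != "https":
        problems.append(f"Location downgrades client to {target.scheme} (cleartext)")
    if target.hostname in rservers:
        problems.append(f"Location exposes real server {target.hostname} instead of VIP {vip}")
    elif target.hostname != vip:
        problems.append(f"Location host {target.hostname!r} is not the VIP {vip}")
    return problems
```

Run `check_redirect()` over the response bytes pulled from the client-side capture; an empty list means the client stays on https and on the VIP.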
07-14-2009 07:06 AM
It does work when I go to that page with http only... the server is only listening on port 80.