CSM terminating SSL for Outlook Web Access

Hi.

Be most grateful if anyone is able to offer some insight as to why I can't get this to be sticky - I know it's not working as if I take one of the servers out of service in the serverfarm everything functions as it should, but as soon as I add another back, I get various results, mostly to do with getting shunted back to the login screen after getting a brief glimpse of the main inbox screen, which I think is because part of my test flow is hitting the server that didn't handle the successful login transaction. Initially I also had issues with the 302s the server sends but a url-rewrite policy seems to have sorted those... I tried adding a sticky group to the MAIL-BE vserver but this kills the whole app altogether for some reason. Config snippets below:

From CSM:

serverfarm MAIL-BE
  nat server
  nat client BE_MAIL_NAT
  real name <server1>
   inservice
  real name <server2>
   inservice


serverfarm MAIL-FE
  nat server
  nat client FE_MAIL_NAT
  real <ssl module vip ipaddr> local
   inservice

sticky 2 ssl timeout 60

vserver MAIL-BE
  virtual <ipaddr> any
  serverfarm MAIL-BE
  replicate csrp connection
  persistent rebalance
  inservice


vserver MAIL-FE
  virtual <ipaddr> tcp https
  serverfarm MAIL-FE
  sticky 60 group 2
  replicate csrp connection
  persistent rebalance
  inservice

From SSL module on CSM:

ssl-proxy policy url-rewrite MAIL-RED
  url <string>

ssl-proxy service mail-ssl-vip
  virtual ipaddr <ssl module vip ipaddr> protocol tcp port 443 secondary
  server ipaddr <mail-be ipaddr> protocol tcp port 80
  policy url-rewrite MAIL-RED
  certificate rsa general-purpose trustpoint <tp>
  inservice

Thanks in advance !

jsirstin Thu, 08/12/2010 - 13:01

Jake,

It looks like you have the sticky applied to the wrong vserver. You have it tied to the SSL vserver that has only one sslm in the serverfarm. There is no need for sticky here if you only have a single real in the farm.

I think the problem is when you terminate and hit the CSM clear text vip you do not have sticky applied here and that is why you keep bouncing servers. You will need to create a sticky group based on source IP, or cookie and apply it to the clear text vserver your proxy service points to.

Regards

Jim

Jim,

Thanks very much for the reply - you are right, the sticky shown above is not needed, I had misunderstood what it was doing until you explained it. When I initially tried to put it on the other vserver instead it broke the flow completely for some unknown reason, but after I cleared all the config out and rebuilt it cleanly in conjunction with no nat client as well, it all works fine. Much obliged for the suggestion, thanks again!

Kind regards, Jake.
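
The change discussed in the replies above, written out as an added example (not configuration posted by either participant): the stickiness moves off the SSL-facing vserver, whose farm has a single real, and onto the clear-text vserver the ssl-proxy service points to. Sticky group ID 3 and the /32 netmask are assumptions made for this sketch; `<ipaddr>` and the farm names are the thread's own placeholders.

```cisco
! Added example. Group ID 3 is an arbitrary, unused group number (assumption).
! Source-IP sticky group: one sticky entry per client address, 60-minute timeout.
sticky 3 netmask 255.255.255.255 timeout 60
!
! SSL-facing vserver: serverfarm MAIL-FE holds only the SSL module as a real,
! so there is nothing to choose between and no sticky line is needed.
vserver MAIL-FE
  virtual <ipaddr> tcp https
  serverfarm MAIL-FE
  replicate csrp connection
  persistent rebalance
  inservice
!
! Clear-text vserver (the "server ipaddr" target of ssl-proxy service mail-ssl-vip):
! this is where the choice between <server1> and <server2> is made, so the
! sticky group is applied here.
vserver MAIL-BE
  virtual <ipaddr> any
  serverfarm MAIL-BE
  sticky 60 group 3
  replicate csrp connection
  persistent rebalance
  inservice
```

Source-IP stickiness keys on the source address as MAIL-BE sees it, so where client NAT sits in front of this vserver it is worth confirming that the address still distinguishes one client from another.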
