New Member

ACE module redirect/rewrite issue

I am having a redirect/rewrite problem with my ACE module. When the user types in https://citix.com and accepts the cert, I need the ACE to add the following path to the URL: .../citrix/accessplatform/auth/login.aspx. That part works, but the page is returned as "http" and with the real server IP address in an unencrypted session versus https and the VIP. I thought the action-list would fix this problem, but it had no effect. Any suggestions would be appreciated.

access-list IB extended permit ip any any

probe tcp connect
  interval 5
  faildetect 5
  passdetect count 10
probe http web-connect
  interval 5
  passdetect count 6
  request method get url /citrix/accessplatform/auth/login.aspx
  expect status 200 302
  connection term forced

parameter-map type http HTTP_Secure_Params
  case-insensitive
  persistence-rebalance
  set header-maxparse-length 8192

action-list type modify http ACTION
  ssl url rewrite location "172.16.252.50"
  ssl url rewrite location "citrix"

rserver host citrix-01
  ip address 172.16.252.10
  inservice
rserver host citrix-02
  ip address 172.16.252.11
  inservice
rserver redirect citrix-redirect
  webhost-redirection http://172.16.252.10/citrix/accessplatform/auth/login.aspx 301
  inservice
rserver redirect citrix-redirect-02
  webhost-redirection http://172.16.252.11/citrix/accessplatform/auth/login.aspx 301
  inservice

ssl-proxy service SSL
  key citrixkey
  cert certnew.pem

serverfarm redirect Redirect-farm
  rserver redirect citrix-redirect
    inservice
  rserver redirect citrix-redirect-02
    inservice
serverfarm host citrix-farm
  rserver citrix-01 81
    inservice
  rserver citrix-02 81
    inservice

sticky http-cookie citrix.nnn citrix-sticky
  timeout 720
  replicate sticky
  serverfarm Redirect-farm

class-map type http loadbalance match-any redirect
  match http url citrix
class-map match-all HTTPS-VIP
  match virtual-address 172.16.252.50 tcp eq https

policy-map type loadbalance first-match SLB
  class class-default
    sticky-serverfarm citrix-sticky
    action ACTION
policy-map multi-match client-vip1
  class HTTPS-VIP
    loadbalance vip inservice
    loadbalance policy SLB
    loadbalance vip icmp-reply
    appl-parameter http advanced-options HTTP_Secure_params
    ssl-proxy server SSL

interface vlan 252
  access-group input IB
  service-policy input client-vip1
  no shutdown

16 REPLIES
New Member

Re: ACE module redirect/rewrite issue

Hi,

Redirection is without http/https in the front. You can redirect only to another domain/path/.

You must correctly define the ssl rewrite condition. For example:

ssl url rewrite location DOMAIN-or-IP sslport 443 clearport 80

For you, DOMAIN-or-IP is 172.16.252.10 and .11. Try it.

martin

New Member

Re: ACE module redirect/rewrite issue

I added the "sslport 443 clearport 80" commands under the action-list and it seems that they are the default since they do not show up in the config.

New Member

Re: ACE module redirect/rewrite issue

Right. sslport 443 and clearport 80 are the defaults and do not show in the configuration. Does it work now (with the correct IP addresses) or not?

New Member

Re: ACE module redirect/rewrite issue

I still have the same outcome. The user only sees "http" in the url versus the "https"

New Member

Re: ACE module redirect/rewrite issue

Can you attach the current configuration?

New Member

Re: ACE module redirect/rewrite issue

access-list IB extended permit ip any any

probe tcp connect
  interval 5
  faildetect 5
  passdetect count 10
probe http web-connect
  interval 5
  passdetect count 6
  request method get url /citrix/accessplatform/auth/login.aspx
  expect status 200 302
  connection term forced

parameter-map type http HTTP_Secure_Params
  case-insensitive
  persistence-rebalance
  set header-maxparse-length 8192

action-list type modify http ACTION
  ssl url rewrite location "172.16.252.50"
  ssl url rewrite location "citrix"

rserver host citrix-01
  ip address 172.16.252.10
  inservice
rserver host citrix-02
  ip address 172.16.252.11
  inservice
rserver redirect citrix-redirect
  webhost-redirection http://172.16.252.10/citrix/accessplatform/auth/login.aspx 301
  inservice
rserver redirect citrix-redirect-02
  webhost-redirection http://172.16.252.11/citrix/accessplatform/auth/login.aspx 301
  inservice

ssl-proxy service SSL
  key citrixkey
  cert certnew.pem

serverfarm redirect Redirect-farm
  rserver redirect citrix-redirect
    inservice
  rserver redirect citrix-redirect-02
    inservice
serverfarm host citrix-farm
  rserver citrix-01 81
    inservice
  rserver citrix-02 81
    inservice

sticky http-cookie citrix.nnn citrix-sticky
  timeout 720
  replicate sticky
  serverfarm Redirect-farm

class-map type http loadbalance match-any redirect
  match http url citrix
class-map match-all HTTPS-VIP
  match virtual-address 172.16.252.50 tcp eq https

policy-map type loadbalance first-match SLB
  class class-default
    sticky-serverfarm citrix-sticky
    action ACTION
policy-map multi-match client-vip1
  class HTTPS-VIP
    loadbalance vip inservice
    loadbalance policy SLB
    loadbalance vip icmp-reply
    appl-parameter http advanced-options HTTP_Secure_params
    ssl-proxy server SSL

interface vlan 252
  access-group input IB
  service-policy input client-vip1
  no shutdown

New Member

Re: ACE module redirect/rewrite issue

Is this correct?

rserver redirect citrix-redirect
  webhost-redirection http://172.16.252.10/citrix/accessplatform/auth/login.aspx 301
  inservice
rserver redirect citrix-redirect-02
  webhost-redirection http://172.16.252.11/citrix/accessplatform/auth/login.aspx 301
  inservice

It should be https instead of http:

rserver redirect citrix-redirect
  webhost-redirection httpS://172.16.252.10/citrix/accessplatform/auth/login.aspx 301
  inservice
rserver redirect citrix-redirect-02
  webhost-redirection httpS://172.16.252.11/citrix/accessplatform/auth/login.aspx 301
  inservice

New Member

Re: ACE module redirect/rewrite issue

I tried that a couple of times. Once I accept the cert, the page times out and does not display with the vip in the url --> https://172.16.252.50

New Member

Re: ACE module redirect/rewrite issue

The correct data flow for your configuration is:

1. The client accesses https://172.16.252.50/

2. The ACE sends an HTTP redirect (301) to the client, pointing to http(s)://172.16.252.11/citrix/accessplatform/auth/login.aspx

3. The browser receives this HTTP redirect and tries to get the new URL: http(s)://172.16.252.11/citrix/accessplatform/auth/login.aspx

^^ Do you need this data flow?

New Member

Re: ACE module redirect/rewrite issue

yes.

New Member

Re: ACE module redirect/rewrite issue

OK, and when you get this page directly from the browser: https://172.16.252.11/citrix/accessplatform/auth/login.aspx, does it work?

Because I think the configuration is correct. Try a tcpdump from the client side (Wireshark from the client PC) and check whether the ACE sends the correct HTTP redirect (to https://...).
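
The check suggested above, as an added example that is not part of the original thread: a Python sketch that takes a 301 as captured on the client and reports whether its Location header leaves HTTPS or leaves the VIP. The sample response is constructed from the addresses in this thread, and the function names are hypothetical.

```python
from urllib.parse import urlsplit

# Constructed sample: the kind of 301 a client-side capture would show for
# the redirect rservers in this thread (not taken from a real trace).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Location: http://172.16.252.10/citrix/accessplatform/auth/login.aspx\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


def location_header(raw: bytes):
    """Return the Location header value of a raw HTTP response, or None."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "location":
            return value.strip()
    return None


def audit_redirect(request_url: str, raw_response: bytes):
    """List what is wrong with the redirect received for request_url."""
    loc = location_header(raw_response)
    if loc is None:
        return ["no Location header"]
    req, dst = urlsplit(request_url), urlsplit(loc)
    # A relative Location keeps the scheme and host of the request.
    scheme = dst.scheme or req.scheme
    host = dst.hostname or req.hostname
    findings = []
    if req.scheme == "https" and scheme != "https":
        findings.append("scheme downgrade: https -> " + scheme)
    if host != req.hostname:
        findings.append("host changed: %s -> %s" % (req.hostname, host))
    return findings


if __name__ == "__main__":
    for finding in audit_redirect("https://172.16.252.50/", SAMPLE_RESPONSE):
        print(finding)
```

An empty list means the redirect keeps the client on HTTPS and on the address it originally requested.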

New Member

Re: ACE module redirect/rewrite issue

It does work when I go to that page with http only... the server is only listening on port 80.

New Member

Re: ACE module redirect/rewrite issue

:) ...here is the problem. The ACE sends the client a redirect to http, and you need access from the client over https (SSL terminated on the ACE? If true, the configuration is wrong, because, as I wrote before, your configuration has 3 steps: access to the VIP, redirect sent to the client, client access to the new location).

Is it clear?

New Member

Re: ACE module redirect/rewrite issue

I am reworking the configuration later today and will post the new final. Thank you for the input.
