ACE - HTTPS CLASS MAP CONFIGURATION

Similar Messages

• Issue with ACE HTTP class map

  This is what I want to achieve USING the ACE as a reverse proxy.
  User uses the url https://abc/password - gets to the destination server & the web page
  If user tries to use any thing additional then the connection is dropped at the ACE such as
  https://abc/password/test or any such variation.
  Following is the config I have to achieve this
  class-map type http loadbalance match-any L7-CLASS-TEST
    match http url /password
    match http url /password/
  class-map type http loadbalance match-any L7-CLASS-TEST-deny
    2 match http url .*.*
  policy-map type loadbalance first-match LBP-TEST
    class L7-CLASS-TEST
      serverfarm FARM-TEST
      ssl-proxy client TEST
    class L7-CLASS-TEST-deny
      drop
    class class-default
      serverfarm FARM-TEST
      ssl-proxy client TEST
  The problem with this is when the page opens I get broken links on all the images. If I use the following line
  match http url /password.*
  I get the images to work but the user can use the https://abc/password/test which is not what I want.
  Has any one faced this issue ?
  Any help will be appreciated.
  Thanks in advance
  Prasanna

  Prasanna,
  What about if you try it in HTTP and apply the following change?
  class-map type http loadbalance match-any L7-CLASS-TEST-deny
    2 match http url /.*
  This should work in HTTP but not with HTTPS
  Anyway, it should not work since everything seems to be encrypted, you may require either SSL-termination or END-TO-END SSL for this then the ACE can decrypt the request see what it needs to do and take the load balance decision.
  Jorge

• Help with Class-map configuration - ZBFW

  Hello,
  I need some clarification regarding the class-map configuration in a ZBFW. I need to allow https,http,ftp & rdp traffic from Internet to few of the servers inside our LAN. So I put the below configuration to accomplish the task (example shows class-map for only https protocol) :
  a.)
  class-map type inspect match-all HTTPS-ACCESS
  match protocol https
  match access-group name HTTPS-SERVER-ACCESS
  ip access-list extended HTTPS-SERVER-ACCESS
  permit tcp any host 172.17.0.55 eq 443
  permit tcp any host 172.17.0.56 eq 443
  permit tcp any host 172.17.0.36 eq 443
  permit tcp any host 172.17.0.45 eq 443
  permit tcp any host 172.17.0.60 eq 443
  Where 55,56,36,45,60 are the servers inside the LAN (12 more servers are there) that need to be accessed via https,http,ftp & rdp from Internet.
  Is it a correct approach? or do I need to change my configuation so that I have to match ACL with my class-map like below:
  b.)
  ip access-list extended OUTSIDE-TO-INSIDE-ACL
  permit tcp any host 172.17.0.55 eq 443
  permit tcp any host 172.17.0.55 eq www
  permit tcp any host 172.17.0.55 eq 21
  permit tcp any host 172.17.0.55 eq 3389
  permit tcp any host 172.17.0.56 eq 443
  permit tcp any host 172.17.0.56 eq www
  permit tcp any host 172.17.0.56 eq 21
  permit tcp any host 172.17.0.56 eq 3389
  permit tcp any host 172.17.0.36 eq 443
  permit tcp any host 172.17.0.36 eq www
  permit tcp any host 172.17.0.36 eq 21
  permit tcp any host 172.17.0.36 eq 3389
  permit tcp any host 172.17.0.45 eq 443
  permit tcp any host 172.17.0.45 eq www
  permit tcp any host 172.17.0.45 eq 21
  permit tcp any host 172.17.0.45 eq 3389
  class-map type inspect match-all OUT-IN-CLASS
  match access-group name OUTSIDE-TO-INSIDE-ACL
  Which one is the correct approach when we consider the performance of the firewall ? Please help me.
  Regards,
  Yadhu

  Hey
  I do not agree with Varun, I think the first approach is the best one.
  Why? Because when you issue the "match protocol ..." you are usig NBAR wich is an application inspection software, which means that https or whatever protocol is inspected at layer 7, not layer 3 and 4 which the seconds approach does (IP and port-number).
  Lets say you use the second approach and an attacker uses some malicious protocol that runs over port 443 or whatever (a port that you opened).  That attack would be successfull because all you say, you are going to IP-address 172.17.0.56 over port 443 so go ahead.
  But if you are using NBAR, this would not work because NBAR will look at layer 7, inside the protocol itself and look if this really is HTTPS (or whatever protocol).
  That's my two cents. Hope it helped!

• ACE ignoring class map depending on source???

  I have a problem with a the load balancing "not working" properly depending on the source.
  The load balancing decision is done with a secondary cookie (?ld=fe1 or ?ld=fe2). If it appears and the value is fe1 the request should go to serverfarm FE1-app. If the value is fe2 then serverfarm FE2-app should be choosen. If it is not present in the http request then serverfarm FE-app in the class-default is taking over.
  This approach works if "surfing" to the VIP from a certain part of the internal network. It does not work from another part of the network. It seems that cookie is ignored and only the class default triggers.
  The strange thing is that the same approach works for another setup that looks identical (with different rservers and different VIP of course). There the class map for the cookie triggers always.
  My question is now: Why does the ACE seem to ignore the class map for the cookie when coming from a certain part of the network? How can I debug/follow a certain connection or load balancing decision?
  Here is the config:
  rserver host FE1-app
    description frontend app
    ip address 192.168.137.69
    inservice
  rserver host FE2-app
    description frontend app
    ip address 192.168.137.74
    inservice
  serverfarm host FE1-app
    rserver FE1-app 80
      inservice
  serverfarm host FE2-app
    rserver FE2-app 80
      inservice
  serverfarm host FE-app
    rserver FE1-app 80
      inservice
    rserver FE2-app 80
      inservice
  class-map type http loadbalance match-all COOKIE-FE1
    2 match http cookie secondary ld cookie-value "fe1"
  class-map type http loadbalance match-all COOKIE-FE2
    2 match http cookie secondary ld cookie-value "fe2"
  class-map match-all VIP-app
    2 match virtual-address 192.168.138.39 tcp eq www
  policy-map type loadbalance first-match VIP-app-loadbalance
    class COOKIE-FE1
      serverfarm FE1-app
    class COOKIE-FE2
      serverfarm FE2-app
    class class-default
      serverfarm FE-app
  policy-map multi-match INT470
    class VIP-app
      loadbalance vip inservice
      loadbalance policy VIP-app-loadbalance
      loadbalance vip icmp-reply
  interface vlan 470
    description lb_rpfedrift
    ip address 192.168.138.36 255.255.255.240
    alias 192.168.138.35 255.255.255.240
    peer ip address 192.168.138.37 255.255.255.240
    service-policy input remote_mgmt_allow_policy
    service-policy input INT470
    no shutdown

  Hi Federico,
  The source of the request has no relation with the way ACE handles the connections, so, there are probably other differences in the traffic.
  The best way to troubleshoot these kind of connections is taking a traffic capture on the TenGigabit interface connecting the ACE with the switch backplane. Once you have it, you can try to look for differences between the working and failing connections.
  From what you describe, I wouldn't be surprised if the issue comes from the fact that there are several HTTP requests inside the same TCP flow (in which case, by default, the ACE will look only at the first one), so I would suggest you to enable "persistence rebalance" for this VIP. For more details, check the link below:
  http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA2_3_0/configuration/slb/guide/classlb.html#wp1062907
  I hope this helps
  Daniel

• ACE: a class-map with multiple ports... what about the probe/serverfarm?

  Hello Gilles,
  One question about something I was not able to find in the documentation.
  Lets say I have one class-map which includes 2 ports (in this case https and 5061).
  Can I associate this class-map to just 1 generic serverfarm and probe for both ports or I have to specify 2 serverfarms/rservers/probes?
  So, by not specifying the ports on the rserver, if a request is received on port 443 (or 5061), it is sent to the same respective port on the rserver?
  The same way is valid for the generic probe.  ACE module is able to probe both ports based on the class-map?
  Thanks and have a great day!!
  Giulio.
  probe tcp PROBE_GENERIC_TCP
    description This probe works for all TCP services by inheriting the VIP port.
    interval 15
    faildetect 2
    passdetect interval 15
    passdetect count 2
    open 2
  rserver host SERVER1_ACCESS
    ip address <1AC>
    inservice
  rserver host SERVER2_ACCESS
    ip address <2AC>
    inservice
  serverfarm host ACCESS-SFARM
    probe PROBE_GENERIC_TCP
    rserver SERVER1_ACCESS
      inservice
    rserver SERVER2_ACCESS
      inservice
  class-map match-any OCS_L4ACCESS
    2 match virtual-address x.x.x.176 tcp eq https
    2 match virtual-address x.x.x.176 tcp eq 5061
  policy-map type loadbalance first-match OCS_L4ACCESS
    class class-default
      sticky-serverfarm ACCESS_STICKY
  policy-map multi-match POLICY
  class OCS_L4ACCESS
  loadbalance vip inservice
  loadbalance policy OCS_L4ACCESS
  loadbalance vip icmp-reply active
  connection advanced-options OCS_VIPTIMEOUT
  nat dynamic XXX vlan 503

  Even if you use the 4710 appliance or expect the inheritance in the module software, it's worth considering if this is really what you want. If you keep multiple ports in the L3/L4 class-map you can't handle the services independently. You will have a common serverfarm for both https and 5061. If https service stops on one rserver, the ACE will place that rserver (and not that service) in out-of-operation state and it won't receive any 5061 traffic either. (You have the fail-on-all probe option but I wouldn't say it's a better choice. In that case, https traffic would be sent to the rserver even if https port is closed as long as there is at least one working service on it.) That's why I prefer a separate class-map and separate serverfarm for each service. (They can contain the same rservers, no need to duplicate.) BUT if the software supports probe port inheritance, you can benefit from it even in this scenario: serverfarm-443 and serverfarm-5061 can both use your PROBE_GENERIC_TCP.

• A problem with ACL in the class-map on the ACE module

                    Hi all,
  I configured the following on the ACE module:
  object-group network test
    host 192.168.1.21
    host 192.168.1.22
    host 192.168.1.23
  object-group service port
    tcp eq www
    tcp eq 8080
  access-list T line 8 extended permit object-group port object-group test any
  I tried to configure a class-map for matching this ACL:
  ACE-4710-2/Lab-OPT-11(config)# class-map match-any TEST_C
  ACE-4710-2/Lab-OPT-11(config-cmap)# match access-list T
  Error: Cannot associate acl having object-group ACEs in class-map.
  So couldn't I  configure the class-map by using ACL with object-groups involved? Is it the bug or the normal behaviour? Because the customer uses object-groups in ACLs and he has to configure ACL without object-groups for the traffic classification. It is horrible.
  Thank you
  Roman

  Hi Roman,
  I'm afraid it's the expected behavior. You cannot use an ACL with object-groups inside a class-map.
  Regards
  Daniel

• Source ip filtering with class map on cisco ace30

  Hello ,
  I would like to know if it is  possible to filter source ips connecting to a virtual ip  within a class map configuration ( or something else  ) ?
  access-list S_IP_FILTERING line 8 extended permit ip host 1.1.1.1 any
  class-map match-all S_IP_FILTERING_XVIP
  2 match access-list S_IP_FILTERING
  3 match virtual-address 2.2.2.2 any
  Error: Only one match access-list is allowed in a match-all class-map and it cannot mix with any other match type
  thanks for your support
  Case,

  Hi,
  Yes, it is possible to do this. Use the ACL filter for the source IP address under the policy-map type loadbalance. Then you would call that load balance policy in your multi-match policy under the appropriate class.
  for example:
  class-map type http loadbalance match-any LOADBALANCE-FILTER
    2 match source-address X.X.X.X 255.255.255.255
  class-map match-any TEST-CLASSMAP
    2 match virtual-address Y.Y.Y.Y tcp eq www
  policy-map type loadbalance first-match LOADBALANCE
    class LOADBALANCE-FILTER
      serverfarm TEST-SERVERFARM
  policy-map multi-match UTC-PM
    class TEST-CLASSMAP
      loadbalance policy LOADBALANCE
      loadbalance vip inservice
  -Alex

• ACE HTTP loadbalancing problem

  What i'm trying to achieve with the below config is
  any request coming in with "programming" in the URL
  will be mapped to one server and all else mapped to
  a different. So what i see happening is that i can
  get to the main page but not the page with "programming"
  in the URL. I have to clear the connections to get
  mapped to the serverfarm with that handles all requests
  with "programming". I thought is was related to the
  sticky serverfarm i had configured before so i reverted
  to a ordinary serverfarm and it still doesn't work. Any
  thoughts or suggestions????
  rserver host TEST_01
  ip address 10.10.204.200
  inservice
  rserver host TEST_02
  ip address 10.10.204.201
  inservice
  serverfarm host TEST/PROG_SF
  rserver TEST_02
  inservice
  serverfarm host TEST_SF
  rserver TEST_01
  inservice
  class-map match-any TEST_VS
  2 match virtual-address 10.10.215.27 tcp eq www
  3 match virtual-address 10.10.215.27 tcp eq https
  class-map type http loadbalance match-any TEST/PROG
  3 match http url (/programming.*)
  4 match http url /programming.*
  policy-map type loadbalance first-match TEST_L7SLB
  class TEST/PROG
  serverfarm TEST/PROG_SF
  class class-default
  serverfarm TEST_SF
  policy-map multi-match VIPS
  class TEST_VS
  loadbalance vip inservice
  loadbalance policy TEST_L7SLB
  loadbalance vip icmp-reply
  interface vlan 215
  service-policy input VIPS

  you need to activate persistent rebalance which is not on by default so that subsequent requests inside the same tcp connection can be remapped to a different server if matching a different rule.
  parameter-map type http HTTP-PARAM
  persistence-rebalance
  policy-map multi-match VIPS
  class TEST_VS
  appl-parameter http advanced-options HTTP-PARAM
  Gilles.

• ACE http/https redirect or rewrite

  Greetings,
  We have a setup that requires ACE http/https redirection or rewrite.
  A client connects to a secured Web portal which has its ssl termination on the ACE.
  The web portal will request from the client a redirection to another application. As the portal is unaware that the incoming client https request was terminated on the ACE,
  the client receives the redirect request for an unsecured http URL rather than for the secured https URL.
  In this case what would be best to use? ACE "rewrite" or "redirect"?
  Will the following example config for ACE "redirect" be sufficent to implement this?
  ssl-proxy service ssl-App-443-81
  key app1.test.com.key
  cert app1.test.com.cert
  rserver redirect App-secure-redirect
  webhost-redirection https://app1.test.com/Go/
  inservice
  serverfarm redirect App-secure-redirect-sf
  rserver App-secure-redirect
  inservice
  serverfarm host App-81-sf
  probe TCP81
  rserver proxy1 81
  inservice
  rserver proxy2 81
  inservice
  parameter-map type http http_param_map
  header modify per-request
  sticky http-cookie App-cookie App-sticky
  cookie insert
  replicate sticky
  serverfarm App-81-sf
  class-map match-any App-443-81-cm
  2 match virtual-address 10.10.10.112 tcp eq https
  class-map match-any App-81-cm
  2 match virtual-address 10.10.10.112 tcp eq 81
  class-map type http loadbalance App-secure-redirect-cm
  match http url http://app1.test.com:81/Go/
  policy-map type loadbalance http first-match App-rewrite-pm
  class App-secure-redirect-cm
  serverfarm App-secure-redirect-sf
  policy-map type loadbalance http first-match App-sticky-443-81-pm
  class class-default
  sticky-serverfarm App-sticky
  policy-map multi-match policy-inbound
  class App-81-cm
  loadbalance vip inservice
  loadbalance policy App-rewrite-pm
  loadbalance vip icmp-reply active
  loadbalance vip advertise active
  class App-443-81-cm
  loadbalance vip inservice
  loadbalance policy App-sticky-443-81-pm
  loadbalance vip icmp-reply active
  loadbalance vip advertise active
  appl-parameter http advanced-options http_param_map
  ssl-proxy server ssl-App-443-81

  If you are offloading www.yoursite.com on ACE and on the backend
  real servers are not ssl aware (sends URL with http://) then with
  following sample config you can instruct ACE to rewrite such urls (http->https)
  class-map match-all VIP-443
  match virtual-address x.x.x.x tcp eq https
  action-list type modify http HTTP2HTTPS-REWRITE
  ssl url rewrite location www\.yoursite\.* sslport 443 clearport 80
  policy-map type loadbalance first-match YOUR-POLICY
  class class-default
  serverfarm YOUR-SFARM
  action HTTP2HTTPS-REWRITE
  class VIP-443
  loadbalance vip inservice
  loadbalance policy YOUR-POLICY
  loadbalance vip icmp-reply active
  ssl-proxy server YOUR-SSL-SERVICE
  You need Ace2.x+ on Ace module & 3.x+ on 4710 appliance for this feature.
  Syed Iftekhar Ahmed

• ZBF Class-map and different way of doing them

  Hi People just though i would ask a question on how to set up a ZBF. (question at the end of example config's)
  i have been playing with this for a while now and like to get advice over what way is the recomended way of doing multiple matchs
  ok we we all know the basic
  class-map type inspect match-any ZBF_CM_ICMP
  match protocol icmp
  policy-map type inspect ZBF_PM_EXTERNAL->DMZ
  class type inspect ZBF_CM_ICMP
    inspect
  and then the ZP dont need to show, this is a simple map using nbar fair enough
  then we could a mulitiple matches
  class-map type inspect match-any ZBF_CM_STD_DMZ_PORTS
  match protocol icmp
  match protocol http
  match protocol dns
  match protocol https
  policy-map type inspect ZBF_PM_DMZ->EXTERNAL
  class type inspect ZBF_CM_STD_DMZ_PORTS
    inspect
  Ok still easy to understand but now come the bit that a little more copmplex non NBAR matches
  ip access-list extended AL_RDP_PORT
  permit tcp any any eq 3389
  class-map type inspect match-all ZBF_CM_RDP
  match access-group name AL_RDP_PORT
  policy-map type inspect ZBF_PM_EXTERNAL->DMZ
  class type inspect ZBF_CM_RDP
    inspect
  This config is now using an access list because NBAR dosent have the protocol in it then map the AL to the CM then CM to PM. next is example is what i setup to get more non NBAR ports and only for 1 host
  ip access-list extended AL_HOST_IP_IN
  permit ip any host 11.11.11.11
  ip access-list extended AL_ISATAP
  permit 41 any any
  ip access-list extended AL_TEREDO
  permit udp any any eq 3544
  class-map type inspect match-ANY ZBF_CM_DirectAccess_Protocols
  description Nested Class Map
  match access-group name AL_ISATAP
  match access-group name AL_TEREDO
  match protocol https
  class-map type inspect match-ALL ZBF_CM_APP_IN
  match access-group name AL_HOST_IP_IN
  match access-group name ZBF_CM_DirectAccess_Protocols
  policy-map type inspect ZBF_PM_EXTERNAL->DMZ
  class type inspect ZBF_CM_APP_IN
    inspect                                                                                                      (or pass with rule for other direction)
  THis is what i setup and it works not for this example but the rule flow i then was having issues with DMVPN and ZBF (turned out to be an iso bug annoying me) but i used CiscoCP to setup the ZBF automaticly forthe DMVPN and it ZBF rule where  same proceduare as below.
  ip access-list extended AL_HOST_IP_IN
  permit ip any host 11.11.11.11
  ip access-list extended AL_ISATAP
  permit 41 any any
  ip access-list extended AL_TEREDO
  permit udp any any eq 3544
  class-map type inspect match-ANY CM_ISATAP
  match access-group name AL_ISATAP
  class-map type inspect match-ANY CM_TEREDO
  match access-group name AL_TEREDO
  class-map type inspect match-ANY ZBF_CM_DirectAccess_Protocols
  description Nested Class Map
  match class-map CM_ISATAP
  match class-map CM_TEREDO
  match protocol https
  class-map type inspect match-ALL ZBF_CM_APP_IN
  match access-group name AL_HOST_IP_IN
  match access-group name ZBF_CM_DirectAccess_Protocols
  policy-map type inspect ZBF_PM_EXTERNAL->DMZ
  class type inspect ZBF_CM_APP_IN
    inspect
  So what Cisco CP did was make yet another level of nesting rather then the match-all class map having the match access list command then made a cm with access list then the main class map had only other match class maps in it..
  QUESTION:
  Why did CiscoCP do the extra nesting
  both ways worked but i would like to know why the cisco CP did the same thing with the other layer of CM did it do this for best practise or dose this make changed later easier i cant understand whats the advange to doing it this way... but if there is a valid reason then ill great jjust trying to understand.
  thanks
  regards
  A very sore headed
  Dave

  When people say "use as few classes as possible", it's usually related not to optimize heap usage, but jar size.
  But it's true that some smart use of OOP can save a lot of memory during runtime (and even jar size in some cases). Using an interface in my GUI library helps make the architecture a lot simpler and more compact, to the point that even if all the GUI widgets are being used (so the "just loading the code you need at the moment" argument is moot) memory use is still smaller because I need a lot less hacks to glue everything together.
  It still is worth noting that often memory fragmentation is the true cause of running-out-of-memory-errors, and in this case loading many small classes will achieve exactly the opposite.
  shmoove

• Class-map in IOS XR

  Hi, anyone can explain the "sh class-map list type qos" in XR platforms ? is this command used to know how many types of class-maps configured in one router ?

  It is a useful command to help clean up unused class-maps:
  RP/0/RSP0/CPU0:A9K-BNG#show class-map list type qos
  Thu Sep 12 14:58:56.383 EDT
  1) ClassMap: class1    Type: qos
      Referenced by 3 Policymaps
  2) ClassMap: class3    Type: qos
      Referenced by 2 Policymaps
  in this examples the QOS class-maps class1 and class3 which have index 1 and 2 respectively are used by respectively 3 or 2 policy-maps. can't remove them.
  I could technically remove this class-map:
  20) ClassMap: v6    Type: qos
      Referenced by 0 Policymaps
  Not used at all.
  regards
  xander

• Class-map for CSC ignores

  I have an application that is getting blocked by the Trend Micro CSC under the http class map. I need it to ignore http traffic from a 172.16.1.0/24, and allow all else. I haven't worked with class maps much, but my thinking is an ACL with the IP subnet, and a match statement under the class map, but where I have the question is, will the ACL be
  permit ip 172.16.1.0 255.255.255.0 any
  deny ip any any
  or the other way around?
  deny ip 172.16.1.0 255.255.255.0 any
  permit ip any any

  thats right
  but upong the ACL u have writen above u will ignore web traffic from 172.16.1.0/24 to 192.168.0.0
  and will match any other web traffic
  but nothing else
  i mean no smtp,pop3 or ftp
  if u want to match any thing else after the deny or ignore statement
  u have to make permit ip any any
  after u match it with class-map
  apply it to a policy map
  like polic-map global_policy (which is the default global policy)
  class-map (ur calss-map name)
  csc fail-open
  then
  service-policy global_policy global
  in this case it will be applied to all interfaces
  good luck
  Rate if helpful

• Cisco ACE loadbalancing matching more than one header in L7 class map

  Dear All,
  This is regarding Cisco ACE loadbalancing matching more than one header in L7 class map. I have a small setup with ACE 30 module in Cisco6500. I have got three webservers. Presently I have following configuration where I am mathing one url header.
  class-map type http loadbalance match-all L7_WEB_HEADER_MATCH
  description MATCH THE HOST HEADER OF HTTP REQUEST
  2 match http header Host header-value ".*abhisar.com*"
  So for above configuration, when traffic is coming for abhisar.com, it is working fine.
  Now, I have following headers and DNS entry is pointing to same virtual IP for all http url header same as abhisar.com
  abhisarindia.com
  indiaabhi.com
  So new configuration will be
  class-map type http loadbalance match-any L7_WEB_HEADER_MATCH
  description MATCH THE HOST HEADER OF HTTP REQUEST
  2 match http header Host header-value ".*abhisar.com*"
  4 match http header Host header-value ".*abhisarindia.com*"
  6 match http header Host header-value ".*indiaabhi.com*"
  So just want to confirm if this is fine.
  Thank You,
  Abhisar.

  Dear Rajesh,
  Thank you for reply. I will let you know once I carry out this activity.
  Thank You,
  Abhisar.

• ACE - FQDN in a class map or other suggestions

  It appears it is only possible to use an IP address when creating match conditions in a class map which makes sense. 
  We are using this basically as a NAT.
  ie, server sends an HTTP message to the ACE containing XML
  ACE then encrypts with an SSL cert and substitutes a public IP address and sends the XML out to a customer IP on the public internet
  Problem is when customer changes the IP address, we need to change the configuration on the ACE.  Ideally if I could use a DNS name, then the customer can manage any changes via DNS and not involve us.
  Disclaimer: I'm a complete novice to the ACE
  Any ideas appreciated!

  Hi Rob,
  Can you share the current configuration and also the traffic flow here.
  Regards,
  Kanwal

• ACE class-map match url syntax

  Can someone help me with the string that would match a url with no path specified?  For instance; user types "https://outlook.domain.net" into their browser and I want the ACE to redirect that request to https://outlook.domain.net/owa".
    2 match http url oulook\.domain\.net\

  Adam and Shday,
  I'll give you a hand on this =)
  Adam we can solve your problem only if you're doing SSL offloading on the ACE as the layer 5 information that needs to be checked is being sent encrypted.
  In case SSL termination is configured then the configuration would be like this:
  rserver redirect OWA
    webhost-redirection https://%h/owa 301
    inservice
  serverfarm redirect OWA
    rserver OWA
      inservice
  class-map type http loadbalance match-any OWA
  2 match http header Host header-value "outlook.domain.net"
  policy-map type loadbalance first-match OWA
  class OWA
    serverfarm OWA
  class class-default
    serverfarm Backend
  Shday yours is pretty much the same but you need to decide if class-default needs
  to be in place:
  rserver redirect Domain
  webhost-redirection http://%h/any_path 301
  inservice
  serverfarm redirect Domain
     rserver Domain
       inservice
  class-map type http loadbalance match-any Any
  2 match http url /.*
  class-map type http loadbalance match-any Domain
  2 match http header Host header-value "domain.com"
  policy-map type loadbalance first-match Domain
  class Any
    serverfarm Backend
  class Domain
    serverfarm Domain
  HTH
  Pablo