ACE - Redirect

Hi !
I am trying to do the following:
A customer dials into our network. The first HTTP Request get`s redirected to some Content-Page.
This could be annoying for some customers that`s why we want to implement a button on that page to DISABLE this Redirect Feature for that customer.
I am sure the redirect will work - but I am wondering if it`s possible to store some data on the customers web-browser - to make sure the feature remains DISABLED whenever he dials to the network again - and doesn`t get redirected anymore .
Is there a chance to match on the ACE against some sort of f.e. cookie - to make sure the client is not redirected anymore if this cookie is present ?
If not - then the client gets redirect.
I would really appreciate any help / hints.
cheers
Hans

In the following example if the http request comes for VIP:192.168.1.1 then the header is checked for cookie name "testcookie" and if the cookie value is "Donot-Redirect" then request is served by serverfarm "APP1-sf" and if this value is not present then request is redirected to http://192.168.120.132/redirect.html .
parameter-map type http APP1-pmap
persistence-rebalance
rserver redirect SERVER-redirect
webhost-redirection http://192.168.120.132/redirect.html 302
inservice
rserver host App1-server1
ip address 10.10.10.111
inservice
rserver host App1-server2
ip address 10.10.10.10
inservice
serverfarm redirect SFARM-redirect
rserver SERVER-redirect
inservice
serverfarm App1-SF
predictor leastconns
probe TCP81
rserver App1-server1
inservice
rserver App1-server2
inservice
class-map match-all App1-VIP
2 match virtual-address 192.168.1.1 tcp eq 80
class-map type http loadbalance match-any APP1-CHECK
match http cookie testcookie cookie-value Donot-Redirect
policy-map type loadbalance first-match APP1-policy
class APP1-CHECK
serverfarm App1-SF
class class-default
serverfarm SFARM-redirect
policy-map multi-match VIPS
class App1-VIP
loadbalance vip inservice
loadbalance policy APP1-policy
loadbalance vip icmp-reply active
appl-parameter http advanced-options APP1-pmap
HTH
Syed Iftekhar Ahmed

Similar Messages

Ace Redirect and re-write

Can anybody point me in the right direction for changing the URL when the ACE is performing the redirection?
I have the standard ace redirection to HTTPS set up and it is working fine.
I have a wildcard certificate *.abc.com but when the application was being tested the URL abc.com kicks up a certificate error in the browser.
Not sure if I should have set the CN as *acb.com when ordering it but its done now.
I am wanting to redirect when http://abc.com is put in the client browser to https://www.abc.com
I have tried reading these forums and using header rewrite to change the location on response but it just doesn't seem to work.
I have tried deleting/renaming/replacing the host header on request and rewrite/delete on response. Tried all sorts of regex nothing works.
I can insert a header so I know the action is being hit, just can't seem to change the host on request or location on response.
Any idea's?
I am guessing the inner workings only allow for modification of these headers when the redirects are being done by the server and the headers are passing through the load balancer.
on latest 5(2.1) version
example of one I tried
action-list type modify http ABC_MODIFY
header rewrite response location header-value "https://abc(.*)" replace "https://www.abc%1"
then applied to policy redirect map

I tried another approach which seemed to work.
rserver redirect RED2A
webhost-redirection https://www.%h 302
inservice
rserver redirect RED2
webhost-redirection https://%h 302
inservice
serverfarm redirect RED2-VIP-IN
rserver RED2
inservice
serverfarm redirect RED2A-VIP-IN
rserver RED2A
inservice
class-map type http loadbalance match-any RED2A-VIP-IN
2 match http header Host header-value "abc.com"
class-map match-any RED2-VIP-IN
2 match virtual-address x.x.x.x tcp eq www
..etc
policy-map type loadbalance first-match RED2-VIP-IN-LB-POLICY
class RED2A-VIP-IN
serverfarm RED2A-VIP-IN
class class-default
serverfarm RED2-VIP-IN
this seemed to redirect the abc.com to https://www.abc.com and the other requests like other.abc.com to https://other.abc.com
I tried regex for the header value match like [^\.]abc.com and ^abc.com but these didn't seem to match.

ACE Redirect not working

We have a ACE redirect configured on 3 physically seperate ACE modules with the following config. It works on one ACE Module and not on the other 2.
Capture on the ACE and sniffer gives this error.R [bad tcp cksum 2d41!] ACE sends resets to the client. Anyone run into this issue?
The software version is   system:    Version A2(1.0a) [build 3.0(0)A2(1.0a)
rserver redirect Test
webhost-redirection http://www.test.com
inservice
serverfarm redirect Test
rserver Test
    inservice
class-map match-any Test
2 match virtual-address 192.168.10.10 tcp eq www
policy-map type loadbalance first-match Test
class class-default
    serverfarm Test
class Test
    loadbalance vip inservice
    loadbalance policy Test
    loadbalance vip icmp-reply active

Sorry maybe I didn't explain what I was getting at good enough...
I guess I'm basically asking if there's potential for asymmetry at the site that's not working.
For example.
Say I have a load balanced server. It has two interfaces a "front end" and a "back end". I manage the server on the backend from my laptop, for which the server has a route. Now if I try to hit the public VIP of the LB, traffic is routed to the VIP, then to the server, but because the server already has a route to my laptop via the backend, it bypasses the load balancer on the return and replies directly to me, thus putting the flow out of sync and never completing the connection...
Not saying that's it, but I've had so many asymmetry issues that are tough to figure out that It's usually one of the first things I rule out...
It's possible if the site that's not working is local to you and the others aren't, this may be a potential issue??

ACE redirect to different URI on rserver

         We use JDE and up to now part of the tools was Apache which would redirect as follows
http://alias.server to http://real.server:13333/main.maf
the latest version no longer uses Apache so I was wondering how I can do it on the ACE
of course there is no problem going from alias.server port 80 to real.server:13333 but how can I add the URI main.maf?

Hi
The configuration would look like the following:
rserver host CHIJTW55
description CHIJTW55
ip address 172.16.98.106
inservice
rserver redirect JDEDV_RED
webhost-redirection http://172.16.73.10:13333/main.maf 301
serverfarm host JDEDV
description JDEDV servers
failaction purge
probe tcp13333
rserver CHIJTW55 13333
    inservice
serverfarm redirect REDIRECT_FARM
     rserver JDEDV_RED
       inservice
class-map match-any JDEDV_vip_80
2 match virtual-address 172.16.73.10 tcp eq www
class-map match-any JDEDV_vip_13333
2 match virtual-address 172.16.73.10 tcp eq 13333
policy-map type loadbalance first-match JDEDV_80
class class-default
    serverfarm REDIRECT_FARM
policy-map type loadbalance first-match JDEDV_13333
class class-default
    serverfarm JDEDV
policy-map multi-match MULTI_POLICY
class JDEDV_vip_80
    loadbalance vip inservice
    loadbalance policy JDEDV_80
class JDEDV_vip_13333
    loadbalance vip inservice
    loadbalance policy JDEDV_13333
interface vlan X
     service-policy input MULTI_POLICY
I hope this helps
Daniel

ACE Redirect. Configuration Problem?

Hi,
I´m configuring Redirect in ACE 4710 and it doesn´t work fine. The client has two real servers and he wants redirect the traffic when both real servers are down.
They have other server with static content (http) for redirect the trafic.
The configuration is (complete configuration is attached):
rserver host Backup_Rserver
ip address 192.168.0.212
inservice
rserver host achs-tamw01
ip address 192.168.0.217
inservice
rserver host achs-tamw02
ip address 192.168.0.205
inservice
rserver host achs-tamw03
ip address 192.168.0.203
inservice
serverfarm host SF_Backup
rserver Backup_Rserver 80
    inservice
serverfarm host TAMW_80
predictor leastconns
probe PROBE_TAMW:80
rserver achs-tamw01 80
    inservice
rserver achs-tamw02 80
    inservice
rserver achs-tamw03 80
    inservice
sticky ip-netmask 255.255.255.255 address source TAMW_80_STICKY
replicate sticky
serverfarm TAMW_80 backup SF_Backup
policy-map type loadbalance first-match VIP-POLICY-TAMW_80
class class-default
   sticky-serverfarm TAMW_80_STICKY
policy-map multi-match LB-VIP
class VIP_TAMW_80
    loadbalance vip inservice
    loadbalance policy VIP-POLICY-TAMW_80
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 10
interface vlan 10
nat-pool 1 172.16.10.39 172.16.10.39 netmask 255.255.255.255 pat
service-policy input LB-VIP
When both real servers are down, the VIP remains operational and the backup real servers is operational and I can see statistics increase in this server:
ACE-CC/Contexto_B# sh rserver
rserver              : Backup_Rserver, type: HOST
state                : OPERATIONAL (by default, unverified)
                                                ----------connections-----------
       real                  weight state        current    total
   ---+---------------------+------+------------+----------+--------------------
   serverfarm: SF_Backup
      192.168.0.212:0       8      OPERATIONAL 4          66
In these moment both real servers were down and I could see connections, but when user from Internet o LAN try to connect it can´t see static content.
ACE-CC/Contexto_B# sh service summ
service-policy: LB-VIP
Class                            VIP             Prot Port        VLAN          State    Curr Conns   Hit Count Conns Drop
VIP_TAMW_80                      172.16.10.150   tcp   eq 80       1,10           IN-SRVC          21         903          0
VIP remains operational.
Regards,
Jaime

Hi Peter,
I did test only in HTTP mode. In the configurations you can see that I applied a backup server only the port 80:
serverfarm host SF_Backup
   rserver Backup_Rserver 80
    inservice
I didn´t create a SF_Backup_443 because we were testing only with services in HTTP.
I still can´t do labs test, although it seems that configuration is well.
Regards.
Jaime.

ACE redirection of users to specific Brokers via AD authentication for VMWare View

Hi
I'm currently looking at a requirement we have to direct users to a particular VMWare broker dependent up AD credentials. An overview is that we have 2 data centers, each with a specific brokers and set of VDIs. Users are mapped to a particular data centre where their VDI exists. When they are sent to a particular DC I want the ACE to check credential against AD and determine if they should be going to the local broker or redirected to the other DC.
I've had a look at the F5 LTM with the APM installed and this supports this functionality. However I can't see anything on the ACE that provides a handoff to AD for user credential checking to make decisions on which broker to send the user to. Does anybody know if the ACE supports this type of feature?
Thanks
Malcolm

Hi Malcolm,
You may need to talk to your Cisco SE engineer to do a Product Enhancement Request to analyze and eventually add it in future releases
Jorge

ACE Redirection

I have ACE 4710 and I want to use this to redirect port 80 traffic to my proxy server. But I am not able to do that. MY ACE is in routed mode. Below is my ACE configuration when I am applying the policy on the interface I am not able to browse the Internet.
I am connected to the Interface VLAN 300. Below is the configuration for ACE.
class-map type management match-any CM_ALL
2 match protocol snmp any
3 match protocol http any
4 match protocol https any
5 match protocol icmp any
6 match protocol telnet any
class-map match-any CM_BYPASS_FOR_LAN
3 match virtual-address 100.1.1.0 255.255.255.0 tcp eq www
8 match virtual-address 10.0.0.0 255.0.0.0 tcp eq www
9 match virtual-address 172.16.0.0 255.255.0.0 tcp eq www
10 match virtual-address 192.168.0.0 255.255.0.0 tcp eq www
11 match virtual-address 172.20.0.0 255.255.0.0 tcp eq www
12 match virtual-address 172.23.15.0 255.255.255.0 tcp eq www
13 match virtual-address 172.23.16.0 255.255.255.0 tcp eq www
class-map match-any CM_BYPASS_SUBNET
9 match virtual-address 100.0.0.0 255.0.0.0 tcp eq www
15 match virtual-address 192.168.0.0 255.255.0.0 tcp eq www
16 match virtual-address 172.20.0.0 255.255.0.0 tcp eq www
17 match virtual-address 172.16.0.0 255.255.0.0 tcp eq www
18 match virtual-address 172.23.16.0 255.255.255.0 tcp eq www
19 match virtual-address 172.23.15.0 255.255.255.0 tcp eq www
20 match virtual-address 10.0.0.0 255.0.0.0 tcp eq www
class-map match-any CM_IM
2 match virtual-address 0.0.0.0 0.0.0.0 tcp eq 5050
3 match virtual-address 0.0.0.0 0.0.0.0 tcp eq 1080
4 match virtual-address 0.0.0.0 0.0.0.0 tcp eq 5101
class-map match-all CM_SF_BCPR
255 match virtual-address 0.0.0.0 0.0.0.0 tcp eq www
policy-map type management first-match PM_ALL
class CM_ALL
permit
policy-map type loadbalance http first-match PM_L7_BYPASS_FOR_LAN_HTTP
class class-default
forward
policy-map type loadbalance http first-match PM_L7_BYPASS_HTTP
class class-default
forward
policy-map type loadbalance http first-match PM_LB_SF_BCPROXY
class class-default
serverfarm SF_BCPR
policy-map multi-match PM_BYPASS_FOR_LAN_HTTP
class CM_BYPASS_FOR_LAN
loadbalance vip inservice
loadbalance policy PM_L7_BYPASS_FOR_LAN_HTTP
policy-map multi-match PM_BYPASS_HTTP
class CM_BYPASS_SUBNET
loadbalance vip inservice
loadbalance policy PM_L7_BYPASS_HTTP
policy-map multi-match PM_MAIN_BCPROXY
class CM_SF_BCPR
loadbalance vip inservice
loadbalance policy PM_LB_SF_BCPROXY
loadbalance vip icmp-reply active
appl-parameter http advanced-options PARAMAP_CASE
service-policy input PM_ALL
interface vlan 100
description FW-INSIDE CONTEXT1
ip address 192.168.180.5 255.255.255.240
no icmp-guard
access-group input acl-out
no shutdown
interface vlan 300
description ACE-INSIDE CONTEXT RACK1
ip address 192.168.10.5 255.255.255.0
no normalization
no icmp-guard
access-group input acl-in
service-policy input PM_BYPASS_FOR_LAN_HTTP
service-policy input PM_BYPASS_HTTP
service-policy input PM_MAIN_BCPROXY
no shutdown
interface vlan 301
description BC-VLAN CONTEXT RACK1
ip address 192.168.180.97 255.255.255.240
access-group input acl-proxy
no shutdown
Please let me know where I am missing the configuration. I will be very thankful for the prompt help.

Hi,
You need to put your rserver inservice.
rserver host RS_BCPR01
ip address 192.168.180.103
inservice
As you can see, when you're displaying your rserver/serverfarm, it's current status is OUTOFSERVICE, which indicates, that the rserver has been manually suspended for service.
hth

ACE Redirection question

We are migrating a large application to a new serverfarm one folder at a time. the exiting applicaiton server is not loadbalanced via the ACE.
We want to set a vip on the ACE as the primary DNS entry for host ans.company.com. When users requrest ans.company.com/dfr they will get L7 loadbalanced (via url matching) to a new local serverfarm.
When the users request ans.company.com/cms we want to redirect them to the old application server that wull be renamed via dns as classic.ans.company.com.
As each folder is migrated to the new servers the L7 rules will be modified to keep that traffic local
example
user requests ans.company.com/bfr or ans.company.com/cms they will be sent to the local new serverfarm.
user requests ans.company.com/dma1 or ans.company.com/dma2 they will be redirected to classic.ans.company.com/dma1 or classic.ans.comapny.com/dma2 (depending on the original request).
Does anyone have an sample script for this type of senario? I have the loadbalancing working fine. It's the redirection that is not working. I am trying to use a L7 url match to send the requrest to a redirect rserver
Any help would be appreciated.

It should be some thing like
rserver redirect REDIRECT-TO-OLD
webhost-redirection http://classic.ans.company.com/%p 302
inservice
serverfarm redirect REDIRECT-SERVERFARM
rserver REDIRECT-TO-OLD
inservice
class-map type http loadbalance match-any local-new
match http url /bfr
match http url /cms
class-map type http loadbalance match-any remote-old
match http url /dma1
match http url /dma2
policy-map type loadbalance first-match L7_LOGIC
class local-new
serverfarm local-serverfarm
class remote-old
serverfarm REDIRECT-SERVERFARM
policy-map multi-match CLIENT_VIPS
class VIPs
loadbalance vip inservice
loadbalance policy L7_LOGIC
HTH
Syed Iftekhar Ahmed

ACE redirection issue

Hi,we have our main website https://abc.com and it provides links to users for various applications.If i go to https://abc.com and click the link xyz on it, i get back to main page again and current connections drops to 0. here my browser should be redirected to https://abc.com/xyz which is not happening. Traffic is getting tunnnled to https://abc.com as seen in logs in http catcher.
But if i type in https://abc.com/xyz in browser, i go to correct page.
below is my configuration. please let me know if any other configuration is needed, Below config is with 2 links but actual production has many links.
I have similar issue for another application where links on main page can not be accessed. that application works on http instead of https.
rserver redirect xyz
inservice
webhost-redirection "https://abc.com/xyz"
rserver redirect uvw
inservice
webhost-redirection "https://abc.com/uvw"
rserver host abc
ip address 1.1.1.1
inservice
serverfarm redirect xyz
rserver xyz
inservice
parameter-map type http case_param
case-insensitive
no persistence-rebalance (i also tried enabling it)
set header-maxparse-length 65535
set content-maxparse-length 65535
length-exceed continue
parameter-map type ssl abc
cipher RSA_WITH_3DES_EDE_CBC_SHA
ssl-proxy service abc
key abc
cert abc
ssl advanced-options abc
serverfarm redirect uvw
rserver uvw
inservice
serverfarm host abc
rserver abc
inservice
class-map type http loadbalance match-any map1
   match http url /xyz.*
class-map type http loadbalance match-any map1
   match http url /uvw.*
policy-map type loadbalance first-match ssl-abc
class map1
    serverfarm xyz
class map2
    serverfarm uvw
class class-default
    serverfarm abc
class ssl-intranet
    loadbalance vip inservice
    loadbalance policy ssl-abc
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 368
    appl-parameter http advanced-options case_param
    ssl-proxy server abc
the IP address mentioned for abc.com (1.1.1.1) is on cisco CSS (VIP for www.abc.com for internal users) which is serving my internal clients. The CSS then points to actual server hosting abc.com. The ACE is serving clients coming from Internet and CSS is serving my internal clients which connect with http. Is this problem because of communication issue between ACE and CSS?
Can anybody suggest?

class-map match-all intranet
2 match virtual-address 198.184.231.7 tcp eq www
class-map match-all ssl-intranet
2 match virtual-address 198.184.231.7 tcp eq https
I have 2 different policy maps .........intranet map redirects to ssl-intranet map which then makes redirection to individual applications.
policy-map multi-match external-lb
class extranet
    loadbalance vip inservice
    loadbalance policy extranet
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 368
    appl-parameter http advanced-options case_param
class ssl-extranet
    loadbalance vip inservice
    loadbalance policy ssl-extranet
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 368
    appl-parameter http advanced-options case_param

Configuration help - ACE redirection

Please see the below ACE configuration. It is currently in place for both load balancing and redirection. Here are the 4 current scenarios...
1. https://www.URL1.com is the desired URL and will be load balanced. Certificate is for this URL.
2. http://www.URL1.com will redirect the client to https://www/URL1.com for appropriate load balancing.
3. URL1.com resolves to the same vip ip address as www.URL1.com, so http://URL1.com will redirect the client to https://URL1.com
4. https://URL1.com will be load balanced, but client gets a certificate error since the cert is not associated with this address.
How can I redirect http://URL1.com and https://URL1.com to https://www.URL1.com? Can I create a L7 policy map in addition to the existing L4 policy map?
Thanks for any help you can give.
rserver host URL1-ws07
ip address 1.1.1.1
inservice
rserver host URL1-ws08
ip address 1.1.2.1
inservice
rserver host URL1-ws09
ip address 1.1.3.1
inservice
rserver host URL1-ws10
ip address 1.1.4.1
inservice
rserver host URL1-ws06
ip address 1.1.5.1
inservice
!************** Generic redirect rserver used by many policy maps to redirect clear text addresses to secure addresses *************
rserver redirect server-rd
webhost-redirection https://%h%p 301
inservice
ssl-proxy service URL1
key URL10911-key
cert URL10911-cert
chaingroup verisign-ev-cg
serverfarm host URL1
description www.URL1.com
probe port_80
rserver URL1-ws07 80
    inservice
rserver URL1-ws08 80
    inservice
rserver URL1-ws09 80
    inservice
rserver URL1-ws10 80
    inservice
rserver URL1-ws06 80
    inservice
sticky http-cookie acecookie sticky-URL1
cookie insert browser-expire
replicate sticky
serverfarm URL1
!***************** Redirect to https *****************
class-map match-all URL1-vip
2 match virtual-address 2.2.2.2 tcp eq https
class-map match-all URL1-vip-rd
2 match virtual-address 2.2.2.2 tcp eq www
policy-map type loadbalance first-match URL1-lb
class class-default
    sticky-serverfarm sticky-URL1
    action https-rewrite
    insert-http X-Forwarded-For header-value "%is"
policy-map type loadbalance first-match URL1-rd
class class-default
    serverfarm server-rd
policy-map multi-match yellow-policy
class URL1-vip-rd
    loadbalance vip inservice
    loadbalance policy URL1-rd
    loadbalance vip icmp-reply active
class URL1-vip
    loadbalance vip inservice
    loadbalance policy URL1-lb
    loadbalance vip icmp-reply active
    appl-parameter http advanced-options generic-http-parameter-map
    ssl-proxy server URL1

Hi there,
If all the URLs respond to the same VIP then you need to modify your server-rd as follows:
rserver redirect server-rd
webhost-redirection https://www.URL1.com/%p 301
inservice
That would take care of the HTTP part.
For HTTPS we can't do much as decryption happens before URL matching, you'll get the certificate
error before being sent to the correct domain. The only way you can get HTTPS working is either with:
- Wildcard Certificate: *.URL1.com
- SAN certificate: You can include multiple domains into the same SSL certificate.
HTH
Pablo

ACE redirect problem

Hi,
Hopefully someone can tell me if what i'm trying to achieve is possible. I need to append details to a URL, i've attempted a rewrite but dont want to send the 10.10.10.1 address back to the client and want to send their original request with the appended URL. As the ip and port are staying the same the request loops. Hardware ACE 4710 software A3 (2.0)
I need to loadbalance.
http://ourdomain.com:9080 > http://10.10.10.1-10:9080/ThisBitAdded
ourdomain.com resolves to the same address every time, 10.10.10.1-10 are the real servers.
Any help greatly appreciated.
Thanks
Chris

Chris:
As I'm preparing a response, I'm curious about how you have it set up at this point. What is the configuration that you were testing?

ACE: How to have icmp-reply active ignore redirect rhosts?

I'm wondering if anyone knows if I can have an ace4710 not reply to ICMP requests for a VIP unless atleast one of the host rservers is up. It appears to reply if just a single redirect service is online.
Thanks,
Chad

Chad,
Thanks for the clarification regretably I'm pretty sure the ACE works alike as the CSS in this requirement.
The problem is that the content rules (CSS) and the class-maps (ACE) are not dependent with each other. i.e with a config like the one shown below regardless if you suspend the service SIP or the content Web, ICMP still is going to be answered as the MAC address is still allocated on the arp table of your SW, in this case for the content Redirect there's no way you can stop ICMP replies other than manually suspending the rule.
owner Web
content Redirect
    vip address 10.10.10.10
    url "/*"
    port 80
    protocol tcp
    redirect "http://website.com/blah.htm"
    active
content Web
    vip address 10.10.10.10
    port 80
    protocol tcp
    url "/blah*"
    add service SIP
    active
I had thought I would've been able to it with an ACL like this one buuuut this is not traffic directed to the VIP :S
acl 5
clause 1 deny icmp any destination content Web/Redirect
clause 2 permit icmp any destination content Web/Web
clause 3 permit any any destination any
apply circuit-(VLAN10)
Same happens with the ACE redirect services will always make the VIP show as "inservice" as they don't require a health check to check the aliveness, these ones were thought to be UP all the time.
serverfarm host Web
probe HTTP
rserver Web-1
    inservice
rserver Web-2
    inservice
rserver redirect Redirect
webhost-redirection https://%h/blah.htm
inservice
serverfarm redirect Blah
rserver Redirect
    inservice
class-map type http loadbalance match-any Any
2 math http url .*
class-map type http loadbalance match-any Blah
2 match http url /blah.htm
policy-map type loadbalance first-match Insertion
   class Blah
     serverfarm Web
   class Any
     serverfarm Blah

ACE http/https redirect or rewrite

Greetings,
We have a setup that requires ACE http/https redirection or rewrite.
A client connects to a secured Web portal which has its ssl termination on the ACE.
The web portal will request from the client a redirection to another application. As the portal is unaware that the incoming client https request was terminated on the ACE,
the client receives the redirect request for an unsecured http URL rather than for the secured https URL.
In this case what would be best to use? ACE "rewrite" or "redirect"?
Will the following example config for ACE "redirect" be sufficent to implement this?
ssl-proxy service ssl-App-443-81
key app1.test.com.key
cert app1.test.com.cert
rserver redirect App-secure-redirect
webhost-redirection https://app1.test.com/Go/
inservice
serverfarm redirect App-secure-redirect-sf
rserver App-secure-redirect
inservice
serverfarm host App-81-sf
probe TCP81
rserver proxy1 81
inservice
rserver proxy2 81
inservice
parameter-map type http http_param_map
header modify per-request
sticky http-cookie App-cookie App-sticky
cookie insert
replicate sticky
serverfarm App-81-sf
class-map match-any App-443-81-cm
2 match virtual-address 10.10.10.112 tcp eq https
class-map match-any App-81-cm
2 match virtual-address 10.10.10.112 tcp eq 81
class-map type http loadbalance App-secure-redirect-cm
match http url http://app1.test.com:81/Go/
policy-map type loadbalance http first-match App-rewrite-pm
class App-secure-redirect-cm
serverfarm App-secure-redirect-sf
policy-map type loadbalance http first-match App-sticky-443-81-pm
class class-default
sticky-serverfarm App-sticky
policy-map multi-match policy-inbound
class App-81-cm
loadbalance vip inservice
loadbalance policy App-rewrite-pm
loadbalance vip icmp-reply active
loadbalance vip advertise active
class App-443-81-cm
loadbalance vip inservice
loadbalance policy App-sticky-443-81-pm
loadbalance vip icmp-reply active
loadbalance vip advertise active
appl-parameter http advanced-options http_param_map
ssl-proxy server ssl-App-443-81

If you are offloading www.yoursite.com on ACE and on the backend
real servers are not ssl aware (sends URL with http://) then with
following sample config you can instruct ACE to rewrite such urls (http->https)
class-map match-all VIP-443
match virtual-address x.x.x.x tcp eq https
action-list type modify http HTTP2HTTPS-REWRITE
ssl url rewrite location www\.yoursite\.* sslport 443 clearport 80
policy-map type loadbalance first-match YOUR-POLICY
class class-default
serverfarm YOUR-SFARM
action HTTP2HTTPS-REWRITE
class VIP-443
loadbalance vip inservice
loadbalance policy YOUR-POLICY
loadbalance vip icmp-reply active
ssl-proxy server YOUR-SSL-SERVICE
You need Ace2.x+ on Ace module & 3.x+ on 4710 appliance for this feature.
Syed Iftekhar Ahmed

Full URL re-direct with ACE 4710

Is there anyway to perform a redirect on the ACE 4710 so that it will redirect a request sent to the domain mydomain.com be redirected to www.mydomain.com, this is so that an installed SSL certificate will match.
Thanks

Thank you for your response, but the redirect would occur before any encyption.. for example today this is what happens
someone goes to
http://www.mydomain.com
and the ACE redirects the connection to
https://www.mydomain.com
What I want is for someone to go to
http://mydomain.com (without the www) and for it to redirect to
http://www.mydomain.com which will inturn redirect to https://www.mydomain.com
or it can just redirect to https://www.mydomain.com
So the encryption will not occur until it is redirected to teh correct websit

Use ACE to redirect or insert a WWW in a client request

I am using ACE 4710s running 4.1 to load balance web traffic across our web server farms. Redirection is configured to redirect http to https. There is a new requirement to redirect a request that does not include the "www" in the URL to include the "www". In other words, if a client merely types "mytesturl.com/test1" the ACE is to redirect or rewrite and insert the www so the request becomes"www.mytesturl.com/test1". I am searching through the documentation, but thought I would pick the collective brains of the community at the same time to see who can come up with the correct answer first. Below is a sample of the working config.
Thanks in advance,
mb
rserver host RS_TEST_01
description ***Test Producation Host***
ip address 10.64.64.45
inservice
rserver redirect RD_EC
description ***TEST Sub-Site***
webhost-redirection https://www.test.com/EC/
inservice
rserver redirect http
webhost-redirection https://%h%p 301
inservice
serverfarm redirect REDIRECT
rserver http
    inservice
serverfarm host SF_TEST
rserver RS_TEST_01 80
    inservice
serverfarm redirect SF_EC
description ***Test Sub-Site***
rserver RD_EC
    inservice
sticky ip-netmask 255.255.255.0 address both STICKY_TEST_1
timeout 600
replicate sticky
serverfarm SF_TEST
ssl-proxy service SSL_TEST_1
key TEST_KEY
cert TEST_CERT
chaingroup VERISIGN
ssl advanced-options SSL_TERMINATION
class-map match-any TEST_VIP_01
description ***VIP for TEST***
2 match virtual-address 10.64.74.45 tcp eq https
class-map type http loadbalance match-all TEST_EC
2 match http url /ec*
policy-map type loadbalance first-match LB_TEST_01
description ***Load Balancing Policy for Test***
class TEST_EC
    serverfarm SF_EC
policy-map type loadbalance first-match LB_REDIRECT
description L7SLBPolicy-Redirect
class class-default
    serverfarm REDIRECT
policy-map multi-match NEW_WEB_POLICY
class TEST_VIP_01
    loadbalance vip inservice
    loadbalance policy LB_TEST_01
    loadbalance vip icmp-reply active
    ssl-proxy server SSL_TEST_1
interface vlan 474
description ***Front End VIP interface***
ip address 10.64.74.254 255.255.255.0
alias 10.64.74.252 255.255.255.0
peer ip address 10.64.74.253 255.255.255.0
access-group input TEST_WEB
service-policy input TEST_WEB_POLICY
no shutdown

Hi Michael,
The configuration to achieve this would be something like the one below. I wrote it without trying it in the lab first, so, make sure to test it before putting it in production (specially the syntax of the regular expressions)
rserver redirect http
webhost-redirection https://%h%p 301
inservice
rserver redirect http_and_www
webhost-redirection https://www.%h%p 301
inservice
serverfarm redirect REDIRECT
rserver http
    inservice
serverfarm redirect REDIRECT_and_www
rserver http_and_www
    inservice
class-map type http loadbalance match-all http_with_www
2 match http header Host header-value www.*
policy-map type loadbalance first-match LB_REDIRECT
description L7SLBPolicy-Redirect
class http_with_www
    serverfarm REDIRECT
class class-default
    serverfarm REDIRECT_AND_WWW
I hope this helps
Daniel

ACE - Redirect

Similar Messages

Maybe you are looking for