ACE: SMTP Header insertion

Is this possible with ACE?
I'm trying to pass source address info through an imaginary realserver (a proxy). The real server is either configured on a second ACE and/or on an SMTP-proxy server.
SS

We only do header insertion for HTTP.
G.

Similar Messages

  • ACE: dropped conns due to header insert

    My LB is dropping connections on port 443 when I have "insert-http source header-value "%is" configured. Other ports such as 80, or 8080 are working. The config is the same for all ports.
    class-map match-any Service_VIP_Class
      4 match virtual-address 1.1.1.1 tcp eq https
    policy-map type loadbalance first-match Service_L7_Policy
      class class-default
        serverfarm Service_Serverfarm
        insert-http source header-value "%is"
    policy-map multi-match Service_LB_Policy
      class Service_VIP_Class
        loadbalance vip inservice
        loadbalance policy Service_L7_Policy
        loadbalance vip icmp-reply active
        loadbalance vip advertise active
    I see dropped conns on the service policy. When I remove the header insertion config, it connects ok.
    Please help!

    There is no way any device (including ACE) can open an https packet to insert anything.
    Only exception:
    You offload ssl using server keys and certs. Then make changes to the decrypted packet.
    Syed

  • ACE One-Arm Source-NAT HTTP Header Insert

    Hello ACE Gurus,
    This is probably a dumb question but I'm looking for info on HTTP Header Insert for SSL sessions.  Does the HTTP header re-write action list work for SSL traffic?  I guess I'm not clear on whether or not the header is encrypted and if the ACE can modify on an HTTPS session.  Any input would be greatly appreciated.
    /r
    Rob

    Hi Rob,
    When using HTTPS, all the data is encrypted, including the HTTP headers.
    In such a situation, if you want to insert headers (or do any other kind of L7 processing), you will have to configure the ACE to do SSL termination. Once the connection is decrypted, the ACE can do any processing it needs before sending the connection towards the server either in clear text or again using HTTPS.
    I would recommend you to have a look at the link below. This is an example of how to configure an ACE for end-to-end SSL (so, HTTPS on both sides of the ACE). In the example, the only L7 processing that is being done is matching on the URL, but it would be enough to replace that part with whatever header insertion commands you need.
    http://www.cisco.com/en/US/partner/products/hw/modules/ps2706/products_configuration_example09186a00809c6f37.shtml
    If you still need more help to understand any of the points involved in the process, please, do not hesitate to contact me again.
    Regards
    Daniel

  • ACE CLIENT CERTIFICATE INSERTION IN HEADER

    Hi guys.
    I have a doubt regarding the client cert insertion in the https header.
    The exact problem is that in the old SSL module we had an option like this:
    policy http-header cert_pass
         client-cert pem
    As you can see, we configure the option to pass the complete certificate in pem format in one header.
    I'm unable to find this option in ACE version 5.1(3).
    Any idea?
    Thanks!

    Hi David,
    Maybe I didn't understand. Is this what you are looking for? You can find it in the same link.
    Configuring HTTP Header Insertion of SSL Client Certificate Information
    When you configure the ACE for client authentication, you can instruct the ACE to provide the server with information about the client certificate that the ACE receives from the client. This SSL session information enables the server to properly manage the client request and can include certificate information such as the certificate serial number or the public key algorithm used to create the public key in the certificate. To forward the SSL session information to the server, the ACE inserts HTTP headers containing the client certificate fields that you specify into the HTTP requests that it receives over the client connection. The ACE then forwards the HTTP requests to the server.
    Note: To prevent HTTP header spoofing, the ACE deletes any incoming HTTP headers that match one of the headers that it is going to insert into the HTTP request.
    When you instruct the ACE to insert SSL client certificate information, by default, the ACE inserts the HTTP header information into every HTTP request that it receives over the client connection because persistence rebalance is enabled by default. If you do not want the ACE to insert the information into every HTTP request that it receives over the connection, disable persistence rebalance in an HTTP parameter map. You can also instruct the ACE to insert the information into every HTTP request that it receives over the connection by creating an HTTP parameter map with the header modify per-request command enabled. You then reference the parameter map in the policy map that the ACE applies to the traffic. For information about creating an HTTP parameter map, see the Cisco 4700 Series Application Control Engine Appliance Server Load-Balancing Configuration Guide.
    Note: You must have the ACE configured for client authentication to insert an HTTP header with SSL client certificate field information (see the "Enabling Client Authentication" section). If you configure header insertion but do not configure the ACE for client authentication, no header information is inserted and the counters that track the header insertion operation do not increment (see Chapter 6, "Displaying SSL Information and Statistics").
    Regards,
    Kanwal
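The two behaviours in the documentation quoted above (deleting client-supplied copies of a header that is about to be inserted, and inserting on every request versus only on the first request of a persistent connection), modelled as an added example. This is not Cisco code and not from the posts; the header name `X-Client-IP`, the addresses and the sample requests are constructed, and the model assumes Content-Length framing and that requests after the first are forwarded unparsed when per-request processing is off.

```python
# Added illustration: simplified model of L7 header insertion on one keep-alive connection.
CRLF = b"\r\n"

def split_requests(stream: bytes) -> list[bytes]:
    """Split back-to-back HTTP/1.1 requests, using Content-Length to skip bodies."""
    requests = []
    while stream:
        head, sep, rest = stream.partition(CRLF + CRLF)
        if not sep:
            raise ValueError("no end of header detected")
        length = 0
        for line in head.split(CRLF)[1:]:
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"content-length":
                length = int(value.strip())
        requests.append(head + sep + rest[:length])
        stream = rest[length:]
    return requests

def rewrite(request: bytes, inserts: dict[str, str]) -> bytes:
    """Drop incoming headers that collide with an inserted name, then append ours."""
    head, sep, body = request.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    colliding = {name.lower() for name in inserts}
    kept = [lines[0]]  # request line is never touched
    for line in lines[1:]:
        name = line.partition(b":")[0].strip().decode("latin-1").lower()
        if name not in colliding:  # header names compare case-insensitively
            kept.append(line)
    kept += [f"{n}: {v}".encode("latin-1") for n, v in inserts.items()]
    return CRLF.join(kept) + sep + body

def proxy_connection(stream: bytes, inserts: dict[str, str], per_request: bool) -> bytes:
    """per_request=False models 'first request only': later requests pass unparsed."""
    out = []
    for index, request in enumerate(split_requests(stream)):
        out.append(rewrite(request, inserts) if per_request or index == 0 else request)
    return b"".join(out)

def header_values(stream: bytes, name: str) -> list[list[str]]:
    """What the server sees: values of `name` in each request on the connection."""
    seen = []
    for request in split_requests(stream):
        head = request.partition(CRLF + CRLF)[0]
        values = []
        for line in head.split(CRLF)[1:]:
            n, _, v = line.partition(b":")
            if n.strip().lower() == name.lower().encode("latin-1"):
                values.append(v.strip().decode("latin-1"))
        seen.append(values)
    return seen

# Constructed input: two requests on one connection, each carrying a client-supplied copy.
SAMPLE_STREAM = (
    b"GET /a HTTP/1.1\r\nHost: app.example\r\nX-Client-IP: 10.0.0.1\r\n\r\n"
    b"POST /b HTTP/1.1\r\nHost: app.example\r\nx-client-ip: 10.0.0.2\r\n"
    b"Content-Length: 5\r\n\r\nhello"
)
INSERTS = {"X-Client-IP": "198.51.100.7"}  # value the load balancer would insert

if __name__ == "__main__":
    for mode in (True, False):
        forwarded = proxy_connection(SAMPLE_STREAM, INSERTS, per_request=mode)
        print("per_request =", mode, "->", header_values(forwarded, "X-Client-IP"))
```

A server that trusts the inserted header should therefore sit behind a policy that processes every request on the connection, not only the first.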

  • HTTP header insertion problem with ACE

    Hi
    I am trying to configure the HTTP header insertion feature based on the action-list type modify http. Unfortunately it does not work.
    The config looks like this:
    action-list type modify http TEST
    header insert both Host header-value test:test.
    I added this action-list to the correct policy-map.
    When I checked the sniffer output on the server side, there is no test value in the HTTP header.
    I test the same feature based on the "insert-http" command in the policy-map and this one works.
    Could anybody help me with this problem?
    Thank you in advance
    Regards
    Lucas

    Hi Lukas,
    Add a new parameter-map named PRMAP_PERST_REBLNC and add this to the policy map using command appl-parameter http advanced-options PRMAP_PERST_REBLNC as shown below:
    action-list type modify http test-insert
      header insert both My-Header header-value test
      header insert both SSL header-value TRUE
    policy-map type loadbalance http first-match HtppInsert
      class class-default
        serverfarm linux1-80
        action test-insert
    policy-map multi-match SLB1
      class VIP-122-80
        loadbalance vip inservice
        loadbalance policy HtppInsert
        loadbalance vip icmp-reply active
        loadbalance vip advertise active
        loadbalance vip advertise metric 1
        connection advanced-options SetTos
        appl-parameter http advanced-options PRMAP_PERST_REBLNC
    parameter-map type http PRMAP_PERST_REBLNC
      persistence-rebalance
    Hope this will make all the packets get the HTTP header inserted, not only the first one.
    If it works then please let me know.
    Kind Regards.
    Sachin Garg

  • Http header insertion with MSISDN

    Hi
    I know that we can define an HTTP header insertion on the ACE to insert a custom header and a string into the value. Is there a way for me to insert a dynamic string read from a database into the value field? My exact requirement is to insert the MSISDN of mobile subscribers into their HTTP traffic. The MSISDN can be extracted from the RADIUS accounting messages.
    Any ideas, I have no clue as to how to do such a thing.
    thanks

    I don't know about this feature. I think it's not possible. ACE can insert/generate only cookie. All other L7 methods (e.g. http header) are using existing data in communication.
    MSISDN inserting to http header/uri is role of wap-gw, or something like that device in data flow process.
    martin

  • Wrong SMTP Header Information

    We have noticed that some emails have information in the data section of the SMTP header that looks like "johndoe@ <company.com>" instead of "[email protected]" if they are sent to any mailbox on our Exchange 2010 server.
    This wasn't the case before we upgraded to Exchange 2010. Has anyone seen this type of situation before?

    Hi itworker,
    Thank you for your question.
    Did this issue occur for all users?
    Did this issue have the effect that someone didn't receive emails?
    What is the CU of the current Exchange 2010?
    There are two values in an address, the display name and the email address, for example ‘displayname<[email protected]>’
    We cannot be sure which value is wrong. If the displayname is wrong, we could check it in the recipient mailbox and whether it is consistent with the address format, for example johndoe@ <company.com>. So we suggest you send the header information and the displayname on EMC to [email protected] for our troubleshooting.
    If there are any questions regarding this issue, please feel free to let me know.
    Best Regards,
    Jim
    Jim Xu
    TechNet Community Support

  • Header Insert Statistics on SSL Module

    Hi,
    I use an SSL Module running SW 2.1.8. Within the output of "sh ssl-proxy stats hdr" I have a lot of "Service Errors" without any configured http header insertion policy.
    Any idea what could cause this?
    Any answer is appreciated.
    Volker Kreisel
    Header Insert Statistics:
    Session Headers Inserted : 0 Custom Headers Inserted : 0
    Session Id's Inserted : 0 Client Cert. Inserted : 0
    Client IP/Port Inserted : 0
    No End of Hdr Detected : 0 Payload no HTTP header : 0
    Desc Alloc Failed : 0 Buffer Alloc Failed : 0
    Client Cert Errors : 0 Malloc failed : 0
    Service Errors : 28730384 Conn Entry Invalid : 0
    Buffers allocated : 0 Buffers Scanned : 0
    Insertion Points Found : 0 Header Overflow : 0
    End of Header Found : 0 Buffers Accumulated : 0

    CSCsb82589
    show ssl-proxy stats hdr counter Service Errors is erroneously increment
    This has been fixed in 3.1.1 and will be fixed soon in the next 2.1 release.
    Regards,
    Gilles.

  • ACE module only inserting X-Forwarder Header on first packet

    Hi,
    As above, I have a strange problem where if I use my proxy server to access an LB VIP then it is inserting the X-forwarding header for Each GET request.
    However if I make the request direct from my PC (not via Proxy) it inserts the header on the first packet but no subsequent packets unless I restart the browser.
    Any ideas????
    Thanks
    Scott

    Hi Scott,
    In the ACE documentation, check out the section on Configuring the ACE to Modify Headers on Every HTTP Request or Response.
    I hope this helps,
    Sean

  • Cisco ACE - dynamic header rewrite

    Can the ACE do dynamic http host and URL rewrites using an action list and variables?
    I need to rewrite a URL like this...
    http://*.domain.com rewritten to http://www.domain.com/user1/*
    For example...
    http://mikeyd.domain.com would be rewritten to http://www.domain.com/user1/mikeyd
    ... and so on for a large number of user names at the beginning of the URL string.
    I am trying to find the action-list syntax for header rewrite and having trouble figuring this out.  Would a redirection be a better option?
    Thanks, in advance, for any help with this.

    It's more related to disaster recovery planning than ACE configuration
    The cleanest way is to use L2 extension.
    Otherwise you can use VMWare SRM to change the IP addresses of your VMs, or run an OSPF process and replicate all the subnets and put it in the "shutdown state" (or announcing it with a very high cost, proximity routing will do the rest - ACE module can do this for the VIPs with OSPF route health injection, ACE4710 doesn't support RHI but on the upstream router you can define an IP SLA probe and perform conditional redistribution), or use a dummy VRF with all your subnets and when enabling DRP, perform route leaking... use NAT with DNS-based failover etc...
    There is no generic answer to your problem.

  • Interesting ACE URL Header & Load-balance & SSL on 2 VIPs

    Hi There
    I have an interesting situation that I am trying to solve. I have 4 websites, each one with SSL Off-Loading on the ACE on the outside. All FOUR websites run on a single server on the inside, but each website is using a different port number for differentiation. Also, they are currently only available on TWO IPs on the outside! I know.....it's a mare!
    So, RSERVER = SERVER = 192.168.0.1
    Each website has SSL Certs on the outside. https://website1.abc.com - https://website4.abc.com
    But, DNS is only bound to 2 IPs on the outside, as that is all we have available currently, until we free up more IPs.
    OUTSIDE:
    website1.abc.com = 172.16.0.1:443
    website2.abc.com = 172.16.0.1:443
    website3.abc.com = 172.16.0.2:443
    website4.abc.com = 172.16.0.2:443
    On the server we have:
    INSIDE: 192.168.0.1
    SERVER:8001 = website1.abc.com
    SERVER:8002 = website2.abc.com
    SERVER:8003 = website3.abc.com
    SERVER:8004 = website4.abc.com
    So, in a nutshell what I need to do is:
    Terminate SSL for each website, then match the HTTP header, and pass it to the SERVER on the right port. Sounds easy enough.
    But, I am struggling like hell. The VIPs (Virtual IPs) on the OUTSIDE are causing me grief. My steps seem to be breaking my ruleset. Individually they all work, but once I tie them to the VIPs on the outside, it seems to stop. The first site in each CM (class-map) match in the PM (Profile-Map) works but the subsequent site just breaks.
    I would post my config, but right now I have sooooooooooooo many variations, it looks like a dog's breakfast.
    Can anyone give advice on the process flow to follow to get this to work? My issue is around the VIPs mainly. To be honest, I don't really care about Load-Balancing right now. That will come later when more servers are added to the mix. And then we might have to do inbound NAT too to the Server Farm, but that can wait! :-o
    I have created a HEADER map for the headers, individual SERVER FARMS for each port on the RSERVER, ACLs matching the VIPs inbound on 443, CLASS-MAPs matching the HEADER and applying to SFARM, POLICY MAPS matching the CMAPs and doing Load-Balancing with SSL-PROXYs for the SSL headers. SERVICE-POLICY tying it all together on Interface.
    But .... things are going haywire.
    So, steps are:
    RSERVER
    SFARMs = RSERVER:PORTs
    ACLs = VIPs
    CMAP = HEADER = URL
    LB PMAP = HEADER CMAP & SFARM
    PMAP MULTIM = ACL CMAP + LB PMAP & SSL-Proxy
    SVC-POL = PMAP MULTIM

    Hi Surya
    Thanks for the prompt reply. I'm not quite sure what you mean when you say it can only handle 2 certs. Can you elaborate please?
    It would appear to me that you can actually only bind one cert to an IP, based on using a VIP address for the server farm as per the CM in the PM. I can hack out the irrelevant bits tomorrow and post what I have done thus far. I have played with multiple lines of code and various ways of trying to do this, but the end result is that it appears once I have the CM set per VIP I can only set one SSL-Proxy, and so only one cert. If I use multiple CMs, as per the MultiMatch policy, it matches the first CM against the VIP and doesn't appear to move on as per the HTTP Header. If any of that makes sense?
    regards

  • Src IP HTTP header insertion problem

    I have configured a vserver to loadbalance to 2 proxy servers over TCP port 8080.
    I use a policy to insert the source ip address of the client workstation to be
    inserted in the HTTP header.
    We use the same vserver to loadbalance HTTPS traffic.
    Apparently the CSM also tries to insert the IP address when HTTPS traffic
    is passing this vserver.
    Is this correct behavior? How can I solve this one?
    Thanks!
    Regards Wim

    Actually mozilla lets you specify different ports for proxy http and proxy https.
    Anyway, are the servers behind your CSM proxy servers?
    Do you have 'persistent rebalance' configured?
    If so, could you try to do 'no persistent rebalance' and see if that solves your problem.
    Normally, https connections via a proxy are still done with an HTTP connection with the request "CONNECT x.x.x.x:443" and the CSM should be able to insert the requested info.
    But we need to avoid the CSM inspecting further packets as this would be ssl traffic -> so disable persistent rebalance.
    Just an idea.
    Regards,
    Gilles.

  • ACE http header rewrite

    hi
    is there any chance to change my request on ACE like this?
    the request is http://www.xpto.com and I need it to be rewritten to http://xpto.com
    thanks in advance
    Antero

    Hi Antero,
    Yes, this is possible. Just check the link below for more details
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA2_3_0/configuration/slb/guide/classlb.html#wp1151822
    Assuming "http://www.xpto.com" is the only request you want to rewrite, the syntax of the action would be "header rewrite request Host header-value www.xpto.com replace xpto.com"
    If, however, you need to create this action in a more generic way so that any URL is rewritten in the same format, you would need to use a regular expression. In this case, it would be something similar to the following (I didn't test it, so I'm not 100% sure that the regex is correct) "header rewrite request Host header-value www\.(.*)\.com replace %1.com"
    I hope this helps
    Daniel

  • ACE - Load Balance insert cookie method for https

    I am trying to load balance between 2 web servers using the cookie insert method by ACE for achieving the session persistence. The servers are not inserting any cookie. It works fine for the http connections but when trying with https connection it is not working.
    Can anyone help me with this please.
    Is it that the ACE cookie insert method of session persistence will not work with https connections?

    Hi,
    1. for https you can use src ip as sticky (mega proxy problem).
    2. you can terminate ssl connection on ace (ssl between client and ace only, between ace and server it's clear) and you can use any L7 sticky (for example cookie)
    3. if you need ssl terminate up to real server, you can first terminate ssl between client and ace on ace, then use L7 sticky and after then terminate second ssl to real server.
    in other words, if you don't decrypt ssl on ace, you can use only L2/3 data for sticky (or ssl id for ssl v2.0)
    martin

  • ACE http header response

    Hi,
    I have for example a site http://abc.com which responds back with the port on which it's being used on the server, ex: http://abc.com:9081
    How would I rewrite the response to remove the port on the server that is being used?
    Thank you,

    Hi,
    Do you have to rewrite the 30x redirect response from the server, or is it a normal response?
    You can try below:
    (config)# action-list type modify http H
    (config-actlist-modify)# header rewrite response Location header-value http://abc.com:9008  replace http://abc.com
    I am using header name as Location. Please use according to your need.
    I haven't tried this myself but it should work. Try and let me know.
    Regards,
    Kanwal
