ACE: URL redirection
Hi,
I need to do URL redirection. I've worked on CSS a lot so far, but I'm a newbie to ACE.
For example, my CSS config for URL redirection is as follows:
service server1:443
ip address 192.168.1.1
protocol tcp
port 443
keepalive type ssl
active
service server2:443
ip address 192.168.1.2
protocol tcp
port 443
keepalive type ssl
active
service server1:80
type redirect
redirect-string "https://mail.google.com/exchange"
ip address 192.168.1.1
no prepend-http
active
service server2:80
type redirect
redirect-string "https://mail.google.com/exchange"
ip address 192.168.1.2
no prepend-http
active
owner mail
content mail.google.com:443
vip address 10.10.10.1
port 443
protocol tcp
application ssl
add service server1:443
add service server2:443
advanced-balance sticky-srcip
active
content mail.google.com:80
vip address 10.10.10.1
protocol tcp
port 80
url "/*"
add service server1:80
add service server2:80
active
What would be the equivalent ACE config? Please advise.
probe tcp generic-tcp
interval 5
passdetect interval 20
passdetect count 2
connection term forced
exit
rserver server1
ip add 192.168.1.1
inservice
exit
rserver server2
ip add 192.168.1.2
inservice
exit
rserver redirect https-target
webhost-redirection https://mail.google.com/exchange
inservice
exit
serverfarm redirect secure-redirect
rserver https-target
inservice
exit
serverfarm host SF443
failaction purge
predictor leastconns
probe generic-tcp
rserver server1 443
inservice
rserver server2 443
inservice
exit
exit
sticky ip-netmask 255.255.255.255 address source SF443-SG
timeout 3600
replicate sticky //only required if HA is in use
serverfarm SF443
exit
class-map match-any www-CM
2 match virtual-address 10.10.10.1 255.255.255.255 tcp eq www
exit
class-map match-any https-CM
2 match virtual-address 10.10.10.1 255.255.255.255 tcp eq 443
exit
policy-map type loadbalance first-match http-PM
class class-default
serverfarm secure-redirect
exit
exit
policy-map type loadbalance first-match https-PM
class class-default
sticky-serverfarm SF443-SG
exit
exit
policy-map multi-match LBR-LB
class www-CM
loadbalance vip inservice
loadbalance policy http-PM
loadbalance vip icmp-reply
class https-CM
loadbalance vip inservice
loadbalance policy https-PM
loadbalance vip icmp-reply
exit
exit
interface vlan xxx
ip address xxx
alias xxx
peer ip address xxx
access-group input xxx
service-policy input LBR-LB
no shutdown
exit
Similar Messages
-
ACE: URL redirect - not working
Hi,
I have to do URL redirection from port 80 to port 443. I have the following configured:
rserver redirect url.test.com-rd
webhost-redirection https://url.test.com/
inservice
serverfarm redirect url.test.com:80
description url.test.com - port 80 redirect ***
rserver url.test.com-rd
inservice
class-map match-any url.test.com:80
2 match virtual-address 192.168.1. tcp eq www
policy-map type loadbalance first-match url.test.com:80
class class-default
serverfarm url.test.com:80
policy-map multi-match LOAD_BALANCE
class url.test.com:80
loadbalance vip inservice
loadbalance policy url.test.com:80
loadbalance vip icmp-reply active
===
With the above configuration, ACE is redirecting port 80 to port 443, but it also rewrites the header, i.e. ACE sends me to "https://url.test.com/" if I type "http://url.test.com/abc" in the browser. It should have redirected to "https://url.test.com/abc" (it shouldn't have removed "/abc").
Could you advise how to accomplish it?
Thanks in advance...
Hi,
Thanks Pablo, but that isn't the expected response. The redirected URL shows the load-balanced server, i.e. for the following serverfarm of port 443:
serverfarm host url.test.com:443
description url.test.com - Port 7777 ***
failaction purge
probe url.test.com:7777
rserver server1.test.com 7777
inservice
The redirected URL comes as "http://server1.test.com:7777/abc/" ... instead of what I expect, i.e. "https://url.test.com/abc/". -
Interesting ACE URL Header & Load-balance & SSL on 2 VIPs
Hi There
I have an interesting situation that I am trying to solve. I have 4 websites, each one with SSL Off-Loading on the ACE on the outside. All FOUR websites run on a single server on the inside, but each website is using a different port number for differentiation. Also, they are currently only available on TWO IPs on the outside! I know.....it's a mare!
So, RSERVER = SERVER = 192.168.0.1
Each website has SSL Certs on the outside. https://website1.abc.com - https://website4.abc.com
But, DNS is only bound to 2 IPs on the outside, as that is all we have available currently, until we free up more IPs.
OUTSIDE:
website1.abc.com = 172.16.0.1:443
website2.abc.com = 172.16.0.1:443
website3.abc.com = 172.16.0.2:443
website4.abc.com = 172.16.0.2:443
On the server we have:
INSIDE: 192.168.0.1
SERVER:8001 = website1.abc.com
SERVER:8002 = website2.abc.com
SERVER:8003 = website3.abc.com
SERVER:8004 = website4.abc.com
So, in a nutshell what I need to do is:
Terminate SSL for each website, then match the HTTP header, and pass it to the SERVER on the right port. Sounds easy enough.
But, I am struggling like hell. The VIPs (Virtual IPs on the OUTSIDE) are causing me grief. My steps seem to be breaking my ruleset. Individually they all work, but once I tie them to the VIPs on the outside, it seems to stop. The first site in each CM (class-map) match in the PM (Profile-Map) works but the subsequent site just breaks.
I would post my config, but right now I have sooooooooooooo many variations, it looks like a dog's breakfast.
Can anyone give advice on the process flow to follow to get this to work? My issue is around the VIPs mainly. To be honest, I don't really care about Load-Balancing right now. That will come later when more servers are added to the mix. And then we might have to do inbound NAT too to the Server Farm, but that can wait! :-o
I have created a HEADER map for the headers, individual SERVER FARMS for each port on the RSERVER, ACLs matching the VIPs inbound on 443, CLASS-MAPs matching the HEADER and applying to SFARM, POLICY MAPS matching the CMAPs and doing Load-Balancing with SSL-PROXYs for the SSL headers, and a SERVICE-POLICY tying it all together on the Interface.
But .... things are going haywire.
So, steps are:
RSERVER
SFARMs = RSERVER:PORTs
ACLs = VIPs
CMAP = HEADER = URL
LB PMAP = HEADER CMAP & SFARM
PMAP MULTIM = ACL CMAP + LB PMAP & SSL-Proxy
SVC-POL = PMAP MULTIM
Hi Surya
Thanks for the prompt reply. I'm not quite sure what you mean when you say it can only handle 2 certs. Can you elaborate please?
It would appear to me that you can actually only bind one cert to an IP, based on using a VIP address for the server farm as per the CM in the PM. I can hack out the irrelevant bits tomorrow and post what I have done thus far. I have played with multiple lines of code and various ways of trying to do this, but the end result is that it appears once I have the CM set per VIP I can only set one SSL-Proxy, and so only one cert. If I use multiple CMs, as per the MultiMatch policy, it matches the first CM against the VIP and doesn't appear to move on as per the HTTP Header. If any of that makes sense?
regards
-
ACE url tampering and other security capabilities
Hi,
I was wondering if anyone knows whether it's possible with the ACE to secure administrative/backend URLs from the internet? i.e. https://x.company.com/IGGS/Admin I would like to block access to this URL from the internet, for example. I have read the documentation but it only mentions HTTP deep packet inspection and a lot of RFC stuff.
Regards
Tyrone
I can answer myself because I finally found a link to another post.
The following will restrict certain source addresses from accessing certain URLs via the ACE. I have tried this in one-armed mode, but it should work even with routed mode.
### Also important to notice is that when doing Layer-7 load balancing with SSL the ACE will need to terminate the tunnel, otherwise all traffic passes the ACE encrypted ###
class-map type http loadbalance match-all ten
2 match source-address 10.0.0.0 255.0.0.0
4 match http url .*
class-map type http loadbalance match-all seventeen
2 match source-address 17.16.0.0 255.255.0.0
4 match http url .*
class-map type http loadbalance match-any restrict
2 match http url /public.*
4 match http url /downloads.*
then use in load balance policy as follows:
policy-map type loadbalance first-match WEBSERVER_L7
class ten
sticky-serverfarm WEBSERVER_StickyGroup
class seventeen
sticky-serverfarm WEBSERVER_StickyGroup
class restrict
sticky-serverfarm WEBSERVER_StickyGroup
If you want to send outside users with other URLs to a sorry page, you would have a server in a serverfarm that would do that and use it in a class class-default at the bottom of the load balance policy. The matches on the load balance policy are top down, so order is important. -
Hi All
I had an issue with ACE two years ago where it was sending all YouTube traffic to the same cache while using URL hash. I had the below response from Cisco TAC.
Does anyone know if the new image resolved this?
Regarding your question about the used predictor and "splitting" the requests going to youtube to be handled by two caches, please note that the URL hashing will hash the domain name up to the "?" only, so we unfortunately cannot distinguish the caches to which to send the request when using this predictor method. The "?" is the default URL parsing delimiter.
Therefore, what we could try is changing the predictor method to another type, for example hash destination|source address or round robin, to verify if the load gets distributed among the caches more evenly.
There, we can see that you can specify a begin- and end-pattern to look for a specific pattern within a URL, too; however, as already stated, the hashing has no effect after the "?".
Regards
Sameer Shah
The ACE module and ACE 4710 appliance were enhanced so that the URL hashing predictor now includes the URL query seen after the '?' delimiter.
ACE module: A2(2.1) and later (BugID CSCsq99736)
ACE 4710: A3(2.2) and later (BugID CSCsr30433) -
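The TAC reply describes a hash-input problem, not a predictor bug: if the key fed to the hash stops at "?", every "/watch?v=..." request has the same key and lands on the same cache. The Python below is an added example, not code from the thread or from Cisco, that models the two behaviours side by side. CRC32 stands in for ACE's (unpublished) hash function, and the two-cache farm and sample URLs are constructed.

```python
import zlib

# Added example, not ACE code: models the "predictor hash url" behaviour the TAC reply
# describes. Before the fix, the hash covered the URL only up to the "?" delimiter, so
# every youtube request with the same path hashed to the same cache. The two-cache
# farm, the CRC32 stand-in for ACE's hash and the sample URLs are all constructed.

CACHES = ["cache-1", "cache-2"]

# Constructed sample: the same /watch path with different video ids in the query.
SAMPLE_URLS = [
    "http://www.youtube.com/watch?v=aaaa",
    "http://www.youtube.com/watch?v=bbbb",
    "http://www.youtube.com/watch?v=cccc",
    "http://www.youtube.com/watch?v=dddd",
    "http://www.youtube.com/watch?v=eeee",
    "http://www.youtube.com/watch?v=ffff",
]


def hash_key(url: str, include_query: bool) -> str:
    """Part of the URL the predictor hashes: up to '?' (old behaviour) or the whole URL."""
    before, sep, query = url.partition("?")
    return before + (sep + query if include_query else "")


def select_cache(url: str, include_query: bool, caches=CACHES) -> str:
    """Pick a cache from the hash of the key; CRC32 stands in for ACE's hash function."""
    key = hash_key(url, include_query)
    return caches[zlib.crc32(key.encode()) % len(caches)]


def distribution(urls, include_query: bool, caches=CACHES) -> dict:
    """Count how many requests each cache receives."""
    counts = {c: 0 for c in caches}
    for url in urls:
        counts[select_cache(url, include_query, caches)] += 1
    return counts


if __name__ == "__main__":
    print("hash up to '?':      ", distribution(SAMPLE_URLS, include_query=False))
    print("hash including query:", distribution(SAMPLE_URLS, include_query=True))
```

With include_query=False every sample URL produces the identical key, so one cache takes all six requests and the other none, which is the symptom the original poster saw; including the query gives six distinct keys that the hash can spread.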
Hi there,
I have 2 servers load balanced using SSL. I have a few URLs which I would like to exclude from the SSL:
/view/avac_message.cfm?denied=safeSurfOn
/view/avac_message.cfm?denied=illegal
/view/avac_message.cfm?denied=blacklist
The content switch seems to have an issue with special characters like . ? =
I have tried encapsulating them in [.] but it still comes up as invalid.
General idea is as follows:
1. Class Map to match the URL
(config)# class-map type http inspect HTTP_URLCHECK_L7CLASS
host1/Admin(config-cmap-http-insp)# match url *avac_message[.]cfm[?]denied=safeSurfOn
host1/Admin(config-cmap-http-insp)# match url *avac_message[.]cfm[?]denied=illegal
host1/Admin(config-cmap-http-insp)# match url *avac_message[.]cfm[?]blacklist
2. Layer 7 Policy Map to apply the match
host1/Admin(config)# policy-map type inspect http all-match L7_FILTERHTML_POLICY
host1/Admin(config-pmap-ins-http)# class L7_HTML_ALLOW_CLASS
host1/Admin(config-pmap-ins-http-c)# permit log
host1/Admin(config-pmap-ins-http-c)# exit
3. Layer 3 and 4 Policy Map to activate the traffic classifications
host1/Admin(config)# policy-map multi-match L4_FILTER_POLICY
host1/Admin(config-pmap)# class L4_MATCH_HTTP_URL_CLASS
host1/Admin(config-pmap-c)# inspect http policy L7_FILTERHTML_POLICY
host1/Admin(config-pmap-c)# exit
host1/Admin(config-pmap)# exit
host1/Admin(config)#
Can anyone advise a workaround to apply these url statements please?
Thanks
OK, not to confuse the issue, but I have applied the below config and I cannot seem to get the URL match policy to allow traffic to pass as HTTP, while forcing all other traffic to redirect as HTTPS.
Can anyone tell me what I am doing wrong here please?
rserver host Server01
description Primary Server
ip address 10.x.x.1
conn-limit max 2000000 min 1500000
inservice
rserver host Server02
description Secondary Server
ip address 10.x.x.2
conn-limit max 2000000 min 1500000
inservice
rserver redirect Server_Redirect
webhost-redirection https://www.mysite.ie
inservice
serverfarm host ServerAuth
rserver Server01 3807
inservice
rserver Server02 3807
inservice
serverfarm redirect ServerHTTP_Redirect
rserver Server_Redirect
inservice
serverfarm host ServerServers
rserver Server01 80
inservice
rserver Server02 80
inservice
sticky http-cookie server-cookie Server_Cookie_Sticky_Group
cookie insert
timeout 21
serverfarm MyServers
class-map type http inspect match-any HTTP_URLCHECK_L7CLASS
100 match url .*denied=safeSurfOn
200 match url .*denied=illegal
300 match url .*denied=blacklist
400 match url .*logo.jpg
class-map match-any L4_Server_Auth
description match traffic for Authentication
2 match virtual-address 10.103.3.9 tcp eq 3807
class-map match-any L4_Server_HTTP
description match traffic for VIP and HTTP Traffic
2 match virtual-address 10.103.3.9 tcp eq www
class-map match-any L4_Server_HTTPS
description match traffic for VIP and HTTPS Traffic
2 match virtual-address 10.x.x.99 tcp eq https
class-map type http loadbalance match-any L7_Server_URL
2 match http url .*
policy-map type loadbalance first-match L7_Server_LBPolicy
description Server Layer 7 Load Balancing Policy
class L7_Server_URL
sticky-serverfarm Server_Cookie_Sticky_Group
policy-map type loadbalance first-match L7_Server_LBPolicy_Auth
class L7_Server_URL
serverfarm ServerAuth
policy-map type loadbalance first-match L7_Server_LBPolicy_HTTP
class L7_Server_URL
serverfarm ServerHTTP_Redirect
policy-map type inspect http all-match L7_URLCHECK_POLICY
class HTTP_URLCHECK_L7CLASS
permit
policy-map multi-match L4_FILTER_POLICY
description L$ Server URL AVAC CHECK
class L4_Server_HTTP
loadbalance vip inservice
loadbalance vip icmp-reply active
loadbalance vip advertise active
inspect http policy L7_URLCHECK_POLICY
policy-map multi-match L4_Server_LBPolicy
description L4 Server Load-Balancing Policy
class L4_Server_HTTP
loadbalance vip inservice
loadbalance policy L7_Server_LBPolicy_HTTP
loadbalance vip icmp-reply active
loadbalance vip advertise active
class L4_Server_HTTPS
loadbalance vip inservice
loadbalance policy L7_Server_LBPolicy
loadbalance vip icmp-reply
loadbalance vip advertise active
ssl-proxy server SSL_Server_Server
class L4_Server_Auth
loadbalance vip inservice
loadbalance policy L7_Server_LBPolicy_Auth
loadbalance vip icmp-reply
loadbalance vip advertise active
interface vlan 291
service-policy input L4_Server_LBPolicy -
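The "invalid" error in the first post and the ".*denied=..." form in the follow-up config are two sides of one regex rule: "[.]" and "[?]" are fine as literal escapes, but a pattern starting with "*" has nothing to repeat, and a pattern that must cover the whole URL needs a leading ".*" to mean "contains". The Python below is an added example, not ACE code: ACE has its own regex engine, so Python's re is used only to show which of the thread's patterns are rejected, which match, and where an unescaped "." over-matches. Whole-URL matching is an assumption consistent with the patterns on the page.

```python
import re

# Added example, not ACE code: ACE has its own regex engine, so Python's re is used
# here only to show why the patterns from this thread are rejected or over-match.
# Assumption (consistent with the ".*denied=..." patterns the poster ended up with):
# the pattern has to match the whole URL, so a leading ".*" is needed for "contains".

SAMPLE_URL = "/view/avac_message.cfm?denied=safeSurfOn"   # constructed request URL


def compile_pattern(pattern: str):
    """Return the compiled regex, or None when the pattern is not valid regex syntax."""
    try:
        return re.compile(pattern)
    except re.error:
        return None


def url_matches(pattern: str, url: str) -> bool:
    """True when the whole URL matches the class-map pattern."""
    rx = compile_pattern(pattern)
    return rx is not None and rx.fullmatch(url) is not None


def check_patterns(patterns, url):
    """Map each pattern to 'invalid', 'match' or 'no match' for the given URL."""
    result = {}
    for p in patterns:
        if compile_pattern(p) is None:
            result[p] = "invalid"
        else:
            result[p] = "match" if url_matches(p, url) else "no match"
    return result


if __name__ == "__main__":
    for p, verdict in check_patterns([
        "*avac_message[.]cfm[?]denied=safeSurfOn",   # leading '*' has nothing to repeat
        ".*avac_message[.]cfm[?]denied=safeSurfOn",  # escaped '.' and '?' behave as literals
        ".*denied=safeSurfOn",                       # what the later config uses
        ".*logo.jpg",                                # unescaped '.' matches any character
    ], SAMPLE_URL).items():
        print(f"{verdict:9} {p}")
```

The last case is worth checking in the posted config: "400 match url .*logo.jpg" also matches "/img/logoXjpg", whereas ".*logo[.]jpg" only matches the literal file name. When a class-map decides which requests bypass HTTPS, that difference is the whole point of the rule.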
Hello,
I am trying to redirect inbound connections from http://foo.com to http://foo.com/this/is/a/test 301. The relevant portion of the redirect config is as follows:
rserver redirect RD_QA_ANONYMOUS_LOGIN
description Redirect Inbound Connections to Anonymous Login Page
webhost-redirection https://foo.com/this/is/a/test 301
inservice
serverfarm redirect SF_QA_ANON_LOGIN
description Redirect Inbound Connections to Anonymous Login Page
rserver RD_QA_ANONYMOUS_LOGIN
inservice
parameter-map type http REDIRECT
description Redirect Inbound Connections to Anonymous Login Page
case-insensitive
persistence-rebalance
class-map match-any RD_PORTAL_QA_VIP_1
description ***VIP for QA Customer Portal***
2 match virtual-address 10.145.19.135 any
class-map type http loadbalance match-all RD_QA_ANON_01
2 match http header Host header-value ".*foo.com/"
policy-map type loadbalance first-match LB_RD_EXTPORTAL_QA_1
class RD_QA_ANON_01
serverfarm SF_QA_ANON_LOGIN
policy-map multi-match EXT_TEST_POLICY
class RD_PORTAL_QA_VIP_1
loadbalance vip inservice
loadbalance policy LB_RD_EXTPORTAL_QA_1
loadbalance vip icmp-reply active
appl-parameter http advanced-options REDIRECT
Right now, the client is not receiving the redirect message, only a FIN. I've tried several variations of the above config, with no success. Any ideas?
Thanks,
Michael
Hello Kanwal,
Good question. The answer is yes, both. The first goal was to enable redirection without SSL. After that was working, the next goal was to enable SSL. Working with TAC, we came up with the following config, which enabled the redirection with SSL. BTW: The SSL config was already in place. I am adding the SSL config for the sake of completeness. Also we are re-writing headers in both directions:
crypto chaingroup CHAINGROUP
cert ROOT
cert WC_INTER_1
cert WC_INTER_2
rserver redirect RD_REDIRECT_SERVICE
webhost-redirection https://%h/this/is/a/test 301
inservice
rserver host RS_REAL_SERVER_01
ip address 10.10.10.10
inservice
serverfarm host SF_REAL_SERVERFARM_01
rserver RS_REAL_SERVER_01 1000
inservice
serverfarm redirect SF_REDIRECT_SERVICE
rserver RD_REDIRECT_SERVICE
inservice
parameter-map type http REWRITE
description Enable Header Rewrites
persistence-rebalance
header modify per-request
parameter-map type ssl SSL_TERMINATION
cipher RSA_WITH_RC4_128_MD5
cipher RSA_WITH_RC4_128_SHA
cipher RSA_WITH_3DES_EDE_CBC_SHA
cipher RSA_WITH_AES_128_CBC_SHA
cipher RSA_WITH_AES_256_CBC_SHA
sticky ip-netmask 255.255.255.0 address both STICKY_SERVERFARM_01
timeout 600
replicate sticky
serverfarm SF_REAL_SERVERFARM_01
action-list type modify http MODIFY_HEADER_LIST
header rewrite response location header-value "http://inside[.]foo[.]net(.*)" replace "https://outside.foo.com%1"
header rewrite response location header-value "http://inside[.]foo[.]com(.*)" replace "https://outside.foo.com%1"
header rewrite request Host header-value "outside\.foo\.com" replace "inside.foo.com"
ssl url rewrite location "outside\.foo\.com%1"
ssl-proxy service SSL_WC_01
key WC_KEY
cert WC_CERT
chaingroup RAPID_SSL
ssl advanced-options SSL_TERMINATION
class-map match-any VIP_1
2 match virtual-address 10.10.10.210 any
class-map type http loadbalance match-any LB_L7
2 match http url /.*
class-map type http loadbalance match-all REDIRECT_01
2 match http url /
policy-map type loadbalance first-match LB_POLICYMAP_1
class REDIRECT_01
serverfarm SF_REDIRECT_SERVICE
class LB_L7
sticky-serverfarm STICKY_SERVERFARM_01
action MODIFY_HEADER_LIST
policy-map multi-match MM_POLICY
class VIP_1
loadbalance vip inservice
loadbalance policy LB_POLICYMAP_1
loadbalance vip icmp-reply active
nat dynamic 1 vlan 60
appl-parameter http advanced-options REWRITE
ssl-proxy server SSL_WC_01 -
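The action-list in this config rewrites headers in both directions: Location values coming back from the inside hosts are rewritten to the outside HTTPS name, with "%1" carrying the captured path, and the request Host header is rewritten to the inside name. The Python below is an added example, not ACE code, that emulates those "header rewrite" entries. ACE writes captured groups as %1..%9 while Python's re uses \1..\9, so the replacement string is converted; whole-value matching and first-matching-rule-wins are assumptions of this emulation, and the sample backend response is constructed.

```python
import re

# Added example, not ACE code: emulates the action-list "header rewrite" entries from
# this config. ACE writes captured groups as %1..%9 in the replace string; Python's
# re uses \1..\9, so the replacement is converted before use. Assumption: the header
# value has to match the pattern in full and only the first matching rule applies.

# (header, pattern, replacement) taken from the posted action-list
RESPONSE_RULES = [
    ("location", r"http://inside[.]foo[.]net(.*)", "https://outside.foo.com%1"),
    ("location", r"http://inside[.]foo[.]com(.*)", "https://outside.foo.com%1"),
]
REQUEST_RULES = [
    ("host", r"outside\.foo\.com", "inside.foo.com"),
]


def to_python_template(ace_replace: str) -> str:
    """Turn ACE's %N group references into re's \\N form."""
    return re.sub(r"%(\d)", r"\\\1", ace_replace)


def rewrite_header(rules, name: str, value: str) -> str:
    """Apply the first rule whose header name and pattern fit; otherwise keep the value."""
    for header, pattern, replacement in rules:
        if header != name.lower():
            continue
        match = re.fullmatch(pattern, value)
        if match:
            return match.expand(to_python_template(replacement))
    return value


def rewrite_headers(rules, headers: dict) -> dict:
    """Rewrite every header in a message (dict of name -> value)."""
    return {name: rewrite_header(rules, name, value) for name, value in headers.items()}


if __name__ == "__main__":
    backend_response = {"Location": "http://inside.foo.net/this/is/a/test?x=1",
                        "Content-Type": "text/html"}   # constructed backend response
    print(rewrite_headers(RESPONSE_RULES, backend_response))
    print(rewrite_headers(REQUEST_RULES, {"Host": "outside.foo.com"}))
```

Two things the emulation makes visible: a Location the rules do not recognise (any other inside host name) passes through unchanged, which is exactly how an internal name can leak to clients, and a Host header carrying a port ("outside.foo.com:443") does not match the posted request rule, so the backend would see the outside name.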
ISE doesn't remove URL redirect
We have an ISE problem, in that the URL redirect sent to the access switch for guest auth is not removed even after successful authentication.
Debug shows RADIUS activity as normal, 802.1X failover to MAB, then redirect to webauth;
003064: Aug 22 17:48:08.340: %AUTHMGR-5-START: Starting 'mab' for client (0026.b9a6.dd90) on Interface Gi1/0/4 AuditSessionID C0A8D60D0000007201857889
003065: Aug 22 17:48:08.365: %MAB-5-SUCCESS: Authentication successful for client (0026.b9a6.dd90) on Interface Gi1/0/4 AuditSessionID C0A8D60D0000007201857889
003066: Aug 22 17:48:08.365: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0026.b9a6.dd90) on Interface Gi1/0/4 AuditSessionID C0A8D60D0000007201857889
003067: Aug 22 17:48:08.382: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000007201857889| AUTHTYPE DOT1X| EVENT APPLY
003068: Aug 22 17:48:08.390: %EPM-6-POLICY_APP_SUCCESS: IP 192.168.60.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000007201857889| AUTHTYPE DOT1X| POLICY_TYPE URL Redirect| POLICY_NAME https://ukhatfnac0001.dtukad.local:8443/guestportal/gateway?sessionId=C0A8D60D0000007201857889&action=cwa| RESULT SUCCESS
NWS-TSL-HATB3F3-DistSW1#
003069: Aug 22 17:48:08.390: %EPM-6-POLICY_APP_SUCCESS: IP 192.168.60.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000007201857889| AUTHTYPE DOT1X| POLICY_TYPE URL Match ACL| POLICY_NAME web_guest_redirect| RESULT SUCCESS
003138: Aug 22 18:01:18.718: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0026.b9a6.dd90) on Interface Gi1/0/4 AuditSessionID C0A8D60D0000007401914245
000054: Aug 22 18:01:18.345: %AUTHMGR-5-VLANASSIGN: VLAN 1040 assigned to Interface Gi1/0/4 AuditSessionID C0A8D60D0000007401914245 (NWS-TSL-HATB3F3-DistSW1-2)
003139: Aug 22 18:01:19.490: %EPM-6-IPEVENT: IP 192.168.40.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000007401914245| AUTHTYPE DOT1X| EVENT IP-ASSIGNMENT
003140: Aug 22 18:01:19.490: %EPM-6-POLICY_APP_SUCCESS: IP 192.168.40.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000007401914245| AUTHTYPE DOT1X| POLICY_TYPE Named ACL| POLICY_NAME xACSACLx-IP-PERMIT_ALL_TRAFFIC-4f57e406| RESULT SUCCESS
NWS-TSL-HATB3F3-DistSW1#
003141: Aug 22 18:01:19.515: %EPM-6-POLICY_APP_SUCCESS: IP 192.168.40.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000007401914245| AUTHTYPE DOT1X| POLICY_TYPE URL Redirect| POLICY_NAME https://ukhatfnac0001.dtukad.local:8443/guestportal/gateway?sessionId=C0A8D60D0000007401914245&action=cwa| RESULT SUCCESS
003142: Aug 22 18:01:19.515: %EPM-6-POLICY_APP_SUCCESS: IP 192.168.40.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000007401914245| AUTHTYPE DOT1X| POLICY_TYPE URL Match ACL| POLICY_NAME web_guest_redirect| RESULT SUCCESS
Then after successful authentication, the VLAN is moved and xACSACLx-IP-PERMIT_ALL_TRAFFIC is sent, but the redirect is sent again from ISE. We've been over the configs several times, but can't get to the bottom of this. Can anyone shed any light?
Fixed it!
Great info from Tarik above, which led me to the issue. My authz policy for redirect didn't include Network Access:Usecase=Host Lookup, so this policy still (incorrectly) remained =true after valid guest authentication. As this policy remained =true, ISE was correctly applying the URL redirect. Once I sorted the policy, by adding ...AND Network Access:Usecase=Host Lookup, all worked as expected.
After valid guest auth we now see DACL 'PERMIT_GUEST' and move to VLAN 1040 as expected, without the URL redirect.
003543: Aug 22 19:03:15.169: %EPM-6-POLICY_REQ: IP 192.168.60.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000008501C99767| AUTHTYPE DOT1X| EVENT APPLY
003544: Aug 22 19:03:15.186: %EPM-6-AAA: POLICY xACSACLx-IP-PERMIT_GUEST-50350e3a| EVENT DOWNLOAD-REQUEST
003545: Aug 22 19:03:15.354: %EPM-6-AAA: POLICY xACSACLx-IP-PERMIT_GUEST-50350e3a| EVENT DOWNLOAD-SUCCESS
003546: Aug 22 19:03:15.354: %EPM-6-IPEVENT: IP 0.0.0.0| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000008501C99767| AUTHTYPE DOT1X| EVENT IP-WAIT
NWS-TSL-HATB3F3-DistSW1#
003547: Aug 22 19:03:15.849: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0026.b9a6.dd90) on Interface Gi1/0/4 AuditSessionID C0A8D60D0000008501C99767
000069: Aug 22 19:03:15.241: %AUTHMGR-5-VLANASSIGN: VLAN 1040 assigned to Interface Gi1/0/4 AuditSessionID C0A8D60D0000008501C99767 (NWS-TSL-HATB3F3-DistSW1-2)
NWS-TSL-HATB3F3-DistSW1#
003548: Aug 22 19:03:17.560: %EPM-6-IPEVENT: IP 192.168.40.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000008501C99767| AUTHTYPE DOT1X| EVENT IP-ASSIGNMENT
003549: Aug 22 19:03:17.560: %EPM-6-POLICY_APP_SUCCESS: IP 192.168.40.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000008501C99767| AUTHTYPE DOT1X| POLICY_TYPE Named ACL| POLICY_NAME xACSACLx-IP-PERMIT_GUEST-50350e3a| RESULT SUCCESS
-
ACE 4710 - can I dynamically sticky all traffic to 1 server based on URL?
Hello all, I'm new to the ACE 4710 and need to know some details about stickyness.
As background, we are a small company with a SaaS product and a pair of webservers.
I have set up the default L7 load-balancing rule to sticky based on a cookie-based Sticky Group.
That seems to be working and session traffic is sticking to a server during the user's session.
Based on a request from our outsourced developer they would like the Loadbalancer to not only sticky the users sessions, but also sticky a url to a server.
I would like this to happen dynamically as each of our clients will have their own url based on our standard domain like clientname.fixeddomain.com and I don't want to have to come back to the loadbalancer every time we add a client.
As I said, I'm new to these devices but understand the concepts, and am in the position of having to make it work with little to no training on this hardware and no budget at this point to pay someone else for configuration and setup.
I just need to know at this point if I can stick all requests for a specific URL to a server to avoid caching issue while those sessions are active and have new connections to other client urls balanced among the webservers.
Hopefully this request makes sense.
Thanks,
Mark Steeves.
Daniel,
Thanks for the reply, but I cannot reach the URL you included. It gives me a 403.
Therefore, without reading the article, I wanted to ask if the proper setup would be:
1. Default L7 load-balancing action: Primary action: Sticky: Sticky Group using
Type = HTTP Header: Header name = Host
2. Server Farm: Predictor: Least Connections or Round Robin to distribute the load between the 2 web servers.
Using this setting in testing, it looks like all the traffic keeps going to 1 server only. Granted there is not much traffic to the servers, but I have 2 different URLs being tested: url1.ourdomain.com & url2.ourdomain.com
If you have another link for the above document, please let me know.
Thanks,
Mark Steeves. -
ACE 4710 Redirect to Different Server Farm based on URL
I have a weblogic 11 serverfarm where i want to redirect to a different serverfarm based on the URL. I am able to do it and it appears to be working however I am having issues with the cookies. I seem to be getting logged out of our App when switching between the serverfarms. Is there any way to fix this issue? My configuration is below.
Thanks!
-Andy
Generating configuration....
crypto chaingroup WWW-PROD-CHAINGROUP
cert AddTrustExternalCARoot.crt
cert COMODOHigh-AssuranceSecureServerCA.crt
access-list allow line 8 extended permit ip any any
probe http HTTP_PROBE
port 7001
interval 10
passdetect interval 5
request method get url /login.jsp
expect status 200 299
connection term forced
probe icmp PROBE_SERVICE_ICMP
interval 5
passdetect interval 5
receive 5
probe tcp TCP7001_PROBE
port 7005
interval 5
passdetect interval 5
receive 3
connection term forced
open 2
rserver redirect REDIRECT-TO-HTTPS
webhost-redirection https://%h%p 301
inservice
rserver host WLS11Host1
ip address 192.168.211.250
inservice
rserver host WLS11Host2
ip address 192.168.211.14
inservice
serverfarm redirect REDIRECT-SERVERFARM
rserver REDIRECT-TO-HTTPS
inservice
serverfarm host SPEND-FARM
probe HTTP_PROBE
rserver WLS11Host1 7001
inservice
serverfarm host WLS11FARM
  probe HTTP_PROBE
  rserver WLS11Host2 7001
    inservice
parameter-map type http HTTP-PARM
  persistence-rebalance
  set secondary-cookie-start none
parameter-map type http PARSE
  persistence-rebalance
  set header-maxparse-length 8192
  length-exceed continue
parameter-map type ssl SSL_MAP
  cipher RSA_WITH_RC4_128_MD5
  cipher RSA_WITH_RC4_128_SHA
  cipher RSA_WITH_3DES_EDE_CBC_SHA
  cipher RSA_WITH_AES_128_CBC_SHA
  cipher RSA_WITH_AES_256_CBC_SHA
sticky http-cookie ACE_COOKIE-7001 7001_STICKY
  cookie insert browser-expire
  serverfarm WLS11FARM
  replicate sticky
sticky http-cookie ACE-COOKIE-SPEND SPEND_STICKY
  cookie insert browser-expire
  serverfarm SPEND-FARM
  replicate sticky
ssl-proxy service WWW-PROD-SSLPROXY
  key client_ssl.pem
  cert pastar.crt
  chaingroup WWW-PROD-CHAINGROUP
  ssl advanced-options SSL_MAP
class-map type http loadbalance match-any HTTP-MARKETING
  2 match http url /index.html
class-map type http loadbalance match-any HTTPS-SPEND
  2 match http url /spend/.*
class-map type http loadbalance match-any L5
  2 match http url /.*
class-map match-all WLS-7001-CLASS
  2 match virtual-address 192.168.215.28 tcp eq www
class-map match-all WLS11-HTTPS-CLASS
  2 match virtual-address 192.168.215.28 tcp eq https
policy-map type loadbalance first-match HTTPS
  class HTTPS-SPEND
    sticky-serverfarm SPEND_STICKY
    insert-http x-forward header-value "%is"
  class L5
    sticky-serverfarm 7001_STICKY
    insert-http x-forward header-value "%is"
policy-map type loadbalance first-match WLS11-7001-Policy
  class HTTP-MARKETING
    sticky-serverfarm 7001_STICKY
    insert-http x-forward header-value "%is"
  class HTTPS-SPEND
    serverfarm REDIRECT-SERVERFARM
  class L5
    serverfarm REDIRECT-SERVERFARM
policy-map multi-match WLS11-SLB
  class WLS-7001-CLASS
    loadbalance vip inservice
    loadbalance policy WLS11-7001-Policy
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 1000
    appl-parameter http advanced-options HTTP-PARM
  class WLS11-HTTPS-CLASS
    loadbalance vip inservice
    loadbalance policy HTTPS
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 1000
    appl-parameter http advanced-options PARSE
    ssl-proxy server WWW-PROD-SSLPROXY
interface vlan 1000
  ip address 192.168.215.27 255.255.255.0
  access-group input allow
  nat-pool 1 192.168.215.28 192.168.215.28 netmask 255.255.255.255 pat
  service-policy input WLS11-SLB
  no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.215.1
snmp-server community poweradvocaterw group Network-Monitor
Hi,
So when you come with "http url /index.html", you go to "sticky-serverfarm 7001_STICKY" and ACE must be inserting sticky "ACE_COOKIE-7001". Now when you get redirected because you match "HTTPS-Spend", ACE will load balance the request, which will now come on HTTPS, and insert sticky "ACE-COOKIE-SPEND". That's why I guess you see two sticky entries. Now I guess ACE will keep the connection to servers in "sticky-serverfarm SPEND_STICKY", or you see that ACE is not doing the same, or you expected the ACE to send the request to "sticky-serverfarm 7001_STICKY" even though it matches the HTTPS-Spend class-map condition?
Regards,
Kanwal
ACE load balancing based on URL
I am trying to send traffic to one server or another based on the URL. I want traffic to foo.com/selfserv to direct to server A and traffic to foo.com/webui to direct to server B. I found URL inspection etc. but I am not sure how to apply it to the scenario, as I do not want the ACE to inspect all inbound HTTP requests.
The ACE performs regular expression matching against the received packet data from a particular connection based on the HTTP URL string. To configure a class map to make Layer 7 SLB decisions based on the URL name and, optionally, the HTTP method, use the match http url command in class-map HTTP load balance configuration mode.
The ACE performs regular expression matching against the received packet data from a particular connection based on the RTSP URL string. You can configure a class map to make Layer 7 SLB decisions based on the URL name and optionally, the RTSP method, by using the match rtsp url command in class-map RTSP load balance configuration mode.
Configuring Traffic Policies for Server Load Balancing:
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/classlb.html
Need help with ACE Load Balancing Base on URL pattern
This is the first time for me trying to configure something like this on the ACE load balancer. I need help configuring a load balancing policy based on URL pattern. URL https://ineedhelp.com, based on /willuhelpme and /imlost
Key: ineedhelp_key
cert: ineedhelp_cert
serverfarmA
serverA 10.1.1.1 443
serverfarmB
serverB 10.1.1.2 443
ineedhelp.com/willuhelpme-------serverfarmA
ineedhelp.com/imlost---------------serverfarmB
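The answer in the previous thread describes the mechanism ("match http url" in a class-map type http loadbalance) and this question asks for a concrete configuration, so here is one complete ACE configuration for the ineedhelp.com scenario above. It is an added example, not a reply from the thread and not a Cisco sample: the key and certificate names, the server addresses and the port 443 come from the question, while the VIP 203.0.113.10, VLANs 100 and 200, the ACE interface addresses, the ACL and every HELP-*, LOST-* and serverfarm object name are assumptions. The server-side re-encryption ("ssl-proxy client") is also an assumption, made because the question's real servers listen on 443. Lines starting with "!" are explanatory and not ACE syntax.

```cisco
! Added example, not from the thread. Assumed: VIP 203.0.113.10,
! VLAN 100 (client side), VLAN 200 (server side), all object names.

! Health check over HTTPS rather than a bare TCP probe, so a listener
! that is up but returning errors is taken out of rotation.
probe https HELP-PROBE
  interval 10
  passdetect interval 30
  expect status 200 200

rserver host serverA
  ip address 10.1.1.1
  inservice
rserver host serverB
  ip address 10.1.1.2
  inservice

serverfarm host serverfarmA
  probe HELP-PROBE
  rserver serverA 443
    inservice
serverfarm host serverfarmB
  probe HELP-PROBE
  rserver serverB 443
    inservice

! Client-side SSL termination. The ACE can only see the request path once
! it has decrypted the session, so the key and cert from the question are
! bound here. Only the AES suites are offered (constructed choice).
parameter-map type ssl HELP-SSL-PARAMS
  cipher RSA_WITH_AES_128_CBC_SHA
  cipher RSA_WITH_AES_256_CBC_SHA
ssl-proxy service HELP-SSL-TERM
  key ineedhelp_key
  cert ineedhelp_cert
  ssl advanced-options HELP-SSL-PARAMS

! Server-side SSL initiation (assumption: real servers listen on 443,
! so the ACE re-encrypts towards them).
ssl-proxy service HELP-SSL-INIT

! L7 classes: the argument of "match http url" is a regular expression
! over the request URL, so "/willuhelpme.*" also covers sub-paths.
class-map type http loadbalance match-any HELP-CM
  2 match http url /willuhelpme.*
class-map type http loadbalance match-any LOST-CM
  2 match http url /imlost.*

! First-match L7 policy. class-default gives every other path a defined
! destination instead of leaving unexpected URLs to default handling.
policy-map type loadbalance first-match HELP-L7
  class HELP-CM
    serverfarm serverfarmA
    ssl-proxy client HELP-SSL-INIT
  class LOST-CM
    serverfarm serverfarmB
    ssl-proxy client HELP-SSL-INIT
  class class-default
    serverfarm serverfarmA
    ssl-proxy client HELP-SSL-INIT

! L3/L4 VIP class and the multi-match policy that ties it all together.
class-map match-all HELP-VIP
  2 match virtual-address 203.0.113.10 tcp eq 443
policy-map multi-match HELP-SLB
  class HELP-VIP
    loadbalance vip inservice
    loadbalance policy HELP-L7
    loadbalance vip icmp-reply active
    ssl-proxy server HELP-SSL-TERM

! Only TCP/443 to the VIP is accepted on the client-facing VLAN.
access-list HELP-IN line 10 extended permit tcp any host 203.0.113.10 eq 443

! Routed design: the servers use 10.1.1.254 (the ACE) as their gateway.
interface vlan 100
  ip address 203.0.113.2 255.255.255.0
  access-group input HELP-IN
  service-policy input HELP-SLB
  no shutdown
interface vlan 200
  ip address 10.1.1.254 255.255.255.0
  no shutdown
ip route 0.0.0.0 0.0.0.0 203.0.113.1
```

Two design points worth keeping in mind when adapting this: URL matching only works because the ACE terminates SSL and sees the cleartext request, so without the ssl-proxy server line the L7 classes would never match, and the explicit class-default means a path that matches neither pattern still lands on a known serverfarm rather than relying on whatever the ACE does with an unmatched L7 request. The cipher list deliberately leaves out the RC4 and MD5 suites that appear in the SSL_MAP parameter-map earlier on this page.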
I have an ACE 4710 and I need a configuration:
I have a real web server with folders: /1/index.html, /2/index.html, /3/index.html
I need to balance a virtual service:
If I connect to the URL http://server/index.html, then ACE balances among
http://real_server/1/index.html,
http://real_server/2/index.html,
http://real_server/3/index.html
How can I configure ACE?
ACE can't modify the URL.
But it can send a redirect.
So you could build 3 redirect rservers and have ACE load balance between them.
rserver redirect HTTP-REDIRECT1
  webhost-redirection http://real_server/1/index.html
  inservice
rserver redirect HTTP-REDIRECT2
  webhost-redirection http://real_server/2/index.html
  inservice
rserver redirect HTTP-REDIRECT3
  webhost-redirection http://real_server/3/index.html
  inservice
serverfarm redirect SF_REDIRECT
  rserver HTTP-REDIRECT1
    inservice
  rserver HTTP-REDIRECT2
    inservice
  rserver HTTP-REDIRECT3
    inservice
But even if it works, this does not sound good.
It seems like a design done by an application server person who does not know how network load balancers work.
It seems like all you need is stickiness, which you are trying to achieve by redirecting to /1, /2 or /3.
But this can be done differently with cookies or by just doing stickiness on the source IP address.
Gilles.
ACE 4710 http probe get url question
I am trying to create an HTTP probe using the request method get url command. My URL contains a question mark and the ACE will not accept the URL as is; it strips out the question mark character. Is there a way to make the ACE accept a URL containing a question mark?
probe http HTTP_PROBE
  port 9040
  interval 10
  faildetect 5
  passdetect interval 60
  expect status 200 200
  open 1
The URL I am trying to enter is /psp/epprod/?cmd=login
When I enter it, the ACE does as shown below:
(config-probe-http)# request method get url /psp/epprod/?
<LINE>
ACE-APP-02/vc_peoplesoft(config-probe-http)# request method get url /psp/epprod/cmd=login
It strips out the ? character.
Hi Nicholas,
To enter a question mark you need to type Ctrl+V before entering the ?.
You press the Control key, then lowercase v, then your question mark.
HTH
Pablo
ACE class-map match url syntax
Can someone help me with the string that would match a URL with no path specified? For instance, the user types "https://outlook.domain.net" into their browser and I want the ACE to redirect that request to "https://outlook.domain.net/owa".
2 match http url oulook\.domain\.net\
Adam and Shday,
I'll give you a hand on this =)
Adam, we can solve your problem only if you're doing SSL offloading on the ACE, as the layer 5 information that needs to be checked is being sent encrypted.
If SSL termination is configured, then the configuration would be like this:
rserver redirect OWA
  webhost-redirection https://%h/owa 301
  inservice
serverfarm redirect OWA
  rserver OWA
    inservice
class-map type http loadbalance match-any OWA
  2 match http header Host header-value "outlook.domain.net"
policy-map type loadbalance first-match OWA
  class OWA
    serverfarm OWA
  class class-default
    serverfarm Backend
Shday, yours is pretty much the same, but you need to decide if class-default needs to be in place:
rserver redirect Domain
  webhost-redirection http://%h/any_path 301
  inservice
serverfarm redirect Domain
  rserver Domain
    inservice
class-map type http loadbalance match-any Any
  2 match http url /.*
class-map type http loadbalance match-any Domain
  2 match http header Host header-value "domain.com"
policy-map type loadbalance first-match Domain
  class Any
    serverfarm Backend
  class Domain
    serverfarm Domain
HTH
Pablo