HTTP redirect based on client IP

Hello,
Is anyone aware of a method to redirect an HTTP request based on the Client IP using ICM/Web Dispatcher?
The "icm/HTTP/redirect_" parameter doesn't appear to allow you to use the client IP as a criteria for the redirect, and I have not been able to find any other indication of how this might be accomplished on SMP, SDN, or Online Help.
The goal of this is to perform a protocol switch and redirect all HTTP requests from a specific IP range to HTTPS.
thanks!
John

Just a thought:
Have two instances of Web Dispatcher, listening on different ports.
Split incoming connections to different ports, whichever way is available:
1. Ask you network team to forward request from one subnet to one port and another subnet to another port.
2. On Windows server use RRAS
3. On any server use software routing;
4. Setup routing appliance before the server.
Not too elegant, but should work...
Regards,
Slava

Similar Messages

  • HTTP Redirect based upon SRC IP Address

    Is there a way to perform an http redirect based upon user's source IP address on the CSM/GSS environment?
    Logic:
    IF < src ip address is within exception list > THEN
    http redirect to URL2
    ELSE
    http to URL1
    END

    Is there a version of this solution (redirect by client source IP) for the CSS?
    I'm attempting to redirect clients from a few specific networks (source IP's) to the VIP of a second CSS using a service-type redirect and "prefer " ACL commands:
    clause 10 permit any 1.1.1.0 255.255.252.0 destination content owner/content-rule prefer service-type-redirect
    There is an "any any destination any" last clause in the ACL for the remaining source IPs. The ACL is applied to the incoming circuits leading to the webservers.
    A show of the ACL's shows all responses - no matter the client source IP - being caught by the permit any clause at the end of the ACL.
    Extra points: this is a one-arm design with source group destination applied (to return server traffic to the CSS) and traffic is https with SSL terminating at the servers (no SSL module). Content rules are set to be sticky for srcip. Both CSSs are answering content-based DNS queries for the same URL with their local VIP address (but controlling which DNS server clients query isn't readily possible, so static proximity using DNS didn't provide the answer).
    Each CSS is in a different data center: the idea is to keep traffic local by redirecting non-local traffic to its "local" (the other) CSS if services are active (and to keep traffic on the first CSS if the services at the redirected-to CSS are down).
    Don't want too much, do I? ;-)
    Thanks for everyone's time -
    -K.

  • CSS redirect based on client IP address?

    We have a number of web servers behind CSS11500. We would like to be able to send an http redirect to a client browser, depending on the client's IP address.
    I had thought this might be possible using ACL but I can't find anything that seems to fit the bill. Can anyone suggest whether this is even possible, and how?

    create a redirect service.
    Then you can use an acl like this :
    clause 10 permit tcp x.x.x.x destination content prefer
    Gilles.

  • Setting HTTPS redirect in NetWeaver CE 7.1 EhP1

    I would like to redirect all HTTP requests such that users will always use HTTPS access. I found an OSS note 973644 that explains the steps for non CE environments. Does anyone know how to setup HTTPS redirect on NetWeaver CE 7.1 Ehp1?
    Regards,
    Asif

    Hi Lee,
    I think I know how to solve this. I have just solved a similar problem with my PI 7.1 EHP1. Deployment in JSPM of various software components all failed like this example:
    JSPM log:
    Deploy status is 'Aborted'
    Client path '
    pi71\sapmnt\trans\EPS\in\SAPXIAF04_7-20002649.SCA'
    Description:'1. ERROR CODE DPL.DS.5089  Exception during generating components of sap.com/com.sap.aii.af.app  application in webservices_container container.
       -> com.sap.engine.services.webservices.espbase.configuration.BindingData.getConfigurationType()I'.
    Default Trace:
    Caused by: java.lang.NoSuchMethodError: com.sap.engine.services.webservices.espbase.configuration.BindingData.getConfigurationType()I
    at com.sap.engine.services.webservices.server.deploy.WSBaseAbstractDProcess.getBindingDataId
    After that most of the browser based admin apps, such as NetWeaver Administrator ( /nwa ), would refuse to start.
    But finally after several tests, searching on SDN+SMP and restore to backup version I found the solution in [SAP Note 1328776|http://service.sap.com/sap/support/notes/1328776] which describes a similar problem: Update to the newest version of ENGINEAPI 7.11. Today this is ENGINEAPI04P_4-20002603.SCA.
    You may also want to make sure that you are running the newest version of the Configuration Wizard, so you should check/update LMTOOLS, LMCTC and LMCFG*, currently LMTOOLS04P_3-20002705.SCA, LMCTC04P_1-20002694.SCA and LMCFG04P_4-20002729.SCA.
    I hope this proves to be useful.
    regards
    Mauri

  • Http redirects not changing url in address bar

    I'm going crazy trying to fix a major bug in our application. Http
    redirects are not changing the url in the address bar of the latest versions of internet explorer. But this only happens if the redirected page is an xml page with an xslt reference for the browser to do the transformation. Mozilla seems to work fine, but I seem to have encountered a major bug in Internet Explorer. If anybody can help or at least point me in a direction I'd be SO grateful. This doesn't seem to be a java servlet specific issue, but that's what we're using so I thought I'd ask the question here too.
    We have an MVC type framework we developed. For example, if you were to add something to a shopping cart, the url might be:
    http://ecommerce.com/cart/add?sku=54321. In the add servlet, we would add the sku to your shopping cart and then redirect to, let's say,
    http://ecommerce.com/displaycart. I think this is how most MVC frameworks work. And it works great for us.
    The problem began when we started sending XML to the browser with an XSLT stylesheet. So now the browser does the transformations (if the browser is capable of doing them, which we check) instead of the server. This is a major part of our project. One of the reasons we started this.
    The problem is that Internet Explorer no longer updates the url in the
    address bar after a redirect. Mozilla works great though. We haven't
    tested on other xslt capable browsers yet. In the example above, what would happen is after adding something to your shopping cart, the "displaycart" page would be shown but the http://ecommerce.com/cart/add?sku=54321 url would be shown in the address bar. It wouldn't seem to be too big of a deal since everything works. But now all the relative links are messed up. They start from the "cart" directory. So we need absolute links. But that introduces many other problems. We then need to know the host and the parent directories (not as easy as it seems).
    So is there a solution? Is this a big bug that nobody has realized yet (or maybe they have, but my searches don't see it) in internet explorer? Is there a way for the redirected url to appear in the address bar from a browser-based xslt transformation in internet explorer? By the way, I'm testing with the latest version of IE6.0 as of July 7, 2003.
    When testing, redirects work perfect if I do the xslt transformation on the server side and just send plain html to internet explorer. And it works perfect with either serverside or browserside xslt transformations in mozilla.
    Scott Mueller
    AccelerateBiz Incorporated

    As I've been reading in the specs, microsoft, etc, it seems that it's not what's supposed to happen. But the specs are not very specific about this. However, internet explorer DOES always replace the url in the address bar with the redirected url if HTML is being returned from the redirected servlet. As is the case with all other browsers. So, at least, this behavior is the de-facto standard.
    BUT when the redirected to page is an xml page which references an xslt stylesheet.. then, ONLY in internet explorer, the original url is what's shown in the address bar (and, more importantly, what's used as the base url). Regardless of what the links look like or how they're manipulated in the transformed HTML that ends up being shown, I can't seem to make the url in the address bar the redirected url..

  • ACE: Can I loadbalance based on client Source IP/and client tcp source port?

    We recently migrated serving a client from being thick client at the desktop to being served via a citrix farm.  Prior to the migration the clients came from about 5000 unique source IP's to their VIP, now they come from only 31 unique source IP's from the citrix servers in the farm. A citrix server can host 400 client sessions, since the default action of the ACE is to loadbalance based on source IP's, the ACE is sending up to 400 sessions from one citrix server to 1 real server in the farm.  Is there anyway I can loadbalance based on client source IP and tcp source port so the ACE views the 400 sessions from one citrix server as unique sessions?  The application does not require persistence.

    Hello,
    Yes, you can configure a "Sticky Layer 4 Payload" as descirbed on this Link:
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA2_3_0/command/reference/sticky.html#wp1039276
    Unfrotunately I do not have any working example. You must calculate the right values for the Offset and the Length to configure.
    Regards Jean-Marc

  • Best practices for securing communication to internet based SCCM clients ?

    What type of SSL certs does the community think should be used to secure traffic from internet based SCCM clients ?  should 3rd party SSL certs be used ?  When doing an inventory for example of the clients configuration in order to run reports
    later how the  data be protected during transit ?

    From a technical perspective, it doesn't matter where the certs come from as there is no difference whatsoever. A cert is a cert is a cert. The certs are *not* what provide the protection, they simply enable the use of SSL to protect the data in transit
    and also provide an authentication mechanism.
    From a logistics and cost perspective though, there is a huge difference. You may not be aware, but *every* client in IBCM requires its own unique client authentication certificate. This will get very expensive very quickly and is a recurring cost because
    certs expire (most commercial cert vendors rarely offer certs valid for more than 3 years). Also, deploying certs from a 3rd party is not a trivial endeavor -- you more less run into chicken and egg issues here. With an internal Microsoft PKI, if designed
    properly, there is zero recurring cost and deployment to internal systems is trivial. There is still certainly some cost and overhead involved, but it is dwarfed by that that comes with using with a third party CA for IBCM certs.
    Jason | http://blog.configmgrftw.com | @jasonsandys

  • CSM HTTP Redirect with SSL

    Problem we are having:
    A client opens an HTTPS connection to a CSM with SSL offload to SSL module. The decrypted clear HTTP request hits the IIS server and is redirected (301).
    The client gets an HTTP redirect and not an HTTPS redirect.
    The reason for the 301 redirect is the IIS server does not have a physical resource but rather a virtual directory so it issues a 301 and adds a /. eg https://www.cisco.com/tech is redirected to https://www.cisco.com/tech/ in a working situation.

    look for the urlrewrite command in order to change HTTP into HTTPS.
    Regards,
    Gilles.

  • What does too many http redirects mean and how do I fix it

    Does anyone know what the **** "Too many http redirects" means, and how the **** do I fix it ??

    500 errors in the HTTP cycle
    Any client (e.g. your Web browser or our CheckUpDown robot) goes through the following cycle when it communicates with the Web server:
    Obtain an IP address from the IP name of the site (the site URL without the leading 'http://'). This lookup (conversion of IP name to IP address) is provided by domain name servers (DNSs).
    Open an IP socket connection to that IP address.
    Write an HTTP data stream through that socket.
    Receive an HTTP data stream back from the Web server in response. This data stream contains status codes whose values are determined by the HTTP protocol. Parse this data stream for status codes and other useful information.
    This error occurs in the final step above when the client receives an HTTP status code that it recognises as '500'. Frank Vipond. September 2010.
    Fixing 500 errors - general
    This error can only be resolved by fixes to the Web server software. It is not a client-side problem. It is up to the operators of the Web server site to locate and analyse the logs which should give further information about the error.
    Fixing 500 errors - CheckUpDown
    Please contact us (email preferred) whenever you encounter 500 errors on your CheckUpDown account. We then have to liaise with your ISP and the vendor of the Web server software so they can trace the exact reason for the error. Correcting the error may require recoding program logic for the Web server software, which could take some time.
    http://www.checkupdown.com/status/E500.html

  • Redirect based on user_level or user_id or session

    I am on a mission to find the
    technote or adobe
    support file that explains how to redirect based on
    user_level or user_id or session
    I have searched using:
    "redirect"
    "user level"
    and even:
    "redirect based on user"
    I know it exists (
    I read it) I just can't find it, Please can someone help me
    find it.
    Cheers

    MM_redirectLoginSuccess = $row_rsUser['destination_page'];
    Murray --- ICQ 71997575
    Adobe Community Expert
    (If you *MUST* email me, don't LAUGH when you do so!)
    ==================
    http://www.projectseven.com/go
    - DW FAQs, Tutorials & Resources
    http://www.dwfaq.com - DW FAQs,
    Tutorials & Resources
    ==================
    "forumsza" <[email protected]> wrote in
    message
    news:gpiimv$pma$[email protected]..
    > Based on this article: (which only supports, ASP and
    JSP)
    >
    http://kb.adobe.com/selfservice/viewContent.do?externalId=tn_15881&sliceId=1
    >
    > Do I just add my PHP like this:
    >
    > MM_redirectLoginSuccess =
    > CStr(MM_rsUser.Fields.Item("destination_page").Value)
    >
    > The same as ASP?
    >

  • Local Director & HTTP Redirection

    Hi, just wondering if anyone has successfully implemented HTTP
    redirection on Cisco Local Director 416 running ver 4.1.2 Basically I'm
    after any pitfalls to look out for. Current implementation utilizes
    generic session stickiness however this has problems for clients
    trying to access our load balanced servers if they come from behind
    multiple proxies via their ISP.
    Servers are Private IP addressed (Firewall in front of LD performing NAT static
    txlation)
    On another point, how does the Cisco CS11000 (Arrowpoint) perform
    session persistance/stickiness or what "better" ways does the
    Arrowpoint acheive this as compared to Local Director?
    Any helpful input would be much appreciated.
    Rgds
    Adam

    Since there has been no response to your post, it appears to be either too complex or too rare an issue for other forum members to assist you. If you don't get a suitable response to your post, you may wish to review our resources at the online Technical Assistance Center (http://www.cisco.com/tac) or speak with a TAC engineer. You can open a TAC case online at http://www.cisco.com/tac/caseopen
    If anyone else in the forum has some advice, please reply to this thread.
    Thank you for posting.

  • ACE port redirection message to client

    Hi,
    I need to configure a new VIP so that if the requests come on port 80 it sends a redirection message to clients saying to try on port HTTPS://*:9443, is the configuration below correct?
    rserver host server1
      description host1
      ip address 1.1.1.1
      probe probe-http
      inservice
    rserver host server2
      description host2
      ip address 1.1.1.2
      probe probe-http
      inservice
    serverfarm host sfarm1
      rserver server1
        inservice
      rserver server2
        inservice
    rserver redirect sfarm1_redirect_9443
      webhost-redirection https://%h:9443%p 301
      inservice
    serverfarm redirect sfarm_redirect_9443
      rserver sfarm1_redirect_9443
        inservice
    class-map match-all VIP_HTTP
      description Match HTTP
      2 match virtual-address 2.2.2.2 tcp eq www
    class-map match-all VIP_HTTPS
      description Match HTTPS
      2 match virtual-address 2.2.2.2 tcp eq 9443
    policy-map type loadbalance first-match http_Redirect_Policy
      class class-default
        serverfarm sfarm_redirect_9443
    policy-map type loadbalance first-match https_9443
      class class-default
        serverfarm sfarm1
    policy-map multi-match VIPS
    class VIP_HTTP
        loadbalance vip inservice
        loadbalance policy http_Redirect_Policy
        loadbalance vip icmp-reply active
    class VIP_HTTPS
        loadbalance vip inservice
        loadbalance policy https_9443
        loadbalance vip icmp-reply active

    Hi,
    %h and %p are usually used when host and path remain same as is the case in redirection from http to https.
    You can also use the actual hostname and path if the above doesn't work. I think it should work but i haven't tested it before.
    You can try something like below:
    webhost-redirection https://test.com:9443 301
    Let me know how it goes.
    Regards,
    Kanwal

  • ACE http/https redirect or rewrite

    Greetings,
    We have a setup that requires ACE http/https redirection or rewrite.
    A client connects to a secured Web portal which has its ssl termination on the ACE.
    The web portal will request from the client a redirection to another application. As the portal is unaware that the incoming client https request was terminated on the ACE,
    the client receives the redirect request for an unsecured http URL rather than for the secured https URL.
    In this case what would be best to use? ACE "rewrite" or "redirect"?
    Will the following example config for ACE "redirect" be sufficent to implement this?
    ssl-proxy service ssl-App-443-81
    key app1.test.com.key
    cert app1.test.com.cert
    rserver redirect App-secure-redirect
    webhost-redirection https://app1.test.com/Go/
    inservice
    serverfarm redirect App-secure-redirect-sf
    rserver App-secure-redirect
    inservice
    serverfarm host App-81-sf
    probe TCP81
    rserver proxy1 81
    inservice
    rserver proxy2 81
    inservice
    parameter-map type http http_param_map
    header modify per-request
    sticky http-cookie App-cookie App-sticky
    cookie insert
    replicate sticky
    serverfarm App-81-sf
    class-map match-any App-443-81-cm
    2 match virtual-address 10.10.10.112 tcp eq https
    class-map match-any App-81-cm
    2 match virtual-address 10.10.10.112 tcp eq 81
    class-map type http loadbalance App-secure-redirect-cm
    match http url http://app1.test.com:81/Go/
    policy-map type loadbalance http first-match App-rewrite-pm
    class App-secure-redirect-cm
    serverfarm App-secure-redirect-sf
    policy-map type loadbalance http first-match App-sticky-443-81-pm
    class class-default
    sticky-serverfarm App-sticky
    policy-map multi-match policy-inbound
    class App-81-cm
    loadbalance vip inservice
    loadbalance policy App-rewrite-pm
    loadbalance vip icmp-reply active
    loadbalance vip advertise active
    class App-443-81-cm
    loadbalance vip inservice
    loadbalance policy App-sticky-443-81-pm
    loadbalance vip icmp-reply active
    loadbalance vip advertise active
    appl-parameter http advanced-options http_param_map
    ssl-proxy server ssl-App-443-81

    If you are offloading www.yoursite.com on ACE and on the backend
    real servers are not ssl aware (sends URL with http://) then with
    following sample config you can instruct ACE to rewrite such urls (http->https)
    class-map match-all VIP-443
    match virtual-address x.x.x.x tcp eq https
    action-list type modify http HTTP2HTTPS-REWRITE
    ssl url rewrite location www\.yoursite\.* sslport 443 clearport 80
    policy-map type loadbalance first-match YOUR-POLICY
    class class-default
    serverfarm YOUR-SFARM
    action HTTP2HTTPS-REWRITE
    class VIP-443
    loadbalance vip inservice
    loadbalance policy YOUR-POLICY
    loadbalance vip icmp-reply active
    ssl-proxy server YOUR-SSL-SERVICE
    You need Ace2.x+ on Ace module & 3.x+ on 4710 appliance for this feature.
    Syed Iftekhar Ahmed

  • External Web Authentication - HTTP Redirect or Proxy?

    I've been reading all of the information I can find about the use of authentication of guest users using an external web server, rather than the native portal provided by a WLC. I've looked at the configuration examples and configuiration guides.
    My question is this: when the WLC redirects the client to the external web server, is it a true http redirect (i.e. a http redirect sent to the client) or does the WLC act as a proxy (via its virtual address  - usually 1.1.1.1), altering the http headers as it does when re-directing requests to its internal web portal ?
    This is important as I need to understand if it is the client that has to be able to connect to the external web server, or whether it is the WLC that has to be able to connect to the external web server.
    The WLC for the solution I am working on is in a highly secure DMZ area, so it is imprtant to know which devices need to talk to which.

    So, to be clear, it is the WLC that needs connectivity to the external server or the client device?
    Both devices need to communicate to the external web server.  The WLC will need to communicate with the external server since it will be expecting a return of information from that server to process the l3 authentication.  The client will need to reach it as the WLC is going to redirect it to that site (reason for pre-auth acl). 
    Does the client communicate directly with the external web server, or will it direct its http requests to 1.1.1.1, which will then be proxied by the WLC to the external web server?
    Again this is both; So the client will lookup/resolve a site and initiate some HTTP traffic, so it starts a TCP SYN for to the real web server it is trying to reach, the WLC will see this request; hijack the IP of the destination server and reply back to the client(pretending to be the "internet" server) The WLC redirects the client to it's virtual IP; whether using internal or external web auth.  So the client will arrive at the virtual IP of the WLC; which will then redirect the client to the external web server in your case.  When this happens the WLC has also inserted some information in to the redirect URL on the clients behalf so which the external server will use to send the information it collects (assuming you're using one of our standard external bundles).  The external server will process the client HTTP GET, so as far as "viewing and using" the external web server; the client will make that request directly to the external web server.  The external server, upon submittion of the form on the page, will send the information collected from the client back to the WLC server (which it learned it's IP from the redirect URL).  The authentication of the client will take place at the WLC.
    So in this scenario you need a love triangle between the Client, WLC, and external server.  All will be talking to one another at some point.  Your client needs connectivity to the external server; and your WLC needs connectivity to the external server.
    David W.

  • ACE - HTTPS redirection

    Hi,
    How to configure the ACE to redirect a https request to different url.
    For example
    Clients requesting https://www.mycompany.com shall be redirected to https://www1.mycompany.com.
    Please let me know.Thanks in Advance

    Hi Gilles,
    I am having the certificate and the key.
    Please check the config and confirm whether this looks fine or not.
    I am using GSS to resolve www.mycompany.com and www1.mycompany.com
    probe http Server1
    interval 15
    passdetect interval 60
    request method head url /keepAlive.html
    expect status 200 202
    open 10
    parameter-map type ssl PARAMMAP_SSL_TERMINATION
    cipher RSA_WITH_3DES_EDE_CBC_SHA
    cipher RSA_WITH_AES_128_CBC_SHA priority 2
    cipher RSA_WITH_AES_256_CBC_SHA priority 3
    rserver redirect HTTPS-REDIRECT
    conn-limit max 4000000 min 4000000
    webhost-redirection https://www1.mycompany.com.au 301
    inservice
    serverfarm host SFARM_HTTPS
    rserver Server1_http 80
    inservice
    serverfarm redirect https-redirect
    rserver HTTPS-REDIRECT
    inservice
    ssl-proxy service SSL_PSERVICE
    key MYKEY.PEM
    cert ACE-SP2.CER
    ssl advanced-options PARAMMAP_SSL_TERMINATION
    class-map type http loadbalance match-any HTTPS1
    2 match http header Host header-value "www[.]mycompany[.]com"
    class-map type http loadbalance match-any HTTPS2
    2 match http header Host header-value "www1[.]mycompany[.]com"
    policy-map type loadbalance first-match HTTPS
    class HTTPS1
    serverfarm https-redirect
    class HTTP2
    serverfarm SFARM_HTTPS
    class class-default
    serverfarm SFARM_HTTPS
    policy-map multi-match HTTPS-PM
    class HTTPS-RED
    loadbalance vip inservice
    loadbalance policy HTTPS
    loadbalance vip icmp-reply active
    ssl-proxy server SSL_PSERVICE
    Also let me know know if there is any another way to configure the redirection other than matching host header.
    Thanks in Advance

Maybe you are looking for