Port 443 content rule, can the CSS see inside the cookie?

Hi Gilles/everyone,
With a content rule using port 443, can we use cookie-based stickiness, or is the cookie also encrypted?
cheers,
Mike

Also encrypted.
No way to see it without an SSL module to decrypt.
Gilles.

Similar Messages

  • How do I temporarily disable TLS/SSL port 443 going to server on CSS

    We are having issues with truncated packets that go through the CSS.
    I did a capture after the CSS and there is truncation; however, I can't read it before the CSS since everything is encrypted.
    They hit VIP address 172.20.120.16 on the CSS and get redirected to 2 servers depending on what the URL says.
    The server team would like to turn it off just to test. I tried removing
    "add service ARR-public-ssl" from the content below and we lost HTTP and HTTPS to the server,
    so in essence I want to try and turn the 443 connection into a port 80 connection that then goes to port 7777 on the backend, 172.20.212.6.
    content BYE-WEB-SSL
       vip address 172.20.120.16
       protocol tcp
       port 443
       advanced-balance ssl
       application ssl
       add service ARR-public-ssl
       active
    ssl-server 40
    ssl-server 40 rsacert byetest
    ssl-server 40 vip address 172.20.120.16
    ssl-server 40 cipher rsa-with-rc4-128-sha 172.20.120.17 80
    ssl-server 40 cipher rsa-with-rc4-128-md5 172.20.120.17 80
    ssl-server 40 urlrewrite 1 *
    ssl-server 40 cipher rsa-with-3des-ede-cbc-sha 172.20.120.17 80
    ssl-server 40 rsakey byekey
    backend-server 50
    backend-server 50 type initiation
    backend-server 50 server-ip 69.xxx.xxx.xxx
    backend-server 50 ip address 69.xxx.181.xxx
    backend-server 50 rsacert byetest
    backend-server 50 rsakey byekey
    active
    !************************** SERVICE **************************
    service TIE-SSLINIT
      protocol tcp
      ip address 69.xxx.xxx.xxx
      keepalive type tcp
      keepalive port 443
      slot 2
      type ssl-init
      add ssl-proxy-list HR-SSL
      active
    owner PublicBYE
      content BYE-WEB-ARRR
        vip address 172.20.120.17
        protocol tcp
        port 80
        url "/arr*"
        advanced-balance arrowpoint-cookie
        balance aca
        arpt-lct http-100-reinsert
        add service BYE-ods-web1
        active
      content BY-WEB-TIX
        protocol tcp
        port 80
        url "/tix*"
        advanced-balance arrowpoint-cookie
        balance aca
        arpt-lct http-100-reinsert
        add service BYE-ods-web2
        vip address 172.20.120.17
        active
      content BYE-WEB-TIX-CLEARTEXT
        add service TIX-SSLINIT
        vip address 172.20.120.19
        protocol tcp
        port 80
        active
    content BYE-WEB-Nav
      vip address 172.20.120.17
      protocol tcp
      port 80
      url "/na*"
      balance aca
      arpt-lct http-100-reinsert
      add service BYE-ods-web1
      active
    content BYE-WEB-SSL
      vip address 172.20.120.16
      protocol tcp
      port 443
      advanced-balance ssl
      application ssl
      add service ARR-public-ssl
      active
    service BYE-ds-web1-ssl
      ip address 172.20.212.5
      port 443
      keepalive type ssl
      active
    service BYE-ds-web2
      ip address 172.20.212.6
      port 7777
      keepalive port 7777
      keepalive type tcp
      active
    service BYE-ds-web2
      ip address 172.20.212.6
      port 7777
      keepalive port 7777
      keepalive type tcp
      active
    service BYEos-web2-ssl
      ip address 172.20.212.6
      port 443
      keepalive type ssl
      active

    CSS11506# sh ver
    Version:               sg0810205 (08.10.2.05)
    Flash (Locked):        08.10.1.06
    Flash (Operational):   08.10.2.05
    Type:                  PRIMARY
    Licensed Cmd Set(s):   Standard Feature Set
                           Secure Management
    Yeah, I've done a packet trace before it hits the CSS and after. The only issue is that everything is encrypted before it hits the LB, so I can't really read anything. I did a packet trace after the LB and on the server itself, and it seems we get this:
    I thought I saw some bug info from Cisco but I can't tell if it's related.
    CSCsx05640—When you configure the CSS for a Layer 5 (L5) content rule and it receives an HTTP method POST with the HTTP header in one packet that is quickly followed by many packets of POST data or payload, it could fail to deliver all the data to the back-end server. The CSS Flow Manager (FM) application could incorrectly handle the POST and the data packet as a spanned content request and could cause the data to be mishandled. Workaround: Use less than 1-Gb connections in the network; a 100-Mb link does not exhibit this issue.
    As you can see, after the Content-Length nothing comes across. Sometimes additional stuff will come in, but usually nothing.
    Is there a bug related to this on the CSS?
    POST /TIXX/DocumentRepository_Service HTTP/1.1
    Accept-Encoding: gzip,deflate
    Content-Type: application/soap+xml;charset=UTF-8;action="urn:ihe:iti:2007:ProvideAndRegisterDocumentSet-b"
    User-Agent: Jakarta Commons-HttpClient/3.1
    Host: www.xxxxxxxxxxxx.net
    Content-Length: 9044

  • Layer 5 port 80 content rule breaks realaudio.

    I have some layer 5 content rules we are using to filter viruses:
    content block_.ida
    protocol tcp
    port 80
    url "/*"
    header-field-rule .ida weight 0
    add service drop
    active
    header-field-group .ida
    header-field .ida request-line contain ".ida"
    This does a great job of filtering what we want; however, RealAudio, which uses port 80, fails. If I disable the content rule the RealAudio traffic works.
    Any ideas?
    Thanks!

    Thanks for the response. We only have the one RealAudio stream. I have not seen any reference to .ida within the stream.
    Is there any way to create a content rule stating that all RealVideo traffic on port 80 goes directly to the original destination with no further processing by the CSS?

  • After port forward, airport utility can no longer see my time capsule

    I tried to forward public port 1025 to private port 80 on a Raspberry Pi using AirPort Utility. But after I did that, AirPort Utility can no longer see my Time Capsule. Wi-Fi still works correctly. Are there any conflicts with port 1025? How do I fix that other than resetting the Time Capsule?
    Thanks,
    Michael

    It doesn't sound like a port that is used.
    From the standard Google search: nope.
    Reboot the whole network.
    No luck? Tell me what OS version you are running the utility on and what model and firmware the TC has.
    Note that with Yosemite, anything can and will happen.

  • Why can't Finder see inside an iPhoto folder?

    This seems to only happen on my MacBook (Intel), not on my Mac Pro (also Intel), both with Leopard installed. On both machines I let iPhoto import some photos and make its own folder for the iPhoto library. In the case of the Mac Pro everything works fine. I can use the Finder to navigate to the folders and see the photos in the Finder. But on the laptop I cannot. It shows a folder that looks like the application. But if I search for the images I can see them and the sub-folders.

    There are even more than that:
    For 10.5 users: You can use any Open / Attach / Browse dialogue. On the left there's a Media heading, your pics can be accessed there. Apple-Click for selecting multiple pics.
    To upload to a site that does not have an iPhoto Export Plug-in the recommended way is to Select the Pic in the iPhoto Window and go File -> Export and export the pic to the desktop, then upload from there. After the upload you can trash the pic on the desktop. It's only a copy and your original is safe in iPhoto.
    This is also true for emailing with Web-based services. If you're using Gmail you can use THIS
    If you use Apple's Mail, Entourage, AOL or Eudora you can email from within iPhoto. You can also access the iPhoto Library from a Mail message window.
    If you use a Cocoa-based Browser such as Safari, you can drag the pics from the iPhoto Window to the Attach window in the browser.
    Or, if you want to access the files with iPhoto not running, then create a Media Browser using Automator (takes about 10 seconds) or use THIS
    Other options include:
    1. *Drag and Drop*: Drag a photo from the iPhoto Window to the desktop, there iPhoto will make a full-sized copy of the pic.
    2. *File -> Export*: Select the files in the iPhoto Window and go File -> Export. The dialogue will give you various options, including altering the format, naming the files and changing the size. Again, producing a copy.
    3. *Show File*: Right- (or Control-) Click on a pic and in the resulting dialogue choose 'Show File'. A Finder window will pop open with the file already selected.
    Regards
    TD

  • URL Content Rule with SSL

    Hi
    I have two different ssl services on the same servers. One service is published with standard 443 port and 444 port.
    I would like to balance those services with two different content rules. They should have the same VIP address and the standard SSL port (443 TCP). Then the difference between both content rules would be the URL.
    content 1
    url "//myserver.com/APL1/*"
    vip address 192.168.1.1
    port 443
    add service service1_443
    add service service2_443
    content 2
    url "//myserver.com/APL2/*"
    vip address 192.168.1.1
    port 443
    add service service1_444
    add service service2_444
    I've tried it but it doesn't work.
    Have I done anything wrong?
    Regards

    The main purpose of SSL is security.
    So, what is security?
    Security means you don't want other persons/devices to see the content of your traffic.
    If nobody can see the content, this includes the CSS.
    So the CSS is unable to see the URL, which is part of the content.
    Your solution can't work,
    unless you install an SSL module with the key of the server so the module can decrypt the traffic.
    Regards,
    Gilles.
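Gilles' reply in the main thread (the cookie is encrypted) and this one (the URL is too) come down to what a balancer doing plain TCP/TLS passthrough can actually read. The Python below is an added example, not code from the thread or from Cisco: it extracts a cookie from a constructed plaintext HTTP request, which is what a port-80 cookie rule works on, and parses a constructed TLS ClientHello to show that on port 443 only the session ID (what `advanced-balance ssl` keys on) and the SNI host name are in the clear; the cookie and the URL are inside encrypted application data. Record layouts follow RFC 5246 and RFC 6066; the request, the cookie name `ARPT`, the host name and the all-zero random are constructed sample values.

```python
"""Added example (not from the thread): what a TCP/TLS passthrough balancer can key on."""
import struct
from typing import Optional


def http_cookie(request: bytes, name: str) -> Optional[str]:
    """Return cookie `name` from a plaintext HTTP request, or None if it is not there."""
    head, _, _ = request.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        field, sep, value = line.partition(b":")
        if sep and field.strip().lower() == b"cookie":
            for pair in value.decode("latin-1").split(";"):
                k, _, v = pair.strip().partition("=")
                if k == name:
                    return v
    return None


def parse_client_hello(record: bytes) -> dict:
    """Parse the ClientHello fields visible without the server key (RFC 5246 / RFC 6066)."""
    ctype, ver, rlen = struct.unpack("!BHH", record[:5])
    if ctype != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + rlen]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    p = 4 + 2 + 32                      # handshake header, client_version, random
    sid_len = hs[p]; p += 1
    session_id = hs[p:p + sid_len]; p += sid_len
    cs_len = struct.unpack("!H", hs[p:p + 2])[0]; p += 2 + cs_len
    cm_len = hs[p]; p += 1 + cm_len
    sni = None
    if p + 2 <= len(hs):                # extensions block is optional
        ext_len = struct.unpack("!H", hs[p:p + 2])[0]; p += 2
        end = p + ext_len
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[p:p + 4]); p += 4
            body = hs[p:p + elen]; p += elen
            if etype == 0x0000:         # server_name: list_len(2) name_type(1) name_len(2) name
                name_len = struct.unpack("!H", body[3:5])[0]
                sni = body[5:5 + name_len].decode("ascii")
    return {"record_version": ver, "session_id": session_id.hex(), "sni": sni}


def build_client_hello(session_id: bytes, sni: str) -> bytes:
    """Constructed sample ClientHello (not a capture): one cipher suite, null compression, SNI."""
    name = sni.encode("ascii")
    sni_body = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0x0000, len(sni_body)) + sni_body
    body = (struct.pack("!H", 0x0303) + bytes(32)      # client_version, random (zeros: constructed)
            + bytes([len(session_id)]) + session_id
            + struct.pack("!H", 2) + b"\x13\x01"       # cipher_suites
            + b"\x01\x00"                              # compression_methods: null
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 0x16, 0x0301, len(hs)) + hs


# Constructed inputs: a plaintext request and a TLS ClientHello for the same site.
PLAIN_REQUEST = (b"GET /arr/index.html HTTP/1.1\r\nHost: www.example.net\r\n"
                 b"Cookie: ARPT=abc123; theme=dark\r\n\r\n")
TLS_HELLO = build_client_hello(bytes.fromhex("a1" * 32), "www.example.net")


def sticky_key(packet: bytes) -> tuple:
    """Stickiness key a non-terminating balancer can use: the cookie for plaintext HTTP,
    only the TLS session ID once the client speaks TLS."""
    if packet[:1] == b"\x16":
        return ("tls-session", parse_client_hello(packet)["session_id"])
    cookie = http_cookie(packet, "ARPT")
    return ("cookie", cookie) if cookie else ("none", None)


if __name__ == "__main__":
    print(sticky_key(PLAIN_REQUEST))
    print(sticky_key(TLS_HELLO), parse_client_hello(TLS_HELLO)["sni"])
    print(http_cookie(TLS_HELLO, "ARPT"))   # None: the cookie is in encrypted application data
```

SNI is the one application-level value a passthrough rule could still match on, but it names the host, not the URL path the second poster wants to split on; everything after the handshake is ciphertext until an SSL module with the server key terminates the session.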

  • Sticky sessions across multiple content rules

    Hi,
    If a client PC initiates two requests which match different content rules on a CSS (first request http port 80 to CSS VIP downloads a small application. This application then sends a second request to the VIP, on tcp port 8085) can sticky rules be configured on the CSS content rules, so that they hit the same destination server, given that both content rules contain the same services, and hence be considered part of the same session?
    Thanks

    There is no sticky-across-content-rules option on the CSS.
    But there are solutions to this problem.
    First, are you doing anything special with your HTTP content rule? Like cookies or URL inspection?
    If not, you can group the 2 content rules into a single one. You will have 1 Layer 3 rule instead of 2 Layer 4 rules.
    If you have L5-7 rules (HTTP inspection), the previous solution is not possible.
    You will need to maintain 2 rules.
    You could then use a 'balance srcip' balancing method on both rules.
    This algorithm is deterministic.
    The same client will always go to the same server.
    Hope this helps.
    Regards,
    Gilles.
    Thanks for rating.
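Gilles' point that `balance srcip` is deterministic can be checked with a small model. The Python below is an added example, not CSS code or Cisco's algorithm: two rule objects stand in for the port 80 and port 8085 content rules and share one service list, and selection hashes only the client source address, so the same client lands on the same service under both rules. It also shows the two caveats a practitioner should expect: the guarantee holds only while both rules have the same set of alive services, and a service going down may remap clients other than those that were on it. The hash function, rule names, service names and client addresses are constructed; the real CSS hash is not documented here.

```python
"""Added example (not from the thread): source-IP stickiness across two content rules."""
import hashlib
import ipaddress


def srcip_choice(src_ip: str, alive_services: list) -> str:
    """Deterministic pick: hash of the client address modulo the number of alive services.
    (Illustrative hash only; not the CSS's own srcip algorithm.)"""
    key = int(ipaddress.ip_address(src_ip))
    digest = hashlib.sha256(key.to_bytes(16, "big")).digest()
    return alive_services[int.from_bytes(digest[:8], "big") % len(alive_services)]


class ContentRule:
    """A content rule: a port, the services added to it, and which of them are down."""

    def __init__(self, name: str, port: int, services: list):
        self.name, self.port, self.services = name, port, list(services)
        self.down = set()

    def alive(self) -> list:
        return [s for s in self.services if s not in self.down]

    def pick(self, src_ip: str) -> str:
        return srcip_choice(src_ip, self.alive())


SERVICES = ["web1", "web2", "web3"]                  # constructed service names
RULE_HTTP = ContentRule("app-download", 80, SERVICES)   # first request: download the client app
RULE_APP = ContentRule("app-traffic", 8085, SERVICES)   # second request from that app


def same_server_across_rules(src_ip: str, rule_a: ContentRule, rule_b: ContentRule) -> bool:
    """True when both rules send this client to the same service."""
    return rule_a.pick(src_ip) == rule_b.pick(src_ip)


def remapped_clients(rule: ContentRule, clients: list, down_service: str) -> list:
    """Clients whose pick changes when one service goes down. srcip balance is
    deterministic, but a modulo over the alive set is not stable under membership changes,
    so clients that were never on `down_service` can move too."""
    before = {c: rule.pick(c) for c in clients}
    rule.down.add(down_service)
    after = {c: rule.pick(c) for c in clients}
    rule.down.discard(down_service)
    return [c for c in clients if before[c] != after[c]]


if __name__ == "__main__":
    clients = ["10.0.0.%d" % i for i in range(1, 60)]   # constructed client addresses
    print(all(same_server_across_rules(c, RULE_HTTP, RULE_APP) for c in clients))
    print(len(remapped_clients(RULE_HTTP, clients, "web1")), "clients move when web1 is down")
    other = ContentRule("mismatched", 8085, ["web1", "web2"])   # different service list
    print(sum(RULE_HTTP.pick(c) != other.pick(c) for c in clients), "clients split across rules")
```

The second print shows why keeping both rules' service lists identical, including their keepalive state, matters: if one rule marks a service dead while the other still has it alive, the two rules hash over different sets and the "same session" assumption breaks for some clients.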

  • Remote Connectivity Analyzer opens port 443 successfully but fails.."Net. conn. not available"

    Trying to set up a client with external access.  I just got their Edge off the domain and in the DMZ, and supposedly the appropriate firewall ports are opened. They have a RP running IIS ARR.
    Microsoft Remote Connectivity Analyzer (testconnectivity.Microsoft.com) does the following for three tests:
    1.  When I do Lync Server Remote Connectivity Test and choose Autodiscover, it is able to open port 443 and it validates the cert.  But it says "Operation failed because the network connection was not available". 
    2.  When I do the same Lync Server Remote Connectivity Test and manually enter the Access Edge service FQDN and choose port 5061, it is able to resolve the name in DNS but it then fails testing TCP port 5061 with "The specified port is either blocked, not listening, or not producing the expected response".
    3.  When I do the Lync Autodiscover Web Service Remote Connectivity Test, it fails when trying to open port 443 on the Lyncdiscover URL.
    So, that seems to indicate to me that port 443 might be open on the Edge but not the Reverse Proxy, since that's where the autodiscover URL points.  And it seems 5061 is not open but 443 is on the Edge.  What else could I check on the Edge to get 443 working?
    Thanks for the help and sorry for any vague information.  Any help is appreciated!
    Brandon

    Okay, I can now telnet to lyncdiscover.mydomain.dom on port 443 successfully, and I can telnet to sip.mydomain.com on 5061 successfully. 
    Now when I do the remote connectivity test:
    Using Autodiscover to detect server settings, I get "Operation failed because the network connection was not available". It opens port 443 fine it looks like.
    Manually choosing lync.mydomain.com as the FQDN and port 5061, I get "The endpoint was unable to register.  See the ErrorCode for specific reason".  Response code is 504 and response message is Server Time-out
    Doing the Lync Autodiscover Web Service Remote Connectivity Test I get "HTTP 403 error was received because ISA server denied the specified URL".
    Looks to me like a rule might not be set right on the firewall if ISA is denying the connection, right?(they are using TMG on a server running Server 2008 as the firewall).  I can't ping the reverse proxy from the firewall (but I can ping the Edge). 
    What else can I check?
    Thanks for all the help so far, I really appreciate it.
    Brandon

  • Defining virtual servers using content-rules

    Can multiple virtual servers be "bound" to a single real server when all of the virtual servers have the same ip address and port, with the only difference between each virtual server being a unique content rule applied to each? (This is more of a migration issue, than a load-balance issue)

    I assume you are saying Web (HTTP), and the answer is yes.
    1. Your server should have name-based virtual hosting enabled if your server only uses 1 IP address.
    2. In CSS, you can use a single service for this server or use different services with a different keepalive URI for each service.
    3. You can use a number of unique content rules (same VIP, TCP 80, with different URLs) and add the service to them.
    Remarks: If you want to use unique content rules, you should make them differ by URL; otherwise all the content rules are the same and you can't activate them all.
    Another suggestion: If your server already supports name-based virtual hosting, you can use just a single L4 content rule and all the traffic would be handled by that server (service).

  • Non SSL website on port 443

    Hi, I have a non-SSL website running on port 443. When I access this website using Chrome or IE it works just fine, but Firefox can't seem to accept what I have done. All browsers on the same machine and using the same web proxy.
    I access the website as http://xyz:443.
    Just a bit of background info as to why I need this. Where I work I can only access ports 443 and 80 via the web proxy. I have two distinct websites running on a couple of devices at home behind a very config-wise limited router which has ports 80 and 443 redirected to these hosts. There is no way for me to setup two port forward rules on port 80 to two different devices. I cannot setup SSL on either of the websites.
    Regardless of options that could exist to overcome my particular issue, I would like to check if you guys know how to make Firefox work with a website running on port 443 whilst not having a certificate assigned to it.
    Firefox 32.0.3
    Error message:
    The connection was reset
    The connection to the server was reset while the page was loading.
    The site could be temporarily unavailable or too busy. Try again in a few moments.
    If you are unable to load any pages, check your computer's network connection.
    If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the Web.

    What type of ssl are you running? [https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/]
    You can somehow remove the Strict-Transport-Security header, or there may be a feature that forces encryption, but by default HTTPS uses 443 for encryption. I do not know if this is possible.

  • IE Traffic being forced to tunnel via port 443

    I have a Windows 2008 R2 server that has been in production for over 2 years.  It is a Hyper-V host running five 2008 R2 guests.  Everything was running fine until a couple of weeks ago when I installed the latest HP firmware and drivers.
    Since then, Internet Explorer cannot open any website except www.google.com.  After uninstalling IE9 and then installing IE10 there was no change.  I've scanned the server with Malwarebytes and HijackThis.  No problems found.  I reset IE and reset the TCP/IP stack.  No change.  I removed McAfee AV and I'm now able to access Google and one other site.  I then installed Fiddler and looked at what is happening, and it appears that most websites are trying to tunnel using port 443 rather than using the typical port 80.  I'm not sure how to interpret this.  I know name resolution is working and I can ping the sites I'm trying to reach.  If I go to a standard site, say www.yahoo.com, the IE window stays blank, but if I go to Tools/View Source it appears I'm looking at the HTML from the target site.  Below is a summary of the Fiddler output when I tried to go to yahoo.com.  Any help is greatly appreciated as I am all out of ideas.
    Thanks,
    Joe
    # Result Protocol Host URL Body Caching Content-Type Process Comments Custom 
    1 301 HTTP fiddler2.com /UpdateCheck.aspx?isBeta=False 0 no-cache  fiddler:4916   
    2 200 HTTP www.telerik.com /updatecheck.aspx?isBeta=False 620 private text/plain; charset=utf-8 fiddler:4916   
    3 301 HTTP www.yahoo.com / 212 no-store text/html iexplore:728   
    4 200 HTTP Tunnel to www.yahoo.com:443 0   iexplore:728   
    5  -  HTTP crl.geotrust.com /crls/secureca.crl -1   iexplore:728   
    6 200 HTTP Tunnel to www.yahoo.com:443 0   iexplore:728   
    7 200 HTTP Tunnel to iecvlist.microsoft.com:443 0   iexplore:5104   

    Found that the problem was somewhere in the Windows firewall.  Although I had stopped the firewall service during testing, something remained hooked in.  Another attempt at shutting off the firewall and then starting it again seems to have resolved the problem.  This makes no sense but I'm not arguing with the results.  Thanks everyone for your help.

  • CS-150-LAN extra content rule disables all access to website

    We have a CS-150-LAN Content switch with software version 6.10Build203. Yesterday for no apparent reason we lost connectivity to our website through our CSS. To get around this issue we removed all content rules except for the "everything-else" rule.
    owner http://www.acmi.net.au
    content AIC
    add service acmi-web3
    url "//www.acmi.net.au/AIC*"
    protocol tcp
    port 80
    vip address 203.14.59.174
    content everything-else
    add service acmi-web1
    vip address 203.14.59.174
    protocol tcp
    port 80
    active
    owner http://www.vceart.com
    content everything
    add service acmi-web3
    vip address 203.14.59.175
    protocol tcp
    port 80
    active
    What is happening now is that when I create an additional content rule it then times out all connections to our website http://www.acmi.net.au. If I suspend the additional rule "AIC" the website comes back online. We need these additional content rules for accessing subsites. Please help.
    Thanks

    Here are the show service summary and show summary outputs
    Owner Content Rules State Services Service Hits
    www.acmi.net.au AIC Suspended acmi-web3 6
    everything-else Active acmi-web1 243
    acmi-web2 340
    www.vceart.com everything Active acmi-web3 23
    sec-css-11150# sh service summary
    Service Name State Conn Weight Avg State Idx
    Load Transitions
    acmi-web1 Alive 2 1 2 2 2
    acmi-web2 Alive 9 1 23 2 3
    acmi-web3 Alive 1 1 17 2 4
    The content rule AIC is suspended because if I activate it, it makes the website www.acmi.net.au unreachable and it times out.
    This config was working from day one with the AIC content rule and about another 9 content rules under the owner www.acmi.net.au.
    If I add the url "/*" command to the content rule "everything-else", this also hangs the site www.acmi.net.au.

  • Use of content rule vs source group for NATing

    To NAT outgoing flows out of two servers, is it necessary to define a content rule and source group (or is just a source group sufficient?).
    Having trouble with Option 2.
    Also, does the CSS do NAPT, i.e. alter the source port number for outgoing packets from source groups?
    Option 1:
    service svr1
    ip address 192.168.10.1
    no port
    protocol tcp
    active
    service svr2
    ip address 192.168.10.2
    no port
    protocol tcp
    active
    content outflows
    protocol tcp
    add service svr1
    add service svr2
    vip address <externalip>
    active
    group outgrp
    vip address <external ip>
    add service svr1
    add service svr2
    active
    <add appropriate acl>
    Option 2:
    service svr1
    ip address 192.168.10.1
    no port
    protocol tcp
    active
    service svr2
    ip address 192.168.10.2
    no port
    protocol tcp
    active
    group outgrp
    vip address <external ip>
    add service svr1
    add service svr2
    active
    <add appropriate acl>

    To NAT connections initiated by the server, you only need a source group.
    No need for a content rule.
    The CSS will port NAT.
    Gilles.

  • USB port on wrt610n i can see the drive but cannot see the content

    I have followed the instructions. I see the drive, but when I try to access the drive I get an empty new folder.
    Help, I am lost. What should I do?

    winmaco wrote:
    Yes i have it is working on my PC
    One thing in setting up the usb I had to use a different password
    my router has a password and the only way I could move forward was to use the default admin admin user name and password
    I could not use my router user name and password.
    The username and password for the share on your attached drive can be anything you want them to be. I assume you set up a share on the attached drive? That's where you need to add a password for the share, although for ease of use I never did assign a password to the shares.
    You do know that the firmware for the Storage Link is buggy, right? File size limitations as well as file corruption issues? Connectivity issues also rise up, with the only workaround that I have found is a script that you have to run every time you boot up your computer. As far as I can see the Storage Link function is a poorly implemented idea. No firmware in sight to fix the issues, and no idea of when.

  • How can I make the web server work on port 80 and not 443. I can only access my website using https.

    On a Mac Mini server with OS X Lion 10.7.2, I am unable to get the web server working on port 80. It switches automatically to port 443 (https).
    This situation complicates the access to FileMaker Web publishing, as I don't want my clients having to use https.
    How can I change that? Does anyone know?
    Thanks for any reply

    In the server: I checked the SSL certificate. Tried several configurations.
    Well, that's a problem for a start.
    Your port 80 connection should NOT use SSL. Port 80 is the standard HTTP port, not HTTPS, and most applications that connect to port 80 will not expect to use SSL.
    If you want to run a site under both HTTP and HTTPS then you create two sites, one on port 80 without SSL and one on port 443 with SSL.
