Port 443 content rule: can the CSS see inside the cookie?
Hi Gilles/everyone,
With a content rule using port 443, can we use cookie-based stickiness, or is the cookie also encrypted?
cheers,
Mike
Also encrypted.
No way to see it without an SSL module to decrypt.
Gilles.
Similar Messages
-
How do I temporarily disable TLS/SSL port 443 going to the server on the CSS?
We are having issues with truncated packets that go through the CSS.
I did a capture after the CSS and there is truncation. However, I can't read it before the CSS since everything is encrypted.
They hit VIP address 172.20.120.16 on the CSS and get redirected to 2 servers depending on what the URL says.
The server team would like to turn it off just to test. I tried removing
"add service ARR-public-ssl" from the content below and we lost HTTP and HTTPS to the server.
So in essence I want to try and turn the 443 connection into port 80, which then goes to port 7777 on the backend at 172.20.212.6.
content BYE-WEB-SSL
vip address 172.20.120.16
protocol tcp
port 443
advanced-balance ssl
application ssl
add service ARR-public-ssl
active
ssl-server 40
ssl-server 40 rsacert byetest
ssl-server 40 vip address 172.20.120.16
ssl-server 40 cipher rsa-with-rc4-128-sha 172.20.120.17 80
ssl-server 40 cipher rsa-with-rc4-128-md5 172.20.120.17 80
ssl-server 40 urlrewrite 1 *
ssl-server 40 cipher rsa-with-3des-ede-cbc-sha 172.20.120.17 80
ssl-server 40 rsakey byekey
backend-server 50
backend-server 50 type initiation
backend-server 50 server-ip 69.xxx.xxx.xxx
backend-server 50 ip address 69.xxx.181.xxx
backend-server 50 rsacert byetest
backend-server 50 rsakey byekey
active
!************************** SERVICE **************************
service TIE-SSLINIT
protocol tcp
ip address 69.xxx.xxx.xxx
keepalive type tcp
keepalive port 443
slot 2
type ssl-init
add ssl-proxy-list HR-SSL
active
owner PublicBYE
content BYE-WEB-ARRR
vip address 172.20.120.17
protocol tcp
port 80
url "/arr*"
advanced-balance arrowpoint-cookie
balance aca
arpt-lct http-100-reinsert
add service BYE-ods-web1
active
content BY-WEB-TIX
protocol tcp
port 80
url "/tix*"
advanced-balance arrowpoint-cookie
balance aca
arpt-lct http-100-reinsert
add service BYE-ods-web2
vip address 172.20.120.17
active
content BYE-WEB-TIX-CLEARTEXT
add service TIX-SSLINIT
vip address 172.20.120.19
protocol tcp
port 80
active
content BYE-WEB-Nav
vip address 172.20.120.17
protocol tcp
port 80
url "/na*"
balance aca
arpt-lct http-100-reinsert
add service BYE-ods-web1
active
content BYE-WEB-SSL
vip address 172.20.120.16
protocol tcp
port 443
advanced-balance ssl
application ssl
add service ARR-public-ssl
active
service BYE-ds-web1-ssl
ip address 172.20.212.5
port 443
keepalive type ssl
active
service BYE-ds-web2
ip address 172.20.212.6
port 7777
keepalive port 7777
keepalive type tcp
active
service BYEos-web2-ssl
ip address 172.20.212.6
port 443
keepalive type ssl
active
CSS11506# sh ver
Version: sg0810205 (08.10.2.05)
Flash (Locked): 08.10.1.06
Flash (Operational): 08.10.2.05
Type: PRIMARY
Licensed Cmd Set(s): Standard Feature Set
Secure Management
Yeah, I've done a packet trace before it hits the CSS and after. The only issue is that everything is encrypted before it hits the LB, so I can't really read anything. I did a packet trace after the LB and on the server itself, and it seems we get this.
I thought I saw some bug info from Cisco but I can't tell if it's related:
CSCsx05640: When you configure the CSS for a Layer 5 (L5) content rule and it receives an HTTP method POST with the HTTP header in one packet that is quickly followed by many packets of POST data or payload, it could fail to deliver all the data to the back-end server. The CSS Flow Manager (FM) application could incorrectly handle the POST and the data packet as a spanned content request and could cause the data to be mishandled. Workaround: Use less than 1-Gb connections in the network; a 100-Mb link does not exhibit this issue.
As you can see, after the Content-Length nothing comes across. Sometimes additional stuff will come in, but usually nothing.
Is there a bug related to this on the CSS?
POST /TIXX/DocumentRepository_Service HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: application/soap+xml;charset=UTF-8;action="urn:ihe:iti:2007:ProvideAndRegisterDocumentSet-b"
User-Agent: Jakarta Commons-HttpClient/3.1
Host: www.xxxxxxxxxxxx.net
Content-Length: 9044 -
Layer 5 port 80 content rule breaks realaudio.
I have some Layer 5 content rules we are using to filter viruses:
content block_.ida
protocol tcp
port 80
url "/*"
header-field-rule .ida weight 0
add service drop
active
header-field-group .ida
header-field .ida request-line contain ".ida"
This does a great job of filtering what we want; however, RealAudio, which uses port 80, fails. If I disable the content rule the RealAudio traffic works.
Any ideas?
Thanks!
Thanks for the response. We only have the one RealAudio stream. I have not seen any reference to .ida within the stream.
Is there any way to create a content rule stating that all RealVideo traffic on port 80 goes directly to the original destination with no further processing by the CSS? -
After port forward, airport utility can no longer see my time capsule
I tried to forward public port 1025 to private port 80 on a Raspberry Pi using AirPort Utility. But after I did that, AirPort Utility can no longer see my Time Capsule. Wi-Fi still works correctly. Are there any conflicts with port 1025? How do I fix that other than resetting the Time Capsule?
Thanks,
Michael
It doesn't sound like a port that is used.
From the standard Google search: nope.
Reboot the whole network.
No luck? Tell me what OS version you are running the utility on and what model and firmware TC.
Note: with Yosemite, anything can and will happen. -
Why can't Finder see inside an iPhoto folder?
This seems to only happen on my MacBook (Intel), not on my Mac Pro (also Intel), both with Leopard installed. On both machines I let iPhoto import some photos and make its own folder for the iPhoto library. In the case of the Mac Pro everything works fine. I can use the Finder to navigate to the folders and see the photos in the Finder. But on the laptop I cannot. It shows a folder that looks like the application. But if I search for the images I can see them and the sub-folders.
There are even more than that:
For 10.5 users: You can use any Open / Attach / Browse dialogue. On the left there's a Media heading, your pics can be accessed there. Apple-Click for selecting multiple pics.
To upload to a site that does not have an iPhoto Export Plug-in the recommended way is to Select the Pic in the iPhoto Window and go File -> Export and export the pic to the desktop, then upload from there. After the upload you can trash the pic on the desktop. It's only a copy and your original is safe in iPhoto.
This is also true for emailing with Web-based services. If you're using Gmail you can use THIS
If you use Apple's Mail, Entourage, AOL or Eudora you can email from within iPhoto. You can also access the iPhoto Library from a Mail message window.
If you use a Cocoa-based Browser such as Safari, you can drag the pics from the iPhoto Window to the Attach window in the browser.
Or, if you want to access the files with iPhoto not running, then create a Media Browser using Automator (takes about 10 seconds) or use THIS
Other options include:
1. *Drag and Drop*: Drag a photo from the iPhoto Window to the desktop, there iPhoto will make a full-sized copy of the pic.
2. *File -> Export*: Select the files in the iPhoto Window and go File -> Export. The dialogue will give you various options, including altering the format, naming the files and changing the size. Again, producing a copy.
3. *Show File*: Right- (or Control-) Click on a pic and in the resulting dialogue choose 'Show File'. A Finder window will pop open with the file already selected.
Regards
TD -
Hi
I have two different SSL services on the same servers. One service is published on the standard port 443 and the other on port 444.
I would like to balance those services with two different content rules. They should have the same VIP address and the standard SSL port (443/tcp). Then, the difference between both content rules would be the URL.
content 1
url "//myserver.com/APL1/*"
vip address 192.168.1.1
port 443
add service service1_443
add service service2_443
content 2
url "//myserver.com/APL2/*"
vip address 192.168.1.1
port 443
add service service1_444
add service service2_444
I've tried it but it doesn't work.
Have I done anything wrong?
Regards
The main purpose of SSL is security.
So, what is security?
Security means you don't want other persons/devices to see the content of your traffic.
If nobody can see the content, this includes the CSS.
So, the CSS is unable to see the URL, which is part of the content.
Your solution can't work.
Unless you install an SSL module with the key of the server, so the module can decrypt the traffic.
Regards,
Gilles. -
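What Gilles says in this thread and in the cookie thread at the top of the page can be checked with a short script. The following is an added example, not code from Gilles, the thread or Cisco: it runs the same first-packet inspection that a Layer 5 content rule would do over a constructed plaintext HTTP request and over a genuine TLS ClientHello that OpenSSL writes into a memory BIO (no network needed). The host name, URL and cookie name are constructed sample values. The one thing a device without the server key can still read on port 443 is the SNI host name in the ClientHello (cleartext in TLS 1.2, and in TLS 1.3 unless Encrypted Client Hello is used), which the parser below extracts; the URL and any cookie travel inside the encrypted application data and never show up.

```python
"""What an L5 content rule on port 443 can and cannot see (added example)."""
import ssl

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")

# Constructed sample request; the cookie name "sticky" is made up for the example.
SAMPLE_HTTP = (
    b"GET /arr/index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Cookie: sticky=web2\r\n"
    b"\r\n"
)


def inspect_http(data):
    """Pull out what an HTTP content rule matches on: URL, Host and Cookie."""
    head = data.split(b"\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split(b"\r\n")
    method, url, _version = request_line.split(b" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii")] = value.strip().decode("ascii")
    return {"protocol": "http", "method": method.decode("ascii"), "url": url.decode("ascii"),
            "host": headers.get("host"), "cookie": headers.get("cookie")}


def _u16(buf, pos):
    return int.from_bytes(buf[pos:pos + 2], "big")


def parse_sni(data):
    """Return the server_name extension of a TLS ClientHello record, or None."""
    try:
        if len(data) < 5 or data[0] != 0x16:           # record type 22 = handshake
            return None
        body = data[5:5 + _u16(data, 3)]
        if len(body) < 4 or body[0] != 0x01:            # handshake type 1 = ClientHello
            return None
        hs = body[4:4 + int.from_bytes(body[1:4], "big")]
        pos = 2 + 32                                    # client_version + random
        pos += 1 + hs[pos]                              # session_id
        pos += 2 + _u16(hs, pos)                        # cipher_suites
        pos += 1 + hs[pos]                              # compression_methods
        if pos + 2 > len(hs):
            return None                                 # no extensions at all
        end = pos + 2 + _u16(hs, pos)
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = _u16(hs, pos), _u16(hs, pos + 2)
            ext = hs[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type != 0:                           # extension 0 = server_name
                continue
            p = 2                                       # skip server_name_list length
            while p + 3 <= len(ext):
                name_type, name_len = ext[p], _u16(ext, p + 1)
                if name_type == 0:                      # name type 0 = host_name
                    return ext[p + 3:p + 3 + name_len].decode("ascii")
                p += 3 + name_len
    except IndexError:
        return None                                     # truncated or malformed hello
    return None


def inspect_first_bytes(data):
    """What a load balancer sees in the first client bytes of a flow."""
    if data.startswith(HTTP_METHODS):
        return inspect_http(data)
    if data[:1] == b"\x16":
        # TLS: only the SNI host name is in the clear. The URL and cookies are inside
        # the encrypted application data, so a cookie or URL rule has nothing to match.
        return {"protocol": "tls", "sni": parse_sni(data), "url": None, "cookie": None}
    return {"protocol": "unknown", "url": None, "cookie": None}


def make_client_hello(server_hostname):
    """A genuine ClientHello from OpenSSL, captured from a memory BIO instead of a socket."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass                                            # ClientHello written; waiting on the server
    return outgoing.read()


if __name__ == "__main__":
    print(inspect_first_bytes(SAMPLE_HTTP))
    print(inspect_first_bytes(make_client_hello("www.example.com")))
```

Running it shows the plaintext request with its URL and cookie, and the TLS flow with only the host name; this is why the two content rules above, which differ only by URL, cannot be told apart on port 443 without terminating TLS on the CSS (the ssl-server/ssl-proxy-list setup shown earlier on the page). Separately, the ssl-server 40 block earlier on this page also offers rsa-with-rc4-128 ciphers; RC4 is prohibited for TLS by RFC 7465 and current clients will not negotiate it.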
Sticky sessions across multiple content rules
Hi,
If a client PC initiates two requests which match different content rules on a CSS (the first request, HTTP port 80 to the CSS VIP, downloads a small application; this application then sends a second request to the VIP on TCP port 8085), can sticky rules be configured on the CSS content rules so that they hit the same destination server, given that both content rules contain the same services, and hence be considered part of the same session?
Thanks
There is no sticky-across-content-rules option on the CSS.
But there are solutions to this problem.
First, are you doing anything special with your HTTP content rule? Like cookies or URL inspection?
If not, you can group the 2 content rules into a single one. You will have 1 Layer 3 rule instead of 2 Layer 4 rules.
If you have L5-7 rules [HTTP inspection], the previous solution is not possible.
You will need to maintain 2 rules.
You could then use a 'balance srcip' balancing method on both rules.
This algorithm is deterministic.
The same client will always go to the same server.
Hope this helps.
Regards,
Gilles.
Thanks for rating. -
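Gilles's "balance srcip" suggestion above works because the choice of server is a deterministic function of the client address, so two rules with the same service list compute the same answer. The script below is an added example, not the CSS's own srcip algorithm or any code from the thread: it maps constructed client addresses to constructed server names with two hash schemes and measures what happens to that stickiness when one service goes down, which is the caveat a practitioner wants before relying on source-IP hashing across rules.

```python
"""Deterministic source-IP balancing across two content rules (added example)."""
import hashlib


def _h(*parts):
    """64-bit hash of the joined parts (sha256 chosen only for determinism)."""
    return int.from_bytes(hashlib.sha256("|".join(parts).encode()).digest()[:8], "big")


def pick_modulo(src_ip, servers):
    """hash(ip) mod N: deterministic, but most clients move when N changes."""
    return sorted(servers)[_h(src_ip) % len(servers)]


def pick_rendezvous(src_ip, servers):
    """Highest-random-weight hashing: the server with the largest hash(ip, server)
    wins, so removing one server only moves the clients that were on it."""
    return max(sorted(servers), key=lambda s: _h(src_ip, s))


def same_server_across_rules(src_ip, rule_a_services, rule_b_services, pick=pick_rendezvous):
    """Gilles's point: two rules with identical service lists put one client on one server."""
    return pick(src_ip, rule_a_services) == pick(src_ip, rule_b_services)


def remap_fraction(clients, before, after, pick):
    """Share of clients whose server changes when the live service list goes from before to after."""
    moved = sum(1 for c in clients if pick(c, before) != pick(c, after))
    return moved / len(clients)


SERVERS = ["web1", "web2", "web3"]                                   # constructed
CLIENTS = ["10.1.%d.%d" % (i // 256, i % 256) for i in range(2000)]  # constructed


if __name__ == "__main__":
    ip = "198.51.100.7"
    print(ip, "->", pick_rendezvous(ip, SERVERS),
          "same on both rules:", same_server_across_rules(ip, SERVERS, SERVERS))
    for name, pick in (("modulo", pick_modulo), ("rendezvous", pick_rendezvous)):
        moved = remap_fraction(CLIENTS, SERVERS, SERVERS[:2], pick)
        print("%-10s clients moved when web3 fails: %.0f%%" % (name, 100 * moved))
```

Two things the numbers make visible. First, stickiness across rules only holds while both rules see the same live service list; with naive modulo hashing a single keepalive failure remaps roughly two thirds of clients on both rules, whereas rendezvous hashing moves only the third that sat on the failed server. Second, every client behind one NAT or proxy shares a source address and therefore a server, so source-IP balancing skews load for such populations; which scheme the CSS itself uses is not stated on this page.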
Trying to set up a client with external access. I just got their Edge off the domain and into the DMZ, and supposedly the appropriate firewall ports are opened. They have an RP running IIS ARR.
Microsoft Remote Connectivity Analyzer (testconnectivity.Microsoft.com) does the following for three tests:
1. When I do Lync Server Remote Connectivity Test and choose Autodiscover, it is able to open port 443 and it validates the cert. But it says "Operation failed because the network connection was not available".
2. When I do the same Lync Server Remote Connectivity Test and manually enter the Access Edge service FQDN and choose port 5061, it is able to resolve the name in DNS but it then fails testing TCP port 5061 with "The specified port is either blocked, not listening, or not producing the expected response".
3. When I do the Lync Autodiscover Web Service Remote Connectivity Test, it fails when trying to open port 443 on the Lyncdiscover URL.
So, that seems to indicate to me that port 443 might be open on the Edge but not the Reverse Proxy, since that's where the autodiscover URL points. And it seems 5061 is not open but 443 is on the Edge. What else could I check on the Edge to get 443 working?
Thanks for the help and sorry for any vague information. Any help is appreciated!
Brandon
Okay, I can now telnet to lyncdiscover.mydomain.dom on port 443 successfully, and I can telnet to sip.mydomain.com on 5061 successfully.
Now when I do the remote connectivity test:
Using Autodiscover to detect server settings, I get "Operation failed because the network connection was not available". It opens port 443 fine it looks like.
Manually choosing lync.mydomain.com as the FQDN and port 5061, I get "The endpoint was unable to register. See the ErrorCode for specific reason". Response code is 504 and response message is Server Time-out
Doing the Lync Autodiscover Web Service Remote Connectivity Test I get "HTTP 403 error was received because ISA server denied the specified URL".
Looks to me like a rule might not be set right on the firewall if ISA is denying the connection, right? (They are using TMG on a server running Server 2008 as the firewall.) I can't ping the reverse proxy from the firewall (but I can ping the Edge).
What else can I check?
Thanks for all the help so far, I really appreciate it.
Brandon -
Defining virtual servers using content-rules
Can multiple virtual servers be "bound" to a single real server when all of the virtual servers have the same IP address and port, with the only difference between each virtual server being a unique content rule applied to each? (This is more of a migration issue than a load-balancing issue.)
I assume you are talking about Web (HTTP), and the answer is yes.
1. Your server should have name-based virtual hosting enabled if it only uses 1 IP address.
2. In the CSS, you can use a single service for this server, or use different services with a different keepalive URI for each service.
3. You can use a number of unique content rules (same VIP, TCP 80, with different URLs) and add the service to them.
Remarks: If you want to use unique content rules, you should make them differ by URL; otherwise all the content rules are the same and you can't activate all of them.
Another suggestion: If your server already supports name-based virtual hosts, you can use just a single L4 content rule and all the traffic would be handled by that server (service). -
Hi, I have a non-SSL website running on port 443. When I access this website using Chrome or IE it works just fine, but Firefox can't seem to accept what I have done. All browsers are on the same machine and use the same web proxy.
I access the website as http://xyz:443.
Just a bit of background info as to why I need this. Where I work I can only access ports 443 and 80 via the web proxy. I have two distinct websites running on a couple of devices at home behind a very config-wise limited router which has ports 80 and 443 redirected to these hosts. There is no way for me to setup two port forward rules on port 80 to two different devices. I cannot setup SSL on either of the websites.
Regardless of options that could exist to overcome my particular issue, I would like to check if you guys know how to make Firefox work with a website running on port 443 whilst not having a certificate assigned to it.
Firefox 32.0.3
Error message:
The connection was reset
The connection to the server was reset while the page was loading.
The site could be temporarily unavailable or too busy. Try again in a few moments.
If you are unable to load any pages, check your computer's network connection.
If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the Web.
What type of SSL are you running? [https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/]
You can somehow remove the Strict-Transport-Security header, or there may be a feature that forces encryption, but by default HTTPS uses 443 for encryption. I do not know if this is possible. -
IE Traffic being forced to tunnel via port 443
I have a Windows 2008 R2 server that has been in production for over 2 years. It is a Hyper-V host running five 2008 R2 guests. Everything was running fine until a couple of weeks ago when I installed the latest HP firmware and drivers.
Since then, Internet Explorer cannot open any website except www.google.com. After uninstalling IE9 and then installing IE10 there was no change. I've scanned the server with Malwarebytes and HijackThis. No problems found. I reset IE and reset the TCP/IP stack. No change. I removed McAfee AV and I'm now able to access Google and one other site. I then installed Fiddler and looked at what is happening, and it appears that most websites are trying to tunnel using port 443 rather than using the typical port 80. I'm not sure how to interpret this. I know name resolution is working and I can ping the sites I'm trying to reach. If I go to a standard site, say www.yahoo.com, the IE window stays blank, but if I go to Tools/View Source it appears I'm looking at the HTML from the target site. Below is a summary of the Fiddler output when I tried to go to yahoo.com. Any help is greatly appreciated as I am all out of ideas.
Thanks,
Joe
#  Result  Protocol  Host                                 URL                             Body  Caching   Content-Type               Process
1  301     HTTP      fiddler2.com                         /UpdateCheck.aspx?isBeta=False  0     no-cache                             fiddler:4916
2  200     HTTP      www.telerik.com                      /updatecheck.aspx?isBeta=False  620   private   text/plain; charset=utf-8  fiddler:4916
3  301     HTTP      www.yahoo.com                        /                               212   no-store  text/html                  iexplore:728
4  200     HTTP      Tunnel to www.yahoo.com:443                                          0                                          iexplore:728
5  -       HTTP      crl.geotrust.com                     /crls/secureca.crl              -1                                         iexplore:728
6  200     HTTP      Tunnel to www.yahoo.com:443                                          0                                          iexplore:728
7  200     HTTP      Tunnel to iecvlist.microsoft.com:443                                 0                                          iexplore:5104
Found that the problem was somewhere in the Windows firewall. Although I had stopped the firewall service during testing, something remained hooked in. Another attempt at shutting off the firewall and then starting it again seems to have resolved the problem. This makes no sense but I'm not arguing with the results. Thanks everyone for your help. -
CS-150-LAN extra content rule disables all access to website
We have a CS-150-LAN content switch with software version 6.10 Build 203. Yesterday, for no apparent reason, we lost connectivity to our website through our CSS. To get around this issue we removed all content rules except for the "everything-else" rule.
owner http://www.acmi.net.au
content AIC
add service acmi-web3
url "//www.acmi.net.au/AIC*"
protocol tcp
port 80
vip address 203.14.59.174
content everything-else
add service acmi-web1
vip address 203.14.59.174
protocol tcp
port 80
active
owner http://www.vceart.com
content everything
add service acmi-web3
vip address 203.14.59.175
protocol tcp
port 80
active
What is happening now is that when I create an additional content rule it then times out all connections to our website http://www.acmi.net.au. If I suspend the additional rule "AIC" the website comes back online. We need these additional content rules for accessing subsites. Please help.
Thanks
Here are the show service summary and show summary outputs:
Owner            Content Rules    State      Services   Service Hits
www.acmi.net.au  AIC              Suspended  acmi-web3  6
                 everything-else  Active     acmi-web1  243
                                             acmi-web2  340
www.vceart.com   everything       Active     acmi-web3  23
sec-css-11150# sh service summary
Service Name  State  Conn  Weight  Avg Load  State Transitions  Idx
acmi-web1     Alive  2     1       2         2                  2
acmi-web2     Alive  9     1       23        2                  3
acmi-web3     Alive  1     1       17        2                  4
The content rule AIC is suspended because if I activate it, it then makes the website www.acmi.net.au unreachable and it times out.
This config was working from day one with the AIC content rule and about another 9 content rules under the owner www.acmi.net.au.
If I add the url "/*" command to the content rule "everything-else", this also hangs the site www.acmi.net.au. -
Use of content rule vs source group for NATing
To NAT outgoing flows from two servers, is it necessary to define a content rule and a source group (or is just a source group sufficient)?
Also, does the CSS do NAPT, i.e. alter the source port number for outgoing packets from source groups?
Having trouble with Option 2.
Option 1:
service svr1
ip address 192.168.10.1
no port
protocol tcp
active
service svr2
ip address 192.168.10.2
no port
protocol tcp
active
content outflows
protocol tcp
add service svr1
add service svr2
vip address <externalip>
active
group outgrp
vip address <external ip>
add service svr1
add service svr2
active
<add appropriate acl>
Option 2:
service svr1
ip address 192.168.10.1
no port
protocol tcp
active
service svr2
ip address 192.168.10.2
no port
protocol tcp
active
group outgrp
vip address <external ip>
add service svr1
add service svr2
active
<add appropriate acl>
To NAT connections initiated by the server, you only need a source group.
No need for a content rule.
The CSS will port NAT.
Gilles. -
USB port on wrt610n i can see the drive but cannot see the content
I have followed the instructions. I see the drive, but when I try to access the drive I get an empty new folder.
Help, I am lost. What should I do?
winmaco wrote:
Yes, I have; it is working on my PC.
One thing in setting up the USB: I had to use a different password.
My router has a password, and the only way I could move forward was to use the default admin/admin user name and password.
I could not use my router user name and password.
The username and password for the share on your attached drive can be anything you want them to be. I assume you set up a share on the attached drive? That's where you need to add a password for the share, although for ease of use I never did assign a password to the shares.
You do know that the firmware for the Storage Link is buggy, right? File size limitations as well as file corruption issues? Connectivity issues also rise up, with the only workaround that I have found is a script that you have to run every time you boot up your computer. As far as I can see the Storage Link function is a poorly implemented idea. No firmware in sight to fix the issues, and no idea of when. -
On a Mac mini server with OS X Lion 10.7.2, I am unable to get the web server working on port 80. It switches automatically to port 443 (https).
This situation complicates the access to FileMaker Web publishing, as I don't want my clients having to use https.
How can I change that? Does anyone know?
Thanks for any reply.
In the server: I checked the SSL certificate. Tried several configurations.
Well, that's a problem for a start.
Your port 80 connection should NOT use SSL. Port 80 is the standard HTTP port, not HTTPS, and most applications that connect to port 80 will not expect to use SSL.
If you want to run a site under both HTTP and HTTPS, then you create two sites, one on port 80 without SSL and one on port 443 with SSL.