Re-direct based on source ip address
Dear all,
I wish to redirect URL traffic to another server based on their IP address. We currently have a SharePoint server and were hoping to utilise its facilities to redirect to another server: https://www.abc.com to http://www.abc.com/def
We have IIS7 running in the background, if that helps. Would IIS be a better choice?
Thanks in advance.
N DHANRAJ
Hi Dhanraj,
I understand that you want to redirect the URL from https://www.abc.com to http://www.abc.com/def. You can try URL Rewrite rules to achieve this goal.
Here are some posts about this topic, you can take a look.
http://stackoverflow.com/questions/22182087/iis-rewrite-rule-to-redirect-specific-domain-url-to-different-url-on-same-domain
http://social.technet.microsoft.com/wiki/contents/articles/23074.sharepoint-2013-url-rewrite.aspx
Supportability of Rewrite and Redirects with SharePoint 2007/2010/2013
More about the IIS redirect, I would recommend you post in IIS forum below, there will be more experts assisting on this issue.
http://forums.iis.net/t/1153050.aspx?URL+Rewrite+for+SSL+redirection
Thanks
Daniel Yang
TechNet Community Support
Similar Messages
-
Route call based on source IP address
Hello Guys,
Is there a way to route calls based on source IP address?
I want to redirect calls to specific queues based on the ip of the phone who's starting it.
Any ideas?
Thanks in advance.
Filipe Leite
Hi Filipe
I'm assuming here that you are using CallManager rather than CME?
One option might be to use the 'device mobility' feature to assign a specific CSS to devices based on their IP subnet. That CSS could have the appropriate partitions to route to a separate trigger that directs calls to a separate CSQ.
Of course, whether you can do this depends on whether it would be appropriate to override the device CSS in this way.
Aaron
-
Load balancing based on source IP address
Hi,
I configured a CSS to balance the load depending on source IP address to support an application feature in the server.
We have two firewalls and behind them we have different users. We also have two servers behind the CSS.
Firewalls perform NAT with a unique outside IP address. So, for example, in these conditions the CSS balances requests coming from FW 1 to server 1 and requests coming from FW 2 to server 2. Is this scenario correct?
Is it possible that requests coming from FW 1 could be forwarded to Server 2 and vice versa?
Could anyone answer me?
Thanks in advance.
Best regards.
Giuseppe.
Giuseppe,
it all depends on how you configured your CSS.
Did you use an ACL to force traffic from SRC1 to server1 and traffic from SRC2 to server2?
Or did you simply configure sticky based on source IP or a source IP hash load balancing?
Except for the ACL, all other methods do not guarantee that the traffic will be split in 2.
Gilles.
-
ACE load balance based on Source IP Address
Hi Cisco Support,
I have a question related to Cisco ACE behavior in terms of making a decision based on source address.
I currently have two servers sitting behind the ACE as part of one server farm. These servers are load balanced via one VIP on the ACE module and everything looks fine.
Now the service owners want to replace these old servers with new hardware, so before the migration we need to make sure the new servers are working to the required standard, and hence need to create a testing scenario for the new servers alongside the old servers. The problem is that a number of third-party partners are accessing the existing servers by hitting the VIP on the ACE, and we can't engage all our partners to participate in this test, so we decided to engage only one partner to carry out the test with us.
For that reason, can we somehow configure the ACE so that when a packet arrives on the ACE from the one test partner mentioned above, the ACE sends only that partner's traffic, based on its source address (defined via class/policy map on the ACE if possible), towards the new servers in the existing server farm and not to the old servers in the same server farm?
Thanks for your support
Hi,
Just to put some config sample that might help you to get this done.
First create the new rservers and include them under a new serverfarm (New-APP).
serverfarm host Webfarm
  rserver SVR1
    inservice
  rserver SVR2
    inservice
serverfarm host New-APP
  rserver New-1
    inservice
  rserver New-2
    inservice
- Same VIP already working.
class-map match-all VIP-HTTP
  2 match virtual-address 10.10.10.10 tcp eq www
- Create a new class that will include your partner's IP(s).
class-map type http loadbalance match-any 3rd-Party
  2 match source-address 200.200.200.1 255.255.255.255
  3 match source-address 200.200.200.10 255.255.255.255
Modify your current first-match policy to put the new class on top so that all the traffic matched by the statement above (IP) will be redirected to the new farm with the new APP; any other traffic that does not match the "rule" will be sent to the old serverfarm with the old app.
policy-map type loadbalance first-match L7-SLB
  class 3rd-Party
    serverfarm New-APP
  class class-default
    serverfarm Webfarm
Since you already have LB working then this is it, nothing needs to be added under the multi-match policy nor interface.
HTH
Pablo
-
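To check the policy in the ACE reply above before applying it, the following added Python sketch (not part of the thread and not Cisco code) parses the posted class-map and policy-map lines and reports which serverfarm a given source address would reach under first-match ordering. The `Partner-Net` class and the sample client addresses are hypothetical, added only to show how a broader class placed earlier shadows `3rd-Party`.

```python
import ipaddress

# Configuration lines copied from the reply above.
CONFIG = """\
class-map type http loadbalance match-any 3rd-Party
  2 match source-address 200.200.200.1 255.255.255.255
  3 match source-address 200.200.200.10 255.255.255.255
policy-map type loadbalance first-match L7-SLB
  class 3rd-Party
    serverfarm New-APP
  class class-default
    serverfarm Webfarm
"""


def parse(config):
    """Return ({class name: [networks]}, [[class name, serverfarm], ...])."""
    classes, policy, current = {}, [], None
    for raw in config.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "class-map":
            current = classes.setdefault(tok[-1], [])
        elif len(tok) >= 5 and tok[1:3] == ["match", "source-address"]:
            # "<seq> match source-address <ip> <netmask>"
            net = ipaddress.ip_network(f"{tok[3]}/{tok[4]}", strict=False)
            current.append(net)
        elif tok[0] == "class":
            policy.append([tok[1], None])
        elif tok[0] == "serverfarm" and policy:
            policy[-1][1] = tok[1]
    return classes, policy


def select_farm(classes, policy, src_ip):
    """First-match: the first class that matches the source decides the farm."""
    addr = ipaddress.ip_address(src_ip)
    for name, farm in policy:
        if name == "class-default":
            return farm
        if any(addr in net for net in classes.get(name, [])):
            return farm
    return None


CLASSES, POLICY = parse(CONFIG)

# Hypothetical mistake: a class covering the partner's whole /24 is placed
# ahead of 3rd-Party and still points at the old farm.
SHADOW_CLASSES = {**CLASSES,
                  "Partner-Net": [ipaddress.ip_network("200.200.200.0/24")]}
SHADOW_POLICY = [["Partner-Net", "Webfarm"]] + POLICY

if __name__ == "__main__":
    for ip in ("200.200.200.1", "200.200.200.10", "200.200.200.2", "10.1.1.1"):
        print(ip, "->", select_farm(CLASSES, POLICY, ip),
              "| with shadowing class ->",
              select_farm(SHADOW_CLASSES, SHADOW_POLICY, ip))
```

The match is made on the source address as the ACE sees it, so any NAT in front of the partner decides which addresses belong in the class.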
Redirect based on source IP address????
I have a site that I don't want our competitors to view! By
tracking code, I have managed to obtain their source IP addresses.
After looking around, there is a .php solution to my problem
but my host is not well suited to .php files (although it does some
processing).
My pages are in .shtml (to process css drop-down menus
correctly) and I understand that this attached code, if put at the
top of the page before anything else, will work.
I have managed to get one working
http://www.donbur.co.uk/gb/newindex.php
but am having difficulty getting this code to work elsewhere.
The problem is, when I try to put this code into either a
template or as an include, it won't process correctly or the page
won't render at all.
Do I have to use .php files or can I insert php script into
an .shtml document.
Getting really confused now.... HELP
Thanks for the constructive advice...
quote:
>After looking around, there is a .php solution to my problem but my host is not well suited to .php files (although it does some processing).
What does this mean? Does your hosting plan include php
support or not?
You can't just put a php script into any page. It needs to be
a .php page or you need to reconfigure the server to parse other
pages for php. But if your hosting plan doesn't support php then it
won't work in any case.
My host is BT Internet and they claim not to process .php
files which is why our main .php site is hosted elsewhere; however,
it seems that, although it has difficulty (to clarify: doesn't
render) with main full scripts, it does seem to process simple
<?php echo commands for example.
It has been suggested on another forum that the .shtml files
are set to be recognised by .php in the cpanel but our host will
not do this...
Our competitors are not particularly smart or up-to-date and
this would have been reasonably effective; however, I bow to better
judgement and close this topic.
-
VRF selector using PBR or Source IP address
Could anyone tell which is the better choice of VRF selector: using PBR or source IP address? From Cisco doc, VRF selection based on Source take advance over PBR. My feeling is that PBR may match more criteria than just the source IP address.
Thanks
I would personally use the "VRF selection based on source IP address" only where the "VRF selection using PBR" is not available since the latter is a superset of the former.
Hope this helps,
-
Redirecting traffic based on source address on CSS11503
Hi all,
I need to redirect HTTP traffic originating from a specific range of IPs to a specific farm of HTTP servers. More specifically, I need requests coming to the CSS's outside VIP address on port 80/tcp to be redirected to the HTTP farm (2 boxes with RFC1918 addresses) on port 30084/tcp.
The trick is that this rule should only apply for a certain range of source IP addresses. The rest should be content switched normally. I.e. 80/tcp -> 80/tcp, etc.
Is this possible with an ACL or something similar?
I'm running WebNS 7.20 on a CSS11503.
Thanks,
haver
You could create a 2nd VIP like x.x.x.x:81 and
a service like
service redirect
  domain x.x.x.x:81
  type redirect
  keepalive type none
Under the VIP x.x.x.x:81, you configure the 2 services with private IP addresses and port 30084.
Then you create an ACL
acl 10
  clause 10 permit tcp destination content prefer redirect
  clause 99 permit any any destination any
  apply circuit-VLAN...
Don't forget you will need an ACL permit any any on all other interfaces to avoid blocking the rest of the traffic.
What this will do is tell the browser to close the current connection to vip:80 and reopen a new one to vip:81 and this will be loadbalanced to the private servers.
Gilles.
-
Providing Access based on Client IP Address
Current Scenario -
SAP Portal is accessible directly and via Citrix (VPN).
Based on the URL alias - we have implemented Desktop Filtering.
eg if the URL ends with / internet - You get restricted roles
eg if the URL ends with / intranet - You get wider roles
In Production, we also have Netscaler Reverse Proxy and HTTPs settings in place for External (outside firewall) access.
New Requirement (Example) -
Based on the IP address of the client, determine which subnet it falls under and based on that -
If used within Citrix - Provide certain roles
If not used within Citrix - Restricted access / Redirect to a different URL on the redirect server.
Questions -
With the current desktop filtering in place based on URL determination and no specific restriction for inside/outside Citrix access -
1 - Please suggest which would be a good way to crack this? Inside Portal (IP address determination and SAP Logon modification) / Outside Portal (eg Citrix, Network OS Exit, Reverse Proxy etc) based on Best Practise ?
2 - Not sure if this is relevant: Find IP address of Client with webdynpro (This API works only in Web Dynpro and not PDK)? I believe tweaking SAP Logon logic can get very painful and overly complicated for such scenarios.
Thanks for your inputs ~ Dhanz
Vivek,
On the coding front -
1 - Will reading the IP address in the header field x-forwarded-for retrieve the right results if a reverse proxy is in place? Wouldn't it retrieve the proxy / load balancer IP instead of the client IP?
2 - Also we have HTTPS settings for extranet access - So encrypted data (eg Client IP ) is transferred that the Web Dispatcher cannot manipulate ?
Please suggest.
-
Bandwidth Limit based on Source IP?
Hi
I am trying to think of a way to apply a bandwidth limit based upon Source IP subnet.
I need to have the ability to limit both the outbound and inbound traffic.
So I created the following config:
policy-map bw-limit-inbound
  class bw-limit-class
    police 10000
class-map match-any bw-limit-class
  match access-group 150
access-list 150 permit ip 172.16.99.0 0.0.0.255 any
If I apply the Service Policy inbound, it does police the upload to 100Kbps.
If I apply it outbound, it does nothing to the download.
Any reason for this?
I am applying this to an SVI
Thanks
Hi Guys
Just to update this thread, I figured out where I was going wrong!
As mentioned by Mikael, the ACL only shows traffic one way, hence why it was not applying the service policy to the download.
I have three subnets I want to Police both outbound and inbound so I started with Three ACLs:
access-list 197 permit ip 172.16.97.0 0.0.0.255 any
access-list 197 permit ip any 172.16.97.0 0.0.0.255
access-list 198 permit ip 172.16.98.0 0.0.0.255 any
access-list 198 permit ip any 172.16.98.0 0.0.0.255
access-list 199 permit ip 172.16.99.0 0.0.0.255 any
access-list 199 permit ip any 172.16.99.0 0.0.0.255
I then created the relevant class maps:
class-map match-all vlan998-download
  match access-group 198
class-map match-all vlan999-download
  match access-group 199
class-map match-all vlan997-download
  match access-group 197
class-map match-all vlan998-upload
  match access-group 198
class-map match-all vlan999-upload
  match access-group 199
class-map match-all vlan997-upload
  match access-group 197
Then the service policies:
policy-map download-limit
  class vlan997-download
    police 2000000
  class vlan998-download
    police 3000000
  class vlan999-download
    police 4000000
policy-map upload-limit
  class vlan997-upload
    police 200000
  class vlan998-upload
    police 300000
  class vlan999-upload
    police 400000
Then finally applied those to the relevant SVI:
interface Vlan102
  ip vrf forwarding WAN2
  ip address 10.20.2.2 255.255.255.0
  ip nat inside
  ip virtual-reassembly in
  service-policy output download-limit
  service-policy input upload-limit
-
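As an added illustration of the point made in the update above (the original ACL only describes traffic one way), the following Python sketch is not from the thread; it evaluates the posted ACL lines against two constructed packets, one upload and one download. The packet addresses and helper names are assumptions, and only the `access-list N permit|deny ip` form with wildcard masks or `any` is parsed.

```python
import ipaddress

ANY = (0, 0xFFFFFFFF)  # wildcard with every bit set: all bits are "don't care"


def _take_addr(tokens):
    """Consume 'any' or 'ADDRESS WILDCARD'; return (spec, remaining tokens)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    addr = int(ipaddress.IPv4Address(tokens[0]))
    wild = int(ipaddress.IPv4Address(tokens[1]))
    return (addr, wild), tokens[2:]


def parse_acl(lines):
    """Parse 'access-list N permit|deny ip SRC DST' lines (a subset of IOS)."""
    entries = []
    for line in lines:
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[3] != "ip":
            raise ValueError(f"unsupported ACL line: {line!r}")
        src, rest = _take_addr(tok[4:])
        dst, rest = _take_addr(rest)
        entries.append((int(tok[1]), tok[2], src, dst))
    return entries


def _addr_match(ip, spec):
    addr, wild = spec
    # Bits set in the wildcard are ignored; all remaining bits must be equal.
    return ((int(ipaddress.IPv4Address(ip)) ^ addr) & ~wild & 0xFFFFFFFF) == 0


def acl_matches(entries, number, src_ip, dst_ip):
    """First matching entry decides; no match means the implicit deny."""
    for num, action, src, dst in entries:
        if num == number and _addr_match(src_ip, src) and _addr_match(dst_ip, dst):
            return action == "permit"
    return False


# ACL from the first post, and the two-line form from the update.
ORIGINAL = parse_acl(["access-list 150 permit ip 172.16.99.0 0.0.0.255 any"])
FIXED = parse_acl([
    "access-list 199 permit ip 172.16.99.0 0.0.0.255 any",
    "access-list 199 permit ip any 172.16.99.0 0.0.0.255",
])

# Constructed sample packets as (source, destination).
UPLOAD = ("172.16.99.25", "198.51.100.7")    # client to outside host
DOWNLOAD = ("198.51.100.7", "172.16.99.25")  # outside host back to client


def classify(entries, number):
    """Report whether each direction would be selected for policing."""
    return {
        "upload": acl_matches(entries, number, *UPLOAD),
        "download": acl_matches(entries, number, *DOWNLOAD),
    }


if __name__ == "__main__":
    print("ACL 150:", classify(ORIGINAL, 150))
    print("ACL 199:", classify(FIXED, 199))
```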
HTTP Redirect based upon SRC IP Address
Is there a way to perform an http redirect based upon user's source IP address on the CSM/GSS environment?
Logic:
IF < src ip address is within exception list > THEN
    http redirect to URL2
ELSE
    http to URL1
END
Is there a version of this solution (redirect by client source IP) for the CSS?
I'm attempting to redirect clients from a few specific networks (source IP's) to the VIP of a second CSS using a service-type redirect and "prefer " ACL commands:
clause 10 permit any 1.1.1.0 255.255.252.0 destination content owner/content-rule prefer service-type-redirect
There is an "any any destination any" last clause in the ACL for the remaining source IPs. The ACL is applied to the incoming circuits leading to the webservers.
A show of the ACL's shows all responses - no matter the client source IP - being caught by the permit any clause at the end of the ACL.
Extra points: this is a one-arm design with source group destination applied (to return server traffic to the CSS) and traffic is https with SSL terminating at the servers (no SSL module). Content rules are set to be sticky for srcip. Both CSSs are answering content-based DNS queries for the same URL with their local VIP address (but controlling which DNS server clients query isn't readily possible, so static proximity using DNS didn't provide the answer).
Each CSS is in a different data center: the idea is to keep traffic local by redirecting non-local traffic to its "local" (the other) CSS if services are active (and to keep traffic on the first CSS if the services at the redirected-to CSS are down).
Don't want too much, do I? ;-)
Thanks for everyone's time -
-K.
-
IIS Logs display CSS11501 IP address instead of external source IP address.
(FW)---(CSS11501)---(SERVERS)
Basic configuration, everything on VLAN1. Servers in web farm are logging attacks, etc. Source IP address all show the CSS instead of the originating IP address coming from the outside.
What do I need to add/change to allow servers to see the actual IPs from the outside?
Yes, inline configuration. FW connects to L2 switch crossed over to CSS, servers are connected to CSS ports directly. However, the servers' default gateway is the FW, not the CSS; that is what I believe I need to change in order for it to work. Is that correct, or is there something else?
Example:
circuit VLAN1
  ip address x.x.x.x x.x.x.x
owner xyz
  address "xyz"
  content rule.100.https
    protocol tcp
    port 443
    url "/*"
    add service serv.1.https weight 1
    add service serv.2.https weight 2
    add service serv.3.https weight 3
    vip address x.x.x.100
    application ssl
    advanced-balance ssl
    sticky-mask 255.255.255.0
    sticky-inact-timeout 15
    dnsbalance roundrobin
    balance srcip
    active
group source.100
  vip address x.x.x.100
  add destination service serv.1.https
  add destination service serv.2.https
  add destination service serv.3.https
  active
-
Jdbc connection set source ip address
Hi
Is there any way to specify the local (source) ip address of a jdbc connection ?
I work in an enterprise environment with firewalls all over, and only certain IP addresses can connect to other IP addresses.
The server which runs my application has many IP addresses and I'd like to be sure that my IP address is the source...
Thanks
Gabor Dolla
Budapest, Hungary
No, certainly not in the JDBC API. I don't believe there's even a way to do this in the java.net Socket API. There's the very slimmest of slim chances that a particular driver might implement something like this, in which case it would be in the driver's documentation. However, the chances are so slim that I'd bet strongly against any driver doing this.
The source address is usually picked by the operating system, based on the routability to the target IP address. Basically, the OS network services look at the target IP and say, "which (logical) interface can get there? That's the source IP I will use". If your host's routing says there are multiple routes to the IP, then it will pick one; if there's only one route to the particular IP, there will be only one interface (and therefore source IP) that can be chosen.
There's no reason Java or a driver couldn't be extended to do this, but no particular demand either; the problem is usually dealt with at the network layer.
-
Tracing TCP Source/Destination Addresses/Ports for ongoing connections
On Solaris 10 U4 through U7, I'm trying the following just to perform basic tracking of TCP source/destination addresses and ports, using code similar to what is available in tcpsnoop_snv and tcptop_snv.
The odd thing is that the addresses/ports appear to be zeroed out - are they being cached outside of the conn_t data structure?
#!/usr/sbin/dtrace -Cs
#pragma D option switchrate=10hz
#pragma D option bufsize=512k
#pragma D option aggsize=512k
#include <sys/file.h>
#include <inet/common.h>
#include <sys/byteorder.h>
#include <sys/socket.h>
#include <sys/socketvar.h>
/* First pass, for all TCP Read/Write actions, collect source/destination
   IP + Port - after a few secs, print them all out */
fbt:ip:tcp_send_data:entry
{
    /* Outgoing TCP */
    self->connp = (conn_t *)args[0]->tcp_connp;
}
fbt:ip:tcp_rput_data:entry
{
    /* Incoming TCP */
    self->connp = (conn_t *)arg0;
}
fbt:ip:tcp_send_data:entry,
fbt:ip:tcp_rput_data:entry
/self->connp/
{
    /* fetch ports */
#if defined(_BIG_ENDIAN)
    self->lport = self->connp->u_port.tcpu_ports.tcpu_lport;
    self->fport = self->connp->u_port.tcpu_ports.tcpu_fport;
#else
    self->lport = BSWAP_16(self->connp->u_port.tcpu_ports.tcpu_lport);
    self->fport = BSWAP_16(self->connp->u_port.tcpu_ports.tcpu_fport);
#endif
    /* fetch IPv4 addresses (last four bytes of the v6-mapped address) */
    this->fad12 =
        (int)self->connp->connua_v6addr.connua_faddr._S6_un._S6_u8[12];
    this->fad13 =
        (int)self->connp->connua_v6addr.connua_faddr._S6_un._S6_u8[13];
    this->fad14 =
        (int)self->connp->connua_v6addr.connua_faddr._S6_un._S6_u8[14];
    this->fad15 =
        (int)self->connp->connua_v6addr.connua_faddr._S6_un._S6_u8[15];
    this->lad12 =
        (int)self->connp->connua_v6addr.connua_laddr._S6_un._S6_u8[12];
    this->lad13 =
        (int)self->connp->connua_v6addr.connua_laddr._S6_un._S6_u8[13];
    this->lad14 =
        (int)self->connp->connua_v6addr.connua_laddr._S6_un._S6_u8[14];
    this->lad15 =
        (int)self->connp->connua_v6addr.connua_laddr._S6_un._S6_u8[15];
    /* At this point, this->{f|l}ad1{2345}->connua_v6addr.connua_{f|l}addr._S6_un.S6_u8
       are empty - where is this data? */
}
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v7.50/command/reference/CmdGrpC.html#wp1139667
portmap [base-port base_number|disable|enable|number-of-ports number|vip-address-range number]
disable
Instructs the CSS to perform Network Address Translation (NAT) only on the source IP addresses and not on the source ports of UDP traffic hitting a particular source group. This option does not affect TCP flows.
For applications with high-numbered assigned ports (for example, SIP and WAP), we recommend that you preserve those port numbers by configuring destination services in source groups. Destination services cause the CSS to NAT the client source ports, but not the destination ports.
Note If you disable flows for a UDP port using the flow-state table and configure the portmap disable command in a source group, traffic for that port that matches on the source group does not successfully traverse the CSS.
The CSS maintains but ignores any base-port or number-of ports (see the options above) values configured in the source group. If you later reenable port mapping for that source group, any configured base-port or number-of ports values will take effect. The default behavior for a configured source group is to NAT both the source IP address and the source port for port numbers greater than 1023.
There is no possibility to disable it for TCP.
We need to source nat the port to guarantee that the server response comes back on the same module/CPU and the internal packet allocation algorithm is based on src and dst ports.
Gilles.
-
Server A, Server B, Server C are connected directly to CSS (Network Address 192.168.XX.XX). clients access the servers through Internet and get connected as well as load balanced. But our servers are unable to track the source IP address of the clients logging through Internet. Is there any configuration where servers can track the source IP address.
Hi,
The CSS would be doing source NATing if you have a group configured with "add destination service".
This is needed to prevent asymmetric flows, but if the servers are directly connected to the CSS, there would be no asymmetric flows, hence you can get rid of the group and the CSS will start sending traffic to the server with original client's IP.
Configure the CSS as the default gateway of your servers to make sure they won't bypass the CSS on the way back.
Hope it helps!!
Diego M.
-
How do I stop Firefox from redirecting me to another site based on my IPS address?
I work in California. Our corporate offices are in Oklahoma and my desktop computer is set up with an IPS address in OK. When I try to go to the CA website for AAA, Firefox redirects me to the OK website for AAA. How do I stop from being redirected to OK sites when trying to open CA sites?
hello eajames, sites can show you content and redirect you based on your IP address which will reveal your approximate location - there is not much a browser can do against this...
http://www.yougetsignal.com/tools/network-location/