SSL termination using Hardware Load Balancer

We are trying to implement SSL at the Hardware Load Balancer layer and terminate the SSL there. Architecture includes Apache Reverse Proxy and Portal server running EP7 SP18. In this scenario we want encryption between the client browser and the Load Balancer (BigIP F5). The load balancer will then decrypt the request and send it to the Apache reverse proxy on port 80. Apache Reverse proxy will send request to Portal J2EE engine on the http port.
This scenario seems to work in most cases but we are having issues with the standard portal login page. The login page is sent to the browser on https but when entering credentials and selecting the login button a request gets generated on port 80, not 443 (https) and is not serviced by the load balancer. 99% of the requests that get generated from the client browser stay on port 443 as expected but for some reason this particular request switches to port 80.
How can we keep all requests generated on port 443 (https)?

Hello Brian (all)
I am facing the same issue - except we do not have the Apache proxy in the setup..... just HTTPS to a Cisco ACE load balancer and then HTTP to the portal. 
Nearly all of the portal content is working great, but am facing the situation that some ESS content is switching to HTTP.  In discussing with the network team, they have done the following:
1/ Replies from the portal server back to the client have an SSL rewrite performed, which modifies a 301 or 302 reply and changes http URLs to https.
2/ The load balancer adds an HTTP header "ClientProtocol https" to the request it sends to the portal server.
They feel we need to find a way to have the portal server only send either references with no host:header (i.e. http) or only send host:header with https to keep it all SSL.
Any advice?
Edited by: Eric Poellinger on Jan 5, 2011 5:09 AM
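
An added example, not part of either post or of any vendor's tooling: a Python check for the behaviour described in this thread. It flags absolute http:// URLs for the public host in a backend response, and shows that a rewrite limited to 301/302 Location headers (item 1 above) leaves a login form's action untouched. The hostname portal.example.com, the function names and both sample responses are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

PUBLIC_HOST = "portal.example.com"  # assumption: name of the HTTPS virtual server

# Constructed sample responses, as a backend behind the load balancer might send them.
REDIRECT = (302, {"Location": "http://portal.example.com:80/irj/portal"}, "")
LOGIN_PAGE = (
    200,
    {"Content-Type": "text/html"},
    '<form method="post" action="http://portal.example.com/irj/portal">'
    '<input name="user"><input type="password" name="password"></form>'
    '<a href="/irj/portal/help">Help</a>',
)


class _UrlAttrs(HTMLParser):
    """Collect URL-bearing attributes (action, href, src) from an HTML body."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("action", "href", "src") and value:
                self.found.append((f"<{tag} {name}>", value))


def _is_downgrade(url, public_host):
    # Relative URLs have no scheme and inherit https from the page, so they pass.
    parts = urlsplit(url)
    return parts.scheme == "http" and parts.hostname == public_host


def find_downgrades(status, headers, body, public_host=PUBLIC_HOST):
    """Return (where, url) pairs for absolute http:// URLs aimed at the public host."""
    hits = []
    loc = headers.get("Location")
    if status in (301, 302) and loc and _is_downgrade(loc, public_host):
        hits.append(("Location", loc))
    parser = _UrlAttrs()
    parser.feed(body)
    hits += [(w, u) for w, u in parser.found if _is_downgrade(u, public_host)]
    return hits


def rewrite_location(status, headers):
    """Model of the SSL rewrite in item 1: only 301/302 Location headers change."""
    out = dict(headers)
    loc = out.get("Location")
    if status in (301, 302) and loc and urlsplit(loc).scheme == "http":
        p = urlsplit(loc)
        # Drop an explicit :80 so the https URL falls back to the default port 443.
        netloc = p.netloc[:-3] if p.netloc.endswith(":80") else p.netloc
        out["Location"] = urlunsplit(("https", netloc, p.path, p.query, p.fragment))
    return out


if __name__ == "__main__":
    for status, headers, body in (REDIRECT, LOGIN_PAGE):
        fixed = rewrite_location(status, headers)
        print(status, "before:", find_downgrades(status, headers, body))
        print(status, "after: ", find_downgrades(status, fixed, body))
```

Run against captured backend responses, any hit that remains after the Location rewrite points at markup the load balancer does not touch, which has to be fixed at the application or by a body rewrite.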

Similar Messages

  • Why do I have to overide internal Lyncpool FQDN when using hardware load balancing

    Hi!
    As the title says, why do I need to override the FQDN when using HLB? Why can't I just change the DNS entry of lyncpool01.domain.com to point to the HLB?
    Thanks!

    You'd want to override it because there are non-HTTP/HTTPS ports involved that are better load balanced using DNS. 
    http://social.technet.microsoft.com/wiki/contents/articles/22988.demystify-hlb-and-dns-load-balancing-lync-2013-topology-with-high-availability-pools-dns-lb-vs-hlb.aspx 
    http://technet.microsoft.com/en-us/library/gg615011.aspx
    If you want to use HLB for all internal ports, then you wouldn't necessarily need to override this. 
    SWC Unified Communications

  • Coyotepoint E350 and OracleAs 10g Hardware Load Balancing SSL

    Hi:
    Has anyone been successful using a CoyotePoint E350 with XCEL SSL accelerator card and OracleAS 10g with SSL to hardware load balance an HTTPS site?

    You're on the right track adding the SSL certificate to the Load Balancer. I'm not really sure what you mean 'without the use of Webcache'? However, if I had the choice, I'd always add the certificate to the Load Balancer.
    A good document setting up a load balanced environment is the Enterprise Deployment Guide. Chapter 8 describes the tasks for a Forms environment.
    Regards,
    Martin

  • Defining SERVER_NAME to use RUN_REPORT_OBJECT on a hardware load balancer

    Hi everybody,
    We are deploying a Forms application on OAS (actually Forms & Reports Services - FRS) 10.1.2.0.2 using a hardware load balancer, that distributes workload between two FRS instances on separate computers.
    Forms work without a hitch, but it is executing reports that's not working.
    The problem is that when using RUN_REPORT_OBJECT you have to supply the REPORT_SERVER parameter, and each computer has a different report server name, but you don't know in advance which FRS instance you are going to connect to, because the URL is that of the load balancer.
    We thought that omitting the report server name from the report_object would do the trick but then we get an "FRM-41211 integration error" message
    What would be the right or recommended way to solve this problem?
    Thanks in advance,
    Miguel.

    > What would be the right or recommended way to solve this problem?
    I don't know what would be the right or recommended way, I can say how we solved the problem in our Forms/Reports applications.
    We have a lookup table where each machine has some parameters configured, one of which is the reports server name. The first form in each application identifies the machine where it's running, and reads corresponding rows in that table.

  • Hardware load balancer config

    Hi,
    EBS Release-12.1.3 ,
    Apps -2 nodes HA,
    Hardware load balancer-F5 in DMZ(Single Entry point for load balancing)
    We have chosen HTTP Layer Hardware Load Balancing for persistent session config
    Please advise what kind of changes we need to do at the application level in order to implement Hardware load balancer like,
    Can we configure EBS application to run on 443 port ,so as to directly redirect appln url from hardware load balancer to 443 port of EBS application node.
    without reverse proxy configuration.
    If reverse proxy in DMZ is required then how hardware load balancing will be configure for http layer balancing between nodes.
    As we have iSupplier in internet connectivity,please suggest which kind of implementation we can go for.
    Thanks
    Edited by: user10702579 on 21 Sep, 2012 3:46 AM

    Not necessarily - it depends on how F5 is configured. As stated, one of the settings on the F5 allows traffic from the client to be addressed to the virtual URL on the F5 using port 443 (https), and the F5 can then direct traffic to the real application servers on the port on which EBS is configured. The return traffic from the application server back to the F5 uses the same EBS port, and when the F5 sends the traffic back to the client it can use 443 - so as far as the client is concerned, it looks like the entire application is SSL enabled (using 443).
    If this setting is not configured in the F5, then EBS will have to be reconfigured to use 443 throughout.
    HTH
    Srini

  • General Hardware Load Balancer question

    We are considering setting up a hardware load balancing configuration for Oracle Application Server. I was wondering if anyone has any helpful information about this, i.e. hardware vendor, ease of setup and configuration or any other helpful hints.

    As long as they fill your minimum requirements, they are kind of equally good. In my private opinion BIG IP is the best one could get, and I have had least issues with that Load Balancer. It's also very flexible and you can do all possible configurations with it.
    However, as I said as long as any Load Balancer fulfills your requirements (balance request, sticky/persistence, SSL termination?) they should be as good as well.
    Regards,
    Martin

  • Lync Server Front End 2 Hardware Load Balancer IP

    I currently have the following Setup.
    I only have 1 Hardware Load Balanced IP for my Front End Pool. 
    After running the Lync Planning Tool it actually states that i need 2 Hardware Load Balanced IP, 1 for internal and 1 for external. 
    My question would be would i be able to configure for mobility and external access with just using 1 Hardware Load Balanced IP? 
    Because i seem to have problem with connecting to the front end server based on the following scenario.
    Without Reverse Proxy Mapping (port 80/443 internet to port 80/443 reverse proxy to port 80/443 lyncpool frontend) 
    Internal Access (No Issue)
    Lync Mobile 2013 App (Can Connect and chat but intermittent connection) *gets disconnected if i access video/audio
    Lync Client 2013 Externally (Cannot Connect to Server) 
    https://meet.domain.com (working)
    With Reverse Proxy Mapping (Port 80/443 internet to port 8080/4443 reverse proxy to port 8080/4443 lyncpool frontend)
    Internal Access (No Issue)
    Lync Mobile 2013 App (Cannot connect)
    Lync Client 2013 Externally (Cannot connect)
    https://meet.domain.com (Not working)
    Would i actually need to have a additional front end pool IP for external access? or can i maintain it as it is? 
    I do not understand why without the mapping it can work whereas if i do the mapping according to technet article it won't work.
    Everything is running windows server 2012 R2 and Lync 2013, Loadbalancer / Reverse Proxy is the same F5 Appliance
    Any assistance on this is greatly appreciated.

    Hi Greg,
    I have been making use of it (https://testconnectivity.microsoft.com/) to test my autodiscover and remote
    access.
    Like i mentioned it is weird that without doing port mapping from 80/443 to 8080/4443 i was able to pass
    the autodiscovery and all but once i changed to the proper steps to do port mapping it stopped working. 
    and im not using TMG but using a F5 Hardware Reverse Proxy which also happen to be my Load Balancing Appliance. 
    Is there anyone who can help give me more details if i need 2 VIP for the front end ? 

  • Doubt on Hardware Load Balancing?

    Hi Community,
    I think there are two ways to perform the load balancing. One of them is proxy and the other one is hardware load balancing. I know something about the proxy related load balancing using Apache, Oracle HTTP Server and others. My question: I don't know a single bit about hardware load balancing. I referred to some sites but it did not benefit me. So please guide me to configure the hardware load balancing for my cluster.
    Regards,
    Ove..

    Hi,
    Find the document for configuring the hardware load balancer with Weblogic
    1.F5 load balancer
    https://www.f5.com/pdf/deployment-guides/bea-bigip45-dg.pdf
    2.Cisco
    http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Data_Center/App_Networking/weblogicdg.html
    http://www.cisco.com/en/US/solutions/ns340/ns517/ns431/ns432/net_design_guidance09186a0080908169.pdf
    Additional Info
    http://pauldone.blogspot.in/2013/04/load-balancing-t3-initial-context.html
    Best Load Balancing Hardware | TechSource
    Oracle Weblogic Server Administration: Load Balancing in Weblogic Server
    http://www.broadband-testing.co.uk/download/ZeusBEAWebLogic.pdf
    http://www.ateam-oracle.com/using-weblogic-as-a-load-balancer/
    Hope it helps

  • Hardware Load Balancing Tuxedo

    In a PeopleSoft scenario, can i use a hardware load balancer to scale out multiple PeopleSoft app servers on the JOLT port?
    In theory, i think i should be able to , but for some reason it does not work.
    Thanks
    Alok

    Hi Alok,
    At the moment, we don't certify load balancers with Tuxedo, although I'm not sure why you are encountering errors using a hardware load balancer. I know other customers are using them successfully. Which load balancer are you using and how do you have it configured?
    Regards,
    Todd Little
    Oracle Tuxedo Chief Architect

  • Hardware Load balancing

    Hi,
    I have 2 Oracle 9i Database Servers running on Sun systems which are physically located in 2 different locations connected by a leased line.
    We would like to load balance these Servers which are physically located far using a Hardware Load Balancing device, ServerIronXL from Foundry Networks using IP.
    I would like to know if there would be any issues from the Oracle Application while doing so?
    I would also want to know if U want to suggest any other Hardware other than ServerIron to do this load balancing?
    Best Regards,
    Srini

    Hi,
    The SUN1 goes down because his source goes down.
    Instead of the Source that is sending data to SUN1, a small unit is coming up and replacing the Source for 4 hours, but it feeds the SUN2 with data. That will be later on sent again to SUN1, so to avoid duplication of data (sun2 is receiving data from sun1 all the time), SUN2 is just holding the data until the Source comes up and starts feeding the SUN1. The data that was on sun2 will be deleted as soon as the Source comes up.
    While the Sun1 is down the Sun2 must feed information to the Web site.
    It is just to split traffic during a certain period of time (4 hours, while the maintenance is happening), the rest of the 24 hours the sun2 is a Backup location, and it must contain the exact live copy of SUN1, and be ready to jump into production if something goes down on SUN1.
    Regards,
    Srini

  • Using the load balancer

    Hi, I just started using the SJWS7.0. When a client sends a request, is the request to the load balancer server name or the admin server name? Any information on how to use the load balancer will also be appreciated

    The server where the load balancer is running. The admin server plays no part in the load balancing beyond allowing you to configure and manage it using the administration console.

  • If equal cost routes exist, OSPF uses CEF load balancing?

    Hi All,
    Can anyone explain about:
    . If equal cost routes exist, OSPF uses CEF load balancing?

    Rick is correct, but if his response, with mine, causes any confusion. . .
    To OP's original question:
    If equal cost routes exist, OSPF uses CEF load balancing?
    The answer is technically no, for the reason Rick describes.
    But if we rephrase, such as:
    Does CEF load balance across multiple equal cost routes generated by OSPF?
    The answer would be yes.
    I suspect the latter question is what the OP really had in mind, but again, Rick is correct to distinguish that OSPF doesn't use CEF.

  • Hardware Load Balancing Configuration and Session Clustering

    I would like to know where I can find any information on Hardware Load Balancing Configuration in order to leverage WLS HTTPSession clustering.
    Don Ferguson mentioned white papers on this subject however I can't seem to locate them.
    I am particularly interested in Cisco's 11000 Content Service Switch.
    Thanks.
    Mike Jones

    Scroll to the bottom of this link. It discusses how to configure Alteon and Big-IP.
    The principles should apply to Cisco as well, but we don't have documentation on configuring it, as far as I know.
    http://e-docs.bea.com/wls/docs61/cluster/index.html
    -Don

  • OAM 11gR2 Throwing SSL Warning after configured to use HTTPS Load Balancer

    I have configured OAM 11gR2 to use an https load balancer on 14100 and have set my managed servers' SSL listen port to 14100 (could not use 14101 because the HTTPS VIP created was listening on 14100). Everything works fine with this configuration, but my logs are filling up with the following warning.
    <Oct 3, 2012 1:41:54 PM UTC> <Warning> <Security> <BEA-090475> <Plaintext data for protocol HTTP was received from peer 10.228.0.1 - 10.228.0.1 instead of an SSL handshake.>
    I know that 10.228.0.1 is the DNS server, but I'm not sure why this happening. Any ideas?

    What WLS and OHS versions are you using in this environment?
    If it's an older version than these, please upgrade WLS to 10.3.3 and the OHS to 11.1.1.3. This is a known bug on the WLS side, not in OAM.
    I hope this helps,
    Thiago Leoncio.

  • SSL Setup in a load balanced portal

    Hi,
    We are implementing a portal landscape and also we are using a hardware based (Cisco ACE) load balancer for load balancing purposes.
    So the configuration would be:
    Portal requests --> Load Balancer --> Portal --> Backend
    We are trying to implement SSL until the portal server and I have a question regarding the SSL certificate installation process.
    The URL on the load balancer would be for example https://portaltest.mycompany.com which would load balance the requests between the application servers of the portal (https://sapeptest1.mycompany.com:50001/irj/portal and https://sapeptest2.mycompany.com:50001/irj/portal).
    So, first thing we will have to do would be to install an SSL certificate (signed by a Trusted CA) on the load balancer with a CN=portaltest.mycompany.com.
    I understand that for https to function properly, the host name in the URL we are using to get to the server should match the CN of the SSL certificate installed on the server.
    Now, can we install the same certificate (that we put on the LB) on the portal as well?
    (This might not work because the server type will be different)
    (or)
    Do we need to buy 2 certificates with the same CN and install one each on the LB and portal ?
    Can someone please suggest how to proceed with the SSL setup and certificate installation process?
    Thank You ,
    Raj

    Raj Kumar wrote:
    My question is about how to go about installing the certificates on the LB and on the portal.
    If you aren't using web dispatcher, then the details of the installation on the LB will depend on your LB (Cisco? Radware? etc?). I suggest contacting your LB vendor for that.
    Sen's link is for SSO, you want the [SSL procedure|http://help.sap.com/saphelp_nw70/helpdata/en/f1/2de3be0382df45a398d3f9fb86a36a/frameset.htm].
    You probably don't need a signed cert on the portal server itself (depending on whether your LB validates the cert). You could just use the default self-signed cert, since users won't be connecting to it directly and so won't be troubled by warnings about untrusted certs: the traffic from the AS would still be encrypted, you would only lose out on the server authentication feature (which you don't need, since again users won't see it).
    On the other hand, do you really need SSL on portal server? That adds overhead at both the LB and portal. It's usually sufficient to use HTTP from the LB to the back-end, as long as the servers only allow connections from the LB. I realize you aren't using web dispatcher, but this looks like scenario #3 in [this diagram|http://help.sap.com/saphelp_nw70/helpdata/en/d8/a922d7f45f11d5996e00508b5d5211/frameset.htm]
    Regards,
    Sean
