Configuration: HTTPS / WSS Offloading
Warning
This document contains confidential information that is proprietary to CafX Communications Inc. No part of its contents may be used, disclosed or conveyed to any party, in any manner whatsoever, without prior written permission from CafX Communications Inc.
Table of Contents
1 Document Control
2 Introduction
3 VLANs
4 SNAT
5 Self IP
6 Network Routes
7 Virtual Servers
7.1 Health Monitor
7.2 Virtual Server Pools
7.2.1 HTTP Pool Properties
7.2.2 HTTP Pool Members
7.2.3 Media Pool Properties
7.2.4 Media Pool Members
7.3 Virtual Server Properties
7.3.1 HTTPS Virtual Service
7.3.2 Media Virtual Service
7.4 Virtual Server Resources
7.4.1 HTTP Virtual Server
7.4.2 Media Virtual Server
8.1 Application URIs
8.1.1 Fusion Web Gateway URIs
8.1.2 Fusion Palettes Admin URIs
8.1.3 Fusion Live Assist Server URIs
8.1.4 Fusion Sample Application URIs
8.2 Websocket URIs
8.3 The iRule
Contact information
Document Control
Version   Author                  Issue Date
10.0      Solutions Engineering   28 May 2014
11.0      Solutions Engineering   30 April 2014
Introduction
This guide walks through the configuration needed on F5 BIG-IP LTM (Local Traffic Manager) to offload inbound HTTPS and Secure WebSockets (WSS) requests.
The environment this configuration relates to is:
- The FCSDK installation consists of a co-hosted Fusion Web Gateway instance and a Fusion Media Broker.
- The FCSDK web-based sample application has been deployed onto this same FAS instance.
The configuration described will terminate the HTTPS/WSS connection at F5, and will then NAT and load balance the decrypted connection across a pool of back end application servers.
The configuration also describes the steps required to restrict specific URIs to only allow access to the required REST services for FCSDK and Fusion Palettes.
Once the secure connection has been decrypted, F5 is able to translate the original source IP address of a packet to a configured IP address. This feature is known as Secure Network Address Translation (SNAT). The configuration illustrates how F5 can be configured to perform SNAT automapping, i.e. enabling F5 to automatically choose a translation address, which will be an existing Self IP address.
The instructions in this guide are based on a non-HA evaluation version of F5 (v10.2.4 build 577) and should be used as an example of what configuration is required to achieve HTTPS/WSS offloading. As such, some configuration may vary depending on the local environment and policies.
VLANs
Assuming F5 has 2 network interfaces (one for the public side and the other for F5's private side), the following illustration defines 2 VLANs and associates the appropriate interface with each.
Note that in this environment, both network interfaces were untagged.
SNAT
Self IP
A Self IP address for F5's private interface, as well as for its public interface, should be defined in the Network > Self IPs menu.
It can be created by specifying the address and netmask and finally selecting the appropriate VLAN. See below:
Network Routes
A network gateway address must be created by specifying the particular router that the BIG-IP system should use when forwarding packets to the destination host or network.
Virtual Servers
A virtual server must be created for each service exposed by F5. In the screenshots below, there is a service for handling HTTPS traffic and another for RTP traffic.
As both FCSDK and Fusion Palettes are co-hosted on the same server, the configuration only defines one Virtual Server.
7.1 Health Monitor
By default, the BIG-IP system uses HTTP 0.9 for HTTP monitor requests. When an HTTP 0.9 request is sent to an HTTP 1.1 server, the server may not respond as expected. Therefore, using the default HTTP health monitor may fail even though the server is running.
To prevent the monitor from incorrectly marking the server as inaccessible, either create a custom health monitor based on the default HTTP monitor, or change the default HTTP monitor's Send String property so that it sends an HTTP 1.1 request by explicitly specifying the HTTP version, as follows:
GET / HTTP/1.1\r\nHost: \r\nConnection: Close\r\n\r\n
This health monitor should be used when defining the back end server pool associated with the virtual server. In this example the name of the monitor is: fcsdk_http
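The following Python script, added here and not part of the CafX guide, sends the section 7.1 Send String to a local stand-in HTTP/1.1 server and then sends a bare request line (which servers treat as HTTP/0.9) to show why the default monitor can mark a running server down. The stand-in server, the bare 0.9 request line and the Receive String "HTTP/1." are assumptions, not F5 defaults taken from the guide.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Send String from section 7.1: the HTTP version is stated explicitly.
SEND_STRING_1_1 = b"GET / HTTP/1.1\r\nHost: \r\nConnection: Close\r\n\r\n"
# A bare request line has no version, so servers treat it as HTTP/0.9 (assumed
# stand-in for the default monitor's request; constructed, not F5's exact string).
SEND_STRING_0_9 = b"GET /\r\n"
# Assumed Receive String for the monitor: a status line must come back.
RECEIVE_STRING = b"HTTP/1."

class BackendStub(BaseHTTPRequestHandler):
    """Constructed stand-in for an HTTP/1.1 application server in the pool."""
    protocol_version = "HTTP/1.1"

    def do_GET(self):
        self.send_response(200)  # for an HTTP/0.9 request no status line is emitted
        self.end_headers()
        self.wfile.write(b"ok")

    def log_message(self, *args):  # keep the demo quiet
        pass

def probe(port, send_string):
    """Send the monitor string over a fresh TCP connection; return the raw reply."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as sock:
        sock.sendall(send_string)
        sock.shutdown(socket.SHUT_WR)  # the monitor has nothing more to send
        reply = b""
        while chunk := sock.recv(4096):
            reply += chunk
    return reply

def monitor_passes(reply):
    """The pool member is marked up only if the Receive String is in the reply."""
    return RECEIVE_STRING in reply

def run_demo():
    """Probe a local stub with both send strings; map each to its monitor result."""
    server = HTTPServer(("127.0.0.1", 0), BackendStub)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        port = server.server_address[1]
        return {"HTTP/1.1": monitor_passes(probe(port, SEND_STRING_1_1)),
                "HTTP/0.9": monitor_passes(probe(port, SEND_STRING_0_9))}
    finally:
        server.shutdown()
        server.server_close()
```

Calling run_demo() shows the HTTP/1.1 probe passing and the version-less probe failing, because the server answers the latter with a body only and no status line for the Receive String to match.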
7.2 Virtual Server Pools
For each of the two services (HTTP and media), a group of member devices should be defined that will receive and process traffic.
Note that as SSL offloading is taking place, the back end server pool associated with the HTTPS Virtual Service is defined as being insecure.
7.2.1 HTTP Pool Properties
A pool of backend servers is required to enable F5 to load balance the appropriate service. Note the use of the Health Monitor (fcsdk_http) created earlier.
7.2.2 HTTP Pool Members
Although for simplicity this pool has only 1 member, there may be any number of members in a pool. When defining a member, along with its IP address, the port on which the service resides is also required.
7.2.3 Media Pool Properties
7.2.4 Media Pool Members
7.3 Virtual Server Properties
The NAT configuration of both the HTTPS and media Virtual Servers is as follows:
- Auto-SNAT is enabled, meaning that F5 will automatically choose which address to translate the source IP into, based on the list of Self IPs.
7.3.1 HTTPS Virtual Service
- Following best practice, the VLAN for which the virtual server is enabled has been changed from the default to being explicitly defined via the VLANs and Tunnels property.
- The HTTP profile that is defined is the default HTTP profile without any changes.
  o In order for F5 to correctly process Websockets, the HTTP profile needs to be disabled via iRules during the processing of the Websockets request, allowing the TCP communication to be proxied through the BIG-IP. iRules will be discussed in a later section within this document.
- For the purposes of this exercise, F5 has been configured to use a client-side self-signed certificate, and as such the SSL Profile (Client) property has been set to clientssl.
  o An alternative would be to import a CA-signed certificate and define that in the SSL Profile (Client) property field.
Note that the port exposed for the HTTPS service is defined here as 8443. This should be configured to a value appropriate to the environment.
7.3.2 Media Virtual Service
7.4 Virtual Server Resources
7.4.1 HTTP Virtual Server
The following shows the default load balancing pool associated with the HTTPS virtual server, which was defined earlier. Note that this is the insecure pool defined earlier.
7.4.2 Media Virtual Server
The following screenshot shows the configured load balancing pool associated with the media virtual server, which was defined earlier.
Access to application URIs can be restricted by defining an F5 iRule associated with the virtual server.
Define an iRule (e.g. named FusionHttpsUriRule) that will restrict access to specific URIs by only allowing those in pre-defined Data Group Lists.
For simplicity, the Data Group Lists must only contain the URIs that web clients are allowed to access. Websocket URIs must be explicitly defined in the iRule itself.
In order to separate the URIs on a per-application basis, the configuration described below defines a Data Group List for each application, together with a list for the URIs associated with some sample applications:
When configuring the URI Data Group Lists, they must be entered as String-Value pairs. The sections below show the URIs within each of the groups defined above.
Note: The URIs may differ from those used in the enterprise's environment, and therefore may need updating appropriately.
Note: The URIs relating to the Websocket connections MUST NOT be in these lists.
Note: The Javascript URIs are only relevant for browser clients.
8.1 Application URIs
8.1.1 Fusion Web Gateway URIs
String                     Value
/gateway/adapter.js        /gateway/adapter.js
/gateway/csdk-aed.js       /gateway/csdk-aed.js
/gateway/csdk-common.js    /gateway/csdk-common.js
/gateway/csdk-phone.js     /gateway/csdk-phone.js
/gateway/csdk-presence.js  /gateway/csdk-presence.js
/gateway/csdk-sdk.js       /gateway/csdk-sdk.js
8.1.2 Fusion Palettes Admin URIs
String                                  Value
/palettes_admin/rickshaw.min.css        /palettes_admin/rickshaw.min.css
/palettes_admin/style.css               /palettes_admin/style.css
/palettes_admin/images/fusion-logo.png  /palettes_admin/images/fusion-logo.png
/palettes_admin/vendor/d3.min.js        /palettes_admin/vendor/d3.min.js
/palettes_admin/rickshaw.min.js         /palettes_admin/rickshaw.min.js
/palettes_admin/admin.js                /palettes_admin/admin.js
/palettes_server/adminapi/alerts        /palettes_server/adminapi/alerts
8.1.3 Fusion Live Assist Server URIs
String          Value
/assistserver/  /assistserver/
8.1.4 Fusion Sample Application URIs
String                          Value
/basic_ivrb_sample_client_js/   /basic_ivrb_sample_client_js/
/dummy_callcenter_adapter/      /dummy_callcenter_adapter/
/dummy_callcenter/              /dummy_callcenter/
/csdk-sample/                   /csdk-sample/
/assist-agent-console/          /assist-agent-console/
/assistsample/                  /assistsample/
/assist-resourcemanager/        /assist-resourcemanager/
Note: The Palettes adapter component is accessed directly by the client and is therefore required to be added to the list of URIs managed by the reverse proxy.
8.2 Websocket URIs
Only FCSDK and Live Assist utilise Websockets for call control and screen-share functionality; their URIs are listed below:
Application  Websocket URI
FCSDK        /gateway/websocketcall
Live Assist  /assistserver/share
8.3 The iRule
The code below shows the iRule used to restrict access to URIs using the Data Group Lists defined above, while also showing how to allow Websockets access.
Note: The URIs relating to the Websocket connections for FCSDK and Live Assist MUST be explicitly defined in the iRule.
when CLIENT_ACCEPTED {
    HTTP::enable
    log local0. "http profile enabled"
}
when HTTP_REQUEST {
    log local0. "URI --- [HTTP::uri]"
    # Only allow the following URIs
    if { ([HTTP::uri] starts_with "/gateway/websocketcall") } {
        # Websocket: turn the HTTP profile off so the TCP stream is proxied through
        log local0. "http profile - disabled"
        HTTP::disable
    } elseif { ([HTTP::uri] starts_with "/assistserver/share") } {
        log local0. "http profile - disabled"
        HTTP::disable
    } elseif { ([HTTP::uri] starts_with "/assistserver/topic") } {
        log local0. "http profile - disabled"
        HTTP::disable
    } elseif { ([HTTP::uri] equals "/csdk-sample")
        || ([HTTP::uri] equals "/palettes_admin")
        || ([HTTP::uri] equals "/basic_ivrb_sample_client_js")
        || ([HTTP::uri] equals "/assistsample")
        || ([HTTP::uri] equals "/assist-agent-console") } {
        # Change it to end with '/'
        HTTP::redirect "[HTTP::uri]/"
    } elseif { ([class match [HTTP::uri] starts_with FusionGatewayUris])
        || ([class match [HTTP::uri] starts_with FusionPalettesAdminUris])
        || ([class match [HTTP::uri] starts_with FusionLiveAssist1.2ServerUris])
        || ([class match [HTTP::uri] starts_with FusionSampleAppUris])
        || ([HTTP::uri] equals "/palettes_server/palettes?serviceID=basicivrbsamplerules") } {
        # Leave HTTP profile enabled and pass traffic through
        log local0. "Passing it through"
    } else {
        # Any other URI is rejected so the request never reaches the back end pool
        log local0. "Rejecting [HTTP::uri]"
        reject
    }
}
This iRule will drop any requests to any URI outside of the defined Data Group Lists.
This iRule should be associated with the virtual server as shown earlier. The SSL offloading process will decrypt requests from clients and apply this iRule, allowing or rejecting access to the back end servers.
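The following Python model, added here and not part of the CafX guide or of F5's iRule language, walks the FusionHttpsUriRule branches in the same order against the Data Group Lists from section 8.1, so a proposed URI list can be checked for allow, redirect, Websocket bypass or reject outcomes before the iRule is deployed. The data-group contents are a constructed subset of section 8.1, /assistserver/topic is included because the iRule names it, and the action labels are this model's own.

```python
# Data Group List contents from section 8.1 (a constructed subset of each list).
DATA_GROUPS = {
    "FusionGatewayUris": ["/gateway/adapter.js", "/gateway/csdk-sdk.js"],
    "FusionPalettesAdminUris": ["/palettes_admin/admin.js",
                                "/palettes_server/adminapi/alerts"],
    "FusionLiveAssist1.2ServerUris": ["/assistserver/"],
    "FusionSampleAppUris": ["/csdk-sample/", "/assistsample/",
                            "/assist-agent-console/"],
}
# Section 8.2 Websocket URIs, plus /assistserver/topic which the iRule also names.
WEBSOCKET_PREFIXES = ("/gateway/websocketcall", "/assistserver/share",
                      "/assistserver/topic")
# Bare application roots the iRule redirects to their trailing-slash form.
REDIRECT_EXACT = {"/csdk-sample", "/palettes_admin",
                  "/basic_ivrb_sample_client_js", "/assistsample",
                  "/assist-agent-console"}
# The one exact-match URI allowed outside the Data Group Lists.
EXACT_ALLOW = {"/palettes_server/palettes?serviceID=basicivrbsamplerules"}

def class_match_starts_with(uri, group):
    """Model of `class match [HTTP::uri] starts_with <group>`: any entry is a prefix."""
    return any(uri.startswith(entry) for entry in DATA_GROUPS[group])

def decide(uri):
    """Walk the iRule branches in order and return (action, detail).

    HTTP::uri includes the query string, so matching is done against the full
    request target exactly as the iRule sees it."""
    if uri.startswith(WEBSOCKET_PREFIXES):
        return ("http-disable", None)   # checked first, so it wins over the groups
    if uri in REDIRECT_EXACT:
        return ("redirect", uri + "/")  # HTTP::redirect "[HTTP::uri]/"
    if any(class_match_starts_with(uri, g) for g in DATA_GROUPS) or uri in EXACT_ALLOW:
        return ("allow", None)          # HTTP profile stays on; passed to the pool
    return ("reject", None)             # everything else never reaches the pool

def evaluate(uris):
    """Tabulate the decision for each URI, for reviewing a proposed allow list."""
    return {uri: decide(uri) for uri in uris}
```

Because the websocket branches come first, /assistserver/share bypasses the HTTP profile even though /assistserver/ is also a Data Group List prefix, and a query string on an allowed URI still passes since the match is a prefix match.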
NOTE: An open F5 issue, SOL12938, states that calling the 'HTTP::disable' function from within an iRule may result in a TMM core. However, this issue occurs only when ALL of the following conditions are met:
1.
2.
3.
Note that the configuration described within this document does NOT meet the required conditions for this issue to be relevant in this deployment.
Although 'HTTP::disable' has been invoked in the iRule, the default HTTP profile used when defining the HTTPS Virtual Server has its OneConnect property enabled but the RAM Cache disabled.
F5 has been tested with the OneConnect property both enabled and disabled, without any change in application behaviour.
Contact information
For technical support or other queries, contact CafX Communications Support at:
support@cafex.com
For our worldwide corporate office addresses, please visit:
http://www.cafex.com