About Wipro Ltd.

Wipro Ltd. (NYSE:WIT) is a leading Information Technology, Consulting and Outsourcing company that delivers solutions to enable its clients to do business better. Wipro delivers winning business outcomes through its deep industry experience and a 360 degree view of "Business through Technology" - helping clients create successful and adaptive businesses. A company recognized globally for its comprehensive portfolio of services, a practitioner's approach to delivering innovation, and an organization wide commitment to sustainability, Wipro has a workforce of 140,000 serving clients across 61 countries. For more information, please visit www.wipro.com

Problem Statement

When a SharePoint site hosted behind F5 is accessed through the F5 virtual server IP (VIP), the page does not load (refer Fig 1).
Fig 1. Site fails to load

Symptoms

The issue is observed only when the virtual server type is set to Standard. A packet capture (PCAP) on the client shows a RST packet arriving from F5. A PCAP taken on F5 shows that the RST originates from the SharePoint pool members. SSLDump shows the SSL handshake failing immediately after the client-side certificate is presented (refer Fig 2).
Fig 2. SSL handshake failure from SSLDump

This behavior is seen when a Server SSL profile is mapped to the SharePoint virtual server.

Diagnostic Guide

Initiate a request from a client. Capture packets on the client PC and on F5 simultaneously. The capture should record all events until the client shows the page connection failure in Fig 1. Use Wireshark or Microsoft Network Analyzer to capture packets on the client.

To capture packets on F5, use the following syntax (the filter is quoted so the shell does not interpret the parentheses):

tcpdump -s0 -nni 0.0:nnnp "host <VirtualServerIP> or (host <Internal-interface-Self-IP-of-F5> and (host <IP-of-pool-member1> or host <IP-of-pool-member2>))" -w f5-capture.pcap

-s0           Capture the entire packet
-nn           Disable both name and service port resolution
-i 0.0:nnnp   Capture L2 to L7 traffic through all interfaces

The packet capture will contain TLS packets, which Wireshark will not decrypt. To decrypt them, use SSLDump, which is readily available on F5. Decryption requires the SharePoint server's private key (and only works for sessions negotiated with RSA key exchange; ephemeral Diffie-Hellman cipher suites cannot be decrypted from the private key alone). If you have a PFX or PVK file from SharePoint, OpenSSL can extract the private key in PEM format:

PFX to PEM
openssl pkcs12 -in keybundle.pfx -nocerts -nodes -out privatekey.pem

PVK to PEM
openssl rsa -inform pvk -in microsoftkey.pvk -outform pem -out privatekey.pem

To use SSLDump with the PCAP from F5:

ssldump -Aed -nr capture.pcap -k privatekey.pem

-Aed   Print all record fields of the data traffic with absolute timestamps
-n     Suppress hostname resolution
-r     Read from a capture file
-k     Private key file used for decryption

Cause

The SharePoint server requires a client certificate from F5. The certificate in F5's Server SSL profile does not carry the client-authentication key usage, so F5 presents an ordinary server SSL certificate to SharePoint. SharePoint rejects it because it is not a client certificate and terminates the connection by sending a RST packet to F5.
Solution

This issue has two solutions: either relax the certificate requirement on the SharePoint server, or issue a client certificate to F5 and use it in the Server SSL profile of the SharePoint virtual server.

To relax the certificate requirement on the SharePoint server, change the Client Certificates setting of IIS as shown in Fig 3. SSL can be set to Required or left unchecked.

F5 LTM: Page won't load on a SharePoint site
Prashant Bharadwaj 4/9/2014
Fig 3. Client Certificate Settings on IIS

To use a client certificate, request your CA to issue a client certificate for F5. Please note that external CAs may not issue client certificates; it is recommended to obtain one from an internal CA, which is also cost effective. In F5, create a new Server SSL profile with the issued client certificate, and use the new Server SSL profile on the SharePoint virtual server.

Requesting a certificate from a local certification authority: http://technet.microsoft.com/en-us/library/cc995096.aspx

Creating a custom Server SSL profile

A Server SSL profile enables the BIG-IP system to perform decryption and encryption for server-side SSL traffic.

1. On the Main tab, click Local Traffic > Profiles > SSL > Server. The SSL Server profile list screen opens.
2. Click Create. The New Server SSL Profile screen opens.
3. In the Name field, type a name for the profile. Names must begin with a letter, and can contain only letters, numbers, and the underscore (_) character.
4. Select serverssl in the Parent Profile list.
5. From the Configuration list, select Advanced. This selection allows you to modify additional default settings.
6. Select the Custom check box for Configuration. The settings in the Configuration area become available for configuring.
7. Select the Custom check box for Server Authentication. The settings in the Server Authentication area become available for configuring.
8. Modify the settings, as required.
9. Click Finished. The custom Server SSL profile is listed in the Profiles:SSL:Server list.
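As an added check that is not part of the original document, the following POSIX shell snippet tells you, before you attach a certificate to the new Server SSL profile, whether it carries the TLS Web Client Authentication extended key usage whose absence is the root cause described above. It assumes openssl 1.1.1 or later is on PATH; the helper names (eku_check, make_test_cert, demo) and the two throwaway self-signed certificates are constructed for this demonstration.

```shell
#!/bin/sh
# Added example, not from the original document. Checks whether a PEM
# certificate carries the "TLS Web Client Authentication" extended key
# usage (EKU) that SharePoint requires from the certificate F5 presents
# on the server-side connection. Assumes openssl 1.1.1+ is on PATH.

# eku_check <cert.pem>: prints one of
#   client-auth-ok   EKU present and includes TLS Web Client Authentication
#   eku-no-client    EKU present but without client authentication
#   no-eku           certificate has no EKU extension at all
#   unreadable       file missing or not a PEM certificate
# Returns 0 only for client-auth-ok, so it can be used directly in an if-test.
eku_check() {
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || {
        echo unreadable; return 1; }
    case "$text" in
        *"TLS Web Client Authentication"*) echo client-auth-ok; return 0 ;;
        *"Extended Key Usage"*)            echo eku-no-client;  return 1 ;;
        *)                                 echo no-eku;         return 1 ;;
    esac
}

# make_test_cert <prefix> <eku-list>: constructed throwaway self-signed
# certificate and key, for demonstration only (hypothetical helper).
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=f5-eku-demo" -addext "extendedKeyUsage=$2" \
        -keyout "$1.key" -out "$1.pem" >/dev/null 2>&1
}

# demo: a server-only certificate (the situation described under Cause)
# next to a proper client certificate (the fix described under Solution).
demo() {
    dir=$(mktemp -d)
    make_test_cert "$dir/server" serverAuth
    make_test_cert "$dir/client" clientAuth
    echo "server cert: $(eku_check "$dir/server.pem")"   # eku-no-client
    echo "client cert: $(eku_check "$dir/client.pem")"   # client-auth-ok
    rm -rf "$dir"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh eku_check.sh demo` to see both outcomes, or call eku_check on the certificate you intend to load into the Server SSL profile.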