SharePoint SSL Offloading with Alternate Access Mapping


I have a SharePoint 2010 Server Farm with 1 App server and 2 Front End servers. We are using the KEMP Load Balancer to offload SSL requests that come from outside the network. We are having trouble configuring the architecture to respond to External SSL requests with the appropriate protocol. Specifically, when a user enters the external address https://myserver.myorg.org/ without specifying the page, SharePoint responds with a 302 response. The 302 response generated by SharePoint redirects the user to http://myserver.myorg.org/default.aspx which cannot be reached from the outside since it is not https.

The Alternate Access Entries in SharePoint are as follows:

Internal URL -- Zone -- Public URL for Zone
http://myserver.myOrg.org -- Default -- http://myserver.myorg.org
https://myserver.myOrg.org -- Internet -- https://myserver.myorg.org
http://share -- Internet -- https://myserver.myorg.org

I've extended the default web application and initialized the extended web application using http://share as the header and https://myserver.myOrg.org as the public URL. When I browse to http://share from inside the network (bypassing the Kemp Load Balancer) the SharePoint server responds with an "https" address which leads me to believe that the Alternate Access Mappings are performing correctly. When I access the site from outside the network and through the Kemp Load Balancer, the request seems to be routed to the default web application which responds with an "http" redirect address, rather than the extended Web Application which would respond with an "https" redirect address.

Any suggestions as to how this should be configured?

Thanks,

5 comments

James Rago -- K360 Technical Product Manager Official comment

I was thinking about this problem a bit more and came up with a solution. Rather than using the HTTPS Rewrite feature, try using the HTTP Header Modification instead. This basically does the same thing, but the HTTP Header Modification is done on EACH request and response (not just the first). The rule looks like so:

Rule Type: Replace Header
Header Field: Location
Match String: ^http://(.*)
Value to replace: https://\1

This rule should be applied to responses from the server.
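
The Replace Header rule above, simulated in Python as an added example (not part of the original thread and not KEMP's implementation). The match string is written as the regular expression `^http://(.*)`, and the sample responses, including the `/_layouts/` path, are constructed.

```python
import re

# The rule from the comment above: Match String and Value to replace.
MATCH = re.compile(r"^http://(.*)")
REPLACE = r"https://\1"


def rewrite_location(headers):
    """Apply the Replace Header rule to one server response's headers.

    Only the Location header is changed; header names are case-insensitive.
    """
    out = {}
    for name, value in headers.items():
        if name.lower() == "location":
            value = MATCH.sub(REPLACE, value, count=1)
        out[name] = value
    return out


def downgrading_redirects(responses):
    """Return (status, Location) for redirects that point an HTTPS client at plain HTTP."""
    hits = []
    for status, headers in responses:
        loc = next((v for k, v in headers.items() if k.lower() == "location"), None)
        if 300 <= status < 400 and loc and MATCH.match(loc):
            hits.append((status, loc))
    return hits


# Constructed sample responses, as the real servers would send them to the load balancer.
SAMPLE = [
    (302, {"Location": "http://myserver.myorg.org/default.aspx"}),   # redirect from the question
    (302, {"location": "https://myserver.myorg.org/default.aspx"}),  # already https, unchanged
    (302, {"Location": "/_layouts/viewlsts.aspx"}),                   # relative, unchanged
    (200, {"Content-Type": "text/html"}),                             # no Location header
]

if __name__ == "__main__":
    print("before rewrite:", downgrading_redirects(SAMPLE))
    rewritten = [(status, rewrite_location(headers)) for status, headers in SAMPLE]
    for status, headers in rewritten:
        print(status, headers)
    print("after rewrite:", downgrading_redirects(rewritten))
```

The pattern matches any `Location` value that starts with `http://`, so redirects to other hosts are rewritten to `https://` as well.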

James Rago -- K360 Technical Product Manager

It sounds like you could probably benefit by using our Rewrite Rules. If you change this setting (found under 'SSL Properties') to HTTPS, we will rewrite HTTP to HTTPS in all 301 and 302 responses. This should prevent users from being directed to http://myserver.myorg.org/default.aspx — Let me know if this setting helps.

John Smith

Thanks for the quick response! With the Rewrite Rules in place, and keep-alive disabled, I was able to get access to the site from systems external to the network. The unfortunate part of this is having to disable keep-alive as it forces me to use Basic Authentication. For users on the inside of the network who are not connecting with SSL, Office applications cannot communicate with the SharePoint server.

James Rago -- K360 Technical Product Manager

I see. I'm glad it's working. If you're looking for a more ideal solution, I'd look into correcting your servers' behavior and sending the correct redirect URLs. That way, LoadMaster won't need to do the Rewrite Rules and you can turn on Keep-Alives and not need to use Basic Authentication.

John Smith

Excellent suggestion! Works great!