
F5 LTM – Page won’t load on a Sharepoint site

Prashant Bharadwaj 4/9/2014

About Wipro Ltd.
Wipro Ltd. (NYSE:WIT) is a leading Information Technology, Consulting and Outsourcing company that delivers solutions to enable its clients to do business better. Wipro
delivers winning business outcomes through its deep industry experience and a 360 degree view of "Business through Technology" - helping clients create successful and
adaptive businesses. A company recognized globally for its comprehensive portfolio of services, a practitioner's approach to delivering innovation, and an organization wide
commitment to sustainability, Wipro has a workforce of 140,000 serving clients across 61 countries. For more information, please visit www.wipro.com
Problem Statement
When a SharePoint site published through an F5 LTM virtual server is
accessed via the virtual server's IP (VIP), the page does not load (refer Fig 1).

Fig 1. Site fails to load
Symptoms
• The issue is observed only when the virtual server type is
Standard (full proxy). A Performance (Layer 4) virtual server, which
passes the TLS session through to the pool member untouched, does
not show it.
• A PCAP taken on the client shows an RST from the F5 VIP. A PCAP
taken on the F5 shows the RST originating from the SharePoint pool
member on the server-side connection.
• ssldump shows the server-side handshake failing immediately after
the F5 (acting as the TLS client towards SharePoint) sends its
Certificate message in answer to the server's CertificateRequest
(refer Fig 2).

Fig 2. SSL Handshake failure from SSLdump
• The behavior appears only when a Server SSL profile is attached to
the SharePoint virtual server, i.e. when the F5 re-encrypts traffic to
the pool members.
Diagnostic Guide
• Initiate a request from a client. Capture packets on the client
PC and on the F5 simultaneously. The capture should record all
events until the client shows the page connection failure in Fig 1.
• Use Wireshark or Microsoft Network Monitor to capture packets on
the client.
• To capture packets on the F5, use the following syntax (a single
command line; quote the filter so the shell does not interpret the
parentheses):
tcpdump -s0 -nni 0.0:nnnp "host <VirtualServerIP> or (host <Internal-interface-Self-IP-of-F5> and (host <IP-of-pool-member1> or host <IP-of-pool-member2>))" -w f5-capture.pcap
-s0 Capture the entire packet
-nn Disable both name and service port resolution
-i 0.0:nnnp Capture on all interfaces; the :nnn modifier adds TMM
metadata to each frame and the :p modifier also captures the peer
(server-side) flow of the proxied connection, so the client-side and
pool-member-side packets of one session land in the same file
• The capture will contain TLS records. Wireshark cannot decrypt them
without the server's private key; ssldump, which ships on the BIG-IP,
can decrypt them once it is given that key. Note that private-key
decryption only works for cipher suites that use RSA key exchange;
if the Server SSL profile negotiates DHE or ECDHE suites, restrict
the profile's cipher list to RSA key exchange for the duration of the
troubleshooting, then restore it.
• To decrypt the server-side traffic you need the private key of the
SharePoint server certificate. If you have a PFX or PVK export of it,
OpenSSL converts it to an unencrypted PEM key:
PFX to PEM (-nocerts writes only the key; omit it if you also want the
certificate chain in the output)
openssl pkcs12 -in keybundle.pfx -nodes -nocerts -out privatekey.pem
PVK to PEM
openssl rsa -inform pvk -in microsoftkey.pvk -outform pem -out privatekey.pem
The PEM file is the SharePoint server's unprotected identity: keep it
in a restricted location and delete it from the BIG-IP when the
analysis is done.
• To decrypt the PCAP taken on the F5:
ssldump -Aed -nr f5-capture.pcap -k privatekey.pem
-A Print all record fields
-e Print absolute timestamps
-d Display the application data
-n Suppress hostname resolution
-r Read packets from a capture file
-k Private key (PEM) used to decrypt the session
Cause
IIS on the SharePoint server is configured to require client
certificates. With a Standard virtual server the BIG-IP is a full
proxy: it terminates the browser's TLS session and opens a second TLS
session to the pool member, so IIS sees the BIG-IP, not the browser,
as the TLS client. When IIS sends a CertificateRequest, the Server SSL
profile answers with either no certificate (the profile default) or a
server certificate that lacks the Client Authentication extended key
usage (OID 1.3.6.1.5.5.7.3.2). IIS rejects it as not being a valid
client certificate and resets the connection to the BIG-IP, which then
resets the client-side connection, producing the RST seen in the
client capture.

Solution
This issue has two solutions: either relax the client certificate
requirement on the SharePoint server, or issue a client certificate to
the F5 and use it in the Server SSL profile of the SharePoint virtual
server. The second option keeps mutual authentication on the
server-side connection and is preferable wherever the client
certificate requirement exists for a reason.
To relax the requirement on the SharePoint server, open the SSL
Settings of the site in IIS Manager and change Client certificates
from Require to Ignore or Accept, as in Fig 3. Require SSL itself can
stay checked, since the Server SSL profile still encrypts traffic to
the pool member. Be aware that this removes the server's ability to
verify who is connecting to it, so restrict the SharePoint web tier to
accept connections only from the BIG-IP self IPs if you take this
route.

Fig 3. Client Certificate Settings on IIS
To use a client certificate, request one for the F5 from your CA. The
certificate must carry the Client Authentication extended key usage;
public CAs generally do not issue client certificates for this
purpose, so an internal (enterprise) CA is recommended, and it is also
cost effective. Make sure the issuing CA is trusted by the SharePoint
server as well, otherwise IIS rejects the certificate for a different
reason. On the F5, import the certificate and key, create a new Server
SSL profile that references them, and attach the new profile to the
SharePoint virtual server in place of the old one.
"Requesting a certificate from a local certification authority" -
http://technet.microsoft.com/en-us/library/cc995096.aspx
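The diagnosis above, the PFX-to-PEM step in the Diagnostic Guide and the certificate request all turn on what a certificate's extended key usage says and on getting the key into PEM form. The following shell script is an added example written for this edit, not code from the Wipro note, F5 or Microsoft. It builds two self-signed certificates locally (one with only Server Authentication, one that also has Client Authentication), shows which of the two IIS would accept as a client certificate, then packs the usable one into a PFX the way a Windows CA hands it over and recovers the key with the same openssl pkcs12 invocation the note uses. The function names, the CN suffix sp.example.internal, the file names and the password changeit are assumptions of the demo.

```shell
#!/bin/sh
# Added example (not part of the Wipro note): constructed certificates
# are generated here so the script runs offline. Names, CNs and the
# PFX password are assumptions for the demo.
set -eu
WORK=$(mktemp -d)

# make_cert NAME EKU: self-signed certificate and key with the given
# extendedKeyUsage, written to $WORK/NAME.crt.pem and $WORK/NAME.key.pem
make_cert() {
  _name=$1; _eku=$2
  cat > "$WORK/$_name.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = $_name.sp.example.internal
[ext]
extendedKeyUsage = $_eku
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
    -config "$WORK/$_name.cnf" \
    -keyout "$WORK/$_name.key.pem" -out "$WORK/$_name.crt.pem" \
    >/dev/null 2>&1
}

# has_client_auth CERT.pem: succeeds only if the certificate carries the
# Client Authentication EKU (id-kp-clientAuth, 1.3.6.1.5.5.7.3.2), which
# IIS requires before it accepts a certificate as a client certificate
has_client_auth() {
  openssl x509 -in "$1" -noout -text \
    | grep -q 'TLS Web Client Authentication'
}

# pfx_to_pem BUNDLE.pfx PASSWORD OUT.pem: extract only the private key,
# unencrypted (-nodes), the form ssldump -k and the BIG-IP key import take
pfx_to_pem() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nodes -nocerts -out "$3" \
    >/dev/null 2>&1
}

# key_modulus KEY.pem: RSA modulus, used to prove two PEM files hold the
# same key without printing the key material itself
key_modulus() {
  openssl rsa -in "$1" -noout -modulus 2>/dev/null
}

# --- demo run ---------------------------------------------------------
make_cert server serverAuth                 # typical server certificate
make_cert f5client "clientAuth,serverAuth"  # what the F5 needs towards IIS

for c in server f5client; do
  if has_client_auth "$WORK/$c.crt.pem"; then
    echo "$c: has clientAuth EKU, IIS accepts it as a client certificate"
  else
    echo "$c: no clientAuth EKU, IIS 'Require' resets the connection"
  fi
done

# export the usable certificate as a PFX, recover the key as PEM and
# confirm the same RSA key came back out
openssl pkcs12 -export -inkey "$WORK/f5client.key.pem" \
  -in "$WORK/f5client.crt.pem" -out "$WORK/f5client.pfx" \
  -passout pass:changeit
pfx_to_pem "$WORK/f5client.pfx" changeit "$WORK/f5client.recovered.pem"
if [ "$(key_modulus "$WORK/f5client.key.pem")" = \
     "$(key_modulus "$WORK/f5client.recovered.pem")" ]; then
  echo "PFX -> PEM round trip: same RSA key recovered"
fi
```

Before importing the CA-issued certificate into the BIG-IP, run the same check against it (openssl x509 -in f5-client.crt -noout -text | grep -A1 'Extended Key Usage'); a certificate listing only TLS Web Server Authentication reproduces the fault in the Cause section. On BIG-IP v11 and later the import and profile creation can also be done from tmsh, assuming the files were copied to /var/tmp and the object name f5-client is chosen here: tmsh install sys crypto cert f5-client from-local-file /var/tmp/f5-client.crt, tmsh install sys crypto key f5-client from-local-file /var/tmp/f5-client.key, then tmsh create ltm profile server-ssl sp_serverssl defaults-from serverssl cert f5-client.crt key f5-client.key.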
Creating a custom Server SSL profile
A Server SSL profile enables the BIG-IP system to perform
decryption and encryption for server-side SSL traffic.
1. On the Main tab, click Local
Traffic > Profiles > SSL > Server. The SSL Server
profile list screen opens.
2. Click Create. The New Server SSL Profile screen
opens.
3. In the Name field, type a name for the
profile. Names must begin with a letter, and can
contain only letters, numbers, and the underscore
(_) character.
4. Select serverssl in the Parent Profile list.
5. From the Configuration list, select Advanced. This
selection allows you to modify additional default
settings.
6. Select the Custom check box for Configuration. The
settings in the Configuration area become available
for configuring.
7. Select the Custom check box for Server
Authentication. The settings in the Server
Authentication area become available for
configuring.
8. In the Configuration area, select the imported client certificate
in the Certificate list and its key in the Key list (and the issuing
chain in the Chain list if the CA is an intermediate). Leave the
Server Authentication settings at their defaults unless you also want
the BIG-IP to verify the SharePoint server certificate.
9. Click Finished.
The custom Server SSL profile is listed in
the Profiles:SSL:Server list.