Hi Baptiste,

So you do layer 7 mode http? Would you be able to give me a copy of the config whichever works for you?
I'm happy to give that a shot tonight, Australia time... And I'll get back to you.

In terms of netscaler, I have a clustered pair that I created a virtual server on in tcp mode, balancing port 443 to the NLB IP of the CAS servers - it's doing essentially the same thing as the haproxy server is supposed to be doing...

Ta,
Leo

Sent from my iPad

> On 20 Sep 2013, at 3:35 pm, Baptiste <[email protected]> wrote:
>
> Hi Leo,
>
> I have a lab with a slightly different configuration than yours.
> In my lab, HAProxy deciphers the traffic, logs everything then reciphers
> the traffic to the server. Like a man in the middle.
> I have a round robin algorithm + no session persistence + option
> http-server-close.
>
> I ran the same test as yours.
>
> From my lab platform, I can see those URLs requested, in front the
> server that was used:
> exch1: "POST /ecp/DDI/DDIService.svc/SetObject?schema=PasswordService&msExchEcpCanary=<SOME BLAH BLAH HERE> HTTP/1.1"
> exch2: "GET /ecp/PersonalSettings/logoff.aspx?src=exch HTTP/1.1"
> exch1: "GET /owa/logoff.owa HTTP/1.1"
> exch2: "GET /owa/auth/logon.aspx?url=https%3a%2f%2fmail.2013.haproxylab.net%2fowa%2flogoff.owa&reason=0 HTTP/1.1"
>
> so sounds normal I'm logged out after a password update: application design.
>
> That said, your configuration should not produce this effect, since
> all your requests are routed to a single server.
> Another point: my password has been changed, but now I can't change
> it anymore due to a password policy issue (whatever I type in, it says
> my password is too weak)...
>
> I'll investigate on this in my platform and keep you updated.
>
> Can you tell us exactly how your NetScaler is configured and works
> with exchange 2013?
>
> Baptiste
>
>
>> On Fri, Sep 20, 2013 at 3:56 AM, Leo Raikhman <[email protected]> wrote:
>> Hi all,
>>
>> I have haproxy 1.5dev19 running in TCP mode in front of my Exchange 2013 CAS
>> servers. My config is appended.
>>
>> It seems that haproxy can't handle the outlook web access redirect. When I
>> log into OWA 2013, internally, and externally, everything is fine.
>>
>> When I click on the "Options" or "Change Password" item on the OWA menu the
>> URL changes from https://email.company.com/owa to
>> https://email.company.com/owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2femail.company.com%2fecp%2f%3frfr%3dowa%26owaparam%3dmodurl%253D0%26p%3daccount
>> and drops me into the Exchange 2013 login page again, except I can't login.
>>
>> This does not happen internally, or when I load balance the CAS servers
>> behind a Citrix NetScaler. Is there something I'm missing? Does haproxy have
>> a character limit on URLs in TCP mode? Can it not decode the URL encoding of
>> those characters?
>>
>> Please help...
>>
>> Config:
>>
>> defaults
>>     option dontlognull
>>     option redispatch
>>     option contstats
>>     retries 3
>>     timeout connect 5s
>>     timeout http-keep-alive 1s
>>     timeout http-request 15s
>>     timeout queue 30s
>>     timeout tarpit 1m
>>     backlog 10000
>>
>>     balance roundrobin
>>     mode tcp
>>     option tcplog
>>     log global
>>     timeout client 300s
>>     timeout server 300s
>>     default-server inter 3s rise 2 fall 3
>>
>> frontend ft_exchange_tcp
>>     bind 10.0.0.9:443 name https
>>     maxconn 10000
>>     default_backend bk_exchange_tcp
>>
>> backend bk_exchange_tcp
>>     stick-table type ip size 10240k expire 60m
>>     stick on src
>>     option redispatch
>>     option abortonclose
>>     balance leastconn
>>     server cas1 10.0.0.15:443 maxconn 10000 check
>>     server cas2 10.0.0.16:443 maxconn 10000 check
>>
>> --
>> Leo Raikhman
>> VMware ESX/Storage Consultant
>> Ph: 0404943618
>> Email: [email protected]
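
Added example, not part of the original thread and not Baptiste's actual lab configuration: a sketch of the layer 7 setup he describes (HAProxy deciphers, logs, then reciphers to the servers; round robin, no session persistence, option http-server-close), reusing the addresses from Leo's config. The section names, syslog target, and certificate and CA file paths are assumptions, and it assumes an HAProxy 1.5 build with SSL support.

```haproxy
# Added example: TLS bridging in HTTP mode (illustrative, not the lab config).
global
    log 127.0.0.1 local0          # assumption: local syslog listener

defaults
    mode http
    log global
    option httplog                # logs each request line, like the lab output quoted above
    option dontlognull
    option http-server-close      # each request is balanced on its own
    retries 3
    timeout connect 5s
    timeout http-request 15s
    timeout client 300s
    timeout server 300s
    default-server inter 3s rise 2 fall 3

frontend ft_exchange_http
    # "ssl crt" makes HAProxy terminate TLS, so it can read URLs and headers.
    # Placeholder path: PEM file holding the certificate and its private key.
    bind 10.0.0.9:443 name https ssl crt /etc/haproxy/certs/mail.pem
    default_backend bk_exchange_http

backend bk_exchange_http
    balance roundrobin            # no stick-table: no session persistence
    # Re-encrypt towards the CAS servers and verify their certificates
    # against an internal CA (placeholder path) rather than using "verify none".
    server cas1 10.0.0.15:443 ssl verify required ca-file /etc/haproxy/certs/internal-ca.pem check
    server cas2 10.0.0.16:443 ssl verify required ca-file /etc/haproxy/certs/internal-ca.pem check
```

In the TCP-mode config quoted above, the bind line carries no ssl keyword, so HAProxy relays the TLS stream as opaque bytes and never sees the request URLs; the private key in this variant lives on the proxy and needs the same protection as on the CAS servers.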

