AutoSPInstaller
SSL Offloading and LB with AutoSPInstaller
Hello,
The SSL Offloading subject has already been discussed previously here, but I am confronted with the same situation, and I think this additional information may be interesting to discuss.
As mongey said in previous thread, usually with SSL offloading, the SharePoint Web Application is fully configured as HTTP, and the Load Balancer changes the URL to HTTPS.
But in this case, links in SharePoint content will be HTTP, not HTTPS. And if some reverse proxies can replace HTTP links to HTTP, many load balancers can't (Radware Alteon, I think, for example).
We can still configure systematic HTTP to HTTPS redirection on LB, but technically, that's not a panacea, just a workaround with much useless redirection traffic.
As far as I know, the only "clean" solution to avoid this problem is to have this in SharePoint AAM :
- https://my.application.com as public URL
- http://my.application.com as internal URL
Even if it may seem weird, it works : SharePoint redirects user to HTTPS at first connection to HTTP, and all links in content will be HTTPS.
Unluckily, this case isn't managed by AutoSPInstaller today (with 3.99.60). The only workaround I've found is to create webapp on HTTP 80, and then make this change in AAM in GUI.
And even in this case, I wasn't able to use AutoSPInstaller later to re-create UserProfile, because it has crashed trying to re-create MySite Host site collection. I've made the customization to avoid that problem (in attachment).
A last word : many many thanks for this wonderful tool and the time it has made me save !! :)
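The AAM change described in the post above, scripted instead of made in the GUI. This is an added example, not part of AutoSPInstaller or of the poster's attachment; it assumes the web application already exists on HTTP port 80 under the host name used in the post and that the Default zone is the one published through the load balancer.

```powershell
# Added example (not AutoSPInstaller code). Run in an elevated SharePoint
# Management Shell on a farm server, after the web application exists on HTTP 80.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Assumptions: host name taken from the post, Default zone, lookup by URL.
$internalUrl = 'http://my.application.com'    # what the WFEs receive from the LB
$publicUrl   = 'https://my.application.com'   # what users see in the browser
$zone        = 'Default'

# Resolve the web application before its public URL changes.
$webApp = Get-SPWebApplication -Identity $internalUrl -ErrorAction Stop

# Step 1: switch the zone's public URL from HTTP to HTTPS (skipped if already done).
$entries = Get-SPAlternateURL -WebApplication $webApp -Zone $zone
if (-not ($entries | Where-Object { $_.IncomingUrl -eq $publicUrl })) {
    Set-SPAlternateURL -Identity $internalUrl -Url $publicUrl
}

# Step 2: add the HTTP URL back as an internal URL of the same zone, so that
# requests forwarded by the load balancer over HTTP map to the HTTPS public URL.
$entries = Get-SPAlternateURL -WebApplication $webApp -Zone $zone
if (-not ($entries | Where-Object { $_.IncomingUrl -eq $internalUrl })) {
    New-SPAlternateURL -Url $internalUrl -WebApplication $webApp -Zone $zone -Internal
}

# Show the resulting mappings: both entries should list the HTTPS public URL.
Get-SPAlternateURL -WebApplication $webApp
```

With this mapping the hop between the load balancer and the web front ends stays unencrypted, which is the point the SSL bridging reply further down addresses.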
Same problem here. Trying to fix it too. We need SSL Offloading.
What was your approach? Unfortunately I don't "understand" your changes in your customization because it's on three-year-old code.
@brianlala: how do we want to fix this? Some ideas:
- Add a workaround to every Get-SPWebApplication so it finds the correct one (use Webapp-Name, use Filter, ask user to choose webapp etc.) (very tricky)
- Omit IIS SSL configuration with a Script parameter or a new xml value
- Fully implement AAM to the script and xml (lots of work)
Which approach would you like to take? Maybe I can support with some code.
Thx
Best practice? Use SSL bridging instead. Secure all the way through, and no need for different AAMs. Use a self-signed cert on the WFEs if you must, then configure the HLB to trust it. I don't plan on adding this support to AutoSPInstaller as it's essentially in maintenance mode at this point and my focus is on DSC these days.
Cheers