WCF Service Behind Load Balancer (F5 box) - Security Issue

  • Question

  • Hello

    Our environment is such that the WCF service is hosted on an IIS box behind a load balancer (F5 box). The F5 box uses SSL, whereas the IIS box doesn't use SSL.

    The service is exposed through myservice.svc in a virtual directory called myservicevirdir.

    The service uses basicHttpBinding with no security.

    The client machine's app.config specifies the endpoint as follows:

    https://virtualhostname/myservicevirdir/myservice.svc

    Note that virtualhostname points to the F5 box and not to the IIS box.

    The only way I have gotten this scenario to work is by specifying security mode="Transport" on the client side, even though the WCF service on the IIS box has no security.

    Anyways, the problem I am running into is that this approach of specifying security mode=Transport on the client side when the WCF service uses security mode=None doesn't work if I use the wsHttpBinding. And I need to use the wsHttpBinding for transactions.

    Here is the server web.config:

    <system.serviceModel>
      <services>
        <service behaviorConfiguration="credentialConfig" name="X.X.X.MyService">
          <endpoint address=""
                    binding="basicHttpBinding"
                    bindingConfiguration="basicHttpBindingForMyService"
                    contract="X.X.X.IMyService"/>
        </service>
      </services>
      <bindings>
        <basicHttpBinding>
          <binding name="basicHttpBindingForMyService" closeTimeout="02:00:00" maxBufferPoolSize="10000000" maxBufferSize="1000000000" maxReceivedMessageSize="1000000000" openTimeout="02:00:00" receiveTimeout="02:00:00" sendTimeout="02:00:00" transferMode="Buffered">
          </binding>
        </basicHttpBinding>
      </bindings>
      <behaviors>
        <serviceBehaviors>
          <behavior name="credentialConfig">
            <serviceMetadata httpGetEnabled="True"/>
            <serviceDebug includeExceptionDetailInFaults="true"/>
            <dataContractSerializer maxItemsInObjectGraph="1000000000" />
          </behavior>
        </serviceBehaviors>
      </behaviors>
    </system.serviceModel>

    Client's app.config:

    <system.serviceModel>
      <bindings>
        <basicHttpBinding>
          <binding name="basicHttpBinding_IMyService" closeTimeout="02:00:00" maxBufferPoolSize="100000000" maxBufferSize="1000000000" maxReceivedMessageSize="1000000000" openTimeout="02:00:00" receiveTimeout="02:00:00" sendTimeout="02:00:00" transferMode="Buffered">
            <readerQuotas maxStringContentLength="1000000000" maxArrayLength="1000000" maxBytesPerRead="1000000" maxNameTableCharCount="1000000" maxDepth="1000000"/>
            <security mode="Transport"></security>
          </binding>
        </basicHttpBinding>
      </bindings>
      <client>
        <endpoint address="https://virtualhostname/myservicevirdir/myservice.svc" binding="basicHttpBinding" bindingConfiguration="basicHttpBinding_IMyService" contract="X.X.X.IMyService" name="myendpoint1">
        </endpoint>
      </client>
    </system.serviceModel>

    Thursday, March 22, 2007 2:59 PM

All replies

  • anybody?
    Monday, March 26, 2007 1:42 PM
  • does anybody have any pointers?
    Tuesday, March 27, 2007 9:42 PM
  • You have a complicated scenario and I want to help, but I don't really understand the question (I am not an expert), and I think your question needs to be clarified:

    You have an F5 box that uses SSL or https, correct?

    You have another box hosting WCF on IIS, and you want it hosting https or http? If it is https, doesn't that require SSL?

    You have clients that access WCF. Do they go through the F5 box that requires SSL, and you still want them to gain access to the WCF box as http?

    In other words, I don't get the chain from client to the WCF box, nor what role the F5 box really plays, and I am confused about the use of http versus https bindings. From my understanding, SSL (Secure Sockets Layer) uses a cryptographic key pair to encrypt messages. So https and SSL are, essentially, the same thing.

    I think you need to be very clear to get help.
    Wednesday, March 28, 2007 8:44 AM
  • Thank you for replying, Trevor.

    I have the WCF service hosted in IIS on a Windows 2003 Server. The service by itself does not require SSL. There is no certificate installed on the IIS box.

    The client does not access the IIS box directly. There is a load balancer in front of the IIS box. This load balancer is the F5 box; it has a certificate installed and uses SSL.

    My WCF client is on a Vista machine and uses a generated service proxy. The endpoint specified in the client's configuration to access the WCF service hosted on the IIS box uses the F5 box's address. This endpoint uses https since the F5 box requires SSL. The F5 box handles the requests coming from clients and redirects them to the IIS box. Effectively, we use https from client->F5 and http from F5->IIS. On the response side, we use http from IIS->F5 and https from F5->client.

    This scenario works fine if I use basicHttpBinding for my WCF service with security mode=None and basicHttpBinding on the client side with security mode=Transport.

    The WCF client thinks that the WCF service requires SSL and hence has to specify https in the endpoint and Transport as the security mode. This is because the F5 box gives the client that impression.

    However, if I try to use wsHttpBinding and specify security mode=None for the service and security mode=Transport on the client side, I get a mismatch error.

    Wednesday, March 28, 2007 2:08 PM
  • bump
    Thursday, March 29, 2007 5:28 PM
  • Now there is one setup that I can think of right away that might solve your problem.

    What I can understand is that your SSL terminates at F5 (I'm not sure what this is, btw), but I can understand this to be an intermediate box of some sort.

    The transport security obviously ends here. Now wsHttpBinding by itself requires some form of secure transport. Since you are not using SSL between F5 and the service, this means your service is not secure.

    On the other hand, you could set up message-level security also and transport security to SSL.

    This way the service could be set up with security mode=Message.

    This is a performance kill since you have multiple levels of security, but this might solve your problem since you don't have transport security between the 2 boxes.

    Now IMHO I would suggest you set up F5 to begin a new SSL session, as this means your security would be at that transport and you have faster security and might not have a performance trade-off.

    Thanks

    Sajay

    Thursday, March 29, 2007 7:04 PM
  • Thanks for replying, Sajay.

    F5 is an intermediate machine that acts as a load balancer for the web farm. Having SSL on web servers is likely to degrade performance. We intend to have SSL only on the F5 box.

    I tried the following:

    Service:
    wsHttpBinding
    security mode=Message
    message clientCredentialType=None

    Client:
    wsHttpBinding
    security mode=TransportWithMessageCredential
    transport clientCredentialType=None
    message clientCredentialType=None

    This does not work. I get a message saying I can't specify None as a clientCredentialType.

    I also tried using certificates for authentication with security mode=Message, but then I started running into other problems (e.g. there is no private key in the X.509 cert).

    On a side note, can you confirm if I would be able to use Windows as the clientCredentialType if my service is hosted on a Windows 2003 machine that is inside a particular Windows domain but my WCF client machine is inside a different Windows domain?

    • Proposed as answer by Santthosh Tuesday, March 24, 2009 7:33 PM
    Thursday, March 29, 2007 7:28 PM
  • Did you ever figure out how to make this work? I am trying to use client certificate authentication on web servers behind an F5. Thanks, Richard
    Thursday, October 30, 2008 5:18 AM
  • I have a similar setup (IIS web service servers sit behind an F5, where SSL is offloaded by the F5); clients access via SSL.

    After a bit of research, the following configuration worked fine for me (it's very similar to s441's configuration: uses message-level security throughout, Transport on the client and None on the server).

    Server (dev01.myserver.com) Security Configuration

    <security mode="None">
      <transport clientCredentialType="None" proxyCredentialType="None" />
      <message clientCredentialType="Windows" establishSecurityContext="false" negotiateServiceCredential="true" />
    </security>

    Client (client01.myclient.com) Security Configuration

    <security mode="Transport">
      <transport clientCredentialType="None" proxyCredentialType="None" />
      <message clientCredentialType="Windows" establishSecurityContext="false" negotiateServiceCredential="true"/>
    </security>

    Endpoint Address on client

    <client>
      <endpoint address="https://example.myserver.com/TestService.svc"
                binding="wsHttpBinding" bindingConfiguration="TestSOAPBinding"
                contract="ITestService" name="TestService">
      </endpoint>
    </client>

    Remember to set establishSecurityContext to false on message (http://msdn.microsoft.com/en-us/library/ms730128.aspx)
    • Proposed as answer by Santthosh Tuesday, March 24, 2009 8:43 PM
    Tuesday, March 24, 2009 7:43 PM
  • We are in similar situation, here is an article I found. It might help you guys.

     

    http://support.microsoft.com/kb/971842

    Friday, May 14, 2010 2:53 PM
  • Have a look at the following article; I think it addresses your situation:

    http://www.devproconnections.com/article/net-framework2/wcf-and-ssl-processing-load-balancers.aspx 


    MCSE, MCTS:SQL 2005, Project+
    Friday, May 21, 2010 5:46 PM
  • I blogged about this a few months ago. I took most of the solution from Michele's article that Ryan posted, and provided my sample solution (C#) at the bottom. It worked for me.

    http://offroadcoder.com/2010/12/04/WCFServiceBehindASSLOffloadingACELoadBalancer.aspx

    Wednesday, May 18, 2011 3:44 PM
  • In some cases, the load balancer may be sending the traffic to just one server, and it works OK. The moment a second server is added, the following error is returned:

    There was no endpoint listening at https://myservice.svc that could accept the message.

    This is using TransportWithMessageCredential in both basic and wsHttp.

    Posting the request directly to each server works OK as well. What kind of rule in the load balancer could be causing this problem?

    Wednesday, August 10, 2011 10:04 PM
  • This error is raised because the load balancer does a context switch during the routing of the request to a server, and to optimize the internal traffic, there is no SSL encryption. The problem is that TransportWithMessageCredential requires that the channel be encrypted. To address this problem, you need to use CustomBinding and allow the request to be processed without SSL.

    • Edited by ozkaryMVP Friday, July 20, 2012 7:35 PM
    Friday, July 20, 2012 7:34 PM
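The CustomBinding approach described in the last reply, written out in C# as an added example; this is not code from any poster in the thread, from Microsoft's KB article, or from the linked blog posts. It assumes .NET 4 (or .NET 3.5 SP1 with the KB 971842 update, which is where the AllowInsecureTransport setting comes from), a hypothetical IMyService contract standing in for the thread's X.X.X.IMyService, a UserName message credential (Santthosh's post used Windows instead), and a self-hosted server for illustration; under IIS the same elements would be expressed as a customBinding in web.config.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Channels;

// Hypothetical contract standing in for the thread's X.X.X.IMyService (assumption).
[ServiceContract]
public interface IMyService
{
    [OperationContract]
    string Echo(string text);
}

public static class SslOffloadBindings
{
    // Server side (IIS behind the SSL-offloading F5). IIS only ever sees plain HTTP,
    // so a stock wsHttpBinding with TransportWithMessageCredential refuses the channel.
    // A CustomBinding built from the same "UserName over transport" security element,
    // with AllowInsecureTransport = true, keeps the message-level credential and the
    // WS-Security timestamp but no longer insists that the local hop be HTTPS.
    public static Binding CreateServerBinding()
    {
        TransportSecurityBindingElement security =
            SecurityBindingElement.CreateUserNameOverTransportBindingElement();
        security.AllowInsecureTransport = true;   // .NET 4 / KB 971842 setting
        security.IncludeTimestamp = true;         // keep the replay-window timestamp

        // Default TextMessageEncoding is SOAP 1.2 + WS-Addressing 1.0, matching wsHttpBinding.
        var encoding = new TextMessageEncodingBindingElement();
        var transport = new HttpTransportBindingElement
        {
            MaxReceivedMessageSize = 1000000000   // size taken from the thread's configs
        };

        // Element order matters in a CustomBinding: security, then encoding, then transport.
        return new CustomBinding(security, encoding, transport);
    }

    // Client side talks HTTPS to the F5, so the standard binding is correct there.
    public static WSHttpBinding CreateClientBinding()
    {
        var binding = new WSHttpBinding(SecurityMode.TransportWithMessageCredential);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        // As Santthosh noted: no secure-conversation session, so any server in the
        // farm can handle any request without sticky sessions.
        binding.Security.Message.EstablishSecurityContext = false;
        binding.MaxReceivedMessageSize = 1000000000;
        return binding;
    }

    // Self-hosted server on a plain-HTTP base address (assumed for illustration).
    // The default UserNamePasswordValidationMode (Windows) checks the UserName
    // credential against Windows accounts; configure a custom validator if needed.
    public static ServiceHost OpenServer(Type serviceType, Uri httpBaseAddress)
    {
        var host = new ServiceHost(serviceType, httpBaseAddress);
        host.AddServiceEndpoint(typeof(IMyService), CreateServerBinding(), "");
        host.Open();
        return host;
    }

    // Builds a client channel pointed at the F5's HTTPS name.
    public static IMyService CreateClient(Uri httpsEndpoint, string user, string password)
    {
        var factory = new ChannelFactory<IMyService>(
            CreateClientBinding(), new EndpointAddress(httpsEndpoint));
        factory.Credentials.UserName.UserName = user;
        factory.Credentials.UserName.Password = password;
        return factory.CreateChannel();
    }
}
```

With AllowInsecureTransport the UserName credential and the message body cross the F5-to-IIS hop in cleartext, so this only makes sense where that internal segment is isolated from anything untrusted; the setting removes the HTTPS requirement, it does not replace it. Keeping IncludeTimestamp on preserves the WS-Security replay window, and leaving EstablishSecurityContext off is what allows the load balancer to spread requests across the farm without the "no endpoint listening" failure described above.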