1
votes

I’ve got a situation where I have a WCF load balancer sitting behind an F5 load balancer that is doing the SSL decryption and forwarding the unencrypted message to the BizTalk hosted WCF service behind it.

If I configure the service using basic http and the client attempts to call the service this comes back:

The provided URI scheme 'https' is invalid; expected 'http'. Parameter name: via

If I configure the service to use wcf-custom and set the bindings for wsHttp with windows auth or None the client gets the following exception:

There was no endpoint listening at https:/// service.svc that could accept the message. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details.

I think that the answer to this may involve using a custom behavior, however I was wondering if anyone had run into this situation in the past, and if so, how did you deal with it?

1
Shouldn't you use a URL rewriter of some sort on the load balancer that handles the SSL decryption? After the decryption your traffic will be normal HTTP traffic. The URL has to reflect that. – Daniel Hilgarth

1 Answer

1
votes

The easiest solution for your case is to use something called ClearUsernameBinding, where you can pass the username and password over the HTTP channel. By default, basicHttpBinding doesn't allow the username and password to be passed over the HTTP channel, and we tend to use wsHttpBinding, which fails in load-balanced environments.

Alternatively, you have to configure your F5 load balancer not to offload the SSL for any requests that are related to your WCF service. Ex: Host the WCF service on a different port and then tell the F5 load balancer not to offload the SSL for any traffic coming to that port.