The network path is as follows:
Browser ---https---> load balancer ---http---> SharePoint servers
However, it turns out not to be an easy task. We found that the URLs embedded in HTTP responses from SharePoint (such as form action links) are in http. Since SharePoint never knows that the traffic was originally https (as you can see from the network path above), of course it embeds URLs in http. It kind of makes sense.
I searched all over the place to see if someone had already found a solution.
One suggestion was to use the Stream profile of the load balancer as a workaround:
- On the BigIP load balancer, under Local Traffic | Virtual Servers | Profiles, choose Others | Stream.
- Create a Stream profile with Settings:
It does work. Every "http://sp.domain.com" in the HTTP responses from SharePoint is replaced by "https://sp.domain.com". If you decide to pursue this approach, you must read AskF5 knowledge base article SOL6422: Using the Stream profile with HTTP traffic may prevent the client from displaying all of the data. It documents a known issue with the Stream profile, and the workaround.
But I am persistent, and kept looking for the real fix in SharePoint. The following two articles were very useful in helping me derive my own solution using BigIP load balancers.
- F5's Deployment Guide Microsoft SharePoint Portal Server 2003 (BIG-IP v9.x)
- Microsoft SharePoint Team Blog What every SharePoint administrator needs to know about Alternate Access Mappings (Part 1 of 3)
It took me a day, and I think I figured it out:
- First, create a SharePoint site in the Default zone, with host name and port:
spsite port 8888
- SharePoint will create the web application and content database accordingly.
- Then, extend this web application to a new SharePoint web site with your internal host name, port, and no SSL:
http://sp.domain.com port 80
- In the Load Balanced URL field, use https://sp.domain.com (yes, https here!).
- Put this site in the Internet zone.
- Then, go to Operations | Alternate Access Mapping. You will see the following entries:

| Internal URL | Zone | Public URL for Zone |
| --- | --- | --- |
| http://spsite:8888 | Default | http://spsite:8888 |
| https://sp.domain.com | Internet | https://sp.domain.com |

- Now, click on Add Internal URLs. Add your internal non-SSL URL in the Internet zone.
- Then, go back to the Operations | Alternate Access Mapping screen. You will see the following entries:

| Internal URL | Zone | Public URL for Zone |
| --- | --- | --- |
| http://spsite:8888 | Default | http://spsite:8888 |
| https://sp.domain.com | Internet | https://sp.domain.com |
| http://sp.domain.com | Internet | https://sp.domain.com |
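
One way to check the result from the browser side of the load balancer, as an added example that is not part of the original post: it parses a response body and reports every absolute http:// URL that points at the public host, such as the form action links mentioned above. The function names, the sample HTML and its paths are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes whose value is a URL the browser will fetch or submit to.
URL_ATTRS = {"href", "src", "action"}


class LinkCollector(HTMLParser):
    """Collect (tag, attribute, url) for every URL-bearing attribute."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                self.links.append((tag, name, value.strip()))


def find_downgraded_urls(html, public_host):
    """Return links that use plain http against the HTTPS-only public host."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for tag, attr, url in collector.links:
        parts = urlsplit(url)  # scheme and hostname come back lowercased
        if parts.scheme == "http" and parts.hostname == public_host.lower():
            findings.append((tag, attr, url))
    return findings


# Constructed sample responses (not captured from a real SharePoint server).
BEFORE_FIX = """
<form action="http://sp.domain.com/pages/submit.aspx" method="post"></form>
<a href="/sites/team/default.aspx">Team</a>
<script src="HTTP://SP.DOMAIN.COM/scripts/core.js"></script>
"""
AFTER_FIX = BEFORE_FIX.replace("http://", "https://").replace("HTTP://", "https://")

if __name__ == "__main__":
    for label, body in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        hits = find_downgraded_urls(body, "sp.domain.com")
        print(label, "->", len(hits), "plain-http URL(s)")
        for tag, attr, url in hits:
            print(f"  <{tag} {attr}> {url}")
```

Relative links are not reported, since they inherit the scheme the browser used for the page.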