Tuesday, June 12, 2007

SharePoint MOSS 2007 with SSL termination on Load Balancer

We want to enable SSL in our SharePoint (MOSS 2007). Since we already have a pair of load balancers (F5 Networks BigIP load balancers) for our Blackboard Learning Management System, we would like to use them for SSL termination for SharePoint as well. The advantage is that it offloads all encryption and decryption work from our SharePoint servers on to the load balancer (which is designed to do that work, and more).

The network path is as follows:

Browser ---https---> load balancer ---http---> SharePoint servers

However, it turns out not to be an easy task. We found that the URLs embedded in http responses from SharePoint (such as form action links) are in http. Since SharePoint never knows that the traffic was originally https (as you can see from the network path above), of course it would embed URLs in http. It kind of makes sense.

I searched all over the place to see if someone had already found a solution.

One suggestion was to use the stream profile of the load balancer as workaround:
  • On the BigIP load balancer, under Local Traffic | Virtual Servers | Profiles, choose Others | Stream.
  • Create a Stream profile with Settings:
    Source http://sp.domain.com
    Target https://sp.domain.com
It does work. All "http://sp.domain.com" in the http responses from SharePoint would be replaced by "https://sp.domain.com". If you decide to pursue this approach, you must read AskF5 knowledge base article SOL6422: Using the Stream profile with HTTP traffic may prevent the client from displaying all of the data. It documents a known issue of the Stream profile, and the workaround.

But I am persistent, and kept pursuing the real fix in SharePoint. The following two articles were very useful in helping me derive my own solution using BigIP load balancers.
It took me a day, and I think I figured it out:
  • First, create a SharePoint site in the Default zone, on a port of your choice:
    spsite port 8888
  • SharePoint will create the web application and content database accordingly.
  • Then, extend this web application to a new SharePoint web site with your internal host name and port, and no SSL:
    http://sp.domain.com port 80
  • In the Load Balanced URL field, use https://sp.domain.com (yes, https here!).
  • Put this site in the Internet zone.
  • Then, go to Operations | Alternate Access Mapping. You will see the following entries:

    Internal URL             Zone       Public URL for Zone
    http://spsite:8888       Default    http://spsite:8888
    https://sp.domain.com    Internet   https://sp.domain.com

  • Now, click on Add Internal URLs. Add your internal non-SSL URL to the Internet zone:
    http://sp.domain.com Internet
  • Then, go back to the Operations | Alternate Access Mapping screen. You will see the following entries:

    Internal URL             Zone       Public URL for Zone
    http://spsite:8888       Default    http://spsite:8888
    https://sp.domain.com    Internet   https://sp.domain.com
    http://sp.domain.com     Internet   https://sp.domain.com
Only then will SharePoint know that the incoming URL http://sp.domain.com is associated with the Internet zone, and that it should embed https://sp.domain.com in form action links, etc., when sending responses back to users.
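As a check that the mapping took effect (and that the Stream profile is no longer masking the problem), here is an added example, not from the original post, that scans a response body for absolute http:// links pointing at the site's own public host. The sample bodies and the host name sp.domain.com are constructed for the demonstration.

```python
"""Find absolute http:// links to the site's own host in a SharePoint
response body. Behind an SSL-terminating load balancer these indicate
that the Alternate Access Mapping for the non-SSL internal URL is missing."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that carry URLs in SharePoint page output
URL_ATTRS = {"action", "href", "src", "formaction"}


class _LinkCollector(HTMLParser):
    """Collect (tag, attribute, value) for every URL-bearing attribute."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:  # HTMLParser lowercases tag and attr names
            if name in URL_ATTRS and value:
                self.urls.append((tag, name, value))


def find_plain_http_links(body, public_host):
    """Return (tag, attribute, url) for each absolute http:// URL whose host is
    public_host. Relative URLs and https:// URLs are fine and are skipped."""
    parser = _LinkCollector()
    parser.feed(body)
    bad = []
    for tag, name, url in parser.urls:
        parts = urlsplit(url)
        if parts.scheme.lower() == "http" and parts.hostname \
                and parts.hostname.lower() == public_host.lower():
            bad.append((tag, name, url))
    return bad


# Constructed sample: what SharePoint emits before the internal URL is mapped
SAMPLE_BEFORE_AAM = """<html><body>
<form method="post" action="http://sp.domain.com/Pages/default.aspx">
<a href="http://sp.domain.com/_layouts/settings.aspx">Settings</a>
<a href="/relative/ok.aspx">Relative link</a>
<script src="https://sp.domain.com/_layouts/core.js"></script>
</form></body></html>"""

# Constructed sample: the same page once http://sp.domain.com is in the Internet zone
SAMPLE_AFTER_AAM = SAMPLE_BEFORE_AAM.replace("http://sp.domain.com", "https://sp.domain.com")

if __name__ == "__main__":
    for label, body in (("before AAM", SAMPLE_BEFORE_AAM), ("after AAM", SAMPLE_AFTER_AAM)):
        print(label, find_plain_http_links(body, "sp.domain.com"))
```

To check the live site, feed the body of an https GET against the public URL into find_plain_http_links; an empty result means the responses no longer need rewriting on the load balancer.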