
I am exposing my service to the public network from my corporate network.

I have a certificate for *.mydomain.com, a generic (wildcard) certificate.

My load balancer URL for the service is:

https://myservice.mydomain.com/service1.svc

I have two app servers whose URLs are:

http://myservice1.mydomain.com/service1.svc
http://myservice2.mydomain.com/service1.svc

We use SSL offloading on the F5 load balancer, so from the outside world to the F5 LB it is https, and from the LB to the app servers it is http. We configured the certificate at the F5 LB.

When I hit the LB service URL in the browser, I get the "Service has been created" page:

MyService Service

You have created a service.

To test this service, you will need to create a client and use it to call the service. You can do this using the svcutil.exe tool from the command line with the following syntax:

svcutil.exe http://myservice.mydomain.com/service1.svc?wsdl

You can also access the service description as a single file:

http://myservice.mydomain.com/service1.svc?singleWsdl

When I add the service reference from my client app using the load balancer URL, I get the following error:

The document was understood, but it could not be processed.
  - The WSDL document contains links that could not be resolved.
  - There was an error downloading 'http://myservice.mydomain.com/service1.svc?wsdl=wsdl0'.
  - Unable to connect to the remote server
  - No connection could be made because the target machine actively refused it 207.187.164.30:80
Metadata contains a reference that cannot be resolved: 'https://myservice.mydomain.com/service1.svc?wsdl'.
Metadata contains a reference that cannot be resolved: 'https://myservice.mydomain.com/service1.svc?wsdl'.
If the service is defined in the current solution, try building the solution and adding the service reference again.

But when I access my two app server URLs directly from inside the network, I am able to generate the proxy and my service works just fine. When I try to generate the proxy from outside the network through the LB URL, I get the above-mentioned error.

My service binding is:

<service behaviorConfiguration="DefaultBehavior" name="MyServices.MyService">
  <endpoint binding="wsHttpBinding" contract="MyServices.IMyService" />
  <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
</service>

and corresponding behavior is:

<behavior name="DefaultBehavior">
  <serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
  <serviceDebug includeExceptionDetailInFaults="true" />
  <errorHandler />
</behavior>

Please help me resolve this issue.

Alagesan Palani
  • What makes you think it is an SSL certificate issue? Are you getting error messages to that effect? If so, include them in your question. – user469104 Nov 07 '14 at 18:28
  • Because my certificate is issued to *.mydomain.com and my app servers' domain is devlab.com, configured with a self-signed certificate, I am thinking it can be a certificate error. I am using a self-signed certificate as my *.mydomain.com certificate can't be applied to my *.devlab.com app servers. – Alagesan Palani Nov 07 '14 at 18:31
  • The certificates on your dev servers are only a concern in the trust relationship between your load balancer device and those servers. As long as the load balancer has been made to trust those self-signed root certs it would not be an issue. Are you getting error messages? If so, include them in your question. – user469104 Nov 07 '14 at 18:37
  • Please check my updated question for the error message. – Alagesan Palani Nov 07 '14 at 18:45
  • It would also be good to see the bindings from both the client and the server. Do you know if it works if you do not use SSL? I.e. over regular http over the load balancer? If so, perhaps this could be of help http://stackoverflow.com/questions/3876955/wcf-service-returns-404-over-https-but-not-http – user469104 Nov 07 '14 at 19:01
  • If you can reach the URL from the outside on https://myservice.mydomain.com/service1.svc?singleWSDL, it will be all you need to import the service. – Pedro.The.Kid Nov 11 '14 at 14:17
  • What happens when you access the LB without SSL in the browser? – Mike Nov 11 '14 at 21:11
  • I cannot access the service URL of the LB without SSL; if I try, I see a page-not-found. – Alagesan Palani Nov 12 '14 at 05:23

1 Answer

Though I was exposing the service from my nodes as http, the F5 LB was doing the heavy lifting on SSL offloading, so my service from the F5 LB was https. Since I was exposing metadata over the http scheme from my nodes and the F5 LB did not support the http scheme, WSDL generation on the http URL through the F5 LB was blocked, hence I was not able to generate the proxy.

Later I came to know from my infrastructure team that exposing metadata to clients in production was a security issue, so we block it.

So now the question is: how does a client consume the service when we don't expose a metadata endpoint? The simple answer was to use a channel factory to create the proxy and call the service method through the F5 LB's https URL. This is how I solved the problem.

Alagesan Palani
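The channel-factory approach the answer describes, as an added example that is not code from the original post. Without a metadata (mex) endpoint the client cannot generate a proxy, so the contract interface has to be compiled into the client (typically from a shared assembly); the `IMyService` contract and its `Echo` operation below are hypothetical stand-ins, since the question does not show the real operations of `MyServices.IMyService`. The client binding uses transport security (TLS to the F5), which assumes the node-side `wsHttpBinding` is configured with `security mode="None"` over plain http behind the offloading LB; the question's config uses the default (Message) security, so that server-side change is an assumption of this example.

```csharp
using System;
using System.ServiceModel;

// Hypothetical contract: the real MyServices.IMyService operations are not shown in the question.
// In practice this interface lives in an assembly shared by service and client.
[ServiceContract(Namespace = "http://mydomain.com/MyServices")]
public interface IMyService
{
    [OperationContract]
    string Echo(string value);
}

public static class MyServiceClient
{
    // Builds the binding the client uses to reach the service through the F5's https URL.
    // SecurityMode.Transport: TLS between client and F5 only. The F5 terminates TLS and
    // forwards plain http to the nodes, so the node-side binding is assumed to use
    // security mode="None" (no WS-Security headers, which Transport mode also omits).
    public static WSHttpBinding CreateBinding()
    {
        var binding = new WSHttpBinding(SecurityMode.Transport);
        // Default for Transport mode is Windows (NTLM/Kerberos) credentials, which a public
        // client outside the corporate network cannot present through the LB.
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.None;
        return binding;
    }

    // Creates a proxy channel directly from the contract, no WSDL/mex needed.
    public static IMyService CreateChannel(string serviceUrl)
    {
        var factory = new ChannelFactory<IMyService>(CreateBinding(), new EndpointAddress(serviceUrl));
        // Leave default server certificate validation in place: the *.mydomain.com certificate
        // presented by the F5 must chain to a trusted CA and match myservice.mydomain.com.
        // Do not install a permissive ServicePointManager.ServerCertificateValidationCallback.
        return factory.CreateChannel();
    }

    public static void Main()
    {
        IMyService channel = CreateChannel("https://myservice.mydomain.com/service1.svc");
        try
        {
            Console.WriteLine(channel.Echo("hello"));
            ((IClientChannel)channel).Close();
        }
        catch (Exception)
        {
            // A faulted channel must be aborted, not closed.
            ((IClientChannel)channel).Abort();
            throw;
        }
    }
}
```

Once clients are built this way, the node-side `serviceMetadata` behavior can have `httpGetEnabled` and `httpsGetEnabled` set to `false` and the `mex` endpoint removed, which is what blocking metadata in production amounts to in WCF configuration.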