4

Following is the scenario.

We have an F5 load balancer. Incoming requests come in to the F5 load balancer as HTTPS and are then redirected to the WCF services server as HTTP.

I have tried almost all possible configuration combinations, but it keeps giving two different errors. For example, in light of a few suggestions, I tried changing the security mode to 'Transport'; the error then changes to the following: "Could not establish secure channel for SSL/TLS with authority 'xxx.xxx.xxx.xxx:XXXX'."

Server Configuration:

<system.serviceModel>
    <services>
      <service behaviorConfiguration="NameofServiceBehaviour" name="NameOfServices">
        <endpoint address="" binding="wsHttpBinding" bindingConfiguration="wsHttpEndPointBinding" name="wsHttpEndPoint" contract="Name.IContractName" />
      </service>
    </services>
    <bindings>
      <wsHttpBinding>
        <binding name="wsHttpEndPointBinding">
          <security mode="None">
            <!-- <transport clientCredentialType="Certificate" /> -->
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
    <behaviors>
      <serviceBehaviors>
        <behavior name="ServiceBehaviourName">
          <serviceMetadata httpGetEnabled="true" />
          <serviceDebug includeExceptionDetailInFaults="false" />
          <!-- <serviceCredentials>
            <serviceCertificate findValue="CN=CertificateName" storeLocation="LocalMachine" />
          </serviceCredentials> -->
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <serviceHostingEnvironment multipleSiteBindingsEnabled="false" />
  </system.serviceModel>

Client Configuration:

<system.serviceModel>
        <bindings>
            <wsHttpBinding>
                <binding name="wsHttpEndPoint">
                    <security mode="None" />
                </binding>
            </wsHttpBinding>
        </bindings>
        <client>
            <endpoint address="https://URL.svc"
                binding="wsHttpBinding" bindingConfiguration="wsHttpEndPoint"
                contract="Name.IContractName" name="wsHttpEndPoint" />
        </client>
    </system.serviceModel>

Regards, Nasir

  • Take a look at this link, it can help you: http://www.codeproject.com/Articles/36705/simple-steps-to-enable-HTTPS-on-WCF-WsHttp-bindi – Ricardo Pontual Aug 25 '15 at 14:35
  • Ricardo - This link only works if there is no load balancer involved. I have tried this. If I remove the load balancer and call my WCF server directly, then it works fine. But with the load balancer it doesn't. – Muhammad Nasir Waqar Aug 25 '15 at 15:43
  • If your load balancer is configured to offload SSL and the traffic between the load balancer and your WCF service (hosted server) is over HTTP, you can change your binding to basichttp. You do not need a wshttpbinding for this scenario. – Rajesh Aug 26 '15 at 08:38

2 Answers

5

Under Load Balancer I have had this problem and the fix was on the client side like this:

<system.serviceModel>        
    <bindings>
      <customBinding>
        <binding name="MyBindingConfig">
          <textMessageEncoding maxReadPoolSize="64" maxWritePoolSize="16" messageVersion="Soap11" writeEncoding="utf-8">
          </textMessageEncoding>
          <httpsTransport  authenticationScheme="Anonymous" bypassProxyOnLocal="false" proxyAuthenticationScheme="Anonymous"/>
        </binding>
      </customBinding>
    </bindings> 
    <client>
        <endpoint address="https://YOUR-END-POINTURL-WITH-HTTPS"
            binding="customBinding" bindingConfiguration="MyBindingConfig"
            contract="ServiceReference.YOURCONTRACT" name="TEST" />
    </client>
</system.serviceModel>

Also, you can see that when you add the web service reference in Visual Studio and enter the URL with HTTPS, it automatically adds the URL to the client endpoint element (client app.config) without the S (so HTTP, because of the load balancer). You can then go ahead and update that to HTTPS as I did in the above example. Hope it helps.

Ernest
  • This was what I was looking for. By the way, this could be done in C# code, without a configuration file, with `var encodingElement = new TextMessageEncodingBindingElement(MessageVersion.Soap11, Encoding.UTF8); var transportElement = new HttpsTransportBindingElement(){ AuthenticationScheme = System.Net.AuthenticationSchemes.Anonymous, BypassProxyOnLocal = false, ProxyAuthenticationScheme = System.Net.AuthenticationSchemes.Anonymous }; var customBinding = new CustomBinding(encodingElement, transportElement); var client = new Client(customBinding, new EndpointAddress("https://ENDPOINT"));` – Pablo Recalde Feb 24 '20 at 15:08
  • @PabloRecalde I'm glad it worked for you. And yes, it is up to us to pick the best way to do it. – Ernest Feb 24 '20 at 15:14
-1

I found the answer with this link. The key was to set the following parameters in the custom binding:

<security allowInsecureTransport="true" enableUnsecuredResponse="true">
Jamal
  • 7
    What is the point of SSL if you are allowing InsecureTransport and responses? – Jack B Nimble Aug 08 '16 at 20:50
  • 1
    it might work but this is not a good solution from a security perspective – Simon May 19 '17 at 07:50
  • 1
    I don't think the down votes here are entirely fair. If you were changing an http binding to https you would run into this problem. Obviously an unsecured channel negates the benefits of https but it could be an intermediate step along the way to properly securing the channel. – Malachy Aug 22 '17 at 02:00
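
A static check over a WCF client config for the two problems this thread keeps returning to: an https endpoint address paired with a binding that has no TLS transport, and the allowInsecureTransport / enableUnsecuredResponse flags from the second answer. This is an added example, not code from any poster; the sample config, the host name and the `uses_tls` / `audit` helpers are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample config; host, binding and contract names are placeholders.
SAMPLE = """<configuration><system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <binding name="wsHttpEndPoint"><security mode="None" /></binding>
    </wsHttpBinding>
    <customBinding>
      <binding name="Offload">
        <security allowInsecureTransport="true" enableUnsecuredResponse="true" />
        <httpTransport />
      </binding>
    </customBinding>
  </bindings>
  <client>
    <endpoint address="https://svc.example/S.svc" binding="wsHttpBinding"
              bindingConfiguration="wsHttpEndPoint" contract="Name.IContractName" />
    <endpoint address="http://svc.example/S.svc" binding="customBinding"
              bindingConfiguration="Offload" contract="Name.IContractName" />
  </client>
</system.serviceModel></configuration>"""

def uses_tls(kind, binding):
    """True when the referenced HTTP binding sends over HTTPS."""
    if binding is None:
        return False
    if kind == "customBinding":
        return binding.find("httpsTransport") is not None
    sec = binding.find("security")
    return sec is not None and sec.get("mode") in (
        "Transport", "TransportWithMessageCredential")

def audit(config_xml):
    """Return (endpoint address, finding) pairs for a WCF client config."""
    sm = next(ET.fromstring(config_xml).iter("system.serviceModel"))
    findings = []
    for ep in sm.findall("./client/endpoint"):
        addr, kind = ep.get("address", ""), ep.get("binding")
        name = ep.get("bindingConfiguration")
        binding = sm.find(f"./bindings/{kind}/binding[@name='{name}']")
        if addr.startswith("https://") and not uses_tls(kind, binding):
            findings.append((addr, "https address, but the binding is not TLS"))
        if addr.startswith("http://"):
            findings.append((addr, "cleartext http endpoint"))
        sec = binding.find("security") if binding is not None else None
        for flag in ("allowInsecureTransport", "enableUnsecuredResponse"):
            if sec is not None and sec.get(flag, "").lower() == "true":
                findings.append((addr, f"{flag}=true"))
    return findings
```

Run against the first answer's client config (customBinding with httpsTransport and an https address), `audit` returns no findings.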