Vista - WCF Security Issue - Unsecured Service behind SSL-accelerated F5 (load balancer) box

03-29-2007   #1
pacer441


Hello

Our environment is such that WCF service is hosted on an IIS box
behind a load balancer (F5 box). The F5 box uses SSL whereas the IIS
box doesn't use SSL.

The service is exposed through myservice.svc in a virtual directory
called myservicevirdir

The service uses basicHttpBinding with no security.

The client machine's app.config specifies endpoint as follows:

https://virtualhostname/myservicevirdir/myservice.svc

Note that virtualhostname is pointing to the F5 box and not to the IIS
box.

The only way I have gotten this scenario to work is by specifying
securitymode="Transport" on the client side even though the WCF service
on the IIS box has no security.

Anyways, the problem I am running into is that this approach of
specifying securitymode=Transport on the client side when the WCF
service uses securitymode=None doesn't work if I use the wsHttpBinding.
And I need to use the wsHttpBinding for transactions.



Here is the server web.config:

<system.serviceModel>
  <services>
    <service behaviorConfiguration="credentialConfig"
             name="X.X.X.MyService">
      <endpoint address=""
                binding="basicHttpBinding"
                bindingConfiguration="basicHttpBindingForMyService"
                contract="X.X.X.IMyService"/>
    </service>
  </services>
  <bindings>
    <basicHttpBinding>
      <binding name="basicHttpBindingForMyService" closeTimeout="02:00:00"
               maxBufferPoolSize="10000000" maxBufferSize="1000000000"
               maxReceivedMessageSize="1000000000" openTimeout="02:00:00"
               receiveTimeout="02:00:00" sendTimeout="02:00:00"
               transferMode="Buffered">
      </binding>
    </basicHttpBinding>
  </bindings>
  <behaviors>
    <serviceBehaviors>
      <behavior name="credentialConfig">
        <serviceMetadata httpGetEnabled="True"/>
        <serviceDebug includeExceptionDetailInFaults="true"/>
        <dataContractSerializer maxItemsInObjectGraph="1000000000" />
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>



Client's app.config:

<system.serviceModel>
  <bindings>
    <basicHttpBinding>
      <binding name="basicHttpBinding_IMyService" closeTimeout="02:00:00"
               maxBufferPoolSize="100000000" maxBufferSize="1000000000"
               maxReceivedMessageSize="1000000000" openTimeout="02:00:00"
               receiveTimeout="02:00:00" sendTimeout="02:00:00"
               transferMode="Buffered">
        <readerQuotas maxStringContentLength="1000000000"
                      maxArrayLength="1000000" maxBytesPerRead="1000000"
                      maxNameTableCharCount="1000000" maxDepth="1000000"/>
        <security mode="Transport"></security>
      </binding>
    </basicHttpBinding>
  </bindings>
  <client>
    <endpoint address="https://virtualhostname/myservicevirdir/myservice.svc"
              binding="basicHttpBinding"
              bindingConfiguration="basicHttpBinding_IMyService"
              contract="X.X.X.IMyService" name="myendpoint1">
    </endpoint>
  </client>
</system.serviceModel>


04-10-2007   #2
Dwight@QuickLearn

RE: WCF Security Issue - Unsecured Service behind SSL-accelerated F5 (

For the client this would be correct: Transport mode security is what you
have described, hence the SSL.

On the Service side, it gets more tricky due to your load-balanced Server.
Using wsHttpBinding by default has security turned on, which means it will
expect a message entering into your service in an encrypted form - message
level security - which it is by default.

When you turn that off, the service is expecting the raw message as is, no
encryption being applied.

However, due to the Load Balanced server (F5) which uses an X.509 cert for
the SSL on the transport layer, when the Server sends the message to the
implementation box, the question you should ask is, is this message still
encrypted with the transport layer security or not?

I'm not sure of your settings, however this is the essence of the problem
you're describing. If you turn on message logging, and open the
SvcTraceViewer, you should be able to determine what's happening. Hope this
helps.
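
Added example, not part of either post and not Microsoft code: a small Python check that resolves the effective security mode of each WCF endpoint (declared mode, otherwise the binding's default: None for basicHttpBinding, Message for wsHttpBinding) and compares client and service, so the cleartext hop behind the F5 and the wsHttpBinding default show up before deployment. The function names, finding codes and trimmed sample configs are this example's own assumptions.

```python
import xml.etree.ElementTree as ET

# WCF's default <security mode> when a binding configuration declares none.
DEFAULT_MODE = {"basicHttpBinding": "None", "wsHttpBinding": "Message"}

def endpoint_modes(config_xml):
    """Return (address, binding, effective security mode) for each <endpoint>."""
    root = ET.fromstring(config_xml)
    declared = {}  # (binding element, configuration name) -> declared mode
    for kind in root.findall("./bindings/*"):
        for cfg in kind.findall("binding"):
            sec = cfg.find("security")
            declared[(kind.tag, cfg.get("name"))] = None if sec is None else sec.get("mode")
    modes = []
    for ep in root.iter("endpoint"):
        binding = ep.get("binding")
        mode = declared.get((binding, ep.get("bindingConfiguration")))
        modes.append((ep.get("address", ""), binding, mode or DEFAULT_MODE.get(binding, "unknown")))
    return modes

def audit(service_xml, client_xml):
    """Return sorted finding codes (labels made up for this example)."""
    findings = set()
    service = endpoint_modes(service_xml)
    for address, binding, mode in endpoint_modes(client_xml):
        for _, svc_binding, svc_mode in service:
            if binding != svc_binding or mode == svc_mode:
                continue
            if mode == "Transport" and svc_mode == "None" and address.startswith("https://"):
                findings.add("tls-terminated-before-service")  # cleartext hop to the service
            else:
                findings.add(f"mode-mismatch:{mode}!={svc_mode}")
    debug = ET.fromstring(service_xml).find(".//serviceDebug")
    if debug is not None and debug.get("includeExceptionDetailInFaults", "").lower() == "true":
        findings.add("exception-detail-returned-to-callers")
    return sorted(findings)

# Constructed sample input: the thread's two configs cut down to the relevant attributes.
SERVICE = """<system.serviceModel><services><service name="X.X.X.MyService">
  <endpoint address="" binding="{b}" contract="X.X.X.IMyService"/></service></services>
  <behaviors><serviceBehaviors><behavior><serviceDebug includeExceptionDetailInFaults="true"/>
  </behavior></serviceBehaviors></behaviors></system.serviceModel>"""
CLIENT = """<system.serviceModel><bindings><{b}><binding name="c">
  <security mode="Transport"/></binding></{b}></bindings><client>
  <endpoint address="https://virtualhostname/myservicevirdir/myservice.svc"
            binding="{b}" bindingConfiguration="c" contract="X.X.X.IMyService"/>
</client></system.serviceModel>"""

for b in ("basicHttpBinding", "wsHttpBinding"):
    print(b, audit(SERVICE.format(b=b), CLIENT.format(b=b)))
```

With basicHttpBinding the check reports that TLS ends before the service; with wsHttpBinding and no explicit security element on the service it reports Transport against the Message default.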
