January 11, 2008

MOSS: Cannot define same Internal and Public URL in AAM

We have a LB (Cisco CSS11503) in front of our two WFE's. The LB device functions also as SSL Offloader. The URL of our service for the internal users is https://service.company.com.

Upon page request, SSL Offloading and load-balancing takes place on Cisco, and the requests are redirected to one of the WFE's. Cisco device cannot modify the HTTP-Header of the request, so while the requests are redirected to one of the WFE's, the Request-URI of the request itself is the same FQDN but with http protocol, http://service.company.com.

There are some good blog posts about how to configure MOSS AAM in NLB senarios. However, none of them explains how to make the previously mentioned case working. In AAM you just cannot define (or so it seems) Internal URL FQDN to be the same as Public URL FQDN so that in Internal URL the protocol is http and in the Public URL the protocol is https.

The order in which you define the URLs is important. The key is that you must first have a single URL in a zone which is using https protocol. After that you may add another URL and define it's protocol to http.

1. In the beginning you only have one URL defined, and this URL is the one you want to use, but you just would like to have the Public URL for Zone URL to say https://service.company.com.

2. No worries, select the Internal URL link http://service.company.com and change the Internal URL to https://service.company.com (or something else than the URL you want to use for the service), click OK.

3. Select "Add Internal URLs" link and type in the http-URL of your service, http://service.company.com, and select Default zone. Click Save.

Now you have the same FQDN for the service, but different protocol in Internal and Public URLs.

We did also define "Front-End-Https: on" header on Cisco, but I don't know if it is required.


  1. This worked most of the way for me.
    When I come through the ISA to my intranet (for offsite employees) the admin pages remain with the external URL. But if I come in from the inside it changes to the external URL. SO even those on the internal network are sent outside to the ISA server. What am I doing wrong?


  2. You should make sure that the Zones are defined correctly, you shouldn't use this procedure if you have different URLs between internal and external users.

  3. I'm in an ISA configuration and have done this same technique.

    Have you ever had any problems with SharePoint Designer or approval workflows (e.g. not being able to approve page layouts) after making this switch?

  4. I'm going to answer my own question here.

    If you access your site at https://service.company.com now, instead of http, Designer will be happier.