AD Authentication traffic and Domain Join
Hi All,
I am new here so hello to everyone. I am also new to F5 kit. I have a new HA pair of Version 11.3 LTMs, completely vanilla, that I have inherited at a new role (the person doing my job left unexpectedly and bought these).
All of my servers that will be on the server side vLAN are internal servers, and therefore will need to be able to authenticate against AD etc. We also have a provisioning tool for new servers that deploys VMs, and for the Server Side vLAN I need to be able to join machines to the domain from it.
I am a little reluctant to create an allow-everything Virtual Server. What I have done up to now is create Virtual Servers for every port related to AD traffic (389, 135, 88 etc). Here is an example of one of the Virtual Servers:
Name: Allow-TCP-Port-135
Partition / Path: Common
Description:
Type: Forwarding (IP)
Source: 0.0.0.0/0
Destination Type: Network, Address: 0.0.0.0, Mask: 0.0.0.0
What I am having problems with is creating a Virtual Server that will allow Dynamic RPC Ports 49152 - 65535. I have found the iRule section but it looks to me like I would need an iRule for every Pool I create. Is there a way I can create a Virtual Server for the Dynamic RPC Ports?
Thanks in advance for taking time to read this.
Dean
4 Replies
- Kevin_Stewart
Employee
You're passing AD traffic through VIPs? You can't use an IP or port range in a VIP, but you could:
- Create an any:any VIP and only allow it on specific VLANs
- Create an any:any VIP and apply IP filters that can specify IP and port ranges
- dean132_137579
Nimbostratus
I see, thanks for the reply. In option 2 how would I apply the filters to the VIP? Unfortunately this is where my experience with the F5 starts to fail me.
There is only 1 vLAN for the VIPs, and then 1 vLAN for the Servers. The issue I have is that with an open Any:Any rule more traffic gets through the F5 than wanted, for example we Load Balance SMTP servers.
SMTP-Server01 (Server Side vLAN), SMTP-Server02 (Server Side vLAN)
Corp-SMTP (Client Side vLAN with a VIP)
So any application in the company that sends SMTP traffic should use Corp-SMTP as its SMTP Server. This obviously works, however the issue we could get is that if people point their SMTP server to an individual server eg SMTP-Server01, because of the any:any VIP the SMTP traffic would get through and the email would send, but the traffic isn't load balanced, and if there was an issue with that server the email wouldn't send and the users would have to change the application.
Maybe I have got the completely wrong end of the stick here, so apologies if I am completely way off.
- Kevin_Stewart
Employee
You can find info on configuring packet filters here:
As for the SMTP VIP, the F5 will process traffic across VIPs from most specific to least specific. So if you have a 0.0.0.0:25 and a 0.0.0.0:0 VIP, SMTP traffic will be processed by the port 25 VIP, while everything else will go to the any-port VIP.
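To make the precedence described above concrete, here is a small Python simulation I'm adding to the thread (it is not F5 code and not from either poster): VIP names, addresses and VLAN names are constructed, the packet filter is a simplified stand-in for the real one, and it assumes packet filters are evaluated on ingress before VIP selection. It also ranks a host-specific destination above a wildcard one, which goes a step beyond the 0.0.0.0:25 vs 0.0.0.0:0 example.

```python
"""Simulate BIG-IP style 'most specific VIP wins' selection plus a port-range packet filter."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class VirtualServer:
    name: str
    destination: str   # CIDR: "0.0.0.0/0" is a wildcard, "10.1.1.10/32" a single host
    port: int          # 0 means any port
    vlans: frozenset   # VLANs the VIP is enabled on; empty means all VLANs

    def matches(self, dst_ip, dst_port, vlan):
        in_net = ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.destination)
        return in_net and self.port in (0, dst_port) and (not self.vlans or vlan in self.vlans)

    def specificity(self):
        # Longer destination prefix wins first; a fixed port beats "any" as a tie-breaker.
        return (ipaddress.ip_network(self.destination).prefixlen, 0 if self.port == 0 else 1)


# Constructed lab config: one any:any forwarder, one wildcard port-25 forwarder, one SMTP VIP.
VIPS = [
    VirtualServer("Allow-Any-Any", "0.0.0.0/0", 0, frozenset({"client-vlan"})),
    VirtualServer("Allow-TCP-Port-25", "0.0.0.0/0", 25, frozenset({"client-vlan"})),
    VirtualServer("Corp-SMTP", "10.1.1.10/32", 25, frozenset({"client-vlan"})),
]
# Constructed packet-filter accept list: AD ports plus the dynamic RPC range from the question.
ACCEPT_RANGES = [(25, 25), (88, 88), (135, 135), (389, 389), (49152, 65535)]


def route_flow(vips, dst_ip, dst_port, vlan, accept_ranges=ACCEPT_RANGES):
    """Apply the packet filter, then hand the flow to the most specific matching VIP."""
    if not any(lo <= dst_port <= hi for lo, hi in accept_ranges):
        return "dropped by packet filter"
    candidates = [v for v in vips if v.matches(dst_ip, dst_port, vlan)]
    if not candidates:
        return "no VIP"
    return max(candidates, key=VirtualServer.specificity).name


if __name__ == "__main__":
    for ip, port, vlan in [("10.1.1.10", 25, "client-vlan"), ("10.2.2.11", 25, "client-vlan"),
                           ("10.2.2.11", 50000, "client-vlan"), ("10.2.2.11", 50000, "server-vlan"),
                           ("10.2.2.11", 8080, "client-vlan")]:
        print(f"{ip}:{port} on {vlan} -> {route_flow(VIPS, ip, port, vlan)}")
```

Note that a mail client pointed straight at SMTP-Server01 (10.2.2.11 here) still lands on the wildcard port-25 forwarder rather than Corp-SMTP, which is exactly the bypass described earlier in the thread; only the packet filter or VLAN restriction stops it.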
- dean132_137579
Nimbostratus
I see, I didn't realise it handled traffic that way; it makes a lot more sense to me now. I really appreciate the replies.
Thanks
Dean