
Forum Discussion

Will_Adams_1995
Nov 05, 2015

Basic Reverse Proxy LTM Configuration

Hi All

I am trying to decide on an option on how to configure my BIG-IP F5 appliance to handle a reverse proxy configuration that I am moving from a TMG instance to F5. The 2 choices I have come up with are as follows:

Option 1) Perform a normal APM type configuration with an F5 authentication page and then have the logon details passed to the form for the web page.

Option 2) Perform an LTM only type configuration which has the F5 as the proxy.

I have an externally configured public website which the F5 is able to listen for and respond to. The F5 is also able to talk with the webserver (as this sits in a DMZ that the F5 has a leg into - basically the same subnet).

First question. As I have never done LTM, I am uncertain how I would perform an LTM configuration, or whether I should not bother given the potential security flaw here. Effectively, how do I do a passthrough configuration on the F5 to allow an externally accessible URL to connect to the logon page of an internally configured webserver?

Second question (as I am relatively inexperienced with creating APMs, more just operationally looking after them): if I use the APM method and present an F5 logon page, how do I move those variables to auto-populate on the webpage of the internal server (so effectively the user doesn't get presented with a doubled-up login)?

I have no doubt there will be some configurations that will require pure passthrough, but I don't know LTM, so I am hoping someone is able to shine a bit of light on this topic for me. I will continue to search through F5 DevCentral and how-to guides.


1 Reply

  • In the scenario with LTM that's typically not a problem; that's what the LTM is used for. Sure, there can be things that need to be done for your particular implementation - maybe the HTTP Host needs to be rewritten to the internal name for the vhost on the server to accept the requests, maybe absolute URLs are hardcoded in the application and need to be rewritten on responses to point to the external name. Those are all details that can be solved, though.

    As for the scenario with APM, that's pretty much what the APM does. It has multiple SSO methods, and among them is for the BIG-IP to POST a request to the logon form of the server with the same credentials (or modified credentials if that is a requirement). It's fairly simple if you know how.

    So whether you should use LTM or APM, or both if you want pre-authentication and load balancing, is simply a matter of deciding whether you trust the application to handle the client requests before they are authenticated or not.
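The LTM-only Option 2 from the question, written out as tmsh commands (an added example, not from this thread or from F5 documentation): a pool for the DMZ web server, a virtual server on the public address, and an iRule that does the two rewrites the reply mentions, the Host header on requests and the internal name in redirect Location headers on responses. All addresses and hostnames are constructed placeholders; TLS is assumed to terminate on the BIG-IP with the default clientssl profile and the pool member to listen on plain HTTP. Note that with this build the application's own logon form is what unauthenticated clients reach, which is exactly the trust decision the reply describes; APM pre-authentication would sit in front of this same virtual server.

```tmsh
# Constructed values: 203.0.113.10 is the public VIP, 10.10.20.15 is the
# DMZ web server, www.example.com is the external hostname and
# app.internal.example is the vhost name the server expects.

# Pool: the internal server, health-checked with the built-in http monitor.
create ltm pool web_pool members add { 10.10.20.15:80 } monitor http

# iRule: rewrite Host on the way in so the server's vhost accepts the
# request, and rewrite absolute redirects on the way out so the client
# is never sent to the internal name.
create ltm rule host_rewrite {
    when HTTP_REQUEST {
        HTTP::header replace Host "app.internal.example"
    }
    when HTTP_RESPONSE {
        if { [HTTP::header exists Location] } {
            set loc [HTTP::header Location]
            HTTP::header replace Location [string map {"://app.internal.example" "://www.example.com"} $loc]
        }
    }
}

# Virtual server: listens on the public VIP, terminates TLS, applies the
# iRule, and SNATs to the BIG-IP's DMZ self IP so the server's replies
# come back through the BIG-IP even if its default gateway is elsewhere.
create ltm virtual web_vs destination 203.0.113.10:443 ip-protocol tcp profiles add { tcp http clientssl } pool web_pool rules { host_rewrite } source-address-translation { type automap }

save sys config
```

The iRule only covers the Location header; absolute URLs hardcoded inside HTML bodies need a stream profile (or the LTM rewrite profile), and the http profile's Redirect Rewrite setting handles the plain HTTP-to-HTTPS scheme case without an iRule.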