eblair84_141985
Feb 14, 2014

BigIP 11.5 VE lab edition

Hi, I recently started a new job as an F5 BigIP administrator, so I recently implemented an instance of the BigIP LTM VE 11.5 on an ESX 5.x host to try to get extra ramp up time. I can get to the configuration management screen and poke around in there but not sure where to go from there. To get the LTM to control browser traffic, would I put a virtual server IP into the browser's Proxy Settings? Granted, at work, everything is already set up, so it's a matter of tweaking for desired results but trying to go from bare metal is what's getting me.

 

Thanks in advance,

 

eblair84

 

4 Replies

  • To get the LTM to control browser traffic, would I put a virtual server IP into the browser's Proxy Settings?

     

    Not at all. A bare minimum configuration of a virtual server is a destination IP and port, and a pool of resources (your web servers). Client traffic connects to the VIP address and is proxied to a pool member. From there you can add additional "filters" that can act on the payload in different ways. For example, to use an iRule to examine and control HTTP data through the proxy, you'd apply an HTTP profile. To optimize that HTTP traffic, you might apply a web acceleration profile. And to terminate and optionally re-encrypt the data (i.e. HTTPS), you'd apply client and server SSL profiles respectively.

     

    The basic VIP configuration I just described is generally for REVERSE proxy environments (unlimited set of external clients accessing a limited set of internal resources). As of 11.4 and above, there are now some really cool FORWARD proxy capabilities (a limited set of internal clients accessing an unlimited set of remote resources). For this you have several options, in which one includes explicit browser proxy settings.

     

  • Kevin, Thanks for the response. In the lab environment of the F5 University, I'm guessing part of the environment included a virtual web server or two? If that's the case, then it might behoove me to create my own bare-bones server.. lots to learn with this technology!

     

    eblair84

     

  • I created a Debian VM web server and I'm trying to configure the LTM such that I can plug in the VIP into my browser and have it redirect to the web server. I created a pool with the web server's IP as a member. The VS uses an HTTP profile but regardless of what I put in, I cannot get the browser to redirect to the web server when putting in the VIP into the address bar (essentially trying to replicate what's in the lab). The LTM and web server are on an ESX host and I'm connecting through my PC. Granted, this is all a home-based lab..

     

    Thanks,

     

    eblair84

     

  • Okay, so at a minimum you need a pool and a VIP. Everything else is basically as required for specific functionality. The pool lists the member web servers and the ports they listen on (80?), and the VIP is the IP that a client browser will communicate with. Now, if the client and web servers are on the same subnet, or the web servers know how to route directly to the client, then you'll probably also need to apply a SNAT profile. This will change the client source address in the packet to an IP that lives on the F5, to force return routing.

    Also understand that, especially when it comes to HTTP, the term "redirect" has a special meaning. What you're actually attempting to do is "route" or "proxy" the traffic through the load balancer to the web server. A proxy presents TWO different sessions: the client to proxy session, and the proxy to server session. If you're still having trouble getting to the web page, I'd recommend watching the traffic at the command line. SSH into the management IP and run the following command:

    tcpdump -lnni 0.0 port 80    
    

    Now test your browser connection again. You should see traffic from the client's IP to the VIP. If you don't have a SNAT applied, you'll then see traffic from the client's IP to the server's IP. If you have SNAT applied, you'll see the traffic coming from the F5's self-IP to the server's IP. And of course you'll want to see the server respond to the same address.
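
The capture checks described in the last reply, written out as an added example that is not part of the original thread. The four addresses, the sample capture lines and the `diagnose` helper are constructed for illustration; the line format assumed is the usual `tcpdump -nn` TCP output ("IP src.port > dst.port: Flags [..]").

```python
import re

# Address part of a `tcpdump -nn` TCP line: "IP src.port > dst.port: Flags [..]"
PKT = re.compile(r"IP (\d+(?:\.\d+){3})\.\d+ > (\d+(?:\.\d+){3})\.\d+: Flags \[([^\]]+)\]")

# Constructed lab addresses (assumptions, not values from the thread)
CLIENT, VIP, SELF_IP, SERVER = "192.168.1.50", "192.168.1.100", "192.168.1.245", "192.168.1.20"

def diagnose(lines, client, vip, self_ip, server):
    """Classify a port-80 capture by which SYN / SYN-ACK pairs are visible."""
    syn, synack = set(), set()
    for line in lines:
        m = PKT.search(line)
        if not m:
            continue  # ignore non-TCP or unparsable lines
        src, dst, flags = m.groups()
        if flags == "S":        # connection attempt
            syn.add((src, dst))
        elif flags == "S.":     # SYN-ACK, the peer answered
            synack.add((src, dst))
    if (client, vip) not in syn:
        return "no client traffic reached the VIP"
    if (self_ip, server) in syn:   # source rewritten to the self-IP
        ok = (server, self_ip) in synack
        return "SNAT applied, server answered the self-IP" if ok else "SNAT applied, server did not answer"
    if (client, server) in syn:    # client address preserved
        ok = (server, client) in synack
        return ("no SNAT, server reply came back through the BIG-IP" if ok
                else "no SNAT, server reply did not return through the BIG-IP")
    return "VIP received the connection but nothing was sent to the pool member"

# Constructed capture: no SNAT, server on the client's subnet replies directly
NO_SNAT = [
    "10:15:01.100001 IP 192.168.1.50.51234 > 192.168.1.100.80: Flags [S], seq 1000, win 64240, length 0",
    "10:15:01.100050 IP 192.168.1.50.51234 > 192.168.1.20.80: Flags [S], seq 2000, win 64240, length 0",
]
# Constructed capture: SNAT applied, server answers the self-IP
WITH_SNAT = [
    "10:20:01.200001 IP 192.168.1.50.51300 > 192.168.1.100.80: Flags [S], seq 3000, win 64240, length 0",
    "10:20:01.200040 IP 192.168.1.245.40112 > 192.168.1.20.80: Flags [S], seq 4000, win 64240, length 0",
    "10:20:01.200400 IP 192.168.1.20.80 > 192.168.1.245.40112: Flags [S.], seq 5000, ack 4001, length 0",
    "10:20:01.200450 IP 192.168.1.100.80 > 192.168.1.50.51300: Flags [S.], seq 6000, ack 3001, length 0",
]

if __name__ == "__main__":
    for name, cap in (("no SNAT", NO_SNAT), ("with SNAT", WITH_SNAT)):
        print(name, "->", diagnose(cap, CLIENT, VIP, SELF_IP, SERVER))
```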