Forum Discussion

Dazzla_20011's avatar
Dazzla_20011
Icon for Nimbostratus rankNimbostratus
Jan 11, 2011

Bluecoat Internet Monitor

Hi,

 

 

Just wondered if someone could help me. We've set up our F5 LTM pair to load balance outbound internet requests via two bluecoat proxies which are located at 2 diifferent data centres. We're using SNAT as the bluecoat proxies don't have a default route via the F5 LTM. All is working fine its just the monitor I would like to optimize.

 

 

Currently we are using two monitors for each bluecoat pool member. A icmp ping to check the bluecoat is available and google udp monitor to check the availability of the internet via each data centre. The problem is the google udp monitor isn't sent via the bluecoat box so there could be scenario where the bluecoat responds to ping and the internet monitor is up but for some reason internet access via the bluecoat isn't working. is it possible to force the internet monitor via the bluecoat?

 

 

How have other people configured the F5 to load balance outbound internet access?

 

 

Thanks

 

Darren

 

config
design
  • Chris_Miller's avatar
    Chris_Miller
    Icon for Altostratus rankAltostratus
    Jan 11, 2011
    You could use transparent HTTP monitors. 

    
Transparent

    Specifies whether the monitor operates in transparent mode. A monitor in transparent mode uses a path through the associated pool members or nodes to monitor the aliased destination (that is, it monitors the Alias Address-Alias Service Port combination specified in the monitor). The default is No.

        Yes: Specifies that the monitor operates in transparent mode.

        No: Specifies that the monitor does not operate in transparent mode.

    I've done something similar with default gateway pools. If you want to do an HTTP check for google for instance, you'll type in their address in the "Alias Address" field and port 80 in the "Service port field". Then simply attach that monitor to your pool member/nodes. Since google obviously has multiple IPs, I'd recommend configuring several monitors and requiring at least X be available.
  • Chris_Miller's avatar
    Chris_Miller
    Icon for Altostratus rankAltostratus
    Jan 11, 2011
    By the way, people typically use "transparent ICMP" monitors in this case if they're monitoring a link. Since you're monitoring a proxy, I just assumed you'd want something more but that's your call.

     

     

    https://support.f5.com/kb/en-us/solutions/public/8000/900/sol8971.html

     

     

  • Hamish's avatar
    Hamish
    Icon for Cirrocumulus rankCirrocumulus
    Jan 11, 2011
    The last time I set this up I just used several website checks. e.g. news.bbc.co.uk, an external site of our own and a couple of others... Then just set a minimum number of 'Up' monitors and away you go...

     

     

    If you're on a recent version you could use an inline monitor too...

     

     

    H
  • Dazzla_20011's avatar
    Dazzla_20011
    Icon for Nimbostratus rankNimbostratus
    Jan 13, 2011
    I'm struggling to get this working. I've created the follwing.

     

     

    My Pool contains two bluecoat proxies using the ip address and port (885).

     

    The monitor has a send string of Get http://www.google.co.uk

     

    transparent is set to yes

     

    Alias address is 173.194.37.104

     

    Alias service port http.

     

     

    The monitor is down. I would have expected to see entries from the bluecoat in the firewall logs for the monitor but nothing is there. I have also added the F5 device to the do not authenticate on bluecoat.

     

     

    Any help much appreciated as I've tried numerous things to get this working.

     

     

    Thanks

     

    Darren
  • Chris_Miller's avatar
    Chris_Miller
    Icon for Altostratus rankAltostratus
    Jan 13, 2011
    What version of LTM are you running? HTTP monitors can be a bit complex.

     

     

    Did you copy and paste that? I just noticed that GET wasn't capitalized and would need to be. :-P
  • Dazzla_20011's avatar
    Dazzla_20011
    Icon for Nimbostratus rankNimbostratus
    Jan 13, 2011

     

    Version 10.0.1 build 378.0

     

     

    The GET is in capitals.

     

     

    I'm also confused as to why I'm not seeing logs on the firewall when the transparent is set to no.

     

    Without transparent I would expect to see logs on the firewall with the source address being the F5 device. I don't see that and the monitor is up.

     

     

    Many Thanks
  • Dazzla_20011's avatar
    Dazzla_20011
    Icon for Nimbostratus rankNimbostratus
    Jan 13, 2011
    Thaks very much for your speedy responses. As you have probably guessed I'm new to F5 world and just starting to pick it up.
  • Chris_Miller's avatar
    Chris_Miller
    Icon for Altostratus rankAltostratus
    Jan 13, 2011
    Posted By Dazzla on 01/13/2011 08:41 AM

     

    Thaks very much for your speedy responses. As you have probably guessed I'm new to F5 world and just starting to pick it up.

     

    Don't sweat it at all. It's like learning a new language...everything comes with experience.

     

     

    Did this monitor work and are you seeing the logs you'd expect?

     

  • Dazzla_20011's avatar
    Dazzla_20011
    Icon for Nimbostratus rankNimbostratus
    Jan 13, 2011
    I set up the http monitor without transparent and it was up but I'm not seeing any logs on the firewall or the monitor. From my understanding I would expect to see logs from the F5 to google.

     

    I've then set up transparent with ip address of 193.105.162.85 and port 80. Once I set up transparent the monitor goes down and still not seeing any hits on the firewall from the bluecoat or the f5.

     

    I logged on to the command line utility and and did a telnet to port 80 which was logged in the firewall so I know it dns is functioning and the f5 has route to get there.