For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

hc_andy_35682's avatar
hc_andy_35682
Icon for Nimbostratus rankNimbostratus
May 11, 2010

Bypassing a VIP based on destination address

Hi All,     Our LTM is configured with a PROXY_VIP and WEBMAIL_VIP which load balances proxy and webmail traffic for schools. Schools use the PROXY_VIP to access HTTP/HTTPS web sites and the IP ...
config
design
Hamish's avatar
Hamish
Icon for Cirrocumulus rankCirrocumulus
May 11, 2010
1. If the proxy ip address is hard-coded in the browser then it doesn't matter what you redirect to... It'll still go via the proxy... The only way around that really is to use a PAC file (It's a small javascript program that gets run for EVERY URL accessed. It can decide whether to use a proxy or go direct to a website).

 

Beaware though that because it gets run for EVERY URL, you really really do want to keep it small. And avoid IP address lookups etc.

 

 

2. redirects are no good.

 

 

The best way would be via PAC file. Note that you can setup the PAC file on an HTTP server and then have the browsers load it from there. Thus you don't have to distribute a file every time it changes. Failing that, I'd recommend using an iRule on the proxy_vip. Simply detect the host they're accessing, and if it's webmail.com then use the webmail pool. Otherwise use the default pool. You can also enable/disable SNAT in the iRUle so that when accessing the webmail servers, the webmail will see the client IP address. But this also pre-supposes that the webmail servers use the F5 as their route back to the clients (Either by default route, or routes in the network etc).

 

 

H