Configure LTM as a true Full Proxy
In short we need to have the LTM do a Full Proxy. By that I mean the client IP communicates with the VIP via TCP 9091. The LTM in turn opens a separate TCP connection via 9091 to the Application server. If required we can change the port. The only requirement I was given was, the F5 has to proxy the client connection and make a separate call to the App. So basically the backend will either see the Internal Floating IP or I assume an IP address that I would potentially assign?
FYI - For more detail on the Full Proxy see, http://devcentral.f5.com/weblogs/macvittie/archive/2008/10/02/the-concise-guide-to-proxies.aspx
Client
|
Internet
|
Firewall
|
LTM VIP
|
Firewall
|
Application
10 Replies
- hoolio
Cirrostratus
Hi Jeff,
Are you wanting confirmation that LTM will act as a full proxy? If so, this is the case as long as you define the virtual server as a standard VS with a TCP profile. LTM will then broker separate TCP connections for the client and server sides. The source IP for the serverside connection can be the original client IP address, an LTM floating self IP or any other address you specify in a SNAT pool.
Aaron
- Binary10_10077
Nimbostratus
Hi, I don't know if this is the same thing as a full proxy but can I ask 2 questions?
1. We have two BIG-IP LTM 6400 in active/standby mode that we are hoping to migrate to DNS instead of IP resolution. Is this possible? In other words, can the BIG-IP LTM 6400 use hostnames instead of IP addresses for its webservers?
2. Can we create SSL certificates based on hostnames and not IP addresses?
Thanks.
- Michael_Yates
Nimbostratus
1. We have two BIG-IP LTM 6400 in active/standby mode that we are hoping to migrate to DNS instead of IP resolution. Is this possible? In other words, can the BIG-IP LTM 6400 use hostnames instead of IP addresses for its webservers?
No. The LTM Load Balances to an IP Address and Port.
Visual assist: you can have the server names included next to the IP address if you name the Nodes (Local Traffic -> Virtual Servers -> Nodes).
or
You can go to the Preferences (System -> Preferences) and check the "Display Host Names When Possible" check box and it will look like it is using the DNS Hostname of the Server whose IP Address matches the Pool Member settings, but that is only a visual decoration (and when a DNS Entry exists for the IP Address). The LTM still uses the IP Address and Port.
2. Can we create SSL certificates based on hostnames and not IP addresses?
You can create an SSL Certificate for a Server using its Hostname (FQDN), but I've never heard of creating an SSL Certificate for an IP Address. SSL Certificates are normally created for vanity URLs for a domain that you own.
- Binary10_10077
Nimbostratus
Thanks much for your assistance and fast response.
- hoolio
Cirrostratus
You can do name based load balancing using an iRule. It would add more load and latency than using default IP based load balancing though.
See this post for details on using RESOLV::lookup in 10.1 or NAME::lookup or in pre-10.1 to do this:
http://devcentral.f5.com/Community/GroupDetails/tabid/1082223/asg/50/afv/topic/aft/1171749/aff/5/showtab/groupforums/Default.aspx1173920
Aaron
- Binary10_10077
Nimbostratus
Thank you.
- jba3126
Cirrostratus
I apologize for the delay in response; my company was blocking notifications that anyone had posted. With that said, I need the LTM to perform a full proxy, hiding the client address.
- jba3126
Cirrostratus
After some research on SNAT/SNAT Pool, I believe this will work. Below is an example from my lab LTM. Please provide some feedback/corrections.
=====================
From bigip_base.conf
=====================
self 10.10.0.254 {
   netmask 255.255.255.0
   vlan LB-internal
   allow all
}
self 10.30.0.254 {
   netmask 255.255.0.0
   vlan LB-external
   allow all
}
================
From bigip.conf
================
snat translation 10.30.1.10 {
   ip timeout 28800
}
snatpool TSYS-ISIS-SNAT-Pool {
   members 10.30.1.10
}
monitor RDP {
   defaults from tcp_half_open
   dest *:3389
}
pool TSYS-ISIS-PROD-9091 {
   action on svcdown reselect
   monitor all RDP
   members 10.10.0.10:3389
}
virtual TSYS-ISIS-PROD-9091 {
   snatpool TSYS-ISIS-SNAT-Pool
   pool TSYS-ISIS-PROD-9091
   destination 10.30.1.10:3389
   ip protocol tcp
   profiles
      tcp-lan-optimized serverside
      tcp-wan-optimized clientside
}
- hoolio
Cirrostratus
You might want the SNAT pool address(es) to be in the same subnet as the pool members (assuming it's not a /8 network that both the VIP and pool members are on). Else, the pool members will need a route back to the 10.30.1.0 network.
Aaron
- Cspillane_18296
Nimbostratus
Hi Jeff, not directly related to your query, but I noticed you have port lockdown set to 'allow all' on both self IPs you show; you may want to consider revising this. This setting has an impact on traffic to the LTM (e.g. when you're managing the device via a self IP rather than the management port). For example, typically an external self IP would have a setting of 'allow none', whereas an internal self IP used for administration would likely have a setting of 'allow default'.
There's an overview of the behaviour here: https://support.f5.com/kb/en-us/solutions/public/7000/300/sol7317.html
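As an added example (not posted by anyone in this thread, and not F5's own reference configuration), here is how the lab configuration above could look once the three points raised in the thread are applied together: a standard TCP virtual server with a SNAT pool so the LTM brokers separate client-side and server-side TCP connections (hoolio's first reply), a SNAT translation address placed in the pool members' own subnet so their replies need no extra route back (hoolio's later reply), and port lockdown set to 'allow none' on the external self IP and 'allow default' on the internal one (Cspillane's reply). The translation address 10.10.0.100 is a constructed value in the 10.10.0.0/24 network of the pool member; it is assumed here that the application listens on 9091 as the original question states, so the pool member, virtual server and monitor use 9091 rather than the 3389 shown in the lab config. The syntax follows the bigip.conf format already used in the thread.

```text
=====================
From bigip_base.conf
=====================
self 10.10.0.254 {
   netmask 255.255.255.0
   vlan LB-internal
   allow default
}
self 10.30.0.254 {
   netmask 255.255.0.0
   vlan LB-external
   allow none
}
================
From bigip.conf
================
snat translation 10.10.0.100 {
   ip timeout 28800
}
snatpool TSYS-ISIS-SNAT-Pool {
   members 10.10.0.100
}
monitor APP-9091 {
   defaults from tcp_half_open
   dest *:9091
}
pool TSYS-ISIS-PROD-9091 {
   action on svcdown reselect
   monitor all APP-9091
   members 10.10.0.10:9091
}
virtual TSYS-ISIS-PROD-9091 {
   snatpool TSYS-ISIS-SNAT-Pool
   pool TSYS-ISIS-PROD-9091
   destination 10.30.1.10:9091
   ip protocol tcp
   profiles
      tcp-lan-optimized serverside
      tcp-wan-optimized clientside
}
```

With this in place the application server only ever sees 10.10.0.100 as the source of the proxied connection, which answers the original question about what address the backend will see. The translation address is deliberately different from the virtual server's destination address 10.30.1.10, and because 10.10.0.100 sits on the LB-internal subnet the pool member answers it directly through the LTM without needing a route to the 10.30.1.0 network. The 'allow none' setting on the external self IP means nothing arriving from the outside can reach services on the LTM itself, only the virtual server; 'allow default' on the internal self IP keeps the documented default set of administrative ports reachable from the inside.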