Forum Discussion
Creating iRule for web proxies with site preference
Hi,
This is the first time I've tried to write an iRule and given my lack of knowledge of TCL I'm surprised I've got this far! What I'm trying to do is as follows:
- Check if the DR site pool is up
- Check if the client IP address matches either of the two specified ranges (although currently 2, this will likely end up as more)
- If both are positive, send the traffic to the DR site proxy.
- If either, or both, of the above return false, check if the HQ site proxy is up
- If the HQ site proxy is up, send the traffic there
- Finally, if it gets to the end and the HQ proxy pool is also down, send traffic to a pool which is just a holding page advising the user to call the service desk.
Now with the help of Google, this fine site and some guess work, I've come up with the following:
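    when CLIENT_ACCEPTED {
        # A pool counts as up when it has at least one active member.
        # Note: a /8 prefix covers only the first octet, so the two ranges
        # below are not distinguished; use each range's real prefix length.
        if { ([active_members Proxy-DR_TCP8080_Pool] > 0) &&
             ([IP::addr [IP::client_addr] equals 10.100.0.0/8] ||
              [IP::addr [IP::client_addr] equals 10.64.0.0/8]) } {
            # DR proxy is up and the client is in a DR-preferred range
            pool Proxy-DR_TCP8080_Pool
        } elseif { [active_members Proxy-HQ_TCP8080_Pool] > 0 } {
            # DR down or client not in range: fall back to the HQ proxy
            pool Proxy-HQ_TCP8080_Pool
        } else {
            # Neither proxy is available: holding page pool
            pool NO_AVAIL_PROXY_Pool
        }
    }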
Does what I've written cover what I'm trying to do, and more importantly, is it something that the LTM will accept?
Many thanks, Andrew
5 Replies
- Baseline
Nimbostratus
In the 10 mins since I wrote the question, I started to think I've been going about this the wrong way..... Based on the above, the proxy setting in IE on the clients will have to be the IP of the Virtual Server on the LTMs at one of the sites. This could result in traffic going to the HQ site before then going over the WAN to the DR site to use the internet link there.
I feel I should add here the logic behind this - we have a high speed internet connection at the HQ site and at the DR site. Currently the clients all point to the HQ site proxy and therefore use the HQ internet connection. Very little uses the DR connection. We are about to start migration to Office 365, hybrid Exchange and Skype for Business, so want to make best use of both links for this increased traffic.
We have a GTM at each site and although configured as authoritative for a stub DNS zone, they aren't actually used for anything. I'm thinking that the client proxies should actually point to the GTM (i.e. proxy.stubzone.domain.local) to cover LTM failure at either site. Therefore, the iRule for the site preference should actually be running on the GTM. (I hope that makes sense.)
So, given that, would this iRule, or a variation of it, work on a GTM and still meet the requirements?
Many thanks, Andrew
- Baseline
Nimbostratus
As I've been investigating GTM configurations, I found under Wide IPs > Pools > Load Balancing Method you can have topology. It appears that if I create a topology in the GTM it will do what I'm trying to get the iRule to do for me!
- PeteWhite
Employee
You seem to have made some good progress in a short time! :o)
So topology load balancing means that GTM will look at the source IP address and provide an answer based on that. For instance, if the source IP is in China, send the user to the Hong Kong datacentre, etc. Site preferences and fallback are pretty simple stuff for both GTM and LTM - as you say, with GTM you can set the load balancing method and have multiple pools (I assume you mean using an explicit proxy at each site and using GTM to control the site/proxy in use).
Otherwise, you can use a transparent proxy (i.e. no browser configuration) and use multiple routers as pool members (this can also be done with explicit proxy of course). You turn off address and port translation on the virtual server and use a transparent monitor for the router. LTM has pretty good handling of failure scenarios like priority groups and fallback host. GTM has Last Resort Pools.
Also, managing source address matching is best done using a datagroup and the class match iRule command. Simple and scalable, you'll find plenty of examples on here.
- Baseline
Nimbostratus
Thanks for the comprehensive write up, Pete. You are correct, explicit proxy at each site.
When you say "managing source address matching is best done using a datagroup and the class match iRule command" is that instead of, or in addition/part of topology load balancing? (I'm still reading up on how that is configured so if it is part of it and I've not got to there in the documentation yet I apologise!)
Andrew
- PeteWhite
Employee
So if you decide to do the loadbalancing on the LTM then it's simple to change pools based on source address using the iRule as you have created. The source address matching section of that iRule should use the class iRule command to find the address within a datagroup. This is completely separate to the standard topology loadbalancing within GTM. Just to confuse things more, GTM has iRule events and you can use the matchregion and whereis iRule commands.
In general, it is good practice to perform the function where it is simplest and most efficient, using the simplest method - don't write complex iRules if you can use built-in features. If it were me, I'd decide on whether I wanted an explicit or transparent proxy and if explicit then perform GTM load balancing across sites, if transparent then perform LTM load balancing across links.
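The data group approach suggested in the replies above, sketched as an added example that is not part of the original thread: the source ranges move out of the iRule into an address-type data group, so adding a range needs no iRule change. The data group name `dr_preferred_clients` is hypothetical; the pool names are the ones from the question.

```tcl
# Added example: LTM site preference with client ranges held in a data group.
# Assumption: dr_preferred_clients is an address-type data group (hypothetical
# name) listing the client subnets that should prefer the DR proxy.
when CLIENT_ACCEPTED {
    # Treat a pool as available when it has at least one active member.
    set dr_up [expr {[active_members Proxy-DR_TCP8080_Pool] > 0}]
    set hq_up [expr {[active_members Proxy-HQ_TCP8080_Pool] > 0}]

    if { $dr_up && [class match [IP::client_addr] equals dr_preferred_clients] } {
        # Client is in a DR-preferred subnet and the DR proxy is available.
        pool Proxy-DR_TCP8080_Pool
    } elseif { $hq_up } {
        # DR unavailable, or client not in the data group: use the HQ proxy.
        pool Proxy-HQ_TCP8080_Pool
    } else {
        # Neither proxy pool has an active member: send to the holding page.
        pool NO_AVAIL_PROXY_Pool
    }
}
```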