Forum Discussion
Establish communication from the nodes of a pool to the LAN
I have the following topology: There is an F5 BigIP LTM and behind it there are 2 Bluecoat Proxies. These BC are pool members of a pool. I created a VS, used the performance (layer 4) profile, associated the pool that I created with the BC as pool members with the VS, and finally left the port as 0. I noticed that BC proxies need communication with AD Servers to authenticate users.
How can I establish this communication from the BC to the AD on the other side of the F5?
Thanks in advance.
6 Replies
- MiLK_MaN_61922
Nimbostratus
You can create another virtual server that listens on the VLAN of the BC's, is a 0.0.0.0/0 destination, and has a pool member of the upstream router from the F5. This will essentially make the BIG-IP act as a router for your BC's back into your network.
I would probably do some more intelligent load balancing with your BC's as well instead of having a destination port of 0. You've probably done this to simplify configuration to allow for multiple protocols to be load balanced, but you are missing out on intelligent features like CARP as an example.
- Rene_125890
Nimbostratus
Thank you very much for your reply. I'll take your advice into account. I'm going to check it by configuring the BC's VS.
- Rene_125890
Nimbostratus
Hello. I created the VS but it didn't work. There's an issue that I have to mention. The segment assigned to the BC's Proxies is not routed in the LAN. I tried using a SNAT so the request went to the AD from the F5 IP address, but it didn't work either. I used a NAT instead and finally had the connection between the BC Proxy and the AD via a BCAAA Server.
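As an added illustration that is not part of the original thread, this is how the outbound wildcard virtual server and the per-proxy NAT discussed above could look in tmsh. Every object name, VLAN name and address is a constructed placeholder, and the `source` and `vlans-enabled` restrictions are an assumption added here so the wildcard only forwards traffic that really comes from the proxies.

```tmsh
# Added example: all names and addresses below are constructed placeholders.
#   vlan_bc        VLAN where the two Bluecoat proxies live (assumed name)
#   10.10.10.0/24  BC segment, not routed in the LAN (assumed range)
#   192.0.2.1      upstream router reachable from the BIG-IP (assumed)
#   192.0.2.50     LAN-routable address chosen for the NAT (assumed)

# Gateway pool: the upstream router is the only member, any port.
create ltm pool pool_upstream_gw \
    members add { 192.0.2.1:0 } \
    monitor gateway_icmp

# Outbound wildcard virtual server for traffic leaving the BC VLAN.
# - destination/mask 0.0.0.0 matches any destination, as in the reply
# - translate-address/port disabled so the BIG-IP routes instead of
#   rewriting the destination to the pool member
# - vlans-enabled + source confine it to the proxies, so traffic from
#   other VLANs or other source addresses is not forwarded
create ltm virtual vs_bc_outbound \
    destination 0.0.0.0:0 mask 0.0.0.0 \
    ip-protocol any \
    profiles add { fastL4 } \
    pool pool_upstream_gw \
    translate-address disabled \
    translate-port disabled \
    source 10.10.10.0/24 \
    vlans-enabled vlans add { vlan_bc }

# Because the BC segment is not routed in the LAN, return traffic needs
# a routable address. A one-to-one NAT per proxy is what worked in the
# thread; 10.10.10.11 stands in for one proxy's real address.
create ltm nat nat_bc1 \
    originating-address 10.10.10.11 \
    translation-address 192.0.2.50

# Review the result before saving the configuration.
list ltm virtual vs_bc_outbound
list ltm nat nat_bc1
```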