Forum Discussion

tolinrome_13817
Feb 27, 2014

F5 and Direct Access

I seem to be having problems getting DA working through the F5. A straight translation in the firewall from inside to outside works with no problem, but going through the F5 doesn't work. I created the VIP listening on 443 (which sees the internal DA node as down), but it isn't down, and all the firewall rules are correct and working fine. I'm using SNAT automap on the VIP and all the other VIPs are functioning fine; just with DA there seems to be a problem. Any advice? Thanks.


12 Replies

  • Hi, without all the details about what kind of clients will access the DA there's no straightforward way to have a "best setup" in the LTM; it all depends on whether it's Win 7 or 8 and what the DA configuration is.

    But, to have a simple setup, I usually say that a performance L4 VS is a start. Regarding your HTTP monitor issue, I think I know what you have to do. This will also be a simple monitor that is a good start, and you can then dig into optimizing it with a client certificate in your monitor or other spoofing so the LTM will be recognized by the DA as a "client".

    The first thing you should do is to issue the command below on one of your Windows clients: netsh int httpstunnel show interfaces

    In the output you will find the URL, where you can see that /IPHTTPS is mandatory in the request, and also your hostname.

    So these values you will need to add to your HTTPS monitor as below: GET /IPHTTPS HTTP/1.1\r\nHost: xxx.xxxx.xxx\r\nConnection: Close\r\n\r\n Because your request from the LTM is not a "valid" client, you will need to put HTTP/1.1 403 in the receive string.

    And because DA takes ~5-6 minutes to start all services, put in a delay ("time until up") of about 500 seconds.

    The above is a pretty good start, and when you have this in place you can later customize it with a certificate that is OK by the DA and other mandatory checks; all this together will give you a monitor that verifies the DA service.

    I hope this can give you a start.

    Br Beinhard
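A way to try the recommended monitor request and receive string against the DA node from a workstation before configuring it on the LTM, as an added example that is not part of this thread or F5's own code; the node address and DA hostname are assumed placeholders you replace with your own:

```python
import socket
import ssl

# Values taken from the reply: the mandatory IP-HTTPS path, the receive
# string to expect, and the suggested "time until up" delay (monitor setting only).
IPHTTPS_PATH = "/IPHTTPS"
EXPECTED_STATUS = "HTTP/1.1 403"
TIME_UNTIL_UP_SECONDS = 500


def build_send_string(hostname: str) -> str:
    """Monitor send string as given in the reply; hostname comes from
    'netsh int httpstunnel show interfaces' on a Windows client."""
    return (f"GET {IPHTTPS_PATH} HTTP/1.1\r\n"
            f"Host: {hostname}\r\n"
            "Connection: Close\r\n\r\n")


def response_matches(raw: bytes, recv_string: str = EXPECTED_STATUS) -> bool:
    """Stand-in for the LTM receive-string check: the member counts as up
    when the expected status text appears in the reply. (LTM treats recv as
    a regex; a substring test is enough for a fixed status line.)"""
    return recv_string.encode() in raw


def probe(node: str, hostname: str, port: int = 443, timeout: float = 5.0) -> bool:
    """Send the monitor request over TLS to the pool member `node` (an
    assumed address) and report whether it answers as the monitor expects.
    Certificate checks are off so the probe still reaches the status line
    when the DA server uses an internal CA; pass a CA bundle via
    ssl.create_default_context(cafile=...) to keep them on."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    chunks = []
    with socket.create_connection((node, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            tls.sendall(build_send_string(hostname).encode())
            while data := tls.recv(4096):
                chunks.append(data)
    return response_matches(b"".join(chunks))


if __name__ == "__main__":
    import sys
    # Placeholder node address and DA hostname: replace with your own values.
    node, host = (sys.argv[1], sys.argv[2]) if len(sys.argv) > 2 else ("192.0.2.10", "da.example.com")
    print("UP" if probe(node, host) else "DOWN (expected %r)" % EXPECTED_STATUS)
```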