For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

henrik_36000's avatar
henrik_36000
Icon for Nimbostratus rankNimbostratus
Apr 03, 2009

F5 and IIOP

Hi!     We have this application that talks CORBA/IIOP.   After putting this application behind a BIG-IP Loadbalancer the application stopped working.     Is there anything ...
oracle
partner
Randal_Dalhoff_'s avatar
Randal_Dalhoff_
Icon for Nimbostratus rankNimbostratus
Aug 12, 2009
Was this ever solved? I am having the same problem getting IIOP traffic to go through the F5 while using Weblogic.

 

 

It appears that the IIOP traffic is using port 80/TCP as is HTTP. I am guessing that the F5 passes the HTTP traffic, but then drops the IIOP traffic.

 

 

Another site has an A10 load balancer with a similar problem and proposed the solution below. Not being very savy on F5 setup, I was wondering how their solution might translate into a configuration for our F5. (BIG-IP 10.0.0 Build 5514.0 Hotfix HF2).

 

 

I am stuck in using port 80/TCP for both the HTTP and IIOP traffic.

 

 

-------------

 

We have a solution from A10 Networks, the load balancer vendor. Basically the issue was that the Vista Web Logic cluster was accepting both the HTTP and CORBA IIOP protocols on the same port (80/TCP). It is a bit unusual for a single service bound to a particular port to accept more than one Layer 7 protocol. The load balancer only expected HTTP packets to be received on the public cluster virtual IP from anywhere, so when AS8 tried to send CORBA packets to the Vista cluster on port 80, it just dropped them after the TCP session was set up and saw that the Layer 7 payload was not HTTP 1.0/1.1.

 

 

 

We worked around that by configuring a new (different) cluster VIP on the load balancer, using the same "real" server nodes as members of the cluster, and using the same port 80/TCP; however this cluster was configured for Layer 4 load balancing only, not Layer 7 HTTP. The FQDN corresponding to this Layer 4 cluster VIP was configured in AS8 for the SSO authentication URL. ACLs are configured on the load balancer to prevent anyone from trying to get to the Vista cluster via this FQDN/VIP (only the AS8 nodes are allowed).

 

 

 

Although CORBA IIOP packets contain Layer 3 information (namely, the IP of the AS8 real server node trying to communicate with the Vista cluster), the NAT performed by the load balancer is not a problem for us because the Vista and AS8 real server nodes are in the same private VLAN. Thus after the load balancer selected one of the Vista nodes to send the CORBA packet to, that Vista node then communicated with the AS8 node initiating the SSO auth directly.