For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

TRRT_94279's avatar
TRRT_94279
Icon for Nimbostratus rankNimbostratus
Jul 27, 2011

F5 ASM and reverse Proxy

Hello all,

 

 

I have a very simple question (but I'm new to F5...):

 

I have two F5 ASM (the Appliance - 3600 series): Is it possible to configure them as reverse Proxy?

 

 

I read that it is possible with the LTM series but I'm not sure with ASM...

 

 

I need this information quickly... thanks you for your help...!

 

 

 

basic
getting started
new to f5

4 Replies

  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Jul 27, 2011
    Hi TRRT,

     

     

    ASM even as a standalone still has LTM functionality to terminate the clientside connection and create a separate serverside TCP connection. So ASM is acting as a reverse proxy.

     

     

    Can you clarify what you're trying to do?

     

     

    Aaron
  • TRRT_94279's avatar
    TRRT_94279
    Icon for Nimbostratus rankNimbostratus
    Jul 28, 2011
    Hi Hoolio,

     

     

    Thanks you very much for your quick and complete answer. Our company will install soon a OWA Server and they want to use the F5 ASM 3600 as a reverse proxy for external access to this particular ressource. The F5 ASM will be in a DMZ.

     

     

    After reading quickly the user guide, I think that I have to:

     

    - Create a local traffic pool for my OWA server (the internal IP address of the OWA Server)

     

    - Create a local traffic virtual server (in the subnet of my DMZ - different of the IP address of the F5 itself)

     

    - Select the OWA Exchange 2003 security policy for this traffic

     

     

    So the F5 will act as a reverse Proxy and will apply the specific security policy for this traffic.

     

     

    Am I correct or did I miss something else?

     

     

    Thanks

     

     

    TRRT

     

  • TRRT_94279's avatar
    TRRT_94279
    Icon for Nimbostratus rankNimbostratus
    Jul 28, 2011
    Me again...

     

    I have one more question:

     

     

    If my F5 ASM is in the DMZ, it will be connected only with one interface (there won't be two VLAN - internal and external). I read this documentation and it seems to be possible to do that (One IP network topology):

     

    http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip9_2solguide/BIG_IP9_2SolutionsGuide-17-1.html

     

     

    In this scenario, I will configure a External VLAN for my F5 (in the DMZ subnet) and a pool for my OWA server (with the internal address). Is it possible to do that? The pool won't be in the same subnet as the External VLAN of my F5 and in the document above, it's written that: "Before creating the pool, verify that all content servers for the pool are in the network of VLAN external."..

     

     

    I'm a bit confused about all that. Again sorry, but Im totally new to F5 technologies and I would much appreciate any help :p

     

     

    Regards

     

    TRRT

     

     

  • Hamish's avatar
    Hamish
    Icon for Cirrocumulus rankCirrocumulus
    Jul 28, 2011
    As long as you're SNAT'ing the traffic, that shouldn't matter. The BigIP just needs to be able to route the traffic to the poolmember (From both the management host and tim itself via the VLAN connected.

     

     

    As long as the routes to the pool members aren't via the management interface, then it should all be immaterial.

     

     

    H