Hi ,
I will reply to your points according to each point in the query:
- you should put AWAF first not the LTM.
- you don't need SSLO you can use same Certificate which you will use in the LTM in the Client side , you can do the ssl offloading by AWAF same as LTM exactly.
- No for the optimal use , you should use AWAF then LTM behind it.
- the traffic flow should be :
- you will create a Virtual server for each application on AWAF , then use the Client ssl profile and http profile and AWAF policy.
- you should go to the LTM device , the create another Virtual server for the same application and behind it the Pool of servers.
- the last step you will create the LTM Virtual server in (step 2) as a pool member in a pool, this all be done in AWAF.
- the last point of preserving the Client Public IP:
- you can do that by disabling SNAT options ( Auto map or SANT pool ) , but in this case you will create only one route as a default route to send any traffic to the LTM ( as a Next hop I mean the self IP of the LTM [ Floating self if HA or non-floating self if Standalone] ).
- Do you have a Firewall between AWAF and LTM or not , because this will be the main issue as in this case I don't see it has a benefit in this design.
- it's Okay to place it before servers ( between LTM and Servers ) but you will need to use Auto-map option or SNAT pool.
- you can depend on XFF header to preserve the public IP.
Let me know if you have further concerns :)
Nimbostratus
