Forum Discussion

Roger_Murdock
Jun 14, 2021

F5-LTM active directory and http/s

Looking to utilize LTM to handle traffic within a domain that wasn't configured following best practices. Currently, the active directory domain and the primary website share the same domain name. Clients have historically reached the website via a "www" cname but this cname needs to be removed for SEO purposes.

The cname was removed from external DNS for clients connecting via the WAN. I would like to duplicate this behavior for LAN clients without placing a reverse proxy web server on the domain controllers and need an option that will perform more reliably than adding a netsh portproxy rule to handle port 80 and 443 traffic.

How can I configure the LTM so that active directory LAN client traffic destined for "ourdomainname.com" reaches our active directory servers and LAN client traffic via ports 80 and 443 destined for "ourdomainname.com" is directed to the web servers IP address?

  • Hi Roger,

    That sounds like an interesting problem you've got there ;) Let me give it a stab, but please shout if I've completely misunderstood your question.

    For the moment, I'm assuming you get the AD traffic over ports 389/636 or similar? (i.e. AD specific ports?) And anyone who resolves the DNS name "ourdomainname.com" always ends up with the same IP, irrespective of the service they are interested in?

    If so, you can set up multiple virtual servers on the same IP address, but with different port numbers.

    • VS1: 1.1.1.1:389 - pool: AD-pool
    • VS2: 1.1.1.1:636 - pool: AD-pool (alternatively, create a port list to reduce the number of virtual servers required)
    • VS3: 1.1.1.1:80 - pool: Web-Servers
    • VS4: 1.1.1.1:443 - pool: Web-Servers (probably with SSL offload)

    As long as you don't have any with the same IP and same port, these virtual servers will work nicely together.

    Hope this helps.
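    The single-IP, multi-port layout in this answer, rendered as tmsh commands by a small generator. This is an added example, not code from AlexBCT's answer or from F5; it assumes current BIG-IP tmsh syntax, reuses the 1.1.1.1 address from the answer, and the back-end addresses (10.0.0.x), the monitor name and the virtual server names are constructed. It also applies the Source Address Translation: AutoMap setting recommended later in the thread, and sets `translate-port disabled` on the AD virtual servers so that one AD-pool with port-"any" (0) members can serve both 389 and 636 without rewriting the destination port. The generator refuses to emit two virtual servers with the same IP and port, which is exactly the constraint the answer states.

```python
# Added example (not from the thread or F5): render the four-virtual-server layout
# as tmsh commands and reject any pair of virtual servers sharing an IP:port.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Monitor:
    name: str
    parent: str   # "tcp" or "http"
    port: int     # alias port, so port-0 ("any") pool members can still be probed


@dataclass
class Pool:
    name: str
    members: List[str]  # "ip:port"; port 0 means "any" and keeps the client's port
    monitor: str


@dataclass
class VirtualServer:
    name: str
    ip: str
    port: int
    pool: str
    ssl_offload: bool = False    # attach the default clientssl profile (SSL offload)
    translate_port: bool = True  # False when the pool's members are defined with port 0


VIP = "1.1.1.1"  # address used in the answer above

# Constructed sample back ends (assumption); the real AD and web server addresses go here.
MONITORS = [Monitor("mon-ad-ldap", "tcp", 389)]
POOLS = [
    Pool("AD-pool", ["10.0.0.10:0", "10.0.0.11:0"], monitor="mon-ad-ldap"),
    Pool("Web-Servers", ["10.0.0.20:80", "10.0.0.21:80"], monitor="http"),
]
VIRTUALS = [
    VirtualServer("vs-ad-389", VIP, 389, "AD-pool", translate_port=False),
    VirtualServer("vs-ad-636", VIP, 636, "AD-pool", translate_port=False),
    VirtualServer("vs-web-80", VIP, 80, "Web-Servers"),
    VirtualServer("vs-web-443", VIP, 443, "Web-Servers", ssl_offload=True),
]


def find_collisions(virtuals: List[VirtualServer]) -> List[Tuple[Tuple[str, int], str, str]]:
    """Return ((ip, port), first_name, duplicate_name) for every repeated IP:port."""
    seen: Dict[Tuple[str, int], str] = {}
    dups: List[Tuple[Tuple[str, int], str, str]] = []
    for vs in virtuals:
        key = (vs.ip, vs.port)
        if key in seen:
            dups.append((key, seen[key], vs.name))
        else:
            seen[key] = vs.name
    return dups


def render_tmsh(monitors: List[Monitor], pools: List[Pool],
                virtuals: List[VirtualServer]) -> List[str]:
    """Emit one tmsh 'create' command per object, monitors first, then pools, then VSes."""
    dups = find_collisions(virtuals)
    if dups:
        raise ValueError(f"virtual servers share an IP:port: {dups}")
    lines: List[str] = []
    for m in monitors:
        # A wildcard-port member needs a monitor with an explicit alias port.
        lines.append(f"create ltm monitor {m.parent} {m.name} "
                     f"defaults-from {m.parent} destination *:{m.port}")
    for p in pools:
        lines.append(f"create ltm pool {p.name} members add "
                     f"{{ {' '.join(p.members)} }} monitor {p.monitor}")
    for vs in virtuals:
        profiles = ["tcp"]
        if vs.port in (80, 443):
            profiles.append("http")
        if vs.ssl_offload:
            # Default clientssl profile carries a placeholder certificate; swap in
            # a profile built from the real ourdomainname.com certificate.
            profiles.append("clientssl")
        cmd = (f"create ltm virtual {vs.name} destination {vs.ip}:{vs.port} "
               f"ip-protocol tcp pool {vs.pool} profiles add {{ {' '.join(profiles)} }} "
               f"source-address-translation {{ type automap }}")
        if not vs.translate_port:
            cmd += " translate-port disabled"
        lines.append(cmd)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tmsh(MONITORS, POOLS, VIRTUALS)))
```

    Run it once, review the printed commands, then paste them into tmsh (or save them and apply with `tmsh load sys config merge`). Adding a fifth entry for 1.1.1.1:80 makes `render_tmsh` raise instead of producing a configuration BIG-IP would reject anyway; catching it here keeps the collision check in the same place as the rest of the layout.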

  • AlexBCT,

    The answer to both questions is YES. AD servers are standalone "no additional services installed" with all AD services using the default ports. Our current DNS configuration on the LAN side has (A record "ourdomainname.com" --> "IpaddrOfADserver"). I'm going to assume this A record will need to change to the IP of the F5-LTM.

    At the moment, I have added the following rule to the AD server,

    "netsh interface portproxy add v4tov4 listenport=80 listenaddress=eth0IPaddr connectport=80 connectaddress=IpaddrOfWebServer"

    This portproxy rule has worked ok as a temporary measure but it sometimes has issues with responsiveness if no port 80 requests have been made in the last 24 hours. After returning to the office on Monday, the first port 80 proxy response can take up to 45 seconds before the correct address is resolved and passed back to the client. After that 1st initial request, there are no further issues until the following week. I'm hoping that the LTM will not suffer from the same problem.

    Thank you for the response here, that information is very helpful.

    • AlexBCT

      Hi Roger,

      Glad to hear!

      >>  I'm going to assume this A record will need to change to the IP of the F5-LTM.

      Yes, indeed. Depending on your network config, also make sure you have SNAT enabled (if in doubt, configure Source Address Translation: AutoMap under the virtual server)

      >> ...the first port 80 proxy response can take up to 45 seconds...

      Ouch, yeah, that's not great ;)

      >> I'm hoping that the LTM will not suffer from the same problem.

      ...there would be something wrong with the F5 if it did... ;)

      Good luck with the setup!

      If you're happy with the answer, can you mark the question as Answered? This way it may help the rest of the community.