At one of my clients, I am tasked with setting up a 1500 series LTM as a reverse proxy for all of the company external facing websites. LTM is being looked for less of a load balancing function and more of http proxying and secure application layer. I have done similar setup using Microsoft ISA Proxy Server but never used LTM for this role. Are there any guidelines around this setup or like solution guides? If any one has quick understanding of the design, please share it here. Any help is greatly appreciated. Thanks--Chenna

Just treat it as normal really... Think of the reverse proxy as really just load balancing over one backend... Since the number of backends is pretty much irrelevant (Assuming you can do persistence, and since you say web servers you can do active cookies), you can forget that bit. The more important question is what functionality do they want to achieve from using the 'reverse proxy'? Client Authentication? No problem, it's a separate license module though I think... Authorisation? Hmm... That's a good question... I'm not sure how you'd do something like lookup arbitrary attribute sin an external LDAP (Or similar) directory for authorisation decisions... You may still need some external web host to do the authorisation lookups for you... And then scrape the results from the reply and put them in persistence records for later... Hmmm... I wonder if iRules are flexible enough to do a separate lookup itself against an auth service then direct the user request based on the results of that... Anyone? H

Thanks for the response. Actual requirement is something like this: Internet | | External Firewall | | F5 LTM | | Internal Firewall | | Servers Excuse my poor drawing skills. F5 will be acting like a DMZ between actual servers and internet users. For the most part, its a straight forward configuration where in requests come in from internet, land on the firewall, get NATed to a private IP which is local only between F5 and Ext Firewall, gets to F5, F5 will have a VIP listening on the NATed IP and F5 sends to internal firewall, internal firewall NATs it again to the actual core IP on the server VLAN and send to servers. I don't know if this is a feasible solution yet since this is all in the POC stage right now. Please give your recommendations.

Yes it's feasable, but why are you NAT'ing so many times*? Is there a problem with your network numbering? Supporting legacy addresses where people haven't configured things correctly? One thing I would note is that I'd normally configure the F5 directly in front of the servers. (Usually by moving the serves to a DMZ behind the F5's). The internal firewall doesn't seem to be gaining you anything... (** Assuming this is a new requirement and not simply a new requirement to load balance existing internal only servers from external). e.g. Internet -> Firewall -> (F5 -> Servers) all in a DMZ. or Internet -> Ext Firewall \ F5 -> DMZ with Servers / Internal -> Internal Firewall (So the F5 becomes the router to/from your DMZ's). More info as to your reasoning & what can or can't be altered may help... H * - I don't adhere to the commonly mis-stated view that NAT'ing is automatic security...

I used to work in a telco and my setup is something like hamish mentioned. I placed a pair of Apache Reverse Proxy servers in the DMZ who will then direct traffic to App tier servers (in the backend). I guess this is the best and cleanest. Now that I am in another company, I seem to have similar requirement as dchenna, that is, using F5 as the reverse proxy server. I think it is feasible and am still figuring out how to do it since F5 needs to see the servers that are configured in the pool. Anyone can help?

Hi, I am looking to do something similar and was wondering how the OP went with their implementation. Thanks.

F5 LTM as Reverse Proxy

Hamish
Cirrocumulus
Jun 27, 2008
Just treat it as normal really... Think of the reverse proxy as really just load balancing over one backend... Since the number of backends is pretty much irrelevant (Assuming you can do persistence, and since you say web servers you can do active cookies), you can forget that bit.

The more important question is what functionality do they want to achieve from using the 'reverse proxy'?

Client Authentication? No problem, it's a separate license module though I think...

Authorisation? Hmm... That's a good question... I'm not sure how you'd do something like lookup arbitrary attribute sin an external LDAP (Or similar) directory for authorisation decisions...

You may still need some external web host to do the authorisation lookups for you... And then scrape the results from the reply and put them in persistence records for later... Hmmm... I wonder if iRules are flexible enough to do a separate lookup itself against an auth service then direct the user request based on the results of that... Anyone?

H
wowchens
Nimbostratus
Jun 27, 2008
Thanks for the response. Actual requirement is something like this:

Internet

|

|

External Firewall

|

|

F5 LTM

|

|

Internal Firewall

|

|

Servers

Excuse my poor drawing skills. F5 will be acting like a DMZ between actual servers and internet users. For the most part, its a straight forward configuration where in requests come in from internet, land on the firewall, get NATed to a private IP which is local only between F5 and Ext Firewall, gets to F5, F5 will have a VIP listening on the NATed IP and F5 sends to internal firewall, internal firewall NATs it again to the actual core IP on the server VLAN and send to servers.

I don't know if this is a feasible solution yet since this is all in the POC stage right now.

Please give your recommendations.
Hamish
Cirrocumulus
Jun 30, 2008
Yes it's feasable, but why are you NAT'ing so many times*? Is there a problem with your network numbering? Supporting legacy addresses where people haven't configured things correctly?

One thing I would note is that I'd normally configure the F5 directly in front of the servers. (Usually by moving the serves to a DMZ behind the F5's). The internal firewall doesn't seem to be gaining you anything... (** Assuming this is a new requirement and not simply a new requirement to load balance existing internal only servers from external).

e.g.

Internet -> Firewall -> (F5 -> Servers) all in a DMZ.

or

Internet -> Ext Firewall

\

F5 -> DMZ with Servers

/

Internal -> Internal Firewall

(So the F5 becomes the router to/from your DMZ's).

More info as to your reasoning & what can or can't be altered may help...

H

* - I don't adhere to the commonly mis-stated view that NAT'ing is automatic security...
Yong_Yuen_Chong
Nimbostratus
Aug 19, 2008
I used to work in a telco and my setup is something like hamish mentioned. I placed a pair of Apache Reverse Proxy servers in the DMZ who will then direct traffic to App tier servers (in the backend). I guess this is the best and cleanest.

Now that I am in another company, I seem to have similar requirement as dchenna, that is, using F5 as the reverse proxy server. I think it is feasible and am still figuring out how to do it since F5 needs to see the servers that are configured in the pool.

Anyone can help?
Shain_Singh_846
Historic F5 Account
May 18, 2009
Hi,

I am looking to do something similar and was wondering how the OP went with their implementation.

Thanks.
L4L7_53191
Nimbostratus
May 19, 2009
This will work. Just remember that if you want to do anything intelligent with the traffic you'll need to have a NAT for each pool member so the BigIP can do traffic management. Another idea is to have another BigIP pair downstream (behind the internal FW) that will do your heavy lifting with traffic management. You'd point to these Virtual Servers from your "proxy" BigIP. While you'd need another pair, it would give you the maximum flexibility.

It sounds like the goal may be to collapse a farm of reverse proxies into a BigIP pair, correct? This sounds like a perfectly valid use case to me.

-Matt
Neeraj_Jags_152
Cirrus
May 14, 2014
I have similar requirement. Source= Internet --> Ext Firewall --> F5 LB doing Proxy --> Int Firewall --> F5 LB --> Pool Member

Both F5 LB are same physical device. but different route domain means different VLAN and so between VLAN firewall required.

is it feasible solution and what else needs to take care.
nitass
Employee
May 18, 2014
is it feasible solution

why not? :)
Kevin_Stewart
Employee
May 19, 2014
One could argue that you wouldn't necessarily need the internal firewall layer here. The BIG-IP appliance is a default deny device and can itself perform firewall functions. What you're asking for can absolutely be done, but you could reduce complexity by removing the inner firewall layer.
Neeraj_Jags_152
Cirrus
May 19, 2014
Kevin, Agree with you. but firewall should be there as per customer. and outside traffic should not hit directly to F5-LB, that is why F5-PROXY-LB placed before that.

I have configured the same however pool is down and so virtual server is down.

ports and traffic is open.. Checked SSL dump traffic via command line at LB and found that handshake is being done between both LB instances (PROXY-LB and int-LB) but final RST packet seen,, why ?

Regards, Neeraj