For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

wowchens's avatar
wowchens
Icon for Nimbostratus rankNimbostratus
Jun 26, 2008

F5 LTM as Reverse Proxy

At one of my clients, I am tasked with setting up a 1500 series LTM as a reverse proxy for all of the company external facing websites. LTM is being looked for less of a load balancing function and mo...
config
design
Hamish's avatar
Hamish
Icon for Cirrocumulus rankCirrocumulus
Jun 30, 2008
Yes it's feasable, but why are you NAT'ing so many times*? Is there a problem with your network numbering? Supporting legacy addresses where people haven't configured things correctly?

 

 

One thing I would note is that I'd normally configure the F5 directly in front of the servers. (Usually by moving the serves to a DMZ behind the F5's). The internal firewall doesn't seem to be gaining you anything... (** Assuming this is a new requirement and not simply a new requirement to load balance existing internal only servers from external).

 

 

e.g.

 

 

Internet -> Firewall -> (F5 -> Servers) all in a DMZ.

 

 

or

 

 

Internet -> Ext Firewall

 

\

 

F5 -> DMZ with Servers

 

/

 

Internal -> Internal Firewall

 

 

(So the F5 becomes the router to/from your DMZ's).

 

 

 

 

More info as to your reasoning & what can or can't be altered may help...

 

 

 

H

 

 

* - I don't adhere to the commonly mis-stated view that NAT'ing is automatic security...