Forum Discussion
F5 LTM off path design (with SNAT) and client IP logging
Hi Experts
I have one deployment of an F5 LTM 6900. We want to load balance the applications below on different servers.
- Exchange (OWA, MAPI, RPC OVER HTTP, OUTLOOK ANYWHERE)
- VDI (VIRTUAL DESKTOP INFRASTRUCTURE)
- LDAP
- SMTP GATEWAYS (INCOMING AND OUTGOING)
- WEBDAV (FILE SHARING OVER HTTP)
- A COUPLE OF WEB APPLICATIONS (IIS, APACHE)
We do not want the servers' gateway to be the F5, so we need to use SNAT on the F5 (off-path design). The problem is how to get the client IP into the application logs. For HTTP, I know we can use X-Forwarded-For, but what about other applications like SMTP gateways and some TCP applications? Is there any iRule for this, or any other method to use?
Also, is there any harm if I make the servers' gateway the F5? I believe this is not recommended.
Looking forward to your reply.
Thanks
5 Replies
- pete_71470
Cirrostratus
We have a similar situation where all traffic to nodes is SNAT'ed, mostly AutoMap, but some non-HTTP nodes need to log the connecting client's IP. We use a simple iRule to log the connection:
...
# $hsl is assumed to have been opened earlier in the rule (HSL::open, normally in
# CLIENT_ACCEPTED); that part of the posted rule is elided above.
when SERVER_CONNECTED {
    # Default context in SERVER_CONNECTED is serverside, so the unqualified
    # IP::local_addr / TCP::local_port are the SNAT address and ephemeral port the
    # node sees. The "snat" field is added here (not in the posted rule) because it
    # is the value the node's own logs record and therefore the key for correlation.
    HSL::send $hsl "<190> CONNECT: client [IP::client_addr]:[TCP::client_port] vip [clientside {IP::local_addr}]:[clientside {TCP::local_port}] node [IP::server_addr]:[TCP::server_port] snat [IP::local_addr]:[TCP::local_port]"
}
...
- What_Lies_Bene1
Cirrostratus
Can't you just create static routes on the servers for the client source IP ranges and point those at the F5, leaving the default and anything else pointing wherever it does now? It's a much simpler solution.
- Kashif_Rana_493
Nimbostratus
Hi
Thanks for the reply. But could you please explain this iRule? Actually, I need to have the client IP in the APPLICATION ITSELF.
- pete_71470
Cirrostratus
I'm afraid the iRule won't help you in that way. The rule simply documents the connection so that later, say for forensics or connection troubleshooting, you can correlate the connecting client's IP with the SNAT used (which would have a corresponding IP and ephemeral port in some log generated by your applications). Since your applications see the source IP as the SNAT, you'd have to perform any necessary access control on the F5 (data groups, etc.). I like Steve's idea of simplicity, but I don't have control over the servers our F5s steer traffic toward.
- Kashif_Rana_493
Nimbostratus
Thanks for the feedback
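The correlation pete_71470 describes, matching the application's view of the SNAT address and ephemeral port back to the real client, as an added example that is not code from the thread or from F5. It assumes the iRule also logs the serverside local address and port as a trailing "snat A:P" field (the snippet as posted logs client, VIP and node only, which leaves nothing the node's logs can be joined on), that the syslog receiver prefixes each HSL line with an ISO timestamp, and a constructed application log format; both sample logs are constructed. The point it adds is the failure mode of a naive join: SNAT ephemeral ports are reused, so the lookup must pick the most recent F5 connect at or before the application event rather than any record with the same SNAT ip:port.

```python
"""Resolve the real client behind an SNAT'ed connection from F5 HSL + application logs.

Added example, not from the DevCentral thread. Assumes the iRule emits a "snat A:P"
field (the posted rule does not) and a constructed application log format.
"""
import re
from bisect import bisect_right
from datetime import datetime, timedelta

# F5 HSL line as the iRule would emit it, prefixed with a timestamp by the syslog
# receiver. The "snat" field is an assumed addition to the posted rule.
F5_RE = re.compile(
    r"^(?P<ts>\S+) CONNECT: client (?P<client>[\d.]+):(?P<cport>\d+) "
    r"vip (?P<vip>[\d.]+):(?P<vport>\d+) node (?P<node>[\d.]+):(?P<nport>\d+) "
    r"snat (?P<snat>[\d.]+):(?P<sport>\d+)$"
)
# Constructed application log format: the node only ever sees the SNAT address.
APP_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) accepted connection from (?P<src>[\d.]+):(?P<sport>\d+)$"
)

# Constructed sample data. SNAT port 40001 is reused at 10:05 by a different client,
# which is the case a plain "look up snat ip:port" join gets wrong.
F5_LOG = [
    "2024-05-01T10:00:01Z CONNECT: client 203.0.113.10:51234 vip 10.0.0.5:25 node 10.0.1.20:25 snat 10.0.1.2:40001",
    "2024-05-01T10:00:03Z CONNECT: client 203.0.113.44:44010 vip 10.0.0.5:25 node 10.0.1.21:25 snat 10.0.1.2:40002",
    "2024-05-01T10:05:00Z CONNECT: client 198.51.100.7:60123 vip 10.0.0.5:25 node 10.0.1.20:25 snat 10.0.1.2:40001",
]
APP_LOG = [
    "2024-05-01T10:00:02Z smtp-gw1 accepted connection from 10.0.1.2:40001",
    "2024-05-01T10:05:01Z smtp-gw1 accepted connection from 10.0.1.2:40001",
    "2024-05-01T10:06:00Z smtp-gw1 accepted connection from 10.0.1.2:40999",
]


def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def build_index(f5_lines):
    """Map (snat_ip, snat_port) -> list of (connect_time, fields) sorted by time."""
    idx = {}
    for line in f5_lines:
        m = F5_RE.match(line)
        if m is None:
            continue
        key = (m["snat"], int(m["sport"]))
        idx.setdefault(key, []).append((parse_ts(m["ts"]), m.groupdict()))
    for recs in idx.values():
        recs.sort(key=lambda r: r[0])
    return idx


def resolve_client(idx, app_line, max_skew=timedelta(seconds=5)):
    """Return 'client_ip:port' for one application log line, or None if unresolvable."""
    m = APP_RE.match(app_line)
    if m is None:
        return None
    recs = idx.get((m["src"], int(m["sport"])))
    if not recs:
        return None
    event_ts = parse_ts(m["ts"])
    times = [r[0] for r in recs]
    # Ephemeral ports are reused: take the latest F5 connect that is not later than
    # the application event (plus max_skew for clock drift between the two sources).
    i = bisect_right(times, event_ts + max_skew) - 1
    if i < 0:
        return None
    fields = recs[i][1]
    return f"{fields['client']}:{fields['cport']}"


def correlate(f5_lines, app_lines):
    """Pair every application log line with the resolved client (or None)."""
    idx = build_index(f5_lines)
    return [(line, resolve_client(idx, line)) for line in app_lines]


if __name__ == "__main__":
    for line, client in correlate(F5_LOG, APP_LOG):
        print(f"{client or 'UNRESOLVED':<22} <- {line}")
```

Because the F5 record is selected by time as well as by SNAT ip:port, a long-lived session still resolves correctly (its connect is the latest one at or before any later application event), and a port reused by a new client after the old session closed maps to the new client. This only works if the node actually logs the source port; an application that logs only the source address cannot be correlated this way, which is the practical reason pete_71470 says access decisions have to move onto the F5.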