Forum Discussion

Paul_Ryan_73610's avatar
Icon for Nimbostratus rankNimbostratus
Sep 05, 2011

GTM Concerns..

Hi Guys, Just want to get your opinions on whether running GTM and LTM on one box, lets say a 1600 is an issue. My concern if compromised that an attacker can gain access directly to my web server vlan by bypassing segments that are currently firewalled etc. Is it actually best practice to run GTM and LTM on separate devices? LTM being used to handle internal server load balancing such as exchange etc.. Thanks

3 Replies

  • Hi Paul,


    There is no hard set rule of running a GTM with an LTM. It's usually best practice to separate so you have redundancy and the flexibility to move your services away from a address that is being attacked. Security is more an after thought with the separation (at least from my point of view).



    From a security standpoint it's better to host an ASM and LTM to keep the attacker from exploiting an open port to a service that hasn't been patched or bringing a legacy architecture into secure architecture.



    I hope this helps







  • I think the general best practice is to run GTM on a separate unit than LTM. There are a number of reasons for this:



    Security: DNS is typically situated closer to the client. Some organizations prefer it to be on the perimeter, outside of the internal network. LTMs are generally installed near the servers behind a DMZ. Having a GTM-LTM combination unit forces a compromise in location.



    Functional: There isn't a significant benefit to having GTM co-located with LTM. The traffic doesn't necessarily flow through the same LTM as the GTM which is responding to the client. Clients will always traverse the GTM and LTM modules separately. Whereas with ASM, APM, WAM, and maybe WOM, traffic would benefit from those modules being co-located and not having to traverse the "stack" multiple times on separate units.



    If LTM and GTM are combined you're going to want to upgrade all of your GTM's together, which also means upgrading all of your LTM's. However if you've de-coupled LTM from GTM then you can run different LTM code versions in different DC's without running into versioning conflicts. This is a reasonably common practice especially when moving to a new major release. Upgrade one DC and let it run for a few days before upgrading the other(s). This way the rollback is to simply use GTMs to shift the traffic.



    Adding GTM to an LTM unit also takes up a module slot that you may want to use later for a different module like ASM, WAM, etc.



    Cost: Generally there are two LTMs per datacenter. You wouldn't want to have GTM licensed only on one unit in a redundant pair. So it would require four licenses of GTM, rather than two standalone GTM units.



    Organizational: DNS is usually not maintained by the same team that deals with the applications. Sometimes it is easier to put GTM on its own device.