Forum Discussion

Tabish_Mirza_12's avatar
Tabish_Mirza_12
Icon for Nimbostratus rankNimbostratus
Oct 07, 2013

how to deploy F5 BIG-IP 4200 V HA Pair for Web Application

Hi, We have recently purchased pair of BIG-IP 4200V (LTM & ASM) for our https based web servers load balancing. Web servers are located in DMZ of firewall. Web serves wants to see original source IP ...
design
Tabish_Mirza_12's avatar
Tabish_Mirza_12
Icon for Nimbostratus rankNimbostratus
Oct 07, 2013

As per my knowledge X-forwarded-for method only work for HTTP & SMTP traffic. It won't work for HTTPS traffic. As you said we can use same IP subnets on both interfaces (external & internal) of BIG-IP if we are deploying in Inline-Routed Mode. What is the pros & cons of using BIG-IP with same IP subnets or different ?

 

  • Jason_40733's avatar
    Jason_40733
    Icon for Cirrocumulus rankCirrocumulus
    Oct 07, 2013
    You are correct if you're not terminating the SSL with the F5. However, If the F5 terminates the SSL connection from the client, it can insert the XFF header. This solution document gives some specifics. http://support.f5.com/kb/en-us/solutions/public/4000/800/sol4816.html There are no set pros or cons of keeping the F5 in the same subnet. It all depends on your specific environment. Since the web servers are already in the DMZ in this case, it saves IPs, subnets and VLANs to have it in the same subnet doing the inline. Simpler config, fewer problems is my standard goal. Other people may have more information, but this has worked well for us over many years. No problems thus far. Keep in mind, the F5 doesn't treat traffic any different when it sends it out on the wire. An IP is an IP and an interface is an interface to the F5.