hc_andy_35682
Jan 21, 2011

How to forward traffic when all pool members are down?

Hi All,

We currently have a virtual server (PROXY.EDU_3128_TCP) on the F5 to load balance a number of proxy servers for schools. Schools configure their web browser to point to 210.15.x.x:3128 and the proxy takes care of the rest.

Because of a major maintenance, all the proxy servers need to come offline. In order to minimize any disruption to schools, we've allowed schools to have unrestricted access to the Internet for this maintenance window - so without the schools needing to change anything on their web browsers, it should just work.

OK so is there a way on the F5 to forward traffic to the internet when a request comes into the virtual server on port 3128 then (bearing in mind that at this time all the proxy servers (pool members) will be down during this time) - so in effect bypassing all the pool members. Do I need some irule for this magic to happen???

Here's our current config:

    virtual PROXY.EDU_3128_TCP {
       mirror
       enable pool EDU_PROXY_POOL
       destination 210.15.X.X:squid
       ip protocol tcp
       persist source_addr
       profiles fastL4 {}
       vlans Vlan_80 enable }

    pool EDU_PROXY_POOL {
       lb method member least conn
       action on svcdown reselect
       monitor all gateway_icmp
       members {
          210.15.X.1:webcache {
             limit 5000 }
          210.15.X.2:webcache {
             limit 5000 }
          210.15.X.3:webcache {
             limit 5000 }
          210.15.X.4:webcache {
             limit 5000 }
       }
    }

Thanks.

Andy

  • Do you have some sort of "default gateway pool" defined on this box for other applications that need internet access? My idea would be to have a pool containing the proxies and the gateways using Priority Group Activation so the gateway pool would only be used if all the proxies were down.
  • If the clients are using the LTM virtual server as their proxy server, you couldn't just forward the traffic to the internet. The clients are connecting with a destination IP of the virtual server, so if you forwarded the traffic it would still have a destination IP of the LTM VS and the router(s) wouldn't handle the connection/would send it back to LTM.

    You'd basically need LTM to act as a web proxy server. I've seen some draft iRules for this, but none that have been thoroughly tested or published. I worked on a hack of one a while back, but it didn't support the CONNECT method for HTTPS tunneling.

    Are the clients using a PAC file to get directed to the LTM VS as a web proxy? If so, I wonder if you could modify that PAC file to have a default option of forwarding without a web proxy?

    Aaron
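The PAC-file fallback suggested in the reply above, as an added example that is not part of the original thread: the PAC function lists the LTM virtual server first and `DIRECT` second, and two helper functions model how a client walks that list. `PROXY_VS`, `parsePacResult` and `chooseRoute` are hypothetical names, and the proxy address is a placeholder because the thread elides the real one.

```javascript
// Added example, not from the thread. PROXY_VS is a placeholder for the
// LTM virtual server address (the thread elides it as 210.15.x.x:3128).
var PROXY_VS = "proxy.example.edu:3128";

// PAC entry point: browsers call this for every request.
// Entries are tried left to right; "DIRECT" is used only when the proxy
// listed before it cannot be reached.
function FindProxyForURL(url, host) {
  // Single-label intranet names never need the proxy.
  if (host.indexOf(".") === -1) {
    return "DIRECT";
  }
  return "PROXY " + PROXY_VS + "; DIRECT";
}

// Split a PAC return value into the ordered list a client walks.
function parsePacResult(result) {
  return result.split(";").map(function (entry) {
    var parts = entry.trim().split(/\s+/);
    return { type: parts[0].toUpperCase(), target: parts[1] || null };
  }).filter(function (e) { return e.type !== ""; });
}

// Model the client's choice: the first entry whose target is reachable.
// isUp is a caller-supplied reachability check (an assumption of this model).
function chooseRoute(url, host, isUp) {
  var chain = parsePacResult(FindProxyForURL(url, host));
  for (var i = 0; i < chain.length; i++) {
    if (chain[i].type === "DIRECT" || isUp(chain[i].target)) {
      return chain[i];
    }
  }
  return null;
}
```

With `DIRECT` in the list, any client that cannot reach the proxy goes straight to the internet and skips whatever filtering and logging the proxies provide, so the fallback entry belongs in the PAC file only for the maintenance window.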
  • Posted By hoolio on 01/21/2011 09:43 AM

    If the clients are using the LTM virtual server as their proxy server, you couldn't just forward the traffic to the internet. The clients are connecting with a destination IP of the virtual server, so if you forwarded the traffic it would still have a destination IP of the LTM VS and the router(s) wouldn't handle the connection/would send it back to LTM.

    You'd basically need LTM to act as a web proxy server. I've seen some draft iRules for this, but none that have been thoroughly tested or published. I worked on a hack of one a while back, but it didn't support the CONNECT method for HTTPS tunneling.

    Are the clients using a PAC file to get directed to the LTM VS as a web proxy? If so, I wonder if you could modify that PAC file to have a default option of forwarding without a web proxy?

    Aaron

    Thanks for that Hoolio. Not sure if the clients are using PAC files on their end to get directed to the LTM VS. The idea was for the client (schools) to do NOTHING on their end during this brief maintenance window. I'll google around to see if I can locate an irule that will make the LTM act as a web proxy for now.

    Cheers.

    Andy