Forum Discussion

JasonNall_44907
Jan 22, 2008

IIS, LTM, and a Flat Network

Hello all. I could really use a hand here as an F5 newbie.

Here is my basic setup, and I mean basic :0

I have a completely flat network, all servers and clients on the 10.160.x.x/16 network.

We use 2 web servers to run our production floor so they are very critical. We basically just need the F5 to serve as a virtual front end for multiple physical servers.

Client --> F5 ----> 2 web servers, again all on the same network.

The problem I am having is that our web servers make some decisions based on being able to resolve the client’s source address in DNS.

I am unable to figure out how to configure the F5 to do so. As of now, the web page will work if I put an entry for the F5's address in the local HOSTS file on my IIS box, but since the source address is always the same, the host entry is displayed on every PC.

As of now, my F5 is configured using the SNAT setup, with the X-Forwarded-For option enabled in IIS... which all seems to be working fine. I am able to see the client's source address in the log, but that isn't really helpful to me.

Any help would be greatly appreciated.

Please let me know if you need more information or if my description is unclear.

  • Deb_Allen_18
    Historic F5 Account
    As of now, my F5 is configured using the SNAT setup, with the X-Forwarded-For option enabled in IIS... which all seems to be working fine. I am able to see the client's source address in the log, but that isn't really helpful to me.

    It's not clear what isn't working. Could you please explain what you need to change?

    /deb
  • Sure, and thanks for the quick response. I will try to be more clear.

    The problem is that I don't just need the origination IP to show up in the log, but to actually be interacting with IIS.

    Our web app makes decisions on what pages to serve based on the IP address of the machine accessing it.

    I currently have a Cisco CSS in front of the web servers, and it has been serving this function for a few years now. I would just like to consolidate down to one device.

    With the Cisco, in the W3 log, I see the client's actual IP address, as well as all requests coming from the client.

    With the F5, I see the client's IP address in the log, but all IIS requests are coming from the F5's IP address.

    Please let me know if this is more clear, or simply more confusing.

    Thanks again for the help
  • Thank you all again. I am not certain whether the manner described in the manual will work for me or not. Our 2 web servers are physically separated in 2 different buildings, so keeping them on an isolated switch would prove rather challenging.

    If anyone has any other ideas, I would appreciate it. Otherwise, I will work with my web designer to see if he can make some changes, or just keep my current Cisco configuration.

  • Steve_Brown_882
    Historic F5 Account
    It sounds to me like you just need to have the developers look at the X-Forwarded-For header. We have a number of apps that serve different pages based on source address but use X-Forwarded-For, or you can even write an iRule to create a custom header. Maybe something like this... Not sure this helps, but it sounds like this is what your issue is.

    when HTTP_REQUEST {
        # Add a custom header carrying the real client address so the pool
        # member can read it even though the SNAT'd TCP connection arrives
        # from the F5's address; the header name is whatever you choose
        HTTP::header insert WhatEverYouWant [IP::client_addr]
    }
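As an added illustration (example code written for this thread, not part of the original posts or of F5's products): a Python model of what the pool member sees once the F5 has SNAT'd the connection and added X-Forwarded-For, together with the way an application should read the client address from that header, trusting only the F5's own SNAT address. The SNAT address 10.160.0.5 and the production-floor subnet 10.160.20.0/24 are constructed values, not taken from the thread.

```python
"""Deriving the real client address behind a SNAT'ing F5 (added example).

Assumptions (constructed for this example, not from the thread):
  * the F5's SNAT address on the flat 10.160.0.0/16 network is 10.160.0.5
  * production-floor stations live in 10.160.20.0/24
"""
import ipaddress
from typing import Dict, List, Optional, Set, Tuple, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

SNAT_IP = "10.160.0.5"                                   # assumed F5 SNAT address
TRUSTED_PROXIES: Set[IPAddress] = {ipaddress.ip_address(SNAT_IP)}
FLOOR_NET = ipaddress.ip_network("10.160.20.0/24")      # assumed floor subnet


def through_f5(client_ip: str, headers: Optional[Dict[str, str]] = None,
               snat_ip: str = SNAT_IP) -> Tuple[str, Dict[str, str]]:
    """Model of the SNAT'd hop as seen by the pool member.

    The TCP peer becomes the F5's SNAT address and the client address is
    appended to X-Forwarded-For, which is what the X-Forwarded-For option or
    an iRule inserting [IP::client_addr] produces.  Any header the client
    sent itself is kept, so a forged value ends up to the LEFT of the real one.
    """
    out = dict(headers or {})
    existing = out.get("X-Forwarded-For")
    out["X-Forwarded-For"] = f"{existing}, {client_ip}" if existing else client_ip
    return snat_ip, out


def client_address(peer_ip: str, forwarded_for: Optional[str],
                   trusted: Set[IPAddress] = TRUSTED_PROXIES) -> IPAddress:
    """Return the address the web app should treat as the client.

    The header is consulted only when the TCP peer is a trusted proxy;
    otherwise anyone could have set it.  The chain is then walked from the
    right (the hop nearest to us), skipping trusted proxies, and the first
    untrusted hop is the client.  A malformed chain falls back to the peer.
    """
    peer = ipaddress.ip_address(peer_ip)
    if peer not in trusted:
        return peer
    hops: List[IPAddress] = []
    for part in (forwarded_for or "").split(","):
        part = part.strip()
        if not part:
            continue
        try:
            hops.append(ipaddress.ip_address(part))
        except ValueError:
            return peer        # garbage in the chain: do not trust any of it
    for hop in reversed(hops):
        if hop not in trusted:
            return hop
    return peer


def naive_client_address(peer_ip: str, forwarded_for: Optional[str]) -> IPAddress:
    """The common mistake: take the left-most X-Forwarded-For entry unconditionally."""
    if forwarded_for:
        return ipaddress.ip_address(forwarded_for.split(",")[0].strip())
    return ipaddress.ip_address(peer_ip)


def page_for(client: IPAddress) -> str:
    """The kind of decision the thread's web app makes on the client address."""
    return "floor" if client in FLOOR_NET else "office"


def serve(client_ip: str, client_headers: Optional[Dict[str, str]] = None) -> str:
    """End-to-end: client -> F5 (SNAT) -> pool member decides which page to serve."""
    peer, headers = through_f5(client_ip, client_headers)
    return page_for(client_address(peer, headers.get("X-Forwarded-For")))


if __name__ == "__main__":
    print(serve("10.160.20.7"))                                   # floor station
    forged = {"X-Forwarded-For": "10.160.20.7"}                   # office PC claiming to be one
    print(serve("10.160.99.50", forged))                          # still "office"
    peer, hdrs = through_f5("10.160.99.50", forged)
    print(naive_client_address(peer, hdrs["X-Forwarded-For"]))    # 10.160.20.7: fooled
```

The difference between `client_address` and `naive_client_address` is the point of the last reply in this thread: once the application acts on the claimed source address rather than just logging it, the header has to be treated as client-controlled unless the hop that wrote it is the application's own load balancer, and a value that does not parse as an address should disable the header rather than be passed along.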
  • physically separated in 2 different buildings, so keeping them on an isolated switch would prove rather challenging.

    I do not think the idea is to keep them on the same switch, but on the same VLAN (which could be propagated between your Ciscos). The problem with this setup is that you have to trust the F5 in the same way as the switches, because any packet to and from the physical server in this setup goes via the F5, which will be acting as another switch in the way (for example, management and monitoring of your precious servers).

    This means to me that if you can put the servers in a separate VLAN (beware of using more than 3 VLANs in a VLAN group; we have run into a bunch of other problems while trying this setup), you can create a VLAN group containing two VLANs: v_my_precious_servers and v_all_other_stuff. The F5 will take care of bridging non-balanced traffic, while you do not need to have SNAT active on the VS. Anyway, some sort of segmentation which will force the packet to return via the F5 seems to be the only way to get rid of SNAT, and it does not matter if it is done at L2 or L3.

    Anyway, I would be very careful about why the hell the pool member needs to know the real client IP. If it will try some sort of callback or something, IMHO you may get very unexpected results.