Forum Discussion

Gabe
Jan 29, 2018

In-Line SMTP with STARTTLS Offloading

We have a virtual server to load balance our SMTP/SMTPS traffic using SNAT Automap. It is currently performing TLS offloading for STARTTLS, but our spam solution is not working properly since all the email appears to have originated from the F5.

Our solution is to move away from SNAT Automap, set up the virtual server in-line by changing the default gateway on our SMTP servers to the floating address of the F5, and configure an IP forwarding virtual server.

Would TLS offloading still work when we place the server in-line, or does TLS offloading require SNAT Automap to be used?

  • You don't need to change the Virtual Server type.

    You can have a standard virtual (including TLS offload) without source address translation. You still need the pool members to use the LTM as the default gateway.

  • Gabe

    Thanks S. Blakely, we were just waiting for someone to confirm before moving forward with testing. You are correct, we will configure our pool members to have the default gateway as the LTM floating address since we have our F5s in HA.

    Once we perform our testing I will post the results.

  • Hi Gabriel,

    Would TLS offloading still work when we place the server in-line, or does TLS offloading require SNAT Automap to be used?

    Yes, it will work.

    Besides hiding the original source IP, the setting "snat none" or "snat auto" does not have an impact on the remaining TCP-proxy/L7 functionality of the LTM.

    You can also see it like this: "snat auto" is performing a SNAT to your floating IP, and "snat none" is performing a SNAT to the same IP as before (aka null-SNAT) for the server-side TCP connection. As long as your F5 is in the routing path for the responses of the server-side connection, it makes no difference to the remaining functionality of your LTM.

    Cheers, Kai
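The configuration the two replies describe, written out in tmsh as an added illustration (this is not taken from any post in the thread and is not Gabe's actual config). All names and addresses are made up: 203.0.113.25 is the SMTP VIP, 10.0.0.11 and 10.0.0.12 are the mail servers, 10.0.0.1 is the internal floating self IP the servers use as their default gateway, and the certificate and profile names are placeholders. The virtual server `vs_smtp_starttls` is shown twice, once as the original SNAT Automap version and once with `source-address-translation { type none }`, so the diff between them is visible: the client-ssl and smtps profiles that perform the STARTTLS offload are identical in both. The `#` lines are explanatory comments for the reader; strip them before feeding the text to `tmsh load sys config merge`.

```tmsh
# --- STARTTLS offload pieces (the same in both variants of the virtual) ---
ltm profile client-ssl clientssl_smtp {
    defaults-from clientssl
    cert mail.example.com.crt
    key mail.example.com.key
}
ltm profile smtps smtps_starttls {
    defaults-from smtps
    # require: the client must issue STARTTLS before MAIL FROM is accepted.
    # "allow" would also accept cleartext sessions; "none" disables STARTTLS handling.
    starttls-activation-mode require
}
ltm pool pool_smtp {
    members {
        10.0.0.11:25 { address 10.0.0.11 }
        10.0.0.12:25 { address 10.0.0.12 }
    }
    monitor smtp
}

# --- Original: SNAT automap. Pool members see the LTM floating self IP as the
#     sender of every connection, so IP-reputation checks on the mail servers are blind. ---
ltm virtual vs_smtp_starttls {
    destination 203.0.113.25:25
    ip-protocol tcp
    pool pool_smtp
    profiles {
        clientssl_smtp { context clientside }
        smtps_starttls { }
        tcp { }
    }
    source 0.0.0.0/0
    source-address-translation { type automap }
    translate-address enabled
    translate-port enabled
}

# --- Corrected: SNAT none (same object, changed in place). Profiles are untouched,
#     so the STARTTLS offload behaves exactly as before; only the server-side source
#     address changes. Pool members must use the internal floating self IP
#     (10.0.0.1 here) as their default gateway, otherwise return traffic bypasses
#     the LTM and the TCP proxy breaks. ---
ltm virtual vs_smtp_starttls {
    destination 203.0.113.25:25
    ip-protocol tcp
    pool pool_smtp
    profiles {
        clientssl_smtp { context clientside }
        smtps_starttls { }
        tcp { }
    }
    source 0.0.0.0/0
    source-address-translation { type none }
    translate-address enabled
    translate-port enabled
}

# --- Once the mail servers default-route through the LTM, their own outbound
#     connections (outbound mail delivery, DNS) would be dropped, because BIG-IP
#     only forwards traffic that matches a virtual server. A forwarding virtual
#     on the internal VLAN lets them out without touching the inbound virtual. ---
ltm virtual vs_forward_outbound {
    destination 0.0.0.0:any
    mask any
    ip-forward
    profiles {
        fastL4 { }
    }
    source 10.0.0.0/24
    translate-address disabled
    translate-port disabled
    vlans { internal }
    vlans-enabled
}
```

Two checks after the change: `openssl s_client -starttls smtp -connect 203.0.113.25:25` should negotiate TLS and present the LTM's certificate, and a `tcpdump -ni <interface> port 25` on a pool member should now show the external sender's address, not 10.0.0.1, as the source of the inbound connection. Two caveats worth keeping in mind: after offload the leg from the LTM to the mail servers is cleartext SMTP, as with any TLS termination, so the 10.0.0.0/24 segment has to be trusted; and `starttls-activation-mode require` is the setting that stops a client from quietly staying in cleartext on the client side, whereas `allow` permits it.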