IP address restriction to IIS

Do you need to translate the source address for response traffic to return to the load balancer? (iow, is some other device besides LTM the default route for the servers?)

 

 

/d

Here is a post with some related info:

 

 

IP address and domain name restrictions in IIS

 

http://devcentral.f5.com/Default.aspx?tabid=53&forumid=25&tpage=1&view=topic&postid=23811

 

 

Aaron

Ok - may help if I give a bit more detail:-

 

 

2 x F5 LTM on a single subnet (SNAT in use)

 

The traffic goes to a farm of web servers.

 

Some of the websites on the webservers have 'virtual directories' which are locked down to a specific IP address range in IIS. Obviously this now does not work since the load balancers IP is seen instead of the source client IP.

 

The article mentions that the source IP can be passed through in a header using the HTTP profile. I suspect though that this could then only be applied at site level rather than Virtual directory level?

 

I suspect the way forward is an irule.

Just reading the other thread again and it may be that's all we need to do is switch of address translation and set the gateway IP's of each client to the load balancer. All of our nodes have different IP addresses so I am guessing this is an option? Is this just a case of unticking address translation in the VS settings? What if a server needed to talk out directly not though the load balancer?

 

You can set SNAT to none on the virtual server. Leave address translation enabled as that refers to destination address translation. As long as the web servers' default gateway is set to the BIG-IP, that part will work. If you want to allow outgoing connections from the servers through the BIG-IP, you can configure a forwarding virtual server (IP forwarding with SNAT enabled). If you only want to allow traffic from the web servers to pass though this VIP, enable it only on the VLAN they're on.

 

 

Aaron