We recently purchased BIG-IP LTMs with the Web Accelerator module. The LTM is running great and we have migrated all of our load-balanced systems to the new platform. However, we recently enabled the following:
Advanced Settings
Protocol Profile (Client) - tcp-wan-optimized
Protocol Profile (Server) - tcp-lan-optimized
OneConnect Profile - oneconnect
HTTP Profile - http-acceleration
HTTP Class Profiles
wa_httpclass - with Web Acceleration enabled
At first everything was fine and we received very positive feedback both during testing and once we implemented the change. However, a few days after implementing the change, an issue arose with our SSL VPN system from Juniper (SA-6000).
Users connecting through the SSL VPN would sporadically see another user's ID and data. Fortunately the first platform we enabled WA on does not house confidential data. Recognizing that the only change was the addition of the above settings, I disabled the OneConnect profile and the http-acceleration profile. This fixed the issue.
Now to my question: I have proposed two solutions to fix this issue. The first solution would involve setting up a separate VIP that the SSL VPN clients would connect to. The separate VIP would have NO acceleration of any kind enabled. Simple, fast, easy to maintain, and low cost.
The second solution involves creating an iRule that would filter traffic connecting to the current VIP. The idea is that the iRule would look at the source IP address and, if it is in a certain IP range, disable all acceleration to and from that source address.
The second solution seems much more complicated to me, but I am being asked to investigate both. Has anyone here done something like this, and would you recommend using an iRule? If yes, could you provide a copy of the iRule so that I can use it as a starting point for my effort?
I appreciate any help you can provide :).
Best regards,
Brett
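A starting point for the second option, added here as an example and not taken from the original thread: an iRule that bypasses OneConnect and Web Acceleration only for requests arriving from the SSL VPN's source addresses. It assumes an address data group named vpn_sources (hypothetical name) holding the SA-6000's IP range, and that the ONECONNECT::reuse and WEBACCELERATOR::disable commands are available on the BIG-IP version in use.

```tcl
# Added example, not the original poster's or F5's code.
# Assumptions: an address data group "vpn_sources" (hypothetical name)
# contains the SSL VPN appliance's source range; ONECONNECT::reuse and
# WEBACCELERATOR::disable exist on this BIG-IP version.
when HTTP_REQUEST {
    # Every client outside the VPN range keeps the accelerated path.
    if { ![class match [IP::client_addr] equals vpn_sources] } {
        return
    }
    # Give this request its own server-side connection instead of
    # reusing one from the OneConnect pool.
    ONECONNECT::reuse disable
    # Serve this request without the Web Accelerator module.
    WEBACCELERATOR::disable
    # Log the bypass so it can be confirmed in /var/log/ltm during testing;
    # remove or rate-limit once verified, as it fires on every VPN request.
    log local0. "WA/OneConnect bypass applied for VPN client [IP::client_addr]"
}
```

Test by sending requests from an address inside and one outside the data group and checking the ltm log for the bypass line only on the inside case.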