Forum Discussion
Fotios_30046
Nimbostratus
Jul 11, 2007
Layout of BIP-LTM
We are upgrading our existing IIS 5 and Cisco CSS to IIS 6 and BIP-LTM, but have several questions as far as network configuration and layout.
Currently we have the following:
CSS has one leg in dmz and one leg on public network.
Web farm is in its own dmz, 192.168.168.0/24
Web servers' default gateway is the CSS.
Going forward, we would like to keep the BIP within our private network behind the firewall and wanted to gather some information on what everyone is doing.
Thanks Again
4 Replies
- Ryan_Korock_46
Historic F5 Account
fmagoufis,
Although I'm not an active customer, I've implemented quite a few BIG-IPs in my various roles at F5.
Because of the BIG-IP's flexibility, I've seen it implemented in some fairly interesting ways. However, I would say that your proposed solution is probably one of the most common. Having the BIG-IP on a private network behind your firewall is a very popular and secure architecture.
- I too agree the BIG-IP LTM on a private network behind the firewall is a common and secure architecture. The only exception, which makes up the remainder of the implementations in my experience, is those that wish to provide some of the same functionality for their firewall(s) as the LTM provides for their servers.
Putting the LTM device *in front of firewalls* allows incoming traffic to be load balanced across multiple firewall devices, providing persistence, failover, performance enhancement [SSL acceleration and termination, which also allows for more granular inspection of packets by the firewall(s)], and an additional layer of protection (e.g. Denial of Service attacks, certificate and token authentication with added modules, etc.). To provide added functionality for outbound traffic through multiple firewalls, a second pair of LTM devices can be added to the inside of the firewalls -- also known as the "firewall sandwich". This configuration can support a number of other proxy devices like web caches, IPSec gateways, mail filtering gateways, etc.
So the right configuration might actually be an evolving question of where you want to take your architecture and how many services you eventually plan to consolidate and offload to the DMZ tier. Until then, the BIG-IP LTM behind the firewall on a private network, as you mentioned, is the most common place to start.
- Fotios_30046
Nimbostratus
Thank you for the updated information, I was getting worried my question would go unanswered. To add to my original post, we purchased two LTM 3400s and will initially be setting them up as primary/secondary. My initial thoughts were to put the BIG-IP into dmzFE, but have all the web servers in dmzBE.
dmzFE will be a small network of public-to-private static mappings
dmzBE will be all the IIS web servers
The BIG-IP will have connections into both networks. The web servers will use the BIG-IP in the dmzBE as their default gateway, and the BIG-IP will have the firewall in the dmzFE network as its default gateway.
Thoughts/Suggestions?
- JRahm
Admin
This is a standard configuration and will work just fine. You can map your translations on the firewall instead of the BigIP to keep your security zones well defined. In most environments I've worked in, the F5 device between the FE and BE DMZs is not considered a security boundary, and therefore the translations occur before or after the BigIP. Ultimately your security policy should guide the final solution.
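The layout Fotios proposes (LTM with one leg in dmzFE and one in dmzBE, web servers defaulting to the LTM, LTM defaulting to the firewall) and JRahm's advice to keep the public-to-private translations on the firewall both hinge on one thing: every reply from a web server must come back through the LTM, or the connection breaks. The script below is an added example, not code from the thread or from F5; it models that two-armed layout and flags the usual mistakes (a server gateway that bypasses the LTM, a VIP outside dmzFE, a firewall translation that does not land on the VIP). The 192.168.168.0/24 web-farm range is the one from the original post; every other address, the VLAN names as subnets, and the `Ltm`/`Server` classes are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network

# Constructed addressing for the dmzFE / dmzBE layout from the thread.
# 192.168.168.0/24 is the web-farm range given in the original post; the dmzFE
# range, the firewall address and the BIG-IP self IPs are assumptions.
VLANS = {
    "dmzFE": ip_network("10.10.10.0/24"),      # public-to-private static mappings land here
    "dmzBE": ip_network("192.168.168.0/24"),   # IIS web servers
}
FIREWALL_DMZFE = ip_address("10.10.10.1")      # firewall leg facing dmzFE (assumed)


@dataclass(frozen=True)
class Server:
    name: str
    addr: IPv4Address
    default_gw: IPv4Address


@dataclass
class Ltm:
    self_ips: dict            # VLAN name -> floating self IP shared by the HA pair
    default_gw: IPv4Address   # should be the firewall's dmzFE address
    vip: IPv4Address          # virtual server address the firewall maps public IPs to
    snat_automap: bool = False


def vlan_of(addr):
    """Name of the VLAN whose subnet contains addr, or None if it is off-net."""
    for name, net in VLANS.items():
        if addr in net:
            return name
    return None


def check_layout(ltm, servers, static_maps):
    """Return a list of findings for the proposed layout; empty means consistent.

    static_maps is the firewall's public -> private translation table (the
    translations living on the firewall rather than on the BIG-IP).
    Checks performed:
      1. the VIP sits in dmzFE and every firewall translation targets it;
      2. the LTM's default route points at the firewall in dmzFE;
      3. each server's reply traffic returns through the LTM, either because the
         server's default gateway is the LTM self IP in dmzBE or because SNAT
         automap makes the LTM self IP the source address the server replies to.
    """
    findings = []
    if vlan_of(ltm.vip) != "dmzFE":
        findings.append(f"VIP {ltm.vip} is not in dmzFE")
    for public, private in static_maps.items():
        if private != ltm.vip:
            findings.append(f"firewall maps {public} to {private}, not to the VIP {ltm.vip}")
    if ltm.default_gw != FIREWALL_DMZFE:
        findings.append(f"LTM default gateway {ltm.default_gw} is not the firewall's dmzFE address")
    for srv in servers:
        if vlan_of(srv.addr) != "dmzBE":
            findings.append(f"{srv.name} ({srv.addr}) is not in dmzBE")
            continue
        if ltm.snat_automap or srv.default_gw == ltm.self_ips.get("dmzBE"):
            continue
        findings.append(
            f"{srv.name}: replies go to {srv.default_gw} and bypass the LTM "
            "(asymmetric path; point the gateway at the LTM or enable SNAT)"
        )
    return findings


def thread_layout(server_gw="192.168.168.1", snat_automap=False):
    """Build the layout described in the thread, optionally altered for comparison."""
    ltm = Ltm(
        self_ips={"dmzFE": ip_address("10.10.10.2"), "dmzBE": ip_address("192.168.168.1")},
        default_gw=FIREWALL_DMZFE,
        vip=ip_address("10.10.10.100"),
        snat_automap=snat_automap,
    )
    servers = [
        Server(f"iis{i}", ip_address(f"192.168.168.{10 + i}"), ip_address(server_gw))
        for i in range(1, 4)
    ]
    static_maps = {ip_address("203.0.113.10"): ltm.vip}   # constructed public address
    return ltm, servers, static_maps


if __name__ == "__main__":
    cases = [
        ("as proposed", {}),
        ("servers default to another dmzBE router", {"server_gw": "192.168.168.254"}),
        ("same, with SNAT automap on the VS", {"server_gw": "192.168.168.254", "snat_automap": True}),
    ]
    for label, kwargs in cases:
        print(label, "->", check_layout(*thread_layout(**kwargs)) or "OK")
```

Run as-is, the proposed layout passes; pointing the web servers at any gateway other than the LTM's dmzBE self IP produces one finding per server, and the same altered layout passes again once SNAT automap is on, which is the usual alternative when you cannot make the LTM the servers' default gateway.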