Forum Discussion
Fotios_30046
Nimbostratus
Jul 11, 2007
Layout of BIP-LTM
We are upgrading our existing IIS 5 and Cisco CSS to IIS 6 and BIP-LTM, but have several questions as far as network configuration and layout.
Currently we have the following:
CSS ...
Mark_Harris_608
Cirrus
Sep 18, 2007
I too agree the BIG-IP LTM on a private network behind the firewall is a common and secure architecture. The only exception, which makes up the remainder of the implementations in my experience, is those that wish to provide some of the same functionality for their firewall(s) as the LTM provides for their servers.
Putting the LTM device *in front of firewalls* allows incoming traffic to be load balanced across multiple firewall devices providing persistence, failover, performance enhancement [SSL acceleration and termination, which also allows for more granular inspection of packets by the firewall(s)], and an additional layer of protection (e.g. Denial of Service attacks, certificate and token authentication with added modules, etc). To provide added functionality for outbound traffic through multiple firewalls, a second pair of LTM devices can be added to the inside of the firewalls -- also known as the "firewall sandwich". This configuration can support a number of other proxy devices like web caches, IPSec gateways, mail filtering gateways, etc.
So the right configuration might actually be an evolving question of where you want to take your architecture and how many services you eventually plan to consolidate and offload to the DMZ tier. Until then, the BIG-IP LTM behind the firewall on a private network, as you mentioned, is the most common place to start.
