Forum Discussion

STTR_85331's avatar
Icon for Nimbostratus rankNimbostratus
Mar 31, 2011

LTM DMZ Design Question




We have been running a pair of LTMs in production for several years in what I would consider "one-armed" mode in that the traffic flows as follows:



Internet<-->Firewalls<-->LTMs<-->Web Servers.



The LTM Virtual Servers use SNAT AutoMap and the web servers use an internal router as their default gateway. Incoming traffic from the internet passes the firewalls and LTMs and is returned out the same path as the web servers see it as originating from an IP on their local subnet (the F5 internal floating IP). Management traffic for the web servers passes over the internal router from other internal networks.



In addition to the web services (HTTP/HTTPS) provided by the above configuration we have now been asked to host STMP relays (inbound/outbound SMTP), DNS (might later be a GTM) and other services that I wouldn't immediately think of putting behind a load balancer.



I was originally planning on putting these new services in a separate DMZ which would exist as an interface on another firewall pair (a traditional 3-leg firewall design) but now I'm wondering if there are reasons that I should consider combining all these services into a centralized DMZ that provides both secure access to SMTP, DNS, etc as well as access to load balanced web farms for HTTP/HTTPS. I have a feeling that if I want to do this with SMTP and DNS outside the F5 but behind my firewall I'll need to move to an inline configuration so that I have a way to send management traffic to/from the DNS/SMTP servers assuming they are behind the DMZ firewall but outside the LTMs.



I'd be interested in others thoughts on best practices for such a configuration as well as where I can read further on my options. I've reviewed the F5 implementation manuals but they seem to only cover individual aspects of what I'm trying to achieve rather than a complete solution.



I'd also be interested in general thoughts on where to place services like SMTP, DNS, etc in an environment that includes F5 LTMs as my assumption to date has been that I would want these things in a DMZ but not behind my LTMs.



Thanks in advance for any tips or pointers to additional reading.








11 Replies