Forum Discussion

drhawkings_2156
May 04, 2010

LTM migration for Proxy, Anti-Spam and web servers

Can anyone advise on the configuration of LTM for Proxy, Anti-Spam and web servers?

The objective is to load balance server traffic or active/passive.

Attached is the diagram.

The confusion is whether or not to apply SNAT for inbound and outbound traffic.

 

  • The F5 LTM is a Proxy.

    Anti-Spam? I'm not sure how to speak to that. I'm not sure if the F5 can do anything about that.

    Active Passive Load Balancing

    There are many different ways to accomplish this on the F5 LTM. It really depends on how you want to do it.

    I generally use Priority Activation Groups. See this thread and see if it helps:

    http://devcentral.f5.com/Community/GroupDetails/tabid/1082223/asg/52/afv/topic/aft/1172236/aff/31/showtab/groupforums/Default.aspx

    SNAT

    SNAT is used to change the Source IP of a connection to that of the F5 Load Balancer, usually to force the L3 return path for response traffic through the load balancer when routing from the real server back to the client's real address would bypass the load balancer (also called a Broken Route). (Since traffic is destination NAT'd in most load balancing scenarios, the response must traverse the load balancer to reverse that translation, and SNAT is one way to enforce that return path.)

    http://devcentral.f5.com/Wiki/default.aspx/AdvDesignConfig/SNAT.html

    The shorter answer of when and when not to use SNAT:

    Is the Destination Server on a Subnet Owned by the F5?

    - If Yes, SNAT'ing is NOT required.
    - If No, Enable SNAT'ing.

    Does the Server Generate Traffic to a different server on the same Subnet? (You will generally see this when a Website is configured to use a Web Service.)

    - If Yes, Enable SNAT'ing.
    - If No, SNAT'ing is NOT required.

    When in doubt... Enable SNAT. The only thing that you will lose by Enabling SNAT'ing is the Source IP Address of the incoming Client connections (but you can get around that too by enabling X-Forward).
  • In addition to Michael's helpful comments...

    LTM can act as a reverse proxy for TCP and other protocols. It cannot act as a web proxy for HTTP/S.

    F5 provides the Message Security Module for blocking blacklisted or disreputable source IP addresses for SMTP. See the product page on F5's main site for more details:

    http://www.f5.com/products/big-ip/feature-modules/message-security-module.html

    Aaron
  • And all inbound connection or client connection source IP addresses (example 10.10.10.10) must not change. Otherwise the proxy server cannot see the client IP. Same goes for the Anti-Spam server.

    Since the Anti-Spam and Proxy servers hide behind the LTM, all outbound connections must change to use the LTM virtual server IP address, which is 192.168.1.4 for Anti-Spam and 10.7.2.2 for the Proxy server.

    Is there anything wrong with this implementation?

    Can I implement SNAT only for outbound connections (return traffic) from Proxy/Anti-Spam to LTM? Original traffic from LTM (which originates from the user) to Proxy/Anti-Spam only needs to be load balanced. No translation of the Source IP is needed. Only DestNAT, since the LTM needs to LB to the server.

    Is this possible?

  • If you don't have to use SNAT'ing, I wouldn't.

    If the F5 owns the subnets that these devices live on (192.168.1.4 for Anti-Spam and 10.7.2.2 for Proxy server), then you do not need to enable SNAT, and no source translation will be required. That would be the optimal setup.

    If you must use SNAT and you have Applications that require the Client IP Address, then you will need to configure X-Forward.
  • Does that mean that SNAT natted the client IP address (direction of traffic from client to F5, which means ingress to F5)? Or

    natted the server pool IP address, which means egress from F5 (traffic from server pool to F5)?
  • Client (10.10.10.10) to F5 Load Balancer (20.20.20.20) to Server (30.30.30.30)

    When SNAT is Enabled the Server will never see the Client IP Address. All incoming traffic to the Server appears to be coming from the F5 Load Balancer (20.20.20.20), and all responses to the Client also appear to be coming from the F5 Load Balancer as well.

    I wouldn't try translating it into Ingress and Egress since you are talking about two separate conversations from the perspective of the F5 (Client to F5 - Ingress/Egress and F5 to Server - Ingress/Egress).

    Does this make more sense?
  • You can do away with SNAT if you create a self IP and floating IP on the LTM. This means you'll need 3 IPs per inside VLAN - one for the active unit, one for the standby unit and one floating IP across both units (provided you have an HA setup).

    The real machines that you are load balancing behind the F5 will then have their gateway changed to the floating IP and, because you're not using SNAT, the real machines will see the src address as that of the client. Return traffic will also go back via the LTM because you've set the real machine's default gateway to the floating IP. Once again, documentation for network related stuff to do with the F5 is pretty poor and we only found out about avoiding SNAT through a colleague who had been working with F5s for many years.

    Hope that helps...

    Andy
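The thread's three points (Michael's "broken route" explanation and his two SNAT questions, the 10.10.10.10 / 20.20.20.20 / 30.30.30.30 walk-through, and Andy's floating-IP default gateway alternative) can be tied together in a small routing model. The following is an added example written for this page, not code from the thread or from F5; the VIP and client addresses come from the thread, while the server-side subnet `30.30.30.0/24`, the LTM floating IP `30.30.30.1`, the non-LTM router `30.30.30.254` and the second client `30.30.30.40` are constructed. The check that a client only accepts a reply from the address it connected to is a simplification of TCP behaviour used to make the asymmetric-routing failure visible.

```python
"""
Constructed model of the SNAT return-path problem discussed in the thread.
Added example, not F5 code. Addresses other than 10.10.10.10, 20.20.20.20
and 30.30.30.30 are assumptions chosen for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    xff: Optional[str] = None  # X-Forwarded-For value, if the LTM inserted one


@dataclass
class LTM:
    vip: str                        # virtual server address the client connects to
    floating_ip: str                # floating self IP on the server-side VLAN (assumed)
    owned_subnets: Tuple[str, ...]  # subnets the LTM has a self IP on
    snat: bool                      # SNAT enabled on the virtual server
    insert_xff: bool = False        # HTTP profile inserts X-Forwarded-For

    def owns(self, ip: str) -> bool:
        return any(ip_address(ip) in ip_network(n) for n in self.owned_subnets)

    def to_member(self, pkt: Packet, member_ip: str) -> Packet:
        """Always destination-NAT to the pool member; source-NAT only if enabled."""
        xff = pkt.src if self.insert_xff else None
        src = self.floating_ip if self.snat else pkt.src
        return Packet(src, member_ip, xff)

    def to_client(self, client_ip: str) -> Packet:
        """Reverse both translations so the client sees a reply from the VIP."""
        return Packet(self.vip, client_ip)


@dataclass
class Server:
    ip: str
    subnet: str           # directly connected subnet
    default_gateway: str

    def reply(self, request: Packet) -> Tuple[Packet, str]:
        """Reply to whatever source it saw; return the packet and its next hop."""
        dst = request.src
        on_link = ip_address(dst) in ip_network(self.subnet)
        return Packet(self.ip, dst), (dst if on_link else self.default_gateway)


def simulate(ltm: LTM, server: Server, client_ip: str) -> Dict[str, object]:
    request = Packet(client_ip, ltm.vip)
    fwd = ltm.to_member(request, server.ip)
    reply, next_hop = server.reply(fwd)
    # The reply passes through the LTM if it is addressed to the LTM (SNAT case)
    # or if the server's next hop is the LTM floating IP (Andy's gateway setup).
    via_ltm = reply.dst == ltm.floating_ip or next_hop == ltm.floating_ip
    delivered = ltm.to_client(client_ip) if via_ltm else reply
    # A client only accepts a reply from the address it connected to; a reply
    # arriving straight from 30.30.30.30 is the "broken route" Michael describes.
    return {
        "server_sees_src": fwd.src,
        "x_forwarded_for": fwd.xff,
        "reply_via_ltm": via_ltm,
        "client_accepts": delivered.dst == client_ip and delivered.src == ltm.vip,
    }


def snat_needed(ltm: LTM, server: Server, talks_to_same_subnet_peer: bool) -> bool:
    """Michael's two questions as stated in the thread. The first one assumes
    the members route replies back through the LTM (gateway = floating IP)."""
    if not ltm.owns(server.ip):
        return True
    return talks_to_same_subnet_peer


def scenarios() -> Dict[str, Dict[str, object]]:
    owned = ("30.30.30.0/24",)  # assumed server-side VLAN the LTM has a self IP on
    no_snat = LTM("20.20.20.20", "30.30.30.1", owned, snat=False)
    with_snat = LTM("20.20.20.20", "30.30.30.1", owned, snat=True, insert_xff=True)
    gw_is_ltm = Server("30.30.30.30", "30.30.30.0/24", "30.30.30.1")
    gw_is_router = Server("30.30.30.30", "30.30.30.0/24", "30.30.30.254")
    return {
        # default gateway is the LTM floating IP: no SNAT needed, client IP preserved
        "gateway_is_ltm": simulate(no_snat, gw_is_ltm, "10.10.10.10"),
        # server routes the reply around the LTM: broken route
        "broken_route": simulate(no_snat, gw_is_router, "10.10.10.10"),
        # SNAT forces the reply back to the LTM; X-Forwarded-For keeps the client IP
        "snat_fixes_it": simulate(with_snat, gw_is_router, "10.10.10.10"),
        # a peer on the member's own subnet replies directly, bypassing the LTM
        "same_subnet_peer": simulate(no_snat, gw_is_ltm, "30.30.30.40"),
        "same_subnet_peer_snat": simulate(with_snat, gw_is_ltm, "30.30.30.40"),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:22s} {result}")
```

The `same_subnet_peer` scenario is Michael's second question in action: without SNAT the member replies straight to a neighbour on its own VLAN, the LTM never sees the reply, and the neighbour receives a packet from an address it never connected to. The `snat_fixes_it` scenario shows the trade-off he names: the member now sees `30.30.30.1` as the source, and only the inserted `X-Forwarded-For` header carries `10.10.10.10`.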