Forum Discussion

wilko_113503
Jun 06, 2011

Moving ASM to Standalone Configuration

Can anyone please assist me on this.



We have an existing HA Pair of 3600's running LTM and ASM on Version 9.4.8, we want to split the functionality and run ASM on an additional HA pair of 6400's on Version 10.



I have seen two methods, one in the deployment guides called Deploying the BIG-IP LTM with Multiple BIG-IP Applications Security Managers.pdf



The second being: sol9372 - Configuring BIG-IP ASM in transparent bridge mode




Can anyone point me in the right direction here on which would be the recommended path to achieve this?








4 Replies

  • I can tell you that we have something similar currently deployed. Our LTMs and ASMs are on separate hardware. Basically we run LTMs and ASMs in our DMZ and then LTMs on the internal network in front of the servers. So the traffic for an external facing web application hits the LTM, gets load balanced to an ASM and the ASM runs the traffic through policy, then sends the traffic to an internal LTM pool which load balances it to a server. This design has worked pretty well for us. Let me know if you have any specific questions.


  • Thanks so if you check page 3 on the deployment guide;



    Do you have something like this?



    So on your LTM you have all your Virtual servers defined "exterior" the traffic is then passed onto the ASM which runs its policy on the traffic, then sends traffic to an internal virtual server or pool back up to the LTM that then load balances to your web servers?



    Are your ASM's in an Active/Active setup behind the exterior Virtual server on the LTM?
  • Similar but actually our external and internal LTMs are physically separate devices. The externals live in a DMZ behind our firewall and the internals, obviously, live behind a firewall on our internal network.



    Yes our ASMs are both Active behind the external LTM.



    I guess it would depend how you feel about the security of VLANing if you wanted to use the design concept in this document. Personally I prefer the physical separation of the 2 LTMs. From a security perspective having the external LTM out in a DMZ allows us to only allow the ASMs access to the internal LTM. I would rather have the external traffic stop in the DMZ and be proxied by the ASM, that way the external requests are never directly going to a device on our internal network.


  • Thanks Mike



    We currently have LTM and ASM running on the same unit anyway but will take the security concern into consideration.



    Does anyone know if F5 are able to exchange the LTM licenses that the new units came with for ASM licenses?