Forum Discussion
taro_107756
Nimbostratus
Nov 02, 2007
OneConnect: Security Consideration
The following description is in SOL6997.
"The BIG-IP LTM applies the source mask to the request, finds an eligible TCP connection, and aggregates the request from client B over the existing TCP connection created for client A."
Does this mean that the server-side connection is used simultaneously by client A and client B?
I want to separate user traffic for security reasons. Should I not use OneConnect?
Source mask cannot be used as a solution, because there is a reverse proxy on the client side and the source IP has been translated by PAT.
2 Replies
- Deb_Allen_18
Historic F5 Account
"Does this mean that the server-side connection is used simultaneously by client A and client B?"
Yes, that is correct.
"I want to separate user traffic for security reasons. Should I not use OneConnect?
Source mask cannot be used as a solution, because there is a reverse proxy on the client side and the source IP has been translated by PAT."
If that's the case, I'd say you should disable OneConnect.
/deb
- zafer
Nimbostratus
Hi Deb,
If I configure a OneConnect profile with network mask /24, what source IP address will I see in sniffed packets on the server side (between the BIG-IP and the servers)?
Why I ask this question:
The server has an access list; some clients can access the application, the others cannot.
If I configure the OneConnect profile with mask /24, sometimes I see forbidden.
When I look at the tcpdump on the client side, the source address exists in the server access list, but when I look at the server-side tcpdump I see a different source address.
What I understand is that F5 uses the first opened connection on the server side (when OneConnect is enabled), and the IP address can be different from the client address on the client side?
Regards,
zafer
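The reuse behaviour discussed in this thread can be shown with a small model. This is an added example, not part of any post and not F5 code: `OneConnectModel` and `server_acl_results` are hypothetical names, the addresses are constructed, and it assumes no SNAT and one request at a time, so the pooled connection is always idle when the next request arrives.

```python
import ipaddress


class OneConnectModel:
    """Simplified model: server-side connections are pooled per masked client IP."""

    def __init__(self, mask_bits):
        self.mask_bits = mask_bits
        # masked network -> source IP of the server-side connection opened for it
        self.idle = {}

    def _key(self, client_ip):
        # Apply the source mask to the client address (assumed pooling key).
        return ipaddress.ip_network(f"{client_ip}/{self.mask_bits}", strict=False)

    def send(self, client_ip):
        """Return the source IP the server sees for this client's request."""
        # Reuse an eligible connection if one exists; otherwise open a new one
        # whose source address is this client's address (no SNAT assumed).
        return self.idle.setdefault(self._key(client_ip), client_ip)


def server_acl_results(mask_bits, requests, allowed):
    """Replay requests in order; return (client, source seen by server, ACL pass)."""
    lb = OneConnectModel(mask_bits)
    results = []
    for client in requests:
        seen = lb.send(client)
        results.append((client, seen, seen in allowed))
    return results


if __name__ == "__main__":
    allowed = {"10.1.1.10"}  # constructed server access list
    cases = [
        (24, ["10.1.1.20", "10.1.1.10"]),  # allowed client rides a denied connection
        (24, ["10.1.1.10", "10.1.1.20"]),  # denied client rides an allowed connection
        (32, ["10.1.1.10", "10.1.1.20"]),  # host mask: no sharing between clients
    ]
    for mask, order in cases:
        print(f"mask /{mask}:")
        for client, seen, ok in server_acl_results(mask, order, allowed):
            print(f"  client {client} -> server sees {seen} -> "
                  f"{'allowed' if ok else 'forbidden'}")
```

With a /24 mask the outcome of a source-address access list on the server depends on which client opened the pooled connection first, which is why such a list cannot be relied on behind a shared connection.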
