I may not have connected the dots fully on the security requirements, but to the last qn: The system does not allow us to create a self IP and add it as a pool member. So one way to direct requests from a VS to a self IP is through a Forwarding virtual server with the same IP address as the SelfIP. The forwarding VS can have the configuration described in the UDP VS in Overview of IP forwarding virtual servers (f5.com)
I'll describe the actual scenario so it makes more sense: We currently have an old cisco router providing NTP services for our client network running over 900 terminals. The router is unfortunately on its last legs due to age and needs to be taken out of the network.
The plan is to configure the router's IP address as a VS on the F5 and have it do NTP without having to reconfigure the terminals individually.
The security contraint i mentioned is that the primary NTP servers behind the F5 are only reachable via tha management interfaces and are on a completely separate network, so i can't use it as a pool as it won't be reachable.
Was hoping there was a way to do a combination of NAT or rerouting that can be done on just the F5 so that I avoid having to stick NAT somewhere upstream.
I was able to configure big-ip as an NTP server taking requests through the VS forwarding to the SelfIP. And through the managment interface sync with a 'lower numbered stratum' NTP server. I didn't need this in my environment, but this may be useful.