Forum Discussion
Chris_Stamm_183
Nimbostratus
Aug 10, 2005
RPC load balancing among multiple tiers using iRules, pools and forwarding
Scenario:
We have an app that uses...
TCP port 7496 for one piece.
TCP port 3372 for another piece.
TCP port 135 for DTC that will renegotiate a high port in this case we set the RPC rang...
Chris_Stamm_183
Nimbostratus
Aug 12, 2005
I think what is happening is that since the VIP is configured with an IP address and port set to 0, the BigIP completes the three-way handshake to any incoming request, and if it matches one of my ports it does the load balance or forward depending on my rule. My reason for this thought is that if I telnet from a device on the external VLAN to the VIP (also on external VLAN) on port 3389, the connect happens, but if I actually run Terminal Services client that uses 3389 it doesn't actually send it to a device on the internal VLAN. I also did some random ports that I know no internal VLAN machines would be listening on, and all of them completed the three-way handshake with the BigIP.
It is a little misleading since I would normally expect any connection not on the specific ports to be dropped.
Do you know of a way to do a drop, deny, reject or something of that nature so that the BigIP will not answer TCP connections aside from the ones in the iRule?
Perhaps it is the CLIENT_ACCEPTED that is the source of the answer-any-TCP-request. Is there a CLIENT_REQUEST or something that looks at the port number before connection is made and then truly drops/discards so that a TCP connection cannot be made on any port?