For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

BinaryCanary_19's avatar
BinaryCanary_19
Historic F5 Account
Mar 05, 2014

If you're dealing with exchange, this command is important for your snat:

snat $static::snat_exch2007([expr {[crc32 [IP::client_addr]] % [array size static::snat_exch2007]}])

The reason why is that RPC in particular, will require re-authentication if a client IP changes midstream. Since RPC clients can open up to 10 connections to the same server, it is important that each of these connections has the same source IP, otherwise the session may fail completely.

If you do not use that command for snatting, then subsequent requests from the same client may get a different IP address from the snatpool, and your service may fail.

Also, if your HTTP application requires reauthentication if a session's IP addresss changes, the command serves the same purpose.

Finally, make sure to put the IP addresses you use inside a snatpool, otherwise the F5 will not answer ARP traffic for those addresses, and your service will not function correctly.

mmory09_63087's avatar
mmory09_63087
Icon for Nimbostratus rankNimbostratus
Mar 05, 2014
Exactly right. That command is required if the snatpool has a few members but shouldn't be an issue if its a single member. The challenge for me is how I can include that in the selective irule below. when CLIENT_ACCEPTED { snat $static::snat_exch2007([expr {[crc32 [IP::client_addr]] % [array size static::snat_exch2007]}]) } when LB_SELECTED { if {[IP::addr "[IP::client_addr]/24" equals "[LB::server addr]/24"]} { snatpool snat_exch2007 } }