Using LTM as a forwarder for internet originated traffic (reverse proxy)

Question

I have a scenario where a BIG IP appliance is bound to the corporate network, say 10.10.10.0/24. It is performing APM tasks like NTLM authentication and SAML single sign on. This appliance is next to our corporate services and I don't want to change this as 90% of the traffic will be initiated from the internal network.&nbsp;
We have a perimeter environment that we use, basically a DMZ, where I have an existing LTM appliance pair, say 10.199.10.0/24. There are SNATs from the internet to virtual server IPs on that network. On this LTM I already have virtual servers that communicate with 10.10.10.0/24 nodes over TCP 443. So really what I would like to do is change one of these virtual servers to an IP forwarder to forward to my APM enabled virtual servers on 10.10.10.0/24.&nbsp;
Is this something that is possible?&nbsp;

thomas_gobet · Answer

Hi,&nbsp;
Do you want to keep the functionality of a virtual server ?
Because you can do multiple things here, I'll list 2 of them only (better ones for me)&nbsp;
Make a ip forwarder virtual server (you'll loose the http traffic vision)Keep your virtual server and set the APM IP as a pool member

rabbit23_116296 · Answer

Thanks I have tried both options so far with no luck, the APM IP is 10.10.10.222&nbsp;
On the LTM in the DMZ I've tried option 1 and then set up a simple iRule and attached it to the forwarder:&nbsp;
when CLIENT_ACCEPTED {node 10.10.10.222}&nbsp;
Trying option 2 with it being a "Standard" virtual server with the APM IP address as a pool member does not work either (even if I attach a simple HTTPS monitor which indicates the member is reachable)&nbsp;

thomas_gobet · Answer

Did you apply SNAT, or does your APM know how to route back the traffic through your LTM ?&nbsp;

rabbit23_116296 · Answer

There's no SNAT but yes as you say I probably need networks to configure a route back to the APM's floating IP?&nbsp;

rabbit23_116296 · Answer

correction meant the LTM's floating IP&nbsp;

F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

Using LTM as a forwarder for internet originated traffic (reverse proxy)

6 Replies

F5 Container Ingress Services (CIS) and using k8s traffic policies to send traffic directly to pods

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

can't access on prem dns when using F5LTM as a gateway

Issue with TLS Version 1.1 Deprecated Protocol

Service discovery is not happening in AS3

Load balanced RDP VIP use in APM

Deleting an AS3 Tenant

Related Content

F5 Distributed Cloud Origin Server Subset Rules

Automating F5 Licensing - without direct internet access

Create an Internet exposed HTTPS Load-Balancer on Volterra with Terraform (Origin handled by a Volterra node)

Protect an application exposed on Internet with F5 XC WAAP

F5 Distributed Cloud - Mitigation for Cross Tenant Origin Exposure (CTOE)

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS