Using LTM to Balance LDS

Question

Hi,  
&nbsp;   Trying to use LTM to provide load balancing for an LDS ldap.  &nbsp;
&nbsp;Having issues however as after the client has performed a successful bind the client it then trying to initiate a direct connection to the lds node that the LTM has sent the traffic.  &nbsp;
&nbsp;We've been successfully using this in our green zone for a couple of years and not noticed this behaviour,  however after recently moving one of our client devices into our DMZ Redzone and exposing only the F5 VIP.  The resulting failure to connect has been a major headache.  &nbsp;
&nbsp;Any advice on what to do or where else to search would be appreciated. Google searches thus far all point to using MS NLB which I'm reluctant to do. &nbsp;
&nbsp;The config is very simple.   
&nbsp;2 node pool running replicated LDS instance in our Green zone on std LDAP ports.  VIP defined with fastest node response as LB method and source ip for persistance. &nbsp;&nbsp;
&nbsp;Thanks in advance&nbsp;&nbsp;

dayne_miller_19 · Answer

Hi Brent- 
&nbsp;  
&nbsp; This is a fairly common topology problem for a number of applications and services, and is not specific to F5 BIG-IP. However, we might be able to offer you some solutions. 
&nbsp;  
&nbsp; The issue exists because many applications/services include information about themselves in their responses. In this case, it seems that the LDS service includes the IP address of the LDS host, which the client then tries to contact directly. (More advanced applications, including Exchange Server and Remote Desktop Services, have a configurable value that they can return, usually set to the the FQDN associated with the appropriate virtual server on whatever load-balancing solution is being used.) 
&nbsp;  
&nbsp; You basically have three options, two of which involve the BIG-IP configuration: 
&nbsp;  
&nbsp; 1) You can set up routes and firewall rules such that clients are able to contact the LDS servers directly through your existing network infrastructure. 
&nbsp; 2) You can use the BIG-IP in a way that it's essentially a router. In other words, rather than having a client route to the "green zone" through your existing routers/firewalls, route that traffic to the BIG-IP. Configure a Forwarding (IP) virtual server on the BIG-IP, with the Destination set to the "green zone" subnet. 
&nbsp; 3) Use BIG-IP "route domains" to configure the IP addresses of the LDS servers as virtual servers on the BIG-IP in one route domain, and the actual LDS servers as pool members in a second route domain. There are some topology changes in your network that would be required for route domains to work properly and the exact configuration is probably beyond the scope of this reply, but if you think you might want to take that approach I can provide some additional information. 
&nbsp;  &nbsp;

Forum Discussion

Using LTM to Balance LDS

Recent Discussions

F5 looses the token for the first call

iRule - Url rewrite and header replace and pool selection not working

Switch ssl profile based on weak cipher detection via IRULE

full-proxy HTTP2

Decode ObjectSID from Base64-encode string

Related Content

Load Balancing Method to use

Big-IP LTM VE load balance configuration

Load Balance between two ISPs Using LTM .

Persistence profile - How will I use source address affinity based load balancing?

load balance using http methods

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS