Hi Brent-
This is a fairly common topology problem for a number of applications and services, and is not specific to F5 BIG-IP. However, we might be able to offer you some solutions.
The issue exists because many applications/services include information about themselves in their responses. In this case, it seems that the LDS service includes the IP address of the LDS host, which the client then tries to contact directly. (More advanced applications, including Exchange Server and Remote Desktop Services, have a configurable value that they can return, usually set to the FQDN associated with the appropriate virtual server on whatever load-balancing solution is being used.)
You basically have three options, two of which involve the BIG-IP configuration:
1) You can set up routes and firewall rules such that clients are able to contact the LDS servers directly through your existing network infrastructure.
2) You can use the BIG-IP in a way that it's essentially a router. In other words, rather than having a client route to the "green zone" through your existing routers/firewalls, route that traffic to the BIG-IP. Configure a Forwarding (IP) virtual server on the BIG-IP, with the Destination set to the "green zone" subnet.
3) Use BIG-IP "route domains" to configure the IP addresses of the LDS servers as virtual servers on the BIG-IP in one route domain, and the actual LDS servers as pool members in a second route domain. There are some topology changes in your network that would be required for route domains to work properly and the exact configuration is probably beyond the scope of this reply, but if you think you might want to take that approach I can provide some additional information.