Forum Discussion
bookbinder_1115
Nimbostratus
NimbostratusUsing the F5 as a Reverse Proxy for RSA SecurID Self Service
Hey Everyone,
I am new to the F5 load balancer and iRules. From what I understand the F5 load balancer has the ability to act as a reverse proxy. In order to make the RSA device accessible from the web, I need to have a reverse proxy setup.
How can I do this using iRules? Does anyone have a template to use that would make doing this easier?
I have attached a link to RSA's documentation that shows the setup if you are using Microsoft ISA 2007. Hopefully this will help.
http://www.rsa.com/products/securid/specs/proxy_sever.pdf
Thanks!
- Chris_Miller
Altostratus
The device is essentially a reverse proxy out of box. Do you simply need to translate a public address to a private one? It seems like you should e able to make a Virtual Server on your F5 and have the SecurID box be a pool member. 
bookbinder_1115Well, the address translation is the easy part.
I think the hard part is the rules for the URL rewriting. Lets say the internal address is:
https://HostName.Domain.com:7004/console-selfservice/
and I want the public URL to be written as:
https://rsa.website.com/
I would also need to make sure that any SSL certs that sit on the RSA server are honored and don't throw any errors and also that the replies back to the web browser follow the same formatting.
Thanks!- Chris_MillerEasy enough.
As long as you have the pool members listening on 7004, you don't need that part. You basically just need an iRule to rewrite the host/uri on the way to the server...Does the host header have to change as well as the URI or can the host stay the same? - bookbinder_1115I think the header can stay the same, but I would need to do some testing to be sure. Also, would you need to do anything special for the return traffic to be formatted correctly in the users address bars? Is their a good guide to use when using re-write iRules? Thanks!
hoolioCirrostratus
If the internal server is configured for https://HostName.Domain.com:7004/console-selfservice/ and the external URL they want to present is https://rsa.website.com/, I'd guess the host header needs to be rewritten. I wonder if only the / URI needs to be rewritten to /console-selfservice/ or all URIs need to have this string prepended.
You could either do this rewriting with ProxyPass or with a streamlined version which is more tailored to the exact requirements.
http://devcentral.f5.com/wiki/default.aspx/iRules/proxypass
http://devcentral.f5.com/wiki/default.aspx/iRules/proxypassv10
Aaron- Chris_MillerTime for me to finally read the proxypass wiki...
Kirk_Bauer_1018You beat me to it, Hoolio!- moto32_63735Anyone got this working?
- moto32_63735Anyone got this working?
Claudio_Maroni_Hi,
i do this with my BIGIP and ProxyPass11, but you cannot chanche port:
You can do this:
Private
https://HostName.Domain.com:7004/console-selfservice/
Public:
https://rsa.website.com:7004/console-selfservice/
But no other changes in the URL are possibile...
