Forum Discussion
bookbinder_1115
Nimbostratus
Sep 21, 2010
Using the F5 as a Reverse Proxy for RSA SecurID Self Service
Hey Everyone,
I am new to the F5 load balancer and iRules. From what I understand the F5 load balancer has the ability to act as a reverse proxy. In order to make the RSA device accessible from the web, I need to have a reverse proxy setup.
How can I do this using iRules? Does anyone have a template to use that would make doing this easier?
I have attached a link to RSA's documentation that shows the setup if you are using Microsoft ISA 2007. Hopefully this will help.
http://www.rsa.com/products/securid/specs/proxy_sever.pdf
Thanks!
21 Replies
- Chris_Miller
Altostratus
The device is essentially a reverse proxy out of box. Do you simply need to translate a public address to a private one? It seems like you should be able to make a Virtual Server on your F5 and have the SecurID box be a pool member.
- bookbinder_1115
Nimbostratus
Well, the address translation is the easy part.
I think the hard part is the rules for the URL rewriting. Let's say the internal address is:
https://HostName.Domain.com:7004/console-selfservice/
and I want the public URL to be written as:
https://rsa.website.com/
I would also need to make sure that any SSL certs that sit on the RSA server are honored and don't throw any errors and also that the replies back to the web browser follow the same formatting.
Thanks!
- Chris_Miller
Altostratus
Easy enough.
As long as you have the pool members listening on 7004, you don't need that part. You basically just need an iRule to rewrite the host/uri on the way to the server... Does the host header have to change as well as the URI or can the host stay the same?
- bookbinder_1115
Nimbostratus
I think the header can stay the same, but I would need to do some testing to be sure. Also, would you need to do anything special for the return traffic to be formatted correctly in the users' address bars? Is there a good guide to use when using re-write iRules? Thanks!
- hoolio
Cirrostratus
If the internal server is configured for https://HostName.Domain.com:7004/console-selfservice/ and the external URL they want to present is https://rsa.website.com/, I'd guess the host header needs to be rewritten. I wonder if only the / URI needs to be rewritten to /console-selfservice/ or all URIs need to have this string prepended.
You could either do this rewriting with ProxyPass or with a streamlined version which is more tailored to the exact requirements.
http://devcentral.f5.com/wiki/default.aspx/iRules/proxypass
http://devcentral.f5.com/wiki/default.aspx/iRules/proxypassv10
Aaron
- Chris_Miller
Altostratus
Time for me to finally read the proxypass wiki...
- Kirk_Bauer_1018
Altostratus
You beat me to it, Hoolio!
- moto32_63735
Nimbostratus
Anyone got this working?
- Claudio_Maroni_
Nimbostratus
Hi,
I do this with my BIGIP and ProxyPass11, but you cannot change port:
You can do this:
Private:
https://HostName.Domain.com:7004/console-selfservice/
Public:
https://rsa.website.com:7004/console-selfservice/
But no other changes in the URL are possible...
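
Added example, not part of the thread and not the ProxyPass iRule: a sketch of the "streamlined" rewrite discussed above, using the hostnames and path from the question. It assumes every public URI maps under /console-selfservice, that the server expects its own name and port in the Host header, and that the virtual server has client SSL and server SSL profiles so the HTTP events see decrypted traffic.

```tcl
when HTTP_REQUEST {
    # Remember the public host (rsa.website.com) for the response side.
    set public_host [HTTP::host]
    # Assumption: all URIs are prepended, not only "/".
    if { not ([HTTP::uri] starts_with "/console-selfservice") } {
        HTTP::uri "/console-selfservice[HTTP::uri]"
    }
    # Present the internal name and port to the RSA server.
    HTTP::header replace Host "HostName.Domain.com:7004"
}

when HTTP_RESPONSE {
    if { [HTTP::header exists Location] } {
        set loc [HTTP::header value Location]
        set internal "https://hostname.domain.com:7004"
        set prefix "/console-selfservice"
        # Strip the internal scheme, host and port from absolute redirects
        # so they never reach the browser's address bar.
        if { [string tolower $loc] starts_with $internal } {
            set loc [string range $loc [string length $internal] end]
        }
        # Redirects to other hosts do not start with "/" and pass unchanged.
        if { $loc starts_with "/" } {
            # Drop the application prefix that HTTP_REQUEST adds back.
            if { $loc starts_with "$prefix/" } {
                set loc [string range $loc [string length $prefix] end]
            }
            HTTP::header replace Location "https://$public_host$loc"
        }
    }
}
```

This rewrites only request lines and redirect headers. Absolute links or the internal hostname inside response bodies and cookie paths are not touched and would need separate handling.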