Forum Discussion

aj11's avatar
aj11
Icon for Nimbostratus rankNimbostratus
May 03, 2017

Access multiple non-standard ports on the server through a single VIP - can you do it, and how?

If a client is trying to connect to alternate services on a server through a VIP on a non-standard port, where one is already used, how would you go about setting this up? For example, as it currently stands, DNS points 'mysubdomain.mydomain.com' to a VIP IP address configured on the F5, and for it, there is an http to https redirect which sends 443 requests to a non-standard port on the hosts in the pool (ex: 8080). Lets say a client needs to access to 2 different services available on other ports listening on the servers - TCP 65000 and 65001, for example, but using the url 'mysubdomain.mydomain.com' (if possible). If the firewall in front allows traffic from the sources to the VIP address on ports 65000/65001, how would you configure this on the F5? From the client side, is it simply accessed in a browser using 'mysubdomain.mydomain.com:65001'? Would the 'https://' or 'http://' prefix be needed? (ex: 'https://mysubdomain.mydomain.com:65000' ... I'm not sure yet if access will be requested via browser or CLI/script, but I'm curious how it would work) Would this be a separate VIP? Policy and/or iRule?

 

5 Replies

  • There are many ways to do this. Can you help by picking a specific use case. There are some smart folks on here that can then dive into at a deeper level.

     

    -=Bhattman=-

     

  • I am hoping that i got it correctly. You can Configure multiple Virtual Servers using Same Virtual IP address like 1.1.1.1:80 send the traffic on port 8080 and another virtual 1.1.1.1:65000 send it on same port or translate the port as per requirement and same way configure another virtual IP address.

     

    HTTP or https is basically as per our requirement. Lets say that you want to configure https for port 65000 apply client side https profile to offload that traffic or pass through with just tcp profile without http profile.

     

    • Subrun's avatar
      Subrun
      Icon for Cirrostratus rankCirrostratus

      Can you share if you have done this using LTM Policy or iRules ? And share an example of syntax ?

  • The safest way is to create multiple Virtual Servers, all for the same IP address, each with different ports, and with different pools pointing at the appropriate server-side port on the pool member. It's easy, fast and it works.

     

    > From the client side, is it simply accessed in a browser using 'mysubdomain.mydomain.com:65001'?

     

    Yes.

     

    > Would the 'https://' or 'http://' prefix be needed?

     

    The http:// prefix tells the browser to use the default http port (80) without TLS encryption.

    The https:// prefix tells the browser to use the default https port (443) with TLS encryption.

    If you override the port in the URI, then https:// or http:// specifies whether TLS encryption is used by the browser or not.

    So using TLS depends on either the virtual server (client-ssl profile or not) or the pool member service listening on the target port (if the virtual server is a passthrough).

     

    You should not need any irules or LTM Policy.

     

    If you use an :any virtual server (all ports) you need another mechanism for control (maybe to block port 22 for sshd, and port 23 for telnet, and ...). You also need complex mechanisms (like irules or LTM policy) to allow for server-side port translation, pool selection, client-side and server-side SSL profiles. It can be done, but there are generally better solutions.