cancel
Showing results for 
Search instead for 
Did you mean: 

Can someone take a look and make sure I understand this right about reverse proxy

yxorpesrever
Altostratus
Altostratus

Preface: Yes I know not a whole lot but I'm trying. If someone could just take a look at this and maybe it will help me find what piece I am missing.

We have an internal server that needs to be accessed on the outside, but they don't want it actually touching the internet so we run it through the BIG-IP F5 LTM. The internal IIS has an internal IP and an external IP assigned. The DNS entry is bound to the External IP address. A lot of what I setup has been copied from a currently working site that utilizes this exact same process.

From my understanding the connection "route" is as follows:

Internet-->ExtIP-->F5virtualIP-->IntIP

The External IP gets natted on the firewall to the F5 internal IP of the virtual server, and then the F5 virtual server is linked to the actual internal server IP. We have access rules in place to allow public access to the external IP as well as the F5 IP. There are NAT rules in place that *should* point anyone going to the external IP towards the F5 address, and then through that to the internal server.

There's an F5 rule in place that redirects from http to https as well. Internally, on my work PC, I can navigate to the site via it's FQDN. Externally though, I get a Not Secure Site message(we haven't gotten the cert in place yet so that is expected), but then after a while of trying to load, we receive an ERR_CONNECTION_RESET page and it can't load.

 

I feel like there is something I am missing but I just can't think of what it is. If anyone has any ideas I will be eternally grateful. Thank you in advance.

2 REPLIES 2

neeeewbie
MVP
MVP

I think you should check the tcpdump.

and you need check FW <> F5 traffic flow 

first . who sent reset packet ?

sec. compare internal PC pcap and external PC pcap

I think http redirect irule traffic does not forwarding external PC 

P_Kueppers
Cirrus
Cirrus

Ur understanding is right. 

Internet -> Ext IP (natted on firewall to virtual server IP F5) -> virtual IP F5 -> PoolMember (internal Server IP). You need to create two virtual servers. one with port 80 with the default irule for redirecting to 443. second virtual server with port 443 running with ssl cert within client-ssl profile. Maybe server-ssl profile if the internal server runs with https or withount server-ssl if it runs on http. 

maybe share some screenshots and we can try to find the error. external dns is working fine? ur landing on the right ip? there is so much to check.