Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

F5 Appliance and Tenant in the DMZ

HerrDrachen
Altocumulus
Altocumulus

‎26-Jun-2023 10:28

Good Afternoon, We are trying to implement an F5 appliance in the DMZ and I am probably not thinking about this correctly.  We think that the Data Interfaces (5.0 / 6.0) are LACP together into the DMZ switches.  The tenant we would like to deploy is fronting two web servers in the DMZ.  The web servers themselves have firewall fules to talk to the back-end servers.  Does the tenent or appliance need access to the internal network as well for load balancing purposes?  I am trying to find a good guide on this but I am missing some Google-Fu right now.

Labels:
0 Kudos
5 REPLIES 5

whisperer
Cumulonimbus
Cumulonimbus

‎26-Jun-2023 11:24

If the web servers route to internal resources via the firewall, then no issues as F5 is out of the path. However, if you are doing something like routing through the F5 and source NATing then of course the IP seen would be the F5. So depends on architecture.

 

0 Kudos

Mohamed_Ahmed_Kansoh
MVP
MVP

‎26-Jun-2023 16:11

Hi @HerrDrachen , 

To be able to help , Review with me ...
I have draw this diagram according your post and included info : 
DMZ_Flow.png

Am I correct in this flow ? 

Feel free to correct me , use this website to draw your design ( https://excalidraw.com/ ) 

Also 

What is the access that you mean ??

Looking forward hearning from you soon 🙂 

_______________________
Regards
Mohamed Kansoh
0 Kudos

Paulius
MVP
MVP

‎26-Jun-2023 20:53

@HerrDrachen Would you be able to provide a topology of your layout in order to better answer this question?

0 Kudos

HerrDrachen
Altocumulus
Altocumulus

‎27-Jun-2023 06:31

HerrDrachen_0-1687872573039.png

Here is a simple layout of the F5, network, vmware and VMs.  The client would hit the F5, go through the switches to the VMware Hosts, hit the VMs that are in the pool, do what it has to do and then come back out the F5.

0 Kudos

Mohamed_Ahmed_Kansoh
MVP
MVP
In response to HerrDrachen

‎27-Jun-2023 09:47

Hi @HerrDrachen , 
your Question here is : 
if f5 bigip appliance need access to reach ( VM 1 , VM 2 ) ? 
The answer (yes) but if the "DMZ Vmware" depending on Access rules which look like firewall policies rules. 
So in this case you need to open access from (f5 bigip appliance selfip) on the internal vlan to reach ( VM1 and VM2 ) Pool members through DMZ VMware.

Note you need to configure ( SNAT auto map on virtual server configuration properities ). 

this is my primary analysis , please let me know if I miss somthing and clarify it more for me   

_______________________
Regards
Mohamed Kansoh
0 Kudos
Copyright © 2023 Khoros, LLC