Forum Discussion

Pawel_Walczak_7
Jul 30, 2008

How to load balance transparent devices (SMTP transparent proxy)

Hello,

I wonder how to load balance a group of SMTP antispam scanners which are working in transparent bridge mode.

I need to have a solution to transparently scan all SMTP traffic going through LTM and then transparent SMTP appliances.

What is the best way to do this?

Thanks for any help.

3 Replies

  • Just an idea, I did not think about it too much: what about running each bridge device in a separate VLAN and making virtual IPs behind the bridging devices? Something like this:

    VIP MX has a pool of nodes AC1, AC2, AC3 and AC4; these are each in a different VLAN, each containing one bridging device, which forces LTM to push traffic through the given bridging device. AC1-4 are VIPs, each having a pool of internal SMTP servers.

    To solve:

    - is it possible to use one F5, or are an external and an internal one needed? The easiest way is to have two of them, with the inbound VIP on the external and the AC VIPs on the internal. The same on the way out.

    - monitoring of bridging devices.
  •
    Paul_Szabo_9016
    Historic F5 Account
    First stab, it should be just like load balancing anything else, except turn IP address translation off. The BIG-IP will translate the MAC address (and vlan) but otherwise leave the L3-L4 headers relatively untouched. If you are further LBing some servers behind it you can use a nexthop pool to LB the transparent proxies while the IP address translation gets you to the desired end server.

    Except you may want to touch some L4 information when LBing transparent devices. See RFC 2101 for some hints. Your transparent proxies are masquerading the same client address to the back end servers; the servers could get unhappy when they see timestamps or sequence numbers go backwards because the client went through two different transparent proxies. Very hard to debug, the connections just stall and many OSes don't even have the right counters to debug this. You just turn on timestamp re-writes if using fastL4 on the BIG-IP and you should be okay. (Full proxy won't have this issue, and sequence numbers are always re-written.)

    I'm assuming you don't need any session persistence (e.g. email from the same client goes through the same SMTP transparent proxy). If so then you'll need some sort of persistence.

    Paul
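Paul's timestamp point, as an added example that is not code from the thread or from F5: a Python model of one client's SMTP connections spread round-robin over two transparent proxies whose TCP timestamp clocks differ. The server caches the newest TSval it has seen per peer address (the behaviour Linux's tcp_tw_recycle had) and drops a SYN whose timestamp goes backwards, which is the silent stall Paul describes; with the load balancer rewriting TSval to its own clock, every connection is accepted. The proxy names AC1/AC2, the 50-second clock skew, the client address and the LB clock base are constructed values.

```python
# Added example (not from the thread or from F5): model of the
# "timestamps go backwards" stall when one client's connections are spread
# over transparent proxies that each stamp segments with their own clock.
from dataclasses import dataclass, field

TS_MOD = 1 << 32  # TCP timestamp values are 32-bit (RFC 7323)


def ts_before(a: int, b: int) -> bool:
    """True if 32-bit timestamp a is older than b (modular comparison)."""
    return ((a - b) % TS_MOD) >= TS_MOD // 2


@dataclass
class TransparentProxy:
    name: str
    clock_offset_ms: int  # each box booted at a different time, so its TSval clock differs

    def tsval(self, now_ms: int) -> int:
        return (now_ms + self.clock_offset_ms) % TS_MOD


@dataclass
class Server:
    """Caches the newest TSval per peer IP and rejects SYNs whose TSval goes backwards."""
    ts_recent: dict = field(default_factory=dict)
    accepted: list = field(default_factory=list)
    dropped: list = field(default_factory=list)

    def syn(self, peer_ip: str, tsval: int, label: str) -> bool:
        last = self.ts_recent.get(peer_ip)
        if last is not None and ts_before(tsval, last):
            self.dropped.append(label)  # silently discarded: the client just sees a stall
            return False
        self.ts_recent[peer_ip] = tsval
        self.accepted.append(label)
        return True


def simulate(rewrite_timestamps: bool, connections: int = 4) -> Server:
    """Round-robin one client's SMTP connections over two proxies, 1 s apart.

    With rewrite_timestamps=True the load balancer substitutes its own
    monotonic clock for each proxy's TSval before forwarding to the server.
    """
    proxies = [TransparentProxy("AC1", 0), TransparentProxy("AC2", 50_000)]
    server = Server()
    client_ip = "203.0.113.10"  # constructed; address translation is off, so the server sees it
    lb_clock_base = 1_000_000   # constructed: the load balancer's own timestamp clock
    for i in range(connections):
        now_ms = i * 1000
        proxy = proxies[i % len(proxies)]
        tsval = proxy.tsval(now_ms)
        if rewrite_timestamps:
            tsval = (lb_clock_base + now_ms) % TS_MOD
        server.syn(client_ip, tsval, f"conn{i}-via-{proxy.name}")
    return server


if __name__ == "__main__":
    for mode in (False, True):
        s = simulate(rewrite_timestamps=mode)
        print(f"rewrite={mode}: accepted={s.accepted} dropped={s.dropped}")
```

Without rewriting, the third connection (back through AC1, whose clock is 50 s behind AC2) arrives with a TSval older than the server's cached value and is dropped; the same run with rewriting accepts all four. The per-peer cache is what makes this a load-balancing problem: a single flow never changes proxy, but consecutive flows from one masqueraded address do.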
  •
    Paul_Szabo_9016
    Historic F5 Account
    Whups, I see you said "transparent bridge mode". I now think you mean that literally; then it's not touching the packets, and it's not a transparent proxy. I guess the "bridge" part would be a clue...

    Sorry about that, I need to stop posting at midnight.

    I'm generally not fond of completely transparent inspection systems; it's possible to fool them by making headers cross packet boundaries or by finding other holes in the stream reconstruction process used by the transparent device, allowing bad stuff to slip through.

    That critique aside, the previous reply is probably the right way to go (separate VLANs). This avoids bridge loops.

    must.go.to.bed.now.

    Paul