dmz
4 Topics

Managing DMZ app servers behind the BigIP
Hey all, I'm just curious how some of you have designed your networks to load balance and secure your public apps, but still manage them with internal resources and tools (software, patching, security scans, etc.). Here's the scenario. BigIP has a switch hanging off of it, isolated DMZ environment, no other connection. Any web apps we're publishing we plug into that switch, build a virtual server, and we're off and running. Any resources the app server needs internally like DNS, directory services, etc. that it can initiate itself, it routes through the BigIP, which has an internal network interface and a route built in for that comm. One of the issues is any connection initiated from the internal network cannot reach that app server unless we build a virtual server for each service (RDP; monitoring and patching, which have multiple ports; security scans, even more ports). That can't be the right way to do it. I personally think we should have a separate DMZ switch hanging off the firewall, with a different interface on the app server dedicated to those management functions. It's much easier for me to write one rule in the FW for that access than create multiple VIPs for each server/service for management functions. Our BigIP is sitting alongside our FWs today, so any connections sourcing from the outside bypass those. I am toying with the idea of placing the BigIP behind the FWs once they're replaced with more robust appliances, but that has not happened yet. Just curious all, I appreciate the feedback. -GR
599 Views, 0 likes, 6 Comments

LTM - DMZ Routing
We have 2 VLANs set up for a specific partition on our LTM. One is for their production servers; the other is intended to act as a DMZ, as there is a particular server that needs a lot of ports opened to it from the Internet. To reduce the security risk of opening so many ports to the production network, another VLAN was created for this server to sit on. However, this server still needs to access select devices on their production network, but only using 1 port. How can I allow communication from the server in the DMZ to specific devices on their production network? Is setting up Layer 4 virtual servers the only way to achieve this without completely opening the communication between the two VLANs? Is there a way that I can allow communication between the 2 networks, but restrict what devices it has access to, without creating a virtual server for every device this server needs to communicate with on the production network? Any assistance is appreciated. Thank you.
403 Views, 0 likes, 3 Comments

Direction on how to connect LTM VE between internet and web server
I am interested in connecting a Big-IP LTM VE to the outside. Place web servers in the DMZ. Traffic from the outside hits the F5, and traffic to the pool of web servers will pass through a Firepower / Firewall. What I am not sure about is: if I assign an interface on the LTM a public address and assign that address to mywebservers.org, when traffic hits that interface on the LTM, how is it forwarded to the pool? Can I create a VIP for a self-IP address? The LTM is used internally. I SNAT, automap. Thanks in advance for any support. John
356 Views, 0 likes, 1 Comment

Guidance setting up a DMZ proxy for Citrix ShareFile
I am looking into setting up our F5 as the DMZ proxy for Citrix ShareFile. I have seen some discussions about some setting it up as a SAML IdP (with issues with SLO). Is an IdP necessary as part of the proxy for ShareFile? Does anyone else have experience using F5 APM with ShareFile, or can point to some F5 documentation for this? Thanks in advance for your help.
299 Views, 0 likes, 0 Comments