security architecture
Managing DMZ app servers behind the BigIP
Hey all, I'm just curious how some of you have designed your networks to load balance and secure your public apps, but still manage them with internal resources and tools (software, patching, security scans, etc.).

Here's the scenario. BigIP has a switch hanging off of it, isolated DMZ environment, no other connection. Any web apps we're publishing we plug into that switch, build a virtual server, and we're off and running. Any resources the app server needs internally like DNS, directory services, etc. that it can initiate itself, it routes through the BigIP, which has an internal network interface and a route built in for that comm.

One of the issues is any connection initiated from the internal network cannot reach that app server unless we build a virtual server for each service (RDP, monitoring and patching which has multiple ports, security scans even more ports). That can't be the right way to do it. I personally think we should have a separate DMZ switch hanging off the firewall with a different interface on the app server dedicated to those management functions. It's much easier for me to write one rule in the FW for that access than create multiple VIPs for each server/service for management functions.

Our BigIP is sitting alongside our FWs today, so any connections sourcing from the outside bypass those. I am toying with the idea of placing the BigIP behind the FWs once they're replaced with more robust appliances, but that has not happened yet.

Just curious all, I appreciate the feedback.

-GR
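For readers weighing the per-service VIP approach the post describes, the BIG-IP object that collapses all of those management VIPs into one is a forwarding (IP) virtual server that routes packets unchanged rather than proxying them. The bigip.conf fragment below is an added example, not configuration from the original post; the subnets, VLAN names and object name are constructed assumptions, and it presumes the DMZ servers already route back to the internal subnet via the BIG-IP, as the post says they do.

```tmsh
# Added example (not from the original post). All addresses, VLAN and object names
# are constructed. Load with: tmsh load sys config merge from-terminal
#
# DMZ server subnet (constructed):        10.20.0.0/24 on VLAN "dmz"
# Internal management subnet (constructed): 10.10.5.0/24 arriving on VLAN "internal"
#
# One ip-forward virtual server covers RDP, monitoring, patching and scanning for
# every server in the DMZ subnet. The "source" restriction and "vlans" binding are
# the least-privilege controls: only packets from the management subnet arriving
# on the internal VLAN match, so this does not become an open path into the DMZ.
ltm virtual vs_mgmt_to_dmz {
    destination 10.20.0.0:any
    mask 255.255.255.0
    ip-forward
    ip-protocol any
    profiles {
        fastL4 { }
    }
    source 10.10.5.0/24
    translate-address disabled
    translate-port disabled
    vlans {
        internal
    }
    vlans-enabled
}
```

After loading, `tmsh show ltm virtual vs_mgmt_to_dmz` exposes per-object traffic counters, which gives one place to watch management traffic into the DMZ instead of a counter per VIP.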