BIG-IP APM SSL VPN - https traffic issues while using web proxy/URL filter
Greetings, my team is running BIG-IP APM for SSL VPN and we are experiencing intermittent issues with https/443 web traffic (no http/80 issues). We do have an "on premise" web proxy/URL filtering service. Our issues clear up whenever we put in a "bypass" on the web proxy for the VPN client address space. Problem Behavior: For the first ~1 min 30 seconds or at random times throughout a VPN session, users experience web sites that load very slowly or that time out and do not load at all. The problem affects both PC and Mac and also happens in all browsers. Has anyone come across similar issues with specific web proxy vendors? Does anyone have any tips, tricks, or best practices for getting the BIG-IP and web proxies to work well together?? Thank you Dev Central community!
True Source IP address
Currently using an F5 to load balance a Websense web proxy deployment. Using the vendors "; iApp template to load balance the traffic between blades which is working. The issue is that the proxy logs show the FIP of the load balancer rather than the true IP of the users system. I am not using SNAT, XFF is enabled on the HTTP services profile, XFF is also enabled on the web proxy. What am I missing here?Problem with session persistence using CARP when load balancing a McAfee Web Gateway cluster using progress page for downloads
We have a cluster of 14 McAfee Web Gateways and about 15000 users connecting to them from a few dozen Citrix farms. Previously we have been using source address persistence, which works fine until one of the pool members are taken offline then online again. All clients will then be load balanced to another available pool member and the one that was offline gets no traffic after that. Enter hash persistence using CARP. The idea is simple, use something like the host header and make a hash of it then load balance using the CARP algorithm. This also works great, except when downloading files. McAfee Web Gateway works like this; it downloads the file for malware scanning before delivering it to the client. Meanwhile it displays a progress page to the client. The problem is that with hash persistence quite often the progress page will show an error. This is because I get loadbalanced to a different pool member than the one showing me the progress page. I really would like to use hash persistence, but I'm not sure there is a proper workaround for this. Any suggestions? What are you guys doing for persistence to web caches?