
external URL (or IP) as a node for VS

Hi, the customer has a request to configure several SSL certificates on a VS (and use SNI), which is fairly simple, but one of the incoming URLs needs to be proxied (not redirected) to an external URL - https://something.smth (is https a factor here?).

I do have the IP of this external URL - is this as straightforward as creating a pool with the external URL IP and 443 as a port? I could open the firewall path (though I do not love the idea) from VS to this URL.

Or would you advise a different approach? The traffic is load balanced by an iRule as far as I remember for this VS (I'm not close to my VPN right now, can't check).


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi,

If the external URL is a fixed IP, you can create a node and pool for this URL and use it in the virtual server configuration. HTTPS should not be an issue as long as you configure a correct Server SSL profile on the virtual server.

Do not forget to configure a correct SNAT on the virtual server, otherwise the return traffic will not go through the F5.

You can use a LTM policy to forward traffic for the https://something.smth URL to the correct pool.

Regards, Martijn.

0
Comments on this Answer
Comment made 3 months ago by Bciesz 134

I need to build upon it. So, the CMO is: Traffic coming from the Internet, through FW to F5 VS (10.10.10.10) and load balanced to two servers (10.10.10.11 and 10.10.10.22). There is a SNAT to 10.10.10.10 on VS. It works.

One of my concerns is the returning traffic once I attach a pool with the external IP. It would be coming back to the IP which is either the VS IP or the SNAT. Does F5 keep a session (based on ports?) that allows it to know which traffic it is exactly... I guess it should work this way.

The second problem I have is how to use a URL as a destination. I cannot use redirect, which would be easier - the customer needs it to work as a proxy.

0
Comment made 3 months ago by Martijn 494

Hi,

I would not use the IP-address of the virtual server as the SNAT IP-address. It makes troubleshooting a lot more difficult when creating traces. Use Automap or create a SNAT with a different IP-address.

Yes, the F5 keeps track of a session in a session table. So return traffic should be an issue.

When you need to create a destination based on URL, you should use a LTM policy. Create nodes and pools just like you always do. Then create a LTM policy with the following rule:

When HTTP host is something.smth Forward traffic to pool and insert the pool you created earlier.

Instead of HTTP host you can also use HTTP URI if that suits you better.

Martijn.

0
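
The steps described in this thread (node and pool for the external IP, Server SSL profile, SNAT, LTM policy on the HTTP host), written out as tmsh commands. This is an added example, not part of any post above: all object names, the virtual server name `vs_customer` and the address 203.0.113.10 are placeholders, and the certificate validation options on the Server SSL profile are an addition the thread does not discuss.

```tmsh
# Added example. Assumptions: BIG-IP 12.1 or later (policy drafts), an existing
# virtual server named vs_customer with an HTTP profile, and 203.0.113.10 as a
# constructed stand-in for the external site's fixed IP.

# 1. Node and pool for the external site on port 443.
create ltm node ext_something_node address 203.0.113.10
create ltm pool ext_something_pool members add { ext_something_node:443 } monitor https

# 2. Server SSL profile so the BIG-IP re-encrypts toward the external site.
#    server-name sends SNI; peer-cert-mode/ca-file/authenticate-name make the
#    BIG-IP reject a server whose certificate does not chain to the bundle or
#    does not match the expected name (added hardening, not from the thread).
#    Note: a Server SSL profile applies to every server-side connection of the
#    virtual server, so this assumes the existing pool members also accept TLS.
create ltm profile server-ssl ext_something_serverssl defaults-from serverssl server-name something.smth peer-cert-mode require ca-file ca-bundle.crt authenticate-name something.smth

# 3. LTM policy: when the HTTP host is something.smth, forward to the external
#    pool. Requests that do not match are left to the virtual server's
#    existing load-balancing configuration.
create ltm policy /Common/Drafts/ext_forward_policy strategy first-match requires add { http } controls add { forwarding } rules add { to_external { conditions add { 0 { http-host host values { something.smth } } } actions add { 0 { forward select pool ext_something_pool } } } }
publish ltm policy /Common/Drafts/ext_forward_policy

# 4. Attach the profile and policy, and use SNAT Automap (rather than the
#    virtual server's own address) so return traffic comes back through the F5.
modify ltm virtual vs_customer profiles add { ext_something_serverssl { context serverside } } policies add { ext_forward_policy } source-address-translation { type automap }

# 5. Verify: the pool member should be marked up by the https monitor, and the
#    policy should appear on the virtual server.
show ltm pool ext_something_pool members
list ltm virtual vs_customer policies
```

The firewall rule toward the external site only needs to allow the BIG-IP's self IP (the Automap source) to 203.0.113.10 on TCP 443, which keeps the opened path as narrow as possible.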