
GTM iRule to ignore WideIP based on Client IP

I'm looking to isolate clients issuing DNS requests that are connected via VPN tunnel. The response I want is to ignore the GTM WideIP and forward the DNS request through my company's DNS infrastructure.

Background:
1. We use PAC files
2. We have a two-stage GTM deployment (Internal and DMZ-Extranet)
3. VPN PAC file points to internal DNS servers fronted by F5 LTMs (GTM and Sapphire appliances)
4. Application needs VPN users to resolve External address

My current solution is to apply an iRule that looks at the incoming client address and if that address is in the created Topology region, do a pool selection and select the "external" pool, which has the external VS presence of the application. This is all created on the internal GTM sync group.

Here's the iRule:

when DNS_REQUEST {
    #log local0. "iRule VPN-LDNS-Internal-to-External-Redirect start."
    # Lower-case the queried name up front so the derived pool name is case-stable
    set qname [string tolower [DNS::rrname]]
    #log local0. "QNAME is $qname"

    # First label of the name becomes the host; the remainder (with its leading dot) the domain.
    # rsdomain is initialised so a single-label query cannot leave it unset and abort the rule.
    regexp {^[a-z0-9-]*} $qname host
    set rsdomain ""
    regexp {\..*} $qname rsdomain
    #log local0. "Host is $host"
    #log local0. "Domain is $rsdomain IP [IP::client_addr]"

    # Only clients inside the VPN-LDNS topology region are steered to the external pool
    if { [matchregion [IP::client_addr] VPN-LDNS] } {
        set irpool "${host}-external${rsdomain}"
        #log local0. "match pool: $irpool"
        pool $irpool
    }
}

I created the Region "VPN-LDNS" and added the VPN subnets.

My question... Is there a better way to do this?

The application's FQDN TLD is authoritative on our External Nameserver. The normal hops would be Internal LTM - Internal GTM - Internal LTM - Internal Sapphire - egress Proxy - External NS (External LTM VS) - External GTM - resolve IP **Caching understood

I'm wondering if there is a command to tell the Internal GTM not to resolve, based on the inbound client address, and pass the query along even though there IS a WideIP that matches the Hostname.

We need to keep the internal GTM WideIP to handle internal (non-VPN) clients.

Thank you in advance...

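The steering logic in the posted iRule (region match on the client address, then a pool name built as "<host>-external<.domain>") can be checked offline before it is loaded on a GTM. The following is an added example, not F5 code and not part of the original post: a small Python model of that logic. The VPN subnets are constructed stand-ins for the "VPN-LDNS" region, and the pool naming convention is taken from the iRule; it also handles the single-label query name that the unguarded iRule would trip over.

```python
"""Offline model of the posted DNS_REQUEST iRule's steering decision.

Added example (not F5 code). It mirrors what the iRule does so the pool-name
derivation and the region match can be exercised against edge cases.
"""
import ipaddress
import re
from typing import Optional

# Constructed stand-in for the "VPN-LDNS" topology region (assumed subnets).
VPN_LDNS_REGION = [
    ipaddress.ip_network("10.50.0.0/16"),
    ipaddress.ip_network("10.51.0.0/16"),
]

# Same two patterns the iRule applies: first label, then the rest of the name.
HOST_RE = re.compile(r"^[a-z0-9-]*")
DOMAIN_RE = re.compile(r"\..*")


def match_region(client_ip: str, region=VPN_LDNS_REGION) -> bool:
    """Equivalent of `matchregion [IP::client_addr] VPN-LDNS`."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in region)


def derive_pool(qname: str) -> Optional[str]:
    """Pool name the iRule would build, or None when the query name has no
    domain part (a single label), which the unguarded iRule cannot handle."""
    # DNS names are case-insensitive; a trailing dot, if present, is dropped
    # so it does not end up inside the pool name.
    qname = qname.lower().rstrip(".")
    host = HOST_RE.match(qname).group(0)
    dom = DOMAIN_RE.search(qname)
    if not host or dom is None:
        return None
    return f"{host}-external{dom.group(0)}"


def select_pool(client_ip: str, qname: str) -> Optional[str]:
    """Pool the iRule selects for this query; None means the rule does not
    intervene and the GTM proceeds with its normal WideIP handling."""
    if not match_region(client_ip):
        return None
    return derive_pool(qname)


if __name__ == "__main__":
    # Constructed sample queries: VPN client, non-VPN client, single-label name.
    for ip, name in [("10.50.1.2", "App.Example.COM"),
                     ("192.168.1.1", "app.example.com"),
                     ("10.51.9.9", "localhost")]:
        print(f"{ip:>14} {name:<18} -> {select_pool(ip, name)}")
```

Running the block shows which queries would be steered to an "-external" pool and which fall through; a None for a VPN client is the case where the region matched but no usable pool name could be derived.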