IP address restriction to IIS

I have some virtual directories in IIS that are locked down by IP address. As now all traffic to my servers is coming from the IP of the 'loadbalancer' not the source IP of the client how do I get around this problem?

Would it be better to allow the load balancer to handle this or is there a way of passing through IP addresses?

I am suspecting that an iRule is the way forward, but the ones available only seem to be allow/deny on IP for a whole virtual server. I want to allow/deny at virtual directory level.

5 Answer(s):

Do you need to translate the source address for response traffic to return to the load balancer? (iow, is some other device besides LTM the default route for the servers?)

Here is a post with some related info:

IP address and domain name restrictions in IIS

OK, it may help if I give a bit more detail:

2 x F5 LTM on a single subnet (SNAT in use)
The traffic goes to a farm of web servers.
Some of the websites on the web servers have 'virtual directories' which are locked down to a specific IP address range in IIS. Obviously this now does not work, since the load balancer's IP is seen instead of the source client IP.
The article mentions that the source IP can be passed through in a header using the HTTP profile. I suspect though that this could then only be applied at site level rather than Virtual directory level?
I suspect the way forward is an irule.
Just reading the other thread again, and it may be that all we need to do is switch off address translation and set the gateway IPs of each client to the load balancer. All of our nodes have different IP addresses, so I am guessing this is an option? Is this just a case of unticking address translation in the VS settings? What if a server needed to talk out directly, not through the load balancer?
You can set SNAT to none on the virtual server. Leave address translation enabled, as that refers to destination address translation. As long as the web servers' default gateway is set to the BIG-IP, that part will work. If you want to allow outgoing connections from the servers through the BIG-IP, you can configure a forwarding virtual server (IP forwarding with SNAT enabled). If you only want to allow traffic from the web servers to pass through this VIP, enable it only on the VLAN they're on.
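The original question asked for allow/deny at virtual directory level rather than for the whole virtual server, and the follow-up post suggested an iRule. The iRule below is an added example written for this page; it is not code from the thread or from F5. It assumes two hypothetical locked-down directories (/admin/ and /reports/) and two hypothetical allowed client ranges (10.0.0.0/8 and 192.168.100.0/24); replace these with your own paths and ranges. It works whether or not SNAT is in use, because [IP::client_addr] is the source address of the client-side connection, which SNAT does not rewrite, and it also inserts X-Forwarded-For so the real client address reaches IIS.

```tcl
# Added example iRule, not from the original thread. Attach it to the HTTP
# virtual server in front of the IIS farm; an HTTP profile is required.
# Paths and address ranges below are hypothetical placeholders.

when RULE_INIT {
    # Path prefixes that IIS used to restrict, and the client ranges allowed
    # to reach them. Kept in static variables so there is one place to edit.
    set static::restricted_dirs [list "/admin/" "/reports/"]
    set static::allowed_nets    [list 10.0.0.0/8 192.168.100.0/24]
}

when HTTP_REQUEST {
    # Real client address, taken from the client-side connection. With SNAT
    # enabled only the server-side connection is rewritten, so this is still
    # the address IIS would have seen without the load balancer.
    set client [IP::client_addr]

    # Let IIS see the real client address in its logs as well. Remove any
    # client-supplied copy first so the header cannot be spoofed.
    HTTP::header remove "X-Forwarded-For"
    HTTP::header insert "X-Forwarded-For" $client

    # Decode and lower-case the path once before matching, so that
    # /Admin/x.aspx and /%61dmin/x.aspx are treated the same as /admin/x.aspx.
    set path [string tolower [URI::decode [HTTP::path]]]

    # Refuse dot-segment traversal outright; IIS would canonicalise
    # /public/../admin/ to /admin/, which would bypass the prefix check below.
    if { [string match "*..*" $path] } {
        log local0. "Rejected $client -> [HTTP::uri] (dot segments)"
        HTTP::respond 400 content "Bad Request" noserver
        return
    }

    foreach dir $static::restricted_dirs {
        if { [string match "${dir}*" $path] } {
            set permitted 0
            foreach net $static::allowed_nets {
                # IP::addr ... equals accepts CIDR notation for the second operand.
                if { [IP::addr $client equals $net] } {
                    set permitted 1
                    break
                }
            }
            if { !$permitted } {
                log local0. "Denied $client -> $path (restricted directory $dir)"
                HTTP::respond 403 content "Forbidden" noserver
                return
            }
            # Matched a restricted directory and the client is allowed;
            # no need to test the remaining prefixes.
            break
        }
    }
}
```

Two caveats when using this in place of the IIS restriction: the decision is made on the BIG-IP, so the web servers must not be reachable except through the virtual server (otherwise a client can simply bypass the check), and a single URI::decode does not cover double-encoded paths, so if you cannot trust the clients you may want to reject any remaining percent signs after decoding. For larger allow lists, an LTM data group matched with `class match` is easier to maintain than a static list in RULE_INIT.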

