Learn F5 Technologies, Get Answers & Share Community Solutions Join DevCentral

Filter by:
  • Solution
  • Technology
Answers

Managing DMZ app servers behind the BigIP

Hey all, I'm just curious how some of you have designed your networks to load balance and secure your public apps, but still manage them with internal resources and tools (software, patching, security scans, etc.). Here's the scenario.

BigIP has a switch hanging off of it, isolated DMZ environment, no other connection. Any web apps we're publishing we plug into that switch, build a virtual server, and we're off and running. Any resources the app server needs internally like DNS, directory services, etc. that it can initiate itself, it routes through the BigIP which has an internal network interface and a route built in for that comm.

One of the issues is any connection initiated from the internal network cannot reach that app server unless we build a virtual server for each service (RDP, monitoring and patching which has multiple ports, security scans even more ports). That can;t be the right way to do it. I personally think we should have a seperate DMZ switch hanging off the firewall with a different interface on the app server dedicated to those management functions. It's much easier for me to write one rule in the FW for that access than create multiple VIPS for each server/service for management functions.

Our BigIP is sitting along side our fw's today so any connections sourcing from the outside bypass those. I am toying with the idea of placing the BigIP behind the fw's once they;re replaced with more robust appliances but that has not happened yet.

Just curious all, I appreciate the feedback.

-GR

0
Rate this Question

Answers to this Question

placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

For all that a admin traffic, you normally use a network VS on the BigIP. Destination, the network address/mask of the subnet and enabled on the internal interface only.

H

0
placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Gotcha, So that would require a network VS for each physical server I would need that admin traffic opened up for?

0
Comments on this Answer
Comment made 14-Mar-2014 by Greg 103
Or are you talking about just forwarding the traffic for that particular dmz network? That is probably fine, this DMZ subnet is not defined at all on our internal network at all.
0
placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

As Hamish stated, you will need to create a network VS for the subnet that is behind the BigIP. Also, you will need to create a "outbound" network VS if the servers in the subnet will ever need to initiate connections out to either your internal network or out to the Internet.

Joe

0
placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

You need 1 VS to match a particular 'network'. That network could be 0.0.0.0/0.0.0.0 (i.e. ANYTHING) if you like. Any one of 32 different netmasks and 2^32 addresses supported...

So no... You don't need 1 per server. But could if you wanted to.

H

0
placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

You should use a forwarding IP type virtual server. This allows you to "route" non-application traffic through the F5. I have a blog post where you can read more about the specifics here -

http://packetpushers.net/stateless-routing-f5-ltm/

0