Fotios_30046
Jul 11, 2007

Layout of BIP-LTM

We are upgrading our existing IIS 5 and Cisco CSS to IIS 6 and BIP-LTM, but have several questions as far as network configuration and layout.

Currently we have the following:

CSS has one leg in dmz and one leg on public network.

Web farm is in its own dmz, 192.168.168.0/24

Web servers default gateway is CSS.

Going forward, we would like to keep the BIP within our private network behind the firewall and wanted to gather some information on what everyone is doing.

Thanks Again

4 Replies

  • Ryan_Korock_46
    Historic F5 Account
    fmagoufis,

    Although I'm not an active customer, I've implemented quite a few BIG-IPs in my various roles at F5.

    Because of the BIG-IP's flexibility, I've seen it implemented in some fairly interesting ways. However, I would say that your proposed solution is probably one of the most common. Having the BIG-IP on a private network behind your firewall is a very popular and secure architecture.

  • I too agree the BIG-IP LTM on a private network behind the firewall is a common and secure architecture. The only exception, which makes up the remainder of the implementations in my experience, is those who wish to provide some of the same functionality for their firewall(s) as the LTM provides for their servers.

    Putting the LTM device *in front of firewalls* allows incoming traffic to be load balanced across multiple firewall devices, providing persistence, failover, performance enhancement [SSL acceleration and termination, which also allows for more granular inspection of packets by the firewall(s)], and an additional layer of protection (e.g. Denial of Service attacks, certificate and token authentication with added modules, etc.). To provide added functionality for outbound traffic through multiple firewalls, a second pair of LTM devices can be added to the inside of the firewalls -- also known as the "firewall sandwich". This configuration can support a number of other proxy devices like web caches, IPSec gateways, mail filtering gateways, etc.

    So the right configuration might actually be an evolving question of where you want to take your architecture and how many services you eventually plan to consolidate and offload to the DMZ tier. Until then, the BIG-IP LTM behind the firewall on a private network, as you mentioned, is the most common place to start.
  • Thank you for the updated information; I was getting worried my question would go unanswered. To add to my original post, we purchased two LTM 3400s and will initially be setting them up as primary/secondary. My initial thoughts were to put the bigip into dmzFE, but have all the webservers in dmzBE.

    dmzFE will be a small network of public-to-private static mappings.

    dmzBE will be all the IIS web servers.

    The bigip will have connections into both networks. The web servers will use the bigip in the dmzBE as their default gateway, and the bigip will have its default gateway as the firewall in the dmzFE network.

    Thoughts/Suggestions?
  • This is a standard configuration and will work just fine. You can map your translations on the firewall instead of the BigIP to keep your security zones well defined. In most environments I've worked in, the F5 device between the FE and BE DMZs is not considered a security boundary, and therefore the translations occur before or after the BigIP. Ultimately your security policy should guide the final solution.
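The two-leg layout described in the last two posts (BIG-IP with one leg in dmzFE and one in dmzBE, web servers using the BIG-IP as their default gateway, the BIG-IP's default route pointing at the firewall, and the public-to-private static mapping left on the firewall), written out as a tmsh configuration. This is an added illustration, not anything posted in the thread or shipped by F5. It assumes a modern TMOS release with tmsh (the 2007-era LTM 3400s would have used the v9 bigpipe CLI, whose syntax differs), and that a device group for the primary/secondary pair already exists so the floating self IP can be placed in traffic-group-1. The interface numbers, the 10.10.1.0/24 dmzFE addresses, the 192.168.168.0/24 dmzBE addresses and the pool member addresses are constructed for the example.

```tmsh
# Constructed example: run from "tmsh" on the BIG-IP. Addresses and
# interface numbers are placeholders, not values from the thread.

# One VLAN per DMZ leg (interface numbers assumed).
create net vlan dmzFE interfaces add { 1.1 { untagged } }
create net vlan dmzBE interfaces add { 1.2 { untagged } }

# Non-floating self IPs, one per unit. "allow-service none" means the
# self IPs answer no services (no management or SSH on the data VLANs);
# the only listener facing the firewall is the virtual server below.
create net self 10.10.1.2 address 10.10.1.2/24 vlan dmzFE allow-service none
create net self 192.168.168.2 address 192.168.168.2/24 vlan dmzBE allow-service none

# Floating self IP in dmzBE: this is the address the IIS servers use as
# their default gateway, so it follows the active unit on failover
# (assumes traffic-group-1 and a device group are already configured).
create net self 192.168.168.1 address 192.168.168.1/24 vlan dmzBE allow-service none traffic-group traffic-group-1

# The BIG-IP's own default route points at the firewall's dmzFE interface.
create net route default gw 10.10.1.1

# Pool of IIS servers in dmzBE with an HTTP health monitor.
create ltm pool web_pool monitor http load-balancing-mode round-robin members add { 192.168.168.10:80 192.168.168.11:80 }

# Virtual server on a private dmzFE address. The firewall holds the
# public-to-private static mapping to 10.10.1.100, so the BIG-IP does no
# NAT of its own. Because server return traffic is routed through the
# BIG-IP (it is the servers' gateway), no SNAT is needed and the IIS logs
# keep the real client source addresses.
create ltm virtual vs_web destination 10.10.1.100:80 ip-protocol tcp profiles add { tcp http } pool web_pool source-address-translation { type none }

save sys config
```

The design choice worth calling out is where address translation happens: keeping the static mapping on the firewall, as the last reply suggests, means the firewall policy is written against the same private address the BIG-IP listens on, and the BIG-IP stays a forwarding device between the two DMZs rather than a second place where zone boundaries are defined. If the servers ever stop using the BIG-IP as their gateway, the `type none` setting is the line to revisit, since asymmetric return traffic would then bypass the virtual server.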