Forum Discussion

JL_45517
Mar 12, 2010

Port redirect

I know it's been done before. I've looked around and can't find an answer to what I'm trying to do: VIP listening on port 80, and a pool with nodes listening on 8080.

 

 

Here's my situation: I'm using the LTMs to load balance McAfee Webwasher proxy servers used for our outbound internet browsing traffic. My environment uses the "Automatically detect proxy settings" in IE, so we need a wpad.dat file hosted somewhere. The Webwashers support hosting that file, but they only listen on tcp port 8080.

 

 

The WPAD "Automatically detect proxy settings" process needs to resolve wpad to an IP address, then makes the request: http://192.168.5.10/wpad.dat. 192.168.5.10 is the VIP for the wpad server, redirecting to the Webwasher pool. The wpad.dat file is parsed (same as a proxy.pac file) and returns the proxy server settings: (let's say in this example) 192.168.5.20:8080. 192.168.5.20 is the VIP for the proxy server, listening on 8080, using the Webwasher pool.

 

 

The Webwashers only listen on port 8080 and I have over 700 sites with DHCP option 252 defining the WPAD host on port 80. How can I have the VIP listen and accept requests on port 80, load balancing to the pool/nodes on port 8080, then send it back to the client from the VIP?

 

 

Anyone else doing something like this? I don't think it should be that hard but it's not working/returning the wpad.dat file when I configure the VIP on 80, and the nodes on 8080.

1 Reply

  • The VIP:80 pointing to pool member(s) on port 8080 should work fine as long as you have (destination) port and (destination) address translation enabled on the VIP. If the proxy servers aren't pointing to LTM for their default gateway, then you'd want to enable SNAT on the VIP as well to translate the source address on the server side connections to the LTM floating self IP on the server VLAN.

     

     

    If that's not working, can you try capturing a tcpdump on all switch ports looking for the VIP and pool member IP addresses? It would make things easier if you temporarily disable all but one pool member.

     

     

    tcpdump -ni 0.0 host VIP_IP or host POOL_IP_1

     

     

    Another option would be to host the wpad.dat/proxy.pac file with an iRule. Bhattman added an example to the Codeshare which does this:

     

     

    http://devcentral.f5.com/wiki/default.aspx/iRules/Proxy_Pacfile_Hosting_without_need_for_Web_servers.html

     

     

    Aaron
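The capture suggested in the reply above can be read mechanically. The following is an added example, not code from the thread or from F5: it checks constructed `tcpdump -n` text output for the two conditions the reply names, port translation to 8080 and SNAT on the server-side connection. Only the VIP 192.168.5.10 comes from the post; the client 10.20.30.40, pool member 192.168.5.31, self IP 192.168.5.2 and the `Flags [..]` line format of current tcpdump versions are assumptions.

```python
import re

# Matches tcpdump -n text output: "IP src.sport > dst.dport: Flags [S.], ..."
LINE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]+)\]")

def diagnose(capture, vip, pool_ip, pool_port=8080):
    """Return sorted findings for one VIP and one enabled pool member."""
    pkts = [(m[1], int(m[2]), m[3], int(m[4]), m[5])
            for m in map(LINE.search, capture.splitlines()) if m]
    clients = {src for src, _, dst, _, fl in pkts if dst == vip and fl == "S"}
    syns = [p for p in pkts if p[2] == pool_ip and p[4] == "S"]
    findings = set()
    if not clients:
        findings.add("no client SYN reached the VIP")
    elif not syns:
        findings.add("no server-side SYN: check pool member state")
    for src, sport, _, dport, _ in syns:
        if dport != pool_port:
            findings.add(f"server-side SYN to port {dport}: port translation is off")
        if src in clients:
            findings.add("client source IP preserved: no SNAT on the VIP")
        # Packets the pool member sent back to this server-side flow.
        replies = [p[4] for p in pkts if p[0] == pool_ip and p[2:4] == (src, sport)]
        if any("R" in fl for fl in replies):
            findings.add("pool member reset the connection")
        elif "S." not in replies:
            findings.add("no SYN-ACK from pool member seen: return path bypasses LTM")
    return sorted(findings)

# Constructed captures (not real traffic). First: no SNAT, replies never pass LTM.
NO_SNAT = """\
10:00:00.0001 IP 10.20.30.40.51000 > 192.168.5.10.80: Flags [S], length 0
10:00:00.0002 IP 192.168.5.10.80 > 10.20.30.40.51000: Flags [S.], length 0
10:00:00.0009 IP 10.20.30.40.51000 > 192.168.5.31.8080: Flags [S], length 0
10:00:03.0009 IP 10.20.30.40.51000 > 192.168.5.31.8080: Flags [S], length 0
"""
# Second: SNAT to the self IP, pool member answers on 8080.
WITH_SNAT = """\
10:00:00.0001 IP 10.20.30.40.51000 > 192.168.5.10.80: Flags [S], length 0
10:00:00.0002 IP 192.168.5.10.80 > 10.20.30.40.51000: Flags [S.], length 0
10:00:00.0009 IP 192.168.5.2.40000 > 192.168.5.31.8080: Flags [S], length 0
10:00:00.0012 IP 192.168.5.31.8080 > 192.168.5.2.40000: Flags [S.], length 0
"""

if __name__ == "__main__":
    for name, cap in (("NO_SNAT", NO_SNAT), ("WITH_SNAT", WITH_SNAT)):
        print(name, diagnose(cap, "192.168.5.10", "192.168.5.31"))
```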