NimbostratusHow to make F5 to response with a perticular domain name?
Hi Guys,
I ran into a weird issue and here’s the picture:
- SOURCE.SERVER.COM – Source Server the request coming from (Microsoft System Center Operations Manager (SCOM) Agent)
- F5.VIP.com.au – F5 Virtual Server (LTM v11)
- 4 NODE servers – Microsft SCOM 2012 a. DESTINATION.NODE1.LOCAL b. DESTINATION.NODE2.LOCAL c. DESTINATION.NODE3.LOCAL d. DESTINATION.NODE4.LOCAL
When the communication happens directly from the source to destination without the F5 it works fine. SOURCE.SERVER.COM sends a request to a Management Server on TCP 5723 and presents a certificate. Management server validates certificate trust and communicates its name and certificate information back to SOURCE.SERVER.COM. A secure connection is established.
This is falling over through F5 because SOURCE.SERVER.COM is expecting this sort of communication: 1. SOURCE.SERVER.COM > F5.VIP.com.au 2. F5.VIP.com.au > SOURCE.SERVER.COM
What’s happening is: 1. SOURCE.SERVER.COM > F5.VIP.com.au 2. F5.VIP.com.au > DESTINATION.NODE1.LOCAL (2, 3 or 4) 3. DESTINATION.NODE1.LOCAL > F5.VIP.com.au 4. F5.VIP.com.au then passes response from DESTINATION.NODE1.LOCAL > SOURCE.SERVER.COM
This means that F5.VIP.com.au is responding to SOURCE.SERVER.COM with the name DESTINATION.NODE1.LOCAL but the expected name is F5.VIP.com.au, this makes certificate authentication fail.
We need: 1. SOURCE.SERVER.COM > F5.VIP.com.au 2. F5.VIP.com.au > DESTINATION.NODE1.LOCAL (2, 3 or 4) 3. DESTINATION.NODE1.LOCAL > F5.VIP.com.au 4. F5.VIP.com.au then passes response from DESTINATION.NODE1.LOCAL as F5.VIP.com.au > SOURCE.SERVER.COM
This should make all communication appear to be To/From F5.VIP.com.au. ie. 1. SOURCE.SERVER.COM > F5.VIP.com.au 2. F5.VIP.com.au > SOURCE.SERVER.COM
No certificate is configured on the F5 and the VirtualServer is configured on port 5723.
Hope this make sense. What iRule should I write to achieve this.
Please feel free to ask if you need more clarification.
Thanks
Rana
