Forum Discussion

neil_t_66364
Apr 09, 2015

Policy check sequence within a virtual server

Hi All,


My question is around the use of a policy within a virtual server. I have a single virtual server as a front end and I've used a policy to check the URL and forward to several secondary VIPs based on the HTTP Host content, and that works fine. The front-end server requires a default pool, and it's around this default server that my question relates. The F5 is running LTM & ASM and it's decrypting and re-encrypting the connections, so if I'm using a policy to forward connections to secondary VIPs, should I also configure SNAT, a OneConnect profile, iRules, server-side SSL certs and an ASM policy on the front-end VIP, as these will be required for the default pool, but I don't want them to be used for any connection destined for a secondary VIP? What is best practice: do you use a default drop pool, or is there another 'best practice' way to use the default pool?


Thanks in advance.


2 Replies

  • So are you decrypting and re-encrypting on the primary VIP? If so, do you also decrypt on the secondaries so as to be able to use cookie persistence? Is each secondary hosting/connecting to a different application? Just curious as to whether your policy is generic enough to be applicable to the apps behind each secondary. I know that for our custom-built web app I've had to do a fair amount of policy tuning because of how extensive the app is, so it's really only (or mostly) applicable to our app (a K-12 Student Information System).


    I'm still learning myself, but it would seem to make sense to have OneConnect, SNAT, etc. on the secondaries, as they are creating/using the TCP sessions to the pool members.


  • Hi John,


    Thanks for the response. I may have misled you with my description. There is a single front-end VIP which passes connections to multiple back-end VIPs based on a policy. Each back-end VIP has components (OneConnect, iRules, etc.) plus an SSL cert to re-encrypt before sending to the server. The front-end VIP requires a default pool, so my question is around that default pool. If I also need to have a OneConnect profile, iRules and an SSL connection to the server for the default pool, how do I do it? Is the policy used to send connections to other VIPs read before these other components are implemented? As you mentioned, if there is a server SSL cert, will the front-end VIP re-encrypt before sending to the back-end VIP (not required)? Is it standard to use some sort of default pool to drop connections not matching any of the policy rules? Hopefully this is a little clearer.
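The layout the thread describes, written out as a tmsh configuration. This is an added example, not configuration from the poster or from F5; the object names, addresses and hostnames (`pol_host_routing`, `vs_frontend_443`, `vs_app1_internal`, `app1.example.com`, `203.0.113.10`, `10.0.0.11` and so on) are placeholders, and the policy syntax is the v11.4-era LTM policy form, so check it against `tmsh help ltm policy` on your version before loading it. The idea it shows: the front-end VIP only terminates client-side TLS and evaluates the policy; each host-matching rule forwards the connection to an internal virtual server that carries the server-side SSL, OneConnect, SNAT and pool for that application; and a final catch-all rule resets anything no earlier rule matched, so the front-end VIP's default pool (an empty placeholder here) never carries traffic and needs none of the server-side settings.

```tmsh
# Added example (not from the thread). Names, addresses and hostnames are
# placeholders; verify syntax with `tmsh help ltm policy` for your version.
ltm policy /Common/pol_host_routing {
    controls { forwarding }
    requires { http }
    strategy /Common/first-match
    rules {
        to_app1 {
            ordinal 1
            conditions {
                0 {
                    http-host
                    host
                    values { app1.example.com }
                }
            }
            actions {
                0 {
                    forward
                    select
                    virtual /Common/vs_app1_internal
                }
            }
        }
        to_app2 {
            ordinal 2
            conditions {
                0 {
                    http-host
                    host
                    values { app2.example.com }
                }
            }
            actions {
                0 {
                    forward
                    select
                    virtual /Common/vs_app2_internal
                }
            }
        }
        # No conditions: matches whatever the rules above did not, and resets
        # it, so the default pool on the front-end VIP never sees a connection.
        catch_all {
            ordinal 99
            actions {
                0 {
                    forward
                    reset
                }
            }
        }
    }
}

# Placeholder default pool with no members, kept only so the virtual server
# has a default pool to reference.
ltm pool /Common/pool_sink { }

# Front-end VIP: client-side SSL (decrypt), HTTP profile so the policy can
# read the Host header, and the routing policy. No server-ssl, OneConnect,
# SNAT or ASM here; those belong on the internal virtual servers.
ltm virtual /Common/vs_frontend_443 {
    destination /Common/203.0.113.10:443
    ip-protocol tcp
    mask 255.255.255.255
    pool /Common/pool_sink
    policies {
        /Common/pol_host_routing { }
    }
    profiles {
        /Common/tcp { }
        /Common/http { }
        /Common/clientssl_frontend { context clientside }
    }
    translate-address enabled
    translate-port enabled
}

# One internal target. Traffic arrives already decrypted by the front-end
# VIP, so only the server-side settings live here: server-ssl to re-encrypt,
# OneConnect, SNAT and the application's own pool.
ltm virtual /Common/vs_app1_internal {
    destination /Common/10.0.0.11:443
    ip-protocol tcp
    mask 255.255.255.255
    pool /Common/pool_app1
    profiles {
        /Common/tcp { }
        /Common/http { }
        /Common/oneconnect { }
        /Common/serverssl_app1 { context serverside }
    }
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
}
```

Two caveats worth testing before relying on this: on BIG-IP 12.1 and later, LTM policies are created as drafts and must be published before a virtual server can reference them, and how the target virtual server's own profiles interact with a connection handed over by a forwarding rule is version-dependent, so confirm with a test client and `tcpdump` on the server side that the internal VIP, not the front end, is the one opening the re-encrypted connection. An `http-host` condition as written is an exact match; add `case-insensitive` to the condition if clients may send the Host header in mixed case.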