
Basavaraj_16797 (Nimbostratus)
Feb 07, 2016

F5-LTM-ROUTING

Hello Experts,

I have one query here and I would like to ask you all.

We have implemented F5 in our environment and it's working great. We have hosted mail servers behind it and everything is working fine: any traffic hits the mail servers' VIP, is source NATted, goes to the respective servers and gets the response.

Here our Exchange admins don't want to change source IPs; they want to see which exact source IPs the requests are coming from (for their troubleshooting purposes).

Is it possible to configure it so that any traffic goes through the F5 and hits the VIP, and the source IP is not changed on the way to the destinations?

Your expert ideas would be appreciated.

Thank you so much.


6 Replies

  • The reason that you would use source address translation is to cause the response to return via the LTM, and not directly to the client.

    You could disable source address translation if your pool members are configured to route traffic via the LTM, e.g., if their default route points to the LTM.

    Alternatively, for HTTP traffic only, you could have the LTM insert an X-Forwarded-For header with the client's original IP address.

    F5 provides an ISAPI Plug-in, which you can download from the LTM's default page (click on the red f5 ball to get back to it) if you wish the client IP to be written to the IIS logs. See SOL4816 for more information on this.


  • Hi LAN,

    Thank you so much for the response.

    Here in my case, we want the clients' original IPs to be retained for the Exchange traffic alone. When Exchange admins capture the traffic, they would like to see which users are sending emails and their original IPs, for troubleshooting purposes.


    • IanB (Employee)
      If you're not using an iApp, then just create a new http profile with Insert-X-Forwarded-For enabled, and associate that http profile with the virtual server that handles your exchange http/https traffic.
  • Oh, we are using an iApp. Even if we are using the iApp, if I create an http profile with Insert-X-Forwarded-For enabled and associate it with the mail servers' VIP, will it work? When Exchange admins capture the traffic, will they be able to see who is sending emails?

    Thanks again for your quick response.


    • IanB (Employee)
      If you're using the iApp, then the X-Forwarded-For option should already be turned on. Make sure you're using the 2010_2013 iApp, not the old 2010 one. If you don't have the latest iApp zip file, you can download it from downloads.f5.com, then go to iApps / Templates / Import to load the template into your LTM. Also, take a look at Appendix B, in the deployment guide, which explains the steps necessary to install the ISAPI plugin on your IIS server: https://www.f5.com/pdf/deployment-guides/microsoft-exchange-2010-2013-iapp-dg.pdf
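
Added example, not part of the thread and not F5 code: a server-side check for reading the client address from the X-Forwarded-For header the replies describe (HTTP traffic only), trusting the header only when the connection actually came from the LTM. It assumes the LTM's entry is the last one in the header and that `10.10.10.5` is the LTM's SNAT address toward the pool; the function name and all sample addresses are constructed.

```python
import ipaddress

# Assumption: address(es) the LTM uses as SNAT source toward the pool members.
TRUSTED_PROXIES = {ipaddress.ip_address("10.10.10.5")}


def _parse_ip(text):
    """Return an ip_address object, or None for malformed input."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def client_ip(peer, xff_headers):
    """Resolve the original client IP for one HTTP request.

    peer        -- TCP source address the server saw
    xff_headers -- X-Forwarded-For header values, in the order received
    """
    peer_ip = _parse_ip(peer)
    if peer_ip is None:
        return None
    # A request that bypassed the LTM cannot carry a trustworthy header:
    # any client can send its own X-Forwarded-For line.
    if peer_ip not in TRUSTED_PROXIES:
        return str(peer_ip)
    # Flatten repeated headers and comma-separated lists into one chain.
    entries = [e for h in xff_headers for e in h.split(",") if e.strip()]
    # Assumption: the proxy appends, so walk right to left and skip our own
    # proxies. Everything further left was supplied by the client.
    for entry in reversed(entries):
        ip = _parse_ip(entry)
        if ip is None:
            break  # malformed value next to a trusted hop: do not guess
        if ip not in TRUSTED_PROXIES:
            return str(ip)
    return str(peer_ip)  # no usable header: only the SNAT address is known


if __name__ == "__main__":
    # Constructed requests: (peer address, X-Forwarded-For values)
    samples = [
        ("10.10.10.5", ["203.0.113.7"]),             # normal, via LTM
        ("10.10.10.5", ["1.2.3.4", "203.0.113.7"]),  # client sent a forged line
        ("198.51.100.9", ["1.2.3.4"]),               # did not come via LTM
    ]
    for peer, xff in samples:
        print(peer, xff, "->", client_ip(peer, xff))
```

For log review, a request whose header chain is longer than one entry is worth flagging, since the extra entries were supplied by the client or an upstream proxy.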