Forum Discussion

jba3126
Jun 09, 2010

Configure LTM as a true Full Proxy

In short we need to have the LTM do a Full Proxy. By that I mean the client IP communicates with the VIP via TCP 9091. The LTM in turn opens a separate TCP connection via 9091 to the Application server. If required we can change the port. The only requirement I was given was, the F5 has to proxy the client connection and make a separate call to the App. So basically the backend will either see the Internal Floating IP or I assume an IP address that I would potentially assign?

FYI - For more detail on the Full Proxy see, http://devcentral.f5.com/weblogs/macvittie/archive/2008/10/02/the-concise-guide-to-proxies.aspx

Client
  |
Internet
  |
Firewall
  |
LTM VIP
  |
Firewall
  |
Application

10 Replies

  • Hi Jeff,

    Are you wanting confirmation that LTM will act as a full proxy? If so, this is the case as long as you define the virtual server as a standard VS with a TCP profile. LTM will then broker separate TCP connections for the client and server sides. The source IP for the serverside connection can be the original client IP address, an LTM floating self IP or any other address you specify in a SNAT pool.

    Aaron
  • Hi, I don't know if this is the same thing as a full proxy but can I ask 2 questions?

    1. We have two BIG-IP LTM 6400 in active/standby mode that we will be hoping to migrate to DNS instead of IP resolution, is this possible? In other words, can the BIG-IP LTM 6400 use hostnames instead of IP addresses for its webservers?

    2. Can we create SSL certificates based on hostnames and not IP addresses?

    Thanks.
  • 1. We have two BIG-IP LTM 6400 in active/standby mode that we will be hoping to migrate to DNS instead of IP resolution, is this possible? In other words, can the BIG-IP LTM 6400 use hostnames instead of IP addresses for its webservers?

    No. The LTM load balances to an IP address and port.

    Visual assist: you can have the server names included next to the IP address if you name the nodes (Local Traffic -> Virtual Servers -> Nodes).

    or

    You can go to the Preferences (System -> Preferences) and check the "Display Host Names When Possible" check box and it will look like it is using the DNS hostname of the server whose IP address matches the pool member settings, but that is only a visual decoration (and only when a DNS entry exists for the IP address). The LTM still uses the IP address and port.

    2. Can we create SSL certificates based on hostnames and not IP addresses?

    You can create an SSL certificate for a server using its hostname (FQDN), but I've never heard of creating an SSL certificate for an IP address. SSL certificates are normally created for vanity URLs for a domain that you own.
  • You can do name-based load balancing using an iRule. It would add more load and latency than using default IP-based load balancing though.

    See this post for details on using RESOLV::lookup in 10.1 or NAME::lookup in pre-10.1 to do this:

    http://devcentral.f5.com/Community/GroupDetails/tabid/1082223/asg/50/afv/topic/aft/1171749/aff/5/showtab/groupforums/Default.aspx1173920

    Aaron
  • I apologize for the delay in response; my company was blocking notifications that anyone had posted. With that said, I need for LTM to perform a full proxy hiding the client address.
  • After some research on SNAT/SNAT Pool, I believe this will work. Below is an example from my lab LTM. Please provide some feedback/corrections.

    =====================
    From bigip_base.conf
    =====================

    self 10.10.0.254 {
       netmask 255.255.255.0
       vlan LB-internal
       allow all
    }
    self 10.30.0.254 {
       netmask 255.255.0.0
       vlan LB-external
       allow all
    }

    ================
    From bigip.conf
    ================

    snat translation 10.30.1.10 {
       ip timeout 28800
    }
    snatpool TSYS-ISIS-SNAT-Pool {
       members 10.30.1.10
    }
    monitor RDP {
       defaults from tcp_half_open
       dest *:3389
    }
    pool TSYS-ISIS-PROD-9091 {
       action on svcdown reselect
       monitor all RDP
       members 10.10.0.10:3389
    }
    virtual TSYS-ISIS-PROD-9091 {
       snatpool TSYS-ISIS-SNAT-Pool
       pool TSYS-ISIS-PROD-9091
       destination 10.30.1.10:3389
       ip protocol tcp
       profiles
          tcp-lan-optimized serverside
          tcp-wan-optimized clientside
    }
  • You might want the SNAT pool address(es) to be in the same subnet as the pool members (assuming it's not a /8 network that both the VIP and pool members are on). Else, the pool members will need a route back to the 10.30.1.0 network.

    Aaron
  • Hi Jeff, not directly related to your query but I noticed you have port lockdown set to 'allow all' on both self IPs you show; you may want to consider revising this. This setting has an impact on traffic to the LTM (e.g. when you're managing the device via a self IP rather than the management port). E.g. typically an external self IP would have a setting of 'allow none' whereas an internal self IP used for administration would likely have a setting of 'allow default'.

    There's an overview of the behaviour here: https://support.f5.com/kb/en-us/solutions/public/7000/300/sol7317.html
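Added example, not part of the thread and not F5 code: a small Python lint that reads the bigpipe-style self / snatpool / pool / virtual blocks of the kind posted above and checks the three points the replies make. It reports a SNAT pool address that is not on the same self-IP subnet as the pool members it fronts (Aaron's note that the servers would otherwise need a route back), a virtual server with no snatpool (Aaron's first reply: without one the serverside source is the original client IP, which is the opposite of what the poster wants), and any self IP left at port lockdown 'allow all'. The embedded config is a constructed copy of the posted lab config with the profile lines folded onto one line; the finding codes, the parsing rules and the function names are my own assumptions, and the parser only understands the simple "header { attribute lines }" layout shown in the thread.

```python
"""Sanity checks over a bigpipe-style LTM config (bigip_base.conf + bigip.conf).

Finding codes (assumed names, not F5 terminology):
  SNAT_OFF_SUBNET  a SNAT pool member is not on the self-IP subnet that the
                   pool members sit on, so the servers need a route back;
  NO_SNAT          a virtual server has no snatpool, so servers see the
                   original client address;
  ALLOW_ALL        a self IP has port lockdown 'allow all'.
"""
import ipaddress

# Constructed sample, modelled on the lab config posted in the thread.
SAMPLE_CONFIG = """
self 10.10.0.254 {
   netmask 255.255.255.0
   vlan LB-internal
   allow all
}
self 10.30.0.254 {
   netmask 255.255.0.0
   vlan LB-external
   allow all
}
snat translation 10.30.1.10 {
   ip timeout 28800
}
snatpool TSYS-ISIS-SNAT-Pool {
   members 10.30.1.10
}
pool TSYS-ISIS-PROD-9091 {
   action on svcdown reselect
   monitor all RDP
   members 10.10.0.10:3389
}
virtual TSYS-ISIS-PROD-9091 {
   snatpool TSYS-ISIS-SNAT-Pool
   pool TSYS-ISIS-PROD-9091
   destination 10.30.1.10:3389
   ip protocol tcp
   profiles tcp-lan-optimized serverside tcp-wan-optimized clientside
}
"""


def parse_blocks(text):
    """Return [(header_words, [attribute_words, ...]), ...] for every '{ }' block."""
    blocks, stack = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("{"):
            stack.append((line[:-1].split(), []))
        elif line == "}" and stack:
            blocks.append(stack.pop())
        elif stack:
            stack[-1][1].append(line.split())
    return blocks


def attr(attrs, key):
    """Words after the first attribute line whose keyword is `key`, or []."""
    for words in attrs:
        if words[0] == key:
            return words[1:]
    return []


def connected_net(ip, self_nets):
    """The self-IP network containing `ip`, or None if the LTM has none there."""
    addr = ipaddress.ip_address(ip)
    return next((net for net in self_nets if addr in net), None)


def lint(text):
    """Return a list of (code, message) findings for a config text."""
    blocks = parse_blocks(text)
    findings, self_nets, snatpools, pools = [], [], {}, {}

    for header, attrs in blocks:
        if header[0] == "self":
            mask = attr(attrs, "netmask")[0]
            self_nets.append(ipaddress.ip_network(f"{header[1]}/{mask}", strict=False))
            if attr(attrs, "allow") == ["all"]:
                findings.append(("ALLOW_ALL", f"self {header[1]}: port lockdown 'allow all'"))
        elif header[0] == "snatpool":
            snatpools[header[1]] = attr(attrs, "members")
        elif header[0] == "pool":
            # strip the :port so members can be compared as addresses
            pools[header[1]] = [m.rsplit(":", 1)[0] for m in attr(attrs, "members")]

    for header, attrs in blocks:
        if header[0] != "virtual":
            continue
        name, snatpool, pool = header[1], attr(attrs, "snatpool"), attr(attrs, "pool")
        if not snatpool:
            findings.append(("NO_SNAT", f"virtual {name}: no snatpool, servers see the client IP"))
            continue
        members = pools.get(pool[0], []) if pool else []
        member_nets = {connected_net(m, self_nets) for m in members}
        for snat_ip in snatpools.get(snatpool[0], []):
            if connected_net(snat_ip, self_nets) not in member_nets:
                findings.append(("SNAT_OFF_SUBNET",
                                 f"virtual {name}: SNAT {snat_ip} is not on the pool members' subnet"))
    return findings


if __name__ == "__main__":
    for code, message in lint(SAMPLE_CONFIG):
        print(f"{code:16} {message}")
```

Run as-is it prints the two 'allow all' findings and the SNAT_OFF_SUBNET finding for 10.30.1.10 against the 10.10.0.0/24 members; move the SNAT member onto 10.10.0.0/24 and set the self IPs to 'allow default' or 'allow none' and it prints nothing.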