Forum Discussion

cjbarr1234's avatar
cjbarr1234
Icon for Nimbostratus rankNimbostratus
Oct 16, 2014

LTM to proxy from LAN to WAN

Hello,

 

I'm looking for a solution article, or some guidance on taking an internal application and proxying all of it's traffic to an external SaaS. We have security requirements that don't allow direct access from the application server to the cloud.

 

Is there a simple methodology of setting this up in an iAPP, or better yet just a vs?

 

My apologies for my ignorance, I've had great success so for with WAN to LAN, but have yet to attempt the reverse.

 

Example:

 

1)Host "server1" proxies to LTM on port 3349 2)LTM translates traffic to specific cloud application

 

Thanks for your help!

 

APM
application delivery
cloud
design
devops
iApps
iRules
security

2 Replies

Sort By
  • Arnaud_Lemaire's avatar
    Arnaud_Lemaire
    Icon for Employee rankEmployee
    Oct 16, 2014

    Hello, one complexity is that the DNS resolution for your sas fqdn may change.

     

    So may need to use an irule to do a resolve lookup and assign a node dynamically .

     

    Alternative could be to use http explicit proxy feature in 11.5 if your application allows it.

     

  • Jason_40733's avatar
    Jason_40733
    Icon for Cirrocumulus rankCirrocumulus
    Oct 16, 2014

    You can always just setup an outbound NAT rule on the load balancers for the "server1" and the other servers. Add a route on "server1" for the Cloud Application destination that points to the floating self-IP on the LTM pair.

     

    Alternately, you could make the LTM floating IP the default route for the servers that need to reach the Cloud Application. The NAT rule on the load balancers would be the same.

     

    I would avoid trying to create a Virtual server on the LTM for the Cloud Application. Simply because you are load balancing across a WAN (performance concerns with scalability) and you have no control over the remote services.

     

    But this NAT setup can be done with most firewalls and do not necessarily require an F5. Unless the F5 is already being used in this capacity, you might be better off getting NAT done by the firewall team.

     

    Jason