Forum Discussion

AH2011
Nov 08, 2017

Packet and proxy based

Hello All, I need to understand the main differences between packet based and proxy based solutions, in addition to when packet based scenarios will be sufficient. Many thanks for your help.

 

7 Replies

  • Hi,

     

    When you use a packet based solution, the device (like a router or firewall) in the middle of the communication streams just forwards the destination to the endpoint. So there is one connection from client to server. With an access list or firewall rule base you can allow or block traffic. You do not have much control over the traffic passing the device.

     

    When you use a proxy based solution (like F5 BIGIP) there are two connections. One connection from client to F5 BIGIP and one connection from F5 BIGIP to server. This gives you much more control over the traffic passing the BIGIP.

     

    For example, you can have HTTPS on the client side of the connection while the connection to the backend server is just HTTP. So performing SSL Offloading. Or you can use a TCP profile on the client side which is optimized for WAN while the TCP profile on the server side is optimized for LAN.

     

    And when you use iRules, you can do about anything to change the traffic passing the BIGIP.

     

    So if there is no need to change the traffic passing the device in the middle (or maybe it is not allowed by the security policy to 'look' in the traffic flow) you can use a packet based solution.

     

    If you need control over traffic passing the device, you need to use the proxy based solution.

     

    Hope this helps.

     

    Regards, Martijn.

     

    • AH2011

      Hi Martijn,

       

      Many thanks for your time and effort to explain that. I am also wondering if that explanation applies to load balancing using packet based and proxy based, or applies for just one source and one destination setup? Secondly, if a solution makes source IP translation for load balancing, which type will this be? Thirdly, will packet forwarding be sufficient in case of layer 4 load balancing? Thanks in advance.

       

    • Martijn_van_de1

      Hi,

       

      When the device performs some kind of destination NAT-ing, you could say you have packet based load balancing, but in F5 BIGIP the connection to the backend server is a second one so you have proxy based load balancing.

       

      Both types of solution support source IP NAT-ing.

       

      Below is an F5 article explaining the connection setups for different types of virtual servers. Hope this makes things clear to you.

       

      https://support.f5.com/csp/article/K8082standard

       

      Regards, Martijn.
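
The two-connection model described in the replies above, as an added example that is not part of the original thread and is not F5 code: a loopback full proxy in Python where the backend's TCP peer is the proxy's own outbound socket, and the proxy inserts an X-Forwarded-For header because it owns both byte streams. The loopback address, the `app.example` host name and all function names are assumptions made for the demo.

```python
import socket
import threading

HOST = "127.0.0.1"  # constructed loopback lab; nothing here talks to a BIG-IP

def start_backend(seen):
    """Backend: records the TCP peer and the bytes it actually receives."""
    srv = socket.create_server((HOST, 0))
    def serve():
        conn, peer = srv.accept()
        with conn:
            seen["backend_peer_port"] = peer[1]
            seen["backend_request"] = conn.recv(4096)
            conn.sendall(b"HTTP/1.1 204 No Content\r\n\r\n")
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def start_full_proxy(backend_port, seen):
    """Full proxy: terminates the client connection, opens its own to the backend."""
    lsn = socket.create_server((HOST, 0))
    def serve():
        client, client_addr = lsn.accept()                      # connection 1: client -> proxy
        server = socket.create_connection((HOST, backend_port))  # connection 2: proxy -> backend
        with client, server:
            seen["proxy_out_port"] = server.getsockname()[1]
            request_line, rest = client.recv(4096).split(b"\r\n", 1)
            # The proxy owns both streams, so it can rewrite the request in flight.
            xff = b"X-Forwarded-For: " + client_addr[0].encode()
            server.sendall(request_line + b"\r\n" + xff + b"\r\n" + rest)
            client.sendall(server.recv(4096))
        lsn.close()
    threading.Thread(target=serve, daemon=True).start()
    return lsn.getsockname()[1]

def demo():
    """Send one constructed request through the proxy and return what each side saw."""
    seen = {}
    backend_port = start_backend(seen)
    proxy_port = start_full_proxy(backend_port, seen)
    with socket.create_connection((HOST, proxy_port)) as c:
        seen["client_peer_port"] = c.getpeername()[1]
        c.sendall(b"GET / HTTP/1.1\r\nHost: app.example\r\n\r\n")
        seen["response"] = c.recv(4096)
    seen.update(backend_port=backend_port, proxy_port=proxy_port)
    return seen

if __name__ == "__main__":
    print(demo())
```

Because the backend only sees the proxy's socket as its peer, access logs and IP-based controls on the backend need the forwarded header (or equivalent) to recover the original client address.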

       
