At one of my clients, I am tasked with setting up a 1500 series LTM as a reverse proxy for all of the company external facing websites. LTM is being looked for less of a load balancing function and more of http proxying and secure application layer. I have done similar setup using Microsoft ISA Proxy Server but never used LTM for this role. Are there any guidelines around this setup or like solution guides? If any one has quick understanding of the design, please share it here. Any help is greatly appreciated. Thanks--Chenna

Just treat it as normal really... Think of the reverse proxy as really just load balancing over one backend... Since the number of backends is pretty much irrelevant (Assuming you can do persistence, and since you say web servers you can do active cookies), you can forget that bit. The more important question is what functionality do they want to achieve from using the 'reverse proxy'? Client Authentication? No problem, it's a separate license module though I think... Authorisation? Hmm... That's a good question... I'm not sure how you'd do something like lookup arbitrary attribute sin an external LDAP (Or similar) directory for authorisation decisions... You may still need some external web host to do the authorisation lookups for you... And then scrape the results from the reply and put them in persistence records for later... Hmmm... I wonder if iRules are flexible enough to do a separate lookup itself against an auth service then direct the user request based on the results of that... Anyone? H

Thanks for the response. Actual requirement is something like this: Internet | | External Firewall | | F5 LTM | | Internal Firewall | | Servers Excuse my poor drawing skills. F5 will be acting like a DMZ between actual servers and internet users. For the most part, its a straight forward configuration where in requests come in from internet, land on the firewall, get NATed to a private IP which is local only between F5 and Ext Firewall, gets to F5, F5 will have a VIP listening on the NATed IP and F5 sends to internal firewall, internal firewall NATs it again to the actual core IP on the server VLAN and send to servers. I don't know if this is a feasible solution yet since this is all in the POC stage right now. Please give your recommendations.

Yes it's feasable, but why are you NAT'ing so many times*? Is there a problem with your network numbering? Supporting legacy addresses where people haven't configured things correctly? One thing I would note is that I'd normally configure the F5 directly in front of the servers. (Usually by moving the serves to a DMZ behind the F5's). The internal firewall doesn't seem to be gaining you anything... (** Assuming this is a new requirement and not simply a new requirement to load balance existing internal only servers from external). e.g. Internet -> Firewall -> (F5 -> Servers) all in a DMZ. or Internet -> Ext Firewall \ F5 -> DMZ with Servers / Internal -> Internal Firewall (So the F5 becomes the router to/from your DMZ's). More info as to your reasoning & what can or can't be altered may help... H * - I don't adhere to the commonly mis-stated view that NAT'ing is automatic security...

I used to work in a telco and my setup is something like hamish mentioned. I placed a pair of Apache Reverse Proxy servers in the DMZ who will then direct traffic to App tier servers (in the backend). I guess this is the best and cleanest. Now that I am in another company, I seem to have similar requirement as dchenna, that is, using F5 as the reverse proxy server. I think it is feasible and am still figuring out how to do it since F5 needs to see the servers that are configured in the pool. Anyone can help?

Hi, I am looking to do something similar and was wondering how the OP went with their implementation. Thanks.

F5 LTM as Reverse Proxy

17 Replies

nitass
Employee
May 19, 2014
Checked SSL dump traffic via command line at LB and found that handshake is being done between both LB instances (PROXY-LB and int-LB) but final RST packet seen

who sends reset? if it is bigip, can you try this?

sol13223: Configuring the BIG-IP system to log TCP RST packets

http://support.f5.com/kb/en-us/solutions/public/13000/200/sol13223.html
Kevin_Stewart
Employee
May 19, 2014
Okay, so given your architecture:

Internet --> Ext FW --> F5 LB doing Proxy --> Int FW --> F5 LB --> Pool Member

I'm guessing that you're terminating SSL at the external LB, re-encrypting, and then decrypting again at the internal LB? In which case your internal FW is simply forwarding SSL traffic? Have you assessed that non-SSL traffic works? Do you see traffic on both sides of both VIPs?

For what it's worth, I wasn't suggesting you remove the external firewall, but rather the one after the proxy LB (internal FW).

Internet --> Ext FW --> F5 LB doing Proxy --> Pool Member
Neeraj_Jags_152
Cirrus
May 19, 2014
the below is the output

where C -- means - Proxy LB,,,, S -- means internal LB and this I believe monitor (polling) traffic.

ssldump -nr /var/tmp/AIA_8002_proxy_issue.pcap
New TCP connection 1: 10.160.193.15(18243) <-> 10.160.198.10(8002)
1 1 0.0009 (0.0009) C>S Handshake

ClientHello Version 3.1 cipher suites --------------------------------- compression methods unknown value NULL

1 2 0.0009 (0.0000) S>C Handshake

ServerHello Version 3.1 session_id[32]= a3 0f 9f 8f 73 b1 d6 39 a6 7c 37 ef 51 a9 67 b8 30 d0 05 23 db 0d 47 e3 34 f5 17 73 81 57 d5 82 cipherSuite TLS_RSA_WITH_RC4_128_SHA compressionMethod NULL

1 3 0.0009 (0.0000) S>C Handshake

Certificate

1 4 0.0009 (0.0000) S>C Handshake

ServerHelloDone

1 5 0.0023 (0.0014) C>S Handshake

ClientKeyExchange

1 6 0.0023 (0.0000) C>S ChangeCipherSpec

1 7 0.0023 (0.0000) C>S Handshake

1 8 0.0044 (0.0020) S>C ChangeCipherSpec

1 9 0.0457 (0.0412) S>C Handshake

1 10 0.0467 (0.0010) C>S application_data

1 0.0485 (0.0017) S>C TCP RST
Neeraj_Jags_152
Cirrus
May 19, 2014
above exchange shows... From Client (Proxy LB) to Server (int LB) reachable

RST could be because of the this is monitor traffic so after exchange it RST the packet.

but why the POOL shows down then ?
Kevin_Stewart
Employee
May 19, 2014
The "application_data" in the capture indicates that the SSL handshake is probably okay. Can you remove the monitor until you have data flowing correctly? With the monitor removed, now look on the server side of the internal LB for traffic. Do you see data flowing to the server? Do you see either party reset the connection?
Neeraj_Jags_152
Cirrus
May 19, 2014
I have removed the Monitor, but the Proxy LB (POOL) is still do not work. Need to raise F5 ticket...

Kevin_Stewart

Employee

May 19, 2014

So just to level set, is this how you have it configured?

- Client passes request through the external FW to the external LB VIP (defined IP and port)
- External VIP passes traffic to a pool, which is a VIP on the internal LB (through the internal FW)
- Traffic arrives at internal LB VIP and is then passed to a pool, which is the web server(s)

If this is correct, where do you NOT see traffic?

client to external LB VIP?
external LB to internal LB VIP?
internal LB to server?

Forum Discussion

F5 LTM as Reverse Proxy

17 Replies

Recent Discussions

What happens if I only enable ASM in BIG-IP Under System > Resource Provisioning

URL

Migration from i series 10200 with 1 child VCMP to r series 10900 series

Azure DP-100 Exam Questions

Deploying F5 WAF in front of Azure Web App Services

Related Content

Reverse Proxy via iRules

find source ip address after reverse proxy

SSL Proxy

Reverse Proxy vs F5 LTM

Citrix ICA proxy solution in F5 LTM