Forum Discussion
Tabish_Mirza_12
Nimbostratus
The customer wants to see the original source IP of the client on the web servers. The web servers are HTTPS based. As far as I know, I cannot go for a One-Arm mode design because in One-Arm the client source IP will change. In inline-routed mode (two-arm), if we cannot use the same subnet on both interfaces, then we have to change either the web servers' IPs or the DMZ interface IP, because currently the servers are using the DMZ interface IP as their default gateway. Please advise.
Jason_40733
Oct 07, 2013
Cirrocumulus
Quick clarification of terminology.
One arm: F5 has a single interface for processing traffic.
Two arm: F5 has an "external" and an "internal" interface for processing traffic. These are typically two different subnets on two different VLANs.
nPath routing: Incoming traffic comes into the F5 load balancer but does not return via the F5. This limits load balancing options.
Note: You can do nPath routing in EITHER a one-arm or a two-arm solution.
Note: The differences between one-arm and two-arm solutions are only the subnets, IPs, VLANs, etc. There is no difference in how the F5 is able to manipulate or direct traffic.
Even if the web servers are serving ONLY HTTPS, the same certificate can be loaded on the F5 and used to decrypt the data; then you add a server-side SSL and the connection to the web servers will be re-encrypted. This is more load, as you are decrypting and encrypting on the F5 on the way in and the way out, but it is a functional way to move data that preserves all load balancing methods.
A one-arm design does NOT have to change the source IP. Whether the source IP changes is determined by whether or not you have the virtual server set to do SNAT (Source Network Address Translation).
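The two points in the reply above (SNAT decides whether the source IP is rewritten, and a client-side plus server-side SSL pair decrypts and re-encrypts) can be checked against a saved configuration. This is an added example, not part of the original posts or any F5 tooling; the virtual server names, addresses and the `audit_virtuals` helper are constructed for illustration, and it assumes SSL profiles carry "ssl" in their names.

```python
import re

# Constructed sample in bigip.conf style; all names and addresses are made up.
SAMPLE_CONF = """
ltm virtual vs_web_snat {
    destination 192.0.2.10:443
    pool pool_web
    profiles {
        clientssl { context clientside }
        serverssl { context serverside }
    }
    source-address-translation { type automap }
}
ltm virtual vs_web_nosnat {
    destination 192.0.2.11:443
    pool pool_web
    profiles {
        clientssl { context clientside }
        serverssl { context serverside }
    }
    source-address-translation { type none }
}
"""

def audit_virtuals(conf):
    """Map each virtual server name to its SNAT type and SSL handling."""
    report = {}
    for m in re.finditer(r"^ltm virtual (\S+) \{", conf, re.M):
        depth, end = 1, m.end()
        while depth and end < len(conf):      # walk braces to the stanza's end
            depth += {"{": 1, "}": -1}.get(conf[end], 0)
            end += 1
        body = conf[m.end():end]
        snat = re.search(r"source-address-translation\s*\{\s*type\s+(\S+)", body)
        # Assumption: a stanza with no SNAT block is treated as type "none".
        snat_type = snat.group(1) if snat else "none"
        # Assumption: SSL profiles are recognised by "ssl" in the profile name.
        sides = set(re.findall(r"\S*ssl\S*\s*\{\s*context\s+(\w+)", body))
        report[m.group(1)] = {
            "snat": snat_type,
            "servers_see_client_ip": snat_type == "none",  # F5 leaves source IP as-is
            "reencrypts": {"clientside", "serverside"} <= sides,
        }
    return report
```

Calling `audit_virtuals(SAMPLE_CONF)` flags `vs_web_snat` as rewriting the client address and `vs_web_nosnat` as leaving it intact, with both re-encrypting to the pool.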