Posted By Hamish on 09/07/2010 08:33 AM
That's not fatal. The only requirement is that the F5 see both flows of the TCP connection. So you then have 2 choices.
1. Implement policy based routing such that all traffic FROM the poolmember port on the server is routed via the F5 (Floating IP)
2. Or simply put the F5's floating selfip as the default router.
3. Move the servers off to a dedicated subnet BEHIND the F5...
Option 1 is cleaner... at the expense that some systems won't let you do this... Linux and iptables are pretty simple (I've done it myself; it takes a couple of iptables lines to tag the packets and a tagged-packet routing table entry). Option 2 is not as clean and has the disadvantage that hosts on the same subnet (besides the F5 of course) will be unable to access the load balanced service (that may or may not be a problem for you). Options 2 & 3 also require a wildcard network VS to be created on the F5 and also a route TO the servers via the F5 from the actual router (it starts to get messy on option 2 pretty rapidly).
H
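Hamish's option 1 on a Linux pool member, written out as an added example (this is not code from the thread or from F5): one iptables line marks everything the server sends from the load-balanced port, a dedicated routing table sends marked packets to the F5 floating self IP, and an ip rule ties the two together. The F5 floating self IP 10.1.1.5, pool member port 8080, fwmark 1, table 100 and interface eth0 are assumed values chosen for the example, not taken from the thread.

```shell
#!/bin/sh
# Added example: policy-based return routing for an F5 pool member on Linux.
# Every packet the server emits FROM the pool member port is tagged with an
# fwmark and routed through the F5 floating self IP instead of the subnet's
# normal default router, so the F5 sees both directions of each TCP flow.
# Assumed values (not from the thread): F5 floating self IP 10.1.1.5,
# pool member port 8080, fwmark 1, routing table 100, interface eth0.

# Print the three commands for the given parameters without running them.
#   $1 F5 floating self IP   $2 pool member port
#   $3 fwmark (default 1)    $4 routing table (default 100)
#   $5 interface (default eth0)
pbr_rules() {
    f5_floating="$1"
    svc_port="$2"
    mark="${3:-1}"
    table="${4:-100}"
    iface="${5:-eth0}"
    cat <<EOF
iptables -t mangle -A OUTPUT -p tcp --sport ${svc_port} -j MARK --set-mark ${mark}
ip route add default via ${f5_floating} dev ${iface} table ${table}
ip rule add fwmark ${mark} lookup ${table} pref 100
EOF
}

# The reverse of pbr_rules, for rollback.
pbr_undo_rules() {
    f5_floating="$1"
    svc_port="$2"
    mark="${3:-1}"
    table="${4:-100}"
    iface="${5:-eth0}"
    cat <<EOF
ip rule del fwmark ${mark} lookup ${table} pref 100
ip route del default via ${f5_floating} dev ${iface} table ${table}
iptables -t mangle -D OUTPUT -p tcp --sport ${svc_port} -j MARK --set-mark ${mark}
EOF
}

# Apply the generated commands (needs root); stops at the first failure.
pbr_apply() {
    pbr_rules "$@" | sh -e
}

# Ask the kernel which next hop a marked reply to CLIENT would take.
# The output should show "via <F5 floating IP>", not the subnet router.
#   $1 client address   $2 fwmark (default 1)
pbr_check() {
    ip route get "$1" mark "${2:-1}"
}

case "${1:-}" in
    show)  shift; pbr_rules "$@" ;;
    apply) shift; pbr_apply "$@" ;;
    undo)  shift; pbr_undo_rules "$@" | sh -e ;;
    check) shift; pbr_check "$@" ;;
esac
```

Use `sh pbr.sh show 10.1.1.5 8080` to review the commands, `apply` as root to install them, and `check <client address>` afterwards to confirm the kernel picks the F5 as the next hop for marked traffic. The mangle OUTPUT chain only sees locally generated packets, which is exactly the server's replies; `pref 100` places the rule ahead of the main table lookup so it is consulted first. `iptables -A` appends on every run, so inspect `iptables -t mangle -S OUTPUT` before re-applying, and none of this survives a reboot unless it goes into the distribution's network startup.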
So let me outline the specifics of this solution.
The F5 receives the traffic via a VS, which is then sent to a Switchware device on the same subnet. The device has a router in front with the same subnet address and has a route pointing back to the F5 to reach the handheld devices. The F5 forwards this traffic through a firewall to reach this network.
The solution is basically for SSL offloading, so the devices can connect through SSL for some encryption; the F5 then forwards this traffic, after offloading the SSL, to the server, which requires all connecting IPs to be shown; the server is to send this back to the F5 for re-encryption and sending to the handheld.
I hope this helps, because I've been taxing myself trying to get this thing working.