Forum Discussion

wilko_113503's avatar
wilko_113503
Jun 06, 2011

Moving ASM to Standalone Configuration

Can anyone please assist me on this.

 

 

We have an exisitng HA Pair of 3600's running LTM and ASM on Version 9.4.8, we want to split the functionaility and run ASM on an additional HA pair of 6400's on Version 10.

 

 

I have seen two methods, one in the deployment guides called

 

Deploying the BIG-IP LTM with Multiple BIG-IP Applications Security Managers.pdf

 

 

The second being: sol9372 - Configuring BIG-IP ASM in transparent bridge mode

 

 

 

Can anyone point me in the right direction here on which would be the recommended path to achieve this?

 

 

Thanks

 

 

 

 

APM
app sec
security

4 Replies

Sort By
  • Mike_Maher's avatar
    Mike_Maher
    Icon for Nimbostratus rankNimbostratus
    Jun 06, 2011
    I can tell you that we have something similar currently deployed. Our LTMs and ASMs are on seperate hardware. Basically we run LTMs and ASMs in our DMZ and then LTMs on the internal network in front of the servers. So the traffic for an external facing web application hit the LTM gets load balanced to an ASM and the ASM runs the traffic through policy, then sends the traffic to an internal LTM pool which load balances it to a server. This design has worked pretty well for us. Let me know if you have any specific questions

     

  • wilko_113503's avatar
    wilko_113503
    Jun 06, 2011
    Thanks so if you check page 3 on the deployment guide;

     

    http://www.f5.com/pdf/deployment-guides/big-ip-ltm-asm-dg.pdf

     

    Do you have something like this?

     

     

    So on your LTM you have all your Virtual servers defined "exterior" the traffic is then passed onto the ASM which runs its policy on the traffic, then sends traffic to an internal virtual server or pool back up to the LTM that then load balances to your web servers?

     

     

    Are your ASM's in an Active/Active setup behind the exterior Virtual server on the LTM?
  • Mike_Maher's avatar
    Mike_Maher
    Icon for Nimbostratus rankNimbostratus
    Jun 06, 2011
    Similar but actually our external and internal LTMs are physically seperate devices. The externals live in a DMZ behind our firewall and the internals, obviously live behind a firewall on our internal network.

     

     

    Yes our ASMs are both Active behind the external LTM.

     

     

    I guess it would depend how you feel about the security of VLANing if you wanted to use the design concept in this document. Personally I prefer the physical separation of the 2 LTMs. From a security perspective having the external LTM out in a DMZ allows us to only allow the ASMs access to the internal LTM. I would rather have the external traffic stop in the DMZ and be proxied by the ASM, that way the external requests are never directly going to a device on our internal network.

     

  • wilko_113503's avatar
    wilko_113503
    Jun 06, 2011
    Thanks Mike

     

     

    We currently have LTM and ASM running on the same unit anyway but will take the security concern into consideration.

     

     

    Does anyone know if F5 are able to exchange the LTM licenses that the new units came with for ASM licenses?