Forum Discussion

Bob_10976
Mar 27, 2008

Can't use Remote Desktop to Web Servers

Just to let you know, I didn't set this up; I pretty much inherited everything, and on top of that I'm a bit new to BIG-IP.

I cannot use Remote Desktop (RDP) to connect to my web servers behind the F5 load balancer, running 9.3.0, when we use our VPN client. I can use RDP from web server to web server.

The web servers have the BIG-IP set as their default gateway and all web services are working just fine. If I'm leaving any important details out, please let me know.

Thanks in advance,

Bob

7 Replies

  • BIG-IP is a default deny box, so if it isn't configured to pass specific traffic, it won't. So there needs to be either a NAT that directly maps an external address to each internal web server that you want to connect to, or a forwarding virtual server that allows the BIG-IP to route traffic to its internal network.

    I typically prefer the forwarder over NAT'ing (the easiest way is to just create a wildcard forwarder - a virtual server using the network option, 0.0.0.0, port 0, and change the Type from Standard to Forwarding (IP), and change the protocol from TCP to All Protocols). Your core router will most likely need a static route pointing towards the BIG-IP as the next hop to your internal network.

    Hope that helps,

    Denny
  • Denny,

    Thanks for the quick response.

    I'm a bit confused on both options. With the forwarding server, do I apply that to all VLANs, and is that really safe? Also, my F5's default gateway is set on an interface of the router, so would I still need a static route on the router?

    The NAT'ing almost sounds easier, but when you're talking about an external address, are you saying a private IP address or the external interface address?

    Thanks,

    Bob
  • The wildcard 0.0.0.0 port 0 Virtual Forwarding IP is one part of it.

    However, does your VPN router have routes to the addresses behind the load balancer?

    /cb
  • If you apply the fwd vip to all VLANs, then anybody coming in to the front side of BIG-IP can get forwarded to the internal network, and any server on the inside can also initiate connections outbound to any destination. If you don't want to allow outbound connections, then you could only enable the forwarder on the external VLAN. It basically depends on what your definition of "safe" is as to how granular you want to be about that. :-)

    You'd still probably need the static route because it (or the VPN router) doesn't know where that internal network is, so yes, the def gw on the F5 will take care of the outbound, but inbound won't know how to get to the internal network through the BIG-IP if you don't route it there.

    NAT'ing: you map an address in the external VLAN's IP range to one of the boxes on the inside VLAN. Not sure from your description whether that's a private IP or not. There are no port restrictions on NATs, so I don't consider them any "safer" than the forwarding vip, and they can introduce problems with Active Directory and Windows file sharing if you are trying to do any of that across the BIG-IP. So that's why I favor the forwarding vip approach. If those aren't issues for you, then it's a coin toss.

    Denny
  • Well said. Also, if you want to verify whether traffic is actually going back and forth, then I suggest you use "tcpdump -ni host" on the cmd line on the F5.

    Hopefully this helps

    /cb
  • Deb_Allen_18
    Historic F5 Account
    If you don't want to allow outbound connections then you could only enable the forwarder on the external VLAN.

    In general, you would want to enable the forwarding virtual server ONLY on the VLANs FROM which you want to forward traffic, so conversely, to ONLY allow outbound connections, you'd enable it only on the internal, rather than the external, VLAN.

    hth

    /d
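A concrete version of the wildcard forwarder Denny describes, restricted the way Deb suggests to the VLAN the traffic arrives on, as an added example that is not from the thread: it is written in tmsh for a current BIG-IP (the 9.3.0 box in the question would use the bigpipe shell instead), and the VLAN names, the VPN client subnet 10.99.0.0/24 and the web server network 192.0.2.0/24 are all assumed placeholders.

```tmsh
# Wildcard forwarding virtual server: destination 0.0.0.0, port any,
# type Forwarding (IP), all protocols. It is enabled on the external
# VLAN only, so only traffic arriving from the VPN side is forwarded
# inward; servers on the internal VLAN cannot use it to reach out.
# The source restriction (assumed VPN client subnet) narrows it further
# than the thread's default-deny discussion requires.
create ltm virtual vpn-rdp-forwarder destination 0.0.0.0:any mask any ip-forward ip-protocol any profiles add { fastL4 } source 10.99.0.0/24 vlans-enabled vlans add { external }

# Conversely (Deb's point), an outbound-only forwarder is enabled on the
# internal VLAN instead, since that is the VLAN the traffic arrives from:
# create ltm virtual outbound-forwarder destination 0.0.0.0:any mask any ip-forward ip-protocol any profiles add { fastL4 } vlans-enabled vlans add { internal }

save sys config

# Still required, as Denny notes: the VPN/core router needs a static route
# for 192.0.2.0/24 (assumed server network) with the BIG-IP external self IP
# as next hop, or inbound packets never reach the forwarder.
#
# To verify the flow from the BIG-IP bash shell (Carl's tcpdump suggestion;
# 192.0.2.10 is an assumed server address, 3389 is the RDP port):
#   tcpdump -ni external host 192.0.2.10 and port 3389
#   tcpdump -ni internal host 192.0.2.10 and port 3389
# Packets seen on external but not internal point at the forwarder or its
# VLAN list; packets on neither point at the router's missing route.
```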