Forum Discussion

Ed_27995
Jul 02, 2008

Need load balanced servers to be externally accessible

Hi DevCentral,

I have load balanced application servers set up in the following fashion:

 

 

                PIX
                 |
                LTM
                 |
      ------------------------
      |          |           |
    NodeA      NodeB       NodeC

The app servers have their default gateway addresses set to the IP address of the virtual server on the BigIP. Load balancing is currently working, but due to a change in the way a component of the application works, the servers need to be externally accessible via their fully-qualified domain names.

 

 

The current virtual server config includes an automap SNAT pool that was implemented to force single-signon requests from a portal server in the same subnet to be routed back through the traffic manager. User sessions are tracked via cookie persistence.

The users will interact with the app via appname.domain.edu, but the changed application component will be referencing servername.domain.edu to load. Based on this, it looks like I will need to completely change the load balancing setup - I will need the servers to have our router address as the default gateway again so they can be accessed from outside the network, and that will require a SNAT to get responses from the server to route back through the traffic manager.

Do I have a correct understanding of how F5/BigIP SNAT works? Is the automap SNAT enough to keep sessions routing through the traffic managers for session persistence, or will I need to configure SNAT beyond the automap?

 

1 Reply

  • Sounds to me like you are understanding it pretty well. SNAT just changes the source IP of an incoming packet to an address on the BIG-IP, so that when the packet is handed to the destination server, that server will respond directly to BIG-IP because it "thinks" BIG-IP is the client.

    SNAT is required in cases like yours, because the default behavior of BIG-IP is to preserve the original client's IP address when the packet is forwarded to the destination server; if it did that in your case, the server would then respond to its default gateway to get directly back to the client, and the client would then drop the packet because it doesn't know it's talking to that server, it thinks it's talking to the BIG-IP virtual server.

    Automap simply means that BIG-IP will choose its own Self-IP as the address that it changes the source to (whichever Self-IP is appropriate given the destination). A regular SNAT lets the administrator choose what IP is used for the SNAT, and a SNAT pool allows for multiple SNAT addresses to be chosen (usually only needed in situations where there could potentially be enough traffic to use up all of the 65535 ephemeral ports on one IP address).

    Hope that helps,

    Denny
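
The return-path reasoning in the reply above, as an added example that is not part of the original thread: a small Python model of one connection through the virtual server, with and without SNAT automap, for a server whose default gateway is either the BIG-IP or the router. All addresses are constructed (documentation and private ranges), and the names `simulate`, `Packet`, `"ltm"` and `"router"` are hypothetical labels for this sketch.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample addresses, not taken from the thread.
CLIENT = "198.51.100.7"                   # external user
VIP = "203.0.113.10"                      # virtual server the user connects to
SELF_IP = "10.0.0.2"                      # BIG-IP self IP on the server VLAN
NODE = "10.0.0.11"                        # pool member (e.g. NodeA)
SERVER_NET = ip_network("10.0.0.0/24")    # subnet shared by nodes and self IP


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def simulate(snat_automap: bool, server_gateway: str) -> dict:
    """Trace one request/reply; server_gateway is 'ltm' or 'router'."""
    request = Packet(CLIENT, VIP)
    # BIG-IP always rewrites the destination to the chosen pool member.
    # With SNAT automap it also rewrites the source to its own self IP;
    # otherwise the original client address is preserved.
    to_node = Packet(SELF_IP if snat_automap else request.src, NODE)
    # The server answers whatever source address it saw.
    reply = Packet(NODE, to_node.src)
    # An on-link destination (the self IP) is delivered straight to BIG-IP;
    # anything else is handed to the server's default gateway.
    on_link = ip_address(reply.dst) in SERVER_NET
    next_hop = "ltm" if on_link or server_gateway == "ltm" else "router"
    if next_hop == "ltm":
        # BIG-IP matches its connection table and restores VIP -> client.
        reply = Packet(VIP, CLIENT)
    # The client only has a connection open to the VIP, so a reply that
    # arrives from the node's own address matches nothing and is dropped.
    accepted = (reply.src, reply.dst) == (request.dst, request.src)
    return {"server_sees": to_node.src, "return_via": next_hop,
            "client_accepts": accepted}


if __name__ == "__main__":
    for snat, gw in [(False, "ltm"), (False, "router"), (True, "router")]:
        print(f"snat_automap={snat!s:5} gateway={gw:6} ->", simulate(snat, gw))
```

The `server_sees` field shows the side effect of SNAT: the pool member's logs record the BIG-IP self IP as the source rather than the user's address.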