LTM to LTM transparent proxy (triangulation)

Question

We have a situation where we want to use 3 physically separate (but same datacenter) LTM clusters (but with no http redirects (301,302) whatsoever to serve 2 distinct websites using a single website hostname   
&nbsp; Definitions:  
&nbsp; LTM 'A' = pair of bigip (active/standby - fault tolerant )  
&nbsp; LTM 'B' = different pair of bigip (active/standby - fault tolerant )  
&nbsp; LTM 'C' = yet a another pair of bigip (active/standby - fault tolerant )  
&nbsp; So client would make connection to LTM 'A' using immutable www.website.com.   
&nbsp; LTM 'A' would look for presence of cookie (controller by actual web servers) and transparently proxy/forward/triangulate that connection (without http redirect) to either LTM 'B' (b.website.com) or LTM 'C' (c.website.com)   
&nbsp; depending on which the cookie indicated   
&nbsp; p  
&nbsp; However, from the client's perspective they should interact only with www.website.com the entire time, regardless of which backend LTM they are actually using.   
&nbsp; And the client should never be redirected, but always talking to LTM A using initial TCP session.   
&nbsp; Now I know this is cinch with 1 LTM and a few local pools with the ProxyPass iRule, but that doesn't work for us because we need to diversify our load among the physically separate LTM clusters. All 3 LTM clusters are in same datacenter  
&nbsp; So one superheavy used site is on 1 LTM (b.website.com), other superheavy used site is on other LTM (c.website.com), and the third LTM acts as traffic/tcp session director and a single point of contact for the clients  
&nbsp; So we want LTM A to transparently proxy connections to both LTM B and LTM C.  
&nbsp; Only LTM B and LTM C would actually have real servers (serving the actual unique website content)  
&nbsp; If LTM B went down, then LTM C's website would still work.(via LTM A)   
&nbsp; If LTM C went down, then LTM B's website would still work (via LTM A).   
&nbsp; Additionally, client can choose to connect directly to "b.website.com" and/or "c.website.com" and they will get that website (effectively bypassing LTM 'A')  
&nbsp; By design, LTM A would be mission critical for both websites to be accessible via www.website.com  
&nbsp; Reason for this all is we are not able to change the hostname that the client is requesting and we are not allowed to do any http redirects.  
&nbsp; Additionally, we want to diversify risk/load across all 6 of the loadbalancers (2 in each LTM cluster)  
&nbsp; Any thoughts on the approach for this would be appreciated  
&nbsp; Thanks   
&nbsp; Matt

matt_breedlove_ · Answer

Any help would be appreciated 
&nbsp;  
&nbsp; Thanks

ian_smith · Answer

enable passive cookie persistence on all the LTM http virtual servers or in your iRules. &nbsp;

l4l7_53191 · Answer

I may be missing something, but why not use GTM here? As it stands it sounds like you'll essentially shift most all of the risk up to the A pair of LTMs, which may be contrary to  your goals. If you're looking to distribute traffic across the pairs, GTM is a killer tool that will solve this problem easily. You'd create a www.website.com "wide IP" that would actually distribute users to all three pairs of LTM, and you can apply persistence, monitoring (at layer 7, real handy), rules, etc... 
&nbsp;  
&nbsp; Would this work for you? 
&nbsp;  
&nbsp; -Matt

dennypayne · Answer

I agree with Matt that GTM is the ideal solution here for the reasons he described.   
&nbsp;  
&nbsp; However, you could potentially configure LTM A to have the virtual for www.website.com pointing to a pool with 2 members that are the virtual servers on LTM B and C respectively.  Then the connections would be farmed out to B and C based on whatever lb algorithm is defined on that pool.  LTM A doesn't "know" that those aren't physical hosts. 
&nbsp;  
&nbsp; The downside is that you will have to SNAT on LTM A.  Otherwise, when the packets are sent through to the real servers behind B and C, they will be sent in response directly back to the client, bypassing LTM A on the return, and the clients will drop them.  So you will lose visibility to the original client source IP on the nodes, which may or may not be a big deal for you, depending on whether they are currently logged and/or used for Webtrends (or similar). 
&nbsp;  
&nbsp; Denny

Forum Discussion

LTM to LTM transparent proxy (triangulation)

4 Replies

Recent Discussions

F5Access | MacOS Sonoma

Rewrite uri translation not working

Chrome V 124+ on MacOS - Virtual Server Access Issue

Transaction looks successful but file not downloading

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

Related Content

Integrating SSL Orchestrator with McAfee Web Gateway-Transparent Proxy

Integrating SSL Orchestrator with Symantec ProxySG: Transparent Proxy

Integrating SSL Orchestrator with CheckPoint Firewall VM-Transparent Proxy

Transparent Load Balancing in Azure

Transparent proxy virtual servers