Forum Discussion

2funky_105078
Apr 29, 2014

GTM working over the Internet

Hello,


I have 2 questions about a new design of Global Load Balancing over the Internet with our BigIPs devices configured in our corporate DMZs:


1) My understanding is that TCP/22, TCP/443 and TCP/UDP/4353 should be opened over the Internet to create a fully meshed communication matrix among all LTMs/GTMs around the world. But is it feasible that these 3 ports are open on every firewall on the Internet?


2) If we open these 3 ports on our LTM/GTM devices, is there an official hardening document on how to protect these ports from exploitation from the Internet?


PS: If, for whatever vulnerability, one of our BigIPs is hacked to obtain root access, then among all the worst things, the BigIPs have no clearly separate management interface and an attacker could hack other devices in the inside network. Is it a major design security flaw not to have a separate management interface on F5 boxes?


4 Replies

  • Hamish

    I think you're possibly misinterpreting the comms. The ports should be opened ONLY between your OWN GTMs... Not other people's.


    These ports are used for syncing config and state between your GTMs, and between your GTMs and your LTMs.


    Any access from the outside world is port 53 (UDP and TCP) only. UDP/53 always, TCP/53 generally where queries or responses are too large for a 512-byte UDP response (or zone transfers, but that doesn't necessarily mean a lot for GTM).


    H


  • Hi H


    So you think that I would be able to establish TCP/22, TCP/443 and TCP/UDP/4353 communications over the Internet among our GTMs/LTMs without anyone blocking me?


    For example, if any device in between ever NATs my IP to another IP, I may fall back to opening to any IP to be sure to have communication working. But still, I may be wrong, I doubt it could work for 4353 to pass via multiple countries...


  • Hamish

    Between your own devices in your own data centres? Why would anyone block you? (Unless you're in a country with some censoring country firewall)


    H


  • Hamish

    Yes... That's correct... The internet would break otherwise if transits started to block random ports...


    The only people who do that are some consumer-orientated ISPs. 'Protecting' their clients...


    H
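As an added check (not from the thread, and not an F5 tool), here is a small Python audit of the split Hamish describes in his first reply: TCP/22, TCP/443 and TCP+UDP/4353 restricted to your own GTM/LTM peers, UDP/53 and TCP/53 open to the Internet. The peer ranges and the rule list are constructed sample values.

```python
# Added example: audit a DMZ firewall allowlist against the GTM design in the
# thread. Peer-only ports must admit only your own BIG-IP ranges; DNS must be
# reachable from anywhere. Not F5 code; rule format is a hypothetical one.
import ipaddress
from dataclasses import dataclass

# Ports used only between your own GTMs/LTMs (from the thread).
PEER_ONLY_PORTS = {("tcp", 22), ("tcp", 443), ("tcp", 4353), ("udp", 4353)}
# Ports arbitrary Internet resolvers must be able to reach.
PUBLIC_PORTS = {("udp", 53), ("tcp", 53)}


@dataclass(frozen=True)
class Rule:
    source: str  # CIDR the rule permits, e.g. "0.0.0.0/0"
    proto: str   # "tcp" or "udp"
    port: int


def audit_allowlist(rules, peers):
    """Return a list of findings; an empty list means the policy matches the
    design. `peers` are the CIDRs of your own GTM/LTM devices."""
    peer_nets = [ipaddress.ip_network(p) for p in peers]
    findings, public_seen = [], set()
    for r in rules:
        src = ipaddress.ip_network(r.source)
        key = (r.proto.lower(), r.port)
        if key in PEER_ONLY_PORTS:
            # Every address the rule admits must fall inside a known peer range.
            if not any(src.subnet_of(n) for n in peer_nets if n.version == src.version):
                findings.append(f"{key[0]}/{key[1]} allowed from {r.source}: restrict to GTM/LTM peers")
        elif key in PUBLIC_PORTS:
            if src.prefixlen == 0:  # 0.0.0.0/0 or ::/0
                public_seen.add(key)
        else:
            findings.append(f"{key[0]}/{key[1]} from {r.source}: not part of the GTM design, review")
    for proto, port in sorted(PUBLIC_PORTS - public_seen):
        findings.append(f"{proto}/{port} is not reachable from the Internet: GTM DNS will not answer")
    return findings


PEERS = ["203.0.113.0/28", "198.51.100.16/28"]  # constructed: your own DMZ ranges
# Constructed allowlist with two mistakes: udp/4353 open to the world, tcp/53 missing.
SAMPLE_RULES = [
    Rule("203.0.113.0/28", "tcp", 22), Rule("198.51.100.16/28", "tcp", 443),
    Rule("203.0.113.0/28", "tcp", 4353), Rule("0.0.0.0/0", "udp", 4353),
    Rule("0.0.0.0/0", "udp", 53),
]

if __name__ == "__main__":
    for finding in audit_allowlist(SAMPLE_RULES, PEERS):
        print(finding)
```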