Rajesh_07_16489
Jan 13, 2015

Loadbalancing proxies

Could you please suggest f5 configurations, such as profiles and health monitors, to be used to load balance outbound traffic across a pair of Bluecoat proxies? What is needed in f5 to make sure that outbound traffic and return traffic both go through f5?

 

My workflow is: Internal users -> f5 -> Pair of Forward Bluecoat Proxies -> Internet

 

The health check should be configured to monitor both the Bluecoat proxy's availability and the Internet reachability of the Bluecoat proxy. If the Bluecoat proxy is down and it is unable to reach the Internet on its own, only then should f5 consider the health check failed. (We have this in our environment, but I am not sure how it is done.)

 

Thanks in advance for your support

 

7 Replies

  • Arie

    You might be able to use a monitor that requests a response from a known Internet resource, like this one:

    ltm monitor http /Common/bluecoat_www_check_HTTP1.1_200-OK_http {
        defaults-from /Common/http
        destination *:*
        interval 5
        recv "HTTP/1.1 200 OK"
        send "HEAD / HTTP/1.1\\r\\nHost:www.bluecoat.com\\r\\n\\r\\n"
        time-until-up 0
        timeout 16
    }
    

    If the Bluecoat handles this the same way as it would a regular client request this would tell you whether it still has a connection to the internet. Of course, if www.bluecoat.com goes down your clients won't be able to get to the internet...

    Does the Bluecoat have its own monitor to detect connectivity to the internet? If so, you could create a monitor that reads that status directly from the Bluecoat.

  • Thank you Arie. What are the recommended profiles in such a scenario? Should a TCP profile alone be enough in f5?

     

  • Arie

    Monitors aren't used by the VIP, but by the pool (or the node, but I would limit those to very simple checks).

     

    In this case, the pool would use the monitor to check the health of the pool members. If you were to use the monitor I included above you'd simply be making an HTTP request (TCP, port 80). However, as that monitor would make a single external site a dependency for all your internet requests from internal clients I would be hesitant to use it. You could mitigate this dependency to a degree by creating multiple monitors (accessing different properties on the internet) and requiring only one check to pass.

     

    Have you been able to determine if the Bluecoat boxes can tell you whether they have connectivity to the Internet?

     

  • Hi Arie,

     

    I completely understand your points with regard to monitors. I am sorry that my question was vague when talking about profiles.

     

    I have seen that a TCP profile alone is attached to the VIP in our environment for load balancing proxies. My question was, do we need any other profiles attached to the VIP, or is the TCP profile alone enough?

     

    Also, I have seen that external monitors are used in our environment. Could you please help me understand a little bit about external monitors, and can we see this in version 10.x.x?

     

    Responding to your question on the Bluecoat health check to test Internet connectivity: "YES", Bluecoat has its own health monitor to check Internet access, but there are very limited conditions on health failure.

     

    Thanking you in advance

     

  • Arie

    Rajesh,

     

    Regarding additional profiles the answer would be that it depends. If you want to examine the traffic you'll need to add profiles, for instance. However, if load-balancing is the only thing you do there probably is no need for additional profiles.

     

    Deb Allen has written an excellent article on external monitors: https://devcentral.f5.com/articles/ltm-external-monitors-the-basics

     

    The wiki is located at https://devcentral.f5.com/wiki/AdvDesignConfig.ExternalMonitor.ashx.

     

    Depending on how you can access the Bluecoat status you may be able to use an internal monitor. If that doesn't work it's likely that an external monitor can provide a solution.

     

  • Hi Guys,

     

    Health monitor works fine. Just an additional comment on this: also make sure Bluecoat rules are in place, i.e. web authentication bypass & policy for the self IP of F5, and URLs are allowed to go out to the Internet. Thanks
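
The idea raised in the thread of checking several Internet sites and requiring only one to pass can also be written as a single LTM external monitor. The script below is an added example, not code posted by anyone in the thread; the probe URLs, the function names and the use of curl are assumptions.

```shell
#!/bin/sh
# Added example: LTM external monitor for a forward-proxy pool member.
# LTM runs an external monitor with $1 = member IP (IPv4 arrives as
# ::ffff:a.b.c.d) and $2 = member port. Any output on stdout marks the
# member up; no output marks it down.

# Constructed probe targets (assumption): replace with sites you may poll.
PROBE_URLS="${PROBE_URLS:-http://www.example.com/ http://www.example.net/ http://www.example.org/}"

# Strip the IPv6-mapped prefix LTM puts in front of IPv4 addresses.
member_ip() {
    printf '%s\n' "${1#::ffff:}"
}

# Send one HEAD request THROUGH the proxy. Only a 2xx status passes.
# Anything else fails, e.g. a 407 authentication challenge or a 5xx error
# page from the proxy. Redirects are not accepted, because a proxy may
# answer with a redirect to a login or block page.
probe() {  # probe <proxy_ip> <proxy_port> <url>
    code=$(curl -s -o /dev/null -m 4 -I -x "http://$1:$2" \
                -w '%{http_code}' "$3") || return 1
    case "$code" in
        2??) return 0 ;;
        *)   return 1 ;;
    esac
}

# Succeed as soon as any one probe URL is reachable through the proxy, so
# no single Internet site becomes a dependency for all clients.
proxy_reaches_internet() {  # proxy_reaches_internet <proxy_ip> <proxy_port>
    for url in $PROBE_URLS; do
        if probe "$1" "$2" "$url"; then
            return 0
        fi
    done
    return 1
}

# Entry point: only runs when LTM supplies the member IP and port.
if [ "$#" -ge 2 ]; then
    if proxy_reaches_internet "$(member_ip "$1")" "$2"; then
        echo "up"
    fi
fi
```

Keep the worst case (number of URLs times the curl timeout) below the monitor's timeout, which is 16 seconds in the monitor posted earlier in the thread. A 407 from the proxy makes every probe fail, which is why the authentication bypass for the F5 self IP mentioned in the last reply matters.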