Migrating Servers from One-Armed to Routed Configuration
BIG-IP 2000s with only ASM
I've got an HA pair of BIG-IP 2000s in our DMZ supporting several servers via a one-armed configuration with SNAT enabled. The servers bypass the BIG-IPs when sending email, causing the external firewall to be reported as the source address for outbound traffic. This led to mail being dropped by certain external mail servers when reverse DNS lookups failed (our external firewall is NATing our DMZ).
It seems the only solution is to make the BIG-IP the gateway for the affected servers, which means configuring an additional VLAN on the BIG-IPs and migrating the servers.
Is there an alternative?
Management access to the servers is a concern because they each have only one NIC. One option is to configure server NICs to trunk the DMZ and new VLAN, but I've read it's considered best practice to only support one network to a DMZ server. If I implement the best practice solution, I'll have to create virtual server profiles permitting only management traffic sourced from our internal network.
Thoughts?