Forum Discussion

CSOC_146480
Feb 19, 2016

GTM to resolve WWW proxies for clients - LTM required?

Hello,

We are currently changing from using the F5 as an explicit proxy to load balancing to upstream WWW proxies only, such that clients proxy to the upstream devices.

 

I have config working to do this as: client proxy.pac ---> proxy = proxy1.acme.uk ---> GTM resolve wide ip proxy1.acme.uk ---> pool --> 3 x VS each containing one proxy

 

There are three GTMs in total. The LTM VS live on the same BigIPs.

 

In the above configuration client proxy IP is resolved to the LTM VS chosen by the GTM. We are forced to use SNAT pools and XFF for WWW proxy identity awareness.

 

My question is, do we need to use LTM at all if we just need to resolve clients to a proxy IP? The aim is to resolve proxy1.acme.uk for a client directly to the upstream WWW proxy IP with a level of client persistence as long as the proxy is alive and can reach the internet. NAT is not required and all clients can route to each upstream proxy.

 

I can see the benefit of using LTM with GTM for this but I have been asked if it is possible to remove client NAT and XFF.

 

Thank you for any help

 

3 Replies

  • I'm not sure I fully comprehend what you are trying to do, but if the only need is DNS service then no, LTM is not required. If it is DNS service plus passing the client traffic through the box, you'll need both.
  • nathe

    CSOC - could you add the proxy servers as Generic Hosts on the GTM? That way the GTM will return the actual IP address of one of the proxy servers themselves, rather than a VIP on an LTM. There are wider considerations on using Generic Hosts rather than LTM VIPs, but the GTM Implementation Guides on AskF5 should help on this.

     

    Hope this helps,

    N

  • Thanks for replying. Let us presume we only need DNS service for the clients to reach the upstream proxies and we have a working GTM WIP resolving to a pool of LTM VS.

    Apologies, but I need to ask a config question at this point as I could not find anything to suggest what I should do. To not use LTM, what IP address should be used on the GSLB server and GSLB VS resource – can they match the proxy destination IP and port? Is this the correct way to use GTM only if you just want to resolve to an IP?

    The flow for client to one proxy then would be:

    Client --> proxy.pac --> proxy=proxy1.acme.uk --> GTM WIP --> wip proxy1.acme.uk --> GTM resolve WIP proxy1.acme.uk --> GSLB server_VS (matching proxy IP and port 8080)

    For the above, the WIP pool would contain the GSLB server_VS for each of the three proxies (one in each of the three data centers) and the pool could have persistence enabled such as CARP to keep clients to one proxy if available?

    Again, thanks for any help