WithF5
Mar 22, 2015

GTM Design Question

Hi everyone.

In my company I have a firewall that handles inbound and outbound communication between the company and the internet.

I want to put a GTM in place to load balance port 53 requests between two DCs (each with an LTM); this GTM will sit behind my firewall.

I know I will have to use NAT for communication from outside to inside. The question is, when a port 443 request arrives at my firewall from the internet, how can I get the load-balanced IP from the GTM so the firewall can make the connection to the VS?

Has anyone done this before?

The only way into my network is through the firewall.

Thanks.

W

3 Replies

  • Hi,

    I did not fully understand your question but hope to be able to provide some input.

    First of all, it's highly recommended to use at least two F5 BIG-IP GTM controllers.

    As they act as authoritative name servers for a zone, they need to be redundant, and it's best practice to place them in different IP networks.

    So if you have two geographically separated sites it makes sense to have a GTM per site.

    If your GTMs and LTMs are placed behind a firewall which is doing NAT, it will be necessary to configure both the GTMs and the LTMs as "BIG-IP"-type servers including both the external NAT address (public & routeable IP) and the local self IP of each BIG-IP.

    This will be the "external" self IP address of each BIG-IP, which will be used for the inter-device communication (based on the encrypted proprietary F5 iQuery protocol).

    Be aware that your firewall policies need to allow full-mesh communication between all these self IPs for bi-directional TCP/4353 (iQuery) connections.

    The NAT definition and proper data center assignment for all servers will be important, as a GTM will try to connect to the LTM in the "local" data center via the self IP address and not through the external NAT address. It's important to follow this concept for all defined servers, i.e. the "Generic Host"-type servers etc.

    The external address (NAT) is important, as it will be returned as an A record to the client/resolver if the GTM receives a DNS query.

    This leads to another interesting topic regarding LTM:

    A virtual IP does not need to belong to a locally attached network. This means you can use a transfer network (unregistered IP addresses from the RFC 1918 range) to establish the connection between the external firewall/router and your BIG-IP LTM. You will just need host routes on the external L3 components pointing to the F5's floating self IP as next hop to reach the virtual IPs.

    In this case it would be important that the GTM is using the LTM to validate virtual server states.

    Thanks, Stephan

    PS: I would recommend discussing the several implementation options with your F5 systems engineer, F5 professional services or an experienced system integrator.

  • Hi,

    This would require terminating SSL on your firewall. Otherwise the firewall doesn't know what name has to be resolved.

    It's typically the job of the GTM to verify the availability of the servers and respond to the client/resolver with a resource record; the client then tries to establish a direct connection to the target system.

    What you are expecting from your firewall is the job of a forward proxy. But a forward proxy requires the client to use the so-called CONNECT method to specify the hostname it wants to be connected to.

    Now the forward proxy does a name resolution, sends an OK to the client, and the client starts sending the request through the established "tunnel".

    So the answer depends on the capabilities of your firewall.

    Thanks, Stephan

  • WithF5

    Hello guys.

    Just to share my resolution for this issue.

    I created a virtual server in the GTM pool. In the address box I typed the public address and in the translation box I typed the internal IP address (VIP). So when a DNS request arrives at my firewall it is redirected to my GTM, and my GTM responds with the public address, and for this public address I have a NAT configuration in the firewall that translates it to my internal address (VIP).

    Voilà! =)

    Regards.

    W
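A small Python model of the design the thread converges on, added here as an illustration and not code from F5 or from either poster: the GTM answers DNS with the public (NAT) address of a virtual server while health-checking the private VIP given in the translation field, and an audit function checks the two caveats from the first reply, a matching static NAT on the firewall for every advertised address and iQuery (TCP/4353) permitted in both directions between sites. All addresses, device names and the firewall's rule representation are constructed assumptions; iQuery between devices in the same data center is assumed to use the self IPs directly without crossing the firewall, and cross-site flows are keyed on the NAT addresses the remote firewall actually sees.

```python
"""Constructed model of a GTM behind a NATing firewall (not F5 code)."""
from dataclasses import dataclass, field
from itertools import permutations

IQUERY_PORT = 4353  # iQuery port named in the first reply


@dataclass
class VirtualServer:
    name: str
    address: str       # public address the GTM returns in the A record
    translation: str   # private VIP the GTM actually monitors
    port: int = 443


@dataclass
class BigIPServer:
    name: str
    datacenter: str
    self_ip: str        # local self IP, used inside the data center
    nat_address: str    # public address used for cross-site iQuery
    virtual_servers: list = field(default_factory=list)


@dataclass
class Firewall:
    static_nat: dict    # public address -> private address
    allowed: set        # permitted flows as (src_ip, dst_ip, dst_port)

    def permits(self, src, dst, port):
        return (src, dst, port) in self.allowed


def monitor_target(vs):
    """GTM health-checks the translation (VIP) when one is configured."""
    return vs.translation or vs.address


def resolve(servers, health):
    """Public addresses the GTM would hand out: one per virtual server whose
    monitored VIP is healthy. `health` maps a monitored IP to True/False."""
    return [vs.address
            for srv in servers for vs in srv.virtual_servers
            if health.get(monitor_target(vs), False)]


def audit(servers, fw):
    """Findings for a missing static NAT or a blocked cross-site iQuery flow."""
    findings = []
    for srv in servers:
        for vs in srv.virtual_servers:
            if fw.static_nat.get(vs.address) != vs.translation:
                findings.append(f"{srv.name}/{vs.name}: no static NAT "
                                f"{vs.address} -> {vs.translation}")
    for a, b in permutations(servers, 2):
        if a.datacenter == b.datacenter:
            continue  # assumed: local devices talk via self IPs, no firewall hop
        # remote firewall sees a's NAT address as the source, b's NAT as destination
        if not fw.permits(a.nat_address, b.nat_address, IQUERY_PORT):
            findings.append(f"iQuery blocked: {a.name} -> {b.name} "
                            f"({a.nat_address} -> {b.nat_address}:{IQUERY_PORT})")
    return findings


# --- constructed sample topology: two DCs, a GTM and an LTM in each ---
SERVERS = [
    BigIPServer("gtm-dc1", "dc1", "10.1.0.2", "203.0.113.2"),
    BigIPServer("ltm-dc1", "dc1", "10.1.0.5", "203.0.113.5",
                [VirtualServer("vs_https_dc1", "203.0.113.10", "10.1.0.10")]),
    BigIPServer("gtm-dc2", "dc2", "10.2.0.2", "198.51.100.2"),
    BigIPServer("ltm-dc2", "dc2", "10.2.0.5", "198.51.100.5",
                [VirtualServer("vs_https_dc2", "198.51.100.10", "10.2.0.10")]),
]


def good_firewall():
    """Both NATs present, iQuery opened in both directions between sites."""
    nat = {"203.0.113.10": "10.1.0.10", "198.51.100.10": "10.2.0.10"}
    allowed = {(a.nat_address, b.nat_address, IQUERY_PORT)
               for a, b in permutations(SERVERS, 2)
               if a.datacenter != b.datacenter}
    return Firewall(nat, allowed)


def broken_firewall():
    """DC2 NAT missing and iQuery only opened from dc1 towards dc2."""
    nat = {"203.0.113.10": "10.1.0.10"}
    allowed = {(a.nat_address, b.nat_address, IQUERY_PORT)
               for a, b in permutations(SERVERS, 2)
               if a.datacenter == "dc1" and b.datacenter == "dc2"}
    return Firewall(nat, allowed)


if __name__ == "__main__":
    # constructed monitor results: the dc1 VIP is up, the dc2 VIP is down
    print(resolve(SERVERS, {"10.1.0.10": True, "10.2.0.10": False}))
    for line in audit(SERVERS, broken_firewall()):
        print(line)
```

Running the module prints the single public address still answerable and the five findings for the broken firewall; note that health keyed on the public address rather than the VIP yields no answers at all, which is the point of putting the internal address in the translation field.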