wowchens
Jun 17, 2008, Nimbostratus
Design Issues with F5 LTM for IIS and .Net Remoting
Please help with a design issue that I am having.
At one of my clients here we have a requirement to set up F5 LTM for load balancing a couple of .Net Remoting application servers. These are no different than any other web/app servers, except the traffic is all binary over HTTP from a fat client.
One of the requirements from the business was to not use SNAT, as this application is global, accessed from at least 6 countries, and they want to be able to see traffic as-is and trace end points if they need to. (When I say as-is, I mean without changing the source IP address.)
I proposed the setup as below:
Servers will have 2 NICs, one connected to the F5 internal VLAN and the other connected to the core network for sys admin/monitoring/backup etc. This way application traffic is segmented. I set the default gateway for the F5 NIC to F5's floating IP address and also made a NAT entry on F5 for the server to be able to talk to Database, Documentum, file servers, messaging etc. This application is heavy on database and is linked to many other systems.
The issue that I am having is:
If any of the back-end systems, Database or Documentum, is on the same VLAN as the CORE NIC, it's not able to route because of the same network, and it tries to reach them directly from the F5 NIC without going to the default gateway, and this fails as the destination server cannot return traffic to the private F5 internal IP address.
For now I fixed the issue by placing the servers in totally separate VLANs from all of the other systems. Now I am challenged with another issue, that is, this application makes web service calls to a bunch of websites that are set up on the same server, which are also failing for the same reason as above.
Big questions for me now are:
1) Is the design that I proposed, using 2 NICs both having default gateways, good, bad or ugly? To the best of my knowledge, on a Windows server one can have any number of default gateways and the route is decided by metric and bindings.
2) Is there any other design that anyone can recommend?
3) Is anyone successful with not using SNAT and still able to use dual-NIC traffic segmentation?
Any help is highly appreciated and I am more than happy to give more details as required.
Thanks--Chenna
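As an added example (not part of the post above, and not F5 or Windows code), the following Python model shows why two default gateways on a dual-homed server are fragile when the LTM runs without SNAT. It applies longest-prefix-match routing with metric tie-breaking to three destinations the post mentions: a remote client, a back-end on the core VLAN, and a back-end on some other routed network. All addresses, interface names and metrics are hypothetical and constructed for this example.

```python
"""
Model of route selection on a dual-homed server behind an LTM with SNAT off.
All addresses are hypothetical, constructed for this example; nothing here is
taken from the original post or from F5 documentation.
"""
import ipaddress

# Hypothetical server addressing (constructed for this example).
F5_NIC = "F5-NIC"       # interface on the LTM's internal VLAN
CORE_NIC = "CORE-NIC"   # interface on the core/management VLAN
F5_ADDR = ipaddress.ip_interface("10.10.10.21/24")
CORE_ADDR = ipaddress.ip_interface("192.168.50.21/24")
F5_FLOATING = ipaddress.ip_address("10.10.10.1")     # LTM floating self IP
CORE_GATEWAY = ipaddress.ip_address("192.168.50.1")  # core router


def build_routes(f5_default_metric, core_default_metric):
    """Routing table entries as (prefix, gateway, interface, metric).
    Connected routes carry gateway=None; their /24 prefix beats any default
    route regardless of metric, so their metric does not matter here."""
    default = ipaddress.ip_network("0.0.0.0/0")
    return [
        (F5_ADDR.network, None, F5_NIC, 1),
        (CORE_ADDR.network, None, CORE_NIC, 1),
        (default, F5_FLOATING, F5_NIC, f5_default_metric),
        (default, CORE_GATEWAY, CORE_NIC, core_default_metric),
    ]


def select_route(routes, dest):
    """Longest prefix match; a tie (two 0.0.0.0/0 entries) is broken by the
    lowest metric, which is the ordering both Windows and Linux use."""
    dest = ipaddress.ip_address(dest)
    candidates = [r for r in routes if dest in r[0]]
    if not candidates:
        raise ValueError(f"no route to {dest}")
    prefix, gateway, iface, metric = max(
        candidates, key=lambda r: (r[0].prefixlen, -r[3]))
    return {"interface": iface, "gateway": gateway, "metric": metric}


def reply_path(routes, client_ip):
    """Where the server's reply to a load-balanced client leaves the box.
    With SNAT off, the LTM keeps the client's source IP and only rewrites the
    destination (VIP -> server) inbound, so the reply must go back through
    the LTM to have its source rewritten (server -> VIP). A reply leaving via
    any other interface reaches the client with the server's real address as
    source and is dropped as not belonging to the client's connection."""
    r = select_route(routes, client_ip)
    return {"via": r["interface"], "symmetric": r["interface"] == F5_NIC}


def evaluate_design(f5_default_metric, core_default_metric):
    """Check a dual-default-gateway layout against the three traffic types
    the post describes. Destination addresses are constructed examples."""
    routes = build_routes(f5_default_metric, core_default_metric)
    return {
        "client_reply": reply_path(routes, "203.0.113.10"),
        "db_on_core_vlan": select_route(routes, "192.168.50.40")["interface"],
        "db_elsewhere": select_route(routes, "172.16.8.5")["interface"],
    }


if __name__ == "__main__":
    for name, metrics in {"f5-preferred": (5, 10), "core-preferred": (10, 5)}.items():
        print(name, evaluate_design(*metrics))
```

The two runs differ only in which default route has the lower metric. With the F5 route preferred, client replies go back through the LTM (symmetric) but every other non-connected destination also leaves via the F5 NIC with a private source address, which is exactly why a NAT entry on the LTM becomes necessary. With the core route preferred, back-end traffic is fine but client replies bypass the LTM and the connection never completes. Note that on Windows the automatic interface metric is derived from link speed unless set explicitly, so which default route wins should be verified with `route print` rather than assumed.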