Application Delivery (ADX)

Occasional Contributor
Posts: 7
Registered: ‎07-06-2012
Accepted Solution

Load Balancing Server Behind A Firewall

Hi All, 

I've been reading through http://www.brocade.com/support/Product_Manuals/ServerIron_SLBGuide/slb.2.42.html#105590 to figure out a solution to a problem I have in a new deployment. It seems that natively the ADX is meant to be directly connected to the subnets that the real servers are hosted on, however in this particular implementation, it cannot have that access, as the real servers are located behind firewalls and in different subnets.

 

There exists the option to use remote server, which I did, and I only got that working when I enabled global source-nat. However this causes issues with other servers connected in subnets it can reach. Additionally, all the logs on the real servers list all connections as coming from ADX, so it seems to me that if I made some individual NAT rules (rather than global) I'd still be left with an untenable situation.

 

So I'm a bit stuck with my config...

 

ADX(config)#server remote test.site.com 10.10.1.1

 

WEBZ -----  200.1.4.2 [ADX] 10.10.0.1 -------- 10.10.0.2 [Firewall] 10.10.1.2 ------------- 10.10.1.1 [Real Server]

Contributor
Posts: 74
Registered: ‎08-18-2011

Re: Load Balancing Server Behind A Firewall


Hi There,

Source-nat is not required for remote server configuration. However you will need to do source-nat when the network topology is single arm (i.e. both client and remote servers are reachable via same ADX interface). 

 

If you are using ADX in an inline setup (i.e. clients and servers are reachable via different ADX interfaces) then you have to add the routes on the intermediate routers in such a way that ADX is in the path of packets going from Servers to the clients and it should work without source-nat. 

 

It will be helpful in finding a solution to your problem if you can provide more details about what your network topology is and what kind of service and features you are planning to use on ADX.

 

-Mohit

 

 

 

-Mohit Sahni
Occasional Contributor
Posts: 7
Registered: ‎07-06-2012

Re: Load Balancing Server Behind A Firewall

Here's an image overview of the situation

 

http://i62.tinypic.com/2nk5dfm.jpg

 

Obviously the servers on the other side of the FW are the problematic ones. Now all that is routable, as in from webserver, to ADX I can ping, and ping the FW and there's no NATing there.

 

Occasional Contributor
Posts: 7
Registered: ‎07-06-2012

Re: Load Balancing Server Behind A Firewall

Also, this is pretty much for web hosting, so HTTP/SSL

Contributor
Posts: 74
Registered: ‎08-18-2011

Re: Load Balancing Server Behind A Firewall

Here is how I think it should be configured. 

Servers in 10.10.1.1 and 10.10.2.1 should be defined as real servers as they are L2 reachable from ADX. 

Servers in the 10.10.10.x network should be defined as remote servers, and they should have a route such that traffic towards clients goes via ADX (IP 10.10.3.1).

 

Now when you bind http or ssl ports of all the real servers under the same virtual server port, the ADX by default will not use remote servers for load balancing. To resolve this you need to add the command "port http lb-pri-servers" to use all the servers for SLB.

 

After that it should work fine. I don't see any need for using source-nat in your setup. 

 

Hope that helps. :)

 

-Mohit Sahni
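
The routing condition in the reply above (replies from the remote servers must travel back through the ADX, otherwise source-nat is needed) can be checked by walking the return path hop by hop. This is an added example, not part of the original thread and not Brocade code; the device names, the firewall and edge-router routes and the client addresses are constructed for illustration.

```python
import ipaddress

def next_hop(routes, dst):
    """Longest-prefix match over [(prefix, next_device), ...]; None if no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None

def return_path(tables, server, client_ip, max_hops=16):
    """Devices a reply from `server` to `client_ip` traverses, hop by hop."""
    path, node = [server], server
    while node in tables and len(path) <= max_hops:  # max_hops stops routing loops
        node = next_hop(tables[node], client_ip)
        if node is None:
            break
        path.append(node)
    return path

def needs_source_nat(tables, server, client_ip, adx="adx"):
    """True when the reply bypasses the ADX, so it never sees the return traffic."""
    return adx not in return_path(tables, server, client_ip)

# Constructed topology: remote server (10.10.10.x) -> firewall -> ADX (10.10.3.1).
VIA_ADX = {
    "server": [("0.0.0.0/0", "firewall")],
    "firewall": [("0.0.0.0/0", "adx")],
    "adx": [("0.0.0.0/0", "internet")],
}
# Same topology, but the firewall's default route leaves through a hypothetical
# edge router; only one client prefix is still routed back through the ADX.
PARTIAL = {
    "server": [("0.0.0.0/0", "firewall")],
    "firewall": [("0.0.0.0/0", "edge-router"), ("203.0.113.0/24", "adx")],
    "adx": [("0.0.0.0/0", "internet")],
}

if __name__ == "__main__":
    for name, tables in (("VIA_ADX", VIA_ADX), ("PARTIAL", PARTIAL)):
        for client in ("203.0.113.10", "198.51.100.7"):
            print(name, client, return_path(tables, "server", client),
                  "source-nat needed:", needs_source_nat(tables, "server", client))
```

When the walk shows the ADX in the return path, the real servers keep seeing the true client address in their logs, which is the property lost with global source-nat.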
Occasional Contributor
Posts: 7
Registered: ‎07-06-2012

Re: Load Balancing Server Behind A Firewall

Thanks, part of the problem I was having was specifically with some firewall rules which were cutting my website address as opposed to the actual server address
