09-28-2005 02:46 PM
Hi, currently for testing purposes we have had a one-armed configuration that works using client NAT. Now, due to an application requirement, the original requesting client IP must be known. When I isolated a server completely behind the CSS, it can no longer reach the AD controllers to perform AD-related functions and authentication. How do I configure the CSS to allow this traversal to outside network services from the machines behind the CSS?
Thanks, Bob
09-28-2005 10:31 PM
I should have included the config. Right now this config works fine. One nic is on the 10.10.20.0 behind the css, the other nic is on the 172.15.16.0 on the regular network.
!*************************** GLOBAL ***************************
no restrict web-mgmt
dns-server forwarder primary 172.16.51.243
dns-server forwarder secondary 172.16.51.244
ssl associate dhparam diffehkey diffehkey
ssl associate rsakey webdevrsakey webdevrsakey
ssl associate cert virdevweb virdevweb.crt
ip route 0.0.0.0 0.0.0.0 172.16.51.1 1
!************************* INTERFACE
interface e2
bridge vlan 10
!************************** CIRCUIT
circuit VLAN1
ip address 172.16.51.186 255.255.254.0
circuit VLAN10
ip address 10.10.20.254 255.255.255.0
!*********************** SSL PROXY LIST
ssl-proxy-list devwebslllist
ssl-server 20
ssl-server 20 vip address 172.16.51.187
ssl-server 20 dsacert virdevweb
ssl-server 20 rsacert virdevweb
ssl-server 20 rsakey webdevrsakey
ssl-server 20 dhparam diffehkey
ssl-server 20 unclean-shutdown
ssl-server 20 cipher rsa-with-rc4-128-md5 172.16.51.187 80
active
!************************** SERVICE
service DevSvr1BT
ip address 10.10.20.3
port 9010
string BusinessTier
protocol tcp
active
service DevSvr1MD
ip address 10.10.20.3
protocol tcp
port 9012
string MetaDataCache
active
service DevSvr1db
ip address 10.10.20.3
port 9011
string DBCache
protocol tcp
active
service DevSvr1www1
protocol tcp
port 80
string DevSvr1www1
keepalive type http
ip address 10.10.20.2
active
service DevSvr2BT
port 9010
string BusinessTier
ip address 10.10.20.5
protocol tcp
active
service DevSvr2MD
protocol tcp
port 9012
string MetaDataCache
ip address 10.10.20.5
active
service DevSvr2db
port 9011
string DBCache
ip address 10.10.20.5
protocol tcp
active
service DevSvrssl1
protocol tcp
port 443
string DevSvrssl1
keepalive type http
ip address 10.10.20.2
active
service DevSvrwww2
protocol tcp
port 80
string DevSvrwww2
keepalive type http
ip address 10.10.20.4
active
service sslmodule2
type ssl-accel
keepalive type none
slot 2
add ssl-proxy-list devwebslllist
active
!*************************** OWNER
owner devrules
dns accept
dnsbalance leastloaded
content VirDevAppBT
vip address 172.16.51.187
protocol tcp
port 9010
dnsbalance leastloaded
balance leastconn
failover next
add service DevSvr2BT
add service DevSvr1BT
active
content VirDevAppDB
protocol tcp
vip address 172.16.51.187
port 9011
dnsbalance leastloaded
balance leastconn
failover next
add service DevSvr2db
add service DevSvr1db
active
content VirDevAppMD
protocol tcp
vip address 172.16.51.187
port 9012
dnsbalance leastloaded
balance leastconn
add service DevSvr2MD
add service DevSvr1MD
active
content VirDevWeb
vip address 172.16.51.187
balance leastconn
failover next
add service DevSvr1www1
add service DevSvrwww2
protocol tcp
port 80
url "/*"
dnsbalance leastloaded
sticky-serverdown-failover sticky-srcip-dstport
advanced-balance sticky-srcip-dstport
active
content VirDevWebSSL
vip address 172.16.51.187
protocol tcp
port 443
add service sslmodule2
active
!*************************** GROUP
group client-nat
vip address 172.16.51.187
add destination service DevSvr1www1
add destination service DevSvr2BT
add destination service DevSvr1BT
add destination service DevSvr2MD
add destination service DevSvr1MD
add destination service DevSvr2db
add destination service DevSvr1db
add destination service DevSvrwww2
add destination service sslmodule2
active