Our server administrators would like to start logging connections to the web servers and tried to do so but keep seeing the IP addresses of the load balancers in their logs.
We are using source groups on the CSSes since they are sitting behind a set of firewalls, and we found that the servers would be blocked when removing the source groupings. I have attached a rough diagram of how we are configured.
How do we transmit the remote clients' IP address to the web servers?
We were able to successfully connect to the VIP from the Internet with the removal of source groups and pointing the servers to the CSS as the default gateway.
We ran into an issue where the clients on the LAN would connect to the VIP and then get no response back. I believe this to be due to the fact that we are crossing the firewall on a higher security interface and trying to come back over on a lower security interface. The source IP from the LAN is NATed to an address that is on the local network for the CSS, therefore the servers respond back directly to our NAT address instead of going to the CSS and back out, as in the case of the Internet connection.
Keep in mind that we are one-arming this configuration and using a firewall sandwich, as indicated in the diagram. The firewalls have their higher security interfaces pointing back toward the LAN.
Would I still need to bridge? Do you have an example I may look at to verify it would work? (We would like to be able to track IP addresses on the servers.)
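The asymmetric-routing explanation above, traced as a small added simulation (not from the thread; the addresses and the single-server one-arm topology are assumptions standing in for the attached diagram). It shows why removing the source group fixes logging for Internet clients but breaks replies to NATed LAN clients:

```python
import ipaddress

# Constructed addresses standing in for the thread's diagram (assumptions).
SEGMENT = ipaddress.ip_network("10.1.1.0/24")  # one-arm segment shared by CSS and servers
CSS_IP = "10.1.1.1"          # CSS interface, also the servers' default gateway
VIP = "10.1.1.100"           # virtual IP the clients connect to
SERVER_IP = "10.1.1.20"      # real web server
LAN_NAT_IP = "10.1.1.50"     # firewall NATs LAN clients to this on-segment address
INTERNET_CLIENT = "203.0.113.7"


def css_forward(src, source_group):
    """Request path: the CSS DNATs VIP -> server; a source group additionally
    SNATs the client to the CSS address so the reply is forced back through it."""
    return (CSS_IP if source_group else src), SERVER_IP


def server_reply(seen_src):
    """The server logs the source it saw. An on-segment source is reached
    directly (ARP); anything else is sent to the default gateway, the CSS."""
    on_link = ipaddress.ip_address(seen_src) in SEGMENT
    return {"logged": seen_src, "reply_via_css": not on_link}


def simulate(client, source_group):
    """Return what the server logs and whether the client gets a usable reply."""
    seen_src, _ = css_forward(client, source_group)
    reply = server_reply(seen_src)
    # The CSS can only rewrite the reply source back to the VIP if the reply
    # passes through it: routed via the gateway, or addressed to the CSS itself
    # because a source group SNATed the client. Otherwise the reply carries the
    # real server address, which never matches the connection the client opened.
    css_rewrites = reply["reply_via_css"] or seen_src == CSS_IP
    return {"server_logs": reply["logged"], "client_gets_reply": css_rewrites}


if __name__ == "__main__":
    for client, sg in [(INTERNET_CLIENT, True), (INTERNET_CLIENT, False),
                       (LAN_NAT_IP, True), (LAN_NAT_IP, False)]:
        label = "source group" if sg else "no source group"
        print(f"{client:14} {label:16} {simulate(client, sg)}")
```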
I am in a similar situation to this guy. We also want to retrieve real client IP addresses from the servers, but because we are also using a source group configuration we are unable to see the real client addresses, only the load balancer addresses.
Unlike this guy we don't have a firewall in front of the load balancers, so if I turn off the source group and create a redundant interface for the server default gateway, will I run into any problems you can think of?
At this moment the servers and load balancers are pointing to a firewall (which contains various aliases).
Please see the basic quick topology I did to help you visualise what I am working with.