F5 Reverse Proxy

Hoang Tran (Henry) Solution Consultant

hoang.tran@f5.com

F5 Synthesis
LTM

GTM

AAM

AFM

APM

ASM

CGNAT

PEM

iRules, iApp, iCall, and iControl

Chassis

Appliance

Network

Virtual Edition

[Physical Overlay SDN]

2

LTM

GTM

SAML and cloud federation

Single
delivery
firewall (ADF)
Global
Application
SPDY
andGateway
local
load balancing
sign-on
access
control
SSL
application
firewall (WAF)
Carrier-grade
Web
Application
NAT
optimization
(CGNAT)
VPN
Secure
firewall
Intelligent
DNS
Web
performance
DNS
web
gateway optimization
Anti-malware
anti-phishing,
anti-fraud
Business
DNSSEC,
Trafficcontinuity,
shaping
and
disaster
QoS
recovery
and endpoint
inspection

AAM

AFM

APM

ASM

CGNAT

PEM
3

F5 Application Delivery Controllers (ADCs)

Capability Expandability Flexibility

BIG-IP 10000 Series

BIG-IP 11000 Series

VIPRION 4800

BIG-IP 5000 Series

BIG-IP 7000 Series

VIPRION 4480

BIG-IP 2000 Series

BIG-IP 4000 Series

VIPRION 2400
4

Example: Control Traffic Based on User Location

GTM
GTM

GTM

Example: Wide IPs and Intelligent DNS Resolution

GTM directs traffic to available data centers based on
gathered metrics
GET
DNS?

GET
DNS?

Internet
Data Center 2

Data Center 1

LTM

GTM

Application
Servers

GTM

LTM

Application
Servers
6

Example: DDoS and WAF Protection in the Enterprise Data Center

Applications

Tier 2: Protect L7

Web Application Firewall

ASM

LTM

APM

AFM

LTM

GTM

SSL Termination
Single Sign-on

Network Firewall
DNS Services
Load Balancing to Tier 2

Tier 1: Protect L3-4 and DNS

7

F5 Offers Comprehensive DDoS Protection

Threat Intelligence Feed
Next-Generation
Firewall
Scanner

Anonymous
Proxies

Anonymous
Requests

Botnet

Cloud

Attackers

Network

Multiple ISP
strategy

Corporate Users

Application

Network attacks:
ICMP flood,
UDP flood,
SYN flood

SSL attacks:
SSL renegotiation,
SSL flood

Financial
Services

Legitimate
Users
Cloud
Scrubbing
Service
DDoS
Attackers

Volumetric attacks and

floods, operations
center experts, L3-7
known signature attacks

E-Commerce

ISPa/b
DNS attacks:
DNS amplification,
query flood,
dictionary attack,
DNS poisoning

Network
and DNS

Application
HTTP attacks:
Slowloris,
slow POST,
recursive POST/GET

Subscriber

IPS
Strategic Point of Control

Example: All-in-One Authentication and Single Sign-on

Public / Private Cloud

Clients
Application Services
+ Access Policy Management

APM

LTM

VDI

VDI

VDI

Data Center

Directory Services
Application Servers
9

Centralized BIG-IP Management with BIG-IQ

BIG-IQ Platform Services

BIG-IP
BIG-IP
Data Center

Hybrid Cloud

Public Cloud

10

BIG-IP Full Proxy Architecture

Client

TCP

View
Configure
Default
and deny
modify
to listen
device
traffic
for
certain
behavior
traffic

TCP
Server

Connection is proxied Modified application data

Application data
Encrypted

Unencrypted

Compressed

Uncompressed

IPv6

IPv4

11

The BIG-IP System

TMOS: Traffic Management

BIG-IP: Administration

iApps
LTM

GTM

ASM

APM

AAM

AFM
GUI

iRules

TMSH

Full Proxy
High Performance
Hardware

SSL

Compression

CLI

12

Local Traffic Manager

A Virtual Server Listens for and Processes Traffic

IP address:port

http://www.f5.com

http://203.0.113.10
http://www.f5.com

Often associated with a pool

http://www.f5.com

Virtual Server
203.0.113.10:80
216.34.94.17:80
http_pool

172.16.20.1:80

172.16.20.2:80

172.16.20.3:80

web application

web application

web application

14

Virtual Server Address and Port Translation

Request

Source
Source

Destination
Destination

Virtual
Client
Server

Virtual
Client
Server

Virtual Server
Load balancing decision
Translation is "undone"
Destination translation
Member

Member

Member
Source
Source

Destination
Destination

PoolClient
Member

PoolClient
Member

Response

15

Translation Example: Request to Virtual Server

192.0.2.101

Source

Destination

192.0.2.101:3154

203.0.113.10:80

203.0.113.10:80

172.16.20.1:80

172.16.20.2:80

Destination translated to pool

member based on load balancing
decision
Source

Destination

192.0.2.101:3154

172.16.20.1:80

172.16.20.3:80
16

Translation Example: Response from Pool Member

192.0.2.101

203.0.113.10:80

172.16.20.1:80

172.16.20.2:80

Source

Destination

203.0.113.10:80

192.0.2.101:3154

BIG-IP translates source IP

back to
virtual server address

Source

Destination

172.16.20.1:80

192.0.2.101:3154

172.16.20.3:80
17

Specifying Different Ports

192.0.2.101

Source

Destination

192.0.2.101:3154

203.0.113.10:80

203.0.113.10:80

Port can be different between virtual

server and pool members

Source

Destination

192.0.2.101:3154

172.16.20.3:8080

172.16.20.3:8080

172.16.20.1:8082
172.16.20.2:8081

18

SOL8082

Not Just NAT. A Full-Proxy Architecture

Client

3
4

BIG-IP

SYN
SYN_ACK
ACK

Pool Member

virtual server
2

HTTP_GET

SYN
SYN_ACK
ACK

7
8

HTTP_RESPONSE

10

HTTP_GET
HTTP_RESPONSE

Separate client and server connections

19