PUBLIC FQDN

Question

Hello Experts&nbsp;
My scenario is some what like, we have user machines which will be trying to access an internal portal page, which will be resolved to internal IP. This IP will be used as VIP on F5. When this request will hit the VIP, the pool associated with it is FQDN, lies on the internet.&nbsp;
Now I want is when user open the internal portal page, it get proxied to external FQDN.&nbsp;
Need Help. I am new to FQDN and F5 both.&nbsp;

vernon_97235 · Answer

If you are running 11.6.0, you can use FQDNs as pool members.  This is described in detail here:
Manual Chapter: Configuring the BIG-IP System to Auto-Populate Pools
You would also need to SNAT the connection:
SOL7820: Overview of SNAT features
If you are using a version prior to that, and the target must be an FQDN, you'll have to use an iRule.  You should read the information regarding the RESOLV::lookup command:
RESOLV::lookup command
then use something like this (untested!):
when RULE_INIT {
    set static::rf_target_fqdn "www.example.com"
}

when CLIENT_ACCEPTED {
    set alist [RESOLV::lookup -a $static::rf_target_fqdn]
    
    if { [llength $alist] &gt; 0 } {    
        node [lindex $alist 0]
    } else {
        log local0.warn "Failed to resolve hostname ($static::rf_target_fqdn)"
        reject
    }
}

There are (at least) three drawbacks here: 1. RESOLV::lookup does not follow CNAME records; 2. if the result returns more than one A record, it'll always use the first (though typically local resolvers rotarize the results on each query); and 3. each connection incurs the lookup cost and consequent latency.

vernonwells · Answer

If you are running 11.6.0, you can use FQDNs as pool members.  This is described in detail here:
Manual Chapter: Configuring the BIG-IP System to Auto-Populate Pools
You would also need to SNAT the connection:
SOL7820: Overview of SNAT features
If you are using a version prior to that, and the target must be an FQDN, you'll have to use an iRule.  You should read the information regarding the RESOLV::lookup command:
RESOLV::lookup command
then use something like this (untested!):
when RULE_INIT {
    set static::rf_target_fqdn "www.example.com"
}

when CLIENT_ACCEPTED {
    set alist [RESOLV::lookup -a $static::rf_target_fqdn]
    
    if { [llength $alist] &gt; 0 } {    
        node [lindex $alist 0]
    } else {
        log local0.warn "Failed to resolve hostname ($static::rf_target_fqdn)"
        reject
    }
}

There are (at least) three drawbacks here: 1. RESOLV::lookup does not follow CNAME records; 2. if the result returns more than one A record, it'll always use the first (though typically local resolvers rotarize the results on each query); and 3. each connection incurs the lookup cost and consequent latency.

vishal_bhugra_1 · Answer

Thanks a lot vernon

I am using 11.6 and my FQDN is getting resolved. Following is my configuration, please correct me if I am wrong

ltm virtual AWS_TEST { destination 172.16.254.51%254:http ip-protocol tcp mask 255.255.255.255 partition AWS profiles { /Common/http { } /Common/mptcp-mobile-optimized { } My_REWRITE_PROFILE { } } source 0.0.0.0/0 source-address-translation { pool /Common/AWS_TEST_POOL type snat } source-port preserve-strict translate-port disabled vlans { VLAN_SERVER_AWS } vlans-enabled vs-index 89 }

ltm pool AWS_TEST { members { www.gogoair.com:http { fqdn { autopopulate enabled name www.gogoair.com } state fqdn-up } www.gogoair.com-12.130.115.24:http { address 12.130.115.24%0 ephemeral true state up fqdn { name www.gogoair.com } } } monitor /Common/http partition AWS }

ltm snatpool AWS_TEST_POOL { members { 172.16.254.50 } }

ltm profile rewrite My_REWRITE_PROFILE { app-service none bypass-list none client-caching-type cache-css-js defaults-from /Common/rewrite java-ca-file /Common/ca-bundle.crt java-crl none java-sign-key /Common/default.key java-sign-key-passphrase-encrypted none java-signer /Common/default.crt location-specific false request { insert-xforwarded-for enabled insert-xforwarded-host disabled insert-xforwarded-proto disabled rewrite-headers enabled } response { rewrite-content enabled rewrite-headers enabled } rewrite-list none rewrite-mode uri-translation split-tunneling false uri-rules { uri_1438135745006 { client { host 172.16.254.51 path /r/n/ scheme http } server { host www.gogoair.com path / scheme http } } } }

The thing I am seeing is my request is not hitting the public address

vishal_bhugra_1 · Answer

Thanks a lot vernon

I am using 11.6 and my FQDN is getting resolved. Following is my configuration, please correct me if I am wrong

ltm virtual AWS_TEST { destination 172.16.254.51%254:http ip-protocol tcp mask 255.255.255.255 partition AWS profiles { /Common/http { } /Common/mptcp-mobile-optimized { } My_REWRITE_PROFILE { } } source 0.0.0.0/0 source-address-translation { pool /Common/AWS_TEST_POOL type snat } source-port preserve-strict translate-port disabled vlans { VLAN_SERVER_AWS } vlans-enabled vs-index 89 }

ltm pool AWS_TEST { members { www.gogoair.com:http { fqdn { autopopulate enabled name www.gogoair.com } state fqdn-up } www.gogoair.com-12.130.115.24:http { address 12.130.115.24%0 ephemeral true state up fqdn { name www.gogoair.com } } } monitor /Common/http partition AWS }

ltm snatpool AWS_TEST_POOL { members { 172.16.254.50 } }

ltm profile rewrite My_REWRITE_PROFILE { app-service none bypass-list none client-caching-type cache-css-js defaults-from /Common/rewrite java-ca-file /Common/ca-bundle.crt java-crl none java-sign-key /Common/default.key java-sign-key-passphrase-encrypted none java-signer /Common/default.crt location-specific false request { insert-xforwarded-for enabled insert-xforwarded-host disabled insert-xforwarded-proto disabled rewrite-headers enabled } response { rewrite-content enabled rewrite-headers enabled } rewrite-list none rewrite-mode uri-translation split-tunneling false uri-rules { uri_1438135745006 { client { host 172.16.254.51 path /r/n/ scheme http } server { host www.gogoair.com path / scheme http } } } }

The thing I am seeing is my request is not hitting the public address

vernonwells · Answer

I would recommend using tcpdump to look at the traffic flow:
SOL411: Overview of packet tracing with the tcpdump utility
and check /var/log/ltm to ensure that there are no errors.  Since you have the http profile applied, the flow should look like this in a tcpdump:
 CLIENT                     BIG-IP                  SERVER
         --- SYN      ---&gt;    |
         &lt;-- SYN/ACK  ---     |
         --- ACK      ---&gt;    |
         ---  ---&gt;    |
                              +  --- SYN      ---&gt;
                              + &lt;--- SYN/ACK  ---
                              +  --- ACK      ---&gt;
                              +  ---  ---&gt;

where REQHDR are the request headers.  On the second half (between the BIG-IP and the SERVER), the source address will be the SNAT source address (172.16.254.50).
Having said all of that, the SNAT source address on the BIG-IP (172.16.254.50) must be able to reach the public addresses (since it's an RFC 1918 address, I assume it is subject to further address translation somewhere else?) and there must be a route back to that address.

Forum Discussion

PUBLIC FQDN

Recent Discussions

iRule command to allow IP range to access specific URL

When user goes through LB the server page has stripped information

HIGHLY RECOMMENDED LOST CRYPTOCURRENCY RECOVERY SERVICE/ DIGITAL TECH GUARD RECOEVRY

Help with an I-rule rewrite

When adding new GTM(DNS) to the existing group, if software version is not same, what will happen?

Related Content

Enriching AFM with public domain Threat Intelligence

SSLO in public cloud: Azure inbound L3 use case

Create an HTTPS Origin based on public FQDN for VoltMesh

Public Cloud Simplified with F5 NGINXaaS for Azure

F5 High Availability - Public Cloud Guidance