
Navigating directly to Real Server via port 80 times out

Tags: client impersonation, real server, port 80, 340




#1 mtaylor

mtaylor
  • Members
  • 13 posts

Posted 23 February 2016 - 04:41 PM

We have a LB ADC 340. We have recently turned on Client Impersonation. Long story short we now cannot navigate directly to a Real Server over port 80 that has Client Impersonation turned on.

 

Here is an example of the setup:

Summary/Example of my working settings:

Service IP is 172.16.15.240 and is on the GE-1-1 interface

Real Server IP addresses are:

App1- 172.16.15.241

App2- 172.16.15.242

App3- 172.16.15.243

 

The Default Gateway on the Real Servers is pointing to 172.16.15.240.

I have the default route configured on the GE-1-1 interface pointing to the Gateway of 172.16.15.1.

To ensure traffic originating from the real servers only goes where it is allowed, I have a policy-based-route for each of the Real Servers.

The Policy Based Route says anything from 172.16.15.x going to 0.0.0.0 then route it over the GE-1-1 interface to 172.16.15.1, meaning no traffic other than management goes over the MGMT interface.

I also have a configured route on GE-1-1 saying route responses from IP 172.16.14.234 to 172.16.15.1.

The only issue again is that with Client Impersonation turned on, access to port 80 on a Real Server times out/is denied.

 

Here are some scenarios:

-Client Impersonation turned on, I cannot hit port 80 from 172.16.14.234 to 172.16.15.241

-Turn Client Impersonation off and I can, but only because of the configured route that specified my IP address.

-I added port 8181 to my Real Server website configuration, then with Client Impersonation off I can access the server directly either over port 8181 or port 80.

-Now turn Client Impersonation back On and I can only access the Real Server directly through port 8181.

-Now if I go into the Configured Server/Real Server settings under the Virtual Service and tell it to communicate with the Real Server over port 8181 instead of 80, then the problem flips and I can only access port 80 on the Real Server directly with Client Impersonation turned on.

Anyone know what is specifically happening with port 80, or in other words the port the Load Balancer Virtual Service is configured to talk with the Real Server on?



#2 Kaushik Thirumurthy

Kaushik Thirumurthy
  • Barracuda Team Members
  • 41 posts

Posted 24 February 2016 - 09:25 AM

Hello Taylor,

 

With Client Impersonation enabled, you would not be able to access the server directly on the same server instance port.

Given that the return traffic from the server would have the source port as port 80 (which is configured as the server instance port), the response would not be forwarded to the client.

 

A work-around here is to create exclusive services on the ADC on the respective port with just one server, which you would like to access.

 

Please let us know if you have any questions, thank you.

 

Regards,

Kaushik



#3 mtaylor

mtaylor
  • Members
  • 13 posts

Posted 24 February 2016 - 09:28 AM   Best Answer

Ok, thank you for your answer. We have decided to instead add a listening port to our webservers, make the LoadBalancer talk to the Real Server on that new port and then we get port 80 back for direct access.

 

Adding a bunch of services would clog up the viewing of the Load Balancer.
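
An added diagnostic sketch (not part of the original posts and not Barracuda code): it connects to each Real Server directly on the port the Virtual Service uses and on an alternate port, and flags the pattern described in this thread, where only the server instance port times out. The addresses and ports 80/8181 come from the thread; the function names and result labels are assumptions made for this example.

```python
import socket

REAL_SERVERS = ["172.16.15.241", "172.16.15.242", "172.16.15.243"]  # from the thread
INSTANCE_PORT = 80    # port the Virtual Service uses toward the Real Servers;
                      # after the change in post #3 this would be the new listener
PORTS = [80, 8181]    # 8181 is the extra listener added in the thread

def probe(host, port, timeout=3.0):
    """One direct TCP connect (not via the Service IP): open, refused, timeout or error."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"      # an RST came back, so the return path works
    except socket.timeout:
        return "timeout"      # no SYN-ACK arrived within the timeout
    except OSError:
        return "error"        # e.g. no route to host

def classify(states, instance_port):
    """Interpret {port: state} for one Real Server (labels are this example's own)."""
    inst = states.get(instance_port)
    others = [s for p, s in states.items() if p != instance_port]
    if inst == "open":
        return "direct_access_ok"
    if inst == "timeout" and "open" in others:
        # Server is up and routable; only replies sourced from the instance
        # port are lost, which is the behaviour described in reply #2.
        return "instance_port_only"
    if inst == "refused":
        return "not_listening"
    return "unreachable"      # nothing answers: check routing/firewall first

if __name__ == "__main__":
    for host in REAL_SERVERS:
        states = {port: probe(host, port) for port in PORTS}
        print(host, states, classify(states, INSTANCE_PORT))
```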