MSP Load Balancer

Looking for an MSP Load Balancer solution? The LBC has you covered! Whether you need basic help with your config or a fully managed service provider for your equipment, we can help.

Let’s face it: load balancers, such as our favorite, the F5 BIG-IP product line, are hard devices to support. They span about as much of the width of technology as anything out there. Supporting them means you need to be a programmer, a security expert, an application expert, a network expert, and also a troubleshooting expert for all the technologies that go through the LB. How often is the issue something other than the F5, but the F5 team has to prove it so the other guys go fix it? A lot.

Want a subscription including management and licenses of your devices? Maybe managed security services of your on-prem devices with support? Perhaps a more traditional staff augmentation model with professional services included? We have experience with them all. With our team of certified engineers, you’ll have access to an entire group of people that focus on load balancing, but also know how to work with security, application and networking engineers. We work through our channel of partners, and you probably already have a relationship with one of our partners to integrate smoothly into your purchasing and procurement.

All of these reasons make the thought of an MSP Load Balancer support contract sound pretty good. Finding engineers knowledgeable in the ADC space is difficult, and training them is expensive and requires lots of downtime. Also, your team needs to understand so many different disciplines. It’s nearly impossible to find a single person that has that type of knowledge. Without an expert, you can’t use your investment in your load balancing infrastructure to its fullest.

Contact us to find out more about our team and a partner that’s the right fit for you!

F5 CORS

What is CORS?

F5 CORS can mean a few different things. Probably the most common, which we’ll look at here, is enabling Cross-Origin Resource Sharing for the applications behind the BIG-IP. Alternatively, you can check out our article on actually enabling the BIG-IP to support CORS for the management GUI. You can also read a little bit about what CORS is. Another topic related to F5 CORS is what the ASM will allow and block when it sees CORS. Configuration of that is discussed in our F5 ASM CORS Support post.

First, a quick recap on CORS. CORS is used when the browser is making an automated request to a site that is different from the one the user put in their browser. It’s a protection built into the browser: JavaScript isn’t allowed to send data all over the place. Often though, this is exactly what the application architects need to happen. In comes CORS. Basically, the site that is getting a request from a non-local origin needs to allow the request to come in.

CORS has two types of requests: simple requests and requests that require more work. For basic requests, the browser is notified that this is OK with a simple header. For more complicated requests, you need to send what’s called a pre-flight request to get some additional data before sending the actual request. What makes them complicated or simple is outside the scope of this post, but your application people should be able to tell you which of the methods you need to support.

The Mozilla CORS page gives a lot more detail if you want to get into the details of the requests.

Configuring F5 CORS

For the simple one, you just need to insert the “Access-Control-Allow-Origin:” header with the value of the domain that should be allowed to make the cross origin request. If you want any website on the internet to be allowed, just set an asterisk.

You can do this with just an HTTP profile and the header insert, or you can do it in an iRule and insert the header based on whatever conditions you want.

Preflighted requests are a bit trickier. First, you’ll intercept the OPTIONS request, and respond with the proper information for the client. Next, the client will send the actual request.

Rather than reinvent the iRule, you can take a look at this thorough example on DevCentral: F5 cors iRule

One thing to note about the iRule: create a data group outside of the iRule, as shown in one of the comments. That’s what they are there for, so use it.
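The two cases described above, as an added iRule sketch that is not the DevCentral iRule or F5's own code: it answers pre-flight OPTIONS requests on the BIG-IP and echoes the Origin back on normal responses only when it is listed in a data group. The data group name cors_allowed_origins and the allowed methods, headers and max-age values are assumptions to replace with what your application needs.

```tcl
# Added example. Assumes a string data group named cors_allowed_origins
# (hypothetical name) whose keys are full origins, e.g. https://app.example.com
when HTTP_REQUEST {
    # Reset on every request so keep-alive connections do not reuse a stale value
    set cors_origin ""
    if { [HTTP::header exists "Origin"] } {
        set origin [string tolower [HTTP::header value "Origin"]]
        # Exact match only: suffix or substring matching would also admit
        # look-alike origins that merely contain a trusted name
        if { [class match -- $origin equals cors_allowed_origins] } {
            set cors_origin $origin
        }
    }

    # Pre-flight: an OPTIONS request carrying Access-Control-Request-Method.
    # Answer it here so it never reaches the pool. Origins that are not in
    # the data group get no CORS headers and the browser blocks the call.
    if { $cors_origin ne "" && [HTTP::method] eq "OPTIONS" &&
         [HTTP::header exists "Access-Control-Request-Method"] } {
        # Methods, headers and max-age below are assumed sample values
        HTTP::respond 200 noserver \
            "Access-Control-Allow-Origin" $cors_origin \
            "Access-Control-Allow-Methods" "GET, POST, PUT, DELETE" \
            "Access-Control-Allow-Headers" "Content-Type, Authorization" \
            "Access-Control-Max-Age" "600" \
            "Vary" "Origin"
        return
    }
}

when HTTP_RESPONSE {
    if { $cors_origin ne "" } {
        # Replace rather than insert so the browser never sees two values
        HTTP::header replace "Access-Control-Allow-Origin" $cors_origin
        # The response differs per Origin, so caches must key on it
        HTTP::header insert "Vary" "Origin"
    }
}
```

Echoing a listed origin instead of sending an asterisk also keeps the rule usable for requests that carry cookies or other credentials, which browsers refuse to pair with a wildcard Access-Control-Allow-Origin.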

Good luck, and feel free to comment if you’re having issues getting the iRule working either here or on DevCentral.

F5 BIG-IP Creating Custom Whitelists for DoS Profile

How to apply an IP whitelist to a DoS Profile. 

This is F5 BIG-IP version 13.1.1.

If you are looking at this screen trying to figure out how to add your custom address list in place of the Default list for a DoS Profile, you are not alone!

F5 does give you the ability to add addresses on the right hand side, pictured below. You can also create an address list under Security > Network Firewall > Address List.

This is an excellent feature. Now we just need to actually add this newly created list in place of the default list. As far as I can tell there is no way to do this on the GUI, but you can do this from the CLI.

SSH into the F5

Command:

tmsh modify security dos profile dos whitelist test-list

Replace the dos that follows dos profile with the name of your DoS profile, and test-list with the name of your whitelist. After running this command, you can verify that it worked by running: tmsh list security dos profile dos. Hit space until you are at the bottom of the profile.

You should be able to see your whitelist inside your DoS profile.

Please comment below if this helped you or if you have any further questions!

Hope this helped!

Broken iRules Maintenance Page

Many people have been using the feature of a health monitor on LTM called “Monitor Disable String”. When the health monitor receives this string it disables the pool member. This is handy to give to application owners so they can remotely disable a pool member for maintenance or upgrades. A popular use case was to attach an iRule to a VIP. That iRule presents a maintenance page when all pool members are in a disabled state.
