Inbound F5 Load Balancing for an EFT HA Cluster using DMZ Gateways


THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT v7 and later

DISCUSSION

Introduction

F5 provides software and hardware solutions that can be used as a load balancer for traffic inbound to a set of EFT HA nodes. Most organizations will already be using an existing global traffic management system within their network environment. This document will help you take advantage of the F5 features to configure access and load balancing for Globalscape EFT servers utilizing Globalscape DMZ Gateway servers in a highly available manner.

See also the "F5® Big-IP® LTM™ Implementation Guide" (attached).

Disclaimer:

This article is intended for a technical audience and is provided “As Is” without any guarantee or support; it is intended for demonstration/educational purposes only. Globalscape recommends using a hardware-based load balancer like Big IP F5 or similar for production environments. Each network and corporate environment is unique and could require additional steps. IP addresses and object labels provided below are used for demonstration only. You should obtain and use labels and IP addresses associated with your specific environment.

Please consult with your Network Administrator or Globalscape Tech Support for more information.

Prerequisites

  • At least two EFT Servers
    • Connected to the same multicast subnet.
    • Hosted on the internal network
  • Each EFT Server will connect to a Globalscape DMZ Gateway server.
    • Default port to create Peer Notification Channel (PNC) 44500
    • DMZ servers should use IP addresses associated with a DMZ network
  • F5 hosting connections for the multicast subnet hosting the EFT nodes.

F5 “Configuration Objects” - as applied to a Globalscape HA solution

  • Virtual Server = DNS address for the site URL, for example “sftp.globalscape.com”
  • Node = Each DMZ Gateway server
  • Application Service = Each protocol offered can be defined as an Application Service
    • Shown as IP:Port. Example: DMZ Server IP = 192.168.1.100:Port
    • SFTP would be defined as 192.168.1.100:22
    • HTTPS might be configured as 192.168.1.100:443
    • The Application Service is defined for each DMZ node
  • Pool = all DMZ Gateway nodes
    • Each DMZ server participating in the load balancing effort
    • Includes the Application Services available on each node

Traffic destined to multiple Globalscape EFT Server HA nodes utilizing DMZ Gateway partners can be managed by F5’s Local Traffic Manager. The following sections give an overview of an F5 solution that load balances the traffic between the DMZ nodes. This process can be repeated for internal traffic and directed to each EFT node.

Load Balancing Traffic

You can configure the F5 BIG-IP systems to load balance inbound traffic through Globalscape DMZ Gateway servers. When you create the virtual server, you can configure it to use the F5 profiles. The profiles determine how the BIG-IP system processes FTP traffic to each DMZ node. This section describes how to create the F5 “Configuration Objects” listed below, using a profile.

  • Create a pool for load balancing DMZ traffic.
  • Create a virtual server for processing DMZ traffic.

In this section, we’ll use the following example, where node1 and node2 both offer only HTTPS. The HTTPS traffic is offloaded to Big-IP F5 for load balancing. This process can be repeated for additional protocols such as SFTP or standard FTP.

Creating a pool: You can create a load balancing pool to balance passive mode DMZ traffic. After creating the pool, assign it to the virtual server that you create.

Create F5 Pool: Create a pool, and assign members to it.

  • Go to “Local Traffic” -> Pools -> Pool List as shown below.
  • Click on the “Create” button on the top right corner, which will display the following:
    • Configuration: Leave set as “Basic”
    • Name: Enter the pool name. For example, EFT-DMZ HTTPS-pool.
    • Description: Enter some meaningful info here, such as “HTTPS for DMZ Gateways”
    • Health Monitors: Select “tcp” from the “Available” list.
    • Load Balancing Method: Select “round robin”
    • New Members:
      • Click on the “New Node” radio button
      • Enter the IP address of the DMZ Gateway Node1.
      • Port: Select HTTPS
  • Add: Click on “Add” to add the DMZ-Node1.
  • Repeat the same process and add “DMZ-Node2”.
  • Once you add both of the nodes, click on “Finished”, which will create our new EFT-DMZ HTTPS-pool.

To create a virtual server for Globalscape DMZ traffic

Example Virtual Server https://sftp.globalscape.com (192.168.14.2) - matches the site URL

Node 1: https://sftp.globalscape.com (192.168.101.2) – DMZ Gateway Server 1

Node 2: https://sftp.globalscape.com (192.168.101.3) – DMZ Gateway Server 2

Create F5 DMZ Virtual Server - Create the DMZ virtual server that will use the pool we created above.

  • Go to “Local Traffic” -> Virtual Servers -> Virtual Server List as shown below.
  • From here, click on the “Create” button on the top right corner, which will display the following:
    • Name: Enter the name of the virtual server. For example, DMZ-VS
    • Description: “Virtual Server for Globalscape DMZ”
    • Type: Select standard
    • Destination: Select “Host”, and enter the name of the virtual server (for example, 192.168.102.2). So, if someone comes to 192.168.101.2 on SSL, it will get redirected to one of the nodes in the EFT-DMZ-pool.
    • Service Port: Select HTTPS, as incoming requests to the virtual server itself will be in SSL.
    • Leave everything else set as defaults on this screen and create the virtual server.

After the above setup, if you go to https://192.168.14.2, F5 Big-IP will transfer the traffic to one of the EFT-DMZ-pool nodes.
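A post-setup check, added here as an example (not Globalscape or F5 code): it probes each pool member and the virtual server and separates a plain TCP connect, the reachability a tcp-type health monitor tests, from a completed TLS handshake on the HTTPS port. The function names are hypothetical, and the addresses are this article's example values.

```python
import socket
import ssl

# Example addresses from the article; replace with your environment's values.
POOL_MEMBERS = [("192.168.101.2", 443), ("192.168.101.3", 443)]  # DMZ Gateway nodes
VIRTUAL_SERVER = ("192.168.14.2", 443)                           # F5 virtual server

def probe(host, port, server_name=None, timeout=3.0):
    """Check TCP reachability, then attempt a TLS handshake on the same socket."""
    result = {"tcp": False, "tls": False, "tls_version": None}
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return result                      # refused, filtered or unroutable
    result["tcp"] = True
    ctx = ssl.create_default_context()
    if server_name is None:
        # Probing by bare IP: the certificate name cannot match, so only
        # handshake completion is tested here, not certificate trust.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(sock, server_hostname=server_name) as tls:
            result["tls"] = True
            result["tls_version"] = tls.version()
    except OSError:                        # ssl.SSLError is a subclass of OSError
        sock.close()
    return result

def tcp_only_endpoints(results):
    """Endpoints a TCP-connect check would call healthy although TLS failed."""
    return [ep for ep, r in results.items() if r["tcp"] and not r["tls"]]

if __name__ == "__main__":
    results = {}
    for host, port in POOL_MEMBERS + [VIRTUAL_SERVER]:
        results[f"{host}:{port}"] = probe(host, port)
        print(f"{host}:{port}", results[f"{host}:{port}"])
    print("TCP up but TLS failing:", tcp_only_endpoints(results))
```

Passing `server_name` (for example the site URL's host name) makes the probe verify the certificate chain and name as well, which is useful when checking the virtual server from a client network.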

Repeat the steps to create F5 Pools for each protocol being allowed: SFTP, FTP…

References

F5 - https://f5.com/products/big-ip

F5 Virtual Server - https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-concepts-11-2-0/ltm_virtual.html