Foundry GSLB/DNS + PIX 515 Question

Status
Not open for further replies.

RJ45100BT

IS-IT--Management
Nov 19, 2002
30
US
Ok,

Got a tough one.

I have a Foundry ServerIron on a DMZ interface with a private address of 10.30.200.2, pix-gate 10.30.200.1. All statics and ACLs work great. All server monitoring for GSLB works well. They have statically translated public IPs for the WEB VIP and DNS-VIP interfaces. NSLookup to the boxes from the big "I" works great and the web sites deliver fine through the load balancer.

But there is one issue.

Both of my Foundry boxes in Irvine and Dallas can see each other; they can reach each other's respective name servers and Web VIPs.

But they cannot reach their own DNS or WEB VIPs. (They need this as part of the GSLB logic to determine best site selection, i.e., my DNS/WEB is down so the best site is my peer, etc.)

Well, to determine this it sends a ping to its configured WEB and DNS VIP IP. (Which is the public one, since it's what it has to deliver to a client via nslookup.)

Now, is there a way to allow the DMZ, statically translated, privately addressed Foundry box to ping a virtual interface which has a real IP associated with it?

I.e., I want to ping 216.x.x.x and get a response from the DMZ, but that 216.x.x.x block lives on this PIX.

--BD


However,
 
You need to have your boxes on the same subnet talk to each other with their real IPs and not their statically mapped ones.

I.e., if Server1 is 10.10.10.1 and Server2 is 10.10.10.2, you need to have Server1 get to Server2 by 10.10.10.2 and not the public mapped address.
 
Hi, I am from India. Currently we are facing a problem with a Foundry load balancer. Please find below the description of the problem.

We have one web server (which is a different application) that sends a request to our servers (our application) through a Foundry load balancer. We use SSL communication, so the request we receive at the load balancer is encrypted. So when we tried to use the URL switching mechanism, it failed. Now we are running our application using only one server on our side.

So please suggest a better mechanism, under the SSL (https) request and response mechanism, for how to configure the load balancer to resolve the communication between the servers from the parent application request/response.

Thanks and regards,
Kavana
 
It sounds like our set-up is very similar. I am actually passing an encrypted CGI request through my Foundry ServerIron to my web server, which delivers the output of that request via a URL back to the requesting client/server.


In your gslb configuration you need to bind both ssl and whatever port your application listens on ie. Also, on your real server, you need to specify


server real real-web1 64.x.x.x

port ssl
port http
port http keepalive
port http url "HEAD /"
port http status_code 403 403
(I have mine set to allow 403 as a valid response from the web server as an "up" status because some clients come across SSL and some hit it directly with HTTP. If the Foundry receives a 403 error because it tries to test a web site via an HTTP request, and it gets "forbidden via ssl", it will still mark the site as healthy.)

Under Virtual server


virtual server real-web1
port ssl sticky
port http
bind ssl virt-1 ssl
bind http virt-1 http

Hope this helps
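
The health-check behaviour described in the post above, as an added Python example that is not part of the original thread and is not Foundry code: it emulates a `HEAD /` check against constructed local backends, assuming `status_code 403 403` means an inclusive range of accepted codes. The names `status_ok`, `head_check`, `make_backend` and `run_demo` are hypothetical, and the second range set (2xx plus 403) is an assumption added for comparison.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

def status_ok(status, ranges):
    """True if status falls inside any inclusive (low, high) range."""
    return any(low <= status <= high for low, high in ranges)

def head_check(host, port, ranges, path="/", timeout=2.0):
    """Send HEAD <path>; return (status, healthy), or (None, False) if no answer."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("HEAD", path)
        status = conn.getresponse().status
    except (OSError, http.client.HTTPException):
        return None, False
    finally:
        conn.close()
    return status, status_ok(status, ranges)

def make_backend(status):
    """Constructed stand-in for a real server that always answers `status`."""
    class Handler(BaseHTTPRequestHandler):
        def do_HEAD(self):
            self.send_response(status)
            self.end_headers()
        def log_message(self, *args):  # keep the demo quiet
            pass
    server = HTTPServer(("127.0.0.1", 0), Handler)  # port 0: any free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def run_demo():
    """Probe three constructed backends with two accepted-range sets."""
    only_403 = [(403, 403)]               # the range given in the post
    ok_or_403 = [(200, 299), (403, 403)]  # assumption: also accept 2xx
    results = {}
    for name, status in (("ssl_only", 403), ("plain_http", 200), ("broken", 500)):
        server = make_backend(status)
        port = server.server_address[1]
        results[name] = (head_check("127.0.0.1", port, only_403)[1],
                         head_check("127.0.0.1", port, ok_or_403)[1])
        server.shutdown()
        server.server_close()
    return results

if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(name, verdict)  # (healthy with 403 only, healthy with 2xx or 403)
```

With only 403 accepted, a backend that answers 200 over plain HTTP is marked down, and any 403 counts as up whatever its cause, so this check confirms that the HTTP listener responds rather than that the application behind it works.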
 