Hardware Load Balancer

Most of companies use Hardware load balancer for their Apps, such as Exchange email servers, Web servers, Citrix Storefront, etc...
The hardware load balancer usually is placed in he DMZ.
 Well, it makes sense to  me when external user comes through the firewall, then to load balancer in the DMZ, then to the server.
However if  internal users want to access the server, do they have to go through DMZ to get to the Load Balancer then come back through the DMZ back to the internal Network to get to the server ?

OR

Companies need to have Load balancer(s) in the DMZ for external users and Load balancer(s) inside the Network for internal users ?

any idea ?

Thank you
jskfanAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Jian An LimSolutions ArchitectCommented:
Really depends on cost, security and design.

I have seen customer have a load balancer sitting in DMZ with 3 leg (one to internet, one to internal and one to DMZ )

this way, you save the cost of implementing 2 load balancer.

However, i have seen security don't allow it and force the customer to have 2 pair of load balancer. one pair for internal use. and one pair for external use.



I think it is up to the business to what their requirement (security and cost)

there is nothing right or wrong.
0
Sekar ChinnakannuStaff EngineerCommented:
So you mean to say you using single citrix farm for both internal or external users? If so its better to segregate the environment for external users and internal users.  If not then external users connect via load balancer in DMZ then connect to server.
0
dan_blagutCommented:
Hello

Like you sayd, the users (internals and externals) connect to the DMZ servers trough the load balancer. The OWA server is in DMZ so ther is no difference in your examples. If not there is many built in load balancer mechanism in many applications: Active directory, CAS and MBX servers for Exchange etc

Dan
0
What were the top attacks of Q1 2018?

The Threat Lab team analyzes data from WatchGuard’s Firebox Feed, internal and partner threat intelligence, and a research honeynet, to provide insightful analysis about the top threats on the Internet. Check out our Q1 2018 report for smart, practical security advice today!

Tej Pratap Shukla ~DexterServer AdministratorCommented:
yes,
A load balancer along with DMZ will certainly adds an extra layer of security to the company network. As load balances will manage the traffic for internal as well as external users, DMZ will give a secured network to both internal as well as external networks.

The task is to how a company can utilize its resources by setting an equilibrium between internal and external traffic with the help of proxy server or load balancer.
0
ChrisCommented:
we have load balancing infrastructure in the the DMZ and on the internal network and the only deal with connection from the network they are in i.e. no internal connections to the external load balancers
0
CoralonCommented:
There are a lot of ways to do this, and a lot of design options/considerations.  

One of the easier ways to do what you want to accomplish is to have 2 separate load balanced addresses, and have your LB device with a leg internally and in your DMZ.  You use differing DNS entries internal & external/DMZ.  This prevents your internal traffic from crossing the DMZ, while allowing external access.  

You can definitely force your internal traffic through the DMZ for LB if you want, you can skip the DMZ segment and have it all internal, etc.  It really all depends on what you want to accomplish.

Coralon
0
jskfanAuthor Commented:
OK if I understand. the best way is to have fault tolerance internally and externally.
Put 2 LB internally and 2 LB in the DMZ, internal users will g through the internal LBs  and the external users will come through the DMZ LBs.

I believe if LB is in the DMZ only, then there will be a lot of NATTING back and forth on the internal firewall.
for instance, when internal user makes connection, the internal firewall will NAT the internal IP to the DMZ IP, then they reach the VIP grab the IP of the VIP and come back through the internal firewall again and probably the VIP IP address will be translated to the internal IP address
0
CoralonCommented:
No.. if your LB is DMZ only, then your internal users will access it by the native address.. the only NAT will be from the LB to your internal servers.

[compA] ---> DMZ LB ---nat--> internal server..

So.. lets say your computer is on 192.168.1.10 and your LB is on 172.16.1.20 and your internal server is 192.168.1.100

Your computer will connect to 172.16.1.20, while the traffic from the Load Balancer will NAT back to the 192.168.1.100.

If you put a leg to your LB inside your network, then your LB IP might be 192.168.1.50, and you would eliminate any NAT to the INSIDE, while your outside connections would NAT to the DMZ IP (the 172.16.1.20 address).. you would have either
internet --nat--> DMZ LB --nat--> internal server (no LB leg inside your network)
or
internet --nat--> DMZ LB ---> internal server (if you do have a LB leg inside your network).

Coralon
0
jskfanAuthor Commented:
*** From Internet coming inside it is clear..
internet --nat--> DMZ LB --nat--> internal server

*** What about when users from inside try to access StoreFront ?
is it going to be Internal User---Internal Firewall--LB---Back through Internal Firewall--StoreFront Server ?

***The Leg inside the network is not clear to me.. because you will have External Firewall -----LB----Internal Firewall----Inside Network.
I do not see where the LB leg can be positioned.
0
CoralonCommented:
The Load balanced IP Address lives on the LB device itself.  IF you have a leg on the internal network, there is no crossing the firewall.. it is a direct connection to the inside so there is no translation.. the connection just happens directly on that network.  

If you do not have a leg on the internal network, then the translation happens exactly as it does talking to any server on the DMZ -- generally, there is no NAT that direction, they use the actual IP addresses of the DMZ network devices, and the responses use the actual internal address names.  Most designs do not do a NAT between the inside & DMZ.. only from the Outside and DMZ/Internal.

Coralon
0
jskfanAuthor Commented:
I thought when we say DMZ , it means a network between 2 Firewalls.

If your internal network is 192.168.x.x . Storefront server1=192.168.20.20 and Storefront server2 = 192.168.20.21
 your DMZ network is 172.16.x.x , the LB VIP (I believe should have 172.16.x.x IP address)

Now Internal users when trying to reach one of the storefront servers, they connect to the hostname of the VIP (172.16.x.x), considering this VIP is in the DMZ , how does the connection(including translation) occur in the path:

Internal user---internal Firewall----VIP(172.16.x.x) which is in DMZ----back to Internal Firewall----to one of the Storefront servers.

When you say the LB can have a leg inside the network.. that way I understand there is at least one Network interface connected directly  from LB to the internal switch and  there are 2 VIPs configured ,  one for internal users and one for external users.
example: 192.168.20.19 (VIP for internal user) and 172.16.x.19 (for external users), the 172.6.x.19 should be translated to 192.168.x.x  




**Do not worry  about explaining how external users connect to Storefront , that one is clear.
0
CoralonCommented:
Not exactly..  

2 leg design:
Your load balancing device will have network connections directly to your internal network and a connection to your DMZ.  

Your load balanced IP Address could be a DMZ IP Address, or an Internal IP Address.  There is no NAT between your DMZ & Internal network.  

1 leg design:
Your LB device will have the single address in the DMZ.  You would establish a NAT from the outside to the device.  Your internal clients will still use the DMZ native addresses -- you will NOT nat between your internal network & your DMZ. You use your routers to send the traffic appropriately for your DMZ.  

Now.. that being said.. you *can* use 2 separate load balanced IP's as you mentioned, one for internal & 1 for external, but there really is not a reason to do so - it overly complicates the design.  

The whole point is not to NAT between the internal & dmz networks.   You use your LB device's routing functions to control the traffic from the DMZ to the internal network.

Coralon
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
jskfanAuthor Commented:
The whole point is not to NAT between the internal & dmz networks.   You use your LB device's routing functions to control the traffic from the DMZ to the internal network.

Excellent!
0
jskfanAuthor Commented:
Thank you!
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Networking Hardware-Other

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.