jskfan
asked on
Hardware Load Balancer
Most companies use a hardware load balancer for their apps, such as Exchange email servers, web servers, Citrix StoreFront, etc.
The hardware load balancer is usually placed in the DMZ.
Well, it makes sense to me when an external user comes through the firewall, then to the load balancer in the DMZ, then to the server.
However, if internal users want to access the server, do they have to go through the DMZ to get to the load balancer, then come back through the DMZ to the internal network to get to the server?
Or do companies need to have load balancer(s) in the DMZ for external users and load balancer(s) inside the network for internal users?
Any idea?
Thank you
SOLUTION
SOLUTION
SOLUTION
SOLUTION
We have load balancing infrastructure in the DMZ and on the internal network, and they only deal with connections from the network they are in, i.e. no internal connections to the external load balancers.
SOLUTION
ASKER
OK, if I understand, the best way is to have fault tolerance internally and externally.
Put 2 LBs internally and 2 LBs in the DMZ; internal users will go through the internal LBs and the external users will come through the DMZ LBs.
I believe if the LB is in the DMZ only, then there will be a lot of NATting back and forth on the internal firewall.
For instance, when an internal user makes a connection, the internal firewall will NAT the internal IP to a DMZ IP, then they reach the VIP, grab the IP of the VIP, and come back through the internal firewall again, and probably the VIP IP address will be translated to the internal IP address.
SOLUTION
ASKER
*** From the Internet coming inside it is clear:
internet --nat--> DMZ LB --nat--> internal server
*** What about when users from inside try to access StoreFront?
Is it going to be Internal User --- Internal Firewall --- LB --- back through Internal Firewall --- StoreFront Server?
*** The leg inside the network is not clear to me, because you will have External Firewall ----- LB ---- Internal Firewall ---- Inside Network.
I do not see where the LB leg can be positioned.
SOLUTION
ASKER
I thought when we say DMZ, it means a network between 2 firewalls.
If your internal network is 192.168.x.x, StoreFront server1 = 192.168.20.20 and StoreFront server2 = 192.168.20.21,
and your DMZ network is 172.16.x.x, the LB VIP (I believe) should have a 172.16.x.x IP address.
Now, when internal users try to reach one of the StoreFront servers, they connect to the hostname of the VIP (172.16.x.x). Considering this VIP is in the DMZ, how does the connection (including translation) occur in the path:
Internal user --- internal Firewall ---- VIP (172.16.x.x) which is in the DMZ ---- back to Internal Firewall ---- to one of the StoreFront servers.
When you say the LB can have a leg inside the network, the way I understand it there is at least one network interface connected directly from the LB to the internal switch, and there are 2 VIPs configured, one for internal users and one for external users.
Example: 192.168.20.19 (VIP for internal users) and 172.16.x.19 (for external users); the 172.16.x.19 should be translated to 192.168.x.x.
** Do not worry about explaining how external users connect to StoreFront; that one is clear.
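A small model of the two designs discussed in this thread, added here as an example (not code from the thread or from any load balancer vendor): it uses the asker's addresses, fills in the unknown octets as an assumption (172.16.0.0/16 for the DMZ, 172.16.0.19 for the DMZ VIP), and counts how many times a client-to-backend flow must cross the internal firewall, each crossing being a point where a NAT or routing rule is needed.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from itertools import cycle

# Zones from the thread: internal 192.168.x.x, DMZ 172.16.x.x.
# The unknown octets (x) are filled in here as an assumption.
ZONES = {"internal": IPv4Network("192.168.0.0/16"), "dmz": IPv4Network("172.16.0.0/16")}

def zone_of(ip: str) -> str:
    addr = IPv4Address(ip)
    return next((name for name, net in ZONES.items() if addr in net), "internet")

@dataclass
class LoadBalancer:
    legs: set        # zones the LB has an interface ("leg") on
    vips: dict       # VIP address -> list of backend servers
    _rr: dict = field(default_factory=dict)

    def pick_backend(self, vip: str) -> str:
        # Round-robin per VIP; stands in for the appliance's scheduling
        self._rr.setdefault(vip, cycle(self.vips[vip]))
        return next(self._rr[vip])

    def vip_for(self, client: str) -> str:
        """Prefer a VIP on the client's own segment, otherwise the DMZ-facing one."""
        for z in (zone_of(client), "dmz"):
            for v in self.vips:
                if zone_of(v) == z:
                    return v
        raise LookupError("no reachable VIP")

def trace_flow(client: str, vip: str, lb: LoadBalancer):
    """Return (hops, firewall_crossings). A zone change on the way to the VIP
    crosses a firewall and needs a NAT rule; on the way to the backend the LB
    only avoids a second crossing if it has a leg on the backend's segment."""
    hops, crossings = [client, vip], []
    if zone_of(client) != zone_of(vip):
        crossings.append((zone_of(client), zone_of(vip)))
    backend = lb.pick_backend(vip)
    if zone_of(backend) not in lb.legs:
        crossings.append((zone_of(vip), zone_of(backend)))
    hops.append(backend)
    return hops, crossings

STOREFRONT = ["192.168.20.20", "192.168.20.21"]   # asker's StoreFront servers
DMZ_ONLY = LoadBalancer(legs={"dmz"}, vips={"172.16.0.19": STOREFRONT})
TWO_LEGGED = LoadBalancer(legs={"dmz", "internal"},
                          vips={"192.168.20.19": STOREFRONT, "172.16.0.19": STOREFRONT})

if __name__ == "__main__":
    for name, lb in (("DMZ-only LB", DMZ_ONLY), ("two-legged LB", TWO_LEGGED)):
        hops, x = trace_flow("192.168.20.50", lb.vip_for("192.168.20.50"), lb)
        print(f"{name}: {' -> '.join(hops)}; firewall crossings: {x}")
```

With the DMZ-only design an internal client hairpins through the internal firewall twice (internal to DMZ, then DMZ back to internal); with the two-legged design and an internal VIP it never touches the firewall, which is the "no NAT between internal and DMZ" outcome the accepted answer describes.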
ASKER CERTIFIED SOLUTION
ASKER
The whole point is not to NAT between the internal and DMZ networks. You use your LB device's routing functions to control the traffic from the DMZ to the internal network.
Excellent!
ASKER
Thank you!