F5 BIG-IP Load Balancer Design and Implementation (Windows SharePoint Services 2.0)

F5 BIG-IP devices support 100 Mbps or 1 Gbps interfaces. For this deployment, 100 Mbps NICs are used on the BIG-IP devices.

A pair of BIG-IP load balancers (redundant BIG-IP controllers) supports automatic failover and helps ensure the reliability of the request routing. The load balancing device pair is configured in Active/Passive mode. Each F5 BIG-IP controller has two interfaces, exp0 (with public addresses) and exp1 (with private addresses).

Note

Exp1 is the administrative interface. IP addresses for the BIG-IP controller are placed on exp1.

F5 BIG-IP IP Addresses

  • External Interface (exp0): Active IP address 200.100.1.19 and Standby IP address 200.100.1.20.

  • Internal Interface (exp1): Active IP address 172.16.1.3 and Standby IP address 172.16.1.4.

The state mirroring feature allows the standby unit to maintain all of the current connection and persistence information. If the active unit fails and the standby unit takes over, all connections continue, virtually uninterrupted.

Windows SharePoint Services automatically supports dynamic load balancing between front-end Web servers. There is no need to enable persistence on the BIG-IP controllers.

BIG-IP NAT/SNAT Configuration

Network Address Translation (NAT) is used to convert public address space (200.100.1.x) to private address space (172.16.1.y); for example, Windows SharePoint Services may connect to the Internet to retrieve additional Web Part information. Using Secure Network Address Translation (SNAT) provided by BIG-IP helps protect the internal network address information. The SNAT address for outbound traffic is 200.100.1.30. Use Address Resolution Protocol (ARP) with NAT.

F5 BIG-IP Device Administration and Configuration

The Internet Platform and Operations group used https://200.100.1.19/ and https://200.100.1.20/ and logged in with the appropriate account and password to manage the BIG-IP controllers and load balancing configuration. To help provide a high level of security, they blocked traffic coming from the Internet and allowed only servers on the corporate network, connecting through the corporate proxy servers, to access those two URLs.
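
One way to check that the management restriction described above is actually holding, as an added example that is not part of the original deployment guide: the script flags allowed HTTPS connections to the two management addresses from any source outside the corporate proxy range. The proxy range (192.0.2.16/29), the log line format, and the sample log entries are assumptions constructed for illustration; only the two management addresses come from the page.

```python
import ipaddress

# From the page: the two BIG-IP management URLs (HTTPS, so port 443).
MGMT_ADDRS = {ipaddress.ip_address("200.100.1.19"),
              ipaddress.ip_address("200.100.1.20")}
MGMT_PORT = 443

# Assumption: corporate proxy egress range (documentation range, not from the page).
CORP_PROXIES = [ipaddress.ip_network("192.0.2.16/29")]

# Constructed firewall log lines: "<timestamp> <action> <src> <dst> <dport>"
SAMPLE_LOG = """\
2004-03-01T09:12:44Z ALLOW 192.0.2.17 200.100.1.19 443
2004-03-01T09:13:02Z ALLOW 198.51.100.7 200.100.1.20 443
2004-03-01T09:13:40Z DENY 203.0.113.9 200.100.1.19 443
2004-03-01T09:14:11Z ALLOW 198.51.100.7 200.100.1.25 80
garbled line
2004-03-01T09:15:00Z ALLOW 192.0.2.99 200.100.1.19 443
"""

def is_corp_proxy(src):
    """True when the source address falls inside an allowed proxy range."""
    return any(src in net for net in CORP_PROXIES)

def find_violations(log_text):
    """Return (violations, unparsed): ALLOWed connections to the management
    interface from non-proxy sources, plus lines that could not be parsed."""
    violations, unparsed = [], []
    for line in log_text.splitlines():
        try:
            ts, action, src, dst, dport = line.split()
            src = ipaddress.ip_address(src)
            dst = ipaddress.ip_address(dst)
            dport = int(dport)
        except ValueError:
            # Wrong field count or a bad address/port: keep it for manual review.
            unparsed.append(line)
            continue
        if (dst in MGMT_ADDRS and dport == MGMT_PORT
                and action == "ALLOW" and not is_corp_proxy(src)):
            violations.append((ts, str(src), str(dst)))
    return violations, unparsed

if __name__ == "__main__":
    bad, skipped = find_violations(SAMPLE_LOG)
    for ts, src, dst in bad:
        print(f"{ts} management access from non-proxy source {src} -> {dst}")
    print(f"{len(skipped)} unparsed line(s) kept for review")
```

Unparsed lines are returned rather than dropped so that a malformed or truncated log entry cannot silently hide a connection to the management addresses.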