Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1274
Views
5
Helpful
7
Replies

Cisco Expressway behind BigIP F5 LTM

Richard Dumag
Level 1
Level 1

‎02-22-2023 04:30 PM

We are implementing two Cisco Expressways for Jabber.  Our DMZ zone is fronted by the BigIP F5 LTM.  Instead of creating another DMZ zone just for Jabber, we would like to put the external Expressways behind the F5 (not for load balancing) instead.  Is this possible?  Has anyone done this successfully and can you share your experience and setup?  Appreciate any comments or suggestions. Thank you. 

Richard

 

0 Helpful
7 Replies 7

Nithin Eluvathingal
VIP
VIP

‎02-22-2023 05:04 PM

One of my customer wanted to use F5 in the front, not for load balancing but  it never worked. They spend almost three weeks and finally removed the F5.

You dont need a F5 in the expresway path.



Response Signature


Richard Dumag
Level 1
Level 1
In response to Nithin Eluvathingal

‎02-22-2023 05:33 PM

Thanks for the quick reply, Nithin.  But I don't want to create a firewall policy that indicates an outside to inside zone traffic.  I'm trying to avoid creating a second DMZ zone, but I guess I will have to.

Richard

 

0 Helpful

Nithin Eluvathingal
VIP
VIP
In response to Richard Dumag

‎02-22-2023 06:23 PM

Why do you need a Second DMZ ?, do the nating on Firewall. Allow the ports mentioned on the MRA guide.



Response Signature


0 Helpful

Richard Dumag
Level 1
Level 1
In response to Nithin Eluvathingal

‎02-22-2023 08:06 PM

Cisco's recommendation is to place the external expressway on the DMZ.  Did your customer have their expressway NAT'ed from the inside?   If so, isn't that a little risky?

0 Helpful

Roger Kallberg
VIP
VIP
In response to Richard Dumag

‎02-22-2023 10:17 PM

You should put the Expressway-E in a DMZ and then put the Expressway-C on the internal network. This would not be any different if you were to use F5, the network topology for an Expressway deployment stays the same. To allow traffic to your E(s) to reach the C(s) you’ll need to have a few different rules created in your firewall(s). You’ll need internet to E (external interface), E (external interface) to internet, C to E (internal interface) and management traffic to E (internal interface). If you’re using internal resources for DNS, NTP, syslog and so on you’ll need to allow the E to reach those as well.



Response Signature


0 Helpful

Roger Kallberg
VIP
VIP

‎02-22-2023 10:07 PM - edited ‎02-23-2023 10:45 AM

We use F5 for this. It fronts our MRA systems, but aren’t in the actual traffic path, and does geoDNS for the connecting client and keeps track of the status of each E we have so that it doesn’t direct traffic to an Expressway-E that is unavailable. This works perfectly fine for our system landscape.



Response Signature


0 Helpful

Richard Dumag
Level 1
Level 1
In response to Roger Kallberg

‎02-23-2023 07:33 AM

Thanks Roger.  We don't have geoDNS on the F5 unfortunately.  We're looking to just put the external expressway behind the F5 instead of creating another DMZ.

0 Helpful
Customers Also Viewed These Support Documents