Third-Party Load Balancer

[LBVBW]

We have some questions to GoAnywhere MFT related with a third-party Load Balancer.
But first of all our entire configuration: We use two MFT-Server in connection with two Gateway-Server. In front of the Gateway-Server we use a F5 Load Balancer. The Load Balancer has two different things to do. SSL offloading (HTTPS to HTTP) and of course load balancing (HTTPS and SFTP).

1. The SSL offloading only works, if we change the tomcat settings (install folder/config/https.xml) to:

Code: Select all

<Connector SSLEnabled="false" disableUploadTimeout="true" enableLookups="false" gaRedi-rect="false" name="Internet" port="80" protocol="HTTP/1.1" proxyPort="443" scheme="https" secure="true"/>

Is there another way to enable this settings (scheme and secure)?

2. Is it possible to use the X-Forwarded-For header in GoAnyhwere MFT? And is there an analog possibility for SFTP? Because currently we only see the remote IP Address which is every time the same (the IP of the Load Balancer)

3. Do you have a documentation for using a third-party Load Balancer in front of the Gateway-Server?


Thanks in advance for the help

[Support_Rick]

LBVBW,

Your best option here is to load the certificates into GoAnywhere and let the product handle the encryptions. It does this seamlessly through the program.

I assume you're trying to pass the originating details through the X-Forwarded-For header ... if so, this isn't recognized within GAMFT.

The issue is that you have to have the F5 forward the Originating IP. Normally this is done by SNAT using an iRule.

Normally, we do not provide support for front-end Load Balancers as the product allows for each customer to utilize VIP, LB, Firewalls, etc to route the communication traffic to the Gateway and/or the GAMFT directly. This is all determined by the Customer Installation and their network architecture. We have customers using F5 as well as Netscaler and others that they configured to pass-thru the originating IP, but we do not provide support for those configurations as they could affect other areas besides GAMFT.

[ejknight52]

We found the fix to be SSL Forwarding to the Servers through the F5.

[patrickgilman]

Anyone doing this with Netscalers?

We are using Netscalers to LB connections between our two GA Gateways. Problem is we are only seeing (logging) the IP address of the Netscalers as the client IP. We are getting HTTPS client IP via the x-forward method but are not seeing the client IP for sftp connections.

[support_steve]

Hi Patrick,

I would recommend looking in the GoAnywhere Gateway manual and reviewing the settings for Proxy Protocol, this is a later addition that should offer a much better experience than x-forwarded-for.

It can work in addition to your existing configuration on different inbound ports so you can implement the changes on the gateway nodes before changing your LB configuration.