Super quick tip time…
I discovered this little nugget of configuration joy today: a case where an NSX-v edge configured as a load balancer was not firewalling traffic as expected. Bit of a head-scratcher to start with; however, the answer is out there in the documentation… The problem was finding it!
Hopefully this post will serve as a point of reference / reminder for me should this issue come up again in the future.
Scenario
Using an NSX load balancer to host a load balanced Virtual IP (VIP) for SMTP email relay to Microsoft Exchange.
So that not all LAN hosts could relay email to Exchange (this would be a security risk), the load balancer edge firewall was configured with an allow rule using an IP set of addresses approved to relay SMTP email. LAN clients not in the allow IP set should be blocked from relaying SMTP email to Exchange.
Problem
Upon testing, it was found that SMTP traffic from ALL LAN hosts was being allowed to Exchange via the load balancer despite the firewall rule described above.
Resolution
After much edge firewall diagnosis and a spot of Googling, I found this article: Configure Load Balancer Service.
Within this article, I found these nuggets of information:
To quote:
When disabled, all virtual IP addresses (VIPs) use the L7 LB engine.
The L7 HTTP/HTTPS VIPs (“acceleration disabled” or L7 setting such as AppProfile with cookie persistence or SSL-Offload) are processed after the edge firewall, and require an edge firewall allow rule to reach the VIP.
Further,
The L4 VIP (“acceleration enabled” in the VIP configuration and no L7 setting such as AppProfile with cookie persistence or SSL-Offload) is processed before the edge firewall, and no edge firewall rule is required to reach the VIP.
As I want to use the edge load balancer firewall rule to govern the relaying of SMTP email to Exchange, clearly I need to use the L7 load balancer engine, i.e. ensure acceleration is set to “Disabled”.
Double checking my config:
Oops!
With acceleration enabled, the firewall rules were not being applied to the traffic, hence all LAN hosts were able to relay email to Exchange!
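As an added example (not from the post, and not VMware's code), here is a small audit that reads an NSX-v edge load balancer config export and works out which VIPs land on the L4 engine ahead of the edge firewall, applying the rule quoted above. The XML is constructed, and the element names plus the SSL-offload test are assumptions from memory of the NSX-v API, so verify them against your own export.

```python
import xml.etree.ElementTree as ET

# Constructed sample of an NSX-v edge load balancer config (as returned by
# GET /api/4.0/edges/{edgeId}/loadbalancer/config). Element names are my
# recollection of that XML: an assumption, so verify against a real export.
SAMPLE_CONFIG = """<loadBalancer>
  <accelerationEnabled>true</accelerationEnabled>
  <applicationProfile><applicationProfileId>applicationProfile-1</applicationProfileId>
    <template>TCP</template><sslPassthrough>false</sslPassthrough></applicationProfile>
  <applicationProfile><applicationProfileId>applicationProfile-2</applicationProfileId>
    <template>HTTPS</template><sslPassthrough>false</sslPassthrough>
    <persistence><method>cookie</method></persistence></applicationProfile>
  <virtualServer><name>smtp-relay-vip</name><ipAddress>10.0.0.25</ipAddress>
    <protocol>tcp</protocol><port>25</port><accelerationEnabled>true</accelerationEnabled>
    <applicationProfileId>applicationProfile-1</applicationProfileId></virtualServer>
  <virtualServer><name>smtp-relay-vip-fixed</name><ipAddress>10.0.0.26</ipAddress>
    <protocol>tcp</protocol><port>25</port><accelerationEnabled>false</accelerationEnabled>
    <applicationProfileId>applicationProfile-1</applicationProfileId></virtualServer>
  <virtualServer><name>web-vip</name><ipAddress>10.0.0.27</ipAddress>
    <protocol>https</protocol><port>443</port><accelerationEnabled>true</accelerationEnabled>
    <applicationProfileId>applicationProfile-2</applicationProfileId></virtualServer>
</loadBalancer>"""

def engine_for(vip, profiles, global_accel):
    """Return 'L4' (processed before the edge firewall) or 'L7' (after it),
    following the rule in the NSX documentation quoted in the post."""
    vip_accel = vip.findtext("accelerationEnabled") == "true"
    prof = profiles.get(vip.findtext("applicationProfileId"))
    # Either L7 feature forces the L7 engine even with acceleration enabled.
    cookie = prof is not None and prof.findtext("persistence/method") == "cookie"
    ssl_offload = (prof is not None and prof.findtext("template") == "HTTPS"
                   and prof.findtext("sslPassthrough") != "true")  # assumption
    if global_accel and vip_accel and not (cookie or ssl_offload):
        return "L4"
    return "L7"

def audit(xml_text):
    """Map each virtual server name to its engine; 'L4' VIPs bypass the firewall."""
    root = ET.fromstring(xml_text)
    global_accel = root.findtext("accelerationEnabled") == "true"
    profiles = {p.findtext("applicationProfileId"): p
                for p in root.findall("applicationProfile")}
    return {v.findtext("name"): engine_for(v, profiles, global_accel)
            for v in root.findall("virtualServer")}

if __name__ == "__main__":
    for name, engine in audit(SAMPLE_CONFIG).items():
        flag = "  <-- edge firewall rules NOT applied" if engine == "L4" else ""
        print(f"{name}: {engine}{flag}")
```

In the sample, only smtp-relay-vip is flagged: it has acceleration enabled on a plain TCP profile, which is exactly the configuration that let every LAN host through.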
Right, simple enough, fix:
Fixed!
Sometimes acceleration isn’t needed. Sometimes slow and steady wins the race.
Nice little fix anyway.
-Chris