MAG Webserver Health Check using incorrect source IP causing the Web server to be displayed as DOWN

  • 7014116
  • 14-Nov-2013
  • 14-Nov-2013

Environment

NetIQ Access Manager 3.2
NetIQ Access Manager 3.2 Support Pack 2 applied
Strong network level security enabled only allowing access to specific resource from certain IP addresses

Situation

Access Manager is set up and working well. Due to network constraints, the TCP connect settings in the Web server configuration have been configured with 'Make Outbound Connection Using' set to specific IP addresses, because the network is locked down and the firewall policies only allow connections from certain source IP addresses. With this change in place, all users can access the protected resources on the web servers without any issues.

Despite this, the health check reported in iManager for this working Access Gateway (AG) shows many of the Web servers as DOWN. Traces show that the heartbeat requests from the AG to the Web servers use the AG's primary IP address as their source, and these requests are all being blocked at the firewall. There is no option to set the source IP address (or interface) for the health-check requests in the way that 'Make Outbound Connection Using' does for user traffic to the web server.

Resolution

A defect has been opened with development. In the meantime, iptables can be used to rewrite the source IP address of the outgoing health-check packets to work around the issue.

The following is an example of how to do this:

iptables -t nat -A POSTROUTING -d 10.10.10.10 -s 192.168.1.1 -j SNAT --to-source 192.168.1.9

This rewrites the source address so that the packets appear to come from 192.168.1.9 instead of 192.168.1.1, but only for packets destined for 10.10.10.10 (the web server). The rule can be restricted further to a specific outgoing interface (-o eth0) or a specific TCP port (-p tcp --dport 80) if needed. The address given to --to-source must be one the AG actually holds (here the same address already used by 'Make Outbound Connection Using'); otherwise the web server's replies will not return to the AG. Note that iptables rules are not persistent across a reboot, so the rule must also be added to whatever mechanism the system uses to restore its firewall rules at boot.
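The script below is an added example and is not part of this TID or of Access Manager itself. It generalises the single rule above to the situation described in the article, where many web servers are affected: it builds one SNAT rule per web server, locked down to the outgoing interface and TCP port, prints the resulting iptables commands for review (dry run), and applies them only when called with --apply. The addresses, interface and web server list are hypothetical values chosen for illustration; replace them with your own.

```shell
#!/bin/sh
# Added example (not from the TID): generate, and optionally apply, one SNAT
# rule per web server so that the AG's health-check probes leave from the
# address the firewall permits rather than from the AG's primary address.
#
# Hypothetical values, not taken from the article; adjust to your network:
#   PRIMARY_IP  - the AG's primary address, which the health check uses today
#   ALLOWED_IP  - the address the firewall permits (the one configured in
#                 'Make Outbound Connection Using'); it must already be
#                 configured on OUT_IF so that the web servers' replies return
#   OUT_IF      - the interface the probes leave on
#   WEB_SERVERS - constructed list of host:port entries the firewall restricts
PRIMARY_IP=192.168.1.1
ALLOWED_IP=192.168.1.9
OUT_IF=eth0
WEB_SERVERS="10.10.10.10:80 10.10.10.11:80 10.10.10.12:8443"

# snat_rule HOST PORT: print the rule specification (chain plus matches),
# restricted to one destination, one TCP port and one interface so that only
# the health-check traffic to that web server is rewritten.
snat_rule() {
    printf 'POSTROUTING -o %s -p tcp -s %s -d %s --dport %s -j SNAT --to-source %s\n' \
        "$OUT_IF" "$PRIMARY_IP" "$1" "$2" "$ALLOWED_IP"
}

# build_rules: print one complete iptables command per WEB_SERVERS entry.
# Nothing is executed here; use this to review the rule set first.
build_rules() {
    for entry in $WEB_SERVERS; do
        host=${entry%:*}
        port=${entry##*:}
        printf 'iptables -t nat -A %s\n' "$(snat_rule "$host" "$port")"
    done
}

# apply_rules: add each rule unless an identical one is already present, so
# the script can be re-run safely. Requires root. The -C (check) option needs
# iptables 1.4.11 or later; on older builds remove the check and instead
# flush and recreate the rules.
apply_rules() {
    for entry in $WEB_SERVERS; do
        host=${entry%:*}
        port=${entry##*:}
        spec=$(snat_rule "$host" "$port")
        # $spec is intentionally unquoted so that it is split into arguments
        if iptables -t nat -C $spec 2>/dev/null; then
            echo "exists: $spec"
        else
            iptables -t nat -A $spec && echo "added:  $spec"
        fi
    done
}

case "${1:-}" in
    --apply) apply_rules ;;
    *)       build_rules ;;   # default: dry run, print the commands only
esac
```

Run it without arguments first to review the generated commands, then with --apply as root. Afterwards, confirm that the packet counters on the rules increase with `iptables -t nat -L POSTROUTING -n -v` and that the web servers change to UP in the iManager health check; if the counters stay at zero, the probes are not matching the rule (check the interface, the source address and the port).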