When using Transparency, there are two requirements that must be met:

  • The Real Server needs to have the LoadMaster as the default gateway
  • The clients cannot be on the same subnet as the Real Server

When using a High Availability (HA) pair of LoadMasters, the Real Server's default gateway must be set to the HA Shared IP address defined for the Real Server's subnet. This ensures that return traffic continues to flow even if one of the LoadMaster units goes offline.

The diagrams and text below explain why these requirements must be met.

In the diagram above, neither of the flows have the LoadMaster as the default gateway. In order to be transparent, the default gateway of the Real Servers must be the LoadMaster. This is true whether the network configuration is one-armed or two-armed. If the LoadMaster is not the default gateway, there is no way to ensure that traffic passes through the LoadMaster on the way from the server to the client, and the LoadMaster cannot do its job.

Here is the flow of traffic if transparency is enabled and the LoadMaster is not the default gateway:

  1. Client to Virtual Service
  2. Virtual Service to Real Server
  3. Real Server to network default gateway
  4. Network default gateway to client

The connection will fail between the Real Server and network default gateway.

Another requirement of transparency is that you must be browsing from a subnet other than that of the Real Servers. Again, it is to ensure that traffic passes in and out of the LoadMaster. If you are on the same subnet as the Real Server, the return traffic will simply go directly to the client, instead of through the LoadMaster. As a result, the client is expecting to see traffic come from the IP address of the Virtual Service, but instead will see traffic coming from the IP address of the Real Server. When that happens, the client system ignores the traffic.

Here is the flow of traffic if transparency is enabled and the clients are in the same subnet as the Real Server:

  1. Client to Virtual Service
  2. Virtual Service to Real Server
  3. Return traffic from Real Server direct to client

The connection will fail between the Real Server and the client due to the fact that the clients are in the same subnet as the Real Server (the client expects a response from the Virtual Service address (not the Real Server address)).