Manual Chapter: Common elements for SWG implementations. Do not include this file in a map.

Applies To:

BIG-IP APM

  • 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0

To create a configuration where Access Policy Manager (APM) acts as a forward proxy, make sure to also complete these requirements.
Per-request policy
A per-request policy is required in any configuration where APM acts as a forward proxy. A per-request policy must specify the logic for processing URL requests.
URL categorization
  • On a BIG-IP® system with an SWG subscription, you must download and install a URL database and schedule updates for it.
  • On a system without an SWG subscription, if you want to designate only a few URLs for specific handling, you probably do not need to configure user-defined URL categories and filters. However, if you need to control access to many URLs, you should configure user-defined URL categories and filters for better performance and ease of use.
Transparent user identification
On a system with an SWG subscription, if you plan to identify users transparently, you must first download, install, and configure an F5 user identification agent, either the Secure Web Gateway F5 DC Agent or the Secure Web Gateway F5 Logon Agent.
Secure Web Gateway user identification agents are available only on a BIG-IP® system with an SWG subscription.
Authentication
If you include authentication in your access policy and the first site that a user accesses uses HTTP instead of secure HTTP, passwords are passed as clear text. To prevent this from happening, F5 recommends that you use NTLM or Kerberos authentication. If you plan to use authentication, ensure that you have configured it. For configuration steps, refer to BIG-IP Access Policy Manager: Single Sign-On Concepts and Configuration on the AskF5 web site located at support.f5.com.
SSL intercept
To intercept SSL connections that pass through the proxy, ensure that you have imported a valid subordinate CA certificate and key that is trusted by the endpoints behind the proxy.
  • You need a per-request policy configured for forward proxy.
  • On a BIG-IP® system with an SWG subscription, you must ensure that the URL database is downloaded. You can also configure any URL filters that you want to use in addition to, or instead of, the default URL filters.
  • On a BIG-IP® system without an SWG subscription, if you want to designate only a few URLs for specific handling, you probably do not need to configure user-defined URL categories and filters. However, if you need to control access to many URLs, you should configure user-defined URL categories and filters for better performance and ease of use.
The configuration process for a BIG-IP® system entails adding the OPSWAT library update to one system, then installing it to that same system, or to a device group. You must pre-configure a device group to install the update to multiple systems.