Manual Chapter: Common elements for SWG implementations. Do not include this file in a map.
Applies To:
BIG-IP APM
- 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
To create a configuration where Access Policy Manager (APM) acts as a forward proxy, make sure to also complete
these requirements.
- Per-request policy
  - A per-request policy is required in any configuration where APM acts as a forward proxy. A per-request policy must specify the logic for processing URL requests.
- URL categorization
  - On a BIG-IP® system with an SWG subscription, you must download and install a URL database and schedule updates for it.
  - On a system without an SWG subscription, if you want to designate only a few URLs for specific handling, you probably do not need to configure user-defined URL categories and filters. However, if you need to control access to many URLs, for better performance and ease-of-use you should configure user-defined URL categories and filters.
- Transparent user identification
  - On a system with an SWG subscription, if you plan to identify users transparently, you must first download, install, and configure an F5 user identification agent, either the Secure Web Gateway F5 DC Agent or the Secure Web Gateway F5 Logon Agent. Secure Web Gateway user identification agents are available only on a BIG-IP® system with an SWG subscription.
- Authentication
  - If you include authentication in your access policy and the first site that a user accesses uses HTTP instead of secure HTTP, passwords are passed as clear text. To prevent this from happening, F5 recommends that you use NTLM or Kerberos authentication. If you plan to use authentication, ensure that you have configured it. For configuration steps, refer to BIG-IP Access Policy Manager: Single Sign-On Concepts and Configuration on the AskF5 web site located at support.f5.com.
- SSL intercept
  - To intercept SSL connections that pass through the proxy, ensure that you have imported a valid subordinate CA certificate and key that is trusted by the endpoints behind the proxy.

- You need a per-request policy configured for forward proxy.
- On a BIG-IP® system with an SWG subscription, you must ensure that the URL database is downloaded. You can also configure any URL filters that you want to use in addition to, or instead of, the default URL filters.
- On a BIG-IP® system without an SWG subscription, if you want to designate only a few URLs for specific handling, you probably do not need to configure user-defined URL categories and filters. However, if you need to control access to many URLs, for better performance and ease-of-use you should configure user-defined URL categories and filters.
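
The SSL intercept requirement in the list above can be checked on an administrator workstation before the certificate and key are imported. The following is an added example, not F5 tooling or part of the original manual; the function name `check_subca` and the file paths passed to it are assumptions, and it relies only on the standard `openssl` command line.

```shell
#!/bin/sh
# Added example (not F5 tooling): sanity-check a subordinate CA certificate
# and key before importing them for SSL intercept. All paths are assumptions.
# Usage: check_subca SUBCA_CERT.pem SUBCA_KEY.pem ENDPOINT_ROOT.pem
# Return codes: 0 ok, 1 not a CA, 2 key usage forbids signing,
#               3 key/cert mismatch, 4 does not chain to the root, 5 unreadable
check_subca() {
    cert=$1; key=$2; root=$3

    text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) || return 5

    # A forward proxy re-signs server certificates, so the certificate
    # must be a CA certificate (basicConstraints CA:TRUE).
    printf '%s\n' "$text" | grep -q 'CA:TRUE' || return 1

    # If a keyUsage extension is present it must permit certificate signing.
    if printf '%s\n' "$text" | grep -q 'X509v3 Key Usage'; then
        printf '%s\n' "$text" | grep -q 'Certificate Sign' || return 2
    fi

    # The private key must belong to the certificate: compare public keys.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] || return 3

    # Endpoints only accept re-signed certificates if the subordinate CA
    # chains to a root they already trust.
    openssl verify -CAfile "$root" "$cert" >/dev/null 2>&1 || return 4
    return 0
}
```

Pass the root certificate that is actually deployed to the endpoints as the third argument; a non-zero return code identifies which requirement the certificate or key fails.
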
The configuration process for a BIG-IP®
system entails adding the OPSWAT library update to one system, then installing it to that same
system, or to a device group. You must pre-configure a device group to install the update to
multiple systems.