Manual Chapter :
Remote Access Forward Proxy
Configurations
Applies To:
Show VersionsBIG-IP APM
- 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
Remote Access Forward Proxy
Configurations
Overview: Configuring explicit forward proxy
for Network Access
You can configure Access Policy Manager (APM) to
act as an explicit forward proxy so that APM processes the Internet traffic from a Network Access
client in the same way that it processes such traffic from a client in the enterprise.
Using a distinct explicit forward
proxy configuration to process traffic from remote clients separately from a configuration used
for processing traffic from internal clients provides an important measure of network
security.
Prerequisites for an explicit forward proxy
configuration for Network Access
Before you start to create a configuration in which Access Policy Manager
(APM) acts as an explicit forward proxy to support Network Access clients,
you must have completed these tasks.
- You need to have configured a working a Network Access configuration.
- You need a per-request policy configured for forward proxy.
- On a BIG-IP® system with an SWG subscription, you must ensure that the URL database is downloaded. You can also configure any URL filters that you want to use in addition to, or instead of, the default URL filters.
- On a BIG-IP® system without an SWG subscription, if you want to designate only a few URLs for specific handling, you probably do not need to configure user-defined URL categories and filters. However, if you need to control access to many URLs, for better performance and ease-of-use you should configure user-defined URL categories and filters.
Configuration outline: Explicit forward proxy
for Network Access
Tasks for integrating a Network Access configuration with a configuration in which Access Policy Manager
(APM)®acts as an explicit forward proxy follow this order.
- First, if your Network Access configuration does not include a connectivity profile, create one and add it to the virtual server.
- Next, create a configuration in which APM acts as an explicit forward proxy. This configuration includes the per-request policy.
- Finally, in the Network Access configuration, update the access policy (so that it populates any session variables required for successful execution of the per-request policy) and update the Network Access resource for client proxy.
Creating a connectivity profile
You create a connectivity profile to configure client connections.
- On the Main tab, click.A list of connectivity profiles displays.
- ClickAdd.The Create New Connectivity Profile popup screen opens and displays General Settings.
- Type aProfile Namefor the connectivity profile.
- Select aParent Profilefrom the list.APM provides a default profile,connectivity.
- ClickOK.The popup screen closes, and the Connectivity Profile List displays.
The connectivity profile displays in the list.
To provide functionality with a connectivity profile, you
must add the connectivity profile and an access profile to a virtual server.
Adding a connectivity profile to a virtual server
Update a virtual server that is part of an Access
Policy Manager application access, network access, or portal access
configuration to enable a secure connectivity interface for traffic
from the client.
- On the Main tab, click.The Virtual Server List screen opens.
- Click the name of the virtual server you want to modify.
- Scroll down to the Access Policy area.
- From theConnectivity Profilelist, select the connectivity profile.
- ClickUpdateto save the changes.
Creating a DNS resolver
You configure a DNS resolver to resolve DNS
queries and cache the responses. The next time the system receives a query for a
response that exists in the cache, the system returns the response from the cache.
- On the Main tab, click.The DNS Resolver List screen opens.
- ClickCreate.The New DNS Resolver screen opens.
- In theNamefield, type a name for the resolver.
- ClickFinished.
When you create an OAuth Server, creating a DNS Resolver with a
forward zone named . (period) is mandatory to forward all requests.
Adding forward
zones to a DNS resolver
Before you begin, gather the IP addresses of the nameservers that
you want to associate with a forward zone.
Add a forward zone to a DNS resolver when you want
the BIG-IP system to forward queries for particular zones to specific nameservers for
resolution in case the resolver does not contain a response to the query.
Creating a forward zone is optional. Without one, a DNS resolver can still make
recursive name queries to the root DNS servers; the virtual servers using the cache
must have a route to the Internet.
When you create an OAuth
Server, creating a DNS Resolver with a forward zone named . (period) is
mandatory.
- On the Main tab, click.The DNS Resolver List screen opens.
- Click the name of the resolver you want to modify.The properties screen opens.
- On the menu bar, clickForward Zones.The Forward Zones screen displays.
- Click theAddbutton.You add more than one zone to forward based on the needs of your organization.
- In theNamefield, type the name of a subdomain or type the fully qualified domain name (FQDN) of a forward zone.To forward all requests (such as when creating an OAuth server), specify . (period) as the name.For example, eitherexampleorsite.example.comwould be valid zone names.
- Add one or more nameservers:
- In theAddressfield, type the IP address of a DNS nameserver that is considered authoritative for this zone.Based on your network configuration, add IPv4 or IPv6 addresses, or both.
- ClickAdd.The address is added to the list.
The order of nameservers in the configuration does not impact which nameserver the system selects to forward a query to. - ClickFinished.
Creating a custom HTTP profile for
explicit forward proxy
An HTTP profile defines the way that
you want the BIG-IPsystem to manage HTTP traffic.
To act an explicit
forward proxy, Access Policy Manager (APM) requires a DNS resolver that you select in the HTTP profile.
- On the Main tab, click.The HTTP profile list screen opens.
- ClickCreate.The New HTTP Profile screen opens.
- In theNamefield, type a unique name for the profile.
- From theProxy Modelist, selectExplicit.
- ForParent Profile, retain thehttp-explicitsetting.
- Select theCustomcheck box.
- Scroll down to the Explicit Proxy area.
- From theDNS Resolverlist, select the DNS resolver you configured previously.
- In theTunnel Namefield, you can retain the default value,http-tunnel, or type the name of a tunnel if you created one.APM requires a tunnel with tcp-forward encapsulation to support SSL traffic for explicit forward proxy.
- From theDefault Connect Handlinglist, retain the default settingDeny.Any CONNECT traffic goes through the tunnel to the virtual server that most closely matches the traffic; if there is no match, the traffic is blocked.
- ClickFinished.
The custom HTTP profile now appears
in the HTTP profile list screen.
Creating a virtual
server as the forward proxy for Network Access traffic
Before you begin, you need to know the name of the connectivity profile specified in
the virtual server for the Network Access configuration that you want to protect with
Access Policy Manager (APM) acting as an explicit forward proxy.
You specify a virtual server to process forward
proxy traffic. This virtual server must listen on the secure connectivity interface that
is specified on the virtual server through which network access clients connect. This
virtual server is also the one that network access resources must specify as the client
proxy server.
Use this virtual server for forward proxy traffic only. You
should not try to use it for reverse proxy, or add a pool to it.
- On the Main tab, click.The Virtual Server List screen opens.
- ClickCreate.The New Virtual Server screen opens.
- In theNamefield, type a unique name for the virtual server.
- In theDestination Address/Maskfield, type the IP address for a host virtual server.This field accepts an address in CIDR format (IP address/prefix). However, when you type the complete IP address for a host, you do not need to type a prefix after the address.Type a destination address in this format:162.160.15.20.
- In theService Portfield, type the port number to use for forward proxy traffic.Typically, the port number is3128or8080.
- From theConfigurationlist, selectAdvanced.
- From theHTTP Profilelist, select the HTTP profile you configured earlier.
- Scroll down to theVLAN and Tunnel Trafficsetting and selectEnabled on.
- For theVLANs and Tunnelssetting, move the secure connectivity interface to theSelectedlist.
- From theSource Address Translationlist, selectAuto Map.
- In the Access Policy area, from theAccess Profilelist, select the access profile that you configured earlier.
- In the Access Policy area, from thePer-Request Policylist, select the policy that you configured earlier.
- ClickFinished.
Creating a wildcard virtual server for HTTP tunnel traffic
You configure a virtual server to process web traffic coming in on the HTTP tunnel
from the explicit forward-proxy virtual server.
- On the Main tab, click.The Virtual Server List screen opens.
- ClickCreate.The New Virtual Server screen opens.
- In theNamefield, type a unique name for the virtual server.
- In theDestination Address/Maskfield, type0.0.0.0to accept any IPv4 traffic.
- In theService Portfield, type80, or selectHTTPfrom the list.
- From theConfigurationlist, selectAdvanced.
- From theHTTP Profile (Client)list, select a previously-created HTTP/2 profile for client-side traffic.
- Scroll down to theVLAN and Tunnel Trafficsetting and selectEnabled on.
- For theVLANs and Tunnelssetting, move the tunnel to theSelectedlist.The tunnel name must match the tunnel specified in the HTTP profile for the forward proxy virtual server. The default tunnel ishttp-tunnel.
- From theSource Address Translationlist, selectAuto Map.
- Scroll down to thePort Translationsetting and clear theEnabledcheck box.
- In the Access Policy area, from theAccess Profilelist, select the access profile that you configured earlier.
- In the Access Policy area, from thePer-Request Policylist, select the policy that you configured earlier.
- ClickFinished.
Creating a custom Client SSL forward proxy profile
You perform this task to create a Client SSL forward proxy profile that makes it
possible for client and server authentication while still allowing the BIG-IP system to perform data optimization, such as decryption
and encryption. This profile applies to client-side SSL forward proxy traffic
only.
- On the Main tab, click.The Client SSL profile list screen opens.
- ClickCreate.The New Client SSL Profile screen opens.
- In theNamefield, type a unique name for the profile.
- From theParent Profilelist, selectclientssl.
- From theSSL Forward Proxylist, selectAdvanced.
- Select theCustomcheck box for the SSL Forward Proxy area.
- Modify the SSL Forward Proxy settings.
- From theSSL Forward Proxylist, selectEnabled.
- From theCA Certificatelist, select a certificate.If the BIG-IP system is part of a DSC Sync-Failover group, always select a non-default certificate name, and ensure that this same certificate name is specified in every instance of this SSL profile in the device group. Taking these actions helps to ensure that SSL handshakes are successful after a failover event.
- From theCA Keylist, select a key.If the BIG-IP system is part of a DSC Sync-Failover group, always select a non-default key name, and ensure that this same key name is specified in every instance of this SSL profile in the device group. Taking these actions helps to ensure that SSL handshakes are successful after a failover event.
- In theCA Passphrasefield, type a passphrase.
- In theConfirm CA Passphrasefield, type the passphrase again.
- In theCertificate Lifespanfield, type a lifespan for the SSL forward proxy certificate in days.
- From theCertificate Extensionslist, selectExtensions List.
- For theCertificate Extensions Listsetting, select the extensions that you want in theAvailable extensionsfield, and move them to theEnabled Extensionsfield using theEnablebutton.
- Select theCache Certificate by Addr-Portcheck box if you want to cache certificates by IP address and port number.
- From theSSL Forward Proxy Bypasslist, selectEnabled.Additional settings display.
- From theBypass Default Actionlist, selectInterceptorBypass.The default action applies to addresses and hostnames that do not match any entry specified in the lists that you specify. The system matches traffic first against destination IP address lists, then source IP address lists, and lastly, hostname lists. Within these, the default action also specifies whether to search the intercept list or the bypass list first.If you selectBypassand do not specify any additional settings, you introduce a security risk to your system.
- ClickFinished.
The custom Client SSL forward proxy profile now appears in the Client SSL profile
list screen.
Creating a custom Server SSL profile
Create a custom server SSL profile to support SSL forward proxy.
- On the Main tab, click.The Server SSL profile list screen opens.
- ClickCreate.The New Server SSL Profile screen opens.
- In theNamefield, type a unique name for the profile.
- ForParent Profile, retain the default selection,serverssl.
- Select theProxy SSLcheck box (the rest of the UI will collapse following this setting).
- Optionally, select theProxy SSL Passthroughcheck box.This option is often not needed. Review the Knowledge Center article K13385: Overview of the Proxy SSL feature for guidelines on when to enable this setting and its implications.
- Configure theCertificateandKeyusing the identical Certificate and Key details configured on the server.Import the details to the BIG-IP system prior to configuringProxy SSL.
- ClickFinished.
The custom Server SSL profile is now listed in the SSL Server profile list.
Creating a wildcard virtual server for SSL traffic on the HTTP tunnel
If you do not have existing client SSL and server SSL profiles that you want to use,
configure them before you start.
You configure a virtual server to process SSL web traffic coming in on the HTTP
tunnel from the forward proxy virtual server.
- On the Main tab, click.The Virtual Server List screen opens.
- ClickCreate.The New Virtual Server screen opens.
- In theNamefield, type a unique name for the virtual server.
- In theDestination Address/Maskfield, type0.0.0.0to accept any IPv4 traffic.
- In theService Portfield, type443or selectHTTPSfrom the list.
- From theConfigurationlist, selectAdvanced.
- From theHTTP Profile (Client)list, select a previously-created HTTP/2 profile for client-side traffic.
- For theSSL Profile (Client)setting, from theAvailablelist, select the name of the Client SSL forward proxy profile you previously created, and using the Move button, move the name to theSelectedlist.To enable SSL forward proxy functionality, you can either:
- Disassociate existing Client SSL and Server SSL profiles from a virtual server and configure the SSL Forward Proxy settings.
- Create new Client SSL and Server SSL profiles and configure the SSL Forward Proxy settings.
Then with either option, select the Client SSL and Server SSL profiles on a virtual server. You cannot modify existing Client SSL and Server SSL profiles while they are selected on a virtual server to enable SSL forward proxy functionality. - For theSSL Profile (Server)setting, from theAvailablelist, select the name of the Server SSL forward proxy profile you previously created, and using the Move button, move the name to theSelectedlist.To enable SSL forward proxy functionality, you can either:
- Disassociate existing Client SSL and Server SSL profiles from a virtual server and configure the SSL Forward Proxy settings.
- Create new Client SSL and Server SSL profiles and configure the SSL Forward Proxy settings.
Then with either option, select the Client SSL and Server SSL profiles on a virtual server. You cannot modify existing Client SSL and Server SSL profiles while they are selected on a virtual server to enable SSL forward proxy functionality. - Scroll down to theVLAN and Tunnel Trafficsetting and selectEnabled on.
- For theVLANs and Tunnelssetting, move the tunnel to theSelectedlist.The tunnel name must match the tunnel specified in the HTTP profile for the forward proxy virtual server. The default tunnel ishttp-tunnel.
- From theSource Address Translationlist, selectAuto Map.
- Scroll down to thePort Translationsetting and clear theEnabledcheck box.
- For theAddress Translationsetting, clear theEnabledcheck box.
- In the Access Policy area, from theAccess Profilelist, select the access profile that you configured earlier.
- In the Access Policy area, from thePer-Request Policylist, select the policy that you configured earlier.
- ClickFinished.
Updating the access policy in the remote access configuration
Add queries to the access policy to populate any session variables that are required
for successful execution of the per-request policy.
Class lookup or group lookup items in a per-request policy rely on
session variables that can only be populated in this access policy.
- On the Main tab, click.The Access Profiles (Per-Session Policies) screen opens.
- Click the name of the access profile that you want to edit.The properties screen opens.
- In the General Properties area, click theEdit Access Policy for Profilelink.profile_nameThe visual policy editor opens the access policy in a separate screen.
- Click the(+)icon anywhere in the access policy to add a new item.Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type.A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
- To supply LDAP group information for use in the per-request policy, add an LDAP Query item anywhere in the policy and configure its properties:
- From theServerlist, select an AAA LDAP server.An LDAP Query uses SSL connections when you select an LDAP AAA server that is configured for LDAPS.
- Specify theSearchDN, andSearchFiltersettings.SearchDN is the base DN from which the search is done.
- ClickSave.
This item populates thesession.ldap.last.attr.memberOfsession variable. - To supply Active Directory groups for use in the per-request policy, add an AD Query item anywhere in the policy and configure its properties:
- From theServerlist, select an AAA AD server.
- Select theFetch Primary Groupcheck box.The value of the primary user group populates thesession.ad.last.attr.primaryGroupIDsession variable.
- ClickSave.
- To supply RADIUS class attributes for use in the per-request policy, add a RADIUS Auth item anywhere in the policy and configure its properties:
- From theServerlist, select an AAA RADIUS server.
- ClickSave.
This item populates thesession.radius.last.attr.classsession variable. - To supply local database groups for use in the per-request policy, add a Local Database item anywhere in the policy and configure its properties:
- From theLocalDB Instancelist, select a local user database.
- In theUser Namefield, retain the default session variable.
- ClickAdd new entryA new line is added to the list of entries with the Action set toReadand other default settings.
- In the Destination columnSession Variablefield, typesession.localdb.groups.If you type a name other thansession.localdb.groups, note it. You will need it when you configure the per-request access policy.
- In the Source column from theDB Propertylist, selectgroups.
- ClickSave.
This item populates thesession.localdb.groupssession variable.
The access policy is configured to support the per-request policy.
Click the
Apply Access
Policy
link to apply and activate your changes to this access policy.
To ensure that logging is configured to meet your requirements, verify the log settings for the access profile.
Configuring a
Network Access resource to forward traffic
You must create a Network Access resource, or open an
existing resource, before you can perform this task.
Configure a Network Access resource to forward
traffic to the virtual server you configured for explicit forward proxy traffic so that
Access Policy Manager (APM) can act as the explicit forward proxy.
- On the Main tab, click.The Network Access Lists screen opens.
- In the Name column, click the name of the network access resource you want to edit.
- On the menu bar, clickNetwork Settings.
- ForClient Settings, selectAdvanced.
- Scroll down and selectClient Proxy Settings.Additional settings display.
- If theTraffic Optionssetting specifiesForce all traffic through tunnel, configure these additional settings:
- In theClient Proxy Addressfield, type the IP address of the explicit forward proxy virtual server.
- In theClient Proxy Portfield, type the port number of the explicit forward proxy virtual server.Typically, the port number is3128or8080; it might be different in your configuration.
- If theTraffic Optionssetting specifiesUse split tunneling for traffic, in theClient Proxy Autoconfig Scriptfield, type the URL for a proxy auto-configuration script.
- Click theUpdatebutton.Your changes are saved and the page refreshes.
The Network Access resource is configured to forward traffic to the explicit forward
proxy server.
Implementation result
The configuration in which Access Policy Manager (APM®) acts as
an explicit forward proxy is ready to process web traffic
from network access clients.
About configuration
elements for explicit forward proxy (remote access)
When you configure Access Policy
Manager (APM) to act as an explicit forward proxy
for use by Network Access clients, you might want to understand how these objects fit into the
overall configuration.
- Secure connectivity interface
- In a Network Access configuration, a connectivity profile on the virtual server specifies a secure connectivity interface for traffic from the client. The virtual server configured as the explicit forward proxy server must listen on the secure connectivity interface for traffic from Network Access clients.
- Tunnel
- The virtual server configured as the explicit forward proxy server must specify an HTTP profile that specifies the name of a tunnel of tcp-forward encapsulation type. You can use the default tunnel, http-tunnel, or create another tunnel and use it.
- Per-request policy
- In any APM forward proxy configuration, the determination of whether a user can access a URL must be made in a per-request policy. A per-request policy determines whether to block or allow access to a request based on time or date or group membership or other criteria that you configure.
- Access policies
- The access policy in the Network Access configuration continues to authenticate users, assign resources, and evaluate ACLs, if any. In addition, this access policy must populate any session variables used in the per-request policy. An access profile of theSWG-Explicittype is required in the forward proxy configuration; however, it is not necessary to include any items in the access policy.
Per-request policy items that read session variables
This table lists per-request policy items that read session variables and lists the
access policy items that populate the variables.
Per-request policy item |
Session variable |
Access policy item |
---|---|---|
AD Group Lookup |
session.ad.last.attr.primaryGroupID |
AD Query |
LDAP Group Lookup |
session.ldap.last.attr.memberOf
|
LDAP Query |
LocalDB Group Lookup |
session.localdb.groups
This session variable is a default in the expression for LocalDB
Group Lookup; any session variable in the expression must match the session variable
used in the Local Database action in the access policy. |
Local Database |
RADIUS Class Lookup |
session.radius.last.attr.class |
RADIUS Auth |
Overview: Configuring transparent forward
proxy for remote access
Access Policy Manager (APM) can be configured to
act as a transparent forward proxy to support remote clients that connect using application
access, network access, or portal access.
Using a distinct APM
transparent forward proxy configuration to process traffic from remote clients separately from
a forward proxy configuration used for processing traffic from internal clients provides an
important measure of network security.
Prerequisites for APM
transparent forward proxy for remote access
Before you start to create an Access Policy Manager (APM) transparent forward proxy
configuration to support remote access clients, you must have completed these tasks.
- You must have a working Network Access, Portal Access, or Application Access configuration.
- You need a per-request policy configured for forward proxy.
- On a BIG-IP® system with an SWG subscription, you must ensure that the URL database is downloaded. You can also configure any URL filters that you want to use in addition to, or instead of, the default URL filters.
- On a BIG-IP® system without an SWG subscription, if you want to designate only a few URLs for specific handling, you probably do not need to configure user-defined URL categories and filters. However, if you need to control access to many URLs, for better performance and ease-of-use you should configure user-defined URL categories and filters.
Configuration outline for APM transparent
forward proxy for remote access
Tasks for integrating an Access Policy Manager (APM) remote access configuration with a transparent forward proxy configuration for APM
follow this order.
- First, update the existing application access, network access, or portal access configuration to add a secure connectivity profile to the virtual server if one is not already specified.
- Next, create a transparent forward proxy configuration for APM. The per-request policy is part of this configuration.
- Finally, update the access policy in the existing application access, network access, or portal access configuration if needed. If the per-request policy uses group or class lookup items, add queries to the access policy to populate the session variables on which the lookup items rely.
Creating a connectivity profile
You create a connectivity profile to configure client connections.
- On the Main tab, click.A list of connectivity profiles displays.
- ClickAdd.The Create New Connectivity Profile popup screen opens and displays General Settings.
- Type aProfile Namefor the connectivity profile.
- Select aParent Profilefrom the list.APM provides a default profile,connectivity.
- ClickOK.The popup screen closes, and the Connectivity Profile List displays.
The connectivity profile displays in the list.
To provide functionality with a connectivity profile, you
must add the connectivity profile and an access profile to a virtual server.
Adding a connectivity profile to a virtual server
Update a virtual server that is part of an Access
Policy Manager application access, network access, or portal access
configuration to enable a secure connectivity interface for traffic
from the client.
- On the Main tab, click.The Virtual Server List screen opens.
- Click the name of the virtual server you want to modify.
- Scroll down to the Access Policy area.
- From theConnectivity Profilelist, select the connectivity profile.
- ClickUpdateto save the changes.
Creating an access profile for transparent
forward proxy
You create an access profile to supply an access policy.
- On the Main tab, click.The Access Profiles (Per-Session Policies) screen opens.
- ClickCreate.The New Profile screen opens.
- In theNamefield, type a name for the access profile.An access profile name must be unique among all per-session profile and per-request policy names.
- From theProfile Typelist, selectSWG-Transparent.Additional fields display set to default values.
- In the Language Settings area, add and remove accepted languages, and set the default language.A browser uses the highest priority accepted language. If no browser language matches the accepted languages list, the browser uses the default language.
- ClickFinished.The Access Profiles list screen displays.
The access profile displays in the Access Profiles
List. Default-log-setting is assigned to the access profile.
You do not need to add any actions or make any changes to the access policy.
Creating a wildcard virtual server for HTTP traffic on the connectivity interface
Before you begin, you need to know
the name of the connectivity profile specified in the virtual server for the remote
access configuration that you want Access Policy Manager (APM) to protect.
You configure a virtual server to process web traffic on the secure connectivity
interface for a remote access client.
- On the Main tab, click.The Virtual Server List screen opens.
- ClickCreate.The New Virtual Server screen opens.
- In theNamefield, type a unique name for the virtual server.
- In theDestination Address/Maskfield, type0.0.0.0to accept any IPv4 traffic.
- In theService Portfield, type80, or selectHTTPfrom the list.
- From theConfigurationlist, selectAdvanced.
- From theHTTP Profile (Client)list, select a previously-created HTTP/2 profile for client-side traffic.
- Scroll down to theVLAN and Tunnel Trafficsetting and selectEnabled on.
- For theVLANs and Tunnelssetting, move the secure connectivity interface to theSelectedlist.
- From theSource Address Translationlist, selectAuto Map.
- Scroll down to thePort Translationsetting and clear theEnabledcheck box.
- In the Access Policy area, from theAccess Profilelist, select the access profile that you configured earlier.
- In the Access Policy area, from thePer-Request Policylist, select the policy that you configured earlier.
- ClickFinished.
Creating a custom Client SSL forward proxy profile
You perform this task to create a Client SSL forward proxy profile that makes it
possible for client and server authentication while still allowing the BIG-IP system to perform data optimization, such as decryption
and encryption. This profile applies to client-side SSL forward proxy traffic
only.
- On the Main tab, click.The Client SSL profile list screen opens.
- ClickCreate.The New Client SSL Profile screen opens.
- In theNamefield, type a unique name for the profile.
- From theParent Profilelist, selectclientssl.
- From theSSL Forward Proxylist, selectAdvanced.
- Select theCustomcheck box for the SSL Forward Proxy area.
- Modify the SSL Forward Proxy settings.
- From theSSL Forward Proxylist, selectEnabled.
- From theCA Certificatelist, select a certificate.If the BIG-IP system is part of a DSC Sync-Failover group, always select a non-default certificate name, and ensure that this same certificate name is specified in every instance of this SSL profile in the device group. Taking these actions helps to ensure that SSL handshakes are successful after a failover event.
- From theCA Keylist, select a key.If the BIG-IP system is part of a DSC Sync-Failover group, always select a non-default key name, and ensure that this same key name is specified in every instance of this SSL profile in the device group. Taking these actions helps to ensure that SSL handshakes are successful after a failover event.
- In theCA Passphrasefield, type a passphrase.
- In theConfirm CA Passphrasefield, type the passphrase again.
- In theCertificate Lifespanfield, type a lifespan for the SSL forward proxy certificate in days.
- From theCertificate Extensionslist, selectExtensions List.
- For theCertificate Extensions Listsetting, select the extensions that you want in theAvailable extensionsfield, and move them to theEnabled Extensionsfield using theEnablebutton.
- Select theCache Certificate by Addr-Portcheck box if you want to cache certificates by IP address and port number.
- From theSSL Forward Proxy Bypasslist, selectEnabled.Additional settings display.
- From theBypass Default Actionlist, selectInterceptorBypass.The default action applies to addresses and hostnames that do not match any entry specified in the lists that you specify. The system matches traffic first against destination IP address lists, then source IP address lists, and lastly, hostname lists. Within these, the default action also specifies whether to search the intercept list or the bypass list first.If you selectBypassand do not specify any additional settings, you introduce a security risk to your system.
- ClickFinished.
The custom Client SSL forward proxy profile now appears in the Client SSL profile
list screen.
Creating a custom Server SSL profile
Create a custom server SSL profile to support SSL forward proxy.
- On the Main tab, click.The Server SSL profile list screen opens.
- ClickCreate.The New Server SSL Profile screen opens.
- In theNamefield, type a unique name for the profile.
- ForParent Profile, retain the default selection,serverssl.
- Select theProxy SSLcheck box (the rest of the UI will collapse following this setting).
- Optionally, select theProxy SSL Passthroughcheck box.This option is often not needed. Review the Knowledge Center article K13385: Overview of the Proxy SSL feature for guidelines on when to enable this setting and its implications.
- Configure theCertificateandKeyusing the identical Certificate and Key details configured on the server.Import the details to the BIG-IP system prior to configuringProxy SSL.
- ClickFinished.
The custom Server SSL profile is now listed in the SSL Server profile list.
Creating a wildcard virtual server for SSL traffic on the connectivity interface
Before you begin, you need to know the name of the connectivity profile specified in
the virtual server for the remote access configuration that you want Secure Web Gateway
(SWG) to protect. Also, if you do not have existing client SSL and server SSL profiles
that you want to use, configure them before you start.
You configure a virtual server to process SSL web traffic coming in on the secure
connectivity interface for a remote access client.
- On the Main tab, click.The Virtual Server List screen opens.
- ClickCreate.The New Virtual Server screen opens.
- In theNamefield, type a unique name for the virtual server.
- In theDestination Address/Maskfield, type0.0.0.0to accept any IPv4 traffic.
- In theService Portfield, type443or selectHTTPSfrom the list.
- From theConfigurationlist, selectAdvanced.
- From theHTTP Profile (Client)list, select a previously-created HTTP/2 profile for client-side traffic.
- For theSSL Profile (Client)setting, from theAvailablelist, select the name of the Client SSL forward proxy profile you previously created, and using the Move button, move the name to theSelectedlist.To enable SSL forward proxy functionality, you can either:
- Disassociate existing Client SSL and Server SSL profiles from a virtual server and configure the SSL Forward Proxy settings.
- Create new Client SSL and Server SSL profiles and configure the SSL Forward Proxy settings.
Then with either option, select the Client SSL and Server SSL profiles on a virtual server. You cannot modify existing Client SSL and Server SSL profiles while they are selected on a virtual server to enable SSL forward proxy functionality. - For theSSL Profile (Server)setting, from theAvailablelist, select the name of the Server SSL forward proxy profile you previously created, and using the Move button, move the name to theSelectedlist.To enable SSL forward proxy functionality, you can either:
- Disassociate existing Client SSL and Server SSL profiles from a virtual server and configure the SSL Forward Proxy settings.
- Create new Client SSL and Server SSL profiles and configure the SSL Forward Proxy settings.
Then with either option, select the Client SSL and Server SSL profiles on a virtual server. You cannot modify existing Client SSL and Server SSL profiles while they are selected on a virtual server to enable SSL forward proxy functionality. - Scroll down to theVLAN and Tunnel Trafficsetting and selectEnabled on.
- For theVLANs and Tunnelssetting, move the secure connectivity interface to theSelectedlist.
- From theSource Address Translationlist, selectAuto Map.
- Scroll down to thePort Translationsetting and clear theEnabledcheck box.
- For theAddress Translationsetting, clear theEnabledcheck box.
- In the Access Policy area, from theAccess Profilelist, select the access profile that you configured earlier.
- In the Access Policy area, from thePer-Request Policylist, select the policy that you configured earlier.
- ClickFinished.
Updating the access policy in the remote access configuration
Add queries to the access policy to populate any session variables that are required
for successful execution of the per-request policy.
Class lookup or group lookup items in a per-request policy rely on
session variables that can only be populated in this access policy.
- On the Main tab, click.The Access Profiles (Per-Session Policies) screen opens.
- Click the name of the access profile that you want to edit.The properties screen opens.
- In the General Properties area, click theEdit Access Policy for Profilelink.profile_nameThe visual policy editor opens the access policy in a separate screen.
- Click the(+)icon anywhere in the access policy to add a new item.Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type.A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
- To supply LDAP group information for use in the per-request policy, add an LDAP Query item anywhere in the policy and configure its properties:
- From theServerlist, select an AAA LDAP server.An LDAP Query uses SSL connections when you select an LDAP AAA server that is configured for LDAPS.
- Specify theSearchDN, andSearchFiltersettings.SearchDN is the base DN from which the search is done.
- ClickSave.
This item populates thesession.ldap.last.attr.memberOfsession variable. - To supply Active Directory groups for use in the per-request policy, add an AD Query item anywhere in the policy and configure its properties:
- From theServerlist, select an AAA AD server.
- Select theFetch Primary Groupcheck box.The value of the primary user group populates thesession.ad.last.attr.primaryGroupIDsession variable.
- ClickSave.
- To supply RADIUS class attributes for use in the per-request policy, add a RADIUS Auth item anywhere in the policy and configure its properties:
- From theServerlist, select an AAA RADIUS server.
- ClickSave.
This item populates thesession.radius.last.attr.classsession variable. - To supply local database groups for use in the per-request policy, add a Local Database item anywhere in the policy and configure its properties:
- From theLocalDB Instancelist, select a local user database.
- In theUser Namefield, retain the default session variable.
- ClickAdd new entryA new line is added to the list of entries with the Action set toReadand other default settings.
- In the Destination columnSession Variablefield, typesession.localdb.groups.If you type a name other thansession.localdb.groups, note it. You will need it when you configure the per-request access policy.
- In the Source column from theDB Propertylist, selectgroups.
- ClickSave.
This item populates thesession.localdb.groupssession variable.
The access policy is configured to support the per-request policy.
Click the
Apply Access
Policy
link to apply and activate your changes to this access policy.
To ensure that logging is configured to meet your requirements, verify the log settings for the access profile.
Implementation result
A transparent forward proxy configuration is ready to process web traffic from remote access
clients.
About configuration
elements for transparent forward proxy (remote access)
When you configure the BIG-IPsystem so that Access Policy Manager (APM) can act as a transparent forward proxy for use by
remote access clients, you might want to understand how these objects fit into the overall
configuration.
- Secure connectivity interface
- In a remote access configuration, a connectivity profile is required on the virtual server to specify a secure connectivity interface for traffic from the client. In the APM configuration, wildcard virtual servers must listen on the secure connectivity interface for traffic from remote access clients.
- Per-request policy
- In any APM forward proxy configuration, the determination of whether a user can access a URL must be made in a per-request access policy. A per-request access policy determines whether to block or allow access to a request based on time or date or group membership or other criteria that you configure.
- Access policies
- The access policy in the remote access configuration continues to authenticate users, assign resources, and evaluate ACLs, if any. In addition, this access policy must populate any session variables used in the per-request policy. An access profile of theSWG-Transparenttype is required; however, it is not necessary to include any items in the access policy.
Per-request policy items that read session variables
This table lists per-request policy items that read session variables and lists the
access policy items that populate the variables.
Per-request policy item |
Session variable |
Access policy item |
---|---|---|
AD Group Lookup |
session.ad.last.attr.primaryGroupID |
AD Query |
LDAP Group Lookup |
session.ldap.last.attr.memberOf
|
LDAP Query |
LocalDB Group Lookup |
session.localdb.groups
This session variable is a default in the expression for LocalDB
Group Lookup; any session variable in the expression must match the session variable
used in the Local Database action in the access policy. |
Local Database |
RADIUS Class Lookup |
session.radius.last.attr.class |
RADIUS Auth |