Manual Chapter : SSL Bypass and Intercept with APM

Applies To:

Show Versions Show Versions

BIG-IP APM

  • 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
Manual Chapter

SSL Bypass and Intercept with APM

Overview: Bypassing SSL forward proxy traffic with APM

On a BIG-IP® system that supports SSL forward proxy, you can create an explicit or transparent forward proxy configuration that supports bypassing SSL forward proxy traffic. The key points of the configuration are that, on the virtual server that processes SSL traffic, the server and client SSL profiles must enable SSL forward proxy and SSL forward proxy bypass; the client SSL profile must set the default bypass action to
Intercept
.
An Access Policy Manager (APM) per-request policy can be configured to determine whether to intercept or bypass the SSL traffic.

Task summary

Before you start, you must have configured an explicit or transparent forward proxy configuration that supports bypassing SSL forward proxy traffic.

Task list

Example policy: SSL forward proxy bypass

SSL bypass decision based on group membership and URL category
policy with protocol lookup, group lookup, category lookup, and ssl bypass set
1
SSL traffic exits on the HTTPS branch of Protocol Lookup.
2
A lookup type item, such as LocalDB Group Lookup, identifies users in a group, Directors.
3
With SSL Bypass Set, any SSL request on the Directors branch is not intercepted or inspected.
4
Category Lookup processes HTTPS traffic when configured to use SNI or Subject.CN input.
Finance or Govt is a standard URL category that SWG maintains on a system with an SWG subscription. User-defined URL categories can provide an alternative on systems without an SWG subscription.
5
For users in a group other than Directors, bypass only requests that contain private information (determined through Category Lookup).
6
SSL traffic processing is complete. Now is the time to start processing HTTP data with actions that inspect the SSL payload. Using data provided by Category Lookup, URL Filter Assign item determines whether to allow or block traffic.
(For this example to be valid, both the server and client SSL profiles on the virtual server must enable SSL forward proxy and SSL forward proxy bypass; the client SSL profile must set the default bypass action to
Intercept
.)

Creating a per-request policy

You must create a per-request policy before you can configure it in the visual policy editor.
  1. On the Main tab, click
    Access
    Profiles / Policies
    Per-Request Policies
    .
    The Per-Request Policies screen opens.
  2. Click
    Create
    .
    The General Properties screen opens.
  3. In the
    Name
    field, type a name for the policy and click
    Finished
    .
    A per-request policy name must be unique among all per-request policy and access profile names.
    The policy name appears on the Per-Request Policies screen.

Processing SSL traffic in a per-request policy

To use SSL forward proxy bypass in a per-request policy, both the server and client SSL profile must enable SSL forward proxy and SSL forward proxy bypass; and, in the client SSL profile, the default bypass action must be set to
Intercept
.
Configure a per-request policy so that it completes processing of HTTPS requests before it starts the processing of HTTP requests.
These steps describe how to add items for controlling SSL web traffic to a per-request policy; the steps do not specify a complete per-request policy.
  1. On the Main tab, click
    Access
    Profiles / Policies
    Per-Request Policies
    .
    The Per-Request Policies screen opens.
  2. In the
    Name
    field, locate the policy that you want to update, then in the
    Per-Request Policy
    field, click the
    Edit
    link.
    The visual policy editor opens in another tab.
  3. To process the HTTPS traffic first, configure a branch for it by adding a
    Protocol Lookup
    item at the start of the per-request policy.
    1. Click the
      (+)
      icon anywhere in the per-request policy to add a new item.
      A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
    2. In the Search field, type
      prot
      , select
      Protocol Lookup
      , and click
      Add Item
      .
      A properties popup screen opens.
    3. Click
      Save
      .
      The properties screen closes. The policy displays.
    The Protocol Lookup item provides two default branches: HTTPS for SSL traffic and fallback.
  4. Before you add an SSL Bypass Set, or an SSL Intercept Set, item to the per-request policy, you can insert any of the following policy items to do logging or to base how you process the SSL traffic on group membership, class attribute, day of the week, time of day, or URL category:
    • AD Group Lookup
    • LDAP Group Lookup
    • LocalDB Group Lookup
    • RADIUS Class Lookup
    • Dynamic Date Time
    • Logging
    • Category Lookup
      Category Lookup is valid for processing SSL traffic only when configured for SNI or Subject.CN categorization input and only before any HTTP traffic is processed.
    If you insert other policy items that inspect the SSL payload (HTTP data) before an SSL Bypass Set item, the SSL bypass cannot work as expected.
  5. At any point on the HTTPS branch where you decide to bypass SSL traffic, add an
    SSL Bypass Set
    item.
The per-request policy includes items that you can use to complete the processing of SSL traffic. Add other items to the policy to control access according to your requirements.
A per-request policy goes into effect when you add it to a virtual server. Depending on the forward proxy configuration, you might need to add the per-request policy to more than one virtual server.

Adding a per-request policy to the virtual server

To add per-request processing to a configuration, associate the per-request policy with the virtual server.
  1. On the Main tab, click
    Local Traffic
    Virtual Servers
    .
    The Virtual Server List screen opens.
  2. Click the name of the virtual server.
  3. In the Access Policy area, from the
    Per-Request Policy
    list, select the policy that you configured earlier.
  4. Click
    Update
    .
The per-request policy is now associated with the virtual server.

Virtual server Access Policy settings for forward proxy

F5 recommends multiple virtual servers for configurations where Access Policy Manager (APM) acts as an explicit or transparent forward proxy. This table lists forward proxy configurations, the virtual servers recommended for each, and whether an access profile and per-request policy should be specified on the virtual server.
Forward proxy
Recommended virtual servers (by purpose)
Specify access profile?
Specify per-request policy?
Explicit
Process HTTP traffic
Yes
Yes
Process HTTPS traffic
Yes
Yes
Reject traffic other than HTTP and HTTPS
N/A
N/A
Transparent Inline
Process HTTP traffic
Yes
Yes
Process HTTPS traffic
Only when a captive portal is also included in the configuration
Only when a captive portal is also included in the configuration
Forward traffic other than HTTP and HTTPS
N/A
N/A
Captive portal
Yes
No
Transparent
Process HTTP traffic
Yes
Yes
Process HTTPS traffic
Only when a captive portal is also included in the configuration
Only when a captive portal is also included in the configuration
Captive portal
Yes
No

About the SSL Bypass Set and SSL Intercept Set process

For SSL bypass or SSL intercept actions, Access Policy Manager (APM) forwards the client hello directly to the server. The client and server then negotiate SSL parameters. This must occur before any per-request policy item inspects the SSL payload (HTTP data). Everything that the policy does before an SSL Bypass Set or SSL Intercept Set policy item must operate either on SSL data (certificate or client hello) or on session data (which is not part of SSL payload).

About SSL Bypass Set and SSL Intercept Set and the order of policy items

To ensure that SSL Bypass Set and SSL Intercept Set work correctly, do not place them in a per-request policy after any of these items:
  • Application Lookup
  • Application Filter Assign
  • Category Lookup, if configured to use HTTP URI for input
  • HTTP Headers
  • Proxy Select
  • Select SSO Configuration
  • URL Filter Assign