Manual Chapter : Policies for APM as a Secure Web Gateway

Applies To:

Show Versions Show Versions

BIG-IP APM

  • 15.0.0
Manual Chapter

Policies for APM as a Secure Web Gateway

Overview: Controlling forward proxy traffic with APM

On a BIG-IP system with Access Policy Manager (APM®), you can configure per-request policies to control forward proxy access with user-defined URL categories and filters that you have configured.

Task summary

You must have created an explicit or a transparent forward proxy configuration.

Task list

Configuring an access policy for forward proxy with SWG

You configure an access policy to support explicit forward proxy or transparent forward proxy. If you plan to use branching by group or class attribute in your per-request policy, you add items to the access policy to populate that information. You can also add access policy items to collect credentials and to authenticate a user or add access policy items to identify the user transparently.
If you include authentication in your access policy and the first site that a user accesses uses HTTP instead of secure HTTP, passwords are passed as clear text. To prevent this from happening, F5 recommends using Kerberos or NTLM authentication.
  1. On the Main tab, click
    Access
    Profiles / Policies
    .
    The Access Profiles (Per-Session Policies) screen opens.
  2. In the Per-Session Policy column, click the
    Edit
    link for the access profile you want to configure.
    The visual policy editor opens the access policy in a separate screen.
  3. Click the
    (+)
    icon anywhere in the access policy to add a new item.
    Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type.
    A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
  4. If you specified an NTLM Auth configuration in the access profile, verify that authentication succeeded.
    1. On the Authentication tab, select
      NTLM Auth Result
      .
    2. Click
      Add Item
      .
      A properties popup screen opens.
    3. Click
      Save
      .
      The properties screen closes. The policy displays.
  5. To add Kerberos authentication to an access policy for forward proxy, add
    HTTP 407 Response
    (for explicit forward proxy) or
    HTTP 401 Response
    (for transparent forward proxy); then follow it with these actions in order:
    Variable Assign
    , and
    Kerberos Auth
    .
    This example uses
    HTTP 407 Response
    . You can replace it with
    HTTP 401 Response
    .
    In a transparent forward proxy configuration, APM does not support Kerberos request-based authentication
    1. On a policy branch, click the plus symbol
      (+)
      to add an item to the policy.
    2. On the Logon tab, select
      HTTP 407 Response
      and click
      Add Item
      .
      A properties screen opens.
    3. From the
      HTTP Auth Level
      list, select
      negotiate
      and click
      Save
      .
      The properties screen closes.
    4. Click the
      (+)
      icon on the
      negotiate
      branch.
      A popup screen opens.
    5. On the Assignment tab, select
      Variable Assign
      and click
      Add Item
      .
      For Kerberos authentication to work correctly with forward proxy, you must assign the domain name for the proxy virtual server to a session variable.
    6. Click
      Add new entry
      .
      An
      empty
      entry appears in the Assignment table.
    7. Click the
      change
      link in the new entry.
      A popup screen opens.
    8. In the left pane, retain the selection of
      Custom Variable
      and type this variable name:
      session.server.network.name
      .
    9. In the right pane, in place of
      Custom Variable
      , select
      Text
      and type the domain name for the proxy virtual server.
    10. Click
      Finished
      .
      The popup screen closes.
    11. Click
      Save
      .
      The properties screen closes. The policy displays.
    12. On a policy branch, click the plus symbol
      (+)
      to add an item to the policy.
    13. On the Authentication tab, select
      Kerberos Auth
      and click
      Add Item
      .
      A properties screen opens.
    14. From the
      AAA Server
      list, select an existing server.
    15. From the
      Request Based Auth
      list, select
      Disabled
      .
    16. Click
      Save
      .
      The properties screen closes and the policy displays.
    The
    Max Logon Attempts Allowed
    setting specifies attempts by an external client without a Kerberos ticket to authenticate on forward proxy.
  6. To identify a user transparently using information provided by a Secure Web Gateway (SWG) user identification agent, perform these steps:
    For this step of the access policy to succeed, you must have installed and configured either the F5 DC Agent or the F5 Logon Agent. Either agent is supported on a BIG-IP system with an SWG subscription only.
    1. On a policy branch, click the plus symbol
      (+)
      to add an item to the policy.
    2. From the Authentication tab, select
      Transparent Identity Import
      and click
      Add Item
      .
      The transparent identity import access policy item searches the database in the IF-MAP server for the client source IP address. By default, this access policy item has two branches: associated and fallback.
      A properties screen opens.
    3. Click
      Save
      .
      The visual policy editor opens.
    4. Add any additional access policy items to the fallback or associated branches.
      For example, you might add Kerberos authentication on the fallback branch.
  7. To supply LDAP group information for use in the per-request policy, add an LDAP Query item anywhere in the policy and configure its properties:
    1. From the
      Server
      list, select an AAA LDAP server.
      An LDAP Query uses SSL connections when you select an LDAP AAA server that is configured for LDAPS.
    2. Specify the
      SearchDN
      , and
      SearchFilter
      settings.
      SearchDN is the base DN from which the search is done.
    3. Click
      Save
      .
    This item populates the
    session.ldap.last.attr.memberOf
    session variable.
  8. To supply Active Directory groups for use in the per-request policy, add an AD Query item anywhere in the policy and configure its properties:
    1. From the
      Server
      list, select an AAA AD server.
    2. Select the
      Fetch Primary Group
      check box.
      The value of the primary user group populates the
      session.ad.last.attr.primaryGroupID
      session variable.
    3. Click
      Save
      .
  9. To supply RADIUS class attributes for use in the per-request policy, add a RADIUS Auth item anywhere in the policy and configure its properties:
    1. From the
      Server
      list, select an AAA RADIUS server.
    2. Click
      Save
      .
    This item populates the
    session.radius.last.attr.class
    session variable.
  10. Click the
    Apply Access Policy
    link to apply and activate the changes to the policy.

Example policy: User-defined category-specific access control

In this example per-request policy, only recruiters can access URLs in the user-defined category Employment. The policy also restricts access to entertaining videos during business hours.
Category-specific access restrictions (using user-defined categories)

Example policy: URL filter per user group

Each URL Filter Assign item in this per-request policy example needs to specify a filter that applies to the user group.
URL filter based on group membership
Group lookup followed by branches for specific groups and a URL filter assignment for each.

Creating a per-request policy

You can create a per-request policy to ensure greater security on your system.
  1. On the Main tab, click
    Access
    Profiles / Policies
    Per-Request Policies
    .
    The Per-Request Policies screen opens.
  2. Click
    Create
    .
    The General Properties screen opens.
  3. In the
    Name
    field, type a name for the policy.
    A per-request policy name must be unique among all per-request policy and access profile names.
  4. Leave
    Policy Type
    set to
    All
    .
  5. For most cases, leave
    Incomplete Action
    set to
    Deny
    .
  6. In the
    Languages
    setting, select the accepted languages.
  7. Click
    Finished
    .
    The policy name appears on the Per-Request Policies screen.

Applying user-defined URL categories and filters in a per-request policy

This task is for use on a BIG-IP system without an SWG subscription.
Look up the category for a URL request and assign a URL filter that blocks or allows access to control access to the web, based on the category of the URL request.
This task provides the steps for adding items to control web traffic based on the URL category. It does not specify a complete per-request policy.
  1. On the Main tab, click
    Access
    Profiles / Policies
    Per-Request Policies
    .
    The Per-Request Policies screen opens.
  2. In the
    Name
    field, locate the policy that you want to update, then in the
    Per-Request Policy
    field, click the
    Edit
    link.
    The visual policy editor opens in another tab.
  3. On the General Purpose tab, select
    Category Lookup
    item and click
    Add Item
    .
    A popup Properties screen opens.
  4. For
    Categorization Input
    , select an option based on the type of traffic to process:
    • For HTTP traffic, select
      Use HTTP URI (cannot be used for SSL Bypass decisions)
      . If selected, the
      SafeSearch Mode
      field displays set to
      Enabled
      .
    • For SSL-encrypted traffic, select
      Use SNI in Client Hello (if SNI is not available, use Subject.CN)
      or
      Use Subject.CN in Server Cert
      .
    Early in the per-request policy, you can insert a Protocol Lookup agent to provide separate branches for HTTPS and HTTP traffic.
  5. For
    Category Lookup Type
    , you can only retain the default value
    Process custom categories only
    .
    Category Lookup looks through the user-defined categories to compile a list of categories for the URL.
  6. Click
    Save
    .
    The properties screen closes. The visual policy editor displays.
  7. On a branch after a Category Lookup item, add a
    URL Filter Assign
    agent and, in its properties, select a URL filter.
A per-request policy goes into effect when you add it to a virtual server. Depending on the forward proxy configuration, you might need to add the per-request policy to more than one virtual server.

Adding a per-request policy to the virtual server

To add per-request processing to a configuration, associate the per-request policy with the virtual server.
  1. On the Main tab, click
    Local Traffic
    Virtual Servers
    .
    The Virtual Server List screen opens.
  2. Click the name of the virtual server.
  3. In the Access Policy area, from the
    Per-Request Policy
    list, select the policy that you configured earlier.
  4. Click
    Update
    .
The per-request policy is now associated with the virtual server.

Virtual server Access Policy settings for forward proxy

F5 recommends multiple virtual servers for configurations where Access Policy Manager (APM) acts as an explicit or transparent forward proxy. This table lists forward proxy configurations, the virtual servers recommended for each, and whether an access profile and per-request policy should be specified on the virtual server.
Forward proxy
Recommended virtual servers (by purpose)
Specify access profile?
Specify per-request policy?
Explicit
Process HTTP traffic
Yes
Yes
Process HTTPS traffic
Yes
Yes
Reject traffic other than HTTP and HTTPS
N/A
N/A
Transparent Inline
Process HTTP traffic
Yes
Yes
Process HTTPS traffic
Only when a captive portal is also included in the configuration
Only when a captive portal is also included in the configuration
Forward traffic other than HTTP and HTTPS
N/A
N/A
Captive portal
Yes
No
Transparent
Process HTTP traffic
Yes
Yes
Process HTTPS traffic
Only when a captive portal is also included in the configuration
Only when a captive portal is also included in the configuration
Captive portal
Yes
No