Manual Chapter : Interoperability characteristics for forward proxy chaining

Applies To:

BIG-IP APM

  • 16.0.1, 16.0.0

Interoperability characteristics for forward proxy chaining

In a forward proxy chain, Access Policy Manager (APM®) selects the next-hop proxy server and interacts with it and with the resource servers behind it.
A proxy server can be located in the cloud or in another department of an enterprise.
For the BIG-IP system, proxy server, and resource servers behind the proxy server, let's focus on these configuration characteristics.
Forward proxy mode
APM can be configured to act as an explicit or as a transparent forward proxy. The proxy server can also be configured to act as an explicit or as a transparent forward proxy. APM supports any combination of forward proxy modes.
SSL bypass mode
APM can be configured for SSL bypass or SSL intercept. The proxy server can be configured for SSL bypass or SSL intercept. APM supports all combinations of SSL bypass mode.
Authentication
Authentication might be configured on one or more servers:
  • On APM, you can configure no authentication or any type of authentication that APM supports for an SWG-Explicit or SWG-Transparent access profile.
  • On a proxy server, if you have HTTP Basic, NTLM, or Kerberos authentication configured, APM should authenticate to the proxy server. You can also have no authentication configured on the proxy server.
  • On a resource server, if you have HTTP Basic, NTLM, or Kerberos authentication configured, APM should authenticate to the resource server. You can also have no authentication configured on the resource server.
Single sign-on
APM supports these types of SSO configuration to the proxy server or to a resource server: HTTP Basic, NTLMv1, NTLMv2, or Kerberos.
To a large extent, APM supports combinations of these configuration characteristics. However, given the number of possible configuration combinations and the varying capabilities of proxy servers, some configuration constraints can exist. Refer to BIG-IP Access Policy Manager: Secure Web Gateway and to Release Note: BIG-IP APM (for the product version you are using) on the AskF5 web site located at support.f5.com.