Manual Chapter : Interoperability characteristics for forward proxy chaining
Applies To:Show Versions
- 17.1.0, 17.0.0, 16.1.3, 16.1.2, 16.1.1, 16.1.0
Interoperability characteristics for forward proxy chaining
In a forward proxy chain, Access Policy Manager (APM®) selects the next hop proxy server, and interacts with it and resource servers behind it.
A proxy server can be located in the cloud. It can be located in another department of an enterprise.
For the BIG-IP system, proxy server, and resource servers behind the proxy server, let's focus on these configuration characteristics.
- Forward proxy mode
- APM can be configured to act as an explicit or as a transparent forward proxy. The proxy server can be configured to act as explicit or transparent forward proxy. APM supports any combination of forward proxy modes.
- SSL bypass mode
- APM can be configured for SSL bypass or SSL intercept. The proxy server can be configured for SSL bypass or SSL intercept. APM supports all combinations of SSL bypass mode.
- Authentication might be configured on one or more servers:
- On APM, you can configure no authentication or any type of authentication that APM supports for an SWG-Explicit or SWG-Transparent access profile.
- On a proxy server, if you have HTTP Basic, NTLM, or Kerberos authentication configured, APM should authenticate to the proxy server. You can also have no authentication configured on the proxy server.
- On a resource server, if you have HTTP Basic, NTLM, or Kerberos authentication configured, APM should authenticate to the resource server. You can also have no authentication configured on the resource server.
- Single sign-on
- APM supports these types of SSO configuration to the proxy server or to a resource server: HTTP Basic, NTLMv1, NTLMv2, or Kerberos.
To a large extent, APM supports combinations of these configuration characteristics. However, given the number of possible configuration combinations and the varying capabilities of proxy servers, some configuration constraints can exist. Refer to
BIG-IP Access Policy Manager: Secure Web Gatewayand to Release Note: BIG-IP APM (for the product version you are using) on the AskF5™ web site located at