Manual Chapter: SSL Bypass and Intercept with APM
Applies to: BIG-IP APM 17.1.2, 17.1.1, 17.1.0
Overview: Bypassing SSL forward proxy traffic with APM
On a BIG-IP system that supports SSL forward proxy, you can create an explicit or transparent forward proxy configuration that supports bypassing SSL forward proxy traffic. The key points of the configuration are that, on the virtual server that processes SSL traffic, the server and client SSL profiles must enable SSL forward proxy and SSL forward proxy bypass, and the client SSL profile must set the default bypass action to Intercept. An Access Policy Manager (APM®) per-request policy can then be configured to determine whether to intercept or bypass the SSL traffic.
Task summary
Before you start, you must have configured an explicit or transparent forward proxy
configuration that supports bypassing SSL forward proxy traffic.
Example policy: SSL forward proxy bypass
1. SSL traffic exits on the HTTPS branch of Protocol Lookup.
2. A lookup type item, such as LocalDB Group Lookup, identifies users in a group, Directors.
3. With SSL Bypass Set, any SSL request on the Directors branch is not intercepted or inspected.
4. Category Lookup processes HTTPS traffic when configured to use SNI or Subject.CN input. Finance or Govt is a standard URL category that SWG maintains on a system with an SWG subscription. User-defined URL categories can provide an alternative on systems without an SWG subscription.
5. For users in a group other than Directors, bypass only requests that contain private information (determined through Category Lookup).
6. SSL traffic processing is complete. Now is the time to start processing HTTP data with actions that inspect the SSL payload. Using data provided by Category Lookup, the URL Filter Assign item determines whether to allow or block traffic.
(For this example to be valid, both the server and client SSL profiles on the virtual server must enable SSL forward proxy and SSL forward proxy bypass; the client SSL profile must set the default bypass action to Intercept.)
Creating a per-request policy
You can create a per-request policy to ensure
greater security on your system.
- On the Main tab, click. The Per-Request Policies screen opens.
- Click Create. The General Properties screen opens.
- In the Name field, type a name for the policy. A per-request policy name must be unique among all per-request policy and access profile names.
- Leave Policy Type set to All.
- For most cases, leave Incomplete Action set to Deny.
- For the Customization Type, use the default value Modern.
- In the Languages setting, select the accepted languages.
- Click Finished. The policy name appears on the Per-Request Policies screen.
Processing SSL traffic in a per-request policy
To use SSL forward proxy bypass in a per-request policy, both the server and client SSL profiles must enable SSL forward proxy and SSL forward proxy bypass, and, in the client SSL profile, the default bypass action must be set to Intercept. Configure a per-request policy so that it completes processing of HTTPS requests before it starts the processing of HTTP requests.
These steps describe
how to add items for controlling SSL web traffic to a per-request policy; the steps
do not specify a complete per-request policy.
- On the Main tab, click. The Per-Request Policies screen opens.
- In the Name field, locate the policy that you want to update, then in the Per-Request Policy field, click the Edit link. The visual policy editor opens in another tab.
- To process the HTTPS traffic first, configure a branch for it by adding a Protocol Lookup item at the start of the per-request policy.
  - Click the (+) icon anywhere in the per-request policy to add a new item. A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
  - In the Search field, type prot, select Protocol Lookup, and click Add Item. A properties popup screen opens.
  - Click Save. The properties screen closes. The policy displays.
  The Protocol Lookup item provides two default branches: HTTPS for SSL traffic and fallback.
- Before you add an SSL Bypass Set, or an SSL Intercept Set, item to the per-request policy, you can insert any of the following policy items to do logging or to base how you process the SSL traffic on group membership, class attribute, day of the week, time of day, or URL category:
  - AD Group Lookup
  - LDAP Group Lookup
  - LocalDB Group Lookup
  - RADIUS Class Lookup
  - Dynamic Date Time
  - Logging
  - Category Lookup. Category Lookup is valid for processing SSL traffic only when configured for SNI or Subject.CN categorization input and only before any HTTP traffic is processed.
  If you insert other policy items that inspect the SSL payload (HTTP data) before an SSL Bypass Set item, the SSL bypass cannot work as expected.
- At any point on the HTTPS branch where you decide to bypass SSL traffic, add an SSL Bypass Set item.
The per-request policy includes items
that you can use to complete the processing of SSL traffic. Add other items to the
policy to control access according to your requirements.
A per-request policy goes into effect when you add it to a virtual server.
Depending on the forward proxy configuration, you might need to add the per-request
policy to more than one virtual server.
Adding a per-request policy to the virtual server
To add per-request processing to a configuration, associate the
per-request policy with the virtual server.
- On the Main tab, click. The Virtual Server List screen opens.
- Click the name of the virtual server.
- In the Access Policy area, from the Per-Request Policy list, select the policy that you configured earlier.
- Click Update.
The per-request policy is now associated with the virtual server.
Virtual server Access Policy settings for forward proxy
F5 recommends multiple virtual servers for configurations where Access
Policy Manager (APM) acts as an explicit or transparent forward
proxy. This table lists forward proxy configurations, the virtual servers recommended for each,
and whether an access profile and per-request policy should be specified on the virtual
server.
| Forward proxy | Recommended virtual servers (by purpose) | Specify access profile? | Specify per-request policy? |
|---|---|---|---|
| Explicit | Process HTTP traffic | Yes | Yes |
| | Process HTTPS traffic | Yes | Yes |
| | Reject traffic other than HTTP and HTTPS | N/A | N/A |
| Transparent Inline | Process HTTP traffic | Yes | Yes |
| | Process HTTPS traffic | Only when a captive portal is also included in the configuration | Only when a captive portal is also included in the configuration |
| | Forward traffic other than HTTP and HTTPS | N/A | N/A |
| | Captive portal | Yes | No |
| Transparent | Process HTTP traffic | Yes | Yes |
| | Process HTTPS traffic | Only when a captive portal is also included in the configuration | Only when a captive portal is also included in the configuration |
| | Captive portal | Yes | No |
About the SSL Bypass Set process
For SSL bypass actions, Access Policy Manager (APM) forwards the client hello directly to the server. The client and server then negotiate SSL parameters. This must occur before any per-request policy item inspects the SSL payload (HTTP data). Everything that the policy does before an SSL Bypass Set policy item must operate either on SSL data (certificate or client hello) or on session data (which is not part of SSL payload).
About SSL Bypass Set and the order of policy items
To ensure that SSL Bypass Set works correctly, do not place it in a per-request policy after any of these items:
- Application Lookup
- Application Filter Assign
- Category Lookup, if configured to use HTTP URI for input
- HTTP Headers
- Proxy Select
- Select SSO Configuration
- URL Filter Assign
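The ordering rule above, together with the SNI/Subject.CN restriction on Category Lookup and the example policy at the start of this chapter, can be checked mechanically. The following is an added example, not F5's own code or any BIG-IP API: it models one path through the HTTPS branch of a per-request policy as an ordered list of item names taken from this chapter, lints that order against the chapter's rules, and walks the example policy (Directors bypass; other users bypass only Finance or Govt sites; everything else is intercepted) for a request. The request fields, the group name Staff, and the SNI-to-category table are constructed for the example.

```python
"""Added example, not F5's own code: a small model of the HTTPS branch of an
APM per-request policy. lint_path() encodes this chapter's ordering rules
(which items may precede SSL Bypass Set), and decide() walks the chapter's
example policy for one HTTPS request. Item names are taken from the chapter;
the request fields, group names other than Directors, and the SNI-to-category
table are constructed for the example."""

from dataclasses import dataclass
from typing import Optional

# Items the chapter lists as inspecting the SSL payload (HTTP data). That data
# only exists after interception, so they must not precede SSL Bypass Set.
PAYLOAD_INSPECTING = {
    "Application Lookup", "Application Filter Assign", "HTTP Headers",
    "Proxy Select", "Select SSO Configuration", "URL Filter Assign",
}
# Items the chapter says may precede SSL Bypass Set: they use only handshake
# data (certificate, client hello) or session data.
SESSION_SAFE = {
    "Protocol Lookup", "AD Group Lookup", "LDAP Group Lookup",
    "LocalDB Group Lookup", "RADIUS Class Lookup", "Dynamic Date Time", "Logging",
}
# Category Lookup is valid before the SSL decision only with these inputs.
CATEGORY_SSL_INPUTS = {"SNI", "Subject.CN"}
SSL_DECISION = {"SSL Bypass Set", "SSL Intercept Set"}


@dataclass(frozen=True)
class Item:
    name: str
    category_input: Optional[str] = None   # used only by Category Lookup


def lint_path(items: list) -> list:
    """Check one path through the HTTPS branch, in policy order. Returns the
    list of problems found before the first SSL Bypass Set / SSL Intercept Set
    item; an empty list means the chapter's ordering rules are satisfied."""
    problems = []
    for pos, item in enumerate(items):
        if item.name in SSL_DECISION:
            break                      # items after the SSL decision may inspect HTTP data
        if item.name in PAYLOAD_INSPECTING:
            problems.append(f"{item.name} (position {pos}) inspects HTTP data "
                            "before the SSL Bypass Set or SSL Intercept Set item")
        elif item.name == "Category Lookup":
            if item.category_input not in CATEGORY_SSL_INPUTS:
                problems.append(f"Category Lookup (position {pos}) uses "
                                f"{item.category_input!r} input; only SNI or "
                                "Subject.CN are valid before the SSL decision")
        elif item.name not in SESSION_SAFE:
            problems.append(f"{item.name} (position {pos}) is not listed as "
                            "safe before the SSL decision")
    return problems


# Constructed stand-in for what Category Lookup (SNI input) would return from
# the URL category database; Finance and Govt are the categories in the example.
SNI_CATEGORY = {
    "bank.example.com": "Finance",
    "tax.example.gov": "Govt",
    "news.example.com": "News",
}


@dataclass(frozen=True)
class HttpsRequest:
    user_groups: frozenset
    sni: str


def decide(req: HttpsRequest) -> str:
    """Walk the chapter's example policy for one HTTPS request and return
    'bypass' or 'intercept'. Only group membership and SNI are consulted,
    so the decision is made before any HTTP data would be needed."""
    if "Directors" in req.user_groups:
        return "bypass"            # item 3: SSL Bypass Set on the Directors branch
    category = SNI_CATEGORY.get(req.sni, "Uncategorized")   # item 4: Category Lookup (SNI)
    if category in {"Finance", "Govt"}:
        return "bypass"            # item 5: bypass only private-information requests
    return "intercept"             # item 6: intercept; URL Filter Assign then sees HTTP data


# The example policy's two paths, plus a misordered variant for the linter.
DIRECTORS_PATH = [Item("Protocol Lookup"), Item("LocalDB Group Lookup"),
                  Item("SSL Bypass Set")]
PRIVATE_INFO_PATH = [Item("Protocol Lookup"), Item("LocalDB Group Lookup"),
                     Item("Category Lookup", "SNI"), Item("SSL Bypass Set")]
MISORDERED_PATH = [Item("Protocol Lookup"), Item("Category Lookup", "HTTP URI"),
                   Item("URL Filter Assign"), Item("SSL Bypass Set")]

if __name__ == "__main__":
    for name, path in [("directors", DIRECTORS_PATH),
                       ("private-info", PRIVATE_INFO_PATH),
                       ("misordered", MISORDERED_PATH)]:
        print(name, lint_path(path) or "OK")
    print(decide(HttpsRequest(frozenset({"Staff"}), "bank.example.com")))
```

The linter stops at the first SSL Bypass Set or SSL Intercept Set item because, as the chapter states, everything after that point may legitimately inspect HTTP data; the misordered path is reported twice, once for Category Lookup with HTTP URI input and once for URL Filter Assign placed ahead of the bypass decision.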