Manual Chapter: Transparent Forward Proxy Configuration
Applies To: BIG-IP APM 17.1.2, 17.1.1, 17.1.0
Overview: Configuring transparent forward proxy
In transparent forward proxy, you configure your internal network to forward web traffic to
the BIG-IP system with Access Policy Manager® (APM®) configured to act as a forward proxy. Use this configuration when
your topology includes a router on which you can configure policy-based routing or Web Cache
Communication Protocol (WCCP) to send any traffic for ports 80 and 443 to the BIG-IP system.
This implementation describes only the configuration required on the BIG-IP system.
The router sends traffic to the self IP address of a VLAN configured on the BIG-IP system.
Virtual servers listen on the VLAN and process the traffic that most closely matches the
virtual server address. APM identifies users without using session management cookies. A
per-request policy, configured to use action items that determine the URL category and apply a
URL filter, controls access.
Transparent forward proxy provides the option to use a captive portal. To use
this option, you need an additional virtual server, not shown in the figure, for the captive
portal primary authentication server.
Task summary
Use these procedures to configure the virtual servers, SSL profiles, access profile, and
VLAN that you need to support transparent forward proxy. When you are done, you must add an
access policy and a per-request policy to this configuration to process traffic as you
want.
Task list
About the iApp for Secure Web Gateway configuration
When deployed as an application service, the Secure Web Gateway (SWG) iApps template can set up either an explicit or a transparent forward proxy configuration.
The template is designed for use on a system provisioned and licensed with SWG. To download a
zipped file of iApp templates from the F5 Downloads site (downloads.f5.com), you must register
for an F5 support account. In the zipped file, a README and template for F5 Secure Web Gateway
are located in the RELEASE_CANDIDATE folder.
About user identification with a logon page
User identification by IP address is a method that is available for these access profile
types: SWG-Explicit, SWG-Transparent, and LTM-APM.
Identify users by IP address only when IP addresses are unique and can be
trusted.
To support this option, a logon page must be added to the access policy to explicitly
identify users. The logon page requests user credentials and validates them to identify the
users. For explicit forward proxy, a 407 response page is the appropriate logon page action.
For transparent forward proxy, a 401 response page is the appropriate logon page action. For
LTM-APM, the Logon Page action is appropriate.
F5 BIG-IP Access Policy Manager (APM®) maintains an internal mapping of IP addresses to user
names.
About user identification with an SWG F5 agent
Transparent user identification makes a best effort to identify users without requesting
credentials. It is not authentication. It should be used only when you are comfortable
accepting a best effort at user identification.
Transparent user identification is supported in Secure Web Gateway (SWG) configurations for
either explicit or transparent forward proxy. An agent obtains data and stores a mapping of IP
addresses to user names in an IF-MAP server. An F5 DC Agent queries domain controllers. An F5
Logon Agent runs a script when a client logs in and can be configured to run a script when the
client logs out.
Agents are available only on a BIG-IP system with an SWG
subscription.
In an access policy, a Transparent Identity Import item obtains the
IP-address-to-username-mapping from the IF-MAP server. This item can be used alone for
determining whether to grant access or be paired with another query to look up the user or
validate user information.
To support this option, either the Secure Web Gateway F5 DC Agent or F5 Logon Agent must be
downloaded, installed, and configured.
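The model below is an added illustration, not F5 code or documentation: it shows what the internal IP-address-to-username mapping described above looks like from the proxy's side, and why the page restricts IP-based identification to networks where addresses are unique and trusted. When a source address becomes associated with a second user name, which is what a shared machine or an internal NAT looks like to the proxy, the address is reported as untrusted. The logon events, addresses, user names and the `LogonEvent`/`IpIdentityMap` names are constructed for this example.

```python
"""Model of APM's IP-address-to-username mapping with a trust check.

Constructed example (not F5 code). APM keeps an internal mapping of client IP
addresses to user names when the access profile identifies users by IP address.
The page warns that this only works when addresses are unique and trusted, so
the model flags any address that becomes associated with more than one user,
which is what NAT or a shared machine looks like from the proxy's side.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class LogonEvent:
    ip: str
    user: str
    timestamp: int  # seconds; constructed values below


@dataclass
class IpIdentityMap:
    """Mapping of IP address -> user name, as a transparent proxy would keep it."""
    table: Dict[str, str] = field(default_factory=dict)
    collisions: List[Tuple[str, str, str]] = field(default_factory=list)

    def record(self, event: LogonEvent) -> None:
        previous = self.table.get(event.ip)
        if previous is not None and previous != event.user:
            # Same source address, different user: the uniqueness assumption
            # behind IP-based identification no longer holds for this address.
            self.collisions.append((event.ip, previous, event.user))
        self.table[event.ip] = event.user

    def identify(self, ip: str) -> Optional[str]:
        """Return the user currently associated with ip, or None if unknown."""
        return self.table.get(ip)

    def untrusted_addresses(self) -> List[str]:
        """Addresses that have been seen with more than one user name."""
        return sorted({ip for ip, _, _ in self.collisions})


# Constructed logon events, in the shape an F5 DC Agent or Logon Agent would learn them.
SAMPLE_EVENTS = [
    LogonEvent("10.20.0.11", "alice", 1000),
    LogonEvent("10.20.0.12", "bob", 1010),
    LogonEvent("10.20.0.11", "alice", 1500),   # same user again: no collision
    LogonEvent("10.20.0.13", "carol", 1600),
    LogonEvent("10.20.0.13", "dave", 1605),    # shared machine or NAT behind this IP
]


def build_map(events: List[LogonEvent]) -> IpIdentityMap:
    """Replay events in time order and return the resulting mapping."""
    m = IpIdentityMap()
    for e in sorted(events, key=lambda ev: ev.timestamp):
        m.record(e)
    return m


if __name__ == "__main__":
    m = build_map(SAMPLE_EVENTS)
    print("identify 10.20.0.11 ->", m.identify("10.20.0.11"))
    print("untrusted addresses:", m.untrusted_addresses())
```

In a deployment, the list returned by `untrusted_addresses` is the set of clients for which the page's advice applies: put NTLM or Kerberos authentication in front of them rather than relying on the address alone.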
Creating a VLAN for transparent forward proxy
You need a VLAN on which the forward proxy can listen. For increased security, the
VLAN should directly face your clients.
- On the Main tab, navigate to the VLAN list. The VLAN List screen opens.
- Click Create. The New VLAN screen opens.
- In the Name field, type a unique name for the VLAN.
- For the Interfaces setting:
  - From the Interface list, select an interface number.
  - From the Tagging list, select Untagged.
  - Click Add.
- Click Finished. The screen refreshes, and it displays the new VLAN in the list.
The new VLAN appears in the VLAN list.
Assigning a self IP address to a VLAN
Assign a self IP address to a VLAN on which the forward proxy listens.
- On the Main tab, navigate to the self IP address list.
- Click Create. The New Self IP screen opens.
- In the Name field, type a unique name for the self IP address.
- In the IP Address field, type the IP address of the VLAN. The system accepts IPv4 and IPv6 addresses.
- In the Netmask field, type the network mask for the specified IP address. For example, you can type 255.255.255.0.
- From the VLAN/Tunnel list, select the VLAN.
- Click Finished. The screen refreshes, and displays the new self IP address.
Creating an access profile for transparent forward proxy
You create an access profile to provide the access policy configuration for a
virtual server that establishes a secured session.
- On the Main tab, navigate to the Access Profiles list. The Access Profiles (Per-Session Policies) screen displays.
- Click Create. The New Profile screen displays.
- In the Name field, type a name for the access profile. An access profile name should be unique among all per-session profile and per-request policy names.
- From the Profile Type list, select SWG-Transparent. Additional settings display.
- From the Profile Scope list, select the required profile criteria. Default is Profile.
  - Profile: Gives a user access only to resources that are behind the same access profile. This is the default value.
  - Virtual Server: Gives a user access only to resources that are behind the same virtual server.
  - Global: Gives a user access to resources behind any access profile that has global scope.
  - Named: Gives an SSL Orchestrator user access to resources behind any access profile that has global scope.
- From the Customization Type list, select the required page style for the access profile. Default is Modern. Available options are Modern and Standard. You can also use Standard, but Modern customization is simpler and provides better compatibility for modern cross-platform and cross-device applications.
- In the Settings area, click the Custom check box to enable the options. Configure the available options as applicable.
- In the Configurations area, configure the following parameters:
  - When the SWG-Transparent profile type is selected, the User Identification Method option is set to IP Address and cannot be changed.
  - IP Address: Use this option only in an environment where a client IP address is unique and can be trusted, typically in an internal network. This option is not for use with internal NAT or shared systems. In the case of a shared machine, an IP address might already be associated with a user or a session. Using Kerberos or NTLM authentication ensures that the system can associate the IP address with the correct session (new or existing) or with a new user each time a user logs on to a shared machine. Selecting this option ignores cookies. When IP Address is selected, the default authentication type is None, and the NTLM auth configuration and Kerberos auth configuration are optional.
  - From the Authentication Type list, select the required authentication type. Available options are NTLM Only, Kerberos Only, Both, and None.
  - From the NTLM Auth Configuration list, select the required NTLM auth configuration object. Default is None.
  - From the Kerberos Auth Configuration list, select the required Kerberos auth configuration object. Default is None.
  - To use NTLM authentication before a session starts, from the NTLM Auth Configuration list, select a configuration. For NTLM authentication to work, you must also enable the Captive Portals setting and specify an IP address in the Primary Authentication URI field for the virtual server that you configure for the captive portal. In the case of a shared machine, an IP address might already be associated with a user or a session. Using NTLM authentication ensures that the system can associate the IP address with the correct session (new or existing) or with a new user each time a user logs on to the shared machine.
  - To direct users to a captive portal, for Captive Portals select Enabled and, in the Primary Authentication URI field, type the URI. You might specify the URI of your primary authentication server if you use single sign-on across multiple domains. Users can then access multiple back-end applications from multiple domains and hosts without needing to re-enter their credentials, because the user session is stored on the primary domain. For example, you might type https://logon.siterequest.com in the field.
- In the Language Settings area, add and remove accepted languages, and set the default language. If a browser language does not match any language in the accepted languages list, the browser uses the default language.
- Click Finished. The Access Profiles list screen displays.
The access profile displays in the Access Profiles List. Default-log-setting is assigned to the
access profile.
Create a custom Client SSL forward proxy profile
You perform this task to create a Client SSL forward proxy profile that makes client and
server authentication possible while still allowing the BIG-IP system to perform data
optimization, such as decryption and encryption. This profile applies to client-side SSL
forward proxy traffic only.
- On the Main tab, navigate to the Client SSL profile list. The Client SSL profile list screen opens.
- Click Create. The New Client SSL Profile screen opens.
- In the Name field, type a unique name for the profile.
- From the Parent Profile list, select clientssl.
- From the SSL Forward Proxy list, select Advanced.
- Select the Custom check box for the SSL Forward Proxy area.
- Modify the SSL Forward Proxy settings:
  - From the SSL Forward Proxy list, select Enabled.
  - From the CA Certificate list, select a certificate. If the BIG-IP system is part of a DSC Sync-Failover group, always select a non-default certificate name, and ensure that this same certificate name is specified in every instance of this SSL profile in the device group. Taking these actions helps to ensure that SSL handshakes are successful after a failover event.
  - From the CA Key list, select a key. If the BIG-IP system is part of a DSC Sync-Failover group, always select a non-default key name, and ensure that this same key name is specified in every instance of this SSL profile in the device group. Taking these actions helps to ensure that SSL handshakes are successful after a failover event.
  - In the CA Passphrase field, type a passphrase.
  - In the Confirm CA Passphrase field, type the passphrase again.
  - In the Certificate Lifespan field, type a lifespan for the SSL forward proxy certificate in days.
  - From the Certificate Extensions list, select Extensions List.
  - For the Certificate Extensions List setting, select the extensions that you want in the Available extensions field, and move them to the Enabled Extensions field using the Enable button.
  - Select the Cache Certificate by Addr-Port check box if you want to cache certificates by IP address and port number.
  - From the SSL Forward Proxy Bypass list, select Enabled. Additional settings display.
  - From the Bypass Default Action list, select Intercept or Bypass. The default action applies to addresses and hostnames that do not match any entry in the lists that you specify. The system matches traffic first against destination IP address lists, then source IP address lists, and lastly hostname lists. Within these, the default action also specifies whether to search the intercept list or the bypass list first. If you select Bypass and do not specify any additional settings, you introduce a security risk to your system.
- For detailed information on the different settings of the SSL:Client page, refer to the SSL Traffic Management chapter (Create a custom Client SSL profile section) of the SSL Administration guide.
- Click Finished.
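The following model is an added example, not F5 code, of the bypass decision order the Bypass Default Action step describes: destination IP lists are consulted first, then source IP lists, then hostname lists, and traffic that matches nothing receives the default action. Two points are this example's own assumptions: within each stage the list opposite the default action (the exceptions) is searched before the list that agrees with it, and hostname entries may use a leading `*.` wildcard. The `BypassPolicy` name, the address ranges and the hostnames are constructed, and `is_risky` encodes the page's warning about a Bypass default with no lists.

```python
"""Model of the SSL Forward Proxy Bypass decision order described on this page.

Added example, not F5 code. Lists are matched in the order the page gives:
destination IP lists, then source IP lists, then hostname lists. Within each
pair the list opposite the default action (the "exceptions") is searched first;
that is this model's assumption about how the default action decides "whether
to search the intercept list or the bypass list first". Unmatched traffic gets
the default action.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, List, Optional

INTERCEPT = "intercept"
BYPASS = "bypass"


def _ip_in(ip: str, networks: List[str]) -> bool:
    """True if ip falls inside any of the CIDR networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)


def _host_in(host: str, patterns: List[str]) -> bool:
    """Exact hostname match, or '*.example' matching the domain and its subdomains (assumed syntax)."""
    host = host.lower().rstrip(".")
    for p in patterns:
        p = p.lower()
        if p.startswith("*."):
            if host == p[2:] or host.endswith(p[1:]):
                return True
        elif host == p:
            return True
    return False


@dataclass
class BypassPolicy:
    default_action: str = INTERCEPT
    dest_intercept: List[str] = field(default_factory=list)
    dest_bypass: List[str] = field(default_factory=list)
    src_intercept: List[str] = field(default_factory=list)
    src_bypass: List[str] = field(default_factory=list)
    host_intercept: List[str] = field(default_factory=list)
    host_bypass: List[str] = field(default_factory=list)

    def is_risky(self) -> bool:
        """The page's warning: default Bypass with no lists means nothing is inspected."""
        lists = [self.dest_intercept, self.dest_bypass, self.src_intercept,
                 self.src_bypass, self.host_intercept, self.host_bypass]
        return self.default_action == BYPASS and not any(lists)

    def decide(self, dst_ip: str, src_ip: str, hostname: Optional[str]) -> str:
        """Return INTERCEPT or BYPASS for one connection."""
        stages: List[tuple] = [
            (self.dest_intercept, self.dest_bypass, lambda lst: _ip_in(dst_ip, lst)),
            (self.src_intercept, self.src_bypass, lambda lst: _ip_in(src_ip, lst)),
            (self.host_intercept, self.host_bypass,
             lambda lst: hostname is not None and _host_in(hostname, lst)),
        ]
        for intercept_list, bypass_list, match in stages:
            # Search the list opposite the default first (model assumption).
            if self.default_action == INTERCEPT:
                order = [(bypass_list, BYPASS), (intercept_list, INTERCEPT)]
            else:
                order = [(intercept_list, INTERCEPT), (bypass_list, BYPASS)]
            for lst, action in order:
                if lst and match(lst):
                    return action
        return self.default_action


# Constructed policy: intercept by default, with a few exceptions.
EXAMPLE_POLICY = BypassPolicy(
    default_action=INTERCEPT,
    dest_bypass=["203.0.113.0/24"],       # a destination range left uninspected
    src_intercept=["10.0.0.0/8"],         # internal clients always inspected
    host_bypass=["*.bank.example"],       # hostnames left uninspected
)

if __name__ == "__main__":
    print(EXAMPLE_POLICY.decide("203.0.113.7", "10.1.1.1", "www.shop.example"))
    print(EXAMPLE_POLICY.decide("198.51.100.5", "10.1.1.1", "login.bank.example"))
    print(BypassPolicy(default_action=BYPASS).is_risky())
```

The second call in the usage shows why the stage order matters: a client in the source intercept range reaching a bypassed hostname is still intercepted, because source lists are evaluated before hostname lists.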
Create a custom Server SSL profile
Create a custom server SSL profile to support SSL forward proxy.
- On the Main tab, navigate to the Server SSL profile list. The Server SSL profile list screen opens.
- Click Create. The New Server SSL Profile screen opens.
- In the Name field, type a unique name for the profile.
- For Parent Profile, retain the default selection, serverssl.
- From the Configuration list, select Advanced.
- Select the Custom check box. The settings become available for change.
- From the SSL Forward Proxy list, select Enabled. You can update this setting later, but only while the profile is not assigned to a virtual server.
- From the SSL Forward Proxy Bypass list, select Enabled (or retain the default value, Disabled). The values of the SSL Forward Proxy Bypass settings in the server SSL and the client SSL profiles specified in a virtual server must match. You can update this setting later, but only while the profile is not assigned to a virtual server.
- Scroll down to the Secure Renegotiation list and select Request.
- For detailed information on the different settings of the SSL:Server page, refer to the SSL Traffic Management chapter (Create a custom Server SSL profile section) of the SSL Administration guide.
- Click Finished.
Creating a virtual server for forward proxy SSL traffic
You configure a virtual server to process the SSL web traffic in a transparent forward proxy
configuration.
- On the Main tab, navigate to the Virtual Server list. The Virtual Server List screen opens.
- Click Create. The New Virtual Server screen opens.
- In the Name field, type a unique name for the virtual server.
- In the Destination Address/Mask field, type 0.0.0.0 to accept any IPv4 traffic.
- In the Service Port field, type 443 or select HTTPS from the list.
- From the Configuration list, select Advanced.
- From the HTTP Profile (Client) list, select a previously created HTTP/2 profile for client-side traffic.
- If you plan to use this virtual server for proxy chaining from APM, from the HTTP Proxy Connect Profile list, select a profile that you configured previously or select http-proxy-connect.
- For the SSL Profile (Client) setting, from the Available list, select the name of the Client SSL forward proxy profile you previously created, and using the Move button, move the name to the Selected list.
- For the SSL Profile (Server) setting, from the Available list, select the name of the Server SSL forward proxy profile you previously created, and using the Move button, move the name to the Selected list.
  To enable SSL forward proxy functionality, you can either:
  - Disassociate existing Client SSL and Server SSL profiles from a virtual server and configure the SSL Forward Proxy settings.
  - Create new Client SSL and Server SSL profiles and configure the SSL Forward Proxy settings.
  Then, with either option, select the Client SSL and Server SSL profiles on a virtual server. You cannot modify existing Client SSL and Server SSL profiles while they are selected on a virtual server to enable SSL forward proxy functionality.
- For the VLAN and Tunnel Traffic setting, retain the default value, All VLANs and Tunnels.
- From the Source Address Translation list, select Auto Map.
- For the Address Translation setting, clear the Enabled check box.
- Click Finished.
The virtual server now appears in the Virtual Server List screen.
After you configure an access policy and a per-request policy, specify them in the
Access Profile settings area of this virtual server.
Creating a virtual server for forward proxy traffic
You configure a virtual server to process web traffic going to port 80 in a transparent
forward proxy configuration.
- On the Main tab, navigate to the Virtual Server list. The Virtual Server List screen opens.
- Click Create. The New Virtual Server screen opens.
- In the Name field, type a unique name for the virtual server.
- In the Destination Address/Mask field, type 0.0.0.0 to accept any IPv4 traffic.
- In the Service Port field, type 80, or select HTTP from the list.
- From the Configuration list, select Advanced.
- From the HTTP Profile (Client) list, select a previously created HTTP/2 profile for client-side traffic.
- For the HTTP Connect Profile setting, be sure to retain the default value, None.
- For the VLAN and Tunnel Traffic setting, retain the default value, All VLANs and Tunnels.
- From the Source Address Translation list, select Auto Map.
- For the Address Translation setting, clear the Enabled check box.
- Click Finished.
The virtual server now appears in the Virtual Server List screen.
After you configure an access policy and a per-request policy, specify them in the
Access Profile settings area of this virtual server.
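The procedures above spread several constraints across separate screens: the SSL Forward Proxy Bypass value must be the same in the client and server SSL profiles selected on a virtual server, the forward proxy virtual servers must have address translation cleared and source address translation set to Auto Map, the port 80 virtual server must keep HTTP Connect Profile at None, and NTLM authentication in the access profile only works with Captive Portals enabled and a Primary Authentication URI set. The pre-flight check below is an added example, not F5 code: it represents each object as a plain dict keyed by the GUI setting names used on this page (the key names, object names and the sample configuration are this example's own), applies those constraints, and returns the findings. It is the kind of review a practitioner runs before sending traffic to the configuration.

```python
"""Pre-flight consistency check for the transparent forward proxy objects on this page.

Added example, not F5 code. Objects are plain dicts keyed by the GUI setting
names from the procedures above (key names are this example's choice); the
checks apply only constraints the page itself states.
"""
from typing import Dict, List


def check_ssl_profiles(client: Dict, server: Dict) -> List[str]:
    findings = []
    if client.get("ssl_forward_proxy") != "Enabled":
        findings.append("client SSL: SSL Forward Proxy must be Enabled")
    if server.get("ssl_forward_proxy") != "Enabled":
        findings.append("server SSL: SSL Forward Proxy must be Enabled")
    if client.get("ssl_forward_proxy_bypass") != server.get("ssl_forward_proxy_bypass"):
        findings.append("SSL Forward Proxy Bypass must match in client and server SSL profiles")
    if server.get("secure_renegotiation") != "Request":
        findings.append("server SSL: Secure Renegotiation should be Request")
    # Default action Bypass with no intercept/bypass lists leaves all traffic uninspected.
    if (client.get("bypass_default_action") == "Bypass"
            and not any(client.get("bypass_lists", {}).values())):
        findings.append("client SSL: Bypass default action with no lists is a security risk")
    return findings


def check_virtual_server(vs: Dict, expected_port: int) -> List[str]:
    findings = []
    name = vs.get("name", "?")
    if vs.get("destination") != "0.0.0.0":
        findings.append(f"{name}: destination should be 0.0.0.0 (any IPv4 traffic)")
    if vs.get("service_port") != expected_port:
        findings.append(f"{name}: service port should be {expected_port}")
    if vs.get("address_translation", True):
        findings.append(f"{name}: clear the Address Translation Enabled check box")
    if vs.get("source_address_translation") != "Auto Map":
        findings.append(f"{name}: Source Address Translation should be Auto Map")
    if expected_port == 443 and not (vs.get("client_ssl") and vs.get("server_ssl")):
        findings.append(f"{name}: select both the Client SSL and Server SSL forward proxy profiles")
    if expected_port == 80 and vs.get("http_connect_profile", "None") != "None":
        findings.append(f"{name}: HTTP Connect Profile must remain None")
    return findings


def check_access_profile(ap: Dict) -> List[str]:
    findings = []
    if ap.get("profile_type") != "SWG-Transparent":
        findings.append("access profile: Profile Type must be SWG-Transparent")
    uses_ntlm = ap.get("ntlm_auth_configuration", "None") != "None"
    if uses_ntlm and not ap.get("captive_portal"):
        findings.append("access profile: NTLM auth requires Captive Portals to be Enabled")
    if ap.get("captive_portal") and not ap.get("primary_authentication_uri"):
        findings.append("access profile: Captive Portals needs a Primary Authentication URI")
    return findings


def preflight(config: Dict) -> List[str]:
    """Run every check and return the combined list of findings (empty means consistent)."""
    f = check_ssl_profiles(config["client_ssl"], config["server_ssl"])
    f += check_virtual_server(config["vs_https"], 443)
    f += check_virtual_server(config["vs_http"], 80)
    f += check_access_profile(config["access_profile"])
    return f


# Constructed configuration that follows the procedures on this page.
GOOD_CONFIG = {
    "client_ssl": {"ssl_forward_proxy": "Enabled", "ssl_forward_proxy_bypass": "Enabled",
                   "bypass_default_action": "Intercept", "bypass_lists": {}},
    "server_ssl": {"ssl_forward_proxy": "Enabled", "ssl_forward_proxy_bypass": "Enabled",
                   "secure_renegotiation": "Request"},
    "vs_https": {"name": "swg_tfp_https", "destination": "0.0.0.0", "service_port": 443,
                 "address_translation": False, "source_address_translation": "Auto Map",
                 "client_ssl": "swg_clientssl_fp", "server_ssl": "swg_serverssl_fp"},
    "vs_http": {"name": "swg_tfp_http", "destination": "0.0.0.0", "service_port": 80,
                "address_translation": False, "source_address_translation": "Auto Map",
                "http_connect_profile": "None"},
    "access_profile": {"profile_type": "SWG-Transparent", "captive_portal": True,
                       "primary_authentication_uri": "https://logon.siterequest.com",
                       "ntlm_auth_configuration": "ntlm_cfg"},
}

if __name__ == "__main__":
    for line in preflight(GOOD_CONFIG) or ["no findings"]:
        print(line)
```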
Creating a Client SSL profile for a captive portal
You create a Client SSL profile when you want the BIG-IP system to authenticate and
decrypt/encrypt client-side application traffic. You create this profile if you enabled
Captive Portals in the access profile and if you want to use client-side SSL.
- On the Main tab, navigate to the Client SSL profile list. The Client SSL profile list screen opens.
- Click Create. The New Client SSL Profile screen opens.
- In the Name field, type a unique name for the profile.
- For the Parent Profile list, retain the default value, clientssl.
- Select the Custom check box.
- In the Certificate Key Chain area, select a certificate and key combination to use for SSL encryption for the captive portal. This certificate should match the FQDN configured in the SWG-Transparent access profile to avoid security warnings, and should be generated by a certificate authority that your browser clients trust. If the key is encrypted, type a passphrase. Otherwise, leave the Passphrase field blank.
- Click Finished.
After creating the Client SSL profile and assigning the profile to a virtual server,
the BIG-IP system can apply SSL security to the type of application traffic for which
the virtual server is configured to listen.
Creating a virtual server for a captive portal
You configure a virtual server to use as a captive portal if you enabled the Captive Portals
setting in the access profile.
- On the Main tab, navigate to the Virtual Server list. The Virtual Server List screen opens.
- Click Create. The New Virtual Server screen opens.
- In the Name field, type a unique name for the virtual server.
- In the Destination Address/Mask field, type the IP address for a host virtual server. This field accepts an address in CIDR format (IP address/prefix). However, when you type the complete IP address for a host, you do not need to type a prefix after the address. Type a destination address in this format: 162.160.15.20.
- Specify a port in the Service Port field. If you plan to use client-side SSL, type 443 or select HTTPS from the list.
- From the HTTP Profile list, be sure to retain the default value, http.
- For the HTTP Connect Profile setting, be sure to retain the default value, None. Whether or not you plan to use client-side SSL, for a captive portal the value for this setting should be None.
- If you plan to use client-side SSL, for the SSL Profile (Client) setting, move the profile you configured previously from the Available list to the Selected list.
- Click Finished.
The virtual server appears in the Virtual Server List screen.
After you configure an access policy, specify it in the Access Profile settings
area of this virtual server.
Implementation result
You now have the profiles, virtual servers, and other configuration objects that you need for
transparent forward proxy.
Before you send traffic to this configuration, you need to configure an
access policy and a per-request policy and specify them in the virtual servers.
Access policy and per-request policy configuration depends on what you are trying to do. To
locate examples, look for configurations that categorize and filter traffic, intercept or bypass
SSL traffic, forward traffic to a third party proxy server, and so on.
About redirects after access denied by captive portal
A tool that captures HTTP traffic can reveal what appears to be an extra redirect after a
user attempts to gain access using a captive portal but fails. Instead of immediately
redirecting the user to the logout page, the user is first redirected to the landing URI, and
then a request to the landing URI is redirected to the logout page.
This sample output shows both redirects: the 302 to the landing page
http://berkeley.edu/index.html and the 302 to the logout page
http://berkeley.edu/vdesk/hangup.php3.
    POST  https://bigip-master.com/my.policy?ORIG_URI=http://berkeley.edu/index.html  302  http://berkeley.edu/index.html
    GET   http://berkeley.edu/index.html                                                302  http://berkeley.edu/vdesk/hangup.php3
Although the 302 to the landing page might seem to be an extra redirect, it is not. When a
request is made, a subordinate virtual server transfers the request to the dominant virtual
server to complete the access policy. When the dominant virtual server completes the access
policy, it transfers the user back to the subordinate virtual server, on the same original
request. The subordinate virtual server then enforces the result of the access policy.
Overview: Configuring transparent forward proxy in inline mode
In a configuration where Access Policy Manager® (APM®) acts as a transparent forward proxy,
you configure your internal network to forward web traffic to the BIG-IP system. This
implementation describes an inline deployment. You place the BIG-IP system directly in the
path of traffic, or inline, as the next hop after the gateway. The gateway sends traffic to
the self IP address of a VLAN configured on the BIG-IP system.
Wildcard virtual servers listen on the VLAN and process the traffic that most closely matches
the virtual server address. A wildcard virtual server is a special type of network virtual
server designed to manage network traffic that is targeted to transparent network devices.
Transparent forward proxy provides the option to use a captive portal. To use this option,
you need an additional virtual server, not shown in the figure, for the captive portal
primary authentication server.
Task summary
Use these procedures to configure the virtual servers, SSL profiles, access profile, VLAN,
and self-IP that you need to support inline transparent forward proxy. When you are done,
you must add an access policy and a per-request policy to this configuration to process
traffic as you want.
Task list
About the iApp for Secure Web Gateway
configuration
When deployed as an application service, the Secure Web Gateway (SWG) iApps template can set up either an explicit or a transparent forward proxy configuration.
The template is designed for use on a system provisioned and licensed with SWG. To download a
zipped file of iApp templates from the F5 Downloads site at
(
downloads.f5.com
), you must register for an F5 support account. In the
zipped file, a README and template for F5 Secure Web Gateway are located in the RELEASE_CANDIDATE
folder. Creating a VLAN for transparent forward proxy
You need a VLAN on which the forward proxy can listen. For increased security, the
VLAN should directly face your clients.
- On the Main tab, click.The VLAN List screen opens.
- ClickCreate.The New VLAN screen opens.
- In theNamefield, type a unique name for the VLAN.
- For theInterfacessetting,
- From theInterfacelist, select an interface number.
- From theTagginglist, selectUntagged.
- ClickAdd.
- ClickFinished.The screen refreshes, and it displays the new VLAN in the list.
The new VLAN appears in the VLAN list.
Assigning a self IP address to a VLAN
Assign a self IP address to a VLAN on which
the forward proxy listens.
- On the Main tab, click.
- ClickCreate.The New Self IP screen opens.
- In theNamefield, type a unique name for the self IP address.
- In theIP Addressfield, type the IP address of the VLAN.The system accepts IPv4 and IPv6 addresses.
- In theNetmaskfield, type the network mask for the specified IP address.For example, you can type255.255.255.0.
- From theVLAN/Tunnellist, select the VLAN.
- ClickFinished.The screen refreshes, and displays the new self IP address.
Creating an access profile for transparent
forward proxy
You create an access profile to provide the access policy configuration for a
virtual server that establishes a secured session.
- On the Main tab, click.The Access Profiles (Per-Session Policies) screen displays.
- ClickCreate.The New Profile screen displays.
- In theNamefield, type a name for the access profile.An access profile name should be unique among all per-session profile and per-request policy names.
- From theProfile Typelist, selectSWG-Transparent. Additional settings display.
- From theProfile Scopelist, select the required profile criteria. Default is Profile.
- Profile: Gives an user access only to resources that are behind the same access profile. This is the default value.
- Virtual Server: Gives an user access only to resources that are behind the same virtual server.
- Global: Gives an user access to resources behind any access profile that has global scope.
- Named: Gives an SSL Orchestrator user access to resources behind any access profile that has global scope.
- From theCustomization Typelist, select the required page style for an access profile. Default is Modern. Available options are Modern and Standard. You can also use Standard but Modern customization is simpler and provides better compatibility for modern cross-platform and cross-device applications.
- In theSettingsarea, click theCustomcheckbox to enable the options. Configure the available options as applicable.
- In theConfigurationsarea, configure the following parameters:
- When SWG-Transparent profile type is selected, theUser Identification Methodoption is selected as IP address and remains unchanged.
- IP Address: Use this option only in an environment where a client IP address is unique and can be trusted, typically, in an internal network. This option is not for use with internal NAT or shared systems. In the case of a shared machine, an IP address might already be associated with a user or a session. Using Kerberos or NTLM authentication ensures that the system can associate the IP address with the correct session new or existing) or with a new user each time a user logs on to a shared machine. Selecting this option ignores the cookies.When IP address is selected, the default authentication type is set as None and the NTLM auth configuration and Kerberos auth configuration are optional.
- From theAuthentication typelist, select the required authentication type from the list. Available options are NTLM Only, Kerberos Only, Both, and None.
- From theNTLM Auth Configurationlist, select the required NTLM auth configuration object from the list. Default is None.
- From theKerberos Auth Configurationlist, select the required Kerbreos auth configuration object from the list. Default is None.
- To use NTLM authentication before a session starts, from theNTLM Auth Configurationlist select a configuration.For NTLM authentication to work, you must also enable theCaptive Portalssetting and specify an IP address in thePrimary Authentication URIfield for the virtual server that you configure for the captive portal.In the case of a shared machine, an IP address might already be associated with a user or a session. Using NTLM authentication ensures that the system can associate the IP address with the correct session (new or existing) or with a new user each time a user logs on to the shared machine.
- To direct users to a captive portal, forCaptive PortalselectEnabledand, in thePrimary Authentication URIfield, type the URI.You might specify the URI of your primary authentication server if you use single sign-on across multiple domains. Users can then access multiple back-end applications from multiple domains and hosts without needing to re-enter their credentials, because the user session is stored on the primary domain.For example, you might typehttps://logon.siterequest.comin the field.
- In the Language Settings area, add and remove accepted languages, and set the default language.If any browser language does not match with the accepted languages list, the browser uses the default language.
- ClickFinished.The Access Profiles list screen displays.
The access
profile displays in the Access Profiles List. Default-log-setting is assigned to the
access profile.
Create a custom Client SSL forward proxy profile
You perform this task to create a Client SSL forward proxy profile that makes it
possible for client and server authentication while still allowing the BIG-IP system to perform data optimization, such as decryption
and encryption. This profile applies to client-side SSL forward proxy traffic
only.
- On the Main tab, click.The Client SSL profile list screen opens.
- ClickCreate.The New Client SSL Profile screen opens.
- In theNamefield, type a unique name for the profile.
- From theParent Profilelist, selectclientssl.
- From theSSL Forward Proxylist, selectAdvanced.
- Select theCustomcheck box for the SSL Forward Proxy area.
- Modify the SSL Forward Proxy settings.
- From theSSL Forward Proxylist, selectEnabled.
- From theCA Certificatelist, select a certificate.If the BIG-IP system is part of a DSC Sync-Failover group, always select a non-default certificate name, and ensure that this same certificate name is specified in every instance of this SSL profile in the device group. Taking these actions helps to ensure that SSL handshakes are successful after a failover event.
- From theCA Keylist, select a key.If the BIG-IP system is part of a DSC Sync-Failover group, always select a non-default key name, and ensure that this same key name is specified in every instance of this SSL profile in the device group. Taking these actions helps to ensure that SSL handshakes are successful after a failover event.
- In theCA Passphrasefield, type a passphrase.
- In theConfirm CA Passphrasefield, type the passphrase again.
- In theCertificate Lifespanfield, type a lifespan for the SSL forward proxy certificate in days.
- From theCertificate Extensionslist, selectExtensions List.
- For theCertificate Extensions Listsetting, select the extensions that you want in theAvailable extensionsfield, and move them to theEnabled Extensionsfield using theEnablebutton.
- Select theCache Certificate by Addr-Portcheck box if you want to cache certificates by IP address and port number.
- From theSSL Forward Proxy Bypasslist, selectEnabled.Additional settings display.
- From theBypass Default Actionlist, selectInterceptorBypass.The default action applies to addresses and hostnames that do not match any entry specified in the lists that you specify. The system matches traffic first against destination IP address lists, then source IP address lists, and lastly, hostname lists. Within these, the default action also specifies whether to search the intercept list or the bypass list first.If you selectBypassand do not specify any additional settings, you introduce a security risk to your system.
- For detailed information on the different settings of the SSL:Client page, refer to theSSL Traffic Managementchapter (Create a custom Client SSL profilesection) of the SSL Administration guide.
- ClickFinished.
Create a custom Server SSL profile
Create a custom server SSL profile to support SSL forward proxy.
- On the Main tab, click. The Server SSL profile list screen opens.
- Click Create. The New Server SSL Profile screen opens.
- In the Name field, type a unique name for the profile.
- For Parent Profile, retain the default selection, serverssl.
- From the Configuration list, select Advanced.
- Select the Custom check box. The settings become available for change.
- From the SSL Forward Proxy list, select Enabled. You can update this setting later, but only while the profile is not assigned to a virtual server.
- From the SSL Forward Proxy Bypass list, select Enabled (or retain the default value Disabled). The values of the SSL Forward Proxy Bypass settings in the server SSL and the client SSL profiles specified in a virtual server must match. You can update this setting later, but only while the profile is not assigned to a virtual server.
- Scroll down to the Secure Renegotiation list and select Request.
- For detailed information on the different settings of the SSL:Server page, refer to the SSL Traffic Management chapter (Create a custom Server SSL profile section) of the SSL Administration guide.
- Click Finished.
Creating a virtual server for forward proxy SSL traffic
You configure a virtual server to process the SSL web traffic in a transparent forward proxy configuration.
- On the Main tab, click. The Virtual Server List screen opens.
- Click Create. The New Virtual Server screen opens.
- In the Name field, type a unique name for the virtual server.
- In the Destination Address/Mask field, type 0.0.0.0 to accept any IPv4 traffic.
- In the Service Port field, type 443 or select HTTPS from the list.
- From the Configuration list, select Advanced.
- From the HTTP Profile (Client) list, select a previously-created HTTP/2 profile for client-side traffic.
- If you plan to use this virtual server for proxy chaining from APM, from the HTTP Proxy Connect Profile list, select a profile that you configured previously or select http-proxy-connect.
- For the SSL Profile (Client) setting, from the Available list, select the name of the Client SSL forward proxy profile you previously created, and using the Move button, move the name to the Selected list. To enable SSL forward proxy functionality, you can either:
  - Disassociate existing Client SSL and Server SSL profiles from a virtual server and configure the SSL Forward Proxy settings.
  - Create new Client SSL and Server SSL profiles and configure the SSL Forward Proxy settings.
  Then, with either option, select the Client SSL and Server SSL profiles on a virtual server. You cannot modify existing Client SSL and Server SSL profiles while they are selected on a virtual server to enable SSL forward proxy functionality.
- For the SSL Profile (Server) setting, from the Available list, select the name of the Server SSL forward proxy profile you previously created, and using the Move button, move the name to the Selected list. To enable SSL forward proxy functionality, you can either:
  - Disassociate existing Client SSL and Server SSL profiles from a virtual server and configure the SSL Forward Proxy settings.
  - Create new Client SSL and Server SSL profiles and configure the SSL Forward Proxy settings.
  Then, with either option, select the Client SSL and Server SSL profiles on a virtual server. You cannot modify existing Client SSL and Server SSL profiles while they are selected on a virtual server to enable SSL forward proxy functionality.
- For the VLAN and Tunnel Traffic setting, retain the default value, All VLANs and Tunnels.
- From the Source Address Translation list, select Auto Map.
- For the Address Translation setting, clear the Enabled check box.
- Click Finished.
The virtual server now appears in the Virtual Server List screen.
After you configure an access policy and a per-request policy, specify them in the
Access Profile settings area of this virtual server.
Creating a virtual server for forward proxy traffic
You configure a virtual server to process web traffic going to port 80 in a transparent forward proxy configuration.
- On the Main tab, click. The Virtual Server List screen opens.
- Click Create. The New Virtual Server screen opens.
- In the Name field, type a unique name for the virtual server.
- In the Destination Address/Mask field, type 0.0.0.0 to accept any IPv4 traffic.
- In the Service Port field, type 80, or select HTTP from the list.
- From the Configuration list, select Advanced.
- From the HTTP Profile (Client) list, select a previously-created HTTP/2 profile for client-side traffic.
- For the HTTP Connect Profile setting, be sure to retain the default value None.
- For the VLAN and Tunnel Traffic setting, retain the default value, All VLANs and Tunnels.
- From the Source Address Translation list, select Auto Map.
- For the Address Translation setting, clear the Enabled check box.
- Click Finished.
The virtual server now appears in the Virtual Server List screen.
After you configure an access policy and a per-request policy, specify them in the
Access Profile settings area of this virtual server.
Creating a forwarding virtual server
For Secure Web Gateway transparent forward proxy in inline mode, you create a forwarding virtual server to intercept IP traffic that is not going to ports 80 or 443.
- On the Main tab, click. The Virtual Server List screen opens.
- Click Create. The New Virtual Server screen opens.
- In the Name field, type a unique name for the virtual server.
- From the Type list, select Forwarding (IP).
- In the Source Address field, type 0.0.0.0/0.
- In the Destination Address/Mask field, type 0.0.0.0 to accept any IPv4 traffic.
- In the Service Port field, type * or select * All Ports from the list.
- From the Protocol list, select * All Protocols.
- From the VLAN and Tunnel Traffic list, retain the default selection, All VLANs and Tunnels.
- From the Source Address Translation list, select Auto Map.
- Click Finished.
Creating a Client SSL profile for a captive portal
You create a Client SSL profile when you want the BIG-IP system to authenticate and decrypt/encrypt client-side application traffic. You create this profile if you enabled Captive Portals in the access profile and if you want to use client-side SSL.
- On the Main tab, click. The Client SSL profile list screen opens.
- Click Create. The New Client SSL Profile screen opens.
- In the Name field, type a unique name for the profile.
- For the Parent Profile list, retain the default value, clientssl.
- Select the Custom check box.
- In the Certificate Key Chain area, select a certificate and key combination to use for SSL encryption for the captive portal. This certificate should match the FQDN configured in the access profile (SWG-Transparent type) to avoid security warnings, and should be generated by a certificate authority that your browser clients trust. If the key is encrypted, type a passphrase. Otherwise, leave the Passphrase field blank.
- Click Finished.
After creating the Client SSL profile and assigning the profile to a virtual server,
the BIG-IP system can apply SSL security to the type of application traffic for which
the virtual server is configured to listen.
Creating a virtual server for a captive portal
You configure a virtual server to use as a captive portal if you enabled the Captive Portals setting in the access profile.
- On the Main tab, click. The Virtual Server List screen opens.
- Click Create. The New Virtual Server screen opens.
- In the Name field, type a unique name for the virtual server.
- In the Destination Address/Mask field, type the IP address for a host virtual server. This field accepts an address in CIDR format (IP address/prefix). However, when you type the complete IP address for a host, you do not need to type a prefix after the address. Type a destination address in this format: 162.160.15.20.
- Specify a port in the Service Port field. If you plan to use client-side SSL, type 443 or select HTTPS from the list.
- From the HTTP Profile list, be sure to retain the default value http.
- For the HTTP Connect Profile setting, be sure to retain the default value None. Whether or not you plan to use client-side SSL, for a captive portal the value for this setting should be None.
- If you plan to use client-side SSL, for the SSL Profile (Client) setting, move the profile you configured previously from the Available list to the Selected list.
- Click Finished.
The virtual server appears in the Virtual Server List screen.
After you configure an access policy, specify it in the Access Profile settings
area of this virtual server.
Implementation result
You now have the profiles, virtual servers, and other configuration objects that you need for
transparent forward proxy.
Before you send traffic to this configuration, you need to configure an
access policy and a per-request policy and specify them in the virtual servers.
Access policy and per-request policy configuration depends on what you are trying to do. To
locate examples, look for configurations that categorize and filter traffic, intercept or bypass
SSL traffic, forward traffic to a third party proxy server, and so on.