Manual Chapter : BIG-IP HTTP Connector Setup and Usage Guide

The HTTP Connector feature in F5 BIG-IP Zero Trust Access (ZTA) (formerly known as APM) enables the system to send HTTP requests to external services directly from an access policy. This feature allows integration with external REST APIs or web services without requiring an iRule. When used in a per-session policy, the HTTP Connector executes once during session creation. The system stores the response in session variables, which can be used throughout the session.

Environment:

  • BIG-IP Zero Trust Access (ZTA) (formerly known as APM)
  • Per-session access policies
  • HTTP Connector feature

Object Model:

The HTTP Connector configuration consists of the following objects:

Access Policy → HTTP Connector Agent → HTTP Connector Request → HTTP Connector Transport

  • HTTP Connector Agent: Policy item used within the Visual Policy Editor (VPE)
  • HTTP Connector Request: Defines HTTP request parameters
  • HTTP Connector Transport: Defines connection settings to the external service

Description

The HTTP Connector Transport object defines how the BIG-IP system connects to an external HTTP service.

  1. Navigate to:

    Main → Access → Authentication → HTTP Connector → HTTP Connector Transport

  2. Click Create.

  3. Configure the following settings:

    • Name: Specifies a unique name for the transport object.
    • Server: Specifies the host name or IP address of the external service.
    • Port: Specifies the destination port (for example, 80 or 443).
    • Protocol: Specifies HTTP or HTTPS.
  4. Click Finished.

Description

In addition to the standard configuration options available in TMUI, the HTTP Connector Transport object supports an advanced property called target-vs, which is configurable only through TMSH. The target-vs property allows the BIG-IP system to send HTTP Connector requests through a specified virtual server, instead of directly connecting to the external service defined by the Server and Port settings.

Note: The target-vs property is not available in TMUI and must be configured using TMSH.

  1. Access the BIG-IP command line interface.

  2. Create a new HTTP Connector Transport object with the target-vs property:

    tmsh create apm aaa http-connector-transport my_http_transport \
        target-vs /Common/internal_vs

  3. Alternatively, modify an existing transport object:

    tmsh modify apm aaa http-connector-transport my_http_transport \
        target-vs /Common/internal_vs

  • The specified virtual server must already exist on the BIG-IP system.

  • Ensure the virtual server is properly configured with:

    • Pool members or upstream services
    • SSL profiles (if HTTPS is required)
    • SNAT or appropriate routing configuration
  • When target-vs is configured, the HTTP Connector sends traffic to the virtual server, which then determines how the request is processed and forwarded.

When the HTTP Connector Transport is configured with target-vs:

  • The HTTP request is sent to the specified virtual server.
  • The virtual server applies its configuration (such as load balancing, SSL processing, or iRules).
  • The response is returned to the HTTP Connector and stored in session variables.

  • The target-vs property enables integration with existing BIG-IP traffic management configurations.

  • This is useful for advanced scenarios such as:

    • Load balancing requests across multiple backend services
    • Applying SSL offload or re-encryption
    • Using iRules for request or response manipulation

Note: If the target-vs property is not configured, the HTTP Connector uses the Server, Port, and Protocol settings to connect directly to the external service.
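The following is an added example, not part of the F5 documentation: a shell function that enforces the "virtual server must already exist" prerequisite before running the create or modify command shown above. The function name set_target_vs, the TMSH override variable, and the requirement for a full /Partition/name path are assumptions of this example.

```shell
#!/bin/bash
# Added example: pre-flight wrapper around the tmsh commands shown above.
# TMSH is an assumption of this example; it lets the tmsh binary be replaced
# by a stub when the function is exercised off-box.
TMSH="${TMSH:-tmsh}"

# set_target_vs <transport-name> <virtual-server-path>
# Returns 0 on success, 2 on bad arguments, 3 if the virtual server is missing.
set_target_vs() {
    transport="$1"
    vs="$2"

    # Require a transport name and a full /Partition/name virtual server path,
    # so the object that will carry the connector traffic is unambiguous.
    [ -n "$transport" ] || { echo "usage: set_target_vs <transport> </Partition/vs>" >&2; return 2; }
    case "$vs" in
        /*/*) ;;
        *) echo "virtual server must be a full path such as /Common/internal_vs" >&2; return 2 ;;
    esac

    # The virtual server must already exist; 'list' exits non-zero if it does not.
    if ! "$TMSH" list ltm virtual "$vs" >/dev/null 2>&1; then
        echo "virtual server $vs not found; refusing to set target-vs" >&2
        return 3
    fi

    # Modify the transport if it already exists, otherwise create it.
    if "$TMSH" list apm aaa http-connector-transport "$transport" >/dev/null 2>&1; then
        verb=modify
    else
        verb=create
    fi
    "$TMSH" "$verb" apm aaa http-connector-transport "$transport" target-vs "$vs"
}

# Usage on the BIG-IP command line:
#   set_target_vs my_http_transport /Common/internal_vs
```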

Description

The HTTP Connector Request object defines the HTTP request sent to the external service.

  1. Navigate to:

    Main → Access → Authentication → HTTP Connector → HTTP Connector Request

  2. Click Create.

  3. Configure the following settings:

    • Name: Specifies a unique name for the request object.
    • Request Method: Specifies the HTTP method (for example, GET).
    • Request URI: Specifies the URI path for the request.
    • Transport: Selects the HTTP Connector Transport object.
    • Headers (optional): Specifies HTTP headers as key-value pairs.
    • Body (optional): Specifies the request payload.
  4. Click Finished.

  1. Navigate to:

    Main → Access → Profiles/Policies → Access Profiles (Per-Session Policies)

  2. Select the access profile.

  3. In the Per-Session Policy column, click Edit.

  4. In the Visual Policy Editor (VPE), click the (+) icon.

  5. From the General Purpose tab, select HTTP Connector.

  6. Click Add Item.

  7. Configure the following:

    • Name: Specifies a name for the agent.
    • Request: Selects the HTTP Connector Request object.
  8. Click Save.

When the per-session policy runs:

  • The HTTP Connector agent sends the configured HTTP request.
  • The system stores the response in session variables.
  • You can use these session variables in subsequent policy items to determine access policy outcomes.

  • The HTTP Connector in a per-session policy runs once per session.
  • Use this feature when the HTTP request does not require evaluation for every user request.
  • Ensure that the external service is reachable from the BIG-IP system.
  • For HTTPS connections, ensure that the appropriate SSL certificates are configured.