Applies To: BIG-IP APM 13.0.1, 13.0.0
Overview: Bypassing SSL forward proxy traffic with APM
On a BIG-IP® system that supports SSL forward proxy, you can create an explicit or transparent forward proxy configuration that supports bypassing SSL forward proxy traffic. The key points of the configuration are that, on the virtual server that processes SSL traffic, the server and client SSL profiles must enable SSL forward proxy and SSL forward proxy bypass; the client SSL profile must set the default bypass action to Intercept.
An Access Policy Manager® (APM®) per-request policy can be configured to determine whether to intercept or bypass the SSL traffic.
Task summary
Before you start, you must have configured an explicit or transparent forward proxy configuration that supports bypassing SSL forward proxy traffic.
Task list
Example policy: SSL forward proxy bypass
SSL bypass decision based on group membership and URL category
Step | Description |
---|---|
1 | SSL traffic exits on the HTTPS branch of Protocol Lookup. |
2 | A lookup type item, such as LocalDB Group Lookup, identifies users in a group, Directors. |
3 | With SSL Bypass Set, any SSL request on the Directors branch is not intercepted or inspected. |
4 | Category Lookup processes HTTPS traffic when configured to use SNI or Subject.CN input. Note: Finance or Govt is a standard URL category that SWG maintains on a system with an SWG subscription. User-defined URL categories can provide an alternative on systems without an SWG subscription. |
5 | For users in a group other than Directors, bypass only requests that contain private information (determined through Category Lookup). |
6 | SSL traffic processing is complete. Now is the time to start processing HTTP data with actions that inspect the SSL payload. Using data provided by Category Lookup, the URL Filter Assign item determines whether to allow or block traffic. |
(For this example to be valid, both the server and client SSL profiles on the virtual server must enable SSL forward proxy and SSL forward proxy bypass; the client SSL profile must set the default bypass action to Intercept.)
Creating a per-request policy
Processing SSL traffic in a per-request policy
Adding a per-request policy to the virtual server
To add per-request processing to a configuration, associate the per-request policy with the virtual server.
Virtual server Access Policy settings for forward proxy
F5 recommends multiple virtual servers for configurations where Access Policy Manager® (APM®) acts as an explicit or transparent forward proxy. This table lists forward proxy configurations, the virtual servers recommended for each, and whether an access profile and per-request policy should be specified on the virtual server.
Forward proxy | Recommended virtual servers (by purpose) | Specify access profile? | Specify per-request policy? |
---|---|---|---|
Explicit | Process HTTP traffic | Yes | Yes |
Explicit | Process HTTPS traffic | Yes | Yes |
Explicit | Reject traffic other than HTTP and HTTPS | N/A | N/A |
Transparent Inline | Process HTTP traffic | Yes | Yes |
Transparent Inline | Process HTTPS traffic | Only when a captive portal is also included in the configuration | Only when a captive portal is also included in the configuration |
Transparent Inline | Forward traffic other than HTTP and HTTPS | N/A | N/A |
Transparent Inline | Captive portal | Yes | No |
Transparent | Process HTTP traffic | Yes | Yes |
Transparent | Process HTTPS traffic | Only when a captive portal is also included in the configuration | Only when a captive portal is also included in the configuration |
Transparent | Captive portal | Yes | No |
About the SSL Bypass Set and SSL Intercept Set process
For SSL bypass or SSL intercept actions, Access Policy Manager® (APM®) forwards the client hello directly to the server. The client and server then negotiate SSL parameters. This must occur before any per-request policy item inspects the SSL payload (HTTP data). Everything that the policy does before an SSL Bypass Set or SSL Intercept Set policy item must operate either on SSL data (certificate or client hello) or on session data (which is not part of SSL payload).
About SSL Bypass Set and SSL Intercept Set and the order of policy items
To ensure that SSL Bypass Set and SSL Intercept Set work correctly, do not place them in a per-request policy after any of these items:
- Application Lookup
- Application Filter Assign
- Category Lookup, if configured to use HTTP URI for input
- HTTP Headers
- Proxy Select
- Select SSO Configuration
- URL Filter Assign
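As an added example (not F5's code or configuration), the following Python models the example policy above together with this ordering rule: it lints one branch of a per-request policy for an SSL Bypass Set or SSL Intercept Set placed after a payload-inspecting item, and reproduces the bypass decision for constructed requests. The item names are the page's; the `(item, input)` and request dict shapes, and the sample groups and categories, are assumptions.

```python
# Added example (not F5's code): a small model of the per-request policy on
# this page. It checks the ordering rule for SSL Bypass Set / SSL Intercept
# Set and reproduces the example bypass decision for constructed requests.
# Item names are the page's; the (item, input) and request shapes are assumed.

# Items that need the decrypted HTTP payload; an SSL decision item must not
# follow any of them. Category Lookup counts only with HTTP URI input.
PAYLOAD_ITEMS = {"Application Lookup", "Application Filter Assign",
                 "HTTP Headers", "Proxy Select", "Select SSO Configuration",
                 "URL Filter Assign"}
SSL_DECISION_ITEMS = {"SSL Bypass Set", "SSL Intercept Set"}


def ordering_violations(branch):
    """One linear branch as (item, input) pairs -> list of
    (payload_item, ssl_item) pairs where the SSL item is placed too late."""
    seen_payload, violations = [], []
    for name, inp in branch:
        if name in SSL_DECISION_ITEMS:
            violations.extend((p, name) for p in seen_payload)
        elif name in PAYLOAD_ITEMS or (name, inp) == ("Category Lookup", "HTTP URI"):
            seen_payload.append(name)
    return violations


def decide(request, private_categories=("Finance", "Govt")):
    """Bypass/intercept outcome of the example policy for one request dict:
    protocol (Protocol Lookup), groups (group lookup), category (SNI/CN)."""
    if request["protocol"] != "HTTPS":
        return "not-ssl"        # HTTP branch: nothing to bypass
    if "Directors" in request["groups"]:
        return "bypass"         # step 3: Directors are never inspected
    if request["category"] in private_categories:
        return "bypass"         # step 5: private categories only
    return "intercept"          # decrypted, then URL Filter Assign runs


# Constructed branches: the example's non-Directors path, and a wrong one
# where URL Filter Assign runs before the SSL decision.
EXAMPLE_BRANCH = [("Protocol Lookup", None), ("LocalDB Group Lookup", None),
                  ("Category Lookup", "SNI"), ("SSL Intercept Set", None),
                  ("URL Filter Assign", None)]
BAD_BRANCH = [("Protocol Lookup", None), ("URL Filter Assign", None),
              ("SSL Bypass Set", None)]

if __name__ == "__main__":
    print("example:", ordering_violations(EXAMPLE_BRANCH))   # []
    print("bad:", ordering_violations(BAD_BRANCH))           # [('URL Filter Assign', 'SSL Bypass Set')]
    staff = {"protocol": "HTTPS", "groups": ["Staff"], "category": "Finance"}
    print("staff/Finance ->", decide(staff))                 # bypass
```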