Manual Chapter : SSL Bypass and Intercept with APM

Applies To:


BIG-IP APM

  • 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0

Overview: Bypassing SSL forward proxy traffic with APM

On a BIG-IP® system that supports SSL forward proxy, you can create an explicit or transparent forward proxy configuration that supports bypassing SSL forward proxy traffic. The key points of the configuration are that, on the virtual server that processes SSL traffic, both the server and the client SSL profiles must enable SSL forward proxy and SSL forward proxy bypass, and the client SSL profile must set the default bypass action to Intercept. With Intercept as the default, every SSL connection is decrypted and inspected unless the per-request policy explicitly selects bypass for it.

An Access Policy Manager® (APM®) per-request policy can be configured to determine whether to intercept or bypass the SSL traffic.

Task summary

Before you start, you must have configured an explicit or transparent forward proxy configuration that supports bypassing SSL forward proxy traffic.


Example policy: SSL forward proxy bypass

Figure: per-request policy with Protocol Lookup, group lookup, Category Lookup, and SSL Bypass Set items

SSL bypass decision based on group membership and URL category

1 SSL traffic exits on the HTTPS branch of Protocol Lookup.
2 A lookup type item, such as LocalDB Group Lookup, identifies users in a group, Directors.
3 With SSL Bypass Set, any SSL request on the Directors branch is not intercepted or inspected.
4 Category Lookup processes HTTPS traffic when configured to use SNI or Subject.CN input.
Note: Finance or Govt is a standard URL category that SWG maintains on a system with an SWG subscription. User-defined URL categories can provide an alternative on systems without an SWG subscription.
5 For users in a group other than Directors, bypass only requests that contain private information (determined through Category Lookup).
6 SSL traffic processing is complete. Only now should the policy start processing HTTP data with actions that inspect the SSL payload. Using the data provided by Category Lookup, the URL Filter Assign item determines whether to allow or block the traffic.

(For this example to be valid, both the server and client SSL profiles on the virtual server must enable SSL forward proxy and SSL forward proxy bypass; the client SSL profile must set the default bypass action to Intercept.)

Creating a per-request policy

You must create a per-request policy before you can configure it in the visual policy editor.
  1. On the Main tab, click Access > Profiles / Policies > Per-Request Policies .
    The Per-Request Policies screen opens.
  2. Click Create.
    The General Properties screen opens.
  3. In the Name field, type a name for the policy and click Finished.
    A per-request policy name must be unique among all per-request policy and access profile names.
    The policy name appears on the Per-Request Policies screen.

Processing SSL traffic in a per-request policy

To use SSL forward proxy bypass in a per-request policy, both the server and client SSL profile must enable SSL forward proxy and SSL forward proxy bypass; and, in the client SSL profile, the default bypass action must be set to Intercept.
Important: Configure a per-request policy so that it completes processing of HTTPS requests before it starts the processing of HTTP requests.
Note: These steps describe how to add items for controlling SSL web traffic to a per-request policy; the steps do not specify a complete per-request policy.
  1. On the Main tab, click Access > Profiles / Policies > Per-Request Policies .
    The Per-Request Policies screen opens.
  2. In the Name field, locate the policy that you want to update, then in the Per-Request Policy field, click the Edit link.
    The visual policy editor opens in another tab.
  3. To process the HTTPS traffic first, configure a branch for it by adding a Protocol Lookup item at the start of the per-request policy.
    1. Click the (+) icon anywhere in the per-request policy to add a new item.
      A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
    2. In the Search field, type prot, select Protocol Lookup, and click Add Item.
      A properties popup screen opens.
    3. Click Save.
      The properties screen closes. The policy displays.
    The Protocol Lookup item provides two default branches: HTTPS for SSL traffic and fallback.
  4. Before you add an SSL Bypass Set, or an SSL Intercept Set, item to the per-request policy, you can insert any of the following policy items to do logging or to base how you process the SSL traffic on group membership, class attribute, day of the week, time of day, or URL category:
    • AD Group Lookup
    • LDAP Group Lookup
    • LocalDB Group Lookup
    • RADIUS Class Lookup
    • Dynamic Date Time
    • Logging
    • Category Lookup
      Important: Category Lookup is valid for processing SSL traffic only when configured for SNI or Subject.CN categorization input and only before any HTTP traffic is processed.
    If you insert other policy items that inspect the SSL payload (HTTP data) before an SSL Bypass Set item, the SSL bypass cannot work as expected.
  5. At any point on the HTTPS branch where you decide to bypass SSL traffic, add an SSL Bypass Set item.
The per-request policy includes items that you can use to complete the processing of SSL traffic. Add other items to the policy to control access according to your requirements.
A per-request policy goes into effect when you add it to a virtual server. Depending on the forward proxy configuration, you might need to add the per-request policy to more than one virtual server.

Adding a per-request policy to the virtual server

To add per-request processing to a configuration, associate the per-request policy with the virtual server.

  1. On the Main tab, click Local Traffic > Virtual Servers .
    The Virtual Server List screen opens.
  2. Click the name of the virtual server.
  3. In the Access Policy area, from the Per-Request Policy list, select the policy that you configured earlier.
  4. Click Update.
The per-request policy is now associated with the virtual server.

Virtual server Access Policy settings for forward proxy

F5 recommends multiple virtual servers for configurations where Access Policy Manager® (APM®) acts as an explicit or transparent forward proxy. This table lists forward proxy configurations, the virtual servers recommended for each, and whether an access profile and per-request policy should be specified on the virtual server.

| Forward proxy      | Recommended virtual server (by purpose)    | Specify access profile?                                  | Specify per-request policy?                              |
|--------------------|--------------------------------------------|----------------------------------------------------------|----------------------------------------------------------|
| Explicit           | Process HTTP traffic                       | Yes                                                      | Yes                                                      |
| Explicit           | Process HTTPS traffic                      | Yes                                                      | Yes                                                      |
| Explicit           | Reject traffic other than HTTP and HTTPS   | N/A                                                      | N/A                                                      |
| Transparent inline | Process HTTP traffic                       | Yes                                                      | Yes                                                      |
| Transparent inline | Process HTTPS traffic                      | Only when a captive portal is also in the configuration  | Only when a captive portal is also in the configuration  |
| Transparent inline | Forward traffic other than HTTP and HTTPS  | N/A                                                      | N/A                                                      |
| Transparent inline | Captive portal                             | Yes                                                      | No                                                       |
| Transparent        | Process HTTP traffic                       | Yes                                                      | Yes                                                      |
| Transparent        | Process HTTPS traffic                      | Only when a captive portal is also in the configuration  | Only when a captive portal is also in the configuration  |
| Transparent        | Captive portal                             | Yes                                                      | No                                                       |

About the SSL Bypass Set and SSL Intercept Set process

For SSL bypass or SSL intercept actions, Access Policy Manager® (APM®) forwards the client hello directly to the server. The client and server then negotiate SSL parameters. This must occur before any per-request policy item inspects the SSL payload (HTTP data). Everything that the policy does before an SSL Bypass Set or SSL Intercept Set policy item must operate either on SSL data (certificate or client hello) or on session data (which is not part of SSL payload).

About SSL Bypass Set and SSL Intercept Set and the order of policy items

To ensure that SSL Bypass Set and SSL Intercept Set work correctly, do not place them in a per-request policy after any of these items:

  • Application Lookup
  • Application Filter Assign
  • Category Lookup, if configured to use HTTP URI for input
  • HTTP Headers
  • Proxy Select
  • Select SSO Configuration
  • URL Filter Assign
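The ordering rule above, together with the earlier caveat that Category Lookup may precede the bypass decision only with SNI or Subject.CN input and the SSL profile preconditions stated for the example policy, can be turned into a check that a policy author runs before building the branch in the visual policy editor. The following Python is an added example, not F5 code: it models one path through the HTTPS branch as an ordered list of VPE item names taken from this chapter and reports any item that would defeat SSL Bypass Set or SSL Intercept Set. The Item class, the dictionary keys in check_ssl_profiles, and the three sample paths are this example's own constructions, not F5 APIs or tmsh attribute names.

```python
"""Added example (not F5 code): lint the HTTPS branch of a BIG-IP APM
per-request policy against the SSL Bypass Set / SSL Intercept Set ordering
rules in this chapter. Item names are the VPE names the chapter lists; the
data model (Item, the setting keys below) is this example's own.
"""
from dataclasses import dataclass
from typing import Optional

# Items the chapter says must NOT precede SSL Bypass Set / SSL Intercept Set:
# they act on decrypted HTTP data (the SSL payload).
PAYLOAD_ITEMS = {
    "Application Lookup", "Application Filter Assign", "HTTP Headers",
    "Proxy Select", "Select SSO Configuration", "URL Filter Assign",
}
# Items the chapter lists as safe before the decision: they use SSL data
# (client hello, certificate) or session data, never the SSL payload.
SSL_SAFE_ITEMS = {
    "Protocol Lookup", "AD Group Lookup", "LDAP Group Lookup",
    "LocalDB Group Lookup", "RADIUS Class Lookup", "Dynamic Date Time", "Logging",
}
DECISION_ITEMS = {"SSL Bypass Set", "SSL Intercept Set"}
# Category Lookup inputs that exist before decryption (SNI in the client
# hello, Subject.CN in the server certificate). HTTP URI needs the payload.
PRE_DECRYPT_INPUTS = {"SNI", "Subject.CN"}


@dataclass(frozen=True)
class Item:
    name: str
    # Only meaningful for Category Lookup: "SNI", "Subject.CN" or "HTTP URI".
    category_input: Optional[str] = None


def lint_https_branch(items):
    """Return a list of problems for one path through the HTTPS branch.

    An empty list means the path satisfies the chapter's rules.
    """
    problems = []
    payload_seen = []  # payload-inspecting items encountered so far on this path
    if not items or items[0].name != "Protocol Lookup":
        problems.append("path must start with Protocol Lookup so HTTPS is handled first")
    for pos, item in enumerate(items):
        if item.name in DECISION_ITEMS:
            if payload_seen:
                problems.append(
                    f"{item.name} at position {pos} follows payload-inspecting "
                    f"item(s): {', '.join(payload_seen)}; bypass cannot work"
                )
        elif item.name == "Category Lookup":
            if item.category_input not in PRE_DECRYPT_INPUTS:
                payload_seen.append(
                    f"Category Lookup ({item.category_input or 'unset'} input)")
        elif item.name in PAYLOAD_ITEMS:
            payload_seen.append(item.name)
        elif item.name not in SSL_SAFE_ITEMS:
            # Unknown item: assume it reads HTTP data until verified.
            payload_seen.append(f"{item.name} (unverified)")
    return problems


def check_ssl_profiles(client_ssl, server_ssl):
    """Check the profile preconditions the chapter states for bypass to work.

    The dict keys are this example's own names for the GUI settings.
    """
    problems = []
    for side, prof in (("client", client_ssl), ("server", server_ssl)):
        if not prof.get("ssl_forward_proxy"):
            problems.append(f"{side} SSL profile: SSL forward proxy not enabled")
        if not prof.get("ssl_forward_proxy_bypass"):
            problems.append(f"{side} SSL profile: SSL forward proxy bypass not enabled")
    if client_ssl.get("default_bypass_action") != "Intercept":
        problems.append("client SSL profile: default bypass action must be Intercept "
                        "so that only the per-request policy selects bypass")
    return problems


# Constructed sample paths through the HTTPS branch.
GOOD_PATH = [  # the chapter's example: group lookup, SNI category lookup, bypass
    Item("Protocol Lookup"), Item("LocalDB Group Lookup"),
    Item("Category Lookup", "SNI"), Item("SSL Bypass Set"), Item("URL Filter Assign"),
]
BAD_URI_PATH = [  # Category Lookup on the URI needs decryption first
    Item("Protocol Lookup"), Item("Category Lookup", "HTTP URI"), Item("SSL Bypass Set"),
]
BAD_FILTER_PATH = [  # URL Filter Assign placed before the intercept decision
    Item("Protocol Lookup"), Item("URL Filter Assign"), Item("SSL Intercept Set"),
]

if __name__ == "__main__":
    for label, path in (("good", GOOD_PATH), ("bad-uri", BAD_URI_PATH),
                        ("bad-filter", BAD_FILTER_PATH)):
        print(label, lint_https_branch(path) or "OK")
```

The linter checks one path at a time; run it once per path from Protocol Lookup to each SSL Bypass Set or SSL Intercept Set in the branch. An unknown item name is deliberately treated as payload-inspecting, so a typo in a VPE item name shows up as a problem rather than silently passing.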