Applies To: BIG-IP APM 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
BIG-IP system forward proxy chaining and APM benefits
The BIG-IP® system supports forward proxy chaining which enables connection to a next hop proxy server. Access Policy Manager® (APM®) brings these abilities to forward proxy chaining:
- Offload authentication from and support authentication to the next hop on the client's behalf.
- Support single sign-on to the next hop and to resources at the next hop.
- Select different proxy servers for different requests.
- Select different SSO configurations for different requests.
Interoperability characteristics for forward proxy chaining
In a forward proxy chain, Access Policy Manager® (APM®) selects the next hop proxy server, and interacts with it and resource servers behind it.
Forward proxy chaining: server types
For the BIG-IP® system, proxy server, and resource servers behind the proxy server, let's focus on these configuration characteristics.
- Forward proxy mode
- APM can be configured to act as an explicit or as a transparent forward proxy. The proxy server can be configured to act as explicit or transparent forward proxy. APM supports any combination of forward proxy modes.
- SSL bypass mode
- APM can be configured for SSL bypass or SSL intercept. The proxy server can be configured for SSL bypass or SSL intercept. APM supports all combinations of SSL bypass mode.
- Authentication
- Authentication might be configured on one or more servers:
- On APM, you can configure no authentication or any type of authentication that APM supports for an SWG-Explicit or SWG-Transparent access profile.
- On a proxy server, if you have HTTP Basic, NTLM, or Kerberos authentication configured, APM should authenticate to the proxy server. You can also have no authentication configured on the proxy server.
- On a resource server, if you have HTTP Basic, NTLM, or Kerberos authentication configured, APM should authenticate to the resource server. You can also have no authentication configured on the resource server.
- Single sign-on
- APM supports these types of SSO configuration to the proxy server or to a resource server: HTTP Basic, NTLMv1, NTLMv2, or Kerberos.
To a large extent, APM supports combinations of these configuration characteristics. However, given the number of possible configuration combinations and the varying capabilities of proxy servers, some configuration constraints can exist. Refer to BIG-IP® Access Policy Manager®: Secure Web Gateway and to Release Note: BIG-IP APM (for the product version you are using) on the AskF5™ web site located at support.f5.com.
Configuration essentials for forward proxy chaining
When configured to act as an explicit or transparent forward proxy, Access Policy Manager® (APM®) supports forward proxy chaining, with or without an SWG subscription. These configuration elements are key to forward proxy chaining:
- One or more pools of proxy servers. All servers in a pool must support the same forward proxy mode: explicit or transparent.
- A per-request policy that includes a Proxy Select agent, which specifies a pool of proxy servers. Note: Only the Proxy Select agent signals that a connection must be made to a next hop. A Pool Assign agent does not.
- An HTTP Proxy Connect profile configured with its state disabled.
- The virtual server that processes HTTPS traffic for the forward proxy configuration with the disabled HTTP Proxy Connect profile specified.
Overview: Offloading authentication from the next hop
In this example, Access Policy Manager® (APM®) performs authentication on behalf of the proxy server and the resource servers.
Expected initial configuration
Task summary
You need an access policy configured with any type of authentication that APM supports for an SWG-Explicit or SWG-Transparent access profile type, and a per-request policy that selects the next hop.
Task list
Configuring an access policy for authentication
Configuring a per-request policy to select the next hop
Overview: Using NTLM pass-through to the next hop
NTLM pass-through describes a configuration where authentication is not specified on Access Policy Manager® (APM®), but where NTLM authentication is configured at the next hop or at a resource server behind the next hop.
Expected initial configuration
To support this configuration, you need an access policy, but no specific configuration is required in it. You also need a per-request policy configured to select the next hop.
Configuring a per-request policy to select the next hop
Overview: Inserting HTTP headers for authentication to the next hop
Access Policy Manager® (APM®) supports inserting the X-Authenticated-User HTTP header and, optionally, the X-Forwarded-For HTTP header to authenticate on the user's behalf to a next hop proxy server or to a resource server behind the proxy. In this example, you can configure either HTTP Basic or NTLM authentication on the proxy server or on the resource server.
Expected initial configuration
Task summary
You need an access policy configured with any type of authentication that APM supports for an SWG-Explicit or SWG-Transparent access profile type and a per-request policy that inserts the header and selects the next hop.
Task list
Configuring an access policy for authentication
Inserting the HTTP header and selecting the next hop
Configuration constraints for X-Authenticated-User header
Before configuring Access Policy Manager® (APM®) to forward X-Authenticated-User and X-Forwarded-For headers to a third-party proxy server, consider the capabilities of the specific proxy server. How a proxy server responds to X-Authenticated-User and X-Forwarded-For headers is completely dependent on the proxy server capabilities, and on the settings that a proxy server might provide for resource protection. Not all proxy servers can process the headers. Others might process and trust the headers but, based on configuration settings, require authentication regardless.
Overview: Authenticating with HTTP Basic to the next hop
With no authentication configured on Access Policy Manager® (APM®), you can still use HTTP Basic to authenticate to a next hop proxy server.
You don't need any particular configuration in the access policy. You do need to select the next hop proxy, and specify static credentials in the Proxy Select agent in the per-request policy.
Configuring a policy for HTTP Basic at the next hop
Troubleshooting Basic authentication at the next hop proxy server
The table lists some activities that you might observe with forward proxy chaining between Access Policy Manager® (APM®) and a third-party proxy server that uses Basic authentication. The table provides additional explanation.
Activity | Description |
---|---|
A client achieves single sign-on to a next hop proxy server that uses Basic authentication, although the Access Policy Manager® (APM®) configuration does not include SSO. | The initial client request includes one of these HTTP headers: Proxy-Authorization or Authorization. This can happen when, for example, the user logged on as a domain user. Some third-party proxy servers accept these credentials in the initial request. |
Packet captures show that a next hop proxy server rejected an initial client request that carried one of these HTTP headers: Proxy-Authorization or Authorization. | Some third-party proxy servers deny such an initial request because the header is not expected. The proxy server then sends HTTP status code 407 (Proxy Authentication Required) or 401 (Authentication Required). APM responds to the HTTP status code. If Basic SSO is configured, APM invokes it. |
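The exchange the table describes, as an added illustration that is not part of the original F5 documentation: a next hop answers the initial request with 407 or 401, and a Basic SSO retry has to pick the matching header (Proxy-Authorization versus Authorization) and only when the challenge actually offers Basic. The sample responses, user name and password are constructed for the example.

```python
import base64

# Constructed sample captures (hypothetical, not taken from the page).
SAMPLE_407_BASIC = (
    "HTTP/1.1 407 Proxy Authentication Required\r\n"
    'Proxy-Authenticate: Basic realm="upstream-proxy"\r\n'
    "Content-Length: 0\r\n\r\n"
)
SAMPLE_401_NTLM = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "WWW-Authenticate: NTLM\r\n"
    "Content-Length: 0\r\n\r\n"
)

def parse_response_head(raw):
    """Split a raw HTTP response head into (status_code, {header: [values]})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers

def basic_retry_header(raw, username, password):
    """Return the (header name, value) a Basic SSO retry would add for this
    challenge, or None when the next hop did not challenge or did not offer
    Basic (e.g. NTLM only), in which case Basic credentials cannot help."""
    status, headers = parse_response_head(raw)
    if status == 407:           # challenge came from the proxy itself
        challenge, reply = "proxy-authenticate", "Proxy-Authorization"
    elif status == 401:         # challenge came from the resource server behind it
        challenge, reply = "www-authenticate", "Authorization"
    else:
        return None
    schemes = [c.split()[0].lower() for c in headers.get(challenge, []) if c]
    if "basic" not in schemes:
        return None
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return reply, f"Basic {token}"
```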
Overview: Configuring Basic or NTLM SSO to the next hop
Access Policy Manager® (APM®) supports the HTTP Basic, Kerberos, NTLMv1, and NTLMv2 types of SSO configuration to and behind a next hop proxy server. This example specifies the configuration for a Basic or NTLM type SSO. Authentication can be configured on the proxy server or on a resource server behind it.
Expected initial configuration
Task summary
You need an access policy to gather and cache user credentials. You need a per-request policy to specify an SSO configuration and select the next hop proxy.
Task list
Configuring an access policy for SSO to the next hop
Configuring Basic or NTLM SSO to the next hop
- An HTTP Basic, NTLMv1, or NTLMv2 SSO configuration. Note: SSO configurations are configured in the area of the product.
- A pool of proxy servers, each of which is configured for the same forward proxy mode: explicit or transparent. Note: Pools are configured in the area of the product.
Example per-request policy with SSO Configuration Select and Proxy Select
Configuration constraints for SSO to a resource server
Access Policy Manager® (APM®) does not support SSO to a resource server for SSL bypass traffic when the resource server performs authentication.
Overview: Configuring Kerberos SSO to the next hop
Expected initial configuration
Task summary
For Kerberos SSO, you need a delegation account in Active Directory for the next hop proxy server and a Kerberos SSO configuration in APM that references the delegation account.
For forward proxy chaining, you need an access policy to authenticate the user and cache credentials. You need a per-request policy to specify an SSO configuration and select the next hop proxy.
Task list
Configuring a delegation account for the next hop proxy server
Configuring APM Kerberos SSO for the next hop proxy server
Configuring an access policy for Kerberos SSO
Configuring a per-request policy for Kerberos SSO
Per-request policy that selects SSO before selecting a next hop proxy server
Overview: Configuring Kerberos SSO to a resource server
Expected initial configuration
Task summary
For Kerberos SSO, you need a delegation account in Active Directory for the next hop proxy server and a Kerberos SSO configuration in APM that references the delegation account and specifies On 401 Status Code as the value for the Send Authentication setting.
For forward proxy chaining, you need an access policy to authenticate the user and cache credentials. You need a per-request policy to specify an SSO configuration and select the next hop proxy.
Task list
Setting up a delegation account to support Kerberos SSO
Configuring APM Kerberos SSO for a resource server
Configuring an access policy for Kerberos SSO
Configuring a per-request policy for Kerberos SSO
Per-request policy that selects SSO before selecting a next hop proxy server
Configuration constraints for Kerberos SSO to a resource server
Access Policy Manager® (APM®) does not support Kerberos SSO to a resource server for SSL traffic when the resource server performs Kerberos authentication and the next hop proxy server simply passes the Kerberos credential through to the resource server without performing Kerberos authentication itself.
Overview: Updating virtual servers for forward proxy chaining with APM
For forward proxy chaining, Access Policy Manager® (APM®) requires an HTTP proxy connect profile configured with its state disabled. The HTTP proxy connect profile must be specified in the virtual server that processes the HTTPS traffic for the explicit or transparent forward proxy configuration.
Task summary
Disabling HTTP proxy connect for forward proxy chaining
- On the Main tab, select .
- Click Create.
- Type a name for the profile and, for the Parent Profile setting, retain http-proxy-connect.
- In the Settings area, for Default State, clear the Enabled check box.
- Click Finished.
Updating a virtual server for forward proxy chaining with APM
Virtual server Access Policy settings for forward proxy
F5 recommends multiple virtual servers for configurations where Access Policy Manager® (APM®) acts as an explicit or transparent forward proxy. This table lists forward proxy configurations, the virtual servers recommended for each, and whether an access profile and per-request policy should be specified on the virtual server.
Forward proxy | Recommended virtual servers (by purpose) | Specify access profile? | Specify per-request policy? |
---|---|---|---|
Explicit | Process HTTP traffic | Yes | Yes |
Explicit | Process HTTPS traffic | Yes | Yes |
Explicit | Reject traffic other than HTTP and HTTPS | N/A | N/A |
Transparent Inline | Process HTTP traffic | Yes | Yes |
Transparent Inline | Process HTTPS traffic | Only when a captive portal is also included in the configuration | Only when a captive portal is also included in the configuration |
Transparent Inline | Forward traffic other than HTTP and HTTPS | N/A | N/A |
Transparent Inline | Captive portal | Yes | No |
Transparent | Process HTTP traffic | Yes | Yes |
Transparent | Process HTTPS traffic | Only when a captive portal is also included in the configuration | Only when a captive portal is also included in the configuration |
Transparent | Captive portal | Yes | No |