Manual Chapter : SSL Forward Proxy Bypass

Applies To:

BIG-IP APM

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

Overview: Configuring exceptions to SSL forward proxy

With the BIG-IP® Access Policy Manager® Secure Web Gateway (SWG), you can create a configuration that enforces your organization's rightful use and compliance policy for Internet access. Users who access the Internet from the enterprise go through the SWG forward proxy, which allows or blocks access to URLs by category. When necessary, for example when a URL is not yet categorized, SWG analyzes the content of the request or the response to determine whether it represents a threat, and blocks access if needed.

To address privacy concerns, you might need to enable SSL forward proxy bypass for URLs that expose personal user information, such as those for banking, financial, or government sites.

SSL forward proxy bypass

You enable SSL forward proxy bypass in the client SSL profile. When enabled, SSL forward proxy bypass includes a default action (intercept or bypass) and any of these optional lists:
  • Destination IP Intercept
  • Destination IP Bypass
  • Source IP Intercept
  • Source IP Bypass
  • Hostname Intercept
  • Hostname Bypass
SSL forward proxy bypass takes the first match found and intercepts a URL if it is found on an intercept list or bypasses a URL if it is found on a bypass list. If no match exists, SSL forward proxy bypass applies the default action to the URL.

The order in which SSL forward proxy bypass searches lists for a matching IP address or hostname depends on whether the default action is intercept or bypass:

  Default action: Intercept        Default action: Bypass
  1. Destination IP Intercept      1. Destination IP Bypass
  2. Destination IP Bypass         2. Destination IP Intercept
  3. Source IP Intercept           3. Source IP Bypass
  4. Source IP Bypass              4. Source IP Intercept
  5. Hostname Intercept            5. Hostname Bypass
  6. Hostname Bypass               6. Hostname Intercept

Note: When searching for a match in a hostname list, SSL forward proxy bypass first tries to match the Subject Alternative Name (SAN), then the Common Name (CN), and lastly, the Server Name Indication (SNI).

Task summary

Before you start these tasks, you should have created an SWG explicit or transparent forward proxy configuration that you want to enhance with the addition of SSL forward proxy bypass. To configure SSL forward proxy bypass, first you should determine your strategy, and then configure any lists that you need to implement it.

Task list

Creating a list of IP addresses

You create an address data group to specify the destination IP addresses or source IP addresses of SSL traffic that you want SSL forward proxy bypass to intercept or to bypass.
  1. On the Main tab, click Local Traffic > iRules > Data Group List. The Data Group List screen opens, displaying a list of data groups on the system.
  2. Click Create. The New Data Group screen opens.
  3. In the Name field, type a unique name for the data group.
  4. From the Type list, select Address. A Records area displays.
  5. In the Records area, add each IP address that you want to include in the data group:
    1. For the Type setting, select Host or Network. To enter a subnet IP address, select Network.
    2. In the Address field, type an IP address for the host or the subnet.
    3. If the address type is Network, type a network mask in the Mask field.
    4. Click Add.
    5. Repeat these steps for each IP address you want to include in the data group.
  6. Click Finished. The new data group appears in the list of data groups.

Creating a list of hostnames

You create a string data group to specify the hostnames of SSL traffic that you want SSL forward proxy bypass to intercept or to bypass.
  1. On the Main tab, click Local Traffic > iRules > Data Group List. The Data Group List screen opens, displaying a list of data groups on the system.
  2. Click Create. The New Data Group screen opens.
  3. In the Name field, type a unique name for the data group.
  4. From the Type list, select String.
  5. In the Records area, create entries that each consist of one hostname:
    1. In the String field, type a hostname. You can type any of these names for the host: the Common Name (CN), the Subject Alternative Name (SAN), or the Server Name Indication (SNI). Both FQDNs and wildcard matching are supported. The wildcard-matching algorithm matches a single wildcard, and only when it is the first character in the name; the wildcard covers exactly one label. If you type the string *.example.com, the name store.example.com matches the string, but skis.store.example.com does not match.
    2. Click Add.
    3. Repeat these steps for each host that you want to include in this data group.
  6. Click Finished. The new data group appears in the list of data groups.
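The following Python script is an added illustration, not BIG-IP code, that models the decision order described in the SSL forward proxy bypass overview (destination IP lists, then source IP lists, then hostname lists; within each pair the list that matches the default action is searched first; first match wins; SAN, then CN, then SNI when searching a hostname list) together with the single-label wildcard rule for string data groups described in the step above. The function names, data structures and sample data groups are assumptions made for this example; the sample entries are constructed and do not come from any real deployment.

```python
"""Model of the SSL forward proxy bypass decision order described above.

Added illustration, not BIG-IP code: the six list names, the first-match
rule, the default-action-dependent search order and the SAN -> CN -> SNI
hostname order come from the chapter; the function names, data structures
and sample data groups are assumptions made for this example.
"""
import ipaddress
from dataclasses import dataclass, field

INTERCEPT = "intercept"
BYPASS = "bypass"


def hostname_matches(pattern: str, name: str) -> bool:
    """String data group entry match: an exact FQDN, or a single leading '*'
    that stands for exactly one label, so *.example.com matches
    store.example.com but not skis.store.example.com."""
    pattern, name = pattern.lower(), name.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]                     # ".example.com"
        if not name.endswith(suffix):
            return False
        label = name[: -len(suffix)]
        return bool(label) and "." not in label  # exactly one label
    return pattern == name


def host_in_group(group, san_names, cn, sni) -> bool:
    """Search one hostname list, trying SAN entries first, then CN, then SNI."""
    for name in list(san_names or []) + [cn, sni]:
        if name and any(hostname_matches(entry, name) for entry in group):
            return True
    return False


def ip_in_group(group, ip: str) -> bool:
    """Address data group: Host entries are plain IPs, Network entries CIDR."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(entry, strict=False) for entry in group)


@dataclass
class BypassConfig:
    default_action: str = INTERCEPT
    dst_ip_intercept: list = field(default_factory=list)
    dst_ip_bypass: list = field(default_factory=list)
    src_ip_intercept: list = field(default_factory=list)
    src_ip_bypass: list = field(default_factory=list)
    hostname_intercept: list = field(default_factory=list)
    hostname_bypass: list = field(default_factory=list)


def decide(cfg: BypassConfig, dst_ip, src_ip, san=None, cn=None, sni=None):
    """Return (action, reason). Destination IP lists are searched first, then
    source IP, then hostname; within each pair the list that matches the
    default action is searched first, and the first hit wins."""
    pairs = [
        ("Destination IP",
         lambda: ip_in_group(cfg.dst_ip_intercept, dst_ip),
         lambda: ip_in_group(cfg.dst_ip_bypass, dst_ip)),
        ("Source IP",
         lambda: ip_in_group(cfg.src_ip_intercept, src_ip),
         lambda: ip_in_group(cfg.src_ip_bypass, src_ip)),
        ("Hostname",
         lambda: host_in_group(cfg.hostname_intercept, san, cn, sni),
         lambda: host_in_group(cfg.hostname_bypass, san, cn, sni)),
    ]
    for category, intercept_hit, bypass_hit in pairs:
        order = [(INTERCEPT, intercept_hit), (BYPASS, bypass_hit)]
        if cfg.default_action == BYPASS:
            order.reverse()              # bypass list searched first
        for action, hit in order:
            if hit():
                return action, f"{category} {action.title()} list"
    return cfg.default_action, "default action"


def example_config(default_action=INTERCEPT) -> BypassConfig:
    """Constructed sample data groups (assumption, not a real deployment)."""
    return BypassConfig(
        default_action=default_action,
        dst_ip_intercept=["10.1.0.0/16"],            # Network entry
        src_ip_bypass=["192.0.2.50"],                # Host entry
        hostname_intercept=["dual.example"],
        hostname_bypass=["*.bank.example", "dual.example"],
    )


if __name__ == "__main__":
    cfg = example_config()
    for dst, src, sni in [("10.1.2.3", "192.0.2.10", "online.bank.example"),
                          ("203.0.113.5", "192.0.2.10", "online.bank.example"),
                          ("203.0.113.5", "192.0.2.10", "a.online.bank.example"),
                          ("203.0.113.5", "192.0.2.50", None)]:
        print(dst, src, sni, "->", decide(cfg, dst, src, sni=sni))
```

The sample run shows the consequences of the ordering: a banking hostname on the Hostname Bypass list is still intercepted when its destination address sits in a Destination IP Intercept network, because IP lists are searched before hostname lists, and a host that appears on both hostname lists is intercepted when the default action is Intercept but bypassed when the default action is Bypass.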

Configuring a client SSL profile for forward proxy bypass

You perform this task to update a client SSL profile that is already configured for SSL forward proxy. You enable SSL forward proxy bypass in cases where you need to make exceptions, such as to mitigate privacy concerns.

  1. On the Main tab, click Local Traffic > Profiles > SSL > Client. The Client profile list screen opens.
  2. Click the name of a profile.
  3. In the SSL Forward Proxy area, select the Custom check box.
  4. From the SSL Forward Proxy Bypass list, select Enabled. Additional settings display. When assigned to a virtual server, a client SSL profile and a server SSL profile must both specify the same value for this setting, and you cannot change the setting in either profile while it is assigned to a virtual server. To change the SSL Forward Proxy Bypass setting, either create new profiles and add them to the virtual server, or detach the profiles from the virtual server, update them, and assign them to the virtual server again.
  5. From the Bypass Default Action list, select Intercept or Bypass. The default action applies to addresses and hostnames that do not match any entry in the lists that you specify. The system matches traffic first against destination IP address lists, then source IP address lists, and lastly hostname lists. Within each of these, the default action also determines whether the intercept list or the bypass list is searched first.
    Note: If you select Bypass and do not specify any additional settings, you introduce a security risk to your system, because all SSL traffic then passes through without being intercepted.
  6. Select a data group for any of these settings that you want to apply:
    1. From the Destination IP Intercept list, select a data group that specifies destination IP addresses to intercept.
    2. From the Destination IP Bypass list, select a data group that specifies destination IP addresses to bypass.
    3. From the Source IP Intercept list, select a data group that specifies source IP addresses to intercept.
    4. From the Source IP Bypass list, select a data group that specifies source IP addresses to bypass.
    5. From the Hostname Intercept list, select a data group that specifies hostnames to intercept.
    6. From the Hostname Bypass list, select a data group that specifies hostnames to bypass.
  7. Click Finished.
The custom Client SSL forward proxy profile now supports forward proxy bypass.
You must also enable SSL forward proxy bypass on the server SSL profile.

Enabling SSL forward proxy bypass in a server SSL profile

You perform this task to update a server SSL profile that is already configured for SSL forward proxy. You must enable SSL forward proxy bypass in a server SSL profile when SSL forward proxy bypass is enabled in the corresponding client SSL profile in your configuration.

  1. On the Main tab, click Local Traffic > Profiles > SSL > Server. The SSL Server profile list screen opens.
  2. Click the name of a profile.
  3. In the SSL Forward Proxy area, select the Custom check box.
  4. From the SSL Forward Proxy Bypass list, select Enabled. Additional settings display. When assigned to a virtual server, a client SSL profile and a server SSL profile must both specify the same value for this setting, and you cannot change the setting in either profile while it is assigned to a virtual server. To change the SSL Forward Proxy Bypass setting, either create new profiles and add them to the virtual server, or detach the profiles from the virtual server, update them, and assign them to the virtual server again.
  5. Click Finished.
The custom server SSL forward proxy profile now supports SSL forward proxy bypass.