Applies To: BIG-IP APM 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1
Overview: Configuring SWG explicit forward proxy for network access
You can configure Secure Web Gateway (SWG) explicit forward proxy and network access configurations so that SWG processes the Internet traffic from a network access client in the same way that it processes such traffic from a client in the enterprise.
You should understand how these configuration objects fit into the overall configuration.
- Secure connectivity interface
- In a network access configuration, a connectivity profile on the virtual server specifies a secure connectivity interface for traffic from the client. In the SWG configuration, an SWG explicit forward proxy server must listen on the secure connectivity interface for traffic from network access clients.
- Tunnel
- In the SWG configuration, an HTTP profile on the explicit forward proxy server specifies the name of a tunnel of tcp-forward encapsulation type. You can use the default tunnel, http-tunnel, or create another tunnel and use it.
- Per-request policy
- In any SWG configuration, the determination of whether a user can access a URL must be made in a per-request policy. A per-request policy determines whether to block or allow access to a request based on time or date or group membership or other criteria that you configure.
- Access policies
- The access policy in the network access configuration continues to authenticate users, assign resources, and evaluate ACLs, if any. In addition, this access policy must assign an SWG scheme for the network access session and populate any session variables used in the per-request policy. An access profile of the SWG-Explicit type is required in the SWG configuration; however, it is not necessary to include any items in the access policy.
Task summary
Prerequisites for SWG explicit forward proxy for network access
Before you start to create a Secure Web Gateway (SWG) explicit forward proxy configuration to support network access clients, you must have completed these tasks.
- You need to have configured a working network access configuration.
- If you have not already done so, you must ensure that the URL database is downloaded.
- You need to have configured at least one SWG scheme and any URL filters that you want to use in addition to or instead of the default URL filters.
Configuration outline for explicit forward proxy for network access
Tasks for integrating an Access Policy Manager (APM) network access configuration with a Secure Web Gateway (SWG) explicit forward proxy configuration follow this order.
- First, if your network access configuration does not include a connectivity profile, create one and add it to the virtual server.
- Next, create an SWG explicit forward proxy configuration. This configuration includes the per-request policy.
- Finally, in the network access configuration, update the access policy (so that it assigns an SWG scheme and populates any session variables required for successful execution of the per-request policy) and update the network access resource for client proxy.
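The objects that this outline describes, written as tmsh commands. This is an added example, not configuration from the F5 guide; every object name, the nameserver address, the proxy port, and the connectivity profile name (assumed to be selectable as the VLAN na-connectivity on the virtual server) are assumptions, and the SWG-Explicit access profile (swg-explicit-access) and per-request policy (swg-per-request) are assumed to have been created first, as the tasks above describe.

```tmsh
# Added example (not from the F5 guide). All names, addresses and ports are assumptions.

# Tunnel of tcp-forward encapsulation type (you can reuse the default http-tunnel instead)
create net tunnels tunnel swg-tunnel profile tcp-forward

# DNS resolver with a forward zone; 192.0.2.53 is a constructed nameserver address
create net dns-resolver swg-resolver forward-zones add { . { nameservers add { 192.0.2.53:53 } } }

# Custom HTTP profile for explicit forward proxy, naming the tunnel and the resolver
create ltm profile http swg-http-explicit defaults-from http-explicit proxy-type explicit explicit-proxy { tunnel-name swg-tunnel dns-resolver swg-resolver }

# Explicit forward proxy virtual server. It listens only on the secure connectivity
# interface (assumed here to be the VLAN na-connectivity created by the connectivity
# profile), so only network access clients can reach the proxy. The per-request
# policy attribute name is an assumption; verify it on your version.
create ltm virtual swg-explicit-proxy destination 0.0.0.0:3128 ip-protocol tcp vlans-enabled vlans add { na-connectivity } profiles add { tcp swg-http-explicit swg-explicit-access } per-flow-request-access-policy swg-per-request

# Wildcard virtual server for HTTP traffic leaving the tunnel toward the Internet
create ltm virtual swg-tunnel-http destination 0.0.0.0:80 ip-protocol tcp vlans-enabled vlans add { swg-tunnel } profiles add { tcp http } source-address-translation { type automap }

# Check that the profile references the tunnel and resolver you expect
list ltm profile http swg-http-explicit
```

Clients in the network access configuration must then be pointed at the proxy address and port (the "Configuring a network access resource to forward traffic" task), or their traffic never reaches the explicit proxy virtual server.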
Creating a connectivity profile
Adding a connectivity profile to a virtual server
Update a virtual server that is part of an Access Policy Manager application access, network access, or portal access configuration to enable a secure connectivity interface for traffic from the client.
Creating a DNS resolver
Adding forward zones to a DNS resolver
Before you begin, gather the IP addresses of the nameservers that you want to associate with a forward zone.
Creating a custom HTTP profile for explicit forward proxy
Configuring a per-request policy for SWG
Creating an access profile for SWG explicit forward proxy
Creating a virtual server for network access client forward proxy server
Creating a wildcard virtual server for HTTP tunnel traffic
Creating a custom Client SSL forward proxy profile
Creating a Client SSL forward proxy profile makes client and server authentication possible while still allowing the BIG-IP system to perform data optimization, such as decryption and encryption. This profile applies to client-side SSL forward proxy traffic only.
Creating a custom Server SSL profile
Creating a wildcard virtual server for SSL traffic on the HTTP tunnel
Updating the access policy in the remote access configuration
Add an SWG Scheme Assign item to an access policy to assign a Secure Web Gateway (SWG) scheme to a client session. Add queries to populate any session variables that are required for successful execution of the per-request policy.
Configuring a network access resource to forward traffic
Implementation result
The Secure Web Gateway (SWG) explicit forward proxy configuration is ready to process web traffic from network access clients.
Session variables for use in a per-request policy
Per-request policy items that look up the group or class to which a user belongs rely on the access policy to populate these session variables.
Per-request policy item | Session variable | Access policy item |
---|---|---|
AD Group Lookup | session.ad.last.attr.primaryGroupID | AD Query |
LDAP Group Lookup | session.ldap.last.attr.memberOf | LDAP Query |
LocalDB Group Lookup | session.localdb.groups | Local Database |
RADIUS Class Lookup | session.radius.last.attr.class | RADIUS Auth |

Note: session.localdb.groups is the default session variable in the expression for LocalDB Group Lookup; any session variable in the expression must match the session variable used in the Local Database action in the access policy.
Overview: Configuring SWG transparent forward proxy for remote access
Secure Web Gateway (SWG) can be configured to support remote clients that connect using application access, network access, or portal access.
You should understand how these configuration objects fit into the overall configuration.
- Secure connectivity interface
- In a remote access configuration, a connectivity profile is required on the virtual server to specify a secure connectivity interface for traffic from the client. In the SWG configuration, SWG wildcard virtual servers must listen on the secure connectivity interface for traffic from remote access clients.
- Per-request policy
- In any SWG configuration, the determination of whether a user can access a URL must be made in a per-request access policy. A per-request access policy determines whether to block or allow access to a request based on time or date or group membership or other criteria that you configure.
- Access policies
- The access policy in the remote access configuration continues to authenticate users, assign resources, and evaluate ACLs, if any. In addition, this access policy must assign an SWG scheme for the network access session and populate any session variables used in the per-request policy. An access profile of the SWG-Transparent type is required in the SWG configuration; however, it is not necessary to include any items in the access policy.
Task summary
Prerequisites
Before you start to create a Secure Web Gateway (SWG) transparent forward proxy configuration to support remote access clients, you must have completed these tasks.
- You need to have configured a working application access, network access, or portal access configuration, depending on which type of remote client you want to support.
- If you have not already done so, you must ensure that the URL database is downloaded.
- You need to have configured at least one SWG scheme and any URL filters that you want to use in addition to or instead of the default URL filters.
Configuration outline
Tasks for integrating an Access Policy Manager (APM) remote access configuration with a Secure Web Gateway (SWG) transparent forward proxy configuration follow this order.
- First, update the existing application access, network access, or portal access configuration to add a secure connectivity profile to the virtual server if one is not already specified.
- Next, create an SWG transparent forward proxy configuration. The per-request policy is part of this configuration.
- Finally, update the access policy in the existing application access, network access, or portal access configuration. An SWG scheme assignment is required in this access policy. If the per-request policy uses group or class lookup items, add queries to populate the session variables on which the lookup items rely.
Creating a connectivity profile
Adding a connectivity profile to a virtual server
Update a virtual server that is part of an Access Policy Manager application access, network access, or portal access configuration to enable a secure connectivity interface for traffic from the client.
Configuring a per-request policy for SWG
Creating an access profile for SWG transparent forward proxy
Creating a wildcard virtual server for HTTP traffic on the connectivity interface
Creating a custom Client SSL forward proxy profile
Creating a Client SSL forward proxy profile makes client and server authentication possible while still allowing the BIG-IP system to perform data optimization, such as decryption and encryption. This profile applies to client-side SSL forward proxy traffic only.
Creating a custom Server SSL profile
Creating a wildcard virtual server for SSL traffic on the connectivity interface
Updating the access policy in the remote access configuration
Add an SWG Scheme Assign item to an access policy to assign a Secure Web Gateway (SWG) scheme to a client session. Add queries to populate any session variables that are required for successful execution of the per-request policy.
Implementation result
The Secure Web Gateway (SWG) transparent proxy configuration is ready to process web traffic from remote access clients.
Session variables for use in a per-request policy
Per-request policy items that look up the group or class to which a user belongs rely on the access policy to populate these session variables.
Per-request policy item | Session variable | Access policy item |
---|---|---|
AD Group Lookup | session.ad.last.attr.primaryGroupID | AD Query |
LDAP Group Lookup | session.ldap.last.attr.memberOf | LDAP Query |
LocalDB Group Lookup | session.localdb.groups | Local Database |
RADIUS Class Lookup | session.radius.last.attr.class | RADIUS Auth |

Note: session.localdb.groups is the default session variable in the expression for LocalDB Group Lookup; any session variable in the expression must match the session variable used in the Local Database action in the access policy.