Applies To:
Show VersionsBIG-IP APM
- 12.1.6, 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1, 12.1.0
Transparent Forward Proxy Configurations
Overview: Configuring transparent forward proxy in inline mode
In transparent forward proxy, you configure your internal network to forward web traffic to the BIG-IP® system with Secure Web Gateway (SWG). This implementation describes an inline deployment. You place the BIG-IP system directly in the path of traffic, or inline, as the next hop after the gateway.
Secure Web Gateway transparent forward proxy inline deployment
The gateway sends traffic to the self IP address of a VLAN configured on the BIG-IP system. Wildcard virtual servers listen on the VLAN and process the traffic that most closely matches the virtual server address. A wildcard virtual server is a special type of network virtual server designed to manage network traffic that is targeted to transparent network devices.
Task summary
About the iApp for Secure Web Gateway configuration
When deployed as an application service, the Secure Web Gateway iApps® template can set up either an explicit or a transparent forward proxy configuration. You can download the template from the F5® DevCentral™ iApp Codeshare wiki at (http://devcentral.f5.com/wiki/iapp.Codeshare.ashx).
SWG transparent forward proxy configuration prerequisites
Ensure that prerequisites are complete before beginning the configuration.
- Per-request policy
- A per-request policy is required in any Secure Web Gateway (SWG) forward proxy configuration. A per-request policy must specify the logic for processing URL requests.
- URL categorization
- On a BIG-IP® system with an SWG subscription, you must download and install a URL database and schedule updates for it. On a system without an SWG subscription, you can configure user-defined URL categories and filters to control access by filtering URLs.
- Transparent user identification
- On a system with an SWG subscription, if you plan to identify users transparently, you
must first download, install, and configure an F5® user
identification agent, either the F5 DC Agent or the F5 Logon Agent. Note: User identification agents are available only on a BIG-IP® system with an SWG subscription.
- Authentication
- If you include authentication in your access policy and the first site that a user
accesses uses HTTP instead of secure HTTP, passwords are passed as clear text. To prevent
this from happening, F5 recommends that you use NTLM or Kerberos authentication. If you
plan to use authentication, ensure that you have what you need configured.
- For NTLM, you need an NTLM Auth Configuration in Access Policy Manager® (APM®).
- For Kerberos, you need a domain-joined Kerberos user account and a Kerberos AAA server configured in APM.
- SSL intercept
- To intercept SSL connections that are passing through the proxy, ensure that you have imported a valid subordinate CA certificate and key that is trusted by the endpoints behind the proxy.
- Captive portal
- If you plan to use the captive portal feature, make sure that a certificate and key with the proper common name is imported for use.
SWG transparent forward proxy example: Clear text password
F5® recommends using NTLM or Kerberos authentication in a Secure Web Gateway (SWG) forward proxy configuration to prevent passwords from being exposed in clear text. With Captive Portals disabled in an SWG transparent type access profile, other types of authentication (AD Auth, LDAP Auth, or RADIUS Auth) in the access policy will work. However, the configuration is not secure because passwords can be exposed in clear text.
Access policy that can expose passwords in clear text (with captive portal disabled)
SWG transparent forward proxy example: Encrypted password
F5® recommends using NTLM or Kerberos authentication in a Secure Web Gateway (SWG) forward proxy configuration to prevent passwords from being exposed in clear text. With Captive Portals enabled in an SWG transparent type access profile, using a Logon Page with other types of authentication (AD Auth, LDAP Auth, or RADIUS Auth) in the access policy will also work to keep passwords secure.
Access policy that keeps passwords secure (with captive portals enabled)
Creating a VLAN for transparent forward proxy
Assigning a self IP address to a VLAN
Creating an access profile for SWG transparent forward proxy
Verifying log settings for the access profile
Configuring an access policy for transparent forward proxy
Creating a custom Client SSL forward proxy profile
Creating a Client SSL forward proxy profile makes it possible for client and server authentication, while still allowing the BIG-IP® system to perform data optimization, such as decryption and encryption. This profile applies to client-side SSL forward proxy traffic only.
Creating a custom Server SSL profile
Creating a virtual server for forward proxy SSL traffic
Creating a virtual server for forward proxy traffic
Creating a forwarding virtual server
Creating a Client SSL profile for a captive portal
You create a Client SSL profile when you want the BIG-IP® system to authenticate and decrypt/encrypt client-side application traffic. You create this profile if you enabled Captive Portals in the access profile and if you want to use SSL.
Creating a virtual server for a captive portal
Implementation result
Web traffic that originates from your enterprise networks is now inspected and controlled by F5® Secure Web Gateway forward proxy.
Per-request policy items that read session variables
This table lists per-request policy items that read session variables and lists the access policy items that populate the variables.
Per-request policy item | Session variable | Access policy item |
---|---|---|
AD Group Lookup | session.ad.last.attr.primaryGroupID | AD Query |
LDAP Group Lookup | session.ldap.last.attr.memberOf | LDAP Query |
LocalDB Group Lookup |
session.localdb.groups
Note: This session variable is a default in the expression for LocalDB
Group Lookup; any session variable in the expression must match the session variable
used in the Local Database action in the access policy.
|
Local Database |
RADIUS Class Lookup | session.radius.last.attr.class | RADIUS Auth |
About redirects after access denied by captive portal
A tool that captures HTTP traffic can reveal what appears to be an extra redirect after a user attempts to gain access using a captive portal but fails. Instead of immediately redirecting the user to the logout page, the user is first redirected to the landing URI, and then a request to the landing URI is redirected to the logout page.
This sample output shows both redirects: the 302 to the landing page http://berkeley.edu/index.html and the 302 to the logout page http://berkeley.edu/vdesk/hangup.php3.
POST https://bigip-master.com/my.policy?ORIG_URI=http://berkeley.edu/index.html 302 http://berkeley.edu/index.html GET http://berkeley.edu/index.html 302 http://berkeley.edu/vdesk/hangup.php3
Although the 302 to the landing page might seem to be an extra redirect, it is not. When a request is made, a subordinate virtual server transfers the request to the dominant virtual server to complete the access policy. When the dominant virtual server completes the access policy, it transfers the user back to the subordinate virtual server, on the same original request. The subordinate virtual server then enforces the result of the access policy.
Overview: Configuring transparent forward proxy
In transparent forward proxy, you configure your internal network to forward web traffic to the BIG-IP® system with Secure Web Gateway (SWG). Use this implementation when your topology includes a router on which you can configure policy-based routing or Web Cache Communication Protocol (WCCP) to send any traffic for ports 80 and 443 to the BIG-IP system.
This implementation describes only the configuration required on the BIG-IP system.
Secure Web Gateway transparent forward proxy deployment
The router sends traffic to the self-ip address of a VLAN configured on the BIG-IP system. Virtual servers listen on the VLAN and process the traffic that most closely matches the virtual server address. Secure Web Gateway identifies users without using session management cookies. A per-request policy, configured to use action items that determine the URL category and apply a URL filter, controls access.
Task Summary
SWG transparent forward proxy configuration prerequisites
Ensure that prerequisites are complete before beginning the configuration.
- Per-request policy
- A per-request policy is required in any Secure Web Gateway (SWG) forward proxy configuration. A per-request policy must specify the logic for processing URL requests.
- URL categorization
- On a BIG-IP® system with an SWG subscription, you must download and install a URL database and schedule updates for it. On a system without an SWG subscription, you can configure user-defined URL categories and filters to control access by filtering URLs.
- Transparent user identification
- On a system with an SWG subscription, if you plan to identify users transparently, you
must first download, install, and configure an F5® user
identification agent, either the F5 DC Agent or the F5 Logon Agent. Note: User identification agents are available only on a BIG-IP® system with an SWG subscription.
- Authentication
- If you include authentication in your access policy and the first site that a user
accesses uses HTTP instead of secure HTTP, passwords are passed as clear text. To prevent
this from happening, F5 recommends that you use NTLM or Kerberos authentication. If you
plan to use authentication, ensure that you have what you need configured.
- For NTLM, you need an NTLM Auth Configuration in Access Policy Manager® (APM®).
- For Kerberos, you need a domain-joined Kerberos user account and a Kerberos AAA server configured in APM.
- SSL intercept
- To intercept SSL connections that are passing through the proxy, ensure that you have imported a valid subordinate CA certificate and key that is trusted by the endpoints behind the proxy.
- Captive portal
- If you plan to use the captive portal feature, make sure that a certificate and key with the proper common name is imported for use.
SWG transparent forward proxy example: Clear text password
F5® recommends using NTLM or Kerberos authentication in a Secure Web Gateway (SWG) forward proxy configuration to prevent passwords from being exposed in clear text. With Captive Portals disabled in an SWG transparent type access profile, other types of authentication (AD Auth, LDAP Auth, or RADIUS Auth) in the access policy will work. However, the configuration is not secure because passwords can be exposed in clear text.
Access policy that can expose passwords in clear text (with captive portal disabled)
SWG transparent forward proxy example: Encrypted password
F5® recommends using NTLM or Kerberos authentication in a Secure Web Gateway (SWG) forward proxy configuration to prevent passwords from being exposed in clear text. With Captive Portals enabled in an SWG transparent type access profile, using a Logon Page with other types of authentication (AD Auth, LDAP Auth, or RADIUS Auth) in the access policy will also work to keep passwords secure.
Access policy that keeps passwords secure (with captive portals enabled)
About the iApp for Secure Web Gateway configuration
When deployed as an application service, the Secure Web Gateway iApps® template can set up either an explicit or a transparent forward proxy configuration. You can download the template from the F5® DevCentral™ iApp Codeshare wiki at (http://devcentral.f5.com/wiki/iapp.Codeshare.ashx).
About user identification with a logon page
User identification by IP address is a method that is available for these access profile types: SWG-Explicit, SWG-Transparent, and LTM-APM.
To support this option, a logon page must be added to the access policy to explicitly identify users. The logon page requests user credentials and validates them to identify the users. For explicit forward proxy, a 407 response page is the appropriate logon page action. For transparent forward proxy, a 401 response page is the appropriate logon page action. For LTM-APM, the Logon Page action is appropriate.
Secure Web Gateway (SWG) maintains an internal mapping of IP addresses to user names.
About user identification with an F5 agent
Transparent user identification makes a best effort to identify users without requesting credentials. It is not authentication. It should be used only when you are comfortable accepting a best effort at user identification.
Transparent user identification is supported in Secure Web Gateway (SWG) configurations for either explicit or transparent forward proxy. An agent obtains data and stores a mapping of IP addresses to user names in an IF-MAP server. An F5® DC Agent queries domain controllers. An F5 Logon Agent runs a script when a client logs in and can be configured to run a script when the client logs out.
In an access policy, a Transparent Identity Import item obtains the IP-address-to-username-mapping from the IF-MAP server. This item can be used alone for determining whether to grant access or be paired with another query to look up the user or validate user information.
To support this option, either the F5 DC Agent or the F5 Logon Agent must be downloaded, installed, and configured.
Creating a VLAN for transparent forward proxy
Assigning a self IP address to a VLAN
Creating an access profile for SWG transparent forward proxy
Verifying log settings for the access profile
Configuring an access policy for transparent forward proxy
Creating a custom Client SSL forward proxy profile
Creating a Client SSL forward proxy profile makes it possible for client and server authentication, while still allowing the BIG-IP® system to perform data optimization, such as decryption and encryption. This profile applies to client-side SSL forward proxy traffic only.
Creating a custom Server SSL profile
Creating a virtual server for forward proxy SSL traffic
Creating a virtual server for forward proxy traffic
Creating a Client SSL profile for a captive portal
You create a Client SSL profile when you want the BIG-IP® system to authenticate and decrypt/encrypt client-side application traffic. You create this profile if you enabled Captive Portals in the access profile and if you want to use SSL.
Creating a virtual server for a captive portal
Implementation result
Web traffic that originates from your enterprise networks is now inspected and controlled by F5® Secure Web Gateway forward proxy.
Per-request policy items that read session variables
This table lists per-request policy items that read session variables and lists the access policy items that populate the variables.
Per-request policy item | Session variable | Access policy item |
---|---|---|
AD Group Lookup | session.ad.last.attr.primaryGroupID | AD Query |
LDAP Group Lookup | session.ldap.last.attr.memberOf | LDAP Query |
LocalDB Group Lookup |
session.localdb.groups
Note: This session variable is a default in the expression for LocalDB
Group Lookup; any session variable in the expression must match the session variable
used in the Local Database action in the access policy.
|
Local Database |
RADIUS Class Lookup | session.radius.last.attr.class | RADIUS Auth |
About redirects after access denied by captive portal
A tool that captures HTTP traffic can reveal what appears to be an extra redirect after a user attempts to gain access using a captive portal but fails. Instead of immediately redirecting the user to the logout page, the user is first redirected to the landing URI, and then a request to the landing URI is redirected to the logout page.
This sample output shows both redirects: the 302 to the landing page http://berkeley.edu/index.html and the 302 to the logout page http://berkeley.edu/vdesk/hangup.php3.
POST https://bigip-master.com/my.policy?ORIG_URI=http://berkeley.edu/index.html 302 http://berkeley.edu/index.html GET http://berkeley.edu/index.html 302 http://berkeley.edu/vdesk/hangup.php3
Although the 302 to the landing page might seem to be an extra redirect, it is not. When a request is made, a subordinate virtual server transfers the request to the dominant virtual server to complete the access policy. When the dominant virtual server completes the access policy, it transfers the user back to the subordinate virtual server, on the same original request. The subordinate virtual server then enforces the result of the access policy.