Manual Chapter : Integrating Network Access and Secure Web Gateway

Applies To:

BIG-IP APM

  • 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1

About SWG remote access

With proper configuration, Secure Web Gateway (SWG) can support these types of remote access:

Network access
SWG supports explicit forward proxy or transparent forward proxy for network access connections.
Portal access
SWG supports transparent forward proxy for portal access.
Application access
SWG supports transparent forward proxy for application access.

Overview: Configuring SWG explicit forward proxy for network access

You can configure Secure Web Gateway (SWG) explicit forward proxy and network access configurations so that SWG processes the Internet traffic from a network access client in the same way that it processes such traffic from a client in the enterprise.

Note: Using a distinct SWG explicit forward proxy configuration to process traffic from remote clients separately from an SWG configuration used for processing traffic from internal clients provides an important measure of network security.
Figure: Explicit forward proxy for network access (clients on the LAN and network access clients share the SWG explicit forward proxy).

You should understand how these configuration objects fit into the overall configuration.

Secure connectivity interface
In a network access configuration, a connectivity profile on the virtual server specifies a secure connectivity interface for traffic from the client. In the SWG configuration, an SWG explicit forward proxy server must listen on the secure connectivity interface for traffic from network access clients.
Tunnel
In the SWG configuration, an HTTP profile on the explicit forward proxy server specifies the name of a tunnel of tcp-forward encapsulation type. You can use the default tunnel, http-tunnel, or create another tunnel and use it.
Per-request policy
In any SWG configuration, the determination of whether a user can access a URL must be made in a per-request policy. A per-request policy determines whether to block or allow access to a request based on time or date or group membership or other criteria that you configure.
Access policies
The access policy in the network access configuration continues to authenticate users, assign resources, and evaluate ACLs, if any. In addition, this access policy must assign an SWG scheme for the network access session and populate any session variables used in the per-request policy. An access profile of the SWG-Explicit type is required in the SWG configuration; however, it is not necessary to include any items in the access policy.

Task summary

Prerequisites for SWG explicit forward proxy for network access

Before you start to create a Secure Web Gateway (SWG) explicit forward proxy configuration to support network access clients, you must have completed these tasks.

  • You need to have configured a working network access configuration.
  • If you have not already done so, you must ensure that the URL database is downloaded.
  • You need to have configured at least one SWG scheme and any URL filters that you want to use in addition to or instead of the default URL filters.

Configuration outline for explicit forward proxy for network access

Tasks for integrating an Access Policy Manager® (APM®) network access configuration with a Secure Web Gateway (SWG) explicit forward proxy configuration follow this order.

  • First, if your network access configuration does not include a connectivity profile, create one and add it to the virtual server.
  • Next, create an SWG explicit forward proxy configuration. This configuration includes the per-request policy.
  • Finally, in the network access configuration, update the access policy (so that it assigns an SWG scheme and populates any session variables required for successful execution of the per-request policy) and update the network access resource for client proxy.

Creating a connectivity profile

You create a connectivity profile to configure client connections.
  1. On the Main tab, click Access Policy > Secure Connectivity. A list of connectivity profiles displays.
  2. Click Add. The Create New Connectivity Profile popup screen opens and displays General Settings.
  3. Type a Profile Name for the connectivity profile.
  4. Select a Parent Profile from the list. APM® provides a default profile, connectivity.
  5. Click OK. The popup screen closes, and the Connectivity Profile List displays.
The connectivity profile appears in the list.
To provide functionality with a connectivity profile, you must add the connectivity profile to a virtual server.

Adding a connectivity profile to a virtual server

Update a virtual server that is part of an Access Policy Manager® application access, network access, or portal access configuration to enable a secure connectivity interface for traffic from the client.

  1. On the Main tab, click Local Traffic > Virtual Servers. The Virtual Server List screen opens.
  2. Click the name of the virtual server you want to modify.
  3. Scroll down to the Access Policy area.
  4. From the Connectivity Profile list, select the connectivity profile.
  5. Click Update to save the changes.

Creating a DNS resolver

You configure a DNS resolver on the BIG-IP® system to resolve DNS queries and cache the responses. The next time the system receives a query for a response that exists in the cache, the system returns the response from the cache.
  1. On the Main tab, click Network > DNS Resolvers > DNS Resolver List. The DNS Resolver List screen opens.
  2. Click Create. The New DNS Resolver screen opens.
  3. In the Name field, type a name for the resolver.
  4. Click Finished.

Adding forward zones to a DNS resolver

Before you begin, gather the IP addresses of the nameservers that you want to associate with a forward zone.

Add a forward zone to a DNS resolver when you want the BIG-IP® system to forward queries for particular zones to specific nameservers for resolution in case the resolver does not contain a response to the query.
Note: Creating a forward zone is optional. Without one, a DNS resolver can still make recursive name queries to the root DNS servers; however, this requires that the virtual servers using the cache have a route to the Internet.
  1. On the Main tab, click Network > DNS Resolvers > DNS Resolver List. The DNS Resolver List screen opens.
  2. Click the name of the resolver you want to modify. The properties screen opens.
  3. On the menu bar, click Forward Zones. The Forward Zones screen displays.
  4. Click the Add button.
    Note: You can add more than one forward zone, based on the needs of your organization.
  5. In the Name field, type the name of a subdomain or type the fully qualified domain name (FQDN) of a forward zone. For example, either example or site.example.com would be valid zone names.
  6. Add one or more nameservers:
    1. In the Address field, type the IP address of a DNS nameserver that is considered authoritative for this zone. Based on your network configuration, add IPv4 or IPv6 addresses, or both.
    2. Click Add. The address is added to the list.
    Note: The order of nameservers in the configuration does not impact which nameserver the system selects to forward a query to.
  7. Click Finished.

Creating a custom HTTP profile for explicit forward proxy

An HTTP profile defines the way that you want the BIG-IP® system to manage HTTP traffic.
Note: Secure Web Gateway (SWG) explicit forward proxy requires a DNS resolver that you select in the HTTP profile.
  1. On the Main tab, click Local Traffic > Profiles > Services > HTTP. The HTTP profile list screen opens.
  2. Click Create. The New HTTP Profile screen opens.
  3. In the Name field, type a unique name for the profile.
  4. From the Proxy Mode list, select Explicit.
  5. For Parent Profile, retain the http-explicit setting.
  6. Select the Custom check box.
  7. Scroll down to the Explicit Proxy area.
  8. From the DNS Resolver list, select the DNS resolver you configured previously.
  9. In the Tunnel Name field, you can retain the default value, http-tunnel, or type the name of a tunnel if you created one. SWG requires a tunnel with tcp-forward encapsulation to support SSL traffic for explicit forward proxy.
  10. From the Default Connect Handling list, retain the default setting Deny. Any CONNECT traffic goes through the tunnel to the virtual server that most closely matches the traffic; if there is no match, the traffic is blocked.
  11. Click Finished.
The custom HTTP profile now appears in the HTTP profile list screen.

Configuring a per-request policy for SWG

Configure a per-request policy to specify the logic that determines how to process web traffic.
Note: A per-request policy must determine whether to bypass SSL traffic and, otherwise, whether to allow or reject a URL request in a Secure Web Gateway (SWG) forward proxy configuration.
  1. On the Main tab, click Access Policy > Per-Request Policies. The Per-Request Policies screen opens.
  2. Click Create. The General Properties screen displays.
  3. In the Name field, type a name for the policy and click Finished. A per-request policy name must be unique among all per-request policy and access profile names. The policy name appears on the Per-Request Policies screen.
  4. In the Access Policy column for the per-request policy that you want to update, click the Edit link. The visual policy editor opens in another tab.
  5. To create different branches for processing HTTP and HTTPS traffic, add a Protocol Lookup item.
    1. Click the (+) icon anywhere in the per-request policy to add a new item. A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
    2. Type prot in the Search field, select Protocol Lookup, and click Add Item. A Properties popup screen opens.
    3. Click Save. The Properties screen closes. The visual policy editor displays.
  6. If you configured SSL forward proxy bypass in the client and server SSL profiles, include an SSL Intercept Set item to ensure that SSL traffic is not bypassed until this policy determines that it should be. It is important to include SSL Intercept Set when the default SSL bypass action in the client SSL profile is set to Bypass.
  7. To retrieve the requested URL and the categories to which it belongs, add a Category Lookup item.
    Important: A Category Lookup item is required to trigger event logging for SWG, to provide a response web page for the Response Analytics item, and to provide categories for the URL Filter Assign item.
    1. Click the (+) icon anywhere in the per-request policy to add a new item. A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
    2. Type cat in the Search field, select Category Lookup, and click Add Item. A Properties popup screen opens.
    3. From the Categorization Input list, select how to obtain the requested URL. For HTTP traffic, select Use HTTP URI (cannot be used for SSL Bypass decisions). For SSL-encrypted traffic, select either Use SNI in Client Hello (if SNI is not available, use Subject.CN) or Use Subject.CN in Server Cert. If you select Use HTTP URI (cannot be used for SSL Bypass decisions), the SafeSearch Mode list displays and Enabled is selected.
    4. From the Category Lookup Type list, select the category types in which to search for the requested URL. Select one from Custom categories first, then standard categories if not found, Always process full list of both custom and standard categories, or Process standard categories only. Depending on your selection, the Category Lookup Type item looks through custom categories or standard categories or both, and compiles a list of one or more categories from them. The list is available for subsequent processing by the URL Filter Assign item.
    5. Click Save. The Properties screen closes. The visual policy editor displays.
  8. To enable Safe Search for SSL-encrypted traffic, add an additional Category Lookup item, specify Use HTTP URI (cannot be used for SSL Bypass decisions) as the Category Lookup Type, and retain the default setting (Enabled) for SafeSearch Mode.
  9. At any point in the policy where a decision to bypass SSL traffic is made, add an SSL Bypass Set item.
  10. Add any of these items to the policy.
    • Dynamic Date Time: Branch by day of week or time of day.
    • AD Group Lookup: Branch by user group. Requires branch rule configuration.
    • LDAP Group Lookup: Branch by user group. Requires branch rule configuration.
    • LocalDB Group Lookup: Branch by user group. Requires branch rule configuration.
    • RADIUS Class Lookup: Branch by the class attribute. Requires branch rule configuration.
  11. To configure a branch rule for a LocalDB Group Lookup item:
    1. In the visual policy editor, click the name of the item. A Properties popup screen opens.
    2. Click the Branch Rules tab.
    3. To edit an expression, click the change link. An additional popup screen opens, displaying the Simple tab.
    4. If the Local Database action in the access policy was configured to read groups into the session.localdb.groups session variable, edit the default simple expression, User is a member of MY_GROUP, replacing MY_GROUP with a relevant group.
    5. If the Local Database action in the access policy was configured to read groups into a session variable other than session.localdb.groups, click the Advanced tab; edit the default advanced expression, expression is expr { [mcget {session.localdb.groups}] contains "MY_GROUP" }, replacing MY_GROUP with a relevant group and session.localdb.groups with the session variable specified in the Local Database action.
    6. Click Finished. The popup screen closes.
    7. Click Save. The popup screen closes. The visual policy editor displays.
  12. To configure a branch rule for AD, LDAP, or RADIUS group or class lookups:
    1. In the visual policy editor, click the name of the policy item. A Properties popup screen opens.
    2. Click the Branch Rules tab.
    3. To edit an expression, click the change link. An additional popup screen opens, displaying the Simple tab.
    4. Edit the default simple expression to specify group or class that is used in your environment. In an LDAP Group Lookup item, the default simple expression is User is a member of CN=MY_GROUP, CN=USERS, CN=MY_DOMAIN. You can use the simple expression editor to replace the default values.
    5. Click Finished. The popup screen closes.
    6. Click Save. The popup screen closes. The visual policy editor displays.
  13. To trigger inspection of the response web page contents, add a Response Analytics item. A Category Lookup item must precede this item.
    1. In the Max Buffer Size field, type the number of bytes to buffer.
    2. In the Max Buffer time field, type the number of seconds to retain response data in the buffer.
    3. For the Reset on Failure field, retain the default value Enabled to send a TCP reset if the server fails.
    4. For each type of content that you want to exclude from analysis, click Add new entry and then select a type from the list. The All-Images type is on the list by default because images are not scanned.
    5. Click Finished. The popup screen closes.
    6. Click Save. The fallback branch after this item indicates that a failure occurred during content analysis. The Success branch indicates that content analysis completed. The popup screen closes. The visual policy editor displays.
  14. Add a URL Filter Assign item after the Response Analytics item, if included on the branch; otherwise, add it anywhere on a branch after a Category Lookup item. In this item, you must specify a URL filter to apply to the URL categories that the Category Lookup item returned. If any URL category specifies the Block filtering action, this item blocks the request. This item also blocks the request if the Response Analytics item identified malicious content.
To put the per-request policy into effect, add it to the virtual server.

Creating an access profile for SWG explicit forward proxy

You create an access profile to specify any access policy configuration for a virtual server that serves in a Secure Web Gateway (SWG) explicit forward proxy configuration.
  1. On the Main tab, click Access Policy > Access Profiles. The Access Profiles List screen opens.
  2. Click Create. The New Profile screen opens.
  3. In the Name field, type a name for the access profile.
    Note: An access profile name must be unique among all access profile and per-request policy names.
  4. From the Profile Type list, select SWG-Explicit. Additional fields display set to default values.
  5. In the Language Settings area, add and remove accepted languages, and set the default language. A browser uses the highest priority accepted language. If no browser language matches the accepted languages list, the browser uses the default language.
  6. Click Finished. The Access Profiles list screen displays.
  7. To enable Secure Web Gateway event logging for this access profile, add log settings.
    1. Click the name of the access profile that you just created. The Properties screen displays.
    2. On the menu bar, click Logs. The General Properties screen displays.
    3. In the Log Settings area, move log settings from the Available list to the Selected list.
    You can configure log settings in the Access Policy Event Logs area of the product.
This creates an access profile with a default access policy that contains a Start and a Deny ending.
You do not need to add any actions or make any changes to the access policy.

Creating a virtual server for network access client forward proxy server

Before you begin, you need to know the name of the connectivity profile specified in the virtual server for the network access configuration that you want to protect using Secure Web Gateway (SWG).
You specify a virtual server to process forward proxy traffic with Secure Web Gateway (SWG). This virtual server must listen on the secure connectivity interface that is specified on the virtual server through which network access clients connect. This virtual server is also the one that network access resources must specify as the client proxy server.
Note: Use this virtual server for forward proxy traffic only. You should not try to use it for reverse proxy, or add a pool to it.
  1. On the Main tab, click Local Traffic > Virtual Servers. The Virtual Server List screen opens.
  2. Click the Create button. The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. In the Destination Address field, type the IP address for a host virtual server. This field accepts an address in CIDR format (IP address/prefix). However, when you type the complete IP address for a host, you do not need to type a prefix after the address. Type a destination address in this format: 162.160.15.20.
  5. In the Service Port field, type the port number to use for forward proxy traffic. Typically, the port number is 3128 or 8080.
  6. From the HTTP Profile list, select the HTTP profile you configured earlier.
  7. Scroll down to the VLAN and Tunnel Traffic setting and select Enabled on.
  8. For the VLANs and Tunnels setting, move the secure connectivity interface to the Selected list.
  9. From the Source Address Translation list, select Auto Map.
  10. In the Access Policy area, from the Access Profile list, select the access profile that you configured earlier.
  11. In the Access Policy area, from the Per-Request Policy list, select the policy that you configured earlier.
  12. Click Finished.

Creating a wildcard virtual server for HTTP tunnel traffic

You configure a virtual server to process web traffic coming in on the HTTP tunnel from the explicit forward-proxy virtual server.
  1. On the Main tab, click Local Traffic > Virtual Servers. The Virtual Server List screen opens.
  2. Click the Create button. The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. In the Destination Address field, type 0.0.0.0/0 to accept any IPv4 traffic.
  5. In the Service Port field, type 80, or select HTTP from the list.
  6. From the Configuration list, select Advanced.
  7. From the HTTP Profile list, select http.
  8. Scroll down to the VLAN and Tunnel Traffic setting and select Enabled on.
  9. For the VLANs and Tunnels setting, move the tunnel to the Selected list. The tunnel name must match the tunnel specified in the HTTP profile for the forward proxy virtual server. The default tunnel is http-tunnel.
  10. From the Source Address Translation list, select Auto Map.
  11. Scroll down to the Port Translation setting and clear the Enabled check box.
  12. In the Access Policy area, from the Access Profile list, select the access profile that you configured earlier.
  13. In the Access Policy area, from the Per-Request Policy list, select the policy that you configured earlier.
  14. Click Finished.

Creating a custom Client SSL forward proxy profile

Creating a Client SSL forward proxy profile makes it possible to perform client and server authentication while still allowing the BIG-IP® system to perform data optimization, such as decryption and encryption. This profile applies to client-side SSL forward proxy traffic only.

  1. On the Main tab, click Local Traffic > Profiles > SSL > Client. The Client profile list screen opens.
  2. Click Create. The New Client SSL Profile screen opens.
  3. In the Name field, type a unique name for the profile.
  4. From the Parent Profile list, select clientssl.
  5. To address privacy concerns, you might need to enable SSL forward proxy bypass for URLs that expose personal user information, such as those for financial or government sites.
    1. Scroll down to the SSL Forward Proxy list, and select Advanced.
    2. Select the Custom check box for the SSL Forward Proxy area.
    3. From the SSL Forward Proxy list, select Enabled. You can update this setting later but only while the profile is not assigned to a virtual server.
    4. From the CA Certificate list, select a certificate.
    5. From the CA Key list, select a key.
    6. In the CA Passphrase field, type a passphrase.
    7. In the Confirm CA Passphrase field, type the passphrase again.
    8. In the Certificate Lifespan field, type a lifespan for the SSL forward proxy certificate in days.
    9. Optional: From the Certificate Extensions list, select Extensions List.
    10. Optional: For the Certificate Extensions List setting, select the extensions that you want in the Available extensions field, and move them to the Enabled Extensions field using the Enable button.
    11. From the SSL Forward Proxy Bypass list, select Enabled. You can update this setting later but only while the profile is not assigned to a virtual server. Additional settings display.
    12. For Default Bypass Action, retain the default value Intercept. You can override the value of this action on a case-by-case basis in the per-request policy for the virtual server.
      Note: Bypass and intercept lists do not work with per-request policies. Retain the setting None for the remainder of the fields.
  6. Click Finished.
The custom Client SSL forward proxy profile now appears in the Client SSL profile list screen.

Creating a custom Server SSL profile

Create a custom server SSL profile to support SSL forward proxy.
  1. On the Main tab, click Local Traffic > Profiles > SSL > Server. The SSL Server profile list screen opens.
  2. Click Create. The New Server SSL Profile screen opens.
  3. In the Name field, type a unique name for the profile.
  4. For Parent Profile, retain the default selection, serverssl.
  5. From the Configuration list, select Advanced.
  6. Select the Custom check box. The settings become available for change.
  7. From the SSL Forward Proxy list, select Enabled. You can update this setting later, but only while the profile is not assigned to a virtual server.
  8. From the SSL Forward Proxy Bypass list, select Enabled (or retain the default value Disabled). The values of the SSL Forward Proxy Bypass settings in the server SSL and the client SSL profiles specified in a virtual server must match. You can update this setting later but only while the profile is not assigned to a virtual server.
  9. Scroll down to the Secure Renegotiation list and select Request.
  10. Click Finished.
The custom Server SSL profile is now listed in the SSL Server profile list.

Creating a wildcard virtual server for SSL traffic on the HTTP tunnel

If you do not have existing client SSL and server SSL profiles that you want to use, configure them before you start.
You configure a virtual server to process SSL web traffic coming in on the HTTP tunnel from the forward proxy virtual server.
  1. On the Main tab, click Local Traffic > Virtual Servers. The Virtual Server List screen opens.
  2. Click the Create button. The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. In the Destination Address field, type 0.0.0.0/0 to accept any IPv4 traffic.
  5. In the Service Port field, type 443 or select HTTPS from the list.
  6. From the Configuration list, select Advanced.
  7. From the HTTP Profile list, select http.
  8. For the SSL Profile (Client) setting, from the Available list, select the name of the Client SSL forward proxy profile you previously created, and using the Move button, move the name to the Selected list.
    Important: To enable SSL forward proxy functionality, you can either:
    • Disassociate existing Client SSL and Server SSL profiles from a virtual server and configure the SSL Forward Proxy settings.
    • Create new Client SSL and Server SSL profiles and configure the SSL Forward Proxy settings.
    Then with either option, select the Client SSL and Server SSL profiles on a virtual server. You cannot modify existing Client SSL and Server SSL profiles while they are selected on a virtual server to enable SSL forward proxy functionality.
  9. For the SSL Profile (Server) setting, from the Available list, select the name of the Server SSL forward proxy profile you previously created, and using the Move button, move the name to the Selected list.
  10. Scroll down to the VLAN and Tunnel Traffic setting and select Enabled on.
  11. For the VLANs and Tunnels setting, move the tunnel to the Selected list. The tunnel name must match the tunnel specified in the HTTP profile for the forward proxy virtual server. The default tunnel is http-tunnel.
  12. From the Source Address Translation list, select Auto Map.
  13. Scroll down to the Port Translation setting and clear the Enabled check box.
  14. In the Access Policy area, from the Access Profile list, select the access profile that you configured earlier.
  15. In the Access Policy area, from the Per-Request Policy list, select the policy that you configured earlier.
  16. Click Finished.

Updating the access policy in the remote access configuration

Add an SWG Scheme Assign item to an access policy to assign a Secure Web Gateway (SWG) scheme to a client session. Add queries to populate any session variables that are required for successful execution of the per-request policy.

Note: Class lookup or group lookup items in a per-request policy rely on session variables that are populated in this access policy.
  1. On the Main tab, click Access Policy > Access Profiles. The Access Profiles List screen opens.
  2. Click the name of the access profile that you want to edit. The properties screen opens.
  3. Click Edit Access Policy for Profile profile_name. The visual policy editor opens the access policy in a separate screen.
  4. Click the (+) icon anywhere in the access policy to add a new action item.
    Note: Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type.
    A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
  5. On the Assignment tab, select SWG Scheme Assign and click Add Item. A properties screen opens.
  6. To display the available schemes, click the Add/Delete link.
  7. Select one scheme and click Save. The Properties screen closes and the visual policy editor screen displays.
  8. To supply LDAP group information for use in the per-request policy, add an LDAP Query item anywhere in the access policy and configure its properties:
    1. From the Server list, select an AAA LDAP server. An LDAP Query uses SSL connections when you select an LDAP AAA server that is configured for LDAPS.
    2. Specify the SearchDN and SearchFilter settings. SearchDN is the base DN from which the search is done.
    3. Click Save.
    This item populates the session.ldap.last.attr.memberOf session variable.
  9. To supply Active Directory groups for use in the per-request policy, add an AD Query item anywhere in the access policy and configure its properties:
    1. From the Server list, select an AAA AD server.
    2. Select the Fetch Primary Group check box. The value of the primary user group populates the session.ad.last.attr.primaryGroupID session variable.
    3. Click Save.
  10. To supply RADIUS class attributes for use in the per-request policy, add a RADIUS Auth item anywhere in the access policy and configure its properties:
    1. From the Server list, select an AAA RADIUS server.
    2. Click Save.
    This item populates the session.radius.last.attr.class session variable.
  11. To supply local database groups for use in the per-request policy, add a Local Database item anywhere in the access policy and configure its properties:
    1. From the LocalDB Instance list, select a local user database.
    2. In the User Name field, retain the default session variable.
    3. Click Add new entry. A new line is added to the list of entries with the Action set to Read and other default settings.
    4. In the Destination column Session Variable field, type session.localdb.groups. If you type a name other than session.localdb.groups, note it. You will need it when you configure the per-request access policy.
    5. In the Source column from the DB Property list, select groups.
    6. Click Save.
    This item populates the session.localdb.groups session variable.
The access policy is configured to assign an SWG scheme and to support the per-request policy.
Click the Apply Access Policy link to apply and activate your changes to this access policy.

Configuring a network access resource to forward traffic

You must create a network access resource, or open an existing resource, before you can perform this task.
Configure a network access resource to forward traffic to the Secure Web Gateway (SWG) explicit forward proxy virtual server so that SWG can filter Internet traffic and analyze content, protecting the client from malware.
  1. On the Main tab, click Access Policy > Network Access > Network Access List. The Network Access List screen opens.
  2. In the Name column, click the name of the network access resource you want to edit.
  3. On the menu bar, click Network Settings.
  4. For Client Settings, select Advanced.
  5. Scroll down and select Client Proxy Settings. Additional settings display.
  6. If the Traffic Options setting specifies Force all traffic through tunnel, configure these additional settings:
    1. In the Client Proxy Address field, type the IP address of the SWG explicit forward proxy virtual server.
    2. In the Client Proxy Port field, type the port number of the SWG explicit forward proxy virtual server. Typically, the port number is 3128 or 8080; it might be different in your configuration.
  7. If the Traffic Options setting specifies Use split tunneling for traffic, in the Client Proxy Autoconfig Script field, type the URL for a proxy auto-configuration script.
  8. Click the Update button. Your changes are saved and the page refreshes.
The network access resource forwards traffic to the SWG explicit forward proxy server.
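The split-tunneling case in step 7 hands the client a proxy auto-configuration (PAC) script instead of a fixed proxy address, and that script decides which requests reach SWG at all. The following PAC script is an added example, not code from the F5 manual: it sends everything except tunnel-internal destinations to the SWG explicit forward proxy and deliberately has no DIRECT fallback, so an unreachable proxy fails closed rather than letting the client bypass filtering. The proxy address 10.10.10.1:3128 (the explicit forward proxy virtual server on the secure connectivity interface), the domain corp.example.com and the RFC 1918 ranges are assumed values for illustration.

```javascript
// Added example PAC script for the split-tunnel network access case (not from the F5 manual).
// Assumed: the SWG explicit forward proxy virtual server listens on 10.10.10.1:3128 on the
// secure connectivity interface; corp.example.com and the RFC 1918 ranges stay in the tunnel.
var SWG_PROXY = "PROXY 10.10.10.1:3128";          // assumed SWG explicit proxy address:port
var INTERNAL_DOMAINS = ["corp.example.com"];       // assumed internal DNS suffixes
var INTERNAL_NETS = [                              // assumed internal networks [net, mask]
  ["10.0.0.0", "255.0.0.0"],
  ["172.16.0.0", "255.240.0.0"],
  ["192.168.0.0", "255.255.0.0"]
];

// The client's PAC runtime normally supplies dnsDomainIs, isInNet and isPlainHostName.
// Stand-ins are defined only when they are absent so the script can be evaluated offline.
// Unlike the real isInNet, the stand-in does not resolve host names; it matches literal IPv4 only.
function ipv4ToInt(ip) {
  var parts = String(ip).split(".");
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i]) || Number(parts[i]) > 255) return null;
    n = n * 256 + Number(parts[i]);
  }
  return n;
}
var isPlainHostName = (typeof isPlainHostName === "function") ? isPlainHostName :
  function (host) { return host.indexOf(".") === -1; };
var dnsDomainIs = (typeof dnsDomainIs === "function") ? dnsDomainIs :
  function (host, domain) {
    return host.length >= domain.length &&
      host.substring(host.length - domain.length) === domain;
  };
var isInNet = (typeof isInNet === "function") ? isInNet :
  function (host, net, mask) {
    var h = ipv4ToInt(host), n = ipv4ToInt(net), m = ipv4ToInt(mask);
    if (h === null || n === null || m === null) return false;
    return (h & m) === (n & m);   // both sides are coerced to int32 the same way
  };

// True for destinations that are reached through the VPN tunnel and never touch SWG.
function isInternalHost(host) {
  var h = host.toLowerCase();
  if (isPlainHostName(h)) return true;            // unqualified names resolve over the tunnel
  for (var i = 0; i < INTERNAL_DOMAINS.length; i++) {
    var d = INTERNAL_DOMAINS[i].toLowerCase();
    // Match the apex and any subdomain. The leading dot matters: without it,
    // "xcorp.example.com" would also be treated as internal.
    if (h === d || dnsDomainIs(h, "." + d)) return true;
  }
  for (var j = 0; j < INTERNAL_NETS.length; j++) {
    if (isInNet(h, INTERNAL_NETS[j][0], INTERNAL_NETS[j][1])) return true;
  }
  return false;
}

function FindProxyForURL(url, host) {
  if (isInternalHost(host)) return "DIRECT";     // stays inside the tunnel
  // Everything else is Internet traffic and must go through SWG. There is deliberately
  // no "; DIRECT" fallback: if the proxy is unreachable the browser fails closed instead
  // of silently bypassing URL filtering and content analysis.
  return SWG_PROXY;
}
```

The host and port returned for Internet destinations must be the same address and port the explicit forward proxy virtual server listens on for the secure connectivity interface, exactly as you would enter them in the Client Proxy Address and Client Proxy Port fields for the force-all-traffic case. Serve the script from a host that is only reachable through the tunnel, so a client on an untrusted network cannot be handed a substitute PAC that returns DIRECT.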

Implementation result

The Secure Web Gateway (SWG) explicit forward proxy configuration is ready to process web traffic from network access clients.

Session variables for use in a per-request policy

Per-request policy items that look up the group or class to which a user belongs rely on the access policy to populate these session variables.

Per-request policy item   Session variable                       Access policy item
AD Group Lookup           session.ad.last.attr.primaryGroupID    AD Query
LDAP Group Lookup         session.ldap.last.attr.memberOf        LDAP Query
LocalDB Group Lookup      session.localdb.groups                 Local Database
RADIUS Class Lookup       session.radius.last.attr.class         RADIUS Auth

Note: session.localdb.groups is the default session variable in the expression for LocalDB Group Lookup; any session variable in the expression must match the session variable used in the Local Database action in the access policy.

Overview: Configuring SWG transparent forward proxy for remote access

Secure Web Gateway (SWG) can be configured to support remote clients that connect using application access, network access, or portal access.

Note: Using a distinct SWG transparent forward proxy configuration to process traffic from remote clients separately from an SWG configuration used for processing traffic from internal clients provides an important measure of network security.
Figure: SWG transparent forward proxy for remote access (BIG-IP system with remote access and SWG transparent configurations)

You should understand how these configuration objects fit into the overall configuration.

Secure connectivity interface
In a remote access configuration, a connectivity profile is required on the virtual server to specify a secure connectivity interface for traffic from the client. In the SWG configuration, SWG wildcard virtual servers must listen on the secure connectivity interface for traffic from remote access clients.
Per-request policy
In any SWG configuration, the determination of whether a user can access a URL must be made in a per-request access policy. A per-request access policy determines whether to block or allow access to a request based on time or date or group membership or other criteria that you configure.
Access policies
The access policy in the remote access configuration continues to authenticate users, assign resources, and evaluate ACLs, if any. In addition, this access policy must assign an SWG scheme for the remote access session and populate any session variables used in the per-request policy. An access profile of the SWG-Transparent type is required in the SWG configuration; however, it is not necessary to include any items in its access policy.

Task summary

Prerequisites

Before you start to create a Secure Web Gateway (SWG) transparent forward proxy configuration to support remote access clients, you must have completed these tasks.

  • You need to have configured a working application access, network access, or portal access configuration, depending on which type of remote client you want to support.
  • If you have not already done so, you must ensure that the URL database is downloaded.
  • You need to have configured at least one SWG scheme and any URL filters that you want to use in addition to or instead of the default URL filters.

Configuration outline

Tasks for integrating an Access Policy Manager® (APM®) remote access configuration with a Secure Web Gateway (SWG) transparent forward proxy configuration follow this order.

  • First, update the existing application access, network access, or portal access configuration to add a secure connectivity profile to the virtual server if one is not already specified.
  • Next, create an SWG transparent forward proxy configuration. The per-request policy is part of this configuration.
  • Finally, update the access policy in the existing application access, network access, or portal access configuration. An SWG scheme assignment is required in this access policy. If the per-request policy uses group or class lookup items, add queries to populate the session variables on which the lookup items rely.

Creating a connectivity profile

You create a connectivity profile to configure client connections.
  1. On the Main tab, click Access Policy > Secure Connectivity. A list of connectivity profiles displays.
  2. Click Add. The Create New Connectivity Profile popup screen opens and displays General Settings.
  3. Type a Profile Name for the connectivity profile.
  4. Select a Parent Profile from the list. APM® provides a default profile, connectivity.
  5. Click OK. The popup screen closes, and the Connectivity Profile List displays.
The connectivity profile appears in the list.
To provide functionality with a connectivity profile, you must add the connectivity profile to a virtual server.

Adding a connectivity profile to a virtual server

Update a virtual server that is part of an Access Policy Manager® application access, network access, or portal access configuration to enable a secure connectivity interface for traffic from the client.

  1. On the Main tab, click Local Traffic > Virtual Servers. The Virtual Server List screen opens.
  2. Click the name of the virtual server you want to modify.
  3. Scroll down to the Access Policy area.
  4. From the Connectivity Profile list, select the connectivity profile.
  5. Click Update to save the changes.

Configuring a per-request policy for SWG

Configure a per-request policy to specify the logic that determines how to process web traffic.
Note: A per-request policy must determine whether to bypass SSL traffic and, otherwise, whether to allow or reject a URL request in a Secure Web Gateway (SWG) forward proxy configuration.
  1. On the Main tab, click Access Policy > Per-Request Policies. The Per-Request Policies screen opens.
  2. Click Create. The General Properties screen displays.
  3. In the Name field, type a name for the policy and click Finished. A per-request policy name must be unique among all per-request policy and access profile names. The policy name appears on the Per-Request Policies screen.
  4. In the Access Policy column for the per-request policy that you want to update, click the Edit link. The visual policy editor opens in another tab.
  5. To create different branches for processing HTTP and HTTPS traffic, add a Protocol Lookup item.
    1. Click the (+) icon anywhere in the per-request policy to add a new item. A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
    2. Type prot in the Search field, select Protocol Lookup, and click Add Item. A Properties popup screen opens.
    3. Click Save. The Properties screen closes. The visual policy editor displays.
  6. If you configured SSL forward proxy bypass in the client and server SSL profiles, include an SSL Intercept Set item to ensure that SSL traffic is not bypassed until this policy determines that it should be. It is important to include SSL Intercept Set when the default SSL bypass action in the client SSL profile is set to Bypass.
  7. To retrieve the requested URL and the categories to which it belongs, add a Category Lookup item.
    Important: A Category Lookup item is required to trigger event logging for SWG, to provide a response web page for the Response Analytics item, and to provide categories for the URL Filter Assign item.
    1. Click the (+) icon anywhere in the per-request policy to add a new item. A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
    2. Type cat in the Search field, select Category Lookup, and click Add Item. A Properties popup screen opens.
    3. From the Categorization Input list, select how to obtain the requested URL. For HTTP traffic, select Use HTTP URI (cannot be used for SSL Bypass decisions). For SSL-encrypted traffic, select either Use SNI in Client Hello (if SNI is not available, use Subject.CN) or Use Subject.CN in Server Cert. If you select Use HTTP URI (cannot be used for SSL Bypass decisions), the SafeSearch Mode list displays and Enabled is selected.
    4. From the Category Lookup Type list, select the category types in which to search for the requested URL. Select one from Custom categories first, then standard categories if not found, Always process full list of both custom and standard categories, or Process standard categories only. Depending on your selection, the Category Lookup item looks through custom categories or standard categories or both, and compiles a list of one or more categories from them. The list is available for subsequent processing by the URL Filter Assign item.
    5. Click Save. The Properties screen closes. The visual policy editor displays.
  8. To enable Safe Search for SSL-encrypted traffic, add an additional Category Lookup item, specify Use HTTP URI (cannot be used for SSL Bypass decisions) as the Categorization Input, and retain the default setting (Enabled) for SafeSearch Mode.
  9. At any point in the policy where a decision to bypass SSL traffic is made, add an SSL Bypass Set item.
  10. Add any of these items to the policy.
    Item                  Description
    Dynamic Date Time     Branch by day of week or time of day.
    AD Group Lookup       Branch by user group. Requires branch rule configuration.
    LDAP Group Lookup     Branch by user group. Requires branch rule configuration.
    LocalDB Group Lookup  Branch by user group. Requires branch rule configuration.
    RADIUS Class Lookup   Branch by the class attribute. Requires branch rule configuration.
  11. To configure a branch rule for a LocalDB Group Lookup item:
    1. In the visual policy editor, click the name of the item. A Properties popup screen opens.
    2. Click the Branch Rules tab.
    3. To edit an expression, click the change link. An additional popup screen opens, displaying the Simple tab.
    4. If the Local Database action in the access policy was configured to read groups into the session.localdb.groups session variable, edit the default simple expression, User is a member of MY_GROUP, replacing MY_GROUP with a relevant group.
    5. If the Local Database action in the access policy was configured to read groups into a session variable other than session.localdb.groups, click the Advanced tab; edit the default advanced expression, expression is expr { [mcget {session.localdb.groups}] contains "MY_GROUP" }, replacing MY_GROUP with a relevant group and session.localdb.groups with the session variable specified in the Local Database action.
    6. Click Finished. The popup screen closes.
    7. Click Save. The popup screen closes. The visual policy editor displays.
  12. To configure a branch rule for AD, LDAP, or RADIUS group or class lookups:
    1. In the visual policy editor, click the name of the policy item. A Properties popup screen opens.
    2. Click the Branch Rules tab.
    3. To edit an expression, click the change link. An additional popup screen opens, displaying the Simple tab.
    4. Edit the default simple expression to specify the group or class that is used in your environment. In an LDAP Group Lookup item, the default simple expression is User is a member of CN=MY_GROUP, CN=USERS, CN=MY_DOMAIN. You can use the simple expression editor to replace the default values.
    5. Click Finished. The popup screen closes.
    6. Click Save. The popup screen closes. The visual policy editor displays.
  13. To trigger inspection of the response web page contents, add a Response Analytics item. A Category Lookup item must precede this item.
    1. In the Max Buffer Size field, type the number of bytes to buffer.
    2. In the Max Buffer time field, type the number of seconds to retain response data in the buffer.
    3. For the Reset on Failure field, retain the default value Enabled to send a TCP reset if the server fails.
    4. For each type of content that you want to exclude from analysis, click Add new entry and then select a type from the list. The All-Images type is on the list by default because images are not scanned.
    5. Click Finished. The popup screen closes.
    6. Click Save. The fallback branch after this item indicates that a failure occurred during content analysis. The Success branch indicates that content analysis completed. The popup screen closes. The visual policy editor displays.
  14. Add a URL Filter Assign item after the Response Analytics item, if included on the branch; otherwise, add it anywhere on a branch after a Category Lookup item. In this item, you must specify a URL filter to apply to the URL categories that the Category Lookup item returned. If any URL category specifies the Block filtering action, this item blocks the request. This item also blocks the request if the Response Analytics item identified malicious content.
To put the per-request policy into effect, add it to the virtual server.

Creating an access profile for SWG transparent forward proxy

You create an access profile to supply an access policy.
  1. On the Main tab, click Access Policy > Access Profiles. The Access Profiles List screen opens.
  2. Click Create. The New Profile screen opens.
  3. In the Name field, type a name for the access profile.
    Note: An access profile name must be unique among all access profile and per-request policy names.
  4. From the Profile Type list, select SWG-Transparent. Additional fields display set to default values.
  5. In the Language Settings area, add and remove accepted languages, and set the default language. A browser uses the highest priority accepted language. If no browser language matches the accepted languages list, the browser uses the default language.
  6. Click Finished. The Access Profiles list screen displays.
  7. To enable Secure Web Gateway event logging for this access profile, add log settings.
    1. Click the name of the access profile that you just created. The Properties screen displays.
    2. On the menu bar, click Logs. The General Properties screen displays.
    3. In the Log Settings area, move log settings from the Available list to the Selected list.
    You can configure log settings in the Access Policy Event Logs area of the product.
This creates an access profile with a default access policy that contains a Start and a Deny ending.
You do not need to add any actions or make any changes to the access policy.

Creating a wildcard virtual server for HTTP traffic on the connectivity interface

Before you begin, you need to know the name of the connectivity profile specified in the virtual server for the remote access configuration that you want Secure Web Gateway (SWG) to protect.
You configure a virtual server to process web traffic on the secure connectivity interface for a remote access client.
  1. On the Main tab, click Local Traffic > Virtual Servers. The Virtual Server List screen opens.
  2. Click the Create button. The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. In the Destination Address field, type 0.0.0.0/0 to accept any IPv4 traffic.
  5. In the Service Port field, type 80, or select HTTP from the list.
  6. From the Configuration list, select Advanced.
  7. From the HTTP Profile list, select http.
  8. Scroll down to the VLAN and Tunnel Traffic setting and select Enabled on.
  9. For the VLANs and Tunnels setting, move the secure connectivity interface to the Selected list.
  10. From the Source Address Translation list, select Auto Map.
  11. Scroll down to the Port Translation setting and clear the Enabled check box.
  12. In the Access Policy area, from the Access Profile list, select the access profile that you configured earlier.
  13. In the Access Policy area, from the Per-Request Policy list, select the policy that you configured earlier.
  14. Click Finished.

Creating a custom Client SSL forward proxy profile

A Client SSL forward proxy profile allows client and server authentication to take place while still letting the BIG-IP® system decrypt and re-encrypt the traffic in between, so that SWG can inspect it. This profile applies to client-side SSL forward proxy traffic only.

  1. On the Main tab, click Local Traffic > Profiles > SSL > Client. The Client profile list screen opens.
  2. Click Create. The New Client SSL Profile screen opens.
  3. In the Name field, type a unique name for the profile.
  4. From the Parent Profile list, select clientssl.
  5. To address privacy concerns, you might need to enable SSL forward proxy bypass for URLs that expose personal user information, such as those for financial or government sites.
    1. Scroll down to the SSL Forward Proxy area and, from its view list, select Advanced.
    2. Select the Custom check box for the SSL Forward Proxy area.
    3. From the SSL Forward Proxy list, select Enabled. You can update this setting later but only while the profile is not assigned to a virtual server.
    4. From the CA Certificate list, select a certificate.
    5. From the CA Key list, select a key.
    6. In the CA Passphrase field, type a passphrase.
    7. In the Confirm CA Passphrase field, type the passphrase again.
    8. In the Certificate Lifespan field, type a lifespan for the SSL forward proxy certificate in days.
    9. Optional: From the Certificate Extensions list, select Extensions List.
    10. Optional: For the Certificate Extensions List setting, select the extensions that you want in the Available extensions field, and move them to the Enabled Extensions field using the Enable button.
    11. From the SSL Forward Proxy Bypass list, select Enabled. You can update this setting later but only while the profile is not assigned to a virtual server. Additional settings display.
    12. For Default Bypass Action, retain the default value Intercept. You can override the value of this action on a case-by-case basis in the per-request policy for the virtual server.
      Note: Bypass and intercept lists do not work with per-request policies. Retain the setting None for the remainder of the fields.
  6. Click Finished.
The custom Client SSL forward proxy profile now appears in the Client SSL profile list screen.

Creating a custom Server SSL profile

Create a custom server SSL profile to support SSL forward proxy.
  1. On the Main tab, click Local Traffic > Profiles > SSL > Server. The SSL Server profile list screen opens.
  2. Click Create. The New Server SSL Profile screen opens.
  3. In the Name field, type a unique name for the profile.
  4. For Parent Profile, retain the default selection, serverssl.
  5. From the Configuration list, select Advanced.
  6. Select the Custom check box. The settings become available for change.
  7. From the SSL Forward Proxy list, select Enabled. You can update this setting later, but only while the profile is not assigned to a virtual server.
  8. From the SSL Forward Proxy Bypass list, select Enabled (or retain the default value Disabled). The values of the SSL Forward Proxy Bypass settings in the server SSL and the client SSL profiles specified in a virtual server must match. You can update this setting later but only while the profile is not assigned to a virtual server.
  9. Scroll down to the Secure Renegotiation list and select Request.
  10. Click Finished.
The custom Server SSL profile is now listed in the SSL Server profile list.

Creating a wildcard virtual server for SSL traffic on the connectivity interface

Before you begin, you need to know the name of the connectivity profile specified in the virtual server for the remote access configuration that you want Secure Web Gateway (SWG) to protect. Also, if you do not have existing client SSL and server SSL profiles that you want to use, configure them before you start.
You configure a virtual server to process SSL web traffic coming in on the secure connectivity interface for a remote access client.
  1. On the Main tab, click Local Traffic > Virtual Servers. The Virtual Server List screen opens.
  2. Click the Create button. The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. In the Destination Address field, type 0.0.0.0/0 to accept any IPv4 traffic.
  5. In the Service Port field, type 443 or select HTTPS from the list.
  6. From the Configuration list, select Advanced.
  7. From the HTTP Profile list, select http.
  8. For the SSL Profile (Client) setting, from the Available list, select the name of the Client SSL forward proxy profile you previously created, and using the Move button, move the name to the Selected list.
    Important: To enable SSL forward proxy functionality, you can either:
    • Disassociate existing Client SSL and Server SSL profiles from a virtual server and configure the SSL Forward Proxy settings.
    • Create new Client SSL and Server SSL profiles and configure the SSL Forward Proxy settings.
    Then with either option, select the Client SSL and Server SSL profiles on a virtual server. You cannot modify existing Client SSL and Server SSL profiles while they are selected on a virtual server to enable SSL forward proxy functionality.
  9. For the SSL Profile (Server) setting, from the Available list, select the name of the Server SSL forward proxy profile you previously created, and using the Move button, move the name to the Selected list.
  10. Scroll down to the VLAN and Tunnel Traffic setting and select Enabled on.
  11. For the VLANs and Tunnels setting, move the secure connectivity interface to the Selected list.
  12. From the Source Address Translation list, select Auto Map.
  13. Scroll down to the Port Translation setting and clear the Enabled check box.
  14. In the Access Policy area, from the Access Profile list, select the access profile that you configured earlier.
  15. In the Access Policy area, from the Per-Request Policy list, select the policy that you configured earlier.
  16. Click Finished.

Updating the access policy in the remote access configuration

Add an SWG Scheme Assign item to an access policy to assign a Secure Web Gateway (SWG) scheme to a client session. Add queries to populate any session variables that are required for successful execution of the per-request policy.

Note: Class lookup or group lookup items in a per-request policy rely on session variables that are populated in this access policy.
  1. On the Main tab, click Access Policy > Access Profiles. The Access Profiles List screen opens.
  2. Click the name of the access profile that you want to edit. The properties screen opens.
  3. Click Edit Access Policy for Profile profile_name. The visual policy editor opens the access policy in a separate screen.
  4. Click the (+) icon anywhere in the access policy to add a new action item.
    Note: Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type.
    A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
  5. On the Assignment tab, select SWG Scheme Assign and click Add Item. A properties screen opens.
  6. To display the available schemes, click the Add/Delete link.
  7. Select one scheme and click Save. The Properties screen closes and the visual policy editor screen displays.
  8. To supply LDAP group information for use in the per-request policy, add an LDAP Query item anywhere in the access policy and configure its properties:
    1. From the Server list, select an AAA LDAP server. An LDAP Query uses SSL connections when you select an LDAP AAA server that is configured for LDAPS.
    2. Specify the SearchDN and SearchFilter settings. SearchDN is the base DN from which the search is done.
    3. Click Save.
    This item populates the session.ldap.last.attr.memberOf session variable.
  9. To supply Active Directory groups for use in the per-request policy, add an AD Query item anywhere in the access policy and configure its properties:
    1. From the Server list, select an AAA AD server.
    2. Select the Fetch Primary Group check box. The value of the primary user group populates the session.ad.last.attr.primaryGroupID session variable.
    3. Click Save.
  10. To supply RADIUS class attributes for use in the per-request policy, add a RADIUS Auth item anywhere in the access policy and configure its properties:
    1. From the Server list, select an AAA RADIUS server.
    2. Click Save.
    This item populates the session.radius.last.attr.class session variable.
  11. To supply local database groups for use in the per-request policy, add a Local Database item anywhere in the access policy and configure its properties:
    1. From the LocalDB Instance list, select a local user database.
    2. In the User Name field, retain the default session variable.
    3. Click Add new entry. A new line is added to the list of entries with the Action set to Read and other default settings.
    4. In the Destination column, in the Session Variable field, type session.localdb.groups. If you type a name other than session.localdb.groups, note it; you will need it when you configure the per-request policy.
    5. In the Source column from the DB Property list, select groups.
    6. Click Save.
    This item populates the session.localdb.groups session variable.
The access policy is configured to assign an SWG scheme and to support the per-request policy.
Click the Apply Access Policy link to apply and activate your changes to this access policy.

Implementation result

The Secure Web Gateway (SWG) transparent forward proxy configuration is ready to process web traffic from remote access clients.

Session variables for use in a per-request policy

Per-request policy items that look up the group or class to which a user belongs rely on the access policy to populate these session variables.

Per-request policy item   Session variable                       Access policy item
AD Group Lookup           session.ad.last.attr.primaryGroupID    AD Query
LDAP Group Lookup         session.ldap.last.attr.memberOf        LDAP Query
LocalDB Group Lookup      session.localdb.groups                 Local Database
RADIUS Class Lookup       session.radius.last.attr.class         RADIUS Auth

Note: session.localdb.groups is the default session variable in the expression for LocalDB Group Lookup; any session variable in the expression must match the session variable used in the Local Database action in the access policy.