Manual Chapter : Policies for APM as a Secure Web Gateway

Applies To:


BIG-IP APM

  • 13.0.1, 13.0.0

Overview: Controlling forward proxy traffic with APM

On a BIG-IP® system with Access Policy Manager® (APM®), you can configure per-request policies to control forward proxy access with user-defined URL categories and filters that you have configured.

Task summary

You must have created an explicit or a transparent forward proxy configuration.

Task list

Configuring an access policy for forward proxy with SWG

You configure an access policy to support explicit forward proxy or transparent forward proxy. If you plan to use branching by group or class attribute in your per-request policy, you add items to the access policy to populate that information. You can also add access policy items to collect credentials and to authenticate a user or add access policy items to identify the user transparently.
Note: If you include authentication in your access policy and the first site that a user accesses uses HTTP instead of secure HTTP, passwords are passed as clear text. To prevent this from happening, F5 recommends using Kerberos or NTLM authentication.
  1. On the Main tab, click Access > Profiles / Policies .
    The Access Profiles (Per-Session Policies) screen opens.
  2. In the Per-Session Policy column, click the Edit link for the access profile you want to configure.
    The visual policy editor opens the access policy in a separate screen.
  3. Click the (+) icon anywhere in the access policy to add a new item.
    Note: Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type.
    A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
  4. If you specified an NTLM Auth configuration in the access profile, verify that authentication succeeded.
    1. On the Authentication tab, select NTLM Auth Result.
    2. Click Add Item.
      A properties popup screen opens.
    3. Click Save.
      The properties screen closes. The policy displays.
  5. To add Kerberos authentication to an access policy for forward proxy, add HTTP 407 Response (for explicit forward proxy) or HTTP 401 Response (for transparent forward proxy); then follow it with these actions in order: Variable Assign and Kerberos Auth.
    Note: This example uses HTTP 407 Response. You can replace it with HTTP 401 Response.
    In a transparent forward proxy configuration, APM does not support Kerberos request-based authentication.
    1. On a policy branch, click the plus symbol (+) to add an item to the policy.
    2. On the Logon tab, select HTTP 407 Response and click Add Item.
      A properties screen opens.
    3. From the HTTP Auth Level list, select negotiate and click Save.
      The properties screen closes.
    4. Click the (+) icon on the negotiate branch.
      A popup screen opens.
    5. On the Assignment tab, select Variable Assign and click Add Item.
      For Kerberos authentication to work correctly with forward proxy, you must assign the domain name for the proxy virtual server to a session variable.
    6. Click Add new entry.
      An empty entry appears in the Assignment table.
    7. Click the change link in the new entry.
      A popup screen opens.
    8. In the left pane, retain the selection of Custom Variable and type this variable name: session.server.network.name.
    9. In the right pane, in place of Custom Variable, select Text and type the domain name for the proxy virtual server.
    10. Click Finished.
      The popup screen closes.
    11. Click Save.
      The properties screen closes. The policy displays.
    12. On a policy branch, click the plus symbol (+) to add an item to the policy.
    13. On the Authentication tab, select Kerberos Auth and click Add Item.
      A properties screen opens.
    14. From the AAA Server list, select an existing server.
    15. From the Request Based Auth list, select Disabled.
    16. Click Save.
      The properties screen closes and the policy displays.
    Note: The Max Logon Attempts Allowed setting specifies attempts by an external client without a Kerberos ticket to authenticate on forward proxy.
  6. To identify a user transparently using information provided by a Secure Web Gateway (SWG) user identification agent, perform these steps:
    For this step of the access policy to succeed, you must have installed and configured either the F5® DC Agent or the F5 Logon Agent. Either agent is supported on a BIG-IP system with an SWG subscription only.
    1. On a policy branch, click the plus symbol (+) to add an item to the policy.
    2. From the Authentication tab, select Transparent Identity Import and click Add Item.
      The transparent identity import access policy item searches the database in the IF-MAP server for the client source IP address. By default, this access policy item has two branches: associated and fallback.
      A properties screen opens.
    3. Click Save.
      The visual policy editor opens.
    4. Add any additional access policy items to the fallback or associated branches.
      For example, you might add Kerberos authentication on the fallback branch.
  7. To supply LDAP group information for use in the per-request policy, add an LDAP Query item anywhere in the policy and configure its properties:
    1. From the Server list, select an AAA LDAP server.
      An LDAP Query uses SSL connections when you select an LDAP AAA server that is configured for LDAPS.
    2. Specify the SearchDN and SearchFilter settings.
      SearchDN is the base DN from which the search is done.
    3. Click Save.
    This item populates the session.ldap.last.attr.memberOf session variable.
  8. To supply Active Directory groups for use in the per-request policy, add an AD Query item anywhere in the policy and configure its properties:
    1. From the Server list, select an AAA AD server.
    2. Select the Fetch Primary Group check box.
      The value of the primary user group populates the session.ad.last.attr.primaryGroupID session variable.
    3. Click Save.
  9. To supply RADIUS class attributes for use in the per-request policy, add a RADIUS Auth item anywhere in the policy and configure its properties:
    1. From the Server list, select an AAA RADIUS server.
    2. Click Save.
    This item populates the session.radius.last.attr.class session variable.
  10. Click the Apply Access Policy link to apply and activate the changes to the policy.

Example policy: User-defined category-specific access control

In this per-request policy example, only recruiters are allowed to access URLs in the user-defined category Employment. The policy also restricts access to entertaining videos during business hours.

Figure: Category-specific access restrictions (using user-defined categories)

Example policy: URL filter per user group

Each URL Filter Assign item in this per-request policy example should specify a filter that is applicable to the user group.

Figure: URL filter based on group membership (a group lookup followed by branches for specific groups, with a URL filter assignment on each branch)
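The two example policies above (only recruiters reach the Employment category, entertaining videos are blocked during business hours, and each group branch assigns its own URL filter) can be modelled as a small decision function. The following Python is an added example, not F5 code and not an APM feature: it mirrors the evaluation order of the Category Lookup, group-branch and URL Filter Assign items and reads group membership from the session.ldap.last.attr.memberOf variable that the LDAP Query item populates. The category database, filters, group DNs, hostnames, the 09:00-17:00 business-hours window and the ' | ' separator for multi-valued attributes are all constructed assumptions.

```python
"""Added example (not F5 code): a Python model of the two example
per-request policies in this chapter. Categories, filters, groups,
hostnames, business hours and the ' | ' separator are assumptions."""
from datetime import datetime, time
from urllib.parse import urlparse

# Constructed user-defined categories: category -> hostnames (suffix match).
CUSTOM_CATEGORIES = {
    "Employment": ("jobs.example.com", "careers.example.org"),
    "Entertainment Video": ("videos.example.net",),
}

# Constructed URL filters: category -> allow/block; unlisted categories are allowed.
URL_FILTERS = {
    "recruiters_filter": {"Employment": "allow"},
    "engineering_filter": {"Employment": "block"},
    "default_filter": {"Employment": "block", "Entertainment Video": "block"},
}

# Constructed group -> filter branches (the "URL filter per user group" example).
GROUP_FILTERS = {
    "CN=Recruiters,OU=Groups,DC=example,DC=com": "recruiters_filter",
    "CN=Engineering,OU=Groups,DC=example,DC=com": "engineering_filter",
}

BUSINESS_HOURS = (time(9, 0), time(17, 0))  # assumption: 09:00-17:00 local time


def category_lookup(url):
    """Process custom categories only: every user-defined category whose host list matches."""
    host = (urlparse(url).hostname or "").lower()
    return sorted(
        cat for cat, hosts in CUSTOM_CATEGORIES.items()
        if any(host == h or host.endswith("." + h) for h in hosts)
    )


def groups_from_session(session):
    """Split session.ldap.last.attr.memberOf; assumption: values are separated by ' | '."""
    raw = session.get("session.ldap.last.attr.memberOf", "")
    return [g.strip() for g in raw.split("|") if g.strip()]


def select_filter(session):
    """Group branching: the first group that has a branch wins, else the fallback filter."""
    for group in groups_from_session(session):
        if group in GROUP_FILTERS:
            return GROUP_FILTERS[group]
    return "default_filter"


def url_filter_assign(filter_name, categories):
    """URL Filter Assign: block when the filter blocks any matched category."""
    rules = URL_FILTERS[filter_name]
    return "block" if any(rules.get(c) == "block" for c in categories) else "allow"


def evaluate_request(url, session, now):
    """Return 'allow' or 'block' for one request under the chapter's example policies."""
    categories = category_lookup(url)
    # Category-specific rule applied to everyone: no entertaining videos in business hours.
    if "Entertainment Video" in categories and BUSINESS_HOURS[0] <= now.time() < BUSINESS_HOURS[1]:
        return "block"
    return url_filter_assign(select_filter(session), categories)


def example_decisions():
    """Constructed sessions and requests exercising each branch of the policy."""
    recruiter = {"session.ldap.last.attr.memberOf":
                 "CN=Recruiters,OU=Groups,DC=example,DC=com | CN=Staff,OU=Groups,DC=example,DC=com"}
    engineer = {"session.ldap.last.attr.memberOf": "CN=Engineering,OU=Groups,DC=example,DC=com"}
    unknown = {}  # no LDAP Query result: falls back to default_filter
    noon = datetime(2024, 1, 8, 12, 0)
    evening = datetime(2024, 1, 8, 20, 0)
    return {
        "recruiter_employment_noon": evaluate_request("https://jobs.example.com/openings", recruiter, noon),
        "engineer_employment_noon": evaluate_request("https://jobs.example.com/openings", engineer, noon),
        "engineer_video_noon": evaluate_request("https://videos.example.net/clip", engineer, noon),
        "engineer_video_evening": evaluate_request("https://videos.example.net/clip", engineer, evening),
        "unknown_video_evening": evaluate_request("https://videos.example.net/clip", unknown, evening),
    }


if __name__ == "__main__":
    for name, decision in example_decisions().items():
        print(f"{name}: {decision}")
```

The ordering matters: the time-of-day restriction is evaluated before the per-group filter so that it cannot be bypassed by landing on a permissive branch, and a session with no group attribute falls through to the most restrictive filter rather than being allowed by default.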

Creating a per-request policy

You must create a per-request policy before you can configure it in the visual policy editor.
  1. On the Main tab, click Access > Profiles / Policies > Per-Request Policies .
    The Per-Request Policies screen opens.
  2. Click Create.
    The General Properties screen displays.
  3. In the Name field, type a name for the policy and click Finished.
    A per-request policy name must be unique among all per-request policy and access profile names.
    The policy name appears on the Per-Request Policies screen.

Applying user-defined URL categories and filters in a per-request policy

Important: This task is for use on a BIG-IP® system without an SWG subscription.
Look up the category for a URL request and assign a URL filter that blocks or allows access to control access to the web, based on the category of the URL request.
Note: This task provides the steps for adding items to control web traffic based on the URL category. It does not specify a complete per-request policy.
  1. On the Main tab, click Access > Profiles / Policies > Per-Request Policies .
    The Per-Request Policies screen opens.
  2. In the Name field, locate the policy that you want to update, then in the Per-Request Policy field, click the Edit link.
    The visual policy editor opens in another tab.
  3. On the General Purpose tab, select Category Lookup item and click Add Item.
    A popup Properties screen opens.
  4. For Categorization Input, select an option based on the type of traffic to process:
    • For HTTP traffic, select Use HTTP URI (cannot be used for SSL Bypass decisions). If you select this option, the SafeSearch Mode field appears, set to Enabled.
    • For SSL-encrypted traffic, select Use SNI in Client Hello (if SNI is not available, use Subject.CN) or Use Subject.CN in Server Cert.
    Tip: Early in the per-request policy, you can insert a Protocol Lookup agent to provide separate branches for HTTPS and HTTP traffic.
  5. For Category Lookup Type, retain the default value Process custom categories only; it is the only value available here.
    Category Lookup looks through the user-defined categories to compile a list of categories for the URL.
  6. Click Save.
    The properties screen closes. The visual policy editor displays.
  7. On a branch after a Category Lookup item, add a URL Filter Assign agent and, in its properties, select a URL filter.
A per-request policy goes into effect when you add it to a virtual server. Depending on the forward proxy configuration, you might need to add the per-request policy to more than one virtual server.

Adding a per-request policy to the virtual server

To add per-request processing to a configuration, associate the per-request policy with the virtual server.

  1. On the Main tab, click Local Traffic > Virtual Servers .
    The Virtual Server List screen opens.
  2. Click the name of the virtual server.
  3. In the Access Policy area, from the Per-Request Policy list, select the policy that you configured earlier.
  4. Click Update.
The per-request policy is now associated with the virtual server.

Virtual server Access Policy settings for forward proxy

F5 recommends multiple virtual servers for configurations where Access Policy Manager® (APM®) acts as an explicit or transparent forward proxy. This table lists forward proxy configurations, the virtual servers recommended for each, and whether an access profile and per-request policy should be specified on the virtual server.

| Forward proxy | Recommended virtual servers (by purpose) | Specify access profile? | Specify per-request policy? |
|---|---|---|---|
| Explicit | Process HTTP traffic | Yes | Yes |
| Explicit | Process HTTPS traffic | Yes | Yes |
| Explicit | Reject traffic other than HTTP and HTTPS | N/A | N/A |
| Transparent Inline | Process HTTP traffic | Yes | Yes |
| Transparent Inline | Process HTTPS traffic | Only when a captive portal is also included in the configuration | Only when a captive portal is also included in the configuration |
| Transparent Inline | Forward traffic other than HTTP and HTTPS | N/A | N/A |
| Transparent Inline | Captive portal | Yes | No |
| Transparent | Process HTTP traffic | Yes | Yes |
| Transparent | Process HTTPS traffic | Only when a captive portal is also included in the configuration | Only when a captive portal is also included in the configuration |
| Transparent | Captive portal | Yes | No |