Manual Chapter: Explicit Forward Proxy Configuration

Explicit Forward Proxy Configuration

Overview: Configuring SWG explicit forward proxy

A Secure Web Gateway (SWG) explicit forward proxy deployment provides an easy way to handle web requests from users. For explicit forward proxy, you configure client browsers to point to a forward proxy server. A forward proxy server establishes a tunnel for SSL traffic. Other virtual servers (wildcard SSL and wildcard forwarding IP virtual servers) listen on the tunnel. The listener that best matches the web traffic directed to the forward proxy server handles the traffic.

Figure: Explicit forward proxy configuration (clients on LAN)

In any deployment of explicit forward proxy, you must consider how best to configure browsers on client systems to point to the proxy server and how to configure your firewall to prevent users from bypassing the proxy. This implementation does not explain how to do these tasks. However, here are some best practices to consider.

Table 1. Client browser and firewall configuration

Configuration    Recommendation
Client browser   Use a group policy that points clients to a Proxy Auto-Configuration (PAC) file, so that the proxy configuration is distributed centrally and can be updated periodically.
Firewall         Allow outbound HTTP and HTTPS connections (ports 80 and 443, which Secure Web Gateway uses) only from the Secure Web Gateway itself, so that clients cannot reach the Internet without going through the proxy. Not every application works with the firewall configured this way, so test before enforcing the rule.
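The PAC file recommended in Table 1, as an added worked example that is not part of the F5 manual. It assumes a forward proxy virtual server at 10.1.1.20:3128 (a hypothetical address and port; use the values of the virtual server you create later in this chapter) and an internal domain corp.example.com. The shims at the top exist only so the file can be loaded and tested under Node.js; browsers provide isPlainHostName, dnsDomainIs and isInNet themselves.

```javascript
// proxy.pac: Proxy Auto-Configuration file pointing browsers at the SWG explicit
// forward proxy. Added example, not from the F5 manual. Assumed (hypothetical) values:
//   - forward proxy virtual server: 10.1.1.20:3128
//   - internal corporate domain: corp.example.com
// Browsers provide isPlainHostName/dnsDomainIs/isInNet themselves; the shims below
// exist only so the file runs under Node.js. They accept dotted-quad hosts only and
// never resolve names, unlike the browser builtins.
if (typeof isPlainHostName === "undefined") {
  globalThis.isPlainHostName = (host) => host.indexOf(".") === -1;
  globalThis.dnsDomainIs = (host, domain) =>
    host.toLowerCase().endsWith(domain.toLowerCase());
  globalThis.isInNet = (host, pattern, mask) => {
    if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false;
    const toInt = (ip) => ip.split(".").reduce((acc, o) => (acc << 8) + Number(o), 0) >>> 0;
    return ((toInt(host) & toInt(mask)) >>> 0) === ((toInt(pattern) & toInt(mask)) >>> 0);
  };
}

// No "; DIRECT" after the proxy entry: if the proxy is unreachable the browser
// fails closed instead of silently bypassing inspection (the firewall rule in
// Table 1 would block the attempt anyway, but the PAC should not invite it).
var PROXY = "PROXY 10.1.1.20:3128";

function FindProxyForURL(url, host) {
  // Single-label names and the corporate domain are internal: go direct.
  if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example.com")) {
    return "DIRECT";
  }
  // RFC 1918 address space is internal too.
  if (isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "172.16.0.0", "255.240.0.0") ||
      isInNet(host, "192.168.0.0", "255.255.0.0")) {
    return "DIRECT";
  }
  // Everything else is Internet-bound and must traverse the SWG.
  return PROXY;
}

// Lets Node.js tests import the function; harmless inside a browser PAC sandbox.
if (typeof module !== "undefined") module.exports = { FindProxyForURL };
```

The deliberate omission of a "; DIRECT" fallback on the proxy rule is the security-relevant choice: with a fallback, a browser that cannot reach the proxy goes direct without any user-visible sign, which is exactly the bypass the firewall rule in Table 1 is meant to stop. Fail closed and monitor proxy availability instead.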

About the iApp for Secure Web Gateway configuration

When deployed as an application service, the Secure Web Gateway iApps® template can set up either an explicit or a transparent forward proxy configuration. You can download the template from the F5® DevCentral™ iApp Codeshare wiki at (http://devcentral.f5.com/wiki/iapp.Codeshare.ashx).

SWG explicit forward proxy configuration prerequisites

Ensure that prerequisites are complete before beginning the configuration.

Per-request policy
A per-request policy is required in any Secure Web Gateway (SWG) forward proxy configuration. A per-request policy must specify the logic for processing URL requests.
URL categorization
On a BIG-IP® system with an SWG subscription, you must download and install a URL database and schedule updates for it. On a system without an SWG subscription, you can configure user-defined URL categories and filters to control access by filtering URLs.
Transparent user identification
On a system with an SWG subscription, if you plan to identify users transparently, you must first download, install, and configure an F5® user identification agent, either the F5 DC Agent or the F5 Logon Agent.
Note: User identification agents are available only on a BIG-IP® system with an SWG subscription.
Authentication
If you include authentication in your access policy and the first site that a user accesses uses HTTP instead of secure HTTP, any credentials collected over that unencrypted connection are passed as clear text. To prevent this, F5 recommends NTLM or Kerberos authentication, both of which authenticate the user without sending the password itself across the network. If you plan to use authentication, ensure that you have what you need configured.
  • For NTLM, you need an NTLM Auth Configuration in Access Policy Manager® (APM®).
  • For Kerberos, you need a domain-joined Kerberos user account and a Kerberos AAA server configured in APM.
SSL intercept
To intercept SSL connections that are passing through the proxy, ensure that you have imported a valid subordinate CA certificate and key that is trusted by the endpoints behind the proxy.

About ACLs and SWG explicit forward proxy

Only L7 ACLs work with Secure Web Gateway (SWG) explicit forward proxy.

Creating a DNS resolver

You configure a DNS resolver on the BIG-IP® system to resolve DNS queries and cache the responses. The next time the system receives a query for a response that exists in the cache, the system returns the response from the cache.
  1. On the Main tab, click Network > DNS Resolvers > DNS Resolver List .
    The DNS Resolver List screen opens.
  2. Click Create.
    The New DNS Resolver screen opens.
  3. In the Name field, type a name for the resolver.
  4. Click Finished.

Adding forward zones to a DNS resolver

Before you begin, gather the IP addresses of the nameservers that you want to associate with a forward zone.

Add a forward zone to a DNS resolver when you want the BIG-IP® system to forward queries for particular zones to specific nameservers for resolution in case the resolver does not contain a response to the query.
Note: Creating a forward zone is optional. Without one, a DNS resolver can still make recursive name queries to the root DNS servers; however, this requires that the virtual servers using the cache have a route to the Internet.
  1. On the Main tab, click Network > DNS Resolvers > DNS Resolver List .
    The DNS Resolver List screen opens.
  2. Click the name of the resolver you want to modify.
    The properties screen opens.
  3. On the menu bar, click Forward Zones.
    The Forward Zones screen displays.
  4. Click the Add button.
    Note: You can add more than one zone to forward, based on the needs of your organization.
  5. In the Name field, type the name of a subdomain or type the fully qualified domain name (FQDN) of a forward zone.
    For example, either example or site.example.com would be valid zone names.
  6. Add one or more nameservers:
    1. In the Address field, type the IP address of a DNS nameserver that is considered authoritative for this zone.
      Based on your network configuration, add IPv4 or IPv6 addresses, or both.
    2. Click Add.
      The address is added to the list.
    Note: The order of nameservers in the configuration does not impact which nameserver the system selects to forward a query to.
  7. Click Finished.

Creating a tunnel for SSL forward proxy traffic

You create a tunnel to support SSL traffic in a Secure Web Gateway (SWG) explicit forward proxy configuration.
Note: Alternatively, you can use a preconfigured tunnel, http-tunnel.
  1. On the Main tab, click Network > Tunnels > Tunnel List .
    The Tunnel List screen opens.
  2. Click Create.
  3. In the Name field, type a name.
  4. From the Encapsulation Type menu, select tcp-forward.
  5. Click Finished.
    The Tunnel List screen displays the tunnel with tcp-forward in the Profile column.

Creating a custom HTTP profile for explicit forward proxy

An HTTP profile defines the way that you want the BIG-IP®system to manage HTTP traffic.
Note: Secure Web Gateway (SWG) explicit forward proxy requires a DNS resolver that you select in the HTTP profile.
  1. On the Main tab, click Local Traffic > Profiles > Services > HTTP .
    The HTTP profile list screen opens.
  2. Click Create.
    The New HTTP Profile screen opens.
  3. In the Name field, type a unique name for the profile.
  4. From the Proxy Mode list, select Explicit.
  5. For Parent Profile, retain the http-explicit setting.
  6. Select the Custom check box.
  7. Scroll down to the Explicit Proxy area.
  8. From the DNS Resolver list, select the DNS resolver you configured previously.
  9. In the Tunnel Name field, you can retain the default value, http-tunnel, or type the name of a tunnel if you created one.
    SWG requires a tunnel with tcp-forward encapsulation to support SSL traffic for explicit forward proxy.
  10. From the Default Connect Handling list, retain the default setting Deny.
    Any CONNECT traffic goes through the tunnel to the virtual server that most closely matches the traffic; if there is no match, the traffic is blocked.
  11. Click Finished.
The custom HTTP profile now appears in the HTTP profile list screen.

Creating an access profile for explicit forward proxy

Create an access profile to provide the access policy configuration for a virtual server that establishes a secured session.
  1. On the Main tab, click Access Policy > Access Profiles .
    The Access Profiles List screen opens.
  2. Click Create.
    The New Profile screen opens.
  3. In the Name field, type a name for the access profile.
    Note: An access profile name must be unique among all access profile and per-request policy names.
  4. From the Profile Type list, select SWG-Explicit.
    Selecting this type ensures that only access policy items that are valid for Secure Web Gateway (SWG) explicit forward proxy are available in the visual policy editor when you configure an access policy.
  5. In the Configurations area for the User Identification Method list, select one of these methods:
    • IP Address: Select this method only in an environment where a client IP address is unique and can be trusted.
    • Credentials: Select this method to identify users using NTLM authentication.
  6. If you selected Credentials for the User Identification Method, you must select an entry from the NTLM Auth Configuration list.
  7. If you selected IP Address for the User Identification Method, you can also select an entry from the NTLM Auth Configuration list to use NTLM authentication before a session starts.
    In the case of a shared machine, an IP address might already be associated with a user or a session. Using NTLM authentication ensures that the system can associate the IP address with the correct session (new or existing) or with a new user each time a user logs on to a shared machine.
  8. In the Language Settings area, add and remove accepted languages, and set the default language.
    A browser uses the highest priority accepted language. If no browser language matches the accepted languages list, the browser uses the default language.
  9. Click Finished.
    The Access Profiles list screen displays.
The access profile displays in the Access Profiles List. Default-log-setting is assigned to the access profile.

Verifying log settings for the access profile

Confirm that the correct log settings are selected for the access profile to ensure that events are logged as you intend.
Note: Log settings are configured in the Access Policy Event Logs area of the product. They enable and disable logging for access system and URL request filtering events. Log settings also specify log publishers that send log messages to specified destinations.
  1. On the Main tab, click Access Policy > Access Profiles .
    The Access Profiles List screen opens.
  2. Click the name of the access profile that you want to edit.
    The properties screen opens.
  3. On the menu bar, click Logs.
    The access profile log settings display.
  4. Move log settings between the Available and Selected lists.
    You can assign up to three log settings that enable access system logging to an access profile. You can assign additional log settings to an access profile only if they enable URL request logging alone.
    Note: Logging is disabled when the Selected list is empty.
  5. Click Update.
An access profile is in effect when it is assigned to a virtual server.

Configuring an access policy for SWG explicit forward proxy

You configure an access policy for Secure Web Gateway (SWG) explicit forward proxy to populate session variables with group or class attribute information for use in the per-request policy. You can also add access policy items to collect credentials and to authenticate a user or add access policy items to identify the user transparently.
Note: If you include authentication in your access policy and the first site that a user accesses uses HTTP instead of secure HTTP, passwords are passed as clear text. To prevent this from happening, F5® recommends using Kerberos or NTLM authentication.
  1. On the Main tab, click Access Policy > Access Profiles .
    The Access Profiles List screen opens.
  2. In the Access Policy column for the access profile, click Edit to open the visual policy editor, and then click the (+) icon anywhere in the access policy to add a new action item.
    Note: Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type.
    A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
  3. If you specified an NTLM Auth configuration in the access profile, verify that authentication succeeded.
    1. Type NTLM in the search field.
    2. Select NTLM Auth Result from the results list.
    3. Click Add Item.
      A properties popup screen opens.
    4. Click Save.
      The properties screen closes. The visual policy editor displays.
  4. Optional: To add Kerberos authentication to the access policy, perform these substeps:
    1. On an access policy branch, click the plus symbol (+) to add an item to the access policy.
    2. On the Logon tab, select HTTP 407 Response and click Add Item.
      A properties screen opens.
    3. From the HTTP Auth Level list, select negotiate and click Save.
      The properties screen closes.
    4. Click the (+) icon on the negotiate branch.
      A popup screen opens.
    5. Type ker in the search field, select Kerberos Auth from the results, and click Add Item.
      A properties screen opens.
    6. From the AAA Server list, select an existing server.
    7. From the Request Based Auth list, select Disabled.
    8. Click Save.
      The properties screen closes and the visual policy editor displays.
    Note: The Max Logon Attempts Allowed setting specifies attempts by an external client without a Kerberos ticket to authenticate on forward proxy.
  5. To identify a user transparently using information provided by a BIG-IP® user identification agent, perform these substeps:
    For this step of the access policy to succeed, you must have installed and configured either the F5® DC Agent or the F5 Logon Agent. Either agent is supported on a BIG-IP system with an SWG subscription only.
    1. On an access policy branch, click the plus symbol (+) to add an item to the access policy.
    2. From the Authentication tab, select Transparent Identity Import and click Add Item.
      The transparent identity import access policy item searches the database in the IF-MAP server for the client source IP address. By default, this access policy item has two branches: associated and fallback.
      A properties screen opens.
    3. Click Save.
      The visual policy editor displays.
    4. Add any additional access policy items to the fallback or associated branches.
      You might add Kerberos authentication on the fallback branch.
  6. To supply LDAP group information for use in the per-request policy, add an LDAP Query item anywhere in the access policy and configure its properties:
    1. From the Server list, select an AAA LDAP server.
      An LDAP Query uses SSL connections when you select an LDAP AAA server that is configured for LDAPS.
    2. Specify the SearchDN, and SearchFilter settings.
      SearchDN is the base DN from which the search is done.
    3. Click Save.
    This item populates the session.ldap.last.attr.memberOf session variable.
  7. To supply Active Directory groups for use in the per-request policy, add an AD Query item anywhere in the access policy and configure its properties:
    1. From the Server list, select an AAA AD server.
    2. Select the Fetch Primary Group check box.
      The value of the primary user group populates the session.ad.last.attr.primaryGroupID session variable.
    3. Click Save.
  8. To supply RADIUS class attributes for use in the per-request policy, add a RADIUS Auth item anywhere in the access policy and configure its properties:
    1. From the Server list, select an AAA RADIUS server.
    2. Click Save.
    This item populates the session.radius.last.attr.class session variable.
  9. Click the Apply Access Policy link to apply and activate the changes to the access policy.
To apply this access policy to network traffic, add the access profile to a virtual server.
Note: To ensure that logging is configured to meet your requirements, verify the log settings for the access profile.

Creating a virtual server to use as the forward proxy server

You specify a virtual server to handle forward proxy traffic with Secure Web Gateway (SWG). In an explicit proxy configuration, client browser configurations specify this virtual server as the proxy server.
Note: Use this virtual server for forward proxy traffic only. You should not try to use it for reverse proxy too; do not add a pool to it. This virtual server is, in effect, a bastion host.
  1. On the Main tab, click Local Traffic > Virtual Servers .
    The Virtual Server List screen opens.
  2. Click the Create button.
    The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. In the Destination Address field, type the IP address for a host virtual server.
    This field accepts an address in CIDR format (IP address/prefix). However, when you type the complete IP address for a host, you do not need to type a prefix after the address.
    Type a destination address in this format: 162.160.15.20.
  5. From the Configuration list, select Advanced.
  6. In the Service Port field, type the port number to use for forward proxy traffic.
    Typically, the port number is 3128 or 8080.
  7. From the HTTP Profile list, select the HTTP profile you configured earlier.
  8. From the VLAN and Tunnel Traffic list, select Enabled on.
  9. For the VLANs and Tunnels setting, move the VLAN on the BIG-IP® system that connects to the internal networks to the Selected list.
  10. From the Source Address Translation list, select Auto Map.
  11. If the per-request policy that you configured earlier includes application filtering, perform these substeps:
    1. From the Classification list, select Enabled.
    2. Scroll down to the Resources area.
    3. For Policies, make sure that sys_CEC_video_policy is enabled.
    Note: The per-request policy uses application filtering when it runs an Application Lookup action.
  12. In the Access Policy area, from the Access Profile list, select the access profile that you configured earlier.
  13. From the Per-Request Policy list, select the per-request policy that you configured earlier.
  14. Click Finished.

Creating a custom Client SSL forward proxy profile

A Client SSL forward proxy profile lets the BIG-IP® system terminate the client side of an SSL session, decrypt and re-encrypt the traffic for inspection, and present the client with a certificate issued on the fly by the subordinate CA you imported, while still supporting client and server authentication. This profile applies to client-side SSL forward proxy traffic only.

  1. On the Main tab, click Local Traffic > Profiles > SSL > Client .
    The Client profile list screen opens.
  2. Click Create.
    The New Client SSL Profile screen opens.
  3. In the Name field, type a unique name for the profile.
  4. From the Parent Profile list, select clientssl.
  5. Configure SSL forward proxy, and also enable SSL forward proxy bypass so that the per-request policy can exempt sites that expose personal user information, such as financial or government sites, from interception for privacy reasons.
    1. Scroll down to the SSL Forward Proxy list, and select Advanced.
    2. Select the Custom check box for the SSL Forward Proxy area.
    3. From the SSL Forward Proxy list, select Enabled.
      You can update this setting later but only while the profile is not assigned to a virtual server.
    4. From the CA Certificate list, select a certificate.
    5. From the CA Key list, select a key.
    6. In the CA Passphrase field, type a passphrase.
    7. In the Confirm CA Passphrase field, type the passphrase again.
    8. In the Certificate Lifespan field, type a lifespan for the SSL forward proxy certificate in days.
    9. Optional: From the Certificate Extensions list, select Extensions List.
    10. Optional: For the Certificate Extensions List setting, select the extensions that you want in the Available extensions field, and move them to the Enabled Extensions field using the Enable button.
    11. From the SSL Forward Proxy Bypass list, select Enabled.
      You can update this setting later but only while the profile is not assigned to a virtual server.
      Additional settings display.
    12. For Default Bypass Action, retain the default value Intercept.
      You can override the value of this action on a case-by-case basis in the per-request policy for the virtual server.
      Note: Bypass and intercept lists do not work with per-request policies. Retain the setting None for the remainder of the fields.
  6. Click Finished.
The custom Client SSL forward proxy profile now appears in the Client SSL profile list screen.

Creating a custom Server SSL profile

Create a custom server SSL profile to support SSL forward proxy.
  1. On the Main tab, click Local Traffic > Profiles > SSL > Server .
    The SSL Server profile list screen opens.
  2. Click Create.
    The New Server SSL Profile screen opens.
  3. In the Name field, type a unique name for the profile.
  4. For Parent Profile, retain the default selection, serverssl.
  5. From the Configuration list, select Advanced.
  6. Select the Custom check box.
    The settings become available for change.
  7. From the SSL Forward Proxy list, select Enabled.
    You can update this setting later, but only while the profile is not assigned to a virtual server.
  8. From the SSL Forward Proxy Bypass list, select Enabled (or retain the default value Disabled).
    The values of the SSL Forward Proxy Bypass settings in the server SSL and the client SSL profiles specified in a virtual server must match. You can update this setting later but only while the profile is not assigned to a virtual server.
  9. Scroll down to the Secure Renegotiation list and select Request.
  10. Click Finished.
The custom Server SSL profile is now listed in the SSL Server profile list.

Creating a virtual server for SSL forward proxy traffic

You specify a port-specific wildcard virtual server to handle SSL traffic. This virtual server listens on the tunnel that the forward proxy server establishes.
  1. On the Main tab, click Local Traffic > Virtual Servers .
    The Virtual Server List screen opens.
  2. Click the Create button.
    The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. In the Destination Address field, type 0.0.0.0/0 to accept any IPv4 traffic.
  5. In the Service Port field, type 443 or select HTTPS from the list.
  6. From the Configuration list, select Advanced.
  7. From the HTTP Profile list, select http.
  8. For the SSL Profile (Client) setting, from the Available list, select the name of the custom Client SSL proxy profile you previously created, and using the Move button, move the name to the Selected list.
    Important: To enable proxy SSL functionality, you can either:
    • Disassociate existing Client SSL and Server SSL profiles from a virtual server and configure the Proxy SSL settings.
    • Create new Client SSL and Server SSL profiles and configure the Proxy SSL settings.
    Then with either option, select the Client SSL and Server SSL profiles on a virtual server. You cannot modify existing Client SSL and Server SSL profiles while they are selected on a virtual server to enable proxy SSL functionality.
  9. For the SSL Profile (Server) setting, from the Available list, select the name of the custom Server SSL proxy profile you previously created, and using the Move button, move the name to the Selected list.
  10. From the VLAN and Tunnel Traffic list, select Enabled on.
  11. For the VLANs and Tunnels setting, move either the tunnel you configured earlier or the default tunnel, http-tunnel, to the Selected list.
    This must be the same tunnel that you specified in the HTTP profile for the virtual server for forward proxy.
  12. From the Source Address Translation list, select Auto Map.
  13. For the Address Translation setting, clear the Enabled check box.
  14. If the per-request policy that you configured earlier includes application filtering, perform these substeps:
    1. From the Classification list, select Enabled.
    2. Scroll down to the Resources area.
    3. For Policies, make sure that sys_CEC_video_policy is enabled.
    Note: The per-request policy uses application filtering when it runs an Application Lookup action.
  15. In the Access Policy area, from the Access Profile list, select the access profile that you configured earlier.
  16. From the Per-Request Policy list, select the per-request policy that you configured earlier.
  17. Click Finished.
The virtual server now appears in the Virtual Server List screen.

Creating a virtual server to reject traffic

You create a reject type virtual server, listening on all addresses and all ports of the tunnel, to drop any traffic that no other listener on the tunnel matches: for example, CONNECT requests to destination ports other than 443, or requests whose target URLs are incomplete or otherwise misconfigured for use with forward proxy. This virtual server listens on the tunnel that the forward proxy server establishes.
Note: Secure Web Gateway does not support application access and network access tunnels.
  1. On the Main tab, click Local Traffic > Virtual Servers .
    The Virtual Server List screen opens.
  2. Click the Create button.
    The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. From the Type list, select Reject.
  5. In the Source Address field, type 0.0.0.0/0.
  6. In the Destination Address field, type 0.0.0.0/0 to accept any IPv4 traffic.
  7. From the Service Port list, select *All Ports.
  8. From the Protocol list, select TCP.
  9. From the VLAN and Tunnel Traffic list, select Enabled on.
  10. For the VLANs and Tunnels setting, select the tunnel you configured earlier, or select the default tunnel, http-tunnel, and move it to the Selected list.
    This must be the same tunnel that is specified in the virtual server for the forward proxy server.
  11. Click Finished.

Implementation result

Web traffic that originates from your enterprise networks is now inspected and controlled by F5® Secure Web Gateway forward proxy.

Per-request policy items that read session variables

This table lists per-request policy items that read session variables and lists the access policy items that populate the variables.

Per-request policy item   Session variable                       Access policy item
AD Group Lookup           session.ad.last.attr.primaryGroupID    AD Query
LDAP Group Lookup         session.ldap.last.attr.memberOf        LDAP Query
LocalDB Group Lookup      session.localdb.groups                 Local Database
RADIUS Class Lookup       session.radius.last.attr.class         RADIUS Auth

Note: session.localdb.groups is the default session variable in the expression for LocalDB Group Lookup; any session variable in that expression must match the session variable used in the Local Database action in the access policy.

Overview: Processing RDP traffic on a device with SWG

If you configure Access Policy Manager® APM® as a gateway for RDP clients and configure Secure Web Gateway (SWG) explicit forward proxy on the same BIG-IP® system, you need to complete an additional configuration step to ensure that APM can process the RDP client traffic. The recommended SWG configuration for explicit forward proxy includes a catch-all virtual server, which listens on all IP addresses and all ports, on an HTTP tunnel interface.

When a programmatic API queries listeners for a specific IP and port, the query covers all interfaces and tunnels. As a result, the catch-all virtual server will always match. Sending traffic using this tunnel results in all packets being dropped because this virtual server is configured as a reject type of virtual server.

To prevent RDP client traffic from being dropped, add an additional wildcard port-specific virtual server on the HTTP tunnel interface.

Note: Removing the catch-all virtual server from the HTTP tunnel interface is not recommended because doing so is counterproductive for security.

About wildcard virtual servers on the HTTP tunnel interface

In the recommended Secure Web Gateway explicit forward proxy configuration, client browsers point to a forward proxy server that establishes a tunnel for SSL traffic. Additional wildcard virtual servers listen on the HTTP tunnel interface. The listener that best matches the web traffic directed to the forward proxy server handles the traffic.

Figure: Explicit forward proxy configuration (clients on LAN)

Creating a virtual server for RDP client traffic

You specify a port-specific wildcard virtual server to match RDP client traffic on the HTTP tunnel interface for the Secure Web Gateway (SWG) explicit forward proxy configuration.
  1. On the Main tab, click Local Traffic > Virtual Servers .
    The Virtual Server List screen opens.
  2. Click the Create button.
    The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. In the Destination Address field, type 0.0.0.0/0 to accept any IPv4 traffic.
  5. In the Service Port field, type 3389.
  6. From the Configuration list, select Advanced.
  7. From the VLAN and Tunnel Traffic list, select Enabled on.
  8. For the VLANs and Tunnels setting, move the HTTP tunnel interface used in the SWG explicit forward proxy configuration to the Selected list.
    The default tunnel is http-tunnel.
    This must be the same tunnel specified in the HTTP profile for the virtual server for forward proxy.
  9. For the Address Translation setting, clear the Enabled check box.
  10. Click Finished.
The virtual server now appears in the Virtual Server List screen.