A Secure Web Gateway (SWG) explicit forward proxy deployment provides an easy way to handle web requests from users. For explicit forward proxy, you configure client browsers to point to a forward proxy server. A forward proxy server establishes a tunnel for SSL traffic. Other virtual servers (wildcard SSL and wildcard forwarding IP virtual servers) listen on the tunnel. The listener that best matches the web traffic directed to the forward proxy server handles the traffic.
Explicit forward proxy configuration
In any deployment of explicit forward proxy, you must consider how best to configure browsers on client systems to point to the proxy server and how to configure your firewall to prevent users from bypassing the proxy. This implementation does not explain how to do these tasks. However, here are some best practices to consider.
|Client browser||Consider using a group policy that points to a Proxy Auto-Configuration (PAC) file to distribute the configuration to clients and periodically update it.|
|Firewall||A best practice might be to configure the firewall to trust outbound connections from Secure Web Gateway only. Note that possibly not all applications will work with a firewall configured this way. (Secure Web Gateway uses ports 80 and 443.)|
When deployed as an application service, the Secure Web Gateway iApps® template can set up either an explicit or a transparent forward proxy configuration. You can download the template from the F5® DevCentral™ iApp Codeshare wiki at (http://devcentral.f5.com/wiki/iapp.Codeshare.ashx).
Ensure that prerequisites are complete before beginning the configuration.
Only L7 ACLs work with Secure Web Gateway (SWG) explicit forward proxy.
Before you begin, gather the IP addresses of the nameservers that you want to associate with a forward zone.
Creating a Client SSL forward proxy profile makes it possible for client and server authentication, while still allowing the BIG-IP® system to perform data optimization, such as decryption and encryption. This profile applies to client-side SSL forward proxy traffic only.
Web traffic that originates from your enterprise networks is now inspected and controlled by F5® Secure Web Gateway forward proxy.
This table lists per-request policy items that read session variables and lists the access policy items that populate the variables.
|Per-request policy item||Session variable||Access policy item|
|AD Group Lookup||session.ad.last.attr.primaryGroupID||AD Query|
|LDAP Group Lookup||session.ldap.last.attr.memberOf||LDAP Query|
|LocalDB Group Lookup||
Note: This session variable is a default in the expression for LocalDB Group Lookup; any session variable in the expression must match the session variable used in the Local Database action in the access policy.
|RADIUS Class Lookup||session.radius.last.attr.class||RADIUS Auth|
If you configure Access Policy Manager® APM® as a gateway for RDP clients and configure Secure Web Gateway (SWG) explicit forward proxy on the same BIG-IP® system, you need to complete an additional configuration step to ensure that APM can process the RDP client traffic. The recommended SWG configuration for explicit forward proxy includes a catch-all virtual server, which listens on all IP addresses and all ports, on an HTTP tunnel interface.
When a programmatic API queries listeners for a specific IP and port, the query covers all interfaces and tunnels. As a result, the catch-all virtual server will always match. Sending traffic using this tunnel results in all packets being dropped because this virtual server is configured as a reject type of virtual server.
To prevent RDP client traffic from being dropped, add an additional wildcard port-specific virtual server on the HTTP tunnel interface.
In the recommended Secure Web Gateway explicit forward proxy configuration, client browsers point to a forward proxy server that establishes a tunnel for SSL traffic. Additional wildcard virtual servers listen on the HTTP tunnel interface. The listener that best matches the web traffic directed to the forward proxy server handles the traffic.
Explicit forward proxy configuration