For explicit forward proxy, you configure client browsers to point to a forward proxy server. A forward proxy server establishes a tunnel for SSL traffic. Other virtual servers (wildcard SSL and wildcard forwarding IP virtual servers) listen on the tunnel. The listener that best matches the web traffic directed to the forward proxy server handles the traffic.
Explicit forward proxy configuration
Use these procedures to configure the virtual servers, SSL profiles, access profile, and tunnel, that you need to support explicit forward proxy. When you are done, you must add an access policy and a per-request policy to this configuration to process traffic as you want.
When deployed as an application service, the Secure Web Gateway (SWG) iApps® template can set up either an explicit or a transparent forward proxy configuration. The template is designed for use on a system provisioned and licensed with SWG. To download a zipped file of iApp templates from the F5 Downloads site at (downloads.f5.com), you must register for an F5 support account. In the zipped file, a README and template for F5 Secure Web Gateway are located in the RELEASE_CANDIDATE folder.
In any deployment of explicit forward proxy, you must consider how best to configure browsers on client systems to point to the proxy server and how to configure your firewall to prevent users from bypassing the proxy. Here are some best practices to consider.
|Client browser||Consider using a group policy that points to a Proxy Auto-Configuration (PAC) file to distribute the configuration to clients and periodically update it.|
|Firewall||A best practice might be to configure the firewall to trust outbound connections from Access Policy Manager® (APM®) only. Note that possibly not all applications will work with a firewall configured this way. (APM uses ports 80 and 443.)|
Before you begin, gather the IP addresses of the nameservers that you want to associate with a forward zone.
When you create an OAuth Server, creating a DNS Resolver with a forward zone named . (period) is mandatory.
Creating a Client SSL forward proxy profile makes it possible for client and server authentication, while still allowing the BIG-IP® system to perform data optimization, such as decryption and encryption. This profile applies to client-side SSL forward proxy traffic only.
You now have the profiles and virtual servers that you need for explicit forward proxy.
Access policy and per-request policy configuration depends on what you are trying to do. Look for configuration examples that categorize and filter traffic, intercept or bypass SSL traffic, forward traffic to a third-party proxy server, and so on.
Only L7 ACLs work with Access Policy Manager® (APM®) explicit forward proxy.
If you configure Access Policy Manager® APM® as a gateway for RDP clients and configure APM to act as an explicit forward proxy on the same BIG-IP® system, you need to complete an additional configuration step to ensure that APM can process the RDP client traffic. The configuration F5 recommends for explicit forward proxy includes a catch-all virtual server, which listens on all IP addresses and all ports, on an HTTP tunnel interface.
When a programmatic API queries listeners for a specific IP and port, the query covers all interfaces and tunnels. As a result, the catch-all virtual server will always match. Sending traffic using this tunnel results in all packets being dropped because this virtual server is configured as a reject type of virtual server.
To prevent RDP client traffic from being dropped, add an additional wildcard port-specific virtual server on the HTTP tunnel interface.
In the recommended Secure Web Gateway explicit forward proxy configuration, client browsers point to a forward proxy server that establishes a tunnel for SSL traffic. Additional wildcard virtual servers listen on the HTTP tunnel interface. The listener that best matches the web traffic directed to the forward proxy server handles the traffic.
Explicit forward proxy configuration