Forward explicit SSL proxy server

There's no difference in the license itself, but I do not believe the Lab VE comes with SSL Forward Proxy. You'll see it on the License page listed as SSL, Forward Proxy. I egree though that there are a few documents that don't mention the separate license.

I know that you can license it on the Lab VE, but I don't think the $98 Lab VE comes with by default.

If you attempt to use SSL Forward Proxy features without the license, it will surely fail.

At a minimum, if you remove the TCP ingress VIP and just leave the proxy VIP, you should be able to do outbound HTTP (HTTPS should fail with a 503). If that works, create the ingress TCP VIP with the following minimum properties (leave everything else at default):

• Type: Standard
• Destination Address/Mask: 0.0.0.0/0
• Service Port: 443
• VLAN and Tunnel Traffic: Enabled on the tunnel VLAN
• Source Address Translation: SNAT if you need it for outbound traffic
• Address and port translation: unchecked

In this case you're just creating a tunnel to allow HTTPS traffic to pass, without attempting to decrypt. Again, without the license it will definitely fail if you apply SSL profiles.

Have followed the documentation and have the same result - no traffic hits the SSL-Forward-Proxy VIP.

Andrew, assuming you're also doing explicit proxy, you should have two ingress VIPs: the proxy vip listening on some IP and proxy port, and a wildcard TCP VIP listening on 0.0.0.0/0 and port 443 (or any port), that is bound to the proxy tunnel object that you created and also applied to the http-explicit proxy (which is applied to the proxy VIP).

Which VIP are you observing?

You technically just need 11.4 and above to make this work. Your ingress TCP wildcard VIP should have absolutely nothing applied (assuming you're not decrypting and re-encrypting):

• Type: Standard
• Destination address/Mask: 0.0.0.0/0
• Service Port: 443 (or * All ports)
• Protocol: TCP
• VLAN and Tunnel Traffic: enabled on the same tunnel that you used in the http-explicit profile
• Source Address Translation: SNAT as required
• Address Translation: unchecked
• Port Translation: unchecked
• Default Pool: your gateway pool

Notice that there's no HTTP or SSL profiles attached to this VIP.

Okay, so just a crazy set of questions here, but

1. Do you have an HTTP profile applied to the TCP wildcard VIP? You shouldn't.

    

2. Does the destination address include the mask (ex. 0.0.0.0/0), versus just 0.0.0.0? If not, it should.

    

Sorry for interrupting you. From my point of view, you might hit ID597099.

597099SSL forward proxy appears to be unable to handle an SSL handshake inside an explicit proxy 'CONNECT' request. This appears to be the case if the explicit proxy trails the SSL Forward Proxy, or is within the inspection zone. There is no workaround.

https://support.f5.com/kb/en-us/products/ssl-orchestrator/releasenotes/product/relnote-ssl-orchestrator-12-1-0.html

597099SSL forward proxy appears to be unable to handle an SSL handshake inside an explicit proxy 'CONNECT' request. This appears to be the case if the explicit proxy trails the SSL Forward Proxy, or is within the inspection zone. There is no workaround.

I don't believe that case applies here. This is when the F5 is in transparent proxy mode, there's an explicit proxy inside the inspection zone, and the client is attempting to communicate via explicit proxy requests to the "internal" explicit proxy, through the F5 transparent proxy. If you apply SSL Forward Proxy at this F5 ingress point, SSL Forward Proxy is currently not able to decrypt (and re-encrypt) the SSL session created inside the proxy tunnel between the client and the internal proxy.

In this thread, the F5 is an explicit proxy and Marvin and Andrew are just doing SSL Forward Proxy, and at this point not even trying to decrypt the outbound SSL traffic. In the F5 explicit forward proxy scenario, the proxy tunnel is actually established between the client and the ingress TCP wildcard VIP, through the proxy VIP, and the ingress wildcard VIP is the one providing SSL Forward Proxy decrypt/re-encrypt services.

Just to re-iterate, that bug is only relevant when there's an explicit proxy inside the inspection zone, the F5 is in transparent proxy mode, the client is trying to talk directly to the internal explicit proxy, and the F5 is trying to decrypt the SSL session between the client and the internal explicit proxy. You absolutely CAN work around that scenario by putting the ingress F5 in explicit mode (with some additional iRule logic to reformat decrypted HTTP requests to talk to the internal explicit proxy), or by putting the internal proxy in transparent mode.

Hi Kevin,

What's the trick to forwarding the HTTP traffic out the back of the Explicit VIP? The SSL traffic traverses the tcp-forward tunnel to the wildcard VS where it can be managed. How would I forward everything else (in particular, HTTP) where I want (e.g. to another VS or gateway pool)?

I've tried using the HTTP_PROXY_REQUEST event and proxy disable to send it various places. I can successfully send it to another VS however what I really want to do is send it through a security device. The SSL Intercept iApp 1.0 does this for HTTPS via an ingress pool, however I can't get this working for HTTP?

Without a fancy iRule solution, I guess creating routes is the only way to get it where I want.

Any tips?

Hi Kevin,

What's the trick to forwarding the HTTP traffic out the back of the Explicit VIP? The SSL traffic traverses the tcp-forward tunnel to the wildcard VS where it can be managed. How would I forward everything else (in particular, HTTP) where I want (e.g. to another VS or gateway pool)?

I've tried using the HTTP_PROXY_REQUEST event and proxy disable to send it various places. I can successfully send it to another VS however what I really want to do is send it through a security device. The SSL Intercept iApp 1.0 does this for HTTPS via an ingress pool, however I can't get this working for HTTP?

Without a fancy iRule solution, I guess creating routes is the only way to get it where I want.

Any tips?