Forum Discussion
e_a
Nimbostratus
NimbostratusAPM/SWG explicit-proxy with authentication bypass
Hello!
We are setting up a small explicit Web-gateway using F5 BigIP APM and SWG. See link:
https://techdocs.f5.com/en-us/bigip-16-1-0/big-ip-access-policy-manager-secure-web-gateway.html
This is supposed to be used for some time while the customer fixes the settings on all the unmanged devices they have.
These devices currently uses McAfee Webgateway with NTLM but due to end of life in that platform they need a new temporary soloution to buy time. This make the solution limited to NTLM hence keberos can't be used.
Later when the customer made the changes, these devices will use Check Point to access internet and the F5-solution will be removed.
We have all working as intended but one thing:
We want to be able to exclude a few clients (IP addresses) from the Authentication (Access-Policy). In the best of worlds we still want the url-checks from SWG but if this is not possible a total bypass could also be ok.
We have tried to make an exception in the Access-Policy (see the picture) where we specify the IP-addresses that should be allowed access without authentication. When the client hits this rule we get passed to Allow, as intended. The client doesn't get access to internet though.
After checking this in a tcpdump we can see that the http 407 still goes out to the client. Which the client does not handle - that's why we need the exception.
Also tried to build an exception with this irule in the last comment: https://community.f5.com/t5/technical-forum/irule-to-disable-apm/td-p/100710
Same applies here - seems like the irule got hit but doesn't allow internet access for the client.
Any suggestions?
Thanks!
- whisperer
MVP
Are you proxying SSL? Here are some good resources on that:
e_aThanks for the reply. This kind of SSL-bypass is working fine for us.
We need to bypass the NTLM authentication though. The profile is found under this menu:
Access ›› Profiles / Policies : Access Profiles (Per-Session Policies)
- whisperer
Checking the test session log, do you actually see the Allow branch of Client IP Address for Bypass being hit? Just want to rule out the issue is more complex than just a logic issue, or failure to match correct IP address.
- Ben_Novak
Employee
What is the authentication mechanism on the back end server/app? Once the client gets through APM, the destination server may still be asking for authentication.
Might need to look into SSO for the back end authentication.
- e_a
Hi Ben_Novak!
Thanks for your reply.
This is used for internet access for these devices/Services. The customer has a dns-record set as Proxy on a lot of systems they don't have any person responsible for. The systems where someone is responsible has already migrated to Check Point. Some devices have been excluded from the Authentication-process in McAfee and we want to by-pass this in our F5-solotion aswell.
The plan is to move the dns-record to the F5-solotion and handle any problems as they come up. But a few exclusions is already known before the migration and need to be handled.
Hope this clears things up - let me know if I can provide any more insight to our problem!
MyHomeNWLabAltostratus
Could you control by Item: "NTLM Auth Result"?
I remember that when "NTLM Auth Configuration" was applied to Per-Session Policy, the VPE control did not work.
BASIC and Kerberos authentication are controlled by VPE, but NTLM authentication does not need to be configured in VPE.
Therefore, I thought at the time that it was not controlled from the VPE.However, I did not try Item: "NTLM Auth Result".
Configuring BIG-IP APM NTLM authentication
https://my.f5.com/manage/s/article/K03010204#ap
> Creating an Access Policy in the Visual Policy Editor to include NTLM checks
