Forum Discussion

e_a's avatar
e_a
Icon for Nimbostratus rankNimbostratus
Jun 14, 2023

APM/SWG explicit-proxy with authentication bypass

Hello!

We are setting up a small explicit Web-gateway using F5 BigIP APM and SWG. See link:

https://techdocs.f5.com/en-us/bigip-16-1-0/big-ip-access-policy-manager-secure-web-gateway.html

This is supposed to be used for some time while the customer fixes the settings on all the unmanged devices they have.

These devices currently uses McAfee Webgateway with NTLM but due to end of life in that platform they need a new temporary soloution to buy time. This make the solution limited to NTLM hence keberos can't be used.

Later when the customer made the changes, these devices will use Check Point to access internet and the F5-solution will be removed.

 

We have all working as intended but one thing:

We want to be able to exclude a few clients (IP addresses) from the Authentication (Access-Policy). In the best of worlds we still want the url-checks from SWG but if this is not possible a total bypass could also be ok.

We have tried to make an exception in the Access-Policy (see the picture) where we specify the IP-addresses that should be allowed access without authentication. When the client hits this rule we get passed to Allow, as intended. The client doesn't get access to internet though.

After checking this in a tcpdump we can see that the http 407 still goes out to the client. Which the client does not handle - that's why we need the exception.

Also tried to build an exception with this irule in the last comment: https://community.f5.com/t5/technical-forum/irule-to-disable-apm/td-p/100710

Same applies here - seems like the irule got hit but doesn't allow internet access for the client.

Any suggestions?

Thanks!

8 Replies

    • e_a's avatar
      e_a
      Icon for Nimbostratus rankNimbostratus

      Thanks for the reply. This kind of SSL-bypass is working fine for us.

      We need to bypass the NTLM authentication though. The profile is found under this menu:

      Access ›› Profiles / Policies : Access Profiles (Per-Session Policies)

      • Checking the test session log, do you actually see the Allow branch of Client IP Address for Bypass being hit? Just want to rule out the issue is more complex than just a logic issue, or failure to match correct IP address.

  • What is the authentication mechanism on the back end server/app?  Once the client gets through APM, the destination server may still be asking for authentication.  

    Might need to look into SSO for the back end authentication.

    • e_a's avatar
      e_a
      Icon for Nimbostratus rankNimbostratus

      Hi Ben_Novak!

      Thanks for your reply.

      This is used for internet access for these devices/Services. The customer has a dns-record set as Proxy on a lot of systems they don't have any person responsible for. The systems where someone is responsible has already migrated to Check Point. Some devices have been excluded from the Authentication-process in McAfee and we want to by-pass this in our F5-solotion aswell. 

      The plan is to move the dns-record to the F5-solotion and handle any problems as they come up. But a few exclusions is already known before the migration and need to be handled.

      Hope this clears things up - let me know if I can provide any more insight to our problem!

  • Could you control by Item: "NTLM Auth Result"?

    I remember that when "NTLM Auth Configuration" was applied to Per-Session Policy, the VPE control did not work.
    BASIC and Kerberos authentication are controlled by VPE, but NTLM authentication does not need to be configured in VPE.
    Therefore, I thought at the time that it was not controlled from the VPE.

    However, I did not try Item: "NTLM Auth Result".

    Configuring BIG-IP APM NTLM authentication
    https://my.f5.com/manage/s/article/K03010204#ap
    > Creating an Access Policy in the Visual Policy Editor to include NTLM checks

  • Follow the documentation provided to install the initial configuration of the F5 BigIP APM and SWG. Ensure that the necessary policies for web access control, security, and authentication are configured to meet your requirements. Since you mentioned that these devices currently use NTLM with McAfee Web Gateway, configure F5 to support NTLM authentication for a smooth transition. Oh, and if you do buy proxies, only buy them from trusted dealers. Implement logging and monitoring features to track user activity and potential security events. This will help in troubleshooting and securing the Web Gateway environment.