APM/SWG explicit-proxy with authentication bypass
We are setting up a small explicit web gateway using F5 BIG-IP APM and SWG. See link:
This is supposed to be used for some time while the customer fixes the settings on all the unmanaged devices they have.
These devices currently use McAfee Web Gateway with NTLM, but due to end of life of that platform they need a new temporary solution to buy time. This limits the solution to NTLM, hence Kerberos can't be used.
Later, when the customer has made the changes, these devices will use Check Point to access the internet and the F5 solution will be removed.
We have all working as intended but one thing:
We want to be able to exclude a few clients (IP addresses) from the authentication (Access Policy). In the best of worlds we still want the URL checks from SWG, but if this is not possible a total bypass could also be OK.
We have tried to make an exception in the Access-Policy (see the picture) where we specify the IP-addresses that should be allowed access without authentication. When the client hits this rule we get passed to Allow, as intended. The client doesn't get access to internet though.
After checking this in a tcpdump we can see that the HTTP 407 still goes out to the client, which the client does not handle; that's why we need the exception.
We also tried to build an exception with the iRule in the last comment here: https://community.f5.com/t5/technical-forum/irule-to-disable-apm/td-p/100710
The same applies here: it seems like the iRule gets hit but doesn't allow internet access for the client.