Forum Discussion
F5 APM/SWG Forward Proxy problem with HSTS sites
Hi gurus,
I had a lab to test F5 APM/SWG Forward Proxy. All things work well except sites with HSTS such as , gmail.com...
Normally, when a user puts the URL in the browser, it redirects to the APM captive portal. But with these sites, an error is displayed and the user cannot continue. I think the problem is the HSTS of these sites.
How to resolve it?
Thanks
Phong
3 Replies
Are you sure it is HSTS? Since you mention and gmail, it could also be QUIC. This is an experimental protocol used by Google websites and the Chrome browser. It's an alternative to TLS. It uses port 443/UDP. The BIG-IP will not intercept this traffic. You could try blocking 443/UDP. This will cause the browser to fall back to 443/TCP and make it possible for the BIG-IP to do SSL interception.
See: https://en.wikipedia.org/wiki/QUIC
- Stanislas_Piro2
Cumulonimbus
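Before blocking 443/UDP it is worth confirming that the clients really are speaking QUIC. The following is an added example, not code from the thread or from F5: it classifies the first bytes of a UDP/443 datagram as a QUIC long-header packet (Initial, 0-RTT, Handshake, Retry or Version Negotiation) using the invariants of RFC 8999 and the QUIC v1 header layout of RFC 9000. The datagrams at the bottom are constructed by hand for illustration. Older Google QUIC (gQUIC, with ASCII versions such as "Q046") used a different public header and is not decoded here; the forward-proxy bypass it causes is the same.

```python
from collections import Counter

QUIC_V1 = 0x00000001
# Long-header packet types for QUIC v1 (first byte, bits 5-4), RFC 9000 section 17.2
LONG_TYPES_V1 = {0: "Initial", 1: "0-RTT", 2: "Handshake", 3: "Retry"}


def classify_udp443_payload(payload: bytes):
    """Describe a UDP/443 datagram if it is a QUIC long-header packet.

    Returns a dict with version, packet_type and dcid_len, or None when the
    datagram is a short-header (1-RTT) packet, too short, or not QUIC at all.
    """
    if len(payload) < 6:
        return None
    first = payload[0]
    if not first & 0x80:
        # Header form bit clear: 1-RTT short header, or not QUIC (RFC 8999 s5.2)
        return None
    version = int.from_bytes(payload[1:5], "big")
    dcid_len = payload[5]
    if version == 0:
        # Version Negotiation: only the form bit is defined, the fixed bit is not
        return {"version": 0, "packet_type": "Version Negotiation",
                "dcid_len": dcid_len, "draft": None}
    if not first & 0x40:
        # Fixed bit must be 1 in every other QUIC packet (RFC 9000 s17.2)
        return None
    type_bits = (first >> 4) & 0x03
    if version == QUIC_V1:
        packet_type, draft = LONG_TYPES_V1[type_bits], None
    elif (version & 0xFF000000) == 0xFF000000:
        # IETF draft versions 0xff0000NN share the v1 type encoding
        packet_type, draft = LONG_TYPES_V1[type_bits], version & 0xFF
    else:
        # QUIC v2 and private versions encode the type differently; report only the version
        packet_type, draft = "unknown", None
    return {"version": version, "packet_type": packet_type,
            "dcid_len": dcid_len, "draft": draft}


def quic_handshake_summary(datagrams):
    """Count QUIC Initial packets per version over a capture of UDP/443 payloads.

    A non-zero count means clients are bypassing a TCP-only SSL forward proxy.
    """
    seen = Counter()
    for payload in datagrams:
        info = classify_udp443_payload(payload)
        if info is not None and info["packet_type"] == "Initial":
            seen[info["version"]] += 1
    return seen


# Constructed sample datagrams (only the header bytes matter for classification)
SAMPLE_DATAGRAMS = [
    # v1 Initial: form+fixed bits, type 00, 8-byte DCID, empty SCID, token length 0
    bytes([0xC3, 0x00, 0x00, 0x00, 0x01, 0x08]) + bytes(8) + b"\x00\x00",
    # v1 Handshake: type bits 10
    bytes([0xE0, 0x00, 0x00, 0x00, 0x01, 0x04]) + bytes(4) + b"\x00",
    # 1-RTT short header: form bit clear, so not classified
    bytes([0x40]) + bytes(20),
    # draft-29 Initial
    bytes([0xC0, 0xFF, 0x00, 0x00, 0x1D, 0x00]) + bytes(4),
    # Version Negotiation from a server
    bytes([0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00]) + bytes(4),
    # Random non-QUIC UDP payload on port 443 (fixed bit clear)
    bytes([0x80, 0x00, 0x00, 0x00, 0x01, 0x00]),
]

if __name__ == "__main__":
    for d in SAMPLE_DATAGRAMS:
        print(d[:6].hex(), "->", classify_udp443_payload(d))
    print("Initial packets per version:", dict(quic_handshake_summary(SAMPLE_DATAGRAMS)))
```

If the summary shows Initial packets for any version, the browser is negotiating HTTP/3 directly with the origin and the forward proxy never sees a TCP ClientHello; dropping UDP/443 forces the fallback to TCP that the reply above describes.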
Hi,
Did you configure a serverssl profile on your virtual server?
- Anesh
Cirrostratus
Sites which send the HSTS header do not like self-signed certificates. Although on other sites you may be able to ignore the trust error when using SSL forward proxy, for sites using HSTS you need to import the certificate into the browser root trust store.
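The reason the "proceed anyway" option disappears is spelled out in RFC 6797 section 12.1: once a browser has a Known HSTS Host for a name, it must treat any certificate error for that host as fatal instead of letting the user click through. The following is an added example, not code from the thread or from F5, that models that behaviour: it parses Strict-Transport-Security headers, keeps a small HSTS cache with expiry and includeSubDomains handling, and answers whether a certificate error (such as the one produced by an untrusted forward-proxy CA) could be overridden for a given host. The preloaded set and the observed headers are constructed for illustration; in a real browser the preload list is shipped with the binary.

```python
def parse_hsts(header: str):
    """Parse a Strict-Transport-Security header value (RFC 6797 section 6.1).

    Returns {"max_age": int, "include_subdomains": bool, "preload": bool},
    or None when the header is invalid (missing, duplicate or non-numeric max-age).
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if policy["max_age"] is not None or not value.isdigit():
                return None  # duplicate or malformed max-age: browsers drop the header
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
        # unknown directives are ignored, as the RFC requires
    if policy["max_age"] is None:
        return None
    return policy


class HstsStore:
    """Minimal model of a browser's HSTS cache."""

    def __init__(self, preloaded=()):
        # Assumption for this model: preloaded hosts never expire and cover subdomains
        self.preloaded = {h.lower() for h in preloaded}
        self.entries = {}  # host -> (expires_at, include_subdomains)

    def observe(self, host, header, now):
        """Record the header a host sent over a trusted TLS connection at time `now`."""
        policy = parse_hsts(header)
        if policy is None:
            return False
        host = host.lower()
        if policy["max_age"] == 0:
            self.entries.pop(host, None)  # max-age=0 tells the browser to forget the host
        else:
            self.entries[host] = (now + policy["max_age"], policy["include_subdomains"])
        return True

    def is_known_hsts_host(self, host, now):
        """Exact match, or any parent label whose entry has includeSubDomains set."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.preloaded:
                return True
            entry = self.entries.get(candidate)
            if entry is None:
                continue
            expires_at, include_subdomains = entry
            if expires_at <= now:
                continue  # expired entry no longer applies
            if i == 0 or include_subdomains:
                return True
        return False


def cert_error_overridable(store, host, now):
    """True if the browser would offer a click-through for a cert error on `host`.

    For a Known HSTS Host the error is fatal (RFC 6797 section 12.1), so a forward
    proxy's CA must be in the trust store before such sites can be intercepted.
    """
    return not store.is_known_hsts_host(host, now)


if __name__ == "__main__":
    store = HstsStore(preloaded={"google.com"})  # constructed preload list
    store.observe("mail.example.org", "max-age=600; includeSubDomains", now=100)
    for name in ("mail.example.org", "imap.mail.example.org", "example.org", "mail.google.com"):
        print(name, "click-through possible:", cert_error_overridable(store, name, now=200))
```

The practical consequence matches the reply above: an untrusted interception CA shows up as a certificate error, and for HSTS hosts that error cannot be bypassed, so the forward proxy's signing CA has to be distributed to the clients' trust stores before those sites will load through the captive portal.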
