Forum Discussion
Forward proxy, proxy chaining and APM issue
Hi,
I am really desperate, everything I tried failed and I don't know if it's because of my mistake, setup is not possible or there is some bug.
Goal:
- BIG-IP working as explicit proxy for internal clients
- Users logged into domain should be transparently authenticated using NTLM (prefered) or Kerberos
- All request should be passed to upstream proxy
Everything is working OK until there is 302 to internal APM resources - like when authentication fails or some other conditions prevents user accessing given URL.
Scenario used:
- Standard VS with reverse http profile
- APM profile with SWG-Explicit type
Result when APM sends 302 with Location pointing to vdesk... URI:
- Client sends request with proxy kind URI, like GET
- For NTLM I can see proper NTLM handshake (at least for me looking like proper - similar to when there is initial NTLM handshake to authenticate user)
- When NTLM handshake is finished instead of OK 200 I am getting again 302 to the same location
- It repeats indefinitely until exceeding browser redirection limit
In case of Kerberos there is no reauthentication for redirection request but still loop is there.
Is there any way (via iRule?) to avoid this loop? Any other approach that can be used to achieve my goal?
I will really appreciate any help to solve this issue.
My Access Profile is working OK to authenticate users both for NTLM and Kerberos - so scenario is working for users allowed to access given URL - authentication is performed, request are passed to upstream proxy, users are getting web sites in the browser... but everything breaks when there is redirection to internal APM pages.
Piotr
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com