Forum Discussion

NathanAsky
Mar 19, 2025

How to implement LTM forward proxy client to determine the diversion pool based on the domain name

Through testing, I found that if I simply use all-zero virtual services and use standard mode, I must use the client SSL profile to obtain the SNI domain name in the TLS handshake message sent by the client. However, I don't know what the domain name certificate that the client needs to access is for the client Internet exit. It is not fixed, and these certificates may not exist on my device. If I use a self-signed domain name certificate, the intranet client will prompt "Do not trust the domain name site". Does anyone have a better solution for this? The F5 forward proxy needs to know what the domain name requested by the client is, or provide iRules events or commands! Thank you for every reader's reply!

 

when CLIENTSSL_HANDSHAKE {
    # SSL::extensions -type 0 returns the raw server_name extension:
    # type(2) length(2) list_length(2) name_type(1) name_length(2) name...
    # so the host name starts at byte offset 9.
    binary scan [SSL::extensions -type 0] {@9A*} sni_name
    log local0. "$sni_name"
    pool ChinaRadioTelevisionPool
}

# This method currently has remote certificate issues, prompting an untrusted-site warning. Is there any other way to obtain the domain name information sent by the client for diversion?
ltm virtual OverseasApplications {
    destination 0.0.0.0:https
    ip-protocol tcp
    mask any
    profiles {
        ForwardClientSSL {
            context clientside
        }
        ForwardServerSSL {
            context serverside
        }
        Forward_HTTP { }
        apm-forwarding-client-tcp { }
    }
    rules {
        OutboundIRules
    }
    source 0.0.0.0/0
    source-address-translation {
        pool ChinaRadioTelevisionSNATPOOL
        type snat
    }
    translate-address disabled
    translate-port disabled
    vlans {
        internal_vlan_13
    }
    vlans-enabled
    vs-index 3
}
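The core of the question is how to learn the requested host name without terminating TLS. The host name travels in clear text in the server_name extension of the ClientHello, so it can be read from the raw TCP payload before any certificate is presented; on the BIG-IP that is done in an iRule with TCP::collect in CLIENT_ACCEPTED and the parse in CLIENT_DATA, with no client SSL profile attached, so the client never sees a BIG-IP certificate. The Python below is an added example (not code from the original post or from F5) showing that parse step by step, including the 9-byte extension header that the `{@9A*}` binary scan above relies on. The ClientHello bytes, the `ROUTES` table and the `select_pool` helper are constructed for the example; only the pool name `ChinaRadioTelevisionPool` comes from the post.

```python
import struct


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2-style ClientHello record carrying an SNI
    extension (test input for this example, not a real client capture)."""
    host = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host       # name_type host_name(0), length, name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry          # server_name_list length
    sni_ext = struct.pack("!HH", 0, len(sni_list)) + sni_list          # extension type 0, extension length
    other_ext = struct.pack("!HH", 43, 3) + b"\x02\x03\x04"            # supported_versions, placed first so it must be skipped
    extensions = other_ext + sni_ext
    body = (
        b"\x03\x03"                                                    # client_version
        + bytes(32)                                                    # random (zeros, constructed)
        + b"\x00"                                                      # session_id length 0
        + b"\x00\x02\x13\x01"                                          # cipher_suites: length 2, one suite
        + b"\x01\x00"                                                  # compression_methods: length 1, null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body     # HandshakeType client_hello(1), 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake(22)


def sni_from_extension(ext: bytes):
    """Parse one raw server_name extension, the same byte layout the iRule's
    SSL::extensions -type 0 returns: 9 header bytes, then the host name."""
    if len(ext) < 9 or ext[6] != 0:            # name_type must be host_name(0)
        return None
    name_len = struct.unpack("!H", ext[7:9])[0]
    return ext[9:9 + name_len].decode("ascii", errors="replace")


def extract_sni(data: bytes):
    """Return the SNI host name from the first bytes of a client connection,
    or None when the data is not a complete TLS ClientHello (a CLIENT_DATA
    handler would then TCP::collect more bytes or fall back to a default pool)."""
    if len(data) < 5 or data[0] != 0x16:
        return None                             # not a TLS handshake record
    record_len = struct.unpack("!H", data[3:5])[0]
    if len(data) < 5 + record_len:
        return None                             # record still incomplete
    hs = data[5:5 + record_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None                             # not a ClientHello
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    if len(body) < 35:
        return None
    pos = 2 + 32                                # skip version and random
    pos += 1 + body[pos]                        # skip session_id
    if pos + 2 > len(body):
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # skip cipher_suites
    if pos + 1 > len(body):
        return None
    pos += 1 + body[pos]                        # skip compression_methods
    if pos + 2 > len(body):
        return None                             # no extensions block at all
    ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_total, len(body))
    while pos + 4 <= end:                       # walk the extension list until type 0 is found
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        if ext_type == 0:
            return sni_from_extension(body[pos:pos + 4 + ext_len])
        pos += 4 + ext_len
    return None


# Constructed routing table: domain suffix -> pool name.
ROUTES = {"example.com": "ChinaRadioTelevisionPool"}


def select_pool(sni, routes=ROUTES, default_pool="DefaultPool"):
    """Pick a pool by exact match or parent-domain suffix; unknown or
    missing SNI falls through to the default pool rather than failing."""
    if sni is None:
        return default_pool
    for suffix, pool in routes.items():
        if sni == suffix or sni.endswith("." + suffix):
            return pool
    return default_pool


if __name__ == "__main__":
    hello = build_client_hello("www.example.com")
    name = extract_sni(hello)
    print(name, "->", select_pool(name))
```

The parser rejects anything that is not a complete ClientHello instead of guessing, which is what you want in a forward proxy: non-TLS traffic and clients that send no SNI still get a route (the default pool) and never see a certificate error, because the BIG-IP is passing the handshake through untouched rather than answering it.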

 

8 Replies

  • NathanAsky - I'm moving your question to the Technical Forum. Watercooler isn't the sort of place people will look for technical assistance/help.

  • NathanAsky, any particular reason you are doing this on the forward proxy and not the server side of the connection? It seems like a significant amount of work to go through rather than just use the forward proxy and let it connect to what it should connect to based on DNS.

    • NathanAsky

      Yes, I agree with you. I have considered using DNS to capture domain name traffic, but I don't know how the logic is related. For example, I use a 0.0.0.0:53 VS to capture domain name information and addresses, and another 0.0.0.0:0 for the egress network. I don't know how to associate the two VS.

      • Paulius

        I believe what you are looking for is outlined in the following document.

        https://community.f5.com/kb/technicalarticles/configure-the-f5-big-ip-as-an-explicit-forward-web-proxy-using-ltm/286647