Forum Discussion
http URI filtering in front of TMG
Hello,
I am familiar with the concept of deploying Microsoft TMG behind F5 LTM with forward proxy/reverse proxy. In that scenario I would use an iApp and follow the relevant deployment guides.
My question scenario is around HTTP URI filtering. I have a virtual server in front of a TMG gateway where I can filter the inbound connections by IP address (CLIENT_ACCEPTED event). I would like to filter (or reject) all inbound connections when a specific URI is requested from outside a few IPs (let's say /clients/secured). This requires HTTP_REQUEST event, which requires an http profile.
I believe I have the iRule setup properly, however the browser just hangs as soon as an http profile is added to the TMG Gateway VS. It hangs without the iRule resource.
* I have a custom http profile created that does not process or rechunk http (it is based upon http transparent profile)
* I can provide a copy of the iRule in question.
* I can describe the VS and edge network architecture if needed.
My questions:
1. Is it possible to place an http profile in front of a TMG gateway server for the solution I am attempting?
2. Should I pursue a different solution?
3. Will full TMG replacement with SWG / iApp provide what I need?
I have better bundle licensing so can leverage other modules outside of LTM if those are more appropriate. Looking to avoid full TMG replacement if possible. Thanks!
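The filter described in this question, sketched as an added example (not part of the original post and not the poster's iRule). It assumes the virtual server carries an HTTP profile and sees the request in clear text (plain HTTP, or TLS terminated on the BIG-IP); the address data group name `secured_uri_allowed_clients` is hypothetical.

```tcl
# Added example: restrict one URI prefix to a set of source addresses.
# Assumption: "secured_uri_allowed_clients" is an address-type data group
# holding the few client IPs/subnets allowed to reach the protected path.
when HTTP_REQUEST {
    # HTTP::path excludes the query string. Decode percent-encoding once and
    # lower-case the result so that variants such as /Clients/%53ecured are
    # compared in the same form as the protected prefix.
    set path [string tolower [URI::decode [HTTP::path]]]

    if { $path starts_with "/clients/secured" } {
        # Allow only sources listed in the data group.
        if { not [class match [IP::client_addr] equals secured_uri_allowed_clients] } {
            # Record the denied request for later review.
            log local0.notice "URI filter: denied [IP::client_addr] [HTTP::method] [HTTP::host][HTTP::uri]"
            # Answer with an explicit 403 and close the connection;
            # a bare "reject" would send a TCP reset instead.
            HTTP::respond 403 content "Forbidden" "Connection" "close"
            return
        }
    }
    # All other requests fall through to the pool assigned to the virtual server.
}
```

The comparison is only as good as the normalisation: if the server behind the BIG-IP decodes or collapses paths differently (double encoding, `//`, `/../`), the prefix check has to be tightened to match that behaviour.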
13 Replies
- kunjan
Nimbostratus
Option 3 should be possible with subnet agent match and URL filter on SWG
'IP Subnet Match => Create policy branch rules based on user's subnet'
- Joe_41441
Nimbostratus
Thanks Kunjan, if I understand correctly this means I should plan the TMG replacement to accomplish what I need. None of the other deployment scenarios or modules will accomplish the TMG URI filtering. Is that correct?
- nitass_89166
Noctilucent
I believe I have the iRule setup properly, however the browser just hangs as soon as an http profile is added to the TMG Gateway VS. It hangs without the iRule resource.
i never used tmg but you are talking about tmg as a reverse proxy, aren't you? if yes, can you post the virtual server and pool configurations?
tmsh list ltm virtual (virtual server name)
tmsh list ltm pool (pool name)
- Joe_41441
Nimbostratus
nitass, the VS and Pool configs are rather vanilla. Sanitized output below:
ltm virtual VS_TMG {
    destination A.A.51.94:any
    ip-protocol tcp
    mask 255.255.255.255
    persist {
        source_addr {
            default yes
        }
    }
    pool VS_TMG
    profiles {
        tcp { }
    }
    source 0.0.0.0/0
    source-address-translation {
        pool snat-120
        type snat
    }
    translate-port disabled
    vs-index 3
}
ltm pool POOL_TMG {
    load-balancing-mode least-connections-member
    members {
        TMG:any {
            address A.A.20.94
        }
    }
}
- nitass_89166
Noctilucent
configuration looks straightforward. i do not see anything suspicious. have you tried tcpdump when having the problem?
- kunjan
Nimbostratus
I guess what you need is forward proxy chaining, i.e., BigIP proxy forwarding to TMG proxy
You may be able to achieve this by an iRule in addition to other logic:
1) Assign the explicit HTTP profile in BigIP
2) Create TMG proxy pool
3) iRule like following:
when HTTP_PROXY_REQUEST {
    HTTP::proxy disable
    pool tmg_pool
}
- Joe_41441
Nimbostratus
kunjan, thanks for the suggestion. After setting up the TMG proxy pool and iRule code for HTTP_PROXY_REQUEST events I am getting "Secure Connection Failed"
- kunjan
Nimbostratus
May I know the version you are running? Is it working for non-SSL page? Where do you see this error?