Forum Discussion

Ivan_Blesa_2004
Nimbostratus
Jun 24, 2015

ICAP inspection with SWG for HTTP and HTTPS

I have deployed SWG with the iApp provided in https://devcentral.f5.com/codeshare/f5-secure-web-gateway-iapp-template and I have added ICAP Request and Response inspection for HTTP and HTTPS. If I select a Request/Response Adapt Profile in the HTTPS VS ("Proxy_catch_https_vs_443"), HTTPS content is inspected through ICAP, but not HTTP. If I do the same with the HTTP catch VS ("Proxy_catch_http_vs_80"), nothing happens. Actually, I can see that this VS has no traffic going through it. If I enable ICAP inspection in the main HTTP VS ("Proxy_vs"), it inspects HTTP traffic, but makes HTTPS fail.

So is there a way to apply ICAP inspection to both HTTP and HTTPS traffic in SWG?

  • mikeshimkus_111
    Historic F5 Account

    I've found that the HTTP VS generally never receives any traffic when using the explicit proxy, probably because most clients don't use the HTTP CONNECT method for unencrypted requests. Meaning that the HTTP proxy won't be triggered and the traffic will just be forwarded out the default route on your BIG-IP.

    I ran into this issue when trying to enable AAM on the proxy_vs, and worked around it using this iRule:

    when HTTP_PROXY_REQUEST {
        # proxy (CONNECT) traffic is passed through to the HTTPS VS, where web acceleration is enabled
        WAM::disable
    }
    when HTTP_REQUEST {
        # web acceleration enabled for non-proxy HTTP requests
        WAM::enable
    }

    I don't know if there's an equivalent command to enable/disable ICAP.

  • Thank you! The equivalent is ADAPT::enable. I had to add some more logic to disable content adaptation only for CONNECT, as those go to the HTTPS VS where content adaptation is enabled:

    when HTTP_PROXY_REQUEST {
        # CONNECT requests are tunnelled to the HTTPS VS, which has its own adapt profile
        if {[HTTP::method] eq "CONNECT"} {
            ADAPT::enable false
        } else {
            ADAPT::enable true
        }
    }
    
    when HTTP_REQUEST {
        # same rule for plain HTTP requests handled by this VS
        if {[HTTP::method] eq "CONNECT"} {
            ADAPT::enable false
        } else {
            ADAPT::enable true
        }
    }
    
    • F5_Jeff
      Cirrus

      Hi Ivan,

      We are currently integrating F5 explicit Proxy to a Symantec DLP. We are also encountering the same issue. Right now here is the set-up:

      VS_proxy - has Request Adapt profile
      VS_catch_80 - has Request Adapt profile
      VS_catch_443 - no Request Adapt profile

      DLP Policy incidents for HTTPS traffic cannot be seen, so we tried also putting a Request Adapt profile in the VS_catch_443, but after putting it, we cannot access HTTPS sites (mail.yahoo.com, gmail.com), so we removed it again and the sites are accessible again.

      For HTTP traffic, DLP can inspect the traffic and violations are being logged in the incident reports.

      My question is, after putting the iRule, were you able to inspect HTTPS packets? Also, in which VS did you put the iRule, is it the VS_Proxy or the VS_catch_443?

      Thank you very much.

    • F5_Jeff
      Cirrus

      Hi again,

      We were able to test this scenario.

      When we put the Request Adapt profile and iRule in the catch_443, we can now see the HTTPS traffic in the Symantec DLP; however, the mail sites (which are only allowed in the URL Filtering) cannot be accessed.

      When we tried to remove the Request Adapt profile, the iRule should be removed also, but mail sites will be accessible.

      Any idea what could be the reason for this scenario? Thank you.

  • Ivan,

    I am curious, what type of ICAP server are you using here? Typically, you would not want to send all the traffic to the ICAP server but rather use BIG-IP to intelligently steer required data (like POST requests, for example) to the ICAP server. I'm curious what the use case is for sending all request data via ICAP and what purpose it will serve. Thanks.

  • Hi Michael,

    I'm using Clearswift SECURE ICAP Gateway. It is a Data Loss Prevention ICAP server which, apart from blocking/allowing policies, can modify the traffic to suit the security policy. But it also provides antivirus, URL filters and Web 2.0 policies. I'm testing different configurations. In a reverse proxy configuration, I'm only sending certain traffic to the Clearswift SIG, as you mention. However, when F5 is working as a Secure Web Gateway, I want to send everything so that for outbound traffic URL filters are applied, outbound data is redacted/removed/blocked and Web 2.0 policies can be enforced. For incoming traffic, I want to remove active content from certain data types, run the antivirus, and apply any other content inspection policies (like blocking by true data type, malformed data type detection, ...) to prevent incoming threats. Thanks!
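Editor's added example, not code from F5, Clearswift or anyone in this thread: a self-contained model of what a Request Adapt profile drives on the wire, tying together the ADAPT::enable iRule above (request adaptation being switched on or off per request) and the outbound redaction Ivan describes in his last reply. The proxy side wraps the client's HTTP request in an ICAP REQMOD message (RFC 3507 framing with an Encapsulated header and chunked body), a toy DLP server side either answers 204 (forward unchanged) or 200 with a rewritten request, and the proxy side applies the verdict. ICAP_SERVICE, the host names and the 16-digit "secret" rule are constructed placeholders; dlp_server_reqmod is a toy, not the behaviour of any real DLP product.

```python
"""ICAP REQMOD round trip modelled in plain Python (RFC 3507 framing).

Constructed example: ICAP_SERVICE, the host names and the DLP rule are
placeholders; dlp_server_reqmod is a toy server, not Clearswift or Symantec.
"""
import re

ICAP_SERVICE = "icap://dlp.example.invalid:1344/reqmod"   # placeholder service URI
SECRET_RE = re.compile(rb"\b\d{16}\b")                    # toy DLP rule: 16-digit numbers


def chunk(body: bytes) -> bytes:
    """Encode a body as one HTTP chunk plus terminator; ICAP bodies are chunked."""
    return f"{len(body):x}\r\n".encode() + body + b"\r\n0\r\n\r\n"


def dechunk(data: bytes) -> bytes:
    """Decode chunked transfer encoding (no trailers)."""
    out, pos = b"", 0
    while True:
        end = data.index(b"\r\n", pos)
        size = int(data[pos:end].split(b";")[0], 16)
        if size == 0:
            return out
        out += data[end + 2:end + 2 + size]
        pos = end + 2 + size + 2


def encapsulate(sections) -> tuple:
    """Build the Encapsulated header value and payload from (name, bytes) pairs.
    Offsets are byte positions into the payload; a body-less message ends with null-body."""
    entries, payload = [], b""
    for name, data in sections:
        entries.append(f"{name}={len(payload)}")
        payload += chunk(data) if name.endswith("-body") else data
    if not sections[-1][0].endswith("-body"):
        entries.append(f"null-body={len(payload)}")
    return ", ".join(entries), payload


def parse_icap(raw: bytes) -> dict:
    """Parse an ICAP request or response into start line, headers and the
    encapsulated sections (bodies are de-chunked)."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.decode().split("\r\n")
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    entries = [e.strip().split("=") for e in headers.get("encapsulated", "").split(",") if e.strip()]
    parts = {}
    for i, (name, offset) in enumerate(entries):
        if name == "null-body":
            continue
        end = int(entries[i + 1][1]) if i + 1 < len(entries) else len(rest)
        data = rest[int(offset):end]
        parts[name] = dechunk(data) if name.endswith("-body") else data
    return {"start": lines[0], "headers": headers, "parts": parts}


def build_reqmod(method: str, url: str, headers: dict, body: bytes = b"") -> bytes:
    """Proxy side: wrap the client's HTTP request in an ICAP REQMOD message.
    'Allow: 204' tells the server it may answer 204 instead of echoing the request."""
    req_hdr = (f"{method} {url} HTTP/1.1\r\n"
               + "".join(f"{k}: {v}\r\n" for k, v in headers.items()) + "\r\n").encode()
    sections = [("req-hdr", req_hdr)] + ([("req-body", body)] if body else [])
    enc, payload = encapsulate(sections)
    icap_host = ICAP_SERVICE.split("/")[2]
    start = (f"REQMOD {ICAP_SERVICE} ICAP/1.0\r\nHost: {icap_host}\r\n"
             f"Allow: 204\r\nEncapsulated: {enc}\r\n\r\n")
    return start.encode() + payload


def dlp_server_reqmod(raw: bytes) -> bytes:
    """Toy ICAP server side: redact SECRET_RE matches in the request body.
    204 when nothing matched, else 200 with the rewritten request and a
    Content-Length that matches the redacted body."""
    msg = parse_icap(raw)
    body = msg["parts"].get("req-body", b"")
    redacted = SECRET_RE.sub(b"[REDACTED]", body)
    if redacted == body:
        return b'ICAP/1.0 204 No Content\r\nISTag: "dlp-v1"\r\nEncapsulated: null-body=0\r\n\r\n'
    req_hdr = re.sub(rb"(?im)^content-length:[^\r\n]*\r\n",
                     f"Content-Length: {len(redacted)}\r\n".encode(), msg["parts"]["req-hdr"])
    enc, payload = encapsulate([("req-hdr", req_hdr), ("req-body", redacted)])
    return f'ICAP/1.0 200 OK\r\nISTag: "dlp-v1"\r\nEncapsulated: {enc}\r\n\r\n'.encode() + payload


def proxy_apply(orig_hdr: bytes, orig_body: bytes, reply: bytes) -> tuple:
    """Proxy side: act on the ICAP verdict. Returns (action, header_bytes, body_bytes)."""
    msg = parse_icap(reply)
    status = int(msg["start"].split()[1])
    parts = msg["parts"]
    if status == 204:
        return "forward-unchanged", orig_hdr, orig_body
    if status == 200 and "req-hdr" in parts:
        return "forward-modified", parts["req-hdr"], parts.get("req-body", b"")
    if status == 200 and "res-hdr" in parts:   # server answered in place of the origin (block page)
        return "reply-to-client", parts["res-hdr"], parts.get("res-body", b"")
    raise ValueError(f"unexpected ICAP reply: {msg['start']}")


def run_exchange(method: str, url: str, headers: dict, body: bytes = b"") -> tuple:
    """Full round trip: build REQMOD, get the toy server's reply, apply it."""
    reqmod = build_reqmod(method, url, headers, body)
    original = parse_icap(reqmod)["parts"]
    return proxy_apply(original["req-hdr"], original.get("req-body", b""), dlp_server_reqmod(reqmod))


if __name__ == "__main__":
    print(run_exchange("GET", "http://www.example.invalid/", {"Host": "www.example.invalid"})[0])
    action, hdr, body = run_exchange("POST", "http://upload.example.invalid/form",
                                     {"Host": "upload.example.invalid", "Content-Length": "21"},
                                     b"card=4111111111111111")
    print(action, body)
```

The point of separating build_reqmod, dlp_server_reqmod and proxy_apply is that each half of the exchange can be checked on its own: feeding a captured REQMOD into the toy server shows whether the Encapsulated offsets and chunking are right, and feeding a real server's reply into proxy_apply shows how a 204, a modified request or a block page would be handled before anything is wired into a virtual server.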