Forum Discussion
ICAP inspection with SWG for HTTP and HTTPS
- Jun 24, 2015
I've found that the HTTP VS generally never receives any traffic when using the explicit proxy, probably because most clients don't use the HTTP CONNECT method for unencrypted requests. Meaning that the HTTP proxy won't be triggered and the traffic will just be forwarded out the default route on your BIG-IP.
I ran into this issue when trying to enable AAM on the proxy_vs, and worked around it using this iRule:
when HTTP_PROXY_REQUEST { traffic passed through to the HTTPS VS where web acceleration is enabled WAM::disable } when HTTP_REQUEST { web acceleration enabled non-proxy HTTP requests WAM::enable }
I don't know if there's an equivalent command to enable/disable ICAP.
Thank you! The equivalent is ADAPT::enable . I had to add some more logic to disable content adaptation only for CONNECT as those go to the HTTPS VS were content adaptation is enabled:
when HTTP_PROXY_REQUEST {
if {[HTTP::method] eq "CONNECT"} {
ADAPT::enable false
} else {
ADAPT::enable true
}
}
when HTTP_REQUEST {
if {[HTTP::method] eq "CONNECT"} {
ADAPT::enable false
} else {
ADAPT::enable true
}
}
- F5_JeffFeb 11, 2019Cirrus
Hi Ivan,
We are currently integrating F5 explicit Proxy to a Symantec DLP. We are also encountering the same issue. Right now here is the set-up:
VS_proxy - has Request Adapt profile VS_catch_80 - has Request Adapt profile VS_catch_443 - no Request Adapt profile
DLP Policy incidents for HTTPS traffic can not be seen so we tried also putting Request Adapt profile in the VS_catch_443 but after putting it, we cannot access HTTPS sites (mail.yahoo.com , gmail.com) so we removed it again then the sites are accessible again.
For HTTP traffic, DLP can inspect the traffic and violations is being logged in the incident reports.
My question is, after putting the irule, were you able to see inspect HTTPS packets? Also, in which VS did you put the irule, is it the VS_Proxy or the VS_catch_443?
Thank you very much.
- F5_JeffFeb 12, 2019Cirrus
Hi again,
we were able to test this scenario.
When we put the Request Adapt profile and irule in the catch_443, we can now see the HTTPS traffic in the Symantec DLP however, the mail sites (which are only allowed in the URL Filtering) cannot be accessed.
When we tried to remove the Request Adapt profile, the irule should be removed also but mail sites will be accessible.
Any idea what can be the reason of this scenario? thank you
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com