Forum Discussion

Ivan_Blesa_2004's avatar
Ivan_Blesa_2004
Icon for Nimbostratus rankNimbostratus
Jun 24, 2015

ICAP inspection with SWG for HTTP and HTTPS

I have deployed SWG with the iApp provided in https://devcentral.f5.com/codeshare/f5-secure-web-gateway-iapp-template I have added ICAP Request and Response inspection for HTTP and HTTPS. If I select...
application delivery
deployment
devops
iApps
LTM
  • mikeshimkus_111's avatar
    mikeshimkus_111
    Jun 24, 2015

    I've found that the HTTP VS generally never receives any traffic when using the explicit proxy, probably because most clients don't use the HTTP CONNECT method for unencrypted requests. Meaning that the HTTP proxy won't be triggered and the traffic will just be forwarded out the default route on your BIG-IP.

    I ran into this issue when trying to enable AAM on the proxy_vs, and worked around it using this iRule:

    when HTTP_PROXY_REQUEST {
     traffic passed through to the HTTPS VS where web acceleration is enabled
    WAM::disable
}
when HTTP_REQUEST {
     web acceleration enabled non-proxy HTTP requests
    WAM::enable
}

    I don't know if there's an equivalent command to enable/disable ICAP.

Ivan_Blesa_2004's avatar
Ivan_Blesa_2004
Icon for Nimbostratus rankNimbostratus

Thank you! The equivalent is ADAPT::enable . I had to add some more logic to disable content adaptation only for CONNECT as those go to the HTTPS VS were content adaptation is enabled:

when HTTP_PROXY_REQUEST {
    if {[HTTP::method] eq "CONNECT"} {
        ADAPT::enable false
    } else {
        ADAPT::enable true
    }
}

when HTTP_REQUEST {
    if {[HTTP::method] eq "CONNECT"} {
        ADAPT::enable false
    } else {
        ADAPT::enable true
    }
}
F5_Jeff's avatar
F5_Jeff
Icon for Cirrus rankCirrus
Feb 11, 2019

Hi Ivan,

 

We are currently integrating F5 explicit Proxy to a Symantec DLP. We are also encountering the same issue. Right now here is the set-up:

 

VS_proxy - has Request Adapt profile VS_catch_80 - has Request Adapt profile VS_catch_443 - no Request Adapt profile

 

DLP Policy incidents for HTTPS traffic can not be seen so we tried also putting Request Adapt profile in the VS_catch_443 but after putting it, we cannot access HTTPS sites (mail.yahoo.com , gmail.com) so we removed it again then the sites are accessible again.

 

For HTTP traffic, DLP can inspect the traffic and violations is being logged in the incident reports.

 

My question is, after putting the irule, were you able to see inspect HTTPS packets? Also, in which VS did you put the irule, is it the VS_Proxy or the VS_catch_443?

 

Thank you very much.