Forum Discussion
Ivan_Blesa_2004
Nimbostratus
NimbostratusICAP inspection with SWG for HTTP and HTTPS
I have deployed SWG with the iApp provided in https://devcentral.f5.com/codeshare/f5-secure-web-gateway-iapp-template
I have added ICAP Request and Response inspection for HTTP and HTTPS. If I select...
I've found that the HTTP VS generally never receives any traffic when using the explicit proxy, probably because most clients don't use the HTTP CONNECT method for unencrypted requests. Meaning that the HTTP proxy won't be triggered and the traffic will just be forwarded out the default route on your BIG-IP.
I ran into this issue when trying to enable AAM on the proxy_vs, and worked around it using this iRule:
when HTTP_PROXY_REQUEST { traffic passed through to the HTTPS VS where web acceleration is enabled WAM::disable } when HTTP_REQUEST { web acceleration enabled non-proxy HTTP requests WAM::enable }I don't know if there's an equivalent command to enable/disable ICAP.
Ivan_Blesa_2004Nimbostratus
NimbostratusThank you! The equivalent is ADAPT::enable . I had to add some more logic to disable content adaptation only for CONNECT as those go to the HTTPS VS were content adaptation is enabled:
when HTTP_PROXY_REQUEST {
if {[HTTP::method] eq "CONNECT"} {
ADAPT::enable false
} else {
ADAPT::enable true
}
}
when HTTP_REQUEST {
if {[HTTP::method] eq "CONNECT"} {
ADAPT::enable false
} else {
ADAPT::enable true
}
}
F5_Jeff
Cirrus
CirrusHi again,
we were able to test this scenario.
When we put the Request Adapt profile and irule in the catch_443, we can now see the HTTPS traffic in the Symantec DLP however, the mail sites (which are only allowed in the URL Filtering) cannot be accessed.
When we tried to remove the Request Adapt profile, the irule should be removed also but mail sites will be accessible.
Any idea what can be the reason of this scenario? thank you