Proxy iRule - Office 365 Bypass
Hi All,
We have our F5 in front of our Bluecoat Proxies which handles load balancing to the proxy fleet. We are deploying Office 365 for my organization and have been warned about additional load for our users through our proxies.
To avoid this, I am trying to create a bypass mechanism on the F5 using a Datagroup of Office 365 sites and the http-forward-proxy rule (https://devcentral.f5.com/codeshare/http-forward-proxy-v32). We are running 11.5.1 code.
The question I have is that I need to apply the iRule to the explicit proxy Virtual Server WITHOUT impacting existing traffic.
There are several events within the iRule ( HTTP_REQUEST, HTTP_RESPONSE etc ) that I am not 100% sure I need to modify or not. If I configure the bypass for the list of sites on the HTTP_REQUEST, does that mean the HTTP_RESPONSE event only triggers on the HTTP_REQUESTS I bypassed initially or ALL HTTP_RESPONSE that are coming back from the BC proxies?
My Current Change to the iRule:
when HTTP_REQUEST {
    set websitehost [string tolower [HTTP::host]]
    # Add in IF Statement to redirect ONLY office 365 sites!
    if { [class match $websitehost equals O365_Websites] } {
        set DNS_ERROR 0
        ...
The events I think I may have to change:
when HTTP_RESPONSE {
    set request_log_line "$request_log_line [HTTP::status] [HTTP::payload length]"
    # Via = "Via" ":" 1#( received-protocol received-by [ comment ] )
    # received-protocol = [ protocol-name "/" ] protocol-version
    # protocol-name = token
    ....
when SERVER_CONNECTED {
    # Need to put in only care about servers NOT in pool-Proxy201 IP::server_addr??
6 Replies
- kunjan
Nimbostratus
- nitass
Employee
I agree with kunjan. Since you are running 11.5.1, the explicit proxy HTTP profile may be a better choice.
By the way, if I do not misunderstand, the HTTP::proxy command is implemented in 11.5.1 HF5.
ID452264-1 Explicit forward proxy should allow proxy-chaining
HTTP::proxy
https://devcentral.f5.com/Wiki/iRules.HTTP-proxy.ashx
- danielpenna
Cirrus
Awesome, running HF8 so that should cover it. Will test in the next day or so.
I was aware of the extra proxy functionality in 11.6 but didn't know it was in a HF on 11.5.1. Thanks!
- danielpenna
Cirrus
Getting there...
Had to change the HTTP profile on the VS to http-explicit, but I have definitely progressed the solution. External DNS is working and the traffic I don't want to bypass the proxies still goes via the Bluecoats.
The next hurdle I have is two issues:
- SNAT Pool is not working, the client IP is making it past the F5 onto the external firewall with the original client IP. It needs to be SNATTed: EDIT: WORKS NOW. Moved the snatpool from bottom of IF statement to type and works for SNAT. Still have issue 2 to resolve.
- Internally, we use a non-standard port to tunnel traffic to the explicit proxy ( say port 98 ). The proxy just forwards port 89, instead of changing to 80 or 443.
Will continue myself to play around but interested in any suggestions.
when HTTP_PROXY_REQUEST {
    set websitehost [string tolower [HTTP::host]]
    if { [class match $websitehost equals O365_Websites] } {
        # Host is in the Office 365 data group: SNAT and bypass the Bluecoats
        snatpool SNAT-O365-Outbound
        HTTP::proxy
        log local0.info "Proxy bypass hit for site: $websitehost"
        log local0.info "Port for $websitehost should be"
    } else {
        # Everything else still goes to the Bluecoat proxy pool
        HTTP::proxy disable
        pool pool-Proxy201
    }
}
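Added example, not part of the original thread or of the http-forward-proxy iRule: a small Python model of the data-group match used in the rule above, for checking offline which Host values would skip the Bluecoat proxies before a list goes live. It goes beyond the thread by also modelling ends_with matching; the .example hostnames, the port-stripping step and all function names are assumptions.

```python
# Added example: offline model of the data-group match. All entries and Host
# values are constructed (.example names), not a real Office 365 endpoint list.

O365_WEBSITES = {"outlook.o365.example", "login.o365.example"}  # exact entries


def as_posted(host_value):
    """Key used by the rule in the thread: [string tolower [HTTP::host]]."""
    return host_value.lower()


def normalized(host_value):
    """Hypothetical stricter key: lowercase, drop one :port and a trailing dot."""
    host = host_value.strip().lower()
    if host.count(":") == 1:
        host = host.split(":", 1)[0]
    return host.rstrip(".")


def match_equals(key, entries=O365_WEBSITES):
    """Model of `class match $key equals <data group>`: exact string match."""
    return key in entries


def match_ends_with(key, entries):
    """Model of `class match $key ends_with <data group>`: plain suffix match."""
    return any(key.endswith(entry) for entry in entries)


def decisions(host_values, suffix_entries):
    """Per Host value: (posted rule, normalized equals, suffix list) -> bypass?"""
    return {
        h: (match_equals(as_posted(h)),
            match_equals(normalized(h)),
            match_ends_with(normalized(h), suffix_entries))
        for h in host_values
    }


if __name__ == "__main__":
    hosts = ["OUTLOOK.O365.EXAMPLE", "outlook.o365.example:443",
             "portal.o365.example", "noto365.example",
             "outlook.o365.example.other.example"]
    for suffixes in ({"o365.example"}, {".o365.example"}):
        print("suffix entries:", sorted(suffixes))
        for host, (posted, norm, suffix) in decisions(hosts, suffixes).items():
            print(f"  {host:36} posted={posted!s:5} normalized={norm!s:5} suffix={suffix}")
```

An exact match stays strict but misses a Host value that carries a port, while a suffix entry without a leading dot also matches unrelated names that merely end in the same characters, so those would leave without proxy inspection.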
- danielpenna
Cirrus
Sometimes it's the most obvious solution, point 2 above resolved as didn't have port translation enabled on the VS. Test site is now working, onto the full O365 suite of sites.
EDIT: Lol, popped the champagne a bit too early...HTTPS sites don't work where HTTP sites do....investigating further.
- jpersin_288375
Nimbostratus
Hello.
Can you please share the solution? I have the same problem, but I can't solve it by myself. I'm not so experienced. Maybe you can send it to my email?
Thanks
