SSL Orchestrator between client and explicit HTTP proxy
Hi Devcentral,
I am testing SSL Orchestrator in Inline mode (L2 / Transparent) in order to inspect cleartext web browsing traffic using an IPS device. The scenario is the following:
- Client that points directly to F5 as a gateway
- Client has an explicit HTTP forward proxy configured in the browser (Mozilla) for HTTP & HTTPS traffic
- SSLO is placed inline with SNAT Automap that points to router connected to the Internet
I did a packet capture and I saw that the SSL handshake occurs between the client and the HTTP/HTTPS forward proxy (tiny proxy) - using the HTTP Connect / Proxy-Connect method - but the SSL decryption will not occur if the HTTP forward proxy is configured on the client. (I am testing this because one of our customers would like to implement SSL Orchestrator, but the customer currently has an explicit HTTP proxy configured in order to provide web reputation filtering to the clients.)
The architecture flow is the following (starting from the source):
- Client
- F5 SSL Orchestrator
- HTTP/HTTPS Forward Proxy (tinyproxy)
- Internet
I would expect to see the traffic decrypted correctly with the HTTP forward proxy in place as well. (Actually it works for outbound decryption, but without the HTTP forward proxy --> point 3.)
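What the capture described above looks like at the byte level, as an added example that is not part of the original post and is not F5 code: with an explicit proxy the client's stream opens with a cleartext HTTP CONNECT request and the TLS ClientHello appears only inside the tunnel, whereas without a proxy the ClientHello is the first thing on the wire. The function names and the sample bytes are assumptions constructed for illustration.

```python
import re

# Request line of an explicit-proxy tunnel request, e.g. "CONNECT host:443 HTTP/1.1".
# IPv6 literals in the authority are not handled in this sketch.
CONNECT_RE = re.compile(rb"^CONNECT ([^\s:]+):(\d{1,5}) HTTP/1\.[01]\r\n")


def is_tls_client_hello(data: bytes) -> bool:
    """True if data starts with a TLS handshake record carrying a ClientHello."""
    return (
        len(data) >= 6
        and data[0] == 0x16      # record type: handshake
        and data[1] == 0x03      # record version major (SSL 3.0 / TLS 1.x)
        and data[5] == 0x01      # handshake type: ClientHello
    )


def classify_client_stream(data: bytes) -> dict:
    """Classify the client-to-server bytes of one reassembled TCP stream."""
    if is_tls_client_hello(data):
        return {"kind": "direct_tls"}
    m = CONNECT_RE.match(data)
    if m:
        # Tunnelled bytes start after the blank line that ends the CONNECT headers.
        head_end = data.find(b"\r\n\r\n")
        tunnelled = data[head_end + 4:] if head_end != -1 else b""
        return {
            "kind": "connect_tunnel",
            "target": (m.group(1).decode("ascii", "replace"), int(m.group(2))),
            "tls_inside": is_tls_client_hello(tunnelled),
        }
    return {"kind": "other"}


# Constructed sample inputs (not taken from a real capture): a truncated
# ClientHello record, sent directly and sent after a CONNECT request.
HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x05, 0x01, 0x00, 0x00, 0x01, 0x00])
VIA_PROXY = (
    b"CONNECT www.example.com:443 HTTP/1.1\r\n"
    b"Host: www.example.com:443\r\n\r\n"
) + HELLO

if __name__ == "__main__":
    for name, stream in (("direct", HELLO), ("via proxy", VIA_PROXY)):
        print(name, classify_client_stream(stream))
```

Running it over the client side of each flow in a capture shows which connections begin with TLS and which begin with a proxy CONNECT that carries TLS inside.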
- Kevin_Stewart (Employee)
This use case is expected to be available in BIG-IP 13.1 and SSLO 3.0 (arriving at about the same time).
- Artur_Horodynsk (Nimbostratus)
Thanks for the info. Planned for 13.1.x?
Piotr
- Kevin_Stewart (Employee)
Not in 13.1, no. But shortly after I believe.
- dragonflymr (Cirrostratus)
Hi Kevin,
Thanks for info.
Piotr