Aug 31, 2017

SSL Orchestrator between client and explicit HTTP proxy

Hi Devcentral,


I am testing SSL Orchestrator in inline mode (L2 / Transparent) in order to inspect cleartext web browsing traffic using an IPS device. The scenario is the following:


  1. Client that points directly to the F5 as a gateway
  2. Client has an explicit HTTP forward proxy configured in the browser (Mozilla) for HTTP & HTTPS traffic
  3. SSLO is placed inline with SNAT Automap that points to router connected to the Internet

I did a packet capture and I saw that the SSL handshake occurs between the client and the HTTP/HTTPS forward proxy (tinyproxy), using the HTTP CONNECT / Proxy-Connect method, but the SSL decryption will not occur if the HTTP forward proxy is configured on the client. (I am testing this because one of our customers would like to implement SSL Orchestrator, but actually the customer has an explicit HTTP proxy configured in order to provide web reputation filtering to the clients.)


The architecture flow is the following (starting from the source):


  1. Client
  2. F5 SSL Orchestrator
  3. HTTP/HTTPS Forward Proxy (tinyproxy)
  4. Internet

I'd expect to see that the traffic is decrypted correctly with the HTTP forward proxy in place as well. (Actually it works for outbound decryption, but without the HTTP forward proxy --> point 3.)
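
The two cases in the capture described above can be told apart by classifying the first client-to-server bytes of each TCP flow; this is an added example, not part of the original post and not F5 code. With an explicit proxy configured, the flow opens with a cleartext `CONNECT` request and the TLS ClientHello only follows inside that tunnel. The function names and sample bytes are constructed for illustration.

```python
import re

# Constructed sample bytes, not taken from the poster's capture.
# TLS record header + ClientHello handshake header, zero-filled body.
TLS_CLIENT_HELLO = bytes.fromhex("160301002f0100002b0303") + b"\x00" * 41
CONNECT_REQUEST = (b"CONNECT www.example.com:443 HTTP/1.1\r\n"
                   b"Host: www.example.com:443\r\n"
                   b"Proxy-Connection: keep-alive\r\n\r\n")

# Request line a browser sends to an explicit forward proxy for HTTPS.
CONNECT_RE = re.compile(rb"^CONNECT (\S+):(\d+) HTTP/1\.[01]\r\n")


def is_client_hello(buf):
    """True if buf starts with a TLS handshake record carrying a ClientHello."""
    return (len(buf) >= 6
            and buf[0] == 0x16   # record type: handshake
            and buf[1] == 0x03   # major version 3 (SSLv3 / TLS)
            and buf[5] == 0x01)  # handshake type: ClientHello


def classify_client_stream(buf):
    """Classify the reassembled client-to-server bytes of one TCP flow."""
    if is_client_hello(buf):
        # No explicit proxy: TLS is the first thing on the wire.
        return {"kind": "tls-direct", "target": None, "tls_offset": 0}
    m = CONNECT_RE.match(buf)
    if m:
        target = (m.group(1).decode(), int(m.group(2)))
        end = buf.find(b"\r\n\r\n")
        # The tunnelled ClientHello, if captured, starts after the headers.
        offset = None
        if end != -1 and is_client_hello(buf[end + 4:]):
            offset = end + 4
        return {"kind": "http-connect", "target": target, "tls_offset": offset}
    return {"kind": "other", "target": None, "tls_offset": None}


if __name__ == "__main__":
    for name, data in (("direct", TLS_CLIENT_HELLO),
                       ("via proxy", CONNECT_REQUEST + TLS_CLIENT_HELLO)):
        print(name, classify_client_stream(data))
```
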


