Forum Discussion

Son_of_Tom_1379
Aug 15, 2014

SWG Evaluation

Hey There,

We're evaluating the SWG module to see if it fits well in a consolidation piece we're looking to perform. So far the base configuration seems convoluted when compared with other forward proxy products, but I'm persisting.

I'm currently stuck on three key concepts for the configuration:

  • Which certs/keys to use for the SSL client-side profile
  • What port to use for the browser's SSL setting
  • How reporting works

I've followed Chapter 4 - Explicit Forward Proxy - Configuring SWG Explicit Forward Proxy, but it's not very verbose, so I'm struggling to understand how this all pieces together.

For the SSL component, which certificate do I use? I've selected just the default certificate and key for now, but that hasn't worked. I've messed around with varying cert pairs etc., to no avail.

The browser port setting may be a moot point once the certificate is sorted. I've tried the default 8080 I'm using on the HTTP VS, and also 443 (as the HTTPS VS is on 443), but neither works. Again, the issue may well be the certificates.

The last issue is the reporting: I'm sending HTTP traffic through the forward proxy fine, but nothing is showing up in the reporting section.

Hope these are easy questions!

Thanks


  • In fact, you can do SSL interception with embedded certificates (ex: "default" for F5).

    You have to make sure of two things:
      - the certificate is trusted by users,
      - the certificate is able to sign child certificates (keyring).

    Please find below two links:
      - generating certificates for SSL interception: http://communicationsfinance.com/wp-content/uploads/2013/04/SSL-Interception-on-Proxy-SG.pdf
      - Configuring SSL Forward Proxy on F5: http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-implementations-11-5-1/16.htmlconceptid

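The two requirements in the answer above (and Yann's "keyring certificate" replies further down) in concrete certificate terms, as an added example that is not part of this thread or of F5's documentation. It is a POSIX shell script driving the openssl CLI: it builds a self-signed leaf modelled on the shipped "default" pair (assumed here to be a non-CA certificate for localhost.localdomain), builds a CA that can sign child certificates, checks each for the CA:TRUE and keyCertSign flags a forward proxy needs, and then mints a per-site child certificate the way an intercepting proxy does and validates it as a client would. File names, subjects and the example site names are illustrative.

```shell
#!/bin/sh
# Added example (not from the thread or from F5): what "trusted by users" and
# "able to sign child certificates" mean in certificate terms, using the openssl CLI.
# File names, subjects and the shape of the "default" pair are assumptions.
set -eu

WORK="$(mktemp -d)"
cd "$WORK"

# Write a minimal openssl req config so behaviour does not depend on the
# system openssl.cnf. $1 = file, $2 = subject CN, $3 = extension lines.
write_req_cnf() {
  printf '[req]\nprompt = no\ndistinguished_name = dn\nx509_extensions = ext\n' > "$1"
  printf '[dn]\nCN = %s\n[ext]\n%s\n' "$2" "$3" >> "$1"
}

# A self-signed leaf, modelled on the shipped "default" pair (assumed: non-CA,
# CN=localhost.localdomain). Browsers see the proxy's own name and an untrusted
# issuer, which is the certificate error the thread describes.
make_default_style_cert() {
  write_req_cnf default.cnf localhost.localdomain \
    "$(printf 'basicConstraints = critical,CA:FALSE\nkeyUsage = critical,digitalSignature,keyEncipherment')"
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 \
    -config default.cnf -keyout default.key -out default.crt 2>/dev/null
}

# A signing CA ("keyring" in the thread's words): CA:TRUE plus keyCertSign.
# Self-signed here; in an enterprise it would be issued by the internal PKI.
make_proxy_ca() {
  write_req_cnf proxyca.cnf "Example SWG Forward Proxy CA" \
    "$(printf 'basicConstraints = critical,CA:TRUE,pathlen:0\nkeyUsage = critical,keyCertSign,cRLSign')"
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
    -config proxyca.cnf -keyout proxyca.key -out proxyca.crt 2>/dev/null
}

# Pre-flight check before loading a pair into the proxy: prints "yes" if the
# certificate may sign child certificates (CA:TRUE and keyCertSign), else "no".
cert_can_sign_children() {
  text="$(openssl x509 -in "$1" -noout -text)"
  if printf '%s\n' "$text" | grep -q 'CA:TRUE' &&
     printf '%s\n' "$text" | grep -q 'Certificate Sign'; then
    echo yes
  else
    echo no
  fi
}

# What the proxy does per intercepted origin: mint a child certificate carrying
# the origin's name ($1), signed by the pair $2/$3, and present it to the browser.
mint_child_cert() {
  site="$1"; cacert="$2"; cakey="$3"
  write_req_cnf "$site.cnf" "$site" 'basicConstraints = CA:FALSE'
  openssl req -new -newkey rsa:2048 -nodes -config "$site.cnf" \
    -keyout "$site.key" -out "$site.csr" 2>/dev/null
  printf 'subjectAltName = DNS:%s\nbasicConstraints = CA:FALSE\n' "$site" > "$site.ext"
  openssl x509 -req -in "$site.csr" -CA "$cacert" -CAkey "$cakey" -CAcreateserial \
    -days 30 -extfile "$site.ext" -out "$site.crt" 2>/dev/null
}

# Path validation as a client whose trust store holds $1: prints "ok" or "fail".
child_verifies_against() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

make_default_style_cert
make_proxy_ca
mint_child_cert www.example.com proxyca.crt proxyca.key
# Same thing with the non-CA "default" pair. Whether openssl even agrees to sign
# varies by version, so failure is tolerated here; validation fails either way.
mint_child_cert mail.example.com default.crt default.key || true

echo "default.crt can sign children: $(cert_can_sign_children default.crt)"   # no
echo "proxyca.crt can sign children: $(cert_can_sign_children proxyca.crt)"   # yes
echo "child via proxy CA validates:  $(child_verifies_against proxyca.crt www.example.com.crt)"   # ok
echo "child via default validates:   $(child_verifies_against default.crt mail.example.com.crt)"  # fail
```

The pair that passes `cert_can_sign_children` is the one to hand to the proxy: its private key and certificate are what the client-side SSL profile's forward-proxy settings need, while only the certificate (never the key) is pushed into the browsers' or OS trust stores, for instance through the internal PKI the thread mentions. A pair that prints "no" will let the proxy start, but every intercepted site will show up in the browser with an untrusted issuer, exactly the symptom reported above.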
9 Replies

  • Update - I have it working... it would have helped if I had typed a passphrase. The second point is moot: it's port 8080 and the tunnel takes care of it. But I'm receiving an invalid certificate, as it's presented from localhost.domain because I'm using the default, so I'm still trying to figure out what cert I should be using here.
  • Hi,

    You have to use a keyring certificate that is trusted (or its issuer is trusted by users).

    It's a special kind of certificate.

    BR

    Yann


    • Son_of_Tom_1379
      Thanks for that, Yann. I don't suppose you have anything more verbose? This is a certificate type I'm not familiar with. There is an internal PKI infrastructure which we may be able to leverage; I just find it hard to believe it's a requirement, as products such as Symantec Web Gateway provide this functionality out of the box.