For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Son_of_Tom_1379's avatar
Son_of_Tom_1379
Icon for Nimbostratus rankNimbostratus
Aug 15, 2014
Solved

SWG Evaluation

Hey There,   We're evaluating the SWG module to see if it fits well in a consolidation piece we're looking to perform. So far the base configuration seems convoluted, when compared with other forw...
application delivery
BIG-IP Access Policy Manager (APM)
deployment
design
LTM
security
  • Yann_Desmarest_'s avatar
    Yann_Desmarest_
    Aug 19, 2014

    In fact, you can do SSL interception with embedded certificates (ex: "default" for F5).

     

    You have to make sure of two things : - the Certificate is trusted by users, - the certificate is able to sign child certificates (keyring).

     

    Please find below two links : - generating certificates for SSL interception : http://communicationsfinance.com/wp-content/uploads/2013/04/SSL-Interception-on-Proxy-SG.pdf - Configuring SSL Forward Proxy on F5 : http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-implementations-11-5-1/16.htmlconceptid

     

Yann_Desmarest_'s avatar
Yann_Desmarest_
Icon for Nacreous rankNacreous
Aug 15, 2014

Hi,

 

You have to use a keering certificate that is trusted (or its Issuer is trusted by users)

 

It's a special kind of certificate.

 

BR

 

Yann

 

  • Son_of_Tom_1379's avatar
    Son_of_Tom_1379
    Icon for Nimbostratus rankNimbostratus
    Aug 17, 2014
    Thanks for that Yann, don't suppose you have anything more verbose? This is a certificate type I'm not familiar with. There is an internal PKI infrastructure which we may be able to leverage, I just find it hard to believe it's a requirement as products such as Symantec Web Gateway provide this functionality out of the box.