Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Forum Discussion

Michael_Goetz's avatar
Michael_Goetz
Icon for Nimbostratus rankNimbostratus
Feb 14, 2023

Transparent Forward Proxy iApp

Hello, my organization has used a simple F5 Forward Proxy iApp, built by F5/Websense, for many years.  It functioned exactly as expected - a simple transparent proxy that allowed servers behind the F...
application delivery
Michael_Goetz's avatar
Michael_Goetz
Icon for Nimbostratus rankNimbostratus
Feb 15, 2023

Paulius Thank you sir.  The original forward proxy iApp did not require SWG.  Actually I think it was built before SWG was even a product.  We used it from version 11 to version 13.  Only version 14+ seems to have broken it, so it was a method at least at one point in time.  Oddly I cannot find any references to it DevCentral even though it was written by F5.

I setup the explicit proxy as mentioned in Steve's thread.  It does respond but now we're receving a 503 error.  I saw a reply to Steve's thread which suggested adding the route domain in the profile if a 503 is received, but that did not fix it.

9 230.341665 X.X.116.153 X.X.115.133 HTTP 357 IN s1/tmm3 : CONNECT externalsystem.com:443 HTTP/1.0
10 230.341744 X.X.115.133 X.X.116.153 TCP 211 OUT s1/tmm3 : 443 → 58998 [ACK] Seq=1 Ack=132 Win=65024 Len=0 TSval=1446237578 TSecr=1680799487
11 241.621895 X.X.115.133 X.X.116.153 TCP 283 OUT s1/tmm3 : 443 → 58998 [PSH, ACK] Seq=1 Ack=132 Win=65024 Len=72 TSval=1446248858 TSecr=1680799487 [TCP segment of a reassembled PDU]
12 241.621903 X.X.115.133 X.X.116.153 HTTP 211 OUT s1/tmm3 : HTTP/1.0 503 Service Unavailable

Seems like it may not be making the full trip to the external system, and I did not see any DNS requests in the packet capture.

 

  • Paulius's avatar
    Paulius
    Icon for MVP rankMVP
    Feb 15, 2023

    Michael_Goetz If you are not seeing the F5 perform any DNS requests for the forward proxy the DNS Resolver might not be configured correctly and that might be why this is failing. I never had any luck configuring a wildcard DNS Resolver but I was able to configure individual DNS Resolvers entries for each domain we were dealing with and that fixed our issues with DNS queries.

    • Michael_Goetz's avatar
      Michael_Goetz
      Icon for Nimbostratus rankNimbostratus
      Feb 15, 2023

      Paulius Good point!  I've looked into the config portion of the Resolvers list and everything looks correct.  The old iApp used a pool with the name servers as nodes which worked in v13, but coincidentally lack of DNS queries seemed to also be the issue with the iApp too, as indicated in the packet captures after moving to v16.  No specific error either like 'no response' or 'connection refused', just would not perform the lookup part of the routine at all.  Would be great if it was just a DNS issue.

      Asking our network team to check if the F5 has a clear path to the nameservers and will report back.

      • Paulius's avatar
        Paulius
        Icon for MVP rankMVP
        Feb 16, 2023

        Michael_Goetz sounds like a plan. On a device that I currently manage, if a FQDN that isn't configured as a resolve properly will still show DNS request but will not have a response back from the DNS caching server that you are querying. If you do the following tcpdump and receive nothing it is most likely an issue with the forward proxy and how it maps the Virtual Servers to the DNS resolver.

        tcpdump -nni 0.0 port 53