web proxy XFF header https
Hello,
I have recently noticed that my configured F5 proxy is forwarding XFF for http but not for https. For https the F5 is being the broker for client and so client source becomes the F5 for https.
Is there any way for the F5 to proxy client WWW traffic and forward XFF? We are running identity awareness on the next hop device.
Flow is as follows (F5 VS is explicit http proxy currently):
client --> GTM pool to resolve client proxy IP --> GSLB pool (3 x VS) --> Check point with IA (3 in total)
In F5 case, the next hop and DG is the Check Point firewall.
If the above cannot send XFF for https:
- is there another way to use the F5 as a WWW proxy and send original client IP or information to the next hop Check Point?
- if we enabled WWW proxy on the Check Point, can the GTM resolve to the Check Point as a node without proxying the users? There are three routes to the internet for clients
Thanks for any help,
Derrick
- CSOC_146480 Nimbostratus
I think the answer to my question is that the Check Point needs to proxy the user traffic, not the F5. Will look at load balancing the Check Points to the Check Point proxies rather than proxying on the F5.
- BinaryCanary_19 Historic F5 Account
On F5, you can configure the HTTP profile on the Virtual Server handling the traffic to insert the XFF header.
- CSOC_146480 Nimbostratus
Thanks, I was already doing XFF insert in the http profile on the VS, but the problem was that when using explicit proxy the XFF is encrypted by the time it gets to the next hop, all the way to the WWW server.
Not using the F5 as explicit proxy is working in the testing so far. Users are now proxy terminating on the next hop to the F5 rather than on the F5, with XFF being forwarded using snat via the VS. The VS is resolved as the proxy IP by GTM. All good.
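Added example, not part of the original thread and not F5 or Check Point code: a minimal Python model of an explicit forward proxy showing why header insertion works for plain HTTP but not for a CONNECT tunnel. It assumes the proxy does not intercept TLS; the function name, addresses and sample bytes are constructed for illustration.

```python
# Added illustration: a model of an explicit forward proxy WITHOUT TLS interception.
# All names, addresses and byte strings below are constructed samples.

CLIENT_IP = "10.1.2.3"  # constructed client source address

# Plain HTTP via explicit proxy: absolute-URI request, headers visible to the proxy.
HTTP_REQ = (b"GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\n"
            b"X-Forwarded-For: 203.0.113.9\r\n\r\n")

# HTTPS via explicit proxy: a CONNECT request, then opaque TLS records.
TLS_BYTES = b"\x16\x03\x01\x00\x05hello"  # constructed stand-in for a TLS record
HTTPS_REQ = (b"CONNECT example.com:443 HTTP/1.1\r\nHost: example.com:443\r\n\r\n"
             + TLS_BYTES)


def proxy_forward(stream: bytes, client_ip: str):
    """Return (bytes sent towards the next hop, True if XFF was inserted)."""
    head, sep, rest = stream.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP header block")
    lines = head.split(b"\r\n")
    method = lines[0].split(b" ", 1)[0].upper()

    if method == b"CONNECT":
        # The CONNECT request terminates at the proxy. What follows is TLS,
        # relayed byte-for-byte: there is no HTTP header block the proxy can
        # edit, so the next hop sees only the proxy's source IP.
        return rest, False

    # Plain HTTP: the proxy parses the request and can rewrite headers.
    # Design choice in this example: drop any client-supplied XFF so the
    # next hop cannot be fed a spoofed identity, then add the real source.
    kept = [l for l in lines[1:]
            if not l.lower().startswith(b"x-forwarded-for:")]
    xff = b"X-Forwarded-For: " + client_ip.encode()
    return b"\r\n".join([lines[0], *kept, xff]) + sep + rest, True


if __name__ == "__main__":
    for name, req in (("http", HTTP_REQ), ("https", HTTPS_REQ)):
        out, inserted = proxy_forward(req, CLIENT_IP)
        print(name, "XFF inserted:", inserted, "| upstream bytes:", out)
```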