Configure the F5 BIG-IP as an Explicit Forward Web Proxy Using LTM
In a previous article, I provided a guide on using F5's Access Policy Manager (APM) and Secure Web Gateway (SWG) to provide forward web proxy services. While that guide was for organizations that are looking to provide secure internet access for their internal users, URL filtering as well as securing against both inbound and outbound malware, this guide will use only F5's Local Traffic Manager to allow internal clients external internet access.
This week I was working with F5's very talented professional services team and we were presented with a requirement to allow workstation agents internet access to known secure sites to provide logs and analytics. Of course, this capability can be used to meet a number of other use cases, this was a real-world use case I wanted to share. So with that, let's get to it!
Creating a DNS Resolver
- Navigate to Network > DNS Resolvers > click Create
- Name: DemoDNSResolver
- Leave all other settings at their defaults and click Finished
- Click the newly created DNS resolver object
- Click Forward Zones
- Click Add
In this use case, we will be forwarding all requests to this DNS resolver.
- Name: .
- Address: 8.8.8.8
Note: Please use the correct DNS server for your use case.
- Service Port: 53
- Click Add and Finished
Creating a Network Tunnel
- Navigate to Network > Tunnels > Tunnel List > click Create
- Name: DemoTunnel
- Profile: tcp-forward
- Leave all other settings default and click Finished
Create an http Profile
- Navigate to Local Traffic > Profiles > Services > HTTP > click Create
- Name: DemoExplicitHTTP
- Proxy Mode: Explicit
- Parent Profile: http-explict
- Scroll until you reach Explicit Proxy settings.
- DNS Resolver: DemoDNSResolver
- Tunnel Name: DemoTunnel
- Leave all other settings default and click Finish
Create an Explicit Proxy Virtual Server
- Navigate to Local Traffic > Virtual Servers > click Create
- Name: explicit_proxy_vs
- Type: Standard
- Destination Address/Mask: 10.1.20.254
Note: This must be an IP address the internal clients can reach.
- Service Port: 8080
- Protocol: TCP
Note: This use case was for TCP traffic directed at known hosts on the internet. If you require other protocols or all, select the correct option for your use case from the drop-down menu.
- Protocol Profile (Client): f5-tcp-progressive
- Protocol Profile (Server): f5-tcp-wan
- HTTP Profile: DemoExplicitHTTP
- VLAN and Tunnel Traffic Enabled on: Internal
- Source Address Translation: Auto Map
- Leave all other settings at their defaults and click Finish.
Create a Fast L4 Profile
- Navigate to Local Traffic > Profiles: Protocol: Fast L4 > click Create
- Name: demo_fastl4
- Parent Profile: fastL4
- Enable Loose Initiation and Loose Close as shown in the screenshot below.
- Click Finished
Create a Wild Card Virtual Server
In order to catch and forward all traffic to the BIG-IP's default gateway, we will create a virtual server to accept traffic from our explicit proxy virtual server created in the previous steps.
- Navigate to Local Traffic > Virtual Servers > Virtual Server List > click Create
- Name: wildcard_VS
- Type: Forwarding (IP)
- Source Address: 0.0.0.0/0
- Destination Address: 0.0.0.0/0
- Protocol: *All Protocols
- Service Port: 0 *All Ports
- Protocol Profile: demo_fastl4
- VLAN and Tunnel Traffic: Enabled on...DemoTunnel
- Source Address Translation: Auto Map
- Leave all other settings at their defaults and click Finished.
Testing and Validation
- Navigate to a workstation on your internal network.
- Launch Internet Explorer or the browser of your preference.
- Modify the proxy settings to reflect the explicit_proxy_VS created in previous steps.
- Attempt to access several sites and validate you are able to reach them.
- Whether successful or unsuccessful, navigate to Local Traffic > Virtual Servers > Virtual Server List > click the Statistics tab.
- Validate traffic is hitting both of the virtual servers created above.
- If it is not, for troubleshooting purposes only configure to the virtual servers to accept traffic on All VLANs and Tunnels as well as useful tools such as curl and tcpdump.
You have now successfully configured your F5 BIG-IP to act as an explicit forward web proxy using LTM only. As stated above, this use case is not meant to fulfill all forward proxy use cases. If URL filtering and malware protection are required, APM and SWG integration should be considered. Until next time!
Sam_D_ based on the following article I believe they would technically conflict with each other so I think the index ID would most likely cause traffic to go to the previously existing VS first rather than a new one that listens on the specific interface/vlan/tunnel.
Sam_D_the reason the wildcard VS is necessary is because that is what creates the forward proxy tunnel between the BIG-IP and the destination that you are trying to reach through the forward proxy. If you didn't have this you wouldn't be able to dynamically configure the destination the way the wildcard VS does. I'm also glad that the article did help sort out the confussion you had on priority of VS.
- Stanislas_Piro2Cumulonimbus
Hi Steve,
Why do you create a l4 virtual server instead of configuring default-connect-handling allow in http profile?
Did you see this codeshare with configuration command lines for http and ssl forward proxy?
- Bogart_376119Nimbostratus
Daemon tunnel apps for android
- sonu_kumar4Altostratus
Hello Steve,
We have a explicit F5 forward proxy server where I am able to access all external sites and it works fine however I can't reach any my internal sites , It said "DNS lookup failed " .
from Big IP I can resolve these sites but not working in browser., In DNS resolver list I have called the internal DNS server which can resolve all the DNS entries internal and external.
So please suggest where am I missing .
- Sergi0Nimbostratus
Why we use DemoTunnel not vlan?
- Stanislas_Piro2Cumulonimbus
@Sergi0 : the Explicit Proxy Virtual Server convert proxy connection with CONNECT method to TCP connection. CONNECT method is usually for HTTPS connection when the proxy must not inspect the content.
This connection is injected into an internal network to be forwarded to the destination.
Then the HTTPS virtual server with destination 0.0.0.0/0 listen on this internal network to enabled SSL Forward Proxy.
- Sergi0Nimbostratus
I know how to 0.0.0.0/0 works. What is the reason use DemoTunnel not just Internal vlan with wildcard_VS?
- Steve_LyonsRet. Employee
As Stanislas mentioned, the network tunnel will maintain the HTTP CONNECT tunnel for SSL traffic using the tcp-forward profile. I just searched for documentation around this and I honestly don't see a ton. I will keep searching and share if I find anything.
- Manish_VashishtNimbostratus
Its not working when I configured in Partition. I do not see traffic on Wild CARD VS configured in Partition. I am not sure if above solution supports in F5 Partition.