Configure the F5 BIG-IP as an Explicit Forward Web Proxy Using LTM

In a previous article, I provided a guide on using F5's Access Policy Manager (APM) and Secure Web Gateway (SWG) to provide forward web proxy services. While that guide was for organizations that are looking to provide secure internet access for their internal users, URL filtering as well as securing against both inbound and outbound malware, this guide will use only F5's Local Traffic Manager to allow internal clients external internet access.

This week I was working with F5's very talented professional services team and we were presented with a requirement to allow workstation agents internet access to known secure sites to provide logs and analytics. Of course, this capability can be used to meet a number of other use cases, this was a real-world use case I wanted to share. So with that, let's get to it!

Creating a DNS Resolver

  • Navigate to Network > DNS Resolvers > click Create
  • Name: DemoDNSResolver
  • Leave all other settings at their defaults and click Finished

  • Click the newly created DNS resolver object

  • Click Forward Zones

  • Click Add

In this use case, we will be forwarding all requests to this DNS resolver.

  • Name: .
  • Address: 8.8.8.8

Note: Please use the correct DNS server for your use case.

  • Service Port: 53
  • Click Add and Finished

Creating a Network Tunnel

  • Navigate to Network > Tunnels > Tunnel List > click Create
  • Name: DemoTunnel
  • Profile: tcp-forward
  • Leave all other settings default and click Finished

Create an http Profile

  • Navigate to Local Traffic > Profiles > Services > HTTP > click Create
  • Name: DemoExplicitHTTP
  • Proxy Mode: Explicit
  • Parent Profile: http-explict

  • Scroll until you reach Explicit Proxy settings.
  • DNS Resolver: DemoDNSResolver
  • Tunnel Name: DemoTunnel

  • Leave all other settings default and click Finish

Create an Explicit Proxy Virtual Server

  • Navigate to Local Traffic > Virtual Servers > click Create
  • Name: explicit_proxy_vs
  • Type: Standard
  • Destination Address/Mask: 10.1.20.254

Note: This must be an IP address the internal clients can reach.

  • Service Port: 8080
  • Protocol: TCP

Note: This use case was for TCP traffic directed at known hosts on the internet. If you require other protocols or all, select the correct option for your use case from the drop-down menu.

  • Protocol Profile (Client): f5-tcp-progressive
  • Protocol Profile (Server): f5-tcp-wan
  • HTTP Profile: DemoExplicitHTTP

  • VLAN and Tunnel Traffic Enabled on: Internal
  • Source Address Translation: Auto Map

  • Leave all other settings at their defaults and click Finish.

Create a Fast L4 Profile

  • Navigate to Local Traffic > Profiles: Protocol: Fast L4 > click Create
  • Name: demo_fastl4
  • Parent Profile: fastL4

  • Enable Loose Initiation and Loose Close as shown in the screenshot below.

  • Click Finished

Create a Wild Card Virtual Server

In order to catch and forward all traffic to the BIG-IP's default gateway, we will create a virtual server to accept traffic from our explicit proxy virtual server created in the previous steps.

  • Navigate to Local Traffic > Virtual Servers > Virtual Server List > click Create
  • Name: wildcard_VS
  • Type: Forwarding (IP)
  • Source Address: 0.0.0.0/0
  • Destination Address: 0.0.0.0/0
  • Protocol: *All Protocols
  • Service Port: 0 *All Ports

  • Protocol Profile: demo_fastl4
  • VLAN and Tunnel Traffic: Enabled on...DemoTunnel
  • Source Address Translation: Auto Map

  • Leave all other settings at their defaults and click Finished.

Testing and Validation

  • Navigate to a workstation on your internal network.
  • Launch Internet Explorer or the browser of your preference.
  • Modify the proxy settings to reflect the explicit_proxy_VS created in previous steps.

  • Attempt to access several sites and validate you are able to reach them.

  • Whether successful or unsuccessful, navigate to Local Traffic > Virtual Servers > Virtual Server List > click the Statistics tab.
  • Validate traffic is hitting both of the virtual servers created above.

  • If it is not, for troubleshooting purposes only configure to the virtual servers to accept traffic on All VLANs and Tunnels as well as useful tools such as curl and tcpdump.

You have now successfully configured your F5 BIG-IP to act as an explicit forward web proxy using LTM only. As stated above, this use case is not meant to fulfill all forward proxy use cases. If URL filtering and malware protection are required, APM and SWG integration should be considered. Until next time!

Updated Dec 08, 2022
Version 2.0
application delivery
LTM
security
  • Paulius's avatar
    Paulius
    Icon for MVP rankMVP
    Nov 02, 2022

    Sam_D_  based on the following article I believe they would technically conflict with each other so I think the index ID would most likely cause traffic to go to the previously existing VS first rather than a new one that listens on the specific interface/vlan/tunnel.

    https://support.f5.com/csp/article/K14800

  • Paulius's avatar
    Paulius
    Icon for MVP rankMVP
    Nov 02, 2022

    Sam_D_the reason the wildcard VS is necessary is because that is what creates the forward proxy tunnel between the BIG-IP and the destination that you are trying to reach through the forward proxy. If you didn't have this you wouldn't be able to dynamically configure the destination the way the wildcard VS does. I'm also glad that the article did help sort out the confussion you had on priority of VS.

  • Stanislas_Piro2's avatar
    Stanislas_Piro2
    Icon for Cumulonimbus rankCumulonimbus
    Oct 29, 2018

    Hi Steve,

     

    Why do you create a l4 virtual server instead of configuring default-connect-handling allow in http profile?

     

    Did you see this codeshare with configuration command lines for http and ssl forward proxy?

     

  • sonu_kumar4's avatar
    sonu_kumar4
    Icon for Altostratus rankAltostratus
    Apr 04, 2019

    Hello Steve,

     

    We have a explicit F5 forward proxy server where I am able to access all external sites and it works fine however I can't reach any my internal sites , It said "DNS lookup failed " .

     

    from Big IP I can resolve these sites but not working in browser., In DNS resolver list I have called the internal DNS server which can resolve all the DNS entries internal and external.

     

    So please suggest where am I missing .

     

  • Stanislas_Piro2's avatar
    Stanislas_Piro2
    Icon for Cumulonimbus rankCumulonimbus
    Apr 11, 2019

    @Sergi0 : the Explicit Proxy Virtual Server convert proxy connection with CONNECT method to TCP connection. CONNECT method is usually for HTTPS connection when the proxy must not inspect the content.

     

    This connection is injected into an internal network to be forwarded to the destination.

     

    Then the HTTPS virtual server with destination 0.0.0.0/0 listen on this internal network to enabled SSL Forward Proxy.

     

  • Sergi0's avatar
    Sergi0
    Icon for Nimbostratus rankNimbostratus
    Apr 11, 2019

    I know how to 0.0.0.0/0 works. What is the reason use DemoTunnel not just Internal vlan with wildcard_VS?

     

  • Steve_Lyons's avatar
    Steve_Lyons
    Ret. Employee
    Apr 12, 2019

    As Stanislas mentioned, the network tunnel will maintain the HTTP CONNECT tunnel for SSL traffic using the tcp-forward profile. I just searched for documentation around this and I honestly don't see a ton. I will keep searching and share if I find anything.

     

  • Manish_Vashisht's avatar
    Manish_Vashisht
    Icon for Nimbostratus rankNimbostratus
    May 19, 2019

    Its not working when I configured in Partition. I do not see traffic on Wild CARD VS configured in Partition. I am not sure if above solution supports in F5 Partition.