Configure the F5 BIG-IP as an Explicit Forward Web Proxy Using LTM
In a previous article, I provided a guide on using F5's Access Policy Manager (APM) and Secure Web Gateway (SWG) to provide forward web proxy services. While that guide was for organizations that are looking to provide secure internet access for their internal users, URL filtering as well as securing against both inbound and outbound malware, this guide will use only F5's Local Traffic Manager to allow internal clients external internet access.
This week I was working with F5's very talented professional services team, and we were presented with a requirement to allow workstation agents internet access to known secure sites so they could deliver logs and analytics. This capability can of course meet a number of other use cases, but this was a real-world one I wanted to share. So with that, let's get to it!
Creating a DNS Resolver
- Navigate to Network > DNS Resolvers > click Create
- Name: DemoDNSResolver
- Leave all other settings at their defaults and click Finished
- Click the newly created DNS resolver object
- Click Forward Zones
- Click Add
In this use case, a forward zone named "." sends every query this DNS resolver receives to the upstream DNS server.
- Name: .
- Address: 8.8.8.8
Note: Please use the correct DNS server for your use case.
- Service Port: 53
- Click Add and Finished
Creating a Network Tunnel
- Navigate to Network > Tunnels > Tunnel List > click Create
- Name: DemoTunnel
- Profile: tcp-forward
- Leave all other settings default and click Finished
Create an http Profile
- Navigate to Local Traffic > Profiles > Services > HTTP > click Create
- Name: DemoExplicitHTTP
- Proxy Mode: Explicit
- Parent Profile: http-explicit
- Scroll until you reach Explicit Proxy settings.
- DNS Resolver: DemoDNSResolver
- Tunnel Name: DemoTunnel
- Leave all other settings at their defaults and click Finished
Create an Explicit Proxy Virtual Server
- Navigate to Local Traffic > Virtual Servers > click Create
- Name: explicit_proxy_vs
- Type: Standard
- Destination Address/Mask: 10.1.20.254
Note: This must be an IP address the internal clients can reach.
- Service Port: 8080
- Protocol: TCP
Note: This use case was for TCP traffic directed at known hosts on the internet. If you require other protocols or all, select the correct option for your use case from the drop-down menu.
- Protocol Profile (Client): f5-tcp-progressive
- Protocol Profile (Server): f5-tcp-wan
- HTTP Profile: DemoExplicitHTTP
- VLAN and Tunnel Traffic Enabled on: Internal
- Source Address Translation: Auto Map
- Leave all other settings at their defaults and click Finished.
Create a Fast L4 Profile
- Navigate to Local Traffic > Profiles > Protocol > Fast L4 > click Create
- Name: demo_fastl4
- Parent Profile: fastL4
- Enable Loose Initiation and Loose Close as shown in the screenshot below.
- Click Finished
Create a Wild Card Virtual Server
To catch all traffic leaving the tunnel and forward it to the BIG-IP's default gateway, we will create a virtual server that accepts traffic from the explicit proxy virtual server created in the previous steps.
- Navigate to Local Traffic > Virtual Servers > Virtual Server List > click Create
- Name: wildcard_VS
- Type: Forwarding (IP)
- Source Address: 0.0.0.0/0
- Destination Address: 0.0.0.0/0
- Protocol: *All Protocols
- Service Port: 0 *All Ports
- Protocol Profile: demo_fastl4
- VLAN and Tunnel Traffic: Enabled on: DemoTunnel
- Source Address Translation: Auto Map
- Leave all other settings at their defaults and click Finished.
Testing and Validation
- Navigate to a workstation on your internal network.
- Launch Internet Explorer or the browser of your preference.
- Modify the proxy settings to point at the explicit_proxy_vs created in the previous steps (10.1.20.254, port 8080).
- Attempt to access several sites and validate you are able to reach them.
- Whether successful or unsuccessful, navigate to Local Traffic > Virtual Servers > Virtual Server List > click the Statistics tab.
- Validate traffic is hitting both of the virtual servers created above.
- If it is not, for troubleshooting purposes only, temporarily configure the virtual servers to accept traffic on All VLANs and Tunnels, and use tools such as curl and tcpdump to trace where the traffic stops.
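For readers who prefer the CLI, the following is an added example (not from the original article) giving the tmsh equivalents of the GUI steps above, followed by the checks from the validation section. It assumes the tmsh property names shown and reuses the article's object names, the 10.1.20.254:8080 listener, the Internal VLAN and the 8.8.8.8 upstream resolver; the listener is deliberately limited to the Internal VLAN so the BIG-IP does not become an open proxy.

```tmsh
# Added example: tmsh equivalents of the GUI procedure (assumed syntax, not the article's own).
# Run from the BIG-IP bash prompt; object names and addresses match the article.

# 1. DNS resolver with a "." forward zone: every query goes to the upstream server.
tmsh create net dns-resolver DemoDNSResolver forward-zones add { . { nameservers add { 8.8.8.8:53 { } } } }

# 2. Tunnel that carries the proxy's outbound flows to the wildcard virtual server.
tmsh create net tunnels tunnel DemoTunnel profile tcp-forward

# 3. Explicit-proxy HTTP profile bound to the resolver and the tunnel.
tmsh create ltm profile http DemoExplicitHTTP defaults-from http-explicit proxy-type explicit explicit-proxy { dns-resolver DemoDNSResolver tunnel-name DemoTunnel }

# 4. Explicit proxy listener on 10.1.20.254:8080, reachable only from the Internal VLAN.
tmsh create ltm virtual explicit_proxy_vs destination 10.1.20.254:8080 ip-protocol tcp profiles add { f5-tcp-progressive { context clientside } f5-tcp-wan { context serverside } DemoExplicitHTTP { } } vlans add { Internal } vlans-enabled source-address-translation { type automap }

# 5. FastL4 profile with loose initiation/close so flows arriving mid-stream via the tunnel are accepted.
tmsh create ltm profile fastl4 demo_fastl4 defaults-from fastL4 loose-initialization enabled loose-close enabled

# 6. Wildcard IP-forwarding virtual server that listens only on the tunnel.
tmsh create ltm virtual wildcard_VS destination 0.0.0.0:any mask any ip-forward ip-protocol any profiles add { demo_fastl4 { } } vlans add { DemoTunnel } vlans-enabled source-address-translation { type automap }

tmsh save sys config

# Validation (from the article's troubleshooting guidance): confirm both listeners see
# traffic, and confirm resolver queries leave via a self IP with a route to the upstream DNS.
tmsh show ltm virtual explicit_proxy_vs
tmsh show ltm virtual wildcard_VS
ip route get 8.8.8.8
tcpdump -ni 0.0 host 8.8.8.8 and port 53
```

If ip route get reports the management interface instead of an external self IP, add a default route (tmsh create net route default gw <gateway-ip>, gateway placeholder) before retesting.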
You have now successfully configured your F5 BIG-IP to act as an explicit forward web proxy using LTM only. As stated above, this use case is not meant to fulfill all forward proxy use cases. If URL filtering and malware protection are required, APM and SWG integration should be considered. Until next time!
- k20 (Nimbostratus)
I got the same error "DNS lookup failed" Have you ever got it figured out?
- Stanislas_Piro2 (Cumulonimbus)
@k20 : Do you try to access FQDN or short names?
- k20 (Nimbostratus)
I'm trying to go to google.com from a workstation inside my network.
- Ajit (Altostratus)
Facing similar issue. Unable to resolve DNS. Do you have a solution to this problem?
- Steve_Lyons (Ret. Employee)
@Ajit, do you have an external self IP configured that allows access to the external internet or whatever you are using as a DNS resolver? You can also run ip route get <server ip address> to determine which IP address is being used to communicate with the DNS resolver.
Honestly this is the first time I am seeing any of these comments so if it is related to internal websites, you should probably be bypassing any type of proxy for internal addresses. If not, let me know and we can figure out how to resolve it.
- Ajit (Altostratus)
No, these are Amazon VPC endpoints that I am trying to resolve. If I set the same DNS server that I use in the DNS resolver in the nslookup command, then it resolves without any issues. However, the same DNS server is unable to resolve via the proxy solution. Am I missing something?
- Steve_Lyons (Ret. Employee)
Can you validate that when you do a tcpdump, you see queries sent and received on the IP you have configured in your DNS resolver? I too was getting DNS failures in my browser when I just set this up again in my own environment, which led me to believe I did not have a route configured for my queries and external connections to use. I have a very basic configuration and when I did an "ip get route 8.8.8.8" it was attempting to use my mgmt IP. That of course is not going to work, so I configured a default route for my BIG-IP to use a gateway that had access to the outside world. Using ip route get and tcpdump, can you validate your connections are being attempted using your external self IP? If you do not have an external self IP configured, that needs to be done first. I will be updating this article to reflect these troubleshooting steps as well. Let me know.
[root@ip-10-1-1-4:Active:Standalone] log # ip route get 8.8.8.8
8.8.8.8 via 10.1.10.1 dev External src 10.1.10.240
cache
[root@ip-10-1-1-4:Active:Standalone] log #
[root@ip-10-1-1-4:Active:Standalone] log # tcpdump -ni 0.0 host 8.8.8.8
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 65535 bytes
17:15:32.240515 IP 10.1.10.240.31374 > 8.8.8.8.domain: 55472+ [1au] A? e13678.DSPb.akAmAIEDgE.neT. (55) out slot1/tmm1 lis=
17:15:32.266805 IP 8.8.8.8.domain > 10.1.10.240.31374: 55472 1/0/1 A 23.64.48.164 (71) in slot1/tmm1 lis=
- Ajit (Altostratus)
Hi
All the configuration and routing looks perfect; however, the DNS resolvers are not resolving the hostnames.
I think the issue is that I had first set the forward zone name as "TestDNS" initially, and later realized that it is incorrect. I then changed the forward zone name to "dot"; however, in spite of the correction made, the DNS resolver refuses to resolve the FQDNs whatsoever. I think it has some bug / misbehavior after the correction. When I built the same setup on another LB with the exact steps (no mistakes in any step) then it worked perfectly.
Regards,
Ajit
- Steve_Lyons (Ret. Employee)
I cannot be sure about your configuration without seeing it, but I can tell you I have deployed this using v13, v14, and v15. I have customers currently running this on v13 and v14. The biggest issue my customers faced was understanding how and what self IP was being used to perform the resolution. They each experienced the same issue you did regarding the inability to resolve, but after validating the external self IP being used, it began functioning as expected. Some created default routes to use the external self IP. I am sorry you are unable to get this functioning. I would definitely recommend opening a ticket with F5 support to determine why resolution is not occurring.
- yingwei (Nimbostratus)
How do I forward HTTPS traffic?