Configure the F5 BIG-IP as an Explicit Forward Web Proxy Using LTM
In a previous article, I provided a guide on using F5's Access Policy Manager (APM) and Secure Web Gateway (SWG) to provide forward web proxy services. That guide was aimed at organizations looking to provide secure internet access for their internal users, with URL filtering and protection against both inbound and outbound malware. This guide uses only F5's Local Traffic Manager (LTM) to give internal clients external internet access.
This week I was working with F5's very talented professional services team, and we were presented with a requirement to allow workstation agents internet access to known secure sites in order to provide logs and analytics. Of course, this capability can be used to meet a number of other use cases, but this was a real-world one I wanted to share. So with that, let's get to it!
Creating a DNS Resolver
- Navigate to Network > DNS Resolvers > click Create
- Name: DemoDNSResolver
- Leave all other settings at their defaults and click Finished
- Click the newly created DNS resolver object
- Click Forward Zones
- Click Add
In this use case, we will be forwarding all requests to this DNS resolver.
- Name: .
- Address: 8.8.8.8
Note: Please use the correct DNS server for your use case.
- Service Port: 53
- Click Add and Finished
Creating a Network Tunnel
- Navigate to Network > Tunnels > Tunnel List > click Create
- Name: DemoTunnel
- Profile: tcp-forward
- Leave all other settings default and click Finished
Create an http Profile
- Navigate to Local Traffic > Profiles > Services > HTTP > click Create
- Name: DemoExplicitHTTP
- Proxy Mode: Explicit
- Parent Profile: http-explicit
- Scroll until you reach Explicit Proxy settings.
- DNS Resolver: DemoDNSResolver
- Tunnel Name: DemoTunnel
- Leave all other settings at their defaults and click Finished
Create an Explicit Proxy Virtual Server
- Navigate to Local Traffic > Virtual Servers > click Create
- Name: explicit_proxy_vs
- Type: Standard
- Destination Address/Mask: 10.1.20.254
Note: This must be an IP address the internal clients can reach.
- Service Port: 8080
- Protocol: TCP
Note: This use case was for TCP traffic directed at known hosts on the internet. If you require other protocols or all, select the correct option for your use case from the drop-down menu.
- Protocol Profile (Client): f5-tcp-progressive
- Protocol Profile (Server): f5-tcp-wan
- HTTP Profile: DemoExplicitHTTP
- VLAN and Tunnel Traffic Enabled on: Internal
- Source Address Translation: Auto Map
- Leave all other settings at their defaults and click Finished.
Create a Fast L4 Profile
- Navigate to Local Traffic > Profiles > Protocol > Fast L4 > click Create
- Name: demo_fastl4
- Parent Profile: fastL4
- Enable Loose Initiation and Loose Close as shown in the screenshot below.
- Click Finished
Create a Wild Card Virtual Server
In order to catch and forward all traffic to the BIG-IP's default gateway, we will create a virtual server to accept traffic from our explicit proxy virtual server created in the previous steps.
- Navigate to Local Traffic > Virtual Servers > Virtual Server List > click Create
- Name: wildcard_VS
- Type: Forwarding (IP)
- Source Address: 0.0.0.0/0
- Destination Address: 0.0.0.0/0
- Protocol: *All Protocols
- Service Port: 0 *All Ports
- Protocol Profile: demo_fastl4
- VLAN and Tunnel Traffic: Enabled on: DemoTunnel
- Source Address Translation: Auto Map
- Leave all other settings at their defaults and click Finished.
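The same build as tmsh commands run from the BIG-IP bash shell, as an added example that is not part of the original article. It reuses the article's object names and sample addresses (8.8.8.8, 10.1.20.254, the Internal VLAN), and adds two settings the GUI steps leave at their defaults: default-connect-handling allow on the explicit profile, so browser CONNECT requests for HTTPS sites are tunnelled instead of rejected, and translate-port enabled on the wildcard virtual server, which a commenter below reported needing on 15.1.

```shell
#!/usr/bin/env bash
# Added example, not the article's own procedure: tmsh equivalent of the GUI
# steps above. Sample values (8.8.8.8, 10.1.20.254, VLAN "Internal") are the
# article's and must be replaced for your environment.
set -euo pipefail

# One tmsh command per line, in the same order as the article.
explicit_proxy_cmds() {
  cat <<'EOF'
create net dns-resolver DemoDNSResolver forward-zones add { . { nameservers add { 8.8.8.8:53 } } }
create net tunnels tunnel DemoTunnel profile tcp-forward
create ltm profile http DemoExplicitHTTP defaults-from http-explicit proxy-type explicit explicit-proxy { dns-resolver DemoDNSResolver tunnel-name DemoTunnel default-connect-handling allow }
create ltm virtual explicit_proxy_vs destination 10.1.20.254:8080 ip-protocol tcp profiles add { f5-tcp-progressive { context clientside } f5-tcp-wan { context serverside } DemoExplicitHTTP { } } vlans add { Internal } vlans-enabled source-address-translation { type automap }
create ltm profile fastl4 demo_fastl4 defaults-from fastL4 loose-initialization enabled loose-close enabled
create ltm virtual wildcard_VS destination 0.0.0.0:any mask any ip-forward ip-protocol any profiles add { demo_fastl4 } vlans add { DemoTunnel } vlans-enabled source-address-translation { type automap } translate-port enabled
save sys config
EOF
}

# On a BIG-IP, run each command through tmsh; anywhere else (or with
# DRY_RUN=1) print the commands so they can be reviewed before applying.
apply_explicit_proxy() {
  if [ "${DRY_RUN:-0}" = "1" ] || ! command -v tmsh >/dev/null 2>&1; then
    explicit_proxy_cmds
    return 0
  fi
  explicit_proxy_cmds | while IFS= read -r cmd; do
    tmsh -c "$cmd"
  done
}

apply_explicit_proxy
```

After applying, `tmsh show ltm virtual explicit_proxy_vs` and `tmsh show ltm virtual wildcard_VS` give the per-virtual-server statistics the Testing and Validation section checks in the GUI.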
Testing and Validation
- Navigate to a workstation on your internal network.
- Launch Internet Explorer or the browser of your preference.
- Modify the proxy settings to point at the explicit_proxy_vs created in the previous steps.
- Attempt to access several sites and validate you are able to reach them.
- Whether successful or unsuccessful, navigate to Local Traffic > Virtual Servers > Virtual Server List > click the Statistics tab.
- Validate traffic is hitting both of the virtual servers created above.
- If it is not, for troubleshooting purposes only, configure the virtual servers to accept traffic on All VLANs and Tunnels, and use tools such as curl and tcpdump to see where the traffic stops.
You have now successfully configured your F5 BIG-IP to act as an explicit forward web proxy using LTM only. As stated above, this use case is not meant to fulfill all forward proxy use cases. If URL filtering and malware protection are required, APM and SWG integration should be considered. Until next time!
- Steve_Lyons (Ret. Employee)
This also entails https traffic. There is no additional configuration for this specific use case. With that, if we are terminating SSL for inspection or authentication purposes then yes there would be additional configuration items.
- pstavr (Cirrus)
Hi Steve.
Very interesting, thank you for the walkthrough. I tested this and it works quite well. I was wondering though what happens if you want to do URL Filtering. There is a guide for deploying an explicit forward proxy using APM and you can define URL Categories / URL Filtering there. Is it possible on this setup as well? I tried to apply certain iRules to restrict the explicit proxy to be able to reach e.g. *.microsoftupdates.com but it looks like the F5 doesn't really perceive this is an HTTP_REQUEST. I also tried to apply iRules on the wildcard VS, however no luck on that one as well.
- Andre-Germany (Nimbostratus)
Hello,
I have the problem that as soon as I have https traffic, no more data packets are forwarded.
I can still see that there is a DNS request and it is answered. But then there is no connection. The F5 does not send packets to the destination.
If I make the same call with http I see the packets leaving the F5.
- Andre-Germany (Nimbostratus)
Just deleted the Wild Card Virtual Server and set it up again. And now it works.
- Steve_Lyons (Ret. Employee)
When defining the wildcard VS, please ensure you define a /0 mask for the destination. Just worked with another customer and this is all they were missing and everything began to function as expected.
- quickref (Nimbostratus)
Since we moved to the cloud we need a solution to NAT applications to different IPs. As the clients are in the Azure environment, I thought about setting up multiple of these proxy listeners. But as we set the NAT on the wildcard VS, I guess I can only NAT to 1 IP address per proxy. Would it work to assign every proxy listener to a different routing domain?
- Erik_Roeckers (Employee)
To get this to work I needed to enable port translation in the wildcard IP forwarding virtual server. Without that it was sending traffic out to the web server on port 8080 instead of port 443 or 80. This was on BIG-IP version 15.1.
- Jiwook (Nimbostratus)
Erik_Roeckers Hi, I have some questions.
I tried to configure a forward proxy on LTM following this article.
But I can't reach the outside Internet, but can on the F5 explicit_proxy_vs.
At Virtual Server Statistics, I can see wildcard_vs packets 'zero'.
I assume that my packets can't pass through the F5 LTM.
Port translation is enabled on explicit_proxy_vs but there is no 'port translation' option on the wildcard IP forwarding VS... :(
Steve_Lyons Based on this article it seems like this forward proxy configuration is supposed to work for HTTP requests to the forward proxy, but does this work for HTTPS requests to the forward proxy? Currently when I attempt to utilize the forward proxy for HTTPS communication I receive a "HTTP/1.0 503 Service Unavailable" in the browser and in the tcpdump I see "Connect failed[!http]", which makes me believe this type of forward proxy does not support HTTPS communication. I am seeing "CONNECT <redacted FQDN>:443 HTTP/1.1" and "Host: <redacted FQDN>:443" in the initial request, so the F5 is definitely seeing the appropriate pieces of information, but it continues to fail.
- Yonatan_Talmor (Nimbostratus)
I had to struggle with this one for hours.
Finally it started to work, but it took an extra setting: only after I added the 'route domain' directive in the HTTP profile attached to the explicit proxy VIRT.
That is, I suppose, due to the multi route domain design in my env. Now everything just works, also for HTTPS traffic.
Thank you