Configure the F5 BIG-IP as an Explicit Forward Web Proxy Using LTM

In a previous article, I provided a guide on using F5's Access Policy Manager (APM) and Secure Web Gateway (SWG) to provide forward web proxy services. That guide was for organizations that need to provide secure internet access for internal users, with URL filtering and protection against both inbound and outbound malware. This guide uses only F5's Local Traffic Manager (LTM) to give internal clients access to the internet: it forwards traffic, but performs no URL filtering or content inspection.

This week I was working with F5's very talented professional services team, and we were presented with a requirement to allow workstation agents internet access to a set of known, trusted sites in order to upload logs and analytics. This capability can of course meet a number of other use cases, but this was a real-world one I wanted to share. So with that, let's get to it!

Creating a DNS Resolver

  • Navigate to Network > DNS Resolvers > click Create
  • Name: DemoDNSResolver
  • Leave all other settings at their defaults and click Finished

  • Click the newly created DNS resolver object

  • Click Forward Zones

  • Click Add

In this use case a single forward zone for the root (.) sends every query the resolver receives to one upstream DNS server. The resolver is what the explicit proxy uses to look up the hostnames clients request, so without it the proxy cannot connect to anything.

  • Name: .
  • Address: 8.8.8.8

Note: Please use the correct DNS server for your use case. The resolver runs on the BIG-IP itself and sends its queries from a self IP, so pointing it at a public resolver such as 8.8.8.8 sends every hostname your clients look up to the internet and bypasses any internal DNS filtering. Use your internal resolvers where they exist.

  • Service Port: 53
  • Click Add and Finished

Creating a Network Tunnel

  • Navigate to Network > Tunnels > Tunnel List > click Create
  • Name: DemoTunnel
  • Profile: tcp-forward
  • Leave all other settings default and click Finished

Create an HTTP Profile

  • Navigate to Local Traffic > Profiles > Services > HTTP > click Create
  • Name: DemoExplicitHTTP
  • Proxy Mode: Explicit
  • Parent Profile: http-explicit

  • Scroll until you reach Explicit Proxy settings.
  • DNS Resolver: DemoDNSResolver
  • Tunnel Name: DemoTunnel

  • Leave all other settings at their defaults and click Finished

Create an Explicit Proxy Virtual Server

  • Navigate to Local Traffic > Virtual Servers > click Create
  • Name: explicit_proxy_vs
  • Type: Standard
  • Destination Address/Mask: 10.1.20.254

Note: This must be an IP address the internal clients can reach. The proxy performs no authentication, so anything that can reach this address and port can use it; the VLAN restriction below is what limits who that is.

  • Service Port: 8080
  • Protocol: TCP

Note: This use case was for TCP traffic directed at known hosts on the internet. If you require other protocols or all, select the correct option for your use case from the drop-down menu.

  • Protocol Profile (Client): f5-tcp-progressive
  • Protocol Profile (Server): f5-tcp-wan
  • HTTP Profile: DemoExplicitHTTP

  • VLAN and Tunnel Traffic Enabled on: Internal
  • Source Address Translation: Auto Map

  • Leave all other settings at their defaults and click Finished.

Create a Fast L4 Profile

  • Navigate to Local Traffic > Profiles > Protocol > Fast L4 > click Create
  • Name: demo_fastl4
  • Parent Profile: fastL4

  • Enable Loose Initiation and Loose Close. Both are needed because the flows this profile will handle arrive over the tunnel mid-stream: the TCP handshake was already completed by the explicit proxy virtual server, so a strict Fast L4 profile would drop packets that do not begin with a SYN.

  • Click Finished

Create a Wild Card Virtual Server

The explicit proxy virtual server terminates the client's TCP connection and parses the request, then hands the outbound side of the connection off through DemoTunnel. Something has to receive those flows and route them toward the internet, and that is this wildcard virtual server. It listens only on the tunnel, so it never competes with other virtual servers on the real VLANs, and as a Forwarding (IP) virtual server it sends traffic on according to the BIG-IP routing table, in this case to the default gateway.

  • Navigate to Local Traffic > Virtual Servers > Virtual Server List > click Create
  • Name: wildcard_VS
  • Type: Forwarding (IP)
  • Source Address: 0.0.0.0/0
  • Destination Address: 0.0.0.0/0
  • Protocol: *All Protocols
  • Service Port: 0 *All Ports

  • Protocol Profile: demo_fastl4
  • VLAN and Tunnel Traffic: Enabled on...DemoTunnel
  • Source Address Translation: Auto Map

  • Leave all other settings at their defaults and click Finished.
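The six objects above form one configuration, and it is easier to review (and to keep in version control) as tmsh than as a sequence of screenshots. The script below is an added example, not code from the original article or from F5: it prints the tmsh equivalent of every GUI step, using the same object names as the article. The virtual server address, port, DNS server and client VLAN name are parameters because they are assumptions about your network; the values in the example invocation are the article's demo values.

```shell
#!/bin/sh
# Added example (not from the original article): emits the tmsh equivalent of the
# GUI steps above so the whole build can be reviewed and applied in one pass.
# Object names match the article; VIP, port, DNS server and VLAN are parameters
# because they are site-specific assumptions.
#
# Usage: gen_explicit_proxy_tmsh <vip> <port> <dns_server> <client_vlan>
gen_explicit_proxy_tmsh() {
    vip="$1"; port="$2"; dns="$3"; vlan="$4"
    cat <<EOF
# 1. DNS resolver the explicit proxy uses for client-requested hostnames.
#    A single forward zone for "." sends every query to ${dns}.
create net dns-resolver DemoDNSResolver forward-zones replace-all-with { . { nameservers replace-all-with { ${dns}:53 { } } } }

# 2. Tunnel through which the HTTP profile hands proxied flows to the wildcard VS.
create net tunnels tunnel DemoTunnel { profile tcp-forward }

# 3. Explicit-proxy HTTP profile bound to the resolver and the tunnel.
create ltm profile http DemoExplicitHTTP defaults-from http-explicit proxy-type explicit explicit-proxy { dns-resolver DemoDNSResolver tunnel-name DemoTunnel }

# 4. Listener the clients point their proxy setting at. Enabled only on the
#    client VLAN because the proxy itself performs no authentication.
create ltm virtual explicit_proxy_vs destination ${vip}:${port} ip-protocol tcp profiles replace-all-with { f5-tcp-progressive { context clientside } f5-tcp-wan { context serverside } DemoExplicitHTTP { } } vlans-enabled vlans replace-all-with { ${vlan} } source-address-translation { type automap }

# 5. Fast L4 profile with loose init/close so mid-stream flows from the tunnel are accepted.
create ltm profile fastl4 demo_fastl4 defaults-from fastL4 loose-initialization enabled loose-close enabled

# 6. Catch-all IP forwarder that listens only on the tunnel, so it cannot shadow
#    reverse-proxy virtual servers on the real VLANs.
create ltm virtual wildcard_VS destination 0.0.0.0:any mask any ip-forward ip-protocol any profiles replace-all-with { demo_fastl4 { } } vlans-enabled vlans replace-all-with { DemoTunnel } source-address-translation { type automap }

save sys config
EOF
}

# Example invocation with the article's demo values (assumptions: 10.1.20.254:8080,
# 8.8.8.8 as the forwarder, "internal" as the client-facing VLAN). Comment lines are
# stripped before the commands are fed to tmsh; without tmsh present, just print them.
if command -v tmsh >/dev/null 2>&1; then
    gen_explicit_proxy_tmsh 10.1.20.254 8080 8.8.8.8 internal | grep -v '^[[:space:]]*#' | tmsh
else
    gen_explicit_proxy_tmsh 10.1.20.254 8080 8.8.8.8 internal
fi
```

Run it once without tmsh on the path to read the generated commands, then on the BIG-IP (or via SSH) to apply them. The two `vlans-enabled` lines are the security-relevant part: the explicit proxy only answers on the client VLAN, and the 0.0.0.0/0 forwarder only answers on DemoTunnel.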

Testing and Validation

  • Navigate to a workstation on your internal network.
  • Launch Internet Explorer or the browser of your preference.
  • Modify the proxy settings to point at explicit_proxy_vs created in the previous steps (10.1.20.254 port 8080 in this example).

  • Attempt to access several sites and validate you are able to reach them.

  • Whether successful or unsuccessful, navigate to Local Traffic > Virtual Servers > Virtual Server List and click the Statistics tab.
  • Validate that traffic is hitting both of the virtual servers created above: explicit_proxy_vs should show the client connections, and wildcard_VS should show the proxied connections arriving over DemoTunnel.

  • If it is not, and only for troubleshooting, temporarily set the virtual servers to accept traffic on All VLANs and Tunnels, and use tools such as curl (with its -x proxy option) and tcpdump on the BIG-IP to see where the flow stops. Revert the VLAN setting when you are done: a 0.0.0.0/0 Forwarding (IP) virtual server enabled on all VLANs turns the BIG-IP into an open router for anything that can reach it.
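Browser testing tells you whether a site loads; it does not tell you which of the two virtual servers dropped the request when it does not. The script below is an added example, not part of the original article: run from an internal workstation, it sends requests through the proxy with curl and maps curl's result to the hop that most likely failed (client to explicit_proxy_vs, explicit_proxy_vs to the tunnel, or wildcard_VS to the internet). The proxy address and the test URLs are assumptions taken from the article's demo values and can be overridden through the environment.

```shell
#!/bin/sh
# Added example, not from the original article: exercises the explicit proxy from an
# internal workstation and turns curl's result into a pointer at which virtual server
# to inspect. PROXY and TEST_URLS are assumptions based on the article's demo values.
PROXY="${PROXY:-http://10.1.20.254:8080}"
TEST_URLS="${TEST_URLS:-http://example.com/ https://example.com/}"

# Map a curl exit code (plus the proxy's CONNECT response and the origin's HTTP status,
# as printed by -w) to where in the chain client -> explicit_proxy_vs -> DemoTunnel
# -> wildcard_VS -> internet the request stopped. Pure function, no network access.
diagnose_proxy_result() {
    rc="$1"; connect_code="$2"; http_code="$3"
    case "$rc" in
        0)  echo "ok: CONNECT ${connect_code} / HTTP ${http_code} (both virtual servers are in the path)" ;;
        5)  echo "cannot resolve proxy name: PROXY should be the explicit_proxy_vs address" ;;
        7)  echo "no TCP connection to proxy: explicit_proxy_vs is unreachable or not enabled on this VLAN" ;;
        28) echo "timeout after the proxy accepted: check wildcard_VS statistics, tunnel assignment and SNAT/egress routing" ;;
        56) echo "proxy rejected CONNECT with ${connect_code}: check the DNS resolver and connect handling on the explicit HTTP profile" ;;
        *)  echo "curl exit ${rc}: capture with tcpdump on the BIG-IP to see where the flow stops" ;;
    esac
}

# One request through the proxy. -w emits "<CONNECT code> <HTTP code>" (000 when the
# corresponding hop never answered); -o discards the body; -m bounds the wait.
check_via_proxy() {
    url="$1"
    out="$(curl -sS -o /dev/null -m 15 -x "$PROXY" -w '%{http_connect} %{http_code}' "$url" 2>/dev/null)"
    rc=$?
    connect_code="${out%% *}"; http_code="${out##* }"
    printf '%s -> %s\n' "$url" "$(diagnose_proxy_result "$rc" "$connect_code" "$http_code")"
}

# Only touch the network when explicitly asked, so the file can be sourced safely.
if [ "${RUN_PROXY_CHECKS:-0}" = "1" ]; then
    for u in $TEST_URLS; do
        check_via_proxy "$u"
    done
fi
```

Run it with `RUN_PROXY_CHECKS=1 sh check_proxy.sh` (the file name is your choice). The https URL matters: it exercises the CONNECT path, which depends on the DNS resolver and the HTTP profile's connect handling, whereas a plain http URL only exercises the forward-request path. On the BIG-IP side, `tmsh show ltm virtual explicit_proxy_vs` and `tmsh show ltm virtual wildcard_VS` give the same counters as the Statistics tab, and `tcpdump -nni 0.0 -s0 port 8080` shows whether the client's request reached the box at all.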

You have now successfully configured your F5 BIG-IP to act as an explicit forward web proxy using LTM only. As stated above, this use case is not meant to fulfill all forward proxy use cases. If URL filtering and malware protection are required, APM and SWG integration should be considered. Until next time!

Updated Dec 08, 2022
Version 2.0
  • I'm wondering how such a newly created wildcard VS with the settings listed below will affect our existing Virtual Servers that were created with the BIG-IP as a Reverse-Proxy with All VLANs and Tunnels for "VLAN and Tunnel Traffic"?

    • Type: Forwarding (IP)
    • Source Address: 0.0.0.0/0
    • Destination Address: 0.0.0.0/0
    • Protocol: *All Protocols
    • Service Port: 0 *All Ports
    • Protocol Profile: demo_fastl4
    • VLAN and Tunnel Traffic: Enabled on...DemoTunnel
    • Source Address Translation: Auto Map
  • Paulius, thanks for your nice tips! That tech article really explains what confused me 😀

    BTW, it'll be really appreciated if you could shed light on why we need a wildcard VS in addition to the explicit proxy VS. How do these two VSs work together to serve the forward proxying purpose?

  • MacOA

    So, I know this article is a bit old, but two questions:
    1) If I have a 0.0.0.0/0 all-port VS, it'll also match for any VS that has any other IP, but not that explicit port defined, correct? Since the source of the forwarded traffic will be the F5 tunnel, could I just allow that as the range? I'd rather not "capture" traffic otherwise destined for a specific VIP/VS that doesn't happen to have the requested port defined for the other VSs.
    2) In the case of lookups, we need, if it's not one of two specific domains, to just route to a specific pool as opposed to the wildcard IP forwarder. Today I do that successfully to the pool, but for all requests, including the two domains that, when we switch proxy providers/applications, will fail, so I'd like to handle those via the F5 forwarder.
    I appreciate anyone's thoughts. 
    Tagging original author Steve_Lyons 

    Thanks,

    Pat Gasior

  • The iRule is not working. I mapped the iRule with the IP details that should be blocked while accessing the internet with the explicit proxy VS, but I can still see the traffic is not hitting the iRule, both in stats and logs.

    # HTTP_REQUEST only fires on a virtual server that has an HTTP profile attached
    when HTTP_REQUEST {
        # strip any route-domain suffix (%n) from the client address before the CIDR compare
        if { [IP::addr [getfield [IP::client_addr] "%" 1] equals "100.76.0.0/16"] } {
            reject
        }
    }