Configuring F5 SSL Orchestrator as an Outbound Layer 3 Transparent Proxy
Based on the number of inquiries around F5's SSL Orchestrator, I wanted to take a few moments to provide a how-to guide on deploying SSLO with an explicit forward web proxy in the inspection zone. There are actually many ways in which we could deploy SSLO with forward web proxies, though the two most common use cases I have run into are using F5's SWG as a service on the same box if you currently subscribe to F5's SWG and using an existing forward proxy like Bluecoat SG inside the inspection zone.
If you are new to the industry and looking for a forward web proxy solution, it is important to understand that many of these appliances are not designed to handle large volumes of cryptographic traffic. Today, I can name several customers off the top of my head who are experiencing this problem which prompts their administrators to bypass the forward proxy solution altogether. F5 is unique in the industry as it is a full proxy designed to support a large number of SSL transactions. In fact, not only does F5 continue to improve hardware performance but they also continue to improve software performance as the SSLO product continues to mature. With that, let's begin discussing the use case at hand.
For this particular how-to guide, I will be using an F5 BIG-IP licensed with SSLO, URLDB, LTM and APM running on BIG-IP version 14.1. In our inspection zone, we will be pointing to an explicit WSA HTTP proxy. If you are looking for a guide on using SWG and how to restrict access to different URL categories based on Active Directory security group, see Configuring the F5 BIG-IP as an Explicit Forward Web Proxy Using Secure Web Gateway (SWG) on DevCentral. This guide was written to expose you to F5's SSLO 5.0 as well as a glimpse into the breadth and depth of its capabilities. Let's get to it!
Prerequisites
- LTM licensed and provisioned
- URLDB licensed and provisioned
- SSL Orchestrator licensed and provisioned
- AVR provisioned (not required for functionality though excellent for reporting purposes)
- CA signing certificate and key to perform certificate forging
- DNS configured
- NTP configured
- Route configured
Create a new SSLO Topology
- Navigate to SSL Orchestrator >> Configuration.
- Under Topologies click Add.
- When redirected, you will be prompted with different configuration examples to provide a visual. In this case, we will be acting as an L3 outbound transparent proxy and passing all decrypted traffic to an explicit forward web proxy.
- Click Next.
- Name: sslo_proxy
- Protocol: TCP
- IP Family: IPv4
- From the list of topologies, select L3 Outbound.
- Click Save & Next.
SSL Configurations
- SSL Profile: Create New
- Name: ssloT_proxy
- Client-side SSL Cipher: Default
Certificate Key Chain
- Click Add.
- Select the default.crt and default.key from their respective drop-down menus.
- Click Done.
CA Certificate Key Chain
- Click Add.
- Select your CA signing cert and key.
- Click Done.
- Server-side SSL Cipher Type: Cipher String
- Cipher: DEFAULT
- Click Save & Next.
Create an SSLO Service
- Click Add Service.
Before moving to the next step, take a moment to scroll through the list of different services. It is likely you already have one of these other products in your data center, and F5 is making it that much easier for you to integrate them. This list will continue to grow as the product grows.
- Double Click WSA HTTP Proxy.
- Name: ssloS_Proxy
- IP Family: IPv4 Only
Service Definition
- Auto Manage Address: Checked
- Proxy Type: Explicit
- VLAN: Create New
- Name: ssloN_proxy_in
- Interface: Select the appropriate interface for your environment
- Tag: Insert the appropriate VLAN tag for your environment
Security Devices
In this section, we are defining the IP address and port of the WSA HTTP Proxy.
- Click Add.
- IP Address: 198.19.96.66
- Port: 3128
- Click Done.
From Service Configuration
- From Service: Because we selected Auto Manage Address, this field will be grayed out.
- VLAN: Select the appropriate outbound VLAN from the drop-down menu, or select Create New.
- Name: ssloN_proxy_outbound
- Interface: Select the interface on which outbound traffic will be forwarded.
- Tag: Insert the appropriate VLAN tag for your environment.
- Authentication Offload: Unchecked
Note: In this use case we are not performing authentication; though if authentication is required, this would be offloaded to the BIG-IP.
- Click Save.
- Click Save & Next.
Create a Service Chain List
- Click Add.
Service Chain Properties
- Name: ssloSC_http_proxy
- Services: Select the service created in the previous steps and move it to the Selected Service Chain Order.
- Click Save.
- Click Save & Next.
Create a Security Policy
- Click Create New.
- From the Rules list Click Add.
Note: This is where we define which traffic should not be decrypted but should instead bypass the proxy service chain because of its content. Examples are financial or health-related websites. The URLDB is used here to determine the URL category of the SNI.
- From the Conditions drop-down menu select SSL Check.
- Select + to add a second condition.
- Select SNI Category from the drop-down menu.
- From the field to the right of SNI Category begin typing Financial Data and you will be presented with Financial Data and Services.
- Select Financial Data and Services.
- Begin typing Health and you will be presented with Health and Medicine.
- Select Health and Medicine.
- Click OK.
- Select the pencil to edit the All Traffic security policy.
- Select the Service Chain created in previous steps and click OK.
- Click Save & Next.
Interception Rule
- Select the client-vlan for your environment from the list of available VLANs and add it to the Selected list.
- Click Save & Next.
- Click Deploy.
Validating the Objects Created During the Guided Configuration Wizard
- Navigate to Local Traffic >> Virtual Servers.
- Navigate to Local Traffic >> Pools >> Pool List.
- Select the Pool created by the guided configuration process.
- Click the Members tab to identify the explicit forward proxy we will be sending traffic to.
Note: While many more objects are created during the deployment of SSL Orchestrator, reviewing each item is outside the scope of this document.
Validating BIG-IP is Performing Decryption
- Launch a browser of your choice.
- Modify the proxy settings to reflect the IP address and port defined in the configuration above.
- Navigate to a website that is neither medical nor financial.
- Select the certificate information to view the issuer.
- Navigate to a medical or financial related website.
- Select the certificate information to view the issuer.
- Launch the Traffic Management User Interface.
- Navigate to SSL Orchestrator >> Analytics >> General Statistics.
- Review the statistics provided on this page.
Here you can identify things such as URL Categories, Decryption Status, Service Paths taken and much more. Once this is complete, you have successfully deployed SSL Orchestrator supporting an explicit forward web proxy in your inspection zone. This will allow F5 to perform all of the heavy SSL decryption and re-encryption while using the security tools as they were designed to be used. Until next time!
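To complement the browser-based check above, and the security policy defined earlier (SSL Check plus SNI Category for Financial Data and Services and Health and Medicine), here is an added example script, not F5's code and not part of the original article, that models the bypass rule and compares the policy's intended action with what a client actually observes: a certificate issued by the forging CA means the flow was decrypted, while an origin-issued certificate means it was bypassed. It also shows why the two conditions in the bypass rule must both hold (AND): if they were evaluated as OR, the SSL Check condition alone would match every TLS flow. Everything in it is constructed for illustration: the forging CA name, the category names, the sample certificates and flows, and the `fetch_peercert_via_proxy` helper's proxy address and CA file path.

```python
"""Policy-vs-observation check for an SSLO L3 outbound topology.

Added example, not F5 code. It models the guide's bypass rule
(SSL Check AND SNI Category in {Financial Data and Services, Health and Medicine})
and checks what a client actually sees: a certificate issued by the forging CA
means the flow was decrypted, an origin-issued certificate means it was bypassed.

Assumptions (all constructed for this example):
  - FORGING_CA_CN is the subject CN of the CA loaded in "CA Certificate Key Chain"
  - certificates are handled in the dict shape returned by ssl.SSLSocket.getpeercert()
  - fetch_peercert_via_proxy() needs a reachable explicit proxy and the forging CA PEM
"""
import socket
import ssl

FORGING_CA_CN = "Example SSLO Forging CA"  # constructed; use your own CA's CN
BYPASS_CATEGORIES = {"Financial Data and Services", "Health and Medicine"}
# The guide's rule: both conditions must hold for a flow to be bypassed.
BYPASS_RULE = [("ssl_check", True), ("sni_category", BYPASS_CATEGORIES)]


def issuer_cn(peercert):
    """Issuer commonName from a getpeercert()-style dict, or None."""
    for rdn in peercert.get("issuer", ()):
        for attr_name, value in rdn:
            if attr_name == "commonName":
                return value
    return None


def observed_action(peercert, forging_ca_cn=FORGING_CA_CN):
    """'decrypt' if our forging CA issued the cert the client saw, else 'bypass'."""
    return "decrypt" if issuer_cn(peercert) == forging_ca_cn else "bypass"


def condition_holds(flow, cond):
    """Evaluate one policy condition against a flow description."""
    kind, value = cond
    if kind == "ssl_check":
        return flow["is_tls"] == value
    if kind == "sni_category":
        return flow.get("sni_category") in value
    raise ValueError(f"unknown condition {kind!r}")


def rule_matches(flow, conditions, combine="and"):
    """Evaluate a rule's conditions; combine is 'and' (all) or 'or' (any)."""
    results = [condition_holds(flow, c) for c in conditions]
    return all(results) if combine == "and" else any(results)


def bypass_count(flows, combine="and"):
    """How many flows the bypass rule catches under AND vs OR semantics."""
    return sum(rule_matches(f, BYPASS_RULE, combine) for f in flows)


def expected_action(flow):
    """What the guide's policy should do with a flow."""
    if not flow["is_tls"]:
        return "passthrough"  # nothing to decrypt
    return "bypass" if rule_matches(flow, BYPASS_RULE) else "decrypt"


def validate(flow, peercert):
    """Compare the policy's intended action with what the client observed."""
    expected, observed = expected_action(flow), observed_action(peercert)
    return {"expected": expected, "observed": observed, "ok": expected == observed}


def fetch_peercert_via_proxy(proxy_host, proxy_port, site, forging_ca_pem, port=443, timeout=5):
    """Live helper: CONNECT through an explicit proxy, then TLS to `site`, and
    return the certificate dict the client sees. The forging CA is added to the
    default trust store so forged certs verify; origin certs verify as usual."""
    raw = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    raw.sendall(f"CONNECT {site}:{port} HTTP/1.1\r\nHost: {site}:{port}\r\n\r\n".encode())
    reply = b""
    while b"\r\n\r\n" not in reply:
        chunk = raw.recv(4096)
        if not chunk:
            raise ConnectionError("proxy closed the connection during CONNECT")
        reply += chunk
    status_line = reply.split(b"\r\n", 1)[0]
    if b" 200 " not in status_line:
        raise ConnectionError(f"CONNECT refused: {status_line!r}")
    ctx = ssl.create_default_context()
    ctx.load_verify_locations(cafile=forging_ca_pem)
    with ctx.wrap_socket(raw, server_hostname=site) as tls:
        return tls.getpeercert()


if __name__ == "__main__":
    # Constructed sample flows and certificates; no network needed.
    forged = {"issuer": ((("commonName", FORGING_CA_CN),),)}
    origin = {"issuer": ((("organizationName", "Example Bank"),),
                         (("commonName", "Example Bank Issuing CA"),))}
    bank = {"is_tls": True, "sni_category": "Financial Data and Services"}
    news = {"is_tls": True, "sni_category": "News and Media"}
    print(validate(news, forged))   # expected decrypt, observed decrypt -> ok
    print(validate(bank, forged))   # bank site was decrypted: policy not working
    print(validate(bank, origin))   # bank site saw the origin cert -> ok
    print("bypassed under AND:", bypass_count([bank, news], "and"))  # 1
    print("bypassed under OR: ", bypass_count([bank, news], "or"))   # 2: every TLS flow
```

Run it as-is to see the offline comparison; to test a live deployment, call `fetch_peercert_via_proxy("<proxy-ip>", <port>, "example.com", "/path/to/forging-ca.pem")` for one site in a bypass category and one outside it, and pass each result to `validate` together with the matching flow description. A `bank`-style flow whose certificate was issued by the forging CA is the signal that the bypass rule did not match.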
- dragonflymr (Cirrostratus)
Hi,
Great article. What I can't figure out is how to configure routing on external proxy.
My assumption is that:
- Traffic from SSLO will go to External Proxy (EP) via VLAN ssloN_proxy_in (198.19.96.7/25)
- EP IP is 198.19.96.66, port 3128
- Traffic should return to SSLO via VLAN ssloN_proxy_outbound (198.19.96.245/25)
Based on that, what default route should be set on EP? Should it point to 198.19.96.245?
If so I have to be missing something as all the time traffic is just reset by ssloS_explicit-D-0-t-4 that as far as I understand should process it and send to the Internet - or I am completely missing the point here?
Piotr
- Steve_Lyons (Ret. Employee)
Hey Piotr, great questions. Let me re-deploy and provide more specific details with screenshots around routing.
- dragonflymr (Cirrostratus)
Hi Steve,
Would be great. Maybe I messed my config around, but maybe as well I just don't understand how the external proxy should be configured with regard to routing. The results I've got are that traffic is reaching my external proxy (in this case another BIG-IP with an explicit proxy configured) from the SSLO box but is never delivered to the target site :-(
Piotr
- ecce (Cirrostratus)
When configuring the security policy and bypassing Financial and Health traffic, there should probably be a logical AND between the two statements: SSL check AND category lookup. Would it not otherwise bypass all SSL traffic?