Configuring the F5 BIG-IP as an Explicit Forward Web Proxy Using Secure Web Gateway (SWG)

In previous articles, we have discussed the use of F5 BIG-IP as a SSL VPN and other use cases for external or inbound access. I now wanted to take some time to discuss an outbound access use case usi...
Published Mar 14, 2018
Version 1.0
application delivery
BIG-IP Access Policy Manager (APM)
Secure Web Gateway
security
antec42's avatar
antec42
Icon for Altostratus rankAltostratus
Mar 20, 2018

Good article and I'm at the moment implementing this at a customer. I do have some issues which I do not know how to solve. Maybe you have some insight?

 

First one being that the Kerberos Auth is not in any way tied to the actual user that executes the process on the client. I.e. if the user launches a new Internet Explorer window with "Run as different user..." this new browser window will ride on the first "Auth" made by the first User's browser window, accidently inherenting this user's assigned URL filter. Another side effect of this is that before the user logs in to the computer, Microsoft Windows by itself, starts accessing pages on the Internet e.g. msftconnecttest and other webpages. This results in that the user authenticated to APM might be a Machine Account.

 

Second problem we have has to do with the "Confirm Box" that you can use to force the User to temporary accept a policy violation. The choice the user takes seems to hit the whole URL filter and not the actual Category of this particular website. Also there is no way to set the timeout anywhere for the choice made? I suspect there must be a cookie or something that needs to be cleared but I can not find any documentation of it anywhere...

 

I'd be grateful if you can point me in the right direction if you happen to know anything about these issues...

 

Kind regards, Marcus