Integrating SSL Orchestrator with Symantec ProxySG: Explicit Proxy
Introduction
The Secure Sockets Layer (SSL) protocol and its successor, Transport Layer Security (TLS), are being widely adopted by organizations to secure IP communications. While SSL/TLS provides data privacy and secure communications, it also creates challenges to inspection devices in the security stack. What if attackers are hiding malware inside the encrypted traffic?
An integrated F5 and Symantec/Broadcom ProxySG solution solves the SSL/TLS challenges. F5 BIG-IP SSL Orchestrator centralizes SSL/TLS inspection. The decrypted traffic is then inspected by one or more Symantec ProxySGs, which can block previously hidden threats. This solution eliminates the blind spots introduced by SSL/TLS.
Prerequisites
This article assumes you have SSL Orchestrator configured with a Topology and Service Chain
F5 BIG-IP version 17.1
F5 SSL Orchestrator version 11.0
Symantec/Broadcom ProxySG version 7.3.1.1
Symantec/Broadcom ProxySG will be configured as an Explicit Proxy
Additional Help
If you are setting up SSL Orchestrator for the first time, refer to the Deployment Guide available HERE
For information on SSL Certificate considerations and trust, click HERE
F5 BIG-IP SSL Orchestrator Network Configuration
Create VLANS from Network > VLANs
In this example:
The 10.0.0.0 vlan is used for egress/ingress connectivity between BIG-IP and ProxySG
The north_vlan is used for connectivity to the North of BIG-IP
The south_vlan is used for connectivity to the South of BIG-IP
Create Self IPs from Network > Self IPs
In this example:
IP address 10.0.0.1 is on the 10.0.0.0 vlan and is used for egress/ingress connectivity between BIG-IP and ProxySG
IP address 192.168.0.1 is on the north_vlan and is used for connectivity to the North of BIG-IP
IP address 172.16.0.1 is on the south_vlan and is used for connectivity to the South of BIG-IP
NOTE:
On the north_vlan there is a test client at IP address 192.168.0.5
On the south_vlan there is a test server at IP address 172.16.0.5
In this example SSL Orchestrator is deployed with an L3 Inbound Topology. That’s what the two north/south Self IPs are for. Your configuration will look different if using an L2 Topology.
Symantec/Broadcom ProxySG Configuration
Go to the Configuration tab of the ProxySG management console
Expand Network and Select Adapters
In this example we are configuring Interface 3:0 of the Bridge Group “passthru-3”
IP address 10.0.0.5 is assigned to this interface
Click Edit to set the IP Address
Specify the IP Address to be used for this interface, 10.0.0.5 in this example
Click OK when done then click Apply on the next screen
Select Routing and add the correct Gateway, 10.0.0.1 (the BIG-IP Self IP) in this example
Click Apply when done
Expand Services and select Proxy Services
Set the Explicit HTTP Service to Intercept and click Apply
Create a Policy to Allow the client request
As an example, expand Policy then select Policy Options
Set the Default Proxy Policy to Allow
Click Apply
NOTE:
Use the Visual Policy Manager to create a more specific, granular Allow policy
Troubleshooting
You may need to disable “Reflect Client IP”
Do this from Proxy Settings > General
BIG-IP SSL Orchestrator Configuration
This article assumes you have SSL Orchestrator configured with a Topology and Service Chain.
Navigate to SSL Orchestrator > Configuration.
Create the Symantec ProxySG Service
Under Services, click Add.
In the Service Catalog, select the Inline HTTP tab, then double-click Symantec ProxySG HTTP Proxy
Give it a name, SYMC in this example
Uncheck the option to Auto Manage Addresses
Set the Proxy Type to Explicit
Under To Service Configuration select Use Existing then choose 10.0.0.1/24
Click Add to configure the HTTP Proxy Device
Enter the IP Address, 10.0.0.5 in this example
Enter the Port, 8080 in this example
Click Done
Under From Service Configuration select Use Existing then choose 10.0.0.1/24
Set Manage SNAT Settings to Auto Map
Click Save & Next at the bottom.
Click the name of the Service Chain.
Select the SYMC Service from the left and click the arrow to move it to the right. Click Save.
Click OK
Click Save & Next at the bottom.
Click Deploy
Click OK to the Success message.
When done it should look like the following:
From the Services screen if you expand the Pool Member Status you should see the Symantec ProxySG
Testing the Configuration
In this example there is a Linux client that connects through the SSL Orchestrator to a Linux server running DVWA:
Test this connection now and it should look like the following:
An Access Log (Statistics > Access Logging) running on the ProxySG should show the connection in plain-text HTTP:
Active Sessions (Statistics > Active Sessions) running on the ProxySG should show the connection in plain-text HTTP:
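To check the Access Log result above without reading the screen by hand, here is an added Python example (not part of the original article or of the ProxySG product): it parses a constructed ProxySG-style W3C ELFF access log and confirms that requests arriving from the BIG-IP self IP (the source ProxySG sees with SNAT Auto Map) show up as plaintext HTTP rather than as opaque CONNECT tunnels. The field list and the s-action values in the sample are assumptions for illustration.

```python
import shlex
from collections import Counter

# Constructed sample (not captured from a real ProxySG). Field names follow
# the W3C ELFF convention SGOS access logs use; the exact field list and the
# s-action values are assumptions for illustration. 10.0.0.1 is the BIG-IP
# self IP (the source ProxySG sees with SNAT Auto Map) and 172.16.0.5 the
# DVWA server from the article's example network.
SAMPLE_LOG = """\
#Software: SGOS
#Fields: date time c-ip cs-method cs-uri-scheme cs-host cs-uri-port cs-uri-path sc-status s-action cs(User-Agent)
2024-01-01 12:00:00 10.0.0.1 GET http 172.16.0.5 80 /dvwa/login.php 200 TCP_NC_MISS "curl/8.0"
2024-01-01 12:00:01 10.0.0.1 CONNECT tcp 172.16.0.5 443 - 200 TCP_TUNNELED "curl/8.0"
2024-01-01 12:00:02 192.168.0.9 GET http 172.16.0.5 80 /index.php 200 TCP_NC_MISS "curl/8.0"
"""


def parse_elff(text):
    """Parse ELFF text into a list of dicts keyed by the #Fields header."""
    fields, entries = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError("data line before #Fields header")
        values = shlex.split(line)  # honours quoted values such as User-Agent
        if len(values) != len(fields):
            raise ValueError(f"field count mismatch: {line!r}")
        entries.append(dict(zip(fields, values)))
    return entries


def classify(entry):
    """'plaintext' when the decrypted request arrived as ordinary HTTP."""
    method = entry.get("cs-method", "").upper()
    scheme = entry.get("cs-uri-scheme", "").lower()
    if method == "CONNECT" or scheme in ("https", "ssl", "tcp"):
        return "tunneled"  # ProxySG only saw an opaque tunnel: no inspection
    if scheme == "http":
        return "plaintext"
    return "other"


def summarize(entries, client_ip):
    """Count outcomes for traffic the BIG-IP handed to the proxy."""
    return Counter(classify(e) for e in entries if e.get("c-ip") == client_ip)
```

A non-zero "tunneled" count for the BIG-IP self IP means some sessions reached ProxySG still encrypted and were not inspected, which points back at the SSL Orchestrator topology or the Explicit HTTP Service settings.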
Conclusion
This completes configuration of BIG-IP SSL Orchestrator with Symantec ProxySG Explicit Proxy. At this point traffic that flows through SSL Orchestrator will be decrypted and sent to the Symantec ProxySG Service and inspected for malicious payloads or policy violations.
Related Articles
Integrating SSL Orchestrator with Symantec ProxySG: Transparent Proxy