Integrating SSL Orchestrator with Symantec ProxySG: Explicit Proxy

Introduction

The Secure Sockets Layer (SSL) protocol and its successor, Transport Layer Security (TLS), are being widely adopted by organizations to secure IP communications. While SSL/TLS provides data privacy and secure communications, it also creates challenges to inspection devices in the security stack. What if attackers are hiding malware inside the encrypted traffic?

An integrated F5 and Symantec/Broadcom ProxySG solution solves the SSL/TLS challenges. F5 BIG-IP SSL Orchestrator centralizes SSL/TLS inspection. The decrypted traffic is then inspected by one or more Symantec ProxySGs, which can block previously hidden threats. This solution eliminates the blind spots introduced by SSL/TLS.

Prerequisites

This article assumes you have SSL Orchestrator configured with a Topology and Service Chain

F5 BIG-IP version 17.1

F5 SSL Orchestrator version 11.0

Symantec/Broadcom ProxySG version 7.3.1.1

Symantec/Broadcom ProxySG will be configured as an Explicit Proxy

Additional Help

If setting up SSL Orchestrator for the first time refer to the Deployment Guide available HERE

For information on SSL Certificate considerations and trust, click HERE

Demo Video

 

 

F5 BIG-IP SSL Orchestrator Network Configuration

Create VLANS from Network > VLANs

In this example:

The 10.0.0.0 vlan is used for egress/ingress connectivity between BIG-IP and ProxySG

The north_vlan is used for connectivity to the North of BIG-IP

The south_vlan is used for connectivity to the South of BIG-IP

Create Self IPs from Network > Self IPs

In this example:

IP address 10.0.0.1 is on the 10.0.0.0 vlan and is used for egress/ingress connectivity between BIG-IP and ProxySG

IP address 192.168.0.1 is on the north_vlan and is used for connectivity to the North of BIG-IP

IP address 172.16.0.1 is on the south_vlan and is used for connectivity to the South of BIG-IP

NOTE:

On the north_vlan there is a test client at IP address 192.168.0.5

On the south_vlan there is a test server at IP address 172.16.0.5

In this example SSL Orchestrator is deployed with an L3 Inbound Topology. That’s what the two north/south Self IPs are for. Your configuration will look different if using an L2 Topology.

Symantec/Broadcom ProxySG Configuration

Go to the Configuration tab of the ProxySG management console

Expand Network and Select Adapters

In this example we are configuring Interface 3:0 of the Bridge Group “passthru-3”

IP address 10.0.0.5 is assigned to this interface

Click Edit to set the IP Address

Specify the IP Address to be used for this interface, 10.0.0.5 in this example

Click OK when done then click Apply on the next screen

Select Routing and add the correct Gateway, 10.0.0.1 (the BIG-IP Self IP) in this example

Click Apply when done

Expand Services and select Proxy Services

Set the Explicit HTTP Service to Intercept and click Apply

Create a Policy to Allow the client request

As an example, expand Policy then select Policy Options

Set the Default Proxy Policy to Allow

Click Apply

NOTE:

Use the Visual Policy Manager to create a more specific, granular Allow policy

Troubleshooting

You may need to disable “Reflect Client IP”

Do this from Proxy Settings > General

BIG-IP SSL Orchestrator Configuration

This article assumes you have SSL Orchestrator configured with a Topology and Service Chain.

Navigate to SSL Orchestrator > Configuration.

Create the Symantec ProxySG Service

Under Services, click Add.

In the Service Catalog select the Inline HTTP tab then double click on Symantec ProxySG HTTP Proxy

Give it a name, SYMC in this example

Uncheck the option to Auto Manage Addresses

Set the Proxy Type to Explicit

Under To Service Configuration select Use Existing then choose 10.0.0.1/24

Click Add to configure the HTTP Proxy Device

Enter the IP Address, 10.0.0.5 in this example

Enter the Port, 8080 in this example

Click Done

Under From Service Configuration select Use Existing then choose 10.0.0.1/24

Set Manage SNAT Settings to Auto Map

Click Save & Next at the bottom.

Click the name of the Service Chain.

Select the SYMC Service from the left and click the arrow to move it to the right.  Click Save.

Click OK

Click Save & Next at the bottom.

Click Deploy

Click OK to the Success message.

When done it should look like the following:

From the Services screen if you expand the Pool Member Status you should see the Symantec ProxySG

Testing the Configuration

In this example there is a Linux client that connects through the SSL Orchestrator to a Linux server running DVWA:

https://172.16.0.5/

Test this connection now and it should look like the following:

An Access Log (Statistics > Access Logging) running on the ProxySG should show the connection in plain-text HTTP:

Active Sessions (Statistics > Active Sessions) running on the ProxySG should show the connection in plain-text HTTP:

Conclusion

This completes configuration of BIG-IP SSL Orchestrator with Symantec ProxySG Explicit Proxy. At this point traffic that flows through SSL Orchestrator will be decrypted and sent to the Symantec ProxySG Service and inspected for malicious payloads or policy violations.

Related Articles

Integrating SSL Orchestrator with Symantec ProxySG: Transparent Proxy