SSL Orchestrator Advanced Use Cases: Forward Proxy Authentication
Correct. Reverse proxy is easy. Forward proxy is not.
There are a number of obstacles here, and again mostly to do with how proxy auth works. Let's also assume we're talking about explicit proxy. Transparent forward proxy is necessarily a captive portal mechanism, so that redirects out to a captive portal auth point anyway. But for explicit forward proxy you'll run into an order-of-events problem. If SSLO presents as an explicit proxy, the client says CONNECT www.example.com:443 and gets a 200 tunnel established (from SSLO, no auth challenge). Then decrypted traffic enters the service chain and the APM sends a 407 for auth. This would be a proxy auth challenge inside a proxy TCP tunnel, which the browser would likely not understand. Again, there are a few challenges here; that's just one of them.
But... you can attach forward proxy authentication directly to the SSLO topology, so layering isn't required. And if you're just looking for some way to trigger auth based on some condition, you can already do that directly at the SSLO proxy VIP.
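
The order-of-events problem described above, as an added example that is not part of the original post: a small Python check over two constructed transcripts that labels each 407 by whether it arrives before or after the CONNECT tunnel is established. The transcripts, the direction markers and the function name are assumptions made for illustration; only the hostname comes from the post.

```python
# Constructed transcripts of an explicit-proxy session as (direction, first line).
# "C>" = client to proxy, "P>" = response seen by the client.
AUTH_IN_SERVICE_CHAIN = [
    ("C>", "CONNECT www.example.com:443 HTTP/1.1"),
    ("P>", "HTTP/1.1 200 Connection Established"),   # tunnel up, no auth challenge
    ("C>", "GET / HTTP/1.1"),                        # decrypted request in the tunnel
    ("P>", "HTTP/1.1 407 Proxy Authentication Required"),
]
AUTH_AT_PROXY = [
    ("C>", "CONNECT www.example.com:443 HTTP/1.1"),
    ("P>", "HTTP/1.1 407 Proxy Authentication Required"),
    ("C>", "CONNECT www.example.com:443 HTTP/1.1"),  # retried with credentials
    ("P>", "HTTP/1.1 200 Connection Established"),
    ("C>", "GET / HTTP/1.1"),
    ("P>", "HTTP/1.1 200 OK"),
]


def classify_407s(transcript):
    """Label every 407 as 'proxy-hop' (before the tunnel) or 'in-tunnel'."""
    tunnel_up = False
    last_method = None
    findings = []
    for index, (direction, line) in enumerate(transcript):
        if direction == "C>":
            last_method = line.split()[0]
            continue
        status = int(line.split()[1])
        if status == 407:
            # A 407 is a challenge from the proxy hop. Once the tunnel exists,
            # the client treats responses as coming from the origin server.
            findings.append((index, "in-tunnel" if tunnel_up else "proxy-hop"))
        elif last_method == "CONNECT" and 200 <= status < 300:
            tunnel_up = True
    return findings


if __name__ == "__main__":
    for name, transcript in (("auth in service chain", AUTH_IN_SERVICE_CHAIN),
                             ("auth at proxy", AUTH_AT_PROXY)):
        print(name, classify_407s(transcript))
```
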