SSL Orchestrator Advanced Use Cases: Forward Proxy Authentication
Introduction
F5 BIG-IP is synonymous with "flexibility". You likely have few other devices in your architecture that provide the breadth of capabilities that come native with the BIG-IP platform. And for each and every BIG-IP product module, the opportunities to expand functionality are almost limitless. In this article series we examine the flexibility options of the F5 SSL Orchestrator in a set of "advanced" use cases.
If you haven't noticed, the world has been steadily moving toward encrypted communications. Everything from web, email, voice, video, chat, and IoT is now wrapped in TLS, and that's a good thing. The problem is, malware - that thing that creates havoc in your organization, that exfiltrates personnel records to the Dark Web - isn't stopped by encryption. TLS 1.3 and multi-factor authentication don't eradicate malware. The only reasonable way to defend against it is to catch it in the act, and an entire industry of security products are designed for just this task. But ironically, encryption makes this hard. You can't protect against what you can't see. F5 SSL Orchestrator simplifies traffic decryption and malware inspection, and dynamically orchestrates traffic to your security stack. But it does much more than that. SSL Orchestrator is built on top of F5's BIG-IP platform, and as stated earlier, is abound with flexibility.
SSL Orchestrator Use Case: Forward Proxy Authentication
Arguably, authentication is an easy one for BIG-IP, but I'm going to ease into this series slowly. There's no better place to start than with an examination of some of the many ways you can configure an F5 BIG-IP to authenticate user traffic.
Forward Proxy Overview
Forward proxy authentication isn't exclusive to SSL Orchestrator, but a vital component if you need to authenticate inspected outbound client traffic to the Internet. In this article, we are simply going to explore the act of authenticating in a forward proxy, in general. - how it works, and how it's applied. For detailed instructions on setting up Kerberos and NTLM forward proxy authentication, please see the SSL Orchestrator deployment guide. Let's start with a general characterization of "forward proxy" to level set. The semantics of forward and reverse proxy can change depending on your environment, but generally when we talk about a forward proxy, we're talking about something that controls outbound (usually Internet-bound) traffic. This is typically internal organizational traffic to the Internet. It is an important distinction, because it also implicates the way we handle encryption. In a forward proxy, clients are accessing remote Internet resources (ex. https://www.f5.com). For TLS to work, the client expects to receive a valid certificate from that remote resource, though the inspection device in the middle does not own that certificate and private key. So for decryption to work in an "SSL forward proxy", the middle device must re-issue ("forge") the remote server's certificate to the client using a locally-trusted CA certificate (and key). This is essentially how every SSL visibility product works for outbound traffic, and a native function of the SSL Orchestrator. Now, for any of this to work, traffic must of course be directed through the forward proxy, and there are generally two ways that this is accomplished:
- Explicit proxy - where the browser is configured to access the Internet through a proxy server. This can also be accomplished through auto-configuration scripts (PAC and WPAD).
- Transparent proxy - where the client is blissfully unaware of the proxy and simply routes to the Internet through a local gateway.
It should be noted here that SSL visibility products that deploy at layer 2 are effectively limited to one traffic flow option, and lack the level of control that a true proxy solution provides, including authentication.
Also note, BIG-IP forward proxy authentication requires the Access Policy Manager (APM) module licensed and provisioned.
Explicit Forward Proxy Authentication
The option you choose for outbound traffic flow will have an impact on how you authenticate that traffic, as each works a bit differently. Again, we're not getting into the details of Kerberos or NTLM here. The goal is to derive an essential understanding of the forward proxy authentication mechanisms, how they work, how traffic flows through them, and ultimately how to build them and apply them to your SSL Orchestrator configurations. And as each is different, let us start with explicit proxy.
Explicit forward proxy authentication for HTTP traffic is governed by a "407" authentication model. In this model, the user agent (i.e. a browser) authenticates to the proxy server before passing any user request traffic to the remote server. This is an important distinction from other user-based authentication mechanisms, as the browser is generally limited in the types of authentication it can perform here (on the user's behalf). In fact most modern browsers, with some exceptions, are limited to the set of "Windows Integrated" methods (NTLM, Kerberos, and Basic). Explicit forward proxy authentication will look something like this:
Figure: 407-based HTTPS and HTTP authentication
The upside here is that the Windows Integrated methods are usually "transparent". That is, silently handled by the browser and invisible to the user. If you're logged into a domain-joined workstation with a domain user account, the browser will use this access to generate an NTLM token or fetch a Kerberos ticket on your behalf. If you build an SSL Orchestrator explicit forward proxy topology, you may notice it builds two virtual servers. One of these is the explicit proxy itself, listening on the defined explicit proxy IP and port. And the other is a TCP tunnel VIP. All client traffic arrives at the explicit proxy VIP, then wraps around through the TCP tunnel VIP. The SSL Orchestrator security policy, SSL configurations, and service chains are all connected to the TCP tunnel VIP.
Figure: SSL Orchestrator explicit proxy VIP configuration
As explicit proxy authentication is happening at the proxy connection layer, to do authentication you simply need to attach your authentication policy to the explicit proxy VIP. This is actually selected directly inside the topology configuration, Interception Rules page.
Figure: SSL Orchestrator explicit proxy authentication policy selection
But before you can do this, you must first create the authentication policy. Head on over to Access -> Profiles / Policies -> Access Profiles (Per-session policies), and click the Create button.
Settings:
- Name: provide a unique name
- Profile Type: SWG-Explicit
- Profile Scope: leave it at 'Profile'
- Customization Type: leave it at 'Modern'
Don't let the name confuse you. Secure Web Gateway (SWG) is not required to perform explicit forward proxy authentication. Click Finished to complete. You'll be taken back to the profile list. To the right of the new profile, click the Edit link to open a new tab to the Visual Policy Editor (VPE). Now, before we dive into the VPE, let's take a moment to talk about how authentication is going to work here. As previously stated, we are not going to dig into things like Kerberos or NTLM, but we still need something to authenticate to. Once you have something simple working, you can quickly shim in the actual authentication protocol. So let's do basic LocalDB authentication to prove out the configuration. Hop down to Access -> Authentication -> Local User DB -> Instances, and click Create New Instance. Create a simple LocalDB instance:
Settings:
- Name: provide a unique name
Leave the remaining settings as is and click OK. Now go to Access -> Authentication -> Local User DB -> Users, and click Create New User.
Settings:
- User Name: provide a unique user name
- Password: provide a password
- Instances: selected the LocalDB instance
Leave everything else as is and click OK. Now go back to the VPE. You're ready to define your authentication policy. With some exceptions, most explicit forward proxy authentication policies will minimally include a 407 Proxy-Authenticate agent and an authentication agent. The 407 Proxy-Authenticate agent will issue the 407 Proxy-Authenticate response to the client, and pass the user's submitted authentication data (Basic Authorization header, NTLM token, Kerberos ticket) to the auth agent behind it. The auth agent is then responsible for validating that submission and allowing (or denying) access. Since we're using a simple LocalDB to test this, we'll configure this for Basic authentication.
Figure: 407-based SWG-Explicit authentication policy
407 HTTP Response Agent Settings:
- Properties
- Basic Auth: enter unique text here
- HTTP Auth Level: select Basic
- Branch Rules
- Delete the existing Negotiate Branch
Authentication Agent Settings:
- Type: LocalDB Auth
- LocalDB Instance: your Local DB instance
Note again that this is a simple explicit forward proxy test using a local database for HTTP Basic authentication. Once you have this working, it is super easy to replace the LocalDB method with the authentication protocol you need. Now head back to your SSL Orchestrator explicit proxy configuration. Navigate to the Interception Rules page. On that page you will see a setting for Access Profile. Select your SWG-Explicit access policy here. And that's it. Deploy the configuration and you're done.
Configure your browser to point to the SSL Orchestrator explicit proxy IP and port, if you haven't already, and attempt to access an external URL (ex. https://www.f5.com). Since this is configured for HTTP Basic authentication, you should see a popup dialog in the browser requesting username and password. Enter the values you created in the LocalDB user properties. In following articles, I will show you how to configure Kerberos and NTLM for forward proxy authentication. If you want to see what this communication actually looks like on the wire, you can either enable your browser's developer tools, network tab. Or for a cleaner view, head over to a command line on your client and use the cURL command (you'll need cURL installed on your workstation):
curl -vk --proxy [PROXY IP:PORT] https://www.example.com --proxy-basic --proxy-user '[username:password]'
Figure: cURL explicit proxy output
What you see in the output should look pretty close to the explicit proxy diagram from earlier. And if your SSL Orchestrator security policy is defined to intercept TLS, you will see your local CA as the example.com CA issuer.
Transparent Forward Proxy Authentication
I intentionally started with explicit proxy authentication because it's usually the easiest to get your head around. Transparent forward proxy authentication is a bit different, but you very likely see it all the time. If you've ever connected to hotel, airport/airplane, or coffee shop WiFi, and you were presenting with a webpage or popup screen that asked for username, room number, or asked you to agree to some terms of use, you were using transparent authentication. In this case though, it is commonly referred to as a "Captive Portal".
Note that captive portal authentication was introduced to SSL Orchestrator in version 6.0.
Captive portal authentication basically works like this:
- On first time connecting, you navigate to a remote URL (ex. www.f5.com), which passes through a security device (a proxy server, or in the case of hotel/coffee shop WiFi, an access point).
- The device has never seen you before, so issues an HTTP redirect to a separate URL. This URL will present an authentication point, usually a web page with some form of identity verification, user agreement, etc. You do what you need to do there, and the authentication page redirects you back to the original URL (ex. www.f5.com) and either stores some information about you, or sends something back with you in the redirect (a token).
- On passing back through the proxy (or access point), you are recognized as an authenticated user and allowed to pass. The token is stored for the life of your sessions so that you are not sent back to the captive portal.
Figure: Captive-portal Authentication Process
The real beauty here is that you are not at limited in the mechanisms you use to authenticate, like you are in an explicit proxy. The captive portal URL is essentially a webpage, so you could use NTLM, Kerberos, Basic, certificates, federation, OAuth, logon page, basically anything. Configuring this in APM is also super easy. Head on over to Access -> Profiles / Policies -> Access Profiles (Per-session policies), and click the Create button.
Settings:
- Name: provide a unique name
- Profile Type: SWG-Transparent
- Profile Scope: leave it at 'Named'
- Named Scope: enter a unique value here (ex. SSO)
- Customization Type: set this to 'Standard'
Again, don't let the name confuse you. Secure Web Gateway (SWG) is not required to perform transparent forward proxy authentication. Click Finished to complete. You'll be taken back to the profile list. To the right of the new profile, click the Edit link to open a new tab to the Visual Policy Editor (VPE). We are going to continue to use the LocalDB authentication method here to keep the configuration simple. But in this case, you could extend that to do Basic authentication or a logon page. If you do Basic, Kerberos, or NTLM, you'll be using a "401 authentication model". This is very similar to the 407 model, except that 401 interacts directly with the user. And again, this is just an example. Captive portal authentication isn't dependent on browser proxy authentication capabilities, and can support pretty much any user authentication method you can throw at it.
Figure: 401-based SWG-Transparent authentication policy
401 Authentication Agent Settings:
- Properties
- Basic Auth: enter unique text here
- HTTP Auth Level: select Basic
- Branch Rules
- Delete the existing Negotiate Branch
Authentication Agent Settings:
- Type: LocalDB Auth
- LocalDB Instance: your Local DB instance
Now, there are a few additional things to do here. Transparent proxy (captive portal) authentication actually requires two access profiles. The authentication profile you just created gets applied to the captive port (authentication URL). You need a separate access profile on the proxy listener to redirect the user to the captive if no token exists for that user. As it turns out, an SSL Orchestrator security policy is indeed a type of access profile, so it simply gets modified to point to the captive portal URL. The 'named' profile scope you selected in the above authentication profile defines how the two profiles share user identity information, thus both with have a named profile scope, and must use the same named scope value (ex. SSO). You will now create the second access profile:
Settings:
- Name: provide a unique name
- Profile Type: SSL Orchestrator
- Profile Scope: leave it at 'Named'
- Named Scope: enter a unique value here (ex. SSO)
- Customization Type: set this to 'Standard'
- Captive Portals: select 'Enabled'
- Primary Authentication URI: enter the URL of the captive portal (ex. https://login.f5labs.com)
You now need to create a virtual server to hold your captive portal. This is the URL that users are redirected to for authentication (ex. https://login.f5labs.com). The steps are as follows:
- Create a certificate and private key to enable TLS
- Create a client SSL profile that contains the certificate and private key
- Create a virtual server
- Destination Address/Mask: enter the IP address that the captive portal URL resolves to
- Service Port: enter 443
- HTTP Profle (Client): select 'http'
- SSL Profile (Client): select your client SSL profile
- VLANs and Tunnels: enable for your client-facing VLAN
- Access Profile: select your captive portal access profile
Head back into your SSL Orchestrator outbound transparent proxy topology configuration, and go to the Interception Rules page. Under the 'Access Profile' setting, select your new SSL Orchestrator access profile and re-deploy.
That's it. Now open a browser and attempt to access a remote resource. Since this is using Basic authentication with LocalDB, you should get prompted for username and password. If you look closely, you will see that you've been redirected to your captive portal URL. 401 Basic authentication is not connection based, so APM stores the user session information by client IP. If you do not get prompted for authentication, it's likely you have an active session already. Navigate to Access -> Overview -> Active Sessions. If you see your LocalDB user account name listed there, delete it and try again (close and re-open the browser).
And there you have it. In just a few steps you've configured your SSL Orchestrator outbound topology to perform user authentication, and along the way you have hopefully recognized the immense flexibility at your command.
Thanks.
- Kevin_StewartEmployee
For transparent proxy captive portal auth, the transparent portal VIP should have a policy of type SWG-Transparent and the captive portal enabled in that policy. You do not have to add a service profile to that VIP. Otherwise I don't believe this service profile type is used anywhere in SSLO.
Thanks for sharing this Kevin_Stewart . Can I ask if the transperant portal VS should have a service of type "Captive Portal" attached to it? If not where is this service type used?
- dragonflymrCirrostratus
Hi,
Well, this is for decrypting traffic started by many services in one location to many services in another location. As well it should protect traffic in opposite way. For me it looks like Outbound type topology is the best joice but sure I can be wrong so if you think it would be better to use Inbound topology I will investigate this scenario as well.
- Kevin_StewartEmployee
Does this necessarily have to be forward proxy for east-west traffic?
- dragonflymrCirrostratus
Thanks a lot for explanation. Checking F5 SSL Orchestrator Deployment Guide I can see that for transparent proxy there are two options - direct and captive portal. Let's assume that clients are not users by services trying to connect to another services in another DC, all via transparent proxy, services are sending JWT. Will it be as well hard to implement or in this case not so much?
- Kevin_StewartEmployee
Correct. Reverse proxy is easy. Forward proxy is not.
There are a number of obstacles here, and again mostly to do with how proxy auth works. Let's also assume we're talking about explicit proxy. Transparent forward proxy is necessarily a captive portal mechanism, so that redirects out to a captive portal auth point anyway. But for explicit forward proxy you'll run into an order of events problem. If SSLO presents as an explicit proxy, the client says CONNECT www.example.com:443 and gets a 200 tunnel established (from SSLO, no auth challenge). Then decrypted traffic enters the service chain and the APM sends a 407 for auth. This would be a proxy auth challenge inside a proxy TCP tunnel, which the browser would likely not understand. Again, there are a few challenges here, that's just one of them.
But...You can attach forward proxy authentication directly to the SSLO topology, so layering isn't required. And if you're just looking for some way to trigger auth based on some condition, you can already do that directly at the SSLO proxy VIP.
- dragonflymrCirrostratus
Thanks for reply, so for forward proxy placing APM as service is not really the option - should I understand it like that? Or it depends on type of authentication? Not sure why forward proxy is more complicated in this respect than reverse proxy?
- Kevin_StewartEmployee
Anything is possible, but would be complex to do for forward proxy authentication. This has more to do though with how forward proxy auth works, not as much about SSLO itself.
But it's definitely doable for reverse proxy auth (like ASM in the service chain). Your options here then would be to layer APM in front of SSLO, or have APM inside the service chain.
- dragonflymrCirrostratus
Hi,
Great article. I Am just curious if it is possible and what is opinion about using APM as a service in Service Chain (like ASM for example). So authentication is not done at the SSLO but rather selectively after decrypting by sending traffic to APM device configured as Service. Possible? Seems to be a little beet "cleaner" way than creating frontend VS and then steer traffic that needs to be authenticated to given Topology. Will appreciate a lot your opinion abut that type of implementation.
Piotr
- Kevin_StewartEmployee
SSLO forward proxy authentication