In a previous article, I provided a guide on using F5's Access Policy Manager (APM) and Secure Web Gateway (SWG) to provide forward web proxy services. While that guide was for organizations that are looking to provide secure internet access for their internal users, URL filtering as well as securing against both inbound and outbound malware, this guide will use only F5's Local Traffic Manager to allow internal clients external internet access.
This week I was working with F5's very talented professional services team and we were presented with a requirement to allow workstation agents internet access to known secure sites to provide logs and analytics. Of course, this capability can be used to meet a number of other use cases, this was a real-world use case I wanted to share. So with that, let's get to it!
Creating a DNS Resolver
Navigate to Network > DNS Resolvers > click Create
Leave all other settings at their defaults and click Finished
Click the newly created DNS resolver object
Click Forward Zones
In this use case, we will be forwarding all requests to this DNS resolver.
Note: Please use the correct DNS server for your use case.
Service Port: 53
Click Add and Finished
Creating a Network Tunnel
Navigate to Network > Tunnels > Tunnel List > click Create
Leave all other settings default and click Finished
Create an http Profile
Navigate to Local Traffic > Profiles > Services > HTTP > click Create
Proxy Mode: Explicit
Parent Profile: http-explict
Scroll until you reach Explicit Proxy settings.
DNS Resolver: DemoDNSResolver
Tunnel Name: DemoTunnel
Leave all other settings default and click Finish
Create an Explicit Proxy Virtual Server
Navigate to Local Traffic > Virtual Servers > click Create
Destination Address/Mask: 10.1.20.254
Note: This must be an IP address the internal clients can reach.
Service Port: 8080
Note: This use case was for TCP traffic directed at known hosts on the internet. If you require other protocols or all, select the correct option for your use case from the drop-down menu.
Protocol Profile (Client): f5-tcp-progressive
Protocol Profile (Server): f5-tcp-wan
HTTP Profile: DemoExplicitHTTP
VLAN and Tunnel Traffic Enabled on: Internal
Source Address Translation: Auto Map
Leave all other settings at their defaults and click Finish.
Create a Fast L4 Profile
Navigate to Local Traffic > Profiles: Protocol: Fast L4 > click Create
Parent Profile: fastL4
Enable Loose Initiation and Loose Close as shown in the screenshot below.
Create a Wild Card Virtual Server
In order to catch and forward all traffic to the BIG-IP's default gateway, we will create a virtual server to accept traffic from our explicit proxy virtual server created in the previous steps.
Navigate to Local Traffic > Virtual Servers > Virtual Server List > click Create
Type: Forwarding (IP)
Source Address: 0.0.0.0/0
Destination Address: 0.0.0.0/0
Protocol: *All Protocols
Service Port: 0 *All Ports
Protocol Profile: demo_fastl4
VLAN and Tunnel Traffic: Enabled on...DemoTunnel
Source Address Translation: Auto Map
Leave all other settings at their defaults and click Finished.
Testing and Validation
Navigate to a workstation on your internal network.
Launch Internet Explorer or the browser of your preference.
Modify the proxy settings to reflect the explicit_proxy_VS created in previous steps.
Attempt to access several sites and validate you are able to reach them.
Whether successful or unsuccessful, navigate to Local Traffic > Virtual Servers > Virtual Server List > click the Statistics tab.
Validate traffic is hitting both of the virtual servers created above.
If it is not, for troubleshooting purposes only configure to the virtual servers to accept traffic on All VLANs and Tunnels as well as useful tools such as curl and tcpdump.
You have now successfully configured your F5 BIG-IP to act as an explicit forward web proxy using LTM only. As stated above, this use case is not meant to fulfill all forward proxy use cases. If URL filtering and malware protection are required, APM and SWG integration should be considered. Until next time!