on 14-Mar-2018 04:00
In previous articles, we have discussed the use of F5 BIG-IP as an SSL VPN and other use cases for external or inbound access. I now want to take some time to discuss an outbound access use case: F5 BIG-IP as an explicit forward web proxy. In layman's terms, this use case lets you control end-user web access with malware prevention, URL filtering and content filtering. This is made possible by a partnership between F5 and Forcepoint, previously known as Websense. The BIG-IP can also be used as a transparent forward proxy, though that is outside the scope of this article. Below is a diagram and description of each.
OK, now that we've discussed the intent of the article, let's go over the requirements before getting started. The customer requirement is a forward web proxy solution that provides URL filtering and content filtering, as well as the ability to export logs and statistics on end-user browsing. They also require single sign-on using Kerberos authentication.
As the integrator, you're wondering how much it would cost to bring in a new vendor and new appliances to meet this requirement. Then you remember hearing that F5 is somewhat of a Swiss Army Knife: can it do this? So, as many of us do, we go back to our handy dandy search engine and type in web proxy site:f5.com. What do you know, you see BIG-IP APM Secure Web Gateway Overview.
After reading the overview you will now identify the requirements to successfully deploy this solution. They include:
Note: SWG is a subscription-based license which includes the Forcepoint (Websense) database updates.
Looking at this, it seems like it must involve much more than F5, but let's go deeper. Running on the F5 BIG-IP are LTM, APM and SWG. With SWG you download the IP intelligence database, which is stored locally on the BIG-IP and, if the BIG-IP is connected to the internet, updated on a recurring basis. With all of that covered, and a project timeline and requirements provided to your local PM, let's get started!
Note: Additional details regarding resource provisioning can be found here https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-system-essentials-12-1-1/7.html
Now that you have provisioned the necessary F5 modules, you must obtain a signing certificate and key which you will import into the BIG-IP for use later in the article. For this use case, I used a Windows 2012 box to submit a custom certificate request to my CA. For the sake of time, I am not going to walk through the certificate request process, though I will point out one very important detail: when submitting the custom request, you must enable basic constraints, allowing the subject to issue certificates on behalf of the BIG-IP.
Before deploying the SWG iApp, we are going to configure our Active Directory AAA server, create a Keytab file, configure a Kerberos AAA server, create an explicit access policy, custom URL filter as well as a per-request access policy.
From a command prompt, run the following ktpass command.
ktpass /princ HTTP/demouser.demo.lab@DEMO.LAB /mapuser demo\demouser /ptype KRB5_NT_PRINCIPAL /pass Password#1 /out c:\demo.keytab
After running the command above, navigate back to Active Directory Users and Computers and notice the changes made to the AD user account.
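Before the keytab goes into the Kerberos AAA server, it is worth confirming what ktpass actually wrote: the SPN, the key version number (kvno) and the encryption type, since the ktpass command above does not pass /crypto and a DES or RC4-HMAC key is weaker than AES. The following Python script is an added example, not part of the original article or an F5 tool: it builds a constructed keytab in memory for the HTTP/demouser.demo.lab@DEMO.LAB principal (placeholder key bytes, not real AD key material) in the MIT keytab layout, parses it back, and reports the findings. The function names, the sample key bytes and the second host/ principal are assumptions of this example.

```python
"""Inspect a Kerberos keytab (MIT v0x0502 layout) before uploading it to the BIG-IP.

Added example, not from the original article: the keytabs below are constructed
in memory; check_keytab() works the same on the bytes of a real c:\\demo.keytab.
"""
import struct
from typing import Dict, List, Tuple

# Well-known encryption type numbers (RFC 3961/3962, MS-KILE).
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK_ENCTYPES = {1, 3, 23}          # DES and RC4-HMAC: avoid for a new SPN
KRB5_NT_PRINCIPAL = 1               # the /ptype value used in the ktpass command


def _counted(data: bytes) -> bytes:
    """Keytab 'counted octet string': 16-bit big-endian length, then the bytes."""
    return struct.pack(">H", len(data)) + data


def _read_counted(blob: bytes, pos: int) -> Tuple[bytes, int]:
    (n,) = struct.unpack_from(">H", blob, pos)
    pos += 2
    return blob[pos:pos + n], pos + n


def build_keytab(entries: List[Tuple[str, str, int, int, bytes]]) -> bytes:
    """Serialise (principal, realm, kvno, enctype, key) tuples as a v0x0502 keytab."""
    out = b"\x05\x02"
    for principal, realm, kvno, enctype, key in entries:
        comps = principal.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        body += struct.pack(">I", KRB5_NT_PRINCIPAL)   # name type
        body += struct.pack(">I", 0)                   # timestamp (constructed: 0)
        body += struct.pack(">B", kvno & 0xFF)         # 8-bit kvno
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)                # 32-bit kvno trailer
        out += struct.pack(">i", len(body)) + body
    return out


def parse_keytab(blob: bytes) -> List[Dict]:
    """Walk every entry and return principal, kvno and enctype (never the key itself)."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % blob[:2])
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:                      # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        realm, pos = _read_counted(blob, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_counted(blob, pos)
            comps.append(c.decode())
        name_type, timestamp = struct.unpack_from(">II", blob, pos)
        pos += 8
        kvno = blob[pos]
        pos += 1
        (enctype,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        key, pos = _read_counted(blob, pos)
        if end - pos >= 4:                # optional 32-bit kvno overrides the 8-bit one
            (kvno32,) = struct.unpack_from(">I", blob, pos)
            if kvno32:
                kvno = kvno32
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "name_type": name_type, "timestamp": timestamp,
                        "kvno": kvno, "enctype": enctype,
                        "enctype_name": ENCTYPE_NAMES.get(enctype, "unknown(%d)" % enctype),
                        "key_len": len(key)})
    return entries


def check_keytab(blob: bytes, expected_principal: str) -> Dict:
    """Findings a defender wants before uploading: expected SPN present, no weak enctypes."""
    entries = parse_keytab(blob)
    principals = {e["principal"] for e in entries}
    weak = sorted({e["enctype_name"] for e in entries if e["enctype"] in WEAK_ENCTYPES})
    return {"entries": len(entries),
            "has_expected_spn": expected_principal in principals,
            "weak_enctypes": weak,
            "ok": expected_principal in principals and not weak}


# Constructed sample keytabs (keys are placeholder bytes, not real AD key material).
EXPECTED_SPN = "HTTP/demouser.demo.lab@DEMO.LAB"
GOOD_KEYTAB = build_keytab([("HTTP/demouser.demo.lab", "DEMO.LAB", 3, 18, b"\x11" * 32)])
WEAK_KEYTAB = build_keytab([("HTTP/demouser.demo.lab", "DEMO.LAB", 3, 23, b"\x22" * 16),
                            ("host/other.demo.lab", "DEMO.LAB", 1, 18, b"\x33" * 32)])

if __name__ == "__main__":
    for label, blob in (("good", GOOD_KEYTAB), ("weak", WEAK_KEYTAB)):
        print(label, check_keytab(blob, EXPECTED_SPN))
```

To check the file ktpass produced, pass open(r"c:\demo.keytab", "rb").read() to check_keytab in place of the constructed blob; the script reports key lengths and types only, never the key bytes, so its output is safe to paste into a change ticket.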
You will then be presented with the AD Auth configuration item.
With a Per-Request Access Policy, we can identify the category of each website a user browses to.
Note: This is a no cost account. If you have not done so, register using a valid email address and you will have access to F5 downloads.
You will then be redirected to the iApps download page.
Return to the BIG-IP TMUI.
Now for the time you've been waiting for. F5 says it has the ability, but the only way to validate that is to test it yourself. So let's get to the bottom of F5's explicit web proxy claim and test for ourselves.
Well, there you have it. You have successfully deployed a forward web proxy solution using something you may already have in your data center. No time to celebrate though, you've got 10 more priority one projects that came into your queue in the hour it took you to deploy SWG! Until next time.
Reference Documentation
https://www.f5.com/pdf/solution-center/websense-overview.pdf
http://clouddocs.f5.com/training/community/iam/html/class1/kerberos.html
Good article and I'm at the moment implementing this at a customer. I do have some issues which I do not know how to solve. Maybe you have some insight?
First one being that the Kerberos Auth is not in any way tied to the actual user that executes the process on the client. I.e. if the user launches a new Internet Explorer window with "Run as different user..." this new browser window will ride on the first "Auth" made by the first User's browser window, accidentally inheriting this user's assigned URL filter. Another side effect of this is that before the user logs in to the computer, Microsoft Windows by itself starts accessing pages on the Internet, e.g. msftconnecttest and other webpages. This results in the user authenticated to APM possibly being a Machine Account.
Second problem we have has to do with the "Confirm Box" that you can use to force the User to temporarily accept a policy violation. The choice the user takes seems to hit the whole URL filter and not the actual Category of this particular website. Also there is no way to set the timeout anywhere for the choice made? I suspect there must be a cookie or something that needs to be cleared but I cannot find any documentation of it anywhere...
I'd be grateful if you can point me in the right direction if you happen to know anything about these issues...
Kind regards, Marcus
Hi Marcus, I apologize for the delayed response. Give me a few days to review your questions and I will get back to you as soon as I can.
Excellent article!!!
Really helps a lot.
By any chance do you have a guide on how to do a sizing exercise for this solution with these components?
And another one: I was reading the guide "replacing TMG" and it makes a reference to using "AFM", but in your article and many playbooks that I have checked, I haven't seen that recommendation. My question would be: do I need it? The question comes from an economical point of view. If we go "best", it is an elevated price vs. having LTM + APM + SWG.
Thanks!!!!
I'm sorry Steve, regarding the "AFM" question; already got my answer.
It's optional, if you require some reporting and DoS defenses, etc.
So, I would only ask for the sizing exercise. If you can help me with that, I would really appreciate it man!