explicit forward proxy
12 Topics

F5 LTM Explicit Forward Proxy with SSL Decryption (and XFF insertion)
Hi experts, I am working on a project where I have to configure the LTM as an Explicit Forward Proxy. I managed to get this working for both HTTP and HTTPS traffic using this article here: Configure the F5 BIG-IP as an Explicit Forward Web Proxy Using LTM | DevCentral. Note that, to align with the existing routing topology, the above setup required SNAT so the return traffic can get back to the LTM (currently the routing topology can't be changed). However, a new requirement has come up to include the X-Forwarded-For header in the outgoing packets from the LTMs (to the Internet) so the firewalls (that happen to be in the path to the Internet) can enforce the necessary policies based on the source IP derived from the XFF IP. Essentially, now I have the requirement of decrypting the traffic on the LTMs (while it's still functioning as an explicit forward proxy), inserting XFF and re-encrypting the traffic before sending it out to the firewall. The firewall, in this case, will also decrypt the traffic, extract the XFF information and use that to enforce security policies on the traffic before sending it out to the Internet. Obviously, decrypting the same traffic twice is overkill, but I guess at this point in time I just wanted to make sure that this option is available and test it out in my POC. The issue I am having right now is that, for the life of me, I can't find any document that tells me how to perform this on an explicit forward proxy setup. I can find a lot of information around SSL decryption and XFF insertion on a reverse proxy setup, but I am a bit confused how I derive the necessary bits from that and apply them to the explicit forward proxy. I tried different things in my lab but failed to get the expected outcome. Can someone please show me a document or let me know how to do this? Your input is much appreciated. Thanks

Use F5 LTM as HTTP Proxy
Problem this snippet solves: The LTM product can be used as an HTTP proxy for servers and PCs. This code explains the minimum requirements to configure the proxy feature without the SWG module (configurations from the Explicit Forward Proxy documentation, without the documentation) and without the explicit proxy iApp.

How to use this snippet: All these commands must be run in the bash shell.

CREATE HTTP PROXY VIRTUAL SERVER

Configure the variables used in the next commands. The variable HTTPBaseName is used to create:
- Resolver object: RESOLVER_${HTTPBaseName}
- HTTP profile: http_${HTTPBaseName}
- Virtual server: VS_${HTTPBaseName}

HTTPBaseName="HTTP_FORWARD_PROXY"
VS_IP="192.168.2.80"
VS_PORT="8080"

Create the DNS resolver with your DNS server (1.1.1.1 is for demo, using Cloudflare):

tmsh create net dns-resolver RESOLVER_${HTTPBaseName} { forward-zones replace-all-with { . { nameservers replace-all-with { 1.1.1.1:domain { } } } } route-domain 0 }

Create an HTTP profile of type explicit, using the DNS resolver. The parameter default-connect-handling allow enables HTTPS connections without SSL inspection:

tmsh create ltm profile http http_${HTTPBaseName} { defaults-from http-explicit explicit-proxy { default-connect-handling allow dns-resolver RESOLVER_${HTTPBaseName} } proxy-type explicit }

Create the HTTP proxy virtual server:

tmsh create ltm virtual VS_${HTTPBaseName} { destination ${VS_IP}:${VS_PORT} ip-protocol tcp mask 255.255.255.255 profiles replace-all-with { http_${HTTPBaseName} { } tcp } source 0.0.0.0/0 source-address-translation { type automap } translate-address enabled translate-port enabled }

ENABLE SSL FORWARD PROXY

This section is not required to forward HTTPS requests but only to enable SSL inspection on HTTPS requests.
Note: the following configuration requires the SSL Forward Proxy license.

Configure the variables used in the next commands. The variable SSLBaseName is used to create:
- Certificate / key pair: ${SSLBaseName}
- Client SSL profile: clientssl_${SSLBaseName}
- Server SSL profile: serverssl_${SSLBaseName}
- Virtual server: VS_${SSLBaseName}

SSLBaseName="SSL_FORWARD_PROXY"
dirname="/var/tmp"
CASubject="/C=FR/O=DEMO\ COMPANY/CN=SSL\ FORWARD\ PROXY\ CA"

Create a self-signed certificate for CA purposes (not available in the WebUI). Self-signed certificates created in the WebUI don't have the CA capability required for SSL FORWARD PROXY:

openssl genrsa -out ${dirname}/${SSLBaseName}.key 4094
openssl req -sha512 -new -x509 -days 3650 -key ${dirname}/${SSLBaseName}.key -out ${dirname}/${SSLBaseName}.crt -subj "${CASubject}"

Import the certificate and key into TMOS:

tmsh install sys crypto key ${SSLBaseName}.key from-local-file ${dirname}/${SSLBaseName}.key
tmsh install sys crypto cert ${SSLBaseName}.crt from-local-file ${dirname}/${SSLBaseName}.crt

After the CA certificate is imported, browse to it in the WebUI, retrieve it and import it into the client browsers' trusted CAs.

Create the SSL profiles for SSL FORWARD PROXY:

tmsh create ltm profile client-ssl clientssl_${SSLBaseName} { cert-lookup-by-ipaddr-port disabled defaults-from clientssl mode enabled proxy-ca-cert ${SSLBaseName}.crt proxy-ca-key ${SSLBaseName}.key ssl-forward-proxy enabled }
tmsh create ltm profile server-ssl serverssl_${SSLBaseName} { defaults-from serverssl ssl-forward-proxy enabled }

Create the SSL FORWARD PROXY virtual server (it listens only on the http-tunnel VLAN, i.e. on CONNECT traffic handed over by the explicit proxy virtual server):

tmsh create ltm virtual VS_${SSLBaseName} { destination 0.0.0.0:https ip-protocol tcp profiles replace-all-with { clientssl_${SSLBaseName} { context clientside } serverssl_${SSLBaseName} { context serverside } http { } tcp { } } source 0.0.0.0/0 translate-address disabled translate-port disabled vlans replace-all-with { http-tunnel } vlans-enabled }

Change the HTTP EXPLICIT PROXY default connect handling to deny, so CONNECT requests are no longer passed through uninspected:

tmsh modify ltm profile http http_${HTTPBaseName} explicit-proxy { default-connect-handling deny }

Note: these commands were tested in both 12.1 and 13.1 versions.

SNAT based on XFF to internet
Hi All, my company is trying to get the LTM to work with the IronPort proxy. The proxy gateway is pointed to the F5 and we have configured a Performance L4 virtual server to allow the traffic to pass through. So far what we observed from our iRules, the XFF header is not matched properly and it is intermittently having issues.

when HTTP_REQUEST {
    set XFF [HTTP::header X-Forwarded-For]
    log local0. $XFF
    if { [catch {class match [HTTP::header "X-Forwarded-For"] equals abc-address}] } {
        log local0. "$XFF hit ABC"
        snatpool SNAT_POOL_1.1.1.1
    } elseif { [catch {class match [HTTP::header "X-Forwarded-For"] equals def-address}] } {
        log local0. "$XFF hit DEF"
        snatpool SNAT_POOL_2.2.2.2
    } elseif { [class match [IP::client_addr] equals proxy-address] } {
        log local0. "not nat. proxy going to internet"
    } else {
        log local0. "Not matching any ip. traffic dropped"
        drop
    }
}

Would anyone be able to help advise if it is the rule having the issue?

LTM Websense loadbalancing VIP resets connection
The traffic flow for this connection is: DMZ (on firewall) 10.0.0.0/24 range -> hits an IP 192.168.1.x -> SRC NAT (outgoing interface of the FW) and DST NAT (to VIP:8080) -> no AutoMap, persistence used -> load balanced across the Websense pool -> reply goes back via the same interface of the FW which was used for the SRC NAT IP. In the pcaps from the LTM, the VIP resets the connection after a GET from the SRC NATted IP, and the reset from the LTM only says "TCP retransmission timeout". From reading this thread: https://devcentral.f5.com/questions/load-balancing-web-proxy-servers it seems that the TCP profile's low timeout value could be an issue here, but I'm not sure and not sure how to test this. On another note, I feel the SRC NATted address on the FW interface is exhausting its limit of 64k ports and hence the LTM is failing to respond in time. What troubleshooting approach can I take from here? Just started with F5s. Thanks.

Explicit forward proxy for HTTP(S), FTP(S), SFTP and SOCKS
Hi folks, I wanna set up a BIG-IP as a simple explicit forwarding proxy for several services:
- HTTP(S)
- FTP(S)
- SFTP
- SOCKS

There is no need for caching, URL filtering or authentication; just IP Intelligence should be used. So to my understanding LTM and an IPI license are sufficient. Moreover, the encrypted protocols (HTTPS, SFTP, FTPS) shouldn't be intercepted. I have read a few implementation guides for SWG which gave me an idea of what to do. First of all, I think I need 4 virtual servers to use as forward proxy servers (they act as listeners for the client proxy connections):
- VS_Forward_8080 (for receiving and forwarding the client HTTP(S) requests)
- VS_Forward_2121 (for receiving and forwarding the client FTP(S) requests)
- VS_Forward_22 (for receiving and forwarding the client SFTP requests)
- VS_Forward_1080 (for receiving and forwarding the client SOCKS requests)

Moreover, 4 tunnels are needed:
- tunnel_http
- tunnel_ftp
- tunnel_sftp
- tunnel_socks

And last but not least I need six virtual servers which finally handle the client requests (name resolution, IPI check via iRule, SNAT and routing to the Internet):
- VS_HTTP_80
- VS_HTTPS_443
- VS_FTP_21
- VS_FTPS_990
- VS_SFTP_22
- VS_SOCKS_1080

The tunnels link the forwarding proxy servers. A high level overview looks like that:

My questions regarding that scenario: Does it work in principle? Is there a better/easier way to achieve what I want? Is it possible to avoid interception of the encrypted connections? If yes, how is name resolution possible for the destination hosts? Shall Fast L4 or Standard VS be used? Many thanks for your ideas and comments!

Forward explicit SSL proxy server
Dear all, trying to figure out why HTTPS traffic is not passing the forward proxy. I followed the following article, configured the HTTP and SSL profiles and the two virtual servers accepting HTTP and HTTPS traffic. The only thing that we don't use is the APM part. The result is that, when using the explicit IP address configured in the HTTP virtual server in the local browser client, it works just fine when accessing HTTP websites. When I try to access a website with HTTPS using the explicit IP address configured in my browser, I can see an HTTP CONNECT and the virtual server replies with service unavailable HTTP 503. This happens with all HTTPS sites. If I change the proxy setting in the browser to HTTPS (port 443), the request is simply being reset. https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-secure-web-gateway-implementations-12-0-0/7.html Does anyone have experience in deploying BIG-IP LTM as an explicit forward proxy using HTTP and clientSSL profiles only, without the use of iRules?

VIP targeting VIP, preserve src and dst IP
Hi, I tried everything and nothing worked :-(. I am running out of ideas, so either I am doing something wrong or what I need is not possible. The idea is to have a setup like that: client -> explicit forward proxy type VS -> ForwardIP type VS -> target server. I tried plenty of combinations to pass traffic from the forward proxy VS to the ForwardIP VS but all failed: virtual, nexthop with snat none, translate addr disable etc. I need to pass traffic after the forward proxy VS resolves the destination server from the proxy request to the ForwardIP server. This is my idea to be able to use AFM rules to enforce limitation of src IP:port, dst IP:port (L4 rules). I know that it's possible to use APM ACLs but this is not a very elegant and admin-friendly solution :-( Everything is failing when I try to pass traffic to the ForwardIP VS. When the virtual command is used, the dst IP is changed to the ForwardIP VS or (when a wildcard VS is used) to nothing; but at least traffic is reaching the ForwardIP VS. When nexthop is used, traffic is never reaching the ForwardIP VS. When nexthop with a tunnel specified (tcp forward type on which the ForwardIP VS is enabled) is used, I immediately have a port exhaustion message in the LTM log. Is there any way to achieve what I need, or is it plain impossible? Piotr

F5 AS A TRANSPARENT PROXY FOR MOBILE USERS
What configuration can be done on the F5 LTM (only LTM is in use in my environment) to enable it as a Transparent Proxy for mobile users? My configuration is this: Mobile Proxy Users ==> F5 (TRANSPARENT PROXY) ===> MOBILE FW ==> Internet Gateway. I only have F5 LTM in my environment.

F5 LTM AS A TRANSPARENT BRIDGE (PROXY) FOR HTTP/HTTPS FOR MOBILE USERS
Hello DevCentral, I have a request to make the F5 LTM act as a transparent proxy for mobile users so their requests are forwarded straight to the firewall instead of load-balancing them to traffic servers which are being phased out. The arrangement wanted is for requests from the GGSN to hit the F5, and the requests forwarded transparently to the Mobile Firewall, so users don't have to be instructed to change the proxy on their phones. Thanks.

Local Traffic Policy and forward to virtual not working
Hi, maybe not "not working at all", but for some reason for some configs it is not :-( I tried a setup like that:
- VS1 - Standard, wildcard with pool containing the default gateway IP (not really relevant here), SNAT enabled, Address and Port translation disabled
- VS2 - ForwardingIP, wildcard
- VS1 has an LTP attached: forward to VS2

The client is pointed at the BIG-IP self IP as default gateway. Because VS1 has Source Address set to the client IP, VS1 is processing the client request. From the log it's obvious that traffic from VS1 is passed to VS2 and then delivered to the target server.

A setup like that is not working: the forward to VS2 is completely ignored and traffic is passed directly to the target server (the same one as for the first config):
- VSProxy - Standard, Explicit forward proxy profile attached, no pool, SNAT enabled, Address and Port translation disabled
- VS2 - same as above
- VSProxy has the same LTP attached

No traffic ever reaches VS2; the client request is passed directly to the target server. I know of course how a VS with an explicit proxy HTTP profile is working, but I can't understand why it's ignoring the LTP and not forwarding traffic to VS2; even if the connection will not work then, the forward should not be ignored, but it is :-( Sure, there is Address/Port translation enabled, but still... When Address/Port translation is disabled on VSProxy the connection fails completely, but traffic is not hitting VS2 either. So either it's by design or it's a kind of bug? Piotr