explicit proxy
Explicit proxy and snat-pools
Hi, We are setting up an explicit proxy for some testing. What we have so far is pretty much the same as this article: Explicit proxy example. Under the "Create a wildcard virtual server" section you create a listener for the tunnel interface. In the example they used automap, but we changed this to a SNAT pool to better suit our firewall rulesets. However, we would like to have one SNAT pool/listener for traffic that is not in a pre-defined host-name list, and one SNAT pool for traffic that is in a "whitelisted" host-name list. I don't quite understand what this wildcard listener does, but it clearly is selected after you hit the proxy IP VS. So if we have 1.1.1.1:8080 as our proxy VS, the next thing that happens is that the F5 selects the 0.0.0.0:0 wildcard VS that is configured through the HTTP profile. The documentation doesn't really explain why this wildcard listener is needed, and is it possible to select a different wildcard listener with a different SNAT pool in an iRule? As far as I can see, I could create a new wildcard VS with another SNAT pool and enable it on the tunnel interface, but I have no clue how to select it.

Implementing SSL Orchestrator - Explicit Proxy Service Configuration (Cisco WSA)
Introduction

This article is part of a series on implementing BIG-IP SSL Orchestrator. It includes high availability and central management with BIG-IQ. Implementing SSL/TLS decryption is not a trivial task. There are many factors to keep in mind and account for, from the network topology and insertion point, to SSL/TLS keyrings, certificates, ciphersuites and on and on. This article focuses on configuring a 3rd party Explicit Proxy security device and everything you need to know about it. This article covers the configuration of Cisco Web Security Appliance (WSA) running version 11.8. Please forgive me for using SSL and TLS interchangeably in this article.

A common Cisco WSA deployment mode is as an Explicit Proxy. The WSA proxy is completely transparent to the user but the BIG-IP will connect to it as an Explicit Proxy. The default settings for Cisco WSA will work with SSL Orchestrator. Keep in mind that:

1) By default WSA accepts connections on ports 80 & 3128. If you changed this you will have to specify the correct port when configuring SSLO.
2) It is assumed you are using WSA security features like URL categorization, Anti-Malware, Reputation filtering, etc.
3) It is recommended to use separate ethernet ports for Management and Data, similar to the image below.

Summary

In this article you learned how to configure a Cisco WSA in Explicit Proxy mode. Configuration of Cisco WSA can be downloaded from here in GitLab.

Next Steps

Click Next to proceed to the next article in the series. Contact Cisco if you need additional assistance with their products.

SSL Orchestrator and SWG combined
Hi, I wonder if it is at all possible to set up both SWG and SSL Orchestrator as a combined solution using a one BIG-IP (or two BIG-IP) setup? The idea is to be able to use SWG features for user authentication, URL filtering etc. and SSL Orchestrator for service chaining to provide added security for users accessing the Internet. From what I tested, when deploying SSL Orchestrator (module on BIG-IP VE, not Herculon appliance) in Explicit proxy mode, SSL Orchestrator is deployed as a kind of iApp (but not visible via iApps -> Application Service) with Strict Updates enabled, so there is no way to modify the VS created by the wizard. Additionally, it seems that there is no way to disable Strict Updates for SSL Orchestrator, so it is impossible to add APM policies to the VS set as Explicit proxy. So is it not possible to combine those functionalities? Or maybe some kind of proxy chaining from the SWG Explicit proxy to the SSL Orchestrator Explicit proxy VS? Or an iRule on the SWG Explicit Proxy VS with VIP targeting VIP? I am curious (if combining is possible) what the real life best practices and experiences are for how this setup works. Piotr

LTM HTTP explicit forward proxy and route domains
Hi, I have a simple lab setup for LTM + HTTP explicit forward proxy, no SSL interception, just CONNECT handling. When I test this in a single route domain it works OK. I have a requirement to use a different route domain for the egress traffic. So I configure the egress VLAN/Self IP/SNAT and explicit proxy in the HTTP profile into the new RD1. I set up a default route in RD1 and leave a single static route in RD0 for my client traffic. Now when I test I can see the DNS resolver working OK through the egress VLAN/RD1, but I get a 503 after that from the F5; no server-side traffic is seen in tcpdumps, just DNS. I checked the HTTP packets sent back to the client and see a connection failed as well as the 503. After troubleshooting I was able to get this to work by changing the RD1 parent name from 'none' to '0', the default partition. I can't figure out why I need to have the parent set to 0, when the only route in that RD is a static route for the client traffic, and why this would make the connection fail otherwise? Any ideas? Thanks

Upstream explicit proxy and static NTLM auth
Hi, I need to set static NTLM authentication performed by LTM when sending proxy requests to an upstream proxy - is that at all possible? Scenario:
LTM working as explicit proxy for internal clients.
APM profile attached to the VS working as explicit proxy should be responsible for AAA and all kinds of client checks.
When a user is allowed to access an external site, the request should be sent to the upstream explicit proxy (no authentication, just some headers added with authentication info) - this is the easy part.
Based on client checks some requests should be redirected to another upstream explicit proxy - this proxy requires NTLM authentication. A static user and password is used for all connections to this proxy.
The last point is the troublemaker here. I have no idea how to implement it. My first idea was to use NTLM SSO. This is working for the LTM VS type of access. I can set an Access Policy on a VS that is performing NTLM Auth with some www server (IIS for example). When I tried to use this for a VS working as explicit proxy everything fails. There is no way to use SSO on proxy type Access Profiles. I can do that with the All or LTM-APM type, but in this case the first thing the profile does is a 302 to set APM cookies. At this point the browser fails - it sends a GET to the APM URI and gets a 404. I am thinking about implementing an iRule that will intercept the APM 302, save the cookies in a table etc. - just a basic idea, plenty of details to work on. I am not even sure if it's at all possible. My question is if there is a better way to implement this, or if my spoofing idea is a workable solution - is it possible to trick APM using iRule-created responses and client request mods (adding proper cookies to each client request via iRule)? Piotr

Explicit proxy and client NTLM
Hi, I am pretty sure it is easy and possible but I can't figure out how. I have a user logged in to the domain, explicit proxy is configured on LTM, and the user's browser is pointed to the proxy IP. I would like to avoid a separate login when first accessing the proxy. I tried to set it up based on the article about client NTLM but it fails, so I think it's a bit different for a proxy than for accessing some sites directly. In the Access Profile (type SWG-Explicit) there is an option to choose the NTLM Auth configuration created before (option NTLM Auth Configuration). I did that; now the question is what to choose for User Identification Method - if I recall, the options are HTTP (maybe IP) or credentials - or is it not important in the case of an explicit proxy? What should be placed in the Access Policy? First a 407 response, then NTLM Auth Result, then Allow for successful? I wonder if in this case assigning the ECA profile (and the iRule enabling it) to the VS configured as explicit proxy is necessary - I suspect probably not, and doing so could be the main issue? That step was in Configuring APM Client Side NTLM Authentication, but is that necessary for a proxy? Piotr