forward proxy
19 Topics

Forward proxy with SSL passthrough - SWG license required?
Hi,

At one site with a single v15 VE I need to proxy outbound traffic, but without SSL inspection. Most docs relating to SSL passthrough assume that targets are internal and pooled, but this is not my scenario: internal clients must connect to numerous (but specified) external URLs outside my control, and whose IPs are constantly changing. This similar query states it was solved via an iApp, but does not specify which one, or give much detail on the final config.

Regarding the license aspect, other proxy-related posts refer to the need for an SWG license (which I don't have) - would I need this? The documentation for this use case is unclear; any comments/tips gratefully received!

Cheers,
auto
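The decision the passthrough question above comes down to, shown as an added example in Python (this is not BIG-IP configuration and not code from the original post): with no SSL inspection, the only thing the proxy can still read is the server_name (SNI) in the unencrypted ClientHello, so a list of permitted external hostnames has to be enforced there rather than by destination IP. The allowlist entries and the ClientHello bytes below are constructed for the example.

```python
"""SNI-based allowlist for a TLS passthrough (no-decrypt) forward proxy.

Added example, not from the original post or from F5. It reads the ClientHello a
client sends through the proxy, extracts the server_name extension, and decides
whether the connection may be passed through. The allowlist and the sample
ClientHello are constructed here for illustration.
"""
import struct

# Assumed allowlist: exact hostnames, or ".suffix" for any subdomain of suffix.
ALLOWED = ("updates.vendor-a.example", ".api.vendor-b.example")


def _u16(buf: bytes, off: int) -> int:
    return struct.unpack_from("!H", buf, off)[0]


def parse_sni(record: bytes):
    """Return the host_name from a TLS ClientHello record, or None if absent/malformed."""
    # TLS record header: content_type(1)=0x16 handshake, version(2), length(2)
    if len(record) < 5 or record[0] != 0x16:
        return None
    rec_len = _u16(record, 3)
    body = record[5:5 + rec_len]
    if len(body) < rec_len:
        return None  # record split across TCP segments; a real proxy would buffer more
    # Handshake header: msg_type(1)=0x01 ClientHello, length(3)
    if body[0] != 0x01:
        return None
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    try:
        pos = 2 + 32                                 # client_version + random
        pos += 1 + hello[pos]                        # session_id
        pos += 2 + _u16(hello, pos)                  # cipher_suites
        pos += 1 + hello[pos]                        # compression_methods
        if pos + 2 > len(hello):
            return None                              # no extensions block at all
        end = pos + 2 + _u16(hello, pos)
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = _u16(hello, pos), _u16(hello, pos + 2)
            pos += 4
            if ext_type == 0x0000:                   # server_name extension
                list_end = pos + 2 + _u16(hello, pos)
                p = pos + 2                          # skip server_name_list length
                while p + 3 <= list_end:
                    name_type, name_len = hello[p], _u16(hello, p + 1)
                    p += 3
                    if name_type == 0:               # host_name entry
                        return hello[p:p + name_len].decode("ascii")
                    p += name_len
                return None
            pos += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None


def allowed(host) -> bool:
    """Allowlist check; a missing SNI is rejected because nothing else identifies the target."""
    if not host:
        return False
    host = host.lower().rstrip(".")
    return any(host == e or (e.startswith(".") and host.endswith(e)) for e in ALLOWED)


def decide(record: bytes):
    """Per-connection verdict: ('pass' | 'reject', sni_or_None)."""
    host = parse_sni(record)
    return ("pass" if allowed(host) else "reject"), host


def build_client_hello(sni: str) -> bytes:
    """Constructed test input: a minimal TLS 1.2 ClientHello carrying one SNI entry."""
    name = sni.encode("ascii")
    sni_list = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    exts = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    hello = (b"\x03\x03" + bytes(32)                 # version 1.2, random (zeros)
             + b"\x00"                                # empty session_id
             + struct.pack("!H", 2) + b"\x13\x01"     # one cipher suite
             + b"\x01\x00"                            # one compression method: null
             + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    for sni in ("updates.vendor-a.example", "x.api.vendor-b.example",
                "x.api.vendor-b.example.attacker.test"):
        print(sni, "->", decide(build_client_hello(sni)))
    print("non-ClientHello ->", decide(b"\x16\x03\x01\x00\x02\x02\x00"))
```

Two caveats a practitioner would want with this approach. The SNI is unauthenticated: with passthrough the proxy never sees the server certificate, so a client can put an allowed name in the ClientHello and connect anywhere if the proxy lets the client choose the destination address; resolve the permitted hostname yourself (or use the original destination on a transparent wildcard virtual server) rather than trusting a client-supplied IP. And a ClientHello with no SNI (or one split across TCP segments) is rejected here; on a BIG-IP the same bytes are read from the first client payload in an iRule before the connection is forwarded, so the buffering concern applies there too.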
HTTP Explicit Proxy - V11.5+

Problem this snippet solves:

This iApp configures an Explicit Proxy using the new "Explicit" proxy mode that was introduced into the HTTP profile in BIG-IP 11.5. You only need LTM or APM provisioned. It creates all the configuration components required, including:

- DNS Resolvers
- TCP Tunnel
- HTTP Profile (Explicit)
- Default Connect Handling set to Allow
- SNAT Pools (optional); the SNAT default is Automap

If you require the Explicit Proxy to listen on more than one port, e.g. 3128 and 8080, simply create another Application Service.

Contributed by: Brett Smith

How to use this snippet:
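A check worth putting in front of the "Default Connect Handling set to Allow" setting listed above, shown as an added example in Python (this is not part of the iApp and not F5 code): an explicit proxy that allows CONNECT to any host:port is a generic TCP relay, so the example parses proxy-form request lines and only tunnels to the TLS port of permitted domains, refusing literal internal addresses. The allowlist, the permitted ports and the sample request lines are constructed for the example.

```python
"""Request-line policy for an explicit HTTP proxy.

Added example, not part of the iApp or any F5 code. With CONNECT handling set
to Allow, the proxy will tunnel to whatever host:port the client names. This
models the check a practitioner would place in front of that: tunnel only to
the TLS port of permitted domains, and refuse literal internal addresses, so
the proxy cannot be used as a relay for SSH/SMTP/RDP or as a pivot into its
own network. Allowlist, ports and sample request lines are constructed.
"""
import ipaddress
from urllib.parse import urlsplit

ALLOWED_DOMAINS = ("example.com",)   # assumed: a domain and all its subdomains
TUNNEL_PORTS = frozenset({443})      # assumed: CONNECT only to TLS


def parse_request_line(line: str):
    """Return (method, host, port) from a proxy-form request line, or None if malformed."""
    parts = line.strip().split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    method, target, _ = parts
    if method == "CONNECT":                          # authority-form: host:port
        host, sep, port = target.rpartition(":")
        if not sep or not port.isdigit():
            return None
        return method, host.strip("[]").lower(), int(port)
    u = urlsplit(target)                             # absolute-form: scheme://host[:port]/path
    if u.scheme not in ("http", "https") or not u.hostname:
        return None
    try:
        port = u.port or (443 if u.scheme == "https" else 80)
    except ValueError:                               # non-numeric or out-of-range port
        return None
    return method, u.hostname.lower(), port


def is_internal(host: str) -> bool:
    """True for literal loopback/private/link-local targets.

    Names are not resolved here: the same test must be repeated on the resolved
    address right before connecting, or a DNS record pointing at 10.x.x.x walks
    straight past this check.
    """
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return ip.is_private or ip.is_loopback or ip.is_link_local


def host_allowed(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)


def decide(line: str):
    """Return (verdict, reason) for one request line."""
    parsed = parse_request_line(line)
    if parsed is None:
        return "deny", "malformed request line"
    method, host, port = parsed
    if is_internal(host):
        return "deny", "internal address"
    if method == "CONNECT" and port not in TUNNEL_PORTS:
        return "deny", f"port {port} is not a tunnel port"
    if not host_allowed(host):
        return "deny", f"host {host} not in allowlist"
    return "allow", "ok"


if __name__ == "__main__":
    for req in ("CONNECT www.example.com:443 HTTP/1.1",
                "CONNECT www.example.com:22 HTTP/1.1",
                "CONNECT 10.0.0.5:443 HTTP/1.1",
                "GET http://www.example.com/ HTTP/1.1",
                "GET http://www.example.org/ HTTP/1.1"):
        print(req, "->", decide(req))
```

The internal-address test only catches literal IPs in the request line; a proxy that resolves names itself must apply the same test to the resolved address at connect time, and on a BIG-IP that means the DNS resolver the iApp creates, not the client's.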
Squid forward caching proxy server conflicting with Load Balancer; images, JS, CSS not rendering in application

Have an interesting one here that I hope others can help unravel.

A user tells me that the website application, which sits behind an F5 LB, is not rendering properly, e.g. it is missing images, stylesheets, JavaScript files, and the like. And it's not just this user: a colleague at his workplace has the same issue, and seemingly others in the company can also reproduce it. I will say that this client (as in the company) is the only one who has reported such an issue. No other companies who use the application are reporting pages not rendering content properly.

He had tried testing with a work laptop, work phone and personal phone, over the company network, cellular network and home network, and using multiple browsers. It was consistent across multiple browsers. I asked him to clear cache and cookies and that did not help. Here are the results of his testing:

- Work laptop on home network: Pass.
- Work laptop on company network: Fail.
- Work laptop at their customer's location (possibly connected to the customer's network): Fail.
- Work phone on company network: Fail.
- Work phone on cellular network (Verizon)*: Fail.
- Personal phone on cellular network (AT&T)*: Pass.
- Work colleague's laptop connected to said colleague's phone configured as a hotspot (Sprint) (not sure if the devices are work or personal)**:

**This was conducted while on company premises.

It didn't seem to matter what browser was employed. I didn't get a report that it worked in one browser but not another, for instance.

To make a long story short, I asked him to send me a Fiddler log, and the log showed something that I cannot reproduce on my end. The Fiddler log shows the page loaded with HTTP 200, but the content on the page (i.e. JavaScript files, stylesheets, images) shows HTTP 304. In the response headers, under Transport, for all requests, I see:

Connection: close
Via: 1.1 {unique ID} (squid/3.5.23)

(The unique ID is some kind of specific value. It might be sensitive information, so I decided to not include it in this post.)

For , the response header Cache shows:

X-Cache: MISS from {unique ID}
X-Cache-Lookup: HIT from {unique ID}:{Port number}

For , the response header Cache shows:

X-Cache: HIT from {unique ID}
X-Cache-Lookup: HIT from {unique ID}:{Port number}

I don't recall seeing anything like this before. It looks to be Squid, a caching and forward proxy server, that is sitting in front of the client and making requests to the LB. Since this company is the only one who has reported this issue and I cannot reproduce it on my end, it's probably safe to say that either this company is running Squid, their ISP is running Squid, or even both. I pressed the user to inquire with the company's IT whether they are running any proxies, and the answer was no. It's certainly possible the company's IT could be mistaken.

Today, the user says that he came into his office and everything is working now. He tried Firefox, IE, wireless network and cellular network, and does not understand why it's working. The likely possibilities I can think of as to what happened and why are:

- The Squid cache was flushed, which means this problem may return in the future.
- Squid was not configured properly by the company's IT/ISP and now it is, thus resolving the issue.
- Squid was taken offline and the client is connecting directly to the LB now.

What I am very concerned about is what happens if the company reports the same issue, or maybe another company who is running Squid or some other forward caching/proxy server reports the same issue? I really don't know if this is something where I have to tell the user that this is not our problem, this is your IT infrastructure's and/or your local ISP's problem. In other words, whether the Squid server is configured properly or not, is this something where the LB needs to be configured such that it works around the problem? Does that make sense?

If there is a configuration change that I need to enact on the LB, what are these changes and what are the step-by-step instructions? I'm sorry for the long-winded explanation, but I'm trying to be detailed and thorough with this.

Thank you very much.
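A way to turn a capture like the one described above into evidence, as an added example in Python (not part of the original post and not an F5 feature): it walks a constructed set of sessions shaped like that Fiddler log (Via naming squid, X-Cache / X-Cache-Lookup, 304 on the sub-resources), reports which responses were answered by the intermediary's cache and so never reached the load balancer, and checks whether the origin's own Cache-Control would even allow a shared cache to store each response. The proxy identifier, hostnames and paths are placeholders.

```python
"""Classify captured responses when a caching proxy sits between the client and the LB.

Added example, not part of the original post or of any F5 product. The sessions
below are constructed to look like the Fiddler capture in the post: a 200 for
the page with X-Cache MISS, 304s for sub-resources with X-Cache HIT, and one
response with no proxy headers at all.
"""
import re

# Constructed sample sessions: (path, status, response headers)
SESSIONS = [
    ("/app/", 200, {"Via": "1.1 proxy-01 (squid/3.5.23)", "X-Cache": "MISS from proxy-01",
                    "X-Cache-Lookup": "HIT from proxy-01:3128", "Connection": "close",
                    "Content-Type": "text/html"}),
    ("/static/app.js", 304, {"Via": "1.1 proxy-01 (squid/3.5.23)", "X-Cache": "HIT from proxy-01",
                             "X-Cache-Lookup": "HIT from proxy-01:3128", "Connection": "close"}),
    ("/static/site.css", 304, {"Via": "1.1 proxy-01 (squid/3.5.23)", "X-Cache": "HIT from proxy-01",
                               "X-Cache-Lookup": "HIT from proxy-01:3128", "Connection": "close"}),
    ("/static/logo.png", 200, {"Content-Type": "image/png", "Cache-Control": "private, max-age=0"}),
]

# "(product/version)" comments in Via, e.g. "1.1 proxy-01 (squid/3.5.23)"
VIA_PRODUCT = re.compile(r"\((?P<product>[^/)\s]+)/(?P<version>[^)\s]+)\)")


def _get(headers: dict, name: str) -> str:
    """Case-insensitive header lookup; '' when absent."""
    return next((v for k, v in headers.items() if k.lower() == name), "")


def intermediaries(headers: dict):
    """(product, version) pairs that announced themselves in Via, e.g. [('squid', '3.5.23')]."""
    return [(m.group("product"), m.group("version"))
            for m in VIA_PRODUCT.finditer(_get(headers, "via"))]


def served_from_proxy_cache(headers: dict) -> bool:
    """X-Cache: HIT means the proxy answered from its own store, not from the LB."""
    return _get(headers, "x-cache").upper().startswith("HIT")


def shared_cache_may_store(headers: dict) -> bool:
    """RFC 7234 rule only: a shared cache must not store responses marked private or no-store."""
    directives = {d.strip().lower() for d in _get(headers, "cache-control").split(",")}
    return not (directives & {"private", "no-store"})


def analyze(sessions):
    report = {"proxies": set(), "via_proxy": [], "direct": [],
              "answered_by_cache": [], "storable_by_shared_cache": []}
    for path, status, hdrs in sessions:
        found = intermediaries(hdrs)
        if found:
            report["proxies"].update(found)
            report["via_proxy"].append(path)
        else:
            report["direct"].append(path)
        # A sub-resource answered 304 out of the proxy's cache was never seen by the
        # LB; if that cached copy is wrong or stale the page renders without it, and
        # nothing on the LB side shows a request for it at all.
        if served_from_proxy_cache(hdrs) and status == 304:
            report["answered_by_cache"].append(path)
        if shared_cache_may_store(hdrs):
            report["storable_by_shared_cache"].append(path)
    return report


if __name__ == "__main__":
    for key, value in analyze(SESSIONS).items():
        print(f"{key}: {value}")
```

The point of the last check is the only lever the LB side actually has: a shared cache it does not control can be kept from storing a response only by what the origin (or the BIG-IP, inserting headers in HTTP_RESPONSE) says in Cache-Control and Vary; nothing in the LB's configuration reaches requests the proxy answers from its cache, because those never arrive.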
Forward SSL proxy or Proxy SSL ?

Hi,

We want to create a new wildcard outbound virtual server with standard type and port 443. The thing is, we want to decrypt to inspect and modify some HTTP headers of some hosts too. Example: if we access ";, F5 should perform an iRule and send it to pool A, but if another user accesses ";, F5 should do nothing and send the traffic normally. What do we need to use: Forward SSL Proxy or Proxy SSL? Are both an additional license?

Thank you
SSL forward proxy integration with FireEye to inspect HTTPS

We are trying to integrate F5 with FireEye to be able to inspect HTTPS traffic with the FireEye NX solution. We started off by creating a simple SSL forward proxy setup to verify the SSL proxy functionality, as follows. We used the iApp f5.airgap_egress.v1.0.0rc4 and modified some details; for example, we created a separate virtual server for 443 for testing purposes.

Considerations

- Some applications do not work when SSL interception is enabled, like Skype. It is necessary to have a full list of host names and destination IPs of traffic that cannot be decrypted and has to be excluded.
- SSL forward proxy only works if the clients' default gateway is a self IP of the F5. If an external gateway is used, traffic is not intercepted or matched by the virtual servers.
- SNAT has to be enabled, otherwise connections are not established. The downside is that FireEye is unable to see the original source IP address. Perhaps the HTTP header X-Forwarded-For will solve this.

SSL forward proxy with route domains

Lab setup

After setting up the basic SSL forward proxy we continued by creating two route domains. We created two routes: one from route domain 0 to route domain 1, and one from route domain 1 to the external router. For your information, we used only one BIG-IP device.

Considerations

All traffic works fine (UDP, HTTP), but HTTPS always results in an SSL error message, because there are two SSL client sessions. To be able to decrypt the traffic and forward it unencrypted from route domain 0 to route domain 1, we have to disable SSL on the server side on the wildcard 443 virtual server in route domain 0, and we have to disable client-side SSL on the SSL wildcard virtual server located in route domain 1 so it will accept connections unencrypted. The following iRule is used to simply disable SSL traffic on the server side communicating towards route domain 1. On the SSL wildcard virtual server in route domain 1 we disable the client SSL profile and enable server SSL to re-encrypt the connection.

Now when we try to open an SSL website like gmail.com we receive the following error. It happens with every SSL website w

In Wireshark we observe that the handshake is failing to the Gmail website, but the client proxy SSL connection is successfully set up with TLS 1.2. The TLS session towards Google is TLSv1, so perhaps that's the problem here. Does anyone have some recommendations why this is happening?
Add banner to HTML Pages with no control over HTTP code

I'm quite new to iRules, but I have a requirement to have the F5 add a banner message at the top of certain web pages. We aren't able to modify the source HTML of the pages, though. Is this possible with either iRules or content profiles?

A bit more background: the F5 is acting as a forward proxy for Internet access. Our management have requested that we add a warning message to certain websites, but not block them entirely.

Thanks in advance
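What an in-path rewrite has to get right to do what the post above asks, shown as an added example in Python (this is not code from the post and not an F5 iRule; on a BIG-IP the same steps map onto an HTTP profile plus a STREAM profile driven from an iRule): only touch text/html, deal with compressed bodies (either decompress, or strip Accept-Encoding on the request so the origin sends plain text), place the banner where it cannot break the page's own body tag, and recompute Content-Length. The banner text and the sample page are constructed.

```python
"""Insert a warning banner into HTML responses passing through a forward proxy.

Added example, not from the original post or F5. It models the response-side
rewrite: act only on text/html, decompress gzip bodies, insert the banner just
before </body>, and fix Content-Length. A companion request-side helper drops
Accept-Encoding so the origin sends an uncompressed body in the first place.
Banner text and the sample page are constructed.
"""
import gzip

BANNER_HTML = (
    '<div id="proxy-warning" style="position:fixed;top:0;left:0;width:100%;'
    'z-index:2147483647;background:#ffd54a;color:#000;padding:6px;'
    'text-align:center;font:14px sans-serif">'
    'Warning: this site is permitted but not trusted. Do not enter corporate credentials.'
    '</div>'
)


def _get(headers: dict, name: str) -> str:
    """Case-insensitive header lookup; '' when absent."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), "")


def _without(headers: dict, *names) -> dict:
    drop = {n.lower() for n in names}
    return {k: v for k, v in headers.items() if k.lower() not in drop}


def prepare_request_headers(req_headers: dict) -> dict:
    """Ask the origin for an uncompressed body so the response can be rewritten in place."""
    return _without(req_headers, "Accept-Encoding")


def inject_banner(resp_headers: dict, body: bytes, banner: str = BANNER_HTML):
    """Return (headers, body) with the banner inserted before </body>.

    Scripts, images, JSON, unknown encodings and bodies without </body> pass
    through unchanged: guessing on those breaks pages rather than labelling them.
    """
    if not _get(resp_headers, "Content-Type").lower().startswith("text/html"):
        return resp_headers, body
    encoding = _get(resp_headers, "Content-Encoding").lower()
    if encoding == "gzip":
        body = gzip.decompress(body)
    elif encoding:
        return resp_headers, body              # br, deflate, ...: not handled here
    idx = body.lower().rfind(b"</body>")
    if idx < 0:
        return resp_headers, body
    # Inserting before </body> rather than after "<body" keeps the page's own body
    # attributes intact; the banner is fixed-position so it still renders on top.
    new_body = body[:idx] + banner.encode("utf-8") + body[idx:]
    out = _without(resp_headers, "Content-Length", "Content-Encoding")
    out["Content-Length"] = str(len(new_body))  # body is now uncompressed and longer
    return out, new_body


if __name__ == "__main__":
    page = b'<html><head><title>t</title></head><body class="x"><p>hello</p></body></html>'
    hdrs, out = inject_banner({"Content-Type": "text/html; charset=utf-8",
                               "Content-Length": str(len(page))}, page)
    print(hdrs)
    print(out.decode())
```

Two things this cannot fix on its own: a site whose Content-Security-Policy forbids inline styles will hide the banner's styling (the div is still inserted, the browser just ignores the style attribute), and the rewrite only applies to responses the proxy can read, so HTTPS sites get a banner only where the proxy decrypts them.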
HTTP FORWARD PROXY IAPP IRULE NOT WORKING

How can I get the HTTP Forward Proxy iApp to work effectively? In my environment, I have a requirement to use LTM as a forward proxy to . I have used the HTTP Proxy iApp and edited the DNS to reflect the DNS server in my environment, and I can confirm DNS is working. However, users can't browse with their proxy IP and port configured in their browsers, even though chat messages are landing. Is there any tweak that needs to be done on the iRule or the like to make it work? I will post the iRule generated by the iApp in the comments.
IP forwarding to a pool

How do you configure an F5 to just pass off traffic to the back-end pool of servers without modifying the packets or load balancing the traffic after it has made the initial connection to the back-end server? I am just looking for the F5 to listen for traffic on the VIP, pick the next available server in the pool, and then forward all of the traffic from that session to the one pool member. Almost a simple reverse proxy.
F5 LTM AS A FORWARD PROXY/TMG REPLACEMENT FOR HTTP/HTTPS FOR MOBILE USERS

How can the F5 be used as a forward proxy for mobile users to the Internet? My initial setup included the mobile users sending requests to the F5, which sends requests to Traffic Servers, and the Traffic Servers have another leg which sends requests to the Internet. The Traffic Servers, however, are capping (capacity), and so there is a requirement for the F5 to be used as a forward proxy for mobile users.

Kindly list the steps to follow, e.g.:
1. Create a standard virtual server.
2. Use the iRule HTTP Forward Proxy - v3.2, etc.

Thanks
problem with proxy irule

I'm using this iRule to set up a forward proxy: https://devcentral.f5.com/codeshare/http-forward-proxy-v32

It is operational on other BIG-IPs I administer, but I have encountered a problem now on one of our Virtual Editions, with the iRules being aborted:

01220009 Pending rule /Common/forward_proxy_http_domain_irule aborted for :60019 -> :8080

I had this scenario on my other devices, and the solution there was to upgrade to the latest version. The Virtual Edition is running 11.6.1 today, which has known issues with components in the iRule (table, server_closed and lb_failed). Has anyone tried rewriting the iRule, or shall I just bite the bullet and plan for an upgrade?