SSL inspection (2 topics)

F5 LTM Explicit Forward Proxy with SSL Decryption (and XFF insertion) [Solved]

Hi experts,

I am working on a project where I have to configure the LTM as an Explicit Forward Proxy. I managed to get this working for both HTTP and HTTPS traffic using this article: Configure the F5 BIG-IP as an Explicit Forward Web Proxy Using LTM | DevCentral. Note that, to align with the existing routing topology, the above setup required SNAT so the return traffic can get back to the LTM (currently the routing topology can't be changed).

However, a new requirement has come up to include the X-Forwarded-For header in the outgoing packets from the LTMs (to the Internet) so the firewalls (that happen to be in the path to the Internet) can enforce the necessary policies based on the source IP derived from the XFF IP. Essentially, I now have the requirement of decrypting the traffic on the LTMs (while they are still functioning as an explicit forward proxy), inserting XFF and re-encrypting the traffic before sending it out to the firewall. The firewall, in this case, will also decrypt the traffic, extract the XFF information and use that to enforce security policies on the traffic before sending it out to the Internet. Obviously, decrypting the same traffic twice is overkill, but I guess at this point in time I just want to make sure that this option is available and test it out in my POC.

The issue I am having right now is that, for the life of me, I can't find any document that tells me how to perform this on an explicit forward proxy setup. I can find a lot of information around SSL decryption and XFF insertion on a reverse proxy setup, but I am a bit confused about how to derive the necessary bits from that and apply them to the explicit forward proxy. I tried different things in my lab but failed to get the expected outcome.

Can someone please show me a document or let me know how to do this? Your input is much appreciated.

Thanks

F5 Reverse Proxy with MFA

Hi,

We have a requirement to implement a reverse proxy with multifactor authentication. The current network setup has a cloud WAF which forwards traffic to an on-premise application LB VIP. F5 support guided me to use APM+LTM in the DMZ, which will act as a reverse proxy with MFA. But from the APM data sheets, it looks more like an SSL VPN, so I am concerned whether this solution will work with SSL inspection on the cloud WAF.

Traffic flow: External user (HTTPS) >> Cloud WAF (SSL inspection, NAT) >> F5 APM + LTM (Reverse proxy + MFA + SSL offloading) >> Internal LB >> HTTP app servers

Can anyone please guide me on this requirement.
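The following tmsh configuration is an added example for the first topic above (explicit forward proxy with decryption and XFF insertion); it is not from the original posts, not an F5-published answer, and has not been validated against a specific TMOS release. It assumes the explicit proxy, DNS resolver (`proxy-dns`) and tunnel (`http-tunnel`) from the cited DevCentral article already exist, that a CA certificate and key (`proxy-ca.crt` / `proxy-ca.key`) trusted by the clients have been imported for the SSL forward proxy to re-sign server certificates, and that the listener address `10.0.0.10:3128`, the VLAN `internal` and all object names are placeholders. The idea is that HTTPS CONNECT tunnels are handed to a second, wildcard virtual server on the tunnel VLAN; that is where the client-ssl/server-ssl profiles with `ssl-forward-proxy enabled` decrypt and re-encrypt, and where an iRule can see the clear-text request to insert the header.

```tmsh
# Explicit proxy listener (plain HTTP is proxied here; CONNECT is tunnelled)
ltm profile http explicit-proxy-http {
    defaults-from http-explicit
    proxy-type explicit
    explicit-proxy {
        default-connect-handling allow
        dns-resolver proxy-dns        # assumed: created per the DevCentral article
        tunnel-name http-tunnel       # assumed: default tcp-forward tunnel
    }
}

# Client side: re-sign the origin's certificate with the proxy CA the clients trust
ltm profile client-ssl fwdproxy-clientssl {
    defaults-from clientssl
    ssl-forward-proxy enabled
    ssl-forward-proxy-bypass disabled
    proxy-ca-cert proxy-ca.crt        # assumed: imported CA certificate
    proxy-ca-key proxy-ca.key         # assumed: imported CA private key
}

# Server side: re-encrypt towards the firewall / Internet
ltm profile server-ssl fwdproxy-serverssl {
    defaults-from serverssl
    ssl-forward-proxy enabled
    ssl-forward-proxy-bypass disabled
}

# Insert XFF on the decrypted request. Any client-supplied XFF is removed first so the
# firewall only ever sees an address this proxy vouches for.
ltm rule xff-insert {
when HTTP_REQUEST {
    # CONNECT is consumed by the proxy itself; the tunnelled request is handled
    # again, after decryption, on the tunnel virtual server below.
    if { [HTTP::method] eq "CONNECT" } { return }
    HTTP::header remove X-Forwarded-For
    HTTP::header insert X-Forwarded-For [IP::client_addr]
}
}

# 1) Explicit proxy virtual server, reached by clients on the internal VLAN
ltm virtual explicit-proxy-vs {
    destination 10.0.0.10:3128
    ip-protocol tcp
    profiles {
        tcp { }
        explicit-proxy-http { }
    }
    rules { xff-insert }
    source-address-translation { type automap }   # SNAT required by the routing topology
    vlans { internal }
    vlans-enabled
}

# 2) Wildcard HTTPS virtual server on the tunnel VLAN: decrypt, insert XFF, re-encrypt
ltm virtual tunnel-https-vs {
    destination 0.0.0.0:443
    mask any
    ip-protocol tcp
    translate-address disabled        # keep the real origin address chosen by the proxy
    profiles {
        tcp { }
        http { }
        fwdproxy-clientssl { context clientside }
        fwdproxy-serverssl { context serverside }
    }
    rules { xff-insert }
    source-address-translation { type automap }
    vlans { http-tunnel }
    vlans-enabled
}
```

Two checks worth making in the POC. First, because SNAT hides the client address, the downstream firewall must accept X-Forwarded-For only from the LTM's SNAT addresses and treat it as untrusted from any other source, otherwise a client can spoof its identity simply by sending the header. Second, if the firewall re-signs server certificates on its own egress inspection, the LTM's server-ssl profile will be presented with the firewall's certificate; the default server-ssl profile does not verify the peer, so this works, but if peer verification is enabled the firewall's CA has to be trusted by the LTM.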