Forum Discussion

Marvin_129795
Sep 02, 2016

Forward explicit SSL proxy server

Dear all,

Trying to figure out why HTTPS traffic is not passing the forward proxy. I followed the following article, configured the HTTP and SSL profiles and the two virtual servers accepting HTTP and HTTPS traffic. The only thing that we don't use is the APM part.

Result is that when using the explicit IP address configured in the HTTP virtual server on the local browser client, it works just fine when accessing HTTP websites. When I try to access a website with HTTPS using the explicit IP address configured in my browser, I can see an HTTP CONNECT and the virtual server replies with service unavailable, HTTP 503. This happens with all HTTPS sites. If I change the proxy setting in the browser to HTTPS (port 443), the request is simply reset.

https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-secure-web-gateway-implementations-12-0-0/7.html

Does anyone have experience in deploying BIG-IP LTM as an explicit forward proxy using HTTP and clientSSL profiles only, without the use of iRules?

20 Replies

  • AP

    Hi Kevin,

    What's the trick to forwarding the HTTP traffic out the back of the Explicit VIP? The SSL traffic traverses the tcp-forward tunnel to the wildcard VS where it can be managed. How would I forward everything else (in particular, HTTP) where I want (e.g. to another VS or gateway pool)?

    I've tried using the HTTP_PROXY_REQUEST event and proxy disable to send it various places. I can successfully send it to another VS; however, what I really want to do is send it through a security device. The SSL Intercept iApp 1.0 does this for HTTPS via an ingress pool, however I can't get this working for HTTP.

    Without a fancy iRule solution, I guess creating routes is the only way to get it where I want.

    Any tips?

    • Marvin

      Kevin, I have a very specific issue: an internal client is trying to access an external web service using the explicit forward proxy with a SOAPui client and it works just fine. Also using a web browser it works great. However, when they try to communicate using an IBM AIX MQ server they are unable to connect to the external HTTPS web service.

      What I have seen in the packet capture is that the client does not send SNI information and the server does not respond with a server hello. The level of encryption and cipher support is not a problem using TLS1.2. Almost sure that SNI support is the problem, so how am I able to inject the SNI information using the forward proxy? How to deal with this issue when there are similar problems with different external web services? To be able to alter this behavior I guess the SSL forward proxy license is required, correct?

      Looking forward to your fast response. Thanks!


  • There are at least three ways to get HTTP traffic to go through your inspection devices.

    1. Use the new SSL Intercept 1.5 iApp, which supports this use case and much more.

    2. If you're doing this across two boxes, set the internal box's default route to the internal self-IP of the second box. Or if on a single box, create a route domain that separates a "dmv internal" VLAN from a "dmv external" VLAN, and then make the box's default route the dmv external VLAN self-IP. So you'd have a client side VLAN, Internet side VLAN, and two internal VLANs through which your decrypted traffic would flow from ingress to egress.

    3. Use an iRule to force traffic through the inspection zone. In the iRule attached to the http-explicit VIP, the HTTP_REQUEST event will only fire for HTTP traffic. HTTPS traffic is sent directly to the wildcard TCP VIP. The only caveat to this is that by the time the HTTP_REQUEST event fires, the outgoing traffic hasn't been IP translated yet. In other words, the source address and port are still the http-explicit VIP's address and port. Here's what the iRule might look like:

      when RULE_INIT {
          # User-Defined: optional internal DNS cache lifetime (in seconds)
          set static::DNSCACHE_TIME 20

          # User-Defined: path for the decrypted traffic. This can be a wildcard VIP on the other side of a route domain and VLAN for inline layer 2 devices, or the inbound IP address of an inline layer 3 device. In any case it's defined as a pool so that you can effectively load balance across multiple security devices
          set static::L2_SERVICE_POOL "my_service_pool"
      }
      when CLIENT_ACCEPTED {
          # Check for service availability. If services are down, bypass SSL inspection and just exit.
          # The default path for HTTP explicit traffic, via http-explicit, is the system default route. If the inline security devices are available, you're going to trigger commands in the HTTP_REQUEST event. Otherwise let the traffic follow its native path to the system default gateway
          if { [active_members $static::L2_SERVICE_POOL] > 0 } {
              # At least one security service is available
              set PROXY_ON 1
          } else {
              # No security services are available - exit via system default route without inspection
              set PROXY_ON 0
              # Enable outbound SNAT from here (as required)
              snat automap
          }
      }
      when HTTP_REQUEST {
          # This event is only triggered for HTTP requests.
          # HTTPS (CONNECT) requests are sent to the ingress TCP VIP by default
          if { $PROXY_ON } {
              # Pick an active service pool member. We're routing here. Normally you'd just turn off address translation in the VIP, but since you actually need this enabled for HTTPS traffic, you're going to use a combination of 'node' and 'nexthop' to effectively create a routed path. First pick an inline security service pool member.
              pool $static::L2_SERVICE_POOL
              set next_service [lindex [LB::select] 3]

              # The incoming destination address is local, so resolve the host and re-inject the true
              # destination address via the node command, and account for non-standard ports.
              # proto is only a flag that LB_SELECTED below tests for; it is never set for CONNECT traffic
              set proto 1
              catch {
                  if { [HTTP::host] contains ":" } {
                      set host [lindex [split [HTTP::host] ":"] 0]
                      set port [lindex [split [HTTP::host] ":"] 1]
                  } else {
                      set host [HTTP::host]
                      set port 80
                  }

                  # Optionally create a local table to cache DNS responses so that you're not always doing two DNS queries per request.
                  # Only resolve when the cache misses; an unconditional RESOLV::lookup before this check would defeat the cache.
                  if { [table lookup -subtable DNSCACHE ${host}] ne "" } {
                      set this_host [table lookup -subtable DNSCACHE ${host}]
                  } else {
                      set this_host [lindex [RESOLV::lookup -a ${host}] 0]
                      table set -subtable DNSCACHE ${host} ${this_host} $static::DNSCACHE_TIME
                  }

                  # Then set the traffic path in the direction of the resolved node
                  node ${this_host} ${port}
              }
          }
      }
      when LB_SELECTED {
          # Only do this for HTTP traffic. The true destination address was re-inserted via the node
          # command above, so set the nexthop route to the target VLAN self-IP. So if this is HTTP traffic and the inline security services are available, you're going to instruct the outgoing traffic to go through the selected inline security service, thus forcing a routed path
          if { [info exists proto] } {
              LB::reselect nexthop ${next_service}
          }
      }
      
  • Marvin

    Dear all, use my config but only change the virtual server port from 443 to all, and then it works fine. Problem solved!

  • Hi Andrew, I configured the same thing as you did. I can open HTTP and HTTPS web (YouTube); the problem is when opening Facebook or downloading a large file via browser. It seems like only 1 connection is opened, and it is very slow to download or load the Facebook web. Did you face this problem before?

    I run VE, with 8GB RAM and a 4-core CPU. I don't think it's a throughput issue.

    Thanks in advance.

  • Hi all,

    I'm having exactly the same problem: HTTP works and HTTPS does not work, with a 503 Service Unavailable. The only difference is that I made the implementation through an SWG iApp. Any ideas?
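    A small diagnostic, added here as an example and not code from this thread or from F5: it sends the same CONNECT a browser sends through an explicit proxy and reports the proxy's status line, so the 503 described in this thread can be told apart from an established tunnel or from a connection the proxy simply closes. The proxy on 127.0.0.1 is a constructed stand-in so the script runs offline, www.example.com is a placeholder target, and the interpretation of a 503 follows Marvin's fix above of setting the wildcard virtual server's port to all.

```python
import socket
import threading

CRLF = "\r\n"


def build_connect_request(target_host: str, target_port: int = 443) -> bytes:
    """Build the HTTP CONNECT request a browser sends to an explicit proxy for an HTTPS site."""
    authority = f"{target_host}:{target_port}"
    return (
        f"CONNECT {authority} HTTP/1.1{CRLF}"
        f"Host: {authority}{CRLF}"
        f"Proxy-Connection: keep-alive{CRLF}"
        f"{CRLF}"
    ).encode("ascii")


def parse_status_line(raw: bytes) -> tuple:
    """Return (status_code, reason_phrase) from the first line of a proxy response."""
    head = raw.split(b"\r\n", 1)[0].decode("iso-8859-1", "replace")
    parts = head.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {head!r}")
    reason = parts[2] if len(parts) == 3 else ""
    return int(parts[1]), reason


def probe_connect(proxy_host, proxy_port, target_host, target_port=443, timeout=5.0):
    """Send one CONNECT through the explicit proxy and return its (status, reason)."""
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as sock:
        sock.sendall(build_connect_request(target_host, target_port))
        buf = b""
        while b"\r\n\r\n" not in buf:
            chunk = sock.recv(4096)
            if not chunk:          # proxy closed without answering: the "reset" symptom
                break
            buf += chunk
    if not buf:
        raise ConnectionError("proxy closed the connection without a response")
    return parse_status_line(buf)


def interpret(status_code: int) -> str:
    """Map the proxy's answer to the symptoms discussed in the thread."""
    if status_code == 200:
        return "tunnel established: the CONNECT reached the wildcard TCP listener"
    if status_code == 503:
        return ("503: the explicit VIP found no listener for the CONNECT target "
                "(check the tcp-forward tunnel and that the wildcard virtual server "
                "listens on all ports, not only 443)")
    return f"unexpected proxy status {status_code}"


def start_fake_proxy(status_line: str) -> int:
    """Constructed stand-in for an explicit proxy on 127.0.0.1 that answers one CONNECT
    with the given status line; returns the ephemeral port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            req = b""
            while b"\r\n\r\n" not in req:       # read the whole CONNECT header block
                chunk = conn.recv(4096)
                if not chunk:
                    break
                req += chunk
            conn.sendall(f"{status_line}{CRLF}Content-Length: 0{CRLF}{CRLF}".encode("ascii"))
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    # Offline demonstration against the constructed stand-in; point probe_connect at the
    # real explicit VIP address and port to test an actual deployment.
    port = start_fake_proxy("HTTP/1.1 503 Service Unavailable")
    code, reason = probe_connect("127.0.0.1", port, "www.example.com")
    print(code, reason, "->", interpret(code))
```

    Running probe_connect against the HTTP explicit virtual server reproduces the browser's CONNECT without the browser, which makes it easy to confirm whether a configuration change on the wildcard virtual server actually fixed the 503.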