Configure the F5 BIG-IP as an Explicit Forward Web Proxy Using LTM

In a previous article, I provided a guide on using F5's Access Policy Manager (APM) and Secure Web Gateway (SWG) to provide forward web proxy services. While that guide was for organizations that are looking to provide secure internet access for their internal users, URL filtering as well as securing against both inbound and outbound malware, this guide will use only F5's Local Traffic Manager to allow internal clients external internet access.

This week I was working with F5's very talented professional services team and we were presented with a requirement to allow workstation agents internet access to known secure sites to provide logs and analytics. Of course, this capability can be used to meet a number of other use cases, this was a real-world use case I wanted to share. So with that, let's get to it!

Creating a DNS Resolver

  • Navigate to Network > DNS Resolvers > click Create
  • Name: DemoDNSResolver
  • Leave all other settings at their defaults and click Finished

  • Click the newly created DNS resolver object

  • Click Forward Zones

  • Click Add

In this use case, we will be forwarding all requests to this DNS resolver.

  • Name: .
  • Address: 8.8.8.8

Note: Please use the correct DNS server for your use case.

  • Service Port: 53
  • Click Add and Finished

Creating a Network Tunnel

  • Navigate to Network > Tunnels > Tunnel List > click Create
  • Name: DemoTunnel
  • Profile: tcp-forward
  • Leave all other settings default and click Finished

Create an http Profile

  • Navigate to Local Traffic > Profiles > Services > HTTP > click Create
  • Name: DemoExplicitHTTP
  • Proxy Mode: Explicit
  • Parent Profile: http-explict

  • Scroll until you reach Explicit Proxy settings.
  • DNS Resolver: DemoDNSResolver
  • Tunnel Name: DemoTunnel

  • Leave all other settings default and click Finish

Create an Explicit Proxy Virtual Server

  • Navigate to Local Traffic > Virtual Servers > click Create
  • Name: explicit_proxy_vs
  • Type: Standard
  • Destination Address/Mask: 10.1.20.254

Note: This must be an IP address the internal clients can reach.

  • Service Port: 8080
  • Protocol: TCP

Note: This use case was for TCP traffic directed at known hosts on the internet. If you require other protocols or all, select the correct option for your use case from the drop-down menu.

  • Protocol Profile (Client): f5-tcp-progressive
  • Protocol Profile (Server): f5-tcp-wan
  • HTTP Profile: DemoExplicitHTTP

  • VLAN and Tunnel Traffic Enabled on: Internal
  • Source Address Translation: Auto Map

  • Leave all other settings at their defaults and click Finish.

Create a Fast L4 Profile

  • Navigate to Local Traffic > Profiles: Protocol: Fast L4 > click Create
  • Name: demo_fastl4
  • Parent Profile: fastL4

  • Enable Loose Initiation and Loose Close as shown in the screenshot below.

  • Click Finished

Create a Wild Card Virtual Server

In order to catch and forward all traffic to the BIG-IP's default gateway, we will create a virtual server to accept traffic from our explicit proxy virtual server created in the previous steps.

  • Navigate to Local Traffic > Virtual Servers > Virtual Server List > click Create
  • Name: wildcard_VS
  • Type: Forwarding (IP)
  • Source Address: 0.0.0.0/0
  • Destination Address: 0.0.0.0/0
  • Protocol: *All Protocols
  • Service Port: 0 *All Ports

  • Protocol Profile: demo_fastl4
  • VLAN and Tunnel Traffic: Enabled on...DemoTunnel
  • Source Address Translation: Auto Map

  • Leave all other settings at their defaults and click Finished.

Testing and Validation

  • Navigate to a workstation on your internal network.
  • Launch Internet Explorer or the browser of your preference.
  • Modify the proxy settings to reflect the explicit_proxy_VS created in previous steps.

  • Attempt to access several sites and validate you are able to reach them.

  • Whether successful or unsuccessful, navigate to Local Traffic > Virtual Servers > Virtual Server List > click the Statistics tab.
  • Validate traffic is hitting both of the virtual servers created above.

  • If it is not, for troubleshooting purposes only configure to the virtual servers to accept traffic on All VLANs and Tunnels as well as useful tools such as curl and tcpdump.

You have now successfully configured your F5 BIG-IP to act as an explicit forward web proxy using LTM only. As stated above, this use case is not meant to fulfill all forward proxy use cases. If URL filtering and malware protection are required, APM and SWG integration should be considered. Until next time!

Updated Dec 08, 2022
Version 2.0

Was this article helpful?

34 Comments