Forum Discussion

Marvin_129795's avatar
Marvin_129795
Icon for Nimbostratus rankNimbostratus
Sep 24, 2015

SSL forward proxy integration with FireEye to inspect HTTPS

We are trying to integrate F5 with FireEye to be able to inspect HTTPS traffic with the FireEye NX solution.

 

We started off by creating a simple SSL forward proxy setup to verify the SSL proxy functionality as follows. We used the IAPP f5.airgap_egress.v1.0.0rc4 and modified some details, like we created a separate virtual server for 443 for testing purposes.

 

 

Considerations Some applications do not work when SSL interception is enabled like Skype. It is needed to have a full list of host names, IP destination of traffic that cannot be decrypted and has to be excluded. SSL forward proxy only works if clients default gateway is self IP of F5. If external gateway is used all traffic is not being intercepted or matched by the virtual servers. SNAT has to be enabled otherwise connections are not being established. Downside is that FireEye is unable to see the original source IP address. Perhaps HTTP header X-forwarded-for will solve this.

 

SSL forward proxy with route domains Lab setup After setting up the basic SSL forward proxy we continued creating to route domains. Created to routes one from route domain 0 to route domain 1 and one from route domain 1 to the external router. For your information we used only 1 Big IP device.

 

 

 

Considerations All traffic works fine UDP, HTTP, but HTTPS always results in an SSL error message, because there are two SSL client sessions.

 

 

To be able to decrypt the traffic and forwarding it unencrypted from route domain 0 to route domain 1 we have to disable SSL on the server side on virtual server wildcard 443 in route domain 0 and we have to disable client side ssl on the SSL wildcard virtual server located in route domain 1 so it will accept connections unencrypted. The following Irule is being used to simply disable SSL traffic on the server side communicating towards route domain 1.

 

 

On the SSL wildcard virtual server in route domain 1 we disable Client ssl profile and enable server SSL to re-encrypt the connection.

 

 

Now when we try to open a SSL website like gmail.com we receive the following error. It happens with every SSL website w

 

In Wireshark we observer that the handshake is failing to the Gmail website, but the client proxy SSL connection is successfully setup with TLS 1.2. The TLS session towards google is TLSv1, so perhaps that’s the problem here.

 

 

Does anyone has some recomendations why this is happening?

 

application delivery
clientside encryption
forward proxy
LTM
ssl

2 Replies

Sort By
  • Marvin's avatar
    Marvin
    Icon for Cirrocumulus rankCirrocumulus
    Oct 12, 2015

    Update on the original test;

     

    Considerations Some applications do not work when SSL interception is enabled like Skype. It is needed to have a full list of host names, IP destination of traffic that cannot be decrypted and has to be excluded. SSL forward proxy only works if clients default gateway is self IP of F5. If external gateway is used all traffic is not being intercepted or matched by the virtual servers. SNAT has to be enabled otherwise connections are not being established. Downside is that FireEye is unable to see the original source IP address. Perhaps HTTP header X-forwarded-for will solve this.

     

    It is not needed to configure the F5 as the gateway when we have a Vlan group configured as a tranparent layer 2 setup. Also it is not needed to translate the original IP.