Forum Discussion

Piotr_Lewandows's avatar
Piotr_Lewandows
Icon for Altostratus rankAltostratus
May 11, 2016

Forward proxy, proxy chaining and APM issue

Hi,

 

I am really desperate, everything I tried failed and I don't know if it's because of my mistake, setup is not possible or there is some bug.

 

Goal:

 

  • BIG-IP working as explicit proxy for internal clients
  • Users logged into domain should be transparently authenticated using NTLM (prefered) or Kerberos
  • All request should be passed to upstream proxy

Everything is working OK until there is 302 to internal APM resources - like when authentication fails or some other conditions prevents user accessing given URL.

 

Scenario used:

 

  • Standard VS with reverse http profile
  • APM profile with SWG-Explicit type

Result when APM sends 302 with Location pointing to vdesk... URI:

 

  • Client sends request with proxy kind URI, like GET
  • For NTLM I can see proper NTLM handshake (at least for me looking like proper - similar to when there is initial NTLM handshake to authenticate user)
  • When NTLM handshake is finished instead of OK 200 I am getting again 302 to the same location
  • It repeats indefinitely until exceeding browser redirection limit

In case of Kerberos there is no reauthentication for redirection request but still loop is there.

 

Is there any way (via iRule?) to avoid this loop? Any other approach that can be used to achieve my goal?

 

I will really appreciate any help to solve this issue.

 

My Access Profile is working OK to authenticate users both for NTLM and Kerberos - so scenario is working for users allowed to access given URL - authentication is performed, request are passed to upstream proxy, users are getting web sites in the browser... but everything breaks when there is redirection to internal APM pages.

 

Piotr