willerman
Mar 13, 2017

Explicit forward proxy for HTTP(S), FTP(S), SFTP and SOCKS

Hi folks, I wanna set up a BIG-IP as a simple explicit forwarding proxy for several services:

 

  • HTTP(S)
  • FTP(S)
  • SFTP
  • SOCKS

There is no need for caching, URL filtering or authentication; just IP Intelligence should be used. So to my understanding LTM and an IPI license are sufficient. Moreover, the encrypted protocols (HTTPS, SFTP, FTPS) shouldn't be intercepted.

 

I have read a few implementation guides for SWG which gave me an idea what to do:

 

First of all I think I need 4 virtual servers to use as forward proxy servers (they act as listeners for the client proxy connections):

 

  • VS_Forward_8080 (for receiving and forwarding the client HTTP(S) requests)
  • VS_Forward_2121 (for receiving and forwarding the client FTP(S) requests)
  • VS_Forward_22 (for receiving and forwarding the client SFTP requests)
  • VS_Forward_1080 (for receiving and forwarding the client SOCKS requests)

Moreover 4 tunnels are needed:

 

  • tunnel_http
  • tunnel_ftp
  • tunnel_sftp
  • tunnel_socks

And last but not least I need six virtual servers that finally handle the client requests (name resolution, IPI check via iRule, SNAT and routing to the Internet):

 

  • VS_HTTP_80
  • VS_HTTPS_443
  • VS_FTP_21
  • VS_FTPS_990
  • VS_SFTP_22
  • VS_SOCKS_1080

The tunnels link the forwarding proxy servers.

 

A high-level overview looks like this:

 

My questions regarding that scenario:

 

  • Does it work in principle?
  • Is there a better/easier way to achieve what I want?
  • Is it possible to avoid interception of the encrypted connections? If yes, how is name resolution possible for the destination hosts?
  • Shall Fast L4 or Standard VS be used?

Many thanks for your ideas and comments!