SSL Orchestrator and SWG combined
Hi, I wonder if it is at all possible to setup both SWG and SSL Orchestrator as combined solution using one BIG-IP (or two BIG-IP) setup? Idea is to be able to use SWG features for user authentication, URL filtering etc. and SSL Orchestrator for Service chaining to provide added security for users accessing Internet. From what I tested deploying SSL Orchestrator (module on BIG-IP VE, not Herculon appliance) in Explicit proxy SSL Orchestrator is deployed as kind of iApp (but not visible via iApps -> Application Service) with Strict Updates enabled - so no way to modify VS created by wizard. Additionally it seems that there is no way to disable Strict Updates for SSL Orchestrator so impossible to add APM policies to VS set as Explicit proxy. So not possible to combine those functionalities? Or maybe kind of proxy chaining from SWG Explicit proxy to SSL Orchestrator Explicit proxy VS? Or iRule on SWG Explicit Proxy VS with VIP targeting VIP? I am curious (if combining is possible) what are real life best practices and experiences how this setup works. Piotr430Views0likes2CommentsAPM - change CONNECT to GET to trigger per request policy
Hi, I wonder if this is at all possible to trick APM when CONNECT type of request is received to trigger Per Request Policy (PRP). According to my test on v13.0.0HF2 no matter what I will do when VS with Access Policy and PRP policy is receiving CONNECT request PRP is not triggered at all - probably by design, but maybe it's a bug? I would like to be able to use PRP objects to perform URL Filtering (based on target host FQDN) for CONNECT requests. I think - but it's just theory - that if I would be able to use iRule to change CONNECT HTTP/1.1 to GET http://www.host.com HTTP/1.1 then PRP would launch and do URL filtering stuff. Unfortunately my skills in iRule programing is rather limited so I will appreciate any help here. I suspect that maybe there is a way to use when CLIENT_CONNECTED and when CLIENT_DATA to detect CONNECT request, store is in table, change to GET and trick AMP to process it via PRP. Would it be possible? It's as well heavily related to be able to pass CONNECT request to another proxy after validating if host reported in CONNECT is allowed by PRP. Piotr254Views0likes0CommentsSSL Orchestrator and SWG combined
Hi, I wonder if it is at all possible to setup both SWG and SSL Orchestrator as combined solution using one BIG-IP (or two BIG-IP) setup? Idea is to be able to use SWG features for user authentication, URL filtering etc. and SSL Orchestrator for Service chaining to provide added security for users accessing Internet. From what I tested deploying SSL Orchestrator (module on BIG-IP VE, not Herculon appliance) in Explicit proxy SSL Orchestrator is deployed as kind of iApp (but not visible via iApps -> Application Service) with Strict Updates enabled - so no way to modify VS created by wizard. Additionally it seems that there is no way to disable Strict Updates for SSL Orchestrator so impossible to add APM policies to VS set as Explicit proxy. So not possible to combine those functionalities? Or maybe kind of proxy chaining from SWG Explicit proxy to SSL Orchestrator Explicit proxy VS? Or iRule on SWG Explicit Proxy VS with VIP targeting VIP? I am curious (if combining is possible) what are real life best practices and experiences how this setup works. Piotr257Views0likes0Comments