Enabling Explicit Forward Proxy

Exercise 8.2 – Enabling Explicit Forward Proxy

 Required virtual images: BIGIP_SWG_v11.5.1, LAMP_3.4.

 Estimated completion time: 40 minutes

TASK 1 – Configure a DNS Resolver

Configure a DNS resolver that will be used in the explicit HTTP profile.

Access and log in to BIGIP_SWG_v11.5.1.

Open the Network > DNS Resolvers > DNS Resolvers List page, and then click Create.

In the Name field, type proxy_dns_resolver, and then click Finished.

Click proxy_dns_resolver, and then open the Forward Zones page.

Click Add, and then create a forward zone using the following information, and then click Finished.

Name .

Nameservers Address: 4.2.2.2

Service Port: 53 (Click Add)

TASK 2 – Configure a TCP Forward Tunnel

Configure a TCP forward tunnel that will be used in the explicit HTTP profile.

Open the Network > Tunnels > Tunnel List page, and then click Create.

Create a TCP tunnel using the following information, and then click Finished.

Name proxy_tcp_tunnel

Encapsulation Type tcp-forward

TASK 3 – Configure an Explicit HTTP Profile

Configure an explicit HTTP profile for the forward proxy virtual server.

Open the Local Traffic > Profiles > Services > HTTP page, and then click Create.

Create an HTTP profile using the following information, and then click Finished.

Name explicit_http_profile

TASK 4 – Configure an Explicit HTTP Forward Proxy Virtual Server

Configure a virtual server to support explicit HTTP forward proxy.

Create a virtual server using the following information, and then click Finished.

Name explicit_http_virtual

Destination Address: 10.128.20.222

Service Port 3128

HTTP Profile explicit_http_profile

Source Address Translation Auto Map

TASK 5 – Edit the Settings of the LAMP Image

The LAMP_3.4 image requires manual network configuration changes.

In the VMware library, select the LAMP_3.4 image.

Within the VMware library window (and within the LAMP_3.4 desktop) click Login.

Open Firefox, and then go to Edit > Preferences.

Click Advanced, then click the Network tab, and then in the Connections section, click Settings.

Select the Manual proxy configuration option.

In the HTTP Proxy field, type 10.128.20.222.

In the Port field, type 3128.

Select the Use this proxy for all protocols checkbox, then click OK, and then click Close.

 Use Firefox to access http://www.wikipedia.org, and then click English.

You can access Internet Web sites using HTTP.

 Edit the URL to https://www.google.com.

You are unable to access Internet Web sites using HTTPS.

TASK 6 – Import CA Certificate and Key

Import the clientCA.crt certificate and clientCA.key key.

In the VMware library, power on the BIGIP_SWG_v11.5.1 and LAMP_3.4 images.

Access and log in to BIGIP_SWG_v11.5.1.

Open the System > File Management > SSL Certificate List page, and then click Import.

From the Import Type list box, select Certificate.

In the Certificate Name field, type swg_CA.

Click the Browse button.

Navigate to the Exercise_Files folder, select the clientCA.crt file, and then click Open.

Click Import.

Click the Import button again.

From the Import Type list box, select Key.

In the Key Name box, type swg_CA.

Click the Browse button.

Select the clientCA.key file, and then click Open.

Click Import.

TASK 7 – Create a Client and a Server SSL Profile

Create a new client SSL profile using the clientCA certificate and key.

Open the Local Traffic > Profiles > SSL > Client page, and then click Create.

Create a client SSL profile using the following information, and then click Finished.

Name proxy_client_ssl

Open the Local Traffic > Profiles > SSL > Server page, and then click Create.

Create a server SSL profile using the following information, and then click Finished.

Name proxy_server_ssl

TASK 8 – Configure an Explicit HTTPS Forward Proxy Virtual Server

Configure a virtual server to support explicit HTTPS forward proxy.

Create a virtual server using the following information, and then click Finished.

Name explicit_https_virtual

SSL Profile (Client) proxy_client_ssl

SSL Profile (Server) proxy_server_ssl

VLAN and Tunnel Traffic Enabled on VLANs and Tunnels proxy_tcp_tunnel

Source Address Translation Auto Map

TASK 9 – Edit the Settings of the LAMP Image

The LAMP_3.4 image requires manual network configuration changes.

Open the Exercise_Files folder from your local workstation.

Right-click clientCA.crt, and then select Copy.

In the VMware library, on the LAMP_3.4 desktop, right-click and select Paste.

Open Firefox, and then go to Edit > Preferences.

Click Advanced, then click the Encryption tab, and then in the Certificates section, click View Certificates.

Click the Authorities tab, and then click Import.

From the navigation menu, select Desktop, then click clientCA.crt, and then click Open.

Select the Trust this CA to identify websites checkbox, and then click OK.

Scroll down in the certificate list box to F5 Networks, then select bigipSWG.f5demo.com, and then click View.

This certificate has been verified as an SSL client certificate, an SSL server certificate, an SSL certificate authority, and a status responder certificate.

Click Close, then click OK, and then click Close.

 Use Firefox to access https://www.google.com.

 Click the certificate icon on the left-side of the URL.

The website identity was verified by F5 Networks.

Click More Information, and then click View Certificate.

The Issued To information references the website, in this case Google Inc. The Issued By information references our CA certificate, issued by F5 Networks.

 Close the certificate windows.

 Edit the URL to https://www.bankofamerica.com.

You can now access both HTTP and HTTPS Web sites through the BIG-IP system.

 Close Firefox.

TASK 10 – Configure a BIG-IP APM Local User Database

Configure a local BIG-IP system database to authenticate proxy users.

Open the Access Policy > Local User DB > Manage Instances page, and then click Create New Instance.

Name the new instance proxy_users, and then click OK.

Open the Access Policy > Local User DB > Manage Users page, and then click Create New User.

Create a user using the following information, and then click OK.

User Name your first name

Password and Confirm Password your last name in all lowercase

Instance /Common/proxy_users

TASK 11 – Use Authentication for Explicit Forward Proxy Traffic

Configure an access policy using the HTTP 407 Response item and the local BIG-IP system database to authenticate proxy users.

Open the Access Policy > Access Profiles > Access Profile List page, and then click Create.

Create an access policy using the following information, and then click Finished.

Name explicit_policy

Profile Type SWG-Explicit

Languages English (en)

On the Access Profiles List page, in the explicit_policy row, click the Edit link to open the Visual Policy Editor.

Click the + icon between Start and Deny to add a new item.

On the Logon tab, select the HTTP 407 Response option, and then click Add Item.

From the HTTP Auth Level list box select basic, and then click Save.

 Add a new item in the following location:

Click the Authentication tab, then select the LocalDB Auth option, and then click Add Item.

→NOTE: You can use any of the BIG-IP APM authentication methods.

From the LocalDB Instance list box, select /Common/proxy_users.

From the Max Logon Attempts Allowed list box, select 1, and then click Save.

Change the LocalDB Auth Successful branch ending to Allow.

Click Apply Access Policy, and then close the Visual Policy Editor.

In the Configuration Utility, open the Virtual Server List page, and then click explicit_http_virtual.

In the Access Policy section, from the Access Profile list box, select explicit_policy, and then click Update.

Open the Virtual Server List page, and then click explicit_https_virtual.

In the Access Policy section, from the Access Profile list box, select explicit_policy, and then click Update.

In the VMware library, on the LAMP_3.4 desktop, use Firefox to access http://www.wikipedia.org.

 Enter your login credentials (your first and last name).

→NOTE: Do not select to remember your password.

 Edit the URL to https://www.f5.com.

Your credentials are saved within your session.

 Close Firefox.

In the Configuration Utility, open the Access Policy > Manage Sessions page, and then select and kill any active sessions.

 Create an archive file named bc_8.2_swg_explicit_proxy_v11.5.1.
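
The HTTP 407 Response item with the basic auth level from Task 11 results in a challenge-and-retry exchange between the browser and the proxy, modelled here with both sides' messages. This is an added example, not part of the original exercise and not F5 code; the account alice/smith, the realm string, and all function names are constructed for illustration, and proxy_respond is a stand-in for the proxy, not BIG-IP APM logic.

```python
import base64
import hmac

# Constructed sample account; the lab keeps its users in the LocalDB instance proxy_users.
USERS = {"alice": "smith"}

def decode_basic(value):
    """Return (user, password) from a 'Basic <b64>' header value, else None."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        text = base64.b64decode(token, validate=True).decode("utf-8")
    except ValueError:  # bad base64 or bad UTF-8
        return None
    user, sep, password = text.partition(":")
    return (user, password) if sep else None

def proxy_authorization(raw):
    """Extract the Proxy-Authorization header value from a raw request ('' if absent)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "proxy-authorization":
            return value.strip()
    return ""

def proxy_respond(raw, users=USERS):
    """Stand-in proxy: answer 407 until valid Basic credentials arrive."""
    creds = decode_basic(proxy_authorization(raw))
    if creds and creds[0] in users and hmac.compare_digest(
            users[creds[0]].encode(), creds[1].encode()):
        return b"HTTP/1.1 200 Connection established\r\n\r\n"
    return (b"HTTP/1.1 407 Proxy Authentication Required\r\n"
            b'Proxy-Authenticate: Basic realm="proxy"\r\n'
            b"Content-Length: 0\r\n\r\n")

def client_request(target, creds=None):
    """Client side: CONNECT request, optionally carrying Basic credentials."""
    lines = [f"CONNECT {target} HTTP/1.1", f"Host: {target}"]
    if creds:
        token = base64.b64encode(":".join(creds).encode()).decode()
        lines.append(f"Proxy-Authorization: Basic {token}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()

def exchange(target, creds, users=USERS):
    """Unauthenticated attempt, then retry with credentials; return both status codes."""
    replies = [proxy_respond(client_request(target, c), users) for c in (None, creds)]
    return [int(r.split()[1]) for r in replies]
```

Basic credentials are base64-encoded, not encrypted, so on the plain-HTTP hop between the client and the proxy listener on port 3128 they are readable on the wire.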