
SOCKS proxy with authentication

Hello,

I have a request to set up F5 as a SOCKS proxy server with user authentication. While I have been successful in configuring a VS which will serve SOCKS requests, I am struggling to find a way to enforce basic client authentication on the SOCKS level against an LDAP server. We are running the LTM and APM modules, but I am not convinced that APM can do the work for me for non-HTTP traffic. Can you please point me in the right direction?

Many thanks, JB

Comments on this Question
Comment made 1 month ago by spalan 309

Hi Brabik,

Did you find a solution for it?

Comment made 1 month ago by Brabik 1

Hi spalan,

We got a working solution for SOCKS authentication from F5 Professional Services. This solution is built on iRules. As I am not the owner of the solution, I am not allowed to share it here, so I can only refer you to your F5 support service and/or sales contacts for more details.

Thank you for understanding, Brabik

Comment made 1 month ago by spalan 309

Thanks Brabik, I can totally understand. Can you please share at least the basic configuration for the VS, like DNS resolver, SOCKS profile, pool and virtual server config? Do we have to configure an upstream router or firewall as a pool member for the VIP?

Comment made 1 month ago by spalan 309

Hi JB,

Would be really helpful if you can help with the basic setup. Thank you in advance!!

Comment made 1 month ago by Brabik 1

Hi, our solution is based on two daisy-chained virtual servers. The latter VS contains the standard SOCKS proxy configuration and is configured on a non-default port:

ltm virtual VS_SOCKS_proxy {
    destination 192.168.1.100:1081
    ip-protocol tcp
    mask 255.255.255.255
    partition Common
    profiles {
        /Common/PF_SOCKS { }
        /Common/tcp { }
    }
    rules {
        IR_SOCKS_WHITELIST
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
    vs-index 64
}

  • iRule IR_SOCKS_WHITELIST whitelists only specific destination IPs behind the SOCKS tunnel in order to keep the network secure

The first virtual server, which is in front of the previous one, is the VS enforcing the user authentication utilizing the IR_SOCKS_basic-auth_EMEA iRule, which we obtained from F5 Professional Services:

ltm virtual VS_SOCKS_auth_emea {
    destination 192.168.1.100:1080
    ip-protocol tcp
    mask 255.255.255.255
    partition Common
    profiles {
        /Common/tcp { }
    }
    rules {
        IR_SOCKS_basic-auth_EMEA
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
    vs-index 63
}
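
For readers wondering what an authenticating front stage like the first virtual server has to enforce on the wire, here is an added Python example (not part of the thread and not the F5 Professional Services iRule) of the SOCKS5 method negotiation (RFC 1928) and username/password sub-negotiation (RFC 1929). It assumes the clients speak SOCKS5; the function names and the in-memory credential store standing in for the LDAP check are hypothetical.

```python
import hmac

USER_PASS, NO_ACCEPTABLE = 0x02, 0xFF

# Constructed credentials; a real deployment would do an LDAP bind instead.
DEMO_USERS = {"alice": "correct horse"}

def select_method(greeting: bytes) -> bytes:
    """RFC 1928 greeting is VER=5, NMETHODS, METHODS. Accept only user/pass."""
    if len(greeting) < 3 or greeting[0] != 0x05:
        raise ValueError("not a SOCKS5 greeting")
    if len(greeting) != 2 + greeting[1]:
        raise ValueError("method list length mismatch")
    # A client offering only 0x00 (no authentication) is refused with 0xFF.
    chosen = USER_PASS if USER_PASS in greeting[2:] else NO_ACCEPTABLE
    return bytes([0x05, chosen])

def parse_auth(msg: bytes) -> tuple[str, str]:
    """RFC 1929 request is VER=1, ULEN, UNAME, PLEN, PASSWD."""
    if len(msg) < 2 or msg[0] != 0x01:
        raise ValueError("bad sub-negotiation version")
    ulen = msg[1]
    if ulen == 0 or len(msg) < 2 + ulen + 1:
        raise ValueError("truncated username")
    plen, passwd = msg[2 + ulen], msg[3 + ulen:]
    # Reject empty passwords before they reach a directory: an LDAP simple
    # bind with an empty password is an unauthenticated bind and may succeed.
    if plen == 0 or len(passwd) != plen:
        raise ValueError("bad password length")
    return msg[2:2 + ulen].decode("utf-8"), passwd.decode("utf-8")

def demo_verify(user: str, password: str) -> bool:
    expected = DEMO_USERS.get(user)
    return expected is not None and hmac.compare_digest(
        expected.encode(), password.encode())

def check_auth(msg: bytes, verify=demo_verify) -> bytes:
    """Return the RFC 1929 reply: VER=1, STATUS (0x00 ok, else close)."""
    try:
        ok = verify(*parse_auth(msg))
    except ValueError:  # also covers UnicodeDecodeError
        ok = False
    return bytes([0x01, 0x00 if ok else 0x01])
```

Only after a `0x00` status should the connection be handed to the stage that performs the actual SOCKS proxying; on any other status the server closes the connection.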
Comment made 1 month ago by spalan 309

Thanks a lot JB


Answers to this Question