
Symantec DLP integrated with F5 SWG Explicit Proxy

Hi everyone,

We have an existing F5 SWG explicit proxy for our users' outbound Internet connections. Now they are requesting that we integrate Symantec DLP for outbound Internet traffic using ICAP.

We found a Symantec KB article saying that we can use an iRule and create some virtual servers. However, the settings/configuration of those virtual servers was not discussed. It only indicated that we need to create an internal virtual server and a standard HTTP virtual server.

Is there any available guide for configuring this? Or does someone have a similar implementation/deployment that we could use as a guide?

Thank you for your help.

0

Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER
Comments on this Answer
Comment made 4 months ago by F5_Jeff 336

Hi Kevin,

Thank you for this information. Upon reading the KB, please correct me if I'm wrong. Since the flow of traffic for our implementation is from internal network users going to an external network (the Internet), can we use the existing virtual servers for HTTP traffic (the ones used for the SWG Internet proxy)? Or is a separate standard VS still required?

Thank you again for your help.

0
Comment made 4 months ago by Kevin Stewart

ICAP attaches to an SWG VIP as separate request and response Adapt profiles. Here's the very basic configuration of an LTM ICAP client:

1. Create an ICAP profile

  • Create two if there are separate ICAP service URLs
  • At minimum, enter the ICAP service URL and preview length. Symantec DLP usually requires a 0 (zero) here.

2. Create an ICAP server pool

  • Create a pool that points to the ICAP service (usually on port 1344).

3. Create an ICAP VIP

  • Type: Internal
  • Attach the ICAP profile
  • Attach the ICAP server pool

4. Create a Request Adapt profile

  • Enabled: checked
  • Internal Virtual Server: ICAP VIP
  • Preview Size: enter the ICAP service's preferred preview length value

5. Create a Response Adapt profile

  • Enabled: checked
  • Internal Virtual Server: ICAP VIP
  • Preview Size: enter the ICAP service's preferred preview length value

Now the only thing you need to do is to attach the request and response Adapt profiles to the SWG VIP(s). Note that for HTTPS traffic, you must decrypt before sending to ICAP.

0
Comment made 4 months ago by F5_Jeff 336

Hi Kevin,

Thank you for this step-by-step configuration! This will be a great help, as it is our first time deploying this kind of set-up :)

0
Comment made 2 months ago by F5_Jeff 336

Hi again! We are currently stuck with our testing. The DLP policy does not take effect. (Example: we send a Word document with "blocked" content using Gmail; DLP cannot inspect the content, hence the file is still sent.)

We cannot decrypt the HTTPS traffic when sending to the ICAP server. But for HTTP, the ICAP server can already see the traffic.

How can we decrypt the HTTPS traffic if our SWG policy already has SSL Intercept?

Thank you again!

0
Comment made 2 months ago by Kevin Stewart

F5_Jeff, can I ask you to elaborate on some of your comments?

  • Are you doing SSL decryption?
  • Does it work for HTTP (unencrypted) traffic?
  • Do you see any traffic going to the ICAP server?

0
Comment made 2 months ago by F5_Jeff 336

Hi Kevin,

to answer your questions:

  • Are you doing SSL decryption? Yes, we have a Client SSL profile on our catch VS for 443, but we also have a Server SSL profile. Both profiles use the same certificate and key.
  • Does it work for HTTP (unencrypted) traffic? Yes, we can already see traffic on the ICAP servers when using HTTP only.
  • Do you see any traffic going to the ICAP server?

0
Comment made 2 months ago by Kevin Stewart

Sorry, I'm going to need more clarification.

So does HTTPS traffic pass through (does it work)? An SSL forward proxy config does not require the same cert and key on both SSL profiles.

0
Comment made 2 months ago by F5_Jeff 336

Hi again Kevin,

Sorry for the confusion. We tried a tcpdump and can see that the F5 is sending the POST request to the ICAP server. We can also see the content of the traffic (the message sent during testing) in Wireshark. Is it safe to say that the F5 is already doing the decryption?

Also, what do you mean that a forward proxy config does not require the same cert and key? We can use a different cert and key for the Client SSL and Server SSL sides, but having a cert and key on both sides is still required, right? And it makes no difference whether we use the same cert or a different one.

Thank you for answering all my questions. Thank you for sharing your knowledge. This will be a great help in the future.

0
Comment made 2 months ago by Kevin Stewart

ICAP is an encapsulation protocol, so you'd see something like this:

ICAP request
    ICAP headers
        HTTP GET
            HTTP headers

If you see something like this in the traffic to the ICAP server, and the ICAP server responds correctly, for both inbound HTTP and HTTPS traffic, I'd assume here that the F5 is correctly decrypting the HTTPS traffic.

SSL forward proxy doesn't need a cert and key on the server SSL profile. The primary function of SSL forward proxy is to forge/re-issue a remote server cert to internal clients. This is done with two sets of certs/keys in the client SSL profile:

  • A CA issuer cert and key - this is the local CA certificate/key used to re-issue the remote server certs to the internal clients.
  • A "template" cert/key - this is the value in the "Certificate Key Chain" entry, and defines the template cert/key for the forged server certs.

These certs/keys in the client SSL profile, and the respective SSL forward proxy settings in both SSL profiles, are all that you need to properly decrypt outbound (forward proxy) traffic.

0
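Added example (not code from this thread, from F5 or from Symantec): a small Python script that builds an ICAP REQMOD message the way an ICAP client such as the BIG-IP does and then parses it the way the DLP's ICAP server does, so the nesting Kevin describes (ICAP request, ICAP headers, HTTP request, HTTP headers) is visible and his check can be applied to a payload pulled out of a capture. The ICAP host 10.0.0.50, the /reqmod service path and the request body are constructed sample values; the Preview header shows what the "preview length 0" setting from the configuration steps above looks like on the wire.

```python
"""ICAP REQMOD encapsulation (RFC 3507): build a message as an ICAP client
such as the BIG-IP would, then parse it as the DLP's ICAP server would.

Added illustration, not code from the DevCentral thread or from F5.
Host names, service path and request body are constructed sample values.
"""
from typing import Dict, Optional, Tuple

CRLF = b"\r\n"
HTTP_METHODS = {b"GET", b"POST", b"PUT", b"DELETE", b"HEAD", b"OPTIONS", b"PATCH"}

# Constructed sample: the cleartext request the BIG-IP holds after SSL forward
# proxy decryption (a text upload to a webmail host).
SAMPLE_BODY = b"CONFIDENTIAL - project plan"
SAMPLE_REQUEST = (
    b"POST https://mail.example.test/upload HTTP/1.1\r\n"
    b"Host: mail.example.test\r\n"
    b"Content-Type: text/plain\r\n"
    + f"Content-Length: {len(SAMPLE_BODY)}\r\n".encode()
    + CRLF
)


def chunked(body: bytes) -> bytes:
    """Encode a body as one HTTP chunk followed by the terminating zero chunk."""
    if not body:
        return b"0" + CRLF + CRLF
    return f"{len(body):x}".encode() + CRLF + body + CRLF + b"0" + CRLF + CRLF


def build_reqmod(icap_host: str, service: str, http_request: bytes,
                 http_body: bytes, preview: Optional[int] = None) -> bytes:
    """Client side: wrap a cleartext HTTP request (start line, headers, blank
    line) in an ICAP REQMOD. Encapsulated gives the byte offset of each part.

    With a Preview header only the first `preview` body bytes are sent; the
    rest follows once the server answers 100 Continue. Preview 0 (what the
    thread says Symantec DLP wants) therefore sends headers plus an empty chunk.
    """
    sections = ["req-hdr=0",
                f"req-body={len(http_request)}" if http_body else f"null-body={len(http_request)}"]
    lines = [f"REQMOD icap://{icap_host}:1344/{service} ICAP/1.0",
             f"Host: {icap_host}",
             f"Encapsulated: {', '.join(sections)}"]
    if preview is not None and http_body:
        lines.append(f"Preview: {preview}")
    icap_headers = ("\r\n".join(lines) + "\r\n\r\n").encode()
    if not http_body:
        return icap_headers + http_request
    body_now = http_body if preview is None else http_body[:preview]
    return icap_headers + http_request + chunked(body_now)


def parse_headers(block: bytes) -> Tuple[bytes, Dict[str, str]]:
    """Split a header block into its start line and a lower-cased name->value map."""
    lines = block.split(CRLF)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if line:
            name, _, value = line.partition(b":")
            headers[name.decode().strip().lower()] = value.decode().strip()
    return lines[0], headers


def dechunk(data: bytes) -> bytes:
    """Reassemble a chunked body; stops at the zero chunk (also the end of a preview)."""
    out, pos = b"", 0
    while True:
        end = data.index(CRLF, pos)
        size = int(data[pos:end].split(b";")[0], 16)   # "0; ieof" is legal here
        pos = end + 2
        if size == 0:
            return out
        out += data[pos:pos + size]
        pos += size + 2


def parse_reqmod(message: bytes) -> dict:
    """Server side: peel off the ICAP headers, then follow the Encapsulated
    offsets into the HTTP request they carry."""
    sep = message.index(CRLF + CRLF)
    icap_start, icap_headers = parse_headers(message[:sep + 2])
    payload = message[sep + 4:]
    offsets = {}
    for part in icap_headers["encapsulated"].split(","):
        name, _, value = part.strip().partition("=")
        offsets[name] = int(value)
    body_start = offsets["req-body"] if "req-body" in offsets else offsets["null-body"]
    http_start, http_headers = parse_headers(payload[offsets["req-hdr"]:body_start])
    body = dechunk(payload[body_start:]) if "req-body" in offsets else b""
    return {"icap_start": icap_start, "icap_headers": icap_headers,
            "http_start": http_start, "http_headers": http_headers, "body": body}


def is_cleartext_http(parsed: dict) -> bool:
    """Kevin's check: a readable HTTP request line inside the ICAP payload means
    the BIG-IP decrypted the HTTPS session before handing it to ICAP."""
    parts = parsed["http_start"].split(b" ")
    return len(parts) == 3 and parts[0] in HTTP_METHODS and parts[2].startswith(b"HTTP/")


if __name__ == "__main__":
    full = build_reqmod("10.0.0.50", "reqmod", SAMPLE_REQUEST, SAMPLE_BODY)
    print(full.decode())
    print(parse_reqmod(full))
```

Run it to see the whole message on the wire; to check a real capture, feed the bytes of one ICAP request (from the REQMOD line through the terminating zero chunk) to `parse_reqmod` and look at `http_start`. Note that with preview 0 the DLP first sees only the ICAP and HTTP headers and must answer 100 Continue before the body arrives, which is worth keeping in mind when a capture appears to show "headers only".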
Comment made 2 months ago by F5_Jeff 336

Hi

We have some developments in our ongoing testing. We can now inspect the HTTPS traffic when we put a Request Adapt profile and an iRule on our catch_443 VS; however, we cannot access the sites allowed in URL Filtering, except the customized allowed ones. When removing the Request Adapt profile, the sites become accessible, but we cannot inspect the HTTPS traffic. It seems that the Request Adapt profile on the catch_443 VS is causing it, so right now we have removed the Request Adapt profile from the catch_443.

My observation is that the traffic seems to be encrypted again when the F5 sends it to the DLP server. Is this somehow because of the Server SSL profile configured on the catch_443 VS, where there is an installed cert and key? I tried removing the Server SSL profile but got an error. Or should I just remove the cert and key from the Server SSL profile and leave the Server SSL profile on the VS?

Thank you very much. Sorry for so many questions; we have already opened a support case, but it may take some time before we get an answer.

thank you!

0
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

For those having the same deployment as our set-up: we were able to integrate F5 SWG with Symantec DLP. Use the latest iApp template for SWG found here on DevCentral. This template already includes the config for ICAP.

Reference: https://devcentral.f5.com/codeshare/f5-secure-web-gateway-iapp-template

Thank you everyone!

0