We have an existing F5 SWG explicit proxy for outbound Internet connections of users. Now, they are requesting to integrate Symantec DLP for outbound Internet traffic using ICAP.
We found an article in the Symantec KB saying that we can use an iRule and create some VSs. However, the settings/configuration of the VSs to be created were not discussed. It only indicated that we need to create an Internal Virtual Server and a Standard HTTP Virtual Server.
Are there any available guides for configuring this? Or does someone have a similar implementation/deployment that we could use as a guide?
Thank you for your help.
Take a look at this: https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-implementations-13-1-0/10.html
Thank you for this information. Upon reading the KB, please correct me if I'm wrong: since the flow of traffic for our implementation is from internal network users going to an external network (Internet), can we use the existing Virtual Servers for HTTP traffic (the ones used for the SWG Internet proxy)? Or is a separate Standard VS still required?
Thank you again for your help.
ICAP attaches to an SWG VIP as separate request and response Adapt profiles. Here's the very basic configuration of an LTM ICAP client:
Now the only thing you need to do is to attach the request and response Adapt profiles to the SWG VIP(s). Note that for HTTPS traffic, you must decrypt before sending to ICAP.
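The objects the answer above refers to, written out as an added example in tmsh configuration form. This is not the configuration from the original post or from F5's manual; the object names, the DLP server address 10.10.10.50, the ICAP service path /reqmod and the CA object names ca.crt/ca.key are assumptions for illustration.

```tmsh
# ---- ICAP client pieces ----------------------------------------------------
# Pool of DLP ICAP listeners (address assumed; 1344 is the ICAP default port)
ltm pool dlp_icap_pool {
    members {
        10.10.10.50:1344 {
            address 10.10.10.50
        }
    }
    monitor tcp
}

# ICAP profile. ${SERVER_IP} and ${SERVER_PORT} are BIG-IP variables filled in
# from the selected pool member; the service path (/reqmod) is assumed, use the
# one your DLP server publishes.
ltm profile icap dlp_icap {
    defaults-from icap
    preview-length 1024
    uri icap://${SERVER_IP}:${SERVER_PORT}/reqmod
}

# Internal virtual server: the adapt profiles hand the encapsulated HTTP to it
ltm virtual dlp_icap_vs {
    internal
    ip-protocol tcp
    pool dlp_icap_pool
    profiles {
        dlp_icap { }
        tcp { }
    }
}

# Request and response adapt profiles. service-down-action decides fail-open
# versus fail-closed when the DLP server is unreachable: "ignore" forwards the
# traffic uninspected, "reset" drops the client connection instead.
ltm profile request-adapt dlp_req_adapt {
    defaults-from requestadapt
    enabled yes
    internal-virtual dlp_icap_vs
    preview-size 1024
    service-down-action ignore
    timeout 0
}
ltm profile response-adapt dlp_rsp_adapt {
    defaults-from responseadapt
    enabled yes
    internal-virtual dlp_icap_vs
    preview-size 1024
    service-down-action ignore
    timeout 0
}

# ---- SSL forward proxy so that HTTPS reaches ICAP in the clear ------------
# ca.crt/ca.key: an issuing CA that the internal clients trust (names assumed)
ltm profile client-ssl clientssl_fwdproxy {
    defaults-from clientssl
    cert default.crt
    key default.key
    proxy-ca-cert ca.crt
    proxy-ca-key ca.key
    ssl-forward-proxy enabled
    ssl-forward-proxy-bypass disabled
}
# The server side needs no cert/key of its own, only forward proxy enabled
ltm profile server-ssl serverssl_fwdproxy {
    defaults-from serverssl
    ssl-forward-proxy enabled
    ssl-forward-proxy-bypass disabled
}
```

The two adapt profiles go on the SWG virtual servers that carry the client traffic, and the two SSL profiles on the one that terminates HTTPS. To check that decryption is happening before ICAP, capture on the BIG-IP with `tcpdump -nni 0.0 -s0 host 10.10.10.50 and port 1344`: each client request should appear as a plaintext `REQMOD icap://...` message whose encapsulated section starts with the client's own request line, for HTTPS sites as well as HTTP ones.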
Thank you for this step by step configuration! This will be a great help as it is our first time to deploy this kind of set-up :)
Hi again! We are currently stuck with our testing. The policy of the DLP does not take effect.
(example: we send a word document with "blocked" content using gmail, DLP cannot inspect the content hence the file is still sent)
We cannot decrypt the HTTPS traffic when sending to the ICAP server. But for HTTP, the ICAP server can already see the traffic.
How can we decrypt the HTTPS traffic if our policy in SWG already has SSL Intercept?
Thank you again!
F5_Jeff, can I ask you to elaborate on some of your comments?
To answer your questions:
Sorry, I'm going to need more clarification.
So does HTTPS traffic pass through (does it work)? An SSL forward proxy config does not require the same cert and key on both SSL profiles.
Hi again Kevin,
Sorry for the confusion. We tried doing a tcpdump and can see that the F5 is sending the POST request to the ICAP server. We can also see the content of the traffic (the message sent during the testing) in Wireshark. Is it safe to say that the F5 is already doing the decryption?
Also, what do you mean that a forward proxy config does not require the same cert and key? We can use a different cert and key for the client SSL and server SSL sides, but having a cert and key on both sides is still required, right? And it makes no difference whether we use the same cert or a different one?
Thank you for answering all my questions. Thank you for sharing your knowledge. This will be a great help in the future.
ICAP is an encapsulation protocol, so you'd see something like this:
If you see something like this in the traffic to the ICAP server, and the ICAP server responds correctly, for both inbound HTTP and HTTPS traffic, I'd assume here that the F5 is correctly decrypting the HTTPS traffic.
SSL forward proxy doesn't need a cert and key on the server SSL profile. The primary function of SSL forward proxy is to forge/re-issue a remote server cert to internal clients. This is done with two sets of certs/keys in the client SSL profile:
These certs/keys in the client SSL profile, and the respective SSL forward proxy settings in both SSL profiles, are all that you need to properly decrypt outbound (forward proxy) traffic.
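The encapsulation described in the answer above, as an added example that is not part of the original thread: a small Python script that builds an ICAP REQMOD message (RFC 3507) around an HTTP POST, computing the `Encapsulated` offsets and chunked body the protocol requires, and parses such a message back to recover what a DLP server would actually inspect. The ICAP server address 10.0.0.5, the service path /reqmod and the sample POST are constructed here for illustration and are not from the post.

```python
"""Build and parse an ICAP REQMOD message that encapsulates an HTTP POST.

Added example, not from the original thread. The ICAP URI, Host and the sample
HTTP request below are constructed for illustration.
"""
from __future__ import annotations

CRLF = b"\r\n"


def chunk(body: bytes) -> bytes:
    """Encode a body as one HTTP chunk followed by the zero-length terminator."""
    return b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body)


def dechunk(data: bytes) -> bytes:
    """Decode a chunked encapsulated body back to its raw bytes."""
    out = bytearray()
    pos = 0
    while True:
        eol = data.index(CRLF, pos)
        size = int(data[pos:eol].split(b";")[0], 16)  # drop chunk extensions
        if size == 0:
            return bytes(out)
        pos = eol + 2
        out += data[pos:pos + size]
        pos += size + 2  # skip the CRLF that terminates the chunk


def build_reqmod(icap_uri: str, icap_host: str, request_line: str,
                 headers: list[tuple[str, str]], body: bytes | None) -> bytes:
    """Wrap an HTTP request in REQMOD and compute the Encapsulated offsets."""
    req_hdr = request_line.encode() + CRLF
    req_hdr += b"".join(f"{k}: {v}".encode() + CRLF for k, v in headers) + CRLF
    if body:
        encapsulated = f"req-hdr=0, req-body={len(req_hdr)}"
        payload = req_hdr + chunk(body)
    else:
        encapsulated = f"req-hdr=0, null-body={len(req_hdr)}"
        payload = req_hdr
    icap_hdr = (
        f"REQMOD {icap_uri} ICAP/1.0\r\n"
        f"Host: {icap_host}\r\n"
        f"Allow: 204\r\n"
        f"Encapsulated: {encapsulated}\r\n\r\n"
    ).encode()
    return icap_hdr + payload


def parse_icap(message: bytes) -> dict:
    """Split an ICAP message into its own headers and the encapsulated sections."""
    head, payload = message.split(CRLF + CRLF, 1)
    lines = head.decode().split("\r\n")
    method, uri, version = lines[0].split(" ")
    hdrs = {}
    for line in lines[1:]:
        k, v = line.split(":", 1)
        hdrs[k.strip().lower()] = v.strip()
    # Each Encapsulated entry names a section and its byte offset into the payload;
    # a section runs from its offset up to the next one (or the end of the message).
    offsets = []
    for item in hdrs["encapsulated"].split(","):
        name, off = item.strip().split("=")
        offsets.append((name, int(off)))
    offsets.sort(key=lambda kv: kv[1])
    sections = {}
    for i, (name, start) in enumerate(offsets):
        end = offsets[i + 1][1] if i + 1 < len(offsets) else len(payload)
        sections[name] = payload[start:end]
    if "req-body" in sections:
        sections["req-body"] = dechunk(sections["req-body"])
    return {"method": method, "uri": uri, "version": version,
            "headers": hdrs, "sections": sections}


# Constructed sample: the kind of POST a DLP policy is meant to catch, as the
# BIG-IP would present it to the ICAP server once the TLS session is decrypted.
SAMPLE_HEADERS = [
    ("Host", "mail.example.com"),  # assumed destination host
    ("Content-Type", "text/plain"),
    ("Content-Length", "28"),
]
SAMPLE_BODY = b"subject=blocked+content+test"  # 28 bytes


def sample_reqmod() -> bytes:
    """The REQMOD message for the constructed sample POST (server address assumed)."""
    return build_reqmod("icap://10.0.0.5:1344/reqmod", "10.0.0.5",
                        "POST /upload HTTP/1.1", SAMPLE_HEADERS, SAMPLE_BODY)


def body_seen_by_icap(message: bytes) -> bytes:
    """What the DLP server can actually inspect: the decoded request body."""
    return parse_icap(message)["sections"].get("req-body", b"")


if __name__ == "__main__":
    msg = sample_reqmod()
    print(msg.decode())
    print("body seen by ICAP server:", body_seen_by_icap(msg))
```

If the capture towards the DLP server shows bytes of this shape for a request that the client sent over HTTPS, the BIG-IP has decrypted the session before handing it to ICAP; if the encapsulated section is absent or unreadable for HTTPS only, the SSL forward proxy profiles are not on the virtual server that carries that traffic.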
We have some developments in our ongoing testing. We can now inspect the HTTPS traffic when we put a Request Adapt profile and an iRule on our catch_443 VS. However, we then cannot access the sites allowed in the URL filtering, except for the customized allowed ones. When removing the Request Adapt profile, the sites become accessible, but we cannot inspect the HTTPS traffic. It seems that the Request Adapt profile on the catch_443 VS is causing it, so right now we have removed the Request Adapt profile from catch_443.
My observation is that the traffic seems to be encrypted again when the F5 sends it to the DLP server. Is this somehow because of the Server SSL profile configured on the catch_443 VS, where there is an installed cert and key? I tried removing the Server SSL profile but got an error. Or should I just remove the cert and key from the Server SSL profile but leave the Server SSL profile on the VS?
Thank you very much. Sorry for so many questions; we have already opened a support case, but it may take some time before we get an answer.
For those with the same deployment as our setup: we were able to integrate F5 SWG with Symantec DLP. Use the latest iApp template for SWG found here on DevCentral. This template already includes the config for ICAP.
Thank you everyone!