VIP relay for https request

Hi all, I'm looking for a way to give servers (which have no public DNS/routes) behind the F5 access to the Internet. I've created a new Forwarding IP virtual server so they can initiate outgoing connections. However, I would like to limit that access to certain URLs like HTTPS://google.com or some other cloud URLs. Is it possible to limit it somehow using iRules or other BIG-IP functionality? I cannot achieve the same using firewall rules, as URLs usually resolve to many IPs that change from time to time.

0
Comments on this Question
Comment made 20-Nov-2017 by SagarSatam 16

No SSL inspection is to be done; no changes to the payload is a requirement.

0
Comment made 20-Nov-2017 by SagarSatam 16

So my scenario is that the host system doesn't have internet access or DNS resolution. The host needs to reach cloud URLs, which are dynamic. All communication will be HTTPS, and only a group of URLs is allowed to be reached from the host. Can a BIG-IP configuration/setting achieve this, or does a complex iRule, as suggested, need to be configured?

0
Comment made 20-Nov-2017 by SagarSatam 16

I don't have firewalls that can do URL-based filtering. We are using an explicit proxy to reach the internet, so there is no public IP routing and no default route in my environment. Can F5 help by providing a solution?

0

Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

This is not simple without F5's Secure Web Gateway module.

Your IP Forwarding VS will need a complex iRule to get the Host name from the TLS handshake to work out if you should allow or block the connection.

0
Comments on this Answer
Comment made 20-Nov-2017 by SagarSatam 16

So my scenario is that the host system doesn't have internet access or DNS resolution. The host needs to reach cloud URLs, which are dynamic. All communication will be HTTPS, and only a group of URLs is allowed to be reached from the host. Can a BIG-IP configuration/setting achieve this, or does a complex iRule, as suggested, need to be configured?

0
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

iRules are meant for incoming connections, so I really doubt you can achieve your requirement using one of those. You can achieve it by allowing/blocking on the firewall if it permits URL-based filtering.

0
Comments on this Answer
Comment made 20-Nov-2017 by SagarSatam 16

I don't have firewalls that can do URL-based filtering. We are using an explicit proxy to reach the internet, so there is no public IP routing and no default route in my environment. Can F5 help by providing a solution?

0
Comment made 20-Nov-2017 by Andy McGrath 2563

iRules can be used on any traffic traversing the F5 device via a Virtual Server.

0
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Not tested this but this might be what you are looking for regarding an iRule:

CodeShare: http-forward-proxy-v32

You will need to edit it to add restrictions but I would get the forward proxy working first.

0
Comments on this Answer
Comment made 20-Nov-2017 by SagarSatam 16

Well, makes sense... now I need to test. Thanks all, will get back once tested.

0
Comment made 14-Dec-2017 by SagarSatam 16

Hey guys, I need your help to understand the query below and the issue I am facing...

My server, and the application hosted on it, is not proxy aware (can't configure proxy settings on it). To reach the F5 VIP, I have edited the local hosts file on the server to map the VIP to the FQDN, for example: https://goole.com = VIP IP. Now in this case, how will F5 treat and resolve this packet or traffic to get to the OCS server (Google.com)?

Thanks

0