Looking for a way to give servers (which have no public DNS/routes) behind the F5 access to the Internet. I've created a new Forwarding IP virtual server so they can initiate outgoing connections. However, I would like to limit that access to certain URLs like HTTPS://google.com or some other cloud URLs. Is it possible to limit it somehow using iRules or other BIG-IP functionality? I cannot achieve the same using firewall rules, as URLs usually convert to many (and changing from time to time) IPs.
No SSL inspection is to be done; no changes to the payload is a requirement.
So my scenario is that the HOST system doesn't have internet access and DNS resolution.
The host needs to reach cloud URLs which are dynamic. All communication will be HTTPS, and only a group of URLs is allowed to be reached from the host.
Can a BIG-IP configuration/setting achieve the solution? Or does a complex iRule, as suggested, need to be configured?
I don't have firewalls that can do URL-based filtering.
We are using an explicit proxy to reach the internet, so there is no public IP routing and no default route in my environment. Can F5 help me by providing a solution?
This is not simple without F5's Secure Web Gateway module.
Your IP Forwarding VS will need a complex iRule to get the Host name from the TLS handshake to work out if you should allow or block the connection.
iRules are meant for incoming connections, so I really doubt you can achieve your requirement using one of those. You can achieve it by allowing/blocking on the firewall if it permits URL-based filtering.
iRules can be used on any traffic traversing the F5 device via a Virtual Server.
I have not tested this, but this might be what you are looking for regarding an iRule:
You will need to edit it to add restrictions but I would get the forward proxy working first.
Well, makes sense. Now I need to test. Thanks, all. Will get back once tested.
Hey guys, I need your help to understand the query below and the issue I am facing.
My server, and the application hosted on it, is not proxy aware (can't configure proxy settings on it).
To reach the F5 VIP, I have edited the local hosts file on the server to map the VIP to the FQDN, for example: https://google.com = VIP IP.
Now in this case, how will F5 treat and resolve this packet or traffic to get to the OCS server (Google.com)?