Forum Discussion

Joe_41441 (Nimbostratus), Mar 08, 2015

http URI filtering in front of TMG

Hello,

I am familiar with the concept of deploying Microsoft TMG behind F5 LTM with forward proxy/reverse proxy. In that scenario I would use an iApp and follow the relevant deployment guides.

My question scenario is around HTTP URI filtering. I have a virtual server in front of a TMG gateway where I can filter the inbound connections by IP address (CLIENT_ACCEPTED event). I would like to filter (or reject) all inbound connection when a specific URI is requested from outside a few IPs (let's say /clients/secured). This requires HTTP_REQUEST event, which requires an http profile.

I believe I have the iRule setup properly, however the browser just hangs as soon as an http profile is added to the TMG Gateway VS. It hangs without the iRule resource.

* I have a custom http profile created that does not process or rechunk http (it is based upon the http transparent profile).
* I can provide a copy of the iRule in question.
* I can describe the VS and edge network architecture if needed.

My questions:

1. Is it possible to place an http profile in front of a TMG gateway server for the solution I am attempting?
2. Should I pursue a different solution?
3. Will full TMG replacement with SWG / iApp provide what I need?

I have better bundle licensing so can leverage other modules outside of LTM if those are more appropriate. Looking to avoid full TMG replacement if possible. Thanks!
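The HTTP_REQUEST filtering the question describes, as an added example (not the poster's iRule and not F5-supplied code): requests for the restricted URI prefix are answered with a 403 unless the client address is in an allow-list data group. The data group name dg_secured_clients and the /clients/secured prefix are assumptions; the virtual server must carry an http profile for HTTP_REQUEST to fire, and the example assumes the traffic reaching the virtual server is plaintext HTTP (an http profile cannot parse TLS without a client-ssl profile in front of it).

```tcl
# Added example, not the original poster's iRule.
# Assumes an address-type data group "dg_secured_clients" (hypothetical name)
# holds the client IPs or subnets that may reach the protected path.
when HTTP_REQUEST {
    # Normalise the path so "/Clients/Secured" is not a bypass; everything
    # outside the protected prefix is passed to the TMG pool untouched.
    if { [string tolower [HTTP::path]] starts_with "/clients/secured" } {
        # class match against an address data group does longest-prefix matching,
        # so the allow-list may hold single hosts or whole subnets.
        if { not [class match [IP::client_addr] equals dg_secured_clients] } {
            log local0. "Denied [IP::client_addr] -> [HTTP::host][HTTP::uri]"
            # Answer with a 403 rather than reject: reject drops the TCP
            # connection, which a browser shows as a hang or reset.
            HTTP::respond 403 content "Forbidden" "Content-Type" "text/plain"
            return
        }
    }
}
```

The data group can be created with tmsh, for example `tmsh create ltm data-group internal dg_secured_clients type ip records add { 203.0.113.10/32 { } }` (constructed sample address). Because the virtual server in this thread listens on destination port any with only a tcp profile, attaching an http profile to it makes every connection, TLS on 443 included, subject to HTTP parsing; a separate HTTPS virtual server with a client-ssl profile, or limiting this virtual server to port 80, keeps the non-HTTP traffic flowing.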

13 Replies

  • kunjan (Nimbostratus)

    Option 3 should be possible with subnet agent match and URL filter on SWG

    'IP Subnet Match => Create policy branch rules based on user's subnet'

  • Thanks Kunjan, if I understand correctly this means I should plan the TMG replacement to accomplish what I need. None of the other deployment scenarios or modules will accomplish the TMG URI filtering. Is that correct?

  • I believe I have the iRule setup properly, however the browser just hangs as soon as an http profile is added to the TMG Gateway VS. It hangs without the iRule resource.

    i never used tmg but you are talking about tmg as a reverse proxy, aren't you? if yes, can you post the virtual server and pool configurations?

     tmsh list ltm virtual (virtual server name)
     tmsh list ltm pool (pool name)
    
    • Joe_41441 (Nimbostratus)
      nitass, the VS and Pool configs are rather vanilla. Sanitized output below:

      ltm virtual VS_TMG {
          destination A.A.51.94:any
          ip-protocol tcp
          mask 255.255.255.255
          persist {
              source_addr {
                  default yes
              }
          }
          pool VS_TMG
          profiles {
              tcp { }
          }
          source 0.0.0.0/0
          source-address-translation {
              pool snat-120
              type snat
          }
          translate-port disabled
          vs-index 3
      }
      ltm pool POOL_TMG {
          load-balancing-mode least-connections-member
          members {
              TMG:any {
                  address A.A.20.94
              }
          }
      }
    • nitass_89166 (Noctilucent)
      configuration looks straightforward. i do not see anything suspicious. have you tried tcpdump when having the problem?
  • kunjan (Nimbostratus)

    I guess what you need is forward proxy chaining, i.e, BigIP proxy forwarding to TMG proxy

    You may be able to achieve this by an iRule in addition to other logic:

    1) Assign the explicit HTTP profile in BigIP

    2) Create TMG proxy pool

    3) iRule like following:

    when HTTP_PROXY_REQUEST {
        HTTP::proxy disable
        pool tmg_pool
    }

    • Joe_41441 (Nimbostratus)
      kunjan, thanks for the suggestion. After setting up the TMG proxy pool and iRule code for HTTP_PROXY_REQUEST events I am getting "Secure Connection Failed"
  • kunjan (Nimbostratus)

    May I know the version you are running? Is it working for non-SSL page? Where do you see this error?