F5 APM/SWG Forward Proxy problem with HSTS sites

Question

Hi gurus,&nbsp;
I had the lab to test F5 APM/SWG Forward Proxy. All things work well except sites with HSTS as , gmail.com... &nbsp;
Normally, when user puts the URL to browser, it will redirect to the Captive portal of APM.
But with these sites, an error display and user cannot continue. I think the problem is HSTS of these sites. &nbsp;
How to resolve it?&nbsp;
Thanks&nbsp;
Phong&nbsp;

niels_van_sluis · Answer

Are you sure it is HSTS? Since you mention  and gmail, it could also be QUIC. This is a experimental protocol used by Google websites and the Chrome browser. It's an alternative for TLS. It uses port 443/UDP. The BIG-IP will not intercept this traffic. You could try blocking 443/UDP. This will cause the browser to fallback to 443/TCP and make it possible for the BIG-IP to do SSL interception.&nbsp;
See: https://en.wikipedia.org/wiki/QUIC&nbsp;

stanislas_piro2 · Answer

Hi, &nbsp;
did you configure serverssl profile in your virtual server?&nbsp;

anesh · Answer

sites which send the HSTS header do not like self signed certificates, although in other sites you may be able to ignore the trust error when using ssl forward proxy, for sites using HSTS you need to import the certificate into the browser root trust store..

Forum Discussion

F5 APM/SWG Forward Proxy problem with HSTS sites

3 Replies

Recent Discussions

Chrome V 124+ on MacOS - Virtual Server Access Issue

F5 Rseries HA

Need advise to setup a policy on F5

F5 Rseries R2600 Tenant sizing

Can iRule mask the payload content on event logs of security

Related Content

Source_Addr Persistence Problems

Bidirectional Forwarding Detection (BFD) Protocol Cheat Sheet

X-Forwarded-For on L4 VS

F5 DNS Forwarding

Nodes forwarding