Issues with ProxySG and F5 SSL Orchestration (SSLO)

book

Article ID: 193891

calendar_today

Updated On:

Products

Advanced Secure Gateway Software - ASG ProxySG Software - SGOS

Issue/Introduction

This article addresses how to resolve issues seen when the ProxySG is deployed as part of an F5 SSL Orchestration (SSLO) stack.  When an F5 appliance, running version 14.1.2, has SSLO enabled and is providing decrypted traffic to one or more ProxySG appliances for policy inspection further configurations will be necessary for proper handling.


These issues have been found to require additional steps taken for pipelining and caching changes on ProxySG to allow this behavior to function as expected.

Resolution

The following is based on customer feedback and testing:

The ProxySG will only receive packets from the F5 that appear to be HTTP requests from an internal client. As such, any initial request sent upstream by the ProxySG will be HTTP. If the ProxySG is the sole originator, such as the case with pipelining, the F5 is unable to re-encrypt the request. To work around this, pipelining can be disabled, and a few other caching settings changed.

Furthermore, if the ProxySG receives a 3xx redirect, such as the expected 301 Permanent Redirects used to upgrade from HTTP to SSL/TLS, the ProxySG may cache the response. If a 3xx redirect is cached, any future HTTP requests provided to the ProxySG from the F5 on behalf of a client will automatically result in a 301 sent by the ProxySG, potentially triggering a redirect loop. To work around this, caching for 3xx Status codes can be disabled.

To disable pipelining, and change caching settings:

From the ProxySG CLI, issue the following commands:

  • > en
  • # config t
  • #(config) http substitute if-modified-since
  • #(config) http substitute conditional
  • #(config) http no substitute pragma-no-cache
  • #(config) http no substitute ie-reload
  • #(config) http no pipeline client requests
  • #(config) http no pipeline client redirects
  • #(config) http no pipeline prefetch requests
  • #(config) http no pipeline prefetch redirects
  • #(config) http cache expired
  • #(config) http strict-expiration refresh
  • #(config) http no strict-expiration serve
  • #(config) bandwidth-gain enable

For more information regarding the CLI commands, please refer to the ProxySG Command Line Interface Reference.

To disable caching of 3xx status codes:

The following CPL can be used in a local or central CPL file, or as part of a CPL layer in VPM.

    <cache>
     http.response.code=301 cache(no)
     http.response.code=302 cache(no)
     http.response.code=307 cache(no)