How to: Configure the Forward Proxy using BIG-IP Next Central Manager
Overview
This document describes the steps to enable or disable the HTTP or HTTPS proxy in BIG-IP Next Central Manager.
Procedures
Configure the Proxy in BIG-IP Next Central Manager
Log in to BIG-IP Next Central Manager as admin.
In the left-hand navigation menu, click the Workspace icon located next to the F5 icon.
Go to System > CM Maintenance and click Properties.
The Properties screen will appear on the right side.
Access Proxy Settings:
Click Manage.
In the left-hand navigation menu, select the Proxy option.
A new screen will appear where you can enable and configure the proxy settings.
Enable and Configure Proxy:
Toggle the Enable Proxy radio button to turn on the proxy feature, then click Configure Proxy.
Note: The Configure Proxy option is enabled only after you activate the Enable Proxy button.
To enable the proxy, click Yes, Enable Proxy and proceed with configuring the proxy settings.
Enter Proxy Details:
In the IP Address or FQDN field, enter the IP address or Fully Qualified Domain Name (FQDN).
In the Port field, enter the port number.
In the Protocol field, select HTTP or HTTPS (recommended).
HTTP: No certificate is required.
HTTPS: Choosing a certificate from the dropdown is mandatory.
Add a Certificate:
If adding a certificate for the first time, click + Add Certificates.
You will be redirected to a new screen to import the certificates.
Click + Add at the top right corner of the screen.
Import Certificate:
Select Import a Certificate.
In the Name field, choose Create New and enter the certificate name.
In the Tag dropdown, select a tag to define the type of traffic the certificate will support. Make sure to choose Forward Proxy.
In the Type field, select Certificate.
Source Selection:
From the Source field, choose one of the import options:
Import: Click Import, navigate to the location where the certificate is stored, and select it.
Paste: Copy and paste the certificate content into the provided fields.
Click Save to add the imported certificate.
Enable Authentication:
Check the box for Enable Authentication.
Enter the Username and Password.
Click Test Proxy Connection.
A success message will appear if the proxy connection is successful.
Save Configuration:
Click Save.
The Proxy screen will appear with the settings you configured.
Verify and Finalize:
Review the IP Address, Port, and Protocol settings.
Click Test to verify the connection. If changes are necessary, click Edit.
If the connection is successful, a success message will appear.
Click Save Proxy to finalize the configuration.
A success message will appear: Proxy Created Successfully.
Disable the Proxy in BIG-IP Next Central Manager
Log in to BIG-IP Next Central Manager as admin.
Navigate to the Properties screen:
In the left-hand navigation menu, click the Workspace icon located next to the F5 icon.
Go to System > CM Maintenance and click Properties.
The Properties screen will appear on the right side.
Access Proxy Settings:
Click Manage.
In the left-hand navigation menu, select the Proxy option.
A new screen will appear where you can enable and configure the proxy settings.
Disable Proxy:
Toggle the Enable Proxy radio button to disable the proxy feature.
A confirmation window will prompt you with the message: “Do you want to disable the Proxy?” or “Do you want to continue?”
To continue, click Yes, Disable Proxy. A success message will appear: Proxy Disabled Successfully.
Steps to Configure Proxy settings for K3s
When enabling ZTNA, the BIG-IP Next Central Manager connects to the XC container registry. If a forward proxy is present, k3s must be configured with the proxy settings.
Create a new file at /etc/default/k3s with the following content:
CONTAINERD_HTTP_PROXY=http://your-proxy.example.com:8888
CONTAINERD_HTTPS_PROXY=http://your-proxy.example.com:8888
CONTAINERD_NO_PROXY=127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
Refer to the K3s advanced configuration for more details.
Restart the K3s service to apply the new configuration.
Verify the configuration by deploying with kubectl commands.
Note: Ensure the CONTAINERD_NO_PROXY setting is updated according to your K3s environment.
Steps for finding “CONTAINERD_NO_PROXY” value
In complex K3s environments, correctly configuring NO_PROXY is critical to ensure that internal traffic bypasses the proxy while external traffic is properly routed. Here’s a structured approach to determine the appropriate NO_PROXY settings:
Localhost and Loopback Addresses:
localhost
127.0.0.1
::1 (IPv6)
Pod and Service CIDR Ranges: These are the IP ranges assigned to pods and services within the clust
kubectl cluster-info dump | grep -m 1 -E --color=never 'cluster-cidr|service-cluster-ip-range'
Node IP Addresses: Obtain the IP addresses of all nodes in the cluster using the command:
kubectl get nodes -o jsonpath='{range .items[*]}{.status.addresses[?(@.type=="InternalIP")].address}{"\n"}{end}'
Cluster Domain Suffix: Typically, Kubernetes clusters use a default domain suffix like .cluster.local. This can be verified in the cluster DNS settings.
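The four sources above combined into one CONTAINERD_NO_PROXY value, as an added example that is not part of the original F5 documentation. The function names are hypothetical, the CIDRs are the K3s defaults, the node IPs are constructed samples, and only IPv4 addresses and CIDRs are validated.

```shell
#!/bin/sh
# Added example: assemble CONTAINERD_NO_PROXY from loopback names, pod and
# service CIDRs, the cluster domain suffix and node IPs, then render the
# three lines for /etc/default/k3s. All input values are constructed samples.

# is_ipv4_or_cidr VALUE -> exit 0 if VALUE is a dotted-quad IPv4 address,
# optionally followed by a /0-32 prefix length; exit 1 otherwise.
is_ipv4_or_cidr() {
    printf '%s\n' "$1" | awk -F'[./]' '
        !/^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/ { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i > 255) exit 1
          if (NF == 5 && $5 > 32) exit 1 }'
}

# build_no_proxy POD_CIDR SERVICE_CIDR CLUSTER_DOMAIN [NODE_IP...]
# Prints a comma-separated list with duplicates removed and order preserved.
# Rejects malformed ranges so a typo cannot silently send internal traffic
# through the proxy.
build_no_proxy() {
    pod_cidr=$1 svc_cidr=$2 domain=$3
    shift 3
    for v in "$pod_cidr" "$svc_cidr" "$@"; do
        is_ipv4_or_cidr "$v" || {
            echo "invalid address or CIDR: $v" >&2
            return 1
        }
    done
    # ${domain#.} drops a leading dot so both "cluster.local" and
    # ".cluster.local" produce the suffix form ".cluster.local".
    printf '%s\n' localhost 127.0.0.1 ::1 "$pod_cidr" "$svc_cidr" \
        ".${domain#.}" "$@" |
        awk '!seen[$0]++' | paste -sd, -
}

# render_k3s_env PROXY_URL NO_PROXY -> contents for /etc/default/k3s
render_k3s_env() {
    printf 'CONTAINERD_HTTP_PROXY=%s\n' "$1"
    printf 'CONTAINERD_HTTPS_PROXY=%s\n' "$1"
    printf 'CONTAINERD_NO_PROXY=%s\n' "$2"
}

# Constructed sample run: K3s default CIDRs and two made-up node IPs.
# In a real cluster, take these values from the kubectl commands above.
NO_PROXY_VALUE=$(build_no_proxy 10.42.0.0/16 10.43.0.0/16 cluster.local \
    192.0.2.11 192.0.2.12)
render_k3s_env http://your-proxy.example.com:8888 "$NO_PROXY_VALUE"
```

Review the printed lines before writing them to /etc/default/k3s and restarting the K3s service.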
Prerequisite
Authenticate with the BIG-IP Next Central Manager API. For details refer to How to: Authenticate with the BIG-IP Next Central Manager API.
Procedures
Use the following BIG-IP Next Central Manager API requests to enable or disable the proxy:
Import the certificate by sending a POST request to the spaces/default/certificates/import endpoint.
POST https://{{cm_mgmt_ip}}/api/v1/spaces/default/certificates/import
For the request payload, use the following example and substitute appropriate values as required.
{
"name": "testProxyCert", "cert_text": "-----BEGIN CERTIFICATE-----\nMIIDkzCCAnugAwIBAgIUZ+oVJ4HE1GO/LzOMeOR2uJQyzYwwDQYJKoZIhvcNAQEL\nBQAwWTELMAkGA1UEBhMCSU4xEjAQBgNVBAgMCVRFTEFOR0FOQTEMMAoGA1UEBwwD\nSFlEMREwDwYDVQQKDAhGNSwgSW5jLjEVMBMGA1UEAwwMQ1BDTCBSb290IENBMB4X\nDTIzMDYwNzEzMzM0NloXDTI4MTEyNzEzMzM0NlowWTELMAkGA1UEBhMCSU4xEjAQ\nBgNVBAgMCVRFTEFOR0FOQTEMMAoGA1UEBwwDSFlEMREwDwYDVQQKDAhGNSwgSW5j\nLjEVMBMGA1UEAwwMQ1BDTCBSb290IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A\nMIIBCgKCAQEAmYg8wKCxLf2NRzzdlrcAJ8aSDYYyM7FZJMa4lwYjITNXb+y2lob1\ngLkbS6knqFSZKCGeFWgZFLkpA//ESSZALa+kP2KFMMLRmgxpoOP2FowCMFk/vtmA\nWc+uZahckRCKidwbltBX++uwgcatvh5hfCq91sP9qop+tunfyxBe3KfmOh4aX+q/\nvKSIyzv5gIFXrH2l9SCoMGN5hR1IHS4SAD5EDYs1cDxGH5z3m2hc8n5fInHUlRFr\nGmzgB1DeE8DxKo1tzWZQXCQYrhy+3k6niobA4JQTg4wvFt6sGFhzQyWj/ktR8rG1\nmIxznSUmvAIHINMh0MTVFfLrn+WUsyU0zwIDAQABo1MwUTAdBgNVHQ4EFgQU3Gyx\nvq1DFQBHgISE+tHpQaagR8IwHwYDVR0jBBgwFoAU3Gyxvq1DFQBHgISE+tHpQaag\nR8IwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAbOtf20GzEFBP\nzoUFK8jsiExwBl00UCMFbpbt2v831j9u6ZTmgj2hRKOh8AgwdM2e5zC0ceKbDwTu\nBEmFRFM/zb2HqqsWDEoQRKENq/XNMhr/RlPiDr+A56Rcrlt/h0q4B/frSE69JnzJ\n5gE4Oy8J7p6Ann8lD+pOAC196asYbO7yrfOqvx7uww3esiEHG/V+g7bPS1yDaV/7\nrv7sL4TTMMRjcYd4KeMyAmC9/Z9bILY3bvkNT+YXHRlfmHROPezVydhZU8dri9oY\n97d4lde/NlWzwnCae3jNE0kbU2Imfk6wEmtltZ7csbIARuURwlp4bqGb+qe7SazQ\nQvkHkS/aXw==\n-----END CERTIFICATE-----", "source": "ForwardProxy" }
For more information about importing certificates by using BIG-IP Next Central Manager APIs, see OpenAPI documentation.
Retrieve the forward proxy certificate details by sending a GET request to the /spaces/default/certificates?filter=source eq 'ForwardProxy' endpoint.
GET https://{{cm_mgmt_ip}}/api/v1/spaces/default/certificates?filter=source eq 'ForwardProxy'
Retrieve the configuration of all forward proxies by sending a GET request to the /system/forward-proxy endpoint. Identify the proxy id from the response.
GET https://{{cm_mgmt_ip}}/api/v1/system/forward-proxy
For more information about retrieving the forward proxy configuration using BIG-IP Next Central Manager APIs, see OpenAPI documentation.
Create the forward proxy configuration by sending a POST request to the /system/forward-proxy endpoint.
POST https://{{cm_mgmt_ip}}/api/v1/system/forward-proxy
For the request payload, use the following example and substitute appropriate values as required.
{ "auth_required": true, "enabled": true, "host": "xxx.xxx.xxx.xxx", "id": "2422a577-5430-11ef-8dc3-8ea6fa37c07e", "password": "", "port": 3127, "protocol": "HTTP", "root_cert_id": "00000000-0000-0000-0000-000000000000", "username": "user" }
For more information about creating the forward proxies configuration using BIG-IP Next Central Manager APIs, see OpenAPI documentation.
Update the information of a forward proxy by sending a PUT request to the system/forward-proxy/{id} endpoint. Replace the id with the proxy id from the step 3 response.
PUT https://{{cm_mgmt_ip}}/api/v1/system/forward-proxy/{id}
For the request payload, use the following example and substitute appropriate values as required.
{ "auth_required": true, "enabled": true, "host": "xxx.xxx.xxx.xxx", "id": "2422a577-5430-11ef-8dc3-8ea6fa37c07e", "password": "", "port": 3127, "protocol": "HTTP", "root_cert_id": "00000000-0000-0000-0000-000000000000", "username": "user" }
For more information about updating the forward proxy configuration using BIG-IP Next Central Manager APIs, see OpenAPI documentation.
Test the forward proxy configuration by sending a POST request to the system/forward-proxy/test endpoint.
POST https://{{cm_mgmt_ip}}/api/v1/system/forward-proxy/test
For the request payload, use the following example and substitute appropriate values as required.
{ "auth_required": true, "enabled": true, "host": "xxx.xxx.xxx.xxx", "id": "2422a577-5430-11ef-8dc3-8ea6fa37c07e", "password": "", "port": 3127, "protocol": "HTTP", "root_cert_id": "00000000-0000-0000-0000-000000000000", "username": "user" }
For more information about testing the forward proxy configuration using BIG-IP Next Central Manager APIs, see OpenAPI documentation.
Test a forward proxy configuration with the given endpoint by sending a POST request to the system/forward-proxy/{id}/test-connection endpoint.
POST https://{{cm_mgmt_ip}}/api/v1/system/forward-proxy/{id}/test-connection
For the request payload, use the following example and substitute appropriate values as required.
{ "endpoint": "http://google.com" }
For more information about testing the specific forward proxy configuration using BIG-IP Next Central Manager APIs, see OpenAPI documentation.