Last Modified: Apr 28, 2025
Affected Product(s):
BIG-IP SWG
Known Affected Versions:
13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3
Fixed In:
14.0.0, 13.1.0.4, 13.0.1
Opened: Aug 22, 2016 Severity: 3-Major
In SWG / forward proxy, nexthop explicit proxy is not used for the very first connection to communicate with the backend.
The BIG-IP system directly communicates with the backend to fetch server certificates.
SWG per-request policy with proxy select agent.
None.
Next-hop proxy gets used for all the connections that use proxy-select agent even for fetching the backend cert. In earlier version it would use the default route to fetch the certificate. In transparent mode for https traffic, the proxy select agent is able to use the host & port information gathered from the backend certificate as the per-request policy can run before the cert fetching process. Therefore there is no longer a requirement for the per-request policy to have a category lookup agent before the proxy select agent.