Last Modified: Apr 28, 2025
Affected Product(s):
BIG-IP APM
Known Affected Versions:
11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.5.10, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3
Fixed In:
12.0.0
Opened: Jun 22, 2015 Severity: 4-Minor
Symptoms:
The SWG configuration recommends deploying a catch-all virtual server (listening on all IPs and all ports) on the HTTP tunnel interface. When TMOS attempts to find the next hop for traffic to be forwarded, it queries all listeners (i.e. virtual servers) that could match the specific IP and port. This query covers all interfaces and tunnels as well. With the recommended Secure Web Gateway configuration, the catch-all virtual will always match. TMOS forwards the traffic to this virtual server, and because it is configured as a "reject" virtual server, all packets are dropped.
Impact:
RDP traffic will be dropped.
Conditions:
An RDP gateway is configured on the same device as SWG, and SWG is configured with a catch-all reject virtual server.
Workaround:
To work around the problem, you can do either of the following:
- Configure a layered virtual server for RDP (IP address 0.0.0.0, port 3389) on the HTTP tunnel interface.
- Remove the catch-all layered virtual server from the HTTP tunnel. This is not recommended because it is counterproductive for security.
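A configuration check for the condition described above, added here as an example and not part of the article or of any F5 tool: it parses `ltm virtual` stanzas in bigip.conf syntax and reports a catch-all reject virtual server on http-tunnel that has no port-3389 virtual server beside it on the same tunnel. The sample stanzas, their names and addresses are constructed; the check only models the one precedence rule the article relies on (a port-specific listener is chosen over the catch-all), not the full TMOS lookup.

```python
import re

# Constructed bigip.conf fragment: SWG catch-all reject on http-tunnel, no RDP virtual.
SAMPLE_CONF = """
ltm virtual /Common/swg_catchall_reject {
    destination /Common/0.0.0.0:any
    mask any
    reject
    vlans {
        /Common/http-tunnel
    }
    vlans-enabled
}
ltm virtual /Common/swg_explicit_proxy {
    destination /Common/10.0.0.5:3128
    ip-protocol tcp
    mask 255.255.255.255
    profiles {
        /Common/tcp { }
    }
}
"""

# Constructed stanza implementing the first workaround (0.0.0.0:3389 on http-tunnel).
RDP_VS = """
ltm virtual /Common/rdp_on_http_tunnel {
    destination /Common/0.0.0.0:3389
    ip-protocol tcp
    mask any
    vlans {
        /Common/http-tunnel
    }
    vlans-enabled
}
"""

STANZA = re.compile(r"ltm virtual (\S+) \{(.*?)\n\}", re.S)  # stanza ends at column-0 brace

def parse_virtuals(conf):
    """Return {name: {"dest": "ip:port", "reject": bool, "vlans": set of vlan names}}."""
    out = {}
    for name, body in STANZA.findall(conf):
        dest = re.search(r"^\s*destination \S*?([\d.]+:\w+)\s*$", body, re.M)
        vlans = re.search(r"vlans \{(.*?)\}", body, re.S)  # 'vlans-enabled' has no brace
        out[name] = {
            "dest": dest.group(1) if dest else "",
            "reject": re.search(r"^\s*reject\s*$", body, re.M) is not None,
            "vlans": {v.rsplit("/", 1)[-1] for v in vlans.group(1).split()} if vlans else set(),
        }
    return out

def rdp_shadowed_by_catchall(conf, tunnel="http-tunnel", rdp_port="3389"):
    """Names of catch-all reject virtuals on `tunnel` with no 0.0.0.0:<rdp_port> listener beside them."""
    on_tunnel = {n: v for n, v in parse_virtuals(conf).items() if tunnel in v["vlans"]}
    has_rdp = any(v["dest"].endswith(":" + rdp_port) for v in on_tunnel.values())
    return sorted(n for n, v in on_tunnel.items()
                  if v["reject"] and v["dest"].endswith((":any", ":0")) and not has_rdp)
```

Run it against `tmsh list ltm virtual` output (or a saved bigip.conf) to find devices where the RDP listener is missing from the tunnel.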
Fix Information:
APM documentation now includes instructions for ensuring correct processing of RDP client traffic on a BIG-IP system on which both of the following are configured: SWG explicit forward proxy, and APM configured as a gateway for RDP clients.