Bug ID 612118: Nexthop explicit proxy is not used for the very first connection to communicate with the backend.

Last Modified: Nov 07, 2022

Affected Product:
BIG-IP SWG (all modules)

Known Affected Versions:
13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3

Fixed In:
14.0.0, 13.1.0.4, 13.0.1

Opened: Aug 22, 2016
Severity: 3-Major

Symptoms

In an SWG / forward proxy configuration, the next-hop explicit proxy is not used for the very first connection to the backend.

Impact

The BIG-IP system directly communicates with the backend to fetch server certificates.

Conditions

An SWG per-request policy that contains a proxy select agent.

Workaround

None.

Fix Information

The next-hop proxy is now used for all connections that use the proxy select agent, including the connection that fetches the backend certificate. In earlier versions, the system used the default route to fetch the certificate. In transparent mode for HTTPS traffic, the proxy select agent is able to use the host and port information gathered from the backend certificate, as the per-request policy can run before the certificate-fetching process. Therefore, the per-request policy is no longer required to have a category lookup agent before the proxy select agent.

Behavior Change