Manual Chapter: Setting Up a Basic Configuration

Applies To:

F5 SSL Orchestrator

  • 13.0.0

Overview: Setting up a basic configuration

This section contains general information that the system needs before you can configure services and service chains. The SSL Orchestrator configuration utility will assist you with configuring logging settings, setting up ingress and egress devices as one system or separate systems, and configuring the system for transparent proxy and explicit proxy.

Configuring general properties

You must provide general information that the system needs so that you can then set up ingress and egress devices, create services and service chains, and create classifier rules using the F5® SSL Orchestrator™ configuration utility.
  1. On the Main tab, click SSL Orchestrator > Configuration.
    A screen opens showing the network diagram and listing general properties.
  2. For the Application Service Name field, ssloApp is the default name for this configuration.
  3. From the Do you want to setup separate ingress and egress devices with a cleartext zone between them? list, select one of the options:
    • If the same BIG-IP® system receives both ingress and egress traffic on different networks, use No, use one BIG-IP device for ingress and egress.
    • If you are configuring separate devices for ingress and egress traffic, use Yes, configure separate ingress and egress BIG-IP devices.
  4. From the Which IP address families do you want to support? list, select Support IPv4 only.
  5. From the Which proxy schemes do you want to implement? list, select whether the system operates in transparent proxy mode, explicit proxy mode, or both.
    • Use Implement transparent proxy only for the system to operate in transparent proxy mode. The transparent proxy scheme can intercept all types of TLS and TCP traffic. It also processes UDP traffic and forwards all other types of traffic. The transparent proxy requires no client configuration modifications.
    • Use Implement both transparent and explicit proxies for the system to operate in explicit and transparent proxy modes simultaneously.
    • Use Implement explicit proxy only for the system to operate in explicit proxy mode. The explicit proxy scheme supports only HTTP(S) per RFC2616. If you choose to configure an explicit proxy, assign a specific IP address and TCP port where the HTTP explicit-proxy clients connect.
  6. From the Do you want to pass UDP traffic through the transparent proxy unexamined? list, select one of the options:
    • Use Yes, pass all UDP traffic unexamined to pass UDP traffic through without inspecting it.
    • Use No, manage UDP traffic by classification to configure specific service chain classifier rules for UDP traffic.
    This option is available only if you select Implement transparent proxy only.
  7. From the Do you want to pass non-TCP, non-UDP traffic through the transparent proxy? list, select one of the options:
    • Use Yes, pass non-TCP, non-UDP traffic (such as IPsec, SCTP, OSPF, and so on) if you want the system to pass all traffic that is not TCP or UDP through the transparent proxy. If you choose this option, this traffic will not be classified or processed by any service chain.
    • Use No, block all non-TCP, non-UDP traffic (such as IPsec, SCTP, OSPF, and so on.) for the system to block all non-TCP and non-UDP traffic.
    This option is available only if you select Implement transparent proxy only.
  8. From the Which is the SSL Forward Proxy CA certificate? list, select the Certificate Authority (CA) certificate that your clients will trust to authenticate intercepted TLS connections.
  9. From the Which is the SSL Forward Proxy CA private key? list, select the corresponding private key.
    You imported the CA certificate and private key while configuring the Setup Wizard. If you did not use the Setup Wizard, you must import a CA certificate before you can use this functionality.
  10. For the What is the private-key passphrase (if any)? field, type the private-key passphrase.
    If the key does not have a passphrase, leave the field empty.
  11. From the Which CA bundle is used to validate remote server certificates? list, select the CA bundle that validates the remote server certificates.
    The CA bundle is the collection of root and intermediate certificates for the CA you trust to authenticate servers where your clients might connect. The CA bundle is also known as the local trust store.
  12. From the Should connections to servers with expired certificates be allowed? list, select one of the two options to determine what happens with connections to servers with expired certificates:
    • Use Yes, allow connections to servers with expired certificates to allow connections to the servers that have expired certificates.
    • Use No, forbid connections to servers with expired certificates to prevent connections to servers that have expired certificates.
    Remote servers can present expired certificates. Allowing connections to servers with expired certificates is a security risk.
  13. From the Should connections to servers with untrusted certificates be allowed? list, select one of the two options to determine what happens with connections to servers with untrusted certificates:
    • Use Yes, allow connections to servers with untrusted certificates to allow connections to the servers that have untrusted certificates.
    • Use No, forbid connections to servers with untrusted certificates to prevent connections to servers that have untrusted certificates.
    Remote servers can present untrusted certificates. Allowing connections to servers with untrusted certificates is a security risk.
  14. If strict updates should protect the configuration, select the Should strict updates be enforced for this application? check box.
    If you select this option, you cannot manually modify any settings produced by the application. If you later disable this option, you can manually change your configuration. Enable this setting to avoid misconfigurations that can make the application unusable.
  15. Click Save.
You have provided the basic configuration the system requires for SSL Orchestrator.
You can now set up ingress and egress devices, configure transparent or explicit proxies for the system, and create services, service chains, and classifier rules.

Configuring logging

Before configuring logging for SSL Orchestrator, complete all areas in General Properties.
You can generate log messages to help you monitor (and optionally debug) system activity, and you can choose the level of logging you want the system to perform. Log messages may be sent to one or more external log servers (preferred) and/or stored on the BIG-IP® device (less desirable, because BIG-IP devices have limited log storage capacity).
  1. On the Main tab, click SSL Orchestrator > Configuration.
    The Logging Configuration section appears at the bottom of the screen.
  2. From the What SSL Intercept logging level do you want to enable? list, select the level of logging the system performs.
    • Use Errors. Log only functional errors to log errors related to how SSL Orchestrator functions.
    • Use Normal. Log connection data as well as errors to log per-connection data in addition to functional errors.
    • Use Debug. Log debug data as well as normal level data to log debug data as well as connection data and functional errors. Because this logging level consumes more resources on the BIG-IP® system, use this mode only during setup or troubleshooting.
  3. From the Which Log Publisher will process the log messages? list, select whether an existing Log Publisher object processes the log messages, or whether the system sends them to syslog-ng instead. We strongly recommend that you use a Log Publisher for good system performance. The syslog-ng service is useful for Errors-only logging but is too slow for Normal or Debug logging when the system is used in production. A Log Publisher delivers log messages to one or more Log Destinations. Log Destinations may include Syslog, ArcSight, Splunk, and other log servers as well as the BIG-IP system's local log database. To use a Log Publisher, it must already be present on the system.
    • Use None (Send log messages to syslog-ng) to send log messages to the system management plane syslog-ng subsystem. This option is not recommended for use in production systems.
    • Otherwise, from the list, select the Log Publisher you created. A Log Publisher delivers log messages to one or more Log Destinations. Log Destinations may include Syslog, ArcSight, Splunk, and other log servers.
  4. From the What kind of statistics do you want to record? list, select the type of statistic the system records. This implementation can collect usage data for connections, service chains, services, and so on. The implementation can also record remote domain names and TLS cipher suites for TLS connections if you wish, but gathering such data consumes more system resources.
    Domain names are taken from remote server PKI certificates (or client SNI in the case of Dynamic Domain Bypass) and may include a wildcard. TLS cipher suites may not be recorded when a connection bypasses interception.
    If you choose to collect any statistics, the BIG-IP system starts saving extra data in memory for integration with performance reporting systems such as Splunk or BIG-IP® iStats.
    • Use None if you do not want the system to record statistics.
    • Use Usage counters only (No remote-domain+cipher records) to record usage counters only and not statistics on remote-domain and cipher records.
    • Use Usage counters and remote-domain+cipher records (may slow system) to record both usage counters and remote-domain and cipher records. This option can slow performance on your system.
  5. Click Save.
You have configured logging options and completed the basic F5® SSL Orchestrator™ configuration.

Configuring an ingress and egress device on one system

The ingress device is either a device or a Sync-Failover device group where each client sends traffic. The egress device is either a device or a Sync-Failover device group that receives traffic after a connection travels through the specified service chain and directs the traffic to the final destination.

If the same BIG-IP® system handles both ingress and egress traffic, the ingress device is one or more ingress VLANs where the clients send traffic. The ingress device decrypts the traffic and then, based on protocol, source, and destination, classifies the traffic and passes each connection for inspection.

If the same BIG-IP® system handles both ingress and egress traffic, the egress device is one or more egress VLANs where the clients receive traffic.

  1. On the Main tab, click SSL Orchestrator > Configuration.
    A screen opens showing the network diagram and listing general properties.
  2. If you have only one BIG-IP® system, from the Do you want to setup separate ingress and egress devices with a cleartext zone between them? list, select No, use one BIG-IP device for ingress and egress.
  3. From the Which IP address families do you want to support? list, select Support IPv4 only.
  4. From the Ingress Device Configuration area, for the Which VLAN(s) will bring client traffic to the transparent proxy? setting, select one or more VLANs where transparent-proxy ingress traffic will arrive.
  5. From the How should a server TLS handshake failure be handled? list, select whether the system should fail the connection or bypass it.
  6. From the DNS query resolution list, select whether to permit the system to send DNS queries directly out to the Internet, or specify one or more local forwarding nameservers to process all DNS queries from SSL Orchestrator.
  7. From the Do you want to configure local/private DNS zones? list, select whether you want to configure local or private DNS zones.
  8. For the Which local forwarding nameserver(s) will resolve DNS queries from this solution? setting, type the IP addresses of the local nameservers that will resolve all DNS queries from this implementation.
  9. In the List local/private Forward Zones setting, type the IP address of one or more nameservers.
  10. From the Do you want to use DNSSEC to validate DNS information? list, select whether you want to use DNSSEC to validate the DNS information.
  11. In the Egress Device Configuration area, from the Do you want to SNAT client IP addresses? list, select whether you want to define SNAT addresses.
  12. From the Should traffic go to the Internet via specific gateways? list, choose whether the system sends all SSL traffic via the default route or via specific Internet gateways (routers). If you choose specific gateways, you can also define the ratio of traffic sent to each device in the next step.
    • If you want outbound/Internet traffic to use the default route on the BIG-IP® system, select No. Send outbound/Internet traffic via the default route.
    • If you want to define a list of gateways (routers) to handle outbound SSL traffic (and control the share of traffic each is given), select Yes. Send outbound/Internet traffic via specific gateways.
  13. Click Save.
You have now configured an ingress device and an egress device located on one system.
This task describes only the fields, lists, and areas needed to configure an ingress and egress device on one system. You should complete the other areas in General Properties before moving on to create services and service chains.

Configuring an ingress device (for separate ingress and egress devices)

The ingress device is either a device or a Sync-Failover device group where each client sends traffic. The ingress device is one or more ingress VLANs where the clients send traffic. The ingress device decrypts the traffic and then, based on protocol, source, and destination, classifies the traffic and passes each connection for inspection.
  1. On the Main tab, click SSL Orchestrator > Configuration.
    A screen opens showing the network diagram and listing general properties.
  2. From the Do you want to setup separate ingress and egress devices with a cleartext zone between them? list, select Yes, configure separate ingress and egress BIG-IP devices.
  3. From the Is this device the ingress or egress device? list, select This is the INGRESS device to which clients connect.
  4. For the What is the EGRESS device Application Service name? field, type the name of the device service.
  5. For the What is the IP address of the EGRESS device control-channel virtual server? field, type the IP address of the service chain control channel virtual server on the egress device.
  6. For the What IP address should THIS (ingress) device's control-channel virtual server use? field, type the IP address of the virtual server for the service chain control channel on a VLAN.
  7. For the What is the control-channel pre-shared key? field, type a pre-shared key (PSK) value to enable cryptographic protection of the service chain control channel between the ingress and egress devices.
  8. From the Which IP address families do you want to support? list, select Support IPv4 only.
  9. From the Ingress Device Configuration area, for the Which VLAN(s) will bring client traffic to the transparent proxy? setting, select one or more VLANs where transparent-proxy ingress traffic will arrive.
  10. From the How should a server TLS handshake failure be handled? list, select whether the system should fail the connection or bypass it.
  11. From the DNS query resolution list, select whether to permit the system to send DNS queries directly out to the Internet, or specify one or more local forwarding nameservers to process all DNS queries from SSL Orchestrator.
  12. From the Do you want to configure local/private DNS zones? list, select whether you want to configure local or private DNS zones.
  13. In the Which local forwarding nameserver(s) will resolve DNS queries from this solution? area, type the IP addresses of the local nameservers that will resolve all DNS queries from this implementation.
  14. In the List local/private Forward Zones area, type the IP address of one or more nameservers.
  15. From the Do you want to use DNSSEC to validate DNS information? list, select whether you want to use DNSSEC to validate the DNS information.
  16. In the Decrypt Zone to Egress Device Configuration area, for Are there parallel service devices in the decrypt zone?, select whether you want to send outbound traffic using the BIG-IP® system default route(s) or send outbound traffic through one or more service devices.
    • If the system will send the traffic through its default route to the Internet, which must be configured to point to the egress BIG-IP® system, use No, send outbound traffic via the BIG-IP default route(s).
    • If your configuration includes any Layer 3 systems in the decrypt zone that must receive the traffic, use Yes, send outbound traffic via one or more service device(s).
  17. For What are the IPv4 decrypt zone gateway addresses?, type one or more IPv4 decrypt zone gateway addresses.
    Click the + button to add additional addresses.

    If you answered the previous question Yes, send outbound traffic via one or more service device(s), type the IP address of the inward interface of the first Layer 3 device in the decrypt zone. You can enter multiple gateways if you have multiple systems and want to load balance across them. If you enter multiple addresses, you can also use the ratio value to control the load balancing. For example, if you have two devices, and one handles twice as much traffic as the other, set the ratio to 1 on the smaller device and 2 on the larger one.

  18. Click Save.
You have now configured an ingress device for a system configured for separate ingress and egress devices.
This task describes only the fields, lists, and areas needed to configure an ingress device. You should complete the other areas in General Properties before moving on to create services and service chains.

Configuring an egress device (for separate ingress and egress devices)

The egress device is either a device or a Sync-Failover device group that receives traffic after a connection travels through the specified service chain and directs the traffic to the final destination. When users set up separate ingress and egress devices, they send each other control messages. These can go through the decrypt zone, or around it if you configure a different path through the network. In either case, the messages are sent through TCP connections to port 245, at an IP address users specify, on each BIG-IP® system.
  1. On the Main tab, click SSL Orchestrator > Configuration.
    A screen opens showing the network diagram and listing general properties.
  2. From the Do you want to setup separate ingress and egress devices with a cleartext zone between them? list, select Yes, configure separate ingress and egress BIG-IP devices.
  3. From the Is this device the ingress or egress device? list, select This is the EGRESS device which connects to servers.
  4. For the What is the INGRESS device Application Service name? field, type the name of the device service.
  5. For the What is the IP address of the INGRESS device control-channel virtual server? field, type the IP address of the service chain control channel virtual server on the ingress device.
  6. For the What IP address should THIS (egress) device's control-channel virtual server use? field, type the IP address of the virtual server for the service chain control channel on a VLAN.
  7. For the What is the control-channel pre-shared key? field, type a pre-shared key (PSK) value to enable cryptographic protection of the service chain control channel between the ingress and egress devices.
  8. From the Which IP address families do you want to support? list, select Support IPv4 only.
  9. From the Egress Device Configuration area, in the Which VLAN(s) are part of the decrypt zone? (These bring traffic from the ingress device) setting, select one or more VLANs where transparent-proxy egress traffic will arrive.
  10. From the Do you want to SNAT client IP addresses? list, select whether you want to define SNAT addresses.
  11. From the Do you want to use a SNAT Pool? list, select whether you want to use a SNAT pool or SNAT auto map to translate addresses.
  12. For IPv4 SNAT addresses, enter the SNAT addresses if you are using them.
  13. From the Should traffic go to the Internet via specific gateways? list, select whether the system sends all SSL traffic via the default route or via specific Internet gateways (routers). If you choose specific gateways, you can also define the ratio of traffic sent to each device in the next step.
    • If you want outbound/Internet traffic to use the default route on the BIG-IP® system, use No. Send outbound/Internet traffic via the default route.
    • If you want to define a list of gateways (routers) to handle outbound SSL traffic (and control the share of traffic each is given), use Yes. Send outbound/Internet traffic via specific gateways.
  14. For What are the IPv4 outbound gateway addresses?, type one or more IPv4 addresses of one or more exit gateways.
    Click the + button to add additional addresses.
  15. In the Decrypt Zone to Ingress Device Configuration area, for Are there parallel service devices in the decrypt zone?, select whether you want to send outbound traffic using the BIG-IP® system default route(s) or send outbound traffic through one or more service devices.
    • If the system will send the traffic through its default route, which must be configured to point to the ingress BIG-IP® system, use No, send outbound traffic via the BIG-IP default route(s).
    • If your configuration includes any Layer 3 systems in the decrypt zone that must receive the responses to traffic, use Yes, send outbound traffic via one or more service device(s).
  16. For What are the IPv4 decrypt zone gateway addresses?, type one or more IPv4 decrypt zone gateway addresses.
    Click the + button to add additional addresses.

    If you answered the previous question Yes, send outbound traffic via one or more service device(s), you need to enter the IP address of the outward interface of the last Layer 3 device in the decrypt zone. You can enter multiple gateways if you have multiple systems and want to load balance across them. If you do enter multiple addresses, you can also use the ratio value to control the load balancing. For example, if you have two devices, and one handles twice as much traffic as the other, you can set the ratio to 1 on the smaller device, and 2 on the larger one.

  17. For What are the intranet networks (subnets)?, type the IP address and mask length in CIDR format for each intranet subnet.
    Click the + button to add additional addresses. Typical IPv4 entries include 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16.
  18. Click Save.
You have now configured an egress device for a system configured for separate ingress and egress devices.
This task describes only the fields, lists, and areas needed to configure an egress device. You should complete the other areas in General Properties before moving on to create services and service chains.

Configuring the system for transparent proxy

You can configure F5® SSL Orchestrator™ to operate in transparent proxy mode only. A transparent proxy intercepts normal communication without requiring any special client configuration, so clients are unaware of the proxy in the network.
  1. On the Main tab, click SSL Orchestrator > Configuration.
    A screen opens showing the network diagram and listing general properties.
  2. From the Which IP address families do you want to support? list, select Support IPv4 only.
  3. From the Which proxy schemes do you want to implement? list, select Implement transparent proxy only.
  4. From the Do you want to pass UDP traffic through the transparent proxy unexamined? list, select one of the options:
    • Use Yes, pass all UDP traffic unexamined to pass UDP traffic through without inspecting it.
    • Use No, manage UDP traffic by classification to configure specific service chain classifier rules for UDP traffic.
  5. From the Do you want to pass non-TCP, non-UDP traffic through the transparent proxy? list, select one of the options:
    • Use Yes, pass non-TCP, non-UDP traffic (such as IPsec, SCTP, OSPF, and so on) if you want the system to pass all traffic that is not TCP or UDP through the transparent proxy. If you choose this option, this traffic will not be classified or processed by any service chain.
    • Use No, block all non-TCP, non-UDP traffic (such as IPsec, SCTP, OSPF, and so on) for the system to block all non-TCP and non-UDP traffic.
  6. Click Save.
You have now configured SSL Orchestrator to work in transparent proxy mode.
This task describes only the fields, lists, and areas needed to configure SSL Orchestrator to work in transparent proxy mode. You should also complete the other areas in General Properties before moving on to create services and service chains.

Configuring the system for explicit proxy

You can configure F5® SSL Orchestrator™ to operate in explicit proxy mode only. Explicit proxy in SSL Orchestrator requires manual configuration of the client and supports only HTTP(S) based on RFC2616.
  1. On the Main tab, click SSL Orchestrator > Configuration.
    A screen opens showing the network diagram and listing general properties.
  2. From the Which IP address families do you want to support? list, select Support IPv4 only.
  3. From the Which proxy schemes do you want to implement? list, select Implement explicit proxy only.
  4. In the On which VLAN(s) should the explicit proxy listen? area, select one or more BIG-IP® VLANs where the explicit proxy listens.
  5. For What IPv4 address and port should the explicit proxy use?, select the IPv4 address and port that the BIG-IP® system should use for the explicit proxy virtual server.
  6. Click Save.
You have now configured SSL Orchestrator to work in explicit proxy mode.
This task describes only the fields, lists, and areas needed to configure SSL Orchestrator to work in explicit proxy mode. You should also complete the other areas in General Properties before moving on to create services and service chains.