Configuring for F5 SSL Orchestrator

Overview: Configuring the system for F5 SSL Orchestrator

To configure a standalone system that provides decryption and encryption of outbound SSL/TLS traffic and manages that traffic, you must use two components:
  • SSL Orchestrator Setup Wizard
  • F5 SSL Intercept iApp template
The first component, the SSL Orchestrator Setup Wizard, guides you through the minimal initial setup. The second component, the F5 SSL Intercept iApp template, assists with the rest of the configuration. This setup guide focuses only on using the SSL Orchestrator Setup Wizard.

Downloading the iApp template onto your system

Before you walk through the SSL Orchestrator Setup Wizard, you need to download and install the f5.ssl_intercept_svc_chain.v1.5.0.tmpl iApp template available from the F5 downloads web site.
  1. Log in to the F5 Downloads site, https://downloads.f5.com, and click the Find a Download button.
  2. In the Security Product Family, locate SSL Orchestrator, and click it.
  3. Select the product version and click SSL-Orchestrator.
  4. Read the End User Software License, and click the I Accept button if you agree with the terms.
  5. Click the ssl-intercept-12.1.0-1.5.6 zip file.
  6. Click the closest geographical location, and save the file on your local system.
  7. Extract the contents of the ssl-intercept-12.1.0-1.5.6 zip file.
The f5.ssl_intercept_svc_chain.v1.5.0 iApp template is now ready on your system. You will deploy this template using the SSL Orchestrator Setup Wizard.

Using the SSL Orchestrator Setup Wizard

Before you start this task:
  • Make sure you set up a management IP address, netmask, and default routing on your system.
  • Navigate to https://downloads.f5.com and download the f5.ssl_intercept_svc_chain.v1.5.0 template onto your system.
Note: If at any time during your configuration you need to return to the SSL Orchestrator Setup Wizard, simply click the F5 logo in the upper-left corner of the Configuration utility, and on the Welcome screen, click the Run the Setup Utility link.
The SSL Orchestrator Setup Wizard guides you through basic minimal setup configuration for F5 SSL Orchestrator™.
  1. On the Welcome screen, click Next.
  2. On the License screen, click Activate.
  3. On the EULA screen, click Accept.
    The license activates, and the system reboots for configuration changes to take effect.
  4. Click Continue after the system reboots.
  5. On the Device Certificate screen, click Next.
  6. On the CA Bundle screen, click Next.
  7. On the Forward Proxy Certificate screen, type a name for the Certificate Name and select Browse to upload your SSL certificate, and click Next.
  8. On the Forward Proxy Key screen, type a name for the Key Name and select Browse to upload your SSL Key, and click Next.
  9. On the Platform screen for the Management Port Configuration setting, click Manual.
    The Management Port setting should include the management interface details that were previously set up.
  10. In the Host Name field, type the name of this system.
    The Host Name must be a fully qualified domain name.
    For example, www.siterequest.com.
  11. In the User Administration area, type and confirm the Root and Admin account passwords, and click Next.
    The Root account provides access to the command line, and the Admin account accesses the user interface.
    The system reboots and asks you to log back in with your new login and password.
  12. After you enter your user login and password, click OK.
    The NTP (Network Time Protocol) screen opens.
  13. Optional: To synchronize the system clock with an NTP server, in the Address field, type the IP address of the NTP server, and click Add.
  14. Click Next.
    The DNS (Domain Name Server) screen opens.
    Note: If you plan to use the DNSSEC option in the iApp template, you must set up DNS using the SSL Orchestrator Setup Wizard. Otherwise, this step is optional.
  15. Optional: To resolve host names on the system, set up the DNS and associated servers:
    1. For the DNS Lookup Server List, in the Address field, type the IP address of the DNS server, and click Add.
    2. If you use BIND servers, add them to the BIND Forwarder Server List.
    3. For doing local domain lookups to resolve local host names, add them to the DNS Search Domain List.
    Click Next and the Internal VLAN screen opens.
  16. Specify the Self IP setting for the internal network:
    1. In the Address field, type a self IP address.
    2. In the Netmask field, type a network mask for the self IP address.
    3. For the Port Lockdown setting, retain the default value.
  17. Specify the Floating IP setting:
    1. In the Address field, type a floating IP address.
      This address should be distinct from the address you type for the Self IP setting.
      Important: If the BIG-IP device you are configuring is accessed using Amazon Web Services and the device needs to fail over to a device group peer, use the second, Secondary Private IP address for the floating IP address.
    2. For the Port Lockdown setting, retain the default value.
  18. For the VLAN Tag ID setting, retain the default value, auto.
    This is the recommended value.
  19. For the Interfaces setting:
    1. From the Interface list, select an interface number.
    2. From the Tagging list, select Tagged or Untagged.
      Select Tagged when you want traffic for that interface to be tagged with a VLAN ID.
    3. Click Add.
  20. Click Next.
    This completes the configuration of the internal self IP addresses and VLAN, and displays the screen for configuring the default VLAN external.
  21. Specify the Self IP setting for the external network:
    1. In the Address field, type a self IP address.
    2. In the Netmask field, type a network mask for the self IP address.
    3. For the Port Lockdown setting, retain the default value.
  22. Specify the Floating IP setting:
    1. In the Address field, type a floating IP address.
      This address should be distinct from the address you type for the Self IP setting.
      Important: If the BIG-IP device you are configuring is accessed using Amazon Web Services and the device needs to fail over to a device group peer, use the second, Secondary Private IP address for the floating IP address.
    2. For the Port Lockdown setting, retain the default value.
  23. In the Default Gateway field, type the IP address that you want to use as the default gateway to VLAN external.
  24. For the VLAN Tag ID setting, retain the default value, auto.
    This is the recommended value.
  25. For the Interfaces setting:
    1. From the Interface list, select an interface number.
    2. From the Tagging list, select Tagged or Untagged.
      Select Tagged when you want traffic for that interface to be tagged with a VLAN ID.
    3. Click Add.
  26. Click Next.
  27. On the Logging screen, under Publisher Type, select either local or splunk.
    • If you select local as your Publisher Type, specify your destination to which logs are forwarded, either to a local database or a local syslog server.
    • If you select splunk as your Publisher Type, select your protocol and type the IP address and port of the splunk server, and click Next.
  28. On the Import screen, click Browse to search for your SSL Intercept iApp template that you saved onto your system, and click Upload.
    The template uploads onto your system and you are now ready to proceed to the second part of the configuration where you deploy the iApp template and follow additional instructions to finalize your system for SSL Orchestrator.
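
A pre-flight check of the values the wizard asks for in steps 10 and 16 through 23, as an added example that is not part of the F5 manual or F5 software. The function names, the plan layout and the sample addresses are constructed for illustration; the rules that the floating IP and default gateway sit in the self IP's subnet, and that the internal and external subnets do not overlap, are assumptions about a typical deployment.

```python
import ipaddress
import re

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def is_fqdn(name):
    """Step 10: the Host Name must be a fully qualified domain name."""
    labels = name.rstrip(".").split(".")
    return len(name) <= 253 and len(labels) >= 2 and all(_LABEL.match(l) for l in labels)

def check_vlan(label, self_ip, netmask, floating_ip, gateway=None):
    """Check one VLAN screen (steps 16-17 or 21-23); return (problems, network)."""
    problems = []
    net = ipaddress.ip_interface(f"{self_ip}/{netmask}").network
    addrs = {"self IP": ipaddress.ip_address(self_ip),
             "floating IP": ipaddress.ip_address(floating_ip)}
    if gateway is not None:
        addrs["default gateway"] = ipaddress.ip_address(gateway)
    for role, addr in addrs.items():
        # Assumption: every address on the screen lives in the self IP's subnet.
        if addr not in net:
            problems.append(f"{label}: {role} {addr} is outside {net}")
        elif addr in (net.network_address, net.broadcast_address):
            problems.append(f"{label}: {role} {addr} is not a usable host address")
    # The manual requires floating != self; a distinct gateway is an assumption.
    if len(set(addrs.values())) != len(addrs):
        problems.append(f"{label}: self IP, floating IP and gateway must all differ")
    return problems, net

def check_plan(plan):
    """Validate the whole worksheet; an empty list means no problems found."""
    problems = []
    if not is_fqdn(plan["hostname"]):
        problems.append(f"host name {plan['hostname']!r} is not an FQDN")
    p_int, net_int = check_vlan("internal", **plan["internal"])
    p_ext, net_ext = check_vlan("external", **plan["external"])
    problems += p_int + p_ext
    if net_int.overlaps(net_ext):
        problems.append(f"internal {net_int} overlaps external {net_ext}")
    return problems

# Constructed sample worksheet (documentation address ranges, not real hosts).
SAMPLE_PLAN = {
    "hostname": "sslo1.example.com",
    "internal": {"self_ip": "192.0.2.10", "netmask": "255.255.255.0", "floating_ip": "192.0.2.11"},
    "external": {"self_ip": "198.51.100.10", "netmask": "255.255.255.0",
                 "floating_ip": "198.51.100.11", "gateway": "198.51.100.1"},
}
```

Calling check_plan(SAMPLE_PLAN) returns an empty list; each string in a non-empty result names the screen and the value to correct before starting the wizard.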

Deploying the SSL Intercept iApp template

The f5.ssl_intercept_svc_chain.v1.5.0 iApp template assists in the completion of your configuration so that your system can act as a forward proxy. This means it can decrypt outbound encrypted traffic to be inspected by service chains you configure, and send it back to the system for re-encryption and delivery to the destination.
  1. On the Applications screen, type a name for your template.
  2. In the Template field, select the template from the drop-down list.
    The system deploys the template on your system.
    Note: Refer to the F5 Deployment Guide: Deploying the BIG-IP system for SSL Intercept v1.5 to complete your deployment.

Additional resources

You can access all of the following BIG-IP® system documentation from the AskF5™ Knowledge Base located at http://support.f5.com/.

  • BIG-IP® System: Essentials
    This guide contains additional information on general device properties including licensing, platform, DNS, and NTP.
  • BIG-IP® System: SSL Administration
    This guide contains additional information on device certificates, managing SSL certificates and keys, understanding client and server certificate authentication, managing SSL traffic, and so on.
  • BIG-IP® TMOS®: Routing Administration
    This guide contains overview information on VLANs, self-IP addresses, route domains, and so on.
  • BIG-IP® Local Traffic Manager™: Implementations
    This guide contains overview information on SSL forward proxy.
  • BIG-IP® Device Service Clustering: Administration
    This guide contains information about device clustering.
  • Release notes
    Release notes contain information about the current software release, including a list of associated documentation, a summary of new features, enhancements, fixes, known issues, and available workarounds.
  • Solutions and Tech Notes
    Solutions are responses and resolutions to known issues. Tech Notes provide additional configuration instructions and how-to information.